From d0ad237493dbe540dd5f2281683ba8723ad0af86 Mon Sep 17 00:00:00 2001 From: Harald Hoyer Date: Wed, 6 Mar 2024 15:12:04 +0100 Subject: [PATCH] sgx: add aesmd and refactor Signed-off-by: Harald Hoyer --- flake.lock | 128 +++++++++++++- flake.nix | 9 + modules/nixos/nix-ld/default.nix | 2 +- modules/nixos/sgx/pccs/default.nix | 67 +++++++ overlays/jetbrains-toolbox/default.nix | 2 - overlays/nixsgx/default.nix | 5 + systems/x86_64-linux/sgx/default.nix | 165 ++---------------- .../sgx/hardware-configuration.nix | 12 +- 8 files changed, 227 insertions(+), 163 deletions(-) create mode 100644 modules/nixos/sgx/pccs/default.nix create mode 100644 overlays/nixsgx/default.nix diff --git a/flake.lock b/flake.lock index 8c19496..3d507d7 100644 --- a/flake.lock +++ b/flake.lock @@ -503,6 +503,22 @@ "type": "github" } }, + "flake-compat_4": { + "flake": false, + "locked": { + "lastModified": 1650374568, + "narHash": "sha256-Z+s0J8/r907g149rllvwhb4pKi8Wam5ij0st8PwAh+E=", + "owner": "edolstra", + "repo": "flake-compat", + "rev": "b4a34015c698c7793d592d66adbab377907a2be8", + "type": "github" + }, + "original": { + "owner": "edolstra", + "repo": "flake-compat", + "type": "github" + } + }, "flake-parts": { "inputs": { "nixpkgs-lib": [ @@ -578,6 +594,24 @@ "type": "github" } }, + "flake-utils-plus_2": { + "inputs": { + "flake-utils": "flake-utils_5" + }, + "locked": { + "lastModified": 1696331477, + "narHash": "sha256-YkbRa/1wQWdWkVJ01JvV+75KIdM37UErqKgTf0L54Fk=", + "owner": "gytis-ivaskevicius", + "repo": "flake-utils-plus", + "rev": "bfc53579db89de750b25b0c5e7af299e0c06d7d3", + "type": "github" + }, + "original": { + "owner": "gytis-ivaskevicius", + "repo": "flake-utils-plus", + "type": "github" + } + }, "flake-utils_2": { "inputs": { "systems": "systems_2" 
@@ -629,6 +663,24 @@ "type": "github" } }, + "flake-utils_5": { + "inputs": { + "systems": "systems_5" + }, + "locked": { + "lastModified": 1694529238, + "narHash": "sha256-zsNZZGTGnMOf9YpHKJqMSsa0dXbfmxeoJ7xHlrt+xmY=", + "owner": "numtide", + "repo": "flake-utils", + "rev": "ff7b65b44d01cf9ba6a71320833626af21126384", + "type": "github" + }, + "original": { + "owner": "numtide", + "repo": "flake-utils", + "type": "github" + } + }, "flutter-tools": { "flake": false, "locked": { @@ -1287,6 +1339,41 @@ "type": "github" } }, + "nixpkgs_5": { + "locked": { + "lastModified": 1707091808, + "narHash": "sha256-LahKBAfGbY836gtpVNnWwBTIzN7yf/uYM/S0g393r0Y=", + "owner": "nixos", + "repo": "nixpkgs", + "rev": "9f2ee8c91ac42da3ae6c6a1d21555f283458247e", + "type": "github" + }, + "original": { + "owner": "nixos", + "ref": "nixos-23.11", + "repo": "nixpkgs", + "type": "github" + } + }, + "nixsgx-flake": { + "inputs": { + "nixpkgs": "nixpkgs_5", + "snowfall-lib": "snowfall-lib" + }, + "locked": { + "lastModified": 1709040449, + "narHash": "sha256-NDXSUI7GTCekniW52EBvi5PlzdQ37XkrIB1oH4GrUvM=", + "owner": "matter-labs", + "repo": "nixsgx", + "rev": "2b11fbc725fbab3fbaef13490decd3f93c43ae07", + "type": "github" + }, + "original": { + "owner": "matter-labs", + "repo": "nixsgx", + "type": "github" + } + }, "nmd": { "flake": false, "locked": { @@ -1890,7 +1977,8 @@ "lanzaboote": "lanzaboote", "neovim-flake": "neovim-flake", "nixpkgs": "nixpkgs_4", - "snowfall-lib": "snowfall-lib", + "nixsgx-flake": "nixsgx-flake", + "snowfall-lib": "snowfall-lib_2", "sops-nix": "sops-nix", "unstable": "unstable" } 
@@ -1999,6 +2087,29 @@ "inputs": { "flake-compat": "flake-compat_3", "flake-utils-plus": "flake-utils-plus", + "nixpkgs": [ + "nixsgx-flake", + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1696432959, + "narHash": "sha256-oJQZv2MYyJaVyVJY5IeevzqpGvMGKu5pZcCCJvb+xjc=", + "owner": "snowfallorg", + "repo": "lib", + "rev": "92803a029b5314d4436a8d9311d8707b71d9f0b6", + "type": "github" + }, + "original": { + "owner": "snowfallorg", + "repo": "lib", + "type": "github" + } + }, + "snowfall-lib_2": { + "inputs": { + "flake-compat": "flake-compat_4", + "flake-utils-plus": "flake-utils-plus_2", "nixpkgs": [ "nixpkgs" ] @@ -2131,6 +2242,21 @@ "type": "github" } }, + "systems_5": { + "locked": { + "lastModified": 1681028828, + "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=", + "owner": "nix-systems", + "repo": "default", + "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e", + "type": "github" + }, + "original": { + "owner": "nix-systems", + "repo": "default", + "type": "github" + } + }, "tabular": { "flake": false, "locked": { diff --git a/flake.nix b/flake.nix index 5386a2b..b2d1499 100644 --- a/flake.nix +++ b/flake.nix @@ -28,6 +28,11 @@ sops-nix.url = "github:Mic92/sops-nix"; sops-nix.inputs.nixpkgs.follows = "nixpkgs"; + + nixsgx-flake = { + url = "github:matter-labs/nixsgx"; + # inputs.nixpkgs.follows = "nixpkgs"; + }; }; outputs = inputs: @@ -82,6 +87,10 @@ disko.nixosModules.disko ]; + overlays = with inputs; [ + nixsgx-flake.overlays.default + ]; + outputs-builder = channels: { formatter = channels.nixpkgs.nixpkgs-fmt; defaultApp = lib.flake-utils-plus.mkApp { drv = channels.nixpkgs.home-manager; }; diff --git a/modules/nixos/nix-ld/default.nix b/modules/nixos/nix-ld/default.nix index 9c0331f..331ddef 100644 --- a/modules/nixos/nix-ld/default.nix +++ b/modules/nixos/nix-ld/default.nix @@ -2,7 +2,7 @@ with lib; with lib.plusultra; -let cfg = config.plusultra.gui; +let cfg = config.plusultra.nix-ld; in { options.plusultra.nix-ld = with types; { 
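Review bot: The new `nixsgx-flake` input leaves `inputs.nixpkgs.follows = "nixpkgs"` commented out, so, as the lockfile hunks above show, it carries its own `nixpkgs_5` pin (ref nixos-23.11), and whatever the nixsgx overlay builds against that pin may only receive fixes when upstream nixsgx bumps it, independently of this flake's own `nixpkgs`. If that is deliberate, replace the commented-out line with a comment stating the reason, e.g. `# nixpkgs intentionally not followed: the nixsgx overlay is built against its own pin`; otherwise enabling the follows keeps a single nixpkgs to track for security updates. The `overlays = with inputs; [ nixsgx-flake.overlays.default ];` list in the second flake.nix hunk is fine as written.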
diff --git a/modules/nixos/sgx/pccs/default.nix b/modules/nixos/sgx/pccs/default.nix
new file mode 100644
index 0000000..8e71f95
--- /dev/null
+++ b/modules/nixos/sgx/pccs/default.nix
@@ -0,0 +1,67 @@
+{ options, config, lib, pkgs, ... }:
+
+with lib;
+with lib.plusultra;
+let cfg = config.plusultra.pccs;
+in
+{
+ options.plusultra.pccs = with types; {
+ enable = mkBoolOpt false "Whether or not to enable a SGX-DCAP.";
+ secret = mkOption {
+ type = with types; nullOr path;
+ default = null;
+ example = literalExpression "config.sops.secrets.pccs.path";
+ description = lib.mdDoc "path to the pccs secret file";
+ };
+ };
+
+ config = mkIf cfg.enable {
+ assertions = [{
+ assertion = cfg.secret != null;
+ message = "path to the pccs secret file is required when pccs is enabled";
+ }];
+
+ virtualisation = {
+ podman = {
+ enable = true;
+
+ # Create a `docker` alias for podman, to use it as a drop-in replacement
+ dockerCompat = true;
+
+ # For Nixos version > 22.11
+ defaultNetwork.settings = { dns_enabled = true; };
+ };
+ };
+
+ virtualisation.oci-containers.backend = "podman";
+ virtualisation.oci-containers.containers = {
+ # podman run --pull=always --name pccs -it --rm -v /dev/log:/dev/log --secret PCCS_CONFIG,type=mount -p 8081:8081 registry.gitlab.com/haraldh/pccs:pccs_1_19
+ pccs = {
+ image = "docker.io/backslashhh/pccs:dcap_1_19";
+ autoStart = true;
+ ports = [ "8081:8081" ];
+ extraOptions = [
+ "--volume=/dev/log:/dev/log"
+ "--secret=PCCS_CONFIG,type=mount"
+ ];
+ };
+ };
+
+ systemd.services.pccs-secret =
+ {
+ description = "Inject pccs secret";
+ wantedBy = [ "multi-user.target" ];
+ before = [ "podman-pccs.service" ];
+
+ serviceConfig = {
+ EnvironmentFile = cfg.secret;
+ ExecStart = ''
+ -${pkgs.podman}/bin/podman secret create --env PCCS_CONFIG PCCS_CONFIG
+ '';
+ RemainAfterExit = true;
+ };
+ };
+
+
+ };
+}
diff --git a/overlays/jetbrains-toolbox/default.nix b/overlays/jetbrains-toolbox/default.nix
index e5429aa..94485f7 100644
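Review bot: The pccs container is pulled from Docker Hub by the mutable tag `docker.io/backslashhh/pccs:dcap_1_19` with no digest, so the collateral service that attestation verification relies on can change underneath this configuration; pinning it as `image = "docker.io/backslashhh/pccs@sha256:<digest of the vetted build>";` removes that. The `-` prefix on the `podman secret create` ExecStart also ignores the failure when a `PCCS_CONFIG` secret already exists, so a rotated secret file is never picked up on the next deploy; an `ExecStartPre = "-${pkgs.podman}/bin/podman secret rm PCCS_CONFIG";` ahead of it keeps the podman secret in sync with `cfg.secret`. `ports = [ "8081:8081" ]` publishes the service on every interface; if only clients on this host need it, `"127.0.0.1:8081:8081"` narrows the exposure. Finally, the `secret` option description could say what the file must contain, since it is loaded via EnvironmentFile, e.g. `description = lib.mdDoc "Path to an EnvironmentFile defining PCCS_CONFIG; its value is stored as the podman secret of the same name";`.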
--- a/overlays/jetbrains-toolbox/default.nix +++ b/overlays/jetbrains-toolbox/default.nix @@ -1,7 +1,5 @@ { channels, ... }: - final: prev: - { inherit (channels.unstable) jetbrains-toolbox; } diff --git a/overlays/nixsgx/default.nix b/overlays/nixsgx/default.nix new file mode 100644 index 0000000..66b492e --- /dev/null +++ b/overlays/nixsgx/default.nix @@ -0,0 +1,5 @@ +{ channels, ... }: +final: prev: +{ + inherit (channels.nixpkgs.nixsgx) sgx-psw; +} diff --git a/systems/x86_64-linux/sgx/default.nix b/systems/x86_64-linux/sgx/default.nix index b53b40a..0dab774 100644 --- a/systems/x86_64-linux/sgx/default.nix +++ b/systems/x86_64-linux/sgx/default.nix @@ -29,10 +29,17 @@ with lib.plusultra; networking.wireless.enable = false; # Enables wireless support via wpa_supplicant. - plusultra.gui.enable = false; - plusultra.nix.enable = true; - plusultra.nix.extra-substituters = { - "https://nixsgx.cachix.org".key = "nixsgx.cachix.org-1:tGi36DlY2joNsIXOlGnSgWW0+E094V6hW0umQRo/KoE="; + services.aesmd.enable = true; + + plusultra = { + pccs.enable = true; + pccs.secret = config.sops.secrets.pccs.path; + gui.enable = false; + nix-ld.enable = true; + nix.enable = true; + nix.extra-substituters = { + "https://nixsgx.cachix.org".key = "nixsgx.cachix.org-1:tGi36DlY2joNsIXOlGnSgWW0+E094V6hW0umQRo/KoE="; + }; }; boot = { 
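Review bot: `pccs.secret = config.sops.secrets.pccs.path;` in the systems/x86_64-linux/sgx/default.nix hunk relies on a `sops.secrets.pccs` declaration that is not visible in the hunk; if it is not declared elsewhere in this system's configuration, evaluation fails with a missing-attribute error rather than the pccs module's own assertion message, so a comment such as `# declared in the sops config; the file must define PCCS_CONFIG` next to it would help the next reader. `services.aesmd.enable = true;` is added with no settings, so how aesmd's quoting is expected to reach the local PCCS on port 8081 is left to defaults; a one-line comment stating that expectation would be worthwhile. The enclosing attribute set continues outside the hunk.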
@@ -157,154 +164,4 @@ with lib.plusultra; }; }; - virtualisation.oci-containers.backend = "podman"; - virtualisation.oci-containers.containers = { - - # podman run --pull=always --name pccs -it --rm -v /dev/log:/dev/log --secret PCCS_CONFIG,type=mount -p 8081:8081 registry.gitlab.com/haraldh/pccs:dcap_1_19 - pccs = { - image = "registry.gitlab.com/haraldh/pccs:dcap_1_19"; - autoStart = true; - ports = [ "8081:8081" ]; - extraOptions = [ - "--volume=/dev/log:/dev/log" - "--secret=PCCS_CONFIG,type=mount" - ]; - }; - }; - - systemd.services.pccs-secret = - { - description = "Inject pccs secret"; - wantedBy = [ "multi-user.target" ]; - before = [ "podman-pccs.service" ]; - - serviceConfig = { - EnvironmentFile = config.sops.secrets.pccs.path; - ExecStart = '' - -${pkgs.podman}/bin/podman secret create --env PCCS_CONFIG PCCS_CONFIG - ''; - RemainAfterExit = true; - }; - }; - - - programs.nix-ld.enable = true; - - # Sets up all the libraries to load - programs.nix-ld.libraries = with pkgs; [ - SDL - SDL2 - SDL2_image - SDL2_mixer - SDL2_ttf - SDL_image - SDL_mixer - SDL_ttf - alsa-lib - at-spi2-atk - at-spi2-core - atk - bzip2 - cairo - cups - curlWithGnuTls - dbus - dbus-glib - desktop-file-utils - e2fsprogs - expat - flac - fontconfig - freeglut - freetype - fribidi - fuse - fuse3 - gdk-pixbuf - glew110 - glib - gmp - gst_all_1.gst-plugins-base - gst_all_1.gst-plugins-ugly - gst_all_1.gstreamer - gtk2 - harfbuzz - icu - keyutils.lib - libGL - libGLU - libappindicator-gtk2 - libcaca - libcanberra - libcap - libclang.lib - libdbusmenu - libdrm - libgcrypt - libgpg-error - libidn - libjack2 - libjpeg - libmikmod - libogg - libpng12 - libpulseaudio - librsvg - libsamplerate - libthai - libtheora - libtiff - libudev0-shim - libusb1 - libuuid - libvdpau - libvorbis - libvpx - libxcrypt-legacy - libxkbcommon - libxml2 - mesa - nspr - nss - openssl - p11-kit - pango - pixman - python3 - speex - stdenv.cc.cc - tbb - udev - vulkan-loader - wayland - xorg.libICE - xorg.libSM - 
xorg.libX11 - xorg.libXScrnSaver - xorg.libXcomposite - xorg.libXcursor - xorg.libXdamage - xorg.libXext - xorg.libXfixes - xorg.libXft - xorg.libXi - xorg.libXinerama - xorg.libXmu - xorg.libXrandr - xorg.libXrender - xorg.libXt - xorg.libXtst - xorg.libXxf86vm - xorg.libpciaccess - xorg.libxcb - xorg.xcbutil - xorg.xcbutilimage - xorg.xcbutilkeysyms - xorg.xcbutilrenderutil - xorg.xcbutilwm - xorg.xkeyboardconfig - xz - zlib - ]; - } diff --git a/systems/x86_64-linux/sgx/hardware-configuration.nix b/systems/x86_64-linux/sgx/hardware-configuration.nix index 11bc10f..0afa72d 100644 --- a/systems/x86_64-linux/sgx/hardware-configuration.nix +++ b/systems/x86_64-linux/sgx/hardware-configuration.nix @@ -5,7 +5,8 @@ { imports = - [ (modulesPath + "/installer/scan/not-detected.nix") + [ + (modulesPath + "/installer/scan/not-detected.nix") ]; boot.initrd.availableKernelModules = [ "xhci_pci" "ahci" "usbhid" "uas" "sd_mod" ]; @@ -16,19 +17,20 @@ boot.extraModprobeConfig = "options kvm_intel nested=1"; fileSystems."/" = - { device = "/dev/disk/by-uuid/7aa17b01-785e-41c6-9723-79195af906c6"; + { + device = "/dev/disk/by-uuid/7aa17b01-785e-41c6-9723-79195af906c6"; fsType = "btrfs"; options = [ "subvol=@" ]; }; fileSystems."/boot" = - { device = "/dev/disk/by-uuid/C902-1AF5"; + { + device = "/dev/disk/by-uuid/C902-1AF5"; fsType = "vfat"; }; swapDevices = - [ { device = "/dev/disk/by-uuid/72d061d7-ab18-47b9-beb1-1c465dda1be9"; } - ]; + [{ device = "/dev/disk/by-uuid/72d061d7-ab18-47b9-beb1-1c465dda1be9"; }]; # Enables DHCP on each ethernet and wireless interface. In case of scripted networking # (the default) this is the recommended approach. When using systemd-networkd it's