harald/nixcfg
1
0
Fork 0
Code Issues Pull requests Packages Projects Releases Wiki Activity

sgx: add aesmd and refactor

Browse source 
Signed-off-by: Harald Hoyer <harald@hoyer.xyz>
This commit is contained in:
Harald Hoyer 2024-03-06 15:12:04 +01:00
parent 69f4e8bcf9
commit d0ad237493
8 changed files with 227 additions and 163 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

128
flake.lock
View file

@ -503,6 +503,22 @@
"type": "github" "type": "github"
} }
}, },
"flake-compat_4": {
"flake": false,
"locked": {
"lastModified": 1650374568,
"narHash": "sha256-Z+s0J8/r907g149rllvwhb4pKi8Wam5ij0st8PwAh+E=",
"owner": "edolstra",
"repo": "flake-compat",
"rev": "b4a34015c698c7793d592d66adbab377907a2be8",
"type": "github"
},
"original": {
"owner": "edolstra",
"repo": "flake-compat",
"type": "github"
}
},
"flake-parts": { "flake-parts": {
"inputs": { "inputs": {
"nixpkgs-lib": [ "nixpkgs-lib": [
@ -578,6 +594,24 @@
"type": "github" "type": "github"
} }
}, },
"flake-utils-plus_2": {
"inputs": {
"flake-utils": "flake-utils_5"
},
"locked": {
"lastModified": 1696331477,
"narHash": "sha256-YkbRa/1wQWdWkVJ01JvV+75KIdM37UErqKgTf0L54Fk=",
"owner": "gytis-ivaskevicius",
"repo": "flake-utils-plus",
"rev": "bfc53579db89de750b25b0c5e7af299e0c06d7d3",
"type": "github"
},
"original": {
"owner": "gytis-ivaskevicius",
"repo": "flake-utils-plus",
"type": "github"
}
},
"flake-utils_2": { "flake-utils_2": {
"inputs": { "inputs": {
"systems": "systems_2" "systems": "systems_2"
@ -629,6 +663,24 @@
"type": "github" "type": "github"
} }
}, },
"flake-utils_5": {
"inputs": {
"systems": "systems_5"
},
"locked": {
"lastModified": 1694529238,
"narHash": "sha256-zsNZZGTGnMOf9YpHKJqMSsa0dXbfmxeoJ7xHlrt+xmY=",
"owner": "numtide",
"repo": "flake-utils",
"rev": "ff7b65b44d01cf9ba6a71320833626af21126384",
"type": "github"
},
"original": {
"owner": "numtide",
"repo": "flake-utils",
"type": "github"
}
},
"flutter-tools": { "flutter-tools": {
"flake": false, "flake": false,
"locked": { "locked": {
@ -1287,6 +1339,41 @@
"type": "github" "type": "github"
} }
}, },
"nixpkgs_5": {
"locked": {
"lastModified": 1707091808,
"narHash": "sha256-LahKBAfGbY836gtpVNnWwBTIzN7yf/uYM/S0g393r0Y=",
"owner": "nixos",
"repo": "nixpkgs",
"rev": "9f2ee8c91ac42da3ae6c6a1d21555f283458247e",
"type": "github"
},
"original": {
"owner": "nixos",
"ref": "nixos-23.11",
"repo": "nixpkgs",
"type": "github"
}
},
"nixsgx-flake": {
"inputs": {
"nixpkgs": "nixpkgs_5",
"snowfall-lib": "snowfall-lib"
},
"locked": {
"lastModified": 1709040449,
"narHash": "sha256-NDXSUI7GTCekniW52EBvi5PlzdQ37XkrIB1oH4GrUvM=",
"owner": "matter-labs",
"repo": "nixsgx",
"rev": "2b11fbc725fbab3fbaef13490decd3f93c43ae07",
"type": "github"
},
"original": {
"owner": "matter-labs",
"repo": "nixsgx",
"type": "github"
}
},
"nmd": { "nmd": {
"flake": false, "flake": false,
"locked": { "locked": {
@ -1890,7 +1977,8 @@
"lanzaboote": "lanzaboote", "lanzaboote": "lanzaboote",
"neovim-flake": "neovim-flake", "neovim-flake": "neovim-flake",
"nixpkgs": "nixpkgs_4", "nixpkgs": "nixpkgs_4",
"snowfall-lib": "snowfall-lib", "nixsgx-flake": "nixsgx-flake",
"snowfall-lib": "snowfall-lib_2",
"sops-nix": "sops-nix", "sops-nix": "sops-nix",
"unstable": "unstable" "unstable": "unstable"
} }
@ -1999,6 +2087,29 @@
"inputs": { "inputs": {
"flake-compat": "flake-compat_3", "flake-compat": "flake-compat_3",
"flake-utils-plus": "flake-utils-plus", "flake-utils-plus": "flake-utils-plus",
"nixpkgs": [
"nixsgx-flake",
"nixpkgs"
]
},
"locked": {
"lastModified": 1696432959,
"narHash": "sha256-oJQZv2MYyJaVyVJY5IeevzqpGvMGKu5pZcCCJvb+xjc=",
"owner": "snowfallorg",
"repo": "lib",
"rev": "92803a029b5314d4436a8d9311d8707b71d9f0b6",
"type": "github"
},
"original": {
"owner": "snowfallorg",
"repo": "lib",
"type": "github"
}
},
"snowfall-lib_2": {
"inputs": {
"flake-compat": "flake-compat_4",
"flake-utils-plus": "flake-utils-plus_2",
"nixpkgs": [ "nixpkgs": [
"nixpkgs" "nixpkgs"
] ]
@ -2131,6 +2242,21 @@
"type": "github" "type": "github"
} }
}, },
"systems_5": {
"locked": {
"lastModified": 1681028828,
"narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
"owner": "nix-systems",
"repo": "default",
"rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
"type": "github"
},
"original": {
"owner": "nix-systems",
"repo": "default",
"type": "github"
}
},
"tabular": { "tabular": {
"flake": false, "flake": false,
"locked": { "locked": {

9
flake.nix
View file

@ -28,6 +28,11 @@
sops-nix.url = "github:Mic92/sops-nix"; sops-nix.url = "github:Mic92/sops-nix";
sops-nix.inputs.nixpkgs.follows = "nixpkgs"; sops-nix.inputs.nixpkgs.follows = "nixpkgs";
nixsgx-flake = {
url = "github:matter-labs/nixsgx";
# inputs.nixpkgs.follows = "nixpkgs";
};
}; };
outputs = inputs: outputs = inputs:
@ -82,6 +87,10 @@
disko.nixosModules.disko disko.nixosModules.disko
]; ];
overlays = with inputs; [
nixsgx-flake.overlays.default
];
outputs-builder = channels: { outputs-builder = channels: {
formatter = channels.nixpkgs.nixpkgs-fmt; formatter = channels.nixpkgs.nixpkgs-fmt;
defaultApp = lib.flake-utils-plus.mkApp { drv = channels.nixpkgs.home-manager; }; defaultApp = lib.flake-utils-plus.mkApp { drv = channels.nixpkgs.home-manager; };

2
modules/nixos/nix-ld/default.nix
View file

@ -2,7 +2,7 @@
with lib; with lib;
with lib.plusultra; with lib.plusultra;
let cfg = config.plusultra.gui; let cfg = config.plusultra.nix-ld;
in in
{ {
options.plusultra.nix-ld = with types; { options.plusultra.nix-ld = with types; {

67
modules/nixos/sgx/pccs/default.nix Normal file
View file

@ -0,0 +1,67 @@
{ options, config, lib, pkgs, ... }:
with lib;
with lib.plusultra;
let cfg = config.plusultra.pccs;
in
{
options.plusultra.pccs = with types; {
enable = mkBoolOpt false "Whether or not to enable a SGX-DCAP.";
secret = mkOption {
type = with types; nullOr path;
default = null;
example = literalExpression "config.sops.secrets.pccs.path";
description = lib.mdDoc "path to the pccs secret file";
};
};
config = mkIf cfg.enable {
assertions = [{
assertion = cfg.secret != null;
message = "path to the pccs secret file is required when pccs is enabled";
}];
virtualisation = {
podman = {
enable = true;
# Create a `docker` alias for podman, to use it as a drop-in replacement
dockerCompat = true;
# For Nixos version > 22.11
defaultNetwork.settings = { dns_enabled = true; };
};
};
virtualisation.oci-containers.backend = "podman";
virtualisation.oci-containers.containers = {
# podman run --pull=always --name pccs -it --rm -v /dev/log:/dev/log --secret PCCS_CONFIG,type=mount -p 8081:8081 registry.gitlab.com/haraldh/pccs:pccs_1_19
pccs = {
image = "docker.io/backslashhh/pccs:dcap_1_19";
autoStart = true;
ports = [ "8081:8081" ];
extraOptions = [
"--volume=/dev/log:/dev/log"
"--secret=PCCS_CONFIG,type=mount"
];
};
};
systemd.services.pccs-secret =
{
description = "Inject pccs secret";
wantedBy = [ "multi-user.target" ];
before = [ "podman-pccs.service" ];
serviceConfig = {
EnvironmentFile = cfg.secret;
ExecStart = ''
-${pkgs.podman}/bin/podman secret create --env PCCS_CONFIG PCCS_CONFIG
'';
RemainAfterExit = true;
};
};
};
}

2
overlays/jetbrains-toolbox/default.nix
View file

@ -1,7 +1,5 @@
{ channels, ... }: { channels, ... }:
final: prev: final: prev:
{ {
inherit (channels.unstable) jetbrains-toolbox; inherit (channels.unstable) jetbrains-toolbox;
} }

5
overlays/nixsgx/default.nix Normal file
View file

@ -0,0 +1,5 @@
{ channels, ... }:
final: prev:
{
inherit (channels.nixpkgs.nixsgx) sgx-psw;
}

163
systems/x86_64-linux/sgx/default.nix
View file

@ -29,11 +29,18 @@ with lib.plusultra;
networking.wireless.enable = false; # Enables wireless support via wpa_supplicant. networking.wireless.enable = false; # Enables wireless support via wpa_supplicant.
plusultra.gui.enable = false; services.aesmd.enable = true;
plusultra.nix.enable = true;
plusultra.nix.extra-substituters = { plusultra = {
pccs.enable = true;
pccs.secret = config.sops.secrets.pccs.path;
gui.enable = false;
nix-ld.enable = true;
nix.enable = true;
nix.extra-substituters = {
"https://nixsgx.cachix.org".key = "nixsgx.cachix.org-1:tGi36DlY2joNsIXOlGnSgWW0+E094V6hW0umQRo/KoE="; "https://nixsgx.cachix.org".key = "nixsgx.cachix.org-1:tGi36DlY2joNsIXOlGnSgWW0+E094V6hW0umQRo/KoE=";
}; };
};
boot = { boot = {
lanzaboote = { lanzaboote = {
@ -157,154 +164,4 @@ with lib.plusultra;
}; };
}; };
virtualisation.oci-containers.backend = "podman";
virtualisation.oci-containers.containers = {
# podman run --pull=always --name pccs -it --rm -v /dev/log:/dev/log --secret PCCS_CONFIG,type=mount -p 8081:8081 registry.gitlab.com/haraldh/pccs:dcap_1_19
pccs = {
image = "registry.gitlab.com/haraldh/pccs:dcap_1_19";
autoStart = true;
ports = [ "8081:8081" ];
extraOptions = [
"--volume=/dev/log:/dev/log"
"--secret=PCCS_CONFIG,type=mount"
];
};
};
systemd.services.pccs-secret =
{
description = "Inject pccs secret";
wantedBy = [ "multi-user.target" ];
before = [ "podman-pccs.service" ];
serviceConfig = {
EnvironmentFile = config.sops.secrets.pccs.path;
ExecStart = ''
-${pkgs.podman}/bin/podman secret create --env PCCS_CONFIG PCCS_CONFIG
'';
RemainAfterExit = true;
};
};
programs.nix-ld.enable = true;
# Sets up all the libraries to load
programs.nix-ld.libraries = with pkgs; [
SDL
SDL2
SDL2_image
SDL2_mixer
SDL2_ttf
SDL_image
SDL_mixer
SDL_ttf
alsa-lib
at-spi2-atk
at-spi2-core
atk
bzip2
cairo
cups
curlWithGnuTls
dbus
dbus-glib
desktop-file-utils
e2fsprogs
expat
flac
fontconfig
freeglut
freetype
fribidi
fuse
fuse3
gdk-pixbuf
glew110
glib
gmp
gst_all_1.gst-plugins-base
gst_all_1.gst-plugins-ugly
gst_all_1.gstreamer
gtk2
harfbuzz
icu
keyutils.lib
libGL
libGLU
libappindicator-gtk2
libcaca
libcanberra
libcap
libclang.lib
libdbusmenu
libdrm
libgcrypt
libgpg-error
libidn
libjack2
libjpeg
libmikmod
libogg
libpng12
libpulseaudio
librsvg
libsamplerate
libthai
libtheora
libtiff
libudev0-shim
libusb1
libuuid
libvdpau
libvorbis
libvpx
libxcrypt-legacy
libxkbcommon
libxml2
mesa
nspr
nss
openssl
p11-kit
pango
pixman
python3
speex
stdenv.cc.cc
tbb
udev
vulkan-loader
wayland
xorg.libICE
xorg.libSM
xorg.libX11
xorg.libXScrnSaver
xorg.libXcomposite
xorg.libXcursor
xorg.libXdamage
xorg.libXext
xorg.libXfixes
xorg.libXft
xorg.libXi
xorg.libXinerama
xorg.libXmu
xorg.libXrandr
xorg.libXrender
xorg.libXt
xorg.libXtst
xorg.libXxf86vm
xorg.libpciaccess
xorg.libxcb
xorg.xcbutil
xorg.xcbutilimage
xorg.xcbutilkeysyms
xorg.xcbutilrenderutil
xorg.xcbutilwm
xorg.xkeyboardconfig
xz
zlib
];
} }

12
systems/x86_64-linux/sgx/hardware-configuration.nix
View file

@ -5,7 +5,8 @@
{ {
imports = imports =
[ (modulesPath + "/installer/scan/not-detected.nix") [
(modulesPath + "/installer/scan/not-detected.nix")
]; ];
boot.initrd.availableKernelModules = [ "xhci_pci" "ahci" "usbhid" "uas" "sd_mod" ]; boot.initrd.availableKernelModules = [ "xhci_pci" "ahci" "usbhid" "uas" "sd_mod" ];
@ -16,19 +17,20 @@
boot.extraModprobeConfig = "options kvm_intel nested=1"; boot.extraModprobeConfig = "options kvm_intel nested=1";
fileSystems."/" = fileSystems."/" =
{ device = "/dev/disk/by-uuid/7aa17b01-785e-41c6-9723-79195af906c6"; {
device = "/dev/disk/by-uuid/7aa17b01-785e-41c6-9723-79195af906c6";
fsType = "btrfs"; fsType = "btrfs";
options = [ "subvol=@" ]; options = [ "subvol=@" ];
}; };
fileSystems."/boot" = fileSystems."/boot" =
{ device = "/dev/disk/by-uuid/C902-1AF5"; {
device = "/dev/disk/by-uuid/C902-1AF5";
fsType = "vfat"; fsType = "vfat";
}; };
swapDevices = swapDevices =
[ { device = "/dev/disk/by-uuid/72d061d7-ab18-47b9-beb1-1c465dda1be9"; } [{ device = "/dev/disk/by-uuid/72d061d7-ab18-47b9-beb1-1c465dda1be9"; }];
];
# Enables DHCP on each ethernet and wireless interface. In case of scripted networking # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
# (the default) this is the recommended approach. When using systemd-networkd it's # (the default) this is the recommended approach. When using systemd-networkd it's