From f1899875ce51b01bd9d82d3283013d1d35f2cee8 Mon Sep 17 00:00:00 2001
From: Harald Hoyer
Date: Wed, 20 Mar 2024 16:53:28 +0100
Subject: [PATCH] sgx: factor out aesmd
Signed-off-by: Harald Hoyer
---
 modules/nixos/sgx/aesmd_dcap/default.nix | 30 ++++++++++++++++++++++
 systems/x86_64-linux/sgx-nixos/default.nix | 16 ++++++++++--
 systems/x86_64-linux/sgx/default.nix | 12 +--------
 3 files changed, 45 insertions(+), 13 deletions(-)
 create mode 100644 modules/nixos/sgx/aesmd_dcap/default.nix
diff --git a/modules/nixos/sgx/aesmd_dcap/default.nix b/modules/nixos/sgx/aesmd_dcap/default.nix
new file mode 100644
index 0000000..a68e50e
--- /dev/null
+++ b/modules/nixos/sgx/aesmd_dcap/default.nix
@@ -0,0 +1,30 @@
+{ options, config, lib, pkgs, ... }:
+
+with lib;
+with lib.metacfg;
+let
+ cfg = config.metacfg.aesmd_dcap;
+in
+{
+ options.metacfg.aesmd_dcap = with types; {
+ enable = mkBoolOpt false "Whether or not to enable aesmd in dcap mode.";
+ };
+
+ config = mkIf cfg.enable {
+ metacfg = {
+ nix.extra-substituters = {
+ "https://nixsgx.cachix.org".key = "nixsgx.cachix.org-1:tGi36DlY2joNsIXOlGnSgWW0+E094V6hW0umQRo/KoE=";
+ };
+ };
+ services.aesmd = {
+ enable = true;
+ quoteProviderLibrary = pkgs.nixsgx.sgx-dcap.default_qpl;
+ };
+ systemd.services.aesmd = {
+ environment.LD_LIBRARY_PATH = lib.mkForce (lib.makeLibraryPath [ pkgs.nixsgx.sgx-dcap.default_qpl pkgs.curl.out ]);
+ serviceConfig.BindReadOnlyPaths = [
+ "/etc/sgx_default_qcnl.conf"
+ ];
+ };
+ };
+}
diff --git a/systems/x86_64-linux/sgx-nixos/default.nix b/systems/x86_64-linux/sgx-nixos/default.nix
index d08852e..8260627 100644
--- a/systems/x86_64-linux/sgx-nixos/default.nix
+++ b/systems/x86_64-linux/sgx-nixos/default.nix
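Review bot: `serviceConfig.BindReadOnlyPaths` near the end of the hunk binds `/etc/sgx_default_qcnl.conf` unconditionally, but nothing in this module defines that file, so a host that sets `aesmd_dcap.enable = true` without also providing `environment.etc."sgx_default_qcnl.conf"` gets an aesmd unit that fails at start-up instead of an evaluation-time error. Either make the dependency explicit with an assertion on `config.environment.etc ? "sgx_default_qcnl.conf"`, or mark the bind optional as `"-/etc/sgx_default_qcnl.conf"` so the unit still starts when no QCNL config is present. The option description on the `enable` line should state the requirement, e.g. `"Whether or not to enable aesmd in dcap mode. Expects the host to provide /etc/sgx_default_qcnl.conf."`. The `nix.extra-substituters` entry also adds a trusted binary cache and its signing key to every host that enables this option; since that cache supplies the DCAP quote-provider library loaded into aesmd, a one-line comment recording why this cache is trusted would help the next reviewer.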
@@ -14,9 +14,23 @@ with lib.metacfg;
 base.enable = true;
 nix-ld.enable = true;
 nix.enable = true;
+ aesmd_dcap.enable = true;
 user.extraGroups = [ "docker" "sgx" ];
 };
+ environment.etc."sgx_default_qcnl.conf".text = ''
+ {
+ "pccs_url": "https://192.168.122.1:8081/sgx/certification/v4/"
+ "use_secure_cert": false,
+ "collateral_service": "https://api.trustedservices.intel.com/sgx/certification/v4/",
+ "retry_times": 6,
+ "retry_delay": 10,
+ "pck_cache_expire_hours": 168,
+ "verify_collateral_cache_expire_hours": 168,
+ "local_cache_only": false
+ }
+ '';
+
 virtualisation.docker.enable = true;
 system.autoUpgrade = {
@@ -30,8 +44,6 @@ with lib.metacfg;
 networking.wireless.enable = false; # Enables wireless support via wpa_supplicant.
- services.aesmd.enable = true;
-
 powerManagement.cpuFreqGovernor = "ondemand";
 system.stateVersion = "23.11";
diff --git a/systems/x86_64-linux/sgx/default.nix b/systems/x86_64-linux/sgx/default.nix
index 198d928..366dd24 100644
--- a/systems/x86_64-linux/sgx/default.nix
+++ b/systems/x86_64-linux/sgx/default.nix
@@ -14,6 +14,7 @@ in
 gui.enable = false;
 nix-ld.enable = true;
 nix.enable = true;
+ aesmd_dcap.enable = true;
 pccs.enable = true;
 pccs.secret = config.sops.secrets.pccs.path;
 podman.enable = true;
@@ -33,17 +34,6 @@ in
 security.tpm2.enable = false;
 security.tpm2.abrmd.enable = false;
- services.aesmd = {
- enable = true;
- quoteProviderLibrary = pkgs.nixsgx.sgx-dcap.default_qpl;
- };
- systemd.services.aesmd = {
- environment.LD_LIBRARY_PATH = lib.mkForce (lib.makeLibraryPath [ pkgs.nixsgx.sgx-dcap.default_qpl pkgs.curl.out ]);
- serviceConfig.BindReadOnlyPaths = [
- "/etc/sgx_default_qcnl.conf"
- ];
- };
-
 services.pcscd.enable = true;
 powerManagement.cpuFreqGovernor = "ondemand";
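Review bot: The `"pccs_url"` line inside the new `environment.etc."sgx_default_qcnl.conf".text` block is missing its trailing comma, so the generated file is not valid JSON and the DCAP quote provider library cannot parse it; the line should read `"pccs_url": "https://192.168.122.1:8081/sgx/certification/v4/",`. Building the text with `builtins.toJSON { pccs_url = "..."; use_secure_cert = false; ... }` instead of a hand-written string would turn this kind of slip into an evaluation-time error. `"use_secure_cert": false` also disables TLS certificate verification for the PCCS connection, which is presumably deliberate for a self-signed local PCCS (192.168.122.1 looks like a hypervisor-side address) but should be recorded in a comment such as `# use_secure_cert=false: local PCCS uses a self-signed certificate; not for production hosts`. The same hard-coded URL and flag would silently carry over to any host that copies this block.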