sgx: factor out aesmd

Signed-off-by: Harald Hoyer <harald@hoyer.xyz>
2024-03-20 16:53:28 +01:00 · 2024-03-20 16:53:28 +01:00 · f1899875ce
commit f1899875ce
parent 0b9fb35062
3 changed files with 45 additions and 13 deletions
--- a/systems/x86_64-linux/sgx-nixos/default.nix
+++ b/systems/x86_64-linux/sgx-nixos/default.nix
@ -14,9 +14,23 @@ with lib.metacfg;
    base.enable = true;
    nix-ld.enable = true;
    nix.enable = true;
+    aesmd_dcap.enable = true;
    user.extraGroups = [ "docker" "sgx" ];
  };

+  environment.etc."sgx_default_qcnl.conf".text = ''
+    {
+      "pccs_url": "https://192.168.122.1:8081/sgx/certification/v4/"
+      "use_secure_cert": false,
+      "collateral_service": "https://api.trustedservices.intel.com/sgx/certification/v4/",
+      "retry_times": 6,
+      "retry_delay": 10,
+      "pck_cache_expire_hours": 168,
+      "verify_collateral_cache_expire_hours": 168,
+      "local_cache_only": false
+    }
+  '';
+
  virtualisation.docker.enable = true;

  system.autoUpgrade = {
@ -30,8 +44,6 @@ with lib.metacfg;

  networking.wireless.enable = false; # Enables wireless support via wpa_supplicant.

-  services.aesmd.enable = true;
-
  powerManagement.cpuFreqGovernor = "ondemand";

  system.stateVersion = "23.11";