feat: initial commit

Signed-off-by: Harald Hoyer <harald@matterlabs.dev>

packages/sgx-sdk/CppMicroServices-no-mtime.patch

@@ -0,0 +1,26 @@
+diff --git a/external/CppMicroServices/framework/src/bundle/BundleResourceContainer.cpp b/external/CppMicroServices/framework/src/bundle/BundleResourceContainer.cpp
+index aee499e9..13fa89d4 100644
+--- a/external/CppMicroServices/framework/src/bundle/BundleResourceContainer.cpp
++++ b/external/CppMicroServices/framework/src/bundle/BundleResourceContainer.cpp
+@@ -105,7 +105,7 @@ bool BundleResourceContainer::GetStat(int index,
+                    const_cast<mz_zip_archive*>(&m_ZipArchive), index)
+                    ? true
+                    : false;
+-    stat.modifiedTime = zipStat.m_time;
++    stat.modifiedTime = 0;
+     stat.crc32 = zipStat.m_crc32;
+     // This will limit the size info from uint64 to uint32 on 32-bit
+     // architectures. We don't care because we assume resources > 2GB
+diff --git a/external/CppMicroServices/third_party/miniz.c b/external/CppMicroServices/third_party/miniz.c
+index 6b0ebd7a..fa2aebca 100644
+--- a/external/CppMicroServices/third_party/miniz.c
++++ b/external/CppMicroServices/third_party/miniz.c
+@@ -170,7 +170,7 @@
+ // If MINIZ_NO_TIME is specified then the ZIP archive functions will not be able to get the current time, or
+ // get/set file times, and the C run-time funcs that get/set times won't be called.
+ // The current downside is the times written to your archives will be from 1979.
+-//#define MINIZ_NO_TIME
++#define MINIZ_NO_TIME
+ 
+ // Define MINIZ_NO_ARCHIVE_APIS to disable all ZIP archive API's.
+ //#define MINIZ_NO_ARCHIVE_APIS

packages/sgx-sdk/aesm-cxx-standard.patch

@@ -0,0 +1,13 @@
+diff --git a/psw/ae/aesm_service/source/CMakeLists.txt b/psw/ae/aesm_service/source/CMakeLists.txt
+index ffc1bee7..5c61e9f1 100644
+--- a/psw/ae/aesm_service/source/CMakeLists.txt
++++ b/psw/ae/aesm_service/source/CMakeLists.txt
+@@ -64,7 +64,7 @@ if(SGX_DISABLE_PSE)
+ endif()
+ 
+ set(CMAKE_CXX_STANDARD_REQUIRED 1)
+-set(CMAKE_CXX_STANDARD 11)
++set(CMAKE_CXX_STANDARD 17)
+ set(CMAKE_SKIP_BUILD_RPATH true)
+ 
+ ########## SGX SDK Settings ##########

packages/sgx-sdk/default.nix

@@ -0,0 +1,290 @@
+{ lib
+, stdenv
+, fetchFromGitHub
+, autoconf
+, automake
+, binutils
+, callPackage
+, cmake
+, file
+, gdb
+, git
+, libtool
+, linkFarmFromDrvs
+, ocaml
+, ocamlPackages
+, openssl
+, perl
+, python3
+, texinfo
+, validatePkgConfig
+, writeShellApplication
+, writeShellScript
+, writeText
+, debug ? false
+}:
+stdenv.mkDerivation rec {
+  pname = "sgx-sdk";
+  # Version as given in se_version.h
+  version = "2.23.100.2";
+  # Version as used in the Git tag
+  versionTag = "2.23";
+
+  src = fetchFromGitHub {
+    owner = "intel";
+    repo = "linux-sgx";
+    rev = "sgx_${versionTag}";
+    hash = "sha256-i+fE6xKiuljG8LY8TIHgrW15DVpdp46bZdNo/BjgT/I=";
+    fetchSubmodules = true;
+  };
+
+  postUnpack = ''
+    # Make sure this is the right version of linux-sgx
+    grep -q '"${version}"' "$src/common/inc/internal/se_version.h" \
+      || (echo "Could not find expected version ${version} in linux-sgx source" >&2 && exit 1)
+  '';
+
+  patches = [
+    # no timestamp in mini zip archives
+    ./CppMicroServices-no-mtime.patch
+    # Set the CXX standard for nix builds of sgx-psw
+    ./aesm-cxx-standard.patch
+    # There's a `make preparation` step that downloads some prebuilt binaries
+    # and applies some patches to the in-repo git submodules. This patch removes
+    # the parts that download things, since we can't do that inside the sandbox.
+    ./disable-downloads.patch
+  ];
+
+  postPatch = ''
+    patchShebangs linux/installer/bin/build-installpkg.sh \
+      linux/installer/common/sdk/createTarball.sh \
+      linux/installer/common/sdk/install.sh \
+      external/sgx-emm/create_symlink.sh
+
+    make preparation
+  '';
+
+  # We need `cmake` as a build input but don't use it to kick off the build phase
+  dontUseCmakeConfigure = true;
+
+  # SDK built with stackprotector produces broken enclaves which crash at runtime.
+  # Disable all to be safe, SDK build configures compiler mitigations manually.
+  hardeningDisable = [ "all" ];
+
+  nativeBuildInputs = [
+    autoconf
+    automake
+    cmake
+    file
+    git
+    ocaml
+    ocamlPackages.ocamlbuild
+    perl
+    python3
+    texinfo
+    validatePkgConfig
+  ];
+
+  buildInputs = [
+    libtool
+    openssl
+  ];
+
+  BINUTILS_DIR = "${binutils}/bin";
+
+  # Build external/ippcp_internal first. The Makefile is rewritten to make the
+  # build faster by splitting different versions of ipp-crypto builds and to
+  # avoid patching the Makefile for reproducibility issues.
+  preBuild =
+    let
+      ipp-crypto-no_mitigation = callPackage ./ipp-crypto.nix { };
+
+      sgx-asm-pp = "python ${src}/build-scripts/sgx-asm-pp.py --assembler=nasm";
+
+      nasm-load = writeShellScript "nasm-load" "${sgx-asm-pp} --MITIGATION-CVE-2020-0551=LOAD $@";
+      ipp-crypto-cve_2020_0551_load = callPackage ./ipp-crypto.nix {
+        extraCmakeFlags = [ "-DCMAKE_ASM_NASM_COMPILER=${nasm-load}" ];
+      };
+
+      nasm-cf = writeShellScript "nasm-cf" "${sgx-asm-pp} --MITIGATION-CVE-2020-0551=CF $@";
+      ipp-crypto-cve_2020_0551_cf = callPackage ./ipp-crypto.nix {
+        extraCmakeFlags = [ "-DCMAKE_ASM_NASM_COMPILER=${nasm-cf}" ];
+      };
+    in
+    ''
+      echo "Setting up IPP crypto build artifacts"
+
+      pushd 'external/ippcp_internal'
+
+      cp -r ${ipp-crypto-no_mitigation}/include/. inc/
+
+      install -D -m a+rw ${ipp-crypto-no_mitigation}/lib/intel64/libippcp.a \
+        lib/linux/intel64/no_mitigation/libippcp.a
+      install -D -m a+rw ${ipp-crypto-cve_2020_0551_load}/lib/intel64/libippcp.a \
+        lib/linux/intel64/cve_2020_0551_load/libippcp.a
+      install -D -m a+rw ${ipp-crypto-cve_2020_0551_cf}/lib/intel64/libippcp.a \
+        lib/linux/intel64/cve_2020_0551_cf/libippcp.a
+
+      rm inc/ippcp.h
+      patch ${ipp-crypto-no_mitigation}/include/ippcp.h -i inc/ippcp21u7.patch -o inc/ippcp.h
+
+      install -D ${ipp-crypto-no_mitigation.src}/LICENSE license/LICENSE
+
+      popd
+    '';
+
+  buildFlags = [
+    "sdk_install_pkg"
+  ] ++ lib.optionals debug [
+    "DEBUG=1"
+  ];
+
+  postBuild = ''
+    patchShebangs linux/installer/bin/sgx_linux_x64_sdk_${version}.bin
+  '';
+
+  installPhase = ''
+    runHook preInstall
+
+    installDir=$TMPDIR
+    ./linux/installer/bin/sgx_linux_x64_sdk_${version}.bin -prefix $installDir
+    installDir=$installDir/sgxsdk
+
+    echo "Move files created by installer"
+
+    mkdir -p $out/bin
+    pushd $out
+
+    mv $installDir/bin/sgx-gdb $out/bin
+    mkdir $out/bin/x64
+    for file in $installDir/bin/x64/*; do
+      mv $file bin/
+      ln -sr bin/$(basename $file) bin/x64/
+    done
+    rmdir $installDir/bin/{x64,}
+
+    # Move `lib64` to `lib` and symlink `lib64`
+    mv $installDir/lib64 lib
+    ln -s lib/ lib64
+
+    # Fixup the symlinks for libsgx_urts.so.* -> libsgx_urts.so
+    for file in lib/libsgx_urts.so.*; do
+      ln -srf lib/libsgx_urts.so $file
+    done
+
+    mv $installDir/include/ .
+
+    mkdir -p share/
+    mv $installDir/{SampleCode,licenses} share/
+
+    mkdir -p share/bin
+    mv $installDir/{environment,buildenv.mk} share/bin/
+    ln -s share/bin/{environment,buildenv.mk} .
+
+    # pkgconfig should go to lib/
+    mv $installDir/pkgconfig lib/
+    ln -s lib/pkgconfig/ .
+
+    # Also create the `sdk_libs` for compat. All the files
+    # link to libraries in `lib64/`, we shouldn't link the entire
+    # directory, however, as there seems to be some ambiguity between
+    # SDK and PSW libraries.
+    mkdir sdk_libs/
+    for file in $installDir/sdk_libs/*; do
+      ln -sr lib/$(basename $file) sdk_libs/
+      rm $file
+    done
+    rmdir $installDir/sdk_libs
+
+    # No uninstall script required
+    rm $installDir/uninstall.sh
+
+    # Create an `sgxsdk` symlink which points to `$out` for compat
+    ln -sr . sgxsdk
+
+    # Make sure we didn't forget any files
+    rmdir $installDir || (echo "Error: The directory $installDir still contains unhandled files: $(ls -A $installDir)" >&2 && exit 1)
+
+    popd
+
+    runHook postInstall
+  '';
+
+  preFixup = ''
+    echo "Strip sgxsdk prefix"
+    for path in "$out/share/bin/environment" "$out/bin/sgx-gdb"; do
+      substituteInPlace $path --replace "$TMPDIR/sgxsdk" "$out"
+    done
+
+    echo "Fixing pkg-config files"
+    sed -i "s|prefix=.*|prefix=$out|g" $out/lib/pkgconfig/*.pc
+
+    echo "Fixing SGX_SDK default in samples"
+    substituteInPlace $out/share/SampleCode/LocalAttestation/buildenv.mk \
+      --replace '/opt/intel/sgxsdk' "$out"
+    for file in $out/share/SampleCode/*/Makefile; do
+      substituteInPlace $file \
+        --replace '/opt/intel/sgxsdk' "$out"
+    done
+
+    echo "Fixing BINUTILS_DIR in buildenv.mk"
+    substituteInPlace $out/share/bin/buildenv.mk \
+      --replace 'BINUTILS_DIR ?= /usr/local/bin' \
+                'BINUTILS_DIR ?= ${BINUTILS_DIR}'
+
+    echo "Fixing GDB path in bin/sgx-gdb"
+    substituteInPlace $out/bin/sgx-gdb --replace '/usr/local/bin/gdb' '${gdb}/bin/gdb'
+  '';
+
+  doInstallCheck = true;
+
+  installCheckPhase = ''
+    runHook preInstallCheck
+
+    # Make sure all symlinks are valid
+    output=$(find "$out" -type l -exec test ! -e {} \; -print)
+    if [[ -n "$output" ]]; then
+      echo "Broken symlinks:"
+      echo "$output"
+      exit 1
+    fi
+
+    runHook postInstallCheck
+  '';
+
+  setupHook = writeText "setup-hook.sh" ''
+    sgxsdk() {
+        export SGX_SDK=@out@
+    }
+
+    postHooks+=(sgxsdk)
+  '';
+
+  passthru.tests = callPackage ../samples { sgxMode = "SIM"; };
+
+  # Run tests in SGX hardware mode on an SGX-enabled machine
+  # $(nix-build -A sgx-sdk.runTestsHW)/bin/run-tests-hw
+  passthru.runTestsHW =
+    let
+      testsHW = lib.filterAttrs (_: v: v ? "name") (callPackage ../samples { sgxMode = "HW"; });
+      testsHWLinked = linkFarmFromDrvs "sgx-samples-hw-bundle" (lib.attrValues testsHW);
+    in
+    writeShellApplication {
+      name = "run-tests-hw";
+      text = ''
+        for test in ${testsHWLinked}/*; do
+          printf '*** Running test %s ***\n\n' "$(basename "$test")"
+          printf 'a\n' | "$test/bin/app"
+          printf '\n'
+        done
+      '';
+    };
+
+  meta = with lib; {
+    description = "Intel SGX SDK for Linux built with IPP Crypto Library";
+    homepage = "https://github.com/intel/linux-sgx";
+    maintainers = with maintainers; [ phlip9 sbellem arturcygan veehaitch ];
+    platforms = [ "x86_64-linux" ];
+    license = with licenses; [ bsd3 ];
+  };
+}

packages/sgx-sdk/disable-downloads.patch

@@ -0,0 +1,26 @@
+diff --git a/Makefile b/Makefile
+index 32433051..2e480efb 100644
+--- a/Makefile
++++ b/Makefile
+@@ -50,8 +50,8 @@ tips:
+ preparation:
+ # As SDK build needs to clone and patch openmp, we cannot support the mode that download the source from github as zip.
+ # Only enable the download from git
+-	git submodule update --init --recursive
+-	./external/dcap_source/QuoteVerification/prepare_sgxssl.sh nobuild
++	# git submodule update --init --recursive
++	# ./external/dcap_source/QuoteVerification/prepare_sgxssl.sh nobuild
+ 	cd external/openmp/openmp_code && git apply ../0001-Enable-OpenMP-in-SGX.patch >/dev/null 2>&1 ||  git apply ../0001-Enable-OpenMP-in-SGX.patch --check -R
+ 	cd external/protobuf/protobuf_code && git apply ../sgx_protobuf.patch >/dev/null 2>&1 ||  git apply ../sgx_protobuf.patch --check -R
+ 	./external/sgx-emm/create_symlink.sh
+@@ -59,8 +59,8 @@ preparation:
+ 	cd external/cbor && cp -r libcbor sgx_libcbor
+ 	cd external/cbor/libcbor && git apply ../raw_cbor.patch >/dev/null 2>&1 || git apply ../raw_cbor.patch --check -R
+ 	cd external/cbor/sgx_libcbor && git apply ../sgx_cbor.patch >/dev/null 2>&1 || git apply ../sgx_cbor.patch --check -R
+-	./download_prebuilt.sh
+-	./external/dcap_source/QuoteGeneration/download_prebuilt.sh
++	# ./download_prebuilt.sh
++	# ./external/dcap_source/QuoteGeneration/download_prebuilt.sh
+ 
+ psw:
+ 	$(MAKE) -C psw/ USE_OPT_LIBS=$(USE_OPT_LIBS)

packages/sgx-sdk/ipp-crypto.nix

@@ -0,0 +1,30 @@
+{ gcc11Stdenv
+, fetchFromGitHub
+, cmake
+, nasm
+, ninja
+, openssl
+, python3
+, extraCmakeFlags ? [ ]
+}:
+gcc11Stdenv.mkDerivation rec {
+  pname = "ipp-crypto";
+  version = "2021.10.0";
+
+  src = fetchFromGitHub {
+    owner = "intel";
+    repo = "ipp-crypto";
+    rev = "ippcp_${version}";
+    hash = "sha256-DfXsJ+4XqyjCD+79LUD53Cx8D46o1a4fAZa2UxGI1Xg=";
+  };
+
+  cmakeFlags = [ "-DARCH=intel64" ] ++ extraCmakeFlags;
+
+  nativeBuildInputs = [
+    cmake
+    nasm
+    ninja
+    openssl
+    python3
+  ];
+}