From 50f3adc1c6afb0b877ab82a1da8adfcceba6ac01 Mon Sep 17 00:00:00 2001
From: Harald Hoyer
Date: Tue, 12 Nov 2024 17:27:23 +0100
Subject: [PATCH] feat(gramine): v1.7 -> v1.8

Signed-off-by: Harald Hoyer
---
 overlays/libTee/sgxGramineContainer.nix | 6 +-
 packages/gramine/default.nix | 89 ++++++----------------
 packages/nixsgx-test-sgx-dcap/default.nix | 2 +-
 3 files changed, 28 insertions(+), 69 deletions(-)

diff --git a/overlays/libTee/sgxGramineContainer.nix b/overlays/libTee/sgxGramineContainer.nix
index e275a66..cd13a52 100644
--- a/overlays/libTee/sgxGramineContainer.nix
+++ b/overlays/libTee/sgxGramineContainer.nix
@@ -55,7 +55,7 @@ let
 };
 loader = {
 argv = [ entrypoint ];
- entrypoint = "file:{{ gramine.libos }}";
+ entrypoint.uri = "file:{{ gramine.libos }}";
 env = {
 AZDCAP_COLLATERAL_VERSION = "v4";
 AZDCAP_DEBUG_LOG_LEVEL = "ignore";
@@ -209,7 +209,9 @@ let
 CHROOT=$(pwd)
 appDir="${appDir}"
 cd "''${appDir#/}"
- HOME="''${appDir#/}" ${nixsgx.gramine}/bin/gramine-manifest ${manifestFile} ${appName}.manifest;
+ HOME="${appDir}" ${nixsgx.gramine}/bin/gramine-manifest \ --chroot "$CHROOT" \ ${manifestFile} ${appName}.manifest;
 ${nixsgx.gramine}/bin/gramine-sgx-sign \
 --chroot "$CHROOT" \
 --manifest ${appName}.manifest \
diff --git a/packages/gramine/default.nix b/packages/gramine/default.nix
index 93d58bf..9fcb433 100644
--- a/packages/gramine/default.nix
+++ b/packages/gramine/default.nix
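Review bot: HOME is switched from the chroot-relative `''${appDir#/}` to the absolute `${appDir}` on the gramine-manifest line while the preceding `cd "''${appDir#/}"` keeps the relative form, and nothing says why the two now differ; a comment such as `# HOME is the absolute (in-chroot) path because gramine-manifest is given --chroot; the cd above must stay host-relative` would keep the next editor from "fixing" one to match the other. The script this snippet belongs to starts outside the hunk, so whether it runs under `set -e` is not visible; if it does not, a failing `cd` leaves both the manifest and the signature generated against `$CHROOT` itself, and `cd "''${appDir#/}" || exit 1` is cheap insurance. Since `--chroot "$CHROOT"` is now passed to both tools, it is also worth stating in that comment that `$CHROOT` is the directory the trusted-file paths are resolved against, because a wrong working directory at that point silently changes what gets measured.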
@@ -8,44 +8,16 @@
 , nasm
 , ninja
 , cmake
+, cacert
 , pkg-config
 , autoconf
+, perl
 , gawk
 , bison
 , patchelf
 , which
-, ...
 }:
 let
- gcc-wrap = fetchurl {
- url = "https://ftp.gnu.org/gnu/gcc/gcc-10.2.0/gcc-10.2.0.tar.gz";
- hash = "sha256-J+h53MxjnNewzAjtV1wWaUkleVKbU8n/J7C5YmX6hn0=";
- };
- tomlc99-wrap = fetchurl {
- url = "https://github.com/cktan/tomlc99/archive/208203af46bdbdb29ba199660ed78d09c220b6c5.tar.gz";
- hash = "sha256-cxORP94awLCjGjTk/I4QSMDLGwgT59okpEtMw8gPDok=";
- };
- cjson-wrap = fetchurl {
- url = "https://github.com/DaveGamble/cJSON/archive/v1.7.12.tar.gz";
- hash = "sha256-dgaHZlq0Glz/nECxBTwZVyvNqt7xGU5cuhteb4JGhuc=";
- };
- curl-wrap = fetchurl {
- url = "https://curl.se/download/curl-8.7.1.tar.gz";
- hash = "sha256-+RJJyH9o6gDPJ8RP36WnhCPkHnG31AjlkBqYltkFxJU=";
- };
- mbedtls-wrap = fetchurl {
- url = "https://github.com/ARMmbed/mbedtls/archive/mbedtls-3.5.2.tar.gz";
- hash = "sha256-7t7MRos/jQUu8FqdQr9j8EyKHFDRxalMJRxoE2WixyM=";
- };
- uthash-wrap = fetchurl {
- url = "https://github.com/troydhanson/uthash/archive/v2.1.0.tar.gz";
- hash = "sha256-FSzNjmTQ9JU3cjLjlk0Gx+yLuMP70yF/ilcCYU+aZp4=";
- };
- glibc-wrap = fetchurl {
- url = "https://ftp.gnu.org/gnu/glibc/glibc-2.39.tar.gz";
- hash = "sha256-l/hPO3WIzVQJOm9jibDBqB5w2ZcI10ljouPqt8fclC0=";
- };
- python = pkgs.python3;
 my-python-packages = ps: with ps; [
@@ -60,48 +32,28 @@ let
 in
 python.pkgs.buildPythonPackage {
 pname = "gramine";
- version = "1.7";
+ version = "1.8";
 src = pkgs.fetchFromGitHub {
 owner = "gramineproject";
 repo = "gramine";
- rev = "v1.7";
- hash = "sha256-QHgRGIx4jnTh0O3ihJbnuPwTdygJ03zpL2bdqAN9+sA=";
+ rev = "v1.8";
+ hash = "sha256-yz7hVEJAqYQbzdCEVG1c/mVpuBDQtv/MUSCcH60pN5g=";
 fetchSubmodules = true;
+ postFetch = ''
+ (
+ cd "$out"
+ export NIX_SSL_CERT_FILE=${cacert}/etc/ssl/certs/ca-bundle.crt
+ for prj in subprojects/*.wrap; do
+ ${lib.getExe meson} subprojects download "$(basename "$prj" .wrap)"
+ rm -rf subprojects/$(basename "$prj" .wrap)/.git
+ done
+ )
+ '';
 };
- patches = [
- # Add locking around read/write on encrypted pipes
- (fetchpatch {
- url = "https://github.com/gramineproject/gramine/commit/cd68a460abf9db2295f5dc5cf292b8678741fb22.patch";
- hash = "sha256-KRgcFiZWCOz1x8O0cgL7aZ1xG9bdZDPwRKSgqOWJ2nQ=";
- })
- ];
- outputs = [ "out" "dev" ];
- # Unpack subproject sources
- postUnpack = ''(
- cd "$sourceRoot/subprojects"
- tar -zxf ${gcc-wrap}
- cp -av packagefiles/gcc-10.2.0/. gcc-10.2.0
- tar -zxf ${tomlc99-wrap}
- cp -av packagefiles/tomlc99/. tomlc99-208203af46bdbdb29ba199660ed78d09c220b6c5
- tar -zxf ${cjson-wrap}
- cp -av packagefiles/cJSON/. cJSON-1.7.12
- tar -zxf ${curl-wrap}
- cp -av packagefiles/curl-8.7.1/. curl-8.7.1
- mkdir mbedtls-mbedtls-3.5.2
- tar -zxf ${mbedtls-wrap} -C mbedtls-mbedtls-3.5.2
- cp -av packagefiles/mbedtls/. mbedtls-mbedtls-3.5.2
- tar -zxf ${uthash-wrap}
- cp -av packagefiles/uthash/. uthash-2.1.0
- mkdir glibc-2.39-1
- tar -zxf ${glibc-wrap} -C glibc-2.39-1
- cp -av packagefiles/glibc-2.39/. glibc-2.39-1
- sed -i -e 's#set -e#set -ex#g' glibc-2.39-1/compile.sh
- )'';
- postPatch = ''
 patchShebangs --build $(find . -name '*.sh')
 patchShebangs --build $(find . -name '*.py')
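Review bot: The seven explicit sha256 pins for gcc, tomlc99, cJSON, curl, mbedtls, uthash and glibc are replaced by `meson subprojects download` running inside the fixed-output fetcher, so every subproject's integrity now rests on whatever hash or revision each `.wrap` file in the v1.8 tree declares plus the single outer `hash` of the fetcher; a comment above `postFetch` should say so, e.g. `# subproject tarballs are fetched by meson from subprojects/*.wrap; the only pin is the outer fetcher hash, so any wrap change must be reviewed and the hash recomputed`. The `rm -rf subprojects/…/.git` implies at least one git-based wrap, and a git wrap pins a revision rather than a content hash, so a tag that is moved upstream is caught only by that outer hash — worth stating explicitly so nobody later "fixes" a mismatch by just re-prefetching. Whether the `( … )` subshell runs under `set -e` is inherited from the fetcher script and not visible here; if it does not, a failed download also surfaces only as an outer hash mismatch rather than as a clear error. The `fetchpatch` for cd68a460 (pipe locking) is dropped without a note; if it landed in v1.8, say so in a one-line comment so the removal is verifiable. The enclosing `buildPythonPackage` attribute set continues past the hunk.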
@@ -113,8 +65,15 @@ python.pkgs.buildPythonPackage {
 "-Ddirect=enabled"
 "-Dsgx=enabled"
 "-Dsgx_driver=upstream"
+ "-Dc_args=-Wno-error=attributes"
+ "-Dc_args=-Wno-attributes"
 ];
+ env.PERL = lib.getExe perl;
+
+ # will be enabled by projects on demand
+ hardeningDisable = [ "fortify" "pie" "stackprotector" ];
+ postFixup = ''
 set -e
 rm $out/lib/*.a
@@ -138,7 +97,6 @@ python.pkgs.buildPythonPackage {
 pkg-config
 nixsgx.sgx-sdk
 nixsgx.protobufc
- nixsgx.protobufc.dev
 nixsgx.sgx-dcap.dev
 nixsgx.sgx-dcap.quote_verify
 autoconf
@@ -146,6 +104,7 @@ python.pkgs.buildPythonPackage {
 bison
 patchelf
 which
+ perl
 ];
 buildInputs = [
@@ -158,8 +117,6 @@ python.pkgs.buildPythonPackage {
 (python.withPackages my-python-packages)
 ];
- #doCheck = false;
- meta = with lib; {
 description = "A lightweight usermode guest OS designed to run a single Linux application";
 homepage = "https://gramine.readthedocs.io/";
diff --git a/packages/nixsgx-test-sgx-dcap/default.nix b/packages/nixsgx-test-sgx-dcap/default.nix
index e31b282..33f789f 100644
--- a/packages/nixsgx-test-sgx-dcap/default.nix
+++ b/packages/nixsgx-test-sgx-dcap/default.nix
@@ -19,7 +19,7 @@ pkgs.lib.tee.sgxGramineContainer {
 sgx = {
 edmm_enable = false;
 enclave_size = "32M";
- max_threads = 2;
+ max_threads = 4;
 };
 };
 }
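Review bot: `-Dc_args` is passed twice in mesonFlags; meson does not merge repeated `-D` keys (depending on the version it either errors out or lets the last one win), so at most one of `-Wno-error=attributes` / `-Wno-attributes` takes effect — fold them into a single entry, `"-Dc_args=-Wno-error=attributes -Wno-attributes"`, or keep only `-Wno-attributes`, which already suppresses the warning that `-Werror` would promote. `hardeningDisable = [ "fortify" "pie" "stackprotector" ]` removes stack protector, FORTIFY_SOURCE and PIE from everything this derivation compiles, which includes the enclave-side PAL/LibOS and, as far as the build goes through meson, the glibc and gcc subprojects; the comment `# will be enabled by projects on demand` names neither which flag breaks which build nor who re-enables them, so it should state the concrete reason, e.g. `# nixpkgs cc-wrapper hardening flags break the bootstrap of the meson subprojects (gcc/glibc); Gramine's own meson.build sets the in-enclave hardening flags it supports`, if that is the case. If it is not the case, dropping these mitigations from code that runs inside the enclave is a deliberate security regression and deserves a callout rather than a one-liner. The `buildPythonPackage` attribute set this hunk belongs to starts and ends outside the hunk.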