feat(gramine): v1.7 -> v1.8

Signed-off-by: Harald Hoyer <harald@matterlabs.dev>
2025-07-21 07:33:55 +02:00 · 2024-11-12 17:27:23 +01:00 · 2024-11-12 17:27:23 +01:00 · 50f3adc1c6
commit 50f3adc1c6
parent ee9445bf57
3 changed files with 28 additions and 69 deletions
--- a/overlays/libTee/sgxGramineContainer.nix
+++ b/overlays/libTee/sgxGramineContainer.nix
@ -55,7 +55,7 @@ let
    };
    loader = {
      argv = [ entrypoint ];
-      entrypoint = "file:{{ gramine.libos }}";
+      entrypoint.uri = "file:{{ gramine.libos }}";
      env = {
        AZDCAP_COLLATERAL_VERSION = "v4";
        AZDCAP_DEBUG_LOG_LEVEL = "ignore";
@ -209,7 +209,9 @@ let
            CHROOT=$(pwd)
            appDir="${appDir}"
            cd "''${appDir#/}"
-            HOME="''${appDir#/}" ${nixsgx.gramine}/bin/gramine-manifest ${manifestFile} ${appName}.manifest;
+            HOME="${appDir}" ${nixsgx.gramine}/bin/gramine-manifest \
                --chroot "$CHROOT" \
                ${manifestFile} ${appName}.manifest;
            ${nixsgx.gramine}/bin/gramine-sgx-sign \
              --chroot "$CHROOT" \
              --manifest ${appName}.manifest \
--- a/packages/gramine/default.nix
+++ b/packages/gramine/default.nix
@ -8,44 +8,16 @@
 , nasm
 , ninja
 , cmake
 , cacert
 , pkg-config
 , autoconf
 , perl
 , gawk
 , bison
 , patchelf
 , which
 , ...
 }:
 let
  gcc-wrap = fetchurl {
    url = "https://ftp.gnu.org/gnu/gcc/gcc-10.2.0/gcc-10.2.0.tar.gz";
    hash = "sha256-J+h53MxjnNewzAjtV1wWaUkleVKbU8n/J7C5YmX6hn0=";
  };
  tomlc99-wrap = fetchurl {
    url = "https://github.com/cktan/tomlc99/archive/208203af46bdbdb29ba199660ed78d09c220b6c5.tar.gz";
    hash = "sha256-cxORP94awLCjGjTk/I4QSMDLGwgT59okpEtMw8gPDok=";
  };
  cjson-wrap = fetchurl {
    url = "https://github.com/DaveGamble/cJSON/archive/v1.7.12.tar.gz";
    hash = "sha256-dgaHZlq0Glz/nECxBTwZVyvNqt7xGU5cuhteb4JGhuc=";
  };
  curl-wrap = fetchurl {
    url = "https://curl.se/download/curl-8.7.1.tar.gz";
    hash = "sha256-+RJJyH9o6gDPJ8RP36WnhCPkHnG31AjlkBqYltkFxJU=";
  };
  mbedtls-wrap = fetchurl {
    url = "https://github.com/ARMmbed/mbedtls/archive/mbedtls-3.5.2.tar.gz";
    hash = "sha256-7t7MRos/jQUu8FqdQr9j8EyKHFDRxalMJRxoE2WixyM=";
  };
  uthash-wrap = fetchurl {
    url = "https://github.com/troydhanson/uthash/archive/v2.1.0.tar.gz";
    hash = "sha256-FSzNjmTQ9JU3cjLjlk0Gx+yLuMP70yF/ilcCYU+aZp4=";
  };
  glibc-wrap = fetchurl {
    url = "https://ftp.gnu.org/gnu/glibc/glibc-2.39.tar.gz";
    hash = "sha256-l/hPO3WIzVQJOm9jibDBqB5w2ZcI10ljouPqt8fclC0=";
  };
  python = pkgs.python3;
  my-python-packages = ps: with ps; [
@ -60,48 +32,28 @@ let
 in
 python.pkgs.buildPythonPackage {
  pname = "gramine";
-  version = "1.7";
+  version = "1.8";
  src = pkgs.fetchFromGitHub {
    owner = "gramineproject";
    repo = "gramine";
-    rev = "v1.7";
+    rev = "v1.8";
-    hash = "sha256-QHgRGIx4jnTh0O3ihJbnuPwTdygJ03zpL2bdqAN9+sA=";
+    hash = "sha256-yz7hVEJAqYQbzdCEVG1c/mVpuBDQtv/MUSCcH60pN5g=";
    fetchSubmodules = true;
    postFetch = ''
      (
        cd "$out"
        export NIX_SSL_CERT_FILE=${cacert}/etc/ssl/certs/ca-bundle.crt
        for prj in subprojects/*.wrap; do
          ${lib.getExe meson} subprojects download "$(basename "$prj" .wrap)"
          rm -rf subprojects/$(basename "$prj" .wrap)/.git
        done
      )
    '';
  };
  patches = [
    # Add locking around read/write on encrypted pipes
    (fetchpatch {
      url = "https://github.com/gramineproject/gramine/commit/cd68a460abf9db2295f5dc5cf292b8678741fb22.patch";
      hash = "sha256-KRgcFiZWCOz1x8O0cgL7aZ1xG9bdZDPwRKSgqOWJ2nQ=";
    })
  ];
  outputs = [ "out" "dev" ];
  # Unpack subproject sources
  postUnpack = ''(
    cd "$sourceRoot/subprojects"
    tar -zxf ${gcc-wrap}
    cp -av packagefiles/gcc-10.2.0/. gcc-10.2.0
    tar -zxf ${tomlc99-wrap}
    cp -av packagefiles/tomlc99/. tomlc99-208203af46bdbdb29ba199660ed78d09c220b6c5
    tar -zxf ${cjson-wrap}
    cp -av packagefiles/cJSON/. cJSON-1.7.12
    tar -zxf ${curl-wrap}
    cp -av packagefiles/curl-8.7.1/. curl-8.7.1
    mkdir mbedtls-mbedtls-3.5.2
    tar -zxf ${mbedtls-wrap} -C mbedtls-mbedtls-3.5.2
    cp -av packagefiles/mbedtls/. mbedtls-mbedtls-3.5.2
    tar -zxf ${uthash-wrap}
    cp -av packagefiles/uthash/. uthash-2.1.0
    mkdir glibc-2.39-1
    tar -zxf ${glibc-wrap} -C glibc-2.39-1
    cp -av packagefiles/glibc-2.39/. glibc-2.39-1
    sed -i -e 's#set -e#set -ex#g' glibc-2.39-1/compile.sh
  )'';
  postPatch = ''
    patchShebangs --build $(find . -name '*.sh')
    patchShebangs --build $(find . -name '*.py')
@ -113,8 +65,15 @@ python.pkgs.buildPythonPackage {
    "-Ddirect=enabled"
    "-Dsgx=enabled"
    "-Dsgx_driver=upstream"
    "-Dc_args=-Wno-error=attributes"
    "-Dc_args=-Wno-attributes"
  ];
  env.PERL = lib.getExe perl;
  # will be enabled by projects on demand
  hardeningDisable = [ "fortify" "pie" "stackprotector" ];
  postFixup = ''
    set -e
    rm $out/lib/*.a
@ -138,7 +97,6 @@ python.pkgs.buildPythonPackage {
    pkg-config
    nixsgx.sgx-sdk
    nixsgx.protobufc
    nixsgx.protobufc.dev
    nixsgx.sgx-dcap.dev
    nixsgx.sgx-dcap.quote_verify
    autoconf
@ -146,6 +104,7 @@ python.pkgs.buildPythonPackage {
    bison
    patchelf
    which
    perl
  ];
  buildInputs = [
@ -158,8 +117,6 @@ python.pkgs.buildPythonPackage {
    (python.withPackages my-python-packages)
  ];
  #doCheck = false;
  meta = with lib; {
    description = "A lightweight usermode guest OS designed to run a single Linux application";
    homepage = "https://gramine.readthedocs.io/";
--- a/packages/nixsgx-test-sgx-dcap/default.nix
+++ b/packages/nixsgx-test-sgx-dcap/default.nix
@ -19,7 +19,7 @@ pkgs.lib.tee.sgxGramineContainer {
    sgx = {
      edmm_enable = false;
      enclave_size = "32M";
-      max_threads = 2;
+      max_threads = 4;
    };
  };
 }