diff --git a/packages/azure-dcap-client/default.nix b/packages/azure-dcap-client/default.nix index 60821be..58c7adc 100644 --- a/packages/azure-dcap-client/default.nix +++ b/packages/azure-dcap-client/default.nix @@ -1,5 +1,6 @@ { stdenv , fetchFromGitHub +, fetchpatch , lib , curl , nlohmann_json @@ -15,7 +16,7 @@ let find "$out" -mindepth 1 -delete cp ${lib.concatStringsSep " " list} "$out/" ''; - headers = linkFarmFromDrvs "azure-dcpa-client-intel-headers" [ + headers = linkFarmFromDrvs "azure-dcap-client-intel-headers" [ (fetchFromGitHub rec { name = "${repo}-headers"; owner = "intel"; @@ -44,8 +45,14 @@ stdenv.mkDerivation rec { }; patches = [ - ./missing-includes.patch ./Azure-DCAP-Client.patch + # Fix gcc-13 build: + # https://github.com/microsoft/Azure-DCAP-Client/pull/197 + (fetchpatch { + name = "gcc-13.patch"; + url = "https://github.com/microsoft/Azure-DCAP-Client/commit/fbcae7b3c8f1155998248cf5b5f4c1df979483f5.patch"; + hash = "sha256-ezEuQql3stn58N1ZPKMlhPpUOBkDpCcENpGwFAmWtHc="; + }) ]; nativeBuildInputs = [ @@ -78,11 +85,11 @@ stdenv.mkDerivation rec { # $(nix-build -A sgx-azure-dcap-client.tests.suite)/bin/tests passthru.tests.suite = callPackage ./test-suite.nix { }; - meta = with lib; { + meta = { description = "Interfaces between SGX SDKs and the Azure Attestation SGX Certification Cache"; homepage = "https://github.com/microsoft/azure-dcap-client"; - maintainers = with maintainers; [ phlip9 trundle veehaitch ]; + maintainers = with lib.maintainers; [ phlip9 trundle veehaitch ]; platforms = [ "x86_64-linux" ]; - license = [ licenses.mit ]; + license = [ lib.licenses.mit ]; }; } diff --git a/packages/azure-dcap-client/test-suite.nix b/packages/azure-dcap-client/test-suite.nix index 1e4432e..6136c51 100644 --- a/packages/azure-dcap-client/test-suite.nix +++ b/packages/azure-dcap-client/test-suite.nix 
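Review bot: The `patches` list drops `./missing-includes.patch`, but at least within this diff there is no deletion of that file, so it either lingers unreferenced under packages/azure-dcap-client/ or is removed in a commit I cannot see; worth confirming, since the test-suite override still carries its own `./tests-missing-includes.patch` and a reader will wonder whether the two were meant to go together. The `fetchpatch` is pinned by upstream commit and sha256, which is the right shape; a one-line hint on when the pin can go would help the next bump, e.g. `# Drop once a release of Azure-DCAP-Client includes PR 197.` above the `(fetchpatch {` line. The mkDerivation block continues outside the hunk.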
@@ -9,7 +9,7 @@ sgx-azure-dcap-client.overrideAttrs (old: { gtest ]; - patches = [ + patches = (old.patches or [ ]) ++ [ ./tests-missing-includes.patch ]; diff --git a/packages/sgx-dcap/default.nix b/packages/sgx-dcap/default.nix index b55e70a..dcc9b26 100644 --- a/packages/sgx-dcap/default.nix +++ b/packages/sgx-dcap/default.nix @@ -15,7 +15,7 @@ }: stdenv.mkDerivation rec { pname = "sgx-dcap"; - version = "1.20"; + version = "1.21"; postUnpack = let @@ -23,7 +23,7 @@ stdenv.mkDerivation rec { filename = "prebuilt_dcap_${version}.tar.gz"; prebuilt = fetchurl { url = "https://download.01.org/intel-sgx/sgx-dcap/${version}/linux/$(unknown)"; - hash = "sha256-nPsI89KSBA3cSNTMWyktZP5dkf+BwL3NZ4MuUf6G98o="; + hash = "sha256-/PPD2MyNxoCwzNljIFcpkFvItXbyvymsJ7+Uf4IyZuk="; }; }; in @@ -39,7 +39,7 @@ stdenv.mkDerivation rec { owner = "intel"; repo = "SGXDataCenterAttestationPrimitives"; rev = "DCAP_${version}"; - hash = "sha256-gNQzV6wpoQUZ3x/RqvFLwak4HhDOiJC5mW0okGx3UGA="; + hash = "sha256-Vp8R4W6qdPTGJFNJrPPKe9Oqxxj+UIdZf2GSL+gCyjU="; fetchSubmodules = true; }; diff --git a/packages/sgx-psw/default.nix b/packages/sgx-psw/default.nix index aeebdb0..e3d80fa 100644 --- a/packages/sgx-psw/default.nix +++ b/packages/sgx-psw/default.nix @@ -13,8 +13,11 @@ , which , debug ? false }: +let + inherit (nixsgx) sgx-sdk; +in stdenv.mkDerivation rec { - inherit (nixsgx.sgx-sdk) version versionTag src patches; + inherit (sgx-sdk) patches src version versionTag; pname = "sgx-psw"; postUnpack = 
@@ -29,15 +32,15 @@ stdenv.mkDerivation rec { # Also include the Data Center Attestation Primitives (DCAP) platform # enclaves. dcap = rec { - version = "1.20"; + version = "1.21"; filename = "prebuilt_dcap_${version}.tar.gz"; prebuilt = fetchurl { url = "https://download.01.org/intel-sgx/sgx-dcap/${version}/linux/$(unknown)"; - hash = "sha256-nPsI89KSBA3cSNTMWyktZP5dkf+BwL3NZ4MuUf6G98o="; + hash = "sha256-/PPD2MyNxoCwzNljIFcpkFvItXbyvymsJ7+Uf4IyZuk="; }; }; in - nixsgx.sgx-sdk.postUnpack + '' + sgx-sdk.postUnpack + '' # Make sure we use the correct version of prebuilt DCAP grep -q 'ae_file_name=${dcap.filename}' "$src/external/dcap_source/QuoteGeneration/download_prebuilt.sh" \ || (echo "Could not find expected prebuilt DCAP ${dcap.filename} in linux-sgx source" >&2 && exit 1) @@ -51,7 +54,7 @@ stdenv.mkDerivation rec { file makeWrapper python3 - nixsgx.sgx-sdk + sgx-sdk which ]; 
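Review bot: The prebuilt DCAP `version = "1.21"` and its `hash` inside `dcap = rec { … }` duplicate the `fetchurl` in packages/sgx-dcap/default.nix (its `@@ -23,7 +23,7 @@` hunk), so every DCAP bump must be made twice and a divergence would only surface late, as the `grep -q 'ae_file_name=…'` guard in postUnpack failing. Consider having sgx-dcap expose the prebuilt tarball (e.g. through `passthru`) and consuming it here, or at minimum put `# Keep in sync with packages/sgx-dcap/default.nix` next to `version`. The `inherit (nixsgx) sgx-sdk;` hoist and the `sgx-sdk.postUnpack` reference are fine. The mkDerivation block starts and ends outside this hunk.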
@@ -159,30 +162,30 @@ stdenv.mkDerivation rec { echo "Fixing aesmd.service" substituteInPlace $out/lib/systemd/system/aesmd.service \ --replace '@aesm_folder@' \ - "$out/aesm" \ + "$out/aesm" \ --replace 'Type=forking' \ - 'Type=simple' \ + 'Type=simple' \ --replace "ExecStart=$out/aesm/aesm_service" \ - "ExecStart=$out/bin/aesm_service --no-daemon"\ + "ExecStart=$out/bin/aesm_service --no-daemon"\ --replace "/bin/mkdir" \ - "${coreutils}/bin/mkdir" \ + "${coreutils}/bin/mkdir" \ --replace "/bin/chown" \ - "${coreutils}/bin/chown" \ + "${coreutils}/bin/chown" \ --replace "/bin/chmod" \ - "${coreutils}/bin/chmod" \ + "${coreutils}/bin/chmod" \ --replace "/bin/kill" \ - "${coreutils}/bin/kill" + "${coreutils}/bin/kill" ''; passthru.tests = { service = nixosTests.aesmd; }; - meta = with lib; { + meta = { description = "Intel SGX Architectural Enclave Service Manager"; homepage = "https://github.com/intel/linux-sgx"; - maintainers = with maintainers; [ phlip9 veehaitch citadelcore ]; + maintainers = with lib.maintainers; [ phlip9 veehaitch citadelcore ]; platforms = [ "x86_64-linux" ]; - license = with licenses; [ bsd3 ]; + license = [ lib.licenses.bsd3 ]; }; } diff --git a/packages/sgx-sdk/CppMicroServices-no-mtime.patch b/packages/sgx-sdk/cppmicroservices-no-mtime.patch similarity index 99% rename from packages/sgx-sdk/CppMicroServices-no-mtime.patch rename to packages/sgx-sdk/cppmicroservices-no-mtime.patch index 8423367..019f589 100644 --- a/packages/sgx-sdk/CppMicroServices-no-mtime.patch +++ b/packages/sgx-sdk/cppmicroservices-no-mtime.patch @@ -21,6 +21,6 @@ index 6b0ebd7a..fa2aebca 100644 // The current downside is the times written to your archives will be from 1979. -//#define MINIZ_NO_TIME +#define MINIZ_NO_TIME - + // Define MINIZ_NO_ARCHIVE_APIS to disable all ZIP archive API's. //#define MINIZ_NO_ARCHIVE_APIS diff --git a/packages/sgx-sdk/default.nix b/packages/sgx-sdk/default.nix index f9eea84..2fdc828 100644 --- a/packages/sgx-sdk/default.nix 
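Review bot: The re-indented `substituteInPlace` on `aesmd.service` still uses `--replace`, which succeeds silently when a pattern such as `Type=forking` or `/bin/mkdir` is no longer present upstream, so after the 2.24 bump a stale pattern would leave the unit pointing at the wrong `ExecStart` or helper paths with no build failure. If the nixpkgs in use provides it, switch each occurrence to `--replace-fail` with the same arguments; the same applies to the `substituteInPlace Linux/sgx/Makefile` call in packages/sgx-ssl/default.nix. The continuation-line whitespace changes are otherwise harmless and the `meta` rewrite is pure style. The mkDerivation block starts outside this hunk.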
+++ b/packages/sgx-sdk/default.nix @@ -26,15 +26,15 @@ stdenv.mkDerivation rec { pname = "sgx-sdk"; # Version as given in se_version.h - version = "2.23.100.2"; + version = "2.24.100.3"; # Version as used in the Git tag - versionTag = "2.23"; + versionTag = "2.24"; src = fetchFromGitHub { owner = "intel"; repo = "linux-sgx"; rev = "sgx_${versionTag}"; - hash = "sha256-i+fE6xKiuljG8LY8TIHgrW15DVpdp46bZdNo/BjgT/I="; + hash = "sha256-1urEdfMKNUqqyJ3wQ10+tvtlRuAKELpaCWIOzjCbYKw="; fetchSubmodules = true; }; @@ -45,14 +45,22 @@ stdenv.mkDerivation rec { ''; patches = [ - # no timestamp in mini zip archives - ./CppMicroServices-no-mtime.patch - # Set the CXX standard for nix builds of sgx-psw - ./aesm-cxx-standard.patch # There's a `make preparation` step that downloads some prebuilt binaries # and applies some patches to the in-repo git submodules. This patch removes # the parts that download things, since we can't do that inside the sandbox. ./disable-downloads.patch + + # Set the CXX standard for nix builds of sgx-psw + ./aesm-cxx-standard.patch + + # This patch disable mtime in bundled zip file for reproducible builds. + # + # Context: The `aesm_service` binary depends on a vendored library called + # `CppMicroServices`. At build time, this lib creates and then bundles + # service resources into a zip file and then embeds this zip into the + # binary. Without changes, the `aesm_service` will be different after every + # build because the embedded zip file contents have different modified times. + ./cppmicroservices-no-mtime.patch ]; postPatch = '' @@ -116,8 +124,6 @@ stdenv.mkDerivation rec { pushd 'external/ippcp_internal' - cp -r ${ipp-crypto-no_mitigation}/include/. inc/ - install -D -m a+rw ${ipp-crypto-no_mitigation}/lib/intel64/libippcp.a \ lib/linux/intel64/no_mitigation/libippcp.a install -D -m a+rw ${ipp-crypto-cve_2020_0551_load}/lib/intel64/libippcp.a \ 
@@ -125,8 +131,13 @@ stdenv.mkDerivation rec { install -D -m a+rw ${ipp-crypto-cve_2020_0551_cf}/lib/intel64/libippcp.a \ lib/linux/intel64/cve_2020_0551_cf/libippcp.a + cp -r ${ipp-crypto-no_mitigation}/include/* inc/ + + mkdir inc/ippcp + cp ${ipp-crypto-no_mitigation}/include/fips_cert.h inc/ippcp/ + rm inc/ippcp.h - patch ${ipp-crypto-no_mitigation}/include/ippcp.h -i inc/ippcp21u7.patch -o inc/ippcp.h + patch ${ipp-crypto-no_mitigation}/include/ippcp.h -i ./inc/ippcp21u11.patch -o ./inc/ippcp.h install -D ${ipp-crypto-no_mitigation.src}/LICENSE license/LICENSE @@ -280,11 +291,11 @@ stdenv.mkDerivation rec { ''; }; - meta = with lib; { + meta = { description = "Intel SGX SDK for Linux built with IPP Crypto Library"; homepage = "https://github.com/intel/linux-sgx"; - maintainers = with maintainers; [ phlip9 sbellem arturcygan veehaitch ]; + maintainers = with lib.maintainers; [ phlip9 sbellem arturcygan veehaitch ]; platforms = [ "x86_64-linux" ]; - license = with licenses; [ bsd3 ]; + license = [ lib.licenses.bsd3 ]; }; } diff --git a/packages/sgx-sdk/disable-downloads.patch b/packages/sgx-sdk/disable-downloads.patch index bdf9b9f..c045606 100644 --- a/packages/sgx-sdk/disable-downloads.patch +++ b/packages/sgx-sdk/disable-downloads.patch @@ -1,8 +1,8 @@ diff --git a/Makefile b/Makefile -index 32433051..2e480efb 100644 +index 73502a7..f24bd11 100644 --- a/Makefile +++ b/Makefile -@@ -50,8 +50,8 @@ tips: +@@ -50,18 +50,18 @@ tips: preparation: # As SDK build needs to clone and patch openmp, we cannot support the mode that download the source from github as zip. # Only enable the download from git 
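Review bot: The `patch … -i ./inc/ippcp21u11.patch -o ./inc/ippcp.h` line couples this postPatch to the ipp-crypto version pinned in ./ipp-crypto.nix (`2021.11.1`), exactly as the old `ippcp21u7.patch` tracked the previous pin, but nothing in the hunk says so; a comment such as `# ippcp21uNN.patch comes from linux-sgx (external/ippcp_internal/inc) and must match the ipp-crypto version in ./ipp-crypto.nix` above the `patch` call would save the next bump a confusing failure. The added `mkdir inc/ippcp` will fail if the preceding `cp -r …/include/* inc/` already created an `inc/ippcp` directory — I cannot tell from here whether the ipp-crypto include tree ships one, so `mkdir -p` would be the safer form if it does. The `fips_cert.h` copy presumably relies on ipp-crypto being built with `-DIPPCP_FIPS_MODE=on` (see ipp-crypto.nix); naming that dependency here as well would help. The mkDerivation block starts and ends outside this hunk.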
@@ -12,8 +12,10 @@ index 32433051..2e480efb 100644 + # ./external/dcap_source/QuoteVerification/prepare_sgxssl.sh nobuild cd external/openmp/openmp_code && git apply ../0001-Enable-OpenMP-in-SGX.patch >/dev/null 2>&1 || git apply ../0001-Enable-OpenMP-in-SGX.patch --check -R cd external/protobuf/protobuf_code && git apply ../sgx_protobuf.patch >/dev/null 2>&1 || git apply ../sgx_protobuf.patch --check -R +- cd external/protobuf/protobuf_code && git submodule update --init --recursive && cd third_party/abseil-cpp && git apply ../../../sgx_abseil.patch>/dev/null 2>&1 || git apply ../../../sgx_abseil.patch --check -R ++ cd external/protobuf/protobuf_code && cd third_party/abseil-cpp && git apply ../../../sgx_abseil.patch>/dev/null 2>&1 || git apply ../../../sgx_abseil.patch --check -R ./external/sgx-emm/create_symlink.sh -@@ -59,8 +59,8 @@ preparation: + cd external/mbedtls/mbedtls_code && git apply ../sgx_mbedtls.patch >/dev/null 2>&1 || git apply ../sgx_mbedtls.patch --check -R cd external/cbor && cp -r libcbor sgx_libcbor cd external/cbor/libcbor && git apply ../raw_cbor.patch >/dev/null 2>&1 || git apply ../raw_cbor.patch --check -R cd external/cbor/sgx_libcbor && git apply ../sgx_cbor.patch >/dev/null 2>&1 || git apply ../sgx_cbor.patch --check -R diff --git a/packages/sgx-sdk/ipp-crypto.nix b/packages/sgx-sdk/ipp-crypto.nix index df7600c..eba9e7f 100644 --- a/packages/sgx-sdk/ipp-crypto.nix +++ b/packages/sgx-sdk/ipp-crypto.nix 
@@ -2,28 +2,30 @@ , fetchFromGitHub , cmake , nasm -, ninja , openssl , python3 , extraCmakeFlags ? [ ] }: gcc11Stdenv.mkDerivation rec { pname = "ipp-crypto"; - version = "2021.10.0"; + version = "2021.11.1"; src = fetchFromGitHub { owner = "intel"; repo = "ipp-crypto"; rev = "ippcp_${version}"; - hash = "sha256-DfXsJ+4XqyjCD+79LUD53Cx8D46o1a4fAZa2UxGI1Xg="; + hash = "sha256-OgNrrPE8jFVD/hcv7A43Bno96r4Z/lb7/SE6TEL7RDI="; }; - cmakeFlags = [ "-DARCH=intel64" ] ++ extraCmakeFlags; + cmakeFlags = [ + "-DARCH=intel64" + # sgx-sdk now requires FIPS-compliance mode turned on + "-DIPPCP_FIPS_MODE=on" + ] ++ extraCmakeFlags; nativeBuildInputs = [ cmake nasm - ninja openssl python3 ]; diff --git a/packages/sgx-ssl/default.nix b/packages/sgx-ssl/default.nix index 502ed8c..ee1ab81 100644 --- a/packages/sgx-ssl/default.nix +++ b/packages/sgx-ssl/default.nix @@ -1,16 +1,17 @@ { stdenv +, callPackage , fetchFromGitHub , fetchurl , lib -, openssl , perl , nixsgx , which , debug ? false }: let - sgxVersion = nixsgx.sgx-sdk.versionTag; - opensslVersion = "3.0.12"; + inherit (nixsgx) sgx-sdk; + sgxVersion = sgx-sdk.versionTag; + opensslVersion = "3.0.13"; in stdenv.mkDerivation { pname = "sgx-ssl" + lib.optionalString debug "-debug"; @@ -27,7 +28,7 @@ stdenv.mkDerivation { let opensslSourceArchive = fetchurl { url = "https://www.openssl.org/source/openssl-${opensslVersion}.tar.gz"; - hash = "sha256-+Tyejt3l6RZhGd4xdV/Ie0qjSGNmL2fd/LoU0La2m2E="; + hash = "sha256-iFJXU/edO+wn0vp8ZqoLkrOqlJja/ZPXz6SzeAza4xM="; }; in '' @@ -37,16 +38,15 @@ stdenv.mkDerivation { postPatch = '' patchShebangs Linux/build_openssl.sh - # Run the test in the `installCheckPhase`, not the `buildPhase` + # Skip the tests. Build and run separately (see below). substituteInPlace Linux/sgx/Makefile \ --replace '$(MAKE) -C $(TEST_DIR) all' \ - 'bash -c "true"' + 'bash -c "true"' ''; nativeBuildInputs = [ perl - nixsgx.sgx-sdk - stdenv.cc.libc + sgx-sdk which ]; 
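Review bot: The comment on `-DIPPCP_FIPS_MODE=on` says sgx-sdk "now requires" it but not what consumes it; the only consumer visible in this diff is sgx-sdk's postPatch copying `include/fips_cert.h` into `inc/ippcp/`, so `# sgx-sdk's postPatch copies include/fips_cert.h (see ./default.nix); presumably only produced with FIPS mode on` would let a future reader judge whether the flag can ever be dropped. Because the flag is listed before `++ extraCmakeFlags`, a caller can still append a conflicting `-DIPPCP_FIPS_MODE=off` and break the consumer; that is acceptable for an internal helper but worth a word in the same comment. Removing `ninja` from nativeBuildInputs should be fine as long as the cmake hook falls back to its default Makefile generator, which I believe it does when ninja is absent.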
@@ -60,22 +60,23 @@ stdenv.mkDerivation { "DESTDIR=$(out)" ]; - # Build the test app - doInstallCheck = false; - installCheckTarget = "test"; - installCheckFlags = [ - "SGX_MODE=SIM" - "-j 1" # Makefile doesn't support multiple jobs - ]; - nativeInstallCheckInputs = [ - openssl - ]; + # These tests build on any x86_64-linux but BOTH SIM and HW will only _run_ on + # real Intel hardware. Split these out so OfBorg doesn't choke on this pkg. + # + # ``` + # nix run .#sgx-ssl.tests.HW + # nix run .#sgx-ssl.tests.SIM + # ``` + passthru.tests = { + HW = callPackage ./tests.nix { sgxMode = "HW"; inherit opensslVersion; }; + SIM = callPackage ./tests.nix { sgxMode = "SIM"; inherit opensslVersion; }; + }; - meta = with lib; { + meta = { description = "Cryptographic library for Intel SGX enclave applications based on OpenSSL"; homepage = "https://github.com/intel/intel-sgx-ssl"; - maintainers = with maintainers; [ phlip9 trundle veehaitch ]; + maintainers = with lib.maintainers; [ phlip9 trundle veehaitch ]; platforms = [ "x86_64-linux" ]; - license = [ licenses.bsd3 licenses.openssl ]; + license = with lib.licenses; [ bsd3 openssl ]; }; } diff --git a/packages/sgx-ssl/tests.nix b/packages/sgx-ssl/tests.nix new file mode 100644 index 0000000..d9357ba --- /dev/null +++ b/packages/sgx-ssl/tests.nix 
@@ -0,0 +1,95 @@ +# This package _builds_ (but doesn't run!) the sgx-ssl test enclave + harness. +# The whole package effectively does: +# +# ``` +# SGX_MODE=${sgxMode} make -C Linux/sgx/test_app +# cp Linux/sgx/{TestApp,TestEnclave.signed.so} $out/bin +# ``` +# +# OfBorg fails to run these tests since they require real Intel HW. That +# includes the simulation mode! The tests appears to do something fancy with +# cpuid and exception trap handlers that make them very non-portable. +# +# These tests are split out from the parent pkg since recompiling the parent +# takes like 30 min : ) + +{ lib +, openssl +, sgx-psw +, sgx-sdk +, sgx-ssl +, stdenv +, which +, opensslVersion ? throw "required parameter" +, sgxMode ? throw "required parameter" # "SIM" or "HW" +}: +stdenv.mkDerivation { + inherit (sgx-ssl) postPatch src version; + pname = sgx-ssl.pname + "-tests-${sgxMode}"; + + postUnpack = sgx-ssl.postUnpack + '' + sourceRootAbs=$(readlink -e $sourceRoot) + packageDir=$sourceRootAbs/Linux/package + + # Do the inverse of 'make install' and symlink built artifacts back into + # '$src/Linux/package/' to avoid work. + mkdir $packageDir/lib $packageDir/lib64 + ln -s ${lib.getLib sgx-ssl}/lib/* $packageDir/lib/ + ln -s ${lib.getLib sgx-ssl}/lib64/* $packageDir/lib64/ + ln -sf ${lib.getDev sgx-ssl}/include/* $packageDir/include/ + + # test_app needs some internal openssl headers. 
+ # See: tail end of 'Linux/build_openssl.sh' + tar -C $sourceRootAbs/openssl_source -xf $sourceRootAbs/openssl_source/openssl-${opensslVersion}.tar.gz + echo '#define OPENSSL_VERSION_STR "${opensslVersion}"' > $sourceRootAbs/Linux/sgx/osslverstr.h + ln -s $sourceRootAbs/openssl_source/openssl-${opensslVersion}/include/crypto $sourceRootAbs/Linux/sgx/test_app/enclave/ + ln -s $sourceRootAbs/openssl_source/openssl-${opensslVersion}/include/internal $sourceRootAbs/Linux/sgx/test_app/enclave/ + ''; + + nativeBuildInputs = [ + openssl.bin + sgx-sdk + which + ]; + + preBuild = '' + # Need to regerate the edl header + make -C Linux/sgx/libsgx_tsgxssl sgx_tsgxssl_t.c + ''; + + makeFlags = [ + "-C Linux/sgx/test_app" + "SGX_MODE=${sgxMode}" + ]; + + installPhase = '' + runHook preInstall + + # Enclaves can't be stripped after signing. + install -Dm 755 Linux/sgx/test_app/TestEnclave.signed.so -t $TMPDIR/enclaves + + install -Dm 755 Linux/sgx/test_app/TestApp -t $out/bin + + runHook postInstall + ''; + + postFixup = '' + # Move the enclaves where they actually belong. + mv $TMPDIR/enclaves/*.signed.so* $out/bin/ + + # HW SGX must runs against sgx-psw, not sgx-sdk. + if [[ "${sgxMode}" == "HW" ]]; then + patchelf \ + --set-rpath "$( \ + patchelf --print-rpath $out/bin/TestApp \ + | sed 's|${lib.getLib sgx-sdk}|${lib.getLib sgx-psw}|' \ + )" \ + $out/bin/TestApp + fi + ''; + + meta = { + platforms = [ "x86_64-linux" ]; + mainProgram = "TestApp"; + }; +}
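Review bot: `sgxMode` is only ever compared against `"HW"` in postFixup, so any other value (a typo such as `"Hw"`) silently yields a SIM-style build whose name carries the typo; add `assert sgxMode == "HW" || sgxMode == "SIM";` before `stdenv.mkDerivation {` (or `lib.assertOneOf "sgxMode" sgxMode [ "HW" "SIM" ]`) so the error surfaces at evaluation time. The `$TMPDIR/enclaves` detour in installPhase exists to keep the fixup strip away from the signed enclave, which is the right concern since the comment itself notes enclaves cannot be stripped after signing, but `dontStrip = true;` states that intent directly and lets `TestEnclave.signed.so` be installed under `$out/bin` in installPhase rather than moved in postFixup. The removed `installCheckFlags` in packages/sgx-ssl/default.nix carried `"-j 1" # Makefile doesn't support multiple jobs`, and nothing here preserves that constraint; `enableParallelBuilding = false; # test_app Makefile doesn't support multiple jobs` would keep it from being lost if parallel builds are ever enabled by default. Minor: `regerate` and `must runs` in the comments.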