harald/nixsgx
1
0
Fork 0
mirror of https://github.com/matter-labs/nixsgx.git synced 2025-07-21 23:43:56 +02:00
Code Issues Projects Releases Packages Wiki Activity Actions

Merge pull request #30 from matter-labs/sgx-sdk-2.24

Browse source 
chore: sgx-sdk: 2.23 -> 2.24 sgx-dcap: 1.20 -> 1.21
This commit is contained in:
Harald Hoyer 2024-05-17 18:07:36 +02:00 committed by GitHub
commit 5f62851666
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
10 changed files with 188 additions and 67 deletions
Download patch file Download diff file Expand all files Collapse all files

17
packages/azure-dcap-client/default.nix
View file

@ -1,5 +1,6 @@
{ stdenv { stdenv
, fetchFromGitHub , fetchFromGitHub
, fetchpatch
, lib , lib
, curl , curl
, nlohmann_json , nlohmann_json
@ -15,7 +16,7 @@ let
find "$out" -mindepth 1 -delete find "$out" -mindepth 1 -delete
cp ${lib.concatStringsSep " " list} "$out/" cp ${lib.concatStringsSep " " list} "$out/"
''; '';
headers = linkFarmFromDrvs "azure-dcpa-client-intel-headers" [ headers = linkFarmFromDrvs "azure-dcap-client-intel-headers" [
(fetchFromGitHub rec { (fetchFromGitHub rec {
name = "${repo}-headers"; name = "${repo}-headers";
owner = "intel"; owner = "intel";
@ -44,8 +45,14 @@ stdenv.mkDerivation rec {
}; };
patches = [ patches = [
./missing-includes.patch
./Azure-DCAP-Client.patch ./Azure-DCAP-Client.patch
# Fix gcc-13 build:
# https://github.com/microsoft/Azure-DCAP-Client/pull/197
(fetchpatch {
name = "gcc-13.patch";
url = "https://github.com/microsoft/Azure-DCAP-Client/commit/fbcae7b3c8f1155998248cf5b5f4c1df979483f5.patch";
hash = "sha256-ezEuQql3stn58N1ZPKMlhPpUOBkDpCcENpGwFAmWtHc=";
})
]; ];
nativeBuildInputs = [ nativeBuildInputs = [
@ -78,11 +85,11 @@ stdenv.mkDerivation rec {
# $(nix-build -A sgx-azure-dcap-client.tests.suite)/bin/tests # $(nix-build -A sgx-azure-dcap-client.tests.suite)/bin/tests
passthru.tests.suite = callPackage ./test-suite.nix { }; passthru.tests.suite = callPackage ./test-suite.nix { };
meta = with lib; { meta = {
description = "Interfaces between SGX SDKs and the Azure Attestation SGX Certification Cache"; description = "Interfaces between SGX SDKs and the Azure Attestation SGX Certification Cache";
homepage = "https://github.com/microsoft/azure-dcap-client"; homepage = "https://github.com/microsoft/azure-dcap-client";
maintainers = with maintainers; [ phlip9 trundle veehaitch ]; maintainers = with lib.maintainers; [ phlip9 trundle veehaitch ];
platforms = [ "x86_64-linux" ]; platforms = [ "x86_64-linux" ];
license = [ licenses.mit ]; license = [ lib.licenses.mit ];
}; };
} }

2
packages/azure-dcap-client/test-suite.nix
View file

@ -9,7 +9,7 @@ sgx-azure-dcap-client.overrideAttrs (old: {
gtest gtest
]; ];
patches = [ patches = (old.patches or [ ]) ++ [
./tests-missing-includes.patch ./tests-missing-includes.patch
]; ];

6
packages/sgx-dcap/default.nix
View file

@ -15,7 +15,7 @@
}: }:
stdenv.mkDerivation rec { stdenv.mkDerivation rec {
pname = "sgx-dcap"; pname = "sgx-dcap";
version = "1.20"; version = "1.21";
postUnpack = postUnpack =
let let
@ -23,7 +23,7 @@ stdenv.mkDerivation rec {
filename = "prebuilt_dcap_${version}.tar.gz"; filename = "prebuilt_dcap_${version}.tar.gz";
prebuilt = fetchurl { prebuilt = fetchurl {
url = "https://download.01.org/intel-sgx/sgx-dcap/${version}/linux/${filename}"; url = "https://download.01.org/intel-sgx/sgx-dcap/${version}/linux/${filename}";
hash = "sha256-nPsI89KSBA3cSNTMWyktZP5dkf+BwL3NZ4MuUf6G98o="; hash = "sha256-/PPD2MyNxoCwzNljIFcpkFvItXbyvymsJ7+Uf4IyZuk=";
}; };
}; };
in in
@ -39,7 +39,7 @@ stdenv.mkDerivation rec {
owner = "intel"; owner = "intel";
repo = "SGXDataCenterAttestationPrimitives"; repo = "SGXDataCenterAttestationPrimitives";
rev = "DCAP_${version}"; rev = "DCAP_${version}";
hash = "sha256-gNQzV6wpoQUZ3x/RqvFLwak4HhDOiJC5mW0okGx3UGA="; hash = "sha256-Vp8R4W6qdPTGJFNJrPPKe9Oqxxj+UIdZf2GSL+gCyjU=";
fetchSubmodules = true; fetchSubmodules = true;
}; };

19
packages/sgx-psw/default.nix
View file

@ -13,8 +13,11 @@
, which , which
, debug ? false , debug ? false
}: }:
let
inherit (nixsgx) sgx-sdk;
in
stdenv.mkDerivation rec { stdenv.mkDerivation rec {
inherit (nixsgx.sgx-sdk) version versionTag src patches; inherit (sgx-sdk) patches src version versionTag;
pname = "sgx-psw"; pname = "sgx-psw";
postUnpack = postUnpack =
@ -29,15 +32,15 @@ stdenv.mkDerivation rec {
# Also include the Data Center Attestation Primitives (DCAP) platform # Also include the Data Center Attestation Primitives (DCAP) platform
# enclaves. # enclaves.
dcap = rec { dcap = rec {
version = "1.20"; version = "1.21";
filename = "prebuilt_dcap_${version}.tar.gz"; filename = "prebuilt_dcap_${version}.tar.gz";
prebuilt = fetchurl { prebuilt = fetchurl {
url = "https://download.01.org/intel-sgx/sgx-dcap/${version}/linux/${filename}"; url = "https://download.01.org/intel-sgx/sgx-dcap/${version}/linux/${filename}";
hash = "sha256-nPsI89KSBA3cSNTMWyktZP5dkf+BwL3NZ4MuUf6G98o="; hash = "sha256-/PPD2MyNxoCwzNljIFcpkFvItXbyvymsJ7+Uf4IyZuk=";
}; };
}; };
in in
nixsgx.sgx-sdk.postUnpack + '' sgx-sdk.postUnpack + ''
# Make sure we use the correct version of prebuilt DCAP # Make sure we use the correct version of prebuilt DCAP
grep -q 'ae_file_name=${dcap.filename}' "$src/external/dcap_source/QuoteGeneration/download_prebuilt.sh" \ grep -q 'ae_file_name=${dcap.filename}' "$src/external/dcap_source/QuoteGeneration/download_prebuilt.sh" \
|| (echo "Could not find expected prebuilt DCAP ${dcap.filename} in linux-sgx source" >&2 && exit 1) || (echo "Could not find expected prebuilt DCAP ${dcap.filename} in linux-sgx source" >&2 && exit 1)
@ -51,7 +54,7 @@ stdenv.mkDerivation rec {
file file
makeWrapper makeWrapper
python3 python3
nixsgx.sgx-sdk sgx-sdk
which which
]; ];
@ -178,11 +181,11 @@ stdenv.mkDerivation rec {
service = nixosTests.aesmd; service = nixosTests.aesmd;
}; };
meta = with lib; { meta = {
description = "Intel SGX Architectural Enclave Service Manager"; description = "Intel SGX Architectural Enclave Service Manager";
homepage = "https://github.com/intel/linux-sgx"; homepage = "https://github.com/intel/linux-sgx";
maintainers = with maintainers; [ phlip9 veehaitch citadelcore ]; maintainers = with lib.maintainers; [ phlip9 veehaitch citadelcore ];
platforms = [ "x86_64-linux" ]; platforms = [ "x86_64-linux" ];
license = with licenses; [ bsd3 ]; license = [ lib.licenses.bsd3 ];
}; };
} }

0
packages/sgx-sdk/CppMicroServices-no-mtime.patch → packages/sgx-sdk/cppmicroservices-no-mtime.patch
View file

37
packages/sgx-sdk/default.nix
View file

@ -26,15 +26,15 @@
stdenv.mkDerivation rec { stdenv.mkDerivation rec {
pname = "sgx-sdk"; pname = "sgx-sdk";
# Version as given in se_version.h # Version as given in se_version.h
version = "2.23.100.2"; version = "2.24.100.3";
# Version as used in the Git tag # Version as used in the Git tag
versionTag = "2.23"; versionTag = "2.24";
src = fetchFromGitHub { src = fetchFromGitHub {
owner = "intel"; owner = "intel";
repo = "linux-sgx"; repo = "linux-sgx";
rev = "sgx_${versionTag}"; rev = "sgx_${versionTag}";
hash = "sha256-i+fE6xKiuljG8LY8TIHgrW15DVpdp46bZdNo/BjgT/I="; hash = "sha256-1urEdfMKNUqqyJ3wQ10+tvtlRuAKELpaCWIOzjCbYKw=";
fetchSubmodules = true; fetchSubmodules = true;
}; };
@ -45,14 +45,22 @@ stdenv.mkDerivation rec {
''; '';
patches = [ patches = [
# no timestamp in mini zip archives
./CppMicroServices-no-mtime.patch
# Set the CXX standard for nix builds of sgx-psw
./aesm-cxx-standard.patch
# There's a `make preparation` step that downloads some prebuilt binaries # There's a `make preparation` step that downloads some prebuilt binaries
# and applies some patches to the in-repo git submodules. This patch removes # and applies some patches to the in-repo git submodules. This patch removes
# the parts that download things, since we can't do that inside the sandbox. # the parts that download things, since we can't do that inside the sandbox.
./disable-downloads.patch ./disable-downloads.patch
# Set the CXX standard for nix builds of sgx-psw
./aesm-cxx-standard.patch
# This patch disable mtime in bundled zip file for reproducible builds.
#
# Context: The `aesm_service` binary depends on a vendored library called
# `CppMicroServices`. At build time, this lib creates and then bundles
# service resources into a zip file and then embeds this zip into the
# binary. Without changes, the `aesm_service` will be different after every
# build because the embedded zip file contents have different modified times.
./cppmicroservices-no-mtime.patch
]; ];
postPatch = '' postPatch = ''
@ -116,8 +124,6 @@ stdenv.mkDerivation rec {
pushd 'external/ippcp_internal' pushd 'external/ippcp_internal'
cp -r ${ipp-crypto-no_mitigation}/include/. inc/
install -D -m a+rw ${ipp-crypto-no_mitigation}/lib/intel64/libippcp.a \ install -D -m a+rw ${ipp-crypto-no_mitigation}/lib/intel64/libippcp.a \
lib/linux/intel64/no_mitigation/libippcp.a lib/linux/intel64/no_mitigation/libippcp.a
install -D -m a+rw ${ipp-crypto-cve_2020_0551_load}/lib/intel64/libippcp.a \ install -D -m a+rw ${ipp-crypto-cve_2020_0551_load}/lib/intel64/libippcp.a \
@ -125,8 +131,13 @@ stdenv.mkDerivation rec {
install -D -m a+rw ${ipp-crypto-cve_2020_0551_cf}/lib/intel64/libippcp.a \ install -D -m a+rw ${ipp-crypto-cve_2020_0551_cf}/lib/intel64/libippcp.a \
lib/linux/intel64/cve_2020_0551_cf/libippcp.a lib/linux/intel64/cve_2020_0551_cf/libippcp.a
cp -r ${ipp-crypto-no_mitigation}/include/* inc/
mkdir inc/ippcp
cp ${ipp-crypto-no_mitigation}/include/fips_cert.h inc/ippcp/
rm inc/ippcp.h rm inc/ippcp.h
patch ${ipp-crypto-no_mitigation}/include/ippcp.h -i inc/ippcp21u7.patch -o inc/ippcp.h patch ${ipp-crypto-no_mitigation}/include/ippcp.h -i ./inc/ippcp21u11.patch -o ./inc/ippcp.h
install -D ${ipp-crypto-no_mitigation.src}/LICENSE license/LICENSE install -D ${ipp-crypto-no_mitigation.src}/LICENSE license/LICENSE
@ -280,11 +291,11 @@ stdenv.mkDerivation rec {
''; '';
}; };
meta = with lib; { meta = {
description = "Intel SGX SDK for Linux built with IPP Crypto Library"; description = "Intel SGX SDK for Linux built with IPP Crypto Library";
homepage = "https://github.com/intel/linux-sgx"; homepage = "https://github.com/intel/linux-sgx";
maintainers = with maintainers; [ phlip9 sbellem arturcygan veehaitch ]; maintainers = with lib.maintainers; [ phlip9 sbellem arturcygan veehaitch ];
platforms = [ "x86_64-linux" ]; platforms = [ "x86_64-linux" ];
license = with licenses; [ bsd3 ]; license = [ lib.licenses.bsd3 ];
}; };
} }

8
packages/sgx-sdk/disable-downloads.patch
View file

@ -1,8 +1,8 @@
diff --git a/Makefile b/Makefile diff --git a/Makefile b/Makefile
index 32433051..2e480efb 100644 index 73502a7..f24bd11 100644
--- a/Makefile --- a/Makefile
+++ b/Makefile +++ b/Makefile
@@ -50,8 +50,8 @@ tips: @@ -50,18 +50,18 @@ tips:
preparation: preparation:
# As SDK build needs to clone and patch openmp, we cannot support the mode that download the source from github as zip. # As SDK build needs to clone and patch openmp, we cannot support the mode that download the source from github as zip.
# Only enable the download from git # Only enable the download from git
@ -12,8 +12,10 @@ index 32433051..2e480efb 100644
+ # ./external/dcap_source/QuoteVerification/prepare_sgxssl.sh nobuild + # ./external/dcap_source/QuoteVerification/prepare_sgxssl.sh nobuild
cd external/openmp/openmp_code && git apply ../0001-Enable-OpenMP-in-SGX.patch >/dev/null 2>&1 || git apply ../0001-Enable-OpenMP-in-SGX.patch --check -R cd external/openmp/openmp_code && git apply ../0001-Enable-OpenMP-in-SGX.patch >/dev/null 2>&1 || git apply ../0001-Enable-OpenMP-in-SGX.patch --check -R
cd external/protobuf/protobuf_code && git apply ../sgx_protobuf.patch >/dev/null 2>&1 || git apply ../sgx_protobuf.patch --check -R cd external/protobuf/protobuf_code && git apply ../sgx_protobuf.patch >/dev/null 2>&1 || git apply ../sgx_protobuf.patch --check -R
- cd external/protobuf/protobuf_code && git submodule update --init --recursive && cd third_party/abseil-cpp && git apply ../../../sgx_abseil.patch>/dev/null 2>&1 || git apply ../../../sgx_abseil.patch --check -R
+ cd external/protobuf/protobuf_code && cd third_party/abseil-cpp && git apply ../../../sgx_abseil.patch>/dev/null 2>&1 || git apply ../../../sgx_abseil.patch --check -R
./external/sgx-emm/create_symlink.sh ./external/sgx-emm/create_symlink.sh
@@ -59,8 +59,8 @@ preparation: cd external/mbedtls/mbedtls_code && git apply ../sgx_mbedtls.patch >/dev/null 2>&1 || git apply ../sgx_mbedtls.patch --check -R
cd external/cbor && cp -r libcbor sgx_libcbor cd external/cbor && cp -r libcbor sgx_libcbor
cd external/cbor/libcbor && git apply ../raw_cbor.patch >/dev/null 2>&1 || git apply ../raw_cbor.patch --check -R cd external/cbor/libcbor && git apply ../raw_cbor.patch >/dev/null 2>&1 || git apply ../raw_cbor.patch --check -R
cd external/cbor/sgx_libcbor && git apply ../sgx_cbor.patch >/dev/null 2>&1 || git apply ../sgx_cbor.patch --check -R cd external/cbor/sgx_libcbor && git apply ../sgx_cbor.patch >/dev/null 2>&1 || git apply ../sgx_cbor.patch --check -R

12
packages/sgx-sdk/ipp-crypto.nix
View file

@ -2,28 +2,30 @@
, fetchFromGitHub , fetchFromGitHub
, cmake , cmake
, nasm , nasm
, ninja
, openssl , openssl
, python3 , python3
, extraCmakeFlags ? [ ] , extraCmakeFlags ? [ ]
}: }:
gcc11Stdenv.mkDerivation rec { gcc11Stdenv.mkDerivation rec {
pname = "ipp-crypto"; pname = "ipp-crypto";
version = "2021.10.0"; version = "2021.11.1";
src = fetchFromGitHub { src = fetchFromGitHub {
owner = "intel"; owner = "intel";
repo = "ipp-crypto"; repo = "ipp-crypto";
rev = "ippcp_${version}"; rev = "ippcp_${version}";
hash = "sha256-DfXsJ+4XqyjCD+79LUD53Cx8D46o1a4fAZa2UxGI1Xg="; hash = "sha256-OgNrrPE8jFVD/hcv7A43Bno96r4Z/lb7/SE6TEL7RDI=";
}; };
cmakeFlags = [ "-DARCH=intel64" ] ++ extraCmakeFlags; cmakeFlags = [
"-DARCH=intel64"
# sgx-sdk now requires FIPS-compliance mode turned on
"-DIPPCP_FIPS_MODE=on"
] ++ extraCmakeFlags;
nativeBuildInputs = [ nativeBuildInputs = [
cmake cmake
nasm nasm
ninja
openssl openssl
python3 python3
]; ];

41
packages/sgx-ssl/default.nix
View file

@ -1,16 +1,17 @@
{ stdenv { stdenv
, callPackage
, fetchFromGitHub , fetchFromGitHub
, fetchurl , fetchurl
, lib , lib
, openssl
, perl , perl
, nixsgx , nixsgx
, which , which
, debug ? false , debug ? false
}: }:
let let
sgxVersion = nixsgx.sgx-sdk.versionTag; inherit (nixsgx) sgx-sdk;
opensslVersion = "3.0.12"; sgxVersion = sgx-sdk.versionTag;
opensslVersion = "3.0.13";
in in
stdenv.mkDerivation { stdenv.mkDerivation {
pname = "sgx-ssl" + lib.optionalString debug "-debug"; pname = "sgx-ssl" + lib.optionalString debug "-debug";
@ -27,7 +28,7 @@ stdenv.mkDerivation {
let let
opensslSourceArchive = fetchurl { opensslSourceArchive = fetchurl {
url = "https://www.openssl.org/source/openssl-${opensslVersion}.tar.gz"; url = "https://www.openssl.org/source/openssl-${opensslVersion}.tar.gz";
hash = "sha256-+Tyejt3l6RZhGd4xdV/Ie0qjSGNmL2fd/LoU0La2m2E="; hash = "sha256-iFJXU/edO+wn0vp8ZqoLkrOqlJja/ZPXz6SzeAza4xM=";
}; };
in in
'' ''
@ -37,7 +38,7 @@ stdenv.mkDerivation {
postPatch = '' postPatch = ''
patchShebangs Linux/build_openssl.sh patchShebangs Linux/build_openssl.sh
# Run the test in the `installCheckPhase`, not the `buildPhase` # Skip the tests. Build and run separately (see below).
substituteInPlace Linux/sgx/Makefile \ substituteInPlace Linux/sgx/Makefile \
--replace '$(MAKE) -C $(TEST_DIR) all' \ --replace '$(MAKE) -C $(TEST_DIR) all' \
'bash -c "true"' 'bash -c "true"'
@ -45,8 +46,7 @@ stdenv.mkDerivation {
nativeBuildInputs = [ nativeBuildInputs = [
perl perl
nixsgx.sgx-sdk sgx-sdk
stdenv.cc.libc
which which
]; ];
@ -60,22 +60,23 @@ stdenv.mkDerivation {
"DESTDIR=$(out)" "DESTDIR=$(out)"
]; ];
# Build the test app # These tests build on any x86_64-linux but BOTH SIM and HW will only _run_ on
doInstallCheck = false; # real Intel hardware. Split these out so OfBorg doesn't choke on this pkg.
installCheckTarget = "test"; #
installCheckFlags = [ # ```
"SGX_MODE=SIM" # nix run .#sgx-ssl.tests.HW
"-j 1" # Makefile doesn't support multiple jobs # nix run .#sgx-ssl.tests.SIM
]; # ```
nativeInstallCheckInputs = [ passthru.tests = {
openssl HW = callPackage ./tests.nix { sgxMode = "HW"; inherit opensslVersion; };
]; SIM = callPackage ./tests.nix { sgxMode = "SIM"; inherit opensslVersion; };
};
meta = with lib; { meta = {
description = "Cryptographic library for Intel SGX enclave applications based on OpenSSL"; description = "Cryptographic library for Intel SGX enclave applications based on OpenSSL";
homepage = "https://github.com/intel/intel-sgx-ssl"; homepage = "https://github.com/intel/intel-sgx-ssl";
maintainers = with maintainers; [ phlip9 trundle veehaitch ]; maintainers = with lib.maintainers; [ phlip9 trundle veehaitch ];
platforms = [ "x86_64-linux" ]; platforms = [ "x86_64-linux" ];
license = [ licenses.bsd3 licenses.openssl ]; license = with lib.licenses; [ bsd3 openssl ];
}; };
} }

95
packages/sgx-ssl/tests.nix Normal file
View file

@ -0,0 +1,95 @@
# This package _builds_ (but doesn't run!) the sgx-ssl test enclave + harness.
# The whole package effectively does:
#
# ```
# SGX_MODE=${sgxMode} make -C Linux/sgx/test_app
# cp Linux/sgx/{TestApp,TestEnclave.signed.so} $out/bin
# ```
#
# OfBorg fails to run these tests since they require real Intel HW. That
# includes the simulation mode! The tests appears to do something fancy with
# cpuid and exception trap handlers that make them very non-portable.
#
# These tests are split out from the parent pkg since recompiling the parent
# takes like 30 min : )
{ lib
, openssl
, sgx-psw
, sgx-sdk
, sgx-ssl
, stdenv
, which
, opensslVersion ? throw "required parameter"
, sgxMode ? throw "required parameter" # "SIM" or "HW"
}:
stdenv.mkDerivation {
inherit (sgx-ssl) postPatch src version;
pname = sgx-ssl.pname + "-tests-${sgxMode}";
postUnpack = sgx-ssl.postUnpack + ''
sourceRootAbs=$(readlink -e $sourceRoot)
packageDir=$sourceRootAbs/Linux/package
# Do the inverse of 'make install' and symlink built artifacts back into
# '$src/Linux/package/' to avoid work.
mkdir $packageDir/lib $packageDir/lib64
ln -s ${lib.getLib sgx-ssl}/lib/* $packageDir/lib/
ln -s ${lib.getLib sgx-ssl}/lib64/* $packageDir/lib64/
ln -sf ${lib.getDev sgx-ssl}/include/* $packageDir/include/
# test_app needs some internal openssl headers.
# See: tail end of 'Linux/build_openssl.sh'
tar -C $sourceRootAbs/openssl_source -xf $sourceRootAbs/openssl_source/openssl-${opensslVersion}.tar.gz
echo '#define OPENSSL_VERSION_STR "${opensslVersion}"' > $sourceRootAbs/Linux/sgx/osslverstr.h
ln -s $sourceRootAbs/openssl_source/openssl-${opensslVersion}/include/crypto $sourceRootAbs/Linux/sgx/test_app/enclave/
ln -s $sourceRootAbs/openssl_source/openssl-${opensslVersion}/include/internal $sourceRootAbs/Linux/sgx/test_app/enclave/
'';
nativeBuildInputs = [
openssl.bin
sgx-sdk
which
];
preBuild = ''
# Need to regerate the edl header
make -C Linux/sgx/libsgx_tsgxssl sgx_tsgxssl_t.c
'';
makeFlags = [
"-C Linux/sgx/test_app"
"SGX_MODE=${sgxMode}"
];
installPhase = ''
runHook preInstall
# Enclaves can't be stripped after signing.
install -Dm 755 Linux/sgx/test_app/TestEnclave.signed.so -t $TMPDIR/enclaves
install -Dm 755 Linux/sgx/test_app/TestApp -t $out/bin
runHook postInstall
'';
postFixup = ''
# Move the enclaves where they actually belong.
mv $TMPDIR/enclaves/*.signed.so* $out/bin/
# HW SGX must runs against sgx-psw, not sgx-sdk.
if [[ "${sgxMode}" == "HW" ]]; then
patchelf \
--set-rpath "$( \
patchelf --print-rpath $out/bin/TestApp \
| sed 's|${lib.getLib sgx-sdk}|${lib.getLib sgx-psw}|' \
)" \
$out/bin/TestApp
fi
'';
meta = {
platforms = [ "x86_64-linux" ];
mainProgram = "TestApp";
};
}