feat: sgx-dcap.default_qpl config file

works now out of the box without a PCCS server and API token. Signed-off-by: Harald Hoyer <harald@matterlabs.dev>
2025-07-21 15:33:56 +02:00 · 2024-03-22 10:19:06 +01:00 · 2024-03-22 10:19:06 +01:00 · 802aca6e67
commit 802aca6e67
parent 7afe2bbed7
2 changed files with 23 additions and 6 deletions
--- a/packages/sgx-dcap/SGXDataCenterAttestationPrimitives-sgx_default_qcnl_conf.patch
+++ b/packages/sgx-dcap/SGXDataCenterAttestationPrimitives-sgx_default_qcnl_conf.patch
@ -0,0 +1,13 @@
+diff --git a/QuoteGeneration/qcnl/linux/sgx_default_qcnl.conf b/QuoteGeneration/qcnl/linux/sgx_default_qcnl.conf
+index a7c84c9..ac491b0 100644
+--- a/QuoteGeneration/qcnl/linux/sgx_default_qcnl.conf
+++ b/QuoteGeneration/qcnl/linux/sgx_default_qcnl.conf
+@@ -2,7 +2,7 @@
+   // *** ATTENTION : This file is in JSON format so the keys are case sensitive. Don't change them.
+   
+   //PCCS server address
+-  "pccs_url": "https://localhost:8081/sgx/certification/v4/"
+  "pccs_url": "https://api.trustedservices.intel.com/sgx/certification/v4/"
+ 
+   // To accept insecure HTTPS certificate, set this option to false
+   ,"use_secure_cert": true
--- a/packages/sgx-dcap/default.nix
+++ b/packages/sgx-dcap/default.nix
@ -63,8 +63,12 @@ stdenv.mkDerivation rec {
  ];

  patches = [
+    # make tarballs reproducible
    ./SGXDataCenterAttestationPrimitives-tarball-repro.patch
+    # sigh... Intel!
    ./SGXDataCenterAttestationPrimitives-parallel-make.patch
+    # make config work without a dedicated PCCS server by default
+    ./SGXDataCenterAttestationPrimitives-sgx_default_qcnl_conf.patch
  ];

  postPatch = ''
@ -153,7 +157,7 @@ stdenv.mkDerivation rec {
        #    sgx-ra-service
        #    tdx-qgs
    )
-    
+
    for ((i = 0 ; i < ''${#dcap_map[@]} ; i+=2 )); do
        src="''${dcap_map[i]}"
        dst="''${dcap_map[i+1]}"
@ -162,19 +166,19 @@ stdenv.mkDerivation rec {

        mkdir -p "$dst"

-        if [[ -d "$out/$src/opt/intel" ]]; then 
-          find "$out/$src/opt/intel" 
+        if [[ -d "$out/$src/opt/intel" ]]; then
+          find "$out/$src/opt/intel"
          moveToOutput "$src/opt/intel" "$dst"
          mkdir "$dst/bin"
          mv "$dst/$src/opt/intel"/*/* "$dst/bin/"
        fi
- 
-        if [[ -d "$out/$src" ]]; then 
+
+        if [[ -d "$out/$src" ]]; then
          find "$out/$src"
          moveToOutput "$src" "$dst"
        fi

-        if [[ -d "$out/$src-dev" ]]; then 
+        if [[ -d "$out/$src-dev" ]]; then
          find "$out/$src-dev"
          moveToOutput "$src-dev" "$dst"
        fi