harald/nixsgx
1
0
Fork 0
mirror of https://github.com/matter-labs/nixsgx.git synced 2025-07-21 07:33:55 +02:00
Code Issues Projects Releases Packages Wiki Activity Actions

Merge branch 'main' into gramine-v1.8

Browse source
This commit is contained in:
Harald Hoyer 2024-11-19 23:08:47 +07:00 committed by GitHub
commit 86524f9b3b
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
2 changed files with 31 additions and 3 deletions
Download patch file Download diff file Expand all files Collapse all files

30
README.md
View file

@ -1,6 +1,6 @@
# nixsgx # nixsgx
This repository contains a Nix flake with up2date packages for the Intel SGX SDK and gramine. This repository contains a Nix flake with up-to-date packages for the Intel SGX SDK and gramine.
Hopefully most of the packages will be upstreamed to nixpkgs at some point. Hopefully most of the packages will be upstreamed to nixpkgs at some point.
@ -8,5 +8,29 @@ All package builds should be reproducible and therefore can be used to build rep
## Usage ## Usage
See: https://github.com/matter-labs/teepot ### Test enclave
and https://github.com/matter-labs/era-fee-withdrawer/tree/gramine-sgx
A testing enclave container is provided and can be ran like so:
```sh
# Build the dcap (or azure) container variant
nix build .#nixsgx-test-sgx-dcap
# Load image into docker
docker load < result
# Run the enclave, binding the sgx devices
docker run -i --init --rm \
--device /dev/sgx_enclave \
--device /dev/sgx_provision \
nixsgx-test-sgx-dcap:latest
```
> Note: An external aesmd instance can be provided by mounting the socket to the container: `-v /var/run/aesmd/aesm.socket:/var/run/aesmd/aesm.socket`
### Reference projects
The following projects provide reproducible enclaves using nixsgx:
- https://github.com/matter-labs/teepot
- https://github.com/matter-labs/era-fee-withdrawer/tree/gramine-sgx

4
overlays/libTee/sgxGramineContainer.nix
View file

@ -22,6 +22,7 @@
, sigFile ? null , sigFile ? null
, extendedPackages ? [ ] , extendedPackages ? [ ]
, customRecursiveMerge ? null , customRecursiveMerge ? null
, maxLayers ? 100
}: }:
assert lib.assertMsg (!(isAzure && sgx_default_qcnl_conf != null)) "sgx_default_qcnl_conf can't be set for Azure"; assert lib.assertMsg (!(isAzure && sgx_default_qcnl_conf != null)) "sgx_default_qcnl_conf can't be set for Azure";
let let
@ -201,6 +202,7 @@ let
inherit tag; inherit tag;
inherit contents; inherit contents;
inherit fromImage; inherit fromImage;
inherit maxLayers;
includeStorePaths = false; includeStorePaths = false;
extraCommands = (mkNixStore contents) + '' extraCommands = (mkNixStore contents) + ''
@ -233,6 +235,7 @@ let
inherit config; inherit config;
inherit tag; inherit tag;
inherit fromImage; inherit fromImage;
inherit maxLayers;
includeStorePaths = false; includeStorePaths = false;
extraCommands = '' extraCommands = ''
@ -249,6 +252,7 @@ let
inherit tag; inherit tag;
inherit config; inherit config;
inherit fromImage; inherit fromImage;
inherit maxLayers;
contents = extendedContents; contents = extendedContents;
}; };
in in