Merge pull request #61 from matter-labs/sgx_2.25

feat: sgx-2.25 dcap-1.22
This commit is contained in:
Harald Hoyer 2024-10-15 10:59:34 +02:00 committed by GitHub
commit d00fbd916b
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
7 changed files with 34 additions and 42 deletions


@ -119,17 +119,6 @@ index 4e53085..7047a49 100755
pushd ${INSTALL_PATH} &> /dev/null pushd ${INSTALL_PATH} &> /dev/null
sed -i "s/USR_LIB_VER=.*/USR_LIB_VER=${SGX_VERSION}/" Makefile sed -i "s/USR_LIB_VER=.*/USR_LIB_VER=${SGX_VERSION}/" Makefile
-tar -zcvf ${TARBALL_NAME} * -tar -zcvf ${TARBALL_NAME} *
+tar -zcv --sort=name --owner=root:0 --group=root:0 --mtime='UTC 2019-01-01 00:00:00' -f ${TARBALL_NAME} *
popd &> /dev/null
diff --git a/QuoteGeneration/installer/linux/common/sgx-dcap-pccs/createTarball.sh b/QuoteGeneration/installer/linux/common/sgx-dcap-pccs/createTarball.sh
index fa3286e..cacf5a3 100755
--- a/QuoteGeneration/installer/linux/common/sgx-dcap-pccs/createTarball.sh
+++ b/QuoteGeneration/installer/linux/common/sgx-dcap-pccs/createTarball.sh
@@ -57,5 +57,5 @@ python ${SCRIPT_DIR}/gen_source.py --bom=../licenses/BOM_license.txt --cleanup=f
# Create the tarball
pushd ${INSTALL_PATH} &> /dev/null
-tar -zcvf ${TARBALL_NAME} *
+tar -zcv --sort=name --owner=root:0 --group=root:0 --mtime='UTC 2019-01-01 00:00:00' -f ${TARBALL_NAME} * +tar -zcv --sort=name --owner=root:0 --group=root:0 --mtime='UTC 2019-01-01 00:00:00' -f ${TARBALL_NAME} *
popd &> /dev/null popd &> /dev/null
diff --git a/QuoteGeneration/installer/linux/common/tdx-qgs/createTarball.sh b/QuoteGeneration/installer/linux/common/tdx-qgs/createTarball.sh diff --git a/QuoteGeneration/installer/linux/common/tdx-qgs/createTarball.sh b/QuoteGeneration/installer/linux/common/tdx-qgs/createTarball.sh


@ -15,7 +15,7 @@
}: }:
stdenv.mkDerivation rec { stdenv.mkDerivation rec {
pname = "sgx-dcap"; pname = "sgx-dcap";
version = "1.21"; version = "1.22";
postUnpack = postUnpack =
let let
@ -23,7 +23,7 @@ stdenv.mkDerivation rec {
filename = "prebuilt_dcap_${version}.tar.gz"; filename = "prebuilt_dcap_${version}.tar.gz";
prebuilt = fetchurl { prebuilt = fetchurl {
url = "https://download.01.org/intel-sgx/sgx-dcap/${version}/linux/$(unknown)"; url = "https://download.01.org/intel-sgx/sgx-dcap/${version}/linux/$(unknown)";
hash = "sha256-/PPD2MyNxoCwzNljIFcpkFvItXbyvymsJ7+Uf4IyZuk="; hash = "sha256-RTpJQ6epoAN8YQXSJUjJQ5mPaQIiQpStTWFsnspjjDQ=";
}; };
}; };
in in
@ -33,13 +33,14 @@ stdenv.mkDerivation rec {
|| (echo "Could not find expected prebuilt DCAP ${dcap.filename} in dcap source" >&2 && grep 'ae_file_name' "$sourceRoot/QuoteGeneration/download_prebuilt.sh" && exit 1) || (echo "Could not find expected prebuilt DCAP ${dcap.filename} in dcap source" >&2 && grep 'ae_file_name' "$sourceRoot/QuoteGeneration/download_prebuilt.sh" && exit 1)
tar -zxf ${dcap.prebuilt} -C $sourceRoot/QuoteGeneration/ tar -zxf ${dcap.prebuilt} -C $sourceRoot/QuoteGeneration/
tar -zxf ${dcap.prebuilt} -C $sourceRoot/
''; '';
src = fetchFromGitHub { src = fetchFromGitHub {
owner = "intel"; owner = "intel";
repo = "SGXDataCenterAttestationPrimitives"; repo = "SGXDataCenterAttestationPrimitives";
rev = "DCAP_${version}"; rev = "DCAP_${version}";
hash = "sha256-Vp8R4W6qdPTGJFNJrPPKe9Oqxxj+UIdZf2GSL+gCyjU="; hash = "sha256-Ubjm3/tpfkRrKhub10g2oDl+2vv/MF4wnJR/nLz7KDk=";
fetchSubmodules = true; fetchSubmodules = true;
}; };
@ -75,11 +76,11 @@ stdenv.mkDerivation rec {
patchShebangs --build $(find . -name '*.sh') patchShebangs --build $(find . -name '*.sh')
''; '';
preBuild = '' makeFlags = [
makeFlagsArray+=(SGX_SDK="${nixsgx.sgx-sdk}" SGXSSL_PACKAGE_PATH="${nixsgx.sgx-ssl}") "SGX_SDK=${nixsgx.sgx-sdk}"
''; "SGXSSL_PACKAGE_PATH=${nixsgx.sgx-ssl}"
];
# sigh... Intel!
enableParallelBuilding = true; enableParallelBuilding = true;
dontUseCmakeConfigure = true; dontUseCmakeConfigure = true;
@ -112,7 +113,6 @@ stdenv.mkDerivation rec {
./tools/SGXPlatformRegistration/package/installer/common/libsgx-ra-network ./tools/SGXPlatformRegistration/package/installer/common/libsgx-ra-network
./tools/SGXPlatformRegistration/package/installer/common/libsgx-ra-uefi ./tools/SGXPlatformRegistration/package/installer/common/libsgx-ra-uefi
./tools/PCKRetrievalTool/installer/common/sgx-pck-id-retrieval-tool ./tools/PCKRetrievalTool/installer/common/sgx-pck-id-retrieval-tool
#./QuoteGeneration/installer/linux/common/sgx-dcap-pccs
) )
for src in ''${dcap_pkgdirs[@]}; do for src in ''${dcap_pkgdirs[@]}; do
@ -152,10 +152,6 @@ stdenv.mkDerivation rec {
"$ra_uefi" "$ra_uefi"
tools/PCKRetrievalTool/installer/common/sgx-pck-id-retrieval-tool/output tools/PCKRetrievalTool/installer/common/sgx-pck-id-retrieval-tool/output
"$pck_id_retrieval_tool" "$pck_id_retrieval_tool"
#QuoteGeneration/installer/linux/common/sgx-dcap-pccs/output
#"$pccs"
# sgx-ra-service
# tdx-qgs
) )
for ((i = 0 ; i < ''${#dcap_map[@]} ; i+=2 )); do for ((i = 0 ; i < ''${#dcap_map[@]} ; i+=2 )); do
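Review bot: The added `tar -zxf ${dcap.prebuilt} -C $sourceRoot/` directly after the existing extraction into `$sourceRoot/QuoteGeneration/` unpacks the same pinned archive twice, so whichever layout the 1.22 tarball actually has, one of the two copies is unused and the extraction into the source root may overwrite files of the freshly checked-out DCAP_1.22 tree without any error. The archive layout is not visible here, so I cannot tell which copy the Makefile consumes; if the 1.22 tarball now carries a top-level `QuoteGeneration/` prefix only the new line is needed, and if it does not only the old one is. Whichever it is, keep the single matching extraction and say why, e.g. `# prebuilt_dcap_1.22.tar.gz is rooted at QuoteGeneration/ — TODO confirm and drop the other extraction`. Note that the grep guard a few lines above only checks that the filename appears in download_prebuilt.sh, not that the extracted paths match what the build reads. The postUnpack string and the dcap_map array both continue outside this hunk.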


@ -27,16 +27,16 @@ stdenv.mkDerivation rec {
# attestation quotes, and do platform certification. # attestation quotes, and do platform certification.
ae.prebuilt = fetchurl { ae.prebuilt = fetchurl {
url = "https://download.01.org/intel-sgx/sgx-linux/${versionTag}/prebuilt_ae_${versionTag}.tar.gz"; url = "https://download.01.org/intel-sgx/sgx-linux/${versionTag}/prebuilt_ae_${versionTag}.tar.gz";
hash = "sha256-IGV9VEwY/cQBV4Vz2sps4JgRweWRl/l08ocb9P4SH8Q="; hash = "sha256-Hlh96rYOyml2y50d8ASKz6U97Fl0hbGYECeZiG9nMSQ=";
}; };
# Also include the Data Center Attestation Primitives (DCAP) platform # Also include the Data Center Attestation Primitives (DCAP) platform
# enclaves. # enclaves.
dcap = rec { dcap = rec {
version = "1.21"; version = "1.22";
filename = "prebuilt_dcap_${version}.tar.gz"; filename = "prebuilt_dcap_${version}.tar.gz";
prebuilt = fetchurl { prebuilt = fetchurl {
url = "https://download.01.org/intel-sgx/sgx-dcap/${version}/linux/$(unknown)"; url = "https://download.01.org/intel-sgx/sgx-dcap/${version}/linux/$(unknown)";
hash = "sha256-/PPD2MyNxoCwzNljIFcpkFvItXbyvymsJ7+Uf4IyZuk="; hash = "sha256-RTpJQ6epoAN8YQXSJUjJQ5mPaQIiQpStTWFsnspjjDQ=";
}; };
}; };
in in
@ -47,6 +47,7 @@ stdenv.mkDerivation rec {
tar -zxf ${ae.prebuilt} -C $sourceRoot/ tar -zxf ${ae.prebuilt} -C $sourceRoot/
tar -zxf ${dcap.prebuilt} -C $sourceRoot/external/dcap_source/QuoteGeneration/ tar -zxf ${dcap.prebuilt} -C $sourceRoot/external/dcap_source/QuoteGeneration/
tar -zxf ${dcap.prebuilt} -C $sourceRoot/external/dcap_source/
''; '';
nativeBuildInputs = [ nativeBuildInputs = [
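Review bot: Same pattern as in the DCAP derivation: the added `tar -zxf ${dcap.prebuilt} -C $sourceRoot/external/dcap_source/` re-extracts the archive that the line before already unpacks into `external/dcap_source/QuoteGeneration/`, leaving two copies of the prebuilt enclaves in the tree with no indication of which one the build uses. Since these are, per the comment at the top of this section, the enclaves that produce attestation quotes, a copy at the wrong path is presumably the kind of mistake that only surfaces when quoting fails at runtime, so please keep the one extraction that matches the 1.22 layout or document why both are required, e.g. `# 1.22 prebuilt tarball layout changed; extracted at both levels until download_prebuilt.sh's expectation is confirmed`. If this postUnpack has no equivalent of the DCAP derivation's `grep ae_file_name` guard (its earlier lines are outside the hunk), adding one would catch a silent filename/version mismatch here as well. The postUnpack string starts before this hunk.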


@ -27,15 +27,15 @@
stdenv.mkDerivation rec { stdenv.mkDerivation rec {
pname = "sgx-sdk"; pname = "sgx-sdk";
# Version as given in se_version.h # Version as given in se_version.h
version = "2.24.100.3"; version = "2.25.100.3";
# Version as used in the Git tag # Version as used in the Git tag
versionTag = "2.24"; versionTag = "2.25";
src = fetchFromGitHub { src = fetchFromGitHub {
owner = "intel"; owner = "intel";
repo = "linux-sgx"; repo = "linux-sgx";
rev = "sgx_${versionTag}"; rev = "sgx_${versionTag}";
hash = "sha256-1urEdfMKNUqqyJ3wQ10+tvtlRuAKELpaCWIOzjCbYKw="; hash = "sha256-RR+vFTd9ZM6XUn3KgQeUM+xoj1Ava4zQzFYA/nfXyaw=";
fetchSubmodules = true; fetchSubmodules = true;
}; };
@ -139,13 +139,15 @@ stdenv.mkDerivation rec {
cp ${ipp-crypto-no_mitigation}/include/fips_cert.h inc/ippcp/ cp ${ipp-crypto-no_mitigation}/include/fips_cert.h inc/ippcp/
rm inc/ippcp.h rm inc/ippcp.h
patch ${ipp-crypto-no_mitigation}/include/ippcp.h -i ./inc/ippcp21u11.patch -o ./inc/ippcp.h patch ${ipp-crypto-no_mitigation}/include/ippcp.h -i ./inc/ippcp21u12.patch -o ./inc/ippcp.h
install -D ${ipp-crypto-no_mitigation.src}/LICENSE license/LICENSE install -D ${ipp-crypto-no_mitigation.src}/LICENSE license/LICENSE
popd popd
''; '';
env.NIX_CFLAGS_COMPILE = "-Wno-error=missing-include-dirs";
buildFlags = [ buildFlags = [
"sdk_install_pkg" "sdk_install_pkg"
] ++ lib.optionals debug [ ] ++ lib.optionals debug [
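Review bot: The added `env.NIX_CFLAGS_COMPILE = "-Wno-error=missing-include-dirs";` applies to every compilation unit of the SDK build, enclave-side libraries included, and it silences rather than fixes the condition: some `-I` path the 2.25 Makefiles pass does not exist in the Nix source tree. That is presumably harmless in itself, but the line gives a later reader no way to know which directory is missing or whether a header is now resolving from a different location than upstream intended — which matters in a derivation that already swaps in its own ippcp headers by hand a few lines above. A comment naming the cause would do, e.g. `# 2.25 Makefiles pass -I for a directory absent in the nix tree; -Werror made the warning fatal — TODO name the dir`. If the missing directory is one this derivation is expected to populate, creating it is the better fix than dropping the error. The buildFlags list continues outside the hunk.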


@ -1,14 +1,16 @@
diff --git a/Makefile b/Makefile diff --git a/Makefile b/Makefile
index 73502a7..f24bd11 100644 index 19bc05ab..f9ef0b75 100644
--- a/Makefile --- a/Makefile
+++ b/Makefile +++ b/Makefile
@@ -50,18 +50,18 @@ tips: @@ -50,13 +50,13 @@ tips:
preparation: preparation:
# As SDK build needs to clone and patch openmp, we cannot support the mode that download the source from github as zip. # As SDK build needs to clone and patch openmp, we cannot support the mode that download the source from github as zip.
# Only enable the download from git # Only enable the download from git
- git submodule update --init --recursive - git submodule update --init --recursive
- ./external/dcap_source/QuoteVerification/prepare_sgxssl.sh nobuild
+ # git submodule update --init --recursive + # git submodule update --init --recursive
cd external/dcap_source/external/jwt-cpp && git apply ../0001-Add-a-macro-to-disable-time-support-in-jwt-for-SGX.patch >/dev/null 2>&1 || \
git apply ../0001-Add-a-macro-to-disable-time-support-in-jwt-for-SGX.patch -R --check
- ./external/dcap_source/QuoteVerification/prepare_sgxssl.sh nobuild
+ # ./external/dcap_source/QuoteVerification/prepare_sgxssl.sh nobuild + # ./external/dcap_source/QuoteVerification/prepare_sgxssl.sh nobuild
cd external/openmp/openmp_code && git apply ../0001-Enable-OpenMP-in-SGX.patch >/dev/null 2>&1 || git apply ../0001-Enable-OpenMP-in-SGX.patch --check -R cd external/openmp/openmp_code && git apply ../0001-Enable-OpenMP-in-SGX.patch >/dev/null 2>&1 || git apply ../0001-Enable-OpenMP-in-SGX.patch --check -R
cd external/protobuf/protobuf_code && git apply ../sgx_protobuf.patch >/dev/null 2>&1 || git apply ../sgx_protobuf.patch --check -R cd external/protobuf/protobuf_code && git apply ../sgx_protobuf.patch >/dev/null 2>&1 || git apply ../sgx_protobuf.patch --check -R
@ -17,12 +19,14 @@ index 73502a7..f24bd11 100644
./external/sgx-emm/create_symlink.sh ./external/sgx-emm/create_symlink.sh
cd external/mbedtls/mbedtls_code && git apply ../sgx_mbedtls.patch >/dev/null 2>&1 || git apply ../sgx_mbedtls.patch --check -R cd external/mbedtls/mbedtls_code && git apply ../sgx_mbedtls.patch >/dev/null 2>&1 || git apply ../sgx_mbedtls.patch --check -R
cd external/cbor && cp -r libcbor sgx_libcbor cd external/cbor && cp -r libcbor sgx_libcbor
cd external/cbor/libcbor && git apply ../raw_cbor.patch >/dev/null 2>&1 || git apply ../raw_cbor.patch --check -R @@ -64,8 +64,8 @@ preparation:
cd external/cbor/sgx_libcbor && git apply ../sgx_cbor.patch >/dev/null 2>&1 || git apply ../sgx_cbor.patch --check -R cd external/cbor/sgx_libcbor && git apply ../sgx_cbor.patch >/dev/null 2>&1 || git apply ../sgx_cbor.patch --check -R
cd external/ippcp_internal/ipp-crypto && git apply ../0001-IPP-crypto-for-SGX.patch > /dev/null 2>&1 || git apply ../0001-IPP-crypto-for-SGX.patch --check -R
cd external/ippcp_internal/ipp-crypto && mkdir -p build
- ./download_prebuilt.sh - ./download_prebuilt.sh
- ./external/dcap_source/QuoteGeneration/download_prebuilt.sh - ./external/dcap_source/QuoteGeneration/download_prebuilt.sh
+ # ./download_prebuilt.sh + #./download_prebuilt.sh
+ # ./external/dcap_source/QuoteGeneration/download_prebuilt.sh + #./external/dcap_source/QuoteGeneration/download_prebuilt.sh
psw: psw:
$(MAKE) -C psw/ USE_OPT_LIBS=$(USE_OPT_LIBS) $(MAKE) -C psw/ USE_OPT_LIBS=$(USE_OPT_LIBS)
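Review bot: The refreshed patch still has no description above the `diff --git` line, and after this update it disables four steps at once (the submodule update, `prepare_sgxssl.sh nobuild`, and both `download_prebuilt.sh` calls) without saying what replaces them; for a patch whose purpose is keeping the build hermetic, a header paragraph should state that each disabled step is a network fetch substituted by a pinned Nix input (fetchFromGitHub with fetchSubmodules, the sgx-ssl derivation, and the prebuilt tarballs unpacked in postUnpack), so the next version bump knows which lines must stay commented out. The new context at `cd external/ippcp_internal/ipp-crypto && git apply ...` shows upstream now patches and prepares its in-tree ipp-crypto here, while the sdk derivation replaces the ippcp headers itself; whether both are meant to coexist is not visible from this hunk and deserves a sentence in the same header. The patched `preparation` target ends outside the hunk.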


@ -8,13 +8,13 @@
}: }:
gcc11Stdenv.mkDerivation rec { gcc11Stdenv.mkDerivation rec {
pname = "ipp-crypto"; pname = "ipp-crypto";
version = "2021.11.1"; version = "2021.12.1";
src = fetchFromGitHub { src = fetchFromGitHub {
owner = "intel"; owner = "intel";
repo = "ipp-crypto"; repo = "ipp-crypto";
rev = "ippcp_${version}"; rev = "ippcp_${version}";
hash = "sha256-OgNrrPE8jFVD/hcv7A43Bno96r4Z/lb7/SE6TEL7RDI="; hash = "sha256-voxjx9Np/8jy9XS6EvUK4aW18/DGQGaPpTKm9RzuCU8=";
}; };
cmakeFlags = [ cmakeFlags = [


@ -11,7 +11,7 @@
let let
inherit (nixsgx) sgx-sdk; inherit (nixsgx) sgx-sdk;
sgxVersion = sgx-sdk.versionTag; sgxVersion = sgx-sdk.versionTag;
opensslVersion = "3.0.13"; opensslVersion = "3.0.14";
in in
stdenv.mkDerivation { stdenv.mkDerivation {
pname = "sgx-ssl" + lib.optionalString debug "-debug"; pname = "sgx-ssl" + lib.optionalString debug "-debug";
@ -20,15 +20,15 @@ stdenv.mkDerivation {
src = fetchFromGitHub { src = fetchFromGitHub {
owner = "intel"; owner = "intel";
repo = "intel-sgx-ssl"; repo = "intel-sgx-ssl";
rev = "3.0_Rev2"; rev = "3.0_Rev4";
hash = "sha256-dmLyaG6v+skjSa0KxLAfIfSBOxp9grrI7ds6WdGPe0I="; hash = "sha256-RNAMmm2UNbIziBqu4RioPDb1/3TBd+MCsJ8PeCHWhL0=";
}; };
postUnpack = postUnpack =
let let
opensslSourceArchive = fetchurl { opensslSourceArchive = fetchurl {
url = "https://www.openssl.org/source/openssl-${opensslVersion}.tar.gz"; url = "https://www.openssl.org/source/openssl-${opensslVersion}.tar.gz";
hash = "sha256-iFJXU/edO+wn0vp8ZqoLkrOqlJja/ZPXz6SzeAza4xM="; hash = "sha256-7soDXU3U6E/CWEbZUtpil0hK+gZQpvhMaC453zpBI8o=";
}; };
in in
'' ''