chore: sgx-sdk: 2.23 -> 2.24

Signed-off-by: Harald Hoyer <harald@matterlabs.dev>

packages/sgx-sdk/cppmicroservices-no-mtime.patch

@@ -21,6 +21,6 @@ index 6b0ebd7a..fa2aebca 100644
  // The current downside is the times written to your archives will be from 1979.
 -//#define MINIZ_NO_TIME
 +#define MINIZ_NO_TIME
- 
+
  // Define MINIZ_NO_ARCHIVE_APIS to disable all ZIP archive API's.
  //#define MINIZ_NO_ARCHIVE_APIS

packages/sgx-sdk/default.nix

@@ -26,15 +26,15 @@
 stdenv.mkDerivation rec {
   pname = "sgx-sdk";
   # Version as given in se_version.h
-  version = "2.23.100.2";
+  version = "2.24.100.3";
   # Version as used in the Git tag
-  versionTag = "2.23";
+  versionTag = "2.24";
 
   src = fetchFromGitHub {
     owner = "intel";
     repo = "linux-sgx";
     rev = "sgx_${versionTag}";
-    hash = "sha256-i+fE6xKiuljG8LY8TIHgrW15DVpdp46bZdNo/BjgT/I=";
+    hash = "sha256-1urEdfMKNUqqyJ3wQ10+tvtlRuAKELpaCWIOzjCbYKw=";
     fetchSubmodules = true;
   };
 
@@ -45,14 +45,22 @@ stdenv.mkDerivation rec {
   '';
 
   patches = [
-    # no timestamp in mini zip archives
-    ./CppMicroServices-no-mtime.patch
-    # Set the CXX standard for nix builds of sgx-psw
-    ./aesm-cxx-standard.patch
     # There's a `make preparation` step that downloads some prebuilt binaries
     # and applies some patches to the in-repo git submodules. This patch removes
     # the parts that download things, since we can't do that inside the sandbox.
     ./disable-downloads.patch
+
+    # Set the CXX standard for nix builds of sgx-psw
+    ./aesm-cxx-standard.patch
+
+    # This patch disable mtime in bundled zip file for reproducible builds.
+    #
+    # Context: The `aesm_service` binary depends on a vendored library called
+    # `CppMicroServices`. At build time, this lib creates and then bundles
+    # service resources into a zip file and then embeds this zip into the
+    # binary. Without changes, the `aesm_service` will be different after every
+    # build because the embedded zip file contents have different modified times.
+    ./cppmicroservices-no-mtime.patch
   ];
 
   postPatch = ''
@@ -116,8 +124,6 @@ stdenv.mkDerivation rec {
 
       pushd 'external/ippcp_internal'
 
-      cp -r ${ipp-crypto-no_mitigation}/include/. inc/
-
       install -D -m a+rw ${ipp-crypto-no_mitigation}/lib/intel64/libippcp.a \
         lib/linux/intel64/no_mitigation/libippcp.a
       install -D -m a+rw ${ipp-crypto-cve_2020_0551_load}/lib/intel64/libippcp.a \
@@ -125,8 +131,13 @@ stdenv.mkDerivation rec {
       install -D -m a+rw ${ipp-crypto-cve_2020_0551_cf}/lib/intel64/libippcp.a \
         lib/linux/intel64/cve_2020_0551_cf/libippcp.a
 
+      cp -r ${ipp-crypto-no_mitigation}/include/* inc/
+
+      mkdir inc/ippcp
+      cp ${ipp-crypto-no_mitigation}/include/fips_cert.h inc/ippcp/
+
       rm inc/ippcp.h
-      patch ${ipp-crypto-no_mitigation}/include/ippcp.h -i inc/ippcp21u7.patch -o inc/ippcp.h
+      patch ${ipp-crypto-no_mitigation}/include/ippcp.h -i ./inc/ippcp21u11.patch -o ./inc/ippcp.h
 
       install -D ${ipp-crypto-no_mitigation.src}/LICENSE license/LICENSE
 
@@ -280,11 +291,11 @@ stdenv.mkDerivation rec {
       '';
     };
 
-  meta = with lib; {
+  meta = {
     description = "Intel SGX SDK for Linux built with IPP Crypto Library";
     homepage = "https://github.com/intel/linux-sgx";
-    maintainers = with maintainers; [ phlip9 sbellem arturcygan veehaitch ];
+    maintainers = with lib.maintainers; [ phlip9 sbellem arturcygan veehaitch ];
     platforms = [ "x86_64-linux" ];
-    license = with licenses; [ bsd3 ];
+    license = [ lib.licenses.bsd3 ];
   };
 }

packages/sgx-sdk/disable-downloads.patch

@@ -1,8 +1,8 @@
 diff --git a/Makefile b/Makefile
-index 32433051..2e480efb 100644
+index 73502a7..f24bd11 100644
 --- a/Makefile
 +++ b/Makefile
-@@ -50,8 +50,8 @@ tips:
+@@ -50,18 +50,18 @@ tips:
  preparation:
  # As SDK build needs to clone and patch openmp, we cannot support the mode that download the source from github as zip.
  # Only enable the download from git
@@ -12,8 +12,10 @@ index 32433051..2e480efb 100644
 +	# ./external/dcap_source/QuoteVerification/prepare_sgxssl.sh nobuild
  	cd external/openmp/openmp_code && git apply ../0001-Enable-OpenMP-in-SGX.patch >/dev/null 2>&1 ||  git apply ../0001-Enable-OpenMP-in-SGX.patch --check -R
  	cd external/protobuf/protobuf_code && git apply ../sgx_protobuf.patch >/dev/null 2>&1 ||  git apply ../sgx_protobuf.patch --check -R
+-	cd external/protobuf/protobuf_code && git submodule update --init --recursive && cd third_party/abseil-cpp && git apply ../../../sgx_abseil.patch>/dev/null 2>&1 || git apply ../../../sgx_abseil.patch --check -R
++	cd external/protobuf/protobuf_code && cd third_party/abseil-cpp && git apply ../../../sgx_abseil.patch>/dev/null 2>&1 || git apply ../../../sgx_abseil.patch --check -R
  	./external/sgx-emm/create_symlink.sh
-@@ -59,8 +59,8 @@ preparation:
+ 	cd external/mbedtls/mbedtls_code && git apply ../sgx_mbedtls.patch >/dev/null 2>&1 || git apply ../sgx_mbedtls.patch --check -R
  	cd external/cbor && cp -r libcbor sgx_libcbor
  	cd external/cbor/libcbor && git apply ../raw_cbor.patch >/dev/null 2>&1 || git apply ../raw_cbor.patch --check -R
  	cd external/cbor/sgx_libcbor && git apply ../sgx_cbor.patch >/dev/null 2>&1 || git apply ../sgx_cbor.patch --check -R

packages/sgx-sdk/ipp-crypto.nix

@@ -2,28 +2,30 @@
 , fetchFromGitHub
 , cmake
 , nasm
-, ninja
 , openssl
 , python3
 , extraCmakeFlags ? [ ]
 }:
 gcc11Stdenv.mkDerivation rec {
   pname = "ipp-crypto";
-  version = "2021.10.0";
+  version = "2021.11.1";
 
   src = fetchFromGitHub {
     owner = "intel";
     repo = "ipp-crypto";
     rev = "ippcp_${version}";
-    hash = "sha256-DfXsJ+4XqyjCD+79LUD53Cx8D46o1a4fAZa2UxGI1Xg=";
+    hash = "sha256-OgNrrPE8jFVD/hcv7A43Bno96r4Z/lb7/SE6TEL7RDI=";
   };
 
-  cmakeFlags = [ "-DARCH=intel64" ] ++ extraCmakeFlags;
+  cmakeFlags = [
+    "-DARCH=intel64"
+    # sgx-sdk now requires FIPS-compliance mode turned on
+    "-DIPPCP_FIPS_MODE=on"
+  ] ++ extraCmakeFlags;
 
   nativeBuildInputs = [
     cmake
     nasm
-    ninja
     openssl
     python3
   ];