chore: sgx-sdk: 2.23 -> 2.24

Signed-off-by: Harald Hoyer <harald@matterlabs.dev>
2025-07-21 23:43:56 +02:00 · 2024-05-17 10:24:14 +02:00 · 2024-05-17 10:24:14 +02:00 · e9a6d7a4dc
commit e9a6d7a4dc
parent b792d5ea46
9 changed files with 185 additions and 64 deletions
--- a/packages/azure-dcap-client/default.nix
+++ b/packages/azure-dcap-client/default.nix
@ -1,5 +1,6 @@
 { stdenv
 , fetchFromGitHub
 , fetchpatch
 , lib
 , curl
 , nlohmann_json
@ -15,7 +16,7 @@ let
    find "$out" -mindepth 1 -delete
    cp ${lib.concatStringsSep " " list} "$out/"
  '';
-  headers = linkFarmFromDrvs "azure-dcpa-client-intel-headers" [
+  headers = linkFarmFromDrvs "azure-dcap-client-intel-headers" [
    (fetchFromGitHub rec {
      name = "${repo}-headers";
      owner = "intel";
@ -44,8 +45,14 @@ stdenv.mkDerivation rec {
  };
  patches = [
    ./missing-includes.patch
    ./Azure-DCAP-Client.patch
    # Fix gcc-13 build:
    #   https://github.com/microsoft/Azure-DCAP-Client/pull/197
    (fetchpatch {
      name = "gcc-13.patch";
      url = "https://github.com/microsoft/Azure-DCAP-Client/commit/fbcae7b3c8f1155998248cf5b5f4c1df979483f5.patch";
      hash = "sha256-ezEuQql3stn58N1ZPKMlhPpUOBkDpCcENpGwFAmWtHc=";
    })
  ];
  nativeBuildInputs = [
@ -78,11 +85,11 @@ stdenv.mkDerivation rec {
  # $(nix-build -A sgx-azure-dcap-client.tests.suite)/bin/tests
  passthru.tests.suite = callPackage ./test-suite.nix { };
-  meta = with lib; {
+  meta = {
    description = "Interfaces between SGX SDKs and the Azure Attestation SGX Certification Cache";
    homepage = "https://github.com/microsoft/azure-dcap-client";
-    maintainers = with maintainers; [ phlip9 trundle veehaitch ];
+    maintainers = with lib.maintainers; [ phlip9 trundle veehaitch ];
    platforms = [ "x86_64-linux" ];
-    license = [ licenses.mit ];
+    license = [ lib.licenses.mit ];
  };
 }
--- a/packages/azure-dcap-client/test-suite.nix
+++ b/packages/azure-dcap-client/test-suite.nix
@ -9,7 +9,7 @@ sgx-azure-dcap-client.overrideAttrs (old: {
    gtest
  ];
-  patches = [
+  patches = (old.patches or [ ]) ++ [
    ./tests-missing-includes.patch
  ];
--- a/packages/sgx-psw/default.nix
+++ b/packages/sgx-psw/default.nix
@ -13,8 +13,11 @@
 , which
 , debug ? false
 }:
 let
  inherit (nixsgx) sgx-sdk;
 in
 stdenv.mkDerivation rec {
-  inherit (nixsgx.sgx-sdk) version versionTag src patches;
+  inherit (sgx-sdk) patches src version versionTag;
  pname = "sgx-psw";
  postUnpack =
@ -29,15 +32,15 @@ stdenv.mkDerivation rec {
      # Also include the Data Center Attestation Primitives (DCAP) platform
      # enclaves.
      dcap = rec {
-        version = "1.20";
+        version = "1.21";
        filename = "prebuilt_dcap_${version}.tar.gz";
        prebuilt = fetchurl {
          url = "https://download.01.org/intel-sgx/sgx-dcap/${version}/linux/${filename}";
-          hash = "sha256-nPsI89KSBA3cSNTMWyktZP5dkf+BwL3NZ4MuUf6G98o=";
+          hash = "sha256-/PPD2MyNxoCwzNljIFcpkFvItXbyvymsJ7+Uf4IyZuk=";
        };
      };
    in
-    nixsgx.sgx-sdk.postUnpack + ''
+    sgx-sdk.postUnpack + ''
      # Make sure we use the correct version of prebuilt DCAP
      grep -q 'ae_file_name=${dcap.filename}' "$src/external/dcap_source/QuoteGeneration/download_prebuilt.sh" \
        || (echo "Could not find expected prebuilt DCAP ${dcap.filename} in linux-sgx source" >&2 && exit 1)
@ -51,7 +54,7 @@ stdenv.mkDerivation rec {
    file
    makeWrapper
    python3
-    nixsgx.sgx-sdk
+    sgx-sdk
    which
  ];
@ -159,30 +162,30 @@ stdenv.mkDerivation rec {
    echo "Fixing aesmd.service"
    substituteInPlace $out/lib/systemd/system/aesmd.service \
      --replace '@aesm_folder@' \
-                "$out/aesm" \
+                     "$out/aesm" \
      --replace 'Type=forking' \
-                'Type=simple' \
+                     'Type=simple' \
      --replace "ExecStart=$out/aesm/aesm_service" \
-                "ExecStart=$out/bin/aesm_service --no-daemon"\
+                     "ExecStart=$out/bin/aesm_service --no-daemon"\
      --replace "/bin/mkdir" \
-                "${coreutils}/bin/mkdir" \
+                     "${coreutils}/bin/mkdir" \
      --replace "/bin/chown" \
-                "${coreutils}/bin/chown" \
+                     "${coreutils}/bin/chown" \
      --replace "/bin/chmod" \
-                "${coreutils}/bin/chmod" \
+                     "${coreutils}/bin/chmod" \
      --replace "/bin/kill" \
-                "${coreutils}/bin/kill"
+                     "${coreutils}/bin/kill"
  '';
  passthru.tests = {
    service = nixosTests.aesmd;
  };
-  meta = with lib; {
+  meta = {
    description = "Intel SGX Architectural Enclave Service Manager";
    homepage = "https://github.com/intel/linux-sgx";
-    maintainers = with maintainers; [ phlip9 veehaitch citadelcore ];
+    maintainers = with lib.maintainers; [ phlip9 veehaitch citadelcore ];
    platforms = [ "x86_64-linux" ];
-    license = with licenses; [ bsd3 ];
+    license = [ lib.licenses.bsd3 ];
  };
 }
--- a/packages/sgx-sdk/cppmicroservices-no-mtime.patch
+++ b/packages/sgx-sdk/cppmicroservices-no-mtime.patch
@ -21,6 +21,6 @@ index 6b0ebd7a..fa2aebca 100644
 // The current downside is the times written to your archives will be from 1979.
 -//#define MINIZ_NO_TIME
 +#define MINIZ_NO_TIME
- 
+
 // Define MINIZ_NO_ARCHIVE_APIS to disable all ZIP archive API's.
 //#define MINIZ_NO_ARCHIVE_APIS
--- a/packages/sgx-sdk/default.nix
+++ b/packages/sgx-sdk/default.nix
@ -26,15 +26,15 @@
 stdenv.mkDerivation rec {
  pname = "sgx-sdk";
  # Version as given in se_version.h
-  version = "2.23.100.2";
+  version = "2.24.100.3";
  # Version as used in the Git tag
-  versionTag = "2.23";
+  versionTag = "2.24";
  src = fetchFromGitHub {
    owner = "intel";
    repo = "linux-sgx";
    rev = "sgx_${versionTag}";
-    hash = "sha256-i+fE6xKiuljG8LY8TIHgrW15DVpdp46bZdNo/BjgT/I=";
+    hash = "sha256-1urEdfMKNUqqyJ3wQ10+tvtlRuAKELpaCWIOzjCbYKw=";
    fetchSubmodules = true;
  };
@ -45,14 +45,22 @@ stdenv.mkDerivation rec {
  '';
  patches = [
    # no timestamp in mini zip archives
    ./CppMicroServices-no-mtime.patch
    # Set the CXX standard for nix builds of sgx-psw
    ./aesm-cxx-standard.patch
    # There's a `make preparation` step that downloads some prebuilt binaries
    # and applies some patches to the in-repo git submodules. This patch removes
    # the parts that download things, since we can't do that inside the sandbox.
    ./disable-downloads.patch
    # Set the CXX standard for nix builds of sgx-psw
    ./aesm-cxx-standard.patch
    # This patch disable mtime in bundled zip file for reproducible builds.
    #
    # Context: The `aesm_service` binary depends on a vendored library called
    # `CppMicroServices`. At build time, this lib creates and then bundles
    # service resources into a zip file and then embeds this zip into the
    # binary. Without changes, the `aesm_service` will be different after every
    # build because the embedded zip file contents have different modified times.
    ./cppmicroservices-no-mtime.patch
  ];
  postPatch = ''
@ -116,8 +124,6 @@ stdenv.mkDerivation rec {
      pushd 'external/ippcp_internal'
      cp -r ${ipp-crypto-no_mitigation}/include/. inc/
      install -D -m a+rw ${ipp-crypto-no_mitigation}/lib/intel64/libippcp.a \
        lib/linux/intel64/no_mitigation/libippcp.a
      install -D -m a+rw ${ipp-crypto-cve_2020_0551_load}/lib/intel64/libippcp.a \
@ -125,8 +131,13 @@ stdenv.mkDerivation rec {
      install -D -m a+rw ${ipp-crypto-cve_2020_0551_cf}/lib/intel64/libippcp.a \
        lib/linux/intel64/cve_2020_0551_cf/libippcp.a
      cp -r ${ipp-crypto-no_mitigation}/include/* inc/
      mkdir inc/ippcp
      cp ${ipp-crypto-no_mitigation}/include/fips_cert.h inc/ippcp/
      rm inc/ippcp.h
-      patch ${ipp-crypto-no_mitigation}/include/ippcp.h -i inc/ippcp21u7.patch -o inc/ippcp.h
+      patch ${ipp-crypto-no_mitigation}/include/ippcp.h -i ./inc/ippcp21u11.patch -o ./inc/ippcp.h
      install -D ${ipp-crypto-no_mitigation.src}/LICENSE license/LICENSE
@ -280,11 +291,11 @@ stdenv.mkDerivation rec {
      '';
    };
-  meta = with lib; {
+  meta = {
    description = "Intel SGX SDK for Linux built with IPP Crypto Library";
    homepage = "https://github.com/intel/linux-sgx";
-    maintainers = with maintainers; [ phlip9 sbellem arturcygan veehaitch ];
+    maintainers = with lib.maintainers; [ phlip9 sbellem arturcygan veehaitch ];
    platforms = [ "x86_64-linux" ];
-    license = with licenses; [ bsd3 ];
+    license = [ lib.licenses.bsd3 ];
  };
 }
--- a/packages/sgx-sdk/disable-downloads.patch
+++ b/packages/sgx-sdk/disable-downloads.patch
@ -1,8 +1,8 @@
 diff --git a/Makefile b/Makefile
-index 32433051..2e480efb 100644
+index 73502a7..f24bd11 100644
 --- a/Makefile
 +++ b/Makefile
-@@ -50,8 +50,8 @@ tips:
+@@ -50,18 +50,18 @@ tips:
 preparation:
 # As SDK build needs to clone and patch openmp, we cannot support the mode that download the source from github as zip.
 # Only enable the download from git
@ -12,8 +12,10 @@ index 32433051..2e480efb 100644
 +	# ./external/dcap_source/QuoteVerification/prepare_sgxssl.sh nobuild
 	cd external/openmp/openmp_code && git apply ../0001-Enable-OpenMP-in-SGX.patch >/dev/null 2>&1 ||  git apply ../0001-Enable-OpenMP-in-SGX.patch --check -R
 	cd external/protobuf/protobuf_code && git apply ../sgx_protobuf.patch >/dev/null 2>&1 ||  git apply ../sgx_protobuf.patch --check -R
 -	cd external/protobuf/protobuf_code && git submodule update --init --recursive && cd third_party/abseil-cpp && git apply ../../../sgx_abseil.patch>/dev/null 2>&1 || git apply ../../../sgx_abseil.patch --check -R
 +	cd external/protobuf/protobuf_code && cd third_party/abseil-cpp && git apply ../../../sgx_abseil.patch>/dev/null 2>&1 || git apply ../../../sgx_abseil.patch --check -R
 	./external/sgx-emm/create_symlink.sh
-@@ -59,8 +59,8 @@ preparation:
+ 	cd external/mbedtls/mbedtls_code && git apply ../sgx_mbedtls.patch >/dev/null 2>&1 || git apply ../sgx_mbedtls.patch --check -R
 	cd external/cbor && cp -r libcbor sgx_libcbor
 	cd external/cbor/libcbor && git apply ../raw_cbor.patch >/dev/null 2>&1 || git apply ../raw_cbor.patch --check -R
 	cd external/cbor/sgx_libcbor && git apply ../sgx_cbor.patch >/dev/null 2>&1 || git apply ../sgx_cbor.patch --check -R
--- a/packages/sgx-sdk/ipp-crypto.nix
+++ b/packages/sgx-sdk/ipp-crypto.nix
@ -2,28 +2,30 @@
 , fetchFromGitHub
 , cmake
 , nasm
 , ninja
 , openssl
 , python3
 , extraCmakeFlags ? [ ]
 }:
 gcc11Stdenv.mkDerivation rec {
  pname = "ipp-crypto";
-  version = "2021.10.0";
+  version = "2021.11.1";
  src = fetchFromGitHub {
    owner = "intel";
    repo = "ipp-crypto";
    rev = "ippcp_${version}";
-    hash = "sha256-DfXsJ+4XqyjCD+79LUD53Cx8D46o1a4fAZa2UxGI1Xg=";
+    hash = "sha256-OgNrrPE8jFVD/hcv7A43Bno96r4Z/lb7/SE6TEL7RDI=";
  };
-  cmakeFlags = [ "-DARCH=intel64" ] ++ extraCmakeFlags;
+  cmakeFlags = [
    "-DARCH=intel64"
    # sgx-sdk now requires FIPS-compliance mode turned on
    "-DIPPCP_FIPS_MODE=on"
  ] ++ extraCmakeFlags;
  nativeBuildInputs = [
    cmake
    nasm
    ninja
    openssl
    python3
  ];
--- a/packages/sgx-ssl/default.nix
+++ b/packages/sgx-ssl/default.nix
@ -1,16 +1,17 @@
 { stdenv
 , callPackage
 , fetchFromGitHub
 , fetchurl
 , lib
 , openssl
 , perl
 , nixsgx
 , which
 , debug ? false
 }:
 let
-  sgxVersion = nixsgx.sgx-sdk.versionTag;
+  inherit (nixsgx) sgx-sdk;
-  opensslVersion = "3.0.12";
+  sgxVersion = sgx-sdk.versionTag;
  opensslVersion = "3.0.13";
 in
 stdenv.mkDerivation {
  pname = "sgx-ssl" + lib.optionalString debug "-debug";
@ -27,7 +28,7 @@ stdenv.mkDerivation {
    let
      opensslSourceArchive = fetchurl {
        url = "https://www.openssl.org/source/openssl-${opensslVersion}.tar.gz";
-        hash = "sha256-+Tyejt3l6RZhGd4xdV/Ie0qjSGNmL2fd/LoU0La2m2E=";
+        hash = "sha256-iFJXU/edO+wn0vp8ZqoLkrOqlJja/ZPXz6SzeAza4xM=";
      };
    in
    ''
@ -37,16 +38,15 @@ stdenv.mkDerivation {
  postPatch = ''
    patchShebangs Linux/build_openssl.sh
-    # Run the test in the `installCheckPhase`, not the `buildPhase`
+    # Skip the tests. Build and run separately (see below).
    substituteInPlace Linux/sgx/Makefile \
      --replace '$(MAKE) -C $(TEST_DIR) all' \
-                'bash -c "true"'
+                     'bash -c "true"'
  '';
  nativeBuildInputs = [
    perl
-    nixsgx.sgx-sdk
+    sgx-sdk
    stdenv.cc.libc
    which
  ];
@ -60,22 +60,23 @@ stdenv.mkDerivation {
    "DESTDIR=$(out)"
  ];
-  # Build the test app
+  # These tests build on any x86_64-linux but BOTH SIM and HW will only _run_ on
-  doInstallCheck = false;
+  # real Intel hardware. Split these out so OfBorg doesn't choke on this pkg.
-  installCheckTarget = "test";
+  #
-  installCheckFlags = [
+  # ```
-    "SGX_MODE=SIM"
+  # nix run .#sgx-ssl.tests.HW
-    "-j 1" # Makefile doesn't support multiple jobs
+  # nix run .#sgx-ssl.tests.SIM
-  ];
+  # ```
-  nativeInstallCheckInputs = [
+  passthru.tests = {
-    openssl
+    HW = callPackage ./tests.nix { sgxMode = "HW"; inherit opensslVersion; };
-  ];
+    SIM = callPackage ./tests.nix { sgxMode = "SIM"; inherit opensslVersion; };
  };
-  meta = with lib; {
+  meta = {
    description = "Cryptographic library for Intel SGX enclave applications based on OpenSSL";
    homepage = "https://github.com/intel/intel-sgx-ssl";
-    maintainers = with maintainers; [ phlip9 trundle veehaitch ];
+    maintainers = with lib.maintainers; [ phlip9 trundle veehaitch ];
    platforms = [ "x86_64-linux" ];
-    license = [ licenses.bsd3 licenses.openssl ];
+    license = with lib.licenses; [ bsd3 openssl ];
  };
 }
--- a/packages/sgx-ssl/tests.nix
+++ b/packages/sgx-ssl/tests.nix
@ -0,0 +1,95 @@
 # This package _builds_ (but doesn't run!) the sgx-ssl test enclave + harness.
 # The whole package effectively does:
 #
 # ```
 # SGX_MODE=${sgxMode} make -C Linux/sgx/test_app
 # cp Linux/sgx/{TestApp,TestEnclave.signed.so} $out/bin
 # ```
 #
 # OfBorg fails to run these tests since they require real Intel HW. That
 # includes the simulation mode! The tests appears to do something fancy with
 # cpuid and exception trap handlers that make them very non-portable.
 #
 # These tests are split out from the parent pkg since recompiling the parent
 # takes like 30 min : )
 { lib
 , openssl
 , sgx-psw
 , sgx-sdk
 , sgx-ssl
 , stdenv
 , which
 , opensslVersion ? throw "required parameter"
 , sgxMode ? throw "required parameter" # "SIM" or "HW"
 }:
 stdenv.mkDerivation {
  inherit (sgx-ssl) postPatch src version;
  pname = sgx-ssl.pname + "-tests-${sgxMode}";
  postUnpack = sgx-ssl.postUnpack + ''
    sourceRootAbs=$(readlink -e $sourceRoot)
    packageDir=$sourceRootAbs/Linux/package
    # Do the inverse of 'make install' and symlink built artifacts back into
    # '$src/Linux/package/' to avoid work.
    mkdir $packageDir/lib $packageDir/lib64
    ln -s ${lib.getLib sgx-ssl}/lib/* $packageDir/lib/
    ln -s ${lib.getLib sgx-ssl}/lib64/* $packageDir/lib64/
    ln -sf ${lib.getDev sgx-ssl}/include/* $packageDir/include/
    # test_app needs some internal openssl headers.
    # See: tail end of 'Linux/build_openssl.sh'
    tar -C $sourceRootAbs/openssl_source -xf $sourceRootAbs/openssl_source/openssl-${opensslVersion}.tar.gz
    echo '#define OPENSSL_VERSION_STR "${opensslVersion}"' > $sourceRootAbs/Linux/sgx/osslverstr.h
    ln -s $sourceRootAbs/openssl_source/openssl-${opensslVersion}/include/crypto $sourceRootAbs/Linux/sgx/test_app/enclave/
    ln -s $sourceRootAbs/openssl_source/openssl-${opensslVersion}/include/internal $sourceRootAbs/Linux/sgx/test_app/enclave/
  '';
  nativeBuildInputs = [
    openssl.bin
    sgx-sdk
    which
  ];
  preBuild = ''
    # Need to regerate the edl header
    make -C Linux/sgx/libsgx_tsgxssl sgx_tsgxssl_t.c
  '';
  makeFlags = [
    "-C Linux/sgx/test_app"
    "SGX_MODE=${sgxMode}"
  ];
  installPhase = ''
    runHook preInstall
    # Enclaves can't be stripped after signing.
    install -Dm 755 Linux/sgx/test_app/TestEnclave.signed.so -t $TMPDIR/enclaves
    install -Dm 755 Linux/sgx/test_app/TestApp -t $out/bin
    runHook postInstall
  '';
  postFixup = ''
    # Move the enclaves where they actually belong.
    mv $TMPDIR/enclaves/*.signed.so* $out/bin/
    # HW SGX must runs against sgx-psw, not sgx-sdk.
    if [[ "${sgxMode}" == "HW" ]]; then
      patchelf \
        --set-rpath "$( \
          patchelf --print-rpath $out/bin/TestApp \
            | sed 's|${lib.getLib sgx-sdk}|${lib.getLib sgx-psw}|' \
        )" \
        $out/bin/TestApp
    fi
  '';
  meta = {
    platforms = [ "x86_64-linux" ];
    mainProgram = "TestApp";
  };
 }