From 6d5e7fae157439fd23396523c5d2aa9c8a5899ab Mon Sep 17 00:00:00 2001
From: Harald Hoyer
Date: Mon, 1 Jul 2024 14:39:57 +0200
Subject: [PATCH 1/3] docs: adapt README.md to reality
Signed-off-by: Harald Hoyer
---
 README.md | 25 ++++++++++---------------
 1 file changed, 10 insertions(+), 15 deletions(-)
diff --git a/README.md b/README.md
index 6e01c22..b1b5319 100644
--- a/README.md
+++ b/README.md
@@ -33,6 +33,7 @@ In `~/.config/nix/nix.conf`
 ```ini
 experimental-features = nix-command flakes
+sandbox = true
 ```
 or on nixos in `/etc/nixos/configuration.nix` add the following lines:
@@ -42,22 +43,16 @@ or on nixos in `/etc/nixos/configuration.nix` add the following lines:
 nix = {
 extraOptions = ''
 experimental-features = nix-command flakes
+ sandbox = true
 '';
 };
 }
 ```
-Optionally install cachix (to save build time) and use the nixsgx cache:
-
-```shell
-$ nix-env -iA cachix -f https://cachix.org/api/v1/install
-$ cachix use nixsgx
-```
-
 ### Develop
 ```shell
-$ nix develop --impure
+$ nix develop
 ```
 optionally create `.envrc` for `direnv` to automatically load the environment when entering the directory:
@@ -86,17 +81,17 @@ $ nix run github:nixos/nixpkgs/nixos-23.11#nixci
 See the `packages` directory for the available packages and containers.
 ```shell
-$ nix build -L .#container-vault-sgx-azure
+$ nix build -L .#container-self-attestation-test-sgx-azure
 [...]
-#8 5.966 Measurement:
-#8 5.966 45b9f90fc2562e66516f40c83adc30007c88427d8d9fa7a35718f4cbdeac3efd
+teepot-self-attestation-test-sgx-azure-manifest-app-customisation-layer> Measurement:
+teepot-self-attestation-test-sgx-azure-manifest-app-customisation-layer> eaaabf210797606bcfde818a52e4a434fbf4f2e620d7edcc7025e3e1bbaa95c4
 [...]
-$ docker load -i result
-$ docker run -v $(pwd):/mnt -i --init --rm teepot-vault-sgx-azure:latest "cp teepot-vault-sgx-azure.sig /mnt"
-$ nix shell github:matter-labs/nixsgx#gramine -c gramine-sgx-sigstruct-view teepot-vault-sgx-azure.sig
+$ export IMAGE_TAG=$(docker load < result | grep -Po 'Loaded image.*: \K.*')
+$ docker run -v $(pwd):/mnt -i --init --rm $IMAGE_TAG "cp app.sig /mnt"
+$ nix shell github:matter-labs/nixsgx#gramine -c gramine-sgx-sigstruct-view app.sig
 Attributes:
 mr_signer: c5591a72b8b86e0d8814d6e8750e3efe66aea2d102b8ba2405365559b858697d
- mr_enclave: 45b9f90fc2562e66516f40c83adc30007c88427d8d9fa7a35718f4cbdeac3efd
+ mr_enclave: eaaabf210797606bcfde818a52e4a434fbf4f2e620d7edcc7025e3e1bbaa95c4
 isv_prod_id: 0
 isv_svn: 0
 debug_enclave: False
From b5fa7e1f449cac7fcbce0f8c65377214468272a2 Mon Sep 17 00:00:00 2001
From: Harald Hoyer
Date: Tue, 2 Jul 2024 13:00:19 +0200
Subject: [PATCH 2/3] chore: replace cache in `flake.nix` nixConfig
Signed-off-by: Harald Hoyer
---
 flake.nix | 10 ++++------
 1 file changed, 4 insertions(+), 6 deletions(-)
diff --git a/flake.nix b/flake.nix
index 4aa6d62..6177e31 100644
--- a/flake.nix
+++ b/flake.nix
@@ -1,12 +1,10 @@
 {
 description = "teepot";
- nixConfig.extra-substituters = [
- "https://nixsgx.cachix.org"
- ];
- nixConfig.extra-trusted-public-keys = [
- "nixsgx.cachix.org-1:tGi36DlY2joNsIXOlGnSgWW0+E094V6hW0umQRo/KoE="
- ];
+ nixConfig = {
+ extra-substituters = [ "https://attic.teepot.org/tee-pot" ];
+ extra-trusted-public-keys = [ "tee-pot:SS6HcrpG87S1M6HZGPsfo7d1xJccCGev7/tXc5+I4jg=" ];
+ };
 inputs = {
 nixsgx-flake.url = "github:matter-labs/nixsgx";
From fc3fe37f8105fba7a2069ba60c226c5b4592ae21 Mon Sep 17 00:00:00 2001
From: Harald Hoyer
Date: Tue, 2 Jul 2024 13:01:12 +0200
Subject: [PATCH 3/3] fix: `sgx.nonpie_binary` option is deprecated
see https://github.com/gramineproject/gramine/pull/1187
Signed-off-by: Harald Hoyer
---
 packages/container-vault-sgx-azure/default.nix | 1 -
 1 file changed, 1 deletion(-)
diff --git a/packages/container-vault-sgx-azure/default.nix b/packages/container-vault-sgx-azure/default.nix
index dfdc797..a1461e8 100644
--- a/packages/container-vault-sgx-azure/default.nix
+++ b/packages/container-vault-sgx-azure/default.nix
@@ -69,7 +69,6 @@ nixsgxLib.mkSGXContainer {
 edmm_enable = false;
 enclave_size = "8G";
 max_threads = 64;
- nonpie_binary = true;
 trusted_files = [ "file:/opt/vault/plugins/"
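Review bot: The new `extra-trusted-public-keys` entry in the flake.nix hunk carries no record of where the `tee-pot:` key was obtained or how a reader can verify it out of band, so a later reviewer cannot distinguish a legitimate cache rotation from a substituted key; as I read Nix's handling of flake-provided settings, anyone who accepts this flake's `nixConfig` will trust store paths signed with it from the new substituter. A one-line comment above the key would make the rotation auditable, e.g. `# Signing key for https://attic.teepot.org/tee-pot; verify against <out-of-band key source> before accepting`. The README.md hunks earlier in this series drop the cachix instructions without documenting the new cache, so this `nixConfig` block is presumably now the only place the substituter and its key are recorded. The enclosing flake attribute set continues past the end of the hunk.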