feat: compat code for non x86_64-linux

- do not build packages, which require `x86_64-linux` - use Phala `dcap-qvl` crate for remote attestation, if possible - nix: exclude `nixsgx` on non `x86_64-linux` platforms Signed-off-by: Harald Hoyer <harald@matterlabs.dev>
2025-07-21 07:03:56 +02:00 · 2025-03-20 10:25:24 +01:00 · 2025-03-20 10:25:24 +01:00 · eb39705ff1
commit eb39705ff1
parent ed808efd03
41 changed files with 1531 additions and 519 deletions
--- a/packages/container-self-attestation-test-sgx-azure/default.nix
+++ b/packages/container-self-attestation-test-sgx-azure/default.nix
@ -2,10 +2,12 @@
 # Copyright (c) 2024 Matter Labs
 { teepot
 , pkgs
+, stdenv
 , container-name ? "teepot-self-attestation-test-sgx-azure"
 , tag ? null
 , isAzure ? true
 }:
+if (stdenv.hostPlatform.system != "x86_64-linux") then { } else
 pkgs.lib.tee.sgxGramineContainer {
  name = container-name;
  inherit tag;
--- a/packages/container-tdx-test/default.nix
+++ b/packages/container-tdx-test/default.nix
@ -1,6 +1,7 @@
 # SPDX-License-Identifier: Apache-2.0
 # Copyright (c) 2024 Matter Labs
 { lib
+, stdenv
 , openssl
 , curl
 , dockerTools
@ -8,28 +9,31 @@
 , teepot
 , nixsgx
 }:
-dockerTools.buildLayeredImage {
-  name = "tdx-test";
+if (stdenv.hostPlatform.isDarwin) then {
+  # FIXME: dockerTools.buildLayeredImage seems to be broken on Darwin
+} else
+  dockerTools.buildLayeredImage {
+    name = "tdx-test";

-  config.Entrypoint = [ "${teepot.teepot.tdx_test}/bin/tdx-test-dcap" ];
-  config.Env = [
-    "SSL_CERT_FILE=/etc/ssl/certs/ca-bundle.crt"
-  ];
-
-  contents = buildEnv {
-    name = "image-root";
-
-    paths = with dockerTools;[
-      teepot.teepot.tdx_test
-      openssl.out
-      curl.out
-      nixsgx.sgx-dcap.quote_verify
-      nixsgx.sgx-dcap.default_qpl
-      usrBinEnv
-      binSh
-      caCertificates
-      fakeNss
+    config.Entrypoint = [ "${teepot.teepot.tdx_test}/bin/tdx-test" ];
+    config.Env = [
+      "SSL_CERT_FILE=/etc/ssl/certs/ca-bundle.crt"
    ];
-    pathsToLink = [ "/bin" "/lib" "/etc" "/share" ];
-  };
-}
+
+    contents = buildEnv {
+      name = "image-root";
+
+      paths = with dockerTools; [
+        teepot.teepot.tdx_test
+        openssl.out
+        curl.out
+        # nixsgx.sgx-dcap.quote_verify
+        # nixsgx.sgx-dcap.default_qpl
+        usrBinEnv
+        binSh
+        caCertificates
+        fakeNss
+      ];
+      pathsToLink = [ "/bin" "/lib" "/etc" "/share" ];
+    };
+  }
--- a/packages/container-tee-key-preexec-dcap/default.nix
+++ b/packages/container-tee-key-preexec-dcap/default.nix
@ -2,6 +2,7 @@
 # Copyright (c) 2024 Matter Labs
 { teepot
 , pkgs
+, stdenv
 , bash
 , coreutils
 , container-name ? "teepot-key-preexec-dcap"
@ -9,6 +10,7 @@
 }: let
  entrypoint = "${bash}/bin/bash";
 in
+if (stdenv.hostPlatform.system != "x86_64-linux") then { } else
 pkgs.lib.tee.sgxGramineContainer {
  name = container-name;
  inherit tag entrypoint;
--- a/packages/container-vault-admin-sgx-azure/default.nix
+++ b/packages/container-vault-admin-sgx-azure/default.nix
@ -2,10 +2,12 @@
 # Copyright (c) 2024 Matter Labs
 { teepot
 , pkgs
+, stdenv
 , container-name ? "teepot-vault-admin-sgx-azure"
 , tag ? null
 , isAzure ? null
 }:
+if (stdenv.hostPlatform.system != "x86_64-linux") then { } else
 pkgs.lib.tee.sgxGramineContainer {
  name = container-name;
  inherit tag;
--- a/packages/container-vault-admin/default.nix
+++ b/packages/container-vault-admin/default.nix
@ -2,11 +2,13 @@
 # Copyright (c) 2024 Matter Labs
 { dockerTools
 , buildEnv
+, stdenv
 , teepot
 , openssl
 , curl
 , nixsgx
 }:
+if (stdenv.hostPlatform.system != "x86_64-linux") then { } else
 dockerTools.buildLayeredImage {
  name = "vault-admin";

--- a/packages/container-vault-sgx-azure/default.nix
+++ b/packages/container-vault-sgx-azure/default.nix
@ -2,6 +2,7 @@
 # Copyright (c) 2024 Matter Labs
 { teepot
 , pkgs
+, stdenv
 , vat
 , vault
 , container-name ? "teepot-vault-sgx-azure"
@ -12,6 +13,7 @@ let
  entrypoint = "${teepot.teepot.tee_ratls_preexec}/bin/tee-ratls-preexec";
  appDir = "/opt/vault";
 in
+if (stdenv.hostPlatform.system != "x86_64-linux") then { } else
 pkgs.lib.tee.sgxGramineContainer {
  name = container-name;
  inherit tag;
@ -86,5 +88,3 @@ pkgs.lib.tee.sgxGramineContainer {
    sys.experimental__enable_flock = true;
  };
 }
-
-
--- a/packages/container-vault-unseal-sgx-azure/default.nix
+++ b/packages/container-vault-unseal-sgx-azure/default.nix
@ -2,11 +2,13 @@
 # Copyright (c) 2024 Matter Labs
 { teepot
 , pkgs
+, stdenv
 , vat
 , container-name ? "teepot-vault-unseal-sgx-azure"
 , tag ? null
 , isAzure ? true
 }:
+if (stdenv.hostPlatform.system != "x86_64-linux") then { } else
 pkgs.lib.tee.sgxGramineContainer {
  name = container-name;
  inherit tag isAzure;
--- a/packages/container-vault-unseal/default.nix
+++ b/packages/container-vault-unseal/default.nix
@ -1,30 +1,43 @@
 # SPDX-License-Identifier: Apache-2.0
 # Copyright (c) 2024 Matter Labs
 { dockerTools
+, lib
+, stdenv
 , buildEnv
 , teepot
 , openssl
 , curl
 , nixsgx
 }:
-dockerTools.buildLayeredImage {
-  name = "vault-unseal";
+if (stdenv.hostPlatform.isDarwin) then {
+  # FIXME: dockerTools.buildLayeredImage seems to be broken on Darwin
+} else
+  dockerTools.buildLayeredImage {
+    name = "vault-unseal";

-  config.Entrypoint = [ "${teepot.teepot.vault_unseal}/bin/vault-unseal" ];
+    config.Entrypoint = [ "${teepot.teepot.vault_unseal}/bin/vault-unseal" ];

-  contents = buildEnv {
-    name = "image-root";
-    paths = with dockerTools; with nixsgx;[
-      openssl.out
-      curl.out
-      sgx-dcap.quote_verify
-      sgx-dcap.default_qpl
-      usrBinEnv
-      binSh
-      caCertificates
-      fakeNss
-      teepot.teepot.vault_unseal
-    ];
-    pathsToLink = [ "/bin" "/lib" "/etc" ];
-  };
-}
+    contents = buildEnv {
+      name = "image-root";
+      paths =
+        with dockerTools;
+        with nixsgx;
+        [
+          openssl.out
+          curl.out
+          usrBinEnv
+          binSh
+          caCertificates
+          fakeNss
+          teepot.teepot.vault_unseal
+        ] ++ lib.optionals (stdenv.hostPlatform.system == "x86_64-linux") [
+          sgx-dcap.quote_verify
+          sgx-dcap.default_qpl
+        ];
+      pathsToLink = [
+        "/bin"
+        "/lib"
+        "/etc"
+      ];
+    };
+  }
--- a/packages/container-verify-attestation-sgx/default.nix
+++ b/packages/container-verify-attestation-sgx/default.nix
@ -2,30 +2,44 @@
 # Copyright (c) 2024 Matter Labs
 { dockerTools
 , buildEnv
+, lib
+, stdenv
 , teepot
 , openssl
 , curl
 , nixsgx
 }:
-dockerTools.buildLayeredImage {
-  name = "verify-attestation-sgx";
+if (stdenv.hostPlatform.isDarwin) then {
+  # FIXME: dockerTools.buildLayeredImage seems to be broken on Darwin
+} else
+  dockerTools.buildLayeredImage {
+    name = "verify-attestation-sgx";

-  config.Entrypoint = [ "${teepot.teepot.verify_attestation}/bin/verify-attestation" ];
-  config.Env = [ "LD_LIBRARY_PATH=/lib" ];
-  contents = buildEnv {
-    name = "image-root";
+    config.Entrypoint = [ "${teepot.teepot.verify_attestation}/bin/verify-attestation" ];
+    config.Env = [ "LD_LIBRARY_PATH=/lib" ];
+    contents = buildEnv {
+      name = "image-root";

-    paths = with dockerTools; with nixsgx;[
-      openssl.out
-      curl.out
-      sgx-dcap.quote_verify
-      sgx-dcap.default_qpl
-      teepot.teepot.verify_attestation
-      usrBinEnv
-      binSh
-      caCertificates
-      fakeNss
-    ];
-    pathsToLink = [ "/bin" "/lib" "/etc" "/share" ];
-  };
-}
+      paths =
+        with dockerTools;
+        with nixsgx;
+        [
+          openssl.out
+          curl.out
+          teepot.teepot.verify_attestation
+          usrBinEnv
+          binSh
+          caCertificates
+          fakeNss
+        ] ++ lib.optionals (stdenv.hostPlatform.system == "x86_64-linux") [
+          sgx-dcap.quote_verify
+          sgx-dcap.default_qpl
+        ];
+      pathsToLink = [
+        "/bin"
+        "/lib"
+        "/etc"
+        "/share"
+      ];
+    };
+  }
--- a/packages/container-verify-era-proof-attestation-sgx/default.nix
+++ b/packages/container-verify-era-proof-attestation-sgx/default.nix
@ -3,31 +3,45 @@
 { dockerTools
 , buildEnv
 , teepot
+, stdenv
 , openssl
 , curl
 , nixsgx
 , pkg-config
 }:
-dockerTools.buildLayeredImage {
-  name = "verify-era-proof-attestation";
+if (stdenv.hostPlatform.isDarwin) then {
+  # FIXME: dockerTools.buildLayeredImage seems to be broken on Darwin
+} else
+  dockerTools.buildLayeredImage {
+    name = "verify-era-proof-attestation";

-  config.Entrypoint = [ "${teepot.teepot.verify_era_proof_attestation}/bin/verify-era-proof-attestation" ];
-  config.Env = [ "LD_LIBRARY_PATH=/lib" ];
-  contents = buildEnv {
-    name = "image-root";
-
-    paths = with dockerTools; with nixsgx;[
-      pkg-config
-      openssl.out
-      curl.out
-      sgx-dcap.quote_verify
-      sgx-dcap.default_qpl
-      teepot.teepot.verify_era_proof_attestation
-      usrBinEnv
-      binSh
-      caCertificates
-      fakeNss
+    config.Entrypoint = [
+      "${teepot.teepot.verify_era_proof_attestation}/bin/verify-era-proof-attestation"
    ];
-    pathsToLink = [ "/bin" "/lib" "/etc" "/share" ];
-  };
-}
+    config.Env = [ "LD_LIBRARY_PATH=/lib" ];
+    contents = buildEnv {
+      name = "image-root";
+
+      paths =
+        with dockerTools;
+        with nixsgx;
+        [
+          pkg-config
+          openssl.out
+          curl.out
+          sgx-dcap.quote_verify
+          sgx-dcap.default_qpl
+          teepot.teepot.verify_era_proof_attestation
+          usrBinEnv
+          binSh
+          caCertificates
+          fakeNss
+        ];
+      pathsToLink = [
+        "/bin"
+        "/lib"
+        "/etc"
+        "/share"
+      ];
+    };
+  }
--- a/packages/tdx_google/default.nix
+++ b/packages/tdx_google/default.nix
@ -2,9 +2,12 @@
 # Copyright (c) 2024 Matter Labs
 { lib
 , pkgs
+, stdenv
 , system
 , ...
-}: lib.teepot.nixosGenerate {
+}:
+if (stdenv.hostPlatform.system != "x86_64-linux") then { } else
+lib.teepot.nixosGenerate {
  inherit (lib) nixosSystem;
  inherit system pkgs;
  modules = [
--- a/packages/teepot/default.nix
+++ b/packages/teepot/default.nix
@ -1,20 +1,30 @@
 # SPDX-License-Identifier: Apache-2.0
 # Copyright (c) 2024 Matter Labs
-{ lib, pkgs, makeWrapper, teepot }:
-let teepotCrate = teepot.teepotCrate; in
+{ lib
+, pkgs
+, makeWrapper
+, teepot
+, stdenv
+}:
+let
+  teepotCrate = teepot.teepotCrate;
+in
 teepotCrate.craneLib.buildPackage (
-  teepotCrate.commonArgs // {
+  teepotCrate.commonArgs
+    // {
    pname = "teepot";
    inherit (teepotCrate) cargoArtifacts;

    nativeBuildInputs = teepotCrate.commonArgs.nativeBuildInputs ++ [ makeWrapper ];

    passthru = {
-      inherit (teepotCrate) rustPlatform
+      inherit (teepotCrate)
+        rustPlatform
        rustVersion
        commonArgs
        craneLib
-        cargoArtifacts;
+        cargoArtifacts
+        ;
    };

    outputs = [
@ -37,9 +47,10 @@ teepotCrate.craneLib.buildPackage (
      "verify_era_proof_attestation"
    ];

-    postInstall = ''
+    postInstall = lib.optionalString (stdenv.hostPlatform.system == "x86_64-linux") ''
      removeReferencesToVendoredSources "$out" "$cargoVendorDir"
      removeReferencesToVendoredSources "$out" "${teepotCrate.rustVersion}/lib/rustlib/"
+    '' + ''
      mkdir -p $out/nix-support
      for i in $outputs; do
        [[ $i == "out" ]] && continue
@ -47,14 +58,19 @@ teepotCrate.craneLib.buildPackage (
        echo -n "''${!i} " >> $out/nix-support/propagated-user-env-packages
        binname=''${i//_/-}
        mv "$out/bin/$binname" "''${!i}/bin/"
-
-        makeWrapper "''${!i}/bin/$binname" "''${!i}/bin/$binname-dcap" \
-          --prefix LD_LIBRARY_PATH : "${lib.makeLibraryPath [ pkgs.nixsgx.sgx-dcap.quote_verify pkgs.nixsgx.sgx-dcap.default_qpl pkgs.curl ]}" \
-          --set-default QCNL_CONF_PATH "${pkgs.nixsgx.sgx-dcap.default_qpl}/etc/sgx_default_qcnl.conf"
-
+    '' + lib.optionalString (stdenv.hostPlatform.system == "x86_64-linux") ''
+      makeWrapper "''${!i}/bin/$binname" "''${!i}/bin/$binname-dcap" \
+        --prefix LD_LIBRARY_PATH : "${
+          lib.makeLibraryPath [
+            pkgs.nixsgx.sgx-dcap.quote_verify
+            pkgs.nixsgx.sgx-dcap.default_qpl
+            pkgs.curl
+          ]
+        }" \
+        --set-default QCNL_CONF_PATH "${pkgs.nixsgx.sgx-dcap.default_qpl}/etc/sgx_default_qcnl.conf"
+    '' + ''
      done
      rmdir "$out/bin"
    '';
  }
 )
-
--- a/packages/teepotCrate/default.nix
+++ b/packages/teepotCrate/default.nix
@ -2,12 +2,14 @@
 # Copyright (c) 2024 Matter Labs
 { lib
 , inputs
+, stdenv
 , makeRustPlatform
-, nixsgx
+, nixsgx ? null
 , pkg-config
 , rust-bin
 , pkgs
 , openssl
+, darwin
 }:
 let
  rustVersion = rust-bin.fromRustupToolchainFile (inputs.src + "/rust-toolchain.toml");
@ -23,11 +25,15 @@ let
    ];

    buildInputs = [
-      openssl
+      openssl.dev
+    ]
+    ++ lib.optionals (stdenv.hostPlatform.system == "x86_64-linux") [
      nixsgx.sgx-sdk
      nixsgx.sgx-dcap
      nixsgx.sgx-dcap.quote_verify
      nixsgx.sgx-dcap.libtdx_attest
+    ] ++ lib.optionals stdenv.isDarwin [
+      darwin.apple_sdk.frameworks.Security
    ];

    strictDeps = true;