sgx-psw: 2.16 -> 2.21

* Updated platform enclaves. * Re-enable parallel build; seems to work properly across several different machines. * Ensure all non-enclave libs get stripped so we don't add `gcc` to the runtime closure. * I'm not sure what the value of providing a non-platfrom /bin/mount is for non-NixOS users for a service that isn't used that only bloats closure size.
2024-10-07 13:09:27 +03:00 · 2023-09-12 15:08:49 -07:00 · 2023-09-12 15:08:49 -07:00 · 77d43f5fb8
commit 77d43f5fb8
parent a03b0a37b6
1 changed files with 33 additions and 15 deletions
--- a/pkgs/os-specific/linux/sgx/psw/default.nix
+++ b/pkgs/os-specific/linux/sgx/psw/default.nix
@ -5,15 +5,11 @@
 , coreutils
 , curl
 , file
-, glibc
 , makeWrapper
 , nixosTests
 , protobuf
 , python3
 , sgx-sdk
-, shadow
-, systemd
-, util-linux
 , which
 , debug ? false
 }:
@ -23,16 +19,21 @@ stdenv.mkDerivation rec {

  postUnpack =
    let
+      # Fetch the pre-built, Intel-signed Architectural Enclaves (AE). They help
+      # run user application enclaves, verify launch policies, produce remote
+      # attestation quotes, and do platform certification.
      ae.prebuilt = fetchurl {
        url = "https://download.01.org/intel-sgx/sgx-linux/${versionTag}/prebuilt_ae_${versionTag}.tar.gz";
-        hash = "sha256-JriA9UGYFkAPuCtRizk8RMM1YOYGR/eO9ILnx47A40s=";
+        hash = "sha256-IckW4p1XWkWCDCErXyTtnKYKeAUaCrp5iAMsRBMjLX0=";
      };
+      # Also include the Data Center Attestation Primitives (DCAP) platform
+      # enclaves.
      dcap = rec {
-        version = "1.13";
+        version = "1.18";
        filename = "prebuilt_dcap_${version}.tar.gz";
        prebuilt = fetchurl {
          url = "https://download.01.org/intel-sgx/sgx-dcap/${version}/linux/${filename}";
-          hash = "sha256-0kD6hxN8qZ/7/H99aboQx7Qg7ewmYPEexoU6nqczAik=";
+          hash = "sha256-9ceys7ozOEienug+9MTZ6dw3nx7VBfxLNiwhZYv4SzY=";
        };
      };
    in
@ -75,9 +76,6 @@ stdenv.mkDerivation rec {

  dontUseCmakeConfigure = true;

-  # Randomly fails if enabled
-  enableParallelBuilding = false;
-
  buildFlags = [
    "psw_install_pkg"
  ] ++ lib.optionals debug [
@ -131,6 +129,31 @@ stdenv.mkDerivation rec {
    rmdir $sgxPswDir || (echo "Error: The directory $installDir still contains unhandled files: $(ls -A $installDir)" >&2 && exit 1)
  '';

+  stripDebugList = [
+    # Only strip the host libraries. If we don't strip, we accidentally pull in
+    # `gcc`...
+    #
+    # We need to avoid stripping the enclave ".signed.so" files, since that
+    # would modify the enclave measurement (hash).
+    #
+    # TODO(phlip9): put the enclave libraries in a separate directory or tell
+    # strip to ignore all "*.signed.so".
+    "aesm/aesm_service"
+    "aesm/libCppMicroServices.so.4.0.0"
+    "aesm/libdcap_quoteprov.so"
+    "aesm/libipc.so"
+    "aesm/liboal.so"
+    "aesm/libsgx_default_qcnl_wrapper.so"
+    "aesm/libsgx_pce_logic.so.1"
+    "aesm/libsgx_qe3_logic.so.1"
+    "aesm/liburts_internal.so"
+    "aesm/libutils.so"
+
+    "aesm/bundles"
+    "lib"
+    "bin"
+  ];
+
  # Most—if not all—of those fixups are not relevant for NixOS as we have our own
  # NixOS module which is based on those files without relying on them. Still, it
  # is helpful to have properly patched versions for non-NixOS distributions.
@ -151,11 +174,6 @@ stdenv.mkDerivation rec {
                "${coreutils}/bin/chmod" \
      --replace "/bin/kill" \
                "${coreutils}/bin/kill"
-
-    echo "Fixing remount-dev-exec.service"
-    substituteInPlace $out/lib/systemd/system/remount-dev-exec.service \
-      --replace '/bin/mount' \
-                "${util-linux}/bin/mount"
  '';

  passthru.tests = {