mirror of
https://github.com/ilyakooo0/nixpkgs.git
synced 2024-10-07 13:09:27 +03:00
sgx-psw: 2.16 -> 2.21
* Updated platform enclaves. * Re-enable parallel build; seems to work properly across several different machines. * Ensure all non-enclave libs get stripped so we don't add `gcc` to the runtime closure. * I'm not sure what the value of providing a non-platfrom /bin/mount is for non-NixOS users for a service that isn't used that only bloats closure size.
This commit is contained in:
parent
a03b0a37b6
commit
77d43f5fb8
@ -5,15 +5,11 @@
|
||||
, coreutils
|
||||
, curl
|
||||
, file
|
||||
, glibc
|
||||
, makeWrapper
|
||||
, nixosTests
|
||||
, protobuf
|
||||
, python3
|
||||
, sgx-sdk
|
||||
, shadow
|
||||
, systemd
|
||||
, util-linux
|
||||
, which
|
||||
, debug ? false
|
||||
}:
|
||||
@ -23,16 +19,21 @@ stdenv.mkDerivation rec {
|
||||
|
||||
postUnpack =
|
||||
let
|
||||
# Fetch the pre-built, Intel-signed Architectural Enclaves (AE). They help
|
||||
# run user application enclaves, verify launch policies, produce remote
|
||||
# attestation quotes, and do platform certification.
|
||||
ae.prebuilt = fetchurl {
|
||||
url = "https://download.01.org/intel-sgx/sgx-linux/${versionTag}/prebuilt_ae_${versionTag}.tar.gz";
|
||||
hash = "sha256-JriA9UGYFkAPuCtRizk8RMM1YOYGR/eO9ILnx47A40s=";
|
||||
hash = "sha256-IckW4p1XWkWCDCErXyTtnKYKeAUaCrp5iAMsRBMjLX0=";
|
||||
};
|
||||
# Also include the Data Center Attestation Primitives (DCAP) platform
|
||||
# enclaves.
|
||||
dcap = rec {
|
||||
version = "1.13";
|
||||
version = "1.18";
|
||||
filename = "prebuilt_dcap_${version}.tar.gz";
|
||||
prebuilt = fetchurl {
|
||||
url = "https://download.01.org/intel-sgx/sgx-dcap/${version}/linux/${filename}";
|
||||
hash = "sha256-0kD6hxN8qZ/7/H99aboQx7Qg7ewmYPEexoU6nqczAik=";
|
||||
hash = "sha256-9ceys7ozOEienug+9MTZ6dw3nx7VBfxLNiwhZYv4SzY=";
|
||||
};
|
||||
};
|
||||
in
|
||||
@ -75,9 +76,6 @@ stdenv.mkDerivation rec {
|
||||
|
||||
dontUseCmakeConfigure = true;
|
||||
|
||||
# Randomly fails if enabled
|
||||
enableParallelBuilding = false;
|
||||
|
||||
buildFlags = [
|
||||
"psw_install_pkg"
|
||||
] ++ lib.optionals debug [
|
||||
@ -131,6 +129,31 @@ stdenv.mkDerivation rec {
|
||||
rmdir $sgxPswDir || (echo "Error: The directory $installDir still contains unhandled files: $(ls -A $installDir)" >&2 && exit 1)
|
||||
'';
|
||||
|
||||
stripDebugList = [
|
||||
# Only strip the host libraries. If we don't strip, we accidentally pull in
|
||||
# `gcc`...
|
||||
#
|
||||
# We need to avoid stripping the enclave ".signed.so" files, since that
|
||||
# would modify the enclave measurement (hash).
|
||||
#
|
||||
# TODO(phlip9): put the enclave libraries in a separate directory or tell
|
||||
# strip to ignore all "*.signed.so".
|
||||
"aesm/aesm_service"
|
||||
"aesm/libCppMicroServices.so.4.0.0"
|
||||
"aesm/libdcap_quoteprov.so"
|
||||
"aesm/libipc.so"
|
||||
"aesm/liboal.so"
|
||||
"aesm/libsgx_default_qcnl_wrapper.so"
|
||||
"aesm/libsgx_pce_logic.so.1"
|
||||
"aesm/libsgx_qe3_logic.so.1"
|
||||
"aesm/liburts_internal.so"
|
||||
"aesm/libutils.so"
|
||||
|
||||
"aesm/bundles"
|
||||
"lib"
|
||||
"bin"
|
||||
];
|
||||
|
||||
# Most—if not all—of those fixups are not relevant for NixOS as we have our own
|
||||
# NixOS module which is based on those files without relying on them. Still, it
|
||||
# is helpful to have properly patched versions for non-NixOS distributions.
|
||||
@ -151,11 +174,6 @@ stdenv.mkDerivation rec {
|
||||
"${coreutils}/bin/chmod" \
|
||||
--replace "/bin/kill" \
|
||||
"${coreutils}/bin/kill"
|
||||
|
||||
echo "Fixing remount-dev-exec.service"
|
||||
substituteInPlace $out/lib/systemd/system/remount-dev-exec.service \
|
||||
--replace '/bin/mount' \
|
||||
"${util-linux}/bin/mount"
|
||||
'';
|
||||
|
||||
passthru.tests = {
|
||||
|
Loading…
Reference in New Issue
Block a user