diff --git a/pkgs/os-specific/linux/sgx/psw/default.nix b/pkgs/os-specific/linux/sgx/psw/default.nix
index fa4a7be01cf5..9b5c8087b232 100644
--- a/pkgs/os-specific/linux/sgx/psw/default.nix
+++ b/pkgs/os-specific/linux/sgx/psw/default.nix
@@ -5,15 +5,11 @@
 , coreutils
 , curl
 , file
-, glibc
 , makeWrapper
 , nixosTests
 , protobuf
 , python3
 , sgx-sdk
-, shadow
-, systemd
-, util-linux
 , which
 , debug ? false
 }:
@@ -23,16 +19,21 @@ stdenv.mkDerivation rec {
 
   postUnpack =
     let
+      # Fetch the pre-built, Intel-signed Architectural Enclaves (AE). They help
+      # run user application enclaves, verify launch policies, produce remote
+      # attestation quotes, and do platform certification.
       ae.prebuilt = fetchurl {
         url = "https://download.01.org/intel-sgx/sgx-linux/${versionTag}/prebuilt_ae_${versionTag}.tar.gz";
-        hash = "sha256-JriA9UGYFkAPuCtRizk8RMM1YOYGR/eO9ILnx47A40s=";
+        hash = "sha256-IckW4p1XWkWCDCErXyTtnKYKeAUaCrp5iAMsRBMjLX0=";
       };
+      # Also include the Data Center Attestation Primitives (DCAP) platform
+      # enclaves.
       dcap = rec {
-        version = "1.13";
+        version = "1.18";
         filename = "prebuilt_dcap_${version}.tar.gz";
         prebuilt = fetchurl {
           url = "https://download.01.org/intel-sgx/sgx-dcap/${version}/linux/${filename}";
-          hash = "sha256-0kD6hxN8qZ/7/H99aboQx7Qg7ewmYPEexoU6nqczAik=";
+          hash = "sha256-9ceys7ozOEienug+9MTZ6dw3nx7VBfxLNiwhZYv4SzY=";
         };
       };
     in
@@ -75,9 +76,6 @@ stdenv.mkDerivation rec {
 
   dontUseCmakeConfigure = true;
 
-  # Randomly fails if enabled
-  enableParallelBuilding = false;
-
   buildFlags = [
     "psw_install_pkg"
   ] ++ lib.optionals debug [
@@ -131,6 +129,31 @@ stdenv.mkDerivation rec {
     rmdir $sgxPswDir || (echo "Error: The directory $installDir still contains unhandled files: $(ls -A $installDir)" >&2 && exit 1)
   '';
 
+  stripDebugList = [
+    # Only strip the host libraries. If we don't strip, we accidentally pull in
+    # `gcc`...
+    #
+    # We need to avoid stripping the enclave ".signed.so" files, since that
+    # would modify the enclave measurement (hash).
+    #
+    # TODO(phlip9): put the enclave libraries in a separate directory or tell
+    # strip to ignore all "*.signed.so".
+    "aesm/aesm_service"
+    "aesm/libCppMicroServices.so.4.0.0"
+    "aesm/libdcap_quoteprov.so"
+    "aesm/libipc.so"
+    "aesm/liboal.so"
+    "aesm/libsgx_default_qcnl_wrapper.so"
+    "aesm/libsgx_pce_logic.so.1"
+    "aesm/libsgx_qe3_logic.so.1"
+    "aesm/liburts_internal.so"
+    "aesm/libutils.so"
+
+    "aesm/bundles"
+    "lib"
+    "bin"
+  ];
+
   # Most—if not all—of those fixups are not relevant for NixOS as we have our own
   # NixOS module which is based on those files without relying on them. Still, it
   # is helpful to have properly patched versions for non-NixOS distributions.
@@ -151,11 +174,6 @@ stdenv.mkDerivation rec {
                 "${coreutils}/bin/chmod" \
       --replace "/bin/kill" \
                 "${coreutils}/bin/kill"
-
-    echo "Fixing remount-dev-exec.service"
-    substituteInPlace $out/lib/systemd/system/remount-dev-exec.service \
-      --replace '/bin/mount' \
-                "${util-linux}/bin/mount"
   '';
 
   passthru.tests = {