sgx-sdk: 2.16 -> 2.21

Release notes:
<https://github.com/intel/linux-sgx/releases/tag/sgx_2.21>

sgx-sdk/ipp-crypto: 2021.3 -> 2021.7

* The `substituteInPlace` is no longer necessary as corresponding PR was
  merged.

pkgs/os-specific/linux/sgx/samples/default.nix

@@ -1,6 +1,7 @@
 { stdenv
 , lib
 , makeWrapper
+, openssl
 , sgx-sdk
 , sgx-psw
 , which
@@ -18,6 +19,7 @@ let
 
     nativeBuildInputs = [
       makeWrapper
+      openssl
       which
     ];
 
@@ -66,7 +68,9 @@ let
 in
 {
   cxx11SGXDemo = buildSample "Cxx11SGXDemo";
-  localAttestation = (buildSample "LocalAttestation").overrideAttrs (oldAttrs: {
+  cxx14SGXDemo = buildSample "Cxx14SGXDemo";
+  cxx17SGXDemo = buildSample "Cxx17SGXDemo";
+  localAttestation = (buildSample "LocalAttestation").overrideAttrs (old: {
     installPhase = ''
       runHook preInstall
 
@@ -86,7 +90,7 @@ in
   });
   powerTransition = buildSample "PowerTransition";
   protobufSGXDemo = buildSample "ProtobufSGXDemo";
-  remoteAttestation = (buildSample "RemoteAttestation").overrideAttrs (oldAttrs: {
+  remoteAttestation = (buildSample "RemoteAttestation").overrideAttrs (old: {
     # Makefile sets rpath to point to $TMPDIR
     preFixup = ''
       patchelf --remove-rpath $out/bin/app
@@ -97,13 +101,40 @@ in
     '';
   });
   sampleEnclave = buildSample "SampleEnclave";
-  sampleEnclavePCL = buildSample "SampleEnclavePCL";
   sampleEnclaveGMIPP = buildSample "SampleEnclaveGMIPP";
-  sealUnseal = (buildSample "SealUnseal").overrideAttrs (oldAttrs: {
+  sampleMbedCrypto = buildSample "SampleMbedCrypto";
+  sealUnseal = (buildSample "SealUnseal").overrideAttrs (old: {
     prePatch = ''
       substituteInPlace App/App.cpp \
         --replace '"sealed_data_blob.txt"' '"/tmp/sealed_data_blob.txt"'
     '';
   });
   switchless = buildSample "Switchless";
+  # # Requires SGX-patched openssl (sgxssl) build
+  # sampleAttestedTLS = buildSample "SampleAttestedTLS";
+} // lib.optionalAttrs (!isSimulation) {
+  # # Requires kernel >= v6.2 && HW SGX
+  # sampleAEXNotify = buildSample "SampleAEXNotify";
+
+  # Requires HW SGX
+  sampleCommonLoader = (buildSample "SampleCommonLoader").overrideAttrs (old: {
+    nativeBuildInputs = [ sgx-psw ] ++ old.nativeBuildInputs;
+
+    installPhase = ''
+      runHook preInstall
+
+      mkdir -p $out/{bin,lib}
+      mv sample app
+      install -m 755 app $out/bin
+
+      wrapProgram "$out/bin/app" \
+        --chdir "$out/lib" \
+        --prefix LD_LIBRARY_PATH : "${lib.makeLibraryPath [sgx-psw]}"
+
+      runHook postInstall
+    '';
+  });
+
+  # # SEGFAULTs in simulation mode?
+  # sampleEnclavePCL = buildSample "SampleEnclavePCL";
 }

pkgs/os-specific/linux/sgx/sdk/default.nix

@@ -29,15 +29,15 @@
 stdenv.mkDerivation rec {
   pname = "sgx-sdk";
   # Version as given in se_version.h
-  version = "2.16.100.4";
+  version = "2.21.100.1";
   # Version as used in the Git tag
-  versionTag = "2.16";
+  versionTag = "2.21";
 
   src = fetchFromGitHub {
     owner = "intel";
     repo = "linux-sgx";
     rev = "sgx_${versionTag}";
-    hash = "sha256-qgXuJJWiqmcU11umCsE3DnlK4VryuTDAsNf53YPw6UY=";
+    hash = "sha256-Yo2G0H0XUI2p9W7lDRLkFHw2t8X1220brGohQJ0r2WY=";
     fetchSubmodules = true;
   };
 
@@ -55,10 +55,32 @@ stdenv.mkDerivation rec {
     })
   ];
 
+  # There's a `make preparation` step that downloads some prebuilt binaries and
+  # applies some patches to the in-repo git submodules. We can't just run it,
+  # since it downloads things, so this step just extracts the patching steps.
   postPatch = ''
     patchShebangs linux/installer/bin/build-installpkg.sh \
       linux/installer/common/sdk/createTarball.sh \
-      linux/installer/common/sdk/install.sh
+      linux/installer/common/sdk/install.sh \
+      external/sgx-emm/create_symlink.sh
+
+    echo "Running 'make preparation' but without download steps"
+
+    # Seems to download something. Build currently uses ipp-crypto and not
+    # sgxssl so probably not an issue.
+    # $ ./external/dcap_source/QuoteVerification/prepare_sgxssl.sh nobuild
+
+    pushd external/openmp/openmp_code
+      git apply ../0001-Enable-OpenMP-in-SGX.patch >/dev/null 2>&1 \
+        || git apply ../0001-Enable-OpenMP-in-SGX.patch --check -R
+    popd
+
+    pushd external/protobuf/protobuf_code
+      git apply ../sgx_protobuf.patch >/dev/null 2>&1 \
+        || git apply ../sgx_protobuf.patch --check -R
+    popd
+
+    ./external/sgx-emm/create_symlink.sh
   '';
 
   # We need `cmake` as a build input but don't use it to kick off the build phase
@@ -123,7 +145,7 @@ stdenv.mkDerivation rec {
         lib/linux/intel64/cve_2020_0551_cf/libippcp.a
 
       rm inc/ippcp.h
-      patch ${ipp-crypto-no_mitigation}/include/ippcp.h -i inc/ippcp21u3.patch -o inc/ippcp.h
+      patch ${ipp-crypto-no_mitigation}/include/ippcp.h -i inc/ippcp21u7.patch -o inc/ippcp.h
 
       install -D ${ipp-crypto-no_mitigation.src}/LICENSE license/LICENSE
 
@@ -136,8 +158,6 @@ stdenv.mkDerivation rec {
     "DEBUG=1"
   ];
 
-  enableParallelBuilding = true;
-
   postBuild = ''
     patchShebangs linux/installer/bin/sgx_linux_x64_sdk_${version}.bin
   '';
@@ -166,6 +186,11 @@ stdenv.mkDerivation rec {
     mv $installDir/lib64 lib
     ln -s lib/ lib64
 
+    # Fixup the symlinks for libsgx_urts.so.* -> libsgx_urts.so
+    for file in lib/libsgx_urts.so.*; do
+      ln -srf lib/libsgx_urts.so $file
+    done
+
     mv $installDir/include/ .
 
     mkdir -p share/
@@ -204,7 +229,6 @@ stdenv.mkDerivation rec {
     runHook postInstall
   '';
 
-
   preFixup = ''
     echo "Strip sgxsdk prefix"
     for path in "$out/share/bin/environment" "$out/bin/sgx-gdb"; do

pkgs/os-specific/linux/sgx/sdk/ipp-crypto.nix

@@ -1,5 +1,4 @@
-{ lib
-, gcc11Stdenv
+{ gcc11Stdenv
 , fetchFromGitHub
 , cmake
 , nasm
@@ -7,29 +6,24 @@
 , python3
 , extraCmakeFlags ? [ ]
 }:
-
 gcc11Stdenv.mkDerivation rec {
   pname = "ipp-crypto";
-  version = "2021.3";
+  version = "2021.7";
 
   src = fetchFromGitHub {
     owner = "intel";
     repo = "ipp-crypto";
     rev = "ippcp_${version}";
-    hash = "sha256-QEJXvQ//zhQqibFxXwPMdS1MHewgyb24LRmkycVSGrM=";
+    hash = "sha256-3W0LlJgmrp2Rk7xQ+0GQfkF2UpH4htx9R7IL86smtnY=";
   };
 
-  # Fix typo: https://github.com/intel/ipp-crypto/pull/33
-  postPatch = ''
-    substituteInPlace sources/cmake/ippcp-gen-config.cmake \
-      --replace 'ippcpo-config.cmake' 'ippcp-config.cmake'
-  '';
-
   cmakeFlags = [ "-DARCH=intel64" ] ++ extraCmakeFlags;
 
   nativeBuildInputs = [
     cmake
     nasm
+    # TODO(phlip9): The most recent `ipp-crypto` version (2021.9) now uses
+    # OpenSSL v3 so we can avoid this EOL version when sgx-sdk updates.
     openssl_1_1
     python3
   ];