sgx-psw: 2.24 -> 2.25

Diff: <https://github.com/intel/linux-sgx/compare/sgx_2.24...sgx_2.25>

Changelog: <https://github.com/intel/linux-sgx/releases/tag/sgx_2.25>

This diff decouples the `sgx-psw` and `sgx-sdk` builds. We only need some
headers and a single tool (`sgx_edger8r`) from the base sdk in order to build
`sgx-psw`. The biggest benefit here is that I can quickly iterate on `sgx-psw`,
which takes just 3 min to build, vs. waiting 1+ hour to build both `sgx-sdk`
and `sgx-psw`.

`sgx-sdk` is also broken in an inscrutable way with 2.25 and I don't really
have the patience to waste more time on it. Now I can update the only useful
artifact (the `aesmd` service from `sgx-psw`) without wasting time on the sdk.

+169 -29
+26
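--- a/pkgs/os-specific/linux/sgx/psw/cppmicroservices-no-mtime.patch
+++ b/pkgs/os-specific/linux/sgx/psw/cppmicroservices-no-mtime.patch
@@ -0,0 +1,26 @@
+diff --git a/external/CppMicroServices/framework/src/bundle/BundleResourceContainer.cpp b/external/CppMicroServices/framework/src/bundle/BundleResourceContainer.cpp
+index aee499e9..13fa89d4 100644
+--- a/external/CppMicroServices/framework/src/bundle/BundleResourceContainer.cpp
++++ b/external/CppMicroServices/framework/src/bundle/BundleResourceContainer.cpp
+@@ -105,7 +105,7 @@ bool BundleResourceContainer::GetStat(int index,
+const_cast<mz_zip_archive*>(&m_ZipArchive), index)
+? true
+: false;
+- stat.modifiedTime = zipStat.m_time;
++ stat.modifiedTime = 0;
+stat.crc32 = zipStat.m_crc32;
+// This will limit the size info from uint64 to uint32 on 32-bit
+// architectures. We don't care because we assume resources > 2GB
+diff --git a/external/CppMicroServices/third_party/miniz.c b/external/CppMicroServices/third_party/miniz.c
+index 6b0ebd7a..fa2aebca 100644
+--- a/external/CppMicroServices/third_party/miniz.c
++++ b/external/CppMicroServices/third_party/miniz.c
+@@ -170,7 +170,7 @@
+// If MINIZ_NO_TIME is specified then the ZIP archive functions will not be able to get the current time, or
+// get/set file times, and the C run-time funcs that get/set times won't be called.
+// The current downside is the times written to your archives will be from 1979.
+-//#define MINIZ_NO_TIME
++#define MINIZ_NO_TIME
+
+// Define MINIZ_NO_ARCHIVE_APIS to disable all ZIP archive API's.
+//#define MINIZ_NO_ARCHIVE_APIS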
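Review bot: `stat.modifiedTime = 0;` in BundleResourceContainer::GetStat zeroes the mtime that GetStat reports for every bundled resource, not only the timestamp written into the embedded archive, so any caller in aesm_service that reads a resource's modification time now sees the epoch; the hunk shows no such consumer, so this is presumably unused, but the assignment deserves a one-line comment such as `// Zeroed for reproducible builds (nixpkgs); resource mtimes are not consumed.` The `#define MINIZ_NO_TIME` edit is made inside the vendored miniz.c, where the surrounding comment says the macro only needs to be "specified"; if CppMicroServices' build honours CPPFLAGS or NIX_CFLAGS_COMPILE, passing `-DMINIZ_NO_TIME` from default.nix would achieve the same without a patch against third-party code that must be refreshed on every CppMicroServices bump. GetStat's body starts and ends outside the hunk.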
+111 -29
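--- a/pkgs/os-specific/linux/sgx/psw/default.nix
+++ b/pkgs/os-specific/linux/sgx/psw/default.nix
@@ -1,22 +1,37 @@
 { stdenv
 , lib
 , fetchurl
+, fetchFromGitHub
 , cmake
 , coreutils
 , curl
 , file
+, git
 , makeWrapper
 , nixosTests
 , protobuf
 , python3
-, sgx-sdk
+, ocaml
+, ocamlPackages
 , which
 , debug ? false
 }:
 stdenv.mkDerivation rec {
-inherit (sgx-sdk) patches src version versionTag;
 pname = "sgx-psw";
+# Version as given in se_version.h
+version = "2.25.100.3";
+# Version as used in the Git tag
+versionTag = "2.25";
+
+src = fetchFromGitHub {
+owner = "intel";
+repo = "linux-sgx";
+rev = "sgx_${versionTag}";
+hash = "sha256-RR+vFTd9ZM6XUn3KgQeUM+xoj1Ava4zQzFYA/nfXyaw=";
+fetchSubmodules = true;
+};
 
+# Extract Intel-provided, pre-built enclaves and libs.
 postUnpack =
 let
 # Fetch the pre-built, Intel-signed Architectural Enclaves (AE). They help
@@ -24,34 +39,104 @@
 # attestation quotes, and do platform certification.
 ae.prebuilt = fetchurl {
 url = "https://download.01.org/intel-sgx/sgx-linux/${versionTag}/prebuilt_ae_${versionTag}.tar.gz";
-hash = "sha256-IGV9VEwY/cQBV4Vz2sps4JgRweWRl/l08ocb9P4SH8Q=";
+hash = "sha256-Hlh96rYOyml2y50d8ASKz6U97Fl0hbGYECeZiG9nMSQ=";
+};
+
+# Pre-built ipp-crypto with mitigations.
+optlib.prebuilt = fetchurl {
+url = "https://download.01.org/intel-sgx/sgx-linux/${versionTag}/optimized_libs_${versionTag}.tar.gz";
+hash = "sha256-7mDTaLtpOQLHQ6Fv+FWJ2k/veJZPXIcuj7kOdRtRqhg=";
 };
-# Also include the Data Center Attestation Primitives (DCAP) platform
-# enclaves.
+
+# Fetch the Data Center Attestation Primitives (DCAP) platform enclaves
+# and pre-built sgxssl.
 dcap = rec {
-version = "1.21";
+version = "1.22";
 filename = "prebuilt_dcap_${version}.tar.gz";
 prebuilt = fetchurl {
 url = "https://download.01.org/intel-sgx/sgx-dcap/${version}/linux/$(unknown)";
-hash = "sha256-/PPD2MyNxoCwzNljIFcpkFvItXbyvymsJ7+Uf4IyZuk=";
+hash = "sha256-RTpJQ6epoAN8YQXSJUjJQ5mPaQIiQpStTWFsnspjjDQ=";
 };
 };
 in
-sgx-sdk.postUnpack + ''
+''
+# Make sure this is the right version of linux-sgx
+grep -q '"${version}"' "$src/common/inc/internal/se_version.h" \
+|| (echo "Could not find expected version ${version} in linux-sgx source" >&2 && exit 1)
+
+tar -xzvf ${ae.prebuilt} -C $sourceRoot/
+tar -xzvf ${optlib.prebuilt} -C $sourceRoot/
+
 # Make sure we use the correct version of prebuilt DCAP
 grep -q 'ae_file_name=${dcap.filename}' "$src/external/dcap_source/QuoteGeneration/download_prebuilt.sh" \
 || (echo "Could not find expected prebuilt DCAP ${dcap.filename} in linux-sgx source" >&2 && exit 1)
 
-tar -zxf ${ae.prebuilt} -C $sourceRoot/
-tar -zxf ${dcap.prebuilt} -C $sourceRoot/external/dcap_source/QuoteGeneration/
+tar -xzvf ${dcap.prebuilt} -C $sourceRoot/external/dcap_source ./prebuilt/
+tar -xzvf ${dcap.prebuilt} -C $sourceRoot/external/dcap_source/QuoteGeneration ./psw/
+'';
+
+patches = [
+# There's a `make preparation` step that downloads some prebuilt binaries
+# and applies some patches to the in-repo git submodules. This patch removes
+# the parts that download things, since we can't do that inside the sandbox.
+./disable-downloads.patch
+
+# This patch disables mtime in bundled zip file for reproducible builds.
+#
+# Context: The `aesm_service` binary depends on a vendored library called
+# `CppMicroServices`. At build time, this lib creates and then bundles
+# service resources into a zip file and then embeds this zip into the
+# binary. Without changes, the `aesm_service` will be different after every
+# build because the embedded zip file contents have different modified times.
+./cppmicroservices-no-mtime.patch
+];
+
+postPatch =
+let
+# The base directories we want to copy headers from. The exact headers are
+# parsed from <linux/installer/common/sdk/BOMs/sdk_base.txt>
+bomDirsToCopyFrom = builtins.concatStringsSep "|" [
+"common/"
+"external/dcap_source/"
+"external/ippcp_internal/"
+"external/sgx-emm/"
+"psw/"
+"sdk/tlibcxx/"
+];
+in
+''
+patchShebangs \
+external/sgx-emm/create_symlink.sh \
+linux/installer/bin/build-installpkg.sh \
+linux/installer/common/psw/createTarball.sh \
+linux/installer/common/psw/install.sh
+
+# Run sgx-sdk preparation step
+make preparation
+
+# Build a fake SGX_SDK directory. Normally sgx-psw depends on first building
+# all of sgx-sdk, however we can actually build them independently by just
+# copying a few header files and building `sgx_edger8r` separately.
+mkdir .sgxsdk
+export SGX_SDK="$(readlink -f .sgxsdk)"
+
+# Parse the BOM for the headers we need, then copy them into SGX_SDK
+# Each line in the BOM.txt looks like:
+# <deliverydir>/...\t<installdir>/package/...\t....
+# TODO(phlip9): hardlink?
+sed -n -r 's:^<deliverydir>/(${bomDirsToCopyFrom})(\S+)\s<installdir>/package/(\S+)\s.*$:\1\2\n.sgxsdk/\3:p' \
+< linux/installer/common/sdk/BOMs/sdk_base.txt \
+| xargs --max-args=2 install -v -D
 '';
 
 nativeBuildInputs = [
 cmake
 file
+git
 makeWrapper
+ocaml
+ocamlPackages.ocamlbuild
 python3
-sgx-sdk
 which
 ];
 
@@ -60,27 +145,24 @@
 protobuf
 ];
 
-hardeningDisable = [
-# causes redefinition of _FORTIFY_SOURCE
-"fortify3"
-] ++ lib.optionals debug [
-"fortify"
-];
+dontUseCmakeConfigure = true;
+
+preBuild = ''
+# Build `sgx_edger8r`, the enclave .edl -> .h file codegen tool.
+# Then place it in `$SGX_SDK/bin` and `$SGX_SDK/bin/x64`.
+make -C sdk/edger8r/linux
+mkdir -p $SGX_SDK/bin/x64
+sgx_edger8r_bin="$(readlink -f build/linux/sgx_edger8r)"
+ln -s $sgx_edger8r_bin $SGX_SDK/bin/
+ln -s $sgx_edger8r_bin $SGX_SDK/bin/x64/
 
-postPatch = ''
-patchShebangs \
-linux/installer/bin/build-installpkg.sh \
-linux/installer/common/psw/createTarball.sh \
-linux/installer/common/psw/install.sh
+# Add this so we can link against libsgx_urts.
+build_dir="$(readlink -f build/linux)"
+ln -s $build_dir $SGX_SDK/lib
+ln -s $build_dir $SGX_SDK/lib64
 '';
 
-dontUseCmakeConfigure = true;
-
-buildFlags = [
-"psw_install_pkg"
-] ++ lib.optionals debug [
-"DEBUG=1"
-];
+buildFlags = [ "psw_install_pkg" ] ++ lib.optionals debug [ "DEBUG=1" ];
 
 installFlags = [
 "-C linux/installer/common/psw/output"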
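Review bot: The new postUnpack checks the DCAP tarball name against the repo's `download_prebuilt.sh` (new lines 70-72) but adds no equivalent check for `prebuilt_ae_${versionTag}.tar.gz` and `optimized_libs_${versionTag}.tar.gz`, which are fetched by tag alone (new lines 41, 47, 67-68); the sha256 pins fix the bytes, so this is a consistency gap rather than a supply-chain one, but a tag/tarball mismatch would surface only as a link failure or a misbehaving aesmd. If the root `download_prebuilt.sh` carries variables in the same `ae_file_name=` style (I cannot see it here), mirroring the DCAP grep against `$src/download_prebuilt.sh` for both archives would catch a stale tag at unpack time. Separately, the hunk drops `hardeningDisable = [ "fortify3" ]` together with its `causes redefinition of _FORTIFY_SOURCE` rationale (old lines 63-68) without saying whether 2.25 fixed the redefinition or whether the conflict came from the removed sgx-sdk input; a short comment next to `dontUseCmakeConfigure = true;` recording why fortify3 is now safe to leave on, and that `debug = true` builds are now compiled with FORTIFY as well, would spare the next bumper from rediscovering it.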
+32
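--- a/pkgs/os-specific/linux/sgx/psw/disable-downloads.patch
+++ b/pkgs/os-specific/linux/sgx/psw/disable-downloads.patch
@@ -0,0 +1,32 @@
+diff --git a/Makefile b/Makefile
+index 19bc05a..6b1acd4 100644
+--- a/Makefile
++++ b/Makefile
+@@ -50,13 +50,13 @@ tips:
+preparation:
+# As SDK build needs to clone and patch openmp, we cannot support the mode that download the source from github as zip.
+# Only enable the download from git
+- git submodule update --init --recursive
++ # git submodule update --init --recursive
+cd external/dcap_source/external/jwt-cpp && git apply ../0001-Add-a-macro-to-disable-time-support-in-jwt-for-SGX.patch >/dev/null 2>&1 || \
+git apply ../0001-Add-a-macro-to-disable-time-support-in-jwt-for-SGX.patch -R --check
+- ./external/dcap_source/QuoteVerification/prepare_sgxssl.sh nobuild
++ # ./external/dcap_source/QuoteVerification/prepare_sgxssl.sh nobuild
+cd external/openmp/openmp_code && git apply ../0001-Enable-OpenMP-in-SGX.patch >/dev/null 2>&1 || git apply ../0001-Enable-OpenMP-in-SGX.patch --check -R
+cd external/protobuf/protobuf_code && git apply ../sgx_protobuf.patch >/dev/null 2>&1 || git apply ../sgx_protobuf.patch --check -R
+- cd external/protobuf/protobuf_code && git submodule update --init --recursive && cd third_party/abseil-cpp && git apply ../../../sgx_abseil.patch>/dev/null 2>&1 || git apply ../../../sgx_abseil.patch --check -R
++ cd external/protobuf/protobuf_code && cd third_party/abseil-cpp && git apply ../../../sgx_abseil.patch>/dev/null 2>&1 || git apply ../../../sgx_abseil.patch --check -R
+./external/sgx-emm/create_symlink.sh
+cd external/mbedtls/mbedtls_code && git apply ../sgx_mbedtls.patch >/dev/null 2>&1 || git apply ../sgx_mbedtls.patch --check -R
+cd external/cbor && cp -r libcbor sgx_libcbor
+@@ -64,8 +64,8 @@ preparation:
+cd external/cbor/sgx_libcbor && git apply ../sgx_cbor.patch >/dev/null 2>&1 || git apply ../sgx_cbor.patch --check -R
+cd external/ippcp_internal/ipp-crypto && git apply ../0001-IPP-crypto-for-SGX.patch > /dev/null 2>&1 || git apply ../0001-IPP-crypto-for-SGX.patch --check -R
+cd external/ippcp_internal/ipp-crypto && mkdir -p build
+- ./download_prebuilt.sh
+- ./external/dcap_source/QuoteGeneration/download_prebuilt.sh
++ # ./download_prebuilt.sh
++ # ./external/dcap_source/QuoteGeneration/download_prebuilt.sh
+
+psw:
+$(MAKE) -C psw/ USE_OPT_LIBS=$(USE_OPT_LIBS)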
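Review bot: The four commented-out lines (`# git submodule update --init --recursive`, `# ./external/dcap_source/QuoteVerification/prepare_sgxssl.sh nobuild`, `# ./download_prebuilt.sh`, `# ./external/dcap_source/QuoteGeneration/download_prebuilt.sh`) remain recipe lines of `preparation`: a `#` after the recipe tab is handed to the shell rather than treated as a make comment, so `make preparation` echoes each of them into the build log and runs it as a shell no-op. That is harmless, but deleting the lines outright keeps the recipe honest and the log free of commands that look as if they ran. The patch also removes the nested `git submodule update` inside `external/protobuf/protobuf_code` (the abseil-cpp line), so that checkout now depends entirely on the derivation's `fetchSubmodules = true` pulling submodules recursively; presumably it does, since the following `git apply ../../../sgx_abseil.patch` would otherwise fail loudly, but a one-line note in the patch preamble stating that dependency would help whoever rebases this on the next linux-sgx release.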