Merge pull request #126990 from sbellem/sgxsdk

authored by Sandro and committed by GitHub a0ab6d84 662373bd

+191
+6
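--- a/maintainers/maintainer-list.nix
+++ b/maintainers/maintainer-list.nix
@@ -10185,6 +10185,12 @@
     githubId = 720864;
     name = "Sébastien Bourdeauducq";
   };
+  sbellem = {
+    email = "sbellem@gmail.com";
+    github = "sbellem";
+    githubId = 125458;
+    name = "Sylvain Bellemare";
+  };
   sbond75 = {
     name = "sbond75";
     email = "43617712+sbond75@users.noreply.github.com";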
+159
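--- a/pkgs/os-specific/linux/sgx-sdk/default.nix
+++ b/pkgs/os-specific/linux/sgx-sdk/default.nix
@@ -0,0 +1,159 @@
+{ lib
+, stdenv
+, fetchpatch
+, fetchurl
+, fetchFromGitHub
+, callPackage
+, autoconf
+, automake
+, binutils
+, cmake
+, file
+, git
+, libtool
+, nasm
+, ncurses
+, ocaml
+, ocamlPackages
+, openssl
+, perl
+, python3
+, texinfo
+, which
+, writeShellScript
+}:
+
+stdenv.mkDerivation rec {
+  pname = "sgx-sdk";
+  version = "2.14";
+
+  src = fetchFromGitHub {
+    owner = "intel";
+    repo = "linux-sgx";
+    rev = "0cea078f17a24fb807e706409972d77f7a958db9";
+    sha256 = "1cr2mkk459s270ng0yddgcryi0zc3dfmg9rmdrdh9mhy2mc1kx0g";
+    fetchSubmodules = true;
+  };
+
+  patches = [
+    (fetchpatch {
+      name = "replace-bin-cp-with-cp.patch";
+      url = "https://github.com/intel/linux-sgx/commit/e0db5291d46d1c124980719d63829d65f89cf2c7.patch";
+      sha256 = "0xwlpm1r4rl4anfhjkr6fgz0gcyhr0ng46fv8iw9hfsh891yqb7z";
+    })
+    (fetchpatch {
+      name = "sgx_ippcp.h.patch";
+      url = "https://github.com/intel/linux-sgx/commit/e5929083f8161a8e7404afc0577936003fbb9d0b.patch";
+      sha256 = "12bgs9rxlq82hn5prl9qz2r4mwypink8hzdz4cki4k4cmkw961f5";
+    })
+  ];
+  postPatch = ''
+    patchShebangs ./linux/installer/bin/build-installpkg.sh \
+      ./linux/installer/common/sdk/createTarball.sh \
+      ./linux/installer/common/sdk/install.sh
+  '';
+
+  dontConfigure = true;
+
+  # SDK built with stackprotector produces broken enclaves which crash at runtime.
+  # Disable all to be safe, SDK build configures compiler mitigations manually.
+  hardeningDisable = [ "all" ];
+
+  nativeBuildInputs = [
+    cmake
+    git
+    ocaml
+    ocamlPackages.ocamlbuild
+    perl
+    python3
+    texinfo
+    nasm
+    file
+    ncurses
+    autoconf
+    automake
+  ];
+
+  buildInputs = [
+    libtool
+    openssl
+  ];
+
+  BINUTILS_DIR = "${binutils}/bin";
+
+  # Build external/ippcp_internal first. The Makefile is rewritten to make the
+  # build faster by splitting different versions of ipp-crypto builds and to
+  # avoid patching the Makefile for reproducibility issues.
+  buildPhase = let
+    ipp-crypto-no_mitigation = callPackage (import ./ipp-crypto.nix) {};
+
+    sgx-asm-pp = "python ${src}/build-scripts/sgx-asm-pp.py --assembler=nasm";
+
+    nasm-load = writeShellScript "nasm-load" "${sgx-asm-pp} --MITIGATION-CVE-2020-0551=LOAD $@";
+    ipp-crypto-cve_2020_0551_load = callPackage (import ./ipp-crypto.nix) {
+      extraCmakeFlags = [ "-DCMAKE_ASM_NASM_COMPILER=${nasm-load}" ];
+    };
+
+    nasm-cf = writeShellScript "nasm-cf" "${sgx-asm-pp} --MITIGATION-CVE-2020-0551=CF $@";
+    ipp-crypto-cve_2020_0551_cf = callPackage (import ./ipp-crypto.nix) {
+      extraCmakeFlags = [ "-DCMAKE_ASM_NASM_COMPILER=${nasm-cf}" ];
+    };
+  in ''
+    cd external/ippcp_internal
+
+    mkdir -p lib/linux/intel64/no_mitigation
+    cp ${ipp-crypto-no_mitigation}/lib/intel64/libippcp.a lib/linux/intel64/no_mitigation
+    chmod a+w lib/linux/intel64/no_mitigation/libippcp.a
+    cp ${ipp-crypto-no_mitigation}/include/* ./inc
+
+    mkdir -p lib/linux/intel64/cve_2020_0551_load
+    cp ${ipp-crypto-cve_2020_0551_load}/lib/intel64/libippcp.a lib/linux/intel64/cve_2020_0551_load
+    chmod a+w lib/linux/intel64/cve_2020_0551_load/libippcp.a
+
+    mkdir -p lib/linux/intel64/cve_2020_0551_cf
+    cp ${ipp-crypto-cve_2020_0551_cf}/lib/intel64/libippcp.a lib/linux/intel64/cve_2020_0551_cf
+    chmod a+w lib/linux/intel64/cve_2020_0551_cf/libippcp.a
+
+    rm -f ./inc/ippcp.h
+    patch ${ipp-crypto-no_mitigation}/include/ippcp.h -i ./inc/ippcp20u3.patch -o ./inc/ippcp.h
+
+    mkdir -p license
+    cp ${ipp-crypto-no_mitigation.src}/LICENSE ./license
+
+    # Build the SDK installation package.
+    cd ../..
+
+    # Nix patches make so that $(SHELL) defaults to "sh" instead of "/bin/sh".
+    # The build uses $(SHELL) as an argument to file -L which requires a path.
+    make SHELL=$SHELL sdk_install_pkg
+
+    runHook postBuild
+  '';
+
+  postBuild = ''
+    patchShebangs ./linux/installer/bin/sgx_linux_x64_sdk_*.bin
+  '';
+
+  installPhase = ''
+    echo -e 'no\n'$out | ./linux/installer/bin/sgx_linux_x64_sdk_*.bin
+  '';
+
+  dontFixup = true;
+
+  doInstallCheck = true;
+  installCheckInputs = [ which ];
+  installCheckPhase = ''
+    source $out/sgxsdk/environment
+    cd SampleCode/SampleEnclave
+    make SGX_MODE=SGX_SIM
+    ./app
+  '';
+
+  meta = with lib; {
+    description = "Intel SGX SDK for Linux built with IPP Crypto Library";
+    homepage = "https://github.com/intel/linux-sgx";
+    maintainers = with maintainers; [ sbellem arturcygan ];
+    platforms = [ "x86_64-linux" ];
+    license = with licenses; [ bsd3 ];
+  };
+}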
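Review bot: `buildPhase` at line 87 runs `runHook postBuild` but never `runHook preBuild`, and `installPhase` (line 137) and `installCheckPhase` (line 145) call no hooks at all, so any preBuild/preInstall/postInstall/preInstallCheck/postInstallCheck that an override sets is silently dropped; add `runHook preBuild` as the first line of the build script and wrap the other two phases in their `pre`/`post` hooks the same way. The two wrapper scripts at lines 92 and 97 pass `$@` unquoted, which re-splits any assembler argument containing whitespace before it reaches sgx-asm-pp.py; write `\"$@\"` inside the Nix string, e.g. `nasm-load = writeShellScript "nasm-load" "${sgx-asm-pp} --MITIGATION-CVE-2020-0551=LOAD \"$@\"";`. `dontFixup = true` at line 141 skips stripping, rpath cleanup and the usual output checks without a comment saying why, and `fetchurl` at line 4 is bound but never used; a one-line comment on the former and dropping the latter would tidy the file.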
+24
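--- a/pkgs/os-specific/linux/sgx-sdk/ipp-crypto.nix
+++ b/pkgs/os-specific/linux/sgx-sdk/ipp-crypto.nix
@@ -0,0 +1,24 @@
+{ lib
+, stdenv
+, fetchFromGitHub
+, cmake
+, python3
+, nasm
+, extraCmakeFlags ? []
+}:
+
+stdenv.mkDerivation rec {
+  pname = "ipp-crypto";
+  version = "2020_update3";
+
+  src = fetchFromGitHub {
+    owner = "intel";
+    repo = "ipp-crypto";
+    rev = "ipp-crypto_${version}";
+    sha256 = "02vlda6mlhbd12ljzdf65klpx4kmx1ylch9w3yllsiya4hwqzy4b";
+  };
+
+  cmakeFlags = [ "-DARCH=intel64" ] ++ extraCmakeFlags;
+
+  nativeBuildInputs = [ cmake python3 nasm ];
+}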
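Review bot: `lib` is bound at line 1 but never used, and the derivation has no `meta` block, so the library that default.nix builds three times carries no description, license or platform information of its own; add a `meta = with lib; { ... }` block with `description`, `homepage`, `license` and `platforms = [ "x86_64-linux" ]`, taking the license from the LICENSE file that default.nix already copies out of this source tree. The `extraCmakeFlags ? []` parameter at line 7 exists only so default.nix can inject mitigation-specific assembler wrappers via `-DCMAKE_ASM_NASM_COMPILER`; a short comment on it, such as `# appended to cmakeFlags; used by the SGX SDK to select a CVE-2020-0551 assembler wrapper`, would save the next reader a trip to the caller.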
+2
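--- a/pkgs/top-level/all-packages.nix
+++ b/pkgs/top-level/all-packages.nix
@@ -22473,6 +22473,8 @@
 
   seturgent = callPackage ../os-specific/linux/seturgent { };
 
+  sgx-sdk = callPackage ../os-specific/linux/sgx-sdk { };
+
   shadow = callPackage ../os-specific/linux/shadow { };
 
   sinit = callPackage ../os-specific/linux/sinit {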