+10 -2

nixos/doc/manual/from_md/release-notes/rl-2205.section.xml

··· 19 19 </section> 20 20 <section xml:id="sec-release-22.05-new-services"> 21 21 <title>New Services</title> 22 22 - <para> 23 23 - </para> 22 22 + <itemizedlist spacing="compact"> 23 23 + <listitem> 24 24 + <para> 25 25 + <link xlink:href="https://github.com/intel/linux-sgx#install-the-intelr-sgx-psw">aesmd</link>, 26 26 + the Intel SGX Architectural Enclave Service Manager. Available 27 27 + as 28 28 + <link linkend="opt-services.aesmd.enable">services.aesmd</link>. 29 29 + </para> 30 30 + </listitem> 31 31 + </itemizedlist> 24 32 </section> 25 33 <section xml:id="sec-release-22.05-incompatibilities"> 26 34 <title>Backward Incompatibilities</title>

+2

nixos/doc/manual/release-notes/rl-2205.section.md

··· 8 8 9 9 ## New Services {#sec-release-22.05-new-services} 10 10 11 11 + - [aesmd](https://github.com/intel/linux-sgx#install-the-intelr-sgx-psw), the Intel SGX Architectural Enclave Service Manager. Available as [services.aesmd](#opt-services.aesmd.enable). 12 12 + 11 13 ## Backward Incompatibilities {#sec-release-22.05-incompatibilities} 12 14 13 15 - `pkgs.ghc` now refers to `pkgs.targetPackages.haskellPackages.ghc`.

+47

nixos/modules/hardware/cpu/intel-sgx.nix

··· 1 1 + { config, lib, ... }: 2 2 + with lib; 3 3 + let 4 4 + cfg = config.hardware.cpu.intel.sgx.provision; 5 5 + defaultGroup = "sgx_prv"; 6 6 + in 7 7 + { 8 8 + options.hardware.cpu.intel.sgx.provision = { 9 9 + enable = mkEnableOption "access to the Intel SGX provisioning device"; 10 10 + user = mkOption { 11 11 + description = "Owner to assign to the SGX provisioning device."; 12 12 + type = types.str; 13 13 + default = "root"; 14 14 + }; 15 15 + group = mkOption { 16 16 + description = "Group to assign to the SGX provisioning device."; 17 17 + type = types.str; 18 18 + default = defaultGroup; 19 19 + }; 20 20 + mode = mkOption { 21 21 + description = "Mode to set for the SGX provisioning device."; 22 22 + type = types.str; 23 23 + default = "0660"; 24 24 + }; 25 25 + }; 26 26 + 27 27 + config = mkIf cfg.enable { 28 28 + assertions = [ 29 29 + { 30 30 + assertion = hasAttr cfg.user config.users.users; 31 31 + message = "Given user does not exist"; 32 32 + } 33 33 + { 34 34 + assertion = (cfg.group == defaultGroup) || (hasAttr cfg.group config.users.groups); 35 35 + message = "Given group does not exist"; 36 36 + } 37 37 + ]; 38 38 + 39 39 + users.groups = optionalAttrs (cfg.group == defaultGroup) { 40 40 + "${cfg.group}" = { }; 41 41 + }; 42 42 + 43 43 + services.udev.extraRules = '' 44 44 + SUBSYSTEM=="misc", KERNEL=="sgx_provision", OWNER="${cfg.user}", GROUP="${cfg.group}", MODE="${cfg.mode}" 45 45 + ''; 46 46 + }; 47 47 + }

+2

nixos/modules/module-list.nix

··· 45 45 ./hardware/ckb-next.nix 46 46 ./hardware/cpu/amd-microcode.nix 47 47 ./hardware/cpu/intel-microcode.nix 48 48 + ./hardware/cpu/intel-sgx.nix 48 49 ./hardware/corectrl.nix 49 50 ./hardware/digitalbitbox.nix 50 51 ./hardware/device-tree.nix ··· 928 929 ./services/search/kibana.nix 929 930 ./services/search/meilisearch.nix 930 931 ./services/search/solr.nix 932 932 + ./services/security/aesmd.nix 931 933 ./services/security/certmgr.nix 932 934 ./services/security/cfssl.nix 933 935 ./services/security/clamav.nix

+227

nixos/modules/services/security/aesmd.nix

··· 1 1 + { config, pkgs, lib, ... }: 2 2 + with lib; 3 3 + let 4 4 + cfg = config.services.aesmd; 5 5 + 6 6 + sgx-psw = pkgs.sgx-psw.override { inherit (cfg) debug; }; 7 7 + 8 8 + configFile = with cfg.settings; pkgs.writeText "aesmd.conf" ( 9 9 + concatStringsSep "\n" ( 10 10 + optional (whitelistUrl != null) "whitelist url = ${whitelistUrl}" ++ 11 11 + optional (proxy != null) "aesm proxy = ${proxy}" ++ 12 12 + optional (proxyType != null) "proxy type = ${proxyType}" ++ 13 13 + optional (defaultQuotingType != null) "default quoting type = ${defaultQuotingType}" ++ 14 14 + # Newline at end of file 15 15 + [ "" ] 16 16 + ) 17 17 + ); 18 18 + in 19 19 + { 20 20 + options.services.aesmd = { 21 21 + enable = mkEnableOption "Intel's Architectural Enclave Service Manager (AESM) for Intel SGX"; 22 22 + debug = mkOption { 23 23 + type = types.bool; 24 24 + default = false; 25 25 + description = "Whether to build the PSW package in debug mode."; 26 26 + }; 27 27 + settings = mkOption { 28 28 + description = "AESM configuration"; 29 29 + default = { }; 30 30 + type = types.submodule { 31 31 + options.whitelistUrl = mkOption { 32 32 + type = with types; nullOr str; 33 33 + default = null; 34 34 + example = "http://whitelist.trustedservices.intel.com/SGX/LCWL/Linux/sgx_white_list_cert.bin"; 35 35 + description = "URL to retrieve authorized Intel SGX enclave signers."; 36 36 + }; 37 37 + options.proxy = mkOption { 38 38 + type = with types; nullOr str; 39 39 + default = null; 40 40 + example = "http://proxy_url:1234"; 41 41 + description = "HTTP network proxy."; 42 42 + }; 43 43 + options.proxyType = mkOption { 44 44 + type = with types; nullOr (enum [ "default" "direct" "manual" ]); 45 45 + default = if (cfg.settings.proxy != null) then "manual" else null; 46 46 + example = "default"; 47 47 + description = '' 48 48 + Type of proxy to use. The <literal>default</literal> uses the system's default proxy. 49 49 + If <literal>direct</literal> is given, uses no proxy. 50 50 + A value of <literal>manual</literal> uses the proxy from 51 51 + <option>services.aesmd.settings.proxy</option>. 52 52 + ''; 53 53 + }; 54 54 + options.defaultQuotingType = mkOption { 55 55 + type = with types; nullOr (enum [ "ecdsa_256" "epid_linkable" "epid_unlinkable" ]); 56 56 + default = null; 57 57 + example = "ecdsa_256"; 58 58 + description = "Attestation quote type."; 59 59 + }; 60 60 + }; 61 61 + }; 62 62 + }; 63 63 + 64 64 + config = mkIf cfg.enable { 65 65 + assertions = [{ 66 66 + assertion = !(config.boot.specialFileSystems."/dev".options ? "noexec"); 67 67 + message = "SGX requires exec permission for /dev"; 68 68 + }]; 69 69 + 70 70 + hardware.cpu.intel.sgx.provision.enable = true; 71 71 + 72 72 + systemd.services.aesmd = 73 73 + let 74 74 + storeAesmFolder = "${sgx-psw}/aesm"; 75 75 + # Hardcoded path AESM_DATA_FOLDER in psw/ae/aesm_service/source/oal/linux/aesm_util.cpp 76 76 + aesmDataFolder = "/var/opt/aesmd/data"; 77 77 + aesmStateDirSystemd = "%S/aesmd"; 78 78 + in 79 79 + { 80 80 + description = "Intel Architectural Enclave Service Manager"; 81 81 + wantedBy = [ "multi-user.target" ]; 82 82 + 83 83 + after = [ 84 84 + "auditd.service" 85 85 + "network.target" 86 86 + "syslog.target" 87 87 + ]; 88 88 + 89 89 + environment = { 90 90 + NAME = "aesm_service"; 91 91 + AESM_PATH = storeAesmFolder; 92 92 + LD_LIBRARY_PATH = storeAesmFolder; 93 93 + }; 94 94 + 95 95 + # Make sure any of the SGX application enclave devices is available 96 96 + unitConfig.AssertPathExists = [ 97 97 + # legacy out-of-tree driver 98 98 + "|/dev/isgx" 99 99 + # DCAP driver 100 100 + "|/dev/sgx/enclave" 101 101 + # in-tree driver 102 102 + "|/dev/sgx_enclave" 103 103 + ]; 104 104 + 105 105 + serviceConfig = rec { 106 106 + ExecStartPre = pkgs.writeShellScript "copy-aesmd-data-files.sh" '' 107 107 + set -euo pipefail 108 108 + whiteListFile="${aesmDataFolder}/white_list_cert_to_be_verify.bin" 109 109 + if [[ ! -f "$whiteListFile" ]]; then 110 110 + ${pkgs.coreutils}/bin/install -m 644 -D \ 111 111 + "${storeAesmFolder}/data/white_list_cert_to_be_verify.bin" \ 112 112 + "$whiteListFile" 113 113 + fi 114 114 + ''; 115 115 + ExecStart = "${sgx-psw}/bin/aesm_service --no-daemon"; 116 116 + ExecReload = ''${pkgs.coreutils}/bin/kill -SIGHUP "$MAINPID"''; 117 117 + 118 118 + Restart = "on-failure"; 119 119 + RestartSec = "15s"; 120 120 + 121 121 + DynamicUser = true; 122 122 + Group = "sgx"; 123 123 + SupplementaryGroups = [ 124 124 + config.hardware.cpu.intel.sgx.provision.group 125 125 + ]; 126 126 + 127 127 + Type = "simple"; 128 128 + 129 129 + WorkingDirectory = storeAesmFolder; 130 130 + StateDirectory = "aesmd"; 131 131 + StateDirectoryMode = "0700"; 132 132 + RuntimeDirectory = "aesmd"; 133 133 + RuntimeDirectoryMode = "0750"; 134 134 + 135 135 + # Hardening 136 136 + 137 137 + # chroot into the runtime directory 138 138 + RootDirectory = "%t/aesmd"; 139 139 + BindReadOnlyPaths = [ 140 140 + builtins.storeDir 141 141 + # Hardcoded path AESM_CONFIG_FILE in psw/ae/aesm_service/source/utils/aesm_config.cpp 142 142 + "${configFile}:/etc/aesmd.conf" 143 143 + ]; 144 144 + BindPaths = [ 145 145 + # Hardcoded path CONFIG_SOCKET_PATH in psw/ae/aesm_service/source/core/ipc/SocketConfig.h 146 146 + "%t/aesmd:/var/run/aesmd" 147 147 + "%S/aesmd:/var/opt/aesmd" 148 148 + ]; 149 149 + 150 150 + # PrivateDevices=true will mount /dev noexec which breaks AESM 151 151 + PrivateDevices = false; 152 152 + DevicePolicy = "closed"; 153 153 + DeviceAllow = [ 154 154 + # legacy out-of-tree driver 155 155 + "/dev/isgx rw" 156 156 + # DCAP driver 157 157 + "/dev/sgx rw" 158 158 + # in-tree driver 159 159 + "/dev/sgx_enclave rw" 160 160 + "/dev/sgx_provision rw" 161 161 + ]; 162 162 + 163 163 + # Requires Internet access for attestation 164 164 + PrivateNetwork = false; 165 165 + 166 166 + RestrictAddressFamilies = [ 167 167 + # Allocates the socket /var/run/aesmd/aesm.socket 168 168 + "AF_UNIX" 169 169 + # Uses the HTTP protocol to initialize some services 170 170 + "AF_INET" 171 171 + "AF_INET6" 172 172 + ]; 173 173 + 174 174 + # True breaks stuff 175 175 + MemoryDenyWriteExecute = false; 176 176 + 177 177 + # needs the ipc syscall in order to run 178 178 + SystemCallFilter = [ 179 179 + "@system-service" 180 180 + "~@aio" 181 181 + "~@chown" 182 182 + "~@clock" 183 183 + "~@cpu-emulation" 184 184 + "~@debug" 185 185 + "~@keyring" 186 186 + "~@memlock" 187 187 + "~@module" 188 188 + "~@mount" 189 189 + "~@privileged" 190 190 + "~@raw-io" 191 191 + "~@reboot" 192 192 + "~@resources" 193 193 + "~@setuid" 194 194 + "~@swap" 195 195 + "~@sync" 196 196 + "~@timer" 197 197 + ]; 198 198 + SystemCallArchitectures = "native"; 199 199 + SystemCallErrorNumber = "EPERM"; 200 200 + 201 201 + CapabilityBoundingSet = ""; 202 202 + KeyringMode = "private"; 203 203 + LockPersonality = true; 204 204 + NoNewPrivileges = true; 205 205 + NotifyAccess = "none"; 206 206 + PrivateMounts = true; 207 207 + PrivateTmp = true; 208 208 + PrivateUsers = true; 209 209 + ProcSubset = "pid"; 210 210 + ProtectClock = true; 211 211 + ProtectControlGroups = true; 212 212 + ProtectHome = true; 213 213 + ProtectHostname = true; 214 214 + ProtectKernelLogs = true; 215 215 + ProtectKernelModules = true; 216 216 + ProtectKernelTunables = true; 217 217 + ProtectProc = "invisible"; 218 218 + ProtectSystem = "strict"; 219 219 + RemoveIPC = true; 220 220 + RestrictNamespaces = true; 221 221 + RestrictRealtime = true; 222 222 + RestrictSUIDSGID = true; 223 223 + UMask = "0066"; 224 224 + }; 225 225 + }; 226 226 + }; 227 227 + }

+62

nixos/tests/aesmd.nix

··· 1 1 + import ./make-test-python.nix ({ pkgs, lib, ... }: { 2 2 + name = "aesmd"; 3 3 + meta = { 4 4 + maintainers = with lib.maintainers; [ veehaitch ]; 5 5 + }; 6 6 + 7 7 + machine = { lib, ... }: { 8 8 + services.aesmd = { 9 9 + enable = true; 10 10 + settings = { 11 11 + defaultQuotingType = "ecdsa_256"; 12 12 + proxyType = "direct"; 13 13 + whitelistUrl = "http://nixos.org"; 14 14 + }; 15 15 + }; 16 16 + 17 17 + # Should have access to the AESM socket 18 18 + users.users."sgxtest" = { 19 19 + isNormalUser = true; 20 20 + extraGroups = [ "sgx" ]; 21 21 + }; 22 22 + 23 23 + # Should NOT have access to the AESM socket 24 24 + users.users."nosgxtest".isNormalUser = true; 25 25 + 26 26 + # We don't have a real SGX machine in NixOS tests 27 27 + systemd.services.aesmd.unitConfig.AssertPathExists = lib.mkForce [ ]; 28 28 + }; 29 29 + 30 30 + testScript = '' 31 31 + with subtest("aesmd.service starts"): 32 32 + machine.wait_for_unit("aesmd.service") 33 33 + status, main_pid = machine.systemctl("show --property MainPID --value aesmd.service") 34 34 + assert status == 0, "Could not get MainPID of aesmd.service" 35 35 + main_pid = main_pid.strip() 36 36 + 37 37 + with subtest("aesmd.service runtime directory permissions"): 38 38 + runtime_dir = "/run/aesmd"; 39 39 + res = machine.succeed(f"stat -c '%a %U %G' {runtime_dir}").strip() 40 40 + assert "750 aesmd sgx" == res, f"{runtime_dir} does not have the expected permissions: {res}" 41 41 + 42 42 + with subtest("aesm.socket available on host"): 43 43 + socket_path = "/var/run/aesmd/aesm.socket" 44 44 + machine.wait_until_succeeds(f"test -S {socket_path}") 45 45 + machine.succeed(f"test 777 -eq $(stat -c '%a' {socket_path})") 46 46 + for op in [ "-r", "-w", "-x" ]: 47 47 + machine.succeed(f"sudo -u sgxtest test {op} {socket_path}") 48 48 + machine.fail(f"sudo -u nosgxtest test {op} {socket_path}") 49 49 + 50 50 + with subtest("Copies white_list_cert_to_be_verify.bin"): 51 51 + whitelist_path = "/var/opt/aesmd/data/white_list_cert_to_be_verify.bin" 52 52 + whitelist_perms = machine.succeed( 53 53 + f"nsenter -m -t {main_pid} ${pkgs.coreutils}/bin/stat -c '%a' {whitelist_path}" 54 54 + ).strip() 55 55 + assert "644" == whitelist_perms, f"white_list_cert_to_be_verify.bin has permissions {whitelist_perms}" 56 56 + 57 57 + with subtest("Writes and binds aesm.conf in service namespace"): 58 58 + aesmd_config = machine.succeed(f"nsenter -m -t {main_pid} ${pkgs.coreutils}/bin/cat /etc/aesmd.conf") 59 59 + 60 60 + assert aesmd_config == "whitelist url = http://nixos.org\nproxy type = direct\ndefault quoting type = ecdsa_256\n", "aesmd.conf differs" 61 61 + ''; 62 62 + })

+1

nixos/tests/all-tests.nix

··· 23 23 { 24 24 _3proxy = handleTest ./3proxy.nix {}; 25 25 acme = handleTest ./acme.nix {}; 26 26 + aesmd = handleTest ./aesmd.nix {}; 26 27 agda = handleTest ./agda.nix {}; 27 28 airsonic = handleTest ./airsonic.nix {}; 28 29 amazon-init-shell = handleTest ./amazon-init-shell.nix {};

+5 -3

pkgs/os-specific/linux/sgx-sdk/default.nix pkgs/os-specific/linux/sgx/sdk/default.nix

··· 21 21 , validatePkgConfig 22 22 , writeShellScript 23 23 , writeText 24 24 + , debug ? false 24 25 }: 25 25 - with lib; 26 26 stdenv.mkDerivation rec { 27 27 pname = "sgx-sdk"; 28 28 version = "2.14.100.2"; 29 29 30 30 - versionTag = concatStringsSep "." (take 2 (splitVersion version)); 30 30 + versionTag = lib.concatStringsSep "." (lib.take 2 (lib.splitVersion version)); 31 31 32 32 src = fetchFromGitHub { 33 33 owner = "intel"; ··· 140 140 141 141 buildFlags = [ 142 142 "sdk_install_pkg" 143 143 + ] ++ lib.optionals debug [ 144 144 + "DEBUG=1" 143 145 ]; 144 146 145 147 enableParallelBuilding = true; ··· 264 266 265 267 passthru.tests = callPackage ./samples.nix { }; 266 268 267 267 - meta = { 269 269 + meta = with lib; { 268 270 description = "Intel SGX SDK for Linux built with IPP Crypto Library"; 269 271 homepage = "https://github.com/intel/linux-sgx"; 270 272 maintainers = with maintainers; [ sbellem arturcygan veehaitch ];

pkgs/os-specific/linux/sgx-sdk/ipp-crypto.nix pkgs/os-specific/linux/sgx/sdk/ipp-crypto.nix

pkgs/os-specific/linux/sgx-sdk/samples.nix pkgs/os-specific/linux/sgx/sdk/samples.nix

+190

pkgs/os-specific/linux/sgx/psw/default.nix

··· 1 1 + { stdenv 2 2 + , lib 3 3 + , fetchurl 4 4 + , cmake 5 5 + , coreutils 6 6 + , curl 7 7 + , file 8 8 + , glibc 9 9 + , makeWrapper 10 10 + , nixosTests 11 11 + , protobuf 12 12 + , python3 13 13 + , sgx-sdk 14 14 + , shadow 15 15 + , systemd 16 16 + , util-linux 17 17 + , which 18 18 + , debug ? false 19 19 + }: 20 20 + stdenv.mkDerivation rec { 21 21 + inherit (sgx-sdk) version versionTag src; 22 22 + pname = "sgx-psw"; 23 23 + 24 24 + postUnpack = 25 25 + let 26 26 + ae.prebuilt = fetchurl { 27 27 + url = "https://download.01.org/intel-sgx/sgx-linux/${versionTag}/prebuilt_ae_${versionTag}.tar.gz"; 28 28 + hash = "sha256-nGKZEpT2Mx0DLgqjv9qbZqBt1pQaSHcnA0K6nHma3sk"; 29 29 + }; 30 30 + dcap = rec { 31 31 + version = "1.11"; 32 32 + filename = "prebuilt_dcap_${version}.tar.gz"; 33 33 + prebuilt = fetchurl { 34 34 + url = "https://download.01.org/intel-sgx/sgx-dcap/${version}/linux/${filename}"; 35 35 + hash = "sha256-ShGScS4yNLki04RNPxxLvqzGmy4U1L0gVETvfAo8w9M="; 36 36 + }; 37 37 + }; 38 38 + in 39 39 + sgx-sdk.postUnpack + '' 40 40 + # Make sure we use the correct version of prebuilt DCAP 41 41 + grep -q 'ae_file_name=${dcap.filename}' "$src/external/dcap_source/QuoteGeneration/download_prebuilt.sh" \ 42 42 + || (echo "Could not find expected prebuilt DCAP ${dcap.filename} in linux-sgx source" >&2 && exit 1) 43 43 + 44 44 + tar -zxf ${ae.prebuilt} -C $sourceRoot/ 45 45 + tar -zxf ${dcap.prebuilt} -C $sourceRoot/external/dcap_source/QuoteGeneration/ 46 46 + ''; 47 47 + 48 48 + nativeBuildInputs = [ 49 49 + cmake 50 50 + file 51 51 + makeWrapper 52 52 + python3 53 53 + sgx-sdk 54 54 + which 55 55 + ]; 56 56 + 57 57 + buildInputs = [ 58 58 + curl 59 59 + protobuf 60 60 + ]; 61 61 + 62 62 + hardeningDisable = lib.optionals debug [ 63 63 + "fortify" 64 64 + ]; 65 65 + 66 66 + postPatch = '' 67 67 + # https://github.com/intel/linux-sgx/pull/730 68 68 + substituteInPlace buildenv.mk --replace '/bin/cp' 'cp' 69 69 + substituteInPlace psw/ae/aesm_service/source/CMakeLists.txt \ 70 70 + --replace '/usr/bin/getconf' 'getconf' 71 71 + 72 72 + # https://github.com/intel/SGXDataCenterAttestationPrimitives/pull/205 73 73 + substituteInPlace ./external/dcap_source/QuoteGeneration/buildenv.mk \ 74 74 + --replace '/bin/cp' 'cp' 75 75 + substituteInPlace external/dcap_source/tools/SGXPlatformRegistration/Makefile \ 76 76 + --replace '/bin/cp' 'cp' 77 77 + substituteInPlace external/dcap_source/tools/SGXPlatformRegistration/buildenv.mk \ 78 78 + --replace '/bin/cp' 'cp' 79 79 + 80 80 + patchShebangs \ 81 81 + linux/installer/bin/build-installpkg.sh \ 82 82 + linux/installer/common/psw/createTarball.sh \ 83 83 + linux/installer/common/psw/install.sh 84 84 + ''; 85 85 + 86 86 + dontUseCmakeConfigure = true; 87 87 + 88 88 + # Randomly fails if enabled 89 89 + enableParallelBuilding = false; 90 90 + 91 91 + buildFlags = [ 92 92 + "psw_install_pkg" 93 93 + ] ++ lib.optionals debug [ 94 94 + "DEBUG=1" 95 95 + ]; 96 96 + 97 97 + installFlags = [ 98 98 + "-C linux/installer/common/psw/output" 99 99 + "DESTDIR=$(TMPDIR)/install" 100 100 + ]; 101 101 + 102 102 + postInstall = '' 103 103 + installDir=$TMPDIR/install 104 104 + sgxPswDir=$installDir/opt/intel/sgxpsw 105 105 + 106 106 + mv $installDir/usr/lib64/ $out/lib/ 107 107 + ln -sr $out/lib $out/lib64 108 108 + 109 109 + # Install udev rules to lib/udev/rules.d 110 110 + mv $sgxPswDir/udev/ $out/lib/ 111 111 + 112 112 + # Install example AESM config 113 113 + mkdir $out/etc/ 114 114 + mv $sgxPswDir/aesm/conf/aesmd.conf $out/etc/ 115 115 + rmdir $sgxPswDir/aesm/conf/ 116 116 + 117 117 + # Delete init service 118 118 + rm $sgxPswDir/aesm/aesmd.conf 119 119 + 120 120 + # Move systemd services 121 121 + mkdir -p $out/lib/systemd/system/ 122 122 + mv $sgxPswDir/aesm/aesmd.service $out/lib/systemd/system/ 123 123 + mv $sgxPswDir/remount-dev-exec.service $out/lib/systemd/system/ 124 124 + 125 125 + # Move misc files 126 126 + mkdir $out/share/ 127 127 + mv $sgxPswDir/licenses $out/share/ 128 128 + 129 129 + # Remove unnecessary files 130 130 + rm $sgxPswDir/{cleanup.sh,startup.sh} 131 131 + rm -r $sgxPswDir/scripts 132 132 + 133 133 + mv $sgxPswDir/aesm/ $out/ 134 134 + 135 135 + mkdir $out/bin 136 136 + makeWrapper $out/aesm/aesm_service $out/bin/aesm_service \ 137 137 + --prefix LD_LIBRARY_PATH : ${lib.makeLibraryPath [ protobuf ]}:$out/aesm \ 138 138 + --run "cd $out/aesm" 139 139 + 140 140 + # Make sure we didn't forget to handle any files 141 141 + rmdir $sgxPswDir || (echo "Error: The directory $installDir still contains unhandled files: $(ls -A $installDir)" >&2 && exit 1) 142 142 + ''; 143 143 + 144 144 + # Most—if not all—of those fixups are not relevant for NixOS as we have our own 145 145 + # NixOS module which is based on those files without relying on them. Still, it 146 146 + # is helpful to have properly patched versions for non-NixOS distributions. 147 147 + postFixup = '' 148 148 + header "Fixing aesmd.service" 149 149 + substituteInPlace $out/lib/systemd/system/aesmd.service \ 150 150 + --replace '@aesm_folder@' \ 151 151 + "$out/aesm" \ 152 152 + --replace 'Type=forking' \ 153 153 + 'Type=simple' \ 154 154 + --replace "ExecStart=$out/aesm/aesm_service" \ 155 155 + "ExecStart=$out/bin/aesm_service --no-daemon"\ 156 156 + --replace "/bin/mkdir" \ 157 157 + "${coreutils}/bin/mkdir" \ 158 158 + --replace "/bin/chown" \ 159 159 + "${coreutils}/bin/chown" \ 160 160 + --replace "/bin/chmod" \ 161 161 + "${coreutils}/bin/chmod" \ 162 162 + --replace "/bin/kill" \ 163 163 + "${coreutils}/bin/kill" 164 164 + 165 165 + header "Fixing remount-dev-exec.service" 166 166 + substituteInPlace $out/lib/systemd/system/remount-dev-exec.service \ 167 167 + --replace '/bin/mount' \ 168 168 + "${util-linux}/bin/mount" 169 169 + 170 170 + header "Fixing linksgx.sh" 171 171 + # https://github.com/intel/linux-sgx/pull/736 172 172 + substituteInPlace $out/aesm/linksgx.sh \ 173 173 + --replace '/usr/bin/getent' \ 174 174 + '${glibc.bin}/bin/getent' \ 175 175 + --replace '/usr/sbin/usermod' \ 176 176 + '${shadow}/bin/usermod' 177 177 + ''; 178 178 + 179 179 + passthru.tests = { 180 180 + service = nixosTests.aesmd; 181 181 + }; 182 182 + 183 183 + meta = with lib; { 184 184 + description = "Intel SGX Architectural Enclave Service Manager"; 185 185 + homepage = "https://github.com/intel/linux-sgx"; 186 186 + maintainers = with maintainers; [ veehaitch citadelcore ]; 187 187 + platforms = [ "x86_64-linux" ]; 188 188 + license = with licenses; [ bsd3 ]; 189 189 + }; 190 190 + }

+3 -1

pkgs/top-level/all-packages.nix

··· 22737 22737 22738 22738 seturgent = callPackage ../os-specific/linux/seturgent { }; 22739 22739 22740 22740 - sgx-sdk = callPackage ../os-specific/linux/sgx-sdk { }; 22740 22740 + sgx-sdk = callPackage ../os-specific/linux/sgx/sdk { }; 22741 22741 + 22742 22742 + sgx-psw = callPackage ../os-specific/linux/sgx/psw { }; 22741 22743 22742 22744 shadow = callPackage ../os-specific/linux/shadow { }; 22743 22745