Merge pull request #310179 from phlip9/phlip9/linux-sgx-2.24

sgx-sdk: 2.23 -> 2.24

authored by Peder Bergebakken Sundt and committed by GitHub b758deb6 cd207d70

+56 -47
+6 -6
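--- a/pkgs/os-specific/linux/sgx/azure-dcap-client/default.nix
+++ b/pkgs/os-specific/linux/sgx/azure-dcap-client/default.nix
@@ -16,7 +16,7 @@
 find "$out" -mindepth 1 -delete
 cp ${lib.concatStringsSep " " list} "$out/"
 '';
-headers = linkFarmFromDrvs "azure-dcpa-client-intel-headers" [
+headers = linkFarmFromDrvs "azure-dcap-client-intel-headers" [
 (fetchFromGitHub rec {
 name = "${repo}-headers";
 owner = "intel";
@@ -69,8 +69,8 @@
 find -L '${headers}' -type f -exec ln -s {} src/Linux/ext/intel \;
 
 substitute src/Linux/Makefile{.in,} \
---replace '##CURLINC##' '${curl.dev}/include/curl/' \
---replace '$(TEST_SUITE): $(PROVIDER_LIB) $(TEST_SUITE_OBJ)' '$(TEST_SUITE): $(TEST_SUITE_OBJ)'
+--replace-fail '##CURLINC##' '${curl.dev}/include/curl/' \
+--replace-fail '$(TEST_SUITE): $(PROVIDER_LIB) $(TEST_SUITE_OBJ)' '$(TEST_SUITE): $(TEST_SUITE_OBJ)'
 '';
 
 env.NIX_CFLAGS_COMPILE = "-Wno-deprecated-declarations";
@@ -84,11 +84,11 @@
 # $(nix-build -A sgx-azure-dcap-client.tests.suite)/bin/tests
 passthru.tests.suite = callPackage ./test-suite.nix { };
 
-meta = with lib; {
+meta = {
 description = "Interfaces between SGX SDKs and the Azure Attestation SGX Certification Cache";
 homepage = "https://github.com/microsoft/azure-dcap-client";
-maintainers = with maintainers; [ phlip9 trundle veehaitch ];
+maintainers = with lib.maintainers; [ phlip9 trundle veehaitch ];
 platforms = [ "x86_64-linux" ];
-license = [ licenses.mit ];
+license = [ lib.licenses.mit ];
 };
 }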
+19 -19
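--- a/pkgs/os-specific/linux/sgx/psw/default.nix
+++ b/pkgs/os-specific/linux/sgx/psw/default.nix
@@ -29,11 +29,11 @@
 # Also include the Data Center Attestation Primitives (DCAP) platform
 # enclaves.
 dcap = rec {
-version = "1.20";
+version = "1.21";
 filename = "prebuilt_dcap_${version}.tar.gz";
 prebuilt = fetchurl {
 url = "https://download.01.org/intel-sgx/sgx-dcap/${version}/linux/$(unknown)";
-hash = "sha256-nPsI89KSBA3cSNTMWyktZP5dkf+BwL3NZ4MuUf6G98o=";
+hash = "sha256-/PPD2MyNxoCwzNljIFcpkFvItXbyvymsJ7+Uf4IyZuk=";
 };
 };
 in
@@ -158,31 +158,31 @@
 # is helpful to have properly patched versions for non-NixOS distributions.
 echo "Fixing aesmd.service"
 substituteInPlace $out/lib/systemd/system/aesmd.service \
---replace '@aesm_folder@' \
-"$out/aesm" \
---replace 'Type=forking' \
-'Type=simple' \
---replace "ExecStart=$out/aesm/aesm_service" \
-"ExecStart=$out/bin/aesm_service --no-daemon"\
---replace "/bin/mkdir" \
-"${coreutils}/bin/mkdir" \
---replace "/bin/chown" \
-"${coreutils}/bin/chown" \
---replace "/bin/chmod" \
-"${coreutils}/bin/chmod" \
---replace "/bin/kill" \
-"${coreutils}/bin/kill"
+--replace-fail '@aesm_folder@' \
+"$out/aesm" \
+--replace-fail 'Type=forking' \
+'Type=simple' \
+--replace-fail "ExecStart=$out/aesm/aesm_service" \
+"ExecStart=$out/bin/aesm_service --no-daemon"\
+--replace-fail "/bin/mkdir" \
+"${coreutils}/bin/mkdir" \
+--replace-fail "/bin/chown" \
+"${coreutils}/bin/chown" \
+--replace-fail "/bin/chmod" \
+"${coreutils}/bin/chmod" \
+--replace-fail "/bin/kill" \
+"${coreutils}/bin/kill"
 '';
 
 passthru.tests = {
 service = nixosTests.aesmd;
 };
 
-meta = with lib; {
+meta = {
 description = "Intel SGX Architectural Enclave Service Manager";
 homepage = "https://github.com/intel/linux-sgx";
-maintainers = with maintainers; [ phlip9 veehaitch citadelcore ];
+maintainers = with lib.maintainers; [ phlip9 veehaitch citadelcore ];
 platforms = [ "x86_64-linux" ];
-license = with licenses; [ bsd3 ];
+license = [ lib.licenses.bsd3 ];
 };
 }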
+12 -9
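--- a/pkgs/os-specific/linux/sgx/sdk/default.nix
+++ b/pkgs/os-specific/linux/sgx/sdk/default.nix
@@ -26,15 +26,15 @@
 stdenv.mkDerivation rec {
 pname = "sgx-sdk";
 # Version as given in se_version.h
-version = "2.23.100.2";
+version = "2.24.100.3";
 # Version as used in the Git tag
-versionTag = "2.23";
+versionTag = "2.24";
 
 src = fetchFromGitHub {
 owner = "intel";
 repo = "linux-sgx";
 rev = "sgx_${versionTag}";
-hash = "sha256-i+fE6xKiuljG8LY8TIHgrW15DVpdp46bZdNo/BjgT/I=";
+hash = "sha256-1urEdfMKNUqqyJ3wQ10+tvtlRuAKELpaCWIOzjCbYKw=";
 fetchSubmodules = true;
 };
 
@@ -121,8 +121,6 @@
 
 pushd 'external/ippcp_internal'
 
-cp -r ${ipp-crypto-no_mitigation}/include/. inc/
-
 install -D -m a+rw ${ipp-crypto-no_mitigation}/lib/intel64/libippcp.a \
 lib/linux/intel64/no_mitigation/libippcp.a
 install -D -m a+rw ${ipp-crypto-cve_2020_0551_load}/lib/intel64/libippcp.a \
@@ -130,8 +128,13 @@
 install -D -m a+rw ${ipp-crypto-cve_2020_0551_cf}/lib/intel64/libippcp.a \
 lib/linux/intel64/cve_2020_0551_cf/libippcp.a
 
+cp -r ${ipp-crypto-no_mitigation}/include/* inc/
+
+mkdir inc/ippcp
+cp ${ipp-crypto-no_mitigation}/include/fips_cert.h inc/ippcp/
+
 rm inc/ippcp.h
-patch ${ipp-crypto-no_mitigation}/include/ippcp.h -i inc/ippcp21u7.patch -o inc/ippcp.h
+patch ${ipp-crypto-no_mitigation}/include/ippcp.h -i ./inc/ippcp21u11.patch -o ./inc/ippcp.h
 
 install -D ${ipp-crypto-no_mitigation.src}/LICENSE license/LICENSE
 
@@ -285,11 +288,11 @@
 '';
 };
 
-meta = with lib; {
+meta = {
 description = "Intel SGX SDK for Linux built with IPP Crypto Library";
 homepage = "https://github.com/intel/linux-sgx";
-maintainers = with maintainers; [ phlip9 sbellem arturcygan veehaitch ];
+maintainers = with lib.maintainers; [ phlip9 sbellem arturcygan veehaitch ];
 platforms = [ "x86_64-linux" ];
-license = with licenses; [ bsd3 ];
+license = [ lib.licenses.bsd3 ];
 };
 }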
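Review bot: The new `cp -r ${ipp-crypto-no_mitigation}/include/* inc/`, `mkdir inc/ippcp`, `cp … fips_cert.h inc/ippcp/` and `patch … -i ./inc/ippcp21u11.patch` lines in the third hunk are silently coupled to ipp-crypto.nix: the patch name presumably encodes the 2021.11 header layout that file now pins, and fips_cert.h is only there because that build is configured with `-DIPPCP_FIPS_MODE=on`, yet nothing in this file records either dependency, so the next bump of one file without the other fails late in the build or patches the wrong header. I would add above the `cp -r` line `# ippcp21u11.patch ships with linux-sgx and targets the ipp-crypto 2021.11 headers; bump ipp-crypto.nix in lockstep` and above the `mkdir` line `# fips_cert.h only exists when ipp-crypto is built with -DIPPCP_FIPS_MODE=on`. The bare `mkdir inc/ippcp` also aborts the build if upstream ever ships an `ippcp/` subdirectory in include/ (which the preceding `cp -r include/*` would have created); `mkdir -p inc/ippcp` keeps the intent without that failure mode. The shell phase these lines belong to starts and ends outside the hunk.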
+5 -3
pkgs/os-specific/linux/sgx/sdk/disable-downloads.patch
··· 1 1 diff --git a/Makefile b/Makefile 2 - index 32433051..2e480efb 100644 2 + index 73502a7..f24bd11 100644 3 3 --- a/Makefile 4 4 +++ b/Makefile 5 - @@ -50,8 +50,8 @@ tips: 5 + @@ -50,18 +50,18 @@ tips: 6 6 preparation: 7 7 # As SDK build needs to clone and patch openmp, we cannot support the mode that download the source from github as zip. 8 8 # Only enable the download from git ··· 12 12 + # ./external/dcap_source/QuoteVerification/prepare_sgxssl.sh nobuild 13 13 cd external/openmp/openmp_code && git apply ../0001-Enable-OpenMP-in-SGX.patch >/dev/null 2>&1 || git apply ../0001-Enable-OpenMP-in-SGX.patch --check -R 14 14 cd external/protobuf/protobuf_code && git apply ../sgx_protobuf.patch >/dev/null 2>&1 || git apply ../sgx_protobuf.patch --check -R 15 + - cd external/protobuf/protobuf_code && git submodule update --init --recursive && cd third_party/abseil-cpp && git apply ../../../sgx_abseil.patch>/dev/null 2>&1 || git apply ../../../sgx_abseil.patch --check -R 16 + + cd external/protobuf/protobuf_code && cd third_party/abseil-cpp && git apply ../../../sgx_abseil.patch>/dev/null 2>&1 || git apply ../../../sgx_abseil.patch --check -R 15 17 ./external/sgx-emm/create_symlink.sh 16 - @@ -59,8 +59,8 @@ preparation: 18 + cd external/mbedtls/mbedtls_code && git apply ../sgx_mbedtls.patch >/dev/null 2>&1 || git apply ../sgx_mbedtls.patch --check -R 17 19 cd external/cbor && cp -r libcbor sgx_libcbor 18 20 cd external/cbor/libcbor && git apply ../raw_cbor.patch >/dev/null 2>&1 || git apply ../raw_cbor.patch --check -R 19 21 cd external/cbor/sgx_libcbor && git apply ../sgx_cbor.patch >/dev/null 2>&1 || git apply ../sgx_cbor.patch --check -R
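Review bot: The rewritten abseil line on the new side of the patch (`cd external/protobuf/protobuf_code && cd third_party/abseil-cpp && git apply …`) drops upstream's `git submodule update --init --recursive`, which is only correct because sdk/default.nix in this PR fetches the source with `fetchSubmodules = true`; the patch file does not record that dependency, and the next rebase against an upstream Makefile that adds another fetch step will be hard to review without it. Patch files accept free text before the first `diff --git`, so I would add a short header there: `Keep 'make preparation' offline: the sgxssl/dcap prepare scripts are commented out and the abseil submodule fetch is dropped because the Nix source is fetched with fetchSubmodules = true.` The widened hunk header (`@@ -50,8` to `@@ -50,18`) looks like it tracks an upstream Makefile change rather than a local one, so I have no objection to it.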
+7 -3
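--- a/pkgs/os-specific/linux/sgx/sdk/ipp-crypto.nix
+++ b/pkgs/os-specific/linux/sgx/sdk/ipp-crypto.nix
@@ -8,16 +8,20 @@
 }:
 gcc11Stdenv.mkDerivation rec {
 pname = "ipp-crypto";
-version = "2021.10.0";
+version = "2021.11.1";
 
 src = fetchFromGitHub {
 owner = "intel";
 repo = "ipp-crypto";
 rev = "ippcp_${version}";
-hash = "sha256-DfXsJ+4XqyjCD+79LUD53Cx8D46o1a4fAZa2UxGI1Xg=";
+hash = "sha256-OgNrrPE8jFVD/hcv7A43Bno96r4Z/lb7/SE6TEL7RDI=";
 };
 
-cmakeFlags = [ "-DARCH=intel64" ] ++ extraCmakeFlags;
+cmakeFlags = [
+"-DARCH=intel64"
+# sgx-sdk now requires FIPS-compliance mode turned on
+"-DIPPCP_FIPS_MODE=on"
+] ++ extraCmakeFlags;
 
 nativeBuildInputs = [
 cmake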
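Review bot: The comment `# sgx-sdk now requires FIPS-compliance mode turned on` above `-DIPPCP_FIPS_MODE=on` records the constraint but not its scope, which is exactly what a reader auditing a FIPS claim will ask about. Enabling the flag builds ipp-crypto's FIPS-compliance API (sdk/default.nix in this PR copies the resulting fips_cert.h into inc/ippcp/); it does not make the library a validated FIPS module, and since the flag sits in the shared list ahead of `extraCmakeFlags` it presumably now applies to every ipp-crypto variant the sdk builds. I would reword it to `# sgx-sdk >= 2.24 links against ipp-crypto's FIPS-compliance API (fips_cert.h); this enables that API, it is not a validated FIPS build` so the version that introduced the requirement is recorded and the line can be revisited at the next bump.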
+7 -7
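--- a/pkgs/os-specific/linux/sgx/ssl/default.nix
+++ b/pkgs/os-specific/linux/sgx/ssl/default.nix
@@ -10,7 +10,7 @@
 }:
 let
 sgxVersion = sgx-sdk.versionTag;
-opensslVersion = "3.0.12";
+opensslVersion = "3.0.13";
 in
 stdenv.mkDerivation {
 pname = "sgx-ssl" + lib.optionalString debug "-debug";
@@ -27,7 +27,7 @@
 let
 opensslSourceArchive = fetchurl {
 url = "https://www.openssl.org/source/openssl-${opensslVersion}.tar.gz";
-hash = "sha256-+Tyejt3l6RZhGd4xdV/Ie0qjSGNmL2fd/LoU0La2m2E=";
+hash = "sha256-iFJXU/edO+wn0vp8ZqoLkrOqlJja/ZPXz6SzeAza4xM=";
 };
 in
 ''
@@ -39,8 +39,8 @@
 
 # Skip the tests. Build and run separately (see below).
 substituteInPlace Linux/sgx/Makefile \
---replace '$(MAKE) -C $(TEST_DIR) all' \
-'bash -c "true"'
+--replace-fail '$(MAKE) -C $(TEST_DIR) all' \
+'bash -c "true"'
 '';
 
 nativeBuildInputs = [
@@ -71,11 +71,11 @@
 SIM = callPackage ./tests.nix { sgxMode = "SIM"; inherit opensslVersion; };
 };
 
-meta = with lib; {
+meta = {
 description = "Cryptographic library for Intel SGX enclave applications based on OpenSSL";
 homepage = "https://github.com/intel/intel-sgx-ssl";
-maintainers = with maintainers; [ phlip9 trundle veehaitch ];
+maintainers = with lib.maintainers; [ phlip9 trundle veehaitch ];
 platforms = [ "x86_64-linux" ];
-license = [ licenses.bsd3 licenses.openssl ];
+license = with lib.licenses; [ bsd3 openssl ];
 };
 }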
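Review bot: `opensslVersion = "3.0.13"` in the first hunk is an OpenSSL pin that lives outside nixpkgs' own `openssl` package, so OpenSSL security releases do not reach sgx-ssl through the normal update path; each one has to be picked up here by hand together with the tarball hash in the second hunk. That is a legitimate design for an enclave-side library, but the file should say so where the pin is, otherwise the next reader assumes the usual nixpkgs coverage applies. I would put `# Pinned independently of pkgs.openssl: OpenSSL security releases do not reach sgx-ssl automatically, bump this and the tarball hash together` on the line above it. Whether intel-sgx-ssl tolerates a newer 3.0.x than the one its release tested is not visible here, so I would leave that judgement out of the comment.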