
Merge pull request #203449 from yaxitech/azure-quote-provider

authored by

Sandro and committed by
GitHub
c8c8ac5c 33371086

+210 -33
+18 -3
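--- a/nixos/modules/services/security/aesmd.nix
+++ b/nixos/modules/services/security/aesmd.nix
@@ -25,6 +25,22 @@
       default = false;
       description = lib.mdDoc "Whether to build the PSW package in debug mode.";
     };
+    environment = mkOption {
+      type = with types; attrsOf str;
+      default = { };
+      description = mdDoc "Additional environment variables to pass to the AESM service.";
+      # Example environment variable for `sgx-azure-dcap-client` provider library
+      example = {
+        AZDCAP_COLLATERAL_VERSION = "v2";
+        AZDCAP_DEBUG_LOG_LEVEL = "INFO";
+      };
+    };
+    quoteProviderLibrary = mkOption {
+      type = with types; nullOr path;
+      default = null;
+      example = literalExpression "pkgs.sgx-azure-dcap-client";
+      description = lib.mdDoc "Custom quote provider library to use.";
+    };
     settings = mkOption {
       description = lib.mdDoc "AESM configuration";
       default = { };
@@ -83,7 +99,6 @@
         storeAesmFolder = "${sgx-psw}/aesm";
         # Hardcoded path AESM_DATA_FOLDER in psw/ae/aesm_service/source/oal/linux/aesm_util.cpp
         aesmDataFolder = "/var/opt/aesmd/data";
-        aesmStateDirSystemd = "%S/aesmd";
       in
       {
         description = "Intel Architectural Enclave Service Manager";
@@ -98,8 +113,8 @@
         environment = {
           NAME = "aesm_service";
           AESM_PATH = storeAesmFolder;
-          LD_LIBRARY_PATH = storeAesmFolder;
-        };
+          LD_LIBRARY_PATH = makeLibraryPath [ cfg.quoteProviderLibrary ];
+        } // cfg.environment;
 
         # Make sure any of the SGX application enclave devices is available
         unitConfig.AssertPathExists = [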
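Review bot: `} // cfg.environment` on the last added line of the third hunk lets any key in `services.aesmd.environment` overwrite the values the module computes, so a user setting `environment.LD_LIBRARY_PATH` (or `AESM_PATH`/`NAME`) silently replaces the search path derived from `quoteProviderLibrary` and the service loads whatever that path names. If the override is not intended, merge the other way, `cfg.environment // { NAME = "aesm_service"; AESM_PATH = storeAesmFolder; LD_LIBRARY_PATH = makeLibraryPath [ cfg.quoteProviderLibrary ]; }`, or state in the `environment` option description that these three keys are reserved. The library named by `quoteProviderLibrary` is found through the search path rather than by explicit path, so its description should also say that the package is expected to ship the provider shared object under `lib/` — confirm the exact soname AESM looks up before documenting it. The enclosing `systemd.services.aesmd` definition starts and ends outside the hunks.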
+68 -28
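--- a/nixos/tests/aesmd.nix
+++ b/nixos/tests/aesmd.nix
@@ -1,7 +1,7 @@
 { pkgs, lib, ... }: {
   name = "aesmd";
   meta = {
-    maintainers = with lib.maintainers; [ veehaitch ];
+    maintainers = with lib.maintainers; [ trundle veehaitch ];
   };
 
   nodes.machine = { lib, ... }: {
@@ -25,38 +25,78 @@
 
     # We don't have a real SGX machine in NixOS tests
     systemd.services.aesmd.unitConfig.AssertPathExists = lib.mkForce [ ];
+
+    specialisation = {
+      withQuoteProvider.configuration = { ... }: {
+        services.aesmd = {
+          quoteProviderLibrary = pkgs.sgx-azure-dcap-client;
+          environment = {
+            AZDCAP_DEBUG_LOG_LEVEL = "INFO";
+          };
+        };
+      };
+    };
   };
 
-  testScript = ''
-    with subtest("aesmd.service starts"):
-      machine.wait_for_unit("aesmd.service")
-      status, main_pid = machine.systemctl("show --property MainPID --value aesmd.service")
-      assert status == 0, "Could not get MainPID of aesmd.service"
-      main_pid = main_pid.strip()
+  testScript = { nodes, ... }:
+    let
+      specialisations = "${nodes.machine.system.build.toplevel}/specialisation";
+    in
+    ''
+      def get_aesmd_pid():
+        status, main_pid = machine.systemctl("show --property MainPID --value aesmd.service")
+        assert status == 0, "Could not get MainPID of aesmd.service"
+        return main_pid.strip()
 
-    with subtest("aesmd.service runtime directory permissions"):
-      runtime_dir = "/run/aesmd";
-      res = machine.succeed(f"stat -c '%a %U %G' {runtime_dir}").strip()
-      assert "750 aesmd sgx" == res, f"{runtime_dir} does not have the expected permissions: {res}"
+      with subtest("aesmd.service starts"):
+        machine.wait_for_unit("aesmd.service")
 
-    with subtest("aesm.socket available on host"):
-      socket_path = "/var/run/aesmd/aesm.socket"
-      machine.wait_until_succeeds(f"test -S {socket_path}")
-      machine.succeed(f"test 777 -eq $(stat -c '%a' {socket_path})")
-      for op in [ "-r", "-w", "-x" ]:
-        machine.succeed(f"sudo -u sgxtest test {op} {socket_path}")
-        machine.fail(f"sudo -u nosgxtest test {op} {socket_path}")
+      main_pid = get_aesmd_pid()
 
-    with subtest("Copies white_list_cert_to_be_verify.bin"):
-      whitelist_path = "/var/opt/aesmd/data/white_list_cert_to_be_verify.bin"
-      whitelist_perms = machine.succeed(
-        f"nsenter -m -t {main_pid} ${pkgs.coreutils}/bin/stat -c '%a' {whitelist_path}"
-      ).strip()
-      assert "644" == whitelist_perms, f"white_list_cert_to_be_verify.bin has permissions {whitelist_perms}"
+      with subtest("aesmd.service runtime directory permissions"):
+        runtime_dir = "/run/aesmd";
+        res = machine.succeed(f"stat -c '%a %U %G' {runtime_dir}").strip()
+        assert "750 aesmd sgx" == res, f"{runtime_dir} does not have the expected permissions: {res}"
 
-    with subtest("Writes and binds aesm.conf in service namespace"):
-      aesmd_config = machine.succeed(f"nsenter -m -t {main_pid} ${pkgs.coreutils}/bin/cat /etc/aesmd.conf")
+      with subtest("aesm.socket available on host"):
+        socket_path = "/var/run/aesmd/aesm.socket"
+        machine.wait_until_succeeds(f"test -S {socket_path}")
+        machine.succeed(f"test 777 -eq $(stat -c '%a' {socket_path})")
+        for op in [ "-r", "-w", "-x" ]:
+          machine.succeed(f"sudo -u sgxtest test {op} {socket_path}")
+          machine.fail(f"sudo -u nosgxtest test {op} {socket_path}")
 
-      assert aesmd_config == "whitelist url = http://nixos.org\nproxy type = direct\ndefault quoting type = ecdsa_256\n", "aesmd.conf differs"
-  '';
+      with subtest("Copies white_list_cert_to_be_verify.bin"):
+        whitelist_path = "/var/opt/aesmd/data/white_list_cert_to_be_verify.bin"
+        whitelist_perms = machine.succeed(
+          f"nsenter -m -t {main_pid} ${pkgs.coreutils}/bin/stat -c '%a' {whitelist_path}"
+        ).strip()
+        assert "644" == whitelist_perms, f"white_list_cert_to_be_verify.bin has permissions {whitelist_perms}"
+
+      with subtest("Writes and binds aesm.conf in service namespace"):
+        aesmd_config = machine.succeed(f"nsenter -m -t {main_pid} ${pkgs.coreutils}/bin/cat /etc/aesmd.conf")
+
+        assert aesmd_config == "whitelist url = http://nixos.org\nproxy type = direct\ndefault quoting type = ecdsa_256\n", "aesmd.conf differs"
+
+      with subtest("aesmd.service without quote provider library has correct LD_LIBRARY_PATH"):
+        status, environment = machine.systemctl("show --property Environment --value aesmd.service")
+        assert status == 0, "Could not get Environment of aesmd.service"
+        env_by_name = dict(entry.split("=", 1) for entry in environment.split())
+        assert not env_by_name["LD_LIBRARY_PATH"], "LD_LIBRARY_PATH is not empty"
+
+      with subtest("aesmd.service with quote provider library starts"):
+        machine.succeed('${specialisations}/withQuoteProvider/bin/switch-to-configuration test')
+        machine.wait_for_unit("aesmd.service")
+
+        main_pid = get_aesmd_pid()
+
+      with subtest("aesmd.service with quote provider library has correct LD_LIBRARY_PATH"):
+        ld_library_path = machine.succeed(f"xargs -0 -L1 -a /proc/{main_pid}/environ | grep LD_LIBRARY_PATH")
+        assert ld_library_path.startswith("LD_LIBRARY_PATH=${pkgs.sgx-azure-dcap-client}/lib:"), \
+          "LD_LIBRARY_PATH is not set to the configured quote provider library"
+
+      with subtest("aesmd.service with quote provider library has set AZDCAP_DEBUG_LOG_LEVEL"):
+        azdcp_debug_log_level = machine.succeed(f"xargs -0 -L1 -a /proc/{main_pid}/environ | grep AZDCAP_DEBUG_LOG_LEVEL")
+        assert azdcp_debug_log_level == "AZDCAP_DEBUG_LOG_LEVEL=INFO\n", "AZDCAP_DEBUG_LOG_LEVEL is not set to INFO"
+    '';
 }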
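Review bot: The `grep LD_LIBRARY_PATH` and `grep AZDCAP_DEBUG_LOG_LEVEL` pipelines on new lines 94 and 99 match any environment entry whose name merely contains the substring, so a second variable such as an `LD_LIBRARY_PATH_*` or `AZDCAP_DEBUG_LOG_LEVEL_*` entry would yield multi-line output and make the `startswith` and equality assertions fail or pass for the wrong reason; anchor them as `grep '^LD_LIBRARY_PATH='` and `grep '^AZDCAP_DEBUG_LOG_LEVEL='`. The no-provider subtest at line 82 reads the unit's `Environment=` property while the provider subtests read `/proc/<pid>/environ`, and the former cannot see what the `aesm_service` wrapper appends at runtime, so a one-line comment above line 81 saying the two subtests deliberately inspect different layers would spare the next reader that puzzle. Neither subtest shows that AESM actually loaded the provider object, which presumably cannot be asserted without SGX hardware in the test VM — worth a comment stating that limitation.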
+1 -1
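--- a/nixos/tests/all-tests.nix
+++ b/nixos/tests/all-tests.nix
@@ -69,7 +69,7 @@
   _3proxy = runTest ./3proxy.nix;
   acme = runTest ./acme.nix;
   adguardhome = runTest ./adguardhome.nix;
-  aesmd = runTest ./aesmd.nix;
+  aesmd = runTestOn ["x86_64-linux"] ./aesmd.nix;
   agate = runTest ./web-servers/agate.nix;
   agda = handleTest ./agda.nix {};
   airsonic = handleTest ./airsonic.nix {};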
+93
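--- /dev/null
+++ b/pkgs/os-specific/linux/sgx/azure-dcap-client/default.nix
@@ -0,0 +1,93 @@
+{ stdenv
+, fetchFromGitHub
+, fetchurl
+, lib
+, curl
+, nlohmann_json
+, openssl
+, pkg-config
+, linkFarmFromDrvs
+, callPackage
+}:
+
+let
+  # Although those headers are also included in the source of `sgx-psw`, the `azure-dcap-client` build needs specific versions
+  filterSparse = list: ''
+    cp -r "$out"/. .
+    find "$out" -mindepth 1 -delete
+    cp ${lib.concatStringsSep " " list} "$out/"
+  '';
+  headers = linkFarmFromDrvs "azure-dcpa-client-intel-headers" [
+    (fetchFromGitHub rec {
+      name = "${repo}-headers";
+      owner = "intel";
+      repo = "SGXDataCenterAttestationPrimitives";
+      rev = "0436284f12f1bd5da7e7a06f6274d36b4c8d39f9";
+      sparseCheckout = [ "QuoteGeneration/quote_wrapper/common/inc/sgx_ql_lib_common.h" ];
+      hash = "sha256-ipKpYHbiwjCUXF/pCArJZy5ko1YX2wqMMdSnMUzhkgY=";
+      postFetch = filterSparse sparseCheckout;
+    })
+    (fetchFromGitHub rec {
+      name = "${repo}-headers";
+      owner = "intel";
+      repo = "linux-sgx";
+      rev = "1ccf25b64abd1c2eff05ead9d14b410b3c9ae7be";
+      hash = "sha256-WJRoS6+NBVJrFmHABEEDpDhW+zbWFUl65AycCkRavfs=";
+      sparseCheckout = [
+        "common/inc/sgx_report.h"
+        "common/inc/sgx_key.h"
+        "common/inc/sgx_attributes.h"
+      ];
+      postFetch = filterSparse sparseCheckout;
+    })
+  ];
+in
+stdenv.mkDerivation rec {
+  pname = "azure-dcap-client";
+  version = "1.11.2";
+
+  src = fetchFromGitHub {
+    owner = "microsoft";
+    repo = pname;
+    rev = version;
+    hash = "sha256-EYj3jnzTyJRl6N7avNf9VrB8r9U6zIE6wBNeVsMtWCA=";
+  };
+
+  nativeBuildInputs = [
+    pkg-config
+  ];
+
+  buildInputs = [
+    curl
+    nlohmann_json
+    openssl
+  ];
+
+  postPatch = ''
+    mkdir -p src/Linux/ext/intel
+    find -L '${headers}' -type f -exec ln -s {} src/Linux/ext/intel \;
+
+    substitute src/Linux/Makefile{.in,} \
+      --replace '##CURLINC##' '${curl.dev}/include/curl/' \
+      --replace '$(TEST_SUITE): $(PROVIDER_LIB) $(TEST_SUITE_OBJ)' '$(TEST_SUITE): $(TEST_SUITE_OBJ)'
+  '';
+
+  NIX_CFLAGS_COMPILE = "-Wno-deprecated-declarations";
+
+  makeFlags = [
+    "-C src/Linux"
+    "prefix=$(out)"
+  ];
+
+  # Online test suite; run with
+  # $(nix-build -A sgx-azure-dcap-client.tests.suite)/bin/tests
+  passthru.tests.suite = callPackage ./test-suite.nix { };
+
+  meta = with lib; {
+    description = "Interfaces between SGX SDKs and the Azure Attestation SGX Certification Cache";
+    homepage = "https://github.com/microsoft/azure-dcap-client";
+    maintainers = with maintainers; [ trundle veehaitch ];
+    platforms = [ "x86_64-linux" ];
+    license = [ licenses.mit ];
+  };
+}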
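Review bot: `fetchurl` in the argument set on line 3 is never used in the file, and the link-farm name on line 20 is misspelled `azure-dcpa-client-intel-headers`; drop the unused input and rename it to `azure-dcap-client-intel-headers`. The comment on line 14 says the build needs specific header versions but records only bare commit hashes for the two Intel repositories, so a later bump of `version` carries no visible hint about which DCAP and linux-sgx releases the headers must track; noting the matching upstream tag next to each `rev` would make that coupling checkable at review time. `NIX_CFLAGS_COMPILE = "-Wno-deprecated-declarations"` on line 75 silences the warning for the whole build rather than for the calls that presumably trigger it, so a one-line comment naming the cause would keep the flag from being carried forward blindly on the next update.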
+27
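--- /dev/null
+++ b/pkgs/os-specific/linux/sgx/azure-dcap-client/test-suite.nix
@@ -0,0 +1,27 @@
+{ lib
+, sgx-azure-dcap-client
+, gtest
+, makeWrapper
+}:
+sgx-azure-dcap-client.overrideAttrs (oldAttrs: {
+  nativeBuildInputs = oldAttrs.nativeBuildInputs ++ [
+    makeWrapper
+    gtest
+  ];
+
+  buildFlags = [
+    "tests"
+  ];
+
+  installPhase = ''
+    runHook preInstall
+
+    install -D ./src/Linux/tests "$out/bin/tests"
+
+    runHook postInstall
+  '';
+
+  postFixup = ''
+    wrapProgram "$out/bin/tests" --prefix LD_LIBRARY_PATH : "${lib.makeLibraryPath [ sgx-azure-dcap-client ]}"
+  '';
+})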
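Review bot: `gtest` on line 9 is placed in `nativeBuildInputs`, but it is a library linked into the produced `tests` binary rather than a build-time tool, so it belongs in `buildInputs` (or `checkInputs`); with `platforms` limited to `x86_64-linux` this has no practical effect today, but it is the wrong slot for a host library. Nothing in this file says the resulting binary talks to the network, which the sibling `default.nix` describes as an online suite; add `# Online suite: talks to the Azure collateral cache, so it is exposed via passthru.tests and never run in checkPhase.` above `buildFlags` so nobody later wires it into `doCheck`. `install -D ./src/Linux/tests "$out/bin/tests"` on line 19 relies on the default mode; `install -Dm755` would state the intent explicitly.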
+1 -1
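--- a/pkgs/os-specific/linux/sgx/psw/default.nix
+++ b/pkgs/os-specific/linux/sgx/psw/default.nix
@@ -121,7 +121,7 @@
 
     mkdir $out/bin
     makeWrapper $out/aesm/aesm_service $out/bin/aesm_service \
-      --prefix LD_LIBRARY_PATH : ${lib.makeLibraryPath [ protobuf ]}:$out/aesm \
+      --suffix LD_LIBRARY_PATH : ${lib.makeLibraryPath [ protobuf ]}:$out/aesm \
       --chdir "$out/aesm"
 
     # Make sure we didn't forget to handle any files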
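Review bot: Switching `--prefix` to `--suffix` on line 124 means any `LD_LIBRARY_PATH` already set when `aesm_service` is invoked is searched before the bundled `protobuf` and `$out/aesm` directories; that is what lets `services.aesmd.quoteProviderLibrary` take precedence, but it also lets a caller-supplied path shadow every library the wrapper ships, and nothing in the hunk records that trade-off. Add a comment above the `makeWrapper` call, e.g. `# --suffix so a quote provider library supplied via LD_LIBRARY_PATH (services.aesmd.quoteProviderLibrary) is found before the one bundled in $out/aesm`. Whether `$out/aesm` actually contains a default provider object is not visible here and should be confirmed before the comment asserts it. The enclosing install phase starts and ends outside the hunk.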
+2
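--- a/pkgs/top-level/all-packages.nix
+++ b/pkgs/top-level/all-packages.nix
@@ -26083,6 +26083,8 @@
 
   seturgent = callPackage ../os-specific/linux/seturgent { };
 
+  sgx-azure-dcap-client = callPackage ../os-specific/linux/sgx/azure-dcap-client { };
+
   sgx-sdk = callPackage ../os-specific/linux/sgx/sdk { };
 
   sgx-ssl = callPackage ../os-specific/linux/sgx/ssl { };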