sgx-ssl: init at lin_2.15.1_1.1.1l

Co-authored-by: Vincent Haupert <mail@vincent-haupert.de>

authored by Andreas Stührk Vincent Haupert and committed by Vincent Haupert db091609 59f5fe8b

+191
+90
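--- a/pkgs/os-specific/linux/sgx/ssl/default.nix
+++ b/pkgs/os-specific/linux/sgx/ssl/default.nix
@@ -0,0 +1,90 @@
+{ stdenv
+, fetchFromGitHub
+, fetchpatch
+, fetchurl
+, lib
+, perl
+, sgx-sdk
+, which
+, debug ? false
+}:
+let
+  sgxVersion = sgx-sdk.versionTag;
+  opensslVersion = "1.1.1l";
+in
+stdenv.mkDerivation rec {
+  pname = "sgx-ssl" + lib.optionalString debug "-debug";
+  version = "lin_${sgxVersion}_${opensslVersion}";
+
+  src = fetchFromGitHub {
+    owner = "intel";
+    repo = "intel-sgx-ssl";
+    rev = version;
+    hash = "sha256-ibPXs90ni2fkxJ09fNO6wWVpfCFdko6MjBFkEsyIih8=";
+  };
+
+  postUnpack =
+    let
+      opensslSourceArchive = fetchurl {
+        url = "https://www.openssl.org/source/openssl-${opensslVersion}.tar.gz";
+        hash = "sha256-C3o+XlnDSCf+DDp0t+yLrvMCuY+oAIjX+RU6oW+na9E=";
+      };
+    in
+    ''
+      ln -s ${opensslSourceArchive} $sourceRoot/openssl_source/openssl-${opensslVersion}.tar.gz
+    '';
+
+  patches = [
+    # https://github.com/intel/intel-sgx-ssl/pull/111
+    ./intel-sgx-ssl-pr-111.patch
+  ];
+
+  postPatch = ''
+    patchShebangs Linux/build_openssl.sh
+
+    # Run the test in the `installCheckPhase`, not the `buildPhase`
+    substituteInPlace Linux/sgx/Makefile \
+      --replace '$(MAKE) -C $(TEST_DIR) all' \
+      'bash -c "true"'
+  '';
+
+  enableParallelBuilding = true;
+
+  nativeBuildInputs = [
+    perl
+    sgx-sdk
+    stdenv.glibc
+    which
+  ];
+
+  makeFlags = [
+    "-C Linux"
+  ] ++ lib.optionals debug [
+    "DEBUG=1"
+  ];
+
+  installFlags = [
+    "DESTDIR=$(out)"
+  ];
+
+  # Build and run the test app
+  doInstallCheck = true;
+  installCheckTarget = "all test";
+  installCheckFlags = [
+    "SGX_MODE=SIM"
+    "-C sgx/test_app"
+    "-j 1" # Makefile doesn't support multiple jobs
+  ];
+  preInstallCheck = ''
+    # Expects the enclave file in the current working dir
+    ln -s sgx/test_app/TestEnclave.signed.so .
+  '';
+
+  meta = with lib; {
+    description = "Cryptographic library for Intel SGX enclave applications based on OpenSSL";
+    homepage = "https://github.com/intel/intel-sgx-ssl";
+    maintainers = with maintainers; [ trundle veehaitch ];
+    platforms = [ "x86_64-linux" ];
+    license = with licenses; [ bsd3 openssl ];
+  };
+}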
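Review bot: `fetchpatch` is taken as an input on line 3 but never used — the only entry in `patches` is the in-tree `./intel-sgx-ssl-pr-111.patch` — so either drop the unused argument or fetch the linked PR with `fetchpatch` and pin it by hash. The `debug` argument changes both the package name and the build yet has no comment; suggest `# Build the DEBUG=1 variant of the library (pname gets a "-debug" suffix)` on line 9. In `postPatch`, `substituteInPlace --replace` is silent when the needle `$(MAKE) -C $(TEST_DIR) all` no longer matches, which on an upstream Makefile change would quietly move the test app back into `buildPhase`; a follow-up check that the replacement actually landed (e.g. grepping the Makefile for `bash -c "true"`) would make that loud. The comment on line 70 could also record that the check runs under `SGX_MODE=SIM`, e.g. `# Build and run the test app in SGX simulation mode`, since the flag is the only thing that tells a reader no hardware enclave is exercised.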
+99
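--- a/pkgs/os-specific/linux/sgx/ssl/intel-sgx-ssl-pr-111.patch
+++ b/pkgs/os-specific/linux/sgx/ssl/intel-sgx-ssl-pr-111.patch
@@ -0,0 +1,99 @@
+From 1683c336e11b3cbe2b48c1be1c9460a661523c71 Mon Sep 17 00:00:00 2001
+From: Vincent Haupert <mail@vincent-haupert.de>
+Date: Sat, 8 Jan 2022 17:22:31 +0100
+Subject: [PATCH 1/3] Linux: fix Nix detection
+
+Detect the `OS_ID` of Nix by probing for the presence of the `NIX_STORE`
+environment variable instead of `NIX_PATH`. The latter is only set in a
+`nix-shell` session but isn't when building a derivation through
+`nix-build`. In contrast, the `NIX_STORE` environment variable is set in
+both cases.
+
+Signed-off-by: Vincent Haupert <mail@vincent-haupert.de>
+---
+ Linux/sgx/buildenv.mk | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/Linux/sgx/buildenv.mk b/Linux/sgx/buildenv.mk
+index cd8818e..dac23c7 100644
+--- a/Linux/sgx/buildenv.mk
++++ b/Linux/sgx/buildenv.mk
+@@ -65,7 +65,7 @@ $(shell mkdir -p $(PACKAGE_LIB))
+ UBUNTU_CONFNAME:=/usr/include/x86_64-linux-gnu/bits/confname.h
+ ifneq ("$(wildcard $(UBUNTU_CONFNAME))","")
+ OS_ID=1
+-else ifeq ($(origin NIX_PATH),environment)
++else ifeq ($(origin NIX_STORE),environment)
+ OS_ID=3
+ else
+ OS_ID=2
+
+From f493525face589d759223bfa45bb802c31ddce4f Mon Sep 17 00:00:00 2001
+From: Vincent Haupert <mail@vincent-haupert.de>
+Date: Sat, 8 Jan 2022 17:33:22 +0100
+Subject: [PATCH 2/3] Linux: call binaries relative to PATH
+
+Using an absolute path to call binaries is incompatible with
+distributions which do not follow the Filesystem Hierachy Standard;
+Nix is an example. Also, it is inconsistent with the rest of the code
+base, let alone superfluous.
+
+Signed-off-by: Vincent Haupert <mail@vincent-haupert.de>
+---
+ Linux/build_openssl.sh | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/Linux/build_openssl.sh b/Linux/build_openssl.sh
+index 7d77b79..e8b59a1 100755
+--- a/Linux/build_openssl.sh
++++ b/Linux/build_openssl.sh
+@@ -38,7 +38,7 @@ SGXSSL_ROOT="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
+ echo $SGXSSL_ROOT
+ 
+ OPENSSL_INSTALL_DIR="$SGXSSL_ROOT/../openssl_source/OpenSSL_install_dir_tmp"
+-OPENSSL_VERSION=`/bin/ls $SGXSSL_ROOT/../openssl_source/*1.1.1*.tar.gz | /usr/bin/head -1 | /bin/grep -o '[^/]*$' | /bin/sed -s -- 's/\.tar\.gz//'`
++OPENSSL_VERSION=`ls $SGXSSL_ROOT/../openssl_source/*1.1.1*.tar.gz | head -1 | grep -o '[^/]*$' | sed -s -- 's/\.tar\.gz//'`
+ if [ "$OPENSSL_VERSION" == "" ]
+ then
+ echo "In order to run this script, OpenSSL tar.gz package must be located in openssl_source/ directory."
+
+From fdb883d30fff72b5cfb8c61a2288d3d948f64224 Mon Sep 17 00:00:00 2001
+From: Vincent Haupert <mail@vincent-haupert.de>
+Date: Tue, 11 Jan 2022 10:56:39 +0100
+Subject: [PATCH 3/3] Linux: properly extract GCC major version
+
+Calling `gcc -dumpversion` yields the full version string, e.g.,
+`10.3.0`. The `build_openssl.sh` bash script uses the `-ge` number
+comparison operator to check if the returned version is at least
+8. This results in an error if the returned GCC version includes a patch
+version; "10.3.0" isn't a valid number.
+
+This commit fixes the version detection by only extracting the relevant
+major version of GCC.
+
+Signed-off-by: Vincent Haupert <mail@vincent-haupert.de>
+---
+ Linux/build_openssl.sh | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/Linux/build_openssl.sh b/Linux/build_openssl.sh
+index e8b59a1..6e4046f 100755
+--- a/Linux/build_openssl.sh
++++ b/Linux/build_openssl.sh
+@@ -82,6 +82,7 @@ fi
+ MITIGATION_OPT=""
+ MITIGATION_FLAGS=""
+ CC_VERSION=`gcc -dumpversion`
++CC_VERSION_MAJOR=`echo "$CC_VERSION" | cut -f1 -d.`
+ for arg in "$@"
+ do
+ case $arg in
+@@ -99,7 +100,7 @@ do
+ ;;
+ -mfunction-return=thunk-extern)
+ MITIGATION_FLAGS+=" $arg"
+- if [[ $CC_VERSION -ge 8 ]] ; then
++ if [[ "$CC_VERSION_MAJOR" -ge 8 ]] ; then
+ MITIGATION_FLAGS+=" -fcf-protection=none"
+ fi
+ shift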
+2
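--- a/pkgs/top-level/all-packages.nix
+++ b/pkgs/top-level/all-packages.nix
@@ -22872,6 +22872,8 @@
 
   sgx-sdk = callPackage ../os-specific/linux/sgx/sdk { };
 
+  sgx-ssl = callPackage ../os-specific/linux/sgx/ssl { };
+
   sgx-psw = callPackage ../os-specific/linux/sgx/psw { };
 
   shadow = callPackage ../os-specific/linux/shadow { };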