lol

nixos/aesmd: add option `environment`

+21 -2
+11 -1
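--- a/nixos/modules/services/security/aesmd.nix
+++ b/nixos/modules/services/security/aesmd.nix
@@ -25,6 +25,16 @@
       default = false;
       description = lib.mdDoc "Whether to build the PSW package in debug mode.";
     };
+    environment = mkOption {
+      type = with types; attrsOf str;
+      default = { };
+      description = mdDoc "Additional environment variables to pass to the AESM service.";
+      # Example environment variable for `sgx-azure-dcap-client` provider library
+      example = {
+        AZDCAP_COLLATERAL_VERSION = "v2";
+        AZDCAP_DEBUG_LOG_LEVEL = "INFO";
+      };
+    };
     quoteProviderLibrary = mkOption {
       type = with types; nullOr path;
       default = null;
@@ -104,7 +114,7 @@
         NAME = "aesm_service";
         AESM_PATH = storeAesmFolder;
         LD_LIBRARY_PATH = makeLibraryPath [ cfg.quoteProviderLibrary ];
-      };
+      } // cfg.environment;
 
       # Make sure any of the SGX application enclave devices is available
       unitConfig.AssertPathExists = [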
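Review bot: The merge `} // cfg.environment` in the second hunk gives user-supplied keys precedence over the module-managed `NAME`, `AESM_PATH` and `LD_LIBRARY_PATH`, so an `LD_LIBRARY_PATH` entry in `services.aesmd.environment` silently replaces the `quoteProviderLibrary` path instead of extending it, while the option description ("Additional environment variables") does not say so. Either flip the merge so the fixed keys win (`cfg.environment // { NAME = …; }`) or state the precedence explicitly. Since these values presumably end up in the generated unit file in the world-readable Nix store, the description should also warn against putting secrets here; suggested text: `description = mdDoc "Additional environment variables to pass to the AESM service. Keys set here take precedence over the ones the module sets (NAME, AESM_PATH, LD_LIBRARY_PATH). Values are written to the unit file in the Nix store, so do not put secrets here.";`. Separately, the new option uses bare `mdDoc` where the neighbouring line 26 uses `lib.mdDoc`; pick one form. The attribute set the second hunk edits starts and ends outside the hunk.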
+10 -1
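--- a/nixos/tests/aesmd.nix
+++ b/nixos/tests/aesmd.nix
@@ -28,7 +28,12 @@
 
     specialisation = {
       withQuoteProvider.configuration = { ... }: {
-        services.aesmd.quoteProviderLibrary = pkgs.sgx-azure-dcap-client;
+        services.aesmd = {
+          quoteProviderLibrary = pkgs.sgx-azure-dcap-client;
+          environment = {
+            AZDCAP_DEBUG_LOG_LEVEL = "INFO";
+          };
+        };
       };
     };
   };
@@ -89,5 +94,14 @@
       ld_library_path = machine.succeed(f"xargs -0 -L1 -a /proc/{main_pid}/environ | grep LD_LIBRARY_PATH")
       assert ld_library_path.startswith("LD_LIBRARY_PATH=${pkgs.sgx-azure-dcap-client}/lib:"), \
         "LD_LIBRARY_PATH is not set to the configured quote provider library"
+
+      with subtest("aesmd.service with quote provider library has set AZDCAP_DEBUG_LOG_LEVEL"):
+        azdcp_debug_log_level = machine.succeed(f"xargs -0 -L1 -a /proc/{main_pid}/environ | grep AZDCAP_DEBUG_LOG_LEVEL")
+        assert azdcp_debug_log_level == "AZDCAP_DEBUG_LOG_LEVEL=INFO\n", "AZDCAP_DEBUG_LOG_LEVEL is not set to INFO"
     '';
   }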
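Review bot: The `grep AZDCAP_DEBUG_LOG_LEVEL` added in the second hunk is unanchored, so if the service environment ever gains another variable whose name contains that string, `machine.succeed` returns several lines and the exact-string assert fails with an unhelpful message rather than reporting the actual value; anchor it as `grep '^AZDCAP_DEBUG_LOG_LEVEL='`. The new local is also misspelt (`azdcp_debug_log_level` for `azdcap_…`), which will make later greps of the test script miss it. The Python test script that encloses both hunks starts outside the hunk.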