From 25955eed5ce01dbee70bfe98713c4e74a8317e33 Mon Sep 17 00:00:00 2001
From: Philip Hayes
Date: Tue, 23 Jan 2024 17:38:28 +0800
Subject: [PATCH] sgx-sdk: 2.21 -> 2.23
- `make preparation` step keeps changing; use a more maintainable .patch approach instead of copying over steps from Makefile. - Remove stale patch. Diff: Changelog (2.22): Changelog (2.23):
---
 pkgs/os-specific/linux/sgx/sdk/default.nix | 37 ++++---------------
 .../linux/sgx/sdk/disable-downloads.patch | 26 +++++++++++++
 2 files changed, 34 insertions(+), 29 deletions(-)
 create mode 100644 pkgs/os-specific/linux/sgx/sdk/disable-downloads.patch
diff --git a/pkgs/os-specific/linux/sgx/sdk/default.nix b/pkgs/os-specific/linux/sgx/sdk/default.nix
index 2570406a7112..26046219932c 100644
--- a/pkgs/os-specific/linux/sgx/sdk/default.nix
+++ b/pkgs/os-specific/linux/sgx/sdk/default.nix
@@ -1,7 +1,6 @@
 { lib
 , stdenv
 , fetchFromGitHub
-, fetchpatch
 , autoconf
 , automake
 , binutils
@@ -27,15 +26,15 @@ stdenv.mkDerivation rec {
 pname = "sgx-sdk";
 # Version as given in se_version.h
- version = "2.21.100.1";
+ version = "2.23.100.2";
 # Version as used in the Git tag
- versionTag = "2.21";
+ versionTag = "2.23";
 src = fetchFromGitHub {
 owner = "intel";
 repo = "linux-sgx";
 rev = "sgx_${versionTag}";
- hash = "sha256-Yo2G0H0XUI2p9W7lDRLkFHw2t8X1220brGohQJ0r2WY=";
+ hash = "sha256-i+fE6xKiuljG8LY8TIHgrW15DVpdp46bZdNo/BjgT/I=";
 fetchSubmodules = true;
 };
@@ -46,39 +45,19 @@ stdenv.mkDerivation rec {
 '';
 patches = [
- # Fix missing pthread_compat.h, see https://github.com/intel/linux-sgx/pull/784
- (fetchpatch {
- url = "https://github.com/intel/linux-sgx/commit/254b58f922a6bd49c308a4f47f05f525305bd760.patch";
- sha256 = "sha256-sHU++K7NJ+PdITx3y0PwstA9MVh10rj2vrLn01N9F4w=";
- })
+ # There's a `make preparation` step that downloads some prebuilt binaries
+ # and applies some patches to the in-repo git submodules. This patch removes
+ # the parts that download things, since we can't do that inside the sandbox.
+ ./disable-downloads.patch
 ];
- # There's a `make preparation` step that downloads some prebuilt binaries and
- # applies some patches to the in-repo git submodules. We can't just run it,
- # since it downloads things, so this step just extracts the patching steps.
 postPatch = ''
 patchShebangs linux/installer/bin/build-installpkg.sh \
 linux/installer/common/sdk/createTarball.sh \
 linux/installer/common/sdk/install.sh \
 external/sgx-emm/create_symlink.sh
- echo "Running 'make preparation' but without download steps"
-
- # Seems to download something. Build currently uses ipp-crypto and not
- # sgxssl so probably not an issue.
- # $ ./external/dcap_source/QuoteVerification/prepare_sgxssl.sh nobuild
-
- pushd external/openmp/openmp_code
- git apply ../0001-Enable-OpenMP-in-SGX.patch >/dev/null 2>&1 \
- || git apply ../0001-Enable-OpenMP-in-SGX.patch --check -R
- popd
-
- pushd external/protobuf/protobuf_code
- git apply ../sgx_protobuf.patch >/dev/null 2>&1 \
- || git apply ../sgx_protobuf.patch --check -R
- popd
-
- ./external/sgx-emm/create_symlink.sh
+ make preparation
 '';
 # We need `cmake` as a build input but don't use it to kick off the build phase
diff --git a/pkgs/os-specific/linux/sgx/sdk/disable-downloads.patch b/pkgs/os-specific/linux/sgx/sdk/disable-downloads.patch
new file mode 100644
index 000000000000..bdf9b9f9136e
--- /dev/null
+++ b/pkgs/os-specific/linux/sgx/sdk/disable-downloads.patch
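Review bot: The rewritten postPatch drops the only record of why `prepare_sgxssl.sh nobuild` can be skipped: the removed comment said the build uses ipp-crypto rather than sgxssl, and the new comment in `patches` only says the download parts are removed. I would keep that reasoning next to the call, for example `# sgxssl preparation is disabled by disable-downloads.patch; the build uses ipp-crypto (confirm for 2.23)` above `make preparation`. The upstream `preparation` target also shells out to `git apply`, so this line relies on git remaining among the build inputs, which are declared outside the hunk. The mkDerivation body starts before and continues after this hunk.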
@@ -0,0 +1,26 @@
+diff --git a/Makefile b/Makefile
+index 32433051..2e480efb 100644
+--- a/Makefile
++++ b/Makefile
+@@ -50,8 +50,8 @@ tips:
+ preparation:
+ # As SDK build needs to clone and patch openmp, we cannot support the mode that download the source from github as zip.
+ # Only enable the download from git
+- git submodule update --init --recursive
+- ./external/dcap_source/QuoteVerification/prepare_sgxssl.sh nobuild
++ # git submodule update --init --recursive
++ # ./external/dcap_source/QuoteVerification/prepare_sgxssl.sh nobuild
+ cd external/openmp/openmp_code && git apply ../0001-Enable-OpenMP-in-SGX.patch >/dev/null 2>&1 || git apply ../0001-Enable-OpenMP-in-SGX.patch --check -R
+ cd external/protobuf/protobuf_code && git apply ../sgx_protobuf.patch >/dev/null 2>&1 || git apply ../sgx_protobuf.patch --check -R
+ ./external/sgx-emm/create_symlink.sh
+@@ -59,8 +59,8 @@ preparation:
+ cd external/cbor && cp -r libcbor sgx_libcbor
+ cd external/cbor/libcbor && git apply ../raw_cbor.patch >/dev/null 2>&1 || git apply ../raw_cbor.patch --check -R
+ cd external/cbor/sgx_libcbor && git apply ../sgx_cbor.patch >/dev/null 2>&1 || git apply ../sgx_cbor.patch --check -R
+- ./download_prebuilt.sh
+- ./external/dcap_source/QuoteGeneration/download_prebuilt.sh
++ # ./download_prebuilt.sh
++ # ./external/dcap_source/QuoteGeneration/download_prebuilt.sh
+
+ psw:
+ $(MAKE) -C psw/ USE_OPT_LIBS=$(USE_OPT_LIBS)
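Review bot: Nothing in this patch fails the build if a later upstream release adds another network step to the `preparation` target; the patch keeps applying as long as these two context windows match, and the new step would then run. Inside the sandbox that ends in a build failure, but where sandboxing is relaxed it would presumably fetch unpinned prebuilt binaries into the build. A short header above the first `diff --git` line, which patch tools skip, could state the intent: `Disables every network step in 'make preparation'; re-audit the target on each sgx-sdk bump.` Commenting the four commands out instead of deleting them is a good choice, since the patched Makefile still shows what was disabled.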