diff --git a/pkgs/os-specific/linux/sgx/azure-dcap-client/default.nix b/pkgs/os-specific/linux/sgx/azure-dcap-client/default.nix index 0ee191e86895..c21f8ea8a644 100644 --- a/pkgs/os-specific/linux/sgx/azure-dcap-client/default.nix +++ b/pkgs/os-specific/linux/sgx/azure-dcap-client/default.nix @@ -35,13 +35,13 @@ let in stdenv.mkDerivation rec { pname = "azure-dcap-client"; - version = "1.12.1"; + version = "1.12.3"; src = fetchFromGitHub { owner = "microsoft"; repo = pname; rev = version; - hash = "sha256-q0dI4WdA1ue4sw+QfSherh31Ldf9gnhoft66o3E9gnU="; + hash = "sha256-zTDaICsSPXctgFRCZBiZwXV9dLk2pFL9kp5a8FkiTZA="; }; patches = [ @@ -87,7 +87,7 @@ stdenv.mkDerivation rec { meta = with lib; { description = "Interfaces between SGX SDKs and the Azure Attestation SGX Certification Cache"; homepage = "https://github.com/microsoft/azure-dcap-client"; - maintainers = with maintainers; [ trundle veehaitch ]; + maintainers = with maintainers; [ phlip9 trundle veehaitch ]; platforms = [ "x86_64-linux" ]; license = [ licenses.mit ]; }; diff --git a/pkgs/os-specific/linux/sgx/psw/default.nix b/pkgs/os-specific/linux/sgx/psw/default.nix index 22e52b6ec9fd..42e00071d810 100644 --- a/pkgs/os-specific/linux/sgx/psw/default.nix +++ b/pkgs/os-specific/linux/sgx/psw/default.nix @@ -14,7 +14,7 @@ , debug ? false }: stdenv.mkDerivation rec { - inherit (sgx-sdk) version versionTag src; + inherit (sgx-sdk) patches src version versionTag; pname = "sgx-psw"; postUnpack = 
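Review bot: `inherit (sgx-sdk) patches src version versionTag;` makes sgx-psw apply whatever patch list the SDK derivation carries, and nothing at this site says why, so someone editing the SDK's patches would not know psw depends on them. Since the SDK's own comments describe `cppmicroservices-no-mtime.patch` as the fix for a non-reproducible `aesm_service`, which appears to be what this package builds, a one-line comment would pin that down: `# Reuse the SDK's patches: cppmicroservices-no-mtime.patch is what makes aesm_service reproducible.` If psw ever needs a different set, this should become an explicit list rather than an inherit.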
@@ -24,16 +24,16 @@ stdenv.mkDerivation rec { # attestation quotes, and do platform certification. ae.prebuilt = fetchurl { url = "https://download.01.org/intel-sgx/sgx-linux/${versionTag}/prebuilt_ae_${versionTag}.tar.gz"; - hash = "sha256-IckW4p1XWkWCDCErXyTtnKYKeAUaCrp5iAMsRBMjLX0="; + hash = "sha256-IGV9VEwY/cQBV4Vz2sps4JgRweWRl/l08ocb9P4SH8Q="; }; # Also include the Data Center Attestation Primitives (DCAP) platform # enclaves. dcap = rec { - version = "1.18"; + version = "1.20"; filename = "prebuilt_dcap_${version}.tar.gz"; prebuilt = fetchurl { url = "https://download.01.org/intel-sgx/sgx-dcap/${version}/linux/$(unknown)"; - hash = "sha256-9ceys7ozOEienug+9MTZ6dw3nx7VBfxLNiwhZYv4SzY="; + hash = "sha256-nPsI89KSBA3cSNTMWyktZP5dkf+BwL3NZ4MuUf6G98o="; }; }; in @@ -181,7 +181,7 @@ stdenv.mkDerivation rec { meta = with lib; { description = "Intel SGX Architectural Enclave Service Manager"; homepage = "https://github.com/intel/linux-sgx"; - maintainers = with maintainers; [ veehaitch citadelcore ]; + maintainers = with maintainers; [ phlip9 veehaitch citadelcore ]; platforms = [ "x86_64-linux" ]; license = with licenses; [ bsd3 ]; }; diff --git a/pkgs/os-specific/linux/sgx/sdk/cppmicroservices-no-mtime.patch b/pkgs/os-specific/linux/sgx/sdk/cppmicroservices-no-mtime.patch new file mode 100644 index 000000000000..019f58927152 --- /dev/null +++ b/pkgs/os-specific/linux/sgx/sdk/cppmicroservices-no-mtime.patch 
@@ -0,0 +1,26 @@ +diff --git a/external/CppMicroServices/framework/src/bundle/BundleResourceContainer.cpp b/external/CppMicroServices/framework/src/bundle/BundleResourceContainer.cpp +index aee499e9..13fa89d4 100644 +--- a/external/CppMicroServices/framework/src/bundle/BundleResourceContainer.cpp ++++ b/external/CppMicroServices/framework/src/bundle/BundleResourceContainer.cpp +@@ -105,7 +105,7 @@ bool BundleResourceContainer::GetStat(int index, + const_cast(&m_ZipArchive), index) + ? true + : false; +- stat.modifiedTime = zipStat.m_time; ++ stat.modifiedTime = 0; + stat.crc32 = zipStat.m_crc32; + // This will limit the size info from uint64 to uint32 on 32-bit + // architectures. We don't care because we assume resources > 2GB +diff --git a/external/CppMicroServices/third_party/miniz.c b/external/CppMicroServices/third_party/miniz.c +index 6b0ebd7a..fa2aebca 100644 +--- a/external/CppMicroServices/third_party/miniz.c ++++ b/external/CppMicroServices/third_party/miniz.c +@@ -170,7 +170,7 @@ + // If MINIZ_NO_TIME is specified then the ZIP archive functions will not be able to get the current time, or + // get/set file times, and the C run-time funcs that get/set times won't be called. + // The current downside is the times written to your archives will be from 1979. +-//#define MINIZ_NO_TIME ++#define MINIZ_NO_TIME + + // Define MINIZ_NO_ARCHIVE_APIS to disable all ZIP archive API's. + //#define MINIZ_NO_ARCHIVE_APIS diff --git a/pkgs/os-specific/linux/sgx/sdk/default.nix b/pkgs/os-specific/linux/sgx/sdk/default.nix index 2570406a7112..67489ee3c07c 100644 --- a/pkgs/os-specific/linux/sgx/sdk/default.nix +++ b/pkgs/os-specific/linux/sgx/sdk/default.nix @@ -1,7 +1,6 @@ { lib , stdenv , fetchFromGitHub -, fetchpatch , autoconf , automake , binutils 
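Review bot: The patch file starts directly at `diff --git` with no header, so the reason for `stat.modifiedTime = 0;` and `#define MINIZ_NO_TIME` lives only in `sdk/default.nix`; patch files accept free text before the first `diff` line, and a two-line header stating that this is a nixpkgs-local reproducibility fix (zip entry mtimes end up embedded in `aesm_service`) rather than an upstream commit would make the file self-describing. The same applies to `disable-downloads.patch`. Separately, the context line `const_cast(&m_ZipArchive), index)` shows no template argument here; that is probably lost in this rendering, but if the file itself reads that way the context will not match and the patch will fail to apply, so it is worth confirming.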
@@ -27,15 +26,15 @@ stdenv.mkDerivation rec { pname = "sgx-sdk"; # Version as given in se_version.h - version = "2.21.100.1"; + version = "2.23.100.2"; # Version as used in the Git tag - versionTag = "2.21"; + versionTag = "2.23"; src = fetchFromGitHub { owner = "intel"; repo = "linux-sgx"; rev = "sgx_${versionTag}"; - hash = "sha256-Yo2G0H0XUI2p9W7lDRLkFHw2t8X1220brGohQJ0r2WY="; + hash = "sha256-i+fE6xKiuljG8LY8TIHgrW15DVpdp46bZdNo/BjgT/I="; fetchSubmodules = true; }; 
@@ -46,39 +45,28 @@ stdenv.mkDerivation rec { ''; patches = [ - # Fix missing pthread_compat.h, see https://github.com/intel/linux-sgx/pull/784 - (fetchpatch { - url = "https://github.com/intel/linux-sgx/commit/254b58f922a6bd49c308a4f47f05f525305bd760.patch"; - sha256 = "sha256-sHU++K7NJ+PdITx3y0PwstA9MVh10rj2vrLn01N9F4w="; - }) + # There's a `make preparation` step that downloads some prebuilt binaries + # and applies some patches to the in-repo git submodules. This patch removes + # the parts that download things, since we can't do that inside the sandbox. + ./disable-downloads.patch + + # This patch disable mtime in bundled zip file for reproducible builds. + # + # Context: The `aesm_service` binary depends on a vendored library called + # `CppMicroServices`. At build time, this lib creates and then bundles + # service resources into a zip file and then embeds this zip into the + # binary. Without changes, the `aesm_service` will be different after every + # build because the embedded zip file contents have different modified times. + ./cppmicroservices-no-mtime.patch ]; - # There's a `make preparation` step that downloads some prebuilt binaries and - # applies some patches to the in-repo git submodules. We can't just run it, - # since it downloads things, so this step just extracts the patching steps. postPatch = '' patchShebangs linux/installer/bin/build-installpkg.sh \ linux/installer/common/sdk/createTarball.sh \ linux/installer/common/sdk/install.sh \ external/sgx-emm/create_symlink.sh - echo "Running 'make preparation' but without download steps" - - # Seems to download something. Build currently uses ipp-crypto and not - # sgxssl so probably not an issue. 
- # $ ./external/dcap_source/QuoteVerification/prepare_sgxssl.sh nobuild - - pushd external/openmp/openmp_code - git apply ../0001-Enable-OpenMP-in-SGX.patch >/dev/null 2>&1 \ - || git apply ../0001-Enable-OpenMP-in-SGX.patch --check -R - popd - - pushd external/protobuf/protobuf_code - git apply ../sgx_protobuf.patch >/dev/null 2>&1 \ - || git apply ../sgx_protobuf.patch --check -R - popd - - ./external/sgx-emm/create_symlink.sh + make preparation ''; # We need `cmake` as a build input but don't use it to kick off the build phase @@ -300,7 +288,7 @@ stdenv.mkDerivation rec { meta = with lib; { description = "Intel SGX SDK for Linux built with IPP Crypto Library"; homepage = "https://github.com/intel/linux-sgx"; - maintainers = with maintainers; [ sbellem arturcygan veehaitch ]; + maintainers = with maintainers; [ phlip9 sbellem arturcygan veehaitch ]; platforms = [ "x86_64-linux" ]; license = with licenses; [ bsd3 ]; }; diff --git a/pkgs/os-specific/linux/sgx/sdk/disable-downloads.patch b/pkgs/os-specific/linux/sgx/sdk/disable-downloads.patch new file mode 100644 index 000000000000..bdf9b9f9136e --- /dev/null +++ b/pkgs/os-specific/linux/sgx/sdk/disable-downloads.patch 
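Review bot: `make preparation` in postPatch now runs the upstream recipe, which (per `disable-downloads.patch`) still calls `git apply` on the openmp, protobuf and cbor trees, so `git` has to be present in `nativeBuildInputs`; that attribute is outside this hunk and I cannot see whether it is there. The upstream fallback `git apply … >/dev/null 2>&1 || git apply … --check -R` only tolerates an already-applied patch, so a genuinely failing apply still aborts the build, which is what you want. Also `# This patch disable mtime in bundled zip file` should read `# This patch disables mtime in the bundled zip file`, and the comment above `./disable-downloads.patch` could mention that the submodule step is redundant because the source is fetched with `fetchSubmodules = true`.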
@@ -0,0 +1,26 @@ +diff --git a/Makefile b/Makefile +index 32433051..2e480efb 100644 +--- a/Makefile ++++ b/Makefile +@@ -50,8 +50,8 @@ tips: + preparation: + # As SDK build needs to clone and patch openmp, we cannot support the mode that download the source from github as zip. + # Only enable the download from git +- git submodule update --init --recursive +- ./external/dcap_source/QuoteVerification/prepare_sgxssl.sh nobuild ++ # git submodule update --init --recursive ++ # ./external/dcap_source/QuoteVerification/prepare_sgxssl.sh nobuild + cd external/openmp/openmp_code && git apply ../0001-Enable-OpenMP-in-SGX.patch >/dev/null 2>&1 || git apply ../0001-Enable-OpenMP-in-SGX.patch --check -R + cd external/protobuf/protobuf_code && git apply ../sgx_protobuf.patch >/dev/null 2>&1 || git apply ../sgx_protobuf.patch --check -R + ./external/sgx-emm/create_symlink.sh +@@ -59,8 +59,8 @@ preparation: + cd external/cbor && cp -r libcbor sgx_libcbor + cd external/cbor/libcbor && git apply ../raw_cbor.patch >/dev/null 2>&1 || git apply ../raw_cbor.patch --check -R + cd external/cbor/sgx_libcbor && git apply ../sgx_cbor.patch >/dev/null 2>&1 || git apply ../sgx_cbor.patch --check -R +- ./download_prebuilt.sh +- ./external/dcap_source/QuoteGeneration/download_prebuilt.sh ++ # ./download_prebuilt.sh ++ # ./external/dcap_source/QuoteGeneration/download_prebuilt.sh + + psw: + $(MAKE) -C psw/ USE_OPT_LIBS=$(USE_OPT_LIBS) diff --git a/pkgs/os-specific/linux/sgx/sdk/ipp-crypto.nix b/pkgs/os-specific/linux/sgx/sdk/ipp-crypto.nix index 5a4c941a22b9..c72a0c528516 100644 --- a/pkgs/os-specific/linux/sgx/sdk/ipp-crypto.nix +++ b/pkgs/os-specific/linux/sgx/sdk/ipp-crypto.nix 
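Review bot: The four disabled recipe lines are kept as comments such as `# git submodule update --init --recursive` rather than removed; inside a make recipe a tab-indented `#` line is still handed to the shell (and echoed unless prefixed with `@`), so the build log shows commands that never run. Deleting the four lines outright keeps the patch smaller and the log honest. If the commented form is kept deliberately as a reminder of what upstream does, say so in the patch, and note there that the submodule step is unnecessary because the source is fetched with `fetchSubmodules = true`.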
@@ -8,13 +8,13 @@ }: gcc11Stdenv.mkDerivation rec { pname = "ipp-crypto"; - version = "2021.9.0"; + version = "2021.10.0"; src = fetchFromGitHub { owner = "intel"; repo = "ipp-crypto"; rev = "ippcp_${version}"; - hash = "sha256-+ITnxyrkDQp4xRa+PVzXdYsSkI5sMNwQGfGU+lFJ6co="; + hash = "sha256-DfXsJ+4XqyjCD+79LUD53Cx8D46o1a4fAZa2UxGI1Xg="; }; cmakeFlags = [ "-DARCH=intel64" ] ++ extraCmakeFlags; diff --git a/pkgs/os-specific/linux/sgx/ssl/default.nix b/pkgs/os-specific/linux/sgx/ssl/default.nix index 9d1905e09d1f..94d7e20b21c4 100644 --- a/pkgs/os-specific/linux/sgx/ssl/default.nix +++ b/pkgs/os-specific/linux/sgx/ssl/default.nix @@ -1,8 +1,8 @@ { stdenv +, callPackage , fetchFromGitHub , fetchurl , lib -, openssl , perl , sgx-sdk , which @@ -10,7 +10,7 @@ }: let sgxVersion = sgx-sdk.versionTag; - opensslVersion = "1.1.1u"; + opensslVersion = "3.0.12"; in stdenv.mkDerivation { pname = "sgx-ssl" + lib.optionalString debug "-debug"; @@ -19,15 +19,15 @@ stdenv.mkDerivation { src = fetchFromGitHub { owner = "intel"; repo = "intel-sgx-ssl"; - rev = "lin_${sgxVersion}_${opensslVersion}"; - hash = "sha256-zbXEQz72VUPqnGrboX6oXliaLpbcos7tV6K9lX+zleg="; + rev = "3.0_Rev2"; + hash = "sha256-dmLyaG6v+skjSa0KxLAfIfSBOxp9grrI7ds6WdGPe0I="; }; postUnpack = let opensslSourceArchive = fetchurl { url = "https://www.openssl.org/source/openssl-${opensslVersion}.tar.gz"; - hash = "sha256-4vjYS1I+7NBse+diaDA3AwD7zBU4a/UULXJ1j2lj68Y="; + hash = "sha256-+Tyejt3l6RZhGd4xdV/Ie0qjSGNmL2fd/LoU0La2m2E="; }; in '' @@ -37,7 +37,7 @@ stdenv.mkDerivation { postPatch = '' patchShebangs Linux/build_openssl.sh - # Run the test in the `installCheckPhase`, not the `buildPhase` + # Skip the tests. Build and run separately (see below). substituteInPlace Linux/sgx/Makefile \ --replace '$(MAKE) -C $(TEST_DIR) all' \ 'bash -c "true"' @@ -46,7 +46,6 @@ stdenv.mkDerivation { nativeBuildInputs = [ perl sgx-sdk - stdenv.cc.libc which ]; 
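Review bot: `rev = "3.0_Rev2"` no longer ties the intel-sgx-ssl checkout to `sgxVersion` or `opensslVersion`, so a future bump of `opensslVersion` (now `"3.0.12"`) without a matching tag change would only surface as a build failure deep inside `build_openssl.sh`; a comment at the `let` binding would make the pairing explicit: `# 3.0_Rev2 is built against openssl ${opensslVersion}; bump both together.` If `sgxVersion` has no remaining use after this change — the rest of the file is outside the hunk — it should be dropped from the `let` as well.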
@@ -60,21 +59,22 @@ stdenv.mkDerivation { "DESTDIR=$(out)" ]; - # Build the test app - doInstallCheck = true; - installCheckTarget = "test"; - installCheckFlags = [ - "SGX_MODE=SIM" - "-j 1" # Makefile doesn't support multiple jobs - ]; - nativeInstallCheckInputs = [ - openssl - ]; + # These tests build on any x86_64-linux but BOTH SIM and HW will only _run_ on + # real Intel hardware. Split these out so OfBorg doesn't choke on this pkg. + # + # ``` + # nix run .#sgx-ssl.tests.HW + # nix run .#sgx-ssl.tests.SIM + # ``` + passthru.tests = { + HW = callPackage ./tests.nix { sgxMode = "HW"; inherit opensslVersion; }; + SIM = callPackage ./tests.nix { sgxMode = "SIM"; inherit opensslVersion; }; + }; meta = with lib; { description = "Cryptographic library for Intel SGX enclave applications based on OpenSSL"; homepage = "https://github.com/intel/intel-sgx-ssl"; - maintainers = with maintainers; [ trundle veehaitch ]; + maintainers = with maintainers; [ phlip9 trundle veehaitch ]; platforms = [ "x86_64-linux" ]; license = [ licenses.bsd3 licenses.openssl ]; }; diff --git a/pkgs/os-specific/linux/sgx/ssl/tests.nix b/pkgs/os-specific/linux/sgx/ssl/tests.nix new file mode 100644 index 000000000000..d9357ba04310 --- /dev/null +++ b/pkgs/os-specific/linux/sgx/ssl/tests.nix 
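Review bot: `callPackage ./tests.nix { … }` lets `tests.nix` take `sgx-ssl` from the package set, so for a build with `debug = true` (the `-debug` suffix on `pname` in the earlier hunk) `passthru.tests` would exercise the plain `sgx-ssl` rather than the derivation being built; if that matters, pass the current derivation explicitly, e.g. `sgx-ssl = finalAttrs.finalPackage;` after switching to the `stdenv.mkDerivation (finalAttrs: …)` form. This is inferred from `sgx-ssl` being among the inputs of `tests.nix`; the `debug` parameter's declaration is outside this hunk.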
@@ -0,0 +1,95 @@ +# This package _builds_ (but doesn't run!) the sgx-ssl test enclave + harness. +# The whole package effectively does: +# +# ``` +# SGX_MODE=${sgxMode} make -C Linux/sgx/test_app +# cp Linux/sgx/{TestApp,TestEnclave.signed.so} $out/bin +# ``` +# +# OfBorg fails to run these tests since they require real Intel HW. That +# includes the simulation mode! The tests appears to do something fancy with +# cpuid and exception trap handlers that make them very non-portable. +# +# These tests are split out from the parent pkg since recompiling the parent +# takes like 30 min : ) + +{ lib +, openssl +, sgx-psw +, sgx-sdk +, sgx-ssl +, stdenv +, which +, opensslVersion ? throw "required parameter" +, sgxMode ? throw "required parameter" # "SIM" or "HW" +}: +stdenv.mkDerivation { + inherit (sgx-ssl) postPatch src version; + pname = sgx-ssl.pname + "-tests-${sgxMode}"; + + postUnpack = sgx-ssl.postUnpack + '' + sourceRootAbs=$(readlink -e $sourceRoot) + packageDir=$sourceRootAbs/Linux/package + + # Do the inverse of 'make install' and symlink built artifacts back into + # '$src/Linux/package/' to avoid work. + mkdir $packageDir/lib $packageDir/lib64 + ln -s ${lib.getLib sgx-ssl}/lib/* $packageDir/lib/ + ln -s ${lib.getLib sgx-ssl}/lib64/* $packageDir/lib64/ + ln -sf ${lib.getDev sgx-ssl}/include/* $packageDir/include/ + + # test_app needs some internal openssl headers. 
+ # See: tail end of 'Linux/build_openssl.sh' + tar -C $sourceRootAbs/openssl_source -xf $sourceRootAbs/openssl_source/openssl-${opensslVersion}.tar.gz + echo '#define OPENSSL_VERSION_STR "${opensslVersion}"' > $sourceRootAbs/Linux/sgx/osslverstr.h + ln -s $sourceRootAbs/openssl_source/openssl-${opensslVersion}/include/crypto $sourceRootAbs/Linux/sgx/test_app/enclave/ + ln -s $sourceRootAbs/openssl_source/openssl-${opensslVersion}/include/internal $sourceRootAbs/Linux/sgx/test_app/enclave/ + ''; + + nativeBuildInputs = [ + openssl.bin + sgx-sdk + which + ]; + + preBuild = '' + # Need to regerate the edl header + make -C Linux/sgx/libsgx_tsgxssl sgx_tsgxssl_t.c + ''; + + makeFlags = [ + "-C Linux/sgx/test_app" + "SGX_MODE=${sgxMode}" + ]; + + installPhase = '' + runHook preInstall + + # Enclaves can't be stripped after signing. + install -Dm 755 Linux/sgx/test_app/TestEnclave.signed.so -t $TMPDIR/enclaves + + install -Dm 755 Linux/sgx/test_app/TestApp -t $out/bin + + runHook postInstall + ''; + + postFixup = '' + # Move the enclaves where they actually belong. + mv $TMPDIR/enclaves/*.signed.so* $out/bin/ + + # HW SGX must runs against sgx-psw, not sgx-sdk. + if [[ "${sgxMode}" == "HW" ]]; then + patchelf \ + --set-rpath "$( \ + patchelf --print-rpath $out/bin/TestApp \ + | sed 's|${lib.getLib sgx-sdk}|${lib.getLib sgx-psw}|' \ + )" \ + $out/bin/TestApp + fi + ''; + + meta = { + platforms = [ "x86_64-linux" ]; + mainProgram = "TestApp"; + }; +}
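Review bot: The HW branch of `postFixup` rewrites TestApp's rpath by `sed`-substituting the sgx-sdk lib path with sgx-psw's, but nothing checks that the substitution happened; if the sdk path is absent from the rpath (the fixup hooks' rpath shrinking runs before `postFixup`, as far as I recall), TestApp silently stays bound to the SDK's libraries and the HW test is not testing what its name says. A post-condition after the `patchelf` call would catch that: `patchelf --print-rpath $out/bin/TestApp | grep -q '${lib.getLib sgx-psw}' || { echo "rpath not rewired to sgx-psw" >&2; exit 1; }`. Smaller points: `# Need to regerate the edl header` should read `regenerate`, and `meta` sets only `platforms` and `mainProgram` while the parent package also carries `description`, `license` and `maintainers`.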