2021-06-13 04:54:55 +00:00
|
|
|
{ lib
|
|
|
|
, stdenv
|
|
|
|
, fetchFromGitHub
|
|
|
|
, callPackage
|
|
|
|
, autoconf
|
|
|
|
, automake
|
|
|
|
, binutils
|
|
|
|
, cmake
|
|
|
|
, file
|
2021-11-15 02:00:27 +00:00
|
|
|
, gdb
|
2021-06-13 04:54:55 +00:00
|
|
|
, git
|
|
|
|
, libtool
|
|
|
|
, nasm
|
|
|
|
, ncurses
|
|
|
|
, ocaml
|
|
|
|
, ocamlPackages
|
|
|
|
, openssl
|
|
|
|
, perl
|
|
|
|
, python3
|
|
|
|
, texinfo
|
2021-11-15 00:57:40 +00:00
|
|
|
, validatePkgConfig
|
2021-06-13 04:54:55 +00:00
|
|
|
, which
|
|
|
|
, writeShellScript
|
|
|
|
}:
|
|
|
|
|
|
|
|
stdenv.mkDerivation rec {
|
|
|
|
pname = "sgx-sdk";
|
|
|
|
version = "2.14";
|
|
|
|
|
|
|
|
src = fetchFromGitHub {
|
|
|
|
owner = "intel";
|
|
|
|
repo = "linux-sgx";
|
2021-11-14 23:39:09 +00:00
|
|
|
rev = "sgx_${version}";
|
2021-06-13 04:54:55 +00:00
|
|
|
sha256 = "1cr2mkk459s270ng0yddgcryi0zc3dfmg9rmdrdh9mhy2mc1kx0g";
|
|
|
|
fetchSubmodules = true;
|
|
|
|
};
|
|
|
|
|
|
|
|
postPatch = ''
|
2021-11-14 23:32:36 +00:00
|
|
|
# https://github.com/intel/linux-sgx/pull/730
|
|
|
|
substituteInPlace buildenv.mk --replace '/bin/cp' 'cp'
|
|
|
|
|
|
|
|
# https://github.com/intel/linux-sgx/pull/752
|
|
|
|
ln -s "$src/external/epid-sdk/ext/ipp/include/sgx_ippcp.h" \
|
|
|
|
'external/ippcp_internal/inc/sgx_ippcp.h'
|
|
|
|
|
2021-11-15 00:36:16 +00:00
|
|
|
patchShebangs linux/installer/bin/build-installpkg.sh \
|
|
|
|
linux/installer/common/sdk/createTarball.sh \
|
|
|
|
linux/installer/common/sdk/install.sh
|
2021-06-13 04:54:55 +00:00
|
|
|
'';
|
|
|
|
|
2021-11-15 00:13:24 +00:00
|
|
|
# We need `cmake` as a build input but don't use it to kick off the build phase
|
|
|
|
dontUseCmakeConfigure = true;
|
2021-06-13 04:54:55 +00:00
|
|
|
|
|
|
|
# SDK built with stackprotector produces broken enclaves which crash at runtime.
|
|
|
|
# Disable all to be safe, SDK build configures compiler mitigations manually.
|
|
|
|
hardeningDisable = [ "all" ];
|
|
|
|
|
|
|
|
nativeBuildInputs = [
|
2021-11-15 00:13:24 +00:00
|
|
|
autoconf
|
|
|
|
automake
|
2021-06-13 04:54:55 +00:00
|
|
|
cmake
|
2021-11-15 00:13:24 +00:00
|
|
|
file
|
2021-06-13 04:54:55 +00:00
|
|
|
git
|
2021-11-15 00:13:24 +00:00
|
|
|
ncurses
|
2021-06-13 04:54:55 +00:00
|
|
|
ocaml
|
|
|
|
ocamlPackages.ocamlbuild
|
|
|
|
perl
|
|
|
|
python3
|
|
|
|
texinfo
|
2021-11-15 00:57:40 +00:00
|
|
|
validatePkgConfig
|
2021-06-13 04:54:55 +00:00
|
|
|
];
|
|
|
|
|
|
|
|
buildInputs = [
|
|
|
|
libtool
|
|
|
|
openssl
|
|
|
|
];
|
|
|
|
|
|
|
|
BINUTILS_DIR = "${binutils}/bin";
|
|
|
|
|
|
|
|
# Build external/ippcp_internal first. The Makefile is rewritten to make the
|
|
|
|
# build faster by splitting different versions of ipp-crypto builds and to
|
|
|
|
# avoid patching the Makefile for reproducibility issues.
|
2021-11-15 00:13:24 +00:00
|
|
|
preBuild =
|
2021-11-14 23:10:36 +00:00
|
|
|
let
|
2021-11-15 00:13:24 +00:00
|
|
|
ipp-crypto-no_mitigation = callPackage ./ipp-crypto.nix { };
|
2021-06-13 04:54:55 +00:00
|
|
|
|
2021-11-14 23:10:36 +00:00
|
|
|
sgx-asm-pp = "python ${src}/build-scripts/sgx-asm-pp.py --assembler=nasm";
|
2021-06-13 04:54:55 +00:00
|
|
|
|
2021-11-14 23:10:36 +00:00
|
|
|
nasm-load = writeShellScript "nasm-load" "${sgx-asm-pp} --MITIGATION-CVE-2020-0551=LOAD $@";
|
2021-11-15 00:13:24 +00:00
|
|
|
ipp-crypto-cve_2020_0551_load = callPackage ./ipp-crypto.nix {
|
2021-11-14 23:10:36 +00:00
|
|
|
extraCmakeFlags = [ "-DCMAKE_ASM_NASM_COMPILER=${nasm-load}" ];
|
|
|
|
};
|
2021-06-13 04:54:55 +00:00
|
|
|
|
2021-11-14 23:10:36 +00:00
|
|
|
nasm-cf = writeShellScript "nasm-cf" "${sgx-asm-pp} --MITIGATION-CVE-2020-0551=CF $@";
|
2021-11-15 00:13:24 +00:00
|
|
|
ipp-crypto-cve_2020_0551_cf = callPackage ./ipp-crypto.nix {
|
2021-11-14 23:10:36 +00:00
|
|
|
extraCmakeFlags = [ "-DCMAKE_ASM_NASM_COMPILER=${nasm-cf}" ];
|
|
|
|
};
|
|
|
|
in
|
|
|
|
''
|
2021-11-15 09:33:00 +00:00
|
|
|
header "Setting up IPP crypto build artifacts"
|
|
|
|
|
2021-11-15 00:13:24 +00:00
|
|
|
pushd 'external/ippcp_internal'
|
2021-06-13 04:54:55 +00:00
|
|
|
|
2021-11-15 00:36:16 +00:00
|
|
|
install ${ipp-crypto-no_mitigation}/include/* inc/
|
2021-06-13 04:54:55 +00:00
|
|
|
|
2021-11-15 00:36:16 +00:00
|
|
|
install -D -m a+rw ${ipp-crypto-no_mitigation}/lib/intel64/libippcp.a \
|
|
|
|
lib/linux/intel64/no_mitigation/libippcp.a
|
|
|
|
install -D -m a+rw ${ipp-crypto-cve_2020_0551_load}/lib/intel64/libippcp.a \
|
|
|
|
lib/linux/intel64/cve_2020_0551_load/libippcp.a
|
|
|
|
install -D -m a+rw ${ipp-crypto-cve_2020_0551_cf}/lib/intel64/libippcp.a \
|
|
|
|
lib/linux/intel64/cve_2020_0551_cf/libippcp.a
|
2021-06-13 04:54:55 +00:00
|
|
|
|
2021-11-15 00:36:16 +00:00
|
|
|
rm inc/ippcp.h
|
|
|
|
patch ${ipp-crypto-no_mitigation}/include/ippcp.h -i inc/ippcp20u3.patch -o inc/ippcp.h
|
2021-06-13 04:54:55 +00:00
|
|
|
|
2021-11-15 00:36:16 +00:00
|
|
|
install -D ${ipp-crypto-no_mitigation.src}/LICENSE license/LICENSE
|
2021-06-13 04:54:55 +00:00
|
|
|
|
2021-11-15 00:13:24 +00:00
|
|
|
popd
|
2021-11-15 00:36:16 +00:00
|
|
|
'';
|
2021-06-13 04:54:55 +00:00
|
|
|
|
2021-11-15 00:13:24 +00:00
|
|
|
buildFlags = [
|
|
|
|
"sdk_install_pkg"
|
|
|
|
];
|
2021-06-13 04:54:55 +00:00
|
|
|
|
|
|
|
postBuild = ''
|
2021-11-15 00:36:16 +00:00
|
|
|
patchShebangs linux/installer/bin/sgx_linux_x64_sdk_*.bin
|
2021-06-13 04:54:55 +00:00
|
|
|
'';
|
|
|
|
|
|
|
|
installPhase = ''
|
2021-11-15 00:13:24 +00:00
|
|
|
runHook preInstall
|
2021-06-13 04:54:55 +00:00
|
|
|
|
2021-11-15 00:13:24 +00:00
|
|
|
./linux/installer/bin/sgx_linux_x64_sdk_*.bin -prefix "$out"
|
|
|
|
|
|
|
|
runHook postInstall
|
|
|
|
'';
|
2021-06-13 04:54:55 +00:00
|
|
|
|
2021-11-15 00:57:40 +00:00
|
|
|
preFixup = ''
|
2021-11-15 02:00:27 +00:00
|
|
|
sgxsdk="$out/sgxsdk"
|
|
|
|
|
2021-11-15 09:33:00 +00:00
|
|
|
header "Fixing pkg-config files"
|
2021-11-15 02:00:27 +00:00
|
|
|
sed -i "s|prefix=.*|prefix=$sgxsdk|g" $out/sgxsdk/pkgconfig/*.pc
|
|
|
|
|
2021-11-15 09:33:00 +00:00
|
|
|
header "Patching GDB path in bin/sgx-gdb"
|
2021-11-15 02:00:27 +00:00
|
|
|
substituteInPlace "$sgxsdk/bin/sgx-gdb" --replace '/usr/local/bin/gdb' '${gdb}/bin/gdb'
|
2021-11-15 00:57:40 +00:00
|
|
|
'';
|
|
|
|
|
2021-06-13 04:54:55 +00:00
|
|
|
doInstallCheck = true;
|
|
|
|
installCheckInputs = [ which ];
|
|
|
|
installCheckPhase = ''
|
2021-11-15 00:13:24 +00:00
|
|
|
runHook preInstallCheck
|
|
|
|
|
2021-06-13 04:54:55 +00:00
|
|
|
source $out/sgxsdk/environment
|
|
|
|
cd SampleCode/SampleEnclave
|
|
|
|
make SGX_MODE=SGX_SIM
|
|
|
|
./app
|
2021-11-15 00:13:24 +00:00
|
|
|
|
|
|
|
runHook postInstallCheck
|
2021-06-13 04:54:55 +00:00
|
|
|
'';
|
|
|
|
|
|
|
|
meta = with lib; {
|
|
|
|
description = "Intel SGX SDK for Linux built with IPP Crypto Library";
|
|
|
|
homepage = "https://github.com/intel/linux-sgx";
|
|
|
|
maintainers = with maintainers; [ sbellem arturcygan ];
|
|
|
|
platforms = [ "x86_64-linux" ];
|
|
|
|
license = with licenses; [ bsd3 ];
|
|
|
|
};
|
|
|
|
}
|