diff --git a/pkgs/os-specific/linux/sgx-sdk/default.nix b/pkgs/os-specific/linux/sgx-sdk/default.nix
index 130fd12cbb91..646812da7082 100644
--- a/pkgs/os-specific/linux/sgx-sdk/default.nix
+++ b/pkgs/os-specific/linux/sgx-sdk/default.nix
@@ -84,51 +84,53 @@ stdenv.mkDerivation rec { # Build external/ippcp_internal first. The Makefile is rewritten to make the # build faster by splitting different versions of ipp-crypto builds and to # avoid patching the Makefile for reproducibility issues. - buildPhase = let - ipp-crypto-no_mitigation = callPackage (import ./ipp-crypto.nix) {}; + buildPhase = + let + ipp-crypto-no_mitigation = callPackage (import ./ipp-crypto.nix) { }; - sgx-asm-pp = "python ${src}/build-scripts/sgx-asm-pp.py --assembler=nasm"; + sgx-asm-pp = "python ${src}/build-scripts/sgx-asm-pp.py --assembler=nasm"; - nasm-load = writeShellScript "nasm-load" "${sgx-asm-pp} --MITIGATION-CVE-2020-0551=LOAD $@"; - ipp-crypto-cve_2020_0551_load = callPackage (import ./ipp-crypto.nix) { - extraCmakeFlags = [ "-DCMAKE_ASM_NASM_COMPILER=${nasm-load}" ]; - }; + nasm-load = writeShellScript "nasm-load" "${sgx-asm-pp} --MITIGATION-CVE-2020-0551=LOAD $@"; + ipp-crypto-cve_2020_0551_load = callPackage (import ./ipp-crypto.nix) { + extraCmakeFlags = [ "-DCMAKE_ASM_NASM_COMPILER=${nasm-load}" ]; + }; - nasm-cf = writeShellScript "nasm-cf" "${sgx-asm-pp} --MITIGATION-CVE-2020-0551=CF $@"; - ipp-crypto-cve_2020_0551_cf = callPackage (import ./ipp-crypto.nix) { - extraCmakeFlags = [ "-DCMAKE_ASM_NASM_COMPILER=${nasm-cf}" ]; - }; - in '' - cd external/ippcp_internal + nasm-cf = writeShellScript "nasm-cf" "${sgx-asm-pp} --MITIGATION-CVE-2020-0551=CF $@"; + ipp-crypto-cve_2020_0551_cf = callPackage (import ./ipp-crypto.nix) { + extraCmakeFlags = [ "-DCMAKE_ASM_NASM_COMPILER=${nasm-cf}" ]; + }; + in + '' + cd external/ippcp_internal - mkdir -p lib/linux/intel64/no_mitigation - cp ${ipp-crypto-no_mitigation}/lib/intel64/libippcp.a lib/linux/intel64/no_mitigation - chmod a+w lib/linux/intel64/no_mitigation/libippcp.a - cp ${ipp-crypto-no_mitigation}/include/* ./inc + mkdir -p lib/linux/intel64/no_mitigation + cp ${ipp-crypto-no_mitigation}/lib/intel64/libippcp.a lib/linux/intel64/no_mitigation + chmod a+w 
lib/linux/intel64/no_mitigation/libippcp.a + cp ${ipp-crypto-no_mitigation}/include/* ./inc - mkdir -p lib/linux/intel64/cve_2020_0551_load - cp ${ipp-crypto-cve_2020_0551_load}/lib/intel64/libippcp.a lib/linux/intel64/cve_2020_0551_load - chmod a+w lib/linux/intel64/cve_2020_0551_load/libippcp.a + mkdir -p lib/linux/intel64/cve_2020_0551_load + cp ${ipp-crypto-cve_2020_0551_load}/lib/intel64/libippcp.a lib/linux/intel64/cve_2020_0551_load + chmod a+w lib/linux/intel64/cve_2020_0551_load/libippcp.a - mkdir -p lib/linux/intel64/cve_2020_0551_cf - cp ${ipp-crypto-cve_2020_0551_cf}/lib/intel64/libippcp.a lib/linux/intel64/cve_2020_0551_cf - chmod a+w lib/linux/intel64/cve_2020_0551_cf/libippcp.a + mkdir -p lib/linux/intel64/cve_2020_0551_cf + cp ${ipp-crypto-cve_2020_0551_cf}/lib/intel64/libippcp.a lib/linux/intel64/cve_2020_0551_cf + chmod a+w lib/linux/intel64/cve_2020_0551_cf/libippcp.a - rm -f ./inc/ippcp.h - patch ${ipp-crypto-no_mitigation}/include/ippcp.h -i ./inc/ippcp20u3.patch -o ./inc/ippcp.h + rm -f ./inc/ippcp.h + patch ${ipp-crypto-no_mitigation}/include/ippcp.h -i ./inc/ippcp20u3.patch -o ./inc/ippcp.h - mkdir -p license - cp ${ipp-crypto-no_mitigation.src}/LICENSE ./license + mkdir -p license + cp ${ipp-crypto-no_mitigation.src}/LICENSE ./license - # Build the SDK installation package. - cd ../.. + # Build the SDK installation package. + cd ../.. - # Nix patches make so that $(SHELL) defaults to "sh" instead of "/bin/sh". - # The build uses $(SHELL) as an argument to file -L which requires a path. - make SHELL=$SHELL sdk_install_pkg + # Nix patches make so that $(SHELL) defaults to "sh" instead of "/bin/sh". + # The build uses $(SHELL) as an argument to file -L which requires a path. + make SHELL=$SHELL sdk_install_pkg - runHook postBuild - ''; + runHook postBuild + ''; postBuild = '' patchShebangs ./linux/installer/bin/sgx_linux_x64_sdk_*.bin 
diff --git a/pkgs/os-specific/linux/sgx-sdk/ipp-crypto.nix b/pkgs/os-specific/linux/sgx-sdk/ipp-crypto.nix
index 52cef4f82815..ac5fd2ad1ccc 100644
--- a/pkgs/os-specific/linux/sgx-sdk/ipp-crypto.nix
+++ b/pkgs/os-specific/linux/sgx-sdk/ipp-crypto.nix
@@ -4,7 +4,7 @@
 , cmake
 , python3
 , nasm
-, extraCmakeFlags ? []
+, extraCmakeFlags ? [ ]
 }:
 
 stdenv.mkDerivation rec {