From 4f7f8d0b2dce31038d1fde0d5d8321e68f16e0c6 Mon Sep 17 00:00:00 2001
From: Vincent Haupert
Date: Mon, 13 Dec 2021 15:23:42 +0100
Subject: [PATCH] sgx-sdk, sgx-psw: 2.14 -> 2.15.1

Also add some of the new samples as tests. Disable parallel builds for the samples as they don't seem to support it (fail randomly).

---
 pkgs/os-specific/linux/sgx/psw/default.nix | 6 +--
 pkgs/os-specific/linux/sgx/sdk/default.nix | 53 ++++++++-----------
 pkgs/os-specific/linux/sgx/sdk/ipp-crypto.nix | 22 ++++++--
 pkgs/os-specific/linux/sgx/sdk/samples.nix | 8 ++-
 4 files changed, 50 insertions(+), 39 deletions(-)

diff --git a/pkgs/os-specific/linux/sgx/psw/default.nix b/pkgs/os-specific/linux/sgx/psw/default.nix
index e449c99b0776..b418d5c18225 100644
--- a/pkgs/os-specific/linux/sgx/psw/default.nix
+++ b/pkgs/os-specific/linux/sgx/psw/default.nix
@@ -25,14 +25,14 @@ stdenv.mkDerivation rec {
 let
 ae.prebuilt = fetchurl {
 url = "https://download.01.org/intel-sgx/sgx-linux/${versionTag}/prebuilt_ae_${versionTag}.tar.gz";
- hash = "sha256-nGKZEpT2Mx0DLgqjv9qbZqBt1pQaSHcnA0K6nHma3sk";
+ hash = "sha256-JriA9UGYFkAPuCtRizk8RMM1YOYGR/eO9ILnx47A40s=";
 };
 dcap = rec {
- version = "1.11";
+ version = "1.12.1";
 filename = "prebuilt_dcap_${version}.tar.gz";
 prebuilt = fetchurl {
 url = "https://download.01.org/intel-sgx/sgx-dcap/${version}/linux/$(unknown)";
- hash = "sha256-ShGScS4yNLki04RNPxxLvqzGmy4U1L0gVETvfAo8w9M=";
+ hash = "sha256-V/XHva9Sq3P36xSW+Sd0G6Dnk4H0ANO1Ns/u+FI1eGI=";
 };
 };
 in
diff --git a/pkgs/os-specific/linux/sgx/sdk/default.nix b/pkgs/os-specific/linux/sgx/sdk/default.nix
index e08511272af3..18876f927e80 100644
--- a/pkgs/os-specific/linux/sgx/sdk/default.nix
+++ b/pkgs/os-specific/linux/sgx/sdk/default.nix
@@ -1,7 +1,8 @@
 { lib
 , stdenv
-, fetchzip
 , fetchFromGitHub
+, fetchpatch
+, fetchzip
 , callPackage
 , autoconf
 , automake
@@ -25,40 +26,33 @@ }:
 stdenv.mkDerivation rec {
 pname = "sgx-sdk";
- version = "2.14.100.2";
-
- versionTag = lib.concatStringsSep "." (lib.take 2 (lib.splitVersion version));
+ # Version as given in se_version.h
+ version = "2.15.101.1";
+ # Version as used in the Git tag
+ versionTag = "2.15.1";
 src = fetchFromGitHub {
 owner = "intel";
 repo = "linux-sgx";
 rev = "sgx_${versionTag}";
- hash = "sha256-D/QZWBUe1gRbbjWnV10b7IPoM3utefAsOEKnQuasIrM=";
+ hash = "sha256-e11COTR5eDPMB81aPRKatvIkAOeX+OZgnvn2utiv78M=";
 fetchSubmodules = true;
 };
- postUnpack =
- let
- optlibName = "optimized_libs_${versionTag}.tar.gz";
- optimizedLibs = fetchzip {
- url = "https://download.01.org/intel-sgx/sgx-linux/${versionTag}/${optlibName}";
- hash = "sha256-FjNhNV9+KDMvBYdWXZbua6qYOc3Z1/jtcF4j52TSxQY=";
- stripRoot = false;
- };
- sgxIPPCryptoHeader = "${optimizedLibs}/external/ippcp_internal/inc/sgx_ippcp.h";
- in
- ''
- # Make sure this is the right version of linux-sgx
- grep -q '"${version}"' "$src/common/inc/internal/se_version.h" \
- || (echo "Could not find expected version ${version} in linux-sgx source" >&2 && exit 1)
+ postUnpack = ''
+ # Make sure this is the right version of linux-sgx
+ grep -q '"${version}"' "$src/common/inc/internal/se_version.h" \
+ || (echo "Could not find expected version ${version} in linux-sgx source" >&2 && exit 1)
+ '';
- # Make sure we use the correct version to build IPP Crypto
- grep -q 'optlib_name=${optlibName}' "$src/download_prebuilt.sh" \ || (echo "Could not find expected optimized libs ${optlibName} in linux-sgx source" >&2 && exit 1)
-
- # Add missing sgx_ippcp.h: https://github.com/intel/linux-sgx/pull/752
- ln -s ${sgxIPPCryptoHeader} "$sourceRoot/external/ippcp_internal/inc/sgx_ippcp.h"
- '';
+ patches = [
+ # Commit to add missing sgx_ippcp.h not yet part of this release
+ (fetchpatch {
+ name = "add-missing-sgx_ippcp-header.patch";
+ url = "https://github.com/intel/linux-sgx/commit/51d1087b707a47e18588da7bae23e5f686d44be6.patch";
+ sha256 = "sha256-RZC14H1oEuGp0zn8CySDPy1KNqP/POqb+KMYoQt2A7M=";
+ })
+ ];
 postPatch = ''
 # https://github.com/intel/linux-sgx/pull/730
@@ -121,7 +115,7 @@ stdenv.mkDerivation rec {
 pushd 'external/ippcp_internal'
- install ${ipp-crypto-no_mitigation}/include/* inc/
+ cp -r ${ipp-crypto-no_mitigation}/include/. inc/
 install -D -m a+rw ${ipp-crypto-no_mitigation}/lib/intel64/libippcp.a \
 lib/linux/intel64/no_mitigation/libippcp.a
@@ -131,7 +125,7 @@ stdenv.mkDerivation rec {
 lib/linux/intel64/cve_2020_0551_cf/libippcp.a
 rm inc/ippcp.h
- patch ${ipp-crypto-no_mitigation}/include/ippcp.h -i inc/ippcp20u3.patch -o inc/ippcp.h
+ patch ${ipp-crypto-no_mitigation}/include/ippcp.h -i inc/ippcp21u3.patch -o inc/ippcp.h
 install -D ${ipp-crypto-no_mitigation.src}/LICENSE license/LICENSE
@@ -227,8 +221,7 @@ stdenv.mkDerivation rec {
 --replace '/opt/intel/sgxsdk' "$out"
 for file in $out/share/SampleCode/*/Makefile; do
 substituteInPlace $file \
- --replace '/opt/intel/sgxsdk' "$out" \
- --replace '$(SGX_SDK)/buildenv.mk' "$out/share/bin/buildenv.mk"
+ --replace '/opt/intel/sgxsdk' "$out"
 done
 header "Fixing BINUTILS_DIR in buildenv.mk"
diff --git a/pkgs/os-specific/linux/sgx/sdk/ipp-crypto.nix b/pkgs/os-specific/linux/sgx/sdk/ipp-crypto.nix
index ac5fd2ad1ccc..85fcfc9c554d 100644
--- a/pkgs/os-specific/linux/sgx/sdk/ipp-crypto.nix
+++ b/pkgs/os-specific/linux/sgx/sdk/ipp-crypto.nix
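Review bot: The `sha256 = "sha256-…"` attribute on the new `fetchpatch` call is the only SRI hash in this hunk still spelled `sha256`; the `src` hash a few lines above and the psw/default.nix hunk use `hash =`, so `hash = "sha256-RZC14H1oEuGp0zn8CySDPy1KNqP/POqb+KMYoQt2A7M=";` keeps the file consistent. The removed `optlib_name=${optlibName}` grep was also the only check tying this SDK release to the IPP Crypto version nixpkgs builds for it; that coupling now lives implicitly in the `inc/ippcp21u3.patch` name in the `@@ -131` hunk and in `version = "2021.3"` in ipp-crypto.nix, and nothing fails loudly if one is bumped without the other, so a comment next to `patches` such as `# external/ippcp_internal/inc/ippcp21u3.patch is written against ipp-crypto 2021.3; bump ipp-crypto.nix in lockstep` would help the next updater. `fetchzip` is re-added to the argument list in the first hunk although its only use visible here, the `optimizedLibs` fetch, is deleted; if nothing else in the file uses it, the argument can go. The enclosing `stdenv.mkDerivation` attribute set continues outside the hunk.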
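Review bot: `cp -r ${ipp-crypto-no_mitigation}/include/. inc/` carries the store path's read-only mode bits into `inc/`, because `cp` without `--no-preserve=mode` gives new files the source mode (masked by the umask), whereas the `install` it replaces created them with default writable permissions. The `rm inc/ippcp.h` and `patch … -o inc/ippcp.h` in the following hunk only need the directory to be writable, so this likely works today, but any later step that edits a copied header in place would fail with a permission error; `cp -r --no-preserve=mode ${ipp-crypto-no_mitigation}/include/. inc/` keeps the previous behaviour. The shell phase this line belongs to starts and ends outside the hunk.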
@@ -2,23 +2,35 @@
 , stdenv
 , fetchFromGitHub
 , cmake
-, python3
 , nasm
+, openssl
+, python3
 , extraCmakeFlags ? [ ]
 }:
 stdenv.mkDerivation rec {
 pname = "ipp-crypto";
- version = "2020_update3";
+ version = "2021.3";
 src = fetchFromGitHub {
 owner = "intel";
 repo = "ipp-crypto";
- rev = "ipp-crypto_${version}";
- sha256 = "02vlda6mlhbd12ljzdf65klpx4kmx1ylch9w3yllsiya4hwqzy4b";
+ rev = "ippcp_${version}";
+ hash = "sha256-QEJXvQ//zhQqibFxXwPMdS1MHewgyb24LRmkycVSGrM=";
 };
+ # Fix typo: https://github.com/intel/ipp-crypto/pull/33
+ postPatch = ''
+ substituteInPlace sources/cmake/ippcp-gen-config.cmake \
+ --replace 'ippcpo-config.cmake' 'ippcp-config.cmake'
+ '';
 cmakeFlags = [ "-DARCH=intel64" ] ++ extraCmakeFlags;
- nativeBuildInputs = [ cmake python3 nasm ];
+ nativeBuildInputs = [
+ cmake
+ nasm
+ openssl
+ python3
+ ];
 }
diff --git a/pkgs/os-specific/linux/sgx/sdk/samples.nix b/pkgs/os-specific/linux/sgx/sdk/samples.nix
index 82dbc24568ef..21b31f824476 100644
--- a/pkgs/os-specific/linux/sgx/sdk/samples.nix
+++ b/pkgs/os-specific/linux/sgx/sdk/samples.nix
@@ -12,7 +12,11 @@ let
 buildInputs = [ sgx-sdk ];
- enableParallelBuilding = true;
+
+ # The samples don't have proper support for parallel building
+ # causing them to fail randomly.
+ enableParallelBuilding = false;
+
 buildFlags = [ "SGX_MODE=SIM" ];
@@ -44,6 +48,7 @@ in
 # Requires interaction
 doInstallCheck = false;
 });
+ protobufSGXDemo = buildSample "ProtobufSGXDemo";
 remoteAttestation = (buildSample "RemoteAttestation").overrideAttrs (oldAttrs: {
 dontFixup = true;
 installCheckPhase = ''
@@ -52,6 +57,7 @@ in
 });
 sampleEnclave = buildSample "SampleEnclave";
 sampleEnclavePCL = buildSample "SampleEnclavePCL";
+ sampleEnclaveGMIPP = buildSample "SampleEnclaveGMIPP";
 sealUnseal = buildSample "SealUnseal";
 switchless = buildSample "Switchless";
 }
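Review bot: `openssl` is added to `nativeBuildInputs`, which declares it as a build-host tool; if the ipp-crypto CMake build links the result against libcrypto or only needs it as a build-time helper is not visible in the hunk, and in the former case it belongs in `buildInputs` so it resolves for the target platform under cross-compilation. Worth confirming against the project's CMake configuration before merging, and either way a one-line comment above the entry stating why it is needed (`# <reason>: required by the ipp-crypto CMake build`, with the actual reason filled in) saves the next updater from re-deriving it. The `postPatch` typo fix already carries its upstream PR link, which is the documentation style to match.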