Commit Graph

48 Commits

Author SHA1 Message Date
Philip Hayes
3dd129f7db sgx-ssl: openssl: 3.0.12 -> 3.0.13 2024-05-05 17:50:39 -07:00
Philip Hayes
8b050cc911 sgx-azure-dcap-client: fix warnings 2024-05-05 17:40:49 -07:00
Philip Hayes
fcc7d2be75 sgx-psw: 2.23 -> 2.24 2024-05-05 16:56:53 -07:00
Philip Hayes
0c918484fb sgx-sdk: 2.23 -> 2.24
- .patch out a `git submodule update` from `make preparation`.

- Place the `ipp-crypto/fips_cert.h` header somewhere sgx-sdk can find it.

Diff: <https://github.com/intel/linux-sgx/compare/sgx_2.23...sgx_2.24>

Changelog: <https://github.com/intel/linux-sgx/releases/tag/sgx_2.24>
2024-05-05 16:40:11 -07:00
Philip Hayes
ec66c8886b sgx-sdk/ipp-crypto: 2021.10.0 -> 2021.11.1
- gcc 12 and 13 are _still_ failing

- sgx-sdk now requires FIPS-mode enabled

Diff: <https://github.com/intel/ipp-crypto/compare/ippcp_2021.10.0...ippcp_2021.11.1>

Changelog: <https://github.com/intel/ipp-crypto/blob/ippcp_2021.11.1/CHANGELOG.md>
2024-05-05 16:39:46 -07:00
Philip Hayes
bf15997e3d sgx-ssl: split out tests. build-only by default.
- Normally SGX has a SIM mode for running enclave tests on non-Intel SGX
  capable hardware; however, these tests do some tricky stuff with cpuid
  and CPU trap handling that make them non-portable.

- This diff makes it so OfBorg (which can't _run_ the tests) at least
  builds them. The tests are also split out into a separate derivation
  to save my sanity when iterating on them, since sgx-ssl takes like 30
  min to build...
2024-03-06 17:20:44 -08:00
Philip Hayes
9dd20575b3 sgx-sdk: disable mtime in bundled zip file for reproducible builds
Context:

The `aesm_service` binary depends on a vendored library called
`CppMicroServices`. At build time, this lib creates and then bundles
service resources into a zip file and then embeds this zip into the
binary. Without changes, the `aesm_service` will be different after every
build because the embedded zip file contents have different modified times.

All credits to @haraldh for this patch <3
2024-03-06 17:20:30 -08:00
Philip Hayes
fd3978c164 sgx-sdk: add 'phlip9' as maintainer of sgx packages 2024-03-06 17:20:24 -08:00
Philip Hayes
418b770aab sgx-ssl: 1.1.1u -> 3.0.12
Diff: <https://github.com/intel/intel-sgx-ssl/compare/lin_2.21_1.1.1u...3.0_Rev2>
2024-03-06 17:20:13 -08:00
Philip Hayes
6721126b85 sgx-azure-dcap-client: 1.12.1 -> 1.12.3
Diff: <https://github.com/microsoft/Azure-DCAP-Client/compare/1.12.1...1.12.3>
2024-03-06 17:19:30 -08:00
Philip Hayes
422a893019 sgx-psw: 2.21 -> 2.23 2024-03-06 16:51:11 -08:00
Philip Hayes
25955eed5c sgx-sdk: 2.21 -> 2.23
- `make preparation` step keeps changing; use a more maintainable .patch
  approach instead of copying over steps from Makefile.

- Remove stale patch.

Diff: <https://github.com/intel/linux-sgx/compare/sgx_2.21...sgx_2.23>

Changelog (2.22): <https://github.com/intel/linux-sgx/releases/tag/sgx_2.22>

Changelog (2.23): <https://github.com/intel/linux-sgx/releases/tag/sgx_2.23>
2024-03-06 16:51:11 -08:00
Philip Hayes
3a38edd589 sgx-sdk/ipp-crypto: 2021.9.0 -> 2021.10.0
- gcc 13 still failing to compile w/o warnings...

Diff: <https://github.com/intel/ipp-crypto/compare/ippcp_2021.9.0...ippcp_2021.10.0>

Changelog: <https://github.com/intel/ipp-crypto/blob/ippcp_2021.10.0/CHANGELOG.md>
2024-03-06 16:51:11 -08:00
Sergei Trofimovich
9687bedc4c sgx-azure-dcap-client: fix gcc-13 build failure
Without the change build fails on `master` as
https://hydra.nixos.org/build/247706272:

    local_cache.cpp: In function 'void throw_if(bool, const std::string&)':
    local_cache.cpp:40:20: error: 'runtime_error' is not a member of 'std'
       40 |         throw std::runtime_error(error);
          |                    ^~~~~~~~~~~~~
    local_cache.cpp:17:1: note: 'std::runtime_error' is defined in header '<stdexcept>'; did you forget to '#include <stdexcept>'?
       16 | #include <sys/file.h>
      +++ |+#include <stdexcept>
       17 | #include <sys/stat.h>
2024-02-11 17:19:57 +00:00
Philip Hayes
84ba69f030 sgx-psw: more robust stripping w/o touching enclaves 2023-12-21 13:25:51 +01:00
Philip Hayes
8d2a5753fd sgx-sdk/ipp-crypto: 2021.7 -> 2021.9.0
- Removes `sgx-sdk` dependency on EOL OpenSSL v1.1
- Updated ipp-crypto version is technically beyond the upstream
  `linux-sgx` repo's pinned version, but appears to work just as well.

Diff: <https://github.com/intel/ipp-crypto/compare/ippcp_2021.7...ippcp_2021.9.0>

Changelog: <https://github.com/intel/ipp-crypto/blob/ippcp_2021.9.0/CHANGELOG.md>
2023-12-21 13:25:51 +01:00
Philip Hayes
d8958b1861 sgx-azure-dcap-client: 1.11.2 -> 1.12.1
Release notes:
<https://github.com/microsoft/Azure-DCAP-Client/releases/tag/1.12.1>
2023-12-21 13:25:51 +01:00
Philip Hayes
c037c23bda sgx-ssl: 1.1.1l -> 1.1.1u
Release notes: <https://github.com/intel/intel-sgx-ssl/releases/tag/lin_2.21_1.1.1u>
2023-12-21 13:25:50 +01:00
Philip Hayes
77d43f5fb8 sgx-psw: 2.16 -> 2.21
* Updated platform enclaves.
* Re-enable parallel build; seems to work properly across several
  different machines.
* Ensure all non-enclave libs get stripped so we don't add `gcc` to the
  runtime closure.
* I'm not sure what the value of providing a non-platfrom /bin/mount is
  for non-NixOS users for a service that isn't used that only bloats
  closure size.
2023-12-21 13:25:50 +01:00
Philip Hayes
a03b0a37b6 sgx-sdk: 2.16 -> 2.21
Release notes:
<https://github.com/intel/linux-sgx/releases/tag/sgx_2.21>

sgx-sdk/ipp-crypto: 2021.3 -> 2021.7

* The `substituteInPlace` is no longer necessary as corresponding PR was
  merged.
2023-12-21 13:25:50 +01:00
Theodore Ni
b14fcda6c0
sgx-psw: disable fortify3 hardening flag 2023-07-12 22:35:45 -07:00
Weijia Wang
f2970c0c85
Merge pull request #219381 from 0xbe7a/sgx-gcc-11
sgx/sdk/ipp-crypto: pin stdenv to gcc11
2023-03-03 21:22:17 +02:00
be7a
a0691fc810
sgx/sdk/ipp-crypto: pin stdenv to gcc11 2023-03-03 17:16:23 +01:00
Artturin
f9fdf2d402 treewide: move NIX_CFLAGS_COMPILE to the env attrset
with structuredAttrs lists will be bash arrays which cannot be exported
which will be a issue with some patches and some wrappers like cc-wrapper

this makes it clearer that NIX_CFLAGS_COMPILE must be a string as lists
in env cause a eval failure
2023-02-22 21:23:04 +02:00
Artturin
fe1c7a1945 treewide: remove usages of header and stopNest
they're obsolete
2023-01-16 00:08:12 +02:00
Sandro
c8c8ac5cc6
Merge pull request #203449 from yaxitech/azure-quote-provider 2022-12-24 16:19:39 +01:00
Julian Stecklina
2c8407089b sgx-sdk: pin to openssl_1_1
Currently, the sgx-sdk.runTestsHW attribute fails to build due to
linking errors. It looks like OpenSSL versions are mixed up.

And indeed sgx-sdk pulls in OpenSSL 3 while ipp-crypto pulls in
OpenSSL 1.1.

Fix by pinning the OpenSSL version for the SGX SDK to OpenSSL 1.1 as
well.
2022-12-12 17:18:28 +01:00
Vincent Haupert
4e937f0d6b sgx-azure-quote-provider: add test-suite derivation 2022-12-04 20:12:50 +01:00
Andreas Stührk
da0dc8339c nixos/aesmd: add option to configure quote provider library
Changes sgx-psw to append `aesm` to `LD_LIBRARY_PATH`:
- Append instead of prepend to allow for overriding in service config
- As we already add a wrapper to add `aesm` to `LD_LIBRARY_PATH` it is
  not necessary to also set in `LD_LIBRARY_PATH` of the systemd service.

Co-authored-by: Vincent Haupert <mail@vincent-haupert.de>
2022-12-04 20:12:50 +01:00
Andreas Stührk
7de32b0ce9 sgx-azure-dcap-client: init at 1.11.2 2022-12-04 20:12:50 +01:00
ajs124
d761390cd0 sgx/sdk/ipp-crypto: pin to openssl_1_1 2022-08-17 20:16:46 +02:00
Artturin
c1fffdfffb treewide: change some glibc to stdenv.cc.libc 2022-05-27 05:57:43 +03:00
Artturin
0c4d65b21e treewide: stdenv.glibc -> glibc 2022-05-25 15:51:20 +03:00
Artturi
4f337a99de
Merge pull request #167571 from veehaitch/sgx-2.16
sgx-sdk, sgx-psw: 2.15.1 -> 2.16
2022-05-08 16:00:56 +03:00
Sandro Jäckel
f96a60f950
ssl: fix nix-env version parsing 2022-04-30 02:37:20 +02:00
Vincent Haupert
02e6180ce7 sgx-psw: 2.15.1 -> 2.16 2022-04-06 21:36:44 +02:00
Vincent Haupert
8655b82de7 sgx-sdk: 2.15.1 -> 2.16 2022-04-06 21:36:28 +02:00
Naïm Favier
9160044f5f
treewide/makeWrapper: replace --run cd with --chdir
Lay the groundwork for switching to binary wrappers by reducing uses
of `--run` (which is not supported by `makeBinaryWrapper`).
2022-03-19 09:46:31 +01:00
Jörg Thalheim
9f93be7e1b
Merge pull request #153237 from veehaitch/sgx-sdk-2.15.1-samples
sgx-sdk, sgx-psw: improve samples
2022-01-31 05:58:09 +01:00
Jonathan Ringer
8d530c676a
sgx-sdk: fix build 2022-01-24 19:16:05 -08:00
Vincent Haupert
6639cd8c65 sgx-ssl: don't run test app in installCheckPhase
Although we build the test app in SGX simulation mode which does not
require hardware SGX support, SGX SSL fails to initialize on non-Intel
CPUs. This is unexpected (and inconsistent with the `sgx-sdk` sample
code we run in the `installCheckPhase`) and subject to an upstream
issue: https://github.com/intel/intel-sgx-ssl/issues/113

Revert this commit as soon as the issue is resolved by Intel.
2022-01-15 13:08:31 +01:00
Andreas Stührk
db091609ff sgx-ssl: init at lin_2.15.1_1.1.1l
Co-authored-by: Vincent Haupert <mail@vincent-haupert.de>
2022-01-12 19:24:39 +01:00
Vincent Haupert
9dac06a14d sgx-sdk, sgx-psw: improve samples
Make it easier to review updates to `sgx-{sdk,psw}` on machines with
actual SGX hardware support. The passthru tests build and run the SGX
samples in simulation mode which works without any hardware support. To
run the samples on a machine with SGX hardware support, issue the
following command:

```bash
 $(nix-build -A sgx-sdk.runTestsHW)/bin/run-tests-hw
```

Make sure the SGX AESM daemon is running as some tests require it. See
the `services.aesmd.*` NixOS module options and the `sgx-psw` package
for details.
2022-01-09 18:02:58 +01:00
Vincent Haupert
4f7f8d0b2d sgx-sdk, sgx-psw: 2.14 -> 2.15.1
Also add some of the new samples as tests. Disable parallel builds for
the samples as they don't seem to support it (fail randomly).
2021-12-15 13:09:18 +01:00
Vincent Haupert
d6cc0ad96e nixosTests.aesmd: init 2021-12-10 10:18:31 +01:00
Vincent Haupert
92c24a12a7 sgx-sdk, sgx-psw: add debug argument 2021-12-10 10:04:02 +01:00
Vincent Haupert
dd79220bca sgx-psw: init at 2.14.100.2
Co-authored-by: Alex Zero <joseph@marsden.space>
2021-12-10 10:04:02 +01:00
Vincent Haupert
f5fcb87723 sgx-sdk: create sgx dir and move 2021-12-10 10:04:02 +01:00