- Normally SGX has a SIM mode for running enclave tests on non-Intel SGX
capable hardware; however, these tests do some tricky stuff with cpuid
and CPU trap handling that make them non-portable.
- This diff makes it so OfBorg (which can't _run_ the tests) at least
builds them. The tests are also split out into a separate derivation
to save my sanity when iterating on them, since sgx-ssl takes like 30
min to build...
Context:
The `aesm_service` binary depends on a vendored library called
`CppMicroServices`. At build time, this lib creates and then bundles
service resources into a zip file and then embeds this zip into the
binary. Without changes, the `aesm_service` will be different after every
build because the embedded zip file contents have different modified times.
All credits to @haraldh for this patch <3
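The reproducibility problem described above (an embedded zip whose entry timestamps change on every build) is easy to reproduce and to verify a fix for outside the real build. The following Python script is an added illustration, not code from nixpkgs, `aesm_service` or `CppMicroServices`; the resource files it packs are constructed sample data, and it stands in for the actual resource packer. It builds the same files twice with different build times, shows the archive bytes differ only in metadata, and then shows that pinning every entry's timestamp (following the `SOURCE_DATE_EPOCH` convention) yields byte-identical output.

```python
"""Added example: why an embedded zip breaks build reproducibility, and one fix.

Each zip entry records a DOS-format modification time in both its local file
header and the central directory, so identical file contents packed at two
different times give two different archives. Stamping every entry with a fixed
time (e.g. derived from SOURCE_DATE_EPOCH) makes the archive deterministic.
"""
import hashlib
import io
import os
import time
import zipfile

# Constructed sample "service resources"; the real bundle contents are not shown here.
RESOURCES = {
    "manifest.json": b'{"bundle": "example", "version": "0.0.1"}\n',
    "config/settings.ini": b"[service]\nenabled=true\n",
}

# 1980-01-01T00:00:00Z is the earliest timestamp the ZIP format can store.
ZIP_EPOCH_FLOOR = 315532800


def stamp_from_epoch(epoch_seconds):
    """Convert a Unix timestamp into the (Y, M, D, h, m, s) tuple zipfile expects,
    clamped to the ZIP format's floor so SOURCE_DATE_EPOCH=0 still works."""
    return time.gmtime(max(ZIP_EPOCH_FLOOR, int(epoch_seconds)))[:6]


def build_bundle(resources, build_time):
    """Pack `resources` into an in-memory zip, stamping every entry with `build_time`.

    Entries are written in sorted order and with fixed permission bits, because
    directory-listing order and umask-dependent modes also break reproducibility.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name in sorted(resources):
            info = zipfile.ZipInfo(name, date_time=build_time)
            info.compress_type = zipfile.ZIP_DEFLATED
            info.external_attr = 0o644 << 16  # regular file, rw-r--r--
            zf.writestr(info, resources[name])
    return buf.getvalue()


def digest(data):
    return hashlib.sha256(data).hexdigest()


def extract(zip_bytes):
    """Return {name: content} for every entry, to compare payloads independently of metadata."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        return {n: zf.read(n) for n in zf.namelist()}


def entry_timestamps(zip_bytes):
    """Return the set of distinct entry timestamps recorded in the archive."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        return {i.date_time for i in zf.infolist()}


def builds_match(resources, first_time, second_time):
    """Simulate two builds at different wall-clock times; True if the archives are identical bytes."""
    return digest(build_bundle(resources, first_time)) == digest(build_bundle(resources, second_time))


def reproducible_digest(resources, source_date_epoch=None):
    """Digest of the bundle built with the pinned timestamp; stable across runs and machines."""
    if source_date_epoch is None:
        source_date_epoch = os.environ.get("SOURCE_DATE_EPOCH", str(ZIP_EPOCH_FLOOR))
    return digest(build_bundle(resources, stamp_from_epoch(source_date_epoch)))


if __name__ == "__main__":
    naive_a = build_bundle(RESOURCES, (2023, 1, 1, 12, 0, 0))
    naive_b = build_bundle(RESOURCES, (2023, 1, 1, 12, 0, 2))  # same files, two seconds later
    print("naive builds identical:", digest(naive_a) == digest(naive_b))
    print("payloads identical:    ", extract(naive_a) == extract(naive_b))
    print("pinned build digest:   ", reproducible_digest(RESOURCES))
    print("pinned build again:    ", reproducible_digest(RESOURCES))
```

The same check applies to the real artifact: build `aesm_service` twice and compare the hashes; with the patch in place the embedded zip no longer carries build-time timestamps and the two binaries should be identical.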
Without the change, the build fails on `master` as in
https://hydra.nixos.org/build/247706272:
```
local_cache.cpp: In function 'void throw_if(bool, const std::string&)':
local_cache.cpp:40:20: error: 'runtime_error' is not a member of 'std'
   40 |         throw std::runtime_error(error);
      |                    ^~~~~~~~~~~~~
local_cache.cpp:17:1: note: 'std::runtime_error' is defined in header '<stdexcept>'; did you forget to '#include <stdexcept>'?
   16 | #include <sys/file.h>
  +++ |+#include <stdexcept>
   17 | #include <sys/stat.h>
```
* Updated platform enclaves.
* Re-enable parallel build; seems to work properly across several
different machines.
* Ensure all non-enclave libs get stripped so we don't add `gcc` to the
runtime closure.
* I'm not sure what the value of providing a non-platform /bin/mount is
  for non-NixOS users, for a service that isn't used and that only bloats
  closure size.
With `structuredAttrs`, lists will be bash arrays, which cannot be exported;
this will be an issue with some patches and some wrappers like `cc-wrapper`.
This makes it clearer that `NIX_CFLAGS_COMPILE` must be a string, as lists
in `env` cause an eval failure.
Currently, the sgx-sdk.runTestsHW attribute fails to build due to
linking errors. It looks like OpenSSL versions are mixed up.
And indeed sgx-sdk pulls in OpenSSL 3 while ipp-crypto pulls in
OpenSSL 1.1.
Fix by pinning the OpenSSL version for the SGX SDK to OpenSSL 1.1 as
well.
Changes sgx-psw to append `aesm` to `LD_LIBRARY_PATH`:
- Append instead of prepend to allow for overriding in service config
- As we already add a wrapper to add `aesm` to `LD_LIBRARY_PATH` it is
not necessary to also set in `LD_LIBRARY_PATH` of the systemd service.
Co-authored-by: Vincent Haupert <mail@vincent-haupert.de>
Although we build the test app in SGX simulation mode which does not
require hardware SGX support, SGX SSL fails to initialize on non-Intel
CPUs. This is unexpected (and inconsistent with the `sgx-sdk` sample
code we run in the `installCheckPhase`) and subject to an upstream
issue: https://github.com/intel/intel-sgx-ssl/issues/113
Revert this commit as soon as the issue is resolved by Intel.
Make it easier to review updates to `sgx-{sdk,psw}` on machines with
actual SGX hardware support. The passthru tests build and run the SGX
samples in simulation mode which works without any hardware support. To
run the samples on a machine with SGX hardware support, issue the
following command:
```bash
$(nix-build -A sgx-sdk.runTestsHW)/bin/run-tests-hw
```
Make sure the SGX AESM daemon is running as some tests require it. See
the `services.aesmd.*` NixOS module options and the `sgx-psw` package
for details.