Merge pull request #154157 from yaxitech/sgx-ssl

sgx-ssl: init at lin_2.15.1_1.1.1l
2022-01-16 06:05:10 +00:00 · 2022-01-16 06:05:10 +00:00 · 5a6a12256d
parent b254d2b1fe 6639cd8c65
commit 5a6a12256d
4 changed files with 202 additions and 0 deletions
--- a/maintainers/maintainer-list.nix
+++ b/maintainers/maintainer-list.nix
@ -12172,6 +12172,12 @@
    githubId = 1183303;
    name = "Jakob Klepp";
  };
+  trundle = {
+    name = "Andreas Stührk";
+    email = "andy@hammerhartes.de";
+    github = "Trundle";
+    githubId = 332418;
+  };
  tscholak = {
    email = "torsten.scholak@googlemail.com";
    github = "tscholak";
--- a/pkgs/os-specific/linux/sgx/ssl/default.nix
+++ b/pkgs/os-specific/linux/sgx/ssl/default.nix
@ -0,0 +1,95 @@
+{ stdenv
+, fetchFromGitHub
+, fetchpatch
+, fetchurl
+, lib
+, perl
+, sgx-sdk
+, which
+, debug ? false
+}:
+let
+  sgxVersion = sgx-sdk.versionTag;
+  opensslVersion = "1.1.1l";
+in
+stdenv.mkDerivation rec {
+  pname = "sgx-ssl" + lib.optionalString debug "-debug";
+  version = "lin_${sgxVersion}_${opensslVersion}";
+
+  src = fetchFromGitHub {
+    owner = "intel";
+    repo = "intel-sgx-ssl";
+    rev = version;
+    hash = "sha256-ibPXs90ni2fkxJ09fNO6wWVpfCFdko6MjBFkEsyIih8=";
+  };
+
+  postUnpack =
+    let
+      opensslSourceArchive = fetchurl {
+        url = "https://www.openssl.org/source/openssl-${opensslVersion}.tar.gz";
+        hash = "sha256-C3o+XlnDSCf+DDp0t+yLrvMCuY+oAIjX+RU6oW+na9E=";
+      };
+    in
+    ''
+      ln -s ${opensslSourceArchive} $sourceRoot/openssl_source/openssl-${opensslVersion}.tar.gz
+    '';
+
+  patches = [
+    # https://github.com/intel/intel-sgx-ssl/pull/111
+    ./intel-sgx-ssl-pr-111.patch
+  ];
+
+  postPatch = ''
+    patchShebangs Linux/build_openssl.sh
+
+    # Run the test in the `installCheckPhase`, not the `buildPhase`
+    substituteInPlace Linux/sgx/Makefile \
+      --replace '$(MAKE) -C $(TEST_DIR) all' \
+                'bash -c "true"'
+  '';
+
+  enableParallelBuilding = true;
+
+  nativeBuildInputs = [
+    perl
+    sgx-sdk
+    stdenv.glibc
+    which
+  ];
+
+  makeFlags = [
+    "-C Linux"
+  ] ++ lib.optionals debug [
+    "DEBUG=1"
+  ];
+
+  installFlags = [
+    "DESTDIR=$(out)"
+  ];
+
+  # Build the test app
+  #
+  # Running the test app is currently only supported on Intel CPUs
+  # and will fail on non-Intel CPUs even in SGX simulation mode.
+  # Therefore, we only build the test app without running it until
+  # upstream resolves the issue: https://github.com/intel/intel-sgx-ssl/issues/113
+  doInstallCheck = true;
+  installCheckTarget = "all";
+  installCheckFlags = [
+    "SGX_MODE=SIM"
+    "-C sgx/test_app"
+    "-j 1" # Makefile doesn't support multiple jobs
+  ];
+  preInstallCheck = ''
+    # Expects the enclave file in the current working dir
+    ln -s sgx/test_app/TestEnclave.signed.so .
+  '';
+
+  meta = with lib; {
+    description = "Cryptographic library for Intel SGX enclave applications based on OpenSSL";
+    homepage = "https://github.com/intel/intel-sgx-ssl";
+    maintainers = with maintainers; [ trundle veehaitch ];
+    platforms = [ "x86_64-linux" ];
+    license = with licenses; [ bsd3 openssl ];
+  };
+}
--- a/pkgs/os-specific/linux/sgx/ssl/intel-sgx-ssl-pr-111.patch
+++ b/pkgs/os-specific/linux/sgx/ssl/intel-sgx-ssl-pr-111.patch
@ -0,0 +1,99 @@
+From 1683c336e11b3cbe2b48c1be1c9460a661523c71 Mon Sep 17 00:00:00 2001
+From: Vincent Haupert <mail@vincent-haupert.de>
+Date: Sat, 8 Jan 2022 17:22:31 +0100
+Subject: [PATCH 1/3] Linux: fix Nix detection
+
+Detect the `OS_ID` of Nix by probing for the presence of the `NIX_STORE`
+environment variable instead of `NIX_PATH`. The latter is only set in a
+`nix-shell` session but isn't when building a derivation through
+`nix-build`. In contrast, the `NIX_STORE` environment variable is set in
+both cases.
+
+Signed-off-by: Vincent Haupert <mail@vincent-haupert.de>
+---
+ Linux/sgx/buildenv.mk | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/Linux/sgx/buildenv.mk b/Linux/sgx/buildenv.mk
+index cd8818e..dac23c7 100644
+--- a/Linux/sgx/buildenv.mk
+++ b/Linux/sgx/buildenv.mk
+@@ -65,7 +65,7 @@ $(shell mkdir -p $(PACKAGE_LIB))
+ UBUNTU_CONFNAME:=/usr/include/x86_64-linux-gnu/bits/confname.h
+ ifneq ("$(wildcard $(UBUNTU_CONFNAME))","")
+ 	OS_ID=1
+-else ifeq ($(origin NIX_PATH),environment)
+else ifeq ($(origin NIX_STORE),environment)
+ 	OS_ID=3
+ else
+ 	OS_ID=2
+
+From f493525face589d759223bfa45bb802c31ddce4f Mon Sep 17 00:00:00 2001
+From: Vincent Haupert <mail@vincent-haupert.de>
+Date: Sat, 8 Jan 2022 17:33:22 +0100
+Subject: [PATCH 2/3] Linux: call binaries relative to PATH
+
+Using an absolute path to call binaries is incompatible with
+distributions which do not follow the Filesystem Hierachy Standard;
+Nix is an example. Also, it is inconsistent with the rest of the code
+base, let alone superfluous.
+
+Signed-off-by: Vincent Haupert <mail@vincent-haupert.de>
+---
+ Linux/build_openssl.sh | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/Linux/build_openssl.sh b/Linux/build_openssl.sh
+index 7d77b79..e8b59a1 100755
+--- a/Linux/build_openssl.sh
+++ b/Linux/build_openssl.sh
+@@ -38,7 +38,7 @@ SGXSSL_ROOT="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
+ echo $SGXSSL_ROOT
+ 
+ OPENSSL_INSTALL_DIR="$SGXSSL_ROOT/../openssl_source/OpenSSL_install_dir_tmp"
+-OPENSSL_VERSION=`/bin/ls $SGXSSL_ROOT/../openssl_source/*1.1.1*.tar.gz | /usr/bin/head -1 | /bin/grep -o '[^/]*$' | /bin/sed -s -- 's/\.tar\.gz//'`
+OPENSSL_VERSION=`ls $SGXSSL_ROOT/../openssl_source/*1.1.1*.tar.gz | head -1 | grep -o '[^/]*$' | sed -s -- 's/\.tar\.gz//'`
+ if [ "$OPENSSL_VERSION" == "" ] 
+ then
+ 	echo "In order to run this script, OpenSSL tar.gz package must be located in openssl_source/ directory."
+
+From fdb883d30fff72b5cfb8c61a2288d3d948f64224 Mon Sep 17 00:00:00 2001
+From: Vincent Haupert <mail@vincent-haupert.de>
+Date: Tue, 11 Jan 2022 10:56:39 +0100
+Subject: [PATCH 3/3] Linux: properly extract GCC major version
+
+Calling `gcc -dumpversion` yields the full version string, e.g.,
+`10.3.0`. The `build_openssl.sh` bash script uses the `-ge` number
+comparison operator to check if the returned version is at least
+8. This results in an error if the returned GCC version includes a patch
+version; "10.3.0" isn't a valid number.
+
+This commit fixes the version detection by only extracting the relevant
+major version of GCC.
+
+Signed-off-by: Vincent Haupert <mail@vincent-haupert.de>
+---
+ Linux/build_openssl.sh | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/Linux/build_openssl.sh b/Linux/build_openssl.sh
+index e8b59a1..6e4046f 100755
+--- a/Linux/build_openssl.sh
+++ b/Linux/build_openssl.sh
+@@ -82,6 +82,7 @@ fi
+ MITIGATION_OPT=""
+ MITIGATION_FLAGS=""
+ CC_VERSION=`gcc -dumpversion`
+CC_VERSION_MAJOR=`echo "$CC_VERSION" | cut -f1 -d.`
+ for arg in "$@"
+ do
+     case $arg in
+@@ -99,7 +100,7 @@ do
+         ;;
+     -mfunction-return=thunk-extern)
+         MITIGATION_FLAGS+=" $arg"
+-        if [[ $CC_VERSION -ge 8 ]] ; then
+        if [[ "$CC_VERSION_MAJOR" -ge 8 ]] ; then
+             MITIGATION_FLAGS+=" -fcf-protection=none"
+         fi
+         shift
--- a/pkgs/top-level/all-packages.nix
+++ b/pkgs/top-level/all-packages.nix
@ -22899,6 +22899,8 @@ with pkgs;

  sgx-sdk = callPackage ../os-specific/linux/sgx/sdk { };

+  sgx-ssl = callPackage ../os-specific/linux/sgx/ssl { };
+
  sgx-psw = callPackage ../os-specific/linux/sgx/psw { };

  shadow = callPackage ../os-specific/linux/shadow { };