From 59f5fe8bcdc1d3eb9a4f9a94281606ad6719e15a Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Andreas=20St=C3=BChrk?= <andy@hammerhartes.de>
Date: Sat, 8 Jan 2022 19:27:00 +0100
Subject: [PATCH 1/3] maintainer: add trundle

---
 maintainers/maintainer-list.nix | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/maintainers/maintainer-list.nix b/maintainers/maintainer-list.nix
index 843b03692bc..7d12095ce83 100644
--- a/maintainers/maintainer-list.nix
+++ b/maintainers/maintainer-list.nix
@@ -12149,6 +12149,12 @@
     githubId = 1183303;
     name = "Jakob Klepp";
   };
+  trundle = {
+    name = "Andreas Stührk";
+    email = "andy@hammerhartes.de";
+    github = "Trundle";
+    githubId = 332418;
+  };
   tscholak = {
     email = "torsten.scholak@googlemail.com";
     github = "tscholak";

From db091609ffcee8751219f67d58823632aebcac2d Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Andreas=20St=C3=BChrk?= <andy@hammerhartes.de>
Date: Fri, 31 Dec 2021 11:51:58 +0100
Subject: [PATCH 2/3] sgx-ssl: init at lin_2.15.1_1.1.1l

Co-authored-by: Vincent Haupert <mail@vincent-haupert.de>
---
 pkgs/os-specific/linux/sgx/ssl/default.nix    | 90 +++++++++++++++++
 .../linux/sgx/ssl/intel-sgx-ssl-pr-111.patch  | 99 +++++++++++++++++++
 pkgs/top-level/all-packages.nix               |  2 +
 3 files changed, 191 insertions(+)
 create mode 100644 pkgs/os-specific/linux/sgx/ssl/default.nix
 create mode 100644 pkgs/os-specific/linux/sgx/ssl/intel-sgx-ssl-pr-111.patch

diff --git a/pkgs/os-specific/linux/sgx/ssl/default.nix b/pkgs/os-specific/linux/sgx/ssl/default.nix
new file mode 100644
index 00000000000..174d789a61b
--- /dev/null
+++ b/pkgs/os-specific/linux/sgx/ssl/default.nix
@@ -0,0 +1,90 @@
+{ stdenv
+, fetchFromGitHub
+, fetchpatch
+, fetchurl
+, lib
+, perl
+, sgx-sdk
+, which
+, debug ? false
+}:
+let
+  sgxVersion = sgx-sdk.versionTag;
+  opensslVersion = "1.1.1l";
+in
+stdenv.mkDerivation rec {
+  pname = "sgx-ssl" + lib.optionalString debug "-debug";
+  version = "lin_${sgxVersion}_${opensslVersion}";
+
+  src = fetchFromGitHub {
+    owner = "intel";
+    repo = "intel-sgx-ssl";
+    rev = version;
+    hash = "sha256-ibPXs90ni2fkxJ09fNO6wWVpfCFdko6MjBFkEsyIih8=";
+  };
+
+  postUnpack =
+    let
+      opensslSourceArchive = fetchurl {
+        url = "https://www.openssl.org/source/openssl-${opensslVersion}.tar.gz";
+        hash = "sha256-C3o+XlnDSCf+DDp0t+yLrvMCuY+oAIjX+RU6oW+na9E=";
+      };
+    in
+    ''
+      ln -s ${opensslSourceArchive} $sourceRoot/openssl_source/openssl-${opensslVersion}.tar.gz
+    '';
+
+  patches = [
+    # https://github.com/intel/intel-sgx-ssl/pull/111
+    ./intel-sgx-ssl-pr-111.patch
+  ];
+
+  postPatch = ''
+    patchShebangs Linux/build_openssl.sh
+
+    # Run the test in the `installCheckPhase`, not the `buildPhase`
+    substituteInPlace Linux/sgx/Makefile \
+      --replace '$(MAKE) -C $(TEST_DIR) all' \
+                'bash -c "true"'
+  '';
+
+  enableParallelBuilding = true;
+
+  nativeBuildInputs = [
+    perl
+    sgx-sdk
+    stdenv.glibc
+    which
+  ];
+
+  makeFlags = [
+    "-C Linux"
+  ] ++ lib.optionals debug [
+    "DEBUG=1"
+  ];
+
+  installFlags = [
+    "DESTDIR=$(out)"
+  ];
+
+  # Build and run the test app
+  doInstallCheck = true;
+  installCheckTarget = "all test";
+  installCheckFlags = [
+    "SGX_MODE=SIM"
+    "-C sgx/test_app"
+    "-j 1" # Makefile doesn't support multiple jobs
+  ];
+  preInstallCheck = ''
+    # Expects the enclave file in the current working dir
+    ln -s sgx/test_app/TestEnclave.signed.so .
+  '';
+
+  meta = with lib; {
+    description = "Cryptographic library for Intel SGX enclave applications based on OpenSSL";
+    homepage = "https://github.com/intel/intel-sgx-ssl";
+    maintainers = with maintainers; [ trundle veehaitch ];
+    platforms = [ "x86_64-linux" ];
+    license = with licenses; [ bsd3 openssl ];
+  };
+}
diff --git a/pkgs/os-specific/linux/sgx/ssl/intel-sgx-ssl-pr-111.patch b/pkgs/os-specific/linux/sgx/ssl/intel-sgx-ssl-pr-111.patch
new file mode 100644
index 00000000000..6ef06d7e231
--- /dev/null
+++ b/pkgs/os-specific/linux/sgx/ssl/intel-sgx-ssl-pr-111.patch
@@ -0,0 +1,99 @@
+From 1683c336e11b3cbe2b48c1be1c9460a661523c71 Mon Sep 17 00:00:00 2001
+From: Vincent Haupert <mail@vincent-haupert.de>
+Date: Sat, 8 Jan 2022 17:22:31 +0100
+Subject: [PATCH 1/3] Linux: fix Nix detection
+
+Detect the `OS_ID` of Nix by probing for the presence of the `NIX_STORE`
+environment variable instead of `NIX_PATH`. The latter is only set in a
+`nix-shell` session but isn't when building a derivation through
+`nix-build`. In contrast, the `NIX_STORE` environment variable is set in
+both cases.
+
+Signed-off-by: Vincent Haupert <mail@vincent-haupert.de>
+---
+ Linux/sgx/buildenv.mk | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/Linux/sgx/buildenv.mk b/Linux/sgx/buildenv.mk
+index cd8818e..dac23c7 100644
+--- a/Linux/sgx/buildenv.mk
++++ b/Linux/sgx/buildenv.mk
+@@ -65,7 +65,7 @@ $(shell mkdir -p $(PACKAGE_LIB))
+ UBUNTU_CONFNAME:=/usr/include/x86_64-linux-gnu/bits/confname.h
+ ifneq ("$(wildcard $(UBUNTU_CONFNAME))","")
+ 	OS_ID=1
+-else ifeq ($(origin NIX_PATH),environment)
++else ifeq ($(origin NIX_STORE),environment)
+ 	OS_ID=3
+ else
+ 	OS_ID=2
+
+From f493525face589d759223bfa45bb802c31ddce4f Mon Sep 17 00:00:00 2001
+From: Vincent Haupert <mail@vincent-haupert.de>
+Date: Sat, 8 Jan 2022 17:33:22 +0100
+Subject: [PATCH 2/3] Linux: call binaries relative to PATH
+
+Using an absolute path to call binaries is incompatible with
+distributions which do not follow the Filesystem Hierachy Standard;
+Nix is an example. Also, it is inconsistent with the rest of the code
+base, let alone superfluous.
+
+Signed-off-by: Vincent Haupert <mail@vincent-haupert.de>
+---
+ Linux/build_openssl.sh | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/Linux/build_openssl.sh b/Linux/build_openssl.sh
+index 7d77b79..e8b59a1 100755
+--- a/Linux/build_openssl.sh
++++ b/Linux/build_openssl.sh
+@@ -38,7 +38,7 @@ SGXSSL_ROOT="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
+ echo $SGXSSL_ROOT
+ 
+ OPENSSL_INSTALL_DIR="$SGXSSL_ROOT/../openssl_source/OpenSSL_install_dir_tmp"
+-OPENSSL_VERSION=`/bin/ls $SGXSSL_ROOT/../openssl_source/*1.1.1*.tar.gz | /usr/bin/head -1 | /bin/grep -o '[^/]*$' | /bin/sed -s -- 's/\.tar\.gz//'`
++OPENSSL_VERSION=`ls $SGXSSL_ROOT/../openssl_source/*1.1.1*.tar.gz | head -1 | grep -o '[^/]*$' | sed -s -- 's/\.tar\.gz//'`
+ if [ "$OPENSSL_VERSION" == "" ] 
+ then
+ 	echo "In order to run this script, OpenSSL tar.gz package must be located in openssl_source/ directory."
+
+From fdb883d30fff72b5cfb8c61a2288d3d948f64224 Mon Sep 17 00:00:00 2001
+From: Vincent Haupert <mail@vincent-haupert.de>
+Date: Tue, 11 Jan 2022 10:56:39 +0100
+Subject: [PATCH 3/3] Linux: properly extract GCC major version
+
+Calling `gcc -dumpversion` yields the full version string, e.g.,
+`10.3.0`. The `build_openssl.sh` bash script uses the `-ge` number
+comparison operator to check if the returned version is at least
+8. This results in an error if the returned GCC version includes a patch
+version; "10.3.0" isn't a valid number.
+
+This commit fixes the version detection by only extracting the relevant
+major version of GCC.
+
+Signed-off-by: Vincent Haupert <mail@vincent-haupert.de>
+---
+ Linux/build_openssl.sh | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/Linux/build_openssl.sh b/Linux/build_openssl.sh
+index e8b59a1..6e4046f 100755
+--- a/Linux/build_openssl.sh
++++ b/Linux/build_openssl.sh
+@@ -82,6 +82,7 @@ fi
+ MITIGATION_OPT=""
+ MITIGATION_FLAGS=""
+ CC_VERSION=`gcc -dumpversion`
++CC_VERSION_MAJOR=`echo "$CC_VERSION" | cut -f1 -d.`
+ for arg in "$@"
+ do
+     case $arg in
+@@ -99,7 +100,7 @@ do
+         ;;
+     -mfunction-return=thunk-extern)
+         MITIGATION_FLAGS+=" $arg"
+-        if [[ $CC_VERSION -ge 8 ]] ; then
++        if [[ "$CC_VERSION_MAJOR" -ge 8 ]] ; then
+             MITIGATION_FLAGS+=" -fcf-protection=none"
+         fi
+         shift
diff --git a/pkgs/top-level/all-packages.nix b/pkgs/top-level/all-packages.nix
index 2ba9dd62933..73c2a83d72d 100644
--- a/pkgs/top-level/all-packages.nix
+++ b/pkgs/top-level/all-packages.nix
@@ -22872,6 +22872,8 @@ with pkgs;
 
   sgx-sdk = callPackage ../os-specific/linux/sgx/sdk { };
 
+  sgx-ssl = callPackage ../os-specific/linux/sgx/ssl { };
+
   sgx-psw = callPackage ../os-specific/linux/sgx/psw { };
 
   shadow = callPackage ../os-specific/linux/shadow { };

From 6639cd8c652dcd99862b852766272fc2136f47da Mon Sep 17 00:00:00 2001
From: Vincent Haupert <mail@vincent-haupert.de>
Date: Sat, 15 Jan 2022 13:08:16 +0100
Subject: [PATCH 3/3] sgx-ssl: don't run test app in `installCheckPhase`

Although we build the test app in SGX simulation mode which does not
require hardware SGX support, SGX SSL fails to initialize on non-Intel
CPUs. This is unexpected (and inconsistent with the `sgx-sdk` sample
code we run in the `installCheckPhase`) and subject to an upstream
issue: https://github.com/intel/intel-sgx-ssl/issues/113

Revert this commit as soon as the issue is resolved by Intel.
---
 pkgs/os-specific/linux/sgx/ssl/default.nix | 9 +++++++--
 1 file changed, 7 insertions(+), 2 deletions(-)

diff --git a/pkgs/os-specific/linux/sgx/ssl/default.nix b/pkgs/os-specific/linux/sgx/ssl/default.nix
index 174d789a61b..c54eda19d6a 100644
--- a/pkgs/os-specific/linux/sgx/ssl/default.nix
+++ b/pkgs/os-specific/linux/sgx/ssl/default.nix
@@ -67,9 +67,14 @@ stdenv.mkDerivation rec {
     "DESTDIR=$(out)"
   ];
 
-  # Build and run the test app
+  # Build the test app
+  #
+  # Running the test app is currently only supported on Intel CPUs
+  # and will fail on non-Intel CPUs even in SGX simulation mode.
+  # Therefore, we only build the test app without running it until
+  # upstream resolves the issue: https://github.com/intel/intel-sgx-ssl/issues/113
   doInstallCheck = true;
-  installCheckTarget = "all test";
+  installCheckTarget = "all";
   installCheckFlags = [
     "SGX_MODE=SIM"
     "-C sgx/test_app"