parent
f5fcb87723
commit
dd79220bca
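--- /dev/null
+++ b/PATH_UNKNOWN
@@ -0,0 +1,178 @@
+{ stdenv
+, lib
+, fetchurl
+, cmake
+, coreutils
+, curl
+, file
+, glibc
+, makeWrapper
+, protobuf
+, python3
+, sgx-sdk
+, shadow
+, systemd
+, util-linux
+, which
+}:
+stdenv.mkDerivation rec {
+inherit (sgx-sdk) version versionTag src;
+pname = "sgx-psw";
+
+postUnpack =
+let
+ae.prebuilt = fetchurl {
+url = "https://download.01.org/intel-sgx/sgx-linux/${versionTag}/prebuilt_ae_${versionTag}.tar.gz";
+hash = "sha256-nGKZEpT2Mx0DLgqjv9qbZqBt1pQaSHcnA0K6nHma3sk";
+};
+dcap = rec {
+version = "1.11";
+filename = "prebuilt_dcap_${version}.tar.gz";
+prebuilt = fetchurl {
+url = "https://download.01.org/intel-sgx/sgx-dcap/${version}/linux/$(unknown)";
+hash = "sha256-ShGScS4yNLki04RNPxxLvqzGmy4U1L0gVETvfAo8w9M=";
+};
+};
+in
+sgx-sdk.postUnpack + ''
+# Make sure we use the correct version of prebuilt DCAP
+grep -q 'ae_file_name=${dcap.filename}' "$src/external/dcap_source/QuoteGeneration/download_prebuilt.sh" \
+|| (echo "Could not find expected prebuilt DCAP ${dcap.filename} in linux-sgx source" >&2 && exit 1)
+
+tar -zxf ${ae.prebuilt} -C $sourceRoot/
+tar -zxf ${dcap.prebuilt} -C $sourceRoot/external/dcap_source/QuoteGeneration/
+'';
+
+nativeBuildInputs = [
+cmake
+file
+makeWrapper
+python3
+sgx-sdk
+which
+];
+
+buildInputs = [
+curl
+protobuf
+];
+
+postPatch = ''
+# https://github.com/intel/linux-sgx/pull/730
+substituteInPlace buildenv.mk --replace '/bin/cp' 'cp'
+substituteInPlace psw/ae/aesm_service/source/CMakeLists.txt \
+--replace '/usr/bin/getconf' 'getconf'
+
+# https://github.com/intel/SGXDataCenterAttestationPrimitives/pull/205
+substituteInPlace ./external/dcap_source/QuoteGeneration/buildenv.mk \
+--replace '/bin/cp' 'cp'
+substituteInPlace external/dcap_source/tools/SGXPlatformRegistration/Makefile \
+--replace '/bin/cp' 'cp'
+substituteInPlace external/dcap_source/tools/SGXPlatformRegistration/buildenv.mk \
+--replace '/bin/cp' 'cp'
+
+patchShebangs \
+linux/installer/bin/build-installpkg.sh \
+linux/installer/common/psw/createTarball.sh \
+linux/installer/common/psw/install.sh
+'';
+
+dontUseCmakeConfigure = true;
+
+# Randomly fails if enabled
+enableParallelBuilding = false;
+
+buildFlags = [
+"psw_install_pkg"
+];
+
+installFlags = [
+"-C linux/installer/common/psw/output"
+"DESTDIR=$(TMPDIR)/install"
+];
+
+postInstall = ''
+installDir=$TMPDIR/install
+sgxPswDir=$installDir/opt/intel/sgxpsw
+
+mv $installDir/usr/lib64/ $out/lib/
+ln -sr $out/lib $out/lib64
+
+# Install udev rules to lib/udev/rules.d
+mv $sgxPswDir/udev/ $out/lib/
+
+# Install example AESM config
+mkdir $out/etc/
+mv $sgxPswDir/aesm/conf/aesmd.conf $out/etc/
+rmdir $sgxPswDir/aesm/conf/
+
+# Delete init service
+rm $sgxPswDir/aesm/aesmd.conf
+
+# Move systemd services
+mkdir -p $out/lib/systemd/system/
+mv $sgxPswDir/aesm/aesmd.service $out/lib/systemd/system/
+mv $sgxPswDir/remount-dev-exec.service $out/lib/systemd/system/
+
+# Move misc files
+mkdir $out/share/
+mv $sgxPswDir/licenses $out/share/
+
+# Remove unnecessary files
+rm $sgxPswDir/{cleanup.sh,startup.sh}
+rm -r $sgxPswDir/scripts
+
+mv $sgxPswDir/aesm/ $out/
+
+mkdir $out/bin
+makeWrapper $out/aesm/aesm_service $out/bin/aesm_service \
+--prefix LD_LIBRARY_PATH : ${lib.makeLibraryPath [ protobuf ]}:$out/aesm \
+--run "cd $out/aesm"
+
+# Make sure we didn't forget to handle any files
+rmdir $sgxPswDir || (echo "Error: The directory $installDir still contains unhandled files: $(ls -A $installDir)" >&2 && exit 1)
+'';
+
+# Most—if not all—of those fixups are not relevant for NixOS as we have our own
+# NixOS module which is based on those files without relying on them. Still, it
+# is helpful to have properly patched versions for non-NixOS distributions.
+postFixup = ''
+header "Fixing aesmd.service"
+substituteInPlace $out/lib/systemd/system/aesmd.service \
+--replace '@aesm_folder@' \
+"$out/aesm" \
+--replace 'Type=forking' \
+'Type=simple' \
+--replace "ExecStart=$out/aesm/aesm_service" \
+"ExecStart=$out/bin/aesm_service --no-daemon"\
+--replace "/bin/mkdir" \
+"${coreutils}/bin/mkdir" \
+--replace "/bin/chown" \
+"${coreutils}/bin/chown" \
+--replace "/bin/chmod" \
+"${coreutils}/bin/chmod" \
+--replace "/bin/kill" \
+"${coreutils}/bin/kill"
+
+header "Fixing remount-dev-exec.service"
+substituteInPlace $out/lib/systemd/system/remount-dev-exec.service \
+--replace '/bin/mount' \
+"${util-linux}/bin/mount"
+
+header "Fixing linksgx.sh"
+# https://github.com/intel/linux-sgx/pull/736
+substituteInPlace $out/aesm/linksgx.sh \
+--replace '/usr/bin/getent' \
+'${glibc.bin}/bin/getent' \
+--replace '/usr/sbin/usermod' \
+'${shadow}/bin/usermod'
+'';
+
+meta = with lib; {
+description = "Intel SGX Architectural Enclave Service Manager";
+homepage = "https://github.com/intel/linux-sgx";
+maintainers = with maintainers; [ veehaitch citadelcore ];
+platforms = [ "x86_64-linux" ];
+license = with licenses; [ bsd3 ];
+};
+}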
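Review bot: The final sanity check in postInstall reports the wrong directory: `rmdir $sgxPswDir` is what fails, but the message names `$installDir` and lists `$(ls -A $installDir)`, which only ever shows the top-level `opt`/`usr` entries rather than the leftover files a maintainer needs to see. Change it to `rmdir $sgxPswDir || (echo "Error: The directory $sgxPswDir still contains unhandled files: $(ls -A $sgxPswDir)" >&2 && exit 1)`. Note that this check only covers `opt/intel/sgxpsw`; anything the installer drops elsewhere under `$installDir` (for example beside `usr/lib64`) would pass unnoticed, so a closing `find "$installDir" -type f` check would make the "nothing forgotten" guarantee hold for the whole DESTDIR tree. Separately, the dcap `url` ends in `$(unknown)` as rendered on this page; if that is the literal source text rather than a rendering artifact it is not a Nix interpolation and the fetch cannot match the pinned hash — `${filename}` from the enclosing `rec`, which the grep against download_prebuilt.sh already relies on, is the intended value.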