Merge pull request #154550 from veehaitch/sgx-compat-udev

nixos/intel-sgx: add option for Intel SGX DCAP compatibility
2 years ago · dfdf225a98
parent 32e0d3743d b88ddadf8b
commit dfdf225a98
2 changed files with 48 additions and 21 deletions
--- a/nixos/modules/hardware/cpu/intel-sgx.nix
+++ b/nixos/modules/hardware/cpu/intel-sgx.nix
@ -1,10 +1,24 @@
 { config, lib, ... }:
 with lib;
 let
-  cfg = config.hardware.cpu.intel.sgx.provision;
-  defaultGroup = "sgx_prv";
+  cfg = config.hardware.cpu.intel.sgx;
+  defaultPrvGroup = "sgx_prv";
 in
 {
+  options.hardware.cpu.intel.sgx.enableDcapCompat = mkOption {
+    description = ''
+      Whether to enable backward compatibility for SGX software build for the
+      out-of-tree Intel SGX DCAP driver.
+
+      Creates symbolic links for the SGX devices <literal>/dev/sgx_enclave</literal>
+      and <literal>/dev/sgx_provision</literal> to make them available as
+      <literal>/dev/sgx/enclave</literal>  and <literal>/dev/sgx/provision</literal>,
+      respectively.
+    '';
+    type = types.bool;
+    default = true;
+  };
+
  options.hardware.cpu.intel.sgx.provision = {
    enable = mkEnableOption "access to the Intel SGX provisioning device";
    user = mkOption {
@ -15,7 +29,7 @@ in
    group = mkOption {
      description = "Group to assign to the SGX provisioning device.";
      type = types.str;
-      default = defaultGroup;
+      default = defaultPrvGroup;
    };
    mode = mkOption {
      description = "Mode to set for the SGX provisioning device.";
@ -24,24 +38,32 @@ in
    };
  };

-  config = mkIf cfg.enable {
-    assertions = [
-      {
-        assertion = hasAttr cfg.user config.users.users;
-        message = "Given user does not exist";
-      }
-      {
-        assertion = (cfg.group == defaultGroup) || (hasAttr cfg.group config.users.groups);
-        message = "Given group does not exist";
-      }
-    ];
+  config = mkMerge [
+    (mkIf cfg.provision.enable {
+      assertions = [
+        {
+          assertion = hasAttr cfg.provision.user config.users.users;
+          message = "Given user does not exist";
+        }
+        {
+          assertion = (cfg.provision.group == defaultPrvGroup) || (hasAttr cfg.provision.group config.users.groups);
+          message = "Given group does not exist";
+        }
+      ];

-    users.groups = optionalAttrs (cfg.group == defaultGroup) {
-      "${cfg.group}" = { };
-    };
+      users.groups = optionalAttrs (cfg.provision.group == defaultPrvGroup) {
+        "${cfg.provision.group}" = { };
+      };

-    services.udev.extraRules = ''
-      SUBSYSTEM=="misc", KERNEL=="sgx_provision", OWNER="${cfg.user}", GROUP="${cfg.group}", MODE="${cfg.mode}"
-    '';
-  };
+      services.udev.extraRules = with cfg.provision; ''
+        SUBSYSTEM=="misc", KERNEL=="sgx_provision", OWNER="${user}", GROUP="${group}", MODE="${mode}"
+      '';
+    })
+    (mkIf cfg.enableDcapCompat {
+      services.udev.extraRules = ''
+        SUBSYSTEM=="misc", KERNEL=="sgx_enclave",   SYMLINK+="sgx/enclave"
+        SUBSYSTEM=="misc", KERNEL=="sgx_provision", SYMLINK+="sgx/provision"
+      '';
+    })
+  ];
 }
--- a/nixos/modules/services/security/aesmd.nix
+++ b/nixos/modules/services/security/aesmd.nix
@ -73,6 +73,11 @@ in

    hardware.cpu.intel.sgx.provision.enable = true;

+    # Make sure the AESM service can find the SGX devices until
+    # https://github.com/intel/linux-sgx/issues/772 is resolved
+    # and updated in nixpkgs.
+    hardware.cpu.intel.sgx.enableDcapCompat = mkForce true;
+
    systemd.services.aesmd =
      let
        storeAesmFolder = "${sgx-psw}/aesm";