authorVincent Haupert <mail@vincent-haupert.de>2022-01-02 23:38:00 +0100
committerVincent Haupert <mail@vincent-haupert.de>2022-01-09 18:02:58 +0100
commit9dac06a14ddeef95b103a91579a5aa7d8b6ebe8a (patch)
tree49edaa1937e5697f076d8a8c7ce587a8c0de13c7 /pkgs/os-specific/linux/sgx/sdk
parent0bf74112110f225bde9017bd0940226aad1f3155 (diff)
sgx-sdk, sgx-psw: improve samples
Make it easier to review updates to `sgx-{sdk,psw}` on machines with
actual SGX hardware support. The passthru tests build and run the SGX
samples in simulation mode, which works without any hardware support. To
run the samples on a machine with SGX hardware support, issue the
following command:

```bash
 $(nix-build -A sgx-sdk.runTestsHW)/bin/run-tests-hw
```

Make sure the SGX AESM daemon is running as some tests require it. See
the `services.aesmd.*` NixOS module options and the `sgx-psw` package
for details.
Diffstat (limited to 'pkgs/os-specific/linux/sgx/sdk')
-rw-r--r--pkgs/os-specific/linux/sgx/sdk/default.nix24
-rw-r--r--pkgs/os-specific/linux/sgx/sdk/samples.nix63
2 files changed, 22 insertions, 65 deletions
diff --git a/pkgs/os-specific/linux/sgx/sdk/default.nix b/pkgs/os-specific/linux/sgx/sdk/default.nix
index 18876f927e8..0a80040f33a 100644
--- a/pkgs/os-specific/linux/sgx/sdk/default.nix
+++ b/pkgs/os-specific/linux/sgx/sdk/default.nix
@@ -3,15 +3,16 @@
 , fetchFromGitHub
 , fetchpatch
 , fetchzip
-, callPackage
 , autoconf
 , automake
 , binutils
+, callPackage
 , cmake
 , file
 , gdb
 , git
 , libtool
+, linkFarmFromDrvs
 , nasm
 , ocaml
 , ocamlPackages
@@ -20,6 +21,7 @@
 , python3
 , texinfo
 , validatePkgConfig
+, writeShellApplication
 , writeShellScript
 , writeText
 , debug ? false
@@ -257,7 +259,25 @@ stdenv.mkDerivation rec {
     postHooks+=(sgxsdk)
   '';
 
-  passthru.tests = callPackage ./samples.nix { };
+  passthru.tests = callPackage ../samples { sgxMode = "SIM"; };
+
+  # Run tests in SGX hardware mode on an SGX-enabled machine
+  # $(nix-build -A sgx-sdk.runTestsHW)/bin/run-tests-hw
+  passthru.runTestsHW =
+    let
+      testsHW = lib.filterAttrs (_: v: v ? "name") (callPackage ../samples { sgxMode = "HW"; });
+      testsHWLinked = linkFarmFromDrvs "sgx-samples-hw-bundle" (lib.attrValues testsHW);
+    in
+    writeShellApplication {
+      name = "run-tests-hw";
+      text = ''
+        for test in ${testsHWLinked}/*; do
+          printf '*** Running test %s ***\n\n' "$(basename "$test")"
+          printf 'a\n' | "$test/bin/app"
+          printf '\n'
+        done
+      '';
+    };
 
   meta = with lib; {
     description = "Intel SGX SDK for Linux built with IPP Crypto Library";
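Review bot: The `run-tests-hw` loop stops at the first sample that exits non-zero, because `writeShellApplication` runs its `text` under errexit and pipefail, so someone validating an `sgx-sdk`/`sgx-psw` update on real hardware never sees the results of the remaining enclaves. Collecting the failures and exiting non-zero after the loop keeps the overall status while showing the full picture, as sketched below. Separately, `v ? "name"` in `testsHW` is presumably there to drop the `override` attributes that `callPackage` adds; `lib.isDerivation v` would state that intent directly. The script also runs each `app` from the caller's working directory, whereas the removed `samples.nix` ran `./app` after `pushd $out`; whether the new `../samples` package makes that unnecessary is not visible here. The enclosing `stdenv.mkDerivation` starts and ends outside this hunk.

```nix
      text = ''
        failed=()
        for test in ${testsHWLinked}/*; do
          printf '*** Running test %s ***\n\n' "$(basename "$test")"
          # Record the failure instead of letting errexit abort the whole run.
          if ! printf 'a\n' | "$test/bin/app"; then
            failed+=("$(basename "$test")")
          fi
          printf '\n'
        done
        if (( ''${#failed[@]} > 0 )); then
          printf 'Failed samples: %s\n' "''${failed[*]}" >&2
          exit 1
        fi
      '';
```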
diff --git a/pkgs/os-specific/linux/sgx/sdk/samples.nix b/pkgs/os-specific/linux/sgx/sdk/samples.nix
deleted file mode 100644
index 21b31f82447..00000000000
--- a/pkgs/os-specific/linux/sgx/sdk/samples.nix
+++ /dev/null
@@ -1,63 +0,0 @@
-{ stdenv
-, sgx-sdk
-, which
-}:
-let
-  buildSample = name: stdenv.mkDerivation rec {
-    inherit name;
-
-    src = sgx-sdk.out;
-    sourceRoot = "${sgx-sdk.name}/share/SampleCode/${name}";
-
-    buildInputs = [
-      sgx-sdk
-    ];
-
-    # The samples don't have proper support for parallel building
-    # causing them to fail randomly.
-    enableParallelBuilding = false;
-
-    buildFlags = [
-      "SGX_MODE=SIM"
-    ];
-
-    installPhase = ''
-      mkdir $out
-      install -m 755 app $out/app
-      install *.so $out/
-    '';
-
-    doInstallCheck = true;
-    installCheckInputs = [ which ];
-    installCheckPhase = ''
-      pushd $out
-      ./app
-      popd
-    '';
-  };
-in
-{
-  cxx11SGXDemo = buildSample "Cxx11SGXDemo";
-  localAttestation = (buildSample "LocalAttestation").overrideAttrs (oldAttrs: {
-    installPhase = ''
-      mkdir $out
-      cp -r bin/. $out/
-    '';
-  });
-  powerTransition = (buildSample "PowerTransition").overrideAttrs (oldAttrs: {
-    # Requires interaction
-    doInstallCheck = false;
-  });
-  protobufSGXDemo = buildSample "ProtobufSGXDemo";
-  remoteAttestation = (buildSample "RemoteAttestation").overrideAttrs (oldAttrs: {
-    dontFixup = true;
-    installCheckPhase = ''
-      echo "a" | LD_LIBRARY_PATH=$LD_LIBRARY_PATH:$PWD/sample_libcrypto ./app
-    '';
-  });
-  sampleEnclave = buildSample "SampleEnclave";
-  sampleEnclavePCL = buildSample "SampleEnclavePCL";
-  sampleEnclaveGMIPP = buildSample "SampleEnclaveGMIPP";
-  sealUnseal = buildSample "SealUnseal";
-  switchless = buildSample "Switchless";
-}