authorVincent Haupert <mail@vincent-haupert.de>2022-01-02 23:38:00 +0100
committerVincent Haupert <mail@vincent-haupert.de>2022-01-09 18:02:58 +0100
commit9dac06a14ddeef95b103a91579a5aa7d8b6ebe8a (patch)
tree49edaa1937e5697f076d8a8c7ce587a8c0de13c7 /pkgs/os-specific/linux/sgx
parent0bf74112110f225bde9017bd0940226aad1f3155 (diff)
sgx-sdk, sgx-psw: improve samples
Make it easier to review updates to `sgx-{sdk,psw}` on machines with
actual SGX hardware support. The passthru tests build and run the SGX
samples in simulation mode which works without any hardware support. To
run the samples on a machine with SGX hardware support, issue the
following command:

```bash
 $(nix-build -A sgx-sdk.runTestsHW)/bin/run-tests-hw
```

Make sure the SGX AESM daemon is running as some tests require it. See
the `services.aesmd.*` NixOS module options and the `sgx-psw` package
for details.
Diffstat (limited to 'pkgs/os-specific/linux/sgx')
-rw-r--r--pkgs/os-specific/linux/sgx/samples/default.nix109
-rw-r--r--pkgs/os-specific/linux/sgx/sdk/default.nix24
-rw-r--r--pkgs/os-specific/linux/sgx/sdk/samples.nix63
3 files changed, 131 insertions, 65 deletions
diff --git a/pkgs/os-specific/linux/sgx/samples/default.nix b/pkgs/os-specific/linux/sgx/samples/default.nix
new file mode 100644
index 00000000000..f9c5ae45054
--- /dev/null
+++ b/pkgs/os-specific/linux/sgx/samples/default.nix
@@ -0,0 +1,109 @@
+{ stdenv
+, lib
+, makeWrapper
+, sgx-sdk
+, sgx-psw
+, which
+  # "SIM" or "HW"
+, sgxMode
+}:
+let
+  isSimulation = sgxMode == "SIM";
+  buildSample = name: stdenv.mkDerivation {
+    pname = name;
+    version = sgxMode;
+
+    src = sgx-sdk.out;
+    sourceRoot = "${sgx-sdk.name}/share/SampleCode/${name}";
+
+    nativeBuildInputs = [
+      makeWrapper
+      which
+    ];
+
+    buildInputs = [
+      sgx-sdk
+    ];
+
+    # The samples don't have proper support for parallel building
+    # causing them to fail randomly.
+    enableParallelBuilding = false;
+
+    buildFlags = [
+      "SGX_MODE=${sgxMode}"
+    ];
+
+    installPhase = ''
+      runHook preInstall
+
+      mkdir -p $out/{bin,lib}
+      install -m 755 app $out/bin
+      install *.so $out/lib
+
+      wrapProgram "$out/bin/app" \
+        --run "cd $out/lib" \
+        ${lib.optionalString (!isSimulation)
+        ''--prefix LD_LIBRARY_PATH : "${lib.makeLibraryPath [ sgx-psw ]}"''}
+
+      runHook postInstall
+    '';
+
+    # Breaks the signature of the enclaves
+    dontFixup = true;
+
+    # We don't have access to real SGX hardware during the build
+    doInstallCheck = isSimulation;
+    installCheckPhase = ''
+      runHook preInstallCheck
+
+      pushd /
+      echo a | $out/bin/app
+      popd
+
+      runHook preInstallCheck
+    '';
+  };
+in
+{
+  cxx11SGXDemo = buildSample "Cxx11SGXDemo";
+  localAttestation = (buildSample "LocalAttestation").overrideAttrs (oldAttrs: {
+    installPhase = ''
+      runHook preInstall
+
+      mkdir -p $out/{bin,lib}
+      install -m 755 bin/app* $out/bin
+      install bin/*.so $out/lib
+
+      for bin in $out/bin/*; do
+        wrapProgram $bin \
+          --run "cd $out/lib" \
+          ${lib.optionalString (!isSimulation)
+          ''--prefix LD_LIBRARY_PATH : "${lib.makeLibraryPath [ sgx-psw ]}"''}
+      done
+
+      runHook postInstall
+    '';
+  });
+  powerTransition = buildSample "PowerTransition";
+  protobufSGXDemo = buildSample "ProtobufSGXDemo";
+  remoteAttestation = (buildSample "RemoteAttestation").overrideAttrs (oldAttrs: {
+    # Makefile sets rpath to point to $TMPDIR
+    preFixup = ''
+      patchelf --remove-rpath $out/bin/app
+    '';
+
+    postInstall = ''
+      install sample_libcrypto/*.so $out/lib
+    '';
+  });
+  sampleEnclave = buildSample "SampleEnclave";
+  sampleEnclavePCL = buildSample "SampleEnclavePCL";
+  sampleEnclaveGMIPP = buildSample "SampleEnclaveGMIPP";
+  sealUnseal = (buildSample "SealUnseal").overrideAttrs (oldAttrs: {
+    prePatch = ''
+      substituteInPlace App/App.cpp \
+        --replace '"sealed_data_blob.txt"' '"/tmp/sealed_data_blob.txt"'
+    '';
+  });
+  switchless = buildSample "Switchless";
+}
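Review bot: The `preFixup` hook added for `remoteAttestation` (the `patchelf --remove-rpath` at the "Makefile sets rpath to point to $TMPDIR" comment) never runs, because `buildSample` sets `dontFixup = true` and, as far as I can tell, stdenv only invokes `preFixup` from inside the fixup phase it is skipping. The installed `app` therefore keeps an rpath pointing at the build-time temporary directory, i.e. a library search path outside the store that is exactly what the comment meant to remove — worth fixing before this binary is run in HW mode on a real machine. Move the call into the hook that does run: `postInstall = ''` / `  patchelf --remove-rpath $out/bin/app` / `  install sample_libcrypto/*.so $out/lib` / `'';`. Separately, `installCheckPhase` closes with `runHook preInstallCheck` where `runHook postInstallCheck` is clearly intended. The `sealUnseal` patch also hard-codes the shared, predictable path `/tmp/sealed_data_blob.txt`; the blob is sealed so its contents are protected, but on a multi-user HW machine a pre-existing file or symlink at that path would be followed, so a per-user or `$TMPDIR`-based location would be safer if the sample allows it.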
diff --git a/pkgs/os-specific/linux/sgx/sdk/default.nix b/pkgs/os-specific/linux/sgx/sdk/default.nix
index 18876f927e8..0a80040f33a 100644
--- a/pkgs/os-specific/linux/sgx/sdk/default.nix
+++ b/pkgs/os-specific/linux/sgx/sdk/default.nix
@@ -3,15 +3,16 @@
 , fetchFromGitHub
 , fetchpatch
 , fetchzip
-, callPackage
 , autoconf
 , automake
 , binutils
+, callPackage
 , cmake
 , file
 , gdb
 , git
 , libtool
+, linkFarmFromDrvs
 , nasm
 , ocaml
 , ocamlPackages
@@ -20,6 +21,7 @@
 , python3
 , texinfo
 , validatePkgConfig
+, writeShellApplication
 , writeShellScript
 , writeText
 , debug ? false
@@ -257,7 +259,25 @@ stdenv.mkDerivation rec {
     postHooks+=(sgxsdk)
   '';
 
-  passthru.tests = callPackage ./samples.nix { };
+  passthru.tests = callPackage ../samples { sgxMode = "SIM"; };
+
+  # Run tests in SGX hardware mode on an SGX-enabled machine
+  # $(nix-build -A sgx-sdk.runTestsHW)/bin/run-tests-hw
+  passthru.runTestsHW =
+    let
+      testsHW = lib.filterAttrs (_: v: v ? "name") (callPackage ../samples { sgxMode = "HW"; });
+      testsHWLinked = linkFarmFromDrvs "sgx-samples-hw-bundle" (lib.attrValues testsHW);
+    in
+    writeShellApplication {
+      name = "run-tests-hw";
+      text = ''
+        for test in ${testsHWLinked}/*; do
+          printf '*** Running test %s ***\n\n' "$(basename "$test")"
+          printf 'a\n' | "$test/bin/app"
+          printf '\n'
+        done
+      '';
+    };
 
   meta = with lib; {
     description = "Intel SGX SDK for Linux built with IPP Crypto Library";
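Review bot: Because `writeShellApplication` enables errexit and pipefail, the first sample whose `app` exits non-zero in the loop (`printf 'a\n' | "$test/bin/app"`) aborts the script and the remaining samples are silently never run. If fail-fast is the intent, say so in the comment above `passthru.runTestsHW` (e.g. "stops at the first failing sample"); otherwise collect failures and keep going: `failed=()` before the loop, `if ! printf 'a\n' | "$test/bin/app"; then failed+=("$(basename "$test")"); fi` in it, and `[ "''${#failed[@]}" -eq 0 ] || { printf 'FAILED: %s\n' "''${failed[@]}"; exit 1; }` after it. The commit message says some tests require aesmd, so a short preflight check or at least a comment naming the dependency here would save the reviewer a confusing failure midway through the run.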
diff --git a/pkgs/os-specific/linux/sgx/sdk/samples.nix b/pkgs/os-specific/linux/sgx/sdk/samples.nix
deleted file mode 100644
index 21b31f82447..00000000000
--- a/pkgs/os-specific/linux/sgx/sdk/samples.nix
+++ /dev/null
@@ -1,63 +0,0 @@
-{ stdenv
-, sgx-sdk
-, which
-}:
-let
-  buildSample = name: stdenv.mkDerivation rec {
-    inherit name;
-
-    src = sgx-sdk.out;
-    sourceRoot = "${sgx-sdk.name}/share/SampleCode/${name}";
-
-    buildInputs = [
-      sgx-sdk
-    ];
-
-    # The samples don't have proper support for parallel building
-    # causing them to fail randomly.
-    enableParallelBuilding = false;
-
-    buildFlags = [
-      "SGX_MODE=SIM"
-    ];
-
-    installPhase = ''
-      mkdir $out
-      install -m 755 app $out/app
-      install *.so $out/
-    '';
-
-    doInstallCheck = true;
-    installCheckInputs = [ which ];
-    installCheckPhase = ''
-      pushd $out
-      ./app
-      popd
-    '';
-  };
-in
-{
-  cxx11SGXDemo = buildSample "Cxx11SGXDemo";
-  localAttestation = (buildSample "LocalAttestation").overrideAttrs (oldAttrs: {
-    installPhase = ''
-      mkdir $out
-      cp -r bin/. $out/
-    '';
-  });
-  powerTransition = (buildSample "PowerTransition").overrideAttrs (oldAttrs: {
-    # Requires interaction
-    doInstallCheck = false;
-  });
-  protobufSGXDemo = buildSample "ProtobufSGXDemo";
-  remoteAttestation = (buildSample "RemoteAttestation").overrideAttrs (oldAttrs: {
-    dontFixup = true;
-    installCheckPhase = ''
-      echo "a" | LD_LIBRARY_PATH=$LD_LIBRARY_PATH:$PWD/sample_libcrypto ./app
-    '';
-  });
-  sampleEnclave = buildSample "SampleEnclave";
-  sampleEnclavePCL = buildSample "SampleEnclavePCL";
-  sampleEnclaveGMIPP = buildSample "SampleEnclaveGMIPP";
-  sealUnseal = buildSample "SealUnseal";
-  switchless = buildSample "Switchless";
-}