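{ config, lib, ... }:
# NixOS module for the Intel SGX device nodes exposed by the in-tree kernel
# driver: /dev/sgx_enclave and /dev/sgx_provision.
#
# Two independent concerns live here:
#   * hardware.cpu.intel.sgx.provision — who may open /dev/sgx_provision.
#     The provisioning device is the sensitive one of the pair (it gates the
#     SGX provisioning key used for attestation flows), so it stays closed
#     unless explicitly enabled, and then defaults to owner/group access only.
#   * hardware.cpu.intel.sgx.enableDcapCompat — legacy /dev/sgx/* symlinks
#     for software built against the out-of-tree DCAP driver.
let
  cfg = config.hardware.cpu.intel.sgx;

  # Group created by this module when the admin does not supply their own.
  defaultPrvGroup = "sgx_prv";
in
{
  options.hardware.cpu.intel.sgx.enableDcapCompat = lib.mkOption {
    description = ''
      Whether to enable backward compatibility for SGX software built for the
      out-of-tree Intel SGX DCAP driver.

      Creates symbolic links for the SGX devices `/dev/sgx_enclave`
      and `/dev/sgx_provision` to make them available as
      `/dev/sgx/enclave` and `/dev/sgx/provision`,
      respectively.

      The links are created regardless of
      {option}`hardware.cpu.intel.sgx.provision.enable`; they do not change
      who may open the devices, which is governed by the permissions of the
      underlying device nodes.
    '';
    type = lib.types.bool;
    default = true;
  };

  options.hardware.cpu.intel.sgx.provision = {
    enable = lib.mkEnableOption "access to the Intel SGX provisioning device";

    user = lib.mkOption {
      description = ''
        Owner to assign to the SGX provisioning device.
        Must be a user declared in {option}`users.users`.
      '';
      type = lib.types.str;
      default = "root";
    };

    group = lib.mkOption {
      description = ''
        Group to assign to the SGX provisioning device.
        Must be a group declared in {option}`users.groups`, unless left at
        the default, in which case the group is created by this module.
        Add the service accounts that need attestation to this group rather
        than widening {option}`hardware.cpu.intel.sgx.provision.mode`.
      '';
      type = lib.types.str;
      default = defaultPrvGroup;
    };

    mode = lib.mkOption {
      description = ''
        Mode to set for the SGX provisioning device, as an octal string
        passed verbatim to the udev `MODE=` key.
        Keep it restricted to the owner and group; a world-accessible mode
        makes the provisioning device reachable by every local user.
      '';
      type = lib.types.str;
      default = "0660";
    };
  };

  config = lib.mkMerge [
    (lib.mkIf cfg.provision.enable {
      # Fail evaluation early on a typo in the user/group rather than letting
      # udev log a runtime error and leave the device with default ownership.
      assertions = [
        {
          assertion = lib.hasAttr cfg.provision.user config.users.users;
          message = "hardware.cpu.intel.sgx.provision.user: user '${cfg.provision.user}' does not exist";
        }
        {
          # The default group is declared below, so it need not pre-exist.
          assertion =
            (cfg.provision.group == defaultPrvGroup)
            || (lib.hasAttr cfg.provision.group config.users.groups);
          message = "hardware.cpu.intel.sgx.provision.group: group '${cfg.provision.group}' does not exist";
        }
      ];

      # Only the module-provided default group is created here; a custom
      # group is the admin's responsibility (checked by the assertion above).
      users.groups = lib.optionalAttrs (cfg.provision.group == defaultPrvGroup) {
        ${defaultPrvGroup} = { };
      };

      # Ownership and mode apply to the real node; the DCAP compat symlink
      # (if any) inherits access control from this node.
      services.udev.extraRules = with cfg.provision; ''
        SUBSYSTEM=="misc", KERNEL=="sgx_provision", OWNER="${user}", GROUP="${group}", MODE="${mode}"
      '';
    })

    (lib.mkIf cfg.enableDcapCompat {
      services.udev.extraRules = ''
        SUBSYSTEM=="misc", KERNEL=="sgx_enclave", SYMLINK+="sgx/enclave"
        SUBSYSTEM=="misc", KERNEL=="sgx_provision", SYMLINK+="sgx/provision"
      '';
    })
  ];
}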