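{ pkgs, lib, ... }:
{
  name = "aesmd";
  meta = {
    maintainers = with lib.maintainers; [
      trundle
      veehaitch
    ];
  };

  nodes.machine =
    { lib, ... }:
    {
      services.aesmd = {
        enable = true;
        # Dummy settings; the test only checks that they are rendered
        # verbatim into the service's /etc/aesmd.conf (see testScript).
        settings = {
          defaultQuotingType = "ecdsa_256";
          proxyType = "direct";
          whitelistUrl = "http://nixos.org";
        };
      };

      # Member of the "sgx" group: should have access to the AESM socket
      users.users."sgxtest" = {
        isNormalUser = true;
        extraGroups = [ "sgx" ];
      };

      # Not in the "sgx" group: should NOT have access to the AESM socket
      users.users."nosgxtest".isNormalUser = true;

      # We don't have a real SGX machine in NixOS tests, so drop the unit's
      # AssertPathExists (presumably on the SGX device nodes) to let it start.
      systemd.services.aesmd.unitConfig.AssertPathExists = lib.mkForce [ ];

      specialisation = {
        # Same machine, but with the Azure DCAP quote provider library
        # configured; the test script switches to it halfway through.
        withQuoteProvider.configuration =
          { ... }:
          {
            services.aesmd = {
              quoteProviderLibrary = pkgs.sgx-azure-dcap-client;
              environment = {
                AZDCAP_DEBUG_LOG_LEVEL = "INFO";
              };
            };
          };
      };
    };

  testScript =
    { nodes, ... }:
    let
      specialisations = "${nodes.machine.system.build.toplevel}/specialisation";
    in
    ''
      def get_aesmd_pid():
          """Return the MainPID of aesmd.service as a string; fails the test if it cannot be read."""
          status, main_pid = machine.systemctl("show --property MainPID --value aesmd.service")
          assert status == 0, "Could not get MainPID of aesmd.service"
          return main_pid.strip()


      def environ_entry(pid, name):
          """Return the `NAME=value` line for variable `name` from /proc/<pid>/environ.

          The grep is anchored on `^NAME=` so that another variable whose name
          merely contains `name` can neither be returned in its place nor add
          extra lines to the output.
          """
          return machine.succeed(f"xargs -0 -L1 -a /proc/{pid}/environ | grep '^{name}='")


      with subtest("aesmd.service starts"):
          machine.wait_for_unit("aesmd.service")

      main_pid = get_aesmd_pid()

      with subtest("aesmd.service runtime directory permissions"):
          # The socket itself is world-accessible (checked below), so the
          # runtime directory is what gates access: only aesmd and the "sgx"
          # group may traverse it.
          runtime_dir = "/run/aesmd"
          res = machine.succeed(f"stat -c '%a %U %G' {runtime_dir}").strip()
          assert "750 aesmd sgx" == res, f"{runtime_dir} does not have the expected permissions: {res}"

      with subtest("aesm.socket available on host"):
          # NOTE(review): /var/run rather than /run, presumably because the
          # SGX SDK hard-codes this path; on NixOS /var/run points at /run.
          socket_path = "/var/run/aesmd/aesm.socket"
          machine.wait_until_succeeds(f"test -S {socket_path}")
          machine.succeed(f"test 777 -eq $(stat -c '%a' {socket_path})")
          # Access is decided by the 750 directory above, not by the socket's
          # own mode: an "sgx" member gets through, anyone else is stopped at
          # the directory.
          for op in [ "-r", "-w", "-x" ]:
              machine.succeed(f"sudo -u sgxtest test {op} {socket_path}")
              machine.fail(f"sudo -u nosgxtest test {op} {socket_path}")

      with subtest("Copies white_list_cert_to_be_verify.bin"):
          # The service has its own mount namespace, so inspect the file from
          # inside it via nsenter.
          whitelist_path = "/var/opt/aesmd/data/white_list_cert_to_be_verify.bin"
          whitelist_perms = machine.succeed(
              f"nsenter -m -t {main_pid} ${pkgs.coreutils}/bin/stat -c '%a' {whitelist_path}"
          ).strip()
          assert "644" == whitelist_perms, f"white_list_cert_to_be_verify.bin has permissions {whitelist_perms}"

      with subtest("Writes and binds aesm.conf in service namespace"):
          aesmd_config = machine.succeed(f"nsenter -m -t {main_pid} ${pkgs.coreutils}/bin/cat /etc/aesmd.conf")

          assert aesmd_config == "whitelist url = http://nixos.org\nproxy type = direct\ndefault quoting type = ecdsa_256\n", "aesmd.conf differs"

      with subtest("aesmd.service without quote provider library has correct LD_LIBRARY_PATH"):
          status, environment = machine.systemctl("show --property Environment --value aesmd.service")
          assert status == 0, "Could not get Environment of aesmd.service"
          env_by_name = dict(entry.split("=", 1) for entry in environment.split())
          # Fail with a clear message instead of a KeyError if the variable is
          # missing entirely; an empty value means no quote provider library
          # is injected into the daemon.
          assert "LD_LIBRARY_PATH" in env_by_name, "LD_LIBRARY_PATH is not set on aesmd.service"
          assert not env_by_name["LD_LIBRARY_PATH"], "LD_LIBRARY_PATH is not empty"

      with subtest("aesmd.service with quote provider library starts"):
          machine.succeed('${specialisations}/withQuoteProvider/bin/switch-to-configuration test')
          machine.wait_for_unit("aesmd.service")

      # The switch may have restarted the service, so re-read its PID.
      main_pid = get_aesmd_pid()

      with subtest("aesmd.service with quote provider library has correct LD_LIBRARY_PATH"):
          ld_library_path = environ_entry(main_pid, "LD_LIBRARY_PATH")
          assert ld_library_path.startswith("LD_LIBRARY_PATH=${pkgs.sgx-azure-dcap-client}/lib:"), \
              "LD_LIBRARY_PATH is not set to the configured quote provider library"

      with subtest("aesmd.service with quote provider library has set AZDCAP_DEBUG_LOG_LEVEL"):
          azdcp_debug_log_level = environ_entry(main_pid, "AZDCAP_DEBUG_LOG_LEVEL")
          assert azdcp_debug_log_level == "AZDCAP_DEBUG_LOG_LEVEL=INFO\n", "AZDCAP_DEBUG_LOG_LEVEL is not set to INFO"
    '';
}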