commit c8c8ac5cc65e4cc8c6e7c84fbfc68e5466fc1d74 · pyrox.dev/nixpkgs

+18 -3

nixos/modules/services/security/aesmd.nix

···

       25
       25
        
             default = false;

     

       26
       26
        
             description = lib.mdDoc "Whether to build the PSW package in debug mode.";

     

       27
       27
        
           };

     

       28
       28
       +
           environment = mkOption {

     

       29
       29
       +
             type = with types; attrsOf str;

     

       30
       30
       +
             default = { };

     

       31
       31
       +
             description = mdDoc "Additional environment variables to pass to the AESM service.";

     

       32
       32
       +
             # Example environment variable for `sgx-azure-dcap-client` provider library

     

       33
       33
       +
             example = {

     

       34
       34
       +
               AZDCAP_COLLATERAL_VERSION = "v2";

     

       35
       35
       +
               AZDCAP_DEBUG_LOG_LEVEL = "INFO";

     

       36
       36
       +
             };

     

       37
       37
       +
           };

     

       38
       38
       +
           quoteProviderLibrary = mkOption {

     

       39
       39
       +
             type = with types; nullOr path;

     

       40
       40
       +
             default = null;

     

       41
       41
       +
             example = literalExpression "pkgs.sgx-azure-dcap-client";

     

       42
       42
       +
             description = lib.mdDoc "Custom quote provider library to use.";

     

       43
       43
       +
           };

     

       28
       44
        
           settings = mkOption {

     

       29
       45
        
             description = lib.mdDoc "AESM configuration";

     

       30
       46
        
             default = { };

     
···

       83
       99
        
               storeAesmFolder = "${sgx-psw}/aesm";

     

       84
       100
        
               # Hardcoded path AESM_DATA_FOLDER in psw/ae/aesm_service/source/oal/linux/aesm_util.cpp

     

       85
       101
        
               aesmDataFolder = "/var/opt/aesmd/data";

     

       86
       86
       -
               aesmStateDirSystemd = "%S/aesmd";

     

       87
       102
        
             in

     

       88
       103
        
             {

     

       89
       104
        
               description = "Intel Architectural Enclave Service Manager";

     
···

       98
       113
        
               environment = {

     

       99
       114
        
                 NAME = "aesm_service";

     

       100
       115
        
                 AESM_PATH = storeAesmFolder;

     

       101
       101
       -
                 LD_LIBRARY_PATH = storeAesmFolder;

     

       102
       102
       -
               };

     

       116
       116
       +
                 LD_LIBRARY_PATH = makeLibraryPath [ cfg.quoteProviderLibrary ];

     

       117
       117
       +
               } // cfg.environment;

     

       103
       118
        
       

     

       104
       119
        
               # Make sure any of the SGX application enclave devices is available

     

       105
       120
        
               unitConfig.AssertPathExists = [

+68 -28

nixos/tests/aesmd.nix

···

       1
       1
        
       { pkgs, lib, ... }: {

     

       2
       2
        
         name = "aesmd";

     

       3
       3
        
         meta = {

     

       4
       4
       -
           maintainers = with lib.maintainers; [ veehaitch ];

     

       4
       4
       +
           maintainers = with lib.maintainers; [ trundle veehaitch ];

     

       5
       5
        
         };

     

       6
       6
        
       

     

       7
       7
        
         nodes.machine = { lib, ... }: {

     
···

       25
       25
        
       

     

       26
       26
        
           # We don't have a real SGX machine in NixOS tests

     

       27
       27
        
           systemd.services.aesmd.unitConfig.AssertPathExists = lib.mkForce [ ];

     

       28
       28
       +
       

     

       29
       29
       +
           specialisation = {

     

       30
       30
       +
             withQuoteProvider.configuration = { ... }: {

     

       31
       31
       +
               services.aesmd = {

     

       32
       32
       +
                 quoteProviderLibrary = pkgs.sgx-azure-dcap-client;

     

       33
       33
       +
                 environment = {

     

       34
       34
       +
                   AZDCAP_DEBUG_LOG_LEVEL = "INFO";

     

       35
       35
       +
                 };

     

       36
       36
       +
               };

     

       37
       37
       +
             };

     

       38
       38
       +
           };

     

       28
       39
        
         };

     

       29
       40
        
       

     

       30
       30
       -
         testScript = ''

     

       31
       31
       -
           with subtest("aesmd.service starts"):

     

       32
       32
       -
             machine.wait_for_unit("aesmd.service")

     

       33
       33
       -
             status, main_pid = machine.systemctl("show --property MainPID --value aesmd.service")

     

       34
       34
       -
             assert status == 0, "Could not get MainPID of aesmd.service"

     

       35
       35
       -
             main_pid = main_pid.strip()

     

       41
       41
       +
         testScript = { nodes, ... }:

     

       42
       42
       +
           let

     

       43
       43
       +
             specialisations = "${nodes.machine.system.build.toplevel}/specialisation";

     

       44
       44
       +
           in

     

       45
       45
       +
           ''

     

       46
       46
       +
             def get_aesmd_pid():

     

       47
       47
       +
               status, main_pid = machine.systemctl("show --property MainPID --value aesmd.service")

     

       48
       48
       +
               assert status == 0, "Could not get MainPID of aesmd.service"

     

       49
       49
       +
               return main_pid.strip()

     

       36
       50
        
       

     

       37
       37
       -
           with subtest("aesmd.service runtime directory permissions"):

     

       38
       38
       -
             runtime_dir = "/run/aesmd";

     

       39
       39
       -
             res = machine.succeed(f"stat -c '%a %U %G' {runtime_dir}").strip()

     

       40
       40
       -
             assert "750 aesmd sgx" == res, f"{runtime_dir} does not have the expected permissions: {res}"

     

       51
       51
       +
             with subtest("aesmd.service starts"):

     

       52
       52
       +
               machine.wait_for_unit("aesmd.service")

     

       41
       53
        
       

     

       42
       42
       -
           with subtest("aesm.socket available on host"):

     

       43
       43
       -
             socket_path = "/var/run/aesmd/aesm.socket"

     

       44
       44
       -
             machine.wait_until_succeeds(f"test -S {socket_path}")

     

       45
       45
       -
             machine.succeed(f"test 777 -eq $(stat -c '%a' {socket_path})")

     

       46
       46
       -
             for op in [ "-r", "-w", "-x" ]:

     

       47
       47
       -
               machine.succeed(f"sudo -u sgxtest test {op} {socket_path}")

     

       48
       48
       -
               machine.fail(f"sudo -u nosgxtest test {op} {socket_path}")

     

       54
       54
       +
             main_pid = get_aesmd_pid()

     

       49
       55
        
       

     

       50
       50
       -
           with subtest("Copies white_list_cert_to_be_verify.bin"):

     

       51
       51
       -
             whitelist_path = "/var/opt/aesmd/data/white_list_cert_to_be_verify.bin"

     

       52
       52
       -
             whitelist_perms = machine.succeed(

     

       53
       53
       -
               f"nsenter -m -t {main_pid} ${pkgs.coreutils}/bin/stat -c '%a' {whitelist_path}"

     

       54
       54
       -
             ).strip()

     

       55
       55
       -
             assert "644" == whitelist_perms, f"white_list_cert_to_be_verify.bin has permissions {whitelist_perms}"

     

       56
       56
       +
             with subtest("aesmd.service runtime directory permissions"):

     

       57
       57
       +
               runtime_dir = "/run/aesmd";

     

       58
       58
       +
               res = machine.succeed(f"stat -c '%a %U %G' {runtime_dir}").strip()

     

       59
       59
       +
               assert "750 aesmd sgx" == res, f"{runtime_dir} does not have the expected permissions: {res}"

     

       56
       60
        
       

     

       57
       57
       -
           with subtest("Writes and binds aesm.conf in service namespace"):

     

       58
       58
       -
             aesmd_config = machine.succeed(f"nsenter -m -t {main_pid} ${pkgs.coreutils}/bin/cat /etc/aesmd.conf")

     

       61
       61
       +
             with subtest("aesm.socket available on host"):

     

       62
       62
       +
               socket_path = "/var/run/aesmd/aesm.socket"

     

       63
       63
       +
               machine.wait_until_succeeds(f"test -S {socket_path}")

     

       64
       64
       +
               machine.succeed(f"test 777 -eq $(stat -c '%a' {socket_path})")

     

       65
       65
       +
               for op in [ "-r", "-w", "-x" ]:

     

       66
       66
       +
                 machine.succeed(f"sudo -u sgxtest test {op} {socket_path}")

     

       67
       67
       +
                 machine.fail(f"sudo -u nosgxtest test {op} {socket_path}")

     

       59
       68
        
       

     

       60
       60
       -
             assert aesmd_config == "whitelist url = http://nixos.org\nproxy type = direct\ndefault quoting type = ecdsa_256\n", "aesmd.conf differs"

     

       61
       61
       -
         '';

     

       69
       69
       +
             with subtest("Copies white_list_cert_to_be_verify.bin"):

     

       70
       70
       +
               whitelist_path = "/var/opt/aesmd/data/white_list_cert_to_be_verify.bin"

     

       71
       71
       +
               whitelist_perms = machine.succeed(

     

       72
       72
       +
                 f"nsenter -m -t {main_pid} ${pkgs.coreutils}/bin/stat -c '%a' {whitelist_path}"

     

       73
       73
       +
               ).strip()

     

       74
       74
       +
               assert "644" == whitelist_perms, f"white_list_cert_to_be_verify.bin has permissions {whitelist_perms}"

     

       75
       75
       +
       

     

       76
       76
       +
             with subtest("Writes and binds aesm.conf in service namespace"):

     

       77
       77
       +
               aesmd_config = machine.succeed(f"nsenter -m -t {main_pid} ${pkgs.coreutils}/bin/cat /etc/aesmd.conf")

     

       78
       78
       +
       

     

       79
       79
       +
               assert aesmd_config == "whitelist url = http://nixos.org\nproxy type = direct\ndefault quoting type = ecdsa_256\n", "aesmd.conf differs"

     

       80
       80
       +
       

     

       81
       81
       +
             with subtest("aesmd.service without quote provider library has correct LD_LIBRARY_PATH"):

     

       82
       82
       +
               status, environment = machine.systemctl("show --property Environment --value aesmd.service")

     

       83
       83
       +
               assert status == 0, "Could not get Environment of aesmd.service"

     

       84
       84
       +
               env_by_name = dict(entry.split("=", 1) for entry in environment.split())

     

       85
       85
       +
               assert not env_by_name["LD_LIBRARY_PATH"], "LD_LIBRARY_PATH is not empty"

     

       86
       86
       +
       

     

       87
       87
       +
             with subtest("aesmd.service with quote provider library starts"):

     

       88
       88
       +
               machine.succeed('${specialisations}/withQuoteProvider/bin/switch-to-configuration test')

     

       89
       89
       +
               machine.wait_for_unit("aesmd.service")

     

       90
       90
       +
       

     

       91
       91
       +
             main_pid = get_aesmd_pid()

     

       92
       92
       +
       

     

       93
       93
       +
             with subtest("aesmd.service with quote provider library has correct LD_LIBRARY_PATH"):

     

       94
       94
       +
               ld_library_path = machine.succeed(f"xargs -0 -L1 -a /proc/{main_pid}/environ | grep LD_LIBRARY_PATH")

     

       95
       95
       +
               assert ld_library_path.startswith("LD_LIBRARY_PATH=${pkgs.sgx-azure-dcap-client}/lib:"), \

     

       96
       96
       +
                 "LD_LIBRARY_PATH is not set to the configured quote provider library"

     

       97
       97
       +
       

     

       98
       98
       +
             with subtest("aesmd.service with quote provider library has set AZDCAP_DEBUG_LOG_LEVEL"):

     

       99
       99
       +
               azdcp_debug_log_level = machine.succeed(f"xargs -0 -L1 -a /proc/{main_pid}/environ | grep AZDCAP_DEBUG_LOG_LEVEL")

     

       100
       100
       +
               assert azdcp_debug_log_level == "AZDCAP_DEBUG_LOG_LEVEL=INFO\n", "AZDCAP_DEBUG_LOG_LEVEL is not set to INFO"

     

       101
       101
       +
           '';

     

       62
       102
        
       }

+1 -1

nixos/tests/all-tests.nix

···

       69
       69
        
         _3proxy = runTest ./3proxy.nix;

     

       70
       70
        
         acme = runTest ./acme.nix;

     

       71
       71
        
         adguardhome = runTest ./adguardhome.nix;

     

       72
       72
       -
         aesmd = runTest ./aesmd.nix;

     

       72
       72
       +
         aesmd = runTestOn ["x86_64-linux"] ./aesmd.nix;

     

       73
       73
        
         agate = runTest ./web-servers/agate.nix;

     

       74
       74
        
         agda = handleTest ./agda.nix {};

     

       75
       75
        
         airsonic = handleTest ./airsonic.nix {};

+93

pkgs/os-specific/linux/sgx/azure-dcap-client/default.nix

···

       1
       1
       +
       { stdenv

     

       2
       2
       +
       , fetchFromGitHub

     

       3
       3
       +
       , fetchurl

     

       4
       4
       +
       , lib

     

       5
       5
       +
       , curl

     

       6
       6
       +
       , nlohmann_json

     

       7
       7
       +
       , openssl

     

       8
       8
       +
       , pkg-config

     

       9
       9
       +
       , linkFarmFromDrvs

     

       10
       10
       +
       , callPackage

     

       11
       11
       +
       }:

     

       12
       12
       +
       

     

       13
       13
       +
       let

     

       14
       14
       +
         # Although those headers are also included in the source of `sgx-psw`, the `azure-dcap-client` build needs specific versions

     

       15
       15
       +
         filterSparse = list: ''

     

       16
       16
       +
           cp -r "$out"/. .

     

       17
       17
       +
           find "$out" -mindepth 1 -delete

     

       18
       18
       +
           cp ${lib.concatStringsSep " " list} "$out/"

     

       19
       19
       +
         '';

     

       20
       20
       +
         headers = linkFarmFromDrvs "azure-dcpa-client-intel-headers" [

     

       21
       21
       +
           (fetchFromGitHub rec {

     

       22
       22
       +
             name = "${repo}-headers";

     

       23
       23
       +
             owner = "intel";

     

       24
       24
       +
             repo = "SGXDataCenterAttestationPrimitives";

     

       25
       25
       +
             rev = "0436284f12f1bd5da7e7a06f6274d36b4c8d39f9";

     

       26
       26
       +
             sparseCheckout = [ "QuoteGeneration/quote_wrapper/common/inc/sgx_ql_lib_common.h" ];

     

       27
       27
       +
             hash = "sha256-ipKpYHbiwjCUXF/pCArJZy5ko1YX2wqMMdSnMUzhkgY=";

     

       28
       28
       +
             postFetch = filterSparse sparseCheckout;

     

       29
       29
       +
           })

     

       30
       30
       +
           (fetchFromGitHub rec {

     

       31
       31
       +
             name = "${repo}-headers";

     

       32
       32
       +
             owner = "intel";

     

       33
       33
       +
             repo = "linux-sgx";

     

       34
       34
       +
             rev = "1ccf25b64abd1c2eff05ead9d14b410b3c9ae7be";

     

       35
       35
       +
             hash = "sha256-WJRoS6+NBVJrFmHABEEDpDhW+zbWFUl65AycCkRavfs=";

     

       36
       36
       +
             sparseCheckout = [

     

       37
       37
       +
               "common/inc/sgx_report.h"

     

       38
       38
       +
               "common/inc/sgx_key.h"

     

       39
       39
       +
               "common/inc/sgx_attributes.h"

     

       40
       40
       +
             ];

     

       41
       41
       +
             postFetch = filterSparse sparseCheckout;

     

       42
       42
       +
           })

     

       43
       43
       +
         ];

     

       44
       44
       +
       in

     

       45
       45
       +
       stdenv.mkDerivation rec {

     

       46
       46
       +
         pname = "azure-dcap-client";

     

       47
       47
       +
         version = "1.11.2";

     

       48
       48
       +
       

     

       49
       49
       +
         src = fetchFromGitHub {

     

       50
       50
       +
           owner = "microsoft";

     

       51
       51
       +
           repo = pname;

     

       52
       52
       +
           rev = version;

     

       53
       53
       +
           hash = "sha256-EYj3jnzTyJRl6N7avNf9VrB8r9U6zIE6wBNeVsMtWCA=";

     

       54
       54
       +
         };

     

       55
       55
       +
       

     

       56
       56
       +
         nativeBuildInputs = [

     

       57
       57
       +
           pkg-config

     

       58
       58
       +
         ];

     

       59
       59
       +
       

     

       60
       60
       +
         buildInputs = [

     

       61
       61
       +
           curl

     

       62
       62
       +
           nlohmann_json

     

       63
       63
       +
           openssl

     

       64
       64
       +
         ];

     

       65
       65
       +
       

     

       66
       66
       +
         postPatch = ''

     

       67
       67
       +
           mkdir -p src/Linux/ext/intel

     

       68
       68
       +
           find -L '${headers}' -type f -exec ln -s {} src/Linux/ext/intel \;

     

       69
       69
       +
       

     

       70
       70
       +
           substitute src/Linux/Makefile{.in,} \

     

       71
       71
       +
             --replace '##CURLINC##' '${curl.dev}/include/curl/' \

     

       72
       72
       +
             --replace '$(TEST_SUITE): $(PROVIDER_LIB) $(TEST_SUITE_OBJ)' '$(TEST_SUITE): $(TEST_SUITE_OBJ)'

     

       73
       73
       +
         '';

     

       74
       74
       +
       

     

       75
       75
       +
         NIX_CFLAGS_COMPILE = "-Wno-deprecated-declarations";

     

       76
       76
       +
       

     

       77
       77
       +
         makeFlags = [

     

       78
       78
       +
           "-C src/Linux"

     

       79
       79
       +
           "prefix=$(out)"

     

       80
       80
       +
         ];

     

       81
       81
       +
       

     

       82
       82
       +
         # Online test suite; run with

     

       83
       83
       +
         # $(nix-build -A sgx-azure-dcap-client.tests.suite)/bin/tests

     

       84
       84
       +
         passthru.tests.suite = callPackage ./test-suite.nix { };

     

       85
       85
       +
       

     

       86
       86
       +
         meta = with lib; {

     

       87
       87
       +
           description = "Interfaces between SGX SDKs and the Azure Attestation SGX Certification Cache";

     

       88
       88
       +
           homepage = "https://github.com/microsoft/azure-dcap-client";

     

       89
       89
       +
           maintainers = with maintainers; [ trundle veehaitch ];

     

       90
       90
       +
           platforms = [ "x86_64-linux" ];

     

       91
       91
       +
           license = [ licenses.mit ];

     

       92
       92
       +
         };

     

       93
       93
       +
       }

+27

pkgs/os-specific/linux/sgx/azure-dcap-client/test-suite.nix

···

       1
       1
       +
       { lib

     

       2
       2
       +
       , sgx-azure-dcap-client

     

       3
       3
       +
       , gtest

     

       4
       4
       +
       , makeWrapper

     

       5
       5
       +
       }:

     

       6
       6
       +
       sgx-azure-dcap-client.overrideAttrs (oldAttrs: {

     

       7
       7
       +
         nativeBuildInputs = oldAttrs.nativeBuildInputs ++ [

     

       8
       8
       +
           makeWrapper

     

       9
       9
       +
           gtest

     

       10
       10
       +
         ];

     

       11
       11
       +
       

     

       12
       12
       +
         buildFlags = [

     

       13
       13
       +
           "tests"

     

       14
       14
       +
         ];

     

       15
       15
       +
       

     

       16
       16
       +
         installPhase = ''

     

       17
       17
       +
           runHook preInstall

     

       18
       18
       +
       

     

       19
       19
       +
           install -D ./src/Linux/tests "$out/bin/tests"

     

       20
       20
       +
       

     

       21
       21
       +
           runHook postInstall

     

       22
       22
       +
         '';

     

       23
       23
       +
       

     

       24
       24
       +
         postFixup = ''

     

       25
       25
       +
           wrapProgram "$out/bin/tests" --prefix LD_LIBRARY_PATH : "${lib.makeLibraryPath [ sgx-azure-dcap-client ]}"

     

       26
       26
       +
         '';

     

       27
       27
       +
       })

+1 -1

pkgs/os-specific/linux/sgx/psw/default.nix

···

       121
       121
        
       

     

       122
       122
        
           mkdir $out/bin

     

       123
       123
        
           makeWrapper $out/aesm/aesm_service $out/bin/aesm_service \

     

       124
       124
       -
             --prefix LD_LIBRARY_PATH : ${lib.makeLibraryPath [ protobuf ]}:$out/aesm \

     

       124
       124
       +
             --suffix LD_LIBRARY_PATH : ${lib.makeLibraryPath [ protobuf ]}:$out/aesm \

     

       125
       125
        
             --chdir "$out/aesm"

     

       126
       126
        
       

     

       127
       127
        
           # Make sure we didn't forget to handle any files

pkgs/top-level/all-packages.nix

···

       26083
       26083
        
       

     

       26084
       26084
        
         seturgent = callPackage ../os-specific/linux/seturgent { };

     

       26085
       26085
        
       

     

       26086
       26086
       +
         sgx-azure-dcap-client = callPackage ../os-specific/linux/sgx/azure-dcap-client { };

     

       26087
       26087
       +
       

     

       26086
       26088
        
         sgx-sdk = callPackage ../os-specific/linux/sgx/sdk { };

     

       26087
       26089
        
       

     

       26088
       26090
        
         sgx-ssl = callPackage ../os-specific/linux/sgx/ssl { };