commit dbff3c22c156de370cd8771688651becd62cab6b · pyrox.dev/nixpkgs

+11 -1

nixos/modules/services/security/aesmd.nix

···

       25
       25
        
             default = false;

     

       26
       26
        
             description = lib.mdDoc "Whether to build the PSW package in debug mode.";

     

       27
       27
        
           };

     

       28
       28
       +
           environment = mkOption {

     

       29
       29
       +
             type = with types; attrsOf str;

     

       30
       30
       +
             default = { };

     

       31
       31
       +
             description = mdDoc "Additional environment variables to pass to the AESM service.";

     

       32
       32
       +
             # Example environment variable for `sgx-azure-dcap-client` provider library

     

       33
       33
       +
             example = {

     

       34
       34
       +
               AZDCAP_COLLATERAL_VERSION = "v2";

     

       35
       35
       +
               AZDCAP_DEBUG_LOG_LEVEL = "INFO";

     

       36
       36
       +
             };

     

       37
       37
       +
           };

     

       28
       38
        
           quoteProviderLibrary = mkOption {

     

       29
       39
        
             type = with types; nullOr path;

     

       30
       40
        
             default = null;

     
···

       104
       114
        
                 NAME = "aesm_service";

     

       105
       115
        
                 AESM_PATH = storeAesmFolder;

     

       106
       116
        
                 LD_LIBRARY_PATH = makeLibraryPath [ cfg.quoteProviderLibrary ];

     

       107
       107
       -
               };

     

       117
       117
       +
               } // cfg.environment;

     

       108
       118
        
       

     

       109
       119
        
               # Make sure any of the SGX application enclave devices is available

     

       110
       120
        
               unitConfig.AssertPathExists = [

+10 -1

nixos/tests/aesmd.nix

···

       28
       28
        
       

     

       29
       29
        
           specialisation = {

     

       30
       30
        
             withQuoteProvider.configuration = { ... }: {

     

       31
       31
       -
               services.aesmd.quoteProviderLibrary = pkgs.sgx-azure-dcap-client;

     

       31
       31
       +
               services.aesmd = {

     

       32
       32
       +
                 quoteProviderLibrary = pkgs.sgx-azure-dcap-client;

     

       33
       33
       +
                 environment = {

     

       34
       34
       +
                   AZDCAP_DEBUG_LOG_LEVEL = "INFO";

     

       35
       35
       +
                 };

     

       36
       36
       +
               };

     

       32
       37
        
             };

     

       33
       38
        
           };

     

       34
       39
        
         };

     
···

       89
       94
        
               ld_library_path = machine.succeed(f"xargs -0 -L1 -a /proc/{main_pid}/environ | grep LD_LIBRARY_PATH")

     

       90
       95
        
               assert ld_library_path.startswith("LD_LIBRARY_PATH=${pkgs.sgx-azure-dcap-client}/lib:"), \

     

       91
       96
        
                 "LD_LIBRARY_PATH is not set to the configured quote provider library"

     

       97
       97
       +
       

     

       98
       98
       +
             with subtest("aesmd.service with quote provider library has set AZDCAP_DEBUG_LOG_LEVEL"):

     

       99
       99
       +
               azdcp_debug_log_level = machine.succeed(f"xargs -0 -L1 -a /proc/{main_pid}/environ | grep AZDCAP_DEBUG_LOG_LEVEL")

     

       100
       100
       +
               assert azdcp_debug_log_level == "AZDCAP_DEBUG_LOG_LEVEL=INFO\n", "AZDCAP_DEBUG_LOG_LEVEL is not set to INFO"

     

       92
       101
        
           '';

     

       93
       102
        
       }