-
-
Notifications
You must be signed in to change notification settings - Fork 13.6k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
nixos/security/sgx: init #129432
nixos/security/sgx: init #129432
Changes from all commits
File filter
Filter by extension
Conversations
Jump to
Diff view
Diff view
There are no files selected for viewing
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,167 @@ | ||
{ config, lib, pkgs, ... }: | ||
with lib; | ||
let | ||
cfg = config.security.sgx; | ||
in | ||
{ | ||
options.security.sgx = { | ||
enable = mkEnableOption "Intel SGX"; | ||
|
||
config = mkOption { | ||
type = types.lines; | ||
default = ""; | ||
description = "Configuration for the SGX daemon."; | ||
}; | ||
|
||
packages = { | ||
psw = mkOption { | ||
default = pkgs.intel-sgx-psw; | ||
defaultText = "pkgs.intel-sgx-psw"; | ||
description = "The SGX PSW (platform software) package to use."; | ||
}; | ||
|
||
sdk = mkOption { | ||
default = pkgs.intel-sgx-sdk; | ||
defaultText = "pkgs.intel-sgx-sdk"; | ||
description = "The SGX SDK (software development kit) package to use."; | ||
}; | ||
|
||
driver = mkOption { | ||
type = types.package; | ||
default = pkgs.linuxPackages.isgx; | ||
defaultText = "pkgs.linuxPackages.isgx"; | ||
description = "The SGX driver package to use."; | ||
}; | ||
}; | ||
}; | ||
|
||
config = mkIf cfg.enable { | ||
boot.extraModulePackages = [ cfg.packages.driver ]; | ||
services.udev.packages = [ cfg.packages.psw ]; | ||
|
||
# aesmd depends on auditd | ||
security.auditd.enable = true; | ||
|
||
# write service config file | ||
environment.etc."aesmd.conf".text = cfg.config; | ||
|
||
# create service user and groups | ||
users = { | ||
users.aesmd = { | ||
group = "aesmd"; | ||
isSystemUser = true; | ||
extraGroups = [ "sgx_prv" ]; | ||
description = "Intel SGX Service Account"; | ||
}; | ||
|
||
groups = { | ||
aesmd = { }; | ||
sgx_prv = { }; | ||
}; | ||
}; | ||
|
||
systemd.services.aesmd = | ||
let | ||
path = "${cfg.packages.psw}/aesm"; | ||
in | ||
{ | ||
description = "Intel(R) Architectural Enclave Service Manager"; | ||
after = [ "syslog.target" "network.target" "auditd.service" ]; | ||
wantedBy = [ "multi-user.target" ]; | ||
|
||
# restart when config file changes | ||
restartTriggers = [ config.environment.etc."aesmd.conf".source ]; | ||
|
||
environment = { | ||
NAME = "aesm_service"; | ||
AESM_PATH = "/var/opt/aesmd"; | ||
LD_LIBRARY_PATH = "${cfg.packages.psw}/lib:${path}"; | ||
}; | ||
|
||
serviceConfig = { | ||
ExecStart = "${path}/aesm_service --no-daemon"; | ||
ExecReload = "${pkgs.coreutils}/bin/kill -HUP $MAINPID"; | ||
ExecStartPre = [ "${pkgs.coreutils}/bin/mkdir -p /var/opt/aesmd/data /var/opt/aesmd/fwdir/data" ]; | ||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. You could also leverage systemd sandboxing using |
||
|
||
Restart = "on-failure"; | ||
RestartSec = "15s"; | ||
|
||
# environment | ||
User = "aesmd"; | ||
Group = "aesmd"; | ||
|
||
WorkingDirectory = "/var/opt/aesmd"; | ||
RuntimeDirectory = "aesmd"; | ||
RuntimeDirectoryMode = "0755"; | ||
ReadWritePaths = [ "/var/opt/aesmd" ]; | ||
Mic92 marked this conversation as resolved.
Show resolved
Hide resolved
|
||
|
||
# Hardening | ||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. I really appreciate all the effort you've put into hardening. We should definitely have that but I wonder how tried and tested this configuration is as the upstream service definition does not declare any hardening. Do you run this service in production somewhere or can you share any other experiences? There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. From my own experience with running aesmd and systemd hardening option, the option chosen here looks fine. There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Upstream probably don't care as much about adding them because they might target some old redhat linux that does not have those hardening options yet. |
||
CapabilityBoundingSet = ""; | ||
DevicePolicy = "closed"; | ||
DeviceAllow = [ | ||
"/dev/isgx rw" | ||
"/dev/sgx rw" | ||
"/dev/sgx/enclave rw" | ||
"/dev/sgx/provision rw" | ||
]; | ||
IPAddressDeny = "any"; | ||
KeyringMode = "private"; | ||
LockPersonality = true; | ||
MemoryDenyWriteExecute = false; | ||
NoNewPrivileges = true; | ||
NotifyAccess = "none"; | ||
ProcSubset = "pid"; | ||
RemoveIPC = true; | ||
|
||
PrivateDevices = false; | ||
PrivateMounts = true; | ||
PrivateNetwork = false; | ||
PrivateTmp = true; | ||
PrivateUsers = true; | ||
|
||
ProtectClock = true; | ||
ProtectControlGroups = true; | ||
ProtectHome = true; | ||
ProtectKernelLogs = true; | ||
ProtectKernelModules = true; | ||
ProtectKernelTunables = true; | ||
ProtectHostname = true; | ||
ProtectProc = "invisible"; | ||
ProtectSystem = "strict"; | ||
RestrictAddressFamilies = [ "AF_UNIX" ]; | ||
Mic92 marked this conversation as resolved.
Show resolved
Hide resolved
|
||
RestrictNamespaces = true; | ||
RestrictRealtime = true; | ||
RestrictSUIDSGID = true; | ||
|
||
# needs the ipc syscall in order to run | ||
SystemCallFilter = [ | ||
"@system-service" | ||
"~@aio" | ||
"~@clock" | ||
"~@cpu-emulation" | ||
"~@chown" | ||
"~@debug" | ||
"~@keyring" | ||
"~@memlock" | ||
"~@module" | ||
"~@mount" | ||
"~@raw-io" | ||
"~@reboot" | ||
"~@swap" | ||
"~@privileged" | ||
"~@resources" | ||
"~@setuid" | ||
"~@sync" | ||
"~@timer" | ||
]; | ||
SystemCallArchitectures = "native"; | ||
SystemCallErrorNumber = "EPERM"; | ||
}; | ||
}; | ||
|
||
systemd.tmpfiles.rules = [ | ||
"d /var/opt/aesmd 0750 aesmd aesmd - -" | ||
"z /var/opt/aesmd 0750 aesmd aesmd - -" | ||
]; | ||
}; | ||
} |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This needs to be
config.boot.kernelPackages.isgx
. Otherwise, it will mix up kernel modules and kernel with different versions.As a side note: Newer kernels come with SGX support built-in, but I'm not sure whether this is a realistic option just yet.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Using the in-tree SGX support works just fine! 🙂
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Then we could flip the SGX kernel option on for newer kernels by default and get rid of the third-party module.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I'll have a modern Atom to test this on next week or so.