-
-
Notifications
You must be signed in to change notification settings - Fork 13.7k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
aesmd: allow to customize quote provider library, init sgx-azure-dcap-client at 1.11.2 #203449
Conversation
20a19c4
to
8591a44
Compare
8591a44
to
0b94244
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Mostly some questions
url = "https://raw.githubusercontent.com/intel/linux-sgx/1ccf25b64abd1c2eff05ead9d14b410b3c9ae7be/common/inc/sgx_report.h"; | ||
hash = "sha256-NCDH3uhSlRRx0DDA/MKhWlUnA1rJ94O4DLuzqmnfr0I="; | ||
}) | ||
(fetchurl { | ||
url = "https://raw.githubusercontent.com/intel/linux-sgx/1ccf25b64abd1c2eff05ead9d14b410b3c9ae7be/common/inc/sgx_key.h"; | ||
hash = "sha256-3ApIE2QevE8MeU0y5UGvwaKD9OOJ3H9c5ibxsBSr49g="; | ||
}) | ||
(fetchurl { | ||
url = "https://raw.githubusercontent.com/intel/linux-sgx/1ccf25b64abd1c2eff05ead9d14b410b3c9ae7be/common/inc/sgx_attributes.h"; |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
since these 3 come from the same repo/HEAD, how about introducing a variable for the commit hash to simplify maintenance?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
We also thought about that but when we realized that those were touched four years ago for the last time, we decided it's probably not worth it.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
We could do a sparse checkout to not rely on 3 FODs.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
See latest push. I’m not sure if that’s really much of an improvement overall.
@@ -83,7 +89,6 @@ in | |||
storeAesmFolder = "${sgx-psw}/aesm"; | |||
# Hardcoded path AESM_DATA_FOLDER in psw/ae/aesm_service/source/oal/linux/aesm_util.cpp | |||
aesmDataFolder = "/var/opt/aesmd/data"; | |||
aesmStateDirSystemd = "%S/aesmd"; |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
this was unused?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Yes.
@ofborg test aesmd |
This pull request has been mentioned on NixOS Discourse. There might be relevant details there: |
@@ -121,7 +121,7 @@ stdenv.mkDerivation rec { | |||
|
|||
mkdir $out/bin | |||
makeWrapper $out/aesm/aesm_service $out/bin/aesm_service \ | |||
--prefix LD_LIBRARY_PATH : ${lib.makeLibraryPath [ protobuf ]}:$out/aesm \ | |||
--suffix LD_LIBRARY_PATH : ${lib.makeLibraryPath [ protobuf ]}:$out/aesm \ |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
There shouldn't be any files lik aesm at $out in a normal package
# No need to build `sgx-azure-dcap-client` again | ||
postPatch = '' | ||
substituteInPlace ./src/Linux/Makefile.in \ | ||
--replace '$(TEST_SUITE): $(PROVIDER_LIB) $(TEST_SUITE_OBJ)' \ | ||
'$(TEST_SUITE): $(TEST_SUITE_OBJ)' | ||
''; |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I think we should do all patching in the default.nix if possible
configurePhase = '' | ||
runHook preConfigure | ||
|
||
substitute src/Linux/Makefile{.in,} \ | ||
--replace '##CURLINC##' '${curl.dev}/include/curl/' \ | ||
--replace '-Wall' '-Wall -Wno-deprecated-declarations' \ | ||
--replace 'prefix = /usr/local' 'prefix =' | ||
|
||
runHook postConfigure | ||
''; |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
We are not running any configure steps here so it can all go to postPatch
patchPhase = '' | ||
runHook prePatch | ||
|
||
mkdir src/Linux/ext | ||
ln -s ${headers} src/Linux/ext/intel | ||
|
||
runHook postPatch | ||
''; |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
patchPhase = '' | |
runHook prePatch | |
mkdir src/Linux/ext | |
ln -s ${headers} src/Linux/ext/intel | |
runHook postPatch | |
''; | |
postPatch = '' | |
mkdir src/Linux/ext | |
ln -s ${headers} src/Linux/ext/intel | |
''; |
]; | ||
|
||
buildInputs = [ | ||
curl.dev |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
curl.dev | |
curl |
that should be chosen automatically
url = "https://raw.githubusercontent.com/intel/linux-sgx/1ccf25b64abd1c2eff05ead9d14b410b3c9ae7be/common/inc/sgx_report.h"; | ||
hash = "sha256-NCDH3uhSlRRx0DDA/MKhWlUnA1rJ94O4DLuzqmnfr0I="; | ||
}) | ||
(fetchurl { | ||
url = "https://raw.githubusercontent.com/intel/linux-sgx/1ccf25b64abd1c2eff05ead9d14b410b3c9ae7be/common/inc/sgx_key.h"; | ||
hash = "sha256-3ApIE2QevE8MeU0y5UGvwaKD9OOJ3H9c5ibxsBSr49g="; | ||
}) | ||
(fetchurl { | ||
url = "https://raw.githubusercontent.com/intel/linux-sgx/1ccf25b64abd1c2eff05ead9d14b410b3c9ae7be/common/inc/sgx_attributes.h"; |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
We could do a sparse checkout to not rely on 3 FODs.
environment = mkOption { | ||
type = with types; attrsOf str; | ||
default = { }; | ||
description = mdDoc "Additional environment variables to pass to the AESM service."; | ||
# Example environment variable for `sgx-azure-dcap-client` provider library | ||
example = { | ||
AZDCAP_COLLATERAL_VERSION = "v2"; | ||
AZDCAP_DEBUG_LOG_LEVEL = "INFO"; | ||
}; | ||
}; |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I don't think we need that and should advice people to use the option directly instead.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
You think they should use config.systemd.services.aesmd.environment
? I don't think that's very ergonomic. How should we advice people?
0b94244
to
b621aa1
Compare
|
||
substitute src/Linux/Makefile{.in,} \ | ||
--replace '##CURLINC##' '${curl.dev}/include/curl/' \ | ||
--replace '-Wall' '-Wall -Wno-deprecated-declarations' \ |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This is usually more robust since it does not require patching:
NIX_CFLAGS_COMPILE = "-Wno-deprecated-declarations";
installFlags = [ | ||
"DESTDIR=$(out)" | ||
]; |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
installFlags = [ | |
"DESTDIR=$(out)" | |
]; |
substitute src/Linux/Makefile{.in,} \ | ||
--replace '##CURLINC##' '${curl.dev}/include/curl/' \ | ||
--replace '-Wall' '-Wall -Wno-deprecated-declarations' \ | ||
--replace 'prefix = /usr/local' 'prefix =' \ |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
--replace 'prefix = /usr/local' 'prefix =' \ |
--replace '##CURLINC##' '${curl.dev}/include/curl/' \ | ||
--replace '-Wall' '-Wall -Wno-deprecated-declarations' \ | ||
--replace 'prefix = /usr/local' 'prefix =' \ | ||
--replace '$(TEST_SUITE): $(PROVIDER_LIB) $(TEST_SUITE_OBJ)' '$(TEST_SUITE): $(TEST_SUITE_OBJ)' |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Is provider lib not build by the project anymore?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This just makes sure that the provider lib is not built again when building the test suite. Also see #203449 (comment)
Changes sgx-psw to append `aesm` to `LD_LIBRARY_PATH`: - Append instead of prepend to allow for overriding in service config - As we already add a wrapper to add `aesm` to `LD_LIBRARY_PATH` it is not necessary to also set in `LD_LIBRARY_PATH` of the systemd service. Co-authored-by: Vincent Haupert <mail@vincent-haupert.de>
b621aa1
to
dbff3c2
Compare
Anything else we should do here, @SuperSandro2000 @Mic92? |
This pull request has been mentioned on NixOS Discourse. There might be relevant details there: https://discourse.nixos.org/t/prs-ready-for-review/3032/1594 |
Description of changes
Tested in an Azure VM (with Enarx)
Things done
sandbox = true
set innix.conf
? (See Nix manual)nix-shell -p nixpkgs-review --run "nixpkgs-review rev HEAD"
. Note: all changes have to be committed, also see nixpkgs-review usage./result/bin/
)nixos/doc/manual/md-to-db.sh
to update generated release notes