aesmd: allow to customize quote provider library, init sgx-azure-dcap-client at 1.11.2 #203449
Conversation
Trundle
force-pushed
the
azure-quote-provider
branch
from
20a19c4
to
8591a44
Compare
veehaitch
force-pushed
the
azure-quote-provider
branch
from
8591a44
to
0b94244
Compare
| url = "https://raw.githubusercontent.com/intel/linux-sgx/1ccf25b64abd1c2eff05ead9d14b410b3c9ae7be/common/inc/sgx_report.h"; | ||
| hash = "sha256-NCDH3uhSlRRx0DDA/MKhWlUnA1rJ94O4DLuzqmnfr0I="; | ||
| }) | ||
| (fetchurl { | ||
| url = "https://raw.githubusercontent.com/intel/linux-sgx/1ccf25b64abd1c2eff05ead9d14b410b3c9ae7be/common/inc/sgx_key.h"; | ||
| hash = "sha256-3ApIE2QevE8MeU0y5UGvwaKD9OOJ3H9c5ibxsBSr49g="; | ||
| }) | ||
| (fetchurl { | ||
| url = "https://raw.githubusercontent.com/intel/linux-sgx/1ccf25b64abd1c2eff05ead9d14b410b3c9ae7be/common/inc/sgx_attributes.h"; |
There was a problem hiding this comment.
since these 3 come from the same repo/HEAD, how about introducing a variable for the commit hash to simplify maintenance?
There was a problem hiding this comment.
We also thought about that but when we realized that those were touched four years ago for the last time, we decided it's probably not worth it.
There was a problem hiding this comment.
We could do a sparse checkout to not rely on 3 FODs.
There was a problem hiding this comment.
See latest push. I’m not sure if that’s really much of an improvement overall.
| @@ -83,7 +89,6 @@ in | |||
| storeAesmFolder = "${sgx-psw}/aesm"; | |||
| # Hardcoded path AESM_DATA_FOLDER in psw/ae/aesm_service/source/oal/linux/aesm_util.cpp | |||
| aesmDataFolder = "/var/opt/aesmd/data"; | |||
| aesmStateDirSystemd = "%S/aesmd"; | |||
|
@ofborg test aesmd |
|
This pull request has been mentioned on NixOS Discourse. There might be relevant details there: |
| @@ -121,7 +121,7 @@ stdenv.mkDerivation rec { | |||
|
|
|||
| mkdir $out/bin | |||
| makeWrapper $out/aesm/aesm_service $out/bin/aesm_service \ | |||
| --prefix LD_LIBRARY_PATH : ${lib.makeLibraryPath [ protobuf ]}:$out/aesm \ | |||
| --suffix LD_LIBRARY_PATH : ${lib.makeLibraryPath [ protobuf ]}:$out/aesm \ | |||
There was a problem hiding this comment.
There shouldn't be any files lik aesm at $out in a normal package
| # No need to build `sgx-azure-dcap-client` again | ||
| postPatch = '' | ||
| substituteInPlace ./src/Linux/Makefile.in \ | ||
| --replace '$(TEST_SUITE): $(PROVIDER_LIB) $(TEST_SUITE_OBJ)' \ | ||
| '$(TEST_SUITE): $(TEST_SUITE_OBJ)' | ||
| ''; |
There was a problem hiding this comment.
I think we should do all patching in the default.nix if possible
| configurePhase = '' | ||
| runHook preConfigure | ||
|
|
||
| substitute src/Linux/Makefile{.in,} \ | ||
| --replace '##CURLINC##' '${curl.dev}/include/curl/' \ | ||
| --replace '-Wall' '-Wall -Wno-deprecated-declarations' \ | ||
| --replace 'prefix = /usr/local' 'prefix =' | ||
|
|
||
| runHook postConfigure | ||
| ''; |
There was a problem hiding this comment.
We are not running any configure steps here so it can all go to postPatch
| patchPhase = '' | ||
| runHook prePatch | ||
|
|
||
| mkdir src/Linux/ext | ||
| ln -s ${headers} src/Linux/ext/intel | ||
|
|
||
| runHook postPatch | ||
| ''; |
There was a problem hiding this comment.
| patchPhase = '' | |
| runHook prePatch | |
| mkdir src/Linux/ext | |
| ln -s ${headers} src/Linux/ext/intel | |
| runHook postPatch | |
| ''; | |
| postPatch = '' | |
| mkdir src/Linux/ext | |
| ln -s ${headers} src/Linux/ext/intel | |
| ''; |
| ]; | ||
|
|
||
| buildInputs = [ | ||
| curl.dev |
There was a problem hiding this comment.
| curl.dev | |
| curl |
that should be chosen automatically
| url = "https://raw.githubusercontent.com/intel/linux-sgx/1ccf25b64abd1c2eff05ead9d14b410b3c9ae7be/common/inc/sgx_report.h"; | ||
| hash = "sha256-NCDH3uhSlRRx0DDA/MKhWlUnA1rJ94O4DLuzqmnfr0I="; | ||
| }) | ||
| (fetchurl { | ||
| url = "https://raw.githubusercontent.com/intel/linux-sgx/1ccf25b64abd1c2eff05ead9d14b410b3c9ae7be/common/inc/sgx_key.h"; | ||
| hash = "sha256-3ApIE2QevE8MeU0y5UGvwaKD9OOJ3H9c5ibxsBSr49g="; | ||
| }) | ||
| (fetchurl { | ||
| url = "https://raw.githubusercontent.com/intel/linux-sgx/1ccf25b64abd1c2eff05ead9d14b410b3c9ae7be/common/inc/sgx_attributes.h"; |
There was a problem hiding this comment.
We could do a sparse checkout to not rely on 3 FODs.
| environment = mkOption { | ||
| type = with types; attrsOf str; | ||
| default = { }; | ||
| description = mdDoc "Additional environment variables to pass to the AESM service."; | ||
| # Example environment variable for `sgx-azure-dcap-client` provider library | ||
| example = { | ||
| AZDCAP_COLLATERAL_VERSION = "v2"; | ||
| AZDCAP_DEBUG_LOG_LEVEL = "INFO"; | ||
| }; | ||
| }; |
There was a problem hiding this comment.
I don't think we need that and should advice people to use the option directly instead.
There was a problem hiding this comment.
You think they should use config.systemd.services.aesmd.environment? I don't think that's very ergonomic. How should we advice people?
veehaitch
force-pushed
the
azure-quote-provider
branch
from
0b94244
to
b621aa1
Compare
|
|
||
| substitute src/Linux/Makefile{.in,} \ | ||
| --replace '##CURLINC##' '${curl.dev}/include/curl/' \ | ||
| --replace '-Wall' '-Wall -Wno-deprecated-declarations' \ |
There was a problem hiding this comment.
This is usually more robust since it does not require patching:
NIX_CFLAGS_COMPILE = "-Wno-deprecated-declarations";
| installFlags = [ | ||
| "DESTDIR=$(out)" | ||
| ]; |
There was a problem hiding this comment.
| installFlags = [ | |
| "DESTDIR=$(out)" | |
| ]; |
| substitute src/Linux/Makefile{.in,} \ | ||
| --replace '##CURLINC##' '${curl.dev}/include/curl/' \ | ||
| --replace '-Wall' '-Wall -Wno-deprecated-declarations' \ | ||
| --replace 'prefix = /usr/local' 'prefix =' \ |
There was a problem hiding this comment.
| --replace 'prefix = /usr/local' 'prefix =' \ |
| --replace '##CURLINC##' '${curl.dev}/include/curl/' \ | ||
| --replace '-Wall' '-Wall -Wno-deprecated-declarations' \ | ||
| --replace 'prefix = /usr/local' 'prefix =' \ | ||
| --replace '$(TEST_SUITE): $(PROVIDER_LIB) $(TEST_SUITE_OBJ)' '$(TEST_SUITE): $(TEST_SUITE_OBJ)' |
There was a problem hiding this comment.
Is provider lib not build by the project anymore?
There was a problem hiding this comment.
This just makes sure that the provider lib is not built again when building the test suite. Also see #203449 (comment)
Changes sgx-psw to append `aesm` to `LD_LIBRARY_PATH`: - Append instead of prepend to allow for overriding in service config - As we already add a wrapper to add `aesm` to `LD_LIBRARY_PATH` it is not necessary to also set in `LD_LIBRARY_PATH` of the systemd service. Co-authored-by: Vincent Haupert <mail@vincent-haupert.de>
veehaitch
force-pushed
the
azure-quote-provider
branch
from
b621aa1
to
dbff3c2
Compare
|
Anything else we should do here, @SuperSandro2000 @Mic92? |
|
This pull request has been mentioned on NixOS Discourse. There might be relevant details there: https://discourse.nixos.org/t/prs-ready-for-review/3032/1594 |
Description of changes
Tested in an Azure VM (with Enarx)
Things done
sandbox = trueset innix.conf? (See Nix manual)nix-shell -p nixpkgs-review --run "nixpkgs-review rev HEAD". Note: all changes have to be committed, also see nixpkgs-review usage./result/bin/)nixos/doc/manual/md-to-db.shto update generated release notes