matter-labs · haraldh · May 17, 2024 · May 17, 2024 · May 17, 2024
@@ -1,5 +1,6 @@
 { stdenv
 , fetchFromGitHub
+, fetchpatch
 , lib
 , curl
 , nlohmann_json
@@ -15,7 +16,7 @@ let
     find "$out" -mindepth 1 -delete
     cp ${lib.concatStringsSep " " list} "$out/"
   '';
-  headers = linkFarmFromDrvs "azure-dcpa-client-intel-headers" [
+  headers = linkFarmFromDrvs "azure-dcap-client-intel-headers" [
     (fetchFromGitHub rec {
       name = "${repo}-headers";
       owner = "intel";
@@ -44,8 +45,14 @@ stdenv.mkDerivation rec {
   };
 
   patches = [
-    ./missing-includes.patch
     ./Azure-DCAP-Client.patch
+    # Fix gcc-13 build:
+    #   https://github.com/microsoft/Azure-DCAP-Client/pull/197
+    (fetchpatch {
+      name = "gcc-13.patch";
+      url = "https://github.com/microsoft/Azure-DCAP-Client/commit/fbcae7b3c8f1155998248cf5b5f4c1df979483f5.patch";
+      hash = "sha256-ezEuQql3stn58N1ZPKMlhPpUOBkDpCcENpGwFAmWtHc=";
+    })
   ];
 
   nativeBuildInputs = [
@@ -78,11 +85,11 @@ stdenv.mkDerivation rec {
   # $(nix-build -A sgx-azure-dcap-client.tests.suite)/bin/tests
   passthru.tests.suite = callPackage ./test-suite.nix { };
 
-  meta = with lib; {
+  meta = {
     description = "Interfaces between SGX SDKs and the Azure Attestation SGX Certification Cache";
     homepage = "https://github.com/microsoft/azure-dcap-client";
-    maintainers = with maintainers; [ phlip9 trundle veehaitch ];
+    maintainers = with lib.maintainers; [ phlip9 trundle veehaitch ];
     platforms = [ "x86_64-linux" ];
-    license = [ licenses.mit ];
+    license = [ lib.licenses.mit ];
   };
 }
@@ -9,7 +9,7 @@ sgx-azure-dcap-client.overrideAttrs (old: {
     gtest
   ];
 
-  patches = [
+  patches = (old.patches or [ ]) ++ [
     ./tests-missing-includes.patch
   ];
 

@@ -15,15 +15,15 @@
 }:
 stdenv.mkDerivation rec {
   pname = "sgx-dcap";
-  version = "1.20";
+  version = "1.21";
 
   postUnpack =
     let
       dcap = rec {
         filename = "prebuilt_dcap_${version}.tar.gz";
         prebuilt = fetchurl {
           url = "https://download.01.org/intel-sgx/sgx-dcap/${version}/linux/${filename}";
-          hash = "sha256-nPsI89KSBA3cSNTMWyktZP5dkf+BwL3NZ4MuUf6G98o=";
+          hash = "sha256-/PPD2MyNxoCwzNljIFcpkFvItXbyvymsJ7+Uf4IyZuk=";
         };
       };
     in
@@ -39,7 +39,7 @@ stdenv.mkDerivation rec {
     owner = "intel";
     repo = "SGXDataCenterAttestationPrimitives";
     rev = "DCAP_${version}";
-    hash = "sha256-gNQzV6wpoQUZ3x/RqvFLwak4HhDOiJC5mW0okGx3UGA=";
+    hash = "sha256-Vp8R4W6qdPTGJFNJrPPKe9Oqxxj+UIdZf2GSL+gCyjU=";
     fetchSubmodules = true;
   };
 

@@ -13,8 +13,11 @@
 , which
 , debug ? false
 }:
+let
+  inherit (nixsgx) sgx-sdk;
+in
 stdenv.mkDerivation rec {
-  inherit (nixsgx.sgx-sdk) version versionTag src patches;
+  inherit (sgx-sdk) patches src version versionTag;
   pname = "sgx-psw";
 
   postUnpack =
@@ -29,15 +32,15 @@ stdenv.mkDerivation rec {
       # Also include the Data Center Attestation Primitives (DCAP) platform
       # enclaves.
       dcap = rec {
-        version = "1.20";
+        version = "1.21";
         filename = "prebuilt_dcap_${version}.tar.gz";
         prebuilt = fetchurl {
           url = "https://download.01.org/intel-sgx/sgx-dcap/${version}/linux/${filename}";
-          hash = "sha256-nPsI89KSBA3cSNTMWyktZP5dkf+BwL3NZ4MuUf6G98o=";
+          hash = "sha256-/PPD2MyNxoCwzNljIFcpkFvItXbyvymsJ7+Uf4IyZuk=";
         };
       };
     in
-    nixsgx.sgx-sdk.postUnpack + ''
+    sgx-sdk.postUnpack + ''
       # Make sure we use the correct version of prebuilt DCAP
       grep -q 'ae_file_name=${dcap.filename}' "$src/external/dcap_source/QuoteGeneration/download_prebuilt.sh" \
         || (echo "Could not find expected prebuilt DCAP ${dcap.filename} in linux-sgx source" >&2 && exit 1)
@@ -51,7 +54,7 @@ stdenv.mkDerivation rec {
     file
     makeWrapper
     python3
-    nixsgx.sgx-sdk
+    sgx-sdk
     which
   ];
 
@@ -159,30 +162,30 @@ stdenv.mkDerivation rec {
     echo "Fixing aesmd.service"
     substituteInPlace $out/lib/systemd/system/aesmd.service \
       --replace '@aesm_folder@' \
-                "$out/aesm" \
+                     "$out/aesm" \
       --replace 'Type=forking' \
-                'Type=simple' \
+                     'Type=simple' \
       --replace "ExecStart=$out/aesm/aesm_service" \
-                "ExecStart=$out/bin/aesm_service --no-daemon"\
+                     "ExecStart=$out/bin/aesm_service --no-daemon"\
       --replace "/bin/mkdir" \
-                "${coreutils}/bin/mkdir" \
+                     "${coreutils}/bin/mkdir" \
       --replace "/bin/chown" \
-                "${coreutils}/bin/chown" \
+                     "${coreutils}/bin/chown" \
       --replace "/bin/chmod" \
-                "${coreutils}/bin/chmod" \
+                     "${coreutils}/bin/chmod" \
       --replace "/bin/kill" \
-                "${coreutils}/bin/kill"
+                     "${coreutils}/bin/kill"
   '';
 
   passthru.tests = {
     service = nixosTests.aesmd;
   };
 
-  meta = with lib; {
+  meta = {
     description = "Intel SGX Architectural Enclave Service Manager";
     homepage = "https://github.com/intel/linux-sgx";
-    maintainers = with maintainers; [ phlip9 veehaitch citadelcore ];
+    maintainers = with lib.maintainers; [ phlip9 veehaitch citadelcore ];
     platforms = [ "x86_64-linux" ];
-    license = with licenses; [ bsd3 ];
+    license = [ lib.licenses.bsd3 ];
   };
 }
@@ -21,6 +21,6 @@ index 6b0ebd7a..fa2aebca 100644
  // The current downside is the times written to your archives will be from 1979.
 -//#define MINIZ_NO_TIME
 +#define MINIZ_NO_TIME
- 
+
  // Define MINIZ_NO_ARCHIVE_APIS to disable all ZIP archive API's.
  //#define MINIZ_NO_ARCHIVE_APIS
@@ -26,15 +26,15 @@
 stdenv.mkDerivation rec {
   pname = "sgx-sdk";
   # Version as given in se_version.h
-  version = "2.23.100.2";
+  version = "2.24.100.3";
   # Version as used in the Git tag
-  versionTag = "2.23";
+  versionTag = "2.24";
 
   src = fetchFromGitHub {
     owner = "intel";
     repo = "linux-sgx";
     rev = "sgx_${versionTag}";
-    hash = "sha256-i+fE6xKiuljG8LY8TIHgrW15DVpdp46bZdNo/BjgT/I=";
+    hash = "sha256-1urEdfMKNUqqyJ3wQ10+tvtlRuAKELpaCWIOzjCbYKw=";
     fetchSubmodules = true;
   };
 
@@ -45,14 +45,22 @@ stdenv.mkDerivation rec {
   '';
 
   patches = [
-    # no timestamp in mini zip archives
-    ./CppMicroServices-no-mtime.patch
-    # Set the CXX standard for nix builds of sgx-psw
-    ./aesm-cxx-standard.patch
     # There's a `make preparation` step that downloads some prebuilt binaries
     # and applies some patches to the in-repo git submodules. This patch removes
     # the parts that download things, since we can't do that inside the sandbox.
     ./disable-downloads.patch
+
+    # Set the CXX standard for nix builds of sgx-psw
+    ./aesm-cxx-standard.patch
+
+    # This patch disable mtime in bundled zip file for reproducible builds.
+    #
+    # Context: The `aesm_service` binary depends on a vendored library called
+    # `CppMicroServices`. At build time, this lib creates and then bundles
+    # service resources into a zip file and then embeds this zip into the
+    # binary. Without changes, the `aesm_service` will be different after every
+    # build because the embedded zip file contents have different modified times.
+    ./cppmicroservices-no-mtime.patch
   ];
 
   postPatch = ''
@@ -116,17 +124,20 @@ stdenv.mkDerivation rec {
 
       pushd 'external/ippcp_internal'
 
-      cp -r ${ipp-crypto-no_mitigation}/include/. inc/
-
       install -D -m a+rw ${ipp-crypto-no_mitigation}/lib/intel64/libippcp.a \
         lib/linux/intel64/no_mitigation/libippcp.a
       install -D -m a+rw ${ipp-crypto-cve_2020_0551_load}/lib/intel64/libippcp.a \
         lib/linux/intel64/cve_2020_0551_load/libippcp.a
       install -D -m a+rw ${ipp-crypto-cve_2020_0551_cf}/lib/intel64/libippcp.a \
         lib/linux/intel64/cve_2020_0551_cf/libippcp.a
 
+      cp -r ${ipp-crypto-no_mitigation}/include/* inc/
+
+      mkdir inc/ippcp
+      cp ${ipp-crypto-no_mitigation}/include/fips_cert.h inc/ippcp/
+
       rm inc/ippcp.h
-      patch ${ipp-crypto-no_mitigation}/include/ippcp.h -i inc/ippcp21u7.patch -o inc/ippcp.h
+      patch ${ipp-crypto-no_mitigation}/include/ippcp.h -i ./inc/ippcp21u11.patch -o ./inc/ippcp.h
 
       install -D ${ipp-crypto-no_mitigation.src}/LICENSE license/LICENSE
 
@@ -280,11 +291,11 @@ stdenv.mkDerivation rec {
       '';
     };
 
-  meta = with lib; {
+  meta = {
     description = "Intel SGX SDK for Linux built with IPP Crypto Library";
     homepage = "https://github.com/intel/linux-sgx";
-    maintainers = with maintainers; [ phlip9 sbellem arturcygan veehaitch ];
+    maintainers = with lib.maintainers; [ phlip9 sbellem arturcygan veehaitch ];
     platforms = [ "x86_64-linux" ];
-    license = with licenses; [ bsd3 ];
+    license = [ lib.licenses.bsd3 ];
   };
 }
@@ -1,8 +1,8 @@
 diff --git a/Makefile b/Makefile
-index 32433051..2e480efb 100644
+index 73502a7..f24bd11 100644
 --- a/Makefile
 +++ b/Makefile
-@@ -50,8 +50,8 @@ tips:
+@@ -50,18 +50,18 @@ tips:
  preparation:
  # As SDK build needs to clone and patch openmp, we cannot support the mode that download the source from github as zip.
  # Only enable the download from git
@@ -12,8 +12,10 @@ index 32433051..2e480efb 100644
 +	# ./external/dcap_source/QuoteVerification/prepare_sgxssl.sh nobuild
  	cd external/openmp/openmp_code && git apply ../0001-Enable-OpenMP-in-SGX.patch >/dev/null 2>&1 ||  git apply ../0001-Enable-OpenMP-in-SGX.patch --check -R
  	cd external/protobuf/protobuf_code && git apply ../sgx_protobuf.patch >/dev/null 2>&1 ||  git apply ../sgx_protobuf.patch --check -R
+-	cd external/protobuf/protobuf_code && git submodule update --init --recursive && cd third_party/abseil-cpp && git apply ../../../sgx_abseil.patch>/dev/null 2>&1 || git apply ../../../sgx_abseil.patch --check -R
++	cd external/protobuf/protobuf_code && cd third_party/abseil-cpp && git apply ../../../sgx_abseil.patch>/dev/null 2>&1 || git apply ../../../sgx_abseil.patch --check -R
  	./external/sgx-emm/create_symlink.sh
-@@ -59,8 +59,8 @@ preparation:
+ 	cd external/mbedtls/mbedtls_code && git apply ../sgx_mbedtls.patch >/dev/null 2>&1 || git apply ../sgx_mbedtls.patch --check -R
  	cd external/cbor && cp -r libcbor sgx_libcbor
  	cd external/cbor/libcbor && git apply ../raw_cbor.patch >/dev/null 2>&1 || git apply ../raw_cbor.patch --check -R
  	cd external/cbor/sgx_libcbor && git apply ../sgx_cbor.patch >/dev/null 2>&1 || git apply ../sgx_cbor.patch --check -R

@@ -2,28 +2,30 @@
 , fetchFromGitHub
 , cmake
 , nasm
-, ninja
 , openssl
 , python3
 , extraCmakeFlags ? [ ]
 }:
 gcc11Stdenv.mkDerivation rec {
   pname = "ipp-crypto";
-  version = "2021.10.0";
+  version = "2021.11.1";
 
   src = fetchFromGitHub {
     owner = "intel";
     repo = "ipp-crypto";
     rev = "ippcp_${version}";
-    hash = "sha256-DfXsJ+4XqyjCD+79LUD53Cx8D46o1a4fAZa2UxGI1Xg=";
+    hash = "sha256-OgNrrPE8jFVD/hcv7A43Bno96r4Z/lb7/SE6TEL7RDI=";
   };
 
-  cmakeFlags = [ "-DARCH=intel64" ] ++ extraCmakeFlags;
+  cmakeFlags = [
+    "-DARCH=intel64"
+    # sgx-sdk now requires FIPS-compliance mode turned on
+    "-DIPPCP_FIPS_MODE=on"
+  ] ++ extraCmakeFlags;
 
   nativeBuildInputs = [
     cmake
     nasm
-    ninja
     openssl
     python3
   ];