sgx-psw: 2.25 -> 2.26 by phlip9 · Pull Request #420079 · NixOS/nixpkgs

phlip9 · 2025-06-26T00:45:02Z

Changes

Update the sgx-psw package to the latest 2.26 release.

Fix the aesmd service, which broke with the update to systemd-v257 (#356818).

If possible, it would be nice to backport this to release-25.05, as sgx-psw/aesmd are currently broken on that release.

Prior update attempt (2.25 -> 2.26): #403984
Previous update PR (2.24 -> 2.25): #353041

Quick Glossary:

Intel SGX is a Confidential Computing technology for running hardware-isolated enclaves and confidential VMs (Intel TDX) on Intel server CPUs alongside an untrusted hypervisor/Linux/userspace software stack.
sgx-psw (Platform SoftWare) provides the aesmd service (Architecture Enclave Service Manager Daemon), which simplifies running enclaves and getting remote attestation quotes.

Testing:

These changes were tested on an SGX-enabled Azure gen2 VM (DCSv3) running NixOS.

Run against real SGX hardware

Make sure you're running on a recent x86-64 Intel CPU, against a somewhat recent kernel with the in-tree kernel SGX driver (any NixOS config in the last few years should cover this).

Check the hardware and kernel setup:

$ journalctl --boot --dmesg --grep=sgx
kernel: sgx: EPC section 0x2c0000000-0x3bfffffff

In your NixOS configuration.nix, add something like:

  services.aesmd = {
    enable = true;
    # Include this if you're running on Azure
    quoteProviderLibrary = pkgs.sgx-azure-dcap-client;
  };

After a nixos-rebuild switch, check that the devices are configured and the aesmd service is running:

$ find /dev -name "*sgx*" -ls
 83      0 crw-rw----   1 root     sgx_prv   10, 126 May  8 17:21 /dev/sgx_provision
 84      0 crw-rw----   1 root     sgx       10, 125 May  8 17:21 /dev/sgx_enclave
400      0 drwxr-xr-x   2 root     root           80 May  8 17:21 /dev/sgx

$ systemctl status aesmd.service
● aesmd.service - Intel Architectural Enclave Service Manager
     Loaded: loaded (/etc/systemd/system/aesmd.service; enabled; preset: ignored)
     Active: active (running) since Thu 2025-06-26 00:19:15 UTC; 22min ago
 Invocation: d358b870341e4fb88622346358d5fb64
    Process: 861 ExecStartPre=/nix/store/ig3jvcxc2qb1qzmar2l3hrg3mf6rm55m-copy-aesmd-data-files.sh (code=exited, status=0/SUCCESS)
   Main PID: 866 (aesm_service)
         IP: 17.1K in, 3.2K out
         IO: 16.8M read, 16K written
      Tasks: 4 (limit: 9495)
     Memory: 20M (peak: 20.2M)
        CPU: 363ms
     CGroup: /system.slice/aesmd.service
             └─866 /nix/store/rkwsxksksxlwcnjxsfpakd02vrslnj2m-sgx-psw-2.26.100.0/aesm/aesm_service --no-daemon

Jun 26 00:19:15 lexe-dev-sgx aesm_service[866]: epid_quote_service_bundle_name:2.0.0
Jun 26 00:19:15 lexe-dev-sgx aesm_service[866]: le_launch_service_bundle_name:2.0.0
Jun 26 00:19:15 lexe-dev-sgx aesm_service[866]: linux_network_service_bundle_name:2.0.0
Jun 26 00:19:15 lexe-dev-sgx aesm_service[866]: pce_service_bundle_name:2.0.0
Jun 26 00:19:15 lexe-dev-sgx aesm_service[866]: quote_ex_service_bundle_name:2.0.0
Jun 26 00:19:15 lexe-dev-sgx aesm_service[866]: system_bundle:4.0.0
Jun 26 00:19:16 lexe-dev-sgx aesm_service[866]: Failed to set logging callback for the quote provider library.
Jun 26 00:19:16 lexe-dev-sgx aesm_service[866]: The server sock is 0x1edfb790
Jun 26 00:21:17 lexe-dev-sgx aesm_service[866]: InKernel LE loaded
Jun 26 00:21:17 lexe-dev-sgx aesm_service[866]: Azure Quote Provider: libdcap_quoteprov.so [INFO]: Debug Logging Enabled

$ ls -l /var/run/aesmd/aesm.socket
srwxrwxrwx 1 aesmd sgx 0 Jun 26 00:19 /var/run/aesmd/aesm.socket

Run a test enclave that exercises remote attestation:

$ nix run -L github:lexe-app/lexe-public#run-sgx-test
Ensure SGX platform primitives work (sealing, attestation, etc)
machine_id: e6f7d35736746f205a71551771263b86
measurement: eac7ec70f2de593d368f4e56622a0cd9121299ea8d423a55d687c5fbaccb7444

SEALING
seal('label', 'my data') := 4c00000004000100000000000e0e100fffff010000000000000000000700000000000000e70000000000000056fb656bd71b051ba6a95a9a9e6f35a65954215f4cdbda2fae2ad4edff95ceff000000001700000018330baa813a2b8cb80a351935551f1ffb4f1da134714a

REMOTE ATTESTATION
fake pubkey we're attesting to: 4545454545454545454545454545454545454545454545454545454545454545
SGX DER-serialized evidence:
quote: 03000200000000000b00..4452d2d2d2d2d0a00

SGX enclave Report:
measurement: eac7ec70f2de593d368f4e56622a0cd9121299ea8d423a55d687c5fbaccb7444
mrsigner: 9affcfae47b848ec2caf1c49b4b283531e1cc425f93582b36806e52a43d78d1a
reportdata: 45454545454545454545454545454545454545454545454545454545454545450000000000000000000000000000000000000000000000000000000000000000
attributes: Attributes { flags: INIT | MODE64BIT, xfrm: 231 }
miscselect: (empty)
cpusvn: 10101110ffff01000000000000000000
isvsvn: 0
isvsvn: 0

marcin-serwin

Version 2.27 is out which does not require patching

marcin-serwin · 2026-02-10T22:23:00Z

nixos/modules/services/security/aesmd.nix

-          # chroot into the runtime directory
-          RootDirectory = "%t/aesmd";
+          # # chroot prevents the setup from locating the aesmd DynamicUser
+          # RootDirectory = "%t/aesmd";


Is this intentional?

Sorry, the comment could be clearer. When I tested this, RootDirectory (which as I understand it, chroot's into the given directory), seemed to interact poorly with DynamicUser and prevented the service from starting properly.

EDIT: for more context, this first became an issue after NixOS updated to systemd-v257

phlip9 · 2026-02-11T09:29:43Z

@marcin-serwin Thanks for the review! It reminded me to update to sgx-psw-v2.27, which I've done in this PR: #489368

Might be more convenient to just review+land that one

nix-owners bot requested review from RealityAnomaly and veehaitch June 26, 2025 00:51

phlip9 force-pushed the phlip9/sgx-psw-v2.26 branch from 7d0d471 to cb047ca Compare June 26, 2025 00:53

sgx-psw: 2.25 -> 2.26

81d1d79

phlip9 force-pushed the phlip9/sgx-psw-v2.26 branch from cb047ca to 81d1d79 Compare June 26, 2025 20:04

phlip9 changed the title ~~sgx-psw+aesmd: 2.25 -> 2.26~~ sgx-psw: 2.25 -> 2.26 Jun 26, 2025

iedame mentioned this pull request Nov 8, 2025

Tracking: Broken ancient packages #459759

Open

nixpkgs-ci bot added the 2.status: stale https://github.com/NixOS/nixpkgs/blob/master/.github/STALE-BOT.md label Dec 24, 2025

marcin-serwin requested changes Feb 10, 2026

View reviewed changes

nixpkgs-ci bot removed the 2.status: stale https://github.com/NixOS/nixpkgs/blob/master/.github/STALE-BOT.md label Feb 10, 2026

phlip9 mentioned this pull request Feb 11, 2026

sgx-psw+aesmd: 2.25 -> 2.27 #489368

Open

13 tasks

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

sgx-psw: 2.25 -> 2.26#420079

sgx-psw: 2.25 -> 2.26#420079
phlip9 wants to merge 1 commit intoNixOS:masterfrom
phlip9:phlip9/sgx-psw-v2.26

phlip9 commented Jun 26, 2025 •

edited

Loading

Uh oh!

marcin-serwin left a comment

Uh oh!

marcin-serwin Feb 10, 2026

Uh oh!

phlip9 Feb 11, 2026 •

edited

Loading

Uh oh!

phlip9 commented Feb 11, 2026

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

2 participants

Uh oh!

Conversation

phlip9 commented Jun 26, 2025 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Changes

Run against real SGX hardware

Uh oh!

marcin-serwin left a comment

Choose a reason for hiding this comment

Uh oh!

marcin-serwin Feb 10, 2026

Choose a reason for hiding this comment

Uh oh!

phlip9 Feb 11, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Choose a reason for hiding this comment

Uh oh!

phlip9 commented Feb 11, 2026

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

2 participants

phlip9 commented Jun 26, 2025 •

edited

Loading

phlip9 Feb 11, 2026 •

edited

Loading