From 81d1d79b1d61afff91f21a678756c404ea85afdc Mon Sep 17 00:00:00 2001 From: Philip Kannegaard Hayes Date: Wed, 25 Jun 2025 13:35:56 -0700 Subject: [PATCH] sgx-psw: 2.25 -> 2.26 --- nixos/modules/services/security/aesmd.nix | 33 ++++++++++++------- .../sgx/psw/add-missing-header-pr-1063.patch | 12 +++++++ pkgs/os-specific/linux/sgx/psw/default.nix | 12 ++++--- 3 files changed, 41 insertions(+), 16 deletions(-) create mode 100644 pkgs/os-specific/linux/sgx/psw/add-missing-header-pr-1063.patch diff --git a/nixos/modules/services/security/aesmd.nix b/nixos/modules/services/security/aesmd.nix index 4f7f55e78e99d..6fec5fe46ea76 100644 --- a/nixos/modules/services/security/aesmd.nix +++ b/nixos/modules/services/security/aesmd.nix @@ -166,15 +166,25 @@ in ]; serviceConfig = { - ExecStartPre = pkgs.writeShellScript "copy-aesmd-data-files.sh" '' - set -euo pipefail - whiteListFile="${aesmDataFolder}/white_list_cert_to_be_verify.bin" - if [[ ! -f "$whiteListFile" ]]; then - ${pkgs.coreutils}/bin/install -m 644 -D \ - "${storeAesmFolder}/data/white_list_cert_to_be_verify.bin" \ - "$whiteListFile" - fi - ''; + ExecStartPre = + let + script = pkgs.writeShellScript "copy-aesmd-data-files.sh" '' + set -euo pipefail + + # For some reason systemd 257+ won't properly bind mount the + # StateDirectory with the aesmd DynamicUser owning it + chown -R aesmd:aesmd /var/opt/aesmd + + whiteListFile="${aesmDataFolder}/white_list_cert_to_be_verify.bin" + if [[ ! -f "$whiteListFile" ]]; then + install -m 644 -o aesmd -g aesmd -D \ + "${storeAesmFolder}/data/white_list_cert_to_be_verify.bin" \ + "$whiteListFile" + fi + ''; + # Run setup with elevated privileges + in + "+${script}"; ExecStart = "${sgx-psw}/bin/aesm_service --no-daemon"; ExecReload = ''${pkgs.coreutils}/bin/kill -SIGHUP "$MAINPID"''; 
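Review bot: With the `+` prefix the whole copy-aesmd-data-files.sh now runs as root, yet `chown` and `install` are invoked by bare name, whereas the removed version used `${pkgs.coreutils}/bin/install` and `ExecReload` in the same hunk still uses `${pkgs.coreutils}/bin/kill`; a root-level step should not depend on the unit's PATH. Restore the absolute paths: `${pkgs.coreutils}/bin/chown aesmd:aesmd /var/opt/aesmd` and `${pkgs.coreutils}/bin/install -m 644 -o aesmd -g aesmd -D \`. Consider dropping `-R` as well: `install -o aesmd -g aesmd` already creates the whitelist file with the right owner, so a recursive privileged chown on every start over a tree the unprivileged daemon later writes into appears to be needed only for pre-existing state, if at all, and widens what executes as root. `/var/opt/aesmd` is also hard-coded while the very next line uses `${aesmDataFolder}`; if the two are meant to agree, derive one from the other (or from the unit's StateDirectory) so they cannot drift apart. The enclosing `serviceConfig` attribute set continues outside this hunk.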
@@ -196,9 +206,8 @@ in RuntimeDirectoryMode = "0750"; # Hardening - - # chroot into the runtime directory - RootDirectory = "%t/aesmd"; + # # chroot prevents the setup from locating the aesmd DynamicUser + # RootDirectory = "%t/aesmd"; BindReadOnlyPaths = [ builtins.storeDir # Hardcoded path AESM_CONFIG_FILE in psw/ae/aesm_service/source/utils/aesm_config.cpp diff --git a/pkgs/os-specific/linux/sgx/psw/add-missing-header-pr-1063.patch b/pkgs/os-specific/linux/sgx/psw/add-missing-header-pr-1063.patch new file mode 100644 index 0000000000000..24c31520d681b --- /dev/null +++ b/pkgs/os-specific/linux/sgx/psw/add-missing-header-pr-1063.patch @@ -0,0 +1,12 @@ +diff --git a/psw/enclave_common/sgx_enclave_common.cpp b/psw/enclave_common/sgx_enclave_common.cpp +index 9867ecc86..46fcf8733 100644 +--- a/psw/enclave_common/sgx_enclave_common.cpp ++++ b/psw/enclave_common/sgx_enclave_common.cpp +@@ -35,6 +35,7 @@ + #include + #include + #include ++#include + #include "sgx_enclave_common.h" + #include "sgx_urts.h" + #include "arch.h" diff --git a/pkgs/os-specific/linux/sgx/psw/default.nix b/pkgs/os-specific/linux/sgx/psw/default.nix index 2b3e97604f973..f311c285fa64e 100644 --- a/pkgs/os-specific/linux/sgx/psw/default.nix +++ b/pkgs/os-specific/linux/sgx/psw/default.nix @@ -20,15 +20,15 @@ stdenv.mkDerivation rec { pname = "sgx-psw"; # Version as given in se_version.h - version = "2.25.100.3"; + version = "2.26.100.0"; # Version as used in the Git tag - versionTag = "2.25"; + versionTag = "2.26"; src = fetchFromGitHub { owner = "intel"; repo = "linux-sgx"; rev = "sgx_${versionTag}"; - hash = "sha256-RR+vFTd9ZM6XUn3KgQeUM+xoj1Ava4zQzFYA/nfXyaw="; + hash = "sha256-g7t51Js4JoF7QeEngzmJJcRP2bQDbEMeKimVzqNDkFI="; fetchSubmodules = true; }; 
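Review bot: Commenting out `RootDirectory = "%t/aesmd"` removes the chroot from the long-running `aesm_service` process, not just from the setup step, so the unit's hardening regresses in order to let an ExecStartPre resolve a user name. Prefer keeping `RootDirectory` and moving the ownership fix outside the chroot — for example a separate oneshot setup unit ordered before this one, or, if the `aesmd` account can be made static, a `systemd.tmpfiles.rules` entry such as `Z /var/opt/aesmd - aesmd aesmd -` — so the daemon itself stays confined. If it must stay disabled for now, replace the doubled `# # chroot prevents the setup from locating the aesmd DynamicUser` with a single-`#` comment that states this is a deliberate, temporary hardening trade-off and what would allow re-enabling it, rather than leaving a half-commented line. The `BindReadOnlyPaths` list continues outside this hunk.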
@@ -52,7 +52,7 @@ stdenv.mkDerivation rec { # Fetch the Data Center Attestation Primitives (DCAP) platform enclaves # and pre-built sgxssl. dcap = rec { - version = "1.22"; + version = "1.23"; filename = "prebuilt_dcap_${version}.tar.gz"; prebuilt = fetchurl { url = "https://download.01.org/intel-sgx/sgx-dcap/${version}/linux/$(unknown)"; @@ -90,6 +90,10 @@ stdenv.mkDerivation rec { # binary. Without changes, the `aesm_service` will be different after every # build because the embedded zip file contents have different modified times. ./cppmicroservices-no-mtime.patch + + # Add missing `#include ` to fix build with GCC 14 + # PR: + ./add-missing-header-pr-1063.patch ]; postPatch =