diff --git a/nixos/modules/services/security/aesmd.nix b/nixos/modules/services/security/aesmd.nix index 7a05fde7d3cbd..04bd3c4bb10c3 100644 --- a/nixos/modules/services/security/aesmd.nix +++ b/nixos/modules/services/security/aesmd.nix @@ -11,7 +11,6 @@ let literalExpression makeLibraryPath mkEnableOption - mkForce mkIf mkOption mkPackageOption @@ -129,11 +128,6 @@ in hardware.cpu.intel.sgx.provision.enable = true; - # Make sure the AESM service can find the SGX devices until - # https://github.com/intel/linux-sgx/issues/772 is resolved - # and updated in nixpkgs. - hardware.cpu.intel.sgx.enableDcapCompat = mkForce true; - systemd.services.aesmd = let storeAesmFolder = "${sgx-psw}/aesm"; @@ -156,25 +150,16 @@ in } // cfg.environment; - # Make sure any of the SGX application enclave devices is available - unitConfig.AssertPathExists = [ - # legacy out-of-tree driver - "|/dev/isgx" - # DCAP driver - "|/dev/sgx/enclave" - # in-tree driver - "|/dev/sgx_enclave" - ]; + # Ensure the SGX application enclave device is available + unitConfig.AssertPathExists = [ "/dev/sgx_enclave" ]; serviceConfig = { - ExecStartPre = pkgs.writeShellScript "copy-aesmd-data-files.sh" '' - set -euo pipefail - whiteListFile="${aesmDataFolder}/white_list_cert_to_be_verify.bin" - if [[ ! -f "$whiteListFile" ]]; then - ${pkgs.coreutils}/bin/install -m 644 -D \ + # Run with elevated privileges to create /var/opt/aesmd/... before + # dropping to DynamicUser. + ExecStartPre = '' + +${lib.getExe' pkgs.coreutils "install"} -m 644 -D \ "${storeAesmFolder}/data/white_list_cert_to_be_verify.bin" \ - "$whiteListFile" - fi + "${aesmDataFolder}/white_list_cert_to_be_verify.bin" ''; ExecStart = "${sgx-psw}/bin/aesm_service --no-daemon"; ExecReload = ''${pkgs.coreutils}/bin/kill -SIGHUP "$MAINPID"''; 
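Review bot: The rewritten `ExecStartPre` drops the `if [[ ! -f "$whiteListFile" ]]` guard, so `white_list_cert_to_be_verify.bin` is re-installed from the store on every start, and because the `+` prefix runs `install` as root the result is a root-owned 0644 file that the DynamicUser account can read but not replace. If `aesm_service` ever rewrites that file at runtime (its name suggests a whitelist that gets refreshed; confirm against the PSW sources), the write now fails and any refreshed copy is clobbered on restart; if it never writes it, say so in the comment. Either keep the existence check (`install -D` does not skip an existing target) or let systemd own the directory via `StateDirectory=` so the service user can write it and the `+` prefix is unnecessary. The `aesmDataFolder` binding and the rest of `serviceConfig` are outside this hunk.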
@@ -196,9 +181,8 @@ in RuntimeDirectory = "aesmd"; RuntimeDirectoryMode = "0750"; - # Hardening + # --- Hardening --- - # chroot into the runtime directory RootDirectory = "%t/aesmd"; BindReadOnlyPaths = [ builtins.storeDir @@ -215,10 +199,6 @@ in PrivateDevices = false; DevicePolicy = "closed"; DeviceAllow = [ - # legacy out-of-tree driver - "/dev/isgx rw" - # DCAP driver - "/dev/sgx rw" # in-tree driver "/dev/sgx_enclave rw" "/dev/sgx_provision rw" @@ -230,7 +210,7 @@ in RestrictAddressFamilies = [ # Allocates the socket /var/run/aesmd/aesm.socket "AF_UNIX" - # Uses the HTTP protocol to initialize some services + # Makes HTTPS requests to the Intel PCCS service (or a cache). "AF_INET" "AF_INET6" ]; diff --git a/pkgs/by-name/sg/sgx-azure-dcap-client/missing-includes.patch b/pkgs/by-name/sg/sgx-azure-dcap-client/missing-includes.patch new file mode 100644 index 0000000000000..c2f30e33236b1 --- /dev/null +++ b/pkgs/by-name/sg/sgx-azure-dcap-client/missing-includes.patch @@ -0,0 +1,24 @@ +diff --git a/src/Linux/curl_easy.h b/src/Linux/curl_easy.h +index 047f3e2..c9c5e83 100644 +--- a/src/Linux/curl_easy.h ++++ b/src/Linux/curl_easy.h +@@ -6,6 +6,7 @@ + #define CURL_EASY_H + + #define _CRT_SECURE_NO_WARNINGS // Use strncpy for portability. ++#include + #include + #include + #include +diff --git a/src/local_cache.h b/src/local_cache.h +index da86967..d9b0d3f 100644 +--- a/src/local_cache.h ++++ b/src/local_cache.h +@@ -5,6 +5,7 @@ + #ifndef LOCAL_CACHE_H + #define LOCAL_CACHE_H + ++#include + #include + #include + #include diff --git a/pkgs/by-name/sg/sgx-azure-dcap-client/package.nix b/pkgs/by-name/sg/sgx-azure-dcap-client/package.nix index 3be23a08d5982..f43d216c0badf 100644 --- a/pkgs/by-name/sg/sgx-azure-dcap-client/package.nix +++ b/pkgs/by-name/sg/sgx-azure-dcap-client/package.nix @@ -1,7 +1,6 @@ { stdenv, fetchFromGitHub, - fetchpatch, lib, curl, nlohmann_json, 
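Review bot: The new comment on `RestrictAddressFamilies` says the service makes HTTPS requests to the PCCS, yet the unit is chrooted into `%t/aesmd` via `RootDirectory` with `BindReadOnlyPaths` starting at `builtins.storeDir`; TLS verification fails inside such a chroot unless the CA bundle is also visible. Confirm that the remainder of `BindReadOnlyPaths` (it continues outside this hunk) includes the CA certificate path that the PSW's libcurl reads, and record that dependency next to the `AF_INET` entry, e.g. `# TLS to the PCCS needs the CA bundle bind-mounted into RootDirectory.` If the PCCS endpoint is a fixed host, an `IPAddressAllow`/`IPAddressDeny` pair would narrow the network exposure further than the address-family restriction alone.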
@@ -36,23 +35,18 @@ let in stdenv.mkDerivation (finalAttrs: { pname = "azure-dcap-client"; - version = "1.12.3"; + version = "1.13.0-pre0"; src = fetchFromGitHub { owner = "microsoft"; repo = "azure-dcap-client"; - rev = finalAttrs.version; - hash = "sha256-zTDaICsSPXctgFRCZBiZwXV9dLk2pFL9kp5a8FkiTZA="; + rev = "839ac4a2acc11b90cb91a483fcfc0cf7ae6a75c7"; + hash = "sha256-dVO5cSOcpkOuxql06exS4aLJgvtRg+Oi6k8HBIjwPlg="; }; patches = [ - # Fix gcc-13 build: - # https://github.com/microsoft/Azure-DCAP-Client/pull/197 - (fetchpatch { - name = "gcc-13.patch"; - url = "https://github.com/microsoft/Azure-DCAP-Client/commit/fbcae7b3c8f1155998248cf5b5f4c1df979483f5.patch"; - hash = "sha256-ezEuQql3stn58N1ZPKMlhPpUOBkDpCcENpGwFAmWtHc="; - }) + # missing `#include ` + ./missing-includes.patch ]; nativeBuildInputs = [ diff --git a/pkgs/by-name/sg/sgx-azure-dcap-client/test-suite.nix b/pkgs/by-name/sg/sgx-azure-dcap-client/test-suite.nix index 5363efd55835a..1ce647f72a6e9 100644 --- a/pkgs/by-name/sg/sgx-azure-dcap-client/test-suite.nix +++ b/pkgs/by-name/sg/sgx-azure-dcap-client/test-suite.nix @@ -11,7 +11,11 @@ sgx-azure-dcap-client.overrideAttrs (old: { ]; patches = (old.patches or [ ]) ++ [ + # Missing `#include ` ./tests-missing-includes.patch + + # gtest no longer supports c++14. Use c++17. + ./tests-cpp-version.patch ]; buildFlags = [ diff --git a/pkgs/by-name/sg/sgx-azure-dcap-client/tests-cpp-version.patch b/pkgs/by-name/sg/sgx-azure-dcap-client/tests-cpp-version.patch new file mode 100644 index 0000000000000..0fd03ba0ce952 --- /dev/null +++ b/pkgs/by-name/sg/sgx-azure-dcap-client/tests-cpp-version.patch 
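Review bot: `version = "1.13.0-pre0"` no longer corresponds to an upstream tag and `rev` is a bare commit, so nothing in the expression says why a pre-release snapshot is being shipped or which release it is expected to become. The `hash` still content-addresses the checkout, so the pin is reproducible, but add a comment next to `rev` naming the reason (the upstream change this commit is needed for) and the tag to watch, so the next bump can return to a tagged release, e.g. `# Unreleased commit: needed for <reason>; switch back to a tag once 1.13.0 is out.`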
@@ -0,0 +1,39 @@ +diff --git a/src/Linux/CMakeLists.txt b/src/Linux/CMakeLists.txt +index 8567253..0137a7a 100644 +--- a/src/Linux/CMakeLists.txt ++++ b/src/Linux/CMakeLists.txt +@@ -13,8 +13,8 @@ endif(__SERVICE_VM__) + + find_package(OpenSSL REQUIRED) + +-set(CMAKE_CXX_STANDARD 14) +-set(CMAKE_CXX_FLAGS "${CMAKE_CXX_FLAGS} -std=c++14") ++set(CMAKE_CXX_STANDARD 17) ++set(CMAKE_CXX_FLAGS "${CMAKE_CXX_FLAGS} -std=c++17") + + # Link runTests with what we want to test and the GTest and pthread library + add_executable(dcap_provider_utests ../UnitTest/test_local_cache.cpp ../UnitTest/test_quote_prov.cpp ../UnitTest/main.cpp ../Linux/local_cache.cpp) +diff --git a/src/Linux/Makefile.in b/src/Linux/Makefile.in +index 58a1c77..1ce6431 100644 +--- a/src/Linux/Makefile.in ++++ b/src/Linux/Makefile.in +@@ -8,15 +8,15 @@ DEBUG ?= 0 + SERVICE_VM ?= 0 + ifeq ($(DEBUG), 1) + ifeq ($(SERVICE_VM), 1) +- CFLAGS = -fPIC -std=c++14 -g -Wall -I /usr/local/include/gtest/ -Werror $(INCLUDES) -D__LINUX__ -D__SERVICE_VM__ -Wno-unknown-pragmas -pthread ++ CFLAGS = -fPIC -std=c++17 -g -Wall -I /usr/local/include/gtest/ -Werror $(INCLUDES) -D__LINUX__ -D__SERVICE_VM__ -Wno-unknown-pragmas -pthread + else +- CFLAGS = -fPIC -std=c++14 -g -Wall -I /usr/local/include/gtest/ -Werror $(INCLUDES) -D__LINUX__ -Wno-unknown-pragmas -pthread ++ CFLAGS = -fPIC -std=c++17 -g -Wall -I /usr/local/include/gtest/ -Werror $(INCLUDES) -D__LINUX__ -Wno-unknown-pragmas -pthread + endif + else + ifeq ($(SERVICE_VM), 1) +- CFLAGS = -fPIC -std=c++14 -Wall -I /usr/local/include/gtest/ -Werror $(INCLUDES) -D__LINUX__ -D__SERVICE_VM__ -Wno-unknown-pragmas -pthread ++ CFLAGS = -fPIC -std=c++17 -Wall -I /usr/local/include/gtest/ -Werror $(INCLUDES) -D__LINUX__ -D__SERVICE_VM__ -Wno-unknown-pragmas -pthread + else +- CFLAGS = -fPIC -std=c++14 -Wall -I /usr/local/include/gtest/ -Werror $(INCLUDES) -D__LINUX__ -Wno-unknown-pragmas -pthread ++ CFLAGS = -fPIC -std=c++17 -Wall -I /usr/local/include/gtest/ -Werror $(INCLUDES) 
-D__LINUX__ -Wno-unknown-pragmas -pthread + endif + endif + diff --git a/pkgs/by-name/sg/sgx-ssl/package.nix b/pkgs/by-name/sg/sgx-ssl/package.nix deleted file mode 100644 index cac1c5e28a757..0000000000000 --- a/pkgs/by-name/sg/sgx-ssl/package.nix +++ /dev/null 
@@ -1,95 +0,0 @@ -{ - stdenv, - callPackage, - fetchFromGitHub, - fetchurl, - lib, - perl, - sgx-sdk, - which, - debug ? false, -}: -let - sgxVersion = sgx-sdk.versionTag; - opensslVersion = "3.0.13"; -in -stdenv.mkDerivation { - pname = "sgx-ssl" + lib.optionalString debug "-debug"; - version = "${sgxVersion}_${opensslVersion}"; - - src = fetchFromGitHub { - owner = "intel"; - repo = "intel-sgx-ssl"; - rev = "3.0_Rev2"; - hash = "sha256-dmLyaG6v+skjSa0KxLAfIfSBOxp9grrI7ds6WdGPe0I="; - }; - - postUnpack = - let - opensslSourceArchive = fetchurl { - url = "https://www.openssl.org/source/openssl-${opensslVersion}.tar.gz"; - hash = "sha256-iFJXU/edO+wn0vp8ZqoLkrOqlJja/ZPXz6SzeAza4xM="; - }; - in - '' - ln -s ${opensslSourceArchive} $sourceRoot/openssl_source/openssl-${opensslVersion}.tar.gz - ''; - - postPatch = '' - patchShebangs Linux/build_openssl.sh - - # Skip the tests. Build and run separately (see below). - substituteInPlace Linux/sgx/Makefile \ - --replace-fail '$(MAKE) -C $(TEST_DIR) all' \ - 'bash -c "true"' - ''; - - nativeBuildInputs = [ - perl - sgx-sdk - which - ]; - - makeFlags = [ - "-C Linux" - ] - ++ lib.optionals debug [ - "DEBUG=1" - ]; - - installFlags = [ - "DESTDIR=$(out)" - ]; - - # These tests build on any x86_64-linux but BOTH SIM and HW will only _run_ on - # real Intel hardware. Split these out so OfBorg doesn't choke on this pkg. - # - # ``` - # nix run .#sgx-ssl.tests.HW - # nix run .#sgx-ssl.tests.SIM - # ``` - passthru.tests = { - HW = callPackage ./tests.nix { - sgxMode = "HW"; - inherit opensslVersion; - }; - SIM = callPackage ./tests.nix { - sgxMode = "SIM"; - inherit opensslVersion; - }; - }; - - meta = { - description = "Cryptographic library for Intel SGX enclave applications based on OpenSSL"; - homepage = "https://github.com/intel/intel-sgx-ssl"; - maintainers = with lib.maintainers; [ - phlip9 - veehaitch - ]; - platforms = [ "x86_64-linux" ]; - license = with lib.licenses; [ - bsd3 - openssl - ]; - }; -} 
diff --git a/pkgs/by-name/sg/sgx-ssl/tests.nix b/pkgs/by-name/sg/sgx-ssl/tests.nix deleted file mode 100644 index 3b360f696525b..0000000000000 --- a/pkgs/by-name/sg/sgx-ssl/tests.nix +++ /dev/null 
@@ -1,96 +0,0 @@ -# This package _builds_ (but doesn't run!) the sgx-ssl test enclave + harness. -# The whole package effectively does: -# -# ``` -# SGX_MODE=${sgxMode} make -C Linux/sgx/test_app -# cp Linux/sgx/{TestApp,TestEnclave.signed.so} $out/bin -# ``` -# -# OfBorg fails to run these tests since they require real Intel HW. That -# includes the simulation mode! The tests appears to do something fancy with -# cpuid and exception trap handlers that make them very non-portable. -# -# These tests are split out from the parent pkg since recompiling the parent -# takes like 30 min : ) - -{ - lib, - openssl, - sgx-psw, - sgx-sdk, - sgx-ssl, - stdenv, - which, - opensslVersion ? throw "required parameter", - sgxMode ? throw "required parameter", # "SIM" or "HW" -}: -stdenv.mkDerivation { - inherit (sgx-ssl) postPatch src version; - pname = sgx-ssl.pname + "-tests-${sgxMode}"; - - postUnpack = sgx-ssl.postUnpack + '' - sourceRootAbs=$(readlink -e $sourceRoot) - packageDir=$sourceRootAbs/Linux/package - - # Do the inverse of 'make install' and symlink built artifacts back into - # '$src/Linux/package/' to avoid work. - mkdir $packageDir/lib $packageDir/lib64 - ln -s ${lib.getLib sgx-ssl}/lib/* $packageDir/lib/ - ln -s ${lib.getLib sgx-ssl}/lib64/* $packageDir/lib64/ - ln -sf ${lib.getDev sgx-ssl}/include/* $packageDir/include/ - - # test_app needs some internal openssl headers. 
- # See: tail end of 'Linux/build_openssl.sh' - tar -C $sourceRootAbs/openssl_source -xf $sourceRootAbs/openssl_source/openssl-${opensslVersion}.tar.gz - echo '#define OPENSSL_VERSION_STR "${opensslVersion}"' > $sourceRootAbs/Linux/sgx/osslverstr.h - ln -s $sourceRootAbs/openssl_source/openssl-${opensslVersion}/include/crypto $sourceRootAbs/Linux/sgx/test_app/enclave/ - ln -s $sourceRootAbs/openssl_source/openssl-${opensslVersion}/include/internal $sourceRootAbs/Linux/sgx/test_app/enclave/ - ''; - - nativeBuildInputs = [ - openssl.bin - sgx-sdk - which - ]; - - preBuild = '' - # Need to regerate the edl header - make -C Linux/sgx/libsgx_tsgxssl sgx_tsgxssl_t.c - ''; - - makeFlags = [ - "-C Linux/sgx/test_app" - "SGX_MODE=${sgxMode}" - ]; - - installPhase = '' - runHook preInstall - - # Enclaves can't be stripped after signing. - install -Dm 755 Linux/sgx/test_app/TestEnclave.signed.so -t $TMPDIR/enclaves - - install -Dm 755 Linux/sgx/test_app/TestApp -t $out/bin - - runHook postInstall - ''; - - postFixup = '' - # Move the enclaves where they actually belong. - mv $TMPDIR/enclaves/*.signed.so* $out/bin/ - - # HW SGX must runs against sgx-psw, not sgx-sdk. - if [[ "${sgxMode}" == "HW" ]]; then - patchelf \ - --set-rpath "$( \ - patchelf --print-rpath $out/bin/TestApp \ - | sed 's|${lib.getLib sgx-sdk}|${lib.getLib sgx-psw}|' \ - )" \ - $out/bin/TestApp - fi - ''; - - meta = { - platforms = [ "x86_64-linux" ]; - mainProgram = "TestApp"; - }; -} diff --git a/pkgs/os-specific/linux/sgx/psw/cppmicroservices-compat.patch b/pkgs/os-specific/linux/sgx/psw/cppmicroservices-compat.patch new file mode 100644 index 0000000000000..c0044c3292d6d --- /dev/null +++ b/pkgs/os-specific/linux/sgx/psw/cppmicroservices-compat.patch 
@@ -0,0 +1,87 @@ +diff --git a/external/CppMicroServices/CMakeLists.txt b/external/CppMicroServices/CMakeLists.txt +index 8d0aff3..44d45d9 100644 +--- a/external/CppMicroServices/CMakeLists.txt ++++ b/external/CppMicroServices/CMakeLists.txt +@@ -1,7 +1,7 @@ + # Extract the current version from the VERSION file + file(STRINGS VERSION _version LIMIT_COUNT 1) + +-set(US_CMAKE_MINIMUM_REQUIRED_VERSION 3.2) ++set(US_CMAKE_MINIMUM_REQUIRED_VERSION 3.10) + + cmake_minimum_required(VERSION ${US_CMAKE_MINIMUM_REQUIRED_VERSION}) + +diff --git a/external/CppMicroServices/framework/include/cppmicroservices/AnyMap.h b/external/CppMicroServices/framework/include/cppmicroservices/AnyMap.h +index 3f240f4..e8acef9 100644 +--- a/external/CppMicroServices/framework/include/cppmicroservices/AnyMap.h ++++ b/external/CppMicroServices/framework/include/cppmicroservices/AnyMap.h +@@ -25,6 +25,7 @@ + + #include "cppmicroservices/Any.h" + ++#include + #include + #include + +diff --git a/external/CppMicroServices/framework/include/cppmicroservices/BundleEvent.h b/external/CppMicroServices/framework/include/cppmicroservices/BundleEvent.h +index 9b36a9b..12894fa 100644 +--- a/external/CppMicroServices/framework/include/cppmicroservices/BundleEvent.h ++++ b/external/CppMicroServices/framework/include/cppmicroservices/BundleEvent.h +@@ -25,6 +25,7 @@ + + #include "cppmicroservices/FrameworkExport.h" + ++#include + #include + #include + +diff --git a/external/CppMicroServices/framework/include/cppmicroservices/Constants.h b/external/CppMicroServices/framework/include/cppmicroservices/Constants.h +index 590a890..cf60926 100644 +--- a/external/CppMicroServices/framework/include/cppmicroservices/Constants.h ++++ b/external/CppMicroServices/framework/include/cppmicroservices/Constants.h +@@ -25,6 +25,7 @@ + + #include "cppmicroservices/FrameworkConfig.h" + ++#include + #include + + namespace cppmicroservices { +diff --git 
a/external/CppMicroServices/framework/include/cppmicroservices/FrameworkEvent.h b/external/CppMicroServices/framework/include/cppmicroservices/FrameworkEvent.h +index 71caf1b..a29e87c 100644 +--- a/external/CppMicroServices/framework/include/cppmicroservices/FrameworkEvent.h ++++ b/external/CppMicroServices/framework/include/cppmicroservices/FrameworkEvent.h +@@ -25,6 +25,7 @@ + + #include "cppmicroservices/FrameworkExport.h" + ++#include + #include + #include + +diff --git a/external/CppMicroServices/framework/include/cppmicroservices/ServiceEvent.h b/external/CppMicroServices/framework/include/cppmicroservices/ServiceEvent.h +index 451cb82..da7c5f0 100644 +--- a/external/CppMicroServices/framework/include/cppmicroservices/ServiceEvent.h ++++ b/external/CppMicroServices/framework/include/cppmicroservices/ServiceEvent.h +@@ -25,6 +25,8 @@ + + #include "cppmicroservices/ServiceReference.h" + ++#include ++ + US_MSVC_PUSH_DISABLE_WARNING( + 4251) // 'identifier' : class 'type' needs to have dll-interface to be used by clients of class 'type2' + +diff --git a/psw/ae/aesm_service/source/CMakeLists.txt b/psw/ae/aesm_service/source/CMakeLists.txt +index 5728e9b..0169263 100644 +--- a/psw/ae/aesm_service/source/CMakeLists.txt ++++ b/psw/ae/aesm_service/source/CMakeLists.txt +@@ -30,7 +30,7 @@ + # + + # [proj-begin] +-cmake_minimum_required(VERSION 3.0.0) ++cmake_minimum_required(VERSION 3.10.0) + project(ModularAESM VERSION 0.1.0) + + diff --git a/pkgs/os-specific/linux/sgx/psw/default.nix b/pkgs/os-specific/linux/sgx/psw/default.nix index 2b3e97604f973..534a9e98f13dd 100644 --- a/pkgs/os-specific/linux/sgx/psw/default.nix +++ b/pkgs/os-specific/linux/sgx/psw/default.nix 
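Review bot: Raising `cmake_minimum_required` from 3.0/3.2 to 3.10 in the vendored CppMicroServices tree and in `psw/ae/aesm_service/source/CMakeLists.txt` does more than silence the CMake 4 warning: every policy introduced up to 3.10 switches to NEW for those projects (quoting of `if()` arguments under CMP0054, for instance), which can change how options and link lines are evaluated in code that was written against the older defaults. That is probably harmless here, but the accompanying comment in `default.nix` only mentions the warning; note that the policy set changed and that the resulting `aesm_service` was exercised, e.g. `# NOTE: bumping the minimum also flips pre-3.10 policies to NEW; aesm_service was rebuilt and run against this.`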
@@ -20,15 +20,15 @@
 stdenv.mkDerivation rec {
   pname = "sgx-psw";
   # Version as given in se_version.h
-  version = "2.25.100.3";
+  version = "2.27.100.1";
   # Version as used in the Git tag
-  versionTag = "2.25";
+  versionTag = "2.27";
 
   src = fetchFromGitHub {
     owner = "intel";
     repo = "linux-sgx";
     rev = "sgx_${versionTag}";
-    hash = "sha256-RR+vFTd9ZM6XUn3KgQeUM+xoj1Ava4zQzFYA/nfXyaw=";
+    hash = "sha256-hNmh4IgNJDNqt2xF8zBnD/x+saMyMk5hZLA3aOqzqEA=";
     fetchSubmodules = true;
   };
 
@@ -52,11 +52,11 @@ stdenv.mkDerivation rec {
   # Fetch the Data Center Attestation Primitives (DCAP) platform enclaves
   # and pre-built sgxssl.
   dcap = rec {
-    version = "1.22";
+    version = "1.24";
     filename = "prebuilt_dcap_${version}.tar.gz";
     prebuilt = fetchurl {
       url = "https://download.01.org/intel-sgx/sgx-dcap/${version}/linux/$(unknown)";
-      hash = "sha256-RTpJQ6epoAN8YQXSJUjJQ5mPaQIiQpStTWFsnspjjDQ=";
+      hash = "sha256-sc/eYIPdhwAyDk2Zh1HU6yuFlobqVy/4++m5OnQE3Bc=";
     };
   };
 in
@@ -72,8 +72,8 @@ stdenv.mkDerivation rec {
     grep -q 'ae_file_name=${dcap.filename}' "$src/external/dcap_source/QuoteGeneration/download_prebuilt.sh" \
       || (echo "Could not find expected prebuilt DCAP ${dcap.filename} in linux-sgx source" >&2 && exit 1)
 
-    tar -xzvf ${dcap.prebuilt} -C $sourceRoot/external/dcap_source ./prebuilt/
-    tar -xzvf ${dcap.prebuilt} -C $sourceRoot/external/dcap_source/QuoteGeneration ./psw/
+    tar -xzvf ${dcap.prebuilt} -C $sourceRoot/external/dcap_source prebuilt/
+    tar -xzvf ${dcap.prebuilt} -C $sourceRoot/external/dcap_source/QuoteGeneration psw/
   '';
 
   patches = [
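Review bot: The guard before the `tar` calls only confirms that upstream's `download_prebuilt.sh` names `prebuilt_dcap_1.24.tar.gz`; nothing ties the `fetchurl` hash to the checksum upstream expects for that archive, so these Intel-signed platform enclaves are pinned purely by whoever last updated the nixpkgs `hash`. If the 2.27 `download_prebuilt.sh` carries a sha256 for the tarball (recent releases do, but confirm), extract it in the same `postUnpack` snippet and compare it with `sha256sum ${dcap.prebuilt}`, failing the build on mismatch, so a bump cannot silently substitute a different archive. The switch from `./prebuilt/` to `prebuilt/` member names presumably tracks a new archive layout; a one-line comment such as `# 1.24 archive members no longer carry a leading ./` would spare the next bumper a confusing "Not found in archive" failure. The `postUnpack` attribute these lines belong to starts outside this hunk.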
@@ -90,6 +90,13 @@ stdenv.mkDerivation rec { # binary. Without changes, the `aesm_service` will be different after every # build because the embedded zip file contents have different modified times. ./cppmicroservices-no-mtime.patch + + # CppMicroServices is failing to build with CMake 4 and GCC 15 + # PR: + # - CMake 4 dropped support for <3.5 and warns on <3.10, so bump the + # `cmake_minimum_required` to 3.10 + # - Various header files now need `#include ` to compile + ./cppmicroservices-compat.patch ]; postPatch = diff --git a/pkgs/os-specific/linux/sgx/psw/disable-downloads.patch b/pkgs/os-specific/linux/sgx/psw/disable-downloads.patch index fff31cb67ebee..cce1522b8af69 100644 --- a/pkgs/os-specific/linux/sgx/psw/disable-downloads.patch +++ b/pkgs/os-specific/linux/sgx/psw/disable-downloads.patch @@ -1,32 +1,27 @@ diff --git a/Makefile b/Makefile -index 19bc05a..6b1acd4 100644 +index 144f4e4..834c23e 100644 --- a/Makefile 
+++ b/Makefile -@@ -50,13 +50,13 @@ tips: +@@ -50,22 +50,17 @@ tips: preparation: # As SDK build needs to clone and patch openmp, we cannot support the mode that download the source from github as zip. # Only enable the download from git - git submodule update --init --recursive -+ # git submodule update --init --recursive cd external/dcap_source/external/jwt-cpp && git apply ../0001-Add-a-macro-to-disable-time-support-in-jwt-for-SGX.patch >/dev/null 2>&1 || \ git apply ../0001-Add-a-macro-to-disable-time-support-in-jwt-for-SGX.patch -R --check - ./external/dcap_source/QuoteVerification/prepare_sgxssl.sh nobuild -+ # ./external/dcap_source/QuoteVerification/prepare_sgxssl.sh nobuild cd external/openmp/openmp_code && git apply ../0001-Enable-OpenMP-in-SGX.patch >/dev/null 2>&1 || git apply ../0001-Enable-OpenMP-in-SGX.patch --check -R cd external/protobuf/protobuf_code && git apply ../sgx_protobuf.patch >/dev/null 2>&1 || git apply ../sgx_protobuf.patch --check -R + cd external/protobuf/protobuf_code && git apply ../0001-bumped-protobuf-to-1.33.0.patch >/dev/null 2>&1 || git apply ../0001-bumped-protobuf-to-1.33.0.patch --check -R - cd external/protobuf/protobuf_code && git submodule update --init --recursive && cd third_party/abseil-cpp && git apply ../../../sgx_abseil.patch>/dev/null 2>&1 || git apply ../../../sgx_abseil.patch --check -R -+ cd external/protobuf/protobuf_code && cd third_party/abseil-cpp && git apply ../../../sgx_abseil.patch>/dev/null 2>&1 || git apply ../../../sgx_abseil.patch --check -R ./external/sgx-emm/create_symlink.sh - cd external/mbedtls/mbedtls_code && git apply ../sgx_mbedtls.patch >/dev/null 2>&1 || git apply ../sgx_mbedtls.patch --check -R cd external/cbor && cp -r libcbor sgx_libcbor -@@ -64,8 +64,8 @@ preparation: + cd external/cbor/libcbor && git apply ../raw_cbor.patch >/dev/null 2>&1 || git apply ../raw_cbor.patch --check -R cd external/cbor/sgx_libcbor && git apply ../sgx_cbor.patch >/dev/null 2>&1 || git apply ../sgx_cbor.patch 
--check -R cd external/ippcp_internal/ipp-crypto && git apply ../0001-IPP-crypto-for-SGX.patch > /dev/null 2>&1 || git apply ../0001-IPP-crypto-for-SGX.patch --check -R cd external/ippcp_internal/ipp-crypto && mkdir -p build - ./download_prebuilt.sh - ./external/dcap_source/QuoteGeneration/download_prebuilt.sh -+ # ./download_prebuilt.sh -+ # ./external/dcap_source/QuoteGeneration/download_prebuilt.sh psw: $(MAKE) -C psw/ USE_OPT_LIBS=$(USE_OPT_LIBS) diff --git a/pkgs/os-specific/linux/sgx/samples/default.nix b/pkgs/os-specific/linux/sgx/samples/default.nix deleted file mode 100644 index 7b31a96240cd6..0000000000000 --- a/pkgs/os-specific/linux/sgx/samples/default.nix +++ /dev/null 
@@ -1,146 +0,0 @@ -{ - stdenv, - lib, - makeWrapper, - openssl, - sgx-sdk, - sgx-psw, - which, - # "SIM" or "HW" - sgxMode, -}: -let - isSimulation = sgxMode == "SIM"; - buildSample = - name: - stdenv.mkDerivation { - pname = name; - version = sgxMode; - - src = sgx-sdk.out; - sourceRoot = "${sgx-sdk.name}/share/SampleCode/${name}"; - - nativeBuildInputs = [ - makeWrapper - openssl - which - ]; - - buildInputs = [ - sgx-sdk - ]; - - # The samples don't have proper support for parallel building - # causing them to fail randomly. - enableParallelBuilding = false; - - buildFlags = [ - "SGX_MODE=${sgxMode}" - ]; - - installPhase = '' - runHook preInstall - - mkdir -p $out/{bin,lib} - install -m 755 app $out/bin - install *.so $out/lib - - wrapProgram "$out/bin/app" \ - --chdir "$out/lib" \ - ${lib.optionalString (!isSimulation) - ''--prefix LD_LIBRARY_PATH : "${lib.makeLibraryPath [ sgx-psw ]}"'' - } - - runHook postInstall - ''; - - # Breaks the signature of the enclaves - dontFixup = true; - - # We don't have access to real SGX hardware during the build - doInstallCheck = isSimulation; - installCheckPhase = '' - runHook preInstallCheck - - pushd / - echo a | $out/bin/app - popd - - runHook preInstallCheck - ''; - }; -in -{ - cxx11SGXDemo = buildSample "Cxx11SGXDemo"; - cxx14SGXDemo = buildSample "Cxx14SGXDemo"; - cxx17SGXDemo = buildSample "Cxx17SGXDemo"; - localAttestation = (buildSample "LocalAttestation").overrideAttrs (old: { - installPhase = '' - runHook preInstall - - mkdir -p $out/{bin,lib} - install -m 755 bin/app* $out/bin - install bin/*.so $out/lib - - for bin in $out/bin/*; do - wrapProgram $bin \ - --chdir "$out/lib" \ - ${lib.optionalString (!isSimulation) - ''--prefix LD_LIBRARY_PATH : "${lib.makeLibraryPath [ sgx-psw ]}"'' - } - done - - runHook postInstall - ''; - }); - powerTransition = buildSample "PowerTransition"; - protobufSGXDemo = buildSample "ProtobufSGXDemo"; - remoteAttestation = (buildSample "RemoteAttestation").overrideAttrs (old: { - # 
Makefile sets rpath to point to $TMPDIR - preFixup = '' - patchelf --remove-rpath $out/bin/app - ''; - - postInstall = '' - install sample_libcrypto/*.so $out/lib - ''; - }); - sampleEnclave = buildSample "SampleEnclave"; - sampleEnclaveGMIPP = buildSample "SampleEnclaveGMIPP"; - sampleMbedCrypto = buildSample "SampleMbedCrypto"; - sealUnseal = (buildSample "SealUnseal").overrideAttrs (old: { - prePatch = '' - substituteInPlace App/App.cpp \ - --replace '"sealed_data_blob.txt"' '"/tmp/sealed_data_blob.txt"' - ''; - }); - switchless = buildSample "Switchless"; - # # Requires SGX-patched openssl (sgxssl) build - # sampleAttestedTLS = buildSample "SampleAttestedTLS"; -} -// lib.optionalAttrs (!isSimulation) { - # # Requires kernel >= v6.2 && HW SGX - # sampleAEXNotify = buildSample "SampleAEXNotify"; - - # Requires HW SGX - sampleCommonLoader = (buildSample "SampleCommonLoader").overrideAttrs (old: { - nativeBuildInputs = [ sgx-psw ] ++ old.nativeBuildInputs; - - installPhase = '' - runHook preInstall - - mkdir -p $out/{bin,lib} - mv sample app - install -m 755 app $out/bin - - wrapProgram "$out/bin/app" \ - --chdir "$out/lib" \ - --prefix LD_LIBRARY_PATH : "${lib.makeLibraryPath [ sgx-psw ]}" - - runHook postInstall - ''; - }); - - # # SEGFAULTs in simulation mode? - # sampleEnclavePCL = buildSample "SampleEnclavePCL"; -} diff --git a/pkgs/os-specific/linux/sgx/sdk/cppmicroservices-no-mtime.patch b/pkgs/os-specific/linux/sgx/sdk/cppmicroservices-no-mtime.patch deleted file mode 100644 index 019f58927152a..0000000000000 --- a/pkgs/os-specific/linux/sgx/sdk/cppmicroservices-no-mtime.patch +++ /dev/null 
@@ -1,26 +0,0 @@ -diff --git a/external/CppMicroServices/framework/src/bundle/BundleResourceContainer.cpp b/external/CppMicroServices/framework/src/bundle/BundleResourceContainer.cpp -index aee499e9..13fa89d4 100644 ---- a/external/CppMicroServices/framework/src/bundle/BundleResourceContainer.cpp -+++ b/external/CppMicroServices/framework/src/bundle/BundleResourceContainer.cpp -@@ -105,7 +105,7 @@ bool BundleResourceContainer::GetStat(int index, - const_cast(&m_ZipArchive), index) - ? true - : false; -- stat.modifiedTime = zipStat.m_time; -+ stat.modifiedTime = 0; - stat.crc32 = zipStat.m_crc32; - // This will limit the size info from uint64 to uint32 on 32-bit - // architectures. We don't care because we assume resources > 2GB -diff --git a/external/CppMicroServices/third_party/miniz.c b/external/CppMicroServices/third_party/miniz.c -index 6b0ebd7a..fa2aebca 100644 ---- a/external/CppMicroServices/third_party/miniz.c -+++ b/external/CppMicroServices/third_party/miniz.c -@@ -170,7 +170,7 @@ - // If MINIZ_NO_TIME is specified then the ZIP archive functions will not be able to get the current time, or - // get/set file times, and the C run-time funcs that get/set times won't be called. - // The current downside is the times written to your archives will be from 1979. --//#define MINIZ_NO_TIME -+#define MINIZ_NO_TIME - - // Define MINIZ_NO_ARCHIVE_APIS to disable all ZIP archive API's. - //#define MINIZ_NO_ARCHIVE_APIS diff --git a/pkgs/os-specific/linux/sgx/sdk/default.nix b/pkgs/os-specific/linux/sgx/sdk/default.nix deleted file mode 100644 index b9cf66d2e283a..0000000000000 --- a/pkgs/os-specific/linux/sgx/sdk/default.nix +++ /dev/null 
@@ -1,304 +0,0 @@ -{ - lib, - stdenv, - fetchFromGitHub, - autoconf, - automake, - binutils, - callPackage, - cmake, - file, - gdb, - git, - libtool, - linkFarmFromDrvs, - ocamlPackages, - openssl, - perl, - python3, - texinfo, - validatePkgConfig, - writeShellApplication, - writeShellScript, - writeText, - debug ? false, -}: -stdenv.mkDerivation (finalAttrs: { - pname = "sgx-sdk"; - # Version as given in se_version.h - version = "2.24.100.3"; - # Version as used in the Git tag - versionTag = "2.24"; - - src = fetchFromGitHub { - owner = "intel"; - repo = "linux-sgx"; - rev = "sgx_${finalAttrs.versionTag}"; - hash = "sha256-1urEdfMKNUqqyJ3wQ10+tvtlRuAKELpaCWIOzjCbYKw="; - fetchSubmodules = true; - }; - - postUnpack = '' - # Make sure this is the right version of linux-sgx - grep -q '"${finalAttrs.version}"' "$src/common/inc/internal/se_version.h" \ - || (echo "Could not find expected version ${finalAttrs.version} in linux-sgx source" >&2 && exit 1) - ''; - - patches = [ - # There's a `make preparation` step that downloads some prebuilt binaries - # and applies some patches to the in-repo git submodules. This patch removes - # the parts that download things, since we can't do that inside the sandbox. - ./disable-downloads.patch - - # This patch disable mtime in bundled zip file for reproducible builds. - # - # Context: The `aesm_service` binary depends on a vendored library called - # `CppMicroServices`. At build time, this lib creates and then bundles - # service resources into a zip file and then embeds this zip into the - # binary. Without changes, the `aesm_service` will be different after every - # build because the embedded zip file contents have different modified times. 
- ./cppmicroservices-no-mtime.patch - ]; - - postPatch = '' - patchShebangs linux/installer/bin/build-installpkg.sh \ - linux/installer/common/sdk/createTarball.sh \ - linux/installer/common/sdk/install.sh \ - external/sgx-emm/create_symlink.sh - - make preparation - ''; - - # We need `cmake` as a build input but don't use it to kick off the build phase - dontUseCmakeConfigure = true; - - # SDK built with stackprotector produces broken enclaves which crash at runtime. - # Disable all to be safe, SDK build configures compiler mitigations manually. - hardeningDisable = [ "all" ]; - - nativeBuildInputs = [ - autoconf - automake - cmake - file - git - ocamlPackages.ocaml - ocamlPackages.ocamlbuild - perl - python3 - texinfo - validatePkgConfig - ]; - - buildInputs = [ - libtool - openssl - ]; - - env.BINUTILS_DIR = "${binutils}/bin"; - - # Build external/ippcp_internal first. The Makefile is rewritten to make the - # build faster by splitting different versions of ipp-crypto builds and to - # avoid patching the Makefile for reproducibility issues. 
- preBuild = - let - ipp-crypto-no_mitigation = callPackage ./ipp-crypto.nix { }; - - sgx-asm-pp = "python ${finalAttrs.src}/build-scripts/sgx-asm-pp.py --assembler=nasm"; - - nasm-load = writeShellScript "nasm-load" "${sgx-asm-pp} --MITIGATION-CVE-2020-0551=LOAD $@"; - ipp-crypto-cve_2020_0551_load = callPackage ./ipp-crypto.nix { - extraCmakeFlags = [ "-DCMAKE_ASM_NASM_COMPILER=${nasm-load}" ]; - }; - - nasm-cf = writeShellScript "nasm-cf" "${sgx-asm-pp} --MITIGATION-CVE-2020-0551=CF $@"; - ipp-crypto-cve_2020_0551_cf = callPackage ./ipp-crypto.nix { - extraCmakeFlags = [ "-DCMAKE_ASM_NASM_COMPILER=${nasm-cf}" ]; - }; - in - '' - echo "Setting up IPP crypto build artifacts" - - pushd 'external/ippcp_internal' - - install -D -m a+rw ${ipp-crypto-no_mitigation}/lib/intel64/libippcp.a \ - lib/linux/intel64/no_mitigation/libippcp.a - install -D -m a+rw ${ipp-crypto-cve_2020_0551_load}/lib/intel64/libippcp.a \ - lib/linux/intel64/cve_2020_0551_load/libippcp.a - install -D -m a+rw ${ipp-crypto-cve_2020_0551_cf}/lib/intel64/libippcp.a \ - lib/linux/intel64/cve_2020_0551_cf/libippcp.a - - cp -r ${ipp-crypto-no_mitigation}/include/* inc/ - - mkdir inc/ippcp - cp ${ipp-crypto-no_mitigation}/include/fips_cert.h inc/ippcp/ - - rm inc/ippcp.h - patch ${ipp-crypto-no_mitigation}/include/ippcp.h -i ./inc/ippcp21u11.patch -o ./inc/ippcp.h - - install -D ${ipp-crypto-no_mitigation.src}/LICENSE license/LICENSE - - popd - ''; - - buildFlags = [ - "sdk_install_pkg" - ] - ++ lib.optionals debug [ - "DEBUG=1" - ]; - - postBuild = '' - patchShebangs linux/installer/bin/sgx_linux_x64_sdk_${finalAttrs.version}.bin - ''; - - installPhase = '' - runHook preInstall - - installDir=$TMPDIR - ./linux/installer/bin/sgx_linux_x64_sdk_${finalAttrs.version}.bin -prefix $installDir - installDir=$installDir/sgxsdk - - echo "Move files created by installer" - - mkdir -p $out/bin - pushd $out - - mv $installDir/bin/sgx-gdb $out/bin - mkdir $out/bin/x64 - for file in $installDir/bin/x64/*; do - mv 
$file bin/ - ln -sr bin/$(basename $file) bin/x64/ - done - rmdir $installDir/bin/{x64,} - - # Move `lib64` to `lib` and symlink `lib64` - mv $installDir/lib64 lib - ln -s lib/ lib64 - - # Fixup the symlinks for libsgx_urts.so.* -> libsgx_urts.so - for file in lib/libsgx_urts.so.*; do - ln -srf lib/libsgx_urts.so $file - done - - mv $installDir/include/ . - - mkdir -p share/ - mv $installDir/{SampleCode,licenses} share/ - - mkdir -p share/bin - mv $installDir/{environment,buildenv.mk} share/bin/ - ln -s share/bin/{environment,buildenv.mk} . - - # pkgconfig should go to lib/ - mv $installDir/pkgconfig lib/ - ln -s lib/pkgconfig/ . - - # Also create the `sdk_libs` for compat. All the files - # link to libraries in `lib64/`, we shouldn't link the entire - # directory, however, as there seems to be some ambiguity between - # SDK and PSW libraries. - mkdir sdk_libs/ - for file in $installDir/sdk_libs/*; do - ln -sr lib/$(basename $file) sdk_libs/ - rm $file - done - rmdir $installDir/sdk_libs - - # No uninstall script required - rm $installDir/uninstall.sh - - # Create an `sgxsdk` symlink which points to `$out` for compat - ln -sr . 
sgxsdk - - # Make sure we didn't forget any files - rmdir $installDir || (echo "Error: The directory $installDir still contains unhandled files: $(ls -A $installDir)" >&2 && exit 1) - - popd - - runHook postInstall - ''; - - preFixup = '' - echo "Strip sgxsdk prefix" - for path in "$out/share/bin/environment" "$out/bin/sgx-gdb"; do - substituteInPlace $path --replace "$TMPDIR/sgxsdk" "$out" - done - - echo "Fixing pkg-config files" - sed -i "s|prefix=.*|prefix=$out|g" $out/lib/pkgconfig/*.pc - - echo "Fixing SGX_SDK default in samples" - substituteInPlace $out/share/SampleCode/LocalAttestation/buildenv.mk \ - --replace '/opt/intel/sgxsdk' "$out" - for file in $out/share/SampleCode/*/Makefile; do - substituteInPlace $file \ - --replace '/opt/intel/sgxsdk' "$out" - done - - echo "Fixing BINUTILS_DIR in buildenv.mk" - substituteInPlace $out/share/bin/buildenv.mk \ - --replace 'BINUTILS_DIR ?= /usr/local/bin' \ - 'BINUTILS_DIR ?= ${finalAttrs.env.BINUTILS_DIR}' - - echo "Fixing GDB path in bin/sgx-gdb" - substituteInPlace $out/bin/sgx-gdb --replace '/usr/local/bin/gdb' '${gdb}/bin/gdb' - ''; - - doInstallCheck = true; - - installCheckPhase = '' - runHook preInstallCheck - - # Make sure all symlinks are valid - output=$(find "$out" -type l -exec test ! -e {} \; -print) - if [[ -n "$output" ]]; then - echo "Broken symlinks:" - echo "$output" - exit 1 - fi - - runHook postInstallCheck - ''; - - setupHook = writeText "setup-hook.sh" '' - sgxsdk() { - export SGX_SDK=@out@ - } - - postHooks+=(sgxsdk) - ''; - - passthru.tests = callPackage ../samples { sgxMode = "SIM"; }; - - # Run tests in SGX hardware mode on an SGX-enabled machine - # $(nix-build -A sgx-sdk.runTestsHW)/bin/run-tests-hw - passthru.runTestsHW = - let - testsHW = lib.filterAttrs (_: v: v ? 
"name") (callPackage ../samples { sgxMode = "HW"; }); - testsHWLinked = linkFarmFromDrvs "sgx-samples-hw-bundle" (lib.attrValues testsHW); - in - writeShellApplication { - name = "run-tests-hw"; - text = '' - for test in ${testsHWLinked}/*; do - printf '*** Running test %s ***\n\n' "$(basename "$test")" - printf 'a\n' | "$test/bin/app" - printf '\n' - done - ''; - }; - - meta = { - description = "Intel SGX SDK for Linux built with IPP Crypto Library"; - homepage = "https://github.com/intel/linux-sgx"; - maintainers = with lib.maintainers; [ - phlip9 - sbellem - arturcygan - veehaitch - ]; - platforms = [ "x86_64-linux" ]; - license = [ lib.licenses.bsd3 ]; - }; -}) diff --git a/pkgs/os-specific/linux/sgx/sdk/disable-downloads.patch b/pkgs/os-specific/linux/sgx/sdk/disable-downloads.patch deleted file mode 100644 index c045606df144c..0000000000000 --- a/pkgs/os-specific/linux/sgx/sdk/disable-downloads.patch +++ /dev/null 
@@ -1,28 +0,0 @@
-diff --git a/Makefile b/Makefile
-index 73502a7..f24bd11 100644
---- a/Makefile
-+++ b/Makefile
-@@ -50,18 +50,18 @@ tips:
- preparation:
- # As SDK build needs to clone and patch openmp, we cannot support the mode that download the source from github as zip.
- # Only enable the download from git
-- git submodule update --init --recursive
-- ./external/dcap_source/QuoteVerification/prepare_sgxssl.sh nobuild
-+ # git submodule update --init --recursive
-+ # ./external/dcap_source/QuoteVerification/prepare_sgxssl.sh nobuild
- cd external/openmp/openmp_code && git apply ../0001-Enable-OpenMP-in-SGX.patch >/dev/null 2>&1 || git apply ../0001-Enable-OpenMP-in-SGX.patch --check -R
- cd external/protobuf/protobuf_code && git apply ../sgx_protobuf.patch >/dev/null 2>&1 || git apply ../sgx_protobuf.patch --check -R
-- cd external/protobuf/protobuf_code && git submodule update --init --recursive && cd third_party/abseil-cpp && git apply ../../../sgx_abseil.patch>/dev/null 2>&1 || git apply ../../../sgx_abseil.patch --check -R
-+ cd external/protobuf/protobuf_code && cd third_party/abseil-cpp && git apply ../../../sgx_abseil.patch>/dev/null 2>&1 || git apply ../../../sgx_abseil.patch --check -R
- ./external/sgx-emm/create_symlink.sh
- cd external/mbedtls/mbedtls_code && git apply ../sgx_mbedtls.patch >/dev/null 2>&1 || git apply ../sgx_mbedtls.patch --check -R
- cd external/cbor && cp -r libcbor sgx_libcbor
- cd external/cbor/libcbor && git apply ../raw_cbor.patch >/dev/null 2>&1 || git apply ../raw_cbor.patch --check -R
- cd external/cbor/sgx_libcbor && git apply ../sgx_cbor.patch >/dev/null 2>&1 || git apply ../sgx_cbor.patch --check -R
-- ./download_prebuilt.sh
-- ./external/dcap_source/QuoteGeneration/download_prebuilt.sh
-+ # ./download_prebuilt.sh
-+ # ./external/dcap_source/QuoteGeneration/download_prebuilt.sh
-
- psw:
- $(MAKE) -C psw/ USE_OPT_LIBS=$(USE_OPT_LIBS)
diff --git a/pkgs/os-specific/linux/sgx/sdk/ipp-crypto.nix b/pkgs/os-specific/linux/sgx/sdk/ipp-crypto.nix
deleted file mode 100644
index 49ae08fb0df28..0000000000000
--- a/pkgs/os-specific/linux/sgx/sdk/ipp-crypto.nix
+++ /dev/null
@@ -1,40 +0,0 @@
-{
- stdenv,
- fetchFromGitHub,
- cmake,
- nasm,
- openssl,
- python3,
- extraCmakeFlags ? [ ],
-}:
-stdenv.mkDerivation rec {
- pname = "ipp-crypto";
- version = "2021.11.1";
-
- src = fetchFromGitHub {
- owner = "intel";
- repo = "ipp-crypto";
- rev = "ippcp_${version}";
- hash = "sha256-OgNrrPE8jFVD/hcv7A43Bno96r4Z/lb7/SE6TEL7RDI=";
- };
-
- cmakeFlags = [
- "-DARCH=intel64"
- # sgx-sdk now requires FIPS-compliance mode turned on
- "-DIPPCP_FIPS_MODE=on"
- ]
- ++ extraCmakeFlags;
-
- # Yes, it seems bad for a cryptography library to trigger this
- # warning. We previously pinned an EOL GCC which avoided it, but this
- # issue is present regardless of whether we use a compiler that flags
- # it up or not; upstream just doesn’t test with modern compilers.
- env.NIX_CFLAGS_COMPILE = "-Wno-error=stringop-overflow";
-
- nativeBuildInputs = [
- cmake
- nasm
- openssl
- python3
- ];
-}
diff --git a/pkgs/top-level/aliases.nix b/pkgs/top-level/aliases.nix
index 4b735b0af5922..8d1949f544819 100644
--- a/pkgs/top-level/aliases.nix
+++ b/pkgs/top-level/aliases.nix
@@ -1745,6 +1745,8 @@ mapAliases {
 serverless = throw "'serverless' has been removed because version 3.x is unmaintained upstream and vulnerable, and version 4.x lacks a suitable binary or source download."; # Added 2025-11-22
 session-desktop-appimage = throw "'session-desktop-appimage' has been renamed to/replaced by 'session-desktop'"; # Converted to throw 2025-10-27
 sexp = throw "'sexp' has been renamed to/replaced by 'sexpp'"; # Converted to throw 2025-10-27
+ sgx-sdk = throw "'sgx-sdk' has been removed as it was unmaintained and broken"; # Added 2026-02-20
+ sgx-ssl = throw "'sgx-ssl' has been removed as it was unmaintained and broken"; # Added 2026-02-20
 shadered = throw "shadered has been removed because it has been marked as broken since at least November 2024."; # Added 2025-10-01
 shades-of-gray-theme = throw "'shades-of-gray-theme' has been removed because upstream is a 404"; # Added 2025-12-20
 shared_desktop_ontologies = throw "'shared_desktop_ontologies' has been removed as it had been abandoned upstream"; # Added 2025-11-09
diff --git a/pkgs/top-level/all-packages.nix b/pkgs/top-level/all-packages.nix
index 1741a298f2307..ebd80a1bd4686 100644
--- a/pkgs/top-level/all-packages.nix
+++ b/pkgs/top-level/all-packages.nix
@@ -8924,13 +8924,7 @@ with pkgs;
 rfkill_udev = callPackage ../os-specific/linux/rfkill/udev.nix { };
- sgx-sdk = callPackage ../os-specific/linux/sgx/sdk {
- ocamlPackages = ocaml-ng.ocamlPackages_5_3;
- };
-
- sgx-psw = callPackage ../os-specific/linux/sgx/psw {
- protobuf = protobuf_21;
- };
+ sgx-psw = callPackage ../os-specific/linux/sgx/psw { };
 sinit = callPackage ../os-specific/linux/sinit {
 rcinit = "/etc/rc.d/rc.init";