sgx-psw+aesmd: 2.25 -> 2.27

nixos/modules/services/security/aesmd.nix

@@ -11,7 +11,6 @@ let
     literalExpression
     makeLibraryPath
     mkEnableOption
-    mkForce
     mkIf
     mkOption
     mkPackageOption
@@ -129,11 +128,6 @@ in
 
     hardware.cpu.intel.sgx.provision.enable = true;
 
-    # Make sure the AESM service can find the SGX devices until
-    # https://github.com/intel/linux-sgx/issues/772 is resolved
-    # and updated in nixpkgs.
-    hardware.cpu.intel.sgx.enableDcapCompat = mkForce true;
-
     systemd.services.aesmd =
       let
         storeAesmFolder = "${sgx-psw}/aesm";
@@ -156,25 +150,16 @@ in
         }
         // cfg.environment;
 
-        # Make sure any of the SGX application enclave devices is available
-        unitConfig.AssertPathExists = [
-          # legacy out-of-tree driver
-          "|/dev/isgx"
-          # DCAP driver
-          "|/dev/sgx/enclave"
-          # in-tree driver
-          "|/dev/sgx_enclave"
-        ];
+        # Ensure the SGX application enclave device is available
+        unitConfig.AssertPathExists = [ "/dev/sgx_enclave" ];
 
         serviceConfig = {
-          ExecStartPre = pkgs.writeShellScript "copy-aesmd-data-files.sh" ''
-            set -euo pipefail
-            whiteListFile="${aesmDataFolder}/white_list_cert_to_be_verify.bin"
-            if [[ ! -f "$whiteListFile" ]]; then
-              ${pkgs.coreutils}/bin/install -m 644 -D \
+          # Run with elevated privileges to create /var/opt/aesmd/... before
+          # dropping to DynamicUser.
+          ExecStartPre = ''
+            +${lib.getExe' pkgs.coreutils "install"} -m 644 -D \
                 "${storeAesmFolder}/data/white_list_cert_to_be_verify.bin" \
-                "$whiteListFile"
-            fi
+                "${aesmDataFolder}/white_list_cert_to_be_verify.bin"
           '';
           ExecStart = "${sgx-psw}/bin/aesm_service --no-daemon";
           ExecReload = ''${pkgs.coreutils}/bin/kill -SIGHUP "$MAINPID"'';
@@ -196,9 +181,8 @@ in
           RuntimeDirectory = "aesmd";
           RuntimeDirectoryMode = "0750";
 
-          # Hardening
+          # --- Hardening ---
 
-          # chroot into the runtime directory
           RootDirectory = "%t/aesmd";
           BindReadOnlyPaths = [
             builtins.storeDir
@@ -215,10 +199,6 @@ in
           PrivateDevices = false;
           DevicePolicy = "closed";
           DeviceAllow = [
-            # legacy out-of-tree driver
-            "/dev/isgx rw"
-            # DCAP driver
-            "/dev/sgx rw"
             # in-tree driver
             "/dev/sgx_enclave rw"
             "/dev/sgx_provision rw"
@@ -230,7 +210,7 @@ in
           RestrictAddressFamilies = [
             # Allocates the socket /var/run/aesmd/aesm.socket
             "AF_UNIX"
-            # Uses the HTTP protocol to initialize some services
+            # Makes HTTPS requests to the Intel PCCS service (or a cache).
             "AF_INET"
             "AF_INET6"
           ];

pkgs/by-name/sg/sgx-azure-dcap-client/missing-includes.patch

@@ -0,0 +1,24 @@
+diff --git a/src/Linux/curl_easy.h b/src/Linux/curl_easy.h
+index 047f3e2..c9c5e83 100644
+--- a/src/Linux/curl_easy.h
++++ b/src/Linux/curl_easy.h
+@@ -6,6 +6,7 @@
+ #define CURL_EASY_H
+
+ #define _CRT_SECURE_NO_WARNINGS // Use strncpy for portability.
++#include <cstdint>
+ #include <cassert>
+ #include <cstddef>
+ #include <exception>
+diff --git a/src/local_cache.h b/src/local_cache.h
+index da86967..d9b0d3f 100644
+--- a/src/local_cache.h
++++ b/src/local_cache.h
+@@ -5,6 +5,7 @@
+ #ifndef LOCAL_CACHE_H
+ #define LOCAL_CACHE_H
+
++#include <cstdint>
+ #include <string>
+ #include <vector>
+ #include <memory>

pkgs/by-name/sg/sgx-azure-dcap-client/package.nix

@@ -1,7 +1,6 @@
 {
   stdenv,
   fetchFromGitHub,
-  fetchpatch,
   lib,
   curl,
   nlohmann_json,
@@ -36,23 +35,18 @@ let
 in
 stdenv.mkDerivation (finalAttrs: {
   pname = "azure-dcap-client";
-  version = "1.12.3";
+  version = "1.13.0-pre0";
 
   src = fetchFromGitHub {
     owner = "microsoft";
     repo = "azure-dcap-client";
-    rev = finalAttrs.version;
-    hash = "sha256-zTDaICsSPXctgFRCZBiZwXV9dLk2pFL9kp5a8FkiTZA=";
+    rev = "839ac4a2acc11b90cb91a483fcfc0cf7ae6a75c7";
+    hash = "sha256-dVO5cSOcpkOuxql06exS4aLJgvtRg+Oi6k8HBIjwPlg=";
   };
 
   patches = [
-    # Fix gcc-13 build:
-    #   https://github.com/microsoft/Azure-DCAP-Client/pull/197
-    (fetchpatch {
-      name = "gcc-13.patch";
-      url = "https://github.com/microsoft/Azure-DCAP-Client/commit/fbcae7b3c8f1155998248cf5b5f4c1df979483f5.patch";
-      hash = "sha256-ezEuQql3stn58N1ZPKMlhPpUOBkDpCcENpGwFAmWtHc=";
-    })
+    # missing `#include <cstdint>`
+    ./missing-includes.patch
   ];
 
   nativeBuildInputs = [

pkgs/by-name/sg/sgx-azure-dcap-client/test-suite.nix

@@ -11,7 +11,11 @@ sgx-azure-dcap-client.overrideAttrs (old: {
   ];
 
   patches = (old.patches or [ ]) ++ [
+    # Missing `#include <array>`
     ./tests-missing-includes.patch
+
+    # gtest no longer supports c++14. Use c++17.
+    ./tests-cpp-version.patch
   ];
 
   buildFlags = [

pkgs/by-name/sg/sgx-azure-dcap-client/tests-cpp-version.patch

@@ -0,0 +1,39 @@
+diff --git a/src/Linux/CMakeLists.txt b/src/Linux/CMakeLists.txt
+index 8567253..0137a7a 100644
+--- a/src/Linux/CMakeLists.txt
++++ b/src/Linux/CMakeLists.txt
+@@ -13,8 +13,8 @@ endif(__SERVICE_VM__)
+
+ find_package(OpenSSL REQUIRED)
+
+-set(CMAKE_CXX_STANDARD 14)
+-set(CMAKE_CXX_FLAGS "${CMAKE_CXX_FLAGS} -std=c++14")
++set(CMAKE_CXX_STANDARD 17)
++set(CMAKE_CXX_FLAGS "${CMAKE_CXX_FLAGS} -std=c++17")
+
+ # Link runTests with what we want to test and the GTest and pthread library
+ add_executable(dcap_provider_utests ../UnitTest/test_local_cache.cpp ../UnitTest/test_quote_prov.cpp ../UnitTest/main.cpp ../Linux/local_cache.cpp)
+diff --git a/src/Linux/Makefile.in b/src/Linux/Makefile.in
+index 58a1c77..1ce6431 100644
+--- a/src/Linux/Makefile.in
++++ b/src/Linux/Makefile.in
+@@ -8,15 +8,15 @@ DEBUG ?= 0
+ SERVICE_VM ?= 0
+ ifeq ($(DEBUG), 1)
+ ifeq ($(SERVICE_VM), 1)
+-	CFLAGS = -fPIC -std=c++14 -g -Wall -I /usr/local/include/gtest/ -Werror $(INCLUDES) -D__LINUX__ -D__SERVICE_VM__ -Wno-unknown-pragmas -pthread
++	CFLAGS = -fPIC -std=c++17 -g -Wall -I /usr/local/include/gtest/ -Werror $(INCLUDES) -D__LINUX__ -D__SERVICE_VM__ -Wno-unknown-pragmas -pthread
+ else
+-	CFLAGS = -fPIC -std=c++14 -g -Wall -I /usr/local/include/gtest/ -Werror $(INCLUDES) -D__LINUX__ -Wno-unknown-pragmas -pthread
++	CFLAGS = -fPIC -std=c++17 -g -Wall -I /usr/local/include/gtest/ -Werror $(INCLUDES) -D__LINUX__ -Wno-unknown-pragmas -pthread
+ endif
+ else
+ ifeq ($(SERVICE_VM), 1)
+-	CFLAGS = -fPIC -std=c++14 -Wall -I /usr/local/include/gtest/ -Werror $(INCLUDES) -D__LINUX__ -D__SERVICE_VM__ -Wno-unknown-pragmas -pthread
++	CFLAGS = -fPIC -std=c++17 -Wall -I /usr/local/include/gtest/ -Werror $(INCLUDES) -D__LINUX__ -D__SERVICE_VM__ -Wno-unknown-pragmas -pthread
+ else
+-	CFLAGS = -fPIC -std=c++14 -Wall -I /usr/local/include/gtest/ -Werror $(INCLUDES) -D__LINUX__ -Wno-unknown-pragmas -pthread
++	CFLAGS = -fPIC -std=c++17 -Wall -I /usr/local/include/gtest/ -Werror $(INCLUDES) -D__LINUX__ -Wno-unknown-pragmas -pthread
+ endif
+ endif
+