sgx-sdk: init at 2.14 by sbellem · Pull Request #126990 · NixOS/nixpkgs · GitHub

source link: https://github.com/NixOS/nixpkgs/pull/126990

sbellem commented on Jun 15, 2021


Motivation for this change

Add a derivation for Intel's SGX SDK, which is a fundamental building block for enclave applications aimed at Intel SGX-enabled computers. Trusted hardware such as Intel SGX allows users to have confidence (under certain assumptions) that a remote computer is running the software they expect. In order to gain trust that the remote computer is indeed running the expected software, reproducible builds are required. A verifying party uses the trusted software code to reproduce an enclave build to check it against the build that is running on the remote computer, through a process known as remote attestation. This is where nix comes into the picture, as nix allows us to build software in a reproducible way, hence the motivation for this pull request.

Background

The SGX SDK depends on a cryptographic library, named ipp-crypto which takes around 1h30 to build. The current build toolchain provided by Intel uses prebuilt binaries, although it's possible to build it from source. The SGX SDK could be built in roughly 3 ways:

  1. Use the pre-built binary to build the SGX SDK from source (less desirable from an Open Source standpoint).
  2. Build everything from source, all in one nix derivation, since the IPP Crypto lib is a git submodule, and the Linux SGX SDK repo contains a specific Makefile and patch to build the IPP Crypto for SGX.
  3. Build everything from source, but in separate nix derivations, such that the IPP Crypto library has its own dedicated nix derivation and is a dependency to the SGX SDK.

The current draft PR contains a nix derivation to build the IPP Crypto library for SGX as a standalone package, as a demonstration and for test purposes. There's a nix derivation for the SGX SDK that follows point 2 above, meaning that both the IPP Crypto dependency and the SGX SDK are built with the same nix derivation. It should be noted that when it is built for the purpose of SGX, the IPP Crypto library appears to have a slightly different build configuration. This needs to be clarified with Intel's Linux SGX team, but it is nevertheless quite clear from the Makefile, patch and python script used, which appear to be specific to SGX. (See https://github.com/intel/linux-sgx/tree/master/external/ippcp_internal for the details of how IPP Crypto is built from the linux-sgx repository, and https://github.com/initc3/sgx-ipp-crypto for an isolation of what appears to be strictly necessary to build IPP Crypto.) Currently, it seems that most users do not build the IPP Crypto library from source but instead use the pre-built binaries, although some users have expressed disappointment with this as they would like to have a way to build the SGX SDK from components that are all open source. Whether the SGX SDK is built following the approaches in point 2 or 3, the current toolchain of the linux-sgx repository will need some minor changes to remove the current hard requirement of downloading pre-built binaries. This PR, for demonstration and test purposes, is using a fork of the current linux-sgx repository, in which these minor changes have been implemented. This will need to go through Intel's team for approval before Intel's repository can be used.

To sum up, things to clarify:

  • How to build the IPP Crypto dependency: in a standalone derivation or within the SGX SDK derivation?
  • Work with Intel to adapt the current build toolchain such that building the SGX SDK "fully" from source is possible.

If the IPP Crypto is built separately:

  • the dependencies (buildInputs) listed in the current derivation (ippcrypto/default.nix) need to be reviewed as many are perhaps superfluous.

Preliminary Build Tests

Some preliminary tests to build both derivations included in this draft PR have been done on GitHub CI using a very recent nixpkgs/nix docker image (nixpkgs/nix@sha256:c7ab99ed60cc587ac784742e2814303331283cca121507a1d4c0dd21ed1bdf83) as a base. The results of these builds can be viewed at https://github.com/sbellem/nixpkgs/actions/workflows/sgxsdk.yml. The derivations were built for the master and release-21.05 branches, and for tag 21.11-pre.

A binary cache on cachix has been added to store the successfully built packages (only for master currently). The cache is at https://app.cachix.org/api/v1/cache/gluonixpkgs/contents.

Things done

  • Tested using sandboxing (nix.useSandbox on NixOS, or option sandbox in nix.conf on non-NixOS linux)
  • Built on platform(s)
    • NixOS
    • macOS
    • other Linux distributions
  • Tested via one or more NixOS test(s) if existing and applicable for the change (look inside nixos/tests)
  • Tested compilation of all pkgs that depend on this change using nix-shell -p nixpkgs-review --run "nixpkgs-review wip"
  • Tested execution of all binary files (usually in ./result/bin/)
  • 21.11 Release Notes
    • (Package updates) Added a release notes entry if the change is major or breaking
    • (Module updates) Added a release notes entry if the change is significant
    • (Module addition) Added a release notes entry if adding a new NixOS module
  • Fits CONTRIBUTING.md.
