Add SGX packages #71529
Add SGX packages #71529
Conversation
|
The |
exFalso
force-pushed
the
aslemmer/add-sgx-tools
branch
from
4958855
to
5246e11
Compare
exFalso
force-pushed
the
aslemmer/add-sgx-tools
branch
3 times, most recently
from
e3f2f4e
to
7262491
Compare
|
I removed the elf2sgxs tool, it's a bit of an overkill to add a nightly rust version just for that. Perhaps first we should have proper nightly support |
| intel-aesmd2_4_0 = callPackage ../os-specific/linux/intel-aesmd/2.4.0.nix { }; | ||
| intel-aesmd2_5_0 = callPackage ../os-specific/linux/intel-aesmd/2.5.0.nix { }; | ||
| intel-aesmd2_6_0 = callPackage ../os-specific/linux/intel-aesmd/2.6.0.nix { }; | ||
| intel-aesmd2_7_0 = callPackage ../os-specific/linux/intel-aesmd/2.7.0.nix { }; |
There was a problem hiding this comment.
Why the many different versions?
There was a problem hiding this comment.
The protocol has changed through these versions, and the latest release of https://crates.io/crates/aesm-client which interfaces with aesmd only works up to 2.4.0. This is why I added these alternative versions and not just the latest one.
There was a problem hiding this comment.
Than I only would add 2.4 and the latest.
exFalso
force-pushed
the
aslemmer/add-sgx-tools
branch
from
2e7945a
to
75f0dea
Compare
|
@infinisil anything else I can do for this PR? |
|
|
||
| patchelf \ | ||
| --set-interpreter "$(cat $NIX_CC/nix-support/dynamic-linker)" \ | ||
| --set-rpath ${lib.makeLibraryPath (with pkgs; [ stdenv.cc.cc.lib openssl protobuf3_0 ])}:$AESM_PATH \ |
There was a problem hiding this comment.
Is it not possible to compile it from source?
|
(triage) what’s the status? |
| boot.initrd.prepend = mkOrder 1 [ "${pkgs.microcodeIntel}/intel-ucode.img" ]; | ||
| }) | ||
|
|
||
| (mkIf (intel.sgx.enable || intel.aesmd.enable) { |
There was a problem hiding this comment.
Can aesmd be used without sgx? If not, then you should add an assertion like aesmd.enable -> sgx.enable and change this here to mkIf sgx.enable
|
Also #71529 (comment) should be addressed |
|
Hello, I'm a bot and I thank you in the name of the community for your contributions. Nixpkgs is a busy repository, and unfortunately sometimes PRs get left behind for too long. Nevertheless, we'd like to help committers reach the PRs that are still important. This PR has had no activity for 180 days, and so I marked it as stale, but you can rest assured it will never be closed by a non-human. If this is still important to you and you'd like to remove the stale label, we ask that you leave a comment. Your comment can be as simple as "still important to me". But there's a bit more you can do: If you received an approval by an unprivileged maintainer and you are just waiting for a merge, you can @ mention someone with merge permissions and ask them to help. You might be able to find someone relevant by using Git blame on the relevant files, or via GitHub's web interface. You can see if someone's a member of the nixpkgs-committers team, by hovering with the mouse over their username on the web interface, or by searching them directly on the list. If your PR wasn't reviewed at all, it might help to find someone who's perhaps a user of the package or module you are changing, or alternatively, ask once more for a review by the maintainer of the package/module this is about. If you don't know any, you can use Git blame on the relevant files, or GitHub's web interface to find someone who touched the relevant files in the past. If your PR has had reviews and nevertheless got stale, make sure you've responded to all of the reviewer's requests / questions. Usually when PR authors show responsibility and dedication, reviewers (privileged or not) show dedication as well. If you've pushed a change, it's possible the reviewer wasn't notified about your push via email, so you can always officially request them for a review, or just @ mention them and say you've addressed their comments. Lastly, you can always ask for help at our Discourse Forum, or more specifically, at this thread or at #nixos' IRC channel. |
stale
bot
added
the
2.status: stale
|
@infinisil do you think we could still merge this? It would be sad for the initial and the review work to go to waste. |
stale
bot
removed
the
2.status: stale
|
I don't think it makes sense to merge something that apparently nobody needs as of now (otherwise we'd have seen somebody pinging this PR). The work isn't lost imo because whoever needs it in the future can pick up this PR's work again :). I'll close this for now then |
Motivation for this change
This PR adds packages related to Intel SGX, in particular the driver, aesmd, and an enclave signing tool. Furthermore a protobuf version was added(3.0) required to run the aesmd daemon.
Things done
sandboxinnix.confon non-NixOS)nix-shell -p nix-review --run "nix-review wip"./result/bin/)nix path-info -Sbefore and after)Notify maintainers
cc @bjornfor @peti