mirror of
https://github.com/SebastianWendel/nixpkgs.git
synced 2024-09-26 23:20:18 +02:00
b88ddadf8b
The Intel SGX DCAP driver makes the SGX application enclave device and the SGX provisioning enclave available below the path `/dev/sgx/`. Since Linux 5.11, a derivation of the DCAP driver is part of the kernel and available through the X86_SGX config option; NixOS enables this option by default. In contrast to the out-of-tree DCAP driver, the in-tree SGX driver uses a flat hierarchy for the SGX devices resulting in the paths `/dev/sgx_enclave` for the application enclave device and `/dev/sgx_provison` for the provisioning enclave device. As of this commit, even the latest version of the Intel SGX PSW libraries still tries to open the (legacy) DCAP paths only. This means that SGX software currently cannot find the required SGX devices even if the system actually supports SGX through the in-tree driver. Intel wants to change this behavior in an upcoming release of intel/linux-sgx. Having said that, SGX software assuming the SGX devices below `/dev/sgx/` will prevail. Therefore, this commit introduces the NixOS configuration option `hardware.cpu.intel.sgx.enableDcapCompat` which creates the necessary symlinks to support existing SGX software. The option defaults to true as it is currently the only way to support SGX software. Also, enabling the SGX AESM service enables the option. The permissions of the devices `/dev/sgx_enclave` and `/dev/sgx_provison` remain the same, i.e., are not affected regardless of having the new option enabled or not. |
||
|---|---|---|
| .. | ||
| config | ||
| hardware | ||
| i18n/input-method | ||
| installer | ||
| misc | ||
| profiles | ||
| programs | ||
| security | ||
| services | ||
| system | ||
| tasks | ||
| testing | ||
| virtualisation | ||
| module-list.nix | ||
| rename.nix | ||