Skip to content

nixos/aesmd: add qcnl config#181347

Open
rvolosatovs wants to merge 3 commits intoNixOS:masterfrom
profianinc:feat/aesmd-qcnl
Open

nixos/aesmd: add qcnl config#181347
rvolosatovs wants to merge 3 commits intoNixOS:masterfrom
profianinc:feat/aesmd-qcnl

Conversation

@rvolosatovs
Copy link
Member

@rvolosatovs rvolosatovs commented Jul 13, 2022
edited
Loading

Description of changes

QCNL is used by AESMD internally, this allows for configuring the library.

See https://profianinc.github.io/nixpkgs/options.html#opt-services.aesmd.qcnl.settings for rendered doc

Things done
  • Built on platform(s)
    • x86_64-linux
    • aarch64-linux
    • x86_64-darwin
    • aarch64-darwin
  • For non-Linux: Is sandbox = true set in nix.conf? (See Nix manual)
  • Tested, as applicable:
  • Tested compilation of all packages that depend on this change using nix-shell -p nixpkgs-review --run "nixpkgs-review rev HEAD". Note: all changes have to be committed, also see nixpkgs-review usage
  • Tested basic functionality of all binary files (usually in ./result/bin/)
  • 22.11 Release Notes (or backporting 22.05 Release notes)
    • (Package updates) Added a release notes entry if the change is major or breaking
    • (Module updates) Added a release notes entry if the change is significant
    • (Module addition) Added a release notes entry if adding a new NixOS module
    • (Release notes changes) Ran nixos/doc/manual/md-to-db.sh to update generated release notes
  • Fits CONTRIBUTING.md.

@rvolosatovs rvolosatovs requested a review from veehaitch July 13, 2022 11:06
@github-actions github-actions bot added 6.topic: nixos Issues or PRs affecting NixOS modules, or package usability issues specific to NixOS 8.has: module (update) This PR changes an existing module in `nixos/` labels Jul 13, 2022
@ofborg ofborg bot added 10.rebuild-darwin: 0 This PR does not cause any packages to rebuild on Darwin. 10.rebuild-linux: 1-10 This PR causes between 1 and 10 packages to rebuild on Linux. labels Jul 13, 2022
@rvolosatovs rvolosatovs force-pushed the feat/aesmd-qcnl branch 2 times, most recently from 9104719 to 81ebdf6 Compare July 13, 2022 13:29
veehaitch
veehaitch reviewed Jul 13, 2022
View reviewed changes
@rvolosatovs rvolosatovs requested a review from veehaitch July 25, 2022 16:40
@rvolosatovs
Copy link
Member Author

rvolosatovs commented Jul 25, 2022
edited
Loading

@veehaitch PR updated as discussed, PTAL!
Do we need to add some kind of alias for the aesmd.settings level? It looks like a breaking change, since original AESMD PR was merged in 22.05 #148593

I highly doubt anyone apart from us uses it though, since there's no kernel package with SGX support in nixpkgs anyway AFAIK

@veehaitch
Copy link
Member

veehaitch commented Aug 4, 2022

Looks good to me, thanks! However, you have to convert the description = fields to Markdown to resolve the conflicts.

We should definitely add an alias through mkRenamedOptionModule. We have Kernel support for SGX since #153525:

# zcat /proc/config.gz | grep "SGX"
CONFIG_X86_SGX=y
CONFIG_X86_SGX_KVM=y

veehaitch
veehaitch reviewed Aug 9, 2022
View reviewed changes
veehaitch
veehaitch approved these changes Aug 12, 2022
View reviewed changes
Copy link
Member

@veehaitch veehaitch left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks for working on this!

@bobby285271 bobby285271 added the 12.approvals: 1 This PR was reviewed and approved by one person. label Aug 12, 2022
@rvolosatovs
Copy link
Member Author

rvolosatovs commented Aug 22, 2022

Any update on this PR?

SuperSandro2000
SuperSandro2000 reviewed Aug 31, 2022
View reviewed changes
nixos/modules/services/security/aesmd.nix
options.defaultQuotingType = mkOption {
type = with types; nullOr (enum [ "ecdsa_256" "epid_linkable" "epid_unlinkable" ]);
options.retryDelay = mkOption {
type = with types; nullOr ints.u32;
Copy link
Member

@SuperSandro2000 SuperSandro2000 Aug 31, 2022

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

First time I am seeing this type being used.

nixos/modules/services/security/aesmd.nix
Comment on lines +113 to +133
type = with types; nullOr ints.u32;
default = null;
example = 6;
description = mdDoc ''
Maximum retry times for QCNL. When `null` or set to `0`, no retry will be performed.
Copy link
Member

@SuperSandro2000 SuperSandro2000 Aug 31, 2022

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
type = with types; nullOr ints.u32;
default = null;
example = 6;
description = mdDoc ''
Maximum retry times for QCNL. When `null` or set to `0`, no retry will be performed.
type = types.ints.u32;
default = 0;
example = 6;
description = mdDoc ''
Maximum retry times for QCNL. When set to `0`, no retry will be performed.

Why not do this instead?

Copy link
Member Author

@rvolosatovs rvolosatovs Jun 12, 2023

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I agree that's better UX, but I directly matched upstream behavior here https://github.com/intel/SGXDataCenterAttestationPrimitives/blob/68a77a852cd911a44a97733aec870e9bd93a3b86/QuoteGeneration/qcnl/linux/sgx_default_qcnl.conf#L23-L26

Copy link
Member

@SuperSandro2000 SuperSandro2000 Jun 20, 2023

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I don't think we need to mirror the null here. Not defined would be equal to the option having not default and for clarity we can then also set the default to 0 which is equal to null.

@haraldh
Copy link
Contributor

haraldh commented Apr 19, 2023

@rvolosatovs @SuperSandro2000 anything needed for this PR to be merged?

@rvolosatovs
Copy link
Member Author

rvolosatovs commented Apr 19, 2023

@rvolosatovs @SuperSandro2000 anything needed for this PR to be merged?

I'll try to get this addressed today #181347 (comment) and it should be good to go

@haraldh
Copy link
Contributor

haraldh commented May 11, 2023

@rvolosatovs @SuperSandro2000 anything needed for this PR to be merged?

I'll try to get this addressed today #181347 (comment) and it should be good to go

@rvolosatovs any progress? 😉

@rvolosatovs
nixos/aesmd: add qcnl config
f590bcc 
Signed-off-by: Roman Volosatovs <rvolosatovs@riseup.net>
@rvolosatovs
nixos/aesmd: remove settings attribute
f845f17 
Flatten to better match other services

Signed-off-by: Roman Volosatovs <rvolosatovs@riseup.net>
@rvolosatovs
nixos/aesmd: drop the lib prefix
a7fab34 
Signed-off-by: Roman Volosatovs <rvolosatovs@riseup.net>
@rvolosatovs
Copy link
Member Author

rvolosatovs commented Jun 12, 2023
edited
Loading

@rvolosatovs @SuperSandro2000 anything needed for this PR to be merged?

I'll try to get this addressed today #181347 (comment) and it should be good to go

@rvolosatovs any progress? wink

Getting back to this now, sorry for the delay - I have unarchived the source repository to be able to update the branch, but honestly not sure what to do about #181347 (comment) I did a direct translation of upstream config here, if the intention is to "do things better" in the NixOS module, then it'd make sense to not change this one field semantics, but also other fields. I'd rather just stick with upstream, which would simplify things like e.g. migration from existing configs and further maintenance in case upstream changes something

SuperSandro2000
SuperSandro2000 reviewed Jun 20, 2023
View reviewed changes
nixos/modules/services/security/aesmd.nix
];
"${aesmdConfigFile}:/etc/aesmd.conf"
]
++ optional (!isNull cfg.qcnl) (let
Copy link
Member

@SuperSandro2000 SuperSandro2000 Jun 20, 2023

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
++ optional (!isNull cfg.qcnl) (let
++ optional (cfg.qcnl != null) (let

SuperSandro2000
SuperSandro2000 reviewed Jun 20, 2023
View reviewed changes
nixos/modules/services/security/aesmd.nix
};
options.useSecureCert = mkOption {
type = with types; nullOr bool;
default = null;
Copy link
Member

@SuperSandro2000 SuperSandro2000 Jun 20, 2023

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

What does null mean here? true? From the description this is unclear.

@wegank wegank removed the 12.approvals: 1 This PR was reviewed and approved by one person. label Sep 7, 2023
@wegank wegank added the 2.status: merge conflict This PR has merge conflicts with the target branch label May 3, 2024
@wegank wegank added the 2.status: stale https://github.com/NixOS/nixpkgs/blob/master/.github/STALE-BOT.md label Jul 4, 2024
@nixpkgs-ci nixpkgs-ci bot added the 12.approvals: 1 This PR was reviewed and approved by one person. label Jun 25, 2025
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@SuperSandro2000 SuperSandro2000 SuperSandro2000 left review comments

+1 more reviewer

@veehaitch veehaitch veehaitch approved these changes

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

2.status: merge conflict This PR has merge conflicts with the target branch 2.status: stale https://github.com/NixOS/nixpkgs/blob/master/.github/STALE-BOT.md 6.topic: nixos Issues or PRs affecting NixOS modules, or package usability issues specific to NixOS 8.has: module (update) This PR changes an existing module in `nixos/` 10.rebuild-darwin: 0 This PR does not cause any packages to rebuild on Darwin. 10.rebuild-linux: 1-10 This PR causes between 1 and 10 packages to rebuild on Linux. 12.approvals: 1 This PR was reviewed and approved by one person.

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

6 participants

@rvolosatovs @veehaitch @haraldh @SuperSandro2000 @wegank @bobby285271