aesmd: allow overriding sgx-psw package manually

2024-11-01 18:27:09 -07:00 · 2024-11-01 18:27:09 -07:00 · 6524b07894
commit 6524b07894
parent 2d0e1f8046
1 changed files with 14 additions and 8 deletions
--- a/nixos/modules/services/security/aesmd.nix
+++ b/nixos/modules/services/security/aesmd.nix
@ -1,10 +1,12 @@
 { config, options, pkgs, lib, ... }:
-with lib;
 let
+  inherit (lib) concatStringsSep literalExpression makeLibraryPath mkEnableOption
+    mkForce mkIf mkOption mkPackageOption mkRemovedOptionModule optional types;
+
  cfg = config.services.aesmd;
  opt = options.services.aesmd;

-  sgx-psw = pkgs.sgx-psw.override { inherit (cfg) debug; };
+  sgx-psw = cfg.package;

  configFile = with cfg.settings; pkgs.writeText "aesmd.conf" (
    concatStringsSep "\n" (
@ -18,13 +20,17 @@ let
  );
 in
 {
+  imports = [
+    (mkRemovedOptionModule [ "debug" ] ''
+      Enable debug mode by overriding the aesmd package directly:
+
+          services.aesmd.package = pkgs.sgx-psw.override { debug = true; };
+    '')
+  ];
+
  options.services.aesmd = {
    enable = mkEnableOption "Intel's Architectural Enclave Service Manager (AESM) for Intel SGX";
-    debug = mkOption {
-      type = types.bool;
-      default = false;
-      description = "Whether to build the PSW package in debug mode.";
-    };
+    package = mkPackageOption pkgs "sgx-psw" { };
    environment = mkOption {
      type = with types; attrsOf str;
      default = { };
@ -126,7 +132,7 @@ in
          "|/dev/sgx_enclave"
        ];

-        serviceConfig = rec {
+        serviceConfig = {
          ExecStartPre = pkgs.writeShellScript "copy-aesmd-data-files.sh" ''
            set -euo pipefail
            whiteListFile="${aesmDataFolder}/white_list_cert_to_be_verify.bin"