diff --git a/.github/workflows/lint.yml b/.github/workflows/lint.yml
index 3d13537..3791eab 100644
--- a/.github/workflows/lint.yml
+++ b/.github/workflows/lint.yml
@@ -16,18 +16,38 @@ jobs: runs-on: ubuntu-latest steps: - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4 - - name: Setup Rust toolchain - run: rustup show - - run: cargo fmt --all -- --check + - uses: cachix/install-nix-action@v26 + with: + extra_nix_config: | + access-tokens = github.com=${{ github.token }} + - uses: cachix/cachix-action@v14 + with: + name: nixsgx + extraPullNames: vault-auth-tee + - name: Enable magic Nix cache + uses: DeterminateSystems/magic-nix-cache-action@main + + - name: cargo fmt + run: nix build -L .#cargoFmt deny: name: cargo deny runs-on: ubuntu-latest steps: - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4 - - uses: EmbarkStudios/cargo-deny-action@v1 + - uses: cachix/install-nix-action@v26 with: - arguments: --workspace + extra_nix_config: | + access-tokens = github.com=${{ github.token }} + - uses: cachix/cachix-action@v14 + with: + name: nixsgx + extraPullNames: vault-auth-tee + - name: Enable magic Nix cache + uses: DeterminateSystems/magic-nix-cache-action@main + + - name: cargo deny + run: nix build -L .#cargoDeny check-spdx-headers: runs-on: ubuntu-latest
diff --git a/.github/workflows/nix.yml b/.github/workflows/nix.yml
index 87a69fb..d2d915d 100644
--- a/.github/workflows/nix.yml
+++ b/.github/workflows/nix.yml
@@ -11,7 +11,7 @@ concurrency: cancel-in-progress: true jobs: - check: + fmt: runs-on: ubuntu-latest steps: - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4
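Review bot: The new `uses: DeterminateSystems/magic-nix-cache-action@main` step in both the fmt and deny jobs pins a third-party action to a moving branch, while `actions/checkout` on the same jobs is pinned to a full commit SHA; `cachix/install-nix-action@v26` and `cachix/cachix-action@v14` are mutable tags as well. These steps run after `extra_nix_config` has written `access-tokens = github.com=${{ github.token }}` into the Nix configuration, so a compromised upstream branch or retagged release gets the job token and, presumably, write access to the Actions cache the later `nix build -L .#cargoFmt` / `.#cargoDeny` steps read from. Pin all three to commit SHAs with a version comment, e.g. `uses: DeterminateSystems/magic-nix-cache-action@<full-sha> # vN`, matching the checkout line. The same unpinned step is repeated in every job of nix.yml below, so one fix should be applied across both workflows.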
@@ -22,11 +22,14 @@ jobs: - uses: cachix/cachix-action@v14 with: name: nixsgx + authToken: '${{ secrets.CACHIX_AUTH_TOKEN }}' extraPullNames: vault-auth-tee + - name: Enable magic Nix cache + uses: DeterminateSystems/magic-nix-cache-action@main - - run: nix flake check -L --show-trace --keep-going + - run: nix fmt . -- --check - fmt: + clippy: runs-on: ubuntu-latest steps: - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4
@@ -37,11 +40,16 @@ jobs: - uses: cachix/cachix-action@v14 with: name: nixsgx + authToken: '${{ secrets.CACHIX_AUTH_TOKEN }}' extraPullNames: vault-auth-tee + - name: Enable magic Nix cache + uses: DeterminateSystems/magic-nix-cache-action@main - - run: nix fmt . -- --check + - name: cargo clippy + run: nix build -L .#cargoClippy - clippy: + check: + needs: clippy runs-on: ubuntu-latest steps: - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4
@@ -52,14 +60,15 @@ jobs: - uses: cachix/cachix-action@v14 with: name: nixsgx + authToken: '${{ secrets.CACHIX_AUTH_TOKEN }}' extraPullNames: vault-auth-tee - name: Enable magic Nix cache uses: DeterminateSystems/magic-nix-cache-action@main - - name: cargo clippy - run: nix develop -L --ignore-environment -c cargo clippy --all + - run: nix flake check -L --show-trace --keep-going build: + needs: check runs-on: ubuntu-latest steps: - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4
diff --git a/Cargo.lock b/Cargo.lock
index 7de64dd..0530772 100644
--- a/Cargo.lock
+++ b/Cargo.lock
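Review bot: `authToken: '${{ secrets.CACHIX_AUTH_TOKEN }}'` is added to the fmt, clippy and check jobs, none of which needs to publish anything, and as far as I recall cachix-action pushes every store path built during the job to `nixsgx` once a token is present. Combined with the `DeterminateSystems/magic-nix-cache-action@main` step that runs unpinned in the same jobs, this lets a lint job (or a compromised action inside it) write paths into the cache that flake.nix now lists as a trusted substituter for every developer and the SGX builds. Keep the write token on the job that is meant to populate the cache and add `skipPush: 'true'` (or drop `authToken`) on fmt, clippy and check; if the token is only there for pull rate limits, say so in a comment next to it. The `build` job's cachix step is outside this hunk, so I can't tell whether it is the intended publisher.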
@@ -1824,18 +1824,18 @@ dependencies = [ [[package]] name = "pin-project" -version = "1.1.4" +version = "1.1.5" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "0302c4a0442c456bd56f841aee5c3bfd17967563f6fadc9ceb9f9c23cf3807e0" +checksum = "b6bf43b791c5b9e34c3d182969b4abb522f9343702850a2e57f460d00d09b4b3" dependencies = [ "pin-project-internal", ] [[package]] name = "pin-project-internal" -version = "1.1.4" +version = "1.1.5" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "266c042b60c9c76b8d53061e52b2e0d1116abc57cefc8c5cd671619a56ac3690" +checksum = "2f38a4412a78282e09a2cf38d195ea5420d15ba0602cb375210efbc877243965" dependencies = [ "proc-macro2", "quote",
diff --git a/Cargo.toml b/Cargo.toml
index 6321bfe..2c20040 100644
--- a/Cargo.toml
+++ b/Cargo.toml
@@ -1,56 +1,6 @@ -[package] -name = "teepot" -description = "TEE secret manager" -# no MIT license, because of copied code from: -# * https://github.com/enarx/enarx -# * https://github.com/enarx/sgx -license = "Apache-2.0" -version.workspace = true -edition.workspace = true -authors.workspace = true -repository.workspace = true - -[dependencies] -actix-http.workspace = true -actix-web.workspace = true -anyhow.workspace = true -awc.workspace = true -bytemuck.workspace = true -bytes.workspace = true -clap.workspace = true -const-oid.workspace = true -enumset.workspace = true -futures-core.workspace = true -getrandom.workspace = true -hex.workspace = true -intel-tee-quote-verification-rs.workspace = true -num-integer.workspace = true -num-traits.workspace = true -p256.workspace = true -pgp.workspace = true -pkcs8.workspace = true -rand.workspace = true -rsa.workspace = true -rustls.workspace = true -serde.workspace = true -serde_json.workspace = true -serde_with.workspace = true -sha2.workspace = true -signature.workspace = true -thiserror.workspace = true -tracing.workspace = true -webpki-roots.workspace = true -x509-cert.workspace = true -zeroize.workspace = true - -[dev-dependencies] -anyhow.workspace = true -base64.workspace = true -hex.workspace = true -testaso.workspace = true - [workspace] members = ["crates/*", "bin/*"] +resolver = "2" [workspace.package] version = "0.1.0"
@@ -78,7 +28,7 @@ enumset = { version = "1.1", features = ["serde", "std"] } futures-core = { version = "0.3.30", features = ["alloc"], default-features = false } getrandom = "0.2.12" hex = { version = "0.4.3", features = ["std"], default-features = false } -intel-tee-quote-verification-rs = { path = "crates/intel-tee-quote-verification-rs", version = "0.2.1" } +intel-tee-quote-verification-rs = { path = "crates/intel-tee-quote-verification-rs" } intel-tee-quote-verification-sys = { version = "0.2.1" } k256 = "0.13" log = "0.4"
@@ -99,7 +49,7 @@ serde_json = "1" serde_with = { version = "3.6", features = ["base64", "hex"] } sha2 = "0.10.8" signature = "2.2.0" -teepot = { path = "." } +teepot = { path = "crates/teepot" } testaso = "0.1.0" thiserror = "1.0.57" tokio = { version = "1", features = ["sync", "macros", "rt-multi-thread", "fs", "time"] }
diff --git a/bin/tee-vault-admin/src/main.rs b/bin/tee-vault-admin/src/main.rs
index 274c5f0..9cd54f8 100644
--- a/bin/tee-vault-admin/src/main.rs
+++ b/bin/tee-vault-admin/src/main.rs
@@ -117,7 +117,7 @@ mod tests { use serde_json::json; use teepot::json::http::{VaultCommand, VaultCommands}; - const TEST_DATA: &str = include_str!("../../../tests/data/test.json"); + const TEST_DATA: &str = include_str!("../../../crates/teepot/tests/data/test.json"); #[test] fn test_vault_commands() {
diff --git a/crates/teepot/Cargo.toml b/crates/teepot/Cargo.toml
new file mode 100644
index 0000000..a2c48bf
--- /dev/null
+++ b/crates/teepot/Cargo.toml
@@ -0,0 +1,50 @@ +[package] +name = "teepot" +description = "TEE secret manager" +# no MIT license, because of copied code from: +# * https://github.com/enarx/enarx +# * https://github.com/enarx/sgx +license = "Apache-2.0" +version.workspace = true +edition.workspace = true +authors.workspace = true +repository.workspace = true + +[dependencies] +actix-http.workspace = true +actix-web.workspace = true +anyhow.workspace = true +awc.workspace = true +bytemuck.workspace = true +bytes.workspace = true +clap.workspace = true +const-oid.workspace = true +enumset.workspace = true +futures-core.workspace = true +getrandom.workspace = true +hex.workspace = true +intel-tee-quote-verification-rs.workspace = true +num-integer.workspace = true +num-traits.workspace = true +p256.workspace = true +pgp.workspace = true +pkcs8.workspace = true +rand.workspace = true +rsa.workspace = true +rustls.workspace = true +serde.workspace = true +serde_json.workspace = true +serde_with.workspace = true +sha2.workspace = true +signature.workspace = true +thiserror.workspace = true +tracing.workspace = true +webpki-roots.workspace = true +x509-cert.workspace = true +zeroize.workspace = true + +[dev-dependencies] +anyhow.workspace = true +base64.workspace = true +hex.workspace = true +testaso.workspace = true diff --git a/src/client/mod.rs b/crates/teepot/src/client/mod.rs similarity index 100% rename from src/client/mod.rs rename to crates/teepot/src/client/mod.rs diff --git a/src/client/vault.rs b/crates/teepot/src/client/vault.rs similarity index 100% rename from src/client/vault.rs rename to crates/teepot/src/client/vault.rs diff --git a/src/json/http.rs b/crates/teepot/src/json/http.rs similarity index 100% rename from src/json/http.rs rename to crates/teepot/src/json/http.rs diff --git a/src/json/mod.rs b/crates/teepot/src/json/mod.rs similarity index 100% rename from src/json/mod.rs rename to crates/teepot/src/json/mod.rs 
diff --git a/src/json/secrets.rs b/crates/teepot/src/json/secrets.rs similarity index 100% rename from src/json/secrets.rs rename to crates/teepot/src/json/secrets.rs diff --git a/src/lib.rs b/crates/teepot/src/lib.rs similarity index 100% rename from src/lib.rs rename to crates/teepot/src/lib.rs diff --git a/src/quote/mod.rs b/crates/teepot/src/quote/mod.rs similarity index 100% rename from src/quote/mod.rs rename to crates/teepot/src/quote/mod.rs diff --git a/src/server/attestation.rs b/crates/teepot/src/server/attestation.rs similarity index 100% rename from src/server/attestation.rs rename to crates/teepot/src/server/attestation.rs diff --git a/src/server/mod.rs b/crates/teepot/src/server/mod.rs similarity index 100% rename from src/server/mod.rs rename to crates/teepot/src/server/mod.rs diff --git a/src/server/pki.rs b/crates/teepot/src/server/pki.rs similarity index 100% rename from src/server/pki.rs rename to crates/teepot/src/server/pki.rs diff --git a/src/server/signatures.rs b/crates/teepot/src/server/signatures.rs similarity index 100% rename from src/server/signatures.rs rename to crates/teepot/src/server/signatures.rs diff --git a/src/sgx/error.rs b/crates/teepot/src/sgx/error.rs similarity index 100% rename from src/sgx/error.rs rename to crates/teepot/src/sgx/error.rs diff --git a/src/sgx/mod.rs b/crates/teepot/src/sgx/mod.rs similarity index 100% rename from src/sgx/mod.rs rename to crates/teepot/src/sgx/mod.rs diff --git a/src/sgx/sign.rs b/crates/teepot/src/sgx/sign.rs similarity index 99% rename from src/sgx/sign.rs rename to crates/teepot/src/sgx/sign.rs index 6b9e0d0..7b58f43 100644 --- a/src/sgx/sign.rs +++ b/crates/teepot/src/sgx/sign.rs @@ -1,5 +1,5 @@ // SPDX-License-Identifier: Apache-2.0 -// Copyright (c) 2023 Matter Labs +// Copyright (c) 2023-2024 Matter Labs // Copyright (c) The Enarx Project Developers https://github.com/enarx/sgx 
@@ -357,6 +357,7 @@ mod test { } #[test] + #[allow(clippy::unusual_byte_groupings)] fn author_instantiation() { let author = Author::new(0x2000_03_30, 0u32); assert_eq!(author.header1, Author::HEADER1); diff --git a/src/sgx/tcblevel.rs b/crates/teepot/src/sgx/tcblevel.rs similarity index 100% rename from src/sgx/tcblevel.rs rename to crates/teepot/src/sgx/tcblevel.rs diff --git a/tests/data/gpgkey.asc b/crates/teepot/tests/data/gpgkey.asc similarity index 100% rename from tests/data/gpgkey.asc rename to crates/teepot/tests/data/gpgkey.asc diff --git a/tests/data/gpgkey.pub b/crates/teepot/tests/data/gpgkey.pub similarity index 100% rename from tests/data/gpgkey.pub rename to crates/teepot/tests/data/gpgkey.pub diff --git a/tests/data/gramine-test.sig b/crates/teepot/tests/data/gramine-test.sig similarity index 100% rename from tests/data/gramine-test.sig rename to crates/teepot/tests/data/gramine-test.sig diff --git a/tests/data/pub-81A312C59D679D930FA9E8B06D728F29A2DBABF8.asc b/crates/teepot/tests/data/pub-81A312C59D679D930FA9E8B06D728F29A2DBABF8.asc similarity index 100% rename from tests/data/pub-81A312C59D679D930FA9E8B06D728F29A2DBABF8.asc rename to crates/teepot/tests/data/pub-81A312C59D679D930FA9E8B06D728F29A2DBABF8.asc diff --git a/tests/data/pub-81A312C59D679D930FA9E8B06D728F29A2DBABF8.b64 b/crates/teepot/tests/data/pub-81A312C59D679D930FA9E8B06D728F29A2DBABF8.b64 similarity index 100% rename from tests/data/pub-81A312C59D679D930FA9E8B06D728F29A2DBABF8.b64 rename to crates/teepot/tests/data/pub-81A312C59D679D930FA9E8B06D728F29A2DBABF8.b64 diff --git a/tests/data/stress.json b/crates/teepot/tests/data/stress.json similarity index 100% rename from tests/data/stress.json rename to crates/teepot/tests/data/stress.json diff --git a/tests/data/stress.json.asc b/crates/teepot/tests/data/stress.json.asc similarity index 100% rename from tests/data/stress.json.asc rename to crates/teepot/tests/data/stress.json.asc 
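Review bot: The new `#[allow(clippy::unusual_byte_groupings)]` on `author_instantiation` suppresses the lint without recording why `0x2000_03_30` is grouped that way, so the next reader may "fix" the grouping or drop the allow. The grouping looks deliberate — presumably a date-style YYYY_MM_DD value, but that should be confirmed against `Author::new` — and a one-line comment above the attribute, e.g. `// 0x2000_03_30 is grouped as a date (2000-03-30), hence the allow`, would make the intent survive. The test body continues past the end of the hunk.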
diff --git a/tests/data/test.json b/crates/teepot/tests/data/test.json
similarity index 100%
rename from tests/data/test.json
rename to crates/teepot/tests/data/test.json
diff --git a/tests/data/test.json.asc b/crates/teepot/tests/data/test.json.asc
similarity index 100%
rename from tests/data/test.json.asc
rename to crates/teepot/tests/data/test.json.asc
diff --git a/tests/data/test2.json b/crates/teepot/tests/data/test2.json
similarity index 100%
rename from tests/data/test2.json
rename to crates/teepot/tests/data/test2.json
diff --git a/tests/data/test2.json.asc b/crates/teepot/tests/data/test2.json.asc
similarity index 100%
rename from tests/data/test2.json.asc
rename to crates/teepot/tests/data/test2.json.asc
diff --git a/tests/sgx_quote_verification.rs b/crates/teepot/tests/sgx_quote_verification.rs
similarity index 100%
rename from tests/sgx_quote_verification.rs
rename to crates/teepot/tests/sgx_quote_verification.rs
diff --git a/deny.toml b/deny.toml
index afe1cbc..6cb4884 100644
--- a/deny.toml
+++ b/deny.toml
@@ -29,7 +29,7 @@ allow = [ "Unlicense", "MPL-2.0", "Unicode-DFS-2016", - "CC0-1.0", + # "CC0-1.0", # not yet seen "BSD-2-Clause", "BSD-3-Clause", "OpenSSL",
@@ -65,12 +65,9 @@ skip-tree = [] unknown-registry = "warn" unknown-git = "warn" allow-registry = ["https://github.com/rust-lang/crates.io-index"] -allow-git = [ - # we need the mio override to disable eventfd for SGX - "https://github.com/tokio-rs/mio?rev=ec0776f5af29548e4e1f48f86f5fa123a46caa07#ec0776f5af29548e4e1f48f86f5fa123a46caa07", -] +# allow-git = [] [sources.allow-org] -github = [""] -gitlab = [""] -bitbucket = [""] +#github = [""] +#gitlab = [""] +#bitbucket = [""]
diff --git a/flake.lock b/flake.lock
index eb25ea4..698bd18 100644
--- a/flake.lock
+++ b/flake.lock
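Review bot: With `allow-git` removed, the `[sources]` table in the second deny.toml hunk still carries `unknown-git = "warn"` and `unknown-registry = "warn"`, so a git or alternate-registry dependency reintroduced later — the mio override this commit drops was exactly such a source — would only print a warning instead of failing `nix build -L .#cargoDeny`. Now that the workspace is meant to be crates.io-only, tighten both: `unknown-registry = "deny"` and `unknown-git = "deny"`. The commented-out `# allow-git = []` and the three `#github = [""]`-style lines carry no information; either delete them or leave one comment saying git and org sources are intentionally disallowed.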
@@ -1,5 +1,25 @@ { "nodes": { + "crane": { + "inputs": { + "nixpkgs": [ + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1709610799, + "narHash": "sha256-5jfLQx0U9hXbi2skYMGodDJkIgffrjIOgMRjZqms2QE=", + "owner": "ipetkov", + "repo": "crane", + "rev": "81c393c776d5379c030607866afef6406ca1be57", + "type": "github" + }, + "original": { + "owner": "ipetkov", + "repo": "crane", + "type": "github" + } + }, "flake-compat": { "flake": false, "locked": {
@@ -287,6 +307,7 @@ }, "root": { "inputs": { + "crane": "crane", "nixpkgs": "nixpkgs", "nixsgx-flake": "nixsgx-flake", "rust-overlay": "rust-overlay",
diff --git a/flake.nix b/flake.nix
index 5b2afd2..39efa28 100644
--- a/flake.nix
+++ b/flake.nix
@@ -1,6 +1,13 @@ { description = "teepot"; + nixConfig.extra-substituters = [ + "https://nixsgx.cachix.org" + ]; + nixConfig.extra-trusted-public-keys = [ + "nixsgx.cachix.org-1:tGi36DlY2joNsIXOlGnSgWW0+E094V6hW0umQRo/KoE=" + ]; + inputs = { nixpkgs.url = "github:nixos/nixpkgs/nixos-23.11";
@@ -23,6 +30,11 @@ url = "github:oxalica/rust-overlay?rev=3ad32bb27c700b59306224e285b66577e3532dfc"; inputs.nixpkgs.follows = "nixpkgs"; }; + + crane = { + url = "github:ipetkov/crane"; + inputs.nixpkgs.follows = "nixpkgs"; + }; }; outputs = inputs:
@@ -49,6 +61,16 @@ outputs-builder = channels: { formatter = channels.nixpkgs.nixpkgs-fmt; + + checks = { + inherit + (channels.nixpkgs.teepot) cargoFmt; + inherit + (channels.nixpkgs.teepot) cargoClippy; + inherit + (channels.nixpkgs.teepot) cargoDeny; + }; + }; }; }
diff --git a/packages/cargoClippy/default.nix b/packages/cargoClippy/default.nix
new file mode 100644
index 0000000..116c44e
--- /dev/null
+++ b/packages/cargoClippy/default.nix
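Review bot: The new `crane` input is declared as `url = "github:ipetkov/crane";` with no `?rev=`, whereas `rust-overlay` on the adjacent context lines is pinned to an explicit revision; the lock file pins crane today, but the next `nix flake update` pulls whatever its default branch holds, and crane's build hooks run inside every build of the SGX binaries. Pin it the same way, `url = "github:ipetkov/crane?rev=81c393c776d5379c030607866afef6406ca1be57";`, using the rev already recorded in the flake.lock hunk above. The added `nixConfig.extra-trusted-public-keys` entry deserves a comment too: trusting `nixsgx.cachix.org-1:…` means any store path signed with that key is substituted without being rebuilt, so whoever holds the cache's push token is now in the trust base of these builds. A one-line note above the key saying that, and pointing at where the push token is managed, would keep reviewers of the CI workflows aware of it.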
@@ -0,0 +1,21 @@ +# SPDX-License-Identifier: Apache-2.0 +# Copyright (c) 2024 Matter Labs +{ lib +, inputs +, makeRustPlatform +, nixsgx +, pkg-config +, rust-bin +, pkgs +, callPackage +, ... +}@args: +let + teepotCrate = import ../teepot/teepot.nix args; +in +teepotCrate.craneLib.cargoClippy ( + teepotCrate.commonArgs // { + pname = "teepot"; + inherit (teepotCrate) cargoArtifacts NIX_OUTPATH_USED_AS_RANDOM_SEED; + } +)
diff --git a/packages/cargoDeny/default.nix b/packages/cargoDeny/default.nix
new file mode 100644
index 0000000..962a35e
--- /dev/null
+++ b/packages/cargoDeny/default.nix
@@ -0,0 +1,20 @@ +# SPDX-License-Identifier: Apache-2.0 +# Copyright (c) 2024 Matter Labs +{ lib +, inputs +, makeRustPlatform +, nixsgx +, pkg-config +, rust-bin +, pkgs +, callPackage +, ... +}@args: +let + teepotCrate = import ../teepot/teepot.nix args; +in +teepotCrate.craneLib.cargoDeny ( + teepotCrate.commonArgs // { + pname = "teepot"; + } +)
diff --git a/packages/cargoFmt/default.nix b/packages/cargoFmt/default.nix
new file mode 100644
index 0000000..d496d04
--- /dev/null
+++ b/packages/cargoFmt/default.nix
@@ -0,0 +1,20 @@ +# SPDX-License-Identifier: Apache-2.0 +# Copyright (c) 2024 Matter Labs +{ lib +, inputs +, makeRustPlatform +, nixsgx +, pkg-config +, rust-bin +, pkgs +, callPackage +, ... +}@args: +let + teepotCrate = import ../teepot/teepot.nix args; +in +teepotCrate.craneLib.cargoFmt ( + teepotCrate.commonArgs // { + pname = "teepot"; + } +)
diff --git a/packages/teepot/default.nix b/packages/teepot/default.nix
index 1fa2a0a..636998e 100644
--- a/packages/teepot/default.nix
+++ b/packages/teepot/default.nix
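Review bot: `teepotCrate.craneLib.cargoDeny` in packages/cargoDeny/default.nix is called with nothing but `commonArgs // { pname = "teepot"; }`, and as far as I recall crane's `cargoDeny` defaults its `cargoDenyChecks` to `"bans licenses sources"` because the advisories check needs the RustSec database, which a sandboxed Nix build cannot fetch. The `EmbarkStudios/cargo-deny-action@v1` step this replaces ran the default `check` command, which includes advisories, so the migration silently drops RUSTSEC vulnerability checking from CI. Either add an `advisory-db` flake input and a crane `cargoAudit` check next to this one, or state the gap in the derivation, e.g. `# advisories are not checked here (needs network); see cargoAudit` above the call. The three new package files also repeat the identical ten-argument header and `import ../teepot/teepot.nix args`; a shared helper would remove that duplication, but that is style only.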
@@ -1,77 +1,58 @@ # SPDX-License-Identifier: Apache-2.0 # Copyright (c) 2024 Matter Labs { lib +, inputs , makeRustPlatform , nixsgx , pkg-config , rust-bin -}: +, pkgs +, ... +}@args: let - cargoToml = builtins.fromTOML (builtins.readFile ../../Cargo.toml); - rustVersion = rust-bin.fromRustupToolchainFile ../../rust-toolchain.toml; - rustPlatform = makeRustPlatform { - cargo = rustVersion; - rustc = rustVersion; - }; + teepotCrate = import ./teepot.nix args; in -rustPlatform.buildRustPackage { - pname = cargoToml.package.name; - inherit (cargoToml.workspace.package) version; +teepotCrate.craneLib.buildPackage ( + teepotCrate.commonArgs // { + pname = "teepot"; + inherit (teepotCrate) cargoArtifacts + NIX_OUTPATH_USED_AS_RANDOM_SEED; - nativeBuildInputs = [ - pkg-config - rustPlatform.bindgenHook - ]; - buildInputs = [ - nixsgx.sgx-sdk - nixsgx.sgx-dcap - nixsgx.sgx-dcap.quote_verify - ]; + passthru = { + inherit (teepotCrate) rustPlatform + rustVersion + commonArgs + craneLib + cargoArtifacts; + NIX_OUTPATH_USED_AS_RANDOM_SEED = "aaaaaaaaaa"; + }; - src = with lib.fileset; toSource { - root = ./../..; - fileset = unions [ - ../../Cargo.lock - ../../Cargo.toml - ../../bin - ../../crates - ../../rust-toolchain.toml - ../../src - ../../tests + outputs = [ + "out" + "tee_key_preexec" + "tee_ratls_preexec" + "tee_self_attestation_test" + "tee_stress_client" + "tee_vault_admin" + "tee_vault_unseal" + "teepot_read" + "teepot_write" + "vault_admin" + "vault_unseal" + "verify_attestation" ]; - }; - RUSTFLAGS = "--cfg mio_unsupported_force_waker_pipe"; - cargoBuildFlags = "--all"; - checkType = "debug"; - cargoLock = { - lockFile = ../../Cargo.lock; - }; + postInstall = '' + mkdir -p $out/nix-support + for i in $outputs; do + [[ $i == "out" ]] && continue + mkdir -p "''${!i}/bin" + echo "''${!i}" >> $out/nix-support/propagated-user-env-packages + binname=''${i//_/-} + mv "$out/bin/$binname" "''${!i}/bin/" + done + ''; + } +) - outputs = [ - "out" - "tee_key_preexec" - 
"tee_ratls_preexec" - "tee_self_attestation_test" - "tee_stress_client" - "tee_vault_admin" - "tee_vault_unseal" - "teepot_read" - "teepot_write" - "vault_admin" - "vault_unseal" - "verify_attestation" - ]; - - postInstall = '' - mkdir -p $out/nix-support - for i in $outputs; do - [[ $i == "out" ]] && continue - mkdir -p "''${!i}/bin" - echo "''${!i}" >> $out/nix-support/propagated-user-env-packages - binname=''${i//_/-} - mv "$out/bin/$binname" "''${!i}/bin/" - done - ''; -}
diff --git a/packages/teepot/teepot.nix b/packages/teepot/teepot.nix
new file mode 100644
index 0000000..eb9a73c
--- /dev/null
+++ b/packages/teepot/teepot.nix
@@ -0,0 +1,61 @@ +# SPDX-License-Identifier: Apache-2.0 +# Copyright (c) 2024 Matter Labs +{ lib +, inputs +, makeRustPlatform +, nixsgx +, pkg-config +, rust-bin +, pkgs +, ... +}: +let + rustVersion = rust-bin.fromRustupToolchainFile ../../rust-toolchain.toml; + rustPlatform = makeRustPlatform { + cargo = rustVersion; + rustc = rustVersion; + }; + craneLib = (inputs.crane.mkLib pkgs).overrideToolchain rustVersion; + commonArgs = { + nativeBuildInputs = [ + pkg-config + rustPlatform.bindgenHook + ]; + + buildInputs = [ + nixsgx.sgx-sdk + nixsgx.sgx-dcap + nixsgx.sgx-dcap.quote_verify + ]; + + strictDeps = true; + src = with lib.fileset; toSource { + root = ../../.; + fileset = unions [ + ../../Cargo.lock + ../../Cargo.toml + ../../bin + ../../crates + ../../rust-toolchain.toml + ../../deny.toml + ../../taplo.toml + ]; + }; + + RUSTFLAGS = "--cfg mio_unsupported_force_waker_pipe"; + checkType = "debug"; + }; + cargoArtifacts = craneLib.buildDepsOnly (commonArgs // { + pname = "teepot-workspace"; + inherit NIX_OUTPATH_USED_AS_RANDOM_SEED; + }); + NIX_OUTPATH_USED_AS_RANDOM_SEED = "aaaaaaaaaa"; +in +{ + inherit rustPlatform + rustVersion + commonArgs + craneLib + cargoArtifacts; + NIX_OUTPATH_USED_AS_RANDOM_SEED = "aaaaaaaaaa"; +}
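Review bot: `NIX_OUTPATH_USED_AS_RANDOM_SEED = "aaaaaaaaaa"` is spelled out as a literal three times — the `let` binding and the returned attrset in teepot.nix, and again inside `passthru` in default.nix — even though default.nix already has `inherit (teepotCrate) cargoArtifacts NIX_OUTPATH_USED_AS_RANDOM_SEED;` two lines above the literal. If one copy is ever edited without the others, `buildDepsOnly` and `buildPackage` would presumably compile with different seeds and the dependency artifacts would stop matching without any error. Define it once in teepot.nix (`NIX_OUTPATH_USED_AS_RANDOM_SEED = "aaaaaaaaaa";` in the `let`, then `inherit NIX_OUTPATH_USED_AS_RANDOM_SEED;` in the result and in passthru) and put a comment on that single definition saying what it pins; I'd guess it fixes a randomization source so builds are bit-for-bit reproducible across derivations, which matters for enclave measurement, but that should be confirmed and written down rather than assumed. The default.nix hunk starts on the previous line.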