Building images with nix
This article describes how to build application images for sgx-lkl with the nix package manager.
Only applications linked against musl are supported, as sgx-lkl provides its own musl libc to handle the application's syscalls.
Luckily, musl support in nixpkgs is quite good: many packages can be pulled from the pkgsMusl namespace.
Also remember to compile your applications as position independent executables (the -pie gcc flag);
otherwise the loader may not be able to start the application.
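Before packaging a binary it is worth checking that it actually meets the two constraints above. The following is an added example, not code from sgx-lkl or from this page's nix recipe: a small Python check that reads the ELF header directly (no readelf needed) and verifies that the file is ET_DYN, which is what linking with -pie produces, and that its PT_INTERP segment names the musl loader (ld-musl-*) rather than glibc's. Treating a binary without PT_INTERP (statically linked) as unsuitable is this example's reading of the statement that sgx-lkl supplies its own musl libc. The make_elf helper builds constructed minimal ELF images purely so the check can be exercised offline; against a real build you would call check_file on the store path's bin/iperf.

```python
"""Pre-flight check for binaries destined for an sgx-lkl image (added example).

sgx-lkl supplies its own musl libc and its loader expects a position
independent executable, so before packaging a binary we verify from the
ELF header itself (no readelf needed):
  1. e_type is ET_DYN, which is what linking with -pie produces;
  2. the PT_INTERP segment names the musl loader (ld-musl-*), not glibc's.
Only ELF64 little-endian files (x86_64) are handled.
"""
import struct
import sys
from typing import Optional

ELF_MAGIC = b"\x7fELF"
ET_EXEC, ET_DYN = 2, 3          # e_type values
PT_INTERP = 3                   # program header type carrying the loader path
EM_X86_64 = 62


def inspect_elf(data: bytes) -> dict:
    """Parse the ELF header and program headers; return findings and a verdict."""
    if data[:4] != ELF_MAGIC:
        raise ValueError("not an ELF file")
    if data[4] != 2 or data[5] != 1:
        raise ValueError("only ELF64 little-endian binaries are handled")
    e_type, = struct.unpack_from("<H", data, 16)
    e_phoff, = struct.unpack_from("<Q", data, 32)
    e_phentsize, e_phnum = struct.unpack_from("<HH", data, 54)

    interp = None
    for i in range(e_phnum):
        off = e_phoff + i * e_phentsize
        p_type, _flags, p_offset, _vaddr, _paddr, p_filesz = struct.unpack_from("<IIQQQQ", data, off)
        if p_type == PT_INTERP:
            interp = data[p_offset:p_offset + p_filesz].rstrip(b"\0").decode("ascii", "replace")
            break

    problems = []
    if e_type == ET_EXEC:
        problems.append("not position independent (ET_EXEC): relink with -pie")
    elif e_type != ET_DYN:
        problems.append(f"unexpected e_type {e_type}: not an executable the loader can start")
    if interp is None:
        # Assumption of this example: sgx-lkl provides musl itself, so a static binary is rejected.
        problems.append("no PT_INTERP (statically linked): a dynamically linked musl PIE is expected")
    elif "ld-musl" not in interp:
        problems.append(f"linked against {interp}, not musl: rebuild from pkgsMusl")
    return {"e_type": e_type, "interp": interp, "ok": not problems, "problems": problems}


def check_file(path: str) -> dict:
    """Run inspect_elf on a file on disk, e.g. the built store path's bin/iperf."""
    with open(path, "rb") as f:
        return inspect_elf(f.read())


def make_elf(e_type: int, interp: Optional[bytes]) -> bytes:
    """Constructed sample input: a minimal ELF64 image with at most one PT_INTERP segment.

    It exists only so the check can be exercised offline; it is not a runnable binary.
    """
    phnum = 1 if interp is not None else 0
    ehdr = bytearray(64)
    ehdr[:4] = ELF_MAGIC
    ehdr[4], ehdr[5], ehdr[6] = 2, 1, 1                        # ELFCLASS64, ELFDATA2LSB, EV_CURRENT
    struct.pack_into("<HHI", ehdr, 16, e_type, EM_X86_64, 1)   # e_type, e_machine, e_version
    struct.pack_into("<QQQ", ehdr, 24, 0, 64, 0)               # e_entry, e_phoff (right after the header), e_shoff
    struct.pack_into("<IHHHHHH", ehdr, 48, 0, 64, 56, phnum, 64, 0, 0)  # e_flags, e_ehsize, e_phentsize, e_phnum, ...
    image = bytes(ehdr)
    if interp is not None:
        s = interp + b"\0"
        # One 56-byte program header at offset 64; the interpreter string follows it at offset 120.
        image += struct.pack("<IIQQQQQQ", PT_INTERP, 4, 120, 0, 0, len(s), len(s), 1) + s
    return image


if __name__ == "__main__":
    for path in sys.argv[1:]:
        r = check_file(path)
        print(path, "OK" if r["ok"] else "REJECT: " + "; ".join(r["problems"]))
```

Run it as `python3 check_elf.py /nix/store/…-iperf-*/bin/iperf` (file name and path are placeholders) before building the image; a glibc-linked or non-PIE binary is reported with the fix to apply.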
Save the following snippet as default.nix to build an image with iperf included.
```nix
with import <nixpkgs> {};
let
  # Build an ext4 image containing the runtime closure of `pkg` under /nix/store.
  buildImage = pkg: stdenv.mkDerivation {
    name = "image";
    buildInputs = [ e2fsprogs lkl ];   # mkfs.ext4 and cptofs
    unpackPhase = ":";
    installPhase = ''
      truncate -s 10M $out
      mkfs.ext4 $out
      mkdir -p root/{nix/store,tmp}
      # Copy the empty directory skeleton first, then every store path in the closure.
      cptofs -t ext4 -i $out root/* /
      cptofs -t ext4 -i $out $(cat ${closureInfo { rootPaths = [pkg]; }}/store-paths) /nix/store
    '';
  };
  # Wrapper script: copy the read-only image into a writable temporary file and run it with sgx-lkl-run.
  runImage = pkg: pkgs.writeScript "run-lkl" ''
    #!${runtimeShell}
    set -eu -o pipefail
    tmppath=$(mktemp -d)
    cleanup() { rm -rf "$tmppath"; }
    trap cleanup EXIT SIGINT SIGQUIT ERR
    install -m660 ${(buildImage pkg)} $tmppath/fs.img
    exe=$1
    shift
    TMPDIR=/tmp sgx-lkl-run $tmppath/fs.img ${pkg}/$exe "$@"
  '';
  # Relink iperf from the musl package set as a position independent executable.
  relocatableIperf = pkgsMusl.iperf.overrideAttrs (old: {
    LDFLAGS = "-pie -rdynamic";
  });
in
runImage relocatableIperf
```
To use it, run:

```sh
$ nix-build
```

This produces a shell script that can be executed directly:

```sh
$ ./result /bin/iperf
```

or build and run in one step:

```sh
$ $(nix-build) /bin/iperf
```

Note that this assumes sgx-lkl-run is in your PATH, which can be arranged like this from the sgx-lkl source directory:

```sh
$ export PATH=$(realpath build):$PATH
```