openenclave: LVI mitigation build under Nix fails to find cstdlib

What’s going on is that the invoke_compiler script has been generated to hard-code the compiler for the case when LVI mitigation flags are not passed in:

    if [ $lvi_mitigation == 0 ]; then
        /nix/store/d7c8whpgvxj7lzjjfwk96sr9fpqk0znh-clang-wrapper-8.0.1/bin/clang $@
    else

This causes clang to be invoked when /lvi_mitigation_bin/clang++ wrapper is called, resulting in missing include errors.

Retaining the the theme of the original snippet would fix the compile error: https://github.com/openenclave/openenclave/blob/a381bfe51de0178b1989fb0d2abbc7b8e7179fbe/scripts/lvi-mitigation/invoke_compiler#L26-L28

We need to invoke the actual compiler, and not the wrapper. The challenge is that under nix, the compilers won’t exist in /usr/bin.

Yes, I would be fine with contributing my changes. Will open a pull request once I’ve got my derivation cleaned up.

I attempted to handle that via substituteInPlace in my derivation:

substituteInPlace scripts/lvi-mitigation/invoke_compiler \
            --replace '/usr/bin/"$compiler"' '${clang}/bin/clang' \
            --replace 'export PATH=/bin:/usr/local:"$lvi_bin_path"' 'export PATH=$PATH:"$lvi_bin_path"'

That should just append $lvi_bin_path, and not do anything funky with /bin or /usr/local.

You should be able to build it like this:

{ pkgs ? import <nixpkgs> {} }:
pkgs.mkShell {
    nativeBuildInputs = [(
        pkgs.callPackage (import ./default.nix { type = "sgx"; }) { }
    )];
}

Save my default.nix and that as shell.nix in a folder, and then run nix-shell. Note that I have included breakpointHook in my derivation for testing, so it will pause on an error instead of exiting, use Ctrl+C to exit.