!75 Upgrade to 2.19

From: @ZhouShuiQing 
Reviewed-by: @houmingyong 
Signed-off-by: @houmingyong
openeuler-ci-bot 2023-07-26 02:27:09 +00:00 committed by Gitee
commit 6a654cec35
No known key found for this signature in database
GPG Key ID: 173E9B9CA92EEF8F
17 changed files with 100 additions and 57 deletions


@ -1,15 +1,16 @@
From d046801c2a6eee21fbf6018ce43588e3fe79a045 Mon Sep 17 00:00:00 2001
From 182690045036bfc425e3a38384691cbf42ccc006 Mon Sep 17 00:00:00 2001
From: wangcheng <wangcheng156@huawei.com>
Date: Thu, 16 Dec 2021 04:51:21 +0000
Subject: [PATCH] disable the download process in building
Signed-off-by: zhoushuiqing <zhoushuiqing2@huawei.com>
---
Makefile | 8 +--
.../QuoteVerification/prepare_sgxssl.sh | 62 +++++++++----------
2 files changed, 35 insertions(+), 35 deletions(-)
diff --git a/Makefile b/Makefile
index 34d43bad..072c5dd2 100644
index 8bd287c..7f91fa3 100644
--- a/Makefile
+++ b/Makefile
@@ -50,14 +50,14 @@ tips:
@ -32,13 +33,13 @@ index 34d43bad..072c5dd2 100644
psw:
$(MAKE) -C psw/ USE_OPT_LIBS=$(USE_OPT_LIBS)
diff --git a/external/dcap_source/QuoteVerification/prepare_sgxssl.sh b/external/dcap_source/QuoteVerification/prepare_sgxssl.sh
index 8a3c9e46..f490a2b7 100755
index 60ff2b1..5e44288 100755
--- a/external/dcap_source/QuoteVerification/prepare_sgxssl.sh
+++ b/external/dcap_source/QuoteVerification/prepare_sgxssl.sh
@@ -44,37 +44,37 @@ full_openssl_url_old=$server_url_path/old/1.1.1/$openssl_ver_name.tar.gz
sgxssl_chksum=6c33d2178b6b01bdbb1f97804ae14aec13544b0cb45902a0906c20ef7b4032bc
openssl_chksum=d7939ce614029cdff0b6c20f0e2e5703158a489a72b2507b8bd51bf8c8fd10ca
sgxssl_chksum=bff5a9059911846e27447acb402c4690346abf46da8e1c26b66d406e8abb1588
openssl_chksum=8dee9b24bdb1dcbf0c3d1e9b02fb8f6bf22165e807f45adeb7c9677536859d3b
-rm -f check_sum_sgxssl.txt check_sum_openssl.txt
-if [ ! -f $build_script ]; then
- wget $sgxssl_github_archive/$sgxssl_file_name.zip -P $sgxssl_dir/ || exit 1
@ -70,40 +71,40 @@ index 8a3c9e46..f490a2b7 100755
-if [ "$1" = "nobuild" ]; then
- exit 0
-fi
+#rm -f check_sum_sgxssl.txt check_sum_openssl.txt
+#if [ ! -f $build_script ]; then
+# wget $sgxssl_github_archive/$sgxssl_file_name.zip -P $sgxssl_dir/ || exit 1
+# sha256sum $sgxssl_dir/$sgxssl_file_name.zip > $sgxssl_dir/check_sum_sgxssl.txt
+# grep $sgxssl_chksum $sgxssl_dir/check_sum_sgxssl.txt
+# if [ $? -ne 0 ]; then
+# echo "File $sgxssl_dir/$sgxssl_file_name.zip checksum failure"
+# rm -f $sgxssl_dir/$sgxssl_file_name.zip
+# exit -1
+# fi
+# unzip -qq $sgxssl_dir/$sgxssl_file_name.zip -d $sgxssl_dir/ || exit 1
+# mv $sgxssl_dir/intel-sgx-ssl-$sgxssl_file_name/* $sgxssl_dir/ || exit 1
+# rm $sgxssl_dir/$sgxssl_file_name.zip || exit 1
+# rm -rf $sgxssl_dir/intel-sgx-ssl-$sgxssl_file_name || exit 1
+#fi
+# rm -f check_sum_sgxssl.txt check_sum_openssl.txt
+# if [ ! -f $build_script ]; then
+# wget $sgxssl_github_archive/$sgxssl_file_name.zip -P $sgxssl_dir/ || exit 1
+# sha256sum $sgxssl_dir/$sgxssl_file_name.zip > $sgxssl_dir/check_sum_sgxssl.txt
+# grep $sgxssl_chksum $sgxssl_dir/check_sum_sgxssl.txt
+# if [ $? -ne 0 ]; then
+# echo "File $sgxssl_dir/$sgxssl_file_name.zip checksum failure"
+# rm -f $sgxssl_dir/$sgxssl_file_name.zip
+# exit -1
+# fi
+# unzip -qq $sgxssl_dir/$sgxssl_file_name.zip -d $sgxssl_dir/ || exit 1
+# mv $sgxssl_dir/intel-sgx-ssl-$sgxssl_file_name/* $sgxssl_dir/ || exit 1
+# rm $sgxssl_dir/$sgxssl_file_name.zip || exit 1
+# rm -rf $sgxssl_dir/intel-sgx-ssl-$sgxssl_file_name || exit 1
+# fi
+#
+#if [ ! -f $openssl_out_dir/$openssl_ver_name.tar.gz ]; then
+# wget $full_openssl_url_old -P $openssl_out_dir || wget $full_openssl_url -P $openssl_out_dir || exit 1
+# sha256sum $openssl_out_dir/$openssl_ver_name.tar.gz > $sgxssl_dir/check_sum_openssl.txt
+# grep $openssl_chksum $sgxssl_dir/check_sum_openssl.txt
+# if [ $? -ne 0 ]; then
+# echo "File $openssl_out_dir/$openssl_ver_name.tar.gz checksum failure"
+# rm -f $openssl_out_dir/$openssl_ver_name.tar.gz
+# exit -1
+# fi
+#fi
+# if [ ! -f $openssl_out_dir/$openssl_ver_name.tar.gz ]; then
+# wget $full_openssl_url_old -P $openssl_out_dir || wget $full_openssl_url -P $openssl_out_dir || exit 1
+# sha256sum $openssl_out_dir/$openssl_ver_name.tar.gz > $sgxssl_dir/check_sum_openssl.txt
+# grep $openssl_chksum $sgxssl_dir/check_sum_openssl.txt
+# if [ $? -ne 0 ]; then
+# echo "File $openssl_out_dir/$openssl_ver_name.tar.gz checksum failure"
+# rm -f $openssl_out_dir/$openssl_ver_name.tar.gz
+# exit -1
+# fi
+# fi
+#
+#
+#if [ "$1" = "nobuild" ]; then
+# exit 0
+#fi
+# if [ "$1" = "nobuild" ]; then
+# exit 0
+# fi
pushd $sgxssl_dir/Linux/
make clean sgxssl_no_mitigation
--
2.27.0
2.33.0
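Review bot: The refreshed `sgxssl_chksum` and `openssl_chksum` values in prepare_sgxssl.sh are never read, because every `sha256sum`/`grep` line that consumed them stays commented out together with the `wget` calls. Disabling the download is the purpose of the patch, but the integrity check did not have to go with it: the script now goes straight to `pushd $sgxssl_dir/Linux/` and `make clean sgxssl_no_mitigation`, and nothing on this page shows another digest check on the packaged tarballs. I would keep a verification step on the pre-staged archive, for example `echo "$openssl_chksum  $openssl_out_dir/$openssl_ver_name.tar.gz" | sha256sum -c - || exit 1`, assuming the archive is placed at that path before the script runs (not visible here). If no check is wanted, drop the two checksum assignments from the patch context as well, so that nobody reads them as still being enforced.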


@ -3,8 +3,9 @@ From: houmingyong <houmingyong@huawei.com>
Date: Mon, 30 May 2022 19:18:21 +0800
Subject: [PATCH] add-secure-compilation-options
Signed-off-by: zhoushuiqing <zhoushuiqing2@huawei.com>
---
external/ippcp_internal/Makefile | 22 +------------------
external/ippcp_internal/Makefile | 20 +------------------
.../ippcp_internal/ipp-crypto/CMakeLists.txt | 3 +++
.../sources/cmake/linux/GNU8.2.0.cmake | 2 +-
.../ippcp/crypto_mb/src/cmake/linux/GNU.cmake | 2 +-
@ -14,30 +15,28 @@ Subject: [PATCH] add-secure-compilation-options
.../le_launch_service_bundle/CMakeLists.txt | 2 +-
.../source/core/ipc/CMakeLists.txt | 1 +
.../aesm_service/source/utils/CMakeLists.txt | 2 +-
10 files changed, 13 insertions(+), 32 deletions(-)
10 files changed, 13 insertions(+), 30 deletions(-)
diff --git a/external/ippcp_internal/Makefile b/external/ippcp_internal/Makefile
index 96187ed..7b5ef26 100644
--- a/external/ippcp_internal/Makefile
+++ b/external/ippcp_internal/Makefile
@@ -64,16 +64,6 @@ OUT_DIR = lib/linux/$(ARCH)/$(SUB_DIR)/
PATCH_LOG = $(shell cd ./$(IPP_SOURCE) && git log --oneline --grep='IPP crypto for SGX.' | cut -d' ' -f 5)
CHECK_PATCHED :=
@@ -61,14 +61,6 @@ else ifeq ($(MITIGATION-CVE-2020-0551), CF)
endif
OUT_DIR = lib/linux/$(ARCH)/$(SUB_DIR)/
-CHECK_SOURCE :=
-# For reproducibility build in docker, the code should be
-# For reproducibility build in docker, the code should be
-# prepared before build. So skip the code check to avoid
-# triggering network request
-# triggering network request
-ifneq ($(origin NIX_STORE), environment)
-ifneq ($(PATCH_LOG), SGX.)
-CHECK_SOURCE:= ipp_source
-endif
-CHECK_SOURCE:= $(IPP_SOURCE)/build
-endif
-
.PHONY: all build_ipp
all: build_ipp
# copy the built out lib, header files and license to the target folder
@@ -84,19 +74,9 @@ all: build_ipp
@@ -79,19 +71,9 @@ all: build_ipp
$(MKDIR) license
$(CP) ipp-crypto/LICENSE ./license/
@ -45,19 +44,19 @@ index 96187ed..7b5ef26 100644
+build_ipp:
cd $(IPP_SOURCE) && $(PRE_CONFIG) cmake CMakeLists.txt $(IPP_CONFIG) && cd build && make ippcp_s
-.PHONY: ipp_source
-ipp_source:
-$(IPP_SOURCE)/build:
-ifeq ($(shell git rev-parse --is-inside-work-tree), true)
- git submodule update -f --init --recursive --remote -- $(IPP_SOURCE)
-else
- $(RM) -rf $(IPP_SOURCE)
- git clone -b ippcp_2021.3 https://github.com/intel/ipp-crypto.git --depth 1 $(IPP_SOURCE)
-endif
- cd $(IPP_SOURCE) && git am ../0001-IPP-crypto-for-SGX.patch
- cd $(IPP_SOURCE) && git apply ../0001-IPP-crypto-for-SGX.patch
- mkdir -p $(IPP_SOURCE)/build
-
.PHONY: clean
clean:
$(RM) -rf ipp-crypto/build
$(RM) -rf ipp-crypto/build/*
diff --git a/external/ippcp_internal/ipp-crypto/CMakeLists.txt b/external/ippcp_internal/ipp-crypto/CMakeLists.txt
index f750c7b..6b1eef3 100644
--- a/external/ippcp_internal/ipp-crypto/CMakeLists.txt
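Review bot: The Makefile hunks of this patch remove the `CHECK_SOURCE` prerequisite and the whole source-preparation rule, including the step that applies `0001-IPP-crypto-for-SGX.patch`, yet the patch is titled add-secure-compilation-options and its description does not mention it. After the change `build_ipp` runs cmake on whatever is in `$(IPP_SOURCE)`, so the build relies on the packaged tarball already holding the SGX-patched ipp-crypto tree, and nothing visible here checks that. Dropping the unpinned `git clone -b` / `git submodule update --remote` fetch is reasonable for an offline package build, but I would carry it in its own patch and add a comment above `build_ipp:` such as `# ipp-crypto sources are pre-patched in the source tarball; no fetch or git apply at build time`. The rest of this file section is cut off on the page, so the compilation-option hunks themselves are not covered by this note.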


@ -0,0 +1,39 @@
From 101b2e8f1db12fc04070daea351247fc7c990683 Mon Sep 17 00:00:00 2001
From: zhoushuiqing <zhoushuiqing2@huawei.com>
Date: Fri, 21 Jul 2023 20:40:27 +0800
Subject: [PATCH] fix-build-error
Signed-off-by: zhoushuiqing <zhoushuiqing2@huawei.com>
---
external/ippcp_internal/ipp-crypto/sources/ippcp/pcptool.h | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/external/ippcp_internal/ipp-crypto/sources/ippcp/pcptool.h b/external/ippcp_internal/ipp-crypto/sources/ippcp/pcptool.h
index 01f15907..44ab7bac 100644
--- a/external/ippcp_internal/ipp-crypto/sources/ippcp/pcptool.h
+++ b/external/ippcp_internal/ipp-crypto/sources/ippcp/pcptool.h
@@ -38,7 +38,10 @@ __INLINE void CopyBlock(const void* pSrc, void* pDst, cpSize numBytes)
Ipp8u* d = (Ipp8u*)pDst;
cpSize k;
for(k=0; k<numBytes; k++ )
+#pragma GCC diagnostic push
+#pragma GCC diagnostic ignored "-Wstringop-overflow"
d[k] = s[k];
+#pragma GCC diagnostic pop
}
__INLINE void CopyBlock_safe(const void* pSrc, cpSize srcNumBytes, void* pDst, cpSize dstNumBytes)
@@ -106,7 +109,10 @@ __INLINE void PadBlock(Ipp8u paddingByte, void* pDst, cpSize numBytes)
Ipp8u* d = (Ipp8u*)pDst;
cpSize k;
for(k=0; k<numBytes; k++ )
+#pragma GCC diagnostic push
+#pragma GCC diagnostic ignored "-Wstringop-overflow"
d[k] = paddingByte;
+#pragma GCC diagnostic pop
}
#if !((_IPP>=_IPP_W7) || (_IPP32E>=_IPP32E_M7))
--
2.33.0
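Review bot: Both hunks silence `-Wstringop-overflow` inside `CopyBlock` and `PadBlock`, the byte-copy and padding helpers of a crypto library, and the patch description (fix-build-error) does not say which caller or compiler version produced the warning. Because the helpers are `__INLINE`, the diagnostic most likely comes from an inlined call site where GCC believes `numBytes` can exceed the destination, and suppressing it in the helper hides it for every caller; the call sites are outside these hunks, so this is an inference. I would record the triggering call site and GCC version in the patch message and confirm it is a false positive before carrying the suppression. The pragmas also sit between the `for(...)` header and its unbraced body, which is easy to misread and fragile across compilers; put `#pragma GCC diagnostic push` and `ignored` before the `for` and `#pragma GCC diagnostic pop` after the loop statement, or brace the body. Both function bodies begin above the lines shown.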


BIN
lin_2.19_1.1.1t.tar.gz Normal file



@ -1,15 +1,15 @@
Name: linux-sgx
Version: 2.18.1
Version: 2.19
Release: 1
Summary: Intel(R) Software Guard Extensions for Linux* OS
ExclusiveArch: x86_64
License: BSD-3-Clause
URL: https://github.com/intel/linux-sgx
%define DCAP_version 1.15
%define DCAP_version 1.16
%define protobuf_version 3.20.1
%define openssl_version 1.1.1q
%define intel_sgx_ssl_version 2.18
%define openssl_version 1.1.1t
%define intel_sgx_ssl_version 2.19
%define sgx_emm_version 1.0.0
Source0: https://github.com/intel/linux-sgx/archive/refs/tags/sgx_%{version}.tar.gz
@ -27,9 +27,10 @@ Source11: https://github.com/intel/sgx-emm/archive/refs/tags/sgx-emm-%{sgx
Patch0: 0001-disable-the-download-process-in-building.patch
Patch1: 0002-fix-building-error-for-systemd.patch
Patch2: add-secure-compilation-options.patch
Patch3: adapt-openssl-CVE.patch
Patch4: DCAP-disabling-the-rpatch-option.patch
Patch2: 0003-add-secure-compilation-options.patch
Patch3: 0004-adapt-openssl-CVE.patch
Patch4: 0005-DCAP-disabling-the-rpatch-option.patch
Patch5: 0006-fix-build-error.patch
BuildRequires: gcc-c++ protobuf-devel libtool ocaml ocaml-ocamlbuild compat-openssl11-devel cmake python curl-devel createrepo_c git nasm
BuildRequires: protobuf-lite-devel protobuf-c-devel boost-devel
@ -311,7 +312,7 @@ make preparation
make -j -C external/ippcp_internal/
make -j2 sdk_install_pkg_no_mitigation
./linux/installer/bin/sgx_linux_x64_sdk_2.18.101.1.bin --prefix=./
./linux/installer/bin/sgx_linux_x64_sdk_2.19.100.3.bin --prefix=./
source ./sgxsdk/environment
make psw
@ -867,6 +868,9 @@ if [ -x /opt/intel/sgx-dcap-pccs/startup.sh ]; then /opt/intel/sgx-dcap-pccs/sta
%files -n libsgx-headers -f %{LINUX_INSTALLER_RPM_DIR}/libsgx-headers/build/list-libsgx-headers
%changelog
* Sat Jul 22 2023 zhoushuiqing <zhoushuiqing2@huawei.com> - 2.19-1
- Upgrade to 2.19
* Mon Feb 06 2023 wangyu <wangyu283@huawei.com> - 2.18.1-1
- Upgrade to 2.18.1


BIN
prebuilt_ae_2.19.tar.gz Normal file


BIN
prebuilt_dcap_1.16.tar.gz Normal file


BIN
sgx_2.19.tar.gz Normal file
