!74 Upgrade to latest release [linux-sgx: 2.15.1 -> 2.18.1]

From: @BornThisWay 
Reviewed-by: @hzero1996, @houmingyong 
Signed-off-by: @houmingyong
openeuler-ci-bot 2023-02-09 12:44:43 +00:00 committed by Gitee
commit f0097b3ea7
No known key found for this signature in database
GPG Key ID: 173E9B9CA92EEF8F
28 changed files with 345 additions and 1064 deletions


@ -12,7 +12,7 @@ diff --git a/Makefile b/Makefile
index 34d43bad..072c5dd2 100644
--- a/Makefile
+++ b/Makefile
@@ -50,13 +50,13 @@ tips:
@@ -50,14 +50,14 @@ tips:
preparation:
# As SDK build needs to clone and patch openmp, we cannot support the mode that download the source from github as zip.
# Only enable the download from git
@ -22,6 +22,7 @@ index 34d43bad..072c5dd2 100644
+ # ./external/dcap_source/QuoteVerification/prepare_sgxssl.sh nobuild
cd external/openmp/openmp_code && git apply ../0001-Enable-OpenMP-in-SGX.patch >/dev/null 2>&1 || git apply ../0001-Enable-OpenMP-in-SGX.patch --check -R
cd external/protobuf/protobuf_code && git apply ../sgx_protobuf.patch >/dev/null 2>&1 || git apply ../sgx_protobuf.patch --check -R
./external/sgx-emm/create_symlink.sh
@# download prebuilt binaries
- ./download_prebuilt.sh
- ./external/dcap_source/QuoteGeneration/download_prebuilt.sh
@ -30,14 +31,14 @@ index 34d43bad..072c5dd2 100644
psw:
$(MAKE) -C psw/ USE_OPT_LIBS=$(USE_OPT_LIBS)
diff --git a/external/dcap_source/SGXDataCenterAttestationPrimitives-DCAP_1.12.1/QuoteVerification/prepare_sgxssl.sh b/external/dcap_source/SGXDataCenterAttestationPrimitives-DCAP_1.12.1/QuoteVerification/prepare_sgxssl.sh
diff --git a/external/dcap_source/QuoteVerification/prepare_sgxssl.sh b/external/dcap_source/QuoteVerification/prepare_sgxssl.sh
index 8a3c9e46..f490a2b7 100755
--- a/external/dcap_source/SGXDataCenterAttestationPrimitives-DCAP_1.12.1/QuoteVerification/prepare_sgxssl.sh
+++ b/external/dcap_source/SGXDataCenterAttestationPrimitives-DCAP_1.12.1/QuoteVerification/prepare_sgxssl.sh
--- a/external/dcap_source/QuoteVerification/prepare_sgxssl.sh
+++ b/external/dcap_source/QuoteVerification/prepare_sgxssl.sh
@@ -44,37 +44,37 @@ full_openssl_url_old=$server_url_path/old/1.1.1/$openssl_ver_name.tar.gz
sgxssl_chksum=825e58823f2ec39bcfb69c2c62cc4e769bdac057ade10b362cdeac1f5a563954
openssl_chksum=0b7a3e5e59c34827fe0c3a74b7ec8baef302b98fa80088d7f9153aa16fa76bd1
sgxssl_chksum=6c33d2178b6b01bdbb1f97804ae14aec13544b0cb45902a0906c20ef7b4032bc
openssl_chksum=d7939ce614029cdff0b6c20f0e2e5703158a489a72b2507b8bd51bf8c8fd10ca
-rm -f check_sum_sgxssl.txt check_sum_openssl.txt
-if [ ! -f $build_script ]; then
- wget $sgxssl_github_archive/$sgxssl_file_name.zip -P $sgxssl_dir/ || exit 1
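Review bot: The new `sgxssl_chksum` and `openssl_chksum` values are the only thing on this page that identifies which SGX-SSL and OpenSSL archives the upgraded tree builds, and the prepare_sgxssl.sh hunk ends before it shows whether the comparison against them survives the removal of the `wget` lines. Because this commit also deletes the local backport for CVE-2022-0778, please state the pinned OpenSSL version in the patch description and confirm that it already contains that fix. If the download is removed because the archives now ship with the source package, keep the checksum comparison on the local files rather than dropping it together with the download.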


@ -12,45 +12,49 @@ Subject: [PATCH] systemd
linux/installer/common/sgx-aesm-service/startup.sh | 2 +-
6 files changed, 14 insertions(+), 14 deletions(-)
diff --git a/external/dcap_source/SGXDataCenterAttestationPrimitives-DCAP_1.12.1/tools/SGXPlatformRegistration/package/installer/common/sgx-ra-service/Makefile b/external/dcap_source/SGXDataCenterAttestationPrimitives-DCAP_1.12.1/tools/SGXPlatformRegistration/package/installer/common/sgx-ra-service/Makefile
index 1f3efdb..81592b1 100644
--- a/external/dcap_source/SGXDataCenterAttestationPrimitives-DCAP_1.12.1/tools/SGXPlatformRegistration/package/installer/common/sgx-ra-service/Makefile
+++ b/external/dcap_source/SGXDataCenterAttestationPrimitives-DCAP_1.12.1/tools/SGXPlatformRegistration/package/installer/common/sgx-ra-service/Makefile
diff --git a/external/dcap_source/tools/SGXPlatformRegistration/package/cleanup.sh b/external/dcap_source/tools/SGXPlatformRegistration/package/cleanup.sh
index ee16324..a3ce6d9 100755
--- a/external/dcap_source/tools/SGXPlatformRegistration/package/cleanup.sh
+++ b/external/dcap_source/tools/SGXPlatformRegistration/package/cleanup.sh
@@ -38,7 +38,7 @@ if test $(id -u) -ne 0; then
exit 1
fi
-if [ -d /run/systemd/system ]; then
+if [ -d /run/systemd/users ]; then
systemctl daemon-reload
systemctl stop mpa_registration_tool
systemctl disable mpa_registration_tool ||:
diff --git a/external/dcap_source/tools/SGXPlatformRegistration/package/installer/common/sgx-ra-service/Makefile b/external/dcap_source/tools/SGXPlatformRegistration/package/installer/common/sgx-ra-service/Makefile
index 72c7557..2ca16b8 100644
--- a/external/dcap_source/tools/SGXPlatformRegistration/package/installer/common/sgx-ra-service/Makefile
+++ b/external/dcap_source/tools/SGXPlatformRegistration/package/installer/common/sgx-ra-service/Makefile
@@ -37,9 +37,9 @@ PACKAGES=$(notdir $(wildcard $(PACKAGE_ROOT_FOLDER)/*))
VAR_OPT_PATH=/var/opt/sgxra
USR_LIB_PATH=/usr/$(notdir $(shell gcc -print-multi-os-directory))/$(shell dpkg-architecture -qDEB_HOST_MULTIARCH 2> /dev/null)
-RAD_CONF_NAME=$(if $(wildcard /run/systemd/system/.*),mpa_registration_tool.service,$(if $(wildcard /etc/init/.*),mpa_registration_tool.conf,))
-RAD_CONF_DEL=$(if $(wildcard /run/systemd/system/.*),mpa_registration_tool.conf,$(if $(wildcard /etc/init/.*),mpa_registration_tool.service,))
-RAD_CONF_PATH=$(if $(wildcard /run/systemd/system/.*),$(if $(wildcard /lib/systemd/system/.*),/lib/systemd/system,/usr/lib/systemd/system),$(if $(wildcard /etc/init/.*),/etc/init/))
+RAD_CONF_NAME=$(if $(wildcard /run/systemd/users/.*),mpa_registration_tool.service,$(if $(wildcard /etc/init/.*),mpa_registration_tool.conf,))
+RAD_CONF_DEL=$(if $(wildcard /run/systemd/users/.*),mpa_registration_tool.conf,$(if $(wildcard /etc/init/.*),mpa_registration_tool.service,))
+RAD_CONF_PATH=$(if $(wildcard /run/systemd/users/.*),$(if $(wildcard /lib/systemd/system/.*),/lib/systemd/system,/usr/lib/systemd/system),$(if $(wildcard /etc/init/.*),/etc/init/))
-RAD_CONF_NAME=$(if $(wildcard /run/systemd/system/.),mpa_registration_tool.service,$(if $(wildcard /etc/init/.),mpa_registration_tool.conf,))
-RAD_CONF_DEL=$(if $(wildcard /run/systemd/system/.),mpa_registration_tool.conf,$(if $(wildcard /etc/init/.),mpa_registration_tool.service,))
-RAD_CONF_PATH=$(if $(wildcard /run/systemd/system/.),$(if $(wildcard /lib/systemd/system/.),/lib/systemd/system,/usr/lib/systemd/system),$(if $(wildcard /etc/init/.),/etc/init/))
+RAD_CONF_NAME=$(if $(wildcard /run/systemd/users/.),mpa_registration_tool.service,$(if $(wildcard /etc/init/.),mpa_registration_tool.conf,))
+RAD_CONF_DEL=$(if $(wildcard /run/systemd/users/.),mpa_registration_tool.conf,$(if $(wildcard /etc/init/.),mpa_registration_tool.service,))
+RAD_CONF_PATH=$(if $(wildcard /run/systemd/users/.),$(if $(wildcard /lib/systemd/system/.),/lib/systemd/system,/usr/lib/systemd/system),$(if $(wildcard /etc/init/.),/etc/init/))
ifeq ($(RAD_CONF_NAME),)
ifneq ($(shell awk -F/ '$$2 == "docker"' /proc/self/cgroup),)
diff --git a/external/dcap_source/SGXDataCenterAttestationPrimitives-DCAP_1.12.1/tools/SGXPlatformRegistration/package/installer/rpm/sgx-ra-service/sgx-ra-service.spec b/external/dcap_source/SGXDataCenterAttestationPrimitives-DCAP_1.12.1/tools/SGXPlatformRegistration/package/installer/rpm/sgx-ra-service/sgx-ra-service.spec
index 89c1d8d..5c10e80 100644
--- a/external/dcap_source/SGXDataCenterAttestationPrimitives-DCAP_1.12.1/tools/SGXPlatformRegistration/package/installer/rpm/sgx-ra-service/sgx-ra-service.spec
+++ b/external/dcap_source/SGXDataCenterAttestationPrimitives-DCAP_1.12.1/tools/SGXPlatformRegistration/package/installer/rpm/sgx-ra-service/sgx-ra-service.spec
@@ -72,7 +72,7 @@ MPA_DST_PATH=%{_instal_path}
# Install the MPA service
-if [ -d /run/systemd/system ]; then
+if [ -d /run/systemd/users ]; then
MPA_NAME=mpa_registration_tool.service
MPA_TEMP=$MPA_DST_PATH/$MPA_NAME
if [ -d /lib/systemd/system ]; then
@@ -122,7 +122,7 @@ systemctl start mpa_registration_tool.service
MPA_DST_PATH=%{_install_path}
# Disable service
-if [ -d /run/systemd/system ]; then
+if [ -d /run/systemd/users ]; then
systemctl disable mpa_registration_tool.service
diff --git a/external/dcap_source/tools/SGXPlatformRegistration/package/startup.sh b/external/dcap_source/tools/SGXPlatformRegistration/package/startup.sh
index e596d99..21849fc 100755
--- a/external/dcap_source/tools/SGXPlatformRegistration/package/startup.sh
+++ b/external/dcap_source/tools/SGXPlatformRegistration/package/startup.sh
@@ -38,7 +38,7 @@ if test $(id -u) -ne 0; then
exit 1
fi
-if [ -d /run/systemd/system ]; then
+if [ -d /run/systemd/users ]; then
systemctl enable mpa_registration_tool
systemctl start mpa_registration_tool
elif [ -d /etc/init/ ]; then
diff --git a/linux/installer/common/psw/install.sh b/linux/installer/common/psw/install.sh
index 042f83c..1ab1e5b 100755
--- a/linux/installer/common/psw/install.sh
@ -134,6 +138,139 @@ index e73c435..9170d7c 100755
systemctl enable aesmd
systemctl start aesmd
elif [ -d /etc/init/ ]; then
diff --git a/external/dcap_source/QuoteGeneration/installer/linux/common/sgx-dcap-pccs/Makefile b/external/dcap_source/QuoteGeneration/installer/linux/common/sgx-dcap-pccs/Makefile
index 06f81f5..721a516 100644
--- a/external/dcap_source/QuoteGeneration/installer/linux/common/sgx-dcap-pccs/Makefile
+++ b/external/dcap_source/QuoteGeneration/installer/linux/common/sgx-dcap-pccs/Makefile
@@ -35,7 +35,7 @@ PACKAGE_ROOT_FOLDER=pkgroot
PACKAGES=$(notdir $(wildcard $(PACKAGE_ROOT_FOLDER)/*))
PCCS_CONF=pccs.service
-PCCS_CONF_PATH=$(if $(wildcard /run/systemd/system/.),$(if $(wildcard /lib/systemd/system/.),/lib/systemd/system,/usr/lib/systemd/system),$(if $(wildcard /etc/init/.),/etc/init/))
+PCCS_CONF_PATH=$(if $(wildcard /run/systemd/users/.),$(if $(wildcard /lib/systemd/system/.),/lib/systemd/system,/usr/lib/systemd/system),$(if $(wildcard /etc/init/.),/etc/init/))
ifeq ($(PCCS_CONF_PATH),)
ifneq ($(shell awk -F/ '$$2 == "docker"' /proc/self/cgroup),)
diff --git a/external/dcap_source/QuoteGeneration/installer/linux/common/tdx-qgs/Makefile b/external/dcap_source/QuoteGeneration/installer/linux/common/tdx-qgs/Makefile
index fcf4b7f..538c658 100644
--- a/external/dcap_source/QuoteGeneration/installer/linux/common/tdx-qgs/Makefile
+++ b/external/dcap_source/QuoteGeneration/installer/linux/common/tdx-qgs/Makefile
@@ -34,9 +34,9 @@ include installConfig
PACKAGE_ROOT_FOLDER=pkgroot
PACKAGES=$(notdir $(wildcard $(PACKAGE_ROOT_FOLDER)/*))
-QGSD_CONF_NAME=$(if $(wildcard /run/systemd/system/.*),qgsd.service,$(if $(wildcard /etc/init/.*),qgsd.conf,))
-QGSD_CONF_DEL=$(if $(wildcard /run/systemd/system/.*),qgsd.conf,$(if $(wildcard /etc/init/.*),qgsd.service,))
-QGSD_CONF_PATH=$(if $(wildcard /run/systemd/system/.*),$(if $(wildcard /lib/systemd/system/.*),/lib/systemd/system,/usr/lib/systemd/system),$(if $(wildcard /etc/init/.*),/etc/init/))
+QGSD_CONF_NAME=$(if $(wildcard /run/systemd/users/.*),qgsd.service,$(if $(wildcard /etc/init/.*),qgsd.conf,))
+QGSD_CONF_DEL=$(if $(wildcard /run/systemd/users/.*),qgsd.conf,$(if $(wildcard /etc/init/.*),qgsd.service,))
+QGSD_CONF_PATH=$(if $(wildcard /run/systemd/users/.*),$(if $(wildcard /lib/systemd/system/.*),/lib/systemd/system,/usr/lib/systemd/system),$(if $(wildcard /etc/init/.*),/etc/init/))
ifeq ($(QGSD_CONF_NAME),)
ifneq ($(shell awk -F/ '$$2 == "docker"' /proc/self/cgroup),)
diff --git a/external/dcap_source/QuoteGeneration/installer/linux/common/tdx-qgs/cleanup.sh b/external/dcap_source/QuoteGeneration/installer/linux/common/tdx-qgs/cleanup.sh
index e0cf354..ba501a5 100755
--- a/external/dcap_source/QuoteGeneration/installer/linux/common/tdx-qgs/cleanup.sh
+++ b/external/dcap_source/QuoteGeneration/installer/linux/common/tdx-qgs/cleanup.sh
@@ -39,7 +39,7 @@ if test $(id -u) -ne 0; then
fi
# Kill qgsd service
-if [ -d /run/systemd/system ]; then
+if [ -d /run/systemd/users ]; then
systemctl daemon-reload
systemctl stop qgsd
systemctl disable qgsd 2> /dev/null
diff --git a/external/dcap_source/QuoteGeneration/installer/linux/common/tdx-qgs/startup.sh b/external/dcap_source/QuoteGeneration/installer/linux/common/tdx-qgs/startup.sh
index 230c666..4d09d54 100755
--- a/external/dcap_source/QuoteGeneration/installer/linux/common/tdx-qgs/startup.sh
+++ b/external/dcap_source/QuoteGeneration/installer/linux/common/tdx-qgs/startup.sh
@@ -46,7 +46,7 @@ id -u qgsd &> /dev/null || \
# Start the AESMD service
-if [ -d /run/systemd/system ]; then
+if [ -d /run/systemd/users ]; then
systemctl enable qgsd
systemctl start qgsd
elif [ -d /etc/init/ ]; then
diff --git a/external/dcap_source/QuoteGeneration/pccs/cleanup.sh b/external/dcap_source/QuoteGeneration/pccs/cleanup.sh
index 7a9e827..aa55b84 100755
--- a/external/dcap_source/QuoteGeneration/pccs/cleanup.sh
+++ b/external/dcap_source/QuoteGeneration/pccs/cleanup.sh
@@ -43,7 +43,7 @@ rm -rf ${PCCS_HOME}/node_modules
#Remove PCCS system service
echo -n "Uninstalling PCCS service ..."
-if [ -d /run/systemd/system ]; then
+if [ -d /run/systemd/users ]; then
systemctl stop pccs || true
systemctl disable pccs || true
systemctl daemon-reload
diff --git a/external/dcap_source/QuoteGeneration/pccs/startup.sh b/external/dcap_source/QuoteGeneration/pccs/startup.sh
index c6e9993..86fa9a9 100755
--- a/external/dcap_source/QuoteGeneration/pccs/startup.sh
+++ b/external/dcap_source/QuoteGeneration/pccs/startup.sh
@@ -58,7 +58,7 @@ then
fi
#Install PCCS as system service
echo -n "Installing PCCS service ..."
-if [ -d /run/systemd/system ]; then
+if [ -d /run/systemd/users ]; then
systemctl daemon-reload
systemctl enable pccs
if [ "$1" == "debian" ]; then
diff --git a/linux/installer/common/psw-dcap/cleanup.sh b/linux/installer/common/psw-dcap/cleanup.sh
index 968d650..0e80d1b 100755
--- a/linux/installer/common/psw-dcap/cleanup.sh
+++ b/linux/installer/common/psw-dcap/cleanup.sh
@@ -39,7 +39,7 @@ if test $(id -u) -ne 0; then
fi
# Kill AESM service
-if [ -d /run/systemd/system ]; then
+if [ -d /run/systemd/users ]; then
systemctl daemon-reload
systemctl stop aesmd
systemctl disable aesmd 2> /dev/null
diff --git a/linux/installer/common/psw-dcap/startup.sh b/linux/installer/common/psw-dcap/startup.sh
index 0f6e99c..365373f 100755
--- a/linux/installer/common/psw-dcap/startup.sh
+++ b/linux/installer/common/psw-dcap/startup.sh
@@ -44,7 +44,7 @@ id -u aesmd &> /dev/null || \
-d /var/opt/aesmd -s /sbin/nologin aesmd
# Start the AESMD service
-if [ -d /run/systemd/system ]; then
+if [ -d /run/systemd/users ]; then
systemctl enable aesmd
systemctl start aesmd
elif [ -d /etc/init/ ]; then
diff --git a/linux/installer/common/psw-tdx/cleanup.sh b/linux/installer/common/psw-tdx/cleanup.sh
index cf750b1..1e3c1e5 100644
--- a/linux/installer/common/psw-tdx/cleanup.sh
+++ b/linux/installer/common/psw-tdx/cleanup.sh
@@ -39,7 +39,7 @@ if test $(id -u) -ne 0; then
fi
# Kill qgsd service
-if [ -d /run/systemd/system ]; then
+if [ -d /run/systemd/users ]; then
systemctl daemon-reload
systemctl stop qgsd
systemctl disable qgsd 2> /dev/null
diff --git a/linux/installer/common/psw-tdx/startup.sh b/linux/installer/common/psw-tdx/startup.sh
index 31c564c..0ab9604 100644
--- a/linux/installer/common/psw-tdx/startup.sh
+++ b/linux/installer/common/psw-tdx/startup.sh
@@ -44,7 +44,7 @@ id -u qgsd &> /dev/null || \
-d /var/opt/qgsd -s /sbin/nologin qgsd
# Start the QGSD service
-if [ -d /run/systemd/system ]; then
+if [ -d /run/systemd/users ]; then
systemctl enable qgsd
systemctl start qgsd
elif [ -d /etc/init/ ]; then
--
2.23.0
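Review bot: Every systemd test in this patch now checks `/run/systemd/users` instead of `/run/systemd/system`, but `/run/systemd/system` is the directory sd_booted(3) documents for detecting a running systemd, whereas `/run/systemd/users` is runtime state that, as far as I know, is created by systemd-logind. On a systemd host where logind is not running, the startup.sh scripts would fall through to the `elif [ -d /etc/init/ ]` branch or enable nothing, and the cleanup.sh scripts would skip `systemctl stop`/`disable`, leaving the aesmd, pccs, qgsd or mpa_registration_tool units behind after removal. The Makefiles share the problem: `RAD_CONF_NAME`, `PCCS_CONF_PATH` and `QGSD_CONF_NAME` are resolved with `$(wildcard /run/systemd/users/.)` on the machine that runs make, so which unit file is packaged depends on the build host. If the aim is to keep scriptlets from touching systemd inside a build root, please say so in the patch description and add a comment such as `# openEuler: keyed on /run/systemd/users because <reason>` next to each test.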


@ -11,12 +11,12 @@ Subject: [PATCH] DCAP disabling the rpatch option
.../tools/PCKRetrievalTool/Qpl/linux/Makefile | 2 +-
5 files changed, 5 insertions(+), 10 deletions(-)
diff --git a/external/dcap_source/SGXDataCenterAttestationPrimitives-DCAP_1.12.1/QuoteGeneration/buildenv.mk b/external/dcap_source/SGXDataCenterAttestationPrimitives-DCAP_1.12.1/QuoteGeneration/buildenv.mk
diff --git a/external/dcap_source/QuoteGeneration/buildenv.mk b/external/dcap_source/QuoteGeneration/buildenv.mk
index 8c87626e..f05ccdaf 100644
--- a/external/dcap_source/SGXDataCenterAttestationPrimitives-DCAP_1.12.1/QuoteGeneration/buildenv.mk
+++ b/external/dcap_source/SGXDataCenterAttestationPrimitives-DCAP_1.12.1/QuoteGeneration/buildenv.mk
@@ -97,12 +97,7 @@ INCLUDE :=
CUR_DIR := $(realpath $(call parent-dir,$(lastword $(wordlist 2,$(words $(MAKEFILE_LIST)),x $(MAKEFILE_LIST)))))
--- a/external/dcap_source/QuoteGeneration/buildenv.mk
+++ b/external/dcap_source/QuoteGeneration/buildenv.mk
@@ -104,12 +104,7 @@
endif
# turn on stack protector for SDK
-CC_BELOW_4_9 := $(shell expr "`$(CC) -dumpversion`" \< "4.9")
@ -29,59 +29,13 @@ index 8c87626e..f05ccdaf 100644
ifdef DEBUG
COMMON_FLAGS += -O0 -ggdb -DDEBUG -UNDEBUG
diff --git a/external/dcap_source/SGXDataCenterAttestationPrimitives-DCAP_1.12.1/QuoteGeneration/quote_wrapper/ql/linux/Makefile b/external/dcap_source/SGXDataCenterAttestationPrimitives-DCAP_1.12.1/QuoteGeneration/quote_wrapper/ql/linux/Makefile
index 3dde7a10..30009c2d 100644
--- a/external/dcap_source/SGXDataCenterAttestationPrimitives-DCAP_1.12.1/QuoteGeneration/quote_wrapper/ql/linux/Makefile
+++ b/external/dcap_source/SGXDataCenterAttestationPrimitives-DCAP_1.12.1/QuoteGeneration/quote_wrapper/ql/linux/Makefile
@@ -51,7 +51,7 @@ QL_Lib_Include_Paths += -I../../quote/inc -I../../../pce_wrapper/inc -I../inc
QL_Lib_C_Flags := $(COMMON_FLAGS) -g -fPIC -Wno-attributes $(QL_Lib_Include_Paths)
LDUFLAGS:= -pthread $(COMMON_LDFLAGS)
-LDUFLAGS += -Wl,--version-script=dcap_ql_wrapper.lds -Wl,--gc-sections -Wl,-rpath=.
+LDUFLAGS += -Wl,--version-script=dcap_ql_wrapper.lds -Wl,--gc-sections
QL_Lib_Cpp_Flags := $(QL_Lib_C_Flags) -std=c++11
QL_Lib_Link_Flags := $(SGX_COMMON_FLAGS) -g -L$(Quote_Library_Dir) -lsgx_qe3_logic -L$(PCE_Library_Dir) -lsgx_pce_logic -L$(TOP_DIR)/build/linux -L$(SGX_SDK)/lib64 -lpthread -ldl
diff --git a/external/dcap_source/SGXDataCenterAttestationPrimitives-DCAP_1.12.1/tools/PCKCertSelection/PCKSelectionSample/Makefile b/external/dcap_source/SGXDataCenterAttestationPrimitives-DCAP_1.12.1/tools/PCKCertSelection/PCKSelectionSample/Makefile
index 2068554b..da3d3bea 100644
--- a/external/dcap_source/SGXDataCenterAttestationPrimitives-DCAP_1.12.1/tools/PCKCertSelection/PCKSelectionSample/Makefile
+++ b/external/dcap_source/SGXDataCenterAttestationPrimitives-DCAP_1.12.1/tools/PCKCertSelection/PCKSelectionSample/Makefile
@@ -79,7 +79,7 @@ C_FLAGS:= -DLINUX -fPIC -Werror $(APP_INCLUDE_PATHS)
# link flags, link CPUSVNCompare library
LINK_FLAGS := -Wl,-rpath,${ORIGIN} -L$(BIN_DIR) -l$(LIB_NAME)
-LINK_FLAGS := -Wl,-rpath=. -L$(BIN_DIR) -l$(LIB_NAME)
+LINK_FLAGS := -L$(BIN_DIR) -l$(LIB_NAME)
# debug/release switch
ifeq ($(DEBUG), 1)
diff --git a/external/dcap_source/SGXDataCenterAttestationPrimitives-DCAP_1.12.1/tools/PCKRetrievalTool/Makefile b/external/dcap_source/SGXDataCenterAttestationPrimitives-DCAP_1.12.1/tools/PCKRetrievalTool/Makefile
diff --git a/external/dcap_source/tools/PCKRetrievalTool/Makefile b/external/dcap_source/tools/PCKRetrievalTool/Makefile
index 4596ee9c..116db7d2 100644
--- a/external/dcap_source/SGXDataCenterAttestationPrimitives-DCAP_1.12.1/tools/PCKRetrievalTool/Makefile
+++ b/external/dcap_source/SGXDataCenterAttestationPrimitives-DCAP_1.12.1/tools/PCKRetrievalTool/Makefile
@@ -104,7 +104,7 @@ App_C_Flags := $(COMMON_FLAGS) -fPIC -Wno-attributes $(App_Include_Paths)
App_Cpp_Flags := $(App_C_Flags) -std=c++11
App_Link_Flags := $(SGX_COMMON_CFLAGS) -Wl,-z,relro,-z,now,-z,noexecstack
-App_Link_Flags += -lcurl -ldl -lpthread -Wl,-rpath=.
+App_Link_Flags += -lcurl -ldl -lpthread
App_Cpp_Objects := $(App_Cpp_Files:.cpp=.o)
diff --git a/external/dcap_source/SGXDataCenterAttestationPrimitives-DCAP_1.12.1/tools/PCKRetrievalTool/Qpl/linux/Makefile b/external/dcap_source/SGXDataCenterAttestationPrimitives-DCAP_1.12.1/tools/PCKRetrievalTool/Qpl/linux/Makefile
index b046d726..551a133f 100644
--- a/external/dcap_source/SGXDataCenterAttestationPrimitives-DCAP_1.12.1/tools/PCKRetrievalTool/Qpl/linux/Makefile
+++ b/external/dcap_source/SGXDataCenterAttestationPrimitives-DCAP_1.12.1/tools/PCKRetrievalTool/Qpl/linux/Makefile
@@ -91,7 +91,7 @@ LDUFLAGS += -Wl,--gc-sections
QPL_Lib_Cpp_Flags := $(QPL_Lib_C_Flags) -std=c++11
-QPL_Lib_Link_Flags := $(SGX_COMMON_FLAGS) -L$(SGX_SDK)/lib64 -lpthread -ldl -Wl,-rpath=.
+QPL_Lib_Link_Flags := $(SGX_COMMON_FLAGS) -L$(SGX_SDK)/lib64 -lpthread -ldl
QPL_Lib_Cpp_Objects := $(QPL_Lib_Cpp_Files:.cpp=.o)
--- a/external/dcap_source/tools/PCKRetrievalTool/Makefile
+++ b/external/dcap_source/tools/PCKRetrievalTool/Makefile
@@ -111,3 +111,2 @@
ifeq ($(STANDALONE), 1)
- App_Link_Flags += -Wl,-rpath=.
endif
--
2.33.0
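Review bot: The refreshed patch seems to carry fewer hunks than the old one: quote_wrapper/ql/linux/Makefile, PCKSelectionSample/Makefile and PCKRetrievalTool/Qpl/linux/Makefile appear only under the old DCAP_1.12.1 paths, while the diffstat still reads 5 files changed. Please confirm that the 2.18.1 sources no longer link those targets with `-Wl,-rpath=.`, since a relative rpath makes the loader search the current working directory for shared libraries. The section also shows `LINK_FLAGS := -Wl,-rpath,${ORIGIN} -L$(BIN_DIR) -l$(LIB_NAME)`; I cannot tell from the page which side it is on, but in a Makefile `${ORIGIN}` is expanded by make, so unless ORIGIN is defined the rpath argument ends up empty rather than `$ORIGIN`. The last hunk leaves an empty `ifeq ($(STANDALONE), 1)` … `endif` pair, which should be removed or given a one-line comment.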


@ -4,13 +4,13 @@ Date: Sun, 5 Jun 2022 14:44:37 +0800
Subject: [PATCH] decompress openssl sourece before build
---
.../intel-sgx-ssl-lin_2.15.1_1.1.1l/Linux/build_openssl.sh | 2 --
.../sgxssl/Linux/build_openssl.sh | 2 --
1 file changed, 2 deletions(-)
diff --git a/external/dcap_source/SGXDataCenterAttestationPrimitives-DCAP_1.12.1/QuoteVerification/intel-sgx-ssl-lin_2.15.1_1.1.1l/Linux/build_openssl.sh b/external/dcap_source/SGXDataCenterAttestationPrimitives-DCAP_1.12.1/QuoteVerification/intel-sgx-ssl-lin_2.15.1_1.1.1l/Linux/build_openssl.sh
diff --git a/external/dcap_source/QuoteVerification/sgxssl/Linux/build_openssl.sh b/external/dcap_source/QuoteVerification/sgxssl/Linux/build_openssl.sh
index 7d77b79..43745b8 100755
--- a/external/dcap_source/SGXDataCenterAttestationPrimitives-DCAP_1.12.1/QuoteVerification/intel-sgx-ssl-lin_2.15.1_1.1.1l/Linux/build_openssl.sh
+++ b/external/dcap_source/SGXDataCenterAttestationPrimitives-DCAP_1.12.1/QuoteVerification/intel-sgx-ssl-lin_2.15.1_1.1.1l/Linux/build_openssl.sh
--- a/external/dcap_source/QuoteVerification/sgxssl/Linux/build_openssl.sh
+++ b/external/dcap_source/QuoteVerification/sgxssl/Linux/build_openssl.sh
@@ -54,8 +54,6 @@ mkdir -p $SGXSSL_ROOT/package/lib64/
# build openssl modules, clean previous openssl dir if it exist


@ -10,7 +10,7 @@ Subject: [PATCH] add-secure-compilation-options
.../ippcp/crypto_mb/src/cmake/linux/GNU.cmake | 2 +-
.../openmp/openmp_code/final/CMakeLists.txt | 2 ++
.../protobuf_code/cmake/CMakeLists.txt | 2 ++
.../protobuf_code/cmake/install.cmake | 7 ------
.../protobuf_code/cmake/install.cmake | 7 -------
.../le_launch_service_bundle/CMakeLists.txt | 2 +-
.../source/core/ipc/CMakeLists.txt | 1 +
.../aesm_service/source/utils/CMakeLists.txt | 2 +-
@ -28,7 +28,7 @@ index 96187ed..7b5ef26 100644
-# For reproducibility build in docker, the code should be
-# prepared before build. So skip the code check to avoid
-# triggering network request
-ifneq ($(origin NIX_PATH), environment)
-ifneq ($(origin NIX_STORE), environment)
-ifneq ($(PATCH_LOG), SGX.)
-CHECK_SOURCE:= ipp_source
-endif
@ -116,7 +116,7 @@ index 52661f5..ec0b64f 100644
+++ b/external/protobuf/protobuf_code/cmake/CMakeLists.txt
@@ -1,6 +1,8 @@
# Minimum CMake required
cmake_minimum_required(VERSION 3.1.3)
cmake_minimum_required(VERSION 3.5)
+add_compile_options(-fstack-protector-strong -O2 -D_FORTIFY_SOURCE=2)
+
@ -124,13 +124,13 @@ index 52661f5..ec0b64f 100644
message(STATUS "Protocol Buffers Configuring...")
endif()
diff --git a/external/protobuf/protobuf_code/cmake/install.cmake b/external/protobuf/protobuf_code/cmake/install.cmake
index 4091bc8..8e12831 100644
index 4e1c5de..5f9c786 100644
--- a/external/protobuf/protobuf_code/cmake/install.cmake
+++ b/external/protobuf/protobuf_code/cmake/install.cmake
@@ -31,13 +31,6 @@ endforeach()
if (protobuf_BUILD_PROTOC_BINARIES)
@@ -32,13 +32,6 @@ if (protobuf_BUILD_PROTOC_BINARIES)
install(TARGETS protoc EXPORT protobuf-targets
RUNTIME DESTINATION ${CMAKE_INSTALL_BINDIR} COMPONENT protoc)
RUNTIME DESTINATION ${CMAKE_INSTALL_BINDIR} COMPONENT protoc
BUNDLE DESTINATION ${CMAKE_INSTALL_BINDIR} COMPONENT protoc)
- if (UNIX AND NOT APPLE)
- set_property(TARGET protoc
- PROPERTY INSTALL_RPATH "$ORIGIN/../${CMAKE_INSTALL_LIBDIR}")
@ -176,4 +176,3 @@ index 77aac37..6d17c19 100644
${OPENSSL_LIBRARIES}
--
2.27.0
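Review bot: `add_compile_options(-fstack-protector-strong -O2 -D_FORTIFY_SOURCE=2)` in protobuf_code/cmake/CMakeLists.txt applies to every build configuration, so a Debug configure is compiled with `-O2` as well, and a toolchain or distro flag set that defines `_FORTIFY_SOURCE` with a different value will produce redefinition warnings. The line also covers the compile step only; no matching linker hardening such as `-Wl,-z,relro,-z,now` is visible in this section, though it may sit in a part of the patch the page does not show. A short comment above the line, e.g. `# hardening flags for distro packaging; -O2 is required for _FORTIFY_SOURCE to take effect`, would explain why optimisation is forced here. The removal of the `INSTALL_RPATH` block in install.cmake continues past the lines shown.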


@ -1,25 +0,0 @@
From 4788eadaf33cc6b88ab883e43804e1f237779104 Mon Sep 17 00:00:00 2001
From: wangyu <wangyu283@huawei.com>
Date: Tue, 20 Sep 2022 15:06:21 +0800
Subject: [PATCH] add -s to link flags for PCKRetrievalTool
---
.../tools/PCKRetrievalTool/Makefile | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/external/dcap_source/SGXDataCenterAttestationPrimitives-DCAP_1.12.1/tools/PCKRetrievalTool/Makefile b/external/dcap_source/SGXDataCenterAttestationPrimitives-DCAP_1.12.1/tools/PCKRetrievalTool/Makefile
index 116db7d..7c13b6e 100644
--- a/external/dcap_source/SGXDataCenterAttestationPrimitives-DCAP_1.12.1/tools/PCKRetrievalTool/Makefile
+++ b/external/dcap_source/SGXDataCenterAttestationPrimitives-DCAP_1.12.1/tools/PCKRetrievalTool/Makefile
@@ -142,7 +142,7 @@ Enclave_Link_Flags := $(SGX_COMMON_CFLAGS) -Wl,--no-undefined -nostdlib -nodefau
-Wl,-pie,-eenclave_entry -Wl,--export-dynamic \
-Wl,--defsym,__ImageBase=0 -Wl,--gc-sections \
-Wl,-z,relro,-z,now,-z,noexecstack \
- -Wl,--version-script=Enclave/Enclave.lds
+ -Wl,--version-script=Enclave/Enclave.lds -s
Enclave_Cpp_Objects := $(Enclave_Cpp_Files:.cpp=.o)
ENCLAVE_LIBRARY_PATH := Enclave/
--
1.8.3.1

Binary file not shown.


@ -1,75 +0,0 @@
From 77fd494f2acfd6b08f888f342ca721e3f0809b52 Mon Sep 17 00:00:00 2001
From: wangxiaochao <wangxiaochao2@huawei.com>
Date: Fri, 18 Mar 2022 14:46:35 +0800
Subject: [PATCH] fix CVE-2021-22570
Conflict:NA
Reference:https://gitee.com/src-openeuler/protobuf/pulls/64/files
Signed-off-by: wangxiaochao <wangxiaochao2@huawei.com>
---
.../src/google/protobuf/descriptor.cc | 20 +++++++++++++++++++
1 file changed, 20 insertions(+)
diff --git a/external/protobuf/protobuf_code/src/google/protobuf/descriptor.cc b/external/protobuf/protobuf_code/src/google/protobuf/descriptor.cc
index 8998e1b..e6f7ec2 100644
--- a/external/protobuf/protobuf_code/src/google/protobuf/descriptor.cc
+++ b/external/protobuf/protobuf_code/src/google/protobuf/descriptor.cc
@@ -2626,6 +2626,8 @@ void Descriptor::DebugString(int depth, std::string* contents,
const Descriptor::ReservedRange* range = reserved_range(i);
if (range->end == range->start + 1) {
strings::SubstituteAndAppend(contents, "$0, ", range->start);
+ } else if (range->end > FieldDescriptor::kMaxNumber) {
+ strings::SubstituteAndAppend(contents, "$0 to max, ", range->start);
} else {
strings::SubstituteAndAppend(contents, "$0 to $1, ", range->start,
range->end - 1);
@@ -2829,6 +2831,8 @@ void EnumDescriptor::DebugString(
const EnumDescriptor::ReservedRange* range = reserved_range(i);
if (range->end == range->start) {
strings::SubstituteAndAppend(contents, "$0, ", range->start);
+ } else if (range->end == INT_MAX) {
+ strings::SubstituteAndAppend(contents, "$0 to max, ", range->start);
} else {
strings::SubstituteAndAppend(contents, "$0 to $1, ", range->start,
range->end);
@@ -4019,6 +4023,11 @@ bool DescriptorBuilder::AddSymbol(const std::string& full_name,
// Use its file as the parent instead.
if (parent == nullptr) parent = file_;
+ if (full_name.find('\0') != std::string::npos) {
+ AddError(full_name, proto, DescriptorPool::ErrorCollector::NAME,
+ "\"" + full_name + "\" contains null character.");
+ return false;
+ }
if (tables_->AddSymbol(full_name, symbol)) {
if (!file_tables_->AddAliasUnderParent(parent, name, symbol)) {
// This is only possible if there was already an error adding something of
@@ -4059,6 +4068,11 @@ bool DescriptorBuilder::AddSymbol(const std::string& full_name,
void DescriptorBuilder::AddPackage(const std::string& name,
const Message& proto,
const FileDescriptor* file) {
+ if (name.find('\0') != std::string::npos) {
+ AddError(name, proto, DescriptorPool::ErrorCollector::NAME,
+ "\"" + name + "\" contains null character.");
+ return;
+ }
if (tables_->AddSymbol(name, Symbol(file))) {
// Success. Also add parent package, if any.
std::string::size_type dot_pos = name.find_last_of('.');
@@ -4372,6 +4386,12 @@ FileDescriptor* DescriptorBuilder::BuildFileImpl(
}
result->pool_ = pool_;
+ if (result->name().find('\0') != std::string::npos) {
+ AddError(result->name(), proto, DescriptorPool::ErrorCollector::NAME,
+ "\"" + result->name() + "\" contains null character.");
+ return nullptr;
+ }
+
// Add to tables.
if (!tables_->AddFile(result)) {
AddError(proto.name(), proto, DescriptorPool::ErrorCollector::OTHER,
--
2.23.0


@ -1,72 +0,0 @@
From 4382b4d9446c34d29b12dedf6b93f35215b9dd3b Mon Sep 17 00:00:00 2001
From: Tomas Mraz <tomas@openssl.org>
Date: Mon, 28 Feb 2022 18:26:21 +0100
Subject: [PATCH] Fix possible infinite loop in BN_mod_sqrt()
The calculation in some cases does not finish for non-prime p.
This fixes CVE-2022-0778.
Based on patch by David Benjamin <davidben@google.com>.
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
Reference: https://github.com/openssl/openssl/commit/3118eb64934499d93db3230748a452351d1d9a65
Conflict: NA
---
.../openssl-1.1.1l/crypto/bn/bn_sqrt.c | 30 +++++++++++--------
1 file changed, 18 insertions(+), 12 deletions(-)
diff --git a/external/dcap_source/SGXDataCenterAttestationPrimitives-DCAP_1.12.1/QuoteVerification/intel-sgx-ssl-lin_2.15.1_1.1.1l/openssl_source/openssl-1.1.1l/crypto/bn/bn_sqrt.c b/external/dcap_source/SGXDataCenterAttestationPrimitives-DCAP_1.12.1/QuoteVerification/intel-sgx-ssl-lin_2.15.1_1.1.1l/openssl_source/openssl-1.1.1l/crypto/bn/bn_sqrt.c
index 1723d5d..53b0f55 100644
--- a/external/dcap_source/SGXDataCenterAttestationPrimitives-DCAP_1.12.1/QuoteVerification/intel-sgx-ssl-lin_2.15.1_1.1.1l/openssl_source/openssl-1.1.1l/crypto/bn/bn_sqrt.c
+++ b/external/dcap_source/SGXDataCenterAttestationPrimitives-DCAP_1.12.1/QuoteVerification/intel-sgx-ssl-lin_2.15.1_1.1.1l/openssl_source/openssl-1.1.1l/crypto/bn/bn_sqrt.c
@@ -14,7 +14,8 @@ BIGNUM *BN_mod_sqrt(BIGNUM *in, const BIGNUM *a, const BIGNUM *p, BN_CTX *ctx)
/*
* Returns 'ret' such that ret^2 == a (mod p), using the Tonelli/Shanks
* algorithm (cf. Henri Cohen, "A Course in Algebraic Computational Number
- * Theory", algorithm 1.5.1). 'p' must be prime!
+ * Theory", algorithm 1.5.1). 'p' must be prime, otherwise an error or
+ * an incorrect "result" will be returned.
*/
{
BIGNUM *ret = in;
@@ -301,18 +302,23 @@ BIGNUM *BN_mod_sqrt(BIGNUM *in, const BIGNUM *a, const BIGNUM *p, BN_CTX *ctx)
goto vrfy;
}
- /* find smallest i such that b^(2^i) = 1 */
- i = 1;
- if (!BN_mod_sqr(t, b, p, ctx))
- goto end;
- while (!BN_is_one(t)) {
- i++;
- if (i == e) {
- BNerr(BN_F_BN_MOD_SQRT, BN_R_NOT_A_SQUARE);
- goto end;
+ /* Find the smallest i, 0 < i < e, such that b^(2^i) = 1. */
+ for (i = 1; i < e; i++) {
+ if (i == 1) {
+ if (!BN_mod_sqr(t, b, p, ctx))
+ goto end;
+
+ } else {
+ if (!BN_mod_mul(t, t, t, p, ctx))
+ goto end;
}
- if (!BN_mod_mul(t, t, t, p, ctx))
- goto end;
+ if (BN_is_one(t))
+ break;
+ }
+ /* If not found, a is not a square or p is not prime. */
+ if (i >= e) {
+ BNerr(BN_F_BN_MOD_SQRT, BN_R_NOT_A_SQUARE);
+ goto end;
}
/* t := y^2^(e - i - 1) */
--
2.23.0


@ -1,61 +0,0 @@
From 6ec7f406d2141b78508b5df91597a61de2ac38ed Mon Sep 17 00:00:00 2001
From: Tomas Mraz <tomas@openssl.org>
Date: Mon, 28 Feb 2022 18:26:35 +0100
Subject: [PATCH] Add a negative testcase for BN_mod_sqrt
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
Reference: https://github.com/openssl/openssl/commit/3ef5c3034e5c545f34d6929568f3f2b10ac4bdf0
Conflict: NA
---
.../openssl_source/openssl-1.1.1l/test/bntest.c | 11 ++++++++++-
.../test/recipes/10-test_bn_data/bnmod.txt | 12 ++++++++++++
2 files changed, 22 insertions(+), 1 deletion(-)
diff --git a/external/dcap_source/SGXDataCenterAttestationPrimitives-DCAP_1.12.1/QuoteVerification/intel-sgx-ssl-lin_2.15.1_1.1.1l/openssl_source/openssl-1.1.1l/test/bntest.c b/external/dcap_source/SGXDataCenterAttestationPrimitives-DCAP_1.12.1/QuoteVerification/intel-sgx-ssl-lin_2.15.1_1.1.1l/openssl_source/openssl-1.1.1l/test/bntest.c
index 236501e..08c60a2 100644
--- a/external/dcap_source/SGXDataCenterAttestationPrimitives-DCAP_1.12.1/QuoteVerification/intel-sgx-ssl-lin_2.15.1_1.1.1l/openssl_source/openssl-1.1.1l/test/bntest.c
+++ b/external/dcap_source/SGXDataCenterAttestationPrimitives-DCAP_1.12.1/QuoteVerification/intel-sgx-ssl-lin_2.15.1_1.1.1l/openssl_source/openssl-1.1.1l/test/bntest.c
@@ -1685,8 +1685,17 @@ static int file_modsqrt(STANZA *s)
|| !TEST_ptr(ret2 = BN_new()))
goto err;
+ if (BN_is_negative(mod_sqrt)) {
+ /* A negative testcase */
+ if (!TEST_ptr_null(BN_mod_sqrt(ret, a, p, ctx)))
+ goto err;
+
+ st = 1;
+ goto err;
+ }
+
/* There are two possible answers. */
- if (!TEST_true(BN_mod_sqrt(ret, a, p, ctx))
+ if (!TEST_ptr(BN_mod_sqrt(ret, a, p, ctx))
|| !TEST_true(BN_sub(ret2, p, ret)))
goto err;
diff --git a/external/dcap_source/SGXDataCenterAttestationPrimitives-DCAP_1.12.1/QuoteVerification/intel-sgx-ssl-lin_2.15.1_1.1.1l/openssl_source/openssl-1.1.1l/test/recipes/10-test_bn_data/bnmod.txt b/external/dcap_source/SGXDataCenterAttestationPrimitives-DCAP_1.12.1/QuoteVerification/intel-sgx-ssl-lin_2.15.1_1.1.1l/openssl_source/openssl-1.1.1l/test/recipes/10-test_bn_data/bnmod.txt
index 5ea4d03..e28cc6b 100644
--- a/external/dcap_source/SGXDataCenterAttestationPrimitives-DCAP_1.12.1/QuoteVerification/intel-sgx-ssl-lin_2.15.1_1.1.1l/openssl_source/openssl-1.1.1l/test/recipes/10-test_bn_data/bnmod.txt
+++ b/external/dcap_source/SGXDataCenterAttestationPrimitives-DCAP_1.12.1/QuoteVerification/intel-sgx-ssl-lin_2.15.1_1.1.1l/openssl_source/openssl-1.1.1l/test/recipes/10-test_bn_data/bnmod.txt
@@ -2799,3 +2799,15 @@ P = 9df9d6cc20b8540411af4e5357ef2b0353cb1f2ab5ffc3e246b41c32f71e951f
ModSqrt = a1d52989f12f204d3d2167d9b1e6c8a6174c0c786a979a5952383b7b8bd186
A = 2eee37cf06228a387788188e650bc6d8a2ff402931443f69156a29155eca07dcb45f3aac238d92943c0c25c896098716baa433f25bd696a142f5a69d5d937e81
P = 9df9d6cc20b8540411af4e5357ef2b0353cb1f2ab5ffc3e246b41c32f71e951f
+
+# Negative testcases for BN_mod_sqrt()
+
+# This one triggers an infinite loop with unfixed implementation
+# It should just fail.
+ModSqrt = -1
+A = 20a7ee
+P = 460201
+
+ModSqrt = -1
+A = 65bebdb00a96fc814ec44b81f98b59fba3c30203928fa5214c51e0a97091645280c947b005847f239758482b9bfc45b066fde340d1fe32fc9c1bf02e1b2d0ed
+P = 9df9d6cc20b8540411af4e5357ef2b0353cb1f2ab5ffc3e246b41c32f71e951f
--
2.23.0


@ -1,80 +0,0 @@
From 9b495e8d9028ca893019c5b176d913051ea925ac Mon Sep 17 00:00:00 2001
From: Tomas Mraz <tomas@openssl.org>
Date: Tue, 26 Apr 2022 12:40:24 +0200
Subject: [PATCH] c_rehash: Do not use shell to invoke openssl
Except on VMS where it is safe.
This fixes CVE-2022-1292.
Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
Reviewed-by: Matt Caswell <matt@openssl.org>
Reference:https://git.openssl.org/gitweb/?p=openssl.git;a=patch;h=e5fd1728ef4c7a5bf7c7a7163ca60370460a6e23
Conflict:NA
---
.../openssl-1.1.1l/tools/c_rehash.in | 29 ++++++++++++++++---
1 file changed, 25 insertions(+), 4 deletions(-)
diff --git a/external/dcap_source/SGXDataCenterAttestationPrimitives-DCAP_1.12.1/QuoteVerification/intel-sgx-ssl-lin_2.15.1_1.1.1l/openssl_source/openssl-1.1.1l/tools/c_rehash.in b/external/dcap_source/SGXDataCenterAttestationPrimitives-DCAP_1.12.1/QuoteVerification/intel-sgx-ssl-lin_2.15.1_1.1.1l/openssl_source/openssl-1.1.1l/tools/c_rehash.in
index fa7c6c9..83c1cc8 100644
--- a/external/dcap_source/SGXDataCenterAttestationPrimitives-DCAP_1.12.1/QuoteVerification/intel-sgx-ssl-lin_2.15.1_1.1.1l/openssl_source/openssl-1.1.1l/tools/c_rehash.in
+++ b/external/dcap_source/SGXDataCenterAttestationPrimitives-DCAP_1.12.1/QuoteVerification/intel-sgx-ssl-lin_2.15.1_1.1.1l/openssl_source/openssl-1.1.1l/tools/c_rehash.in
@@ -152,6 +152,23 @@ sub check_file {
return ($is_cert, $is_crl);
}
+sub compute_hash {
+ my $fh;
+ if ( $^O eq "VMS" ) {
+ # VMS uses the open through shell
+ # The file names are safe there and list form is unsupported
+ if (!open($fh, "-|", join(' ', @_))) {
+ print STDERR "Cannot compute hash on '$fname'\n";
+ return;
+ }
+ } else {
+ if (!open($fh, "-|", @_)) {
+ print STDERR "Cannot compute hash on '$fname'\n";
+ return;
+ }
+ }
+ return (<$fh>, <$fh>);
+}
# Link a certificate to its subject name hash value, each hash is of
# the form <hash>.<n> where n is an integer. If the hash value already exists
@@ -161,10 +178,12 @@ sub check_file {
sub link_hash_cert {
my $fname = $_[0];
- $fname =~ s/\"/\\\"/g;
- my ($hash, $fprint) = `"$openssl" x509 $x509hash -fingerprint -noout -in "$fname"`;
+ my ($hash, $fprint) = compute_hash($openssl, "x509", $x509hash,
+ "-fingerprint", "-noout",
+ "-in", $fname);
chomp $hash;
chomp $fprint;
+ return if !$hash;
$fprint =~ s/^.*=//;
$fprint =~ tr/://d;
my $suffix = 0;
@@ -202,10 +221,12 @@ sub link_hash_cert {
sub link_hash_crl {
my $fname = $_[0];
- $fname =~ s/'/'\\''/g;
- my ($hash, $fprint) = `"$openssl" crl $crlhash -fingerprint -noout -in '$fname'`;
+ my ($hash, $fprint) = compute_hash($openssl, "crl", $crlhash,
+ "-fingerprint", "-noout",
+ "-in", $fname);
chomp $hash;
chomp $fprint;
+ return if !$hash;
$fprint =~ s/^.*=//;
$fprint =~ tr/://d;
my $suffix = 0;
--
2.23.0


@ -1,259 +0,0 @@
From 9639817dac8bbbaa64d09efad7464ccc405527c7 Mon Sep 17 00:00:00 2001
From: Daniel Fiala <daniel@openssl.org>
Date: Sun, 29 May 2022 20:11:24 +0200
Subject: [PATCH] Fix file operations in c_rehash.
CVE-2022-2068
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reference: https://github.com/openssl/openssl/commit/9639817dac8bbbaa64d09efad7464ccc405527c7
Conflict: NA
---
external/dcap_source/SGXDataCenterAttestationPrimitives-DCAP_1.12.1/QuoteVerification/intel-sgx-ssl-lin_2.15.1_1.1.1l/openssl_source/openssl-1.1.1l/tools/c_rehash.in | 216 +++++++++++++++++++++++-----------------------
1 file changed, 107 insertions(+), 109 deletions(-)
diff --git a/external/dcap_source/SGXDataCenterAttestationPrimitives-DCAP_1.12.1/QuoteVerification/intel-sgx-ssl-lin_2.15.1_1.1.1l/openssl_source/openssl-1.1.1l/tools/c_rehash.in b/external/dcap_source/SGXDataCenterAttestationPrimitives-DCAP_1.12.1/QuoteVerification/intel-sgx-ssl-lin_2.15.1_1.1.1l/openssl_source/openssl-1.1.1l/tools/c_rehash.in
index cfd18f5da1..9d2a6f6db7 100644
--- a/external/dcap_source/SGXDataCenterAttestationPrimitives-DCAP_1.12.1/QuoteVerification/intel-sgx-ssl-lin_2.15.1_1.1.1l/openssl_source/openssl-1.1.1l/tools/c_rehash.in
+++ b/external/dcap_source/SGXDataCenterAttestationPrimitives-DCAP_1.12.1/QuoteVerification/intel-sgx-ssl-lin_2.15.1_1.1.1l/openssl_source/openssl-1.1.1l/tools/c_rehash.in
@@ -104,52 +104,78 @@ foreach (@dirlist) {
}
exit($errorcount);
+sub copy_file {
+ my ($src_fname, $dst_fname) = @_;
+
+ if (open(my $in, "<", $src_fname)) {
+ if (open(my $out, ">", $dst_fname)) {
+ print $out $_ while (<$in>);
+ close $out;
+ } else {
+ warn "Cannot open $dst_fname for write, $!";
+ }
+ close $in;
+ } else {
+ warn "Cannot open $src_fname for read, $!";
+ }
+}
+
sub hash_dir {
- my %hashlist;
- print "Doing $_[0]\n";
- chdir $_[0];
- opendir(DIR, ".");
- my @flist = sort readdir(DIR);
- closedir DIR;
- if ( $removelinks ) {
- # Delete any existing symbolic links
- foreach (grep {/^[\da-f]+\.r{0,1}\d+$/} @flist) {
- if (-l $_) {
- print "unlink $_" if $verbose;
- unlink $_ || warn "Can't unlink $_, $!\n";
- }
- }
- }
- FILE: foreach $fname (grep {/\.(pem)|(crt)|(cer)|(crl)$/} @flist) {
- # Check to see if certificates and/or CRLs present.
- my ($cert, $crl) = check_file($fname);
- if (!$cert && !$crl) {
- print STDERR "WARNING: $fname does not contain a certificate or CRL: skipping\n";
- next;
- }
- link_hash_cert($fname) if ($cert);
- link_hash_crl($fname) if ($crl);
- }
+ my $dir = shift;
+ my %hashlist;
+
+ print "Doing $dir\n";
+
+ if (!chdir $dir) {
+ print STDERR "WARNING: Cannot chdir to '$dir', $!\n";
+ return;
+ }
+
+ opendir(DIR, ".") || print STDERR "WARNING: Cannot opendir '.', $!\n";
+ my @flist = sort readdir(DIR);
+ closedir DIR;
+ if ( $removelinks ) {
+ # Delete any existing symbolic links
+ foreach (grep {/^[\da-f]+\.r{0,1}\d+$/} @flist) {
+ if (-l $_) {
+ print "unlink $_\n" if $verbose;
+ unlink $_ || warn "Can't unlink $_, $!\n";
+ }
+ }
+ }
+ FILE: foreach $fname (grep {/\.(pem)|(crt)|(cer)|(crl)$/} @flist) {
+ # Check to see if certificates and/or CRLs present.
+ my ($cert, $crl) = check_file($fname);
+ if (!$cert && !$crl) {
+ print STDERR "WARNING: $fname does not contain a certificate or CRL: skipping\n";
+ next;
+ }
+ link_hash_cert($fname) if ($cert);
+ link_hash_crl($fname) if ($crl);
+ }
+
+ chdir $pwd;
}
sub check_file {
- my ($is_cert, $is_crl) = (0,0);
- my $fname = $_[0];
- open IN, $fname;
- while(<IN>) {
- if (/^-----BEGIN (.*)-----/) {
- my $hdr = $1;
- if ($hdr =~ /^(X509 |TRUSTED |)CERTIFICATE$/) {
- $is_cert = 1;
- last if ($is_crl);
- } elsif ($hdr eq "X509 CRL") {
- $is_crl = 1;
- last if ($is_cert);
- }
- }
- }
- close IN;
- return ($is_cert, $is_crl);
+ my ($is_cert, $is_crl) = (0,0);
+ my $fname = $_[0];
+
+ open(my $in, "<", $fname);
+ while(<$in>) {
+ if (/^-----BEGIN (.*)-----/) {
+ my $hdr = $1;
+ if ($hdr =~ /^(X509 |TRUSTED |)CERTIFICATE$/) {
+ $is_cert = 1;
+ last if ($is_crl);
+ } elsif ($hdr eq "X509 CRL") {
+ $is_crl = 1;
+ last if ($is_cert);
+ }
+ }
+ }
+ close $in;
+ return ($is_cert, $is_crl);
}
sub compute_hash {
@@ -177,76 +203,48 @@ sub compute_hash {
# certificate fingerprints
sub link_hash_cert {
- my $fname = $_[0];
- my ($hash, $fprint) = compute_hash($openssl, "x509", $x509hash,
- "-fingerprint", "-noout",
- "-in", $fname);
- chomp $hash;
- chomp $fprint;
- return if !$hash;
- $fprint =~ s/^.*=//;
- $fprint =~ tr/://d;
- my $suffix = 0;
- # Search for an unused hash filename
- while(exists $hashlist{"$hash.$suffix"}) {
- # Hash matches: if fingerprint matches its a duplicate cert
- if ($hashlist{"$hash.$suffix"} eq $fprint) {
- print STDERR "WARNING: Skipping duplicate certificate $fname\n";
- return;
- }
- $suffix++;
- }
- $hash .= ".$suffix";
- if ($symlink_exists) {
- print "link $fname -> $hash\n" if $verbose;
- symlink $fname, $hash || warn "Can't symlink, $!";
- } else {
- print "copy $fname -> $hash\n" if $verbose;
- if (open($in, "<", $fname)) {
- if (open($out,">", $hash)) {
- print $out $_ while (<$in>);
- close $out;
- } else {
- warn "can't open $hash for write, $!";
- }
- close $in;
- } else {
- warn "can't open $fname for read, $!";
- }
- }
- $hashlist{$hash} = $fprint;
+ link_hash($_[0], 'cert');
}
# Same as above except for a CRL. CRL links are of the form <hash>.r<n>
sub link_hash_crl {
- my $fname = $_[0];
- my ($hash, $fprint) = compute_hash($openssl, "crl", $crlhash,
- "-fingerprint", "-noout",
- "-in", $fname);
- chomp $hash;
- chomp $fprint;
- return if !$hash;
- $fprint =~ s/^.*=//;
- $fprint =~ tr/://d;
- my $suffix = 0;
- # Search for an unused hash filename
- while(exists $hashlist{"$hash.r$suffix"}) {
- # Hash matches: if fingerprint matches its a duplicate cert
- if ($hashlist{"$hash.r$suffix"} eq $fprint) {
- print STDERR "WARNING: Skipping duplicate CRL $fname\n";
- return;
- }
- $suffix++;
- }
- $hash .= ".r$suffix";
- if ($symlink_exists) {
- print "link $fname -> $hash\n" if $verbose;
- symlink $fname, $hash || warn "Can't symlink, $!";
- } else {
- print "cp $fname -> $hash\n" if $verbose;
- system ("cp", $fname, $hash);
- warn "Can't copy, $!" if ($? >> 8) != 0;
- }
- $hashlist{$hash} = $fprint;
+ link_hash($_[0], 'crl');
+}
+
+sub link_hash {
+ my ($fname, $type) = @_;
+ my $is_cert = $type eq 'cert';
+
+ my ($hash, $fprint) = compute_hash($openssl,
+ $is_cert ? "x509" : "crl",
+ $is_cert ? $x509hash : $crlhash,
+ "-fingerprint", "-noout",
+ "-in", $fname);
+ chomp $hash;
+ chomp $fprint;
+ return if !$hash;
+ $fprint =~ s/^.*=//;
+ $fprint =~ tr/://d;
+ my $suffix = 0;
+ # Search for an unused hash filename
+ my $crlmark = $is_cert ? "" : "r";
+ while(exists $hashlist{"$hash.$crlmark$suffix"}) {
+ # Hash matches: if fingerprint matches its a duplicate cert
+ if ($hashlist{"$hash.$crlmark$suffix"} eq $fprint) {
+ my $what = $is_cert ? 'certificate' : 'CRL';
+ print STDERR "WARNING: Skipping duplicate $what $fname\n";
+ return;
+ }
+ $suffix++;
+ }
+ $hash .= ".$crlmark$suffix";
+ if ($symlink_exists) {
+ print "link $fname -> $hash\n" if $verbose;
+ symlink $fname, $hash || warn "Can't symlink, $!";
+ } else {
+ print "copy $fname -> $hash\n" if $verbose;
+ copy_file($fname, $hash);
+ }
+ $hashlist{$hash} = $fprint;
}
--
2.23.0


@ -1,76 +0,0 @@
From 919925673d6c9cfed3c1085497f5dfbbed5fc431 Mon Sep 17 00:00:00 2001
From: Alex Chernyakhovsky <achernya@google.com>
Date: Thu, 16 Jun 2022 12:00:22 +1000
Subject: [PATCH] Fix AES OCB encrypt/decrypt for x86 AES-NI
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
aesni_ocb_encrypt and aesni_ocb_decrypt operate by having a fast-path
that performs operations on 6 16-byte blocks concurrently (the
"grandloop") and then proceeds to handle the "short" tail (which can
be anywhere from 0 to 5 blocks) that remain.
As part of initialization, the assembly initializes $len to the true
length, less 96 bytes and converts it to a pointer so that the $inp
can be compared to it. Each iteration of "grandloop" checks to see if
there's a full 96-byte chunk to process, and if so, continues. Once
this has been exhausted, it falls through to "short", which handles
the remaining zero to five blocks.
Unfortunately, the jump at the end of "grandloop" had a fencepost
error, doing a `jb` ("jump below") rather than `jbe` (jump below or
equal). This should be `jbe`, as $inp is pointing to the *end* of the
chunk currently being handled. If $inp == $len, that means that
there's a whole 96-byte chunk waiting to be handled. If $inp > $len,
then there's 5 or fewer 16-byte blocks left to be handled, and the
fall-through is intended.
The net effect of `jb` instead of `jbe` is that the last 16-byte block
of the last 96-byte chunk was completely omitted. The contents of
`out` in this position were never written to. Additionally, since
those bytes were never processed, the authentication tag generated is
also incorrect.
The same fencepost error, and identical logic, exists in both
aesni_ocb_encrypt and aesni_ocb_decrypt.
This addresses CVE-2022-2097.
Co-authored-by: Alejandro Sedeño <asedeno@google.com>
Co-authored-by: David Benjamin <davidben@google.com>
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reference:https://github.com/openssl/openssl/commit/919925673d6c9cfed3c1085497f5dfbbed5fc431
Conflict: NA
---
external/dcap_source/SGXDataCenterAttestationPrimitives-DCAP_1.12.1/QuoteVerification/intel-sgx-ssl-lin_2.15.1_1.1.1l/openssl_source/openssl-1.1.1l/crypto/aes/asm/aesni-x86.pl | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/external/dcap_source/SGXDataCenterAttestationPrimitives-DCAP_1.12.1/QuoteVerification/intel-sgx-ssl-lin_2.15.1_1.1.1l/openssl_source/openssl-1.1.1l/crypto/aes/asm/aesni-x86.pl b/external/dcap_source/SGXDataCenterAttestationPrimitives-DCAP_1.12.1/QuoteVerification/intel-sgx-ssl-lin_2.15.1_1.1.1l/openssl_source/openssl-1.1.1l/crypto/aes/asm/aesni-x86.pl
index fe2b26542a..812758e02e 100644
--- a/external/dcap_source/SGXDataCenterAttestationPrimitives-DCAP_1.12.1/QuoteVerification/intel-sgx-ssl-lin_2.15.1_1.1.1l/openssl_source/openssl-1.1.1l/crypto/aes/asm/aesni-x86.pl
+++ b/external/dcap_source/SGXDataCenterAttestationPrimitives-DCAP_1.12.1/QuoteVerification/intel-sgx-ssl-lin_2.15.1_1.1.1l/openssl_source/openssl-1.1.1l/crypto/aes/asm/aesni-x86.pl
@@ -2027,7 +2027,7 @@ my ($l_,$block,$i1,$i3,$i5) = ($rounds_,$key_,$rounds,$len,$out);
&movdqu (&QWP(-16*2,$out,$inp),$inout4);
&movdqu (&QWP(-16*1,$out,$inp),$inout5);
&cmp ($inp,$len); # done yet?
- &jb (&label("grandloop"));
+ &jbe (&label("grandloop"));
&set_label("short");
&add ($len,16*6);
@@ -2453,7 +2453,7 @@ my ($l_,$block,$i1,$i3,$i5) = ($rounds_,$key_,$rounds,$len,$out);
&pxor ($rndkey1,$inout5);
&movdqu (&QWP(-16*1,$out,$inp),$inout5);
&cmp ($inp,$len); # done yet?
- &jb (&label("grandloop"));
+ &jbe (&label("grandloop"));
&set_label("short");
&add ($len,16*6);
--
2.27.0

Binary file not shown.

BIN
lin_2.18_1.1.1q.tar.gz Normal file

Binary file not shown.


@ -1,39 +1,40 @@
Name: linux-sgx
Version: 2.15.1
Release: 9
Version: 2.18.1
Release: 1
Summary: Intel(R) Software Guard Extensions for Linux* OS
ExclusiveArch: x86_64
License: BSD-3-Clause
URL: https://github.com/intel/linux-sgx
Source0: https://github.com/intel/linux-sgx/archive/refs/tags/sgx_2.15.1.tar.gz
Source1: https://github.com/intel/SGXDataCenterAttestationPrimitives/archive/refs/tags/DCAP_1.12.1.tar.gz
%define DCAP_version 1.15
%define protobuf_version 3.20.1
%define openssl_version 1.1.1q
%define intel_sgx_ssl_version 2.18
%define sgx_emm_version 1.0.0
Source0: https://github.com/intel/linux-sgx/archive/refs/tags/sgx_%{version}.tar.gz
Source1: https://github.com/intel/SGXDataCenterAttestationPrimitives/archive/refs/tags/DCAP_%{DCAP_version}.tar.gz
Source2: https://github.com/llvm-mirror/openmp/archive/svn-tags/openmp_code.tar.gz
Source3: https://github.com/oneapi-src/oneDNN/archive/oneDNN-2.5.tar.gz
Source4: https://github.com/intel/ipp-crypto/archive/ipp-crypto.tar.gz
Source5: https://download.01.org/intel-sgx/sgx-linux/2.15.1/optimized_libs_2.15.1.tar.gz
Source6: https://download.01.org/intel-sgx/sgx-linux/2.15.1/prebuilt_ae_2.15.1.tar.gz
Source7: https://github.com/protocolbuffers/protobuf/archive/refs/tags/protobuf_code.tar.gz
Source8: https://download.01.org/intel-sgx/sgx-dcap/1.9/linux/prebuilt_dcap_1.9.tar.gz
Source9: https://download.01.org/intel-sgx/sgx-linux/2.15.1/as.ld.objdump.r4.tar.gz
Source10: https://github.com/openssl/openssl/archive/refs/tags/openssl-1.1.1l.tar.gz
Source11: https://github.com/intel/intel-sgx-ssl/archive/refs/tags/intel-sgx-ssl-lin_2.15.1_1.1.1l.zip
Source5: https://download.01.org/intel-sgx/sgx-linux/%{version}/optimized_libs_%{version}.tar.gz
Source6: https://download.01.org/intel-sgx/sgx-linux/%{version}/prebuilt_ae_%{version}.tar.gz
Source7: https://github.com/protocolbuffers/protobuf/archive/refs/tags/v%{protobuf_version}.tar.gz
Source8: https://download.01.org/intel-sgx/sgx-dcap/%{DCAP_version}/linux/prebuilt_dcap_%{DCAP_version}.tar.gz
Source9: https://www.openssl.org/source/old/1.1.1/openssl-%{openssl_version}.tar.gz
Source10: https://github.com/intel/intel-sgx-ssl/archive/refs/tags/lin_%{intel_sgx_ssl_version}_%{openssl_version}.tar.gz
Source11: https://github.com/intel/sgx-emm/archive/refs/tags/sgx-emm-%{sgx_emm_version}.tar.gz
Patch0: 0001-disable-the-download-process-in-building.patch
Patch1: 0002-fix-building-error-for-systemd.patch
Patch2: add-secure-compilation-options.patch
Patch3: backport-CVE-2021-22570.patch
Patch4: backport-CVE-2022-0778.patch
Patch5: backport-CVE-2022-0778_test.patch
Patch6: backport-CVE-2022-1292.patch
Patch7: adapt-openssl-CVE.patch
Patch8: backport-CVE-2022-2068-Fix-file-operations-in-c_rehash.patch
Patch9: backport-CVE-2022-2097-Fix-AES-OCB-encrypt-decrypt-for-x86-AES-NI.patch
Patch10: DCAP-disabling-the-rpatch-option.patch
Patch11: add-strip-compilation-option-for-pck-id-retrieval-tool.patch
Patch3: adapt-openssl-CVE.patch
Patch4: DCAP-disabling-the-rpatch-option.patch
BuildRequires: gcc-c++ protobuf-devel libtool ocaml ocaml-ocamlbuild compat-openssl11-devel cmake python curl-devel createrepo_c git nasm
BuildRequires: protobuf-lite-devel protobuf-c-devel boost-devel
Requires: glibc
Requires: glibc
%description
Intel(R) Software Guard Extensions (Intel(R) SGX) is an Intel technology for application
@ -259,174 +260,119 @@ Summary: Intel(R) Software Guard Extensions Basic Headers
Intel(R) Software Guard Extensions Basic Headers
%package_help
%prep
%setup -q -b 0 -n linux-sgx-sgx_%{version}
%%setup -q -D -a 1 -n linux-sgx-sgx_%{version}/external/dcap_source
%%setup -q -D -a 2 -n linux-sgx-sgx_%{version}/external/openmp
%%setup -q -D -a 3 -n linux-sgx-sgx_%{version}/external/dnnl/dnnl
%%setup -q -D -a 4 -n linux-sgx-sgx_%{version}/external/ippcp_internal
%%setup -q -D -a 5 -n linux-sgx-sgx_%{version}
%%setup -q -D -a 6 -n linux-sgx-sgx_%{version}
%%setup -q -D -a 7 -n linux-sgx-sgx_%{version}/external/protobuf
%%setup -q -D -a 8 -n linux-sgx-sgx_%{version}/external/dcap_source/SGXDataCenterAttestationPrimitives-DCAP_1.12.1/QuoteGeneration
%%setup -q -D -a 11 -n linux-sgx-sgx_%{version}/external/dcap_source/SGXDataCenterAttestationPrimitives-DCAP_1.12.1/QuoteVerification/
%%setup -q -D -a 10 -n linux-sgx-sgx_%{version}/external/dcap_source/SGXDataCenterAttestationPrimitives-DCAP_1.12.1/QuoteVerification/intel-sgx-ssl-lin_2.15.1_1.1.1l/openssl_source
%%setup -q -D -a 9 -n linux-sgx-sgx_%{version}
%setup -q -D -a 1 -n linux-sgx-sgx_%{version}/external/dcap_source
%setup -q -D -a 2 -n linux-sgx-sgx_%{version}/external/openmp
%setup -q -D -a 3 -n linux-sgx-sgx_%{version}/external/dnnl/dnnl
%setup -q -D -a 4 -n linux-sgx-sgx_%{version}/external/ippcp_internal
%setup -q -D -a 5 -n linux-sgx-sgx_%{version}
%setup -q -D -a 6 -n linux-sgx-sgx_%{version}
%setup -q -D -a 7 -n linux-sgx-sgx_%{version}/external/protobuf
%setup -q -D -a 8 -n linux-sgx-sgx_%{version}/external/dcap_source/SGXDataCenterAttestationPrimitives-DCAP_%{DCAP_version}/QuoteGeneration
%setup -q -D -a 10 -n linux-sgx-sgx_%{version}/external/dcap_source/SGXDataCenterAttestationPrimitives-DCAP_%{DCAP_version}/QuoteVerification/
%setup -q -D -a 9 -n linux-sgx-sgx_%{version}/external/dcap_source/SGXDataCenterAttestationPrimitives-DCAP_%{DCAP_version}/QuoteVerification/intel-sgx-ssl-lin_%{intel_sgx_ssl_version}_%{openssl_version}/openssl_source
%setup -q -D -a 11 -n linux-sgx-sgx_%{version}/external/sgx-emm/emm_src
%setup -q -D -n linux-sgx-sgx_%{version}
%autopatch -p1
%build
pushd external/protobuf
mv protobuf-%{protobuf_version}/{.[!.],}* ./protobuf_code
rm -rf protobuf-%{protobuf_version}
popd
pushd external/dcap_source/
mv SGXDataCenterAttestationPrimitives-DCAP_1.12.1/{.[!.],}* .
rm -rf SGXDataCenterAttestationPrimitives-DCAP_1.12.1
mv SGXDataCenterAttestationPrimitives-DCAP_%{DCAP_version}/{.[!.],}* .
rm -rf SGXDataCenterAttestationPrimitives-DCAP_%{DCAP_version}
popd
pushd external/dcap_source/QuoteVerification
mv intel-sgx-ssl-lin_2.15.1_1.1.1l sgxssl
mv intel-sgx-ssl-lin_%{intel_sgx_ssl_version}_%{openssl_version} sgxssl
popd
cp %{SOURCE10} external/dcap_source/QuoteVerification/sgxssl/openssl_source
cp %{SOURCE9} external/dcap_source/QuoteVerification/sgxssl/openssl_source
pushd external/dnnl/dnnl
mv oneDNN-2.5/{.[!.],}* .
rm -rf oneDNN-2.5
popd
pushd external/sgx-emm/emm_src
mv sgx-emm-sgx-emm-%{sgx_emm_version}/{.[!.],}* .
rm -rf sgx-emm-sgx-emm-%{sgx_emm_version}
popd
%autopatch -p1
%build
make preparation
make -j -C external/ippcp_internal/
make -j2 sdk_install_pkg_no_mitigation
linux/installer/bin/sgx_linux_x64_sdk_2.15.101.1.bin --prefix=./
./linux/installer/bin/sgx_linux_x64_sdk_2.18.101.1.bin --prefix=./
source ./sgxsdk/environment
make -j2 psw
%define DCAP_LINUX_INSTALLER_COMMON_DIR external/dcap_source/QuoteGeneration/installer/linux/common/
%define DCAP_LINUX_INSTALLER_RPM_DIR external/dcap_source/QuoteGeneration/installer/linux/rpm
make psw
make -C external/dcap_source QuoteGeneration PCKCertSelection PCKRetrievalTool SGXPlatformRegistration
%define LINUX_INSTALLER_COMMON_DIR linux/installer/common
%define LINUX_INSTALLER_RPM_DIR linux/installer/rpm
packages1=(libsgx-enclave-common libsgx-epid libsgx-headers libsgx-launch libsgx-quote-ex libsgx-uae-service libsgx-urts psw sdk sgx-aesm-service)
for package1 in ${packages1[@]}
do
if [ ${package1} == sdk -o ${package1} == psw ]; then
source ./%{LINUX_INSTALLER_COMMON_DIR}/${package1}/installConfig.x64
else
source ./%{LINUX_INSTALLER_COMMON_DIR}/${package1}/installConfig
fi
source ./%{LINUX_INSTALLER_COMMON_DIR}/sdk/installConfig.x64
%{LINUX_INSTALLER_COMMON_DIR}/sdk/createTarball.sh
mkdir -p %{LINUX_INSTALLER_RPM_DIR}/sdk/build
tar -xvf %{LINUX_INSTALLER_COMMON_DIR}/sdk/output/${TARBALL_NAME} -C %{LINUX_INSTALLER_RPM_DIR}/sdk/build
%{LINUX_INSTALLER_COMMON_DIR}/${package1}/createTarball.sh
mkdir -p %{LINUX_INSTALLER_RPM_DIR}/${package1}/build
tar -xvf %{LINUX_INSTALLER_COMMON_DIR}/${package1}/output/${TARBALL_NAME} -C %{LINUX_INSTALLER_RPM_DIR}/${package1}/build
done
source ./%{DCAP_LINUX_INSTALLER_COMMON_DIR}/libsgx-ae-qe3/installConfig
%{DCAP_LINUX_INSTALLER_COMMON_DIR}/libsgx-ae-qe3/createTarball.sh
mkdir -p %{DCAP_LINUX_INSTALLER_RPM_DIR}/libsgx-ae-qe3/build
tar -xvf %{DCAP_LINUX_INSTALLER_COMMON_DIR}/libsgx-ae-qe3/output/${TARBALL_NAME} -C %{DCAP_LINUX_INSTALLER_RPM_DIR}/libsgx-ae-qe3/build
%define DCAP_LINUX_INSTALLER_COMMON_DIR external/dcap_source/QuoteGeneration/installer/linux/common/
%define DCAP_LINUX_INSTALLER_RPM_DIR external/dcap_source/QuoteGeneration/installer/linux/rpm
packages2=(libsgx-ae-qe3 libsgx-ae-qve libsgx-dcap-default-qpl libsgx-dcap-ql libsgx-dcap-quote-verify libsgx-pce-logic libsgx-qe3-logic sgx-dcap-pccs)
for package2 in ${packages2[@]}
do
if [ ${package2} == sgx-dcap-pccs ]; then
mkdir -p external/dcap_source/QuoteGeneration/pccs/lib/
cp external/dcap_source/tools/PCKCertSelection/out/libPCKCertSelection.so external/dcap_source/QuoteGeneration/pccs/lib/
fi
make -C external/dcap_source/QuoteGeneration pce_logic
source ./%{DCAP_LINUX_INSTALLER_COMMON_DIR}/libsgx-pce-logic/installConfig
%{DCAP_LINUX_INSTALLER_COMMON_DIR}/libsgx-pce-logic/createTarball.sh
mkdir -p %{DCAP_LINUX_INSTALLER_RPM_DIR}/libsgx-pce-logic/build
tar -xvf %{DCAP_LINUX_INSTALLER_COMMON_DIR}/libsgx-pce-logic/output/${TARBALL_NAME} -C %{DCAP_LINUX_INSTALLER_RPM_DIR}/libsgx-pce-logic/build
source ./%{DCAP_LINUX_INSTALLER_COMMON_DIR}/${package2}/installConfig
%{DCAP_LINUX_INSTALLER_COMMON_DIR}/${package2}/createTarball.sh
mkdir -p %{DCAP_LINUX_INSTALLER_RPM_DIR}/${package2}/build
tar -xvf %{DCAP_LINUX_INSTALLER_COMMON_DIR}/${package2}/output/${TARBALL_NAME} -C %{DCAP_LINUX_INSTALLER_RPM_DIR}/${package2}/build
done
make -C external/dcap_source/QuoteGeneration qe3_logic
source ./%{DCAP_LINUX_INSTALLER_COMMON_DIR}/libsgx-qe3-logic/installConfig
%{DCAP_LINUX_INSTALLER_COMMON_DIR}/libsgx-qe3-logic/createTarball.sh
mkdir -p %{DCAP_LINUX_INSTALLER_RPM_DIR}/libsgx-qe3-logic/build
tar -xvf %{DCAP_LINUX_INSTALLER_COMMON_DIR}/libsgx-qe3-logic/output/${TARBALL_NAME} -C %{DCAP_LINUX_INSTALLER_RPM_DIR}/libsgx-qe3-logic/build
make -C external/dcap_source/QuoteGeneration qcnl_wrapper
make -C external/dcap_source/QuoteGeneration qpl_wrapper
source ./%{DCAP_LINUX_INSTALLER_COMMON_DIR}/libsgx-dcap-default-qpl/installConfig
%{DCAP_LINUX_INSTALLER_COMMON_DIR}/libsgx-dcap-default-qpl/createTarball.sh
mkdir -p %{DCAP_LINUX_INSTALLER_RPM_DIR}/libsgx-dcap-default-qpl/build
tar -xvf %{DCAP_LINUX_INSTALLER_COMMON_DIR}/libsgx-dcap-default-qpl/output/${TARBALL_NAME} -C %{DCAP_LINUX_INSTALLER_RPM_DIR}/libsgx-dcap-default-qpl/build
make -C external/dcap_source/tools/PCKCertSelection
mkdir -p external/dcap_source/QuoteGeneration/pccs/lib/
cp external/dcap_source/tools/PCKCertSelection/out/libPCKCertSelection.so external/dcap_source/QuoteGeneration/pccs/lib/
source ./%{DCAP_LINUX_INSTALLER_COMMON_DIR}/sgx-dcap-pccs/installConfig
%{DCAP_LINUX_INSTALLER_COMMON_DIR}/sgx-dcap-pccs/createTarball.sh
mkdir -p %{DCAP_LINUX_INSTALLER_RPM_DIR}/sgx-dcap-pccs/build
tar -xvf %{DCAP_LINUX_INSTALLER_COMMON_DIR}/sgx-dcap-pccs/output/${TARBALL_NAME} -C %{DCAP_LINUX_INSTALLER_RPM_DIR}/sgx-dcap-pccs/build
make -C external/dcap_source/QuoteGeneration qve_wrapper
source ./%{DCAP_LINUX_INSTALLER_COMMON_DIR}/libsgx-dcap-ql/installConfig
%{DCAP_LINUX_INSTALLER_COMMON_DIR}/libsgx-dcap-ql/createTarball.sh
mkdir -p %{DCAP_LINUX_INSTALLER_RPM_DIR}/libsgx-dcap-ql/build
tar -xvf %{DCAP_LINUX_INSTALLER_COMMON_DIR}/libsgx-dcap-ql/output/${TARBALL_NAME} -C %{DCAP_LINUX_INSTALLER_RPM_DIR}/libsgx-dcap-ql/build
make -C external/dcap_source/QuoteGeneration qve_wrapper
source ./%{DCAP_LINUX_INSTALLER_COMMON_DIR}/libsgx-ae-qve/installConfig
%{DCAP_LINUX_INSTALLER_COMMON_DIR}/libsgx-ae-qve/createTarball.sh
mkdir -p %{DCAP_LINUX_INSTALLER_RPM_DIR}/libsgx-ae-qve/build
tar -xvf %{DCAP_LINUX_INSTALLER_COMMON_DIR}/libsgx-ae-qve/output/${TARBALL_NAME} -C %{DCAP_LINUX_INSTALLER_RPM_DIR}/libsgx-ae-qve/build
source ./%{DCAP_LINUX_INSTALLER_COMMON_DIR}/libsgx-dcap-quote-verify/installConfig
%{DCAP_LINUX_INSTALLER_COMMON_DIR}/libsgx-dcap-quote-verify/createTarball.sh
mkdir -p %{DCAP_LINUX_INSTALLER_RPM_DIR}/libsgx-dcap-quote-verify/build
tar -xvf %{DCAP_LINUX_INSTALLER_COMMON_DIR}/libsgx-dcap-quote-verify/output/${TARBALL_NAME} -C %{DCAP_LINUX_INSTALLER_RPM_DIR}/libsgx-dcap-quote-verify/build
make -C external/dcap_source/tools/PCKRetrievalTool/
source ./external/dcap_source/tools/PCKRetrievalTool/installer/common/sgx-pck-id-retrieval-tool/installConfig
external/dcap_source/tools/PCKRetrievalTool/installer/common/sgx-pck-id-retrieval-tool/createTarball.sh
mkdir -p external/dcap_source/tools/PCKRetrievalTool/installer/rpm/sgx-pck-id-retrieval-tool/build
tar -xvf external/dcap_source/tools/PCKRetrievalTool/installer/common/sgx-pck-id-retrieval-tool/output/${TARBALL_NAME} -C external/dcap_source/tools/PCKRetrievalTool/installer/rpm/sgx-pck-id-retrieval-tool/build
source ./%{LINUX_INSTALLER_COMMON_DIR}/sgx-aesm-service/installConfig
%{LINUX_INSTALLER_COMMON_DIR}/sgx-aesm-service/createTarball.sh
mkdir -p %{LINUX_INSTALLER_RPM_DIR}/sgx-aesm-service/build
tar -xvf %{LINUX_INSTALLER_COMMON_DIR}/sgx-aesm-service/output/${TARBALL_NAME} -C %{LINUX_INSTALLER_RPM_DIR}/sgx-aesm-service/build
source ./%{LINUX_INSTALLER_COMMON_DIR}/libsgx-epid/installConfig
%{LINUX_INSTALLER_COMMON_DIR}/libsgx-epid/createTarball.sh
mkdir -p %{LINUX_INSTALLER_RPM_DIR}/libsgx-epid/build
tar -xvf %{LINUX_INSTALLER_COMMON_DIR}/libsgx-epid/output/${TARBALL_NAME} -C %{LINUX_INSTALLER_RPM_DIR}/libsgx-epid/build
source ./%{LINUX_INSTALLER_COMMON_DIR}/libsgx-launch/installConfig
%{LINUX_INSTALLER_COMMON_DIR}/libsgx-launch/createTarball.sh
mkdir -p %{LINUX_INSTALLER_RPM_DIR}/libsgx-launch/build
tar -xvf %{LINUX_INSTALLER_COMMON_DIR}/libsgx-launch/output/${TARBALL_NAME} -C %{LINUX_INSTALLER_RPM_DIR}/libsgx-launch/build
source ./%{LINUX_INSTALLER_COMMON_DIR}/libsgx-quote-ex/installConfig
%{LINUX_INSTALLER_COMMON_DIR}/libsgx-quote-ex/createTarball.sh
mkdir -p %{LINUX_INSTALLER_RPM_DIR}/libsgx-quote-ex/build
tar -xvf %{LINUX_INSTALLER_COMMON_DIR}/libsgx-quote-ex/output/${TARBALL_NAME} -C %{LINUX_INSTALLER_RPM_DIR}/libsgx-quote-ex/build
source ./%{LINUX_INSTALLER_COMMON_DIR}/libsgx-uae-service/installConfig
%{LINUX_INSTALLER_COMMON_DIR}/libsgx-uae-service/createTarball.sh
mkdir -p %{LINUX_INSTALLER_RPM_DIR}/libsgx-uae-service/build
tar -xvf %{LINUX_INSTALLER_COMMON_DIR}/libsgx-uae-service/output/${TARBALL_NAME} -C %{LINUX_INSTALLER_RPM_DIR}/libsgx-uae-service/build
source ./%{LINUX_INSTALLER_COMMON_DIR}/libsgx-enclave-common/installConfig
%{LINUX_INSTALLER_COMMON_DIR}/libsgx-enclave-common/createTarball.sh
mkdir -p %{LINUX_INSTALLER_RPM_DIR}/libsgx-enclave-common/build
tar -xvf %{LINUX_INSTALLER_COMMON_DIR}/libsgx-enclave-common/output/${TARBALL_NAME} -C %{LINUX_INSTALLER_RPM_DIR}/libsgx-enclave-common/build
source ./%{LINUX_INSTALLER_COMMON_DIR}/libsgx-urts/installConfig
%{LINUX_INSTALLER_COMMON_DIR}/libsgx-urts/createTarball.sh
mkdir -p %{LINUX_INSTALLER_RPM_DIR}/libsgx-urts/build
tar -xvf %{LINUX_INSTALLER_COMMON_DIR}/libsgx-urts/output/${TARBALL_NAME} -C %{LINUX_INSTALLER_RPM_DIR}/libsgx-urts/build
%define TOOLS_INSTALLER_PLATFORM_DIR external/dcap_source/tools/SGXPlatformRegistration/
%define TOOLS_INSTALLER_COMMON_DIR external/dcap_source/tools/SGXPlatformRegistration/package/installer/common/
%define TOOLS_INSTALLER_RPM_DIR external/dcap_source/tools/SGXPlatformRegistration/package/installer/rpm
make -C %{TOOLS_INSTALLER_PLATFORM_DIR}/package MP_VERIFY_DATA_STRUCTS=$(MP_VERIFY_DATA_STRUCTS)
#make -C %{TOOLS_INSTALLER_PLATFORM_DIR}/package MP_VERIFY_DATA_STRUCTS=$(MP_VERIFY_DATA_STRUCTS)
mkdir -p %{TOOLS_INSTALLER_PLATFORM_DIR}/build/installer
source ./%{TOOLS_INSTALLER_COMMON_DIR}/libsgx-ra-uefi/installConfig
%{TOOLS_INSTALLER_COMMON_DIR}/libsgx-ra-uefi/createTarball.sh
mkdir -p %{TOOLS_INSTALLER_RPM_DIR}/libsgx-ra-uefi/build
tar -xvf %{TOOLS_INSTALLER_COMMON_DIR}/libsgx-ra-uefi/output/${TARBALL_NAME} -C %{TOOLS_INSTALLER_RPM_DIR}/libsgx-ra-uefi/build
packages3=(libsgx-ra-uefi libsgx-ra-network sgx-ra-service)
for package3 in ${packages3[@]}
do
source ./%{TOOLS_INSTALLER_COMMON_DIR}/${package3}/installConfig
%{TOOLS_INSTALLER_COMMON_DIR}/${package3}/createTarball.sh
mkdir -p %{TOOLS_INSTALLER_RPM_DIR}/${package3}/build
tar -xvf %{TOOLS_INSTALLER_COMMON_DIR}/${package3}/output/${TARBALL_NAME} -C %{TOOLS_INSTALLER_RPM_DIR}/${package3}/build
done
source ./%{TOOLS_INSTALLER_COMMON_DIR}/libsgx-ra-network/installConfig
%{TOOLS_INSTALLER_COMMON_DIR}/libsgx-ra-network/createTarball.sh
mkdir -p %{TOOLS_INSTALLER_RPM_DIR}/libsgx-ra-network/build
tar -xvf %{TOOLS_INSTALLER_COMMON_DIR}/libsgx-ra-network/output/${TARBALL_NAME} -C %{TOOLS_INSTALLER_RPM_DIR}/libsgx-ra-network/build
source ./%{TOOLS_INSTALLER_COMMON_DIR}/sgx-ra-service/installConfig
%{TOOLS_INSTALLER_COMMON_DIR}/sgx-ra-service/createTarball.sh
mkdir -p %{TOOLS_INSTALLER_RPM_DIR}/sgx-ra-service/build
tar -xvf %{TOOLS_INSTALLER_COMMON_DIR}/sgx-ra-service/output/${TARBALL_NAME} -C %{TOOLS_INSTALLER_RPM_DIR}/sgx-ra-service/build
source ./%{LINUX_INSTALLER_COMMON_DIR}/libsgx-headers/installConfig
%{LINUX_INSTALLER_COMMON_DIR}/libsgx-headers/createTarball.sh
mkdir -p %{LINUX_INSTALLER_RPM_DIR}/libsgx-headers/build
tar -xvf %{LINUX_INSTALLER_COMMON_DIR}/libsgx-headers/output/${TARBALL_NAME} -C %{LINUX_INSTALLER_RPM_DIR}/libsgx-headers/build
%install
%define _install_path /opt/intel/sgxsdk
pushd %{LINUX_INSTALLER_RPM_DIR}/sdk/build
mkdir %{?buildroot}/sdk-dir/
make DESTDIR=%{?buildroot}/sdk-dir/ install
@ -436,11 +382,12 @@ cp ./sgxsdk/environment %{?buildroot}/sdk-dir/opt/intel/sgxsdk
sed -i 's/^.*export SGX_SDK.*$/export SGX_SDK=\/opt\/intel\/sgxsdk/g' %{?buildroot}/sdk-dir/opt/intel/sgxsdk/environment
find %{LINUX_INSTALLER_RPM_DIR}/sdk/build/package/licenses/ -type f -print0 | xargs -0 -n1 cat >> %{?buildroot}/sdk-dir%{_docdir}/sgxsdk/COPYING
echo "/opt/intel/sgxsdk" > %{LINUX_INSTALLER_RPM_DIR}/sdk/build/list-sgxsdk
find %{?buildroot}/sdk-dir | sort | \
find %{?buildroot}/sdk-dir/ | sort | \
awk '$0 !~ last "/" {print last} {last=$0} END {print last}' | \
sed -e "s#^%{?buildroot}/sdk-dir##" | \
grep -v "^/opt/intel/sgxsdk" >> %{LINUX_INSTALLER_RPM_DIR}/sdk/build/list-sgxsdk || :
cp -r %{?buildroot}/sdk-dir/* %{?buildroot}/
grep -v "^/opt/intel/sgxsdk/SampleCode" >> %{LINUX_INSTALLER_RPM_DIR}/sdk/build/list-sgxsdk || :
sed -i '2d' %{LINUX_INSTALLER_RPM_DIR}/sdk/build/list-sgxsdk
cp -rf %{?buildroot}/sdk-dir/* %{?buildroot}/
rm -rf %{?buildroot}/sdk-dir/
rm -rf %{?buildroot}/opt/intel/sgxsdk/SampleCode
@ -450,10 +397,11 @@ make DESTDIR=%{?buildroot}/libsgx-ae-qe3-dir/ install
install -d %{?buildroot}/libsgx-ae-qe3-dir/%{_docdir}/libsgx-ae-qe3
popd
find %{DCAP_LINUX_INSTALLER_RPM_DIR}/libsgx-ae-qe3/build/package/licenses/ -type f -print0 | xargs -0 -n1 cat >> %{?buildroot}/libsgx-ae-qe3-dir%{_docdir}/libsgx-ae-qe3/COPYING
rm -f %{DCAP_LINUX_INSTALLER_RPM_DIR}/libsgx-ae-qe3/build/list-libsgx-ae-qe3
for f in $(find %{?buildroot}/libsgx-ae-qe3-dir -type f -o -type l); do
echo $f | sed -e "s#%{?buildroot}/libsgx-ae-qe3-dir##" >> %{DCAP_LINUX_INSTALLER_RPM_DIR}/libsgx-ae-qe3/build/list-libsgx-ae-qe3
done
cp -r %{?buildroot}/libsgx-ae-qe3-dir/* %{?buildroot}/
cp -rf %{?buildroot}/libsgx-ae-qe3-dir/* %{?buildroot}/
rm -rf %{?buildroot}/libsgx-ae-qe3-dir/
pushd %{DCAP_LINUX_INSTALLER_RPM_DIR}/libsgx-pce-logic/build
@ -462,10 +410,11 @@ make DESTDIR=%{?buildroot}/libsgx-pce-logic-dir/ install
install -d %{?buildroot}/libsgx-pce-logic-dir/%{_docdir}/libsgx-pce-logic
popd
find %{DCAP_LINUX_INSTALLER_RPM_DIR}/libsgx-pce-logic/build/package/licenses/ -type f -print0 | xargs -0 -n1 cat >> %{?buildroot}/libsgx-pce-logic-dir%{_docdir}/libsgx-pce-logic/COPYING
rm -f %{DCAP_LINUX_INSTALLER_RPM_DIR}/libsgx-pce-logic/build/list-libsgx-pce-logic
for f in $(find %{?buildroot}/libsgx-pce-logic-dir -type f -o -type l); do
echo $f | sed -e "s#%{?buildroot}/libsgx-pce-logic-dir##" >> %{DCAP_LINUX_INSTALLER_RPM_DIR}/libsgx-pce-logic/build/list-libsgx-pce-logic
done
cp -r %{?buildroot}/libsgx-pce-logic-dir/* %{?buildroot}/
cp -rf %{?buildroot}/libsgx-pce-logic-dir/* %{?buildroot}/
rm -rf %{?buildroot}/libsgx-pce-logic-dir/
pushd %{DCAP_LINUX_INSTALLER_RPM_DIR}/libsgx-qe3-logic/build
@ -474,10 +423,11 @@ make DESTDIR=%{?buildroot}/libsgx-qe3-logic-dir/ install
install -d %{?buildroot}/libsgx-qe3-logic-dir/%{_docdir}/libsgx-qe3-logic
popd
find %{DCAP_LINUX_INSTALLER_RPM_DIR}/libsgx-qe3-logic/build/package/licenses/ -type f -print0 | xargs -0 -n1 cat >> %{?buildroot}/libsgx-qe3-logic-dir%{_docdir}/libsgx-qe3-logic/COPYING
rm -f %{DCAP_LINUX_INSTALLER_RPM_DIR}/libsgx-qe3-logic/build/list-libsgx-qe3-logic
for f in $(find %{?buildroot}/libsgx-qe3-logic-dir -type f -o -type l); do
echo $f | sed -e "s#%{?buildroot}/libsgx-qe3-logic-dir##" >> %{DCAP_LINUX_INSTALLER_RPM_DIR}/libsgx-qe3-logic/build/list-libsgx-qe3-logic
done
cp -r %{?buildroot}/libsgx-qe3-logic-dir/* %{?buildroot}/
cp -rf %{?buildroot}/libsgx-qe3-logic-dir/* %{?buildroot}/
rm -rf %{?buildroot}/libsgx-qe3-logic-dir/
pushd %{DCAP_LINUX_INSTALLER_RPM_DIR}/libsgx-dcap-default-qpl/build
@ -486,15 +436,16 @@ make DESTDIR=%{?buildroot}/libsgx-dcap-default-qpl-dir/ install
install -d %{?buildroot}/libsgx-dcap-default-qpl-dir/libsgx-dcap-default-qpl%{_docdir}/libsgx-dcap-default-qpl
popd
find %{DCAP_LINUX_INSTALLER_RPM_DIR}/libsgx-dcap-default-qpl/build/package/licenses/ -type f -print0 | xargs -0 -n1 cat >> %{?buildroot}/libsgx-dcap-default-qpl-dir/libsgx-dcap-default-qpl%{_docdir}/libsgx-dcap-default-qpl/COPYING
rm -f %{DCAP_LINUX_INSTALLER_RPM_DIR}/libsgx-dcap-default-qpl/build/list-libsgx-dcap-default-qpl
for f in $(find %{?buildroot}/libsgx-dcap-default-qpl-dir/libsgx-dcap-default-qpl -type f -o -type l); do
echo $f | sed -e "s#%{?buildroot}/libsgx-dcap-default-qpl-dir/libsgx-dcap-default-qpl##" >> %{DCAP_LINUX_INSTALLER_RPM_DIR}/libsgx-dcap-default-qpl/build/list-libsgx-dcap-default-qpl
done
cp -r %{?buildroot}/libsgx-dcap-default-qpl-dir/libsgx-dcap-default-qpl/* %{?buildroot}/
cp -rf %{?buildroot}/libsgx-dcap-default-qpl-dir/libsgx-dcap-default-qpl/* %{?buildroot}/
rm -rf %{?buildroot}/libsgx-dcap-default-qpl-dir/libsgx-dcap-default-qpl/
for f in $(find %{?buildroot}/libsgx-dcap-default-qpl-dir/libsgx-dcap-default-qpl-dev -type f -o -type l); do
echo $f | sed -e "s#%{?buildroot}/libsgx-dcap-default-qpl-dir/libsgx-dcap-default-qpl-dev##" >> %{DCAP_LINUX_INSTALLER_RPM_DIR}/libsgx-dcap-default-qpl/build/list-libsgx-dcap-default-qpl-devel
done
cp -r %{?buildroot}/libsgx-dcap-default-qpl-dir/libsgx-dcap-default-qpl-dev/* %{?buildroot}/
cp -r %{?buildroot}/libsgx-dcap-default-qpl-dir/libsgx-dcap-default-qpl-dev/* %{?buildroot}/
rm -rf %{?buildroot}/libsgx-dcap-default-qpl-dir/libsgx-dcap-default-qpl-dev/
sed -i 's#^/etc/sgx_default_qcnl.conf#%config &#' %{DCAP_LINUX_INSTALLER_RPM_DIR}/libsgx-dcap-default-qpl/build/list-libsgx-dcap-default-qpl
@ -504,9 +455,25 @@ make DESTDIR=%{?buildroot}/sgx-dcap-pccs-dir/ install
install -d %{?buildroot}/sgx-dcap-pccs-dir%{_docdir}/sgx-dcap-pccs
popd
find %{DCAP_LINUX_INSTALLER_RPM_DIR}/sgx-dcap-pccs/build/build/package/licenses/ -type f -print0 | xargs -0 -n1 cat >> %{?buildroot}/sgx-dcap-pccs-dir%{_docdir}/sgx-dcap-pccs/COPYING
echo "/opt/intel/sgx-dcap-pccs" > %{DCAP_LINUX_INSTALLER_RPM_DIR}/sgx-dcap-pccs/build/list-sgx-dcap-pccs
echo %{_docdir}/sgx-dcap-pccs/COPYING >> %{DCAP_LINUX_INSTALLER_RPM_DIR}/sgx-dcap-pccs/build/list-sgx-dcap-pccs
echo "%config /opt/intel/sgx-dcap-pccs/config/default.json" >> %{DCAP_LINUX_INSTALLER_RPM_DIR}/sgx-dcap-pccs/build/list-sgx-dcap-pccs
find %{?buildroot}/sgx-dcap-pccs-dir -type d -links 2 | \
sed -e "s#^%{?buildroot}/sgx-dcap-pccs-dir##" | \
grep -v "^%{_libdir}" | \
grep -v "^%{_bindir}" | \
grep -v "^%{_sysconfdir}" | \
grep -v "^%{_install_path}" | \
sed -e "s#^#%dir #" > %{DCAP_LINUX_INSTALLER_RPM_DIR}/sgx-dcap-pccs/build/list-sgx-dcap-pccs
for f in $(find %{?buildroot}/sgx-dcap-pccs-dir); do
if [ -d ${f} ]; then
echo ${f} | \
sed -e "s#^%{?buildroot}/sgx-dcap-pccs-dir##" | \
grep "^%{_install_path}" | \
sed -e "s#^#%dir #" >> %{DCAP_LINUX_INSTALLER_RPM_DIR}/sgx-dcap-pccs/build/list-sgx-dcap-pccs
else
echo ${f} | \
sed -e "s#^%{?buildroot}/sgx-dcap-pccs-dir##" >> %{DCAP_LINUX_INSTALLER_RPM_DIR}/sgx-dcap-pccs/build/list-sgx-dcap-pccs
fi
done
sed -i 's#^%{_install_path}/config/default.json#%config &#' %{DCAP_LINUX_INSTALLER_RPM_DIR}/sgx-dcap-pccs/build/list-sgx-dcap-pccs
cp -r %{?buildroot}/sgx-dcap-pccs-dir/* %{?buildroot}/
rm -rf %{?buildroot}/sgx-dcap-pccs-dir/
@ -516,11 +483,13 @@ make DESTDIR=%{?buildroot}/libsgx-dcap-ql-dir/ install
install -d %{?buildroot}/libsgx-dcap-ql-dir/libsgx-dcap-ql%{_docdir}/libsgx-dcap-ql
popd
find %{DCAP_LINUX_INSTALLER_RPM_DIR}/libsgx-dcap-ql/build/package/licenses/ -type f -print0 | xargs -0 -n1 cat >> %{?buildroot}/libsgx-dcap-ql-dir/libsgx-dcap-ql%{_docdir}/libsgx-dcap-ql/COPYING
rm -f %{DCAP_LINUX_INSTALLER_RPM_DIR}/libsgx-dcap-ql/build/list-libsgx-dcap-ql
for f in $(find %{?buildroot}/libsgx-dcap-ql-dir/libsgx-dcap-ql -type f -o -type l); do
echo $f | sed -e "s#%{?buildroot}/libsgx-dcap-ql-dir/libsgx-dcap-ql##" >> %{DCAP_LINUX_INSTALLER_RPM_DIR}/libsgx-dcap-ql/build/list-libsgx-dcap-ql
done
cp -r %{?buildroot}/libsgx-dcap-ql-dir/libsgx-dcap-ql/* %{?buildroot}/
cp -rf %{?buildroot}/libsgx-dcap-ql-dir/libsgx-dcap-ql/* %{?buildroot}/
rm -rf %{?buildroot}/libsgx-dcap-ql-dir/libsgx-dcap-ql
rm -f %{DCAP_LINUX_INSTALLER_RPM_DIR}/libsgx-dcap-ql/build/list-libsgx-dcap-ql-devel
for f in $(find %{?buildroot}/libsgx-dcap-ql-dir/libsgx-dcap-ql-dev -type f -o -type l); do
echo $f | sed -e "s#%{?buildroot}/libsgx-dcap-ql-dir/libsgx-dcap-ql-dev##" >> %{DCAP_LINUX_INSTALLER_RPM_DIR}/libsgx-dcap-ql/build/list-libsgx-dcap-ql-devel
done
@ -533,31 +502,32 @@ make DESTDIR=%{?buildroot}/libsgx-ae-qve-dir/ install
install -d %{?buildroot}/libsgx-ae-qve-dir%{_docdir}/libsgx-ae-qve
popd
find %{DCAP_LINUX_INSTALLER_RPM_DIR}/libsgx-ae-qve/build/package/licenses/ -type f -print0 | xargs -0 -n1 cat >> %{?buildroot}/libsgx-ae-qve-dir/%{_docdir}/libsgx-ae-qve/COPYING
rm -f %{DCAP_LINUX_INSTALLER_RPM_DIR}/libsgx-ae-qve/build/list-libsgx-ae-qve
for f in $(find %{?buildroot}/libsgx-ae-qve-dir -type f -o -type l); do
echo $f | sed -e "s#%{?buildroot}/libsgx-ae-qve-dir##" >> %{DCAP_LINUX_INSTALLER_RPM_DIR}/libsgx-ae-qve/build/list-libsgx-ae-qve
done
cp -r %{?buildroot}/libsgx-ae-qve-dir/* %{?buildroot}/
rm -rf %{?buildroot}/libsgx-ae-qve-dir/
pushd %{DCAP_LINUX_INSTALLER_RPM_DIR}/libsgx-dcap-quote-verify/build
mkdir -p %{?buildroot}/libsgx-dcap-quote-verify-dir/
make DESTDIR=%{?buildroot}/libsgx-dcap-quote-verify-dir/ install
install -d %{?buildroot}/libsgx-dcap-quote-verify-dir/libsgx-dcap-quote-verify%{_docdir}/libsgx-dcap-quote-verify
popd
find %{DCAP_LINUX_INSTALLER_RPM_DIR}/libsgx-dcap-quote-verify/build/package/licenses/ -type f -print0 | xargs -0 -n1 cat >> %{?buildroot}/libsgx-dcap-quote-verify-dir/libsgx-dcap-quote-verify%{_docdir}/libsgx-dcap-quote-verify/COPYING
rm -f %{DCAP_LINUX_INSTALLER_RPM_DIR}/libsgx-dcap-quote-verify/build/list-libsgx-dcap-quote-verify
for f in $(find %{?buildroot}/libsgx-dcap-quote-verify-dir/libsgx-dcap-quote-verify -type f -o -type l); do
echo $f | sed -e "s#%{?buildroot}/libsgx-dcap-quote-verify-dir/libsgx-dcap-quote-verify##" >> %{DCAP_LINUX_INSTALLER_RPM_DIR}/libsgx-dcap-quote-verify/build/list-libsgx-dcap-quote-verify
done
cp -r %{?buildroot}/libsgx-dcap-quote-verify-dir/libsgx-dcap-quote-verify/* %{?buildroot}/
rm -rf %{?buildroot}/libsgx-dcap-quote-verify-dir/libsgx-dcap-quote-verify
rm -f %{DCAP_LINUX_INSTALLER_RPM_DIR}/libsgx-dcap-quote-verify/build/list-libsgx-dcap-quote-verify-devel
for f in $(find %{?buildroot}/libsgx-dcap-quote-verify-dir/libsgx-dcap-quote-verify-dev -type f -o -type l); do
echo $f | sed -e "s#%{?buildroot}/libsgx-dcap-quote-verify-dir/libsgx-dcap-quote-verify-dev##" >> %{DCAP_LINUX_INSTALLER_RPM_DIR}/libsgx-dcap-quote-verify/build/list-libsgx-dcap-quote-verify-devel
done
cp -r %{?buildroot}/libsgx-dcap-quote-verify-dir/libsgx-dcap-quote-verify-dev/* %{?buildroot}/
rm -rf %{?buildroot}/libsgx-dcap-quote-verify-dir/libsgx-dcap-quote-verify-dev
pushd external/dcap_source/tools/PCKRetrievalTool/installer/rpm/sgx-pck-id-retrieval-tool/build
mkdir -p %{?buildroot}/sgx-pck-id-retrieval-tool-dir/
make DESTDIR=%{?buildroot}/sgx-pck-id-retrieval-tool-dir/ install
@ -571,7 +541,6 @@ sed -i 's#^/etc/rad.conf#%config &#' external/dcap_source/tools/PCKRetrievalTool
cp -r %{?buildroot}/sgx-pck-id-retrieval-tool-dir/* %{?buildroot}/
rm -rf %{?buildroot}/sgx-pck-id-retrieval-tool-dir/
source ./%{LINUX_INSTALLER_COMMON_DIR}/sgx-aesm-service/installConfig
PACKAGE_NAMES[0]=${AESM_SERVICE_PACKAGE_NAME}
PACKAGE_NAMES[1]=${AE_EPID_PACKAGE_NAME}
@ -730,7 +699,7 @@ find %{?buildroot}/sgx-ra-service-dir | sort | \
awk '$0 !~ last "/" {print last} {last=$0} END {print last}' | \
sed -e "s#^%{?buildroot}/sgx-ra-service-dir##" | \
grep -v "^/opt/intel/sgx-ra-service" >> %{TOOLS_INSTALLER_RPM_DIR}/sgx-ra-service/build/list-sgx-ra-service || :
sed -i 's#^/etc/rad.conf#%config &#' %{TOOLS_INSTALLER_RPM_DIR}/sgx-ra-service/build/list-sgx-ra-service
sed -i 's#^/etc/mpa_registration.conf#%config &#' %{TOOLS_INSTALLER_RPM_DIR}/sgx-ra-service/build/list-sgx-ra-service
cp -r %{?buildroot}/sgx-ra-service-dir/* %{?buildroot}/
rm -rf %{?buildroot}/sgx-ra-service-dir/
@ -749,7 +718,7 @@ rm -rf %{?buildroot}/libsgx-headers-dir/
%pre
%post -n sgx-aesm-service
%posttrans -n sgx-aesm-service
if [ -x /opt/intel/sgx-aesm-service/startup.sh ]; then /opt/intel/sgx-aesm-service/startup.sh; fi
%post -n libsgx-enclave-common
@ -762,47 +731,10 @@ trigger_udev() {
}
trigger_udev
%post -n sgx-dcap-pccs
PCCS_USER=pccs
PCCS_HOME=/opt/intel/sgx-dcap-pccs
if [ ! $(getent group $PCCS_USER) ]; then
groupadd $PCCS_USER
fi
if ! id "$PCCS_USER" &>/dev/null; then
adduser --system $PCCS_USER -g $PCCS_USER --home $PCCS_HOME --no-create-home --shell /bin/bash
fi
chown -R $PCCS_USER:$PCCS_USER $PCCS_HOME
chmod 640 $PCCS_HOME/config/default.json
#Install PCCS as system service
echo -n "Installing PCCS service ..."
if [ -d /run/systemd/system ]; then
PCCS_NAME=pccs.service
PCCS_TEMP=$PCCS_HOME/$PCCS_NAME
if [ -d /lib/systemd/system ]; then
PCCS_DEST=/lib/systemd/system/$PCCS_NAME
else
PCCS_DEST=/usr/lib/systemd/system/$PCCS_NAME
fi
cp $PCCS_TEMP $PCCS_DEST
chmod 0644 $PCCS_DEST
systemctl daemon-reload
systemctl enable pccs
elif [ -d /etc/init/ ]; then
PCCS_NAME=pccs.service
PCCS_TEMP=$PCCS_HOME/$PCCS_NAME
PCCS_DEST=/etc/init/$PCCS_NAME
cp $PCCS_TEMP $PCCS_DEST
chmod 0644 $PCCS_DEST
/sbin/initctl reload-configuration
else
echo " failed."
echo "Unsupported platform - neither systemctl nor initctl was found."
exit 5
fi
echo "finished."
echo "Installation completed successfully."
%preun -n sgx-dcap-pccs
if [ $1 == 0 -a -x /opt/intel/sgx-dcap-pccs/cleanup.sh ]; then /opt/intel/sgx-dcap-pccs/cleanup.sh; fi
%post -n sgx-pck-id-retrieval-tool
%posttrans -n sgx-pck-id-retrieval-tool
################################################################################
# Set up SGX pck cert id retrieve tool #
################################################################################
@ -832,84 +764,13 @@ if [ -c /dev/sgx_provision -o -c /dev/sgx/provision ]; then
trigger_udev
fi
%post -n sgx-ra-service
################################################################################
# Set up SGX Registration Agent #
################################################################################
# Generate the script to setup environment variables
MPA_DST_PATH=/opt/intel/sgx-ra-service
# Install the MPA service
if [ -d /run/systemd/users ]; then
MPA_NAME=mpa_registration_tool.service
MPA_TEMP=$MPA_DST_PATH/$MPA_NAME
if [ -d /lib/systemd/system ]; then
MPA_DEST=/lib/systemd/system/$MPA_NAME
else
MPA_DEST=/usr/lib/systemd/system/$MPA_NAME
fi
# sed -e "s:@mpa_folder@:$MPA_DST_PATH:" \
# $MPA_TEMP > $MPA_DEST
chmod 0644 $MPA_DEST
systemctl enable mpa_registration_tool.service
#systemctl enable systemd-networkd-wait-online
retval=$?
elif [ -d /etc/init/ ]; then
MPA_NAME=mpa_registration_tool.conf
MPA_TEMP=$MPA_DST_PATH/$MPA_NAME
MPA_DEST=/etc/init/$MPA_NAME
sed -e "s:@mpa_folder@:$MPA_DST_PATH:" \
$MPA_TEMP > $MPA_DEST
chmod 0644 $MPA_DEST
/sbin/initctl reload-configuration
retval=$?
else
echo "Failed."
echo "Unsupported platform - neither systemctl nor initctl is no found."
exit 5
fi
if test $retval -ne 0; then
echo "failed to install $MPA_NAME."
exit 6
fi
#Removing config files from temporary location
rm -f $MPA_DST_PATH/mpa_registration_tool.conf
rm -f $MPA_DST_PATH/mpa_registration_tool.service
echo -e "Installation succeed!"
#Run service
systemctl start mpa_registration_tool.service
%postun -n sgx-ra-service
%preun -n sgx-ra-service
if [ "$1" = "0" ]; then
# Generate the script to setup environment variables
MPA_DST_PATH=/opt/intel/sgx-ra-service
# Disable service
if [ -d /run/systemd/users ]; then
systemctl disable mpa_registration_tool.service
fi
# Removing MPA configuration file
rm -f /etc/init/mpa_registration_tool.conf
rm -f /lib/systemd/system/mpa_registration_tool.service
rm -f /usr/lib/systemd/system/mpa_registration_tool.service
rm -f /etc/systemd/system/mpa_registration_tool.service
# Removing MPA folder
rm -rf $MPA_DST_PATH
#Removing log file
rm -f /var/log/mpa_registration.log
if [ -x /opt/intel/sgx-ra-service/cleanup.sh ]; then /opt/intel/sgx-ra-service/cleanup.sh; fi
fi
echo -e "Uninstallation succeed!"
%posttrans -n sgx-ra-service
if [ -x /opt/intel/sgx-ra-service/startup.sh ]; then /opt/intel/sgx-ra-service/startup.sh; fi
%postun -n sgx-pck-id-retrieval-tool
# Removing SGX_PCK_ID_RETRIEVE_TOOL soft link file
@ -924,34 +785,8 @@ if [ "$1" = "0" ]; then
if [ -x /opt/intel/sgx-aesm-service/cleanup.sh ]; then /opt/intel/sgx-aesm-service/cleanup.sh; fi
fi
%postun -n sgx-dcap-pccs
if [ $1 == 0 ]; then
echo -n "Uninstalling PCCS service ..."
if [ -d /run/systemd/system ]; then
PCCS_NAME=pccs.service
if [ -d /lib/systemd/system ]; then
PCCS_DEST=/lib/systemd/system/$PCCS_NAME
else
PCCS_DEST=/usr/lib/systemd/system/$PCCS_NAME
fi
systemctl stop pccs || true
systemctl disable pccs || true
rm $PCCS_DEST || true
systemctl daemon-reload
elif [ -d /etc/init/ ]; then
PCCS_NAME=pccs.service
PCCS_DEST=/etc/init/$PCCS_NAME
rm $PCCS_DEST || true
/sbin/initctl reload-configuration
fi
echo "finished."
if [ -d %{_install_path} ]; then
pushd %{_install_path} &> /dev/null
rm -rf node_modules || true
popd &> /dev/null
fi
fi
%post -n sgx-dcap-pccs
if [ -x /opt/intel/sgx-dcap-pccs/startup.sh ]; then /opt/intel/sgx-dcap-pccs/startup.sh; fi
%files -n sgxsdk -f %{LINUX_INSTALLER_RPM_DIR}/sdk/build/list-sgxsdk
@ -1032,6 +867,9 @@ fi
%files -n libsgx-headers -f %{LINUX_INSTALLER_RPM_DIR}/libsgx-headers/build/list-libsgx-headers
%changelog
* Mon Feb 06 2023 wangyu <wangyu283@huawei.com> - 2.18.1-1
- Upgrade to 2.18.1
* Thu Feb 02 2023 wangyu <wangyu283@huawei.com> - 2.15.1-9
- Add ocaml and compat-openssl11-devel to build require


BIN
prebuilt_ae_2.18.1.tar.gz Normal file


BIN
prebuilt_dcap_1.15.tar.gz Normal file


BIN
sgx-emm-1.0.0.tar.gz Normal file


BIN
sgx_2.18.1.tar.gz Normal file


BIN
v3.20.1.tar.gz Normal file
