diff --git a/0001-disable-the-download-process-in-building.patch b/0001-disable-the-download-process-in-building.patch index 1632617..7d8103d 100644 --- a/0001-disable-the-download-process-in-building.patch +++ b/0001-disable-the-download-process-in-building.patch @@ -12,7 +12,7 @@ diff --git a/Makefile b/Makefile index 34d43bad..072c5dd2 100644 --- a/Makefile +++ b/Makefile -@@ -50,13 +50,13 @@ tips: +@@ -50,14 +50,14 @@ tips: preparation: # As SDK build needs to clone and patch openmp, we cannot support the mode that download the source from github as zip. # Only enable the download from git @@ -22,6 +22,7 @@ index 34d43bad..072c5dd2 100644 + # ./external/dcap_source/QuoteVerification/prepare_sgxssl.sh nobuild cd external/openmp/openmp_code && git apply ../0001-Enable-OpenMP-in-SGX.patch >/dev/null 2>&1 || git apply ../0001-Enable-OpenMP-in-SGX.patch --check -R cd external/protobuf/protobuf_code && git apply ../sgx_protobuf.patch >/dev/null 2>&1 || git apply ../sgx_protobuf.patch --check -R + ./external/sgx-emm/create_symlink.sh @# download prebuilt binaries - ./download_prebuilt.sh - ./external/dcap_source/QuoteGeneration/download_prebuilt.sh 
@@ -30,14 +31,14 @@ index 34d43bad..072c5dd2 100644 psw: $(MAKE) -C psw/ USE_OPT_LIBS=$(USE_OPT_LIBS) -diff --git a/external/dcap_source/SGXDataCenterAttestationPrimitives-DCAP_1.12.1/QuoteVerification/prepare_sgxssl.sh b/external/dcap_source/SGXDataCenterAttestationPrimitives-DCAP_1.12.1/QuoteVerification/prepare_sgxssl.sh +diff --git a/external/dcap_source/QuoteVerification/prepare_sgxssl.sh b/external/dcap_source/QuoteVerification/prepare_sgxssl.sh index 8a3c9e46..f490a2b7 100755 ---- a/external/dcap_source/SGXDataCenterAttestationPrimitives-DCAP_1.12.1/QuoteVerification/prepare_sgxssl.sh -+++ b/external/dcap_source/SGXDataCenterAttestationPrimitives-DCAP_1.12.1/QuoteVerification/prepare_sgxssl.sh +--- a/external/dcap_source/QuoteVerification/prepare_sgxssl.sh ++++ b/external/dcap_source/QuoteVerification/prepare_sgxssl.sh @@ -44,37 +44,37 @@ full_openssl_url_old=$server_url_path/old/1.1.1/$openssl_ver_name.tar.gz - sgxssl_chksum=825e58823f2ec39bcfb69c2c62cc4e769bdac057ade10b362cdeac1f5a563954 - openssl_chksum=0b7a3e5e59c34827fe0c3a74b7ec8baef302b98fa80088d7f9153aa16fa76bd1 + sgxssl_chksum=6c33d2178b6b01bdbb1f97804ae14aec13544b0cb45902a0906c20ef7b4032bc + openssl_chksum=d7939ce614029cdff0b6c20f0e2e5703158a489a72b2507b8bd51bf8c8fd10ca -rm -f check_sum_sgxssl.txt check_sum_openssl.txt -if [ ! -f $build_script ]; then - wget $sgxssl_github_archive/$sgxssl_file_name.zip -P $sgxssl_dir/ || exit 1 diff --git a/0002-fix-building-error-for-systemd.patch b/0002-fix-building-error-for-systemd.patch index 872a184..ce4c22f 100644 --- a/0002-fix-building-error-for-systemd.patch +++ b/0002-fix-building-error-for-systemd.patch 
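Review bot: In the refreshed `prepare_sgxssl.sh` hunk the `sgxssl_chksum` and `openssl_chksum` context values are updated, but nothing visible here shows them still being checked. The lines the inner patch removes directly below them (`rm -f check_sum_sgxssl.txt check_sum_openssl.txt` and the `wget … || exit 1` download) suggest that the download-and-verify step is what is being disabled. If so, the bundled sgxssl and OpenSSL sources are trusted only because they ship in the source package, and a checksum comparison in the packaging's prepare step would restore the check. The rest of the inner hunk lies outside this hunk, so this needs confirming against the full patch.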
@@ -12,45 +12,49 @@ Subject: [PATCH] systemd linux/installer/common/sgx-aesm-service/startup.sh | 2 +- 6 files changed, 14 insertions(+), 14 deletions(-) -diff --git a/external/dcap_source/SGXDataCenterAttestationPrimitives-DCAP_1.12.1/tools/SGXPlatformRegistration/package/installer/common/sgx-ra-service/Makefile b/external/dcap_source/SGXDataCenterAttestationPrimitives-DCAP_1.12.1/tools/SGXPlatformRegistration/package/installer/common/sgx-ra-service/Makefile -index 1f3efdb..81592b1 100644 ---- a/external/dcap_source/SGXDataCenterAttestationPrimitives-DCAP_1.12.1/tools/SGXPlatformRegistration/package/installer/common/sgx-ra-service/Makefile -+++ b/external/dcap_source/SGXDataCenterAttestationPrimitives-DCAP_1.12.1/tools/SGXPlatformRegistration/package/installer/common/sgx-ra-service/Makefile +diff --git a/external/dcap_source/tools/SGXPlatformRegistration/package/cleanup.sh b/external/dcap_source/tools/SGXPlatformRegistration/package/cleanup.sh +index ee16324..a3ce6d9 100755 +--- a/external/dcap_source/tools/SGXPlatformRegistration/package/cleanup.sh ++++ b/external/dcap_source/tools/SGXPlatformRegistration/package/cleanup.sh +@@ -38,7 +38,7 @@ if test $(id -u) -ne 0; then + exit 1 + fi + +-if [ -d /run/systemd/system ]; then ++if [ -d /run/systemd/users ]; then + systemctl daemon-reload + systemctl stop mpa_registration_tool + systemctl disable mpa_registration_tool ||: +diff --git a/external/dcap_source/tools/SGXPlatformRegistration/package/installer/common/sgx-ra-service/Makefile b/external/dcap_source/tools/SGXPlatformRegistration/package/installer/common/sgx-ra-service/Makefile +index 72c7557..2ca16b8 100644 +--- a/external/dcap_source/tools/SGXPlatformRegistration/package/installer/common/sgx-ra-service/Makefile ++++ b/external/dcap_source/tools/SGXPlatformRegistration/package/installer/common/sgx-ra-service/Makefile 
@@ -37,9 +37,9 @@ PACKAGES=$(notdir $(wildcard $(PACKAGE_ROOT_FOLDER)/*)) VAR_OPT_PATH=/var/opt/sgxra USR_LIB_PATH=/usr/$(notdir $(shell gcc -print-multi-os-directory))/$(shell dpkg-architecture -qDEB_HOST_MULTIARCH 2> /dev/null) --RAD_CONF_NAME=$(if $(wildcard /run/systemd/system/.*),mpa_registration_tool.service,$(if $(wildcard /etc/init/.*),mpa_registration_tool.conf,)) --RAD_CONF_DEL=$(if $(wildcard /run/systemd/system/.*),mpa_registration_tool.conf,$(if $(wildcard /etc/init/.*),mpa_registration_tool.service,)) --RAD_CONF_PATH=$(if $(wildcard /run/systemd/system/.*),$(if $(wildcard /lib/systemd/system/.*),/lib/systemd/system,/usr/lib/systemd/system),$(if $(wildcard /etc/init/.*),/etc/init/)) -+RAD_CONF_NAME=$(if $(wildcard /run/systemd/users/.*),mpa_registration_tool.service,$(if $(wildcard /etc/init/.*),mpa_registration_tool.conf,)) -+RAD_CONF_DEL=$(if $(wildcard /run/systemd/users/.*),mpa_registration_tool.conf,$(if $(wildcard /etc/init/.*),mpa_registration_tool.service,)) -+RAD_CONF_PATH=$(if $(wildcard /run/systemd/users/.*),$(if $(wildcard /lib/systemd/system/.*),/lib/systemd/system,/usr/lib/systemd/system),$(if $(wildcard /etc/init/.*),/etc/init/)) +-RAD_CONF_NAME=$(if $(wildcard /run/systemd/system/.),mpa_registration_tool.service,$(if $(wildcard /etc/init/.),mpa_registration_tool.conf,)) +-RAD_CONF_DEL=$(if $(wildcard /run/systemd/system/.),mpa_registration_tool.conf,$(if $(wildcard /etc/init/.),mpa_registration_tool.service,)) +-RAD_CONF_PATH=$(if $(wildcard /run/systemd/system/.),$(if $(wildcard /lib/systemd/system/.),/lib/systemd/system,/usr/lib/systemd/system),$(if $(wildcard /etc/init/.),/etc/init/)) ++RAD_CONF_NAME=$(if $(wildcard /run/systemd/users/.),mpa_registration_tool.service,$(if $(wildcard /etc/init/.),mpa_registration_tool.conf,)) ++RAD_CONF_DEL=$(if $(wildcard /run/systemd/users/.),mpa_registration_tool.conf,$(if $(wildcard /etc/init/.),mpa_registration_tool.service,)) ++RAD_CONF_PATH=$(if $(wildcard /run/systemd/users/.),$(if $(wildcard 
/lib/systemd/system/.),/lib/systemd/system,/usr/lib/systemd/system),$(if $(wildcard /etc/init/.),/etc/init/)) ifeq ($(RAD_CONF_NAME),) ifneq ($(shell awk -F/ '$$2 == "docker"' /proc/self/cgroup),) -diff --git a/external/dcap_source/SGXDataCenterAttestationPrimitives-DCAP_1.12.1/tools/SGXPlatformRegistration/package/installer/rpm/sgx-ra-service/sgx-ra-service.spec b/external/dcap_source/SGXDataCenterAttestationPrimitives-DCAP_1.12.1/tools/SGXPlatformRegistration/package/installer/rpm/sgx-ra-service/sgx-ra-service.spec -index 89c1d8d..5c10e80 100644 ---- a/external/dcap_source/SGXDataCenterAttestationPrimitives-DCAP_1.12.1/tools/SGXPlatformRegistration/package/installer/rpm/sgx-ra-service/sgx-ra-service.spec -+++ b/external/dcap_source/SGXDataCenterAttestationPrimitives-DCAP_1.12.1/tools/SGXPlatformRegistration/package/installer/rpm/sgx-ra-service/sgx-ra-service.spec -@@ -72,7 +72,7 @@ MPA_DST_PATH=%{_instal_path} - - # Install the MPA service - --if [ -d /run/systemd/system ]; then -+if [ -d /run/systemd/users ]; then - MPA_NAME=mpa_registration_tool.service - MPA_TEMP=$MPA_DST_PATH/$MPA_NAME - if [ -d /lib/systemd/system ]; then -@@ -122,7 +122,7 @@ systemctl start mpa_registration_tool.service - MPA_DST_PATH=%{_install_path} - - # Disable service --if [ -d /run/systemd/system ]; then -+if [ -d /run/systemd/users ]; then - systemctl disable mpa_registration_tool.service +diff --git a/external/dcap_source/tools/SGXPlatformRegistration/package/startup.sh b/external/dcap_source/tools/SGXPlatformRegistration/package/startup.sh +index e596d99..21849fc 100755 +--- a/external/dcap_source/tools/SGXPlatformRegistration/package/startup.sh ++++ b/external/dcap_source/tools/SGXPlatformRegistration/package/startup.sh +@@ -38,7 +38,7 @@ if test $(id -u) -ne 0; then + exit 1 fi +-if [ -d /run/systemd/system ]; then ++if [ -d /run/systemd/users ]; then + systemctl enable mpa_registration_tool + systemctl start mpa_registration_tool + elif [ -d /etc/init/ ]; then 
diff --git a/linux/installer/common/psw/install.sh b/linux/installer/common/psw/install.sh index 042f83c..1ab1e5b 100755 --- a/linux/installer/common/psw/install.sh @@ -134,6 +138,139 @@ index e73c435..9170d7c 100755 systemctl enable aesmd systemctl start aesmd elif [ -d /etc/init/ ]; then + 
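Review bot: The added guard `if [ -d /run/systemd/users ]; then` tests a directory that systemd does not document for detecting that it is the running init; that directory is `/run/systemd/system`. The guard appears in the `cleanup.sh` and `startup.sh` hunks here and in every script added by the next hunk (tdx-qgs, pccs, psw-dcap, psw-tdx), all of which run on the installed host rather than in the build root. `/run/systemd/users` is maintained by systemd-logind, so on a host or container where it is absent the `systemctl enable`/`start` branch is skipped at install time and the `systemctl stop`/`disable` branch in `cleanup.sh` is skipped at removal, which would leave the aesmd, qgsd, pccs or mpa_registration_tool unit enabled after uninstall. If the goal is only to get past the build environment (inferred from the patch title), limit the change to the Makefile `$(wildcard …)` probes and keep `if [ -d /run/systemd/system ]; then` in the runtime scripts.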
diff --git a/external/dcap_source/QuoteGeneration/installer/linux/common/sgx-dcap-pccs/Makefile b/external/dcap_source/QuoteGeneration/installer/linux/common/sgx-dcap-pccs/Makefile +index 06f81f5..721a516 100644 +--- a/external/dcap_source/QuoteGeneration/installer/linux/common/sgx-dcap-pccs/Makefile ++++ b/external/dcap_source/QuoteGeneration/installer/linux/common/sgx-dcap-pccs/Makefile +@@ -35,7 +35,7 @@ PACKAGE_ROOT_FOLDER=pkgroot + PACKAGES=$(notdir $(wildcard $(PACKAGE_ROOT_FOLDER)/*)) + + PCCS_CONF=pccs.service +-PCCS_CONF_PATH=$(if $(wildcard /run/systemd/system/.),$(if $(wildcard /lib/systemd/system/.),/lib/systemd/system,/usr/lib/systemd/system),$(if $(wildcard /etc/init/.),/etc/init/)) ++PCCS_CONF_PATH=$(if $(wildcard /run/systemd/users/.),$(if $(wildcard /lib/systemd/system/.),/lib/systemd/system,/usr/lib/systemd/system),$(if $(wildcard /etc/init/.),/etc/init/)) + + ifeq ($(PCCS_CONF_PATH),) + ifneq ($(shell awk -F/ '$$2 == "docker"' /proc/self/cgroup),) +diff --git a/external/dcap_source/QuoteGeneration/installer/linux/common/tdx-qgs/Makefile b/external/dcap_source/QuoteGeneration/installer/linux/common/tdx-qgs/Makefile +index fcf4b7f..538c658 100644 +--- a/external/dcap_source/QuoteGeneration/installer/linux/common/tdx-qgs/Makefile ++++ b/external/dcap_source/QuoteGeneration/installer/linux/common/tdx-qgs/Makefile +@@ -34,9 +34,9 @@ include installConfig + PACKAGE_ROOT_FOLDER=pkgroot + PACKAGES=$(notdir $(wildcard $(PACKAGE_ROOT_FOLDER)/*)) + +-QGSD_CONF_NAME=$(if $(wildcard /run/systemd/system/.*),qgsd.service,$(if $(wildcard /etc/init/.*),qgsd.conf,)) +-QGSD_CONF_DEL=$(if $(wildcard /run/systemd/system/.*),qgsd.conf,$(if $(wildcard /etc/init/.*),qgsd.service,)) +-QGSD_CONF_PATH=$(if $(wildcard /run/systemd/system/.*),$(if $(wildcard /lib/systemd/system/.*),/lib/systemd/system,/usr/lib/systemd/system),$(if $(wildcard /etc/init/.*),/etc/init/)) ++QGSD_CONF_NAME=$(if $(wildcard /run/systemd/users/.*),qgsd.service,$(if $(wildcard 
/etc/init/.*),qgsd.conf,)) ++QGSD_CONF_DEL=$(if $(wildcard /run/systemd/users/.*),qgsd.conf,$(if $(wildcard /etc/init/.*),qgsd.service,)) ++QGSD_CONF_PATH=$(if $(wildcard /run/systemd/users/.*),$(if $(wildcard /lib/systemd/system/.*),/lib/systemd/system,/usr/lib/systemd/system),$(if $(wildcard /etc/init/.*),/etc/init/)) + + ifeq ($(QGSD_CONF_NAME),) + ifneq ($(shell awk -F/ '$$2 == "docker"' /proc/self/cgroup),) +diff --git a/external/dcap_source/QuoteGeneration/installer/linux/common/tdx-qgs/cleanup.sh b/external/dcap_source/QuoteGeneration/installer/linux/common/tdx-qgs/cleanup.sh +index e0cf354..ba501a5 100755 +--- a/external/dcap_source/QuoteGeneration/installer/linux/common/tdx-qgs/cleanup.sh ++++ b/external/dcap_source/QuoteGeneration/installer/linux/common/tdx-qgs/cleanup.sh +@@ -39,7 +39,7 @@ if test $(id -u) -ne 0; then + fi + + # Kill qgsd service +-if [ -d /run/systemd/system ]; then ++if [ -d /run/systemd/users ]; then + systemctl daemon-reload + systemctl stop qgsd + systemctl disable qgsd 2> /dev/null +diff --git a/external/dcap_source/QuoteGeneration/installer/linux/common/tdx-qgs/startup.sh b/external/dcap_source/QuoteGeneration/installer/linux/common/tdx-qgs/startup.sh +index 230c666..4d09d54 100755 +--- a/external/dcap_source/QuoteGeneration/installer/linux/common/tdx-qgs/startup.sh ++++ b/external/dcap_source/QuoteGeneration/installer/linux/common/tdx-qgs/startup.sh +@@ -46,7 +46,7 @@ id -u qgsd &> /dev/null || \ + + + # Start the AESMD service +-if [ -d /run/systemd/system ]; then ++if [ -d /run/systemd/users ]; then + systemctl enable qgsd + systemctl start qgsd + elif [ -d /etc/init/ ]; then +diff --git a/external/dcap_source/QuoteGeneration/pccs/cleanup.sh b/external/dcap_source/QuoteGeneration/pccs/cleanup.sh +index 7a9e827..aa55b84 100755 +--- a/external/dcap_source/QuoteGeneration/pccs/cleanup.sh ++++ b/external/dcap_source/QuoteGeneration/pccs/cleanup.sh +@@ -43,7 +43,7 @@ rm -rf ${PCCS_HOME}/node_modules + + #Remove PCCS system service + 
echo -n "Uninstalling PCCS service ..." +-if [ -d /run/systemd/system ]; then ++if [ -d /run/systemd/users ]; then + systemctl stop pccs || true + systemctl disable pccs || true + systemctl daemon-reload +diff --git a/external/dcap_source/QuoteGeneration/pccs/startup.sh b/external/dcap_source/QuoteGeneration/pccs/startup.sh +index c6e9993..86fa9a9 100755 +--- a/external/dcap_source/QuoteGeneration/pccs/startup.sh ++++ b/external/dcap_source/QuoteGeneration/pccs/startup.sh +@@ -58,7 +58,7 @@ then + fi + #Install PCCS as system service + echo -n "Installing PCCS service ..." +-if [ -d /run/systemd/system ]; then ++if [ -d /run/systemd/users ]; then + systemctl daemon-reload + systemctl enable pccs + if [ "$1" == "debian" ]; then +diff --git a/linux/installer/common/psw-dcap/cleanup.sh b/linux/installer/common/psw-dcap/cleanup.sh +index 968d650..0e80d1b 100755 +--- a/linux/installer/common/psw-dcap/cleanup.sh ++++ b/linux/installer/common/psw-dcap/cleanup.sh +@@ -39,7 +39,7 @@ if test $(id -u) -ne 0; then + fi + + # Kill AESM service +-if [ -d /run/systemd/system ]; then ++if [ -d /run/systemd/users ]; then + systemctl daemon-reload + systemctl stop aesmd + systemctl disable aesmd 2> /dev/null +diff --git a/linux/installer/common/psw-dcap/startup.sh b/linux/installer/common/psw-dcap/startup.sh +index 0f6e99c..365373f 100755 +--- a/linux/installer/common/psw-dcap/startup.sh ++++ b/linux/installer/common/psw-dcap/startup.sh +@@ -44,7 +44,7 @@ id -u aesmd &> /dev/null || \ + -d /var/opt/aesmd -s /sbin/nologin aesmd + + # Start the AESMD service +-if [ -d /run/systemd/system ]; then ++if [ -d /run/systemd/users ]; then + systemctl enable aesmd + systemctl start aesmd + elif [ -d /etc/init/ ]; then +diff --git a/linux/installer/common/psw-tdx/cleanup.sh b/linux/installer/common/psw-tdx/cleanup.sh +index cf750b1..1e3c1e5 100644 +--- a/linux/installer/common/psw-tdx/cleanup.sh ++++ b/linux/installer/common/psw-tdx/cleanup.sh +@@ -39,7 +39,7 @@ if test $(id -u) -ne 0; then + 
fi + + # Kill qgsd service +-if [ -d /run/systemd/system ]; then ++if [ -d /run/systemd/users ]; then + systemctl daemon-reload + systemctl stop qgsd + systemctl disable qgsd 2> /dev/null +diff --git a/linux/installer/common/psw-tdx/startup.sh b/linux/installer/common/psw-tdx/startup.sh +index 31c564c..0ab9604 100644 +--- a/linux/installer/common/psw-tdx/startup.sh ++++ b/linux/installer/common/psw-tdx/startup.sh +@@ -44,7 +44,7 @@ id -u qgsd &> /dev/null || \ + -d /var/opt/qgsd -s /sbin/nologin qgsd + + # Start the QGSD service +-if [ -d /run/systemd/system ]; then ++if [ -d /run/systemd/users ]; then + systemctl enable qgsd + systemctl start qgsd + elif [ -d /etc/init/ ]; then -- 2.23.0 - diff --git a/DCAP-disabling-the-rpatch-option.patch b/DCAP-disabling-the-rpatch-option.patch index 6d39245..2941f86 100644 --- a/DCAP-disabling-the-rpatch-option.patch +++ b/DCAP-disabling-the-rpatch-option.patch 
@@ -11,12 +11,12 @@ Subject: [PATCH] DCAP disabling the rpatch option .../tools/PCKRetrievalTool/Qpl/linux/Makefile | 2 +- 5 files changed, 5 insertions(+), 10 deletions(-) -diff --git a/external/dcap_source/SGXDataCenterAttestationPrimitives-DCAP_1.12.1/QuoteGeneration/buildenv.mk b/external/dcap_source/SGXDataCenterAttestationPrimitives-DCAP_1.12.1/QuoteGeneration/buildenv.mk +diff --git a/external/dcap_source/QuoteGeneration/buildenv.mk b/external/dcap_source/QuoteGeneration/buildenv.mk index 8c87626e..f05ccdaf 100644 ---- a/external/dcap_source/SGXDataCenterAttestationPrimitives-DCAP_1.12.1/QuoteGeneration/buildenv.mk -+++ b/external/dcap_source/SGXDataCenterAttestationPrimitives-DCAP_1.12.1/QuoteGeneration/buildenv.mk -@@ -97,12 +97,7 @@ INCLUDE := - CUR_DIR := $(realpath $(call parent-dir,$(lastword $(wordlist 2,$(words $(MAKEFILE_LIST)),x $(MAKEFILE_LIST))))) +--- a/external/dcap_source/QuoteGeneration/buildenv.mk ++++ b/external/dcap_source/QuoteGeneration/buildenv.mk +@@ -104,12 +104,7 @@ + endif # turn on stack protector for SDK -CC_BELOW_4_9 := $(shell expr "`$(CC) -dumpversion`" \< "4.9") 
@@ -29,59 +29,13 @@ index 8c87626e..f05ccdaf 100644 ifdef DEBUG COMMON_FLAGS += -O0 -ggdb -DDEBUG -UNDEBUG -diff --git a/external/dcap_source/SGXDataCenterAttestationPrimitives-DCAP_1.12.1/QuoteGeneration/quote_wrapper/ql/linux/Makefile b/external/dcap_source/SGXDataCenterAttestationPrimitives-DCAP_1.12.1/QuoteGeneration/quote_wrapper/ql/linux/Makefile -index 3dde7a10..30009c2d 100644 ---- a/external/dcap_source/SGXDataCenterAttestationPrimitives-DCAP_1.12.1/QuoteGeneration/quote_wrapper/ql/linux/Makefile -+++ b/external/dcap_source/SGXDataCenterAttestationPrimitives-DCAP_1.12.1/QuoteGeneration/quote_wrapper/ql/linux/Makefile -@@ -51,7 +51,7 @@ QL_Lib_Include_Paths += -I../../quote/inc -I../../../pce_wrapper/inc -I../inc - QL_Lib_C_Flags := $(COMMON_FLAGS) -g -fPIC -Wno-attributes $(QL_Lib_Include_Paths) - - LDUFLAGS:= -pthread $(COMMON_LDFLAGS) --LDUFLAGS += -Wl,--version-script=dcap_ql_wrapper.lds -Wl,--gc-sections -Wl,-rpath=. -+LDUFLAGS += -Wl,--version-script=dcap_ql_wrapper.lds -Wl,--gc-sections - - QL_Lib_Cpp_Flags := $(QL_Lib_C_Flags) -std=c++11 - QL_Lib_Link_Flags := $(SGX_COMMON_FLAGS) -g -L$(Quote_Library_Dir) -lsgx_qe3_logic -L$(PCE_Library_Dir) -lsgx_pce_logic -L$(TOP_DIR)/build/linux -L$(SGX_SDK)/lib64 -lpthread -ldl -diff --git a/external/dcap_source/SGXDataCenterAttestationPrimitives-DCAP_1.12.1/tools/PCKCertSelection/PCKSelectionSample/Makefile b/external/dcap_source/SGXDataCenterAttestationPrimitives-DCAP_1.12.1/tools/PCKCertSelection/PCKSelectionSample/Makefile -index 2068554b..da3d3bea 100644 ---- a/external/dcap_source/SGXDataCenterAttestationPrimitives-DCAP_1.12.1/tools/PCKCertSelection/PCKSelectionSample/Makefile -+++ b/external/dcap_source/SGXDataCenterAttestationPrimitives-DCAP_1.12.1/tools/PCKCertSelection/PCKSelectionSample/Makefile -@@ -79,7 +79,7 @@ C_FLAGS:= -DLINUX -fPIC -Werror $(APP_INCLUDE_PATHS) - - # link flags, link CPUSVNCompare library - LINK_FLAGS := -Wl,-rpath,${ORIGIN} -L$(BIN_DIR) -l$(LIB_NAME) --LINK_FLAGS := -Wl,-rpath=. 
-L$(BIN_DIR) -l$(LIB_NAME) -+LINK_FLAGS := -L$(BIN_DIR) -l$(LIB_NAME) - - # debug/release switch - ifeq ($(DEBUG), 1) -diff --git a/external/dcap_source/SGXDataCenterAttestationPrimitives-DCAP_1.12.1/tools/PCKRetrievalTool/Makefile b/external/dcap_source/SGXDataCenterAttestationPrimitives-DCAP_1.12.1/tools/PCKRetrievalTool/Makefile +diff --git a/external/dcap_source/tools/PCKRetrievalTool/Makefile b/external/dcap_source/tools/PCKRetrievalTool/Makefile index 4596ee9c..116db7d2 100644 ---- a/external/dcap_source/SGXDataCenterAttestationPrimitives-DCAP_1.12.1/tools/PCKRetrievalTool/Makefile -+++ b/external/dcap_source/SGXDataCenterAttestationPrimitives-DCAP_1.12.1/tools/PCKRetrievalTool/Makefile -@@ -104,7 +104,7 @@ App_C_Flags := $(COMMON_FLAGS) -fPIC -Wno-attributes $(App_Include_Paths) - - App_Cpp_Flags := $(App_C_Flags) -std=c++11 - App_Link_Flags := $(SGX_COMMON_CFLAGS) -Wl,-z,relro,-z,now,-z,noexecstack --App_Link_Flags += -lcurl -ldl -lpthread -Wl,-rpath=. -+App_Link_Flags += -lcurl -ldl -lpthread - - - App_Cpp_Objects := $(App_Cpp_Files:.cpp=.o) -diff --git a/external/dcap_source/SGXDataCenterAttestationPrimitives-DCAP_1.12.1/tools/PCKRetrievalTool/Qpl/linux/Makefile b/external/dcap_source/SGXDataCenterAttestationPrimitives-DCAP_1.12.1/tools/PCKRetrievalTool/Qpl/linux/Makefile -index b046d726..551a133f 100644 ---- a/external/dcap_source/SGXDataCenterAttestationPrimitives-DCAP_1.12.1/tools/PCKRetrievalTool/Qpl/linux/Makefile -+++ b/external/dcap_source/SGXDataCenterAttestationPrimitives-DCAP_1.12.1/tools/PCKRetrievalTool/Qpl/linux/Makefile -@@ -91,7 +91,7 @@ LDUFLAGS += -Wl,--gc-sections - - QPL_Lib_Cpp_Flags := $(QPL_Lib_C_Flags) -std=c++11 - --QPL_Lib_Link_Flags := $(SGX_COMMON_FLAGS) -L$(SGX_SDK)/lib64 -lpthread -ldl -Wl,-rpath=. 
-+QPL_Lib_Link_Flags := $(SGX_COMMON_FLAGS) -L$(SGX_SDK)/lib64 -lpthread -ldl - - - QPL_Lib_Cpp_Objects := $(QPL_Lib_Cpp_Files:.cpp=.o) +--- a/external/dcap_source/tools/PCKRetrievalTool/Makefile ++++ b/external/dcap_source/tools/PCKRetrievalTool/Makefile +@@ -111,3 +111,2 @@ + ifeq ($(STANDALONE), 1) +- App_Link_Flags += -Wl,-rpath=. + endif -- 2.33.0 - - diff --git a/DCAP_1.12.1.tar.gz b/DCAP_1.15.tar.gz similarity index 51% rename from DCAP_1.12.1.tar.gz rename to DCAP_1.15.tar.gz index db5cca0..0d4bf9d 100644 Binary files a/DCAP_1.12.1.tar.gz and b/DCAP_1.15.tar.gz differ diff --git a/adapt-openssl-CVE.patch b/adapt-openssl-CVE.patch index bb87cfd..bdca698 100644 --- a/adapt-openssl-CVE.patch +++ b/adapt-openssl-CVE.patch @@ -4,13 +4,13 @@ Date: Sun, 5 Jun 2022 14:44:37 +0800 Subject: [PATCH] decompress openssl sourece before build --- - .../intel-sgx-ssl-lin_2.15.1_1.1.1l/Linux/build_openssl.sh | 2 -- + .../sgxssl/Linux/build_openssl.sh | 2 -- 1 file changed, 2 deletions(-) -diff --git a/external/dcap_source/SGXDataCenterAttestationPrimitives-DCAP_1.12.1/QuoteVerification/intel-sgx-ssl-lin_2.15.1_1.1.1l/Linux/build_openssl.sh b/external/dcap_source/SGXDataCenterAttestationPrimitives-DCAP_1.12.1/QuoteVerification/intel-sgx-ssl-lin_2.15.1_1.1.1l/Linux/build_openssl.sh +diff --git a/external/dcap_source/QuoteVerification/sgxssl/Linux/build_openssl.sh b/external/dcap_source/QuoteVerification/sgxssl/Linux/build_openssl.sh index 7d77b79..43745b8 100755 ---- a/external/dcap_source/SGXDataCenterAttestationPrimitives-DCAP_1.12.1/QuoteVerification/intel-sgx-ssl-lin_2.15.1_1.1.1l/Linux/build_openssl.sh -+++ b/external/dcap_source/SGXDataCenterAttestationPrimitives-DCAP_1.12.1/QuoteVerification/intel-sgx-ssl-lin_2.15.1_1.1.1l/Linux/build_openssl.sh +--- a/external/dcap_source/QuoteVerification/sgxssl/Linux/build_openssl.sh ++++ b/external/dcap_source/QuoteVerification/sgxssl/Linux/build_openssl.sh 
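Review bot: The refreshed patch drops its hunks for `QuoteGeneration/quote_wrapper/ql/linux/Makefile`, `tools/PCKCertSelection/PCKSelectionSample/Makefile` and `tools/PCKRetrievalTool/Qpl/linux/Makefile`, each of which used to strip `-Wl,-rpath=.` from the link flags, and keeps only the `STANDALONE` case in `tools/PCKRetrievalTool/Makefile`. Unless DCAP 1.15 removed that flag from those three Makefiles upstream (not visible here), the resulting libraries and sample are linked with a run-time search path of `.`, so the dynamic loader resolves their dependencies from whatever directory the process is started in. Please confirm with `readelf -d` on the built objects that no RPATH/RUNPATH entry of `.` remains, or carry the three hunks forward. The diffstat kept in the patch header (`5 files changed, 5 insertions(+), 10 deletions(-)`) also no longer matches the two files the patch still touches.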
@@ -54,8 +54,6 @@ mkdir -p $SGXSSL_ROOT/package/lib64/ # build openssl modules, clean previous openssl dir if it exist diff --git a/add-secure-compilation-options.patch b/add-secure-compilation-options.patch index c75bad9..a9279ec 100644 --- a/add-secure-compilation-options.patch +++ b/add-secure-compilation-options.patch @@ -10,7 +10,7 @@ Subject: [PATCH] add-secure-compilation-options .../ippcp/crypto_mb/src/cmake/linux/GNU.cmake | 2 +- .../openmp/openmp_code/final/CMakeLists.txt | 2 ++ .../protobuf_code/cmake/CMakeLists.txt | 2 ++ - .../protobuf_code/cmake/install.cmake | 7 ------ + .../protobuf_code/cmake/install.cmake | 7 ------- .../le_launch_service_bundle/CMakeLists.txt | 2 +- .../source/core/ipc/CMakeLists.txt | 1 + .../aesm_service/source/utils/CMakeLists.txt | 2 +- @@ -28,7 +28,7 @@ index 96187ed..7b5ef26 100644 -# For reproducibility build in docker, the code should be -# prepared before build. So skip the code check to avoid -# triggering network request --ifneq ($(origin NIX_PATH), environment) +-ifneq ($(origin NIX_STORE), environment) -ifneq ($(PATCH_LOG), SGX.) -CHECK_SOURCE:= ipp_source -endif @@ -116,7 +116,7 @@ index 52661f5..ec0b64f 100644 +++ b/external/protobuf/protobuf_code/cmake/CMakeLists.txt @@ -1,6 +1,8 @@ # Minimum CMake required - cmake_minimum_required(VERSION 3.1.3) + cmake_minimum_required(VERSION 3.5) +add_compile_options(-fstack-protector-strong -O2 -D_FORTIFY_SOURCE=2) + @@ -124,13 +124,13 @@ index 52661f5..ec0b64f 100644 message(STATUS "Protocol Buffers Configuring...") endif() diff --git a/external/protobuf/protobuf_code/cmake/install.cmake b/external/protobuf/protobuf_code/cmake/install.cmake -index 4091bc8..8e12831 100644 +index 4e1c5de..5f9c786 100644 --- a/external/protobuf/protobuf_code/cmake/install.cmake 
+++ b/external/protobuf/protobuf_code/cmake/install.cmake -@@ -31,13 +31,6 @@ endforeach() - if (protobuf_BUILD_PROTOC_BINARIES) +@@ -32,13 +32,6 @@ if (protobuf_BUILD_PROTOC_BINARIES) install(TARGETS protoc EXPORT protobuf-targets - RUNTIME DESTINATION ${CMAKE_INSTALL_BINDIR} COMPONENT protoc) + RUNTIME DESTINATION ${CMAKE_INSTALL_BINDIR} COMPONENT protoc + BUNDLE DESTINATION ${CMAKE_INSTALL_BINDIR} COMPONENT protoc) - if (UNIX AND NOT APPLE) - set_property(TARGET protoc - PROPERTY INSTALL_RPATH "$ORIGIN/../${CMAKE_INSTALL_LIBDIR}") @@ -176,4 +176,3 @@ index 77aac37..6d17c19 100644 ${OPENSSL_LIBRARIES} -- 2.27.0 - diff --git a/add-strip-compilation-option-for-pck-id-retrieval-tool.patch b/add-strip-compilation-option-for-pck-id-retrieval-tool.patch deleted file mode 100644 index e34adf4..0000000 --- a/add-strip-compilation-option-for-pck-id-retrieval-tool.patch +++ /dev/null 
@@ -1,25 +0,0 @@ -From 4788eadaf33cc6b88ab883e43804e1f237779104 Mon Sep 17 00:00:00 2001 -From: wangyu -Date: Tue, 20 Sep 2022 15:06:21 +0800 -Subject: [PATCH] add -s to link flags for PCKRetrievalTool - ---- - .../tools/PCKRetrievalTool/Makefile | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/external/dcap_source/SGXDataCenterAttestationPrimitives-DCAP_1.12.1/tools/PCKRetrievalTool/Makefile b/external/dcap_source/SGXDataCenterAttestationPrimitives-DCAP_1.12.1/tools/PCKRetrievalTool/Makefile -index 116db7d..7c13b6e 100644 ---- a/external/dcap_source/SGXDataCenterAttestationPrimitives-DCAP_1.12.1/tools/PCKRetrievalTool/Makefile -+++ b/external/dcap_source/SGXDataCenterAttestationPrimitives-DCAP_1.12.1/tools/PCKRetrievalTool/Makefile -@@ -142,7 +142,7 @@ Enclave_Link_Flags := $(SGX_COMMON_CFLAGS) -Wl,--no-undefined -nostdlib -nodefau - -Wl,-pie,-eenclave_entry -Wl,--export-dynamic \ - -Wl,--defsym,__ImageBase=0 -Wl,--gc-sections \ - -Wl,-z,relro,-z,now,-z,noexecstack \ -- -Wl,--version-script=Enclave/Enclave.lds -+ -Wl,--version-script=Enclave/Enclave.lds -s - - Enclave_Cpp_Objects := $(Enclave_Cpp_Files:.cpp=.o) - ENCLAVE_LIBRARY_PATH := Enclave/ --- -1.8.3.1 - diff --git a/as.ld.objdump.r4.tar.gz b/as.ld.objdump.r4.tar.gz deleted file mode 100644 index c80bcb7..0000000 Binary files a/as.ld.objdump.r4.tar.gz and /dev/null differ diff --git a/backport-CVE-2021-22570.patch b/backport-CVE-2021-22570.patch deleted file mode 100644 index 835576e..0000000 --- a/backport-CVE-2021-22570.patch +++ /dev/null 
@@ -1,75 +0,0 @@ -From 77fd494f2acfd6b08f888f342ca721e3f0809b52 Mon Sep 17 00:00:00 2001 -From: wangxiaochao -Date: Fri, 18 Mar 2022 14:46:35 +0800 -Subject: [PATCH] fix CVE-2021-22570 - -Conflict:NA -Reference:https://gitee.com/src-openeuler/protobuf/pulls/64/files - -Signed-off-by: wangxiaochao ---- - .../src/google/protobuf/descriptor.cc | 20 +++++++++++++++++++ - 1 file changed, 20 insertions(+) - -diff --git a/external/protobuf/protobuf_code/src/google/protobuf/descriptor.cc b/external/protobuf/protobuf_code/src/google/protobuf/descriptor.cc -index 8998e1b..e6f7ec2 100644 ---- a/external/protobuf/protobuf_code/src/google/protobuf/descriptor.cc -+++ b/external/protobuf/protobuf_code/src/google/protobuf/descriptor.cc -@@ -2626,6 +2626,8 @@ void Descriptor::DebugString(int depth, std::string* contents, - const Descriptor::ReservedRange* range = reserved_range(i); - if (range->end == range->start + 1) { - strings::SubstituteAndAppend(contents, "$0, ", range->start); -+ } else if (range->end > FieldDescriptor::kMaxNumber) { -+ strings::SubstituteAndAppend(contents, "$0 to max, ", range->start); - } else { - strings::SubstituteAndAppend(contents, "$0 to $1, ", range->start, - range->end - 1); -@@ -2829,6 +2831,8 @@ void EnumDescriptor::DebugString( - const EnumDescriptor::ReservedRange* range = reserved_range(i); - if (range->end == range->start) { - strings::SubstituteAndAppend(contents, "$0, ", range->start); -+ } else if (range->end == INT_MAX) { -+ strings::SubstituteAndAppend(contents, "$0 to max, ", range->start); - } else { - strings::SubstituteAndAppend(contents, "$0 to $1, ", range->start, - range->end); -@@ -4019,6 +4023,11 @@ bool DescriptorBuilder::AddSymbol(const std::string& full_name, - // Use its file as the parent instead. 
- if (parent == nullptr) parent = file_; - -+ if (full_name.find('\0') != std::string::npos) { -+ AddError(full_name, proto, DescriptorPool::ErrorCollector::NAME, -+ "\"" + full_name + "\" contains null character."); -+ return false; -+ } - if (tables_->AddSymbol(full_name, symbol)) { - if (!file_tables_->AddAliasUnderParent(parent, name, symbol)) { - // This is only possible if there was already an error adding something of -@@ -4059,6 +4068,11 @@ bool DescriptorBuilder::AddSymbol(const std::string& full_name, - void DescriptorBuilder::AddPackage(const std::string& name, - const Message& proto, - const FileDescriptor* file) { -+ if (name.find('\0') != std::string::npos) { -+ AddError(name, proto, DescriptorPool::ErrorCollector::NAME, -+ "\"" + name + "\" contains null character."); -+ return; -+ } - if (tables_->AddSymbol(name, Symbol(file))) { - // Success. Also add parent package, if any. - std::string::size_type dot_pos = name.find_last_of('.'); -@@ -4372,6 +4386,12 @@ FileDescriptor* DescriptorBuilder::BuildFileImpl( - } - result->pool_ = pool_; - -+ if (result->name().find('\0') != std::string::npos) { -+ AddError(result->name(), proto, DescriptorPool::ErrorCollector::NAME, -+ "\"" + result->name() + "\" contains null character."); -+ return nullptr; -+ } -+ - // Add to tables. - if (!tables_->AddFile(result)) { - AddError(proto.name(), proto, DescriptorPool::ErrorCollector::OTHER, --- -2.23.0 - diff --git a/backport-CVE-2022-0778.patch b/backport-CVE-2022-0778.patch deleted file mode 100644 index 53d9052..0000000 --- a/backport-CVE-2022-0778.patch +++ /dev/null 
@@ -1,72 +0,0 @@
-From 4382b4d9446c34d29b12dedf6b93f35215b9dd3b Mon Sep 17 00:00:00 2001
-From: Tomas Mraz
-Date: Mon, 28 Feb 2022 18:26:21 +0100
-Subject: [PATCH] Fix possible infinite loop in BN_mod_sqrt()
-
-The calculation in some cases does not finish for non-prime p.
-
-This fixes CVE-2022-0778.
-
-Based on patch by David Benjamin .
-
-Reviewed-by: Paul Dale
-Reviewed-by: Matt Caswell
-
-Reference: https://github.com/openssl/openssl/commit/3118eb64934499d93db3230748a452351d1d9a65
-Conflict: NA
----
- .../openssl-1.1.1l/crypto/bn/bn_sqrt.c | 30 +++++++++++--------
- 1 file changed, 18 insertions(+), 12 deletions(-)
-
-diff --git a/external/dcap_source/SGXDataCenterAttestationPrimitives-DCAP_1.12.1/QuoteVerification/intel-sgx-ssl-lin_2.15.1_1.1.1l/openssl_source/openssl-1.1.1l/crypto/bn/bn_sqrt.c b/external/dcap_source/SGXDataCenterAttestationPrimitives-DCAP_1.12.1/QuoteVerification/intel-sgx-ssl-lin_2.15.1_1.1.1l/openssl_source/openssl-1.1.1l/crypto/bn/bn_sqrt.c
-index 1723d5d..53b0f55 100644
---- a/external/dcap_source/SGXDataCenterAttestationPrimitives-DCAP_1.12.1/QuoteVerification/intel-sgx-ssl-lin_2.15.1_1.1.1l/openssl_source/openssl-1.1.1l/crypto/bn/bn_sqrt.c
-+++ b/external/dcap_source/SGXDataCenterAttestationPrimitives-DCAP_1.12.1/QuoteVerification/intel-sgx-ssl-lin_2.15.1_1.1.1l/openssl_source/openssl-1.1.1l/crypto/bn/bn_sqrt.c
-@@ -14,7 +14,8 @@ BIGNUM *BN_mod_sqrt(BIGNUM *in, const BIGNUM *a, const BIGNUM *p, BN_CTX *ctx)
- /*
- * Returns 'ret' such that ret^2 == a (mod p), using the Tonelli/Shanks
- * algorithm (cf. Henri Cohen, "A Course in Algebraic Computational Number
-- * Theory", algorithm 1.5.1). 'p' must be prime!
-+ * Theory", algorithm 1.5.1). 'p' must be prime, otherwise an error or
-+ * an incorrect "result" will be returned.
- */
- {
- BIGNUM *ret = in;
-@@ -301,18 +302,23 @@ BIGNUM *BN_mod_sqrt(BIGNUM *in, const BIGNUM *a, const BIGNUM *p, BN_CTX *ctx)
- goto vrfy;
- }
-
-- /* find smallest i such that b^(2^i) = 1 */
-- i = 1;
-- if (!BN_mod_sqr(t, b, p, ctx))
-- goto end;
-- while (!BN_is_one(t)) {
-- i++;
-- if (i == e) {
-- BNerr(BN_F_BN_MOD_SQRT, BN_R_NOT_A_SQUARE);
-- goto end;
-+ /* Find the smallest i, 0 < i < e, such that b^(2^i) = 1. */
-+ for (i = 1; i < e; i++) {
-+ if (i == 1) {
-+ if (!BN_mod_sqr(t, b, p, ctx))
-+ goto end;
-+
-+ } else {
-+ if (!BN_mod_mul(t, t, t, p, ctx))
-+ goto end;
- }
-- if (!BN_mod_mul(t, t, t, p, ctx))
-- goto end;
-+ if (BN_is_one(t))
-+ break;
-+ }
-+ /* If not found, a is not a square or p is not prime. */
-+ if (i >= e) {
-+ BNerr(BN_F_BN_MOD_SQRT, BN_R_NOT_A_SQUARE);
-+ goto end;
- }
-
- /* t := y^2^(e - i - 1) */
---
-2.23.0
-
diff --git a/backport-CVE-2022-0778_test.patch b/backport-CVE-2022-0778_test.patch
deleted file mode 100644
index b9a1c80..0000000
--- a/backport-CVE-2022-0778_test.patch
+++ /dev/null
@@ -1,61 +0,0 @@
-From 6ec7f406d2141b78508b5df91597a61de2ac38ed Mon Sep 17 00:00:00 2001
-From: Tomas Mraz
-Date: Mon, 28 Feb 2022 18:26:35 +0100
-Subject: [PATCH] Add a negative testcase for BN_mod_sqrt
-
-Reviewed-by: Paul Dale
-Reviewed-by: Matt Caswell
-
-Reference: https://github.com/openssl/openssl/commit/3ef5c3034e5c545f34d6929568f3f2b10ac4bdf0
-Conflict: NA
----
- .../openssl_source/openssl-1.1.1l/test/bntest.c | 11 ++++++++++-
- .../test/recipes/10-test_bn_data/bnmod.txt | 12 ++++++++++++
- 2 files changed, 22 insertions(+), 1 deletion(-)
-
-diff --git a/external/dcap_source/SGXDataCenterAttestationPrimitives-DCAP_1.12.1/QuoteVerification/intel-sgx-ssl-lin_2.15.1_1.1.1l/openssl_source/openssl-1.1.1l/test/bntest.c b/external/dcap_source/SGXDataCenterAttestationPrimitives-DCAP_1.12.1/QuoteVerification/intel-sgx-ssl-lin_2.15.1_1.1.1l/openssl_source/openssl-1.1.1l/test/bntest.c
-index 236501e..08c60a2 100644
---- a/external/dcap_source/SGXDataCenterAttestationPrimitives-DCAP_1.12.1/QuoteVerification/intel-sgx-ssl-lin_2.15.1_1.1.1l/openssl_source/openssl-1.1.1l/test/bntest.c
-+++ b/external/dcap_source/SGXDataCenterAttestationPrimitives-DCAP_1.12.1/QuoteVerification/intel-sgx-ssl-lin_2.15.1_1.1.1l/openssl_source/openssl-1.1.1l/test/bntest.c
-@@ -1685,8 +1685,17 @@ static int file_modsqrt(STANZA *s)
- || !TEST_ptr(ret2 = BN_new()))
- goto err;
-
-+ if (BN_is_negative(mod_sqrt)) {
-+ /* A negative testcase */
-+ if (!TEST_ptr_null(BN_mod_sqrt(ret, a, p, ctx)))
-+ goto err;
-+
-+ st = 1;
-+ goto err;
-+ }
-+
- /* There are two possible answers. */
-- if (!TEST_true(BN_mod_sqrt(ret, a, p, ctx))
-+ if (!TEST_ptr(BN_mod_sqrt(ret, a, p, ctx))
- || !TEST_true(BN_sub(ret2, p, ret)))
- goto err;
-
-diff --git a/external/dcap_source/SGXDataCenterAttestationPrimitives-DCAP_1.12.1/QuoteVerification/intel-sgx-ssl-lin_2.15.1_1.1.1l/openssl_source/openssl-1.1.1l/test/recipes/10-test_bn_data/bnmod.txt b/external/dcap_source/SGXDataCenterAttestationPrimitives-DCAP_1.12.1/QuoteVerification/intel-sgx-ssl-lin_2.15.1_1.1.1l/openssl_source/openssl-1.1.1l/test/recipes/10-test_bn_data/bnmod.txt
-index 5ea4d03..e28cc6b 100644
---- a/external/dcap_source/SGXDataCenterAttestationPrimitives-DCAP_1.12.1/QuoteVerification/intel-sgx-ssl-lin_2.15.1_1.1.1l/openssl_source/openssl-1.1.1l/test/recipes/10-test_bn_data/bnmod.txt
-+++ b/external/dcap_source/SGXDataCenterAttestationPrimitives-DCAP_1.12.1/QuoteVerification/intel-sgx-ssl-lin_2.15.1_1.1.1l/openssl_source/openssl-1.1.1l/test/recipes/10-test_bn_data/bnmod.txt
-@@ -2799,3 +2799,15 @@ P = 9df9d6cc20b8540411af4e5357ef2b0353cb1f2ab5ffc3e246b41c32f71e951f
- ModSqrt = a1d52989f12f204d3d2167d9b1e6c8a6174c0c786a979a5952383b7b8bd186
- A = 2eee37cf06228a387788188e650bc6d8a2ff402931443f69156a29155eca07dcb45f3aac238d92943c0c25c896098716baa433f25bd696a142f5a69d5d937e81
- P = 9df9d6cc20b8540411af4e5357ef2b0353cb1f2ab5ffc3e246b41c32f71e951f
-+
-+# Negative testcases for BN_mod_sqrt()
-+
-+# This one triggers an infinite loop with unfixed implementation
-+# It should just fail.
-+ModSqrt = -1
-+A = 20a7ee
-+P = 460201
-+
-+ModSqrt = -1
-+A = 65bebdb00a96fc814ec44b81f98b59fba3c30203928fa5214c51e0a97091645280c947b005847f239758482b9bfc45b066fde340d1fe32fc9c1bf02e1b2d0ed
-+P = 9df9d6cc20b8540411af4e5357ef2b0353cb1f2ab5ffc3e246b41c32f71e951f
---
-2.23.0
-
diff --git a/backport-CVE-2022-1292.patch b/backport-CVE-2022-1292.patch
deleted file mode 100644
index 08294e3..0000000
--- a/backport-CVE-2022-1292.patch
+++ /dev/null
@@ -1,80 +0,0 @@
-From 9b495e8d9028ca893019c5b176d913051ea925ac Mon Sep 17 00:00:00 2001
-From: Tomas Mraz
-Date: Tue, 26 Apr 2022 12:40:24 +0200
-Subject: [PATCH] c_rehash: Do not use shell to invoke openssl
-
-Except on VMS where it is safe.
-
-This fixes CVE-2022-1292.
-
-Reviewed-by: Matthias St. Pierre
-Reviewed-by: Matt Caswell
-
-Reference:https://git.openssl.org/gitweb/?p=openssl.git;a=patch;h=e5fd1728ef4c7a5bf7c7a7163ca60370460a6e23
-Conflict:NA
-
----
- .../openssl-1.1.1l/tools/c_rehash.in | 29 ++++++++++++++++---
- 1 file changed, 25 insertions(+), 4 deletions(-)
-
-diff --git a/external/dcap_source/SGXDataCenterAttestationPrimitives-DCAP_1.12.1/QuoteVerification/intel-sgx-ssl-lin_2.15.1_1.1.1l/openssl_source/openssl-1.1.1l/tools/c_rehash.in b/external/dcap_source/SGXDataCenterAttestationPrimitives-DCAP_1.12.1/QuoteVerification/intel-sgx-ssl-lin_2.15.1_1.1.1l/openssl_source/openssl-1.1.1l/tools/c_rehash.in
-index fa7c6c9..83c1cc8 100644
---- a/external/dcap_source/SGXDataCenterAttestationPrimitives-DCAP_1.12.1/QuoteVerification/intel-sgx-ssl-lin_2.15.1_1.1.1l/openssl_source/openssl-1.1.1l/tools/c_rehash.in
-+++ b/external/dcap_source/SGXDataCenterAttestationPrimitives-DCAP_1.12.1/QuoteVerification/intel-sgx-ssl-lin_2.15.1_1.1.1l/openssl_source/openssl-1.1.1l/tools/c_rehash.in
-@@ -152,6 +152,23 @@ sub check_file {
- return ($is_cert, $is_crl);
- }
-
-+sub compute_hash {
-+ my $fh;
-+ if ( $^O eq "VMS" ) {
-+ # VMS uses the open through shell
-+ # The file names are safe there and list form is unsupported
-+ if (!open($fh, "-|", join(' ', @_))) {
-+ print STDERR "Cannot compute hash on '$fname'\n";
-+ return;
-+ }
-+ } else {
-+ if (!open($fh, "-|", @_)) {
-+ print STDERR "Cannot compute hash on '$fname'\n";
-+ return;
-+ }
-+ }
-+ return (<$fh>, <$fh>);
-+}
-
- # Link a certificate to its subject name hash value, each hash is of
- # the form . where n is an integer. If the hash value already exists
-@@ -161,10 +178,12 @@ sub check_file {
-
- sub link_hash_cert {
- my $fname = $_[0];
-- $fname =~ s/\"/\\\"/g;
-- my ($hash, $fprint) = `"$openssl" x509 $x509hash -fingerprint -noout -in "$fname"`;
-+ my ($hash, $fprint) = compute_hash($openssl, "x509", $x509hash,
-+ "-fingerprint", "-noout",
-+ "-in", $fname);
- chomp $hash;
- chomp $fprint;
-+ return if !$hash;
- $fprint =~ s/^.*=//;
- $fprint =~ tr/://d;
- my $suffix = 0;
-@@ -202,10 +221,12 @@ sub link_hash_cert {
-
- sub link_hash_crl {
- my $fname = $_[0];
-- $fname =~ s/'/'\\''/g;
-- my ($hash, $fprint) = `"$openssl" crl $crlhash -fingerprint -noout -in '$fname'`;
-+ my ($hash, $fprint) = compute_hash($openssl, "crl", $crlhash,
-+ "-fingerprint", "-noout",
-+ "-in", $fname);
- chomp $hash;
- chomp $fprint;
-+ return if !$hash;
- $fprint =~ s/^.*=//;
- $fprint =~ tr/://d;
- my $suffix = 0;
---
-2.23.0
-
diff --git a/backport-CVE-2022-2068-Fix-file-operations-in-c_rehash.patch b/backport-CVE-2022-2068-Fix-file-operations-in-c_rehash.patch
deleted file mode 100644
index 875a09e..0000000
--- a/backport-CVE-2022-2068-Fix-file-operations-in-c_rehash.patch
+++ /dev/null
@@ -1,259 +0,0 @@
-From 9639817dac8bbbaa64d09efad7464ccc405527c7 Mon Sep 17 00:00:00 2001
-From: Daniel Fiala
-Date: Sun, 29 May 2022 20:11:24 +0200
-Subject: [PATCH] Fix file operations in c_rehash.
-
-CVE-2022-2068
-
-Reviewed-by: Matt Caswell
-Reviewed-by: Richard Levitte
-
-Reference: https://github.com/openssl/openssl/commit/9639817dac8bbbaa64d09efad7464ccc405527c7
-Conflict: NA
----
- external/dcap_source/SGXDataCenterAttestationPrimitives-DCAP_1.12.1/QuoteVerification/intel-sgx-ssl-lin_2.15.1_1.1.1l/openssl_source/openssl-1.1.1l/tools/c_rehash.in | 216 +++++++++++++++++++++++-----------------------
- 1 file changed, 107 insertions(+), 109 deletions(-)
-
-diff --git a/external/dcap_source/SGXDataCenterAttestationPrimitives-DCAP_1.12.1/QuoteVerification/intel-sgx-ssl-lin_2.15.1_1.1.1l/openssl_source/openssl-1.1.1l/tools/c_rehash.in b/external/dcap_source/SGXDataCenterAttestationPrimitives-DCAP_1.12.1/QuoteVerification/intel-sgx-ssl-lin_2.15.1_1.1.1l/openssl_source/openssl-1.1.1l/tools/c_rehash.in
-index cfd18f5da1..9d2a6f6db7 100644
---- a/external/dcap_source/SGXDataCenterAttestationPrimitives-DCAP_1.12.1/QuoteVerification/intel-sgx-ssl-lin_2.15.1_1.1.1l/openssl_source/openssl-1.1.1l/tools/c_rehash.in
-+++ b/external/dcap_source/SGXDataCenterAttestationPrimitives-DCAP_1.12.1/QuoteVerification/intel-sgx-ssl-lin_2.15.1_1.1.1l/openssl_source/openssl-1.1.1l/tools/c_rehash.in
-@@ -104,52 +104,78 @@ foreach (@dirlist) {
- }
- exit($errorcount);
-
-+sub copy_file {
-+ my ($src_fname, $dst_fname) = @_;
-+
-+ if (open(my $in, "<", $src_fname)) {
-+ if (open(my $out, ">", $dst_fname)) {
-+ print $out $_ while (<$in>);
-+ close $out;
-+ } else {
-+ warn "Cannot open $dst_fname for write, $!";
-+ }
-+ close $in;
-+ } else {
-+ warn "Cannot open $src_fname for read, $!";
-+ }
-+}
-+
- sub hash_dir {
-- my %hashlist;
-- print "Doing $_[0]\n";
-- chdir $_[0];
-- opendir(DIR, ".");
-- my @flist = sort readdir(DIR);
-- closedir DIR;
-- if ( $removelinks ) {
-- # Delete any existing symbolic links
-- foreach (grep {/^[\da-f]+\.r{0,1}\d+$/} @flist) {
-- if (-l $_) {
-- print "unlink $_" if $verbose;
-- unlink $_ || warn "Can't unlink $_, $!\n";
-- }
-- }
-- }
-- FILE: foreach $fname (grep {/\.(pem)|(crt)|(cer)|(crl)$/} @flist) {
-- # Check to see if certificates and/or CRLs present.
-- my ($cert, $crl) = check_file($fname);
-- if (!$cert && !$crl) {
-- print STDERR "WARNING: $fname does not contain a certificate or CRL: skipping\n";
-- next;
-- }
-- link_hash_cert($fname) if ($cert);
-- link_hash_crl($fname) if ($crl);
-- }
-+ my $dir = shift;
-+ my %hashlist;
-+
-+ print "Doing $dir\n";
-+
-+ if (!chdir $dir) {
-+ print STDERR "WARNING: Cannot chdir to '$dir', $!\n";
-+ return;
-+ }
-+
-+ opendir(DIR, ".") || print STDERR "WARNING: Cannot opendir '.', $!\n";
-+ my @flist = sort readdir(DIR);
-+ closedir DIR;
-+ if ( $removelinks ) {
-+ # Delete any existing symbolic links
-+ foreach (grep {/^[\da-f]+\.r{0,1}\d+$/} @flist) {
-+ if (-l $_) {
-+ print "unlink $_\n" if $verbose;
-+ unlink $_ || warn "Can't unlink $_, $!\n";
-+ }
-+ }
-+ }
-+ FILE: foreach $fname (grep {/\.(pem)|(crt)|(cer)|(crl)$/} @flist) {
-+ # Check to see if certificates and/or CRLs present.
-+ my ($cert, $crl) = check_file($fname);
-+ if (!$cert && !$crl) {
-+ print STDERR "WARNING: $fname does not contain a certificate or CRL: skipping\n";
-+ next;
-+ }
-+ link_hash_cert($fname) if ($cert);
-+ link_hash_crl($fname) if ($crl);
-+ }
-+
-+ chdir $pwd;
- }
-
- sub check_file {
-- my ($is_cert, $is_crl) = (0,0);
-- my $fname = $_[0];
-- open IN, $fname;
-- while() {
-- if (/^-----BEGIN (.*)-----/) {
-- my $hdr = $1;
-- if ($hdr =~ /^(X509 |TRUSTED |)CERTIFICATE$/) {
-- $is_cert = 1;
-- last if ($is_crl);
-- } elsif ($hdr eq "X509 CRL") {
-- $is_crl = 1;
-- last if ($is_cert);
-- }
-- }
-- }
-- close IN;
-- return ($is_cert, $is_crl);
-+ my ($is_cert, $is_crl) = (0,0);
-+ my $fname = $_[0];
-+
-+ open(my $in, "<", $fname);
-+ while(<$in>) {
-+ if (/^-----BEGIN (.*)-----/) {
-+ my $hdr = $1;
-+ if ($hdr =~ /^(X509 |TRUSTED |)CERTIFICATE$/) {
-+ $is_cert = 1;
-+ last if ($is_crl);
-+ } elsif ($hdr eq "X509 CRL") {
-+ $is_crl = 1;
-+ last if ($is_cert);
-+ }
-+ }
-+ }
-+ close $in;
-+ return ($is_cert, $is_crl);
- }
-
- sub compute_hash {
-@@ -177,76 +203,48 @@ sub compute_hash {
- # certificate fingerprints
-
- sub link_hash_cert {
-- my $fname = $_[0];
-- my ($hash, $fprint) = compute_hash($openssl, "x509", $x509hash,
-- "-fingerprint", "-noout",
-- "-in", $fname);
-- chomp $hash;
-- chomp $fprint;
-- return if !$hash;
-- $fprint =~ s/^.*=//;
-- $fprint =~ tr/://d;
-- my $suffix = 0;
-- # Search for an unused hash filename
-- while(exists $hashlist{"$hash.$suffix"}) {
-- # Hash matches: if fingerprint matches its a duplicate cert
-- if ($hashlist{"$hash.$suffix"} eq $fprint) {
-- print STDERR "WARNING: Skipping duplicate certificate $fname\n";
-- return;
-- }
-- $suffix++;
-- }
-- $hash .= ".$suffix";
-- if ($symlink_exists) {
-- print "link $fname -> $hash\n" if $verbose;
-- symlink $fname, $hash || warn "Can't symlink, $!";
-- } else {
-- print "copy $fname -> $hash\n" if $verbose;
-- if (open($in, "<", $fname)) {
-- if (open($out,">", $hash)) {
-- print $out $_ while (<$in>);
-- close $out;
-- } else {
-- warn "can't open $hash for write, $!";
-- }
-- close $in;
-- } else {
-- warn "can't open $fname for read, $!";
-- }
-- }
-- $hashlist{$hash} = $fprint;
-+ link_hash($_[0], 'cert');
- }
-
- # Same as above except for a CRL. CRL links are of the form .r
-
- sub link_hash_crl {
-- my $fname = $_[0];
-- my ($hash, $fprint) = compute_hash($openssl, "crl", $crlhash,
-- "-fingerprint", "-noout",
-- "-in", $fname);
-- chomp $hash;
-- chomp $fprint;
-- return if !$hash;
-- $fprint =~ s/^.*=//;
-- $fprint =~ tr/://d;
-- my $suffix = 0;
-- # Search for an unused hash filename
-- while(exists $hashlist{"$hash.r$suffix"}) {
-- # Hash matches: if fingerprint matches its a duplicate cert
-- if ($hashlist{"$hash.r$suffix"} eq $fprint) {
-- print STDERR "WARNING: Skipping duplicate CRL $fname\n";
-- return;
-- }
-- $suffix++;
-- }
-- $hash .= ".r$suffix";
-- if ($symlink_exists) {
-- print "link $fname -> $hash\n" if $verbose;
-- symlink $fname, $hash || warn "Can't symlink, $!";
-- } else {
-- print "cp $fname -> $hash\n" if $verbose;
-- system ("cp", $fname, $hash);
-- warn "Can't copy, $!" if ($? >> 8) != 0;
-- }
-- $hashlist{$hash} = $fprint;
-+ link_hash($_[0], 'crl');
-+}
-+
-+sub link_hash {
-+ my ($fname, $type) = @_;
-+ my $is_cert = $type eq 'cert';
-+
-+ my ($hash, $fprint) = compute_hash($openssl,
-+ $is_cert ? "x509" : "crl",
-+ $is_cert ? $x509hash : $crlhash,
-+ "-fingerprint", "-noout",
-+ "-in", $fname);
-+ chomp $hash;
-+ chomp $fprint;
-+ return if !$hash;
-+ $fprint =~ s/^.*=//;
-+ $fprint =~ tr/://d;
-+ my $suffix = 0;
-+ # Search for an unused hash filename
-+ my $crlmark = $is_cert ? "" : "r";
-+ while(exists $hashlist{"$hash.$crlmark$suffix"}) {
-+ # Hash matches: if fingerprint matches its a duplicate cert
-+ if ($hashlist{"$hash.$crlmark$suffix"} eq $fprint) {
-+ my $what = $is_cert ? 'certificate' : 'CRL';
-+ print STDERR "WARNING: Skipping duplicate $what $fname\n";
-+ return;
-+ }
-+ $suffix++;
-+ }
-+ $hash .= ".$crlmark$suffix";
-+ if ($symlink_exists) {
-+ print "link $fname -> $hash\n" if $verbose;
-+ symlink $fname, $hash || warn "Can't symlink, $!";
-+ } else {
-+ print "copy $fname -> $hash\n" if $verbose;
-+ copy_file($fname, $hash);
-+ }
-+ $hashlist{$hash} = $fprint;
- }
---
-2.23.0
diff --git a/backport-CVE-2022-2097-Fix-AES-OCB-encrypt-decrypt-for-x86-AES-NI.patch b/backport-CVE-2022-2097-Fix-AES-OCB-encrypt-decrypt-for-x86-AES-NI.patch
deleted file mode 100644
index bb90e9e..0000000
--- a/backport-CVE-2022-2097-Fix-AES-OCB-encrypt-decrypt-for-x86-AES-NI.patch
+++ /dev/null
@@ -1,76 +0,0 @@
-From 919925673d6c9cfed3c1085497f5dfbbed5fc431 Mon Sep 17 00:00:00 2001
-From: Alex Chernyakhovsky
-Date: Thu, 16 Jun 2022 12:00:22 +1000
-Subject: [PATCH] Fix AES OCB encrypt/decrypt for x86 AES-NI
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-aesni_ocb_encrypt and aesni_ocb_decrypt operate by having a fast-path
-that performs operations on 6 16-byte blocks concurrently (the
-"grandloop") and then proceeds to handle the "short" tail (which can
-be anywhere from 0 to 5 blocks) that remain.
-
-As part of initialization, the assembly initializes $len to the true
-length, less 96 bytes and converts it to a pointer so that the $inp
-can be compared to it. Each iteration of "grandloop" checks to see if
-there's a full 96-byte chunk to process, and if so, continues. Once
-this has been exhausted, it falls through to "short", which handles
-the remaining zero to five blocks.
-
-Unfortunately, the jump at the end of "grandloop" had a fencepost
-error, doing a `jb` ("jump below") rather than `jbe` (jump below or
-equal). This should be `jbe`, as $inp is pointing to the *end* of the
-chunk currently being handled. If $inp == $len, that means that
-there's a whole 96-byte chunk waiting to be handled. If $inp > $len,
-then there's 5 or fewer 16-byte blocks left to be handled, and the
-fall-through is intended.
-
-The net effect of `jb` instead of `jbe` is that the last 16-byte block
-of the last 96-byte chunk was completely omitted. The contents of
-`out` in this position were never written to. Additionally, since
-those bytes were never processed, the authentication tag generated is
-also incorrect.
-
-The same fencepost error, and identical logic, exists in both
-aesni_ocb_encrypt and aesni_ocb_decrypt.
-
-This addresses CVE-2022-2097.
-
-Co-authored-by: Alejandro SedeƱo
-Co-authored-by: David Benjamin
-
-Reviewed-by: Paul Dale
-Reviewed-by: Tomas Mraz
-
-Reference:https://github.com/openssl/openssl/commit/919925673d6c9cfed3c1085497f5dfbbed5fc431
-Conflict: NA
----
- external/dcap_source/SGXDataCenterAttestationPrimitives-DCAP_1.12.1/QuoteVerification/intel-sgx-ssl-lin_2.15.1_1.1.1l/openssl_source/openssl-1.1.1l/crypto/aes/asm/aesni-x86.pl | 4 ++--
- 1 file changed, 2 insertions(+), 2 deletions(-)
-
-diff --git a/external/dcap_source/SGXDataCenterAttestationPrimitives-DCAP_1.12.1/QuoteVerification/intel-sgx-ssl-lin_2.15.1_1.1.1l/openssl_source/openssl-1.1.1l/crypto/aes/asm/aesni-x86.pl b/external/dcap_source/SGXDataCenterAttestationPrimitives-DCAP_1.12.1/QuoteVerification/intel-sgx-ssl-lin_2.15.1_1.1.1l/openssl_source/openssl-1.1.1l/crypto/aes/asm/aesni-x86.pl
-index fe2b26542a..812758e02e 100644
---- a/external/dcap_source/SGXDataCenterAttestationPrimitives-DCAP_1.12.1/QuoteVerification/intel-sgx-ssl-lin_2.15.1_1.1.1l/openssl_source/openssl-1.1.1l/crypto/aes/asm/aesni-x86.pl
-+++ b/external/dcap_source/SGXDataCenterAttestationPrimitives-DCAP_1.12.1/QuoteVerification/intel-sgx-ssl-lin_2.15.1_1.1.1l/openssl_source/openssl-1.1.1l/crypto/aes/asm/aesni-x86.pl
-@@ -2027,7 +2027,7 @@ my ($l_,$block,$i1,$i3,$i5) = ($rounds_,$key_,$rounds,$len,$out);
- &movdqu (&QWP(-16*2,$out,$inp),$inout4);
- &movdqu (&QWP(-16*1,$out,$inp),$inout5);
- &cmp ($inp,$len); # done yet?
-- &jb (&label("grandloop"));
-+ &jbe (&label("grandloop"));
-
- &set_label("short");
- &add ($len,16*6);
-@@ -2453,7 +2453,7 @@ my ($l_,$block,$i1,$i3,$i5) = ($rounds_,$key_,$rounds,$len,$out);
- &pxor ($rndkey1,$inout5);
- &movdqu (&QWP(-16*1,$out,$inp),$inout5);
- &cmp ($inp,$len); # done yet?
-- &jb (&label("grandloop"));
-+ &jbe (&label("grandloop"));
-
- &set_label("short");
- &add ($len,16*6);
---
-2.27.0
-
diff --git a/intel-sgx-ssl-lin_2.15.1_1.1.1l.zip b/intel-sgx-ssl-lin_2.15.1_1.1.1l.zip
deleted file mode 100644
index 6f8a1ff..0000000
Binary files a/intel-sgx-ssl-lin_2.15.1_1.1.1l.zip and /dev/null differ
diff --git a/lin_2.18_1.1.1q.tar.gz b/lin_2.18_1.1.1q.tar.gz
new file mode 100644
index 0000000..ae77844
Binary files /dev/null and b/lin_2.18_1.1.1q.tar.gz differ
diff --git a/linux-sgx.spec b/linux-sgx.spec
index 1b56d4a..26e0afa 100644
--- a/linux-sgx.spec
+++ b/linux-sgx.spec
@@ -1,39 +1,40 @@ Name: linux-sgx -Version: 2.15.1 -Release: 9 +Version: 2.18.1 +Release: 1 Summary: Intel(R) Software Guard Extensions for Linux* OS ExclusiveArch: x86_64 License: BSD-3-Clause URL: https://github.com/intel/linux-sgx -Source0: https://github.com/intel/linux-sgx/archive/refs/tags/sgx_2.15.1.tar.gz -Source1: https://github.com/intel/SGXDataCenterAttestationPrimitives/archive/refs/tags/DCAP_1.12.1.tar.gz + +%define DCAP_version 1.15 +%define protobuf_version 3.20.1 +%define openssl_version 1.1.1q +%define intel_sgx_ssl_version 2.18 +%define sgx_emm_version 1.0.0 + +Source0: https://github.com/intel/linux-sgx/archive/refs/tags/sgx_%{version}.tar.gz +Source1: https://github.com/intel/SGXDataCenterAttestationPrimitives/archive/refs/tags/DCAP_%{DCAP_version}.tar.gz Source2: https://github.com/llvm-mirror/openmp/archive/svn-tags/openmp_code.tar.gz Source3: https://github.com/oneapi-src/oneDNN/archive/oneDNN-2.5.tar.gz Source4: https://github.com/intel/ipp-crypto/archive/ipp-crypto.tar.gz -Source5: https://download.01.org/intel-sgx/sgx-linux/2.15.1/optimized_libs_2.15.1.tar.gz -Source6: https://download.01.org/intel-sgx/sgx-linux/2.15.1/prebuilt_ae_2.15.1.tar.gz -Source7: https://github.com/protocolbuffers/protobuf/archive/refs/tags/protobuf_code.tar.gz -Source8: https://download.01.org/intel-sgx/sgx-dcap/1.9/linux/prebuilt_dcap_1.9.tar.gz -Source9: https://download.01.org/intel-sgx/sgx-linux/2.15.1/as.ld.objdump.r4.tar.gz -Source10: https://github.com/openssl/openssl/archive/refs/tags/openssl-1.1.1l.tar.gz -Source11: https://github.com/intel/intel-sgx-ssl/archive/refs/tags/intel-sgx-ssl-lin_2.15.1_1.1.1l.zip +Source5: https://download.01.org/intel-sgx/sgx-linux/%{version}/optimized_libs_%{version}.tar.gz +Source6: https://download.01.org/intel-sgx/sgx-linux/%{version}/prebuilt_ae_%{version}.tar.gz +Source7: https://github.com/protocolbuffers/protobuf/archive/refs/tags/v%{protobuf_version}.tar.gz +Source8: 
https://download.01.org/intel-sgx/sgx-dcap/%{DCAP_version}/linux/prebuilt_dcap_%{DCAP_version}.tar.gz +Source9: https://www.openssl.org/source/old/1.1.1/openssl-%{openssl_version}.tar.gz +Source10: https://github.com/intel/intel-sgx-ssl/archive/refs/tags/lin_%{intel_sgx_ssl_version}_%{openssl_version}.tar.gz +Source11: https://github.com/intel/sgx-emm/archive/refs/tags/sgx-emm-%{sgx_emm_version}.tar.gz Patch0: 0001-disable-the-download-process-in-building.patch Patch1: 0002-fix-building-error-for-systemd.patch Patch2: add-secure-compilation-options.patch -Patch3: backport-CVE-2021-22570.patch -Patch4: backport-CVE-2022-0778.patch -Patch5: backport-CVE-2022-0778_test.patch -Patch6: backport-CVE-2022-1292.patch -Patch7: adapt-openssl-CVE.patch -Patch8: backport-CVE-2022-2068-Fix-file-operations-in-c_rehash.patch -Patch9: backport-CVE-2022-2097-Fix-AES-OCB-encrypt-decrypt-for-x86-AES-NI.patch -Patch10: DCAP-disabling-the-rpatch-option.patch -Patch11: add-strip-compilation-option-for-pck-id-retrieval-tool.patch +Patch3: adapt-openssl-CVE.patch +Patch4: DCAP-disabling-the-rpatch-option.patch BuildRequires: gcc-c++ protobuf-devel libtool ocaml ocaml-ocamlbuild compat-openssl11-devel cmake python curl-devel createrepo_c git nasm +BuildRequires: protobuf-lite-devel protobuf-c-devel boost-devel -Requires: glibc +Requires: glibc %description Intel(R) Software Guard Extensions (Intel(R) SGX) is an Intel technology for application 
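Review bot: The `backport-CVE-*.patch` entries (CVE-2021-22570, CVE-2022-0778, CVE-2022-1292, CVE-2022-2068, CVE-2022-2097) are dropped from the `Patch` list with nothing in the spec recording why; presumably the new pins `openssl_version 1.1.1q` and `protobuf_version 3.20.1` already contain those fixes, but that is only implied. I would add a comment above the `%define` block, for example `# openssl_version and protobuf_version replace the former backport-CVE-*.patch files; do not re-pin below the releases that carry those fixes`, so a later version change does not silently reintroduce them. `adapt-openssl-CVE.patch` is kept (now `Patch3`) even though the OpenSSL backports it sat next to are gone; its content is not visible here, so it is worth confirming that it still applies to the 1.1.1q tree and is still needed. The `add-strip-compilation-option-for-pck-id-retrieval-tool.patch` entry is removed as well, and the hunk does not show whether the new DCAP sources already strip that binary.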
@@ -259,174 +260,119 @@ Summary: Intel(R) Software Guard Extensions Basic Headers Intel(R) Software Guard Extensions Basic Headers %package_help + %prep %setup -q -b 0 -n linux-sgx-sgx_%{version} -%%setup -q -D -a 1 -n linux-sgx-sgx_%{version}/external/dcap_source -%%setup -q -D -a 2 -n linux-sgx-sgx_%{version}/external/openmp -%%setup -q -D -a 3 -n linux-sgx-sgx_%{version}/external/dnnl/dnnl -%%setup -q -D -a 4 -n linux-sgx-sgx_%{version}/external/ippcp_internal -%%setup -q -D -a 5 -n linux-sgx-sgx_%{version} -%%setup -q -D -a 6 -n linux-sgx-sgx_%{version} -%%setup -q -D -a 7 -n linux-sgx-sgx_%{version}/external/protobuf -%%setup -q -D -a 8 -n linux-sgx-sgx_%{version}/external/dcap_source/SGXDataCenterAttestationPrimitives-DCAP_1.12.1/QuoteGeneration -%%setup -q -D -a 11 -n linux-sgx-sgx_%{version}/external/dcap_source/SGXDataCenterAttestationPrimitives-DCAP_1.12.1/QuoteVerification/ -%%setup -q -D -a 10 -n linux-sgx-sgx_%{version}/external/dcap_source/SGXDataCenterAttestationPrimitives-DCAP_1.12.1/QuoteVerification/intel-sgx-ssl-lin_2.15.1_1.1.1l/openssl_source -%%setup -q -D -a 9 -n linux-sgx-sgx_%{version} +%setup -q -D -a 1 -n linux-sgx-sgx_%{version}/external/dcap_source +%setup -q -D -a 2 -n linux-sgx-sgx_%{version}/external/openmp +%setup -q -D -a 3 -n linux-sgx-sgx_%{version}/external/dnnl/dnnl +%setup -q -D -a 4 -n linux-sgx-sgx_%{version}/external/ippcp_internal +%setup -q -D -a 5 -n linux-sgx-sgx_%{version} +%setup -q -D -a 6 -n linux-sgx-sgx_%{version} +%setup -q -D -a 7 -n linux-sgx-sgx_%{version}/external/protobuf +%setup -q -D -a 8 -n linux-sgx-sgx_%{version}/external/dcap_source/SGXDataCenterAttestationPrimitives-DCAP_%{DCAP_version}/QuoteGeneration +%setup -q -D -a 10 -n linux-sgx-sgx_%{version}/external/dcap_source/SGXDataCenterAttestationPrimitives-DCAP_%{DCAP_version}/QuoteVerification/ +%setup -q -D -a 9 -n 
linux-sgx-sgx_%{version}/external/dcap_source/SGXDataCenterAttestationPrimitives-DCAP_%{DCAP_version}/QuoteVerification/intel-sgx-ssl-lin_%{intel_sgx_ssl_version}_%{openssl_version}/openssl_source +%setup -q -D -a 11 -n linux-sgx-sgx_%{version}/external/sgx-emm/emm_src +%setup -q -D -n linux-sgx-sgx_%{version} -%autopatch -p1 - -%build +pushd external/protobuf +mv protobuf-%{protobuf_version}/{.[!.],}* ./protobuf_code +rm -rf protobuf-%{protobuf_version} +popd pushd external/dcap_source/ -mv SGXDataCenterAttestationPrimitives-DCAP_1.12.1/{.[!.],}* . -rm -rf SGXDataCenterAttestationPrimitives-DCAP_1.12.1 +mv SGXDataCenterAttestationPrimitives-DCAP_%{DCAP_version}/{.[!.],}* . +rm -rf SGXDataCenterAttestationPrimitives-DCAP_%{DCAP_version} popd pushd external/dcap_source/QuoteVerification -mv intel-sgx-ssl-lin_2.15.1_1.1.1l sgxssl +mv intel-sgx-ssl-lin_%{intel_sgx_ssl_version}_%{openssl_version} sgxssl popd -cp %{SOURCE10} external/dcap_source/QuoteVerification/sgxssl/openssl_source +cp %{SOURCE9} external/dcap_source/QuoteVerification/sgxssl/openssl_source pushd external/dnnl/dnnl mv oneDNN-2.5/{.[!.],}* . rm -rf oneDNN-2.5 popd +pushd external/sgx-emm/emm_src +mv sgx-emm-sgx-emm-%{sgx_emm_version}/{.[!.],}* . 
+rm -rf sgx-emm-sgx-emm-%{sgx_emm_version} +popd + +%autopatch -p1 + + +%build +make preparation + make -j -C external/ippcp_internal/ make -j2 sdk_install_pkg_no_mitigation -linux/installer/bin/sgx_linux_x64_sdk_2.15.101.1.bin --prefix=./ +./linux/installer/bin/sgx_linux_x64_sdk_2.18.101.1.bin --prefix=./ source ./sgxsdk/environment -make -j2 psw -%define DCAP_LINUX_INSTALLER_COMMON_DIR external/dcap_source/QuoteGeneration/installer/linux/common/ -%define DCAP_LINUX_INSTALLER_RPM_DIR external/dcap_source/QuoteGeneration/installer/linux/rpm +make psw + +make -C external/dcap_source QuoteGeneration PCKCertSelection PCKRetrievalTool SGXPlatformRegistration + %define LINUX_INSTALLER_COMMON_DIR linux/installer/common %define LINUX_INSTALLER_RPM_DIR linux/installer/rpm +packages1=(libsgx-enclave-common libsgx-epid libsgx-headers libsgx-launch libsgx-quote-ex libsgx-uae-service libsgx-urts psw sdk sgx-aesm-service) +for package1 in ${packages1[@]} +do + if [ ${package1} == sdk -o ${package1} == psw ]; then + source ./%{LINUX_INSTALLER_COMMON_DIR}/${package1}/installConfig.x64 + else + source ./%{LINUX_INSTALLER_COMMON_DIR}/${package1}/installConfig + fi -source ./%{LINUX_INSTALLER_COMMON_DIR}/sdk/installConfig.x64 -%{LINUX_INSTALLER_COMMON_DIR}/sdk/createTarball.sh -mkdir -p %{LINUX_INSTALLER_RPM_DIR}/sdk/build -tar -xvf %{LINUX_INSTALLER_COMMON_DIR}/sdk/output/${TARBALL_NAME} -C %{LINUX_INSTALLER_RPM_DIR}/sdk/build + %{LINUX_INSTALLER_COMMON_DIR}/${package1}/createTarball.sh + mkdir -p %{LINUX_INSTALLER_RPM_DIR}/${package1}/build + tar -xvf %{LINUX_INSTALLER_COMMON_DIR}/${package1}/output/${TARBALL_NAME} -C %{LINUX_INSTALLER_RPM_DIR}/${package1}/build +done -source ./%{DCAP_LINUX_INSTALLER_COMMON_DIR}/libsgx-ae-qe3/installConfig -%{DCAP_LINUX_INSTALLER_COMMON_DIR}/libsgx-ae-qe3/createTarball.sh -mkdir -p %{DCAP_LINUX_INSTALLER_RPM_DIR}/libsgx-ae-qe3/build -tar -xvf %{DCAP_LINUX_INSTALLER_COMMON_DIR}/libsgx-ae-qe3/output/${TARBALL_NAME} -C 
%{DCAP_LINUX_INSTALLER_RPM_DIR}/libsgx-ae-qe3/build +%define DCAP_LINUX_INSTALLER_COMMON_DIR external/dcap_source/QuoteGeneration/installer/linux/common/ +%define DCAP_LINUX_INSTALLER_RPM_DIR external/dcap_source/QuoteGeneration/installer/linux/rpm +packages2=(libsgx-ae-qe3 libsgx-ae-qve libsgx-dcap-default-qpl libsgx-dcap-ql libsgx-dcap-quote-verify libsgx-pce-logic libsgx-qe3-logic sgx-dcap-pccs) +for package2 in ${packages2[@]} +do + if [ ${package2} == sgx-dcap-pccs ]; then + mkdir -p external/dcap_source/QuoteGeneration/pccs/lib/ + cp external/dcap_source/tools/PCKCertSelection/out/libPCKCertSelection.so external/dcap_source/QuoteGeneration/pccs/lib/ + fi -make -C external/dcap_source/QuoteGeneration pce_logic -source ./%{DCAP_LINUX_INSTALLER_COMMON_DIR}/libsgx-pce-logic/installConfig -%{DCAP_LINUX_INSTALLER_COMMON_DIR}/libsgx-pce-logic/createTarball.sh -mkdir -p %{DCAP_LINUX_INSTALLER_RPM_DIR}/libsgx-pce-logic/build -tar -xvf %{DCAP_LINUX_INSTALLER_COMMON_DIR}/libsgx-pce-logic/output/${TARBALL_NAME} -C %{DCAP_LINUX_INSTALLER_RPM_DIR}/libsgx-pce-logic/build + source ./%{DCAP_LINUX_INSTALLER_COMMON_DIR}/${package2}/installConfig + %{DCAP_LINUX_INSTALLER_COMMON_DIR}/${package2}/createTarball.sh + mkdir -p %{DCAP_LINUX_INSTALLER_RPM_DIR}/${package2}/build + tar -xvf %{DCAP_LINUX_INSTALLER_COMMON_DIR}/${package2}/output/${TARBALL_NAME} -C %{DCAP_LINUX_INSTALLER_RPM_DIR}/${package2}/build +done -make -C external/dcap_source/QuoteGeneration qe3_logic -source ./%{DCAP_LINUX_INSTALLER_COMMON_DIR}/libsgx-qe3-logic/installConfig -%{DCAP_LINUX_INSTALLER_COMMON_DIR}/libsgx-qe3-logic/createTarball.sh -mkdir -p %{DCAP_LINUX_INSTALLER_RPM_DIR}/libsgx-qe3-logic/build -tar -xvf %{DCAP_LINUX_INSTALLER_COMMON_DIR}/libsgx-qe3-logic/output/${TARBALL_NAME} -C %{DCAP_LINUX_INSTALLER_RPM_DIR}/libsgx-qe3-logic/build - -make -C external/dcap_source/QuoteGeneration qcnl_wrapper -make -C external/dcap_source/QuoteGeneration qpl_wrapper -source 
./%{DCAP_LINUX_INSTALLER_COMMON_DIR}/libsgx-dcap-default-qpl/installConfig -%{DCAP_LINUX_INSTALLER_COMMON_DIR}/libsgx-dcap-default-qpl/createTarball.sh -mkdir -p %{DCAP_LINUX_INSTALLER_RPM_DIR}/libsgx-dcap-default-qpl/build -tar -xvf %{DCAP_LINUX_INSTALLER_COMMON_DIR}/libsgx-dcap-default-qpl/output/${TARBALL_NAME} -C %{DCAP_LINUX_INSTALLER_RPM_DIR}/libsgx-dcap-default-qpl/build - -make -C external/dcap_source/tools/PCKCertSelection -mkdir -p external/dcap_source/QuoteGeneration/pccs/lib/ -cp external/dcap_source/tools/PCKCertSelection/out/libPCKCertSelection.so external/dcap_source/QuoteGeneration/pccs/lib/ -source ./%{DCAP_LINUX_INSTALLER_COMMON_DIR}/sgx-dcap-pccs/installConfig -%{DCAP_LINUX_INSTALLER_COMMON_DIR}/sgx-dcap-pccs/createTarball.sh -mkdir -p %{DCAP_LINUX_INSTALLER_RPM_DIR}/sgx-dcap-pccs/build -tar -xvf %{DCAP_LINUX_INSTALLER_COMMON_DIR}/sgx-dcap-pccs/output/${TARBALL_NAME} -C %{DCAP_LINUX_INSTALLER_RPM_DIR}/sgx-dcap-pccs/build - -make -C external/dcap_source/QuoteGeneration qve_wrapper -source ./%{DCAP_LINUX_INSTALLER_COMMON_DIR}/libsgx-dcap-ql/installConfig -%{DCAP_LINUX_INSTALLER_COMMON_DIR}/libsgx-dcap-ql/createTarball.sh -mkdir -p %{DCAP_LINUX_INSTALLER_RPM_DIR}/libsgx-dcap-ql/build -tar -xvf %{DCAP_LINUX_INSTALLER_COMMON_DIR}/libsgx-dcap-ql/output/${TARBALL_NAME} -C %{DCAP_LINUX_INSTALLER_RPM_DIR}/libsgx-dcap-ql/build - -make -C external/dcap_source/QuoteGeneration qve_wrapper -source ./%{DCAP_LINUX_INSTALLER_COMMON_DIR}/libsgx-ae-qve/installConfig -%{DCAP_LINUX_INSTALLER_COMMON_DIR}/libsgx-ae-qve/createTarball.sh -mkdir -p %{DCAP_LINUX_INSTALLER_RPM_DIR}/libsgx-ae-qve/build -tar -xvf %{DCAP_LINUX_INSTALLER_COMMON_DIR}/libsgx-ae-qve/output/${TARBALL_NAME} -C %{DCAP_LINUX_INSTALLER_RPM_DIR}/libsgx-ae-qve/build - -source ./%{DCAP_LINUX_INSTALLER_COMMON_DIR}/libsgx-dcap-quote-verify/installConfig -%{DCAP_LINUX_INSTALLER_COMMON_DIR}/libsgx-dcap-quote-verify/createTarball.sh -mkdir -p %{DCAP_LINUX_INSTALLER_RPM_DIR}/libsgx-dcap-quote-verify/build -tar 
-xvf %{DCAP_LINUX_INSTALLER_COMMON_DIR}/libsgx-dcap-quote-verify/output/${TARBALL_NAME} -C %{DCAP_LINUX_INSTALLER_RPM_DIR}/libsgx-dcap-quote-verify/build - -make -C external/dcap_source/tools/PCKRetrievalTool/ source ./external/dcap_source/tools/PCKRetrievalTool/installer/common/sgx-pck-id-retrieval-tool/installConfig external/dcap_source/tools/PCKRetrievalTool/installer/common/sgx-pck-id-retrieval-tool/createTarball.sh mkdir -p external/dcap_source/tools/PCKRetrievalTool/installer/rpm/sgx-pck-id-retrieval-tool/build tar -xvf external/dcap_source/tools/PCKRetrievalTool/installer/common/sgx-pck-id-retrieval-tool/output/${TARBALL_NAME} -C external/dcap_source/tools/PCKRetrievalTool/installer/rpm/sgx-pck-id-retrieval-tool/build -source ./%{LINUX_INSTALLER_COMMON_DIR}/sgx-aesm-service/installConfig -%{LINUX_INSTALLER_COMMON_DIR}/sgx-aesm-service/createTarball.sh -mkdir -p %{LINUX_INSTALLER_RPM_DIR}/sgx-aesm-service/build -tar -xvf %{LINUX_INSTALLER_COMMON_DIR}/sgx-aesm-service/output/${TARBALL_NAME} -C %{LINUX_INSTALLER_RPM_DIR}/sgx-aesm-service/build - -source ./%{LINUX_INSTALLER_COMMON_DIR}/libsgx-epid/installConfig -%{LINUX_INSTALLER_COMMON_DIR}/libsgx-epid/createTarball.sh -mkdir -p %{LINUX_INSTALLER_RPM_DIR}/libsgx-epid/build -tar -xvf %{LINUX_INSTALLER_COMMON_DIR}/libsgx-epid/output/${TARBALL_NAME} -C %{LINUX_INSTALLER_RPM_DIR}/libsgx-epid/build - -source ./%{LINUX_INSTALLER_COMMON_DIR}/libsgx-launch/installConfig -%{LINUX_INSTALLER_COMMON_DIR}/libsgx-launch/createTarball.sh -mkdir -p %{LINUX_INSTALLER_RPM_DIR}/libsgx-launch/build -tar -xvf %{LINUX_INSTALLER_COMMON_DIR}/libsgx-launch/output/${TARBALL_NAME} -C %{LINUX_INSTALLER_RPM_DIR}/libsgx-launch/build - -source ./%{LINUX_INSTALLER_COMMON_DIR}/libsgx-quote-ex/installConfig -%{LINUX_INSTALLER_COMMON_DIR}/libsgx-quote-ex/createTarball.sh -mkdir -p %{LINUX_INSTALLER_RPM_DIR}/libsgx-quote-ex/build -tar -xvf %{LINUX_INSTALLER_COMMON_DIR}/libsgx-quote-ex/output/${TARBALL_NAME} -C 
%{LINUX_INSTALLER_RPM_DIR}/libsgx-quote-ex/build - -source ./%{LINUX_INSTALLER_COMMON_DIR}/libsgx-uae-service/installConfig -%{LINUX_INSTALLER_COMMON_DIR}/libsgx-uae-service/createTarball.sh -mkdir -p %{LINUX_INSTALLER_RPM_DIR}/libsgx-uae-service/build -tar -xvf %{LINUX_INSTALLER_COMMON_DIR}/libsgx-uae-service/output/${TARBALL_NAME} -C %{LINUX_INSTALLER_RPM_DIR}/libsgx-uae-service/build - -source ./%{LINUX_INSTALLER_COMMON_DIR}/libsgx-enclave-common/installConfig -%{LINUX_INSTALLER_COMMON_DIR}/libsgx-enclave-common/createTarball.sh -mkdir -p %{LINUX_INSTALLER_RPM_DIR}/libsgx-enclave-common/build -tar -xvf %{LINUX_INSTALLER_COMMON_DIR}/libsgx-enclave-common/output/${TARBALL_NAME} -C %{LINUX_INSTALLER_RPM_DIR}/libsgx-enclave-common/build - -source ./%{LINUX_INSTALLER_COMMON_DIR}/libsgx-urts/installConfig -%{LINUX_INSTALLER_COMMON_DIR}/libsgx-urts/createTarball.sh -mkdir -p %{LINUX_INSTALLER_RPM_DIR}/libsgx-urts/build -tar -xvf %{LINUX_INSTALLER_COMMON_DIR}/libsgx-urts/output/${TARBALL_NAME} -C %{LINUX_INSTALLER_RPM_DIR}/libsgx-urts/build - %define TOOLS_INSTALLER_PLATFORM_DIR external/dcap_source/tools/SGXPlatformRegistration/ %define TOOLS_INSTALLER_COMMON_DIR external/dcap_source/tools/SGXPlatformRegistration/package/installer/common/ %define TOOLS_INSTALLER_RPM_DIR external/dcap_source/tools/SGXPlatformRegistration/package/installer/rpm -make -C %{TOOLS_INSTALLER_PLATFORM_DIR}/package MP_VERIFY_DATA_STRUCTS=$(MP_VERIFY_DATA_STRUCTS) +#make -C %{TOOLS_INSTALLER_PLATFORM_DIR}/package MP_VERIFY_DATA_STRUCTS=$(MP_VERIFY_DATA_STRUCTS) mkdir -p %{TOOLS_INSTALLER_PLATFORM_DIR}/build/installer -source ./%{TOOLS_INSTALLER_COMMON_DIR}/libsgx-ra-uefi/installConfig -%{TOOLS_INSTALLER_COMMON_DIR}/libsgx-ra-uefi/createTarball.sh -mkdir -p %{TOOLS_INSTALLER_RPM_DIR}/libsgx-ra-uefi/build -tar -xvf %{TOOLS_INSTALLER_COMMON_DIR}/libsgx-ra-uefi/output/${TARBALL_NAME} -C %{TOOLS_INSTALLER_RPM_DIR}/libsgx-ra-uefi/build +packages3=(libsgx-ra-uefi libsgx-ra-network sgx-ra-service) +for 
package3 in ${packages3[@]} +do + source ./%{TOOLS_INSTALLER_COMMON_DIR}/${package3}/installConfig + %{TOOLS_INSTALLER_COMMON_DIR}/${package3}/createTarball.sh + mkdir -p %{TOOLS_INSTALLER_RPM_DIR}/${package3}/build + tar -xvf %{TOOLS_INSTALLER_COMMON_DIR}/${package3}/output/${TARBALL_NAME} -C %{TOOLS_INSTALLER_RPM_DIR}/${package3}/build +done -source ./%{TOOLS_INSTALLER_COMMON_DIR}/libsgx-ra-network/installConfig -%{TOOLS_INSTALLER_COMMON_DIR}/libsgx-ra-network/createTarball.sh -mkdir -p %{TOOLS_INSTALLER_RPM_DIR}/libsgx-ra-network/build -tar -xvf %{TOOLS_INSTALLER_COMMON_DIR}/libsgx-ra-network/output/${TARBALL_NAME} -C %{TOOLS_INSTALLER_RPM_DIR}/libsgx-ra-network/build - -source ./%{TOOLS_INSTALLER_COMMON_DIR}/sgx-ra-service/installConfig -%{TOOLS_INSTALLER_COMMON_DIR}/sgx-ra-service/createTarball.sh -mkdir -p %{TOOLS_INSTALLER_RPM_DIR}/sgx-ra-service/build -tar -xvf %{TOOLS_INSTALLER_COMMON_DIR}/sgx-ra-service/output/${TARBALL_NAME} -C %{TOOLS_INSTALLER_RPM_DIR}/sgx-ra-service/build - -source ./%{LINUX_INSTALLER_COMMON_DIR}/libsgx-headers/installConfig -%{LINUX_INSTALLER_COMMON_DIR}/libsgx-headers/createTarball.sh -mkdir -p %{LINUX_INSTALLER_RPM_DIR}/libsgx-headers/build -tar -xvf %{LINUX_INSTALLER_COMMON_DIR}/libsgx-headers/output/${TARBALL_NAME} -C %{LINUX_INSTALLER_RPM_DIR}/libsgx-headers/build %install +%define _install_path /opt/intel/sgxsdk pushd %{LINUX_INSTALLER_RPM_DIR}/sdk/build mkdir %{?buildroot}/sdk-dir/ make DESTDIR=%{?buildroot}/sdk-dir/ install 
@@ -436,11 +382,12 @@ cp ./sgxsdk/environment %{?buildroot}/sdk-dir/opt/intel/sgxsdk sed -i 's/^.*export SGX_SDK.*$/export SGX_SDK=\/opt\/intel\/sgxsdk/g' %{?buildroot}/sdk-dir/opt/intel/sgxsdk/environment find %{LINUX_INSTALLER_RPM_DIR}/sdk/build/package/licenses/ -type f -print0 | xargs -0 -n1 cat >> %{?buildroot}/sdk-dir%{_docdir}/sgxsdk/COPYING echo "/opt/intel/sgxsdk" > %{LINUX_INSTALLER_RPM_DIR}/sdk/build/list-sgxsdk -find %{?buildroot}/sdk-dir | sort | \ +find %{?buildroot}/sdk-dir/ | sort | \ awk '$0 !~ last "/" {print last} {last=$0} END {print last}' | \ sed -e "s#^%{?buildroot}/sdk-dir##" | \ -grep -v "^/opt/intel/sgxsdk" >> %{LINUX_INSTALLER_RPM_DIR}/sdk/build/list-sgxsdk || : -cp -r %{?buildroot}/sdk-dir/* %{?buildroot}/ +grep -v "^/opt/intel/sgxsdk/SampleCode" >> %{LINUX_INSTALLER_RPM_DIR}/sdk/build/list-sgxsdk || : +sed -i '2d' %{LINUX_INSTALLER_RPM_DIR}/sdk/build/list-sgxsdk +cp -rf %{?buildroot}/sdk-dir/* %{?buildroot}/ rm -rf %{?buildroot}/sdk-dir/ rm -rf %{?buildroot}/opt/intel/sgxsdk/SampleCode @@ -450,10 +397,11 @@ make DESTDIR=%{?buildroot}/libsgx-ae-qe3-dir/ install install -d %{?buildroot}/libsgx-ae-qe3-dir/%{_docdir}/libsgx-ae-qe3 popd find %{DCAP_LINUX_INSTALLER_RPM_DIR}/libsgx-ae-qe3/build/package/licenses/ -type f -print0 | xargs -0 -n1 cat >> %{?buildroot}/libsgx-ae-qe3-dir%{_docdir}/libsgx-ae-qe3/COPYING +rm -f %{DCAP_LINUX_INSTALLER_RPM_DIR}/libsgx-ae-qe3/build/list-libsgx-ae-qe3 for f in $(find %{?buildroot}/libsgx-ae-qe3-dir -type f -o -type l); do echo $f | sed -e "s#%{?buildroot}/libsgx-ae-qe3-dir##" >> %{DCAP_LINUX_INSTALLER_RPM_DIR}/libsgx-ae-qe3/build/list-libsgx-ae-qe3 done -cp -r %{?buildroot}/libsgx-ae-qe3-dir/* %{?buildroot}/ +cp -rf %{?buildroot}/libsgx-ae-qe3-dir/* %{?buildroot}/ rm -rf %{?buildroot}/libsgx-ae-qe3-dir/ pushd %{DCAP_LINUX_INSTALLER_RPM_DIR}/libsgx-pce-logic/build 
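Review bot: In the sgxsdk file-list hunk, `sed -i '2d'` deletes whatever happens to be the second line of `list-sgxsdk`, and nothing says which entry that is meant to be. It looks like it compensates for the trailing slash added to `find %{?buildroot}/sdk-dir/`, which would make the awk leaf filter emit the start directory and the following `sed` reduce it to `/`; that reading is inferred, not shown. If so, filter by content instead, for example by adding `grep -v '^/$' | \` to the pipeline, so that a different sort order cannot drop a real entry or leave `/` in the package's file list. A one-line comment naming the entry being removed would help either way.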
@@ -462,10 +410,11 @@ make DESTDIR=%{?buildroot}/libsgx-pce-logic-dir/ install install -d %{?buildroot}/libsgx-pce-logic-dir/%{_docdir}/libsgx-pce-logic popd find %{DCAP_LINUX_INSTALLER_RPM_DIR}/libsgx-pce-logic/build/package/licenses/ -type f -print0 | xargs -0 -n1 cat >> %{?buildroot}/libsgx-pce-logic-dir%{_docdir}/libsgx-pce-logic/COPYING +rm -f %{DCAP_LINUX_INSTALLER_RPM_DIR}/libsgx-pce-logic/build/list-libsgx-pce-logic for f in $(find %{?buildroot}/libsgx-pce-logic-dir -type f -o -type l); do echo $f | sed -e "s#%{?buildroot}/libsgx-pce-logic-dir##" >> %{DCAP_LINUX_INSTALLER_RPM_DIR}/libsgx-pce-logic/build/list-libsgx-pce-logic done -cp -r %{?buildroot}/libsgx-pce-logic-dir/* %{?buildroot}/ +cp -rf %{?buildroot}/libsgx-pce-logic-dir/* %{?buildroot}/ rm -rf %{?buildroot}/libsgx-pce-logic-dir/ pushd %{DCAP_LINUX_INSTALLER_RPM_DIR}/libsgx-qe3-logic/build @@ -474,10 +423,11 @@ make DESTDIR=%{?buildroot}/libsgx-qe3-logic-dir/ install install -d %{?buildroot}/libsgx-qe3-logic-dir/%{_docdir}/libsgx-qe3-logic popd find %{DCAP_LINUX_INSTALLER_RPM_DIR}/libsgx-qe3-logic/build/package/licenses/ -type f -print0 | xargs -0 -n1 cat >> %{?buildroot}/libsgx-qe3-logic-dir%{_docdir}/libsgx-qe3-logic/COPYING +rm -f %{DCAP_LINUX_INSTALLER_RPM_DIR}/libsgx-qe3-logic/build/list-libsgx-qe3-logic for f in $(find %{?buildroot}/libsgx-qe3-logic-dir -type f -o -type l); do echo $f | sed -e "s#%{?buildroot}/libsgx-qe3-logic-dir##" >> %{DCAP_LINUX_INSTALLER_RPM_DIR}/libsgx-qe3-logic/build/list-libsgx-qe3-logic done -cp -r %{?buildroot}/libsgx-qe3-logic-dir/* %{?buildroot}/ +cp -rf %{?buildroot}/libsgx-qe3-logic-dir/* %{?buildroot}/ rm -rf %{?buildroot}/libsgx-qe3-logic-dir/ pushd %{DCAP_LINUX_INSTALLER_RPM_DIR}/libsgx-dcap-default-qpl/build 
@@ -486,15 +436,16 @@ make DESTDIR=%{?buildroot}/libsgx-dcap-default-qpl-dir/ install install -d %{?buildroot}/libsgx-dcap-default-qpl-dir/libsgx-dcap-default-qpl%{_docdir}/libsgx-dcap-default-qpl popd find %{DCAP_LINUX_INSTALLER_RPM_DIR}/libsgx-dcap-default-qpl/build/package/licenses/ -type f -print0 | xargs -0 -n1 cat >> %{?buildroot}/libsgx-dcap-default-qpl-dir/libsgx-dcap-default-qpl%{_docdir}/libsgx-dcap-default-qpl/COPYING +rm -f %{DCAP_LINUX_INSTALLER_RPM_DIR}/libsgx-dcap-default-qpl/build/list-libsgx-dcap-default-qpl for f in $(find %{?buildroot}/libsgx-dcap-default-qpl-dir/libsgx-dcap-default-qpl -type f -o -type l); do echo $f | sed -e "s#%{?buildroot}/libsgx-dcap-default-qpl-dir/libsgx-dcap-default-qpl##" >> %{DCAP_LINUX_INSTALLER_RPM_DIR}/libsgx-dcap-default-qpl/build/list-libsgx-dcap-default-qpl done -cp -r %{?buildroot}/libsgx-dcap-default-qpl-dir/libsgx-dcap-default-qpl/* %{?buildroot}/ +cp -rf %{?buildroot}/libsgx-dcap-default-qpl-dir/libsgx-dcap-default-qpl/* %{?buildroot}/ rm -rf %{?buildroot}/libsgx-dcap-default-qpl-dir/libsgx-dcap-default-qpl/ for f in $(find %{?buildroot}/libsgx-dcap-default-qpl-dir/libsgx-dcap-default-qpl-dev -type f -o -type l); do echo $f | sed -e "s#%{?buildroot}/libsgx-dcap-default-qpl-dir/libsgx-dcap-default-qpl-dev##" >> %{DCAP_LINUX_INSTALLER_RPM_DIR}/libsgx-dcap-default-qpl/build/list-libsgx-dcap-default-qpl-devel done -cp -r %{?buildroot}/libsgx-dcap-default-qpl-dir/libsgx-dcap-default-qpl-dev/* %{?buildroot}/ +cp -r %{?buildroot}/libsgx-dcap-default-qpl-dir/libsgx-dcap-default-qpl-dev/* %{?buildroot}/ rm -rf %{?buildroot}/libsgx-dcap-default-qpl-dir/libsgx-dcap-default-qpl-dev/ sed -i 's#^/etc/sgx_default_qcnl.conf#%config &#' %{DCAP_LINUX_INSTALLER_RPM_DIR}/libsgx-dcap-default-qpl/build/list-libsgx-dcap-default-qpl 
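Review bot: Only `list-libsgx-dcap-default-qpl` is reset before its loop; the second loop still appends to `list-libsgx-dcap-default-qpl-devel` with no matching `rm -f`. The libsgx-dcap-ql and libsgx-dcap-quote-verify hunks further down reset both of their lists. If %install is re-run in the same build tree, the -devel list would pick up stale or duplicate entries. Add `rm -f %{DCAP_LINUX_INSTALLER_RPM_DIR}/libsgx-dcap-default-qpl/build/list-libsgx-dcap-default-qpl-devel` before the second `for` loop.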
@@ -504,9 +455,25 @@ make DESTDIR=%{?buildroot}/sgx-dcap-pccs-dir/ install install -d %{?buildroot}/sgx-dcap-pccs-dir%{_docdir}/sgx-dcap-pccs popd find %{DCAP_LINUX_INSTALLER_RPM_DIR}/sgx-dcap-pccs/build/build/package/licenses/ -type f -print0 | xargs -0 -n1 cat >> %{?buildroot}/sgx-dcap-pccs-dir%{_docdir}/sgx-dcap-pccs/COPYING -echo "/opt/intel/sgx-dcap-pccs" > %{DCAP_LINUX_INSTALLER_RPM_DIR}/sgx-dcap-pccs/build/list-sgx-dcap-pccs -echo %{_docdir}/sgx-dcap-pccs/COPYING >> %{DCAP_LINUX_INSTALLER_RPM_DIR}/sgx-dcap-pccs/build/list-sgx-dcap-pccs -echo "%config /opt/intel/sgx-dcap-pccs/config/default.json" >> %{DCAP_LINUX_INSTALLER_RPM_DIR}/sgx-dcap-pccs/build/list-sgx-dcap-pccs +find %{?buildroot}/sgx-dcap-pccs-dir -type d -links 2 | \ +sed -e "s#^%{?buildroot}/sgx-dcap-pccs-dir##" | \ +grep -v "^%{_libdir}" | \ +grep -v "^%{_bindir}" | \ +grep -v "^%{_sysconfdir}" | \ +grep -v "^%{_install_path}" | \ +sed -e "s#^#%dir #" > %{DCAP_LINUX_INSTALLER_RPM_DIR}/sgx-dcap-pccs/build/list-sgx-dcap-pccs +for f in $(find %{?buildroot}/sgx-dcap-pccs-dir); do + if [ -d ${f} ]; then + echo ${f} | \ + sed -e "s#^%{?buildroot}/sgx-dcap-pccs-dir##" | \ + grep "^%{_install_path}" | \ + sed -e "s#^#%dir #" >> %{DCAP_LINUX_INSTALLER_RPM_DIR}/sgx-dcap-pccs/build/list-sgx-dcap-pccs + else + echo ${f} | \ + sed -e "s#^%{?buildroot}/sgx-dcap-pccs-dir##" >> %{DCAP_LINUX_INSTALLER_RPM_DIR}/sgx-dcap-pccs/build/list-sgx-dcap-pccs + fi +done +sed -i 's#^%{_install_path}/config/default.json#%config &#' %{DCAP_LINUX_INSTALLER_RPM_DIR}/sgx-dcap-pccs/build/list-sgx-dcap-pccs cp -r %{?buildroot}/sgx-dcap-pccs-dir/* %{?buildroot}/ rm -rf %{?buildroot}/sgx-dcap-pccs-dir/ 
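Review bot: The `%config` tagging of the PCCS `default.json` and both directory filters now depend on `%{_install_path}`, and the only definition visible in this diff is `%define _install_path /opt/intel/sgxsdk` at the top of %install. Unless the macro is redefined somewhere outside the diff, `grep "^%{_install_path}"` matches no PCCS directory and the final `sed` never marks `/opt/intel/sgx-dcap-pccs/config/default.json` as a config file, so an upgrade would treat an edited PCCS configuration as an ordinary file. Spelling the path out, as the qcnl rule does, avoids the dependency: `sed -i 's#^/opt/intel/sgx-dcap-pccs/config/default.json#%config &#' …/list-sgx-dcap-pccs`. Separately, `-type d -links 2` finds leaf directories by link count, which not every filesystem maintains (btrfs reports 1 for directories), so the `%dir` list can come out empty depending on where the build runs.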
@@ -516,11 +483,13 @@ make DESTDIR=%{?buildroot}/libsgx-dcap-ql-dir/ install install -d %{?buildroot}/libsgx-dcap-ql-dir/libsgx-dcap-ql%{_docdir}/libsgx-dcap-ql popd find %{DCAP_LINUX_INSTALLER_RPM_DIR}/libsgx-dcap-ql/build/package/licenses/ -type f -print0 | xargs -0 -n1 cat >> %{?buildroot}/libsgx-dcap-ql-dir/libsgx-dcap-ql%{_docdir}/libsgx-dcap-ql/COPYING +rm -f %{DCAP_LINUX_INSTALLER_RPM_DIR}/libsgx-dcap-ql/build/list-libsgx-dcap-ql for f in $(find %{?buildroot}/libsgx-dcap-ql-dir/libsgx-dcap-ql -type f -o -type l); do echo $f | sed -e "s#%{?buildroot}/libsgx-dcap-ql-dir/libsgx-dcap-ql##" >> %{DCAP_LINUX_INSTALLER_RPM_DIR}/libsgx-dcap-ql/build/list-libsgx-dcap-ql done -cp -r %{?buildroot}/libsgx-dcap-ql-dir/libsgx-dcap-ql/* %{?buildroot}/ +cp -rf %{?buildroot}/libsgx-dcap-ql-dir/libsgx-dcap-ql/* %{?buildroot}/ rm -rf %{?buildroot}/libsgx-dcap-ql-dir/libsgx-dcap-ql +rm -f %{DCAP_LINUX_INSTALLER_RPM_DIR}/libsgx-dcap-ql/build/list-libsgx-dcap-ql-devel for f in $(find %{?buildroot}/libsgx-dcap-ql-dir/libsgx-dcap-ql-dev -type f -o -type l); do echo $f | sed -e "s#%{?buildroot}/libsgx-dcap-ql-dir/libsgx-dcap-ql-dev##" >> %{DCAP_LINUX_INSTALLER_RPM_DIR}/libsgx-dcap-ql/build/list-libsgx-dcap-ql-devel done 
@@ -533,31 +502,32 @@ make DESTDIR=%{?buildroot}/libsgx-ae-qve-dir/ install install -d %{?buildroot}/libsgx-ae-qve-dir%{_docdir}/libsgx-ae-qve popd find %{DCAP_LINUX_INSTALLER_RPM_DIR}/libsgx-ae-qve/build/package/licenses/ -type f -print0 | xargs -0 -n1 cat >> %{?buildroot}/libsgx-ae-qve-dir/%{_docdir}/libsgx-ae-qve/COPYING +rm -f %{DCAP_LINUX_INSTALLER_RPM_DIR}/libsgx-ae-qve/build/list-libsgx-ae-qve for f in $(find %{?buildroot}/libsgx-ae-qve-dir -type f -o -type l); do echo $f | sed -e "s#%{?buildroot}/libsgx-ae-qve-dir##" >> %{DCAP_LINUX_INSTALLER_RPM_DIR}/libsgx-ae-qve/build/list-libsgx-ae-qve done cp -r %{?buildroot}/libsgx-ae-qve-dir/* %{?buildroot}/ rm -rf %{?buildroot}/libsgx-ae-qve-dir/ - pushd %{DCAP_LINUX_INSTALLER_RPM_DIR}/libsgx-dcap-quote-verify/build mkdir -p %{?buildroot}/libsgx-dcap-quote-verify-dir/ make DESTDIR=%{?buildroot}/libsgx-dcap-quote-verify-dir/ install install -d %{?buildroot}/libsgx-dcap-quote-verify-dir/libsgx-dcap-quote-verify%{_docdir}/libsgx-dcap-quote-verify popd find %{DCAP_LINUX_INSTALLER_RPM_DIR}/libsgx-dcap-quote-verify/build/package/licenses/ -type f -print0 | xargs -0 -n1 cat >> %{?buildroot}/libsgx-dcap-quote-verify-dir/libsgx-dcap-quote-verify%{_docdir}/libsgx-dcap-quote-verify/COPYING +rm -f %{DCAP_LINUX_INSTALLER_RPM_DIR}/libsgx-dcap-quote-verify/build/list-libsgx-dcap-quote-verify for f in $(find %{?buildroot}/libsgx-dcap-quote-verify-dir/libsgx-dcap-quote-verify -type f -o -type l); do echo $f | sed -e "s#%{?buildroot}/libsgx-dcap-quote-verify-dir/libsgx-dcap-quote-verify##" >> %{DCAP_LINUX_INSTALLER_RPM_DIR}/libsgx-dcap-quote-verify/build/list-libsgx-dcap-quote-verify done cp -r %{?buildroot}/libsgx-dcap-quote-verify-dir/libsgx-dcap-quote-verify/* %{?buildroot}/ rm -rf %{?buildroot}/libsgx-dcap-quote-verify-dir/libsgx-dcap-quote-verify +rm -f %{DCAP_LINUX_INSTALLER_RPM_DIR}/libsgx-dcap-quote-verify/build/list-libsgx-dcap-quote-verify-devel for f in $(find 
%{?buildroot}/libsgx-dcap-quote-verify-dir/libsgx-dcap-quote-verify-dev -type f -o -type l); do echo $f | sed -e "s#%{?buildroot}/libsgx-dcap-quote-verify-dir/libsgx-dcap-quote-verify-dev##" >> %{DCAP_LINUX_INSTALLER_RPM_DIR}/libsgx-dcap-quote-verify/build/list-libsgx-dcap-quote-verify-devel done cp -r %{?buildroot}/libsgx-dcap-quote-verify-dir/libsgx-dcap-quote-verify-dev/* %{?buildroot}/ rm -rf %{?buildroot}/libsgx-dcap-quote-verify-dir/libsgx-dcap-quote-verify-dev - pushd external/dcap_source/tools/PCKRetrievalTool/installer/rpm/sgx-pck-id-retrieval-tool/build mkdir -p %{?buildroot}/sgx-pck-id-retrieval-tool-dir/ make DESTDIR=%{?buildroot}/sgx-pck-id-retrieval-tool-dir/ install @@ -571,7 +541,6 @@ sed -i 's#^/etc/rad.conf#%config &#' external/dcap_source/tools/PCKRetrievalTool cp -r %{?buildroot}/sgx-pck-id-retrieval-tool-dir/* %{?buildroot}/ rm -rf %{?buildroot}/sgx-pck-id-retrieval-tool-dir/ - source ./%{LINUX_INSTALLER_COMMON_DIR}/sgx-aesm-service/installConfig PACKAGE_NAMES[0]=${AESM_SERVICE_PACKAGE_NAME} PACKAGE_NAMES[1]=${AE_EPID_PACKAGE_NAME} @@ -730,7 +699,7 @@ find %{?buildroot}/sgx-ra-service-dir | sort | \ awk '$0 !~ last "/" {print last} {last=$0} END {print last}' | \ sed -e "s#^%{?buildroot}/sgx-ra-service-dir##" | \ grep -v "^/opt/intel/sgx-ra-service" >> %{TOOLS_INSTALLER_RPM_DIR}/sgx-ra-service/build/list-sgx-ra-service || : -sed -i 's#^/etc/rad.conf#%config &#' %{TOOLS_INSTALLER_RPM_DIR}/sgx-ra-service/build/list-sgx-ra-service +sed -i 's#^/etc/mpa_registration.conf#%config &#' %{TOOLS_INSTALLER_RPM_DIR}/sgx-ra-service/build/list-sgx-ra-service cp -r %{?buildroot}/sgx-ra-service-dir/* %{?buildroot}/ rm -rf %{?buildroot}/sgx-ra-service-dir/ @@ -749,7 +718,7 @@ rm -rf %{?buildroot}/libsgx-headers-dir/ %pre -%post -n sgx-aesm-service +%posttrans -n sgx-aesm-service if [ -x /opt/intel/sgx-aesm-service/startup.sh ]; then /opt/intel/sgx-aesm-service/startup.sh; fi %post -n libsgx-enclave-common 
@@ -762,47 +731,10 @@ trigger_udev() { } trigger_udev -%post -n sgx-dcap-pccs -PCCS_USER=pccs -PCCS_HOME=/opt/intel/sgx-dcap-pccs -if [ ! $(getent group $PCCS_USER) ]; then - groupadd $PCCS_USER -fi -if ! id "$PCCS_USER" &>/dev/null; then - adduser --system $PCCS_USER -g $PCCS_USER --home $PCCS_HOME --no-create-home --shell /bin/bash -fi -chown -R $PCCS_USER:$PCCS_USER $PCCS_HOME -chmod 640 $PCCS_HOME/config/default.json -#Install PCCS as system service -echo -n "Installing PCCS service ..." -if [ -d /run/systemd/system ]; then - PCCS_NAME=pccs.service - PCCS_TEMP=$PCCS_HOME/$PCCS_NAME - if [ -d /lib/systemd/system ]; then - PCCS_DEST=/lib/systemd/system/$PCCS_NAME - else - PCCS_DEST=/usr/lib/systemd/system/$PCCS_NAME - fi - cp $PCCS_TEMP $PCCS_DEST - chmod 0644 $PCCS_DEST - systemctl daemon-reload - systemctl enable pccs -elif [ -d /etc/init/ ]; then - PCCS_NAME=pccs.service - PCCS_TEMP=$PCCS_HOME/$PCCS_NAME - PCCS_DEST=/etc/init/$PCCS_NAME - cp $PCCS_TEMP $PCCS_DEST - chmod 0644 $PCCS_DEST - /sbin/initctl reload-configuration -else - echo " failed." - echo "Unsupported platform - neither systemctl nor initctl was found." - exit 5 -fi -echo "finished." -echo "Installation completed successfully." +%preun -n sgx-dcap-pccs +if [ $1 == 0 -a -x /opt/intel/sgx-dcap-pccs/cleanup.sh ]; then /opt/intel/sgx-dcap-pccs/cleanup.sh; fi -%post -n sgx-pck-id-retrieval-tool +%posttrans -n sgx-pck-id-retrieval-tool ################################################################################ # Set up SGX pck cert id retrieve tool # ################################################################################ 
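Review bot: The new `%preun -n sgx-dcap-pccs` runs `/opt/intel/sgx-dcap-pccs/cleanup.sh` as root from the PCCS home directory, which the scriptlet removed in this same hunk handed to the `pccs` account with `chown -R`. Whether that ownership is still applied depends on `startup.sh`, which this diff does not show; if it is, the service account could modify a script that root executes on uninstall. Keeping `startup.sh` and `cleanup.sh` root-owned and not writable by `pccs`, for example with an explicit owner and mode on their file-list entries, would rule that out. The test would also match the other scriptlets better as `if [ "$1" = "0" ] && [ -x /opt/intel/sgx-dcap-pccs/cleanup.sh ]; then`, since `==` and `-a` inside `[` are not portable and `$1` is unquoted.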
@@ -832,84 +764,13 @@ if [ -c /dev/sgx_provision -o -c /dev/sgx/provision ]; then trigger_udev fi -%post -n sgx-ra-service -################################################################################ -# Set up SGX Registration Agent # -################################################################################ - -# Generate the script to setup environment variables -MPA_DST_PATH=/opt/intel/sgx-ra-service - -# Install the MPA service - -if [ -d /run/systemd/users ]; then - MPA_NAME=mpa_registration_tool.service - MPA_TEMP=$MPA_DST_PATH/$MPA_NAME - if [ -d /lib/systemd/system ]; then - MPA_DEST=/lib/systemd/system/$MPA_NAME - else - MPA_DEST=/usr/lib/systemd/system/$MPA_NAME - fi -# sed -e "s:@mpa_folder@:$MPA_DST_PATH:" \ -# $MPA_TEMP > $MPA_DEST - chmod 0644 $MPA_DEST - systemctl enable mpa_registration_tool.service - #systemctl enable systemd-networkd-wait-online - retval=$? -elif [ -d /etc/init/ ]; then - MPA_NAME=mpa_registration_tool.conf - MPA_TEMP=$MPA_DST_PATH/$MPA_NAME - MPA_DEST=/etc/init/$MPA_NAME - sed -e "s:@mpa_folder@:$MPA_DST_PATH:" \ - $MPA_TEMP > $MPA_DEST - chmod 0644 $MPA_DEST - /sbin/initctl reload-configuration - - retval=$? -else - echo "Failed." - echo "Unsupported platform - neither systemctl nor initctl is no found." - exit 5 -fi - -if test $retval -ne 0; then - echo "failed to install $MPA_NAME." - exit 6 -fi - -#Removing config files from temporary location -rm -f $MPA_DST_PATH/mpa_registration_tool.conf -rm -f $MPA_DST_PATH/mpa_registration_tool.service - -echo -e "Installation succeed!" 
- -#Run service -systemctl start mpa_registration_tool.service - -%postun -n sgx-ra-service +%preun -n sgx-ra-service if [ "$1" = "0" ]; then - # Generate the script to setup environment variables - MPA_DST_PATH=/opt/intel/sgx-ra-service - - # Disable service - if [ -d /run/systemd/users ]; then - systemctl disable mpa_registration_tool.service - fi - - # Removing MPA configuration file - rm -f /etc/init/mpa_registration_tool.conf - rm -f /lib/systemd/system/mpa_registration_tool.service - rm -f /usr/lib/systemd/system/mpa_registration_tool.service - rm -f /etc/systemd/system/mpa_registration_tool.service - - # Removing MPA folder - rm -rf $MPA_DST_PATH - - #Removing log file - rm -f /var/log/mpa_registration.log + if [ -x /opt/intel/sgx-ra-service/cleanup.sh ]; then /opt/intel/sgx-ra-service/cleanup.sh; fi fi -echo -e "Uninstallation succeed!" +%posttrans -n sgx-ra-service +if [ -x /opt/intel/sgx-ra-service/startup.sh ]; then /opt/intel/sgx-ra-service/startup.sh; fi %postun -n sgx-pck-id-retrieval-tool # Removing SGX_PCK_ID_RETRIEVE_TOOL soft link file 
@@ -924,34 +785,8 @@ if [ "$1" = "0" ]; then if [ -x /opt/intel/sgx-aesm-service/cleanup.sh ]; then /opt/intel/sgx-aesm-service/cleanup.sh; fi fi -%postun -n sgx-dcap-pccs -if [ $1 == 0 ]; then - echo -n "Uninstalling PCCS service ..." - if [ -d /run/systemd/system ]; then - PCCS_NAME=pccs.service - if [ -d /lib/systemd/system ]; then - PCCS_DEST=/lib/systemd/system/$PCCS_NAME - else - PCCS_DEST=/usr/lib/systemd/system/$PCCS_NAME - fi - systemctl stop pccs || true - systemctl disable pccs || true - rm $PCCS_DEST || true - systemctl daemon-reload - elif [ -d /etc/init/ ]; then - PCCS_NAME=pccs.service - PCCS_DEST=/etc/init/$PCCS_NAME - rm $PCCS_DEST || true - /sbin/initctl reload-configuration - fi - echo "finished." - - if [ -d %{_install_path} ]; then - pushd %{_install_path} &> /dev/null - rm -rf node_modules || true - popd &> /dev/null - fi -fi +%post -n sgx-dcap-pccs +if [ -x /opt/intel/sgx-dcap-pccs/startup.sh ]; then /opt/intel/sgx-dcap-pccs/startup.sh; fi %files -n sgxsdk -f %{LINUX_INSTALLER_RPM_DIR}/sdk/build/list-sgxsdk @@ -1032,6 +867,9 @@ fi %files -n libsgx-headers -f %{LINUX_INSTALLER_RPM_DIR}/libsgx-headers/build/list-libsgx-headers %changelog +* Mon Feb 06 2023 wangyu - 2.18.1-1 +- Upgrade to 2.18.1 + * Thu Feb 02 2023 wangyu - 2.15.1-9 - Add ocaml and compat-openssl11-devel to build require diff --git a/openssl-1.1.1l.tar.gz b/openssl-1.1.1q.tar.gz similarity index 54% rename from openssl-1.1.1l.tar.gz rename to openssl-1.1.1q.tar.gz index c8e2e0b..d4ec2dd 100644 Binary files a/openssl-1.1.1l.tar.gz and b/openssl-1.1.1q.tar.gz differ diff --git a/optimized_libs_2.15.1.tar.gz b/optimized_libs_2.18.1.tar.gz similarity index 72% rename from optimized_libs_2.15.1.tar.gz rename to optimized_libs_2.18.1.tar.gz index 0cde057..f6be8bc 100644 Binary files a/optimized_libs_2.15.1.tar.gz and b/optimized_libs_2.18.1.tar.gz differ 
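Review bot: With the new `%post -n sgx-dcap-pccs`, creating the `pccs` user and group and setting `chmod 640` on `config/default.json` now rest entirely on `startup.sh`, which is not part of this diff. They also depend on the script being present and executable: if the `-x` test fails, the scriptlet does nothing and reports nothing. It is worth confirming that `startup.sh` still restricts `default.json`, or recording the mode in the package's file list so it does not depend on a scriptlet having run. This is also the only service scriptlet left on `%post` while sgx-aesm-service, sgx-pck-id-retrieval-tool and sgx-ra-service moved to `%posttrans`; a short comment saying why would help the next maintainer.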
diff --git a/prebuilt_ae_2.15.1.tar.gz b/prebuilt_ae_2.15.1.tar.gz deleted file mode 100644 index eb555bb..0000000 Binary files a/prebuilt_ae_2.15.1.tar.gz and /dev/null differ diff --git a/prebuilt_ae_2.18.1.tar.gz b/prebuilt_ae_2.18.1.tar.gz new file mode 100644 index 0000000..152f2aa Binary files /dev/null and b/prebuilt_ae_2.18.1.tar.gz differ diff --git a/prebuilt_dcap_1.15.tar.gz b/prebuilt_dcap_1.15.tar.gz new file mode 100644 index 0000000..28c220c Binary files /dev/null and b/prebuilt_dcap_1.15.tar.gz differ diff --git a/prebuilt_dcap_1.9.tar.gz b/prebuilt_dcap_1.9.tar.gz deleted file mode 100644 index 2b706a3..0000000 Binary files a/prebuilt_dcap_1.9.tar.gz and /dev/null differ diff --git a/protobuf_code.tar.gz b/protobuf_code.tar.gz deleted file mode 100644 index 9eccf31..0000000 Binary files a/protobuf_code.tar.gz and /dev/null differ diff --git a/sgx-emm-1.0.0.tar.gz b/sgx-emm-1.0.0.tar.gz new file mode 100644 index 0000000..4216174 Binary files /dev/null and b/sgx-emm-1.0.0.tar.gz differ diff --git a/sgx_2.15.1.tar.gz b/sgx_2.15.1.tar.gz deleted file mode 100644 index 4a929d4..0000000 Binary files a/sgx_2.15.1.tar.gz and /dev/null differ diff --git a/sgx_2.18.1.tar.gz b/sgx_2.18.1.tar.gz new file mode 100644 index 0000000..d443f26 Binary files /dev/null and b/sgx_2.18.1.tar.gz differ diff --git a/v3.20.1.tar.gz b/v3.20.1.tar.gz new file mode 100644 index 0000000..b707911 Binary files /dev/null and b/v3.20.1.tar.gz differ