diff --git a/add-secure-compilation-options.patch b/add-secure-compilation-options.patch new file mode 100644 index 0000000000000000000000000000000000000000..c75bad9397917b0a7375cc56c7b659d5ee9661ad --- /dev/null +++ b/add-secure-compilation-options.patch @@ -0,0 +1,179 @@ +From 89a45f1ce701e168dcab9fa0dadec533eff11d6b Mon Sep 17 00:00:00 2001 +From: houmingyong +Date: Mon, 30 May 2022 19:18:21 +0800 +Subject: [PATCH] add-secure-compilation-options + +--- + external/ippcp_internal/Makefile | 22 +------------------ + .../ippcp_internal/ipp-crypto/CMakeLists.txt | 3 +++ + .../sources/cmake/linux/GNU8.2.0.cmake | 2 +- + .../ippcp/crypto_mb/src/cmake/linux/GNU.cmake | 2 +- + .../openmp/openmp_code/final/CMakeLists.txt | 2 ++ + .../protobuf_code/cmake/CMakeLists.txt | 2 ++ + .../protobuf_code/cmake/install.cmake | 7 ------ + .../le_launch_service_bundle/CMakeLists.txt | 2 +- + .../source/core/ipc/CMakeLists.txt | 1 + + .../aesm_service/source/utils/CMakeLists.txt | 2 +- + 10 files changed, 13 insertions(+), 32 deletions(-) + +diff --git a/external/ippcp_internal/Makefile b/external/ippcp_internal/Makefile +index 96187ed..7b5ef26 100644 +--- a/external/ippcp_internal/Makefile ++++ b/external/ippcp_internal/Makefile +@@ -64,16 +64,6 @@ OUT_DIR = lib/linux/$(ARCH)/$(SUB_DIR)/ + PATCH_LOG = $(shell cd ./$(IPP_SOURCE) && git log --oneline --grep='IPP crypto for SGX.' | cut -d' ' -f 5) + CHECK_PATCHED := + +-CHECK_SOURCE := +-# For reproducibility build in docker, the code should be +-# prepared before build. So skip the code check to avoid +-# triggering network request +-ifneq ($(origin NIX_PATH), environment) +-ifneq ($(PATCH_LOG), SGX.) +-CHECK_SOURCE:= ipp_source +-endif +-endif +- + .PHONY: all build_ipp + all: build_ipp + # copy the built out lib, header files and license to the target folder +@@ -84,19 +74,9 @@ all: build_ipp + $(MKDIR) license + $(CP) ipp-crypto/LICENSE ./license/ + +-build_ipp: $(CHECK_SOURCE) ++build_ipp: + cd $(IPP_SOURCE) && $(PRE_CONFIG) cmake CMakeLists.txt $(IPP_CONFIG) && cd build && make ippcp_s + +-.PHONY: ipp_source +-ipp_source: +-ifeq ($(shell git rev-parse --is-inside-work-tree), true) +- git submodule update -f --init --recursive --remote -- $(IPP_SOURCE) +-else +- $(RM) -rf $(IPP_SOURCE) +- git clone -b ippcp_2021.3 https://github.com/intel/ipp-crypto.git --depth 1 $(IPP_SOURCE) +-endif +- cd $(IPP_SOURCE) && git am ../0001-IPP-crypto-for-SGX.patch +- + .PHONY: clean + clean: + $(RM) -rf ipp-crypto/build +diff --git a/external/ippcp_internal/ipp-crypto/CMakeLists.txt b/external/ippcp_internal/ipp-crypto/CMakeLists.txt +index f750c7b..6b1eef3 100644 +--- a/external/ippcp_internal/ipp-crypto/CMakeLists.txt ++++ b/external/ippcp_internal/ipp-crypto/CMakeLists.txt +@@ -20,6 +20,9 @@ + + cmake_minimum_required(VERSION 3.12) + ++set(SGX_PROGRAM_SEARCH_PATH) ++LIST(APPEND CMAKE_PROGRAM_PATH "/usr/local/bin/" ${SGX_PROGRAM_SEARCH_PATH} ...) ++ + include("${CMAKE_CURRENT_SOURCE_DIR}/sources/cmake/ippcp-utils.cmake") + ippcp_getlibversion("${CMAKE_CURRENT_SOURCE_DIR}/include/ippversion.h") + if ((NOT DEFINED IPPCP_VERSION_MAJOR) OR +diff --git a/external/ippcp_internal/ipp-crypto/sources/cmake/linux/GNU8.2.0.cmake b/external/ippcp_internal/ipp-crypto/sources/cmake/linux/GNU8.2.0.cmake +index 24d7e0f..a137ee6 100644 +--- a/external/ippcp_internal/ipp-crypto/sources/cmake/linux/GNU8.2.0.cmake ++++ b/external/ippcp_internal/ipp-crypto/sources/cmake/linux/GNU8.2.0.cmake +@@ -70,7 +70,7 @@ set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -flto-report") + set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -std=c99") + if ((${ARCH} MATCHES "ia32") OR (NOT NONPIC_LIB)) + # Stack-based Buffer Overrun Detection (only when not nonpic intel64) +- set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -fstack-protector") ++ set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -fstack-protector-strong") + endif() + + # Security flag that adds compile-time and run-time checks +diff --git a/external/ippcp_internal/ipp-crypto/sources/ippcp/crypto_mb/src/cmake/linux/GNU.cmake b/external/ippcp_internal/ipp-crypto/sources/ippcp/crypto_mb/src/cmake/linux/GNU.cmake +index 5d148a1..0c33a20 100644 +--- a/external/ippcp_internal/ipp-crypto/sources/ippcp/crypto_mb/src/cmake/linux/GNU.cmake ++++ b/external/ippcp_internal/ipp-crypto/sources/ippcp/crypto_mb/src/cmake/linux/GNU.cmake +@@ -34,7 +34,7 @@ if(${CMAKE_BUILD_TYPE} STREQUAL "Release") + endif() + + # Stack-based Buffer Overrun Detection +-set(CMAKE_C_FLAGS_SECURITY "${CMAKE_C_FLAGS_SECURITY} -fstack-protector") ++set(CMAKE_C_FLAGS_SECURITY "${CMAKE_C_FLAGS_SECURITY} -fstack-protector-strong") + # Stack-based Buffer Overrun Detection + set(CMAKE_C_FLAGS_SECURITY "${CMAKE_C_FLAGS_SECURITY} -fstack-clash-protection") + # Position Independent Execution (PIE) +diff --git a/external/openmp/openmp_code/final/CMakeLists.txt b/external/openmp/openmp_code/final/CMakeLists.txt +index 597eedc..00ee39e 100644 +--- a/external/openmp/openmp_code/final/CMakeLists.txt ++++ b/external/openmp/openmp_code/final/CMakeLists.txt +@@ -1,5 +1,7 @@ + cmake_minimum_required(VERSION 2.8 FATAL_ERROR) + ++add_compile_options(-fstack-protector-strong -O2 -D_FORTIFY_SOURCE=2) ++ + # Add cmake directory to search for custom cmake functions. + set(CMAKE_MODULE_PATH ${CMAKE_CURRENT_SOURCE_DIR}/cmake ${CMAKE_MODULE_PATH}) + +diff --git a/external/protobuf/protobuf_code/cmake/CMakeLists.txt b/external/protobuf/protobuf_code/cmake/CMakeLists.txt +index 52661f5..ec0b64f 100644 +--- a/external/protobuf/protobuf_code/cmake/CMakeLists.txt ++++ b/external/protobuf/protobuf_code/cmake/CMakeLists.txt +@@ -1,6 +1,8 @@ + # Minimum CMake required + cmake_minimum_required(VERSION 3.1.3) + ++add_compile_options(-fstack-protector-strong -O2 -D_FORTIFY_SOURCE=2) ++ + if(protobuf_VERBOSE) + message(STATUS "Protocol Buffers Configuring...") + endif() +diff --git a/external/protobuf/protobuf_code/cmake/install.cmake b/external/protobuf/protobuf_code/cmake/install.cmake +index 4091bc8..8e12831 100644 +--- a/external/protobuf/protobuf_code/cmake/install.cmake ++++ b/external/protobuf/protobuf_code/cmake/install.cmake +@@ -31,13 +31,6 @@ endforeach() + if (protobuf_BUILD_PROTOC_BINARIES) + install(TARGETS protoc EXPORT protobuf-targets + RUNTIME DESTINATION ${CMAKE_INSTALL_BINDIR} COMPONENT protoc) +- if (UNIX AND NOT APPLE) +- set_property(TARGET protoc +- PROPERTY INSTALL_RPATH "$ORIGIN/../${CMAKE_INSTALL_LIBDIR}") +- elseif (APPLE) +- set_property(TARGET protoc +- PROPERTY INSTALL_RPATH "@loader_path/../lib") +- endif() + endif (protobuf_BUILD_PROTOC_BINARIES) + + install(FILES ${CMAKE_CURRENT_BINARY_DIR}/protobuf.pc ${CMAKE_CURRENT_BINARY_DIR}/protobuf-lite.pc DESTINATION "${CMAKE_INSTALL_LIBDIR}/pkgconfig") +diff --git a/psw/ae/aesm_service/source/bundles/le_launch_service_bundle/CMakeLists.txt b/psw/ae/aesm_service/source/bundles/le_launch_service_bundle/CMakeLists.txt +index 9f3aba8..87f6582 100644 +--- a/psw/ae/aesm_service/source/bundles/le_launch_service_bundle/CMakeLists.txt ++++ b/psw/ae/aesm_service/source/bundles/le_launch_service_bundle/CMakeLists.txt +@@ -28,4 +28,4 @@ add_custom_command( + ) + + target_link_libraries(${bundle} oal utils urts_internal) +-set_property(TARGET ${bundle} APPEND_STRING PROPERTY LINK_FLAGS " -Wl,-z,defs") ++set_property(TARGET ${bundle} APPEND_STRING PROPERTY LINK_FLAGS " -Wl,-z,defs -O2 -D_FORTIFY_SOURCE=2") +diff --git a/psw/ae/aesm_service/source/core/ipc/CMakeLists.txt b/psw/ae/aesm_service/source/core/ipc/CMakeLists.txt +index f233595..72e9246 100644 +--- a/psw/ae/aesm_service/source/core/ipc/CMakeLists.txt ++++ b/psw/ae/aesm_service/source/core/ipc/CMakeLists.txt +@@ -25,4 +25,5 @@ target_link_libraries(ipc + PUBLIC + ${PROTOBUF_LIBRARIES} + ) ++set_property(TARGET ipc APPEND_STRING PROPERTY LINK_FLAGS " -O2 -D_FORTIFY_SOURCE=2") + +diff --git a/psw/ae/aesm_service/source/utils/CMakeLists.txt b/psw/ae/aesm_service/source/utils/CMakeLists.txt +index 77aac37..6d17c19 100644 +--- a/psw/ae/aesm_service/source/utils/CMakeLists.txt ++++ b/psw/ae/aesm_service/source/utils/CMakeLists.txt +@@ -25,7 +25,7 @@ target_compile_definitions(utils PRIVATE + $<$:DBG_LOG> + ) + +-set_property(TARGET utils APPEND_STRING PROPERTY LINK_FLAGS " -Wl,-z,defs") ++set_property(TARGET utils APPEND_STRING PROPERTY LINK_FLAGS " -Wl,-z,defs -O2 -D_FORTIFY_SOURCE=2") + + target_link_libraries(utils + ${OPENSSL_LIBRARIES} +-- +2.27.0 + diff --git a/linux-sgx.spec b/linux-sgx.spec index 18896e01ddf0174d15414f5872e5415d70057210..e8f25391cbcf90d6611dce7f01cc00d1baef86e2 100644 --- a/linux-sgx.spec +++ b/linux-sgx.spec @@ -1,6 +1,6 @@ Name: linux-sgx Version: 2.15.1 -Release: 1 +Release: 2 Summary: Intel(R) Software Guard Extensions for Linux* OS ExclusiveArch: x86_64 License: BSD-3-Clause @@ -20,8 +20,9 @@ Source11: https://github.com/intel/intel-sgx-ssl/archive/refs/tags/intel-s Patch0: 0001-disable-the-download-process-in-building.patch Patch1: 0002-fix-building-error-for-systemd.patch +Patch2: add-secure-compilation-options.patch -BuildRequires: gcc-c++ protobuf-devel libtool ocaml-ocamlbuild openssl openssl-devel cmake python curl-devel createrepo_c git +BuildRequires: gcc-c++ protobuf-devel libtool ocaml-ocamlbuild openssl openssl-devel cmake python curl-devel createrepo_c git nasm Requires: glibc @@ -264,6 +265,7 @@ Intel(R) Software Guard Extensions Basic Headers %%patch0 -p1 %%patch1 -p1 +%%patch2 -p1 %build @@ -283,6 +285,8 @@ mv oneDNN-2.5/{.[!.],}* . rm -rf oneDNN-2.5 popd +make -j -C external/ippcp_internal/ + make -j2 sdk_install_pkg_no_mitigation linux/installer/bin/sgx_linux_x64_sdk_2.15.101.1.bin --prefix=./ source ./sgxsdk/environment @@ -1017,5 +1021,8 @@ fi %files -n libsgx-headers -f %{LINUX_INSTALLER_RPM_DIR}/libsgx-headers/build/list-libsgx-headers %changelog +* Mon May 30 2022 houmingyong - 2.15.1-2 +- add secure compilation options + * Thu Dec 9 2021 wangcheng - 2.15.1-1 - init