diff --git a/0001-disable-the-download-process-in-building.patch b/0001-disable-the-download-process-in-building.patch index 7d8103d25c2e9be858444754ace8f908df207188..cec651f84c7521f4df7ef6f40773026360a12689 100644 --- a/0001-disable-the-download-process-in-building.patch +++ b/0001-disable-the-download-process-in-building.patch @@ -1,15 +1,16 @@ -From d046801c2a6eee21fbf6018ce43588e3fe79a045 Mon Sep 17 00:00:00 2001 +From 182690045036bfc425e3a38384691cbf42ccc006 Mon Sep 17 00:00:00 2001 From: wangcheng Date: Thu, 16 Dec 2021 04:51:21 +0000 Subject: [PATCH] disable the download process in building +Signed-off-by: zhoushuiqing --- Makefile | 8 +-- .../QuoteVerification/prepare_sgxssl.sh | 62 +++++++++---------- 2 files changed, 35 insertions(+), 35 deletions(-) diff --git a/Makefile b/Makefile -index 34d43bad..072c5dd2 100644 +index 8bd287c..7f91fa3 100644 --- a/Makefile +++ b/Makefile @@ -50,14 +50,14 @@ tips: @@ -32,13 +33,13 @@ index 34d43bad..072c5dd2 100644 psw: $(MAKE) -C psw/ USE_OPT_LIBS=$(USE_OPT_LIBS) diff --git a/external/dcap_source/QuoteVerification/prepare_sgxssl.sh b/external/dcap_source/QuoteVerification/prepare_sgxssl.sh -index 8a3c9e46..f490a2b7 100755 +index 60ff2b1..5e44288 100755 --- a/external/dcap_source/QuoteVerification/prepare_sgxssl.sh +++ b/external/dcap_source/QuoteVerification/prepare_sgxssl.sh @@ -44,37 +44,37 @@ full_openssl_url_old=$server_url_path/old/1.1.1/$openssl_ver_name.tar.gz - sgxssl_chksum=6c33d2178b6b01bdbb1f97804ae14aec13544b0cb45902a0906c20ef7b4032bc - openssl_chksum=d7939ce614029cdff0b6c20f0e2e5703158a489a72b2507b8bd51bf8c8fd10ca + sgxssl_chksum=bff5a9059911846e27447acb402c4690346abf46da8e1c26b66d406e8abb1588 + openssl_chksum=8dee9b24bdb1dcbf0c3d1e9b02fb8f6bf22165e807f45adeb7c9677536859d3b -rm -f check_sum_sgxssl.txt check_sum_openssl.txt -if [ ! -f $build_script ]; then - wget $sgxssl_github_archive/$sgxssl_file_name.zip -P $sgxssl_dir/ || exit 1 
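Review bot: The refreshed `sgxssl_chksum` and `openssl_chksum` values in the prepare_sgxssl.sh context are never compared against anything, because the `sha256sum`/`grep` lines that consume them are among the lines this patch comments out (the commented block continues in the next hunk). With the download disabled, the script builds from whatever pre-staged archives are present without an integrity check of its own; whether the spec verifies the bundled tarballs elsewhere is not visible here. Consider dropping only the `wget` and keeping the verification, for example `echo "$openssl_chksum  $openssl_out_dir/$openssl_ver_name.tar.gz" | sha256sum -c - || exit 1`, assuming the bundled OpenSSL archive is the unmodified upstream tarball; the sgxssl archive would need an equivalent check in whatever form it is shipped. The commented-out `nobuild` early exit also means `prepare_sgxssl.sh nobuild` now falls through to `make clean sgxssl_no_mitigation`, which deserves a line in the patch description if it is intended.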
@@ -70,40 +71,40 @@ index 8a3c9e46..f490a2b7 100755 -if [ "$1" = "nobuild" ]; then - exit 0 -fi -+#rm -f check_sum_sgxssl.txt check_sum_openssl.txt -+#if [ ! -f $build_script ]; then -+# wget $sgxssl_github_archive/$sgxssl_file_name.zip -P $sgxssl_dir/ || exit 1 -+# sha256sum $sgxssl_dir/$sgxssl_file_name.zip > $sgxssl_dir/check_sum_sgxssl.txt -+# grep $sgxssl_chksum $sgxssl_dir/check_sum_sgxssl.txt -+# if [ $? -ne 0 ]; then -+# echo "File $sgxssl_dir/$sgxssl_file_name.zip checksum failure" -+# rm -f $sgxssl_dir/$sgxssl_file_name.zip -+# exit -1 -+# fi -+# unzip -qq $sgxssl_dir/$sgxssl_file_name.zip -d $sgxssl_dir/ || exit 1 -+# mv $sgxssl_dir/intel-sgx-ssl-$sgxssl_file_name/* $sgxssl_dir/ || exit 1 -+# rm $sgxssl_dir/$sgxssl_file_name.zip || exit 1 -+# rm -rf $sgxssl_dir/intel-sgx-ssl-$sgxssl_file_name || exit 1 -+#fi ++# rm -f check_sum_sgxssl.txt check_sum_openssl.txt ++# if [ ! -f $build_script ]; then ++# wget $sgxssl_github_archive/$sgxssl_file_name.zip -P $sgxssl_dir/ || exit 1 ++# sha256sum $sgxssl_dir/$sgxssl_file_name.zip > $sgxssl_dir/check_sum_sgxssl.txt ++# grep $sgxssl_chksum $sgxssl_dir/check_sum_sgxssl.txt ++# if [ $? -ne 0 ]; then ++# echo "File $sgxssl_dir/$sgxssl_file_name.zip checksum failure" ++# rm -f $sgxssl_dir/$sgxssl_file_name.zip ++# exit -1 ++# fi ++# unzip -qq $sgxssl_dir/$sgxssl_file_name.zip -d $sgxssl_dir/ || exit 1 ++# mv $sgxssl_dir/intel-sgx-ssl-$sgxssl_file_name/* $sgxssl_dir/ || exit 1 ++# rm $sgxssl_dir/$sgxssl_file_name.zip || exit 1 ++# rm -rf $sgxssl_dir/intel-sgx-ssl-$sgxssl_file_name || exit 1 ++# fi +# -+#if [ ! -f $openssl_out_dir/$openssl_ver_name.tar.gz ]; then -+# wget $full_openssl_url_old -P $openssl_out_dir || wget $full_openssl_url -P $openssl_out_dir || exit 1 -+# sha256sum $openssl_out_dir/$openssl_ver_name.tar.gz > $sgxssl_dir/check_sum_openssl.txt -+# grep $openssl_chksum $sgxssl_dir/check_sum_openssl.txt -+# if [ $? 
-ne 0 ]; then -+# echo "File $openssl_out_dir/$openssl_ver_name.tar.gz checksum failure" -+# rm -f $openssl_out_dir/$openssl_ver_name.tar.gz -+# exit -1 -+# fi -+#fi ++# if [ ! -f $openssl_out_dir/$openssl_ver_name.tar.gz ]; then ++# wget $full_openssl_url_old -P $openssl_out_dir || wget $full_openssl_url -P $openssl_out_dir || exit 1 ++# sha256sum $openssl_out_dir/$openssl_ver_name.tar.gz > $sgxssl_dir/check_sum_openssl.txt ++# grep $openssl_chksum $sgxssl_dir/check_sum_openssl.txt ++# if [ $? -ne 0 ]; then ++# echo "File $openssl_out_dir/$openssl_ver_name.tar.gz checksum failure" ++# rm -f $openssl_out_dir/$openssl_ver_name.tar.gz ++# exit -1 ++# fi ++# fi +# +# -+#if [ "$1" = "nobuild" ]; then -+# exit 0 -+#fi ++# if [ "$1" = "nobuild" ]; then ++# exit 0 ++# fi pushd $sgxssl_dir/Linux/ make clean sgxssl_no_mitigation -- -2.27.0 +2.33.0 diff --git a/add-secure-compilation-options.patch b/0003-add-secure-compilation-options.patch similarity index 92% rename from add-secure-compilation-options.patch rename to 0003-add-secure-compilation-options.patch index a9279ecb6412e0065ba0d90847e4a8da468f73ad..ddd85bf630c44c49a778a6424ca8bcce9c03a3f4 100644 --- a/add-secure-compilation-options.patch +++ b/0003-add-secure-compilation-options.patch @@ -3,8 +3,9 @@ From: houmingyong Date: Mon, 30 May 2022 19:18:21 +0800 Subject: [PATCH] add-secure-compilation-options +Signed-off-by: zhoushuiqing --- - external/ippcp_internal/Makefile | 22 +------------------ + external/ippcp_internal/Makefile | 20 +------------------ .../ippcp_internal/ipp-crypto/CMakeLists.txt | 3 +++ .../sources/cmake/linux/GNU8.2.0.cmake | 2 +- .../ippcp/crypto_mb/src/cmake/linux/GNU.cmake | 2 +- @@ -14,30 +15,28 @@ Subject: [PATCH] add-secure-compilation-options .../le_launch_service_bundle/CMakeLists.txt | 2 +- .../source/core/ipc/CMakeLists.txt | 1 + .../aesm_service/source/utils/CMakeLists.txt | 2 +- - 10 files changed, 13 insertions(+), 32 deletions(-) + 10 files changed, 13 insertions(+), 30 deletions(-) 
diff --git a/external/ippcp_internal/Makefile b/external/ippcp_internal/Makefile index 96187ed..7b5ef26 100644 --- a/external/ippcp_internal/Makefile +++ b/external/ippcp_internal/Makefile -@@ -64,16 +64,6 @@ OUT_DIR = lib/linux/$(ARCH)/$(SUB_DIR)/ - PATCH_LOG = $(shell cd ./$(IPP_SOURCE) && git log --oneline --grep='IPP crypto for SGX.' | cut -d' ' -f 5) - CHECK_PATCHED := +@@ -61,14 +61,6 @@ else ifeq ($(MITIGATION-CVE-2020-0551), CF) + endif + OUT_DIR = lib/linux/$(ARCH)/$(SUB_DIR)/ -CHECK_SOURCE := --# For reproducibility build in docker, the code should be +-# For reproducibility build in docker, the code should be -# prepared before build. So skip the code check to avoid --# triggering network request +-# triggering network request -ifneq ($(origin NIX_STORE), environment) --ifneq ($(PATCH_LOG), SGX.) --CHECK_SOURCE:= ipp_source --endif +-CHECK_SOURCE:= $(IPP_SOURCE)/build -endif - .PHONY: all build_ipp all: build_ipp # copy the built out lib, header files and license to the target folder -@@ -84,19 +74,9 @@ all: build_ipp +@@ -79,19 +71,9 @@ all: build_ipp $(MKDIR) license $(CP) ipp-crypto/LICENSE ./license/ @@ -45,19 +44,19 @@ index 96187ed..7b5ef26 100644 +build_ipp: cd $(IPP_SOURCE) && $(PRE_CONFIG) cmake CMakeLists.txt $(IPP_CONFIG) && cd build && make ippcp_s --.PHONY: ipp_source --ipp_source: +-$(IPP_SOURCE)/build: -ifeq ($(shell git rev-parse --is-inside-work-tree), true) - git submodule update -f --init --recursive --remote -- $(IPP_SOURCE) -else - $(RM) -rf $(IPP_SOURCE) - git clone -b ippcp_2021.3 https://github.com/intel/ipp-crypto.git --depth 1 $(IPP_SOURCE) -endif -- cd $(IPP_SOURCE) && git am ../0001-IPP-crypto-for-SGX.patch +- cd $(IPP_SOURCE) && git apply ../0001-IPP-crypto-for-SGX.patch +- mkdir -p $(IPP_SOURCE)/build - .PHONY: clean clean: - $(RM) -rf ipp-crypto/build + $(RM) -rf ipp-crypto/build/* diff --git a/external/ippcp_internal/ipp-crypto/CMakeLists.txt b/external/ippcp_internal/ipp-crypto/CMakeLists.txt index f750c7b..6b1eef3 100644 
--- a/external/ippcp_internal/ipp-crypto/CMakeLists.txt diff --git a/adapt-openssl-CVE.patch b/0004-adapt-openssl-CVE.patch similarity index 100% rename from adapt-openssl-CVE.patch rename to 0004-adapt-openssl-CVE.patch diff --git a/DCAP-disabling-the-rpatch-option.patch b/0005-DCAP-disabling-the-rpatch-option.patch similarity index 100% rename from DCAP-disabling-the-rpatch-option.patch rename to 0005-DCAP-disabling-the-rpatch-option.patch diff --git a/0006-fix-build-error.patch b/0006-fix-build-error.patch new file mode 100644 index 0000000000000000000000000000000000000000..64f76a4b74e9344596744e6a54f24a6a4dfc8b59 --- /dev/null +++ b/0006-fix-build-error.patch @@ -0,0 +1,39 @@ +From 101b2e8f1db12fc04070daea351247fc7c990683 Mon Sep 17 00:00:00 2001 +From: zhoushuiqing +Date: Fri, 21 Jul 2023 20:40:27 +0800 +Subject: [PATCH] fix-build-error + +Signed-off-by: zhoushuiqing +--- + external/ippcp_internal/ipp-crypto/sources/ippcp/pcptool.h | 6 ++++++ + 1 file changed, 6 insertions(+) + +diff --git a/external/ippcp_internal/ipp-crypto/sources/ippcp/pcptool.h b/external/ippcp_internal/ipp-crypto/sources/ippcp/pcptool.h +index 01f15907..44ab7bac 100644 +--- a/external/ippcp_internal/ipp-crypto/sources/ippcp/pcptool.h ++++ b/external/ippcp_internal/ipp-crypto/sources/ippcp/pcptool.h +@@ -38,7 +38,10 @@ __INLINE void CopyBlock(const void* pSrc, void* pDst, cpSize numBytes) + Ipp8u* d = (Ipp8u*)pDst; + cpSize k; + for(k=0; k=_IPP_W7) || (_IPP32E>=_IPP32E_M7)) +-- +2.33.0 + diff --git a/DCAP_1.15.tar.gz b/DCAP_1.16.tar.gz similarity index 51% rename from DCAP_1.15.tar.gz rename to DCAP_1.16.tar.gz index 0d4bf9d8a308febab4ecefd687369e9f1ce91f5e..3aedff1ba312d922d5a21a93cb23ef8dd8dba36a 100644 Binary files a/DCAP_1.15.tar.gz and b/DCAP_1.16.tar.gz differ 
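Review bot: The new 0006 patch carries only the subject `fix-build-error` and a sign-off, so nothing records which diagnostic or toolchain it addresses or why the six added lines in pcptool.h leave behaviour unchanged. The visible hunk edits the byte-copy loop of `CopyBlock`, a helper inside the bundled ipp-crypto sources, where a change made to satisfy the compiler should be reviewable against the original loop. Add a short body to the patch header, along the lines of `Fix <diagnostic> in CopyBlock when building with <compiler version>; no functional change`, and state whether the fix is taken from upstream ipp-crypto. The hunk text on this page is truncated, so the added lines themselves could not be checked.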
diff --git a/lin_2.18_1.1.1q.tar.gz b/lin_2.18_1.1.1q.tar.gz deleted file mode 100644 index ae7784471f781827b4d7e0cb1c85e484bf543c72..0000000000000000000000000000000000000000 Binary files a/lin_2.18_1.1.1q.tar.gz and /dev/null differ diff --git a/lin_2.19_1.1.1t.tar.gz b/lin_2.19_1.1.1t.tar.gz new file mode 100644 index 0000000000000000000000000000000000000000..888991e33c559214cf076ca9cb4485e10c0d3770 Binary files /dev/null and b/lin_2.19_1.1.1t.tar.gz differ diff --git a/linux-sgx.spec b/linux-sgx.spec index 26e0afaa4c52ac61714c8f4eab4ede200110f282..1b216adeffa8b61ef6b3cfd86143e852dd212b0c 100644 --- a/linux-sgx.spec +++ b/linux-sgx.spec @@ -1,15 +1,15 @@ Name: linux-sgx -Version: 2.18.1 +Version: 2.19 Release: 1 Summary: Intel(R) Software Guard Extensions for Linux* OS ExclusiveArch: x86_64 License: BSD-3-Clause URL: https://github.com/intel/linux-sgx -%define DCAP_version 1.15 +%define DCAP_version 1.16 %define protobuf_version 3.20.1 -%define openssl_version 1.1.1q -%define intel_sgx_ssl_version 2.18 +%define openssl_version 1.1.1t +%define intel_sgx_ssl_version 2.19 %define sgx_emm_version 1.0.0 Source0: https://github.com/intel/linux-sgx/archive/refs/tags/sgx_%{version}.tar.gz @@ -27,9 +27,10 @@ Source11: https://github.com/intel/sgx-emm/archive/refs/tags/sgx-emm-%{sgx Patch0: 0001-disable-the-download-process-in-building.patch Patch1: 0002-fix-building-error-for-systemd.patch -Patch2: add-secure-compilation-options.patch -Patch3: adapt-openssl-CVE.patch -Patch4: DCAP-disabling-the-rpatch-option.patch +Patch2: 0003-add-secure-compilation-options.patch +Patch3: 0004-adapt-openssl-CVE.patch +Patch4: 0005-DCAP-disabling-the-rpatch-option.patch +Patch5: 0006-fix-build-error.patch BuildRequires: gcc-c++ protobuf-devel libtool ocaml ocaml-ocamlbuild compat-openssl11-devel cmake python curl-devel createrepo_c git nasm BuildRequires: protobuf-lite-devel protobuf-c-devel boost-devel 
@@ -311,7 +312,7 @@ make preparation make -j -C external/ippcp_internal/ make -j2 sdk_install_pkg_no_mitigation -./linux/installer/bin/sgx_linux_x64_sdk_2.18.101.1.bin --prefix=./ +./linux/installer/bin/sgx_linux_x64_sdk_2.19.100.3.bin --prefix=./ source ./sgxsdk/environment make psw @@ -867,6 +868,9 @@ if [ -x /opt/intel/sgx-dcap-pccs/startup.sh ]; then /opt/intel/sgx-dcap-pccs/sta %files -n libsgx-headers -f %{LINUX_INSTALLER_RPM_DIR}/libsgx-headers/build/list-libsgx-headers %changelog +* Sat Jul 22 2023 zhoushuiqing - 2.19-1 +- Upgrade to 2.19 + * Mon Feb 06 2023 wangyu - 2.18.1-1 - Upgrade to 2.18.1 diff --git a/openssl-1.1.1q.tar.gz b/openssl-1.1.1t.tar.gz similarity index 55% rename from openssl-1.1.1q.tar.gz rename to openssl-1.1.1t.tar.gz index d4ec2dd209229161c0003314925a44b93f2d1697..72a599e07ef95a8126975dbbfbbd31fb29a5eb57 100644 Binary files a/openssl-1.1.1q.tar.gz and b/openssl-1.1.1t.tar.gz differ diff --git a/optimized_libs_2.18.1.tar.gz b/optimized_libs_2.19.tar.gz similarity index 100% rename from optimized_libs_2.18.1.tar.gz rename to optimized_libs_2.19.tar.gz diff --git a/prebuilt_ae_2.18.1.tar.gz b/prebuilt_ae_2.18.1.tar.gz deleted file mode 100644 index 152f2aabb0836c166fa762b05796980232b56fbc..0000000000000000000000000000000000000000 Binary files a/prebuilt_ae_2.18.1.tar.gz and /dev/null differ diff --git a/prebuilt_ae_2.19.tar.gz b/prebuilt_ae_2.19.tar.gz new file mode 100644 index 0000000000000000000000000000000000000000..a0962004e3d4435bd1975ae9415d27db66b90e98 Binary files /dev/null and b/prebuilt_ae_2.19.tar.gz differ diff --git a/prebuilt_dcap_1.15.tar.gz b/prebuilt_dcap_1.16.tar.gz similarity index 30% rename from prebuilt_dcap_1.15.tar.gz rename to prebuilt_dcap_1.16.tar.gz index 28c220c36c673f205f4c63ebec7d51342a9ff967..4eb62dbdb5668d3c1465251b7dc86f6505e98160 100644 Binary files a/prebuilt_dcap_1.15.tar.gz and b/prebuilt_dcap_1.16.tar.gz differ 
diff --git a/sgx_2.18.1.tar.gz b/sgx_2.19.tar.gz
similarity index 49%
rename from sgx_2.18.1.tar.gz
rename to sgx_2.19.tar.gz
index d443f2623b9d1b6a2c77f020612e1d97dd7c0d32..94dcb3584e31a60d002a9b1a2146b4fcebefbb97 100644
Binary files a/sgx_2.18.1.tar.gz and b/sgx_2.19.tar.gz differ