From 39b78b9ac39ffe430b59487914f0bfde1cb036db Mon Sep 17 00:00:00 2001 From: "Li, Xun" Date: Wed, 11 Nov 2020 14:01:19 +0800 Subject: [PATCH] Linux 2.12 Open Source Gold Release Added Ubuntu 20.04 and CentOS 8.2 support. Added Intel(R) Provisioning Certification Service V3 API support for ECDSA attestation. Fixed bugs. 
Signed-off-by: Li, Xun --- Makefile | 18 ++- README.md | 93 ++++++-------- buildenv.mk | 2 +- common/inc/internal/se_version.h | 16 +-- download_prebuilt.sh | 10 +- external/dcap_source | 2 +- .../openmp/0001-Enable-OpenMP-in-SGX.patch | 39 ++++-- external/sgxssl/prepare_sgxssl.sh | 10 +- .../BOMs/libsgx-enclave-common-dev.txt | 3 +- .../BOMs/libsgx-headers-package.txt | 3 + .../libsgx-headers/BOMs/libsgx-headers.txt | 13 ++ .../installer/common/libsgx-headers/Makefile | 46 +++++++ .../common/libsgx-headers/createTarball.sh | 60 +++++++++ .../common/libsgx-headers/installConfig | 6 + .../libsgx-enclave-common-1.0/debian/control | 2 +- .../libsgx-epid-1.0/debian/control | 2 +- linux/installer/deb/libsgx-headers/build.sh | 118 ++++++++++++++++++ linux/installer/deb/libsgx-headers/clean.sh | 47 +++++++ .../libsgx-headers-1.0/debian/changelog | 5 + .../libsgx-headers-1.0/debian/compat | 1 + .../libsgx-headers-1.0/debian/control | 12 ++ .../libsgx-headers-1.0/debian/docs | 0 .../libsgx-headers-1.0/debian/rules | 8 ++ .../libsgx-headers-1.0/debian/source/format | 1 + .../libsgx-launch-1.0/debian/control | 2 +- .../libsgx-quote-ex-1.0/debian/control | 2 +- .../sgx-aesm-service-1.0/debian/control | 4 +- .../libsgx-enclave-common.spec | 2 +- .../rpm/libsgx-epid/libsgx-epid.spec | 2 +- linux/installer/rpm/libsgx-headers/build.sh | 88 +++++++++++++ linux/installer/rpm/libsgx-headers/clean.sh | 41 ++++++ .../rpm/libsgx-headers/libsgx-headers.spec | 63 ++++++++++ .../rpm/libsgx-launch/libsgx-launch.spec | 2 +- .../rpm/libsgx-quote-ex/libsgx-quote-ex.spec | 2 +- .../libsgx-aesm-ecdsa-plugin.spec | 2 +- .../libsgx-aesm-pce-plugin.spec | 2 +- linux/reproducibility/README.md | 22 ++-- .../ecdsa_quote_service_bundle.cpp | 16 +++ .../platform_info_logic.cpp | 12 +- sdk/simulation/urtssim/linux/Makefile | 1 - sdk/tlibcrypto/Makefile | 2 +- sdk/tlibcrypto/sgxssl/sgx_ecc256.cpp | 10 +- sdk/tlibcrypto/sgxssl/sgx_ecc256_ecdsa.cpp | 2 +- sdk/tlibcrypto/sgxssl/sgx_ecc256_internal.cpp | 4 +- 
sdk/trts/trts_veh.cpp | 3 +- 45 files changed, 677 insertions(+), 124 deletions(-) create mode 100644 linux/installer/common/libsgx-headers/BOMs/libsgx-headers-package.txt create mode 100644 linux/installer/common/libsgx-headers/BOMs/libsgx-headers.txt create mode 100644 linux/installer/common/libsgx-headers/Makefile create mode 100755 linux/installer/common/libsgx-headers/createTarball.sh create mode 100644 linux/installer/common/libsgx-headers/installConfig create mode 100755 linux/installer/deb/libsgx-headers/build.sh create mode 100755 linux/installer/deb/libsgx-headers/clean.sh create mode 100644 linux/installer/deb/libsgx-headers/libsgx-headers-1.0/debian/changelog create mode 100644 linux/installer/deb/libsgx-headers/libsgx-headers-1.0/debian/compat create mode 100644 linux/installer/deb/libsgx-headers/libsgx-headers-1.0/debian/control create mode 100644 linux/installer/deb/libsgx-headers/libsgx-headers-1.0/debian/docs create mode 100755 linux/installer/deb/libsgx-headers/libsgx-headers-1.0/debian/rules create mode 100644 linux/installer/deb/libsgx-headers/libsgx-headers-1.0/debian/source/format create mode 100755 linux/installer/rpm/libsgx-headers/build.sh create mode 100755 linux/installer/rpm/libsgx-headers/clean.sh create mode 100644 linux/installer/rpm/libsgx-headers/libsgx-headers.spec diff --git a/Makefile b/Makefile index 8d803d624..fbe209bf9 100644 --- a/Makefile +++ b/Makefile 
@@ -137,9 +137,13 @@ deb_libsgx_enclave_common: psw deb_libsgx_urts: psw ./linux/installer/deb/libsgx-urts/build.sh +.PHONY: deb_libsgx_headers_pkg +deb_libsgx_headers_pkg: + ./linux/installer/deb/libsgx-headers/build.sh + ifeq ($(CC_BELOW_5_2), 1) .PHONY: deb_psw_pkg -deb_psw_pkg: deb_libsgx_qe3_logic deb_libsgx_pce_logic deb_sgx_aesm_service deb_libsgx_epid deb_libsgx_launch deb_libsgx_quote_ex deb_libsgx_uae_service deb_libsgx_enclave_common deb_libsgx_urts deb_libsgx_ae_qe3 +deb_psw_pkg: deb_libsgx_headers_pkg deb_libsgx_qe3_logic deb_libsgx_pce_logic deb_sgx_aesm_service deb_libsgx_epid deb_libsgx_launch deb_libsgx_quote_ex deb_libsgx_uae_service deb_libsgx_enclave_common deb_libsgx_urts deb_libsgx_ae_qe3 else .PHONY: deb_libsgx_dcap_default_qpl deb_libsgx_dcap_default_qpl: @@ -183,7 +187,7 @@ deb_sgx_ra_service_pkg: .PHONY: deb_psw_pkg -deb_psw_pkg: deb_libsgx_qe3_logic deb_libsgx_pce_logic deb_sgx_aesm_service deb_libsgx_epid deb_libsgx_launch deb_libsgx_quote_ex deb_libsgx_uae_service deb_libsgx_enclave_common deb_libsgx_urts deb_libsgx_ae_qe3 deb_libsgx_dcap_default_qpl deb_libsgx_dcap_pccs deb_libsgx_dcap_ql deb_libsgx_ae_qve deb_sgx_dcap_quote_verify deb_sgx_pck_id_retrieval_tool_pkg deb_sgx_ra_service_pkg +deb_psw_pkg: deb_libsgx_headers_pkg deb_libsgx_qe3_logic deb_libsgx_pce_logic deb_sgx_aesm_service deb_libsgx_epid deb_libsgx_launch deb_libsgx_quote_ex deb_libsgx_uae_service deb_libsgx_enclave_common deb_libsgx_urts deb_libsgx_ae_qe3 deb_libsgx_dcap_default_qpl deb_libsgx_dcap_pccs deb_libsgx_dcap_ql deb_libsgx_ae_qve deb_sgx_dcap_quote_verify deb_sgx_pck_id_retrieval_tool_pkg deb_sgx_ra_service_pkg endif .PHONY: deb_local_repo 
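Review bot: The new `deb_libsgx_headers_pkg` target has no prerequisite, while the neighbouring targets such as `deb_libsgx_urts: psw` build the PSW first; `deb_psw_pkg` now lists it first, so the ordering relative to the rest of the build is only implied by that list, and a direct `make deb_libsgx_headers_pkg` runs `linux/installer/deb/libsgx-headers/build.sh` on its own. If that script needs anything produced by `psw` or by `make preparation` (the headers BOM in this commit pulls from a dcap_source tree), `deb_libsgx_headers_pkg: psw` would make the dependency explicit; if it is genuinely standalone, a comment saying so above the target would stop the next reader from asking. The same applies to `rpm_libsgx_headers_pkg` in the rpm hunk further down.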
@@ -238,9 +242,13 @@ rpm_libsgx_urts: psw rpm_sdk_pkg: sdk ./linux/installer/rpm/sdk/build.sh +.PHONY: rpm_libsgx_headers_pkg +rpm_libsgx_headers_pkg: + ./linux/installer/rpm/libsgx-headers/build.sh + ifeq ($(CC_BELOW_5_2), 1) .PHONY: rpm_psw_pkg -rpm_psw_pkg: rpm_libsgx_pce_logic rpm_libsgx_qe3_logic rpm_sgx_aesm_service rpm_libsgx_epid rpm_libsgx_launch rpm_libsgx_quote_ex rpm_libsgx_uae_service rpm_libsgx_enclave_common rpm_libsgx_urts rpm_libsgx_ae_qe3 +rpm_psw_pkg: rpm_libsgx_headers_pkg rpm_libsgx_pce_logic rpm_libsgx_qe3_logic rpm_sgx_aesm_service rpm_libsgx_epid rpm_libsgx_launch rpm_libsgx_quote_ex rpm_libsgx_uae_service rpm_libsgx_enclave_common rpm_libsgx_urts rpm_libsgx_ae_qe3 else .PHONY: rpm_libsgx_dcap_default_qpl rpm_libsgx_dcap_default_qpl: @@ -282,7 +290,7 @@ rpm_sgx_ra_service_pkg: $(CP) external/dcap_source/tools/SGXPlatformRegistration/build/installer/libsgx-ra-*rpm ./linux/installer/rpm/sgx-aesm-service/ .PHONY: rpm_psw_pkg -rpm_psw_pkg: rpm_libsgx_pce_logic rpm_libsgx_qe3_logic rpm_sgx_aesm_service rpm_libsgx_epid rpm_libsgx_launch rpm_libsgx_quote_ex rpm_libsgx_uae_service rpm_libsgx_enclave_common rpm_libsgx_urts rpm_libsgx_ae_qe3 rpm_libsgx_dcap_default_qpl rpm_libsgx_dcap_pccs rpm_libsgx_dcap_ql rpm_libsgx_ae_qve rpm_sgx_dcap_quote_verify rpm_sgx_pck_id_retrieval_tool_pkg rpm_sgx_ra_service_pkg +rpm_psw_pkg: rpm_libsgx_headers_pkg rpm_libsgx_pce_logic rpm_libsgx_qe3_logic rpm_sgx_aesm_service rpm_libsgx_epid rpm_libsgx_launch rpm_libsgx_quote_ex rpm_libsgx_uae_service rpm_libsgx_enclave_common rpm_libsgx_urts rpm_libsgx_ae_qe3 rpm_libsgx_dcap_default_qpl rpm_libsgx_dcap_pccs rpm_libsgx_dcap_ql rpm_libsgx_ae_qve rpm_sgx_dcap_quote_verify rpm_sgx_pck_id_retrieval_tool_pkg rpm_sgx_ra_service_pkg endif .PHONY: rpm_local_repo 
@@ -304,6 +312,7 @@ clean: ./linux/installer/deb/libsgx-uae-service/clean.sh ./linux/installer/deb/libsgx-enclave-common/clean.sh ./linux/installer/deb/libsgx-urts/clean.sh + ./linux/installer/deb/libsgx-headers/clean.sh ./linux/installer/common/local_repo_builder/local_repo_builder.sh debian clean ./linux/installer/rpm/sgx-aesm-service/clean.sh ./linux/installer/rpm/libsgx-epid/clean.sh @@ -312,6 +321,7 @@ clean: ./linux/installer/rpm/libsgx-uae-service/clean.sh ./linux/installer/rpm/libsgx-enclave-common/clean.sh ./linux/installer/rpm/libsgx-urts/clean.sh + ./linux/installer/rpm/libsgx-headers/clean.sh ./linux/installer/rpm/sdk/clean.sh ./linux/installer/common/local_repo_builder/local_repo_builder.sh rpm clean ifeq ("$(shell test -f external/dcap_source/QuoteVerification/dcap_tvl/Makefile && echo TVL Makefile exists)", "TVL Makefile exists") diff --git a/README.md b/README.md index 8da24509d..f294f2718 100644 --- a/README.md +++ b/README.md @@ -55,11 +55,12 @@ Build the Intel(R) SGX SDK and Intel(R) SGX PSW Package * Ubuntu\* 16.04 LTS Server 64bits * Ubuntu\* 18.04 LTS Desktop 64bits * Ubuntu\* 18.04 LTS Server 64bits + * Ubuntu\* 20.04 LTS Desktop 64bits + * Ubuntu\* 20.04 LTS Server 64bits * Red Hat Enterprise Linux Server release 7.6 64bits * Red Hat Enterprise Linux Server release 8.2 64bits - * CentOS 8.1 64bits + * CentOS 8.2 64bits * Fedora 31 Server 64bits - * SUSE Linux Enterprise Server 15 64bits - Use the following command(s) to install the required tools to build the Intel(R) SGX SDK: * On Ubuntu 16.04: 
@@ -70,13 +71,17 @@ Build the Intel(R) SGX SDK and Intel(R) SGX PSW Package ``` $ sudo apt-get install build-essential ocaml ocamlbuild automake autoconf libtool wget python libssl-dev git cmake perl ``` + * On Ubuntu 20.04: + ``` + $ sudo apt-get install build-essential ocaml ocamlbuild automake autoconf libtool wget python-is-python3 libssl-dev git cmake perl + ``` * On Red Hat Enterprise Linux 7.6, Red Hat Enterprise Linux 8.2: ``` $ sudo yum groupinstall 'Development Tools' $ sudo yum install ocaml ocaml-ocamlbuild wget python2 openssl-devel git cmake perl $ sudo alternatives --set python /usr/bin/python2 ``` - * On CentOS 8.1: + * On CentOS 8.2: ``` $ sudo dnf group install 'Development Tools' $ sudo dnf --enablerepo=PowerTools install ocaml ocaml-ocamlbuild redhat-rpm-config openssl-devel wget rpm-build git cmake perl python2 @@ -86,16 +91,11 @@ Build the Intel(R) SGX SDK and Intel(R) SGX PSW Package ``` $ sudo yum groupinstall 'C Development Tools and Libraries' $ sudo yum install ocaml ocaml-ocamlbuild redhat-rpm-config openssl-devel wget python rpm-build git cmake perl - ``` - * On SUSE Linux Enterprise Server 15: - ``` - $ sudo zypper install --type pattern devel_basis - $ sudo zypper install ocaml ocaml-ocamlbuild automake autoconf libtool wget python libopenssl-devel rpm-build git cmake perl ``` **Note**: To build Intel(R) SGX SDK, gcc version is required to be 7.3 or above and glibc version is required to be 2.27 or above. For Ubuntu 16.04, Red Hat Enterprise Linux 7.6, you may need to update gcc and glibc version manually. - Use the following command to install additional required tools and latest Intel(R) SGX SDK Installer to build the Intel(R) SGX PSW: 1) To install the additional required tools: - * On Ubuntu 16.04 and Ubuntu 18.04: + * On Ubuntu 16.04, Ubuntu 18.04 and Ubuntu 20.04: ``` $ sudo apt-get install libssl-dev libcurl4-openssl-dev protobuf-compiler libprotobuf-dev debhelper cmake reprepro unzip ``` 
@@ -103,20 +103,16 @@ Build the Intel(R) SGX SDK and Intel(R) SGX PSW Package ``` $ sudo yum install openssl-devel libcurl-devel protobuf-devel cmake rpm-build createrepo yum-utils ``` - * On CentOS 8.1: + * On CentOS 8.2: ``` $ sudo dnf --enablerepo=PowerTools install openssl-devel libcurl-devel protobuf-devel cmake rpm-build createrepo yum-utils ``` - * On SUSE Linux Enterprise Server 15: - ``` - $ sudo zypper install libopenssl-devel libcurl-devel protobuf-devel cmake rpm-build createrepo - ``` 2) To install latest Intel(R) SGX SDK Installer Ensure that you have downloaded latest Intel(R) SGX SDK Installer from the [Intel(R) SGX SDK](https://software.intel.com/en-us/sgx-sdk/download) and followed the Installation Guide in the same page to install latest Intel(R) SGX SDK Installer. - Download the source code and prepare the submodules and prebuilt binaries: ``` - $ git clone https://github.com/intel/linux-sgx.git + $ git clone https://github.com/intel/linux-sgx.git $ cd linux-sgx && make preparation ``` The above ``make preparation`` would trigger the script ``download_prebuilt.sh`` to download the prebuilt binaries. You may need to set an https proxy for the `wget` tool used by the script (such as ``export https_proxy=http://test-proxy:test-port``) 
@@ -188,13 +184,13 @@ You can find the tools and libraries generated in the `build/linux` directory. $ make ``` - To build the Intel(R) SGX PSW installer, enter the following command: - * On Ubuntu 16.04 and Ubuntu 18.04: + * On Ubuntu 16.04, Ubuntu 18.04 and Ubuntu 20.04: ``` $ make deb_psw_pkg ``` You can find the generated Intel(R) SGX PSW installers located under `linux/installer/deb/libsgx-urts`, `linux/installer/deb/libsgx-enclave-common`, `linux/installer/deb/libsgx-uae-service`, `linux/installer/deb/libsgx-epid`, `linux/installer/deb/libsgx-launch`, `linux/installer/deb/libsgx-quote-ex` and `linux/installer/deb/sgx-aesm-service` respectively. - **Note**: On Ubuntu 18.04, besides the Intel(R) SGX PSW installer, the above command generates another debug symbol package named ``package-name-dbgsym_${version}-${revision}_amd64.ddeb`` for debug purpose. On Ubuntu 16.04, if you want to keep debug symbols in the Intel(R) SGX PSW installer, before building the Intel(R) SGX PSW, you need to export an environment variable to ensure the debug symbols not stripped: + **Note**: On Ubuntu 18.04 and Ubuntu 20.04, besides the Intel(R) SGX PSW installer, the above command generates another debug symbol package named ``package-name-dbgsym_${version}-${revision}_amd64.ddeb`` for debug purpose. On Ubuntu 16.04, if you want to keep debug symbols in the Intel(R) SGX PSW installer, before building the Intel(R) SGX PSW, you need to export an environment variable to ensure the debug symbols not stripped: ``` $ export DEB_BUILD_OPTIONS="nostrip" ``` @@ -204,7 +200,7 @@ You can find the tools and libraries generated in the `build/linux` directory. ``` $ make deb_psw_pkg DEBUG=1 ``` - * On Red Hat Enterprise Linux 7.6, Red Hat Enterprise Linux 8.2, CentOS 8.1, Fedora 31 and SUSE Linux Enterprise Server 15: + * On Red Hat Enterprise Linux 7.6, Red Hat Enterprise Linux 8.2, CentOS 8.2 and Fedora 31: ``` $ make rpm_psw_pkg ``` 
@@ -233,8 +229,12 @@ You can find the tools and libraries generated in the `build/linux` directory. ``` deb [trusted=yes arch=amd64] file:/PATH_TO_LOCAL_REPO bionic main ``` + * On Ubuntu 20.04: + ``` + deb [trusted=yes arch=amd64] file:/PATH_TO_LOCAL_REPO focal main + ``` After that, you need to update the apt: - * On Ubuntu 16.04 and Ubuntu 18.04: + * On Ubuntu 16.04, Ubuntu 18.04 and Ubuntu 20.04: ``` $ sudo apt update ``` @@ -248,23 +248,15 @@ You can find the tools and libraries generated in the `build/linux` directory. **Note**: The above command builds the local package repository. If you want to use it, you need to add it to the system repository configuration. Since the local package repository is not signed with GPG, you should ignore the gpgcheck when installing the packages. - To add the local RPM package repository to the system repository configuration, you can use the following command. You need to replace PATH_TO_LOCAL_REPO with the proper path on your system: - * On Red Hat Enterprise Linux 7.6, Red Hat Enterprise Linux 8.2, CentOS 8.1, Fedora 31: + * On Red Hat Enterprise Linux 7.6, Red Hat Enterprise Linux 8.2, CentOS 8.2, Fedora 31: ``` $ sudo yum-config-manager --add-repo file://PATH_TO_LOCAL_REPO ``` - * On SUSE Linux Enterprise Server 15, you need to replace LOCAL_REPO_ALIAS with proper alias name for the local repo: - ``` - $ sudo zypper addrepo PATH_TO_LOCAL_REPO LOCAL_REPO_ALIAS - ``` - To ignore the gpgcheck when you install the package, enter the following command: - * On Red Hat Enterprise Linux 7.6, Red Hat Enterprise Linux 8.2, CentOS 8.1, Fedora 31: + * On Red Hat Enterprise Linux 7.6, Red Hat Enterprise Linux 8.2, CentOS 8.2, Fedora 31: ``` $ sudo yum --nogpgcheck install ``` - * On SUSE Linux Enterprise Server 15: - ``` - $ sudo zypper --no-gpg-checks install - ``` Install the Intel(R) SGX SDK ------------------------ 
@@ -274,17 +266,18 @@ Install the Intel(R) SGX SDK * Ubuntu\* 16.04 LTS Server 64bits * Ubuntu\* 18.04 LTS Desktop 64bits * Ubuntu\* 18.04 LTS Server 64bits + * Ubuntu\* 20.04 LTS Desktop 64bits + * Ubuntu\* 20.04 LTS Server 64bits * Red Hat Enterprise Linux Server release 7.6 64bits * Red Hat Enterprise Linux Server release 8.2 64bits - * CentOS 8.1 64bits + * CentOS 8.2 64bits * Fedora 31 Server 64bits - * SUSE Linux Enterprise Server 15 64bits - Use the following command to install the required tool to use Intel(R) SGX SDK: - * On Ubuntu 16.04 and Ubuntu 18.04: + * On Ubuntu 16.04, Ubuntu 18.04 and Ubuntu 20.04: ``` $ sudo apt-get install build-essential python ``` - * On Red Hat Enterprise Linux 7.6, Red Hat Enterprise Linux 8.2 and CentOS 8.1: + * On Red Hat Enterprise Linux 7.6, Red Hat Enterprise Linux 8.2 and CentOS 8.2: ``` $ sudo yum groupinstall 'Development Tools' $ sudo yum install python2 @@ -294,11 +287,6 @@ Install the Intel(R) SGX SDK ``` $ sudo yum groupinstall 'C Development Tools and Libraries' ``` - * On SUSE Linux Enterprise Server 15: - ``` - $ sudo zypper install --type pattern devel_basis - $ sudo zypper install python - ``` ### Install the Intel(R) SGX SDK To install the Intel(R) SGX SDK, invoke the installer, as follows: 
@@ -344,17 +332,18 @@ Install the Intel(R) SGX PSW * Ubuntu\* 16.04 LTS Server 64bits * Ubuntu\* 18.04 LTS Desktop 64bits * Ubuntu\* 18.04 LTS Server 64bits + * Ubuntu\* 20.04 LTS Desktop 64bits + * Ubuntu\* 20.04 LTS Server 64bits * Red Hat Enterprise Linux Server release 7.6 64bits * Red Hat Enterprise Linux Server release 8.2 64bits - * CentOS 8.1 64bits + * CentOS 8.2 64bits * Fedora 31 Server 64bits - * SUSE Linux Enterprise Server 15 64bits - Ensure that you have a system with the following required hardware: * 6th Generation Intel(R) Core(TM) Processor or newer - Configure the system with the **Intel SGX hardware enabled** option and install Intel(R) SGX driver in advance. See the earlier topic, *Build and Install the Intel(R) SGX Driver*, for information on how to install the Intel(R) SGX driver. - Install the library using the following command: - * On Ubuntu 16.04 and Ubuntu 18.04: + * On Ubuntu 16.04, Ubuntu 18.04 and Ubuntu 20.04: ``` $ sudo apt-get install libssl-dev libcurl4-openssl-dev libprotobuf-dev ``` 
@@ -362,26 +351,22 @@ Install the Intel(R) SGX PSW ``` $ sudo yum install openssl-devel libcurl-devel protobuf-devel ``` - * On CentOS 8.1: + * On CentOS 8.2: ``` $ sudo dnf --enablerepo=PowerTools install libcurl-devel protobuf-devel ``` - * On SUSE Linux Enterprise Server 15: - ``` - $ sudo zypper install libopenssl-devel libcurl-devel protobuf-devel - ``` ### Install the Intel(R) SGX PSW - The SGX PSW provides 3 services: launch, EPID-based attestation, and algorithm agnostic attestation. Starting with the 2.8 release, the SGX PSW is split into smaller packages and the user can choose which features and services to install. There are 2 methods to install the required packages: Using individual packages or using the local repo generated by the build system. Using the local repo is recommended since the system will resolve the dependencies automatically. Currently, we support .deb and .rpm based repos. #### Using the local repo(recommended) - | |Ubuntu 16.04, Ubuntu 18.04|Red Hat Enterprise Linux 7.6, Red Hat Enterprise Linux 8.2, CentOS 8.1, Fedora 31|SUSE Linux Enterprise Server 15| - | ------------ | ------------ | ------------ | ------------ | - |launch service |apt-get install libsgx-launch libsgx-urts|yum install libsgx-launch libsgx-urts|zypper install libsgx-launch libsgx-urts| - |EPID-based attestation service|apt-get install libsgx-epid libsgx-urts|yum install libsgx-epid libsgx-urts|zypper install libsgx-epid libsgx-urts|| - |algorithm agnostic attestation service|apt-get install libsgx-quote-ex libsgx-urts|yum install libsgx-quote-ex libsgx-urts|zypper install libsgx-quote-ex libsgx-urts| - |DCAP ECDSA-based service(Ubuntu16.04 not included)|apt-get install libsgx-dcap-ql|yum install libsgx-dcap-ql|zypper install libsgx-dcap-ql| + | |Ubuntu 16.04, Ubuntu 18.04 and Ubuntu 20.04|Red Hat Enterprise Linux 7.6, Red Hat Enterprise Linux 8.2, CentOS 8.2, Fedora 31| + | ------------ | ------------ | ------------ | + |launch service |apt-get install 
libsgx-launch libsgx-urts|yum install libsgx-launch libsgx-urts| + |EPID-based attestation service|apt-get install libsgx-epid libsgx-urts|yum install libsgx-epid libsgx-urts| + |algorithm agnostic attestation service|apt-get install libsgx-quote-ex libsgx-urts|yum install libsgx-quote-ex libsgx-urts| + |DCAP ECDSA-based service(Ubuntu16.04 not included)|apt-get install libsgx-dcap-ql|yum install libsgx-dcap-ql| Optionally, you can install *-dbgsym or *-debuginfo packages to get the debug symbols, and install *-dev or *-devel packages to get the header files for development. @@ -391,7 +376,7 @@ Install the Intel(R) SGX PSW Please refer [Intel_SGX_Installation_Guide_Linux](https://download.01.org/intel-sgx/latest/linux-latest/docs/) for detail. #### Upgrade from a legacy installation - Before release 2.8, SGX PSW is installed as a single package named as libsgx-enclave-common. Starting with the 2.8 release, SGX PSW is split into smaller packages. libsgx-enclave-common is one of them. As a result, a simple upgrade will end up with a subset of the SGX PSW being installed on the system. You need to install additional packages to enable the required feature. At the same time, you will encounter some error message when you try to upgrade to release 2.8 from an old installation. You can use 2 methods to address it. + Sometimes we will split old package into smaller ones or move file between different packages. In such cases, you will encounter error messages like: "dpkg: error processing archive ....(--unpack): trying to overwrite ...". You can use 2 methods to address it. * Uninstall the old installation first, then install new packages. * Add ``-o Dpkg::Options::="--force-overwrite"`` option to overwrite existing files and use “``dist-upgrade``” instead of "upgrade" to install new packages when upgrading. In short, you should use this command: ``` 
@@ -399,7 +384,7 @@ Install the Intel(R) SGX PSW ``` #### Configure the installation Some packages are configured with recommended dependency on other packages that are not required for certain usage. For instance, the background daemon is not required for container usage. It will be installed by default, but you can drop it by using the additional option during the installation. - * On Ubuntu 16.04, Ubuntu 18.04: + * On Ubuntu 16.04, Ubuntu 18.04 and Ubuntu 20.04: ``` --no-install-recommends ``` diff --git a/buildenv.mk b/buildenv.mk index 331611d76..fd9167265 100644 --- a/buildenv.mk +++ b/buildenv.mk @@ -273,7 +273,7 @@ LD_IPP := -lippcp ######## SGX SDK Settings ######## SGX_SDK ?= /opt/intel/sgxsdk -SGX_HEADER_DIR := $(SGX_SDK)/include +SGX_HEADER_DIR ?= $(SGX_SDK)/include ifeq ($(ARCH), x86) SGX_COMMON_CFLAGS := -m32 diff --git a/common/inc/internal/se_version.h b/common/inc/internal/se_version.h index d09a0c3db..4c816f0fc 100644 --- a/common/inc/internal/se_version.h +++ b/common/inc/internal/se_version.h @@ -31,20 +31,20 @@ #ifndef _SE_VERSION_H_ #define _SE_VERSION_H_ -#define STRFILEVER "2.11.100.2" +#define STRFILEVER "2.12.100.3" #define SGX_MAJOR_VERSION 2 -#define SGX_MINOR_VERSION 11 +#define SGX_MINOR_VERSION 12 #define SGX_REVISION_VERSION 100 #define MAKE_VERSION_UINT(major,minor,rev) (((uint64_t)major)<<32 | ((uint64_t)minor) << 16 | rev) #define VERSION_UINT MAKE_VERSION_UINT(SGX_MAJOR_VERSION, SGX_MINOR_VERSION, SGX_REVISION_VERSION) #define COPYRIGHT "Copyright (C) 2020 Intel Corporation" -#define UAE_SERVICE_VERSION "2.3.205.2" -#define URTS_VERSION "1.1.109.2" -#define ENCLAVE_COMMON_VERSION "1.0.112.2" -#define LAUNCH_VERSION "1.0.107.2" -#define EPID_VERSION "1.0.107.2" -#define QUOTE_EX_VERSION "1.1.107.2" +#define UAE_SERVICE_VERSION "2.3.206.3" +#define URTS_VERSION "1.1.110.3" +#define ENCLAVE_COMMON_VERSION "1.0.113.3" +#define LAUNCH_VERSION "1.0.108.3" +#define EPID_VERSION "1.0.108.3" +#define QUOTE_EX_VERSION "1.1.108.3" #endif 
diff --git a/download_prebuilt.sh b/download_prebuilt.sh index be972962e..ced050340 100755 --- a/download_prebuilt.sh +++ b/download_prebuilt.sh @@ -33,11 +33,11 @@ top_dir=`dirname $0` out_dir=$top_dir -optlib_name=optimized_libs_2.11.tar.gz -ae_file_name=prebuilt_ae_2.11.tar.gz -binutils_file_name=as.ld.objdump.gold.r2.tar.gz -checksum_file=SHA256SUM_prebuilt_2.11.txt -server_url_path=https://download.01.org/intel-sgx/sgx-linux/2.11/ +optlib_name=optimized_libs_2.12.tar.gz +ae_file_name=prebuilt_ae_2.12.tar.gz +binutils_file_name=as.ld.objdump.gold.r3.tar.gz +checksum_file=SHA256SUM_prebuilt_2.12.cfg +server_url_path=https://download.01.org/intel-sgx/sgx-linux/2.12/ server_optlib_url=$server_url_path/$optlib_name server_ae_url=$server_url_path/$ae_file_name server_binutils_url=$server_url_path/$binutils_file_name diff --git a/external/dcap_source b/external/dcap_source index c9b707408..98976322e 160000 --- a/external/dcap_source +++ b/external/dcap_source @@ -1 +1 @@ -Subproject commit c9b707408d14fc1f1dcc519950bafb8bc58f0f42 +Subproject commit 98976322e8b58e23256355f5cf90b9e30e37d8c1 diff --git a/external/openmp/0001-Enable-OpenMP-in-SGX.patch b/external/openmp/0001-Enable-OpenMP-in-SGX.patch index e0c432b8b..35c8862ed 100644 --- a/external/openmp/0001-Enable-OpenMP-in-SGX.patch +++ b/external/openmp/0001-Enable-OpenMP-in-SGX.patch @@ -1,19 +1,19 @@ -From ebb889669626966aa2b5a3775d76d6cff16f7059 Mon Sep 17 00:00:00 2001 +From 0ce73c45cfd4850de6c28f05d836b2fd1ed4eee0 Mon Sep 17 00:00:00 2001 From: Zhang Lili Z -Date: Wed, 11 Dec 2019 23:28:56 +0800 -Subject: [PATCH] Enable OpenMP in SGX. +Date: Tue, 18 Aug 2020 18:58:53 +0800 +Subject: [PATCH] Enable OpenMP in SGX 
Signed-off-by: Zhang Lili Z --- final/CMakeLists.txt | 2 +- - final/runtime/CMakeLists.txt | 10 ++- + final/runtime/CMakeLists.txt | 12 +++- final/runtime/cmake/LibompDefinitions.cmake | 1 + final/runtime/cmake/LibompHandleFlags.cmake | 7 ++ final/runtime/cmake/config-ix.cmake | 2 +- final/runtime/src/CMakeLists.txt | 5 ++ final/runtime/src/kmp.h | 42 ++++++++++- final/runtime/src/kmp_affinity.h | 4 ++ - final/runtime/src/kmp_config.h.cmake | 10 +++ + final/runtime/src/kmp_config.h.cmake | 12 ++++ final/runtime/src/kmp_csupport.cpp | 12 ++++ final/runtime/src/kmp_environment.cpp | 11 ++- final/runtime/src/kmp_ftn_entry.h | 10 +++ @@ -30,7 +30,7 @@ Signed-off-by: Zhang Lili Z final/runtime/src/sgx_stub.cpp | 63 ++++++++++++++++ final/runtime/src/sgx_stub.h | 51 +++++++++++++ final/runtime/src/z_Linux_util.cpp | 79 +++++++++++++++++++-- - 25 files changed, 394 insertions(+), 20 deletions(-) + 25 files changed, 397 insertions(+), 21 deletions(-) create mode 100644 final/runtime/src/sgx_stub.cpp create mode 100644 final/runtime/src/sgx_stub.h @@ -48,7 +48,7 @@ index 597eedc..bfeda38 100644 # Since the device plugins are only supported on Linux anyway, # there is no point in trying to compile libomptarget on other OSes. diff --git a/final/runtime/CMakeLists.txt b/final/runtime/CMakeLists.txt -index 447b3cd..c146e18 100644 +index 447b3cd..3d3018c 100644 --- a/final/runtime/CMakeLists.txt +++ b/final/runtime/CMakeLists.txt @@ -20,6 +20,8 @@ set(CMAKE_MODULE_PATH ${CMAKE_CURRENT_SOURCE_DIR}/cmake ${CMAKE_MODULE_PATH}) 
@@ -60,6 +60,15 @@ index 447b3cd..c146e18 100644 # These include files are in the cmake/ subdirectory include(LibompUtils) include(LibompGetArchitecture) +@@ -33,7 +35,7 @@ if(${OPENMP_STANDALONE_BUILD}) + set(LIBOMP_ARCH ${LIBOMP_DETECTED_ARCH} CACHE STRING + "The architecture to build for (x86_64/i386/arm/ppc64/ppc64le/aarch64/mic/mips/mips64).") + # Should assertions be enabled? They are on by default. +- set(LIBOMP_ENABLE_ASSERTIONS TRUE CACHE BOOL ++ set(LIBOMP_ENABLE_ASSERTIONS FALSE CACHE BOOL + "enable assertions?") + else() # Part of LLVM build + # Determine the native architecture from LLVM. @@ -282,7 +284,7 @@ if(LIBOMP_STATS) endif() @@ -330,10 +339,20 @@ index 34147fd..1cc2dd4 100644 bool operator==(const AddrUnsPair &b) const { if (first != b.first) diff --git a/final/runtime/src/kmp_config.h.cmake b/final/runtime/src/kmp_config.h.cmake -index c9ebbc0..1f2c2c1 100644 +index c9ebbc0..17c1f66 100644 --- a/final/runtime/src/kmp_config.h.cmake +++ b/final/runtime/src/kmp_config.h.cmake -@@ -95,11 +95,16 @@ +@@ -53,7 +53,9 @@ + #cmakedefine01 LIBOMP_USE_INTERNODE_ALIGNMENT + #define KMP_USE_INTERNODE_ALIGNMENT LIBOMP_USE_INTERNODE_ALIGNMENT + #cmakedefine01 LIBOMP_ENABLE_ASSERTIONS ++#if LIBOMP_ENABLE_ASSERTIONS + #define KMP_USE_ASSERT LIBOMP_ENABLE_ASSERTIONS ++#endif + #cmakedefine01 LIBOMP_USE_HIER_SCHED + #define KMP_USE_HIER_SCHED LIBOMP_USE_HIER_SCHED + #cmakedefine01 STUBS_LIBRARY +@@ -95,11 +97,16 @@ #define USE_ITT_BUILD LIBOMP_USE_ITT_NOTIFY #define INTEL_ITTNOTIFY_PREFIX __kmp_itt_ #if ! KMP_MIC @@ -350,7 +369,7 @@ index c9ebbc0..1f2c2c1 100644 #if STUBS_LIBRARY # define KMP_STUB 1 #endif -@@ -107,6 +112,11 @@ +@@ -107,6 +114,11 @@ # define KMP_DEBUG 1 #endif diff --git a/external/sgxssl/prepare_sgxssl.sh b/external/sgxssl/prepare_sgxssl.sh index 5eb629157..bc79e3bb8 100755 --- a/external/sgxssl/prepare_sgxssl.sh +++ b/external/sgxssl/prepare_sgxssl.sh 
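Review bot: The refreshed inner patch now sets `LIBOMP_ENABLE_ASSERTIONS FALSE` in final/runtime/CMakeLists.txt and wraps `#define KMP_USE_ASSERT` in `#if LIBOMP_ENABLE_ASSERTIONS` in kmp_config.h.cmake, so the OpenMP runtime linked into enclaves is built without its internal consistency checks, but neither the inner patch subject nor this commit message says why. A one-line rationale in the inner patch description (in the form `Assertions are disabled in the SGX build because <reason>`) would record whether this is an enclave-environment constraint or a size/performance choice, which matters when someone later wants to turn them back on for a debug enclave. The `index 447b3cd..3d3018c` and diffstat updates are consistent with a regenerated patch and need nothing further.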
@@ -35,14 +35,14 @@ openssl_out_dir=$top_dir/openssl_source openssl_ver=1.1.1g openssl_ver_name=openssl-$openssl_ver sgxssl_github_archive=https://github.com/intel/intel-sgx-ssl/archive -sgxssl_ver=2.10 +sgxssl_ver=2.11 sgxssl_ver_name=v$sgx_ver sgxssl_file_name=lin_$sgxssl_ver\_$openssl_ver build_script=$top_dir/Linux/build_openssl.sh server_url_path=https://www.openssl.org/source full_openssl_url=$server_url_path/old/1.1.1/$openssl_ver_name.tar.gz -sgxssl_chksum=5fb5328fdd55d643cc125dd43cbd0a1f7d74ead7948b52cf15d8533d47a0d266 +sgxssl_chksum=12828839c4555e0f5e88e86db090c995053d98d99091862c498fc55f379183fc openssl_chksum=ddb04774f1e32f0c49751e21b67216ac87852ceb056b75209af2443400636d46 rm -f check_sum_sgxssl.txt check_sum_openssl.txt if [ ! -f $build_script ]; then @@ -72,5 +72,9 @@ if [ ! -f $openssl_out_dir/$openssl_ver_name.tar.gz ]; then fi pushd $top_dir/Linux/ -make clean all LINUX_SGX_BUILD=1 DEBUG=$DEBUG +if [ "$MITIGATION" != "" ]; then + make clean all LINUX_SGX_BUILD=1 DEBUG=$DEBUG +else + make clean sgxssl_no_mitigation LINUX_SGX_BUILD=1 DEBUG=$DEBUG +fi popd diff --git a/linux/installer/common/libsgx-enclave-common/BOMs/libsgx-enclave-common-dev.txt b/linux/installer/common/libsgx-enclave-common/BOMs/libsgx-enclave-common-dev.txt index b2605db0e..e0c0e1225 100644 --- a/linux/installer/common/libsgx-enclave-common/BOMs/libsgx-enclave-common-dev.txt +++ b/linux/installer/common/libsgx-enclave-common/BOMs/libsgx-enclave-common-dev.txt @@ -1,3 +1,2 @@ DeliveryName InstallName FileCheckSum FileFeature FileOwner -/common/inc/sgx_attributes.h /include/sgx_attributes.h 0 main STP -/psw/enclave_common/sgx_enclave_common.h /include/sgx_enclave_common.h 0 main STP \ No newline at end of file +/psw/enclave_common/sgx_enclave_common.h /include/sgx_enclave_common.h 0 main STP 
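Review bot: The context line `sgxssl_ver_name=v$sgx_ver` directly below the bumped `sgxssl_ver=2.11` expands `sgx_ver`, not `sgxssl_ver`; unless `sgx_ver` is assigned earlier in the script (outside this hunk), the tag name resolves to just `v` and the version bumped here never reaches that variable. If the intent is the SGX SSL release tag, `sgxssl_ver_name=v$sgxssl_ver` is the likely fix; if `sgx_ver` is deliberate, a comment naming where it comes from would remove the doubt. The `sgxssl_chksum` pin does protect the archive contents regardless, so this is about the fetched name rather than integrity.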
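Review bot: The new `if [ "$MITIGATION" != "" ]` branch selects the `sgxssl_no_mitigation` target whenever the variable is unset, so a caller that forgets to export `MITIGATION` silently gets a non-mitigated SGX SSL build with nothing in the log to show it. Printing the chosen mode before each `make`, e.g. `echo "prepare_sgxssl: MITIGATION='${MITIGATION}' (empty => sgxssl_no_mitigation)"`, would make the selection visible in build output and in CI artefacts. The test is also only for non-emptiness, so any value, including a mistyped one, takes the mitigated path; if Linux/Makefile accepts a specific set of values, a comment listing them here would let a reader check the caller without opening that Makefile.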
diff --git a/linux/installer/common/libsgx-headers/BOMs/libsgx-headers-package.txt b/linux/installer/common/libsgx-headers/BOMs/libsgx-headers-package.txt
new file mode 100644
index 000000000..209dfa7aa
--- /dev/null
+++ b/linux/installer/common/libsgx-headers/BOMs/libsgx-headers-package.txt
@@ -0,0 +1,3 @@
+DeliveryName InstallName FileCheckSum FileFeature FileOwner
+/linux/installer/common/libsgx-headers/installConfig /installConfig 0 main STP
+/linux/installer/common/libsgx-headers/Makefile /Makefile 0 main STP
diff --git a/linux/installer/common/libsgx-headers/BOMs/libsgx-headers.txt b/linux/installer/common/libsgx-headers/BOMs/libsgx-headers.txt
new file mode 100644
index 000000000..eeb63e11e
--- /dev/null
+++ b/linux/installer/common/libsgx-headers/BOMs/libsgx-headers.txt
@@ -0,0 +1,13 @@
+DeliveryName InstallName FileCheckSum FileFeature FileOwner
+/common/inc/sgx_attributes.h /include/sgx_attributes.h 0 main STP
+/common/inc/sgx_defs.h /include/sgx_defs.h 0 main STP
+/common/inc/sgx_eid.h /include/sgx_eid.h 0 main STP
+/common/inc/sgx_error.h /include/sgx_error.h 0 main STP
+/common/inc/sgx_report.h /include/sgx_report.h main STP
+/common/inc/sgx_key.h /include/sgx_key.h 0 main STP
+/common/inc/sgx_quote.h /include/sgx_quote.h 0 main STP
+/common/inc/sgx_urts.h /include/sgx_urts.h 0 main STP
+/dcap-trunk/dcap_source/QuoteGeneration/quote_wrapper/common/inc/sgx_ql_lib_common.h /include/sgx_ql_lib_common.h 0 main STP
+/dcap-trunk/dcap_source/QuoteGeneration/quote_wrapper/common/inc/sgx_quote_3.h /include/sgx_quote_3.h 0 main STP
+/dcap-trunk/dcap_source/QuoteGeneration/quote_wrapper/common/inc/sgx_ql_quote.h /include/sgx_ql_quote.h 0 main STP
+/dcap-trunk/dcap_source/QuoteGeneration/pce_wrapper/inc/sgx_pce.h /include/sgx_pce.h 0 main STP
diff --git a/linux/installer/common/libsgx-headers/Makefile b/linux/installer/common/libsgx-headers/Makefile
new file mode 100644
index 000000000..84d58f9f0
--- /dev/null
+++ b/linux/installer/common/libsgx-headers/Makefile
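Review bot: The `sgx_report.h` row in libsgx-headers.txt is missing its `FileCheckSum` field: `/common/inc/sgx_report.h /include/sgx_report.h main STP` has four columns where every other row has five (`... 0 main STP`). A BOM consumer that reads the columns positionally will take `main` as the checksum and `STP` as the feature and then have no owner, so that header may be skipped or mis-owned in the built package. The row should read `/common/inc/sgx_report.h /include/sgx_report.h 0 main STP`.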
@@ -0,0 +1,46 @@ +# +# Copyright (C) 2011-2020 Intel Corporation. All rights reserved. +# +# Redistribution and use in source and binary forms, with or without +# modification, are permitted provided that the following conditions +# are met: +# +# * Redistributions of source code must retain the above copyright +# notice, this list of conditions and the following disclaimer. +# * Redistributions in binary form must reproduce the above copyright +# notice, this list of conditions and the following disclaimer in +# the documentation and/or other materials provided with the +# distribution. +# * Neither the name of Intel Corporation nor the names of its +# contributors may be used to endorse or promote products derived +# from this software without specific prior written permission. +# +# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS +# "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT +# LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR +# A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT +# OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, +# SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT +# LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, +# DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY +# THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT +# (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE +# OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. +# +# + +include installConfig + +PACKAGE_ROOT_FOLDER=pkgroot +PACKAGES=$(notdir $(wildcard $(PACKAGE_ROOT_FOLDER)/*)) + +USR_INC_PATH=/usr/$(INC_DIR) + +default: + +install: $(PACKAGES) + +$(PACKAGES): + $(if $(wildcard $(PACKAGE_ROOT_FOLDER)/$@/$(INC_DIR)/.*), \ + install -d $(shell readlink -m $(DESTDIR)/$(USR_INC_PATH)) && \ + mv $(PACKAGE_ROOT_FOLDER)/$@/$(INC_DIR)/* $(DESTDIR)/$(USR_INC_PATH)) 
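Review bot: The guard `$(wildcard $(PACKAGE_ROOT_FOLDER)/$@/$(INC_DIR)/.*)` tests for dot-entries, and because `.*` also matches `.` and `..` it is true for any existing directory, empty or not; `$(wildcard $(PACKAGE_ROOT_FOLDER)/$@/$(INC_DIR)/*)` is what actually tests that there are headers to move. `install -d` receives a `readlink -m`-normalised path but the `mv` destination does not, and neither expansion is quoted, so a `DESTDIR` containing whitespace breaks both commands. `default`, `install` and the package targets are not declared phony, so a stray file named `install` in the package directory turns the install into a no-op; add `.PHONY: default install $(PACKAGES)`.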
diff --git a/linux/installer/common/libsgx-headers/createTarball.sh b/linux/installer/common/libsgx-headers/createTarball.sh new file mode 100755 index 000000000..f3547280b --- /dev/null +++ b/linux/installer/common/libsgx-headers/createTarball.sh 
@@ -0,0 +1,60 @@ +#!/usr/bin/env bash +# +# Copyright (C) 2011-2020 Intel Corporation. All rights reserved. +# +# Redistribution and use in source and binary forms, with or without +# modification, are permitted provided that the following conditions +# are met: +# +# * Redistributions of source code must retain the above copyright +# notice, this list of conditions and the following disclaimer. +# * Redistributions in binary form must reproduce the above copyright +# notice, this list of conditions and the following disclaimer in +# the documentation and/or other materials provided with the +# distribution. +# * Neither the name of Intel Corporation nor the names of its +# contributors may be used to endorse or promote products derived +# from this software without specific prior written permission. +# +# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS +# "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT +# LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR +# A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT +# OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, +# SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT +# LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, +# DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY +# THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT +# (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE +# OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 
+# +# + + +set -e + +SCRIPT_DIR=$(dirname "$0") +ROOT_DIR="${SCRIPT_DIR}/../../../../" +LINUX_INSTALLER_DIR="${ROOT_DIR}/linux/installer" +LINUX_INSTALLER_COMMON_DIR="${LINUX_INSTALLER_DIR}/common" + +INSTALL_PATH=${SCRIPT_DIR}/output + +# Cleanup +rm -fr ${INSTALL_PATH} + +# Get the configuration for this package +source ${SCRIPT_DIR}/installConfig + +# Fetch the gen_source script +cp ${LINUX_INSTALLER_COMMON_DIR}/gen_source/gen_source.py ${SCRIPT_DIR} + +# Copy the files according to the BOM +python ${SCRIPT_DIR}/gen_source.py --bom=BOMs/libsgx-headers.txt --installdir=pkgroot/libsgx-headers +python ${SCRIPT_DIR}/gen_source.py --bom=BOMs/libsgx-headers-package.txt --cleanup=false +python ${SCRIPT_DIR}/gen_source.py --bom=../licenses/BOM_license.txt --cleanup=false + +# Create the tarball +pushd ${INSTALL_PATH} &> /dev/null +tar -zcvf ${TARBALL_NAME} * +popd &> /dev/null diff --git a/linux/installer/common/libsgx-headers/installConfig b/linux/installer/common/libsgx-headers/installConfig new file mode 100644 index 000000000..f6c46b127 --- /dev/null +++ b/linux/installer/common/libsgx-headers/installConfig @@ -0,0 +1,6 @@ +SGX_HEADERS_VERSION="1.0" +TARBALL_NAME=libsgx-headers_1.0.orig.tar.gz + +SGX_HEADERS_PACKAGE_NAME=libsgx-headers + +INC_DIR=include diff --git a/linux/installer/deb/libsgx-enclave-common/libsgx-enclave-common-1.0/debian/control b/linux/installer/deb/libsgx-enclave-common/libsgx-enclave-common-1.0/debian/control index 8fc30ebd4..d0e450434 100644 --- a/linux/installer/deb/libsgx-enclave-common/libsgx-enclave-common-1.0/debian/control +++ b/linux/installer/deb/libsgx-enclave-common/libsgx-enclave-common-1.0/debian/control 
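Review bot: `rm -fr ${INSTALL_PATH}` and the other path expansions in createTarball.sh are unquoted, so a checkout under a path containing whitespace word-splits and hands `rm -fr` unintended arguments; quote them (`rm -fr "${INSTALL_PATH}"`, `source "${SCRIPT_DIR}/installConfig"`, `pushd "${INSTALL_PATH}"`) or resolve `SCRIPT_DIR` once with `$(cd "$(dirname "$0")" && pwd)`. The three `python ${SCRIPT_DIR}/gen_source.py` calls use an unversioned `python`, which current Ubuntu releases no longer install by default (only `python3`), so the tarball step fails there unless gen_source.py is run under a named interpreter that it is known to support. `tar -zcvf ${TARBALL_NAME} *` records the builder's uid/gid and directory order in the orig tarball; `tar --sort=name --owner=0 --group=0 --numeric-owner -zcf "${TARBALL_NAME}" *` keeps builder identity out of the source archive and moves it toward reproducibility.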
@@ -15,5 +15,5 @@ Description: Intel(R) Software Guard Extensions Enclave Common Loader Package: libsgx-enclave-common-dev Section: devel Architecture: amd64 -Depends: libsgx-enclave-common (= @dep_version@) +Depends: libsgx-enclave-common (= @dep_version@), libsgx-headers (>= @dep_version@) Description: Intel(R) Software Guard Extensions Enclave Common Loader for Developers diff --git a/linux/installer/deb/libsgx-epid/libsgx-epid-1.0/debian/control b/linux/installer/deb/libsgx-epid/libsgx-epid-1.0/debian/control index b280386b9..9809d8bb0 100644 --- a/linux/installer/deb/libsgx-epid/libsgx-epid-1.0/debian/control +++ b/linux/installer/deb/libsgx-epid/libsgx-epid-1.0/debian/control @@ -15,5 +15,5 @@ Description: Intel(R) Software Guard Extensions EPID Quote Service Package: libsgx-epid-dev Section: devel Architecture: amd64 -Depends: libsgx-epid (= @dep_version@) +Depends: libsgx-epid (= @dep_version@), libsgx-headers (>= @dep_version@) Description: Intel(R) Software Guard Extensions EPID Quote Service for Developers diff --git a/linux/installer/deb/libsgx-headers/build.sh b/linux/installer/deb/libsgx-headers/build.sh new file mode 100755 index 000000000..5267a7777 --- /dev/null +++ b/linux/installer/deb/libsgx-headers/build.sh 
@@ -0,0 +1,118 @@ +#!/usr/bin/env bash +# +# Copyright (C) 2011-2020 Intel Corporation. All rights reserved. +# +# Redistribution and use in source and binary forms, with or without +# modification, are permitted provided that the following conditions +# are met: +# +# * Redistributions of source code must retain the above copyright +# notice, this list of conditions and the following disclaimer. +# * Redistributions in binary form must reproduce the above copyright +# notice, this list of conditions and the following disclaimer in +# the documentation and/or other materials provided with the +# distribution. +# * Neither the name of Intel Corporation nor the names of its +# contributors may be used to endorse or promote products derived +# from this software without specific prior written permission. +# +# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS +# "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT +# LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR +# A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT +# OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, +# SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT +# LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, +# DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY +# THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT +# (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE +# OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 
+# +# + + +set -e + +SCRIPT_DIR=$(dirname "$0") +ROOT_DIR="${SCRIPT_DIR}/../../../../" +LINUX_BUILD_DIR=$(readlink -m "${ROOT_DIR}/build/linux") +LINUX_INSTALLER_DIR="${ROOT_DIR}/linux/installer" +LINUX_INSTALLER_COMMON_DIR="${LINUX_INSTALLER_DIR}/common" +LINUX_INSTALLER_COMMON_SGX_HEADERS_DIR="${LINUX_INSTALLER_COMMON_DIR}/libsgx-headers" + +source ${LINUX_INSTALLER_COMMON_SGX_HEADERS_DIR}/installConfig +DEB_FOLDER=${SGX_HEADERS_PACKAGE_NAME}-${SGX_HEADERS_VERSION} + +SGX_VERSION=$(awk '/STRFILEVER/ {print $3}' ${ROOT_DIR}/common/inc/internal/se_version.h|sed 's/^\"\(.*\)\"$/\1/') +DEB_BUILD_FOLDER=${SGX_HEADERS_PACKAGE_NAME}-${SGX_VERSION} + +main() { + pre_build + create_upstream_tarball + unpack_upstream_tarball + generate_copyright + update_version + rename_tarball + build_deb_package + post_build +} + +pre_build() { + rm -fR ${SCRIPT_DIR}/${DEB_BUILD_FOLDER} + cp -fR ${SCRIPT_DIR}/${DEB_FOLDER} ${SCRIPT_DIR}/${DEB_BUILD_FOLDER} +} + +post_build() { + rm -fR ${SCRIPT_DIR}/${DEB_BUILD_FOLDER} +} + +create_upstream_tarball() { + ${LINUX_INSTALLER_COMMON_SGX_HEADERS_DIR}/createTarball.sh + cp ${LINUX_INSTALLER_COMMON_SGX_HEADERS_DIR}/output/${TARBALL_NAME} ${SCRIPT_DIR} +} + +unpack_upstream_tarball() { + pushd ${SCRIPT_DIR}/${DEB_BUILD_FOLDER} + cp ../${TARBALL_NAME} . 
+ tar xvf ${TARBALL_NAME} + rm -f ${TARBALL_NAME} + popd +} + +generate_copyright() { + pushd ${SCRIPT_DIR}/${DEB_BUILD_FOLDER} + rm -f debian/copyright + find package/licenses/ -type f -print0 | xargs -0 -n1 cat >> debian/copyright + popd +} + +get_os_code() { + OS_CODE=$(lsb_release -cs 2> /dev/null) + if [ -z ${OS_CODE} ]; then + OS_CODE=$(grep "VERSION_CODENAME" /etc/os-release 2> /dev/null | cut -d= -f2) + fi + echo ${OS_CODE} +} + +update_version() { + pushd ${SCRIPT_DIR}/${DEB_BUILD_FOLDER} + INS_VERSION=$(echo $(dpkg-parsechangelog |grep "Version" | cut -d: -f2)) + DEB_VERSION=$(echo $INS_VERSION | cut -d- -f2) + + FULL_VERSION=${SGX_VERSION}-$(get_os_code)${DEB_VERSION} + sed -i "s/${INS_VERSION}/${FULL_VERSION}/" debian/changelog + popd +} + +rename_tarball() { + TARBALL_NAME_NEW_VERSION=$(echo ${TARBALL_NAME} | sed "s/${SGX_HEADERS_VERSION}/${SGX_VERSION}/") + mv ${SCRIPT_DIR}/${TARBALL_NAME} ${SCRIPT_DIR}/${TARBALL_NAME_NEW_VERSION} +} + +build_deb_package() { + pushd ${SCRIPT_DIR}/${DEB_BUILD_FOLDER} + SOURCE_DATE_EPOCH="$(date +%s)" LINUX_BUILD_DIR="${LINUX_BUILD_DIR}" dpkg-buildpackage -us -uc + popd +} + +main $@ diff --git a/linux/installer/deb/libsgx-headers/clean.sh b/linux/installer/deb/libsgx-headers/clean.sh new file mode 100755 index 000000000..d8c48102c --- /dev/null +++ b/linux/installer/deb/libsgx-headers/clean.sh 
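Review bot: `SOURCE_DATE_EPOCH="$(date +%s)"` in `build_deb_package` pins the package timestamp to the current wall clock, which defeats the purpose of the variable — two builds of the same tree produce different .deb contents and a reproducibility check against a published package can never match. Derive it from the source instead, e.g. `SOURCE_DATE_EPOCH="$(dpkg-parsechangelog -STimestamp)"` after `update_version` has rewritten the changelog, or from `git log -1 --format=%ct` when building from a checkout. `main $@` should be `main "$@"`, and `if [ -z ${OS_CODE} ]` only works by accident when the variable is empty (`[ -z ]` tests the literal string `-z`); quote it as `[ -z "${OS_CODE}" ]`.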
@@ -0,0 +1,47 @@ +#!/usr/bin/env bash +# +# Copyright (C) 2011-2020 Intel Corporation. All rights reserved. +# +# Redistribution and use in source and binary forms, with or without +# modification, are permitted provided that the following conditions +# are met: +# +# * Redistributions of source code must retain the above copyright +# notice, this list of conditions and the following disclaimer. +# * Redistributions in binary form must reproduce the above copyright +# notice, this list of conditions and the following disclaimer in +# the documentation and/or other materials provided with the +# distribution. +# * Neither the name of Intel Corporation nor the names of its +# contributors may be used to endorse or promote products derived +# from this software without specific prior written permission. +# +# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS +# "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT +# LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR +# A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT +# OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, +# SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT +# LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, +# DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY +# THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT +# (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE +# OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 
+# +# + + +set -e + +SCRIPT_DIR=$(dirname "$0") +COMMON_DIR="${SCRIPT_DIR}/../../common/libsgx-headers" + +rm -f ${SCRIPT_DIR}/libsgx-headers*.deb +rm -f ${SCRIPT_DIR}/libsgx-headers-dbgsym*.ddeb +rm -f ${SCRIPT_DIR}/libsgx-headers*.tar.gz +rm -f ${SCRIPT_DIR}/libsgx-headers*.tar.xz +rm -f ${SCRIPT_DIR}/libsgx-headers*.dsc +rm -f ${SCRIPT_DIR}/libsgx-headers*.changes +rm -f ${SCRIPT_DIR}/libsgx-headers*.buildinfo +rm -f ${COMMON_DIR}/gen_source.py +rm -rf ${COMMON_DIR}/output diff --git a/linux/installer/deb/libsgx-headers/libsgx-headers-1.0/debian/changelog b/linux/installer/deb/libsgx-headers/libsgx-headers-1.0/debian/changelog new file mode 100644 index 000000000..1abe72799 --- /dev/null +++ b/linux/installer/deb/libsgx-headers/libsgx-headers-1.0/debian/changelog @@ -0,0 +1,5 @@ +libsgx-headers (1.0-1) unstable; urgency=low + + * Initial Release + + -- Xiangquan Liu Sun, 23 Aug 2020 15:23:51 +0800 diff --git a/linux/installer/deb/libsgx-headers/libsgx-headers-1.0/debian/compat b/linux/installer/deb/libsgx-headers/libsgx-headers-1.0/debian/compat new file mode 100644 index 000000000..ec635144f --- /dev/null +++ b/linux/installer/deb/libsgx-headers/libsgx-headers-1.0/debian/compat @@ -0,0 +1 @@ +9 diff --git a/linux/installer/deb/libsgx-headers/libsgx-headers-1.0/debian/control b/linux/installer/deb/libsgx-headers/libsgx-headers-1.0/debian/control new file mode 100644 index 000000000..dcc69f803 --- /dev/null +++ b/linux/installer/deb/libsgx-headers/libsgx-headers-1.0/debian/control @@ -0,0 +1,12 @@ +Source: libsgx-headers +Section: devel +Priority: optional +Maintainer: +Build-Depends: debhelper (>= 8.0.0) +Standards-Version: 3.9.4 +Homepage: https://github.com/intel/linux-sgx + +Package: libsgx-headers +Section: devel +Architecture: amd64 +Description: Intel(R) Software Guard Extensions Basic Headers for Developers 
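Review bot: `debian/control` declares `Build-Depends: debhelper (>= 8.0.0)` while `debian/compat` is `9`, so a host with only debhelper 8 satisfies the build dependency and then fails when dh refuses the compat level; bump it to `debhelper (>= 9)`. The `Maintainer:` field is empty, which dpkg-gencontrol is likely to reject and which in any case leaves the package without a responsible contact; fill it in. A header-only package ships nothing compiled, so `Architecture: all` is the conventional value rather than `amd64`, unless the headers are deliberately restricted to x86-64 consumers.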
diff --git a/linux/installer/deb/libsgx-headers/libsgx-headers-1.0/debian/docs b/linux/installer/deb/libsgx-headers/libsgx-headers-1.0/debian/docs new file mode 100644 index 000000000..e69de29bb diff --git a/linux/installer/deb/libsgx-headers/libsgx-headers-1.0/debian/rules b/linux/installer/deb/libsgx-headers/libsgx-headers-1.0/debian/rules new file mode 100755 index 000000000..218df65d8 --- /dev/null +++ b/linux/installer/deb/libsgx-headers/libsgx-headers-1.0/debian/rules @@ -0,0 +1,8 @@ +#!/usr/bin/make -f +# -*- makefile -*- + +# Uncomment this to turn on verbose mode. +#export DH_VERBOSE=1 + +%: + dh $@ diff --git a/linux/installer/deb/libsgx-headers/libsgx-headers-1.0/debian/source/format b/linux/installer/deb/libsgx-headers/libsgx-headers-1.0/debian/source/format new file mode 100644 index 000000000..163aaf8d8 --- /dev/null +++ b/linux/installer/deb/libsgx-headers/libsgx-headers-1.0/debian/source/format @@ -0,0 +1 @@ +3.0 (quilt) diff --git a/linux/installer/deb/libsgx-launch/libsgx-launch-1.0/debian/control b/linux/installer/deb/libsgx-launch/libsgx-launch-1.0/debian/control index b6c907dd0..9cad159d5 100644 --- a/linux/installer/deb/libsgx-launch/libsgx-launch-1.0/debian/control +++ b/linux/installer/deb/libsgx-launch/libsgx-launch-1.0/debian/control @@ -15,5 +15,5 @@ Description: Intel(R) Software Guard Extensions Launch Service Package: libsgx-launch-dev Section: devel Architecture: amd64 -Depends: libsgx-launch (= @dep_version@) +Depends: libsgx-launch (= @dep_version@), libsgx-headers (>= @dep_version@) Description: Intel(R) Software Guard Extensions Launch Service for Developers diff --git a/linux/installer/deb/libsgx-quote-ex/libsgx-quote-ex-1.0/debian/control b/linux/installer/deb/libsgx-quote-ex/libsgx-quote-ex-1.0/debian/control index 8f4ce2ecf..de42710c3 100644 --- a/linux/installer/deb/libsgx-quote-ex/libsgx-quote-ex-1.0/debian/control +++ b/linux/installer/deb/libsgx-quote-ex/libsgx-quote-ex-1.0/debian/control 
@@ -15,5 +15,5 @@ Description: Intel(R) Software Guard Extensions Unified Quote Service Package: libsgx-quote-ex-dev Section: devel Architecture: amd64 -Depends: libsgx-quote-ex (= @dep_version@) +Depends: libsgx-quote-ex (= @dep_version@), libsgx-headers (>= @dep_version@) Description: Intel(R) Software Guard Extensions Unified Quote Service for Developers diff --git a/linux/installer/deb/sgx-aesm-service/sgx-aesm-service-1.0/debian/control b/linux/installer/deb/sgx-aesm-service/sgx-aesm-service-1.0/debian/control index 532c3683e..ad41548bc 100644 --- a/linux/installer/deb/sgx-aesm-service/sgx-aesm-service-1.0/debian/control +++ b/linux/installer/deb/sgx-aesm-service/sgx-aesm-service-1.0/debian/control @@ -37,12 +37,12 @@ Description: Unified Quote Plugin for Intel(R) Software Guard Extensions AESM Se Package: libsgx-aesm-ecdsa-plugin Architecture: amd64 -Depends: ${shlibs:Depends}, ${misc:Depends}, sgx-aesm-service(>= @dep_version@), libsgx-qe3-logic(>= 1.8), libsgx-aesm-pce-plugin(>= @dep_version@) +Depends: ${shlibs:Depends}, ${misc:Depends}, sgx-aesm-service(>= @dep_version@), libsgx-qe3-logic(>= 1.9), libsgx-aesm-pce-plugin(>= @dep_version@) Description: ECDSA Quote Plugin for Intel(R) Software Guard Extensions AESM Service Package: libsgx-aesm-pce-plugin Architecture: amd64 -Depends: ${shlibs:Depends}, ${misc:Depends}, sgx-aesm-service(>= @dep_version@), libsgx-pce-logic(>= 1.8), libsgx-ae-pce(>= @dep_version@) +Depends: ${shlibs:Depends}, ${misc:Depends}, sgx-aesm-service(>= @dep_version@), libsgx-pce-logic(>= 1.9), libsgx-ae-pce(>= @dep_version@) Description: PCE Plugin for Intel(R) Software Guard Extensions AESM Service Package: libsgx-ae-pce diff --git a/linux/installer/rpm/libsgx-enclave-common/libsgx-enclave-common.spec b/linux/installer/rpm/libsgx-enclave-common/libsgx-enclave-common.spec index 3153ffd92..680b8430b 100644 --- a/linux/installer/rpm/libsgx-enclave-common/libsgx-enclave-common.spec 
+++ b/linux/installer/rpm/libsgx-enclave-common/libsgx-enclave-common.spec @@ -48,7 +48,7 @@ Intel(R) Software Guard Extensions Enclave Common Loader %package devel Summary: Intel(R) Software Guard Extensions Enclave Common Loader for Developers Group: Development/Libraries -Requires: %{name} = %{version}-%{release} +Requires: %{name} = %{version}-%{release} libsgx-headers >= %{version}-%{release} %description devel Intel(R) Software Guard Extensions Enclave Common Loader for Developers diff --git a/linux/installer/rpm/libsgx-epid/libsgx-epid.spec b/linux/installer/rpm/libsgx-epid/libsgx-epid.spec index 0f1f03f94..d3b2036bc 100644 --- a/linux/installer/rpm/libsgx-epid/libsgx-epid.spec +++ b/linux/installer/rpm/libsgx-epid/libsgx-epid.spec @@ -48,7 +48,7 @@ Intel(R) Software Guard Extensions EPID Quote Service %package devel Summary: Intel(R) Software Guard Extensions EPID Quote Service for Developers Group: Development/Libraries -Requires: %{name} = %{version}-%{release} +Requires: %{name} = %{version}-%{release} libsgx-headers >= %{version}-%{release} %description devel Intel(R) Software Guard Extensions EPID Quote Service for Developers diff --git a/linux/installer/rpm/libsgx-headers/build.sh b/linux/installer/rpm/libsgx-headers/build.sh new file mode 100755 index 000000000..06e1b5695 --- /dev/null +++ b/linux/installer/rpm/libsgx-headers/build.sh 
@@ -0,0 +1,88 @@ +#!/usr/bin/env bash +# +# Copyright (C) 2011-2020 Intel Corporation. All rights reserved. +# +# Redistribution and use in source and binary forms, with or without +# modification, are permitted provided that the following conditions +# are met: +# +# * Redistributions of source code must retain the above copyright +# notice, this list of conditions and the following disclaimer. +# * Redistributions in binary form must reproduce the above copyright +# notice, this list of conditions and the following disclaimer in +# the documentation and/or other materials provided with the +# distribution. +# * Neither the name of Intel Corporation nor the names of its +# contributors may be used to endorse or promote products derived +# from this software without specific prior written permission. +# +# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS +# "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT +# LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR +# A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT +# OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, +# SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT +# LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, +# DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY +# THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT +# (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE +# OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 
+# +# + + +set -e + +SCRIPT_DIR=$(dirname "$0") +ROOT_DIR="${SCRIPT_DIR}/../../../../" +LINUX_INSTALLER_DIR="${ROOT_DIR}/linux/installer" +LINUX_INSTALLER_COMMON_DIR="${LINUX_INSTALLER_DIR}/common" +LINUX_INSTALLER_COMMON_SGX_HEADERS_DIR="${LINUX_INSTALLER_COMMON_DIR}/libsgx-headers" + +source ${LINUX_INSTALLER_COMMON_SGX_HEADERS_DIR}/installConfig + +SGX_VERSION=$(awk '/STRFILEVER/ {print $3}' ${ROOT_DIR}/common/inc/internal/se_version.h|sed 's/^\"\(.*\)\"$/\1/') +RPM_BUILD_FOLDER=${SGX_HEADERS_PACKAGE_NAME}-${SGX_VERSION} + +main() { + pre_build + update_version + create_upstream_tarball + build_rpm_package + post_build +} + +pre_build() { + rm -fR ${SCRIPT_DIR}/${RPM_BUILD_FOLDER} + mkdir -p ${SCRIPT_DIR}/${RPM_BUILD_FOLDER}/{BUILD,RPMS,SOURCES,SPECS,SRPMS} + cp -f ${SCRIPT_DIR}/${SGX_HEADERS_PACKAGE_NAME}.spec ${SCRIPT_DIR}/${RPM_BUILD_FOLDER}/SPECS +} + +post_build() { + for FILE in $(find ${SCRIPT_DIR}/${RPM_BUILD_FOLDER} -name "*.rpm" 2> /dev/null); do + cp "${FILE}" ${SCRIPT_DIR} + done + rm -fR ${SCRIPT_DIR}/${RPM_BUILD_FOLDER} +} + +update_version() { + pushd ${SCRIPT_DIR}/${RPM_BUILD_FOLDER} + sed -i "s/@version@/${SGX_VERSION}/" SPECS/${SGX_HEADERS_PACKAGE_NAME}.spec + popd +} + +create_upstream_tarball() { + ${LINUX_INSTALLER_COMMON_SGX_HEADERS_DIR}/createTarball.sh + tar -xvf ${LINUX_INSTALLER_COMMON_SGX_HEADERS_DIR}/output/${TARBALL_NAME} -C ${SCRIPT_DIR}/${RPM_BUILD_FOLDER}/SOURCES + pushd ${SCRIPT_DIR}/${RPM_BUILD_FOLDER}/SOURCES + tar -zcvf ${RPM_BUILD_FOLDER}$(echo ${TARBALL_NAME}|awk -F'.' '{print "."$(NF-1)"."$(NF)}') * + popd +} + +build_rpm_package() { + pushd ${SCRIPT_DIR}/${RPM_BUILD_FOLDER} + rpmbuild --define="_topdir `pwd`" --define='_debugsource_template %{nil}' -ba SPECS/${SGX_HEADERS_PACKAGE_NAME}.spec + popd +} + +main $@ diff --git a/linux/installer/rpm/libsgx-headers/clean.sh b/linux/installer/rpm/libsgx-headers/clean.sh new file mode 100755 index 000000000..f05ef08b9 --- /dev/null +++ b/linux/installer/rpm/libsgx-headers/clean.sh 
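Review bot: `for FILE in $(find ${SCRIPT_DIR}/${RPM_BUILD_FOLDER} -name "*.rpm" 2> /dev/null)` word-splits on whitespace in paths; `find "${SCRIPT_DIR}/${RPM_BUILD_FOLDER}" -name '*.rpm' -exec cp -f {} "${SCRIPT_DIR}" \;` does the same job without that hazard, and `main $@` should be `main "$@"`. The re-archiving in `create_upstream_tarball` (`tar -zcvf ${RPM_BUILD_FOLDER}... *`) embeds the builder's uid/gid and directory order, so the Source0 tarball differs from host to host; adding `--sort=name --owner=0 --group=0 --numeric-owner` keeps builder identity out of the SRPM and supports the reproducible-build documentation elsewhere in this tree.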
@@ -0,0 +1,41 @@ +#!/usr/bin/env bash +# +# Copyright (C) 2011-2020 Intel Corporation. All rights reserved. +# +# Redistribution and use in source and binary forms, with or without +# modification, are permitted provided that the following conditions +# are met: +# +# * Redistributions of source code must retain the above copyright +# notice, this list of conditions and the following disclaimer. +# * Redistributions in binary form must reproduce the above copyright +# notice, this list of conditions and the following disclaimer in +# the documentation and/or other materials provided with the +# distribution. +# * Neither the name of Intel Corporation nor the names of its +# contributors may be used to endorse or promote products derived +# from this software without specific prior written permission. +# +# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS +# "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT +# LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR +# A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT +# OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, +# SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT +# LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, +# DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY +# THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT +# (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE +# OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. +# +# + + +set -e + +SCRIPT_DIR=$(dirname "$0") +COMMON_DIR="${SCRIPT_DIR}/../../common/libsgx-headers" + +rm -f ${SCRIPT_DIR}/libsgx-headers*.rpm +rm -f ${COMMON_DIR}/gen_source.py +rm -rf ${COMMON_DIR}/output diff --git a/linux/installer/rpm/libsgx-headers/libsgx-headers.spec b/linux/installer/rpm/libsgx-headers/libsgx-headers.spec new file mode 100644 index 000000000..34d3d595a 
--- /dev/null +++ b/linux/installer/rpm/libsgx-headers/libsgx-headers.spec 
@@ -0,0 +1,63 @@ +# +# Copyright (C) 2011-2019 Intel Corporation. All rights reserved. +# +# Redistribution and use in source and binary forms, with or without +# modification, are permitted provided that the following conditions +# are met: +# +# * Redistributions of source code must retain the above copyright +# notice, this list of conditions and the following disclaimer. +# * Redistributions in binary form must reproduce the above copyright +# notice, this list of conditions and the following disclaimer in +# the documentation and/or other materials provided with the +# distribution. +# * Neither the name of Intel Corporation nor the names of its +# contributors may be used to endorse or promote products derived +# from this software without specific prior written permission. +# +# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS +# "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT +# LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR +# A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT +# OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, +# SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT +# LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, +# DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY +# THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT +# (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE +# OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 
+# +# + +%define _license_file COPYING + +Name: libsgx-headers +Version: @version@ +Release: 1%{?dist} +Summary: Intel(R) Software Guard Extensions Basic Headers +Group: Development + +License: BSD License +URL: https://github.com/intel/linux-sgx +Source0: %{name}-%{version}.tar.gz + +%description +Intel(R) Software Guard Extensions Basic Headers + +%prep +%setup -qc + +%install +make DESTDIR=%{?buildroot} install +install -d %{?buildroot}%{_docdir}/%{name} +find %{?_sourcedir}/package/licenses/ -type f -print0 | xargs -0 -n1 cat >> %{?buildroot}%{_docdir}/%{name}/%{_license_file} +rm -f %{_specdir}/list-%{name} +for f in $(find %{?buildroot} -type f -o -type l); do + echo $f | sed -e "s#%{?buildroot}##" >> %{_specdir}/list-%{name} +done + +%files -f %{_specdir}/list-%{name} + +%changelog +* Sun Aug 23 2020 SGX Team +- Initial Release diff --git a/linux/installer/rpm/libsgx-launch/libsgx-launch.spec b/linux/installer/rpm/libsgx-launch/libsgx-launch.spec index 820cbde03..567f3e949 100644 --- a/linux/installer/rpm/libsgx-launch/libsgx-launch.spec +++ b/linux/installer/rpm/libsgx-launch/libsgx-launch.spec @@ -48,7 +48,7 @@ Intel(R) Software Guard Extensions Launch Service %package devel Summary: Intel(R) Software Guard Extensions Launch Service for Developers Group: Development/Libraries -Requires: %{name} = %{version}-%{release} +Requires: %{name} = %{version}-%{release} libsgx-headers >= %{version}-%{release} %description devel Intel(R) Software Guard Extensions Launch Service for Developers diff --git a/linux/installer/rpm/libsgx-quote-ex/libsgx-quote-ex.spec b/linux/installer/rpm/libsgx-quote-ex/libsgx-quote-ex.spec index 2e097757e..ab350573a 100644 --- a/linux/installer/rpm/libsgx-quote-ex/libsgx-quote-ex.spec +++ b/linux/installer/rpm/libsgx-quote-ex/libsgx-quote-ex.spec 
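Review bot: The `%install` section uses `%{?buildroot}` throughout, and the `?` makes an undefined buildroot expand to nothing, which would turn `make DESTDIR= install` into an install into the build host's real `/usr/include` and `find  -type f` into a walk of the current directory; use `%{buildroot}` so an undefined value is a hard error instead. The generated `%files` list contains regular files and symlinks only, so `%{_docdir}/%{name}` itself is not owned by the package and is left behind on uninstall; add `%dir %{_docdir}/%{name}` to the list. The `%changelog` author `SGX Team` lacks an email address, which rpmbuild accepts but rpmlint flags.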
@@ -48,7 +48,7 @@ Intel(R) Software Guard Extensions Unified Quote Service %package devel Summary: Intel(R) Software Guard Extensions Unified Quote Service for Developers Group: Development/Libraries -Requires: %{name} = %{version}-%{release} +Requires: %{name} = %{version}-%{release} libsgx-headers >= %{version}-%{release} %description devel Intel(R) Software Guard Extensions Unified Quote Service for Developers diff --git a/linux/installer/rpm/sgx-aesm-service/libsgx-aesm-ecdsa-plugin.spec b/linux/installer/rpm/sgx-aesm-service/libsgx-aesm-ecdsa-plugin.spec index b74322ca6..0ceed5395 100644 --- a/linux/installer/rpm/sgx-aesm-service/libsgx-aesm-ecdsa-plugin.spec +++ b/linux/installer/rpm/sgx-aesm-service/libsgx-aesm-ecdsa-plugin.spec @@ -38,7 +38,7 @@ Version: @version@ Release: 1%{?dist} Summary: ECDSA Quote Plugin for Intel(R) Software Guard Extensions AESM Service Group: Development/System -Requires: sgx-aesm-service >= %{version}-%{release} libsgx-qe3-logic >= 1.8 libsgx-aesm-pce-plugin >= %{version}-%{release} +Requires: sgx-aesm-service >= %{version}-%{release} libsgx-qe3-logic >= 1.9 libsgx-aesm-pce-plugin >= %{version}-%{release} License: BSD License URL: https://github.com/intel/linux-sgx diff --git a/linux/installer/rpm/sgx-aesm-service/libsgx-aesm-pce-plugin.spec b/linux/installer/rpm/sgx-aesm-service/libsgx-aesm-pce-plugin.spec index a99e0e849..94d31c172 100644 --- a/linux/installer/rpm/sgx-aesm-service/libsgx-aesm-pce-plugin.spec +++ b/linux/installer/rpm/sgx-aesm-service/libsgx-aesm-pce-plugin.spec @@ -38,7 +38,7 @@ Version: @version@ Release: 1%{?dist} Summary: PCE Plugin for Intel(R) Software Guard Extensions AESM Service Group: Development/System -Requires: sgx-aesm-service >= %{version}-%{release} libsgx-pce-logic >= 1.8 +Requires: sgx-aesm-service >= %{version}-%{release} libsgx-pce-logic >= 1.9 License: BSD License URL: https://github.com/intel/linux-sgx 
diff --git a/linux/reproducibility/README.md b/linux/reproducibility/README.md index 270a9e72b..ee40c23a1 100644 --- a/linux/reproducibility/README.md +++ b/linux/reproducibility/README.md @@ -31,21 +31,27 @@ In order to reproduce the enclave build, there are three requirements:1. stable ``` $ ./build_and_launch_docker.sh ``` + c) Below command triggers the reproducible build for 'ae' using a specified reproducible SGX SDK installer and code repo. Of course, you need to prepare the SGX SDK installer and SGX source repo beforehand. + ``` + $ ./build_and_launch_docker.sh --reproduce-type ae --code-dir ~/code_dir --sdk-installer {prepared_sdk_installer} --sgx-src-dir {prepared_sgx_src} + ``` **Note**: To reproduce QVE, you need to apply below patch to the [build_and_launch_docker.sh](./build_and_launch_docker.sh) before start the reproducible build with the script. ``` diff --git a/linux/reproducibility/build_and_launch_docker.sh b/linux/reproducibility/build_and_launch_docker.sh -index c43c76af..bb49b48b 100755 +index b85eda85..f8bc6812 100755 --- a/linux/reproducibility/build_and_launch_docker.sh +++ b/linux/reproducibility/build_and_launch_docker.sh -@@ -136,6 +136,7 @@ prepare_dcap_src() - exit -1 +@@ -188,6 +188,7 @@ prepare_sgx_src() fi - cd ${sgx_repo} && make dcap_source && cd - -+ cd $sgx_repo && mkdir dcap-trunk/ && mv external/dcap_source/ dcap-trunk/ && ln -sfr dcap-trunk/dcap_source external/dcap_source && cd - - $sgx_repo/external/dcap_source/QuoteVerification/prepare_sgxssl.sh nobuild - } + + cd "$sgx_repo" && make preparation ++ mkdir dcap-trunk/ && mv external/dcap_source/ dcap-trunk/ && ln -sfr dcap-trunk/dcap_source external/dcap_source + popd + + } ``` - + + diff --git a/psw/ae/aesm_service/source/bundles/ecdsa_quote_service_bundle/ecdsa_quote_service_bundle.cpp b/psw/ae/aesm_service/source/bundles/ecdsa_quote_service_bundle/ecdsa_quote_service_bundle.cpp index dc507eebf..43fd8ed56 100644 
--- a/psw/ae/aesm_service/source/bundles/ecdsa_quote_service_bundle/ecdsa_quote_service_bundle.cpp +++ b/psw/ae/aesm_service/source/bundles/ecdsa_quote_service_bundle/ecdsa_quote_service_bundle.cpp @@ -204,6 +204,9 @@ extern "C" __attribute__((visibility("default"))) sgx_pce_error_t sgx_pce_sign_r return ae_error_to_pce_error(g_pce_service->pce_sign_report(p_isv_svn, p_cpu_svn, p_report, p_sig, sig_size, p_sig_out_size)); } +extern "C" quote3_error_t load_qe(sgx_enclave_id_t *p_qe_eid, + sgx_misc_attribute_t *p_qe_attributes, + sgx_launch_token_t *p_launch_token); class EcdsaQuoteServiceImp : public IQuoteProviderService { @@ -244,6 +247,19 @@ class EcdsaQuoteServiceImp : public IQuoteProviderService return AE_FAILURE; } + quote3_error_t ret = SGX_QL_SUCCESS; + sgx_enclave_id_t qe_eid = 0; + sgx_misc_attribute_t qe_attributes ={ 0 }; + sgx_launch_token_t launch_token = { 0 }; + + ret = load_qe(&qe_eid, &qe_attributes, &launch_token); + if (SGX_QL_SUCCESS != ret) + { + AESM_LOG_ERROR("Failed to load QE3: 0x%x", ret); + AESM_DBG_ERROR("Starting ecdsa bundle failed because QE3 failed to load"); + return AE_FAILURE; + } + initialized = true; AESM_DBG_INFO("ecdsa bundle started"); return AE_SUCCESS; diff --git a/psw/ae/aesm_service/source/bundles/epid_quote_service_bundle/platform_info_logic.cpp b/psw/ae/aesm_service/source/bundles/epid_quote_service_bundle/platform_info_logic.cpp index 9446f691a..fc3826adb 100644 --- a/psw/ae/aesm_service/source/bundles/epid_quote_service_bundle/platform_info_logic.cpp +++ b/psw/ae/aesm_service/source/bundles/epid_quote_service_bundle/platform_info_logic.cpp 
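Review bot: The `qe_eid` filled in by `load_qe` is a local that goes out of scope right after the error check, so unless `load_qe` also records the enclave id internally (not visible here) the QE3 enclave is loaded with no handle left to reuse or destroy it, and a later quote request would load a second instance. Either keep the id in the service object or state the ownership in a comment, e.g. `// load_qe retains the QE3 eid in its own state; eid/attributes/token here are discarded copies`. Failing bundle start when the enclave cannot be loaded is the right fail-closed choice, but `AESM_LOG_ERROR("Failed to load QE3: 0x%x", ret)` passes a `quote3_error_t` enum to `%x`; cast it, `(unsigned)ret`, to keep `-Wformat` clean. The enclosing start method begins outside the hunk.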
@@ -152,7 +152,7 @@ aesm_error_t PlatformInfoLogic::check_update_status( // presence of platform info is conditional, on whether we're up to date // if we're up to date, no platform info and no need for update info // - if (((NULL != platform_info) && (sizeof(pibw.platform_info_blob) > platform_info_size)) || ((NULL != update_info) && (sizeof(sgx_update_info_bit_t) > update_info_size))) + if (((NULL != platform_info) && (sizeof(pibw.platform_info_blob) != platform_info_size)) || ((NULL != update_info) && (sizeof(sgx_update_info_bit_t) != update_info_size))) { return AESM_PARAMETER_ERROR; } @@ -166,7 +166,9 @@ aesm_error_t PlatformInfoLogic::check_update_status( if (NULL != platform_info) { pibw.valid_info_blob = false; - memcpy_s(&pibw.platform_info_blob, sizeof(pibw.platform_info_blob), platform_info, platform_info_size); + if (0 != memcpy_s(&pibw.platform_info_blob, sizeof(pibw.platform_info_blob), platform_info, sizeof(pibw.platform_info_blob))) { + return AESM_UNEXPECTED_ERROR; + } // // contents of input platform info can get stale, but not by virtue of anything we do 
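Review bot: The `!=` in the first hunk makes `check_update_status` reject a `platform_info` buffer larger than `pibw.platform_info_blob`, which the old `>` test accepted; that is the right invariant now that the second hunk copies exactly `sizeof(pibw.platform_info_blob)` bytes and no longer uses the caller-supplied length, but nothing in the code says so. A comment on the condition, `// sizes must match exactly: the copy below uses sizeof(platform_info_blob), not the caller's length`, would keep a later maintainer from loosening it back. The same tightening appears in `report_attestation_status` in the next hunk and deserves the same comment. The `memcpy_s` guard in the second hunk should not fire after the pointer and length checks above it, which is worth noting inline so nobody treats `AESM_UNEXPECTED_ERROR` here as a reachable caller-facing error.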
@@ -327,12 +329,14 @@ aesm_error_t PlatformInfoLogic::report_attestation_status( // presence of platform info is conditional, on whether we're up to date // if we're up to date, no platform info and no need for update info // - if (((sizeof(pibw.platform_info_blob) > platform_info_size)) || ((NULL != update_info) && (sizeof(sgx_update_info_bit_t) > update_info_size))) { + if (((sizeof(pibw.platform_info_blob) != platform_info_size)) || ((NULL != update_info) && (sizeof(sgx_update_info_bit_t) != update_info_size))) { return AESM_PARAMETER_ERROR; } pibw.valid_info_blob = false; - memcpy_s(&pibw.platform_info_blob, sizeof(pibw.platform_info_blob), platform_info, platform_info_size); + if (0 != memcpy_s(&pibw.platform_info_blob, sizeof(pibw.platform_info_blob), platform_info, sizeof(pibw.platform_info_blob))) { + return AESM_UNEXPECTED_ERROR; + } aesm_error_t status = AESM_SUCCESS; // status only tells app to look at updateInfo diff --git a/sdk/simulation/urtssim/linux/Makefile b/sdk/simulation/urtssim/linux/Makefile index a30087a1f..a4dd22b82 100644 --- a/sdk/simulation/urtssim/linux/Makefile +++ b/sdk/simulation/urtssim/linux/Makefile @@ -146,7 +146,6 @@ endif $(BUILD_DIR): @$(MKDIR) $@ - $(OBJ6): | uinst simasm driver_api $(OBJ4): %.o: %.S diff --git a/sdk/tlibcrypto/Makefile b/sdk/tlibcrypto/Makefile index 08c72fc92..5bfcf8f53 100644 --- a/sdk/tlibcrypto/Makefile +++ b/sdk/tlibcrypto/Makefile @@ -69,7 +69,7 @@ endif PREPARE_SGXSSL := $(LINUX_EXTERNAL_DIR)/sgxssl/prepare_sgxssl.sh PREPRARE_SGX_SSL: chmod 755 $(PREPARE_SGXSSL) - test -f $(OPENSSL_LIBRARY_PATH)/lib$(SGXSSL_Library_Name).a || $(PREPARE_SGXSSL) + test -f $(OPENSSL_LIBRARY_PATH)/lib$(SGXSSL_Library_Name).a || MITIGATION=$(MITIGATION-CVE-2020-0551) $(PREPARE_SGXSSL) CPPFLAGS += -I$(OPENSSL_PACKAGE)/include -fPIC CXXFLAGS += -DUSE_SGXSSL diff --git a/sdk/tlibcrypto/sgxssl/sgx_ecc256.cpp b/sdk/tlibcrypto/sgxssl/sgx_ecc256.cpp index 001c40706..7ed669761 100644 --- a/sdk/tlibcrypto/sgxssl/sgx_ecc256.cpp 
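Review bot: The parameter check in this hunk does not reject a NULL `platform_info` before it is handed to `memcpy_s`, so a NULL pointer is now reported as `AESM_UNEXPECTED_ERROR` rather than `AESM_PARAMETER_ERROR`, unlike the sibling check in `check_update_status` which tests `NULL != platform_info` first. Unless `report_attestation_status` validates the pointer before this hunk (the function body begins outside it), the condition should start with `if ((NULL == platform_info) || (sizeof(pibw.platform_info_blob) != platform_info_size) || ...`. Since these sizes arrive over the AESM IPC from untrusted applications, keeping the rejection in the explicit parameter check rather than relying on `memcpy_s` keeps the error reporting consistent.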
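Review bot: The `test -f ... ||` guard still skips `prepare_sgxssl.sh` whenever the archive exists, so `MITIGATION=$(MITIGATION-CVE-2020-0551)` only takes effect on a clean tree; switching the mitigation level between builds reuses an SGXSSL library built with the previous setting, unless `OPENSSL_LIBRARY_PATH` already encodes the mitigation (its definition is outside this hunk). Making the archive path or a stamp file depend on `$(MITIGATION-CVE-2020-0551)` would force the rebuild; at minimum a comment on the rule, `# NOTE: an existing archive is reused even if MITIGATION changed; run clean first`, records the limitation.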
+++ b/sdk/tlibcrypto/sgxssl/sgx_ecc256.cpp @@ -36,7 +36,7 @@ #include #include "sgx_tcrypto.h" #include "ssl_wrapper.h" -#define POINT_NOT_ON_CURVE 0x1007c06b +#define POINT_NOT_ON_CURVE 0x1012606b /* * Elliptic Curve Cryptography - Based on GF(p), 256 bit @@ -143,7 +143,7 @@ sgx_status_t sgx_ecc256_create_key_pair(sgx_ec256_private_t *p_private, // extract two BNs representing the public key // - if (!EC_POINT_get_affine_coordinates_GFp(ec_group, public_k, pub_k_x, pub_k_y, NULL)) { + if (!EC_POINT_get_affine_coordinates(ec_group, public_k, pub_k_x, pub_k_y, NULL)) { break; } @@ -230,7 +230,7 @@ sgx_status_t sgx_ecc256_check_point(const sgx_ec256_public_t *p_point, // sets point based on x,y coordinates // - if (1 != EC_POINT_set_affine_coordinates_GFp((const EC_GROUP*)ecc_handle, ec_point, b_x, b_y, NULL)) { + if (1 != EC_POINT_set_affine_coordinates((const EC_GROUP*)ecc_handle, ec_point, b_x, b_y, NULL)) { internal_openssl_error = ERR_get_error(); if (internal_openssl_error == POINT_NOT_ON_CURVE) { /* fails if point not on curve */ @@ -316,7 +316,7 @@ sgx_status_t sgx_ecc256_compute_shared_dhkey(const sgx_ec256_private_t *p_privat // create point (public key) based on public key's x,y coordinates // - if (EC_POINT_set_affine_coordinates_GFp(ec_group, point_pubA, pubA_gx, pubA_gy, NULL) != 1) { + if (EC_POINT_set_affine_coordinates(ec_group, point_pubA, pubA_gx, pubA_gy, NULL) != 1) { break; } @@ -450,7 +450,7 @@ sgx_status_t sgx_ecc256_calculate_pub_from_priv(const sgx_ec256_private_t *p_att //retrieve x and y coordinates into BNs // - if (!EC_POINT_get_affine_coordinates_GFp(ec_group, pub_ec_point, bn_x, bn_y, tmp)) { + if (!EC_POINT_get_affine_coordinates(ec_group, pub_ec_point, bn_x, bn_y, tmp)) { break; } diff --git a/sdk/tlibcrypto/sgxssl/sgx_ecc256_ecdsa.cpp b/sdk/tlibcrypto/sgxssl/sgx_ecc256_ecdsa.cpp index 0e16c6da0..19b468c62 100644 --- a/sdk/tlibcrypto/sgxssl/sgx_ecc256_ecdsa.cpp +++ b/sdk/tlibcrypto/sgxssl/sgx_ecc256_ecdsa.cpp 
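Review bot: `POINT_NOT_ON_CURVE` is a hard-coded packed OpenSSL error value, and this hunk having to move it from `0x1007c06b` to `0x1012606b` shows why that is fragile: the function-code field shifts between OpenSSL releases and is always zero in 3.0, so after the next upgrade `sgx_ecc256_check_point` would presumably stop recognising an off-curve point and fall through to its generic failure path. Compare the stable fields instead: `if (ERR_GET_LIB(internal_openssl_error) == ERR_LIB_EC && ERR_GET_REASON(internal_openssl_error) == EC_R_POINT_IS_NOT_ON_CURVE)`, which matches both values seen here (library 0x10, reason 0x6b) and lets the macro be removed. The `_GFp` to generic `EC_POINT_*_affine_coordinates` renames in the remaining hunks of this file need no change.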
@@ -240,7 +240,7 @@ sgx_status_t sgx_ecdsa_verify_hash(const uint8_t *p_data, // sets point based on public key's x,y coordinates // - if (1 != EC_POINT_set_affine_coordinates_GFp((EC_GROUP*)ecc_handle, public_point, bn_pub_x, bn_pub_y, NULL)) { + if (1 != EC_POINT_set_affine_coordinates((EC_GROUP*)ecc_handle, public_point, bn_pub_x, bn_pub_y, NULL)) { break; } diff --git a/sdk/tlibcrypto/sgxssl/sgx_ecc256_internal.cpp b/sdk/tlibcrypto/sgxssl/sgx_ecc256_internal.cpp index 29f854f4d..28812f804 100644 --- a/sdk/tlibcrypto/sgxssl/sgx_ecc256_internal.cpp +++ b/sdk/tlibcrypto/sgxssl/sgx_ecc256_internal.cpp @@ -93,7 +93,7 @@ sgx_status_t sgx_ecc256_compute_shared_point(sgx_ec256_private_t *p_private_b, //create point (public key) based on public key's x,y coordinates // - if (EC_POINT_set_affine_coordinates_GFp(ec_group, point_pubA, pubA_gx, pubA_gy, NULL) != 1) { + if (EC_POINT_set_affine_coordinates(ec_group, point_pubA, pubA_gx, pubA_gy, NULL) != 1) { break; } @@ -135,7 +135,7 @@ sgx_status_t sgx_ecc256_compute_shared_point(sgx_ec256_private_t *p_private_b, break; } - if (EC_POINT_get_affine_coordinates_GFp(ec_group, point_R, BN_dh_shared_x, BN_dh_shared_y, NULL) != 1) { + if (EC_POINT_get_affine_coordinates(ec_group, point_R, BN_dh_shared_x, BN_dh_shared_y, NULL) != 1) { break; } diff --git a/sdk/trts/trts_veh.cpp b/sdk/trts/trts_veh.cpp index 8941fa049..8461d980f 100644 --- a/sdk/trts/trts_veh.cpp +++ b/sdk/trts/trts_veh.cpp @@ -223,8 +223,7 @@ extern "C" __attribute__((regparm(1))) void internal_handle_exception(sgx_except //instruction triggering the exception will be executed again. continue_execution(info); } - - // The customer handler may never return, use alloca instead of malloc + // The customer handler may never return, use alloca instead of malloc if ((nhead = (uintptr_t *)alloca(size)) == NULL) { sgx_spin_unlock(&g_handler_lock);