rpms/linux-sgx
7
0
Fork 0
Code Issues Pull Requests Releases Activity

Fix pccs npm security flaws

Browse Source 
Sync patches from Fedora 43, to fix multiple pccs npm security flaws,
and fix typo in pccsadmin help text.

CVE-2026-23745, CVE-2026-23950, CVE-2026-24842, CVE-2025-13465, CVE-2025-15284

Resolves: RHEL-142527, RHEL-145054, RHEL-144307, RHEL-138123, RHEL-140109
Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
This commit is contained in:
Daniel P. Berrangé 2026-02-04 15:59:14 +00:00
parent 109f4bc2ff
commit 7ec194d0a3
39 changed files with 4988 additions and 155 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

16
0100-Drop-use-of-bundled-pre-built-openssl.patch
View File

@ -1,7 +1,7 @@
From cf39f86bcca57579013cee5967d39cdaca15cbc4 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?= <berrange@redhat.com>
Date: Mon, 26 Feb 2024 12:19:51 +0000
Subject: [PATCH 100/126] Drop use of bundled pre-built openssl
Subject: [PATCH 100/136] Drop use of bundled pre-built openssl
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
@ -20,7 +20,7 @@ Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
6 files changed, 14 insertions(+), 24 deletions(-)
diff --git a/QuoteGeneration/qcnl/linux/Makefile b/QuoteGeneration/qcnl/linux/Makefile
index f5b7be9..f043575 100644
index f5b7be90..f043575f 100644
--- a/QuoteGeneration/qcnl/linux/Makefile
+++ b/QuoteGeneration/qcnl/linux/Makefile
@@ -32,7 +32,6 @@
@ -54,7 +54,7 @@ index f5b7be9..f043575 100644
ifndef DEBUG
CNL_Lib_Cpp_Flags += -DDISABLE_TRACE
diff --git a/QuoteGeneration/qpl/linux/Makefile b/QuoteGeneration/qpl/linux/Makefile
index b675e72..204234c 100644
index b675e729..204234c7 100644
--- a/QuoteGeneration/qpl/linux/Makefile
+++ b/QuoteGeneration/qpl/linux/Makefile
@@ -32,7 +32,6 @@
@ -87,7 +87,7 @@ index b675e72..204234c 100644
ifndef DEBUG
diff --git a/QuoteVerification/buildenv.mk b/QuoteVerification/buildenv.mk
index b25ce40..982c7d5 100644
index b25ce407..982c7d56 100644
--- a/QuoteVerification/buildenv.mk
+++ b/QuoteVerification/buildenv.mk
@@ -56,7 +56,6 @@ PREBUILD_PATH := $(DCAP_QG_DIR)/../prebuilt
@ -99,7 +99,7 @@ index b25ce40..982c7d5 100644
SGX_COMMON_CFLAGS := $(COMMON_FLAGS) -m64 -Wjump-misses-init -Wstrict-prototypes -Wunsuffixed-float-constants
SGX_COMMON_CXXFLAGS := $(COMMON_FLAGS) -m64 -Wnon-virtual-dtor -std=c++17
diff --git a/QuoteVerification/dcap_quoteverify/linux/Makefile b/QuoteVerification/dcap_quoteverify/linux/Makefile
index 74fad4c..894e616 100644
index 74fad4c6..894e616a 100644
--- a/QuoteVerification/dcap_quoteverify/linux/Makefile
+++ b/QuoteVerification/dcap_quoteverify/linux/Makefile
@@ -36,8 +36,8 @@ INSTALL_PATH ?= /usr/lib/x86_64-linux-gnu
@ -131,7 +131,7 @@ index 74fad4c..894e616 100644
QVL_VERIFY_CPP_SRCS := $(wildcard ../*.cpp) $(wildcard *.cpp)
diff --git a/tools/PCKCertSelection/PCKCertSelectionLib/Makefile b/tools/PCKCertSelection/PCKCertSelectionLib/Makefile
index e0402e9..12c0d35 100644
index e0402e95..12c0d35e 100644
--- a/tools/PCKCertSelection/PCKCertSelectionLib/Makefile
+++ b/tools/PCKCertSelection/PCKCertSelectionLib/Makefile
@@ -63,10 +63,7 @@ ifndef QG_DIR
@ -165,7 +165,7 @@ index e0402e9..12c0d35 100644
# debug/release switch
diff --git a/tools/PCKCertSelection/PCKCertSelectionLib/Makefile.static_lib b/tools/PCKCertSelection/PCKCertSelectionLib/Makefile.static_lib
index a20a3cd..c8e1d01 100644
index a20a3cd5..c8e1d01e 100644
--- a/tools/PCKCertSelection/PCKCertSelectionLib/Makefile.static_lib
+++ b/tools/PCKCertSelection/PCKCertSelectionLib/Makefile.static_lib
@@ -118,7 +118,7 @@ LIB_CPP_OBJECTS := \
@ -188,5 +188,5 @@ index a20a3cd..c8e1d01 100644
debug:
$(PCKCERTSEL_VERBOSE)$(MAKE) DEBUG=1 all
--
2.51.1
2.52.0

10
0101-Improve-debuggability-of-build-system.patch
View File

@ -1,7 +1,7 @@
From b36d8f61a5a18dc5edfbd632e5f2373bcf365b3e Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?= <berrange@redhat.com>
Date: Fri, 1 Mar 2024 12:05:01 +0000
Subject: [PATCH 101/126] Improve debuggability of build system
Subject: [PATCH 101/136] Improve debuggability of build system
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
@ -17,7 +17,7 @@ Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
3 files changed, 16 insertions(+), 16 deletions(-)
diff --git a/QuoteGeneration/qcnl/linux/Makefile b/QuoteGeneration/qcnl/linux/Makefile
index f043575..bfe9c61 100644
index f043575f..bfe9c613 100644
--- a/QuoteGeneration/qcnl/linux/Makefile
+++ b/QuoteGeneration/qcnl/linux/Makefile
@@ -113,7 +113,7 @@ $(CNL_Lib_Name_Static): $(CNL_Lib_Cpp_Objects) $(CNL_Lib_C_Objects) $(PCK_Select
@ -30,7 +30,7 @@ index f043575..bfe9c61 100644
true
diff --git a/QuoteVerification/appraisal/qal/Makefile b/QuoteVerification/appraisal/qal/Makefile
index 139848a..cd361c4 100644
index 139848ac..cd361c48 100644
--- a/QuoteVerification/appraisal/qal/Makefile
+++ b/QuoteVerification/appraisal/qal/Makefile
@@ -128,7 +128,7 @@ $(QAL_CXX_Common_Objs): %.o: ../common/%.cpp
@ -43,7 +43,7 @@ index 139848a..cd361c4 100644
clean:
$(RM) $(QAL_Obj_Files) $(Target_Lib_Name) $(Target_Lib_Name).$(SGX_MAJOR_VER) $(Target_Static_Lib_Name) $(BUILD_DIR)/$(Target_Lib_Name) $(QVL_Cpp_Obj_Files)
diff --git a/QuoteVerification/dcap_quoteverify/linux/Makefile b/QuoteVerification/dcap_quoteverify/linux/Makefile
index 894e616..7962d10 100644
index 894e616a..7962d102 100644
--- a/QuoteVerification/dcap_quoteverify/linux/Makefile
+++ b/QuoteVerification/dcap_quoteverify/linux/Makefile
@@ -107,13 +107,13 @@ $(BUILD_DIR):
@ -128,5 +128,5 @@ index 894e616..7962d10 100644
.PHONY: qal
qal:
--
2.51.1
2.52.0

28
0102-Support-build-time-setting-of-enclave-load-directory.patch
View File

@ -1,7 +1,7 @@
From 9a185a6103e9637b785e498d4c4e4c990e7a3478 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?= <berrange@redhat.com>
Date: Mon, 26 Feb 2024 12:19:51 +0000
Subject: [PATCH 102/126] Support build time setting of enclave load directory
Subject: [PATCH 102/136] Support build time setting of enclave load directory
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
@ -45,7 +45,7 @@ Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
12 files changed, 60 insertions(+), 8 deletions(-)
diff --git a/QuoteGeneration/pce_wrapper/linux/Makefile b/QuoteGeneration/pce_wrapper/linux/Makefile
index debcb41..7ceaaea 100644
index debcb41d..7ceaaea8 100644
--- a/QuoteGeneration/pce_wrapper/linux/Makefile
+++ b/QuoteGeneration/pce_wrapper/linux/Makefile
@@ -40,7 +40,7 @@ INCLUDE += -I$(ROOT_DIR)/ae/common \
@ -58,7 +58,7 @@ index debcb41..7ceaaea 100644
CFLAGS += -fPIC -Werror -g
Link_Flags := $(SGX_COMMON_CFLAGS) -L$(ROOT_DIR)/build/linux -L$(SGX_SDK)/lib64 -lsgx_urts -lpthread -ldl
diff --git a/QuoteGeneration/pce_wrapper/pce_wrapper.cpp b/QuoteGeneration/pce_wrapper/pce_wrapper.cpp
index 1b362da..a940d8b 100644
index 1b362da8..a940d8b9 100644
--- a/QuoteGeneration/pce_wrapper/pce_wrapper.cpp
+++ b/QuoteGeneration/pce_wrapper/pce_wrapper.cpp
@@ -112,6 +112,15 @@ bool get_pce_path(
@ -78,7 +78,7 @@ index 1b362da..a940d8b 100644
NULL != dl_info.dli_fname)
{
diff --git a/QuoteGeneration/quote_wrapper/quote/linux/Makefile b/QuoteGeneration/quote_wrapper/quote/linux/Makefile
index c50fdb3..7d0b398 100644
index c50fdb32..7d0b398f 100644
--- a/QuoteGeneration/quote_wrapper/quote/linux/Makefile
+++ b/QuoteGeneration/quote_wrapper/quote/linux/Makefile
@@ -51,7 +51,7 @@ Quote_Include_Paths := -I$(SGX_SDK)/include -I../inc -I../../common/inc -I./ -I.
@ -91,7 +91,7 @@ index c50fdb3..7d0b398 100644
ifndef DEBUG
diff --git a/QuoteGeneration/quote_wrapper/quote/qe_logic.cpp b/QuoteGeneration/quote_wrapper/quote/qe_logic.cpp
index 783c27f..0d81066 100644
index 783c27f2..0d81066d 100644
--- a/QuoteGeneration/quote_wrapper/quote/qe_logic.cpp
+++ b/QuoteGeneration/quote_wrapper/quote/qe_logic.cpp
@@ -573,6 +573,15 @@ get_qe_path(const TCHAR *p_file_name,
@ -111,7 +111,7 @@ index 783c27f..0d81066 100644
NULL != dl_info.dli_fname)
{
diff --git a/QuoteGeneration/quote_wrapper/tdx_quote/linux/Makefile b/QuoteGeneration/quote_wrapper/tdx_quote/linux/Makefile
index 61ad7f3..fc5bd20 100644
index 61ad7f3c..fc5bd208 100644
--- a/QuoteGeneration/quote_wrapper/tdx_quote/linux/Makefile
+++ b/QuoteGeneration/quote_wrapper/tdx_quote/linux/Makefile
@@ -56,7 +56,7 @@ Quote_Include_Paths := -I$(SGX_SDK)/include -I../inc -I../../common/inc -I./ \
@ -124,7 +124,7 @@ index 61ad7f3..fc5bd20 100644
-L$(PCE_Library_Dir) -lsgx_pce_logic -L$(SGX_SDK)/lib64 \
-lsgx_urts -lpthread -ldl
diff --git a/QuoteGeneration/quote_wrapper/tdx_quote/td_ql_logic.cpp b/QuoteGeneration/quote_wrapper/tdx_quote/td_ql_logic.cpp
index dbbe2af..a57e082 100644
index dbbe2afc..a57e0829 100644
--- a/QuoteGeneration/quote_wrapper/tdx_quote/td_ql_logic.cpp
+++ b/QuoteGeneration/quote_wrapper/tdx_quote/td_ql_logic.cpp
@@ -403,6 +403,14 @@ bool tee_att_config_t::get_qe_path(tee_att_ae_type_t type,
@ -143,7 +143,7 @@ index dbbe2af..a57e082 100644
NULL != dl_info.dli_fname)
{
diff --git a/QuoteVerification/appraisal/qal/Makefile b/QuoteVerification/appraisal/qal/Makefile
index cd361c4..ead4a5d 100644
index cd361c48..ead4a5d1 100644
--- a/QuoteVerification/appraisal/qal/Makefile
+++ b/QuoteVerification/appraisal/qal/Makefile
@@ -49,7 +49,7 @@ QAL_Include_Path := -I./ \
@ -156,7 +156,7 @@ index cd361c4..ead4a5d 100644
QAL_Link_Flags := $(COMMON_LDFLAGS) -L$(WARM_Lib_Path) -lvmlib -ldl -lm -lpthread \
diff --git a/QuoteVerification/appraisal/qal/qae_wrapper.cpp b/QuoteVerification/appraisal/qal/qae_wrapper.cpp
index 6321611..9597c52 100644
index 63216112..9597c523 100644
--- a/QuoteVerification/appraisal/qal/qae_wrapper.cpp
+++ b/QuoteVerification/appraisal/qal/qae_wrapper.cpp
@@ -101,6 +101,14 @@ static bool get_qae_path(
@ -182,7 +182,7 @@ index 6321611..9597c52 100644
\ No newline at end of file
+}
diff --git a/QuoteVerification/dcap_quoteverify/linux/Makefile b/QuoteVerification/dcap_quoteverify/linux/Makefile
index 7962d10..c4154b0 100644
index 7962d102..c4154b09 100644
--- a/QuoteVerification/dcap_quoteverify/linux/Makefile
+++ b/QuoteVerification/dcap_quoteverify/linux/Makefile
@@ -55,7 +55,7 @@ QVL_VERIFY_INC := -I$(QVE_SRC_PATH)/Include \
@ -195,7 +195,7 @@ index 7962d10..c4154b0 100644
QVL_LIB_OBJS := $(QVL_LIB_FILES:.cpp=_untrusted.o)
QVL_PARSER_OBJS := $(QVL_PARSER_FILES:.cpp=_untrusted.o)
diff --git a/QuoteVerification/dcap_quoteverify/linux/qve_parser.cpp b/QuoteVerification/dcap_quoteverify/linux/qve_parser.cpp
index d3d4353..2f8f581 100644
index d3d43537..2f8f5814 100644
--- a/QuoteVerification/dcap_quoteverify/linux/qve_parser.cpp
+++ b/QuoteVerification/dcap_quoteverify/linux/qve_parser.cpp
@@ -88,6 +88,14 @@ bool get_qve_path(
@ -214,7 +214,7 @@ index d3d4353..2f8f581 100644
NULL != dl_info.dli_fname)
{
diff --git a/tools/PCKRetrievalTool/App/utility.cpp b/tools/PCKRetrievalTool/App/utility.cpp
index b2c9307..d77a6eb 100644
index b2c9307a..d77a6eb0 100644
--- a/tools/PCKRetrievalTool/App/utility.cpp
+++ b/tools/PCKRetrievalTool/App/utility.cpp
@@ -235,9 +235,9 @@ bool load_enclave(const char* enclave_name, sgx_enclave_id_t* p_eid)
@ -246,7 +246,7 @@ index b2c9307..d77a6eb 100644
return false;
(void)strncat(enclave_path, enclave_name, strnlen(enclave_name, MAX_PATH));
diff --git a/tools/PCKRetrievalTool/Makefile b/tools/PCKRetrievalTool/Makefile
index d9c2bac..1065949 100644
index d9c2baca..10659496 100644
--- a/tools/PCKRetrievalTool/Makefile
+++ b/tools/PCKRetrievalTool/Makefile
@@ -108,7 +108,7 @@ App_Include_Paths += -I ../../QuoteGeneration/ae/inc/internal -I ../SGXPlatformR
@ -259,5 +259,5 @@ index d9c2bac..1065949 100644
App_Link_Flags += -lcurl -ldl -lpthread
ifeq ($(STANDALONE), 1)
--
2.51.1
2.52.0

6
0103-Look-for-versioned-sgx_urts-library-in-PCKRetrievalT.patch
View File

@ -1,7 +1,7 @@
From b92d97f6037cb2e56d343cb979767d51655b097f Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?= <berrange@redhat.com>
Date: Tue, 27 Feb 2024 15:46:41 +0000
Subject: [PATCH 103/126] Look for versioned sgx_urts library in
Subject: [PATCH 103/136] Look for versioned sgx_urts library in
PCKRetrievalTool
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
@ -18,7 +18,7 @@ Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/tools/PCKRetrievalTool/App/utility.cpp b/tools/PCKRetrievalTool/App/utility.cpp
index d77a6eb..d195717 100644
index d77a6eb0..d195717f 100644
--- a/tools/PCKRetrievalTool/App/utility.cpp
+++ b/tools/PCKRetrievalTool/App/utility.cpp
@@ -82,7 +82,7 @@ typedef sgx_status_t (SGXAPI *sgx_create_enclave_func_t)(const LPCSTR file_name,
@ -40,5 +40,5 @@ index d77a6eb..d195717 100644
}
#endif
--
2.51.1
2.52.0

6
0104-pccsadmin-only-import-pypac-module-on-Windows.patch
View File

@ -1,7 +1,7 @@
From eca1c479b23dd8e8c87e90988204c08b5e0c3edc Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?= <berrange@redhat.com>
Date: Fri, 4 Oct 2024 17:41:37 +0100
Subject: [PATCH 104/126] pccsadmin: only import 'pypac' module on Windows
Subject: [PATCH 104/136] pccsadmin: only import 'pypac' module on Windows
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
@ -16,7 +16,7 @@ Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/tools/PccsAdminTool/lib/intelsgx/pcs.py b/tools/PccsAdminTool/lib/intelsgx/pcs.py
index 9f1d224..046c781 100644
index 9f1d2245..046c781d 100644
--- a/tools/PccsAdminTool/lib/intelsgx/pcs.py
+++ b/tools/PccsAdminTool/lib/intelsgx/pcs.py
@@ -5,8 +5,9 @@ import json
@ -31,5 +31,5 @@ index 9f1d224..046c781 100644
from requests.adapters import HTTPAdapter
from urllib3.util import Retry
--
2.51.1
2.52.0

6
0105-Look-for-PCKRetrievalTool-config-file-in-etc.patch
View File

@ -1,7 +1,7 @@
From c8820c38a16ba9c572a6eafefd010b60ba037dde Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?= <berrange@redhat.com>
Date: Thu, 29 Feb 2024 14:21:36 +0000
Subject: [PATCH 105/126] Look for PCKRetrievalTool config file in /etc/
Subject: [PATCH 105/136] Look for PCKRetrievalTool config file in /etc/
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
@ -15,7 +15,7 @@ Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/tools/PCKRetrievalTool/App/linux/network_wrapper.cpp b/tools/PCKRetrievalTool/App/linux/network_wrapper.cpp
index e423f38..36f219b 100644
index e423f384..36f219ba 100644
--- a/tools/PCKRetrievalTool/App/linux/network_wrapper.cpp
+++ b/tools/PCKRetrievalTool/App/linux/network_wrapper.cpp
@@ -219,7 +219,8 @@ static void network_configuration(string &url, string &proxy_type, string &proxy
@ -39,5 +39,5 @@ index e423f38..36f219b 100644
if(strnlen(local_configuration_file_path ,MAX_PATH)+strnlen(LOCAL_NETWORK_SETTING,MAX_PATH)+sizeof(char) > MAX_PATH) {
return false;
--
2.51.1
2.52.0

24
0106-Honour-CFLAGS-CXXFLAGS-LDFLAGS-for-various-tools-and.patch
View File

@ -1,7 +1,7 @@
From 06874f59bd6693f0f42a999dcfbdc0233d9a4bd2 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?= <berrange@redhat.com>
Date: Fri, 28 Mar 2025 16:00:27 +0000
Subject: [PATCH 106/126] Honour CFLAGS/CXXFLAGS/LDFLAGS for various tools and
Subject: [PATCH 106/136] Honour CFLAGS/CXXFLAGS/LDFLAGS for various tools and
libraries
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
@ -22,7 +22,7 @@ Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
10 files changed, 24 insertions(+), 21 deletions(-)
diff --git a/QuoteGeneration/qcnl/linux/Makefile b/QuoteGeneration/qcnl/linux/Makefile
index bfe9c61..531f40b 100644
index bfe9c613..531f40b8 100644
--- a/QuoteGeneration/qcnl/linux/Makefile
+++ b/QuoteGeneration/qcnl/linux/Makefile
@@ -46,12 +46,13 @@ CNL_Lib_Include_Paths := -I../../quote_wrapper/common/inc \
@ -43,7 +43,7 @@ index bfe9c61..531f40b 100644
ifdef SELF_SIGNED_CERT
CNL_Lib_Cpp_Flags+= -DSELF_SIGNED_CERT
diff --git a/QuoteGeneration/qpl/linux/Makefile b/QuoteGeneration/qpl/linux/Makefile
index 204234c..d703c45 100644
index 204234c7..d703c45a 100644
--- a/QuoteGeneration/qpl/linux/Makefile
+++ b/QuoteGeneration/qpl/linux/Makefile
@@ -48,9 +48,9 @@ QPL_Lib_C_Flags := $(COMMON_FLAGS) -g -fPIC -Wno-attributes $(QPL_Lib_Include_Pa
@ -59,7 +59,7 @@ index 204234c..d703c45 100644
ifndef DEBUG
diff --git a/QuoteGeneration/quote_wrapper/qgs/Makefile b/QuoteGeneration/quote_wrapper/qgs/Makefile
index 5d87e4d..8228bdf 100644
index 5d87e4d1..8228bdfc 100644
--- a/QuoteGeneration/quote_wrapper/qgs/Makefile
+++ b/QuoteGeneration/quote_wrapper/qgs/Makefile
@@ -51,7 +51,7 @@ endif
@ -72,7 +72,7 @@ index 5d87e4d..8228bdf 100644
# add boost_system for link
QGS_LFLAGS += -lboost_system -lboost_thread -lpthread
diff --git a/QuoteGeneration/quote_wrapper/ql/linux/Makefile b/QuoteGeneration/quote_wrapper/ql/linux/Makefile
index c5d877b..2983665 100644
index c5d877b5..29836652 100644
--- a/QuoteGeneration/quote_wrapper/ql/linux/Makefile
+++ b/QuoteGeneration/quote_wrapper/ql/linux/Makefile
@@ -48,13 +48,14 @@ QL_Lib_C_Files := se_trace.c se_thread.c
@ -94,7 +94,7 @@ index c5d877b..2983665 100644
QL_Lib_Cpp_Flags += -DDISABLE_TRACE
QL_Lib_Link_Flags += -DDISABLE_TRACE
diff --git a/QuoteGeneration/quote_wrapper/quote/linux/Makefile b/QuoteGeneration/quote_wrapper/quote/linux/Makefile
index 7d0b398..9b8c936 100644
index 7d0b398f..9b8c936c 100644
--- a/QuoteGeneration/quote_wrapper/quote/linux/Makefile
+++ b/QuoteGeneration/quote_wrapper/quote/linux/Makefile
@@ -52,7 +52,7 @@ Quote_Include_Paths := -I$(SGX_SDK)/include -I../inc -I../../common/inc -I./ -I.
@ -107,7 +107,7 @@ index 7d0b398..9b8c936 100644
ifndef DEBUG
Quote_Cpp_Flags += -DDISABLE_TRACE
diff --git a/QuoteVerification/dcap_quoteverify/linux/Makefile b/QuoteVerification/dcap_quoteverify/linux/Makefile
index c4154b0..e125cbf 100644
index c4154b09..e125cbfe 100644
--- a/QuoteVerification/dcap_quoteverify/linux/Makefile
+++ b/QuoteVerification/dcap_quoteverify/linux/Makefile
@@ -54,8 +54,8 @@ QVL_VERIFY_INC := -I$(QVE_SRC_PATH)/Include \
@ -131,7 +131,7 @@ index c4154b0..e125cbf 100644
QVL_VERIFY_CPP_SRCS := $(wildcard ../*.cpp) $(wildcard *.cpp)
diff --git a/tools/PCKCertSelection/PCKCertSelectionLib/Makefile b/tools/PCKCertSelection/PCKCertSelectionLib/Makefile
index 12c0d35..c106ab4 100644
index 12c0d35e..c106ab4f 100644
--- a/tools/PCKCertSelection/PCKCertSelectionLib/Makefile
+++ b/tools/PCKCertSelection/PCKCertSelectionLib/Makefile
@@ -129,11 +129,11 @@ DEBUG_FLAGS := -m64 -O0 -g
@ -149,7 +149,7 @@ index 12c0d35..c106ab4 100644
# debug/release switch
diff --git a/tools/PCKRetrievalTool/Makefile b/tools/PCKRetrievalTool/Makefile
index 1065949..b6968c6 100644
index 10659496..b6968c6d 100644
--- a/tools/PCKRetrievalTool/Makefile
+++ b/tools/PCKRetrievalTool/Makefile
@@ -108,8 +108,9 @@ App_Include_Paths += -I ../../QuoteGeneration/ae/inc/internal -I ../SGXPlatformR
@ -179,7 +179,7 @@ index 1065949..b6968c6 100644
App/%.o: App/%.cpp
diff --git a/tools/SGXPlatformRegistration/package/Makefile b/tools/SGXPlatformRegistration/package/Makefile
index 0c3aec1..adc00f5 100755
index 0c3aec1e..adc00f59 100755
--- a/tools/SGXPlatformRegistration/package/Makefile
+++ b/tools/SGXPlatformRegistration/package/Makefile
@@ -73,7 +73,7 @@ else
@ -192,7 +192,7 @@ index 0c3aec1..adc00f5 100755
all: $(MPA_REGISTRATION_EXEC)
diff --git a/tools/SGXPlatformRegistration/tool/Makefile b/tools/SGXPlatformRegistration/tool/Makefile
index 4937fe9..83aefee 100644
index 4937fe94..83aefeec 100644
--- a/tools/SGXPlatformRegistration/tool/Makefile
+++ b/tools/SGXPlatformRegistration/tool/Makefile
@@ -69,7 +69,7 @@ CPP_SRCS += $(MPA_REGISTRATION_CORE_DIR)/src/AgentConfiguration.cpp $(MPA_REGIST
@ -205,5 +205,5 @@ index 4937fe9..83aefee 100644
LDFLAGS += '-Wl,-rpath,$$ORIGIN'
CXXFLAGS += '-DSTANDALONE'
--
2.51.1
2.52.0

6
0107-qgs-add-space-between-program-name-first-arg-in-usag.patch
View File

@ -1,7 +1,7 @@
From 44eefb7f574b33cb0cf5239948e7d633f1d71dd5 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?= <berrange@redhat.com>
Date: Thu, 3 Oct 2024 14:42:29 +0100
Subject: [PATCH 107/126] qgs: add space between program name & first arg in
Subject: [PATCH 107/136] qgs: add space between program name & first arg in
usage
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
@ -13,7 +13,7 @@ Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/QuoteGeneration/quote_wrapper/qgs/server_main.cpp b/QuoteGeneration/quote_wrapper/qgs/server_main.cpp
index 478dbfe..3618b5a 100644
index 478dbfe0..3618b5ad 100644
--- a/QuoteGeneration/quote_wrapper/qgs/server_main.cpp
+++ b/QuoteGeneration/quote_wrapper/qgs/server_main.cpp
@@ -75,7 +75,7 @@ int main(int argc, const char* argv[])
@ -35,5 +35,5 @@ index 478dbfe..3618b5a 100644
exit(1);
}
--
2.51.1
2.52.0

6
0108-qgs-protect-against-format-strings-in-QL-log-message.patch
View File

@ -1,7 +1,7 @@
From 6c38e13fbee555045aec98f6e159531a385bce53 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?= <berrange@redhat.com>
Date: Fri, 4 Oct 2024 09:43:17 +0100
Subject: [PATCH 108/126] qgs: protect against format strings in QL log
Subject: [PATCH 108/136] qgs: protect against format strings in QL log
messages
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
@ -18,7 +18,7 @@ Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/QuoteGeneration/quote_wrapper/qgs/qgs_ql_logic.cpp b/QuoteGeneration/quote_wrapper/qgs/qgs_ql_logic.cpp
index 77838c3..1e97b58 100644
index 77838c31..1e97b586 100644
--- a/QuoteGeneration/quote_wrapper/qgs/qgs_ql_logic.cpp
+++ b/QuoteGeneration/quote_wrapper/qgs/qgs_ql_logic.cpp
@@ -50,10 +50,10 @@ typedef quote3_error_t (*sgx_ql_set_logging_callback_t)(sgx_ql_logging_callback_
@ -35,5 +35,5 @@ index 77838c3..1e97b58 100644
}
--
2.51.1
2.52.0

12
0109-qgs-add-debug-parameter-to-control-logging.patch
View File

@ -1,7 +1,7 @@
From d1cbef970b8ee800a313b818927449a7dcf1a685 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?= <berrange@redhat.com>
Date: Thu, 3 Oct 2024 16:57:35 +0100
Subject: [PATCH 109/126] qgs: add --debug parameter to control logging
Subject: [PATCH 109/136] qgs: add --debug parameter to control logging
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
@ -28,7 +28,7 @@ Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
4 files changed, 19 insertions(+), 6 deletions(-)
diff --git a/QuoteGeneration/quote_wrapper/qgs/qgs_log.cpp b/QuoteGeneration/quote_wrapper/qgs/qgs_log.cpp
index 1cf1e40..7ae9b75 100644
index 1cf1e40b..7ae9b750 100644
--- a/QuoteGeneration/quote_wrapper/qgs/qgs_log.cpp
+++ b/QuoteGeneration/quote_wrapper/qgs/qgs_log.cpp
@@ -36,6 +36,8 @@
@ -51,7 +51,7 @@ index 1cf1e40..7ae9b75 100644
switch(level){
case QGS_LOG_LEVEL_FATAL:
diff --git a/QuoteGeneration/quote_wrapper/qgs/qgs_log.h b/QuoteGeneration/quote_wrapper/qgs/qgs_log.h
index 1d7fd74..05d41a4 100644
index 1d7fd747..05d41a44 100644
--- a/QuoteGeneration/quote_wrapper/qgs/qgs_log.h
+++ b/QuoteGeneration/quote_wrapper/qgs/qgs_log.h
@@ -40,6 +40,8 @@
@ -64,7 +64,7 @@ index 1d7fd74..05d41a4 100644
void qgs_log_init_ex(bool nosyslog);
void qgs_log_fini(void);
diff --git a/QuoteGeneration/quote_wrapper/qgs/qgs_ql_logic.cpp b/QuoteGeneration/quote_wrapper/qgs/qgs_ql_logic.cpp
index 1e97b58..db642f7 100644
index 1e97b586..db642f70 100644
--- a/QuoteGeneration/quote_wrapper/qgs/qgs_ql_logic.cpp
+++ b/QuoteGeneration/quote_wrapper/qgs/qgs_ql_logic.cpp
@@ -113,8 +113,8 @@ namespace intel { namespace sgx { namespace dcap { namespace qgs {
@ -90,7 +90,7 @@ index 1e97b58..db642f7 100644
QGS_LOG_WARN("Failed to set logging callback for the quote provider library.\n");
}
diff --git a/QuoteGeneration/quote_wrapper/qgs/server_main.cpp b/QuoteGeneration/quote_wrapper/qgs/server_main.cpp
index 3618b5a..47f6c26 100644
index 3618b5ad..47f6c264 100644
--- a/QuoteGeneration/quote_wrapper/qgs/server_main.cpp
+++ b/QuoteGeneration/quote_wrapper/qgs/server_main.cpp
@@ -75,7 +75,7 @@ int main(int argc, const char* argv[])
@ -125,5 +125,5 @@ index 3618b5a..47f6c26 100644
exit(1);
}
--
2.51.1
2.52.0

6
0110-pccsadmin-remove-leftover-debugging-print-args-state.patch
View File

@ -1,7 +1,7 @@
From 64c49b04e7e22358f3afee834a434a6cfdff4a9b Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?= <berrange@redhat.com>
Date: Tue, 8 Oct 2024 10:13:02 +0100
Subject: [PATCH 110/126] pccsadmin: remove leftover debugging 'print(args)'
Subject: [PATCH 110/136] pccsadmin: remove leftover debugging 'print(args)'
statement
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
@ -17,7 +17,7 @@ Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
1 file changed, 1 deletion(-)
diff --git a/tools/PccsAdminTool/pccsadmin.py b/tools/PccsAdminTool/pccsadmin.py
index ffee326..8e447c5 100755
index ffee326d..8e447c50 100755
--- a/tools/PccsAdminTool/pccsadmin.py
+++ b/tools/PccsAdminTool/pccsadmin.py
@@ -92,7 +92,6 @@ def main():
@ -29,5 +29,5 @@ index ffee326..8e447c5 100755
if args.command == 'put' and args.url and args.url.endswith("/appraisalpolicy"):
if not args.fmspc or not args.input_file:
--
2.51.1
2.52.0

8
0111-Fix-soname-version-for-libsgx_qe3_logic.so-library.patch
View File

@ -1,7 +1,7 @@
From 32ac12f933e813b80348840821e1deaedf797a00 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?= <berrange@redhat.com>
Date: Fri, 17 Jan 2025 15:39:39 +0000
Subject: [PATCH 111/126] Fix soname version for libsgx_qe3_logic.so library
Subject: [PATCH 111/136] Fix soname version for libsgx_qe3_logic.so library
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
@ -13,7 +13,7 @@ Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
2 files changed, 8 insertions(+), 1 deletion(-)
diff --git a/QuoteGeneration/common/inc/internal/se_version.h b/QuoteGeneration/common/inc/internal/se_version.h
index 93f60cb..9ee51c0 100644
index 93f60cb9..9ee51c0c 100644
--- a/QuoteGeneration/common/inc/internal/se_version.h
+++ b/QuoteGeneration/common/inc/internal/se_version.h
@@ -41,6 +41,11 @@
@ -29,7 +29,7 @@ index 93f60cb..9ee51c0 100644
#define QE3_VERSION "1.22.100.1"
#define QVE_VERSION "1.22.100.1"
diff --git a/QuoteGeneration/quote_wrapper/quote/linux/Makefile b/QuoteGeneration/quote_wrapper/quote/linux/Makefile
index 9b8c936..c92d782 100644
index 9b8c936c..c92d7827 100644
--- a/QuoteGeneration/quote_wrapper/quote/linux/Makefile
+++ b/QuoteGeneration/quote_wrapper/quote/linux/Makefile
@@ -65,6 +65,8 @@ Quote_C_Objects := $(Quote_C_Files:.c=.o)
@ -51,5 +51,5 @@ index 9b8c936..c92d782 100644
$(BUILD_DIR):
--
2.51.1
2.52.0

6
0112-Workaround-broken-GCC-15.patch
View File

@ -1,7 +1,7 @@
From ac446d8943858e6dccec924451b8a8a3be4d9c4a Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?= <berrange@redhat.com>
Date: Thu, 6 Feb 2025 20:08:59 +0000
Subject: [PATCH 112/126] Workaround broken GCC 15
Subject: [PATCH 112/136] Workaround broken GCC 15
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
@ -20,7 +20,7 @@ Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
1 file changed, 4 insertions(+)
diff --git a/QuoteGeneration/common/inc/internal/linux/sgx_random_buffers.h b/QuoteGeneration/common/inc/internal/linux/sgx_random_buffers.h
index 15fbdd4..4400544 100644
index 15fbdd42..4400544b 100644
--- a/QuoteGeneration/common/inc/internal/linux/sgx_random_buffers.h
+++ b/QuoteGeneration/common/inc/internal/linux/sgx_random_buffers.h
@@ -258,7 +258,11 @@ struct alignas(A)randomly_placed_buffer
@ -36,5 +36,5 @@ index 15fbdd4..4400544 100644
private:
struct alignas(A)_T_instantiator_
--
2.51.1
2.52.0

6
0113-Don-t-disable-cf-protection-for-qgs.patch
View File

@ -1,7 +1,7 @@
From fa8c4f150fe32dafd875c5f45a9e588775235e35 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?= <berrange@redhat.com>
Date: Wed, 2 Apr 2025 18:39:31 +0100
Subject: [PATCH 113/126] Don't disable cf-protection for qgs
Subject: [PATCH 113/136] Don't disable cf-protection for qgs
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
@ -12,7 +12,7 @@ Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
1 file changed, 4 deletions(-)
diff --git a/QuoteGeneration/quote_wrapper/qgs/Makefile b/QuoteGeneration/quote_wrapper/qgs/Makefile
index 8228bdf..5116d85 100644
index 8228bdfc..5116d85e 100644
--- a/QuoteGeneration/quote_wrapper/qgs/Makefile
+++ b/QuoteGeneration/quote_wrapper/qgs/Makefile
@@ -43,10 +43,6 @@ QGS_INC = -I$(SGX_SDK)/include \
@ -27,5 +27,5 @@ index 8228bdf..5116d85 100644
DEPENDS = ${QGS_OBJS test_client.o:.o=.d}
--
2.51.1
2.52.0

24
0114-Delete-broken-checks-for-GCC-version-that-break-fsta.patch
View File

@ -1,7 +1,7 @@
From 2d83da9d5f5fb7399b0d7ec6ac410a6bf52b2add Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?= <berrange@redhat.com>
Date: Thu, 3 Apr 2025 17:44:48 +0100
Subject: [PATCH 114/126] Delete broken checks for GCC version that break
Subject: [PATCH 114/136] Delete broken checks for GCC version that break
-fstack-protector-strong
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
@ -25,7 +25,7 @@ Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
10 files changed, 11 insertions(+), 52 deletions(-)
diff --git a/QuoteGeneration/buildenv.mk b/QuoteGeneration/buildenv.mk
index 0b677db..3fba935 100644
index 0b677db8..3fba9359 100644
--- a/QuoteGeneration/buildenv.mk
+++ b/QuoteGeneration/buildenv.mk
@@ -128,12 +128,7 @@ ifeq ($(CC_NO_LESS_THAN_8), 1)
@ -43,7 +43,7 @@ index 0b677db..3fba935 100644
ifdef DEBUG
COMMON_FLAGS += -O0 -ggdb -DDEBUG -UNDEBUG
diff --git a/QuoteGeneration/quote_wrapper/qgs_msg_lib/linux/Makefile b/QuoteGeneration/quote_wrapper/qgs_msg_lib/linux/Makefile
index dff0af2..9ece3cc 100644
index dff0af23..9ece3cc4 100644
--- a/QuoteGeneration/quote_wrapper/qgs_msg_lib/linux/Makefile
+++ b/QuoteGeneration/quote_wrapper/qgs_msg_lib/linux/Makefile
@@ -33,7 +33,7 @@
@ -56,7 +56,7 @@ index dff0af2..9ece3cc 100644
-Wsequence-point -Wformat-security -Wmissing-include-dirs -Wfloat-equal -Wundef -Wshadow -Wcast-align \
-Wconversion -Wredundant-decls -DITT_ARCH_IA64 -fcf-protection
diff --git a/QuoteGeneration/quote_wrapper/tdx_attest/linux/Makefile b/QuoteGeneration/quote_wrapper/tdx_attest/linux/Makefile
index f0a5e36..20f3022 100644
index f0a5e364..20f30221 100644
--- a/QuoteGeneration/quote_wrapper/tdx_attest/linux/Makefile
+++ b/QuoteGeneration/quote_wrapper/tdx_attest/linux/Makefile
@@ -33,11 +33,11 @@
@ -74,7 +74,7 @@ index f0a5e36..20f3022 100644
-Wsequence-point -Wformat-security -Wmissing-include-dirs -Wfloat-equal -Wundef -Wshadow -Wcast-align \
-Wconversion -Wredundant-decls -DITT_ARCH_IA64 -fcf-protection
diff --git a/QuoteVerification/QvE/Makefile b/QuoteVerification/QvE/Makefile
index cdac5ff..73e0c65 100644
index cdac5ff9..73e0c65b 100644
--- a/QuoteVerification/QvE/Makefile
+++ b/QuoteVerification/QvE/Makefile
@@ -101,12 +101,7 @@ endif
@ -92,7 +92,7 @@ index cdac5ff..73e0c65 100644
ENCLAVE_CXXFLAGS += $(ENCLAVE_CFLAGS) -std=c++17 -DSGX_TRUSTED -DSGX_JWT -DPICOJSON_USE_LOCALE=0
diff --git a/QuoteVerification/dcap_tvl/Makefile b/QuoteVerification/dcap_tvl/Makefile
index 2d62f28..49b4b68 100644
index 2d62f283..49b4b686 100644
--- a/QuoteVerification/dcap_tvl/Makefile
+++ b/QuoteVerification/dcap_tvl/Makefile
@@ -56,12 +56,7 @@ endif
@ -110,7 +110,7 @@ index 2d62f28..49b4b68 100644
ENCLAVE_CXXFLAGS += $(SGX_COMMON_CXXFLAGS) $(COMMON_FLAGS) -fPIC -std=c++11
diff --git a/QuoteVerification/dcap_tvl/Makefile.standalone b/QuoteVerification/dcap_tvl/Makefile.standalone
index 8a1cb73..713d8af 100644
index 8a1cb730..713d8afc 100644
--- a/QuoteVerification/dcap_tvl/Makefile.standalone
+++ b/QuoteVerification/dcap_tvl/Makefile.standalone
@@ -45,12 +45,7 @@ COMMON_LDFLAGS := -Wl,-z,relro,-z,now,-z,noexecstack
@ -128,7 +128,7 @@ index 8a1cb73..713d8af 100644
ENCLAVE_CFLAGS = -ffreestanding -nostdinc -fvisibility=hidden -fpie -fno-strict-overflow -fno-delete-null-pointer-checks
ENCLAVE_CXXFLAGS = $(ENCLAVE_CFLAGS) -nostdinc++
diff --git a/SampleCode/QuoteAppraisalSample/QAEAppraisal/Makefile b/SampleCode/QuoteAppraisalSample/QAEAppraisal/Makefile
index 662ac3e..868d72d 100644
index 662ac3e5..868d72df 100644
--- a/SampleCode/QuoteAppraisalSample/QAEAppraisal/Makefile
+++ b/SampleCode/QuoteAppraisalSample/QAEAppraisal/Makefile
@@ -87,13 +87,7 @@ Crypto_Library_Name := sgx_tcrypto
@ -147,7 +147,7 @@ index 662ac3e..868d72d 100644
Enclave_Cpp_Flags := $(Enclave_C_Flags) -std=c++11 -nostdinc++
diff --git a/SampleCode/QuoteGenerationSample/Makefile b/SampleCode/QuoteGenerationSample/Makefile
index 4fdbb36..fd5b4e2 100644
index 4fdbb36e..fd5b4e25 100644
--- a/SampleCode/QuoteGenerationSample/Makefile
+++ b/SampleCode/QuoteGenerationSample/Makefile
@@ -104,11 +104,7 @@ Enclave_Cpp_Files := Enclave/Enclave.cpp
@ -164,7 +164,7 @@ index 4fdbb36..fd5b4e2 100644
Enclave_Cpp_Flags := $(Enclave_C_Flags) -std=c++11 -nostdinc++
diff --git a/SampleCode/QuoteVerificationSample/Makefile b/SampleCode/QuoteVerificationSample/Makefile
index d534615..6164587 100644
index d5346152..61645871 100644
--- a/SampleCode/QuoteVerificationSample/Makefile
+++ b/SampleCode/QuoteVerificationSample/Makefile
@@ -130,13 +130,7 @@ DCAP_DIR ?= ../../
@ -183,7 +183,7 @@ index d534615..6164587 100644
Enclave_Cpp_Flags := $(Enclave_C_Flags) -nostdinc++
diff --git a/tools/PCKRetrievalTool/Makefile b/tools/PCKRetrievalTool/Makefile
index b6968c6..1d2106b 100644
index b6968c6d..1d2106b7 100644
--- a/tools/PCKRetrievalTool/Makefile
+++ b/tools/PCKRetrievalTool/Makefile
@@ -59,12 +59,7 @@ else
@ -201,5 +201,5 @@ index b6968c6..1d2106b 100644
ifdef DEBUG
COMMON_FLAGS += -O0 -ggdb -DDEBUG -UNDEBUG
--
2.51.1
2.52.0

22
0115-Use-distro-provided-rapidjson-package.patch
View File

@ -1,7 +1,7 @@
From 40d434d75ff4978cd968b4d140af5aa8c8f602c2 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?= <berrange@redhat.com>
Date: Mon, 26 Feb 2024 12:19:51 +0000
Subject: [PATCH 115/126] Use distro provided rapidjson package
Subject: [PATCH 115/136] Use distro provided rapidjson package
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
@ -20,7 +20,7 @@ Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
9 files changed, 15 insertions(+), 15 deletions(-)
diff --git a/QuoteGeneration/qcnl/certification_provider.cpp b/QuoteGeneration/qcnl/certification_provider.cpp
index a08ea7e..41e5b9d 100644
index a08ea7e7..41e5b9d0 100644
--- a/QuoteGeneration/qcnl/certification_provider.cpp
+++ b/QuoteGeneration/qcnl/certification_provider.cpp
@@ -36,7 +36,7 @@
@ -33,7 +33,7 @@ index a08ea7e..41e5b9d 100644
#include "pck_cert_selection.h"
#include "qcnl_util.h"
diff --git a/QuoteGeneration/qcnl/inc/pccs_response_object.h b/QuoteGeneration/qcnl/inc/pccs_response_object.h
index f1f545f..2153b6f 100644
index f1f545f0..2153b6fa 100644
--- a/QuoteGeneration/qcnl/inc/pccs_response_object.h
+++ b/QuoteGeneration/qcnl/inc/pccs_response_object.h
@@ -37,7 +37,7 @@
@ -53,7 +53,7 @@ index f1f545f..2153b6f 100644
\ No newline at end of file
+#endif
diff --git a/QuoteGeneration/qcnl/inc/qcnl_config.h b/QuoteGeneration/qcnl/inc/qcnl_config.h
index ff3c744..71b9a99 100644
index ff3c744d..71b9a996 100644
--- a/QuoteGeneration/qcnl/inc/qcnl_config.h
+++ b/QuoteGeneration/qcnl/inc/qcnl_config.h
@@ -38,7 +38,7 @@
@ -66,7 +66,7 @@ index ff3c744..71b9a99 100644
#include <string>
diff --git a/QuoteGeneration/qcnl/linux/Makefile b/QuoteGeneration/qcnl/linux/Makefile
index 531f40b..5c56951 100644
index 531f40b8..5c569515 100644
--- a/QuoteGeneration/qcnl/linux/Makefile
+++ b/QuoteGeneration/qcnl/linux/Makefile
@@ -43,7 +43,7 @@ CNL_Lib_Include_Paths := -I../../quote_wrapper/common/inc \
@ -79,7 +79,7 @@ index 531f40b..5c56951 100644
CNL_Lib_Common_Flags := $(COMMON_FLAGS) -g -fPIC -Wno-attributes $(CNL_Lib_Include_Paths) $(pkg-config --cflags libcrypto)
diff --git a/QuoteGeneration/qcnl/linux/qcnl_config_impl.cpp b/QuoteGeneration/qcnl/linux/qcnl_config_impl.cpp
index 7b74eae..5f20a1e 100644
index 7b74eae0..5f20a1e3 100644
--- a/QuoteGeneration/qcnl/linux/qcnl_config_impl.cpp
+++ b/QuoteGeneration/qcnl/linux/qcnl_config_impl.cpp
@@ -35,7 +35,7 @@
@ -92,7 +92,7 @@ index 7b74eae..5f20a1e 100644
#include <algorithm>
#include <curl/curl.h>
diff --git a/QuoteGeneration/qcnl/qcnl_config.cpp b/QuoteGeneration/qcnl/qcnl_config.cpp
index 42388a0..9be8fee 100644
index 42388a08..9be8feec 100644
--- a/QuoteGeneration/qcnl/qcnl_config.cpp
+++ b/QuoteGeneration/qcnl/qcnl_config.cpp
@@ -36,10 +36,10 @@
@ -110,7 +110,7 @@ index 42388a0..9be8fee 100644
#include <algorithm>
diff --git a/QuoteVerification/buildenv.mk b/QuoteVerification/buildenv.mk
index 982c7d5..854b70a 100644
index 982c7d56..854b70ac 100644
--- a/QuoteVerification/buildenv.mk
+++ b/QuoteVerification/buildenv.mk
@@ -72,9 +72,9 @@ else
@ -126,7 +126,7 @@ index 982c7d5..854b70a 100644
QVL_LIB_FILES := $(sort $(wildcard $(QVL_LIB_PATH)/src/*.cpp) $(wildcard $(QVL_LIB_PATH)/src/*/*.cpp) $(wildcard $(QVL_LIB_PATH)/src/*/*/*.cpp) $(wildcard $(QVL_COMMON_PATH)/src/Utils/*.cpp))
QVL_PARSER_FILES := $(sort $(wildcard $(QVL_PARSER_PATH)/src/*.cpp) $(wildcard $(QVL_PARSER_PATH)/src/*/*.cpp))
diff --git a/tools/PCKCertSelection/PCKCertSelectionLib/Makefile b/tools/PCKCertSelection/PCKCertSelectionLib/Makefile
index c106ab4..117f88f 100644
index c106ab4f..117f88fd 100644
--- a/tools/PCKCertSelection/PCKCertSelectionLib/Makefile
+++ b/tools/PCKCertSelection/PCKCertSelectionLib/Makefile
@@ -66,7 +66,7 @@ endif
@ -148,7 +148,7 @@ index c106ab4..117f88f 100644
# the library shared object name
LIB_NAME := libPCKCertSelection.so
diff --git a/tools/PCKCertSelection/PCKCertSelectionLib/Makefile.static_lib b/tools/PCKCertSelection/PCKCertSelectionLib/Makefile.static_lib
index c8e1d01..6f1440a 100644
index c8e1d01e..6f1440a6 100644
--- a/tools/PCKCertSelection/PCKCertSelectionLib/Makefile.static_lib
+++ b/tools/PCKCertSelection/PCKCertSelectionLib/Makefile.static_lib
@@ -69,7 +69,7 @@ OPENSSL_INC := $(PROJ_ROOT_DIR)/../../prebuilt/openssl/inc
@ -170,5 +170,5 @@ index c8e1d01..6f1440a 100644
# the library shared object name
LIB_NAME := libPCKCertSelection.a
--
2.51.1
2.52.0

6
0116-Don-t-stomp-on-VERBOSE-variable.patch
View File

@ -1,7 +1,7 @@
From 605d9bcc0003c869e785376bbc3dbecc670c934d Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?= <berrange@redhat.com>
Date: Wed, 16 Apr 2025 11:48:52 +0100
Subject: [PATCH 116/126] Don't stomp on "VERBOSE" variable
Subject: [PATCH 116/136] Don't stomp on "VERBOSE" variable
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
@ -16,7 +16,7 @@ Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
1 file changed, 19 insertions(+), 19 deletions(-)
diff --git a/driver/win/PLE/Makefile b/driver/win/PLE/Makefile
index 3d474bb..0f593f5 100644
index 3d474bbc..0f593f5e 100644
--- a/driver/win/PLE/Makefile
+++ b/driver/win/PLE/Makefile
@@ -75,9 +75,9 @@ ifneq ($(PUBKEY_FILE),)
@ -97,5 +97,5 @@ index 3d474bb..0f593f5 100644
- $(VERBOSE) rm -vrf $(TARGET) $(SIGNING_MATERIAL)
+ $(CMD_VERBOSE) rm -vrf $(TARGET) $(SIGNING_MATERIAL)
--
2.51.1
2.52.0

6
0117-qgs-add-m-MODE-parameter-for-UNIX-socket-mode.patch
View File

@ -1,7 +1,7 @@
From d7299915f42cd068744ce02e358865085f2f12bf Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?= <berrange@redhat.com>
Date: Fri, 2 May 2025 14:48:24 +0100
Subject: [PATCH 117/126] qgs: add -m=MODE parameter for UNIX socket mode
Subject: [PATCH 117/136] qgs: add -m=MODE parameter for UNIX socket mode
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
@ -16,7 +16,7 @@ Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
1 file changed, 32 insertions(+), 3 deletions(-)
diff --git a/QuoteGeneration/quote_wrapper/qgs/server_main.cpp b/QuoteGeneration/quote_wrapper/qgs/server_main.cpp
index 47f6c26..4628b18 100644
index 47f6c264..4628b182 100644
--- a/QuoteGeneration/quote_wrapper/qgs/server_main.cpp
+++ b/QuoteGeneration/quote_wrapper/qgs/server_main.cpp
@@ -73,9 +73,10 @@ int main(int argc, const char* argv[])
@ -99,5 +99,5 @@ index 47f6c26..4628b18 100644
io_service.run();
QGS_LOG_INFO("Quit main loop\n");
--
2.51.1
2.52.0

12
0118-pccs-sanitize-paths-to-all-resources.patch
View File

@ -1,7 +1,7 @@
From b108e8c9a0c9143e8fd930186c21d34d9cddaea7 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?= <berrange@redhat.com>
Date: Tue, 27 Feb 2024 13:38:49 +0000
Subject: [PATCH 118/126] pccs: sanitize paths to all resources
Subject: [PATCH 118/136] pccs: sanitize paths to all resources
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
@ -20,7 +20,7 @@ Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
4 files changed, 10 insertions(+), 10 deletions(-)
diff --git a/QuoteGeneration/pccs/lib_wrapper/pcklib_wrapper.js b/QuoteGeneration/pccs/lib_wrapper/pcklib_wrapper.js
index 17cdf9a..1f7567b 100644
index 17cdf9a9..1f7567b5 100644
--- a/QuoteGeneration/pccs/lib_wrapper/pcklib_wrapper.js
+++ b/QuoteGeneration/pccs/lib_wrapper/pcklib_wrapper.js
@@ -37,7 +37,7 @@ import { load, DataType, open, close, createPointer, arrayConstructor, restorePo
@ -40,7 +40,7 @@ index 17cdf9a..1f7567b 100644
\ No newline at end of file
+});
diff --git a/QuoteGeneration/pccs/pccs_server.js b/QuoteGeneration/pccs/pccs_server.js
index b41d871..57c1cee 100644
index b41d871e..57c1cee9 100644
--- a/QuoteGeneration/pccs/pccs_server.js
+++ b/QuoteGeneration/pccs/pccs_server.js
@@ -61,9 +61,9 @@ process.on('SIGINT', () => {
@ -67,7 +67,7 @@ index b41d871..57c1cee 100644
logger.error('The private key or certificate for HTTPS server is missing.');
logger.endAndExitProcess();
diff --git a/QuoteGeneration/pccs/utils/Logger.js b/QuoteGeneration/pccs/utils/Logger.js
index 5ac7a48..c774ac4 100644
index 5ac7a488..c774ac40 100644
--- a/QuoteGeneration/pccs/utils/Logger.js
+++ b/QuoteGeneration/pccs/utils/Logger.js
@@ -40,7 +40,7 @@ const { createLogger, format, transports } = winston;
@ -80,7 +80,7 @@ index 5ac7a48..c774ac4 100644
json: false,
colorize: true,
diff --git a/QuoteGeneration/pccs/utils/apputil.js b/QuoteGeneration/pccs/utils/apputil.js
index 6f910ee..6eb9d15 100644
index 6f910eea..6eb9d153 100644
--- a/QuoteGeneration/pccs/utils/apputil.js
+++ b/QuoteGeneration/pccs/utils/apputil.js
@@ -84,8 +84,8 @@ async function test_db_status() {
@ -104,5 +104,5 @@ index 6f910ee..6eb9d15 100644
const migration = migrations.find(migration => migration.name === name);
logger.debug(`Resolving migration: ${name}, found: ${migration ? migration.name : 'none'}`);
--
2.51.1
2.52.0

6
0119-pccs-only-pass-ApiKey-if-it-is-set.patch
View File

@ -1,7 +1,7 @@
From 6c6e7427cf14455a56828db5c39f26ca8658a18d Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?= <berrange@redhat.com>
Date: Wed, 9 Jul 2025 16:41:59 +0100
Subject: [PATCH 119/126] pccs: only pass ApiKey if it is set
Subject: [PATCH 119/136] pccs: only pass ApiKey if it is set
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
@ -23,7 +23,7 @@ Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
1 file changed, 11 insertions(+), 3 deletions(-)
diff --git a/QuoteGeneration/pccs/pcs_client/pcs_client.js b/QuoteGeneration/pccs/pcs_client/pcs_client.js
index 99ccea6..4f6c903 100644
index 99ccea69..4f6c903b 100644
--- a/QuoteGeneration/pccs/pcs_client/pcs_client.js
+++ b/QuoteGeneration/pccs/pcs_client/pcs_client.js
@@ -66,7 +66,9 @@ async function do_request(url, options) {
@ -67,5 +67,5 @@ index 99ccea6..4f6c903 100644
}
--
2.51.1
2.52.0

6
0120-pccsadmin-make-keyring-module-optional.patch
View File

@ -1,7 +1,7 @@
From 2b540452538b12a47340b03d6118d3df281a6638 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?= <berrange@redhat.com>
Date: Thu, 4 Dec 2025 13:31:54 +0000
Subject: [PATCH 120/126] pccsadmin: make 'keyring' module optional
Subject: [PATCH 120/136] pccsadmin: make 'keyring' module optional
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
@ -16,7 +16,7 @@ Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
1 file changed, 30 insertions(+), 23 deletions(-)
diff --git a/tools/PccsAdminTool/lib/intelsgx/credential.py b/tools/PccsAdminTool/lib/intelsgx/credential.py
index 638cd88..cebecad 100644
index 638cd88e..cebecade 100644
--- a/tools/PccsAdminTool/lib/intelsgx/credential.py
+++ b/tools/PccsAdminTool/lib/intelsgx/credential.py
@@ -1,4 +1,7 @@
@ -100,5 +100,5 @@ index 638cd88..cebecad 100644
+ return False
return True
--
2.51.1
2.52.0

6
0121-pccsadmin-convert-from-asn1-to-pyasn1-python-module.patch
View File

@ -1,7 +1,7 @@
From b9954581944446455876728bdab816090d773715 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?= <berrange@redhat.com>
Date: Thu, 4 Dec 2025 13:54:19 +0000
Subject: [PATCH 121/126] pccsadmin: convert from asn1 to pyasn1 python module
Subject: [PATCH 121/136] pccsadmin: convert from asn1 to pyasn1 python module
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
@ -15,7 +15,7 @@ Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
1 file changed, 177 insertions(+), 90 deletions(-)
diff --git a/tools/PccsAdminTool/lib/intelsgx/pckcert.py b/tools/PccsAdminTool/lib/intelsgx/pckcert.py
index 97aa278..eaed331 100644
index 97aa2783..eaed331b 100644
--- a/tools/PccsAdminTool/lib/intelsgx/pckcert.py
+++ b/tools/PccsAdminTool/lib/intelsgx/pckcert.py
@@ -1,76 +1,171 @@
@ -337,5 +337,5 @@ index 97aa278..eaed331 100644
+ ent= list(filter(lambda e: e['tCBId'] == id_ce_tCB_pCESVN, tcb))[0]
+ return int(ent["tCBValue"]).to_bytes(2, byteorder='little').hex()
--
2.51.1
2.52.0

6
0122-pccsadmin-fully-switch-to-pycryptography-for-CRL-ver.patch
View File

@ -1,7 +1,7 @@
From d44b9ac3e89e17452678758634e6dbca6c5a099a Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?= <berrange@redhat.com>
Date: Mon, 8 Dec 2025 17:47:01 +0000
Subject: [PATCH 122/126] pccsadmin: fully switch to pycryptography for CRL
Subject: [PATCH 122/136] pccsadmin: fully switch to pycryptography for CRL
verification
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
@ -18,7 +18,7 @@ Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
1 file changed, 4 insertions(+), 9 deletions(-)
diff --git a/tools/PccsAdminTool/lib/intelsgx/pcs.py b/tools/PccsAdminTool/lib/intelsgx/pcs.py
index 046c781..e68864d 100644
index 046c781d..e68864d2 100644
--- a/tools/PccsAdminTool/lib/intelsgx/pcs.py
+++ b/tools/PccsAdminTool/lib/intelsgx/pcs.py
@@ -101,11 +101,6 @@ class PCS:
@ -63,5 +63,5 @@ index 046c781..e68864d 100644
if not self.verify_crl_trust(pychain, pycrl):
self.error("Could not validate certificate using trust chain")
--
2.51.1
2.52.0

6
0123-pccsadmin-use-more-of-pycryptography-instead-of-pyop.patch
View File

@ -1,7 +1,7 @@
From d14f914ea644d7c1b2312780688d55fbb13892bc Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?= <berrange@redhat.com>
Date: Mon, 8 Dec 2025 17:48:11 +0000
Subject: [PATCH 123/126] pccsadmin: use more of pycryptography instead of
Subject: [PATCH 123/136] pccsadmin: use more of pycryptography instead of
pyopenssl
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
@ -19,7 +19,7 @@ Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
1 file changed, 28 insertions(+), 21 deletions(-)
diff --git a/tools/PccsAdminTool/lib/intelsgx/pcs.py b/tools/PccsAdminTool/lib/intelsgx/pcs.py
index e68864d..f6b58a6 100644
index e68864d2..f6b58a6b 100644
--- a/tools/PccsAdminTool/lib/intelsgx/pcs.py
+++ b/tools/PccsAdminTool/lib/intelsgx/pcs.py
@@ -5,6 +5,10 @@ import json
@ -174,5 +174,5 @@ index e68864d..f6b58a6 100644
if issuer_subject not in issuer_to:
self.error('cert in chain with no issuer')
--
2.51.1
2.52.0

6
0124-pccsadmin-prefer-pycryptography-over-pyopenssl.patch
View File

@ -1,7 +1,7 @@
From 9d3da2fd99ba2832fcaa4067dd5db3f7f349c306 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?= <berrange@redhat.com>
Date: Wed, 3 Dec 2025 17:59:09 +0000
Subject: [PATCH 124/126] pccsadmin: prefer pycryptography over pyopenssl
Subject: [PATCH 124/136] pccsadmin: prefer pycryptography over pyopenssl
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
@ -19,7 +19,7 @@ Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
1 file changed, 47 insertions(+), 13 deletions(-)
diff --git a/tools/PccsAdminTool/lib/intelsgx/pcs.py b/tools/PccsAdminTool/lib/intelsgx/pcs.py
index f6b58a6..eeb2969 100644
index f6b58a6b..eeb29697 100644
--- a/tools/PccsAdminTool/lib/intelsgx/pcs.py
+++ b/tools/PccsAdminTool/lib/intelsgx/pcs.py
@@ -4,11 +4,28 @@ import requests
@ -100,5 +100,5 @@ index f6b58a6..eeb2969 100644
return True
--
2.51.1
2.52.0

6
0125-pccsadmin-add-fallback-for-when-pyopenssl-is-not-ava.patch
View File

@ -1,7 +1,7 @@
From 262c1cb978d31130d3558d2a29690b1eace52c64 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?= <berrange@redhat.com>
Date: Mon, 8 Dec 2025 17:56:59 +0000
Subject: [PATCH 125/126] pccsadmin: add fallback for when pyopenssl is not
Subject: [PATCH 125/136] pccsadmin: add fallback for when pyopenssl is not
available
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
@ -18,7 +18,7 @@ Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
1 file changed, 26 insertions(+), 2 deletions(-)
diff --git a/tools/PccsAdminTool/lib/intelsgx/pcs.py b/tools/PccsAdminTool/lib/intelsgx/pcs.py
index eeb2969..1368b57 100644
index eeb29697..1368b57b 100644
--- a/tools/PccsAdminTool/lib/intelsgx/pcs.py
+++ b/tools/PccsAdminTool/lib/intelsgx/pcs.py
@@ -24,7 +24,14 @@ except ImportError:
@ -71,5 +71,5 @@ index eeb2969..1368b57 100644
return True
--
2.51.1
2.52.0

77
0126-pccsadmin-ignore-errors-trying-to-clear-the-keyring.patch
View File

@ -1,7 +1,7 @@
From 8081c78698b7a1e5ec183eca3318f98396680545 Mon Sep 17 00:00:00 2001
From 48f3dc21602f2f11f054c740c5efd4c34d5efae6 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?= <berrange@redhat.com>
Date: Thu, 4 Dec 2025 18:05:14 +0000
Subject: [PATCH 126/126] pccsadmin: ignore errors trying to clear the keyring
Subject: [PATCH 126/136] pccsadmin: ignore errors trying to clear the keyring
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
@ -13,11 +13,12 @@ prompted, so there would be nothing to clear either in this case.
Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
---
tools/PccsAdminTool/lib/intelsgx/pcs.py | 16 ++++++++++++++--
1 file changed, 14 insertions(+), 2 deletions(-)
tools/PccsAdminTool/lib/intelsgx/pcs.py | 16 +++++++++++--
tools/PccsAdminTool/pccsadmin.py | 32 +++++++++++++++++++++----
2 files changed, 42 insertions(+), 6 deletions(-)
diff --git a/tools/PccsAdminTool/lib/intelsgx/pcs.py b/tools/PccsAdminTool/lib/intelsgx/pcs.py
index 1368b57..dd4eba4 100644
index 1368b57b..dd4eba40 100644
--- a/tools/PccsAdminTool/lib/intelsgx/pcs.py
+++ b/tools/PccsAdminTool/lib/intelsgx/pcs.py
@@ -404,7 +404,13 @@ class PCS:
@ -50,6 +51,70 @@ index 1368b57..dd4eba4 100644
return None
# Verify expected headers
diff --git a/tools/PccsAdminTool/pccsadmin.py b/tools/PccsAdminTool/pccsadmin.py
index 8e447c50..dc5253bb 100755
--- a/tools/PccsAdminTool/pccsadmin.py
+++ b/tools/PccsAdminTool/pccsadmin.py
@@ -166,7 +166,13 @@ class PccsClient:
if response.status_code == 200:
self._write_output_file(output_file, response)
elif response.status_code == 401: # Authentication error
- self.credentials.set_admin_token('')
+ try:
+ self.credentials.set_admin_token('')
+ except:
+ # If keyring is unavailable, we don't want to trigger
+ # traceback, as the user may have declined to save
+ # the key in the keyring earlier
+ pass
print("Authentication failed.")
else:
self._handle_error(response)
@@ -196,7 +202,13 @@ class PccsClient:
if response.status_code == 200:
print("Collaterals uploaded successfully.")
elif response.status_code == 401: # Authentication error
- self.credentials.set_admin_token('')
+ try:
+ self.credentials.set_admin_token('')
+ except:
+ # If keyring is unavailable, we don't want to trigger
+ # traceback, as the user may have declined to save
+ # the key in the keyring earlier
+ pass
print("Authentication failed.")
else:
self._handle_error(response)
@@ -212,7 +224,13 @@ class PccsClient:
if response.status_code == 200:
print("Policy uploaded successfully with policy ID :" + response.text)
elif response.status_code == 401: # Authentication error
- self.credentials.set_admin_token('')
+ try:
+ self.credentials.set_admin_token('')
+ except:
+ # If keyring is unavailable, we don't want to trigger
+ # traceback, as the user may have declined to save
+ # the key in the keyring earlier
+ pass
print("Authentication failed.")
else:
self._handle_error(response)
@@ -245,7 +263,13 @@ class PccsClient:
if response.status_code == 200:
print("The cache database was refreshed successfully.")
elif response.status_code == 401: # Authentication error
- self.credentials.set_admin_token('')
+ try:
+ self.credentials.set_admin_token('')
+ except:
+ # If keyring is unavailable, we don't want to trigger
+ # traceback, as the user may have declined to save
+ # the key in the keyring earlier
+ pass
print("Authentication failed.")
else:
self._handle_error(response)
--
2.51.1
2.52.0

51
0127-PCS-Client-Tool-Migrate-from-deprecated-pkg_resource.patch Normal file
View File

@ -0,0 +1,51 @@
From f0222324f5896d08457ed0ffb3951081d66e0cf0 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?= <berrange@redhat.com>
Date: Tue, 6 Jan 2026 18:03:36 +0100
Subject: [PATCH 127/136] [PCS Client Tool] Migrate from deprecated
pkg_resources to packaging
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
From: Miro Hrončok <miro@hroncok.cz>
Version 14.0 is the first version that had the Version class.
Ref: https://setuptools.pypa.io/en/latest/pkg_resources.html
Signed-off-by: Miro Hrončok <miro@hroncok.cz>
---
tools/PccsAdminTool/lib/intelsgx/pcs.py | 2 +-
tools/PccsAdminTool/requirements.txt | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/tools/PccsAdminTool/lib/intelsgx/pcs.py b/tools/PccsAdminTool/lib/intelsgx/pcs.py
index dd4eba40..7596708c 100644
--- a/tools/PccsAdminTool/lib/intelsgx/pcs.py
+++ b/tools/PccsAdminTool/lib/intelsgx/pcs.py
@@ -39,7 +39,7 @@ if system() == 'Windows':
from lib.intelsgx.credential import Credentials
from requests.adapters import HTTPAdapter
from urllib3.util import Retry
-from pkg_resources import parse_version
+from packaging.version import Version as parse_version
certBegin= '-----BEGIN CERTIFICATE-----'
certEnd= '-----END CERTIFICATE-----'
diff --git a/tools/PccsAdminTool/requirements.txt b/tools/PccsAdminTool/requirements.txt
index 8a73667f..65f6bf50 100644
--- a/tools/PccsAdminTool/requirements.txt
+++ b/tools/PccsAdminTool/requirements.txt
@@ -1,8 +1,8 @@
asn1>=2.4.1
cryptography>=41.0.7
keyring>=23.0.0
+packaging>=14.0
pyOpenSSL>=23.2.0,<24.3.0
pypac>=0.14.0
Requests>=2.31.0
-setuptools>=65.5.1
urllib3>=1.26.18
--
2.52.0

44
0128-qgs-add-compat-for-boost-1.87-which-drops-asio-io_se.patch Normal file
View File

@ -0,0 +1,44 @@
From a3633a45f16aa80e9be8542ea8702ec32dbf93cd Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?= <berrange@redhat.com>
Date: Thu, 15 Jan 2026 11:23:35 +0000
Subject: [PATCH 128/136] qgs: add compat for boost 1.87 which drops
asio::io_service
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
From: Jonathan Wakely <jwakely@redhat.com>
The asio::io_service type was deprecated since 1.66 in 2017,
with asio::io_context being its drop-in replacement.
Release 1.87 finally dropped the back-compat support for
asio::io_service entirely.
To retain compat with old boost this change conditionally
re-adds the compat definition for asio::io_service.
Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
---
QuoteGeneration/quote_wrapper/qgs/qgs_server.h | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/QuoteGeneration/quote_wrapper/qgs/qgs_server.h b/QuoteGeneration/quote_wrapper/qgs/qgs_server.h
index f3f5b9f9..91eb41a4 100644
--- a/QuoteGeneration/quote_wrapper/qgs/qgs_server.h
+++ b/QuoteGeneration/quote_wrapper/qgs/qgs_server.h
@@ -36,6 +36,11 @@
#include <boost/asio.hpp>
#include <boost/scoped_ptr.hpp>
+#if BOOST_VERSION >= 108700
+// Asio no longer defines the deprecated io_service alias.
+namespace boost { namespace asio { using io_service = io_context; } }
+#endif
+
namespace intel { namespace sgx { namespace dcap { namespace qgs {
namespace asio = boost::asio;
--
2.52.0

36
0129-qgs-add-compat-for-boost-1.89-which-deprecated-deadl.patch Normal file
View File

@ -0,0 +1,36 @@
From 3c73dad4bdab6d3c29f58ca5ca34628c7ef952b0 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?= <berrange@redhat.com>
Date: Thu, 15 Jan 2026 12:48:19 +0000
Subject: [PATCH 129/136] qgs: add compat for boost 1.89 which deprecated
deadline_timer.hpp
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
The asio::deadline_timer was deprecated in 1.89 and as a result
the deadline_timer.hpp file is no longer implicitly included by
asio.hpp.
To retain compat with old and new boost the code must explicitly
include the deadline_timer.hpp
Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
---
QuoteGeneration/quote_wrapper/qgs/qgs_server.h | 1 +
1 file changed, 1 insertion(+)
diff --git a/QuoteGeneration/quote_wrapper/qgs/qgs_server.h b/QuoteGeneration/quote_wrapper/qgs/qgs_server.h
index 91eb41a4..b56b2633 100644
--- a/QuoteGeneration/quote_wrapper/qgs/qgs_server.h
+++ b/QuoteGeneration/quote_wrapper/qgs/qgs_server.h
@@ -34,6 +34,7 @@
#include <stdint.h>
#include <boost/asio.hpp>
+#include <boost/asio/deadline_timer.hpp>
#include <boost/scoped_ptr.hpp>
#if BOOST_VERSION >= 108700
--
2.52.0

46
0130-Bump-tar-fs-from-2.1.2-to-2.1.3-in-QuoteGeneration-p.patch Normal file
View File

@ -0,0 +1,46 @@
From 64ceff38879265a1844ae1410fa117b8e2745eed Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?= <berrange@redhat.com>
Date: Wed, 27 Aug 2025 08:50:27 -0400
Subject: [PATCH 130/136] Bump tar-fs from 2.1.2 to 2.1.3 in
/QuoteGeneration/pccs (#452)
From: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Bumps [tar-fs](https://github.com/mafintosh/tar-fs) from 2.1.2 to 2.1.3.
- [Commits](https://github.com/mafintosh/tar-fs/commits)
---
updated-dependencies:
- dependency-name: tar-fs
dependency-version: 2.1.3
dependency-type: indirect
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
(cherry picked from commit be740fc70414b27bbe94398fb77a3d0738569e75)
---
QuoteGeneration/pccs/package-lock.json | 7 ++++---
1 file changed, 4 insertions(+), 3 deletions(-)
diff --git a/QuoteGeneration/pccs/package-lock.json b/QuoteGeneration/pccs/package-lock.json
index 8eb75a13..d979ab1c 100644
--- a/QuoteGeneration/pccs/package-lock.json
+++ b/QuoteGeneration/pccs/package-lock.json
@@ -3437,9 +3437,10 @@
}
},
"node_modules/tar-fs": {
- "version": "2.1.2",
- "resolved": "https://registry.npmjs.org/tar-fs/-/tar-fs-2.1.2.tgz",
- "integrity": "sha512-EsaAXwxmx8UB7FRKqeozqEPop69DXcmYwTQwXvyAPF352HJsPdkVhvTaDPYqfNgruveJIJy3TA2l+2zj8LJIJA==",
+ "version": "2.1.3",
+ "resolved": "https://registry.npmjs.org/tar-fs/-/tar-fs-2.1.3.tgz",
+ "integrity": "sha512-090nwYJDmlhwFwEW3QQl+vaNnxsO2yVsd45eTKRBzSzu+hlb1w2K9inVq5b0ngXuLVqQ4ApvsUHHnu/zQNkWAg==",
+ "license": "MIT",
"dependencies": {
"chownr": "^1.1.1",
"mkdirp-classic": "^0.5.2",
--
2.52.0

102
0131-Bump-on-headers-and-morgan-in-QuoteGeneration-pccs-4.patch Normal file
View File

@ -0,0 +1,102 @@
From 3b4b10d4d979a6241309dd9eda790759f3f642ef Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?= <berrange@redhat.com>
Date: Wed, 27 Aug 2025 08:51:38 -0400
Subject: [PATCH 131/136] Bump on-headers and morgan in /QuoteGeneration/pccs
(#455)
From: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Bumps [on-headers](https://github.com/jshttp/on-headers) to 1.1.0 and updates ancestor dependency [morgan](https://github.com/expressjs/morgan). These dependencies need to be updated together.
Updates `on-headers` from 1.0.2 to 1.1.0
- [Release notes](https://github.com/jshttp/on-headers/releases)
- [Changelog](https://github.com/jshttp/on-headers/blob/master/HISTORY.md)
- [Commits](https://github.com/jshttp/on-headers/compare/v1.0.2...v1.1.0)
Updates `morgan` from 1.10.0 to 1.10.1
- [Release notes](https://github.com/expressjs/morgan/releases)
- [Changelog](https://github.com/expressjs/morgan/blob/master/HISTORY.md)
- [Commits](https://github.com/expressjs/morgan/compare/1.10.0...1.10.1)
---
updated-dependencies:
- dependency-name: on-headers
dependency-version: 1.1.0
dependency-type: indirect
- dependency-name: morgan
dependency-version: 1.10.1
dependency-type: direct:production
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
(cherry picked from commit e195a67362971db869b7f9fa8a16b5d688e797b8)
---
QuoteGeneration/pccs/package-lock.json | 18 ++++++++++--------
QuoteGeneration/pccs/package.json | 2 +-
2 files changed, 11 insertions(+), 9 deletions(-)
diff --git a/QuoteGeneration/pccs/package-lock.json b/QuoteGeneration/pccs/package-lock.json
index d979ab1c..7dfcb6be 100644
--- a/QuoteGeneration/pccs/package-lock.json
+++ b/QuoteGeneration/pccs/package-lock.json
@@ -18,7 +18,7 @@
"express": "^4.21.2",
"ffi-rs": "^1.0.64",
"got": "^11.8.6",
- "morgan": "^1.10.0",
+ "morgan": "^1.10.1",
"mysql2": "^3.10.1",
"node-schedule": "^2.1.1",
"sequelize": "^6.37.3",
@@ -2376,15 +2376,16 @@
}
},
"node_modules/morgan": {
- "version": "1.10.0",
- "resolved": "https://registry.npmjs.org/morgan/-/morgan-1.10.0.tgz",
- "integrity": "sha512-AbegBVI4sh6El+1gNwvD5YIck7nSA36weD7xvIxG4in80j/UoK8AEGaWnnz8v1GxonMCltmlNs5ZKbGvl9b1XQ==",
+ "version": "1.10.1",
+ "resolved": "https://registry.npmjs.org/morgan/-/morgan-1.10.1.tgz",
+ "integrity": "sha512-223dMRJtI/l25dJKWpgij2cMtywuG/WiUKXdvwfbhGKBhy1puASqXwFzmWZ7+K73vUPoR7SS2Qz2cI/g9MKw0A==",
+ "license": "MIT",
"dependencies": {
"basic-auth": "~2.0.1",
"debug": "2.6.9",
"depd": "~2.0.0",
"on-finished": "~2.3.0",
- "on-headers": "~1.0.2"
+ "on-headers": "~1.1.0"
},
"engines": {
"node": ">= 0.8.0"
@@ -2607,9 +2608,10 @@
}
},
"node_modules/on-headers": {
- "version": "1.0.2",
- "resolved": "https://registry.npmjs.org/on-headers/-/on-headers-1.0.2.tgz",
- "integrity": "sha512-pZAE+FJLoyITytdqK0U5s+FIpjN0JP3OzFi/u8Rx+EV5/W+JTWGXG8xFzevE7AjBfDqHv/8vL8qQsIhHnqRkrA==",
+ "version": "1.1.0",
+ "resolved": "https://registry.npmjs.org/on-headers/-/on-headers-1.1.0.tgz",
+ "integrity": "sha512-737ZY3yNnXy37FHkQxPzt4UZ2UWPWiCZWLvFZ4fu5cueciegX0zGPnrlY6bwRg4FdQOe9YU8MkmJwGhoMybl8A==",
+ "license": "MIT",
"engines": {
"node": ">= 0.8"
}
diff --git a/QuoteGeneration/pccs/package.json b/QuoteGeneration/pccs/package.json
index ea6d29a9..7c498083 100644
--- a/QuoteGeneration/pccs/package.json
+++ b/QuoteGeneration/pccs/package.json
@@ -14,7 +14,7 @@
"express": "^4.21.2",
"ffi-rs": "^1.0.64",
"got": "^11.8.6",
- "morgan": "^1.10.0",
+ "morgan": "^1.10.1",
"mysql2": "^3.10.1",
"node-schedule": "^2.1.1",
"sequelize": "^6.37.3",
--
2.52.0

47
0132-Bump-brace-expansion-from-1.1.11-to-1.1.12-in-QuoteG.patch Normal file
View File

@ -0,0 +1,47 @@
From 39c83bdcf585187cb41c4698b0b2a24679ce3af2 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?= <berrange@redhat.com>
Date: Wed, 27 Aug 2025 08:52:37 -0400
Subject: [PATCH 132/136] Bump brace-expansion from 1.1.11 to 1.1.12 in
/QuoteGeneration/pccs (#459)
From: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Bumps [brace-expansion](https://github.com/juliangruber/brace-expansion) from 1.1.11 to 1.1.12.
- [Release notes](https://github.com/juliangruber/brace-expansion/releases)
- [Commits](https://github.com/juliangruber/brace-expansion/compare/1.1.11...v1.1.12)
---
updated-dependencies:
- dependency-name: brace-expansion
dependency-version: 1.1.12
dependency-type: indirect
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
(cherry picked from commit a46ee8ab10569962c5cd7397b4babd4a47431976)
---
QuoteGeneration/pccs/package-lock.json | 7 ++++---
1 file changed, 4 insertions(+), 3 deletions(-)
diff --git a/QuoteGeneration/pccs/package-lock.json b/QuoteGeneration/pccs/package-lock.json
index 7dfcb6be..c946788f 100644
--- a/QuoteGeneration/pccs/package-lock.json
+++ b/QuoteGeneration/pccs/package-lock.json
@@ -750,9 +750,10 @@
}
},
"node_modules/brace-expansion": {
- "version": "1.1.11",
- "resolved": "https://registry.npmjs.org/brace-expansion/-/brace-expansion-1.1.11.tgz",
- "integrity": "sha512-iCuPHDFgrHX7H2vEI/5xpz07zSHB00TpugqhmYtVmMO6518mCuRMoOYFldEBl0g187ufozdaHgWKcYFb61qGiA==",
+ "version": "1.1.12",
+ "resolved": "https://registry.npmjs.org/brace-expansion/-/brace-expansion-1.1.12.tgz",
+ "integrity": "sha512-9T9UjW3r0UW5c1Q7GTwllptXwhvYmEzFhzMfZ9H7FQWt+uZePjZPjBP/W1ZEyZ1twGWom5/56TF4lPcqjnDHcg==",
+ "license": "MIT",
"optional": true,
"dependencies": {
"balanced-match": "^1.0.0",
--
2.52.0

45
0133-Bump-tar-fs-from-2.1.3-to-2.1.4-in-QuoteGeneration-p.patch Normal file
View File

@ -0,0 +1,45 @@
From d91e8d59ccf4c15ebfa4e4760839f41e19107c04 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?= <berrange@redhat.com>
Date: Tue, 7 Oct 2025 09:14:30 -0400
Subject: [PATCH 133/136] Bump tar-fs from 2.1.3 to 2.1.4 in
/QuoteGeneration/pccs (#463)
From: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Bumps [tar-fs](https://github.com/mafintosh/tar-fs) from 2.1.3 to 2.1.4.
- [Commits](https://github.com/mafintosh/tar-fs/compare/v2.1.3...v2.1.4)
---
updated-dependencies:
- dependency-name: tar-fs
dependency-version: 2.1.4
dependency-type: indirect
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
(cherry picked from commit 66726e154c6d9e6ffeea3d3035241805cb82bfed)
---
QuoteGeneration/pccs/package-lock.json | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/QuoteGeneration/pccs/package-lock.json b/QuoteGeneration/pccs/package-lock.json
index c946788f..e383c219 100644
--- a/QuoteGeneration/pccs/package-lock.json
+++ b/QuoteGeneration/pccs/package-lock.json
@@ -3440,9 +3440,9 @@
}
},
"node_modules/tar-fs": {
- "version": "2.1.3",
- "resolved": "https://registry.npmjs.org/tar-fs/-/tar-fs-2.1.3.tgz",
- "integrity": "sha512-090nwYJDmlhwFwEW3QQl+vaNnxsO2yVsd45eTKRBzSzu+hlb1w2K9inVq5b0ngXuLVqQ4ApvsUHHnu/zQNkWAg==",
+ "version": "2.1.4",
+ "resolved": "https://registry.npmjs.org/tar-fs/-/tar-fs-2.1.4.tgz",
+ "integrity": "sha512-mDAjwmZdh7LTT6pNleZ05Yt65HC3E+NiQzl672vQG38jIrehtJk/J3mNwIg+vShQPcLF/LV7CMnDW6vjj6sfYQ==",
"license": "MIT",
"dependencies": {
"chownr": "^1.1.1",
--
2.52.0

4122
0134-PCCS-dependencies-updated-to-latest-minor.patch Normal file
View File

File diff suppressed because it is too large Load Diff

217
0135-pccs-force-override-tar-module-to-7.0.0-series.patch Normal file
View File

@ -0,0 +1,217 @@
From 416a5f3338e4f3709eb647d56a78a6e22724a284 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?= <berrange@redhat.com>
Date: Thu, 29 Jan 2026 16:09:15 +0000
Subject: [PATCH 135/136] pccs: force override "tar" module to 7.0.0 series
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
The 6.x series is vulnerable to multiple flaws, however, it is a
depedency of sqlite3. The latter has not been updated in several
years. The new tar 7.x series appears largely back-compatible
despite the major version change, so can override it to force
the new release.
The 'npm audit fix' command was run to update pacakge-lock.json
with new deps for tar 7.x and eliminate other outdated/vunlerable
deps.
Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
---
QuoteGeneration/pccs/package-lock.json | 97 ++++++++++++++++++++------
QuoteGeneration/pccs/package.json | 3 +
2 files changed, 79 insertions(+), 21 deletions(-)
diff --git a/QuoteGeneration/pccs/package-lock.json b/QuoteGeneration/pccs/package-lock.json
index e01fde2f..7536872b 100644
--- a/QuoteGeneration/pccs/package-lock.json
+++ b/QuoteGeneration/pccs/package-lock.json
@@ -79,6 +79,27 @@
"license": "MIT",
"optional": true
},
+ "node_modules/@isaacs/fs-minipass": {
+ "version": "4.0.1",
+ "resolved": "https://registry.npmjs.org/@isaacs/fs-minipass/-/fs-minipass-4.0.1.tgz",
+ "integrity": "sha512-wgm9Ehl2jpeqP3zw/7mo3kRHFp5MEDhqAdwy1fTGkHAwnkGOVsgpvQhL8B5n1qlb01jV3n/bI0ZfZp5lWA1k4w==",
+ "license": "ISC",
+ "dependencies": {
+ "minipass": "^7.0.4"
+ },
+ "engines": {
+ "node": ">=18.0.0"
+ }
+ },
+ "node_modules/@isaacs/fs-minipass/node_modules/minipass": {
+ "version": "7.1.2",
+ "resolved": "https://registry.npmjs.org/minipass/-/minipass-7.1.2.tgz",
+ "integrity": "sha512-qOOzS1cBTWYF4BH8fVePDBOO9iptMnGUEZwNc/cMWnTV2nVLZ7VoNWEPHkYczZA0pdoA7dl6e7FL659nX9S2aw==",
+ "license": "ISC",
+ "engines": {
+ "node": ">=16 || 14 >=14.17"
+ }
+ },
"node_modules/@nodelib/fs.scandir": {
"version": "2.1.5",
"resolved": "https://registry.npmjs.org/@nodelib/fs.scandir/-/fs.scandir-2.1.5.tgz",
@@ -1011,6 +1032,7 @@
"resolved": "https://registry.npmjs.org/chownr/-/chownr-2.0.0.tgz",
"integrity": "sha512-bIomtDF5KGpdogkLd9VspvFzk9KfpyyGlS8YFVZl7TGPBHL5snIOnxeshwVgPteQ9b4Eydl+pVbIyE1DcvCWgQ==",
"license": "ISC",
+ "optional": true,
"engines": {
"node": ">=10"
}
@@ -1664,6 +1686,7 @@
"resolved": "https://registry.npmjs.org/fs-minipass/-/fs-minipass-2.1.0.tgz",
"integrity": "sha512-V/JgOLFCS+R6Vcq0slCuaeWEdNC3ouDlJMNIsacH2VtALiu9mV4LPrHc5cDl8k5aw6J8jwgWWpiTo5RYhmIzvg==",
"license": "ISC",
+ "optional": true,
"dependencies": {
"minipass": "^3.0.0"
},
@@ -2340,9 +2363,9 @@
"license": "MIT"
},
"node_modules/lodash": {
- "version": "4.17.21",
- "resolved": "https://registry.npmjs.org/lodash/-/lodash-4.17.21.tgz",
- "integrity": "sha512-v2kDEe57lecTulaDIuNTPy3Ry4gLGJ6Z1O3vE1krgXZNrsQ+LFTGHVxVjcXPs17LhbZVGedAJv8XZ1tvj5FvSg==",
+ "version": "4.17.23",
+ "resolved": "https://registry.npmjs.org/lodash/-/lodash-4.17.23.tgz",
+ "integrity": "sha512-LgVTMpQtIopCi79SJeDiP0TfWi5CNEc/L/aRdTh3yIvmZXTnheWpKjSZhnvMl8iXbC1tFg9gdHHDMLoV7CnG+w==",
"license": "MIT"
},
"node_modules/logform": {
@@ -2580,6 +2603,7 @@
"resolved": "https://registry.npmjs.org/minipass/-/minipass-3.3.6.tgz",
"integrity": "sha512-DxiNidxSEK+tHG6zOIklvNOwm3hvCrbUrdtzY74U6HKTJxvIDfOUL5W5P2Ghd3DTkhhKPYGqeNUIh5qcM4YBfw==",
"license": "ISC",
+ "optional": true,
"dependencies": {
"yallist": "^4.0.0"
},
@@ -2662,6 +2686,7 @@
"resolved": "https://registry.npmjs.org/minizlib/-/minizlib-2.1.2.tgz",
"integrity": "sha512-bAxsR8BVfj60DWXHE3u30oHzfl4G7khkSuPW+qvpd7jFRHm7dLxOjUk1EHACJ/hxLY8phGJ0YhYHZo7jil7Qdg==",
"license": "MIT",
+ "optional": true,
"dependencies": {
"minipass": "^3.0.0",
"yallist": "^4.0.0"
@@ -2675,6 +2700,7 @@
"resolved": "https://registry.npmjs.org/mkdirp/-/mkdirp-1.0.4.tgz",
"integrity": "sha512-vVqVZQyf3WLx2Shd0qJ9xuvqgAyKPLAiqITEtqW0oIUjzo3PePDd6fW9iFz30ef7Ysp/oiWqbhszeGWW2T6Gzw==",
"license": "MIT",
+ "optional": true,
"bin": {
"mkdirp": "bin/cmd.js"
},
@@ -3175,9 +3201,9 @@
}
},
"node_modules/qs": {
- "version": "6.14.0",
- "resolved": "https://registry.npmjs.org/qs/-/qs-6.14.0.tgz",
- "integrity": "sha512-YWWTjgABSKcvs/nWBi9PycY/JiPJqOD4JA6o9Sej2AtvSGarXxKC3OQSk4pAarbdQlKAh5D4FCQkJNkW+GAn3w==",
+ "version": "6.14.1",
+ "resolved": "https://registry.npmjs.org/qs/-/qs-6.14.1.tgz",
+ "integrity": "sha512-4EK3+xJl8Ts67nLYNwqw/dsFVnCf+qR7RgXSK9jEEm9unao3njwMDdmsdvoKBKHzxd7tCYz5e5M+SnMjdtXGQQ==",
"license": "BSD-3-Clause",
"dependencies": {
"side-channel": "^1.1.0"
@@ -4050,20 +4076,19 @@
}
},
"node_modules/tar": {
- "version": "6.2.1",
- "resolved": "https://registry.npmjs.org/tar/-/tar-6.2.1.tgz",
- "integrity": "sha512-DZ4yORTwrbTj/7MZYq2w+/ZFdI6OZ/f9SFHR+71gIVUZhOQPHzVCLpvRnPgyaMpfWxxk/4ONva3GQSyNIKRv6A==",
- "license": "ISC",
+ "version": "7.5.7",
+ "resolved": "https://registry.npmjs.org/tar/-/tar-7.5.7.tgz",
+ "integrity": "sha512-fov56fJiRuThVFXD6o6/Q354S7pnWMJIVlDBYijsTNx6jKSE4pvrDTs6lUnmGvNyfJwFQQwWy3owKz1ucIhveQ==",
+ "license": "BlueOak-1.0.0",
"dependencies": {
- "chownr": "^2.0.0",
- "fs-minipass": "^2.0.0",
- "minipass": "^5.0.0",
- "minizlib": "^2.1.1",
- "mkdirp": "^1.0.3",
- "yallist": "^4.0.0"
+ "@isaacs/fs-minipass": "^4.0.0",
+ "chownr": "^3.0.0",
+ "minipass": "^7.1.2",
+ "minizlib": "^3.1.0",
+ "yallist": "^5.0.0"
},
"engines": {
- "node": ">=10"
+ "node": ">=18"
}
},
"node_modules/tar-fs": {
@@ -4100,13 +4125,43 @@
"node": ">=6"
}
},
+ "node_modules/tar/node_modules/chownr": {
+ "version": "3.0.0",
+ "resolved": "https://registry.npmjs.org/chownr/-/chownr-3.0.0.tgz",
+ "integrity": "sha512-+IxzY9BZOQd/XuYPRmrvEVjF/nqj5kgT4kEq7VofrDoM1MxoRjEWkrCC3EtLi59TVawxTAn+orJwFQcrqEN1+g==",
+ "license": "BlueOak-1.0.0",
+ "engines": {
+ "node": ">=18"
+ }
+ },
"node_modules/tar/node_modules/minipass": {
- "version": "5.0.0",
- "resolved": "https://registry.npmjs.org/minipass/-/minipass-5.0.0.tgz",
- "integrity": "sha512-3FnjYuehv9k6ovOEbyOswadCDPX1piCfhV8ncmYtHOjuPwylVWsghTLo7rabjC3Rx5xD4HDx8Wm1xnMF7S5qFQ==",
+ "version": "7.1.2",
+ "resolved": "https://registry.npmjs.org/minipass/-/minipass-7.1.2.tgz",
+ "integrity": "sha512-qOOzS1cBTWYF4BH8fVePDBOO9iptMnGUEZwNc/cMWnTV2nVLZ7VoNWEPHkYczZA0pdoA7dl6e7FL659nX9S2aw==",
"license": "ISC",
"engines": {
- "node": ">=8"
+ "node": ">=16 || 14 >=14.17"
+ }
+ },
+ "node_modules/tar/node_modules/minizlib": {
+ "version": "3.1.0",
+ "resolved": "https://registry.npmjs.org/minizlib/-/minizlib-3.1.0.tgz",
+ "integrity": "sha512-KZxYo1BUkWD2TVFLr0MQoM8vUUigWD3LlD83a/75BqC+4qE0Hb1Vo5v1FgcfaNXvfXzr+5EhQ6ing/CaBijTlw==",
+ "license": "MIT",
+ "dependencies": {
+ "minipass": "^7.1.2"
+ },
+ "engines": {
+ "node": ">= 18"
+ }
+ },
+ "node_modules/tar/node_modules/yallist": {
+ "version": "5.0.0",
+ "resolved": "https://registry.npmjs.org/yallist/-/yallist-5.0.0.tgz",
+ "integrity": "sha512-YgvUTfwqyc7UXVMrB+SImsVYSmTS8X/tSrtdNZMImM+n7+QTriRXyXim0mBrTXNeqzVF0KWGgHPeiyViFFrNDw==",
+ "license": "BlueOak-1.0.0",
+ "engines": {
+ "node": ">=18"
}
},
"node_modules/text-hex": {
diff --git a/QuoteGeneration/pccs/package.json b/QuoteGeneration/pccs/package.json
index 6d0569f4..e5b470be 100644
--- a/QuoteGeneration/pccs/package.json
+++ b/QuoteGeneration/pccs/package.json
@@ -30,5 +30,8 @@
"test": "NODE_ENV=test mocha ../../../unittests/psw/pccs_ut/test.js --timeout 120000 --exit",
"offline": "NODE_ENV=test_offline mocha ../../../unittests/psw/pccs_ut/test_offline.js --timeout 120000 --exit",
"req": "NODE_ENV=test_req mocha ../../../unittests/psw/pccs_ut/test_req.js --timeout 120000 --exit"
+ },
+ "overrides": {
+ "tar": "^7.0.0"
}
}
--
2.52.0

30
0136-pccsadmin-fix-name-of-input-file-for-cache-command-i.patch Normal file
View File

@ -0,0 +1,30 @@
From 911260b974b5fdbb44e81c95d47bd447a09c4d3d Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?= <berrange@redhat.com>
Date: Wed, 4 Feb 2026 15:07:30 +0000
Subject: [PATCH 136/136] pccsadmin: fix name of input file for 'cache' command
in help text
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
---
tools/PccsAdminTool/pccsadmin.py | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/tools/PccsAdminTool/pccsadmin.py b/tools/PccsAdminTool/pccsadmin.py
index dc5253bb..4d6b6c7b 100755
--- a/tools/PccsAdminTool/pccsadmin.py
+++ b/tools/PccsAdminTool/pccsadmin.py
@@ -79,7 +79,7 @@ def main():
parser_cache = subparsers.add_parser('cache')
# add optional arguments for cache
parser_cache.add_argument("-u", "--url", help="The URL of the Intel PCS service; default: https://api.trustedservices.intel.com/sgx/certification/v4/")
- parser_cache.add_argument("-i", "--input_file", help="The input file name for platform list; default: platform_list.csv")
+ parser_cache.add_argument("-i", "--input_file", help="The input file name for platform list; default: platform_list.json")
parser_cache.add_argument("-o", "--output_dir", help="The destination directory for storing the generated cache files")
parser_cache.add_argument("-s", "--sub_dir", help="Store output cache files in subdirectories named according to QE ID or Platform ID", action="store_true")
parser_cache.add_argument("-e", "--expire", type=Utils.check_expire_hours, help="How many hours the cache files will be valid for. Default is 2160 hours (90 days).")
--
2.52.0

66
linux-sgx.spec
View File

@ -58,6 +58,9 @@
%global with_sysusers_scripts 1
%endif
# Change after running pccs-nodejs-bundler
%define node_modules_date 20260204
############################################################
#
# A note about versions
@ -168,6 +171,9 @@ License: %{shrink:
%dnl sdk/tlibcxx, external/ippcp_internal, external/epid-sdk, node_modules, node-ffi-rs vendor
Apache-2.0 AND
%dnl node_modules
BlueOak-1.0.0 AND
%dnl sdk/cpprt, sdk/tlibc, node_modules
BSD-2-Clause AND
@ -210,6 +216,9 @@ License: %{shrink:
%dnl node_modules, node-ffi-rs vendor
Unlicense AND
%dnl node_modules
WTFPL AND
%dnl sdk/tlibc
LicenseRef-Fedora-Public-Domain
}
@ -296,7 +305,7 @@ Source51: pccs.service
# as record of what was used to create Source54
Source52: pccs-nodejs-bundler
# Pre-created using Source53
Source53: dcap-%{dcap_version}-pccs-node-modules.tar.xz
Source53: dcap-%{dcap_version}-%{node_modules_date}-pccs-node-modules.tar.xz
# RPM build doesn't run this, but we want it in the src.rpm
# as record of what was used to create Source55 & Source56
@ -319,6 +328,9 @@ Provides: bundled(vtune) = 2018
# Distro integration patches
# 0000-0099 -> against linux-sgx.git
#
# Maintained in: https://github.com/berrange/linux-sgx/tree/dist-git-%{linux_sgx_version}-hostsw
#
Patch0000: 0000-Add-support-for-building-against-host-openssl-crypto.patch
Patch0001: 0001-Add-support-for-building-against-host-tinyxml2-lib.patch
Patch0002: 0002-Add-support-for-building-against-host-CppMicroServic.patch
@ -342,7 +354,11 @@ Patch0015: 0015-fix-BOM-for-pccs-with-DCAP-1.23.patch
# Optional patches
Patch0050: 0050-Disable-inclusion-of-AESM-in-installer.patch
# 0100-0199 -> against SGXDataCenterAttestationPrimitives.git
#
# Maintained in https://github.com/berrange/SGXDataCenterAttestationPrimitives/tree/dist-git-%{dcap_version}-hostsw
#
Patch0100: 0100-Drop-use-of-bundled-pre-built-openssl.patch
Patch0101: 0101-Improve-debuggability-of-build-system.patch
# https://github.com/intel/SGXDataCenterAttestationPrimitives/pull/437
@ -374,14 +390,40 @@ Patch0123: 0123-pccsadmin-use-more-of-pycryptography-instead-of-pyop.patch
Patch0124: 0124-pccsadmin-prefer-pycryptography-over-pyopenssl.patch
Patch0125: 0125-pccsadmin-add-fallback-for-when-pyopenssl-is-not-ava.patch
Patch0126: 0126-pccsadmin-ignore-errors-trying-to-clear-the-keyring.patch
# https://github.com/intel/confidential-computing.tee.dcap/pull/485
Patch0127: 0127-PCS-Client-Tool-Migrate-from-deprecated-pkg_resource.patch
# https://github.com/intel/confidential-computing.tee.dcap/pull/487
Patch0128: 0128-qgs-add-compat-for-boost-1.87-which-drops-asio-io_se.patch
Patch0129: 0129-qgs-add-compat-for-boost-1.89-which-deprecated-deadl.patch
# Patches 0130->0135 collectively fix:
# CVE-2026-23745: node-tar
# CVE-2026-23950: node-tar
# CVE-2026-24842: node-tar
# CVE-2025-13465: lodash
# CVE-2025-15284: qs
Patch0130: 0130-Bump-tar-fs-from-2.1.2-to-2.1.3-in-QuoteGeneration-p.patch
Patch0131: 0131-Bump-on-headers-and-morgan-in-QuoteGeneration-pccs-4.patch
Patch0132: 0132-Bump-brace-expansion-from-1.1.11-to-1.1.12-in-QuoteG.patch
Patch0133: 0133-Bump-tar-fs-from-2.1.3-to-2.1.4-in-QuoteGeneration-p.patch
Patch0134: 0134-PCCS-dependencies-updated-to-latest-minor.patch
Patch0135: 0135-pccs-force-override-tar-module-to-7.0.0-series.patch
# https://github.com/intel/confidential-computing.tee.dcap/pull/489
Patch0136: 0136-pccsadmin-fix-name-of-input-file-for-cache-command-i.patch
# 0200-0299 -> against intel-sgx-ssl.git
#
# Maintained in https://github.com/berrange/intel-sgx-ssl/tree/dist-git-%{sgx_ssl_version}
#
Patch0200: 0200-Enable-pointing-sgxssl-build-to-alternative-glibc-he.patch
Patch0201: 0201-Workaround-missing-output-directory.patch
Patch0202: 0202-Disable-various-EC-crypto-features.patch
Patch0203: 0203-Disable-sm2-and-sm4-crypto-algorithms.patch
# 0300-0399 -> against ipp-crypto.git
#
# Maintained in https://github.com/berrange/ipp-crypto/tree/dist-git-%{ipp_crypto_version}
#
Patch0300: 0300-Drop-min-openssl-from-3.0.8-to-3.0.7.patch
Patch0301: 0301-Drop-Werror-from-build-flags.patch
@ -541,7 +583,7 @@ Requires: python3-keyring
%endif
Requires: python3-requests
Requires: python3-urllib3
Requires: python3-setuptools
Requires: python3-packaging
%if 0%{?rhel}
Requires: openssl
%endif
@ -980,24 +1022,10 @@ done
rm -f %{vroot}/sgxsdk/lib64/libsgx_urts.so.2
# Pull together all license files relevant to the code
# that is known to be built into the enclaves
# Pull together all license files relevant to the code that is shipped
# Err on the side of pulling in much too much, rather than miss something
mkdir licenses
for f in License.txt \
external/epid-sdk/LICENSE.txt \
external/epid-sdk/ext/argtable3/LICENSE \
sdk/compiler-rt/LICENSE.TXT \
sdk/cpprt/linux/libunwind/LICENSE \
sdk/gperftools/gperftools-2.7/COPYING \
sdk/tlibcxx/LICENSE.TXT \
external/dcap_source/License.txt \
external/dcap_source/QuoteGeneration/ThirdPartyLicenses.txt \
external/dcap_source/tools/PCKRetrievalTool/License.txt \
external/dcap_source/tools/PCKRetrievalTool/ThirdPartyLicenseIndex.txt \
external/dcap_source/tools/PccsAdminTool/License.txt \
external/dcap_source/tools/SGXPlatformRegistration/inf/MPA_Network_Components/License.txt \
external/dcap_source/tools/SGXPlatformRegistration/inf/MPA_UEFI_Components/License.txt \
external/dcap_source/tools/SGXPlatformRegistration/license.txt
for f in $(find -type f | grep -v '\.pdf' | grep -E -i '(license|copying)')
do
d=$(dirname $f)
mkdir -p licenses/$d

2
sources
View File

@ -12,5 +12,5 @@ SHA512 (openssl-3.1.6.tar.gz) = 18ca07ee6a98d5fe46accfa0156e0354ad770d78bbbbe8e4
SHA512 (prebuilt_dcap_1.23-repacked.tar.gz) = a253b7ea5a9a0c73a31259bb852ad5942d9c11c98ea23616bec3cef028ed135090a5837895a1a5771bc8507caec1c1a6c845bd12e01864bfd79fb1827867ce66
SHA512 (sgx-emm-1.0.3.tar.gz) = 0ec9f0133b3a32409c8af61568a47128a1860407170b9b274647140ac36069851638d7282649e23590131d44ca93f839fd2ffe4b9b39821631d279c1384874bf
SHA512 (wasm-micro-runtime-1.0.0.tar.gz) = fb16a992b54f5c006be386b72ff65c680ededaafe7f2010db163b6e4365d198cc96f06ae60ac42986aaf45609803ffc1722308277474c341673e391f9bc4846e
SHA512 (dcap-1.23-pccs-node-modules.tar.xz) = 7f311e72b3bd66009574cd77b5398cc6081626de2394dfb567308172f1ae325e4720e596f9badc0084a5750dc990c774b025816f509b4e1e73be9af7784c2065
SHA512 (dcap-1.23-20260204-pccs-node-modules.tar.xz) = c075a7f84e8dfcbfc1e4fdf57221f7914394a06b70c2abe5ccf63bc95a3e3228b92931ef0966fbdb85ac6ab5d436a45389e6eed3fa5af49a6b420714593b4f22
SHA512 (tinyxml2-10.0.0.tar.gz) = a359d33bc12fad455b53d81011dbe12727cae0aabfaa5704f1a25807ca216dd854a571291029886c0beedeca5c3b6393dd49c4718773e18a0e008abbdb3de36a