Honour CFLAGS/CXXFLAGS/LDFLAGS for host software

Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
2025-03-28 14:55:27 +00:00 · 2025-03-28 14:55:27 +00:00 · b26306ecae
commit b26306ecae
parent 5ccd6e4136
36 changed files with 1135 additions and 87 deletions
--- a/0000-Add-support-for-building-against-host-openssl-crypto.patch
+++ b/0000-Add-support-for-building-against-host-openssl-crypto.patch
@ -1,7 +1,7 @@
-From 3a59361036c6096c817444b68bd3ff6d5e0224cd Mon Sep 17 00:00:00 2001
+From 035a09af5fa31cdc7ab683c8188168623848f033 Mon Sep 17 00:00:00 2001
 From: =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?= <berrange@redhat.com>
 Date: Thu, 13 Feb 2025 14:12:38 +0000
-Subject: [PATCH 00/13] Add support for building against host openssl crypto
+Subject: [PATCH 00/16] Add support for building against host openssl crypto
 lib
 MIME-Version: 1.0
 Content-Type: text/plain; charset=UTF-8
@ -212,5 +212,5 @@ index dde577ca..505ce8d9 100644
 
 .PHONY: all
 -- 
-2.46.0
+2.48.1

--- a/0001-Add-support-for-building-against-host-tinyxml2-lib.patch
+++ b/0001-Add-support-for-building-against-host-tinyxml2-lib.patch
@ -1,7 +1,7 @@
-From 6b1e08b5a1f6c035b7f761349c9751a2983c7a4b Mon Sep 17 00:00:00 2001
+From a1ebbd0efeb66f23a02e63946d6f2c8ec9c00c00 Mon Sep 17 00:00:00 2001
 From: =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?= <berrange@redhat.com>
 Date: Thu, 13 Feb 2025 14:01:10 +0000
-Subject: [PATCH 01/13] Add support for building against host tinyxml2 lib
+Subject: [PATCH 01/16] Add support for building against host tinyxml2 lib
 MIME-Version: 1.0
 Content-Type: text/plain; charset=UTF-8
 Content-Transfer-Encoding: 8bit
@ -80,5 +80,5 @@ index 1eb8d460..219fb5ad 100644
 
 sgx_sign: $(OBJS) enclaveparser
 -- 
-2.46.0
+2.48.1

--- a/0002-Add-support-for-building-against-host-CppMicroServic.patch
+++ b/0002-Add-support-for-building-against-host-CppMicroServic.patch
@ -1,7 +1,7 @@
-From 08e7b92cc7324b954ba773e8d2edb53f364efb64 Mon Sep 17 00:00:00 2001
+From 90ec590f9b17b878cfe2e338d55362349d5ad67e Mon Sep 17 00:00:00 2001
 From: =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?= <berrange@redhat.com>
 Date: Thu, 13 Feb 2025 14:01:10 +0000
-Subject: [PATCH 02/13] Add support for building against host CppMicroServices
+Subject: [PATCH 02/16] Add support for building against host CppMicroServices
 lib
 MIME-Version: 1.0
 Content-Type: text/plain; charset=UTF-8
@ -138,5 +138,5 @@ index 98c724a7..3edd77c7 100644
 cmake_minimum_required(VERSION ${US_CMAKE_MINIMUM_REQUIRED_VERSION})
 cmake_policy(VERSION ${US_CMAKE_MINIMUM_REQUIRED_VERSION})
 -- 
-2.46.0
+2.48.1

--- a/0003-Improve-make-debuggability.patch
+++ b/0003-Improve-make-debuggability.patch
@ -1,7 +1,7 @@
-From 1c1ec62d0a754fc477b64cb881a721c316eb58d5 Mon Sep 17 00:00:00 2001
+From 50ba5d706d65359514e973175c34f36b6887a1e8 Mon Sep 17 00:00:00 2001
 From: =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?= <berrange@redhat.com>
 Date: Fri, 1 Mar 2024 12:53:26 +0000
-Subject: [PATCH 03/13] Improve make debuggability
+Subject: [PATCH 03/16] Improve make debuggability
 MIME-Version: 1.0
 Content-Type: text/plain; charset=UTF-8
 Content-Transfer-Encoding: 8bit
@ -70,5 +70,5 @@ index d1ac38a1..5fb90c21 100644
 
 .PHONY: clean
 -- 
-2.46.0
+2.48.1

--- a/0004-Support-disabling-use-of-git-for-ippcp-code.patch
+++ b/0004-Support-disabling-use-of-git-for-ippcp-code.patch
@ -1,7 +1,7 @@
-From 028b9d1eeb5cdda62d0d3669b1320358402c2bb1 Mon Sep 17 00:00:00 2001
+From e9150e028f1d0f567bab4d2c7d5e5fc02cadce06 Mon Sep 17 00:00:00 2001
 From: =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?= <berrange@redhat.com>
 Date: Thu, 13 Feb 2025 14:37:24 +0000
-Subject: [PATCH 04/13] Support disabling use of git for ippcp code
+Subject: [PATCH 04/16] Support disabling use of git for ippcp code
 MIME-Version: 1.0
 Content-Type: text/plain; charset=UTF-8
 Content-Transfer-Encoding: 8bit
@ -45,5 +45,5 @@ index b4108cb8..70718f5e 100644
 
 .PHONY: clean
 -- 
-2.46.0
+2.48.1

--- a/0005-disable-openmp-protobuf-mbedtls-sample_crypto-builds.patch
+++ b/0005-disable-openmp-protobuf-mbedtls-sample_crypto-builds.patch
@ -1,7 +1,7 @@
-From 6b9f6d62de22cfcf7ad89ec8a38e292c45ab0e2a Mon Sep 17 00:00:00 2001
+From bdeff24e929360b5ecfa5b0fe36513607b98daf3 Mon Sep 17 00:00:00 2001
 From: =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?= <berrange@redhat.com>
 Date: Tue, 18 Jun 2024 15:57:22 +0100
-Subject: [PATCH 05/13] disable openmp, protobuf, mbedtls & sample_crypto
+Subject: [PATCH 05/16] disable openmp, protobuf, mbedtls & sample_crypto
 builds
 MIME-Version: 1.0
 Content-Type: text/plain; charset=UTF-8
@ -521,5 +521,5 @@ index d3e40036..3bd08d5c 100644
 	@$(RM) $(BUILD_DIR)/libc++_Changes_SGX.txt
 	@$(RM) -rf $(BUILD_DIR)/.compiler-rt
 -- 
-2.46.0
+2.48.1

--- a/0006-Fix-compat-with-gcc-14.patch
+++ b/0006-Fix-compat-with-gcc-14.patch
@ -1,7 +1,7 @@
-From ec8e718cbcdce69263bb2f61df112118234df7aa Mon Sep 17 00:00:00 2001
+From 44c7af2d59a9654009eb1ea6affe771927d24850 Mon Sep 17 00:00:00 2001
 From: =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?= <berrange@redhat.com>
 Date: Mon, 24 Jun 2024 17:36:13 +0100
-Subject: [PATCH 06/13] Fix compat with gcc 14
+Subject: [PATCH 06/16] Fix compat with gcc 14
 MIME-Version: 1.0
 Content-Type: text/plain; charset=UTF-8
 Content-Transfer-Encoding: 8bit
@ -44,5 +44,5 @@ index 9867ecc8..46fcf873 100644
 #include "sgx_urts.h"
 #include "arch.h"
 -- 
-2.46.0
+2.48.1

--- a/0007-Fix-escaping-of-regexes-in-sgx-asm-pp.patch
+++ b/0007-Fix-escaping-of-regexes-in-sgx-asm-pp.patch
@ -1,7 +1,7 @@
-From 285845dd940042c9dfa3983aa478263b3aeb6d09 Mon Sep 17 00:00:00 2001
+From b613bffdce4d035dab354887539828906920a69e Mon Sep 17 00:00:00 2001
 From: =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?= <berrange@redhat.com>
 Date: Mon, 2 Sep 2024 16:49:18 +0100
-Subject: [PATCH 07/13] Fix escaping of regexes in sgx-asm-pp
+Subject: [PATCH 07/16] Fix escaping of regexes in sgx-asm-pp
 MIME-Version: 1.0
 Content-Type: text/plain; charset=UTF-8
 Content-Transfer-Encoding: 8bit
@ -278,5 +278,5 @@ index 2b02396b..0df3fc47 100644
 #
 # File Operations - read/write
 -- 
-2.46.0
+2.48.1

--- a/0008-Disable-use-of-bogus-DEF_WEAK-macro.patch
+++ b/0008-Disable-use-of-bogus-DEF_WEAK-macro.patch
@ -1,7 +1,7 @@
-From 0584b938529c615f16dbb9751267e14ce73b37ca Mon Sep 17 00:00:00 2001
+From 7e6f75bfc9c364a26be6efb0704fb6f58318e59b Mon Sep 17 00:00:00 2001
 From: =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?= <berrange@redhat.com>
 Date: Tue, 1 Oct 2024 18:53:17 +0100
-Subject: [PATCH 08/13] Disable use of bogus DEF_WEAK macro
+Subject: [PATCH 08/16] Disable use of bogus DEF_WEAK macro
 MIME-Version: 1.0
 Content-Type: text/plain; charset=UTF-8
 Content-Transfer-Encoding: 8bit
@ -26,5 +26,5 @@ index 08023a7c..9e62adc6 100644
 static char *
 _strptime(const char *buf, const char *fmt, struct tm *tm, int initialize)
 -- 
-2.46.0
+2.48.1

--- a/0009-Remove-all-references-to-pccs-service.patch
+++ b/0009-Remove-all-references-to-pccs-service.patch
@ -1,7 +1,7 @@
-From d0a7e7bcf090c5a3549e76709b83aaee87197b2b Mon Sep 17 00:00:00 2001
+From 2135faf971e82c7dc351dc01baab5c6f716f8f11 Mon Sep 17 00:00:00 2001
 From: =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?= <berrange@redhat.com>
 Date: Tue, 1 Oct 2024 20:18:48 +0100
-Subject: [PATCH 09/13] Remove all references to pccs service
+Subject: [PATCH 09/16] Remove all references to pccs service
 MIME-Version: 1.0
 Content-Type: text/plain; charset=UTF-8
 Content-Transfer-Encoding: 8bit
@ -493,5 +493,5 @@ index 0dd5fd8c..67eab01a 100644
 if [ -x %{_ra_service_path}/startup.sh ]; then %{_ra_service_path}/startup.sh; fi
 
 -- 
-2.46.0
+2.48.1

--- a/0010-psw-prefer-dev-sgx_provision-dev-sgx_enclave.patch
+++ b/0010-psw-prefer-dev-sgx_provision-dev-sgx_enclave.patch
@ -1,7 +1,7 @@
-From b3adcc233373a403654954e364a798cc06a618b4 Mon Sep 17 00:00:00 2001
+From b35c87f751c42cec71c4d3107b88084eddc4f749 Mon Sep 17 00:00:00 2001
 From: =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?= <berrange@redhat.com>
 Date: Fri, 4 Oct 2024 16:33:20 +0100
-Subject: [PATCH 10/13] psw: prefer /dev/sgx_provision & /dev/sgx_enclave
+Subject: [PATCH 10/16] psw: prefer /dev/sgx_provision & /dev/sgx_enclave
 MIME-Version: 1.0
 Content-Type: text/plain; charset=UTF-8
 Content-Transfer-Encoding: 8bit
@ -74,5 +74,5 @@ index 49f2b9aa..fc537a84 100644
     }
     else if (driver_type == SGX_DRIVER_DCAP)
 -- 
-2.46.0
+2.48.1

--- a/0011-psw-fix-soname-for-libuae_service.so-library.patch
+++ b/0011-psw-fix-soname-for-libuae_service.so-library.patch
@ -1,7 +1,7 @@
-From 134a3214bc7d2de69c015204d43453535125907d Mon Sep 17 00:00:00 2001
+From 44fa7a1f6108ae855419f32288573ff3c51f1fa4 Mon Sep 17 00:00:00 2001
 From: =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?= <berrange@redhat.com>
 Date: Fri, 17 Jan 2025 15:38:56 +0000
-Subject: [PATCH 11/13] psw: fix soname for libuae_service.so library
+Subject: [PATCH 11/16] psw: fix soname for libuae_service.so library
 MIME-Version: 1.0
 Content-Type: text/plain; charset=UTF-8
 Content-Transfer-Encoding: 8bit
@ -25,5 +25,5 @@ index bffbdc5b..81f5c4b7 100644
 $(IPC_SRC:.cpp=.o) : $(IPC_COMMON_PROTO_DIR)/messages.pb.cc
 AEServicesImpl.o : $(IPC_COMMON_PROTO_DIR)/messages.pb.cc
 -- 
-2.46.0
+2.48.1

--- a/0012-pcl-remove-redundant-use-of-bool-type.patch
+++ b/0012-pcl-remove-redundant-use-of-bool-type.patch
@ -1,7 +1,7 @@
-From d0d00e0d5518c983983eb8dbe4fd8c2c09845e9b Mon Sep 17 00:00:00 2001
+From 64e9315acfc84f84299e8f0d8d890f158d972b0f Mon Sep 17 00:00:00 2001
 From: =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?= <berrange@redhat.com>
 Date: Thu, 6 Feb 2025 09:54:33 +0000
-Subject: [PATCH 12/13] pcl: remove redundant use of 'bool' type
+Subject: [PATCH 12/16] pcl: remove redundant use of 'bool' type
 MIME-Version: 1.0
 Content-Type: text/plain; charset=UTF-8
 Content-Transfer-Encoding: 8bit
@ -45,5 +45,5 @@ index 5ad6efde..b78ca907 100644
 #endif // #ifdef SE_SIM 
 
 -- 
-2.46.0
+2.48.1

--- a/0013-sdk-honour-CFLAGS-LDFLAGS-set-from-environment.patch
+++ b/0013-sdk-honour-CFLAGS-LDFLAGS-set-from-environment.patch
@ -0,0 +1,126 @@
+From 51aa96fc252d5792ca26132478eb5c1c8af1a63c Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?= <berrange@redhat.com>
+Date: Thu, 27 Mar 2025 14:17:01 +0000
+Subject: [PATCH 13/16] sdk: honour CFLAGS/LDFLAGS set from environment
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
+---
+ sdk/debugger_interface/linux/Makefile           | 5 +----
+ sdk/encrypt_enclave/Makefile                    | 2 +-
+ sdk/sign_tool/SignTool/Makefile                 | 2 +-
+ sdk/simulation/SEConfigureCPUSVN/linux/Makefile | 2 +-
+ sdk/simulation/uae_service_sim/linux/Makefile   | 2 +-
+ sdk/simulation/urtssim/linux/Makefile           | 8 ++++----
+ 6 files changed, 9 insertions(+), 12 deletions(-)
+
+diff --git a/sdk/debugger_interface/linux/Makefile b/sdk/debugger_interface/linux/Makefile
+index 8f2847da..808e093f 100644
+--- a/sdk/debugger_interface/linux/Makefile
+++ b/sdk/debugger_interface/linux/Makefile
+@@ -31,13 +31,10 @@
+ 
+ include ../../../buildenv.mk
+ 
+-#Don't CFLAGS +=, because it depend on gdb is m32 or m64
+-CFLAGS :=
+-
+ CPPFLAGS += -I$(COMMON_DIR)/inc/           \
+             -I$(COMMON_DIR)/inc/internal/
+ 
+-CFLAGS += -W -Wall -Werror -D_GNU_SOURCE -fpic
+CFLAGS += -W -Wall -Werror -D_GNU_SOURCE -fpic -Wno-conversion -Wno-redundant-decls
+ ifeq ($(CC_BELOW_4_9), 1)
+ 	CFLAGS += -fstack-protector
+ else
+diff --git a/sdk/encrypt_enclave/Makefile b/sdk/encrypt_enclave/Makefile
+index d388dc1d..867de978 100644
+--- a/sdk/encrypt_enclave/Makefile
+++ b/sdk/encrypt_enclave/Makefile
+@@ -39,7 +39,7 @@ endif
+ 
+ INC_DIR	:= -I$(COMMON_DIR)/inc -I$(COMMON_DIR)/inc/internal -I.
+ CXXFLAGS += $(INC_DIR) -Wno-attributes -g -mrdrnd -fpie
+-LDFLAGS := -pie $(COMMON_LDFLAGS)
+LDFLAGS += -pie $(COMMON_LDFLAGS)
+ 
+ LINK_FLAGS := -lcrypto -L$(BUILD_DIR) -lsgx_tservice
+ CPP_FILES := encryptip.cpp
+diff --git a/sdk/sign_tool/SignTool/Makefile b/sdk/sign_tool/SignTool/Makefile
+index 219fb5ad..fe16b392 100644
+--- a/sdk/sign_tool/SignTool/Makefile
+++ b/sdk/sign_tool/SignTool/Makefile
+@@ -40,7 +40,7 @@ FLAGS += -DSE_DEBUG_LEVEL=SE_TRACE_ERROR
+ endif
+ CFLAGS += $(FLAGS)
+ CXXFLAGS += $(FLAGS)
+-LDFLAGS := -pie $(COMMON_LDFLAGS) -Wno-odr
+LDFLAGS += -pie $(COMMON_LDFLAGS) -Wno-odr
+ 
+ INC += $(ADDED_INC)
+ INC +=  -I$(COMMON_DIR)/inc                         \
+diff --git a/sdk/simulation/SEConfigureCPUSVN/linux/Makefile b/sdk/simulation/SEConfigureCPUSVN/linux/Makefile
+index fce3a59e..5fd8548e 100644
+--- a/sdk/simulation/SEConfigureCPUSVN/linux/Makefile
+++ b/sdk/simulation/SEConfigureCPUSVN/linux/Makefile
+@@ -45,7 +45,7 @@ SRCS += $(SIM_DIR)/urtssim/cpusvn_util.cpp
+ OBJS := $(sort $(SRCS:.cpp=.o))
+ 
+ WRAPPER_LIB_DIR := $(COMMON_DIR)/se_wrapper
+-LDFLAGS := -L$(WRAPPER_LIB_DIR)
+LDFLAGS += -L$(WRAPPER_LIB_DIR)
+ CXXFLAGS += -fpie $(CET_FLAGS)
+ LDFLAGS += -pie $(COMMON_LDFLAGS)
+ LDLIBS  := -lwrapper
+diff --git a/sdk/simulation/uae_service_sim/linux/Makefile b/sdk/simulation/uae_service_sim/linux/Makefile
+index 45ddb576..865d5556 100644
+--- a/sdk/simulation/uae_service_sim/linux/Makefile
+++ b/sdk/simulation/uae_service_sim/linux/Makefile
+@@ -50,7 +50,7 @@ INCLUDES := -I..                                            \
+ 
+ CXXFLAGS += -Wall -fPIC $(INCLUDES) -Werror -g $(CET_FLAGS)
+ CFLAGS := $(filter-out -fPIC -Werror, $(CFLAGS)) -Wall $(INCLUDES) $(CET_FLAGS)
+-
+LDUFLAGS += $(LDFLAGS)
+ 
+ RDRAND_LIBDIR := $(LINUX_EXTERNAL_DIR)/rdrand/src
+ RDRAND_MAKEFILE := $(RDRAND_LIBDIR)/Makefile
+diff --git a/sdk/simulation/urtssim/linux/Makefile b/sdk/simulation/urtssim/linux/Makefile
+index 505ce8d9..b340463a 100644
+--- a/sdk/simulation/urtssim/linux/Makefile
+++ b/sdk/simulation/urtssim/linux/Makefile
+@@ -65,9 +65,9 @@ DIR5 := $(LINUX_PSW_DIR)/../common/src/linux
+ DIR6 := $(LINUX_PSW_DIR)/../common/src
+ 
+ 
+-LDFLAGS += -L$(COMMON_DIR)/se_wrapper \
+LDUFLAGS += -L$(COMMON_DIR)/se_wrapper \
+            -L$(SIM_DIR)/uae_service_sim/linux
+-LDFLAGS += -L$(VTUNE_DIR)/sdk/src/ittnotify/ -littnotify -ldl -lpthread
+LDUFLAGS += -L$(VTUNE_DIR)/sdk/src/ittnotify/ -littnotify -ldl -lpthread
+ 
+ OBJ1 := enclave.o         \
+         tcs.o             \
+@@ -119,7 +119,7 @@ vpath %.cpp .:$(DIR1):$(DIR2):$(DIR3):$(DIR4):$(DIR6)
+ vpath %.S   .:$(DIR2):$(DIR5)
+ vpath %.c .:$(DIR6)
+ 
+-LDFLAGS += $(COMMON_LDFLAGS) -Wl,--version-script=$(LINUX_PSW_DIR)/urts/linux/urts.lds
+LDUFLAGS += $(COMMON_LDFLAGS) -Wl,--version-script=$(LINUX_PSW_DIR)/urts/linux/urts.lds
+ 
+ LIBURTSSIM_SHARED := libsgx_urts_sim.so
+ LIBURTS_DEPLOY := libsgx_urts_deploy.so
+@@ -133,7 +133,7 @@ all: $(LIBURTSSIM_SHARED) $(LIBURTS_DEPLOY)| $(BUILD_DIR)
+ 	$(CP) $(LIBURTS_DEPLOY) $|
+ 
+ $(LIBURTSSIM_SHARED): simasm uinst driver_api wrapper uae_service_sim $(OBJ) $(OBJ6) ittnotify
+-	$(CXX) $(CXXFLAGS) -shared -Wl,-soname=$(SONAME) $(OBJ) $(OBJ6) $(LDFLAGS) $(LDLIBS) -o $@
+	$(CXX) $(CXXFLAGS) -shared -Wl,-soname=$(SONAME) $(OBJ) $(OBJ6) $(LDUFLAGS) $(LDLIBS) -o $@
+ 
+ $(BUILD_DIR):
+ 	@$(MKDIR) $@
+-- 
+2.48.1
+
--- a/0014-psw-make-aesm_service-build-verbose.patch
+++ b/0014-psw-make-aesm_service-build-verbose.patch
@ -0,0 +1,29 @@
+From e2f8a9054e512b3c49f4264824892baf07898efc Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?= <berrange@redhat.com>
+Date: Thu, 27 Mar 2025 16:07:10 +0000
+Subject: [PATCH 14/16] psw: make aesm_service build verbose.
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
+---
+ psw/ae/aesm_service/Makefile | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/psw/ae/aesm_service/Makefile b/psw/ae/aesm_service/Makefile
+index 89a15875..dbfa3fb6 100644
+--- a/psw/ae/aesm_service/Makefile
+++ b/psw/ae/aesm_service/Makefile
+@@ -80,7 +80,7 @@ copy_data_file:
+ 	@$(CP) $(WHITE_LIST_FILE) data/white_list_cert_to_be_verify.bin
+ 
+ $(APPNAME): $(CPPMICROSERVICES) source/build/CMakeCache.txt urts RDRAND
+-	$(MAKE) -C source/build
+	$(MAKE) -C source/build VERBOSE=1
+ ifeq ($(USE_HOST_CPPMICROSERVICES), 0)
+ 	$(CP) $(CPPMICROSERVICES) source/build/bin/
+ endif
+-- 
+2.48.1
+
--- a/0015-Fix-modern-C-function-prototype-compliance.patch
+++ b/0015-Fix-modern-C-function-prototype-compliance.patch
@ -0,0 +1,43 @@
+From f70028402c31652c65277291e93b4c565c8863ad Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?= <berrange@redhat.com>
+Date: Mon, 31 Mar 2025 10:55:25 +0100
+Subject: [PATCH 15/16] Fix modern C function prototype compliance
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
+---
+ common/inc/internal/se_cdefs.h           | 2 +-
+ sdk/debugger_interface/linux/se_ptrace.c | 2 +-
+ 2 files changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/common/inc/internal/se_cdefs.h b/common/inc/internal/se_cdefs.h
+index edbe25fa..76083b02 100644
+--- a/common/inc/internal/se_cdefs.h
+++ b/common/inc/internal/se_cdefs.h
+@@ -94,7 +94,7 @@
+ 
+ #define SGX_ACCESS_VERSION(libname, num)                    \
+     MY_EXTERN char sgx_##libname##_version[];          \
+-    MY_EXTERN char * __attribute__((destructor)) libname##_access_version_dummy##num()      \
+    MY_EXTERN char * __attribute__((destructor)) libname##_access_version_dummy##num(void)  \
+     {                                                                                       \
+         sgx_##libname##_version[0] = 's';                                                   \
+         return sgx_##libname##_version;                                                     \
+diff --git a/sdk/debugger_interface/linux/se_ptrace.c b/sdk/debugger_interface/linux/se_ptrace.c
+index 8e4e7600..8c38bb68 100644
+--- a/sdk/debugger_interface/linux/se_ptrace.c
+++ b/sdk/debugger_interface/linux/se_ptrace.c
+@@ -76,7 +76,7 @@ typedef pid_t (*waitpid_t)(pid_t pid, int *status, int options);
+ 
+ static ptrace_t g_sys_ptrace = NULL;
+ static waitpid_t g_sys_waitpid = NULL;
+-__attribute__((constructor)) void init()
+__attribute__((constructor)) void init(void)
+ {
+     g_sys_ptrace = (ptrace_t)dlsym(RTLD_NEXT, "ptrace");
+     g_sys_waitpid = (waitpid_t)dlsym(RTLD_NEXT, "waitpid");
+-- 
+2.48.1
+
--- a/0016-Add-wrapper-for-nasm-to-fix-cmake-compat.patch
+++ b/0016-Add-wrapper-for-nasm-to-fix-cmake-compat.patch
@ -0,0 +1,69 @@
+From dc2be9ad1955e85006604ef2840357a1dedf856c Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?= <berrange@redhat.com>
+Date: Wed, 2 Apr 2025 17:11:25 +0100
+Subject: [PATCH 16/16] Add wrapper for nasm to fix cmake compat
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+cmake needs to detect nasm by running with the '-v' arg, but it
+cannot cope with the nasm command being anything other than a
+single binary name - it won't accept & pass on args during the
+detection phase. Thus a further wrapper is needed.
+
+Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
+---
+ build-scripts/sgx-nasm.sh        | 12 ++++++++++++
+ external/ippcp_internal/Makefile |  8 +++++---
+ 2 files changed, 17 insertions(+), 3 deletions(-)
+ create mode 100755 build-scripts/sgx-nasm.sh
+
+diff --git a/build-scripts/sgx-nasm.sh b/build-scripts/sgx-nasm.sh
+new file mode 100755
+index 00000000..4ad75f73
+--- /dev/null
+++ b/build-scripts/sgx-nasm.sh
+@@ -0,0 +1,12 @@
+#!/bin/sh
+
+set -e
+
+if test "$1" == "-v"
+then
+    exec nasm -v
+else
+    here=$(dirname $0)
+    echo python ${here}/sgx-asm-pp.py --assembler=nasm --MITIGATION-CVE-2020-0551=${MITIGATION} "$@"
+    exec python ${here}/sgx-asm-pp.py --assembler=nasm --MITIGATION-CVE-2020-0551=${MITIGATION} "$@"
+fi
+diff --git a/external/ippcp_internal/Makefile b/external/ippcp_internal/Makefile
+index 70718f5e..d8efe418 100644
+--- a/external/ippcp_internal/Makefile
+++ b/external/ippcp_internal/Makefile
+@@ -58,10 +58,12 @@ IPP_CONFIG += -DIPPCP_FIPS_MODE=on  -DFIPS_CUSTOM_IPPCP_API_HEADER=$(CURDIR)/inc
+ SUB_DIR = no_mitigation
+ ifeq ($(MITIGATION-CVE-2020-0551), LOAD)
+ 	SUB_DIR = cve_2020_0551_load
+-	PRE_CONFIG= ASM_NASM="python $(DIR)/../../build-scripts/sgx-asm-pp.py --assembler=nasm --MITIGATION-CVE-2020-0551=LOAD"
+	PRE_CONFIG = ASM_NASM="$(DIR)/../../build-scripts/sgx-nasm.sh"
+        POST_CONFIG = MITIGATION=LOAD
+ else ifeq ($(MITIGATION-CVE-2020-0551), CF)
+ 	SUB_DIR = cve_2020_0551_cf
+-	PRE_CONFIG= ASM_NASM="python $(DIR)/../../build-scripts/sgx-asm-pp.py --assembler=nasm --MITIGATION-CVE-2020-0551=CF"
+	PRE_CONFIG = ASM_NASM="$(DIR)/../../build-scripts/sgx-nasm.sh"
+	POST_CONFIG = MITIGATION=CF
+ endif
+ OUT_DIR = lib/linux/$(ARCH)/$(SUB_DIR)/
+ 
+@@ -84,7 +86,7 @@ all: build_ipp
+ 	$(CP) ipp-crypto/LICENSE ./license/
+ 
+ build_ipp: $(CHECK_SOURCE)
+-	cd $(IPP_SOURCE) && $(PRE_CONFIG) cmake CMakeLists.txt $(IPP_CONFIG) && cd build && make ippcp_s
+	cd $(IPP_SOURCE) && $(PRE_CONFIG) cmake CMakeLists.txt $(IPP_CONFIG) && cd build && $(POST_CONFIG) make ippcp_s
+ 
+ $(IPP_SOURCE)/build:
+ ifeq ($(IPP_USE_GIT), 1)
+-- 
+2.48.1
+
--- a/0050-Disable-inclusion-of-AESM-in-installer.patch
+++ b/0050-Disable-inclusion-of-AESM-in-installer.patch
@ -1,7 +1,7 @@
-From 820d3a2491ddc9b9b02bc9530e89bc5f5b557139 Mon Sep 17 00:00:00 2001
+From 07f39d2eb84d66fd19d025856747c5521068f26c Mon Sep 17 00:00:00 2001
 From: =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?= <berrange@redhat.com>
 Date: Tue, 11 Feb 2025 14:58:58 +0000
-Subject: [PATCH 13/13] Disable inclusion of AESM in installer
+Subject: [PATCH] Disable inclusion of AESM in installer
 MIME-Version: 1.0
 Content-Type: text/plain; charset=UTF-8
 Content-Transfer-Encoding: 8bit
@ -77,5 +77,5 @@ index a810d6b9..82a07af1 100644
 
 # COPY_AES: currently copy le, qe, pve, pce, qe3
 -- 
-2.46.0
+2.48.1

--- a/0100-Drop-use-of-bundled-pre-built-openssl.patch
+++ b/0100-Drop-use-of-bundled-pre-built-openssl.patch
@ -1,7 +1,7 @@
 From d70390caa01c88dd681e6ce68f850d26a33bb838 Mon Sep 17 00:00:00 2001
 From: =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?= <berrange@redhat.com>
 Date: Mon, 26 Feb 2024 12:19:51 +0000
-Subject: [PATCH 100/112] Drop use of bundled pre-built openssl
+Subject: [PATCH 100/116] Drop use of bundled pre-built openssl
 MIME-Version: 1.0
 Content-Type: text/plain; charset=UTF-8
 Content-Transfer-Encoding: 8bit
@ -188,5 +188,5 @@ index a20a3cd..c8e1d01 100644
 debug:
 	$(PCKCERTSEL_VERBOSE)$(MAKE) DEBUG=1 all
 -- 
-2.46.0
+2.48.1

--- a/0101-Improve-debuggability-of-build-system.patch
+++ b/0101-Improve-debuggability-of-build-system.patch
@ -1,7 +1,7 @@
-From 015be80fb831f9fe5f364f82448acbd0c998df95 Mon Sep 17 00:00:00 2001
+From b4d3b1401e16a557bcba1fe02b525bd5c26ee532 Mon Sep 17 00:00:00 2001
 From: =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?= <berrange@redhat.com>
 Date: Fri, 1 Mar 2024 12:05:01 +0000
-Subject: [PATCH 101/112] Improve debuggability of build system
+Subject: [PATCH 101/116] Improve debuggability of build system
 MIME-Version: 1.0
 Content-Type: text/plain; charset=UTF-8
 Content-Transfer-Encoding: 8bit
@ -12,8 +12,9 @@ Don't hide commands that are run, so compiler flags are visible.
 Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
 ---
 QuoteGeneration/qcnl/linux/Makefile           |  2 +-
+ QuoteVerification/appraisal/qal/Makefile      |  2 +-
 .../dcap_quoteverify/linux/Makefile           | 28 +++++++++----------
- 2 files changed, 15 insertions(+), 15 deletions(-)
+ 3 files changed, 16 insertions(+), 16 deletions(-)

 diff --git a/QuoteGeneration/qcnl/linux/Makefile b/QuoteGeneration/qcnl/linux/Makefile
 index f043575..bfe9c61 100644
@ -28,6 +29,19 @@ index f043575..bfe9c61 100644
 force_look:
 	true
 
+diff --git a/QuoteVerification/appraisal/qal/Makefile b/QuoteVerification/appraisal/qal/Makefile
+index 139848a..cd361c4 100644
+--- a/QuoteVerification/appraisal/qal/Makefile
+++ b/QuoteVerification/appraisal/qal/Makefile
+@@ -128,7 +128,7 @@ $(QAL_CXX_Common_Objs): %.o: ../common/%.cpp
+ 	$(CXX) $(QAL_Cpp_Flags) -c $< -o $@
+ 
+ wasm_lib:
+-	test -f $(WARM_Lib_Path)/libvmlib.a || ($(MKDIR) $(WARM_Lib_Path) && cd $(WARM_Lib_Path) && cmake .. $(WASM_CONFIG) && $(MAKE) vmlib)
+	test -f $(WARM_Lib_Path)/libvmlib.a || ($(MKDIR) $(WARM_Lib_Path) && cd $(WARM_Lib_Path) && cmake .. $(WASM_CONFIG) && $(MAKE) vmlib VERBOSE=1)
+ 
+ clean:
+ 	$(RM) $(QAL_Obj_Files) $(Target_Lib_Name) $(Target_Lib_Name).$(SGX_MAJOR_VER) $(Target_Static_Lib_Name) $(BUILD_DIR)/$(Target_Lib_Name) $(QVL_Cpp_Obj_Files)
 diff --git a/QuoteVerification/dcap_quoteverify/linux/Makefile b/QuoteVerification/dcap_quoteverify/linux/Makefile
 index fba7f43..5979699 100644
 --- a/QuoteVerification/dcap_quoteverify/linux/Makefile
@ -114,5 +128,5 @@ index fba7f43..5979699 100644
 .PHONY: qal
 qal: 
 -- 
-2.46.0
+2.48.1

--- a/0102-Support-build-time-setting-of-enclave-load-directory.patch
+++ b/0102-Support-build-time-setting-of-enclave-load-directory.patch
@ -1,7 +1,7 @@
-From 6433514bb00f1fe166cb99a2b3a0bb979bb11fbd Mon Sep 17 00:00:00 2001
+From edcd2d044a8e20cf8d2e1cebba7f74f2573c9ae5 Mon Sep 17 00:00:00 2001
 From: =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?= <berrange@redhat.com>
 Date: Mon, 26 Feb 2024 12:19:51 +0000
-Subject: [PATCH 102/112] Support build time setting of enclave load directory
+Subject: [PATCH 102/116] Support build time setting of enclave load directory
 MIME-Version: 1.0
 Content-Type: text/plain; charset=UTF-8
 Content-Transfer-Encoding: 8bit
@ -143,7 +143,7 @@ index dbbe2af..a57e082 100644
         NULL != dl_info.dli_fname)
     {
 diff --git a/QuoteVerification/appraisal/qal/Makefile b/QuoteVerification/appraisal/qal/Makefile
-index 139848a..c63c1e0 100644
+index cd361c4..ead4a5d 100644
 --- a/QuoteVerification/appraisal/qal/Makefile
 +++ b/QuoteVerification/appraisal/qal/Makefile
@@ -49,7 +49,7 @@ QAL_Include_Path := -I./ \
@ -259,5 +259,5 @@ index d9c2bac..1065949 100644
 App_Link_Flags +=  -lcurl -ldl -lpthread
 ifeq ($(STANDALONE), 1)
 -- 
-2.46.0
+2.48.1

--- a/0103-Look-for-versioned-sgx_urts-library-in-PCKRetrievalT.patch
+++ b/0103-Look-for-versioned-sgx_urts-library-in-PCKRetrievalT.patch
@ -1,7 +1,7 @@
-From f91fe574c57080ca8818473c8f140f555fbafaf7 Mon Sep 17 00:00:00 2001
+From 3cbab8069678b15276d7a8d2d0c7aa34532ad4af Mon Sep 17 00:00:00 2001
 From: =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?= <berrange@redhat.com>
 Date: Tue, 27 Feb 2024 15:46:41 +0000
-Subject: [PATCH 103/112] Look for versioned sgx_urts library in
+Subject: [PATCH 103/116] Look for versioned sgx_urts library in
 PCKRetrievalTool
 MIME-Version: 1.0
 Content-Type: text/plain; charset=UTF-8
@ -40,5 +40,5 @@ index d77a6eb..d195717 100644
     }
 #endif
 -- 
-2.46.0
+2.48.1

--- a/0104-Don-t-import-pypac-in-pccsadmin.patch
+++ b/0104-Don-t-import-pypac-in-pccsadmin.patch
@ -1,7 +1,7 @@
-From 56067e04cecad42779a42420f8acbf2635481f67 Mon Sep 17 00:00:00 2001
+From 2609841a9ddedd4c3f22778bff0aa399ce6d4f9a Mon Sep 17 00:00:00 2001
 From: =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?= <berrange@redhat.com>
 Date: Tue, 27 Feb 2024 20:28:24 +0000
-Subject: [PATCH 104/112] Don't import pypac in pccsadmin
+Subject: [PATCH 104/116] Don't import pypac in pccsadmin
 MIME-Version: 1.0
 Content-Type: text/plain; charset=UTF-8
 Content-Transfer-Encoding: 8bit
@ -29,5 +29,5 @@ index 9f1d224..af1e78e 100644
 from lib.intelsgx.credential import Credentials
 from requests.adapters import HTTPAdapter
 -- 
-2.46.0
+2.48.1

--- a/0105-Look-for-PCKRetrievalTool-config-file-in-etc.patch
+++ b/0105-Look-for-PCKRetrievalTool-config-file-in-etc.patch
@ -1,7 +1,7 @@
-From ec86bb174a3ba05adebbfa9e58d0d3a24888d5dd Mon Sep 17 00:00:00 2001
+From eb1018b10a5adedcdc1ae3cf8f5d8be6de5b7d6d Mon Sep 17 00:00:00 2001
 From: =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?= <berrange@redhat.com>
 Date: Thu, 29 Feb 2024 14:21:36 +0000
-Subject: [PATCH 105/112] Look for PCKRetrievalTool config file in /etc/
+Subject: [PATCH 105/116] Look for PCKRetrievalTool config file in /etc/
 MIME-Version: 1.0
 Content-Type: text/plain; charset=UTF-8
 Content-Transfer-Encoding: 8bit
@ -39,5 +39,5 @@ index e423f38..36f219b 100644
         if(strnlen(local_configuration_file_path ,MAX_PATH)+strnlen(LOCAL_NETWORK_SETTING,MAX_PATH)+sizeof(char) > MAX_PATH) {
             return false;
 -- 
-2.46.0
+2.48.1

--- a/0106-Honour-CFLAGS-CXXFLAGS-LDFLAGS-for-various-tools-and.patch
+++ b/0106-Honour-CFLAGS-CXXFLAGS-LDFLAGS-for-various-tools-and.patch
@ -0,0 +1,209 @@
+From c1773ce8ab60a0d887a52b821de28d6fd996b7f4 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?= <berrange@redhat.com>
+Date: Fri, 28 Mar 2025 16:00:27 +0000
+Subject: [PATCH 106/116] Honour CFLAGS/CXXFLAGS/LDFLAGS for various tools and
+ libraries
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
+---
+ QuoteGeneration/qcnl/linux/Makefile                 | 7 ++++---
+ QuoteGeneration/qpl/linux/Makefile                  | 4 ++--
+ QuoteGeneration/quote_wrapper/qgs/Makefile          | 2 +-
+ QuoteGeneration/quote_wrapper/ql/linux/Makefile     | 7 ++++---
+ QuoteGeneration/quote_wrapper/quote/linux/Makefile  | 2 +-
+ QuoteVerification/dcap_quoteverify/linux/Makefile   | 6 +++---
+ tools/PCKCertSelection/PCKCertSelectionLib/Makefile | 4 ++--
+ tools/PCKRetrievalTool/Makefile                     | 9 +++++----
+ tools/SGXPlatformRegistration/package/Makefile      | 2 +-
+ tools/SGXPlatformRegistration/tool/Makefile         | 2 +-
+ 10 files changed, 24 insertions(+), 21 deletions(-)
+
+diff --git a/QuoteGeneration/qcnl/linux/Makefile b/QuoteGeneration/qcnl/linux/Makefile
+index bfe9c61..531f40b 100644
+--- a/QuoteGeneration/qcnl/linux/Makefile
+++ b/QuoteGeneration/qcnl/linux/Makefile
+@@ -46,12 +46,13 @@ CNL_Lib_Include_Paths := -I../../quote_wrapper/common/inc       \
+                          -I../../../QuoteVerification/QVL/Src/ThirdParty/rapidjson/include/rapidjson	\
+                          -I../../../tools/PCKCertSelection/include
+ 
+-CNL_Lib_C_Flags := $(COMMON_FLAGS) -g -fPIC -Wno-attributes $(CNL_Lib_Include_Paths) $(pkg-config --cflags libcrypto)
+CNL_Lib_Common_Flags := $(COMMON_FLAGS) -g -fPIC -Wno-attributes $(CNL_Lib_Include_Paths) $(pkg-config --cflags libcrypto)
+CNL_Lib_C_Flags := $(CFLAGS) $(CNL_Lib_Common_Flags)
+ 
+-LDUFLAGS:= -pthread $(COMMON_LDFLAGS)
+LDUFLAGS:= $(LDFLAGS) -pthread $(COMMON_LDFLAGS)
+ LDUFLAGS += -Wl,--version-script=sgx_default_qcnl.lds -Wl,--gc-sections
+ 
+-CNL_Lib_Cpp_Flags := $(CNL_Lib_C_Flags) -std=c++11
+CNL_Lib_Cpp_Flags := $(CXXFLAGS) $(CNL_Lib_Common_Flags) -std=c++11
+ 
+ ifdef SELF_SIGNED_CERT
+ CNL_Lib_Cpp_Flags+= -DSELF_SIGNED_CERT
+diff --git a/QuoteGeneration/qpl/linux/Makefile b/QuoteGeneration/qpl/linux/Makefile
+index 204234c..d703c45 100644
+--- a/QuoteGeneration/qpl/linux/Makefile
+++ b/QuoteGeneration/qpl/linux/Makefile
+@@ -48,9 +48,9 @@ QPL_Lib_C_Flags := $(COMMON_FLAGS) -g -fPIC -Wno-attributes $(QPL_Lib_Include_Pa
+ LDUFLAGS:= -pthread $(COMMON_LDFLAGS)
+ LDUFLAGS += -Wl,--version-script=sgx_default_quote_provider.lds -Wl,--gc-sections
+ 
+-QPL_Lib_Cpp_Flags := $(QPL_Lib_C_Flags) -std=c++11
+QPL_Lib_Cpp_Flags := $(CXXFLAGS) $(QPL_Lib_C_Flags) -std=c++11
+ 
+-QPL_Lib_Link_Flags := $(SGX_COMMON_FLAGS) -g -L$(TOP_DIR)/build/linux -L$(SGX_SDK)/lib64 \
+QPL_Lib_Link_Flags := $(LDFLAGS) $(SGX_COMMON_FLAGS) -g -L$(TOP_DIR)/build/linux -L$(SGX_SDK)/lib64 \
+         -lcrypto -lsgx_default_qcnl_wrapper -lpthread -ldl
+  
+ ifndef DEBUG
+diff --git a/QuoteGeneration/quote_wrapper/qgs/Makefile b/QuoteGeneration/quote_wrapper/qgs/Makefile
+index 5d87e4d..8228bdf 100644
+--- a/QuoteGeneration/quote_wrapper/qgs/Makefile
+++ b/QuoteGeneration/quote_wrapper/qgs/Makefile
+@@ -51,7 +51,7 @@ endif
+ DEPENDS = ${QGS_OBJS test_client.o:.o=.d}
+ 
+ # SGX related libraries
+-QGS_LFLAGS = -L$(TOP_DIR)/build/linux -lsgx_tdx_logic -lsgx_pce_logic -ldl \
+QGS_LFLAGS = $(LDFLAGS) -L$(TOP_DIR)/build/linux -lsgx_tdx_logic -lsgx_pce_logic -ldl \
+              -L$(SGX_SDK)/lib64 -lsgx_urts -g
+ # add boost_system for link
+ QGS_LFLAGS += -lboost_system -lboost_thread -lpthread
+diff --git a/QuoteGeneration/quote_wrapper/ql/linux/Makefile b/QuoteGeneration/quote_wrapper/ql/linux/Makefile
+index c5d877b..2983665 100644
+--- a/QuoteGeneration/quote_wrapper/ql/linux/Makefile
+++ b/QuoteGeneration/quote_wrapper/ql/linux/Makefile
+@@ -48,13 +48,14 @@ QL_Lib_C_Files := se_trace.c se_thread.c
+ QL_Lib_Include_Paths := -I../../common/inc -I./ -I$(SGX_SDK)/include -I../../../common/inc/internal 
+ QL_Lib_Include_Paths += -I../../quote/inc -I../../../pce_wrapper/inc -I../inc
+ 
+-QL_Lib_C_Flags := $(COMMON_FLAGS) -g -fPIC -Wno-attributes $(QL_Lib_Include_Paths)
+QL_Lib_Common_Flags := $(COMMON_FLAGS) -g -fPIC -Wno-attributes $(QL_Lib_Include_Paths)
+QL_Lib_C_Flags := $(CFLAGS) $(QL_Lib_Common_Flags)
+ 
+ LDUFLAGS:= -pthread $(COMMON_LDFLAGS)
+ LDUFLAGS += -Wl,--version-script=dcap_ql_wrapper.lds -Wl,--gc-sections
+ 
+-QL_Lib_Cpp_Flags := $(QL_Lib_C_Flags) -std=c++11
+-QL_Lib_Link_Flags := $(SGX_COMMON_FLAGS) -g -L$(Quote_Library_Dir) -lsgx_qe3_logic -L$(PCE_Library_Dir) -lsgx_pce_logic -L$(TOP_DIR)/build/linux -L$(SGX_SDK)/lib64 -lpthread -ldl
+QL_Lib_Cpp_Flags := $(CXXFLAGS) $(QL_Lib_Common_Flags) -std=c++11
+QL_Lib_Link_Flags := $(LDFLAGS) $(SGX_COMMON_FLAGS) -g -L$(Quote_Library_Dir) -lsgx_qe3_logic -L$(PCE_Library_Dir) -lsgx_pce_logic -L$(TOP_DIR)/build/linux -L$(SGX_SDK)/lib64 -lpthread -ldl
+ 
+ QL_Lib_Cpp_Flags += -DDISABLE_TRACE
+ QL_Lib_Link_Flags += -DDISABLE_TRACE
+diff --git a/QuoteGeneration/quote_wrapper/quote/linux/Makefile b/QuoteGeneration/quote_wrapper/quote/linux/Makefile
+index 7d0b398..9b8c936 100644
+--- a/QuoteGeneration/quote_wrapper/quote/linux/Makefile
+++ b/QuoteGeneration/quote_wrapper/quote/linux/Makefile
+@@ -52,7 +52,7 @@ Quote_Include_Paths := -I$(SGX_SDK)/include -I../inc -I../../common/inc -I./ -I.
+ Quote_C_Flags := $(COMMON_FLAGS) -g -fPIC -Wno-attributes $(Quote_Include_Paths)
+ 
+ Quote_Cpp_Flags := $(Quote_C_Flags) -std=c++11 -DSGX_ENCLAVE_PATH="\"$(SGX_ENCLAVE_PATH)\""
+-Quote_Link_Flags := $(COMMON_FLAGS) -g -L$(ROOT_DIR)/build/linux -L$(SGX_SDK)/lib64 -lsgx_urts -lpthread -ldl
+Quote_Link_Flags := $(COMMON_FLAGS) -g -L$(ROOT_DIR)/build/linux -L$(SGX_SDK)/lib64 -lsgx_urts -lpthread -ldl $(LDFLAGS)
+ 
+ ifndef DEBUG
+ Quote_Cpp_Flags += -DDISABLE_TRACE
+diff --git a/QuoteVerification/dcap_quoteverify/linux/Makefile b/QuoteVerification/dcap_quoteverify/linux/Makefile
+index c9f11a0..56095ac 100644
+--- a/QuoteVerification/dcap_quoteverify/linux/Makefile
+++ b/QuoteVerification/dcap_quoteverify/linux/Makefile
+@@ -54,8 +54,8 @@ QVL_VERIFY_INC	:= -I$(QVE_SRC_PATH)/Include \
+ 
+ QPL_BASE64_CPP_DEP	:= $(DCAP_QPL_DIR)/sgx_base64.d
+ 
+-SGX_COMMON_CFLAGS	+= -g -fPIC -Wno-attributes -USGX_TRUSTED
+-SGX_COMMON_CXXFLAGS	+= -g -fPIC -USGX_TRUSTED -DSGX_ENCLAVE_PATH="\"$(SGX_ENCLAVE_PATH)\""
+SGX_COMMON_CFLAGS	+= $(CFLAGS) -g -fPIC -Wno-attributes -USGX_TRUSTED
+SGX_COMMON_CXXFLAGS	+= $(CXXFLAGS) -g -fPIC -USGX_TRUSTED -DSGX_ENCLAVE_PATH="\"$(SGX_ENCLAVE_PATH)\""
+ 
+ QVL_LIB_OBJS := $(QVL_LIB_FILES:.cpp=_untrusted.o)
+ QVL_PARSER_OBJS := $(QVL_PARSER_FILES:.cpp=_untrusted.o)
+@@ -65,7 +65,7 @@ QVL_PARSER := sgx_dcap_qvl_attestation
+ QVL_LIB_NAME := lib$(QVL_LIB).a
+ QVL_PARSER_NAME := lib$(QVL_PARSER).a
+ 
+-LDUFLAGS	:= -pthread -ldl -L. -l$(QVL_LIB) -l$(QVL_PARSER) $(COMMON_LDFLAGS) -lcrypto
+LDUFLAGS	:= $(LDFLAGS) -pthread -ldl -L. -l$(QVL_LIB) -l$(QVL_PARSER) $(COMMON_LDFLAGS) -lcrypto
+ LDUFLAGS	+= -Wl,--version-script=sgx_dcap_quoteverify.lds -Wl,--gc-sections
+ 
+ QVL_VERIFY_CPP_SRCS := $(wildcard ../*.cpp) $(wildcard *.cpp)
+diff --git a/tools/PCKCertSelection/PCKCertSelectionLib/Makefile b/tools/PCKCertSelection/PCKCertSelectionLib/Makefile
+index 12c0d35..c106ab4 100644
+--- a/tools/PCKCertSelection/PCKCertSelectionLib/Makefile
+++ b/tools/PCKCertSelection/PCKCertSelectionLib/Makefile
+@@ -129,11 +129,11 @@ DEBUG_FLAGS := -m64 -O0 -g
+ RELEASE_FLAGS := -m64 -O2 $(COMMON_FLAGS)
+ 
+ # basic library c build flags
+-C_FLAGS	:= -fPIC -fvisibility=hidden -fvisibility-inlines-hidden -Werror -Wno-overloaded-virtual $(LIB_INCLUDE_PATHS)
+C_FLAGS	:= $(CFLAGS) -fPIC -fvisibility=hidden -fvisibility-inlines-hidden -Werror -Wno-overloaded-virtual $(LIB_INCLUDE_PATHS)
+ C_FLAGS += -UPCK_CERT_SELECTION_WITH_COMPONENT
+ 
+ # link flags, link openssl crypto
+-LINK_FLAGS := -shared -lcrypto -lpthread -ldl
+LINK_FLAGS := $(LDFLAGS) -shared -lcrypto -lpthread -ldl
+ LINK_FLAGS += -Wl,--version-script=pck_cert_selection.lds -Wl,--gc-sections
+ 
+ # debug/release switch
+diff --git a/tools/PCKRetrievalTool/Makefile b/tools/PCKRetrievalTool/Makefile
+index 1065949..b6968c6 100644
+--- a/tools/PCKRetrievalTool/Makefile
+++ b/tools/PCKRetrievalTool/Makefile
+@@ -108,8 +108,9 @@ App_Include_Paths += -I ../../QuoteGeneration/ae/inc/internal -I ../SGXPlatformR
+ 
+ App_C_Flags := $(COMMON_FLAGS) -fPIC -Wno-attributes $(App_Include_Paths)
+ 
+-App_Cpp_Flags := $(App_C_Flags) -std=c++11 -DSGX_ENCLAVE_PATH="\"$(SGX_ENCLAVE_PATH)\""
+-App_Link_Flags := $(SGX_COMMON_CFLAGS) -Wl,-z,relro,-z,now,-z,noexecstack
+App_Cpp_Flags := $(CXXFLAGS) $(App_C_Flags) -std=c++11 -DSGX_ENCLAVE_PATH="\"$(SGX_ENCLAVE_PATH)\""
+App_C_Flags += $(CFLAGS)
+App_Link_Flags := $(CXXFLAGS) $(LDFLAGS) $(SGX_COMMON_CFLAGS) -Wl,-z,relro,-z,now,-z,noexecstack
+ App_Link_Flags +=  -lcurl -ldl -lpthread
+ ifeq ($(STANDALONE), 1)
+ 	App_Link_Flags += -Wl,-rpath,$ORIGIN
+@@ -139,11 +140,11 @@ App/id_enclave_u.c:
+ 	echo "GEN  =>  $@"
+ 
+ App/id_enclave_u.o: App/id_enclave_u.c
+-	@$(CC) $(App_C_Flags) -c $< -o $@
+	$(CC) $(App_C_Flags) -c $< -o $@
+ 	@echo "CC   <=  $<"
+ 
+ App/pce_u.o: App/pce_u.c
+-	@$(CC) $(App_C_Flags) -c $< -o $@
+	$(CC) $(App_C_Flags) -c $< -o $@
+ 	@echo "CC   <=  $<"
+ 
+ App/%.o: App/%.cpp
+diff --git a/tools/SGXPlatformRegistration/package/Makefile b/tools/SGXPlatformRegistration/package/Makefile
+index 0c3aec1..adc00f5 100755
+--- a/tools/SGXPlatformRegistration/package/Makefile
+++ b/tools/SGXPlatformRegistration/package/Makefile
+@@ -73,7 +73,7 @@ else
+ 	CXXFLAGS += -DMP_VERIFY_INTERNAL_DATA_STRUCT_WRITE=0 -DMP_VERIFY_INTERNAL_DATA_STRUCT_READ=0 $(COMMON_FLAGS)
+ endif
+ 
+-LDFLAGS := $(COMMON_LDFLAGS)
+LDFLAGS += $(COMMON_LDFLAGS)
+ 
+ all: $(MPA_REGISTRATION_EXEC) 
+ 
+diff --git a/tools/SGXPlatformRegistration/tool/Makefile b/tools/SGXPlatformRegistration/tool/Makefile
+index 4937fe9..83aefee 100644
+--- a/tools/SGXPlatformRegistration/tool/Makefile
+++ b/tools/SGXPlatformRegistration/tool/Makefile
+@@ -69,7 +69,7 @@ CPP_SRCS += $(MPA_REGISTRATION_CORE_DIR)/src/AgentConfiguration.cpp $(MPA_REGIST
+ CPP_OBJS := $(CPP_SRCS:.cpp=.o)
+ CPP_DEPS := $(CPP_OBJS:%.o=%.d)
+ 
+-LDFLAGS := $(COMMON_LDFLAGS)
+LDFLAGS += $(COMMON_LDFLAGS)
+ ifeq ($(STANDALONE), 1)
+ 	LDFLAGS += '-Wl,-rpath,$$ORIGIN'
+ 	CXXFLAGS += '-DSTANDALONE'
+-- 
+2.48.1
+
--- a/0107-qgs-add-space-between-program-name-first-arg-in-usag.patch
+++ b/0107-qgs-add-space-between-program-name-first-arg-in-usag.patch
@ -1,7 +1,7 @@
-From 17fa2fd409f228623f4b86f5997e74cb43f3bd2f Mon Sep 17 00:00:00 2001
+From a74ede38e306ff82ddbaf094d6148dc1bf9e524c Mon Sep 17 00:00:00 2001
 From: =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?= <berrange@redhat.com>
 Date: Thu, 3 Oct 2024 14:42:29 +0100
-Subject: [PATCH 107/112] qgs: add space between program name & first arg in
+Subject: [PATCH 107/116] qgs: add space between program name & first arg in
 usage
 MIME-Version: 1.0
 Content-Type: text/plain; charset=UTF-8
@ -35,5 +35,5 @@ index 478dbfe..3618b5a 100644
             exit(1);
         }
 -- 
-2.46.0
+2.48.1

--- a/0108-qgs-protect-against-format-strings-in-QL-log-message.patch
+++ b/0108-qgs-protect-against-format-strings-in-QL-log-message.patch
@ -1,7 +1,7 @@
-From 3f9b4a9fbce0e29f33680fffa881f67ab31d4bb3 Mon Sep 17 00:00:00 2001
+From 1e760dc7a67d601121b625e0d2bd7b2fe8b7b042 Mon Sep 17 00:00:00 2001
 From: =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?= <berrange@redhat.com>
 Date: Fri, 4 Oct 2024 09:43:17 +0100
-Subject: [PATCH 108/112] qgs: protect against format strings in QL log
+Subject: [PATCH 108/116] qgs: protect against format strings in QL log
 messages
 MIME-Version: 1.0
 Content-Type: text/plain; charset=UTF-8
@ -35,5 +35,5 @@ index 77838c3..1e97b58 100644
 }
 
 -- 
-2.46.0
+2.48.1

--- a/0109-qgs-add-debug-parameter-to-control-logging.patch
+++ b/0109-qgs-add-debug-parameter-to-control-logging.patch
@ -1,7 +1,7 @@
-From b2a17ca9e38c8d81bcc1fedefd92c59721b2de75 Mon Sep 17 00:00:00 2001
+From ddd7a6a15ed433b1bd75c620f3c075609d5f3c94 Mon Sep 17 00:00:00 2001
 From: =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?= <berrange@redhat.com>
 Date: Thu, 3 Oct 2024 16:57:35 +0100
-Subject: [PATCH 109/112] qgs: add --debug parameter to control logging
+Subject: [PATCH 109/116] qgs: add --debug parameter to control logging
 MIME-Version: 1.0
 Content-Type: text/plain; charset=UTF-8
 Content-Transfer-Encoding: 8bit
@ -125,5 +125,5 @@ index 3618b5a..a65a985 100644
             exit(1);
         }
 -- 
-2.46.0
+2.48.1

--- a/0110-pccsadmin-remove-leftover-debugging-print-args-state.patch
+++ b/0110-pccsadmin-remove-leftover-debugging-print-args-state.patch
@ -1,7 +1,7 @@
-From 497df1056cdc0571a73aa3dc5410a020d1cc6a3e Mon Sep 17 00:00:00 2001
+From d4fa45636b1a58cf832fd7b955ef1b3f2368d526 Mon Sep 17 00:00:00 2001
 From: =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?= <berrange@redhat.com>
 Date: Tue, 8 Oct 2024 10:13:02 +0100
-Subject: [PATCH 110/112] pccsadmin: remove leftover debugging 'print(args)'
+Subject: [PATCH 110/116] pccsadmin: remove leftover debugging 'print(args)'
 statement
 MIME-Version: 1.0
 Content-Type: text/plain; charset=UTF-8
@ -29,5 +29,5 @@ index ffee326..8e447c5 100755
     if args.command == 'put' and args.url and args.url.endswith("/appraisalpolicy"):
         if not args.fmspc or not args.input_file:
 -- 
-2.46.0
+2.48.1

--- a/0111-Fix-soname-version-for-libsgx_qe3_logic.so-library.patch
+++ b/0111-Fix-soname-version-for-libsgx_qe3_logic.so-library.patch
@ -1,7 +1,7 @@
-From 0600caaa2b2f0ce8c6a4667d5d09ffeadcd760d4 Mon Sep 17 00:00:00 2001
+From d9b93bb6836027b94ba93980002d7f2f7cc81415 Mon Sep 17 00:00:00 2001
 From: =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?= <berrange@redhat.com>
 Date: Fri, 17 Jan 2025 15:39:39 +0000
-Subject: [PATCH 111/112] Fix soname version for libsgx_qe3_logic.so library
+Subject: [PATCH 111/116] Fix soname version for libsgx_qe3_logic.so library
 MIME-Version: 1.0
 Content-Type: text/plain; charset=UTF-8
 Content-Transfer-Encoding: 8bit
@ -29,7 +29,7 @@ index 471784d..22e0dff 100644
 #define QE3_VERSION                  "1.19.100.1"
 #define QVE_VERSION                  "1.21.100.1"
 diff --git a/QuoteGeneration/quote_wrapper/quote/linux/Makefile b/QuoteGeneration/quote_wrapper/quote/linux/Makefile
-index 7d0b398..1361c4b 100644
+index 9b8c936..c92d782 100644
 --- a/QuoteGeneration/quote_wrapper/quote/linux/Makefile
 +++ b/QuoteGeneration/quote_wrapper/quote/linux/Makefile
@@ -65,6 +65,8 @@ Quote_C_Objects := $(Quote_C_Files:.c=.o)
@ -51,5 +51,5 @@ index 7d0b398..1361c4b 100644
 
 $(BUILD_DIR):
 -- 
-2.46.0
+2.48.1

--- a/0112-Workaround-broken-GCC-15.patch
+++ b/0112-Workaround-broken-GCC-15.patch
@ -1,7 +1,7 @@
-From 546ac41ec1ffe16aac36af0ce4b8572636cc667e Mon Sep 17 00:00:00 2001
+From a3858a707f3f37722d5b851f89cfd61bd9361343 Mon Sep 17 00:00:00 2001
 From: =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?= <berrange@redhat.com>
 Date: Thu, 6 Feb 2025 20:08:59 +0000
-Subject: [PATCH 112/112] Workaround broken GCC 15
+Subject: [PATCH 112/116] Workaround broken GCC 15
 MIME-Version: 1.0
 Content-Type: text/plain; charset=UTF-8
 Content-Transfer-Encoding: 8bit
@ -36,5 +36,5 @@ index 15fbdd4..4400544 100644
 private:
     struct alignas(A)_T_instantiator_
 -- 
-2.46.0
+2.48.1

--- a/0113-Don-t-disable-cf-protection-for-qgs.patch
+++ b/0113-Don-t-disable-cf-protection-for-qgs.patch
@ -0,0 +1,31 @@
+From 9a9cee8d5535320ab7f52388d8cd832c50bd100e Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?= <berrange@redhat.com>
+Date: Wed, 2 Apr 2025 18:39:31 +0100
+Subject: [PATCH 113/116] Don't disable cf-protection for qgs
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
+---
+ QuoteGeneration/quote_wrapper/qgs/Makefile | 4 ----
+ 1 file changed, 4 deletions(-)
+
+diff --git a/QuoteGeneration/quote_wrapper/qgs/Makefile b/QuoteGeneration/quote_wrapper/qgs/Makefile
+index 8228bdf..5116d85 100644
+--- a/QuoteGeneration/quote_wrapper/qgs/Makefile
+++ b/QuoteGeneration/quote_wrapper/qgs/Makefile
+@@ -43,10 +43,6 @@ QGS_INC = -I$(SGX_SDK)/include \
+ 		  -I$(TOP_DIR)/quote_wrapper/qgs_msg_lib/inc
+ QGS_CFLAGS = -g  -MMD $(CFLAGS) $(QGS_INC)
+ QGS_CXXFLAGS = -g  -MMD $(CXXFLAGS) $(QGS_INC)
+-ifeq ($(CC_NO_LESS_THAN_8), 1)
+-    QGS_CFLAGS += -fcf-protection=none
+-    QGS_CXXFLAGS += -fcf-protection=none
+-endif
+ 
+ DEPENDS = ${QGS_OBJS test_client.o:.o=.d}
+ 
+-- 
+2.48.1
+
--- a/0114-Delete-broken-checks-for-GCC-version-that-break-fsta.patch
+++ b/0114-Delete-broken-checks-for-GCC-version-that-break-fsta.patch
@ -0,0 +1,205 @@
+From c765d43c957cb18c7614883b3a4043fed22b8e92 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?= <berrange@redhat.com>
+Date: Thu, 3 Apr 2025 17:44:48 +0100
+Subject: [PATCH 114/116] Delete broken checks for GCC version that break
+ -fstack-protector-strong
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+The expr comparison is performing a string comparison and is thus
+broken for any GCC version >= 10, preventing use of -fstack-protector-strong
+
+Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
+---
+ QuoteGeneration/buildenv.mk                              | 7 +------
+ QuoteGeneration/quote_wrapper/qgs_msg_lib/linux/Makefile | 2 +-
+ QuoteGeneration/quote_wrapper/tdx_attest/linux/Makefile  | 4 ++--
+ QuoteVerification/QvE/Makefile                           | 7 +------
+ QuoteVerification/dcap_tvl/Makefile                      | 7 +------
+ QuoteVerification/dcap_tvl/Makefile.standalone           | 7 +------
+ SampleCode/QuoteAppraisalSample/QAEAppraisal/Makefile    | 8 +-------
+ SampleCode/QuoteGenerationSample/Makefile                | 6 +-----
+ SampleCode/QuoteVerificationSample/Makefile              | 8 +-------
+ tools/PCKRetrievalTool/Makefile                          | 7 +------
+ 10 files changed, 11 insertions(+), 52 deletions(-)
+
+diff --git a/QuoteGeneration/buildenv.mk b/QuoteGeneration/buildenv.mk
+index 0b677db..3fba935 100644
+--- a/QuoteGeneration/buildenv.mk
+++ b/QuoteGeneration/buildenv.mk
+@@ -128,12 +128,7 @@ ifeq ($(CC_NO_LESS_THAN_8), 1)
+ endif
+ 
+ # turn on stack protector for SDK
+-CC_BELOW_4_9 := $(shell expr "`$(CC) -dumpversion`" \< "4.9")
+-ifeq ($(CC_BELOW_4_9), 1)
+-    COMMON_FLAGS += -fstack-protector
+-else
+-    COMMON_FLAGS += -fstack-protector-strong
+-endif
+COMMON_FLAGS += -fstack-protector-strong
+ 
+ ifdef DEBUG
+     COMMON_FLAGS += -O0 -ggdb -DDEBUG -UNDEBUG
+diff --git a/QuoteGeneration/quote_wrapper/qgs_msg_lib/linux/Makefile b/QuoteGeneration/quote_wrapper/qgs_msg_lib/linux/Makefile
+index dff0af2..9ece3cc 100644
+--- a/QuoteGeneration/quote_wrapper/qgs_msg_lib/linux/Makefile
+++ b/QuoteGeneration/quote_wrapper/qgs_msg_lib/linux/Makefile
+@@ -33,7 +33,7 @@
+ TOP_DIR  = ../../..
+ SDK_NOT_REQUIRED = 1
+ ifeq ($(wildcard $(TOP_DIR)/buildenv.mk),)
+-	CXXFLAGS ?= -Wnon-virtual-dtor -std=c++14 -fstack-protector -O2 -D_FORTIFY_SOURCE=2 -UDEBUG -DNDEBUG \
+	CXXFLAGS ?= -Wnon-virtual-dtor -std=c++14 -fstack-protector-strong -O2 -D_FORTIFY_SOURCE=2 -UDEBUG -DNDEBUG \
+ 		-ffunction-sections -fdata-sections -Wall -Wextra -Winit-self -Wpointer-arith -Wreturn-type -Waddress \
+ 		-Wsequence-point -Wformat-security -Wmissing-include-dirs -Wfloat-equal -Wundef -Wshadow -Wcast-align \
+ 		-Wconversion -Wredundant-decls -DITT_ARCH_IA64 -fcf-protection
+diff --git a/QuoteGeneration/quote_wrapper/tdx_attest/linux/Makefile b/QuoteGeneration/quote_wrapper/tdx_attest/linux/Makefile
+index f0a5e36..20f3022 100644
+--- a/QuoteGeneration/quote_wrapper/tdx_attest/linux/Makefile
+++ b/QuoteGeneration/quote_wrapper/tdx_attest/linux/Makefile
+@@ -33,11 +33,11 @@
+ TOP_DIR  = ../../..
+ SDK_NOT_REQUIRED = 1
+ ifeq ($(wildcard $(TOP_DIR)/buildenv.mk),)
+-	CFLAGS ?= -Wjump-misses-init -Wstrict-prototypes -Wunsuffixed-float-constants -fstack-protector -O2 \
+	CFLAGS ?= -Wjump-misses-init -Wstrict-prototypes -Wunsuffixed-float-constants -fstack-protector-strong -O2 \
+ 		-D_FORTIFY_SOURCE=2 -UDEBUG -DNDEBUG -ffunction-sections -fdata-sections -Wall -Wextra -Winit-self \
+ 		-Wpointer-arith -Wreturn-type -Waddress -Wsequence-point -Wformat-security -Wmissing-include-dirs \
+ 		-Wfloat-equal -Wundef -Wshadow -Wcast-align -Wconversion -Wredundant-decls -DITT_ARCH_IA64 -fcf-protection
+-	CXXFLAGS ?= -Wnon-virtual-dtor -std=c++14 -fstack-protector -O2 -D_FORTIFY_SOURCE=2 -UDEBUG -DNDEBUG \
+	CXXFLAGS ?= -Wnon-virtual-dtor -std=c++14 -fstack-protector-strong -O2 -D_FORTIFY_SOURCE=2 -UDEBUG -DNDEBUG \
+ 		-ffunction-sections -fdata-sections -Wall -Wextra -Winit-self -Wpointer-arith -Wreturn-type -Waddress \
+ 		-Wsequence-point -Wformat-security -Wmissing-include-dirs -Wfloat-equal -Wundef -Wshadow -Wcast-align \
+ 		-Wconversion -Wredundant-decls -DITT_ARCH_IA64 -fcf-protection
+diff --git a/QuoteVerification/QvE/Makefile b/QuoteVerification/QvE/Makefile
+index 6532e8f..e5045dd 100644
+--- a/QuoteVerification/QvE/Makefile
+++ b/QuoteVerification/QvE/Makefile
+@@ -101,12 +101,7 @@ endif
+ ifneq ($(DEBUG), 1)
+     ENCLAVE_CFLAGS += -ffunction-sections -fdata-sections
+ endif
+-CC_BELOW_4_9 := $(shell expr "`$(CC) -dumpversion`" \< "4.9")
+-ifeq ($(CC_BELOW_4_9), 1)
+-	ENCLAVE_CFLAGS += -fstack-protector
+-else
+-	ENCLAVE_CFLAGS += -fstack-protector-strong
+-endif
+ENCLAVE_CFLAGS += -fstack-protector-strong
+ 
+ ENCLAVE_CXXFLAGS += $(ENCLAVE_CFLAGS) -std=c++17 -DSGX_TRUSTED -DSGX_JWT -DPICOJSON_USE_LOCALE=0
+ 
+diff --git a/QuoteVerification/dcap_tvl/Makefile b/QuoteVerification/dcap_tvl/Makefile
+index 2d62f28..49b4b68 100644
+--- a/QuoteVerification/dcap_tvl/Makefile
+++ b/QuoteVerification/dcap_tvl/Makefile
+@@ -56,12 +56,7 @@ endif
+ ifneq ($(DEBUG), 1)
+     COMMON_FLAGS += -ffunction-sections -fdata-sections
+ endif
+-CC_BELOW_4_9 := $(shell expr "`$(CC) -dumpversion`" \< "4.9")
+-ifeq ($(CC_BELOW_4_9), 1)
+-    COMMON_FLAGS += -fstack-protector
+-else
+-    COMMON_FLAGS += -fstack-protector-strong
+-endif
+COMMON_FLAGS += -fstack-protector-strong
+ 
+ ENCLAVE_CXXFLAGS += $(SGX_COMMON_CXXFLAGS) $(COMMON_FLAGS) -fPIC -std=c++11
+ 
+diff --git a/QuoteVerification/dcap_tvl/Makefile.standalone b/QuoteVerification/dcap_tvl/Makefile.standalone
+index 8a1cb73..713d8af 100644
+--- a/QuoteVerification/dcap_tvl/Makefile.standalone
+++ b/QuoteVerification/dcap_tvl/Makefile.standalone
+@@ -45,12 +45,7 @@ COMMON_LDFLAGS := -Wl,-z,relro,-z,now,-z,noexecstack
+ ifneq ($(DEBUG), 1)
+     COMMON_FLAGS += -ffunction-sections -fdata-sections
+ endif
+-CC_BELOW_4_9 := $(shell expr "`$(CC) -dumpversion`" \< "4.9")
+-ifeq ($(CC_BELOW_4_9), 1)
+-    COMMON_FLAGS += -fstack-protector
+-else
+-    COMMON_FLAGS += -fstack-protector-strong
+-endif
+COMMON_FLAGS += -fstack-protector-strong
+ 
+ ENCLAVE_CFLAGS   = -ffreestanding -nostdinc -fvisibility=hidden -fpie -fno-strict-overflow -fno-delete-null-pointer-checks
+ ENCLAVE_CXXFLAGS = $(ENCLAVE_CFLAGS) -nostdinc++
+diff --git a/SampleCode/QuoteAppraisalSample/QAEAppraisal/Makefile b/SampleCode/QuoteAppraisalSample/QAEAppraisal/Makefile
+index 662ac3e..868d72d 100644
+--- a/SampleCode/QuoteAppraisalSample/QAEAppraisal/Makefile
+++ b/SampleCode/QuoteAppraisalSample/QAEAppraisal/Makefile
+@@ -87,13 +87,7 @@ Crypto_Library_Name := sgx_tcrypto
+ Enclave_Cpp_Files := Enclave/Enclave.cpp
+ Enclave_Include_Paths := -I$(SGX_SDK)/include -I$(SGX_SDK)/include/tlibc 
+ 
+-Enclave_C_Flags := $(Enclave_Include_Paths) -nostdinc -fvisibility=hidden -fpie -ffunction-sections -fdata-sections $(MITIGATION_CFLAGS)
+-CC_BELOW_4_9 := $(shell expr "`$(CC) -dumpversion`" \< "4.9")
+-ifeq ($(CC_BELOW_4_9), 1)
+-    Enclave_C_Flags += -fstack-protector
+-else
+-    Enclave_C_Flags += -fstack-protector-strong
+-endif
+Enclave_C_Flags := $(Enclave_Include_Paths) -nostdinc -fvisibility=hidden -fpie -ffunction-sections -fdata-sections $(MITIGATION_CFLAGS) -fstack-protector-strong
+ 
+ Enclave_Cpp_Flags := $(Enclave_C_Flags) -std=c++11 -nostdinc++
+ 
+diff --git a/SampleCode/QuoteGenerationSample/Makefile b/SampleCode/QuoteGenerationSample/Makefile
+index 4fdbb36..fd5b4e2 100644
+--- a/SampleCode/QuoteGenerationSample/Makefile
+++ b/SampleCode/QuoteGenerationSample/Makefile
+@@ -104,11 +104,7 @@ Enclave_Cpp_Files := Enclave/Enclave.cpp
+ Enclave_Include_Paths := -I$(SGX_SDK)/include -I$(SGX_SDK)/include/tlibc -I$(SGX_SDK)/include/libcxx
+ 
+ CC_BELOW_4_9 := $(shell expr "`$(CC) -dumpversion`" \< "4.9")
+-ifeq ($(CC_BELOW_4_9), 1)
+-        Enclave_C_Flags := $(SGX_COMMON_CFLAGS) -nostdinc -fvisibility=hidden -fpie -ffunction-sections -fdata-sections -fstack-protector
+-else
+-        Enclave_C_Flags := $(SGX_COMMON_CFLAGS) -nostdinc -fvisibility=hidden -fpie -ffunction-sections -fdata-sections -fstack-protector-strong
+-endif
+Enclave_C_Flags := $(SGX_COMMON_CFLAGS) -nostdinc -fvisibility=hidden -fpie -ffunction-sections -fdata-sections
+ Enclave_C_Flags += $(Enclave_Include_Paths)
+ Enclave_Cpp_Flags := $(Enclave_C_Flags) -std=c++11 -nostdinc++
+ 
+diff --git a/SampleCode/QuoteVerificationSample/Makefile b/SampleCode/QuoteVerificationSample/Makefile
+index d534615..6164587 100644
+--- a/SampleCode/QuoteVerificationSample/Makefile
+++ b/SampleCode/QuoteVerificationSample/Makefile
+@@ -130,13 +130,7 @@ DCAP_DIR  ?= ../../
+ Enclave_Cpp_Files := Enclave/Enclave.cpp
+ Enclave_Include_Paths := -IEnclave -I$(SGX_SDK)/include -I$(SGX_SDK)/include/tlibc -I$(SGX_SDK)/include/libcxx
+ 
+-Enclave_C_Flags := $(Enclave_Include_Paths) -nostdinc -fvisibility=hidden -fpie -ffunction-sections -fdata-sections
+-CC_BELOW_4_9 := $(shell expr "`$(CC) -dumpversion`" \< "4.9")
+-ifeq ($(CC_BELOW_4_9), 1)
+-	Enclave_C_Flags += -fstack-protector
+-else
+-	Enclave_C_Flags += -fstack-protector-strong
+-endif
+Enclave_C_Flags := $(Enclave_Include_Paths) -nostdinc -fvisibility=hidden -fpie -ffunction-sections -fdata-sections -fstack-protector-strong
+ 
+ Enclave_Cpp_Flags := $(Enclave_C_Flags) -nostdinc++
+ 
+diff --git a/tools/PCKRetrievalTool/Makefile b/tools/PCKRetrievalTool/Makefile
+index b6968c6..1d2106b 100644
+--- a/tools/PCKRetrievalTool/Makefile
+++ b/tools/PCKRetrievalTool/Makefile
+@@ -59,12 +59,7 @@ else
+ endif
+ 
+ # turn on stack protector for SDK
+-CC_BELOW_4_9 := $(shell expr "`$(CC) -dumpversion`" \< "4.9")
+-ifeq ($(CC_BELOW_4_9), 1)
+-    COMMON_FLAGS += -fstack-protector
+-else
+-    COMMON_FLAGS += -fstack-protector-strong
+-endif
+COMMON_FLAGS += -fstack-protector-strong
+ 
+ ifdef DEBUG
+     COMMON_FLAGS += -O0 -ggdb -DDEBUG -UNDEBUG
+-- 
+2.48.1
+
--- a/0115-Use-distro-provided-rapidjson-package.patch
+++ b/0115-Use-distro-provided-rapidjson-package.patch
@ -0,0 +1,174 @@
+From 9588a9e5e730e31773437d96fdb1b4e8c1dfc55f Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?= <berrange@redhat.com>
+Date: Mon, 26 Feb 2024 12:19:51 +0000
+Subject: [PATCH 115/116] Use distro provided rapidjson package
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
+---
+ QuoteGeneration/qcnl/certification_provider.cpp             | 2 +-
+ QuoteGeneration/qcnl/inc/pccs_response_object.h             | 4 ++--
+ QuoteGeneration/qcnl/inc/qcnl_config.h                      | 2 +-
+ QuoteGeneration/qcnl/linux/Makefile                         | 2 +-
+ QuoteGeneration/qcnl/linux/qcnl_config_impl.cpp             | 2 +-
+ QuoteGeneration/qcnl/qcnl_config.cpp                        | 6 +++---
+ QuoteVerification/buildenv.mk                               | 4 ++--
+ tools/PCKCertSelection/PCKCertSelectionLib/Makefile         | 4 ++--
+ .../PCKCertSelectionLib/Makefile.static_lib                 | 4 ++--
+ 9 files changed, 15 insertions(+), 15 deletions(-)
+
+diff --git a/QuoteGeneration/qcnl/certification_provider.cpp b/QuoteGeneration/qcnl/certification_provider.cpp
+index a08ea7e..41e5b9d 100644
+--- a/QuoteGeneration/qcnl/certification_provider.cpp
+++ b/QuoteGeneration/qcnl/certification_provider.cpp
+@@ -36,7 +36,7 @@
+  */
+ #include "certification_provider.h"
+ #include "certification_service.h"
+-#include "document.h"
+#include <rapidjson/document.h>
+ #include "local_cache.h"
+ #include "pck_cert_selection.h"
+ #include "qcnl_util.h"
+diff --git a/QuoteGeneration/qcnl/inc/pccs_response_object.h b/QuoteGeneration/qcnl/inc/pccs_response_object.h
+index f1f545f..2153b6f 100644
+--- a/QuoteGeneration/qcnl/inc/pccs_response_object.h
+++ b/QuoteGeneration/qcnl/inc/pccs_response_object.h
+@@ -37,7 +37,7 @@
+ #define PCCSRESPONSEOBJECT_H_
+ #pragma once
+ 
+-#include "document.h"
+#include <rapidjson/document.h>
+ #include "qcnl_def.h"
+ #include <sstream>
+ #include <string>
+@@ -148,4 +148,4 @@ public:
+     }
+ };
+ 
+-#endif
+\ No newline at end of file
+#endif
+diff --git a/QuoteGeneration/qcnl/inc/qcnl_config.h b/QuoteGeneration/qcnl/inc/qcnl_config.h
+index ff3c744..71b9a99 100644
+--- a/QuoteGeneration/qcnl/inc/qcnl_config.h
+++ b/QuoteGeneration/qcnl/inc/qcnl_config.h
+@@ -38,7 +38,7 @@
+ #pragma once
+ 
+ #include "sgx_default_qcnl_wrapper.h"
+-#include "document.h"
+#include <rapidjson/document.h>
+ #include <memory>
+ #include <string>
+ 
+diff --git a/QuoteGeneration/qcnl/linux/Makefile b/QuoteGeneration/qcnl/linux/Makefile
+index 531f40b..5c56951 100644
+--- a/QuoteGeneration/qcnl/linux/Makefile
+++ b/QuoteGeneration/qcnl/linux/Makefile
+@@ -43,7 +43,7 @@ CNL_Lib_Include_Paths := -I../../quote_wrapper/common/inc       \
+                          -I../inc -I$(SGX_SDK)/include          \
+                          -I../../common/inc/internal            \
+                          -I../../pce_wrapper/inc                \
+-                         -I../../../QuoteVerification/QVL/Src/ThirdParty/rapidjson/include/rapidjson	\
+                         $(pkg-config --cflags RapidJSON) \
+                          -I../../../tools/PCKCertSelection/include
+ 
+ CNL_Lib_Common_Flags := $(COMMON_FLAGS) -g -fPIC -Wno-attributes $(CNL_Lib_Include_Paths) $(pkg-config --cflags libcrypto)
+diff --git a/QuoteGeneration/qcnl/linux/qcnl_config_impl.cpp b/QuoteGeneration/qcnl/linux/qcnl_config_impl.cpp
+index 7b74eae..5f20a1e 100644
+--- a/QuoteGeneration/qcnl/linux/qcnl_config_impl.cpp
+++ b/QuoteGeneration/qcnl/linux/qcnl_config_impl.cpp
+@@ -35,7 +35,7 @@
+  *
+  */
+ 
+-#include "istreamwrapper.h"
+#include <rapidjson/istreamwrapper.h>
+ #include "qcnl_config.h"
+ #include <algorithm>
+ #include <curl/curl.h>
+diff --git a/QuoteGeneration/qcnl/qcnl_config.cpp b/QuoteGeneration/qcnl/qcnl_config.cpp
+index 42388a0..9be8fee 100644
+--- a/QuoteGeneration/qcnl/qcnl_config.cpp
+++ b/QuoteGeneration/qcnl/qcnl_config.cpp
+@@ -36,10 +36,10 @@
+  */
+ 
+ #include "qcnl_config.h"
+-#include "error/en.h"
+-#include "error/error.h"
+#include <rapidjson/error/en.h>
+#include <rapidjson/error/error.h>
+ #include <fstream>
+-#include <istreamwrapper.h>
+#include <rapidjson/istreamwrapper.h>
+ #include <mutex>
+ #include <algorithm>
+ 
+diff --git a/QuoteVerification/buildenv.mk b/QuoteVerification/buildenv.mk
+index 982c7d5..854b70a 100644
+--- a/QuoteVerification/buildenv.mk
+++ b/QuoteVerification/buildenv.mk
+@@ -72,9 +72,9 @@ else
+ COMMON_INCLUDE := -I$(SGX_SDK)/include -I$(SGX_SDK)/include/tlibc -I$(SGX_SDK)/include/libcxx -I$(SGXSSL_PACKAGE_PATH)/include
+ endif
+ 
+-QVL_LIB_INC := -I$(QVL_COMMON_PATH)/include -I$(QVL_COMMON_PATH)/include/Utils -I$(QVL_LIB_PATH)/include -I$(QVL_LIB_PATH)/src -I$(QVL_PARSER_PATH)/include -I$(QVL_SRC_PATH)/ThirdParty/rapidjson/include  -I$(DCAP_EXTERNAL_DIR)/jwt-cpp/include
+QVL_LIB_INC := -I$(QVL_COMMON_PATH)/include -I$(QVL_COMMON_PATH)/include/Utils -I$(QVL_LIB_PATH)/include -I$(QVL_LIB_PATH)/src -I$(QVL_PARSER_PATH)/include $(pkg-config --cflags RapidJSON)  -I$(DCAP_EXTERNAL_DIR)/jwt-cpp/include
+ 
+-QVL_PARSER_INC := -I$(QVL_COMMON_PATH)/include -I$(QVL_COMMON_PATH)/include/Utils -I$(QVL_SRC_PATH) -I$(QVL_PARSER_PATH)/include -I$(QVL_PARSER_PATH)/src -I$(QVL_LIB_PATH)/include -I$(QVL_SRC_PATH)/ThirdParty/rapidjson/include
+QVL_PARSER_INC := -I$(QVL_COMMON_PATH)/include -I$(QVL_COMMON_PATH)/include/Utils -I$(QVL_SRC_PATH) -I$(QVL_PARSER_PATH)/include -I$(QVL_PARSER_PATH)/src -I$(QVL_LIB_PATH)/include $(pkg-config --cflags RapidJSON)
+ 
+ QVL_LIB_FILES := $(sort $(wildcard $(QVL_LIB_PATH)/src/*.cpp) $(wildcard $(QVL_LIB_PATH)/src/*/*.cpp) $(wildcard $(QVL_LIB_PATH)/src/*/*/*.cpp) $(wildcard $(QVL_COMMON_PATH)/src/Utils/*.cpp))
+ QVL_PARSER_FILES := $(sort $(wildcard $(QVL_PARSER_PATH)/src/*.cpp) $(wildcard $(QVL_PARSER_PATH)/src/*/*.cpp))
+diff --git a/tools/PCKCertSelection/PCKCertSelectionLib/Makefile b/tools/PCKCertSelection/PCKCertSelectionLib/Makefile
+index c106ab4..117f88f 100644
+--- a/tools/PCKCertSelection/PCKCertSelectionLib/Makefile
+++ b/tools/PCKCertSelection/PCKCertSelectionLib/Makefile
+@@ -66,7 +66,7 @@ endif
+ OPENSSL_INC 		:= $(pkg-config --cflags libcrypto)
+ 
+ # JSON parser include dir
+-JSON_INC		:= $(QVL_DIR)/ThirdParty/rapidjson/include
+JSON_INC		:= $(pkg-config --cflags RapidJSON)
+ 
+ # QVL Attestation Parsers include directory
+ PARSERS_INC 		:= $(QVL_DIR)/AttestationParsers/include
+@@ -113,7 +113,7 @@ LIB_CPP_OBJECTS 	:= \
+ 	$(UTILS_CPP_FILES:.cpp=.o)
+ 
+ # include paths, local, parser and openssl
+-LIB_INCLUDE_PATHS	:= -I. -I$(PROJ_ROOT_DIR)/include $(OPENSSL_INC) -I$(JSON_INC) -I$(PARSERS_INC) -I$(PARSERS_COMM_INC) -I$(PARSERS_DIR) -I$(VER_DIR) -I$(PARSERS_UTIL_INC)
+LIB_INCLUDE_PATHS	:= -I. -I$(PROJ_ROOT_DIR)/include $(OPENSSL_INC) $(JSON_INC) -I$(PARSERS_INC) -I$(PARSERS_COMM_INC) -I$(PARSERS_DIR) -I$(VER_DIR) -I$(PARSERS_UTIL_INC)
+ 
+ # the library shared object name
+ LIB_NAME		:= libPCKCertSelection.so
+diff --git a/tools/PCKCertSelection/PCKCertSelectionLib/Makefile.static_lib b/tools/PCKCertSelection/PCKCertSelectionLib/Makefile.static_lib
+index c8e1d01..6f1440a 100644
+--- a/tools/PCKCertSelection/PCKCertSelectionLib/Makefile.static_lib
+++ b/tools/PCKCertSelection/PCKCertSelectionLib/Makefile.static_lib
+@@ -69,7 +69,7 @@ OPENSSL_INC 		:= $(PROJ_ROOT_DIR)/../../prebuilt/openssl/inc
+ OPENSSL_LIB 		:= $(PROJ_ROOT_DIR)/../../prebuilt/openssl/lib/linux64
+ 
+ # JSON parser include dir
+-JSON_INC		:= $(QVL_DIR)/ThirdParty/rapidjson/include
+JSON_INC		:= $(pkg-config --cflags RapidJSON)
+ 
+ # QVL Attestation Parsers include directory
+ PARSERS_INC 		:= $(QVL_DIR)/AttestationParsers/include
+@@ -118,7 +118,7 @@ LIB_CPP_OBJECTS 	:= \
+ LIB_CPP_OBJECTS := $(addprefix $(BIN_DIR)/, $(LIB_CPP_OBJECTS))
+ 
+ # include paths, local, parser and openssl
+-LIB_INCLUDE_PATHS	:= -I. -I$(PROJ_ROOT_DIR)/include $(pkg-config --cflags libcrypto) -I$(JSON_INC) -I$(PARSERS_INC) -I$(PARSERS_COMM_INC) -I$(PARSERS_DIR) -I$(VER_DIR) -I$(PARSERS_UTIL_INC)
+LIB_INCLUDE_PATHS	:= -I. -I$(PROJ_ROOT_DIR)/include $(pkg-config --cflags libcrypto) $(JSON_INC) -I$(PARSERS_INC) -I$(PARSERS_COMM_INC) -I$(PARSERS_DIR) -I$(VER_DIR) -I$(PARSERS_UTIL_INC)
+ 
+ # the library shared object name
+ LIB_NAME		:= libPCKCertSelection.a
+-- 
+2.48.1
+
--- a/0116-Don-t-stomp-on-VERBOSE-variable.patch
+++ b/0116-Don-t-stomp-on-VERBOSE-variable.patch
@ -0,0 +1,101 @@
+From 35efa4bf39f88b0fe172b43e6c8ce81f4bb40dfc Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?= <berrange@redhat.com>
+Date: Wed, 16 Apr 2025 11:48:52 +0100
+Subject: [PATCH 116/116] Don't stomp on "VERBOSE" variable
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+The VERBOSE=1 variable is set to make various cmake builds run in
+verbose mode. It must not be used for other purposes by the makefiles
+otherwise the usage will clash.
+
+Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
+---
+ driver/win/PLE/Makefile | 38 +++++++++++++++++++-------------------
+ 1 file changed, 19 insertions(+), 19 deletions(-)
+
+diff --git a/driver/win/PLE/Makefile b/driver/win/PLE/Makefile
+index 3d474bb..0f593f5 100644
+--- a/driver/win/PLE/Makefile
+++ b/driver/win/PLE/Makefile
+@@ -75,9 +75,9 @@ ifneq ($(PUBKEY_FILE),)
+ 	CSS_PUBKEY_FILE = $(shell realpath $(PUBKEY_FILE))
+ endif
+ 
+-VERBOSE := @
+CMD_VERBOSE := @
+ ifeq ($(V),1)
+-	VERBOSE :=
+	CMD_VERBOSE :=
+ endif
+ 
+ SGX_LE_SIGNING_KEY_PATH := sgx_signing_key.pem
+@@ -89,47 +89,47 @@ PUBLIC_KEY_PATH := $(shell realpath $(SGX_LE_PUBLIC_KEY_PATH))
+ SIGNING_MATERIAL := $(shell realpath $(SGX_LE_SIGNING_MATERIAL))
+ 
+ $(SIGNING_KEY_PATH):
+-	$(VERBOSE) openssl genrsa -3 -out $(SIGNING_KEY_PATH) 3072
+	$(CMD_VERBOSE) openssl genrsa -3 -out $(SIGNING_KEY_PATH) 3072
+ 
+ $(PUBLIC_KEY_PATH): $(SIGNING_KEY_PATH)
+-	$(VERBOSE) openssl rsa -in $(SIGNING_KEY_PATH) -outform PEM -pubout -out $(PUBLIC_KEY_PATH)
+	$(CMD_VERBOSE) openssl rsa -in $(SIGNING_KEY_PATH) -outform PEM -pubout -out $(PUBLIC_KEY_PATH)
+ 
+ SGX_LE_C_OBJS := $(addprefix $(TARGET)/,main.o string.o cmac.o)
+ SGX_LE_S_OBJS := $(addprefix $(TARGET)/,encl_bootstrap.o)
+ 
+ $(TARGET):
+-	$(VERBOSE) mkdir $@
+	$(CMD_VERBOSE) mkdir $@
+ 
+ $(SGX_LE_C_OBJS): $(TARGET)/%.o: %.c | $(TARGET)
+-	$(VERBOSE) $(CC) -c $(CFLAGS) $(INCLUDES) $< -o $@
+	$(CMD_VERBOSE) $(CC) -c $(CFLAGS) $(INCLUDES) $< -o $@
+ 
+ $(SGX_LE_S_OBJS): $(TARGET)/%.o: %.S | $(TARGET)
+-	$(VERBOSE) $(CC) -c $(CFLAGS) $(INCLUDES) $< -o $@
+	$(CMD_VERBOSE) $(CC) -c $(CFLAGS) $(INCLUDES) $< -o $@
+ 
+ $(TARGET)/sgx_le.elf: sgx_le.lds $(SGX_LE_C_OBJS) $(SGX_LE_S_OBJS)
+-	$(VERBOSE) $(LD) $(LDFLAGS) -T $^ -o $@
+	$(CMD_VERBOSE) $(LD) $(LDFLAGS) -T $^ -o $@
+ 
+ $(TARGET)/sgx_le.bin: $(TARGET)/sgx_le.elf
+-	$(VERBOSE) objcopy --remove-section=.got.plt -O binary $< $@
+	$(CMD_VERBOSE) objcopy --remove-section=.got.plt -O binary $< $@
+ 
+ $(TARGET)/sgxsign: sgxsign.c | $(TARGET)
+-	$(VERBOSE) $(CC) -Wall $(INCLUDES) -o $@ $< -lcrypto
+	$(CMD_VERBOSE) $(CC) -Wall $(INCLUDES) -o $@ $< -lcrypto
+ 
+ $(TARGET)/bin2c: bin2c.c | $(TARGET)
+-	$(VERBOSE) $(CC) -Wall $(INCLUDES) -o $@ $<
+	$(CMD_VERBOSE) $(CC) -Wall $(INCLUDES) -o $@ $<
+ 
+ sign: $(SIGNING_KEY_PATH) $(TARGET)/sgx_le.bin $(TARGET)/sgxsign $(TARGET)/bin2c
+-	$(VERBOSE) $(TARGET)/sgxsign sign $(SIGNING_KEY_PATH) $(TARGET)/sgx_le.bin $(TARGET)/sgx_le.ss $(SIGN_EXTRA)
+-	$(VERBOSE) $(TARGET)/bin2c $(TARGET)/sgx_le.bin $(TARGET)/sgx_le_blob.h sgx_le_blob
+-	$(VERBOSE) $(TARGET)/bin2c $(TARGET)/sgx_le.ss $(TARGET)/sgx_le_ss.h sgx_le_ss
+	$(CMD_VERBOSE) $(TARGET)/sgxsign sign $(SIGNING_KEY_PATH) $(TARGET)/sgx_le.bin $(TARGET)/sgx_le.ss $(SIGN_EXTRA)
+	$(CMD_VERBOSE) $(TARGET)/bin2c $(TARGET)/sgx_le.bin $(TARGET)/sgx_le_blob.h sgx_le_blob
+	$(CMD_VERBOSE) $(TARGET)/bin2c $(TARGET)/sgx_le.ss $(TARGET)/sgx_le_ss.h sgx_le_ss
+ 
+ gendata: $(TARGET)/sgx_le.bin $(TARGET)/sgxsign
+-	$(VERBOSE) $(TARGET)/sgxsign gendata $(TARGET)/sgx_le.bin $(SIGNING_MATERIAL) $(SIGN_EXTRA)
+	$(CMD_VERBOSE) $(TARGET)/sgxsign gendata $(TARGET)/sgx_le.bin $(SIGNING_MATERIAL) $(SIGN_EXTRA)
+ 
+ usesig: $(TARGET)/sgx_le.bin $(TARGET)/sgxsign $(TARGET)/bin2c
+-	$(VERBOSE) $(TARGET)/sgxsign usesig $(CSS_PUBKEY_FILE) $(TARGET)/sgx_le.bin $(CSS_SIG_FILE) $(TARGET)/sgx_le.ss $(SIGN_EXTRA)
+-	$(VERBOSE) $(TARGET)/bin2c $(TARGET)/sgx_le.bin $(TARGET)/sgx_le_blob.h sgx_le_blob
+-	$(VERBOSE) $(TARGET)/bin2c $(TARGET)/sgx_le.ss $(TARGET)/sgx_le_ss.h sgx_le_ss
+	$(CMD_VERBOSE) $(TARGET)/sgxsign usesig $(CSS_PUBKEY_FILE) $(TARGET)/sgx_le.bin $(CSS_SIG_FILE) $(TARGET)/sgx_le.ss $(SIGN_EXTRA)
+	$(CMD_VERBOSE) $(TARGET)/bin2c $(TARGET)/sgx_le.bin $(TARGET)/sgx_le_blob.h sgx_le_blob
+	$(CMD_VERBOSE) $(TARGET)/bin2c $(TARGET)/sgx_le.ss $(TARGET)/sgx_le_ss.h sgx_le_ss
+ 
+ clean:
+-	$(VERBOSE) rm -vrf $(TARGET) $(SIGNING_MATERIAL)
+	$(CMD_VERBOSE) rm -vrf $(TARGET) $(SIGNING_MATERIAL)
+-- 
+2.48.1
+
--- a/linux-sgx.spec
+++ b/linux-sgx.spec
@ -4,6 +4,15 @@
 # native code. Thus we cannot globally set the CFLAGS etc
 %undefine _auto_set_build_flags

+# When -flto is set, something (possibly cmake related)
+# causes the build of psw/ae/aesm_service to add -fpie
+# to the build flags. This conflicts with the need to
+# build everything with -fPIC, and causes linker failures
+#
+# /usr/bin/ld: /tmp/ccWKJhwL.ltrans0.ltrans.o: warning: relocation against `stdout@@GLIBC_2.2.5' in read-only section `.text.sgx_proc_log_report'
+# /usr/bin/ld: /tmp/ccWKJhwL.ltrans0.ltrans.o: relocation R_X86_64_PC32 against symbol `_Z16aesm_thread_procPv' can not be used when making a shared object; recompile with -fPIC
+%global _lto_cflags %nil
+
 ############################################################
 #
 # Note about the approach to bundling...
@ -303,7 +312,12 @@ Patch0009: 0009-Remove-all-references-to-pccs-service.patch
 Patch0010: 0010-psw-prefer-dev-sgx_provision-dev-sgx_enclave.patch
 Patch0011: 0011-psw-fix-soname-for-libuae_service.so-library.patch
 Patch0012: 0012-pcl-remove-redundant-use-of-bool-type.patch
-Patch0013: 0013-Disable-inclusion-of-AESM-in-installer.patch
+Patch0013: 0013-sdk-honour-CFLAGS-LDFLAGS-set-from-environment.patch
+Patch0014: 0014-psw-make-aesm_service-build-verbose.patch
+Patch0015: 0015-Fix-modern-C-function-prototype-compliance.patch
+Patch0016: 0016-Add-wrapper-for-nasm-to-fix-cmake-compat.patch
+# Optional patches
+Patch0050: 0050-Disable-inclusion-of-AESM-in-installer.patch

 # 0100-0199 -> against SGXDataCenterAttestationPrimitives.git
 Patch0100: 0100-Drop-use-of-bundled-pre-built-openssl.patch
@ -315,8 +329,7 @@ Patch0103: 0103-Look-for-versioned-sgx_urts-library-in-PCKRetrievalT.patch
 # https://github.com/intel/SGXDataCenterAttestationPrimitives/pull/429
 Patch0104: 0104-Don-t-import-pypac-in-pccsadmin.patch
 Patch0105: 0105-Look-for-PCKRetrievalTool-config-file-in-etc.patch
-# XXX enclaves must use bundled
-#Patch0106: 0106-Use-distro-provided-rapidjson-package.patch
+Patch0106: 0106-Honour-CFLAGS-CXXFLAGS-LDFLAGS-for-various-tools-and.patch
 # https://github.com/intel/SGXDataCenterAttestationPrimitives/pull/428
 Patch0107: 0107-qgs-add-space-between-program-name-first-arg-in-usag.patch
 Patch0108: 0108-qgs-protect-against-format-strings-in-QL-log-message.patch
@ -324,6 +337,10 @@ Patch0109: 0109-qgs-add-debug-parameter-to-control-logging.patch
 Patch0110: 0110-pccsadmin-remove-leftover-debugging-print-args-state.patch
 Patch0111: 0111-Fix-soname-version-for-libsgx_qe3_logic.so-library.patch
 Patch0112: 0112-Workaround-broken-GCC-15.patch
+Patch0113: 0113-Don-t-disable-cf-protection-for-qgs.patch
+Patch0114: 0114-Delete-broken-checks-for-GCC-version-that-break-fsta.patch
+#Patch0115: 0115-Use-distro-provided-rapidjson-package.patch
+Patch0116: 0116-Don-t-stomp-on-VERBOSE-variable.patch

 # 0200-0299 -> against intel-sgx-ssl.git
 Patch0200: 0200-Enable-pointing-sgxssl-build-to-alternative-glibc-he.patch
@ -528,9 +545,9 @@ in applications
 %prep
 %setup -q -n linux-sgx-sgx_%{linux_sgx_version}_reproducible

-%autopatch -m 0 -M 12 -p1
+%autopatch -m 0 -M 49 -p1
 %if !%{with_aesm}
-%autopatch -m 13 -M 13 -p1
+%autopatch -m 50 -M 99 -p1
 %endif

 ############################################################
@ -750,6 +767,30 @@ do
    MITIGATION-CVE-2020-0551=$mitigation
 done

+NATIVE="sign_tool/SignTool"
+NATIVE="$NATIVE encrypt_enclave"
+NATIVE="$NATIVE libcapable/linux"
+NATIVE="$NATIVE debugger_interface/linux"
+NATIVE="$NATIVE simulation"
+
+# Most of 'sdk/' is enclave code, but there's some
+# important native code we must now re-build with
+# proper flags enabled to get distro hardening.
+for dir in $NATIVE
+do
+  %__make %{?_smp_mflags} \
+    -C sdk/$dir clean
+
+  # XXX temp override -j1 due to race conditions that have not yet been diagnosed
+  CFLAGS="%{build_cflags}" \
+  CXXFLAGS="%{build_cxxflags}" \
+  LDFLAGS="%{build_ldflags}" \
+  %__make %{?_smp_mflags} -j1 \
+    -C sdk/$dir V=1 \
+    MITIGATION-CVE-2020-0551= \
+    USE_HOST_OPENSSL_CRYPTO=1 \
+    USE_HOST_TINYXML2=%{with_host_tinyxml2}
+done

 ############################################################
 # Second, install the SDK into a temporary tree, since this
@ -788,16 +829,22 @@ done
 ############################################################
 # Fourth, build the Platform Software

+CFLAGS="%{build_cflags}" \
+CXXFLAGS="%{build_cxxflags}" \
+LDFLAGS="%{build_ldflags}" \
 %__make %{?_smp_mflags} \
-  -C psw/ V=1 \
+  -C psw/ V=1 VERBOSE=1 \
  SGX_SDK=$(pwd)/%{vroot}/sgxsdk \
  SGX_ENCLAVE_PATH=%{sgx_libdir} \
  USE_HOST_OPENSSL_CRYPTO=1 \
  USE_HOST_CPPMICROSERVICES=1

 # XXX temp override -j1 due to race conditions that have not yet been diagnosed
+CFLAGS="%{build_cflags}" \
+CXXFLAGS="%{build_cxxflags}" \
+LDFLAGS="%{build_ldflags}" \
 %__make %{?_smp_mflags} -j1 \
-  -C external/dcap_source/ V=1 \
+  -C external/dcap_source/ V=1 VERBOSE=1 \
  SGX_SDK=$(pwd)/%{vroot}/sgxsdk \
  SGX_ENCLAVE_PATH=%{sgx_libdir}