From b26306ecaeecb3c83788b97d1fa14bb00db690bd Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?= Date: Fri, 28 Mar 2025 14:55:27 +0000 Subject: [PATCH] Honour CFLAGS/CXXFLAGS/LDFLAGS for host software MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit 
Signed-off-by: Daniel P. Berrangé --- ...building-against-host-openssl-crypto.patch | 6 +- ...r-building-against-host-tinyxml2-lib.patch | 6 +- ...building-against-host-CppMicroServic.patch | 6 +- 0003-Improve-make-debuggability.patch | 6 +- ...-disabling-use-of-git-for-ippcp-code.patch | 6 +- ...rotobuf-mbedtls-sample_crypto-builds.patch | 6 +- 0006-Fix-compat-with-gcc-14.patch | 6 +- ...ix-escaping-of-regexes-in-sgx-asm-pp.patch | 6 +- ...-Disable-use-of-bogus-DEF_WEAK-macro.patch | 6 +- ...emove-all-references-to-pccs-service.patch | 6 +- ...er-dev-sgx_provision-dev-sgx_enclave.patch | 6 +- ...soname-for-libuae_service.so-library.patch | 6 +- ...cl-remove-redundant-use-of-bool-type.patch | 6 +- ...-CFLAGS-LDFLAGS-set-from-environment.patch | 126 +++++++++++ ...-psw-make-aesm_service-build-verbose.patch | 29 +++ ...dern-C-function-prototype-compliance.patch | 43 ++++ ...wrapper-for-nasm-to-fix-cmake-compat.patch | 69 ++++++ ...sable-inclusion-of-AESM-in-installer.patch | 6 +- ...rop-use-of-bundled-pre-built-openssl.patch | 4 +- ...mprove-debuggability-of-build-system.patch | 22 +- ...me-setting-of-enclave-load-directory.patch | 8 +- ...ed-sgx_urts-library-in-PCKRetrievalT.patch | 6 +- 0104-Don-t-import-pypac-in-pccsadmin.patch | 6 +- ...-PCKRetrievalTool-config-file-in-etc.patch | 6 +- ...XFLAGS-LDFLAGS-for-various-tools-and.patch | 209 ++++++++++++++++++ ...tween-program-name-first-arg-in-usag.patch | 6 +- ...nst-format-strings-in-QL-log-message.patch | 6 +- ...d-debug-parameter-to-control-logging.patch | 6 +- ...-leftover-debugging-print-args-state.patch | 6 +- ...sion-for-libsgx_qe3_logic.so-library.patch | 8 +- 0112-Workaround-broken-GCC-15.patch | 6 +- ...-Don-t-disable-cf-protection-for-qgs.patch | 31 +++ ...ecks-for-GCC-version-that-break-fsta.patch | 205 +++++++++++++++++ ...se-distro-provided-rapidjson-package.patch | 174 +++++++++++++++ 0116-Don-t-stomp-on-VERBOSE-variable.patch | 101 +++++++++ linux-sgx.spec | 61 ++++- 36 files changed, 1135 
insertions(+), 87 deletions(-) create mode 100644 0013-sdk-honour-CFLAGS-LDFLAGS-set-from-environment.patch create mode 100644 0014-psw-make-aesm_service-build-verbose.patch create mode 100644 0015-Fix-modern-C-function-prototype-compliance.patch create mode 100644 0016-Add-wrapper-for-nasm-to-fix-cmake-compat.patch rename 0013-Disable-inclusion-of-AESM-in-installer.patch => 0050-Disable-inclusion-of-AESM-in-installer.patch (96%) create mode 100644 0106-Honour-CFLAGS-CXXFLAGS-LDFLAGS-for-various-tools-and.patch create mode 100644 0113-Don-t-disable-cf-protection-for-qgs.patch create mode 100644 0114-Delete-broken-checks-for-GCC-version-that-break-fsta.patch create mode 100644 0115-Use-distro-provided-rapidjson-package.patch create mode 100644 0116-Don-t-stomp-on-VERBOSE-variable.patch diff --git a/0000-Add-support-for-building-against-host-openssl-crypto.patch b/0000-Add-support-for-building-against-host-openssl-crypto.patch index 9fe6c5f..1fdfb06 100644 --- a/0000-Add-support-for-building-against-host-openssl-crypto.patch +++ b/0000-Add-support-for-building-against-host-openssl-crypto.patch @@ -1,7 +1,7 @@ -From 3a59361036c6096c817444b68bd3ff6d5e0224cd Mon Sep 17 00:00:00 2001 +From 035a09af5fa31cdc7ab683c8188168623848f033 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?= Date: Thu, 13 Feb 2025 14:12:38 +0000 -Subject: [PATCH 00/13] Add support for building against host openssl crypto +Subject: [PATCH 00/16] Add support for building against host openssl crypto lib MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 @@ -212,5 +212,5 @@ index dde577ca..505ce8d9 100644 .PHONY: all -- -2.46.0 +2.48.1 diff --git a/0001-Add-support-for-building-against-host-tinyxml2-lib.patch b/0001-Add-support-for-building-against-host-tinyxml2-lib.patch index 007a2c5..f905bc0 100644 --- a/0001-Add-support-for-building-against-host-tinyxml2-lib.patch +++ b/0001-Add-support-for-building-against-host-tinyxml2-lib.patch 
@@ -1,7 +1,7 @@ -From 6b1e08b5a1f6c035b7f761349c9751a2983c7a4b Mon Sep 17 00:00:00 2001 +From a1ebbd0efeb66f23a02e63946d6f2c8ec9c00c00 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?= Date: Thu, 13 Feb 2025 14:01:10 +0000 -Subject: [PATCH 01/13] Add support for building against host tinyxml2 lib +Subject: [PATCH 01/16] Add support for building against host tinyxml2 lib MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit @@ -80,5 +80,5 @@ index 1eb8d460..219fb5ad 100644 sgx_sign: $(OBJS) enclaveparser -- -2.46.0 +2.48.1 diff --git a/0002-Add-support-for-building-against-host-CppMicroServic.patch b/0002-Add-support-for-building-against-host-CppMicroServic.patch index 920209d..d59d742 100644 --- a/0002-Add-support-for-building-against-host-CppMicroServic.patch +++ b/0002-Add-support-for-building-against-host-CppMicroServic.patch @@ -1,7 +1,7 @@ -From 08e7b92cc7324b954ba773e8d2edb53f364efb64 Mon Sep 17 00:00:00 2001 +From 90ec590f9b17b878cfe2e338d55362349d5ad67e Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?= Date: Thu, 13 Feb 2025 14:01:10 +0000 -Subject: [PATCH 02/13] Add support for building against host CppMicroServices +Subject: [PATCH 02/16] Add support for building against host CppMicroServices lib MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 @@ -138,5 +138,5 @@ index 98c724a7..3edd77c7 100644 cmake_minimum_required(VERSION ${US_CMAKE_MINIMUM_REQUIRED_VERSION}) cmake_policy(VERSION ${US_CMAKE_MINIMUM_REQUIRED_VERSION}) -- -2.46.0 +2.48.1 diff --git a/0003-Improve-make-debuggability.patch b/0003-Improve-make-debuggability.patch index fb60641..6680373 100644 --- a/0003-Improve-make-debuggability.patch +++ b/0003-Improve-make-debuggability.patch @@ -1,7 +1,7 @@ -From 1c1ec62d0a754fc477b64cb881a721c316eb58d5 Mon Sep 17 00:00:00 2001 +From 50ba5d706d65359514e973175c34f36b6887a1e8 Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?= Date: Fri, 1 Mar 2024 12:53:26 +0000 -Subject: [PATCH 03/13] Improve make debuggability +Subject: [PATCH 03/16] Improve make debuggability MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit @@ -70,5 +70,5 @@ index d1ac38a1..5fb90c21 100644 .PHONY: clean -- -2.46.0 +2.48.1 diff --git a/0004-Support-disabling-use-of-git-for-ippcp-code.patch b/0004-Support-disabling-use-of-git-for-ippcp-code.patch index 54fc123..5ccd586 100644 --- a/0004-Support-disabling-use-of-git-for-ippcp-code.patch +++ b/0004-Support-disabling-use-of-git-for-ippcp-code.patch @@ -1,7 +1,7 @@ -From 028b9d1eeb5cdda62d0d3669b1320358402c2bb1 Mon Sep 17 00:00:00 2001 +From e9150e028f1d0f567bab4d2c7d5e5fc02cadce06 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?= Date: Thu, 13 Feb 2025 14:37:24 +0000 -Subject: [PATCH 04/13] Support disabling use of git for ippcp code +Subject: [PATCH 04/16] Support disabling use of git for ippcp code MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit @@ -45,5 +45,5 @@ index b4108cb8..70718f5e 100644 .PHONY: clean -- -2.46.0 +2.48.1 diff --git a/0005-disable-openmp-protobuf-mbedtls-sample_crypto-builds.patch b/0005-disable-openmp-protobuf-mbedtls-sample_crypto-builds.patch index 6b26f05..214668f 100644 --- a/0005-disable-openmp-protobuf-mbedtls-sample_crypto-builds.patch +++ b/0005-disable-openmp-protobuf-mbedtls-sample_crypto-builds.patch @@ -1,7 +1,7 @@ -From 6b9f6d62de22cfcf7ad89ec8a38e292c45ab0e2a Mon Sep 17 00:00:00 2001 +From bdeff24e929360b5ecfa5b0fe36513607b98daf3 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?= Date: Tue, 18 Jun 2024 15:57:22 +0100 -Subject: [PATCH 05/13] disable openmp, protobuf, mbedtls & sample_crypto +Subject: [PATCH 05/16] disable openmp, protobuf, mbedtls & sample_crypto builds MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 
@@ -521,5 +521,5 @@ index d3e40036..3bd08d5c 100644 @$(RM) $(BUILD_DIR)/libc++_Changes_SGX.txt @$(RM) -rf $(BUILD_DIR)/.compiler-rt -- -2.46.0 +2.48.1 diff --git a/0006-Fix-compat-with-gcc-14.patch b/0006-Fix-compat-with-gcc-14.patch index 8f331f3..c70c683 100644 --- a/0006-Fix-compat-with-gcc-14.patch +++ b/0006-Fix-compat-with-gcc-14.patch @@ -1,7 +1,7 @@ -From ec8e718cbcdce69263bb2f61df112118234df7aa Mon Sep 17 00:00:00 2001 +From 44c7af2d59a9654009eb1ea6affe771927d24850 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?= Date: Mon, 24 Jun 2024 17:36:13 +0100 -Subject: [PATCH 06/13] Fix compat with gcc 14 +Subject: [PATCH 06/16] Fix compat with gcc 14 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit @@ -44,5 +44,5 @@ index 9867ecc8..46fcf873 100644 #include "sgx_urts.h" #include "arch.h" -- -2.46.0 +2.48.1 diff --git a/0007-Fix-escaping-of-regexes-in-sgx-asm-pp.patch b/0007-Fix-escaping-of-regexes-in-sgx-asm-pp.patch index 946ac43..22dd9c5 100644 --- a/0007-Fix-escaping-of-regexes-in-sgx-asm-pp.patch +++ b/0007-Fix-escaping-of-regexes-in-sgx-asm-pp.patch @@ -1,7 +1,7 @@ -From 285845dd940042c9dfa3983aa478263b3aeb6d09 Mon Sep 17 00:00:00 2001 +From b613bffdce4d035dab354887539828906920a69e Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?= Date: Mon, 2 Sep 2024 16:49:18 +0100 -Subject: [PATCH 07/13] Fix escaping of regexes in sgx-asm-pp +Subject: [PATCH 07/16] Fix escaping of regexes in sgx-asm-pp MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit @@ -278,5 +278,5 @@ index 2b02396b..0df3fc47 100644 # # File Operations - read/write -- -2.46.0 +2.48.1 diff --git a/0008-Disable-use-of-bogus-DEF_WEAK-macro.patch b/0008-Disable-use-of-bogus-DEF_WEAK-macro.patch index 5601b18..8503d3e 100644 --- a/0008-Disable-use-of-bogus-DEF_WEAK-macro.patch +++ b/0008-Disable-use-of-bogus-DEF_WEAK-macro.patch 
@@ -1,7 +1,7 @@ -From 0584b938529c615f16dbb9751267e14ce73b37ca Mon Sep 17 00:00:00 2001 +From 7e6f75bfc9c364a26be6efb0704fb6f58318e59b Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?= Date: Tue, 1 Oct 2024 18:53:17 +0100 -Subject: [PATCH 08/13] Disable use of bogus DEF_WEAK macro +Subject: [PATCH 08/16] Disable use of bogus DEF_WEAK macro MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit @@ -26,5 +26,5 @@ index 08023a7c..9e62adc6 100644 static char * _strptime(const char *buf, const char *fmt, struct tm *tm, int initialize) -- -2.46.0 +2.48.1 diff --git a/0009-Remove-all-references-to-pccs-service.patch b/0009-Remove-all-references-to-pccs-service.patch index 7fb77a1..6cc34cb 100644 --- a/0009-Remove-all-references-to-pccs-service.patch +++ b/0009-Remove-all-references-to-pccs-service.patch @@ -1,7 +1,7 @@ -From d0a7e7bcf090c5a3549e76709b83aaee87197b2b Mon Sep 17 00:00:00 2001 +From 2135faf971e82c7dc351dc01baab5c6f716f8f11 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?= Date: Tue, 1 Oct 2024 20:18:48 +0100 -Subject: [PATCH 09/13] Remove all references to pccs service +Subject: [PATCH 09/16] Remove all references to pccs service MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit @@ -493,5 +493,5 @@ index 0dd5fd8c..67eab01a 100644 if [ -x %{_ra_service_path}/startup.sh ]; then %{_ra_service_path}/startup.sh; fi -- -2.46.0 +2.48.1 diff --git a/0010-psw-prefer-dev-sgx_provision-dev-sgx_enclave.patch b/0010-psw-prefer-dev-sgx_provision-dev-sgx_enclave.patch index a81d86c..c7874d8 100644 --- a/0010-psw-prefer-dev-sgx_provision-dev-sgx_enclave.patch +++ b/0010-psw-prefer-dev-sgx_provision-dev-sgx_enclave.patch @@ -1,7 +1,7 @@ -From b3adcc233373a403654954e364a798cc06a618b4 Mon Sep 17 00:00:00 2001 +From b35c87f751c42cec71c4d3107b88084eddc4f749 Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?= Date: Fri, 4 Oct 2024 16:33:20 +0100 -Subject: [PATCH 10/13] psw: prefer /dev/sgx_provision & /dev/sgx_enclave +Subject: [PATCH 10/16] psw: prefer /dev/sgx_provision & /dev/sgx_enclave MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit @@ -74,5 +74,5 @@ index 49f2b9aa..fc537a84 100644 } else if (driver_type == SGX_DRIVER_DCAP) -- -2.46.0 +2.48.1 diff --git a/0011-psw-fix-soname-for-libuae_service.so-library.patch b/0011-psw-fix-soname-for-libuae_service.so-library.patch index b8b3829..9d6ac62 100644 --- a/0011-psw-fix-soname-for-libuae_service.so-library.patch +++ b/0011-psw-fix-soname-for-libuae_service.so-library.patch @@ -1,7 +1,7 @@ -From 134a3214bc7d2de69c015204d43453535125907d Mon Sep 17 00:00:00 2001 +From 44fa7a1f6108ae855419f32288573ff3c51f1fa4 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?= Date: Fri, 17 Jan 2025 15:38:56 +0000 -Subject: [PATCH 11/13] psw: fix soname for libuae_service.so library +Subject: [PATCH 11/16] psw: fix soname for libuae_service.so library MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit @@ -25,5 +25,5 @@ index bffbdc5b..81f5c4b7 100644 $(IPC_SRC:.cpp=.o) : $(IPC_COMMON_PROTO_DIR)/messages.pb.cc AEServicesImpl.o : $(IPC_COMMON_PROTO_DIR)/messages.pb.cc -- -2.46.0 +2.48.1 diff --git a/0012-pcl-remove-redundant-use-of-bool-type.patch b/0012-pcl-remove-redundant-use-of-bool-type.patch index db425c1..d0906e5 100644 --- a/0012-pcl-remove-redundant-use-of-bool-type.patch +++ b/0012-pcl-remove-redundant-use-of-bool-type.patch @@ -1,7 +1,7 @@ -From d0d00e0d5518c983983eb8dbe4fd8c2c09845e9b Mon Sep 17 00:00:00 2001 +From 64e9315acfc84f84299e8f0d8d890f158d972b0f Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?= Date: Thu, 6 Feb 2025 09:54:33 +0000 -Subject: [PATCH 12/13] pcl: remove redundant use of 'bool' type +Subject: [PATCH 12/16] pcl: remove redundant use of 'bool' type MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit @@ -45,5 +45,5 @@ index 5ad6efde..b78ca907 100644 #endif // #ifdef SE_SIM -- -2.46.0 +2.48.1 diff --git a/0013-sdk-honour-CFLAGS-LDFLAGS-set-from-environment.patch b/0013-sdk-honour-CFLAGS-LDFLAGS-set-from-environment.patch new file mode 100644 index 0000000..ffce807 --- /dev/null +++ b/0013-sdk-honour-CFLAGS-LDFLAGS-set-from-environment.patch 
@@ -0,0 +1,126 @@
+From 51aa96fc252d5792ca26132478eb5c1c8af1a63c Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?=
+Date: Thu, 27 Mar 2025 14:17:01 +0000
+Subject: [PATCH 13/16] sdk: honour CFLAGS/LDFLAGS set from environment
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Signed-off-by: Daniel P. Berrangé
+---
+ sdk/debugger_interface/linux/Makefile | 5 +----
+ sdk/encrypt_enclave/Makefile | 2 +-
+ sdk/sign_tool/SignTool/Makefile | 2 +-
+ sdk/simulation/SEConfigureCPUSVN/linux/Makefile | 2 +-
+ sdk/simulation/uae_service_sim/linux/Makefile | 2 +-
+ sdk/simulation/urtssim/linux/Makefile | 8 ++++----
+ 6 files changed, 9 insertions(+), 12 deletions(-)
+
+diff --git a/sdk/debugger_interface/linux/Makefile b/sdk/debugger_interface/linux/Makefile
+index 8f2847da..808e093f 100644
+--- a/sdk/debugger_interface/linux/Makefile
++++ b/sdk/debugger_interface/linux/Makefile
+@@ -31,13 +31,10 @@
+ 
+ include ../../../buildenv.mk
+ 
+-#Don't CFLAGS +=, because it depend on gdb is m32 or m64
+-CFLAGS :=
+-
+ CPPFLAGS += -I$(COMMON_DIR)/inc/ \
+ -I$(COMMON_DIR)/inc/internal/
+ 
+-CFLAGS += -W -Wall -Werror -D_GNU_SOURCE -fpic
++CFLAGS += -W -Wall -Werror -D_GNU_SOURCE -fpic -Wno-conversion -Wno-redundant-decls
+ ifeq ($(CC_BELOW_4_9), 1)
+ CFLAGS += -fstack-protector
+ else
+diff --git a/sdk/encrypt_enclave/Makefile b/sdk/encrypt_enclave/Makefile
+index d388dc1d..867de978 100644
+--- a/sdk/encrypt_enclave/Makefile
++++ b/sdk/encrypt_enclave/Makefile
+@@ -39,7 +39,7 @@ endif
+ 
+ INC_DIR := -I$(COMMON_DIR)/inc -I$(COMMON_DIR)/inc/internal -I.
+ CXXFLAGS += $(INC_DIR) -Wno-attributes -g -mrdrnd -fpie
+-LDFLAGS := -pie $(COMMON_LDFLAGS)
++LDFLAGS += -pie $(COMMON_LDFLAGS)
+ 
+ LINK_FLAGS := -lcrypto -L$(BUILD_DIR) -lsgx_tservice
+ CPP_FILES := encryptip.cpp
+diff --git a/sdk/sign_tool/SignTool/Makefile b/sdk/sign_tool/SignTool/Makefile
+index 219fb5ad..fe16b392 100644
+--- a/sdk/sign_tool/SignTool/Makefile
++++ b/sdk/sign_tool/SignTool/Makefile
+@@ -40,7 +40,7 @@ FLAGS += -DSE_DEBUG_LEVEL=SE_TRACE_ERROR
+ endif
+ CFLAGS += $(FLAGS)
+ CXXFLAGS += $(FLAGS)
+-LDFLAGS := -pie $(COMMON_LDFLAGS) -Wno-odr
++LDFLAGS += -pie $(COMMON_LDFLAGS) -Wno-odr
+ 
+ INC += $(ADDED_INC)
+ INC += -I$(COMMON_DIR)/inc \
+diff --git a/sdk/simulation/SEConfigureCPUSVN/linux/Makefile b/sdk/simulation/SEConfigureCPUSVN/linux/Makefile
+index fce3a59e..5fd8548e 100644
+--- a/sdk/simulation/SEConfigureCPUSVN/linux/Makefile
++++ b/sdk/simulation/SEConfigureCPUSVN/linux/Makefile
+@@ -45,7 +45,7 @@ SRCS += $(SIM_DIR)/urtssim/cpusvn_util.cpp
+ OBJS := $(sort $(SRCS:.cpp=.o))
+ 
+ WRAPPER_LIB_DIR := $(COMMON_DIR)/se_wrapper
+-LDFLAGS := -L$(WRAPPER_LIB_DIR)
++LDFLAGS += -L$(WRAPPER_LIB_DIR)
+ CXXFLAGS += -fpie $(CET_FLAGS)
+ LDFLAGS += -pie $(COMMON_LDFLAGS)
+ LDLIBS := -lwrapper
+diff --git a/sdk/simulation/uae_service_sim/linux/Makefile b/sdk/simulation/uae_service_sim/linux/Makefile
+index 45ddb576..865d5556 100644
+--- a/sdk/simulation/uae_service_sim/linux/Makefile
++++ b/sdk/simulation/uae_service_sim/linux/Makefile
+@@ -50,7 +50,7 @@ INCLUDES := -I.. \
+ 
+ CXXFLAGS += -Wall -fPIC $(INCLUDES) -Werror -g $(CET_FLAGS)
+ CFLAGS := $(filter-out -fPIC -Werror, $(CFLAGS)) -Wall $(INCLUDES) $(CET_FLAGS)
+-
++LDUFLAGS += $(LDFLAGS)
+ 
+ RDRAND_LIBDIR := $(LINUX_EXTERNAL_DIR)/rdrand/src
+ RDRAND_MAKEFILE := $(RDRAND_LIBDIR)/Makefile
+diff --git a/sdk/simulation/urtssim/linux/Makefile b/sdk/simulation/urtssim/linux/Makefile
+index 505ce8d9..b340463a 100644
+--- a/sdk/simulation/urtssim/linux/Makefile
++++ b/sdk/simulation/urtssim/linux/Makefile
+@@ -65,9 +65,9 @@ DIR5 := $(LINUX_PSW_DIR)/../common/src/linux
+ DIR6 := $(LINUX_PSW_DIR)/../common/src
+ 
+ 
+-LDFLAGS += -L$(COMMON_DIR)/se_wrapper \
++LDUFLAGS += -L$(COMMON_DIR)/se_wrapper \
+ -L$(SIM_DIR)/uae_service_sim/linux
+-LDFLAGS += -L$(VTUNE_DIR)/sdk/src/ittnotify/ -littnotify -ldl -lpthread
++LDUFLAGS += -L$(VTUNE_DIR)/sdk/src/ittnotify/ -littnotify -ldl -lpthread
+ 
+ OBJ1 := enclave.o \
+ tcs.o \
+@@ -119,7 +119,7 @@ vpath %.cpp .:$(DIR1):$(DIR2):$(DIR3):$(DIR4):$(DIR6)
+ vpath %.S .:$(DIR2):$(DIR5)
+ vpath %.c .:$(DIR6)
+ 
+-LDFLAGS += $(COMMON_LDFLAGS) -Wl,--version-script=$(LINUX_PSW_DIR)/urts/linux/urts.lds
++LDUFLAGS += $(COMMON_LDFLAGS) -Wl,--version-script=$(LINUX_PSW_DIR)/urts/linux/urts.lds
+ 
+ LIBURTSSIM_SHARED := libsgx_urts_sim.so
+ LIBURTS_DEPLOY := libsgx_urts_deploy.so
+@@ -133,7 +133,7 @@ all: $(LIBURTSSIM_SHARED) $(LIBURTS_DEPLOY)| $(BUILD_DIR)
+ $(CP) $(LIBURTS_DEPLOY) $|
+ 
+ $(LIBURTSSIM_SHARED): simasm uinst driver_api wrapper uae_service_sim $(OBJ) $(OBJ6) ittnotify
+- $(CXX) $(CXXFLAGS) -shared -Wl,-soname=$(SONAME) $(OBJ) $(OBJ6) $(LDFLAGS) $(LDLIBS) -o $@
++ $(CXX) $(CXXFLAGS) -shared -Wl,-soname=$(SONAME) $(OBJ) $(OBJ6) $(LDUFLAGS) $(LDLIBS) -o $@
+ 
+ $(BUILD_DIR):
+ @$(MKDIR) $@
+-- 
+2.48.1
+
diff --git a/0014-psw-make-aesm_service-build-verbose.patch b/0014-psw-make-aesm_service-build-verbose.patch
new file mode 100644
index 0000000..f25cea8
--- /dev/null
+++ b/0014-psw-make-aesm_service-build-verbose.patch
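Review bot: The urtssim link rule now passes `$(LDUFLAGS)` in place of `$(LDFLAGS)`, but none of the visible hunks for sdk/simulation/urtssim/linux/Makefile seed LDUFLAGS with the environment value the way the uae_service_sim hunk does with `LDUFLAGS += $(LDFLAGS)`; unless that happens in a part of the Makefile outside this patch, the distro LDFLAGS this series sets out to honour (typically the `-Wl,-z,relro -Wl,-z,now` style hardening) never reach `libsgx_urts_sim.so`. Adding `LDUFLAGS += $(LDFLAGS)` ahead of the first `LDUFLAGS += -L$(COMMON_DIR)/se_wrapper \` would make the two simulation Makefiles consistent and keep env LDFLAGS out of the exported value seen by the sub-makes, which appears to be the reason for the LDUFLAGS rename. The dropped `CFLAGS :=` reset in sdk/debugger_interface/linux/Makefile came with a comment that the flags must match whether gdb is 32- or 64-bit; the patch now relies on the environment supplying a compatible CFLAGS, which deserves a sentence in the commit message. Separately, `-Wno-conversion -Wno-redundant-decls` is added so `-Werror` survives the distro flags; se_ptrace.c is a ptrace interposer handling register and address values, so the narrowing conversions it now hides would be worth inspecting rather than silencing file-wide.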
@@ -0,0 +1,29 @@ +From e2f8a9054e512b3c49f4264824892baf07898efc Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?= +Date: Thu, 27 Mar 2025 16:07:10 +0000 +Subject: [PATCH 14/16] psw: make aesm_service build verbose. +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Signed-off-by: Daniel P. Berrangé +--- + psw/ae/aesm_service/Makefile | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/psw/ae/aesm_service/Makefile b/psw/ae/aesm_service/Makefile +index 89a15875..dbfa3fb6 100644 +--- a/psw/ae/aesm_service/Makefile ++++ b/psw/ae/aesm_service/Makefile +@@ -80,7 +80,7 @@ copy_data_file: + @$(CP) $(WHITE_LIST_FILE) data/white_list_cert_to_be_verify.bin + + $(APPNAME): $(CPPMICROSERVICES) source/build/CMakeCache.txt urts RDRAND +- $(MAKE) -C source/build ++ $(MAKE) -C source/build VERBOSE=1 + ifeq ($(USE_HOST_CPPMICROSERVICES), 0) + $(CP) $(CPPMICROSERVICES) source/build/bin/ + endif +-- +2.48.1 + diff --git a/0015-Fix-modern-C-function-prototype-compliance.patch b/0015-Fix-modern-C-function-prototype-compliance.patch new file mode 100644 index 0000000..5a32649 --- /dev/null +++ b/0015-Fix-modern-C-function-prototype-compliance.patch 
@@ -0,0 +1,43 @@ +From f70028402c31652c65277291e93b4c565c8863ad Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?= +Date: Mon, 31 Mar 2025 10:55:25 +0100 +Subject: [PATCH 15/16] Fix modern C function prototype compliance +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Signed-off-by: Daniel P. Berrangé +--- + common/inc/internal/se_cdefs.h | 2 +- + sdk/debugger_interface/linux/se_ptrace.c | 2 +- + 2 files changed, 2 insertions(+), 2 deletions(-) + +diff --git a/common/inc/internal/se_cdefs.h b/common/inc/internal/se_cdefs.h +index edbe25fa..76083b02 100644 +--- a/common/inc/internal/se_cdefs.h ++++ b/common/inc/internal/se_cdefs.h +@@ -94,7 +94,7 @@ + + #define SGX_ACCESS_VERSION(libname, num) \ + MY_EXTERN char sgx_##libname##_version[]; \ +- MY_EXTERN char * __attribute__((destructor)) libname##_access_version_dummy##num() \ ++ MY_EXTERN char * __attribute__((destructor)) libname##_access_version_dummy##num(void) \ + { \ + sgx_##libname##_version[0] = 's'; \ + return sgx_##libname##_version; \ +diff --git a/sdk/debugger_interface/linux/se_ptrace.c b/sdk/debugger_interface/linux/se_ptrace.c +index 8e4e7600..8c38bb68 100644 +--- a/sdk/debugger_interface/linux/se_ptrace.c ++++ b/sdk/debugger_interface/linux/se_ptrace.c +@@ -76,7 +76,7 @@ typedef pid_t (*waitpid_t)(pid_t pid, int *status, int options); + + static ptrace_t g_sys_ptrace = NULL; + static waitpid_t g_sys_waitpid = NULL; +-__attribute__((constructor)) void init() ++__attribute__((constructor)) void init(void) + { + g_sys_ptrace = (ptrace_t)dlsym(RTLD_NEXT, "ptrace"); + g_sys_waitpid = (waitpid_t)dlsym(RTLD_NEXT, "waitpid"); +-- +2.48.1 + diff --git a/0016-Add-wrapper-for-nasm-to-fix-cmake-compat.patch b/0016-Add-wrapper-for-nasm-to-fix-cmake-compat.patch new file mode 100644 index 0000000..4432eab --- /dev/null +++ b/0016-Add-wrapper-for-nasm-to-fix-cmake-compat.patch 
@@ -0,0 +1,69 @@
+From dc2be9ad1955e85006604ef2840357a1dedf856c Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?=
+Date: Wed, 2 Apr 2025 17:11:25 +0100
+Subject: [PATCH 16/16] Add wrapper for nasm to fix cmake compat
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+cmake needs to detect nasm by running with the '-v' arg, but it
+cannot cope with the nasm command being anything other than a
+single binary name - it won't accept & pass on args during the
+detection phase. Thus a further wrapper is needed.
+
+Signed-off-by: Daniel P. Berrangé
+---
+ build-scripts/sgx-nasm.sh | 12 ++++++++++++
+ external/ippcp_internal/Makefile | 8 +++++---
+ 2 files changed, 17 insertions(+), 3 deletions(-)
+ create mode 100755 build-scripts/sgx-nasm.sh
+
+diff --git a/build-scripts/sgx-nasm.sh b/build-scripts/sgx-nasm.sh
+new file mode 100755
+index 00000000..4ad75f73
+--- /dev/null
++++ b/build-scripts/sgx-nasm.sh
+@@ -0,0 +1,12 @@
++#!/bin/sh
++
++set -e
++
++if test "$1" == "-v"
++then
++ exec nasm -v
++else
++ here=$(dirname $0)
++ echo python ${here}/sgx-asm-pp.py --assembler=nasm --MITIGATION-CVE-2020-0551=${MITIGATION} "$@"
++ exec python ${here}/sgx-asm-pp.py --assembler=nasm --MITIGATION-CVE-2020-0551=${MITIGATION} "$@"
++fi
+diff --git a/external/ippcp_internal/Makefile b/external/ippcp_internal/Makefile
+index 70718f5e..d8efe418 100644
+--- a/external/ippcp_internal/Makefile
++++ b/external/ippcp_internal/Makefile
+@@ -58,10 +58,12 @@ IPP_CONFIG += -DIPPCP_FIPS_MODE=on -DFIPS_CUSTOM_IPPCP_API_HEADER=$(CURDIR)/inc
+ SUB_DIR = no_mitigation
+ ifeq ($(MITIGATION-CVE-2020-0551), LOAD)
+ SUB_DIR = cve_2020_0551_load
+- PRE_CONFIG= ASM_NASM="python $(DIR)/../../build-scripts/sgx-asm-pp.py --assembler=nasm --MITIGATION-CVE-2020-0551=LOAD"
++ PRE_CONFIG = ASM_NASM="$(DIR)/../../build-scripts/sgx-nasm.sh"
++ POST_CONFIG = MITIGATION=LOAD
+ else ifeq ($(MITIGATION-CVE-2020-0551), CF)
+ SUB_DIR = cve_2020_0551_cf
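Review bot: `if test "$1" == "-v"` in build-scripts/sgx-nasm.sh uses the bash-only `==` under a `#!/bin/sh` shebang; POSIX `test` only defines `=`, so on a shell such as dash the comparison fails with an "unexpected operator" error, `set -e` does not stop an `if` condition, and cmake's `-v` probe is handed to sgx-asm-pp.py instead of nasm (it works on Fedora only because /bin/sh is bash there). The script also interpolates `${MITIGATION}` unchecked, and the ippcp Makefile hunk sets `MITIGATION=LOAD`/`CF` only for the `make ippcp_s` step and not for the cmake configure step, so any invocation with a source file and no MITIGATION would pass `--MITIGATION-CVE-2020-0551=` and assemble without the LVI mitigation the build selected; that should fail closed with `: "${MITIGATION:?...}"` rather than silently produce unmitigated code. The diagnostic `echo` goes to stdout, which a caller may treat as assembler output, and `$0`/`${here}` are unquoted. Rewritten below.

```sh
#!/bin/sh
set -e

# cmake probes the assembler with a bare "-v"; everything else is a real
# assembly request that must carry the CVE-2020-0551 mitigation mode.
if test "$1" = "-v"; then
    exec nasm -v
fi

# Fail closed: an unset MITIGATION would silently assemble unmitigated code.
: "${MITIGATION:?MITIGATION must be set to LOAD or CF}"

here=$(dirname -- "$0")
echo "python ${here}/sgx-asm-pp.py --assembler=nasm --MITIGATION-CVE-2020-0551=${MITIGATION} $*" >&2
exec python "${here}/sgx-asm-pp.py" --assembler=nasm "--MITIGATION-CVE-2020-0551=${MITIGATION}" "$@"
```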
+- PRE_CONFIG= ASM_NASM="python $(DIR)/../../build-scripts/sgx-asm-pp.py --assembler=nasm --MITIGATION-CVE-2020-0551=CF" ++ PRE_CONFIG = ASM_NASM="$(DIR)/../../build-scripts/sgx-nasm.sh" ++ POST_CONFIG = MITIGATION=CF + endif + OUT_DIR = lib/linux/$(ARCH)/$(SUB_DIR)/ + +@@ -84,7 +86,7 @@ all: build_ipp + $(CP) ipp-crypto/LICENSE ./license/ + + build_ipp: $(CHECK_SOURCE) +- cd $(IPP_SOURCE) && $(PRE_CONFIG) cmake CMakeLists.txt $(IPP_CONFIG) && cd build && make ippcp_s ++ cd $(IPP_SOURCE) && $(PRE_CONFIG) cmake CMakeLists.txt $(IPP_CONFIG) && cd build && $(POST_CONFIG) make ippcp_s + + $(IPP_SOURCE)/build: + ifeq ($(IPP_USE_GIT), 1) +-- +2.48.1 + diff --git a/0013-Disable-inclusion-of-AESM-in-installer.patch b/0050-Disable-inclusion-of-AESM-in-installer.patch similarity index 96% rename from 0013-Disable-inclusion-of-AESM-in-installer.patch rename to 0050-Disable-inclusion-of-AESM-in-installer.patch index 082f771..a89a40a 100644 --- a/0013-Disable-inclusion-of-AESM-in-installer.patch +++ b/0050-Disable-inclusion-of-AESM-in-installer.patch @@ -1,7 +1,7 @@ -From 820d3a2491ddc9b9b02bc9530e89bc5f5b557139 Mon Sep 17 00:00:00 2001 +From 07f39d2eb84d66fd19d025856747c5521068f26c Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?= Date: Tue, 11 Feb 2025 14:58:58 +0000 -Subject: [PATCH 13/13] Disable inclusion of AESM in installer +Subject: [PATCH] Disable inclusion of AESM in installer MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit @@ -77,5 +77,5 @@ index a810d6b9..82a07af1 100644 # COPY_AES: currently copy le, qe, pve, pce, qe3 -- -2.46.0 +2.48.1 diff --git a/0100-Drop-use-of-bundled-pre-built-openssl.patch b/0100-Drop-use-of-bundled-pre-built-openssl.patch index 3c8a035..6e4e61a 100644 --- a/0100-Drop-use-of-bundled-pre-built-openssl.patch +++ b/0100-Drop-use-of-bundled-pre-built-openssl.patch @@ -1,7 +1,7 @@ From d70390caa01c88dd681e6ce68f850d26a33bb838 Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?= Date: Mon, 26 Feb 2024 12:19:51 +0000 -Subject: [PATCH 100/112] Drop use of bundled pre-built openssl +Subject: [PATCH 100/116] Drop use of bundled pre-built openssl MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit @@ -188,5 +188,5 @@ index a20a3cd..c8e1d01 100644 debug: $(PCKCERTSEL_VERBOSE)$(MAKE) DEBUG=1 all -- -2.46.0 +2.48.1 diff --git a/0101-Improve-debuggability-of-build-system.patch b/0101-Improve-debuggability-of-build-system.patch index cfb91b5..295414e 100644 --- a/0101-Improve-debuggability-of-build-system.patch +++ b/0101-Improve-debuggability-of-build-system.patch @@ -1,7 +1,7 @@ -From 015be80fb831f9fe5f364f82448acbd0c998df95 Mon Sep 17 00:00:00 2001 +From b4d3b1401e16a557bcba1fe02b525bd5c26ee532 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?= Date: Fri, 1 Mar 2024 12:05:01 +0000 -Subject: [PATCH 101/112] Improve debuggability of build system +Subject: [PATCH 101/116] Improve debuggability of build system MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit @@ -12,8 +12,9 @@ Don't hide commands that are run, so compiler flags are visible. Signed-off-by: Daniel P. Berrangé --- QuoteGeneration/qcnl/linux/Makefile | 2 +- + QuoteVerification/appraisal/qal/Makefile | 2 +- .../dcap_quoteverify/linux/Makefile | 28 +++++++++---------- - 2 files changed, 15 insertions(+), 15 deletions(-) + 3 files changed, 16 insertions(+), 16 deletions(-) diff --git a/QuoteGeneration/qcnl/linux/Makefile b/QuoteGeneration/qcnl/linux/Makefile index f043575..bfe9c61 100644 
@@ -28,6 +29,19 @@ index f043575..bfe9c61 100644 force_look: true +diff --git a/QuoteVerification/appraisal/qal/Makefile b/QuoteVerification/appraisal/qal/Makefile +index 139848a..cd361c4 100644 +--- a/QuoteVerification/appraisal/qal/Makefile ++++ b/QuoteVerification/appraisal/qal/Makefile +@@ -128,7 +128,7 @@ $(QAL_CXX_Common_Objs): %.o: ../common/%.cpp + $(CXX) $(QAL_Cpp_Flags) -c $< -o $@ + + wasm_lib: +- test -f $(WARM_Lib_Path)/libvmlib.a || ($(MKDIR) $(WARM_Lib_Path) && cd $(WARM_Lib_Path) && cmake .. $(WASM_CONFIG) && $(MAKE) vmlib) ++ test -f $(WARM_Lib_Path)/libvmlib.a || ($(MKDIR) $(WARM_Lib_Path) && cd $(WARM_Lib_Path) && cmake .. $(WASM_CONFIG) && $(MAKE) vmlib VERBOSE=1) + + clean: + $(RM) $(QAL_Obj_Files) $(Target_Lib_Name) $(Target_Lib_Name).$(SGX_MAJOR_VER) $(Target_Static_Lib_Name) $(BUILD_DIR)/$(Target_Lib_Name) $(QVL_Cpp_Obj_Files) diff --git a/QuoteVerification/dcap_quoteverify/linux/Makefile b/QuoteVerification/dcap_quoteverify/linux/Makefile index fba7f43..5979699 100644 --- a/QuoteVerification/dcap_quoteverify/linux/Makefile @@ -114,5 +128,5 @@ index fba7f43..5979699 100644 .PHONY: qal qal: -- -2.46.0 +2.48.1 diff --git a/0102-Support-build-time-setting-of-enclave-load-directory.patch b/0102-Support-build-time-setting-of-enclave-load-directory.patch index 26a8772..bffa974 100644 --- a/0102-Support-build-time-setting-of-enclave-load-directory.patch +++ b/0102-Support-build-time-setting-of-enclave-load-directory.patch @@ -1,7 +1,7 @@ -From 6433514bb00f1fe166cb99a2b3a0bb979bb11fbd Mon Sep 17 00:00:00 2001 +From edcd2d044a8e20cf8d2e1cebba7f74f2573c9ae5 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?= Date: Mon, 26 Feb 2024 12:19:51 +0000 -Subject: [PATCH 102/112] Support build time setting of enclave load directory +Subject: [PATCH 102/116] Support build time setting of enclave load directory MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit 
@@ -143,7 +143,7 @@ index dbbe2af..a57e082 100644 NULL != dl_info.dli_fname) { diff --git a/QuoteVerification/appraisal/qal/Makefile b/QuoteVerification/appraisal/qal/Makefile -index 139848a..c63c1e0 100644 +index cd361c4..ead4a5d 100644 --- a/QuoteVerification/appraisal/qal/Makefile +++ b/QuoteVerification/appraisal/qal/Makefile @@ -49,7 +49,7 @@ QAL_Include_Path := -I./ \ @@ -259,5 +259,5 @@ index d9c2bac..1065949 100644 App_Link_Flags += -lcurl -ldl -lpthread ifeq ($(STANDALONE), 1) -- -2.46.0 +2.48.1 diff --git a/0103-Look-for-versioned-sgx_urts-library-in-PCKRetrievalT.patch b/0103-Look-for-versioned-sgx_urts-library-in-PCKRetrievalT.patch index e5a2d1b..079f3dc 100644 --- a/0103-Look-for-versioned-sgx_urts-library-in-PCKRetrievalT.patch +++ b/0103-Look-for-versioned-sgx_urts-library-in-PCKRetrievalT.patch @@ -1,7 +1,7 @@ -From f91fe574c57080ca8818473c8f140f555fbafaf7 Mon Sep 17 00:00:00 2001 +From 3cbab8069678b15276d7a8d2d0c7aa34532ad4af Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?= Date: Tue, 27 Feb 2024 15:46:41 +0000 -Subject: [PATCH 103/112] Look for versioned sgx_urts library in +Subject: [PATCH 103/116] Look for versioned sgx_urts library in PCKRetrievalTool MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 @@ -40,5 +40,5 @@ index d77a6eb..d195717 100644 } #endif -- -2.46.0 +2.48.1 diff --git a/0104-Don-t-import-pypac-in-pccsadmin.patch b/0104-Don-t-import-pypac-in-pccsadmin.patch index e7bb3e4..0e94942 100644 --- a/0104-Don-t-import-pypac-in-pccsadmin.patch +++ b/0104-Don-t-import-pypac-in-pccsadmin.patch @@ -1,7 +1,7 @@ -From 56067e04cecad42779a42420f8acbf2635481f67 Mon Sep 17 00:00:00 2001 +From 2609841a9ddedd4c3f22778bff0aa399ce6d4f9a Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?= Date: Tue, 27 Feb 2024 20:28:24 +0000 -Subject: [PATCH 104/112] Don't import pypac in pccsadmin +Subject: [PATCH 104/116] Don't import pypac in pccsadmin MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit @@ -29,5 +29,5 @@ index 9f1d224..af1e78e 100644 from lib.intelsgx.credential import Credentials from requests.adapters import HTTPAdapter -- -2.46.0 +2.48.1 diff --git a/0105-Look-for-PCKRetrievalTool-config-file-in-etc.patch b/0105-Look-for-PCKRetrievalTool-config-file-in-etc.patch index 54ade5b..c8fda25 100644 --- a/0105-Look-for-PCKRetrievalTool-config-file-in-etc.patch +++ b/0105-Look-for-PCKRetrievalTool-config-file-in-etc.patch @@ -1,7 +1,7 @@ -From ec86bb174a3ba05adebbfa9e58d0d3a24888d5dd Mon Sep 17 00:00:00 2001 +From eb1018b10a5adedcdc1ae3cf8f5d8be6de5b7d6d Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?= Date: Thu, 29 Feb 2024 14:21:36 +0000 -Subject: [PATCH 105/112] Look for PCKRetrievalTool config file in /etc/ +Subject: [PATCH 105/116] Look for PCKRetrievalTool config file in /etc/ MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit @@ -39,5 +39,5 @@ index e423f38..36f219b 100644 if(strnlen(local_configuration_file_path ,MAX_PATH)+strnlen(LOCAL_NETWORK_SETTING,MAX_PATH)+sizeof(char) > MAX_PATH) { return false; -- -2.46.0 +2.48.1 diff --git a/0106-Honour-CFLAGS-CXXFLAGS-LDFLAGS-for-various-tools-and.patch b/0106-Honour-CFLAGS-CXXFLAGS-LDFLAGS-for-various-tools-and.patch new file mode 100644 index 0000000..4d232ed --- /dev/null +++ b/0106-Honour-CFLAGS-CXXFLAGS-LDFLAGS-for-various-tools-and.patch 
@@ -0,0 +1,209 @@
+From c1773ce8ab60a0d887a52b821de28d6fd996b7f4 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?=
+Date: Fri, 28 Mar 2025 16:00:27 +0000
+Subject: [PATCH 106/116] Honour CFLAGS/CXXFLAGS/LDFLAGS for various tools and
+ libraries
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Signed-off-by: Daniel P. Berrangé
+---
+ QuoteGeneration/qcnl/linux/Makefile | 7 ++++---
+ QuoteGeneration/qpl/linux/Makefile | 4 ++--
+ QuoteGeneration/quote_wrapper/qgs/Makefile | 2 +-
+ QuoteGeneration/quote_wrapper/ql/linux/Makefile | 7 ++++---
+ QuoteGeneration/quote_wrapper/quote/linux/Makefile | 2 +-
+ QuoteVerification/dcap_quoteverify/linux/Makefile | 6 +++---
+ tools/PCKCertSelection/PCKCertSelectionLib/Makefile | 4 ++--
+ tools/PCKRetrievalTool/Makefile | 9 +++++----
+ tools/SGXPlatformRegistration/package/Makefile | 2 +-
+ tools/SGXPlatformRegistration/tool/Makefile | 2 +-
+ 10 files changed, 24 insertions(+), 21 deletions(-)
+
+diff --git a/QuoteGeneration/qcnl/linux/Makefile b/QuoteGeneration/qcnl/linux/Makefile
+index bfe9c61..531f40b 100644
+--- a/QuoteGeneration/qcnl/linux/Makefile
++++ b/QuoteGeneration/qcnl/linux/Makefile
+@@ -46,12 +46,13 @@ CNL_Lib_Include_Paths := -I../../quote_wrapper/common/inc \
+ -I../../../QuoteVerification/QVL/Src/ThirdParty/rapidjson/include/rapidjson \
+ -I../../../tools/PCKCertSelection/include
+
+-CNL_Lib_C_Flags := $(COMMON_FLAGS) -g -fPIC -Wno-attributes $(CNL_Lib_Include_Paths) $(pkg-config --cflags libcrypto)
++CNL_Lib_Common_Flags := $(COMMON_FLAGS) -g -fPIC -Wno-attributes $(CNL_Lib_Include_Paths) $(pkg-config --cflags libcrypto)
++CNL_Lib_C_Flags := $(CFLAGS) $(CNL_Lib_Common_Flags)
+
+-LDUFLAGS:= -pthread $(COMMON_LDFLAGS)
++LDUFLAGS:= $(LDFLAGS) -pthread $(COMMON_LDFLAGS)
+ LDUFLAGS += -Wl,--version-script=sgx_default_qcnl.lds -Wl,--gc-sections
+
+-CNL_Lib_Cpp_Flags := $(CNL_Lib_C_Flags) -std=c++11
++CNL_Lib_Cpp_Flags := $(CXXFLAGS) $(CNL_Lib_Common_Flags) -std=c++11
+
+ ifdef SELF_SIGNED_CERT
+ CNL_Lib_Cpp_Flags+= -DSELF_SIGNED_CERT
+diff --git a/QuoteGeneration/qpl/linux/Makefile b/QuoteGeneration/qpl/linux/Makefile
+index 204234c..d703c45 100644
+--- a/QuoteGeneration/qpl/linux/Makefile
++++ b/QuoteGeneration/qpl/linux/Makefile
+@@ -48,9 +48,9 @@ QPL_Lib_C_Flags := $(COMMON_FLAGS) -g -fPIC -Wno-attributes $(QPL_Lib_Include_Pa
+ LDUFLAGS:= -pthread $(COMMON_LDFLAGS)
+ LDUFLAGS += -Wl,--version-script=sgx_default_quote_provider.lds -Wl,--gc-sections
+
+-QPL_Lib_Cpp_Flags := $(QPL_Lib_C_Flags) -std=c++11
++QPL_Lib_Cpp_Flags := $(CXXFLAGS) $(QPL_Lib_C_Flags) -std=c++11
+
+-QPL_Lib_Link_Flags := $(SGX_COMMON_FLAGS) -g -L$(TOP_DIR)/build/linux -L$(SGX_SDK)/lib64 \
++QPL_Lib_Link_Flags := $(LDFLAGS) $(SGX_COMMON_FLAGS) -g -L$(TOP_DIR)/build/linux -L$(SGX_SDK)/lib64 \
+ -lcrypto -lsgx_default_qcnl_wrapper -lpthread -ldl
+
+ ifndef DEBUG
+diff --git a/QuoteGeneration/quote_wrapper/qgs/Makefile b/QuoteGeneration/quote_wrapper/qgs/Makefile
+index 5d87e4d..8228bdf 100644
+--- a/QuoteGeneration/quote_wrapper/qgs/Makefile
++++ b/QuoteGeneration/quote_wrapper/qgs/Makefile
+@@ -51,7 +51,7 @@ endif
+ DEPENDS = ${QGS_OBJS test_client.o:.o=.d}
+
+ # SGX related libraries
+-QGS_LFLAGS = -L$(TOP_DIR)/build/linux -lsgx_tdx_logic -lsgx_pce_logic -ldl \
++QGS_LFLAGS = $(LDFLAGS) -L$(TOP_DIR)/build/linux -lsgx_tdx_logic -lsgx_pce_logic -ldl \
+ -L$(SGX_SDK)/lib64 -lsgx_urts -g
+ # add boost_system for link
+ QGS_LFLAGS += -lboost_system -lboost_thread -lpthread
+diff --git a/QuoteGeneration/quote_wrapper/ql/linux/Makefile b/QuoteGeneration/quote_wrapper/ql/linux/Makefile
+index c5d877b..2983665 100644
+--- a/QuoteGeneration/quote_wrapper/ql/linux/Makefile
++++ b/QuoteGeneration/quote_wrapper/ql/linux/Makefile
+@@ -48,13 +48,14 @@ QL_Lib_C_Files := se_trace.c se_thread.c
+ QL_Lib_Include_Paths := -I../../common/inc -I./ -I$(SGX_SDK)/include -I../../../common/inc/internal
+ QL_Lib_Include_Paths += -I../../quote/inc -I../../../pce_wrapper/inc -I../inc
+
+-QL_Lib_C_Flags := $(COMMON_FLAGS) -g -fPIC -Wno-attributes $(QL_Lib_Include_Paths)
++QL_Lib_Common_Flags := $(COMMON_FLAGS) -g -fPIC -Wno-attributes $(QL_Lib_Include_Paths)
++QL_Lib_C_Flags := $(CFLAGS) $(QL_Lib_Common_Flags)
+
+ LDUFLAGS:= -pthread $(COMMON_LDFLAGS)
+ LDUFLAGS += -Wl,--version-script=dcap_ql_wrapper.lds -Wl,--gc-sections
+
+-QL_Lib_Cpp_Flags := $(QL_Lib_C_Flags) -std=c++11
+-QL_Lib_Link_Flags := $(SGX_COMMON_FLAGS) -g -L$(Quote_Library_Dir) -lsgx_qe3_logic -L$(PCE_Library_Dir) -lsgx_pce_logic -L$(TOP_DIR)/build/linux -L$(SGX_SDK)/lib64 -lpthread -ldl
++QL_Lib_Cpp_Flags := $(CXXFLAGS) $(QL_Lib_Common_Flags) -std=c++11
++QL_Lib_Link_Flags := $(LDFLAGS) $(SGX_COMMON_FLAGS) -g -L$(Quote_Library_Dir) -lsgx_qe3_logic -L$(PCE_Library_Dir) -lsgx_pce_logic -L$(TOP_DIR)/build/linux -L$(SGX_SDK)/lib64 -lpthread -ldl
+
+ QL_Lib_Cpp_Flags += -DDISABLE_TRACE
+ QL_Lib_Link_Flags += -DDISABLE_TRACE
+diff --git a/QuoteGeneration/quote_wrapper/quote/linux/Makefile b/QuoteGeneration/quote_wrapper/quote/linux/Makefile
+index 7d0b398..9b8c936 100644
+--- a/QuoteGeneration/quote_wrapper/quote/linux/Makefile
++++ b/QuoteGeneration/quote_wrapper/quote/linux/Makefile
+@@ -52,7 +52,7 @@ Quote_Include_Paths := -I$(SGX_SDK)/include -I../inc -I../../common/inc -I./ -I.
+ Quote_C_Flags := $(COMMON_FLAGS) -g -fPIC -Wno-attributes $(Quote_Include_Paths)
+
+ Quote_Cpp_Flags := $(Quote_C_Flags) -std=c++11 -DSGX_ENCLAVE_PATH="\"$(SGX_ENCLAVE_PATH)\""
+-Quote_Link_Flags := $(COMMON_FLAGS) -g -L$(ROOT_DIR)/build/linux -L$(SGX_SDK)/lib64 -lsgx_urts -lpthread -ldl
++Quote_Link_Flags := $(COMMON_FLAGS) -g -L$(ROOT_DIR)/build/linux -L$(SGX_SDK)/lib64 -lsgx_urts -lpthread -ldl $(LDFLAGS)
+
+ ifndef DEBUG
+ Quote_Cpp_Flags += -DDISABLE_TRACE
+diff --git a/QuoteVerification/dcap_quoteverify/linux/Makefile b/QuoteVerification/dcap_quoteverify/linux/Makefile
+index c9f11a0..56095ac 100644
+--- a/QuoteVerification/dcap_quoteverify/linux/Makefile
++++ b/QuoteVerification/dcap_quoteverify/linux/Makefile
+@@ -54,8 +54,8 @@ QVL_VERIFY_INC := -I$(QVE_SRC_PATH)/Include \
+
+ QPL_BASE64_CPP_DEP := $(DCAP_QPL_DIR)/sgx_base64.d
+
+-SGX_COMMON_CFLAGS += -g -fPIC -Wno-attributes -USGX_TRUSTED
+-SGX_COMMON_CXXFLAGS += -g -fPIC -USGX_TRUSTED -DSGX_ENCLAVE_PATH="\"$(SGX_ENCLAVE_PATH)\""
++SGX_COMMON_CFLAGS += $(CFLAGS) -g -fPIC -Wno-attributes -USGX_TRUSTED
++SGX_COMMON_CXXFLAGS += $(CXXFLAGS) -g -fPIC -USGX_TRUSTED -DSGX_ENCLAVE_PATH="\"$(SGX_ENCLAVE_PATH)\""
+
+ QVL_LIB_OBJS := $(QVL_LIB_FILES:.cpp=_untrusted.o)
+ QVL_PARSER_OBJS := $(QVL_PARSER_FILES:.cpp=_untrusted.o)
+@@ -65,7 +65,7 @@ QVL_PARSER := sgx_dcap_qvl_attestation
+ QVL_LIB_NAME := lib$(QVL_LIB).a
+ QVL_PARSER_NAME := lib$(QVL_PARSER).a
+
+-LDUFLAGS := -pthread -ldl -L. -l$(QVL_LIB) -l$(QVL_PARSER) $(COMMON_LDFLAGS) -lcrypto
++LDUFLAGS := $(LDFLAGS) -pthread -ldl -L. -l$(QVL_LIB) -l$(QVL_PARSER) $(COMMON_LDFLAGS) -lcrypto
+ LDUFLAGS += -Wl,--version-script=sgx_dcap_quoteverify.lds -Wl,--gc-sections
+
+ QVL_VERIFY_CPP_SRCS := $(wildcard ../*.cpp) $(wildcard *.cpp)
+diff --git a/tools/PCKCertSelection/PCKCertSelectionLib/Makefile b/tools/PCKCertSelection/PCKCertSelectionLib/Makefile
+index 12c0d35..c106ab4 100644
+--- a/tools/PCKCertSelection/PCKCertSelectionLib/Makefile
++++ b/tools/PCKCertSelection/PCKCertSelectionLib/Makefile
+@@ -129,11 +129,11 @@ DEBUG_FLAGS := -m64 -O0 -g
+ RELEASE_FLAGS := -m64 -O2 $(COMMON_FLAGS)
+
+ # basic library c build flags
+-C_FLAGS := -fPIC -fvisibility=hidden -fvisibility-inlines-hidden -Werror -Wno-overloaded-virtual $(LIB_INCLUDE_PATHS)
++C_FLAGS := $(CFLAGS) -fPIC -fvisibility=hidden -fvisibility-inlines-hidden -Werror -Wno-overloaded-virtual $(LIB_INCLUDE_PATHS)
+ C_FLAGS += -UPCK_CERT_SELECTION_WITH_COMPONENT
+
+ # link flags, link openssl crypto
+-LINK_FLAGS := -shared -lcrypto -lpthread -ldl
++LINK_FLAGS := $(LDFLAGS) -shared -lcrypto -lpthread -ldl
+ LINK_FLAGS += -Wl,--version-script=pck_cert_selection.lds -Wl,--gc-sections
+
+ # debug/release switch
+diff --git a/tools/PCKRetrievalTool/Makefile b/tools/PCKRetrievalTool/Makefile
+index 1065949..b6968c6 100644
+--- a/tools/PCKRetrievalTool/Makefile
++++ b/tools/PCKRetrievalTool/Makefile
+@@ -108,8 +108,9 @@ App_Include_Paths += -I ../../QuoteGeneration/ae/inc/internal -I ../SGXPlatformR
+
+ App_C_Flags := $(COMMON_FLAGS) -fPIC -Wno-attributes $(App_Include_Paths)
+
+-App_Cpp_Flags := $(App_C_Flags) -std=c++11 -DSGX_ENCLAVE_PATH="\"$(SGX_ENCLAVE_PATH)\""
+-App_Link_Flags := $(SGX_COMMON_CFLAGS) -Wl,-z,relro,-z,now,-z,noexecstack
++App_Cpp_Flags := $(CXXFLAGS) $(App_C_Flags) -std=c++11 -DSGX_ENCLAVE_PATH="\"$(SGX_ENCLAVE_PATH)\""
++App_C_Flags += $(CFLAGS)
++App_Link_Flags := $(CXXFLAGS) $(LDFLAGS) $(SGX_COMMON_CFLAGS) -Wl,-z,relro,-z,now,-z,noexecstack
+ App_Link_Flags += -lcurl -ldl -lpthread
+ ifeq ($(STANDALONE), 1)
+ App_Link_Flags += -Wl,-rpath,$ORIGIN
+@@ -139,11 +140,11 @@ App/id_enclave_u.c:
+ echo "GEN => $@"
+
+ App/id_enclave_u.o: App/id_enclave_u.c
+- @$(CC) $(App_C_Flags) -c $< -o $@
++ $(CC) $(App_C_Flags) -c $< -o $@
+ @echo "CC <= $<"
+
+ App/pce_u.o: App/pce_u.c
+- @$(CC) $(App_C_Flags) -c $< -o $@
++ $(CC) $(App_C_Flags) -c $< -o $@
+ @echo "CC <= $<"
+
+ App/%.o: App/%.cpp
+diff --git a/tools/SGXPlatformRegistration/package/Makefile b/tools/SGXPlatformRegistration/package/Makefile
+index 0c3aec1..adc00f5 100755
+--- a/tools/SGXPlatformRegistration/package/Makefile
++++ b/tools/SGXPlatformRegistration/package/Makefile
+@@ -73,7 +73,7 @@ else
+ CXXFLAGS += -DMP_VERIFY_INTERNAL_DATA_STRUCT_WRITE=0 -DMP_VERIFY_INTERNAL_DATA_STRUCT_READ=0 $(COMMON_FLAGS)
+ endif
+
+-LDFLAGS := $(COMMON_LDFLAGS)
++LDFLAGS += $(COMMON_LDFLAGS)
+
+ all: $(MPA_REGISTRATION_EXEC)
+
+diff --git a/tools/SGXPlatformRegistration/tool/Makefile b/tools/SGXPlatformRegistration/tool/Makefile
+index 4937fe9..83aefee 100644
+--- a/tools/SGXPlatformRegistration/tool/Makefile
++++ b/tools/SGXPlatformRegistration/tool/Makefile
+@@ -69,7 +69,7 @@ CPP_SRCS += $(MPA_REGISTRATION_CORE_DIR)/src/AgentConfiguration.cpp $(MPA_REGIST
+ CPP_OBJS := $(CPP_SRCS:.cpp=.o)
+ CPP_DEPS := $(CPP_OBJS:%.o=%.d)
+
+-LDFLAGS := $(COMMON_LDFLAGS)
++LDFLAGS += $(COMMON_LDFLAGS)
+ ifeq ($(STANDALONE), 1)
+ LDFLAGS += '-Wl,-rpath,$$ORIGIN'
+ CXXFLAGS += '-DSTANDALONE'
+--
+2.48.1
+
diff --git a/0107-qgs-add-space-between-program-name-first-arg-in-usag.patch b/0107-qgs-add-space-between-program-name-first-arg-in-usag.patch
index ad4ce77..61db7f3 100644
--- a/0107-qgs-add-space-between-program-name-first-arg-in-usag.patch
+++ b/0107-qgs-add-space-between-program-name-first-arg-in-usag.patch
@@ -1,7 +1,7 @@
-From 17fa2fd409f228623f4b86f5997e74cb43f3bd2f Mon Sep 17 00:00:00 2001
+From a74ede38e306ff82ddbaf094d6148dc1bf9e524c Mon Sep 17 00:00:00 2001
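Review bot: In the quote_wrapper/quote/linux/Makefile hunk only the link line picks up the environment; `Quote_C_Flags` and `Quote_Cpp_Flags` (left untouched as context) still contain no `$(CFLAGS)`/`$(CXXFLAGS)`, so whatever hardening the distro injects at compile time reaches this library's link step but none of its objects, which is the one Makefile in the series that does not live up to the subject line. Following the `_Common_Flags` split this same patch applies to qcnl and ql would close the gap: `Quote_Common_Flags := $(COMMON_FLAGS) -g -fPIC -Wno-attributes $(Quote_Include_Paths)`, `Quote_C_Flags := $(CFLAGS) $(Quote_Common_Flags)`, `Quote_Cpp_Flags := $(CXXFLAGS) $(Quote_Common_Flags) -std=c++11 -DSGX_ENCLAVE_PATH="\"$(SGX_ENCLAVE_PATH)\""`. The same hunk also appends `$(LDFLAGS)` after the `-l` libraries in `Quote_Link_Flags`, while every other hunk in the patch places it before them; position-sensitive linker options such as `-Wl,--as-needed` behave differently depending on that, so moving it to the front keeps the ten Makefiles consistent. That this Makefile produces libsgx_qe3_logic is inferred from the `-lsgx_qe3_logic` reference in the ql hunk and from patch 0111's title, not from these lines.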
From: =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?= Date: Thu, 3 Oct 2024 14:42:29 +0100 -Subject: [PATCH 107/112] qgs: add space between program name & first arg in +Subject: [PATCH 107/116] qgs: add space between program name & first arg in usage MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 @@ -35,5 +35,5 @@ index 478dbfe..3618b5a 100644 exit(1); } -- -2.46.0 +2.48.1 diff --git a/0108-qgs-protect-against-format-strings-in-QL-log-message.patch b/0108-qgs-protect-against-format-strings-in-QL-log-message.patch index f03a4d3..d75bdee 100644 --- a/0108-qgs-protect-against-format-strings-in-QL-log-message.patch +++ b/0108-qgs-protect-against-format-strings-in-QL-log-message.patch @@ -1,7 +1,7 @@ -From 3f9b4a9fbce0e29f33680fffa881f67ab31d4bb3 Mon Sep 17 00:00:00 2001 +From 1e760dc7a67d601121b625e0d2bd7b2fe8b7b042 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?= Date: Fri, 4 Oct 2024 09:43:17 +0100 -Subject: [PATCH 108/112] qgs: protect against format strings in QL log +Subject: [PATCH 108/116] qgs: protect against format strings in QL log messages MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 @@ -35,5 +35,5 @@ index 77838c3..1e97b58 100644 } -- -2.46.0 +2.48.1 diff --git a/0109-qgs-add-debug-parameter-to-control-logging.patch b/0109-qgs-add-debug-parameter-to-control-logging.patch index 35cadad..9c512b7 100644 --- a/0109-qgs-add-debug-parameter-to-control-logging.patch +++ b/0109-qgs-add-debug-parameter-to-control-logging.patch @@ -1,7 +1,7 @@ -From b2a17ca9e38c8d81bcc1fedefd92c59721b2de75 Mon Sep 17 00:00:00 2001 +From ddd7a6a15ed433b1bd75c620f3c075609d5f3c94 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?= Date: Thu, 3 Oct 2024 16:57:35 +0100 -Subject: [PATCH 109/112] qgs: add --debug parameter to control logging +Subject: [PATCH 109/116] qgs: add --debug parameter to control logging MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit 
@@ -125,5 +125,5 @@ index 3618b5a..a65a985 100644 exit(1); } -- -2.46.0 +2.48.1 diff --git a/0110-pccsadmin-remove-leftover-debugging-print-args-state.patch b/0110-pccsadmin-remove-leftover-debugging-print-args-state.patch index 0b4b3a7..aa25999 100644 --- a/0110-pccsadmin-remove-leftover-debugging-print-args-state.patch +++ b/0110-pccsadmin-remove-leftover-debugging-print-args-state.patch @@ -1,7 +1,7 @@ -From 497df1056cdc0571a73aa3dc5410a020d1cc6a3e Mon Sep 17 00:00:00 2001 +From d4fa45636b1a58cf832fd7b955ef1b3f2368d526 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?= Date: Tue, 8 Oct 2024 10:13:02 +0100 -Subject: [PATCH 110/112] pccsadmin: remove leftover debugging 'print(args)' +Subject: [PATCH 110/116] pccsadmin: remove leftover debugging 'print(args)' statement MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 @@ -29,5 +29,5 @@ index ffee326..8e447c5 100755 if args.command == 'put' and args.url and args.url.endswith("/appraisalpolicy"): if not args.fmspc or not args.input_file: -- -2.46.0 +2.48.1 diff --git a/0111-Fix-soname-version-for-libsgx_qe3_logic.so-library.patch b/0111-Fix-soname-version-for-libsgx_qe3_logic.so-library.patch index 1fb85d4..f63acb0 100644 --- a/0111-Fix-soname-version-for-libsgx_qe3_logic.so-library.patch +++ b/0111-Fix-soname-version-for-libsgx_qe3_logic.so-library.patch @@ -1,7 +1,7 @@ -From 0600caaa2b2f0ce8c6a4667d5d09ffeadcd760d4 Mon Sep 17 00:00:00 2001 +From d9b93bb6836027b94ba93980002d7f2f7cc81415 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?= Date: Fri, 17 Jan 2025 15:39:39 +0000 -Subject: [PATCH 111/112] Fix soname version for libsgx_qe3_logic.so library +Subject: [PATCH 111/116] Fix soname version for libsgx_qe3_logic.so library MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit @@ -29,7 +29,7 @@ index 471784d..22e0dff 100644 #define QE3_VERSION "1.19.100.1" #define QVE_VERSION "1.21.100.1" 
diff --git a/QuoteGeneration/quote_wrapper/quote/linux/Makefile b/QuoteGeneration/quote_wrapper/quote/linux/Makefile -index 7d0b398..1361c4b 100644 +index 9b8c936..c92d782 100644 --- a/QuoteGeneration/quote_wrapper/quote/linux/Makefile +++ b/QuoteGeneration/quote_wrapper/quote/linux/Makefile @@ -65,6 +65,8 @@ Quote_C_Objects := $(Quote_C_Files:.c=.o) @@ -51,5 +51,5 @@ index 7d0b398..1361c4b 100644 $(BUILD_DIR): -- -2.46.0 +2.48.1 diff --git a/0112-Workaround-broken-GCC-15.patch b/0112-Workaround-broken-GCC-15.patch index 338f167..a1a5bfb 100644 --- a/0112-Workaround-broken-GCC-15.patch +++ b/0112-Workaround-broken-GCC-15.patch @@ -1,7 +1,7 @@ -From 546ac41ec1ffe16aac36af0ce4b8572636cc667e Mon Sep 17 00:00:00 2001 +From a3858a707f3f37722d5b851f89cfd61bd9361343 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?= Date: Thu, 6 Feb 2025 20:08:59 +0000 -Subject: [PATCH 112/112] Workaround broken GCC 15 +Subject: [PATCH 112/116] Workaround broken GCC 15 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit @@ -36,5 +36,5 @@ index 15fbdd4..4400544 100644 private: struct alignas(A)_T_instantiator_ -- -2.46.0 +2.48.1 diff --git a/0113-Don-t-disable-cf-protection-for-qgs.patch b/0113-Don-t-disable-cf-protection-for-qgs.patch new file mode 100644 index 0000000..2da50f1 --- /dev/null +++ b/0113-Don-t-disable-cf-protection-for-qgs.patch 
@@ -0,0 +1,31 @@
+From 9a9cee8d5535320ab7f52388d8cd832c50bd100e Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?=
+Date: Wed, 2 Apr 2025 18:39:31 +0100
+Subject: [PATCH 113/116] Don't disable cf-protection for qgs
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Signed-off-by: Daniel P. Berrangé
+---
+ QuoteGeneration/quote_wrapper/qgs/Makefile | 4 ----
+ 1 file changed, 4 deletions(-)
+
+diff --git a/QuoteGeneration/quote_wrapper/qgs/Makefile b/QuoteGeneration/quote_wrapper/qgs/Makefile
+index 8228bdf..5116d85 100644
+--- a/QuoteGeneration/quote_wrapper/qgs/Makefile
++++ b/QuoteGeneration/quote_wrapper/qgs/Makefile
+@@ -43,10 +43,6 @@ QGS_INC = -I$(SGX_SDK)/include \
+ -I$(TOP_DIR)/quote_wrapper/qgs_msg_lib/inc
+ QGS_CFLAGS = -g -MMD $(CFLAGS) $(QGS_INC)
+ QGS_CXXFLAGS = -g -MMD $(CXXFLAGS) $(QGS_INC)
+-ifeq ($(CC_NO_LESS_THAN_8), 1)
+- QGS_CFLAGS += -fcf-protection=none
+- QGS_CXXFLAGS += -fcf-protection=none
+-endif
+
+ DEPENDS = ${QGS_OBJS test_client.o:.o=.d}
+
+--
+2.48.1
+
diff --git a/0114-Delete-broken-checks-for-GCC-version-that-break-fsta.patch b/0114-Delete-broken-checks-for-GCC-version-that-break-fsta.patch
new file mode 100644
index 0000000..7e21e61
--- /dev/null
+++ b/0114-Delete-broken-checks-for-GCC-version-that-break-fsta.patch
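Review bot: The commit body is empty, so the reason upstream forced `-fcf-protection=none` onto qgs for GCC >= 8, and why it is safe to drop now, is recorded nowhere; a line such as `The distro CFLAGS/CXXFLAGS already select -fcf-protection; this local override was silently stripping CET markers from the whole qgs binary.` would keep the next rebase from reinstating it. Whether qgs actually ends up CET-enabled after this change depends on `$(CFLAGS)`/`$(CXXFLAGS)` carrying the flag and on every linked input having been built the same way, since GNU ld only keeps the IBT/SHSTK property bits that all inputs share; the SDK's libsgx_urts and the libsgx_tdx_logic/libsgx_pce_logic libraries named in `QGS_LFLAGS` by patch 0106 are the ones to check, and a `readelf -n` on the built qgs in the spec's %check would make that explicit rather than assumed. The `CC_NO_LESS_THAN_8` variable that guarded the removed block is presumably derived from the same `expr` string comparison that patch 0114 describes as broken for GCC >= 10, which would explain the override applying inconsistently across compiler versions; that is inferred, its definition is not in this hunk.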
@@ -0,0 +1,205 @@
+From c765d43c957cb18c7614883b3a4043fed22b8e92 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?=
+Date: Thu, 3 Apr 2025 17:44:48 +0100
+Subject: [PATCH 114/116] Delete broken checks for GCC version that break
+ -fstack-protector-strong
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+The expr comparison is performing a string comparison and is thus
+broken for any GCC version >= 10, preventing use of -fstack-protector-strong
+
+Signed-off-by: Daniel P. Berrangé
+---
+ QuoteGeneration/buildenv.mk | 7 +------
+ QuoteGeneration/quote_wrapper/qgs_msg_lib/linux/Makefile | 2 +-
+ QuoteGeneration/quote_wrapper/tdx_attest/linux/Makefile | 4 ++--
+ QuoteVerification/QvE/Makefile | 7 +------
+ QuoteVerification/dcap_tvl/Makefile | 7 +------
+ QuoteVerification/dcap_tvl/Makefile.standalone | 7 +------
+ SampleCode/QuoteAppraisalSample/QAEAppraisal/Makefile | 8 +-------
+ SampleCode/QuoteGenerationSample/Makefile | 6 +-----
+ SampleCode/QuoteVerificationSample/Makefile | 8 +-------
+ tools/PCKRetrievalTool/Makefile | 7 +------
+ 10 files changed, 11 insertions(+), 52 deletions(-)
+
+diff --git a/QuoteGeneration/buildenv.mk b/QuoteGeneration/buildenv.mk
+index 0b677db..3fba935 100644
+--- a/QuoteGeneration/buildenv.mk
++++ b/QuoteGeneration/buildenv.mk
+@@ -128,12 +128,7 @@ ifeq ($(CC_NO_LESS_THAN_8), 1)
+ endif
+
+ # turn on stack protector for SDK
+-CC_BELOW_4_9 := $(shell expr "`$(CC) -dumpversion`" \< "4.9")
+-ifeq ($(CC_BELOW_4_9), 1)
+- COMMON_FLAGS += -fstack-protector
+-else
+- COMMON_FLAGS += -fstack-protector-strong
+-endif
++COMMON_FLAGS += -fstack-protector-strong
+
+ ifdef DEBUG
+ COMMON_FLAGS += -O0 -ggdb -DDEBUG -UNDEBUG
+diff --git a/QuoteGeneration/quote_wrapper/qgs_msg_lib/linux/Makefile b/QuoteGeneration/quote_wrapper/qgs_msg_lib/linux/Makefile
+index dff0af2..9ece3cc 100644
+--- a/QuoteGeneration/quote_wrapper/qgs_msg_lib/linux/Makefile
++++ b/QuoteGeneration/quote_wrapper/qgs_msg_lib/linux/Makefile
+@@ -33,7 +33,7 @@
+ TOP_DIR = ../../..
+ SDK_NOT_REQUIRED = 1
+ ifeq ($(wildcard $(TOP_DIR)/buildenv.mk),)
+- CXXFLAGS ?= -Wnon-virtual-dtor -std=c++14 -fstack-protector -O2 -D_FORTIFY_SOURCE=2 -UDEBUG -DNDEBUG \
++ CXXFLAGS ?= -Wnon-virtual-dtor -std=c++14 -fstack-protector-strong -O2 -D_FORTIFY_SOURCE=2 -UDEBUG -DNDEBUG \
+ -ffunction-sections -fdata-sections -Wall -Wextra -Winit-self -Wpointer-arith -Wreturn-type -Waddress \
+ -Wsequence-point -Wformat-security -Wmissing-include-dirs -Wfloat-equal -Wundef -Wshadow -Wcast-align \
+ -Wconversion -Wredundant-decls -DITT_ARCH_IA64 -fcf-protection
+diff --git a/QuoteGeneration/quote_wrapper/tdx_attest/linux/Makefile b/QuoteGeneration/quote_wrapper/tdx_attest/linux/Makefile
+index f0a5e36..20f3022 100644
+--- a/QuoteGeneration/quote_wrapper/tdx_attest/linux/Makefile
++++ b/QuoteGeneration/quote_wrapper/tdx_attest/linux/Makefile
+@@ -33,11 +33,11 @@
+ TOP_DIR = ../../..
+ SDK_NOT_REQUIRED = 1
+ ifeq ($(wildcard $(TOP_DIR)/buildenv.mk),)
+- CFLAGS ?= -Wjump-misses-init -Wstrict-prototypes -Wunsuffixed-float-constants -fstack-protector -O2 \
++ CFLAGS ?= -Wjump-misses-init -Wstrict-prototypes -Wunsuffixed-float-constants -fstack-protector-strong -O2 \
+ -D_FORTIFY_SOURCE=2 -UDEBUG -DNDEBUG -ffunction-sections -fdata-sections -Wall -Wextra -Winit-self \
+ -Wpointer-arith -Wreturn-type -Waddress -Wsequence-point -Wformat-security -Wmissing-include-dirs \
+ -Wfloat-equal -Wundef -Wshadow -Wcast-align -Wconversion -Wredundant-decls -DITT_ARCH_IA64 -fcf-protection
+- CXXFLAGS ?= -Wnon-virtual-dtor -std=c++14 -fstack-protector -O2 -D_FORTIFY_SOURCE=2 -UDEBUG -DNDEBUG \
++ CXXFLAGS ?= -Wnon-virtual-dtor -std=c++14 -fstack-protector-strong -O2 -D_FORTIFY_SOURCE=2 -UDEBUG -DNDEBUG \
+ -ffunction-sections -fdata-sections -Wall -Wextra -Winit-self -Wpointer-arith -Wreturn-type -Waddress \
+ -Wsequence-point -Wformat-security -Wmissing-include-dirs -Wfloat-equal -Wundef -Wshadow -Wcast-align \
+ -Wconversion -Wredundant-decls -DITT_ARCH_IA64 -fcf-protection
+diff --git a/QuoteVerification/QvE/Makefile b/QuoteVerification/QvE/Makefile
+index 6532e8f..e5045dd 100644
+--- a/QuoteVerification/QvE/Makefile
++++ b/QuoteVerification/QvE/Makefile
+@@ -101,12 +101,7 @@ endif
+ ifneq ($(DEBUG), 1)
+ ENCLAVE_CFLAGS += -ffunction-sections -fdata-sections
+ endif
+-CC_BELOW_4_9 := $(shell expr "`$(CC) -dumpversion`" \< "4.9")
+-ifeq ($(CC_BELOW_4_9), 1)
+- ENCLAVE_CFLAGS += -fstack-protector
+-else
+- ENCLAVE_CFLAGS += -fstack-protector-strong
+-endif
++ENCLAVE_CFLAGS += -fstack-protector-strong
+
+ ENCLAVE_CXXFLAGS += $(ENCLAVE_CFLAGS) -std=c++17 -DSGX_TRUSTED -DSGX_JWT -DPICOJSON_USE_LOCALE=0
+
+diff --git a/QuoteVerification/dcap_tvl/Makefile b/QuoteVerification/dcap_tvl/Makefile
+index 2d62f28..49b4b68 100644
+--- a/QuoteVerification/dcap_tvl/Makefile
++++ b/QuoteVerification/dcap_tvl/Makefile
+@@ -56,12 +56,7 @@ endif
+ ifneq ($(DEBUG), 1)
+ COMMON_FLAGS += -ffunction-sections -fdata-sections
+ endif
+-CC_BELOW_4_9 := $(shell expr "`$(CC) -dumpversion`" \< "4.9")
+-ifeq ($(CC_BELOW_4_9), 1)
+- COMMON_FLAGS += -fstack-protector
+-else
+- COMMON_FLAGS += -fstack-protector-strong
+-endif
++COMMON_FLAGS += -fstack-protector-strong
+
+ ENCLAVE_CXXFLAGS += $(SGX_COMMON_CXXFLAGS) $(COMMON_FLAGS) -fPIC -std=c++11
+
+diff --git a/QuoteVerification/dcap_tvl/Makefile.standalone b/QuoteVerification/dcap_tvl/Makefile.standalone
+index 8a1cb73..713d8af 100644
+--- a/QuoteVerification/dcap_tvl/Makefile.standalone
++++ b/QuoteVerification/dcap_tvl/Makefile.standalone
+@@ -45,12 +45,7 @@ COMMON_LDFLAGS := -Wl,-z,relro,-z,now,-z,noexecstack
+ ifneq ($(DEBUG), 1)
+ COMMON_FLAGS += -ffunction-sections -fdata-sections
+ endif
+-CC_BELOW_4_9 := $(shell expr "`$(CC) -dumpversion`" \< "4.9")
+-ifeq ($(CC_BELOW_4_9), 1)
+- COMMON_FLAGS += -fstack-protector
+-else
+- COMMON_FLAGS += -fstack-protector-strong
+-endif
++COMMON_FLAGS += -fstack-protector-strong
+
+ ENCLAVE_CFLAGS = -ffreestanding -nostdinc -fvisibility=hidden -fpie -fno-strict-overflow -fno-delete-null-pointer-checks
+ ENCLAVE_CXXFLAGS = $(ENCLAVE_CFLAGS) -nostdinc++
+diff --git a/SampleCode/QuoteAppraisalSample/QAEAppraisal/Makefile b/SampleCode/QuoteAppraisalSample/QAEAppraisal/Makefile
+index 662ac3e..868d72d 100644
+--- a/SampleCode/QuoteAppraisalSample/QAEAppraisal/Makefile
++++ b/SampleCode/QuoteAppraisalSample/QAEAppraisal/Makefile
+@@ -87,13 +87,7 @@ Crypto_Library_Name := sgx_tcrypto
+ Enclave_Cpp_Files := Enclave/Enclave.cpp
+ Enclave_Include_Paths := -I$(SGX_SDK)/include -I$(SGX_SDK)/include/tlibc
+
+-Enclave_C_Flags := $(Enclave_Include_Paths) -nostdinc -fvisibility=hidden -fpie -ffunction-sections -fdata-sections $(MITIGATION_CFLAGS)
+-CC_BELOW_4_9 := $(shell expr "`$(CC) -dumpversion`" \< "4.9")
+-ifeq ($(CC_BELOW_4_9), 1)
+- Enclave_C_Flags += -fstack-protector
+-else
+- Enclave_C_Flags += -fstack-protector-strong
+-endif
++Enclave_C_Flags := $(Enclave_Include_Paths) -nostdinc -fvisibility=hidden -fpie -ffunction-sections -fdata-sections $(MITIGATION_CFLAGS) -fstack-protector-strong
+
+ Enclave_Cpp_Flags := $(Enclave_C_Flags) -std=c++11 -nostdinc++
+
+diff --git a/SampleCode/QuoteGenerationSample/Makefile b/SampleCode/QuoteGenerationSample/Makefile
+index 4fdbb36..fd5b4e2 100644
+--- a/SampleCode/QuoteGenerationSample/Makefile
++++ b/SampleCode/QuoteGenerationSample/Makefile
+@@ -104,11 +104,7 @@ Enclave_Cpp_Files := Enclave/Enclave.cpp
+ Enclave_Include_Paths := -I$(SGX_SDK)/include -I$(SGX_SDK)/include/tlibc -I$(SGX_SDK)/include/libcxx
+
+ CC_BELOW_4_9 := $(shell expr "`$(CC) -dumpversion`" \< "4.9")
+-ifeq ($(CC_BELOW_4_9), 1)
+- Enclave_C_Flags := $(SGX_COMMON_CFLAGS) -nostdinc -fvisibility=hidden -fpie -ffunction-sections -fdata-sections -fstack-protector
+-else
+- Enclave_C_Flags := $(SGX_COMMON_CFLAGS) -nostdinc -fvisibility=hidden -fpie -ffunction-sections -fdata-sections -fstack-protector-strong
+-endif
++Enclave_C_Flags := $(SGX_COMMON_CFLAGS) -nostdinc -fvisibility=hidden -fpie -ffunction-sections -fdata-sections
+ Enclave_C_Flags += $(Enclave_Include_Paths)
+ Enclave_Cpp_Flags := $(Enclave_C_Flags) -std=c++11 -nostdinc++
+
+diff --git a/SampleCode/QuoteVerificationSample/Makefile b/SampleCode/QuoteVerificationSample/Makefile
+index d534615..6164587 100644
+--- a/SampleCode/QuoteVerificationSample/Makefile
++++ b/SampleCode/QuoteVerificationSample/Makefile
+@@ -130,13 +130,7 @@ DCAP_DIR ?= ../../
+ Enclave_Cpp_Files := Enclave/Enclave.cpp
+ Enclave_Include_Paths := -IEnclave -I$(SGX_SDK)/include -I$(SGX_SDK)/include/tlibc -I$(SGX_SDK)/include/libcxx
+
+-Enclave_C_Flags := $(Enclave_Include_Paths) -nostdinc -fvisibility=hidden -fpie -ffunction-sections -fdata-sections
+-CC_BELOW_4_9 := $(shell expr "`$(CC) -dumpversion`" \< "4.9")
+-ifeq ($(CC_BELOW_4_9), 1)
+- Enclave_C_Flags += -fstack-protector
+-else
+- Enclave_C_Flags += -fstack-protector-strong
+-endif
++Enclave_C_Flags := $(Enclave_Include_Paths) -nostdinc -fvisibility=hidden -fpie -ffunction-sections -fdata-sections -fstack-protector-strong
+
+ Enclave_Cpp_Flags := $(Enclave_C_Flags) -nostdinc++
+
+diff --git a/tools/PCKRetrievalTool/Makefile b/tools/PCKRetrievalTool/Makefile
+index b6968c6..1d2106b 100644
+--- a/tools/PCKRetrievalTool/Makefile
++++ b/tools/PCKRetrievalTool/Makefile
+@@ -59,12 +59,7 @@ else
+ endif
+
+ # turn on stack protector for SDK
+-CC_BELOW_4_9 := $(shell expr "`$(CC) -dumpversion`" \< "4.9")
+-ifeq ($(CC_BELOW_4_9), 1)
+- COMMON_FLAGS += -fstack-protector
+-else
+- COMMON_FLAGS += -fstack-protector-strong
+-endif
++COMMON_FLAGS += -fstack-protector-strong
+
+ ifdef DEBUG
+ COMMON_FLAGS += -O0 -ggdb -DDEBUG -UNDEBUG
+--
+2.48.1
+
diff --git a/0115-Use-distro-provided-rapidjson-package.patch b/0115-Use-distro-provided-rapidjson-package.patch
new file mode 100644
index 0000000..61c8b8a
--- /dev/null
+++ b/0115-Use-distro-provided-rapidjson-package.patch
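Review bot: The SampleCode/QuoteGenerationSample/Makefile hunk removes the stack protector instead of settling on the strong variant: its new `Enclave_C_Flags := $(SGX_COMMON_CFLAGS) -nostdinc -fvisibility=hidden -fpie -ffunction-sections -fdata-sections` ends with no `-fstack-protector*` at all, whereas every other file in this patch keeps `-fstack-protector-strong`. Unless `SGX_COMMON_CFLAGS` happens to supply it (not visible here), this sample enclave is now built with less stack protection than before the patch, the opposite of what the subject promises. Append `-fstack-protector-strong` to that line, and drop the `CC_BELOW_4_9 := $(shell expr ...)` assignment that survives as context just above the removed `ifeq`, since its only consumer is gone and it still spawns `$(CC) -dumpversion` on every make invocation.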
@@ -0,0 +1,174 @@ +From 9588a9e5e730e31773437d96fdb1b4e8c1dfc55f Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?= +Date: Mon, 26 Feb 2024 12:19:51 +0000 +Subject: [PATCH 115/116] Use distro provided rapidjson package +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Signed-off-by: Daniel P. Berrangé +--- + QuoteGeneration/qcnl/certification_provider.cpp | 2 +- + QuoteGeneration/qcnl/inc/pccs_response_object.h | 4 ++-- + QuoteGeneration/qcnl/inc/qcnl_config.h | 2 +- + QuoteGeneration/qcnl/linux/Makefile | 2 +- + QuoteGeneration/qcnl/linux/qcnl_config_impl.cpp | 2 +- + QuoteGeneration/qcnl/qcnl_config.cpp | 6 +++--- + QuoteVerification/buildenv.mk | 4 ++-- + tools/PCKCertSelection/PCKCertSelectionLib/Makefile | 4 ++-- + .../PCKCertSelectionLib/Makefile.static_lib | 4 ++-- + 9 files changed, 15 insertions(+), 15 deletions(-) + +diff --git a/QuoteGeneration/qcnl/certification_provider.cpp b/QuoteGeneration/qcnl/certification_provider.cpp +index a08ea7e..41e5b9d 100644 +--- a/QuoteGeneration/qcnl/certification_provider.cpp ++++ b/QuoteGeneration/qcnl/certification_provider.cpp +@@ -36,7 +36,7 @@ + */ + #include "certification_provider.h" + #include "certification_service.h" +-#include "document.h" ++#include + #include "local_cache.h" + #include "pck_cert_selection.h" + #include "qcnl_util.h" +diff --git a/QuoteGeneration/qcnl/inc/pccs_response_object.h b/QuoteGeneration/qcnl/inc/pccs_response_object.h +index f1f545f..2153b6f 100644 +--- a/QuoteGeneration/qcnl/inc/pccs_response_object.h ++++ b/QuoteGeneration/qcnl/inc/pccs_response_object.h +@@ -37,7 +37,7 @@ + #define PCCSRESPONSEOBJECT_H_ + #pragma once + +-#include "document.h" ++#include + #include "qcnl_def.h" + #include + #include +@@ -148,4 +148,4 @@ public: + } + }; + +-#endif +\ No newline at end of file ++#endif +diff --git a/QuoteGeneration/qcnl/inc/qcnl_config.h b/QuoteGeneration/qcnl/inc/qcnl_config.h +index ff3c744..71b9a99 100644 +--- 
a/QuoteGeneration/qcnl/inc/qcnl_config.h ++++ b/QuoteGeneration/qcnl/inc/qcnl_config.h +@@ -38,7 +38,7 @@ + #pragma once + + #include "sgx_default_qcnl_wrapper.h" +-#include "document.h" ++#include + #include + #include + +diff --git a/QuoteGeneration/qcnl/linux/Makefile b/QuoteGeneration/qcnl/linux/Makefile +index 531f40b..5c56951 100644 +--- a/QuoteGeneration/qcnl/linux/Makefile ++++ b/QuoteGeneration/qcnl/linux/Makefile +@@ -43,7 +43,7 @@ CNL_Lib_Include_Paths := -I../../quote_wrapper/common/inc \ + -I../inc -I$(SGX_SDK)/include \ + -I../../common/inc/internal \ + -I../../pce_wrapper/inc \ +- -I../../../QuoteVerification/QVL/Src/ThirdParty/rapidjson/include/rapidjson \ ++ $(pkg-config --cflags RapidJSON) \ + -I../../../tools/PCKCertSelection/include + + CNL_Lib_Common_Flags := $(COMMON_FLAGS) -g -fPIC -Wno-attributes $(CNL_Lib_Include_Paths) $(pkg-config --cflags libcrypto) +diff --git a/QuoteGeneration/qcnl/linux/qcnl_config_impl.cpp b/QuoteGeneration/qcnl/linux/qcnl_config_impl.cpp +index 7b74eae..5f20a1e 100644 +--- a/QuoteGeneration/qcnl/linux/qcnl_config_impl.cpp ++++ b/QuoteGeneration/qcnl/linux/qcnl_config_impl.cpp +@@ -35,7 +35,7 @@ + * + */ + +-#include "istreamwrapper.h" ++#include + #include "qcnl_config.h" + #include + #include +diff --git a/QuoteGeneration/qcnl/qcnl_config.cpp b/QuoteGeneration/qcnl/qcnl_config.cpp +index 42388a0..9be8fee 100644 +--- a/QuoteGeneration/qcnl/qcnl_config.cpp ++++ b/QuoteGeneration/qcnl/qcnl_config.cpp +@@ -36,10 +36,10 @@ + */ + + #include "qcnl_config.h" +-#include "error/en.h" +-#include "error/error.h" ++#include ++#include + #include +-#include ++#include + #include + #include + +diff --git a/QuoteVerification/buildenv.mk b/QuoteVerification/buildenv.mk +index 982c7d5..854b70a 100644 +--- a/QuoteVerification/buildenv.mk ++++ b/QuoteVerification/buildenv.mk +@@ -72,9 +72,9 @@ else + COMMON_INCLUDE := -I$(SGX_SDK)/include -I$(SGX_SDK)/include/tlibc -I$(SGX_SDK)/include/libcxx -I$(SGXSSL_PACKAGE_PATH)/include + endif 
+ +-QVL_LIB_INC := -I$(QVL_COMMON_PATH)/include -I$(QVL_COMMON_PATH)/include/Utils -I$(QVL_LIB_PATH)/include -I$(QVL_LIB_PATH)/src -I$(QVL_PARSER_PATH)/include -I$(QVL_SRC_PATH)/ThirdParty/rapidjson/include -I$(DCAP_EXTERNAL_DIR)/jwt-cpp/include ++QVL_LIB_INC := -I$(QVL_COMMON_PATH)/include -I$(QVL_COMMON_PATH)/include/Utils -I$(QVL_LIB_PATH)/include -I$(QVL_LIB_PATH)/src -I$(QVL_PARSER_PATH)/include $(pkg-config --cflags RapidJSON) -I$(DCAP_EXTERNAL_DIR)/jwt-cpp/include + +-QVL_PARSER_INC := -I$(QVL_COMMON_PATH)/include -I$(QVL_COMMON_PATH)/include/Utils -I$(QVL_SRC_PATH) -I$(QVL_PARSER_PATH)/include -I$(QVL_PARSER_PATH)/src -I$(QVL_LIB_PATH)/include -I$(QVL_SRC_PATH)/ThirdParty/rapidjson/include ++QVL_PARSER_INC := -I$(QVL_COMMON_PATH)/include -I$(QVL_COMMON_PATH)/include/Utils -I$(QVL_SRC_PATH) -I$(QVL_PARSER_PATH)/include -I$(QVL_PARSER_PATH)/src -I$(QVL_LIB_PATH)/include $(pkg-config --cflags RapidJSON) + + QVL_LIB_FILES := $(sort $(wildcard $(QVL_LIB_PATH)/src/*.cpp) $(wildcard $(QVL_LIB_PATH)/src/*/*.cpp) $(wildcard $(QVL_LIB_PATH)/src/*/*/*.cpp) $(wildcard $(QVL_COMMON_PATH)/src/Utils/*.cpp)) + QVL_PARSER_FILES := $(sort $(wildcard $(QVL_PARSER_PATH)/src/*.cpp) $(wildcard $(QVL_PARSER_PATH)/src/*/*.cpp)) +diff --git a/tools/PCKCertSelection/PCKCertSelectionLib/Makefile b/tools/PCKCertSelection/PCKCertSelectionLib/Makefile +index c106ab4..117f88f 100644 +--- a/tools/PCKCertSelection/PCKCertSelectionLib/Makefile ++++ b/tools/PCKCertSelection/PCKCertSelectionLib/Makefile +@@ -66,7 +66,7 @@ endif + OPENSSL_INC := $(pkg-config --cflags libcrypto) + + # JSON parser include dir +-JSON_INC := $(QVL_DIR)/ThirdParty/rapidjson/include ++JSON_INC := $(pkg-config --cflags RapidJSON) + + # QVL Attestation Parsers include directory + PARSERS_INC := $(QVL_DIR)/AttestationParsers/include +@@ -113,7 +113,7 @@ LIB_CPP_OBJECTS := \ + $(UTILS_CPP_FILES:.cpp=.o) + + # include paths, local, parser and openssl +-LIB_INCLUDE_PATHS := -I. 
-I$(PROJ_ROOT_DIR)/include $(OPENSSL_INC) -I$(JSON_INC) -I$(PARSERS_INC) -I$(PARSERS_COMM_INC) -I$(PARSERS_DIR) -I$(VER_DIR) -I$(PARSERS_UTIL_INC) ++LIB_INCLUDE_PATHS := -I. -I$(PROJ_ROOT_DIR)/include $(OPENSSL_INC) $(JSON_INC) -I$(PARSERS_INC) -I$(PARSERS_COMM_INC) -I$(PARSERS_DIR) -I$(VER_DIR) -I$(PARSERS_UTIL_INC) + + # the library shared object name + LIB_NAME := libPCKCertSelection.so +diff --git a/tools/PCKCertSelection/PCKCertSelectionLib/Makefile.static_lib b/tools/PCKCertSelection/PCKCertSelectionLib/Makefile.static_lib +index c8e1d01..6f1440a 100644 +--- a/tools/PCKCertSelection/PCKCertSelectionLib/Makefile.static_lib ++++ b/tools/PCKCertSelection/PCKCertSelectionLib/Makefile.static_lib +@@ -69,7 +69,7 @@ OPENSSL_INC := $(PROJ_ROOT_DIR)/../../prebuilt/openssl/inc + OPENSSL_LIB := $(PROJ_ROOT_DIR)/../../prebuilt/openssl/lib/linux64 + + # JSON parser include dir +-JSON_INC := $(QVL_DIR)/ThirdParty/rapidjson/include ++JSON_INC := $(pkg-config --cflags RapidJSON) + + # QVL Attestation Parsers include directory + PARSERS_INC := $(QVL_DIR)/AttestationParsers/include +@@ -118,7 +118,7 @@ LIB_CPP_OBJECTS := \ + LIB_CPP_OBJECTS := $(addprefix $(BIN_DIR)/, $(LIB_CPP_OBJECTS)) + + # include paths, local, parser and openssl +-LIB_INCLUDE_PATHS := -I. -I$(PROJ_ROOT_DIR)/include $(pkg-config --cflags libcrypto) -I$(JSON_INC) -I$(PARSERS_INC) -I$(PARSERS_COMM_INC) -I$(PARSERS_DIR) -I$(VER_DIR) -I$(PARSERS_UTIL_INC) ++LIB_INCLUDE_PATHS := -I. -I$(PROJ_ROOT_DIR)/include $(pkg-config --cflags libcrypto) $(JSON_INC) -I$(PARSERS_INC) -I$(PARSERS_COMM_INC) -I$(PARSERS_DIR) -I$(VER_DIR) -I$(PARSERS_UTIL_INC) + + # the library shared object name + LIB_NAME := libPCKCertSelection.a +-- +2.48.1 + diff --git a/0116-Don-t-stomp-on-VERBOSE-variable.patch b/0116-Don-t-stomp-on-VERBOSE-variable.patch new file mode 100644 index 0000000..57c135e --- /dev/null +++ b/0116-Don-t-stomp-on-VERBOSE-variable.patch 
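Review bot: `JSON_INC := $(pkg-config --cflags RapidJSON)` here, and the same form substituted into qcnl/linux/Makefile and QuoteVerification/buildenv.mk, are make variable references rather than shell commands, so unless something defines a variable literally named `pkg-config --cflags RapidJSON` they expand to nothing and the build only finds the headers because the distro installs them on the default include path; the intended form is `$(shell pkg-config --cflags RapidJSON)`. The context line `$(pkg-config --cflags libcrypto)` shows the pattern predates this patch, so the fix may belong in the earlier patch of the series that introduced it. Note also that the spec later in this diff lists this file as `#Patch0115` (commented out), so as posted the patch is carried in the repository but never applied; a one-line comment next to that entry saying why would save the next reader from re-discovering it.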
@@ -0,0 +1,101 @@ +From 35efa4bf39f88b0fe172b43e6c8ce81f4bb40dfc Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?= +Date: Wed, 16 Apr 2025 11:48:52 +0100 +Subject: [PATCH 116/116] Don't stomp on "VERBOSE" variable +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +The VERBOSE=1 variable is set to make various cmake builds run in +verbose mode. It must not be used for other purposes by the makefiles +otherwise the usage will clash. + +Signed-off-by: Daniel P. Berrangé +--- + driver/win/PLE/Makefile | 38 +++++++++++++++++++------------------- + 1 file changed, 19 insertions(+), 19 deletions(-) + +diff --git a/driver/win/PLE/Makefile b/driver/win/PLE/Makefile +index 3d474bb..0f593f5 100644 +--- a/driver/win/PLE/Makefile ++++ b/driver/win/PLE/Makefile +@@ -75,9 +75,9 @@ ifneq ($(PUBKEY_FILE),) + CSS_PUBKEY_FILE = $(shell realpath $(PUBKEY_FILE)) + endif + +-VERBOSE := @ ++CMD_VERBOSE := @ + ifeq ($(V),1) +- VERBOSE := ++ CMD_VERBOSE := + endif + + SGX_LE_SIGNING_KEY_PATH := sgx_signing_key.pem +@@ -89,47 +89,47 @@ PUBLIC_KEY_PATH := $(shell realpath $(SGX_LE_PUBLIC_KEY_PATH)) + SIGNING_MATERIAL := $(shell realpath $(SGX_LE_SIGNING_MATERIAL)) + + $(SIGNING_KEY_PATH): +- $(VERBOSE) openssl genrsa -3 -out $(SIGNING_KEY_PATH) 3072 ++ $(CMD_VERBOSE) openssl genrsa -3 -out $(SIGNING_KEY_PATH) 3072 + + $(PUBLIC_KEY_PATH): $(SIGNING_KEY_PATH) +- $(VERBOSE) openssl rsa -in $(SIGNING_KEY_PATH) -outform PEM -pubout -out $(PUBLIC_KEY_PATH) ++ $(CMD_VERBOSE) openssl rsa -in $(SIGNING_KEY_PATH) -outform PEM -pubout -out $(PUBLIC_KEY_PATH) + + SGX_LE_C_OBJS := $(addprefix $(TARGET)/,main.o string.o cmac.o) + SGX_LE_S_OBJS := $(addprefix $(TARGET)/,encl_bootstrap.o) + + $(TARGET): +- $(VERBOSE) mkdir $@ ++ $(CMD_VERBOSE) mkdir $@ + + $(SGX_LE_C_OBJS): $(TARGET)/%.o: %.c | $(TARGET) +- $(VERBOSE) $(CC) -c $(CFLAGS) $(INCLUDES) $< -o $@ ++ $(CMD_VERBOSE) $(CC) -c $(CFLAGS) $(INCLUDES) $< -o $@ + + $(SGX_LE_S_OBJS): 
$(TARGET)/%.o: %.S | $(TARGET) +- $(VERBOSE) $(CC) -c $(CFLAGS) $(INCLUDES) $< -o $@ ++ $(CMD_VERBOSE) $(CC) -c $(CFLAGS) $(INCLUDES) $< -o $@ + + $(TARGET)/sgx_le.elf: sgx_le.lds $(SGX_LE_C_OBJS) $(SGX_LE_S_OBJS) +- $(VERBOSE) $(LD) $(LDFLAGS) -T $^ -o $@ ++ $(CMD_VERBOSE) $(LD) $(LDFLAGS) -T $^ -o $@ + + $(TARGET)/sgx_le.bin: $(TARGET)/sgx_le.elf +- $(VERBOSE) objcopy --remove-section=.got.plt -O binary $< $@ ++ $(CMD_VERBOSE) objcopy --remove-section=.got.plt -O binary $< $@ + + $(TARGET)/sgxsign: sgxsign.c | $(TARGET) +- $(VERBOSE) $(CC) -Wall $(INCLUDES) -o $@ $< -lcrypto ++ $(CMD_VERBOSE) $(CC) -Wall $(INCLUDES) -o $@ $< -lcrypto + + $(TARGET)/bin2c: bin2c.c | $(TARGET) +- $(VERBOSE) $(CC) -Wall $(INCLUDES) -o $@ $< ++ $(CMD_VERBOSE) $(CC) -Wall $(INCLUDES) -o $@ $< + + sign: $(SIGNING_KEY_PATH) $(TARGET)/sgx_le.bin $(TARGET)/sgxsign $(TARGET)/bin2c +- $(VERBOSE) $(TARGET)/sgxsign sign $(SIGNING_KEY_PATH) $(TARGET)/sgx_le.bin $(TARGET)/sgx_le.ss $(SIGN_EXTRA) +- $(VERBOSE) $(TARGET)/bin2c $(TARGET)/sgx_le.bin $(TARGET)/sgx_le_blob.h sgx_le_blob +- $(VERBOSE) $(TARGET)/bin2c $(TARGET)/sgx_le.ss $(TARGET)/sgx_le_ss.h sgx_le_ss ++ $(CMD_VERBOSE) $(TARGET)/sgxsign sign $(SIGNING_KEY_PATH) $(TARGET)/sgx_le.bin $(TARGET)/sgx_le.ss $(SIGN_EXTRA) ++ $(CMD_VERBOSE) $(TARGET)/bin2c $(TARGET)/sgx_le.bin $(TARGET)/sgx_le_blob.h sgx_le_blob ++ $(CMD_VERBOSE) $(TARGET)/bin2c $(TARGET)/sgx_le.ss $(TARGET)/sgx_le_ss.h sgx_le_ss + + gendata: $(TARGET)/sgx_le.bin $(TARGET)/sgxsign +- $(VERBOSE) $(TARGET)/sgxsign gendata $(TARGET)/sgx_le.bin $(SIGNING_MATERIAL) $(SIGN_EXTRA) ++ $(CMD_VERBOSE) $(TARGET)/sgxsign gendata $(TARGET)/sgx_le.bin $(SIGNING_MATERIAL) $(SIGN_EXTRA) + + usesig: $(TARGET)/sgx_le.bin $(TARGET)/sgxsign $(TARGET)/bin2c +- $(VERBOSE) $(TARGET)/sgxsign usesig $(CSS_PUBKEY_FILE) $(TARGET)/sgx_le.bin $(CSS_SIG_FILE) $(TARGET)/sgx_le.ss $(SIGN_EXTRA) +- $(VERBOSE) $(TARGET)/bin2c $(TARGET)/sgx_le.bin $(TARGET)/sgx_le_blob.h sgx_le_blob +- $(VERBOSE) 
$(TARGET)/bin2c $(TARGET)/sgx_le.ss $(TARGET)/sgx_le_ss.h sgx_le_ss
++ $(CMD_VERBOSE) $(TARGET)/sgxsign usesig $(CSS_PUBKEY_FILE) $(TARGET)/sgx_le.bin $(CSS_SIG_FILE) $(TARGET)/sgx_le.ss $(SIGN_EXTRA)
++ $(CMD_VERBOSE) $(TARGET)/bin2c $(TARGET)/sgx_le.bin $(TARGET)/sgx_le_blob.h sgx_le_blob
++ $(CMD_VERBOSE) $(TARGET)/bin2c $(TARGET)/sgx_le.ss $(TARGET)/sgx_le_ss.h sgx_le_ss
+ 
+ clean:
+- $(VERBOSE) rm -vrf $(TARGET) $(SIGNING_MATERIAL)
++ $(CMD_VERBOSE) rm -vrf $(TARGET) $(SIGNING_MATERIAL)
+-- 
+2.48.1
+
diff --git a/linux-sgx.spec b/linux-sgx.spec
index 72f0799..a416d35 100644
--- a/linux-sgx.spec
+++ b/linux-sgx.spec
@@ -4,6 +4,15 @@
 # native code. Thus we cannot globally set the CFLAGS etc
 %undefine _auto_set_build_flags
 
+# When -flto is set, something (possibly cmake related)
+# causes the build of psw/ae/aesm_service to add -fpie
+# to the build flags. This conflicts with the need to
+# build everything with -fPIC, and causes linker failures
+#
+# /usr/bin/ld: /tmp/ccWKJhwL.ltrans0.ltrans.o: warning: relocation against `stdout@@GLIBC_2.2.5' in read-only section `.text.sgx_proc_log_report'
+# /usr/bin/ld: /tmp/ccWKJhwL.ltrans0.ltrans.o: relocation R_X86_64_PC32 against symbol `_Z16aesm_thread_procPv' can not be used when making a shared object; recompile with -fPIC
+%global _lto_cflags %nil
+
 ############################################################
 #
 # Note about the approach to bundling...
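Review bot: `%global _lto_cflags %nil` switches LTO off for every component of the package, but the comment above it only explains the aesm_service -fpie/-fPIC link failure, so a reader may assume the override is scoped to that one build. Suggest appending `# NB: package-wide; narrow to psw/ae/aesm_service once the -fpie source is found` so the actual scope and the open question are recorded next to the override.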
@@ -303,7 +312,12 @@ Patch0009: 0009-Remove-all-references-to-pccs-service.patch
 Patch0010: 0010-psw-prefer-dev-sgx_provision-dev-sgx_enclave.patch
 Patch0011: 0011-psw-fix-soname-for-libuae_service.so-library.patch
 Patch0012: 0012-pcl-remove-redundant-use-of-bool-type.patch
-Patch0013: 0013-Disable-inclusion-of-AESM-in-installer.patch
+Patch0013: 0013-sdk-honour-CFLAGS-LDFLAGS-set-from-environment.patch
+Patch0014: 0014-psw-make-aesm_service-build-verbose.patch
+Patch0015: 0015-Fix-modern-C-function-prototype-compliance.patch
+Patch0016: 0016-Add-wrapper-for-nasm-to-fix-cmake-compat.patch
+# Optional patches
+Patch0050: 0050-Disable-inclusion-of-AESM-in-installer.patch
 
 # 0100-0199 -> against SGXDataCenterAttestationPrimitives.git
 Patch0100: 0100-Drop-use-of-bundled-pre-built-openssl.patch
@@ -315,8 +329,7 @@ Patch0103: 0103-Look-for-versioned-sgx_urts-library-in-PCKRetrievalT.patch
 # https://github.com/intel/SGXDataCenterAttestationPrimitives/pull/429
 Patch0104: 0104-Don-t-import-pypac-in-pccsadmin.patch
 Patch0105: 0105-Look-for-PCKRetrievalTool-config-file-in-etc.patch
-# XXX enclaves must use bundled
-#Patch0106: 0106-Use-distro-provided-rapidjson-package.patch
+Patch0106: 0106-Honour-CFLAGS-CXXFLAGS-LDFLAGS-for-various-tools-and.patch
 # https://github.com/intel/SGXDataCenterAttestationPrimitives/pull/428
 Patch0107: 0107-qgs-add-space-between-program-name-first-arg-in-usag.patch
 Patch0108: 0108-qgs-protect-against-format-strings-in-QL-log-message.patch
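Review bot: `# Optional patches` above `Patch0050:` does not say what makes the 0050-0099 range optional or how it is selected, while the neighbouring `# 0100-0199 -> against SGXDataCenterAttestationPrimitives.git` comment documents its range; the %prep hunk later in this diff applies 50-99 only under `%if !%{with_aesm}`. Suggest `# 0050-0099 -> optional patches, applied only when !with_aesm (see %prep)` so the numbering scheme and the %autopatch bounds stay visibly in sync.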
@@ -324,6 +337,10 @@ Patch0109: 0109-qgs-add-debug-parameter-to-control-logging.patch Patch0110: 0110-pccsadmin-remove-leftover-debugging-print-args-state.patch Patch0111: 0111-Fix-soname-version-for-libsgx_qe3_logic.so-library.patch Patch0112: 0112-Workaround-broken-GCC-15.patch +Patch0113: 0113-Don-t-disable-cf-protection-for-qgs.patch +Patch0114: 0114-Delete-broken-checks-for-GCC-version-that-break-fsta.patch +#Patch0115: 0115-Use-distro-provided-rapidjson-package.patch +Patch0116: 0116-Don-t-stomp-on-VERBOSE-variable.patch # 0200-0299 -> against intel-sgx-ssl.git Patch0200: 0200-Enable-pointing-sgxssl-build-to-alternative-glibc-he.patch @@ -528,9 +545,9 @@ in applications %prep %setup -q -n linux-sgx-sgx_%{linux_sgx_version}_reproducible -%autopatch -m 0 -M 12 -p1 +%autopatch -m 0 -M 49 -p1 %if !%{with_aesm} -%autopatch -m 13 -M 13 -p1 +%autopatch -m 50 -M 99 -p1 %endif ############################################################ @@ -750,6 +767,30 @@ do MITIGATION-CVE-2020-0551=$mitigation done +NATIVE="sign_tool/SignTool" +NATIVE="$NATIVE encrypt_enclave" +NATIVE="$NATIVE libcapable/linux" +NATIVE="$NATIVE debugger_interface/linux" +NATIVE="$NATIVE simulation" + +# Most of 'sdk/' is enclave code, but there's some +# important native code we must now re-build with +# proper flags enabled to get distro hardening. +for dir in $NATIVE +do + %__make %{?_smp_mflags} \ + -C sdk/$dir clean + + # XXX temp override -j1 due to race conditions that have not yet been diagnosed + CFLAGS="%{build_cflags}" \ + CXXFLAGS="%{build_cxxflags}" \ + LDFLAGS="%{build_ldflags}" \ + %__make %{?_smp_mflags} -j1 \ + -C sdk/$dir V=1 \ + MITIGATION-CVE-2020-0551= \ + USE_HOST_OPENSSL_CRYPTO=1 \ + USE_HOST_TINYXML2=%{with_host_tinyxml2} +done ############################################################ # Second, install the SDK into a temporary tree, since this 
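Review bot: `Patch0114:` enables a patch whose QuoteGenerationSample/Makefile hunk (visible earlier in this diff) replaces the `ifeq ($(CC_BELOW_4_9), 1)` block with `Enclave_C_Flags := $(SGX_COMMON_CFLAGS) -nostdinc -fvisibility=hidden -fpie -ffunction-sections -fdata-sections`, which drops `-fstack-protector-strong` from that enclave's flags, whereas the other three Makefiles in the same patch keep it; unless SGX_COMMON_CFLAGS already carries the flag, that line should end in `-fstack-protector-strong`, and the now-unused `CC_BELOW_4_9 := $(shell expr ...)` line left above it can go too. Separately, `#Patch0115:` is added disabled while the earlier `# XXX enclaves must use bundled` rationale was removed together with the old Patch0106 entry; restoring it as `# XXX enclaves must use bundled rapidjson` next to Patch0115 keeps the reason for carrying an unapplied patch on record.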
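Review bot: The `clean` invocation in the new `for dir in $NATIVE` loop passes none of the switches the rebuild uses (`USE_HOST_OPENSSL_CRYPTO=1`, `USE_HOST_TINYXML2=...`), so if any of those Makefiles derive their object lists from these switches (not visible here) the clean may miss objects produced by the earlier enclave-flag pass, and the following make would then link stale objects that never saw `%{build_cflags}` into the host tools. Passing the same variables on the clean line, `%__make %{?_smp_mflags} -C sdk/$dir clean USE_HOST_OPENSSL_CRYPTO=1 USE_HOST_TINYXML2=%{with_host_tinyxml2}`, removes that dependency on Makefile internals. A short comment on `MITIGATION-CVE-2020-0551=` explaining why the mitigation is cleared for this pass — if it is because host tools do not run inside an enclave — would also help the next maintainer.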
@@ -788,16 +829,22 @@ done ############################################################ # Fourth, build the Platform Software +CFLAGS="%{build_cflags}" \ +CXXFLAGS="%{build_cxxflags}" \ +LDFLAGS="%{build_ldflags}" \ %__make %{?_smp_mflags} \ - -C psw/ V=1 \ + -C psw/ V=1 VERBOSE=1 \ SGX_SDK=$(pwd)/%{vroot}/sgxsdk \ SGX_ENCLAVE_PATH=%{sgx_libdir} \ USE_HOST_OPENSSL_CRYPTO=1 \ USE_HOST_CPPMICROSERVICES=1 # XXX temp override -j1 due to race conditions that have not yet been diagnosed +CFLAGS="%{build_cflags}" \ +CXXFLAGS="%{build_cxxflags}" \ +LDFLAGS="%{build_ldflags}" \ %__make %{?_smp_mflags} -j1 \ - -C external/dcap_source/ V=1 \ + -C external/dcap_source/ V=1 VERBOSE=1 \ SGX_SDK=$(pwd)/%{vroot}/sgxsdk \ SGX_ENCLAVE_PATH=%{sgx_libdir}