Update to SGX 2.26 / DCAP 1.23, adding PCCS service

Resolves: https://issues.redhat.com/browse/RHEL-121612
Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
Daniel P. Berrangé 2025-11-13 17:28:47 +00:00
parent e53e83c1ed
commit bc5efa9502
52 changed files with 987 additions and 869 deletions

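--- a/.gitignore
+++ b/.gitignore
@@ -1,13 +1,17 @@
-/dcap_1.22_reproducible.tar.gz
-/dcap-qvl-1.21.tar.gz
-/dcap-qvs-1.1.0-2885.tar.gz
-/intel-sgx-ssl-3.0_Rev4.tar.gz
-/ippcp_2021.12.1.tar.gz
-/jwt-cpp-0.6.0.tar.gz
-/libcbor-0.10.2.tar.gz
-/linux-sgx-2.25-reproducible.tar.gz
-/openssl-3.0.14.tar.gz
-/prebuilt_dcap_1.22-repacked.tar.gz
-/sgx-emm-1.0.3.tar.gz
-/tinyxml2-10.0.0.tar.gz
-/wasm-micro-runtime-1.3.3.tar.gz
+/dcap-qvl-*.tar.gz
+/dcap-qvs-*.tar.gz
+/intel-sgx-ssl-*.tar.gz
+/ippcp_*.tar.gz
+/jwt-cpp-*.tar.gz
+/libcbor-*.tar.gz
+/linux-sgx-*.tar.gz
+/openssl-*.tar.gz
+/prebuilt_dcap_*.tar.gz
+/sgx-emm-*.tar.gz
+/tinyxml2-*.tar.gz
+/wasm-micro-runtime-*.tar.gz
+/DCAP_*.tar.gz
+*~
+/dcap-*-pccs-node-modules.tar.xz
+/node-ffi-rs-*-vendor.tar.gz
+/node-ffi-rs-*.tar.gz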
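Review bot: The three patterns added at the end (`/dcap-*-pccs-node-modules.tar.xz`, `/node-ffi-rs-*-vendor.tar.gz`, `/node-ffi-rs-*.tar.gz`) carry no explanation, and by their names they look like pre-fetched dependency bundles for the new PCCS service rather than upstream release tarballs. If that reading is right, a comment such as `# vendored npm/cargo dependencies for PCCS, regenerated by <bundling script>` would tell the next maintainer where they come from and that their checksums deserve the same review as the upstream sources. Replacing the versioned names with wildcards also means a stale archive from an older release no longer shows up in `git status`, so whatever file records the source checksums becomes the only record of which archives a build actually uses.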


@ -1,7 +1,7 @@
From 035a09af5fa31cdc7ab683c8188168623848f033 Mon Sep 17 00:00:00 2001
From d4f132e1363779aef2c4209789ca364e27f45bb2 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?= <berrange@redhat.com>
Date: Thu, 13 Feb 2025 14:12:38 +0000
Subject: [PATCH 00/16] Add support for building against host openssl crypto
Subject: [PATCH 00/15] Add support for building against host openssl crypto
lib
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
@ -85,7 +85,7 @@ index a3843bdf..2c9c87b3 100644
${CMAKE_SOURCE_DIR}/../../../../external/rdrand/src/librdrand.a
)
diff --git a/psw/urts/linux/Makefile b/psw/urts/linux/Makefile
index 41797648..4097444c 100644
index 7e0b6a08..3d08ee5c 100644
--- a/psw/urts/linux/Makefile
+++ b/psw/urts/linux/Makefile
@@ -43,8 +43,6 @@ CFLAGS += -fPIC -Werror -g
@ -116,7 +116,7 @@ index 41797648..4097444c 100644
INTERNAL_LDFLAGS += -Wl,--version-script=urts_internal.lds -Wl,--gc-sections
diff --git a/sdk/sign_tool/SignTool/Makefile b/sdk/sign_tool/SignTool/Makefile
index 3d593972..1eb8d460 100644
index 1ed9f286..ed177c86 100644
--- a/sdk/sign_tool/SignTool/Makefile
+++ b/sdk/sign_tool/SignTool/Makefile
@@ -42,9 +42,6 @@ CFLAGS += $(FLAGS)
@ -138,7 +138,7 @@ index 3d593972..1eb8d460 100644
DIR1 := $(LINUX_EXTERNAL_DIR)/tinyxml2/
DIR2 := $(COMMON_DIR)/src/
@@ -89,7 +86,7 @@ all: sgx_sign | $(BUILD_DIR)
@@ -90,7 +87,7 @@ all: sgx_sign | $(BUILD_DIR)
$(BUILD_DIR):
@$(MKDIR) $@
@ -180,7 +180,7 @@ index c66beed2..45ddb576 100644
vpath %.cpp $(LINUX_PSW_DIR)/ae/common \
$(LINUX_SDK_DIR)/simulation/urtssim \
diff --git a/sdk/simulation/urtssim/linux/Makefile b/sdk/simulation/urtssim/linux/Makefile
index dde577ca..505ce8d9 100644
index e756d468..ea8ca78c 100644
--- a/sdk/simulation/urtssim/linux/Makefile
+++ b/sdk/simulation/urtssim/linux/Makefile
@@ -42,9 +42,6 @@ endif
@ -202,7 +202,7 @@ index dde577ca..505ce8d9 100644
CPPFLAGS += -I$(COMMON_DIR)/inc/internal \
-I$(LINUX_PSW_DIR)/urts/linux \
@@ -127,7 +124,7 @@ LDFLAGS += $(COMMON_LDFLAGS) -Wl,--version-script=$(LINUX_PSW_DIR)/urts/linux/ur
@@ -128,7 +125,7 @@ LDFLAGS += $(COMMON_LDFLAGS) -Wl,--version-script=$(LINUX_PSW_DIR)/urts/linux/ur
LIBURTSSIM_SHARED := libsgx_urts_sim.so
LIBURTS_DEPLOY := libsgx_urts_deploy.so
@ -212,5 +212,5 @@ index dde577ca..505ce8d9 100644
.PHONY: all
--
2.48.1
2.49.0


@ -1,7 +1,7 @@
From a1ebbd0efeb66f23a02e63946d6f2c8ec9c00c00 Mon Sep 17 00:00:00 2001
From e372a1a009f1de14ea5ee01ec022633d88f6d234 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?= <berrange@redhat.com>
Date: Thu, 13 Feb 2025 14:01:10 +0000
Subject: [PATCH 01/16] Add support for building against host tinyxml2 lib
Subject: [PATCH 01/15] Add support for building against host tinyxml2 lib
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
@ -44,7 +44,7 @@ index acae2106..6dac4028 100644
+TINYXML2_DIR = $(LINUX_EXTERNAL_DIR)/tinyxml2/
+endif
diff --git a/sdk/sign_tool/SignTool/Makefile b/sdk/sign_tool/SignTool/Makefile
index 1eb8d460..219fb5ad 100644
index ed177c86..1dcb6f51 100644
--- a/sdk/sign_tool/SignTool/Makefile
+++ b/sdk/sign_tool/SignTool/Makefile
@@ -49,11 +49,11 @@ INC += -I$(COMMON_DIR)/inc \
@ -69,8 +69,8 @@ index 1eb8d460..219fb5ad 100644
+OBJ3 := $(TINYXML2_OBJ)
OBJ4 := loader.o \
se_detect.o
@@ -86,7 +86,7 @@ all: sgx_sign | $(BUILD_DIR)
se_detect.o \
@@ -87,7 +87,7 @@ all: sgx_sign | $(BUILD_DIR)
$(BUILD_DIR):
@$(MKDIR) $@
@ -80,5 +80,5 @@ index 1eb8d460..219fb5ad 100644
sgx_sign: $(OBJS) enclaveparser
--
2.48.1
2.49.0


@ -1,7 +1,7 @@
From 90ec590f9b17b878cfe2e338d55362349d5ad67e Mon Sep 17 00:00:00 2001
From 02f4535633d317894629f30daf0583fddcdf3f1c Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?= <berrange@redhat.com>
Date: Thu, 13 Feb 2025 14:01:10 +0000
Subject: [PATCH 02/16] Add support for building against host CppMicroServices
Subject: [PATCH 02/15] Add support for building against host CppMicroServices
lib
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
@ -125,7 +125,7 @@ index bac84292..89a15875 100644
ifeq ($(RDRAND_MAKEFILE), $(wildcard $(RDRAND_MAKEFILE)))
@$(MAKE) distclean -C $(RDRAND_LIBDIR)
diff --git a/psw/ae/aesm_service/source/CMakeLists.txt b/psw/ae/aesm_service/source/CMakeLists.txt
index 98c724a7..3edd77c7 100644
index da3e0b77..89b3e3ae 100644
--- a/psw/ae/aesm_service/source/CMakeLists.txt
+++ b/psw/ae/aesm_service/source/CMakeLists.txt
@@ -46,7 +46,7 @@ else()
@ -138,5 +138,5 @@ index 98c724a7..3edd77c7 100644
cmake_minimum_required(VERSION ${US_CMAKE_MINIMUM_REQUIRED_VERSION})
cmake_policy(VERSION ${US_CMAKE_MINIMUM_REQUIRED_VERSION})
--
2.48.1
2.49.0


@ -1,7 +1,7 @@
From 50ba5d706d65359514e973175c34f36b6887a1e8 Mon Sep 17 00:00:00 2001
From e607f7279049d2db090a2bef9c7943cdb55d9de6 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?= <berrange@redhat.com>
Date: Fri, 1 Mar 2024 12:53:26 +0000
Subject: [PATCH 03/16] Improve make debuggability
Subject: [PATCH 03/15] Improve make debuggability
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
@ -17,10 +17,10 @@ Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
2 files changed, 5 insertions(+), 5 deletions(-)
diff --git a/sdk/Makefile.source b/sdk/Makefile.source
index 4bbfd4f3..d3e40036 100644
index e98776df..dfbca6d4 100644
--- a/sdk/Makefile.source
+++ b/sdk/Makefile.source
@@ -78,7 +78,7 @@ tstdc: $(LIBTLIBC)
@@ -77,7 +77,7 @@ tstdc: $(LIBTLIBC)
ifndef SERVTD_ATTEST
$(LIBTLIBC): tlibthread compiler-rt tsafecrt tsetjmp tmm_rsrv
@ -29,7 +29,7 @@ index 4bbfd4f3..d3e40036 100644
@$(MKDIR) $(BUILD_DIR)/.compiler-rt $(BUILD_DIR)/.tlibthread $(BUILD_DIR)/.tsafecrt $(BUILD_DIR)/.tsetjmp $(BUILD_DIR)/.tmm_rsrv
@$(RM) -f $(BUILD_DIR)/.compiler-rt/* && cd $(BUILD_DIR)/.compiler-rt && $(AR) x $(LINUX_SDK_DIR)/compiler-rt/libcompiler-rt.a
@$(RM) -f $(BUILD_DIR)/.tlibthread/* && cd $(BUILD_DIR)/.tlibthread && $(AR) x $(LINUX_SDK_DIR)/tlibthread/libtlibthread.a
@@ -96,7 +96,7 @@ $(LIBTLIBC): tlibthread compiler-rt tsafecrt tsetjmp tmm_rsrv
@@ -95,7 +95,7 @@ $(LIBTLIBC): tlibthread compiler-rt tsafecrt tsetjmp tmm_rsrv
@$(RM) -rf $(BUILD_DIR)/.tsetjmp $(BUILD_DIR)/.tmm_rsrv
else
$(LIBTLIBC): tlibthread tsafecrt tsetjmp tmm_rsrv
@ -38,7 +38,7 @@ index 4bbfd4f3..d3e40036 100644
@$(MKDIR) $(BUILD_DIR)/.tlibthread $(BUILD_DIR)/.tsafecrt $(BUILD_DIR)/.tsetjmp $(BUILD_DIR)/.tmm_rsrv
@$(RM) -f $(BUILD_DIR)/.tlibthread/* && cd $(BUILD_DIR)/.tlibthread && $(AR) x $(LINUX_SDK_DIR)/tlibthread/libtlibthread.a
@$(RM) -f $(BUILD_DIR)/.tsafecrt/* && cd $(BUILD_DIR)/.tsafecrt && $(AR) x $(LINUX_SDK_DIR)/tsafecrt/libsgx_tsafecrt.a
@@ -119,7 +119,7 @@ tsafecrt:
@@ -118,7 +118,7 @@ tsafecrt:
.PHONY: compiler-rt
compiler-rt:
@ -47,7 +47,7 @@ index 4bbfd4f3..d3e40036 100644
.PHONY: tsetjmp
tsetjmp:
@@ -163,7 +163,7 @@ cpprt:
@@ -162,7 +162,7 @@ cpprt:
.PHONY: tlibcxx
tlibcxx: $(BUILD_DIR)
@ -70,5 +70,5 @@ index d1ac38a1..5fb90c21 100644
.PHONY: clean
--
2.48.1
2.49.0


@ -1,7 +1,7 @@
From e9150e028f1d0f567bab4d2c7d5e5fc02cadce06 Mon Sep 17 00:00:00 2001
From 8d858334aeade0a0063456fa03cdbc3f6a55d51f Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?= <berrange@redhat.com>
Date: Thu, 13 Feb 2025 14:37:24 +0000
Subject: [PATCH 04/16] Support disabling use of git for ippcp code
Subject: [PATCH 04/15] Support disabling use of git for ippcp code
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
@ -16,7 +16,7 @@ Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
1 file changed, 4 insertions(+)
diff --git a/external/ippcp_internal/Makefile b/external/ippcp_internal/Makefile
index b4108cb8..70718f5e 100644
index a57c22a9..d78ba90e 100644
--- a/external/ippcp_internal/Makefile
+++ b/external/ippcp_internal/Makefile
@@ -33,6 +33,8 @@ include ../../buildenv.mk
@ -37,7 +37,7 @@ index b4108cb8..70718f5e 100644
git submodule update -f --init --recursive --remote -- $(IPP_SOURCE)
else
@@ -92,6 +95,7 @@ else
git clone -b ipp-ipp-crypto_2021_12_1 https://github.com/intel/ipp-crypto.git --depth 1 $(IPP_SOURCE)
git clone -b ipp-crypto_2021_12_1 https://github.com/intel/ipp-crypto.git --depth 1 $(IPP_SOURCE)
endif
cd $(IPP_SOURCE) && git apply ../0001-IPP-crypto-for-SGX.patch
+endif
@ -45,5 +45,5 @@ index b4108cb8..70718f5e 100644
.PHONY: clean
--
2.48.1
2.49.0
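Review bot: The git path that this patch leaves in place around its new guard still fetches unpinned code: `git clone -b ipp-crypto_2021_12_1 https://github.com/intel/ipp-crypto.git --depth 1 $(IPP_SOURCE)` resolves a tag name at build time and `git submodule update -f --init --recursive --remote` follows the remote head, so neither is tied to a reviewed commit. The switch that skips this block is defined in lines the page does not show, so how it is set is inferred here, but a comment above the guard such as `# packaged builds use the pre-extracted ippcp tarball; the git fetch below must never run there` would make the intent explicit. It would also help if the spec asserted that the switch is set, so that a dropped variable cannot silently fall back to a network clone.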


@ -1,8 +1,7 @@
From bdeff24e929360b5ecfa5b0fe36513607b98daf3 Mon Sep 17 00:00:00 2001
From e10242ea154af19d527377c9ff885fa0c7e7ce41 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?= <berrange@redhat.com>
Date: Tue, 18 Jun 2024 15:57:22 +0100
Subject: [PATCH 05/16] disable openmp, protobuf, mbedtls & sample_crypto
builds
Subject: [PATCH 05/15] disable openmp, protobuf & sample_crypto builds
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
@ -12,15 +11,15 @@ important, so skip them to reduce amount of bundled package code.
Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
---
linux/installer/common/sdk/BOMs/sdk_base.txt | 335 ------------------
.../common/sdk/BOMs/sdk_cve_2020_0551_cf.txt | 3 -
.../sdk/BOMs/sdk_cve_2020_0551_load.txt | 3 -
linux/installer/common/sdk/BOMs/sdk_x64.txt | 4 -
sdk/Makefile.source | 30 +-
5 files changed, 1 insertion(+), 374 deletions(-)
linux/installer/common/sdk/BOMs/sdk_base.txt | 298 ------------------
.../common/sdk/BOMs/sdk_cve_2020_0551_cf.txt | 2 -
.../sdk/BOMs/sdk_cve_2020_0551_load.txt | 2 -
linux/installer/common/sdk/BOMs/sdk_x64.txt | 3 -
sdk/Makefile.source | 24 +-
5 files changed, 1 insertion(+), 328 deletions(-)
diff --git a/linux/installer/common/sdk/BOMs/sdk_base.txt b/linux/installer/common/sdk/BOMs/sdk_base.txt
index 032479d8..ed585066 100644
index d26ee825..ed585066 100644
--- a/linux/installer/common/sdk/BOMs/sdk_base.txt
+++ b/linux/installer/common/sdk/BOMs/sdk_base.txt
@@ -1,5 +1,4 @@
@ -29,7 +28,7 @@ index 032479d8..ed585066 100644
<deliverydir>/common/inc/sgx_attributes.h <installdir>/package/include/sgx_attributes.h 0 main STP
<deliverydir>/common/inc/sgx_capable.h <installdir>/package/include/sgx_capable.h 0 main STP
<deliverydir>/common/inc/sgx_cpuid.h <installdir>/package/include/sgx_cpuid.h 0 main STP
@@ -391,26 +390,6 @@ DeliveryName InstallName FileCheckSum FileFeature FileOwner
@@ -391,16 +390,6 @@ DeliveryName InstallName FileCheckSum FileFeature FileOwner
<deliverydir>/SampleCode/SealUnseal/Enclave_Unseal/Enclave_Unseal.cpp <installdir>/package/SampleCode/SealUnseal/Enclave_Unseal/Enclave_Unseal.cpp 0 N/A N/A
<deliverydir>/SampleCode/SealUnseal/Enclave_Unseal/Enclave_Unseal.edl <installdir>/package/SampleCode/SealUnseal/Enclave_Unseal/Enclave_Unseal.edl 0 N/A N/A
<deliverydir>/SampleCode/SealUnseal/Enclave_Unseal/Enclave_Unseal.lds <installdir>/package/SampleCode/SealUnseal/Enclave_Unseal/Enclave_Unseal.lds 0 N/A N/A
@ -43,20 +42,10 @@ index 032479d8..ed585066 100644
-<deliverydir>/SampleCode/ProtobufSGXDemo/Enclave/Enclave.lds <installdir>/package/SampleCode/ProtobufSGXDemo/Enclave/Enclave.lds 0 N/A N/A
-<deliverydir>/SampleCode/ProtobufSGXDemo/Enclave/person.proto <installdir>/package/SampleCode/ProtobufSGXDemo/Enclave/person.proto 0 N/A N/A
-<deliverydir>/SampleCode/ProtobufSGXDemo/Makefile <installdir>/package/SampleCode/ProtobufSGXDemo/Makefile 0 N/A N/A
-<deliverydir>/SampleCode/SampleMbedCrypto/App/App.cpp <installdir>/package/SampleCode/SampleMbedCrypto/App/App.cpp 0 N/A N/A
-<deliverydir>/SampleCode/SampleMbedCrypto/App/App.h <installdir>/package/SampleCode/SampleMbedCrypto/App/App.h 0 N/A N/A
-<deliverydir>/SampleCode/SampleMbedCrypto/Makefile <installdir>/package/SampleCode/SampleMbedCrypto/Makefile 0 N/A N/A
-<deliverydir>/SampleCode/SampleMbedCrypto/Enclave/Enclave.cpp <installdir>/package/SampleCode/SampleMbedCrypto/Enclave/Enclave.cpp 0 N/A N/A
-<deliverydir>/SampleCode/SampleMbedCrypto/Enclave/Enclave.lds <installdir>/package/SampleCode/SampleMbedCrypto/Enclave/Enclave.lds 0 N/A N/A
-<deliverydir>/SampleCode/SampleMbedCrypto/Enclave/Enclave_debug.lds <installdir>/package/SampleCode/SampleMbedCrypto/Enclave/Enclave_debug.lds 0 N/A N/A
-<deliverydir>/SampleCode/SampleMbedCrypto/Enclave/Enclave.h <installdir>/package/SampleCode/SampleMbedCrypto/Enclave/Enclave.h 0 N/A N/A
-<deliverydir>/SampleCode/SampleMbedCrypto/Enclave/Enclave.edl <installdir>/package/SampleCode/SampleMbedCrypto/Enclave/Enclave.edl 0 N/A N/A
-<deliverydir>/SampleCode/SampleMbedCrypto/Enclave/Enclave.config.xml <installdir>/package/SampleCode/SampleMbedCrypto/Enclave/Enclave.config.xml 0 N/A N/A
-<deliverydir>/SampleCode/SampleMbedCrypto/README.txt <installdir>/package/SampleCode/SampleMbedCrypto/README.txt 0 N/A N/A
<deliverydir>/SampleCode/SampleAEXNotify/Enclave/Enclave.config.xml <installdir>/package/SampleCode/SampleAEXNotify/Enclave/Enclave.config.xml 0 N/A N/A
<deliverydir>/SampleCode/SampleAEXNotify/Enclave/Enclave.cpp <installdir>/package/SampleCode/SampleAEXNotify/Enclave/Enclave.cpp 0 N/A N/A
<deliverydir>/SampleCode/SampleAEXNotify/Enclave/Enclave.edl <installdir>/package/SampleCode/SampleAEXNotify/Enclave/Enclave.edl 0 N/A N/A
@@ -422,7 +401,6 @@ DeliveryName InstallName FileCheckSum FileFeature FileOwner
@@ -412,7 +401,6 @@ DeliveryName InstallName FileCheckSum FileFeature FileOwner
<deliverydir>/SampleCode/SampleAEXNotify/Makefile <installdir>/package/SampleCode/SampleAEXNotify/Makefile 0 N/A N/A
<deliverydir>/SampleCode/SampleAEXNotify/README.txt <installdir>/package/SampleCode/SampleAEXNotify/README.txt 0 N/A N/A
<deliverydir>/build/linux/gdb-sgx-plugin/sgx-gdb <installdir>/package/bin/sgx-gdb 0 main STP
@ -64,7 +53,7 @@ index 032479d8..ed585066 100644
<deliverydir>/sdk/tlibcxx/include/CMakeLists.txt <installdir>/package/include/libcxx/CMakeLists.txt 0 main STP
<deliverydir>/sdk/tlibcxx/include/__availability <installdir>/package/include/libcxx/__availability 0 main STP
<deliverydir>/sdk/tlibcxx/include/__bit_reference <installdir>/package/include/libcxx/__bit_reference 0 main STP
@@ -607,317 +585,4 @@ DeliveryName InstallName FileCheckSum FileFeature FileOwner
@@ -597,290 +585,4 @@ DeliveryName InstallName FileCheckSum FileFeature FileOwner
<deliverydir>/sdk/tlibcxx/include/variant <installdir>/package/include/libcxx/variant 0 main STP
<deliverydir>/sdk/tlibcxx/include/vector <installdir>/package/include/libcxx/vector 0 main STP
<deliverydir>/sdk/tlibcxx/include/version <installdir>/package/include/libcxx/version 0 main STP
@ -354,39 +343,12 @@ index 032479d8..ed585066 100644
-<deliverydir>/external/protobuf/protobuf_code/third_party/abseil-cpp/absl/types/span.h <installdir>/package/include/tprotobuf/absl/types/span.h 0 main STP
-<deliverydir>/external/protobuf/protobuf_code/third_party/abseil-cpp/absl/types/variant.h <installdir>/package/include/tprotobuf/absl/types/variant.h 0 main STP
-<deliverydir>/external/protobuf/protobuf_code/third_party/abseil-cpp/absl/utility/utility.h <installdir>/package/include/tprotobuf/absl/utility/utility.h 0 main STP
-<deliverydir>/external/mbedtls/mbedtls_code/include/mbedtls/aes.h <installdir>/package/include/mbedtls/aes.h 0 main STP
-<deliverydir>/external/mbedtls/mbedtls_code/include/mbedtls/bignum.h <installdir>/package/include/mbedtls/bignum.h 0 main STP
-<deliverydir>/external/mbedtls/mbedtls_code/include/mbedtls/build_info.h <installdir>/package/include/mbedtls/build_info.h 0 main STP
-<deliverydir>/external/mbedtls/mbedtls_code/include/mbedtls/check_config.h <installdir>/package/include/mbedtls/check_config.h 0 main STP
-<deliverydir>/external/mbedtls/mbedtls_code/include/mbedtls/cipher.h <installdir>/package/include/mbedtls/cipher.h 0 main STP
-
-<deliverydir>/external/mbedtls/mbedtls_code/include/mbedtls/config_psa.h <installdir>/package/include/mbedtls/config_psa.h 0 main STP
-<deliverydir>/external/mbedtls/mbedtls_code/include/mbedtls/ctr_drbg.h <installdir>/package/include/mbedtls/ctr_drbg.h 0 main STP
-<deliverydir>/external/mbedtls/mbedtls_code/include/mbedtls/ecdsa.h <installdir>/package/include/mbedtls/ecdsa.h 0 main STP
-<deliverydir>/external/mbedtls/mbedtls_code/include/mbedtls/ecp.h <installdir>/package/include/mbedtls/ecp.h 0 main STP
-<deliverydir>/external/mbedtls/mbedtls_code/include/mbedtls/entropy.h <installdir>/package/include/mbedtls/entropy.h 0 main STP
-<deliverydir>/external/mbedtls/mbedtls_code/include/mbedtls/mbedtls_config.h <installdir>/package/include/mbedtls/mbedtls_config.h 0 main STP
-<deliverydir>/external/mbedtls/mbedtls_code/include/mbedtls/md.h <installdir>/package/include/mbedtls/md.h 0 main STP
-<deliverydir>/external/mbedtls/mbedtls_code/include/mbedtls/platform_util.h <installdir>/package/include/mbedtls/platform_util.h 0 main STP
-<deliverydir>/external/mbedtls/mbedtls_code/include/mbedtls/private_access.h <installdir>/package/include/mbedtls/private_access.h 0 main STP
-<deliverydir>/external/mbedtls/mbedtls_code/include/mbedtls/sha1.h <installdir>/package/include/mbedtls/sha1.h 0 main STP
-<deliverydir>/external/mbedtls/mbedtls_code/include/mbedtls/sha256.h <installdir>/package/include/mbedtls/sha256.h 0 main STP
-<deliverydir>/external/mbedtls/mbedtls_code/include/mbedtls/sha512.h <installdir>/package/include/mbedtls/sha512.h 0 main STP
-<deliverydir>/external/mbedtls/mbedtls_code/include/mbedtls/threading.h <installdir>/package/include/mbedtls/threading.h 0 main STP
-<deliverydir>/external/mbedtls/mbedtls_code/include/mbedtls/platform.h <installdir>/package/include/mbedtls/platform.h 0 main STP
-<deliverydir>/external/mbedtls/mbedtls_code/include/mbedtls/ecdh.h <installdir>/package/include/mbedtls/ecdh.h 0 main STP
-<deliverydir>/external/mbedtls/mbedtls_code/include/mbedtls/cmac.h <installdir>/package/include/mbedtls/cmac.h 0 main STP
-<deliverydir>/external/mbedtls/mbedtls_code/include/mbedtls/rsa.h <installdir>/package/include/mbedtls/rsa.h 0 main STP
-<deliverydir>/external/mbedtls/mbedtls_code/include/mbedtls/gcm.h <installdir>/package/include/mbedtls/gcm.h 0 main STP
-<deliverydir>/external/mbedtls/mbedtls_code/include/mbedtls/config_adjust_legacy_crypto.h <installdir>/package/include/mbedtls/config_adjust_legacy_crypto.h 0 main STP
-<deliverydir>/external/mbedtls/mbedtls_code/include/mbedtls/config_adjust_x509.h <installdir>/package/include/mbedtls/config_adjust_x509.h 0 main STP
-<deliverydir>/external/mbedtls/mbedtls_code/include/mbedtls/config_adjust_ssl.h <installdir>/package/include/mbedtls/config_adjust_ssl.h 0 main STP
<deliverydir>/common/buildenv.mk <installdir>/package/buildenv.mk 0 main STP
diff --git a/linux/installer/common/sdk/BOMs/sdk_cve_2020_0551_cf.txt b/linux/installer/common/sdk/BOMs/sdk_cve_2020_0551_cf.txt
index d494deba..998def35 100644
index 65d9dca0..086992f9 100644
--- a/linux/installer/common/sdk/BOMs/sdk_cve_2020_0551_cf.txt
+++ b/linux/installer/common/sdk/BOMs/sdk_cve_2020_0551_cf.txt
@@ -9,11 +9,8 @@ DeliveryName InstallName FileCheckSum FileFeature FileOwner
@@ -10,9 +10,7 @@ DeliveryName InstallName FileCheckSum FileFeature FileOwner
<deliverydir>/build/linuxCF/libsgx_tswitchless.a <installdir>/package/lib64/cve_2020_0551_cf/libsgx_tswitchless.a 0 main STP
<deliverydir>/build/linuxCF/libsgx_tprotected_fs.a <installdir>/package/lib64/cve_2020_0551_cf/libsgx_tprotected_fs.a 0 main STP
<deliverydir>/build/linuxCF/libsgx_pcl.a <installdir>/package/lib64/cve_2020_0551_cf/libsgx_pcl.a 0 main STP
@ -396,13 +358,11 @@ index d494deba..998def35 100644
<deliverydir>/build/linuxCF/libsgx_ttls.a <installdir>/package/lib64/cve_2020_0551_cf/libsgx_ttls.a 0 main STP
<deliverydir>/build/linuxCF/libtdx_tls.a <installdir>/package/lib64/cve_2020_0551_cf/libtdx_tls.a 0 main STP
<deliverydir>/build/linuxCF/libsgx_utls.a <installdir>/package/lib64/cve_2020_0551_cf/libsgx_utls.a 0 main STP
-<deliverydir>/build/linuxCF/libsgx_mbedcrypto.a <installdir>/package/lib64/cve_2020_0551_cf/libsgx_mbedcrypto.a 0 main STP
<deliverydir>/external/dcap_source/QuoteGeneration/build/linuxCF/libsgx_dcap_tvl.a <installdir>/package/lib64/cve_2020_0551_cf/libsgx_dcap_tvl.a 0 main STP
diff --git a/linux/installer/common/sdk/BOMs/sdk_cve_2020_0551_load.txt b/linux/installer/common/sdk/BOMs/sdk_cve_2020_0551_load.txt
index 53c9cfc6..b68b9976 100644
index 71684b38..c26c9e63 100644
--- a/linux/installer/common/sdk/BOMs/sdk_cve_2020_0551_load.txt
+++ b/linux/installer/common/sdk/BOMs/sdk_cve_2020_0551_load.txt
@@ -9,11 +9,8 @@ DeliveryName InstallName FileCheckSum FileFeature FileOwner
@@ -10,9 +10,7 @@ DeliveryName InstallName FileCheckSum FileFeature FileOwner
<deliverydir>/build/linuxLOAD/libsgx_tswitchless.a <installdir>/package/lib64/cve_2020_0551_load/libsgx_tswitchless.a 0 main STP
<deliverydir>/build/linuxLOAD/libsgx_tprotected_fs.a <installdir>/package/lib64/cve_2020_0551_load/libsgx_tprotected_fs.a 0 main STP
<deliverydir>/build/linuxLOAD/libsgx_pcl.a <installdir>/package/lib64/cve_2020_0551_load/libsgx_pcl.a 0 main STP
@ -412,13 +372,11 @@ index 53c9cfc6..b68b9976 100644
<deliverydir>/build/linuxLOAD/libsgx_ttls.a <installdir>/package/lib64/cve_2020_0551_load/libsgx_ttls.a 0 main STP
<deliverydir>/build/linuxLOAD/libtdx_tls.a <installdir>/package/lib64/cve_2020_0551_load/libtdx_tls.a 0 main STP
<deliverydir>/build/linuxLOAD/libsgx_utls.a <installdir>/package/lib64/cve_2020_0551_load/libsgx_utls.a 0 main STP
-<deliverydir>/build/linuxLOAD/libsgx_mbedcrypto.a <installdir>/package/lib64/cve_2020_0551_load/libsgx_mbedcrypto.a 0 main STP
<deliverydir>/external/dcap_source/QuoteGeneration/build/linuxLOAD/libsgx_dcap_tvl.a <installdir>/package/lib64/cve_2020_0551_load/libsgx_dcap_tvl.a 0 main STP
diff --git a/linux/installer/common/sdk/BOMs/sdk_x64.txt b/linux/installer/common/sdk/BOMs/sdk_x64.txt
index 629492c1..602a804d 100644
index d713050b..111070ee 100644
--- a/linux/installer/common/sdk/BOMs/sdk_x64.txt
+++ b/linux/installer/common/sdk/BOMs/sdk_x64.txt
@@ -39,14 +39,10 @@ DeliveryName InstallName FileCheckSum FileFeature FileOwner
@@ -40,10 +40,7 @@ DeliveryName InstallName FileCheckSum FileFeature FileOwner
<deliverydir>/build/linux/sgx_edger8r <installdir>/package/bin/x64/sgx_edger8r 0 main STP
<deliverydir>/build/linux/sgx_sign <installdir>/package/bin/x64/sgx_sign 0 main STP
<deliverydir>/build/linux/sgx_encrypt <installdir>/package/bin/x64/sgx_encrypt 0 main STP
@ -429,22 +387,17 @@ index 629492c1..602a804d 100644
<deliverydir>/build/linux/libsgx_ttls.a <installdir>/package/lib64/libsgx_ttls.a 0 main STP
<deliverydir>/build/linux/libtdx_tls.a <installdir>/package/lib64/libtdx_tls.a 0 main STP
<deliverydir>/build/linux/libsgx_utls.a <installdir>/package/lib64/libsgx_utls.a 0 main STP
-<deliverydir>/build/linux/libsgx_mbedcrypto.a <installdir>/package/lib64/libsgx_mbedcrypto.a 0 main STP
<deliverydir>/external/dcap_source/QuoteGeneration/build/linux/libsgx_dcap_tvl.a <installdir>/package/lib64/libsgx_dcap_tvl.a 0 main STP
<deliverydir>/linux/installer/common/sdk/installConfig.x64 <installdir>/scripts/installConfig 0 main STP
<deliverydir>/linux/installer/common/sdk/pkgconfig/x64/libsgx_uae_service_sim.pc <installdir>/package/pkgconfig/libsgx_uae_service_sim.pc 0 main STP
diff --git a/sdk/Makefile.source b/sdk/Makefile.source
index d3e40036..3bd08d5c 100644
index dfbca6d4..3bd08d5c 100644
--- a/sdk/Makefile.source
+++ b/sdk/Makefile.source
@@ -41,15 +41,11 @@
@@ -41,14 +41,11 @@
# - tprotected_fs: libsgx_tprotected_fs.a
# - tcmalloc: libsgx_tcmalloc.a
# - sgx_pcl: libsgx_pcl.a
-# - openmp: libsgx_omp.a
-# - protobuf: libsgx_protobuf.a
# - ttls: libsgx_ttls.a
-# - mbedtls: libsgx_mbedcrypto.a
# - Untrtusted libraries
# - ukey_exchange: libsgx_ukey_exchange.a
# - uprotected_fs: libsgx_uprotected_fs.a
@ -453,16 +406,16 @@ index d3e40036..3bd08d5c 100644
# - utls: libsgx_utls.a
# - Standalone, untrusted libraries
# - libcapable: libsgx_capable.a libsgx_capable.so
@@ -67,7 +63,7 @@ LIBTCXX := $(BUILD_DIR)/libsgx_tcxx.a
@@ -66,7 +63,7 @@ LIBTCXX := $(BUILD_DIR)/libsgx_tcxx.a
LIBTSE := $(BUILD_DIR)/libsgx_tservice.a
.PHONY: components
-components: tstdc tcxx tservice trts tcrypto tkey_exchange ukey_exchange tprotected_fs uprotected_fs ptrace sample_crypto libcapable simulation signtool edger8r tcmalloc sgx_pcl sgx_encrypt sgx_tswitchless sgx_uswitchless pthread openmp protobuf ttls utls mbedtls
-components: tstdc tcxx tservice trts tcrypto tkey_exchange ukey_exchange tprotected_fs uprotected_fs ptrace sample_crypto libcapable simulation signtool edger8r tcmalloc sgx_pcl sgx_encrypt sgx_tswitchless sgx_uswitchless pthread openmp protobuf ttls utls
+components: tstdc tcxx tservice trts tcrypto tkey_exchange ukey_exchange tprotected_fs uprotected_fs ptrace libcapable simulation signtool edger8r tcmalloc sgx_pcl sgx_encrypt sgx_tswitchless sgx_uswitchless pthread ttls utls
# ---------------------------------------------------
# tstdc
@@ -221,26 +217,10 @@ tprotected_fs: edger8r
@@ -220,18 +217,6 @@ tprotected_fs: edger8r
sgx_pcl:
$(MAKE) -C protected_code_loader
@ -481,15 +434,7 @@ index d3e40036..3bd08d5c 100644
.PHONY: ttls
ttls: edger8r
$(MAKE) -C ttls
-.PHONY: mbedtls
-mbedtls:
- $(MAKE) -C $(LINUX_EXTERNAL_DIR)/mbedtls
-
# ---------------------------------------------------
# Untrusted libraries
# ---------------------------------------------------
@@ -256,10 +236,6 @@ uprotected_fs: edger8r
@@ -251,10 +236,6 @@ uprotected_fs: edger8r
ptrace:
$(MAKE) -C debugger_interface/linux/
@ -500,7 +445,7 @@ index d3e40036..3bd08d5c 100644
.PHONY: utls
utls:
$(MAKE) -C utls
@@ -329,7 +305,6 @@ clean:
@@ -324,7 +305,6 @@ clean:
$(MAKE) -C protected_fs/sgx_tprotected_fs/ clean
$(MAKE) -C protected_fs/sgx_uprotected_fs/ clean
$(MAKE) -C debugger_interface/linux/ clean
@ -508,7 +453,7 @@ index d3e40036..3bd08d5c 100644
$(MAKE) -C libcapable/linux/ clean
$(MAKE) -C simulation/ clean
$(MAKE) -C sign_tool/SignTool clean
@@ -340,11 +315,8 @@ clean:
@@ -335,8 +315,6 @@ clean:
$(MAKE) -C switchless/sgx_uswitchless clean
$(MAKE) -C tmm_rsrv/ clean
$(MAKE) -C pthread clean
@ -516,10 +461,7 @@ index d3e40036..3bd08d5c 100644
- $(MAKE) -C $(LINUX_EXTERNAL_DIR)/protobuf clean
$(MAKE) -C ttls clean
$(MAKE) -C utls clean
- $(MAKE) -C $(LINUX_EXTERNAL_DIR)/mbedtls clean
@$(RM) $(LIBTLIBC) $(LIBTCXX) $(LIBTSE)
@$(RM) $(BUILD_DIR)/libc++_Changes_SGX.txt
@$(RM) -rf $(BUILD_DIR)/.compiler-rt
--
2.48.1
2.49.0


@ -1,7 +1,7 @@
From 44c7af2d59a9654009eb1ea6affe771927d24850 Mon Sep 17 00:00:00 2001
From f257662821800cfe5cdb38639a35361aac0802a3 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?= <berrange@redhat.com>
Date: Mon, 24 Jun 2024 17:36:13 +0100
Subject: [PATCH 06/16] Fix compat with gcc 14
Subject: [PATCH 06/15] Fix compat with gcc 14
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
@ -14,25 +14,11 @@ that std::enable_if_t is available.
Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
---
psw/ae/aesm_service/source/CMakeLists.txt | 2 +-
psw/enclave_common/sgx_enclave_common.cpp | 1 +
2 files changed, 2 insertions(+), 1 deletion(-)
1 file changed, 1 insertion(+)
diff --git a/psw/ae/aesm_service/source/CMakeLists.txt b/psw/ae/aesm_service/source/CMakeLists.txt
index 3edd77c7..89b3e3ae 100644
--- a/psw/ae/aesm_service/source/CMakeLists.txt
+++ b/psw/ae/aesm_service/source/CMakeLists.txt
@@ -61,7 +61,7 @@ if(REF_LE)
endif()
set(CMAKE_CXX_STANDARD_REQUIRED 1)
-set(CMAKE_CXX_STANDARD 11)
+set(CMAKE_CXX_STANDARD 14)
set(CMAKE_SKIP_BUILD_RPATH true)
########## SGX SDK Settings ##########
diff --git a/psw/enclave_common/sgx_enclave_common.cpp b/psw/enclave_common/sgx_enclave_common.cpp
index 9867ecc8..46fcf873 100644
index 9a335c81..399d63b2 100644
--- a/psw/enclave_common/sgx_enclave_common.cpp
+++ b/psw/enclave_common/sgx_enclave_common.cpp
@@ -35,6 +35,7 @@
@ -44,5 +30,5 @@ index 9867ecc8..46fcf873 100644
#include "sgx_urts.h"
#include "arch.h"
--
2.48.1
2.49.0


@ -1,7 +1,7 @@
From b613bffdce4d035dab354887539828906920a69e Mon Sep 17 00:00:00 2001
From 089dddf45cda329896d5d94202780209567fed9d Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?= <berrange@redhat.com>
Date: Mon, 2 Sep 2024 16:49:18 +0100
Subject: [PATCH 07/16] Fix escaping of regexes in sgx-asm-pp
Subject: [PATCH 07/15] Fix escaping of regexes in sgx-asm-pp
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
@ -278,5 +278,5 @@ index 2b02396b..0df3fc47 100644
#
# File Operations - read/write
--
2.48.1
2.49.0


@ -1,30 +0,0 @@
From 7e6f75bfc9c364a26be6efb0704fb6f58318e59b Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?= <berrange@redhat.com>
Date: Tue, 1 Oct 2024 18:53:17 +0100
Subject: [PATCH 08/16] Disable use of bogus DEF_WEAK macro
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
---
sdk/tlibc/time/strptime.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/sdk/tlibc/time/strptime.c b/sdk/tlibc/time/strptime.c
index 08023a7c..9e62adc6 100644
--- a/sdk/tlibc/time/strptime.c
+++ b/sdk/tlibc/time/strptime.c
@@ -89,7 +89,9 @@ strptime(const char *buf, const char *fmt, struct tm *tm)
{
return(_strptime(buf, fmt, tm, 1));
}
+#if 0
DEF_WEAK(strptime);
+#endif
static char *
_strptime(const char *buf, const char *fmt, struct tm *tm, int initialize)
--
2.48.1


@ -1,7 +1,7 @@
From b35c87f751c42cec71c4d3107b88084eddc4f749 Mon Sep 17 00:00:00 2001
From 8967386d8e9eb0f7a11a7e6ce7f97b6b1daf39ef Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?= <berrange@redhat.com>
Date: Fri, 4 Oct 2024 16:33:20 +0100
Subject: [PATCH 10/16] psw: prefer /dev/sgx_provision & /dev/sgx_enclave
Subject: [PATCH 08/15] psw: prefer /dev/sgx_provision & /dev/sgx_enclave
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
@ -21,7 +21,7 @@ Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
2 files changed, 9 insertions(+), 9 deletions(-)
diff --git a/psw/enclave_common/sgx_enclave_common.cpp b/psw/enclave_common/sgx_enclave_common.cpp
index 46fcf873..651ba83e 100644
index 399d63b2..f63149a0 100644
--- a/psw/enclave_common/sgx_enclave_common.cpp
+++ b/psw/enclave_common/sgx_enclave_common.cpp
@@ -481,11 +481,11 @@ static void enclave_set_provision_access(int hdevice, void* enclave_base)
@ -74,5 +74,5 @@ index 49f2b9aa..fc537a84 100644
}
else if (driver_type == SGX_DRIVER_DCAP)
--
2.48.1
2.49.0


@ -1,497 +0,0 @@
From 2135faf971e82c7dc351dc01baab5c6f716f8f11 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?= <berrange@redhat.com>
Date: Tue, 1 Oct 2024 20:18:48 +0100
Subject: [PATCH 09/16] Remove all references to pccs service
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
The PCCS code was deleted in the DCAP 1.22 release that SGX
references, resulting in a failure to build the installer:
$ /usr/bin/make -I linux/installer/common/psw-dcap -f linux/installer/common/psw-dcap/Makefile SRCDIR=. DESTDIR=build/vroot/psw install
python /var/home/berrange/rpmbuild/BUILD/linux-sgx-sgx_2.25_reproducible/linux/installer/common/gen_source/copy_source.py --bom-file /var/home/berrange/rpmbuild/BUILD/linux-sgx-sgx_2.25_reproducible/linux/installer/common/psw-dcap/BOM_install/sgx-dcap-pccs.txt --src-path . --dst-path build/pkgroot/sgx-dcap-pccs
Error: src directory/file ./external/dcap_source/QuoteGeneration/pccs/config/default.json does not exist!
make: *** [linux/installer/common/psw-dcap/Makefile:195: pre_sgx-dcap-pccs] Error 1
Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
---
README.md | 4 -
.../psw-dcap/BOM_install/sgx-dcap-pccs.txt | 74 -------------------
linux/installer/common/psw-dcap/Makefile | 14 +---
linux/installer/common/psw-dcap/installConfig | 1 -
.../psw-tdx/BOM_install/sgx-dcap-pccs.txt | 74 -------------------
linux/installer/common/psw-tdx/Makefile | 14 +---
linux/installer/common/psw-tdx/installConfig | 1 -
linux/installer/rpm/psw-dcap/build.sh | 1 -
.../installer/rpm/psw-dcap/psw-dcap.spec.tmpl | 21 +-----
linux/installer/rpm/psw-tdx/build.sh | 1 -
linux/installer/rpm/psw-tdx/psw-tdx.spec.tmpl | 21 +-----
11 files changed, 6 insertions(+), 220 deletions(-)
delete mode 100644 linux/installer/common/psw-dcap/BOM_install/sgx-dcap-pccs.txt
delete mode 100644 linux/installer/common/psw-tdx/BOM_install/sgx-dcap-pccs.txt
diff --git a/README.md b/README.md
index fcd11874..9d4011a2 100644
--- a/README.md
+++ b/README.md
@@ -523,10 +523,6 @@ Please follow the [Intel(R) SGX DCAP Installation Guide for Linux* OS](https://d
- Install Quote Provider Library(QPL). You can use your own customized QPL or use default QPL provided by Intel(libsgx-dcap-default-qpl)
-- Install PCK Caching Service. For how to install and configure PCK Caching
-Service, please refer to [SGXDataCenterAttestationPrimitives](https://github.com/intel/SGXDataCenterAttestationPrimitives/tree/master/QuoteGeneration/pccs)
-- Ensure the PCK Caching Service is setup correctly by local administrator or data center administrator. Also make sure that the configure file of quote provider library (/etc/sgx_default_qcnl.conf) is consistent with the real environment, for example: PCS_URL=https://your_pcs_server:8081/sgx/certification/v1/
-
### Start or Stop aesmd Service
The Intel(R) SGX PSW installer installs an aesmd service in your machine, which is running in a special linux account `aesmd`.
To stop the service: `$ sudo service aesmd stop`
diff --git a/linux/installer/common/psw-dcap/BOM_install/sgx-dcap-pccs.txt b/linux/installer/common/psw-dcap/BOM_install/sgx-dcap-pccs.txt
deleted file mode 100644
index d70745c9..00000000
--- a/linux/installer/common/psw-dcap/BOM_install/sgx-dcap-pccs.txt
+++ /dev/null
@@ -1,74 +0,0 @@
-DeliveryName InstallName FileCheckSum FileFeature FileOwner
-<deliverydir>/external/dcap_source/QuoteGeneration/pccs/config/default.json <installdir>/config/default.json 0 main STP
-<deliverydir>/external/dcap_source/QuoteGeneration/pccs/constants/index.js <installdir>/constants/index.js 0 main STP
-<deliverydir>/external/dcap_source/QuoteGeneration/pccs/constants/pccs_status_code.js <installdir>/constants/pccs_status_code.js 0 main STP
-<deliverydir>/external/dcap_source/QuoteGeneration/pccs/controllers/identityController.js <installdir>/controllers/identityController.js 0 main STP
-<deliverydir>/external/dcap_source/QuoteGeneration/pccs/controllers/index.js <installdir>/controllers/index.js 0 main STP
-<deliverydir>/external/dcap_source/QuoteGeneration/pccs/controllers/pckcertController.js <installdir>/controllers/pckcertController.js 0 main STP
-<deliverydir>/external/dcap_source/QuoteGeneration/pccs/controllers/pckcrlController.js <installdir>/controllers/pckcrlController.js 0 main STP
-<deliverydir>/external/dcap_source/QuoteGeneration/pccs/controllers/platformCollateralController.js <installdir>/controllers/platformCollateralController.js 0 main STP
-<deliverydir>/external/dcap_source/QuoteGeneration/pccs/controllers/platformsController.js <installdir>/controllers/platformsController.js 0 main STP
-<deliverydir>/external/dcap_source/QuoteGeneration/pccs/controllers/refreshController.js <installdir>/controllers/refreshController.js 0 main STP
-<deliverydir>/external/dcap_source/QuoteGeneration/pccs/controllers/rootcacrlController.js <installdir>/controllers/rootcacrlController.js 0 main STP
-<deliverydir>/external/dcap_source/QuoteGeneration/pccs/controllers/tcbinfoController.js <installdir>/controllers/tcbinfoController.js 0 main STP
-<deliverydir>/external/dcap_source/QuoteGeneration/pccs/controllers/crlController.js <installdir>/controllers/crlController.js 0 main STP
-<deliverydir>/external/dcap_source/QuoteGeneration/pccs/dao/models/fmspc_tcbs.js <installdir>/dao/models/fmspc_tcbs.js 0 main STP
-<deliverydir>/external/dcap_source/QuoteGeneration/pccs/dao/models/index.js <installdir>/dao/models/index.js 0 main STP
-<deliverydir>/external/dcap_source/QuoteGeneration/pccs/dao/models/pck_cert.js <installdir>/dao/models/pck_cert.js 0 main STP
-<deliverydir>/external/dcap_source/QuoteGeneration/pccs/dao/models/pck_certchain.js <installdir>/dao/models/pck_certchain.js 0 main STP
-<deliverydir>/external/dcap_source/QuoteGeneration/pccs/dao/models/pck_crl.js <installdir>/dao/models/pck_crl.js 0 main STP
-<deliverydir>/external/dcap_source/QuoteGeneration/pccs/dao/models/pcs_certificates.js <installdir>/dao/models/pcs_certificates.js 0 main STP
-<deliverydir>/external/dcap_source/QuoteGeneration/pccs/dao/models/pcs_version.js <installdir>/dao/models/pcs_version.js 0 main STP
-<deliverydir>/external/dcap_source/QuoteGeneration/pccs/dao/models/platform_tcbs.js <installdir>/dao/models/platform_tcbs.js 0 main STP
-<deliverydir>/external/dcap_source/QuoteGeneration/pccs/dao/models/platforms_registered.js <installdir>/dao/models/platforms_registered.js 0 main STP
-<deliverydir>/external/dcap_source/QuoteGeneration/pccs/dao/models/platforms.js <installdir>/dao/models/platforms.js 0 main STP
-<deliverydir>/external/dcap_source/QuoteGeneration/pccs/dao/models/enclave_identities.js <installdir>/dao/models/enclave_identities.js 0 main STP
-<deliverydir>/external/dcap_source/QuoteGeneration/pccs/dao/models/crl_cache.js <installdir>/dao/models/crl_cache.js 0 main STP
-<deliverydir>/external/dcap_source/QuoteGeneration/pccs/dao/fmspcTcbDao.js <installdir>/dao/fmspcTcbDao.js 0 main STP
-<deliverydir>/external/dcap_source/QuoteGeneration/pccs/dao/pckCertchainDao.js <installdir>/dao/pckCertchainDao.js 0 main STP
-<deliverydir>/external/dcap_source/QuoteGeneration/pccs/dao/pckcertDao.js <installdir>/dao/pckcertDao.js 0 main STP
-<deliverydir>/external/dcap_source/QuoteGeneration/pccs/dao/pckcrlDao.js <installdir>/dao/pckcrlDao.js 0 main STP
-<deliverydir>/external/dcap_source/QuoteGeneration/pccs/dao/pcsCertificatesDao.js <installdir>/dao/pcsCertificatesDao.js 0 main STP
-<deliverydir>/external/dcap_source/QuoteGeneration/pccs/dao/pcsVersionDao.js <installdir>/dao/pcsVersionDao.js 0 main STP
-<deliverydir>/external/dcap_source/QuoteGeneration/pccs/dao/platformsDao.js <installdir>/dao/platformsDao.js 0 main STP
-<deliverydir>/external/dcap_source/QuoteGeneration/pccs/dao/platformsRegDao.js <installdir>/dao/platformsRegDao.js 0 main STP
-<deliverydir>/external/dcap_source/QuoteGeneration/pccs/dao/platformTcbsDao.js <installdir>/dao/platformTcbsDao.js 0 main STP
-<deliverydir>/external/dcap_source/QuoteGeneration/pccs/dao/enclaveIdentityDao.js <installdir>/dao/enclaveIdentityDao.js 0 main STP
-<deliverydir>/external/dcap_source/QuoteGeneration/pccs/dao/crlCacheDao.js <installdir>/dao/crlCacheDao.js 0 main STP
-<deliverydir>/external/dcap_source/tools/PCKCertSelection/out/libPCKCertSelection.so <installdir>/lib/libPCKCertSelection.so 0 main STP
-<deliverydir>/external/dcap_source/QuoteGeneration/pccs/lib_wrapper/pcklib_wrapper.js <installdir>/lib_wrapper/pcklib_wrapper.js 0 main STP
-<deliverydir>/external/dcap_source/QuoteGeneration/pccs/middleware/auth.js <installdir>/middleware/auth.js 0 main STP
-<deliverydir>/external/dcap_source/QuoteGeneration/pccs/middleware/error.js <installdir>/middleware/error.js 0 main STP
-<deliverydir>/external/dcap_source/QuoteGeneration/pccs/middleware/addRequestId.js <installdir>/middleware/addRequestId.js 0 main STP
-<deliverydir>/external/dcap_source/QuoteGeneration/pccs/migrations/00_db_initialize.up.sql <installdir>/migrations/00_db_initialize.up.sql 0 main STP
-<deliverydir>/external/dcap_source/QuoteGeneration/pccs/migrations/01_db_version_1.js <installdir>/migrations/01_db_version_1.js 0 main STP
-<deliverydir>/external/dcap_source/QuoteGeneration/pccs/migrations/02_db_version_2.js <installdir>/migrations/02_db_version_2.js 0 main STP
-<deliverydir>/external/dcap_source/QuoteGeneration/pccs/pcs_client/pcs_client.js <installdir>/pcs_client/pcs_client.js 0 main STP
-<deliverydir>/external/dcap_source/QuoteGeneration/pccs/routes/index.js <installdir>/routes/index.js 0 main STP
-<deliverydir>/external/dcap_source/QuoteGeneration/pccs/services/identityService.js <installdir>/services/identityService.js 0 main STP
-<deliverydir>/external/dcap_source/QuoteGeneration/pccs/services/index.js <installdir>/services/index.js 0 main STP
-<deliverydir>/external/dcap_source/QuoteGeneration/pccs/services/pccs_schemas.js <installdir>/services/pccs_schemas.js 0 main STP
-<deliverydir>/external/dcap_source/QuoteGeneration/pccs/services/pckcertService.js <installdir>/services/pckcertService.js 0 main STP
-<deliverydir>/external/dcap_source/QuoteGeneration/pccs/services/pckcrlService.js <installdir>/services/pckcrlService.js 0 main STP
-<deliverydir>/external/dcap_source/QuoteGeneration/pccs/services/platformCollateralService.js <installdir>/services/platformCollateralService.js 0 main STP
-<deliverydir>/external/dcap_source/QuoteGeneration/pccs/services/platformsRegService.js <installdir>/services/platformsRegService.js 0 main STP
-<deliverydir>/external/dcap_source/QuoteGeneration/pccs/services/platformsService.js <installdir>/services/platformsService.js 0 main STP
-<deliverydir>/external/dcap_source/QuoteGeneration/pccs/services/refreshService.js <installdir>/services/refreshService.js 0 main STP
-<deliverydir>/external/dcap_source/QuoteGeneration/pccs/services/rootcacrlService.js <installdir>/services/rootcacrlService.js 0 main STP
-<deliverydir>/external/dcap_source/QuoteGeneration/pccs/services/tcbinfoService.js <installdir>/services/tcbinfoService.js 0 main STP
-<deliverydir>/external/dcap_source/QuoteGeneration/pccs/services/crlService.js <installdir>/services/crlService.js 0 main STP
-<deliverydir>/external/dcap_source/QuoteGeneration/pccs/services/caching_modes/cachingMode.js <installdir>/services/caching_modes/cachingMode.js 0 main STP
-<deliverydir>/external/dcap_source/QuoteGeneration/pccs/services/caching_modes/cachingModeManager.js <installdir>/services/caching_modes/cachingModeManager.js 0 main STP
-<deliverydir>/external/dcap_source/QuoteGeneration/pccs/services/logic/commonCacheLogic.js <installdir>/services/logic/commonCacheLogic.js 0 main STP
-<deliverydir>/external/dcap_source/QuoteGeneration/pccs/services/logic/qvCollateralLogic.js <installdir>/services/logic/qvCollateralLogic.js 0 main STP
-<deliverydir>/external/dcap_source/QuoteGeneration/pccs/utils/Logger.js <installdir>/utils/Logger.js 0 main STP
-<deliverydir>/external/dcap_source/QuoteGeneration/pccs/utils/PccsError.js <installdir>/utils/PccsError.js 0 main STP
-<deliverydir>/external/dcap_source/QuoteGeneration/pccs/utils/apputil.js <installdir>/utils/apputil.js 0 main STP
-<deliverydir>/external/dcap_source/QuoteGeneration/pccs/x509/x509.js <installdir>/x509/x509.js 0 main STP
-<deliverydir>/external/dcap_source/QuoteGeneration/pccs/install.sh <installdir>/install.sh 0 main STP
-<deliverydir>/external/dcap_source/QuoteGeneration/pccs/package.json <installdir>/package.json 0 main STP
-<deliverydir>/external/dcap_source/QuoteGeneration/pccs/pccs_server.js <installdir>/pccs_server.js 0 main STP
-<deliverydir>/external/dcap_source/QuoteGeneration/pccs/pccs.service <installdir>/pccs.service 0 main STP
-<deliverydir>/external/dcap_source/QuoteGeneration/pccs/startup.sh <installdir>/startup.sh 0 main STP
-<deliverydir>/external/dcap_source/QuoteGeneration/pccs/cleanup.sh <installdir>/cleanup.sh 0 main STP
-<deliverydir>/external/dcap_source/QuoteGeneration/pccs/README.md <installdir>/README.md 0 main STP
diff --git a/linux/installer/common/psw-dcap/Makefile b/linux/installer/common/psw-dcap/Makefile
index a85c8b82..5e8a8560 100644
--- a/linux/installer/common/psw-dcap/Makefile
+++ b/linux/installer/common/psw-dcap/Makefile
@@ -95,9 +95,6 @@ AESMD_CONF=aesmd.service
AESMD_CONF_DEL=aesmd.conf
AESMD_CONF_PATH=$(if $(wildcard /lib/systemd/system/.),/lib/systemd/system,/usr/lib/systemd/system)
-PCCS_CONF=pccs.service
-PCCS_CONF_PATH=$(if $(wildcard /lib/systemd/system/.),/lib/systemd/system,/usr/lib/systemd/system)
-
RAD_CONF=mpa_registration_tool.service
RAD_CONF_DEL=mpa_registration_tool.conf
RAD_CONF_PATH=$(if $(wildcard /lib/systemd/system/.),/lib/systemd/system,/usr/lib/systemd/system)
@@ -192,7 +189,7 @@ ALL_PKGS:= $(AESM_SERVICE_PKGS) $(AE_PKGS) $(DEV_LIB_PKGS)
$(foreach PKG,$(AESM_SERVICE_PKGS) $(AE_PKGS),$(eval $(call INSTALL_AESM_SERVICE_TEMPLATE,$(PKG))))
$(foreach PKG,$(DEV_LIB_PKGS),$(eval $(call INSTALL_DEV_LIB_TEMPLATE,$(PKG))))
-$(foreach PKG,$(ALL_PKGS) $(DCAP_PCCS_PACKAGE) $(RA_SERVICE_PACKAGE) $(PCK_ID_RETRIEVAL_TOOL_PACKAGE),$(eval $(call PRE_INSTALL_TEMPLATE,$(PKG))))
+$(foreach PKG,$(ALL_PKGS) $(RA_SERVICE_PACKAGE) $(PCK_ID_RETRIEVAL_TOOL_PACKAGE),$(eval $(call PRE_INSTALL_TEMPLATE,$(PKG))))
PHONY+=$(ALL_PKGS)
PHONY+=$(foreach PKG,$(ALL_PKGS),pre_$(PKG))
@@ -220,14 +217,6 @@ install_$(AESM_SERVICE_PACKAGE): $(foreach PKG,$(AESM_SERVICE_PKGS),post_$(PKG))
ln -fs $(shell readlink -m $(USR_LIB_PATH)/libsgx_pce.signed.so) && \
ln -fs liburts_internal.so libsgx_urts.so.$(URTS_MAJOR_VER)
-PHONY+=install_$(DCAP_PCCS_PACKAGE)
-install_$(DCAP_PCCS_PACKAGE): pre_$(DCAP_PCCS_PACKAGE) | $(PACKAGE_ROOT_PATH)
- install -d $(shell readlink -m $(DESTDIR)/$(DCAP_PCCS_PACKAGE)/$(PCCS_CONF_PATH)) && \
- cp -f $|/$(DCAP_PCCS_PACKAGE)/$(PCCS_CONF) $(DESTDIR)/$(DCAP_PCCS_PACKAGE)/$(PCCS_CONF_PATH) && \
- rm -f $|/$(DCAP_PCCS_PACKAGE)/$(PCCS_CONF)
- install -d $(shell readlink -m $(DESTDIR)/$(DCAP_PCCS_PACKAGE)/$(SGX_INSTALL_PATH)/$(DCAP_PCCS_PACKAGE)) && \
- cp -fr $|/$(DCAP_PCCS_PACKAGE)/* $(DESTDIR)/$(DCAP_PCCS_PACKAGE)/$(SGX_INSTALL_PATH)/$(DCAP_PCCS_PACKAGE)
-
PHONY+=$(RA_SERVICE_PACKAGE)
$(RA_SERVICE_PACKAGE): pre_$(RA_SERVICE_PACKAGE) | $(PACKAGE_ROOT_PATH)
install -d $(shell readlink -m $(DESTDIR)/$@/$(SGX_INSTALL_PATH)/$@) && \
@@ -351,7 +340,6 @@ install_dev_lib: $(foreach PKG,$(DEV_LIB_PKGS),post_$(PKG))
PHONY+=install
install: install_$(AESM_SERVICE_PACKAGE) \
- install_$(DCAP_PCCS_PACKAGE) \
install_$(RA_SERVICE_PACKAGE) \
install_$(PCK_ID_RETRIEVAL_TOOL_PACKAGE) \
install_ae \
diff --git a/linux/installer/common/psw-dcap/installConfig b/linux/installer/common/psw-dcap/installConfig
index 9f99f032..96acdd9a 100644
--- a/linux/installer/common/psw-dcap/installConfig
+++ b/linux/installer/common/psw-dcap/installConfig
@@ -30,7 +30,6 @@ DCAP_QL_PACKAGE=libsgx-dcap-ql
DCAP_QL_DEV_PACKAGE=libsgx-dcap-ql-devel
DCAP_QVL_PACKAGE=libsgx-dcap-quote-verify
DCAP_QVL_DEV_PACKAGE=libsgx-dcap-quote-verify-devel
-DCAP_PCCS_PACKAGE=sgx-dcap-pccs
PCK_ID_RETRIEVAL_TOOL_PACKAGE=sgx-pck-id-retrieval-tool
RA_NETWORK_PACKAGE=libsgx-ra-network
diff --git a/linux/installer/common/psw-tdx/BOM_install/sgx-dcap-pccs.txt b/linux/installer/common/psw-tdx/BOM_install/sgx-dcap-pccs.txt
deleted file mode 100644
index d70745c9..00000000
--- a/linux/installer/common/psw-tdx/BOM_install/sgx-dcap-pccs.txt
+++ /dev/null
@@ -1,74 +0,0 @@
-DeliveryName InstallName FileCheckSum FileFeature FileOwner
-<deliverydir>/external/dcap_source/QuoteGeneration/pccs/config/default.json <installdir>/config/default.json 0 main STP
-<deliverydir>/external/dcap_source/QuoteGeneration/pccs/constants/index.js <installdir>/constants/index.js 0 main STP
-<deliverydir>/external/dcap_source/QuoteGeneration/pccs/constants/pccs_status_code.js <installdir>/constants/pccs_status_code.js 0 main STP
-<deliverydir>/external/dcap_source/QuoteGeneration/pccs/controllers/identityController.js <installdir>/controllers/identityController.js 0 main STP
-<deliverydir>/external/dcap_source/QuoteGeneration/pccs/controllers/index.js <installdir>/controllers/index.js 0 main STP
-<deliverydir>/external/dcap_source/QuoteGeneration/pccs/controllers/pckcertController.js <installdir>/controllers/pckcertController.js 0 main STP
-<deliverydir>/external/dcap_source/QuoteGeneration/pccs/controllers/pckcrlController.js <installdir>/controllers/pckcrlController.js 0 main STP
-<deliverydir>/external/dcap_source/QuoteGeneration/pccs/controllers/platformCollateralController.js <installdir>/controllers/platformCollateralController.js 0 main STP
-<deliverydir>/external/dcap_source/QuoteGeneration/pccs/controllers/platformsController.js <installdir>/controllers/platformsController.js 0 main STP
-<deliverydir>/external/dcap_source/QuoteGeneration/pccs/controllers/refreshController.js <installdir>/controllers/refreshController.js 0 main STP
-<deliverydir>/external/dcap_source/QuoteGeneration/pccs/controllers/rootcacrlController.js <installdir>/controllers/rootcacrlController.js 0 main STP
-<deliverydir>/external/dcap_source/QuoteGeneration/pccs/controllers/tcbinfoController.js <installdir>/controllers/tcbinfoController.js 0 main STP
-<deliverydir>/external/dcap_source/QuoteGeneration/pccs/controllers/crlController.js <installdir>/controllers/crlController.js 0 main STP
-<deliverydir>/external/dcap_source/QuoteGeneration/pccs/dao/models/fmspc_tcbs.js <installdir>/dao/models/fmspc_tcbs.js 0 main STP
-<deliverydir>/external/dcap_source/QuoteGeneration/pccs/dao/models/index.js <installdir>/dao/models/index.js 0 main STP
-<deliverydir>/external/dcap_source/QuoteGeneration/pccs/dao/models/pck_cert.js <installdir>/dao/models/pck_cert.js 0 main STP
-<deliverydir>/external/dcap_source/QuoteGeneration/pccs/dao/models/pck_certchain.js <installdir>/dao/models/pck_certchain.js 0 main STP
-<deliverydir>/external/dcap_source/QuoteGeneration/pccs/dao/models/pck_crl.js <installdir>/dao/models/pck_crl.js 0 main STP
-<deliverydir>/external/dcap_source/QuoteGeneration/pccs/dao/models/pcs_certificates.js <installdir>/dao/models/pcs_certificates.js 0 main STP
-<deliverydir>/external/dcap_source/QuoteGeneration/pccs/dao/models/pcs_version.js <installdir>/dao/models/pcs_version.js 0 main STP
-<deliverydir>/external/dcap_source/QuoteGeneration/pccs/dao/models/platform_tcbs.js <installdir>/dao/models/platform_tcbs.js 0 main STP
-<deliverydir>/external/dcap_source/QuoteGeneration/pccs/dao/models/platforms_registered.js <installdir>/dao/models/platforms_registered.js 0 main STP
-<deliverydir>/external/dcap_source/QuoteGeneration/pccs/dao/models/platforms.js <installdir>/dao/models/platforms.js 0 main STP
-<deliverydir>/external/dcap_source/QuoteGeneration/pccs/dao/models/enclave_identities.js <installdir>/dao/models/enclave_identities.js 0 main STP
-<deliverydir>/external/dcap_source/QuoteGeneration/pccs/dao/models/crl_cache.js <installdir>/dao/models/crl_cache.js 0 main STP
-<deliverydir>/external/dcap_source/QuoteGeneration/pccs/dao/fmspcTcbDao.js <installdir>/dao/fmspcTcbDao.js 0 main STP
-<deliverydir>/external/dcap_source/QuoteGeneration/pccs/dao/pckCertchainDao.js <installdir>/dao/pckCertchainDao.js 0 main STP
-<deliverydir>/external/dcap_source/QuoteGeneration/pccs/dao/pckcertDao.js <installdir>/dao/pckcertDao.js 0 main STP
-<deliverydir>/external/dcap_source/QuoteGeneration/pccs/dao/pckcrlDao.js <installdir>/dao/pckcrlDao.js 0 main STP
-<deliverydir>/external/dcap_source/QuoteGeneration/pccs/dao/pcsCertificatesDao.js <installdir>/dao/pcsCertificatesDao.js 0 main STP
-<deliverydir>/external/dcap_source/QuoteGeneration/pccs/dao/pcsVersionDao.js <installdir>/dao/pcsVersionDao.js 0 main STP
-<deliverydir>/external/dcap_source/QuoteGeneration/pccs/dao/platformsDao.js <installdir>/dao/platformsDao.js 0 main STP
-<deliverydir>/external/dcap_source/QuoteGeneration/pccs/dao/platformsRegDao.js <installdir>/dao/platformsRegDao.js 0 main STP
-<deliverydir>/external/dcap_source/QuoteGeneration/pccs/dao/platformTcbsDao.js <installdir>/dao/platformTcbsDao.js 0 main STP
-<deliverydir>/external/dcap_source/QuoteGeneration/pccs/dao/enclaveIdentityDao.js <installdir>/dao/enclaveIdentityDao.js 0 main STP
-<deliverydir>/external/dcap_source/QuoteGeneration/pccs/dao/crlCacheDao.js <installdir>/dao/crlCacheDao.js 0 main STP
-<deliverydir>/external/dcap_source/tools/PCKCertSelection/out/libPCKCertSelection.so <installdir>/lib/libPCKCertSelection.so 0 main STP
-<deliverydir>/external/dcap_source/QuoteGeneration/pccs/lib_wrapper/pcklib_wrapper.js <installdir>/lib_wrapper/pcklib_wrapper.js 0 main STP
-<deliverydir>/external/dcap_source/QuoteGeneration/pccs/middleware/auth.js <installdir>/middleware/auth.js 0 main STP
-<deliverydir>/external/dcap_source/QuoteGeneration/pccs/middleware/error.js <installdir>/middleware/error.js 0 main STP
-<deliverydir>/external/dcap_source/QuoteGeneration/pccs/middleware/addRequestId.js <installdir>/middleware/addRequestId.js 0 main STP
-<deliverydir>/external/dcap_source/QuoteGeneration/pccs/migrations/00_db_initialize.up.sql <installdir>/migrations/00_db_initialize.up.sql 0 main STP
-<deliverydir>/external/dcap_source/QuoteGeneration/pccs/migrations/01_db_version_1.js <installdir>/migrations/01_db_version_1.js 0 main STP
-<deliverydir>/external/dcap_source/QuoteGeneration/pccs/migrations/02_db_version_2.js <installdir>/migrations/02_db_version_2.js 0 main STP
-<deliverydir>/external/dcap_source/QuoteGeneration/pccs/pcs_client/pcs_client.js <installdir>/pcs_client/pcs_client.js 0 main STP
-<deliverydir>/external/dcap_source/QuoteGeneration/pccs/routes/index.js <installdir>/routes/index.js 0 main STP
-<deliverydir>/external/dcap_source/QuoteGeneration/pccs/services/identityService.js <installdir>/services/identityService.js 0 main STP
-<deliverydir>/external/dcap_source/QuoteGeneration/pccs/services/index.js <installdir>/services/index.js 0 main STP
-<deliverydir>/external/dcap_source/QuoteGeneration/pccs/services/pccs_schemas.js <installdir>/services/pccs_schemas.js 0 main STP
-<deliverydir>/external/dcap_source/QuoteGeneration/pccs/services/pckcertService.js <installdir>/services/pckcertService.js 0 main STP
-<deliverydir>/external/dcap_source/QuoteGeneration/pccs/services/pckcrlService.js <installdir>/services/pckcrlService.js 0 main STP
-<deliverydir>/external/dcap_source/QuoteGeneration/pccs/services/platformCollateralService.js <installdir>/services/platformCollateralService.js 0 main STP
-<deliverydir>/external/dcap_source/QuoteGeneration/pccs/services/platformsRegService.js <installdir>/services/platformsRegService.js 0 main STP
-<deliverydir>/external/dcap_source/QuoteGeneration/pccs/services/platformsService.js <installdir>/services/platformsService.js 0 main STP
-<deliverydir>/external/dcap_source/QuoteGeneration/pccs/services/refreshService.js <installdir>/services/refreshService.js 0 main STP
-<deliverydir>/external/dcap_source/QuoteGeneration/pccs/services/rootcacrlService.js <installdir>/services/rootcacrlService.js 0 main STP
-<deliverydir>/external/dcap_source/QuoteGeneration/pccs/services/tcbinfoService.js <installdir>/services/tcbinfoService.js 0 main STP
-<deliverydir>/external/dcap_source/QuoteGeneration/pccs/services/crlService.js <installdir>/services/crlService.js 0 main STP
-<deliverydir>/external/dcap_source/QuoteGeneration/pccs/services/caching_modes/cachingMode.js <installdir>/services/caching_modes/cachingMode.js 0 main STP
-<deliverydir>/external/dcap_source/QuoteGeneration/pccs/services/caching_modes/cachingModeManager.js <installdir>/services/caching_modes/cachingModeManager.js 0 main STP
-<deliverydir>/external/dcap_source/QuoteGeneration/pccs/services/logic/commonCacheLogic.js <installdir>/services/logic/commonCacheLogic.js 0 main STP
-<deliverydir>/external/dcap_source/QuoteGeneration/pccs/services/logic/qvCollateralLogic.js <installdir>/services/logic/qvCollateralLogic.js 0 main STP
-<deliverydir>/external/dcap_source/QuoteGeneration/pccs/utils/Logger.js <installdir>/utils/Logger.js 0 main STP
-<deliverydir>/external/dcap_source/QuoteGeneration/pccs/utils/PccsError.js <installdir>/utils/PccsError.js 0 main STP
-<deliverydir>/external/dcap_source/QuoteGeneration/pccs/utils/apputil.js <installdir>/utils/apputil.js 0 main STP
-<deliverydir>/external/dcap_source/QuoteGeneration/pccs/x509/x509.js <installdir>/x509/x509.js 0 main STP
-<deliverydir>/external/dcap_source/QuoteGeneration/pccs/install.sh <installdir>/install.sh 0 main STP
-<deliverydir>/external/dcap_source/QuoteGeneration/pccs/package.json <installdir>/package.json 0 main STP
-<deliverydir>/external/dcap_source/QuoteGeneration/pccs/pccs_server.js <installdir>/pccs_server.js 0 main STP
-<deliverydir>/external/dcap_source/QuoteGeneration/pccs/pccs.service <installdir>/pccs.service 0 main STP
-<deliverydir>/external/dcap_source/QuoteGeneration/pccs/startup.sh <installdir>/startup.sh 0 main STP
-<deliverydir>/external/dcap_source/QuoteGeneration/pccs/cleanup.sh <installdir>/cleanup.sh 0 main STP
-<deliverydir>/external/dcap_source/QuoteGeneration/pccs/README.md <installdir>/README.md 0 main STP
diff --git a/linux/installer/common/psw-tdx/Makefile b/linux/installer/common/psw-tdx/Makefile
index 4f50ee49..0e8cb3e7 100644
--- a/linux/installer/common/psw-tdx/Makefile
+++ b/linux/installer/common/psw-tdx/Makefile
@@ -80,9 +80,6 @@ QGSD_CONF=qgsd.service
QGSD_CONF_DEL=qgsd.conf
QGSD_CONF_PATH=$(if $(wildcard /lib/systemd/system/.),/lib/systemd/system,/usr/lib/systemd/system)
-PCCS_CONF=pccs.service
-PCCS_CONF_PATH=$(if $(wildcard /lib/systemd/system/.),/lib/systemd/system,/usr/lib/systemd/system)
-
RAD_CONF=mpa_registration_tool.service
RAD_CONF_DEL=mpa_registration_tool.conf
RAD_CONF_PATH=$(if $(wildcard /lib/systemd/system/.),/lib/systemd/system,/usr/lib/systemd/system)
@@ -160,7 +157,7 @@ ALL_PKGS:= $(TDX_QGS_PKGS) $(AE_PKGS) $(DEV_LIB_PKGS)
$(foreach PKG,$(TDX_QGS_PKGS) $(AE_PKGS),$(eval $(call INSTALL_AESM_SERVICE_TEMPLATE,$(PKG))))
$(foreach PKG,$(DEV_LIB_PKGS),$(eval $(call INSTALL_DEV_LIB_TEMPLATE,$(PKG))))
-$(foreach PKG,$(ALL_PKGS) $(DCAP_PCCS_PACKAGE) $(RA_SERVICE_PACKAGE) $(PCK_ID_RETRIEVAL_TOOL_PACKAGE),$(eval $(call PRE_INSTALL_TEMPLATE,$(PKG))))
+$(foreach PKG,$(ALL_PKGS) $(RA_SERVICE_PACKAGE) $(PCK_ID_RETRIEVAL_TOOL_PACKAGE),$(eval $(call PRE_INSTALL_TEMPLATE,$(PKG))))
PHONY+=$(ALL_PKGS)
PHONY+=$(foreach PKG,$(ALL_PKGS),pre_$(PKG))
@@ -184,14 +181,6 @@ install_$(TDX_QGS_PACKAGE): $(foreach PKG,$(TDX_QGS_PKGS),post_$(PKG))
$(DESTDIR)/$(TDX_QGS_PACKAGE)/$(ETC_DIR) && \
rm -fr $(DESTDIR)/$(TDX_QGS_PACKAGE)/$(SGX_INSTALL_PATH)/$(TDX_QGS_PACKAGE)/conf))
-PHONY+=install_$(DCAP_PCCS_PACKAGE)
-install_$(DCAP_PCCS_PACKAGE): pre_$(DCAP_PCCS_PACKAGE) | $(PACKAGE_ROOT_PATH)
- install -d $(shell readlink -m $(DESTDIR)/$(DCAP_PCCS_PACKAGE)/$(PCCS_CONF_PATH)) && \
- cp -f $|/$(DCAP_PCCS_PACKAGE)/$(PCCS_CONF) $(DESTDIR)/$(DCAP_PCCS_PACKAGE)/$(PCCS_CONF_PATH) && \
- rm -f $|/$(DCAP_PCCS_PACKAGE)/$(PCCS_CONF)
- install -d $(shell readlink -m $(DESTDIR)/$(DCAP_PCCS_PACKAGE)/$(SGX_INSTALL_PATH)/$(DCAP_PCCS_PACKAGE)) && \
- cp -fr $|/$(DCAP_PCCS_PACKAGE)/* $(DESTDIR)/$(DCAP_PCCS_PACKAGE)/$(SGX_INSTALL_PATH)/$(DCAP_PCCS_PACKAGE)
-
PHONY+=$(RA_SERVICE_PACKAGE)
$(RA_SERVICE_PACKAGE): pre_$(RA_SERVICE_PACKAGE) | $(PACKAGE_ROOT_PATH)
install -d $(shell readlink -m $(DESTDIR)/$@/$(SGX_INSTALL_PATH)/$@) && \
@@ -291,7 +280,6 @@ install_dev_lib: $(foreach PKG,$(DEV_LIB_PKGS),post_$(PKG))
PHONY+=install
install: install_$(TDX_QGS_PACKAGE) \
- install_$(DCAP_PCCS_PACKAGE) \
install_$(RA_SERVICE_PACKAGE) \
install_$(PCK_ID_RETRIEVAL_TOOL_PACKAGE) \
install_ae \
diff --git a/linux/installer/common/psw-tdx/installConfig b/linux/installer/common/psw-tdx/installConfig
index 7129b71d..c55a8ada 100644
--- a/linux/installer/common/psw-tdx/installConfig
+++ b/linux/installer/common/psw-tdx/installConfig
@@ -16,7 +16,6 @@ TDX_ATTEST_PACKAGE=libtdx-attest
TDX_ATTEST_DEV_PACKAGE=libtdx-attest-devel
DCAP_QVL_PACKAGE=libsgx-dcap-quote-verify
DCAP_QVL_DEV_PACKAGE=libsgx-dcap-quote-verify-devel
-DCAP_PCCS_PACKAGE=sgx-dcap-pccs
PCK_ID_RETRIEVAL_TOOL_PACKAGE=sgx-pck-id-retrieval-tool
RA_NETWORK_PACKAGE=libsgx-ra-network
RA_NETWORK_DEV_PACKAGE=libsgx-ra-network-devel
diff --git a/linux/installer/rpm/psw-dcap/build.sh b/linux/installer/rpm/psw-dcap/build.sh
index 22c8eef5..6188e816 100755
--- a/linux/installer/rpm/psw-dcap/build.sh
+++ b/linux/installer/rpm/psw-dcap/build.sh
@@ -63,7 +63,6 @@ update_spec() {
-e "s:@dcap_version@:${dcap_version}:" \
-e "s:@aesm_service_path@:${SGX_INSTALL_PATH}/${AESM_SERVICE_PACKAGE}:" \
-e "s:@ra_service_path@:${SGX_INSTALL_PATH}/${RA_SERVICE_PACKAGE}:" \
- -e "s:@dcap_pccs_path@:${SGX_INSTALL_PATH}/${DCAP_PCCS_PACKAGE}:" \
-e "s:@pck_id_retrieval_tool_path@:${SGX_INSTALL_PATH}/${PCK_ID_RETRIEVAL_TOOL_PACKAGE}:" \
${cur_dir}/${psw_dcap}.spec.tmpl > ${cur_dir}/${rpm_build_dir}/SPECS/${psw_dcap}.spec
diff --git a/linux/installer/rpm/psw-dcap/psw-dcap.spec.tmpl b/linux/installer/rpm/psw-dcap/psw-dcap.spec.tmpl
index c7ba4c12..66fc4a78 100644
--- a/linux/installer/rpm/psw-dcap/psw-dcap.spec.tmpl
+++ b/linux/installer/rpm/psw-dcap/psw-dcap.spec.tmpl
@@ -31,7 +31,6 @@
%define _aesm_service_path @aesm_service_path@
%define _ra_service_path @ra_service_path@
-%define _dcap_pccs_path @dcap_pccs_path@
%define _pck_id_retrieval_tool_path @pck_id_retrieval_tool_path@
%define _psw_version @psw_version@
%define _dcap_version @dcap_version@
@@ -303,14 +302,6 @@ Requires: libsgx-dcap-quote-verify = %{version}-%{release} libsgx-headers >
%description -n libsgx-dcap-quote-verify-devel
Intel(R) Software Guard Extensions Data Center Attestation Primitives Quote Verification Library for Developers
-%package -n sgx-dcap-pccs
-Version: %{_dcap_version}
-Summary: Intel(R) Software Guard Extensions PCK Caching Service
-Requires: gcc gcc-c++ make
-
-%description -n sgx-dcap-pccs
-Intel(R) Software Guard Extensions PCK Caching Service
-
%package -n libsgx-ra-network
Version: %{_dcap_version}
Summary: Intel(R) Software Guard Extensions Registration Agent Network Library
@@ -378,14 +369,13 @@ for pkg in $(ls -A %{?buildroot} 2> /dev/null |grep -v "license"); do
grep -v "^%{_includedir}" | \
grep -v "^%{_sysconfdir}" | \
grep -v "^%{_aesm_service_path}" | \
- grep -v "^%{_dcap_pccs_path}" | \
grep -v "^%{_ra_service_path}" | \
grep -v "^%{_pck_id_retrieval_tool_path}" | \
sed -e "s#^#%dir #" > %{_specdir}/list-${pkg}
for f in $(find %{?buildroot}/${pkg}); do
if [ -d ${f} ]; then
echo ${f} | sed -e "s#^%{?buildroot}/${pkg}##" | \
- grep -E "^%{_aesm_service_path}|^%{_dcap_pccs_path}|^%{_ra_service_path}|^%{_pck_id_retrieval_tool_path}" | \
+ grep -E "^%{_aesm_service_path}|^%{_ra_service_path}|^%{_pck_id_retrieval_tool_path}" | \
sed -e "s#^#%dir #" >> %{_specdir}/list-${pkg}
else
echo ${f} | \
@@ -395,7 +385,7 @@ for pkg in $(ls -A %{?buildroot} 2> /dev/null |grep -v "license"); do
cp -r %{?buildroot}/${pkg}/* %{?buildroot}/
rm -fr %{?buildroot}/${pkg}
sed -i -e 's:^/etc/.*\.conf:%config &:' \
- -e 's:^%{_dcap_pccs_path}/config/default\.json:%config &:' %{_specdir}/list-${pkg}
+ %{_specdir}/list-${pkg}
done
rm -fr %{?buildroot}/license
@@ -433,7 +423,6 @@ make clean
%files -n libsgx-dcap-ql-devel -f %{_specdir}/list-libsgx-dcap-ql-devel
%files -n libsgx-dcap-quote-verify -f %{_specdir}/list-libsgx-dcap-quote-verify
%files -n libsgx-dcap-quote-verify-devel -f %{_specdir}/list-libsgx-dcap-quote-verify-devel
-%files -n sgx-dcap-pccs -f %{_specdir}/list-sgx-dcap-pccs
%files -n libsgx-ra-network -f %{_specdir}/list-libsgx-ra-network
%files -n libsgx-ra-network-devel -f %{_specdir}/list-libsgx-ra-network-devel
%files -n libsgx-ra-uefi -f %{_specdir}/list-libsgx-ra-uefi
@@ -447,12 +436,6 @@ if [ -x %{_aesm_service_path}/startup.sh ]; then %{_aesm_service_path}/startup.s
%preun
if [ -x %{_aesm_service_path}/cleanup.sh ]; then %{_aesm_service_path}/cleanup.sh; fi
-%posttrans -n sgx-dcap-pccs
-if [ -x %{_dcap_pccs_path}/startup.sh ]; then %{_dcap_pccs_path}/startup.sh; fi
-
-%preun -n sgx-dcap-pccs
-if [ -x %{_dcap_pccs_path}/cleanup.sh ]; then %{_dcap_pccs_path}/cleanup.sh; fi
-
%posttrans -n sgx-ra-service
if [ -x %{_ra_service_path}/startup.sh ]; then %{_ra_service_path}/startup.sh; fi
diff --git a/linux/installer/rpm/psw-tdx/build.sh b/linux/installer/rpm/psw-tdx/build.sh
index f42d6bd2..25a683c8 100755
--- a/linux/installer/rpm/psw-tdx/build.sh
+++ b/linux/installer/rpm/psw-tdx/build.sh
@@ -63,7 +63,6 @@ update_spec() {
-e "s:@dcap_version@:${dcap_version}:" \
-e "s:@tdx_qgs_path@:${SGX_INSTALL_PATH}/${TDX_QGS_PACKAGE}:" \
-e "s:@ra_service_path@:${SGX_INSTALL_PATH}/${RA_SERVICE_PACKAGE}:" \
- -e "s:@dcap_pccs_path@:${SGX_INSTALL_PATH}/${DCAP_PCCS_PACKAGE}:" \
-e "s:@pck_id_retrieval_tool_path@:${SGX_INSTALL_PATH}/${PCK_ID_RETRIEVAL_TOOL_PACKAGE}:" \
${cur_dir}/${psw_tdx}.spec.tmpl > ${cur_dir}/${rpm_build_dir}/SPECS/${psw_tdx}.spec
diff --git a/linux/installer/rpm/psw-tdx/psw-tdx.spec.tmpl b/linux/installer/rpm/psw-tdx/psw-tdx.spec.tmpl
index 0dd5fd8c..67eab01a 100644
--- a/linux/installer/rpm/psw-tdx/psw-tdx.spec.tmpl
+++ b/linux/installer/rpm/psw-tdx/psw-tdx.spec.tmpl
@@ -31,7 +31,6 @@
%define _tdx_qgs_path @tdx_qgs_path@
%define _ra_service_path @ra_service_path@
-%define _dcap_pccs_path @dcap_pccs_path@
%define _pck_id_retrieval_tool_path @pck_id_retrieval_tool_path@
%define _psw_version @psw_version@
%define _dcap_version @dcap_version@
@@ -198,14 +197,6 @@ Requires: libsgx-dcap-quote-verify = %{version}-%{release} libsgx-headers >
%description -n libsgx-dcap-quote-verify-devel
Intel(R) Software Guard Extensions Data Center Attestation Primitives Quote Verification Library for Developers
-%package -n sgx-dcap-pccs
-Version: %{_dcap_version}
-Summary: Intel(R) Software Guard Extensions PCK Caching Service
-Requires: gcc gcc-c++ make
-
-%description -n sgx-dcap-pccs
-Intel(R) Software Guard Extensions PCK Caching Service
-
%package -n libsgx-ra-network
Version: %{_dcap_version}
Summary: Intel(R) Software Guard Extensions Registration Agent Network Library
@@ -273,14 +264,13 @@ for pkg in $(ls -A %{?buildroot} 2> /dev/null |grep -v "license"); do
grep -v "^%{_includedir}" | \
grep -v "^%{_sysconfdir}" | \
grep -v "^%{_tdx_qgs_path}" | \
- grep -v "^%{_dcap_pccs_path}" | \
grep -v "^%{_ra_service_path}" | \
grep -v "^%{_pck_id_retrieval_tool_path}" | \
sed -e "s#^#%dir #" > %{_specdir}/list-${pkg}
for f in $(find %{?buildroot}/${pkg}); do
if [ -d ${f} ]; then
echo ${f} | sed -e "s#^%{?buildroot}/${pkg}##" | \
- grep -E "^%{_tdx_qgs_path}|^%{_dcap_pccs_path}|^%{_ra_service_path}|^%{_pck_id_retrieval_tool_path}" | \
+ grep -E "^%{_tdx_qgs_path}|^%{_ra_service_path}|^%{_pck_id_retrieval_tool_path}" | \
sed -e "s#^#%dir #" >> %{_specdir}/list-${pkg}
else
echo ${f} | \
@@ -290,7 +280,7 @@ for pkg in $(ls -A %{?buildroot} 2> /dev/null |grep -v "license"); do
cp -r %{?buildroot}/${pkg}/* %{?buildroot}/
rm -fr %{?buildroot}/${pkg}
sed -i -e 's:^/etc/.*\.conf:%config &:' \
- -e 's:^%{_dcap_pccs_path}/config/default\.json:%config &:' %{_specdir}/list-${pkg}
+ %{_specdir}/list-${pkg}
done
rm -fr %{?buildroot}/license
@@ -315,7 +305,6 @@ make clean
%files -n libtdx-attest-devel -f %{_specdir}/list-libtdx-attest-devel
%files -n libsgx-dcap-quote-verify -f %{_specdir}/list-libsgx-dcap-quote-verify
%files -n libsgx-dcap-quote-verify-devel -f %{_specdir}/list-libsgx-dcap-quote-verify-devel
-%files -n sgx-dcap-pccs -f %{_specdir}/list-sgx-dcap-pccs
%files -n libsgx-ra-network -f %{_specdir}/list-libsgx-ra-network
%files -n libsgx-ra-network-devel -f %{_specdir}/list-libsgx-ra-network-devel
%files -n libsgx-ra-uefi -f %{_specdir}/list-libsgx-ra-uefi
@@ -329,12 +318,6 @@ if [ -x %{_tdx_qgs_path}/startup.sh ]; then %{_tdx_qgs_path}/startup.sh; fi
%preun
if [ -x %{_tdx_qgs_path}/cleanup.sh ]; then %{_tdx_qgs_path}/cleanup.sh; fi
-%posttrans -n sgx-dcap-pccs
-if [ -x %{_dcap_pccs_path}/startup.sh ]; then %{_dcap_pccs_path}/startup.sh; fi
-
-%preun -n sgx-dcap-pccs
-if [ -x %{_dcap_pccs_path}/cleanup.sh ]; then %{_dcap_pccs_path}/cleanup.sh; fi
-
%posttrans -n sgx-ra-service
if [ -x %{_ra_service_path}/startup.sh ]; then %{_ra_service_path}/startup.sh; fi
--
2.48.1


@ -1,7 +1,7 @@
From 44fa7a1f6108ae855419f32288573ff3c51f1fa4 Mon Sep 17 00:00:00 2001
From 6d0fee06ee6c87f8f89aac9947bb8b3df9930238 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?= <berrange@redhat.com>
Date: Fri, 17 Jan 2025 15:38:56 +0000
Subject: [PATCH 11/16] psw: fix soname for libuae_service.so library
Subject: [PATCH 09/15] psw: fix soname for libuae_service.so library
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
@ -25,5 +25,5 @@ index bffbdc5b..81f5c4b7 100644
$(IPC_SRC:.cpp=.o) : $(IPC_COMMON_PROTO_DIR)/messages.pb.cc
AEServicesImpl.o : $(IPC_COMMON_PROTO_DIR)/messages.pb.cc
--
2.48.1
2.49.0


@ -1,7 +1,7 @@
From 64e9315acfc84f84299e8f0d8d890f158d972b0f Mon Sep 17 00:00:00 2001
From 26f9569bf1ea44bc2e937b8ccbb1141bb1f88274 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?= <berrange@redhat.com>
Date: Thu, 6 Feb 2025 09:54:33 +0000
Subject: [PATCH 12/16] pcl: remove redundant use of 'bool' type
Subject: [PATCH 10/15] pcl: remove redundant use of 'bool' type
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
@ -45,5 +45,5 @@ index 5ad6efde..b78ca907 100644
#endif // #ifdef SE_SIM
--
2.48.1
2.49.0


@ -1,7 +1,7 @@
From 51aa96fc252d5792ca26132478eb5c1c8af1a63c Mon Sep 17 00:00:00 2001
From 5e43013eff1a6d558f1bad189cae185b383c49f6 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?= <berrange@redhat.com>
Date: Thu, 27 Mar 2025 14:17:01 +0000
Subject: [PATCH 13/16] sdk: honour CFLAGS/LDFLAGS set from environment
Subject: [PATCH 11/15] sdk: honour CFLAGS/LDFLAGS set from environment
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
@ -49,7 +49,7 @@ index d388dc1d..867de978 100644
LINK_FLAGS := -lcrypto -L$(BUILD_DIR) -lsgx_tservice
CPP_FILES := encryptip.cpp
diff --git a/sdk/sign_tool/SignTool/Makefile b/sdk/sign_tool/SignTool/Makefile
index 219fb5ad..fe16b392 100644
index 1dcb6f51..1601de09 100644
--- a/sdk/sign_tool/SignTool/Makefile
+++ b/sdk/sign_tool/SignTool/Makefile
@@ -40,7 +40,7 @@ FLAGS += -DSE_DEBUG_LEVEL=SE_TRACE_ERROR
@ -88,7 +88,7 @@ index 45ddb576..865d5556 100644
RDRAND_LIBDIR := $(LINUX_EXTERNAL_DIR)/rdrand/src
RDRAND_MAKEFILE := $(RDRAND_LIBDIR)/Makefile
diff --git a/sdk/simulation/urtssim/linux/Makefile b/sdk/simulation/urtssim/linux/Makefile
index 505ce8d9..b340463a 100644
index ea8ca78c..dd716f2b 100644
--- a/sdk/simulation/urtssim/linux/Makefile
+++ b/sdk/simulation/urtssim/linux/Makefile
@@ -65,9 +65,9 @@ DIR5 := $(LINUX_PSW_DIR)/../common/src/linux
@ -103,7 +103,7 @@ index 505ce8d9..b340463a 100644
OBJ1 := enclave.o \
tcs.o \
@@ -119,7 +119,7 @@ vpath %.cpp .:$(DIR1):$(DIR2):$(DIR3):$(DIR4):$(DIR6)
@@ -120,7 +120,7 @@ vpath %.cpp .:$(DIR1):$(DIR2):$(DIR3):$(DIR4):$(DIR6)
vpath %.S .:$(DIR2):$(DIR5)
vpath %.c .:$(DIR6)
@ -112,7 +112,7 @@ index 505ce8d9..b340463a 100644
LIBURTSSIM_SHARED := libsgx_urts_sim.so
LIBURTS_DEPLOY := libsgx_urts_deploy.so
@@ -133,7 +133,7 @@ all: $(LIBURTSSIM_SHARED) $(LIBURTS_DEPLOY)| $(BUILD_DIR)
@@ -134,7 +134,7 @@ all: $(LIBURTSSIM_SHARED) $(LIBURTS_DEPLOY)| $(BUILD_DIR)
$(CP) $(LIBURTS_DEPLOY) $|
$(LIBURTSSIM_SHARED): simasm uinst driver_api wrapper uae_service_sim $(OBJ) $(OBJ6) ittnotify
@ -122,5 +122,5 @@ index 505ce8d9..b340463a 100644
$(BUILD_DIR):
@$(MKDIR) $@
--
2.48.1
2.49.0


@ -1,7 +1,7 @@
From e2f8a9054e512b3c49f4264824892baf07898efc Mon Sep 17 00:00:00 2001
From e9ca38a6045c2ad5d5277cb52bc175eb56ee7466 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?= <berrange@redhat.com>
Date: Thu, 27 Mar 2025 16:07:10 +0000
Subject: [PATCH 14/16] psw: make aesm_service build verbose.
Subject: [PATCH 12/15] psw: make aesm_service build verbose.
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
@ -25,5 +25,5 @@ index 89a15875..dbfa3fb6 100644
$(CP) $(CPPMICROSERVICES) source/build/bin/
endif
--
2.48.1
2.49.0


@ -1,7 +1,7 @@
From f70028402c31652c65277291e93b4c565c8863ad Mon Sep 17 00:00:00 2001
From 0ef77c5de1ae80a8a1df4280af1dbd1fba6ebe46 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?= <berrange@redhat.com>
Date: Mon, 31 Mar 2025 10:55:25 +0100
Subject: [PATCH 15/16] Fix modern C function prototype compliance
Subject: [PATCH 13/15] Fix modern C function prototype compliance
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
@ -39,5 +39,5 @@ index 8e4e7600..8c38bb68 100644
g_sys_ptrace = (ptrace_t)dlsym(RTLD_NEXT, "ptrace");
g_sys_waitpid = (waitpid_t)dlsym(RTLD_NEXT, "waitpid");
--
2.48.1
2.49.0


@ -1,7 +1,7 @@
From dc2be9ad1955e85006604ef2840357a1dedf856c Mon Sep 17 00:00:00 2001
From 77f998c285d15d31ec9104d413b380f90fa91970 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?= <berrange@redhat.com>
Date: Wed, 2 Apr 2025 17:11:25 +0100
Subject: [PATCH 16/16] Add wrapper for nasm to fix cmake compat
Subject: [PATCH 14/15] Add wrapper for nasm to fix cmake compat
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
@ -37,7 +37,7 @@ index 00000000..4ad75f73
+ exec python ${here}/sgx-asm-pp.py --assembler=nasm --MITIGATION-CVE-2020-0551=${MITIGATION} "$@"
+fi
diff --git a/external/ippcp_internal/Makefile b/external/ippcp_internal/Makefile
index 70718f5e..d8efe418 100644
index d78ba90e..71a40247 100644
--- a/external/ippcp_internal/Makefile
+++ b/external/ippcp_internal/Makefile
@@ -58,10 +58,12 @@ IPP_CONFIG += -DIPPCP_FIPS_MODE=on -DFIPS_CUSTOM_IPPCP_API_HEADER=$(CURDIR)/inc
@ -65,5 +65,5 @@ index 70718f5e..d8efe418 100644
$(IPP_SOURCE)/build:
ifeq ($(IPP_USE_GIT), 1)
--
2.48.1
2.49.0


@ -0,0 +1,72 @@
From 595343c8d79a45760a30b30e1bd66f4079c61f52 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?= <berrange@redhat.com>
Date: Fri, 27 Jun 2025 11:37:26 +0100
Subject: [PATCH 15/15] fix BOM for pccs with DCAP 1.23
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
The BOM for pccs is missing various files causing it to fail to start.
This change is synced from the BOM filelist seen in the DCAP git repo.
Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
---
.../common/psw-tdx/BOM_install/sgx-dcap-pccs.txt | 9 +++++++++
1 file changed, 9 insertions(+)
diff --git a/linux/installer/common/psw-tdx/BOM_install/sgx-dcap-pccs.txt b/linux/installer/common/psw-tdx/BOM_install/sgx-dcap-pccs.txt
index d70745c9..73c687b3 100644
--- a/linux/installer/common/psw-tdx/BOM_install/sgx-dcap-pccs.txt
+++ b/linux/installer/common/psw-tdx/BOM_install/sgx-dcap-pccs.txt
@@ -12,6 +12,7 @@ DeliveryName InstallName FileCheckSum FileFeature FileOwner
<deliverydir>/external/dcap_source/QuoteGeneration/pccs/controllers/rootcacrlController.js <installdir>/controllers/rootcacrlController.js 0 main STP
<deliverydir>/external/dcap_source/QuoteGeneration/pccs/controllers/tcbinfoController.js <installdir>/controllers/tcbinfoController.js 0 main STP
<deliverydir>/external/dcap_source/QuoteGeneration/pccs/controllers/crlController.js <installdir>/controllers/crlController.js 0 main STP
+<deliverydir>/external/dcap_source/QuoteGeneration/pccs/controllers/appraisalPolicyController.js <installdir>/controllers/appraisalPolicyController.js 0 main STP
<deliverydir>/external/dcap_source/QuoteGeneration/pccs/dao/models/fmspc_tcbs.js <installdir>/dao/models/fmspc_tcbs.js 0 main STP
<deliverydir>/external/dcap_source/QuoteGeneration/pccs/dao/models/index.js <installdir>/dao/models/index.js 0 main STP
<deliverydir>/external/dcap_source/QuoteGeneration/pccs/dao/models/pck_cert.js <installdir>/dao/models/pck_cert.js 0 main STP
@@ -24,6 +25,7 @@ DeliveryName InstallName FileCheckSum FileFeature FileOwner
<deliverydir>/external/dcap_source/QuoteGeneration/pccs/dao/models/platforms.js <installdir>/dao/models/platforms.js 0 main STP
<deliverydir>/external/dcap_source/QuoteGeneration/pccs/dao/models/enclave_identities.js <installdir>/dao/models/enclave_identities.js 0 main STP
<deliverydir>/external/dcap_source/QuoteGeneration/pccs/dao/models/crl_cache.js <installdir>/dao/models/crl_cache.js 0 main STP
+<deliverydir>/external/dcap_source/QuoteGeneration/pccs/dao/models/appraisal_policy.js <installdir>/dao/models/appraisal_policy.js 0 main STP
<deliverydir>/external/dcap_source/QuoteGeneration/pccs/dao/fmspcTcbDao.js <installdir>/dao/fmspcTcbDao.js 0 main STP
<deliverydir>/external/dcap_source/QuoteGeneration/pccs/dao/pckCertchainDao.js <installdir>/dao/pckCertchainDao.js 0 main STP
<deliverydir>/external/dcap_source/QuoteGeneration/pccs/dao/pckcertDao.js <installdir>/dao/pckcertDao.js 0 main STP
@@ -35,14 +37,19 @@ DeliveryName InstallName FileCheckSum FileFeature FileOwner
<deliverydir>/external/dcap_source/QuoteGeneration/pccs/dao/platformTcbsDao.js <installdir>/dao/platformTcbsDao.js 0 main STP
<deliverydir>/external/dcap_source/QuoteGeneration/pccs/dao/enclaveIdentityDao.js <installdir>/dao/enclaveIdentityDao.js 0 main STP
<deliverydir>/external/dcap_source/QuoteGeneration/pccs/dao/crlCacheDao.js <installdir>/dao/crlCacheDao.js 0 main STP
+<deliverydir>/external/dcap_source/QuoteGeneration/pccs/dao/appraisalPolicyDao.js <installdir>/dao/appraisalPolicyDao.js 0 main STP
<deliverydir>/external/dcap_source/tools/PCKCertSelection/out/libPCKCertSelection.so <installdir>/lib/libPCKCertSelection.so 0 main STP
<deliverydir>/external/dcap_source/QuoteGeneration/pccs/lib_wrapper/pcklib_wrapper.js <installdir>/lib_wrapper/pcklib_wrapper.js 0 main STP
<deliverydir>/external/dcap_source/QuoteGeneration/pccs/middleware/auth.js <installdir>/middleware/auth.js 0 main STP
<deliverydir>/external/dcap_source/QuoteGeneration/pccs/middleware/error.js <installdir>/middleware/error.js 0 main STP
<deliverydir>/external/dcap_source/QuoteGeneration/pccs/middleware/addRequestId.js <installdir>/middleware/addRequestId.js 0 main STP
+<deliverydir>/external/dcap_source/QuoteGeneration/pccs/middleware/filterDuplicatedParams.js <installdir>/middleware/filterDuplicatedParams.js 0 main STP
<deliverydir>/external/dcap_source/QuoteGeneration/pccs/migrations/00_db_initialize.up.sql <installdir>/migrations/00_db_initialize.up.sql 0 main STP
<deliverydir>/external/dcap_source/QuoteGeneration/pccs/migrations/01_db_version_1.js <installdir>/migrations/01_db_version_1.js 0 main STP
<deliverydir>/external/dcap_source/QuoteGeneration/pccs/migrations/02_db_version_2.js <installdir>/migrations/02_db_version_2.js 0 main STP
+<deliverydir>/external/dcap_source/QuoteGeneration/pccs/migrations/03_db_version_3.js <installdir>/migrations/03_db_version_3.js 0 main STP
+<deliverydir>/external/dcap_source/QuoteGeneration/pccs/migrations/04_db_version_4.js <installdir>/migrations/04_db_version_4.js 0 main STP
+<deliverydir>/external/dcap_source/QuoteGeneration/pccs/migrations/05_db_version_5.js <installdir>/migrations/05_db_version_5.js 0 main STP
<deliverydir>/external/dcap_source/QuoteGeneration/pccs/pcs_client/pcs_client.js <installdir>/pcs_client/pcs_client.js 0 main STP
<deliverydir>/external/dcap_source/QuoteGeneration/pccs/routes/index.js <installdir>/routes/index.js 0 main STP
<deliverydir>/external/dcap_source/QuoteGeneration/pccs/services/identityService.js <installdir>/services/identityService.js 0 main STP
@@ -57,6 +64,7 @@ DeliveryName InstallName FileCheckSum FileFeature FileOwner
<deliverydir>/external/dcap_source/QuoteGeneration/pccs/services/rootcacrlService.js <installdir>/services/rootcacrlService.js 0 main STP
<deliverydir>/external/dcap_source/QuoteGeneration/pccs/services/tcbinfoService.js <installdir>/services/tcbinfoService.js 0 main STP
<deliverydir>/external/dcap_source/QuoteGeneration/pccs/services/crlService.js <installdir>/services/crlService.js 0 main STP
+<deliverydir>/external/dcap_source/QuoteGeneration/pccs/services/appraisalPolicyService.js <installdir>/services/appraisalPolicyService.js 0 main STP
<deliverydir>/external/dcap_source/QuoteGeneration/pccs/services/caching_modes/cachingMode.js <installdir>/services/caching_modes/cachingMode.js 0 main STP
<deliverydir>/external/dcap_source/QuoteGeneration/pccs/services/caching_modes/cachingModeManager.js <installdir>/services/caching_modes/cachingModeManager.js 0 main STP
<deliverydir>/external/dcap_source/QuoteGeneration/pccs/services/logic/commonCacheLogic.js <installdir>/services/logic/commonCacheLogic.js 0 main STP
@@ -72,3 +80,4 @@ DeliveryName InstallName FileCheckSum FileFeature FileOwner
<deliverydir>/external/dcap_source/QuoteGeneration/pccs/startup.sh <installdir>/startup.sh 0 main STP
<deliverydir>/external/dcap_source/QuoteGeneration/pccs/cleanup.sh <installdir>/cleanup.sh 0 main STP
<deliverydir>/external/dcap_source/QuoteGeneration/pccs/README.md <installdir>/README.md 0 main STP
+<deliverydir>/external/dcap_source/QuoteGeneration/pccs/nodejs.cnf <installdir>/nodejs.cnf 0 main STP
--
2.49.0
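Review bot: The patch description at the top of this new file says the list was synced from the BOM in the DCAP git repo but does not name the tag or commit it was synced from, so the next rebase has nothing to diff against; I would add a line such as `Synced from: <DCAP tag or commit>` to the description. As the description notes, a file missing from this list only shows up when the service fails to start, so a build-time comparison of the `<installdir>` entries against the `QuoteGeneration/pccs` tree would catch the next omission earlier. The new rows carry `0` in the FileCheckSum column like the existing ones, which suggests the BOM does no integrity check on these files; worth confirming that is intended.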


@ -1,4 +1,4 @@
From 07f39d2eb84d66fd19d025856747c5521068f26c Mon Sep 17 00:00:00 2001
From 550144746385554702fdcd65bbe8638cda08d055 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?= <berrange@redhat.com>
Date: Tue, 11 Feb 2025 14:58:58 +0000
Subject: [PATCH] Disable inclusion of AESM in installer
@ -16,10 +16,10 @@ Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
2 files changed, 3 insertions(+), 28 deletions(-)
diff --git a/linux/installer/common/psw-dcap/Makefile b/linux/installer/common/psw-dcap/Makefile
index 5e8a8560..e8dd018b 100644
index a85c8b82..3ea22440 100644
--- a/linux/installer/common/psw-dcap/Makefile
+++ b/linux/installer/common/psw-dcap/Makefile
@@ -147,13 +147,7 @@ post_$(1): $(1) | $(PACKAGE_ROOT_PATH)
@@ -150,13 +150,7 @@ post_$(1): $(1) | $(PACKAGE_ROOT_PATH)
cp -fr $$|/$$</* $(DESTDIR)/$$< ) ||:
endef
@ -34,7 +34,7 @@ index 5e8a8560..e8dd018b 100644
$(PCE_LOGIC_PACKAGE)
AE_PKGS:= $(AE_EPID_PACKAGE) \
@@ -197,25 +191,6 @@ PHONY+=$(foreach PKG,$(ALL_PKGS),post_$(PKG))
@@ -200,25 +194,6 @@ PHONY+=$(foreach PKG,$(ALL_PKGS),post_$(PKG))
PHONY+=install_$(AESM_SERVICE_PACKAGE)
install_$(AESM_SERVICE_PACKAGE): $(foreach PKG,$(AESM_SERVICE_PKGS),post_$(PKG))
@ -58,8 +58,8 @@ index 5e8a8560..e8dd018b 100644
- ln -fs $(shell readlink -m $(USR_LIB_PATH)/libsgx_pce.signed.so) && \
- ln -fs liburts_internal.so libsgx_urts.so.$(URTS_MAJOR_VER)
PHONY+=$(RA_SERVICE_PACKAGE)
$(RA_SERVICE_PACKAGE): pre_$(RA_SERVICE_PACKAGE) | $(PACKAGE_ROOT_PATH)
PHONY+=install_$(DCAP_PCCS_PACKAGE)
install_$(DCAP_PCCS_PACKAGE): pre_$(DCAP_PCCS_PACKAGE) | $(PACKAGE_ROOT_PATH)
diff --git a/psw/ae/Makefile b/psw/ae/Makefile
index a810d6b9..82a07af1 100644
--- a/psw/ae/Makefile
@ -77,5 +77,5 @@ index a810d6b9..82a07af1 100644
# COPY_AES: currently copy le, qe, pve, pce, qe3
--
2.48.1
2.49.0


@ -1,7 +1,7 @@
From d70390caa01c88dd681e6ce68f850d26a33bb838 Mon Sep 17 00:00:00 2001
From 9746d1048b23a3431d898f2375a8d849127ebde7 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?= <berrange@redhat.com>
Date: Mon, 26 Feb 2024 12:19:51 +0000
Subject: [PATCH 100/117] Drop use of bundled pre-built openssl
Subject: [PATCH 100/120] Drop use of bundled pre-built openssl
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
@ -99,7 +99,7 @@ index b25ce40..982c7d5 100644
SGX_COMMON_CFLAGS := $(COMMON_FLAGS) -m64 -Wjump-misses-init -Wstrict-prototypes -Wunsuffixed-float-constants
SGX_COMMON_CXXFLAGS := $(COMMON_FLAGS) -m64 -Wnon-virtual-dtor -std=c++17
diff --git a/QuoteVerification/dcap_quoteverify/linux/Makefile b/QuoteVerification/dcap_quoteverify/linux/Makefile
index 9820b61..fba7f43 100644
index 74fad4c..894e616 100644
--- a/QuoteVerification/dcap_quoteverify/linux/Makefile
+++ b/QuoteVerification/dcap_quoteverify/linux/Makefile
@@ -36,8 +36,8 @@ INSTALL_PATH ?= /usr/lib/x86_64-linux-gnu


@ -1,7 +1,7 @@
From b4d3b1401e16a557bcba1fe02b525bd5c26ee532 Mon Sep 17 00:00:00 2001
From 50bbd267076608a9b0a3b5e23bcbc8bfadfb09d7 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?= <berrange@redhat.com>
Date: Fri, 1 Mar 2024 12:05:01 +0000
Subject: [PATCH 101/117] Improve debuggability of build system
Subject: [PATCH 101/120] Improve debuggability of build system
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
@ -43,7 +43,7 @@ index 139848a..cd361c4 100644
clean:
$(RM) $(QAL_Obj_Files) $(Target_Lib_Name) $(Target_Lib_Name).$(SGX_MAJOR_VER) $(Target_Static_Lib_Name) $(BUILD_DIR)/$(Target_Lib_Name) $(QVL_Cpp_Obj_Files)
diff --git a/QuoteVerification/dcap_quoteverify/linux/Makefile b/QuoteVerification/dcap_quoteverify/linux/Makefile
index fba7f43..5979699 100644
index 894e616..7962d10 100644
--- a/QuoteVerification/dcap_quoteverify/linux/Makefile
+++ b/QuoteVerification/dcap_quoteverify/linux/Makefile
@@ -107,13 +107,13 @@ $(BUILD_DIR):
@ -67,9 +67,9 @@ index fba7f43..5979699 100644
@@ -123,13 +123,13 @@ run: all
######## QVL Library Objects ########
qve_u.h: $(SGX_EDGER8R) $(QVE_SRC_PATH)/Enclave/qve.edl
- @$(SGX_EDGER8R) --untrusted $(QVE_SRC_PATH)/Enclave/qve.edl --search-path $(QVE_SRC_PATH)/Enclave --search-path $(SGX_SDK)/include
+ $(SGX_EDGER8R) --untrusted $(QVE_SRC_PATH)/Enclave/qve.edl --search-path $(QVE_SRC_PATH)/Enclave --search-path $(SGX_SDK)/include
qve_u.h: $(QVE_SRC_PATH)/Enclave/qve.edl $(SGX_EDGER8R)
- @$(SGX_EDGER8R) --untrusted $< $(addprefix --search-path ,$(QVE_SRC_PATH)/Enclave $(SGX_SDK)/include $(addprefix $(SGXSSL_PACKAGE_PATH)/include/,. $(if $(FIPS),,no)filefunc))
+ $(SGX_EDGER8R) --untrusted $< $(addprefix --search-path ,$(QVE_SRC_PATH)/Enclave $(SGX_SDK)/include $(addprefix $(SGXSSL_PACKAGE_PATH)/include/,. $(if $(FIPS),,no)filefunc))
@echo "GEN => $@"
qve_u.c : qve_u.h
@ -126,7 +126,7 @@ index fba7f43..5979699 100644
+ $(AR) rsD $(QVL_VERIFY_LIB_NAME_Static) $(QVL_VERIFY_CPP_OBJS_STATIC) $(QVL_VERIFY_C_OBJS) $(QVE_CPP_OBJ) $(QVL_LIB_COMMON_OBJS)
.PHONY: qal
qal:
qal:
--
2.49.0


@ -1,7 +1,7 @@
From edcd2d044a8e20cf8d2e1cebba7f74f2573c9ae5 Mon Sep 17 00:00:00 2001
From 2f0e63c015f83aa2248b8afa04c1928b6aa8b0fb Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?= <berrange@redhat.com>
Date: Mon, 26 Feb 2024 12:19:51 +0000
Subject: [PATCH 102/117] Support build time setting of enclave load directory
Subject: [PATCH 102/120] Support build time setting of enclave load directory
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
@ -182,7 +182,7 @@ index 6321611..9597c52 100644
\ No newline at end of file
+}
diff --git a/QuoteVerification/dcap_quoteverify/linux/Makefile b/QuoteVerification/dcap_quoteverify/linux/Makefile
index 5979699..c9f11a0 100644
index 7962d10..c4154b0 100644
--- a/QuoteVerification/dcap_quoteverify/linux/Makefile
+++ b/QuoteVerification/dcap_quoteverify/linux/Makefile
@@ -55,7 +55,7 @@ QVL_VERIFY_INC := -I$(QVE_SRC_PATH)/Include \


@ -1,7 +1,7 @@
From 3cbab8069678b15276d7a8d2d0c7aa34532ad4af Mon Sep 17 00:00:00 2001
From 5fddd2225147e4372a6ff09350bdd495c3fdd4f8 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?= <berrange@redhat.com>
Date: Tue, 27 Feb 2024 15:46:41 +0000
Subject: [PATCH 103/117] Look for versioned sgx_urts library in
Subject: [PATCH 103/120] Look for versioned sgx_urts library in
PCKRetrievalTool
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8


@ -1,7 +1,7 @@
From 2609841a9ddedd4c3f22778bff0aa399ce6d4f9a Mon Sep 17 00:00:00 2001
From d758e815930fe6ca3d19ab880c8cb839001746ce Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?= <berrange@redhat.com>
Date: Tue, 27 Feb 2024 20:28:24 +0000
Subject: [PATCH 104/117] Don't import pypac in pccsadmin
Subject: [PATCH 104/120] Don't import pypac in pccsadmin
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit


@ -1,7 +1,7 @@
From eb1018b10a5adedcdc1ae3cf8f5d8be6de5b7d6d Mon Sep 17 00:00:00 2001
From 1d85ecfb88b08772efdaeb241b09502383e1123c Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?= <berrange@redhat.com>
Date: Thu, 29 Feb 2024 14:21:36 +0000
Subject: [PATCH 105/117] Look for PCKRetrievalTool config file in /etc/
Subject: [PATCH 105/120] Look for PCKRetrievalTool config file in /etc/
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit


@ -1,7 +1,7 @@
From c1773ce8ab60a0d887a52b821de28d6fd996b7f4 Mon Sep 17 00:00:00 2001
From ac4041d449135696b66c9d147d29f0967e2df1c3 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?= <berrange@redhat.com>
Date: Fri, 28 Mar 2025 16:00:27 +0000
Subject: [PATCH 106/117] Honour CFLAGS/CXXFLAGS/LDFLAGS for various tools and
Subject: [PATCH 106/120] Honour CFLAGS/CXXFLAGS/LDFLAGS for various tools and
libraries
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
@ -107,7 +107,7 @@ index 7d0b398..9b8c936 100644
ifndef DEBUG
Quote_Cpp_Flags += -DDISABLE_TRACE
diff --git a/QuoteVerification/dcap_quoteverify/linux/Makefile b/QuoteVerification/dcap_quoteverify/linux/Makefile
index c9f11a0..56095ac 100644
index c4154b0..e125cbf 100644
--- a/QuoteVerification/dcap_quoteverify/linux/Makefile
+++ b/QuoteVerification/dcap_quoteverify/linux/Makefile
@@ -54,8 +54,8 @@ QVL_VERIFY_INC := -I$(QVE_SRC_PATH)/Include \


@ -1,7 +1,7 @@
From a74ede38e306ff82ddbaf094d6148dc1bf9e524c Mon Sep 17 00:00:00 2001
From 95b111ae4a42f872e467a58058cfc87d5a5d089d Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?= <berrange@redhat.com>
Date: Thu, 3 Oct 2024 14:42:29 +0100
Subject: [PATCH 107/117] qgs: add space between program name & first arg in
Subject: [PATCH 107/120] qgs: add space between program name & first arg in
usage
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8


@ -1,7 +1,7 @@
From 1e760dc7a67d601121b625e0d2bd7b2fe8b7b042 Mon Sep 17 00:00:00 2001
From 0df9bd861d54722365e891911c18924af16cd732 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?= <berrange@redhat.com>
Date: Fri, 4 Oct 2024 09:43:17 +0100
Subject: [PATCH 108/117] qgs: protect against format strings in QL log
Subject: [PATCH 108/120] qgs: protect against format strings in QL log
messages
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8


@ -1,7 +1,7 @@
From d43ef4cac2c2c022b89b0938be71a9b36b9a1923 Mon Sep 17 00:00:00 2001
From 480ac4becb93a54184c024fa1945c1a2890488fb Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?= <berrange@redhat.com>
Date: Thu, 3 Oct 2024 16:57:35 +0100
Subject: [PATCH 109/117] qgs: add --debug parameter to control logging
Subject: [PATCH 109/120] qgs: add --debug parameter to control logging
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit


@ -1,7 +1,7 @@
From d375ba770975e565850ac12392bbc44807f28f75 Mon Sep 17 00:00:00 2001
From e559fba635b7736a54a446e25afc268b2a27513c Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?= <berrange@redhat.com>
Date: Tue, 8 Oct 2024 10:13:02 +0100
Subject: [PATCH 110/117] pccsadmin: remove leftover debugging 'print(args)'
Subject: [PATCH 110/120] pccsadmin: remove leftover debugging 'print(args)'
statement
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8


@ -1,7 +1,7 @@
From 1db2f71aead55201fcd82efa7d1ee99c9fa006b9 Mon Sep 17 00:00:00 2001
From 6a2d951d6a1d21a1c45256c81eaf1acd6f010d46 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?= <berrange@redhat.com>
Date: Fri, 17 Jan 2025 15:39:39 +0000
Subject: [PATCH 111/117] Fix soname version for libsgx_qe3_logic.so library
Subject: [PATCH 111/120] Fix soname version for libsgx_qe3_logic.so library
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
@ -13,21 +13,21 @@ Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
2 files changed, 8 insertions(+), 1 deletion(-)
diff --git a/QuoteGeneration/common/inc/internal/se_version.h b/QuoteGeneration/common/inc/internal/se_version.h
index 471784d..22e0dff 100644
index 93f60cb..9ee51c0 100644
--- a/QuoteGeneration/common/inc/internal/se_version.h
+++ b/QuoteGeneration/common/inc/internal/se_version.h
@@ -41,6 +41,11 @@
#define QUOTE_LOADER_VERSION "1.11.109.1"
#define TDQE_WRAPPER_VERSION "1.14.109.1"
#define PCE_WRAPPER_VERSION "1.14.109.1"
#define QUOTE_LOADER_VERSION "1.11.110.0"
#define TDQE_WRAPPER_VERSION "1.14.110.0"
#define PCE_WRAPPER_VERSION "1.14.110.0"
+/*
+ * XXX: downstream hack based on version declared
+ * in linux-sgx.git/linux/installer/common/psw/Makefile
+ */
+#define QE3_WRAPPER_VERSION "1.0.0"
#define QE3_VERSION "1.19.100.1"
#define QVE_VERSION "1.21.100.1"
#define QE3_VERSION "1.22.100.1"
#define QVE_VERSION "1.22.100.1"
diff --git a/QuoteGeneration/quote_wrapper/quote/linux/Makefile b/QuoteGeneration/quote_wrapper/quote/linux/Makefile
index 9b8c936..c92d782 100644
--- a/QuoteGeneration/quote_wrapper/quote/linux/Makefile


@ -1,7 +1,7 @@
From 9c8155bb1b2928390a21408944fd876f40c281e6 Mon Sep 17 00:00:00 2001
From 63e5a14cbae060060ee1de4eae177cc2f7b1f851 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?= <berrange@redhat.com>
Date: Thu, 6 Feb 2025 20:08:59 +0000
Subject: [PATCH 112/117] Workaround broken GCC 15
Subject: [PATCH 112/120] Workaround broken GCC 15
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit


@ -1,7 +1,7 @@
From c4a2855d01b06e1da960a677379c55a5b31b427c Mon Sep 17 00:00:00 2001
From 3cb471cfd9309a61c6cacf99ef8959c8d6c3079c Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?= <berrange@redhat.com>
Date: Wed, 2 Apr 2025 18:39:31 +0100
Subject: [PATCH 113/117] Don't disable cf-protection for qgs
Subject: [PATCH 113/120] Don't disable cf-protection for qgs
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit


@ -1,7 +1,7 @@
From 3bcde80a8e81c6f9992085f5a924544fb6082d79 Mon Sep 17 00:00:00 2001
From 218ff444583b58dc122ac69507b50c6e9f711581 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?= <berrange@redhat.com>
Date: Thu, 3 Apr 2025 17:44:48 +0100
Subject: [PATCH 114/117] Delete broken checks for GCC version that break
Subject: [PATCH 114/120] Delete broken checks for GCC version that break
-fstack-protector-strong
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
@ -74,7 +74,7 @@ index f0a5e36..20f3022 100644
-Wsequence-point -Wformat-security -Wmissing-include-dirs -Wfloat-equal -Wundef -Wshadow -Wcast-align \
-Wconversion -Wredundant-decls -DITT_ARCH_IA64 -fcf-protection
diff --git a/QuoteVerification/QvE/Makefile b/QuoteVerification/QvE/Makefile
index 6532e8f..e5045dd 100644
index cdac5ff..73e0c65 100644
--- a/QuoteVerification/QvE/Makefile
+++ b/QuoteVerification/QvE/Makefile
@@ -101,12 +101,7 @@ endif


@ -1,7 +1,7 @@
From e7afd8a28400d47b3864514fde5c2ce62d3937ec Mon Sep 17 00:00:00 2001
From 8c70d52e120ff2f2e878975db2ac7253b28319cf Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?= <berrange@redhat.com>
Date: Mon, 26 Feb 2024 12:19:51 +0000
Subject: [PATCH 115/117] Use distro provided rapidjson package
Subject: [PATCH 115/120] Use distro provided rapidjson package
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit


@ -1,7 +1,7 @@
From 224d1fe828bc4fcaa0861c3b59ddcc0c979fc2d6 Mon Sep 17 00:00:00 2001
From 9313ac72fda37a90096979cabae7d4294ef7ba42 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?= <berrange@redhat.com>
Date: Wed, 16 Apr 2025 11:48:52 +0100
Subject: [PATCH 116/117] Don't stomp on "VERBOSE" variable
Subject: [PATCH 116/120] Don't stomp on "VERBOSE" variable
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit


@ -1,7 +1,7 @@
From 8ded27dcf0c5a02c7869568bd1cafd5c2d15c0b0 Mon Sep 17 00:00:00 2001
From 22171373ad5c818b5a57339ba607ff9876e34939 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?= <berrange@redhat.com>
Date: Fri, 2 May 2025 14:48:24 +0100
Subject: [PATCH 117/117] qgs: add -m=MODE parameter for UNIX socket mode
Subject: [PATCH 117/120] qgs: add -m=MODE parameter for UNIX socket mode
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit


@ -0,0 +1,174 @@
From 2f42f8333820bb555778df38aaf27d02a5533ef6 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?= <berrange@redhat.com>
Date: Tue, 27 Feb 2024 15:46:41 +0000
Subject: [PATCH 118/120] Switch default PCCS port number from 8081 to 10801
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Port 8081 is a very poor choice of port number, since it is
both assigned to existing softrware in /etc/services, and
a fairly common "alternative" HTTP port that application
developers use for ad-hoc services.
Move it to 10801 which is not assigned in /etc/services and
thus unlikely to clash with other software.
Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
---
QuoteGeneration/pccs/config/default.json | 2 +-
QuoteGeneration/qcnl/inc/qcnl_config.h | 2 +-
QuoteGeneration/qcnl/linux/sgx_default_qcnl.conf | 4 ++--
QuoteGeneration/qcnl/linux/sgx_default_qcnl_dev.conf | 2 +-
tools/PCKRetrievalTool/App/App.cpp | 4 ++--
tools/PCKRetrievalTool/network_setting.conf | 4 ++--
tools/PccsAdminTool/pccsadmin.py | 12 ++++++------
7 files changed, 15 insertions(+), 15 deletions(-)
diff --git a/QuoteGeneration/pccs/config/default.json b/QuoteGeneration/pccs/config/default.json
index 13e00e2..7be5c6e 100644
--- a/QuoteGeneration/pccs/config/default.json
+++ b/QuoteGeneration/pccs/config/default.json
@@ -1,5 +1,5 @@
{
- "HTTPS_PORT" : 8081,
+ "HTTPS_PORT" : 10801,
"hosts" : "127.0.0.1",
"uri": "https://api.trustedservices.intel.com/sgx/certification/v4/",
"ApiKey": "",
diff --git a/QuoteGeneration/qcnl/inc/qcnl_config.h b/QuoteGeneration/qcnl/inc/qcnl_config.h
index 71b9a99..b9f2262 100644
--- a/QuoteGeneration/qcnl/inc/qcnl_config.h
+++ b/QuoteGeneration/qcnl/inc/qcnl_config.h
@@ -82,7 +82,7 @@ protected:
// TCB update type, "early" or "standard"
string tcb_update_type_;
- QcnlConfig() : server_url_("https://localhost:8081/sgx/certification/v4/"),
+ QcnlConfig() : server_url_("https://localhost:10801/sgx/certification/v4/"),
use_secure_cert_(true),
collateral_service_url_(server_url_),
collateral_version_("3.0"),
diff --git a/QuoteGeneration/qcnl/linux/sgx_default_qcnl.conf b/QuoteGeneration/qcnl/linux/sgx_default_qcnl.conf
index 7df3995..af26a7e 100644
--- a/QuoteGeneration/qcnl/linux/sgx_default_qcnl.conf
+++ b/QuoteGeneration/qcnl/linux/sgx_default_qcnl.conf
@@ -2,7 +2,7 @@
// *** ATTENTION : This file is in JSON format so the keys are case sensitive. Don't change them.
//PCCS server address
- "pccs_url": "https://localhost:8081/sgx/certification/v4/"
+ "pccs_url": "https://localhost:10801/sgx/certification/v4/"
// To accept insecure HTTPS certificate, set this option to false
,"use_secure_cert": true
@@ -37,7 +37,7 @@
// If local_pck_url is defined, the QCNL will try to retrieve PCK cert chain from local_pck_url first,
// and failover to pccs_url as in legacy mode.
- //,"local_pck_url": "http://localhost:8081/sgx/certification/v4/"
+ //,"local_pck_url": "http://localhost:10801/sgx/certification/v4/"
// If local_pck_url is not defined, set pck_cache_expire_hours to a none-zero value will enable local cache.
// The PCK certificates will be cached in memory and then to the disk drive.
diff --git a/QuoteGeneration/qcnl/linux/sgx_default_qcnl_dev.conf b/QuoteGeneration/qcnl/linux/sgx_default_qcnl_dev.conf
index 08ee41c..f398b7d 100644
--- a/QuoteGeneration/qcnl/linux/sgx_default_qcnl_dev.conf
+++ b/QuoteGeneration/qcnl/linux/sgx_default_qcnl_dev.conf
@@ -8,7 +8,7 @@
// It is recommended to use "3.1" for DCAP 1.12 release and later
//PCCS server address
- "pccs_url": "https://localhost:8081/sgx/certification/v4/",
+ "pccs_url": "https://localhost:10801/sgx/certification/v4/",
// To accept insecure HTTPS certificate, set this option to false
"use_secure_cert": false,
diff --git a/tools/PCKRetrievalTool/App/App.cpp b/tools/PCKRetrievalTool/App/App.cpp
index a34710d..17196e2 100644
--- a/tools/PCKRetrievalTool/App/App.cpp
+++ b/tools/PCKRetrievalTool/App/App.cpp
@@ -67,7 +67,7 @@ uint32_t COMM_API sgx_tool_get_launch_token(
void PrintHelp() {
printf("Usage: %s [OPTION] \n", VER_PRODUCTNAME_STR);
- printf("Example: %s -f pck_retrieval_result.csv -url https://localhost:8081 -user_token 123456 -use_secure_cert true -platform_id\n", VER_PRODUCTNAME_STR);
+ printf("Example: %s -f pck_retrieval_result.csv -url https://localhost:10801 -user_token 123456 -use_secure_cert true -platform_id\n", VER_PRODUCTNAME_STR);
printf( "\nOptions:\n");
printf( " -f filename - output the retrieval result to the \"filename\"\n");
printf( " -url cache_server_address - cache server's address \n");
@@ -171,7 +171,7 @@ int parse_arg(int argc, const char *argv[])
}
}
else if (strncmp(argv[i], "-defaulturl", 11) == 0) {
- server_url_string = "https://localhost:8081";
+ server_url_string = "https://localhost:10801";
continue;
}
else if (strncmp(argv[i], "-proxy_type",11) == 0) {
diff --git a/tools/PCKRetrievalTool/network_setting.conf b/tools/PCKRetrievalTool/network_setting.conf
index 7aa5d71..3600191 100644
--- a/tools/PCKRetrievalTool/network_setting.conf
+++ b/tools/PCKRetrievalTool/network_setting.conf
@@ -1,9 +1,9 @@
# #############################################################
# PCCS server address
# support V3 version PCCS
-#PCCS_URL=https://localhost:8081/sgx/certification/v3/platforms
+#PCCS_URL=https://localhost:10801/sgx/certification/v3/platforms
# support V4 version PCCS
-#PCCS_URL=https://localhost:8081/sgx/certification/v4/platforms
+#PCCS_URL=https://localhost:10801/sgx/certification/v4/platforms
# To accept insecure HTTPS cert, set this option to FALSE
#USE_SECURE_CERT=TRUE
# When PCCS running in REQ mode, set "tcb update type": STANDARD, EARLY or ALL
diff --git a/tools/PccsAdminTool/pccsadmin.py b/tools/PccsAdminTool/pccsadmin.py
index 8e447c5..f286827 100755
--- a/tools/PccsAdminTool/pccsadmin.py
+++ b/tools/PccsAdminTool/pccsadmin.py
@@ -16,7 +16,7 @@ from urllib.parse import unquote
import traceback
PCS_SERVICE_URL = 'https://api.trustedservices.intel.com/sgx/certification/v4/'
-PCCS_SERVICE_URL = 'https://localhost:8081/sgx/certification/v4'
+PCCS_SERVICE_URL = 'https://localhost:10801/sgx/certification/v4'
def main():
parser = argparse.ArgumentParser(description="Administrator tool for PCCS")
@@ -26,7 +26,7 @@ def main():
# subparser for get
parser_get = subparsers.add_parser('get', formatter_class=argparse.RawTextHelpFormatter)
# add optional arguments for get
- parser_get.add_argument("-u", "--url", help="The URL of the PCCS's GET platforms API; default: https://localhost:8081/sgx/certification/v4/platforms")
+ parser_get.add_argument("-u", "--url", help="The URL of the PCCS's GET platforms API; default: https://localhost:10801/sgx/certification/v4/platforms")
parser_get.add_argument("-o", "--output_file", help="The output file name for platform list; default: platform_list.json")
parser_get.add_argument("-s", "--source", help=
"reg - Get platforms from registration table.(default)\n"
@@ -37,12 +37,12 @@ def main():
# subparser for put
description_put = (
"This put command supports the following formats([] means optional):\n"
- "1. pccsadmin put [-u https://localhost:8081/sgx/certification/v4/platformcollateral] [-i collateral_file(*.json)]\n"
- "2. pccsamdin put -u https://localhost:8081/sgx/certification/v4/appraisalpolicy [-d] -f fmspc -i policy_file(*.jwt)"
+ "1. pccsadmin put [-u https://localhost:10801/sgx/certification/v4/platformcollateral] [-i collateral_file(*.json)]\n"
+ "2. pccsamdin put -u https://localhost:10801/sgx/certification/v4/appraisalpolicy [-d] -f fmspc -i policy_file(*.jwt)"
)
parser_put = subparsers.add_parser('put', description=description_put, formatter_class=argparse.RawTextHelpFormatter)
# add optional arguments for put
- parser_put.add_argument("-u", "--url", help="The URL of the PCCS's API; default: https://localhost:8081/sgx/certification/v4/platformcollateral")
+ parser_put.add_argument("-u", "--url", help="The URL of the PCCS's API; default: https://localhost:10801/sgx/certification/v4/platformcollateral")
parser_put.add_argument("-i", "--input_file", help="The input file name for platform collaterals or appraisal policy;\
\nFor /platformcollateral API, default is platform_collaterals.json;\
\nFor /appraisalpolicy API, the filename of the jwt file must be provided explicitly.")
@@ -71,7 +71,7 @@ def main():
# subparser for refresh
parser_refresh = subparsers.add_parser('refresh')
# add optional arguments for refresh
- parser_refresh.add_argument("-u", "--url", help="The URL of the PCCS's refresh API; default: https://localhost:8081/sgx/certification/v4/refresh")
+ parser_refresh.add_argument("-u", "--url", help="The URL of the PCCS's refresh API; default: https://localhost:10801/sgx/certification/v4/refresh")
parser_refresh.add_argument("-f", "--fmspc", help="Only refresh certificates for specified FMSPCs. Format: [FMSPC1, FMSPC2, ..., FMSPCn]")
parser_refresh.set_defaults(func=pccs_refresh)
--
2.49.0
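Review bot: The commented-out `local_pck_url` example in sgx_default_qcnl.conf is moved to port 10801 but keeps the `http://` scheme, while default.json in this same patch makes 10801 the PCCS `HTTPS_PORT`. An admin who uncomments it as written would point QCNL at a TLS listener with a plaintext URL, and because the surrounding comment says lookups fail over to `pccs_url`, the misconfiguration may go unnoticed. Assuming the example is meant to name the local PCCS, I would write `//,"local_pck_url": "https://localhost:10801/sgx/certification/v4/"`; if it names a different service, its port should be left alone. Separately, the rewritten help text in pccsadmin.py still reads `pccsamdin put`, which could be corrected to `pccsadmin put` while the line is being touched.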


@ -0,0 +1,108 @@
From 308e939ffc44c4720833aa518b0d19be1e01a186 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?= <berrange@redhat.com>
Date: Tue, 27 Feb 2024 13:38:49 +0000
Subject: [PATCH 119/120] Sanitize paths to all resources in PCCS server
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Look for libPCKCertSelection.so in /lib64
Look for SSL cert config in /etc/pccs/ssl
Look for DB migrations in /usr/share/pccs
Use log file in /var/log/pccs
Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
---
QuoteGeneration/pccs/lib_wrapper/pcklib_wrapper.js | 4 ++--
QuoteGeneration/pccs/pccs_server.js | 8 ++++----
QuoteGeneration/pccs/utils/Logger.js | 2 +-
QuoteGeneration/pccs/utils/apputil.js | 6 +++---
4 files changed, 10 insertions(+), 10 deletions(-)
diff --git a/QuoteGeneration/pccs/lib_wrapper/pcklib_wrapper.js b/QuoteGeneration/pccs/lib_wrapper/pcklib_wrapper.js
index 17cdf9a..1f7567b 100644
--- a/QuoteGeneration/pccs/lib_wrapper/pcklib_wrapper.js
+++ b/QuoteGeneration/pccs/lib_wrapper/pcklib_wrapper.js
@@ -37,7 +37,7 @@ import { load, DataType, open, close, createPointer, arrayConstructor, restorePo
const __dirname = path.dirname(fileURLToPath(import.meta.url));
let libpath = 'PCKCertSelectionLib.dll';
if (process.platform === 'linux') {
- libpath = path.join(__dirname, '../lib/libPCKCertSelection.so');
+ libpath = '/lib64/libPCKCertSelection.so.1';
}
open({
library: 'libPCKCertSelection', // key
@@ -84,4 +84,4 @@ export function pck_cert_select(
// Ensure the library is closed before the process exits
process.on('exit', () => {
close('libPCKCertSelection');
-});
\ No newline at end of file
+});
diff --git a/QuoteGeneration/pccs/pccs_server.js b/QuoteGeneration/pccs/pccs_server.js
index b41d871..57c1cee 100644
--- a/QuoteGeneration/pccs/pccs_server.js
+++ b/QuoteGeneration/pccs/pccs_server.js
@@ -61,9 +61,9 @@ process.on('SIGINT', () => {
});
// Create ./logs if it doesn't exist
-fs.mkdir('./logs', (err) => {
+//fs.mkdir('./logs', (err) => {
/* do nothing */
-});
+//});
const app = express();
@@ -141,8 +141,8 @@ function startHttpsServer() {
let privateKey;
let certificate;
try {
- privateKey = fs.readFileSync('./ssl_key/private.pem', 'utf8');
- certificate = fs.readFileSync('./ssl_key/file.crt', 'utf8');
+ privateKey = fs.readFileSync('/etc/pccs/ssl/server-key.pem', 'utf8');
+ certificate = fs.readFileSync('/etc/pccs/ssl/server-cert.pem', 'utf8');
} catch (err) {
logger.error('The private key or certificate for HTTPS server is missing.');
logger.endAndExitProcess();
diff --git a/QuoteGeneration/pccs/utils/Logger.js b/QuoteGeneration/pccs/utils/Logger.js
index 5ac7a48..c774ac4 100644
--- a/QuoteGeneration/pccs/utils/Logger.js
+++ b/QuoteGeneration/pccs/utils/Logger.js
@@ -40,7 +40,7 @@ const { createLogger, format, transports } = winston;
const options = {
file: {
level: Config.has('LogLevel') ? Config.get('LogLevel') : 'info',
- filename: __dirname + `/../logs/pccs_server.log`,
+ filename: `/var/log/pccs/pccs_server.log`,
handleExceptions: true,
json: false,
colorize: true,
diff --git a/QuoteGeneration/pccs/utils/apputil.js b/QuoteGeneration/pccs/utils/apputil.js
index 6f910ee..6eb9d15 100644
--- a/QuoteGeneration/pccs/utils/apputil.js
+++ b/QuoteGeneration/pccs/utils/apputil.js
@@ -84,8 +84,8 @@ async function test_db_status() {
}
async function db_migration() {
- const migrations = fs.readdirSync('./migrations').map(name => {
- const path = `./migrations/${name}`;
+ const migrations = fs.readdirSync('/usr/lib/node_modules/pccs/migrations').map(name => {
+ const path = `/usr/lib/node_modules/pccs/migrations/${name}`;
return {
name,
@@ -126,7 +126,7 @@ async function db_migration() {
const umzug = new Umzug({
migrations: {
- glob: './migrations/*.{js,up.sql}',
+ glob: '/usr/lib/node_modules/pccs/migrations/*.{js,up.sql}',
resolve: ({ name }) => {
const migration = migrations.find(migration => migration.name === name);
logger.debug(`Resolving migration: ${name}, found: ${migration ? migration.name : 'none'}`);
--
2.49.0
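Review bot: The commit message says DB migrations are looked up in /usr/share/pccs, but the db_migration() hunks in apputil.js read `/usr/lib/node_modules/pccs/migrations`, so either the message or the paths need correcting. That directory is also spelled out three times (readdirSync, the per-file path template and the Umzug glob); a single `const MIGRATIONS_DIR = '/usr/lib/node_modules/pccs/migrations';` would keep them from drifting apart. In pccs_server.js the `fs.mkdir('./logs', ...)` call is commented out line by line, leaving an orphaned `/* do nothing */`, and deleting the block would be cleaner. Since nothing creates the log directory any more, the packaging needs to provide /var/log/pccs writable by the service account, and /etc/pccs/ssl/server-key.pem should be readable only by that account. The enclosing functions continue outside the hunks.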


@ -0,0 +1,71 @@
From 512591ff394d7b04925893480519ebc1d29aefc7 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?= <berrange@redhat.com>
Date: Wed, 9 Jul 2025 16:41:59 +0100
Subject: [PATCH 120/120] pccs: only pass ApiKey if it is set
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Some endpoints on the api.trustedservices.intel.com site do not
require an API token. The pcs_client code, however, will always
set the Ocp-Apim-Subscription-Key HTTP header, even if it is
the empty string. The server will reject the empty string
as invalid, rather than prcessing it as an non-authenticated
request.
This leads to PCCS being unable to fetch PCK certs in an out of
the box config unless the admin sets the API token, which should
not be required for "LAZY" caching.
Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
---
QuoteGeneration/pccs/pcs_client/pcs_client.js | 14 +++++++++++---
1 file changed, 11 insertions(+), 3 deletions(-)
diff --git a/QuoteGeneration/pccs/pcs_client/pcs_client.js b/QuoteGeneration/pccs/pcs_client/pcs_client.js
index 99ccea6..4f6c903 100644
--- a/QuoteGeneration/pccs/pcs_client/pcs_client.js
+++ b/QuoteGeneration/pccs/pcs_client/pcs_client.js
@@ -66,7 +66,9 @@ async function do_request(url, options) {
if (!options.headers) {
options.headers = {};
}
- options.headers['Ocp-Apim-Subscription-Key'] = Config.get('ApiKey');
+ if (Config.get('ApiKey') != "") {
+ options.headers['Ocp-Apim-Subscription-Key'] = Config.get('ApiKey');
+ }
}
// global opitons ( proxy, timeout, etc)
@@ -128,8 +130,11 @@ export async function getCerts(enc_ppid, pceid) {
pceid: pceid,
},
method: 'GET',
- headers: { 'Ocp-Apim-Subscription-Key': Config.get('ApiKey') },
+ headers: {}
};
+ if (Config.get('ApiKey') != "") {
+ options.headers['Ocp-Apim-Subscription-Key'] = Config.get('ApiKey');
+ }
return do_request(Config.get('uri') + 'pckcerts', options);
}
@@ -142,11 +147,14 @@ export async function getCertsWithManifest(platform_manifest, pceid) {
},
method: 'POST',
headers: {
- 'Ocp-Apim-Subscription-Key': Config.get('ApiKey'),
'Content-Type': 'application/json',
},
};
+ if (Config.get('ApiKey') != "") {
+ options.headers['Ocp-Apim-Subscription-Key'] = Config.get('ApiKey');
+ }
+
return do_request(Config.get('uri') + 'pckcerts', options);
}
--
2.49.0
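Review bot: The `Config.get('ApiKey') != ""` guard, repeated in do_request(), getCerts() and getCertsWithManifest(), only excludes the exact empty string: a null value would still be sent as the header, and if the key is absent from the config `Config.get` would presumably throw (Logger.js guards its own lookup with `Config.has`). Reading the value once as `const apiKey = Config.has('ApiKey') ? Config.get('ApiKey') : '';` and setting the header with `if (apiKey) options.headers['Ocp-Apim-Subscription-Key'] = apiKey;` covers missing, null and empty values alike. A small helper shared by the three call sites would keep the rule in one place. The enclosing functions start and end outside the hunks.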


@ -1,7 +1,7 @@
From aaf1277c7c0aa37d387e8a7983da607498335757 Mon Sep 17 00:00:00 2001
From 89d2bacc8b67eca8decae7b7508080582fc2c60d Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?= <berrange@redhat.com>
Date: Thu, 29 Aug 2024 12:23:30 +0100
Subject: [PATCH 200/201] Enable pointing sgxssl build to alternative glibc
Subject: [PATCH 200/203] Enable pointing sgxssl build to alternative glibc
headers
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
@ -20,10 +20,10 @@ Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
2 files changed, 8 insertions(+), 2 deletions(-)
diff --git a/Linux/build_openssl.sh b/Linux/build_openssl.sh
index cd76872..f1c39b6 100755
index 0a99917..4e4a81e 100755
--- a/Linux/build_openssl.sh
+++ b/Linux/build_openssl.sh
@@ -83,6 +83,7 @@ fi
@@ -89,6 +89,7 @@ fi
# Mitigation flags
MITIGATION_OPT=""
MITIGATION_FLAGS=""
@ -31,7 +31,7 @@ index cd76872..f1c39b6 100755
CC_VERSION=`gcc -dumpversion`
CC_VERSION_MAJOR=`echo "$CC_VERSION" | cut -f1 -d.`
for arg in "$@"
@@ -123,6 +124,10 @@ do
@@ -129,6 +130,10 @@ do
MITIGATION_FLAGS+=" $arg"
shift
;;
@ -42,7 +42,7 @@ index cd76872..f1c39b6 100755
*)
# Unknown option
shift
@@ -131,6 +136,7 @@ do
@@ -137,6 +142,7 @@ do
done
echo $MITIGATION_OPT
echo $MITIGATION_FLAGS
@ -50,20 +50,20 @@ index cd76872..f1c39b6 100755
echo $SPACE_OPT
sed -i -- 's/OPENSSL_issetugid/OPENSSLd_issetugid/g' $OPENSSL_VERSION/crypto/uid.c || exit 1
@@ -139,7 +145,7 @@ cp sgx_config.conf $OPENSSL_VERSION/ || exit 1
@@ -145,7 +151,7 @@ cp sgx_config.conf $OPENSSL_VERSION/ || exit 1
cp x86_64-xlate.pl $OPENSSL_VERSION/crypto/perlasm/ || exit 1
cd $SGXSSL_ROOT/../openssl_source/$OPENSSL_VERSION || exit 1
-perl Configure --config=sgx_config.conf sgx-linux-x86_64 --with-rand-seed=none $ADDITIONAL_CONF $SPACE_OPT $MITIGATION_FLAGS no-idea no-mdc2 no-rc5 no-rc4 no-bf no-ec2m no-camellia no-cast no-srp no-async no-padlockeng no-dso no-shared no-ssl3 no-md2 no-md4 no-ui-console no-stdio no-afalgeng -D_FORTIFY_SOURCE=2 -DGETPID_IS_MEANINGLESS -include$SGXSSL_ROOT/../openssl_source/bypass_to_sgxssl.h || exit 1
+perl Configure --config=sgx_config.conf sgx-linux-x86_64 --with-rand-seed=none $ADDITIONAL_CONF $SPACE_OPT $MITIGATION_FLAGS $ENCLAVE_CFLAGS no-idea no-mdc2 no-rc5 no-rc4 no-bf no-ec2m no-camellia no-cast no-srp no-async no-padlockeng no-dso no-shared no-ssl3 no-md2 no-md4 no-ui-console no-stdio no-afalgeng -D_FORTIFY_SOURCE=2 -DGETPID_IS_MEANINGLESS -include$SGXSSL_ROOT/../openssl_source/bypass_to_sgxssl.h || exit 1
-perl Configure --config=sgx_config.conf sgx-linux-x86_64 --with-rand-seed=none $ADDITIONAL_CONF $SPACE_OPT $MITIGATION_FLAGS no-idea no-mdc2 no-rc5 no-rc4 no-bf no-ec2m no-camellia no-cast no-srp no-async no-padlockeng no-dso no-shared no-ssl3 no-md2 no-md4 no-ui-console no-stdio no-afalgeng -D_FORTIFY_SOURCE=2 -DGETPID_IS_MEANINGLESS -DOPENSSL_NO_POSIX_IO -include$SGXSSL_ROOT/../openssl_source/bypass_to_sgxssl.h || exit 1
+perl Configure --config=sgx_config.conf sgx-linux-x86_64 --with-rand-seed=none $ADDITIONAL_CONF $SPACE_OPT $MITIGATION_FLAGS $ENCLAVE_CFLAGS no-idea no-mdc2 no-rc5 no-rc4 no-bf no-ec2m no-camellia no-cast no-srp no-async no-padlockeng no-dso no-shared no-ssl3 no-md2 no-md4 no-ui-console no-stdio no-afalgeng -D_FORTIFY_SOURCE=2 -DGETPID_IS_MEANINGLESS -DOPENSSL_NO_POSIX_IO -include$SGXSSL_ROOT/../openssl_source/bypass_to_sgxssl.h || exit 1
sed -i 's/ENGINE_set_default_RAND/dummy_ENGINE_set_default_RAND/' crypto/engine/tb_rand.c || exit 1
sed -i 's/return RUN_ONCE(&locale_base, ossl_init_locale_base);/return 1;/' crypto/ctype.c || exit 1
diff --git a/Linux/sgx/Makefile b/Linux/sgx/Makefile
index d08eff7..6555d28 100644
index e4f3f92..ec1a0c3 100644
--- a/Linux/sgx/Makefile
+++ b/Linux/sgx/Makefile
@@ -76,7 +76,7 @@ endif
@@ -85,7 +85,7 @@ endif
endif
$(PACKAGE_LIB)/$(OPENSSL_LIB):
@ -73,5 +73,5 @@ index d08eff7..6555d28 100644
clean:
$(MAKE) -C $(TRUSTED_LIB_DIR) clean
--
2.46.0
2.49.0


@ -1,7 +1,7 @@
From 63f4368171ee5bf78f956c429c37d43618a881e7 Mon Sep 17 00:00:00 2001
From d823d7a67291d51d8b3c57c36f059e1d1d84c2e6 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?= <berrange@redhat.com>
Date: Thu, 29 Aug 2024 12:50:32 +0100
Subject: [PATCH 201/201] Workaround missing output directory
Subject: [PATCH 201/203] Workaround missing output directory
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
@ -16,10 +16,10 @@ Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
1 file changed, 1 insertion(+)
diff --git a/Linux/build_openssl.sh b/Linux/build_openssl.sh
index f1c39b6..f2cf0b1 100755
index 4e4a81e..d0518e5 100755
--- a/Linux/build_openssl.sh
+++ b/Linux/build_openssl.sh
@@ -168,6 +168,7 @@ fi
@@ -174,6 +174,7 @@ fi
make libcrypto.a || exit 1
cp libcrypto.a $SGXSSL_ROOT/package/lib64/$OUTPUT_LIB || exit 1
objcopy --rename-section .init=Q6A8dc14f40efc4288a03b32cba4e $SGXSSL_ROOT/package/lib64/$OUTPUT_LIB || exit 1
@ -28,5 +28,5 @@ index f1c39b6..f2cf0b1 100755
grep OPENSSL_VERSION_STR include/openssl/opensslv.h > $SGXSSL_ROOT/sgx/osslverstr.h || exit 1
cp -r include/crypto $SGXSSL_ROOT/sgx/test_app/enclave/ || exit 1
--
2.46.0
2.49.0


@ -1,4 +1,4 @@
From 6cf74b032bc9f120a7c4924a0394d22f6ed4767b Mon Sep 17 00:00:00 2001
From 3aea585cfbe4691fea3c584981e36ee06d945bf4 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?= <berrange@redhat.com>
Date: Fri, 1 Mar 2024 13:24:26 +0000
Subject: [PATCH 202/203] Disable various EC crypto features
@ -20,12 +20,12 @@ Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
create mode 100644 openssl_source/0012-Disable-explicit-ec.patch
diff --git a/Linux/build_openssl.sh b/Linux/build_openssl.sh
index f2cf0b1..7470479 100755
index d0518e5..cf8394b 100755
--- a/Linux/build_openssl.sh
+++ b/Linux/build_openssl.sh
@@ -55,6 +55,17 @@ cd $SGXSSL_ROOT/../openssl_source || exit 1
@@ -54,6 +54,17 @@ cd $SGXSSL_ROOT/../openssl_source || exit 1
rm -rf $OPENSSL_VERSION
tar xvf $OPENSSL_VERSION.tar.gz || exit 1
tar xvf $OPENSSL_VERSION.tar.gz > /dev/null || exit 1
+# Disable forbidden EC
+(
@ -1631,5 +1631,5 @@ index 0000000..0cae2fa
+
+ err:
--
2.46.0
2.49.0


@ -1,4 +1,4 @@
From f429bf3ffd992c678f7d1a041f6a6b5df9a4b6fb Mon Sep 17 00:00:00 2001
From 1c3da2baf4cc84aecd2f6610777d28ac69a47039 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?= <berrange@redhat.com>
Date: Fri, 1 Mar 2024 13:25:14 +0000
Subject: [PATCH 203/203] Disable sm2 and sm4 crypto algorithms
@ -11,45 +11,45 @@ Policy copied from Fedora 39 openssl package
Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
---
Linux/build_openssl.sh | 2 +-
Linux/sgx/test_app/enclave/TestEnclave.cpp | 5 ++++-
Linux/sgx/test_app/enclave/TestEnclave.cpp | 4 ++++
Linux/sgx/test_app/enclave/TestEnclave.h | 4 ++++
Linux/sgx/test_app/enclave/tests/evp_smx.c | 4 ++++
4 files changed, 13 insertions(+), 2 deletions(-)
4 files changed, 13 insertions(+), 1 deletion(-)
diff --git a/Linux/build_openssl.sh b/Linux/build_openssl.sh
index 7470479..e214ccb 100755
index cf8394b..fea2232 100755
--- a/Linux/build_openssl.sh
+++ b/Linux/build_openssl.sh
@@ -156,7 +156,7 @@ cp sgx_config.conf $OPENSSL_VERSION/ || exit 1
@@ -162,7 +162,7 @@ cp sgx_config.conf $OPENSSL_VERSION/ || exit 1
cp x86_64-xlate.pl $OPENSSL_VERSION/crypto/perlasm/ || exit 1
cd $SGXSSL_ROOT/../openssl_source/$OPENSSL_VERSION || exit 1
-perl Configure --config=sgx_config.conf sgx-linux-x86_64 --with-rand-seed=none $ADDITIONAL_CONF $SPACE_OPT $MITIGATION_FLAGS $ENCLAVE_CFLAGS no-idea no-mdc2 no-rc5 no-rc4 no-bf no-ec2m no-camellia no-cast no-srp no-async no-padlockeng no-dso no-shared no-ssl3 no-md2 no-md4 no-ui-console no-stdio no-afalgeng -D_FORTIFY_SOURCE=2 -DGETPID_IS_MEANINGLESS -include$SGXSSL_ROOT/../openssl_source/bypass_to_sgxssl.h || exit 1
+perl Configure --config=sgx_config.conf sgx-linux-x86_64 --with-rand-seed=none $ADDITIONAL_CONF $SPACE_OPT $MITIGATION_FLAGS $ENCLAVE_CFLAGS no-idea no-mdc2 no-rc5 no-rc4 no-bf no-ec2m no-camellia no-cast no-srp no-async no-padlockeng no-dso no-shared no-ssl3 no-md2 no-md4 no-sm2 no-sm4 no-ui-console no-stdio no-afalgeng -D_FORTIFY_SOURCE=2 -DGETPID_IS_MEANINGLESS -include$SGXSSL_ROOT/../openssl_source/bypass_to_sgxssl.h || exit 1
-perl Configure --config=sgx_config.conf sgx-linux-x86_64 --with-rand-seed=none $ADDITIONAL_CONF $SPACE_OPT $MITIGATION_FLAGS $ENCLAVE_CFLAGS no-idea no-mdc2 no-rc5 no-rc4 no-bf no-ec2m no-camellia no-cast no-srp no-async no-padlockeng no-dso no-shared no-ssl3 no-md2 no-md4 no-ui-console no-stdio no-afalgeng -D_FORTIFY_SOURCE=2 -DGETPID_IS_MEANINGLESS -DOPENSSL_NO_POSIX_IO -include$SGXSSL_ROOT/../openssl_source/bypass_to_sgxssl.h || exit 1
+perl Configure --config=sgx_config.conf sgx-linux-x86_64 --with-rand-seed=none $ADDITIONAL_CONF $SPACE_OPT $MITIGATION_FLAGS $ENCLAVE_CFLAGS no-idea no-mdc2 no-rc5 no-rc4 no-bf no-ec2m no-camellia no-cast no-srp no-async no-padlockeng no-dso no-shared no-ssl3 no-md2 no-md4 no-sm2 no-sm4 no-ui-console no-stdio no-afalgeng -D_FORTIFY_SOURCE=2 -DGETPID_IS_MEANINGLESS -DOPENSSL_NO_POSIX_IO -include$SGXSSL_ROOT/../openssl_source/bypass_to_sgxssl.h || exit 1
sed -i 's/ENGINE_set_default_RAND/dummy_ENGINE_set_default_RAND/' crypto/engine/tb_rand.c || exit 1
sed -i 's/return RUN_ONCE(&locale_base, ossl_init_locale_base);/return 1;/' crypto/ctype.c || exit 1
diff --git a/Linux/sgx/test_app/enclave/TestEnclave.cpp b/Linux/sgx/test_app/enclave/TestEnclave.cpp
index dac620a..b219e74 100644
index 7b21dd2..65330d5 100644
--- a/Linux/sgx/test_app/enclave/TestEnclave.cpp
+++ b/Linux/sgx/test_app/enclave/TestEnclave.cpp
@@ -413,6 +413,7 @@ void t_sgxssl_call_apis()
@@ -469,6 +469,7 @@ void t_sgxssl_call_apis()
}
printf("test threads_test completed\n");
#ifndef SGXSSL_FIPS
+#if 0
//GM SM2 - sign and verify
ret = ecall_sm2_sign_verify();
if (ret != 0)
@@ -430,6 +431,7 @@ void t_sgxssl_call_apis()
exit(ret);
@@ -486,6 +487,7 @@ void t_sgxssl_call_apis()
goto end;
}
printf("test evp_sm2_encrypt_decrypt completed\n");
+#endif
//GM SM3 - compute digest of message
ret = ecall_sm3();
@@ -440,6 +442,7 @@ void t_sgxssl_call_apis()
@@ -496,6 +498,7 @@ void t_sgxssl_call_apis()
}
printf("test evp_sm3 completed\n");
@ -57,13 +57,14 @@ index dac620a..b219e74 100644
//GM SM4 - cbc encrypt and decrypt
ret = ecall_sm4_cbc();
if (ret != 0)
@@ -457,5 +460,5 @@ void t_sgxssl_call_apis()
exit(ret);
@@ -513,6 +516,7 @@ void t_sgxssl_call_apis()
goto end;
}
printf("test evp_sm4_ctr completed\n");
-
+#endif
}
#endif
printf("ALL tests in t_sgxssl_call_apis passed!\n");
end:
diff --git a/Linux/sgx/test_app/enclave/TestEnclave.h b/Linux/sgx/test_app/enclave/TestEnclave.h
index c2ca854..a989735 100644
--- a/Linux/sgx/test_app/enclave/TestEnclave.h
@ -118,5 +119,5 @@ index a395ce8..f49e5b7 100644
}
+#endif
--
2.46.0
2.49.0

15
download.sh Executable file

@ -0,0 +1,15 @@
#!/bin/sh
set -e
spec=linux-sgx.spec
for url in $(rpmspec -P ${spec} 2>/dev/null | grep Source | grep http | awk '{print $2}')
do
tarball=$(basename ${url})
echo "Check $url -> $tarball"
if ! test -f ${tarball}
then
wget -O $tarball ${url}
fi
done
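Review bot: A failed or interrupted `wget -O $tarball ${url}` leaves a partial file behind, and because the loop skips anything for which `test -f ${tarball}` succeeds, the next run treats that truncated tarball as already downloaded. Fetching to a temporary name and renaming only on success avoids this: `wget -O "${tarball}.tmp" "${url}"` followed on its own line by `mv "${tarball}.tmp" "${tarball}"`, so that `set -e` still aborts on a failed download. The script also never checks what it fetched, so a `sha512sum -c` step against the package's recorded checksums (if it keeps such a file), or at least a comment saying where verification happens, would make clear the download alone is not trusted. `${url}` and `${tarball}` should be quoted throughout.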


@ -67,22 +67,22 @@
# versions based on what the new release depends on (see various
# git submodule tags and code files).
#
%global linux_sgx_version 2.25
%global linux_sgx_version 2.26
# From SGX git submodule
%global dcap_version 1.22
%global dcap_version 1.23
# From DCAP git submodule
%global dcap_qvl_version 1.21
# From DCAP git submodule
%global dcap_qvs_version 1.1.0-2885
# From SGX external/sgxssl/prepare_sgxssl.sh
%global sgx_ssl_version 3.0_Rev4
%global sgx_ssl_version 3.1.6_Rev1
# From SGX git submodule
%global ipp_crypto_version 2021.12.1
# From SGX git submodule
%global sgx_emm_version 1.0.3
# From SGX external/sgxssl/prepare_sgxssl.sh
%global openssl_version 3.0.14
%global openssl_version 3.1.6
# From SGX git submodule
%global libcbor_version 0.10.2
# From protobuf third_party/abseil-cpp
@ -90,7 +90,7 @@
# From DCAP git submodule
%global jwt_cpp_version 0.6.0
# From DCAP git submodule
%global wamr_version 1.3.3
%global wamr_version 1.0.0
# From SGX external/tinyxml2
%global tinyxml2_version 10.0.0
@ -100,6 +100,10 @@
%global rdrand_version 1.1
%global vtune_version 2018
# From SGX external/dcap_source/QuoteGeneration/pccs/package_lock.json
# NB: node_modules/@yuuang/ffi-rs-linux-x64-gnu will likely pull the
# version higher than what is declared for 'ffi-rs' itself.
%global node_ffi_rs_version 1.2.6
# enclaves from prebuilt_dcap_NNN.tar.gz - DCAP version numbers,
# except for pce, which is actually an SGX enclave just bundled
@ -159,13 +163,16 @@ Summary: Intel Linux SGX SDK and Platform Software
# so while the license of the combined work is declared to be
# BSD-3-Clause, there is actually a huge set of licenses to track
License: %{shrink:
%dnl sdk/tlibcxx, external/ippcp_internal, external/epid-sdk
%dnl node_modules
0BSD AND
%dnl sdk/tlibcxx, external/ippcp_internal, external/epid-sdk, node_modules, node-ffi-rs vendor
Apache-2.0 AND
%dnl sdk/cpprt, sdk/tlibc
%dnl sdk/cpprt, sdk/tlibc, node_modules
BSD-2-Clause AND
%dnl external/dcap_source, sdk/*
%dnl external/dcap_source, sdk/*, node_modules
BSD-3-Clause AND
%dnl sdk/tlibc
@ -177,10 +184,10 @@ License: %{shrink:
%dnl psd/urts/linux/isgx_user.h
GPL-2.0-only AND
%dnl sdk/tlibc, sdk/pthread
%dnl sdk/tlibc, sdk/pthread, node_modules, node-ffi-rs vendor
ISC AND
%dnl external/cbor/libcbor, sdk/*
%dnl external/cbor/libcbor, sdk/*, node_modules, node-ffi-rs vendor
MIT AND
%dnl sdk/tlibc/stdlib/malloc.c
@ -198,6 +205,12 @@ License: %{shrink:
%dnl sdk/tlibc/math
SunPro AND
%dnl node-ffi-rs vendor
Unicode-3.0 AND
%dnl node_modules, node-ffi-rs vendor
Unlicense AND
%dnl sdk/tlibc
LicenseRef-Fedora-Public-Domain
}
@ -208,14 +221,14 @@ URL: https://github.com/intel/linux-sgx
############################################################
# SGX related projects SourceN for N in (0..9)
Source0: https://github.com/intel/linux-sgx/archive/refs/tags/sgx_%{linux_sgx_version}_reproducible.tar.gz#/linux-sgx-%{linux_sgx_version}-reproducible.tar.gz
Source0: https://github.com/intel/linux-sgx/archive/refs/tags/sgx_%{linux_sgx_version}.tar.gz#/linux-sgx-%{linux_sgx_version}.tar.gz
# repack.sh purges all the prebuilt AE's that we ship in a different RPM
# as well as 'prebuilt/' content (openssl / OPA binaries) that we must
# not distribute.
Source1: repack.sh
Source2: https://github.com/intel/SGXDataCenterAttestationPrimitives/archive/refs/tags/dcap_%{dcap_version}_reproducible.tar.gz
Source2: https://github.com/intel/SGXDataCenterAttestationPrimitives/archive/refs/tags/DCAP_%{dcap_version}.tar.gz
Provides: bundled(dcap) = %{dcap_version}
# Upload tarball is:
@ -278,6 +291,20 @@ Source46: qgs.sysconfig
Source48: mpa_registration.service
Source50: pccs.sysusers.conf
Source51: pccs.service
# RPM build doesn't run this, but we want it in the src.rpm
# as record of what was used to create Source54
Source52: pccs-nodejs-bundler
# Pre-created using Source53
Source53: dcap-%{dcap_version}-pccs-node-modules.tar.xz
# RPM build doesn't run this, but we want it in the src.rpm
# as record of what was used to create Source55 & Source56
Source54: pccs-node-ffi-rs-bundler
Source55: node-ffi-rs-%{node_ffi_rs_version}.tar.gz
Source56: node-ffi-rs-%{node_ffi_rs_version}-vendor.tar.gz
############################################################
# External projects that have been copied in tarballs as bundles
@ -299,23 +326,20 @@ Patch0002: 0002-Add-support-for-building-against-host-CppMicroServic.patch
# https://github.com/intel/linux-sgx/pull/1055
Patch0003: 0003-Improve-make-debuggability.patch
Patch0004: 0004-Support-disabling-use-of-git-for-ippcp-code.patch
Patch0005: 0005-disable-openmp-protobuf-mbedtls-sample_crypto-builds.patch
Patch0005: 0005-disable-openmp-protobuf-sample_crypto-builds.patch
# https://github.com/intel/linux-sgx/pull/1063
Patch0006: 0006-Fix-compat-with-gcc-14.patch
# https://github.com/intel/linux-sgx/pull/1056
Patch0007: 0007-Fix-escaping-of-regexes-in-sgx-asm-pp.patch
# https://github.com/intel/linux-sgx/pull/1058
Patch0008: 0008-Disable-use-of-bogus-DEF_WEAK-macro.patch
# https://github.com/intel/linux-sgx/pull/1057
Patch0009: 0009-Remove-all-references-to-pccs-service.patch
# https://github.com/intel/linux-sgx/pull/1064
Patch0010: 0010-psw-prefer-dev-sgx_provision-dev-sgx_enclave.patch
Patch0011: 0011-psw-fix-soname-for-libuae_service.so-library.patch
Patch0012: 0012-pcl-remove-redundant-use-of-bool-type.patch
Patch0013: 0013-sdk-honour-CFLAGS-LDFLAGS-set-from-environment.patch
Patch0014: 0014-psw-make-aesm_service-build-verbose.patch
Patch0015: 0015-Fix-modern-C-function-prototype-compliance.patch
Patch0016: 0016-Add-wrapper-for-nasm-to-fix-cmake-compat.patch
Patch0008: 0008-psw-prefer-dev-sgx_provision-dev-sgx_enclave.patch
Patch0009: 0009-psw-fix-soname-for-libuae_service.so-library.patch
Patch0010: 0010-pcl-remove-redundant-use-of-bool-type.patch
Patch0011: 0011-sdk-honour-CFLAGS-LDFLAGS-set-from-environment.patch
Patch0012: 0012-psw-make-aesm_service-build-verbose.patch
Patch0013: 0013-Fix-modern-C-function-prototype-compliance.patch
Patch0014: 0014-Add-wrapper-for-nasm-to-fix-cmake-compat.patch
Patch0015: 0015-fix-BOM-for-pccs-with-DCAP-1.23.patch
# Optional patches
Patch0050: 0050-Disable-inclusion-of-AESM-in-installer.patch
@ -342,6 +366,9 @@ Patch0114: 0114-Delete-broken-checks-for-GCC-version-that-break-fsta.patch
#Patch0115: 0115-Use-distro-provided-rapidjson-package.patch
Patch0116: 0116-Don-t-stomp-on-VERBOSE-variable.patch
Patch0117: 0117-qgs-add-m-MODE-parameter-for-UNIX-socket-mode.patch
Patch0118: 0118-Switch-default-PCCS-port-number-from-8081-to-10801.patch
Patch0119: 0119-Sanitize-paths-to-all-resources-in-PCCS-server.patch
Patch0120: 0120-pccs-only-pass-ApiKey-if-it-is-set.patch
# 0200-0299 -> against intel-sgx-ssl.git
Patch0200: 0200-Enable-pointing-sgxssl-build-to-alternative-glibc-he.patch
@ -367,6 +394,7 @@ BuildRequires: ocaml-ocamlbuild
BuildRequires: openssl
BuildRequires: openssl-devel
BuildRequires: libcurl-devel
BuildRequires: chrpath
BuildRequires: python3-devel
BuildRequires: perl-generators
BuildRequires: perl-interpreter
@ -375,7 +403,12 @@ BuildRequires: perl(FindBin)
BuildRequires: perl(lib)
BuildRequires: perl(IPC::Cmd)
BuildRequires: nasm
BuildRequires: nodejs
BuildRequires: nodejs-devel
BuildRequires: nodejs-npm
BuildRequires: nodejs-packaging
BuildRequires: python-unversioned-command
BuildRequires: sqlite-devel
BuildRequires: systemd-rpm-macros
%if %{with_host_tinyxml2}
BuildRequires: tinyxml2-devel
@ -387,6 +420,11 @@ BuildRequires: CppMicroServices-devel
BuildRequires: protobuf-compiler
BuildRequires: protobuf-devel
BuildRequires: boost-devel
%if 0%{?rhel}
BuildRequires: rust-toolset
%else
BuildRequires: cargo-rpm-macros
%endif
# If dpkg-architecture exists in $PATH, the Makefile
# will change all the install paths, breaking this
@ -457,6 +495,7 @@ Requires: sgx-common = %{version}-%{release}
This package contains the runtime libraries and tools required
to run applications that interact with SGX enclaves on the platform.
%if %{with_aesm}
%package -n sgx-aesm
Summary: SGX platform Architectural Enclave Service Manager
@ -474,6 +513,16 @@ This package contains the Architectural Enclave Service Manager
(AESM) daemon.
%endif
%package -n sgx-pccs
Summary: SGX Provisioning Certificate Caching Service
Requires: nodejs
Requires: sgx-mpa = %{version}-%{release}
%description -n sgx-pccs
SGX Provisioning Certificate Caching Service
%package -n sgx-pccs-admin
Summary: SGX Provisioning Certificate Caching Service Admin Tool
Requires: python3-asn1
@ -483,6 +532,9 @@ Requires: python3-keyring
Requires: python3-requests
Requires: python3-urllib3
Requires: sgx-libs = %{version}-%{release}
# pccs admin tool can be used against a remote pccs
# so don't force a hard dep
Recommends: sgx-pccs = %{version}-%{release}
%description -n sgx-pccs-admin
SGX Provisioning Certificate Caching Service Admin Tool
@ -509,8 +561,20 @@ SGX Multi-package Registration Agent
%package -n tdx-qgs
Summary: TDX Quoting Generation Service
Requires: sgx-libs = %{version}-%{release}
Recommends: sgx-mpa sgx-pckid-tool
Suggests: sgx-pckid-tool
# mpa provides auto-registration of the platform, if it
# is enabled in EFI. If not enabled, it is a no-op so
# safe to have installed by default regardless, but use
# weak dep to allow skipping for optimized installs
Recommends: sgx-mpa = %{version}-%{release}
# If auto-registration is not enabled, the pckid-tool
# is needed for manual registration; it is also useful
# misc admin tasks
Recommends: sgx-pckid-tool = %{version}-%{release}
# In internet isolated hosts pccs can be used to
# provide pre-cached certs, either running it on
# localhost or on the LAN. Weak dep though as it
# is expected that LAN deployment is more common
Suggests: sgx-pccs = %{version}-%{release}
%enclave_requires ide %{enclave_ide_version}
%enclave_requires pce %{enclave_pce_version}
@ -544,7 +608,7 @@ in applications
%prep
%setup -q -n linux-sgx-sgx_%{linux_sgx_version}_reproducible
%setup -q -n linux-sgx-sgx_%{linux_sgx_version}
%autopatch -m 0 -M 49 -p1
%if !%{with_aesm}
@ -572,7 +636,7 @@ rm -rf external/tinyxml2
# Don't intend to package these optional bits since none of
# the required enclaves need this, and thus we can cut down
# on bundling some 3rd party code
rm -rf external/{dnnl,openmp,protobuf,mbedtls} sdk/sample_libcrypto
rm -rf external/{dnnl,openmp,protobuf} sdk/sample_libcrypto
############################################################
# dcap
@ -705,8 +769,9 @@ touch psw/ae/data/prebuilt/libsgx_{le,qe,pve,pce}.signed.so
touch ../prebuilt/opa_bin/policy.wasm
)
# Sanity check that upstream hasn't include more prebult
# files that we've not expected.
# Sanity check that upstream hasn't include more prebuilt
# files that we're not expecting and thus failed to purge
# in the repack.sh script.
find -name '*.a' -o -name '*.o' > prebuilt.txt
if test -s prebuilt.txt
then
@ -830,10 +895,15 @@ done
############################################################
# Fourth, build the Platform Software
# XXX temp override -j1 due to race conditions that have not yet been diagnosed
#
# Perhaps 20% of the time it will fail with error like:
#
# /usr/bin/ld: /builddir/build/BUILD/linux-sgx-2.26-build/linux-sgx-sgx_2.26/common/se_wrapper_psw/libwrapper.a: error adding symbols: file format not recognized
CFLAGS="%{build_cflags}" \
CXXFLAGS="%{build_cxxflags}" \
LDFLAGS="%{build_ldflags}" \
%__make %{?_smp_mflags} \
%__make %{?_smp_mflags} -j1 \
-C psw/ V=1 VERBOSE=1 \
SGX_SDK=$(pwd)/%{vroot}/sgxsdk \
SGX_ENCLAVE_PATH=%{sgx_libdir} \
@ -849,6 +919,40 @@ LDFLAGS="%{build_ldflags}" \
SGX_SDK=$(pwd)/%{vroot}/sgxsdk \
SGX_ENCLAVE_PATH=%{sgx_libdir}
(
# PCCS NodeJS deps bundle
cd external/dcap_source
tar Jxvf %{SOURCE53}
cd QuoteGeneration/pccs
perl -i -p -e 's,"sqlite%":"internal","sqlite%":"/usr",' node_modules/sqlite3/binding.gyp
perl -i -p -e 's,\(sqlite\)/lib,(sqlite)/lib64,' node_modules/sqlite3/binding.gyp
for pkg in node_modules/*
do
(
cd $pkg
npm run install --if-present --nodedir=/usr
)
done
# Keep brp-mangle-shebangs happy
find node_modules -type f -exec chmod -x {} \;
chrpath --delete node_modules/sqlite3/build/Release/node_sqlite3.node
tar zxvf %{SOURCE55}
(
cd node-ffi-rs-%{node_ffi_rs_version}
tar zxvf %{SOURCE56}
%cargo_prep -v vendor
%cargo_build
mv target/rpm/libffi_rs.so ../node_modules/ffi-rs/ffi-rs.linux-x64-gnu.node
)
)
# SDK provides dummy stub libraries to deal with a circular
# build dependancy problem where the PSW wants these libs
@ -977,6 +1081,7 @@ do
done
cp -a %{vroot}/root/ %{buildroot}/root
# Second, re-arrange the content to match the normal tree
# layout Fedora expects. We rm/rmdir any bits we don't
# want, such that RPM will warn about any files left in
@ -1044,6 +1149,51 @@ rmdir %{buildroot}/root/opt/intel/sgx-aesm-service
%endif
############################################################
# Host PCCS service
# Home dir for 'pccs' user
%__install -d %{buildroot}%{_sharedstatedir}/pccs
%__install -d %{buildroot}%{_localstatedir}/log/pccs
%__install -d %{buildroot}%{_sysconfdir}/pccs
%__install -d %{buildroot}%{_sysconfdir}/pccs/ssl
%__install -d %{buildroot}%{nodejs_sitearch}/pccs
mv %{buildroot}/root/opt/intel/sgx-dcap-pccs/lib/libPCKCertSelection.so \
%{buildroot}%{_libdir}/libPCKCertSelection.so.1
ln -s libPCKCertSelection.so.1 %{buildroot}%{_libdir}/libPCKCertSelection.so
mv %{buildroot}/root/opt/intel/sgx-dcap-pccs/config/default.json \
%{buildroot}%{_sysconfdir}/pccs/default.json
rmdir %{buildroot}/root/opt/intel/sgx-dcap-pccs/config
rm -f %{buildroot}/root/lib/systemd/system/pccs.service
mv %{buildroot}/root/opt/intel/sgx-dcap-pccs/* \
%{buildroot}%{nodejs_sitearch}/pccs
rmdir %{buildroot}/root/opt/intel/sgx-dcap-pccs
(
# Node JS deps bundle
cd external/dcap_source/QuoteGeneration/pccs
rm -f install.sh README.md
# So find-debuginfo processes it
chmod +x node_modules/sqlite3/build/Release/node_sqlite3.node
cp -a node_modules %{buildroot}%{nodejs_sitearch}/pccs/node_modules
)
cat >>%{buildroot}%{_sbindir}/pccs <<EOF
#!/usr/bin/sh
exec node %{nodejs_sitearch}/pccs/pccs_server.js
EOF
chmod +x %{buildroot}%{_sbindir}/pccs
%__install -m 0644 %{SOURCE50} %{buildroot}%{_sysusersdir}/pccs.conf
%__install -m 0644 %{SOURCE51} %{buildroot}%{_unitdir}/pccs.service
############################################################
# Host PCCS admin tool
@ -1150,18 +1300,16 @@ done
mv %{buildroot}/root/etc/sgx_default_qcnl.conf \
%{buildroot}%{_sysconfdir}/
# PCCS no longer exists, so default to the public API service
perl -i -p -e 's,https://localhost:8081/sgx/certification/v4/,https://api.trustedservices.intel.com/sgx/certification/v4/,' \
# Default to the public API service. If users do deploy pccs
# it probably makes more sense to do so on the LAN, so don't
# assume localhost deployment. This also allows out of the box
# usage without having to create a local x509 CA for PCCS.
perl -i -p -e 's,https://localhost:10801/sgx/certification/v4/,https://api.trustedservices.intel.com/sgx/certification/v4/,' \
%{buildroot}%{_sysconfdir}/sgx_default_qcnl.conf
%__install %{SOURCE42} %{buildroot}%{_sysusersdir}/sgxprv.conf
%__install %{SOURCE43} %{buildroot}%{_udevrulesdir}/92-sgx-provision.rules
# Previously part of PCCS BOM, now we must install manually
mv external/dcap_source/tools/PCKCertSelection/out/libPCKCertSelection.so \
%{buildroot}%{_libdir}/libPCKCertSelection.so.1
ln -s libPCKCertSelection.so.1 %{buildroot}%{_libdir}/libPCKCertSelection.so
############################################################
# Misc cleanup
@ -1371,41 +1519,38 @@ fi
%dir %{sgx_libdir}/
%{sgx_libdir}/libsgx_pthread.a
%{sgx_libdir}/libsgx_tcxx.a
%{sgx_libdir}/libsgx_tprotected_fs.a
%{sgx_libdir}/libsgx_tservice.a
%{sgx_libdir}/libsgx_tstdc.a
%{sgx_libdir}/libsgx_uprotected_fs.a
%{sgx_libdir}/libsgx_uswitchless.a
%{sgx_libdir}/libsgx_dcap_tvl.a
%{_libdir}/libsgx_capable.so
%{_libdir}/libsgx_ptrace.so
%{sgx_libdir}/libsgx_trts.a
%{sgx_libdir}/libsgx_tcrypto.a
%{_libdir}/libsgx_epid_sim.so
%{_libdir}/libsgx_launch_sim.so
%{_libdir}/libsgx_quote_ex_sim.so
%{_libdir}/libsgx_uae_service_sim.so
%{_libdir}/libsgx_urts_sim.so
%{sgx_libdir}/libsgx_capable.a
%{sgx_libdir}/libsgx_dcap_tvl.a
%{sgx_libdir}/libsgx_ossl_fips.a
%{sgx_libdir}/libsgx_pcl.a
%{sgx_libdir}/libsgx_pclsim.a
%{sgx_libdir}/libsgx_pthread.a
%{sgx_libdir}/libsgx_tcmalloc.a
%{sgx_libdir}/libsgx_tcrypto.a
%{sgx_libdir}/libsgx_tcxx.a
%{sgx_libdir}/libsgx_tkey_exchange.a
%{sgx_libdir}/libsgx_tprotected_fs.a
%{sgx_libdir}/libsgx_trts.a
%{sgx_libdir}/libsgx_trts_sim.a
%{sgx_libdir}/libsgx_tservice.a
%{sgx_libdir}/libsgx_tservice_sim.a
%{sgx_libdir}/libsgx_tstdc.a
%{sgx_libdir}/libsgx_tswitchless.a
%{sgx_libdir}/libsgx_ttls.a
%{sgx_libdir}/libsgx_ukey_exchange.a
%{sgx_libdir}/libsgx_uprotected_fs.a
%{sgx_libdir}/libsgx_uswitchless.a
%{sgx_libdir}/libsgx_utls.a
%{sgx_libdir}/libtdx_tls.a
%{_libdir}/libsgx_capable.so
%{_libdir}/libsgx_epid_sim.so
%{_libdir}/libsgx_launch_sim.so
%{_libdir}/libsgx_ptrace.so
%{_libdir}/libsgx_quote_ex_sim.so
%{_libdir}/libsgx_uae_service_sim.so
%{_libdir}/libsgx_urts_sim.so
%{_libdir}/pkgconfig/libsgx_epid_sim.pc
%{_libdir}/pkgconfig/libsgx_launch_sim.pc
%{_libdir}/pkgconfig/libsgx_quote_ex_sim.pc
@ -1521,6 +1666,18 @@ fi
%endif
%files -n sgx-pccs
%{_sbindir}/pccs
%dir %{_sysconfdir}/pccs
%attr(0750,root,pccs) %dir %{_sysconfdir}/pccs/ssl
%config(noreplace) %{_sysconfdir}/pccs/default.json
%{_unitdir}/pccs.service
%{nodejs_sitearch}/pccs
%{_sysusersdir}/pccs.conf
%attr(0700,pccs,pccs) %dir %{_sharedstatedir}/pccs
%attr(0700,pccs,pccs) %dir %{_localstatedir}/log/pccs
%if %{with_pccsadmin}
%files -n sgx-pccs-admin
%{_bindir}/pccsadmin

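--- a/pccs-node-ffi-rs-bundler
+++ b/pccs-node-ffi-rs-bundler
@@ -0,0 +1,33 @@
+#!/bin/sh
+set -v
+set -e
+if test -z "$1"
+then
+echo "syntax: $0 VERSION"
+exit 1
+fi
+VERSION=$1
+PACKAGE=node-ffi-rs
+AUTHOR=zhangyuang
+GITURL=https://github.com/${AUTHOR}/${PACKAGE}
+if ! test -d $PACKAGE
+then
+git clone $GITURL
+fi
+cd $PACKAGE
+git checkout master
+git reset --hard
+git clean -f -x -d
+git pull
+git archive v${VERSION} -o ../node-ffi-rs-${VERSION}.tar.gz --prefix "node-ffi-rs-${VERSION}/"
+git checkout v${VERSION}
+cargo vendor-filterer --platform x86_64-unknown-linux-gnu
+tar zcvf ../node-ffi-rs-${VERSION}-vendor.tar.gz vendor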
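Review bot: The release tag is trusted as-is: `git archive v${VERSION}` packs whatever `v${VERSION}` points to in the freshly pulled clone, and nothing in the script records or checks the commit behind it, so a tag that was moved upstream would produce a different tarball under the same name. Printing the resolved commit before archiving, e.g. `git rev-parse "v${VERSION}^{commit}"`, and comparing it with the commit that was reviewed for packaging would make the origin of Source55 and Source56 auditable. The vendor tarball is written with plain `tar zcvf`, without the `--sort=name` that pccs-nodejs-bundler passes, so two runs are not guaranteed to be byte-identical and a second person cannot re-derive the SHA512 recorded in `sources`. `$1`, `$PACKAGE` and `$GITURL` are also expanded unquoted; `VERSION="$1"` and quoted uses below would be the safer habit.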

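--- a/pccs-nodejs-bundler
+++ b/pccs-nodejs-bundler
@@ -0,0 +1,55 @@
+#!/bin/sh
+set -v
+set -e
+if test -z "$1"
+then
+echo "syntax: $0 VERSION"
+exit 1
+fi
+VERSION=$1
+TARBALL=DCAP_${VERSION}.tar.gz
+if ! test -f $TARBALL
+then
+echo "error: $0 missing $TARBALL"
+exit 1
+fi
+tar xfz $TARBALL
+DIRNAME=SGXDataCenterAttestationPrimitives-DCAP_${VERSION}
+pushd $DIRNAME
+pushd QuoteGeneration/pccs
+echo " Downloading prod dependencies"
+npm install --omit=dev --omit=optional --ignore-scripts
+rm -rf node_modules/*/prebuilds
+rm -f node_modules/sqlite3/deps/sqlite-autoconf-*.tar.gz
+popd
+echo "LICENSES IN BUNDLE:"
+find . -name "package.json" -exec jq '.license | strings' {} \; >> ../dcap-${VERSION}-pccs-nodejs-licenses.txt
+find . -name "package.json" -exec jq '.license | objects | .type' {} \; >> ../dcap-${VERSION}-pccs-nodejs-licenses.txt 2>/dev/null
+find . -name "package.json" -exec jq '.licenses[] .type' {} \; >> ../dcap-${VERSION}-pccs-nodejs-licenses.txt 2>/dev/null
+sort -u -o ../dcap-${VERSION}-pccs-nodejs-licenses.txt ../dcap-${VERSION}-pccs-nodejs-licenses.txt
+# Locate any dependencies without a provided license
+find . -type f -name package.json -execdir jq 'if .license==null and .licenses==null then .name else null end' '{}' '+' \
+| grep -vE '^null$' | sort -u > ../nolicense.txt
+if [ -s ../nolicense.txt ]; then
+echo -e "\e[5m\e[41mSome dependencies do not list a license. Manual verification required!\e[0m"
+cat ../nolicense.txt
+echo -e "\e[5m\e[41m======================================================================\e[0m"
+fi
+if [ -d QuoteGeneration/pccs/node_modules ] ; then
+tar cJf ../dcap-${VERSION}-pccs-node-modules.tar.xz --sort=name $(find QuoteGeneration/pccs -type d -name node_modules)
+fi
+popd
+rm -rf $DIRNAME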
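Review bot: `npm install --omit=dev --omit=optional --ignore-scripts` resolves dependency versions at the moment the script is run, so the contents of `dcap-${VERSION}-pccs-node-modules.tar.xz` depend on the registry state that day unless a lockfile in `QuoteGeneration/pccs` pins them; whether upstream ships one is not visible here. If it does, `npm ci --omit=dev --omit=optional --ignore-scripts` would fail on any drift instead of re-resolving silently, and either way saving the output of `npm ls --all` next to the licence list would record exactly what went into the bundle. The missing-licence check only prints a warning; an `exit 1` at the end of that `if` would stop the tarball from being written before the listed packages have been checked. Separately, the shebang is `#!/bin/sh` while the script uses `pushd`/`popd` and `echo -e`, which are bash features, so `#!/bin/bash` matches what the script actually needs.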

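--- a/pccs.service
+++ b/pccs.service
@@ -0,0 +1,23 @@
+[Unit]
+Description=Provisioning Certificate Caching Service (PCCS)
+Documentation=https://github.com/intel/SGXDataCenterAttestationPrimitives/blob/master/QuoteGeneration/pccs/README.md
+After=syslog.target network.target auditd.service mpa_registration.service
+ConditionPathExists=/dev/sgx_enclave
+Requires=mpa_registration.service
+[Service]
+Type=simple
+User=pccs
+ExecStart=/usr/sbin/pccs
+Restart=on-failure
+RestartSec=15s
+Environment=NODE_CONFIG_DIR=/etc/pccs
+WorkingDirectory=/var/lib/pccs
+InaccessibleDirectories=/home
+DevicePolicy=closed
+DeviceAllow=/dev/sgx_enclave rw
+DeviceAllow=/dev/sgx_provision rw
+[Install]
+WantedBy=multi-user.target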
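Review bot: The `[Service]` section confines a network-facing Node.js daemon with only `User=pccs`, `InaccessibleDirectories=/home` and the device allow-list, so a compromise of the service is bounded by little more than the file permissions of the `pccs` account. Adding `NoNewPrivileges=yes`, `PrivateTmp=yes` and `ProtectSystem=strict` with `ReadWritePaths=` limited to the state and log directories would narrow that, assuming PCCS writes nowhere else, which should be confirmed against the configuration in /etc/pccs. `InaccessibleDirectories=` is the legacy spelling of `InaccessiblePaths=`, and `ProtectHome=yes` would cover /root and /run/user as well as /home. `After=syslog.target` is obsolete on current systemd and can be dropped.

```ini
# … unchanged: Type=, User=, ExecStart=, Restart=, RestartSec=, Environment= …
WorkingDirectory=/var/lib/pccs
NoNewPrivileges=yes
PrivateTmp=yes
ProtectHome=yes
ProtectSystem=strict
ReadWritePaths=/var/lib/pccs /var/log/pccs
ProtectKernelModules=yes
ProtectControlGroups=yes
# … unchanged: DevicePolicy=, DeviceAllow= …
```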

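--- a/pccs.sysusers.conf
+++ b/pccs.sysusers.conf
@@ -0,0 +1 @@
+u pccs - "SGX PCCS Server" /var/lib/pccs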

15
sources

@ -1,13 +1,16 @@
SHA512 (dcap_1.22_reproducible.tar.gz) = 1f6d79721f9b7c86a8a935429c8133db9cc24585a8fa3e8e8fbab99f5f0ffebdb206077844c83e630e2ad15d51ec7ad8ea35352f5ccbf7408dc3ced885b89b72
SHA512 (DCAP_1.23.tar.gz) = 02fe956c176362079094c5009ce48d6dc4d17233217a9d6d779707893231e68b065ca02a458d5b06e518b99185f00e3d0e5f6c4165bbde1fe22b87d52f952e29
SHA512 (dcap-qvl-1.21.tar.gz) = 62ab0d9f48c9a8d975cb861ac5161770b990af3bbc8ff67a8b9ca48af86565b6d445cfe87786d332a65efee22114de2e2a4589722625cbc4fc6b58647599626d
SHA512 (dcap-qvs-1.1.0-2885.tar.gz) = 811663f713902f263e3d8ad7cc7d62e92f76f1618c5ac8b5366dc880d79509a0d349328ac2d8f9dc2170e09d80ac00ec934f7cbf3594bec9cb69b6b544ca30e6
SHA512 (intel-sgx-ssl-3.0_Rev4.tar.gz) = 9b8bd2ec3c9eccb3fbbecdaa586b669fa68f4bf68911194dcba6f7ea9c8ec84503a86733c70019124eaeff4ac79c6f178435c2a51530104f22014760146d87fe
SHA512 (intel-sgx-ssl-3.1.6_Rev1.tar.gz) = cbcae2df7a2518fa00e05dacb708b39ba0d1f1aa23f12a97c403dbbd02a81965b3f682257302e20fe837fe6abc00848e955b9e02e12eafb6973a358c24c4a6d5
SHA512 (ippcp_2021.12.1.tar.gz) = cdde7eed0f27b80663bf6a131abd8e6afcf16f0b9897ae12e251dc6bd3a9cc15c7666e4276eb4ba4b3b66fa93b5115c29537e176a6a2fb0de1b17cfcc1b7c426
SHA512 (jwt-cpp-0.6.0.tar.gz) = b6d5ebb3a7eeb6fef9a1d41c707251d1ab05bf47920c280d5203f1b9ee5bf6f8e914cd2ffaed66550cfa6d78c34465d4cf86517a759d5f8739b429faf1c2c0ef
SHA512 (libcbor-0.10.2.tar.gz) = 23c6177443778d4b4833ec7ed0d0e639a0d4863372e3a38d772fdce2673eae6d5cb2a31a2a021d1a699082ea53494977c907fd0e94149b97cb23a4b6d039228a
SHA512 (linux-sgx-2.25-reproducible.tar.gz) = 5fa14448c872822916c5abe4f21e633ee2967ae605de426ccef2cdd4572427a63cf00c76160e9f54c072375d23b52342b7befd59e56816b4226799b8a627f98c
SHA512 (openssl-3.0.14.tar.gz) = 1c59c01e60da902a20780d71f1fa5055d4037f38c4bc3fb27ed5b91f211b36a6018055409441ad4df58b5e9232b2528240d02067272c3c9ccb8c221449ca9ac0
SHA512 (prebuilt_dcap_1.22-repacked.tar.gz) = 306ab63c28635ebee51c194087c9212a6223619a07f8bd50ba1e5d5a7bdd2325edfb40c69f7e59a937fe21bc937248c5d273790eed45ca67fcde9298d5abd2f7
SHA512 (linux-sgx-2.26.tar.gz) = 129ee9d6f2d33157f0d96adef1a6c44a801a1064c1c0c75f8bf61f7085408e1de34f59d7acab26f7db32618b1f3ba2c08e2ffa8879f43450c14f085d902ab687
SHA512 (node-ffi-rs-1.2.6.tar.gz) = 37f95562e5a61b60949c59d024bea2e2d02c6bf1b21a3bc07d558538d05082a03d1ba2eb8e4500fd4ccd7e556aae0c60fc875d487b2d2d54c8302757f69dc003
SHA512 (node-ffi-rs-1.2.6-vendor.tar.gz) = 76d59d69a842ce207dce21f12a8ada3b3b1b81a93ccd3a0b68838cea4aad1cbdba0a314ff7208b43caf6435e820a226ab1e8f8477bedcdb323eec80976ab96be
SHA512 (openssl-3.1.6.tar.gz) = 18ca07ee6a98d5fe46accfa0156e0354ad770d78bbbbe8e4bb92b316a0e4404f17a34eb700f17ed355d826a4b2166894aa46d8dd81fedbcb16aa1aad0926a390
SHA512 (prebuilt_dcap_1.23-repacked.tar.gz) = a253b7ea5a9a0c73a31259bb852ad5942d9c11c98ea23616bec3cef028ed135090a5837895a1a5771bc8507caec1c1a6c845bd12e01864bfd79fb1827867ce66
SHA512 (sgx-emm-1.0.3.tar.gz) = 0ec9f0133b3a32409c8af61568a47128a1860407170b9b274647140ac36069851638d7282649e23590131d44ca93f839fd2ffe4b9b39821631d279c1384874bf
SHA512 (wasm-micro-runtime-1.0.0.tar.gz) = fb16a992b54f5c006be386b72ff65c680ededaafe7f2010db163b6e4365d198cc96f06ae60ac42986aaf45609803ffc1722308277474c341673e391f9bc4846e
SHA512 (dcap-1.23-pccs-node-modules.tar.xz) = 7f311e72b3bd66009574cd77b5398cc6081626de2394dfb567308172f1ae325e4720e596f9badc0084a5750dc990c774b025816f509b4e1e73be9af7784c2065
SHA512 (tinyxml2-10.0.0.tar.gz) = a359d33bc12fad455b53d81011dbe12727cae0aabfaa5704f1a25807ca216dd854a571291029886c0beedeca5c3b6393dd49c4718773e18a0e008abbdb3de36a
SHA512 (wasm-micro-runtime-1.3.3.tar.gz) = 53f2ee3adf55e5b2e207287231621bef50b812c3e228c9306a03b7487ff579e2fc3ed2831da546cbcc337843e139d1add2b0276e87a58b3035eb0c2fbb73b275