diff --git a/.gitignore b/.gitignore index e69de29..c5927e4 100644 --- a/.gitignore +++ b/.gitignore @@ -0,0 +1,13 @@ +/dcap_1.22_reproducible.tar.gz +/dcap-qvl-1.21.tar.gz +/dcap-qvs-1.1.0-2885.tar.gz +/intel-sgx-ssl-3.0_Rev4.tar.gz +/ippcp_2021.12.1.tar.gz +/jwt-cpp-0.6.0.tar.gz +/libcbor-0.10.2.tar.gz +/linux-sgx-2.25-reproducible.tar.gz +/openssl-3.0.14.tar.gz +/prebuilt_dcap_1.22-repacked.tar.gz +/sgx-emm-1.0.3.tar.gz +/tinyxml2-10.0.0.tar.gz +/wasm-micro-runtime-1.3.3.tar.gz diff --git a/0000-Add-support-for-building-against-host-openssl-crypto.patch b/0000-Add-support-for-building-against-host-openssl-crypto.patch new file mode 100644 index 0000000..9fe6c5f --- /dev/null +++ b/0000-Add-support-for-building-against-host-openssl-crypto.patch 
@@ -0,0 +1,216 @@ +From 3a59361036c6096c817444b68bd3ff6d5e0224cd Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?= +Date: Thu, 13 Feb 2025 14:12:38 +0000 +Subject: [PATCH 00/13] Add support for building against host openssl crypto + lib +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +For the host tools/libraries it is desirable to be build +against the host provided openssl crypto library, such +that security updates automatically propagate from the +distro vendor. + +This is enabled as an opt-in by setting the make variable + + USE_HOST_OPENSSL_CRYPTO=1 + +Signed-off-by: Daniel P. Berrangé +--- + buildenv.mk | 13 +++++++++++++ + psw/ae/aesm_service/Makefile | 3 +++ + psw/ae/aesm_service/source/utils/CMakeLists.txt | 4 ++-- + psw/urts/linux/Makefile | 8 +++----- + sdk/sign_tool/SignTool/Makefile | 7 ++----- + sdk/simulation/uae_service_sim/linux/Makefile | 7 ++----- + sdk/simulation/urtssim/linux/Makefile | 7 ++----- + 7 files changed, 27 insertions(+), 22 deletions(-) + +diff --git a/buildenv.mk b/buildenv.mk +index 4689c603..acae2106 100644 +--- a/buildenv.mk ++++ b/buildenv.mk +@@ -371,3 +371,16 @@ else + SGX_LIB_DIR := $(SGX_SDK)/lib64/$(MITIGATION_LIB_PATH) + SGX_BIN_DIR := $(SGX_SDK)/bin/x64 + endif ++ ++USE_HOST_OPENSSL_CRYPTO ?= 0 ++ ++ifeq ($(USE_HOST_OPENSSL_CRYPTO), 1) ++OPENSSL_CRYPTO_CFLAGS = $(shell pkg-config --cflags libcrypto) ++OPENSSL_CRYPTO_LDFLAGS = $(shell pkg-config --libs libcrypto) ++OPENSSL_CRYPTO_LIBS = $(shell pkg-config --libs libcrypto) ++else ++OPENSSL_CRYPTO_PREBUILT_DIR := $(LINUX_EXTERNAL_DIR)/dcap_source/prebuilt/openssl ++OPENSSL_CRYPTO_CFLAGS = -I$(OPENSSL_CRYPTO_PREBUILT_DIR)/inc ++OPENSSL_CRYPTO_LDFLAGS = -L$(OPENSSL_CRYPTO_PREBUILT_DIR)/lib/linux64 -lcrypto ++OPENSSL_CRYPTO_LIBS = $(OPENSSL_CRYPTO_PREBUILT_DIR)/lib/linux64/libcrypto.a ++endif +diff --git a/psw/ae/aesm_service/Makefile b/psw/ae/aesm_service/Makefile +index 498d6e2f..bac84292 100644 +--- 
a/psw/ae/aesm_service/Makefile ++++ b/psw/ae/aesm_service/Makefile +@@ -46,6 +46,9 @@ ifeq ($(BUILD_REF_LE), 1) + AESM_CONFIG += -DREF_LE=ON + endif + ++AESM_CONFIG += -DOPENSSL_CRYPTO_CFLAGS=$(OPENSSL_CRYPTO_CFLAGS) ++AESM_CONFIG += -DOPENSSL_CRYPTO_LIBS=$(OPENSSL_CRYPTO_LIBS) ++ + ifeq ($(ARCH), x86) + SQLITECFLAGS += -m32 + else +diff --git a/psw/ae/aesm_service/source/utils/CMakeLists.txt b/psw/ae/aesm_service/source/utils/CMakeLists.txt +index a3843bdf..2c9c87b3 100644 +--- a/psw/ae/aesm_service/source/utils/CMakeLists.txt ++++ b/psw/ae/aesm_service/source/utils/CMakeLists.txt +@@ -45,7 +45,7 @@ target_include_directories(utils PRIVATE + ${PROJECT_SOURCE_DIR}/../../../../external/epid-sdk + ${PROJECT_SOURCE_DIR}/../../../../external/rdrand + ${PROJECT_SOURCE_DIR}/../../data/constants/linux +- ${PROJECT_SOURCE_DIR}/../../../../external/dcap_source/prebuilt/openssl/inc ++ ${OPENSSL_CRYPTO_CFLAGS} + ) + + target_compile_definitions(utils PRIVATE +@@ -55,7 +55,7 @@ target_compile_definitions(utils PRIVATE + set_property(TARGET utils APPEND_STRING PROPERTY LINK_FLAGS " -Wl,-z,defs") + + target_link_libraries(utils +- ${PROJECT_SOURCE_DIR}/../../../../external/dcap_source/prebuilt/openssl/lib/linux64/libcrypto.a ++ ${OPENSSL_CRYPTO_LIBS} + oal + ${CMAKE_SOURCE_DIR}/../../../../external/rdrand/src/librdrand.a + ) +diff --git a/psw/urts/linux/Makefile b/psw/urts/linux/Makefile +index 41797648..4097444c 100644 +--- a/psw/urts/linux/Makefile ++++ b/psw/urts/linux/Makefile +@@ -43,8 +43,6 @@ CFLAGS += -fPIC -Werror -g + CFLAGS += $(ADDED_INC) + + VTUNE_DIR = $(LINUX_EXTERNAL_DIR)/vtune/linux +-PREBUILT_OPENSSL_DIR := $(LINUX_EXTERNAL_DIR)/dcap_source/prebuilt/openssl +-CRYPTO_LIB := -L$(PREBUILT_OPENSSL_DIR)/lib/linux64 -lcrypto + + INC += -I$(SGX_HEADER_DIR) \ + -I$(COMMON_DIR)/inc/internal \ +@@ -55,14 +53,14 @@ INC += -I$(SGX_HEADER_DIR) \ + -I$(LINUX_PSW_DIR)/urts/parser \ + -I$(VTUNE_DIR)/include \ + -I$(VTUNE_DIR)/sdk/src/ittnotify \ +- 
-I$(PREBUILT_OPENSSL_DIR)/inc ++ $(OPENSSL_CRYPTO_CFLAGS) + + LDFLAGS := -lwrapper + INTERNAL_LDFLAGS := -lwrapper + LDFLAGS += $(COMMON_LDFLAGS) -Wl,-Bdynamic -L$(BUILD_DIR) -lsgx_enclave_common -lpthread + INTERNAL_LDFLAGS += $(COMMON_LDFLAGS) -lpthread +-LDFLAGS += -L$(VTUNE_DIR)/sdk/src/ittnotify -littnotify -ldl $(CRYPTO_LIB) +-INTERNAL_LDFLAGS += -L$(VTUNE_DIR)/sdk/src/ittnotify -littnotify -ldl $(CRYPTO_LIB) ++LDFLAGS += -L$(VTUNE_DIR)/sdk/src/ittnotify -littnotify -ldl $(OPENSSL_CRYPTO_LDFLAGS) ++INTERNAL_LDFLAGS += -L$(VTUNE_DIR)/sdk/src/ittnotify -littnotify -ldl $(OPENSSL_CRYPTO_LDFLAGS) + LDFLAGS += -Wl,--version-script=urts.lds -Wl,--gc-sections + INTERNAL_LDFLAGS += -Wl,--version-script=urts_internal.lds -Wl,--gc-sections + +diff --git a/sdk/sign_tool/SignTool/Makefile b/sdk/sign_tool/SignTool/Makefile +index 3d593972..1eb8d460 100644 +--- a/sdk/sign_tool/SignTool/Makefile ++++ b/sdk/sign_tool/SignTool/Makefile +@@ -42,9 +42,6 @@ CFLAGS += $(FLAGS) + CXXFLAGS += $(FLAGS) + LDFLAGS := -pie $(COMMON_LDFLAGS) -Wno-odr + +-PREBUILT_OPENSSL_DIR := $(LINUX_EXTERNAL_DIR)/dcap_source/prebuilt/openssl +-CRYPTO_LIB := -L$(PREBUILT_OPENSSL_DIR)/lib/linux64 -lcrypto +- + INC += $(ADDED_INC) + INC += -I$(COMMON_DIR)/inc \ + -I$(COMMON_DIR)/inc/internal \ +@@ -54,7 +51,7 @@ INC += -I$(COMMON_DIR)/inc \ + -I$(LINUX_PSW_DIR)/urts/linux \ + -I$(LINUX_EXTERNAL_DIR)/tinyxml2 \ + -I$(LINUX_PSW_DIR)/urts/parser \ +- -I$(PREBUILT_OPENSSL_DIR)/inc ++ $(OPENSSL_CRYPTO_CFLAGS) + + DIR1 := $(LINUX_EXTERNAL_DIR)/tinyxml2/ + DIR2 := $(COMMON_DIR)/src/ +@@ -89,7 +86,7 @@ all: sgx_sign | $(BUILD_DIR) + $(BUILD_DIR): + @$(MKDIR) $@ + +-sgx_sign: PRIVATE_LDLIBS := -lpthread -lenclaveparser $(CRYPTO_LIB) -ldl ++sgx_sign: PRIVATE_LDLIBS := -lpthread -lenclaveparser $(OPENSSL_CRYPTO_LDFLAGS) -ldl + sgx_sign: PRIVATE_LDFLAGS := -L$(LINUX_PSW_DIR)/urts/parser $(LDFLAGS) + + sgx_sign: $(OBJS) enclaveparser +diff --git a/sdk/simulation/uae_service_sim/linux/Makefile 
b/sdk/simulation/uae_service_sim/linux/Makefile +index c66beed2..45ddb576 100644 +--- a/sdk/simulation/uae_service_sim/linux/Makefile ++++ b/sdk/simulation/uae_service_sim/linux/Makefile +@@ -34,9 +34,6 @@ include $(TOP_DIR)/buildenv.mk + + get_version_name = $(addsuffix _VERSION,$(shell echo $(subst _deploy,,$(subst libsgx_,,$(basename $1))) | tr a-z A-Z)) + +-PREBUILT_OPENSSL_DIR := $(LINUX_EXTERNAL_DIR)/dcap_source/prebuilt/openssl +-CRYPTO_LIB := -L$(PREBUILT_OPENSSL_DIR)/lib/linux64 -lcrypto +- + INCLUDES := -I.. \ + -I$(COMMON_DIR)/inc \ + -I$(COMMON_DIR)/inc/internal \ +@@ -48,7 +45,7 @@ INCLUDES := -I.. \ + -I$(LINUX_PSW_DIR)/ae/inc \ + -I$(LINUX_PSW_DIR)/ae/inc/internal \ + -I$(LINUX_PSW_DIR)/ae/common \ +- -I$(PREBUILT_OPENSSL_DIR)/inc ++ $(OPENSSL_CRYPTO_CFLAGS) + + + CXXFLAGS += -Wall -fPIC $(INCLUDES) -Werror -g $(CET_FLAGS) +@@ -60,7 +57,7 @@ RDRAND_MAKEFILE := $(RDRAND_LIBDIR)/Makefile + + EXTERNAL_LIB += -L$(RDRAND_LIBDIR) -lrdrand + EXTERNAL_LIB += -L$(RDRAND_LIBDIR) -lrt +-EXTERNAL_LIB += -ldl $(CRYPTO_LIB) ++EXTERNAL_LIB += -ldl $(OPENSSL_CRYPTO_LDFLAGS) + + vpath %.cpp $(LINUX_PSW_DIR)/ae/common \ + $(LINUX_SDK_DIR)/simulation/urtssim \ +diff --git a/sdk/simulation/urtssim/linux/Makefile b/sdk/simulation/urtssim/linux/Makefile +index dde577ca..505ce8d9 100644 +--- a/sdk/simulation/urtssim/linux/Makefile ++++ b/sdk/simulation/urtssim/linux/Makefile +@@ -42,9 +42,6 @@ endif + CXXFLAGS += -fPIC -DSE_SIM -Werror -g $(CET_FLAGS) + CFLAGS += -fPIC -DSE_SIM -Werror -g $(CET_FLAGS) + +-PREBUILT_OPENSSL_DIR := $(LINUX_EXTERNAL_DIR)/dcap_source/prebuilt/openssl +-CRYPTO_LIB := -L$(PREBUILT_OPENSSL_DIR)/lib/linux64 -lcrypto +- + CPPFLAGS += $(ADDED_INC) #for ubuntu 11 and later version + CPPFLAGS += -I$(COMMON_DIR)/inc \ + -I$(COMMON_DIR)/inc/internal/linux \ +@@ -53,7 +50,7 @@ CPPFLAGS += -I$(COMMON_DIR)/inc \ + -I$(LINUX_PSW_DIR)/urts/parser \ + -I$(VTUNE_DIR)/include \ + -I$(VTUNE_DIR)/sdk/src/ittnotify \ +- -I$(PREBUILT_OPENSSL_DIR)/inc ++ 
$(OPENSSL_CRYPTO_CFLAGS) + + CPPFLAGS += -I$(COMMON_DIR)/inc/internal \ + -I$(LINUX_PSW_DIR)/urts/linux \ +@@ -127,7 +124,7 @@ LDFLAGS += $(COMMON_LDFLAGS) -Wl,--version-script=$(LINUX_PSW_DIR)/urts/linux/ur + LIBURTSSIM_SHARED := libsgx_urts_sim.so + LIBURTS_DEPLOY := libsgx_urts_deploy.so + +-LDLIBS += -lwrapper $(CRYPTO_LIB) -Wl,-Bdynamic -Wl,-Bsymbolic -lsgx_uae_service_sim ++LDLIBS += -lwrapper $(OPENSSL_CRYPTO_LDFLAGS) -Wl,-Bdynamic -Wl,-Bsymbolic -lsgx_uae_service_sim + SONAME = $(LIBURTSSIM_SHARED) + + .PHONY: all +-- +2.46.0 + diff --git a/0001-Add-support-for-building-against-host-tinyxml2-lib.patch b/0001-Add-support-for-building-against-host-tinyxml2-lib.patch new file mode 100644 index 0000000..007a2c5 --- /dev/null +++ b/0001-Add-support-for-building-against-host-tinyxml2-lib.patch 
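Review bot: `OPENSSL_CRYPTO_CFLAGS = $(shell pkg-config --cflags libcrypto)` and the two `--libs` lines in the new buildenv.mk block use recursive `=` and never check that pkg-config succeeded, so a missing libcrypto.pc leaves all three variables empty and the build carries on against whatever the default include/link path happens to supply instead of failing at configure time (and pkg-config is re-executed on every expansion). The 0001 tinyxml2 patch repeats the pattern with `TINYXML2_CFLAGS = $(shell pkg-config --cflags tinyxml2)` and its `--libs` line. Use `:=` and an `$(error …)` guard, as below. Separately, the aesm_service CMakeLists now places `${OPENSSL_CRYPTO_CFLAGS}` inside `target_include_directories(utils PRIVATE …)`, which takes directories rather than flags; the prebuilt branch supplies `-I$(OPENSSL_CRYPTO_PREBUILT_DIR)/inc`, which CMake would treat as a relative path, so that branch looks broken unless a conversion happens somewhere outside this hunk. The unquoted `-DOPENSSL_CRYPTO_LIBS=$(OPENSSL_CRYPTO_LIBS)` in the aesm Makefile would also split a multi-word pkg-config result into separate cmake arguments; `-DOPENSSL_CRYPTO_LIBS="$(OPENSSL_CRYPTO_LIBS)"` avoids that.
```make
USE_HOST_OPENSSL_CRYPTO ?= 0

ifeq ($(USE_HOST_OPENSSL_CRYPTO), 1)
ifneq ($(shell pkg-config --exists libcrypto && echo yes), yes)
$(error USE_HOST_OPENSSL_CRYPTO=1 but pkg-config cannot find libcrypto)
endif
OPENSSL_CRYPTO_CFLAGS := $(shell pkg-config --cflags libcrypto)
OPENSSL_CRYPTO_LDFLAGS := $(shell pkg-config --libs libcrypto)
OPENSSL_CRYPTO_LIBS := $(OPENSSL_CRYPTO_LDFLAGS)
else
# … unchanged: prebuilt openssl branch …
endif
```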
@@ -0,0 +1,84 @@ +From 6b1e08b5a1f6c035b7f761349c9751a2983c7a4b Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?= +Date: Thu, 13 Feb 2025 14:01:10 +0000 +Subject: [PATCH 01/13] Add support for building against host tinyxml2 lib +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +For the host tools/libraries it is desirable to be build +against the host provided tinyxml2 library, such that +security updates automatically propagate from the distro +vendor. + +This is enabled as an opt-in by setting the make variable + + USE_HOST_TINYXML2=1 + +Signed-off-by: Daniel P. Berrangé +--- + buildenv.mk | 14 ++++++++++++++ + sdk/sign_tool/SignTool/Makefile | 8 ++++---- + 2 files changed, 18 insertions(+), 4 deletions(-) + +diff --git a/buildenv.mk b/buildenv.mk +index acae2106..6dac4028 100644 +--- a/buildenv.mk ++++ b/buildenv.mk +@@ -384,3 +384,17 @@ OPENSSL_CRYPTO_CFLAGS = -I$(OPENSSL_CRYPTO_PREBUILT_DIR)/inc + OPENSSL_CRYPTO_LDFLAGS = -L$(OPENSSL_CRYPTO_PREBUILT_DIR)/lib/linux64 -lcrypto + OPENSSL_CRYPTO_LIBS = $(OPENSSL_CRYPTO_PREBUILT_DIR)/lib/linux64/libcrypto.a + endif ++ ++USE_HOST_TINYXML2 ?= 0 ++ ++ifeq ($(USE_HOST_TINYXML2), 1) ++TINYXML2_CFLAGS = $(shell pkg-config --cflags tinyxml2) ++TINYXML2_LDFLAGS = $(shell pkg-config --libs tinyxml2) ++TINYXML2_OBJ = ++TINYXML2_DIR = ++else ++TINYXML2_CFLAGS = -I$(LINUX_EXTERNAL_DIR)/tinyxml2 ++TINYXML2_LDFLAGS = ++TINYXML2_OBJ = tinyxml2.o ++TINYXML2_DIR = $(LINUX_EXTERNAL_DIR)/tinyxml2/ ++endif +diff --git a/sdk/sign_tool/SignTool/Makefile b/sdk/sign_tool/SignTool/Makefile +index 1eb8d460..219fb5ad 100644 +--- a/sdk/sign_tool/SignTool/Makefile ++++ b/sdk/sign_tool/SignTool/Makefile +@@ -49,11 +49,11 @@ INC += -I$(COMMON_DIR)/inc \ + -I$(LINUX_PSW_DIR)/enclave_common \ + -I$(LINUX_PSW_DIR)/urts \ + -I$(LINUX_PSW_DIR)/urts/linux \ +- -I$(LINUX_EXTERNAL_DIR)/tinyxml2 \ ++ $(TINYXML2_CFLAGS) \ + -I$(LINUX_PSW_DIR)/urts/parser \ + $(OPENSSL_CRYPTO_CFLAGS) + 
+-DIR1 := $(LINUX_EXTERNAL_DIR)/tinyxml2/ ++DIR1 := $(TINYXML2_DIR) + DIR2 := $(COMMON_DIR)/src/ + DIR3 := $(LINUX_PSW_DIR)/urts/ + DIR4 := $(LINUX_PSW_DIR)/urts/linux +@@ -68,7 +68,7 @@ OBJ1 := manage_metadata.o \ + + OBJ2 := sgx_memset_s.o crypto_evp_digest.o crypto_rsa_key.o crypto_rsa3072.o + +-OBJ3 := tinyxml2.o ++OBJ3 := $(TINYXML2_OBJ) + + OBJ4 := loader.o \ + se_detect.o +@@ -86,7 +86,7 @@ all: sgx_sign | $(BUILD_DIR) + $(BUILD_DIR): + @$(MKDIR) $@ + +-sgx_sign: PRIVATE_LDLIBS := -lpthread -lenclaveparser $(OPENSSL_CRYPTO_LDFLAGS) -ldl ++sgx_sign: PRIVATE_LDLIBS := -lpthread -lenclaveparser $(OPENSSL_CRYPTO_LDFLAGS) -ldl $(TINYXML2_LDFLAGS) + sgx_sign: PRIVATE_LDFLAGS := -L$(LINUX_PSW_DIR)/urts/parser $(LDFLAGS) + + sgx_sign: $(OBJS) enclaveparser +-- +2.46.0 + diff --git a/0002-Add-support-for-building-against-host-CppMicroServic.patch b/0002-Add-support-for-building-against-host-CppMicroServic.patch new file mode 100644 index 0000000..920209d --- /dev/null +++ b/0002-Add-support-for-building-against-host-CppMicroServic.patch 
@@ -0,0 +1,142 @@ +From 08e7b92cc7324b954ba773e8d2edb53f364efb64 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?= +Date: Thu, 13 Feb 2025 14:01:10 +0000 +Subject: [PATCH 02/13] Add support for building against host CppMicroServices + lib +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +For the aesm_sevice it is desirable to be build against the host +provided CppMicroServices library, such that security updates +automatically propagate from the distro vendor. + +This is enabled as an opt-in by setting the make variable + + USE_HOST_CPPMICROSERVICES=1 + +The in-tree bundle of CppMicroServices ships a 6 year outdated +git snapshot that claims to be version 4.0.0, since that time +upstream reverted the version to 3.x.x. Hence the cmake path +used for the host is looking for 'cppmicroservices3' not +'cppmicroservices4' which is used for the ancient bundled copy. + +Signed-off-by: Daniel P. Berrangé +--- + buildenv.mk | 10 +++++++++ + psw/ae/aesm_service/Makefile | 27 ++++++++++++++--------- + psw/ae/aesm_service/source/CMakeLists.txt | 2 +- + 3 files changed, 28 insertions(+), 11 deletions(-) + +diff --git a/buildenv.mk b/buildenv.mk +index 6dac4028..915e2eb4 100644 +--- a/buildenv.mk ++++ b/buildenv.mk +@@ -398,3 +398,13 @@ TINYXML2_LDFLAGS = + TINYXML2_OBJ = tinyxml2.o + TINYXML2_DIR = $(LINUX_EXTERNAL_DIR)/tinyxml2/ + endif ++ ++USE_HOST_CPPMICROSERVICES ?= 0 ++ ++ifeq ($(USE_HOST_CPPMICROSERVICES), 1) ++CPPMICROSERVICES_CMAKE_DIR = /usr/share/cppmicroservices3/cmake ++else ++CPPMICROSERVICES_SRC_DIR = $(LINUX_EXTERNAL_DIR)/CppMicroServices ++CPPMICROSERVICES_INSTALL_DIR = $(CPPMICROSERVICES_SRC_DIR)/local-install ++CPPMICROSERVICES_CMAKE_DIR = $(CPPMICROSERVICES_INSTALL_DIR)/share/cppmicroservices4/cmake ++endif +diff --git a/psw/ae/aesm_service/Makefile b/psw/ae/aesm_service/Makefile +index bac84292..89a15875 100644 +--- a/psw/ae/aesm_service/Makefile ++++ b/psw/ae/aesm_service/Makefile +@@ 
-32,10 +32,8 @@ + TOP_DIR = ../../.. + include $(TOP_DIR)/buildenv.mk + +-CPPMICROSERVICES_DIR := $(LINUX_EXTERNAL_DIR)/CppMicroServices +-CPPMICROSERVICES_INSTALL := $(CPPMICROSERVICES_DIR)/local-install + AESM_CONFIG := -DBUILD_SHARED_LIBS=ON -DUS_BUILD_SHARED_LIBS=ON +-CPPMICROSERVICES_CONFIG := -DCMAKE_INSTALL_PREFIX=$(CPPMICROSERVICES_INSTALL) -DCMAKE_BUILD_TYPE=RelWithDebInfo -DCMAKE_C_FLAGS= -DCMAKE_CXX_FLAGS= -DFORTIFY_SOURCE_VAL=$(FORTIFY_SOURCE_VAL) ++CPPMICROSERVICES_CONFIG := -DCMAKE_INSTALL_PREFIX=$(CPPMICROSERVICES_INSTALL_DIR) -DCMAKE_BUILD_TYPE=RelWithDebInfo -DCMAKE_C_FLAGS= -DCMAKE_CXX_FLAGS= -DFORTIFY_SOURCE_VAL=$(FORTIFY_SOURCE_VAL) + ifdef DEBUG + AESM_CONFIG += -DCMAKE_BUILD_TYPE=Debug + else +@@ -48,6 +46,7 @@ endif + + AESM_CONFIG += -DOPENSSL_CRYPTO_CFLAGS=$(OPENSSL_CRYPTO_CFLAGS) + AESM_CONFIG += -DOPENSSL_CRYPTO_LIBS=$(OPENSSL_CRYPTO_LIBS) ++AESM_CONFIG += -DCPPMICROSERVICES_CMAKE_DIR=$(CPPMICROSERVICES_CMAKE_DIR) + + ifeq ($(ARCH), x86) + SQLITECFLAGS += -m32 +@@ -66,7 +65,9 @@ CFLAGS := $(filter-out -Werror, $(CFLAGS)) + + WHITE_LIST_FILE := $(LINUX_PSW_DIR)/ae/data/prebuilt/white_list_cert_to_be_verify.bin + APPNAME := source/build/bin/aesm_service +-CPPMICROSERVICES:= $(CPPMICROSERVICES_DIR)/build/lib/libCppMicroServices.so.4.0.0 ++ifeq ($(USE_HOST_CPPMICROSERVICES), 0) ++CPPMICROSERVICES:= $(CPPMICROSERVICES_SRC_DIR)/build/lib/libCppMicroServices.so.4.0.0 ++endif + RDRAND_LIBDIR :=$(LINUX_EXTERNAL_DIR)/rdrand/src + RDRAND_MAKEFILE := $(RDRAND_LIBDIR)/Makefile + +@@ -80,21 +81,25 @@ copy_data_file: + + $(APPNAME): $(CPPMICROSERVICES) source/build/CMakeCache.txt urts RDRAND + $(MAKE) -C source/build ++ifeq ($(USE_HOST_CPPMICROSERVICES), 0) + $(CP) $(CPPMICROSERVICES) source/build/bin/ ++endif + + CMAKE_VERSION_MAJOR=$(shell cmake --version | head -n 1 | cut -d \ -f 3 | cut -d . -f 1) + CMAKE_VERSION_MINOR=$(shell cmake --version | head -n 1 | cut -d \ -f 3 | cut -d . 
-f 2 | xargs printf '%02d') + CMAKE_VERSION=$(CMAKE_VERSION_MAJOR)$(CMAKE_VERSION_MINOR) + CMAKE := $(HOME)/cache/bin/cmake + ++ifeq ($(USE_HOST_CPPMICROSERVICES), 0) + .PHONY: CPPMICROSERVICES + $(CPPMICROSERVICES): +- mkdir -p $(CPPMICROSERVICES_DIR)/build ++ mkdir -p $(CPPMICROSERVICES_SRC_DIR)/build + ifeq ($(shell test $(CMAKE_VERSION) -lt 302 && echo 1), 1) +- $(CPPMICROSERVICES_DIR)/install_cmake.sh +- cd $(CPPMICROSERVICES_DIR)/build && $(CMAKE) -DCMAKE_COMMAND=$(CMAKE) $(CPPMICROSERVICES_CONFIG) ../ && $(MAKE) && $(MAKE) install ++ $(CPPMICROSERVICES_SRC_DIR)/install_cmake.sh ++ cd $(CPPMICROSERVICES_SRC_DIR)/build && $(CMAKE) -DCMAKE_COMMAND=$(CMAKE) $(CPPMICROSERVICES_CONFIG) ../ && $(MAKE) && $(MAKE) install + else +- cd $(CPPMICROSERVICES_DIR)/build && cmake $(CPPMICROSERVICES_CONFIG) ../ && $(MAKE) && $(MAKE) install ++ cd $(CPPMICROSERVICES_SRC_DIR)/build && cmake $(CPPMICROSERVICES_CONFIG) ../ && $(MAKE) && $(MAKE) install ++endif + endif + + source/build/CMakeCache.txt: $(CPPMICROSERVICES) +@@ -124,8 +129,10 @@ $(BUILD_DIR): + .PHONY: clean + clean: + @$(RM) -r source/build +- @$(RM) -r $(CPPMICROSERVICES_DIR)/build +- @$(RM) -r $(CPPMICROSERVICES_INSTALL) ++ifeq ($(USE_HOST_CPPMICROSERVICES), 0) ++ @$(RM) -r $(CPPMICROSERVICES_SRC_DIR)/build ++ @$(RM) -r $(CPPMICROSERVICES_INSTALL_DIR) ++endif + @$(RM) -r data + ifeq ($(RDRAND_MAKEFILE), $(wildcard $(RDRAND_MAKEFILE))) + @$(MAKE) distclean -C $(RDRAND_LIBDIR) +diff --git a/psw/ae/aesm_service/source/CMakeLists.txt b/psw/ae/aesm_service/source/CMakeLists.txt +index 98c724a7..3edd77c7 100644 +--- a/psw/ae/aesm_service/source/CMakeLists.txt ++++ b/psw/ae/aesm_service/source/CMakeLists.txt +@@ -46,7 +46,7 @@ else() + endif() + + # check if CppMicroServices was found +-set(CppMicroServices_DIR ../../../../external/CppMicroServices/local-install/share/cppmicroservices4/cmake) ++set(CppMicroServices_DIR ${CPPMICROSERVICES_CMAKE_DIR}) + find_package(CppMicroServices NO_MODULE REQUIRED) + 
cmake_minimum_required(VERSION ${US_CMAKE_MINIMUM_REQUIRED_VERSION}) + cmake_policy(VERSION ${US_CMAKE_MINIMUM_REQUIRED_VERSION}) +-- +2.46.0 + diff --git a/0003-Improve-make-debuggability.patch b/0003-Improve-make-debuggability.patch new file mode 100644 index 0000000..fb60641 --- /dev/null +++ b/0003-Improve-make-debuggability.patch 
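Review bot: The new guards in psw/ae/aesm_service/Makefile test `ifeq ($(USE_HOST_CPPMICROSERVICES), 0)` while buildenv.mk selects the host cmake directory only on `ifeq ($(USE_HOST_CPPMICROSERVICES), 1)`, so any other value (a stray `yes`, for instance) picks the in-tree `cppmicroservices4` cmake path yet skips building and copying the bundled library, and the configure step will presumably fail with a missing-package error that does not point at the cause. Make the Makefile guards the exact complement, `ifneq ($(USE_HOST_CPPMICROSERVICES), 1)`, in all four places (the `CPPMICROSERVICES:=` assignment, the copy step in `$(APPNAME)`, the `$(CPPMICROSERVICES)` recipe block and the `clean` rule). `CPPMICROSERVICES_CMAKE_DIR = /usr/share/cppmicroservices3/cmake` hard-codes one distro's layout; declaring it `CPPMICROSERVICES_CMAKE_DIR ?= /usr/share/cppmicroservices3/cmake` lets packagers point at their real install prefix without patching. `CPPMICROSERVICES_CONFIG` still expands `$(CPPMICROSERVICES_INSTALL_DIR)`, which is undefined in host mode; that is harmless because only the in-tree branch uses it, but a comment `# only consumed by the in-tree CppMicroServices build` on that line would save the next reader a search.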
@@ -0,0 +1,74 @@ +From 1c1ec62d0a754fc477b64cb881a721c316eb58d5 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?= +Date: Fri, 1 Mar 2024 12:53:26 +0000 +Subject: [PATCH 03/13] Improve make debuggability +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Stop discarding stderr output +Stop hardcoding parallelism to 'nproc' value and allow user +specified setting to propagate to sub-make invocations. + +Signed-off-by: Daniel P. Berrangé +--- + sdk/Makefile.source | 8 ++++---- + sdk/cpprt/Makefile | 2 +- + 2 files changed, 5 insertions(+), 5 deletions(-) + +diff --git a/sdk/Makefile.source b/sdk/Makefile.source +index 4bbfd4f3..d3e40036 100644 +--- a/sdk/Makefile.source ++++ b/sdk/Makefile.source +@@ -78,7 +78,7 @@ tstdc: $(LIBTLIBC) + + ifndef SERVTD_ATTEST + $(LIBTLIBC): tlibthread compiler-rt tsafecrt tsetjmp tmm_rsrv +- $(MAKE) -C tlibc/ -j$(shell nproc) 2> /dev/null ++ $(MAKE) -C tlibc/ + @$(MKDIR) $(BUILD_DIR)/.compiler-rt $(BUILD_DIR)/.tlibthread $(BUILD_DIR)/.tsafecrt $(BUILD_DIR)/.tsetjmp $(BUILD_DIR)/.tmm_rsrv + @$(RM) -f $(BUILD_DIR)/.compiler-rt/* && cd $(BUILD_DIR)/.compiler-rt && $(AR) x $(LINUX_SDK_DIR)/compiler-rt/libcompiler-rt.a + @$(RM) -f $(BUILD_DIR)/.tlibthread/* && cd $(BUILD_DIR)/.tlibthread && $(AR) x $(LINUX_SDK_DIR)/tlibthread/libtlibthread.a +@@ -96,7 +96,7 @@ $(LIBTLIBC): tlibthread compiler-rt tsafecrt tsetjmp tmm_rsrv + @$(RM) -rf $(BUILD_DIR)/.tsetjmp $(BUILD_DIR)/.tmm_rsrv + else + $(LIBTLIBC): tlibthread tsafecrt tsetjmp tmm_rsrv +- $(MAKE) -C tlibc/ SERVTD_ATTEST=1 -j$(shell nproc) 2> /dev/null ++ $(MAKE) -C tlibc/ SERVTD_ATTEST=1 + @$(MKDIR) $(BUILD_DIR)/.tlibthread $(BUILD_DIR)/.tsafecrt $(BUILD_DIR)/.tsetjmp $(BUILD_DIR)/.tmm_rsrv + @$(RM) -f $(BUILD_DIR)/.tlibthread/* && cd $(BUILD_DIR)/.tlibthread && $(AR) x $(LINUX_SDK_DIR)/tlibthread/libtlibthread.a + @$(RM) -f $(BUILD_DIR)/.tsafecrt/* && cd $(BUILD_DIR)/.tsafecrt && $(AR) x 
$(LINUX_SDK_DIR)/tsafecrt/libsgx_tsafecrt.a +@@ -119,7 +119,7 @@ tsafecrt: + + .PHONY: compiler-rt + compiler-rt: +- $(MAKE) -C compiler-rt/ 2> /dev/null ++ $(MAKE) -C compiler-rt/ + + .PHONY: tsetjmp + tsetjmp: +@@ -163,7 +163,7 @@ cpprt: + + .PHONY: tlibcxx + tlibcxx: $(BUILD_DIR) +- $(MAKE) -C tlibcxx/ 2> /dev/null ++ $(MAKE) -C tlibcxx/ + $(CP) tlibcxx/README.sgx $(BUILD_DIR)/libc++_Changes_SGX.txt + + # --------------------------------------------------- +diff --git a/sdk/cpprt/Makefile b/sdk/cpprt/Makefile +index d1ac38a1..5fb90c21 100644 +--- a/sdk/cpprt/Makefile ++++ b/sdk/cpprt/Makefile +@@ -83,7 +83,7 @@ $(CPPRT): $(OBJS) prepare-libunwind libunwind + libunwind: + cd $(LIBUNWIND_DIR)/ && \ + ( test -f Makefile || CFLAGS="$(CFLAGS)" ./autogen.sh ) && \ +- $(MAKE) -j$(shell nproc) ++ $(MAKE) + + + .PHONY: clean +-- +2.46.0 + diff --git a/0004-Support-disabling-use-of-git-for-ippcp-code.patch b/0004-Support-disabling-use-of-git-for-ippcp-code.patch new file mode 100644 index 0000000..54fc123 --- /dev/null +++ b/0004-Support-disabling-use-of-git-for-ippcp-code.patch 
@@ -0,0 +1,49 @@ +From 028b9d1eeb5cdda62d0d3669b1320358402c2bb1 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?= +Date: Thu, 13 Feb 2025 14:37:24 +0000 +Subject: [PATCH 04/13] Support disabling use of git for ippcp code +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Allow the user to provide the ippcp source ahead of time, +to avoid use of git in environments where there is no +network access available. + +Signed-off-by: Daniel P. Berrangé +--- + external/ippcp_internal/Makefile | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/external/ippcp_internal/Makefile b/external/ippcp_internal/Makefile +index b4108cb8..70718f5e 100644 +--- a/external/ippcp_internal/Makefile ++++ b/external/ippcp_internal/Makefile +@@ -33,6 +33,8 @@ include ../../buildenv.mk + + DIR = $(CURDIR) + ++IPP_USE_GIT := 1 ++ + IPP_CONFIG = -Bbuild -DCMAKE_VERBOSE_MAKEFILE=on + + # Ignore the CMAKE C/C++ compiler check to avoid conflicts with mitigation options +@@ -85,6 +87,7 @@ build_ipp: $(CHECK_SOURCE) + cd $(IPP_SOURCE) && $(PRE_CONFIG) cmake CMakeLists.txt $(IPP_CONFIG) && cd build && make ippcp_s + + $(IPP_SOURCE)/build: ++ifeq ($(IPP_USE_GIT), 1) + ifeq ($(shell git rev-parse --is-inside-work-tree), true) + git submodule update -f --init --recursive --remote -- $(IPP_SOURCE) + else +@@ -92,6 +95,7 @@ else + git clone -b ipp-ipp-crypto_2021_12_1 https://github.com/intel/ipp-crypto.git --depth 1 $(IPP_SOURCE) + endif + cd $(IPP_SOURCE) && git apply ../0001-IPP-crypto-for-SGX.patch ++endif + mkdir -p $(IPP_SOURCE)/build + + .PHONY: clean +-- +2.46.0 + diff --git a/0005-disable-openmp-protobuf-mbedtls-sample_crypto-builds.patch b/0005-disable-openmp-protobuf-mbedtls-sample_crypto-builds.patch new file mode 100644 index 0000000..6b26f05 --- /dev/null +++ b/0005-disable-openmp-protobuf-mbedtls-sample_crypto-builds.patch 
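Review bot: `IPP_USE_GIT := 1` can be overridden from the make command line but not from the environment, and the commit message frames this as a user-facing opt-out; `IPP_USE_GIT ?= 1` is the conventional form. When git is disabled the `$(IPP_SOURCE)/build` rule skips both the checkout and `git apply ../0001-IPP-crypto-for-SGX.patch`, so the pre-supplied tree must already carry that patch and must exist before `mkdir -p $(IPP_SOURCE)/build` quietly creates an empty build directory and marks the target up to date; nothing in the hunk checks either. An `else` branch with `test -d $(IPP_SOURCE)/ || { echo "IPP_USE_GIT=0 but $(IPP_SOURCE) is missing" >&2; exit 1; }` before the `endif`, plus a comment `# IPP_USE_GIT=0: caller supplies $(IPP_SOURCE) with 0001-IPP-crypto-for-SGX.patch already applied` next to the variable, would make the contract explicit.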
@@ -0,0 +1,525 @@ +From 6b9f6d62de22cfcf7ad89ec8a38e292c45ab0e2a Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?= +Date: Tue, 18 Jun 2024 15:57:22 +0100 +Subject: [PATCH 05/13] disable openmp, protobuf, mbedtls & sample_crypto + builds +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +These libraries are demoware, not known to be used for anything +important, so skip them to reduce amount of bundled package code. + +Signed-off-by: Daniel P. Berrangé +--- + linux/installer/common/sdk/BOMs/sdk_base.txt | 335 ------------------ + .../common/sdk/BOMs/sdk_cve_2020_0551_cf.txt | 3 - + .../sdk/BOMs/sdk_cve_2020_0551_load.txt | 3 - + linux/installer/common/sdk/BOMs/sdk_x64.txt | 4 - + sdk/Makefile.source | 30 +- + 5 files changed, 1 insertion(+), 374 deletions(-) + +diff --git a/linux/installer/common/sdk/BOMs/sdk_base.txt b/linux/installer/common/sdk/BOMs/sdk_base.txt +index 032479d8..ed585066 100644 +--- a/linux/installer/common/sdk/BOMs/sdk_base.txt ++++ b/linux/installer/common/sdk/BOMs/sdk_base.txt +@@ -1,5 +1,4 @@ + DeliveryName InstallName FileCheckSum FileFeature FileOwner +-/build/linux/libsample_libcrypto.so /package/SampleCode/RemoteAttestation/sample_libcrypto/libsample_libcrypto.so 0 main STP + /common/inc/sgx_attributes.h /package/include/sgx_attributes.h 0 main STP + /common/inc/sgx_capable.h /package/include/sgx_capable.h 0 main STP + /common/inc/sgx_cpuid.h /package/include/sgx_cpuid.h 0 main STP +@@ -391,26 +390,6 @@ DeliveryName InstallName FileCheckSum FileFeature FileOwner + /SampleCode/SealUnseal/Enclave_Unseal/Enclave_Unseal.cpp /package/SampleCode/SealUnseal/Enclave_Unseal/Enclave_Unseal.cpp 0 N/A N/A + /SampleCode/SealUnseal/Enclave_Unseal/Enclave_Unseal.edl /package/SampleCode/SealUnseal/Enclave_Unseal/Enclave_Unseal.edl 0 N/A N/A + /SampleCode/SealUnseal/Enclave_Unseal/Enclave_Unseal.lds /package/SampleCode/SealUnseal/Enclave_Unseal/Enclave_Unseal.lds 0 N/A N/A 
+-/SampleCode/ProtobufSGXDemo/App/App.h /package/SampleCode/ProtobufSGXDemo/App/App.h 0 N/A N/A +-/SampleCode/ProtobufSGXDemo/App/App.cpp /package/SampleCode/ProtobufSGXDemo/App/App.cpp 0 N/A N/A +-/SampleCode/ProtobufSGXDemo/Enclave/Enclave.config.xml /package/SampleCode/ProtobufSGXDemo/Enclave/Enclave.config.xml 0 N/A N/A +-/SampleCode/ProtobufSGXDemo/Enclave/Enclave.cpp /package/SampleCode/ProtobufSGXDemo/Enclave/Enclave.cpp 0 N/A N/A +-/SampleCode/ProtobufSGXDemo/Enclave/Enclave_debug.lds /package/SampleCode/ProtobufSGXDemo/Enclave/Enclave_debug.lds 0 N/A N/A +-/SampleCode/ProtobufSGXDemo/Enclave/Enclave.edl /package/SampleCode/ProtobufSGXDemo/Enclave/Enclave.edl 0 N/A N/A +-/SampleCode/ProtobufSGXDemo/Enclave/Enclave.h /package/SampleCode/ProtobufSGXDemo/Enclave/Enclave.h 0 N/A N/A +-/SampleCode/ProtobufSGXDemo/Enclave/Enclave.lds /package/SampleCode/ProtobufSGXDemo/Enclave/Enclave.lds 0 N/A N/A +-/SampleCode/ProtobufSGXDemo/Enclave/person.proto /package/SampleCode/ProtobufSGXDemo/Enclave/person.proto 0 N/A N/A +-/SampleCode/ProtobufSGXDemo/Makefile /package/SampleCode/ProtobufSGXDemo/Makefile 0 N/A N/A +-/SampleCode/SampleMbedCrypto/App/App.cpp /package/SampleCode/SampleMbedCrypto/App/App.cpp 0 N/A N/A +-/SampleCode/SampleMbedCrypto/App/App.h /package/SampleCode/SampleMbedCrypto/App/App.h 0 N/A N/A +-/SampleCode/SampleMbedCrypto/Makefile /package/SampleCode/SampleMbedCrypto/Makefile 0 N/A N/A +-/SampleCode/SampleMbedCrypto/Enclave/Enclave.cpp /package/SampleCode/SampleMbedCrypto/Enclave/Enclave.cpp 0 N/A N/A +-/SampleCode/SampleMbedCrypto/Enclave/Enclave.lds /package/SampleCode/SampleMbedCrypto/Enclave/Enclave.lds 0 N/A N/A +-/SampleCode/SampleMbedCrypto/Enclave/Enclave_debug.lds /package/SampleCode/SampleMbedCrypto/Enclave/Enclave_debug.lds 0 N/A N/A +-/SampleCode/SampleMbedCrypto/Enclave/Enclave.h /package/SampleCode/SampleMbedCrypto/Enclave/Enclave.h 0 N/A N/A +-/SampleCode/SampleMbedCrypto/Enclave/Enclave.edl 
/package/SampleCode/SampleMbedCrypto/Enclave/Enclave.edl 0 N/A N/A +-/SampleCode/SampleMbedCrypto/Enclave/Enclave.config.xml /package/SampleCode/SampleMbedCrypto/Enclave/Enclave.config.xml 0 N/A N/A +-/SampleCode/SampleMbedCrypto/README.txt /package/SampleCode/SampleMbedCrypto/README.txt 0 N/A N/A + /SampleCode/SampleAEXNotify/Enclave/Enclave.config.xml /package/SampleCode/SampleAEXNotify/Enclave/Enclave.config.xml 0 N/A N/A + /SampleCode/SampleAEXNotify/Enclave/Enclave.cpp /package/SampleCode/SampleAEXNotify/Enclave/Enclave.cpp 0 N/A N/A + /SampleCode/SampleAEXNotify/Enclave/Enclave.edl /package/SampleCode/SampleAEXNotify/Enclave/Enclave.edl 0 N/A N/A +@@ -422,7 +401,6 @@ DeliveryName InstallName FileCheckSum FileFeature FileOwner + /SampleCode/SampleAEXNotify/Makefile /package/SampleCode/SampleAEXNotify/Makefile 0 N/A N/A + /SampleCode/SampleAEXNotify/README.txt /package/SampleCode/SampleAEXNotify/README.txt 0 N/A N/A + /build/linux/gdb-sgx-plugin/sgx-gdb /package/bin/sgx-gdb 0 main STP +-/sdk/sample_libcrypto/sample_libcrypto.h /package/SampleCode/RemoteAttestation/sample_libcrypto/sample_libcrypto.h 0 main STP + /sdk/tlibcxx/include/CMakeLists.txt /package/include/libcxx/CMakeLists.txt 0 main STP + /sdk/tlibcxx/include/__availability /package/include/libcxx/__availability 0 main STP + /sdk/tlibcxx/include/__bit_reference /package/include/libcxx/__bit_reference 0 main STP +@@ -607,317 +585,4 @@ DeliveryName InstallName FileCheckSum FileFeature FileOwner + /sdk/tlibcxx/include/variant /package/include/libcxx/variant 0 main STP + /sdk/tlibcxx/include/vector /package/include/libcxx/vector 0 main STP + /sdk/tlibcxx/include/version /package/include/libcxx/version 0 main STP +-/external/protobuf/protobuf_code/src/google/protobuf/any.h /package/include/tprotobuf/google/protobuf/any.h 0 main STP +-/external/protobuf/protobuf_code/src/google/protobuf/any.pb.h /package/include/tprotobuf/google/protobuf/any.pb.h 0 main STP 
+-/external/protobuf/protobuf_code/src/google/protobuf/any.proto /package/include/tprotobuf/google/protobuf/any.proto 0 main STP +-/external/protobuf/protobuf_code/src/google/protobuf/api.pb.h /package/include/tprotobuf/google/protobuf/api.pb.h 0 main STP +-/external/protobuf/protobuf_code/src/google/protobuf/api.proto /package/include/tprotobuf/google/protobuf/api.proto 0 main STP +-/external/protobuf/protobuf_code/src/google/protobuf/arena.h /package/include/tprotobuf/google/protobuf/arena.h 0 main STP +-/external/protobuf/protobuf_code/src/google/protobuf/arena_align.h /package/include/tprotobuf/google/protobuf/arena_align.h 0 main STP +-/external/protobuf/protobuf_code/src/google/protobuf/arena_allocation_policy.h /package/include/tprotobuf/google/protobuf/arena_allocation_policy.h 0 main STP +-/external/protobuf/protobuf_code/src/google/protobuf/arena_cleanup.h /package/include/tprotobuf/google/protobuf/arena_cleanup.h 0 main STP +-/external/protobuf/protobuf_code/src/google/protobuf/arena_config.h /package/include/tprotobuf/google/protobuf/arena_config.h 0 main STP +-/external/protobuf/protobuf_code/src/google/protobuf/arenastring.h /package/include/tprotobuf/google/protobuf/arenastring.h 0 main STP +-/external/protobuf/protobuf_code/src/google/protobuf/arenaz_sampler.h /package/include/tprotobuf/google/protobuf/arenaz_sampler.h 0 main STP +-/external/protobuf/protobuf_code/src/google/protobuf/descriptor.h /package/include/tprotobuf/google/protobuf/descriptor.h 0 main STP +-/external/protobuf/protobuf_code/src/google/protobuf/descriptor.pb.h /package/include/tprotobuf/google/protobuf/descriptor.pb.h 0 main STP +-/external/protobuf/protobuf_code/src/google/protobuf/descriptor.proto /package/include/tprotobuf/google/protobuf/descriptor.proto 0 main STP +-/external/protobuf/protobuf_code/src/google/protobuf/descriptor_database.h /package/include/tprotobuf/google/protobuf/descriptor_database.h 0 main STP 
+-/external/protobuf/protobuf_code/src/google/protobuf/descriptor_legacy.h /package/include/tprotobuf/google/protobuf/descriptor_legacy.h 0 main STP +-/external/protobuf/protobuf_code/src/google/protobuf/dynamic_message.h /package/include/tprotobuf/google/protobuf/dynamic_message.h 0 main STP +-/external/protobuf/protobuf_code/src/google/protobuf/empty.pb.h /package/include/tprotobuf/google/protobuf/empty.pb.h 0 main STP +-/external/protobuf/protobuf_code/src/google/protobuf/empty.proto /package/include/tprotobuf/google/protobuf/empty.proto 0 main STP +-/external/protobuf/protobuf_code/src/google/protobuf/endian.h /package/include/tprotobuf/google/protobuf/endian.h 0 main STP +-/external/protobuf/protobuf_code/src/google/protobuf/explicitly_constructed.h /package/include/tprotobuf/google/protobuf/explicitly_constructed.h 0 main STP +-/external/protobuf/protobuf_code/src/google/protobuf/extension_set.h /package/include/tprotobuf/google/protobuf/extension_set.h 0 main STP +-/external/protobuf/protobuf_code/src/google/protobuf/extension_set_inl.h /package/include/tprotobuf/google/protobuf/extension_set_inl.h 0 main STP +-/external/protobuf/protobuf_code/src/google/protobuf/field_access_listener.h /package/include/tprotobuf/google/protobuf/field_access_listener.h 0 main STP +-/external/protobuf/protobuf_code/src/google/protobuf/field_mask.pb.h /package/include/tprotobuf/google/protobuf/field_mask.pb.h 0 main STP +-/external/protobuf/protobuf_code/src/google/protobuf/field_mask.proto /package/include/tprotobuf/google/protobuf/field_mask.proto 0 main STP +-/external/protobuf/protobuf_code/src/google/protobuf/generated_enum_reflection.h /package/include/tprotobuf/google/protobuf/generated_enum_reflection.h 0 main STP +-/external/protobuf/protobuf_code/src/google/protobuf/generated_enum_util.h /package/include/tprotobuf/google/protobuf/generated_enum_util.h 0 main STP +-/external/protobuf/protobuf_code/src/google/protobuf/generated_message_bases.h 
/package/include/tprotobuf/google/protobuf/generated_message_bases.h 0 main STP +-/external/protobuf/protobuf_code/src/google/protobuf/generated_message_reflection.h /package/include/tprotobuf/google/protobuf/generated_message_reflection.h 0 main STP +-/external/protobuf/protobuf_code/src/google/protobuf/generated_message_tctable_decl.h /package/include/tprotobuf/google/protobuf/generated_message_tctable_decl.h 0 main STP +-/external/protobuf/protobuf_code/src/google/protobuf/generated_message_util.h /package/include/tprotobuf/google/protobuf/generated_message_util.h 0 main STP +-/external/protobuf/protobuf_code/src/google/protobuf/has_bits.h /package/include/tprotobuf/google/protobuf/has_bits.h 0 main STP +-/external/protobuf/protobuf_code/src/google/protobuf/implicit_weak_message.h /package/include/tprotobuf/google/protobuf/implicit_weak_message.h 0 main STP +-/external/protobuf/protobuf_code/src/google/protobuf/inlined_string_field.h /package/include/tprotobuf/google/protobuf/inlined_string_field.h 0 main STP +-/external/protobuf/protobuf_code/src/google/protobuf/io/coded_stream.h /package/include/tprotobuf/google/protobuf/io/coded_stream.h 0 main STP +-/external/protobuf/protobuf_code/src/google/protobuf/io/printer.h /package/include/tprotobuf/google/protobuf/io/printer.h 0 main STP +-/external/protobuf/protobuf_code/src/google/protobuf/io/strtod.h /package/include/tprotobuf/google/protobuf/io/strtod.h 0 main STP +-/external/protobuf/protobuf_code/src/google/protobuf/io/tokenizer.h /package/include/tprotobuf/google/protobuf/io/tokenizer.h 0 main STP +-/external/protobuf/protobuf_code/src/google/protobuf/io/zero_copy_stream.h /package/include/tprotobuf/google/protobuf/io/zero_copy_stream.h 0 main STP +-/external/protobuf/protobuf_code/src/google/protobuf/io/zero_copy_stream_impl.h /package/include/tprotobuf/google/protobuf/io/zero_copy_stream_impl.h 0 main STP +-/external/protobuf/protobuf_code/src/google/protobuf/io/zero_copy_stream_impl_lite.h 
/package/include/tprotobuf/google/protobuf/io/zero_copy_stream_impl_lite.h 0 main STP +-/external/protobuf/protobuf_code/src/google/protobuf/map.h /package/include/tprotobuf/google/protobuf/map.h 0 main STP +-/external/protobuf/protobuf_code/src/google/protobuf/map_entry.h /package/include/tprotobuf/google/protobuf/map_entry.h 0 main STP +-/external/protobuf/protobuf_code/src/google/protobuf/map_entry_lite.h /package/include/tprotobuf/google/protobuf/map_entry_lite.h 0 main STP +-/external/protobuf/protobuf_code/src/google/protobuf/map_field.h /package/include/tprotobuf/google/protobuf/map_field.h 0 main STP +-/external/protobuf/protobuf_code/src/google/protobuf/map_field_inl.h /package/include/tprotobuf/google/protobuf/map_field_inl.h 0 main STP +-/external/protobuf/protobuf_code/src/google/protobuf/map_field_lite.h /package/include/tprotobuf/google/protobuf/map_field_lite.h 0 main STP +-/external/protobuf/protobuf_code/src/google/protobuf/map_type_handler.h /package/include/tprotobuf/google/protobuf/map_type_handler.h 0 main STP +-/external/protobuf/protobuf_code/src/google/protobuf/message.h /package/include/tprotobuf/google/protobuf/message.h 0 main STP +-/external/protobuf/protobuf_code/src/google/protobuf/message_lite.h /package/include/tprotobuf/google/protobuf/message_lite.h 0 main STP +-/external/protobuf/protobuf_code/src/google/protobuf/metadata.h /package/include/tprotobuf/google/protobuf/metadata.h 0 main STP +-/external/protobuf/protobuf_code/src/google/protobuf/metadata_lite.h /package/include/tprotobuf/google/protobuf/metadata_lite.h 0 main STP +-/external/protobuf/protobuf_code/src/google/protobuf/parse_context.h /package/include/tprotobuf/google/protobuf/parse_context.h 0 main STP +-/external/protobuf/protobuf_code/src/google/protobuf/port.h /package/include/tprotobuf/google/protobuf/port.h 0 main STP +-/external/protobuf/protobuf_code/src/google/protobuf/port_def.inc /package/include/tprotobuf/google/protobuf/port_def.inc 0 main STP 
+-/external/protobuf/protobuf_code/src/google/protobuf/port_undef.inc /package/include/tprotobuf/google/protobuf/port_undef.inc 0 main STP +-/external/protobuf/protobuf_code/src/google/protobuf/reflection.h /package/include/tprotobuf/google/protobuf/reflection.h 0 main STP +-/external/protobuf/protobuf_code/src/google/protobuf/reflection_mode.h /package/include/tprotobuf/google/protobuf/reflection_mode.h 0 main STP +-/external/protobuf/protobuf_code/src/google/protobuf/reflection_ops.h /package/include/tprotobuf/google/protobuf/reflection_ops.h 0 main STP +-/external/protobuf/protobuf_code/src/google/protobuf/repeated_field.h /package/include/tprotobuf/google/protobuf/repeated_field.h 0 main STP +-/external/protobuf/protobuf_code/src/google/protobuf/repeated_ptr_field.h /package/include/tprotobuf/google/protobuf/repeated_ptr_field.h 0 main STP +-/external/protobuf/protobuf_code/src/google/protobuf/serial_arena.h /package/include/tprotobuf/google/protobuf/serial_arena.h 0 main STP +-/external/protobuf/protobuf_code/src/google/protobuf/service.h /package/include/tprotobuf/google/protobuf/service.h 0 main STP +-/external/protobuf/protobuf_code/src/google/protobuf/source_context.pb.h /package/include/tprotobuf/google/protobuf/source_context.pb.h 0 main STP +-/external/protobuf/protobuf_code/src/google/protobuf/source_context.proto /package/include/tprotobuf/google/protobuf/source_context.proto 0 main STP +-/external/protobuf/protobuf_code/src/google/protobuf/string_block.h /package/include/tprotobuf/google/protobuf/string_block.h 0 main STP +-/external/protobuf/protobuf_code/src/google/protobuf/string_member_robber.h /package/include/tprotobuf/google/protobuf/string_member_robber.h 0 main STP +-/external/protobuf/protobuf_code/src/google/protobuf/struct.pb.h /package/include/tprotobuf/google/protobuf/struct.pb.h 0 main STP +-/external/protobuf/protobuf_code/src/google/protobuf/struct.proto /package/include/tprotobuf/google/protobuf/struct.proto 0 main STP 
+-/external/protobuf/protobuf_code/src/google/protobuf/stubs/callback.h /package/include/tprotobuf/google/protobuf/stubs/callback.h 0 main STP +-/external/protobuf/protobuf_code/src/google/protobuf/stubs/common.h /package/include/tprotobuf/google/protobuf/stubs/common.h 0 main STP +-/external/protobuf/protobuf_code/src/google/protobuf/stubs/platform_macros.h /package/include/tprotobuf/google/protobuf/stubs/platform_macros.h 0 main STP +-/external/protobuf/protobuf_code/src/google/protobuf/stubs/port.h /package/include/tprotobuf/google/protobuf/stubs/port.h 0 main STP +-/external/protobuf/protobuf_code/src/google/protobuf/stubs/status_macros.h /package/include/tprotobuf/google/protobuf/stubs/status_macros.h 0 main STP +-/external/protobuf/protobuf_code/src/google/protobuf/text_format.h /package/include/tprotobuf/google/protobuf/text_format.h 0 main STP +-/external/protobuf/protobuf_code/src/google/protobuf/thread_safe_arena.h /package/include/tprotobuf/google/protobuf/thread_safe_arena.h 0 main STP +-/external/protobuf/protobuf_code/src/google/protobuf/type.pb.h /package/include/tprotobuf/google/protobuf/type.pb.h 0 main STP +-/external/protobuf/protobuf_code/src/google/protobuf/type.proto /package/include/tprotobuf/google/protobuf/type.proto 0 main STP +-/external/protobuf/protobuf_code/src/google/protobuf/unknown_field_set.h /package/include/tprotobuf/google/protobuf/unknown_field_set.h 0 main STP +-/external/protobuf/protobuf_code/src/google/protobuf/varint_shuffle.h /package/include/tprotobuf/google/protobuf/varint_shuffle.h 0 main STP +-/external/protobuf/protobuf_code/src/google/protobuf/wire_format.h /package/include/tprotobuf/google/protobuf/wire_format.h 0 main STP +-/external/protobuf/protobuf_code/src/google/protobuf/wire_format_lite.h /package/include/tprotobuf/google/protobuf/wire_format_lite.h 0 main STP +-/external/protobuf/protobuf_code/src/google/protobuf/wrappers.pb.h /package/include/tprotobuf/google/protobuf/wrappers.pb.h 0 main STP 
+-/external/protobuf/protobuf_code/src/google/protobuf/wrappers.proto /package/include/tprotobuf/google/protobuf/wrappers.proto 0 main STP +-/external/protobuf/protobuf_code/third_party/abseil-cpp/absl/algorithm/algorithm.h /package/include/tprotobuf/absl/algorithm/algorithm.h 0 main STP +-/external/protobuf/protobuf_code/third_party/abseil-cpp/absl/algorithm/container.h /package/include/tprotobuf/absl/algorithm/container.h 0 main STP +-/external/protobuf/protobuf_code/third_party/abseil-cpp/absl/base/attributes.h /package/include/tprotobuf/absl/base/attributes.h 0 main STP +-/external/protobuf/protobuf_code/third_party/abseil-cpp/absl/base/call_once.h /package/include/tprotobuf/absl/base/call_once.h 0 main STP +-/external/protobuf/protobuf_code/third_party/abseil-cpp/absl/base/casts.h /package/include/tprotobuf/absl/base/casts.h 0 main STP +-/external/protobuf/protobuf_code/third_party/abseil-cpp/absl/base/config.h /package/include/tprotobuf/absl/base/config.h 0 main STP +-/external/protobuf/protobuf_code/third_party/abseil-cpp/absl/base/const_init.h /package/include/tprotobuf/absl/base/const_init.h 0 main STP +-/external/protobuf/protobuf_code/third_party/abseil-cpp/absl/base/dynamic_annotations.h /package/include/tprotobuf/absl/base/dynamic_annotations.h 0 main STP +-/external/protobuf/protobuf_code/third_party/abseil-cpp/absl/base/internal/atomic_hook.h /package/include/tprotobuf/absl/base/internal/atomic_hook.h 0 main STP +-/external/protobuf/protobuf_code/third_party/abseil-cpp/absl/base/internal/dynamic_annotations.h /package/include/tprotobuf/absl/base/internal/dynamic_annotations.h 0 main STP +-/external/protobuf/protobuf_code/third_party/abseil-cpp/absl/base/internal/endian.h /package/include/tprotobuf/absl/base/internal/endian.h 0 main STP +-/external/protobuf/protobuf_code/third_party/abseil-cpp/absl/base/internal/errno_saver.h /package/include/tprotobuf/absl/base/internal/errno_saver.h 0 main STP 
+-/external/protobuf/protobuf_code/third_party/abseil-cpp/absl/base/internal/identity.h /package/include/tprotobuf/absl/base/internal/identity.h 0 main STP +-/external/protobuf/protobuf_code/third_party/abseil-cpp/absl/base/internal/inline_variable.h /package/include/tprotobuf/absl/base/internal/inline_variable.h 0 main STP +-/external/protobuf/protobuf_code/third_party/abseil-cpp/absl/base/internal/invoke.h /package/include/tprotobuf/absl/base/internal/invoke.h 0 main STP +-/external/protobuf/protobuf_code/third_party/abseil-cpp/absl/base/internal/low_level_alloc.h /package/include/tprotobuf/absl/base/internal/low_level_alloc.h 0 main STP +-/external/protobuf/protobuf_code/third_party/abseil-cpp/absl/base/internal/low_level_scheduling.h /package/include/tprotobuf/absl/base/internal/low_level_scheduling.h 0 main STP +-/external/protobuf/protobuf_code/third_party/abseil-cpp/absl/base/internal/per_thread_tls.h /package/include/tprotobuf/absl/base/internal/per_thread_tls.h 0 main STP +-/external/protobuf/protobuf_code/third_party/abseil-cpp/absl/base/internal/prefetch.h /package/include/tprotobuf/absl/base/internal/prefetch.h 0 main STP +-/external/protobuf/protobuf_code/third_party/abseil-cpp/absl/base/internal/raw_logging.h /package/include/tprotobuf/absl/base/internal/raw_logging.h 0 main STP +-/external/protobuf/protobuf_code/third_party/abseil-cpp/absl/base/internal/scheduling_mode.h /package/include/tprotobuf/absl/base/internal/scheduling_mode.h 0 main STP +-/external/protobuf/protobuf_code/third_party/abseil-cpp/absl/base/internal/spinlock.h /package/include/tprotobuf/absl/base/internal/spinlock.h 0 main STP +-/external/protobuf/protobuf_code/third_party/abseil-cpp/absl/base/internal/spinlock_wait.h /package/include/tprotobuf/absl/base/internal/spinlock_wait.h 0 main STP +-/external/protobuf/protobuf_code/third_party/abseil-cpp/absl/base/internal/thread_annotations.h /package/include/tprotobuf/absl/base/internal/thread_annotations.h 0 main STP 
+-/external/protobuf/protobuf_code/third_party/abseil-cpp/absl/base/internal/thread_identity.h /package/include/tprotobuf/absl/base/internal/thread_identity.h 0 main STP +-/external/protobuf/protobuf_code/third_party/abseil-cpp/absl/base/internal/throw_delegate.h /package/include/tprotobuf/absl/base/internal/throw_delegate.h 0 main STP +-/external/protobuf/protobuf_code/third_party/abseil-cpp/absl/base/internal/tsan_mutex_interface.h /package/include/tprotobuf/absl/base/internal/tsan_mutex_interface.h 0 main STP +-/external/protobuf/protobuf_code/third_party/abseil-cpp/absl/base/internal/unaligned_access.h /package/include/tprotobuf/absl/base/internal/unaligned_access.h 0 main STP +-/external/protobuf/protobuf_code/third_party/abseil-cpp/absl/base/log_severity.h /package/include/tprotobuf/absl/base/log_severity.h 0 main STP +-/external/protobuf/protobuf_code/third_party/abseil-cpp/absl/base/macros.h /package/include/tprotobuf/absl/base/macros.h 0 main STP +-/external/protobuf/protobuf_code/third_party/abseil-cpp/absl/base/optimization.h /package/include/tprotobuf/absl/base/optimization.h 0 main STP +-/external/protobuf/protobuf_code/third_party/abseil-cpp/absl/base/options.h /package/include/tprotobuf/absl/base/options.h 0 main STP +-/external/protobuf/protobuf_code/third_party/abseil-cpp/absl/base/policy_checks.h /package/include/tprotobuf/absl/base/policy_checks.h 0 main STP +-/external/protobuf/protobuf_code/third_party/abseil-cpp/absl/base/port.h /package/include/tprotobuf/absl/base/port.h 0 main STP +-/external/protobuf/protobuf_code/third_party/abseil-cpp/absl/base/thread_annotations.h /package/include/tprotobuf/absl/base/thread_annotations.h 0 main STP +-/external/protobuf/protobuf_code/third_party/abseil-cpp/absl/cleanup/cleanup.h /package/include/tprotobuf/absl/cleanup/cleanup.h 0 main STP +-/external/protobuf/protobuf_code/third_party/abseil-cpp/absl/container/btree_map.h /package/include/tprotobuf/absl/container/btree_map.h 0 main STP 
+-/external/protobuf/protobuf_code/third_party/abseil-cpp/absl/container/btree_set.h /package/include/tprotobuf/absl/container/btree_set.h 0 main STP +-/external/protobuf/protobuf_code/third_party/abseil-cpp/absl/container/fixed_array.h /package/include/tprotobuf/absl/container/fixed_array.h 0 main STP +-/external/protobuf/protobuf_code/third_party/abseil-cpp/absl/container/flat_hash_map.h /package/include/tprotobuf/absl/container/flat_hash_map.h 0 main STP +-/external/protobuf/protobuf_code/third_party/abseil-cpp/absl/container/flat_hash_set.h /package/include/tprotobuf/absl/container/flat_hash_set.h 0 main STP +-/external/protobuf/protobuf_code/third_party/abseil-cpp/absl/container/inlined_vector.h /package/include/tprotobuf/absl/container/inlined_vector.h 0 main STP +-/external/protobuf/protobuf_code/third_party/abseil-cpp/absl/container/internal/btree.h /package/include/tprotobuf/absl/container/internal/btree.h 0 main STP +-/external/protobuf/protobuf_code/third_party/abseil-cpp/absl/container/internal/btree_container.h /package/include/tprotobuf/absl/container/internal/btree_container.h 0 main STP +-/external/protobuf/protobuf_code/third_party/abseil-cpp/absl/container/internal/common.h /package/include/tprotobuf/absl/container/internal/common.h 0 main STP +-/external/protobuf/protobuf_code/third_party/abseil-cpp/absl/container/internal/common_policy_traits.h /package/include/tprotobuf/absl/container/internal/common_policy_traits.h 0 main STP +-/external/protobuf/protobuf_code/third_party/abseil-cpp/absl/container/internal/compressed_tuple.h /package/include/tprotobuf/absl/container/internal/compressed_tuple.h 0 main STP +-/external/protobuf/protobuf_code/third_party/abseil-cpp/absl/container/internal/container_memory.h /package/include/tprotobuf/absl/container/internal/container_memory.h 0 main STP +-/external/protobuf/protobuf_code/third_party/abseil-cpp/absl/container/internal/hash_function_defaults.h 
/package/include/tprotobuf/absl/container/internal/hash_function_defaults.h 0 main STP +-/external/protobuf/protobuf_code/third_party/abseil-cpp/absl/container/internal/hash_policy_traits.h /package/include/tprotobuf/absl/container/internal/hash_policy_traits.h 0 main STP +-/external/protobuf/protobuf_code/third_party/abseil-cpp/absl/container/internal/hashtable_debug_hooks.h /package/include/tprotobuf/absl/container/internal/hashtable_debug_hooks.h 0 main STP +-/external/protobuf/protobuf_code/third_party/abseil-cpp/absl/container/internal/hashtablez_sampler.h /package/include/tprotobuf/absl/container/internal/hashtablez_sampler.h 0 main STP +-/external/protobuf/protobuf_code/third_party/abseil-cpp/absl/container/internal/inlined_vector.h /package/include/tprotobuf/absl/container/internal/inlined_vector.h 0 main STP +-/external/protobuf/protobuf_code/third_party/abseil-cpp/absl/container/internal/layout.h /package/include/tprotobuf/absl/container/internal/layout.h 0 main STP +-/external/protobuf/protobuf_code/third_party/abseil-cpp/absl/container/internal/raw_hash_map.h /package/include/tprotobuf/absl/container/internal/raw_hash_map.h 0 main STP +-/external/protobuf/protobuf_code/third_party/abseil-cpp/absl/container/internal/raw_hash_set.h /package/include/tprotobuf/absl/container/internal/raw_hash_set.h 0 main STP +-/external/protobuf/protobuf_code/third_party/abseil-cpp/absl/container/node_hash_map.h /package/include/tprotobuf/absl/container/node_hash_map.h 0 main STP +-/external/protobuf/protobuf_code/third_party/abseil-cpp/absl/container/node_hash_set.h /package/include/tprotobuf/absl/container/node_hash_set.h 0 main STP +-/external/protobuf/protobuf_code/third_party/abseil-cpp/absl/crc/crc32c.h /package/include/tprotobuf/absl/crc/crc32c.h 0 main STP +-/external/protobuf/protobuf_code/third_party/abseil-cpp/absl/crc/internal/crc32_x86_arm_combined_simd.h /package/include/tprotobuf/absl/crc/internal/crc32_x86_arm_combined_simd.h 0 main STP 
+-/external/protobuf/protobuf_code/third_party/abseil-cpp/absl/crc/internal/crc32c_inline.h /package/include/tprotobuf/absl/crc/internal/crc32c_inline.h 0 main STP +-/external/protobuf/protobuf_code/third_party/abseil-cpp/absl/crc/internal/crc_cord_state.h /package/include/tprotobuf/absl/crc/internal/crc_cord_state.h 0 main STP +-/external/protobuf/protobuf_code/third_party/abseil-cpp/absl/debugging/failure_signal_handler.h /package/include/tprotobuf/absl/debugging/failure_signal_handler.h 0 main STP +-/external/protobuf/protobuf_code/third_party/abseil-cpp/absl/debugging/leak_check.h /package/include/tprotobuf/absl/debugging/leak_check.h 0 main STP +-/external/protobuf/protobuf_code/third_party/abseil-cpp/absl/debugging/stacktrace.h /package/include/tprotobuf/absl/debugging/stacktrace.h 0 main STP +-/external/protobuf/protobuf_code/third_party/abseil-cpp/absl/debugging/symbolize.h /package/include/tprotobuf/absl/debugging/symbolize.h 0 main STP +-/external/protobuf/protobuf_code/third_party/abseil-cpp/absl/debugging/symbolize_darwin.inc /package/include/tprotobuf/absl/debugging/symbolize_darwin.inc 0 main STP +-/external/protobuf/protobuf_code/third_party/abseil-cpp/absl/debugging/symbolize_elf.inc /package/include/tprotobuf/absl/debugging/symbolize_elf.inc 0 main STP +-/external/protobuf/protobuf_code/third_party/abseil-cpp/absl/debugging/symbolize_emscripten.inc /package/include/tprotobuf/absl/debugging/symbolize_emscripten.inc 0 main STP +-/external/protobuf/protobuf_code/third_party/abseil-cpp/absl/debugging/symbolize_unimplemented.inc /package/include/tprotobuf/absl/debugging/symbolize_unimplemented.inc 0 main STP +-/external/protobuf/protobuf_code/third_party/abseil-cpp/absl/debugging/symbolize_win32.inc /package/include/tprotobuf/absl/debugging/symbolize_win32.inc 0 main STP +-/external/protobuf/protobuf_code/third_party/abseil-cpp/absl/flags/commandlineflag.h /package/include/tprotobuf/absl/flags/commandlineflag.h 0 main STP 
+-/external/protobuf/protobuf_code/third_party/abseil-cpp/absl/flags/config.h /package/include/tprotobuf/absl/flags/config.h 0 main STP +-/external/protobuf/protobuf_code/third_party/abseil-cpp/absl/flags/declare.h /package/include/tprotobuf/absl/flags/declare.h 0 main STP +-/external/protobuf/protobuf_code/third_party/abseil-cpp/absl/flags/flag.h /package/include/tprotobuf/absl/flags/flag.h 0 main STP +-/external/protobuf/protobuf_code/third_party/abseil-cpp/absl/flags/flag_benchmark.lds /package/include/tprotobuf/absl/flags/flag_benchmark.lds 0 main STP +-/external/protobuf/protobuf_code/third_party/abseil-cpp/absl/flags/marshalling.h /package/include/tprotobuf/absl/flags/marshalling.h 0 main STP +-/external/protobuf/protobuf_code/third_party/abseil-cpp/absl/flags/parse.h /package/include/tprotobuf/absl/flags/parse.h 0 main STP +-/external/protobuf/protobuf_code/third_party/abseil-cpp/absl/flags/reflection.h /package/include/tprotobuf/absl/flags/reflection.h 0 main STP +-/external/protobuf/protobuf_code/third_party/abseil-cpp/absl/flags/usage.h /package/include/tprotobuf/absl/flags/usage.h 0 main STP +-/external/protobuf/protobuf_code/third_party/abseil-cpp/absl/flags/usage_config.h /package/include/tprotobuf/absl/flags/usage_config.h 0 main STP +-/external/protobuf/protobuf_code/third_party/abseil-cpp/absl/functional/any_invocable.h /package/include/tprotobuf/absl/functional/any_invocable.h 0 main STP +-/external/protobuf/protobuf_code/third_party/abseil-cpp/absl/functional/bind_front.h /package/include/tprotobuf/absl/functional/bind_front.h 0 main STP +-/external/protobuf/protobuf_code/third_party/abseil-cpp/absl/functional/function_ref.h /package/include/tprotobuf/absl/functional/function_ref.h 0 main STP +-/external/protobuf/protobuf_code/third_party/abseil-cpp/absl/functional/internal/function_ref.h /package/include/tprotobuf/absl/functional/internal/function_ref.h 0 main STP +-/external/protobuf/protobuf_code/third_party/abseil-cpp/absl/hash/hash.h 
/package/include/tprotobuf/absl/hash/hash.h 0 main STP +-/external/protobuf/protobuf_code/third_party/abseil-cpp/absl/hash/internal/city.h /package/include/tprotobuf/absl/hash/internal/city.h 0 main STP +-/external/protobuf/protobuf_code/third_party/abseil-cpp/absl/hash/internal/hash.h /package/include/tprotobuf/absl/hash/internal/hash.h 0 main STP +-/external/protobuf/protobuf_code/third_party/abseil-cpp/absl/hash/internal/low_level_hash.h /package/include/tprotobuf/absl/hash/internal/low_level_hash.h 0 main STP +-/external/protobuf/protobuf_code/third_party/abseil-cpp/absl/log/absl_check.h /package/include/tprotobuf/absl/log/absl_check.h 0 main STP +-/external/protobuf/protobuf_code/third_party/abseil-cpp/absl/log/absl_log.h /package/include/tprotobuf/absl/log/absl_log.h 0 main STP +-/external/protobuf/protobuf_code/third_party/abseil-cpp/absl/log/check.h /package/include/tprotobuf/absl/log/check.h 0 main STP +-/external/protobuf/protobuf_code/third_party/abseil-cpp/absl/log/die_if_null.h /package/include/tprotobuf/absl/log/die_if_null.h 0 main STP +-/external/protobuf/protobuf_code/third_party/abseil-cpp/absl/log/flags.h /package/include/tprotobuf/absl/log/flags.h 0 main STP +-/external/protobuf/protobuf_code/third_party/abseil-cpp/absl/log/globals.h /package/include/tprotobuf/absl/log/globals.h 0 main STP +-/external/protobuf/protobuf_code/third_party/abseil-cpp/absl/log/initialize.h /package/include/tprotobuf/absl/log/initialize.h 0 main STP +-/external/protobuf/protobuf_code/third_party/abseil-cpp/absl/log/internal/check_impl.h /package/include/tprotobuf/absl/log/internal/check_impl.h 0 main STP +-/external/protobuf/protobuf_code/third_party/abseil-cpp/absl/log/internal/check_op.h /package/include/tprotobuf/absl/log/internal/check_op.h 0 main STP +-/external/protobuf/protobuf_code/third_party/abseil-cpp/absl/log/internal/conditions.h /package/include/tprotobuf/absl/log/internal/conditions.h 0 main STP 
+-/external/protobuf/protobuf_code/third_party/abseil-cpp/absl/log/internal/config.h /package/include/tprotobuf/absl/log/internal/config.h 0 main STP +-/external/protobuf/protobuf_code/third_party/abseil-cpp/absl/log/internal/log_impl.h /package/include/tprotobuf/absl/log/internal/log_impl.h 0 main STP +-/external/protobuf/protobuf_code/third_party/abseil-cpp/absl/log/internal/log_message.h /package/include/tprotobuf/absl/log/internal/log_message.h 0 main STP +-/external/protobuf/protobuf_code/third_party/abseil-cpp/absl/log/internal/nullguard.h /package/include/tprotobuf/absl/log/internal/nullguard.h 0 main STP +-/external/protobuf/protobuf_code/third_party/abseil-cpp/absl/log/internal/nullstream.h /package/include/tprotobuf/absl/log/internal/nullstream.h 0 main STP +-/external/protobuf/protobuf_code/third_party/abseil-cpp/absl/log/internal/strip.h /package/include/tprotobuf/absl/log/internal/strip.h 0 main STP +-/external/protobuf/protobuf_code/third_party/abseil-cpp/absl/log/internal/voidify.h /package/include/tprotobuf/absl/log/internal/voidify.h 0 main STP +-/external/protobuf/protobuf_code/third_party/abseil-cpp/absl/log/log.h /package/include/tprotobuf/absl/log/log.h 0 main STP +-/external/protobuf/protobuf_code/third_party/abseil-cpp/absl/log/log_entry.h /package/include/tprotobuf/absl/log/log_entry.h 0 main STP +-/external/protobuf/protobuf_code/third_party/abseil-cpp/absl/log/log_sink.h /package/include/tprotobuf/absl/log/log_sink.h 0 main STP +-/external/protobuf/protobuf_code/third_party/abseil-cpp/absl/log/log_sink_registry.h /package/include/tprotobuf/absl/log/log_sink_registry.h 0 main STP +-/external/protobuf/protobuf_code/third_party/abseil-cpp/absl/log/log_streamer.h /package/include/tprotobuf/absl/log/log_streamer.h 0 main STP +-/external/protobuf/protobuf_code/third_party/abseil-cpp/absl/log/scoped_mock_log.h /package/include/tprotobuf/absl/log/scoped_mock_log.h 0 main STP 
+-/external/protobuf/protobuf_code/third_party/abseil-cpp/absl/log/structured.h /package/include/tprotobuf/absl/log/structured.h 0 main STP +-/external/protobuf/protobuf_code/third_party/abseil-cpp/absl/memory/memory.h /package/include/tprotobuf/absl/memory/memory.h 0 main STP +-/external/protobuf/protobuf_code/third_party/abseil-cpp/absl/meta/type_traits.h /package/include/tprotobuf/absl/meta/type_traits.h 0 main STP +-/external/protobuf/protobuf_code/third_party/abseil-cpp/absl/numeric/bits.h /package/include/tprotobuf/absl/numeric/bits.h 0 main STP +-/external/protobuf/protobuf_code/third_party/abseil-cpp/absl/numeric/int128.h /package/include/tprotobuf/absl/numeric/int128.h 0 main STP +-/external/protobuf/protobuf_code/third_party/abseil-cpp/absl/numeric/int128_have_intrinsic.inc /package/include/tprotobuf/absl/numeric/int128_have_intrinsic.inc 0 main STP +-/external/protobuf/protobuf_code/third_party/abseil-cpp/absl/numeric/int128_no_intrinsic.inc /package/include/tprotobuf/absl/numeric/int128_no_intrinsic.inc 0 main STP +-/external/protobuf/protobuf_code/third_party/abseil-cpp/absl/numeric/internal/bits.h /package/include/tprotobuf/absl/numeric/internal/bits.h 0 main STP +-/external/protobuf/protobuf_code/third_party/abseil-cpp/absl/profiling/internal/sample_recorder.h /package/include/tprotobuf/absl/profiling/internal/sample_recorder.h 0 main STP +-/external/protobuf/protobuf_code/third_party/abseil-cpp/absl/random/bernoulli_distribution.h /package/include/tprotobuf/absl/random/bernoulli_distribution.h 0 main STP +-/external/protobuf/protobuf_code/third_party/abseil-cpp/absl/random/beta_distribution.h /package/include/tprotobuf/absl/random/beta_distribution.h 0 main STP +-/external/protobuf/protobuf_code/third_party/abseil-cpp/absl/random/bit_gen_ref.h /package/include/tprotobuf/absl/random/bit_gen_ref.h 0 main STP +-/external/protobuf/protobuf_code/third_party/abseil-cpp/absl/random/discrete_distribution.h 
/package/include/tprotobuf/absl/random/discrete_distribution.h 0 main STP +-/external/protobuf/protobuf_code/third_party/abseil-cpp/absl/random/distributions.h /package/include/tprotobuf/absl/random/distributions.h 0 main STP +-/external/protobuf/protobuf_code/third_party/abseil-cpp/absl/random/exponential_distribution.h /package/include/tprotobuf/absl/random/exponential_distribution.h 0 main STP +-/external/protobuf/protobuf_code/third_party/abseil-cpp/absl/random/gaussian_distribution.h /package/include/tprotobuf/absl/random/gaussian_distribution.h 0 main STP +-/external/protobuf/protobuf_code/third_party/abseil-cpp/absl/random/log_uniform_int_distribution.h /package/include/tprotobuf/absl/random/log_uniform_int_distribution.h 0 main STP +-/external/protobuf/protobuf_code/third_party/abseil-cpp/absl/random/mock_distributions.h /package/include/tprotobuf/absl/random/mock_distributions.h 0 main STP +-/external/protobuf/protobuf_code/third_party/abseil-cpp/absl/random/mocking_bit_gen.h /package/include/tprotobuf/absl/random/mocking_bit_gen.h 0 main STP +-/external/protobuf/protobuf_code/third_party/abseil-cpp/absl/random/poisson_distribution.h /package/include/tprotobuf/absl/random/poisson_distribution.h 0 main STP +-/external/protobuf/protobuf_code/third_party/abseil-cpp/absl/random/random.h /package/include/tprotobuf/absl/random/random.h 0 main STP +-/external/protobuf/protobuf_code/third_party/abseil-cpp/absl/random/seed_gen_exception.h /package/include/tprotobuf/absl/random/seed_gen_exception.h 0 main STP +-/external/protobuf/protobuf_code/third_party/abseil-cpp/absl/random/seed_sequences.h /package/include/tprotobuf/absl/random/seed_sequences.h 0 main STP +-/external/protobuf/protobuf_code/third_party/abseil-cpp/absl/random/uniform_int_distribution.h /package/include/tprotobuf/absl/random/uniform_int_distribution.h 0 main STP +-/external/protobuf/protobuf_code/third_party/abseil-cpp/absl/random/uniform_real_distribution.h 
/package/include/tprotobuf/absl/random/uniform_real_distribution.h 0 main STP +-/external/protobuf/protobuf_code/third_party/abseil-cpp/absl/random/zipf_distribution.h /package/include/tprotobuf/absl/random/zipf_distribution.h 0 main STP +-/external/protobuf/protobuf_code/third_party/abseil-cpp/absl/status/status.h /package/include/tprotobuf/absl/status/status.h 0 main STP +-/external/protobuf/protobuf_code/third_party/abseil-cpp/absl/status/status_payload_printer.h /package/include/tprotobuf/absl/status/status_payload_printer.h 0 main STP +-/external/protobuf/protobuf_code/third_party/abseil-cpp/absl/status/statusor.h /package/include/tprotobuf/absl/status/statusor.h 0 main STP +-/external/protobuf/protobuf_code/third_party/abseil-cpp/absl/strings/ascii.h /package/include/tprotobuf/absl/strings/ascii.h 0 main STP +-/external/protobuf/protobuf_code/third_party/abseil-cpp/absl/strings/charconv.h /package/include/tprotobuf/absl/strings/charconv.h 0 main STP +-/external/protobuf/protobuf_code/third_party/abseil-cpp/absl/strings/cord.h /package/include/tprotobuf/absl/strings/cord.h 0 main STP +-/external/protobuf/protobuf_code/third_party/abseil-cpp/absl/strings/cord_analysis.h /package/include/tprotobuf/absl/strings/cord_analysis.h 0 main STP +-/external/protobuf/protobuf_code/third_party/abseil-cpp/absl/strings/cord_buffer.h /package/include/tprotobuf/absl/strings/cord_buffer.h 0 main STP +-/external/protobuf/protobuf_code/third_party/abseil-cpp/absl/strings/escaping.h /package/include/tprotobuf/absl/strings/escaping.h 0 main STP +-/external/protobuf/protobuf_code/third_party/abseil-cpp/absl/strings/internal/cord_data_edge.h /package/include/tprotobuf/absl/strings/internal/cord_data_edge.h 0 main STP +-/external/protobuf/protobuf_code/third_party/abseil-cpp/absl/strings/internal/cord_internal.h /package/include/tprotobuf/absl/strings/internal/cord_internal.h 0 main STP +-/external/protobuf/protobuf_code/third_party/abseil-cpp/absl/strings/internal/cord_rep_btree.h 
/package/include/tprotobuf/absl/strings/internal/cord_rep_btree.h 0 main STP +-/external/protobuf/protobuf_code/third_party/abseil-cpp/absl/strings/internal/cord_rep_btree_navigator.h /package/include/tprotobuf/absl/strings/internal/cord_rep_btree_navigator.h 0 main STP +-/external/protobuf/protobuf_code/third_party/abseil-cpp/absl/strings/internal/cord_rep_btree_reader.h /package/include/tprotobuf/absl/strings/internal/cord_rep_btree_reader.h 0 main STP +-/external/protobuf/protobuf_code/third_party/abseil-cpp/absl/strings/internal/cord_rep_crc.h /package/include/tprotobuf/absl/strings/internal/cord_rep_crc.h 0 main STP +-/external/protobuf/protobuf_code/third_party/abseil-cpp/absl/strings/internal/cord_rep_flat.h /package/include/tprotobuf/absl/strings/internal/cord_rep_flat.h 0 main STP +-/external/protobuf/protobuf_code/third_party/abseil-cpp/absl/strings/internal/cord_rep_ring.h /package/include/tprotobuf/absl/strings/internal/cord_rep_ring.h 0 main STP +-/external/protobuf/protobuf_code/third_party/abseil-cpp/absl/strings/internal/cordz_functions.h /package/include/tprotobuf/absl/strings/internal/cordz_functions.h 0 main STP +-/external/protobuf/protobuf_code/third_party/abseil-cpp/absl/strings/internal/cordz_handle.h /package/include/tprotobuf/absl/strings/internal/cordz_handle.h 0 main STP +-/external/protobuf/protobuf_code/third_party/abseil-cpp/absl/strings/internal/cordz_info.h /package/include/tprotobuf/absl/strings/internal/cordz_info.h 0 main STP +-/external/protobuf/protobuf_code/third_party/abseil-cpp/absl/strings/internal/cordz_statistics.h /package/include/tprotobuf/absl/strings/internal/cordz_statistics.h 0 main STP +-/external/protobuf/protobuf_code/third_party/abseil-cpp/absl/strings/internal/cordz_update_scope.h /package/include/tprotobuf/absl/strings/internal/cordz_update_scope.h 0 main STP +-/external/protobuf/protobuf_code/third_party/abseil-cpp/absl/strings/internal/cordz_update_tracker.h 
/package/include/tprotobuf/absl/strings/internal/cordz_update_tracker.h 0 main STP +-/external/protobuf/protobuf_code/third_party/abseil-cpp/absl/strings/internal/has_absl_stringify.h /package/include/tprotobuf/absl/strings/internal/has_absl_stringify.h 0 main STP +-/external/protobuf/protobuf_code/third_party/abseil-cpp/absl/strings/internal/resize_uninitialized.h /package/include/tprotobuf/absl/strings/internal/resize_uninitialized.h 0 main STP +-/external/protobuf/protobuf_code/third_party/abseil-cpp/absl/strings/internal/string_constant.h /package/include/tprotobuf/absl/strings/internal/string_constant.h 0 main STP +-/external/protobuf/protobuf_code/third_party/abseil-cpp/absl/strings/internal/stringify_sink.h /package/include/tprotobuf/absl/strings/internal/stringify_sink.h 0 main STP +-/external/protobuf/protobuf_code/third_party/abseil-cpp/absl/strings/match.h /package/include/tprotobuf/absl/strings/match.h 0 main STP +-/external/protobuf/protobuf_code/third_party/abseil-cpp/absl/strings/numbers.h /package/include/tprotobuf/absl/strings/numbers.h 0 main STP +-/external/protobuf/protobuf_code/third_party/abseil-cpp/absl/strings/str_cat.h /package/include/tprotobuf/absl/strings/str_cat.h 0 main STP +-/external/protobuf/protobuf_code/third_party/abseil-cpp/absl/strings/str_format.h /package/include/tprotobuf/absl/strings/str_format.h 0 main STP +-/external/protobuf/protobuf_code/third_party/abseil-cpp/absl/strings/str_join.h /package/include/tprotobuf/absl/strings/str_join.h 0 main STP +-/external/protobuf/protobuf_code/third_party/abseil-cpp/absl/strings/str_replace.h /package/include/tprotobuf/absl/strings/str_replace.h 0 main STP +-/external/protobuf/protobuf_code/third_party/abseil-cpp/absl/strings/str_split.h /package/include/tprotobuf/absl/strings/str_split.h 0 main STP +-/external/protobuf/protobuf_code/third_party/abseil-cpp/absl/strings/string_view.h /package/include/tprotobuf/absl/strings/string_view.h 0 main STP 
+-/external/protobuf/protobuf_code/third_party/abseil-cpp/absl/strings/strip.h /package/include/tprotobuf/absl/strings/strip.h 0 main STP +-/external/protobuf/protobuf_code/third_party/abseil-cpp/absl/strings/substitute.h /package/include/tprotobuf/absl/strings/substitute.h 0 main STP +-/external/protobuf/protobuf_code/third_party/abseil-cpp/absl/synchronization/barrier.h /package/include/tprotobuf/absl/synchronization/barrier.h 0 main STP +-/external/protobuf/protobuf_code/third_party/abseil-cpp/absl/synchronization/blocking_counter.h /package/include/tprotobuf/absl/synchronization/blocking_counter.h 0 main STP +-/external/protobuf/protobuf_code/third_party/abseil-cpp/absl/synchronization/internal/create_thread_identity.h /package/include/tprotobuf/absl/synchronization/internal/create_thread_identity.h 0 main STP +-/external/protobuf/protobuf_code/third_party/abseil-cpp/absl/synchronization/internal/kernel_timeout.h /package/include/tprotobuf/absl/synchronization/internal/kernel_timeout.h 0 main STP +-/external/protobuf/protobuf_code/third_party/abseil-cpp/absl/synchronization/internal/per_thread_sem.h /package/include/tprotobuf/absl/synchronization/internal/per_thread_sem.h 0 main STP +-/external/protobuf/protobuf_code/third_party/abseil-cpp/absl/synchronization/mutex.h /package/include/tprotobuf/absl/synchronization/mutex.h 0 main STP +-/external/protobuf/protobuf_code/third_party/abseil-cpp/absl/synchronization/notification.h /package/include/tprotobuf/absl/synchronization/notification.h 0 main STP +-/external/protobuf/protobuf_code/third_party/abseil-cpp/absl/time/civil_time.h /package/include/tprotobuf/absl/time/civil_time.h 0 main STP +-/external/protobuf/protobuf_code/third_party/abseil-cpp/absl/time/clock.h /package/include/tprotobuf/absl/time/clock.h 0 main STP +-/external/protobuf/protobuf_code/third_party/abseil-cpp/absl/time/internal/cctz/include/cctz/civil_time.h /package/include/tprotobuf/absl/time/internal/cctz/include/cctz/civil_time.h 0 main STP 
+-/external/protobuf/protobuf_code/third_party/abseil-cpp/absl/time/internal/cctz/include/cctz/civil_time_detail.h /package/include/tprotobuf/absl/time/internal/cctz/include/cctz/civil_time_detail.h 0 main STP +-/external/protobuf/protobuf_code/third_party/abseil-cpp/absl/time/internal/cctz/include/cctz/time_zone.h /package/include/tprotobuf/absl/time/internal/cctz/include/cctz/time_zone.h 0 main STP +-/external/protobuf/protobuf_code/third_party/abseil-cpp/absl/time/time.h /package/include/tprotobuf/absl/time/time.h 0 main STP +-/external/protobuf/protobuf_code/third_party/abseil-cpp/absl/types/any.h /package/include/tprotobuf/absl/types/any.h 0 main STP +-/external/protobuf/protobuf_code/third_party/abseil-cpp/absl/types/bad_any_cast.h /package/include/tprotobuf/absl/types/bad_any_cast.h 0 main STP +-/external/protobuf/protobuf_code/third_party/abseil-cpp/absl/types/bad_optional_access.h /package/include/tprotobuf/absl/types/bad_optional_access.h 0 main STP +-/external/protobuf/protobuf_code/third_party/abseil-cpp/absl/types/bad_variant_access.h /package/include/tprotobuf/absl/types/bad_variant_access.h 0 main STP +-/external/protobuf/protobuf_code/third_party/abseil-cpp/absl/types/compare.h /package/include/tprotobuf/absl/types/compare.h 0 main STP +-/external/protobuf/protobuf_code/third_party/abseil-cpp/absl/types/internal/span.h /package/include/tprotobuf/absl/types/internal/span.h 0 main STP +-/external/protobuf/protobuf_code/third_party/abseil-cpp/absl/types/internal/variant.h /package/include/tprotobuf/absl/types/internal/variant.h 0 main STP +-/external/protobuf/protobuf_code/third_party/abseil-cpp/absl/types/internal/optional.h /package/include/tprotobuf/absl/types/internal/optional.h 0 main STP +-/external/protobuf/protobuf_code/third_party/abseil-cpp/absl/types/optional.h /package/include/tprotobuf/absl/types/optional.h 0 main STP +-/external/protobuf/protobuf_code/third_party/abseil-cpp/absl/types/span.h /package/include/tprotobuf/absl/types/span.h 0 
main STP +-/external/protobuf/protobuf_code/third_party/abseil-cpp/absl/types/variant.h /package/include/tprotobuf/absl/types/variant.h 0 main STP +-/external/protobuf/protobuf_code/third_party/abseil-cpp/absl/utility/utility.h /package/include/tprotobuf/absl/utility/utility.h 0 main STP +-/external/mbedtls/mbedtls_code/include/mbedtls/aes.h /package/include/mbedtls/aes.h 0 main STP +-/external/mbedtls/mbedtls_code/include/mbedtls/bignum.h /package/include/mbedtls/bignum.h 0 main STP +-/external/mbedtls/mbedtls_code/include/mbedtls/build_info.h /package/include/mbedtls/build_info.h 0 main STP +-/external/mbedtls/mbedtls_code/include/mbedtls/check_config.h /package/include/mbedtls/check_config.h 0 main STP +-/external/mbedtls/mbedtls_code/include/mbedtls/cipher.h /package/include/mbedtls/cipher.h 0 main STP +- +-/external/mbedtls/mbedtls_code/include/mbedtls/config_psa.h /package/include/mbedtls/config_psa.h 0 main STP +-/external/mbedtls/mbedtls_code/include/mbedtls/ctr_drbg.h /package/include/mbedtls/ctr_drbg.h 0 main STP +-/external/mbedtls/mbedtls_code/include/mbedtls/ecdsa.h /package/include/mbedtls/ecdsa.h 0 main STP +-/external/mbedtls/mbedtls_code/include/mbedtls/ecp.h /package/include/mbedtls/ecp.h 0 main STP +-/external/mbedtls/mbedtls_code/include/mbedtls/entropy.h /package/include/mbedtls/entropy.h 0 main STP +-/external/mbedtls/mbedtls_code/include/mbedtls/mbedtls_config.h /package/include/mbedtls/mbedtls_config.h 0 main STP +-/external/mbedtls/mbedtls_code/include/mbedtls/md.h /package/include/mbedtls/md.h 0 main STP +-/external/mbedtls/mbedtls_code/include/mbedtls/platform_util.h /package/include/mbedtls/platform_util.h 0 main STP +-/external/mbedtls/mbedtls_code/include/mbedtls/private_access.h /package/include/mbedtls/private_access.h 0 main STP +-/external/mbedtls/mbedtls_code/include/mbedtls/sha1.h /package/include/mbedtls/sha1.h 0 main STP +-/external/mbedtls/mbedtls_code/include/mbedtls/sha256.h /package/include/mbedtls/sha256.h 0 main STP 
+-/external/mbedtls/mbedtls_code/include/mbedtls/sha512.h /package/include/mbedtls/sha512.h 0 main STP
+-/external/mbedtls/mbedtls_code/include/mbedtls/threading.h /package/include/mbedtls/threading.h 0 main STP
+-/external/mbedtls/mbedtls_code/include/mbedtls/platform.h /package/include/mbedtls/platform.h 0 main STP
+-/external/mbedtls/mbedtls_code/include/mbedtls/ecdh.h /package/include/mbedtls/ecdh.h 0 main STP
+-/external/mbedtls/mbedtls_code/include/mbedtls/cmac.h /package/include/mbedtls/cmac.h 0 main STP
+-/external/mbedtls/mbedtls_code/include/mbedtls/rsa.h /package/include/mbedtls/rsa.h 0 main STP
+-/external/mbedtls/mbedtls_code/include/mbedtls/gcm.h /package/include/mbedtls/gcm.h 0 main STP
+-/external/mbedtls/mbedtls_code/include/mbedtls/config_adjust_legacy_crypto.h /package/include/mbedtls/config_adjust_legacy_crypto.h 0 main STP
+-/external/mbedtls/mbedtls_code/include/mbedtls/config_adjust_x509.h /package/include/mbedtls/config_adjust_x509.h 0 main STP
+-/external/mbedtls/mbedtls_code/include/mbedtls/config_adjust_ssl.h /package/include/mbedtls/config_adjust_ssl.h 0 main STP
+ /common/buildenv.mk /package/buildenv.mk 0 main STP
+diff --git a/linux/installer/common/sdk/BOMs/sdk_cve_2020_0551_cf.txt b/linux/installer/common/sdk/BOMs/sdk_cve_2020_0551_cf.txt
+index d494deba..998def35 100644
+--- a/linux/installer/common/sdk/BOMs/sdk_cve_2020_0551_cf.txt
++++ b/linux/installer/common/sdk/BOMs/sdk_cve_2020_0551_cf.txt
+@@ -9,11 +9,8 @@ DeliveryName InstallName FileCheckSum FileFeature FileOwner
+ /build/linuxCF/libsgx_tswitchless.a /package/lib64/cve_2020_0551_cf/libsgx_tswitchless.a 0 main STP
+ /build/linuxCF/libsgx_tprotected_fs.a /package/lib64/cve_2020_0551_cf/libsgx_tprotected_fs.a 0 main STP
+ /build/linuxCF/libsgx_pcl.a /package/lib64/cve_2020_0551_cf/libsgx_pcl.a 0 main STP
+-/build/linuxCF/libsgx_omp.a /package/lib64/cve_2020_0551_cf/libsgx_omp.a 0 main STP
+ /build/linuxCF/libsgx_pthread.a /package/lib64/cve_2020_0551_cf/libsgx_pthread.a 0 
main STP
+-/build/linuxCF/libsgx_protobuf.a /package/lib64/cve_2020_0551_cf/libsgx_protobuf.a 0 main STP
+ /build/linuxCF/libsgx_ttls.a /package/lib64/cve_2020_0551_cf/libsgx_ttls.a 0 main STP
+ /build/linuxCF/libtdx_tls.a /package/lib64/cve_2020_0551_cf/libtdx_tls.a 0 main STP
+ /build/linuxCF/libsgx_utls.a /package/lib64/cve_2020_0551_cf/libsgx_utls.a 0 main STP
+-/build/linuxCF/libsgx_mbedcrypto.a /package/lib64/cve_2020_0551_cf/libsgx_mbedcrypto.a 0 main STP
+ /external/dcap_source/QuoteGeneration/build/linuxCF/libsgx_dcap_tvl.a /package/lib64/cve_2020_0551_cf/libsgx_dcap_tvl.a 0 main STP
+diff --git a/linux/installer/common/sdk/BOMs/sdk_cve_2020_0551_load.txt b/linux/installer/common/sdk/BOMs/sdk_cve_2020_0551_load.txt
+index 53c9cfc6..b68b9976 100644
+--- a/linux/installer/common/sdk/BOMs/sdk_cve_2020_0551_load.txt
++++ b/linux/installer/common/sdk/BOMs/sdk_cve_2020_0551_load.txt
+@@ -9,11 +9,8 @@ DeliveryName InstallName FileCheckSum FileFeature FileOwner
+ /build/linuxLOAD/libsgx_tswitchless.a /package/lib64/cve_2020_0551_load/libsgx_tswitchless.a 0 main STP
+ /build/linuxLOAD/libsgx_tprotected_fs.a /package/lib64/cve_2020_0551_load/libsgx_tprotected_fs.a 0 main STP
+ /build/linuxLOAD/libsgx_pcl.a /package/lib64/cve_2020_0551_load/libsgx_pcl.a 0 main STP
+-/build/linuxLOAD/libsgx_omp.a /package/lib64/cve_2020_0551_load/libsgx_omp.a 0 main STP
+ /build/linuxLOAD/libsgx_pthread.a /package/lib64/cve_2020_0551_load/libsgx_pthread.a 0 main STP
+-/build/linuxLOAD/libsgx_protobuf.a /package/lib64/cve_2020_0551_load/libsgx_protobuf.a 0 main STP
+ /build/linuxLOAD/libsgx_ttls.a /package/lib64/cve_2020_0551_load/libsgx_ttls.a 0 main STP
+ /build/linuxLOAD/libtdx_tls.a /package/lib64/cve_2020_0551_load/libtdx_tls.a 0 main STP
+ /build/linuxLOAD/libsgx_utls.a /package/lib64/cve_2020_0551_load/libsgx_utls.a 0 main STP
+-/build/linuxLOAD/libsgx_mbedcrypto.a /package/lib64/cve_2020_0551_load/libsgx_mbedcrypto.a 0 main STP
+ 
/external/dcap_source/QuoteGeneration/build/linuxLOAD/libsgx_dcap_tvl.a /package/lib64/cve_2020_0551_load/libsgx_dcap_tvl.a 0 main STP
+diff --git a/linux/installer/common/sdk/BOMs/sdk_x64.txt b/linux/installer/common/sdk/BOMs/sdk_x64.txt
+index 629492c1..602a804d 100644
+--- a/linux/installer/common/sdk/BOMs/sdk_x64.txt
++++ b/linux/installer/common/sdk/BOMs/sdk_x64.txt
+@@ -39,14 +39,10 @@ DeliveryName InstallName FileCheckSum FileFeature FileOwner
+ /build/linux/sgx_edger8r /package/bin/x64/sgx_edger8r 0 main STP
+ /build/linux/sgx_sign /package/bin/x64/sgx_sign 0 main STP
+ /build/linux/sgx_encrypt /package/bin/x64/sgx_encrypt 0 main STP
+-/build/linux/sgx_protoc /package/bin/x64/sgx_protoc 0 main STP
+ /build/linux/libsgx_pthread.a /package/lib64/libsgx_pthread.a 0 main STP
+-/build/linux/libsgx_omp.a /package/lib64/libsgx_omp.a 0 main STP
+-/build/linux/libsgx_protobuf.a /package/lib64/libsgx_protobuf.a 0 main STP
+ /build/linux/libsgx_ttls.a /package/lib64/libsgx_ttls.a 0 main STP
+ /build/linux/libtdx_tls.a /package/lib64/libtdx_tls.a 0 main STP
+ /build/linux/libsgx_utls.a /package/lib64/libsgx_utls.a 0 main STP
+-/build/linux/libsgx_mbedcrypto.a /package/lib64/libsgx_mbedcrypto.a 0 main STP
+ /external/dcap_source/QuoteGeneration/build/linux/libsgx_dcap_tvl.a /package/lib64/libsgx_dcap_tvl.a 0 main STP
+ /linux/installer/common/sdk/installConfig.x64 /scripts/installConfig 0 main STP
+ /linux/installer/common/sdk/pkgconfig/x64/libsgx_uae_service_sim.pc /package/pkgconfig/libsgx_uae_service_sim.pc 0 main STP
+diff --git a/sdk/Makefile.source b/sdk/Makefile.source
+index d3e40036..3bd08d5c 100644
+--- a/sdk/Makefile.source
++++ b/sdk/Makefile.source
+@@ -41,15 +41,11 @@
+ # - tprotected_fs: libsgx_tprotected_fs.a
+ # - tcmalloc: libsgx_tcmalloc.a
+ # - sgx_pcl: libsgx_pcl.a
+-# - openmp: libsgx_omp.a
+-# - protobuf: libsgx_protobuf.a
+ # - ttls: libsgx_ttls.a
+-# - mbedtls: libsgx_mbedcrypto.a
+ # - Untrtusted libraries
+ # - ukey_exchange: 
libsgx_ukey_exchange.a
+ # - uprotected_fs: libsgx_uprotected_fs.a
+ # - ptrace: libsgx_ptrace.so, gdb-sgx-plugin
+-# - sample_crypto: libsample_crypto.so (for sample code use)
+ # - utls: libsgx_utls.a
+ # - Standalone, untrusted libraries
+ # - libcapable: libsgx_capable.a libsgx_capable.so
+@@ -67,7 +63,7 @@ LIBTCXX := $(BUILD_DIR)/libsgx_tcxx.a
+ LIBTSE := $(BUILD_DIR)/libsgx_tservice.a
+ 
+ .PHONY: components
+-components: tstdc tcxx tservice trts tcrypto tkey_exchange ukey_exchange tprotected_fs uprotected_fs ptrace sample_crypto libcapable simulation signtool edger8r tcmalloc sgx_pcl sgx_encrypt sgx_tswitchless sgx_uswitchless pthread openmp protobuf ttls utls mbedtls
++components: tstdc tcxx tservice trts tcrypto tkey_exchange ukey_exchange tprotected_fs uprotected_fs ptrace libcapable simulation signtool edger8r tcmalloc sgx_pcl sgx_encrypt sgx_tswitchless sgx_uswitchless pthread ttls utls
+ 
+ # ---------------------------------------------------
+ # tstdc
+@@ -221,26 +217,10 @@ tprotected_fs: edger8r
+ sgx_pcl:
+ $(MAKE) -C protected_code_loader
+ 
+-.PHONY: openmp
+-openmp:
+- $(MAKE) -C $(LINUX_EXTERNAL_DIR)/openmp
+-
+-.PHONY: protobuf
+-protobuf:
+-ifeq ($(MITIGATION-CVE-2020-0551),)
+- $(MAKE) -C $(LINUX_EXTERNAL_DIR)/protobuf BUILD_PROTOC=1
+-else
+- $(MAKE) -C $(LINUX_EXTERNAL_DIR)/protobuf
+-endif
+-
+ .PHONY: ttls
+ ttls: edger8r
+ $(MAKE) -C ttls
+ 
+-.PHONY: mbedtls
+-mbedtls:
+- $(MAKE) -C $(LINUX_EXTERNAL_DIR)/mbedtls
+-
+ # ---------------------------------------------------
+ # Untrusted libraries
+ # ---------------------------------------------------
+@@ -256,10 +236,6 @@ uprotected_fs: edger8r
+ ptrace:
+ $(MAKE) -C debugger_interface/linux/
+ 
+-.PHONY: sample_crypto
+-sample_crypto:
+- $(MAKE) -C sample_libcrypto
+-
+ .PHONY: utls
+ utls:
+ $(MAKE) -C utls
+@@ -329,7 +305,6 @@ clean:
+ $(MAKE) -C protected_fs/sgx_tprotected_fs/ clean
+ $(MAKE) -C protected_fs/sgx_uprotected_fs/ clean
+ $(MAKE) -C debugger_interface/linux/ clean
+- $(MAKE) 
-C sample_libcrypto/ clean
+ $(MAKE) -C libcapable/linux/ clean
+ $(MAKE) -C simulation/ clean
+ $(MAKE) -C sign_tool/SignTool clean
+@@ -340,11 +315,8 @@ clean:
+ $(MAKE) -C switchless/sgx_uswitchless clean
+ $(MAKE) -C tmm_rsrv/ clean
+ $(MAKE) -C pthread clean
+- $(MAKE) -C $(LINUX_EXTERNAL_DIR)/openmp clean
+- $(MAKE) -C $(LINUX_EXTERNAL_DIR)/protobuf clean
+ $(MAKE) -C ttls clean
+ $(MAKE) -C utls clean
+- $(MAKE) -C $(LINUX_EXTERNAL_DIR)/mbedtls clean
+ @$(RM) $(LIBTLIBC) $(LIBTCXX) $(LIBTSE)
+ @$(RM) $(BUILD_DIR)/libc++_Changes_SGX.txt
+ @$(RM) -rf $(BUILD_DIR)/.compiler-rt
+-- 
+2.46.0
+
diff --git a/0006-Fix-compat-with-gcc-14.patch b/0006-Fix-compat-with-gcc-14.patch
new file mode 100644
index 0000000..8f331f3
--- /dev/null
+++ b/0006-Fix-compat-with-gcc-14.patch
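Review bot: The `components` line drops `mbedtls`, `protobuf`, `openmp` and `sample_crypto` but keeps `ttls` and `utls`; if `sdk/ttls` or `sdk/utls` still link against `libsgx_mbedcrypto.a` or the bundled protobuf headers (their Makefiles are not part of this hunk), the build will either fail or silently resolve against whatever headers happen to be on the include path, so that dependency is worth confirming before this lands. Nothing in the hunk records why the bundled third-party crypto is no longer built, which is exactly the kind of supply-chain decision the next packager needs to see; a one-line comment above the rule such as `# openmp, protobuf, mbedtls and sample_crypto are intentionally not built in this packaging` would do, and the patch description should name the replacement for each dropped component. The `components` rule itself is complete in the hunk, but the per-component rules it references are spread across the later hunks.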
@@ -0,0 +1,48 @@
+From ec8e718cbcdce69263bb2f61df112118234df7aa Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?=
+Date: Mon, 24 Jun 2024 17:36:13 +0100
+Subject: [PATCH 06/13] Fix compat with gcc 14
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+With refactoring of libstdc++, the header is no
+longer pulled in indirectly, so must be explicitly requested.
+
+The C++ standard for aesm must also be bumped to 14 to ensure
+that std::enable_if_t is available.
+
+Signed-off-by: Daniel P. Berrangé
+---
+ psw/ae/aesm_service/source/CMakeLists.txt | 2 +-
+ psw/enclave_common/sgx_enclave_common.cpp | 1 +
+ 2 files changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/psw/ae/aesm_service/source/CMakeLists.txt b/psw/ae/aesm_service/source/CMakeLists.txt
+index 3edd77c7..89b3e3ae 100644
+--- a/psw/ae/aesm_service/source/CMakeLists.txt
++++ b/psw/ae/aesm_service/source/CMakeLists.txt
+@@ -61,7 +61,7 @@ if(REF_LE)
+ endif()
+ 
+ set(CMAKE_CXX_STANDARD_REQUIRED 1)
+-set(CMAKE_CXX_STANDARD 11)
++set(CMAKE_CXX_STANDARD 14)
+ set(CMAKE_SKIP_BUILD_RPATH true)
+ 
+ ########## SGX SDK Settings ##########
+diff --git a/psw/enclave_common/sgx_enclave_common.cpp b/psw/enclave_common/sgx_enclave_common.cpp
+index 9867ecc8..46fcf873 100644
+--- a/psw/enclave_common/sgx_enclave_common.cpp
++++ b/psw/enclave_common/sgx_enclave_common.cpp
+@@ -35,6 +35,7 @@
+ #include
+ #include
+ #include
++#include
+ #include "sgx_enclave_common.h"
+ #include "sgx_urts.h"
+ #include "arch.h"
+-- 
+2.46.0
+
diff --git a/0007-Fix-escaping-of-regexes-in-sgx-asm-pp.patch b/0007-Fix-escaping-of-regexes-in-sgx-asm-pp.patch
new file mode 100644
index 0000000..946ac43
--- /dev/null
+++ b/0007-Fix-escaping-of-regexes-in-sgx-asm-pp.patch
@@ -0,0 +1,282 @@ +From 285845dd940042c9dfa3983aa478263b3aeb6d09 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?= +Date: Mon, 2 Sep 2024 16:49:18 +0100 +Subject: [PATCH 07/13] Fix escaping of regexes in sgx-asm-pp +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Running sgx-asm-pp.py on recent Python generates many warnings + + sgx-asm-pp.py:64: SyntaxWarning: invalid escape sequence '\s' + sgx-asm-pp.py:85: SyntaxWarning: invalid escape sequence '\s' + sgx-asm-pp.py:65: SyntaxWarning: invalid escape sequence '\s' + sgx-asm-pp.py:86: SyntaxWarning: invalid escape sequence '\s' + sgx-asm-pp.py:66: SyntaxWarning: invalid escape sequence '\s' + +Signed-off-by: Daniel P. Berrangé +--- + build-scripts/sgx-asm-pp.py | 242 ++++++++++++++++++------------------ + 1 file changed, 121 insertions(+), 121 deletions(-) + +diff --git a/build-scripts/sgx-asm-pp.py b/build-scripts/sgx-asm-pp.py +index 2b02396b..0df3fc47 100644 +--- a/build-scripts/sgx-asm-pp.py ++++ b/build-scripts/sgx-asm-pp.py +@@ -38,132 +38,132 @@ import re + import shutil + import argparse + +-LOCK = 'lock' +-REP = 'rep[a-z]*' +-REX = 'rex(?:\.[a-zA-Z]+)?' +-SCALAR = '(?:(?:[+-]\s*)?(?:[0-9][0-9a-fA-F]*|0x[0-9a-fA-F]+))' +-IMMEDIATE = '(?:%s[hb]?)' %(SCALAR) +-REG = '(?:[a-zA-Z][a-zA-Z0-9]*)' +-SYM = '(?:[_a-zA-Z][_a-zA-Z0-9]*(?:@[0-9a-zA-Z]+)?)' +-LABEL = '(?:[._a-zA-Z0-9]+)' +-SEP = '(?:(?:^|:)\s*)' +-PFX = '(?:%s\s+)?' 
%(REX) +-CONST = '(?:(?:%s|%s|%s)(?:\s*[/*+-]\s*(?:%s|%s|%s))*)' %(SYM, SCALAR, LABEL, SYM, SCALAR, LABEL) +-OFFSET = '(?:%s|%s|%s\s*:\s*(?:%s|%s|))' %(CONST, SYM, REG, CONST, SYM) +-MEMORYOP = '(?:\[*(?:[a-zA-Z]+\s+)*(?:%s\s*:\s*%s?|(?:%s\s*)?\[[^]]+\]\]*))' %(REG, CONST, OFFSET) +-ANYOP = '(?:%s|%s|%s|%s|%s)' %(MEMORYOP, IMMEDIATE, REG, SYM, LABEL) +-MEMORYOP = '(?:%s|(?:[a-zA-Z]+\s+(?:ptr|PTR)\s+%s))' %(MEMORYOP, ANYOP) +-MEMORYSRC = '(?:%s\s*,\s*)+%s(?:\s*,\s*%s)*' %(ANYOP, MEMORYOP, ANYOP) +-MEMORYANY = '(?:%s\s*,\s*)*%s(?:\s*,\s*%s)*' %(ANYOP, MEMORYOP, ANYOP) ++LOCK = r'lock' ++REP = r'rep[a-z]*' ++REX = r'rex(?:\.[a-zA-Z]+)?' ++SCALAR = r'(?:(?:[+-]\s*)?(?:[0-9][0-9a-fA-F]*|0x[0-9a-fA-F]+))' ++IMMEDIATE = r'(?:%s[hb]?)' %(SCALAR) ++REG = r'(?:[a-zA-Z][a-zA-Z0-9]*)' ++SYM = r'(?:[_a-zA-Z][_a-zA-Z0-9]*(?:@[0-9a-zA-Z]+)?)' ++LABEL = r'(?:[._a-zA-Z0-9]+)' ++SEP = r'(?:(?:^|:)\s*)' ++PFX = r'(?:%s\s+)?' %(REX) ++CONST = r'(?:(?:%s|%s|%s)(?:\s*[/*+-]\s*(?:%s|%s|%s))*)' %(SYM, SCALAR, LABEL, SYM, SCALAR, LABEL) ++OFFSET = r'(?:%s|%s|%s\s*:\s*(?:%s|%s|))' %(CONST, SYM, REG, CONST, SYM) ++MEMORYOP = r'(?:\[*(?:[a-zA-Z]+\s+)*(?:%s\s*:\s*%s?|(?:%s\s*)?\[[^]]+\]\]*))' %(REG, CONST, OFFSET) ++ANYOP = r'(?:%s|%s|%s|%s|%s)' %(MEMORYOP, IMMEDIATE, REG, SYM, LABEL) ++MEMORYOP = r'(?:%s|(?:[a-zA-Z]+\s+(?:ptr|PTR)\s+%s))' %(MEMORYOP, ANYOP) ++MEMORYSRC = r'(?:%s\s*,\s*)+%s(?:\s*,\s*%s)*' %(ANYOP, MEMORYOP, ANYOP) ++MEMORYANY = r'(?:%s\s*,\s*)*%s(?:\s*,\s*%s)*' %(ANYOP, MEMORYOP, ANYOP) + ATTSTAR = '' +-GPR = '(?:rax|rcx|rdx|rbx|rdi|rsi|rbp|rsp|r8|r9|r10|r11|r12|r13|r14|r15|RAX|RCX|RDX|RBX|RDI|RSI|RBP|RSP|R8|R9|R10|R11|R12|R13|R14|R15)' ++GPR = r'(?:rax|rcx|rdx|rbx|rdi|rsi|rbp|rsp|r8|r9|r10|r11|r12|r13|r14|r15|RAX|RCX|RDX|RBX|RDI|RSI|RBP|RSP|R8|R9|R10|R11|R12|R13|R14|R15)' + + LFENCE = [ +- '(?:%s%smov(?:[a-rt-z][a-z0-9]*)?\s+%s)' %(SEP, PFX, MEMORYSRC), +- '(?:%s%s(?:vpmask|vmask|mask|c|v|p|vp)mov[a-z0-9]*\s+%s)' %(SEP, PFX, MEMORYSRC), +- '(?:%s%spop[bswlqt]?\s+(?:%s|%s))' 
%(SEP, PFX, MEMORYOP, REG), +- '(?:%s%spopad?\s+%s\s*)' %(SEP, PFX, REG), +- '(?:%s%s(?:%s\s+)?xchg[a-z]*\s+%s)' %(SEP, PFX, LOCK, MEMORYANY), +- '(?:%s%s(?:%s\s+)?(?:x|p|vp|ph|h|pm|vpm|)add[a-z]*\s+%s)' %(SEP, PFX, LOCK, MEMORYANY), +- '(?:%s%s(?:%s\s+)?(?:p|vp|ph|h|)sub[a-z]*\s+%s)' %(SEP, PFX, LOCK, MEMORYANY), +- '(?:%s%s(?:%s\s+)?ad[co]x?[a-z]*\s+%s)' %(SEP, PFX, LOCK, MEMORYANY), +- '(?:%s%s(?:%s\s+)?sbb[a-z]*\s+%s)' %(SEP, PFX, LOCK, MEMORYANY), +- '(?:%s%s(?:%s\s+)?v?p?cmp(?:[a-rt-z][a-z0-9]*)?\s+%s)' %(SEP, PFX, LOCK, MEMORYANY), +- '(?:%s%s(?:%s\s+)?inc[a-z]*\s+%s)' %(SEP, PFX, LOCK, MEMORYANY), +- '(?:%s%s(?:%s\s+)?dec[a-z]*\s+%s)' %(SEP, PFX, LOCK, MEMORYANY), +- '(?:%s%s(?:%s\s+)?not[a-z]*\s+%s)' %(SEP, PFX, LOCK, MEMORYANY), +- '(?:%s%s(?:%s\s+)?neg[a-z]*\s+%s)' %(SEP, PFX, LOCK, MEMORYANY), +- '(?:%s%s(?:i|v|p|vp|)mul[a-z]*\s+%s)' %(SEP, PFX, MEMORYANY), +- '(?:%s%s(?:i|v|p|vp|)div[a-z]*\s+%s)' %(SEP, PFX, MEMORYANY), +- '(?:%s%spopcnt[a-z]*\s+%s)' %(SEP, PFX, MEMORYSRC), +- '(?:%s%scrc32[a-z]*\s+%s)' %(SEP, PFX, MEMORYANY), +- '(?:%s%s(?:%s\s+)?v?p?and[a-z]*\s+%s)' %(SEP, PFX, LOCK, MEMORYANY), +- '(?:%s%s(?:%s\s+)?v?p?or[a-z]*\s+%s)' %(SEP, PFX, LOCK, MEMORYANY), +- '(?:%s%s(?:%s\s+)?v?p?xor[a-z]*\s+%s)' %(SEP, PFX, LOCK, MEMORYANY), +- '(?:%s%sv?p?test[a-z]*\s+%s)' %(SEP, PFX, MEMORYANY), +- '(?:%s%ss[ah][lr][a-z]*\s+%s)' %(SEP, PFX, MEMORYANY), +- '(?:%s%ssar[a-z]*\s+%s)' %(SEP, PFX, MEMORYANY), +- '(?:%s%s(?:vp|)ro(?:r|l)[a-z]*\s+%s)' %(SEP, PFX, MEMORYANY), +- '(?:%s%src(?:r|l)[a-z]*\s+%s)' %(SEP, PFX, MEMORYANY), +- '(?:%s%s(?:%s\s+)?bt[a-z]*\s+%s)' %(SEP, PFX, LOCK, MEMORYANY), +- '(?:%s%sbs[fr][a-z]*\s+%s)' %(SEP, PFX, MEMORYANY), +- '(?:%s%s(?:vp|)[lt]zcnt[a-z]*\s+%s)' %(SEP, PFX, MEMORYANY), +- '(?:%s%sblsi[a-z]*\s+%s)' %(SEP, PFX, MEMORYANY), +- '(?:%s%sblsmsk[a-z]*\s+%s)' %(SEP, PFX, MEMORYANY), +- '(?:%s%sblsr[a-z]*\s+%s)' %(SEP, PFX, MEMORYANY), +- '(?:%s%sbextr[a-z]*\s+%s)' %(SEP, PFX, MEMORYANY), +- '(?:%s%sbzhi[a-z]*\s+%s)' %(SEP, 
PFX, MEMORYANY), +- '(?:%s%spdep[a-z]*\s+%s)' %(SEP, PFX, MEMORYSRC), +- '(?:%s%spext[a-z]*\s+%s)' %(SEP, PFX, MEMORYSRC), +- '(?:%s%s(?:%s\s+)?lods[a-z]*(?:\s+%s|\s*(?:#|$)))' %(SEP, PFX, REP, MEMORYSRC), +- '(?:%s%s(?:%s\s+)?scas[a-z]*(?:\s+%s|\s*(?:#|$)))' %(SEP, PFX, REP, MEMORYSRC), +- '(?:%s%s(?:%s\s+)?outs[a-z]*(?:\s+%s|\s*(?:#|$)))' %(SEP, PFX, REP, MEMORYSRC), +- '(?:%s%s(?:%s\s+)?cmps[a-z]*(?:\s+%s|\s*(?:#|$)))' %(SEP, PFX, REP, MEMORYSRC), +- '(?:%s%s(?:%s\s+)?movs[a-z]*(?:\s+%s|\s*(?:#|$)))' %(SEP, PFX, REP, MEMORYSRC), +- '(?:%s%slddqu\s+%s)' %(SEP, PFX, MEMORYSRC), +- '(?:%s%sv?pack[a-z]*\s+%s)' %(SEP, PFX, MEMORYSRC), +- '(?:%s%sv?p?unpck[a-z]*\s+%s)' %(SEP, PFX, MEMORYSRC), +- '(?:%s%sv?p?shuf[a-z0-9]*\s+%s)' %(SEP, PFX, MEMORYSRC), +- '(?:%s%sv?p?align[a-z]*\s+%s)' %(SEP, PFX, MEMORYSRC), +- '(?:%s%sv?pblend[a-z]*\s+%s)' %(SEP, PFX, MEMORYSRC), +- '(?:%s%svperm[a-z0-9]*\s+%s)' %(SEP, PFX, MEMORYSRC), +- '(?:%s%sv?p?insr[a-z]*\s+%s)' %(SEP, PFX, MEMORYSRC), +- '(?:%s%sv?insert[a-z0-9]*\s+%s)' %(SEP, PFX, MEMORYSRC), +- '(?:%s%sv?p?expand[a-z]*\s+%s)' %(SEP, PFX, MEMORYSRC), +- '(?:%s%svp?broadcast[a-z0-9]*\s+%s)' %(SEP, PFX, MEMORYANY), +- '(?:%s%svp?gather[a-z]*\s+%s)' %(SEP, PFX, MEMORYANY), +- '(?:%s%sv?pavg[a-z]*\s+%s)' %(SEP, PFX, MEMORYANY), +- '(?:%s%sv?p?min[a-z]*\s+%s)' %(SEP, PFX, MEMORYANY), +- '(?:%s%sv?p?max[a-z]*\s+%s)' %(SEP, PFX, MEMORYANY), +- '(?:%s%sv?phminpos[a-z]*\s+%s)' %(SEP, PFX, MEMORYANY), +- '(?:%s%sv?pabs[a-z]*\s+%s)' %(SEP, PFX, MEMORYANY), +- '(?:%s%sv?psign[a-z]*\s+%s)' %(SEP, PFX, MEMORYANY), +- '(?:%s%sv?(?:m|db|)psad[a-z]*\s+%s)' %(SEP, PFX, MEMORYANY), +- '(?:%s%sv?psll[a-z]*\s+%s)' %(SEP, PFX, MEMORYANY), +- '(?:%s%sv?psrl[a-z]*\s+%s)' %(SEP, PFX, MEMORYANY), +- '(?:%s%sv?psra[a-z]*\s+%s)' %(SEP, PFX, MEMORYANY), +- '(?:%s%sv?pclmulqdq\s+%s)' %(SEP, PFX, MEMORYANY), +- '(?:%s%sv?aesdec(?:last)?\s+%s)' %(SEP, PFX, MEMORYANY), +- '(?:%s%sv?aesenc(?:last)?\s+%s)' %(SEP, PFX, MEMORYANY), +- '(?:%s%sv?aesimc\s+%s)' 
%(SEP, PFX, MEMORYANY), +- '(?:%s%sv?aeskeygenassist\s+%s)' %(SEP, PFX, MEMORYANY), +- '(?:%s%sv?sha(?:1|256)(?:nexte|rnds4|msg1|msg2)\s+%s)' %(SEP, PFX, MEMORYSRC), +- '(?:%s%sv?cvt[a-z0-9]*\s+%s)' %(SEP, PFX, MEMORYSRC), +- '(?:%s%sv?rcp(?:ss|ps)\s+%s)' %(SEP, PFX, MEMORYANY), +- '(?:%s%sv?u?comis[sd]\s+%s)' %(SEP, PFX, MEMORYANY), +- '(?:%s%sv?round[a-z]*\s+%s)' %(SEP, PFX, MEMORYANY), +- '(?:%s%sv?dpp[sd]*\s+%s)' %(SEP, PFX, MEMORYANY), +- '(?:%s%sv?r?sqrt[a-z0-9]*\s+%s)' %(SEP, PFX, MEMORYSRC), +- '(?:%s%sv?ldmxcsr\s+%s)' %(SEP, PFX, MEMORYOP), +- '(?:%s%sf?x?rstors?\s+%s)' %(SEP, PFX, MEMORYOP), +- '(?:%s%sl[gi]dt\s+%s)' %(SEP, PFX, MEMORYOP), +- '(?:%s%slmsw\s+%s)' %(SEP, PFX, MEMORYANY), +- '(?:%s%svmptrld\s+%s)' %(SEP, PFX, MEMORYOP), +- '(?:%s%sf(?:b|i|)ld[a-z0-9]*\s+%s)' %(SEP, PFX, MEMORYANY), +- '(?:%s%sfi?add[a-z]*\s+%s)' %(SEP, PFX, MEMORYANY), +- '(?:%s%sfi?sub[a-z]*\s+%s)' %(SEP, PFX, MEMORYANY), +- '(?:%s%sfi?mul[a-z]*\s+%s)' %(SEP, PFX, MEMORYANY), +- '(?:%s%sfi?div[a-z]*\s+%s)' %(SEP, PFX, MEMORYANY), +- '(?:%s%sf(?:i|u|)com[a-z]*\s+%s)' %(SEP, PFX, MEMORYANY), +- '(?:%s%sleave[bswlqt]?)' %(SEP, PFX), +- '(?:%s%spopf[bswlqt]?)' %(SEP, PFX), +- '(?:%s%svfixupimm[a-z]*\s+%s)' %(SEP, PFX, MEMORYANY), +- '(?:%s%svf[m|n]add[a-z0-9]*\s+%s)' %(SEP, PFX, MEMORYANY), +- '(?:%s%svfpclass[a-z]*\s+%s)' %(SEP, PFX, MEMORYANY), +- '(?:%s%svget[a-z]*\s+%s)' %(SEP, PFX, MEMORYANY), +- '(?:%s%svpconflict[a-z]*\s+%s)' %(SEP, PFX, MEMORYANY), +- '(?:%s%svpternlog[d|q]\s+%s)' %(SEP, PFX, MEMORYANY), +- '(?:%s%svrange[a-z]*\s+%s)' %(SEP, PFX, MEMORYANY), +- '(?:%s%svreduce[a-z]*\s+%s)' %(SEP, PFX, MEMORYANY), +- '(?:%s%svrndscale[a-z]*\s+%s)' %(SEP, PFX, MEMORYANY), +- '(?:%s%svscalef[a-z]*\s+%s)' %(SEP, PFX, MEMORYANY), +- '(?:%s%sxlat\s+%s)' %(SEP, PFX, MEMORYANY), +- '(?:%s%sxlatb?)' %(SEP, PFX), ++ r'(?:%s%smov(?:[a-rt-z][a-z0-9]*)?\s+%s)' %(SEP, PFX, MEMORYSRC), ++ r'(?:%s%s(?:vpmask|vmask|mask|c|v|p|vp)mov[a-z0-9]*\s+%s)' %(SEP, PFX, MEMORYSRC), ++ 
r'(?:%s%spop[bswlqt]?\s+(?:%s|%s))' %(SEP, PFX, MEMORYOP, REG), ++ r'(?:%s%spopad?\s+%s\s*)' %(SEP, PFX, REG), ++ r'(?:%s%s(?:%s\s+)?xchg[a-z]*\s+%s)' %(SEP, PFX, LOCK, MEMORYANY), ++ r'(?:%s%s(?:%s\s+)?(?:x|p|vp|ph|h|pm|vpm|)add[a-z]*\s+%s)' %(SEP, PFX, LOCK, MEMORYANY), ++ r'(?:%s%s(?:%s\s+)?(?:p|vp|ph|h|)sub[a-z]*\s+%s)' %(SEP, PFX, LOCK, MEMORYANY), ++ r'(?:%s%s(?:%s\s+)?ad[co]x?[a-z]*\s+%s)' %(SEP, PFX, LOCK, MEMORYANY), ++ r'(?:%s%s(?:%s\s+)?sbb[a-z]*\s+%s)' %(SEP, PFX, LOCK, MEMORYANY), ++ r'(?:%s%s(?:%s\s+)?v?p?cmp(?:[a-rt-z][a-z0-9]*)?\s+%s)' %(SEP, PFX, LOCK, MEMORYANY), ++ r'(?:%s%s(?:%s\s+)?inc[a-z]*\s+%s)' %(SEP, PFX, LOCK, MEMORYANY), ++ r'(?:%s%s(?:%s\s+)?dec[a-z]*\s+%s)' %(SEP, PFX, LOCK, MEMORYANY), ++ r'(?:%s%s(?:%s\s+)?not[a-z]*\s+%s)' %(SEP, PFX, LOCK, MEMORYANY), ++ r'(?:%s%s(?:%s\s+)?neg[a-z]*\s+%s)' %(SEP, PFX, LOCK, MEMORYANY), ++ r'(?:%s%s(?:i|v|p|vp|)mul[a-z]*\s+%s)' %(SEP, PFX, MEMORYANY), ++ r'(?:%s%s(?:i|v|p|vp|)div[a-z]*\s+%s)' %(SEP, PFX, MEMORYANY), ++ r'(?:%s%spopcnt[a-z]*\s+%s)' %(SEP, PFX, MEMORYSRC), ++ r'(?:%s%scrc32[a-z]*\s+%s)' %(SEP, PFX, MEMORYANY), ++ r'(?:%s%s(?:%s\s+)?v?p?and[a-z]*\s+%s)' %(SEP, PFX, LOCK, MEMORYANY), ++ r'(?:%s%s(?:%s\s+)?v?p?or[a-z]*\s+%s)' %(SEP, PFX, LOCK, MEMORYANY), ++ r'(?:%s%s(?:%s\s+)?v?p?xor[a-z]*\s+%s)' %(SEP, PFX, LOCK, MEMORYANY), ++ r'(?:%s%sv?p?test[a-z]*\s+%s)' %(SEP, PFX, MEMORYANY), ++ r'(?:%s%ss[ah][lr][a-z]*\s+%s)' %(SEP, PFX, MEMORYANY), ++ r'(?:%s%ssar[a-z]*\s+%s)' %(SEP, PFX, MEMORYANY), ++ r'(?:%s%s(?:vp|)ro(?:r|l)[a-z]*\s+%s)' %(SEP, PFX, MEMORYANY), ++ r'(?:%s%src(?:r|l)[a-z]*\s+%s)' %(SEP, PFX, MEMORYANY), ++ r'(?:%s%s(?:%s\s+)?bt[a-z]*\s+%s)' %(SEP, PFX, LOCK, MEMORYANY), ++ r'(?:%s%sbs[fr][a-z]*\s+%s)' %(SEP, PFX, MEMORYANY), ++ r'(?:%s%s(?:vp|)[lt]zcnt[a-z]*\s+%s)' %(SEP, PFX, MEMORYANY), ++ r'(?:%s%sblsi[a-z]*\s+%s)' %(SEP, PFX, MEMORYANY), ++ r'(?:%s%sblsmsk[a-z]*\s+%s)' %(SEP, PFX, MEMORYANY), ++ r'(?:%s%sblsr[a-z]*\s+%s)' %(SEP, PFX, MEMORYANY), ++ 
r'(?:%s%sbextr[a-z]*\s+%s)' %(SEP, PFX, MEMORYANY), ++ r'(?:%s%sbzhi[a-z]*\s+%s)' %(SEP, PFX, MEMORYANY), ++ r'(?:%s%spdep[a-z]*\s+%s)' %(SEP, PFX, MEMORYSRC), ++ r'(?:%s%spext[a-z]*\s+%s)' %(SEP, PFX, MEMORYSRC), ++ r'(?:%s%s(?:%s\s+)?lods[a-z]*(?:\s+%s|\s*(?:#|$)))' %(SEP, PFX, REP, MEMORYSRC), ++ r'(?:%s%s(?:%s\s+)?scas[a-z]*(?:\s+%s|\s*(?:#|$)))' %(SEP, PFX, REP, MEMORYSRC), ++ r'(?:%s%s(?:%s\s+)?outs[a-z]*(?:\s+%s|\s*(?:#|$)))' %(SEP, PFX, REP, MEMORYSRC), ++ r'(?:%s%s(?:%s\s+)?cmps[a-z]*(?:\s+%s|\s*(?:#|$)))' %(SEP, PFX, REP, MEMORYSRC), ++ r'(?:%s%s(?:%s\s+)?movs[a-z]*(?:\s+%s|\s*(?:#|$)))' %(SEP, PFX, REP, MEMORYSRC), ++ r'(?:%s%slddqu\s+%s)' %(SEP, PFX, MEMORYSRC), ++ r'(?:%s%sv?pack[a-z]*\s+%s)' %(SEP, PFX, MEMORYSRC), ++ r'(?:%s%sv?p?unpck[a-z]*\s+%s)' %(SEP, PFX, MEMORYSRC), ++ r'(?:%s%sv?p?shuf[a-z0-9]*\s+%s)' %(SEP, PFX, MEMORYSRC), ++ r'(?:%s%sv?p?align[a-z]*\s+%s)' %(SEP, PFX, MEMORYSRC), ++ r'(?:%s%sv?pblend[a-z]*\s+%s)' %(SEP, PFX, MEMORYSRC), ++ r'(?:%s%svperm[a-z0-9]*\s+%s)' %(SEP, PFX, MEMORYSRC), ++ r'(?:%s%sv?p?insr[a-z]*\s+%s)' %(SEP, PFX, MEMORYSRC), ++ r'(?:%s%sv?insert[a-z0-9]*\s+%s)' %(SEP, PFX, MEMORYSRC), ++ r'(?:%s%sv?p?expand[a-z]*\s+%s)' %(SEP, PFX, MEMORYSRC), ++ r'(?:%s%svp?broadcast[a-z0-9]*\s+%s)' %(SEP, PFX, MEMORYANY), ++ r'(?:%s%svp?gather[a-z]*\s+%s)' %(SEP, PFX, MEMORYANY), ++ r'(?:%s%sv?pavg[a-z]*\s+%s)' %(SEP, PFX, MEMORYANY), ++ r'(?:%s%sv?p?min[a-z]*\s+%s)' %(SEP, PFX, MEMORYANY), ++ r'(?:%s%sv?p?max[a-z]*\s+%s)' %(SEP, PFX, MEMORYANY), ++ r'(?:%s%sv?phminpos[a-z]*\s+%s)' %(SEP, PFX, MEMORYANY), ++ r'(?:%s%sv?pabs[a-z]*\s+%s)' %(SEP, PFX, MEMORYANY), ++ r'(?:%s%sv?psign[a-z]*\s+%s)' %(SEP, PFX, MEMORYANY), ++ r'(?:%s%sv?(?:m|db|)psad[a-z]*\s+%s)' %(SEP, PFX, MEMORYANY), ++ r'(?:%s%sv?psll[a-z]*\s+%s)' %(SEP, PFX, MEMORYANY), ++ r'(?:%s%sv?psrl[a-z]*\s+%s)' %(SEP, PFX, MEMORYANY), ++ r'(?:%s%sv?psra[a-z]*\s+%s)' %(SEP, PFX, MEMORYANY), ++ r'(?:%s%sv?pclmulqdq\s+%s)' %(SEP, PFX, MEMORYANY), ++ 
r'(?:%s%sv?aesdec(?:last)?\s+%s)' %(SEP, PFX, MEMORYANY), ++ r'(?:%s%sv?aesenc(?:last)?\s+%s)' %(SEP, PFX, MEMORYANY), ++ r'(?:%s%sv?aesimc\s+%s)' %(SEP, PFX, MEMORYANY), ++ r'(?:%s%sv?aeskeygenassist\s+%s)' %(SEP, PFX, MEMORYANY), ++ r'(?:%s%sv?sha(?:1|256)(?:nexte|rnds4|msg1|msg2)\s+%s)' %(SEP, PFX, MEMORYSRC), ++ r'(?:%s%sv?cvt[a-z0-9]*\s+%s)' %(SEP, PFX, MEMORYSRC), ++ r'(?:%s%sv?rcp(?:ss|ps)\s+%s)' %(SEP, PFX, MEMORYANY), ++ r'(?:%s%sv?u?comis[sd]\s+%s)' %(SEP, PFX, MEMORYANY), ++ r'(?:%s%sv?round[a-z]*\s+%s)' %(SEP, PFX, MEMORYANY), ++ r'(?:%s%sv?dpp[sd]*\s+%s)' %(SEP, PFX, MEMORYANY), ++ r'(?:%s%sv?r?sqrt[a-z0-9]*\s+%s)' %(SEP, PFX, MEMORYSRC), ++ r'(?:%s%sv?ldmxcsr\s+%s)' %(SEP, PFX, MEMORYOP), ++ r'(?:%s%sf?x?rstors?\s+%s)' %(SEP, PFX, MEMORYOP), ++ r'(?:%s%sl[gi]dt\s+%s)' %(SEP, PFX, MEMORYOP), ++ r'(?:%s%slmsw\s+%s)' %(SEP, PFX, MEMORYANY), ++ r'(?:%s%svmptrld\s+%s)' %(SEP, PFX, MEMORYOP), ++ r'(?:%s%sf(?:b|i|)ld[a-z0-9]*\s+%s)' %(SEP, PFX, MEMORYANY), ++ r'(?:%s%sfi?add[a-z]*\s+%s)' %(SEP, PFX, MEMORYANY), ++ r'(?:%s%sfi?sub[a-z]*\s+%s)' %(SEP, PFX, MEMORYANY), ++ r'(?:%s%sfi?mul[a-z]*\s+%s)' %(SEP, PFX, MEMORYANY), ++ r'(?:%s%sfi?div[a-z]*\s+%s)' %(SEP, PFX, MEMORYANY), ++ r'(?:%s%sf(?:i|u|)com[a-z]*\s+%s)' %(SEP, PFX, MEMORYANY), ++ r'(?:%s%sleave[bswlqt]?)' %(SEP, PFX), ++ r'(?:%s%spopf[bswlqt]?)' %(SEP, PFX), ++ r'(?:%s%svfixupimm[a-z]*\s+%s)' %(SEP, PFX, MEMORYANY), ++ r'(?:%s%svf[m|n]add[a-z0-9]*\s+%s)' %(SEP, PFX, MEMORYANY), ++ r'(?:%s%svfpclass[a-z]*\s+%s)' %(SEP, PFX, MEMORYANY), ++ r'(?:%s%svget[a-z]*\s+%s)' %(SEP, PFX, MEMORYANY), ++ r'(?:%s%svpconflict[a-z]*\s+%s)' %(SEP, PFX, MEMORYANY), ++ r'(?:%s%svpternlog[d|q]\s+%s)' %(SEP, PFX, MEMORYANY), ++ r'(?:%s%svrange[a-z]*\s+%s)' %(SEP, PFX, MEMORYANY), ++ r'(?:%s%svreduce[a-z]*\s+%s)' %(SEP, PFX, MEMORYANY), ++ r'(?:%s%svrndscale[a-z]*\s+%s)' %(SEP, PFX, MEMORYANY), ++ r'(?:%s%svscalef[a-z]*\s+%s)' %(SEP, PFX, MEMORYANY), ++ r'(?:%s%sxlat\s+%s)' %(SEP, PFX, MEMORYANY), ++ r'(?:%s%sxlatb?)' 
%(SEP, PFX),
+ ]
+ 
+-RET = '(?:%s%sret[a-z]*(?:\s+%s)?(?:#|$))' %(SEP, PFX, IMMEDIATE)
+-MEM_INDBR = '(?:%s%s(?:call|jmp)[a-z]*\s+%s%s)' %(SEP, PFX, ATTSTAR, MEMORYOP)
+-REG_INDBR = '(?:%s%s(?:call|jmp)[a-z]*\s+%s)' %(SEP, PFX, GPR)
++RET = r'(?:%s%sret[a-z]*(?:\s+%s)?(?:#|$))' %(SEP, PFX, IMMEDIATE)
++MEM_INDBR = r'(?:%s%s(?:call|jmp)[a-z]*\s+%s%s)' %(SEP, PFX, ATTSTAR, MEMORYOP)
++REG_INDBR = r'(?:%s%s(?:call|jmp)[a-z]*\s+%s)' %(SEP, PFX, GPR)
+ 
+ #
+ # File Operations - read/write
+-- 
+2.46.0
+
diff --git a/0008-Disable-use-of-bogus-DEF_WEAK-macro.patch b/0008-Disable-use-of-bogus-DEF_WEAK-macro.patch
new file mode 100644
index 0000000..5601b18
--- /dev/null
+++ b/0008-Disable-use-of-bogus-DEF_WEAK-macro.patch
@@ -0,0 +1,30 @@
+From 0584b938529c615f16dbb9751267e14ce73b37ca Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?=
+Date: Tue, 1 Oct 2024 18:53:17 +0100
+Subject: [PATCH 08/13] Disable use of bogus DEF_WEAK macro
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Signed-off-by: Daniel P. Berrangé
+---
+ sdk/tlibc/time/strptime.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/sdk/tlibc/time/strptime.c b/sdk/tlibc/time/strptime.c
+index 08023a7c..9e62adc6 100644
+--- a/sdk/tlibc/time/strptime.c
++++ b/sdk/tlibc/time/strptime.c
+@@ -89,7 +89,9 @@ strptime(const char *buf, const char *fmt, struct tm *tm)
+ {
+ return(_strptime(buf, fmt, tm, 1));
+ }
++#if 0
+ DEF_WEAK(strptime);
++#endif
+ 
+ static char *
+ _strptime(const char *buf, const char *fmt, struct tm *tm, int initialize)
+-- 
+2.46.0
+
diff --git a/0009-Remove-all-references-to-pccs-service.patch b/0009-Remove-all-references-to-pccs-service.patch
new file mode 100644
index 0000000..7fb77a1
--- /dev/null
+++ b/0009-Remove-all-references-to-pccs-service.patch
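Review bot: Converting every entry of the `LFENCE` table and the `RET`/`MEM_INDBR`/`REG_INDBR` patterns to raw strings is behaviour-preserving only if none of the originals contained an escape Python actually interprets (`\b`, `\t`, `\n`, `\\`); the patterns visible in this hunk use only `\s`, `\.`, `\[` and `\]`, which a non-raw literal already passed through unchanged, so the compiled regexes should be identical, but that deserves a mechanical check because this script appears to decide where LFENCE is inserted for the CVE-2020-0551 (LVI) mitigation and a silent regex change would weaken enclave hardening without any build error. A cheap guard is a one-off test that keeps the old literals and asserts `re.compile(old).pattern == re.compile(new).pattern` for each entry, or a diff of the preprocessed assembly of a mitigated build before and after this patch. The unchanged `ATTSTAR = ''` is the one entry left non-raw; harmless, but `ATTSTAR = r''` would keep the table uniform.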
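Review bot: Wrapping `DEF_WEAK(strptime);` in `#if 0` leaves a disabled line with no explanation of why the macro is bogus, and the commit message does not say either, so the next person to touch tlibc will not know whether it is safe to delete. If the macro is simply undefined in tlibc (not visible here), deleting the line outright is cleaner than carrying dead code; if it must stay for upstream diffability, give the guard a comment such as `/* DEF_WEAK is presumably the upstream libc weak-alias hook; tlibc does not provide it, so the call is disabled */` so the intent is recorded next to the code. The enclosing `strptime` definition begins before this hunk.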
@@ -0,0 +1,497 @@ +From d0a7e7bcf090c5a3549e76709b83aaee87197b2b Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?= +Date: Tue, 1 Oct 2024 20:18:48 +0100 +Subject: [PATCH 09/13] Remove all references to pccs service +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +The PCCS code was deleted in the DCAP 1.22 release that SGX +references, resulting in a failure to build the installer: + + $ /usr/bin/make -I linux/installer/common/psw-dcap -f linux/installer/common/psw-dcap/Makefile SRCDIR=. DESTDIR=build/vroot/psw install + python /var/home/berrange/rpmbuild/BUILD/linux-sgx-sgx_2.25_reproducible/linux/installer/common/gen_source/copy_source.py --bom-file /var/home/berrange/rpmbuild/BUILD/linux-sgx-sgx_2.25_reproducible/linux/installer/common/psw-dcap/BOM_install/sgx-dcap-pccs.txt --src-path . --dst-path build/pkgroot/sgx-dcap-pccs + Error: src directory/file ./external/dcap_source/QuoteGeneration/pccs/config/default.json does not exist! + make: *** [linux/installer/common/psw-dcap/Makefile:195: pre_sgx-dcap-pccs] Error 1 + +Signed-off-by: Daniel P. 
Berrangé +--- + README.md | 4 - + .../psw-dcap/BOM_install/sgx-dcap-pccs.txt | 74 ------------------- + linux/installer/common/psw-dcap/Makefile | 14 +--- + linux/installer/common/psw-dcap/installConfig | 1 - + .../psw-tdx/BOM_install/sgx-dcap-pccs.txt | 74 ------------------- + linux/installer/common/psw-tdx/Makefile | 14 +--- + linux/installer/common/psw-tdx/installConfig | 1 - + linux/installer/rpm/psw-dcap/build.sh | 1 - + .../installer/rpm/psw-dcap/psw-dcap.spec.tmpl | 21 +----- + linux/installer/rpm/psw-tdx/build.sh | 1 - + linux/installer/rpm/psw-tdx/psw-tdx.spec.tmpl | 21 +----- + 11 files changed, 6 insertions(+), 220 deletions(-) + delete mode 100644 linux/installer/common/psw-dcap/BOM_install/sgx-dcap-pccs.txt + delete mode 100644 linux/installer/common/psw-tdx/BOM_install/sgx-dcap-pccs.txt + +diff --git a/README.md b/README.md +index fcd11874..9d4011a2 100644 +--- a/README.md ++++ b/README.md +@@ -523,10 +523,6 @@ Please follow the [Intel(R) SGX DCAP Installation Guide for Linux* OS](https://d + + - Install Quote Provider Library(QPL). You can use your own customized QPL or use default QPL provided by Intel(libsgx-dcap-default-qpl) + +-- Install PCK Caching Service. For how to install and configure PCK Caching +-Service, please refer to [SGXDataCenterAttestationPrimitives](https://github.com/intel/SGXDataCenterAttestationPrimitives/tree/master/QuoteGeneration/pccs) +-- Ensure the PCK Caching Service is setup correctly by local administrator or data center administrator. Also make sure that the configure file of quote provider library (/etc/sgx_default_qcnl.conf) is consistent with the real environment, for example: PCS_URL=https://your_pcs_server:8081/sgx/certification/v1/ +- + ### Start or Stop aesmd Service + The Intel(R) SGX PSW installer installs an aesmd service in your machine, which is running in a special linux account `aesmd`. 
+ To stop the service: `$ sudo service aesmd stop` +diff --git a/linux/installer/common/psw-dcap/BOM_install/sgx-dcap-pccs.txt b/linux/installer/common/psw-dcap/BOM_install/sgx-dcap-pccs.txt +deleted file mode 100644 +index d70745c9..00000000 +--- a/linux/installer/common/psw-dcap/BOM_install/sgx-dcap-pccs.txt ++++ /dev/null +@@ -1,74 +0,0 @@ +-DeliveryName InstallName FileCheckSum FileFeature FileOwner +-/external/dcap_source/QuoteGeneration/pccs/config/default.json /config/default.json 0 main STP +-/external/dcap_source/QuoteGeneration/pccs/constants/index.js /constants/index.js 0 main STP +-/external/dcap_source/QuoteGeneration/pccs/constants/pccs_status_code.js /constants/pccs_status_code.js 0 main STP +-/external/dcap_source/QuoteGeneration/pccs/controllers/identityController.js /controllers/identityController.js 0 main STP +-/external/dcap_source/QuoteGeneration/pccs/controllers/index.js /controllers/index.js 0 main STP +-/external/dcap_source/QuoteGeneration/pccs/controllers/pckcertController.js /controllers/pckcertController.js 0 main STP +-/external/dcap_source/QuoteGeneration/pccs/controllers/pckcrlController.js /controllers/pckcrlController.js 0 main STP +-/external/dcap_source/QuoteGeneration/pccs/controllers/platformCollateralController.js /controllers/platformCollateralController.js 0 main STP +-/external/dcap_source/QuoteGeneration/pccs/controllers/platformsController.js /controllers/platformsController.js 0 main STP +-/external/dcap_source/QuoteGeneration/pccs/controllers/refreshController.js /controllers/refreshController.js 0 main STP +-/external/dcap_source/QuoteGeneration/pccs/controllers/rootcacrlController.js /controllers/rootcacrlController.js 0 main STP +-/external/dcap_source/QuoteGeneration/pccs/controllers/tcbinfoController.js /controllers/tcbinfoController.js 0 main STP +-/external/dcap_source/QuoteGeneration/pccs/controllers/crlController.js /controllers/crlController.js 0 main STP 
+-/external/dcap_source/QuoteGeneration/pccs/dao/models/fmspc_tcbs.js /dao/models/fmspc_tcbs.js 0 main STP +-/external/dcap_source/QuoteGeneration/pccs/dao/models/index.js /dao/models/index.js 0 main STP +-/external/dcap_source/QuoteGeneration/pccs/dao/models/pck_cert.js /dao/models/pck_cert.js 0 main STP +-/external/dcap_source/QuoteGeneration/pccs/dao/models/pck_certchain.js /dao/models/pck_certchain.js 0 main STP +-/external/dcap_source/QuoteGeneration/pccs/dao/models/pck_crl.js /dao/models/pck_crl.js 0 main STP +-/external/dcap_source/QuoteGeneration/pccs/dao/models/pcs_certificates.js /dao/models/pcs_certificates.js 0 main STP +-/external/dcap_source/QuoteGeneration/pccs/dao/models/pcs_version.js /dao/models/pcs_version.js 0 main STP +-/external/dcap_source/QuoteGeneration/pccs/dao/models/platform_tcbs.js /dao/models/platform_tcbs.js 0 main STP +-/external/dcap_source/QuoteGeneration/pccs/dao/models/platforms_registered.js /dao/models/platforms_registered.js 0 main STP +-/external/dcap_source/QuoteGeneration/pccs/dao/models/platforms.js /dao/models/platforms.js 0 main STP +-/external/dcap_source/QuoteGeneration/pccs/dao/models/enclave_identities.js /dao/models/enclave_identities.js 0 main STP +-/external/dcap_source/QuoteGeneration/pccs/dao/models/crl_cache.js /dao/models/crl_cache.js 0 main STP +-/external/dcap_source/QuoteGeneration/pccs/dao/fmspcTcbDao.js /dao/fmspcTcbDao.js 0 main STP +-/external/dcap_source/QuoteGeneration/pccs/dao/pckCertchainDao.js /dao/pckCertchainDao.js 0 main STP +-/external/dcap_source/QuoteGeneration/pccs/dao/pckcertDao.js /dao/pckcertDao.js 0 main STP +-/external/dcap_source/QuoteGeneration/pccs/dao/pckcrlDao.js /dao/pckcrlDao.js 0 main STP +-/external/dcap_source/QuoteGeneration/pccs/dao/pcsCertificatesDao.js /dao/pcsCertificatesDao.js 0 main STP +-/external/dcap_source/QuoteGeneration/pccs/dao/pcsVersionDao.js /dao/pcsVersionDao.js 0 main STP +-/external/dcap_source/QuoteGeneration/pccs/dao/platformsDao.js /dao/platformsDao.js 0 
main STP +-/external/dcap_source/QuoteGeneration/pccs/dao/platformsRegDao.js /dao/platformsRegDao.js 0 main STP +-/external/dcap_source/QuoteGeneration/pccs/dao/platformTcbsDao.js /dao/platformTcbsDao.js 0 main STP +-/external/dcap_source/QuoteGeneration/pccs/dao/enclaveIdentityDao.js /dao/enclaveIdentityDao.js 0 main STP +-/external/dcap_source/QuoteGeneration/pccs/dao/crlCacheDao.js /dao/crlCacheDao.js 0 main STP +-/external/dcap_source/tools/PCKCertSelection/out/libPCKCertSelection.so /lib/libPCKCertSelection.so 0 main STP +-/external/dcap_source/QuoteGeneration/pccs/lib_wrapper/pcklib_wrapper.js /lib_wrapper/pcklib_wrapper.js 0 main STP +-/external/dcap_source/QuoteGeneration/pccs/middleware/auth.js /middleware/auth.js 0 main STP +-/external/dcap_source/QuoteGeneration/pccs/middleware/error.js /middleware/error.js 0 main STP +-/external/dcap_source/QuoteGeneration/pccs/middleware/addRequestId.js /middleware/addRequestId.js 0 main STP +-/external/dcap_source/QuoteGeneration/pccs/migrations/00_db_initialize.up.sql /migrations/00_db_initialize.up.sql 0 main STP +-/external/dcap_source/QuoteGeneration/pccs/migrations/01_db_version_1.js /migrations/01_db_version_1.js 0 main STP +-/external/dcap_source/QuoteGeneration/pccs/migrations/02_db_version_2.js /migrations/02_db_version_2.js 0 main STP +-/external/dcap_source/QuoteGeneration/pccs/pcs_client/pcs_client.js /pcs_client/pcs_client.js 0 main STP +-/external/dcap_source/QuoteGeneration/pccs/routes/index.js /routes/index.js 0 main STP +-/external/dcap_source/QuoteGeneration/pccs/services/identityService.js /services/identityService.js 0 main STP +-/external/dcap_source/QuoteGeneration/pccs/services/index.js /services/index.js 0 main STP +-/external/dcap_source/QuoteGeneration/pccs/services/pccs_schemas.js /services/pccs_schemas.js 0 main STP +-/external/dcap_source/QuoteGeneration/pccs/services/pckcertService.js /services/pckcertService.js 0 main STP 
+-/external/dcap_source/QuoteGeneration/pccs/services/pckcrlService.js /services/pckcrlService.js 0 main STP +-/external/dcap_source/QuoteGeneration/pccs/services/platformCollateralService.js /services/platformCollateralService.js 0 main STP +-/external/dcap_source/QuoteGeneration/pccs/services/platformsRegService.js /services/platformsRegService.js 0 main STP +-/external/dcap_source/QuoteGeneration/pccs/services/platformsService.js /services/platformsService.js 0 main STP +-/external/dcap_source/QuoteGeneration/pccs/services/refreshService.js /services/refreshService.js 0 main STP +-/external/dcap_source/QuoteGeneration/pccs/services/rootcacrlService.js /services/rootcacrlService.js 0 main STP +-/external/dcap_source/QuoteGeneration/pccs/services/tcbinfoService.js /services/tcbinfoService.js 0 main STP +-/external/dcap_source/QuoteGeneration/pccs/services/crlService.js /services/crlService.js 0 main STP +-/external/dcap_source/QuoteGeneration/pccs/services/caching_modes/cachingMode.js /services/caching_modes/cachingMode.js 0 main STP +-/external/dcap_source/QuoteGeneration/pccs/services/caching_modes/cachingModeManager.js /services/caching_modes/cachingModeManager.js 0 main STP +-/external/dcap_source/QuoteGeneration/pccs/services/logic/commonCacheLogic.js /services/logic/commonCacheLogic.js 0 main STP +-/external/dcap_source/QuoteGeneration/pccs/services/logic/qvCollateralLogic.js /services/logic/qvCollateralLogic.js 0 main STP +-/external/dcap_source/QuoteGeneration/pccs/utils/Logger.js /utils/Logger.js 0 main STP +-/external/dcap_source/QuoteGeneration/pccs/utils/PccsError.js /utils/PccsError.js 0 main STP +-/external/dcap_source/QuoteGeneration/pccs/utils/apputil.js /utils/apputil.js 0 main STP +-/external/dcap_source/QuoteGeneration/pccs/x509/x509.js /x509/x509.js 0 main STP +-/external/dcap_source/QuoteGeneration/pccs/install.sh /install.sh 0 main STP +-/external/dcap_source/QuoteGeneration/pccs/package.json /package.json 0 main STP 
+-/external/dcap_source/QuoteGeneration/pccs/pccs_server.js /pccs_server.js 0 main STP +-/external/dcap_source/QuoteGeneration/pccs/pccs.service /pccs.service 0 main STP +-/external/dcap_source/QuoteGeneration/pccs/startup.sh /startup.sh 0 main STP +-/external/dcap_source/QuoteGeneration/pccs/cleanup.sh /cleanup.sh 0 main STP +-/external/dcap_source/QuoteGeneration/pccs/README.md /README.md 0 main STP +diff --git a/linux/installer/common/psw-dcap/Makefile b/linux/installer/common/psw-dcap/Makefile +index a85c8b82..5e8a8560 100644 +--- a/linux/installer/common/psw-dcap/Makefile ++++ b/linux/installer/common/psw-dcap/Makefile +@@ -95,9 +95,6 @@ AESMD_CONF=aesmd.service + AESMD_CONF_DEL=aesmd.conf + AESMD_CONF_PATH=$(if $(wildcard /lib/systemd/system/.),/lib/systemd/system,/usr/lib/systemd/system) + +-PCCS_CONF=pccs.service +-PCCS_CONF_PATH=$(if $(wildcard /lib/systemd/system/.),/lib/systemd/system,/usr/lib/systemd/system) +- + RAD_CONF=mpa_registration_tool.service + RAD_CONF_DEL=mpa_registration_tool.conf + RAD_CONF_PATH=$(if $(wildcard /lib/systemd/system/.),/lib/systemd/system,/usr/lib/systemd/system) +@@ -192,7 +189,7 @@ ALL_PKGS:= $(AESM_SERVICE_PKGS) $(AE_PKGS) $(DEV_LIB_PKGS) + + $(foreach PKG,$(AESM_SERVICE_PKGS) $(AE_PKGS),$(eval $(call INSTALL_AESM_SERVICE_TEMPLATE,$(PKG)))) + $(foreach PKG,$(DEV_LIB_PKGS),$(eval $(call INSTALL_DEV_LIB_TEMPLATE,$(PKG)))) +-$(foreach PKG,$(ALL_PKGS) $(DCAP_PCCS_PACKAGE) $(RA_SERVICE_PACKAGE) $(PCK_ID_RETRIEVAL_TOOL_PACKAGE),$(eval $(call PRE_INSTALL_TEMPLATE,$(PKG)))) ++$(foreach PKG,$(ALL_PKGS) $(RA_SERVICE_PACKAGE) $(PCK_ID_RETRIEVAL_TOOL_PACKAGE),$(eval $(call PRE_INSTALL_TEMPLATE,$(PKG)))) + + PHONY+=$(ALL_PKGS) + PHONY+=$(foreach PKG,$(ALL_PKGS),pre_$(PKG)) +@@ -220,14 +217,6 @@ install_$(AESM_SERVICE_PACKAGE): $(foreach PKG,$(AESM_SERVICE_PKGS),post_$(PKG)) + ln -fs $(shell readlink -m $(USR_LIB_PATH)/libsgx_pce.signed.so) && \ + ln -fs liburts_internal.so libsgx_urts.so.$(URTS_MAJOR_VER) + 
+-PHONY+=install_$(DCAP_PCCS_PACKAGE) +-install_$(DCAP_PCCS_PACKAGE): pre_$(DCAP_PCCS_PACKAGE) | $(PACKAGE_ROOT_PATH) +- install -d $(shell readlink -m $(DESTDIR)/$(DCAP_PCCS_PACKAGE)/$(PCCS_CONF_PATH)) && \ +- cp -f $|/$(DCAP_PCCS_PACKAGE)/$(PCCS_CONF) $(DESTDIR)/$(DCAP_PCCS_PACKAGE)/$(PCCS_CONF_PATH) && \ +- rm -f $|/$(DCAP_PCCS_PACKAGE)/$(PCCS_CONF) +- install -d $(shell readlink -m $(DESTDIR)/$(DCAP_PCCS_PACKAGE)/$(SGX_INSTALL_PATH)/$(DCAP_PCCS_PACKAGE)) && \ +- cp -fr $|/$(DCAP_PCCS_PACKAGE)/* $(DESTDIR)/$(DCAP_PCCS_PACKAGE)/$(SGX_INSTALL_PATH)/$(DCAP_PCCS_PACKAGE) +- + PHONY+=$(RA_SERVICE_PACKAGE) + $(RA_SERVICE_PACKAGE): pre_$(RA_SERVICE_PACKAGE) | $(PACKAGE_ROOT_PATH) + install -d $(shell readlink -m $(DESTDIR)/$@/$(SGX_INSTALL_PATH)/$@) && \ +@@ -351,7 +340,6 @@ install_dev_lib: $(foreach PKG,$(DEV_LIB_PKGS),post_$(PKG)) + + PHONY+=install + install: install_$(AESM_SERVICE_PACKAGE) \ +- install_$(DCAP_PCCS_PACKAGE) \ + install_$(RA_SERVICE_PACKAGE) \ + install_$(PCK_ID_RETRIEVAL_TOOL_PACKAGE) \ + install_ae \ +diff --git a/linux/installer/common/psw-dcap/installConfig b/linux/installer/common/psw-dcap/installConfig +index 9f99f032..96acdd9a 100644 +--- a/linux/installer/common/psw-dcap/installConfig ++++ b/linux/installer/common/psw-dcap/installConfig +@@ -30,7 +30,6 @@ DCAP_QL_PACKAGE=libsgx-dcap-ql + DCAP_QL_DEV_PACKAGE=libsgx-dcap-ql-devel + DCAP_QVL_PACKAGE=libsgx-dcap-quote-verify + DCAP_QVL_DEV_PACKAGE=libsgx-dcap-quote-verify-devel +-DCAP_PCCS_PACKAGE=sgx-dcap-pccs + + PCK_ID_RETRIEVAL_TOOL_PACKAGE=sgx-pck-id-retrieval-tool + RA_NETWORK_PACKAGE=libsgx-ra-network +diff --git a/linux/installer/common/psw-tdx/BOM_install/sgx-dcap-pccs.txt b/linux/installer/common/psw-tdx/BOM_install/sgx-dcap-pccs.txt +deleted file mode 100644 +index d70745c9..00000000 +--- a/linux/installer/common/psw-tdx/BOM_install/sgx-dcap-pccs.txt ++++ /dev/null +@@ -1,74 +0,0 @@ +-DeliveryName InstallName FileCheckSum FileFeature FileOwner 
+-/external/dcap_source/QuoteGeneration/pccs/config/default.json /config/default.json 0 main STP +-/external/dcap_source/QuoteGeneration/pccs/constants/index.js /constants/index.js 0 main STP +-/external/dcap_source/QuoteGeneration/pccs/constants/pccs_status_code.js /constants/pccs_status_code.js 0 main STP +-/external/dcap_source/QuoteGeneration/pccs/controllers/identityController.js /controllers/identityController.js 0 main STP +-/external/dcap_source/QuoteGeneration/pccs/controllers/index.js /controllers/index.js 0 main STP +-/external/dcap_source/QuoteGeneration/pccs/controllers/pckcertController.js /controllers/pckcertController.js 0 main STP +-/external/dcap_source/QuoteGeneration/pccs/controllers/pckcrlController.js /controllers/pckcrlController.js 0 main STP +-/external/dcap_source/QuoteGeneration/pccs/controllers/platformCollateralController.js /controllers/platformCollateralController.js 0 main STP +-/external/dcap_source/QuoteGeneration/pccs/controllers/platformsController.js /controllers/platformsController.js 0 main STP +-/external/dcap_source/QuoteGeneration/pccs/controllers/refreshController.js /controllers/refreshController.js 0 main STP +-/external/dcap_source/QuoteGeneration/pccs/controllers/rootcacrlController.js /controllers/rootcacrlController.js 0 main STP +-/external/dcap_source/QuoteGeneration/pccs/controllers/tcbinfoController.js /controllers/tcbinfoController.js 0 main STP +-/external/dcap_source/QuoteGeneration/pccs/controllers/crlController.js /controllers/crlController.js 0 main STP +-/external/dcap_source/QuoteGeneration/pccs/dao/models/fmspc_tcbs.js /dao/models/fmspc_tcbs.js 0 main STP +-/external/dcap_source/QuoteGeneration/pccs/dao/models/index.js /dao/models/index.js 0 main STP +-/external/dcap_source/QuoteGeneration/pccs/dao/models/pck_cert.js /dao/models/pck_cert.js 0 main STP +-/external/dcap_source/QuoteGeneration/pccs/dao/models/pck_certchain.js /dao/models/pck_certchain.js 0 main STP 
+-/external/dcap_source/QuoteGeneration/pccs/dao/models/pck_crl.js /dao/models/pck_crl.js 0 main STP +-/external/dcap_source/QuoteGeneration/pccs/dao/models/pcs_certificates.js /dao/models/pcs_certificates.js 0 main STP +-/external/dcap_source/QuoteGeneration/pccs/dao/models/pcs_version.js /dao/models/pcs_version.js 0 main STP +-/external/dcap_source/QuoteGeneration/pccs/dao/models/platform_tcbs.js /dao/models/platform_tcbs.js 0 main STP +-/external/dcap_source/QuoteGeneration/pccs/dao/models/platforms_registered.js /dao/models/platforms_registered.js 0 main STP +-/external/dcap_source/QuoteGeneration/pccs/dao/models/platforms.js /dao/models/platforms.js 0 main STP +-/external/dcap_source/QuoteGeneration/pccs/dao/models/enclave_identities.js /dao/models/enclave_identities.js 0 main STP +-/external/dcap_source/QuoteGeneration/pccs/dao/models/crl_cache.js /dao/models/crl_cache.js 0 main STP +-/external/dcap_source/QuoteGeneration/pccs/dao/fmspcTcbDao.js /dao/fmspcTcbDao.js 0 main STP +-/external/dcap_source/QuoteGeneration/pccs/dao/pckCertchainDao.js /dao/pckCertchainDao.js 0 main STP +-/external/dcap_source/QuoteGeneration/pccs/dao/pckcertDao.js /dao/pckcertDao.js 0 main STP +-/external/dcap_source/QuoteGeneration/pccs/dao/pckcrlDao.js /dao/pckcrlDao.js 0 main STP +-/external/dcap_source/QuoteGeneration/pccs/dao/pcsCertificatesDao.js /dao/pcsCertificatesDao.js 0 main STP +-/external/dcap_source/QuoteGeneration/pccs/dao/pcsVersionDao.js /dao/pcsVersionDao.js 0 main STP +-/external/dcap_source/QuoteGeneration/pccs/dao/platformsDao.js /dao/platformsDao.js 0 main STP +-/external/dcap_source/QuoteGeneration/pccs/dao/platformsRegDao.js /dao/platformsRegDao.js 0 main STP +-/external/dcap_source/QuoteGeneration/pccs/dao/platformTcbsDao.js /dao/platformTcbsDao.js 0 main STP +-/external/dcap_source/QuoteGeneration/pccs/dao/enclaveIdentityDao.js /dao/enclaveIdentityDao.js 0 main STP +-/external/dcap_source/QuoteGeneration/pccs/dao/crlCacheDao.js /dao/crlCacheDao.js 0 main STP 
+-/external/dcap_source/tools/PCKCertSelection/out/libPCKCertSelection.so /lib/libPCKCertSelection.so 0 main STP +-/external/dcap_source/QuoteGeneration/pccs/lib_wrapper/pcklib_wrapper.js /lib_wrapper/pcklib_wrapper.js 0 main STP +-/external/dcap_source/QuoteGeneration/pccs/middleware/auth.js /middleware/auth.js 0 main STP +-/external/dcap_source/QuoteGeneration/pccs/middleware/error.js /middleware/error.js 0 main STP +-/external/dcap_source/QuoteGeneration/pccs/middleware/addRequestId.js /middleware/addRequestId.js 0 main STP +-/external/dcap_source/QuoteGeneration/pccs/migrations/00_db_initialize.up.sql /migrations/00_db_initialize.up.sql 0 main STP +-/external/dcap_source/QuoteGeneration/pccs/migrations/01_db_version_1.js /migrations/01_db_version_1.js 0 main STP +-/external/dcap_source/QuoteGeneration/pccs/migrations/02_db_version_2.js /migrations/02_db_version_2.js 0 main STP +-/external/dcap_source/QuoteGeneration/pccs/pcs_client/pcs_client.js /pcs_client/pcs_client.js 0 main STP +-/external/dcap_source/QuoteGeneration/pccs/routes/index.js /routes/index.js 0 main STP +-/external/dcap_source/QuoteGeneration/pccs/services/identityService.js /services/identityService.js 0 main STP +-/external/dcap_source/QuoteGeneration/pccs/services/index.js /services/index.js 0 main STP +-/external/dcap_source/QuoteGeneration/pccs/services/pccs_schemas.js /services/pccs_schemas.js 0 main STP +-/external/dcap_source/QuoteGeneration/pccs/services/pckcertService.js /services/pckcertService.js 0 main STP +-/external/dcap_source/QuoteGeneration/pccs/services/pckcrlService.js /services/pckcrlService.js 0 main STP +-/external/dcap_source/QuoteGeneration/pccs/services/platformCollateralService.js /services/platformCollateralService.js 0 main STP +-/external/dcap_source/QuoteGeneration/pccs/services/platformsRegService.js /services/platformsRegService.js 0 main STP +-/external/dcap_source/QuoteGeneration/pccs/services/platformsService.js /services/platformsService.js 0 main STP 
+-/external/dcap_source/QuoteGeneration/pccs/services/refreshService.js /services/refreshService.js 0 main STP +-/external/dcap_source/QuoteGeneration/pccs/services/rootcacrlService.js /services/rootcacrlService.js 0 main STP +-/external/dcap_source/QuoteGeneration/pccs/services/tcbinfoService.js /services/tcbinfoService.js 0 main STP +-/external/dcap_source/QuoteGeneration/pccs/services/crlService.js /services/crlService.js 0 main STP +-/external/dcap_source/QuoteGeneration/pccs/services/caching_modes/cachingMode.js /services/caching_modes/cachingMode.js 0 main STP +-/external/dcap_source/QuoteGeneration/pccs/services/caching_modes/cachingModeManager.js /services/caching_modes/cachingModeManager.js 0 main STP +-/external/dcap_source/QuoteGeneration/pccs/services/logic/commonCacheLogic.js /services/logic/commonCacheLogic.js 0 main STP +-/external/dcap_source/QuoteGeneration/pccs/services/logic/qvCollateralLogic.js /services/logic/qvCollateralLogic.js 0 main STP +-/external/dcap_source/QuoteGeneration/pccs/utils/Logger.js /utils/Logger.js 0 main STP +-/external/dcap_source/QuoteGeneration/pccs/utils/PccsError.js /utils/PccsError.js 0 main STP +-/external/dcap_source/QuoteGeneration/pccs/utils/apputil.js /utils/apputil.js 0 main STP +-/external/dcap_source/QuoteGeneration/pccs/x509/x509.js /x509/x509.js 0 main STP +-/external/dcap_source/QuoteGeneration/pccs/install.sh /install.sh 0 main STP +-/external/dcap_source/QuoteGeneration/pccs/package.json /package.json 0 main STP +-/external/dcap_source/QuoteGeneration/pccs/pccs_server.js /pccs_server.js 0 main STP +-/external/dcap_source/QuoteGeneration/pccs/pccs.service /pccs.service 0 main STP +-/external/dcap_source/QuoteGeneration/pccs/startup.sh /startup.sh 0 main STP +-/external/dcap_source/QuoteGeneration/pccs/cleanup.sh /cleanup.sh 0 main STP +-/external/dcap_source/QuoteGeneration/pccs/README.md /README.md 0 main STP +diff --git a/linux/installer/common/psw-tdx/Makefile b/linux/installer/common/psw-tdx/Makefile 
+index 4f50ee49..0e8cb3e7 100644 +--- a/linux/installer/common/psw-tdx/Makefile ++++ b/linux/installer/common/psw-tdx/Makefile +@@ -80,9 +80,6 @@ QGSD_CONF=qgsd.service + QGSD_CONF_DEL=qgsd.conf + QGSD_CONF_PATH=$(if $(wildcard /lib/systemd/system/.),/lib/systemd/system,/usr/lib/systemd/system) + +-PCCS_CONF=pccs.service +-PCCS_CONF_PATH=$(if $(wildcard /lib/systemd/system/.),/lib/systemd/system,/usr/lib/systemd/system) +- + RAD_CONF=mpa_registration_tool.service + RAD_CONF_DEL=mpa_registration_tool.conf + RAD_CONF_PATH=$(if $(wildcard /lib/systemd/system/.),/lib/systemd/system,/usr/lib/systemd/system) +@@ -160,7 +157,7 @@ ALL_PKGS:= $(TDX_QGS_PKGS) $(AE_PKGS) $(DEV_LIB_PKGS) + + $(foreach PKG,$(TDX_QGS_PKGS) $(AE_PKGS),$(eval $(call INSTALL_AESM_SERVICE_TEMPLATE,$(PKG)))) + $(foreach PKG,$(DEV_LIB_PKGS),$(eval $(call INSTALL_DEV_LIB_TEMPLATE,$(PKG)))) +-$(foreach PKG,$(ALL_PKGS) $(DCAP_PCCS_PACKAGE) $(RA_SERVICE_PACKAGE) $(PCK_ID_RETRIEVAL_TOOL_PACKAGE),$(eval $(call PRE_INSTALL_TEMPLATE,$(PKG)))) ++$(foreach PKG,$(ALL_PKGS) $(RA_SERVICE_PACKAGE) $(PCK_ID_RETRIEVAL_TOOL_PACKAGE),$(eval $(call PRE_INSTALL_TEMPLATE,$(PKG)))) + + PHONY+=$(ALL_PKGS) + PHONY+=$(foreach PKG,$(ALL_PKGS),pre_$(PKG)) +@@ -184,14 +181,6 @@ install_$(TDX_QGS_PACKAGE): $(foreach PKG,$(TDX_QGS_PKGS),post_$(PKG)) + $(DESTDIR)/$(TDX_QGS_PACKAGE)/$(ETC_DIR) && \ + rm -fr $(DESTDIR)/$(TDX_QGS_PACKAGE)/$(SGX_INSTALL_PATH)/$(TDX_QGS_PACKAGE)/conf)) + +-PHONY+=install_$(DCAP_PCCS_PACKAGE) +-install_$(DCAP_PCCS_PACKAGE): pre_$(DCAP_PCCS_PACKAGE) | $(PACKAGE_ROOT_PATH) +- install -d $(shell readlink -m $(DESTDIR)/$(DCAP_PCCS_PACKAGE)/$(PCCS_CONF_PATH)) && \ +- cp -f $|/$(DCAP_PCCS_PACKAGE)/$(PCCS_CONF) $(DESTDIR)/$(DCAP_PCCS_PACKAGE)/$(PCCS_CONF_PATH) && \ +- rm -f $|/$(DCAP_PCCS_PACKAGE)/$(PCCS_CONF) +- install -d $(shell readlink -m $(DESTDIR)/$(DCAP_PCCS_PACKAGE)/$(SGX_INSTALL_PATH)/$(DCAP_PCCS_PACKAGE)) && \ +- cp -fr $|/$(DCAP_PCCS_PACKAGE)/* 
$(DESTDIR)/$(DCAP_PCCS_PACKAGE)/$(SGX_INSTALL_PATH)/$(DCAP_PCCS_PACKAGE) +- + PHONY+=$(RA_SERVICE_PACKAGE) + $(RA_SERVICE_PACKAGE): pre_$(RA_SERVICE_PACKAGE) | $(PACKAGE_ROOT_PATH) + install -d $(shell readlink -m $(DESTDIR)/$@/$(SGX_INSTALL_PATH)/$@) && \ +@@ -291,7 +280,6 @@ install_dev_lib: $(foreach PKG,$(DEV_LIB_PKGS),post_$(PKG)) + + PHONY+=install + install: install_$(TDX_QGS_PACKAGE) \ +- install_$(DCAP_PCCS_PACKAGE) \ + install_$(RA_SERVICE_PACKAGE) \ + install_$(PCK_ID_RETRIEVAL_TOOL_PACKAGE) \ + install_ae \ +diff --git a/linux/installer/common/psw-tdx/installConfig b/linux/installer/common/psw-tdx/installConfig +index 7129b71d..c55a8ada 100644 +--- a/linux/installer/common/psw-tdx/installConfig ++++ b/linux/installer/common/psw-tdx/installConfig +@@ -16,7 +16,6 @@ TDX_ATTEST_PACKAGE=libtdx-attest + TDX_ATTEST_DEV_PACKAGE=libtdx-attest-devel + DCAP_QVL_PACKAGE=libsgx-dcap-quote-verify + DCAP_QVL_DEV_PACKAGE=libsgx-dcap-quote-verify-devel +-DCAP_PCCS_PACKAGE=sgx-dcap-pccs + PCK_ID_RETRIEVAL_TOOL_PACKAGE=sgx-pck-id-retrieval-tool + RA_NETWORK_PACKAGE=libsgx-ra-network + RA_NETWORK_DEV_PACKAGE=libsgx-ra-network-devel +diff --git a/linux/installer/rpm/psw-dcap/build.sh b/linux/installer/rpm/psw-dcap/build.sh +index 22c8eef5..6188e816 100755 +--- a/linux/installer/rpm/psw-dcap/build.sh ++++ b/linux/installer/rpm/psw-dcap/build.sh +@@ -63,7 +63,6 @@ update_spec() { + -e "s:@dcap_version@:${dcap_version}:" \ + -e "s:@aesm_service_path@:${SGX_INSTALL_PATH}/${AESM_SERVICE_PACKAGE}:" \ + -e "s:@ra_service_path@:${SGX_INSTALL_PATH}/${RA_SERVICE_PACKAGE}:" \ +- -e "s:@dcap_pccs_path@:${SGX_INSTALL_PATH}/${DCAP_PCCS_PACKAGE}:" \ + -e "s:@pck_id_retrieval_tool_path@:${SGX_INSTALL_PATH}/${PCK_ID_RETRIEVAL_TOOL_PACKAGE}:" \ + ${cur_dir}/${psw_dcap}.spec.tmpl > ${cur_dir}/${rpm_build_dir}/SPECS/${psw_dcap}.spec + +diff --git a/linux/installer/rpm/psw-dcap/psw-dcap.spec.tmpl b/linux/installer/rpm/psw-dcap/psw-dcap.spec.tmpl +index c7ba4c12..66fc4a78 100644 +--- 
a/linux/installer/rpm/psw-dcap/psw-dcap.spec.tmpl ++++ b/linux/installer/rpm/psw-dcap/psw-dcap.spec.tmpl +@@ -31,7 +31,6 @@ + + %define _aesm_service_path @aesm_service_path@ + %define _ra_service_path @ra_service_path@ +-%define _dcap_pccs_path @dcap_pccs_path@ + %define _pck_id_retrieval_tool_path @pck_id_retrieval_tool_path@ + %define _psw_version @psw_version@ + %define _dcap_version @dcap_version@ +@@ -303,14 +302,6 @@ Requires: libsgx-dcap-quote-verify = %{version}-%{release} libsgx-headers > + %description -n libsgx-dcap-quote-verify-devel + Intel(R) Software Guard Extensions Data Center Attestation Primitives Quote Verification Library for Developers + +-%package -n sgx-dcap-pccs +-Version: %{_dcap_version} +-Summary: Intel(R) Software Guard Extensions PCK Caching Service +-Requires: gcc gcc-c++ make +- +-%description -n sgx-dcap-pccs +-Intel(R) Software Guard Extensions PCK Caching Service +- + %package -n libsgx-ra-network + Version: %{_dcap_version} + Summary: Intel(R) Software Guard Extensions Registration Agent Network Library +@@ -378,14 +369,13 @@ for pkg in $(ls -A %{?buildroot} 2> /dev/null |grep -v "license"); do + grep -v "^%{_includedir}" | \ + grep -v "^%{_sysconfdir}" | \ + grep -v "^%{_aesm_service_path}" | \ +- grep -v "^%{_dcap_pccs_path}" | \ + grep -v "^%{_ra_service_path}" | \ + grep -v "^%{_pck_id_retrieval_tool_path}" | \ + sed -e "s#^#%dir #" > %{_specdir}/list-${pkg} + for f in $(find %{?buildroot}/${pkg}); do + if [ -d ${f} ]; then + echo ${f} | sed -e "s#^%{?buildroot}/${pkg}##" | \ +- grep -E "^%{_aesm_service_path}|^%{_dcap_pccs_path}|^%{_ra_service_path}|^%{_pck_id_retrieval_tool_path}" | \ ++ grep -E "^%{_aesm_service_path}|^%{_ra_service_path}|^%{_pck_id_retrieval_tool_path}" | \ + sed -e "s#^#%dir #" >> %{_specdir}/list-${pkg} + else + echo ${f} | \ +@@ -395,7 +385,7 @@ for pkg in $(ls -A %{?buildroot} 2> /dev/null |grep -v "license"); do + cp -r %{?buildroot}/${pkg}/* %{?buildroot}/ + rm -fr %{?buildroot}/${pkg} + sed -i -e 
's:^/etc/.*\.conf:%config &:' \ +- -e 's:^%{_dcap_pccs_path}/config/default\.json:%config &:' %{_specdir}/list-${pkg} ++ %{_specdir}/list-${pkg} + done + rm -fr %{?buildroot}/license + +@@ -433,7 +423,6 @@ make clean + %files -n libsgx-dcap-ql-devel -f %{_specdir}/list-libsgx-dcap-ql-devel + %files -n libsgx-dcap-quote-verify -f %{_specdir}/list-libsgx-dcap-quote-verify + %files -n libsgx-dcap-quote-verify-devel -f %{_specdir}/list-libsgx-dcap-quote-verify-devel +-%files -n sgx-dcap-pccs -f %{_specdir}/list-sgx-dcap-pccs + %files -n libsgx-ra-network -f %{_specdir}/list-libsgx-ra-network + %files -n libsgx-ra-network-devel -f %{_specdir}/list-libsgx-ra-network-devel + %files -n libsgx-ra-uefi -f %{_specdir}/list-libsgx-ra-uefi +@@ -447,12 +436,6 @@ if [ -x %{_aesm_service_path}/startup.sh ]; then %{_aesm_service_path}/startup.s + %preun + if [ -x %{_aesm_service_path}/cleanup.sh ]; then %{_aesm_service_path}/cleanup.sh; fi + +-%posttrans -n sgx-dcap-pccs +-if [ -x %{_dcap_pccs_path}/startup.sh ]; then %{_dcap_pccs_path}/startup.sh; fi +- +-%preun -n sgx-dcap-pccs +-if [ -x %{_dcap_pccs_path}/cleanup.sh ]; then %{_dcap_pccs_path}/cleanup.sh; fi +- + %posttrans -n sgx-ra-service + if [ -x %{_ra_service_path}/startup.sh ]; then %{_ra_service_path}/startup.sh; fi + +diff --git a/linux/installer/rpm/psw-tdx/build.sh b/linux/installer/rpm/psw-tdx/build.sh +index f42d6bd2..25a683c8 100755 +--- a/linux/installer/rpm/psw-tdx/build.sh ++++ b/linux/installer/rpm/psw-tdx/build.sh +@@ -63,7 +63,6 @@ update_spec() { + -e "s:@dcap_version@:${dcap_version}:" \ + -e "s:@tdx_qgs_path@:${SGX_INSTALL_PATH}/${TDX_QGS_PACKAGE}:" \ + -e "s:@ra_service_path@:${SGX_INSTALL_PATH}/${RA_SERVICE_PACKAGE}:" \ +- -e "s:@dcap_pccs_path@:${SGX_INSTALL_PATH}/${DCAP_PCCS_PACKAGE}:" \ + -e "s:@pck_id_retrieval_tool_path@:${SGX_INSTALL_PATH}/${PCK_ID_RETRIEVAL_TOOL_PACKAGE}:" \ + ${cur_dir}/${psw_tdx}.spec.tmpl > ${cur_dir}/${rpm_build_dir}/SPECS/${psw_tdx}.spec + +diff --git 
a/linux/installer/rpm/psw-tdx/psw-tdx.spec.tmpl b/linux/installer/rpm/psw-tdx/psw-tdx.spec.tmpl +index 0dd5fd8c..67eab01a 100644 +--- a/linux/installer/rpm/psw-tdx/psw-tdx.spec.tmpl ++++ b/linux/installer/rpm/psw-tdx/psw-tdx.spec.tmpl +@@ -31,7 +31,6 @@ + + %define _tdx_qgs_path @tdx_qgs_path@ + %define _ra_service_path @ra_service_path@ +-%define _dcap_pccs_path @dcap_pccs_path@ + %define _pck_id_retrieval_tool_path @pck_id_retrieval_tool_path@ + %define _psw_version @psw_version@ + %define _dcap_version @dcap_version@ +@@ -198,14 +197,6 @@ Requires: libsgx-dcap-quote-verify = %{version}-%{release} libsgx-headers > + %description -n libsgx-dcap-quote-verify-devel + Intel(R) Software Guard Extensions Data Center Attestation Primitives Quote Verification Library for Developers + +-%package -n sgx-dcap-pccs +-Version: %{_dcap_version} +-Summary: Intel(R) Software Guard Extensions PCK Caching Service +-Requires: gcc gcc-c++ make +- +-%description -n sgx-dcap-pccs +-Intel(R) Software Guard Extensions PCK Caching Service +- + %package -n libsgx-ra-network + Version: %{_dcap_version} + Summary: Intel(R) Software Guard Extensions Registration Agent Network Library +@@ -273,14 +264,13 @@ for pkg in $(ls -A %{?buildroot} 2> /dev/null |grep -v "license"); do + grep -v "^%{_includedir}" | \ + grep -v "^%{_sysconfdir}" | \ + grep -v "^%{_tdx_qgs_path}" | \ +- grep -v "^%{_dcap_pccs_path}" | \ + grep -v "^%{_ra_service_path}" | \ + grep -v "^%{_pck_id_retrieval_tool_path}" | \ + sed -e "s#^#%dir #" > %{_specdir}/list-${pkg} + for f in $(find %{?buildroot}/${pkg}); do + if [ -d ${f} ]; then + echo ${f} | sed -e "s#^%{?buildroot}/${pkg}##" | \ +- grep -E "^%{_tdx_qgs_path}|^%{_dcap_pccs_path}|^%{_ra_service_path}|^%{_pck_id_retrieval_tool_path}" | \ ++ grep -E "^%{_tdx_qgs_path}|^%{_ra_service_path}|^%{_pck_id_retrieval_tool_path}" | \ + sed -e "s#^#%dir #" >> %{_specdir}/list-${pkg} + else + echo ${f} | \ +@@ -290,7 +280,7 @@ for pkg in $(ls -A %{?buildroot} 2> /dev/null |grep 
-v "license"); do + cp -r %{?buildroot}/${pkg}/* %{?buildroot}/ + rm -fr %{?buildroot}/${pkg} + sed -i -e 's:^/etc/.*\.conf:%config &:' \ +- -e 's:^%{_dcap_pccs_path}/config/default\.json:%config &:' %{_specdir}/list-${pkg} ++ %{_specdir}/list-${pkg} + done + rm -fr %{?buildroot}/license + +@@ -315,7 +305,6 @@ make clean + %files -n libtdx-attest-devel -f %{_specdir}/list-libtdx-attest-devel + %files -n libsgx-dcap-quote-verify -f %{_specdir}/list-libsgx-dcap-quote-verify + %files -n libsgx-dcap-quote-verify-devel -f %{_specdir}/list-libsgx-dcap-quote-verify-devel +-%files -n sgx-dcap-pccs -f %{_specdir}/list-sgx-dcap-pccs + %files -n libsgx-ra-network -f %{_specdir}/list-libsgx-ra-network + %files -n libsgx-ra-network-devel -f %{_specdir}/list-libsgx-ra-network-devel + %files -n libsgx-ra-uefi -f %{_specdir}/list-libsgx-ra-uefi +@@ -329,12 +318,6 @@ if [ -x %{_tdx_qgs_path}/startup.sh ]; then %{_tdx_qgs_path}/startup.sh; fi + %preun + if [ -x %{_tdx_qgs_path}/cleanup.sh ]; then %{_tdx_qgs_path}/cleanup.sh; fi + +-%posttrans -n sgx-dcap-pccs +-if [ -x %{_dcap_pccs_path}/startup.sh ]; then %{_dcap_pccs_path}/startup.sh; fi +- +-%preun -n sgx-dcap-pccs +-if [ -x %{_dcap_pccs_path}/cleanup.sh ]; then %{_dcap_pccs_path}/cleanup.sh; fi +- + %posttrans -n sgx-ra-service + if [ -x %{_ra_service_path}/startup.sh ]; then %{_ra_service_path}/startup.sh; fi + +-- +2.46.0 + diff --git a/0010-psw-prefer-dev-sgx_provision-dev-sgx_enclave.patch b/0010-psw-prefer-dev-sgx_provision-dev-sgx_enclave.patch new file mode 100644 index 0000000..a81d86c --- /dev/null +++ b/0010-psw-prefer-dev-sgx_provision-dev-sgx_enclave.patch 
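Review bot: The README hunk drops more than the PCCS installation steps: the removed bullet also told users to make sure `/etc/sgx_default_qcnl.conf` (the quote provider library's configuration, per the removed text) matches the real environment, while the retained bullet just above still instructs them to install the default QPL. With PCCS no longer shipped by this package set, the collateral source that file points at is now necessarily an external PCCS or Intel PCS, so an unreviewed `PCS_URL` silently decides which server PCK certificates and TCB info are trusted from. I would keep a reduced bullet such as `- Ensure /etc/sgx_default_qcnl.conf points the quote provider library at your own PCK Caching Service or the Intel PCS (e.g. PCS_URL=https://your_pcs_server:8081/sgx/certification/v1/); this package set no longer ships a PCCS.`. The rest of the hunk (BOM, Makefile, installConfig and spec plumbing) is a straightforward removal and reads fine.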
@@ -0,0 +1,78 @@ +From b3adcc233373a403654954e364a798cc06a618b4 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?= +Date: Fri, 4 Oct 2024 16:33:20 +0100 +Subject: [PATCH 10/13] psw: prefer /dev/sgx_provision & /dev/sgx_enclave +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +The default behaviour for SGX deployments in upstream Linux is to +have /dev/sgx_provision & /dev/sgx_enclave device paths, instead of +the old /dev/sgx/provision & /dev/sgx/enclave paths + +The code should prefer opening the current default device paths first, +with the old paths as the fallback, so the common case will be an +immediate success. + +Signed-off-by: Daniel P. Berrangé +--- + psw/enclave_common/sgx_enclave_common.cpp | 6 +++--- + psw/urts/linux/edmm_utility.cpp | 12 ++++++------ + 2 files changed, 9 insertions(+), 9 deletions(-) + +diff --git a/psw/enclave_common/sgx_enclave_common.cpp b/psw/enclave_common/sgx_enclave_common.cpp +index 46fcf873..651ba83e 100644 +--- a/psw/enclave_common/sgx_enclave_common.cpp ++++ b/psw/enclave_common/sgx_enclave_common.cpp +@@ -481,11 +481,11 @@ static void enclave_set_provision_access(int hdevice, void* enclave_base) + + if (s_driver_type == SGX_DRIVER_IN_KERNEL) + { +- hdev_prov = open("/dev/sgx/provision", O_RDWR); ++ hdev_prov = open("/dev/sgx_provision", O_RDWR); + if (-1 == hdev_prov) + { +- //if /dev/sgx/provision is not present, try to open /dev/sgx_provision +- hdev_prov = open("/dev/sgx_provision", O_RDWR); ++ //if /dev/sgx_provision is not present, try to open /dev/sgx/provision ++ hdev_prov = open("/dev/sgx/provision", O_RDWR); + } + if (-1 == hdev_prov) + { +diff --git a/psw/urts/linux/edmm_utility.cpp b/psw/urts/linux/edmm_utility.cpp +index 49f2b9aa..fc537a84 100644 +--- a/psw/urts/linux/edmm_utility.cpp ++++ b/psw/urts/linux/edmm_utility.cpp +@@ -99,11 +99,11 @@ bool get_driver_type(int *driver_type) + *driver_type = sgx_driver_type; + } + +- int hdev = 
open("/dev/sgx/enclave", O_RDWR); //attempt to open the in-kernel driver ++ int hdev = open("/dev/sgx_enclave", O_RDWR); //attempt to open the in-kernel driver + if (-1 == hdev) + { +- //if /dev/sgx/enclave is not present, try to open /dev/sgx_enclave +- hdev = open("/dev/sgx_enclave", O_RDWR); ++ //if /dev/sgx_enclave is not present, try to open /dev/sgx/enclave ++ hdev = open("/dev/sgx/enclave", O_RDWR); + } + if (-1 == hdev) + { +@@ -154,11 +154,11 @@ extern "C" bool open_se_device(int driver_type, int *hdevice) + *hdevice = -1; + if (driver_type == SGX_DRIVER_IN_KERNEL) + { +- *hdevice = open("/dev/sgx/enclave", O_RDWR); //attempt to open the in-kernel driver +- //if /dev/sgx/enclave is not present, try to open /dev/sgx_enclave ++ *hdevice = open("/dev/sgx_enclave", O_RDWR); //attempt to open the in-kernel driver ++ //if /dev/sgx_enclave is not present, try to open /dev/sgx/enclave + if(-1 == *hdevice) + { +- *hdevice = open("/dev/sgx_enclave", O_RDWR); ++ *hdevice = open("/dev/sgx/enclave", O_RDWR); + } + } + else if (driver_type == SGX_DRIVER_DCAP) +-- +2.46.0 + diff --git a/0011-psw-fix-soname-for-libuae_service.so-library.patch b/0011-psw-fix-soname-for-libuae_service.so-library.patch new file mode 100644 index 0000000..b8b3829 --- /dev/null +++ b/0011-psw-fix-soname-for-libuae_service.so-library.patch 
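Review bot: The preferred-then-legacy device open is now written out three times — enclave_set_provision_access in psw/enclave_common/sgx_enclave_common.cpp and get_driver_type and open_se_device in psw/urts/linux/edmm_utility.cpp — each with its own pair of path literals and its own "if X is not present, try Y" comment, so the next change to the preferred path has to be repeated in three places and the comments can drift from the code as they had before this patch. A small helper that takes the two paths and returns the first descriptor that `open(..., O_RDWR)` yields would keep the preference order in one spot per file (or in a shared internal header, if one exists for these two components); the callers then collapse to a single line each. All three enclosing functions start and end outside the hunk, and the handling of the case where both opens fail is not visible here.
```cpp
// Open the current in-kernel device node, falling back to the legacy path
// used by older kernels / out-of-tree drivers. Returns -1 if neither exists.
static int open_sgx_device(const char *preferred, const char *legacy)
{
    int fd = open(preferred, O_RDWR);
    if (-1 == fd)
        fd = open(legacy, O_RDWR);
    return fd;
}
// … unchanged: callers become e.g. hdev = open_sgx_device("/dev/sgx_enclave", "/dev/sgx/enclave"); …
```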
@@ -0,0 +1,29 @@ +From 134a3214bc7d2de69c015204d43453535125907d Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?= +Date: Fri, 17 Jan 2025 15:38:56 +0000 +Subject: [PATCH 11/13] psw: fix soname for libuae_service.so library +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Signed-off-by: Daniel P. Berrangé +--- + psw/uae_service/linux/Makefile | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/psw/uae_service/linux/Makefile b/psw/uae_service/linux/Makefile +index bffbdc5b..81f5c4b7 100644 +--- a/psw/uae_service/linux/Makefile ++++ b/psw/uae_service/linux/Makefile +@@ -143,7 +143,7 @@ libsgx_%.so: $(OBJ) %_version.o + $(CXX) $(CXXFLAGS) $^ -shared $(LDUFLAGS) -Wl,--version-script=$(@:.so=.lds) -Wl,--gc-sections $(EXTERNAL_LIB) -Wl,-soname=$@.$(call get_major_version,$(call get_version_name,$@)) -o $@ + + $(LEGACY_LIBNAME): $(LEGACY_OBJ) +- $(CXX) $(CXXFLAGS) $^ -shared $(LDUFLAGS) -ldl -Wl,--version-script=uae_service.lds -Wl,--gc-sections -Wl,-soname=$@ -o $@ ++ $(CXX) $(CXXFLAGS) $^ -shared $(LDUFLAGS) -ldl -Wl,--version-script=uae_service.lds -Wl,--gc-sections -Wl,-soname=$@.$(call get_major_version,$(call get_version_name,$@)) -o $@ + + $(IPC_SRC:.cpp=.o) : $(IPC_COMMON_PROTO_DIR)/messages.pb.cc + AEServicesImpl.o : $(IPC_COMMON_PROTO_DIR)/messages.pb.cc +-- +2.46.0 + diff --git a/0012-pcl-remove-redundant-use-of-bool-type.patch b/0012-pcl-remove-redundant-use-of-bool-type.patch new file mode 100644 index 0000000..db425c1 --- /dev/null +++ b/0012-pcl-remove-redundant-use-of-bool-type.patch 
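Review bot: The new `-Wl,-soname=$@.$(call get_major_version,$(call get_version_name,$@))` on the `$(LEGACY_LIBNAME)` rule changes the soname embedded in a library that has already shipped with the bare `$@` soname, so a binary linked against the old name will presumably fail to resolve it at load time unless the unversioned name is also installed as a symlink to the versioned file; the commit message has no body and should state why the legacy library is being aligned with the `libsgx_%.so` rule above it and where that compatibility symlink comes from. The two rules now carry an identical, long soname expression; hoisting it into one recursively-expanded variable, e.g. `soname_flag = -Wl,-soname=$@.$(call get_major_version,$(call get_version_name,$@))` (name is a suggestion; `=` is needed because it refers to `$@`), and using `$(soname_flag)` in both recipes would keep them from diverging again. The `get_major_version` / `get_version_name` definitions are outside the hunk, so whether they accept `$(LEGACY_LIBNAME)` as input is not verifiable here.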
@@ -0,0 +1,49 @@ +From d0d00e0d5518c983983eb8dbe4fd8c2c09845e9b Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?= +Date: Thu, 6 Feb 2025 09:54:33 +0000 +Subject: [PATCH 12/13] pcl: remove redundant use of 'bool' type +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +The 'typedef unsigned int bool' statement is a compile error with +GCC 15, since c23 defaults 'bool' as a built-in type / reserved +keyword. + +The original openssl code from which pcl_vpaes_cbc_encrypt is +copied simply used 'int', the actual method impl is asm code +which just expects an int, and the only callers just pass the +integer value 1. Remove use of the bool typedef since it is +serving no purpose. + +Signed-off-by: Daniel P. Berrangé +--- + sdk/protected_code_loader/crypto/pcl_crypto_internal.h | 5 +---- + 1 file changed, 1 insertion(+), 4 deletions(-) + +diff --git a/sdk/protected_code_loader/crypto/pcl_crypto_internal.h b/sdk/protected_code_loader/crypto/pcl_crypto_internal.h +index 5ad6efde..b78ca907 100644 +--- a/sdk/protected_code_loader/crypto/pcl_crypto_internal.h ++++ b/sdk/protected_code_loader/crypto/pcl_crypto_internal.h +@@ -36,9 +36,6 @@ + + extern "C" + { +-#else // Not C++, must define bool: +- +-typedef unsigned int bool; + + #endif // #ifdef __cplusplus + +@@ -106,7 +103,7 @@ void pcl_vpaes_cbc_encrypt( + size_t len, + AES_KEY* wide_key_p, + uint8_t* iv, +- bool encrypt); ++ int encrypt); + + #endif // #ifdef SE_SIM + +-- +2.46.0 + diff --git a/0013-Disable-inclusion-of-AESM-in-installer.patch b/0013-Disable-inclusion-of-AESM-in-installer.patch new file mode 100644 index 0000000..082f771 --- /dev/null +++ b/0013-Disable-inclusion-of-AESM-in-installer.patch 
@@ -0,0 +1,81 @@ +From 820d3a2491ddc9b9b02bc9530e89bc5f5b557139 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?= +Date: Tue, 11 Feb 2025 14:58:58 +0000 +Subject: [PATCH 13/13] Disable inclusion of AESM in installer +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Disabling AESM will allow optionally building without the +CppMicroServices dependency + +Signed-off-by: Daniel P. Berrangé +--- + linux/installer/common/psw-dcap/Makefile | 27 +----------------------- + psw/ae/Makefile | 4 ++-- + 2 files changed, 3 insertions(+), 28 deletions(-) + +diff --git a/linux/installer/common/psw-dcap/Makefile b/linux/installer/common/psw-dcap/Makefile +index 5e8a8560..e8dd018b 100644 +--- a/linux/installer/common/psw-dcap/Makefile ++++ b/linux/installer/common/psw-dcap/Makefile +@@ -147,13 +147,7 @@ post_$(1): $(1) | $(PACKAGE_ROOT_PATH) + cp -fr $$|/$$ $(DESTDIR)/$(AESM_SERVICE_PACKAGE)/$(AESMD_CONF_PATH)/$(AESMD_CONF) +- rm -f $(DESTDIR)/$(AESM_SERVICE_PACKAGE)/$(SGX_INSTALL_PATH)/$(AESM_SERVICE_PACKAGE)/aesm/$(AESMD_CONF) +- rm -f $(DESTDIR)/$(AESM_SERVICE_PACKAGE)/$(SGX_INSTALL_PATH)/$(AESM_SERVICE_PACKAGE)/aesm/$(AESMD_CONF_DEL) +- $(if $(wildcard $(DESTDIR)/$(AESM_SERVICE_PACKAGE)/$(SGX_INSTALL_PATH)/$(AESM_SERVICE_PACKAGE)/aesm/conf/*), \ +- install -d $(shell readlink -m $(DESTDIR)/$(AESM_SERVICE_PACKAGE)/$(ETC_DIR)) && \ +- cp -fr $(DESTDIR)/$(AESM_SERVICE_PACKAGE)/$(SGX_INSTALL_PATH)/$(AESM_SERVICE_PACKAGE)/aesm/conf/* \ +- $(DESTDIR)/$(AESM_SERVICE_PACKAGE)/$(ETC_DIR) && \ +- rm -fr $(DESTDIR)/$(AESM_SERVICE_PACKAGE)/$(SGX_INSTALL_PATH)/$(AESM_SERVICE_PACKAGE)/aesm/conf) +- cd $(shell readlink -m $(DESTDIR)/$(AESM_ECDSA_PACKAGE)/$(SGX_INSTALL_PATH)/$(AESM_SERVICE_PACKAGE)/aesm) && \ +- ln -fs $(shell readlink -m $(USR_LIB_PATH)/libsgx_qe3.signed.so.$(QE3_MAJOR_VER)) && \ +- ln -fs $(shell readlink -m $(USR_LIB_PATH)/libsgx_qe3.signed.so) +- cd $(shell readlink -m 
$(DESTDIR)/$(AESM_PCE_PACKAGE)/$(SGX_INSTALL_PATH)/$(AESM_SERVICE_PACKAGE)/aesm) && \ +- ln -fs $(shell readlink -m $(USR_LIB_PATH)/libsgx_pce.signed.so.$(PCE_MAJOR_VER)) && \ +- ln -fs $(shell readlink -m $(USR_LIB_PATH)/libsgx_pce.signed.so) && \ +- ln -fs liburts_internal.so libsgx_urts.so.$(URTS_MAJOR_VER) + + PHONY+=$(RA_SERVICE_PACKAGE) + $(RA_SERVICE_PACKAGE): pre_$(RA_SERVICE_PACKAGE) | $(PACKAGE_ROOT_PATH) +diff --git a/psw/ae/Makefile b/psw/ae/Makefile +index a810d6b9..82a07af1 100644 +--- a/psw/ae/Makefile ++++ b/psw/ae/Makefile +@@ -46,9 +46,9 @@ endif + + .PHONY: all + ifeq ($(BUILD_REF_LE), 1) +-all: $(CMAKE_RESULT) AESM REF_LE COPY_AES| $(BUILD_DIR) ++all: $(CMAKE_RESULT) REF_LE COPY_AES| $(BUILD_DIR) + else +-all: $(CMAKE_RESULT) AESM COPY_AES| $(BUILD_DIR) ++all: $(CMAKE_RESULT) COPY_AES| $(BUILD_DIR) + endif #($(BUILD_REF_LE), 1) + + # COPY_AES: currently copy le, qe, pve, pce, qe3 +-- +2.46.0 + diff --git a/0100-Drop-use-of-bundled-pre-built-openssl.patch b/0100-Drop-use-of-bundled-pre-built-openssl.patch new file mode 100644 index 0000000..3c8a035 --- /dev/null +++ b/0100-Drop-use-of-bundled-pre-built-openssl.patch 
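Review bot: The psw/ae/Makefile hunk removes AESM from both `all:` prerequisite lists unconditionally, while the commit message describes the goal as *optionally* building without CppMicroServices; the file already gates REF_LE with `ifeq ($(BUILD_REF_LE), 1)`, so the same shape — a defaulted switch plus an `ifeq` that adds AESM only when it is set — would give downstream builds a knob instead of dropping the service for everyone (variable names below are suggestions). In the linux/installer/common/psw-dcap/Makefile hunk the deleted lines of the `post_$(1)` template also take out the `ln -fs` symlinks for libsgx_qe3.signed.so and libsgx_pce.signed.so into the `$(AESM_ECDSA_PACKAGE)` and `$(AESM_PCE_PACKAGE)` trees; if those sub-packages are still produced, those links now go missing with nothing in the commit saying so. The `post_$(1)` define starts before the hunk and its remaining lines are not visible here.
```make
BUILD_AESM ?= 1
ifeq ($(BUILD_AESM), 1)
AE_TARGETS := AESM
endif

.PHONY: all
ifeq ($(BUILD_REF_LE), 1)
all: $(CMAKE_RESULT) $(AE_TARGETS) REF_LE COPY_AES| $(BUILD_DIR)
else
all: $(CMAKE_RESULT) $(AE_TARGETS) COPY_AES| $(BUILD_DIR)
endif #($(BUILD_REF_LE), 1)
# … unchanged: COPY_AES rule …
```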
@@ -0,0 +1,192 @@ +From d70390caa01c88dd681e6ce68f850d26a33bb838 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?= +Date: Mon, 26 Feb 2024 12:19:51 +0000 +Subject: [PATCH 100/112] Drop use of bundled pre-built openssl +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Use pkg-config to find the host distro libcrypto library. +Tweaked rules to dynamically link to the distro library. + +Signed-off-by: Daniel P. Berrangé +--- + QuoteGeneration/qcnl/linux/Makefile | 8 +++----- + QuoteGeneration/qpl/linux/Makefile | 8 +++----- + QuoteVerification/buildenv.mk | 1 - + QuoteVerification/dcap_quoteverify/linux/Makefile | 7 ++++--- + tools/PCKCertSelection/PCKCertSelectionLib/Makefile | 9 +++------ + .../PCKCertSelectionLib/Makefile.static_lib | 5 +---- + 6 files changed, 14 insertions(+), 24 deletions(-) + +diff --git a/QuoteGeneration/qcnl/linux/Makefile b/QuoteGeneration/qcnl/linux/Makefile +index f5b7be9..f043575 100644 +--- a/QuoteGeneration/qcnl/linux/Makefile ++++ b/QuoteGeneration/qcnl/linux/Makefile +@@ -32,7 +32,6 @@ + ######## SGX SDK Settings ######## + TOP_DIR = ../.. 
+ include $(TOP_DIR)/buildenv.mk +-PREBUILD_OPENSSL_PATH = ../../../prebuilt/openssl + + ######## SGX CNL Library Settings ######## + +@@ -45,10 +44,9 @@ CNL_Lib_Include_Paths := -I../../quote_wrapper/common/inc \ + -I../../common/inc/internal \ + -I../../pce_wrapper/inc \ + -I../../../QuoteVerification/QVL/Src/ThirdParty/rapidjson/include/rapidjson \ +- -I../../../tools/PCKCertSelection/include \ +- -I$(PREBUILD_OPENSSL_PATH)/inc ++ -I../../../tools/PCKCertSelection/include + +-CNL_Lib_C_Flags := $(COMMON_FLAGS) -g -fPIC -Wno-attributes $(CNL_Lib_Include_Paths) ++CNL_Lib_C_Flags := $(COMMON_FLAGS) -g -fPIC -Wno-attributes $(CNL_Lib_Include_Paths) $(pkg-config --cflags libcrypto) + + LDUFLAGS:= -pthread $(COMMON_LDFLAGS) + LDUFLAGS += -Wl,--version-script=sgx_default_qcnl.lds -Wl,--gc-sections +@@ -60,7 +58,7 @@ CNL_Lib_Cpp_Flags+= -DSELF_SIGNED_CERT + endif + + CNL_Lib_Link_Flags := $(SGX_COMMON_FLAGS) -g -L$(TOP_DIR)/build/linux -L$(SGX_SDK)/lib64 \ +- -lpthread -ldl ../../../tools/PCKCertSelection/static_out/libPCKCertSelection.a ++ -lpthread -ldl ../../../tools/PCKCertSelection/static_out/libPCKCertSelection.a $(pkg-config --libs libcrypto) + + ifndef DEBUG + CNL_Lib_Cpp_Flags += -DDISABLE_TRACE +diff --git a/QuoteGeneration/qpl/linux/Makefile b/QuoteGeneration/qpl/linux/Makefile +index b675e72..204234c 100644 +--- a/QuoteGeneration/qpl/linux/Makefile ++++ b/QuoteGeneration/qpl/linux/Makefile +@@ -32,7 +32,6 @@ + ######## SGX SDK Settings ######## + TOP_DIR = ../.. 
+ include $(TOP_DIR)/buildenv.mk +-PREBUILD_OPENSSL_PATH = ../../../prebuilt/openssl + + ######## SGX QPL Library Settings ######## + +@@ -42,17 +41,16 @@ QPL_Lib_Cpp_Files := $(wildcard *.cpp ../*.cpp) + QPL_Lib_Include_Paths := -I../../quote_wrapper/common/inc \ + -I../inc -I$(SGX_SDK)/include \ + -I../../common/inc/internal \ +- -I../../qcnl/inc \ +- -I$(PREBUILD_OPENSSL_PATH)/inc ++ -I../../qcnl/inc + +-QPL_Lib_C_Flags := $(COMMON_FLAGS) -g -fPIC -Wno-attributes $(QPL_Lib_Include_Paths) ++QPL_Lib_C_Flags := $(COMMON_FLAGS) -g -fPIC -Wno-attributes $(QPL_Lib_Include_Paths) $(pkg-config --cflags libcrypto) + + LDUFLAGS:= -pthread $(COMMON_LDFLAGS) + LDUFLAGS += -Wl,--version-script=sgx_default_quote_provider.lds -Wl,--gc-sections + + QPL_Lib_Cpp_Flags := $(QPL_Lib_C_Flags) -std=c++11 + +-QPL_Lib_Link_Flags := $(SGX_COMMON_FLAGS) -g -L$(TOP_DIR)/build/linux -L$(SGX_SDK)/lib64 -L$(PREBUILD_OPENSSL_PATH)/lib/linux64 \ ++QPL_Lib_Link_Flags := $(SGX_COMMON_FLAGS) -g -L$(TOP_DIR)/build/linux -L$(SGX_SDK)/lib64 \ + -lcrypto -lsgx_default_qcnl_wrapper -lpthread -ldl + + ifndef DEBUG +diff --git a/QuoteVerification/buildenv.mk b/QuoteVerification/buildenv.mk +index b25ce40..982c7d5 100644 +--- a/QuoteVerification/buildenv.mk ++++ b/QuoteVerification/buildenv.mk +@@ -56,7 +56,6 @@ PREBUILD_PATH := $(DCAP_QG_DIR)/../prebuilt + DCAP_QV_DIR := $(DCAP_QG_DIR)/../QuoteVerification + QVL_SRC_PATH ?= $(DCAP_QV_DIR)/QVL/Src + SGXSSL_PACKAGE_PATH ?= $(DCAP_QV_DIR)/sgxssl/Linux/package +-PREBUILD_OPENSSL_PATH ?= $(PREBUILD_PATH)/openssl + + SGX_COMMON_CFLAGS := $(COMMON_FLAGS) -m64 -Wjump-misses-init -Wstrict-prototypes -Wunsuffixed-float-constants + SGX_COMMON_CXXFLAGS := $(COMMON_FLAGS) -m64 -Wnon-virtual-dtor -std=c++17 +diff --git a/QuoteVerification/dcap_quoteverify/linux/Makefile b/QuoteVerification/dcap_quoteverify/linux/Makefile +index 9820b61..fba7f43 100644 +--- a/QuoteVerification/dcap_quoteverify/linux/Makefile ++++ b/QuoteVerification/dcap_quoteverify/linux/Makefile +@@ 
-36,8 +36,8 @@ INSTALL_PATH ?= /usr/lib/x86_64-linux-gnu + QVE_SRC_PATH := $(DCAP_QV_DIR)/QvE + DCAP_QPL_DIR := $(DCAP_QG_DIR)/qpl + +-QVL_LIB_INC += -I$(PREBUILD_OPENSSL_PATH)/inc -I$(QVE_SRC_PATH)/Include +-QVL_PARSER_INC += -I$(PREBUILD_OPENSSL_PATH)/inc ++QVL_LIB_INC += $(pkg-config --cflags libcrypto) -I$(QVE_SRC_PATH)/Include ++QVL_PARSER_INC += $(pkg-config --cflags libcrypto) + QVL_VERIFY_INC := -I$(QVE_SRC_PATH)/Include \ + -I../inc \ + -I$(DCAP_QG_DIR)/quote_wrapper/common/inc \ +@@ -45,6 +45,7 @@ QVL_VERIFY_INC := -I$(QVE_SRC_PATH)/Include \ + -I$(DCAP_QG_DIR)/common/inc/internal \ + -I$(DCAP_QG_DIR)/common/inc/internal/linux \ + -I$(DCAP_QG_DIR)/pce_wrapper/inc \ ++ $(pkg-config --cflags libcrypto) \ + -I$(PREBUILD_OPENSSL_PATH)/inc \ + $(QVL_LIB_INC) \ + -I$(DCAP_QPL_DIR)/inc \ +@@ -64,7 +65,7 @@ QVL_PARSER := sgx_dcap_qvl_attestation + QVL_LIB_NAME := lib$(QVL_LIB).a + QVL_PARSER_NAME := lib$(QVL_PARSER).a + +-LDUFLAGS := -pthread -ldl -L. -l$(QVL_LIB) -l$(QVL_PARSER) $(COMMON_LDFLAGS) -L$(PREBUILD_OPENSSL_PATH)/lib/linux64 -lcrypto ++LDUFLAGS := -pthread -ldl -L. 
-l$(QVL_LIB) -l$(QVL_PARSER) $(COMMON_LDFLAGS) -lcrypto + LDUFLAGS += -Wl,--version-script=sgx_dcap_quoteverify.lds -Wl,--gc-sections + + QVL_VERIFY_CPP_SRCS := $(wildcard ../*.cpp) $(wildcard *.cpp) +diff --git a/tools/PCKCertSelection/PCKCertSelectionLib/Makefile b/tools/PCKCertSelection/PCKCertSelectionLib/Makefile +index e0402e9..12c0d35 100644 +--- a/tools/PCKCertSelection/PCKCertSelectionLib/Makefile ++++ b/tools/PCKCertSelection/PCKCertSelectionLib/Makefile +@@ -63,10 +63,7 @@ ifndef QG_DIR + endif + + # openssl include dir +-OPENSSL_INC := $(PROJ_ROOT_DIR)/../../prebuilt/openssl/inc +- +-# openssl lib dir +-OPENSSL_LIB := $(PROJ_ROOT_DIR)/../../prebuilt/openssl/lib/linux64 ++OPENSSL_INC := $(pkg-config --cflags libcrypto) + + # JSON parser include dir + JSON_INC := $(QVL_DIR)/ThirdParty/rapidjson/include +@@ -116,7 +113,7 @@ LIB_CPP_OBJECTS := \ + $(UTILS_CPP_FILES:.cpp=.o) + + # include paths, local, parser and openssl +-LIB_INCLUDE_PATHS := -I. -I$(PROJ_ROOT_DIR)/include -I$(OPENSSL_INC) -I$(JSON_INC) -I$(PARSERS_INC) -I$(PARSERS_COMM_INC) -I$(PARSERS_DIR) -I$(VER_DIR) -I$(PARSERS_UTIL_INC) ++LIB_INCLUDE_PATHS := -I. 
-I$(PROJ_ROOT_DIR)/include $(OPENSSL_INC) -I$(JSON_INC) -I$(PARSERS_INC) -I$(PARSERS_COMM_INC) -I$(PARSERS_DIR) -I$(VER_DIR) -I$(PARSERS_UTIL_INC) + + # the library shared object name + LIB_NAME := libPCKCertSelection.so +@@ -136,7 +133,7 @@ C_FLAGS := -fPIC -fvisibility=hidden -fvisibility-inlines-hidden -Werror -Wno-ov + C_FLAGS += -UPCK_CERT_SELECTION_WITH_COMPONENT + + # link flags, link openssl crypto +-LINK_FLAGS := -shared -L$(OPENSSL_LIB) -lcrypto -lpthread -ldl ++LINK_FLAGS := -shared -lcrypto -lpthread -ldl + LINK_FLAGS += -Wl,--version-script=pck_cert_selection.lds -Wl,--gc-sections + + # debug/release switch +diff --git a/tools/PCKCertSelection/PCKCertSelectionLib/Makefile.static_lib b/tools/PCKCertSelection/PCKCertSelectionLib/Makefile.static_lib +index a20a3cd..c8e1d01 100644 +--- a/tools/PCKCertSelection/PCKCertSelectionLib/Makefile.static_lib ++++ b/tools/PCKCertSelection/PCKCertSelectionLib/Makefile.static_lib +@@ -118,7 +118,7 @@ LIB_CPP_OBJECTS := \ + LIB_CPP_OBJECTS := $(addprefix $(BIN_DIR)/, $(LIB_CPP_OBJECTS)) + + # include paths, local, parser and openssl +-LIB_INCLUDE_PATHS := -I. -I$(PROJ_ROOT_DIR)/include -I$(OPENSSL_INC) -I$(JSON_INC) -I$(PARSERS_INC) -I$(PARSERS_COMM_INC) -I$(PARSERS_DIR) -I$(VER_DIR) -I$(PARSERS_UTIL_INC) ++LIB_INCLUDE_PATHS := -I. -I$(PROJ_ROOT_DIR)/include $(pkg-config --cflags libcrypto) -I$(JSON_INC) -I$(PARSERS_INC) -I$(PARSERS_COMM_INC) -I$(PARSERS_DIR) -I$(VER_DIR) -I$(PARSERS_UTIL_INC) + + # the library shared object name + LIB_NAME := libPCKCertSelection.a +@@ -197,9 +197,6 @@ $(BIN_DIR)/%.o: $(UTILS_DIR)/%.cpp + $(LIB_NAME): $(LIB_CPP_OBJECTS) + $(PCKCERTSEL_VERBOSE)echo "Archiving..." 
+ $(PCKCERTSEL_VERBOSE)$(AR) -rcs $(BIN_DIR)/$@ $^ +- $(PCKCERTSEL_VERBOSE)@$(MKDIR) $(BIN_DIR)/.libcrypto +- $(PCKCERTSEL_VERBOSE)@$(RM) -f $(BIN_DIR)/.libcrypto/* && cd $(BIN_DIR)/.libcrypto && $(AR) x $(OPENSSL_LIB)/libcrypto.a +- $(PCKCERTSEL_VERBOSE)$(AR) qD $(BIN_DIR)/$@ $(BIN_DIR)/.libcrypto/*.o + + debug: + $(PCKCERTSEL_VERBOSE)$(MAKE) DEBUG=1 all +-- +2.46.0 + diff --git a/0101-Improve-debuggability-of-build-system.patch b/0101-Improve-debuggability-of-build-system.patch new file mode 100644 index 0000000..cfb91b5 --- /dev/null +++ b/0101-Improve-debuggability-of-build-system.patch 
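Review bot: `$(pkg-config --cflags libcrypto)` is a Make variable reference, not a command — GNU Make looks up a variable literally named `pkg-config --cflags libcrypto`, finds nothing, and expands it to the empty string — so none of the new include flags in QuoteGeneration/qcnl/linux/Makefile, QuoteGeneration/qpl/linux/Makefile, QuoteVerification/dcap_quoteverify/linux/Makefile, tools/PCKCertSelection/PCKCertSelectionLib/Makefile and Makefile.static_lib, nor the `$(pkg-config --libs libcrypto)` appended to CNL_Lib_Link_Flags, ever reach the compiler or linker; the build only succeeds where the host libcrypto headers and library happen to be on the default search paths, which silently defeats the patch's purpose of pinning the distro libcrypto. Every occurrence should read `$(shell pkg-config --cflags libcrypto)` / `$(shell pkg-config --libs libcrypto)`, assigned once with `:=` so the probe runs a single time, which is how the buildenv.mk hunk in 0000-Add-support-for-building-against-host-openssl-crypto.patch already does it. The dcap_quoteverify Makefile additionally keeps the context line `-I$(PREBUILD_OPENSSL_PATH)/inc` in QVL_VERIFY_INC even though `PREBUILD_OPENSSL_PATH` is deleted from QuoteVerification/buildenv.mk in the same patch, so unless it is defined elsewhere that now expands to a stray `-I/inc`. In PCKCertSelectionLib/Makefile the variable `OPENSSL_INC` now holds compiler flags rather than a directory; renaming it (e.g. `OPENSSL_CFLAGS`, a suggestion) would stop the next reader from writing `-I$(OPENSSL_INC)` again.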
@@ -0,0 +1,118 @@ +From 015be80fb831f9fe5f364f82448acbd0c998df95 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?= +Date: Fri, 1 Mar 2024 12:05:01 +0000 +Subject: [PATCH 101/112] Improve debuggability of build system +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Preserve make args by using $(MAKE). +Don't hide commands that are run, so compiler flags are visible. + +Signed-off-by: Daniel P. Berrangé +--- + QuoteGeneration/qcnl/linux/Makefile | 2 +- + .../dcap_quoteverify/linux/Makefile | 28 +++++++++---------- + 2 files changed, 15 insertions(+), 15 deletions(-) + +diff --git a/QuoteGeneration/qcnl/linux/Makefile b/QuoteGeneration/qcnl/linux/Makefile +index f043575..bfe9c61 100644 +--- a/QuoteGeneration/qcnl/linux/Makefile ++++ b/QuoteGeneration/qcnl/linux/Makefile +@@ -113,7 +113,7 @@ $(CNL_Lib_Name_Static): $(CNL_Lib_Cpp_Objects) $(CNL_Lib_C_Objects) $(PCK_Select + $(AR) rsD $(CNL_Lib_Name_Static) $(CNL_Lib_Cpp_Objects) $(CNL_Lib_C_Objects) $(PCK_Selection_Cpp_Objects) + + $(PCK_Selection_Lib_Static): +- make -C ../../../tools/PCKCertSelection/PCKCertSelectionLib -f Makefile.static_lib ++ $(MAKE) -C ../../../tools/PCKCertSelection/PCKCertSelectionLib -f Makefile.static_lib VERBOSE=1 + force_look: + true + +diff --git a/QuoteVerification/dcap_quoteverify/linux/Makefile b/QuoteVerification/dcap_quoteverify/linux/Makefile +index fba7f43..5979699 100644 +--- a/QuoteVerification/dcap_quoteverify/linux/Makefile ++++ b/QuoteVerification/dcap_quoteverify/linux/Makefile +@@ -107,13 +107,13 @@ $(BUILD_DIR): + @$(MKDIR) $@ + + install_lib: $(QVL_VERIFY_LIB_NAME_Dynamic) | $(BUILD_DIR) +- @$(CP) $(QVL_VERIFY_LIB_NAME_Dynamic) $|/$(QVL_VERIFY_LIB_NAME_Dynamic_Full) +- @$(LN) $(QVL_VERIFY_LIB_NAME_Dynamic_Full) $|/$(QVL_VERIFY_LIB_NAME_Dynamic_Major) +- @$(LN) $(QVL_VERIFY_LIB_NAME_Dynamic_Major) $|/$(QVL_VERIFY_LIB_NAME_Dynamic) ++ $(CP) $(QVL_VERIFY_LIB_NAME_Dynamic) 
$|/$(QVL_VERIFY_LIB_NAME_Dynamic_Full) ++ $(LN) $(QVL_VERIFY_LIB_NAME_Dynamic_Full) $|/$(QVL_VERIFY_LIB_NAME_Dynamic_Major) ++ $(LN) $(QVL_VERIFY_LIB_NAME_Dynamic_Major) $|/$(QVL_VERIFY_LIB_NAME_Dynamic) + $(CP) $(PREBUILD_PATH)/opa_bin/policy.wasm $|/tee_appraisal_policy.wasm + + ifeq ($(GEN_STATIC),1) +- @$(MAKE) $(QVL_VERIFY_LIB_NAME_Static) ++ $(MAKE) $(QVL_VERIFY_LIB_NAME_Static) + @$(CP) $(QVL_VERIFY_LIB_NAME_Static) $| + endif + +@@ -123,13 +123,13 @@ run: all + ######## QVL Library Objects ######## + + qve_u.h: $(SGX_EDGER8R) $(QVE_SRC_PATH)/Enclave/qve.edl +- @$(SGX_EDGER8R) --untrusted $(QVE_SRC_PATH)/Enclave/qve.edl --search-path $(QVE_SRC_PATH)/Enclave --search-path $(SGX_SDK)/include ++ $(SGX_EDGER8R) --untrusted $(QVE_SRC_PATH)/Enclave/qve.edl --search-path $(QVE_SRC_PATH)/Enclave --search-path $(SGX_SDK)/include + @echo "GEN => $@" + + qve_u.c : qve_u.h + + $(QVL_VERIFY_C_OBJS): %.o: %.c qve_u.c +- @$(CC) $(SGX_COMMON_CFLAGS) $(QVL_VERIFY_INC) -c $< -o $@ ++ $(CC) $(SGX_COMMON_CFLAGS) $(QVL_VERIFY_INC) -c $< -o $@ + @echo "CC <= $<" + + -include $(QPL_BASE64_CPP_DEP) +@@ -143,30 +143,30 @@ ec_key.o: $(DCAP_QV_DIR)/appraisal/common/ec_key.cpp + @echo "CXX <= $<" + + $(QVL_VERIFY_CPP_OBJS): %.o: %.cpp qve_u.h +- @$(CXX) $(SGX_COMMON_CXXFLAGS) $(QVL_VERIFY_INC) -c $< -o $@ ++ $(CXX) $(SGX_COMMON_CXXFLAGS) $(QVL_VERIFY_INC) -c $< -o $@ + @echo "CXX <= $<" + + $(QVL_VERIFY_CPP_OBJS_STATIC): %_s.o: %.cpp qve_u.h +- @$(CXX) -DGEN_STATIC $(SGX_COMMON_CXXFLAGS) $(QVL_VERIFY_INC) -c $< -o $@ ++ $(CXX) -DGEN_STATIC $(SGX_COMMON_CXXFLAGS) $(QVL_VERIFY_INC) -c $< -o $@ + @echo "CXX <= $<" + + $(QVE_CPP_OBJ): $(QVE_CPP_SRC) +- @$(CXX) $(SGX_COMMON_CXXFLAGS) $(QVL_VERIFY_INC) -c $< -o $(QVE_CPP_OBJ) ++ $(CXX) $(SGX_COMMON_CXXFLAGS) $(QVL_VERIFY_INC) -c $< -o $(QVE_CPP_OBJ) + @echo "CXX <= $<" + + $(QVL_LIB_OBJS): %_untrusted.o: %.cpp +- @$(CXX) $(SGX_COMMON_CXXFLAGS) $(QVL_LIB_INC) -c $< -o $@ ++ $(CXX) $(SGX_COMMON_CXXFLAGS) $(QVL_LIB_INC) -c $< -o $@ + @echo "CXX 
<= $<" + + $(QVL_PARSER_OBJS): %_untrusted.o: %.cpp +- @$(CXX) $(SGX_COMMON_CXXFLAGS) $(QVL_PARSER_INC) -c $< -o $@ ++ $(CXX) $(SGX_COMMON_CXXFLAGS) $(QVL_PARSER_INC) -c $< -o $@ + @echo "CXX <= $<" + + $(QVL_LIB_NAME): $(QVL_LIB_OBJS) +- @$(AR) rsD $(QVL_LIB_NAME) $(QVL_LIB_OBJS) ++ $(AR) rsD $(QVL_LIB_NAME) $(QVL_LIB_OBJS) + + $(QVL_PARSER_NAME): $(QVL_PARSER_OBJS) +- @$(AR) rsD $(QVL_PARSER_NAME) $(QVL_PARSER_OBJS) ++ $(AR) rsD $(QVL_PARSER_NAME) $(QVL_PARSER_OBJS) + + + $(QVL_VERIFY_LIB_NAME_Dynamic): $(QVL_VERIFY_CPP_OBJS) $(QVL_VERIFY_C_OBJS) $(QVE_CPP_OBJ) $(QVL_LIB_NAME) $(QVL_PARSER_NAME) $(QVL_LIB_COMMON_OBJS) qal +@@ -174,7 +174,7 @@ $(QVL_VERIFY_LIB_NAME_Dynamic): $(QVL_VERIFY_CPP_OBJS) $(QVL_VERIFY_C_OBJS) $(QV + @ln -sf $(QVL_VERIFY_LIB_NAME_Dynamic) $(QVL_VERIFY_LIB_NAME_Dynamic).1 + + $(QVL_VERIFY_LIB_NAME_Static): $(QVL_VERIFY_CPP_OBJS_STATIC) $(QVL_VERIFY_C_OBJS) $(QVE_CPP_OBJ) $(QVL_LIB_NAME) $(QVL_PARSER_NAME) $(QVL_LIB_COMMON_OBJS) +- @$(AR) rsD $(QVL_VERIFY_LIB_NAME_Static) $(QVL_VERIFY_CPP_OBJS_STATIC) $(QVL_VERIFY_C_OBJS) $(QVE_CPP_OBJ) $(QVL_LIB_COMMON_OBJS) ++ $(AR) rsD $(QVL_VERIFY_LIB_NAME_Static) $(QVL_VERIFY_CPP_OBJS_STATIC) $(QVL_VERIFY_C_OBJS) $(QVE_CPP_OBJ) $(QVL_LIB_COMMON_OBJS) + + .PHONY: qal + qal: +-- +2.46.0 + diff --git a/0102-Support-build-time-setting-of-enclave-load-directory.patch b/0102-Support-build-time-setting-of-enclave-load-directory.patch new file mode 100644 index 0000000..26a8772 --- /dev/null +++ b/0102-Support-build-time-setting-of-enclave-load-directory.patch 
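Review bot: The `@echo "CC <= $<"` and `@echo "CXX <= $<"` lines kept after each un-silenced compile in QuoteVerification/dcap_quoteverify/linux/Makefile now print a second, less informative line for every command Make already echoes, while a few recipe lines in the same file stay silenced (`@$(CP) $(QVL_VERIFY_LIB_NAME_Static) $|`, `@echo "GEN => $@"`, and the `@ln -sf` under the `$(QVL_VERIFY_LIB_NAME_Dynamic)` rule), so the output ends up half-verbose; either drop the progress echoes and the remaining `@` prefixes together, or keep the `@` prefixes and gate echoing behind a switch like the `$(PCKCERTSEL_VERBOSE)` prefix that Makefile.static_lib uses. `VERBOSE=1` on the `$(MAKE) -C ... -f Makefile.static_lib` line is a command-line assignment and therefore overrides any `VERBOSE` set inside that sub-makefile, which looks intended but deserves a one-line comment, e.g. `# VERBOSE=1: show the PCKCertSelection compile lines too`. Whether `VERBOSE` is the variable that feeds `$(PCKCERTSEL_VERBOSE)` is not visible in this hunk.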
@@ -0,0 +1,263 @@ +From 6433514bb00f1fe166cb99a2b3a0bb979bb11fbd Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?= +Date: Mon, 26 Feb 2024 12:19:51 +0000 +Subject: [PATCH 102/112] Support build time setting of enclave load directory +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +The current code for loading enclaves (pce, id_enclave, qe3, tdqe, qve) +tries to find the enclave file in the directory of the currently +loaded library (as reported by dladdr), or in the directory of the +current executable (as reported by /proc/self/exe). + +Neither of these approaches is sufficiently flexible to work with +all Linux distro filesystem layout policies. In particular distros +may desire to have a specific directory location exclusively for +the shipping of enclaves, separate from any native libraries or +executables. + +This introduces support for an "SGX_ENCLAVE_PATH" variable in the +makefiles, which is used to define an SGX_ENCLAVE_PATH symbol in +code. + +By default SGX_ENCLAVE_PATH path will get defined to an empty +string at the C level and so current code behaviour will not +be changed. + +If this is set though, then it will be used to locate the enclaves, +with no fallback to searching relative to the library or binary. + +Signed-off-by: Daniel P. 
Berrangé +--- + QuoteGeneration/pce_wrapper/linux/Makefile | 2 +- + QuoteGeneration/pce_wrapper/pce_wrapper.cpp | 9 +++++++++ + QuoteGeneration/quote_wrapper/quote/linux/Makefile | 2 +- + QuoteGeneration/quote_wrapper/quote/qe_logic.cpp | 9 +++++++++ + .../quote_wrapper/tdx_quote/linux/Makefile | 2 +- + .../quote_wrapper/tdx_quote/td_ql_logic.cpp | 8 ++++++++ + QuoteVerification/appraisal/qal/Makefile | 2 +- + QuoteVerification/appraisal/qal/qae_wrapper.cpp | 10 +++++++++- + QuoteVerification/dcap_quoteverify/linux/Makefile | 2 +- + .../dcap_quoteverify/linux/qve_parser.cpp | 8 ++++++++ + tools/PCKRetrievalTool/App/utility.cpp | 12 +++++++++++- + tools/PCKRetrievalTool/Makefile | 2 +- + 12 files changed, 60 insertions(+), 8 deletions(-) + +diff --git a/QuoteGeneration/pce_wrapper/linux/Makefile b/QuoteGeneration/pce_wrapper/linux/Makefile +index debcb41..7ceaaea 100644 +--- a/QuoteGeneration/pce_wrapper/linux/Makefile ++++ b/QuoteGeneration/pce_wrapper/linux/Makefile +@@ -40,7 +40,7 @@ INCLUDE += -I$(ROOT_DIR)/ae/common \ + -I$(ROOT_DIR)/ae/inc \ + -I$(ROOT_DIR)/ae/inc/internal + +-CXXFLAGS += -fPIC -Werror -g ++CXXFLAGS += -fPIC -Werror -g -DSGX_ENCLAVE_PATH="\"$(SGX_ENCLAVE_PATH)\"" + + CFLAGS += -fPIC -Werror -g + Link_Flags := $(SGX_COMMON_CFLAGS) -L$(ROOT_DIR)/build/linux -L$(SGX_SDK)/lib64 -lsgx_urts -lpthread -ldl +diff --git a/QuoteGeneration/pce_wrapper/pce_wrapper.cpp b/QuoteGeneration/pce_wrapper/pce_wrapper.cpp +index 1b362da..a940d8b 100644 +--- a/QuoteGeneration/pce_wrapper/pce_wrapper.cpp ++++ b/QuoteGeneration/pce_wrapper/pce_wrapper.cpp +@@ -112,6 +112,15 @@ bool get_pce_path( + p_file_path[buf_size - 1] = '\0'; //null terminate the string + return true; + } ++ else if (*SGX_ENCLAVE_PATH) ++ { ++ if ((strlen(SGX_ENCLAVE_PATH) + 1 + strlen(PCE_ENCLAVE_NAME) + 1) > buf_size) { ++ return false; ++ } ++ strcpy(p_file_path, SGX_ENCLAVE_PATH); ++ strcat(p_file_path, "/"); ++ strcat(p_file_path, PCE_ENCLAVE_NAME); ++ } + else if(0 != 
dladdr(__builtin_return_address(0), &dl_info) && + NULL != dl_info.dli_fname) + { +diff --git a/QuoteGeneration/quote_wrapper/quote/linux/Makefile b/QuoteGeneration/quote_wrapper/quote/linux/Makefile +index c50fdb3..7d0b398 100644 +--- a/QuoteGeneration/quote_wrapper/quote/linux/Makefile ++++ b/QuoteGeneration/quote_wrapper/quote/linux/Makefile +@@ -51,7 +51,7 @@ Quote_Include_Paths := -I$(SGX_SDK)/include -I../inc -I../../common/inc -I./ -I. + + Quote_C_Flags := $(COMMON_FLAGS) -g -fPIC -Wno-attributes $(Quote_Include_Paths) + +-Quote_Cpp_Flags := $(Quote_C_Flags) -std=c++11 ++Quote_Cpp_Flags := $(Quote_C_Flags) -std=c++11 -DSGX_ENCLAVE_PATH="\"$(SGX_ENCLAVE_PATH)\"" + Quote_Link_Flags := $(COMMON_FLAGS) -g -L$(ROOT_DIR)/build/linux -L$(SGX_SDK)/lib64 -lsgx_urts -lpthread -ldl + + ifndef DEBUG +diff --git a/QuoteGeneration/quote_wrapper/quote/qe_logic.cpp b/QuoteGeneration/quote_wrapper/quote/qe_logic.cpp +index 783c27f..0d81066 100644 +--- a/QuoteGeneration/quote_wrapper/quote/qe_logic.cpp ++++ b/QuoteGeneration/quote_wrapper/quote/qe_logic.cpp +@@ -573,6 +573,15 @@ get_qe_path(const TCHAR *p_file_name, + p_file_path[buf_size - 1] = '\0'; //null terminate the string + return true; + } ++ else if (*SGX_ENCLAVE_PATH) ++ { ++ if ((strlen(SGX_ENCLAVE_PATH) + 1 + strlen(p_file_name) + 1) > buf_size) { ++ return false; ++ } ++ strcpy(p_file_path, SGX_ENCLAVE_PATH); ++ strcat(p_file_path, "/"); ++ strcat(p_file_path, p_file_name); ++ } + else if(0 != dladdr(__builtin_return_address(0), &dl_info) && + NULL != dl_info.dli_fname) + { +diff --git a/QuoteGeneration/quote_wrapper/tdx_quote/linux/Makefile b/QuoteGeneration/quote_wrapper/tdx_quote/linux/Makefile +index 61ad7f3..fc5bd20 100644 +--- a/QuoteGeneration/quote_wrapper/tdx_quote/linux/Makefile ++++ b/QuoteGeneration/quote_wrapper/tdx_quote/linux/Makefile +@@ -56,7 +56,7 @@ Quote_Include_Paths := -I$(SGX_SDK)/include -I../inc -I../../common/inc -I./ \ + + Quote_C_Flags := $(CFLAGS) -g -MMD -fPIC -Wno-attributes 
$(Quote_Include_Paths)
+
+-Quote_Cpp_Flags := $(CXXFLAGS) -g -MMD -fPIC -Wno-attributes $(Quote_Include_Paths)
++Quote_Cpp_Flags := $(CXXFLAGS) -g -MMD -fPIC -Wno-attributes $(Quote_Include_Paths) -DSGX_ENCLAVE_PATH="\"$(SGX_ENCLAVE_PATH)\""
+ Quote_Link_Flags := $(COMMON_LDFLAGS) -g -L$(ROOT_DIR)/build/linux \
+ -L$(PCE_Library_Dir) -lsgx_pce_logic -L$(SGX_SDK)/lib64 \
+ -lsgx_urts -lpthread -ldl
+diff --git a/QuoteGeneration/quote_wrapper/tdx_quote/td_ql_logic.cpp b/QuoteGeneration/quote_wrapper/tdx_quote/td_ql_logic.cpp
+index dbbe2af..a57e082 100644
+--- a/QuoteGeneration/quote_wrapper/tdx_quote/td_ql_logic.cpp
++++ b/QuoteGeneration/quote_wrapper/tdx_quote/td_ql_logic.cpp
+@@ -403,6 +403,14 @@ bool tee_att_config_t::get_qe_path(tee_att_ae_type_t type,
+ p_file_path[len] = '\0'; //null terminate the string
+ return true;
+ }
++ else if (*SGX_ENCLAVE_PATH) {
++ if ((strlen(SGX_ENCLAVE_PATH) + 1 + strlen(p_file_name) + 1) > buf_size) {
++ return false;
++ }
++ strcpy(p_file_path, SGX_ENCLAVE_PATH);
++ strcat(p_file_path, "/");
++ strcat(p_file_path, p_file_name);
++ }
+ else if(0 != dladdr(__builtin_return_address(0), &dl_info) &&
+ NULL != dl_info.dli_fname)
+ {
+diff --git a/QuoteVerification/appraisal/qal/Makefile b/QuoteVerification/appraisal/qal/Makefile
+index 139848a..c63c1e0 100644
+--- a/QuoteVerification/appraisal/qal/Makefile
++++ b/QuoteVerification/appraisal/qal/Makefile
+@@ -49,7 +49,7 @@ QAL_Include_Path := -I./ \
+ -I../common/ \
+ -I$(RAPIDJSON_DIR)/
+
+-QAL_Cpp_Flags := $(CXXFLAGS) -g -fPIC $(QAL_Include_Path)
++QAL_Cpp_Flags := $(CXXFLAGS) -g -fPIC $(QAL_Include_Path) -DSGX_ENCLAVE_PATH="\"$(SGX_ENCLAVE_PATH)\""
+ QAL_C_Flags := $(CFLAGS) -g -fPIC $(QAL_Include_Path)
+
+ QAL_Link_Flags := $(COMMON_LDFLAGS) -L$(WARM_Lib_Path) -lvmlib -ldl -lm -lpthread \
+diff --git a/QuoteVerification/appraisal/qal/qae_wrapper.cpp b/QuoteVerification/appraisal/qal/qae_wrapper.cpp
+index 6321611..9597c52 100644
+--- a/QuoteVerification/appraisal/qal/qae_wrapper.cpp
++++ b/QuoteVerification/appraisal/qal/qae_wrapper.cpp
+@@ -101,6 +101,14 @@ static bool get_qae_path(
+ p_file_path[buf_size - 1] = '\0'; // null terminate the string
+ return true;
+ }
++ else if (*SGX_ENCLAVE_PATH)
++ {
++ if ((strlen(SGX_ENCLAVE_PATH) + 1 + 1) > buf_size) {
++ return false;
++ }
++ (void)strcpy(p_file_path, SGX_ENCLAVE_PATH);
++ (void)strcat(p_file_path, "/");
++ }
+ else if (0 != dladdr(__builtin_return_address(0), &dl_info) &&
+ NULL != dl_info.dli_fname)
+ {
+@@ -360,4 +368,4 @@ quote3_error_t ecall_authenticate_policy_owner(sgx_enclave_id_t eid,
+ retval = SGX_QL_ERROR_UNEXPECTED;
+ }
+ return retval;
+-}
+\ No newline at end of file
++}
+diff --git a/QuoteVerification/dcap_quoteverify/linux/Makefile b/QuoteVerification/dcap_quoteverify/linux/Makefile
+index 5979699..c9f11a0 100644
+--- a/QuoteVerification/dcap_quoteverify/linux/Makefile
++++ b/QuoteVerification/dcap_quoteverify/linux/Makefile
+@@ -55,7 +55,7 @@ QVL_VERIFY_INC := -I$(QVE_SRC_PATH)/Include \
+ QPL_BASE64_CPP_DEP := $(DCAP_QPL_DIR)/sgx_base64.d
+
+ SGX_COMMON_CFLAGS += -g -fPIC -Wno-attributes -USGX_TRUSTED
+-SGX_COMMON_CXXFLAGS += -g -fPIC -USGX_TRUSTED
++SGX_COMMON_CXXFLAGS += -g -fPIC -USGX_TRUSTED -DSGX_ENCLAVE_PATH="\"$(SGX_ENCLAVE_PATH)\""
+
+ QVL_LIB_OBJS := $(QVL_LIB_FILES:.cpp=_untrusted.o)
+ QVL_PARSER_OBJS := $(QVL_PARSER_FILES:.cpp=_untrusted.o)
+diff --git a/QuoteVerification/dcap_quoteverify/linux/qve_parser.cpp b/QuoteVerification/dcap_quoteverify/linux/qve_parser.cpp
+index d3d4353..2f8f581 100644
+--- a/QuoteVerification/dcap_quoteverify/linux/qve_parser.cpp
++++ b/QuoteVerification/dcap_quoteverify/linux/qve_parser.cpp
+@@ -88,6 +88,14 @@ bool get_qve_path(
+ p_file_path[buf_size - 1] = '\0'; //null terminate the string
+ return true;
+ }
++ else if (*SGX_ENCLAVE_PATH)
++ {
++ if ((strlen(SGX_ENCLAVE_PATH) + 1 + 1) > buf_size) {
++ return false;
++ }
++ (void)strcpy(p_file_path, SGX_ENCLAVE_PATH);
++ (void)strcat(p_file_path, "/");
++ }
+ else if(0 != dladdr(__builtin_return_address(0), &dl_info) &&
+ NULL != dl_info.dli_fname)
+ {
+diff --git a/tools/PCKRetrievalTool/App/utility.cpp b/tools/PCKRetrievalTool/App/utility.cpp
+index b2c9307..d77a6eb 100644
+--- a/tools/PCKRetrievalTool/App/utility.cpp
++++ b/tools/PCKRetrievalTool/App/utility.cpp
+@@ -235,9 +235,9 @@ bool load_enclave(const char* enclave_name, sgx_enclave_id_t* p_eid)
+ char enclave_path[MAX_PATH] = "";
+ #endif
+
++#if defined(_MSC_VER)
+ if (!get_program_path(enclave_path, MAX_PATH - 1))
+ return false;
+-#if defined(_MSC_VER)
+ if (_tcsnlen(enclave_path, MAX_PATH) + _tcsnlen(enclave_name, MAX_PATH) + sizeof(char) > MAX_PATH)
+ return false;
+ (void)_tcscat_s(enclave_path, MAX_PATH, enclave_name);
+@@ -248,6 +248,16 @@ bool load_enclave(const char* enclave_name, sgx_enclave_id_t* p_eid)
+ sgx_create_enclave_func_t p_sgx_create_enclave = (sgx_create_enclave_func_t)FINDFUNCTIONSYM(sgx_urts_handle, "sgx_create_enclavea");
+ #endif
+ #else
++ if (*SGX_ENCLAVE_PATH) {
++ if ((strlen(SGX_ENCLAVE_PATH) + 1 + 1) > MAX_PATH) {
++ return false;
++ }
++ (void)strcpy(enclave_path, SGX_ENCLAVE_PATH);
++ (void)strcat(enclave_path, "/");
++ } else {
++ if (!get_program_path(enclave_path, MAX_PATH - 1))
++ return false;
++ }
+ if (strnlen(enclave_path, MAX_PATH) + strnlen(enclave_name, MAX_PATH) + sizeof(char) > MAX_PATH)
+ return false;
+ (void)strncat(enclave_path, enclave_name, strnlen(enclave_name, MAX_PATH));
+diff --git a/tools/PCKRetrievalTool/Makefile b/tools/PCKRetrievalTool/Makefile
+index d9c2bac..1065949 100644
+--- a/tools/PCKRetrievalTool/Makefile
++++ b/tools/PCKRetrievalTool/Makefile
+@@ -108,7 +108,7 @@ App_Include_Paths += -I ../../QuoteGeneration/ae/inc/internal -I ../SGXPlatformR
+
+ App_C_Flags := $(COMMON_FLAGS) -fPIC -Wno-attributes $(App_Include_Paths)
+
+-App_Cpp_Flags := $(App_C_Flags) -std=c++11
++App_Cpp_Flags := $(App_C_Flags) -std=c++11 -DSGX_ENCLAVE_PATH="\"$(SGX_ENCLAVE_PATH)\""
+ App_Link_Flags := $(SGX_COMMON_CFLAGS) -Wl,-z,relro,-z,now,-z,noexecstack
+ App_Link_Flags += -lcurl -ldl -lpthread
+ ifeq ($(STANDALONE), 1)
+--
+2.46.0
+
diff --git a/0103-Look-for-versioned-sgx_urts-library-in-PCKRetrievalT.patch b/0103-Look-for-versioned-sgx_urts-library-in-PCKRetrievalT.patch
new file mode 100644
index 0000000..e5a2d1b
--- /dev/null
+++ b/0103-Look-for-versioned-sgx_urts-library-in-PCKRetrievalT.patch
@@ -0,0 +1,44 @@
+From f91fe574c57080ca8818473c8f140f555fbafaf7 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?=
+Date: Tue, 27 Feb 2024 15:46:41 +0000
+Subject: [PATCH 103/112] Look for versioned sgx_urts library in
+ PCKRetrievalTool
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Other code is already looking for the versioned library soname,
+so switch to that for PCKRetrievalTool too. The unversioned
+library is typically only installed by -devel packages, not the
+runtime package.
+
+Signed-off-by: Daniel P. Berrangé
+---
+ tools/PCKRetrievalTool/App/utility.cpp | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/tools/PCKRetrievalTool/App/utility.cpp b/tools/PCKRetrievalTool/App/utility.cpp
+index d77a6eb..d195717 100644
+--- a/tools/PCKRetrievalTool/App/utility.cpp
++++ b/tools/PCKRetrievalTool/App/utility.cpp
+@@ -82,7 +82,7 @@ typedef sgx_status_t (SGXAPI *sgx_create_enclave_func_t)(const LPCSTR file_name,
+ #else
+ #define PCE_ENCLAVE_NAME "libsgx_pce.signed.so.1"
+ #define ID_ENCLAVE_NAME "libsgx_id_enclave.signed.so.1"
+-#define SGX_URTS_LIBRARY "libsgx_urts.so"
++#define SGX_URTS_LIBRARY "libsgx_urts.so.2"
+ #define SGX_MULTI_PACKAGE_AGENT_UEFI_LIBRARY "libmpa_uefi.so.1"
+ #define FINDFUNCTIONSYM dlsym
+ #define CLOSELIBRARYHANDLE dlclose
+@@ -204,7 +204,7 @@ bool get_urts_library_handle()
+ #else
+ sgx_urts_handle = dlopen(SGX_URTS_LIBRARY, RTLD_LAZY);
+ if (sgx_urts_handle == NULL) {
+- printf("ERROR: didn't find the sgx_urts.so library, please make sure you have installed sgx_urts installer package. \n");
++ printf("ERROR: didn't find the " SGX_URTS_LIBRARY " library, please make sure you have installed sgx_urts installer package. \n");
+ return false;
+ }
+ #endif
+--
+2.46.0
+
diff --git a/0104-Don-t-import-pypac-in-pccsadmin.patch b/0104-Don-t-import-pypac-in-pccsadmin.patch
new file mode 100644
index 0000000..e7bb3e4
--- /dev/null
+++ b/0104-Don-t-import-pypac-in-pccsadmin.patch
@@ -0,0 +1,33 @@
+From 56067e04cecad42779a42420f8acbf2635481f67 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?=
+Date: Tue, 27 Feb 2024 20:28:24 +0000
+Subject: [PATCH 104/112] Don't import pypac in pccsadmin
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+The code only uses the pypac module when executing on Windows
+hosts. It should not be imported when packaged for Linux
+environments to avoid a redundant python dependency.
+
+Signed-off-by: Daniel P. Berrangé
+---
+ tools/PccsAdminTool/lib/intelsgx/pcs.py | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/tools/PccsAdminTool/lib/intelsgx/pcs.py b/tools/PccsAdminTool/lib/intelsgx/pcs.py
+index 9f1d224..af1e78e 100644
+--- a/tools/PccsAdminTool/lib/intelsgx/pcs.py
++++ b/tools/PccsAdminTool/lib/intelsgx/pcs.py
+@@ -5,7 +5,7 @@ import json
+ import binascii
+ from urllib import parse
+ from OpenSSL import crypto
+-from pypac import PACSession
++#from pypac import PACSession
+ from platform import system
+ from lib.intelsgx.credential import Credentials
+ from requests.adapters import HTTPAdapter
+--
+2.46.0
+
diff --git a/0105-Look-for-PCKRetrievalTool-config-file-in-etc.patch b/0105-Look-for-PCKRetrievalTool-config-file-in-etc.patch
new file mode 100644
index 0000000..54ade5b
--- /dev/null
+++ b/0105-Look-for-PCKRetrievalTool-config-file-in-etc.patch
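Review bot: Commenting out `from pypac import PACSession` in pcs.py leaves the Windows-only use of PACSession that the commit message describes (not visible in this hunk) referring to a name that is no longer bound, so that code path would raise NameError instead of running. Guarding the import keeps the Linux packaging goal without breaking the other platform: `try: from pypac import PACSession` / `except ImportError: PACSession = None`. A commented-out import is also dead code that the next reader has to interpret; a guard with a one-line comment explaining the packaging reason is clearer.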
@@ -0,0 +1,43 @@
+From ec86bb174a3ba05adebbfa9e58d0d3a24888d5dd Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?=
+Date: Thu, 29 Feb 2024 14:21:36 +0000
+Subject: [PATCH 105/112] Look for PCKRetrievalTool config file in /etc/
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Looking for config files in the same directory as the binary is
+inappropriate.
+
+Signed-off-by: Daniel P. Berrangé
+---
+ tools/PCKRetrievalTool/App/linux/network_wrapper.cpp | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/tools/PCKRetrievalTool/App/linux/network_wrapper.cpp b/tools/PCKRetrievalTool/App/linux/network_wrapper.cpp
+index e423f38..36f219b 100644
+--- a/tools/PCKRetrievalTool/App/linux/network_wrapper.cpp
++++ b/tools/PCKRetrievalTool/App/linux/network_wrapper.cpp
+@@ -219,7 +219,8 @@ static void network_configuration(string &url, string &proxy_type, string &proxy
+ {
+ //firstly read local configuration File
+ char local_configuration_file_path[MAX_PATH] = "";
+- bool ret = get_program_path(local_configuration_file_path, MAX_PATH -1);
++ bool ret = true;
++ strcpy(local_configuration_file_path, "/etc/PCKIDRetrievalTool/");
+ if (ret) {
+ if(strnlen(local_configuration_file_path ,MAX_PATH)+strnlen(LOCAL_NETWORK_SETTING,MAX_PATH)+sizeof(char) > MAX_PATH) {
+ ret = false;
+@@ -378,7 +379,8 @@ network_post_error_t network_https_post(const uint8_t* raw_data, const uint32_t
+
+ bool is_server_url_available() {
+ char local_configuration_file_path[MAX_PATH] = "";
+- bool ret = get_program_path(local_configuration_file_path, MAX_PATH -1);
++ bool ret = true;
++ strcpy(local_configuration_file_path, "/etc/PCKIDRetrievalTool/");
+ if (ret) {
+ if(strnlen(local_configuration_file_path ,MAX_PATH)+strnlen(LOCAL_NETWORK_SETTING,MAX_PATH)+sizeof(char) > MAX_PATH) {
+ return false;
+--
+2.46.0
+
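Review bot: The literal `"/etc/PCKIDRetrievalTool/"` is now duplicated in network_configuration() and is_server_url_available(), and in both places the `bool ret = true;` left behind turns the following `if (ret)` into an always-true test. A single `#define LOCAL_CONFIG_DIR "/etc/PCKIDRetrievalTool/"` next to LOCAL_NETWORK_SETTING keeps the two sites in step, and `ret` can be dropped so the control flow reads as unconditional. The unchecked strcpy is only safe because the literal is shorter than MAX_PATH, which nothing in the hunk asserts; a `static_assert(sizeof(LOCAL_CONFIG_DIR) < MAX_PATH, "config dir must fit")` makes that assumption explicit, and the retained strnlen check before LOCAL_NETWORK_SETTING is appended still guards the concatenation. Both enclosing functions continue outside the hunk.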
diff --git a/0107-qgs-add-space-between-program-name-first-arg-in-usag.patch b/0107-qgs-add-space-between-program-name-first-arg-in-usag.patch
new file mode 100644
index 0000000..ad4ce77
--- /dev/null
+++ b/0107-qgs-add-space-between-program-name-first-arg-in-usag.patch
@@ -0,0 +1,39 @@
+From 17fa2fd409f228623f4b86f5997e74cb43f3bd2f Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?=
+Date: Thu, 3 Oct 2024 14:42:29 +0100
+Subject: [PATCH 107/112] qgs: add space between program name & first arg in
+ usage
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Signed-off-by: Daniel P. Berrangé
+---
+ QuoteGeneration/quote_wrapper/qgs/server_main.cpp | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/QuoteGeneration/quote_wrapper/qgs/server_main.cpp b/QuoteGeneration/quote_wrapper/qgs/server_main.cpp
+index 478dbfe..3618b5a 100644
+--- a/QuoteGeneration/quote_wrapper/qgs/server_main.cpp
++++ b/QuoteGeneration/quote_wrapper/qgs/server_main.cpp
+@@ -75,7 +75,7 @@ int main(int argc, const char* argv[])
+ unsigned long int num_threads = 0;
+ char *endptr = NULL;
+ if (argc > 4) {
+- cout << "Usage: " << argv[0] << "[--no-daemon] [-p=port_number] [-n=number_threads]"
++ cout << "Usage: " << argv[0] << " [--no-daemon] [-p=port_number] [-n=number_threads]"
+ << endl;
+ exit(1);
+ }
+@@ -114,7 +114,7 @@ int main(int argc, const char* argv[])
+ cout << "thread number [" << num_threads << "] found in cmdline" << endl;
+ continue;
+ } else {
+- cout << "Usage: " << argv[0] << "[--no-daemon] [-p=port_number] [-n=number_threads]"
++ cout << "Usage: " << argv[0] << " [--no-daemon] [-p=port_number] [-n=number_threads]"
+ << endl;
+ exit(1);
+ }
+--
+2.46.0
+
diff --git a/0108-qgs-protect-against-format-strings-in-QL-log-message.patch b/0108-qgs-protect-against-format-strings-in-QL-log-message.patch
new file mode 100644
index 0000000..f03a4d3
--- /dev/null
+++ b/0108-qgs-protect-against-format-strings-in-QL-log-message.patch
@@ -0,0 +1,39 @@
+From 3f9b4a9fbce0e29f33680fffa881f67ab31d4bb3 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?=
+Date: Fri, 4 Oct 2024 09:43:17 +0100
+Subject: [PATCH 108/112] qgs: protect against format strings in QL log
+ messages
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+The sgx_proc_log_report() method takes a format string and
+var-args. It is unsafe to accept a non-const string from
+the QL library and pass it to sgx_proc_log_report(), as the
+log message may contain format strings from user data.
+
+Signed-off-by: Daniel P. Berrangé
+---
+ QuoteGeneration/quote_wrapper/qgs/qgs_ql_logic.cpp | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/QuoteGeneration/quote_wrapper/qgs/qgs_ql_logic.cpp b/QuoteGeneration/quote_wrapper/qgs/qgs_ql_logic.cpp
+index 77838c3..1e97b58 100644
+--- a/QuoteGeneration/quote_wrapper/qgs/qgs_ql_logic.cpp
++++ b/QuoteGeneration/quote_wrapper/qgs/qgs_ql_logic.cpp
+@@ -50,10 +50,10 @@ typedef quote3_error_t (*sgx_ql_set_logging_callback_t)(sgx_ql_logging_callback_
+
+ void sgx_ql_logging_callback(sgx_ql_log_level_t level, const char *message) {
+ if (level == SGX_QL_LOG_ERROR) {
+- sgx_proc_log_report(1, message);
++ sgx_proc_log_report(1, "%s", message);
+
+ } else if (level == SGX_QL_LOG_INFO) {
+- sgx_proc_log_report(3, message);
++ sgx_proc_log_report(3, "%s", message);
+ }
+ }
+
+--
+2.46.0
+
diff --git a/0109-qgs-add-debug-parameter-to-control-logging.patch b/0109-qgs-add-debug-parameter-to-control-logging.patch
new file mode 100644
index 0000000..35cadad
--- /dev/null
+++ b/0109-qgs-add-debug-parameter-to-control-logging.patch
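Review bot: The `"%s"` fix at the two sgx_proc_log_report() calls in sgx_ql_logging_callback() is correct, but nothing prevents the same pattern from being reintroduced at another call site. Declaring the function with a format attribute in its header, `void sgx_proc_log_report(int level, const char *format, ...) __attribute__((format(printf, 2, 3)));`, lets the compiler flag a non-literal format argument (under -Wformat-security) wherever it is used, and also type-checks the varargs. That declaration lives in qgs_log.h, outside this hunk, so it would be a follow-up to this patch rather than a change to the lines shown.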
@@ -0,0 +1,129 @@
+From b2a17ca9e38c8d81bcc1fedefd92c59721b2de75 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?=
+Date: Thu, 3 Oct 2024 16:57:35 +0100
+Subject: [PATCH 109/112] qgs: add --debug parameter to control logging
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Currently qgs prints all log messages to syslog or stderr
+unconditionally, even those at QGS_LOG_LEVEL_INFO. At the
+same time it hardcodes SGX_QL_LOG_ERROR for the quote
+provider library making it impossible to debug it.
+
+This adds a --debug flag to qgs with two effects:
+
+ * QGS_LOG_LEVEL_INFO is discarded unless --debug was set
+ making QGS quiet by default, only printing warnings/errors.
+
+ * The quote provider logging is increased to
+ QGS_LOG_LEVEL_DEBUG if --debug is set
+
+Signed-off-by: Daniel P. Berrangé
+---
+ QuoteGeneration/quote_wrapper/qgs/qgs_log.cpp | 5 +++++
+ QuoteGeneration/quote_wrapper/qgs/qgs_log.h | 2 ++
+ QuoteGeneration/quote_wrapper/qgs/qgs_ql_logic.cpp | 8 ++++----
+ QuoteGeneration/quote_wrapper/qgs/server_main.cpp | 10 ++++++++--
+ 4 files changed, 19 insertions(+), 6 deletions(-)
+
+diff --git a/QuoteGeneration/quote_wrapper/qgs/qgs_log.cpp b/QuoteGeneration/quote_wrapper/qgs/qgs_log.cpp
+index 1cf1e40..7ae9b75 100644
+--- a/QuoteGeneration/quote_wrapper/qgs/qgs_log.cpp
++++ b/QuoteGeneration/quote_wrapper/qgs/qgs_log.cpp
+@@ -36,6 +36,8 @@
+ #include "qgs_log.h"
+
+ static bool _nosyslog = false;
++bool qgs_debug = false;
++bool qgs_verbose = false;
+
+ void qgs_log_init(void)
+ {
+@@ -68,6 +70,9 @@ void sgx_proc_log_report(int level, const char *format, ...)
+ // so we can always add newline
+ if (!format || !(*format))
+ return;//ignore
++ if (!qgs_verbose &&
++ level == QGS_LOG_LEVEL_INFO)
++ return;//ignore
+ va_start(ap, format);
+ switch(level){
+ case QGS_LOG_LEVEL_FATAL:
+diff --git a/QuoteGeneration/quote_wrapper/qgs/qgs_log.h b/QuoteGeneration/quote_wrapper/qgs/qgs_log.h
+index 1d7fd74..05d41a4 100644
+--- a/QuoteGeneration/quote_wrapper/qgs/qgs_log.h
++++ b/QuoteGeneration/quote_wrapper/qgs/qgs_log.h
+@@ -40,6 +40,8 @@
+ #ifdef __cplusplus
+ extern "C" {
+ #endif/*__cplusplus*/
++ extern bool qgs_debug;
++ extern bool qgs_verbose;
+ void qgs_log_init(void);
+ void qgs_log_init_ex(bool nosyslog);
+ void qgs_log_fini(void);
+diff --git a/QuoteGeneration/quote_wrapper/qgs/qgs_ql_logic.cpp b/QuoteGeneration/quote_wrapper/qgs/qgs_ql_logic.cpp
+index 1e97b58..db642f7 100644
+--- a/QuoteGeneration/quote_wrapper/qgs/qgs_ql_logic.cpp
++++ b/QuoteGeneration/quote_wrapper/qgs/qgs_ql_logic.cpp
+@@ -113,8 +113,8 @@ namespace intel { namespace sgx { namespace dcap { namespace qgs {
+ sgx_ql_set_logging_callback_t ql_set_logging_callback =
+ (sgx_ql_set_logging_callback_t)dlsym(p_handle, "sgx_ql_set_logging_callback");
+ if (dlerror() == NULL && ql_set_logging_callback) {
+- // Set log level to SGX_QL_LOG_ERROR
+- ql_set_logging_callback(sgx_ql_logging_callback, SGX_QL_LOG_ERROR);
++ ql_set_logging_callback(sgx_ql_logging_callback,
++ qgs_debug ? SGX_QL_LOG_INFO : SGX_QL_LOG_ERROR);
+ } else {
+ QGS_LOG_WARN("Failed to set logging callback for the quote provider library.\n");
+ }
+@@ -355,8 +355,8 @@ namespace intel { namespace sgx { namespace dcap { namespace qgs {
+ sgx_ql_set_logging_callback_t ql_set_logging_callback =
+ (sgx_ql_set_logging_callback_t)dlsym(p_handle, "sgx_ql_set_logging_callback");
+ if (dlerror() == NULL && ql_set_logging_callback) {
+- // Set log level to SGX_QL_LOG_ERROR
+- ql_set_logging_callback(sgx_ql_logging_callback, SGX_QL_LOG_ERROR);
++ ql_set_logging_callback(sgx_ql_logging_callback,
++ qgs_debug ? SGX_QL_LOG_INFO : SGX_QL_LOG_ERROR);
+ } else {
+ QGS_LOG_WARN("Failed to set logging callback for the quote provider library.\n");
+ }
+diff --git a/QuoteGeneration/quote_wrapper/qgs/server_main.cpp b/QuoteGeneration/quote_wrapper/qgs/server_main.cpp
+index 3618b5a..a65a985 100644
+--- a/QuoteGeneration/quote_wrapper/qgs/server_main.cpp
++++ b/QuoteGeneration/quote_wrapper/qgs/server_main.cpp
+@@ -75,7 +75,7 @@ int main(int argc, const char* argv[])
+ unsigned long int num_threads = 0;
+ char *endptr = NULL;
+ if (argc > 4) {
+- cout << "Usage: " << argv[0] << " [--no-daemon] [-p=port_number] [-n=number_threads]"
++ cout << "Usage: " << argv[0] << " [--no-daemon] [-p=port_number] [-n=number_threads] [--verbose] [--debug]"
+ << endl;
+ exit(1);
+ }
+@@ -87,6 +87,12 @@ int main(int argc, const char* argv[])
+ << endl;
+ no_daemon = true;
+ continue;
++ } else if (strcmp(argv[i], "--debug") == 0) {
++ qgs_verbose = qgs_debug = true;
++ continue;
++ } else if (strcmp(argv[i], "--verbose") == 0) {
++ qgs_verbose = true;
++ continue;
+ } else if (strncmp(argv[i], "-p=", 3 ) == 0) {
+ if (strspn(argv[i] + 3, "0123456789") != strlen(argv[i] + 3)) {
+ cout << "Please input valid port number" << endl;
+@@ -114,7 +120,7 @@ int main(int argc, const char* argv[])
+ cout << "thread number [" << num_threads << "] found in cmdline" << endl;
+ continue;
+ } else {
+- cout << "Usage: " << argv[0] << " [--no-daemon] [-p=port_number] [-n=number_threads]"
++ cout << "Usage: " << argv[0] << " [--no-daemon] [-p=port_number] [-n=number_threads] [--verbose] [--debug]"
+ << endl;
+ exit(1);
+ }
+--
+2.46.0
+
diff --git a/0110-pccsadmin-remove-leftover-debugging-print-args-state.patch b/0110-pccsadmin-remove-leftover-debugging-print-args-state.patch
new file mode 100644
index 0000000..0b4b3a7
--- /dev/null
+++ b/0110-pccsadmin-remove-leftover-debugging-print-args-state.patch
@@ -0,0 +1,33 @@
+From 497df1056cdc0571a73aa3dc5410a020d1cc6a3e Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?=
+Date: Tue, 8 Oct 2024 10:13:02 +0100
+Subject: [PATCH 110/112] pccsadmin: remove leftover debugging 'print(args)'
+ statement
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Dumping the python "Namespace" object to stdout after parsing argv
+serves no user purpose. Remove what is presumably a leftover
+debugging statement.
+
+Signed-off-by: Daniel P. Berrangé
+---
+ tools/PccsAdminTool/pccsadmin.py | 1 -
+ 1 file changed, 1 deletion(-)
+
+diff --git a/tools/PccsAdminTool/pccsadmin.py b/tools/PccsAdminTool/pccsadmin.py
+index ffee326..8e447c5 100755
+--- a/tools/PccsAdminTool/pccsadmin.py
++++ b/tools/PccsAdminTool/pccsadmin.py
+@@ -92,7 +92,6 @@ def main():
+ parser.print_help()
+ parser.exit()
+
+- print(args)
+ # Check mandatory arguments for appraisalpolicy
+ if args.command == 'put' and args.url and args.url.endswith("/appraisalpolicy"):
+ if not args.fmspc or not args.input_file:
+--
+2.46.0
+
diff --git a/0111-Fix-soname-version-for-libsgx_qe3_logic.so-library.patch b/0111-Fix-soname-version-for-libsgx_qe3_logic.so-library.patch
new file mode 100644
index 0000000..1fb85d4
--- /dev/null
+++ b/0111-Fix-soname-version-for-libsgx_qe3_logic.so-library.patch
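Review bot: The `if (argc > 4)` guard in server_main.cpp is kept as context while the usage string now advertises five options, so any invocation that combines `--no-daemon`, `-p=` and `-n=` with `--verbose` or `--debug` (argc of 5 or 6) is rejected with the very usage text that documents it. Raise the bound to `if (argc > 6) {`, or drop it and rely on the per-argument validation that already follows in the loop. The commit message says the quote provider log level becomes QGS_LOG_LEVEL_DEBUG under --debug, but both ql_set_logging_callback calls pass `SGX_QL_LOG_INFO`; one of the two should be corrected so the description matches the code. The early return added to sgx_proc_log_report() is placed before va_start, which is the right spot; a short comment such as `// INFO is opt-in via --verbose/--debug; warnings and errors always pass` would make the intent visible at the call site.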
@@ -0,0 +1,55 @@
+From 0600caaa2b2f0ce8c6a4667d5d09ffeadcd760d4 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?=
+Date: Fri, 17 Jan 2025 15:39:39 +0000
+Subject: [PATCH 111/112] Fix soname version for libsgx_qe3_logic.so library
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Signed-off-by: Daniel P. Berrangé
+---
+ QuoteGeneration/common/inc/internal/se_version.h | 5 +++++
+ QuoteGeneration/quote_wrapper/quote/linux/Makefile | 4 +++-
+ 2 files changed, 8 insertions(+), 1 deletion(-)
+
+diff --git a/QuoteGeneration/common/inc/internal/se_version.h b/QuoteGeneration/common/inc/internal/se_version.h
+index 471784d..22e0dff 100644
+--- a/QuoteGeneration/common/inc/internal/se_version.h
++++ b/QuoteGeneration/common/inc/internal/se_version.h
+@@ -41,6 +41,11 @@
+ #define QUOTE_LOADER_VERSION "1.11.109.1"
+ #define TDQE_WRAPPER_VERSION "1.14.109.1"
+ #define PCE_WRAPPER_VERSION "1.14.109.1"
++/*
++ * XXX: downstream hack based on version declared
++ * in linux-sgx.git/linux/installer/common/psw/Makefile
++ */
++#define QE3_WRAPPER_VERSION "1.0.0"
+
+ #define QE3_VERSION "1.19.100.1"
+ #define QVE_VERSION "1.21.100.1"
+diff --git a/QuoteGeneration/quote_wrapper/quote/linux/Makefile b/QuoteGeneration/quote_wrapper/quote/linux/Makefile
+index 7d0b398..1361c4b 100644
+--- a/QuoteGeneration/quote_wrapper/quote/linux/Makefile
++++ b/QuoteGeneration/quote_wrapper/quote/linux/Makefile
+@@ -65,6 +65,8 @@ Quote_C_Objects := $(Quote_C_Files:.c=.o)
+ Quote_Cpp_Objects := $(Quote_Cpp_Files:.cpp=.o)
+
+ Quote_Name := libsgx_qe3_logic.so
++Quote_Full := $(Quote_Name).$(call get_full_version,QE3_WRAPPER_VERSION)
++Quote_Major := $(Quote_Name).$(call get_major_version,QE3_WRAPPER_VERSION)
+
+ .PHONY: all
+ all: install_lib
+@@ -94,7 +96,7 @@ $(Quote_Cpp_Objects): %.o: %.cpp
+ @echo "CXX <= $<"
+
+ $(Quote_Name): $(Quote_C_Objects) $(Quote_Cpp_Objects)
+- $(CXX) $(Quote_C_Objects) $(Quote_Cpp_Objects) -shared -Wl,-soname=$@ $(Quote_Link_Flags) -o $@
++ $(CXX) $(Quote_C_Objects) $(Quote_Cpp_Objects) -shared -Wl,-soname=$(Quote_Major) $(Quote_Link_Flags) -o $@
+ @echo "LINK => $@"
+
+ $(BUILD_DIR):
+--
+2.46.0
+
diff --git a/0112-Workaround-broken-GCC-15.patch b/0112-Workaround-broken-GCC-15.patch
new file mode 100644
index 0000000..338f167
--- /dev/null
+++ b/0112-Workaround-broken-GCC-15.patch
@@ -0,0 +1,40 @@
+From 546ac41ec1ffe16aac36af0ce4b8572636cc667e Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?=
+Date: Thu, 6 Feb 2025 20:08:59 +0000
+Subject: [PATCH 112/112] Workaround broken GCC 15
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+The C++ standard does not allow 'alignas' to be applied to type
+aliases. GNU C++ has allowed it as a non-standard extension, but
+strictly that should have been expressed using 'gnu::aligned'
+instead of 'alignas'. Regardless of the syntax, however, GCC 15
+has a regression causing it to reject alignment requests entirely
+on template aliases.
+
+https://gcc.gnu.org/bugzilla/show_bug.cgi?id=118773
+Signed-off-by: Daniel P. Berrangé
+---
+ .../common/inc/internal/linux/sgx_random_buffers.h | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/QuoteGeneration/common/inc/internal/linux/sgx_random_buffers.h b/QuoteGeneration/common/inc/internal/linux/sgx_random_buffers.h
+index 15fbdd4..4400544 100644
+--- a/QuoteGeneration/common/inc/internal/linux/sgx_random_buffers.h
++++ b/QuoteGeneration/common/inc/internal/linux/sgx_random_buffers.h
+@@ -258,7 +258,11 @@ struct alignas(A)randomly_placed_buffer
+ }
+
+ template
++#if __GNUC__ == 15 && __GNUC_MINOR__ == 0
++ using storage = char[size(C)];
++#else
+ using storage = char[size(C)] alignas(A);
++#endif
+
+ private:
+ struct alignas(A)_T_instantiator_
+--
+2.46.0
+
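Review bot: Linking with `-Wl,-soname=$(Quote_Major)` while the output file is still `$@` (libsgx_qe3_logic.so) means consumers will be bound to the `.so.<major>` name at load time, so the `install_lib` target (outside this hunk) must now create `$(Quote_Major)` and, conventionally, `$(Quote_Full)` as files or symlinks, or the library will not resolve at runtime. `Quote_Full` is defined here but not referenced on any line shown, which suggests that install step may not have been updated; it is worth confirming. The `QE3_WRAPPER_VERSION "1.0.0"` value is copied from a different repository's installer Makefile, so the XXX comment should also say what breaks if the two drift (an soname mismatch against the installed package), since that is the failure mode a future bump would hit.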
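Review bot: The `#if __GNUC__ == 15 && __GNUC_MINOR__ == 0` branch drops `alignas(A)` from `storage` entirely, so on that compiler the alias silently loses its alignment guarantee instead of the build failing; the surrounding `struct alignas(A)randomly_placed_buffer` (hunk context) still aligns the enclosing object, but that is not obvious at the alias. A comment on the `#if` should state this is a deliberate weakening and cite the bug, e.g. `// GCC 15 rejects alignas on template aliases (GCC PR118773); alignment comes from the enclosing struct`. The condition matches only the 15.0 development snapshot: if the regression survives into the 15.1 release the workaround stops applying, and if it is fixed the branch is dead code, so the version test should be revisited once the fix lands.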
diff --git a/0200-Enable-pointing-sgxssl-build-to-alternative-glibc-he.patch b/0200-Enable-pointing-sgxssl-build-to-alternative-glibc-he.patch
new file mode 100644
index 0000000..1d94f3b
--- /dev/null
+++ b/0200-Enable-pointing-sgxssl-build-to-alternative-glibc-he.patch
@@ -0,0 +1,77 @@
+From aaf1277c7c0aa37d387e8a7983da607498335757 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?=
+Date: Thu, 29 Aug 2024 12:23:30 +0100
+Subject: [PATCH 200/201] Enable pointing sgxssl build to alternative glibc
+ headers
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+The enclave must be built with headers from a specific glibc version
+for the sake of reproducibility. It does not actually link to glibc,
+merely requiring a few self contained definitions.
+
+The ENCLAVE_SYSTEM_INCLUDES make var can be set from RPM builds.
+
+Signed-off-by: Daniel P. Berrangé
+---
+ Linux/build_openssl.sh | 8 +++++++-
+ Linux/sgx/Makefile | 2 +-
+ 2 files changed, 8 insertions(+), 2 deletions(-)
+
+diff --git a/Linux/build_openssl.sh b/Linux/build_openssl.sh
+index cd76872..f1c39b6 100755
+--- a/Linux/build_openssl.sh
++++ b/Linux/build_openssl.sh
+@@ -83,6 +83,7 @@ fi
+ # Mitigation flags
+ MITIGATION_OPT=""
+ MITIGATION_FLAGS=""
++ENCLAVE_CFLAGS=""
+ CC_VERSION=`gcc -dumpversion`
+ CC_VERSION_MAJOR=`echo "$CC_VERSION" | cut -f1 -d.`
+ for arg in "$@"
+@@ -123,6 +124,10 @@ do
+ MITIGATION_FLAGS+=" $arg"
+ shift
+ ;;
++ -isystem*)
++ ENCLAVE_CFLAGS+=" $arg"
++ shift
++ ;;
+ *)
+ # Unknown option
+ shift
+@@ -131,6 +136,7 @@ do
+ done
+ echo $MITIGATION_OPT
+ echo $MITIGATION_FLAGS
++echo $ENCLAVE_CFLAGS
+ echo $SPACE_OPT
+
+ sed -i -- 's/OPENSSL_issetugid/OPENSSLd_issetugid/g' $OPENSSL_VERSION/crypto/uid.c || exit 1
+@@ -139,7 +145,7 @@ cp sgx_config.conf $OPENSSL_VERSION/ || exit 1
+ cp x86_64-xlate.pl $OPENSSL_VERSION/crypto/perlasm/ || exit 1
+
+ cd $SGXSSL_ROOT/../openssl_source/$OPENSSL_VERSION || exit 1
+-perl Configure --config=sgx_config.conf sgx-linux-x86_64 --with-rand-seed=none $ADDITIONAL_CONF $SPACE_OPT $MITIGATION_FLAGS no-idea no-mdc2 no-rc5 no-rc4 no-bf no-ec2m no-camellia no-cast no-srp no-async no-padlockeng no-dso no-shared no-ssl3 no-md2 no-md4 no-ui-console no-stdio no-afalgeng -D_FORTIFY_SOURCE=2 -DGETPID_IS_MEANINGLESS -include$SGXSSL_ROOT/../openssl_source/bypass_to_sgxssl.h || exit 1
++perl Configure --config=sgx_config.conf sgx-linux-x86_64 --with-rand-seed=none $ADDITIONAL_CONF $SPACE_OPT $MITIGATION_FLAGS $ENCLAVE_CFLAGS no-idea no-mdc2 no-rc5 no-rc4 no-bf no-ec2m no-camellia no-cast no-srp no-async no-padlockeng no-dso no-shared no-ssl3 no-md2 no-md4 no-ui-console no-stdio no-afalgeng -D_FORTIFY_SOURCE=2 -DGETPID_IS_MEANINGLESS -include$SGXSSL_ROOT/../openssl_source/bypass_to_sgxssl.h || exit 1
+
+ sed -i 's/ENGINE_set_default_RAND/dummy_ENGINE_set_default_RAND/' crypto/engine/tb_rand.c || exit 1
+ sed -i 's/return RUN_ONCE(&locale_base, ossl_init_locale_base);/return 1;/' crypto/ctype.c || exit 1
+diff --git a/Linux/sgx/Makefile b/Linux/sgx/Makefile
+index d08eff7..6555d28 100644
+--- a/Linux/sgx/Makefile
++++ b/Linux/sgx/Makefile
+@@ -76,7 +76,7 @@ endif
+ endif
+
+ $(PACKAGE_LIB)/$(OPENSSL_LIB):
+- test -f $(PACKAGE_LIB)/$(OPENSSL_LIB) || $(BUILD_OPENSSL) $(OPENSSL_CONFIG) $(MITIGATION-CVE-2020-0551) $(MITIGATION_CFLAGS)
++ test -f $(PACKAGE_LIB)/$(OPENSSL_LIB) || $(BUILD_OPENSSL) $(OPENSSL_CONFIG) $(MITIGATION-CVE-2020-0551) $(MITIGATION_CFLAGS) $(ENCLAVE_SYSTEM_INCLUDES)
+
+ clean:
+ $(MAKE) -C $(TRUSTED_LIB_DIR) clean
+--
+2.46.0
+
diff --git a/0201-Workaround-missing-output-directory.patch b/0201-Workaround-missing-output-directory.patch
new file mode 100644
index 0000000..884374c
--- /dev/null
+++ b/0201-Workaround-missing-output-directory.patch
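Review bot: The new `-isystem*)` case in build_openssl.sh only recognises the fused form `-isystem/path`; if ENCLAVE_SYSTEM_INCLUDES is set to the two-word form `-isystem /path`, the bare `-isystem` is appended to ENCLAVE_CFLAGS and the path itself falls through to the `*)` branch and is silently discarded, yielding a Configure line with a dangling `-isystem`. Because the loop is `for arg in "$@"`, the next word cannot be consumed from inside the case, so the fused form should be documented as required where the variable is consumed, e.g. `# -isystem must be passed fused (-isystem/path): each word is matched independently`. The Makefile passes `$(ENCLAVE_SYSTEM_INCLUDES)` unquoted, so either form can reach the script; the same word-splitting applies to `$ENCLAVE_CFLAGS` on the Configure line, consistent with the existing `$MITIGATION_FLAGS`, so paths containing whitespace are unsupported as before.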
@@ -0,0 +1,32 @@
+From 63f4368171ee5bf78f956c429c37d43618a881e7 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?=
+Date: Thu, 29 Aug 2024 12:50:32 +0100
+Subject: [PATCH 201/201] Workaround missing output directory
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Something is causing the output directory to be unexpectedly deleted.
+Until the root cause is identified, workaround this by creating the
+required directory again.
+
+Signed-off-by: Daniel P. Berrangé
+---
+ Linux/build_openssl.sh | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/Linux/build_openssl.sh b/Linux/build_openssl.sh
+index f1c39b6..f2cf0b1 100755
+--- a/Linux/build_openssl.sh
++++ b/Linux/build_openssl.sh
+@@ -168,6 +168,7 @@ fi
+ make libcrypto.a || exit 1
+ cp libcrypto.a $SGXSSL_ROOT/package/lib64/$OUTPUT_LIB || exit 1
+ objcopy --rename-section .init=Q6A8dc14f40efc4288a03b32cba4e $SGXSSL_ROOT/package/lib64/$OUTPUT_LIB || exit 1
++mkdir -p $SGXSSL_ROOT/package/include/openssl/
+ cp include/openssl/* $SGXSSL_ROOT/package/include/openssl/ || exit 1
+ grep OPENSSL_VERSION_STR include/openssl/opensslv.h > $SGXSSL_ROOT/sgx/osslverstr.h || exit 1
+ cp -r include/crypto $SGXSSL_ROOT/sgx/test_app/enclave/ || exit 1
+--
+2.46.0
+
diff --git a/0202-Disable-various-EC-crypto-features.patch b/0202-Disable-various-EC-crypto-features.patch
new file mode 100644
index 0000000..90815e5
--- /dev/null
+++ b/0202-Disable-various-EC-crypto-features.patch
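Review bot: The added `mkdir -p $SGXSSL_ROOT/package/include/openssl/` is the only command in this stretch of build_openssl.sh without `|| exit 1`; if the directory cannot be created the script carries on and the following `cp include/openssl/*` fails with a less direct error. Make it `mkdir -p $SGXSSL_ROOT/package/include/openssl/ || exit 1` to match its neighbours. The commit message presents this as a stop-gap for an unexplained deletion of the directory, so a `# FIXME: workaround, root cause of the missing directory not yet identified` comment on the line would stop it being read as intended design once the surrounding context is forgotten.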
@@ -0,0 +1,1635 @@
+From 6cf74b032bc9f120a7c4924a0394d22f6ed4767b Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?=
+Date: Fri, 1 Mar 2024 13:24:26 +0000
+Subject: [PATCH 202/203] Disable various EC crypto features
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Patches & policy copied from Fedora 39 openssl package.
+
+Signed-off-by: Daniel P. Berrangé
+---
+ Linux/build_openssl.sh | 11 +
+ ...10-Add-changes-to-ectest-and-eccurve.patch | 1127 +++++++++++++++++
+ openssl_source/0011-Remove-EC-curves.patch | 236 ++++
+ openssl_source/0012-Disable-explicit-ec.patch | 208 +++
+ 4 files changed, 1582 insertions(+)
+ create mode 100644 openssl_source/0010-Add-changes-to-ectest-and-eccurve.patch
+ create mode 100644 openssl_source/0011-Remove-EC-curves.patch
+ create mode 100644 openssl_source/0012-Disable-explicit-ec.patch
+
+diff --git a/Linux/build_openssl.sh b/Linux/build_openssl.sh
+index f2cf0b1..7470479 100755
+--- a/Linux/build_openssl.sh
++++ b/Linux/build_openssl.sh
+@@ -55,6 +55,17 @@ cd $SGXSSL_ROOT/../openssl_source || exit 1
+ rm -rf $OPENSSL_VERSION
+ tar xvf $OPENSSL_VERSION.tar.gz || exit 1
+ 
++# Disable forbidden EC
++(
++ cd $OPENSSL_VERSION
++
++ for i in $SGXSSL_ROOT/../openssl_source/*.patch
++ do
++ echo "Apply $i"
++ patch -p1 < $i
++ done
++)
++
+ # Remove AESBS to support only AESNI and VPAES
+ sed -i '/BSAES_ASM/d' $OPENSSL_VERSION/Configure
+ 
+diff --git a/openssl_source/0010-Add-changes-to-ectest-and-eccurve.patch b/openssl_source/0010-Add-changes-to-ectest-and-eccurve.patch
+new file mode 100644
+index 0000000..aac242b
+--- /dev/null
++++ b/openssl_source/0010-Add-changes-to-ectest-and-eccurve.patch
+@@ -0,0 +1,1127 @@
++diff -up ./crypto/ec/ec_curve.c.remove-ec ./crypto/ec/ec_curve.c
++--- ./crypto/ec/ec_curve.c.remove-ec 2023-03-13 16:50:09.278933578 +0100
+++++ ./crypto/ec/ec_curve.c 2023-03-21 12:38:57.696531941 +0100
++@@ -32,38 +32,6 @@ typedef struct {
++ /* the 
nist prime curves */ ++ static const struct { ++ EC_CURVE_DATA h; ++- unsigned char data[20 + 24 * 6]; ++-} _EC_NIST_PRIME_192 = { ++- { ++- NID_X9_62_prime_field, 20, 24, 1 ++- }, ++- { ++- /* seed */ ++- 0x30, 0x45, 0xAE, 0x6F, 0xC8, 0x42, 0x2F, 0x64, 0xED, 0x57, 0x95, 0x28, ++- 0xD3, 0x81, 0x20, 0xEA, 0xE1, 0x21, 0x96, 0xD5, ++- /* p */ ++- 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, ++- 0xFF, 0xFF, 0xFF, 0xFE, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, ++- /* a */ ++- 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, ++- 0xFF, 0xFF, 0xFF, 0xFE, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFC, ++- /* b */ ++- 0x64, 0x21, 0x05, 0x19, 0xE5, 0x9C, 0x80, 0xE7, 0x0F, 0xA7, 0xE9, 0xAB, ++- 0x72, 0x24, 0x30, 0x49, 0xFE, 0xB8, 0xDE, 0xEC, 0xC1, 0x46, 0xB9, 0xB1, ++- /* x */ ++- 0x18, 0x8D, 0xA8, 0x0E, 0xB0, 0x30, 0x90, 0xF6, 0x7C, 0xBF, 0x20, 0xEB, ++- 0x43, 0xA1, 0x88, 0x00, 0xF4, 0xFF, 0x0A, 0xFD, 0x82, 0xFF, 0x10, 0x12, ++- /* y */ ++- 0x07, 0x19, 0x2b, 0x95, 0xff, 0xc8, 0xda, 0x78, 0x63, 0x10, 0x11, 0xed, ++- 0x6b, 0x24, 0xcd, 0xd5, 0x73, 0xf9, 0x77, 0xa1, 0x1e, 0x79, 0x48, 0x11, ++- /* order */ ++- 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, ++- 0x99, 0xDE, 0xF8, 0x36, 0x14, 0x6B, 0xC9, 0xB1, 0xB4, 0xD2, 0x28, 0x31 ++- } ++-}; ++- ++-static const struct { ++- EC_CURVE_DATA h; ++ unsigned char data[20 + 28 * 6]; ++ } _EC_NIST_PRIME_224 = { ++ { ++@@ -200,187 +168,6 @@ static const struct { ++ } ++ }; ++ ++-# ifndef FIPS_MODULE ++-/* the x9.62 prime curves (minus the nist prime curves) */ ++-static const struct { ++- EC_CURVE_DATA h; ++- unsigned char data[20 + 24 * 6]; ++-} _EC_X9_62_PRIME_192V2 = { ++- { ++- NID_X9_62_prime_field, 20, 24, 1 ++- }, ++- { ++- /* seed */ ++- 0x31, 0xA9, 0x2E, 0xE2, 0x02, 0x9F, 0xD1, 0x0D, 0x90, 0x1B, 0x11, 0x3E, ++- 0x99, 0x07, 0x10, 0xF0, 0xD2, 0x1A, 0xC6, 0xB6, ++- /* p */ ++- 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, ++- 
0xFF, 0xFF, 0xFF, 0xFE, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, ++- /* a */ ++- 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, ++- 0xFF, 0xFF, 0xFF, 0xFE, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFC, ++- /* b */ ++- 0xCC, 0x22, 0xD6, 0xDF, 0xB9, 0x5C, 0x6B, 0x25, 0xE4, 0x9C, 0x0D, 0x63, ++- 0x64, 0xA4, 0xE5, 0x98, 0x0C, 0x39, 0x3A, 0xA2, 0x16, 0x68, 0xD9, 0x53, ++- /* x */ ++- 0xEE, 0xA2, 0xBA, 0xE7, 0xE1, 0x49, 0x78, 0x42, 0xF2, 0xDE, 0x77, 0x69, ++- 0xCF, 0xE9, 0xC9, 0x89, 0xC0, 0x72, 0xAD, 0x69, 0x6F, 0x48, 0x03, 0x4A, ++- /* y */ ++- 0x65, 0x74, 0xd1, 0x1d, 0x69, 0xb6, 0xec, 0x7a, 0x67, 0x2b, 0xb8, 0x2a, ++- 0x08, 0x3d, 0xf2, 0xf2, 0xb0, 0x84, 0x7d, 0xe9, 0x70, 0xb2, 0xde, 0x15, ++- /* order */ ++- 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFE, ++- 0x5F, 0xB1, 0xA7, 0x24, 0xDC, 0x80, 0x41, 0x86, 0x48, 0xD8, 0xDD, 0x31 ++- } ++-}; ++- ++-static const struct { ++- EC_CURVE_DATA h; ++- unsigned char data[20 + 24 * 6]; ++-} _EC_X9_62_PRIME_192V3 = { ++- { ++- NID_X9_62_prime_field, 20, 24, 1 ++- }, ++- { ++- /* seed */ ++- 0xC4, 0x69, 0x68, 0x44, 0x35, 0xDE, 0xB3, 0x78, 0xC4, 0xB6, 0x5C, 0xA9, ++- 0x59, 0x1E, 0x2A, 0x57, 0x63, 0x05, 0x9A, 0x2E, ++- /* p */ ++- 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, ++- 0xFF, 0xFF, 0xFF, 0xFE, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, ++- /* a */ ++- 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, ++- 0xFF, 0xFF, 0xFF, 0xFE, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFC, ++- /* b */ ++- 0x22, 0x12, 0x3D, 0xC2, 0x39, 0x5A, 0x05, 0xCA, 0xA7, 0x42, 0x3D, 0xAE, ++- 0xCC, 0xC9, 0x47, 0x60, 0xA7, 0xD4, 0x62, 0x25, 0x6B, 0xD5, 0x69, 0x16, ++- /* x */ ++- 0x7D, 0x29, 0x77, 0x81, 0x00, 0xC6, 0x5A, 0x1D, 0xA1, 0x78, 0x37, 0x16, ++- 0x58, 0x8D, 0xCE, 0x2B, 0x8B, 0x4A, 0xEE, 0x8E, 0x22, 0x8F, 0x18, 0x96, ++- /* y */ ++- 0x38, 0xa9, 0x0f, 0x22, 0x63, 0x73, 0x37, 0x33, 0x4b, 0x49, 0xdc, 0xb6, ++- 0x6a, 0x6d, 0xc8, 0xf9, 
0x97, 0x8a, 0xca, 0x76, 0x48, 0xa9, 0x43, 0xb0, ++- /* order */ ++- 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, ++- 0x7A, 0x62, 0xD0, 0x31, 0xC8, 0x3F, 0x42, 0x94, 0xF6, 0x40, 0xEC, 0x13 ++- } ++-}; ++- ++-static const struct { ++- EC_CURVE_DATA h; ++- unsigned char data[20 + 30 * 6]; ++-} _EC_X9_62_PRIME_239V1 = { ++- { ++- NID_X9_62_prime_field, 20, 30, 1 ++- }, ++- { ++- /* seed */ ++- 0xE4, 0x3B, 0xB4, 0x60, 0xF0, 0xB8, 0x0C, 0xC0, 0xC0, 0xB0, 0x75, 0x79, ++- 0x8E, 0x94, 0x80, 0x60, 0xF8, 0x32, 0x1B, 0x7D, ++- /* p */ ++- 0x7F, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, ++- 0x7F, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0x80, 0x00, 0x00, 0x00, 0x00, 0x00, ++- 0x7F, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, ++- /* a */ ++- 0x7F, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, ++- 0x7F, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0x80, 0x00, 0x00, 0x00, 0x00, 0x00, ++- 0x7F, 0xFF, 0xFF, 0xFF, 0xFF, 0xFC, ++- /* b */ ++- 0x6B, 0x01, 0x6C, 0x3B, 0xDC, 0xF1, 0x89, 0x41, 0xD0, 0xD6, 0x54, 0x92, ++- 0x14, 0x75, 0xCA, 0x71, 0xA9, 0xDB, 0x2F, 0xB2, 0x7D, 0x1D, 0x37, 0x79, ++- 0x61, 0x85, 0xC2, 0x94, 0x2C, 0x0A, ++- /* x */ ++- 0x0F, 0xFA, 0x96, 0x3C, 0xDC, 0xA8, 0x81, 0x6C, 0xCC, 0x33, 0xB8, 0x64, ++- 0x2B, 0xED, 0xF9, 0x05, 0xC3, 0xD3, 0x58, 0x57, 0x3D, 0x3F, 0x27, 0xFB, ++- 0xBD, 0x3B, 0x3C, 0xB9, 0xAA, 0xAF, ++- /* y */ ++- 0x7d, 0xeb, 0xe8, 0xe4, 0xe9, 0x0a, 0x5d, 0xae, 0x6e, 0x40, 0x54, 0xca, ++- 0x53, 0x0b, 0xa0, 0x46, 0x54, 0xb3, 0x68, 0x18, 0xce, 0x22, 0x6b, 0x39, ++- 0xfc, 0xcb, 0x7b, 0x02, 0xf1, 0xae, ++- /* order */ ++- 0x7F, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, ++- 0x7F, 0xFF, 0xFF, 0x9E, 0x5E, 0x9A, 0x9F, 0x5D, 0x90, 0x71, 0xFB, 0xD1, ++- 0x52, 0x26, 0x88, 0x90, 0x9D, 0x0B ++- } ++-}; ++- ++-static const struct { ++- EC_CURVE_DATA h; ++- unsigned char data[20 + 30 * 6]; ++-} _EC_X9_62_PRIME_239V2 = { ++- { ++- NID_X9_62_prime_field, 20, 30, 1 ++- }, ++- { ++- /* seed */ ++- 0xE8, 0xB4, 0x01, 0x16, 
0x04, 0x09, 0x53, 0x03, 0xCA, 0x3B, 0x80, 0x99, ++- 0x98, 0x2B, 0xE0, 0x9F, 0xCB, 0x9A, 0xE6, 0x16, ++- /* p */ ++- 0x7F, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, ++- 0x7F, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0x80, 0x00, 0x00, 0x00, 0x00, 0x00, ++- 0x7F, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, ++- /* a */ ++- 0x7F, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, ++- 0x7F, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0x80, 0x00, 0x00, 0x00, 0x00, 0x00, ++- 0x7F, 0xFF, 0xFF, 0xFF, 0xFF, 0xFC, ++- /* b */ ++- 0x61, 0x7F, 0xAB, 0x68, 0x32, 0x57, 0x6C, 0xBB, 0xFE, 0xD5, 0x0D, 0x99, ++- 0xF0, 0x24, 0x9C, 0x3F, 0xEE, 0x58, 0xB9, 0x4B, 0xA0, 0x03, 0x8C, 0x7A, ++- 0xE8, 0x4C, 0x8C, 0x83, 0x2F, 0x2C, ++- /* x */ ++- 0x38, 0xAF, 0x09, 0xD9, 0x87, 0x27, 0x70, 0x51, 0x20, 0xC9, 0x21, 0xBB, ++- 0x5E, 0x9E, 0x26, 0x29, 0x6A, 0x3C, 0xDC, 0xF2, 0xF3, 0x57, 0x57, 0xA0, ++- 0xEA, 0xFD, 0x87, 0xB8, 0x30, 0xE7, ++- /* y */ ++- 0x5b, 0x01, 0x25, 0xe4, 0xdb, 0xea, 0x0e, 0xc7, 0x20, 0x6d, 0xa0, 0xfc, ++- 0x01, 0xd9, 0xb0, 0x81, 0x32, 0x9f, 0xb5, 0x55, 0xde, 0x6e, 0xf4, 0x60, ++- 0x23, 0x7d, 0xff, 0x8b, 0xe4, 0xba, ++- /* order */ ++- 0x7F, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, ++- 0x80, 0x00, 0x00, 0xCF, 0xA7, 0xE8, 0x59, 0x43, 0x77, 0xD4, 0x14, 0xC0, ++- 0x38, 0x21, 0xBC, 0x58, 0x20, 0x63 ++- } ++-}; ++- ++-static const struct { ++- EC_CURVE_DATA h; ++- unsigned char data[20 + 30 * 6]; ++-} _EC_X9_62_PRIME_239V3 = { ++- { ++- NID_X9_62_prime_field, 20, 30, 1 ++- }, ++- { ++- /* seed */ ++- 0x7D, 0x73, 0x74, 0x16, 0x8F, 0xFE, 0x34, 0x71, 0xB6, 0x0A, 0x85, 0x76, ++- 0x86, 0xA1, 0x94, 0x75, 0xD3, 0xBF, 0xA2, 0xFF, ++- /* p */ ++- 0x7F, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, ++- 0x7F, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0x80, 0x00, 0x00, 0x00, 0x00, 0x00, ++- 0x7F, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, ++- /* a */ ++- 0x7F, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, ++- 0x7F, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0x80, 0x00, 
0x00, 0x00, 0x00, 0x00, ++- 0x7F, 0xFF, 0xFF, 0xFF, 0xFF, 0xFC, ++- /* b */ ++- 0x25, 0x57, 0x05, 0xFA, 0x2A, 0x30, 0x66, 0x54, 0xB1, 0xF4, 0xCB, 0x03, ++- 0xD6, 0xA7, 0x50, 0xA3, 0x0C, 0x25, 0x01, 0x02, 0xD4, 0x98, 0x87, 0x17, ++- 0xD9, 0xBA, 0x15, 0xAB, 0x6D, 0x3E, ++- /* x */ ++- 0x67, 0x68, 0xAE, 0x8E, 0x18, 0xBB, 0x92, 0xCF, 0xCF, 0x00, 0x5C, 0x94, ++- 0x9A, 0xA2, 0xC6, 0xD9, 0x48, 0x53, 0xD0, 0xE6, 0x60, 0xBB, 0xF8, 0x54, ++- 0xB1, 0xC9, 0x50, 0x5F, 0xE9, 0x5A, ++- /* y */ ++- 0x16, 0x07, 0xe6, 0x89, 0x8f, 0x39, 0x0c, 0x06, 0xbc, 0x1d, 0x55, 0x2b, ++- 0xad, 0x22, 0x6f, 0x3b, 0x6f, 0xcf, 0xe4, 0x8b, 0x6e, 0x81, 0x84, 0x99, ++- 0xaf, 0x18, 0xe3, 0xed, 0x6c, 0xf3, ++- /* order */ ++- 0x7F, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, ++- 0x7F, 0xFF, 0xFF, 0x97, 0x5D, 0xEB, 0x41, 0xB3, 0xA6, 0x05, 0x7C, 0x3C, ++- 0x43, 0x21, 0x46, 0x52, 0x65, 0x51 ++- } ++-}; ++-#endif /* FIPS_MODULE */ ++- ++ static const struct { ++ EC_CURVE_DATA h; ++ unsigned char data[20 + 32 * 6]; ++@@ -423,294 +210,6 @@ static const struct { ++ /* the secg prime curves (minus the nist and x9.62 prime curves) */ ++ static const struct { ++ EC_CURVE_DATA h; ++- unsigned char data[20 + 14 * 6]; ++-} _EC_SECG_PRIME_112R1 = { ++- { ++- NID_X9_62_prime_field, 20, 14, 1 ++- }, ++- { ++- /* seed */ ++- 0x00, 0xF5, 0x0B, 0x02, 0x8E, 0x4D, 0x69, 0x6E, 0x67, 0x68, 0x75, 0x61, ++- 0x51, 0x75, 0x29, 0x04, 0x72, 0x78, 0x3F, 0xB1, ++- /* p */ ++- 0xDB, 0x7C, 0x2A, 0xBF, 0x62, 0xE3, 0x5E, 0x66, 0x80, 0x76, 0xBE, 0xAD, ++- 0x20, 0x8B, ++- /* a */ ++- 0xDB, 0x7C, 0x2A, 0xBF, 0x62, 0xE3, 0x5E, 0x66, 0x80, 0x76, 0xBE, 0xAD, ++- 0x20, 0x88, ++- /* b */ ++- 0x65, 0x9E, 0xF8, 0xBA, 0x04, 0x39, 0x16, 0xEE, 0xDE, 0x89, 0x11, 0x70, ++- 0x2B, 0x22, ++- /* x */ ++- 0x09, 0x48, 0x72, 0x39, 0x99, 0x5A, 0x5E, 0xE7, 0x6B, 0x55, 0xF9, 0xC2, ++- 0xF0, 0x98, ++- /* y */ ++- 0xa8, 0x9c, 0xe5, 0xaf, 0x87, 0x24, 0xc0, 0xa2, 0x3e, 0x0e, 0x0f, 0xf7, ++- 0x75, 0x00, ++- /* order */ ++- 0xDB, 0x7C, 0x2A, 0xBF, 
0x62, 0xE3, 0x5E, 0x76, 0x28, 0xDF, 0xAC, 0x65, ++- 0x61, 0xC5 ++- } ++-}; ++- ++-static const struct { ++- EC_CURVE_DATA h; ++- unsigned char data[20 + 14 * 6]; ++-} _EC_SECG_PRIME_112R2 = { ++- { ++- NID_X9_62_prime_field, 20, 14, 4 ++- }, ++- { ++- /* seed */ ++- 0x00, 0x27, 0x57, 0xA1, 0x11, 0x4D, 0x69, 0x6E, 0x67, 0x68, 0x75, 0x61, ++- 0x51, 0x75, 0x53, 0x16, 0xC0, 0x5E, 0x0B, 0xD4, ++- /* p */ ++- 0xDB, 0x7C, 0x2A, 0xBF, 0x62, 0xE3, 0x5E, 0x66, 0x80, 0x76, 0xBE, 0xAD, ++- 0x20, 0x8B, ++- /* a */ ++- 0x61, 0x27, 0xC2, 0x4C, 0x05, 0xF3, 0x8A, 0x0A, 0xAA, 0xF6, 0x5C, 0x0E, ++- 0xF0, 0x2C, ++- /* b */ ++- 0x51, 0xDE, 0xF1, 0x81, 0x5D, 0xB5, 0xED, 0x74, 0xFC, 0xC3, 0x4C, 0x85, ++- 0xD7, 0x09, ++- /* x */ ++- 0x4B, 0xA3, 0x0A, 0xB5, 0xE8, 0x92, 0xB4, 0xE1, 0x64, 0x9D, 0xD0, 0x92, ++- 0x86, 0x43, ++- /* y */ ++- 0xad, 0xcd, 0x46, 0xf5, 0x88, 0x2e, 0x37, 0x47, 0xde, 0xf3, 0x6e, 0x95, ++- 0x6e, 0x97, ++- /* order */ ++- 0x36, 0xDF, 0x0A, 0xAF, 0xD8, 0xB8, 0xD7, 0x59, 0x7C, 0xA1, 0x05, 0x20, ++- 0xD0, 0x4B ++- } ++-}; ++- ++-static const struct { ++- EC_CURVE_DATA h; ++- unsigned char data[20 + 16 * 6]; ++-} _EC_SECG_PRIME_128R1 = { ++- { ++- NID_X9_62_prime_field, 20, 16, 1 ++- }, ++- { ++- /* seed */ ++- 0x00, 0x0E, 0x0D, 0x4D, 0x69, 0x6E, 0x67, 0x68, 0x75, 0x61, 0x51, 0x75, ++- 0x0C, 0xC0, 0x3A, 0x44, 0x73, 0xD0, 0x36, 0x79, ++- /* p */ ++- 0xFF, 0xFF, 0xFF, 0xFD, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, ++- 0xFF, 0xFF, 0xFF, 0xFF, ++- /* a */ ++- 0xFF, 0xFF, 0xFF, 0xFD, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, ++- 0xFF, 0xFF, 0xFF, 0xFC, ++- /* b */ ++- 0xE8, 0x75, 0x79, 0xC1, 0x10, 0x79, 0xF4, 0x3D, 0xD8, 0x24, 0x99, 0x3C, ++- 0x2C, 0xEE, 0x5E, 0xD3, ++- /* x */ ++- 0x16, 0x1F, 0xF7, 0x52, 0x8B, 0x89, 0x9B, 0x2D, 0x0C, 0x28, 0x60, 0x7C, ++- 0xA5, 0x2C, 0x5B, 0x86, ++- /* y */ ++- 0xcf, 0x5a, 0xc8, 0x39, 0x5b, 0xaf, 0xeb, 0x13, 0xc0, 0x2d, 0xa2, 0x92, ++- 0xdd, 0xed, 0x7a, 0x83, ++- /* order */ ++- 0xFF, 0xFF, 0xFF, 0xFE, 0x00, 0x00, 0x00, 0x00, 0x75, 
0xA3, 0x0D, 0x1B, ++- 0x90, 0x38, 0xA1, 0x15 ++- } ++-}; ++- ++-static const struct { ++- EC_CURVE_DATA h; ++- unsigned char data[20 + 16 * 6]; ++-} _EC_SECG_PRIME_128R2 = { ++- { ++- NID_X9_62_prime_field, 20, 16, 4 ++- }, ++- { ++- /* seed */ ++- 0x00, 0x4D, 0x69, 0x6E, 0x67, 0x68, 0x75, 0x61, 0x51, 0x75, 0x12, 0xD8, ++- 0xF0, 0x34, 0x31, 0xFC, 0xE6, 0x3B, 0x88, 0xF4, ++- /* p */ ++- 0xFF, 0xFF, 0xFF, 0xFD, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, ++- 0xFF, 0xFF, 0xFF, 0xFF, ++- /* a */ ++- 0xD6, 0x03, 0x19, 0x98, 0xD1, 0xB3, 0xBB, 0xFE, 0xBF, 0x59, 0xCC, 0x9B, ++- 0xBF, 0xF9, 0xAE, 0xE1, ++- /* b */ ++- 0x5E, 0xEE, 0xFC, 0xA3, 0x80, 0xD0, 0x29, 0x19, 0xDC, 0x2C, 0x65, 0x58, ++- 0xBB, 0x6D, 0x8A, 0x5D, ++- /* x */ ++- 0x7B, 0x6A, 0xA5, 0xD8, 0x5E, 0x57, 0x29, 0x83, 0xE6, 0xFB, 0x32, 0xA7, ++- 0xCD, 0xEB, 0xC1, 0x40, ++- /* y */ ++- 0x27, 0xb6, 0x91, 0x6a, 0x89, 0x4d, 0x3a, 0xee, 0x71, 0x06, 0xfe, 0x80, ++- 0x5f, 0xc3, 0x4b, 0x44, ++- /* order */ ++- 0x3F, 0xFF, 0xFF, 0xFF, 0x7F, 0xFF, 0xFF, 0xFF, 0xBE, 0x00, 0x24, 0x72, ++- 0x06, 0x13, 0xB5, 0xA3 ++- } ++-}; ++- ++-static const struct { ++- EC_CURVE_DATA h; ++- unsigned char data[0 + 21 * 6]; ++-} _EC_SECG_PRIME_160K1 = { ++- { ++- NID_X9_62_prime_field, 0, 21, 1 ++- }, ++- { ++- /* no seed */ ++- /* p */ ++- 0x00, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, ++- 0xFF, 0xFF, 0xFF, 0xFF, 0xFE, 0xFF, 0xFF, 0xAC, 0x73, ++- /* a */ ++- 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, ++- 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, ++- /* b */ ++- 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, ++- 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x07, ++- /* x */ ++- 0x00, 0x3B, 0x4C, 0x38, 0x2C, 0xE3, 0x7A, 0xA1, 0x92, 0xA4, 0x01, 0x9E, ++- 0x76, 0x30, 0x36, 0xF4, 0xF5, 0xDD, 0x4D, 0x7E, 0xBB, ++- /* y */ ++- 0x00, 0x93, 0x8c, 0xf9, 0x35, 0x31, 0x8f, 0xdc, 0xed, 0x6b, 0xc2, 0x82, ++- 0x86, 0x53, 0x17, 0x33, 0xc3, 0xf0, 0x3c, 0x4f, 
0xee, ++- /* order */ ++- 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0xB8, ++- 0xFA, 0x16, 0xDF, 0xAB, 0x9A, 0xCA, 0x16, 0xB6, 0xB3 ++- } ++-}; ++- ++-static const struct { ++- EC_CURVE_DATA h; ++- unsigned char data[20 + 21 * 6]; ++-} _EC_SECG_PRIME_160R1 = { ++- { ++- NID_X9_62_prime_field, 20, 21, 1 ++- }, ++- { ++- /* seed */ ++- 0x10, 0x53, 0xCD, 0xE4, 0x2C, 0x14, 0xD6, 0x96, 0xE6, 0x76, 0x87, 0x56, ++- 0x15, 0x17, 0x53, 0x3B, 0xF3, 0xF8, 0x33, 0x45, ++- /* p */ ++- 0x00, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, ++- 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0x7F, 0xFF, 0xFF, 0xFF, ++- /* a */ ++- 0x00, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, ++- 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0x7F, 0xFF, 0xFF, 0xFC, ++- /* b */ ++- 0x00, 0x1C, 0x97, 0xBE, 0xFC, 0x54, 0xBD, 0x7A, 0x8B, 0x65, 0xAC, 0xF8, ++- 0x9F, 0x81, 0xD4, 0xD4, 0xAD, 0xC5, 0x65, 0xFA, 0x45, ++- /* x */ ++- 0x00, 0x4A, 0x96, 0xB5, 0x68, 0x8E, 0xF5, 0x73, 0x28, 0x46, 0x64, 0x69, ++- 0x89, 0x68, 0xC3, 0x8B, 0xB9, 0x13, 0xCB, 0xFC, 0x82, ++- /* y */ ++- 0x00, 0x23, 0xa6, 0x28, 0x55, 0x31, 0x68, 0x94, 0x7d, 0x59, 0xdc, 0xc9, ++- 0x12, 0x04, 0x23, 0x51, 0x37, 0x7a, 0xc5, 0xfb, 0x32, ++- /* order */ ++- 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0xF4, ++- 0xC8, 0xF9, 0x27, 0xAE, 0xD3, 0xCA, 0x75, 0x22, 0x57 ++- } ++-}; ++- ++-static const struct { ++- EC_CURVE_DATA h; ++- unsigned char data[20 + 21 * 6]; ++-} _EC_SECG_PRIME_160R2 = { ++- { ++- NID_X9_62_prime_field, 20, 21, 1 ++- }, ++- { ++- /* seed */ ++- 0xB9, 0x9B, 0x99, 0xB0, 0x99, 0xB3, 0x23, 0xE0, 0x27, 0x09, 0xA4, 0xD6, ++- 0x96, 0xE6, 0x76, 0x87, 0x56, 0x15, 0x17, 0x51, ++- /* p */ ++- 0x00, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, ++- 0xFF, 0xFF, 0xFF, 0xFF, 0xFE, 0xFF, 0xFF, 0xAC, 0x73, ++- /* a */ ++- 0x00, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, ++- 0xFF, 0xFF, 0xFF, 0xFF, 0xFE, 0xFF, 0xFF, 0xAC, 0x70, ++- /* b */ ++- 
0x00, 0xB4, 0xE1, 0x34, 0xD3, 0xFB, 0x59, 0xEB, 0x8B, 0xAB, 0x57, 0x27, ++- 0x49, 0x04, 0x66, 0x4D, 0x5A, 0xF5, 0x03, 0x88, 0xBA, ++- /* x */ ++- 0x00, 0x52, 0xDC, 0xB0, 0x34, 0x29, 0x3A, 0x11, 0x7E, 0x1F, 0x4F, 0xF1, ++- 0x1B, 0x30, 0xF7, 0x19, 0x9D, 0x31, 0x44, 0xCE, 0x6D, ++- /* y */ ++- 0x00, 0xfe, 0xaf, 0xfe, 0xf2, 0xe3, 0x31, 0xf2, 0x96, 0xe0, 0x71, 0xfa, ++- 0x0d, 0xf9, 0x98, 0x2c, 0xfe, 0xa7, 0xd4, 0x3f, 0x2e, ++- /* order */ ++- 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x35, ++- 0x1E, 0xE7, 0x86, 0xA8, 0x18, 0xF3, 0xA1, 0xA1, 0x6B ++- } ++-}; ++- ++-static const struct { ++- EC_CURVE_DATA h; ++- unsigned char data[0 + 24 * 6]; ++-} _EC_SECG_PRIME_192K1 = { ++- { ++- NID_X9_62_prime_field, 0, 24, 1 ++- }, ++- { ++- /* no seed */ ++- /* p */ ++- 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, ++- 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFE, 0xFF, 0xFF, 0xEE, 0x37, ++- /* a */ ++- 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, ++- 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, ++- /* b */ ++- 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, ++- 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x03, ++- /* x */ ++- 0xDB, 0x4F, 0xF1, 0x0E, 0xC0, 0x57, 0xE9, 0xAE, 0x26, 0xB0, 0x7D, 0x02, ++- 0x80, 0xB7, 0xF4, 0x34, 0x1D, 0xA5, 0xD1, 0xB1, 0xEA, 0xE0, 0x6C, 0x7D, ++- /* y */ ++- 0x9b, 0x2f, 0x2f, 0x6d, 0x9c, 0x56, 0x28, 0xa7, 0x84, 0x41, 0x63, 0xd0, ++- 0x15, 0xbe, 0x86, 0x34, 0x40, 0x82, 0xaa, 0x88, 0xd9, 0x5e, 0x2f, 0x9d, ++- /* order */ ++- 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFE, ++- 0x26, 0xF2, 0xFC, 0x17, 0x0F, 0x69, 0x46, 0x6A, 0x74, 0xDE, 0xFD, 0x8D ++- } ++-}; ++- ++-static const struct { ++- EC_CURVE_DATA h; ++- unsigned char data[0 + 29 * 6]; ++-} _EC_SECG_PRIME_224K1 = { ++- { ++- NID_X9_62_prime_field, 0, 29, 1 ++- }, ++- { ++- /* no seed */ ++- /* p */ ++- 0x00, 0xFF, 0xFF, 0xFF, 
0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, ++- 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, ++- 0xFE, 0xFF, 0xFF, 0xE5, 0x6D, ++- /* a */ ++- 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, ++- 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, ++- 0x00, 0x00, 0x00, 0x00, 0x00, ++- /* b */ ++- 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, ++- 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, ++- 0x00, 0x00, 0x00, 0x00, 0x05, ++- /* x */ ++- 0x00, 0xA1, 0x45, 0x5B, 0x33, 0x4D, 0xF0, 0x99, 0xDF, 0x30, 0xFC, 0x28, ++- 0xA1, 0x69, 0xA4, 0x67, 0xE9, 0xE4, 0x70, 0x75, 0xA9, 0x0F, 0x7E, 0x65, ++- 0x0E, 0xB6, 0xB7, 0xA4, 0x5C, ++- /* y */ ++- 0x00, 0x7e, 0x08, 0x9f, 0xed, 0x7f, 0xba, 0x34, 0x42, 0x82, 0xca, 0xfb, ++- 0xd6, 0xf7, 0xe3, 0x19, 0xf7, 0xc0, 0xb0, 0xbd, 0x59, 0xe2, 0xca, 0x4b, ++- 0xdb, 0x55, 0x6d, 0x61, 0xa5, ++- /* order */ ++- 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, ++- 0x00, 0x00, 0x01, 0xDC, 0xE8, 0xD2, 0xEC, 0x61, 0x84, 0xCA, 0xF0, 0xA9, ++- 0x71, 0x76, 0x9F, 0xB1, 0xF7 ++- } ++-}; ++- ++-static const struct { ++- EC_CURVE_DATA h; ++ unsigned char data[0 + 32 * 6]; ++ } _EC_SECG_PRIME_256K1 = { ++ { ++@@ -745,102 +244,6 @@ static const struct { ++ } ++ }; ++ ++-/* some wap/wtls curves */ ++-static const struct { ++- EC_CURVE_DATA h; ++- unsigned char data[0 + 15 * 6]; ++-} _EC_WTLS_8 = { ++- { ++- NID_X9_62_prime_field, 0, 15, 1 ++- }, ++- { ++- /* no seed */ ++- /* p */ ++- 0x00, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, ++- 0xFF, 0xFD, 0xE7, ++- /* a */ ++- 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, ++- 0x00, 0x00, 0x00, ++- /* b */ ++- 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, ++- 0x00, 0x00, 0x03, ++- /* x */ ++- 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, ++- 0x00, 0x00, 0x01, ++- /* y */ 
++- 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, ++- 0x00, 0x00, 0x02, ++- /* order */ ++- 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0xEC, 0xEA, 0x55, 0x1A, ++- 0xD8, 0x37, 0xE9 ++- } ++-}; ++- ++-static const struct { ++- EC_CURVE_DATA h; ++- unsigned char data[0 + 21 * 6]; ++-} _EC_WTLS_9 = { ++- { ++- NID_X9_62_prime_field, 0, 21, 1 ++- }, ++- { ++- /* no seed */ ++- /* p */ ++- 0x00, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, ++- 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFC, 0x80, 0x8F, ++- /* a */ ++- 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, ++- 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, ++- /* b */ ++- 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, ++- 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x03, ++- /* x */ ++- 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, ++- 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, ++- /* y */ ++- 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, ++- 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, ++- /* order */ ++- 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0xCD, ++- 0xC9, 0x8A, 0xE0, 0xE2, 0xDE, 0x57, 0x4A, 0xBF, 0x33 ++- } ++-}; ++- ++-static const struct { ++- EC_CURVE_DATA h; ++- unsigned char data[0 + 28 * 6]; ++-} _EC_WTLS_12 = { ++- { ++- NID_X9_62_prime_field, 0, 28, 1 ++- }, ++- { ++- /* no seed */ ++- /* p */ ++- 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, ++- 0xFF, 0xFF, 0xFF, 0xFF, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, ++- 0x00, 0x00, 0x00, 0x01, ++- /* a */ ++- 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, ++- 0xFF, 0xFF, 0xFF, 0xFE, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, ++- 0xFF, 0xFF, 0xFF, 0xFE, ++- /* b */ ++- 0xB4, 0x05, 0x0A, 0x85, 0x0C, 0x04, 0xB3, 0xAB, 0xF5, 0x41, 0x32, 0x56, ++- 0x50, 0x44, 0xB0, 0xB7, 0xD7, 0xBF, 0xD8, 0xBA, 
0x27, 0x0B, 0x39, 0x43, ++- 0x23, 0x55, 0xFF, 0xB4, ++- /* x */ ++- 0xB7, 0x0E, 0x0C, 0xBD, 0x6B, 0xB4, 0xBF, 0x7F, 0x32, 0x13, 0x90, 0xB9, ++- 0x4A, 0x03, 0xC1, 0xD3, 0x56, 0xC2, 0x11, 0x22, 0x34, 0x32, 0x80, 0xD6, ++- 0x11, 0x5C, 0x1D, 0x21, ++- /* y */ ++- 0xbd, 0x37, 0x63, 0x88, 0xb5, 0xf7, 0x23, 0xfb, 0x4c, 0x22, 0xdf, 0xe6, ++- 0xcd, 0x43, 0x75, 0xa0, 0x5a, 0x07, 0x47, 0x64, 0x44, 0xd5, 0x81, 0x99, ++- 0x85, 0x00, 0x7e, 0x34, ++- /* order */ ++- 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, ++- 0xFF, 0xFF, 0x16, 0xA2, 0xE0, 0xB8, 0xF0, 0x3E, 0x13, 0xDD, 0x29, 0x45, ++- 0x5C, 0x5C, 0x2A, 0x3D ++- } ++-}; ++ #endif /* FIPS_MODULE */ ++ ++ #ifndef OPENSSL_NO_EC2M ++@@ -2238,198 +1641,6 @@ static const struct { ++ #ifndef FIPS_MODULE ++ static const struct { ++ EC_CURVE_DATA h; ++- unsigned char data[0 + 20 * 6]; ++-} _EC_brainpoolP160r1 = { ++- { ++- NID_X9_62_prime_field, 0, 20, 1 ++- }, ++- { ++- /* no seed */ ++- /* p */ ++- 0xE9, 0x5E, 0x4A, 0x5F, 0x73, 0x70, 0x59, 0xDC, 0x60, 0xDF, 0xC7, 0xAD, ++- 0x95, 0xB3, 0xD8, 0x13, 0x95, 0x15, 0x62, 0x0F, ++- /* a */ ++- 0x34, 0x0E, 0x7B, 0xE2, 0xA2, 0x80, 0xEB, 0x74, 0xE2, 0xBE, 0x61, 0xBA, ++- 0xDA, 0x74, 0x5D, 0x97, 0xE8, 0xF7, 0xC3, 0x00, ++- /* b */ ++- 0x1E, 0x58, 0x9A, 0x85, 0x95, 0x42, 0x34, 0x12, 0x13, 0x4F, 0xAA, 0x2D, ++- 0xBD, 0xEC, 0x95, 0xC8, 0xD8, 0x67, 0x5E, 0x58, ++- /* x */ ++- 0xBE, 0xD5, 0xAF, 0x16, 0xEA, 0x3F, 0x6A, 0x4F, 0x62, 0x93, 0x8C, 0x46, ++- 0x31, 0xEB, 0x5A, 0xF7, 0xBD, 0xBC, 0xDB, 0xC3, ++- /* y */ ++- 0x16, 0x67, 0xCB, 0x47, 0x7A, 0x1A, 0x8E, 0xC3, 0x38, 0xF9, 0x47, 0x41, ++- 0x66, 0x9C, 0x97, 0x63, 0x16, 0xDA, 0x63, 0x21, ++- /* order */ ++- 0xE9, 0x5E, 0x4A, 0x5F, 0x73, 0x70, 0x59, 0xDC, 0x60, 0xDF, 0x59, 0x91, ++- 0xD4, 0x50, 0x29, 0x40, 0x9E, 0x60, 0xFC, 0x09 ++- } ++-}; ++- ++-static const struct { ++- EC_CURVE_DATA h; ++- unsigned char data[0 + 20 * 6]; ++-} _EC_brainpoolP160t1 = { ++- { ++- NID_X9_62_prime_field, 0, 20, 1 ++- }, ++- { ++- /* no seed */ 
++- /* p */ ++- 0xE9, 0x5E, 0x4A, 0x5F, 0x73, 0x70, 0x59, 0xDC, 0x60, 0xDF, 0xC7, 0xAD, ++- 0x95, 0xB3, 0xD8, 0x13, 0x95, 0x15, 0x62, 0x0F, ++- /* a */ ++- 0xE9, 0x5E, 0x4A, 0x5F, 0x73, 0x70, 0x59, 0xDC, 0x60, 0xDF, 0xC7, 0xAD, ++- 0x95, 0xB3, 0xD8, 0x13, 0x95, 0x15, 0x62, 0x0C, ++- /* b */ ++- 0x7A, 0x55, 0x6B, 0x6D, 0xAE, 0x53, 0x5B, 0x7B, 0x51, 0xED, 0x2C, 0x4D, ++- 0x7D, 0xAA, 0x7A, 0x0B, 0x5C, 0x55, 0xF3, 0x80, ++- /* x */ ++- 0xB1, 0x99, 0xB1, 0x3B, 0x9B, 0x34, 0xEF, 0xC1, 0x39, 0x7E, 0x64, 0xBA, ++- 0xEB, 0x05, 0xAC, 0xC2, 0x65, 0xFF, 0x23, 0x78, ++- /* y */ ++- 0xAD, 0xD6, 0x71, 0x8B, 0x7C, 0x7C, 0x19, 0x61, 0xF0, 0x99, 0x1B, 0x84, ++- 0x24, 0x43, 0x77, 0x21, 0x52, 0xC9, 0xE0, 0xAD, ++- /* order */ ++- 0xE9, 0x5E, 0x4A, 0x5F, 0x73, 0x70, 0x59, 0xDC, 0x60, 0xDF, 0x59, 0x91, ++- 0xD4, 0x50, 0x29, 0x40, 0x9E, 0x60, 0xFC, 0x09 ++- } ++-}; ++- ++-static const struct { ++- EC_CURVE_DATA h; ++- unsigned char data[0 + 24 * 6]; ++-} _EC_brainpoolP192r1 = { ++- { ++- NID_X9_62_prime_field, 0, 24, 1 ++- }, ++- { ++- /* no seed */ ++- /* p */ ++- 0xC3, 0x02, 0xF4, 0x1D, 0x93, 0x2A, 0x36, 0xCD, 0xA7, 0xA3, 0x46, 0x30, ++- 0x93, 0xD1, 0x8D, 0xB7, 0x8F, 0xCE, 0x47, 0x6D, 0xE1, 0xA8, 0x62, 0x97, ++- /* a */ ++- 0x6A, 0x91, 0x17, 0x40, 0x76, 0xB1, 0xE0, 0xE1, 0x9C, 0x39, 0xC0, 0x31, ++- 0xFE, 0x86, 0x85, 0xC1, 0xCA, 0xE0, 0x40, 0xE5, 0xC6, 0x9A, 0x28, 0xEF, ++- /* b */ ++- 0x46, 0x9A, 0x28, 0xEF, 0x7C, 0x28, 0xCC, 0xA3, 0xDC, 0x72, 0x1D, 0x04, ++- 0x4F, 0x44, 0x96, 0xBC, 0xCA, 0x7E, 0xF4, 0x14, 0x6F, 0xBF, 0x25, 0xC9, ++- /* x */ ++- 0xC0, 0xA0, 0x64, 0x7E, 0xAA, 0xB6, 0xA4, 0x87, 0x53, 0xB0, 0x33, 0xC5, ++- 0x6C, 0xB0, 0xF0, 0x90, 0x0A, 0x2F, 0x5C, 0x48, 0x53, 0x37, 0x5F, 0xD6, ++- /* y */ ++- 0x14, 0xB6, 0x90, 0x86, 0x6A, 0xBD, 0x5B, 0xB8, 0x8B, 0x5F, 0x48, 0x28, ++- 0xC1, 0x49, 0x00, 0x02, 0xE6, 0x77, 0x3F, 0xA2, 0xFA, 0x29, 0x9B, 0x8F, ++- /* order */ ++- 0xC3, 0x02, 0xF4, 0x1D, 0x93, 0x2A, 0x36, 0xCD, 0xA7, 0xA3, 0x46, 0x2F, ++- 0x9E, 0x9E, 0x91, 0x6B, 0x5B, 0xE8, 
0xF1, 0x02, 0x9A, 0xC4, 0xAC, 0xC1 ++- } ++-}; ++- ++-static const struct { ++- EC_CURVE_DATA h; ++- unsigned char data[0 + 24 * 6]; ++-} _EC_brainpoolP192t1 = { ++- { ++- NID_X9_62_prime_field, 0, 24, 1 ++- }, ++- { ++- /* no seed */ ++- /* p */ ++- 0xC3, 0x02, 0xF4, 0x1D, 0x93, 0x2A, 0x36, 0xCD, 0xA7, 0xA3, 0x46, 0x30, ++- 0x93, 0xD1, 0x8D, 0xB7, 0x8F, 0xCE, 0x47, 0x6D, 0xE1, 0xA8, 0x62, 0x97, ++- /* a */ ++- 0xC3, 0x02, 0xF4, 0x1D, 0x93, 0x2A, 0x36, 0xCD, 0xA7, 0xA3, 0x46, 0x30, ++- 0x93, 0xD1, 0x8D, 0xB7, 0x8F, 0xCE, 0x47, 0x6D, 0xE1, 0xA8, 0x62, 0x94, ++- /* b */ ++- 0x13, 0xD5, 0x6F, 0xFA, 0xEC, 0x78, 0x68, 0x1E, 0x68, 0xF9, 0xDE, 0xB4, ++- 0x3B, 0x35, 0xBE, 0xC2, 0xFB, 0x68, 0x54, 0x2E, 0x27, 0x89, 0x7B, 0x79, ++- /* x */ ++- 0x3A, 0xE9, 0xE5, 0x8C, 0x82, 0xF6, 0x3C, 0x30, 0x28, 0x2E, 0x1F, 0xE7, ++- 0xBB, 0xF4, 0x3F, 0xA7, 0x2C, 0x44, 0x6A, 0xF6, 0xF4, 0x61, 0x81, 0x29, ++- /* y */ ++- 0x09, 0x7E, 0x2C, 0x56, 0x67, 0xC2, 0x22, 0x3A, 0x90, 0x2A, 0xB5, 0xCA, ++- 0x44, 0x9D, 0x00, 0x84, 0xB7, 0xE5, 0xB3, 0xDE, 0x7C, 0xCC, 0x01, 0xC9, ++- /* order */ ++- 0xC3, 0x02, 0xF4, 0x1D, 0x93, 0x2A, 0x36, 0xCD, 0xA7, 0xA3, 0x46, 0x2F, ++- 0x9E, 0x9E, 0x91, 0x6B, 0x5B, 0xE8, 0xF1, 0x02, 0x9A, 0xC4, 0xAC, 0xC1 ++- } ++-}; ++- ++-static const struct { ++- EC_CURVE_DATA h; ++- unsigned char data[0 + 28 * 6]; ++-} _EC_brainpoolP224r1 = { ++- { ++- NID_X9_62_prime_field, 0, 28, 1 ++- }, ++- { ++- /* no seed */ ++- /* p */ ++- 0xD7, 0xC1, 0x34, 0xAA, 0x26, 0x43, 0x66, 0x86, 0x2A, 0x18, 0x30, 0x25, ++- 0x75, 0xD1, 0xD7, 0x87, 0xB0, 0x9F, 0x07, 0x57, 0x97, 0xDA, 0x89, 0xF5, ++- 0x7E, 0xC8, 0xC0, 0xFF, ++- /* a */ ++- 0x68, 0xA5, 0xE6, 0x2C, 0xA9, 0xCE, 0x6C, 0x1C, 0x29, 0x98, 0x03, 0xA6, ++- 0xC1, 0x53, 0x0B, 0x51, 0x4E, 0x18, 0x2A, 0xD8, 0xB0, 0x04, 0x2A, 0x59, ++- 0xCA, 0xD2, 0x9F, 0x43, ++- /* b */ ++- 0x25, 0x80, 0xF6, 0x3C, 0xCF, 0xE4, 0x41, 0x38, 0x87, 0x07, 0x13, 0xB1, ++- 0xA9, 0x23, 0x69, 0xE3, 0x3E, 0x21, 0x35, 0xD2, 0x66, 0xDB, 0xB3, 0x72, ++- 0x38, 0x6C, 0x40, 0x0B, 
++- /* x */ ++- 0x0D, 0x90, 0x29, 0xAD, 0x2C, 0x7E, 0x5C, 0xF4, 0x34, 0x08, 0x23, 0xB2, ++- 0xA8, 0x7D, 0xC6, 0x8C, 0x9E, 0x4C, 0xE3, 0x17, 0x4C, 0x1E, 0x6E, 0xFD, ++- 0xEE, 0x12, 0xC0, 0x7D, ++- /* y */ ++- 0x58, 0xAA, 0x56, 0xF7, 0x72, 0xC0, 0x72, 0x6F, 0x24, 0xC6, 0xB8, 0x9E, ++- 0x4E, 0xCD, 0xAC, 0x24, 0x35, 0x4B, 0x9E, 0x99, 0xCA, 0xA3, 0xF6, 0xD3, ++- 0x76, 0x14, 0x02, 0xCD, ++- /* order */ ++- 0xD7, 0xC1, 0x34, 0xAA, 0x26, 0x43, 0x66, 0x86, 0x2A, 0x18, 0x30, 0x25, ++- 0x75, 0xD0, 0xFB, 0x98, 0xD1, 0x16, 0xBC, 0x4B, 0x6D, 0xDE, 0xBC, 0xA3, ++- 0xA5, 0xA7, 0x93, 0x9F ++- } ++-}; ++- ++-static const struct { ++- EC_CURVE_DATA h; ++- unsigned char data[0 + 28 * 6]; ++-} _EC_brainpoolP224t1 = { ++- { ++- NID_X9_62_prime_field, 0, 28, 1 ++- }, ++- { ++- /* no seed */ ++- /* p */ ++- 0xD7, 0xC1, 0x34, 0xAA, 0x26, 0x43, 0x66, 0x86, 0x2A, 0x18, 0x30, 0x25, ++- 0x75, 0xD1, 0xD7, 0x87, 0xB0, 0x9F, 0x07, 0x57, 0x97, 0xDA, 0x89, 0xF5, ++- 0x7E, 0xC8, 0xC0, 0xFF, ++- /* a */ ++- 0xD7, 0xC1, 0x34, 0xAA, 0x26, 0x43, 0x66, 0x86, 0x2A, 0x18, 0x30, 0x25, ++- 0x75, 0xD1, 0xD7, 0x87, 0xB0, 0x9F, 0x07, 0x57, 0x97, 0xDA, 0x89, 0xF5, ++- 0x7E, 0xC8, 0xC0, 0xFC, ++- /* b */ ++- 0x4B, 0x33, 0x7D, 0x93, 0x41, 0x04, 0xCD, 0x7B, 0xEF, 0x27, 0x1B, 0xF6, ++- 0x0C, 0xED, 0x1E, 0xD2, 0x0D, 0xA1, 0x4C, 0x08, 0xB3, 0xBB, 0x64, 0xF1, ++- 0x8A, 0x60, 0x88, 0x8D, ++- /* x */ ++- 0x6A, 0xB1, 0xE3, 0x44, 0xCE, 0x25, 0xFF, 0x38, 0x96, 0x42, 0x4E, 0x7F, ++- 0xFE, 0x14, 0x76, 0x2E, 0xCB, 0x49, 0xF8, 0x92, 0x8A, 0xC0, 0xC7, 0x60, ++- 0x29, 0xB4, 0xD5, 0x80, ++- /* y */ ++- 0x03, 0x74, 0xE9, 0xF5, 0x14, 0x3E, 0x56, 0x8C, 0xD2, 0x3F, 0x3F, 0x4D, ++- 0x7C, 0x0D, 0x4B, 0x1E, 0x41, 0xC8, 0xCC, 0x0D, 0x1C, 0x6A, 0xBD, 0x5F, ++- 0x1A, 0x46, 0xDB, 0x4C, ++- /* order */ ++- 0xD7, 0xC1, 0x34, 0xAA, 0x26, 0x43, 0x66, 0x86, 0x2A, 0x18, 0x30, 0x25, ++- 0x75, 0xD0, 0xFB, 0x98, 0xD1, 0x16, 0xBC, 0x4B, 0x6D, 0xDE, 0xBC, 0xA3, ++- 0xA5, 0xA7, 0x93, 0x9F ++- } ++-}; ++- ++-static const struct { ++- EC_CURVE_DATA h; ++ 
unsigned char data[0 + 32 * 6];
++ } _EC_brainpoolP256r1 = {
++ {
++@@ -2854,8 +2065,6 @@ static const ec_list_element curve_list[
++ "NIST/SECG curve over a 521 bit prime field"},
++ 
++ /* X9.62 curves */
++- {NID_X9_62_prime192v1, &_EC_NIST_PRIME_192.h, 0,
++- "NIST/X9.62/SECG curve over a 192 bit prime field"},
++ {NID_X9_62_prime256v1, &_EC_X9_62_PRIME_256V1.h,
++ # if defined(ECP_NISTZ256_ASM)
++ EC_GFp_nistz256_method,
++@@ -2899,25 +2108,6 @@ static const ec_list_element curve_list[
++ static const ec_list_element curve_list[] = {
++ /* prime field curves */
++ /* secg curves */
++- {NID_secp112r1, &_EC_SECG_PRIME_112R1.h, 0,
++- "SECG/WTLS curve over a 112 bit prime field"},
++- {NID_secp112r2, &_EC_SECG_PRIME_112R2.h, 0,
++- "SECG curve over a 112 bit prime field"},
++- {NID_secp128r1, &_EC_SECG_PRIME_128R1.h, 0,
++- "SECG curve over a 128 bit prime field"},
++- {NID_secp128r2, &_EC_SECG_PRIME_128R2.h, 0,
++- "SECG curve over a 128 bit prime field"},
++- {NID_secp160k1, &_EC_SECG_PRIME_160K1.h, 0,
++- "SECG curve over a 160 bit prime field"},
++- {NID_secp160r1, &_EC_SECG_PRIME_160R1.h, 0,
++- "SECG curve over a 160 bit prime field"},
++- {NID_secp160r2, &_EC_SECG_PRIME_160R2.h, 0,
++- "SECG/WTLS curve over a 160 bit prime field"},
++- /* SECG secp192r1 is the same as X9.62 prime192v1 and hence omitted */
++- {NID_secp192k1, &_EC_SECG_PRIME_192K1.h, 0,
++- "SECG curve over a 192 bit prime field"},
++- {NID_secp224k1, &_EC_SECG_PRIME_224K1.h, 0,
++- "SECG curve over a 224 bit prime field"},
++ # ifndef OPENSSL_NO_EC_NISTP_64_GCC_128
++ {NID_secp224r1, &_EC_NIST_PRIME_224.h, EC_GFp_nistp224_method,
++ "NIST/SECG curve over a 224 bit prime field"},
++@@ -2945,18 +2135,6 @@ static const ec_list_element curve_list[
++ # endif
++ "NIST/SECG curve over a 521 bit prime field"},
++ /* X9.62 curves */
++- {NID_X9_62_prime192v1, &_EC_NIST_PRIME_192.h, 0,
++- "NIST/X9.62/SECG curve over a 192 bit prime field"},
++- {NID_X9_62_prime192v2, &_EC_X9_62_PRIME_192V2.h, 0, 
++- "X9.62 curve over a 192 bit prime field"},
++- {NID_X9_62_prime192v3, &_EC_X9_62_PRIME_192V3.h, 0,
++- "X9.62 curve over a 192 bit prime field"},
++- {NID_X9_62_prime239v1, &_EC_X9_62_PRIME_239V1.h, 0,
++- "X9.62 curve over a 239 bit prime field"},
++- {NID_X9_62_prime239v2, &_EC_X9_62_PRIME_239V2.h, 0,
++- "X9.62 curve over a 239 bit prime field"},
++- {NID_X9_62_prime239v3, &_EC_X9_62_PRIME_239V3.h, 0,
++- "X9.62 curve over a 239 bit prime field"},
++ {NID_X9_62_prime256v1, &_EC_X9_62_PRIME_256V1.h,
++ # if defined(ECP_NISTZ256_ASM)
++ EC_GFp_nistz256_method,
++@@ -3053,22 +2231,12 @@ static const ec_list_element curve_list[
++ {NID_wap_wsg_idm_ecid_wtls5, &_EC_X9_62_CHAR2_163V1.h, 0,
++ "X9.62 curve over a 163 bit binary field"},
++ # endif
++- {NID_wap_wsg_idm_ecid_wtls6, &_EC_SECG_PRIME_112R1.h, 0,
++- "SECG/WTLS curve over a 112 bit prime field"},
++- {NID_wap_wsg_idm_ecid_wtls7, &_EC_SECG_PRIME_160R2.h, 0,
++- "SECG/WTLS curve over a 160 bit prime field"},
++- {NID_wap_wsg_idm_ecid_wtls8, &_EC_WTLS_8.h, 0,
++- "WTLS curve over a 112 bit prime field"},
++- {NID_wap_wsg_idm_ecid_wtls9, &_EC_WTLS_9.h, 0,
++- "WTLS curve over a 160 bit prime field"},
++ # ifndef OPENSSL_NO_EC2M
++ {NID_wap_wsg_idm_ecid_wtls10, &_EC_NIST_CHAR2_233K.h, 0,
++ "NIST/SECG/WTLS curve over a 233 bit binary field"},
++ {NID_wap_wsg_idm_ecid_wtls11, &_EC_NIST_CHAR2_233B.h, 0,
++ "NIST/SECG/WTLS curve over a 233 bit binary field"},
++ # endif
++- {NID_wap_wsg_idm_ecid_wtls12, &_EC_WTLS_12.h, 0,
++- "WTLS curve over a 224 bit prime field"},
++ # ifndef OPENSSL_NO_EC2M
++ /* IPSec curves */
++ {NID_ipsec3, &_EC_IPSEC_155_ID3.h, 0,
++@@ -3079,18 +2247,6 @@ static const ec_list_element curve_list[
++ "\tNot suitable for ECDSA.\n\tQuestionable extension field!"},
++ # endif
++ /* brainpool curves */
++- {NID_brainpoolP160r1, &_EC_brainpoolP160r1.h, 0,
++- "RFC 5639 curve over a 160 bit prime field"},
++- {NID_brainpoolP160t1, &_EC_brainpoolP160t1.h, 0,
++- "RFC 5639 curve over a 160 bit 
prime field"},
++- {NID_brainpoolP192r1, &_EC_brainpoolP192r1.h, 0,
++- "RFC 5639 curve over a 192 bit prime field"},
++- {NID_brainpoolP192t1, &_EC_brainpoolP192t1.h, 0,
++- "RFC 5639 curve over a 192 bit prime field"},
++- {NID_brainpoolP224r1, &_EC_brainpoolP224r1.h, 0,
++- "RFC 5639 curve over a 224 bit prime field"},
++- {NID_brainpoolP224t1, &_EC_brainpoolP224t1.h, 0,
++- "RFC 5639 curve over a 224 bit prime field"},
++ {NID_brainpoolP256r1, &_EC_brainpoolP256r1.h, 0,
++ "RFC 5639 curve over a 256 bit prime field"},
++ {NID_brainpoolP256t1, &_EC_brainpoolP256t1.h, 0,
++diff -up ./test/ectest.c.remove-ec ./test/ectest.c
++--- ./test/ectest.c.remove-ec 2023-03-13 18:39:30.544642912 +0100
+++++ ./test/ectest.c 2023-03-20 07:27:26.403212965 +0100
++@@ -175,184 +175,26 @@ static int prime_field_tests(void)
++ || !TEST_ptr(p = BN_new())
++ || !TEST_ptr(a = BN_new())
++ || !TEST_ptr(b = BN_new())
++- || !TEST_true(BN_hex2bn(&p, "17"))
++- || !TEST_true(BN_hex2bn(&a, "1"))
++- || !TEST_true(BN_hex2bn(&b, "1"))
++- || !TEST_ptr(group = EC_GROUP_new_curve_GFp(p, a, b, ctx))
++- || !TEST_true(EC_GROUP_get_curve(group, p, a, b, ctx)))
+++ /*
+++ * applications should use EC_GROUP_new_curve_GFp so
+++ * that the library gets to choose the EC_METHOD
+++ */
+++ || !TEST_ptr(group = EC_GROUP_new(EC_GFp_mont_method())))
++ goto err;
++ 
++- TEST_info("Curve defined by Weierstrass equation");
++- TEST_note(" y^2 = x^3 + a*x + b (mod p)");
++- test_output_bignum("a", a);
++- test_output_bignum("b", b);
++- test_output_bignum("p", p);
++-
++ buf[0] = 0;
++ if (!TEST_ptr(P = EC_POINT_new(group))
++ || !TEST_ptr(Q = EC_POINT_new(group))
++ || !TEST_ptr(R = EC_POINT_new(group))
++- || !TEST_true(EC_POINT_set_to_infinity(group, P))
++- || !TEST_true(EC_POINT_is_at_infinity(group, P))
++- || !TEST_true(EC_POINT_oct2point(group, Q, buf, 1, ctx))
++- || !TEST_true(EC_POINT_add(group, P, P, Q, ctx))
++- || !TEST_true(EC_POINT_is_at_infinity(group, P))
++ || !TEST_ptr(x = BN_new())
++ || 
!TEST_ptr(y = BN_new())
++ || !TEST_ptr(z = BN_new())
++- || !TEST_ptr(yplusone = BN_new())
++- || !TEST_true(BN_hex2bn(&x, "D"))
++- || !TEST_true(EC_POINT_set_compressed_coordinates(group, Q, x, 1, ctx)))
++- goto err;
++-
++- if (!TEST_int_gt(EC_POINT_is_on_curve(group, Q, ctx), 0)) {
++- if (!TEST_true(EC_POINT_get_affine_coordinates(group, Q, x, y, ctx)))
++- goto err;
++- TEST_info("Point is not on curve");
++- test_output_bignum("x", x);
++- test_output_bignum("y", y);
++- goto err;
++- }
++-
++- TEST_note("A cyclic subgroup:");
++- k = 100;
++- do {
++- if (!TEST_int_ne(k--, 0))
++- goto err;
++-
++- if (EC_POINT_is_at_infinity(group, P)) {
++- TEST_note(" point at infinity");
++- } else {
++- if (!TEST_true(EC_POINT_get_affine_coordinates(group, P, x, y,
++- ctx)))
++- goto err;
++-
++- test_output_bignum("x", x);
++- test_output_bignum("y", y);
++- }
++-
++- if (!TEST_true(EC_POINT_copy(R, P))
++- || !TEST_true(EC_POINT_add(group, P, P, Q, ctx)))
++- goto err;
++-
++- } while (!EC_POINT_is_at_infinity(group, P));
++-
++- if (!TEST_true(EC_POINT_add(group, P, Q, R, ctx))
++- || !TEST_true(EC_POINT_is_at_infinity(group, P)))
++- goto err;
++-
++- len =
++- EC_POINT_point2oct(group, Q, POINT_CONVERSION_COMPRESSED, buf,
++- sizeof(buf), ctx);
++- if (!TEST_size_t_ne(len, 0)
++- || !TEST_true(EC_POINT_oct2point(group, P, buf, len, ctx))
++- || !TEST_int_eq(0, EC_POINT_cmp(group, P, Q, ctx)))
++- goto err;
++- test_output_memory("Generator as octet string, compressed form:",
++- buf, len);
++-
++- len = EC_POINT_point2oct(group, Q, POINT_CONVERSION_UNCOMPRESSED,
++- buf, sizeof(buf), ctx);
++- if (!TEST_size_t_ne(len, 0)
++- || !TEST_true(EC_POINT_oct2point(group, P, buf, len, ctx))
++- || !TEST_int_eq(0, EC_POINT_cmp(group, P, Q, ctx)))
++- goto err;
++- test_output_memory("Generator as octet string, uncompressed form:",
++- buf, len);
++-
++- len = EC_POINT_point2oct(group, Q, POINT_CONVERSION_HYBRID,
++- buf, sizeof(buf), ctx);
++- if (!TEST_size_t_ne(len, 
0)
++- || !TEST_true(EC_POINT_oct2point(group, P, buf, len, ctx))
++- || !TEST_int_eq(0, EC_POINT_cmp(group, P, Q, ctx)))
++- goto err;
++- test_output_memory("Generator as octet string, hybrid form:",
++- buf, len);
++-
++- if (!TEST_true(EC_POINT_invert(group, P, ctx))
++- || !TEST_int_eq(0, EC_POINT_cmp(group, P, R, ctx))
++-
++- /*
++- * Curve secp160r1 (Certicom Research SEC 2 Version 1.0, section 2.4.2,
++- * 2000) -- not a NIST curve, but commonly used
++- */
++-
++- || !TEST_true(BN_hex2bn(&p, "FFFFFFFF"
++- "FFFFFFFFFFFFFFFFFFFFFFFF7FFFFFFF"))
++- || !TEST_int_eq(1, BN_check_prime(p, ctx, NULL))
++- || !TEST_true(BN_hex2bn(&a, "FFFFFFFF"
++- "FFFFFFFFFFFFFFFFFFFFFFFF7FFFFFFC"))
++- || !TEST_true(BN_hex2bn(&b, "1C97BEFC"
++- "54BD7A8B65ACF89F81D4D4ADC565FA45"))
++- || !TEST_true(EC_GROUP_set_curve(group, p, a, b, ctx))
++- || !TEST_true(BN_hex2bn(&x, "4A96B568"
++- "8EF573284664698968C38BB913CBFC82"))
++- || !TEST_true(BN_hex2bn(&y, "23a62855"
++- "3168947d59dcc912042351377ac5fb32"))
++- || !TEST_true(BN_add(yplusone, y, BN_value_one()))
++- /*
++- * When (x, y) is on the curve, (x, y + 1) is, as it happens, not,
++- * and therefore setting the coordinates should fail. 
++- */
++- || !TEST_false(EC_POINT_set_affine_coordinates(group, P, x, yplusone,
++- ctx))
++- || !TEST_true(EC_POINT_set_affine_coordinates(group, P, x, y, ctx))
++- || !TEST_int_gt(EC_POINT_is_on_curve(group, P, ctx), 0)
++- || !TEST_true(BN_hex2bn(&z, "0100000000"
++- "000000000001F4C8F927AED3CA752257"))
++- || !TEST_true(EC_GROUP_set_generator(group, P, z, BN_value_one()))
++- || !TEST_true(EC_POINT_get_affine_coordinates(group, P, x, y, ctx)))
++- goto err;
++- TEST_info("SEC2 curve secp160r1 -- Generator");
++- test_output_bignum("x", x);
++- test_output_bignum("y", y);
++- /* G_y value taken from the standard: */
++- if (!TEST_true(BN_hex2bn(&z, "23a62855"
++- "3168947d59dcc912042351377ac5fb32"))
++- || !TEST_BN_eq(y, z)
++- || !TEST_int_eq(EC_GROUP_get_degree(group), 160)
++- || !group_order_tests(group)
++-
++- /* Curve P-192 (FIPS PUB 186-2, App. 6) */
++-
++- || !TEST_true(BN_hex2bn(&p, "FFFFFFFFFFFFFFFF"
++- "FFFFFFFFFFFFFFFEFFFFFFFFFFFFFFFF"))
++- || !TEST_int_eq(1, BN_check_prime(p, ctx, NULL))
++- || !TEST_true(BN_hex2bn(&a, "FFFFFFFFFFFFFFFF"
++- "FFFFFFFFFFFFFFFEFFFFFFFFFFFFFFFC"))
++- || !TEST_true(BN_hex2bn(&b, "64210519E59C80E7"
++- "0FA7E9AB72243049FEB8DEECC146B9B1"))
++- || !TEST_true(EC_GROUP_set_curve(group, p, a, b, ctx))
++- || !TEST_true(BN_hex2bn(&x, "188DA80EB03090F6"
++- "7CBF20EB43A18800F4FF0AFD82FF1012"))
++- || !TEST_true(EC_POINT_set_compressed_coordinates(group, P, x, 1, ctx))
++- || !TEST_int_gt(EC_POINT_is_on_curve(group, P, ctx), 0)
++- || !TEST_true(BN_hex2bn(&z, "FFFFFFFFFFFFFFFF"
++- "FFFFFFFF99DEF836146BC9B1B4D22831"))
++- || !TEST_true(EC_GROUP_set_generator(group, P, z, BN_value_one()))
++- || !TEST_true(EC_POINT_get_affine_coordinates(group, P, x, y, ctx)))
+++ || !TEST_ptr(yplusone = BN_new()))
++ goto err;
++ 
++- TEST_info("NIST curve P-192 -- Generator");
++- test_output_bignum("x", x);
++- test_output_bignum("y", y);
++- /* G_y value taken from the standard: */
++- if (!TEST_true(BN_hex2bn(&z, "07192B95FFC8DA78"
++- 
"631011ED6B24CDD573F977A11E794811"))
++- || !TEST_BN_eq(y, z)
++- || !TEST_true(BN_add(yplusone, y, BN_value_one()))
++- /*
++- * When (x, y) is on the curve, (x, y + 1) is, as it happens, not,
++- * and therefore setting the coordinates should fail.
++- */
++- || !TEST_false(EC_POINT_set_affine_coordinates(group, P, x, yplusone,
++- ctx))
++- || !TEST_int_eq(EC_GROUP_get_degree(group), 192)
++- || !group_order_tests(group)
++-
++ /* Curve P-224 (FIPS PUB 186-2, App. 6) */
++ 
++- || !TEST_true(BN_hex2bn(&p, "FFFFFFFFFFFFFFFFFFFFFFFF"
+++ if (!TEST_true(BN_hex2bn(&p, "FFFFFFFFFFFFFFFFFFFFFFFF"
++ "FFFFFFFF000000000000000000000001"))
++ || !TEST_int_eq(1, BN_check_prime(p, ctx, NULL))
++ || !TEST_true(BN_hex2bn(&a, "FFFFFFFFFFFFFFFFFFFFFFFF"
++@@ -3015,7 +2857,7 @@ int setup_tests(void)
++ return 0;
++ 
++ ADD_TEST(parameter_test);
++- ADD_TEST(cofactor_range_test);
+++ /* ADD_TEST(cofactor_range_test); */
++ ADD_ALL_TESTS(cardinality_test, crv_len);
++ ADD_TEST(prime_field_tests);
++ #ifndef OPENSSL_NO_EC2M
+diff --git a/openssl_source/0011-Remove-EC-curves.patch b/openssl_source/0011-Remove-EC-curves.patch
+new file mode 100644
+index 0000000..f6c733a
+--- /dev/null
++++ b/openssl_source/0011-Remove-EC-curves.patch
+@@ -0,0 +1,236 @@
++diff -up ./apps/speed.c.ec-curves ./apps/speed.c
++--- ./apps/speed.c.ec-curves 2023-03-14 04:44:12.545437892 +0100
+++++ ./apps/speed.c 2023-03-14 04:48:28.606729067 +0100
++@@ -366,7 +366,7 @@ static double ffdh_results[FFDH_NUM][1];
++ #endif /* OPENSSL_NO_DH */
++ 
++ enum ec_curves_t {
++- R_EC_P160, R_EC_P192, R_EC_P224, R_EC_P256, R_EC_P384, R_EC_P521,
+++ R_EC_P224, R_EC_P256, R_EC_P384, R_EC_P521,
++ #ifndef OPENSSL_NO_EC2M
++ R_EC_K163, R_EC_K233, R_EC_K283, R_EC_K409, R_EC_K571,
++ R_EC_B163, R_EC_B233, R_EC_B283, R_EC_B409, R_EC_B571,
++@@ -376,8 +376,6 @@ enum ec_curves_t {
++ };
++ /* list of ecdsa curves */
++ static const OPT_PAIR ecdsa_choices[ECDSA_NUM] = {
++- {"ecdsap160", R_EC_P160},
++- {"ecdsap192", R_EC_P192}, 
++ {"ecdsap224", R_EC_P224},
++ {"ecdsap256", R_EC_P256},
++ {"ecdsap384", R_EC_P384},
++@@ -404,8 +402,6 @@ static const OPT_PAIR ecdsa_choices[ECDS
++ enum { R_EC_X25519 = ECDSA_NUM, R_EC_X448, EC_NUM };
++ /* list of ecdh curves, extension of |ecdsa_choices| list above */
++ static const OPT_PAIR ecdh_choices[EC_NUM] = {
++- {"ecdhp160", R_EC_P160},
++- {"ecdhp192", R_EC_P192},
++ {"ecdhp224", R_EC_P224},
++ {"ecdhp256", R_EC_P256},
++ {"ecdhp384", R_EC_P384},
++@@ -1422,8 +1418,6 @@ int speed_main(int argc, char **argv)
++ */
++ static const EC_CURVE ec_curves[EC_NUM] = {
++ /* Prime Curves */
++- {"secp160r1", NID_secp160r1, 160},
++- {"nistp192", NID_X9_62_prime192v1, 192},
++ {"nistp224", NID_secp224r1, 224},
++ {"nistp256", NID_X9_62_prime256v1, 256},
++ {"nistp384", NID_secp384r1, 384},
++diff -up ./crypto/evp/ec_support.c.ec-curves ./crypto/evp/ec_support.c
++--- ./crypto/evp/ec_support.c.ec-curves 2023-03-14 06:22:41.542310442 +0100
+++++ ./crypto/evp/ec_support.c 2023-03-21 11:24:18.378451683 +0100
++@@ -20,89 +20,15 @@ typedef struct ec_name2nid_st {
++ static const EC_NAME2NID curve_list[] = {
++ /* prime field curves */
++ /* secg curves */
++- {"secp112r1", NID_secp112r1 },
++- {"secp112r2", NID_secp112r2 },
++- {"secp128r1", NID_secp128r1 },
++- {"secp128r2", NID_secp128r2 },
++- {"secp160k1", NID_secp160k1 },
++- {"secp160r1", NID_secp160r1 },
++- {"secp160r2", NID_secp160r2 },
++- {"secp192k1", NID_secp192k1 },
++- {"secp224k1", NID_secp224k1 },
++ {"secp224r1", NID_secp224r1 },
++ {"secp256k1", NID_secp256k1 },
++ {"secp384r1", NID_secp384r1 },
++ {"secp521r1", NID_secp521r1 },
++ /* X9.62 curves */
++- {"prime192v1", NID_X9_62_prime192v1 },
++- {"prime192v2", NID_X9_62_prime192v2 },
++- {"prime192v3", NID_X9_62_prime192v3 },
++- {"prime239v1", NID_X9_62_prime239v1 },
++- {"prime239v2", NID_X9_62_prime239v2 },
++- {"prime239v3", NID_X9_62_prime239v3 },
++ {"prime256v1", NID_X9_62_prime256v1 },
++ /* characteristic two field curves */
++ /* 
NIST/SECG curves */
++- {"sect113r1", NID_sect113r1 },
++- {"sect113r2", NID_sect113r2 },
++- {"sect131r1", NID_sect131r1 },
++- {"sect131r2", NID_sect131r2 },
++- {"sect163k1", NID_sect163k1 },
++- {"sect163r1", NID_sect163r1 },
++- {"sect163r2", NID_sect163r2 },
++- {"sect193r1", NID_sect193r1 },
++- {"sect193r2", NID_sect193r2 },
++- {"sect233k1", NID_sect233k1 },
++- {"sect233r1", NID_sect233r1 },
++- {"sect239k1", NID_sect239k1 },
++- {"sect283k1", NID_sect283k1 },
++- {"sect283r1", NID_sect283r1 },
++- {"sect409k1", NID_sect409k1 },
++- {"sect409r1", NID_sect409r1 },
++- {"sect571k1", NID_sect571k1 },
++- {"sect571r1", NID_sect571r1 },
++- /* X9.62 curves */
++- {"c2pnb163v1", NID_X9_62_c2pnb163v1 },
++- {"c2pnb163v2", NID_X9_62_c2pnb163v2 },
++- {"c2pnb163v3", NID_X9_62_c2pnb163v3 },
++- {"c2pnb176v1", NID_X9_62_c2pnb176v1 },
++- {"c2tnb191v1", NID_X9_62_c2tnb191v1 },
++- {"c2tnb191v2", NID_X9_62_c2tnb191v2 },
++- {"c2tnb191v3", NID_X9_62_c2tnb191v3 },
++- {"c2pnb208w1", NID_X9_62_c2pnb208w1 },
++- {"c2tnb239v1", NID_X9_62_c2tnb239v1 },
++- {"c2tnb239v2", NID_X9_62_c2tnb239v2 },
++- {"c2tnb239v3", NID_X9_62_c2tnb239v3 },
++- {"c2pnb272w1", NID_X9_62_c2pnb272w1 },
++- {"c2pnb304w1", NID_X9_62_c2pnb304w1 },
++- {"c2tnb359v1", NID_X9_62_c2tnb359v1 },
++- {"c2pnb368w1", NID_X9_62_c2pnb368w1 },
++- {"c2tnb431r1", NID_X9_62_c2tnb431r1 },
++- /*
++- * the WAP/WTLS curves [unlike SECG, spec has its own OIDs for curves
++- * from X9.62]
++- */
++- {"wap-wsg-idm-ecid-wtls1", NID_wap_wsg_idm_ecid_wtls1 },
++- {"wap-wsg-idm-ecid-wtls3", NID_wap_wsg_idm_ecid_wtls3 },
++- {"wap-wsg-idm-ecid-wtls4", NID_wap_wsg_idm_ecid_wtls4 },
++- {"wap-wsg-idm-ecid-wtls5", NID_wap_wsg_idm_ecid_wtls5 },
++- {"wap-wsg-idm-ecid-wtls6", NID_wap_wsg_idm_ecid_wtls6 },
++- {"wap-wsg-idm-ecid-wtls7", NID_wap_wsg_idm_ecid_wtls7 },
++- {"wap-wsg-idm-ecid-wtls8", NID_wap_wsg_idm_ecid_wtls8 },
++- {"wap-wsg-idm-ecid-wtls9", NID_wap_wsg_idm_ecid_wtls9 },
++- {"wap-wsg-idm-ecid-wtls10", 
NID_wap_wsg_idm_ecid_wtls10 },
++- {"wap-wsg-idm-ecid-wtls11", NID_wap_wsg_idm_ecid_wtls11 },
++- {"wap-wsg-idm-ecid-wtls12", NID_wap_wsg_idm_ecid_wtls12 },
++- /* IPSec curves */
++- {"Oakley-EC2N-3", NID_ipsec3 },
++- {"Oakley-EC2N-4", NID_ipsec4 },
++ /* brainpool curves */
++- {"brainpoolP160r1", NID_brainpoolP160r1 },
++- {"brainpoolP160t1", NID_brainpoolP160t1 },
++- {"brainpoolP192r1", NID_brainpoolP192r1 },
++- {"brainpoolP192t1", NID_brainpoolP192t1 },
++- {"brainpoolP224r1", NID_brainpoolP224r1 },
++- {"brainpoolP224t1", NID_brainpoolP224t1 },
++ {"brainpoolP256r1", NID_brainpoolP256r1 },
++ {"brainpoolP256t1", NID_brainpoolP256t1 },
++ {"brainpoolP320r1", NID_brainpoolP320r1 },
++@@ -111,8 +37,6 @@ static const EC_NAME2NID curve_list[] =
++ {"brainpoolP384t1", NID_brainpoolP384t1 },
++ {"brainpoolP512r1", NID_brainpoolP512r1 },
++ {"brainpoolP512t1", NID_brainpoolP512t1 },
++- /* SM2 curve */
++- {"SM2", NID_sm2 },
++ };
++ 
++ const char *OSSL_EC_curve_nid2name(int nid)
++diff -up ./test/acvp_test.inc.ec-curves ./test/acvp_test.inc
++--- ./test/acvp_test.inc.ec-curves 2023-03-14 06:38:20.563712586 +0100
+++++ ./test/acvp_test.inc 2023-03-14 06:39:01.631080059 +0100
++@@ -212,15 +212,6 @@ static const unsigned char ecdsa_sigver_
++ };
++ static const struct ecdsa_sigver_st ecdsa_sigver_data[] = {
++ {
++- "SHA-1",
++- "P-192",
++- ITM(ecdsa_sigver_msg0),
++- ITM(ecdsa_sigver_pub0),
++- ITM(ecdsa_sigver_r0),
++- ITM(ecdsa_sigver_s0),
++- PASS,
++- },
++- {
++ "SHA2-512",
++ "P-521",
++ ITM(ecdsa_sigver_msg1),
++diff -up ./test/ecdsatest.h.ec-curves ./test/ecdsatest.h
++--- ./test/ecdsatest.h.ec-curves 2023-03-14 04:49:16.148154472 +0100
+++++ ./test/ecdsatest.h 2023-03-14 04:51:01.376096037 +0100
++@@ -32,23 +32,6 @@ typedef struct {
++ } ecdsa_cavs_kat_t;
++ 
++ static const ecdsa_cavs_kat_t ecdsa_cavs_kats[] = {
++- /* prime KATs from X9.62 */
++- {NID_X9_62_prime192v1, NID_sha1,
++- "616263", /* "abc" */
++- 
"1a8d598fc15bf0fd89030b5cb1111aeb92ae8baf5ea475fb",
++- "0462b12d60690cdcf330babab6e69763b471f994dd702d16a563bf5ec08069705ffff65e"
++- "5ca5c0d69716dfcb3474373902",
++- "fa6de29746bbeb7f8bb1e761f85f7dfb2983169d82fa2f4e",
++- "885052380ff147b734c330c43d39b2c4a89f29b0f749fead",
++- "e9ecc78106def82bf1070cf1d4d804c3cb390046951df686"},
++- {NID_X9_62_prime239v1, NID_sha1,
++- "616263", /* "abc" */
++- "7ef7c6fabefffdea864206e80b0b08a9331ed93e698561b64ca0f7777f3d",
++- "045b6dc53bc61a2548ffb0f671472de6c9521a9d2d2534e65abfcbd5fe0c707fd9f1ed2e"
++- "65f09f6ce0893baf5e8e31e6ae82ea8c3592335be906d38dee",
++- "656c7196bf87dcc5d1f1020906df2782360d36b2de7a17ece37d503784af",
++- "2cb7f36803ebb9c427c58d8265f11fc5084747133078fc279de874fbecb0",
++- "2eeae988104e9c2234a3c2beb1f53bfa5dc11ff36a875d1e3ccb1f7e45cf"},
++ /* prime KATs from NIST CAVP */
++ {NID_secp224r1, NID_sha224,
++ "699325d6fc8fbbb4981a6ded3c3a54ad2e4e3db8a5669201912064c64e700c139248cdc1"
++diff -up ./test/recipes/15-test_genec.t.ec-curves ./test/recipes/15-test_genec.t
++--- ./test/recipes/15-test_genec.t.ec-curves 2023-03-14 04:51:45.215488277 +0100
+++++ ./test/recipes/15-test_genec.t 2023-03-21 11:26:58.613885435 +0100
++@@ -41,37 +41,11 @@ plan skip_all => "This test is unsupport
++ if disabled("ec");
++ 
++ my @prime_curves = qw(
++- secp112r1
++- secp112r2
++- secp128r1
++- secp128r2
++- secp160k1
++- secp160r1
++- secp160r2
++- secp192k1
++- secp224k1
++ secp224r1
++ secp256k1
++ secp384r1
++ secp521r1
++- prime192v1
++- prime192v2
++- prime192v3
++- prime239v1
++- prime239v2
++- prime239v3
++ prime256v1
++- wap-wsg-idm-ecid-wtls6
++- wap-wsg-idm-ecid-wtls7
++- wap-wsg-idm-ecid-wtls8
++- wap-wsg-idm-ecid-wtls9
++- wap-wsg-idm-ecid-wtls12
++- brainpoolP160r1
++- brainpoolP160t1
++- brainpoolP192r1
++- brainpoolP192t1
++- brainpoolP224r1
++- brainpoolP224t1
++ brainpoolP256r1
++ brainpoolP256t1
++ brainpoolP320r1
++@@ -136,7 +110,6 @@ push(@other_curves, 'SM2')
++ if !disabled("sm2");
++ 
++ my @curve_aliases = 
qw(
++- P-192
++ P-224
++ P-256
++ P-384
+diff --git a/openssl_source/0012-Disable-explicit-ec.patch b/openssl_source/0012-Disable-explicit-ec.patch
+new file mode 100644
+index 0000000..0cae2fa
+--- /dev/null
++++ b/openssl_source/0012-Disable-explicit-ec.patch
+@@ -0,0 +1,208 @@
++diff -up openssl-3.0.1/crypto/ec/ec_asn1.c.disable_explicit_ec openssl-3.0.1/crypto/ec/ec_asn1.c
++--- openssl-3.0.1/crypto/ec/ec_asn1.c.disable_explicit_ec 2022-03-22 13:10:45.718077845 +0100
+++++ openssl-3.0.1/crypto/ec/ec_asn1.c 2022-03-22 13:12:46.626599016 +0100
++@@ -895,6 +895,12 @@ EC_GROUP *d2i_ECPKParameters(EC_GROUP **
++ if (params->type == ECPKPARAMETERS_TYPE_EXPLICIT)
++ group->decoded_from_explicit_params = 1;
++ 
+++ if (EC_GROUP_check_named_curve(group, 0, NULL) == NID_undef) {
+++ EC_GROUP_free(group);
+++ ECPKPARAMETERS_free(params);
+++ return NULL;
+++ }
+++
++ if (a) {
++ EC_GROUP_free(*a);
++ *a = group;
++@@ -954,6 +959,11 @@ EC_KEY *d2i_ECPrivateKey(EC_KEY **a, con
++ goto err;
++ }
++ 
+++ if (EC_GROUP_check_named_curve(ret->group, 0, NULL) == NID_undef) {
+++ ERR_raise(ERR_LIB_EC, EC_R_UNKNOWN_GROUP);
+++ goto err;
+++ }
+++
++ ret->version = priv_key->version;
++ 
++ if (priv_key->privateKey) {
++diff -up openssl-3.0.9/crypto/ec/ec_lib.c.noec openssl-3.0.9/crypto/ec/ec_lib.c
++--- openssl-3.0.9/crypto/ec/ec_lib.c.noec 2023-07-27 10:32:52.870910095 +0200
+++++ openssl-3.0.9/crypto/ec/ec_lib.c 2023-07-27 10:35:18.029151181 +0200
++@@ -1728,6 +1728,11 @@ EC_GROUP *EC_GROUP_new_from_params(const
++ goto err;
++ }
++ if (named_group == group) {
+++ if (EC_GROUP_check_named_curve(group, 0, NULL) == NID_undef) {
+++ ERR_raise(ERR_LIB_EC, EC_R_UNKNOWN_GROUP);
+++ goto err;
+++ }
+++#if 0
++ /*
++ * If we did not find a named group then the encoding should be explicit
++ * if it was specified
++@@ -1743,6 +1748,7 @@ EC_GROUP *EC_GROUP_new_from_params(const
++ goto err;
++ }
++ EC_GROUP_set_asn1_flag(group, OPENSSL_EC_EXPLICIT_CURVE);
+++#endif
++ } else {
++ 
EC_GROUP_free(group);
++ group = named_group;
++diff -up openssl-3.0.1/test/endecode_test.c.disable_explicit_ec openssl-3.0.1/test/endecode_test.c
++--- openssl-3.0.1/test/endecode_test.c.disable_explicit_ec 2022-03-21 16:55:46.005558779 +0100
+++++ openssl-3.0.1/test/endecode_test.c 2022-03-21 16:56:12.636792762 +0100
++@@ -57,7 +57,7 @@ static BN_CTX *bnctx = NULL;
++ static OSSL_PARAM_BLD *bld_prime_nc = NULL;
++ static OSSL_PARAM_BLD *bld_prime = NULL;
++ static OSSL_PARAM *ec_explicit_prime_params_nc = NULL;
++-static OSSL_PARAM *ec_explicit_prime_params_explicit = NULL;
+++/*static OSSL_PARAM *ec_explicit_prime_params_explicit = NULL;*/
++ 
++ # ifndef OPENSSL_NO_EC2M
++ static OSSL_PARAM_BLD *bld_tri_nc = NULL;
++@@ -990,9 +990,9 @@ IMPLEMENT_TEST_SUITE_LEGACY(EC, "EC")
++ DOMAIN_KEYS(ECExplicitPrimeNamedCurve);
++ IMPLEMENT_TEST_SUITE(ECExplicitPrimeNamedCurve, "EC", 1)
++ IMPLEMENT_TEST_SUITE_LEGACY(ECExplicitPrimeNamedCurve, "EC")
++-DOMAIN_KEYS(ECExplicitPrime2G);
++-IMPLEMENT_TEST_SUITE(ECExplicitPrime2G, "EC", 0)
++-IMPLEMENT_TEST_SUITE_LEGACY(ECExplicitPrime2G, "EC")
+++/*DOMAIN_KEYS(ECExplicitPrime2G);*/
+++/*IMPLEMENT_TEST_SUITE(ECExplicitPrime2G, "EC", 0)*/
+++/*IMPLEMENT_TEST_SUITE_LEGACY(ECExplicitPrime2G, "EC")*/
++ # ifndef OPENSSL_NO_EC2M
++ DOMAIN_KEYS(ECExplicitTriNamedCurve);
++ IMPLEMENT_TEST_SUITE(ECExplicitTriNamedCurve, "EC", 1)
++@@ -1318,7 +1318,7 @@ int setup_tests(void)
++ || !create_ec_explicit_prime_params_namedcurve(bld_prime_nc)
++ || !create_ec_explicit_prime_params(bld_prime)
++ || !TEST_ptr(ec_explicit_prime_params_nc = OSSL_PARAM_BLD_to_param(bld_prime_nc))
++- || !TEST_ptr(ec_explicit_prime_params_explicit = OSSL_PARAM_BLD_to_param(bld_prime))
+++/* || !TEST_ptr(ec_explicit_prime_params_explicit = OSSL_PARAM_BLD_to_param(bld_prime))*/
++ # ifndef OPENSSL_NO_EC2M
++ || !TEST_ptr(bld_tri_nc = OSSL_PARAM_BLD_new())
++ || !TEST_ptr(bld_tri = OSSL_PARAM_BLD_new())
++@@ -1346,7 +1346,7 @@ int setup_tests(void)
++ 
TEST_info("Generating EC keys...");
++ MAKE_DOMAIN_KEYS(EC, "EC", EC_params);
++ MAKE_DOMAIN_KEYS(ECExplicitPrimeNamedCurve, "EC", ec_explicit_prime_params_nc);
++- MAKE_DOMAIN_KEYS(ECExplicitPrime2G, "EC", ec_explicit_prime_params_explicit);
+++/* MAKE_DOMAIN_KEYS(ECExplicitPrime2G, "EC", ec_explicit_prime_params_explicit);*/
++ # ifndef OPENSSL_NO_EC2M
++ MAKE_DOMAIN_KEYS(ECExplicitTriNamedCurve, "EC", ec_explicit_tri_params_nc);
++ MAKE_DOMAIN_KEYS(ECExplicitTri2G, "EC", ec_explicit_tri_params_explicit);
++@@ -1389,8 +1389,8 @@ int setup_tests(void)
++ ADD_TEST_SUITE_LEGACY(EC);
++ ADD_TEST_SUITE(ECExplicitPrimeNamedCurve);
++ ADD_TEST_SUITE_LEGACY(ECExplicitPrimeNamedCurve);
++- ADD_TEST_SUITE(ECExplicitPrime2G);
++- ADD_TEST_SUITE_LEGACY(ECExplicitPrime2G);
+++/* ADD_TEST_SUITE(ECExplicitPrime2G);*/
+++/* ADD_TEST_SUITE_LEGACY(ECExplicitPrime2G);*/
++ # ifndef OPENSSL_NO_EC2M
++ ADD_TEST_SUITE(ECExplicitTriNamedCurve);
++ ADD_TEST_SUITE_LEGACY(ECExplicitTriNamedCurve);
++@@ -1427,7 +1427,7 @@ void cleanup_tests(void)
++ {
++ #ifndef OPENSSL_NO_EC
++ OSSL_PARAM_free(ec_explicit_prime_params_nc);
++- OSSL_PARAM_free(ec_explicit_prime_params_explicit);
+++/* OSSL_PARAM_free(ec_explicit_prime_params_explicit);*/
++ OSSL_PARAM_BLD_free(bld_prime_nc);
++ OSSL_PARAM_BLD_free(bld_prime);
++ # ifndef OPENSSL_NO_EC2M
++@@ -1449,7 +1449,7 @@ void cleanup_tests(void)
++ #ifndef OPENSSL_NO_EC
++ FREE_DOMAIN_KEYS(EC);
++ FREE_DOMAIN_KEYS(ECExplicitPrimeNamedCurve);
++- FREE_DOMAIN_KEYS(ECExplicitPrime2G);
+++/* FREE_DOMAIN_KEYS(ECExplicitPrime2G);*/
++ # ifndef OPENSSL_NO_EC2M
++ FREE_DOMAIN_KEYS(ECExplicitTriNamedCurve);
++ FREE_DOMAIN_KEYS(ECExplicitTri2G);
++diff -up openssl-3.0.1/test/recipes/30-test_evp_data/evppkey_ecdsa.txt.disable_explicit_ec openssl-3.0.1/test/recipes/30-test_evp_data/evppkey_ecdsa.txt
++--- openssl-3.0.1/test/recipes/30-test_evp_data/evppkey_ecdsa.txt.disable_explicit_ec 2022-03-25 11:20:50.920949208 +0100
+++++ 
openssl-3.0.1/test/recipes/30-test_evp_data/evppkey_ecdsa.txt 2022-03-25 11:21:13.177147598 +0100
++@@ -121,18 +121,6 @@ AAAA//////////+85vqtpxeehPO5ysL8YyVRAgEB
++ 3ev1gTwRBduzqqlwd54AUSgI+pjttW8zrWNitO8H1sf59MPWOESKxNtZ1+Nl
++ -----END PRIVATE KEY-----
++ 
++-PrivateKey = EC_EXPLICIT
++------BEGIN PRIVATE KEY-----
++-MIIBeQIBADCCAQMGByqGSM49AgEwgfcCAQEwLAYHKoZIzj0BAQIhAP////8AAAAB
++-AAAAAAAAAAAAAAAA////////////////MFsEIP////8AAAABAAAAAAAAAAAAAAAA
++-///////////////8BCBaxjXYqjqT57PrvVV2mIa8ZR0GsMxTsPY7zjw+J9JgSwMV
++-AMSdNgiG5wSTamZ44ROdJreBn36QBEEE5JcIvn36opqjEm/k59Al40rBAxWM2TPG
++-l0L13Je51zHpfXQ9Z2o7IQicMXP4wSfJ0qCgg2bgydqoxlYrlLGuVQIhAP////8A
++-AAAA//////////+85vqtpxeehPO5ysL8YyVRAgEBBG0wawIBAQQgec92jwduadCk
++-OjoNRI+YT5Be5TkzZXzYCyTLkMOikDmhRANCAATtECEhQbLEaiUj/Wu0qjcr81lL
++-46dx5zYgArz/iaSNJ3W80oO+F7v04jlQ7wxQzg96R0bwKiMeq5CcW9ZFt6xg
++------END PRIVATE KEY-----
++-
++ PrivateKey = B-163
++ -----BEGIN PRIVATE KEY-----
++ MGMCAQAwEAYHKoZIzj0CAQYFK4EEAA8ETDBKAgEBBBUDnQW0mLiHVha/jqFznX/K
++diff -up openssl-3.0.9/test/ectest.c.noec openssl-3.0.9/test/ectest.c
++--- openssl-3.0.9/test/ectest.c.noec 2023-07-27 11:30:24.078979261 +0200
+++++ openssl-3.0.9/test/ectest.c 2023-07-27 11:35:12.335576107 +0200
++@@ -2301,10 +2301,11 @@ static int do_test_custom_explicit_fromd
++ if (!TEST_ptr(params = OSSL_PARAM_BLD_to_param(bld))
++ || !TEST_ptr(pctx = EVP_PKEY_CTX_new_from_name(NULL, "EC", NULL))
++ || !TEST_int_gt(EVP_PKEY_fromdata_init(pctx), 0)
++- || !TEST_int_gt(EVP_PKEY_fromdata(pctx, &pkeyparam,
+++ || !TEST_int_le(EVP_PKEY_fromdata(pctx, &pkeyparam,
++ EVP_PKEY_KEY_PARAMETERS, params), 0))
++ goto err;
++-
+++/* As creating the key should fail, the rest of the test is pointless */
+++# if 0
++ /*- Check that all the set values are retrievable -*/
++ 
++ /* There should be no match to a group name since the generator changed */
++@@ -2433,6 +2434,7 @@ static int do_test_custom_explicit_fromd
++ #endif
++ )
++ goto err;
+++#endif
++ ret = 1;
++ err:
++ 
BN_free(order_out);
++@@ -2714,21 +2716,21 @@ static int custom_params_test(int id)
++ 
++ /* Compute keyexchange in both directions */
++ if (!TEST_ptr(pctx1 = EVP_PKEY_CTX_new(pkey1, NULL))
++- || !TEST_int_eq(EVP_PKEY_derive_init(pctx1), 1)
++- || !TEST_int_eq(EVP_PKEY_derive_set_peer(pctx1, pkey2), 1)
+++ || !TEST_int_le(EVP_PKEY_derive_init(pctx1), 0)
+++/* || !TEST_int_eq(EVP_PKEY_derive_set_peer(pctx1, pkey2), 1)
++ || !TEST_int_eq(EVP_PKEY_derive(pctx1, NULL, &sslen), 1)
++ || !TEST_int_gt(bsize, sslen)
++- || !TEST_int_eq(EVP_PKEY_derive(pctx1, buf1, &sslen), 1))
+++ || !TEST_int_eq(EVP_PKEY_derive(pctx1, buf1, &sslen), 1)*/)
++ goto err;
++ if (!TEST_ptr(pctx2 = EVP_PKEY_CTX_new(pkey2, NULL))
++- || !TEST_int_eq(EVP_PKEY_derive_init(pctx2), 1)
++- || !TEST_int_eq(EVP_PKEY_derive_set_peer(pctx2, pkey1), 1)
+++ || !TEST_int_le(EVP_PKEY_derive_init(pctx2), 1)
+++/* || !TEST_int_eq(EVP_PKEY_derive_set_peer(pctx2, pkey1), 1)
++ || !TEST_int_eq(EVP_PKEY_derive(pctx2, NULL, &t), 1)
++ || !TEST_int_gt(bsize, t)
++ || !TEST_int_le(sslen, t)
++- || !TEST_int_eq(EVP_PKEY_derive(pctx2, buf2, &t), 1))
+++ || !TEST_int_eq(EVP_PKEY_derive(pctx2, buf2, &t), 1) */)
++ goto err;
++-
+++#if 0
++ /* Both sides should expect the same shared secret */
++ if (!TEST_mem_eq(buf1, sslen, buf2, t))
++ goto err;
++@@ -2780,7 +2782,7 @@ static int custom_params_test(int id)
++ /* compare with previous result */
++ || !TEST_mem_eq(buf1, t, buf2, sslen))
++ goto err;
++-
+++#endif
++ ret = 1;
++ 
++ err:
+-- 
+2.46.0
+
diff --git a/0203-Disable-sm2-and-sm4-crypto-algorithms.patch b/0203-Disable-sm2-and-sm4-crypto-algorithms.patch
new file mode 100644
index 0000000..b4c32ee
--- /dev/null
+++ b/0203-Disable-sm2-and-sm4-crypto-algorithms.patch
@@ -0,0 +1,122 @@ +From f429bf3ffd992c678f7d1a041f6a6b5df9a4b6fb Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?= +Date: Fri, 1 Mar 2024 13:25:14 +0000 +Subject: [PATCH 203/203] Disable sm2 and sm4 crypto algorithms +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Policy copied from Fedora 39 openssl package + +Signed-off-by: Daniel P. Berrangé +--- + Linux/build_openssl.sh | 2 +- + Linux/sgx/test_app/enclave/TestEnclave.cpp | 5 ++++- + Linux/sgx/test_app/enclave/TestEnclave.h | 4 ++++ + Linux/sgx/test_app/enclave/tests/evp_smx.c | 4 ++++ + 4 files changed, 13 insertions(+), 2 deletions(-) + +diff --git a/Linux/build_openssl.sh b/Linux/build_openssl.sh +index 7470479..e214ccb 100755 +--- a/Linux/build_openssl.sh ++++ b/Linux/build_openssl.sh +@@ -156,7 +156,7 @@ cp sgx_config.conf $OPENSSL_VERSION/ || exit 1 + cp x86_64-xlate.pl $OPENSSL_VERSION/crypto/perlasm/ || exit 1 + + cd $SGXSSL_ROOT/../openssl_source/$OPENSSL_VERSION || exit 1 +-perl Configure --config=sgx_config.conf sgx-linux-x86_64 --with-rand-seed=none $ADDITIONAL_CONF $SPACE_OPT $MITIGATION_FLAGS $ENCLAVE_CFLAGS no-idea no-mdc2 no-rc5 no-rc4 no-bf no-ec2m no-camellia no-cast no-srp no-async no-padlockeng no-dso no-shared no-ssl3 no-md2 no-md4 no-ui-console no-stdio no-afalgeng -D_FORTIFY_SOURCE=2 -DGETPID_IS_MEANINGLESS -include$SGXSSL_ROOT/../openssl_source/bypass_to_sgxssl.h || exit 1 ++perl Configure --config=sgx_config.conf sgx-linux-x86_64 --with-rand-seed=none $ADDITIONAL_CONF $SPACE_OPT $MITIGATION_FLAGS $ENCLAVE_CFLAGS no-idea no-mdc2 no-rc5 no-rc4 no-bf no-ec2m no-camellia no-cast no-srp no-async no-padlockeng no-dso no-shared no-ssl3 no-md2 no-md4 no-sm2 no-sm4 no-ui-console no-stdio no-afalgeng -D_FORTIFY_SOURCE=2 -DGETPID_IS_MEANINGLESS -include$SGXSSL_ROOT/../openssl_source/bypass_to_sgxssl.h || exit 1 + + sed -i 's/ENGINE_set_default_RAND/dummy_ENGINE_set_default_RAND/' crypto/engine/tb_rand.c || exit 1 + sed -i 
's/return RUN_ONCE(&locale_base, ossl_init_locale_base);/return 1;/' crypto/ctype.c || exit 1 +diff --git a/Linux/sgx/test_app/enclave/TestEnclave.cpp b/Linux/sgx/test_app/enclave/TestEnclave.cpp +index dac620a..b219e74 100644 +--- a/Linux/sgx/test_app/enclave/TestEnclave.cpp ++++ b/Linux/sgx/test_app/enclave/TestEnclave.cpp +@@ -413,6 +413,7 @@ void t_sgxssl_call_apis() + } + printf("test threads_test completed\n"); + ++#if 0 + //GM SM2 - sign and verify + ret = ecall_sm2_sign_verify(); + if (ret != 0) +@@ -430,6 +431,7 @@ void t_sgxssl_call_apis() + exit(ret); + } + printf("test evp_sm2_encrypt_decrypt completed\n"); ++#endif + + //GM SM3 - compute digest of message + ret = ecall_sm3(); +@@ -440,6 +442,7 @@ void t_sgxssl_call_apis() + } + printf("test evp_sm3 completed\n"); + ++#if 0 + //GM SM4 - cbc encrypt and decrypt + ret = ecall_sm4_cbc(); + if (ret != 0) +@@ -457,5 +460,5 @@ void t_sgxssl_call_apis() + exit(ret); + } + printf("test evp_sm4_ctr completed\n"); +- ++#endif + } +diff --git a/Linux/sgx/test_app/enclave/TestEnclave.h b/Linux/sgx/test_app/enclave/TestEnclave.h +index c2ca854..a989735 100644 +--- a/Linux/sgx/test_app/enclave/TestEnclave.h ++++ b/Linux/sgx/test_app/enclave/TestEnclave.h +@@ -66,11 +66,15 @@ int sha256_test(); + int sha1_test(); + int hmac_tests(); + int threads_test(); ++#if 0 + int ecall_sm2_sign_verify(); + int ecall_sm2_encrypt_decrypt(); ++#endif + int ecall_sm3(); ++#if 0 + int ecall_sm4_cbc(); + int ecall_sm4_ctr(); ++#endif + + #if defined(__cplusplus) + } +diff --git a/Linux/sgx/test_app/enclave/tests/evp_smx.c b/Linux/sgx/test_app/enclave/tests/evp_smx.c +index a395ce8..f49e5b7 100644 +--- a/Linux/sgx/test_app/enclave/tests/evp_smx.c ++++ b/Linux/sgx/test_app/enclave/tests/evp_smx.c +@@ -44,6 +44,7 @@ + #define SAFE_FREE(ptr, size) {if (NULL != (ptr)) {memset_s(ptr, size, 0, size); free(ptr); (ptr)=NULL;}} + #endif + ++#if 0 + // Default sm2_user_id and its length defined by openssl + unsigned char sm2_user_id[] = 
"1234567812345678"; + unsigned int sm2_user_id_len = sizeof(sm2_user_id)-1; +@@ -512,6 +513,7 @@ end: + + return ret; + } ++#endif + + /* Compute a SM3 digest of a message. */ + int ecall_sm3(void) +@@ -571,6 +573,7 @@ end: + return ret; + } + ++#if 0 + /* SM4 block cipher mode(cbc) of operation. */ + int ecall_sm4_cbc(void) + { +@@ -743,3 +746,4 @@ end: + + return ret; + } ++#endif +-- +2.46.0 + diff --git a/0300-Drop-min-openssl-from-3.0.8-to-3.0.7.patch b/0300-Drop-min-openssl-from-3.0.8-to-3.0.7.patch new file mode 100644 index 0000000..63bb426 --- /dev/null +++ b/0300-Drop-min-openssl-from-3.0.8-to-3.0.7.patch @@ -0,0 +1,29 @@ +From 22a2f289d7e613e070e23897596ff8451402d680 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?= +Date: Tue, 3 Sep 2024 10:11:45 +0100 +Subject: [PATCH 300/301] Drop min openssl from 3.0.8 to 3.0.7 +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Signed-off-by: Daniel P. Berrangé +--- + sources/ippcp/crypto_mb/CMakeLists.txt | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/sources/ippcp/crypto_mb/CMakeLists.txt b/sources/ippcp/crypto_mb/CMakeLists.txt +index 6e810567..d92f6c68 100644 +--- a/sources/ippcp/crypto_mb/CMakeLists.txt ++++ b/sources/ippcp/crypto_mb/CMakeLists.txt +@@ -76,7 +76,7 @@ if(BORINGSSL OR BABASSL) # off by default + # by find_package(OpenSSL) + find_package(OpenSSL REQUIRED) + else() +- find_package(OpenSSL 3.0.8 REQUIRED) # set -DOPENSSL_INCLUDE_DIR= -DOPENSSL_LIBRARIES= -DOPENSSL_ROOT_DIR= to use patched ++ find_package(OpenSSL 3.0.7 REQUIRED) # set -DOPENSSL_INCLUDE_DIR= -DOPENSSL_LIBRARIES= -DOPENSSL_ROOT_DIR= to use patched + endif() + + if(BN_OPENSSL_PATCH) +-- +2.46.0 + diff --git a/0301-Drop-Werror-from-build-flags.patch b/0301-Drop-Werror-from-build-flags.patch new file mode 100644 index 0000000..caba1ea --- /dev/null +++ b/0301-Drop-Werror-from-build-flags.patch 
@@ -0,0 +1,71 @@
+From b073f869a15483ef1d843c9dfaa5d8dcdc0d7836 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?=
+Date: Tue, 3 Sep 2024 10:14:31 +0100
+Subject: [PATCH 301/301] Drop -Werror from build flags
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Signed-off-by: Daniel P. Berrangé
+---
+ sources/cmake/linux/Clang9.0.0.cmake | 2 +-
+ sources/cmake/linux/GNU8.2.0.cmake | 2 +-
+ sources/cmake/linux/Intel19.0.0.cmake | 2 +-
+ sources/cmake/linux/IntelLLVM2023.1.0.cmake | 2 +-
+ 4 files changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/sources/cmake/linux/Clang9.0.0.cmake b/sources/cmake/linux/Clang9.0.0.cmake
+index 18e5182a..fa9ee20a 100644
+--- a/sources/cmake/linux/Clang9.0.0.cmake
++++ b/sources/cmake/linux/Clang9.0.0.cmake
+@@ -106,7 +106,7 @@ if(SANITIZERS)
+ endif(SANITIZERS)
+ 
+ # Optimization level = 3, no-debug definition (turns off asserts), warnings=errors
+-set (CMAKE_C_FLAGS_RELEASE " -O3 -DNDEBUG -Werror")
++set (CMAKE_C_FLAGS_RELEASE " -O3 -DNDEBUG")
+ 
+ # DEBUG flags - optimization level = 0, generation GDB information (-g)
+ set (CMAKE_C_FLAGS_DEBUG " -O0 -g")
+diff --git a/sources/cmake/linux/GNU8.2.0.cmake b/sources/cmake/linux/GNU8.2.0.cmake
+index 96658a8d..93cd079a 100644
+--- a/sources/cmake/linux/GNU8.2.0.cmake
++++ b/sources/cmake/linux/GNU8.2.0.cmake
+@@ -96,7 +96,7 @@ if(${ARCH} MATCHES "ia32")
+ endif(${ARCH} MATCHES "ia32")
+ 
+ # Optimization level = 3, no-debug definition (turns off asserts), warnings=errors
+-set (CMAKE_C_FLAGS_RELEASE " -O3 -DNDEBUG -Werror")
++set (CMAKE_C_FLAGS_RELEASE " -O3 -DNDEBUG")
+ 
+ set(w7_opt "${w7_opt} -march=pentium4 -msse2")
+ set(s8_opt "${s8_opt} -march=core2 -mssse3")
+diff --git a/sources/cmake/linux/Intel19.0.0.cmake b/sources/cmake/linux/Intel19.0.0.cmake
+index c1d48508..133a7e18 100644
+--- a/sources/cmake/linux/Intel19.0.0.cmake
++++ b/sources/cmake/linux/Intel19.0.0.cmake
+@@ -99,7 +99,7 @@ if(CODE_COVERAGE)
+ 
endif()
+ 
+ # Optimization level = 3, no-debug definition (turns off asserts), warning level = 3, treat warnings as errors
+-set (CMAKE_C_FLAGS_RELEASE " -O3 -DNDEBUG -w3 -Werror")
++set (CMAKE_C_FLAGS_RELEASE " -O3 -DNDEBUG -w3")
+ # DEBUG flags Optimization level = 0, generation maximum GDB information (-g3)
+ set (CMAKE_C_FLAGS_DEBUG " -O0 -g3")
+ 
+diff --git a/sources/cmake/linux/IntelLLVM2023.1.0.cmake b/sources/cmake/linux/IntelLLVM2023.1.0.cmake
+index babc289a..59a74d10 100644
+--- a/sources/cmake/linux/IntelLLVM2023.1.0.cmake
++++ b/sources/cmake/linux/IntelLLVM2023.1.0.cmake
+@@ -95,7 +95,7 @@ if(CODE_COVERAGE)
+ endif()
+ 
+ # Optimization level = 3, no-debug definition (turns off asserts), warning level = 3, treat warnings as errors
+-set (CMAKE_C_FLAGS_RELEASE " -Ofast -DNDEBUG -Wall -Wno-unused-function -Wno-missing-braces -Werror")
++set (CMAKE_C_FLAGS_RELEASE " -Ofast -DNDEBUG -Wall -Wno-unused-function -Wno-missing-braces")
+ 
+ # Alignment for structures on byte boundaries (= 16)
+ set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -Zp16")
+-- 
+2.46.0
+
diff --git a/92-sgx-provision.rules b/92-sgx-provision.rules
new file mode 100644
index 0000000..895e2cc
--- /dev/null
+++ b/92-sgx-provision.rules
@@ -0,0 +1 @@
+SUBSYSTEM=="misc",KERNEL=="sgx_provision",GROUP="sgxprv",MODE="0660"
diff --git a/aesmd.service b/aesmd.service
new file mode 100644
index 0000000..b37644a
--- /dev/null
+++ b/aesmd.service
@@ -0,0 +1,21 @@
+[Unit]
+Description=SGX Architectural Enclave Service Manager
+After=syslog.target auditd.service
+ConditionPathExists=/dev/sgx_enclave
+
+[Service]
+Type=simple
+User=aesmd
+ExecStart=/usr/bin/aesmd --no-daemon
+ExecReload=/bin/kill -SIGHUP $MAINPID
+Restart=on-failure
+RestartSec=15s
+
+WorkingDirectory=/var/lib/aesmd
+InaccessibleDirectories=/home
+DevicePolicy=closed
+DeviceAllow=/dev/sgx_enclave rw
+DeviceAllow=/dev/sgx_provision rw
+
+[Install]
+WantedBy=multi-user.target
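Review bot: Removing `-Werror` outright from every `CMAKE_C_FLAGS_RELEASE` line also demotes the warnings that are genuine defects in a crypto library, such as implicit function declarations, `-Wformat-security` and missing return values, and the commit adds nothing to keep those fatal. A narrower change keeps a newer compiler's version-dependent noise from breaking the build while still failing on the dangerous class, e.g. for the GCC and Clang files `set (CMAKE_C_FLAGS_RELEASE " -O3 -DNDEBUG -Werror=implicit-function-declaration -Werror=return-type -Werror=format-security")`. The commit message should also name the compiler or warning that motivated the change so the flag can be reinstated once it is fixed. The Intel19 file uses `-w3` rather than `-Wall`, so the equivalent list there needs checking against icc's option set.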
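Review bot: The unit grants `DeviceAllow=/dev/sgx_provision rw` but applies almost no other sandboxing to a daemon that handles the platform provisioning key: there is no `NoNewPrivileges=`, `ProtectSystem=`, `PrivateTmp=` or `ProtectKernelTunables=`, and `InaccessibleDirectories=/home` is the deprecated spelling of what `ProtectHome=yes` does. `After=syslog.target` is an obsolete target and can be dropped, and `StateDirectory=aesmd` would let systemd create /var/lib/aesmd owned by the aesmd user instead of relying on the package's %files ownership. Note that DeviceAllow only opens the cgroup device filter; the open() still goes through the 0660 root:sgxprv mode set by 92-sgx-provision.rules, so the aesmd user must remain in sgxprv (aesmd.sysusers.conf does this). Whether aesmd writes anywhere outside /var/lib/aesmd is not visible here, so `ProtectSystem=strict` needs confirming before it is enabled.
```ini
[Unit]
Description=SGX Architectural Enclave Service Manager
After=auditd.service
# … unchanged: ConditionPathExists …

[Service]
# … unchanged: Type/User/ExecStart/ExecReload/Restart/RestartSec …
StateDirectory=aesmd
WorkingDirectory=/var/lib/aesmd
ProtectHome=yes
ProtectSystem=strict
NoNewPrivileges=yes
PrivateTmp=yes
ProtectKernelTunables=yes
ProtectKernelModules=yes
ProtectControlGroups=yes
RestrictSUIDSGID=yes
DevicePolicy=closed
DeviceAllow=/dev/sgx_enclave rw
DeviceAllow=/dev/sgx_provision rw
# … unchanged: [Install] …
```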
diff --git a/aesmd.sysusers.conf b/aesmd.sysusers.conf
new file mode 100644
index 0000000..746515a
--- /dev/null
+++ b/aesmd.sysusers.conf
@@ -0,0 +1,3 @@
+u aesmd - " SGX Architectural Enclave Service Manager" /var/lib/aesmd
+m aesmd sgx
+m aesmd sgxprv
diff --git a/linux-sgx.spec b/linux-sgx.spec
new file mode 100644
index 0000000..72f0799
--- /dev/null
+++ b/linux-sgx.spec
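Review bot: The GECOS field on the `u` line has a stray leading space inside the quotes, so the account is created with the description ` SGX Architectural Enclave Service Manager`; it should read `u aesmd - "SGX Architectural Enclave Service Manager" /var/lib/aesmd`. The two `m` lines add aesmd to `sgx` and `sgxprv`, but nothing in this file creates those groups; systemd-sysusers processes sysusers.d in lexical order and an `m` line implicitly creates a missing group with an allocated GID, so if this file is installed as aesmd.conf it runs before sgxprv.conf (Source42) and would pre-empt any fixed GID that file tries to assign. Either add `g` lines for the groups here as well, or confirm the installed filename sorts after the group-defining ones. No shell is set, which is fine since sysusers defaults system users to nologin.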
@@ -0,0 +1,1511 @@ + +# The enclave code must be built with very specific build +# flags, that are different from what is used to build +# native code. Thus we cannot globally set the CFLAGS etc +%undefine _auto_set_build_flags + +############################################################ +# +# Note about the approach to bundling... +# +# The linux-sgx project build system is written with the assumption +# that a monolithic repo is being used with all dependencies +# present at specific versions and in particular locations. +# +# Fully untangling this is impractical/unsustainable, because the +# build system in fact has circular dependencies between what might +# otherwise look like independent projects. ie linux-sgx depends +# on headers from dcap, but dcap depends on headers from linux-sgx. +# In addition, some of the 3rd party projects that are consumed are +# patched with SGX enclave specific changes. +# +# For enclave builds, there will be no ability to share existing +# binaries built for native Fedora, as everything must be built +# for the enclave environment, with its own C runtime. Thus trying +# to unbundle has little benefit for enclave related dependencies. +# +# This package is thus written such +# +# * All the SGX related projects provided by Intel are bundled +# whether used for enclave or native OS code. +# * SGX enclave code is built with bundled 3rd party projects. +# * Native OS code is built with system packages for non-SGX +# related dependancies. +# +# Focusing on unbundling only 3rd party projects involved in native +# builds maximises the benefits of system package usage, without an +# unreasonable burden fighting the build system for enclave pieces. 
+ +%global with_aesm 0 +%global with_host_tinyxml2 0 +%global with_pccsadmin 0 +%if 0%{?fedora} +%global with_aesm 1 +%global with_host_tinyxml2 1 +%global with_pccsadmin 1 +%endif + +%global with_sysusers_scripts 0 +%if 0%{?rhel} <= 10 +%global with_sysusers_scripts 1 +%endif + +############################################################ +# +# A note about versions +# +# When rebasing to new linux-sgx releases, bump all the following +# versions based on what the new release depends on (see various +# git submodule tags and code files). +# +%global linux_sgx_version 2.25 +# From SGX git submodule +%global dcap_version 1.22 +# From DCAP git submodule +%global dcap_qvl_version 1.21 +# From DCAP git submodule +%global dcap_qvs_version 1.1.0-2885 +# From SGX external/sgxssl/prepare_sgxssl.sh +%global sgx_ssl_version 3.0_Rev4 +# From SGX git submodule +%global ipp_crypto_version 2021.12.1 +# From SGX git submodule +%global sgx_emm_version 1.0.3 + +# From SGX external/sgxssl/prepare_sgxssl.sh +%global openssl_version 3.0.14 +# From SGX git submodule +%global libcbor_version 0.10.2 +# From protobuf third_party/abseil-cpp +%global abseil_cpp_version 20230125.3 +# From DCAP git submodule +%global jwt_cpp_version 0.6.0 +# From DCAP git submodule +%global wamr_version 1.3.3 +# From SGX external/tinyxml2 +%global tinyxml2_version 10.0.0 + +# From SGX external/epid-sdk/CHANGELOG.md +%global epid_version 6.0.0 +# From SGX external/rdrand/src/configure.ac +%global rdrand_version 1.1 +%global vtune_version 2018 + + +# enclaves from prebuilt_dcap_NNN.tar.gz - DCAP version numbers, +# except for pce, which is actually an SGX enclave just bundled +# with the DCAP enclaves +%global enclave_pce_version 2.25 +%global enclave_ide_version 1.22 +%global enclave_qe3_version 1.22 +%global enclave_tdqe_version 1.22 +%global enclave_qve_version 1.22 + +# Whether to build & ship unsigned enclaves with latest distro +# tool-chain, as opposed to a reproducible build done in other +# packages 
+%global with_enclaves 1 + +# Provisioning Certification Enclave. Required. ECDSA quote signing +%global with_enclave_pce 1 + +# ID Enclave. Required. Hardware identification +%global with_enclave_ide 1 + +# Quoting Enclave. Required for non-TDX usage. ECDSA quote generation +%global with_enclave_qe3 1 + +# Quoting Enclave. Required for TDX usage. ECDSA quote generation +%global with_enclave_tdqe 1 + +# Quote Verification Enclave. Optional. ECDSA quote verification +# +# Note this package has removed the unapproved crypto this +# enclave links to in upstream builds, to make it possible +# to ship in Fedora. +# XXX disabled until time to investigate jwt-cpp build errors +%global with_enclave_qve 0 + + +%global _with_enclave_pce %{expr:%{with_enclaves} ? %{with_enclave_pce} : 0} +%global _with_enclave_ide %{expr:%{with_enclaves} ? %{with_enclave_ide} : 0} +%global _with_enclave_qe3 %{expr:%{with_enclaves} ? %{with_enclave_qe3} : 0} +%global _with_enclave_tdqe %{expr:%{with_enclaves} ? %{with_enclave_tdqe} : 0} +%global _with_enclave_qve %{expr:%{with_enclaves} ? 
%{with_enclave_qve} : 0} + + +# We prefer deployments using the pre-built enclaves +# signed by Intel, but permit replacing with enclaves +# signed by a different party +%global enclave_requires() \ +Requires: sgx-enclave(%1:signed) >= %2 \ +Recommends: sgx-enclave(%1:signed:prebuilt) >= %2 + +Name: linux-sgx +Version: %{linux_sgx_version} +Release: %autorelease +Summary: Intel Linux SGX SDK and Platform Software + +# The project pulls together source from a wide variety of places, +# so while the license of the combined work is declared to be +# BSD-3-Clause, there is actually a huge set of licenses to track +License: %{shrink: + %dnl sdk/tlibcxx, external/ippcp_internal, external/epid-sdk + Apache-2.0 AND + + %dnl sdk/cpprt, sdk/tlibc + BSD-2-Clause AND + + %dnl external/dcap_source, sdk/* + BSD-3-Clause AND + + %dnl sdk/tlibc + BSD-4-Clause AND + + %dnl sdk/tlibc + BSD-4-Clause-UC AND + + %dnl psd/urts/linux/isgx_user.h + GPL-2.0-only AND + + %dnl sdk/tlibc, sdk/pthread + ISC AND + + %dnl external/cbor/libcbor, sdk/* + MIT AND + + %dnl sdk/tlibc/stdlib/malloc.c + MIT-0 AND + + %dnl sdk/compiler-rt + NCSA AND + + %dnl sdk/protected_code_loader + OpenSSL AND + + %dnl sdk/tlibc/gdtoa + SMLNJ AND + + %dnl sdk/tlibc/math + SunPro AND + + %dnl sdk/tlibc + LicenseRef-Fedora-Public-Domain +} + +URL: https://github.com/intel/linux-sgx + + +############################################################ +# SGX related projects SourceN for N in (0..9) + +Source0: https://github.com/intel/linux-sgx/archive/refs/tags/sgx_%{linux_sgx_version}_reproducible.tar.gz#/linux-sgx-%{linux_sgx_version}-reproducible.tar.gz + +# repack.sh purges all the prebuilt AE's that we ship in a different RPM +# as well as 'prebuilt/' content (openssl / OPA binaries) that we must +# not distribute. 
+Source1: repack.sh + +Source2: https://github.com/intel/SGXDataCenterAttestationPrimitives/archive/refs/tags/dcap_%{dcap_version}_reproducible.tar.gz +Provides: bundled(dcap) = %{dcap_version} + +# Upload tarball is: +# +# https://download.01.org/intel-sgx/sgx-dcap/%{dcap_version}/linux/prebuilt_dcap_%{dcap_version}.tar.gz +# +# but is then post-processed using repack.sh to create this +Source3: prebuilt_dcap_%{dcap_version}-repacked.tar.gz + +Source4: https://github.com/intel/intel-sgx-ssl/archive/refs/tags/%{sgx_ssl_version}.tar.gz#/intel-sgx-ssl-%{sgx_ssl_version}.tar.gz +Provides: bundled(sgxssl) = %{sgx_ssl_version} + +Source5: https://github.com/intel/ipp-crypto/archive/refs/tags/ippcp_%{ipp_crypto_version}.tar.gz +Provides: bundled(ipp-crypto) = %{ipp_crypto_version} + +Source6: https://github.com/intel/sgx-emm/archive/refs/tags/sgx-emm-%{sgx_emm_version}.tar.gz +Provides: bundled(sgx-emm) = %{sgx_emm_version} + +Source7: https://github.com/intel/SGX-TDX-DCAP-QuoteVerificationLibrary/archive/refs/heads/DCAP/%{dcap_qvl_version}.tar.gz#/dcap-qvl-%{dcap_qvl_version}.tar.gz +Provides: bundled(dcap-qvl} = %{dcap_qvl_version} + +Source8: https://github.com/intel/SGX-TDX-DCAP-QuoteVerificationService/archive/refs/tags/v%{dcap_qvs_version}.tar.gz#/dcap-qvs-%{dcap_qvs_version}.tar.gz +Provides: bundled(dcap-qvs} = %{dcap_qvs_version} + + +############################################################ +# 3rd party projects SourceN for N in (10..19) + +Source10: https://www.openssl.org/source/openssl-%{openssl_version}.tar.gz +Provides: bundled(openssl) = %{openssl_version} + +Source11: https://github.com/PJK/libcbor/archive/refs/tags/v%{libcbor_version}.tar.gz#/libcbor-%{libcbor_version}.tar.gz +Provides: bundled(libcbor) = %{libcbor_version} + +# XXX unbundle me, only used in native code, or also in enclaves ? 
+Source12: https://github.com/Thalhammer/jwt-cpp/archive/refs/tags/v%{jwt_cpp_version}.tar.gz#/jwt-cpp-%{jwt_cpp_version}.tar.gz +Provides: bundled(jwt-cpp) = %{jwt_cpp_version} + +Source13: https://github.com/bytecodealliance/wasm-micro-runtime/archive/refs/tags/WAMR-%{wamr_version}.tar.gz#/wasm-micro-runtime-%{wamr_version}.tar.gz +Provides: bundled(wasm-micro-runtime} = %{wamr_version} + +Source14: https://github.com/leethomason/tinyxml2/archive/refs/tags/%{tinyxml2_version}.tar.gz#/tinyxml2-%{tinyxml2_version}.tar.gz +%if ! %{with_host_tinyxml2} +Provides: bundled(tinyxml2) = %{tinyxml2_version} +%endif + + +############################################################ +# Misc distro integration files SourceN in (40..59) + +Source40: aesmd.sysusers.conf +Source41: aesmd.service + +Source42: sgxprv.sysusers.conf +Source43: 92-sgx-provision.rules + +Source44: qgs.sysusers.conf +Source45: qgs.service +Source46: qgs.sysconfig + +Source48: mpa_registration.service + + +############################################################ +# External projects that have been copied in tarballs as bundles + +# In external/epid-sdk/ +Provides: bundled(epid-sdk) = 6.0.0 +# In external/rdrand/ +Provides: bundled(RdRand) = 1.1 +# In external/vtune/ +Provides: bundled(vtune) = 2018 + +############################################################ +# Distro integration patches + +# 0000-0099 -> against linux-sgx.git +Patch0000: 0000-Add-support-for-building-against-host-openssl-crypto.patch +Patch0001: 0001-Add-support-for-building-against-host-tinyxml2-lib.patch +Patch0002: 0002-Add-support-for-building-against-host-CppMicroServic.patch +# https://github.com/intel/linux-sgx/pull/1055 +Patch0003: 0003-Improve-make-debuggability.patch +Patch0004: 0004-Support-disabling-use-of-git-for-ippcp-code.patch +Patch0005: 0005-disable-openmp-protobuf-mbedtls-sample_crypto-builds.patch +# https://github.com/intel/linux-sgx/pull/1063 +Patch0006: 0006-Fix-compat-with-gcc-14.patch +# 
https://github.com/intel/linux-sgx/pull/1056 +Patch0007: 0007-Fix-escaping-of-regexes-in-sgx-asm-pp.patch +# https://github.com/intel/linux-sgx/pull/1058 +Patch0008: 0008-Disable-use-of-bogus-DEF_WEAK-macro.patch +# https://github.com/intel/linux-sgx/pull/1057 +Patch0009: 0009-Remove-all-references-to-pccs-service.patch +# https://github.com/intel/linux-sgx/pull/1064 +Patch0010: 0010-psw-prefer-dev-sgx_provision-dev-sgx_enclave.patch +Patch0011: 0011-psw-fix-soname-for-libuae_service.so-library.patch +Patch0012: 0012-pcl-remove-redundant-use-of-bool-type.patch +Patch0013: 0013-Disable-inclusion-of-AESM-in-installer.patch + +# 0100-0199 -> against SGXDataCenterAttestationPrimitives.git +Patch0100: 0100-Drop-use-of-bundled-pre-built-openssl.patch +Patch0101: 0101-Improve-debuggability-of-build-system.patch +# https://github.com/intel/SGXDataCenterAttestationPrimitives/pull/437 +Patch0102: 0102-Support-build-time-setting-of-enclave-load-directory.patch +# https://github.com/intel/SGXDataCenterAttestationPrimitives/pull/434 +Patch0103: 0103-Look-for-versioned-sgx_urts-library-in-PCKRetrievalT.patch +# https://github.com/intel/SGXDataCenterAttestationPrimitives/pull/429 +Patch0104: 0104-Don-t-import-pypac-in-pccsadmin.patch +Patch0105: 0105-Look-for-PCKRetrievalTool-config-file-in-etc.patch +# XXX enclaves must use bundled +#Patch0106: 0106-Use-distro-provided-rapidjson-package.patch +# https://github.com/intel/SGXDataCenterAttestationPrimitives/pull/428 +Patch0107: 0107-qgs-add-space-between-program-name-first-arg-in-usag.patch +Patch0108: 0108-qgs-protect-against-format-strings-in-QL-log-message.patch +Patch0109: 0109-qgs-add-debug-parameter-to-control-logging.patch +Patch0110: 0110-pccsadmin-remove-leftover-debugging-print-args-state.patch +Patch0111: 0111-Fix-soname-version-for-libsgx_qe3_logic.so-library.patch +Patch0112: 0112-Workaround-broken-GCC-15.patch + +# 0200-0299 -> against intel-sgx-ssl.git +Patch0200: 
0200-Enable-pointing-sgxssl-build-to-alternative-glibc-he.patch +Patch0201: 0201-Workaround-missing-output-directory.patch +Patch0202: 0202-Disable-various-EC-crypto-features.patch +Patch0203: 0203-Disable-sm2-and-sm4-crypto-algorithms.patch + +# 0300-0399 -> against ipp-crypto.git +Patch0300: 0300-Drop-min-openssl-from-3.0.8-to-3.0.7.patch +Patch0301: 0301-Drop-Werror-from-build-flags.patch + +BuildRequires: sgx-rpm-macros +BuildRequires: autoconf +BuildRequires: automake +BuildRequires: binutils +BuildRequires: libtool +BuildRequires: gcc +BuildRequires: gcc-c++ +BuildRequires: make +BuildRequires: cmake +BuildRequires: ocaml +BuildRequires: ocaml-ocamlbuild +BuildRequires: openssl +BuildRequires: openssl-devel +BuildRequires: libcurl-devel +BuildRequires: python3-devel +BuildRequires: perl-generators +BuildRequires: perl-interpreter +BuildRequires: perl-devel +BuildRequires: perl(FindBin) +BuildRequires: perl(lib) +BuildRequires: perl(IPC::Cmd) +BuildRequires: nasm +BuildRequires: python-unversioned-command +BuildRequires: systemd-rpm-macros +%if %{with_host_tinyxml2} +BuildRequires: tinyxml2-devel +%endif +%if %{with_aesm} +BuildRequires: CppMicroServices-devel +%endif +#BuildRequires: rapidjson-devel +BuildRequires: protobuf-compiler +BuildRequires: protobuf-devel +BuildRequires: boost-devel + +# If dpkg-architecture exists in $PATH, the Makefile +# will change all the install paths, breaking this +# spec's expected locations +BuildConflicts: dpkg-dev + +# SGX is a technology that only exists in Intel x86 CPUs +ExclusiveArch: x86_64 + +%description +The Intel SGX SDK is a collection of APIs, libraries, documentations and +tools that allow software developers to create and debug Intel SGX +enabled applications in C/C++. + +%package -n sgx-common +Summary: Intel SGX SDK & runtime common + +%description -n sgx-common +Common files for the Intel SGX SDK & runtime + +# We only provide the unsigned enclaves. 
The pre-built +# signed enclaves and shipped separately for ease of +# updating +%global do_package() \ +%if %2 \ +%package -n sgx-enclave-latest-%1-unsigned \ +Summary: SGX %1 enclave (unsigned, latest tool-chain) \ +\ +Provides: sgx-enclave(%1:unsigned) = %3 \ +Provides: sgx-enclave(%1:unsigned:latest) = %3 \ +Requires: sgx-common = %{version}-%{release} \ +\ +%description -n sgx-enclave-latest-%1-unsigned \ +This package contains the unsigned SGX %1 enclave, \ +built with latest tool-chain and libraries. \ +\ +%endif + +%do_package pce %{_with_enclave_pce} %{linux_sgx_version} +%do_package ide %{_with_enclave_ide} %{dcap_version} +%do_package qe3 %{_with_enclave_qe3} %{dcap_version} +%do_package tdqe %{_with_enclave_tdqe} %{dcap_version} +%do_package qve %{_with_enclave_qve} %{dcap_version} + +%package -n sgx-enclave-devel +Summary: SGX enclave libraries development +Requires: sgx-libs = %{version}-%{release} + +%description -n sgx-enclave-devel +This package contains the header files, libraries and tools required +to create SGX enclaves. + + +%package -n sgx-devel +Summary: SGX platform libraries development +Requires: sgx-libs = %{version}-%{release} + +%description -n sgx-devel +This package contains the header files, libraries and tools required +to build applications that interact with SGX enclaves on the platform. + + +%package -n sgx-libs +Summary: SGX platform libraries runtime +Requires: sgx-common = %{version}-%{release} + +%description -n sgx-libs +This package contains the runtime libraries and tools required +to run applications that interact with SGX enclaves on the platform. 
+ +%if %{with_aesm} +%package -n sgx-aesm +Summary: SGX platform Architectural Enclave Service Manager +Requires: CppMicroServices +Requires: sgx-libs = %{version}-%{release} + +Suggests: sgx-enclave(pce:signed) >= %{enclave_pce_version} +Suggests: sgx-enclave(qe3:signed) >= %{enclave_qe3_version} +Suggests: sgx-enclave(qve:signed) >= %{enclave_qve_version} +Suggests: sgx-enclave(ide:signed) >= %{enclave_ide_version} +Suggests: sgx-enclave(tdqe:signed) >= %{enclave_tdqe_version} + +%description -n sgx-aesm +This package contains the Architectural Enclave Service Manager +(AESM) daemon. +%endif + +%package -n sgx-pccs-admin +Summary: SGX Provisioning Certificate Caching Service Admin Tool +Requires: python3-asn1 +Requires: python3-pyOpenSSL +Requires: python3-cryptography +Requires: python3-keyring +Requires: python3-requests +Requires: python3-urllib3 +Requires: sgx-libs = %{version}-%{release} + +%description -n sgx-pccs-admin +SGX Provisioning Certificate Caching Service Admin Tool + + +%package -n sgx-pckid-tool +Summary: SGX PCK Cert ID Retrieval Tool +Requires: sgx-libs = %{version}-%{release} +%enclave_requires ide %{enclave_ide_version} +%enclave_requires pce %{enclave_pce_version} + +%description -n sgx-pckid-tool +SGX PCK Cert ID Retrieval Tool + + +%package -n sgx-mpa +Summary: SGX Multi-package Registration Agent +Requires: sgx-libs = %{version}-%{release} + +%description -n sgx-mpa +SGX Multi-package Registration Agent + + +%package -n tdx-qgs +Summary: TDX Quoting Generation Service +Requires: sgx-libs = %{version}-%{release} +Recommends: sgx-mpa sgx-pckid-tool +Suggests: sgx-pckid-tool + +%enclave_requires ide %{enclave_ide_version} +%enclave_requires pce %{enclave_pce_version} +%enclave_requires tdqe %{enclave_tdqe_version} + + +%description -n tdx-qgs +TDX Quoting Generation Service + + +%package -n tdx-attest-libs +Summary: TDX attestation libraries +Requires: sgx-common = %{version}-%{release} + +%description -n tdx-attest-libs +TDX attestation 
libraries + +This assists guest applications in attesting +their virtual machine environment. + + +%package -n tdx-attest-devel +Summary: TDX attestation libraries development +Requires: tdx-attest-libs = %{version}-%{release} + +%description -n tdx-attest-devel +TDX attestation libraries development + +This enables integration of support for attestation +in applications + + +%prep +%setup -q -n linux-sgx-sgx_%{linux_sgx_version}_reproducible + +%autopatch -m 0 -M 12 -p1 +%if !%{with_aesm} +%autopatch -m 13 -M 13 -p1 +%endif + +############################################################ +# +# 'make preparation' is required first build step, and would +# pull in many git submodules, apply patches for various +# things, download pre-built enclaves, etc. +# +# What follows simulates 'make preparation' with functionally +# equivalent actions to get the source tree setup in the +# expected manner for performing the build +# +############################################################ + +# Will use system package instead +rm -rf external/CppMicroServices +%if %{with_host_tinyxml2} +rm -rf external/tinyxml2 +%endif + +# Don't intend to package these optional bits since none of +# the required enclaves need this, and thus we can cut down +# on bundling some 3rd party code +rm -rf external/{dnnl,openmp,protobuf,mbedtls} sdk/sample_libcrypto + +############################################################ +# dcap +( + cd external/dcap_source + + tar zxf %{SOURCE2} --strip 1 + + %autopatch -m 100 -M 199 -p1 + + ( + mkdir QuoteVerification/sgxssl + cd QuoteVerification/sgxssl + + tar zxf %{SOURCE4} --strip 1 + %autopatch -m 200 -M 299 -p1 + + cp %{SOURCE10} openssl_source/ + ) + + ( + cd QuoteVerification/QVL + + tar zxf %{SOURCE7} --strip 1 + ) + + ( + cd QuoteVerification/QuoteVerificationService + + tar zxf %{SOURCE8} --strip 1 + ) + + ( + cd external/jwt-cpp + + tar zxf %{SOURCE12} --strip 1 + ) + + ( + cd external/wasm-micro-runtime + + tar zxf %{SOURCE13} --strip 1 + ) 
+) + +############################################################ +# sgxssl +( + cd external/sgxssl + tar zxf %{SOURCE4} --strip 1 + %autopatch -m 200 -M 299 -p1 + + cp %{SOURCE10} openssl_source/ +) + +############################################################ +# ippcrypto +( + # XXX sanity check that all ipp-crypto is permitted by Fedora + cd external/ippcp_internal/ipp-crypto + tar zxf %{SOURCE5} --strip 1 + %autopatch -m 300 -M 399 -p1 +) + +############################################################ +# sgx-emm +( + cd external/sgx-emm/emm_src + tar zxf %{SOURCE6} --strip 1 +) +./external/sgx-emm/create_symlink.sh + +############################################################ +# libcbor +( + cd external/cbor/libcbor + tar zxf %{SOURCE11} --strip 1 + cd .. + cp -a libcbor sgx_libcbor + cd libcbor + patch -p1 < ../raw_cbor.patch + cd .. + cd sgx_libcbor + patch -p1 < ../sgx_cbor.patch +) + + +############################################################ +# tinyxml2 +%if ! %{with_host_tinyxml2} +( + cd external/tinyxml2 + tar zxf %{SOURCE14} --strip 1 +) +%endif + +############################################################ +# prebuilt enclaves + +# repack.sh strips pre-built enclaves we don't ship, but +# the build process still looks for them, so pretend +# everything exists +mkdir -p psw/ae/data/prebuilt/ +touch psw/ae/data/prebuilt/libsgx_{le,qe,pve,pce}.signed.so + +( + cd external/dcap_source/QuoteGeneration + tar zxf %{SOURCE3} + + # Again just pretend everything exists to placate build + touch psw/ae/data/prebuilt/libsgx_{pce,id_enclave,qe3,tdqe,qve}.signed.so + + # the header files need to be up 1 level + # + # XXX these headers shouldn't really be needed, since DCAP + # already unpacks & build openssl as a side effect of + # sgxssl. Somewhere the headers from that build are discarded + # and QuoteVerification makefiles are set to look at these + # pre-built headers instead. 
This is a bug in DCAP that needs
+ # fixing and sending upstream
+ mkdir -p ../prebuilt/openssl/inc ../prebuilt/opa_bin
+ mv prebuilt/openssl/inc/* ../prebuilt/openssl/inc/
+
+ # Source3 contains a pre-built policy.wasm file which repack.sh
+ # purges. There are no instructions for how to create this file
+ # but the build system needs it to exist, so we touch it. Despite
+ # all this it never gets installed as while it was added to the
+ # BOM in dcap, it was missed from the BOMs in linux-sgx.
+ # https://github.com/intel/SGXDataCenterAttestationPrimitives/issues/427
+ touch ../prebuilt/opa_bin/policy.wasm
+)
+
+# Sanity check that upstream hasn't include more prebult
+# files that we've not expected.
+find -name '*.a' -o -name '*.o' > prebuilt.txt
+if test -s prebuilt.txt
+then
+ echo "ERROR: Found pre-built files in source tree."
+ echo "ERROR: The following files must be removed from the source archives:"
+ cat prebuilt.txt
+ exit 1
+fi
+
+%build
+
+# Workaround for cmake >= 4.0 which drops compat with
+# cmake_minimum_required(VERSION 3.0.0)
+export CMAKE_POLICY_VERSION_MINIMUM=3.5
+
+############################################################
+# First, build the SDK
+
+# IPP Crypto needs to be pre-built for the SDK.
+# Note, that the 'make clean' doesn't delete the
+# output '.a' files we need, only the '.o' files
+# So when complete we have 3 builds of IPP Crypto
+# in external/ippcp_internal/lib/linux/intel64/
+for mitigation in '' LOAD CF
+do
+ %__make %{?_smp_mflags} \
+ -C external/ippcp_internal \
+ IPP_USE_GIT=0 \
+ clean
+
+ %__make %{?_smp_mflags} \
+ -C external/ippcp_internal \
+ MITIGATION-CVE-2020-0551=$mitigation \
+ IPP_USE_GIT=0
+done
+
+# Now we can build the actual SDK
+for mitigation in LOAD CF ''
+do
+ %__make %{?_smp_mflags} \
+ -C sdk/ V=1 \
+ MITIGATION-CVE-2020-0551=$mitigation \
+ clean
+
+ %__make %{?_smp_mflags} \
+ -C external/dcap_source/QuoteVerification/dcap_tvl \
+ MITIGATION-CVE-2020-0551=$mitigation \
+ clean
+
+ # XXX temp override -j1 due to race conditions that have not yet been diagnosed
+ %__make %{?_smp_mflags} -j1 \
+ -C sdk/ V=1 \
+ MITIGATION-CVE-2020-0551=$mitigation \
+ USE_HOST_OPENSSL_CRYPTO=1 \
+ USE_HOST_TINYXML2=%{with_host_tinyxml2}
+
+ %__make %{?_smp_mflags} \
+ -C external/dcap_source/QuoteVerification/dcap_tvl \
+ MITIGATION-CVE-2020-0551=$mitigation
+done
+
+
+############################################################
+# Second, install the SDK into a temporary tree, since this
+# dir tree is needed by the next build phase.
+
+%global vroot build/vroot
+
+./linux/installer/bin/build-installpkg.sh sdk cve-2020-0551
+./linux/installer/bin/sgx_linux_x64_sdk_*.bin --prefix=%{vroot}
+
+
+############################################################
+# Third, build the AEs (Architectural Enclaves).
+
+# XXX temp override -j1 due to race condition setting up sgxssl headers with QvE
+%global do_build() \
+%if %1 \
+ %if "%3" == "qve.so" \
+ %make_build -C %2 \\\
+ SGX_SDK=$(pwd)/%{vroot}/sgxsdk \\\
+ %3 -j1 \
+ %else \
+ %make_build -C %2 \\\
+ SGX_SDK=$(pwd)/%{vroot}/sgxsdk \\\
+ %3 \
+ %endif \
+%endif
+
+%do_build %{_with_enclave_pce} psw/ae/pce pce.so
+%do_build %{_with_enclave_ide} external/dcap_source/QuoteGeneration/quote_wrapper/quote/id_enclave/linux id_enclave.so
+%do_build %{_with_enclave_qe3} external/dcap_source/QuoteGeneration/quote_wrapper/quote/enclave/linux qe3.so
+%do_build %{_with_enclave_tdqe} external/dcap_source/QuoteGeneration/quote_wrapper/tdx_quote/enclave/linux tdqe.so
+%do_build %{_with_enclave_qve} external/dcap_source/QuoteVerification/QvE qve.so
+
+
+############################################################
+# Fourth, build the Platform Software
+
+%__make %{?_smp_mflags} \
+ -C psw/ V=1 \
+ SGX_SDK=$(pwd)/%{vroot}/sgxsdk \
+ SGX_ENCLAVE_PATH=%{sgx_libdir} \
+ USE_HOST_OPENSSL_CRYPTO=1 \
+ USE_HOST_CPPMICROSERVICES=1
+
+# XXX temp override -j1 due to race conditions that have not yet been diagnosed
+%__make %{?_smp_mflags} -j1 \
+ -C external/dcap_source/ V=1 \
+ SGX_SDK=$(pwd)/%{vroot}/sgxsdk \
+ SGX_ENCLAVE_PATH=%{sgx_libdir}
+
+
+# SDK provides dummy stub libraries to deal with a circular
+# build dependancy problem where the PSW wants these libs
+# before it has built its own real copies.
Delete them now,
+# since we've done the PSW build and don't want these dummy
+# stubs installed
+for i in epid launch quote_ex uae_service urts
+do
+ rm -f %{vroot}/sgxsdk/lib64/libsgx_$i.so
+done
+rm -f %{vroot}/sgxsdk/lib64/libsgx_urts.so.2
+
+
+# Pull together all license files relevant to the code
+# that is known to be built into the enclaves
+mkdir licenses
+for f in License.txt \
+ external/epid-sdk/LICENSE.txt \
+ external/epid-sdk/ext/argtable3/LICENSE \
+ sdk/compiler-rt/LICENSE.TXT \
+ sdk/cpprt/linux/libunwind/LICENSE \
+ sdk/gperftools/gperftools-2.7/COPYING \
+ sdk/tlibcxx/LICENSE.TXT \
+ external/dcap_source/License.txt \
+ external/dcap_source/QuoteGeneration/ThirdPartyLicenses.txt \
+ external/dcap_source/tools/PCKRetrievalTool/License.txt \
+ external/dcap_source/tools/PCKRetrievalTool/ThirdPartyLicenseIndex.txt \
+ external/dcap_source/tools/PccsAdminTool/License.txt \
+ external/dcap_source/tools/SGXPlatformRegistration/inf/MPA_Network_Components/License.txt \
+ external/dcap_source/tools/SGXPlatformRegistration/inf/MPA_UEFI_Components/License.txt \
+ external/dcap_source/tools/SGXPlatformRegistration/license.txt
+do
+ d=$(dirname $f)
+ mkdir -p licenses/$d
+ cp $f licenses/$f
+done
+
+%install
+
+############################################################
+# Install phase
+#
+# There's nothing useful like 'make install' to install
+# everything in the right place :-(
+
+# Dirs for host OS software
+%__install -d %{buildroot}%{_bindir}
+%__install -d %{buildroot}%{_sbindir}
+%__install -d %{buildroot}%{_libdir}/pkgconfig
+%__install -d %{buildroot}%{_libexecdir}
+%__install -d %{buildroot}%{_datadir}
+%__install -d %{buildroot}%{_includedir}
+%__install -d %{buildroot}%{_unitdir}
+%__install -d %{buildroot}%{_sysusersdir}
+%__install -d %{buildroot}%{_udevrulesdir}
+
+# Dirs for enclave software
+%__install -d %{buildroot}%{sgx_includedir}
+%__install -d %{buildroot}%{sgx_libdir}
+
+############################################################
+# First the SDK stuff we put into the 'vroot' earlier
+
+mv %{vroot}/sgxsdk/bin/sgx* %{buildroot}%{_bindir}/
+mv %{vroot}/sgxsdk/bin/x64/sgx* %{buildroot}%{_bindir}/
+mv %{vroot}/sgxsdk/include/* %{buildroot}%{sgx_includedir}/
+mv %{vroot}/sgxsdk/lib64/libsgx*.a %{buildroot}%{sgx_libdir}/
+mv %{vroot}/sgxsdk/lib64/libtdx*.a %{buildroot}%{sgx_libdir}/
+mv %{vroot}/sgxsdk/lib64/libsgx*.so* %{buildroot}%{_libdir}/
+mv %{vroot}/sgxsdk/lib64/gdb-sgx-plugin %{buildroot}%{_datadir}/sgx-gdb-plugin
+mv %{vroot}/sgxsdk/pkgconfig/libsgx*pc %{buildroot}%{_libdir}/pkgconfig/
+
+rm -rf %{vroot}/sgxsdk/SampleCode
+
+############################################################
+# Second the (unsigned) architectural enclaves
+
+# @arg1: boolean condition for whether to ship this enclave
+# @arg2: base name of the enclave
+# @arg3: directory containing locally built enclave
+# @arg4: directory containing pre-bult enclave
+# @arg5: symbol name that defines the enclave SO version
+%global do_install() \
+%if %1 \
+%__install -m 0755 %3/%2.so %{buildroot}%{sgx_libdir}/libsgx_%2.so \
+%endif
+
+version_file=common/inc/internal/se_version.h
+%do_install %{_with_enclave_pce} pce psw/ae/pce psw/ae/data/prebuilt PCE_VERSION
+
+version_file=external/dcap_source/QuoteGeneration/common/inc/internal/se_version.h
+%do_install %{_with_enclave_ide} id_enclave external/dcap_source/QuoteGeneration/quote_wrapper/quote/id_enclave/linux external/dcap_source/QuoteGeneration/psw/ae/data/prebuilt IDE_VERSION
+%do_install %{_with_enclave_qe3} qe3 external/dcap_source/QuoteGeneration/quote_wrapper/quote/enclave/linux external/dcap_source/QuoteGeneration/psw/ae/data/prebuilt QE3_VERSION
+%do_install %{_with_enclave_tdqe} tdqe external/dcap_source/QuoteGeneration/quote_wrapper/tdx_quote/enclave/linux external/dcap_source/QuoteGeneration/psw/ae/data/prebuilt TDQE_VERSION
+%do_install %{_with_enclave_qve} qve external/dcap_source/QuoteVerification/QvE external/dcap_source/QuoteGeneration/psw/ae/data/prebuilt
QVE_VERSION
+
+
+############################################################
+# Third the Platform Software
+#
+# Neither of these fully installs all of the software, so we
+# have to run both. There's a little overlap in what they
+# install but that's harmless as duplicated content should
+# match between them. For further info go to the source
+# and compare:
+#
+# $ cd linux/installer/common
+# $ diff -rup psw-dcap/BOM_install/ psw-tdx/BOM_install/
+sed -i '/libCppMicroServices/g' linux/installer/common/psw-dcap/BOM_install/sgx-aesm-service.txt
+%__make -I linux/installer/common/psw-dcap -f linux/installer/common/psw-dcap/Makefile SRCDIR=. DESTDIR=%{vroot}/psw install
+%__make -I linux/installer/common/psw-tdx -f linux/installer/common/psw-tdx/Makefile SRCDIR=. DESTDIR=%{vroot}/psw install
+
+# The above commands don't actually install into a single
+# usable tree, instead they create multiple top level FS
+# trees, each of which reflects the non-upstream Debian/RPM
+# packages that Intel propose. These RPMs don't reflect the
+# Fedora packaging guidelines, so we're ignoring their layout
+# and re-arranging things in a more normal manner.
+#
+# First merge all the top level dirs together into one
+# tree under the final build root
+mkdir %{vroot}/root
+for dir in %{vroot}/psw/*
+do
+ cp -a $dir/* %{vroot}/root/
+done
+cp -a %{vroot}/root/ %{buildroot}/root
+
+# Second, re-arrange the content to match the normal tree
+# layout Fedora expects.
We rm/rmdir any bits we don't
+# want, such that RPM will warn about any files left in
+# the build root that aren't listed as 'files', so we catch
+# new files appearing in future versions
+
+############################################################
+# Host AESM service
+
+%if %{with_aesm}
+%__install -d %{buildroot}%{_sysconfdir}/aesmd
+%__install -d %{buildroot}%{_libdir}/aesmd
+%__install -d %{buildroot}%{_datadir}/aesmd
+%__install -d %{buildroot}%{_sharedstatedir}/aesmd
+%__install -d %{buildroot}%{_rundir}/aesmd
+%endif
+
+# Enclaves to be provided by a separate package, so we purge these
+rm -f %{buildroot}/root/opt/intel/sgx-aesm-service/aesm/*signed.so*
+
+%if %{with_aesm}
+rm -f %{buildroot}/root/opt/intel/sgx-aesm-service/aesm/linksgx.sh
+rm -f %{buildroot}/root/opt/intel/sgx-aesm-service/aesm/libsgx_urts.so.2
+rm -f %{buildroot}/root/opt/intel/sgx-aesm-service/startup.sh
+rm -f %{buildroot}/root/opt/intel/sgx-aesm-service/cleanup.sh
+
+
+mv %{buildroot}/root/opt/intel/sgx-aesm-service/aesm/le_prod_css.bin %{buildroot}%{_datadir}/aesmd/
+mv %{buildroot}/root/var/opt/aesmd/data/white_list_cert_to_be_verify.bin %{buildroot}%{_datadir}/aesmd/
+rmdir %{buildroot}/root/var/opt/aesmd/data/
+rmdir %{buildroot}/root/var/opt/aesmd
+
+mv %{buildroot}/root/opt/intel/sgx-aesm-service/aesm/* %{buildroot}%{_libdir}/aesmd/
+rmdir %{buildroot}/root/opt/intel/sgx-aesm-service/aesm
+rmdir %{buildroot}/root/opt/intel/sgx-aesm-service
+
+mv %{buildroot}/root/etc/aesmd.conf %{buildroot}%{_sysconfdir}/
+
+# Workarounds for code that assumes all files are in the same dir
+# XXX patch the source to just look in the right place to begin with
+ln -s ../../..%{_sysconfdir}/aesmd.conf \
+ %{buildroot}%{_libdir}/aesmd/aesmd.conf
+ln -s ../../..%{_datadir}/aesmd/le_prod_css.bin \
+ %{buildroot}%{_libdir}/aesmd/le_prod_css.bin
+ln -s ../../..%{_datadir}/aesmd/white_list_cert_to_be_verify.bin \
+ %{buildroot}%{_libdir}/aesmd/white_list_cert_to_be_verify.bin
+
+# XXX it looks for
files relative to its binary, so we
+# need this wrapper. Patch the source and kill this
+cat >> %{buildroot}%{_sbindir}/aesmd < %{buildroot}%{_bindir}/pccsadmin <