rpms/linux-sgx
7
0
Fork 0
Code Issues Pull Requests Releases Activity

Compare commits

merge into: rpms:c9-beta
Branches Tags
rpms:c10s
rpms:c9s
rpms:c9-beta
rpms:imports/c10s/linux-sgx-2.26-7.el10
rpms:imports/c10s/linux-sgx-2.26-6.el10
rpms:imports/c10s/linux-sgx-2.26-1.el10
rpms:imports/c9-beta/linux-sgx-2.25-6.el9
rpms:imports/c10s/linux-sgx-2.25-6.el10
...
pull from: rpms:c10s
Branches Tags
rpms:c10s
rpms:c9s
rpms:c9-beta
rpms:imports/c10s/linux-sgx-2.26-7.el10
rpms:imports/c10s/linux-sgx-2.26-6.el10
rpms:imports/c10s/linux-sgx-2.26-1.el10
rpms:imports/c9-beta/linux-sgx-2.25-6.el9
rpms:imports/c10s/linux-sgx-2.25-6.el10

8 Commits
c9-beta ... c10s

Author SHA1 Message Date
Daniel P. Berrangé
3c00769e65 Fix pccs npm security flaws 
Sync patches from Fedora 43, to fix multiple pccs npm security flaws,
and fix typo in pccsadmin help text.

CVE-2026-23745, CVE-2026-23950, CVE-2026-24842, CVE-2025-13465, CVE-2025-15284

Resolves: RHEL-145005, RHEL-144190, RHEL-142482, RHEL-138075, RHEL-140108
Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
 2026-02-05 11:52:25 +00:00
Daniel P. Berrangé
12589a1af6 Port to pycryptography and pyasn1 and make keyring optional 
pyOpenSSL 24.0.0 removed several APIs required by pccsadmin, so
porting to pycryptography is required on Fedora. Since RHEL does
not ship pyOpenSSL, the port is useful here too.

Using pyasn1 instead of asn1 gives stronger validation during
parsing and brings compatibility with RHEL that lacks python3-asn1

The keyring package needs to be optional on RHEL which lacks this
module (currently).

Also drop the inappropriate pccs port number change

Related: https://issues.redhat.com/browse/RHEL-121612
Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
 2025-12-10 11:17:54 +00:00
Daniel P. Berrangé
391d603fde Sync specfile changes from Fedora 
Related: https://issues.redhat.com/browse/RHEL-121612
Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
 2025-12-10 11:17:53 +00:00
Daniel P. Berrangé
a60a22210b Drop sgx-mpa dep from sgx-pccs 
While pccs can be run node-local, a typical deployment would
have pccs on the LAN to cache certs across many hosts. As
such a dep on sgx-mpa is inappropriate, and tdx-qgs already
has a weak dep for this.

Related: https://issues.redhat.com/browse/RHEL-121612
Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
 2025-12-10 11:15:57 +00:00
Daniel P. Berrangé
bab0c46cd5 Add scriptlets for PCCS 
Related: https://issues.redhat.com/browse/RHEL-121612
Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
 2025-12-10 11:15:55 +00:00
Daniel P. Berrangé
a0bdc65f62 Enable pccsadmin everywhere 
Since pccs was reintroduced the pccsadmin tool is now relevant on
both RHEL and Fedora

Related: https://issues.redhat.com/browse/RHEL-121612
Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
 2025-12-10 11:15:48 +00:00
Daniel P. Berrangé
bc5efa9502 Update to SGX 2.26 / DCAP 1.23, adding PCCS service 
Resolves: https://issues.redhat.com/browse/RHEL-121612
Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
 2025-11-18 18:29:56 +00:00
Daniel P. Berrangé
e53e83c1ed Trigger udev to set perms on /dev/sgx_provision 
This ensures that if qgs is started, without a reboot after install,
it will have permissions to access /dev/sgx_provision

Resolves: https://issues.redhat.com/browse/RHEL-110112
Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
 2025-10-14 17:55:40 +01:00
68 changed files with 6715 additions and 977 deletions
Show Stats Expand all files Collapse all files

30
.gitignore vendored
View File

@ -1,13 +1,17 @@
/dcap_1.22_reproducible.tar.gz
/dcap-qvl-1.21.tar.gz
/dcap-qvs-1.1.0-2885.tar.gz
/intel-sgx-ssl-3.0_Rev4.tar.gz
/ippcp_2021.12.1.tar.gz
/jwt-cpp-0.6.0.tar.gz
/libcbor-0.10.2.tar.gz
/linux-sgx-2.25-reproducible.tar.gz
/openssl-3.0.14.tar.gz
/prebuilt_dcap_1.22-repacked.tar.gz
/sgx-emm-1.0.3.tar.gz
/tinyxml2-10.0.0.tar.gz
/wasm-micro-runtime-1.3.3.tar.gz
/dcap-qvl-*.tar.gz
/dcap-qvs-*.tar.gz
/intel-sgx-ssl-*.tar.gz
/ippcp_*.tar.gz
/jwt-cpp-*.tar.gz
/libcbor-*.tar.gz
/linux-sgx-*.tar.gz
/openssl-*.tar.gz
/prebuilt_dcap_*.tar.gz
/sgx-emm-*.tar.gz
/tinyxml2-*.tar.gz
/wasm-micro-runtime-*.tar.gz
/DCAP_*.tar.gz
*~
/dcap-*-pccs-node-modules.tar.xz
/node-ffi-rs-*-vendor.tar.gz
/node-ffi-rs-*.tar.gz

16
0000-Add-support-for-building-against-host-openssl-crypto.patch
View File

@ -1,7 +1,7 @@
From 035a09af5fa31cdc7ab683c8188168623848f033 Mon Sep 17 00:00:00 2001
From d4f132e1363779aef2c4209789ca364e27f45bb2 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?= <berrange@redhat.com>
Date: Thu, 13 Feb 2025 14:12:38 +0000
Subject: [PATCH 00/16] Add support for building against host openssl crypto
Subject: [PATCH 00/15] Add support for building against host openssl crypto
lib
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
@ -85,7 +85,7 @@ index a3843bdf..2c9c87b3 100644
${CMAKE_SOURCE_DIR}/../../../../external/rdrand/src/librdrand.a
)
diff --git a/psw/urts/linux/Makefile b/psw/urts/linux/Makefile
index 41797648..4097444c 100644
index 7e0b6a08..3d08ee5c 100644
--- a/psw/urts/linux/Makefile
+++ b/psw/urts/linux/Makefile
@@ -43,8 +43,6 @@ CFLAGS += -fPIC -Werror -g
@ -116,7 +116,7 @@ index 41797648..4097444c 100644
INTERNAL_LDFLAGS += -Wl,--version-script=urts_internal.lds -Wl,--gc-sections
diff --git a/sdk/sign_tool/SignTool/Makefile b/sdk/sign_tool/SignTool/Makefile
index 3d593972..1eb8d460 100644
index 1ed9f286..ed177c86 100644
--- a/sdk/sign_tool/SignTool/Makefile
+++ b/sdk/sign_tool/SignTool/Makefile
@@ -42,9 +42,6 @@ CFLAGS += $(FLAGS)
@ -138,7 +138,7 @@ index 3d593972..1eb8d460 100644
DIR1 := $(LINUX_EXTERNAL_DIR)/tinyxml2/
DIR2 := $(COMMON_DIR)/src/
@@ -89,7 +86,7 @@ all: sgx_sign | $(BUILD_DIR)
@@ -90,7 +87,7 @@ all: sgx_sign | $(BUILD_DIR)
$(BUILD_DIR):
@$(MKDIR) $@
@ -180,7 +180,7 @@ index c66beed2..45ddb576 100644
vpath %.cpp $(LINUX_PSW_DIR)/ae/common \
$(LINUX_SDK_DIR)/simulation/urtssim \
diff --git a/sdk/simulation/urtssim/linux/Makefile b/sdk/simulation/urtssim/linux/Makefile
index dde577ca..505ce8d9 100644
index e756d468..ea8ca78c 100644
--- a/sdk/simulation/urtssim/linux/Makefile
+++ b/sdk/simulation/urtssim/linux/Makefile
@@ -42,9 +42,6 @@ endif
@ -202,7 +202,7 @@ index dde577ca..505ce8d9 100644
CPPFLAGS += -I$(COMMON_DIR)/inc/internal \
-I$(LINUX_PSW_DIR)/urts/linux \
@@ -127,7 +124,7 @@ LDFLAGS += $(COMMON_LDFLAGS) -Wl,--version-script=$(LINUX_PSW_DIR)/urts/linux/ur
@@ -128,7 +125,7 @@ LDFLAGS += $(COMMON_LDFLAGS) -Wl,--version-script=$(LINUX_PSW_DIR)/urts/linux/ur
LIBURTSSIM_SHARED := libsgx_urts_sim.so
LIBURTS_DEPLOY := libsgx_urts_deploy.so
@ -212,5 +212,5 @@ index dde577ca..505ce8d9 100644
.PHONY: all
--
2.48.1
2.49.0

12
0001-Add-support-for-building-against-host-tinyxml2-lib.patch
View File

@ -1,7 +1,7 @@
From a1ebbd0efeb66f23a02e63946d6f2c8ec9c00c00 Mon Sep 17 00:00:00 2001
From e372a1a009f1de14ea5ee01ec022633d88f6d234 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?= <berrange@redhat.com>
Date: Thu, 13 Feb 2025 14:01:10 +0000
Subject: [PATCH 01/16] Add support for building against host tinyxml2 lib
Subject: [PATCH 01/15] Add support for building against host tinyxml2 lib
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
@ -44,7 +44,7 @@ index acae2106..6dac4028 100644
+TINYXML2_DIR = $(LINUX_EXTERNAL_DIR)/tinyxml2/
+endif
diff --git a/sdk/sign_tool/SignTool/Makefile b/sdk/sign_tool/SignTool/Makefile
index 1eb8d460..219fb5ad 100644
index ed177c86..1dcb6f51 100644
--- a/sdk/sign_tool/SignTool/Makefile
+++ b/sdk/sign_tool/SignTool/Makefile
@@ -49,11 +49,11 @@ INC += -I$(COMMON_DIR)/inc \
@ -69,8 +69,8 @@ index 1eb8d460..219fb5ad 100644
+OBJ3 := $(TINYXML2_OBJ)
OBJ4 := loader.o \
se_detect.o
@@ -86,7 +86,7 @@ all: sgx_sign | $(BUILD_DIR)
se_detect.o \
@@ -87,7 +87,7 @@ all: sgx_sign | $(BUILD_DIR)
$(BUILD_DIR):
@$(MKDIR) $@
@ -80,5 +80,5 @@ index 1eb8d460..219fb5ad 100644
sgx_sign: $(OBJS) enclaveparser
--
2.48.1
2.49.0

8
0002-Add-support-for-building-against-host-CppMicroServic.patch
View File

@ -1,7 +1,7 @@
From 90ec590f9b17b878cfe2e338d55362349d5ad67e Mon Sep 17 00:00:00 2001
From 02f4535633d317894629f30daf0583fddcdf3f1c Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?= <berrange@redhat.com>
Date: Thu, 13 Feb 2025 14:01:10 +0000
Subject: [PATCH 02/16] Add support for building against host CppMicroServices
Subject: [PATCH 02/15] Add support for building against host CppMicroServices
lib
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
@ -125,7 +125,7 @@ index bac84292..89a15875 100644
ifeq ($(RDRAND_MAKEFILE), $(wildcard $(RDRAND_MAKEFILE)))
@$(MAKE) distclean -C $(RDRAND_LIBDIR)
diff --git a/psw/ae/aesm_service/source/CMakeLists.txt b/psw/ae/aesm_service/source/CMakeLists.txt
index 98c724a7..3edd77c7 100644
index da3e0b77..89b3e3ae 100644
--- a/psw/ae/aesm_service/source/CMakeLists.txt
+++ b/psw/ae/aesm_service/source/CMakeLists.txt
@@ -46,7 +46,7 @@ else()
@ -138,5 +138,5 @@ index 98c724a7..3edd77c7 100644
cmake_minimum_required(VERSION ${US_CMAKE_MINIMUM_REQUIRED_VERSION})
cmake_policy(VERSION ${US_CMAKE_MINIMUM_REQUIRED_VERSION})
--
2.48.1
2.49.0

16
0003-Improve-make-debuggability.patch
View File

@ -1,7 +1,7 @@
From 50ba5d706d65359514e973175c34f36b6887a1e8 Mon Sep 17 00:00:00 2001
From e607f7279049d2db090a2bef9c7943cdb55d9de6 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?= <berrange@redhat.com>
Date: Fri, 1 Mar 2024 12:53:26 +0000
Subject: [PATCH 03/16] Improve make debuggability
Subject: [PATCH 03/15] Improve make debuggability
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
@ -17,10 +17,10 @@ Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
2 files changed, 5 insertions(+), 5 deletions(-)
diff --git a/sdk/Makefile.source b/sdk/Makefile.source
index 4bbfd4f3..d3e40036 100644
index e98776df..dfbca6d4 100644
--- a/sdk/Makefile.source
+++ b/sdk/Makefile.source
@@ -78,7 +78,7 @@ tstdc: $(LIBTLIBC)
@@ -77,7 +77,7 @@ tstdc: $(LIBTLIBC)
ifndef SERVTD_ATTEST
$(LIBTLIBC): tlibthread compiler-rt tsafecrt tsetjmp tmm_rsrv
@ -29,7 +29,7 @@ index 4bbfd4f3..d3e40036 100644
@$(MKDIR) $(BUILD_DIR)/.compiler-rt $(BUILD_DIR)/.tlibthread $(BUILD_DIR)/.tsafecrt $(BUILD_DIR)/.tsetjmp $(BUILD_DIR)/.tmm_rsrv
@$(RM) -f $(BUILD_DIR)/.compiler-rt/* && cd $(BUILD_DIR)/.compiler-rt && $(AR) x $(LINUX_SDK_DIR)/compiler-rt/libcompiler-rt.a
@$(RM) -f $(BUILD_DIR)/.tlibthread/* && cd $(BUILD_DIR)/.tlibthread && $(AR) x $(LINUX_SDK_DIR)/tlibthread/libtlibthread.a
@@ -96,7 +96,7 @@ $(LIBTLIBC): tlibthread compiler-rt tsafecrt tsetjmp tmm_rsrv
@@ -95,7 +95,7 @@ $(LIBTLIBC): tlibthread compiler-rt tsafecrt tsetjmp tmm_rsrv
@$(RM) -rf $(BUILD_DIR)/.tsetjmp $(BUILD_DIR)/.tmm_rsrv
else
$(LIBTLIBC): tlibthread tsafecrt tsetjmp tmm_rsrv
@ -38,7 +38,7 @@ index 4bbfd4f3..d3e40036 100644
@$(MKDIR) $(BUILD_DIR)/.tlibthread $(BUILD_DIR)/.tsafecrt $(BUILD_DIR)/.tsetjmp $(BUILD_DIR)/.tmm_rsrv
@$(RM) -f $(BUILD_DIR)/.tlibthread/* && cd $(BUILD_DIR)/.tlibthread && $(AR) x $(LINUX_SDK_DIR)/tlibthread/libtlibthread.a
@$(RM) -f $(BUILD_DIR)/.tsafecrt/* && cd $(BUILD_DIR)/.tsafecrt && $(AR) x $(LINUX_SDK_DIR)/tsafecrt/libsgx_tsafecrt.a
@@ -119,7 +119,7 @@ tsafecrt:
@@ -118,7 +118,7 @@ tsafecrt:
.PHONY: compiler-rt
compiler-rt:
@ -47,7 +47,7 @@ index 4bbfd4f3..d3e40036 100644
.PHONY: tsetjmp
tsetjmp:
@@ -163,7 +163,7 @@ cpprt:
@@ -162,7 +162,7 @@ cpprt:
.PHONY: tlibcxx
tlibcxx: $(BUILD_DIR)
@ -70,5 +70,5 @@ index d1ac38a1..5fb90c21 100644
.PHONY: clean
--
2.48.1
2.49.0

10
0004-Support-disabling-use-of-git-for-ippcp-code.patch
View File

@ -1,7 +1,7 @@
From e9150e028f1d0f567bab4d2c7d5e5fc02cadce06 Mon Sep 17 00:00:00 2001
From 8d858334aeade0a0063456fa03cdbc3f6a55d51f Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?= <berrange@redhat.com>
Date: Thu, 13 Feb 2025 14:37:24 +0000
Subject: [PATCH 04/16] Support disabling use of git for ippcp code
Subject: [PATCH 04/15] Support disabling use of git for ippcp code
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
@ -16,7 +16,7 @@ Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
1 file changed, 4 insertions(+)
diff --git a/external/ippcp_internal/Makefile b/external/ippcp_internal/Makefile
index b4108cb8..70718f5e 100644
index a57c22a9..d78ba90e 100644
--- a/external/ippcp_internal/Makefile
+++ b/external/ippcp_internal/Makefile
@@ -33,6 +33,8 @@ include ../../buildenv.mk
@ -37,7 +37,7 @@ index b4108cb8..70718f5e 100644
git submodule update -f --init --recursive --remote -- $(IPP_SOURCE)
else
@@ -92,6 +95,7 @@ else
git clone -b ipp-ipp-crypto_2021_12_1 https://github.com/intel/ipp-crypto.git --depth 1 $(IPP_SOURCE)
git clone -b ipp-crypto_2021_12_1 https://github.com/intel/ipp-crypto.git --depth 1 $(IPP_SOURCE)
endif
cd $(IPP_SOURCE) && git apply ../0001-IPP-crypto-for-SGX.patch
+endif
@ -45,5 +45,5 @@ index b4108cb8..70718f5e 100644
.PHONY: clean
--
2.48.1
2.49.0

112
0005-disable-openmp-protobuf-mbedtls-sample_crypto-builds.patch → 0005-disable-openmp-protobuf-sample_crypto-builds.patch
View File

@ -1,8 +1,7 @@
From bdeff24e929360b5ecfa5b0fe36513607b98daf3 Mon Sep 17 00:00:00 2001
From e10242ea154af19d527377c9ff885fa0c7e7ce41 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?= <berrange@redhat.com>
Date: Tue, 18 Jun 2024 15:57:22 +0100
Subject: [PATCH 05/16] disable openmp, protobuf, mbedtls & sample_crypto
builds
Subject: [PATCH 05/15] disable openmp, protobuf & sample_crypto builds
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
@ -12,15 +11,15 @@ important, so skip them to reduce amount of bundled package code.
Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
---
linux/installer/common/sdk/BOMs/sdk_base.txt | 335 ------------------
.../common/sdk/BOMs/sdk_cve_2020_0551_cf.txt | 3 -
.../sdk/BOMs/sdk_cve_2020_0551_load.txt | 3 -
linux/installer/common/sdk/BOMs/sdk_x64.txt | 4 -
sdk/Makefile.source | 30 +-
5 files changed, 1 insertion(+), 374 deletions(-)
linux/installer/common/sdk/BOMs/sdk_base.txt | 298 ------------------
.../common/sdk/BOMs/sdk_cve_2020_0551_cf.txt | 2 -
.../sdk/BOMs/sdk_cve_2020_0551_load.txt | 2 -
linux/installer/common/sdk/BOMs/sdk_x64.txt | 3 -
sdk/Makefile.source | 24 +-
5 files changed, 1 insertion(+), 328 deletions(-)
diff --git a/linux/installer/common/sdk/BOMs/sdk_base.txt b/linux/installer/common/sdk/BOMs/sdk_base.txt
index 032479d8..ed585066 100644
index d26ee825..ed585066 100644
--- a/linux/installer/common/sdk/BOMs/sdk_base.txt
+++ b/linux/installer/common/sdk/BOMs/sdk_base.txt
@@ -1,5 +1,4 @@
@ -29,7 +28,7 @@ index 032479d8..ed585066 100644
<deliverydir>/common/inc/sgx_attributes.h <installdir>/package/include/sgx_attributes.h 0 main STP
<deliverydir>/common/inc/sgx_capable.h <installdir>/package/include/sgx_capable.h 0 main STP
<deliverydir>/common/inc/sgx_cpuid.h <installdir>/package/include/sgx_cpuid.h 0 main STP
@@ -391,26 +390,6 @@ DeliveryName InstallName FileCheckSum FileFeature FileOwner
@@ -391,16 +390,6 @@ DeliveryName InstallName FileCheckSum FileFeature FileOwner
<deliverydir>/SampleCode/SealUnseal/Enclave_Unseal/Enclave_Unseal.cpp <installdir>/package/SampleCode/SealUnseal/Enclave_Unseal/Enclave_Unseal.cpp 0 N/A N/A
<deliverydir>/SampleCode/SealUnseal/Enclave_Unseal/Enclave_Unseal.edl <installdir>/package/SampleCode/SealUnseal/Enclave_Unseal/Enclave_Unseal.edl 0 N/A N/A
<deliverydir>/SampleCode/SealUnseal/Enclave_Unseal/Enclave_Unseal.lds <installdir>/package/SampleCode/SealUnseal/Enclave_Unseal/Enclave_Unseal.lds 0 N/A N/A
@ -43,20 +42,10 @@ index 032479d8..ed585066 100644
-<deliverydir>/SampleCode/ProtobufSGXDemo/Enclave/Enclave.lds <installdir>/package/SampleCode/ProtobufSGXDemo/Enclave/Enclave.lds 0 N/A N/A
-<deliverydir>/SampleCode/ProtobufSGXDemo/Enclave/person.proto <installdir>/package/SampleCode/ProtobufSGXDemo/Enclave/person.proto 0 N/A N/A
-<deliverydir>/SampleCode/ProtobufSGXDemo/Makefile <installdir>/package/SampleCode/ProtobufSGXDemo/Makefile 0 N/A N/A
-<deliverydir>/SampleCode/SampleMbedCrypto/App/App.cpp <installdir>/package/SampleCode/SampleMbedCrypto/App/App.cpp 0 N/A N/A
-<deliverydir>/SampleCode/SampleMbedCrypto/App/App.h <installdir>/package/SampleCode/SampleMbedCrypto/App/App.h 0 N/A N/A
-<deliverydir>/SampleCode/SampleMbedCrypto/Makefile <installdir>/package/SampleCode/SampleMbedCrypto/Makefile 0 N/A N/A
-<deliverydir>/SampleCode/SampleMbedCrypto/Enclave/Enclave.cpp <installdir>/package/SampleCode/SampleMbedCrypto/Enclave/Enclave.cpp 0 N/A N/A
-<deliverydir>/SampleCode/SampleMbedCrypto/Enclave/Enclave.lds <installdir>/package/SampleCode/SampleMbedCrypto/Enclave/Enclave.lds 0 N/A N/A
-<deliverydir>/SampleCode/SampleMbedCrypto/Enclave/Enclave_debug.lds <installdir>/package/SampleCode/SampleMbedCrypto/Enclave/Enclave_debug.lds 0 N/A N/A
-<deliverydir>/SampleCode/SampleMbedCrypto/Enclave/Enclave.h <installdir>/package/SampleCode/SampleMbedCrypto/Enclave/Enclave.h 0 N/A N/A
-<deliverydir>/SampleCode/SampleMbedCrypto/Enclave/Enclave.edl <installdir>/package/SampleCode/SampleMbedCrypto/Enclave/Enclave.edl 0 N/A N/A
-<deliverydir>/SampleCode/SampleMbedCrypto/Enclave/Enclave.config.xml <installdir>/package/SampleCode/SampleMbedCrypto/Enclave/Enclave.config.xml 0 N/A N/A
-<deliverydir>/SampleCode/SampleMbedCrypto/README.txt <installdir>/package/SampleCode/SampleMbedCrypto/README.txt 0 N/A N/A
<deliverydir>/SampleCode/SampleAEXNotify/Enclave/Enclave.config.xml <installdir>/package/SampleCode/SampleAEXNotify/Enclave/Enclave.config.xml 0 N/A N/A
<deliverydir>/SampleCode/SampleAEXNotify/Enclave/Enclave.cpp <installdir>/package/SampleCode/SampleAEXNotify/Enclave/Enclave.cpp 0 N/A N/A
<deliverydir>/SampleCode/SampleAEXNotify/Enclave/Enclave.edl <installdir>/package/SampleCode/SampleAEXNotify/Enclave/Enclave.edl 0 N/A N/A
@@ -422,7 +401,6 @@ DeliveryName InstallName FileCheckSum FileFeature FileOwner
@@ -412,7 +401,6 @@ DeliveryName InstallName FileCheckSum FileFeature FileOwner
<deliverydir>/SampleCode/SampleAEXNotify/Makefile <installdir>/package/SampleCode/SampleAEXNotify/Makefile 0 N/A N/A
<deliverydir>/SampleCode/SampleAEXNotify/README.txt <installdir>/package/SampleCode/SampleAEXNotify/README.txt 0 N/A N/A
<deliverydir>/build/linux/gdb-sgx-plugin/sgx-gdb <installdir>/package/bin/sgx-gdb 0 main STP
@ -64,7 +53,7 @@ index 032479d8..ed585066 100644
<deliverydir>/sdk/tlibcxx/include/CMakeLists.txt <installdir>/package/include/libcxx/CMakeLists.txt 0 main STP
<deliverydir>/sdk/tlibcxx/include/__availability <installdir>/package/include/libcxx/__availability 0 main STP
<deliverydir>/sdk/tlibcxx/include/__bit_reference <installdir>/package/include/libcxx/__bit_reference 0 main STP
@@ -607,317 +585,4 @@ DeliveryName InstallName FileCheckSum FileFeature FileOwner
@@ -597,290 +585,4 @@ DeliveryName InstallName FileCheckSum FileFeature FileOwner
<deliverydir>/sdk/tlibcxx/include/variant <installdir>/package/include/libcxx/variant 0 main STP
<deliverydir>/sdk/tlibcxx/include/vector <installdir>/package/include/libcxx/vector 0 main STP
<deliverydir>/sdk/tlibcxx/include/version <installdir>/package/include/libcxx/version 0 main STP
@ -354,39 +343,12 @@ index 032479d8..ed585066 100644
-<deliverydir>/external/protobuf/protobuf_code/third_party/abseil-cpp/absl/types/span.h <installdir>/package/include/tprotobuf/absl/types/span.h 0 main STP
-<deliverydir>/external/protobuf/protobuf_code/third_party/abseil-cpp/absl/types/variant.h <installdir>/package/include/tprotobuf/absl/types/variant.h 0 main STP
-<deliverydir>/external/protobuf/protobuf_code/third_party/abseil-cpp/absl/utility/utility.h <installdir>/package/include/tprotobuf/absl/utility/utility.h 0 main STP
-<deliverydir>/external/mbedtls/mbedtls_code/include/mbedtls/aes.h <installdir>/package/include/mbedtls/aes.h 0 main STP
-<deliverydir>/external/mbedtls/mbedtls_code/include/mbedtls/bignum.h <installdir>/package/include/mbedtls/bignum.h 0 main STP
-<deliverydir>/external/mbedtls/mbedtls_code/include/mbedtls/build_info.h <installdir>/package/include/mbedtls/build_info.h 0 main STP
-<deliverydir>/external/mbedtls/mbedtls_code/include/mbedtls/check_config.h <installdir>/package/include/mbedtls/check_config.h 0 main STP
-<deliverydir>/external/mbedtls/mbedtls_code/include/mbedtls/cipher.h <installdir>/package/include/mbedtls/cipher.h 0 main STP
-
-<deliverydir>/external/mbedtls/mbedtls_code/include/mbedtls/config_psa.h <installdir>/package/include/mbedtls/config_psa.h 0 main STP
-<deliverydir>/external/mbedtls/mbedtls_code/include/mbedtls/ctr_drbg.h <installdir>/package/include/mbedtls/ctr_drbg.h 0 main STP
-<deliverydir>/external/mbedtls/mbedtls_code/include/mbedtls/ecdsa.h <installdir>/package/include/mbedtls/ecdsa.h 0 main STP
-<deliverydir>/external/mbedtls/mbedtls_code/include/mbedtls/ecp.h <installdir>/package/include/mbedtls/ecp.h 0 main STP
-<deliverydir>/external/mbedtls/mbedtls_code/include/mbedtls/entropy.h <installdir>/package/include/mbedtls/entropy.h 0 main STP
-<deliverydir>/external/mbedtls/mbedtls_code/include/mbedtls/mbedtls_config.h <installdir>/package/include/mbedtls/mbedtls_config.h 0 main STP
-<deliverydir>/external/mbedtls/mbedtls_code/include/mbedtls/md.h <installdir>/package/include/mbedtls/md.h 0 main STP
-<deliverydir>/external/mbedtls/mbedtls_code/include/mbedtls/platform_util.h <installdir>/package/include/mbedtls/platform_util.h 0 main STP
-<deliverydir>/external/mbedtls/mbedtls_code/include/mbedtls/private_access.h <installdir>/package/include/mbedtls/private_access.h 0 main STP
-<deliverydir>/external/mbedtls/mbedtls_code/include/mbedtls/sha1.h <installdir>/package/include/mbedtls/sha1.h 0 main STP
-<deliverydir>/external/mbedtls/mbedtls_code/include/mbedtls/sha256.h <installdir>/package/include/mbedtls/sha256.h 0 main STP
-<deliverydir>/external/mbedtls/mbedtls_code/include/mbedtls/sha512.h <installdir>/package/include/mbedtls/sha512.h 0 main STP
-<deliverydir>/external/mbedtls/mbedtls_code/include/mbedtls/threading.h <installdir>/package/include/mbedtls/threading.h 0 main STP
-<deliverydir>/external/mbedtls/mbedtls_code/include/mbedtls/platform.h <installdir>/package/include/mbedtls/platform.h 0 main STP
-<deliverydir>/external/mbedtls/mbedtls_code/include/mbedtls/ecdh.h <installdir>/package/include/mbedtls/ecdh.h 0 main STP
-<deliverydir>/external/mbedtls/mbedtls_code/include/mbedtls/cmac.h <installdir>/package/include/mbedtls/cmac.h 0 main STP
-<deliverydir>/external/mbedtls/mbedtls_code/include/mbedtls/rsa.h <installdir>/package/include/mbedtls/rsa.h 0 main STP
-<deliverydir>/external/mbedtls/mbedtls_code/include/mbedtls/gcm.h <installdir>/package/include/mbedtls/gcm.h 0 main STP
-<deliverydir>/external/mbedtls/mbedtls_code/include/mbedtls/config_adjust_legacy_crypto.h <installdir>/package/include/mbedtls/config_adjust_legacy_crypto.h 0 main STP
-<deliverydir>/external/mbedtls/mbedtls_code/include/mbedtls/config_adjust_x509.h <installdir>/package/include/mbedtls/config_adjust_x509.h 0 main STP
-<deliverydir>/external/mbedtls/mbedtls_code/include/mbedtls/config_adjust_ssl.h <installdir>/package/include/mbedtls/config_adjust_ssl.h 0 main STP
<deliverydir>/common/buildenv.mk <installdir>/package/buildenv.mk 0 main STP
diff --git a/linux/installer/common/sdk/BOMs/sdk_cve_2020_0551_cf.txt b/linux/installer/common/sdk/BOMs/sdk_cve_2020_0551_cf.txt
index d494deba..998def35 100644
index 65d9dca0..086992f9 100644
--- a/linux/installer/common/sdk/BOMs/sdk_cve_2020_0551_cf.txt
+++ b/linux/installer/common/sdk/BOMs/sdk_cve_2020_0551_cf.txt
@@ -9,11 +9,8 @@ DeliveryName InstallName FileCheckSum FileFeature FileOwner
@@ -10,9 +10,7 @@ DeliveryName InstallName FileCheckSum FileFeature FileOwner
<deliverydir>/build/linuxCF/libsgx_tswitchless.a <installdir>/package/lib64/cve_2020_0551_cf/libsgx_tswitchless.a 0 main STP
<deliverydir>/build/linuxCF/libsgx_tprotected_fs.a <installdir>/package/lib64/cve_2020_0551_cf/libsgx_tprotected_fs.a 0 main STP
<deliverydir>/build/linuxCF/libsgx_pcl.a <installdir>/package/lib64/cve_2020_0551_cf/libsgx_pcl.a 0 main STP
@ -396,13 +358,11 @@ index d494deba..998def35 100644
<deliverydir>/build/linuxCF/libsgx_ttls.a <installdir>/package/lib64/cve_2020_0551_cf/libsgx_ttls.a 0 main STP
<deliverydir>/build/linuxCF/libtdx_tls.a <installdir>/package/lib64/cve_2020_0551_cf/libtdx_tls.a 0 main STP
<deliverydir>/build/linuxCF/libsgx_utls.a <installdir>/package/lib64/cve_2020_0551_cf/libsgx_utls.a 0 main STP
-<deliverydir>/build/linuxCF/libsgx_mbedcrypto.a <installdir>/package/lib64/cve_2020_0551_cf/libsgx_mbedcrypto.a 0 main STP
<deliverydir>/external/dcap_source/QuoteGeneration/build/linuxCF/libsgx_dcap_tvl.a <installdir>/package/lib64/cve_2020_0551_cf/libsgx_dcap_tvl.a 0 main STP
diff --git a/linux/installer/common/sdk/BOMs/sdk_cve_2020_0551_load.txt b/linux/installer/common/sdk/BOMs/sdk_cve_2020_0551_load.txt
index 53c9cfc6..b68b9976 100644
index 71684b38..c26c9e63 100644
--- a/linux/installer/common/sdk/BOMs/sdk_cve_2020_0551_load.txt
+++ b/linux/installer/common/sdk/BOMs/sdk_cve_2020_0551_load.txt
@@ -9,11 +9,8 @@ DeliveryName InstallName FileCheckSum FileFeature FileOwner
@@ -10,9 +10,7 @@ DeliveryName InstallName FileCheckSum FileFeature FileOwner
<deliverydir>/build/linuxLOAD/libsgx_tswitchless.a <installdir>/package/lib64/cve_2020_0551_load/libsgx_tswitchless.a 0 main STP
<deliverydir>/build/linuxLOAD/libsgx_tprotected_fs.a <installdir>/package/lib64/cve_2020_0551_load/libsgx_tprotected_fs.a 0 main STP
<deliverydir>/build/linuxLOAD/libsgx_pcl.a <installdir>/package/lib64/cve_2020_0551_load/libsgx_pcl.a 0 main STP
@ -412,13 +372,11 @@ index 53c9cfc6..b68b9976 100644
<deliverydir>/build/linuxLOAD/libsgx_ttls.a <installdir>/package/lib64/cve_2020_0551_load/libsgx_ttls.a 0 main STP
<deliverydir>/build/linuxLOAD/libtdx_tls.a <installdir>/package/lib64/cve_2020_0551_load/libtdx_tls.a 0 main STP
<deliverydir>/build/linuxLOAD/libsgx_utls.a <installdir>/package/lib64/cve_2020_0551_load/libsgx_utls.a 0 main STP
-<deliverydir>/build/linuxLOAD/libsgx_mbedcrypto.a <installdir>/package/lib64/cve_2020_0551_load/libsgx_mbedcrypto.a 0 main STP
<deliverydir>/external/dcap_source/QuoteGeneration/build/linuxLOAD/libsgx_dcap_tvl.a <installdir>/package/lib64/cve_2020_0551_load/libsgx_dcap_tvl.a 0 main STP
diff --git a/linux/installer/common/sdk/BOMs/sdk_x64.txt b/linux/installer/common/sdk/BOMs/sdk_x64.txt
index 629492c1..602a804d 100644
index d713050b..111070ee 100644
--- a/linux/installer/common/sdk/BOMs/sdk_x64.txt
+++ b/linux/installer/common/sdk/BOMs/sdk_x64.txt
@@ -39,14 +39,10 @@ DeliveryName InstallName FileCheckSum FileFeature FileOwner
@@ -40,10 +40,7 @@ DeliveryName InstallName FileCheckSum FileFeature FileOwner
<deliverydir>/build/linux/sgx_edger8r <installdir>/package/bin/x64/sgx_edger8r 0 main STP
<deliverydir>/build/linux/sgx_sign <installdir>/package/bin/x64/sgx_sign 0 main STP
<deliverydir>/build/linux/sgx_encrypt <installdir>/package/bin/x64/sgx_encrypt 0 main STP
@ -429,22 +387,17 @@ index 629492c1..602a804d 100644
<deliverydir>/build/linux/libsgx_ttls.a <installdir>/package/lib64/libsgx_ttls.a 0 main STP
<deliverydir>/build/linux/libtdx_tls.a <installdir>/package/lib64/libtdx_tls.a 0 main STP
<deliverydir>/build/linux/libsgx_utls.a <installdir>/package/lib64/libsgx_utls.a 0 main STP
-<deliverydir>/build/linux/libsgx_mbedcrypto.a <installdir>/package/lib64/libsgx_mbedcrypto.a 0 main STP
<deliverydir>/external/dcap_source/QuoteGeneration/build/linux/libsgx_dcap_tvl.a <installdir>/package/lib64/libsgx_dcap_tvl.a 0 main STP
<deliverydir>/linux/installer/common/sdk/installConfig.x64 <installdir>/scripts/installConfig 0 main STP
<deliverydir>/linux/installer/common/sdk/pkgconfig/x64/libsgx_uae_service_sim.pc <installdir>/package/pkgconfig/libsgx_uae_service_sim.pc 0 main STP
diff --git a/sdk/Makefile.source b/sdk/Makefile.source
index d3e40036..3bd08d5c 100644
index dfbca6d4..3bd08d5c 100644
--- a/sdk/Makefile.source
+++ b/sdk/Makefile.source
@@ -41,15 +41,11 @@
@@ -41,14 +41,11 @@
# - tprotected_fs: libsgx_tprotected_fs.a
# - tcmalloc: libsgx_tcmalloc.a
# - sgx_pcl: libsgx_pcl.a
-# - openmp: libsgx_omp.a
-# - protobuf: libsgx_protobuf.a
# - ttls: libsgx_ttls.a
-# - mbedtls: libsgx_mbedcrypto.a
# - Untrtusted libraries
# - ukey_exchange: libsgx_ukey_exchange.a
# - uprotected_fs: libsgx_uprotected_fs.a
@ -453,16 +406,16 @@ index d3e40036..3bd08d5c 100644
# - utls: libsgx_utls.a
# - Standalone, untrusted libraries
# - libcapable: libsgx_capable.a libsgx_capable.so
@@ -67,7 +63,7 @@ LIBTCXX := $(BUILD_DIR)/libsgx_tcxx.a
@@ -66,7 +63,7 @@ LIBTCXX := $(BUILD_DIR)/libsgx_tcxx.a
LIBTSE := $(BUILD_DIR)/libsgx_tservice.a
.PHONY: components
-components: tstdc tcxx tservice trts tcrypto tkey_exchange ukey_exchange tprotected_fs uprotected_fs ptrace sample_crypto libcapable simulation signtool edger8r tcmalloc sgx_pcl sgx_encrypt sgx_tswitchless sgx_uswitchless pthread openmp protobuf ttls utls mbedtls
-components: tstdc tcxx tservice trts tcrypto tkey_exchange ukey_exchange tprotected_fs uprotected_fs ptrace sample_crypto libcapable simulation signtool edger8r tcmalloc sgx_pcl sgx_encrypt sgx_tswitchless sgx_uswitchless pthread openmp protobuf ttls utls
+components: tstdc tcxx tservice trts tcrypto tkey_exchange ukey_exchange tprotected_fs uprotected_fs ptrace libcapable simulation signtool edger8r tcmalloc sgx_pcl sgx_encrypt sgx_tswitchless sgx_uswitchless pthread ttls utls
# ---------------------------------------------------
# tstdc
@@ -221,26 +217,10 @@ tprotected_fs: edger8r
@@ -220,18 +217,6 @@ tprotected_fs: edger8r
sgx_pcl:
$(MAKE) -C protected_code_loader
@ -481,15 +434,7 @@ index d3e40036..3bd08d5c 100644
.PHONY: ttls
ttls: edger8r
$(MAKE) -C ttls
-.PHONY: mbedtls
-mbedtls:
- $(MAKE) -C $(LINUX_EXTERNAL_DIR)/mbedtls
-
# ---------------------------------------------------
# Untrusted libraries
# ---------------------------------------------------
@@ -256,10 +236,6 @@ uprotected_fs: edger8r
@@ -251,10 +236,6 @@ uprotected_fs: edger8r
ptrace:
$(MAKE) -C debugger_interface/linux/
@ -500,7 +445,7 @@ index d3e40036..3bd08d5c 100644
.PHONY: utls
utls:
$(MAKE) -C utls
@@ -329,7 +305,6 @@ clean:
@@ -324,7 +305,6 @@ clean:
$(MAKE) -C protected_fs/sgx_tprotected_fs/ clean
$(MAKE) -C protected_fs/sgx_uprotected_fs/ clean
$(MAKE) -C debugger_interface/linux/ clean
@ -508,7 +453,7 @@ index d3e40036..3bd08d5c 100644
$(MAKE) -C libcapable/linux/ clean
$(MAKE) -C simulation/ clean
$(MAKE) -C sign_tool/SignTool clean
@@ -340,11 +315,8 @@ clean:
@@ -335,8 +315,6 @@ clean:
$(MAKE) -C switchless/sgx_uswitchless clean
$(MAKE) -C tmm_rsrv/ clean
$(MAKE) -C pthread clean
@ -516,10 +461,7 @@ index d3e40036..3bd08d5c 100644
- $(MAKE) -C $(LINUX_EXTERNAL_DIR)/protobuf clean
$(MAKE) -C ttls clean
$(MAKE) -C utls clean
- $(MAKE) -C $(LINUX_EXTERNAL_DIR)/mbedtls clean
@$(RM) $(LIBTLIBC) $(LIBTCXX) $(LIBTSE)
@$(RM) $(BUILD_DIR)/libc++_Changes_SGX.txt
@$(RM) -rf $(BUILD_DIR)/.compiler-rt
--
2.48.1
2.49.0

24
0006-Fix-compat-with-gcc-14.patch
View File

@ -1,7 +1,7 @@
From 44c7af2d59a9654009eb1ea6affe771927d24850 Mon Sep 17 00:00:00 2001
From f257662821800cfe5cdb38639a35361aac0802a3 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?= <berrange@redhat.com>
Date: Mon, 24 Jun 2024 17:36:13 +0100
Subject: [PATCH 06/16] Fix compat with gcc 14
Subject: [PATCH 06/15] Fix compat with gcc 14
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
@ -14,25 +14,11 @@ that std::enable_if_t is available.
Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
---
psw/ae/aesm_service/source/CMakeLists.txt | 2 +-
psw/enclave_common/sgx_enclave_common.cpp | 1 +
2 files changed, 2 insertions(+), 1 deletion(-)
1 file changed, 1 insertion(+)
diff --git a/psw/ae/aesm_service/source/CMakeLists.txt b/psw/ae/aesm_service/source/CMakeLists.txt
index 3edd77c7..89b3e3ae 100644
--- a/psw/ae/aesm_service/source/CMakeLists.txt
+++ b/psw/ae/aesm_service/source/CMakeLists.txt
@@ -61,7 +61,7 @@ if(REF_LE)
endif()
set(CMAKE_CXX_STANDARD_REQUIRED 1)
-set(CMAKE_CXX_STANDARD 11)
+set(CMAKE_CXX_STANDARD 14)
set(CMAKE_SKIP_BUILD_RPATH true)
########## SGX SDK Settings ##########
diff --git a/psw/enclave_common/sgx_enclave_common.cpp b/psw/enclave_common/sgx_enclave_common.cpp
index 9867ecc8..46fcf873 100644
index 9a335c81..399d63b2 100644
--- a/psw/enclave_common/sgx_enclave_common.cpp
+++ b/psw/enclave_common/sgx_enclave_common.cpp
@@ -35,6 +35,7 @@
@ -44,5 +30,5 @@ index 9867ecc8..46fcf873 100644
#include "sgx_urts.h"
#include "arch.h"
--
2.48.1
2.49.0

6
0007-Fix-escaping-of-regexes-in-sgx-asm-pp.patch
View File

@ -1,7 +1,7 @@
From b613bffdce4d035dab354887539828906920a69e Mon Sep 17 00:00:00 2001
From 089dddf45cda329896d5d94202780209567fed9d Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?= <berrange@redhat.com>
Date: Mon, 2 Sep 2024 16:49:18 +0100
Subject: [PATCH 07/16] Fix escaping of regexes in sgx-asm-pp
Subject: [PATCH 07/15] Fix escaping of regexes in sgx-asm-pp
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
@ -278,5 +278,5 @@ index 2b02396b..0df3fc47 100644
#
# File Operations - read/write
--
2.48.1
2.49.0

30
0008-Disable-use-of-bogus-DEF_WEAK-macro.patch
View File

@ -1,30 +0,0 @@
From 7e6f75bfc9c364a26be6efb0704fb6f58318e59b Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?= <berrange@redhat.com>
Date: Tue, 1 Oct 2024 18:53:17 +0100
Subject: [PATCH 08/16] Disable use of bogus DEF_WEAK macro
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
---
sdk/tlibc/time/strptime.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/sdk/tlibc/time/strptime.c b/sdk/tlibc/time/strptime.c
index 08023a7c..9e62adc6 100644
--- a/sdk/tlibc/time/strptime.c
+++ b/sdk/tlibc/time/strptime.c
@@ -89,7 +89,9 @@ strptime(const char *buf, const char *fmt, struct tm *tm)
{
return(_strptime(buf, fmt, tm, 1));
}
+#if 0
DEF_WEAK(strptime);
+#endif
static char *
_strptime(const char *buf, const char *fmt, struct tm *tm, int initialize)
--
2.48.1

8
0010-psw-prefer-dev-sgx_provision-dev-sgx_enclave.patch → 0008-psw-prefer-dev-sgx_provision-dev-sgx_enclave.patch
View File

@ -1,7 +1,7 @@
From b35c87f751c42cec71c4d3107b88084eddc4f749 Mon Sep 17 00:00:00 2001
From 8967386d8e9eb0f7a11a7e6ce7f97b6b1daf39ef Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?= <berrange@redhat.com>
Date: Fri, 4 Oct 2024 16:33:20 +0100
Subject: [PATCH 10/16] psw: prefer /dev/sgx_provision & /dev/sgx_enclave
Subject: [PATCH 08/15] psw: prefer /dev/sgx_provision & /dev/sgx_enclave
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
@ -21,7 +21,7 @@ Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
2 files changed, 9 insertions(+), 9 deletions(-)
diff --git a/psw/enclave_common/sgx_enclave_common.cpp b/psw/enclave_common/sgx_enclave_common.cpp
index 46fcf873..651ba83e 100644
index 399d63b2..f63149a0 100644
--- a/psw/enclave_common/sgx_enclave_common.cpp
+++ b/psw/enclave_common/sgx_enclave_common.cpp
@@ -481,11 +481,11 @@ static void enclave_set_provision_access(int hdevice, void* enclave_base)
@ -74,5 +74,5 @@ index 49f2b9aa..fc537a84 100644
}
else if (driver_type == SGX_DRIVER_DCAP)
--
2.48.1
2.49.0

497
0009-Remove-all-references-to-pccs-service.patch
View File

@ -1,497 +0,0 @@
From 2135faf971e82c7dc351dc01baab5c6f716f8f11 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?= <berrange@redhat.com>
Date: Tue, 1 Oct 2024 20:18:48 +0100
Subject: [PATCH 09/16] Remove all references to pccs service
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
The PCCS code was deleted in the DCAP 1.22 release that SGX
references, resulting in a failure to build the installer:
$ /usr/bin/make -I linux/installer/common/psw-dcap -f linux/installer/common/psw-dcap/Makefile SRCDIR=. DESTDIR=build/vroot/psw install
python /var/home/berrange/rpmbuild/BUILD/linux-sgx-sgx_2.25_reproducible/linux/installer/common/gen_source/copy_source.py --bom-file /var/home/berrange/rpmbuild/BUILD/linux-sgx-sgx_2.25_reproducible/linux/installer/common/psw-dcap/BOM_install/sgx-dcap-pccs.txt --src-path . --dst-path build/pkgroot/sgx-dcap-pccs
Error: src directory/file ./external/dcap_source/QuoteGeneration/pccs/config/default.json does not exist!
make: *** [linux/installer/common/psw-dcap/Makefile:195: pre_sgx-dcap-pccs] Error 1
Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
---
README.md | 4 -
.../psw-dcap/BOM_install/sgx-dcap-pccs.txt | 74 -------------------
linux/installer/common/psw-dcap/Makefile | 14 +---
linux/installer/common/psw-dcap/installConfig | 1 -
.../psw-tdx/BOM_install/sgx-dcap-pccs.txt | 74 -------------------
linux/installer/common/psw-tdx/Makefile | 14 +---
linux/installer/common/psw-tdx/installConfig | 1 -
linux/installer/rpm/psw-dcap/build.sh | 1 -
.../installer/rpm/psw-dcap/psw-dcap.spec.tmpl | 21 +-----
linux/installer/rpm/psw-tdx/build.sh | 1 -
linux/installer/rpm/psw-tdx/psw-tdx.spec.tmpl | 21 +-----
11 files changed, 6 insertions(+), 220 deletions(-)
delete mode 100644 linux/installer/common/psw-dcap/BOM_install/sgx-dcap-pccs.txt
delete mode 100644 linux/installer/common/psw-tdx/BOM_install/sgx-dcap-pccs.txt
diff --git a/README.md b/README.md
index fcd11874..9d4011a2 100644
--- a/README.md
+++ b/README.md
@@ -523,10 +523,6 @@ Please follow the [Intel(R) SGX DCAP Installation Guide for Linux* OS](https://d
- Install Quote Provider Library(QPL). You can use your own customized QPL or use default QPL provided by Intel(libsgx-dcap-default-qpl)
-- Install PCK Caching Service. For how to install and configure PCK Caching
-Service, please refer to [SGXDataCenterAttestationPrimitives](https://github.com/intel/SGXDataCenterAttestationPrimitives/tree/master/QuoteGeneration/pccs)
-- Ensure the PCK Caching Service is setup correctly by local administrator or data center administrator. Also make sure that the configure file of quote provider library (/etc/sgx_default_qcnl.conf) is consistent with the real environment, for example: PCS_URL=https://your_pcs_server:8081/sgx/certification/v1/
-
### Start or Stop aesmd Service
The Intel(R) SGX PSW installer installs an aesmd service in your machine, which is running in a special linux account `aesmd`.
To stop the service: `$ sudo service aesmd stop`
diff --git a/linux/installer/common/psw-dcap/BOM_install/sgx-dcap-pccs.txt b/linux/installer/common/psw-dcap/BOM_install/sgx-dcap-pccs.txt
deleted file mode 100644
index d70745c9..00000000
--- a/linux/installer/common/psw-dcap/BOM_install/sgx-dcap-pccs.txt
+++ /dev/null
@@ -1,74 +0,0 @@
-DeliveryName InstallName FileCheckSum FileFeature FileOwner
-<deliverydir>/external/dcap_source/QuoteGeneration/pccs/config/default.json <installdir>/config/default.json 0 main STP
-<deliverydir>/external/dcap_source/QuoteGeneration/pccs/constants/index.js <installdir>/constants/index.js 0 main STP
-<deliverydir>/external/dcap_source/QuoteGeneration/pccs/constants/pccs_status_code.js <installdir>/constants/pccs_status_code.js 0 main STP
-<deliverydir>/external/dcap_source/QuoteGeneration/pccs/controllers/identityController.js <installdir>/controllers/identityController.js 0 main STP
-<deliverydir>/external/dcap_source/QuoteGeneration/pccs/controllers/index.js <installdir>/controllers/index.js 0 main STP
-<deliverydir>/external/dcap_source/QuoteGeneration/pccs/controllers/pckcertController.js <installdir>/controllers/pckcertController.js 0 main STP
-<deliverydir>/external/dcap_source/QuoteGeneration/pccs/controllers/pckcrlController.js <installdir>/controllers/pckcrlController.js 0 main STP
-<deliverydir>/external/dcap_source/QuoteGeneration/pccs/controllers/platformCollateralController.js <installdir>/controllers/platformCollateralController.js 0 main STP
-<deliverydir>/external/dcap_source/QuoteGeneration/pccs/controllers/platformsController.js <installdir>/controllers/platformsController.js 0 main STP
-<deliverydir>/external/dcap_source/QuoteGeneration/pccs/controllers/refreshController.js <installdir>/controllers/refreshController.js 0 main STP
-<deliverydir>/external/dcap_source/QuoteGeneration/pccs/controllers/rootcacrlController.js <installdir>/controllers/rootcacrlController.js 0 main STP
-<deliverydir>/external/dcap_source/QuoteGeneration/pccs/controllers/tcbinfoController.js <installdir>/controllers/tcbinfoController.js 0 main STP
-<deliverydir>/external/dcap_source/QuoteGeneration/pccs/controllers/crlController.js <installdir>/controllers/crlController.js 0 main STP
-<deliverydir>/external/dcap_source/QuoteGeneration/pccs/dao/models/fmspc_tcbs.js <installdir>/dao/models/fmspc_tcbs.js 0 main STP
-<deliverydir>/external/dcap_source/QuoteGeneration/pccs/dao/models/index.js <installdir>/dao/models/index.js 0 main STP
-<deliverydir>/external/dcap_source/QuoteGeneration/pccs/dao/models/pck_cert.js <installdir>/dao/models/pck_cert.js 0 main STP
-<deliverydir>/external/dcap_source/QuoteGeneration/pccs/dao/models/pck_certchain.js <installdir>/dao/models/pck_certchain.js 0 main STP
-<deliverydir>/external/dcap_source/QuoteGeneration/pccs/dao/models/pck_crl.js <installdir>/dao/models/pck_crl.js 0 main STP
-<deliverydir>/external/dcap_source/QuoteGeneration/pccs/dao/models/pcs_certificates.js <installdir>/dao/models/pcs_certificates.js 0 main STP
-<deliverydir>/external/dcap_source/QuoteGeneration/pccs/dao/models/pcs_version.js <installdir>/dao/models/pcs_version.js 0 main STP
-<deliverydir>/external/dcap_source/QuoteGeneration/pccs/dao/models/platform_tcbs.js <installdir>/dao/models/platform_tcbs.js 0 main STP
-<deliverydir>/external/dcap_source/QuoteGeneration/pccs/dao/models/platforms_registered.js <installdir>/dao/models/platforms_registered.js 0 main STP
-<deliverydir>/external/dcap_source/QuoteGeneration/pccs/dao/models/platforms.js <installdir>/dao/models/platforms.js 0 main STP
-<deliverydir>/external/dcap_source/QuoteGeneration/pccs/dao/models/enclave_identities.js <installdir>/dao/models/enclave_identities.js 0 main STP
-<deliverydir>/external/dcap_source/QuoteGeneration/pccs/dao/models/crl_cache.js <installdir>/dao/models/crl_cache.js 0 main STP
-<deliverydir>/external/dcap_source/QuoteGeneration/pccs/dao/fmspcTcbDao.js <installdir>/dao/fmspcTcbDao.js 0 main STP
-<deliverydir>/external/dcap_source/QuoteGeneration/pccs/dao/pckCertchainDao.js <installdir>/dao/pckCertchainDao.js 0 main STP
-<deliverydir>/external/dcap_source/QuoteGeneration/pccs/dao/pckcertDao.js <installdir>/dao/pckcertDao.js 0 main STP
-<deliverydir>/external/dcap_source/QuoteGeneration/pccs/dao/pckcrlDao.js <installdir>/dao/pckcrlDao.js 0 main STP
-<deliverydir>/external/dcap_source/QuoteGeneration/pccs/dao/pcsCertificatesDao.js <installdir>/dao/pcsCertificatesDao.js 0 main STP
-<deliverydir>/external/dcap_source/QuoteGeneration/pccs/dao/pcsVersionDao.js <installdir>/dao/pcsVersionDao.js 0 main STP
-<deliverydir>/external/dcap_source/QuoteGeneration/pccs/dao/platformsDao.js <installdir>/dao/platformsDao.js 0 main STP
-<deliverydir>/external/dcap_source/QuoteGeneration/pccs/dao/platformsRegDao.js <installdir>/dao/platformsRegDao.js 0 main STP
-<deliverydir>/external/dcap_source/QuoteGeneration/pccs/dao/platformTcbsDao.js <installdir>/dao/platformTcbsDao.js 0 main STP
-<deliverydir>/external/dcap_source/QuoteGeneration/pccs/dao/enclaveIdentityDao.js <installdir>/dao/enclaveIdentityDao.js 0 main STP
-<deliverydir>/external/dcap_source/QuoteGeneration/pccs/dao/crlCacheDao.js <installdir>/dao/crlCacheDao.js 0 main STP
-<deliverydir>/external/dcap_source/tools/PCKCertSelection/out/libPCKCertSelection.so <installdir>/lib/libPCKCertSelection.so 0 main STP
-<deliverydir>/external/dcap_source/QuoteGeneration/pccs/lib_wrapper/pcklib_wrapper.js <installdir>/lib_wrapper/pcklib_wrapper.js 0 main STP
-<deliverydir>/external/dcap_source/QuoteGeneration/pccs/middleware/auth.js <installdir>/middleware/auth.js 0 main STP
-<deliverydir>/external/dcap_source/QuoteGeneration/pccs/middleware/error.js <installdir>/middleware/error.js 0 main STP
-<deliverydir>/external/dcap_source/QuoteGeneration/pccs/middleware/addRequestId.js <installdir>/middleware/addRequestId.js 0 main STP
-<deliverydir>/external/dcap_source/QuoteGeneration/pccs/migrations/00_db_initialize.up.sql <installdir>/migrations/00_db_initialize.up.sql 0 main STP
-<deliverydir>/external/dcap_source/QuoteGeneration/pccs/migrations/01_db_version_1.js <installdir>/migrations/01_db_version_1.js 0 main STP
-<deliverydir>/external/dcap_source/QuoteGeneration/pccs/migrations/02_db_version_2.js <installdir>/migrations/02_db_version_2.js 0 main STP
-<deliverydir>/external/dcap_source/QuoteGeneration/pccs/pcs_client/pcs_client.js <installdir>/pcs_client/pcs_client.js 0 main STP
-<deliverydir>/external/dcap_source/QuoteGeneration/pccs/routes/index.js <installdir>/routes/index.js 0 main STP
-<deliverydir>/external/dcap_source/QuoteGeneration/pccs/services/identityService.js <installdir>/services/identityService.js 0 main STP
-<deliverydir>/external/dcap_source/QuoteGeneration/pccs/services/index.js <installdir>/services/index.js 0 main STP
-<deliverydir>/external/dcap_source/QuoteGeneration/pccs/services/pccs_schemas.js <installdir>/services/pccs_schemas.js 0 main STP
-<deliverydir>/external/dcap_source/QuoteGeneration/pccs/services/pckcertService.js <installdir>/services/pckcertService.js 0 main STP
-<deliverydir>/external/dcap_source/QuoteGeneration/pccs/services/pckcrlService.js <installdir>/services/pckcrlService.js 0 main STP
-<deliverydir>/external/dcap_source/QuoteGeneration/pccs/services/platformCollateralService.js <installdir>/services/platformCollateralService.js 0 main STP
-<deliverydir>/external/dcap_source/QuoteGeneration/pccs/services/platformsRegService.js <installdir>/services/platformsRegService.js 0 main STP
-<deliverydir>/external/dcap_source/QuoteGeneration/pccs/services/platformsService.js <installdir>/services/platformsService.js 0 main STP
-<deliverydir>/external/dcap_source/QuoteGeneration/pccs/services/refreshService.js <installdir>/services/refreshService.js 0 main STP
-<deliverydir>/external/dcap_source/QuoteGeneration/pccs/services/rootcacrlService.js <installdir>/services/rootcacrlService.js 0 main STP
-<deliverydir>/external/dcap_source/QuoteGeneration/pccs/services/tcbinfoService.js <installdir>/services/tcbinfoService.js 0 main STP
-<deliverydir>/external/dcap_source/QuoteGeneration/pccs/services/crlService.js <installdir>/services/crlService.js 0 main STP
-<deliverydir>/external/dcap_source/QuoteGeneration/pccs/services/caching_modes/cachingMode.js <installdir>/services/caching_modes/cachingMode.js 0 main STP
-<deliverydir>/external/dcap_source/QuoteGeneration/pccs/services/caching_modes/cachingModeManager.js <installdir>/services/caching_modes/cachingModeManager.js 0 main STP
-<deliverydir>/external/dcap_source/QuoteGeneration/pccs/services/logic/commonCacheLogic.js <installdir>/services/logic/commonCacheLogic.js 0 main STP
-<deliverydir>/external/dcap_source/QuoteGeneration/pccs/services/logic/qvCollateralLogic.js <installdir>/services/logic/qvCollateralLogic.js 0 main STP
-<deliverydir>/external/dcap_source/QuoteGeneration/pccs/utils/Logger.js <installdir>/utils/Logger.js 0 main STP
-<deliverydir>/external/dcap_source/QuoteGeneration/pccs/utils/PccsError.js <installdir>/utils/PccsError.js 0 main STP
-<deliverydir>/external/dcap_source/QuoteGeneration/pccs/utils/apputil.js <installdir>/utils/apputil.js 0 main STP
-<deliverydir>/external/dcap_source/QuoteGeneration/pccs/x509/x509.js <installdir>/x509/x509.js 0 main STP
-<deliverydir>/external/dcap_source/QuoteGeneration/pccs/install.sh <installdir>/install.sh 0 main STP
-<deliverydir>/external/dcap_source/QuoteGeneration/pccs/package.json <installdir>/package.json 0 main STP
-<deliverydir>/external/dcap_source/QuoteGeneration/pccs/pccs_server.js <installdir>/pccs_server.js 0 main STP
-<deliverydir>/external/dcap_source/QuoteGeneration/pccs/pccs.service <installdir>/pccs.service 0 main STP
-<deliverydir>/external/dcap_source/QuoteGeneration/pccs/startup.sh <installdir>/startup.sh 0 main STP
-<deliverydir>/external/dcap_source/QuoteGeneration/pccs/cleanup.sh <installdir>/cleanup.sh 0 main STP
-<deliverydir>/external/dcap_source/QuoteGeneration/pccs/README.md <installdir>/README.md 0 main STP
diff --git a/linux/installer/common/psw-dcap/Makefile b/linux/installer/common/psw-dcap/Makefile
index a85c8b82..5e8a8560 100644
--- a/linux/installer/common/psw-dcap/Makefile
+++ b/linux/installer/common/psw-dcap/Makefile
@@ -95,9 +95,6 @@ AESMD_CONF=aesmd.service
AESMD_CONF_DEL=aesmd.conf
AESMD_CONF_PATH=$(if $(wildcard /lib/systemd/system/.),/lib/systemd/system,/usr/lib/systemd/system)
-PCCS_CONF=pccs.service
-PCCS_CONF_PATH=$(if $(wildcard /lib/systemd/system/.),/lib/systemd/system,/usr/lib/systemd/system)
-
RAD_CONF=mpa_registration_tool.service
RAD_CONF_DEL=mpa_registration_tool.conf
RAD_CONF_PATH=$(if $(wildcard /lib/systemd/system/.),/lib/systemd/system,/usr/lib/systemd/system)
@@ -192,7 +189,7 @@ ALL_PKGS:= $(AESM_SERVICE_PKGS) $(AE_PKGS) $(DEV_LIB_PKGS)
$(foreach PKG,$(AESM_SERVICE_PKGS) $(AE_PKGS),$(eval $(call INSTALL_AESM_SERVICE_TEMPLATE,$(PKG))))
$(foreach PKG,$(DEV_LIB_PKGS),$(eval $(call INSTALL_DEV_LIB_TEMPLATE,$(PKG))))
-$(foreach PKG,$(ALL_PKGS) $(DCAP_PCCS_PACKAGE) $(RA_SERVICE_PACKAGE) $(PCK_ID_RETRIEVAL_TOOL_PACKAGE),$(eval $(call PRE_INSTALL_TEMPLATE,$(PKG))))
+$(foreach PKG,$(ALL_PKGS) $(RA_SERVICE_PACKAGE) $(PCK_ID_RETRIEVAL_TOOL_PACKAGE),$(eval $(call PRE_INSTALL_TEMPLATE,$(PKG))))
PHONY+=$(ALL_PKGS)
PHONY+=$(foreach PKG,$(ALL_PKGS),pre_$(PKG))
@@ -220,14 +217,6 @@ install_$(AESM_SERVICE_PACKAGE): $(foreach PKG,$(AESM_SERVICE_PKGS),post_$(PKG))
ln -fs $(shell readlink -m $(USR_LIB_PATH)/libsgx_pce.signed.so) && \
ln -fs liburts_internal.so libsgx_urts.so.$(URTS_MAJOR_VER)
-PHONY+=install_$(DCAP_PCCS_PACKAGE)
-install_$(DCAP_PCCS_PACKAGE): pre_$(DCAP_PCCS_PACKAGE) | $(PACKAGE_ROOT_PATH)
- install -d $(shell readlink -m $(DESTDIR)/$(DCAP_PCCS_PACKAGE)/$(PCCS_CONF_PATH)) && \
- cp -f $|/$(DCAP_PCCS_PACKAGE)/$(PCCS_CONF) $(DESTDIR)/$(DCAP_PCCS_PACKAGE)/$(PCCS_CONF_PATH) && \
- rm -f $|/$(DCAP_PCCS_PACKAGE)/$(PCCS_CONF)
- install -d $(shell readlink -m $(DESTDIR)/$(DCAP_PCCS_PACKAGE)/$(SGX_INSTALL_PATH)/$(DCAP_PCCS_PACKAGE)) && \
- cp -fr $|/$(DCAP_PCCS_PACKAGE)/* $(DESTDIR)/$(DCAP_PCCS_PACKAGE)/$(SGX_INSTALL_PATH)/$(DCAP_PCCS_PACKAGE)
-
PHONY+=$(RA_SERVICE_PACKAGE)
$(RA_SERVICE_PACKAGE): pre_$(RA_SERVICE_PACKAGE) | $(PACKAGE_ROOT_PATH)
install -d $(shell readlink -m $(DESTDIR)/$@/$(SGX_INSTALL_PATH)/$@) && \
@@ -351,7 +340,6 @@ install_dev_lib: $(foreach PKG,$(DEV_LIB_PKGS),post_$(PKG))
PHONY+=install
install: install_$(AESM_SERVICE_PACKAGE) \
- install_$(DCAP_PCCS_PACKAGE) \
install_$(RA_SERVICE_PACKAGE) \
install_$(PCK_ID_RETRIEVAL_TOOL_PACKAGE) \
install_ae \
diff --git a/linux/installer/common/psw-dcap/installConfig b/linux/installer/common/psw-dcap/installConfig
index 9f99f032..96acdd9a 100644
--- a/linux/installer/common/psw-dcap/installConfig
+++ b/linux/installer/common/psw-dcap/installConfig
@@ -30,7 +30,6 @@ DCAP_QL_PACKAGE=libsgx-dcap-ql
DCAP_QL_DEV_PACKAGE=libsgx-dcap-ql-devel
DCAP_QVL_PACKAGE=libsgx-dcap-quote-verify
DCAP_QVL_DEV_PACKAGE=libsgx-dcap-quote-verify-devel
-DCAP_PCCS_PACKAGE=sgx-dcap-pccs
PCK_ID_RETRIEVAL_TOOL_PACKAGE=sgx-pck-id-retrieval-tool
RA_NETWORK_PACKAGE=libsgx-ra-network
diff --git a/linux/installer/common/psw-tdx/BOM_install/sgx-dcap-pccs.txt b/linux/installer/common/psw-tdx/BOM_install/sgx-dcap-pccs.txt
deleted file mode 100644
index d70745c9..00000000
--- a/linux/installer/common/psw-tdx/BOM_install/sgx-dcap-pccs.txt
+++ /dev/null
@@ -1,74 +0,0 @@
-DeliveryName InstallName FileCheckSum FileFeature FileOwner
-<deliverydir>/external/dcap_source/QuoteGeneration/pccs/config/default.json <installdir>/config/default.json 0 main STP
-<deliverydir>/external/dcap_source/QuoteGeneration/pccs/constants/index.js <installdir>/constants/index.js 0 main STP
-<deliverydir>/external/dcap_source/QuoteGeneration/pccs/constants/pccs_status_code.js <installdir>/constants/pccs_status_code.js 0 main STP
-<deliverydir>/external/dcap_source/QuoteGeneration/pccs/controllers/identityController.js <installdir>/controllers/identityController.js 0 main STP
-<deliverydir>/external/dcap_source/QuoteGeneration/pccs/controllers/index.js <installdir>/controllers/index.js 0 main STP
-<deliverydir>/external/dcap_source/QuoteGeneration/pccs/controllers/pckcertController.js <installdir>/controllers/pckcertController.js 0 main STP
-<deliverydir>/external/dcap_source/QuoteGeneration/pccs/controllers/pckcrlController.js <installdir>/controllers/pckcrlController.js 0 main STP
-<deliverydir>/external/dcap_source/QuoteGeneration/pccs/controllers/platformCollateralController.js <installdir>/controllers/platformCollateralController.js 0 main STP
-<deliverydir>/external/dcap_source/QuoteGeneration/pccs/controllers/platformsController.js <installdir>/controllers/platformsController.js 0 main STP
-<deliverydir>/external/dcap_source/QuoteGeneration/pccs/controllers/refreshController.js <installdir>/controllers/refreshController.js 0 main STP
-<deliverydir>/external/dcap_source/QuoteGeneration/pccs/controllers/rootcacrlController.js <installdir>/controllers/rootcacrlController.js 0 main STP
-<deliverydir>/external/dcap_source/QuoteGeneration/pccs/controllers/tcbinfoController.js <installdir>/controllers/tcbinfoController.js 0 main STP
-<deliverydir>/external/dcap_source/QuoteGeneration/pccs/controllers/crlController.js <installdir>/controllers/crlController.js 0 main STP
-<deliverydir>/external/dcap_source/QuoteGeneration/pccs/dao/models/fmspc_tcbs.js <installdir>/dao/models/fmspc_tcbs.js 0 main STP
-<deliverydir>/external/dcap_source/QuoteGeneration/pccs/dao/models/index.js <installdir>/dao/models/index.js 0 main STP
-<deliverydir>/external/dcap_source/QuoteGeneration/pccs/dao/models/pck_cert.js <installdir>/dao/models/pck_cert.js 0 main STP
-<deliverydir>/external/dcap_source/QuoteGeneration/pccs/dao/models/pck_certchain.js <installdir>/dao/models/pck_certchain.js 0 main STP
-<deliverydir>/external/dcap_source/QuoteGeneration/pccs/dao/models/pck_crl.js <installdir>/dao/models/pck_crl.js 0 main STP
-<deliverydir>/external/dcap_source/QuoteGeneration/pccs/dao/models/pcs_certificates.js <installdir>/dao/models/pcs_certificates.js 0 main STP
-<deliverydir>/external/dcap_source/QuoteGeneration/pccs/dao/models/pcs_version.js <installdir>/dao/models/pcs_version.js 0 main STP
-<deliverydir>/external/dcap_source/QuoteGeneration/pccs/dao/models/platform_tcbs.js <installdir>/dao/models/platform_tcbs.js 0 main STP
-<deliverydir>/external/dcap_source/QuoteGeneration/pccs/dao/models/platforms_registered.js <installdir>/dao/models/platforms_registered.js 0 main STP
-<deliverydir>/external/dcap_source/QuoteGeneration/pccs/dao/models/platforms.js <installdir>/dao/models/platforms.js 0 main STP
-<deliverydir>/external/dcap_source/QuoteGeneration/pccs/dao/models/enclave_identities.js <installdir>/dao/models/enclave_identities.js 0 main STP
-<deliverydir>/external/dcap_source/QuoteGeneration/pccs/dao/models/crl_cache.js <installdir>/dao/models/crl_cache.js 0 main STP
-<deliverydir>/external/dcap_source/QuoteGeneration/pccs/dao/fmspcTcbDao.js <installdir>/dao/fmspcTcbDao.js 0 main STP
-<deliverydir>/external/dcap_source/QuoteGeneration/pccs/dao/pckCertchainDao.js <installdir>/dao/pckCertchainDao.js 0 main STP
-<deliverydir>/external/dcap_source/QuoteGeneration/pccs/dao/pckcertDao.js <installdir>/dao/pckcertDao.js 0 main STP
-<deliverydir>/external/dcap_source/QuoteGeneration/pccs/dao/pckcrlDao.js <installdir>/dao/pckcrlDao.js 0 main STP
-<deliverydir>/external/dcap_source/QuoteGeneration/pccs/dao/pcsCertificatesDao.js <installdir>/dao/pcsCertificatesDao.js 0 main STP
-<deliverydir>/external/dcap_source/QuoteGeneration/pccs/dao/pcsVersionDao.js <installdir>/dao/pcsVersionDao.js 0 main STP
-<deliverydir>/external/dcap_source/QuoteGeneration/pccs/dao/platformsDao.js <installdir>/dao/platformsDao.js 0 main STP
-<deliverydir>/external/dcap_source/QuoteGeneration/pccs/dao/platformsRegDao.js <installdir>/dao/platformsRegDao.js 0 main STP
-<deliverydir>/external/dcap_source/QuoteGeneration/pccs/dao/platformTcbsDao.js <installdir>/dao/platformTcbsDao.js 0 main STP
-<deliverydir>/external/dcap_source/QuoteGeneration/pccs/dao/enclaveIdentityDao.js <installdir>/dao/enclaveIdentityDao.js 0 main STP
-<deliverydir>/external/dcap_source/QuoteGeneration/pccs/dao/crlCacheDao.js <installdir>/dao/crlCacheDao.js 0 main STP
-<deliverydir>/external/dcap_source/tools/PCKCertSelection/out/libPCKCertSelection.so <installdir>/lib/libPCKCertSelection.so 0 main STP
-<deliverydir>/external/dcap_source/QuoteGeneration/pccs/lib_wrapper/pcklib_wrapper.js <installdir>/lib_wrapper/pcklib_wrapper.js 0 main STP
-<deliverydir>/external/dcap_source/QuoteGeneration/pccs/middleware/auth.js <installdir>/middleware/auth.js 0 main STP
-<deliverydir>/external/dcap_source/QuoteGeneration/pccs/middleware/error.js <installdir>/middleware/error.js 0 main STP
-<deliverydir>/external/dcap_source/QuoteGeneration/pccs/middleware/addRequestId.js <installdir>/middleware/addRequestId.js 0 main STP
-<deliverydir>/external/dcap_source/QuoteGeneration/pccs/migrations/00_db_initialize.up.sql <installdir>/migrations/00_db_initialize.up.sql 0 main STP
-<deliverydir>/external/dcap_source/QuoteGeneration/pccs/migrations/01_db_version_1.js <installdir>/migrations/01_db_version_1.js 0 main STP
-<deliverydir>/external/dcap_source/QuoteGeneration/pccs/migrations/02_db_version_2.js <installdir>/migrations/02_db_version_2.js 0 main STP
-<deliverydir>/external/dcap_source/QuoteGeneration/pccs/pcs_client/pcs_client.js <installdir>/pcs_client/pcs_client.js 0 main STP
-<deliverydir>/external/dcap_source/QuoteGeneration/pccs/routes/index.js <installdir>/routes/index.js 0 main STP
-<deliverydir>/external/dcap_source/QuoteGeneration/pccs/services/identityService.js <installdir>/services/identityService.js 0 main STP
-<deliverydir>/external/dcap_source/QuoteGeneration/pccs/services/index.js <installdir>/services/index.js 0 main STP
-<deliverydir>/external/dcap_source/QuoteGeneration/pccs/services/pccs_schemas.js <installdir>/services/pccs_schemas.js 0 main STP
-<deliverydir>/external/dcap_source/QuoteGeneration/pccs/services/pckcertService.js <installdir>/services/pckcertService.js 0 main STP
-<deliverydir>/external/dcap_source/QuoteGeneration/pccs/services/pckcrlService.js <installdir>/services/pckcrlService.js 0 main STP
-<deliverydir>/external/dcap_source/QuoteGeneration/pccs/services/platformCollateralService.js <installdir>/services/platformCollateralService.js 0 main STP
-<deliverydir>/external/dcap_source/QuoteGeneration/pccs/services/platformsRegService.js <installdir>/services/platformsRegService.js 0 main STP
-<deliverydir>/external/dcap_source/QuoteGeneration/pccs/services/platformsService.js <installdir>/services/platformsService.js 0 main STP
-<deliverydir>/external/dcap_source/QuoteGeneration/pccs/services/refreshService.js <installdir>/services/refreshService.js 0 main STP
-<deliverydir>/external/dcap_source/QuoteGeneration/pccs/services/rootcacrlService.js <installdir>/services/rootcacrlService.js 0 main STP
-<deliverydir>/external/dcap_source/QuoteGeneration/pccs/services/tcbinfoService.js <installdir>/services/tcbinfoService.js 0 main STP
-<deliverydir>/external/dcap_source/QuoteGeneration/pccs/services/crlService.js <installdir>/services/crlService.js 0 main STP
-<deliverydir>/external/dcap_source/QuoteGeneration/pccs/services/caching_modes/cachingMode.js <installdir>/services/caching_modes/cachingMode.js 0 main STP
-<deliverydir>/external/dcap_source/QuoteGeneration/pccs/services/caching_modes/cachingModeManager.js <installdir>/services/caching_modes/cachingModeManager.js 0 main STP
-<deliverydir>/external/dcap_source/QuoteGeneration/pccs/services/logic/commonCacheLogic.js <installdir>/services/logic/commonCacheLogic.js 0 main STP
-<deliverydir>/external/dcap_source/QuoteGeneration/pccs/services/logic/qvCollateralLogic.js <installdir>/services/logic/qvCollateralLogic.js 0 main STP
-<deliverydir>/external/dcap_source/QuoteGeneration/pccs/utils/Logger.js <installdir>/utils/Logger.js 0 main STP
-<deliverydir>/external/dcap_source/QuoteGeneration/pccs/utils/PccsError.js <installdir>/utils/PccsError.js 0 main STP
-<deliverydir>/external/dcap_source/QuoteGeneration/pccs/utils/apputil.js <installdir>/utils/apputil.js 0 main STP
-<deliverydir>/external/dcap_source/QuoteGeneration/pccs/x509/x509.js <installdir>/x509/x509.js 0 main STP
-<deliverydir>/external/dcap_source/QuoteGeneration/pccs/install.sh <installdir>/install.sh 0 main STP
-<deliverydir>/external/dcap_source/QuoteGeneration/pccs/package.json <installdir>/package.json 0 main STP
-<deliverydir>/external/dcap_source/QuoteGeneration/pccs/pccs_server.js <installdir>/pccs_server.js 0 main STP
-<deliverydir>/external/dcap_source/QuoteGeneration/pccs/pccs.service <installdir>/pccs.service 0 main STP
-<deliverydir>/external/dcap_source/QuoteGeneration/pccs/startup.sh <installdir>/startup.sh 0 main STP
-<deliverydir>/external/dcap_source/QuoteGeneration/pccs/cleanup.sh <installdir>/cleanup.sh 0 main STP
-<deliverydir>/external/dcap_source/QuoteGeneration/pccs/README.md <installdir>/README.md 0 main STP
diff --git a/linux/installer/common/psw-tdx/Makefile b/linux/installer/common/psw-tdx/Makefile
index 4f50ee49..0e8cb3e7 100644
--- a/linux/installer/common/psw-tdx/Makefile
+++ b/linux/installer/common/psw-tdx/Makefile
@@ -80,9 +80,6 @@ QGSD_CONF=qgsd.service
QGSD_CONF_DEL=qgsd.conf
QGSD_CONF_PATH=$(if $(wildcard /lib/systemd/system/.),/lib/systemd/system,/usr/lib/systemd/system)
-PCCS_CONF=pccs.service
-PCCS_CONF_PATH=$(if $(wildcard /lib/systemd/system/.),/lib/systemd/system,/usr/lib/systemd/system)
-
RAD_CONF=mpa_registration_tool.service
RAD_CONF_DEL=mpa_registration_tool.conf
RAD_CONF_PATH=$(if $(wildcard /lib/systemd/system/.),/lib/systemd/system,/usr/lib/systemd/system)
@@ -160,7 +157,7 @@ ALL_PKGS:= $(TDX_QGS_PKGS) $(AE_PKGS) $(DEV_LIB_PKGS)
$(foreach PKG,$(TDX_QGS_PKGS) $(AE_PKGS),$(eval $(call INSTALL_AESM_SERVICE_TEMPLATE,$(PKG))))
$(foreach PKG,$(DEV_LIB_PKGS),$(eval $(call INSTALL_DEV_LIB_TEMPLATE,$(PKG))))
-$(foreach PKG,$(ALL_PKGS) $(DCAP_PCCS_PACKAGE) $(RA_SERVICE_PACKAGE) $(PCK_ID_RETRIEVAL_TOOL_PACKAGE),$(eval $(call PRE_INSTALL_TEMPLATE,$(PKG))))
+$(foreach PKG,$(ALL_PKGS) $(RA_SERVICE_PACKAGE) $(PCK_ID_RETRIEVAL_TOOL_PACKAGE),$(eval $(call PRE_INSTALL_TEMPLATE,$(PKG))))
PHONY+=$(ALL_PKGS)
PHONY+=$(foreach PKG,$(ALL_PKGS),pre_$(PKG))
@@ -184,14 +181,6 @@ install_$(TDX_QGS_PACKAGE): $(foreach PKG,$(TDX_QGS_PKGS),post_$(PKG))
$(DESTDIR)/$(TDX_QGS_PACKAGE)/$(ETC_DIR) && \
rm -fr $(DESTDIR)/$(TDX_QGS_PACKAGE)/$(SGX_INSTALL_PATH)/$(TDX_QGS_PACKAGE)/conf))
-PHONY+=install_$(DCAP_PCCS_PACKAGE)
-install_$(DCAP_PCCS_PACKAGE): pre_$(DCAP_PCCS_PACKAGE) | $(PACKAGE_ROOT_PATH)
- install -d $(shell readlink -m $(DESTDIR)/$(DCAP_PCCS_PACKAGE)/$(PCCS_CONF_PATH)) && \
- cp -f $|/$(DCAP_PCCS_PACKAGE)/$(PCCS_CONF) $(DESTDIR)/$(DCAP_PCCS_PACKAGE)/$(PCCS_CONF_PATH) && \
- rm -f $|/$(DCAP_PCCS_PACKAGE)/$(PCCS_CONF)
- install -d $(shell readlink -m $(DESTDIR)/$(DCAP_PCCS_PACKAGE)/$(SGX_INSTALL_PATH)/$(DCAP_PCCS_PACKAGE)) && \
- cp -fr $|/$(DCAP_PCCS_PACKAGE)/* $(DESTDIR)/$(DCAP_PCCS_PACKAGE)/$(SGX_INSTALL_PATH)/$(DCAP_PCCS_PACKAGE)
-
PHONY+=$(RA_SERVICE_PACKAGE)
$(RA_SERVICE_PACKAGE): pre_$(RA_SERVICE_PACKAGE) | $(PACKAGE_ROOT_PATH)
install -d $(shell readlink -m $(DESTDIR)/$@/$(SGX_INSTALL_PATH)/$@) && \
@@ -291,7 +280,6 @@ install_dev_lib: $(foreach PKG,$(DEV_LIB_PKGS),post_$(PKG))
PHONY+=install
install: install_$(TDX_QGS_PACKAGE) \
- install_$(DCAP_PCCS_PACKAGE) \
install_$(RA_SERVICE_PACKAGE) \
install_$(PCK_ID_RETRIEVAL_TOOL_PACKAGE) \
install_ae \
diff --git a/linux/installer/common/psw-tdx/installConfig b/linux/installer/common/psw-tdx/installConfig
index 7129b71d..c55a8ada 100644
--- a/linux/installer/common/psw-tdx/installConfig
+++ b/linux/installer/common/psw-tdx/installConfig
@@ -16,7 +16,6 @@ TDX_ATTEST_PACKAGE=libtdx-attest
TDX_ATTEST_DEV_PACKAGE=libtdx-attest-devel
DCAP_QVL_PACKAGE=libsgx-dcap-quote-verify
DCAP_QVL_DEV_PACKAGE=libsgx-dcap-quote-verify-devel
-DCAP_PCCS_PACKAGE=sgx-dcap-pccs
PCK_ID_RETRIEVAL_TOOL_PACKAGE=sgx-pck-id-retrieval-tool
RA_NETWORK_PACKAGE=libsgx-ra-network
RA_NETWORK_DEV_PACKAGE=libsgx-ra-network-devel
diff --git a/linux/installer/rpm/psw-dcap/build.sh b/linux/installer/rpm/psw-dcap/build.sh
index 22c8eef5..6188e816 100755
--- a/linux/installer/rpm/psw-dcap/build.sh
+++ b/linux/installer/rpm/psw-dcap/build.sh
@@ -63,7 +63,6 @@ update_spec() {
-e "s:@dcap_version@:${dcap_version}:" \
-e "s:@aesm_service_path@:${SGX_INSTALL_PATH}/${AESM_SERVICE_PACKAGE}:" \
-e "s:@ra_service_path@:${SGX_INSTALL_PATH}/${RA_SERVICE_PACKAGE}:" \
- -e "s:@dcap_pccs_path@:${SGX_INSTALL_PATH}/${DCAP_PCCS_PACKAGE}:" \
-e "s:@pck_id_retrieval_tool_path@:${SGX_INSTALL_PATH}/${PCK_ID_RETRIEVAL_TOOL_PACKAGE}:" \
${cur_dir}/${psw_dcap}.spec.tmpl > ${cur_dir}/${rpm_build_dir}/SPECS/${psw_dcap}.spec
diff --git a/linux/installer/rpm/psw-dcap/psw-dcap.spec.tmpl b/linux/installer/rpm/psw-dcap/psw-dcap.spec.tmpl
index c7ba4c12..66fc4a78 100644
--- a/linux/installer/rpm/psw-dcap/psw-dcap.spec.tmpl
+++ b/linux/installer/rpm/psw-dcap/psw-dcap.spec.tmpl
@@ -31,7 +31,6 @@
%define _aesm_service_path @aesm_service_path@
%define _ra_service_path @ra_service_path@
-%define _dcap_pccs_path @dcap_pccs_path@
%define _pck_id_retrieval_tool_path @pck_id_retrieval_tool_path@
%define _psw_version @psw_version@
%define _dcap_version @dcap_version@
@@ -303,14 +302,6 @@ Requires: libsgx-dcap-quote-verify = %{version}-%{release} libsgx-headers >
%description -n libsgx-dcap-quote-verify-devel
Intel(R) Software Guard Extensions Data Center Attestation Primitives Quote Verification Library for Developers
-%package -n sgx-dcap-pccs
-Version: %{_dcap_version}
-Summary: Intel(R) Software Guard Extensions PCK Caching Service
-Requires: gcc gcc-c++ make
-
-%description -n sgx-dcap-pccs
-Intel(R) Software Guard Extensions PCK Caching Service
-
%package -n libsgx-ra-network
Version: %{_dcap_version}
Summary: Intel(R) Software Guard Extensions Registration Agent Network Library
@@ -378,14 +369,13 @@ for pkg in $(ls -A %{?buildroot} 2> /dev/null |grep -v "license"); do
grep -v "^%{_includedir}" | \
grep -v "^%{_sysconfdir}" | \
grep -v "^%{_aesm_service_path}" | \
- grep -v "^%{_dcap_pccs_path}" | \
grep -v "^%{_ra_service_path}" | \
grep -v "^%{_pck_id_retrieval_tool_path}" | \
sed -e "s#^#%dir #" > %{_specdir}/list-${pkg}
for f in $(find %{?buildroot}/${pkg}); do
if [ -d ${f} ]; then
echo ${f} | sed -e "s#^%{?buildroot}/${pkg}##" | \
- grep -E "^%{_aesm_service_path}|^%{_dcap_pccs_path}|^%{_ra_service_path}|^%{_pck_id_retrieval_tool_path}" | \
+ grep -E "^%{_aesm_service_path}|^%{_ra_service_path}|^%{_pck_id_retrieval_tool_path}" | \
sed -e "s#^#%dir #" >> %{_specdir}/list-${pkg}
else
echo ${f} | \
@@ -395,7 +385,7 @@ for pkg in $(ls -A %{?buildroot} 2> /dev/null |grep -v "license"); do
cp -r %{?buildroot}/${pkg}/* %{?buildroot}/
rm -fr %{?buildroot}/${pkg}
sed -i -e 's:^/etc/.*\.conf:%config &:' \
- -e 's:^%{_dcap_pccs_path}/config/default\.json:%config &:' %{_specdir}/list-${pkg}
+ %{_specdir}/list-${pkg}
done
rm -fr %{?buildroot}/license
@@ -433,7 +423,6 @@ make clean
%files -n libsgx-dcap-ql-devel -f %{_specdir}/list-libsgx-dcap-ql-devel
%files -n libsgx-dcap-quote-verify -f %{_specdir}/list-libsgx-dcap-quote-verify
%files -n libsgx-dcap-quote-verify-devel -f %{_specdir}/list-libsgx-dcap-quote-verify-devel
-%files -n sgx-dcap-pccs -f %{_specdir}/list-sgx-dcap-pccs
%files -n libsgx-ra-network -f %{_specdir}/list-libsgx-ra-network
%files -n libsgx-ra-network-devel -f %{_specdir}/list-libsgx-ra-network-devel
%files -n libsgx-ra-uefi -f %{_specdir}/list-libsgx-ra-uefi
@@ -447,12 +436,6 @@ if [ -x %{_aesm_service_path}/startup.sh ]; then %{_aesm_service_path}/startup.s
%preun
if [ -x %{_aesm_service_path}/cleanup.sh ]; then %{_aesm_service_path}/cleanup.sh; fi
-%posttrans -n sgx-dcap-pccs
-if [ -x %{_dcap_pccs_path}/startup.sh ]; then %{_dcap_pccs_path}/startup.sh; fi
-
-%preun -n sgx-dcap-pccs
-if [ -x %{_dcap_pccs_path}/cleanup.sh ]; then %{_dcap_pccs_path}/cleanup.sh; fi
-
%posttrans -n sgx-ra-service
if [ -x %{_ra_service_path}/startup.sh ]; then %{_ra_service_path}/startup.sh; fi
diff --git a/linux/installer/rpm/psw-tdx/build.sh b/linux/installer/rpm/psw-tdx/build.sh
index f42d6bd2..25a683c8 100755
--- a/linux/installer/rpm/psw-tdx/build.sh
+++ b/linux/installer/rpm/psw-tdx/build.sh
@@ -63,7 +63,6 @@ update_spec() {
-e "s:@dcap_version@:${dcap_version}:" \
-e "s:@tdx_qgs_path@:${SGX_INSTALL_PATH}/${TDX_QGS_PACKAGE}:" \
-e "s:@ra_service_path@:${SGX_INSTALL_PATH}/${RA_SERVICE_PACKAGE}:" \
- -e "s:@dcap_pccs_path@:${SGX_INSTALL_PATH}/${DCAP_PCCS_PACKAGE}:" \
-e "s:@pck_id_retrieval_tool_path@:${SGX_INSTALL_PATH}/${PCK_ID_RETRIEVAL_TOOL_PACKAGE}:" \
${cur_dir}/${psw_tdx}.spec.tmpl > ${cur_dir}/${rpm_build_dir}/SPECS/${psw_tdx}.spec
diff --git a/linux/installer/rpm/psw-tdx/psw-tdx.spec.tmpl b/linux/installer/rpm/psw-tdx/psw-tdx.spec.tmpl
index 0dd5fd8c..67eab01a 100644
--- a/linux/installer/rpm/psw-tdx/psw-tdx.spec.tmpl
+++ b/linux/installer/rpm/psw-tdx/psw-tdx.spec.tmpl
@@ -31,7 +31,6 @@
%define _tdx_qgs_path @tdx_qgs_path@
%define _ra_service_path @ra_service_path@
-%define _dcap_pccs_path @dcap_pccs_path@
%define _pck_id_retrieval_tool_path @pck_id_retrieval_tool_path@
%define _psw_version @psw_version@
%define _dcap_version @dcap_version@
@@ -198,14 +197,6 @@ Requires: libsgx-dcap-quote-verify = %{version}-%{release} libsgx-headers >
%description -n libsgx-dcap-quote-verify-devel
Intel(R) Software Guard Extensions Data Center Attestation Primitives Quote Verification Library for Developers
-%package -n sgx-dcap-pccs
-Version: %{_dcap_version}
-Summary: Intel(R) Software Guard Extensions PCK Caching Service
-Requires: gcc gcc-c++ make
-
-%description -n sgx-dcap-pccs
-Intel(R) Software Guard Extensions PCK Caching Service
-
%package -n libsgx-ra-network
Version: %{_dcap_version}
Summary: Intel(R) Software Guard Extensions Registration Agent Network Library
@@ -273,14 +264,13 @@ for pkg in $(ls -A %{?buildroot} 2> /dev/null |grep -v "license"); do
grep -v "^%{_includedir}" | \
grep -v "^%{_sysconfdir}" | \
grep -v "^%{_tdx_qgs_path}" | \
- grep -v "^%{_dcap_pccs_path}" | \
grep -v "^%{_ra_service_path}" | \
grep -v "^%{_pck_id_retrieval_tool_path}" | \
sed -e "s#^#%dir #" > %{_specdir}/list-${pkg}
for f in $(find %{?buildroot}/${pkg}); do
if [ -d ${f} ]; then
echo ${f} | sed -e "s#^%{?buildroot}/${pkg}##" | \
- grep -E "^%{_tdx_qgs_path}|^%{_dcap_pccs_path}|^%{_ra_service_path}|^%{_pck_id_retrieval_tool_path}" | \
+ grep -E "^%{_tdx_qgs_path}|^%{_ra_service_path}|^%{_pck_id_retrieval_tool_path}" | \
sed -e "s#^#%dir #" >> %{_specdir}/list-${pkg}
else
echo ${f} | \
@@ -290,7 +280,7 @@ for pkg in $(ls -A %{?buildroot} 2> /dev/null |grep -v "license"); do
cp -r %{?buildroot}/${pkg}/* %{?buildroot}/
rm -fr %{?buildroot}/${pkg}
sed -i -e 's:^/etc/.*\.conf:%config &:' \
- -e 's:^%{_dcap_pccs_path}/config/default\.json:%config &:' %{_specdir}/list-${pkg}
+ %{_specdir}/list-${pkg}
done
rm -fr %{?buildroot}/license
@@ -315,7 +305,6 @@ make clean
%files -n libtdx-attest-devel -f %{_specdir}/list-libtdx-attest-devel
%files -n libsgx-dcap-quote-verify -f %{_specdir}/list-libsgx-dcap-quote-verify
%files -n libsgx-dcap-quote-verify-devel -f %{_specdir}/list-libsgx-dcap-quote-verify-devel
-%files -n sgx-dcap-pccs -f %{_specdir}/list-sgx-dcap-pccs
%files -n libsgx-ra-network -f %{_specdir}/list-libsgx-ra-network
%files -n libsgx-ra-network-devel -f %{_specdir}/list-libsgx-ra-network-devel
%files -n libsgx-ra-uefi -f %{_specdir}/list-libsgx-ra-uefi
@@ -329,12 +318,6 @@ if [ -x %{_tdx_qgs_path}/startup.sh ]; then %{_tdx_qgs_path}/startup.sh; fi
%preun
if [ -x %{_tdx_qgs_path}/cleanup.sh ]; then %{_tdx_qgs_path}/cleanup.sh; fi
-%posttrans -n sgx-dcap-pccs
-if [ -x %{_dcap_pccs_path}/startup.sh ]; then %{_dcap_pccs_path}/startup.sh; fi
-
-%preun -n sgx-dcap-pccs
-if [ -x %{_dcap_pccs_path}/cleanup.sh ]; then %{_dcap_pccs_path}/cleanup.sh; fi
-
%posttrans -n sgx-ra-service
if [ -x %{_ra_service_path}/startup.sh ]; then %{_ra_service_path}/startup.sh; fi
--
2.48.1

6
0011-psw-fix-soname-for-libuae_service.so-library.patch → 0009-psw-fix-soname-for-libuae_service.so-library.patch
View File

@ -1,7 +1,7 @@
From 44fa7a1f6108ae855419f32288573ff3c51f1fa4 Mon Sep 17 00:00:00 2001
From 6d0fee06ee6c87f8f89aac9947bb8b3df9930238 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?= <berrange@redhat.com>
Date: Fri, 17 Jan 2025 15:38:56 +0000
Subject: [PATCH 11/16] psw: fix soname for libuae_service.so library
Subject: [PATCH 09/15] psw: fix soname for libuae_service.so library
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
@ -25,5 +25,5 @@ index bffbdc5b..81f5c4b7 100644
$(IPC_SRC:.cpp=.o) : $(IPC_COMMON_PROTO_DIR)/messages.pb.cc
AEServicesImpl.o : $(IPC_COMMON_PROTO_DIR)/messages.pb.cc
--
2.48.1
2.49.0

6
0012-pcl-remove-redundant-use-of-bool-type.patch → 0010-pcl-remove-redundant-use-of-bool-type.patch
View File

@ -1,7 +1,7 @@
From 64e9315acfc84f84299e8f0d8d890f158d972b0f Mon Sep 17 00:00:00 2001
From 26f9569bf1ea44bc2e937b8ccbb1141bb1f88274 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?= <berrange@redhat.com>
Date: Thu, 6 Feb 2025 09:54:33 +0000
Subject: [PATCH 12/16] pcl: remove redundant use of 'bool' type
Subject: [PATCH 10/15] pcl: remove redundant use of 'bool' type
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
@ -45,5 +45,5 @@ index 5ad6efde..b78ca907 100644
#endif // #ifdef SE_SIM
--
2.48.1
2.49.0

14
0013-sdk-honour-CFLAGS-LDFLAGS-set-from-environment.patch → 0011-sdk-honour-CFLAGS-LDFLAGS-set-from-environment.patch
View File

@ -1,7 +1,7 @@
From 51aa96fc252d5792ca26132478eb5c1c8af1a63c Mon Sep 17 00:00:00 2001
From 5e43013eff1a6d558f1bad189cae185b383c49f6 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?= <berrange@redhat.com>
Date: Thu, 27 Mar 2025 14:17:01 +0000
Subject: [PATCH 13/16] sdk: honour CFLAGS/LDFLAGS set from environment
Subject: [PATCH 11/15] sdk: honour CFLAGS/LDFLAGS set from environment
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
@ -49,7 +49,7 @@ index d388dc1d..867de978 100644
LINK_FLAGS := -lcrypto -L$(BUILD_DIR) -lsgx_tservice
CPP_FILES := encryptip.cpp
diff --git a/sdk/sign_tool/SignTool/Makefile b/sdk/sign_tool/SignTool/Makefile
index 219fb5ad..fe16b392 100644
index 1dcb6f51..1601de09 100644
--- a/sdk/sign_tool/SignTool/Makefile
+++ b/sdk/sign_tool/SignTool/Makefile
@@ -40,7 +40,7 @@ FLAGS += -DSE_DEBUG_LEVEL=SE_TRACE_ERROR
@ -88,7 +88,7 @@ index 45ddb576..865d5556 100644
RDRAND_LIBDIR := $(LINUX_EXTERNAL_DIR)/rdrand/src
RDRAND_MAKEFILE := $(RDRAND_LIBDIR)/Makefile
diff --git a/sdk/simulation/urtssim/linux/Makefile b/sdk/simulation/urtssim/linux/Makefile
index 505ce8d9..b340463a 100644
index ea8ca78c..dd716f2b 100644
--- a/sdk/simulation/urtssim/linux/Makefile
+++ b/sdk/simulation/urtssim/linux/Makefile
@@ -65,9 +65,9 @@ DIR5 := $(LINUX_PSW_DIR)/../common/src/linux
@ -103,7 +103,7 @@ index 505ce8d9..b340463a 100644
OBJ1 := enclave.o \
tcs.o \
@@ -119,7 +119,7 @@ vpath %.cpp .:$(DIR1):$(DIR2):$(DIR3):$(DIR4):$(DIR6)
@@ -120,7 +120,7 @@ vpath %.cpp .:$(DIR1):$(DIR2):$(DIR3):$(DIR4):$(DIR6)
vpath %.S .:$(DIR2):$(DIR5)
vpath %.c .:$(DIR6)
@ -112,7 +112,7 @@ index 505ce8d9..b340463a 100644
LIBURTSSIM_SHARED := libsgx_urts_sim.so
LIBURTS_DEPLOY := libsgx_urts_deploy.so
@@ -133,7 +133,7 @@ all: $(LIBURTSSIM_SHARED) $(LIBURTS_DEPLOY)| $(BUILD_DIR)
@@ -134,7 +134,7 @@ all: $(LIBURTSSIM_SHARED) $(LIBURTS_DEPLOY)| $(BUILD_DIR)
$(CP) $(LIBURTS_DEPLOY) $|
$(LIBURTSSIM_SHARED): simasm uinst driver_api wrapper uae_service_sim $(OBJ) $(OBJ6) ittnotify
@ -122,5 +122,5 @@ index 505ce8d9..b340463a 100644
$(BUILD_DIR):
@$(MKDIR) $@
--
2.48.1
2.49.0

6
0014-psw-make-aesm_service-build-verbose.patch → 0012-psw-make-aesm_service-build-verbose.patch
View File

@ -1,7 +1,7 @@
From e2f8a9054e512b3c49f4264824892baf07898efc Mon Sep 17 00:00:00 2001
From e9ca38a6045c2ad5d5277cb52bc175eb56ee7466 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?= <berrange@redhat.com>
Date: Thu, 27 Mar 2025 16:07:10 +0000
Subject: [PATCH 14/16] psw: make aesm_service build verbose.
Subject: [PATCH 12/15] psw: make aesm_service build verbose.
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
@ -25,5 +25,5 @@ index 89a15875..dbfa3fb6 100644
$(CP) $(CPPMICROSERVICES) source/build/bin/
endif
--
2.48.1
2.49.0

6
0015-Fix-modern-C-function-prototype-compliance.patch → 0013-Fix-modern-C-function-prototype-compliance.patch
View File

@ -1,7 +1,7 @@
From f70028402c31652c65277291e93b4c565c8863ad Mon Sep 17 00:00:00 2001
From 0ef77c5de1ae80a8a1df4280af1dbd1fba6ebe46 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?= <berrange@redhat.com>
Date: Mon, 31 Mar 2025 10:55:25 +0100
Subject: [PATCH 15/16] Fix modern C function prototype compliance
Subject: [PATCH 13/15] Fix modern C function prototype compliance
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
@ -39,5 +39,5 @@ index 8e4e7600..8c38bb68 100644
g_sys_ptrace = (ptrace_t)dlsym(RTLD_NEXT, "ptrace");
g_sys_waitpid = (waitpid_t)dlsym(RTLD_NEXT, "waitpid");
--
2.48.1
2.49.0

8
0016-Add-wrapper-for-nasm-to-fix-cmake-compat.patch → 0014-Add-wrapper-for-nasm-to-fix-cmake-compat.patch
View File

@ -1,7 +1,7 @@
From dc2be9ad1955e85006604ef2840357a1dedf856c Mon Sep 17 00:00:00 2001
From 77f998c285d15d31ec9104d413b380f90fa91970 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?= <berrange@redhat.com>
Date: Wed, 2 Apr 2025 17:11:25 +0100
Subject: [PATCH 16/16] Add wrapper for nasm to fix cmake compat
Subject: [PATCH 14/15] Add wrapper for nasm to fix cmake compat
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
@ -37,7 +37,7 @@ index 00000000..4ad75f73
+ exec python ${here}/sgx-asm-pp.py --assembler=nasm --MITIGATION-CVE-2020-0551=${MITIGATION} "$@"
+fi
diff --git a/external/ippcp_internal/Makefile b/external/ippcp_internal/Makefile
index 70718f5e..d8efe418 100644
index d78ba90e..71a40247 100644
--- a/external/ippcp_internal/Makefile
+++ b/external/ippcp_internal/Makefile
@@ -58,10 +58,12 @@ IPP_CONFIG += -DIPPCP_FIPS_MODE=on -DFIPS_CUSTOM_IPPCP_API_HEADER=$(CURDIR)/inc
@ -65,5 +65,5 @@ index 70718f5e..d8efe418 100644
$(IPP_SOURCE)/build:
ifeq ($(IPP_USE_GIT), 1)
--
2.48.1
2.49.0

72
0015-fix-BOM-for-pccs-with-DCAP-1.23.patch Normal file
View File

@ -0,0 +1,72 @@
From 595343c8d79a45760a30b30e1bd66f4079c61f52 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?= <berrange@redhat.com>
Date: Fri, 27 Jun 2025 11:37:26 +0100
Subject: [PATCH 15/15] fix BOM for pccs with DCAP 1.23
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
The BOM for pccs is missing various files causing it to fail to start.
This change is synced from the BOM filelist seen in the DCAP git repo.
Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
---
.../common/psw-tdx/BOM_install/sgx-dcap-pccs.txt | 9 +++++++++
1 file changed, 9 insertions(+)
diff --git a/linux/installer/common/psw-tdx/BOM_install/sgx-dcap-pccs.txt b/linux/installer/common/psw-tdx/BOM_install/sgx-dcap-pccs.txt
index d70745c9..73c687b3 100644
--- a/linux/installer/common/psw-tdx/BOM_install/sgx-dcap-pccs.txt
+++ b/linux/installer/common/psw-tdx/BOM_install/sgx-dcap-pccs.txt
@@ -12,6 +12,7 @@ DeliveryName InstallName FileCheckSum FileFeature FileOwner
<deliverydir>/external/dcap_source/QuoteGeneration/pccs/controllers/rootcacrlController.js <installdir>/controllers/rootcacrlController.js 0 main STP
<deliverydir>/external/dcap_source/QuoteGeneration/pccs/controllers/tcbinfoController.js <installdir>/controllers/tcbinfoController.js 0 main STP
<deliverydir>/external/dcap_source/QuoteGeneration/pccs/controllers/crlController.js <installdir>/controllers/crlController.js 0 main STP
+<deliverydir>/external/dcap_source/QuoteGeneration/pccs/controllers/appraisalPolicyController.js <installdir>/controllers/appraisalPolicyController.js 0 main STP
<deliverydir>/external/dcap_source/QuoteGeneration/pccs/dao/models/fmspc_tcbs.js <installdir>/dao/models/fmspc_tcbs.js 0 main STP
<deliverydir>/external/dcap_source/QuoteGeneration/pccs/dao/models/index.js <installdir>/dao/models/index.js 0 main STP
<deliverydir>/external/dcap_source/QuoteGeneration/pccs/dao/models/pck_cert.js <installdir>/dao/models/pck_cert.js 0 main STP
@@ -24,6 +25,7 @@ DeliveryName InstallName FileCheckSum FileFeature FileOwner
<deliverydir>/external/dcap_source/QuoteGeneration/pccs/dao/models/platforms.js <installdir>/dao/models/platforms.js 0 main STP
<deliverydir>/external/dcap_source/QuoteGeneration/pccs/dao/models/enclave_identities.js <installdir>/dao/models/enclave_identities.js 0 main STP
<deliverydir>/external/dcap_source/QuoteGeneration/pccs/dao/models/crl_cache.js <installdir>/dao/models/crl_cache.js 0 main STP
+<deliverydir>/external/dcap_source/QuoteGeneration/pccs/dao/models/appraisal_policy.js <installdir>/dao/models/appraisal_policy.js 0 main STP
<deliverydir>/external/dcap_source/QuoteGeneration/pccs/dao/fmspcTcbDao.js <installdir>/dao/fmspcTcbDao.js 0 main STP
<deliverydir>/external/dcap_source/QuoteGeneration/pccs/dao/pckCertchainDao.js <installdir>/dao/pckCertchainDao.js 0 main STP
<deliverydir>/external/dcap_source/QuoteGeneration/pccs/dao/pckcertDao.js <installdir>/dao/pckcertDao.js 0 main STP
@@ -35,14 +37,19 @@ DeliveryName InstallName FileCheckSum FileFeature FileOwner
<deliverydir>/external/dcap_source/QuoteGeneration/pccs/dao/platformTcbsDao.js <installdir>/dao/platformTcbsDao.js 0 main STP
<deliverydir>/external/dcap_source/QuoteGeneration/pccs/dao/enclaveIdentityDao.js <installdir>/dao/enclaveIdentityDao.js 0 main STP
<deliverydir>/external/dcap_source/QuoteGeneration/pccs/dao/crlCacheDao.js <installdir>/dao/crlCacheDao.js 0 main STP
+<deliverydir>/external/dcap_source/QuoteGeneration/pccs/dao/appraisalPolicyDao.js <installdir>/dao/appraisalPolicyDao.js 0 main STP
<deliverydir>/external/dcap_source/tools/PCKCertSelection/out/libPCKCertSelection.so <installdir>/lib/libPCKCertSelection.so 0 main STP
<deliverydir>/external/dcap_source/QuoteGeneration/pccs/lib_wrapper/pcklib_wrapper.js <installdir>/lib_wrapper/pcklib_wrapper.js 0 main STP
<deliverydir>/external/dcap_source/QuoteGeneration/pccs/middleware/auth.js <installdir>/middleware/auth.js 0 main STP
<deliverydir>/external/dcap_source/QuoteGeneration/pccs/middleware/error.js <installdir>/middleware/error.js 0 main STP
<deliverydir>/external/dcap_source/QuoteGeneration/pccs/middleware/addRequestId.js <installdir>/middleware/addRequestId.js 0 main STP
+<deliverydir>/external/dcap_source/QuoteGeneration/pccs/middleware/filterDuplicatedParams.js <installdir>/middleware/filterDuplicatedParams.js 0 main STP
<deliverydir>/external/dcap_source/QuoteGeneration/pccs/migrations/00_db_initialize.up.sql <installdir>/migrations/00_db_initialize.up.sql 0 main STP
<deliverydir>/external/dcap_source/QuoteGeneration/pccs/migrations/01_db_version_1.js <installdir>/migrations/01_db_version_1.js 0 main STP
<deliverydir>/external/dcap_source/QuoteGeneration/pccs/migrations/02_db_version_2.js <installdir>/migrations/02_db_version_2.js 0 main STP
+<deliverydir>/external/dcap_source/QuoteGeneration/pccs/migrations/03_db_version_3.js <installdir>/migrations/03_db_version_3.js 0 main STP
+<deliverydir>/external/dcap_source/QuoteGeneration/pccs/migrations/04_db_version_4.js <installdir>/migrations/04_db_version_4.js 0 main STP
+<deliverydir>/external/dcap_source/QuoteGeneration/pccs/migrations/05_db_version_5.js <installdir>/migrations/05_db_version_5.js 0 main STP
<deliverydir>/external/dcap_source/QuoteGeneration/pccs/pcs_client/pcs_client.js <installdir>/pcs_client/pcs_client.js 0 main STP
<deliverydir>/external/dcap_source/QuoteGeneration/pccs/routes/index.js <installdir>/routes/index.js 0 main STP
<deliverydir>/external/dcap_source/QuoteGeneration/pccs/services/identityService.js <installdir>/services/identityService.js 0 main STP
@@ -57,6 +64,7 @@ DeliveryName InstallName FileCheckSum FileFeature FileOwner
<deliverydir>/external/dcap_source/QuoteGeneration/pccs/services/rootcacrlService.js <installdir>/services/rootcacrlService.js 0 main STP
<deliverydir>/external/dcap_source/QuoteGeneration/pccs/services/tcbinfoService.js <installdir>/services/tcbinfoService.js 0 main STP
<deliverydir>/external/dcap_source/QuoteGeneration/pccs/services/crlService.js <installdir>/services/crlService.js 0 main STP
+<deliverydir>/external/dcap_source/QuoteGeneration/pccs/services/appraisalPolicyService.js <installdir>/services/appraisalPolicyService.js 0 main STP
<deliverydir>/external/dcap_source/QuoteGeneration/pccs/services/caching_modes/cachingMode.js <installdir>/services/caching_modes/cachingMode.js 0 main STP
<deliverydir>/external/dcap_source/QuoteGeneration/pccs/services/caching_modes/cachingModeManager.js <installdir>/services/caching_modes/cachingModeManager.js 0 main STP
<deliverydir>/external/dcap_source/QuoteGeneration/pccs/services/logic/commonCacheLogic.js <installdir>/services/logic/commonCacheLogic.js 0 main STP
@@ -72,3 +80,4 @@ DeliveryName InstallName FileCheckSum FileFeature FileOwner
<deliverydir>/external/dcap_source/QuoteGeneration/pccs/startup.sh <installdir>/startup.sh 0 main STP
<deliverydir>/external/dcap_source/QuoteGeneration/pccs/cleanup.sh <installdir>/cleanup.sh 0 main STP
<deliverydir>/external/dcap_source/QuoteGeneration/pccs/README.md <installdir>/README.md 0 main STP
+<deliverydir>/external/dcap_source/QuoteGeneration/pccs/nodejs.cnf <installdir>/nodejs.cnf 0 main STP
--
2.49.0

14
0050-Disable-inclusion-of-AESM-in-installer.patch
View File

@ -1,4 +1,4 @@
From 07f39d2eb84d66fd19d025856747c5521068f26c Mon Sep 17 00:00:00 2001
From 550144746385554702fdcd65bbe8638cda08d055 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?= <berrange@redhat.com>
Date: Tue, 11 Feb 2025 14:58:58 +0000
Subject: [PATCH] Disable inclusion of AESM in installer
@ -16,10 +16,10 @@ Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
2 files changed, 3 insertions(+), 28 deletions(-)
diff --git a/linux/installer/common/psw-dcap/Makefile b/linux/installer/common/psw-dcap/Makefile
index 5e8a8560..e8dd018b 100644
index a85c8b82..3ea22440 100644
--- a/linux/installer/common/psw-dcap/Makefile
+++ b/linux/installer/common/psw-dcap/Makefile
@@ -147,13 +147,7 @@ post_$(1): $(1) | $(PACKAGE_ROOT_PATH)
@@ -150,13 +150,7 @@ post_$(1): $(1) | $(PACKAGE_ROOT_PATH)
cp -fr $$|/$$</* $(DESTDIR)/$$< ) ||:
endef
@ -34,7 +34,7 @@ index 5e8a8560..e8dd018b 100644
$(PCE_LOGIC_PACKAGE)
AE_PKGS:= $(AE_EPID_PACKAGE) \
@@ -197,25 +191,6 @@ PHONY+=$(foreach PKG,$(ALL_PKGS),post_$(PKG))
@@ -200,25 +194,6 @@ PHONY+=$(foreach PKG,$(ALL_PKGS),post_$(PKG))
PHONY+=install_$(AESM_SERVICE_PACKAGE)
install_$(AESM_SERVICE_PACKAGE): $(foreach PKG,$(AESM_SERVICE_PKGS),post_$(PKG))
@ -58,8 +58,8 @@ index 5e8a8560..e8dd018b 100644
- ln -fs $(shell readlink -m $(USR_LIB_PATH)/libsgx_pce.signed.so) && \
- ln -fs liburts_internal.so libsgx_urts.so.$(URTS_MAJOR_VER)
PHONY+=$(RA_SERVICE_PACKAGE)
$(RA_SERVICE_PACKAGE): pre_$(RA_SERVICE_PACKAGE) | $(PACKAGE_ROOT_PATH)
PHONY+=install_$(DCAP_PCCS_PACKAGE)
install_$(DCAP_PCCS_PACKAGE): pre_$(DCAP_PCCS_PACKAGE) | $(PACKAGE_ROOT_PATH)
diff --git a/psw/ae/Makefile b/psw/ae/Makefile
index a810d6b9..82a07af1 100644
--- a/psw/ae/Makefile
@ -77,5 +77,5 @@ index a810d6b9..82a07af1 100644
# COPY_AES: currently copy le, qe, pve, pce, qe3
--
2.48.1
2.49.0

18
0100-Drop-use-of-bundled-pre-built-openssl.patch
View File

@ -1,7 +1,7 @@
From d70390caa01c88dd681e6ce68f850d26a33bb838 Mon Sep 17 00:00:00 2001
From cf39f86bcca57579013cee5967d39cdaca15cbc4 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?= <berrange@redhat.com>
Date: Mon, 26 Feb 2024 12:19:51 +0000
Subject: [PATCH 100/117] Drop use of bundled pre-built openssl
Subject: [PATCH 100/136] Drop use of bundled pre-built openssl
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
@ -20,7 +20,7 @@ Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
6 files changed, 14 insertions(+), 24 deletions(-)
diff --git a/QuoteGeneration/qcnl/linux/Makefile b/QuoteGeneration/qcnl/linux/Makefile
index f5b7be9..f043575 100644
index f5b7be90..f043575f 100644
--- a/QuoteGeneration/qcnl/linux/Makefile
+++ b/QuoteGeneration/qcnl/linux/Makefile
@@ -32,7 +32,6 @@
@ -54,7 +54,7 @@ index f5b7be9..f043575 100644
ifndef DEBUG
CNL_Lib_Cpp_Flags += -DDISABLE_TRACE
diff --git a/QuoteGeneration/qpl/linux/Makefile b/QuoteGeneration/qpl/linux/Makefile
index b675e72..204234c 100644
index b675e729..204234c7 100644
--- a/QuoteGeneration/qpl/linux/Makefile
+++ b/QuoteGeneration/qpl/linux/Makefile
@@ -32,7 +32,6 @@
@ -87,7 +87,7 @@ index b675e72..204234c 100644
ifndef DEBUG
diff --git a/QuoteVerification/buildenv.mk b/QuoteVerification/buildenv.mk
index b25ce40..982c7d5 100644
index b25ce407..982c7d56 100644
--- a/QuoteVerification/buildenv.mk
+++ b/QuoteVerification/buildenv.mk
@@ -56,7 +56,6 @@ PREBUILD_PATH := $(DCAP_QG_DIR)/../prebuilt
@ -99,7 +99,7 @@ index b25ce40..982c7d5 100644
SGX_COMMON_CFLAGS := $(COMMON_FLAGS) -m64 -Wjump-misses-init -Wstrict-prototypes -Wunsuffixed-float-constants
SGX_COMMON_CXXFLAGS := $(COMMON_FLAGS) -m64 -Wnon-virtual-dtor -std=c++17
diff --git a/QuoteVerification/dcap_quoteverify/linux/Makefile b/QuoteVerification/dcap_quoteverify/linux/Makefile
index 9820b61..fba7f43 100644
index 74fad4c6..894e616a 100644
--- a/QuoteVerification/dcap_quoteverify/linux/Makefile
+++ b/QuoteVerification/dcap_quoteverify/linux/Makefile
@@ -36,8 +36,8 @@ INSTALL_PATH ?= /usr/lib/x86_64-linux-gnu
@ -131,7 +131,7 @@ index 9820b61..fba7f43 100644
QVL_VERIFY_CPP_SRCS := $(wildcard ../*.cpp) $(wildcard *.cpp)
diff --git a/tools/PCKCertSelection/PCKCertSelectionLib/Makefile b/tools/PCKCertSelection/PCKCertSelectionLib/Makefile
index e0402e9..12c0d35 100644
index e0402e95..12c0d35e 100644
--- a/tools/PCKCertSelection/PCKCertSelectionLib/Makefile
+++ b/tools/PCKCertSelection/PCKCertSelectionLib/Makefile
@@ -63,10 +63,7 @@ ifndef QG_DIR
@ -165,7 +165,7 @@ index e0402e9..12c0d35 100644
# debug/release switch
diff --git a/tools/PCKCertSelection/PCKCertSelectionLib/Makefile.static_lib b/tools/PCKCertSelection/PCKCertSelectionLib/Makefile.static_lib
index a20a3cd..c8e1d01 100644
index a20a3cd5..c8e1d01e 100644
--- a/tools/PCKCertSelection/PCKCertSelectionLib/Makefile.static_lib
+++ b/tools/PCKCertSelection/PCKCertSelectionLib/Makefile.static_lib
@@ -118,7 +118,7 @@ LIB_CPP_OBJECTS := \
@ -188,5 +188,5 @@ index a20a3cd..c8e1d01 100644
debug:
$(PCKCERTSEL_VERBOSE)$(MAKE) DEBUG=1 all
--
2.49.0
2.52.0

20
0101-Improve-debuggability-of-build-system.patch
View File

@ -1,7 +1,7 @@
From b4d3b1401e16a557bcba1fe02b525bd5c26ee532 Mon Sep 17 00:00:00 2001
From b36d8f61a5a18dc5edfbd632e5f2373bcf365b3e Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?= <berrange@redhat.com>
Date: Fri, 1 Mar 2024 12:05:01 +0000
Subject: [PATCH 101/117] Improve debuggability of build system
Subject: [PATCH 101/136] Improve debuggability of build system
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
@ -17,7 +17,7 @@ Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
3 files changed, 16 insertions(+), 16 deletions(-)
diff --git a/QuoteGeneration/qcnl/linux/Makefile b/QuoteGeneration/qcnl/linux/Makefile
index f043575..bfe9c61 100644
index f043575f..bfe9c613 100644
--- a/QuoteGeneration/qcnl/linux/Makefile
+++ b/QuoteGeneration/qcnl/linux/Makefile
@@ -113,7 +113,7 @@ $(CNL_Lib_Name_Static): $(CNL_Lib_Cpp_Objects) $(CNL_Lib_C_Objects) $(PCK_Select
@ -30,7 +30,7 @@ index f043575..bfe9c61 100644
true
diff --git a/QuoteVerification/appraisal/qal/Makefile b/QuoteVerification/appraisal/qal/Makefile
index 139848a..cd361c4 100644
index 139848ac..cd361c48 100644
--- a/QuoteVerification/appraisal/qal/Makefile
+++ b/QuoteVerification/appraisal/qal/Makefile
@@ -128,7 +128,7 @@ $(QAL_CXX_Common_Objs): %.o: ../common/%.cpp
@ -43,7 +43,7 @@ index 139848a..cd361c4 100644
clean:
$(RM) $(QAL_Obj_Files) $(Target_Lib_Name) $(Target_Lib_Name).$(SGX_MAJOR_VER) $(Target_Static_Lib_Name) $(BUILD_DIR)/$(Target_Lib_Name) $(QVL_Cpp_Obj_Files)
diff --git a/QuoteVerification/dcap_quoteverify/linux/Makefile b/QuoteVerification/dcap_quoteverify/linux/Makefile
index fba7f43..5979699 100644
index 894e616a..7962d102 100644
--- a/QuoteVerification/dcap_quoteverify/linux/Makefile
+++ b/QuoteVerification/dcap_quoteverify/linux/Makefile
@@ -107,13 +107,13 @@ $(BUILD_DIR):
@ -67,9 +67,9 @@ index fba7f43..5979699 100644
@@ -123,13 +123,13 @@ run: all
######## QVL Library Objects ########
qve_u.h: $(SGX_EDGER8R) $(QVE_SRC_PATH)/Enclave/qve.edl
- @$(SGX_EDGER8R) --untrusted $(QVE_SRC_PATH)/Enclave/qve.edl --search-path $(QVE_SRC_PATH)/Enclave --search-path $(SGX_SDK)/include
+ $(SGX_EDGER8R) --untrusted $(QVE_SRC_PATH)/Enclave/qve.edl --search-path $(QVE_SRC_PATH)/Enclave --search-path $(SGX_SDK)/include
qve_u.h: $(QVE_SRC_PATH)/Enclave/qve.edl $(SGX_EDGER8R)
- @$(SGX_EDGER8R) --untrusted $< $(addprefix --search-path ,$(QVE_SRC_PATH)/Enclave $(SGX_SDK)/include $(addprefix $(SGXSSL_PACKAGE_PATH)/include/,. $(if $(FIPS),,no)filefunc))
+ $(SGX_EDGER8R) --untrusted $< $(addprefix --search-path ,$(QVE_SRC_PATH)/Enclave $(SGX_SDK)/include $(addprefix $(SGXSSL_PACKAGE_PATH)/include/,. $(if $(FIPS),,no)filefunc))
@echo "GEN => $@"
qve_u.c : qve_u.h
@ -126,7 +126,7 @@ index fba7f43..5979699 100644
+ $(AR) rsD $(QVL_VERIFY_LIB_NAME_Static) $(QVL_VERIFY_CPP_OBJS_STATIC) $(QVL_VERIFY_C_OBJS) $(QVE_CPP_OBJ) $(QVL_LIB_COMMON_OBJS)
.PHONY: qal
qal:
qal:
--
2.49.0
2.52.0

30
0102-Support-build-time-setting-of-enclave-load-directory.patch
View File

@ -1,7 +1,7 @@
From edcd2d044a8e20cf8d2e1cebba7f74f2573c9ae5 Mon Sep 17 00:00:00 2001
From 9a185a6103e9637b785e498d4c4e4c990e7a3478 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?= <berrange@redhat.com>
Date: Mon, 26 Feb 2024 12:19:51 +0000
Subject: [PATCH 102/117] Support build time setting of enclave load directory
Subject: [PATCH 102/136] Support build time setting of enclave load directory
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
@ -45,7 +45,7 @@ Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
12 files changed, 60 insertions(+), 8 deletions(-)
diff --git a/QuoteGeneration/pce_wrapper/linux/Makefile b/QuoteGeneration/pce_wrapper/linux/Makefile
index debcb41..7ceaaea 100644
index debcb41d..7ceaaea8 100644
--- a/QuoteGeneration/pce_wrapper/linux/Makefile
+++ b/QuoteGeneration/pce_wrapper/linux/Makefile
@@ -40,7 +40,7 @@ INCLUDE += -I$(ROOT_DIR)/ae/common \
@ -58,7 +58,7 @@ index debcb41..7ceaaea 100644
CFLAGS += -fPIC -Werror -g
Link_Flags := $(SGX_COMMON_CFLAGS) -L$(ROOT_DIR)/build/linux -L$(SGX_SDK)/lib64 -lsgx_urts -lpthread -ldl
diff --git a/QuoteGeneration/pce_wrapper/pce_wrapper.cpp b/QuoteGeneration/pce_wrapper/pce_wrapper.cpp
index 1b362da..a940d8b 100644
index 1b362da8..a940d8b9 100644
--- a/QuoteGeneration/pce_wrapper/pce_wrapper.cpp
+++ b/QuoteGeneration/pce_wrapper/pce_wrapper.cpp
@@ -112,6 +112,15 @@ bool get_pce_path(
@ -78,7 +78,7 @@ index 1b362da..a940d8b 100644
NULL != dl_info.dli_fname)
{
diff --git a/QuoteGeneration/quote_wrapper/quote/linux/Makefile b/QuoteGeneration/quote_wrapper/quote/linux/Makefile
index c50fdb3..7d0b398 100644
index c50fdb32..7d0b398f 100644
--- a/QuoteGeneration/quote_wrapper/quote/linux/Makefile
+++ b/QuoteGeneration/quote_wrapper/quote/linux/Makefile
@@ -51,7 +51,7 @@ Quote_Include_Paths := -I$(SGX_SDK)/include -I../inc -I../../common/inc -I./ -I.
@ -91,7 +91,7 @@ index c50fdb3..7d0b398 100644
ifndef DEBUG
diff --git a/QuoteGeneration/quote_wrapper/quote/qe_logic.cpp b/QuoteGeneration/quote_wrapper/quote/qe_logic.cpp
index 783c27f..0d81066 100644
index 783c27f2..0d81066d 100644
--- a/QuoteGeneration/quote_wrapper/quote/qe_logic.cpp
+++ b/QuoteGeneration/quote_wrapper/quote/qe_logic.cpp
@@ -573,6 +573,15 @@ get_qe_path(const TCHAR *p_file_name,
@ -111,7 +111,7 @@ index 783c27f..0d81066 100644
NULL != dl_info.dli_fname)
{
diff --git a/QuoteGeneration/quote_wrapper/tdx_quote/linux/Makefile b/QuoteGeneration/quote_wrapper/tdx_quote/linux/Makefile
index 61ad7f3..fc5bd20 100644
index 61ad7f3c..fc5bd208 100644
--- a/QuoteGeneration/quote_wrapper/tdx_quote/linux/Makefile
+++ b/QuoteGeneration/quote_wrapper/tdx_quote/linux/Makefile
@@ -56,7 +56,7 @@ Quote_Include_Paths := -I$(SGX_SDK)/include -I../inc -I../../common/inc -I./ \
@ -124,7 +124,7 @@ index 61ad7f3..fc5bd20 100644
-L$(PCE_Library_Dir) -lsgx_pce_logic -L$(SGX_SDK)/lib64 \
-lsgx_urts -lpthread -ldl
diff --git a/QuoteGeneration/quote_wrapper/tdx_quote/td_ql_logic.cpp b/QuoteGeneration/quote_wrapper/tdx_quote/td_ql_logic.cpp
index dbbe2af..a57e082 100644
index dbbe2afc..a57e0829 100644
--- a/QuoteGeneration/quote_wrapper/tdx_quote/td_ql_logic.cpp
+++ b/QuoteGeneration/quote_wrapper/tdx_quote/td_ql_logic.cpp
@@ -403,6 +403,14 @@ bool tee_att_config_t::get_qe_path(tee_att_ae_type_t type,
@ -143,7 +143,7 @@ index dbbe2af..a57e082 100644
NULL != dl_info.dli_fname)
{
diff --git a/QuoteVerification/appraisal/qal/Makefile b/QuoteVerification/appraisal/qal/Makefile
index cd361c4..ead4a5d 100644
index cd361c48..ead4a5d1 100644
--- a/QuoteVerification/appraisal/qal/Makefile
+++ b/QuoteVerification/appraisal/qal/Makefile
@@ -49,7 +49,7 @@ QAL_Include_Path := -I./ \
@ -156,7 +156,7 @@ index cd361c4..ead4a5d 100644
QAL_Link_Flags := $(COMMON_LDFLAGS) -L$(WARM_Lib_Path) -lvmlib -ldl -lm -lpthread \
diff --git a/QuoteVerification/appraisal/qal/qae_wrapper.cpp b/QuoteVerification/appraisal/qal/qae_wrapper.cpp
index 6321611..9597c52 100644
index 63216112..9597c523 100644
--- a/QuoteVerification/appraisal/qal/qae_wrapper.cpp
+++ b/QuoteVerification/appraisal/qal/qae_wrapper.cpp
@@ -101,6 +101,14 @@ static bool get_qae_path(
@ -182,7 +182,7 @@ index 6321611..9597c52 100644
\ No newline at end of file
+}
diff --git a/QuoteVerification/dcap_quoteverify/linux/Makefile b/QuoteVerification/dcap_quoteverify/linux/Makefile
index 5979699..c9f11a0 100644
index 7962d102..c4154b09 100644
--- a/QuoteVerification/dcap_quoteverify/linux/Makefile
+++ b/QuoteVerification/dcap_quoteverify/linux/Makefile
@@ -55,7 +55,7 @@ QVL_VERIFY_INC := -I$(QVE_SRC_PATH)/Include \
@ -195,7 +195,7 @@ index 5979699..c9f11a0 100644
QVL_LIB_OBJS := $(QVL_LIB_FILES:.cpp=_untrusted.o)
QVL_PARSER_OBJS := $(QVL_PARSER_FILES:.cpp=_untrusted.o)
diff --git a/QuoteVerification/dcap_quoteverify/linux/qve_parser.cpp b/QuoteVerification/dcap_quoteverify/linux/qve_parser.cpp
index d3d4353..2f8f581 100644
index d3d43537..2f8f5814 100644
--- a/QuoteVerification/dcap_quoteverify/linux/qve_parser.cpp
+++ b/QuoteVerification/dcap_quoteverify/linux/qve_parser.cpp
@@ -88,6 +88,14 @@ bool get_qve_path(
@ -214,7 +214,7 @@ index d3d4353..2f8f581 100644
NULL != dl_info.dli_fname)
{
diff --git a/tools/PCKRetrievalTool/App/utility.cpp b/tools/PCKRetrievalTool/App/utility.cpp
index b2c9307..d77a6eb 100644
index b2c9307a..d77a6eb0 100644
--- a/tools/PCKRetrievalTool/App/utility.cpp
+++ b/tools/PCKRetrievalTool/App/utility.cpp
@@ -235,9 +235,9 @@ bool load_enclave(const char* enclave_name, sgx_enclave_id_t* p_eid)
@ -246,7 +246,7 @@ index b2c9307..d77a6eb 100644
return false;
(void)strncat(enclave_path, enclave_name, strnlen(enclave_name, MAX_PATH));
diff --git a/tools/PCKRetrievalTool/Makefile b/tools/PCKRetrievalTool/Makefile
index d9c2bac..1065949 100644
index d9c2baca..10659496 100644
--- a/tools/PCKRetrievalTool/Makefile
+++ b/tools/PCKRetrievalTool/Makefile
@@ -108,7 +108,7 @@ App_Include_Paths += -I ../../QuoteGeneration/ae/inc/internal -I ../SGXPlatformR
@ -259,5 +259,5 @@ index d9c2bac..1065949 100644
App_Link_Flags += -lcurl -ldl -lpthread
ifeq ($(STANDALONE), 1)
--
2.49.0
2.52.0

8
0103-Look-for-versioned-sgx_urts-library-in-PCKRetrievalT.patch
View File

@ -1,7 +1,7 @@
From 3cbab8069678b15276d7a8d2d0c7aa34532ad4af Mon Sep 17 00:00:00 2001
From b92d97f6037cb2e56d343cb979767d51655b097f Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?= <berrange@redhat.com>
Date: Tue, 27 Feb 2024 15:46:41 +0000
Subject: [PATCH 103/117] Look for versioned sgx_urts library in
Subject: [PATCH 103/136] Look for versioned sgx_urts library in
PCKRetrievalTool
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
@ -18,7 +18,7 @@ Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/tools/PCKRetrievalTool/App/utility.cpp b/tools/PCKRetrievalTool/App/utility.cpp
index d77a6eb..d195717 100644
index d77a6eb0..d195717f 100644
--- a/tools/PCKRetrievalTool/App/utility.cpp
+++ b/tools/PCKRetrievalTool/App/utility.cpp
@@ -82,7 +82,7 @@ typedef sgx_status_t (SGXAPI *sgx_create_enclave_func_t)(const LPCSTR file_name,
@ -40,5 +40,5 @@ index d77a6eb..d195717 100644
}
#endif
--
2.49.0
2.52.0

26
0104-Don-t-import-pypac-in-pccsadmin.patch → 0104-pccsadmin-only-import-pypac-module-on-Windows.patch
View File

@ -1,33 +1,35 @@
From 2609841a9ddedd4c3f22778bff0aa399ce6d4f9a Mon Sep 17 00:00:00 2001
From eca1c479b23dd8e8c87e90988204c08b5e0c3edc Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?= <berrange@redhat.com>
Date: Tue, 27 Feb 2024 20:28:24 +0000
Subject: [PATCH 104/117] Don't import pypac in pccsadmin
Date: Fri, 4 Oct 2024 17:41:37 +0100
Subject: [PATCH 104/136] pccsadmin: only import 'pypac' module on Windows
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
The code only uses the pypac module when executing on Windows
hosts. It should not be imported when packaged for Linux
environments to avoid a redundant python dependency.
The PACSession object is only used in a code path that runs on
Windows, so don't try to import this on Linux, to avoid the
redundant dependency.
Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
---
tools/PccsAdminTool/lib/intelsgx/pcs.py | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
tools/PccsAdminTool/lib/intelsgx/pcs.py | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/tools/PccsAdminTool/lib/intelsgx/pcs.py b/tools/PccsAdminTool/lib/intelsgx/pcs.py
index 9f1d224..af1e78e 100644
index 9f1d2245..046c781d 100644
--- a/tools/PccsAdminTool/lib/intelsgx/pcs.py
+++ b/tools/PccsAdminTool/lib/intelsgx/pcs.py
@@ -5,7 +5,7 @@ import json
@@ -5,8 +5,9 @@ import json
import binascii
from urllib import parse
from OpenSSL import crypto
-from pypac import PACSession
+#from pypac import PACSession
from platform import system
+if system() == 'Windows':
+ from pypac import PACSession
from lib.intelsgx.credential import Credentials
from requests.adapters import HTTPAdapter
from urllib3.util import Retry
--
2.49.0
2.52.0

8
0105-Look-for-PCKRetrievalTool-config-file-in-etc.patch
View File

@ -1,7 +1,7 @@
From eb1018b10a5adedcdc1ae3cf8f5d8be6de5b7d6d Mon Sep 17 00:00:00 2001
From c8820c38a16ba9c572a6eafefd010b60ba037dde Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?= <berrange@redhat.com>
Date: Thu, 29 Feb 2024 14:21:36 +0000
Subject: [PATCH 105/117] Look for PCKRetrievalTool config file in /etc/
Subject: [PATCH 105/136] Look for PCKRetrievalTool config file in /etc/
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
@ -15,7 +15,7 @@ Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/tools/PCKRetrievalTool/App/linux/network_wrapper.cpp b/tools/PCKRetrievalTool/App/linux/network_wrapper.cpp
index e423f38..36f219b 100644
index e423f384..36f219ba 100644
--- a/tools/PCKRetrievalTool/App/linux/network_wrapper.cpp
+++ b/tools/PCKRetrievalTool/App/linux/network_wrapper.cpp
@@ -219,7 +219,8 @@ static void network_configuration(string &url, string &proxy_type, string &proxy
@ -39,5 +39,5 @@ index e423f38..36f219b 100644
if(strnlen(local_configuration_file_path ,MAX_PATH)+strnlen(LOCAL_NETWORK_SETTING,MAX_PATH)+sizeof(char) > MAX_PATH) {
return false;
--
2.49.0
2.52.0

26
0106-Honour-CFLAGS-CXXFLAGS-LDFLAGS-for-various-tools-and.patch
View File

@ -1,7 +1,7 @@
From c1773ce8ab60a0d887a52b821de28d6fd996b7f4 Mon Sep 17 00:00:00 2001
From 06874f59bd6693f0f42a999dcfbdc0233d9a4bd2 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?= <berrange@redhat.com>
Date: Fri, 28 Mar 2025 16:00:27 +0000
Subject: [PATCH 106/117] Honour CFLAGS/CXXFLAGS/LDFLAGS for various tools and
Subject: [PATCH 106/136] Honour CFLAGS/CXXFLAGS/LDFLAGS for various tools and
libraries
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
@ -22,7 +22,7 @@ Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
10 files changed, 24 insertions(+), 21 deletions(-)
diff --git a/QuoteGeneration/qcnl/linux/Makefile b/QuoteGeneration/qcnl/linux/Makefile
index bfe9c61..531f40b 100644
index bfe9c613..531f40b8 100644
--- a/QuoteGeneration/qcnl/linux/Makefile
+++ b/QuoteGeneration/qcnl/linux/Makefile
@@ -46,12 +46,13 @@ CNL_Lib_Include_Paths := -I../../quote_wrapper/common/inc \
@ -43,7 +43,7 @@ index bfe9c61..531f40b 100644
ifdef SELF_SIGNED_CERT
CNL_Lib_Cpp_Flags+= -DSELF_SIGNED_CERT
diff --git a/QuoteGeneration/qpl/linux/Makefile b/QuoteGeneration/qpl/linux/Makefile
index 204234c..d703c45 100644
index 204234c7..d703c45a 100644
--- a/QuoteGeneration/qpl/linux/Makefile
+++ b/QuoteGeneration/qpl/linux/Makefile
@@ -48,9 +48,9 @@ QPL_Lib_C_Flags := $(COMMON_FLAGS) -g -fPIC -Wno-attributes $(QPL_Lib_Include_Pa
@ -59,7 +59,7 @@ index 204234c..d703c45 100644
ifndef DEBUG
diff --git a/QuoteGeneration/quote_wrapper/qgs/Makefile b/QuoteGeneration/quote_wrapper/qgs/Makefile
index 5d87e4d..8228bdf 100644
index 5d87e4d1..8228bdfc 100644
--- a/QuoteGeneration/quote_wrapper/qgs/Makefile
+++ b/QuoteGeneration/quote_wrapper/qgs/Makefile
@@ -51,7 +51,7 @@ endif
@ -72,7 +72,7 @@ index 5d87e4d..8228bdf 100644
# add boost_system for link
QGS_LFLAGS += -lboost_system -lboost_thread -lpthread
diff --git a/QuoteGeneration/quote_wrapper/ql/linux/Makefile b/QuoteGeneration/quote_wrapper/ql/linux/Makefile
index c5d877b..2983665 100644
index c5d877b5..29836652 100644
--- a/QuoteGeneration/quote_wrapper/ql/linux/Makefile
+++ b/QuoteGeneration/quote_wrapper/ql/linux/Makefile
@@ -48,13 +48,14 @@ QL_Lib_C_Files := se_trace.c se_thread.c
@ -94,7 +94,7 @@ index c5d877b..2983665 100644
QL_Lib_Cpp_Flags += -DDISABLE_TRACE
QL_Lib_Link_Flags += -DDISABLE_TRACE
diff --git a/QuoteGeneration/quote_wrapper/quote/linux/Makefile b/QuoteGeneration/quote_wrapper/quote/linux/Makefile
index 7d0b398..9b8c936 100644
index 7d0b398f..9b8c936c 100644
--- a/QuoteGeneration/quote_wrapper/quote/linux/Makefile
+++ b/QuoteGeneration/quote_wrapper/quote/linux/Makefile
@@ -52,7 +52,7 @@ Quote_Include_Paths := -I$(SGX_SDK)/include -I../inc -I../../common/inc -I./ -I.
@ -107,7 +107,7 @@ index 7d0b398..9b8c936 100644
ifndef DEBUG
Quote_Cpp_Flags += -DDISABLE_TRACE
diff --git a/QuoteVerification/dcap_quoteverify/linux/Makefile b/QuoteVerification/dcap_quoteverify/linux/Makefile
index c9f11a0..56095ac 100644
index c4154b09..e125cbfe 100644
--- a/QuoteVerification/dcap_quoteverify/linux/Makefile
+++ b/QuoteVerification/dcap_quoteverify/linux/Makefile
@@ -54,8 +54,8 @@ QVL_VERIFY_INC := -I$(QVE_SRC_PATH)/Include \
@ -131,7 +131,7 @@ index c9f11a0..56095ac 100644
QVL_VERIFY_CPP_SRCS := $(wildcard ../*.cpp) $(wildcard *.cpp)
diff --git a/tools/PCKCertSelection/PCKCertSelectionLib/Makefile b/tools/PCKCertSelection/PCKCertSelectionLib/Makefile
index 12c0d35..c106ab4 100644
index 12c0d35e..c106ab4f 100644
--- a/tools/PCKCertSelection/PCKCertSelectionLib/Makefile
+++ b/tools/PCKCertSelection/PCKCertSelectionLib/Makefile
@@ -129,11 +129,11 @@ DEBUG_FLAGS := -m64 -O0 -g
@ -149,7 +149,7 @@ index 12c0d35..c106ab4 100644
# debug/release switch
diff --git a/tools/PCKRetrievalTool/Makefile b/tools/PCKRetrievalTool/Makefile
index 1065949..b6968c6 100644
index 10659496..b6968c6d 100644
--- a/tools/PCKRetrievalTool/Makefile
+++ b/tools/PCKRetrievalTool/Makefile
@@ -108,8 +108,9 @@ App_Include_Paths += -I ../../QuoteGeneration/ae/inc/internal -I ../SGXPlatformR
@ -179,7 +179,7 @@ index 1065949..b6968c6 100644
App/%.o: App/%.cpp
diff --git a/tools/SGXPlatformRegistration/package/Makefile b/tools/SGXPlatformRegistration/package/Makefile
index 0c3aec1..adc00f5 100755
index 0c3aec1e..adc00f59 100755
--- a/tools/SGXPlatformRegistration/package/Makefile
+++ b/tools/SGXPlatformRegistration/package/Makefile
@@ -73,7 +73,7 @@ else
@ -192,7 +192,7 @@ index 0c3aec1..adc00f5 100755
all: $(MPA_REGISTRATION_EXEC)
diff --git a/tools/SGXPlatformRegistration/tool/Makefile b/tools/SGXPlatformRegistration/tool/Makefile
index 4937fe9..83aefee 100644
index 4937fe94..83aefeec 100644
--- a/tools/SGXPlatformRegistration/tool/Makefile
+++ b/tools/SGXPlatformRegistration/tool/Makefile
@@ -69,7 +69,7 @@ CPP_SRCS += $(MPA_REGISTRATION_CORE_DIR)/src/AgentConfiguration.cpp $(MPA_REGIST
@ -205,5 +205,5 @@ index 4937fe9..83aefee 100644
LDFLAGS += '-Wl,-rpath,$$ORIGIN'
CXXFLAGS += '-DSTANDALONE'
--
2.49.0
2.52.0

8
0107-qgs-add-space-between-program-name-first-arg-in-usag.patch
View File

@ -1,7 +1,7 @@
From a74ede38e306ff82ddbaf094d6148dc1bf9e524c Mon Sep 17 00:00:00 2001
From 44eefb7f574b33cb0cf5239948e7d633f1d71dd5 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?= <berrange@redhat.com>
Date: Thu, 3 Oct 2024 14:42:29 +0100
Subject: [PATCH 107/117] qgs: add space between program name & first arg in
Subject: [PATCH 107/136] qgs: add space between program name & first arg in
usage
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
@ -13,7 +13,7 @@ Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/QuoteGeneration/quote_wrapper/qgs/server_main.cpp b/QuoteGeneration/quote_wrapper/qgs/server_main.cpp
index 478dbfe..3618b5a 100644
index 478dbfe0..3618b5ad 100644
--- a/QuoteGeneration/quote_wrapper/qgs/server_main.cpp
+++ b/QuoteGeneration/quote_wrapper/qgs/server_main.cpp
@@ -75,7 +75,7 @@ int main(int argc, const char* argv[])
@ -35,5 +35,5 @@ index 478dbfe..3618b5a 100644
exit(1);
}
--
2.49.0
2.52.0

8
0108-qgs-protect-against-format-strings-in-QL-log-message.patch
View File

@ -1,7 +1,7 @@
From 1e760dc7a67d601121b625e0d2bd7b2fe8b7b042 Mon Sep 17 00:00:00 2001
From 6c38e13fbee555045aec98f6e159531a385bce53 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?= <berrange@redhat.com>
Date: Fri, 4 Oct 2024 09:43:17 +0100
Subject: [PATCH 108/117] qgs: protect against format strings in QL log
Subject: [PATCH 108/136] qgs: protect against format strings in QL log
messages
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
@ -18,7 +18,7 @@ Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/QuoteGeneration/quote_wrapper/qgs/qgs_ql_logic.cpp b/QuoteGeneration/quote_wrapper/qgs/qgs_ql_logic.cpp
index 77838c3..1e97b58 100644
index 77838c31..1e97b586 100644
--- a/QuoteGeneration/quote_wrapper/qgs/qgs_ql_logic.cpp
+++ b/QuoteGeneration/quote_wrapper/qgs/qgs_ql_logic.cpp
@@ -50,10 +50,10 @@ typedef quote3_error_t (*sgx_ql_set_logging_callback_t)(sgx_ql_logging_callback_
@ -35,5 +35,5 @@ index 77838c3..1e97b58 100644
}
--
2.49.0
2.52.0

14
0109-qgs-add-debug-parameter-to-control-logging.patch
View File

@ -1,7 +1,7 @@
From d43ef4cac2c2c022b89b0938be71a9b36b9a1923 Mon Sep 17 00:00:00 2001
From d1cbef970b8ee800a313b818927449a7dcf1a685 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?= <berrange@redhat.com>
Date: Thu, 3 Oct 2024 16:57:35 +0100
Subject: [PATCH 109/117] qgs: add --debug parameter to control logging
Subject: [PATCH 109/136] qgs: add --debug parameter to control logging
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
@ -28,7 +28,7 @@ Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
4 files changed, 19 insertions(+), 6 deletions(-)
diff --git a/QuoteGeneration/quote_wrapper/qgs/qgs_log.cpp b/QuoteGeneration/quote_wrapper/qgs/qgs_log.cpp
index 1cf1e40..7ae9b75 100644
index 1cf1e40b..7ae9b750 100644
--- a/QuoteGeneration/quote_wrapper/qgs/qgs_log.cpp
+++ b/QuoteGeneration/quote_wrapper/qgs/qgs_log.cpp
@@ -36,6 +36,8 @@
@ -51,7 +51,7 @@ index 1cf1e40..7ae9b75 100644
switch(level){
case QGS_LOG_LEVEL_FATAL:
diff --git a/QuoteGeneration/quote_wrapper/qgs/qgs_log.h b/QuoteGeneration/quote_wrapper/qgs/qgs_log.h
index 1d7fd74..05d41a4 100644
index 1d7fd747..05d41a44 100644
--- a/QuoteGeneration/quote_wrapper/qgs/qgs_log.h
+++ b/QuoteGeneration/quote_wrapper/qgs/qgs_log.h
@@ -40,6 +40,8 @@
@ -64,7 +64,7 @@ index 1d7fd74..05d41a4 100644
void qgs_log_init_ex(bool nosyslog);
void qgs_log_fini(void);
diff --git a/QuoteGeneration/quote_wrapper/qgs/qgs_ql_logic.cpp b/QuoteGeneration/quote_wrapper/qgs/qgs_ql_logic.cpp
index 1e97b58..db642f7 100644
index 1e97b586..db642f70 100644
--- a/QuoteGeneration/quote_wrapper/qgs/qgs_ql_logic.cpp
+++ b/QuoteGeneration/quote_wrapper/qgs/qgs_ql_logic.cpp
@@ -113,8 +113,8 @@ namespace intel { namespace sgx { namespace dcap { namespace qgs {
@ -90,7 +90,7 @@ index 1e97b58..db642f7 100644
QGS_LOG_WARN("Failed to set logging callback for the quote provider library.\n");
}
diff --git a/QuoteGeneration/quote_wrapper/qgs/server_main.cpp b/QuoteGeneration/quote_wrapper/qgs/server_main.cpp
index 3618b5a..47f6c26 100644
index 3618b5ad..47f6c264 100644
--- a/QuoteGeneration/quote_wrapper/qgs/server_main.cpp
+++ b/QuoteGeneration/quote_wrapper/qgs/server_main.cpp
@@ -75,7 +75,7 @@ int main(int argc, const char* argv[])
@ -125,5 +125,5 @@ index 3618b5a..47f6c26 100644
exit(1);
}
--
2.49.0
2.52.0

8
0110-pccsadmin-remove-leftover-debugging-print-args-state.patch
View File

@ -1,7 +1,7 @@
From d375ba770975e565850ac12392bbc44807f28f75 Mon Sep 17 00:00:00 2001
From 64c49b04e7e22358f3afee834a434a6cfdff4a9b Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?= <berrange@redhat.com>
Date: Tue, 8 Oct 2024 10:13:02 +0100
Subject: [PATCH 110/117] pccsadmin: remove leftover debugging 'print(args)'
Subject: [PATCH 110/136] pccsadmin: remove leftover debugging 'print(args)'
statement
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
@ -17,7 +17,7 @@ Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
1 file changed, 1 deletion(-)
diff --git a/tools/PccsAdminTool/pccsadmin.py b/tools/PccsAdminTool/pccsadmin.py
index ffee326..8e447c5 100755
index ffee326d..8e447c50 100755
--- a/tools/PccsAdminTool/pccsadmin.py
+++ b/tools/PccsAdminTool/pccsadmin.py
@@ -92,7 +92,6 @@ def main():
@ -29,5 +29,5 @@ index ffee326..8e447c5 100755
if args.command == 'put' and args.url and args.url.endswith("/appraisalpolicy"):
if not args.fmspc or not args.input_file:
--
2.49.0
2.52.0

20
0111-Fix-soname-version-for-libsgx_qe3_logic.so-library.patch
View File

@ -1,7 +1,7 @@
From 1db2f71aead55201fcd82efa7d1ee99c9fa006b9 Mon Sep 17 00:00:00 2001
From 32ac12f933e813b80348840821e1deaedf797a00 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?= <berrange@redhat.com>
Date: Fri, 17 Jan 2025 15:39:39 +0000
Subject: [PATCH 111/117] Fix soname version for libsgx_qe3_logic.so library
Subject: [PATCH 111/136] Fix soname version for libsgx_qe3_logic.so library
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
@ -13,23 +13,23 @@ Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
2 files changed, 8 insertions(+), 1 deletion(-)
diff --git a/QuoteGeneration/common/inc/internal/se_version.h b/QuoteGeneration/common/inc/internal/se_version.h
index 471784d..22e0dff 100644
index 93f60cb9..9ee51c0c 100644
--- a/QuoteGeneration/common/inc/internal/se_version.h
+++ b/QuoteGeneration/common/inc/internal/se_version.h
@@ -41,6 +41,11 @@
#define QUOTE_LOADER_VERSION "1.11.109.1"
#define TDQE_WRAPPER_VERSION "1.14.109.1"
#define PCE_WRAPPER_VERSION "1.14.109.1"
#define QUOTE_LOADER_VERSION "1.11.110.0"
#define TDQE_WRAPPER_VERSION "1.14.110.0"
#define PCE_WRAPPER_VERSION "1.14.110.0"
+/*
+ * XXX: downstream hack based on version declared
+ * in linux-sgx.git/linux/installer/common/psw/Makefile
+ */
+#define QE3_WRAPPER_VERSION "1.0.0"
#define QE3_VERSION "1.19.100.1"
#define QVE_VERSION "1.21.100.1"
#define QE3_VERSION "1.22.100.1"
#define QVE_VERSION "1.22.100.1"
diff --git a/QuoteGeneration/quote_wrapper/quote/linux/Makefile b/QuoteGeneration/quote_wrapper/quote/linux/Makefile
index 9b8c936..c92d782 100644
index 9b8c936c..c92d7827 100644
--- a/QuoteGeneration/quote_wrapper/quote/linux/Makefile
+++ b/QuoteGeneration/quote_wrapper/quote/linux/Makefile
@@ -65,6 +65,8 @@ Quote_C_Objects := $(Quote_C_Files:.c=.o)
@ -51,5 +51,5 @@ index 9b8c936..c92d782 100644
$(BUILD_DIR):
--
2.49.0
2.52.0

8
0112-Workaround-broken-GCC-15.patch
View File

@ -1,7 +1,7 @@
From 9c8155bb1b2928390a21408944fd876f40c281e6 Mon Sep 17 00:00:00 2001
From ac446d8943858e6dccec924451b8a8a3be4d9c4a Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?= <berrange@redhat.com>
Date: Thu, 6 Feb 2025 20:08:59 +0000
Subject: [PATCH 112/117] Workaround broken GCC 15
Subject: [PATCH 112/136] Workaround broken GCC 15
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
@ -20,7 +20,7 @@ Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
1 file changed, 4 insertions(+)
diff --git a/QuoteGeneration/common/inc/internal/linux/sgx_random_buffers.h b/QuoteGeneration/common/inc/internal/linux/sgx_random_buffers.h
index 15fbdd4..4400544 100644
index 15fbdd42..4400544b 100644
--- a/QuoteGeneration/common/inc/internal/linux/sgx_random_buffers.h
+++ b/QuoteGeneration/common/inc/internal/linux/sgx_random_buffers.h
@@ -258,7 +258,11 @@ struct alignas(A)randomly_placed_buffer
@ -36,5 +36,5 @@ index 15fbdd4..4400544 100644
private:
struct alignas(A)_T_instantiator_
--
2.49.0
2.52.0

8
0113-Don-t-disable-cf-protection-for-qgs.patch
View File

@ -1,7 +1,7 @@
From c4a2855d01b06e1da960a677379c55a5b31b427c Mon Sep 17 00:00:00 2001
From fa8c4f150fe32dafd875c5f45a9e588775235e35 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?= <berrange@redhat.com>
Date: Wed, 2 Apr 2025 18:39:31 +0100
Subject: [PATCH 113/117] Don't disable cf-protection for qgs
Subject: [PATCH 113/136] Don't disable cf-protection for qgs
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
@ -12,7 +12,7 @@ Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
1 file changed, 4 deletions(-)
diff --git a/QuoteGeneration/quote_wrapper/qgs/Makefile b/QuoteGeneration/quote_wrapper/qgs/Makefile
index 8228bdf..5116d85 100644
index 8228bdfc..5116d85e 100644
--- a/QuoteGeneration/quote_wrapper/qgs/Makefile
+++ b/QuoteGeneration/quote_wrapper/qgs/Makefile
@@ -43,10 +43,6 @@ QGS_INC = -I$(SGX_SDK)/include \
@ -27,5 +27,5 @@ index 8228bdf..5116d85 100644
DEPENDS = ${QGS_OBJS test_client.o:.o=.d}
--
2.49.0
2.52.0

26
0114-Delete-broken-checks-for-GCC-version-that-break-fsta.patch
View File

@ -1,7 +1,7 @@
From 3bcde80a8e81c6f9992085f5a924544fb6082d79 Mon Sep 17 00:00:00 2001
From 2d83da9d5f5fb7399b0d7ec6ac410a6bf52b2add Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?= <berrange@redhat.com>
Date: Thu, 3 Apr 2025 17:44:48 +0100
Subject: [PATCH 114/117] Delete broken checks for GCC version that break
Subject: [PATCH 114/136] Delete broken checks for GCC version that break
-fstack-protector-strong
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
@ -25,7 +25,7 @@ Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
10 files changed, 11 insertions(+), 52 deletions(-)
diff --git a/QuoteGeneration/buildenv.mk b/QuoteGeneration/buildenv.mk
index 0b677db..3fba935 100644
index 0b677db8..3fba9359 100644
--- a/QuoteGeneration/buildenv.mk
+++ b/QuoteGeneration/buildenv.mk
@@ -128,12 +128,7 @@ ifeq ($(CC_NO_LESS_THAN_8), 1)
@ -43,7 +43,7 @@ index 0b677db..3fba935 100644
ifdef DEBUG
COMMON_FLAGS += -O0 -ggdb -DDEBUG -UNDEBUG
diff --git a/QuoteGeneration/quote_wrapper/qgs_msg_lib/linux/Makefile b/QuoteGeneration/quote_wrapper/qgs_msg_lib/linux/Makefile
index dff0af2..9ece3cc 100644
index dff0af23..9ece3cc4 100644
--- a/QuoteGeneration/quote_wrapper/qgs_msg_lib/linux/Makefile
+++ b/QuoteGeneration/quote_wrapper/qgs_msg_lib/linux/Makefile
@@ -33,7 +33,7 @@
@ -56,7 +56,7 @@ index dff0af2..9ece3cc 100644
-Wsequence-point -Wformat-security -Wmissing-include-dirs -Wfloat-equal -Wundef -Wshadow -Wcast-align \
-Wconversion -Wredundant-decls -DITT_ARCH_IA64 -fcf-protection
diff --git a/QuoteGeneration/quote_wrapper/tdx_attest/linux/Makefile b/QuoteGeneration/quote_wrapper/tdx_attest/linux/Makefile
index f0a5e36..20f3022 100644
index f0a5e364..20f30221 100644
--- a/QuoteGeneration/quote_wrapper/tdx_attest/linux/Makefile
+++ b/QuoteGeneration/quote_wrapper/tdx_attest/linux/Makefile
@@ -33,11 +33,11 @@
@ -74,7 +74,7 @@ index f0a5e36..20f3022 100644
-Wsequence-point -Wformat-security -Wmissing-include-dirs -Wfloat-equal -Wundef -Wshadow -Wcast-align \
-Wconversion -Wredundant-decls -DITT_ARCH_IA64 -fcf-protection
diff --git a/QuoteVerification/QvE/Makefile b/QuoteVerification/QvE/Makefile
index 6532e8f..e5045dd 100644
index cdac5ff9..73e0c65b 100644
--- a/QuoteVerification/QvE/Makefile
+++ b/QuoteVerification/QvE/Makefile
@@ -101,12 +101,7 @@ endif
@ -92,7 +92,7 @@ index 6532e8f..e5045dd 100644
ENCLAVE_CXXFLAGS += $(ENCLAVE_CFLAGS) -std=c++17 -DSGX_TRUSTED -DSGX_JWT -DPICOJSON_USE_LOCALE=0
diff --git a/QuoteVerification/dcap_tvl/Makefile b/QuoteVerification/dcap_tvl/Makefile
index 2d62f28..49b4b68 100644
index 2d62f283..49b4b686 100644
--- a/QuoteVerification/dcap_tvl/Makefile
+++ b/QuoteVerification/dcap_tvl/Makefile
@@ -56,12 +56,7 @@ endif
@ -110,7 +110,7 @@ index 2d62f28..49b4b68 100644
ENCLAVE_CXXFLAGS += $(SGX_COMMON_CXXFLAGS) $(COMMON_FLAGS) -fPIC -std=c++11
diff --git a/QuoteVerification/dcap_tvl/Makefile.standalone b/QuoteVerification/dcap_tvl/Makefile.standalone
index 8a1cb73..713d8af 100644
index 8a1cb730..713d8afc 100644
--- a/QuoteVerification/dcap_tvl/Makefile.standalone
+++ b/QuoteVerification/dcap_tvl/Makefile.standalone
@@ -45,12 +45,7 @@ COMMON_LDFLAGS := -Wl,-z,relro,-z,now,-z,noexecstack
@ -128,7 +128,7 @@ index 8a1cb73..713d8af 100644
ENCLAVE_CFLAGS = -ffreestanding -nostdinc -fvisibility=hidden -fpie -fno-strict-overflow -fno-delete-null-pointer-checks
ENCLAVE_CXXFLAGS = $(ENCLAVE_CFLAGS) -nostdinc++
diff --git a/SampleCode/QuoteAppraisalSample/QAEAppraisal/Makefile b/SampleCode/QuoteAppraisalSample/QAEAppraisal/Makefile
index 662ac3e..868d72d 100644
index 662ac3e5..868d72df 100644
--- a/SampleCode/QuoteAppraisalSample/QAEAppraisal/Makefile
+++ b/SampleCode/QuoteAppraisalSample/QAEAppraisal/Makefile
@@ -87,13 +87,7 @@ Crypto_Library_Name := sgx_tcrypto
@ -147,7 +147,7 @@ index 662ac3e..868d72d 100644
Enclave_Cpp_Flags := $(Enclave_C_Flags) -std=c++11 -nostdinc++
diff --git a/SampleCode/QuoteGenerationSample/Makefile b/SampleCode/QuoteGenerationSample/Makefile
index 4fdbb36..fd5b4e2 100644
index 4fdbb36e..fd5b4e25 100644
--- a/SampleCode/QuoteGenerationSample/Makefile
+++ b/SampleCode/QuoteGenerationSample/Makefile
@@ -104,11 +104,7 @@ Enclave_Cpp_Files := Enclave/Enclave.cpp
@ -164,7 +164,7 @@ index 4fdbb36..fd5b4e2 100644
Enclave_Cpp_Flags := $(Enclave_C_Flags) -std=c++11 -nostdinc++
diff --git a/SampleCode/QuoteVerificationSample/Makefile b/SampleCode/QuoteVerificationSample/Makefile
index d534615..6164587 100644
index d5346152..61645871 100644
--- a/SampleCode/QuoteVerificationSample/Makefile
+++ b/SampleCode/QuoteVerificationSample/Makefile
@@ -130,13 +130,7 @@ DCAP_DIR ?= ../../
@ -183,7 +183,7 @@ index d534615..6164587 100644
Enclave_Cpp_Flags := $(Enclave_C_Flags) -nostdinc++
diff --git a/tools/PCKRetrievalTool/Makefile b/tools/PCKRetrievalTool/Makefile
index b6968c6..1d2106b 100644
index b6968c6d..1d2106b7 100644
--- a/tools/PCKRetrievalTool/Makefile
+++ b/tools/PCKRetrievalTool/Makefile
@@ -59,12 +59,7 @@ else
@ -201,5 +201,5 @@ index b6968c6..1d2106b 100644
ifdef DEBUG
COMMON_FLAGS += -O0 -ggdb -DDEBUG -UNDEBUG
--
2.49.0
2.52.0

24
0115-Use-distro-provided-rapidjson-package.patch
View File

@ -1,7 +1,7 @@
From e7afd8a28400d47b3864514fde5c2ce62d3937ec Mon Sep 17 00:00:00 2001
From 40d434d75ff4978cd968b4d140af5aa8c8f602c2 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?= <berrange@redhat.com>
Date: Mon, 26 Feb 2024 12:19:51 +0000
Subject: [PATCH 115/117] Use distro provided rapidjson package
Subject: [PATCH 115/136] Use distro provided rapidjson package
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
@ -20,7 +20,7 @@ Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
9 files changed, 15 insertions(+), 15 deletions(-)
diff --git a/QuoteGeneration/qcnl/certification_provider.cpp b/QuoteGeneration/qcnl/certification_provider.cpp
index a08ea7e..41e5b9d 100644
index a08ea7e7..41e5b9d0 100644
--- a/QuoteGeneration/qcnl/certification_provider.cpp
+++ b/QuoteGeneration/qcnl/certification_provider.cpp
@@ -36,7 +36,7 @@
@ -33,7 +33,7 @@ index a08ea7e..41e5b9d 100644
#include "pck_cert_selection.h"
#include "qcnl_util.h"
diff --git a/QuoteGeneration/qcnl/inc/pccs_response_object.h b/QuoteGeneration/qcnl/inc/pccs_response_object.h
index f1f545f..2153b6f 100644
index f1f545f0..2153b6fa 100644
--- a/QuoteGeneration/qcnl/inc/pccs_response_object.h
+++ b/QuoteGeneration/qcnl/inc/pccs_response_object.h
@@ -37,7 +37,7 @@
@ -53,7 +53,7 @@ index f1f545f..2153b6f 100644
\ No newline at end of file
+#endif
diff --git a/QuoteGeneration/qcnl/inc/qcnl_config.h b/QuoteGeneration/qcnl/inc/qcnl_config.h
index ff3c744..71b9a99 100644
index ff3c744d..71b9a996 100644
--- a/QuoteGeneration/qcnl/inc/qcnl_config.h
+++ b/QuoteGeneration/qcnl/inc/qcnl_config.h
@@ -38,7 +38,7 @@
@ -66,7 +66,7 @@ index ff3c744..71b9a99 100644
#include <string>
diff --git a/QuoteGeneration/qcnl/linux/Makefile b/QuoteGeneration/qcnl/linux/Makefile
index 531f40b..5c56951 100644
index 531f40b8..5c569515 100644
--- a/QuoteGeneration/qcnl/linux/Makefile
+++ b/QuoteGeneration/qcnl/linux/Makefile
@@ -43,7 +43,7 @@ CNL_Lib_Include_Paths := -I../../quote_wrapper/common/inc \
@ -79,7 +79,7 @@ index 531f40b..5c56951 100644
CNL_Lib_Common_Flags := $(COMMON_FLAGS) -g -fPIC -Wno-attributes $(CNL_Lib_Include_Paths) $(pkg-config --cflags libcrypto)
diff --git a/QuoteGeneration/qcnl/linux/qcnl_config_impl.cpp b/QuoteGeneration/qcnl/linux/qcnl_config_impl.cpp
index 7b74eae..5f20a1e 100644
index 7b74eae0..5f20a1e3 100644
--- a/QuoteGeneration/qcnl/linux/qcnl_config_impl.cpp
+++ b/QuoteGeneration/qcnl/linux/qcnl_config_impl.cpp
@@ -35,7 +35,7 @@
@ -92,7 +92,7 @@ index 7b74eae..5f20a1e 100644
#include <algorithm>
#include <curl/curl.h>
diff --git a/QuoteGeneration/qcnl/qcnl_config.cpp b/QuoteGeneration/qcnl/qcnl_config.cpp
index 42388a0..9be8fee 100644
index 42388a08..9be8feec 100644
--- a/QuoteGeneration/qcnl/qcnl_config.cpp
+++ b/QuoteGeneration/qcnl/qcnl_config.cpp
@@ -36,10 +36,10 @@
@ -110,7 +110,7 @@ index 42388a0..9be8fee 100644
#include <algorithm>
diff --git a/QuoteVerification/buildenv.mk b/QuoteVerification/buildenv.mk
index 982c7d5..854b70a 100644
index 982c7d56..854b70ac 100644
--- a/QuoteVerification/buildenv.mk
+++ b/QuoteVerification/buildenv.mk
@@ -72,9 +72,9 @@ else
@ -126,7 +126,7 @@ index 982c7d5..854b70a 100644
QVL_LIB_FILES := $(sort $(wildcard $(QVL_LIB_PATH)/src/*.cpp) $(wildcard $(QVL_LIB_PATH)/src/*/*.cpp) $(wildcard $(QVL_LIB_PATH)/src/*/*/*.cpp) $(wildcard $(QVL_COMMON_PATH)/src/Utils/*.cpp))
QVL_PARSER_FILES := $(sort $(wildcard $(QVL_PARSER_PATH)/src/*.cpp) $(wildcard $(QVL_PARSER_PATH)/src/*/*.cpp))
diff --git a/tools/PCKCertSelection/PCKCertSelectionLib/Makefile b/tools/PCKCertSelection/PCKCertSelectionLib/Makefile
index c106ab4..117f88f 100644
index c106ab4f..117f88fd 100644
--- a/tools/PCKCertSelection/PCKCertSelectionLib/Makefile
+++ b/tools/PCKCertSelection/PCKCertSelectionLib/Makefile
@@ -66,7 +66,7 @@ endif
@ -148,7 +148,7 @@ index c106ab4..117f88f 100644
# the library shared object name
LIB_NAME := libPCKCertSelection.so
diff --git a/tools/PCKCertSelection/PCKCertSelectionLib/Makefile.static_lib b/tools/PCKCertSelection/PCKCertSelectionLib/Makefile.static_lib
index c8e1d01..6f1440a 100644
index c8e1d01e..6f1440a6 100644
--- a/tools/PCKCertSelection/PCKCertSelectionLib/Makefile.static_lib
+++ b/tools/PCKCertSelection/PCKCertSelectionLib/Makefile.static_lib
@@ -69,7 +69,7 @@ OPENSSL_INC := $(PROJ_ROOT_DIR)/../../prebuilt/openssl/inc
@ -170,5 +170,5 @@ index c8e1d01..6f1440a 100644
# the library shared object name
LIB_NAME := libPCKCertSelection.a
--
2.49.0
2.52.0

8
0116-Don-t-stomp-on-VERBOSE-variable.patch
View File

@ -1,7 +1,7 @@
From 224d1fe828bc4fcaa0861c3b59ddcc0c979fc2d6 Mon Sep 17 00:00:00 2001
From 605d9bcc0003c869e785376bbc3dbecc670c934d Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?= <berrange@redhat.com>
Date: Wed, 16 Apr 2025 11:48:52 +0100
Subject: [PATCH 116/117] Don't stomp on "VERBOSE" variable
Subject: [PATCH 116/136] Don't stomp on "VERBOSE" variable
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
@ -16,7 +16,7 @@ Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
1 file changed, 19 insertions(+), 19 deletions(-)
diff --git a/driver/win/PLE/Makefile b/driver/win/PLE/Makefile
index 3d474bb..0f593f5 100644
index 3d474bbc..0f593f5e 100644
--- a/driver/win/PLE/Makefile
+++ b/driver/win/PLE/Makefile
@@ -75,9 +75,9 @@ ifneq ($(PUBKEY_FILE),)
@ -97,5 +97,5 @@ index 3d474bb..0f593f5 100644
- $(VERBOSE) rm -vrf $(TARGET) $(SIGNING_MATERIAL)
+ $(CMD_VERBOSE) rm -vrf $(TARGET) $(SIGNING_MATERIAL)
--
2.49.0
2.52.0

8
0117-qgs-add-m-MODE-parameter-for-UNIX-socket-mode.patch
View File

@ -1,7 +1,7 @@
From 8ded27dcf0c5a02c7869568bd1cafd5c2d15c0b0 Mon Sep 17 00:00:00 2001
From d7299915f42cd068744ce02e358865085f2f12bf Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?= <berrange@redhat.com>
Date: Fri, 2 May 2025 14:48:24 +0100
Subject: [PATCH 117/117] qgs: add -m=MODE parameter for UNIX socket mode
Subject: [PATCH 117/136] qgs: add -m=MODE parameter for UNIX socket mode
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
@ -16,7 +16,7 @@ Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
1 file changed, 32 insertions(+), 3 deletions(-)
diff --git a/QuoteGeneration/quote_wrapper/qgs/server_main.cpp b/QuoteGeneration/quote_wrapper/qgs/server_main.cpp
index 47f6c26..4628b18 100644
index 47f6c264..4628b182 100644
--- a/QuoteGeneration/quote_wrapper/qgs/server_main.cpp
+++ b/QuoteGeneration/quote_wrapper/qgs/server_main.cpp
@@ -73,9 +73,10 @@ int main(int argc, const char* argv[])
@ -99,5 +99,5 @@ index 47f6c26..4628b18 100644
io_service.run();
QGS_LOG_INFO("Quit main loop\n");
--
2.49.0
2.52.0

108
0118-pccs-sanitize-paths-to-all-resources.patch Normal file
View File

@ -0,0 +1,108 @@
From b108e8c9a0c9143e8fd930186c21d34d9cddaea7 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?= <berrange@redhat.com>
Date: Tue, 27 Feb 2024 13:38:49 +0000
Subject: [PATCH 118/136] pccs: sanitize paths to all resources
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Look for libPCKCertSelection.so in /lib64
Look for SSL cert config in /etc/pccs/ssl
Look for DB migrations in /usr/share/pccs
Use log file in /var/log/pccs
Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
---
QuoteGeneration/pccs/lib_wrapper/pcklib_wrapper.js | 4 ++--
QuoteGeneration/pccs/pccs_server.js | 8 ++++----
QuoteGeneration/pccs/utils/Logger.js | 2 +-
QuoteGeneration/pccs/utils/apputil.js | 6 +++---
4 files changed, 10 insertions(+), 10 deletions(-)
diff --git a/QuoteGeneration/pccs/lib_wrapper/pcklib_wrapper.js b/QuoteGeneration/pccs/lib_wrapper/pcklib_wrapper.js
index 17cdf9a9..1f7567b5 100644
--- a/QuoteGeneration/pccs/lib_wrapper/pcklib_wrapper.js
+++ b/QuoteGeneration/pccs/lib_wrapper/pcklib_wrapper.js
@@ -37,7 +37,7 @@ import { load, DataType, open, close, createPointer, arrayConstructor, restorePo
const __dirname = path.dirname(fileURLToPath(import.meta.url));
let libpath = 'PCKCertSelectionLib.dll';
if (process.platform === 'linux') {
- libpath = path.join(__dirname, '../lib/libPCKCertSelection.so');
+ libpath = '/lib64/libPCKCertSelection.so.1';
}
open({
library: 'libPCKCertSelection', // key
@@ -84,4 +84,4 @@ export function pck_cert_select(
// Ensure the library is closed before the process exits
process.on('exit', () => {
close('libPCKCertSelection');
-});
\ No newline at end of file
+});
diff --git a/QuoteGeneration/pccs/pccs_server.js b/QuoteGeneration/pccs/pccs_server.js
index b41d871e..57c1cee9 100644
--- a/QuoteGeneration/pccs/pccs_server.js
+++ b/QuoteGeneration/pccs/pccs_server.js
@@ -61,9 +61,9 @@ process.on('SIGINT', () => {
});
// Create ./logs if it doesn't exist
-fs.mkdir('./logs', (err) => {
+//fs.mkdir('./logs', (err) => {
/* do nothing */
-});
+//});
const app = express();
@@ -141,8 +141,8 @@ function startHttpsServer() {
let privateKey;
let certificate;
try {
- privateKey = fs.readFileSync('./ssl_key/private.pem', 'utf8');
- certificate = fs.readFileSync('./ssl_key/file.crt', 'utf8');
+ privateKey = fs.readFileSync('/etc/pccs/ssl/server-key.pem', 'utf8');
+ certificate = fs.readFileSync('/etc/pccs/ssl/server-cert.pem', 'utf8');
} catch (err) {
logger.error('The private key or certificate for HTTPS server is missing.');
logger.endAndExitProcess();
diff --git a/QuoteGeneration/pccs/utils/Logger.js b/QuoteGeneration/pccs/utils/Logger.js
index 5ac7a488..c774ac40 100644
--- a/QuoteGeneration/pccs/utils/Logger.js
+++ b/QuoteGeneration/pccs/utils/Logger.js
@@ -40,7 +40,7 @@ const { createLogger, format, transports } = winston;
const options = {
file: {
level: Config.has('LogLevel') ? Config.get('LogLevel') : 'info',
- filename: __dirname + `/../logs/pccs_server.log`,
+ filename: `/var/log/pccs/pccs_server.log`,
handleExceptions: true,
json: false,
colorize: true,
diff --git a/QuoteGeneration/pccs/utils/apputil.js b/QuoteGeneration/pccs/utils/apputil.js
index 6f910eea..6eb9d153 100644
--- a/QuoteGeneration/pccs/utils/apputil.js
+++ b/QuoteGeneration/pccs/utils/apputil.js
@@ -84,8 +84,8 @@ async function test_db_status() {
}
async function db_migration() {
- const migrations = fs.readdirSync('./migrations').map(name => {
- const path = `./migrations/${name}`;
+ const migrations = fs.readdirSync('/usr/lib/node_modules/pccs/migrations').map(name => {
+ const path = `/usr/lib/node_modules/pccs/migrations/${name}`;
return {
name,
@@ -126,7 +126,7 @@ async function db_migration() {
const umzug = new Umzug({
migrations: {
- glob: './migrations/*.{js,up.sql}',
+ glob: '/usr/lib/node_modules/pccs/migrations/*.{js,up.sql}',
resolve: ({ name }) => {
const migration = migrations.find(migration => migration.name === name);
logger.debug(`Resolving migration: ${name}, found: ${migration ? migration.name : 'none'}`);
--
2.52.0

71
0119-pccs-only-pass-ApiKey-if-it-is-set.patch Normal file
View File

@ -0,0 +1,71 @@
From 6c6e7427cf14455a56828db5c39f26ca8658a18d Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?= <berrange@redhat.com>
Date: Wed, 9 Jul 2025 16:41:59 +0100
Subject: [PATCH 119/136] pccs: only pass ApiKey if it is set
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Some endpoints on the api.trustedservices.intel.com site do not
require an API token. The pcs_client code, however, will always
set the Ocp-Apim-Subscription-Key HTTP header, even if it is
the empty string. The server will reject the empty string
as invalid, rather than prcessing it as an non-authenticated
request.
This leads to PCCS being unable to fetch PCK certs in an out of
the box config unless the admin sets the API token, which should
not be required for "LAZY" caching.
Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
---
QuoteGeneration/pccs/pcs_client/pcs_client.js | 14 +++++++++++---
1 file changed, 11 insertions(+), 3 deletions(-)
diff --git a/QuoteGeneration/pccs/pcs_client/pcs_client.js b/QuoteGeneration/pccs/pcs_client/pcs_client.js
index 99ccea69..4f6c903b 100644
--- a/QuoteGeneration/pccs/pcs_client/pcs_client.js
+++ b/QuoteGeneration/pccs/pcs_client/pcs_client.js
@@ -66,7 +66,9 @@ async function do_request(url, options) {
if (!options.headers) {
options.headers = {};
}
- options.headers['Ocp-Apim-Subscription-Key'] = Config.get('ApiKey');
+ if (Config.get('ApiKey') != "") {
+ options.headers['Ocp-Apim-Subscription-Key'] = Config.get('ApiKey');
+ }
}
// global opitons ( proxy, timeout, etc)
@@ -128,8 +130,11 @@ export async function getCerts(enc_ppid, pceid) {
pceid: pceid,
},
method: 'GET',
- headers: { 'Ocp-Apim-Subscription-Key': Config.get('ApiKey') },
+ headers: {}
};
+ if (Config.get('ApiKey') != "") {
+ options.headers['Ocp-Apim-Subscription-Key'] = Config.get('ApiKey');
+ }
return do_request(Config.get('uri') + 'pckcerts', options);
}
@@ -142,11 +147,14 @@ export async function getCertsWithManifest(platform_manifest, pceid) {
},
method: 'POST',
headers: {
- 'Ocp-Apim-Subscription-Key': Config.get('ApiKey'),
'Content-Type': 'application/json',
},
};
+ if (Config.get('ApiKey') != "") {
+ options.headers['Ocp-Apim-Subscription-Key'] = Config.get('ApiKey');
+ }
+
return do_request(Config.get('uri') + 'pckcerts', options);
}
--
2.52.0

104
0120-pccsadmin-make-keyring-module-optional.patch Normal file
View File

@ -0,0 +1,104 @@
From 2b540452538b12a47340b03d6118d3df281a6638 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?= <berrange@redhat.com>
Date: Thu, 4 Dec 2025 13:31:54 +0000
Subject: [PATCH 120/136] pccsadmin: make 'keyring' module optional
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
This is not available in some distros, and since it is merely a
convenience to avoid repeated password entry, it can be made
optional.
Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
---
.../PccsAdminTool/lib/intelsgx/credential.py | 53 +++++++++++--------
1 file changed, 30 insertions(+), 23 deletions(-)
diff --git a/tools/PccsAdminTool/lib/intelsgx/credential.py b/tools/PccsAdminTool/lib/intelsgx/credential.py
index 638cd88e..cebecade 100644
--- a/tools/PccsAdminTool/lib/intelsgx/credential.py
+++ b/tools/PccsAdminTool/lib/intelsgx/credential.py
@@ -1,4 +1,7 @@
-import keyring
+try:
+ import keyring
+except:
+ keyring = None
import getpass
class Credentials:
@@ -8,11 +11,12 @@ class Credentials:
def get_admin_token(self):
admin_token = ""
- try:
- print("Please note: A prompt may appear asking for your keyring password to access stored credentials.")
- admin_token = keyring.get_password(self.APPNAME, self.KEY_ADMINTOKEN)
- except keyring.errors.KeyringError as ke:
- admin_token = ""
+ if keyring is not None:
+ try:
+ print("Please note: A prompt may appear asking for your keyring password to access stored credentials.")
+ admin_token = keyring.get_password(self.APPNAME, self.KEY_ADMINTOKEN)
+ except keyring.errors.KeyringError as ke:
+ admin_token = ""
while admin_token is None or admin_token == '':
admin_token = getpass.getpass(prompt="Please input your administrator password for PCCS service:")
@@ -25,21 +29,23 @@ class Credentials:
return admin_token
def set_admin_token(self, token):
- try:
- print("Please note: A prompt may appear asking for your keyring password to access stored credentials.")
- keyring.set_password(self.APPNAME, self.KEY_ADMINTOKEN, token)
- except keyring.errors.PasswordSetError as ke:
- print("Failed to store admin token.")
- return False
+ if keyring is not None:
+ try:
+ print("Please note: A prompt may appear asking for your keyring password to access stored credentials.")
+ keyring.set_password(self.APPNAME, self.KEY_ADMINTOKEN, token)
+ except keyring.errors.PasswordSetError as ke:
+ print("Failed to store admin token.")
+ return False
return True
def get_pcs_api_key(self):
pcs_api_key = ""
- try:
- print("Please note: A prompt may appear asking for your keyring password to access stored credentials.")
- pcs_api_key = keyring.get_password(self.APPNAME, self.KEY_PCS_APIKEY)
- except keyring.errors.KeyringError as ke:
- pcs_api_key = ""
+ if keyring is not None:
+ try:
+ print("Please note: A prompt may appear asking for your keyring password to access stored credentials.")
+ pcs_api_key = keyring.get_password(self.APPNAME, self.KEY_PCS_APIKEY)
+ except keyring.errors.KeyringError as ke:
+ pcs_api_key = ""
while pcs_api_key is None or pcs_api_key == '':
pcs_api_key = getpass.getpass(prompt="Please input ApiKey for Intel PCS:")
@@ -52,10 +58,11 @@ class Credentials:
return pcs_api_key
def set_pcs_api_key(self, apikey):
- try:
- print("Please note: A prompt may appear asking for your keyring password to access stored credentials.")
- keyring.set_password(self.APPNAME, self.KEY_PCS_APIKEY, apikey)
- except keyring.errors.PasswordSetError as ke:
- print("Failed to store PCS API key.")
- return False
+ if keyring is not None:
+ try:
+ print("Please note: A prompt may appear asking for your keyring password to access stored credentials.")
+ keyring.set_password(self.APPNAME, self.KEY_PCS_APIKEY, apikey)
+ except keyring.errors.PasswordSetError as ke:
+ print("Failed to store PCS API key.")
+ return False
return True
--
2.52.0

341
0121-pccsadmin-convert-from-asn1-to-pyasn1-python-module.patch Normal file
View File

@ -0,0 +1,341 @@
From b9954581944446455876728bdab816090d773715 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?= <berrange@redhat.com>
Date: Thu, 4 Dec 2025 13:54:19 +0000
Subject: [PATCH 121/136] pccsadmin: convert from asn1 to pyasn1 python module
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
The pyasn1 module decodes using a formal object model so is more robust,
as well as being more widely available in distros.
Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
---
tools/PccsAdminTool/lib/intelsgx/pckcert.py | 267 +++++++++++++-------
1 file changed, 177 insertions(+), 90 deletions(-)
diff --git a/tools/PccsAdminTool/lib/intelsgx/pckcert.py b/tools/PccsAdminTool/lib/intelsgx/pckcert.py
index 97aa2783..eaed331b 100644
--- a/tools/PccsAdminTool/lib/intelsgx/pckcert.py
+++ b/tools/PccsAdminTool/lib/intelsgx/pckcert.py
@@ -1,76 +1,171 @@
from cryptography import x509
from cryptography.x509.oid import ObjectIdentifier
from cryptography.hazmat.backends import default_backend
-import asn1
-import struct
+import pyasn1
+from pyasn1.codec.der.decoder import decode as der_decoder
+from pyasn1.type import namedtype
+from pyasn1.type import namedval
+from pyasn1.type import opentype
+from pyasn1.type import univ
+
+
+id_cdp_extensionStr = '2.5.29.31'
+id_ce_sGXExtensionsStr = '1.2.840.113741.1.13.1'
+
+id_ce_sGXExtensions = univ.ObjectIdentifier(id_ce_sGXExtensionsStr)
+
+id_ce_sGXExtensions_pPID = univ.ObjectIdentifier(id_ce_sGXExtensionsStr + ".1")
+id_ce_sGXExtensions_tCB = univ.ObjectIdentifier(id_ce_sGXExtensionsStr + ".2")
+id_ce_sGXExtensions_pCE_ID = univ.ObjectIdentifier(id_ce_sGXExtensionsStr + ".3")
+id_ce_sGXExtensions_fMSPC = univ.ObjectIdentifier(id_ce_sGXExtensionsStr + ".4")
+id_ce_sGXExtensions_sGXType = univ.ObjectIdentifier(id_ce_sGXExtensionsStr + ".5")
+id_ce_sGXExtensions_platformInstanceID = univ.ObjectIdentifier(id_ce_sGXExtensionsStr + ".6")
+id_ce_sGXExtensions_configuration = univ.ObjectIdentifier(id_ce_sGXExtensionsStr + ".7")
+
+id_ce_tCB_sGXTCBComp01SVN = univ.ObjectIdentifier(id_ce_sGXExtensionsStr + ".2.1")
+id_ce_tCB_sGXTCBComp02SVN = univ.ObjectIdentifier(id_ce_sGXExtensionsStr + ".2.2")
+id_ce_tCB_sGXTCBComp03SVN = univ.ObjectIdentifier(id_ce_sGXExtensionsStr + ".2.3")
+id_ce_tCB_sGXTCBComp04SVN = univ.ObjectIdentifier(id_ce_sGXExtensionsStr + ".2.4")
+id_ce_tCB_sGXTCBComp05SVN = univ.ObjectIdentifier(id_ce_sGXExtensionsStr + ".2.5")
+id_ce_tCB_sGXTCBComp06SVN = univ.ObjectIdentifier(id_ce_sGXExtensionsStr + ".2.6")
+id_ce_tCB_sGXTCBComp07SVN = univ.ObjectIdentifier(id_ce_sGXExtensionsStr + ".2.7")
+id_ce_tCB_sGXTCBComp08SVN = univ.ObjectIdentifier(id_ce_sGXExtensionsStr + ".2.8")
+id_ce_tCB_sGXTCBComp09SVN = univ.ObjectIdentifier(id_ce_sGXExtensionsStr + ".2.9")
+id_ce_tCB_sGXTCBComp10SVN = univ.ObjectIdentifier(id_ce_sGXExtensionsStr + ".2.10")
+id_ce_tCB_sGXTCBComp11SVN = univ.ObjectIdentifier(id_ce_sGXExtensionsStr + ".2.11")
+id_ce_tCB_sGXTCBComp12SVN = univ.ObjectIdentifier(id_ce_sGXExtensionsStr + ".2.12")
+id_ce_tCB_sGXTCBComp13SVN = univ.ObjectIdentifier(id_ce_sGXExtensionsStr + ".2.13")
+id_ce_tCB_sGXTCBComp14SVN = univ.ObjectIdentifier(id_ce_sGXExtensionsStr + ".2.14")
+id_ce_tCB_sGXTCBComp15SVN = univ.ObjectIdentifier(id_ce_sGXExtensionsStr + ".2.15")
+id_ce_tCB_sGXTCBComp16SVN = univ.ObjectIdentifier(id_ce_sGXExtensionsStr + ".2.16")
+id_ce_tCB_pCESVN = univ.ObjectIdentifier(id_ce_sGXExtensionsStr + ".2.17")
+id_ce_tCB_cPUSVN = univ.ObjectIdentifier(id_ce_sGXExtensionsStr + ".2.18")
+
+id_ce_configuration_dynamicPlatform = univ.ObjectIdentifier(id_ce_sGXExtensionsStr + ".7.1")
+id_ce_configuration_cachedKeys = univ.ObjectIdentifier(id_ce_sGXExtensionsStr + ".7.2")
+id_ce_configuration_sMTEnabled = univ.ObjectIdentifier(id_ce_sGXExtensionsStr + ".7.3")
+
+
+class SgxExtensionPPID(univ.OctetString):
+ pass
+
+
+class SgxCPUSVN(univ.OctetString):
+ pass
+
+
+tcbAttributeMap = {
+ id_ce_tCB_sGXTCBComp01SVN: univ.Integer(),
+ id_ce_tCB_sGXTCBComp02SVN: univ.Integer(),
+ id_ce_tCB_sGXTCBComp03SVN: univ.Integer(),
+ id_ce_tCB_sGXTCBComp04SVN: univ.Integer(),
+ id_ce_tCB_sGXTCBComp05SVN: univ.Integer(),
+ id_ce_tCB_sGXTCBComp06SVN: univ.Integer(),
+ id_ce_tCB_sGXTCBComp07SVN: univ.Integer(),
+ id_ce_tCB_sGXTCBComp08SVN: univ.Integer(),
+ id_ce_tCB_sGXTCBComp09SVN: univ.Integer(),
+ id_ce_tCB_sGXTCBComp10SVN: univ.Integer(),
+ id_ce_tCB_sGXTCBComp11SVN: univ.Integer(),
+ id_ce_tCB_sGXTCBComp12SVN: univ.Integer(),
+ id_ce_tCB_sGXTCBComp13SVN: univ.Integer(),
+ id_ce_tCB_sGXTCBComp14SVN: univ.Integer(),
+ id_ce_tCB_sGXTCBComp15SVN: univ.Integer(),
+ id_ce_tCB_sGXTCBComp16SVN: univ.Integer(),
+ id_ce_tCB_pCESVN: univ.Integer(),
+ id_ce_tCB_cPUSVN: SgxCPUSVN(),
+}
+
+
+class SgxExtensionTCBEntry(univ.Sequence):
+ componentType = namedtype.NamedTypes(
+ namedtype.NamedType('tCBId', univ.ObjectIdentifier()),
+ namedtype.NamedType('tCBValue', univ.Any(),
+ openType=opentype.OpenType('tCBId',
+ tcbAttributeMap))
+ )
+
+
+class SgxExtensionTCB(univ.SequenceOf):
+ componentType = SgxExtensionTCBEntry()
+
+
+class SgxExtensionPCEID(univ.OctetString):
+ pass
+
+
+class SgxExtensionFMSPC(univ.OctetString):
+ pass
+
+
+class SgxExtensionSGXType(univ.Enumerated):
+ namedValues = namedval.NamedValues(
+ ('standard', 0),
+ ('scalable', 1),
+ ('scalableWithIntegrity', 2)
+ )
+
+
+class SgxExtensionPlatformInstanceID(univ.OctetString):
+ pass
+
+
+configurationAttributeMap = {
+ id_ce_configuration_dynamicPlatform: univ.Boolean(),
+ id_ce_configuration_cachedKeys: univ.Boolean(),
+ id_ce_configuration_sMTEnabled: univ.Boolean(),
+}
+
+
+class SgxExtensionConfigurationEntry(univ.Sequence):
+ componentType = namedtype.NamedTypes(
+ namedtype.NamedType('configurationId', univ.ObjectIdentifier()),
+ namedtype.NamedType('configurationValue', univ.Any(),
+ openType=opentype.OpenType('configurationId',
+ configurationAttributeMap))
+ )
+
+
+class SgxExtensionConfiguration(univ.SequenceOf):
+ componentType = SgxExtensionConfigurationEntry()
+
+
+extensionAttributeMap = {
+ id_ce_sGXExtensions_pPID: SgxExtensionPPID(),
+ id_ce_sGXExtensions_tCB: SgxExtensionTCB(),
+ id_ce_sGXExtensions_pCE_ID: SgxExtensionPCEID(),
+ id_ce_sGXExtensions_fMSPC: SgxExtensionFMSPC(),
+ id_ce_sGXExtensions_sGXType: SgxExtensionSGXType(),
+ id_ce_sGXExtensions_platformInstanceID: SgxExtensionPlatformInstanceID(),
+ id_ce_sGXExtensions_configuration: SgxExtensionConfiguration(),
+}
+
+
+class SgxExtensionEntry(univ.Sequence):
+ componentType = namedtype.NamedTypes(
+ namedtype.NamedType('sGXExtensionId', univ.ObjectIdentifier()),
+ namedtype.NamedType('sGXExtensionValue', univ.Any(),
+ openType=opentype.OpenType('sGXExtensionId',
+ extensionAttributeMap))
+ )
+
+
+class SgxExtension(univ.SequenceOf):
+ componentType = SgxExtensionEntry()
-# This is a very simplistic ASN1 parser. Production code should use
-# something like ans1c to build a parser from the ASN1 spec file so
-# that it can check and enforce data validity.
class SgxPckCertificateExtensions:
- id_ce_sGXExtensions = '1.2.840.113741.1.13.1'
- id_ce_sGXExtensions_tCB= id_ce_sGXExtensions+".2"
- id_ce_sGXExtensions_configuration= id_ce_sGXExtensions+".7"
- id_cdp_extension = '2.5.29.31'
- decoder= asn1.Decoder()
- _data= {}
- ca= ''
- oids= {
- id_ce_sGXExtensions: 'sGXExtensions',
- id_ce_sGXExtensions+".1": 'pPID',
- id_ce_sGXExtensions_tCB: 'tCB',
- id_ce_sGXExtensions_tCB+".1": 'tCB-sGXTCBComp01SVN',
- id_ce_sGXExtensions_tCB+".2": 'tCB-sGXTCBComp02SVN',
- id_ce_sGXExtensions_tCB+".3": 'tCB-sGXTCBComp03SVN',
- id_ce_sGXExtensions_tCB+".4": 'tCB-sGXTCBComp04SVN',
- id_ce_sGXExtensions_tCB+".5": 'tCB-sGXTCBComp05SVN',
- id_ce_sGXExtensions_tCB+".6": 'tCB-sGXTCBComp06SVN',
- id_ce_sGXExtensions_tCB+".7": 'tCB-sGXTCBComp07SVN',
- id_ce_sGXExtensions_tCB+".8": 'tCB-sGXTCBComp08SVN',
- id_ce_sGXExtensions_tCB+".9": 'tCB-sGXTCBComp09SVN',
- id_ce_sGXExtensions_tCB+".10": 'tCB-sGXTCBComp10SVN',
- id_ce_sGXExtensions_tCB+".11": 'tCB-sGXTCBComp11SVN',
- id_ce_sGXExtensions_tCB+".12": 'tCB-sGXTCBComp12SVN',
- id_ce_sGXExtensions_tCB+".13": 'tCB-sGXTCBComp13SVN',
- id_ce_sGXExtensions_tCB+".14": 'tCB-sGXTCBComp14SVN',
- id_ce_sGXExtensions_tCB+".15": 'tCB-sGXTCBComp15SVN',
- id_ce_sGXExtensions_tCB+".16": 'tCB-sGXTCBComp16SVN',
- id_ce_sGXExtensions_tCB+".17": 'tCB-pCESVN',
- id_ce_sGXExtensions_tCB+".18": 'tCB-cPUSVN',
- id_ce_sGXExtensions+".3": 'pCE-ID',
- id_ce_sGXExtensions+".4": 'fMSPC',
- id_ce_sGXExtensions+".5": 'sGXType',
- id_ce_sGXExtensions+".6": 'platformInstanceID',
- id_ce_sGXExtensions_configuration: 'configuration',
- id_ce_sGXExtensions_configuration+".1": 'dynamicPlatform',
- id_ce_sGXExtensions_configuration+".2": 'cachedKeys',
- id_ce_sGXExtensions_configuration+".3": 'sMTEnabled'
- }
-
- def _parse_asn1(self, d, oid, lnr=asn1.Numbers.ObjectIdentifier):
- tag= self.decoder.peek()
- while tag:
- if tag.typ == asn1.Types.Constructed:
- self.decoder.enter()
- if ( lnr == asn1.Numbers.ObjectIdentifier ):
- d[self.oids[oid]]= {}
- self._parse_asn1(d[self.oids[oid]], oid, tag.nr)
- else:
- self._parse_asn1(d, oid, tag.nr)
- self.decoder.leave()
- elif tag.typ == asn1.Types.Primitive:
- tag, value= self.decoder.read()
- if ( tag.nr == asn1.Numbers.ObjectIdentifier ):
- oid= value
- else:
- d[self.oids[oid]]= value
- lnr= tag.nr
- tag= self.decoder.peek()
- return
+
+ def __init__(self):
+ self.ca= ''
+ self._data= None
+
+ def _parse_asn1(self, extensionData):
+ parsed, extra= der_decoder(extensionData,
+ asn1Spec=SgxExtension(),
+ decodeOpenTypes=True)
+ return parsed
def parse_pem_certificate(self, pem):
- self._data= {}
cert= x509.load_pem_x509_certificate(pem, default_backend())
issuerCN = cert.issuer.rfc4514_string()
if (issuerCN.find('Processor') != -1) :
@@ -81,63 +176,55 @@ class SgxPckCertificateExtensions:
self.ca = None
sgxext= cert.extensions.get_extension_for_oid(
- ObjectIdentifier(self.id_ce_sGXExtensions)
+ ObjectIdentifier(id_ce_sGXExtensionsStr)
)
- self.decoder.start(sgxext.value.value)
- self._parse_asn1(self._data, self.id_ce_sGXExtensions)
+ self._data= self._parse_asn1(sgxext.value.value)
def get_root_ca_crl(self, pem):
- self._data= {}
cert= x509.load_pem_x509_certificate(pem, default_backend())
cdpext= cert.extensions.get_extension_for_oid(
- ObjectIdentifier(self.id_cdp_extension)
+ ObjectIdentifier(id_cdp_extensionStr)
)
return getattr(getattr(cdpext.value[0], "_full_name")[0], "value")
- def data(self, field=None):
- if 'sGXExtensions' not in self._data:
- return None
-
- d= self._data['sGXExtensions']
-
- if field:
- if field in d:
- return d[field]
+ def data(self, field):
+ if self._data is None:
return None
- return d
+ ent = list(filter(lambda e: e['sGXExtensionId'] == field, self._data))[0]
+ return ent['sGXExtensionValue']
def _hex_data(self, field):
val= self.data(field)
if val is None:
return None
- return val.hex()
+ return bytes(val).hex()
# Commonly-needed data fields
#------------------------------
def get_fmspc(self):
- return self._hex_data('fMSPC')
+ return self._hex_data(id_ce_sGXExtensions_fMSPC)
def get_ca(self):
return self.ca
def get_tcbm(self):
- tcb= self.data('tCB')
+ tcb= self.data(id_ce_sGXExtensions_tCB)
if tcb is None:
return None
- return tcb['tCB-cPUSVN'].hex() + self.get_pcesvn()
+ ent= list(filter(lambda e: e['tCBId'] == id_ce_tCB_cPUSVN, tcb))[0]
+ return bytes(ent["tCBValue"]).hex() + self.get_pcesvn()
def get_pceid(self):
- return self._hex_data('pCE-ID')
+ return self._hex_data(id_ce_sGXExtensions_pCE_ID)
def get_ppid(self):
- return self._hex_data('pPID')
+ return self._hex_data(id_ce_sGXExtensions_pPID)
def get_pcesvn(self):
- tcb= self.data('tCB')
- # pCESVN should be packed little-endian
- pcesvn= struct.pack('<H', tcb['tCB-pCESVN'])
- return pcesvn.hex()
+ tcb= self.data(id_ce_sGXExtensions_tCB)
+ ent= list(filter(lambda e: e['tCBId'] == id_ce_tCB_pCESVN, tcb))[0]
+ return int(ent["tCBValue"]).to_bytes(2, byteorder='little').hex()
--
2.52.0

67
0122-pccsadmin-fully-switch-to-pycryptography-for-CRL-ver.patch Normal file
View File

@ -0,0 +1,67 @@
From d44b9ac3e89e17452678758634e6dbca6c5a099a Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?= <berrange@redhat.com>
Date: Mon, 8 Dec 2025 17:47:01 +0000
Subject: [PATCH 122/136] pccsadmin: fully switch to pycryptography for CRL
verification
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
The pyopenssl 24.3.0 removed the CRL object and its related
methods. pccsadmin was already using the pycryptography CRL
object for the verification task, so fully switch to use it
for loading the CRL to begin with.
Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
---
tools/PccsAdminTool/lib/intelsgx/pcs.py | 13 ++++---------
1 file changed, 4 insertions(+), 9 deletions(-)
diff --git a/tools/PccsAdminTool/lib/intelsgx/pcs.py b/tools/PccsAdminTool/lib/intelsgx/pcs.py
index 046c781d..e68864d2 100644
--- a/tools/PccsAdminTool/lib/intelsgx/pcs.py
+++ b/tools/PccsAdminTool/lib/intelsgx/pcs.py
@@ -101,11 +101,6 @@ class PCS:
# Copy our list so we don't modify the original
pychain= pychain_in[:]
- # PyOpenSSL doesn't have methods for verifying a CRL issuer,
- # so we need to translate from it to cryptography.
-
- crl= pycrl.to_cryptography()
-
# The chain_pem is our CRL issuer and the CA for the issuer.
# Verify that first.
@@ -118,13 +113,13 @@ class PCS:
signer_key= pycert.get_pubkey().to_cryptography_key()
- if not crl.is_signature_valid(signer_key):
+ if not pycrl.is_signature_valid(signer_key):
self.error("Could not verify CRL signature")
return False
# Check the crl issuer
- if pycrl.get_issuer() != pycert.get_subject():
+ if pycrl.issuer != pycert.get_subject():
self.error("CRL issuer doesn't match issuer chain")
return False
@@ -516,10 +511,10 @@ class PCS:
crl= response.content
if self.ApiVersion<3:
crl_str= str(crl, dec)
- pycrl= crypto.load_crl(crypto.FILETYPE_PEM, crl)
+ pycrl= x509.load_pem_x509_crl(crl)
else:
crl_str= binascii.hexlify(crl).decode(dec)
- pycrl= crypto.load_crl(crypto.FILETYPE_ASN1, crl)
+ pycrl= x509.load_der_x509_crl(crl)
if not self.verify_crl_trust(pychain, pycrl):
self.error("Could not validate certificate using trust chain")
--
2.52.0

178
0123-pccsadmin-use-more-of-pycryptography-instead-of-pyop.patch Normal file
View File

@ -0,0 +1,178 @@
From d14f914ea644d7c1b2312780688d55fbb13892bc Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?= <berrange@redhat.com>
Date: Mon, 8 Dec 2025 17:48:11 +0000
Subject: [PATCH 123/136] pccsadmin: use more of pycryptography instead of
pyopenssl
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
pyopenssl docs are indicating that the 'crypto' module is liable to
see further deprecation, suggesting use of pycryptography instead.
pccsadmin code already uses pycryptography for CRLs, so extend this
to use it for loading certificates too. They are converted back to
pyopenssl objects for verification.
Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
---
tools/PccsAdminTool/lib/intelsgx/pcs.py | 49 ++++++++++++++-----------
1 file changed, 28 insertions(+), 21 deletions(-)
diff --git a/tools/PccsAdminTool/lib/intelsgx/pcs.py b/tools/PccsAdminTool/lib/intelsgx/pcs.py
index e68864d2..f6b58a6b 100644
--- a/tools/PccsAdminTool/lib/intelsgx/pcs.py
+++ b/tools/PccsAdminTool/lib/intelsgx/pcs.py
@@ -5,6 +5,10 @@ import json
import binascii
from urllib import parse
from OpenSSL import crypto
+from cryptography import x509
+from cryptography.exceptions import InvalidSignature
+from cryptography.hazmat.primitives import hashes
+from cryptography.hazmat.primitives.asymmetric import ec
from platform import system
if system() == 'Windows':
from pypac import PACSession
@@ -17,6 +21,9 @@ certBegin= '-----BEGIN CERTIFICATE-----'
certEnd= '-----END CERTIFICATE-----'
certEndOffset= len(certEnd)
+def CN(name):
+ return name.get_attributes_for_oid(x509.NameOID.COMON_NAME)[0].value
+
class PCS:
BaseUrl= ''
ApiVersion= 3
@@ -93,7 +100,7 @@ class PCS:
store= crypto.X509Store()
for tcert in pychain:
- store.add_cert(tcert)
+ store.add_cert(crypto.X509.from_cryptography(tcert))
return store
@@ -111,7 +118,7 @@ class PCS:
# Now verify the CRL signature
- signer_key= pycert.get_pubkey().to_cryptography_key()
+ signer_key= pycert.public_key()
if not pycrl.is_signature_valid(signer_key):
self.error("Could not verify CRL signature")
@@ -119,7 +126,7 @@ class PCS:
# Check the crl issuer
- if pycrl.issuer != pycert.get_subject():
+ if pycrl.issuer != pycert.subject:
self.error("CRL issuer doesn't match issuer chain")
return False
@@ -129,7 +136,8 @@ class PCS:
store= self.init_cert_store(pychain)
for pycert in pycerts:
- store_ctx= crypto.X509StoreContext(store, pycert)
+ store_ctx= crypto.X509StoreContext(
+ store, crypto.X509.from_cryptography(pycert))
try:
store_ctx.verify_certificate()
except crypto.X509StoreContextError as e:
@@ -161,22 +169,21 @@ class PCS:
sig= bytes([0x30,len(r)+len(s)+4,2,len(r)]) + r + bytes([2,len(s)]) + s
try:
- crypto.verify(pycert, sig, msg, "sha256")
- except crypto.Error as e:
+ pycert.public_key().verify(
+ sig, msg, ec.ECDSA(hashes.SHA256()))
+ except InvalidSignature as e:
self.error('Signature verification failed: {:s}'.format(str(e)))
return False
return True
def pem_to_pycert(self, cert_pem):
- return crypto.load_certificate(crypto.FILETYPE_PEM, cert_pem)
+ return x509.load_pem_x509_certificate(cert_pem.encode("utf-8"))
def pems_to_pycerts(self, certs_pem):
pycerts= []
for cert_pem in certs_pem:
- pycerts.append(
- crypto.load_certificate(crypto.FILETYPE_PEM, cert_pem)
- )
+ pycerts.append(self.pem_to_pycert(cert_pem))
return pycerts
def parse_chain_pem(self, chain_pem):
@@ -209,9 +216,9 @@ class PCS:
cert0= chain_in[0]
cert1= chain_in[1]
- if cert0.get_subject() == cert1.get_issuer():
+ if cert0.subject == cert1.issuer:
return chain_in
- elif cert1.get_subject() == cert0.get_issuer():
+ elif cert1.subject == cert0.issuer:
chain_in.reverse()
return chain_in
else:
@@ -224,7 +231,7 @@ class PCS:
for i in range(1, len(chain_in)):
cert= chain_in[i]
pcert= chain_in[i-1]
- if cert.get_issuer() != pcert.get_subject():
+ if cert.issuer != pcert.subject:
sorted= False
break
@@ -240,10 +247,10 @@ class PCS:
rootidx= -1
for i in range(0, len(chain)):
cert= chain[i]
- subject= cert.get_subject()
- issuer= cert.get_issuer()
- cert_subjects[subject.CN]= cert
- print("cert: {:s} <- {:s}" . format(subject.CN, issuer.CN))
+ subject= cert.subject
+ issuer= cert.issuer
+ cert_subjects[CN(subject)]= cert
+ print("cert: {:s} <- {:s}" . format(CN(subject), CN(issuer)))
if subject == issuer:
if len(sorted_chain) > 0:
@@ -262,8 +269,8 @@ class PCS:
issuer_to= {}
for cert in chain:
- issuer= cert.get_issuer().CN
- subject= cert.get_subject().CN
+ issuer= CN(cert.issuer)
+ subject= CN(cert.subject)
if issuer in issued_by:
self.error('multiple certs issued by same cert in chain')
@@ -280,7 +287,7 @@ class PCS:
if len(sorted_chain) > 0:
for cert in chain:
- issuer= cert.get_issuer().CN
+ issuer= CN(cert.issuer)
if issuer not in issued_by:
if len(sorted_chain) > 0:
self.error('multiple certs with no issuer')
@@ -296,7 +303,7 @@ class PCS:
cert= sorted_chain[0]
while len(sorted_chain) < lchain:
- issuer_subject= cert.get_subject().der()
+ issuer_subject= CN(cert.subject)
if issuer_subject not in issuer_to:
self.error('cert in chain with no issuer')
--
2.52.0

104
0124-pccsadmin-prefer-pycryptography-over-pyopenssl.patch Normal file
View File

@ -0,0 +1,104 @@
From 9d3da2fd99ba2832fcaa4067dd5db3f7f349c306 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?= <berrange@redhat.com>
Date: Wed, 3 Dec 2025 17:59:09 +0000
Subject: [PATCH 124/136] pccsadmin: prefer pycryptography over pyopenssl
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
The only part of pccsadmin that still needs pyopenssl is certificate
verification. As of pycryptography 45.0.0, there are sufficient APIs
available to replace the remaining usage of pyopenssl.
Since new pycryptography is still not widely available in distros,
keep pyopenssl code as a fallback.
Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
---
tools/PccsAdminTool/lib/intelsgx/pcs.py | 60 +++++++++++++++++++------
1 file changed, 47 insertions(+), 13 deletions(-)
diff --git a/tools/PccsAdminTool/lib/intelsgx/pcs.py b/tools/PccsAdminTool/lib/intelsgx/pcs.py
index f6b58a6b..eeb29697 100644
--- a/tools/PccsAdminTool/lib/intelsgx/pcs.py
+++ b/tools/PccsAdminTool/lib/intelsgx/pcs.py
@@ -4,11 +4,28 @@ import requests
import json
import binascii
from urllib import parse
-from OpenSSL import crypto
+
from cryptography import x509
from cryptography.exceptions import InvalidSignature
-from cryptography.hazmat.primitives import hashes
+from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import ec
+
+# Prefer pycryptography for cert verification if new
+# enough, but fallback to pyopenssl
+try:
+ # 'verification' module available from >= 42.0.0, but
+ # the required 'ExtensionPolicy' API is from >= 45.0.0
+ from cryptography.x509 import verification
+ if not hasattr(verification, 'ExtensionPolicy'):
+ verification = None
+ else:
+ crypto = None
+except ImportError:
+ verification = None
+
+if verification is None:
+ from OpenSSL import crypto
+
from platform import system
if system() == 'Windows':
from pypac import PACSession
@@ -133,17 +150,34 @@ class PCS:
return True
def verify_cert_trust(self, pychain, pycerts):
- store= self.init_cert_store(pychain)
-
- for pycert in pycerts:
- store_ctx= crypto.X509StoreContext(
- store, crypto.X509.from_cryptography(pycert))
- try:
- store_ctx.verify_certificate()
- except crypto.X509StoreContextError as e:
- # Printing or logging the error details
- print(e)
- return False
+ if verification is not None:
+ store= verification.Store(pychain)
+
+ builder= verification.PolicyBuilder().store(store)
+ builder= builder.extension_policies(
+ ee_policy=verification.ExtensionPolicy.permit_all(),
+ ca_policy=verification.ExtensionPolicy.webpki_defaults_ca())
+
+ verifier= builder.build_client_verifier()
+ for pycert in pycerts:
+ try:
+ verifier.verify(pycert,[])
+ except verification.VerificationError as e:
+ # Printing or logging the error details
+ print(e)
+ return False
+ else:
+ store= self.init_cert_store(pychain)
+
+ for pycert in pycerts:
+ store_ctx= crypto.X509StoreContext(
+ store, crypto.X509.from_cryptography(pycert))
+ try:
+ store_ctx.verify_certificate()
+ except crypto.X509StoreContextError as e:
+ # Printing or logging the error details
+ print(e)
+ return False
return True
--
2.52.0

75
0125-pccsadmin-add-fallback-for-when-pyopenssl-is-not-ava.patch Normal file
View File

@ -0,0 +1,75 @@
From 262c1cb978d31130d3558d2a29690b1eace52c64 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?= <berrange@redhat.com>
Date: Mon, 8 Dec 2025 17:56:59 +0000
Subject: [PATCH 125/136] pccsadmin: add fallback for when pyopenssl is not
available
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
RHEL does not ship pyopenssl, however, the pycryptography that is
included is also too old to support certificate verification. Add
a further fallback that can invoke the 'openssl' command line tool
to verify certificates.
Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
---
tools/PccsAdminTool/lib/intelsgx/pcs.py | 28 +++++++++++++++++++++++--
1 file changed, 26 insertions(+), 2 deletions(-)
diff --git a/tools/PccsAdminTool/lib/intelsgx/pcs.py b/tools/PccsAdminTool/lib/intelsgx/pcs.py
index eeb29697..1368b57b 100644
--- a/tools/PccsAdminTool/lib/intelsgx/pcs.py
+++ b/tools/PccsAdminTool/lib/intelsgx/pcs.py
@@ -24,7 +24,14 @@ except ImportError:
verification = None
if verification is None:
- from OpenSSL import crypto
+ try:
+ from OpenSSL import crypto
+ except ModuleNotFoundError:
+ # Fallback to spawning 'openssl' binary if
+ # pyopenssl is not available
+ crypto = None
+ import tempfile
+ import subprocess
from platform import system
if system() == 'Windows':
@@ -166,7 +173,7 @@ class PCS:
# Printing or logging the error details
print(e)
return False
- else:
+ elif crypto is not None:
store= self.init_cert_store(pychain)
for pycert in pycerts:
@@ -178,6 +185,23 @@ class PCS:
# Printing or logging the error details
print(e)
return False
+ else:
+ with tempfile.NamedTemporaryFile("wb") as chainfile:
+ for cert in pychain:
+ chainfile.write(cert.public_bytes(serialization.Encoding.PEM))
+ chainfile.flush()
+
+ for cert in pycerts:
+ with tempfile.NamedTemporaryFile("wb") as certfile:
+ certfile.write(cert.public_bytes(serialization.Encoding.PEM))
+ certfile.flush()
+
+ try:
+ subprocess.check_call(["openssl", "verify",
+ "-CAfile", chainfile.name, certfile.name],
+ stdout=subprocess.DEVNULL)
+ except subprocess.CalledProcessError as e:
+ return False
return True
--
2.52.0

120
0126-pccsadmin-ignore-errors-trying-to-clear-the-keyring.patch Normal file
View File

@ -0,0 +1,120 @@
From 48f3dc21602f2f11f054c740c5efd4c34d5efae6 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?= <berrange@redhat.com>
Date: Thu, 4 Dec 2025 18:05:14 +0000
Subject: [PATCH 126/136] pccsadmin: ignore errors trying to clear the keyring
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
On authentication errors with PCS, an attempt is made to clear the
keyring. This may fail if the user's login environment has no keyring
configured. The user would have declined to store the key when first
prompted, so there would be nothing to clear either in this case.
Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
---
tools/PccsAdminTool/lib/intelsgx/pcs.py | 16 +++++++++++--
tools/PccsAdminTool/pccsadmin.py | 32 +++++++++++++++++++++----
2 files changed, 42 insertions(+), 6 deletions(-)
diff --git a/tools/PccsAdminTool/lib/intelsgx/pcs.py b/tools/PccsAdminTool/lib/intelsgx/pcs.py
index 1368b57b..dd4eba40 100644
--- a/tools/PccsAdminTool/lib/intelsgx/pcs.py
+++ b/tools/PccsAdminTool/lib/intelsgx/pcs.py
@@ -404,7 +404,13 @@ class PCS:
if response.status_code != 200:
print(str(response.content, 'utf-8'))
if response.status_code == 401:
- Credentials().set_pcs_api_key('') #reset ApiKey
+ try:
+ Credentials().set_pcs_api_key('') #reset ApiKey
+ except:
+ # If keyring is unavailable, we don't want to trigger
+ # traceback, as the user may have declined to save
+ # the key in the keyring earlier
+ pass
return None
# Verify expected headers
@@ -479,7 +485,13 @@ class PCS:
if response.status_code != 200:
print(str(response.content, 'utf-8'))
if response.status_code == 401:
- Credentials().set_pcs_api_key('') #reset ApiKey
+ try:
+ Credentials().set_pcs_api_key('') #reset ApiKey
+ except:
+ # If keyring is unavailable, we don't want to trigger
+ # traceback, as the user may have declined to save
+ # the key in the keyring earlier
+ pass
return None
# Verify expected headers
diff --git a/tools/PccsAdminTool/pccsadmin.py b/tools/PccsAdminTool/pccsadmin.py
index 8e447c50..dc5253bb 100755
--- a/tools/PccsAdminTool/pccsadmin.py
+++ b/tools/PccsAdminTool/pccsadmin.py
@@ -166,7 +166,13 @@ class PccsClient:
if response.status_code == 200:
self._write_output_file(output_file, response)
elif response.status_code == 401: # Authentication error
- self.credentials.set_admin_token('')
+ try:
+ self.credentials.set_admin_token('')
+ except:
+ # If keyring is unavailable, we don't want to trigger
+ # traceback, as the user may have declined to save
+ # the key in the keyring earlier
+ pass
print("Authentication failed.")
else:
self._handle_error(response)
@@ -196,7 +202,13 @@ class PccsClient:
if response.status_code == 200:
print("Collaterals uploaded successfully.")
elif response.status_code == 401: # Authentication error
- self.credentials.set_admin_token('')
+ try:
+ self.credentials.set_admin_token('')
+ except:
+ # If keyring is unavailable, we don't want to trigger
+ # traceback, as the user may have declined to save
+ # the key in the keyring earlier
+ pass
print("Authentication failed.")
else:
self._handle_error(response)
@@ -212,7 +224,13 @@ class PccsClient:
if response.status_code == 200:
print("Policy uploaded successfully with policy ID :" + response.text)
elif response.status_code == 401: # Authentication error
- self.credentials.set_admin_token('')
+ try:
+ self.credentials.set_admin_token('')
+ except:
+ # If keyring is unavailable, we don't want to trigger
+ # traceback, as the user may have declined to save
+ # the key in the keyring earlier
+ pass
print("Authentication failed.")
else:
self._handle_error(response)
@@ -245,7 +263,13 @@ class PccsClient:
if response.status_code == 200:
print("The cache database was refreshed successfully.")
elif response.status_code == 401: # Authentication error
- self.credentials.set_admin_token('')
+ try:
+ self.credentials.set_admin_token('')
+ except:
+ # If keyring is unavailable, we don't want to trigger
+ # traceback, as the user may have declined to save
+ # the key in the keyring earlier
+ pass
print("Authentication failed.")
else:
self._handle_error(response)
--
2.52.0

51
0127-PCS-Client-Tool-Migrate-from-deprecated-pkg_resource.patch Normal file
View File

@ -0,0 +1,51 @@
From f0222324f5896d08457ed0ffb3951081d66e0cf0 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?= <berrange@redhat.com>
Date: Tue, 6 Jan 2026 18:03:36 +0100
Subject: [PATCH 127/136] [PCS Client Tool] Migrate from deprecated
pkg_resources to packaging
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
From: Miro Hrončok <miro@hroncok.cz>
Version 14.0 is the first version that had the Version class.
Ref: https://setuptools.pypa.io/en/latest/pkg_resources.html
Signed-off-by: Miro Hrončok <miro@hroncok.cz>
---
tools/PccsAdminTool/lib/intelsgx/pcs.py | 2 +-
tools/PccsAdminTool/requirements.txt | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/tools/PccsAdminTool/lib/intelsgx/pcs.py b/tools/PccsAdminTool/lib/intelsgx/pcs.py
index dd4eba40..7596708c 100644
--- a/tools/PccsAdminTool/lib/intelsgx/pcs.py
+++ b/tools/PccsAdminTool/lib/intelsgx/pcs.py
@@ -39,7 +39,7 @@ if system() == 'Windows':
from lib.intelsgx.credential import Credentials
from requests.adapters import HTTPAdapter
from urllib3.util import Retry
-from pkg_resources import parse_version
+from packaging.version import Version as parse_version
certBegin= '-----BEGIN CERTIFICATE-----'
certEnd= '-----END CERTIFICATE-----'
diff --git a/tools/PccsAdminTool/requirements.txt b/tools/PccsAdminTool/requirements.txt
index 8a73667f..65f6bf50 100644
--- a/tools/PccsAdminTool/requirements.txt
+++ b/tools/PccsAdminTool/requirements.txt
@@ -1,8 +1,8 @@
asn1>=2.4.1
cryptography>=41.0.7
keyring>=23.0.0
+packaging>=14.0
pyOpenSSL>=23.2.0,<24.3.0
pypac>=0.14.0
Requests>=2.31.0
-setuptools>=65.5.1
urllib3>=1.26.18
--
2.52.0

44
0128-qgs-add-compat-for-boost-1.87-which-drops-asio-io_se.patch Normal file
View File

@ -0,0 +1,44 @@
From a3633a45f16aa80e9be8542ea8702ec32dbf93cd Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?= <berrange@redhat.com>
Date: Thu, 15 Jan 2026 11:23:35 +0000
Subject: [PATCH 128/136] qgs: add compat for boost 1.87 which drops
asio::io_service
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
From: Jonathan Wakely <jwakely@redhat.com>
The asio::io_service type was deprecated since 1.66 in 2017,
with asio::io_context being its drop-in replacement.
Release 1.87 finally dropped the back-compat support for
asio::io_service entirely.
To retain compat with old boost this change conditionally
re-adds the compat definition for asio::io_service.
Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
---
QuoteGeneration/quote_wrapper/qgs/qgs_server.h | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/QuoteGeneration/quote_wrapper/qgs/qgs_server.h b/QuoteGeneration/quote_wrapper/qgs/qgs_server.h
index f3f5b9f9..91eb41a4 100644
--- a/QuoteGeneration/quote_wrapper/qgs/qgs_server.h
+++ b/QuoteGeneration/quote_wrapper/qgs/qgs_server.h
@@ -36,6 +36,11 @@
#include <boost/asio.hpp>
#include <boost/scoped_ptr.hpp>
+#if BOOST_VERSION >= 108700
+// Asio no longer defines the deprecated io_service alias.
+namespace boost { namespace asio { using io_service = io_context; } }
+#endif
+
namespace intel { namespace sgx { namespace dcap { namespace qgs {
namespace asio = boost::asio;
--
2.52.0

36
0129-qgs-add-compat-for-boost-1.89-which-deprecated-deadl.patch Normal file
View File

@ -0,0 +1,36 @@
From 3c73dad4bdab6d3c29f58ca5ca34628c7ef952b0 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?= <berrange@redhat.com>
Date: Thu, 15 Jan 2026 12:48:19 +0000
Subject: [PATCH 129/136] qgs: add compat for boost 1.89 which deprecated
deadline_timer.hpp
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
The asio::deadline_timer was deprecated in 1.89 and as a result
the deadline_timer.hpp file is no longer implicitly included by
asio.hpp.
To retain compat with old and new boost the code must explicitly
include the deadline_timer.hpp
Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
---
QuoteGeneration/quote_wrapper/qgs/qgs_server.h | 1 +
1 file changed, 1 insertion(+)
diff --git a/QuoteGeneration/quote_wrapper/qgs/qgs_server.h b/QuoteGeneration/quote_wrapper/qgs/qgs_server.h
index 91eb41a4..b56b2633 100644
--- a/QuoteGeneration/quote_wrapper/qgs/qgs_server.h
+++ b/QuoteGeneration/quote_wrapper/qgs/qgs_server.h
@@ -34,6 +34,7 @@
#include <stdint.h>
#include <boost/asio.hpp>
+#include <boost/asio/deadline_timer.hpp>
#include <boost/scoped_ptr.hpp>
#if BOOST_VERSION >= 108700
--
2.52.0

46
0130-Bump-tar-fs-from-2.1.2-to-2.1.3-in-QuoteGeneration-p.patch Normal file
View File

@ -0,0 +1,46 @@
From 64ceff38879265a1844ae1410fa117b8e2745eed Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?= <berrange@redhat.com>
Date: Wed, 27 Aug 2025 08:50:27 -0400
Subject: [PATCH 130/136] Bump tar-fs from 2.1.2 to 2.1.3 in
/QuoteGeneration/pccs (#452)
From: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Bumps [tar-fs](https://github.com/mafintosh/tar-fs) from 2.1.2 to 2.1.3.
- [Commits](https://github.com/mafintosh/tar-fs/commits)
---
updated-dependencies:
- dependency-name: tar-fs
dependency-version: 2.1.3
dependency-type: indirect
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
(cherry picked from commit be740fc70414b27bbe94398fb77a3d0738569e75)
---
QuoteGeneration/pccs/package-lock.json | 7 ++++---
1 file changed, 4 insertions(+), 3 deletions(-)
diff --git a/QuoteGeneration/pccs/package-lock.json b/QuoteGeneration/pccs/package-lock.json
index 8eb75a13..d979ab1c 100644
--- a/QuoteGeneration/pccs/package-lock.json
+++ b/QuoteGeneration/pccs/package-lock.json
@@ -3437,9 +3437,10 @@
}
},
"node_modules/tar-fs": {
- "version": "2.1.2",
- "resolved": "https://registry.npmjs.org/tar-fs/-/tar-fs-2.1.2.tgz",
- "integrity": "sha512-EsaAXwxmx8UB7FRKqeozqEPop69DXcmYwTQwXvyAPF352HJsPdkVhvTaDPYqfNgruveJIJy3TA2l+2zj8LJIJA==",
+ "version": "2.1.3",
+ "resolved": "https://registry.npmjs.org/tar-fs/-/tar-fs-2.1.3.tgz",
+ "integrity": "sha512-090nwYJDmlhwFwEW3QQl+vaNnxsO2yVsd45eTKRBzSzu+hlb1w2K9inVq5b0ngXuLVqQ4ApvsUHHnu/zQNkWAg==",
+ "license": "MIT",
"dependencies": {
"chownr": "^1.1.1",
"mkdirp-classic": "^0.5.2",
--
2.52.0

102
0131-Bump-on-headers-and-morgan-in-QuoteGeneration-pccs-4.patch Normal file
View File

@ -0,0 +1,102 @@
From 3b4b10d4d979a6241309dd9eda790759f3f642ef Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?= <berrange@redhat.com>
Date: Wed, 27 Aug 2025 08:51:38 -0400
Subject: [PATCH 131/136] Bump on-headers and morgan in /QuoteGeneration/pccs
(#455)
From: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Bumps [on-headers](https://github.com/jshttp/on-headers) to 1.1.0 and updates ancestor dependency [morgan](https://github.com/expressjs/morgan). These dependencies need to be updated together.
Updates `on-headers` from 1.0.2 to 1.1.0
- [Release notes](https://github.com/jshttp/on-headers/releases)
- [Changelog](https://github.com/jshttp/on-headers/blob/master/HISTORY.md)
- [Commits](https://github.com/jshttp/on-headers/compare/v1.0.2...v1.1.0)
Updates `morgan` from 1.10.0 to 1.10.1
- [Release notes](https://github.com/expressjs/morgan/releases)
- [Changelog](https://github.com/expressjs/morgan/blob/master/HISTORY.md)
- [Commits](https://github.com/expressjs/morgan/compare/1.10.0...1.10.1)
---
updated-dependencies:
- dependency-name: on-headers
dependency-version: 1.1.0
dependency-type: indirect
- dependency-name: morgan
dependency-version: 1.10.1
dependency-type: direct:production
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
(cherry picked from commit e195a67362971db869b7f9fa8a16b5d688e797b8)
---
QuoteGeneration/pccs/package-lock.json | 18 ++++++++++--------
QuoteGeneration/pccs/package.json | 2 +-
2 files changed, 11 insertions(+), 9 deletions(-)
diff --git a/QuoteGeneration/pccs/package-lock.json b/QuoteGeneration/pccs/package-lock.json
index d979ab1c..7dfcb6be 100644
--- a/QuoteGeneration/pccs/package-lock.json
+++ b/QuoteGeneration/pccs/package-lock.json
@@ -18,7 +18,7 @@
"express": "^4.21.2",
"ffi-rs": "^1.0.64",
"got": "^11.8.6",
- "morgan": "^1.10.0",
+ "morgan": "^1.10.1",
"mysql2": "^3.10.1",
"node-schedule": "^2.1.1",
"sequelize": "^6.37.3",
@@ -2376,15 +2376,16 @@
}
},
"node_modules/morgan": {
- "version": "1.10.0",
- "resolved": "https://registry.npmjs.org/morgan/-/morgan-1.10.0.tgz",
- "integrity": "sha512-AbegBVI4sh6El+1gNwvD5YIck7nSA36weD7xvIxG4in80j/UoK8AEGaWnnz8v1GxonMCltmlNs5ZKbGvl9b1XQ==",
+ "version": "1.10.1",
+ "resolved": "https://registry.npmjs.org/morgan/-/morgan-1.10.1.tgz",
+ "integrity": "sha512-223dMRJtI/l25dJKWpgij2cMtywuG/WiUKXdvwfbhGKBhy1puASqXwFzmWZ7+K73vUPoR7SS2Qz2cI/g9MKw0A==",
+ "license": "MIT",
"dependencies": {
"basic-auth": "~2.0.1",
"debug": "2.6.9",
"depd": "~2.0.0",
"on-finished": "~2.3.0",
- "on-headers": "~1.0.2"
+ "on-headers": "~1.1.0"
},
"engines": {
"node": ">= 0.8.0"
@@ -2607,9 +2608,10 @@
}
},
"node_modules/on-headers": {
- "version": "1.0.2",
- "resolved": "https://registry.npmjs.org/on-headers/-/on-headers-1.0.2.tgz",
- "integrity": "sha512-pZAE+FJLoyITytdqK0U5s+FIpjN0JP3OzFi/u8Rx+EV5/W+JTWGXG8xFzevE7AjBfDqHv/8vL8qQsIhHnqRkrA==",
+ "version": "1.1.0",
+ "resolved": "https://registry.npmjs.org/on-headers/-/on-headers-1.1.0.tgz",
+ "integrity": "sha512-737ZY3yNnXy37FHkQxPzt4UZ2UWPWiCZWLvFZ4fu5cueciegX0zGPnrlY6bwRg4FdQOe9YU8MkmJwGhoMybl8A==",
+ "license": "MIT",
"engines": {
"node": ">= 0.8"
}
diff --git a/QuoteGeneration/pccs/package.json b/QuoteGeneration/pccs/package.json
index ea6d29a9..7c498083 100644
--- a/QuoteGeneration/pccs/package.json
+++ b/QuoteGeneration/pccs/package.json
@@ -14,7 +14,7 @@
"express": "^4.21.2",
"ffi-rs": "^1.0.64",
"got": "^11.8.6",
- "morgan": "^1.10.0",
+ "morgan": "^1.10.1",
"mysql2": "^3.10.1",
"node-schedule": "^2.1.1",
"sequelize": "^6.37.3",
--
2.52.0

47
0132-Bump-brace-expansion-from-1.1.11-to-1.1.12-in-QuoteG.patch Normal file
View File

@ -0,0 +1,47 @@
From 39c83bdcf585187cb41c4698b0b2a24679ce3af2 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?= <berrange@redhat.com>
Date: Wed, 27 Aug 2025 08:52:37 -0400
Subject: [PATCH 132/136] Bump brace-expansion from 1.1.11 to 1.1.12 in
/QuoteGeneration/pccs (#459)
From: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Bumps [brace-expansion](https://github.com/juliangruber/brace-expansion) from 1.1.11 to 1.1.12.
- [Release notes](https://github.com/juliangruber/brace-expansion/releases)
- [Commits](https://github.com/juliangruber/brace-expansion/compare/1.1.11...v1.1.12)
---
updated-dependencies:
- dependency-name: brace-expansion
dependency-version: 1.1.12
dependency-type: indirect
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
(cherry picked from commit a46ee8ab10569962c5cd7397b4babd4a47431976)
---
QuoteGeneration/pccs/package-lock.json | 7 ++++---
1 file changed, 4 insertions(+), 3 deletions(-)
diff --git a/QuoteGeneration/pccs/package-lock.json b/QuoteGeneration/pccs/package-lock.json
index 7dfcb6be..c946788f 100644
--- a/QuoteGeneration/pccs/package-lock.json
+++ b/QuoteGeneration/pccs/package-lock.json
@@ -750,9 +750,10 @@
}
},
"node_modules/brace-expansion": {
- "version": "1.1.11",
- "resolved": "https://registry.npmjs.org/brace-expansion/-/brace-expansion-1.1.11.tgz",
- "integrity": "sha512-iCuPHDFgrHX7H2vEI/5xpz07zSHB00TpugqhmYtVmMO6518mCuRMoOYFldEBl0g187ufozdaHgWKcYFb61qGiA==",
+ "version": "1.1.12",
+ "resolved": "https://registry.npmjs.org/brace-expansion/-/brace-expansion-1.1.12.tgz",
+ "integrity": "sha512-9T9UjW3r0UW5c1Q7GTwllptXwhvYmEzFhzMfZ9H7FQWt+uZePjZPjBP/W1ZEyZ1twGWom5/56TF4lPcqjnDHcg==",
+ "license": "MIT",
"optional": true,
"dependencies": {
"balanced-match": "^1.0.0",
--
2.52.0

45
0133-Bump-tar-fs-from-2.1.3-to-2.1.4-in-QuoteGeneration-p.patch Normal file
View File

@ -0,0 +1,45 @@
From d91e8d59ccf4c15ebfa4e4760839f41e19107c04 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?= <berrange@redhat.com>
Date: Tue, 7 Oct 2025 09:14:30 -0400
Subject: [PATCH 133/136] Bump tar-fs from 2.1.3 to 2.1.4 in
/QuoteGeneration/pccs (#463)
From: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Bumps [tar-fs](https://github.com/mafintosh/tar-fs) from 2.1.3 to 2.1.4.
- [Commits](https://github.com/mafintosh/tar-fs/compare/v2.1.3...v2.1.4)
---
updated-dependencies:
- dependency-name: tar-fs
dependency-version: 2.1.4
dependency-type: indirect
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
(cherry picked from commit 66726e154c6d9e6ffeea3d3035241805cb82bfed)
---
QuoteGeneration/pccs/package-lock.json | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/QuoteGeneration/pccs/package-lock.json b/QuoteGeneration/pccs/package-lock.json
index c946788f..e383c219 100644
--- a/QuoteGeneration/pccs/package-lock.json
+++ b/QuoteGeneration/pccs/package-lock.json
@@ -3440,9 +3440,9 @@
}
},
"node_modules/tar-fs": {
- "version": "2.1.3",
- "resolved": "https://registry.npmjs.org/tar-fs/-/tar-fs-2.1.3.tgz",
- "integrity": "sha512-090nwYJDmlhwFwEW3QQl+vaNnxsO2yVsd45eTKRBzSzu+hlb1w2K9inVq5b0ngXuLVqQ4ApvsUHHnu/zQNkWAg==",
+ "version": "2.1.4",
+ "resolved": "https://registry.npmjs.org/tar-fs/-/tar-fs-2.1.4.tgz",
+ "integrity": "sha512-mDAjwmZdh7LTT6pNleZ05Yt65HC3E+NiQzl672vQG38jIrehtJk/J3mNwIg+vShQPcLF/LV7CMnDW6vjj6sfYQ==",
"license": "MIT",
"dependencies": {
"chownr": "^1.1.1",
--
2.52.0

4122
0134-PCCS-dependencies-updated-to-latest-minor.patch Normal file
View File

File diff suppressed because it is too large Load Diff

217
0135-pccs-force-override-tar-module-to-7.0.0-series.patch Normal file
View File

@ -0,0 +1,217 @@
From 416a5f3338e4f3709eb647d56a78a6e22724a284 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?= <berrange@redhat.com>
Date: Thu, 29 Jan 2026 16:09:15 +0000
Subject: [PATCH 135/136] pccs: force override "tar" module to 7.0.0 series
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
The 6.x series is vulnerable to multiple flaws, however, it is a
depedency of sqlite3. The latter has not been updated in several
years. The new tar 7.x series appears largely back-compatible
despite the major version change, so can override it to force
the new release.
The 'npm audit fix' command was run to update pacakge-lock.json
with new deps for tar 7.x and eliminate other outdated/vunlerable
deps.
Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
---
QuoteGeneration/pccs/package-lock.json | 97 ++++++++++++++++++++------
QuoteGeneration/pccs/package.json | 3 +
2 files changed, 79 insertions(+), 21 deletions(-)
diff --git a/QuoteGeneration/pccs/package-lock.json b/QuoteGeneration/pccs/package-lock.json
index e01fde2f..7536872b 100644
--- a/QuoteGeneration/pccs/package-lock.json
+++ b/QuoteGeneration/pccs/package-lock.json
@@ -79,6 +79,27 @@
"license": "MIT",
"optional": true
},
+ "node_modules/@isaacs/fs-minipass": {
+ "version": "4.0.1",
+ "resolved": "https://registry.npmjs.org/@isaacs/fs-minipass/-/fs-minipass-4.0.1.tgz",
+ "integrity": "sha512-wgm9Ehl2jpeqP3zw/7mo3kRHFp5MEDhqAdwy1fTGkHAwnkGOVsgpvQhL8B5n1qlb01jV3n/bI0ZfZp5lWA1k4w==",
+ "license": "ISC",
+ "dependencies": {
+ "minipass": "^7.0.4"
+ },
+ "engines": {
+ "node": ">=18.0.0"
+ }
+ },
+ "node_modules/@isaacs/fs-minipass/node_modules/minipass": {
+ "version": "7.1.2",
+ "resolved": "https://registry.npmjs.org/minipass/-/minipass-7.1.2.tgz",
+ "integrity": "sha512-qOOzS1cBTWYF4BH8fVePDBOO9iptMnGUEZwNc/cMWnTV2nVLZ7VoNWEPHkYczZA0pdoA7dl6e7FL659nX9S2aw==",
+ "license": "ISC",
+ "engines": {
+ "node": ">=16 || 14 >=14.17"
+ }
+ },
"node_modules/@nodelib/fs.scandir": {
"version": "2.1.5",
"resolved": "https://registry.npmjs.org/@nodelib/fs.scandir/-/fs.scandir-2.1.5.tgz",
@@ -1011,6 +1032,7 @@
"resolved": "https://registry.npmjs.org/chownr/-/chownr-2.0.0.tgz",
"integrity": "sha512-bIomtDF5KGpdogkLd9VspvFzk9KfpyyGlS8YFVZl7TGPBHL5snIOnxeshwVgPteQ9b4Eydl+pVbIyE1DcvCWgQ==",
"license": "ISC",
+ "optional": true,
"engines": {
"node": ">=10"
}
@@ -1664,6 +1686,7 @@
"resolved": "https://registry.npmjs.org/fs-minipass/-/fs-minipass-2.1.0.tgz",
"integrity": "sha512-V/JgOLFCS+R6Vcq0slCuaeWEdNC3ouDlJMNIsacH2VtALiu9mV4LPrHc5cDl8k5aw6J8jwgWWpiTo5RYhmIzvg==",
"license": "ISC",
+ "optional": true,
"dependencies": {
"minipass": "^3.0.0"
},
@@ -2340,9 +2363,9 @@
"license": "MIT"
},
"node_modules/lodash": {
- "version": "4.17.21",
- "resolved": "https://registry.npmjs.org/lodash/-/lodash-4.17.21.tgz",
- "integrity": "sha512-v2kDEe57lecTulaDIuNTPy3Ry4gLGJ6Z1O3vE1krgXZNrsQ+LFTGHVxVjcXPs17LhbZVGedAJv8XZ1tvj5FvSg==",
+ "version": "4.17.23",
+ "resolved": "https://registry.npmjs.org/lodash/-/lodash-4.17.23.tgz",
+ "integrity": "sha512-LgVTMpQtIopCi79SJeDiP0TfWi5CNEc/L/aRdTh3yIvmZXTnheWpKjSZhnvMl8iXbC1tFg9gdHHDMLoV7CnG+w==",
"license": "MIT"
},
"node_modules/logform": {
@@ -2580,6 +2603,7 @@
"resolved": "https://registry.npmjs.org/minipass/-/minipass-3.3.6.tgz",
"integrity": "sha512-DxiNidxSEK+tHG6zOIklvNOwm3hvCrbUrdtzY74U6HKTJxvIDfOUL5W5P2Ghd3DTkhhKPYGqeNUIh5qcM4YBfw==",
"license": "ISC",
+ "optional": true,
"dependencies": {
"yallist": "^4.0.0"
},
@@ -2662,6 +2686,7 @@
"resolved": "https://registry.npmjs.org/minizlib/-/minizlib-2.1.2.tgz",
"integrity": "sha512-bAxsR8BVfj60DWXHE3u30oHzfl4G7khkSuPW+qvpd7jFRHm7dLxOjUk1EHACJ/hxLY8phGJ0YhYHZo7jil7Qdg==",
"license": "MIT",
+ "optional": true,
"dependencies": {
"minipass": "^3.0.0",
"yallist": "^4.0.0"
@@ -2675,6 +2700,7 @@
"resolved": "https://registry.npmjs.org/mkdirp/-/mkdirp-1.0.4.tgz",
"integrity": "sha512-vVqVZQyf3WLx2Shd0qJ9xuvqgAyKPLAiqITEtqW0oIUjzo3PePDd6fW9iFz30ef7Ysp/oiWqbhszeGWW2T6Gzw==",
"license": "MIT",
+ "optional": true,
"bin": {
"mkdirp": "bin/cmd.js"
},
@@ -3175,9 +3201,9 @@
}
},
"node_modules/qs": {
- "version": "6.14.0",
- "resolved": "https://registry.npmjs.org/qs/-/qs-6.14.0.tgz",
- "integrity": "sha512-YWWTjgABSKcvs/nWBi9PycY/JiPJqOD4JA6o9Sej2AtvSGarXxKC3OQSk4pAarbdQlKAh5D4FCQkJNkW+GAn3w==",
+ "version": "6.14.1",
+ "resolved": "https://registry.npmjs.org/qs/-/qs-6.14.1.tgz",
+ "integrity": "sha512-4EK3+xJl8Ts67nLYNwqw/dsFVnCf+qR7RgXSK9jEEm9unao3njwMDdmsdvoKBKHzxd7tCYz5e5M+SnMjdtXGQQ==",
"license": "BSD-3-Clause",
"dependencies": {
"side-channel": "^1.1.0"
@@ -4050,20 +4076,19 @@
}
},
"node_modules/tar": {
- "version": "6.2.1",
- "resolved": "https://registry.npmjs.org/tar/-/tar-6.2.1.tgz",
- "integrity": "sha512-DZ4yORTwrbTj/7MZYq2w+/ZFdI6OZ/f9SFHR+71gIVUZhOQPHzVCLpvRnPgyaMpfWxxk/4ONva3GQSyNIKRv6A==",
- "license": "ISC",
+ "version": "7.5.7",
+ "resolved": "https://registry.npmjs.org/tar/-/tar-7.5.7.tgz",
+ "integrity": "sha512-fov56fJiRuThVFXD6o6/Q354S7pnWMJIVlDBYijsTNx6jKSE4pvrDTs6lUnmGvNyfJwFQQwWy3owKz1ucIhveQ==",
+ "license": "BlueOak-1.0.0",
"dependencies": {
- "chownr": "^2.0.0",
- "fs-minipass": "^2.0.0",
- "minipass": "^5.0.0",
- "minizlib": "^2.1.1",
- "mkdirp": "^1.0.3",
- "yallist": "^4.0.0"
+ "@isaacs/fs-minipass": "^4.0.0",
+ "chownr": "^3.0.0",
+ "minipass": "^7.1.2",
+ "minizlib": "^3.1.0",
+ "yallist": "^5.0.0"
},
"engines": {
- "node": ">=10"
+ "node": ">=18"
}
},
"node_modules/tar-fs": {
@@ -4100,13 +4125,43 @@
"node": ">=6"
}
},
+ "node_modules/tar/node_modules/chownr": {
+ "version": "3.0.0",
+ "resolved": "https://registry.npmjs.org/chownr/-/chownr-3.0.0.tgz",
+ "integrity": "sha512-+IxzY9BZOQd/XuYPRmrvEVjF/nqj5kgT4kEq7VofrDoM1MxoRjEWkrCC3EtLi59TVawxTAn+orJwFQcrqEN1+g==",
+ "license": "BlueOak-1.0.0",
+ "engines": {
+ "node": ">=18"
+ }
+ },
"node_modules/tar/node_modules/minipass": {
- "version": "5.0.0",
- "resolved": "https://registry.npmjs.org/minipass/-/minipass-5.0.0.tgz",
- "integrity": "sha512-3FnjYuehv9k6ovOEbyOswadCDPX1piCfhV8ncmYtHOjuPwylVWsghTLo7rabjC3Rx5xD4HDx8Wm1xnMF7S5qFQ==",
+ "version": "7.1.2",
+ "resolved": "https://registry.npmjs.org/minipass/-/minipass-7.1.2.tgz",
+ "integrity": "sha512-qOOzS1cBTWYF4BH8fVePDBOO9iptMnGUEZwNc/cMWnTV2nVLZ7VoNWEPHkYczZA0pdoA7dl6e7FL659nX9S2aw==",
"license": "ISC",
"engines": {
- "node": ">=8"
+ "node": ">=16 || 14 >=14.17"
+ }
+ },
+ "node_modules/tar/node_modules/minizlib": {
+ "version": "3.1.0",
+ "resolved": "https://registry.npmjs.org/minizlib/-/minizlib-3.1.0.tgz",
+ "integrity": "sha512-KZxYo1BUkWD2TVFLr0MQoM8vUUigWD3LlD83a/75BqC+4qE0Hb1Vo5v1FgcfaNXvfXzr+5EhQ6ing/CaBijTlw==",
+ "license": "MIT",
+ "dependencies": {
+ "minipass": "^7.1.2"
+ },
+ "engines": {
+ "node": ">= 18"
+ }
+ },
+ "node_modules/tar/node_modules/yallist": {
+ "version": "5.0.0",
+ "resolved": "https://registry.npmjs.org/yallist/-/yallist-5.0.0.tgz",
+ "integrity": "sha512-YgvUTfwqyc7UXVMrB+SImsVYSmTS8X/tSrtdNZMImM+n7+QTriRXyXim0mBrTXNeqzVF0KWGgHPeiyViFFrNDw==",
+ "license": "BlueOak-1.0.0",
+ "engines": {
+ "node": ">=18"
}
},
"node_modules/text-hex": {
diff --git a/QuoteGeneration/pccs/package.json b/QuoteGeneration/pccs/package.json
index 6d0569f4..e5b470be 100644
--- a/QuoteGeneration/pccs/package.json
+++ b/QuoteGeneration/pccs/package.json
@@ -30,5 +30,8 @@
"test": "NODE_ENV=test mocha ../../../unittests/psw/pccs_ut/test.js --timeout 120000 --exit",
"offline": "NODE_ENV=test_offline mocha ../../../unittests/psw/pccs_ut/test_offline.js --timeout 120000 --exit",
"req": "NODE_ENV=test_req mocha ../../../unittests/psw/pccs_ut/test_req.js --timeout 120000 --exit"
+ },
+ "overrides": {
+ "tar": "^7.0.0"
}
}
--
2.52.0

30
0136-pccsadmin-fix-name-of-input-file-for-cache-command-i.patch Normal file
View File

@ -0,0 +1,30 @@
From 911260b974b5fdbb44e81c95d47bd447a09c4d3d Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?= <berrange@redhat.com>
Date: Wed, 4 Feb 2026 15:07:30 +0000
Subject: [PATCH 136/136] pccsadmin: fix name of input file for 'cache' command
in help text
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
---
tools/PccsAdminTool/pccsadmin.py | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/tools/PccsAdminTool/pccsadmin.py b/tools/PccsAdminTool/pccsadmin.py
index dc5253bb..4d6b6c7b 100755
--- a/tools/PccsAdminTool/pccsadmin.py
+++ b/tools/PccsAdminTool/pccsadmin.py
@@ -79,7 +79,7 @@ def main():
parser_cache = subparsers.add_parser('cache')
# add optional arguments for cache
parser_cache.add_argument("-u", "--url", help="The URL of the Intel PCS service; default: https://api.trustedservices.intel.com/sgx/certification/v4/")
- parser_cache.add_argument("-i", "--input_file", help="The input file name for platform list; default: platform_list.csv")
+ parser_cache.add_argument("-i", "--input_file", help="The input file name for platform list; default: platform_list.json")
parser_cache.add_argument("-o", "--output_dir", help="The destination directory for storing the generated cache files")
parser_cache.add_argument("-s", "--sub_dir", help="Store output cache files in subdirectories named according to QE ID or Platform ID", action="store_true")
parser_cache.add_argument("-e", "--expire", type=Utils.check_expire_hours, help="How many hours the cache files will be valid for. Default is 2160 hours (90 days).")
--
2.52.0

24
0200-Enable-pointing-sgxssl-build-to-alternative-glibc-he.patch
View File

@ -1,7 +1,7 @@
From aaf1277c7c0aa37d387e8a7983da607498335757 Mon Sep 17 00:00:00 2001
From 89d2bacc8b67eca8decae7b7508080582fc2c60d Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?= <berrange@redhat.com>
Date: Thu, 29 Aug 2024 12:23:30 +0100
Subject: [PATCH 200/201] Enable pointing sgxssl build to alternative glibc
Subject: [PATCH 200/203] Enable pointing sgxssl build to alternative glibc
headers
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
@ -20,10 +20,10 @@ Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
2 files changed, 8 insertions(+), 2 deletions(-)
diff --git a/Linux/build_openssl.sh b/Linux/build_openssl.sh
index cd76872..f1c39b6 100755
index 0a99917..4e4a81e 100755
--- a/Linux/build_openssl.sh
+++ b/Linux/build_openssl.sh
@@ -83,6 +83,7 @@ fi
@@ -89,6 +89,7 @@ fi
# Mitigation flags
MITIGATION_OPT=""
MITIGATION_FLAGS=""
@ -31,7 +31,7 @@ index cd76872..f1c39b6 100755
CC_VERSION=`gcc -dumpversion`
CC_VERSION_MAJOR=`echo "$CC_VERSION" | cut -f1 -d.`
for arg in "$@"
@@ -123,6 +124,10 @@ do
@@ -129,6 +130,10 @@ do
MITIGATION_FLAGS+=" $arg"
shift
;;
@ -42,7 +42,7 @@ index cd76872..f1c39b6 100755
*)
# Unknown option
shift
@@ -131,6 +136,7 @@ do
@@ -137,6 +142,7 @@ do
done
echo $MITIGATION_OPT
echo $MITIGATION_FLAGS
@ -50,20 +50,20 @@ index cd76872..f1c39b6 100755
echo $SPACE_OPT
sed -i -- 's/OPENSSL_issetugid/OPENSSLd_issetugid/g' $OPENSSL_VERSION/crypto/uid.c || exit 1
@@ -139,7 +145,7 @@ cp sgx_config.conf $OPENSSL_VERSION/ || exit 1
@@ -145,7 +151,7 @@ cp sgx_config.conf $OPENSSL_VERSION/ || exit 1
cp x86_64-xlate.pl $OPENSSL_VERSION/crypto/perlasm/ || exit 1
cd $SGXSSL_ROOT/../openssl_source/$OPENSSL_VERSION || exit 1
-perl Configure --config=sgx_config.conf sgx-linux-x86_64 --with-rand-seed=none $ADDITIONAL_CONF $SPACE_OPT $MITIGATION_FLAGS no-idea no-mdc2 no-rc5 no-rc4 no-bf no-ec2m no-camellia no-cast no-srp no-async no-padlockeng no-dso no-shared no-ssl3 no-md2 no-md4 no-ui-console no-stdio no-afalgeng -D_FORTIFY_SOURCE=2 -DGETPID_IS_MEANINGLESS -include$SGXSSL_ROOT/../openssl_source/bypass_to_sgxssl.h || exit 1
+perl Configure --config=sgx_config.conf sgx-linux-x86_64 --with-rand-seed=none $ADDITIONAL_CONF $SPACE_OPT $MITIGATION_FLAGS $ENCLAVE_CFLAGS no-idea no-mdc2 no-rc5 no-rc4 no-bf no-ec2m no-camellia no-cast no-srp no-async no-padlockeng no-dso no-shared no-ssl3 no-md2 no-md4 no-ui-console no-stdio no-afalgeng -D_FORTIFY_SOURCE=2 -DGETPID_IS_MEANINGLESS -include$SGXSSL_ROOT/../openssl_source/bypass_to_sgxssl.h || exit 1
-perl Configure --config=sgx_config.conf sgx-linux-x86_64 --with-rand-seed=none $ADDITIONAL_CONF $SPACE_OPT $MITIGATION_FLAGS no-idea no-mdc2 no-rc5 no-rc4 no-bf no-ec2m no-camellia no-cast no-srp no-async no-padlockeng no-dso no-shared no-ssl3 no-md2 no-md4 no-ui-console no-stdio no-afalgeng -D_FORTIFY_SOURCE=2 -DGETPID_IS_MEANINGLESS -DOPENSSL_NO_POSIX_IO -include$SGXSSL_ROOT/../openssl_source/bypass_to_sgxssl.h || exit 1
+perl Configure --config=sgx_config.conf sgx-linux-x86_64 --with-rand-seed=none $ADDITIONAL_CONF $SPACE_OPT $MITIGATION_FLAGS $ENCLAVE_CFLAGS no-idea no-mdc2 no-rc5 no-rc4 no-bf no-ec2m no-camellia no-cast no-srp no-async no-padlockeng no-dso no-shared no-ssl3 no-md2 no-md4 no-ui-console no-stdio no-afalgeng -D_FORTIFY_SOURCE=2 -DGETPID_IS_MEANINGLESS -DOPENSSL_NO_POSIX_IO -include$SGXSSL_ROOT/../openssl_source/bypass_to_sgxssl.h || exit 1
sed -i 's/ENGINE_set_default_RAND/dummy_ENGINE_set_default_RAND/' crypto/engine/tb_rand.c || exit 1
sed -i 's/return RUN_ONCE(&locale_base, ossl_init_locale_base);/return 1;/' crypto/ctype.c || exit 1
diff --git a/Linux/sgx/Makefile b/Linux/sgx/Makefile
index d08eff7..6555d28 100644
index e4f3f92..ec1a0c3 100644
--- a/Linux/sgx/Makefile
+++ b/Linux/sgx/Makefile
@@ -76,7 +76,7 @@ endif
@@ -85,7 +85,7 @@ endif
endif
$(PACKAGE_LIB)/$(OPENSSL_LIB):
@ -73,5 +73,5 @@ index d08eff7..6555d28 100644
clean:
$(MAKE) -C $(TRUSTED_LIB_DIR) clean
--
2.46.0
2.49.0

10
0201-Workaround-missing-output-directory.patch
View File

@ -1,7 +1,7 @@
From 63f4368171ee5bf78f956c429c37d43618a881e7 Mon Sep 17 00:00:00 2001
From d823d7a67291d51d8b3c57c36f059e1d1d84c2e6 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?= <berrange@redhat.com>
Date: Thu, 29 Aug 2024 12:50:32 +0100
Subject: [PATCH 201/201] Workaround missing output directory
Subject: [PATCH 201/203] Workaround missing output directory
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
@ -16,10 +16,10 @@ Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
1 file changed, 1 insertion(+)
diff --git a/Linux/build_openssl.sh b/Linux/build_openssl.sh
index f1c39b6..f2cf0b1 100755
index 4e4a81e..d0518e5 100755
--- a/Linux/build_openssl.sh
+++ b/Linux/build_openssl.sh
@@ -168,6 +168,7 @@ fi
@@ -174,6 +174,7 @@ fi
make libcrypto.a || exit 1
cp libcrypto.a $SGXSSL_ROOT/package/lib64/$OUTPUT_LIB || exit 1
objcopy --rename-section .init=Q6A8dc14f40efc4288a03b32cba4e $SGXSSL_ROOT/package/lib64/$OUTPUT_LIB || exit 1
@ -28,5 +28,5 @@ index f1c39b6..f2cf0b1 100755
grep OPENSSL_VERSION_STR include/openssl/opensslv.h > $SGXSSL_ROOT/sgx/osslverstr.h || exit 1
cp -r include/crypto $SGXSSL_ROOT/sgx/test_app/enclave/ || exit 1
--
2.46.0
2.49.0

10
0202-Disable-various-EC-crypto-features.patch
View File

@ -1,4 +1,4 @@
From 6cf74b032bc9f120a7c4924a0394d22f6ed4767b Mon Sep 17 00:00:00 2001
From 3aea585cfbe4691fea3c584981e36ee06d945bf4 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?= <berrange@redhat.com>
Date: Fri, 1 Mar 2024 13:24:26 +0000
Subject: [PATCH 202/203] Disable various EC crypto features
@ -20,12 +20,12 @@ Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
create mode 100644 openssl_source/0012-Disable-explicit-ec.patch
diff --git a/Linux/build_openssl.sh b/Linux/build_openssl.sh
index f2cf0b1..7470479 100755
index d0518e5..cf8394b 100755
--- a/Linux/build_openssl.sh
+++ b/Linux/build_openssl.sh
@@ -55,6 +55,17 @@ cd $SGXSSL_ROOT/../openssl_source || exit 1
@@ -54,6 +54,17 @@ cd $SGXSSL_ROOT/../openssl_source || exit 1
rm -rf $OPENSSL_VERSION
tar xvf $OPENSSL_VERSION.tar.gz || exit 1
tar xvf $OPENSSL_VERSION.tar.gz > /dev/null || exit 1
+# Disable forbidden EC
+(
@ -1631,5 +1631,5 @@ index 0000000..0cae2fa
+
+ err:
--
2.46.0
2.49.0

37
0203-Disable-sm2-and-sm4-crypto-algorithms.patch
View File

@ -1,4 +1,4 @@
From f429bf3ffd992c678f7d1a041f6a6b5df9a4b6fb Mon Sep 17 00:00:00 2001
From 1c3da2baf4cc84aecd2f6610777d28ac69a47039 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?= <berrange@redhat.com>
Date: Fri, 1 Mar 2024 13:25:14 +0000
Subject: [PATCH 203/203] Disable sm2 and sm4 crypto algorithms
@ -11,45 +11,45 @@ Policy copied from Fedora 39 openssl package
Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
---
Linux/build_openssl.sh | 2 +-
Linux/sgx/test_app/enclave/TestEnclave.cpp | 5 ++++-
Linux/sgx/test_app/enclave/TestEnclave.cpp | 4 ++++
Linux/sgx/test_app/enclave/TestEnclave.h | 4 ++++
Linux/sgx/test_app/enclave/tests/evp_smx.c | 4 ++++
4 files changed, 13 insertions(+), 2 deletions(-)
4 files changed, 13 insertions(+), 1 deletion(-)
diff --git a/Linux/build_openssl.sh b/Linux/build_openssl.sh
index 7470479..e214ccb 100755
index cf8394b..fea2232 100755
--- a/Linux/build_openssl.sh
+++ b/Linux/build_openssl.sh
@@ -156,7 +156,7 @@ cp sgx_config.conf $OPENSSL_VERSION/ || exit 1
@@ -162,7 +162,7 @@ cp sgx_config.conf $OPENSSL_VERSION/ || exit 1
cp x86_64-xlate.pl $OPENSSL_VERSION/crypto/perlasm/ || exit 1
cd $SGXSSL_ROOT/../openssl_source/$OPENSSL_VERSION || exit 1
-perl Configure --config=sgx_config.conf sgx-linux-x86_64 --with-rand-seed=none $ADDITIONAL_CONF $SPACE_OPT $MITIGATION_FLAGS $ENCLAVE_CFLAGS no-idea no-mdc2 no-rc5 no-rc4 no-bf no-ec2m no-camellia no-cast no-srp no-async no-padlockeng no-dso no-shared no-ssl3 no-md2 no-md4 no-ui-console no-stdio no-afalgeng -D_FORTIFY_SOURCE=2 -DGETPID_IS_MEANINGLESS -include$SGXSSL_ROOT/../openssl_source/bypass_to_sgxssl.h || exit 1
+perl Configure --config=sgx_config.conf sgx-linux-x86_64 --with-rand-seed=none $ADDITIONAL_CONF $SPACE_OPT $MITIGATION_FLAGS $ENCLAVE_CFLAGS no-idea no-mdc2 no-rc5 no-rc4 no-bf no-ec2m no-camellia no-cast no-srp no-async no-padlockeng no-dso no-shared no-ssl3 no-md2 no-md4 no-sm2 no-sm4 no-ui-console no-stdio no-afalgeng -D_FORTIFY_SOURCE=2 -DGETPID_IS_MEANINGLESS -include$SGXSSL_ROOT/../openssl_source/bypass_to_sgxssl.h || exit 1
-perl Configure --config=sgx_config.conf sgx-linux-x86_64 --with-rand-seed=none $ADDITIONAL_CONF $SPACE_OPT $MITIGATION_FLAGS $ENCLAVE_CFLAGS no-idea no-mdc2 no-rc5 no-rc4 no-bf no-ec2m no-camellia no-cast no-srp no-async no-padlockeng no-dso no-shared no-ssl3 no-md2 no-md4 no-ui-console no-stdio no-afalgeng -D_FORTIFY_SOURCE=2 -DGETPID_IS_MEANINGLESS -DOPENSSL_NO_POSIX_IO -include$SGXSSL_ROOT/../openssl_source/bypass_to_sgxssl.h || exit 1
+perl Configure --config=sgx_config.conf sgx-linux-x86_64 --with-rand-seed=none $ADDITIONAL_CONF $SPACE_OPT $MITIGATION_FLAGS $ENCLAVE_CFLAGS no-idea no-mdc2 no-rc5 no-rc4 no-bf no-ec2m no-camellia no-cast no-srp no-async no-padlockeng no-dso no-shared no-ssl3 no-md2 no-md4 no-sm2 no-sm4 no-ui-console no-stdio no-afalgeng -D_FORTIFY_SOURCE=2 -DGETPID_IS_MEANINGLESS -DOPENSSL_NO_POSIX_IO -include$SGXSSL_ROOT/../openssl_source/bypass_to_sgxssl.h || exit 1
sed -i 's/ENGINE_set_default_RAND/dummy_ENGINE_set_default_RAND/' crypto/engine/tb_rand.c || exit 1
sed -i 's/return RUN_ONCE(&locale_base, ossl_init_locale_base);/return 1;/' crypto/ctype.c || exit 1
diff --git a/Linux/sgx/test_app/enclave/TestEnclave.cpp b/Linux/sgx/test_app/enclave/TestEnclave.cpp
index dac620a..b219e74 100644
index 7b21dd2..65330d5 100644
--- a/Linux/sgx/test_app/enclave/TestEnclave.cpp
+++ b/Linux/sgx/test_app/enclave/TestEnclave.cpp
@@ -413,6 +413,7 @@ void t_sgxssl_call_apis()
@@ -469,6 +469,7 @@ void t_sgxssl_call_apis()
}
printf("test threads_test completed\n");
#ifndef SGXSSL_FIPS
+#if 0
//GM SM2 - sign and verify
ret = ecall_sm2_sign_verify();
if (ret != 0)
@@ -430,6 +431,7 @@ void t_sgxssl_call_apis()
exit(ret);
@@ -486,6 +487,7 @@ void t_sgxssl_call_apis()
goto end;
}
printf("test evp_sm2_encrypt_decrypt completed\n");
+#endif
//GM SM3 - compute digest of message
ret = ecall_sm3();
@@ -440,6 +442,7 @@ void t_sgxssl_call_apis()
@@ -496,6 +498,7 @@ void t_sgxssl_call_apis()
}
printf("test evp_sm3 completed\n");
@ -57,13 +57,14 @@ index dac620a..b219e74 100644
//GM SM4 - cbc encrypt and decrypt
ret = ecall_sm4_cbc();
if (ret != 0)
@@ -457,5 +460,5 @@ void t_sgxssl_call_apis()
exit(ret);
@@ -513,6 +516,7 @@ void t_sgxssl_call_apis()
goto end;
}
printf("test evp_sm4_ctr completed\n");
-
+#endif
}
#endif
printf("ALL tests in t_sgxssl_call_apis passed!\n");
end:
diff --git a/Linux/sgx/test_app/enclave/TestEnclave.h b/Linux/sgx/test_app/enclave/TestEnclave.h
index c2ca854..a989735 100644
--- a/Linux/sgx/test_app/enclave/TestEnclave.h
@ -118,5 +119,5 @@ index a395ce8..f49e5b7 100644
}
+#endif
--
2.46.0
2.49.0

15
download.sh Executable file
View File

@ -0,0 +1,15 @@
#!/bin/sh
set -e
spec=linux-sgx.spec
for url in $(rpmspec -P ${spec} 2>/dev/null | grep Source | grep http | awk '{print $2}')
do
tarball=$(basename ${url})
echo "Check $url -> $tarball"
if ! test -f ${tarball}
then
wget -O $tarball ${url}
fi
done

384
linux-sgx.spec
View File

@ -47,11 +47,10 @@
%global with_aesm 0
%global with_host_tinyxml2 0
%global with_pccsadmin 0
%global with_pccsadmin 1
%if 0%{?fedora}
%global with_aesm 1
%global with_host_tinyxml2 1
%global with_pccsadmin 1
%endif
%global with_sysusers_scripts 0
@ -59,6 +58,9 @@
%global with_sysusers_scripts 1
%endif
# Change after running pccs-nodejs-bundler
%define node_modules_date 20260204
############################################################
#
# A note about versions
@ -67,22 +69,22 @@
# versions based on what the new release depends on (see various
# git submodule tags and code files).
#
%global linux_sgx_version 2.25
%global linux_sgx_version 2.26
# From SGX git submodule
%global dcap_version 1.22
%global dcap_version 1.23
# From DCAP git submodule
%global dcap_qvl_version 1.21
# From DCAP git submodule
%global dcap_qvs_version 1.1.0-2885
# From SGX external/sgxssl/prepare_sgxssl.sh
%global sgx_ssl_version 3.0_Rev4
%global sgx_ssl_version 3.1.6_Rev1
# From SGX git submodule
%global ipp_crypto_version 2021.12.1
# From SGX git submodule
%global sgx_emm_version 1.0.3
# From SGX external/sgxssl/prepare_sgxssl.sh
%global openssl_version 3.0.14
%global openssl_version 3.1.6
# From SGX git submodule
%global libcbor_version 0.10.2
# From protobuf third_party/abseil-cpp
@ -90,7 +92,7 @@
# From DCAP git submodule
%global jwt_cpp_version 0.6.0
# From DCAP git submodule
%global wamr_version 1.3.3
%global wamr_version 1.0.0
# From SGX external/tinyxml2
%global tinyxml2_version 10.0.0
@ -100,6 +102,10 @@
%global rdrand_version 1.1
%global vtune_version 2018
# From SGX external/dcap_source/QuoteGeneration/pccs/package_lock.json
# NB: node_modules/@yuuang/ffi-rs-linux-x64-gnu will likely pull the
# version higher than what is declared for 'ffi-rs' itself.
%global node_ffi_rs_version 1.2.6
# enclaves from prebuilt_dcap_NNN.tar.gz - DCAP version numbers,
# except for pce, which is actually an SGX enclave just bundled
@ -159,13 +165,19 @@ Summary: Intel Linux SGX SDK and Platform Software
# so while the license of the combined work is declared to be
# BSD-3-Clause, there is actually a huge set of licenses to track
License: %{shrink:
%dnl sdk/tlibcxx, external/ippcp_internal, external/epid-sdk
%dnl node_modules
0BSD AND
%dnl sdk/tlibcxx, external/ippcp_internal, external/epid-sdk, node_modules, node-ffi-rs vendor
Apache-2.0 AND
%dnl sdk/cpprt, sdk/tlibc
%dnl node_modules
BlueOak-1.0.0 AND
%dnl sdk/cpprt, sdk/tlibc, node_modules
BSD-2-Clause AND
%dnl external/dcap_source, sdk/*
%dnl external/dcap_source, sdk/*, node_modules
BSD-3-Clause AND
%dnl sdk/tlibc
@ -177,10 +189,10 @@ License: %{shrink:
%dnl psd/urts/linux/isgx_user.h
GPL-2.0-only AND
%dnl sdk/tlibc, sdk/pthread
%dnl sdk/tlibc, sdk/pthread, node_modules, node-ffi-rs vendor
ISC AND
%dnl external/cbor/libcbor, sdk/*
%dnl external/cbor/libcbor, sdk/*, node_modules, node-ffi-rs vendor
MIT AND
%dnl sdk/tlibc/stdlib/malloc.c
@ -198,6 +210,15 @@ License: %{shrink:
%dnl sdk/tlibc/math
SunPro AND
%dnl node-ffi-rs vendor
Unicode-3.0 AND
%dnl node_modules, node-ffi-rs vendor
Unlicense AND
%dnl node_modules
WTFPL AND
%dnl sdk/tlibc
LicenseRef-Fedora-Public-Domain
}
@ -208,14 +229,14 @@ URL: https://github.com/intel/linux-sgx
############################################################
# SGX related projects SourceN for N in (0..9)
Source0: https://github.com/intel/linux-sgx/archive/refs/tags/sgx_%{linux_sgx_version}_reproducible.tar.gz#/linux-sgx-%{linux_sgx_version}-reproducible.tar.gz
Source0: https://github.com/intel/linux-sgx/archive/refs/tags/sgx_%{linux_sgx_version}.tar.gz#/linux-sgx-%{linux_sgx_version}.tar.gz
# repack.sh purges all the prebuilt AE's that we ship in a different RPM
# as well as 'prebuilt/' content (openssl / OPA binaries) that we must
# not distribute.
Source1: repack.sh
Source2: https://github.com/intel/SGXDataCenterAttestationPrimitives/archive/refs/tags/dcap_%{dcap_version}_reproducible.tar.gz
Source2: https://github.com/intel/SGXDataCenterAttestationPrimitives/archive/refs/tags/DCAP_%{dcap_version}.tar.gz
Provides: bundled(dcap) = %{dcap_version}
# Upload tarball is:
@ -278,6 +299,20 @@ Source46: qgs.sysconfig
Source48: mpa_registration.service
Source50: pccs.sysusers.conf
Source51: pccs.service
# RPM build doesn't run this, but we want it in the src.rpm
# as record of what was used to create Source54
Source52: pccs-nodejs-bundler
# Pre-created using Source53
Source53: dcap-%{dcap_version}-%{node_modules_date}-pccs-node-modules.tar.xz
# RPM build doesn't run this, but we want it in the src.rpm
# as record of what was used to create Source55 & Source56
Source54: pccs-node-ffi-rs-bundler
Source55: node-ffi-rs-%{node_ffi_rs_version}.tar.gz
Source56: node-ffi-rs-%{node_ffi_rs_version}-vendor.tar.gz
############################################################
# External projects that have been copied in tarballs as bundles
@ -293,33 +328,37 @@ Provides: bundled(vtune) = 2018
# Distro integration patches
# 0000-0099 -> against linux-sgx.git
#
# Maintained in: https://github.com/berrange/linux-sgx/tree/dist-git-%{linux_sgx_version}-hostsw
#
Patch0000: 0000-Add-support-for-building-against-host-openssl-crypto.patch
Patch0001: 0001-Add-support-for-building-against-host-tinyxml2-lib.patch
Patch0002: 0002-Add-support-for-building-against-host-CppMicroServic.patch
# https://github.com/intel/linux-sgx/pull/1055
Patch0003: 0003-Improve-make-debuggability.patch
Patch0004: 0004-Support-disabling-use-of-git-for-ippcp-code.patch
Patch0005: 0005-disable-openmp-protobuf-mbedtls-sample_crypto-builds.patch
Patch0005: 0005-disable-openmp-protobuf-sample_crypto-builds.patch
# https://github.com/intel/linux-sgx/pull/1063
Patch0006: 0006-Fix-compat-with-gcc-14.patch
# https://github.com/intel/linux-sgx/pull/1056
Patch0007: 0007-Fix-escaping-of-regexes-in-sgx-asm-pp.patch
# https://github.com/intel/linux-sgx/pull/1058
Patch0008: 0008-Disable-use-of-bogus-DEF_WEAK-macro.patch
# https://github.com/intel/linux-sgx/pull/1057
Patch0009: 0009-Remove-all-references-to-pccs-service.patch
# https://github.com/intel/linux-sgx/pull/1064
Patch0010: 0010-psw-prefer-dev-sgx_provision-dev-sgx_enclave.patch
Patch0011: 0011-psw-fix-soname-for-libuae_service.so-library.patch
Patch0012: 0012-pcl-remove-redundant-use-of-bool-type.patch
Patch0013: 0013-sdk-honour-CFLAGS-LDFLAGS-set-from-environment.patch
Patch0014: 0014-psw-make-aesm_service-build-verbose.patch
Patch0015: 0015-Fix-modern-C-function-prototype-compliance.patch
Patch0016: 0016-Add-wrapper-for-nasm-to-fix-cmake-compat.patch
Patch0008: 0008-psw-prefer-dev-sgx_provision-dev-sgx_enclave.patch
Patch0009: 0009-psw-fix-soname-for-libuae_service.so-library.patch
Patch0010: 0010-pcl-remove-redundant-use-of-bool-type.patch
Patch0011: 0011-sdk-honour-CFLAGS-LDFLAGS-set-from-environment.patch
Patch0012: 0012-psw-make-aesm_service-build-verbose.patch
Patch0013: 0013-Fix-modern-C-function-prototype-compliance.patch
Patch0014: 0014-Add-wrapper-for-nasm-to-fix-cmake-compat.patch
Patch0015: 0015-fix-BOM-for-pccs-with-DCAP-1.23.patch
# Optional patches
Patch0050: 0050-Disable-inclusion-of-AESM-in-installer.patch
# 0100-0199 -> against SGXDataCenterAttestationPrimitives.git
#
# Maintained in https://github.com/berrange/SGXDataCenterAttestationPrimitives/tree/dist-git-%{dcap_version}-hostsw
#
Patch0100: 0100-Drop-use-of-bundled-pre-built-openssl.patch
Patch0101: 0101-Improve-debuggability-of-build-system.patch
# https://github.com/intel/SGXDataCenterAttestationPrimitives/pull/437
@ -327,7 +366,7 @@ Patch0102: 0102-Support-build-time-setting-of-enclave-load-directory.patch
# https://github.com/intel/SGXDataCenterAttestationPrimitives/pull/434
Patch0103: 0103-Look-for-versioned-sgx_urts-library-in-PCKRetrievalT.patch
# https://github.com/intel/SGXDataCenterAttestationPrimitives/pull/429
Patch0104: 0104-Don-t-import-pypac-in-pccsadmin.patch
Patch0104: 0104-pccsadmin-only-import-pypac-module-on-Windows.patch
Patch0105: 0105-Look-for-PCKRetrievalTool-config-file-in-etc.patch
Patch0106: 0106-Honour-CFLAGS-CXXFLAGS-LDFLAGS-for-various-tools-and.patch
# https://github.com/intel/SGXDataCenterAttestationPrimitives/pull/428
@ -342,14 +381,49 @@ Patch0114: 0114-Delete-broken-checks-for-GCC-version-that-break-fsta.patch
#Patch0115: 0115-Use-distro-provided-rapidjson-package.patch
Patch0116: 0116-Don-t-stomp-on-VERBOSE-variable.patch
Patch0117: 0117-qgs-add-m-MODE-parameter-for-UNIX-socket-mode.patch
Patch0118: 0118-pccs-sanitize-paths-to-all-resources.patch
Patch0119: 0119-pccs-only-pass-ApiKey-if-it-is-set.patch
Patch0120: 0120-pccsadmin-make-keyring-module-optional.patch
Patch0121: 0121-pccsadmin-convert-from-asn1-to-pyasn1-python-module.patch
Patch0122: 0122-pccsadmin-fully-switch-to-pycryptography-for-CRL-ver.patch
Patch0123: 0123-pccsadmin-use-more-of-pycryptography-instead-of-pyop.patch
Patch0124: 0124-pccsadmin-prefer-pycryptography-over-pyopenssl.patch
Patch0125: 0125-pccsadmin-add-fallback-for-when-pyopenssl-is-not-ava.patch
Patch0126: 0126-pccsadmin-ignore-errors-trying-to-clear-the-keyring.patch
# https://github.com/intel/confidential-computing.tee.dcap/pull/485
Patch0127: 0127-PCS-Client-Tool-Migrate-from-deprecated-pkg_resource.patch
# https://github.com/intel/confidential-computing.tee.dcap/pull/487
Patch0128: 0128-qgs-add-compat-for-boost-1.87-which-drops-asio-io_se.patch
Patch0129: 0129-qgs-add-compat-for-boost-1.89-which-deprecated-deadl.patch
# Patches 0130->0135 collectively fix:
# CVE-2026-23745: node-tar
# CVE-2026-23950: node-tar
# CVE-2026-24842: node-tar
# CVE-2025-13465: lodash
# CVE-2025-15284: qs
Patch0130: 0130-Bump-tar-fs-from-2.1.2-to-2.1.3-in-QuoteGeneration-p.patch
Patch0131: 0131-Bump-on-headers-and-morgan-in-QuoteGeneration-pccs-4.patch
Patch0132: 0132-Bump-brace-expansion-from-1.1.11-to-1.1.12-in-QuoteG.patch
Patch0133: 0133-Bump-tar-fs-from-2.1.3-to-2.1.4-in-QuoteGeneration-p.patch
Patch0134: 0134-PCCS-dependencies-updated-to-latest-minor.patch
Patch0135: 0135-pccs-force-override-tar-module-to-7.0.0-series.patch
# https://github.com/intel/confidential-computing.tee.dcap/pull/489
Patch0136: 0136-pccsadmin-fix-name-of-input-file-for-cache-command-i.patch
# 0200-0299 -> against intel-sgx-ssl.git
#
# Maintained in https://github.com/berrange/intel-sgx-ssl/tree/dist-git-%{sgx_ssl_version}
#
Patch0200: 0200-Enable-pointing-sgxssl-build-to-alternative-glibc-he.patch
Patch0201: 0201-Workaround-missing-output-directory.patch
Patch0202: 0202-Disable-various-EC-crypto-features.patch
Patch0203: 0203-Disable-sm2-and-sm4-crypto-algorithms.patch
# 0300-0399 -> against ipp-crypto.git
#
# Maintained in https://github.com/berrange/ipp-crypto/tree/dist-git-%{ipp_crypto_version}
#
Patch0300: 0300-Drop-min-openssl-from-3.0.8-to-3.0.7.patch
Patch0301: 0301-Drop-Werror-from-build-flags.patch
@ -357,6 +431,7 @@ BuildRequires: sgx-rpm-macros
BuildRequires: autoconf
BuildRequires: automake
BuildRequires: binutils
BuildRequires: chrpath
BuildRequires: libtool
BuildRequires: gcc
BuildRequires: gcc-c++
@ -375,7 +450,16 @@ BuildRequires: perl(FindBin)
BuildRequires: perl(lib)
BuildRequires: perl(IPC::Cmd)
BuildRequires: nasm
BuildRequires: nodejs
BuildRequires: nodejs-devel
%if 0%{?rhel} == 9
BuildRequires: npm
%else
BuildRequires: nodejs-npm
%endif
BuildRequires: nodejs-packaging
BuildRequires: python-unversioned-command
BuildRequires: sqlite-devel
BuildRequires: systemd-rpm-macros
%if %{with_host_tinyxml2}
BuildRequires: tinyxml2-devel
@ -387,6 +471,11 @@ BuildRequires: CppMicroServices-devel
BuildRequires: protobuf-compiler
BuildRequires: protobuf-devel
BuildRequires: boost-devel
%if 0%{?rhel}
BuildRequires: rust-toolset
%else
BuildRequires: cargo-rpm-macros
%endif
# If dpkg-architecture exists in $PATH, the Makefile
# will change all the install paths, breaking this
@ -457,6 +546,7 @@ Requires: sgx-common = %{version}-%{release}
This package contains the runtime libraries and tools required
to run applications that interact with SGX enclaves on the platform.
%if %{with_aesm}
%package -n sgx-aesm
Summary: SGX platform Architectural Enclave Service Manager
@ -474,15 +564,33 @@ This package contains the Architectural Enclave Service Manager
(AESM) daemon.
%endif
%package -n sgx-pccs
Summary: SGX Provisioning Certificate Caching Service
Requires: nodejs
Requires: sgx-common = %{version}-%{release}
%description -n sgx-pccs
SGX Provisioning Certificate Caching Service
%package -n sgx-pccs-admin
Summary: SGX Provisioning Certificate Caching Service Admin Tool
Requires: python3-asn1
Requires: python3-pyOpenSSL
Requires: python3-pyasn1
Requires: python3-cryptography
%if 0%{?fedora}
Requires: python3-keyring
%endif
Requires: python3-requests
Requires: python3-urllib3
Requires: python3-packaging
%if 0%{?rhel}
Requires: openssl
%endif
Requires: sgx-libs = %{version}-%{release}
# pccs admin tool can be used against a remote pccs
# so don't force a hard dep
Recommends: sgx-pccs = %{version}-%{release}
%description -n sgx-pccs-admin
SGX Provisioning Certificate Caching Service Admin Tool
@ -509,8 +617,20 @@ SGX Multi-package Registration Agent
%package -n tdx-qgs
Summary: TDX Quoting Generation Service
Requires: sgx-libs = %{version}-%{release}
Recommends: sgx-mpa sgx-pckid-tool
Suggests: sgx-pckid-tool
# mpa provides auto-registration of the platform, if it
# is enabled in EFI. If not enabled, it is a no-op so
# safe to have installed by default regardless, but use
# weak dep to allow skipping for optimized installs
Recommends: sgx-mpa = %{version}-%{release}
# If auto-registration is not enabled, the pckid-tool
# is needed for manual registration; it is also useful
# misc admin tasks
Recommends: sgx-pckid-tool = %{version}-%{release}
# In internet isolated hosts pccs can be used to
# provide pre-cached certs, either running it on
# localhost or on the LAN. Weak dep though as it
# is expected that LAN deployment is more common
Suggests: sgx-pccs = %{version}-%{release}
%enclave_requires ide %{enclave_ide_version}
%enclave_requires pce %{enclave_pce_version}
@ -544,7 +664,7 @@ in applications
%prep
%setup -q -n linux-sgx-sgx_%{linux_sgx_version}_reproducible
%setup -q -n linux-sgx-sgx_%{linux_sgx_version}
%autopatch -m 0 -M 49 -p1
%if !%{with_aesm}
@ -572,7 +692,7 @@ rm -rf external/tinyxml2
# Don't intend to package these optional bits since none of
# the required enclaves need this, and thus we can cut down
# on bundling some 3rd party code
rm -rf external/{dnnl,openmp,protobuf,mbedtls} sdk/sample_libcrypto
rm -rf external/{dnnl,openmp,protobuf} sdk/sample_libcrypto
############################################################
# dcap
@ -705,8 +825,9 @@ touch psw/ae/data/prebuilt/libsgx_{le,qe,pve,pce}.signed.so
touch ../prebuilt/opa_bin/policy.wasm
)
# Sanity check that upstream hasn't include more prebult
# files that we've not expected.
# Sanity check that upstream hasn't include more prebuilt
# files that we're not expecting and thus failed to purge
# in the repack.sh script.
find -name '*.a' -o -name '*.o' > prebuilt.txt
if test -s prebuilt.txt
then
@ -830,10 +951,15 @@ done
############################################################
# Fourth, build the Platform Software
# XXX temp override -j1 due to race conditions that have not yet been diagnosed
#
# Perhaps 20% of the time it will fail with error like:
#
# /usr/bin/ld: /builddir/build/BUILD/linux-sgx-2.26-build/linux-sgx-sgx_2.26/common/se_wrapper_psw/libwrapper.a: error adding symbols: file format not recognized
CFLAGS="%{build_cflags}" \
CXXFLAGS="%{build_cxxflags}" \
LDFLAGS="%{build_ldflags}" \
%__make %{?_smp_mflags} \
%__make %{?_smp_mflags} -j1 \
-C psw/ V=1 VERBOSE=1 \
SGX_SDK=$(pwd)/%{vroot}/sgxsdk \
SGX_ENCLAVE_PATH=%{sgx_libdir} \
@ -849,6 +975,40 @@ LDFLAGS="%{build_ldflags}" \
SGX_SDK=$(pwd)/%{vroot}/sgxsdk \
SGX_ENCLAVE_PATH=%{sgx_libdir}
(
# PCCS NodeJS deps bundle
cd external/dcap_source
tar Jxvf %{SOURCE53}
cd QuoteGeneration/pccs
perl -i -p -e 's,"sqlite%":"internal","sqlite%":"/usr",' node_modules/sqlite3/binding.gyp
perl -i -p -e 's,\(sqlite\)/lib,(sqlite)/lib64,' node_modules/sqlite3/binding.gyp
for pkg in node_modules/*
do
(
cd $pkg
npm run install --if-present --nodedir=/usr
)
done
# Keep brp-mangle-shebangs happy
find node_modules -type f -exec chmod -x {} \;
chrpath --delete node_modules/sqlite3/build/Release/node_sqlite3.node
tar zxvf %{SOURCE55}
(
cd node-ffi-rs-%{node_ffi_rs_version}
tar zxvf %{SOURCE56}
%cargo_prep -v vendor
%cargo_build
mv target/rpm/libffi_rs.so ../node_modules/ffi-rs/ffi-rs.linux-x64-gnu.node
)
)
# SDK provides dummy stub libraries to deal with a circular
# build dependancy problem where the PSW wants these libs
@ -862,24 +1022,10 @@ done
rm -f %{vroot}/sgxsdk/lib64/libsgx_urts.so.2
# Pull together all license files relevant to the code
# that is known to be built into the enclaves
# Pull together all license files relevant to the code that is shipped
# Err on the side of pulling in much too much, rather than miss something
mkdir licenses
for f in License.txt \
external/epid-sdk/LICENSE.txt \
external/epid-sdk/ext/argtable3/LICENSE \
sdk/compiler-rt/LICENSE.TXT \
sdk/cpprt/linux/libunwind/LICENSE \
sdk/gperftools/gperftools-2.7/COPYING \
sdk/tlibcxx/LICENSE.TXT \
external/dcap_source/License.txt \
external/dcap_source/QuoteGeneration/ThirdPartyLicenses.txt \
external/dcap_source/tools/PCKRetrievalTool/License.txt \
external/dcap_source/tools/PCKRetrievalTool/ThirdPartyLicenseIndex.txt \
external/dcap_source/tools/PccsAdminTool/License.txt \
external/dcap_source/tools/SGXPlatformRegistration/inf/MPA_Network_Components/License.txt \
external/dcap_source/tools/SGXPlatformRegistration/inf/MPA_UEFI_Components/License.txt \
external/dcap_source/tools/SGXPlatformRegistration/license.txt
for f in $(find -type f | grep -v '\.pdf' | grep -E -i '(license|copying)')
do
d=$(dirname $f)
mkdir -p licenses/$d
@ -977,6 +1123,7 @@ do
done
cp -a %{vroot}/root/ %{buildroot}/root
# Second, re-arrange the content to match the normal tree
# layout Fedora expects. We rm/rmdir any bits we don't
# want, such that RPM will warn about any files left in
@ -1044,6 +1191,51 @@ rmdir %{buildroot}/root/opt/intel/sgx-aesm-service
%endif
############################################################
# Host PCCS service
# Home dir for 'pccs' user
%__install -d %{buildroot}%{_sharedstatedir}/pccs
%__install -d %{buildroot}%{_localstatedir}/log/pccs
%__install -d %{buildroot}%{_sysconfdir}/pccs
%__install -d %{buildroot}%{_sysconfdir}/pccs/ssl
%__install -d %{buildroot}%{nodejs_sitearch}/pccs
mv %{buildroot}/root/opt/intel/sgx-dcap-pccs/lib/libPCKCertSelection.so \
%{buildroot}%{_libdir}/libPCKCertSelection.so.1
ln -s libPCKCertSelection.so.1 %{buildroot}%{_libdir}/libPCKCertSelection.so
mv %{buildroot}/root/opt/intel/sgx-dcap-pccs/config/default.json \
%{buildroot}%{_sysconfdir}/pccs/default.json
rmdir %{buildroot}/root/opt/intel/sgx-dcap-pccs/config
rm -f %{buildroot}/root/lib/systemd/system/pccs.service
mv %{buildroot}/root/opt/intel/sgx-dcap-pccs/* \
%{buildroot}%{nodejs_sitearch}/pccs
rmdir %{buildroot}/root/opt/intel/sgx-dcap-pccs
(
# Node JS deps bundle
cd external/dcap_source/QuoteGeneration/pccs
rm -f install.sh README.md
# So find-debuginfo processes it
chmod +x node_modules/sqlite3/build/Release/node_sqlite3.node
cp -a node_modules %{buildroot}%{nodejs_sitearch}/pccs/node_modules
)
cat >>%{buildroot}%{_sbindir}/pccs <<EOF
#!/usr/bin/sh
exec node %{nodejs_sitearch}/pccs/pccs_server.js
EOF
chmod +x %{buildroot}%{_sbindir}/pccs
%__install -m 0644 %{SOURCE50} %{buildroot}%{_sysusersdir}/pccs.conf
%__install -m 0644 %{SOURCE51} %{buildroot}%{_unitdir}/pccs.service
############################################################
# Host PCCS admin tool
@ -1150,18 +1342,16 @@ done
mv %{buildroot}/root/etc/sgx_default_qcnl.conf \
%{buildroot}%{_sysconfdir}/
# PCCS no longer exists, so default to the public API service
perl -i -p -e 's,https://localhost:8081/sgx/certification/v4/,https://api.trustedservices.intel.com/sgx/certification/v4/,' \
# Default to the public API service. If users do deploy pccs
# it probably makes more sense to do so on the LAN, so don't
# assume localhost deployment. This also allows out of the box
# usage without having to create a local x509 CA for PCCS.
perl -i -p -e 's,https://localhost:10801/sgx/certification/v4/,https://api.trustedservices.intel.com/sgx/certification/v4/,' \
%{buildroot}%{_sysconfdir}/sgx_default_qcnl.conf
%__install %{SOURCE42} %{buildroot}%{_sysusersdir}/sgxprv.conf
%__install %{SOURCE43} %{buildroot}%{_udevrulesdir}/92-sgx-provision.rules
# Previously part of PCCS BOM, now we must install manually
mv external/dcap_source/tools/PCKCertSelection/out/libPCKCertSelection.so \
%{buildroot}%{_libdir}/libPCKCertSelection.so.1
ln -s libPCKCertSelection.so.1 %{buildroot}%{_libdir}/libPCKCertSelection.so
############################################################
# Misc cleanup
@ -1217,6 +1407,12 @@ ln -s libsgx_qe3_logic.so.1 %{buildroot}%{_libdir}/libsgx_qe3_logic.so
%sysusers_create_compat %{SOURCE42}
%endif
%post -n sgx-libs
if [ -S /run/udev/control ]; then
udevadm control --reload
udevadm trigger --property-match=DEVNAME=/dev/sgx_provision
fi
%if %{with_aesm}
%if %{with_sysusers_scripts}
%pre -n sgx-aesm
@ -1244,6 +1440,21 @@ ln -s libsgx_qe3_logic.so.1 %{buildroot}%{_libdir}/libsgx_qe3_logic.so
%systemd_postun_with_restart mpa_registration.service
%if %{with_sysusers_scripts}
%pre -n sgx-pccs
%sysusers_create_compat %{SOURCE50}
%endif
%post -n sgx-pccs
%systemd_post pccs.service
%preun -n sgx-pccs
%systemd_preun pccs.service
%postun -n sgx-pccs
%systemd_postun_with_restart pccs.service
%if %{with_sysusers_scripts}
%pre -n tdx-qgs
%sysusers_create_compat %{SOURCE44}
@ -1365,41 +1576,38 @@ ln -s libsgx_qe3_logic.so.1 %{buildroot}%{_libdir}/libsgx_qe3_logic.so
%dir %{sgx_libdir}/
%{sgx_libdir}/libsgx_pthread.a
%{sgx_libdir}/libsgx_tcxx.a
%{sgx_libdir}/libsgx_tprotected_fs.a
%{sgx_libdir}/libsgx_tservice.a
%{sgx_libdir}/libsgx_tstdc.a
%{sgx_libdir}/libsgx_uprotected_fs.a
%{sgx_libdir}/libsgx_uswitchless.a
%{sgx_libdir}/libsgx_dcap_tvl.a
%{_libdir}/libsgx_capable.so
%{_libdir}/libsgx_ptrace.so
%{sgx_libdir}/libsgx_trts.a
%{sgx_libdir}/libsgx_tcrypto.a
%{_libdir}/libsgx_epid_sim.so
%{_libdir}/libsgx_launch_sim.so
%{_libdir}/libsgx_quote_ex_sim.so
%{_libdir}/libsgx_uae_service_sim.so
%{_libdir}/libsgx_urts_sim.so
%{sgx_libdir}/libsgx_capable.a
%{sgx_libdir}/libsgx_dcap_tvl.a
%{sgx_libdir}/libsgx_ossl_fips.a
%{sgx_libdir}/libsgx_pcl.a
%{sgx_libdir}/libsgx_pclsim.a
%{sgx_libdir}/libsgx_pthread.a
%{sgx_libdir}/libsgx_tcmalloc.a
%{sgx_libdir}/libsgx_tcrypto.a
%{sgx_libdir}/libsgx_tcxx.a
%{sgx_libdir}/libsgx_tkey_exchange.a
%{sgx_libdir}/libsgx_tprotected_fs.a
%{sgx_libdir}/libsgx_trts.a
%{sgx_libdir}/libsgx_trts_sim.a
%{sgx_libdir}/libsgx_tservice.a
%{sgx_libdir}/libsgx_tservice_sim.a
%{sgx_libdir}/libsgx_tstdc.a
%{sgx_libdir}/libsgx_tswitchless.a
%{sgx_libdir}/libsgx_ttls.a
%{sgx_libdir}/libsgx_ukey_exchange.a
%{sgx_libdir}/libsgx_uprotected_fs.a
%{sgx_libdir}/libsgx_uswitchless.a
%{sgx_libdir}/libsgx_utls.a
%{sgx_libdir}/libtdx_tls.a
%{_libdir}/libsgx_capable.so
%{_libdir}/libsgx_epid_sim.so
%{_libdir}/libsgx_launch_sim.so
%{_libdir}/libsgx_ptrace.so
%{_libdir}/libsgx_quote_ex_sim.so
%{_libdir}/libsgx_uae_service_sim.so
%{_libdir}/libsgx_urts_sim.so
%{_libdir}/pkgconfig/libsgx_epid_sim.pc
%{_libdir}/pkgconfig/libsgx_launch_sim.pc
%{_libdir}/pkgconfig/libsgx_quote_ex_sim.pc
@ -1515,6 +1723,18 @@ ln -s libsgx_qe3_logic.so.1 %{buildroot}%{_libdir}/libsgx_qe3_logic.so
%endif
%files -n sgx-pccs
%{_sbindir}/pccs
%dir %{_sysconfdir}/pccs
%attr(0750,root,pccs) %dir %{_sysconfdir}/pccs/ssl
%config(noreplace) %{_sysconfdir}/pccs/default.json
%{_unitdir}/pccs.service
%{nodejs_sitearch}/pccs
%{_sysusersdir}/pccs.conf
%attr(0700,pccs,pccs) %dir %{_sharedstatedir}/pccs
%attr(0700,pccs,pccs) %dir %{_localstatedir}/log/pccs
%if %{with_pccsadmin}
%files -n sgx-pccs-admin
%{_bindir}/pccsadmin

33
pccs-node-ffi-rs-bundler Executable file
View File

@ -0,0 +1,33 @@
#!/bin/sh
set -v
set -e
if test -z "$1"
then
echo "syntax: $0 VERSION"
exit 1
fi
VERSION=$1
PACKAGE=node-ffi-rs
AUTHOR=zhangyuang
GITURL=https://github.com/${AUTHOR}/${PACKAGE}
if ! test -d $PACKAGE
then
git clone $GITURL
fi
cd $PACKAGE
git checkout master
git reset --hard
git clean -f -x -d
git pull
git archive v${VERSION} -o ../node-ffi-rs-${VERSION}.tar.gz --prefix "node-ffi-rs-${VERSION}/"
git checkout v${VERSION}
cargo vendor-filterer --platform x86_64-unknown-linux-gnu
tar zcvf ../node-ffi-rs-${VERSION}-vendor.tar.gz vendor

55
pccs-nodejs-bundler Executable file
View File

@ -0,0 +1,55 @@
#!/bin/sh
set -v
set -e
if test -z "$1"
then
echo "syntax: $0 VERSION"
exit 1
fi
VERSION=$1
TARBALL=DCAP_${VERSION}.tar.gz
if ! test -f $TARBALL
then
echo "error: $0 missing $TARBALL"
exit 1
fi
tar xfz $TARBALL
DIRNAME=SGXDataCenterAttestationPrimitives-DCAP_${VERSION}
pushd $DIRNAME
pushd QuoteGeneration/pccs
echo " Downloading prod dependencies"
npm install --omit=dev --omit=optional --ignore-scripts
rm -rf node_modules/*/prebuilds
rm -f node_modules/sqlite3/deps/sqlite-autoconf-*.tar.gz
popd
echo "LICENSES IN BUNDLE:"
find . -name "package.json" -exec jq '.license | strings' {} \; >> ../dcap-${VERSION}-pccs-nodejs-licenses.txt
find . -name "package.json" -exec jq '.license | objects | .type' {} \; >> ../dcap-${VERSION}-pccs-nodejs-licenses.txt 2>/dev/null
find . -name "package.json" -exec jq '.licenses[] .type' {} \; >> ../dcap-${VERSION}-pccs-nodejs-licenses.txt 2>/dev/null
sort -u -o ../dcap-${VERSION}-pccs-nodejs-licenses.txt ../dcap-${VERSION}-pccs-nodejs-licenses.txt
# Locate any dependencies without a provided license
find . -type f -name package.json -execdir jq 'if .license==null and .licenses==null then .name else null end' '{}' '+' \
| grep -vE '^null$' | sort -u > ../nolicense.txt
if [ -s ../nolicense.txt ]; then
echo -e "\e[5m\e[41mSome dependencies do not list a license. Manual verification required!\e[0m"
cat ../nolicense.txt
echo -e "\e[5m\e[41m======================================================================\e[0m"
fi
if [ -d QuoteGeneration/pccs/node_modules ] ; then
tar cJf ../dcap-${VERSION}-pccs-node-modules.tar.xz --sort=name $(find QuoteGeneration/pccs -type d -name node_modules)
fi
popd
rm -rf $DIRNAME

23
pccs.service Normal file
View File

@ -0,0 +1,23 @@
[Unit]
Description=Provisioning Certificate Caching Service (PCCS)
Documentation=https://github.com/intel/SGXDataCenterAttestationPrimitives/blob/master/QuoteGeneration/pccs/README.md
After=syslog.target network.target auditd.service mpa_registration.service
ConditionPathExists=/dev/sgx_enclave
Requires=mpa_registration.service
[Service]
Type=simple
User=pccs
ExecStart=/usr/sbin/pccs
Restart=on-failure
RestartSec=15s
Environment=NODE_CONFIG_DIR=/etc/pccs
WorkingDirectory=/var/lib/pccs
InaccessibleDirectories=/home
DevicePolicy=closed
DeviceAllow=/dev/sgx_enclave rw
DeviceAllow=/dev/sgx_provision rw
[Install]
WantedBy=multi-user.target

1
pccs.sysusers.conf Normal file
View File

@ -0,0 +1 @@
u pccs - "SGX PCCS Server" /var/lib/pccs

15
sources
View File

@ -1,13 +1,16 @@
SHA512 (dcap_1.22_reproducible.tar.gz) = 1f6d79721f9b7c86a8a935429c8133db9cc24585a8fa3e8e8fbab99f5f0ffebdb206077844c83e630e2ad15d51ec7ad8ea35352f5ccbf7408dc3ced885b89b72
SHA512 (DCAP_1.23.tar.gz) = 02fe956c176362079094c5009ce48d6dc4d17233217a9d6d779707893231e68b065ca02a458d5b06e518b99185f00e3d0e5f6c4165bbde1fe22b87d52f952e29
SHA512 (dcap-qvl-1.21.tar.gz) = 62ab0d9f48c9a8d975cb861ac5161770b990af3bbc8ff67a8b9ca48af86565b6d445cfe87786d332a65efee22114de2e2a4589722625cbc4fc6b58647599626d
SHA512 (dcap-qvs-1.1.0-2885.tar.gz) = 811663f713902f263e3d8ad7cc7d62e92f76f1618c5ac8b5366dc880d79509a0d349328ac2d8f9dc2170e09d80ac00ec934f7cbf3594bec9cb69b6b544ca30e6
SHA512 (intel-sgx-ssl-3.0_Rev4.tar.gz) = 9b8bd2ec3c9eccb3fbbecdaa586b669fa68f4bf68911194dcba6f7ea9c8ec84503a86733c70019124eaeff4ac79c6f178435c2a51530104f22014760146d87fe
SHA512 (intel-sgx-ssl-3.1.6_Rev1.tar.gz) = cbcae2df7a2518fa00e05dacb708b39ba0d1f1aa23f12a97c403dbbd02a81965b3f682257302e20fe837fe6abc00848e955b9e02e12eafb6973a358c24c4a6d5
SHA512 (ippcp_2021.12.1.tar.gz) = cdde7eed0f27b80663bf6a131abd8e6afcf16f0b9897ae12e251dc6bd3a9cc15c7666e4276eb4ba4b3b66fa93b5115c29537e176a6a2fb0de1b17cfcc1b7c426
SHA512 (jwt-cpp-0.6.0.tar.gz) = b6d5ebb3a7eeb6fef9a1d41c707251d1ab05bf47920c280d5203f1b9ee5bf6f8e914cd2ffaed66550cfa6d78c34465d4cf86517a759d5f8739b429faf1c2c0ef
SHA512 (libcbor-0.10.2.tar.gz) = 23c6177443778d4b4833ec7ed0d0e639a0d4863372e3a38d772fdce2673eae6d5cb2a31a2a021d1a699082ea53494977c907fd0e94149b97cb23a4b6d039228a
SHA512 (linux-sgx-2.25-reproducible.tar.gz) = 5fa14448c872822916c5abe4f21e633ee2967ae605de426ccef2cdd4572427a63cf00c76160e9f54c072375d23b52342b7befd59e56816b4226799b8a627f98c
SHA512 (openssl-3.0.14.tar.gz) = 1c59c01e60da902a20780d71f1fa5055d4037f38c4bc3fb27ed5b91f211b36a6018055409441ad4df58b5e9232b2528240d02067272c3c9ccb8c221449ca9ac0
SHA512 (prebuilt_dcap_1.22-repacked.tar.gz) = 306ab63c28635ebee51c194087c9212a6223619a07f8bd50ba1e5d5a7bdd2325edfb40c69f7e59a937fe21bc937248c5d273790eed45ca67fcde9298d5abd2f7
SHA512 (linux-sgx-2.26.tar.gz) = 129ee9d6f2d33157f0d96adef1a6c44a801a1064c1c0c75f8bf61f7085408e1de34f59d7acab26f7db32618b1f3ba2c08e2ffa8879f43450c14f085d902ab687
SHA512 (node-ffi-rs-1.2.6.tar.gz) = 37f95562e5a61b60949c59d024bea2e2d02c6bf1b21a3bc07d558538d05082a03d1ba2eb8e4500fd4ccd7e556aae0c60fc875d487b2d2d54c8302757f69dc003
SHA512 (node-ffi-rs-1.2.6-vendor.tar.gz) = 76d59d69a842ce207dce21f12a8ada3b3b1b81a93ccd3a0b68838cea4aad1cbdba0a314ff7208b43caf6435e820a226ab1e8f8477bedcdb323eec80976ab96be
SHA512 (openssl-3.1.6.tar.gz) = 18ca07ee6a98d5fe46accfa0156e0354ad770d78bbbbe8e4bb92b316a0e4404f17a34eb700f17ed355d826a4b2166894aa46d8dd81fedbcb16aa1aad0926a390
SHA512 (prebuilt_dcap_1.23-repacked.tar.gz) = a253b7ea5a9a0c73a31259bb852ad5942d9c11c98ea23616bec3cef028ed135090a5837895a1a5771bc8507caec1c1a6c845bd12e01864bfd79fb1827867ce66
SHA512 (sgx-emm-1.0.3.tar.gz) = 0ec9f0133b3a32409c8af61568a47128a1860407170b9b274647140ac36069851638d7282649e23590131d44ca93f839fd2ffe4b9b39821631d279c1384874bf
SHA512 (wasm-micro-runtime-1.0.0.tar.gz) = fb16a992b54f5c006be386b72ff65c680ededaafe7f2010db163b6e4365d198cc96f06ae60ac42986aaf45609803ffc1722308277474c341673e391f9bc4846e
SHA512 (dcap-1.23-20260204-pccs-node-modules.tar.xz) = c075a7f84e8dfcbfc1e4fdf57221f7914394a06b70c2abe5ccf63bc95a3e3228b92931ef0966fbdb85ac6ab5d436a45389e6eed3fa5af49a6b420714593b4f22
SHA512 (tinyxml2-10.0.0.tar.gz) = a359d33bc12fad455b53d81011dbe12727cae0aabfaa5704f1a25807ca216dd854a571291029886c0beedeca5c3b6393dd49c4718773e18a0e008abbdb3de36a
SHA512 (wasm-micro-runtime-1.3.3.tar.gz) = 53f2ee3adf55e5b2e207287231621bef50b812c3e228c9306a03b7487ff579e2fc3ed2831da546cbcc337843e139d1add2b0276e87a58b3035eb0c2fbb73b275