linux-sgx/linux-sgx.spec
Daniel P. Berrangé bab0c46cd5 Add scriptlets for PCCS
Related: https://issues.redhat.com/browse/RHEL-121612
Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
2025-12-10 11:15:55 +00:00


# The enclave code must be built with very specific build
# flags, that are different from what is used to build
# native code. Thus we cannot globally set the CFLAGS etc
%undefine _auto_set_build_flags
# When -flto is set, something (possibly cmake related)
# causes the build of psw/ae/aesm_service to add -fpie
# to the build flags. This conflicts with the need to
# build everything with -fPIC, and causes linker failures
#
# /usr/bin/ld: /tmp/ccWKJhwL.ltrans0.ltrans.o: warning: relocation against `stdout@@GLIBC_2.2.5' in read-only section `.text.sgx_proc_log_report'
# /usr/bin/ld: /tmp/ccWKJhwL.ltrans0.ltrans.o: relocation R_X86_64_PC32 against symbol `_Z16aesm_thread_procPv' can not be used when making a shared object; recompile with -fPIC
%global _lto_cflags %nil
############################################################
#
# Note about the approach to bundling...
#
# The linux-sgx project build system is written with the assumption
# that a monolithic repo is being used with all dependencies
# present at specific versions and in particular locations.
#
# Fully untangling this is impractical/unsustainable, because the
# build system in fact has circular dependencies between what might
# otherwise look like independent projects, i.e. linux-sgx depends
# on headers from dcap, but dcap depends on headers from linux-sgx.
# In addition, some of the 3rd party projects that are consumed are
# patched with SGX enclave specific changes.
#
# For enclave builds, there will be no ability to share existing
# binaries built for native Fedora, as everything must be built
# for the enclave environment, with its own C runtime. Thus trying
# to unbundle has little benefit for enclave related dependencies.
#
# This package is thus written such that:
#
# * All the SGX related projects provided by Intel are bundled
# whether used for enclave or native OS code.
# * SGX enclave code is built with bundled 3rd party projects.
# * Native OS code is built with system packages for non-SGX
# related dependencies.
#
# Focusing on unbundling only 3rd party projects involved in native
# builds maximises the benefits of system package usage, without an
# unreasonable burden fighting the build system for enclave pieces.
%global with_aesm 0
%global with_host_tinyxml2 0
%global with_pccsadmin 1
%if 0%{?fedora}
%global with_aesm 1
%global with_host_tinyxml2 1
%endif
%global with_sysusers_scripts 0
%if 0%{?rhel} <= 10
%global with_sysusers_scripts 1
%endif
############################################################
#
# A note about versions
#
# When rebasing to new linux-sgx releases, bump all the following
# versions based on what the new release depends on (see various
# git submodule tags and code files).
#
%global linux_sgx_version 2.26
# From SGX git submodule
%global dcap_version 1.23
# From DCAP git submodule
%global dcap_qvl_version 1.21
# From DCAP git submodule
%global dcap_qvs_version 1.1.0-2885
# From SGX external/sgxssl/prepare_sgxssl.sh
%global sgx_ssl_version 3.1.6_Rev1
# From SGX git submodule
%global ipp_crypto_version 2021.12.1
# From SGX git submodule
%global sgx_emm_version 1.0.3
# From SGX external/sgxssl/prepare_sgxssl.sh
%global openssl_version 3.1.6
# From SGX git submodule
%global libcbor_version 0.10.2
# From protobuf third_party/abseil-cpp
%global abseil_cpp_version 20230125.3
# From DCAP git submodule
%global jwt_cpp_version 0.6.0
# From DCAP git submodule
%global wamr_version 1.0.0
# From SGX external/tinyxml2
%global tinyxml2_version 10.0.0
# From SGX external/epid-sdk/CHANGELOG.md
%global epid_version 6.0.0
# From SGX external/rdrand/src/configure.ac
%global rdrand_version 1.1
%global vtune_version 2018
# From SGX external/dcap_source/QuoteGeneration/pccs/package_lock.json
# NB: node_modules/@yuuang/ffi-rs-linux-x64-gnu will likely pull the
# version higher than what is declared for 'ffi-rs' itself.
%global node_ffi_rs_version 1.2.6
# enclaves from prebuilt_dcap_NNN.tar.gz - DCAP version numbers,
# except for pce, which is actually an SGX enclave just bundled
# with the DCAP enclaves
%global enclave_pce_version 2.25
%global enclave_ide_version 1.22
%global enclave_qe3_version 1.22
%global enclave_tdqe_version 1.22
%global enclave_qve_version 1.22
# Whether to build & ship unsigned enclaves with latest distro
# tool-chain, as opposed to a reproducible build done in other
# packages
%global with_enclaves 1
# Provisioning Certification Enclave. Required. ECDSA quote signing
%global with_enclave_pce 1
# ID Enclave. Required. Hardware identification
%global with_enclave_ide 1
# Quoting Enclave. Required for non-TDX usage. ECDSA quote generation
%global with_enclave_qe3 1
# Quoting Enclave. Required for TDX usage. ECDSA quote generation
%global with_enclave_tdqe 1
# Quote Verification Enclave. Optional. ECDSA quote verification
#
# Note this package has removed the unapproved crypto this
# enclave links to in upstream builds, to make it possible
# to ship in Fedora.
# XXX disabled until time to investigate jwt-cpp build errors
%global with_enclave_qve 0
%global _with_enclave_pce %{expr:%{with_enclaves} ? %{with_enclave_pce} : 0}
%global _with_enclave_ide %{expr:%{with_enclaves} ? %{with_enclave_ide} : 0}
%global _with_enclave_qe3 %{expr:%{with_enclaves} ? %{with_enclave_qe3} : 0}
%global _with_enclave_tdqe %{expr:%{with_enclaves} ? %{with_enclave_tdqe} : 0}
%global _with_enclave_qve %{expr:%{with_enclaves} ? %{with_enclave_qve} : 0}
# We prefer deployments using the pre-built enclaves
# signed by Intel, but permit replacing with enclaves
# signed by a different party
#
# @arg1: base name of the enclave (e.g. pce, ide, tdqe)
# @arg2: minimum required enclave version
#
# Only a lower bound is expressed: any party's signed build at
# or above that version satisfies the hard dependency, while the
# Intel pre-built one is merely preferred via the weak dependency.
%global enclave_requires() \
Requires: sgx-enclave(%1:signed) >= %2 \
Recommends: sgx-enclave(%1:signed:prebuilt) >= %2
Name: linux-sgx
Version: %{linux_sgx_version}
Release: %autorelease
Summary: Intel Linux SGX SDK and Platform Software
# The project pulls together source from a wide variety of places,
# so while the license of the combined work is declared to be
# BSD-3-Clause, there is actually a huge set of licenses to track
License: %{shrink:
%dnl node_modules
0BSD AND
%dnl sdk/tlibcxx, external/ippcp_internal, external/epid-sdk, node_modules, node-ffi-rs vendor
Apache-2.0 AND
%dnl sdk/cpprt, sdk/tlibc, node_modules
BSD-2-Clause AND
%dnl external/dcap_source, sdk/*, node_modules
BSD-3-Clause AND
%dnl sdk/tlibc
BSD-4-Clause AND
%dnl sdk/tlibc
BSD-4-Clause-UC AND
%dnl psd/urts/linux/isgx_user.h
GPL-2.0-only AND
%dnl sdk/tlibc, sdk/pthread, node_modules, node-ffi-rs vendor
ISC AND
%dnl external/cbor/libcbor, sdk/*, node_modules, node-ffi-rs vendor
MIT AND
%dnl sdk/tlibc/stdlib/malloc.c
MIT-0 AND
%dnl sdk/compiler-rt
NCSA AND
%dnl sdk/protected_code_loader
OpenSSL AND
%dnl sdk/tlibc/gdtoa
SMLNJ AND
%dnl sdk/tlibc/math
SunPro AND
%dnl node-ffi-rs vendor
Unicode-3.0 AND
%dnl node_modules, node-ffi-rs vendor
Unlicense AND
%dnl sdk/tlibc
LicenseRef-Fedora-Public-Domain
}
URL: https://github.com/intel/linux-sgx
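############################################################
# SGX related projects SourceN for N in (0..9)
#
# The bundled(NAME) virtual provides below are what distro
# tooling queries to find the packages affected when a security
# issue lands in one of these projects, so each name must be
# spelled exactly (no stray braces) and the version must track
# the copy that is actually bundled.
Source0: https://github.com/intel/linux-sgx/archive/refs/tags/sgx_%{linux_sgx_version}.tar.gz#/linux-sgx-%{linux_sgx_version}.tar.gz
# repack.sh purges all the prebuilt AE's that we ship in a different RPM
# as well as 'prebuilt/' content (openssl / OPA binaries) that we must
# not distribute.
Source1: repack.sh
Source2: https://github.com/intel/SGXDataCenterAttestationPrimitives/archive/refs/tags/DCAP_%{dcap_version}.tar.gz
Provides: bundled(dcap) = %{dcap_version}
# Upload tarball is:
#
# https://download.01.org/intel-sgx/sgx-dcap/%{dcap_version}/linux/prebuilt_dcap_%{dcap_version}.tar.gz
#
# but is then post-processed using repack.sh to create this
Source3: prebuilt_dcap_%{dcap_version}-repacked.tar.gz
Source4: https://github.com/intel/intel-sgx-ssl/archive/refs/tags/%{sgx_ssl_version}.tar.gz#/intel-sgx-ssl-%{sgx_ssl_version}.tar.gz
Provides: bundled(sgxssl) = %{sgx_ssl_version}
Source5: https://github.com/intel/ipp-crypto/archive/refs/tags/ippcp_%{ipp_crypto_version}.tar.gz
Provides: bundled(ipp-crypto) = %{ipp_crypto_version}
Source6: https://github.com/intel/sgx-emm/archive/refs/tags/sgx-emm-%{sgx_emm_version}.tar.gz
Provides: bundled(sgx-emm) = %{sgx_emm_version}
# NOTE(review): this fetches a branch head (refs/heads), not a
# tag, so the archive content behind the URL is not pinned the
# way the tag-based sources above are.
Source7: https://github.com/intel/SGX-TDX-DCAP-QuoteVerificationLibrary/archive/refs/heads/DCAP/%{dcap_qvl_version}.tar.gz#/dcap-qvl-%{dcap_qvl_version}.tar.gz
Provides: bundled(dcap-qvl) = %{dcap_qvl_version}
Source8: https://github.com/intel/SGX-TDX-DCAP-QuoteVerificationService/archive/refs/tags/v%{dcap_qvs_version}.tar.gz#/dcap-qvs-%{dcap_qvs_version}.tar.gz
Provides: bundled(dcap-qvs) = %{dcap_qvs_version}
############################################################
# 3rd party projects SourceN for N in (10..19)
Source10: https://www.openssl.org/source/openssl-%{openssl_version}.tar.gz
Provides: bundled(openssl) = %{openssl_version}
Source11: https://github.com/PJK/libcbor/archive/refs/tags/v%{libcbor_version}.tar.gz#/libcbor-%{libcbor_version}.tar.gz
Provides: bundled(libcbor) = %{libcbor_version}
# XXX unbundle me, only used in native code, or also in enclaves ?
Source12: https://github.com/Thalhammer/jwt-cpp/archive/refs/tags/v%{jwt_cpp_version}.tar.gz#/jwt-cpp-%{jwt_cpp_version}.tar.gz
Provides: bundled(jwt-cpp) = %{jwt_cpp_version}
Source13: https://github.com/bytecodealliance/wasm-micro-runtime/archive/refs/tags/WAMR-%{wamr_version}.tar.gz#/wasm-micro-runtime-%{wamr_version}.tar.gz
Provides: bundled(wasm-micro-runtime) = %{wamr_version}
Source14: https://github.com/leethomason/tinyxml2/archive/refs/tags/%{tinyxml2_version}.tar.gz#/tinyxml2-%{tinyxml2_version}.tar.gz
%if ! %{with_host_tinyxml2}
Provides: bundled(tinyxml2) = %{tinyxml2_version}
%endif
############################################################
# Misc distro integration files SourceN in (40..59)
Source40: aesmd.sysusers.conf
Source41: aesmd.service
Source42: sgxprv.sysusers.conf
Source43: 92-sgx-provision.rules
Source44: qgs.sysusers.conf
Source45: qgs.service
Source46: qgs.sysconfig
Source48: mpa_registration.service
Source50: pccs.sysusers.conf
Source51: pccs.service
# RPM build doesn't run this, but we want it in the src.rpm
# as record of what was used to create Source53
Source52: pccs-nodejs-bundler
# Pre-created using Source52
Source53: dcap-%{dcap_version}-pccs-node-modules.tar.xz
# RPM build doesn't run this, but we want it in the src.rpm
# as record of what was used to create Source55 & Source56
Source54: pccs-node-ffi-rs-bundler
Source55: node-ffi-rs-%{node_ffi_rs_version}.tar.gz
Source56: node-ffi-rs-%{node_ffi_rs_version}-vendor.tar.gz
############################################################
# External projects that have been copied in tarballs as bundles
# Versions come from the macros declared near the top so that a
# rebase only has to update them in one place.
# In external/epid-sdk/
Provides: bundled(epid-sdk) = %{epid_version}
# In external/rdrand/
Provides: bundled(RdRand) = %{rdrand_version}
# In external/vtune/
Provides: bundled(vtune) = %{vtune_version}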
############################################################
# Distro integration patches
# 0000-0099 -> against linux-sgx.git
Patch0000: 0000-Add-support-for-building-against-host-openssl-crypto.patch
Patch0001: 0001-Add-support-for-building-against-host-tinyxml2-lib.patch
Patch0002: 0002-Add-support-for-building-against-host-CppMicroServic.patch
# https://github.com/intel/linux-sgx/pull/1055
Patch0003: 0003-Improve-make-debuggability.patch
Patch0004: 0004-Support-disabling-use-of-git-for-ippcp-code.patch
Patch0005: 0005-disable-openmp-protobuf-sample_crypto-builds.patch
# https://github.com/intel/linux-sgx/pull/1063
Patch0006: 0006-Fix-compat-with-gcc-14.patch
# https://github.com/intel/linux-sgx/pull/1056
Patch0007: 0007-Fix-escaping-of-regexes-in-sgx-asm-pp.patch
# https://github.com/intel/linux-sgx/pull/1064
Patch0008: 0008-psw-prefer-dev-sgx_provision-dev-sgx_enclave.patch
Patch0009: 0009-psw-fix-soname-for-libuae_service.so-library.patch
Patch0010: 0010-pcl-remove-redundant-use-of-bool-type.patch
Patch0011: 0011-sdk-honour-CFLAGS-LDFLAGS-set-from-environment.patch
Patch0012: 0012-psw-make-aesm_service-build-verbose.patch
Patch0013: 0013-Fix-modern-C-function-prototype-compliance.patch
Patch0014: 0014-Add-wrapper-for-nasm-to-fix-cmake-compat.patch
Patch0015: 0015-fix-BOM-for-pccs-with-DCAP-1.23.patch
# Optional patches
Patch0050: 0050-Disable-inclusion-of-AESM-in-installer.patch
# 0100-0199 -> against SGXDataCenterAttestationPrimitives.git
Patch0100: 0100-Drop-use-of-bundled-pre-built-openssl.patch
Patch0101: 0101-Improve-debuggability-of-build-system.patch
# https://github.com/intel/SGXDataCenterAttestationPrimitives/pull/437
Patch0102: 0102-Support-build-time-setting-of-enclave-load-directory.patch
# https://github.com/intel/SGXDataCenterAttestationPrimitives/pull/434
Patch0103: 0103-Look-for-versioned-sgx_urts-library-in-PCKRetrievalT.patch
# https://github.com/intel/SGXDataCenterAttestationPrimitives/pull/429
Patch0104: 0104-Don-t-import-pypac-in-pccsadmin.patch
Patch0105: 0105-Look-for-PCKRetrievalTool-config-file-in-etc.patch
Patch0106: 0106-Honour-CFLAGS-CXXFLAGS-LDFLAGS-for-various-tools-and.patch
# https://github.com/intel/SGXDataCenterAttestationPrimitives/pull/428
Patch0107: 0107-qgs-add-space-between-program-name-first-arg-in-usag.patch
Patch0108: 0108-qgs-protect-against-format-strings-in-QL-log-message.patch
Patch0109: 0109-qgs-add-debug-parameter-to-control-logging.patch
Patch0110: 0110-pccsadmin-remove-leftover-debugging-print-args-state.patch
Patch0111: 0111-Fix-soname-version-for-libsgx_qe3_logic.so-library.patch
Patch0112: 0112-Workaround-broken-GCC-15.patch
Patch0113: 0113-Don-t-disable-cf-protection-for-qgs.patch
Patch0114: 0114-Delete-broken-checks-for-GCC-version-that-break-fsta.patch
#Patch0115: 0115-Use-distro-provided-rapidjson-package.patch
Patch0116: 0116-Don-t-stomp-on-VERBOSE-variable.patch
Patch0117: 0117-qgs-add-m-MODE-parameter-for-UNIX-socket-mode.patch
Patch0118: 0118-Switch-default-PCCS-port-number-from-8081-to-10801.patch
Patch0119: 0119-Sanitize-paths-to-all-resources-in-PCCS-server.patch
Patch0120: 0120-pccs-only-pass-ApiKey-if-it-is-set.patch
# 0200-0299 -> against intel-sgx-ssl.git
Patch0200: 0200-Enable-pointing-sgxssl-build-to-alternative-glibc-he.patch
Patch0201: 0201-Workaround-missing-output-directory.patch
Patch0202: 0202-Disable-various-EC-crypto-features.patch
Patch0203: 0203-Disable-sm2-and-sm4-crypto-algorithms.patch
# 0300-0399 -> against ipp-crypto.git
Patch0300: 0300-Drop-min-openssl-from-3.0.8-to-3.0.7.patch
Patch0301: 0301-Drop-Werror-from-build-flags.patch
BuildRequires: sgx-rpm-macros
BuildRequires: autoconf
BuildRequires: automake
BuildRequires: binutils
BuildRequires: libtool
BuildRequires: gcc
BuildRequires: gcc-c++
BuildRequires: make
BuildRequires: cmake
BuildRequires: ocaml
BuildRequires: ocaml-ocamlbuild
BuildRequires: openssl
BuildRequires: openssl-devel
BuildRequires: libcurl-devel
BuildRequires: chrpath
BuildRequires: python3-devel
BuildRequires: perl-generators
BuildRequires: perl-interpreter
BuildRequires: perl-devel
BuildRequires: perl(FindBin)
BuildRequires: perl(lib)
BuildRequires: perl(IPC::Cmd)
BuildRequires: nasm
BuildRequires: nodejs
BuildRequires: nodejs-devel
BuildRequires: nodejs-npm
BuildRequires: nodejs-packaging
BuildRequires: python-unversioned-command
BuildRequires: sqlite-devel
BuildRequires: systemd-rpm-macros
%if %{with_host_tinyxml2}
BuildRequires: tinyxml2-devel
%endif
%if %{with_aesm}
BuildRequires: CppMicroServices-devel
%endif
#BuildRequires: rapidjson-devel
BuildRequires: protobuf-compiler
BuildRequires: protobuf-devel
BuildRequires: boost-devel
%if 0%{?rhel}
BuildRequires: rust-toolset
%else
BuildRequires: cargo-rpm-macros
%endif
# If dpkg-architecture exists in $PATH, the Makefile
# will change all the install paths, breaking this
# spec's expected locations
BuildConflicts: dpkg-dev
# SGX is a technology that only exists in Intel x86 CPUs
ExclusiveArch: x86_64
%description
The Intel SGX SDK is a collection of APIs, libraries, documentations and
tools that allow software developers to create and debug Intel SGX
enabled applications in C/C++.
%package -n sgx-common
Summary: Intel SGX SDK & runtime common
%description -n sgx-common
Common files for the Intel SGX SDK & runtime
# We only provide the unsigned enclaves. The pre-built
# signed enclaves are shipped separately for ease of
# updating
#
# @arg1: base name of the enclave
# @arg2: boolean condition for whether to ship this enclave
# @arg3: version recorded in the sgx-enclave(NAME:unsigned) provides
#
# When arg2 is false the whole package stanza is skipped, so
# no sub-package exists for an enclave that is disabled above.
%global do_package() \
%if %2 \
%package -n sgx-enclave-latest-%1-unsigned \
Summary: SGX %1 enclave (unsigned, latest tool-chain) \
\
Provides: sgx-enclave(%1:unsigned) = %3 \
Provides: sgx-enclave(%1:unsigned:latest) = %3 \
Requires: sgx-common = %{version}-%{release} \
\
%description -n sgx-enclave-latest-%1-unsigned \
This package contains the unsigned SGX %1 enclave, \
built with latest tool-chain and libraries. \
\
%endif
# pce is versioned with the SGX release, the others with the
# DCAP release, matching which source tree each is built from
%do_package pce %{_with_enclave_pce} %{linux_sgx_version}
%do_package ide %{_with_enclave_ide} %{dcap_version}
%do_package qe3 %{_with_enclave_qe3} %{dcap_version}
%do_package tdqe %{_with_enclave_tdqe} %{dcap_version}
%do_package qve %{_with_enclave_qve} %{dcap_version}
%package -n sgx-enclave-devel
Summary: SGX enclave libraries development
Requires: sgx-libs = %{version}-%{release}
%description -n sgx-enclave-devel
This package contains the header files, libraries and tools required
to create SGX enclaves.
%package -n sgx-devel
Summary: SGX platform libraries development
Requires: sgx-libs = %{version}-%{release}
%description -n sgx-devel
This package contains the header files, libraries and tools required
to build applications that interact with SGX enclaves on the platform.
%package -n sgx-libs
Summary: SGX platform libraries runtime
Requires: sgx-common = %{version}-%{release}
%description -n sgx-libs
This package contains the runtime libraries and tools required
to run applications that interact with SGX enclaves on the platform.
%if %{with_aesm}
%package -n sgx-aesm
Summary: SGX platform Architectural Enclave Service Manager
Requires: CppMicroServices
Requires: sgx-libs = %{version}-%{release}
Suggests: sgx-enclave(pce:signed) >= %{enclave_pce_version}
Suggests: sgx-enclave(qe3:signed) >= %{enclave_qe3_version}
Suggests: sgx-enclave(qve:signed) >= %{enclave_qve_version}
Suggests: sgx-enclave(ide:signed) >= %{enclave_ide_version}
Suggests: sgx-enclave(tdqe:signed) >= %{enclave_tdqe_version}
%description -n sgx-aesm
This package contains the Architectural Enclave Service Manager
(AESM) daemon.
%endif
%package -n sgx-pccs
Summary: SGX Provisioning Certificate Caching Service
Requires: nodejs
Requires: sgx-mpa = %{version}-%{release}
%description -n sgx-pccs
SGX Provisioning Certificate Caching Service
%package -n sgx-pccs-admin
Summary: SGX Provisioning Certificate Caching Service Admin Tool
Requires: python3-asn1
Requires: python3-pyOpenSSL
Requires: python3-cryptography
Requires: python3-keyring
Requires: python3-requests
Requires: python3-urllib3
Requires: sgx-libs = %{version}-%{release}
# pccs admin tool can be used against a remote pccs
# so don't force a hard dep
Recommends: sgx-pccs = %{version}-%{release}
%description -n sgx-pccs-admin
SGX Provisioning Certificate Caching Service Admin Tool
%package -n sgx-pckid-tool
Summary: SGX PCK Cert ID Retrieval Tool
Requires: sgx-libs = %{version}-%{release}
%enclave_requires ide %{enclave_ide_version}
%enclave_requires pce %{enclave_pce_version}
%description -n sgx-pckid-tool
SGX PCK Cert ID Retrieval Tool
%package -n sgx-mpa
Summary: SGX Multi-package Registration Agent
Requires: sgx-libs = %{version}-%{release}
%description -n sgx-mpa
SGX Multi-package Registration Agent
%package -n tdx-qgs
Summary: TDX Quoting Generation Service
Requires: sgx-libs = %{version}-%{release}
# mpa provides auto-registration of the platform, if it
# is enabled in EFI. If not enabled, it is a no-op so
# safe to have installed by default regardless, but use
# weak dep to allow skipping for optimized installs
Recommends: sgx-mpa = %{version}-%{release}
# If auto-registration is not enabled, the pckid-tool
# is needed for manual registration; it is also useful
# misc admin tasks
Recommends: sgx-pckid-tool = %{version}-%{release}
# In internet isolated hosts pccs can be used to
# provide pre-cached certs, either running it on
# localhost or on the LAN. Weak dep though as it
# is expected that LAN deployment is more common
Suggests: sgx-pccs = %{version}-%{release}
%enclave_requires ide %{enclave_ide_version}
%enclave_requires pce %{enclave_pce_version}
%enclave_requires tdqe %{enclave_tdqe_version}
%description -n tdx-qgs
TDX Quoting Generation Service
%package -n tdx-attest-libs
Summary: TDX attestation libraries
Requires: sgx-common = %{version}-%{release}
%description -n tdx-attest-libs
TDX attestation libraries
This assists guest applications in attesting
their virtual machine environment.
%package -n tdx-attest-devel
Summary: TDX attestation libraries development
Requires: tdx-attest-libs = %{version}-%{release}
%description -n tdx-attest-devel
TDX attestation libraries development
This enables integration of support for attestation
in applications
%prep
%setup -q -n linux-sgx-sgx_%{linux_sgx_version}
# Patches 0-49 always apply; 50-99 are the optional set that
# drops AESM from the installer when it is not being built
%autopatch -m 0 -M 49 -p1
%if !%{with_aesm}
%autopatch -m 50 -M 99 -p1
%endif
############################################################
#
# 'make preparation' is required first build step, and would
# pull in many git submodules, apply patches for various
# things, download pre-built enclaves, etc.
#
# What follows simulates 'make preparation' with functionally
# equivalent actions to get the source tree setup in the
# expected manner for performing the build
#
############################################################
# Will use system package instead
rm -rf external/CppMicroServices
%if %{with_host_tinyxml2}
rm -rf external/tinyxml2
%endif
# Don't intend to package these optional bits since none of
# the required enclaves need this, and thus we can cut down
# on bundling some 3rd party code
rm -rf external/{dnnl,openmp,protobuf} sdk/sample_libcrypto
############################################################
# dcap
# Unpacked inside the linux-sgx tree because the two build
# systems consume each other's headers (see the bundling note
# at the top of the file); DCAP's own submodules are then
# filled in from the matching SourceN tarballs below
(
cd external/dcap_source
tar zxf %{SOURCE2} --strip 1
%autopatch -m 100 -M 199 -p1
# First of two sgxssl copies (the SDK gets its own further
# down); both receive the same 200-299 patch series and the
# same openssl tarball that sgxssl builds from
(
mkdir QuoteVerification/sgxssl
cd QuoteVerification/sgxssl
tar zxf %{SOURCE4} --strip 1
%autopatch -m 200 -M 299 -p1
cp %{SOURCE10} openssl_source/
)
(
cd QuoteVerification/QVL
tar zxf %{SOURCE7} --strip 1
)
(
cd QuoteVerification/QuoteVerificationService
tar zxf %{SOURCE8} --strip 1
)
(
cd external/jwt-cpp
tar zxf %{SOURCE12} --strip 1
)
(
cd external/wasm-micro-runtime
tar zxf %{SOURCE13} --strip 1
)
)
############################################################
# sgxssl
# Second sgxssl copy, this one for the SDK build
(
cd external/sgxssl
tar zxf %{SOURCE4} --strip 1
%autopatch -m 200 -M 299 -p1
cp %{SOURCE10} openssl_source/
)
############################################################
# ippcrypto
(
# XXX sanity check that all ipp-crypto is permitted by Fedora
cd external/ippcp_internal/ipp-crypto
tar zxf %{SOURCE5} --strip 1
%autopatch -m 300 -M 399 -p1
)
############################################################
# sgx-emm
(
cd external/sgx-emm/emm_src
tar zxf %{SOURCE6} --strip 1
)
# Helper shipped in the source tree; presumably links the
# unpacked emm sources into the locations the SDK build expects
./external/sgx-emm/create_symlink.sh
############################################################
# libcbor
# Two differently patched copies are made from the one tarball:
# libcbor gets raw_cbor.patch and sgx_libcbor gets sgx_cbor.patch
# (both patches live in external/cbor/ in the linux-sgx tree)
(
cd external/cbor/libcbor
tar zxf %{SOURCE11} --strip 1
cd ..
cp -a libcbor sgx_libcbor
cd libcbor
patch -p1 < ../raw_cbor.patch
cd ..
cd sgx_libcbor
patch -p1 < ../sgx_cbor.patch
)
############################################################
# tinyxml2
%if ! %{with_host_tinyxml2}
(
cd external/tinyxml2
tar zxf %{SOURCE14} --strip 1
)
%endif
############################################################
# prebuilt enclaves
# repack.sh strips pre-built enclaves we don't ship, but
# the build process still looks for them, so pretend
# everything exists
#
# These are zero-length placeholders, not enclaves: the signed
# enclaves are shipped by a separate package (see the do_package
# comment). NOTE(review): do_install only copies from the
# locally built directory (its arg3); confirm no later install
# step copies anything from these prebuilt directories.
mkdir -p psw/ae/data/prebuilt/
touch psw/ae/data/prebuilt/libsgx_{le,qe,pve,pce}.signed.so
(
cd external/dcap_source/QuoteGeneration
tar zxf %{SOURCE3}
# Again just pretend everything exists to placate build
touch psw/ae/data/prebuilt/libsgx_{pce,id_enclave,qe3,tdqe,qve}.signed.so
# the header files need to be up 1 level
#
# XXX these headers shouldn't really be needed, since DCAP
# already unpacks & build openssl as a side effect of
# sgxssl. Somewhere the headers from that build are discarded
# and QuoteVerification makefiles are set to look at these
# pre-built headers instead. This is a bug in DCAP that needs
# fixing and sending upstream
mkdir -p ../prebuilt/openssl/inc ../prebuilt/opa_bin
mv prebuilt/openssl/inc/* ../prebuilt/openssl/inc/
# Source3 contains a pre-built policy.wasm file which repack.sh
# purges. There are no instructions for how to create this file
# but the build system needs it to exist, so we touch it. Despite
# all this it never gets installed as while it was added to the
# BOM in dcap, it was missed from the BOMs in linux-sgx.
# https://github.com/intel/SGXDataCenterAttestationPrimitives/issues/427
touch ../prebuilt/opa_bin/policy.wasm
)
# Sanity check that upstream hasn't included more prebuilt
# files that we're not expecting and thus failed to purge
# in the repack.sh script.
#
# Runs over the whole tree, so it also covers objects hidden
# inside any of the bundled tarballs unpacked above. Only
# static archives and object files are matched; extending the
# check to shared objects would require excluding the empty
# *.signed.so placeholders created above.
find -name '*.a' -o -name '*.o' > prebuilt.txt
if test -s prebuilt.txt
then
echo "ERROR: Found pre-built files in source tree."
echo "ERROR: The following files must be removed from the source archives:"
cat prebuilt.txt
exit 1
fi
%build
# Workaround for cmake >= 4.0 which drops compat with
# cmake_minimum_required(VERSION 3.0.0)
export CMAKE_POLICY_VERSION_MINIMUM=3.5
############################################################
# First, build the SDK
# IPP Crypto needs to be pre-built for the SDK.
# Note, that the 'make clean' doesn't delete the
# output '.a' files we need, only the '.o' files
# So when complete we have 3 builds of IPP Crypto
# in external/ippcp_internal/lib/linux/intel64/
#
# The three variants are '' (no CVE-2020-0551 mitigation),
# LOAD and CF. Each pass cleans first so the '.o' files of
# the previous variant are never reused.
for mitigation in '' LOAD CF
do
%__make %{?_smp_mflags} \
-C external/ippcp_internal \
IPP_USE_GIT=0 \
clean
%__make %{?_smp_mflags} \
-C external/ippcp_internal \
MITIGATION-CVE-2020-0551=$mitigation \
IPP_USE_GIT=0
done
# Now we can build the actual SDK
# Same three mitigation variants, each preceded by a clean of
# both sdk/ and dcap_tvl. Note the order differs from the IPP
# loop and ends with '' - presumably so the unmitigated objects
# are what remains in sdk/ for the native rebuild below; confirm
# before reordering.
for mitigation in LOAD CF ''
do
%__make %{?_smp_mflags} \
-C sdk/ V=1 \
MITIGATION-CVE-2020-0551=$mitigation \
clean
%__make %{?_smp_mflags} \
-C external/dcap_source/QuoteVerification/dcap_tvl \
MITIGATION-CVE-2020-0551=$mitigation \
clean
# XXX temp override -j1 due to race conditions that have not yet been diagnosed
%__make %{?_smp_mflags} -j1 \
-C sdk/ V=1 \
MITIGATION-CVE-2020-0551=$mitigation \
USE_HOST_OPENSSL_CRYPTO=1 \
USE_HOST_TINYXML2=%{with_host_tinyxml2}
%__make %{?_smp_mflags} \
-C external/dcap_source/QuoteVerification/dcap_tvl \
MITIGATION-CVE-2020-0551=$mitigation
done
# Native (non-enclave) SDK components that run on the host OS
NATIVE="sign_tool/SignTool"
NATIVE="$NATIVE encrypt_enclave"
NATIVE="$NATIVE libcapable/linux"
NATIVE="$NATIVE debugger_interface/linux"
NATIVE="$NATIVE simulation"
# Most of 'sdk/' is enclave code, but there's some
# important native code we must now re-build with
# proper flags enabled to get distro hardening.
for dir in $NATIVE
do
%__make %{?_smp_mflags} \
-C sdk/$dir clean
# XXX temp override -j1 due to race conditions that have not yet been diagnosed
# Rebuild with the distro flags; the mitigation variable is
# cleared since these are host binaries (presumably it only
# affects enclave code)
CFLAGS="%{build_cflags}" \
CXXFLAGS="%{build_cxxflags}" \
LDFLAGS="%{build_ldflags}" \
%__make %{?_smp_mflags} -j1 \
-C sdk/$dir V=1 \
MITIGATION-CVE-2020-0551= \
USE_HOST_OPENSSL_CRYPTO=1 \
USE_HOST_TINYXML2=%{with_host_tinyxml2}
done
############################################################
# Second, install the SDK into a temporary tree, since this
# dir tree is needed by the next build phase.
# The SDK's own installer lays the tree out under build/vroot.
# Later make invocations point at it via SGX_SDK and the
# install phase finally moves its contents into the buildroot.
%global vroot build/vroot
./linux/installer/bin/build-installpkg.sh sdk cve-2020-0551
./linux/installer/bin/sgx_linux_x64_sdk_*.bin --prefix=%{vroot}
############################################################
# Third, build the AEs (Architectural Enclaves).
# XXX temp override -j1 due to race condition setting up sgxssl headers with QvE
#
# @arg1: boolean condition for whether to build this enclave
# @arg2: directory holding the enclave's Makefile
# @arg3: make target, i.e. the enclave shared object name
#
# Nothing is emitted when arg1 is false, so a disabled enclave
# is not built here at all.
%global do_build() \
%if %1 \
%if "%3" == "qve.so" \
%make_build -C %2 \\\
SGX_SDK=$(pwd)/%{vroot}/sgxsdk \\\
%3 -j1 \
%else \
%make_build -C %2 \\\
SGX_SDK=$(pwd)/%{vroot}/sgxsdk \\\
%3 \
%endif \
%endif
%do_build %{_with_enclave_pce} psw/ae/pce pce.so
%do_build %{_with_enclave_ide} external/dcap_source/QuoteGeneration/quote_wrapper/quote/id_enclave/linux id_enclave.so
%do_build %{_with_enclave_qe3} external/dcap_source/QuoteGeneration/quote_wrapper/quote/enclave/linux qe3.so
%do_build %{_with_enclave_tdqe} external/dcap_source/QuoteGeneration/quote_wrapper/tdx_quote/enclave/linux tdqe.so
%do_build %{_with_enclave_qve} external/dcap_source/QuoteVerification/QvE qve.so
############################################################
# Fourth, build the Platform Software
# XXX temp override -j1 due to race conditions that have not yet been diagnosed
#
# Perhaps 20% of the time it will fail with error like:
#
# /usr/bin/ld: /builddir/build/BUILD/linux-sgx-2.26-build/linux-sgx-sgx_2.26/common/se_wrapper_psw/libwrapper.a: error adding symbols: file format not recognized
#
# SGX_ENCLAVE_PATH sets the directory the runtime loads the
# architectural enclaves from (see Patch0102); it must match
# where the enclave packages install them.
CFLAGS="%{build_cflags}" \
CXXFLAGS="%{build_cxxflags}" \
LDFLAGS="%{build_ldflags}" \
%__make %{?_smp_mflags} -j1 \
-C psw/ V=1 VERBOSE=1 \
SGX_SDK=$(pwd)/%{vroot}/sgxsdk \
SGX_ENCLAVE_PATH=%{sgx_libdir} \
USE_HOST_OPENSSL_CRYPTO=1 \
USE_HOST_CPPMICROSERVICES=1
# XXX temp override -j1 due to race conditions that have not yet been diagnosed
CFLAGS="%{build_cflags}" \
CXXFLAGS="%{build_cxxflags}" \
LDFLAGS="%{build_ldflags}" \
%__make %{?_smp_mflags} -j1 \
-C external/dcap_source/ V=1 VERBOSE=1 \
SGX_SDK=$(pwd)/%{vroot}/sgxsdk \
SGX_ENCLAVE_PATH=%{sgx_libdir}
(
# PCCS NodeJS deps bundle
# Source53 is the node_modules tree pre-created by the Source52
# bundler; the steps below build the native addons it contains.
cd external/dcap_source
tar Jxvf %{SOURCE53}
cd QuoteGeneration/pccs
# Point node-sqlite3's gyp config at the system sqlite under
# /usr (lib64) instead of its 'internal' copy, so the addon
# links against the distro library (sqlite-devel)
perl -i -p -e 's,"sqlite%":"internal","sqlite%":"/usr",' node_modules/sqlite3/binding.gyp
perl -i -p -e 's,\(sqlite\)/lib,(sqlite)/lib64,' node_modules/sqlite3/binding.gyp
# Run each vendored module's own install lifecycle script, if it
# has one, to build its native addon; --nodedir=/usr presumably
# points node-gyp at the system Node headers (nodejs-devel).
# NOTE(review): whatever install script a module ships gets
# executed here, so the Source53 bundle is what has to be
# reviewed when auditing this step.
for pkg in node_modules/*
do
(
cd $pkg
npm run install --if-present --nodedir=/usr
)
done
# Keep brp-mangle-shebangs happy
find node_modules -type f -exec chmod -x {} \;
# Remove the RPATH recorded in the native addon
chrpath --delete node_modules/sqlite3/build/Release/node_sqlite3.node
# Build the Rust side of ffi-rs from the vendored crates in
# Source56 and drop it in as the prebuilt .node file the
# ffi-rs module expects
tar zxvf %{SOURCE55}
(
cd node-ffi-rs-%{node_ffi_rs_version}
tar zxvf %{SOURCE56}
%cargo_prep -v vendor
%cargo_build
mv target/rpm/libffi_rs.so ../node_modules/ffi-rs/ffi-rs.linux-x64-gnu.node
)
)
# SDK provides dummy stub libraries to deal with a circular
# build dependency problem where the PSW wants these libs
# before it has built its own real copies. Delete them now,
# since we've done the PSW build and don't want these dummy
# stubs installed
for i in epid launch quote_ex uae_service urts
do
rm -f %{vroot}/sgxsdk/lib64/libsgx_$i.so
done
rm -f %{vroot}/sgxsdk/lib64/libsgx_urts.so.2
# Pull together all license files relevant to the code
# that is known to be built into the enclaves
mkdir licenses
for f in License.txt \
external/epid-sdk/LICENSE.txt \
external/epid-sdk/ext/argtable3/LICENSE \
sdk/compiler-rt/LICENSE.TXT \
sdk/cpprt/linux/libunwind/LICENSE \
sdk/gperftools/gperftools-2.7/COPYING \
sdk/tlibcxx/LICENSE.TXT \
external/dcap_source/License.txt \
external/dcap_source/QuoteGeneration/ThirdPartyLicenses.txt \
external/dcap_source/tools/PCKRetrievalTool/License.txt \
external/dcap_source/tools/PCKRetrievalTool/ThirdPartyLicenseIndex.txt \
external/dcap_source/tools/PccsAdminTool/License.txt \
external/dcap_source/tools/SGXPlatformRegistration/inf/MPA_Network_Components/License.txt \
external/dcap_source/tools/SGXPlatformRegistration/inf/MPA_UEFI_Components/License.txt \
external/dcap_source/tools/SGXPlatformRegistration/license.txt
do
d=$(dirname $f)
mkdir -p licenses/$d
cp $f licenses/$f
done
%install
############################################################
# Install phase
#
# Upstream provides nothing like 'make install' that puts everything
# in the right place :-( so the build root is assembled by hand in
# the numbered steps that follow.
# Directories for software that runs on the host OS
%__install -d \
    %{buildroot}%{_bindir} \
    %{buildroot}%{_sbindir} \
    %{buildroot}%{_libdir}/pkgconfig \
    %{buildroot}%{_libexecdir} \
    %{buildroot}%{_datadir} \
    %{buildroot}%{_includedir} \
    %{buildroot}%{_unitdir} \
    %{buildroot}%{_sysusersdir} \
    %{buildroot}%{_udevrulesdir}
# Directories for software that runs inside enclaves
%__install -d \
    %{buildroot}%{sgx_includedir} \
    %{buildroot}%{sgx_libdir}
############################################################
# First the SDK pieces staged into the 'vroot' during the build:
# tools to bindir, enclave headers and static libs to the enclave
# tree, host-side shared libs and pkgconfig files to the normal
# libdir, and the gdb plugin to datadir
mv %{vroot}/sgxsdk/bin/sgx* %{buildroot}%{_bindir}/
mv %{vroot}/sgxsdk/bin/x64/sgx* %{buildroot}%{_bindir}/
mv %{vroot}/sgxsdk/include/* %{buildroot}%{sgx_includedir}/
mv %{vroot}/sgxsdk/lib64/libsgx*.a %{buildroot}%{sgx_libdir}/
mv %{vroot}/sgxsdk/lib64/libtdx*.a %{buildroot}%{sgx_libdir}/
mv %{vroot}/sgxsdk/lib64/libsgx*.so* %{buildroot}%{_libdir}/
mv %{vroot}/sgxsdk/lib64/gdb-sgx-plugin %{buildroot}%{_datadir}/sgx-gdb-plugin
mv %{vroot}/sgxsdk/pkgconfig/libsgx*pc %{buildroot}%{_libdir}/pkgconfig/
# Sample code is not shipped
rm -rf %{vroot}/sgxsdk/SampleCode
############################################################
# Second the (unsigned) architectural enclaves
#
# Each enclave is installed as an unversioned .so in the enclave
# libdir; only the unsigned objects are shipped from here.
# @arg1: boolean condition for whether to ship this enclave
# @arg2: base name of the enclave
# @arg3: directory containing locally built enclave
# @arg4: directory containing pre-built enclave
# @arg5: symbol name that defines the enclave SO version
#
# NOTE(review): as written the macro body only uses @arg1..@arg3;
# @arg4, @arg5 and the version_file assignments below are not consumed
# here. They look like leftovers of a scheme that read the SO version
# out of se_version.h -- confirm before depending on them.
%global do_install() \
%if %1 \
%__install -m 0755 %3/%2.so %{buildroot}%{sgx_libdir}/libsgx_%2.so \
%endif
version_file=common/inc/internal/se_version.h
%do_install %{_with_enclave_pce} pce psw/ae/pce psw/ae/data/prebuilt PCE_VERSION
version_file=external/dcap_source/QuoteGeneration/common/inc/internal/se_version.h
%do_install %{_with_enclave_ide} id_enclave external/dcap_source/QuoteGeneration/quote_wrapper/quote/id_enclave/linux external/dcap_source/QuoteGeneration/psw/ae/data/prebuilt IDE_VERSION
%do_install %{_with_enclave_qe3} qe3 external/dcap_source/QuoteGeneration/quote_wrapper/quote/enclave/linux external/dcap_source/QuoteGeneration/psw/ae/data/prebuilt QE3_VERSION
%do_install %{_with_enclave_tdqe} tdqe external/dcap_source/QuoteGeneration/quote_wrapper/tdx_quote/enclave/linux external/dcap_source/QuoteGeneration/psw/ae/data/prebuilt TDQE_VERSION
%do_install %{_with_enclave_qve} qve external/dcap_source/QuoteVerification/QvE external/dcap_source/QuoteGeneration/psw/ae/data/prebuilt QVE_VERSION
############################################################
# Third the Platform Software
#
# Neither of these fully installs all of the software, so we
# have to run both. There's a little overlap in what they
# install but that's harmless as duplicated content should
# match between them. For further info go to the source
# and compare:
#
# $ cd linux/installer/common
# $ diff -rup psw-dcap/BOM_install/ psw-tdx/BOM_install/
#
# Neutralise the CppMicroServices entry in the AESM BOM before it runs.
# NOTE(review): the sed script uses the 'g' command, which replaces a
# matching line with the (empty) hold space, i.e. it blanks the line
# rather than deleting it ('d' would delete) -- confirm that is intended
sed -i '/libCppMicroServices/g' linux/installer/common/psw-dcap/BOM_install/sgx-aesm-service.txt
%__make -I linux/installer/common/psw-dcap -f linux/installer/common/psw-dcap/Makefile SRCDIR=. DESTDIR=%{vroot}/psw install
%__make -I linux/installer/common/psw-tdx -f linux/installer/common/psw-tdx/Makefile SRCDIR=. DESTDIR=%{vroot}/psw install
# The above commands don't actually install into a single
# usable tree, instead they create multiple top level FS
# trees, each of which reflects the non-upstream Debian/RPM
# packages that Intel propose. These RPMs don't reflect the
# Fedora packaging guidelines, so we're ignoring their layout
# and re-arranging things in a more normal manner.
#
# First merge all the top level dirs together into one
# tree under the final build root (staged under vroot/root,
# then copied into buildroot/root as a whole)
mkdir %{vroot}/root
for dir in %{vroot}/psw/*
do
cp -a $dir/* %{vroot}/root/
done
cp -a %{vroot}/root/ %{buildroot}/root
# Second, re-arrange the content to match the normal tree
# layout Fedora expects. We rm/rmdir any bits we don't
# want, such that RPM will warn about any files left in
# the build root that aren't listed as 'files', so we catch
# new files appearing in future versions
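############################################################
# Host AESM service
#
# Only packaged when with_aesm is enabled; otherwise the AESM files the
# BOM install produced are purged below so nothing of it ships.
%if %{with_aesm}
%__install -d %{buildroot}%{_sysconfdir}/aesmd
%__install -d %{buildroot}%{_libdir}/aesmd
%__install -d %{buildroot}%{_datadir}/aesmd
%__install -d %{buildroot}%{_sharedstatedir}/aesmd
%__install -d %{buildroot}%{_rundir}/aesmd
%endif
# Enclaves to be provided by a separate package, so we purge these
rm -f %{buildroot}/root/opt/intel/sgx-aesm-service/aesm/*signed.so*
%if %{with_aesm}
# Upstream helper scripts and the private urts copy are not wanted;
# the real libsgx_urts comes from sgx-libs
rm -f %{buildroot}/root/opt/intel/sgx-aesm-service/aesm/linksgx.sh
rm -f %{buildroot}/root/opt/intel/sgx-aesm-service/aesm/libsgx_urts.so.2
rm -f %{buildroot}/root/opt/intel/sgx-aesm-service/startup.sh
rm -f %{buildroot}/root/opt/intel/sgx-aesm-service/cleanup.sh
# Data files go to datadir, the service's private libs to libdir/aesmd
mv %{buildroot}/root/opt/intel/sgx-aesm-service/aesm/le_prod_css.bin %{buildroot}%{_datadir}/aesmd/
mv %{buildroot}/root/var/opt/aesmd/data/white_list_cert_to_be_verify.bin %{buildroot}%{_datadir}/aesmd/
rmdir %{buildroot}/root/var/opt/aesmd/data/
rmdir %{buildroot}/root/var/opt/aesmd
mv %{buildroot}/root/opt/intel/sgx-aesm-service/aesm/* %{buildroot}%{_libdir}/aesmd/
rmdir %{buildroot}/root/opt/intel/sgx-aesm-service/aesm
rmdir %{buildroot}/root/opt/intel/sgx-aesm-service
mv %{buildroot}/root/etc/aesmd.conf %{buildroot}%{_sysconfdir}/
# Workarounds for code that assumes all files are in the same dir
# XXX patch the source to just look in the right place to begin with
ln -s ../../..%{_sysconfdir}/aesmd.conf \
%{buildroot}%{_libdir}/aesmd/aesmd.conf
ln -s ../../..%{_datadir}/aesmd/le_prod_css.bin \
%{buildroot}%{_libdir}/aesmd/le_prod_css.bin
ln -s ../../..%{_datadir}/aesmd/white_list_cert_to_be_verify.bin \
%{buildroot}%{_libdir}/aesmd/white_list_cert_to_be_verify.bin
# XXX it looks for files relative to its binary, so we
# need this wrapper. Patch the source and kill this
#
# Written with '>' rather than '>>' so a pre-existing file can never
# leave stale content behind, matching the pccsadmin wrapper below
cat > %{buildroot}%{_sbindir}/aesmd <<EOF
#!/bin/sh
export LD_LIBRARY_PATH=%{_libdir}/aesmd/
exec %{_libdir}/aesmd/aesm_service "\$@"
EOF
# Explicit mode rather than 'chmod +x', whose result depends on the
# build umask
chmod 0755 %{buildroot}%{_sbindir}/aesmd
rm -f %{buildroot}/root/lib/systemd/system/aesmd.service
# sysusers.d entries and unit files are data, not executables, so
# force 0644 (install's default mode is 0755)
%__install -m 0644 %{SOURCE40} %{buildroot}%{_sysusersdir}/aesmd.conf
%__install -m 0644 %{SOURCE41} %{buildroot}%{_unitdir}/aesmd.service
%else
rm -f %{buildroot}/root/opt/intel/sgx-aesm-service/aesm/le_prod_css.bin
rmdir %{buildroot}/root/opt/intel/sgx-aesm-service/aesm
rmdir %{buildroot}/root/opt/intel/sgx-aesm-service
%endif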
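############################################################
# Host PCCS service
# Home dir for 'pccs' user
%__install -d %{buildroot}%{_sharedstatedir}/pccs
%__install -d %{buildroot}%{_localstatedir}/log/pccs
%__install -d %{buildroot}%{_sysconfdir}/pccs
%__install -d %{buildroot}%{_sysconfdir}/pccs/ssl
%__install -d %{buildroot}%{nodejs_sitearch}/pccs
# The PCK cert selection helper is a normal host library: give it a
# versioned name plus the bare development symlink
mv %{buildroot}/root/opt/intel/sgx-dcap-pccs/lib/libPCKCertSelection.so \
%{buildroot}%{_libdir}/libPCKCertSelection.so.1
ln -s libPCKCertSelection.so.1 %{buildroot}%{_libdir}/libPCKCertSelection.so
# Service configuration lives under sysconfdir, the node application
# under the nodejs arch-specific site dir
mv %{buildroot}/root/opt/intel/sgx-dcap-pccs/config/default.json \
%{buildroot}%{_sysconfdir}/pccs/default.json
rmdir %{buildroot}/root/opt/intel/sgx-dcap-pccs/config
rm -f %{buildroot}/root/lib/systemd/system/pccs.service
mv %{buildroot}/root/opt/intel/sgx-dcap-pccs/* \
%{buildroot}%{nodejs_sitearch}/pccs
rmdir %{buildroot}/root/opt/intel/sgx-dcap-pccs
(
# Node JS deps bundle
cd external/dcap_source/QuoteGeneration/pccs
# NOTE(review): this acts on the source tree after the BOM install has
# already copied it, so it cannot change what is packaged; if install.sh
# and README.md must stay out of the package they need removing from
# the build root instead -- confirm
rm -f install.sh README.md
# So find-debuginfo processes it
chmod +x node_modules/sqlite3/build/Release/node_sqlite3.node
cp -a node_modules %{buildroot}%{nodejs_sitearch}/pccs/node_modules
)
# Wrapper so the service can be started by a plain path. Written with
# '>' (not '>>') so a stale file never accumulates content, using the
# same shebang as the other wrappers, and forwarding any arguments the
# way the aesmd and pccsadmin wrappers do
cat > %{buildroot}%{_sbindir}/pccs <<EOF
#!/bin/sh
exec node %{nodejs_sitearch}/pccs/pccs_server.js "\$@"
EOF
# Explicit mode rather than 'chmod +x', whose result depends on the
# build umask
chmod 0755 %{buildroot}%{_sbindir}/pccs
%__install -m 0644 %{SOURCE50} %{buildroot}%{_sysusersdir}/pccs.conf
%__install -m 0644 %{SOURCE51} %{buildroot}%{_unitdir}/pccs.service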
############################################################
# Host PCCS admin tool
#
# Shipped as a private copy under datadir with a thin wrapper in
# bindir, so nothing is installed into the system python path
%if %{with_pccsadmin}
%__install -d %{buildroot}%{_datadir}/pccsadmin
cp external/dcap_source/tools/PccsAdminTool/pccsadmin.py %{buildroot}%{_datadir}/pccsadmin/pccsadmin.py
cp -a external/dcap_source/tools/PccsAdminTool/lib %{buildroot}%{_datadir}/pccsadmin/lib
# The wrapper forwards all of its arguments to the script
cat > %{buildroot}%{_bindir}/pccsadmin <<EOF
#!/bin/sh
exec python3 %{_datadir}/pccsadmin/pccsadmin.py "\$@"
EOF
chmod +x %{buildroot}%{_bindir}/pccsadmin
%endif
############################################################
# Host PCK ID tool
#
# Relocated from the upstream /opt layout: the binary goes to bindir
# and its network config to sysconfdir; docs and licenses that the BOM
# drops next to the binary are removed (the README is picked up from
# the source tree in the files list instead)
%__install -d %{buildroot}%{_sysconfdir}/PCKIDRetrievalTool/
# XXX must patch source to look in sysconfdir
mv %{buildroot}/root/opt/intel/sgx-pck-id-retrieval-tool/PCKIDRetrievalTool \
%{buildroot}%{_bindir}/
mv %{buildroot}/root/opt/intel/sgx-pck-id-retrieval-tool/network_setting.conf \
%{buildroot}%{_sysconfdir}/PCKIDRetrievalTool/network_setting.conf
rm -f %{buildroot}/root/opt/intel/sgx-pck-id-retrieval-tool/License.txt
rm -f %{buildroot}/root/opt/intel/sgx-pck-id-retrieval-tool/README.txt
# Enclaves to be provided by a separate package, so we purge these
rm -f %{buildroot}/root/opt/intel/sgx-pck-id-retrieval-tool/libsgx_pce.signed.so.1
rm -f %{buildroot}/root/opt/intel/sgx-pck-id-retrieval-tool/libsgx_id_enclave.signed.so.1
rmdir %{buildroot}/root/opt/intel/sgx-pck-id-retrieval-tool
############################################################
# Registration agent
#
# mpa_manage goes to bindir, mpa_registration to sbindir, the config
# to sysconfdir; upstream's unit file and tool config are dropped in
# favour of our own unit file
mv %{buildroot}/root/opt/intel/sgx-ra-service/mpa_manage \
%{buildroot}%{_bindir}/mpa_manage
mv %{buildroot}/root/opt/intel/sgx-ra-service/mpa_registration \
%{buildroot}%{_sbindir}/mpa_registration
mv %{buildroot}/root/etc/mpa_registration.conf \
%{buildroot}%{_sysconfdir}/mpa_registration.conf
rm -f %{buildroot}/root/opt/intel/sgx-ra-service/mpa_registration_tool.conf
rm -f %{buildroot}/root/opt/intel/sgx-ra-service/mpa_registration_tool.service
# Plain 'rm' (no -f) here, unlike the surrounding lines: presumably so
# the build fails loudly if upstream stops shipping these helper scripts
rm %{buildroot}/root/opt/intel/sgx-ra-service/startup.sh
rm %{buildroot}/root/opt/intel/sgx-ra-service/cleanup.sh
rmdir %{buildroot}/root/opt/intel/sgx-ra-service
%__install -m 0644 %{SOURCE48} %{buildroot}%{_unitdir}/mpa_registration.service
# Public headers and host libraries of the multi-package (MP)
# registration API
mv %{buildroot}/root/usr/include/{mp*,MP*,MultiPackageDefs}.h \
%{buildroot}%{_includedir}/
mv %{buildroot}/root/usr/lib64/libmpa*.so* \
%{buildroot}%{_libdir}/
############################################################
# Host TDX quote generation service
#
# State dir for the 'qgs' user, runtime dir, and the sysconfig dir
# for the environment file installed below
%__install -d %{buildroot}%{_sharedstatedir}/qgs
# XXX patch source to just 'qgs' instead of 'tdx-qgs' ?
%__install -d %{buildroot}%{_rundir}/tdx-qgs
%__install -d %{buildroot}%{_sysconfdir}/sysconfig
mv %{buildroot}/root/etc/qgs.conf \
%{buildroot}%{_sysconfdir}/qgs.conf
mv %{buildroot}/root/opt/intel/tdx-qgs/qgs \
%{buildroot}%{_sbindir}/qgs
# Switch from vsock to unix socket to avoid exposing it
# to all VMs unconditionally (every line of qgs.conf that
# starts with 'port' is commented out)
sed -i -e 's/^port/#port/' %{buildroot}%{_sysconfdir}/qgs.conf
# Upstream helper scripts are not wanted
rm -f %{buildroot}/root/opt/intel/tdx-qgs/linksgx.sh
rm -f %{buildroot}/root/opt/intel/tdx-qgs/cleanup.sh
rm -f %{buildroot}/root/opt/intel/tdx-qgs/startup.sh
rmdir %{buildroot}/root/opt/intel/tdx-qgs
# Our own sysusers entry, unit file and sysconfig environment file
%__install -m 0644 %{SOURCE44} %{buildroot}%{_sysusersdir}/qgs.conf
%__install -m 0644 %{SOURCE45} %{buildroot}%{_unitdir}/qgs.service
%__install -m 0644 %{SOURCE46} %{buildroot}%{_sysconfdir}/sysconfig/qgs
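############################################################
# Common libraries
# Enclaves to be provided by a separate package, so we purge these
rm -f %{buildroot}/root/usr/lib64/lib*signed.so*
# Normal host libraries
mv %{buildroot}/root/usr/lib64/lib* %{buildroot}/%{_libdir}/
# Some overlap with what's in the enclave include dir, but that dir is
# intended exclusively for building enclave code, while the host
# include dir is for stuff that's exclusively host code
mv %{buildroot}/root/usr/include/*.h %{buildroot}/%{_includedir}/
# Weirdly missing, but required by other headers that are present
for i in 3 4 5
do
cp %{buildroot}%{sgx_includedir}/sgx_quote_$i.h %{buildroot}/%{_includedir}/
done
mv %{buildroot}/root/etc/sgx_default_qcnl.conf \
%{buildroot}%{_sysconfdir}/
# Default to the public API service. If users do deploy pccs
# it probably makes more sense to do so on the LAN, so don't
# assume localhost deployment. This also allows out of the box
# usage without having to create a local x509 CA for PCCS.
perl -i -p -e 's,https://localhost:10801/sgx/certification/v4/,https://api.trustedservices.intel.com/sgx/certification/v4/,' \
%{buildroot}%{_sysconfdir}/sgx_default_qcnl.conf
# sysusers.d entries and udev rules are data, not executables, so
# force 0644 (install's default mode is 0755)
%__install -m 0644 %{SOURCE42} %{buildroot}%{_sysusersdir}/sgxprv.conf
%__install -m 0644 %{SOURCE43} %{buildroot}%{_udevrulesdir}/92-sgx-provision.rules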
############################################################
# Misc cleanup
# Irrelevant for Fedora context
rm -f %{buildroot}/root/usr/lib/systemd/system/remount-dev-exec.service
# We apply our own unit files for services
rm -f %{buildroot}/root/lib/systemd/system/mpa_registration_tool.service
rm -f %{buildroot}/root/lib/systemd/system/qgsd.service
rm -rf %{buildroot}/root/sample
# Upstream's udev rules are dropped; device access for provisioning
# is covered by our own 92-sgx-provision.rules installed above
rm -f %{buildroot}/root/etc/udev/rules.d/93-sgx-provision.rules
rm -f %{buildroot}/root/etc/udev/rules.d/91-sgx-enclave.rules
rm -f %{buildroot}/root/License.txt
# Intentionally not recursive delete, as we want build to fail
# to alert us if a future release adds more files that need handling
rmdir %{buildroot}/root/etc/udev/rules.d/
rmdir %{buildroot}/root/etc/udev
rmdir %{buildroot}/root/etc/
rmdir %{buildroot}/root/lib/systemd/system
rmdir %{buildroot}/root/lib/systemd
rmdir %{buildroot}/root/lib
rmdir %{buildroot}/root/usr/lib/systemd/system
rmdir %{buildroot}/root/usr/lib/systemd
rmdir %{buildroot}/root/usr/lib/
rmdir %{buildroot}/root/usr/lib64
rmdir %{buildroot}/root/usr/include
rmdir %{buildroot}/root/usr/
# /var only ever holds AESM state, so it only exists in that build
%if %{with_aesm}
rmdir %{buildroot}/root/var/opt
rmdir %{buildroot}/root/var
%endif
rmdir %{buildroot}/root/opt/intel
rmdir %{buildroot}/root/opt
rmdir %{buildroot}/root
############################################################
# Fix ups - for some reason the PSW BOM files miss a few bits
#
# Host headers the BOM install forgets to copy
cp ./external/dcap_source/tools/PCKCertSelection/include/pck_cert_selection.h %{buildroot}%{_includedir}
cp ./external/dcap_source/QuoteGeneration/qpl/inc/sgx_default_quote_provider.h %{buildroot}%{_includedir}
cp ./external/dcap_source/QuoteGeneration/quote_wrapper/quote/inc/sgx_ql_core_wrapper.h %{buildroot}%{_includedir}
# libsgx_qe3_logic.so arrives unversioned; give it the same .so.1
# layout as its sibling libraries so sgx-libs can ship the versioned
# name and sgx-devel the bare symlink.
# NOTE(review): the library's embedded SONAME (if any) is not checked
# here -- confirm it matches the .so.1 name, otherwise the runtime
# linker will look for something else
mv %{buildroot}%{_libdir}/libsgx_qe3_logic.so \
%{buildroot}%{_libdir}/libsgx_qe3_logic.so.1.0.0
ln -s libsgx_qe3_logic.so.1.0.0 %{buildroot}%{_libdir}/libsgx_qe3_logic.so.1
ln -s libsgx_qe3_logic.so.1 %{buildroot}%{_libdir}/libsgx_qe3_logic.so
############################################################
# Scriptlets
#
# Each sub-package that runs as its own user creates that user from its
# sysusers.d entry in a pre scriptlet (only on distros that still need
# the compat helper), and each service sub-package hooks its unit into
# systemd with the standard post/preun/postun macros.
%if %{with_sysusers_scripts}
%pre -n sgx-libs
%sysusers_create_compat %{SOURCE42}
%endif
%post -n sgx-libs
# Let a running system pick up the new provisioning device rule without
# a reboot; skipped when udev is not running (e.g. inside a chroot)
if [ -S /run/udev/control ]; then
udevadm control --reload
udevadm trigger --property-match=DEVNAME=/dev/sgx_provision
fi
%if %{with_aesm}
%if %{with_sysusers_scripts}
%pre -n sgx-aesm
%sysusers_create_compat %{SOURCE40}
%endif
%post -n sgx-aesm
%systemd_post aesmd.service
%preun -n sgx-aesm
%systemd_preun aesmd.service
%postun -n sgx-aesm
%systemd_postun_with_restart aesmd.service
%endif
%post -n sgx-mpa
%systemd_post mpa_registration.service
%preun -n sgx-mpa
%systemd_preun mpa_registration.service
%postun -n sgx-mpa
%systemd_postun_with_restart mpa_registration.service
%if %{with_sysusers_scripts}
%pre -n sgx-pccs
%sysusers_create_compat %{SOURCE50}
%endif
%post -n sgx-pccs
%systemd_post pccs.service
%preun -n sgx-pccs
%systemd_preun pccs.service
%postun -n sgx-pccs
%systemd_postun_with_restart pccs.service
%if %{with_sysusers_scripts}
%pre -n tdx-qgs
%sysusers_create_compat %{SOURCE44}
%endif
%post -n tdx-qgs
%systemd_post qgs.service
%preun -n tdx-qgs
%systemd_preun qgs.service
%postun -n tdx-qgs
%systemd_postun_with_restart qgs.service
# One sub-package per unsigned architectural enclave, emitted only when
# the matching build condition is on.
# @arg1: sub-package name suffix
# @arg2: base name of the enclave .so
# @arg3: boolean condition for whether to ship this enclave
# Note the argument order differs from do_install in the install
# phase, where the condition is the first argument rather than the last.
%global do_files() \
%if %3 \
%files -n sgx-enclave-latest-%1-unsigned \
%dir %{sgx_prefix} \
%dir %{sgx_libdir} \
%{sgx_libdir}/libsgx_%2.so \
%endif
%do_files pce pce %{_with_enclave_pce}
%do_files ide id_enclave %{_with_enclave_ide}
%do_files qe3 qe3 %{_with_enclave_qe3}
%do_files tdqe tdqe %{_with_enclave_tdqe}
%do_files qve qve %{_with_enclave_qve}
%files -n sgx-common
# License texts collected during the build phase
%license licenses/
%files -n sgx-enclave-devel
# Tools, gdb plugin, enclave headers and static libraries used to build
# enclave code, plus the unversioned host libraries the SDK build
# produced (mostly the *_sim simulation variants) and their pkgconfig
# files
%{_bindir}/sgx_edger8r
%{_bindir}/sgx_sign
%{_bindir}/sgx_encrypt
%{_bindir}/sgx-gdb
%{_bindir}/sgx_config_cpusvn
%dir %{_datadir}/sgx-gdb-plugin/
%{_datadir}/sgx-gdb-plugin/gdb_sgx_cmd
%{_datadir}/sgx-gdb-plugin/gdb_sgx_plugin.py
%{_datadir}/sgx-gdb-plugin/load_symbol_cmd.py
%{_datadir}/sgx-gdb-plugin/printers.py
%{_datadir}/sgx-gdb-plugin/readelf.py
%{_datadir}/sgx-gdb-plugin/sgx_emmt.py
# The enclave tree root is also owned by each enclave sub-package
%dir %{sgx_prefix}
%dir %{sgx_includedir}/
%{sgx_includedir}/libcxx/
%{sgx_includedir}/stdc++/
%{sgx_includedir}/tlibc/
%{sgx_includedir}/sgx.h
%{sgx_includedir}/sgx_attributes.h
%{sgx_includedir}/sgx_capable.h
%{sgx_includedir}/sgx_cpuid.h
%{sgx_includedir}/sgx_dcap_qae_tvl.h
%{sgx_includedir}/sgx_dcap_qal.h
%{sgx_includedir}/sgx_dcap_tvl.h
%{sgx_includedir}/sgx_defs.h
%{sgx_includedir}/sgx_dh.h
%{sgx_includedir}/sgx_ecp_types.h
%{sgx_includedir}/sgx_edger8r.h
%{sgx_includedir}/sgx_eid.h
%{sgx_includedir}/sgx_enclave_common.h
%{sgx_includedir}/sgx_error.h
%{sgx_includedir}/sgx_intrin.h
%{sgx_includedir}/sgx_key.h
%{sgx_includedir}/sgx_key_exchange.h
%{sgx_includedir}/sgx_lfence.h
%{sgx_includedir}/sgx_mm.h
%{sgx_includedir}/sgx_pce.h
%{sgx_includedir}/sgx_pcl_guid.h
%{sgx_includedir}/sgx_ql_lib_common.h
%{sgx_includedir}/sgx_ql_quote.h
%{sgx_includedir}/sgx_quote.h
%{sgx_includedir}/sgx_quote_3.h
%{sgx_includedir}/sgx_quote_4.h
%{sgx_includedir}/sgx_quote_5.h
%{sgx_includedir}/sgx_qve_header.h
%{sgx_includedir}/sgx_report.h
%{sgx_includedir}/sgx_report2.h
%{sgx_includedir}/sgx_rsrv_mem_mngr.h
%{sgx_includedir}/sgx_secure_align.h
%{sgx_includedir}/sgx_secure_align_api.h
%{sgx_includedir}/sgx_spinlock.h
%{sgx_includedir}/sgx_tcrypto.h
%{sgx_includedir}/sgx_thread.h
%{sgx_includedir}/sgx_tkey_exchange.h
%{sgx_includedir}/sgx_tprotected_fs.h
%{sgx_includedir}/sgx_trts.h
%{sgx_includedir}/sgx_trts_aex.h
%{sgx_includedir}/sgx_trts_exception.h
%{sgx_includedir}/sgx_tseal.h
%{sgx_includedir}/sgx_ttls.h
%{sgx_includedir}/sgx_uae_epid.h
%{sgx_includedir}/sgx_uae_launch.h
%{sgx_includedir}/sgx_uae_quote_ex.h
%{sgx_includedir}/sgx_uae_service.h
%{sgx_includedir}/sgx_ukey_exchange.h
%{sgx_includedir}/sgx_urts.h
%{sgx_includedir}/sgx_uswitchless.h
%{sgx_includedir}/sgx_utils.h
%{sgx_includedir}/sgx_utls.h
%{sgx_includedir}/sgx_dcap_tvl.edl
%{sgx_includedir}/sgx_pthread.edl
%{sgx_includedir}/sgx_tkey_exchange.edl
%{sgx_includedir}/sgx_tprotected_fs.edl
%{sgx_includedir}/sgx_tstdc.edl
%{sgx_includedir}/sgx_tswitchless.edl
%{sgx_includedir}/sgx_ttls.edl
%{sgx_includedir}/ipp/
%dir %{sgx_libdir}/
%{sgx_libdir}/libsgx_capable.a
%{sgx_libdir}/libsgx_dcap_tvl.a
%{sgx_libdir}/libsgx_ossl_fips.a
%{sgx_libdir}/libsgx_pcl.a
%{sgx_libdir}/libsgx_pclsim.a
%{sgx_libdir}/libsgx_pthread.a
%{sgx_libdir}/libsgx_tcmalloc.a
%{sgx_libdir}/libsgx_tcrypto.a
%{sgx_libdir}/libsgx_tcxx.a
%{sgx_libdir}/libsgx_tkey_exchange.a
%{sgx_libdir}/libsgx_tprotected_fs.a
%{sgx_libdir}/libsgx_trts.a
%{sgx_libdir}/libsgx_trts_sim.a
%{sgx_libdir}/libsgx_tservice.a
%{sgx_libdir}/libsgx_tservice_sim.a
%{sgx_libdir}/libsgx_tstdc.a
%{sgx_libdir}/libsgx_tswitchless.a
%{sgx_libdir}/libsgx_ttls.a
%{sgx_libdir}/libsgx_ukey_exchange.a
%{sgx_libdir}/libsgx_uprotected_fs.a
%{sgx_libdir}/libsgx_uswitchless.a
%{sgx_libdir}/libsgx_utls.a
%{sgx_libdir}/libtdx_tls.a
%{_libdir}/libsgx_capable.so
%{_libdir}/libsgx_epid_sim.so
%{_libdir}/libsgx_launch_sim.so
%{_libdir}/libsgx_ptrace.so
%{_libdir}/libsgx_quote_ex_sim.so
%{_libdir}/libsgx_uae_service_sim.so
%{_libdir}/libsgx_urts_sim.so
%{_libdir}/pkgconfig/libsgx_epid_sim.pc
%{_libdir}/pkgconfig/libsgx_launch_sim.pc
%{_libdir}/pkgconfig/libsgx_quote_ex_sim.pc
%{_libdir}/pkgconfig/libsgx_uae_service_sim.pc
%{_libdir}/pkgconfig/libsgx_urts_sim.pc
%files -n sgx-devel
# Host-side development files: headers and the unversioned .so
# symlinks / pkgconfig files matching the runtime libs in sgx-libs
%{_includedir}/MPNetwork.h
%{_includedir}/MPNetworkDefs.h
%{_includedir}/MPUefi.h
%{_includedir}/MultiPackageDefs.h
%{_includedir}/mp_network.h
%{_includedir}/mp_uefi.h
%{_includedir}/pck_cert_selection.h
%{_includedir}/sgx_attributes.h
%{_includedir}/sgx_dcap_ql_wrapper.h
%{_includedir}/sgx_dcap_quoteverify.h
%{_includedir}/sgx_default_quote_provider.h
%{_includedir}/sgx_defs.h
%{_includedir}/sgx_eid.h
%{_includedir}/sgx_enclave_common.h
%{_includedir}/sgx_error.h
%{_includedir}/sgx_key.h
%{_includedir}/sgx_pce.h
%{_includedir}/sgx_ql_core_wrapper.h
%{_includedir}/sgx_ql_lib_common.h
%{_includedir}/sgx_ql_quote.h
%{_includedir}/sgx_quote.h
%{_includedir}/sgx_quote_3.h
%{_includedir}/sgx_quote_4.h
%{_includedir}/sgx_quote_5.h
%{_includedir}/sgx_qve_header.h
%{_includedir}/sgx_report.h
%{_includedir}/sgx_uae_epid.h
%{_includedir}/sgx_uae_launch.h
%{_includedir}/sgx_uae_quote_ex.h
%{_includedir}/sgx_urts.h
%{_includedir}/td_ql_wrapper.h
%{_libdir}/libmpa_network.so
%{_libdir}/libmpa_uefi.so
%{_libdir}/libdcap_quoteprov.so
%{_libdir}/libsgx_dcap_ql.so
%{_libdir}/libsgx_dcap_quoteverify.so
%{_libdir}/libsgx_default_qcnl_wrapper.so
%{_libdir}/libsgx_enclave_common.so
%{_libdir}/libsgx_epid.so
%{_libdir}/libsgx_launch.so
%{_libdir}/libsgx_pce_logic.so
%{_libdir}/libsgx_qe3_logic.so
%{_libdir}/libsgx_quote_ex.so
%{_libdir}/libsgx_tdx_logic.so
%{_libdir}/libsgx_uae_service.so
%{_libdir}/libsgx_urts.so
%{_libdir}/libPCKCertSelection.so
%{_libdir}/pkgconfig/libsgx_epid.pc
%{_libdir}/pkgconfig/libsgx_launch.pc
%{_libdir}/pkgconfig/libsgx_quote_ex.pc
%{_libdir}/pkgconfig/libsgx_uae_service.pc
%{_libdir}/pkgconfig/libsgx_urts.pc
%files -n sgx-libs
# Host runtime libraries, the QCNL config (rewritten during install to
# point at Intel's public PCS by default), the provisioning device
# udev rule and the sysusers entry for the group it grants access to
%config(noreplace) %{_sysconfdir}/sgx_default_qcnl.conf
%{_sysusersdir}/sgxprv.conf
%dir %{_udevrulesdir}
%{_udevrulesdir}/92-sgx-provision.rules
%{_libdir}/libdcap_quoteprov.so.1*
%{_libdir}/libmpa_network.so.1*
%{_libdir}/libmpa_uefi.so.1*
%{_libdir}/libsgx_default_qcnl_wrapper.so.1*
%{_libdir}/libsgx_dcap_ql.so.1*
%{_libdir}/libsgx_dcap_quoteverify.so.1*
%{_libdir}/libsgx_enclave_common.so.1*
%{_libdir}/libsgx_epid.so.1*
%{_libdir}/libsgx_launch.so.1*
%{_libdir}/libsgx_pce_logic.so.1*
%{_libdir}/libsgx_qe3_logic.so.1*
%{_libdir}/libsgx_quote_ex.so.1*
%{_libdir}/libsgx_tdx_logic.so.1*
%{_libdir}/libsgx_uae_service.so.2*
%{_libdir}/libsgx_urts.so.2*
%{_libdir}/libPCKCertSelection.so.1*
%if %{with_aesm}
%files -n sgx-aesm
# Wrapper script, unit file, config, and the service's private library
# dir; aesmd.conf, le_prod_css.bin and white_list_cert_to_be_verify.bin
# under the libdir are the compatibility symlinks created at install
%{_sbindir}/aesmd
%{_unitdir}/aesmd.service
%config(noreplace) %{_sysconfdir}/aesmd.conf
%dir %{_libdir}/aesmd
%dir %{_libdir}/aesmd/bundles
%{_libdir}/aesmd/aesm_service
%{_libdir}/aesmd/bundles/libecdsa_quote_service_bundle.so
%{_libdir}/aesmd/bundles/libepid_quote_service_bundle.so
%{_libdir}/aesmd/bundles/lible_launch_service_bundle.so
%{_libdir}/aesmd/bundles/liblinux_network_service_bundle.so
%{_libdir}/aesmd/bundles/libpce_service_bundle.so
%{_libdir}/aesmd/bundles/libquote_ex_service_bundle.so
%{_libdir}/aesmd/aesmd.conf
%{_libdir}/aesmd/le_prod_css.bin
%{_libdir}/aesmd/liboal.so
%{_libdir}/aesmd/libipc.so
%{_libdir}/aesmd/libutils.so
%{_libdir}/aesmd/liburts_internal.so
%{_libdir}/aesmd/white_list_cert_to_be_verify.bin
%dir %{_datadir}/aesmd/
%{_datadir}/aesmd/white_list_cert_to_be_verify.bin
%{_datadir}/aesmd/le_prod_css.bin
# NOTE(review): unlike the pccs/qgs state dirs below, this entry and
# the rundir one carry no directory marker; both dirs are empty at
# build time so the result is the same today, but marking them as
# directories keeps stray files from being packaged silently should a
# future build drop something in there
%attr(0700,aesmd,aesmd) %{_sharedstatedir}/aesmd
%{_sysusersdir}/aesmd.conf
%attr(0700,aesmd,aesmd) %{_rundir}/aesmd
%endif
%files -n sgx-pccs
%{_sbindir}/pccs
%dir %{_sysconfdir}/pccs
%attr(0750,root,pccs) %dir %{_sysconfdir}/pccs/ssl
# NOTE(review): default.json is the PCCS configuration; in upstream
# PCCS it holds the PCS API key and the admin/user token hashes, yet it
# is packaged with whatever mode the build tree gave it (no attr).
# Consider restricting it the way the ssl dir is (e.g. 0640 root:pccs)
# -- confirm
%config(noreplace) %{_sysconfdir}/pccs/default.json
%{_unitdir}/pccs.service
# The node application together with its bundled node_modules
%{nodejs_sitearch}/pccs
%{_sysusersdir}/pccs.conf
%attr(0700,pccs,pccs) %dir %{_sharedstatedir}/pccs
%attr(0700,pccs,pccs) %dir %{_localstatedir}/log/pccs
%if %{with_pccsadmin}
%files -n sgx-pccs-admin
%{_bindir}/pccsadmin
%{_datadir}/pccsadmin
%endif
%files -n sgx-pckid-tool
# README comes straight from the source tree, the copy installed by the
# BOM having been removed in the install phase
%doc external/dcap_source/tools/PCKRetrievalTool/README_standalone.txt
%dir %{_sysconfdir}/PCKIDRetrievalTool
%config(noreplace) %{_sysconfdir}/PCKIDRetrievalTool/network_setting.conf
%{_bindir}/PCKIDRetrievalTool
%files -n sgx-mpa
%{_bindir}/mpa_manage
%{_sbindir}/mpa_registration
%{_unitdir}/mpa_registration.service
%config(noreplace) %{_sysconfdir}/mpa_registration.conf
%files -n tdx-qgs
%config(noreplace) %{_sysconfdir}/sysconfig/qgs
%{_sbindir}/qgs
%{_unitdir}/qgs.service
%config(noreplace) %{_sysconfdir}/qgs.conf
%{_sysusersdir}/qgs.conf
%attr(0700,qgs,qgs) %dir %{_sharedstatedir}/qgs
# Runtime dir is ghosted: not shipped in the payload, only its
# owner/mode are recorded so it is created on the live system
%ghost %attr(0755,qgs,qgs) %dir %{_rundir}/tdx-qgs
%files -n tdx-attest-libs
%{_libdir}/libtdx_attest.so.1*
%files -n tdx-attest-devel
%{_includedir}/tdx_attest.h
%{_libdir}/libtdx_attest.so
%changelog
%autochangelog