From cc0c6226a6277cb7932f62b1b1ff5ec4d4b3f7aa Mon Sep 17 00:00:00 2001
From: Antonio Salinas
Date: Sun, 17 May 2026 22:01:48 +0000
Subject: [PATCH 1/5] fix(systemtap): pin to f43 HEAD to correct non-first-parent commit
---
 base/comps/systemtap/systemtap.comp.toml | 3 ++
 locks/systemtap.lock | 8 ++---
 specs/s/systemtap/sources | 2 +-
 specs/s/systemtap/systemtap-gcc16.patch | 13 --------
 specs/s/systemtap/systemtap.spec | 42 ++++++++++++++++--------
 5 files changed, 36 insertions(+), 32 deletions(-)
 delete mode 100644 specs/s/systemtap/systemtap-gcc16.patch
diff --git a/base/comps/systemtap/systemtap.comp.toml b/base/comps/systemtap/systemtap.comp.toml
index c6ef26b1064..0a4fc7ec816 100644
--- a/base/comps/systemtap/systemtap.comp.toml
+++ b/base/comps/systemtap/systemtap.comp.toml
@@ -1,3 +1,6 @@
 [components.systemtap]
+# Pin past the default snapshot to correct a previously selected
+# non-first-parent commit on the f43 branch.
+spec = { type = "upstream", upstream-commit = "d06e77cc8d15d8f0fc861c82cde5af7f7a12beb1" }
 # Release: 1%{?release_override}%{?dist}
 release = { calculation = "manual" }
diff --git a/locks/systemtap.lock b/locks/systemtap.lock
index 050e0855d3b..d02b2939b0b 100644
--- a/locks/systemtap.lock
+++ b/locks/systemtap.lock
@@ -1,6 +1,6 @@
 # Managed by azldev component update. Do not edit manually.
 version = 1
-import-commit = 'a5c5bd1293b3c1d39c7f9a1c39370d7d7bd1e374'
-upstream-commit = 'a5c5bd1293b3c1d39c7f9a1c39370d7d7bd1e374'
-input-fingerprint = 'sha256:4a9ba40aa14efdd15f24addddfcf1c96bc4837f855b3b6ba792315d58a1ee460'
-resolution-input-hash = 'sha256:466421704711c4fd3c71f0b2ed715a0e61d49e3e26f3a2637fee755795849c8e'
+import-commit = 'd06e77cc8d15d8f0fc861c82cde5af7f7a12beb1'
+upstream-commit = 'd06e77cc8d15d8f0fc861c82cde5af7f7a12beb1'
+input-fingerprint = 'sha256:2da25aa9ad786ee5b902a843031823c05dc00331401b1750c3f278696b205663'
+resolution-input-hash = 'sha256:839b5466d4855563ee48b649e3fe11da139d12b234cdf7508df2a0b850388295'
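Review bot: The `spec` pin added in base/comps/systemtap/systemtap.comp.toml fixes the component at one upstream commit but gives no condition for removing it, so the override will outlive the non-first-parent problem it corrects and quietly stop tracking the f43 branch; the identical pin added in base/comps/linux-sgx/linux-sgx.comp.toml in the second patch has the same gap. Suggest extending the comment, e.g. `# TODO: drop this pin once the default snapshot resolves past this commit on f43.` The accompanying locks/systemtap.lock update is consistent with the pin (import-commit and upstream-commit both equal the pinned hash), so nothing further there.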
diff --git a/specs/s/systemtap/sources b/specs/s/systemtap/sources
index a210820496e..78a936a21f6 100644
--- a/specs/s/systemtap/sources
+++ b/specs/s/systemtap/sources
@@ -1 +1 @@
-SHA512 (systemtap-5.4.tar.gz) = 5869fe3735e44be65ba7895a46b4ea66fcdcc21ed2ab0673c62d822730553837f816d82fd78eeca4bfe6f17fdeaa12eb2f94c0b0b7ebb8c495c961f0b6935785
+SHA512 (systemtap-5.5.tar.gz) = c44691a353b3d23579ef5bbc81f9f61dfaa0d2f6a232257670315eb7aef1f87196cb12b84607f06e5a1a8c022f883cead4737cd7b590fab4b6cd998e838fab2d
diff --git a/specs/s/systemtap/systemtap-gcc16.patch b/specs/s/systemtap/systemtap-gcc16.patch
deleted file mode 100644
index c336ce6a43e..00000000000
--- a/specs/s/systemtap/systemtap-gcc16.patch
+++ /dev/null
@@ -1,13 +0,0 @@
---- systemtap-5.4/configure~ 2025-10-30 14:47:35.000000000 +0000
-+++ systemtap-5.4/configure 2026-01-13 18:53:20.466037572 +0000
-@@ -3121,8 +3121,8 @@
- }
- {
- // Unicode literals
-- char const *utf8 = u8"UTF-8 string \u2500";
-- char16_t const *utf16 = u"UTF-8 string \u2500";
-+ auto const *utf8 = u8"UTF-8 string \u2500";
-+ char16_t const *utf16 = u"UTF-16 string \u2500";
- char32_t const *utf32 = U"UTF-32 string \u2500";
- }
- '
diff --git a/specs/s/systemtap/systemtap.spec b/specs/s/systemtap/systemtap.spec
index 9702998e7b1..63e2468cb01 100644
--- a/specs/s/systemtap/systemtap.spec
+++ b/specs/s/systemtap/systemtap.spec
@@ -101,23 +101,23 @@ g stapusr 156\
 g stapsys 157\
 g stapdev 158\
 g stapunpriv 159\
-u stapunpriv 159 "systemtap unprivileged user" /var/lib/stapunpriv /sbin/nologin\
+u stapunpriv 159 "systemtap unprivileged user"\
 m stapunpriv stapunpriv
 %define _systemtap_server_preinstall \
 # See systemd-sysusers(8) sysusers.d(5)\
 \
 g stap-server -\
-u stap-server - "systemtap compiler server" /var/lib/stap-server /sbin/nologin\
+u stap-server - "systemtap compiler server" /var/lib/stap-server\
 m stap-server stap-server
 %define _systemtap_testsuite_preinstall \
 # See systemd-sysusers(8) sysusers.d(5)\
 \
-u stapusr - "systemtap testsuite user" / /sbin/nologin\
-u stapsys - "systemtap testsuite user" / /sbin/nologin\
-u stapdev - "systemtap testsuite user" / /sbin/nologin\
+u stapusr - "systemtap testsuite user"\
+u stapsys - "systemtap testsuite user"\
+u stapdev - "systemtap testsuite user"\
 m stapusr stapusr\
 m stapsys stapusr\
 m stapsys stapsys\
@@ -133,8 +133,8 @@ f /var/log/stap-server/log 0644 stap-server stap-server -
 Name: systemtap
 # PRERELEASE
-Version: 5.4
-Release: 3%{?release_override}%{?dist}
+Version: 5.5
+Release: 1%{?release_override}%{?dist}
 # for version, see also configure.ac
@@ -171,7 +171,6 @@ Summary: Programmable system-wide instrumentation system
 License: GPL-2.0-or-later
 URL: https://sourceware.org/systemtap/
 Source: ftp://sourceware.org/pub/systemtap/releases/systemtap-%{version}.tar.gz
-Patch0: systemtap-gcc16.patch
 # Build*
 BuildRequires: make
@@ -340,6 +339,9 @@ Summary: Programmable system-wide instrumentation system - runtime
 License: GPL-2.0-or-later
 URL: https://sourceware.org/systemtap/
 Requires(pre): shadow-utils
+%if 0%{?fedora} >= 45 || 0%{?rhel} >= 11
+Recommends: yama-ptrace-enable
+%endif
 Conflicts: systemtap-devel < %{version}-%{release}
 Conflicts: systemtap-server < %{version}-%{release}
 Conflicts: systemtap-client < %{version}-%{release}
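Review bot: The new `Recommends: yama-ptrace-enable` in the @@ -340 hunk is added without any comment on what the package does or why systemtap-runtime needs it; going by the name it presumably changes the kernel's Yama ptrace_scope setting system-wide, which is a hardening trade-off that should be stated in the spec rather than inferred, particularly for a weak dependency that is installed by default. Suggest a comment above the `%if`, e.g. `# yama-ptrace-enable: <reason systemtap-runtime needs it and its effect on ptrace restrictions - TODO fill in>`. The sysusers edits in the @@ -101 hunk rely on systemd-sysusers defaulting the omitted shell to nologin and the omitted home to `/` for system users; a short mention of that next to `# See systemd-sysusers(8) sysusers.d(5)` would save the next reader the lookup. The `%define` blocks in that hunk are cut at both hunk edges.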
@@ -452,10 +454,12 @@ Conflicts: systemtap-testsuite = %{version}-%{release}.x86_64
 Requires: gcc gcc-c++ make glibc-devel
 # testsuite/systemtap.base/ptrace.exp needs strace
 Requires: strace
-# testsuite/systemtap.base/ipaddr.exp needs nc. Unfortunately, the rpm
+# testsuite/systemtap.base/ipaddr.exp needs nc or ncat. Unfortunately, the rpm
 # that provides nc has changed over time (from 'nc' to
-# 'nmap-ncat'). So, we'll do a file-based require.
-Requires: /usr/bin/nc
+# 'nmap-ncat'). So, we'll do a file-based recommend.
+Recommends: /usr/bin/nc
+# Suggest nmap-ncat for /usr/bin/ncat
+Recommends: /usr/bin/ncat
 %ifnarch ia64 ppc64le aarch64
 %if 0%{?fedora} >= 21 || 0%{?rhel} >= 8
 # no prelink
@@ -617,7 +621,6 @@ or within a container.
 %prep
 %setup -q
-%patch 0 -p1
 %build
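Review bot: In the @@ -452 hunk the comment `# Suggest nmap-ncat for /usr/bin/ncat` contradicts the tag on the next line, which is `Recommends: /usr/bin/ncat` and therefore installs it by default rather than suggesting it; either the comment should read `# Recommend /usr/bin/ncat (nmap-ncat) as an alternative to nc` or the tag should become `Suggests: /usr/bin/ncat`. Since the updated comment says ipaddr.exp needs nc or ncat, keeping one Recommends and downgrading the other to Suggests would also avoid pulling two netcat implementations into every testsuite install. The @@ -617 hunk's removal of `%patch 0 -p1` is consistent with dropping Patch0 and the gcc16 patch file.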
@@ -889,11 +892,18 @@ getent group stapusr >/dev/null || groupadd -f -g 156 -r stapusr
 getent group stapsys >/dev/null || groupadd -f -g 157 -r stapsys
 getent group stapdev >/dev/null || groupadd -f -g 158 -r stapdev
 getent passwd stapunpriv >/dev/null || \
- useradd -c "Systemtap Unprivileged User" -u 159 -g stapunpriv -d %{_localstatedir}/lib/stapunpriv -r -s /sbin/nologin stapunpriv 2>/dev/null || \
- useradd -c "Systemtap Unprivileged User" -g stapunpriv -d %{_localstatedir}/lib/stapunpriv -r -s /sbin/nologin stapunpriv
+ useradd -c "Systemtap Unprivileged User" -u 159 -g stapunpriv -d / -r -s /sbin/nologin stapunpriv 2>/dev/null || \
+ useradd -c "Systemtap Unprivileged User" -g stapunpriv -d / -r -s /sbin/nologin stapunpriv
 exit 0
 %endif
+%post runtime
+# stapunpriv is a system user not needing a homedir. Previously, specfile did
+# set a homedir, but didn't create it. Fresh installations now set "/" as the
+# homedir via _systemtap_runtime_preinstall, as SYSUSERS.D(5) recommends. Fix
+# existing broken installations, keep upgrade path clean. Related: RHEL-130244.
+getent passwd stapunpriv | cut -d: -f6 | grep -q '^/var/lib/stapunpriv$' && usermod -d / stapunpriv ||:
+
 %pre server
 %if %{with_sysusers}
 %if (0%{?fedora} && 0%{?fedora} < 42) || (0%{?rhel} && 0%{?rhel} < 11)
@@ -1368,6 +1378,10 @@ exit 0
 # PRERELEASE
 %changelog
+* Fri May 01 2026 Frank Ch. Eigler - 5.5-1
+- Upstream release, see wiki page below for detailed notes.
+ https://sourceware.org/systemtap/wiki/SystemTapReleases
+
 * Sat Jan 17 2026 Fedora Release Engineering - 5.4-3
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_44_Mass_Rebuild
From 3e737d72b0d80620af923bd74e05a3c292fe4e89 Mon Sep 17 00:00:00 2001
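Review bot: The new `%post runtime` scriptlet matches the old home directory with the literal `'^/var/lib/stapunpriv$'`, whereas the `%pre` lines it supersedes built the same path from `%{_localstatedir}/lib/stapunpriv`; if the macro does not expand to /var the migration silently never fires, so prefer `grep -q '^%{_localstatedir}/lib/stapunpriv$'` (rpm expands the macro before the shell sees the quotes). The trailing `||:` also hides a failing `usermod`, leaving an account with a dangling home directory and no indication in the install log; consider at least echoing a warning in that branch. Whether the runtime subpackage already has a `%post` section elsewhere in the spec cannot be seen from here, and rpmbuild errors on a second `%post` for the same subpackage, so that is worth checking. The `%if %{with_sysusers}` block around the `%pre server` lines continues outside the hunk.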
From: Antonio Salinas Date: Sun, 17 May 2026 22:02:27 +0000 Subject: [PATCH 2/5] fix(linux-sgx): pin to f43 HEAD to correct non-first-parent commit --- base/comps/components.toml | 1 - base/comps/linux-sgx/linux-sgx.comp.toml | 4 + locks/linux-sgx.lock | 8 +- ...building-against-host-openssl-crypto.patch | 58 +-- ...r-building-against-host-tinyxml2-lib.patch | 10 +- ...building-against-host-CppMicroServic.patch | 24 +- .../0003-Improve-make-debuggability.patch | 22 +- ...-disabling-use-of-git-for-ippcp-code.patch | 6 +- ...openmp-protobuf-sample_crypto-builds.patch | 63 ++- ...ix-escaping-of-regexes-in-sgx-asm-pp.patch | 282 ------------ ...r-dev-sgx_provision-dev-sgx_enclave.patch} | 14 +- ...oname-for-libuae_service.so-library.patch} | 10 +- ...l-remove-redundant-use-of-bool-type.patch} | 6 +- ...CFLAGS-LDFLAGS-set-from-environment.patch} | 28 +- ...psw-make-aesm_service-build-verbose.patch} | 12 +- ...ern-C-function-prototype-compliance.patch} | 6 +- ...rapper-for-nasm-to-fix-cmake-compat.patch} | 12 +- ...installer-drop-PCCS-package-from-BOM.patch | 301 +++++++++++++ .../0014-fix-BOM-for-pccs-with-DCAP.patch | 155 ------- ...-due-to-attribute-regparam-with-GCC.patch} | 10 +- ...r-mpa_manage-mpa_registration-files.patch} | 6 +- ...016-Add-impl-of-__cxa_call_terminate.patch | 36 -- ...ix-missing-def-of-uncaught_exception.patch | 37 ++ ...sable-inclusion-of-AESM-in-installer.patch | 37 +- ...rop-use-of-bundled-pre-built-openssl.patch | 112 ++--- ...mprove-debuggability-of-build-system.patch | 213 +++++---- ...me-setting-of-enclave-load-directory.patch | 80 ++-- ...ed-sgx_urts-library-in-PCKRetrievalT.patch | 4 +- ...-only-import-pypac-module-on-Windows.patch | 14 +- ...-PCKRetrievalTool-config-file-in-etc.patch | 4 +- ...XFLAGS-LDFLAGS-for-various-tools-and.patch | 126 +++--- ...tween-program-name-first-arg-in-usag.patch | 4 +- ...nst-format-strings-in-QL-log-message.patch | 6 +- ...d-debug-parameter-to-control-logging.patch | 6 +- 
...-leftover-debugging-print-args-state.patch | 6 +- ...sion-for-libsgx_qe3_logic.so-library.patch | 14 +- .../0112-Workaround-broken-GCC-15.patch | 4 +- ...-Don-t-disable-cf-protection-for-qgs.patch | 12 +- ...ecks-for-GCC-version-that-break-fsta.patch | 141 ++---- ...0116-Don-t-stomp-on-VERBOSE-variable.patch | 4 +- ...-MODE-parameter-for-UNIX-socket-mode.patch | 8 +- ...sclient-make-keyring-module-optional.patch | 4 +- ...rt-from-asn1-to-pyasn1-python-module.patch | 4 +- ...switch-to-pycryptography-for-CRL-ver.patch | 67 --- ...-errors-trying-to-clear-the-keyring.patch} | 6 +- ...re-of-pycryptography-instead-of-pyop.patch | 178 -------- ...r-boost-1.87-which-drops-asio-io_se.patch} | 4 +- ...prefer-pycryptography-over-pyopenssl.patch | 104 ----- ...r-boost-1.89-which-deprecated-deadl.patch} | 22 +- ...llback-for-when-pyopenssl-is-not-ava.patch | 75 ---- ...23-use-system-gtest-gmock-libraries.patch} | 30 +- ...Disable-PcsClientTool-package-build.patch} | 6 +- ...Migrate-from-deprecated-pkg_resource.patch | 76 ---- ...disable-building-of-WASM-SIMDE-code.patch} | 10 +- ...erminates-if-prepare_sgxssl.sh-fails.patch | 33 ++ ...l-placeholders-warning-from-boost-1..patch | 41 ++ ...me-of-input-file-in-cache-command-he.patch | 30 -- ...sgxssl-build-to-alternative-glibc-he.patch | 10 +- ...-Workaround-missing-output-directory.patch | 6 +- ...2-Disable-various-EC-crypto-features.patch | 6 +- ...isable-sm2-and-sm4-crypto-algorithms.patch | 6 +- ...vice-sanitize-paths-to-all-resources.patch | 74 ---- ...-leftover-debugging-print-args-state.patch | 33 -- ...csadmin-make-keyring-module-optional.patch | 69 --- ...e-errors-trying-to-clear-the-keyring.patch | 85 ---- ...-override-tar-module-to-7.0.0-series.patch | 404 ------------------ specs/l/linux-sgx/linux-sgx.spec | 402 ++++------------- specs/l/linux-sgx/pccs-nodejs-bundler | 83 ---- specs/l/linux-sgx/pccs.service | 22 - specs/l/linux-sgx/pccs.sysusers.conf | 1 - specs/l/linux-sgx/repack.sh | 2 +- specs/l/linux-sgx/sources 
| 19 +- 72 files changed, 1057 insertions(+), 2761 deletions(-) create mode 100644 base/comps/linux-sgx/linux-sgx.comp.toml delete mode 100644 specs/l/linux-sgx/0006-Fix-escaping-of-regexes-in-sgx-asm-pp.patch rename specs/l/linux-sgx/{0007-psw-prefer-dev-sgx_provision-dev-sgx_enclave.patch => 0006-psw-prefer-dev-sgx_provision-dev-sgx_enclave.patch} (90%) rename specs/l/linux-sgx/{0008-psw-fix-soname-for-libuae_service.so-library.patch => 0007-psw-fix-soname-for-libuae_service.so-library.patch} (84%) rename specs/l/linux-sgx/{0009-pcl-remove-redundant-use-of-bool-type.patch => 0008-pcl-remove-redundant-use-of-bool-type.patch} (91%) rename specs/l/linux-sgx/{0010-sdk-honour-CFLAGS-LDFLAGS-set-from-environment.patch => 0009-sdk-honour-CFLAGS-LDFLAGS-set-from-environment.patch} (86%) rename specs/l/linux-sgx/{0011-psw-make-aesm_service-build-verbose.patch => 0010-psw-make-aesm_service-build-verbose.patch} (73%) rename specs/l/linux-sgx/{0012-Fix-modern-C-function-prototype-compliance.patch => 0011-Fix-modern-C-function-prototype-compliance.patch} (93%) rename specs/l/linux-sgx/{0013-Add-wrapper-for-nasm-to-fix-cmake-compat.patch => 0012-Add-wrapper-for-nasm-to-fix-cmake-compat.patch} (86%) create mode 100644 specs/l/linux-sgx/0013-linux-installer-drop-PCCS-package-from-BOM.patch delete mode 100644 specs/l/linux-sgx/0014-fix-BOM-for-pccs-with-DCAP.patch rename specs/l/linux-sgx/{0015-sdk-avoid-failure-due-to-attribute-regparam-with-GCC.patch => 0014-sdk-avoid-failure-due-to-attribute-regparam-with-GCC.patch} (93%) rename specs/l/linux-sgx/{0017-fix-BOM-for-mpa_manage-mpa_registration-files.patch => 0015-fix-BOM-for-mpa_manage-mpa_registration-files.patch} (98%) delete mode 100644 specs/l/linux-sgx/0016-Add-impl-of-__cxa_call_terminate.patch create mode 100644 specs/l/linux-sgx/0016-fix-missing-def-of-uncaught_exception.patch delete mode 100644 specs/l/linux-sgx/0120-pcsclient-fully-switch-to-pycryptography-for-CRL-ver.patch rename 
specs/l/linux-sgx/{0124-pcsclient-ignore-errors-trying-to-clear-the-keyring.patch => 0120-pcsclient-ignore-errors-trying-to-clear-the-keyring.patch} (93%) delete mode 100644 specs/l/linux-sgx/0121-pcsclient-use-more-of-pycryptography-instead-of-pyop.patch rename specs/l/linux-sgx/{0126-qgs-add-compat-for-boost-1.87-which-drops-asio-io_se.patch => 0121-qgs-add-compat-for-boost-1.87-which-drops-asio-io_se.patch} (91%) delete mode 100644 specs/l/linux-sgx/0122-pcsclient-prefer-pycryptography-over-pyopenssl.patch rename specs/l/linux-sgx/{0127-qgs-add-compat-for-boost-1.89-which-deprecated-deadl.patch => 0122-qgs-add-compat-for-boost-1.89-which-deprecated-deadl.patch} (51%) delete mode 100644 specs/l/linux-sgx/0123-pcsclient-add-fallback-for-when-pyopenssl-is-not-ava.patch rename specs/l/linux-sgx/{0128-use-system-gtest-gmock-libraries.patch => 0123-use-system-gtest-gmock-libraries.patch} (80%) rename specs/l/linux-sgx/{0129-Disable-PcsClientTool-package-build.patch => 0124-Disable-PcsClientTool-package-build.patch} (82%) delete mode 100644 specs/l/linux-sgx/0125-PCS-Client-Tool-Migrate-from-deprecated-pkg_resource.patch rename specs/l/linux-sgx/{0130-disable-building-of-WASM-SIMDE-code.patch => 0125-disable-building-of-WASM-SIMDE-code.patch} (82%) create mode 100644 specs/l/linux-sgx/0126-ensure-build-terminates-if-prepare_sgxssl.sh-fails.patch create mode 100644 specs/l/linux-sgx/0127-qgs-squash-global-placeholders-warning-from-boost-1..patch delete mode 100644 specs/l/linux-sgx/0131-pcsclient-fix-name-of-input-file-in-cache-command-he.patch delete mode 100644 specs/l/linux-sgx/0400-service-sanitize-paths-to-all-resources.patch delete mode 100644 specs/l/linux-sgx/0401-pccsadmin-remove-leftover-debugging-print-args-state.patch delete mode 100644 specs/l/linux-sgx/0402-pccsadmin-make-keyring-module-optional.patch delete mode 100644 specs/l/linux-sgx/0403-pccsadmin-ignore-errors-trying-to-clear-the-keyring.patch delete mode 100644 
 specs/l/linux-sgx/0404-service-force-override-tar-module-to-7.0.0-series.patch
 delete mode 100755 specs/l/linux-sgx/pccs-nodejs-bundler
 delete mode 100644 specs/l/linux-sgx/pccs.service
 delete mode 100644 specs/l/linux-sgx/pccs.sysusers.conf
diff --git a/base/comps/components.toml b/base/comps/components.toml
index ac2cfc8babc..27f4595f847 100644
--- a/base/comps/components.toml
+++ b/base/comps/components.toml
@@ -2000,7 +2000,6 @@ includes = ["**/*.comp.toml", "component-check-disablement.toml", "component-min
 [components.linkchecker]
 [components.linux-atm]
 [components.linux-firmware]
-[components.linux-sgx]
 [components.linux-sgx-enclaves-prebuilt]
 [components.linux-system-roles]
 [components.linuxconsoletools]
diff --git a/base/comps/linux-sgx/linux-sgx.comp.toml b/base/comps/linux-sgx/linux-sgx.comp.toml
new file mode 100644
index 00000000000..4809926a0ea
--- /dev/null
+++ b/base/comps/linux-sgx/linux-sgx.comp.toml
@@ -0,0 +1,4 @@
+[components.linux-sgx]
+# Pin past the default snapshot to correct a previously selected
+# non-first-parent commit on the f43 branch.
+spec = { type = "upstream", upstream-commit = "2049ba7b4df26e7a7ed754336c72b9082f5ee0c9" }
diff --git a/locks/linux-sgx.lock b/locks/linux-sgx.lock
index 795f6571a79..d0c8bd37e82 100644
--- a/locks/linux-sgx.lock
+++ b/locks/linux-sgx.lock
@@ -1,6 +1,6 @@ # Managed by azldev component update. Do not edit manually. version = 1 -import-commit = 'afd42ddd421bb38b5851f9ad92a55948e9f3238a' -upstream-commit = 'afd42ddd421bb38b5851f9ad92a55948e9f3238a' -input-fingerprint = 'sha256:479c56d2e8d64370c2680c4dae50aab910dd3feb902bdc0baf47f63e40526d61' -resolution-input-hash = 'sha256:466421704711c4fd3c71f0b2ed715a0e61d49e3e26f3a2637fee755795849c8e' +import-commit = '2049ba7b4df26e7a7ed754336c72b9082f5ee0c9' +upstream-commit = '2049ba7b4df26e7a7ed754336c72b9082f5ee0c9' +input-fingerprint = 'sha256:2899da94349e3880b3d66076d19df5f194bfe9578e2dce7f3cdaf27289aacfac' +resolution-input-hash = 'sha256:feca9c61e90483d7284d01334a5002556bb28222a9402c1febd10511ff480bd0' diff --git a/specs/l/linux-sgx/0000-Add-support-for-building-against-host-openssl-crypto.patch b/specs/l/linux-sgx/0000-Add-support-for-building-against-host-openssl-crypto.patch index ec9580bdb33..22a513063bf 100644 --- a/specs/l/linux-sgx/0000-Add-support-for-building-against-host-openssl-crypto.patch +++ b/specs/l/linux-sgx/0000-Add-support-for-building-against-host-openssl-crypto.patch @@ -1,7 +1,7 @@ -From 1cd5674ab9d90d663b4aada9c02cd1a2115c0b24 Mon Sep 17 00:00:00 2001 +From f3d15471fc97351df73b6d7af95561c9ecfa3a6c Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?= Date: Thu, 13 Feb 2025 14:12:38 +0000 -Subject: [PATCH 00/17] Add support for building against host openssl crypto +Subject: [PATCH 00/16] Add support for building against host openssl crypto lib MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 @@ -28,10 +28,10 @@ Signed-off-by: Daniel P. Berrangé 7 files changed, 27 insertions(+), 22 deletions(-) diff --git a/buildenv.mk b/buildenv.mk -index 4689c603..acae2106 100644 +index 379b87ce..b9f625cb 100644 --- a/buildenv.mk +++ b/buildenv.mk -@@ -371,3 +371,16 @@ else +@@ -356,3 +356,16 @@ else SGX_LIB_DIR := $(SGX_SDK)/lib64/$(MITIGATION_LIB_PATH) SGX_BIN_DIR := $(SGX_SDK)/bin/x64 endif 
@@ -49,11 +49,11 @@ index 4689c603..acae2106 100644 +OPENSSL_CRYPTO_LIBS = $(OPENSSL_CRYPTO_PREBUILT_DIR)/lib/linux64/libcrypto.a +endif diff --git a/psw/ae/aesm_service/Makefile b/psw/ae/aesm_service/Makefile -index 498d6e2f..bac84292 100644 +index 350addeb..24613afe 100644 --- a/psw/ae/aesm_service/Makefile +++ b/psw/ae/aesm_service/Makefile -@@ -46,6 +46,9 @@ ifeq ($(BUILD_REF_LE), 1) - AESM_CONFIG += -DREF_LE=ON +@@ -42,6 +42,9 @@ else + AESM_CONFIG += -DCMAKE_BUILD_TYPE=Release endif +AESM_CONFIG += -DOPENSSL_CRYPTO_CFLAGS=$(OPENSSL_CRYPTO_CFLAGS) @@ -63,11 +63,11 @@ index 498d6e2f..bac84292 100644 SQLITECFLAGS += -m32 else diff --git a/psw/ae/aesm_service/source/utils/CMakeLists.txt b/psw/ae/aesm_service/source/utils/CMakeLists.txt -index a3843bdf..2c9c87b3 100644 +index a4b3d1af..f8003e42 100644 --- a/psw/ae/aesm_service/source/utils/CMakeLists.txt +++ b/psw/ae/aesm_service/source/utils/CMakeLists.txt -@@ -45,7 +45,7 @@ target_include_directories(utils PRIVATE - ${PROJECT_SOURCE_DIR}/../../../../external/epid-sdk +@@ -44,7 +44,7 @@ target_include_directories(utils PRIVATE + ${PROJECT_SOURCE_DIR}/../../../../common/inc/internal ${PROJECT_SOURCE_DIR}/../../../../external/rdrand ${PROJECT_SOURCE_DIR}/../../data/constants/linux - ${PROJECT_SOURCE_DIR}/../../../../external/dcap_source/prebuilt/openssl/inc @@ -75,7 +75,7 @@ index a3843bdf..2c9c87b3 100644 ) target_compile_definitions(utils PRIVATE -@@ -55,7 +55,7 @@ target_compile_definitions(utils PRIVATE +@@ -54,7 +54,7 @@ target_compile_definitions(utils PRIVATE set_property(TARGET utils APPEND_STRING PROPERTY LINK_FLAGS " -Wl,-z,defs") target_link_libraries(utils @@ -85,7 +85,7 @@ index a3843bdf..2c9c87b3 100644 ${CMAKE_SOURCE_DIR}/../../../../external/rdrand/src/librdrand.a ) diff --git a/psw/urts/linux/Makefile b/psw/urts/linux/Makefile -index 7e0b6a08..3d08ee5c 100644 +index 2e291857..275a9d45 100644 --- a/psw/urts/linux/Makefile +++ b/psw/urts/linux/Makefile @@ -43,8 +43,6 @@ CFLAGS += -fPIC -Werror -g 
@@ -148,7 +148,7 @@ index 1ed9f286..ed177c86 100644 sgx_sign: $(OBJS) enclaveparser diff --git a/sdk/simulation/uae_service_sim/linux/Makefile b/sdk/simulation/uae_service_sim/linux/Makefile -index c66beed2..45ddb576 100644 +index d80a3d06..3d5b5628 100644 --- a/sdk/simulation/uae_service_sim/linux/Makefile +++ b/sdk/simulation/uae_service_sim/linux/Makefile @@ -34,9 +34,6 @@ include $(TOP_DIR)/buildenv.mk @@ -158,19 +158,19 @@ index c66beed2..45ddb576 100644 -PREBUILT_OPENSSL_DIR := $(LINUX_EXTERNAL_DIR)/dcap_source/prebuilt/openssl -CRYPTO_LIB := -L$(PREBUILT_OPENSSL_DIR)/lib/linux64 -lcrypto - - INCLUDES := -I.. \ - -I$(COMMON_DIR)/inc \ - -I$(COMMON_DIR)/inc/internal \ -@@ -48,7 +45,7 @@ INCLUDES := -I.. \ - -I$(LINUX_PSW_DIR)/ae/inc \ - -I$(LINUX_PSW_DIR)/ae/inc/internal \ - -I$(LINUX_PSW_DIR)/ae/common \ -- -I$(PREBUILT_OPENSSL_DIR)/inc -+ $(OPENSSL_CRYPTO_CFLAGS) - - - CXXFLAGS += -Wall -fPIC $(INCLUDES) -Werror -g $(CET_FLAGS) -@@ -60,7 +57,7 @@ RDRAND_MAKEFILE := $(RDRAND_LIBDIR)/Makefile + INCLUDES := -I.. \ + -I$(COMMON_DIR)/inc \ + -I$(COMMON_DIR)/inc/internal \ +@@ -47,7 +44,7 @@ INCLUDES := -I.. \ + -I$(LINUX_PSW_DIR)/ae/inc \ + -I$(LINUX_PSW_DIR)/ae/inc/internal \ + -I$(LINUX_PSW_DIR)/ae/common \ +- -I$(PREBUILT_OPENSSL_DIR)/inc \ ++ $(OPENSSL_CRYPTO_CFLAGS) \ + -I$(DCAP_DIR)/QuoteGeneration/quote_wrapper/common/inc \ + -I$(DCAP_DIR)/QuoteGeneration/pce_wrapper/inc + +@@ -61,7 +58,7 @@ RDRAND_MAKEFILE := $(RDRAND_LIBDIR)/Makefile EXTERNAL_LIB += -L$(RDRAND_LIBDIR) -lrdrand EXTERNAL_LIB += -L$(RDRAND_LIBDIR) -lrt @@ -180,7 +180,7 @@ index c66beed2..45ddb576 100644 vpath %.cpp $(LINUX_PSW_DIR)/ae/common \ $(LINUX_SDK_DIR)/simulation/urtssim \ diff --git a/sdk/simulation/urtssim/linux/Makefile b/sdk/simulation/urtssim/linux/Makefile -index e756d468..ea8ca78c 100644 +index 79f20a2b..8af19905 100644 --- a/sdk/simulation/urtssim/linux/Makefile +++ b/sdk/simulation/urtssim/linux/Makefile @@ -42,9 +42,6 @@ endif 
@@ -202,7 +202,7 @@ index e756d468..ea8ca78c 100644 CPPFLAGS += -I$(COMMON_DIR)/inc/internal \ -I$(LINUX_PSW_DIR)/urts/linux \ -@@ -128,7 +125,7 @@ LDFLAGS += $(COMMON_LDFLAGS) -Wl,--version-script=$(LINUX_PSW_DIR)/urts/linux/ur +@@ -127,7 +124,7 @@ LDFLAGS += $(COMMON_LDFLAGS) -Wl,--version-script=$(LINUX_PSW_DIR)/urts/linux/ur LIBURTSSIM_SHARED := libsgx_urts_sim.so LIBURTS_DEPLOY := libsgx_urts_deploy.so @@ -212,5 +212,5 @@ index e756d468..ea8ca78c 100644 .PHONY: all -- -2.52.0 +2.53.0 diff --git a/specs/l/linux-sgx/0001-Add-support-for-building-against-host-tinyxml2-lib.patch b/specs/l/linux-sgx/0001-Add-support-for-building-against-host-tinyxml2-lib.patch index 100a562e68e..52c2181a3ea 100644 --- a/specs/l/linux-sgx/0001-Add-support-for-building-against-host-tinyxml2-lib.patch +++ b/specs/l/linux-sgx/0001-Add-support-for-building-against-host-tinyxml2-lib.patch @@ -1,7 +1,7 @@ -From 4f4340cc0e4c06b06f6531c00254bdcb2d4adf9e Mon Sep 17 00:00:00 2001 +From 79bc4b56fd25fbf49927be31513556ec9d86e6ec Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?= Date: Thu, 13 Feb 2025 14:01:10 +0000 -Subject: [PATCH 01/17] Add support for building against host tinyxml2 lib +Subject: [PATCH 01/16] Add support for building against host tinyxml2 lib MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit @@ -22,10 +22,10 @@ Signed-off-by: Daniel P. Berrangé 2 files changed, 18 insertions(+), 4 deletions(-) diff --git a/buildenv.mk b/buildenv.mk -index acae2106..6dac4028 100644 +index b9f625cb..86d30af6 100644 --- a/buildenv.mk +++ b/buildenv.mk -@@ -384,3 +384,17 @@ OPENSSL_CRYPTO_CFLAGS = -I$(OPENSSL_CRYPTO_PREBUILT_DIR)/inc +@@ -369,3 +369,17 @@ OPENSSL_CRYPTO_CFLAGS = -I$(OPENSSL_CRYPTO_PREBUILT_DIR)/inc OPENSSL_CRYPTO_LDFLAGS = -L$(OPENSSL_CRYPTO_PREBUILT_DIR)/lib/linux64 -lcrypto OPENSSL_CRYPTO_LIBS = $(OPENSSL_CRYPTO_PREBUILT_DIR)/lib/linux64/libcrypto.a endif 
@@ -80,5 +80,5 @@ index ed177c86..1dcb6f51 100644 sgx_sign: $(OBJS) enclaveparser -- -2.52.0 +2.53.0 diff --git a/specs/l/linux-sgx/0002-Add-support-for-building-against-host-CppMicroServic.patch b/specs/l/linux-sgx/0002-Add-support-for-building-against-host-CppMicroServic.patch index c34a4f8abb2..48ec0425c22 100644 --- a/specs/l/linux-sgx/0002-Add-support-for-building-against-host-CppMicroServic.patch +++ b/specs/l/linux-sgx/0002-Add-support-for-building-against-host-CppMicroServic.patch @@ -1,7 +1,7 @@ -From 52367555ba7ec1a3591dc0e6fb3b3cc4cef03517 Mon Sep 17 00:00:00 2001 +From b59cf0e4fb227486ba743f4d02b9cede4b2e08ec Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?= Date: Thu, 13 Feb 2025 14:01:10 +0000 -Subject: [PATCH 02/17] Add support for building against host CppMicroServices +Subject: [PATCH 02/16] Add support for building against host CppMicroServices lib MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 @@ -29,10 +29,10 @@ Signed-off-by: Daniel P. Berrangé 3 files changed, 28 insertions(+), 11 deletions(-) diff --git a/buildenv.mk b/buildenv.mk -index 6dac4028..915e2eb4 100644 +index 86d30af6..8aafa610 100644 --- a/buildenv.mk +++ b/buildenv.mk -@@ -398,3 +398,13 @@ TINYXML2_LDFLAGS = +@@ -383,3 +383,13 @@ TINYXML2_LDFLAGS = TINYXML2_OBJ = tinyxml2.o TINYXML2_DIR = $(LINUX_EXTERNAL_DIR)/tinyxml2/ endif @@ -47,7 +47,7 @@ index 6dac4028..915e2eb4 100644 +CPPMICROSERVICES_CMAKE_DIR = $(CPPMICROSERVICES_INSTALL_DIR)/share/cppmicroservices4/cmake +endif diff --git a/psw/ae/aesm_service/Makefile b/psw/ae/aesm_service/Makefile -index bac84292..89a15875 100644 +index 24613afe..b469bffb 100644 --- a/psw/ae/aesm_service/Makefile +++ b/psw/ae/aesm_service/Makefile @@ -32,10 +32,8 @@ 
@@ -62,7 +62,7 @@ index bac84292..89a15875 100644 ifdef DEBUG AESM_CONFIG += -DCMAKE_BUILD_TYPE=Debug else -@@ -48,6 +46,7 @@ endif +@@ -44,6 +42,7 @@ endif AESM_CONFIG += -DOPENSSL_CRYPTO_CFLAGS=$(OPENSSL_CRYPTO_CFLAGS) AESM_CONFIG += -DOPENSSL_CRYPTO_LIBS=$(OPENSSL_CRYPTO_LIBS) @@ -70,9 +70,9 @@ index bac84292..89a15875 100644 ifeq ($(ARCH), x86) SQLITECFLAGS += -m32 -@@ -66,7 +65,9 @@ CFLAGS := $(filter-out -Werror, $(CFLAGS)) +@@ -61,7 +60,9 @@ CFLAGS += -fpie + CFLAGS := $(filter-out -Werror, $(CFLAGS)) - WHITE_LIST_FILE := $(LINUX_PSW_DIR)/ae/data/prebuilt/white_list_cert_to_be_verify.bin APPNAME := source/build/bin/aesm_service -CPPMICROSERVICES:= $(CPPMICROSERVICES_DIR)/build/lib/libCppMicroServices.so.4.0.0 +ifeq ($(USE_HOST_CPPMICROSERVICES), 0) @@ -81,7 +81,7 @@ index bac84292..89a15875 100644 RDRAND_LIBDIR :=$(LINUX_EXTERNAL_DIR)/rdrand/src RDRAND_MAKEFILE := $(RDRAND_LIBDIR)/Makefile -@@ -80,21 +81,25 @@ copy_data_file: +@@ -71,21 +72,25 @@ all: $(APPNAME) $(APPNAME_DEBUG) | $(BUILD_DIR) $(APPNAME): $(CPPMICROSERVICES) source/build/CMakeCache.txt urts RDRAND $(MAKE) -C source/build @@ -111,7 +111,7 @@ index bac84292..89a15875 100644 endif source/build/CMakeCache.txt: $(CPPMICROSERVICES) -@@ -124,8 +129,10 @@ $(BUILD_DIR): +@@ -115,8 +120,10 @@ $(BUILD_DIR): .PHONY: clean clean: @$(RM) -r source/build @@ -125,7 +125,7 @@ index bac84292..89a15875 100644 ifeq ($(RDRAND_MAKEFILE), $(wildcard $(RDRAND_MAKEFILE))) @$(MAKE) distclean -C $(RDRAND_LIBDIR) diff --git a/psw/ae/aesm_service/source/CMakeLists.txt b/psw/ae/aesm_service/source/CMakeLists.txt -index 5728e9b4..7f368a97 100644 +index 735c5fa5..065b7527 100644 --- a/psw/ae/aesm_service/source/CMakeLists.txt +++ b/psw/ae/aesm_service/source/CMakeLists.txt @@ -46,7 +46,7 @@ else() @@ -138,5 +138,5 @@ index 5728e9b4..7f368a97 100644 cmake_minimum_required(VERSION ${US_CMAKE_MINIMUM_REQUIRED_VERSION}) cmake_policy(VERSION ${US_CMAKE_MINIMUM_REQUIRED_VERSION}) -- -2.52.0 +2.53.0 
diff --git a/specs/l/linux-sgx/0003-Improve-make-debuggability.patch b/specs/l/linux-sgx/0003-Improve-make-debuggability.patch index 5b617e66acf..a52f8599483 100644 --- a/specs/l/linux-sgx/0003-Improve-make-debuggability.patch +++ b/specs/l/linux-sgx/0003-Improve-make-debuggability.patch @@ -1,7 +1,7 @@ -From 18904b9f33fccdc9e1bc606ad266c8287131de19 Mon Sep 17 00:00:00 2001 +From 572c92dac5c5a27fa76d611703e25a341bb610aa Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?= Date: Fri, 1 Mar 2024 12:53:26 +0000 -Subject: [PATCH 03/17] Improve make debuggability +Subject: [PATCH 03/16] Improve make debuggability MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit @@ -17,10 +17,10 @@ Signed-off-by: Daniel P. Berrangé 2 files changed, 5 insertions(+), 5 deletions(-) diff --git a/sdk/Makefile.source b/sdk/Makefile.source -index 0a84726c..e3bac508 100644 +index 7dbbb09d..37fb7dc4 100644 --- a/sdk/Makefile.source +++ b/sdk/Makefile.source -@@ -77,7 +77,7 @@ tstdc: $(LIBTLIBC) +@@ -75,7 +75,7 @@ tstdc: $(LIBTLIBC) ifndef SERVTD_ATTEST $(LIBTLIBC): tlibthread compiler-rt tsafecrt tsetjmp tmm_rsrv @@ -29,7 +29,7 @@ index 0a84726c..e3bac508 100644 @$(MKDIR) $(BUILD_DIR)/.compiler-rt $(BUILD_DIR)/.tlibthread $(BUILD_DIR)/.tsafecrt $(BUILD_DIR)/.tsetjmp $(BUILD_DIR)/.tmm_rsrv @$(RM) -f $(BUILD_DIR)/.compiler-rt/* && cd $(BUILD_DIR)/.compiler-rt && $(AR) x $(LINUX_SDK_DIR)/compiler-rt/libcompiler-rt.a @$(RM) -f $(BUILD_DIR)/.tlibthread/* && cd $(BUILD_DIR)/.tlibthread && $(AR) x $(LINUX_SDK_DIR)/tlibthread/libtlibthread.a -@@ -95,7 +95,7 @@ $(LIBTLIBC): tlibthread compiler-rt tsafecrt tsetjmp tmm_rsrv +@@ -93,7 +93,7 @@ $(LIBTLIBC): tlibthread compiler-rt tsafecrt tsetjmp tmm_rsrv @$(RM) -rf $(BUILD_DIR)/.tsetjmp $(BUILD_DIR)/.tmm_rsrv else $(LIBTLIBC): tlibthread tsafecrt tsetjmp tmm_rsrv 
@@ -38,7 +38,7 @@ index 0a84726c..e3bac508 100644 @$(MKDIR) $(BUILD_DIR)/.tlibthread $(BUILD_DIR)/.tsafecrt $(BUILD_DIR)/.tsetjmp $(BUILD_DIR)/.tmm_rsrv @$(RM) -f $(BUILD_DIR)/.tlibthread/* && cd $(BUILD_DIR)/.tlibthread && $(AR) x $(LINUX_SDK_DIR)/tlibthread/libtlibthread.a @$(RM) -f $(BUILD_DIR)/.tsafecrt/* && cd $(BUILD_DIR)/.tsafecrt && $(AR) x $(LINUX_SDK_DIR)/tsafecrt/libsgx_tsafecrt.a -@@ -118,7 +118,7 @@ tsafecrt: +@@ -116,7 +116,7 @@ tsafecrt: .PHONY: compiler-rt compiler-rt: @@ -47,7 +47,7 @@ index 0a84726c..e3bac508 100644 .PHONY: tsetjmp tsetjmp: -@@ -162,7 +162,7 @@ cpprt: +@@ -160,7 +160,7 @@ cpprt: libcxxrt .PHONY: tlibcxx tlibcxx: $(BUILD_DIR) @@ -57,18 +57,18 @@ index 0a84726c..e3bac508 100644 # --------------------------------------------------- diff --git a/sdk/cpprt/Makefile b/sdk/cpprt/Makefile -index d1ac38a1..5fb90c21 100644 +index 1d382c5b..91156a75 100644 --- a/sdk/cpprt/Makefile +++ b/sdk/cpprt/Makefile -@@ -83,7 +83,7 @@ $(CPPRT): $(OBJS) prepare-libunwind libunwind +@@ -102,7 +102,7 @@ $(CPPRT): $(OBJS) $(LIBCXXRT_STAMP) prepare-libunwind libunwind libunwind: cd $(LIBUNWIND_DIR)/ && \ ( test -f Makefile || CFLAGS="$(CFLAGS)" ./autogen.sh ) && \ - $(MAKE) -j$(shell nproc) + $(MAKE) - .PHONY: clean + clean: -- -2.52.0 +2.53.0 diff --git a/specs/l/linux-sgx/0004-Support-disabling-use-of-git-for-ippcp-code.patch b/specs/l/linux-sgx/0004-Support-disabling-use-of-git-for-ippcp-code.patch index b5ed46e6178..971cc77a170 100644 --- a/specs/l/linux-sgx/0004-Support-disabling-use-of-git-for-ippcp-code.patch +++ b/specs/l/linux-sgx/0004-Support-disabling-use-of-git-for-ippcp-code.patch @@ -1,7 +1,7 @@ -From 42a8e6203754527a76752d3aef2045c7b08a8e71 Mon Sep 17 00:00:00 2001 +From f11e29272736b152f7365febf8e157a410d4818b Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?= Date: Thu, 13 Feb 2025 14:37:24 +0000 -Subject: [PATCH 04/17] Support disabling use of git for ippcp code +Subject: [PATCH 04/16] Support disabling use of git for ippcp code MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit @@ -45,5 +45,5 @@ index a57c22a9..d78ba90e 100644 .PHONY: clean -- -2.52.0 +2.53.0 diff --git a/specs/l/linux-sgx/0005-disable-openmp-protobuf-sample_crypto-builds.patch b/specs/l/linux-sgx/0005-disable-openmp-protobuf-sample_crypto-builds.patch index 36b7500aa73..6f0ca9009a4 100644 --- a/specs/l/linux-sgx/0005-disable-openmp-protobuf-sample_crypto-builds.patch +++ b/specs/l/linux-sgx/0005-disable-openmp-protobuf-sample_crypto-builds.patch @@ -1,7 +1,7 @@ -From 6a559d65522af8509a72818d2ef330f68d26711e Mon Sep 17 00:00:00 2001 +From ea9950ebf08d3899c345176ab24d7b3b8b39067d Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?= Date: Tue, 18 Jun 2024 15:57:22 +0100 -Subject: [PATCH 05/17] disable openmp, protobuf & sample_crypto builds +Subject: [PATCH 05/16] disable openmp, protobuf & sample_crypto builds MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit @@ -11,24 +11,18 @@ important, so skip them to reduce amount of bundled package code. Signed-off-by: Daniel P. Berrangé --- - linux/installer/common/sdk/BOMs/sdk_base.txt | 298 ------------------ + linux/installer/common/sdk/BOMs/sdk_base.txt | 296 ------------------ .../common/sdk/BOMs/sdk_cve_2020_0551_cf.txt | 2 - .../sdk/BOMs/sdk_cve_2020_0551_load.txt | 2 - linux/installer/common/sdk/BOMs/sdk_x64.txt | 3 - sdk/Makefile.source | 24 +- - 5 files changed, 1 insertion(+), 328 deletions(-) + 5 files changed, 1 insertion(+), 326 deletions(-) diff --git a/linux/installer/common/sdk/BOMs/sdk_base.txt b/linux/installer/common/sdk/BOMs/sdk_base.txt -index d26ee825..ed585066 100644 +index b9189f7b..858be8fd 100644 
--- a/linux/installer/common/sdk/BOMs/sdk_base.txt +++ b/linux/installer/common/sdk/BOMs/sdk_base.txt -@@ -1,5 +1,4 @@ - DeliveryName InstallName FileCheckSum FileFeature FileOwner --/build/linux/libsample_libcrypto.so /package/SampleCode/RemoteAttestation/sample_libcrypto/libsample_libcrypto.so 0 main STP - /common/inc/sgx_attributes.h /package/include/sgx_attributes.h 0 main STP - /common/inc/sgx_capable.h /package/include/sgx_capable.h 0 main STP - /common/inc/sgx_cpuid.h /package/include/sgx_cpuid.h 0 main STP -@@ -391,16 +390,6 @@ DeliveryName InstallName FileCheckSum FileFeature FileOwner +@@ -365,16 +365,6 @@ DeliveryName InstallName FileCheckSum FileFeature FileOwner /SampleCode/SealUnseal/Enclave_Unseal/Enclave_Unseal.cpp /package/SampleCode/SealUnseal/Enclave_Unseal/Enclave_Unseal.cpp 0 N/A N/A /SampleCode/SealUnseal/Enclave_Unseal/Enclave_Unseal.edl /package/SampleCode/SealUnseal/Enclave_Unseal/Enclave_Unseal.edl 0 N/A N/A /SampleCode/SealUnseal/Enclave_Unseal/Enclave_Unseal.lds /package/SampleCode/SealUnseal/Enclave_Unseal/Enclave_Unseal.lds 0 N/A N/A 
@@ -45,15 +39,7 @@ index d26ee825..ed585066 100644 /SampleCode/SampleAEXNotify/Enclave/Enclave.config.xml /package/SampleCode/SampleAEXNotify/Enclave/Enclave.config.xml 0 N/A N/A /SampleCode/SampleAEXNotify/Enclave/Enclave.cpp /package/SampleCode/SampleAEXNotify/Enclave/Enclave.cpp 0 N/A N/A /SampleCode/SampleAEXNotify/Enclave/Enclave.edl /package/SampleCode/SampleAEXNotify/Enclave/Enclave.edl 0 N/A N/A -@@ -412,7 +401,6 @@ DeliveryName InstallName FileCheckSum FileFeature FileOwner - /SampleCode/SampleAEXNotify/Makefile /package/SampleCode/SampleAEXNotify/Makefile 0 N/A N/A - /SampleCode/SampleAEXNotify/README.txt /package/SampleCode/SampleAEXNotify/README.txt 0 N/A N/A - /build/linux/gdb-sgx-plugin/sgx-gdb /package/bin/sgx-gdb 0 main STP --/sdk/sample_libcrypto/sample_libcrypto.h /package/SampleCode/RemoteAttestation/sample_libcrypto/sample_libcrypto.h 0 main STP - /sdk/tlibcxx/include/CMakeLists.txt /package/include/libcxx/CMakeLists.txt 0 main STP - /sdk/tlibcxx/include/__availability /package/include/libcxx/__availability 0 main STP - /sdk/tlibcxx/include/__bit_reference /package/include/libcxx/__bit_reference 0 main STP -@@ -597,290 +585,4 @@ DeliveryName InstallName FileCheckSum FileFeature FileOwner +@@ -570,290 +560,4 @@ DeliveryName InstallName FileCheckSum FileFeature FileOwner /sdk/tlibcxx/include/variant /package/include/libcxx/variant 0 main STP /sdk/tlibcxx/include/vector /package/include/libcxx/vector 0 main STP /sdk/tlibcxx/include/version /package/include/libcxx/version 0 main STP @@ -345,10 +331,10 @@ index d26ee825..ed585066 100644 -/external/protobuf/protobuf_code/third_party/abseil-cpp/absl/utility/utility.h /package/include/tprotobuf/absl/utility/utility.h 0 main STP /common/buildenv.mk /package/buildenv.mk 0 main STP diff --git a/linux/installer/common/sdk/BOMs/sdk_cve_2020_0551_cf.txt b/linux/installer/common/sdk/BOMs/sdk_cve_2020_0551_cf.txt -index 65d9dca0..086992f9 100644 +index 7bd918da..144e2066 100644 
--- a/linux/installer/common/sdk/BOMs/sdk_cve_2020_0551_cf.txt +++ b/linux/installer/common/sdk/BOMs/sdk_cve_2020_0551_cf.txt -@@ -10,9 +10,7 @@ DeliveryName InstallName FileCheckSum FileFeature FileOwner +@@ -9,9 +9,7 @@ DeliveryName InstallName FileCheckSum FileFeature FileOwner /build/linuxCF/libsgx_tswitchless.a /package/lib64/cve_2020_0551_cf/libsgx_tswitchless.a 0 main STP /build/linuxCF/libsgx_tprotected_fs.a /package/lib64/cve_2020_0551_cf/libsgx_tprotected_fs.a 0 main STP /build/linuxCF/libsgx_pcl.a /package/lib64/cve_2020_0551_cf/libsgx_pcl.a 0 main STP @@ -359,10 +345,10 @@ index 65d9dca0..086992f9 100644 /build/linuxCF/libtdx_tls.a /package/lib64/cve_2020_0551_cf/libtdx_tls.a 0 main STP /build/linuxCF/libsgx_utls.a /package/lib64/cve_2020_0551_cf/libsgx_utls.a 0 main STP diff --git a/linux/installer/common/sdk/BOMs/sdk_cve_2020_0551_load.txt b/linux/installer/common/sdk/BOMs/sdk_cve_2020_0551_load.txt -index 71684b38..c26c9e63 100644 +index 5491fa75..3f9f670b 100644 --- a/linux/installer/common/sdk/BOMs/sdk_cve_2020_0551_load.txt +++ b/linux/installer/common/sdk/BOMs/sdk_cve_2020_0551_load.txt -@@ -10,9 +10,7 @@ DeliveryName InstallName FileCheckSum FileFeature FileOwner +@@ -9,9 +9,7 @@ DeliveryName InstallName FileCheckSum FileFeature FileOwner /build/linuxLOAD/libsgx_tswitchless.a /package/lib64/cve_2020_0551_load/libsgx_tswitchless.a 0 main STP /build/linuxLOAD/libsgx_tprotected_fs.a /package/lib64/cve_2020_0551_load/libsgx_tprotected_fs.a 0 main STP /build/linuxLOAD/libsgx_pcl.a /package/lib64/cve_2020_0551_load/libsgx_pcl.a 0 main STP @@ -373,10 +359,10 @@ index 71684b38..c26c9e63 100644 /build/linuxLOAD/libtdx_tls.a /package/lib64/cve_2020_0551_load/libtdx_tls.a 0 main STP /build/linuxLOAD/libsgx_utls.a /package/lib64/cve_2020_0551_load/libsgx_utls.a 0 main STP diff --git a/linux/installer/common/sdk/BOMs/sdk_x64.txt b/linux/installer/common/sdk/BOMs/sdk_x64.txt -index d713050b..111070ee 100644 +index 4066ad1a..a8f07678 100644 
--- a/linux/installer/common/sdk/BOMs/sdk_x64.txt +++ b/linux/installer/common/sdk/BOMs/sdk_x64.txt -@@ -40,10 +40,7 @@ DeliveryName InstallName FileCheckSum FileFeature FileOwner +@@ -34,10 +34,7 @@ DeliveryName InstallName FileCheckSum FileFeature FileOwner /build/linux/sgx_edger8r /package/bin/x64/sgx_edger8r 0 main STP /build/linux/sgx_sign /package/bin/x64/sgx_sign 0 main STP /build/linux/sgx_encrypt /package/bin/x64/sgx_encrypt 0 main STP @@ -388,10 +374,10 @@ index d713050b..111070ee 100644 /build/linux/libtdx_tls.a /package/lib64/libtdx_tls.a 0 main STP /build/linux/libsgx_utls.a /package/lib64/libsgx_utls.a 0 main STP diff --git a/sdk/Makefile.source b/sdk/Makefile.source -index e3bac508..2d37b2d4 100644 +index 37fb7dc4..59c5f8ea 100644 --- a/sdk/Makefile.source +++ b/sdk/Makefile.source -@@ -41,14 +41,11 @@ +@@ -40,13 +40,10 @@ # - tprotected_fs: libsgx_tprotected_fs.a # - tcmalloc: libsgx_tcmalloc.a # - sgx_pcl: libsgx_pcl.a 
@@ -399,23 +385,22 @@ index e3bac508..2d37b2d4 100644 -# - protobuf: libsgx_protobuf.a # - ttls: libsgx_ttls.a # - Untrtusted libraries - # - ukey_exchange: libsgx_ukey_exchange.a # - uprotected_fs: libsgx_uprotected_fs.a # - ptrace: libsgx_ptrace.so, gdb-sgx-plugin -# - sample_crypto: libsample_crypto.so (for sample code use) # - utls: libsgx_utls.a # - Standalone, untrusted libraries # - libcapable: libsgx_capable.a libsgx_capable.so -@@ -66,7 +63,7 @@ LIBTCXX := $(BUILD_DIR)/libsgx_tcxx.a +@@ -64,7 +61,7 @@ LIBTCXX := $(BUILD_DIR)/libsgx_tcxx.a LIBTSE := $(BUILD_DIR)/libsgx_tservice.a .PHONY: components --components: tstdc tcxx tservice trts tcrypto tkey_exchange ukey_exchange tprotected_fs uprotected_fs ptrace sample_crypto libcapable simulation signtool edger8r tcmalloc sgx_pcl sgx_encrypt sgx_tswitchless sgx_uswitchless pthread openmp protobuf ttls utls -+components: tstdc tcxx tservice trts tcrypto tkey_exchange ukey_exchange tprotected_fs uprotected_fs ptrace libcapable simulation signtool edger8r tcmalloc sgx_pcl sgx_encrypt sgx_tswitchless sgx_uswitchless pthread ttls utls +-components: tstdc tcxx tservice trts tcrypto tprotected_fs uprotected_fs ptrace sample_crypto libcapable simulation signtool edger8r tcmalloc sgx_pcl sgx_encrypt sgx_tswitchless sgx_uswitchless pthread openmp protobuf ttls utls ++components: tstdc tcxx tservice trts tcrypto tprotected_fs uprotected_fs ptrace libcapable simulation signtool edger8r tcmalloc sgx_pcl sgx_encrypt sgx_tswitchless sgx_uswitchless pthread ttls utls # --------------------------------------------------- # tstdc -@@ -220,18 +217,6 @@ tprotected_fs: edger8r +@@ -214,18 +211,6 @@ tprotected_fs: edger8r sgx_pcl: $(MAKE) -C protected_code_loader 
@@ -434,7 +419,7 @@ index e3bac508..2d37b2d4 100644 .PHONY: cbor_untrusted cbor_untrusted: $(MAKE) -C $(LINUX_EXTERNAL_DIR)/cbor cbor_untrusted -@@ -255,10 +240,6 @@ uprotected_fs: edger8r +@@ -250,10 +235,6 @@ uprotected_fs: edger8r ptrace: $(MAKE) -C debugger_interface/linux/ @@ -445,7 +430,7 @@ index e3bac508..2d37b2d4 100644 .PHONY: utls utls: cbor_untrusted $(MAKE) -C utls -@@ -328,7 +309,6 @@ clean: +@@ -321,7 +302,6 @@ clean: $(MAKE) -C protected_fs/sgx_tprotected_fs/ clean $(MAKE) -C protected_fs/sgx_uprotected_fs/ clean $(MAKE) -C debugger_interface/linux/ clean @@ -453,15 +438,15 @@ index e3bac508..2d37b2d4 100644 $(MAKE) -C libcapable/linux/ clean $(MAKE) -C simulation/ clean $(MAKE) -C sign_tool/SignTool clean -@@ -339,8 +319,6 @@ clean: +@@ -332,8 +312,6 @@ clean: $(MAKE) -C switchless/sgx_uswitchless clean $(MAKE) -C tmm_rsrv/ clean $(MAKE) -C pthread clean - $(MAKE) -C $(LINUX_EXTERNAL_DIR)/openmp clean - $(MAKE) -C $(LINUX_EXTERNAL_DIR)/protobuf clean $(MAKE) -C $(LINUX_EXTERNAL_DIR)/cbor clean + $(MAKE) -C $(LINUX_EXTERNAL_DIR)/libcxxrt clean $(MAKE) -C ttls clean - $(MAKE) -C utls clean -- -2.52.0 +2.53.0 diff --git a/specs/l/linux-sgx/0006-Fix-escaping-of-regexes-in-sgx-asm-pp.patch b/specs/l/linux-sgx/0006-Fix-escaping-of-regexes-in-sgx-asm-pp.patch deleted file mode 100644 index f1ef4af7de1..00000000000 --- a/specs/l/linux-sgx/0006-Fix-escaping-of-regexes-in-sgx-asm-pp.patch +++ /dev/null 
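Review bot: A new bundled component surfaces in the refreshed context of the `@@ -339,8 +319,6 @@ clean:` hunk — `$(MAKE) -C $(LINUX_EXTERNAL_DIR)/libcxxrt clean` is now upstream context — and the cpprt hunk in the 0003 patch (the new `$(LIBCXXRT_STAMP)` prerequisite on `$(CPPRT)`) points the same way. The 0005 patch exists to trim bundled code (openmp, protobuf, sample_crypto), yet this refresh leaves libcxxrt in the build without a decision either way; if it stays, the spec's bundled-library provides and license review need to cover it, and if it is not wanted it should be dropped the same way the other externals are. The spec is not visible from this chunk, so this may already be handled elsewhere in the series.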
@@ -1,282 +0,0 @@ -From bf5044bd0ad6c2eb41900104547747a51be005c4 Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?= -Date: Mon, 2 Sep 2024 16:49:18 +0100 -Subject: [PATCH 06/17] Fix escaping of regexes in sgx-asm-pp -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -Running sgx-asm-pp.py on recent Python generates many warnings - - sgx-asm-pp.py:64: SyntaxWarning: invalid escape sequence '\s' - sgx-asm-pp.py:85: SyntaxWarning: invalid escape sequence '\s' - sgx-asm-pp.py:65: SyntaxWarning: invalid escape sequence '\s' - sgx-asm-pp.py:86: SyntaxWarning: invalid escape sequence '\s' - sgx-asm-pp.py:66: SyntaxWarning: invalid escape sequence '\s' - -Signed-off-by: Daniel P. Berrangé ---- - build-scripts/sgx-asm-pp.py | 242 ++++++++++++++++++------------------ - 1 file changed, 121 insertions(+), 121 deletions(-) - -diff --git a/build-scripts/sgx-asm-pp.py b/build-scripts/sgx-asm-pp.py -index 2b02396b..0df3fc47 100644 ---- a/build-scripts/sgx-asm-pp.py -+++ b/build-scripts/sgx-asm-pp.py -@@ -38,132 +38,132 @@ import re - import shutil - import argparse - --LOCK = 'lock' --REP = 'rep[a-z]*' --REX = 'rex(?:\.[a-zA-Z]+)?' --SCALAR = '(?:(?:[+-]\s*)?(?:[0-9][0-9a-fA-F]*|0x[0-9a-fA-F]+))' --IMMEDIATE = '(?:%s[hb]?)' %(SCALAR) --REG = '(?:[a-zA-Z][a-zA-Z0-9]*)' --SYM = '(?:[_a-zA-Z][_a-zA-Z0-9]*(?:@[0-9a-zA-Z]+)?)' --LABEL = '(?:[._a-zA-Z0-9]+)' --SEP = '(?:(?:^|:)\s*)' --PFX = '(?:%s\s+)?' 
%(REX) --CONST = '(?:(?:%s|%s|%s)(?:\s*[/*+-]\s*(?:%s|%s|%s))*)' %(SYM, SCALAR, LABEL, SYM, SCALAR, LABEL) --OFFSET = '(?:%s|%s|%s\s*:\s*(?:%s|%s|))' %(CONST, SYM, REG, CONST, SYM) --MEMORYOP = '(?:\[*(?:[a-zA-Z]+\s+)*(?:%s\s*:\s*%s?|(?:%s\s*)?\[[^]]+\]\]*))' %(REG, CONST, OFFSET) --ANYOP = '(?:%s|%s|%s|%s|%s)' %(MEMORYOP, IMMEDIATE, REG, SYM, LABEL) --MEMORYOP = '(?:%s|(?:[a-zA-Z]+\s+(?:ptr|PTR)\s+%s))' %(MEMORYOP, ANYOP) --MEMORYSRC = '(?:%s\s*,\s*)+%s(?:\s*,\s*%s)*' %(ANYOP, MEMORYOP, ANYOP) --MEMORYANY = '(?:%s\s*,\s*)*%s(?:\s*,\s*%s)*' %(ANYOP, MEMORYOP, ANYOP) -+LOCK = r'lock' -+REP = r'rep[a-z]*' -+REX = r'rex(?:\.[a-zA-Z]+)?' -+SCALAR = r'(?:(?:[+-]\s*)?(?:[0-9][0-9a-fA-F]*|0x[0-9a-fA-F]+))' -+IMMEDIATE = r'(?:%s[hb]?)' %(SCALAR) -+REG = r'(?:[a-zA-Z][a-zA-Z0-9]*)' -+SYM = r'(?:[_a-zA-Z][_a-zA-Z0-9]*(?:@[0-9a-zA-Z]+)?)' -+LABEL = r'(?:[._a-zA-Z0-9]+)' -+SEP = r'(?:(?:^|:)\s*)' -+PFX = r'(?:%s\s+)?' %(REX) -+CONST = r'(?:(?:%s|%s|%s)(?:\s*[/*+-]\s*(?:%s|%s|%s))*)' %(SYM, SCALAR, LABEL, SYM, SCALAR, LABEL) -+OFFSET = r'(?:%s|%s|%s\s*:\s*(?:%s|%s|))' %(CONST, SYM, REG, CONST, SYM) -+MEMORYOP = r'(?:\[*(?:[a-zA-Z]+\s+)*(?:%s\s*:\s*%s?|(?:%s\s*)?\[[^]]+\]\]*))' %(REG, CONST, OFFSET) -+ANYOP = r'(?:%s|%s|%s|%s|%s)' %(MEMORYOP, IMMEDIATE, REG, SYM, LABEL) -+MEMORYOP = r'(?:%s|(?:[a-zA-Z]+\s+(?:ptr|PTR)\s+%s))' %(MEMORYOP, ANYOP) -+MEMORYSRC = r'(?:%s\s*,\s*)+%s(?:\s*,\s*%s)*' %(ANYOP, MEMORYOP, ANYOP) -+MEMORYANY = r'(?:%s\s*,\s*)*%s(?:\s*,\s*%s)*' %(ANYOP, MEMORYOP, ANYOP) - ATTSTAR = '' --GPR = '(?:rax|rcx|rdx|rbx|rdi|rsi|rbp|rsp|r8|r9|r10|r11|r12|r13|r14|r15|RAX|RCX|RDX|RBX|RDI|RSI|RBP|RSP|R8|R9|R10|R11|R12|R13|R14|R15)' -+GPR = r'(?:rax|rcx|rdx|rbx|rdi|rsi|rbp|rsp|r8|r9|r10|r11|r12|r13|r14|r15|RAX|RCX|RDX|RBX|RDI|RSI|RBP|RSP|R8|R9|R10|R11|R12|R13|R14|R15)' - - LFENCE = [ -- '(?:%s%smov(?:[a-rt-z][a-z0-9]*)?\s+%s)' %(SEP, PFX, MEMORYSRC), -- '(?:%s%s(?:vpmask|vmask|mask|c|v|p|vp)mov[a-z0-9]*\s+%s)' %(SEP, PFX, MEMORYSRC), -- '(?:%s%spop[bswlqt]?\s+(?:%s|%s))' 
%(SEP, PFX, MEMORYOP, REG), -- '(?:%s%spopad?\s+%s\s*)' %(SEP, PFX, REG), -- '(?:%s%s(?:%s\s+)?xchg[a-z]*\s+%s)' %(SEP, PFX, LOCK, MEMORYANY), -- '(?:%s%s(?:%s\s+)?(?:x|p|vp|ph|h|pm|vpm|)add[a-z]*\s+%s)' %(SEP, PFX, LOCK, MEMORYANY), -- '(?:%s%s(?:%s\s+)?(?:p|vp|ph|h|)sub[a-z]*\s+%s)' %(SEP, PFX, LOCK, MEMORYANY), -- '(?:%s%s(?:%s\s+)?ad[co]x?[a-z]*\s+%s)' %(SEP, PFX, LOCK, MEMORYANY), -- '(?:%s%s(?:%s\s+)?sbb[a-z]*\s+%s)' %(SEP, PFX, LOCK, MEMORYANY), -- '(?:%s%s(?:%s\s+)?v?p?cmp(?:[a-rt-z][a-z0-9]*)?\s+%s)' %(SEP, PFX, LOCK, MEMORYANY), -- '(?:%s%s(?:%s\s+)?inc[a-z]*\s+%s)' %(SEP, PFX, LOCK, MEMORYANY), -- '(?:%s%s(?:%s\s+)?dec[a-z]*\s+%s)' %(SEP, PFX, LOCK, MEMORYANY), -- '(?:%s%s(?:%s\s+)?not[a-z]*\s+%s)' %(SEP, PFX, LOCK, MEMORYANY), -- '(?:%s%s(?:%s\s+)?neg[a-z]*\s+%s)' %(SEP, PFX, LOCK, MEMORYANY), -- '(?:%s%s(?:i|v|p|vp|)mul[a-z]*\s+%s)' %(SEP, PFX, MEMORYANY), -- '(?:%s%s(?:i|v|p|vp|)div[a-z]*\s+%s)' %(SEP, PFX, MEMORYANY), -- '(?:%s%spopcnt[a-z]*\s+%s)' %(SEP, PFX, MEMORYSRC), -- '(?:%s%scrc32[a-z]*\s+%s)' %(SEP, PFX, MEMORYANY), -- '(?:%s%s(?:%s\s+)?v?p?and[a-z]*\s+%s)' %(SEP, PFX, LOCK, MEMORYANY), -- '(?:%s%s(?:%s\s+)?v?p?or[a-z]*\s+%s)' %(SEP, PFX, LOCK, MEMORYANY), -- '(?:%s%s(?:%s\s+)?v?p?xor[a-z]*\s+%s)' %(SEP, PFX, LOCK, MEMORYANY), -- '(?:%s%sv?p?test[a-z]*\s+%s)' %(SEP, PFX, MEMORYANY), -- '(?:%s%ss[ah][lr][a-z]*\s+%s)' %(SEP, PFX, MEMORYANY), -- '(?:%s%ssar[a-z]*\s+%s)' %(SEP, PFX, MEMORYANY), -- '(?:%s%s(?:vp|)ro(?:r|l)[a-z]*\s+%s)' %(SEP, PFX, MEMORYANY), -- '(?:%s%src(?:r|l)[a-z]*\s+%s)' %(SEP, PFX, MEMORYANY), -- '(?:%s%s(?:%s\s+)?bt[a-z]*\s+%s)' %(SEP, PFX, LOCK, MEMORYANY), -- '(?:%s%sbs[fr][a-z]*\s+%s)' %(SEP, PFX, MEMORYANY), -- '(?:%s%s(?:vp|)[lt]zcnt[a-z]*\s+%s)' %(SEP, PFX, MEMORYANY), -- '(?:%s%sblsi[a-z]*\s+%s)' %(SEP, PFX, MEMORYANY), -- '(?:%s%sblsmsk[a-z]*\s+%s)' %(SEP, PFX, MEMORYANY), -- '(?:%s%sblsr[a-z]*\s+%s)' %(SEP, PFX, MEMORYANY), -- '(?:%s%sbextr[a-z]*\s+%s)' %(SEP, PFX, MEMORYANY), -- '(?:%s%sbzhi[a-z]*\s+%s)' %(SEP, 
PFX, MEMORYANY), -- '(?:%s%spdep[a-z]*\s+%s)' %(SEP, PFX, MEMORYSRC), -- '(?:%s%spext[a-z]*\s+%s)' %(SEP, PFX, MEMORYSRC), -- '(?:%s%s(?:%s\s+)?lods[a-z]*(?:\s+%s|\s*(?:#|$)))' %(SEP, PFX, REP, MEMORYSRC), -- '(?:%s%s(?:%s\s+)?scas[a-z]*(?:\s+%s|\s*(?:#|$)))' %(SEP, PFX, REP, MEMORYSRC), -- '(?:%s%s(?:%s\s+)?outs[a-z]*(?:\s+%s|\s*(?:#|$)))' %(SEP, PFX, REP, MEMORYSRC), -- '(?:%s%s(?:%s\s+)?cmps[a-z]*(?:\s+%s|\s*(?:#|$)))' %(SEP, PFX, REP, MEMORYSRC), -- '(?:%s%s(?:%s\s+)?movs[a-z]*(?:\s+%s|\s*(?:#|$)))' %(SEP, PFX, REP, MEMORYSRC), -- '(?:%s%slddqu\s+%s)' %(SEP, PFX, MEMORYSRC), -- '(?:%s%sv?pack[a-z]*\s+%s)' %(SEP, PFX, MEMORYSRC), -- '(?:%s%sv?p?unpck[a-z]*\s+%s)' %(SEP, PFX, MEMORYSRC), -- '(?:%s%sv?p?shuf[a-z0-9]*\s+%s)' %(SEP, PFX, MEMORYSRC), -- '(?:%s%sv?p?align[a-z]*\s+%s)' %(SEP, PFX, MEMORYSRC), -- '(?:%s%sv?pblend[a-z]*\s+%s)' %(SEP, PFX, MEMORYSRC), -- '(?:%s%svperm[a-z0-9]*\s+%s)' %(SEP, PFX, MEMORYSRC), -- '(?:%s%sv?p?insr[a-z]*\s+%s)' %(SEP, PFX, MEMORYSRC), -- '(?:%s%sv?insert[a-z0-9]*\s+%s)' %(SEP, PFX, MEMORYSRC), -- '(?:%s%sv?p?expand[a-z]*\s+%s)' %(SEP, PFX, MEMORYSRC), -- '(?:%s%svp?broadcast[a-z0-9]*\s+%s)' %(SEP, PFX, MEMORYANY), -- '(?:%s%svp?gather[a-z]*\s+%s)' %(SEP, PFX, MEMORYANY), -- '(?:%s%sv?pavg[a-z]*\s+%s)' %(SEP, PFX, MEMORYANY), -- '(?:%s%sv?p?min[a-z]*\s+%s)' %(SEP, PFX, MEMORYANY), -- '(?:%s%sv?p?max[a-z]*\s+%s)' %(SEP, PFX, MEMORYANY), -- '(?:%s%sv?phminpos[a-z]*\s+%s)' %(SEP, PFX, MEMORYANY), -- '(?:%s%sv?pabs[a-z]*\s+%s)' %(SEP, PFX, MEMORYANY), -- '(?:%s%sv?psign[a-z]*\s+%s)' %(SEP, PFX, MEMORYANY), -- '(?:%s%sv?(?:m|db|)psad[a-z]*\s+%s)' %(SEP, PFX, MEMORYANY), -- '(?:%s%sv?psll[a-z]*\s+%s)' %(SEP, PFX, MEMORYANY), -- '(?:%s%sv?psrl[a-z]*\s+%s)' %(SEP, PFX, MEMORYANY), -- '(?:%s%sv?psra[a-z]*\s+%s)' %(SEP, PFX, MEMORYANY), -- '(?:%s%sv?pclmulqdq\s+%s)' %(SEP, PFX, MEMORYANY), -- '(?:%s%sv?aesdec(?:last)?\s+%s)' %(SEP, PFX, MEMORYANY), -- '(?:%s%sv?aesenc(?:last)?\s+%s)' %(SEP, PFX, MEMORYANY), -- '(?:%s%sv?aesimc\s+%s)' 
%(SEP, PFX, MEMORYANY), -- '(?:%s%sv?aeskeygenassist\s+%s)' %(SEP, PFX, MEMORYANY), -- '(?:%s%sv?sha(?:1|256)(?:nexte|rnds4|msg1|msg2)\s+%s)' %(SEP, PFX, MEMORYSRC), -- '(?:%s%sv?cvt[a-z0-9]*\s+%s)' %(SEP, PFX, MEMORYSRC), -- '(?:%s%sv?rcp(?:ss|ps)\s+%s)' %(SEP, PFX, MEMORYANY), -- '(?:%s%sv?u?comis[sd]\s+%s)' %(SEP, PFX, MEMORYANY), -- '(?:%s%sv?round[a-z]*\s+%s)' %(SEP, PFX, MEMORYANY), -- '(?:%s%sv?dpp[sd]*\s+%s)' %(SEP, PFX, MEMORYANY), -- '(?:%s%sv?r?sqrt[a-z0-9]*\s+%s)' %(SEP, PFX, MEMORYSRC), -- '(?:%s%sv?ldmxcsr\s+%s)' %(SEP, PFX, MEMORYOP), -- '(?:%s%sf?x?rstors?\s+%s)' %(SEP, PFX, MEMORYOP), -- '(?:%s%sl[gi]dt\s+%s)' %(SEP, PFX, MEMORYOP), -- '(?:%s%slmsw\s+%s)' %(SEP, PFX, MEMORYANY), -- '(?:%s%svmptrld\s+%s)' %(SEP, PFX, MEMORYOP), -- '(?:%s%sf(?:b|i|)ld[a-z0-9]*\s+%s)' %(SEP, PFX, MEMORYANY), -- '(?:%s%sfi?add[a-z]*\s+%s)' %(SEP, PFX, MEMORYANY), -- '(?:%s%sfi?sub[a-z]*\s+%s)' %(SEP, PFX, MEMORYANY), -- '(?:%s%sfi?mul[a-z]*\s+%s)' %(SEP, PFX, MEMORYANY), -- '(?:%s%sfi?div[a-z]*\s+%s)' %(SEP, PFX, MEMORYANY), -- '(?:%s%sf(?:i|u|)com[a-z]*\s+%s)' %(SEP, PFX, MEMORYANY), -- '(?:%s%sleave[bswlqt]?)' %(SEP, PFX), -- '(?:%s%spopf[bswlqt]?)' %(SEP, PFX), -- '(?:%s%svfixupimm[a-z]*\s+%s)' %(SEP, PFX, MEMORYANY), -- '(?:%s%svf[m|n]add[a-z0-9]*\s+%s)' %(SEP, PFX, MEMORYANY), -- '(?:%s%svfpclass[a-z]*\s+%s)' %(SEP, PFX, MEMORYANY), -- '(?:%s%svget[a-z]*\s+%s)' %(SEP, PFX, MEMORYANY), -- '(?:%s%svpconflict[a-z]*\s+%s)' %(SEP, PFX, MEMORYANY), -- '(?:%s%svpternlog[d|q]\s+%s)' %(SEP, PFX, MEMORYANY), -- '(?:%s%svrange[a-z]*\s+%s)' %(SEP, PFX, MEMORYANY), -- '(?:%s%svreduce[a-z]*\s+%s)' %(SEP, PFX, MEMORYANY), -- '(?:%s%svrndscale[a-z]*\s+%s)' %(SEP, PFX, MEMORYANY), -- '(?:%s%svscalef[a-z]*\s+%s)' %(SEP, PFX, MEMORYANY), -- '(?:%s%sxlat\s+%s)' %(SEP, PFX, MEMORYANY), -- '(?:%s%sxlatb?)' %(SEP, PFX), -+ r'(?:%s%smov(?:[a-rt-z][a-z0-9]*)?\s+%s)' %(SEP, PFX, MEMORYSRC), -+ r'(?:%s%s(?:vpmask|vmask|mask|c|v|p|vp)mov[a-z0-9]*\s+%s)' %(SEP, PFX, MEMORYSRC), -+ 
r'(?:%s%spop[bswlqt]?\s+(?:%s|%s))' %(SEP, PFX, MEMORYOP, REG), -+ r'(?:%s%spopad?\s+%s\s*)' %(SEP, PFX, REG), -+ r'(?:%s%s(?:%s\s+)?xchg[a-z]*\s+%s)' %(SEP, PFX, LOCK, MEMORYANY), -+ r'(?:%s%s(?:%s\s+)?(?:x|p|vp|ph|h|pm|vpm|)add[a-z]*\s+%s)' %(SEP, PFX, LOCK, MEMORYANY), -+ r'(?:%s%s(?:%s\s+)?(?:p|vp|ph|h|)sub[a-z]*\s+%s)' %(SEP, PFX, LOCK, MEMORYANY), -+ r'(?:%s%s(?:%s\s+)?ad[co]x?[a-z]*\s+%s)' %(SEP, PFX, LOCK, MEMORYANY), -+ r'(?:%s%s(?:%s\s+)?sbb[a-z]*\s+%s)' %(SEP, PFX, LOCK, MEMORYANY), -+ r'(?:%s%s(?:%s\s+)?v?p?cmp(?:[a-rt-z][a-z0-9]*)?\s+%s)' %(SEP, PFX, LOCK, MEMORYANY), -+ r'(?:%s%s(?:%s\s+)?inc[a-z]*\s+%s)' %(SEP, PFX, LOCK, MEMORYANY), -+ r'(?:%s%s(?:%s\s+)?dec[a-z]*\s+%s)' %(SEP, PFX, LOCK, MEMORYANY), -+ r'(?:%s%s(?:%s\s+)?not[a-z]*\s+%s)' %(SEP, PFX, LOCK, MEMORYANY), -+ r'(?:%s%s(?:%s\s+)?neg[a-z]*\s+%s)' %(SEP, PFX, LOCK, MEMORYANY), -+ r'(?:%s%s(?:i|v|p|vp|)mul[a-z]*\s+%s)' %(SEP, PFX, MEMORYANY), -+ r'(?:%s%s(?:i|v|p|vp|)div[a-z]*\s+%s)' %(SEP, PFX, MEMORYANY), -+ r'(?:%s%spopcnt[a-z]*\s+%s)' %(SEP, PFX, MEMORYSRC), -+ r'(?:%s%scrc32[a-z]*\s+%s)' %(SEP, PFX, MEMORYANY), -+ r'(?:%s%s(?:%s\s+)?v?p?and[a-z]*\s+%s)' %(SEP, PFX, LOCK, MEMORYANY), -+ r'(?:%s%s(?:%s\s+)?v?p?or[a-z]*\s+%s)' %(SEP, PFX, LOCK, MEMORYANY), -+ r'(?:%s%s(?:%s\s+)?v?p?xor[a-z]*\s+%s)' %(SEP, PFX, LOCK, MEMORYANY), -+ r'(?:%s%sv?p?test[a-z]*\s+%s)' %(SEP, PFX, MEMORYANY), -+ r'(?:%s%ss[ah][lr][a-z]*\s+%s)' %(SEP, PFX, MEMORYANY), -+ r'(?:%s%ssar[a-z]*\s+%s)' %(SEP, PFX, MEMORYANY), -+ r'(?:%s%s(?:vp|)ro(?:r|l)[a-z]*\s+%s)' %(SEP, PFX, MEMORYANY), -+ r'(?:%s%src(?:r|l)[a-z]*\s+%s)' %(SEP, PFX, MEMORYANY), -+ r'(?:%s%s(?:%s\s+)?bt[a-z]*\s+%s)' %(SEP, PFX, LOCK, MEMORYANY), -+ r'(?:%s%sbs[fr][a-z]*\s+%s)' %(SEP, PFX, MEMORYANY), -+ r'(?:%s%s(?:vp|)[lt]zcnt[a-z]*\s+%s)' %(SEP, PFX, MEMORYANY), -+ r'(?:%s%sblsi[a-z]*\s+%s)' %(SEP, PFX, MEMORYANY), -+ r'(?:%s%sblsmsk[a-z]*\s+%s)' %(SEP, PFX, MEMORYANY), -+ r'(?:%s%sblsr[a-z]*\s+%s)' %(SEP, PFX, MEMORYANY), -+ 
r'(?:%s%sbextr[a-z]*\s+%s)' %(SEP, PFX, MEMORYANY), -+ r'(?:%s%sbzhi[a-z]*\s+%s)' %(SEP, PFX, MEMORYANY), -+ r'(?:%s%spdep[a-z]*\s+%s)' %(SEP, PFX, MEMORYSRC), -+ r'(?:%s%spext[a-z]*\s+%s)' %(SEP, PFX, MEMORYSRC), -+ r'(?:%s%s(?:%s\s+)?lods[a-z]*(?:\s+%s|\s*(?:#|$)))' %(SEP, PFX, REP, MEMORYSRC), -+ r'(?:%s%s(?:%s\s+)?scas[a-z]*(?:\s+%s|\s*(?:#|$)))' %(SEP, PFX, REP, MEMORYSRC), -+ r'(?:%s%s(?:%s\s+)?outs[a-z]*(?:\s+%s|\s*(?:#|$)))' %(SEP, PFX, REP, MEMORYSRC), -+ r'(?:%s%s(?:%s\s+)?cmps[a-z]*(?:\s+%s|\s*(?:#|$)))' %(SEP, PFX, REP, MEMORYSRC), -+ r'(?:%s%s(?:%s\s+)?movs[a-z]*(?:\s+%s|\s*(?:#|$)))' %(SEP, PFX, REP, MEMORYSRC), -+ r'(?:%s%slddqu\s+%s)' %(SEP, PFX, MEMORYSRC), -+ r'(?:%s%sv?pack[a-z]*\s+%s)' %(SEP, PFX, MEMORYSRC), -+ r'(?:%s%sv?p?unpck[a-z]*\s+%s)' %(SEP, PFX, MEMORYSRC), -+ r'(?:%s%sv?p?shuf[a-z0-9]*\s+%s)' %(SEP, PFX, MEMORYSRC), -+ r'(?:%s%sv?p?align[a-z]*\s+%s)' %(SEP, PFX, MEMORYSRC), -+ r'(?:%s%sv?pblend[a-z]*\s+%s)' %(SEP, PFX, MEMORYSRC), -+ r'(?:%s%svperm[a-z0-9]*\s+%s)' %(SEP, PFX, MEMORYSRC), -+ r'(?:%s%sv?p?insr[a-z]*\s+%s)' %(SEP, PFX, MEMORYSRC), -+ r'(?:%s%sv?insert[a-z0-9]*\s+%s)' %(SEP, PFX, MEMORYSRC), -+ r'(?:%s%sv?p?expand[a-z]*\s+%s)' %(SEP, PFX, MEMORYSRC), -+ r'(?:%s%svp?broadcast[a-z0-9]*\s+%s)' %(SEP, PFX, MEMORYANY), -+ r'(?:%s%svp?gather[a-z]*\s+%s)' %(SEP, PFX, MEMORYANY), -+ r'(?:%s%sv?pavg[a-z]*\s+%s)' %(SEP, PFX, MEMORYANY), -+ r'(?:%s%sv?p?min[a-z]*\s+%s)' %(SEP, PFX, MEMORYANY), -+ r'(?:%s%sv?p?max[a-z]*\s+%s)' %(SEP, PFX, MEMORYANY), -+ r'(?:%s%sv?phminpos[a-z]*\s+%s)' %(SEP, PFX, MEMORYANY), -+ r'(?:%s%sv?pabs[a-z]*\s+%s)' %(SEP, PFX, MEMORYANY), -+ r'(?:%s%sv?psign[a-z]*\s+%s)' %(SEP, PFX, MEMORYANY), -+ r'(?:%s%sv?(?:m|db|)psad[a-z]*\s+%s)' %(SEP, PFX, MEMORYANY), -+ r'(?:%s%sv?psll[a-z]*\s+%s)' %(SEP, PFX, MEMORYANY), -+ r'(?:%s%sv?psrl[a-z]*\s+%s)' %(SEP, PFX, MEMORYANY), -+ r'(?:%s%sv?psra[a-z]*\s+%s)' %(SEP, PFX, MEMORYANY), -+ r'(?:%s%sv?pclmulqdq\s+%s)' %(SEP, PFX, MEMORYANY), -+ 
r'(?:%s%sv?aesdec(?:last)?\s+%s)' %(SEP, PFX, MEMORYANY), -+ r'(?:%s%sv?aesenc(?:last)?\s+%s)' %(SEP, PFX, MEMORYANY), -+ r'(?:%s%sv?aesimc\s+%s)' %(SEP, PFX, MEMORYANY), -+ r'(?:%s%sv?aeskeygenassist\s+%s)' %(SEP, PFX, MEMORYANY), -+ r'(?:%s%sv?sha(?:1|256)(?:nexte|rnds4|msg1|msg2)\s+%s)' %(SEP, PFX, MEMORYSRC), -+ r'(?:%s%sv?cvt[a-z0-9]*\s+%s)' %(SEP, PFX, MEMORYSRC), -+ r'(?:%s%sv?rcp(?:ss|ps)\s+%s)' %(SEP, PFX, MEMORYANY), -+ r'(?:%s%sv?u?comis[sd]\s+%s)' %(SEP, PFX, MEMORYANY), -+ r'(?:%s%sv?round[a-z]*\s+%s)' %(SEP, PFX, MEMORYANY), -+ r'(?:%s%sv?dpp[sd]*\s+%s)' %(SEP, PFX, MEMORYANY), -+ r'(?:%s%sv?r?sqrt[a-z0-9]*\s+%s)' %(SEP, PFX, MEMORYSRC), -+ r'(?:%s%sv?ldmxcsr\s+%s)' %(SEP, PFX, MEMORYOP), -+ r'(?:%s%sf?x?rstors?\s+%s)' %(SEP, PFX, MEMORYOP), -+ r'(?:%s%sl[gi]dt\s+%s)' %(SEP, PFX, MEMORYOP), -+ r'(?:%s%slmsw\s+%s)' %(SEP, PFX, MEMORYANY), -+ r'(?:%s%svmptrld\s+%s)' %(SEP, PFX, MEMORYOP), -+ r'(?:%s%sf(?:b|i|)ld[a-z0-9]*\s+%s)' %(SEP, PFX, MEMORYANY), -+ r'(?:%s%sfi?add[a-z]*\s+%s)' %(SEP, PFX, MEMORYANY), -+ r'(?:%s%sfi?sub[a-z]*\s+%s)' %(SEP, PFX, MEMORYANY), -+ r'(?:%s%sfi?mul[a-z]*\s+%s)' %(SEP, PFX, MEMORYANY), -+ r'(?:%s%sfi?div[a-z]*\s+%s)' %(SEP, PFX, MEMORYANY), -+ r'(?:%s%sf(?:i|u|)com[a-z]*\s+%s)' %(SEP, PFX, MEMORYANY), -+ r'(?:%s%sleave[bswlqt]?)' %(SEP, PFX), -+ r'(?:%s%spopf[bswlqt]?)' %(SEP, PFX), -+ r'(?:%s%svfixupimm[a-z]*\s+%s)' %(SEP, PFX, MEMORYANY), -+ r'(?:%s%svf[m|n]add[a-z0-9]*\s+%s)' %(SEP, PFX, MEMORYANY), -+ r'(?:%s%svfpclass[a-z]*\s+%s)' %(SEP, PFX, MEMORYANY), -+ r'(?:%s%svget[a-z]*\s+%s)' %(SEP, PFX, MEMORYANY), -+ r'(?:%s%svpconflict[a-z]*\s+%s)' %(SEP, PFX, MEMORYANY), -+ r'(?:%s%svpternlog[d|q]\s+%s)' %(SEP, PFX, MEMORYANY), -+ r'(?:%s%svrange[a-z]*\s+%s)' %(SEP, PFX, MEMORYANY), -+ r'(?:%s%svreduce[a-z]*\s+%s)' %(SEP, PFX, MEMORYANY), -+ r'(?:%s%svrndscale[a-z]*\s+%s)' %(SEP, PFX, MEMORYANY), -+ r'(?:%s%svscalef[a-z]*\s+%s)' %(SEP, PFX, MEMORYANY), -+ r'(?:%s%sxlat\s+%s)' %(SEP, PFX, MEMORYANY), -+ r'(?:%s%sxlatb?)' 
%(SEP, PFX), - ] - --RET = '(?:%s%sret[a-z]*(?:\s+%s)?(?:#|$))' %(SEP, PFX, IMMEDIATE) --MEM_INDBR = '(?:%s%s(?:call|jmp)[a-z]*\s+%s%s)' %(SEP, PFX, ATTSTAR, MEMORYOP) --REG_INDBR = '(?:%s%s(?:call|jmp)[a-z]*\s+%s)' %(SEP, PFX, GPR) -+RET = r'(?:%s%sret[a-z]*(?:\s+%s)?(?:#|$))' %(SEP, PFX, IMMEDIATE) -+MEM_INDBR = r'(?:%s%s(?:call|jmp)[a-z]*\s+%s%s)' %(SEP, PFX, ATTSTAR, MEMORYOP) -+REG_INDBR = r'(?:%s%s(?:call|jmp)[a-z]*\s+%s)' %(SEP, PFX, GPR) - - # - # File Operations - read/write --- -2.52.0 - diff --git a/specs/l/linux-sgx/0007-psw-prefer-dev-sgx_provision-dev-sgx_enclave.patch b/specs/l/linux-sgx/0006-psw-prefer-dev-sgx_provision-dev-sgx_enclave.patch similarity index 90% rename from specs/l/linux-sgx/0007-psw-prefer-dev-sgx_provision-dev-sgx_enclave.patch rename to specs/l/linux-sgx/0006-psw-prefer-dev-sgx_provision-dev-sgx_enclave.patch index 3d817a4a912..8491d872740 100644 --- a/specs/l/linux-sgx/0007-psw-prefer-dev-sgx_provision-dev-sgx_enclave.patch +++ b/specs/l/linux-sgx/0006-psw-prefer-dev-sgx_provision-dev-sgx_enclave.patch @@ -1,7 +1,7 @@ -From e70a6cf01361e773c361cdb8debf1be2859e0b09 Mon Sep 17 00:00:00 2001 +From b6781ffdf7993718ddc232b27a0eac4d2ef2dddf Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?= Date: Fri, 4 Oct 2024 16:33:20 +0100 -Subject: [PATCH 07/17] psw: prefer /dev/sgx_provision & /dev/sgx_enclave +Subject: [PATCH 06/16] psw: prefer /dev/sgx_provision & /dev/sgx_enclave MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit @@ -21,10 +21,10 @@ Signed-off-by: Daniel P. Berrangé 2 files changed, 9 insertions(+), 9 deletions(-) diff --git a/psw/enclave_common/sgx_enclave_common.cpp b/psw/enclave_common/sgx_enclave_common.cpp -index 399d63b2..f63149a0 100644 +index 19cc998b..1ea3d04c 100644 --- a/psw/enclave_common/sgx_enclave_common.cpp 
+++ b/psw/enclave_common/sgx_enclave_common.cpp -@@ -481,11 +481,11 @@ static void enclave_set_provision_access(int hdevice, void* enclave_base) +@@ -409,11 +409,11 @@ static void enclave_set_provision_access(int hdevice, void* enclave_base) if (s_driver_type == SGX_DRIVER_IN_KERNEL) { @@ -40,7 +40,7 @@ index 399d63b2..f63149a0 100644 if (-1 == hdev_prov) { diff --git a/psw/urts/linux/edmm_utility.cpp b/psw/urts/linux/edmm_utility.cpp -index 49f2b9aa..fc537a84 100644 +index 9406ee64..5eea4ecd 100644 --- a/psw/urts/linux/edmm_utility.cpp +++ b/psw/urts/linux/edmm_utility.cpp @@ -99,11 +99,11 @@ bool get_driver_type(int *driver_type) @@ -58,7 +58,7 @@ index 49f2b9aa..fc537a84 100644 } if (-1 == hdev) { -@@ -154,11 +154,11 @@ extern "C" bool open_se_device(int driver_type, int *hdevice) +@@ -155,11 +155,11 @@ extern "C" bool open_se_device(int driver_type, int *hdevice) *hdevice = -1; if (driver_type == SGX_DRIVER_IN_KERNEL) { @@ -74,5 +74,5 @@ index 49f2b9aa..fc537a84 100644 } else if (driver_type == SGX_DRIVER_DCAP) -- -2.52.0 +2.53.0 diff --git a/specs/l/linux-sgx/0008-psw-fix-soname-for-libuae_service.so-library.patch b/specs/l/linux-sgx/0007-psw-fix-soname-for-libuae_service.so-library.patch similarity index 84% rename from specs/l/linux-sgx/0008-psw-fix-soname-for-libuae_service.so-library.patch rename to specs/l/linux-sgx/0007-psw-fix-soname-for-libuae_service.so-library.patch index 919475d890f..8dd9be59902 100644 --- a/specs/l/linux-sgx/0008-psw-fix-soname-for-libuae_service.so-library.patch +++ b/specs/l/linux-sgx/0007-psw-fix-soname-for-libuae_service.so-library.patch @@ -1,7 +1,7 @@ -From 83d0388400f5acd63f5cdad1a3d7da26fb6d4d17 Mon Sep 17 00:00:00 2001 +From e39bf7eef92faee1f6096d4ca7da0e2571a94cba Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?= Date: Fri, 17 Jan 2025 15:38:56 +0000 -Subject: [PATCH 08/17] psw: fix soname for libuae_service.so library +Subject: [PATCH 07/16] psw: fix soname for libuae_service.so library MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit @@ -12,10 +12,10 @@ Signed-off-by: Daniel P. Berrangé 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/psw/uae_service/linux/Makefile b/psw/uae_service/linux/Makefile -index bffbdc5b..81f5c4b7 100644 +index 0de5ab7c..3d9a1408 100644 --- a/psw/uae_service/linux/Makefile +++ b/psw/uae_service/linux/Makefile -@@ -143,7 +143,7 @@ libsgx_%.so: $(OBJ) %_version.o +@@ -120,7 +120,7 @@ libsgx_%.so: $(OBJ) %_version.o $(CXX) $(CXXFLAGS) $^ -shared $(LDUFLAGS) -Wl,--version-script=$(@:.so=.lds) -Wl,--gc-sections $(EXTERNAL_LIB) -Wl,-soname=$@.$(call get_major_version,$(call get_version_name,$@)) -o $@ $(LEGACY_LIBNAME): $(LEGACY_OBJ) @@ -25,5 +25,5 @@ index bffbdc5b..81f5c4b7 100644 $(IPC_SRC:.cpp=.o) : $(IPC_COMMON_PROTO_DIR)/messages.pb.cc AEServicesImpl.o : $(IPC_COMMON_PROTO_DIR)/messages.pb.cc -- -2.52.0 +2.53.0 diff --git a/specs/l/linux-sgx/0009-pcl-remove-redundant-use-of-bool-type.patch b/specs/l/linux-sgx/0008-pcl-remove-redundant-use-of-bool-type.patch similarity index 91% rename from specs/l/linux-sgx/0009-pcl-remove-redundant-use-of-bool-type.patch rename to specs/l/linux-sgx/0008-pcl-remove-redundant-use-of-bool-type.patch index 90f3a0313b4..0b80e4e2b22 100644 --- a/specs/l/linux-sgx/0009-pcl-remove-redundant-use-of-bool-type.patch +++ b/specs/l/linux-sgx/0008-pcl-remove-redundant-use-of-bool-type.patch @@ -1,7 +1,7 @@ -From eb3056a11ffe6359acc5c7a8957ede654e7b2d90 Mon Sep 17 00:00:00 2001 +From 30c235fb42a26be114a50bc07b82a4700747df25 Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?= Date: Thu, 6 Feb 2025 09:54:33 +0000 -Subject: [PATCH 09/17] pcl: remove redundant use of 'bool' type +Subject: [PATCH 08/16] pcl: remove redundant use of 'bool' type MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit @@ -45,5 +45,5 @@ index 5ad6efde..b78ca907 100644 #endif // #ifdef SE_SIM -- -2.52.0 +2.53.0 diff --git a/specs/l/linux-sgx/0010-sdk-honour-CFLAGS-LDFLAGS-set-from-environment.patch b/specs/l/linux-sgx/0009-sdk-honour-CFLAGS-LDFLAGS-set-from-environment.patch similarity index 86% rename from specs/l/linux-sgx/0010-sdk-honour-CFLAGS-LDFLAGS-set-from-environment.patch rename to specs/l/linux-sgx/0009-sdk-honour-CFLAGS-LDFLAGS-set-from-environment.patch index b88022bc022..b62599a4053 100644 --- a/specs/l/linux-sgx/0010-sdk-honour-CFLAGS-LDFLAGS-set-from-environment.patch +++ b/specs/l/linux-sgx/0009-sdk-honour-CFLAGS-LDFLAGS-set-from-environment.patch @@ -1,7 +1,7 @@ -From 8e12ec0045bf6ac4f94f287cdbf87e69e734647a Mon Sep 17 00:00:00 2001 +From f5703f8320b8fb6f4a5f227bb522ea8e1d7721e9 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?= Date: Thu, 27 Mar 2025 14:17:01 +0000 -Subject: [PATCH 10/17] sdk: honour CFLAGS/LDFLAGS set from environment +Subject: [PATCH 09/16] sdk: honour CFLAGS/LDFLAGS set from environment MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit @@ -17,7 +17,7 @@ Signed-off-by: Daniel P. Berrangé 6 files changed, 9 insertions(+), 12 deletions(-) diff --git a/sdk/debugger_interface/linux/Makefile b/sdk/debugger_interface/linux/Makefile -index 8f2847da..808e093f 100644 +index 018b8a31..a86b6085 100644 --- a/sdk/debugger_interface/linux/Makefile +++ b/sdk/debugger_interface/linux/Makefile @@ -31,13 +31,10 @@ 
@@ -30,11 +30,11 @@ index 8f2847da..808e093f 100644 CPPFLAGS += -I$(COMMON_DIR)/inc/ \ -I$(COMMON_DIR)/inc/internal/ --CFLAGS += -W -Wall -Werror -D_GNU_SOURCE -fpic -+CFLAGS += -W -Wall -Werror -D_GNU_SOURCE -fpic -Wno-conversion -Wno-redundant-decls - ifeq ($(CC_BELOW_4_9), 1) - CFLAGS += -fstack-protector - else +-CFLAGS += -W -Wall -Werror -D_GNU_SOURCE -fpic -fstack-protector-strong ++CFLAGS += -W -Wall -Werror -D_GNU_SOURCE -fpic -fstack-protector-strong -Wno-conversion -Wno-redundant-decls + LDLIBS += -ldl + + ifdef DEBUG diff --git a/sdk/encrypt_enclave/Makefile b/sdk/encrypt_enclave/Makefile index d388dc1d..867de978 100644 --- a/sdk/encrypt_enclave/Makefile @@ -75,10 +75,10 @@ index fce3a59e..5fd8548e 100644 LDFLAGS += -pie $(COMMON_LDFLAGS) LDLIBS := -lwrapper diff --git a/sdk/simulation/uae_service_sim/linux/Makefile b/sdk/simulation/uae_service_sim/linux/Makefile -index 45ddb576..865d5556 100644 +index 3d5b5628..6a50f7eb 100644 --- a/sdk/simulation/uae_service_sim/linux/Makefile +++ b/sdk/simulation/uae_service_sim/linux/Makefile -@@ -50,7 +50,7 @@ INCLUDES := -I.. \ +@@ -51,7 +51,7 @@ INCLUDES := -I.. \ CXXFLAGS += -Wall -fPIC $(INCLUDES) -Werror -g $(CET_FLAGS) CFLAGS := $(filter-out -fPIC -Werror, $(CFLAGS)) -Wall $(INCLUDES) $(CET_FLAGS) @@ -88,7 +88,7 @@ index 45ddb576..865d5556 100644 RDRAND_LIBDIR := $(LINUX_EXTERNAL_DIR)/rdrand/src RDRAND_MAKEFILE := $(RDRAND_LIBDIR)/Makefile diff --git a/sdk/simulation/urtssim/linux/Makefile b/sdk/simulation/urtssim/linux/Makefile -index ea8ca78c..dd716f2b 100644 +index 8af19905..78f53484 100644 --- a/sdk/simulation/urtssim/linux/Makefile +++ b/sdk/simulation/urtssim/linux/Makefile @@ -65,9 +65,9 @@ DIR5 := $(LINUX_PSW_DIR)/../common/src/linux 
@@ -103,7 +103,7 @@ index ea8ca78c..dd716f2b 100644 OBJ1 := enclave.o \ tcs.o \ -@@ -120,7 +120,7 @@ vpath %.cpp .:$(DIR1):$(DIR2):$(DIR3):$(DIR4):$(DIR6) +@@ -119,7 +119,7 @@ vpath %.cpp .:$(DIR1):$(DIR2):$(DIR3):$(DIR4):$(DIR6) vpath %.S .:$(DIR2):$(DIR5) vpath %.c .:$(DIR6) @@ -112,7 +112,7 @@ index ea8ca78c..dd716f2b 100644 LIBURTSSIM_SHARED := libsgx_urts_sim.so LIBURTS_DEPLOY := libsgx_urts_deploy.so -@@ -134,7 +134,7 @@ all: $(LIBURTSSIM_SHARED) $(LIBURTS_DEPLOY)| $(BUILD_DIR) +@@ -133,7 +133,7 @@ all: $(LIBURTSSIM_SHARED) $(LIBURTS_DEPLOY)| $(BUILD_DIR) $(CP) $(LIBURTS_DEPLOY) $| $(LIBURTSSIM_SHARED): simasm uinst driver_api wrapper uae_service_sim $(OBJ) $(OBJ6) ittnotify @@ -122,5 +122,5 @@ index ea8ca78c..dd716f2b 100644 $(BUILD_DIR): @$(MKDIR) $@ -- -2.52.0 +2.53.0 diff --git a/specs/l/linux-sgx/0011-psw-make-aesm_service-build-verbose.patch b/specs/l/linux-sgx/0010-psw-make-aesm_service-build-verbose.patch similarity index 73% rename from specs/l/linux-sgx/0011-psw-make-aesm_service-build-verbose.patch rename to specs/l/linux-sgx/0010-psw-make-aesm_service-build-verbose.patch index 77acafcf8a2..5661eb7159e 100644 --- a/specs/l/linux-sgx/0011-psw-make-aesm_service-build-verbose.patch +++ b/specs/l/linux-sgx/0010-psw-make-aesm_service-build-verbose.patch @@ -1,7 +1,7 @@ -From fc8aa721d2f55aa40eb8e1a681a78c24db811b10 Mon Sep 17 00:00:00 2001 +From 693ee7cf08bf06c9de402fd3df5fb8d44c40e903 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?= Date: Thu, 27 Mar 2025 16:07:10 +0000 -Subject: [PATCH 11/17] psw: make aesm_service build verbose. +Subject: [PATCH 10/16] psw: make aesm_service build verbose. MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit @@ -12,11 +12,11 @@ Signed-off-by: Daniel P. Berrangé 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/psw/ae/aesm_service/Makefile b/psw/ae/aesm_service/Makefile -index 89a15875..dbfa3fb6 100644 +index b469bffb..b150044e 100644 
--- a/psw/ae/aesm_service/Makefile +++ b/psw/ae/aesm_service/Makefile -@@ -80,7 +80,7 @@ copy_data_file: - @$(CP) $(WHITE_LIST_FILE) data/white_list_cert_to_be_verify.bin +@@ -71,7 +71,7 @@ all: $(APPNAME) $(APPNAME_DEBUG) | $(BUILD_DIR) + $(CP) -r source/build/bin/* $| $(APPNAME): $(CPPMICROSERVICES) source/build/CMakeCache.txt urts RDRAND - $(MAKE) -C source/build @@ -25,5 +25,5 @@ index 89a15875..dbfa3fb6 100644 $(CP) $(CPPMICROSERVICES) source/build/bin/ endif -- -2.52.0 +2.53.0 diff --git a/specs/l/linux-sgx/0012-Fix-modern-C-function-prototype-compliance.patch b/specs/l/linux-sgx/0011-Fix-modern-C-function-prototype-compliance.patch similarity index 93% rename from specs/l/linux-sgx/0012-Fix-modern-C-function-prototype-compliance.patch rename to specs/l/linux-sgx/0011-Fix-modern-C-function-prototype-compliance.patch index 2aa84d21913..cc8ae9735ab 100644 --- a/specs/l/linux-sgx/0012-Fix-modern-C-function-prototype-compliance.patch +++ b/specs/l/linux-sgx/0011-Fix-modern-C-function-prototype-compliance.patch @@ -1,7 +1,7 @@ -From 4f93867b42fe72e6a2c28550e1cb0590a1cb5cc9 Mon Sep 17 00:00:00 2001 +From acd8d8671bc163a078c189b90244a521d1c4ac5a Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?= Date: Mon, 31 Mar 2025 10:55:25 +0100 -Subject: [PATCH 12/17] Fix modern C function prototype compliance +Subject: [PATCH 11/16] Fix modern C function prototype compliance MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit @@ -39,5 +39,5 @@ index 8e4e7600..8c38bb68 100644 g_sys_ptrace = (ptrace_t)dlsym(RTLD_NEXT, "ptrace"); g_sys_waitpid = (waitpid_t)dlsym(RTLD_NEXT, "waitpid"); -- -2.52.0 +2.53.0 
diff --git a/specs/l/linux-sgx/0013-Add-wrapper-for-nasm-to-fix-cmake-compat.patch b/specs/l/linux-sgx/0012-Add-wrapper-for-nasm-to-fix-cmake-compat.patch similarity index 86% rename from specs/l/linux-sgx/0013-Add-wrapper-for-nasm-to-fix-cmake-compat.patch rename to specs/l/linux-sgx/0012-Add-wrapper-for-nasm-to-fix-cmake-compat.patch index 52cb3e8c927..abaf61f00df 100644 --- a/specs/l/linux-sgx/0013-Add-wrapper-for-nasm-to-fix-cmake-compat.patch +++ b/specs/l/linux-sgx/0012-Add-wrapper-for-nasm-to-fix-cmake-compat.patch @@ -1,7 +1,7 @@ -From 6c821fbce7dc41a7020740ea05cb664009d70fdc Mon Sep 17 00:00:00 2001 +From 258dfa3df79b8286549856003e8234975434fbb3 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?= Date: Wed, 2 Apr 2025 17:11:25 +0100 -Subject: [PATCH 13/17] Add wrapper for nasm to fix cmake compat +Subject: [PATCH 12/16] Add wrapper for nasm to fix cmake compat MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit @@ -20,7 +20,7 @@ Signed-off-by: Daniel P. Berrangé diff --git a/build-scripts/sgx-nasm.sh b/build-scripts/sgx-nasm.sh new file mode 100755 -index 00000000..4ad75f73 +index 00000000..a2c3fd74 --- /dev/null +++ b/build-scripts/sgx-nasm.sh @@ -0,0 +1,12 @@ @@ -33,8 +33,8 @@ index 00000000..4ad75f73 + exec nasm -v +else + here=$(dirname $0) -+ echo python ${here}/sgx-asm-pp.py --assembler=nasm --MITIGATION-CVE-2020-0551=${MITIGATION} "$@" -+ exec python ${here}/sgx-asm-pp.py --assembler=nasm --MITIGATION-CVE-2020-0551=${MITIGATION} "$@" ++ echo python3 ${here}/sgx-asm-pp.py --assembler=nasm --MITIGATION-CVE-2020-0551=${MITIGATION} "$@" ++ exec python3 ${here}/sgx-asm-pp.py --assembler=nasm --MITIGATION-CVE-2020-0551=${MITIGATION} "$@" +fi diff --git a/external/ippcp_internal/Makefile b/external/ippcp_internal/Makefile index d78ba90e..71a40247 100644 @@ -65,5 +65,5 @@ index d78ba90e..71a40247 100644 $(IPP_SOURCE)/build: ifeq ($(IPP_USE_GIT), 1) -- -2.52.0 +2.53.0 
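Review bot: The two rewritten lines in sgx-nasm.sh still expand `${here}` and `${MITIGATION}` unquoted (and the `here=$(dirname $0)` context line above them leaves `$0` unquoted too), so a source tree path containing whitespace word-splits into extra assembler arguments instead of failing cleanly; since the commit already rewrites these lines for the `python3` switch, quote them at the same time: `here=$(dirname "$0")` and `exec python3 "${here}/sgx-asm-pp.py" --assembler=nasm --MITIGATION-CVE-2020-0551="${MITIGATION}" "$@"`. Hard-coding `python3` rather than `python` is the right call for a distro build, but it is worth a one-line comment in the script saying the wrapper is the assembler cmake is handed, so the interpreter name must be resolvable on PATH at build time. The `echo` of the full command line goes to stdout; presumably cmake ignores it, but routing the trace to stderr (`>&2`) would remove any doubt. The `if` that encloses these lines starts outside the hunk.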
diff --git a/specs/l/linux-sgx/0013-linux-installer-drop-PCCS-package-from-BOM.patch b/specs/l/linux-sgx/0013-linux-installer-drop-PCCS-package-from-BOM.patch
new file mode 100644
index 00000000000..138ebb55ccf
--- /dev/null
+++ b/specs/l/linux-sgx/0013-linux-installer-drop-PCCS-package-from-BOM.patch
@@ -0,0 +1,301 @@ +From 9291f1ccc657b814bcb4094633a911061726f8dc Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?= +Date: Fri, 27 Jun 2025 11:37:26 +0100 +Subject: [PATCH 13/16] linux/installer: drop PCCS package from BOM +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +PCCS will now be distributed as a standalone RPM package. + +Signed-off-by: Daniel P. Berrangé +--- + .../psw-dcap/BOM_install/sgx-dcap-pccs.txt | 74 ------------------- + linux/installer/common/psw-dcap/Makefile | 14 +--- + linux/installer/common/psw-dcap/installConfig | 1 - + .../psw-tdx/BOM_install/sgx-dcap-pccs.txt | 74 ------------------- + linux/installer/common/psw-tdx/Makefile | 14 +--- + linux/installer/common/psw-tdx/installConfig | 1 - + 6 files changed, 2 insertions(+), 176 deletions(-) + delete mode 100644 linux/installer/common/psw-dcap/BOM_install/sgx-dcap-pccs.txt + delete mode 100644 linux/installer/common/psw-tdx/BOM_install/sgx-dcap-pccs.txt + +diff --git a/linux/installer/common/psw-dcap/BOM_install/sgx-dcap-pccs.txt b/linux/installer/common/psw-dcap/BOM_install/sgx-dcap-pccs.txt +deleted file mode 100644 +index 4d16e883..00000000 +--- a/linux/installer/common/psw-dcap/BOM_install/sgx-dcap-pccs.txt ++++ /dev/null +@@ -1,74 +0,0 @@ +-DeliveryName InstallName FileCheckSum FileFeature FileOwner +-/external/dcap_source/QuoteGeneration/pccs/service/config/default.json /config/default.json 0 main STP +-/external/dcap_source/QuoteGeneration/pccs/service/constants/index.js /constants/index.js 0 main STP +-/external/dcap_source/QuoteGeneration/pccs/service/constants/pccs_status_code.js /constants/pccs_status_code.js 0 main STP +-/external/dcap_source/QuoteGeneration/pccs/service/controllers/identityController.js /controllers/identityController.js 0 main STP +-/external/dcap_source/QuoteGeneration/pccs/service/controllers/index.js /controllers/index.js 0 main STP 
+-/external/dcap_source/QuoteGeneration/pccs/service/controllers/pckcertController.js /controllers/pckcertController.js 0 main STP +-/external/dcap_source/QuoteGeneration/pccs/service/controllers/pckcrlController.js /controllers/pckcrlController.js 0 main STP +-/external/dcap_source/QuoteGeneration/pccs/service/controllers/platformCollateralController.js /controllers/platformCollateralController.js 0 main STP +-/external/dcap_source/QuoteGeneration/pccs/service/controllers/platformsController.js /controllers/platformsController.js 0 main STP +-/external/dcap_source/QuoteGeneration/pccs/service/controllers/refreshController.js /controllers/refreshController.js 0 main STP +-/external/dcap_source/QuoteGeneration/pccs/service/controllers/rootcacrlController.js /controllers/rootcacrlController.js 0 main STP +-/external/dcap_source/QuoteGeneration/pccs/service/controllers/tcbinfoController.js /controllers/tcbinfoController.js 0 main STP +-/external/dcap_source/QuoteGeneration/pccs/service/controllers/crlController.js /controllers/crlController.js 0 main STP +-/external/dcap_source/QuoteGeneration/pccs/service/dao/models/fmspc_tcbs.js /dao/models/fmspc_tcbs.js 0 main STP +-/external/dcap_source/QuoteGeneration/pccs/service/dao/models/index.js /dao/models/index.js 0 main STP +-/external/dcap_source/QuoteGeneration/pccs/service/dao/models/pck_cert.js /dao/models/pck_cert.js 0 main STP +-/external/dcap_source/QuoteGeneration/pccs/service/dao/models/pck_certchain.js /dao/models/pck_certchain.js 0 main STP +-/external/dcap_source/QuoteGeneration/pccs/service/dao/models/pck_crl.js /dao/models/pck_crl.js 0 main STP +-/external/dcap_source/QuoteGeneration/pccs/service/dao/models/pcs_certificates.js /dao/models/pcs_certificates.js 0 main STP +-/external/dcap_source/QuoteGeneration/pccs/service/dao/models/pcs_version.js /dao/models/pcs_version.js 0 main STP +-/external/dcap_source/QuoteGeneration/pccs/service/dao/models/platform_tcbs.js /dao/models/platform_tcbs.js 0 main STP 
+-/external/dcap_source/QuoteGeneration/pccs/service/dao/models/platforms_registered.js /dao/models/platforms_registered.js 0 main STP +-/external/dcap_source/QuoteGeneration/pccs/service/dao/models/platforms.js /dao/models/platforms.js 0 main STP +-/external/dcap_source/QuoteGeneration/pccs/service/dao/models/enclave_identities.js /dao/models/enclave_identities.js 0 main STP +-/external/dcap_source/QuoteGeneration/pccs/service/dao/models/crl_cache.js /dao/models/crl_cache.js 0 main STP +-/external/dcap_source/QuoteGeneration/pccs/service/dao/fmspcTcbDao.js /dao/fmspcTcbDao.js 0 main STP +-/external/dcap_source/QuoteGeneration/pccs/service/dao/pckCertchainDao.js /dao/pckCertchainDao.js 0 main STP +-/external/dcap_source/QuoteGeneration/pccs/service/dao/pckcertDao.js /dao/pckcertDao.js 0 main STP +-/external/dcap_source/QuoteGeneration/pccs/service/dao/pckcrlDao.js /dao/pckcrlDao.js 0 main STP +-/external/dcap_source/QuoteGeneration/pccs/service/dao/pcsCertificatesDao.js /dao/pcsCertificatesDao.js 0 main STP +-/external/dcap_source/QuoteGeneration/pccs/service/dao/pcsVersionDao.js /dao/pcsVersionDao.js 0 main STP +-/external/dcap_source/QuoteGeneration/pccs/service/dao/platformsDao.js /dao/platformsDao.js 0 main STP +-/external/dcap_source/QuoteGeneration/pccs/service/dao/platformsRegDao.js /dao/platformsRegDao.js 0 main STP +-/external/dcap_source/QuoteGeneration/pccs/service/dao/platformTcbsDao.js /dao/platformTcbsDao.js 0 main STP +-/external/dcap_source/QuoteGeneration/pccs/service/dao/enclaveIdentityDao.js /dao/enclaveIdentityDao.js 0 main STP +-/external/dcap_source/QuoteGeneration/pccs/service/dao/crlCacheDao.js /dao/crlCacheDao.js 0 main STP +-/external/dcap_source/tools/PCKCertSelection/out/libPCKCertSelection.so /lib/libPCKCertSelection.so 0 main STP +-/external/dcap_source/QuoteGeneration/pccs/service/lib_wrapper/pcklib_wrapper.js /lib_wrapper/pcklib_wrapper.js 0 main STP +-/external/dcap_source/QuoteGeneration/pccs/service/middleware/auth.js 
/middleware/auth.js 0 main STP +-/external/dcap_source/QuoteGeneration/pccs/service/middleware/error.js /middleware/error.js 0 main STP +-/external/dcap_source/QuoteGeneration/pccs/service/middleware/addRequestId.js /middleware/addRequestId.js 0 main STP +-/external/dcap_source/QuoteGeneration/pccs/service/migrations/00_db_initialize.up.sql /migrations/00_db_initialize.up.sql 0 main STP +-/external/dcap_source/QuoteGeneration/pccs/service/migrations/01_db_version_1.js /migrations/01_db_version_1.js 0 main STP +-/external/dcap_source/QuoteGeneration/pccs/service/migrations/02_db_version_2.js /migrations/02_db_version_2.js 0 main STP +-/external/dcap_source/QuoteGeneration/pccs/service/pcs_client/pcs_client.js /pcs_client/pcs_client.js 0 main STP +-/external/dcap_source/QuoteGeneration/pccs/service/routes/index.js /routes/index.js 0 main STP +-/external/dcap_source/QuoteGeneration/pccs/service/services/identityService.js /services/identityService.js 0 main STP +-/external/dcap_source/QuoteGeneration/pccs/service/services/index.js /services/index.js 0 main STP +-/external/dcap_source/QuoteGeneration/pccs/service/services/pccs_schemas.js /services/pccs_schemas.js 0 main STP +-/external/dcap_source/QuoteGeneration/pccs/service/services/pckcertService.js /services/pckcertService.js 0 main STP +-/external/dcap_source/QuoteGeneration/pccs/service/services/pckcrlService.js /services/pckcrlService.js 0 main STP +-/external/dcap_source/QuoteGeneration/pccs/service/services/platformCollateralService.js /services/platformCollateralService.js 0 main STP +-/external/dcap_source/QuoteGeneration/pccs/service/services/platformsRegService.js /services/platformsRegService.js 0 main STP +-/external/dcap_source/QuoteGeneration/pccs/service/services/platformsService.js /services/platformsService.js 0 main STP +-/external/dcap_source/QuoteGeneration/pccs/service/services/refreshService.js /services/refreshService.js 0 main STP 
+-/external/dcap_source/QuoteGeneration/pccs/service/services/rootcacrlService.js /services/rootcacrlService.js 0 main STP +-/external/dcap_source/QuoteGeneration/pccs/service/services/tcbinfoService.js /services/tcbinfoService.js 0 main STP +-/external/dcap_source/QuoteGeneration/pccs/service/services/crlService.js /services/crlService.js 0 main STP +-/external/dcap_source/QuoteGeneration/pccs/service/services/caching_modes/cachingMode.js /services/caching_modes/cachingMode.js 0 main STP +-/external/dcap_source/QuoteGeneration/pccs/service/services/caching_modes/cachingModeManager.js /services/caching_modes/cachingModeManager.js 0 main STP +-/external/dcap_source/QuoteGeneration/pccs/service/services/logic/commonCacheLogic.js /services/logic/commonCacheLogic.js 0 main STP +-/external/dcap_source/QuoteGeneration/pccs/service/services/logic/qvCollateralLogic.js /services/logic/qvCollateralLogic.js 0 main STP +-/external/dcap_source/QuoteGeneration/pccs/service/utils/Logger.js /utils/Logger.js 0 main STP +-/external/dcap_source/QuoteGeneration/pccs/service/utils/PccsError.js /utils/PccsError.js 0 main STP +-/external/dcap_source/QuoteGeneration/pccs/service/utils/apputil.js /utils/apputil.js 0 main STP +-/external/dcap_source/QuoteGeneration/pccs/service/x509/x509.js /x509/x509.js 0 main STP +-/external/dcap_source/QuoteGeneration/pccs/service/install.sh /install.sh 0 main STP +-/external/dcap_source/QuoteGeneration/pccs/service/package.json /package.json 0 main STP +-/external/dcap_source/QuoteGeneration/pccs/service/pccs_server.js /pccs_server.js 0 main STP +-/external/dcap_source/QuoteGeneration/pccs/service/pccs.service /pccs.service 0 main STP +-/external/dcap_source/QuoteGeneration/pccs/service/startup.sh /startup.sh 0 main STP +-/external/dcap_source/QuoteGeneration/pccs/service/cleanup.sh /cleanup.sh 0 main STP +-/external/dcap_source/QuoteGeneration/pccs/service/README.md /README.md 0 main STP +diff --git a/linux/installer/common/psw-dcap/Makefile 
b/linux/installer/common/psw-dcap/Makefile +index 9236de6a..1ae7a292 100644 +--- a/linux/installer/common/psw-dcap/Makefile ++++ b/linux/installer/common/psw-dcap/Makefile +@@ -59,9 +59,6 @@ AESMD_CONF=aesmd.service + AESMD_CONF_DEL=aesmd.conf + AESMD_CONF_PATH=$(if $(wildcard /lib/systemd/system/.),/lib/systemd/system,/usr/lib/systemd/system) + +-PCCS_CONF=pccs.service +-PCCS_CONF_PATH=$(if $(wildcard /lib/systemd/system/.),/lib/systemd/system,/usr/lib/systemd/system) +- + RAD_CONF=mpa_registration_tool.service + RAD_CONF_DEL=mpa_registration_tool.conf + RAD_CONF_PATH=$(if $(wildcard /lib/systemd/system/.),/lib/systemd/system,/usr/lib/systemd/system) +@@ -148,7 +145,7 @@ ALL_PKGS:= $(AESM_SERVICE_PKGS) $(AE_PKGS) $(DEV_LIB_PKGS) + + $(foreach PKG,$(AESM_SERVICE_PKGS) $(AE_PKGS),$(eval $(call INSTALL_AESM_SERVICE_TEMPLATE,$(PKG)))) + $(foreach PKG,$(DEV_LIB_PKGS),$(eval $(call INSTALL_DEV_LIB_TEMPLATE,$(PKG)))) +-$(foreach PKG,$(ALL_PKGS) $(DCAP_PCCS_PACKAGE) $(RA_SERVICE_PACKAGE) $(PCK_ID_RETRIEVAL_TOOL_PACKAGE),$(eval $(call PRE_INSTALL_TEMPLATE,$(PKG)))) ++$(foreach PKG,$(ALL_PKGS) $(RA_SERVICE_PACKAGE) $(PCK_ID_RETRIEVAL_TOOL_PACKAGE),$(eval $(call PRE_INSTALL_TEMPLATE,$(PKG)))) + + PHONY+=$(ALL_PKGS) + PHONY+=$(foreach PKG,$(ALL_PKGS),pre_$(PKG)) +@@ -176,14 +173,6 @@ install_$(AESM_SERVICE_PACKAGE): $(foreach PKG,$(AESM_SERVICE_PKGS),post_$(PKG)) + ln -fs $(shell readlink -m $(USR_LIB_PATH)/libsgx_pce.signed.so) && \ + ln -fs liburts_internal.so libsgx_urts.so.$(URTS_MAJOR_VER) + +-PHONY+=install_$(DCAP_PCCS_PACKAGE) +-install_$(DCAP_PCCS_PACKAGE): pre_$(DCAP_PCCS_PACKAGE) | $(PACKAGE_ROOT_PATH) +- install -d $(shell readlink -m $(DESTDIR)/$(DCAP_PCCS_PACKAGE)/$(PCCS_CONF_PATH)) && \ +- cp -f $|/$(DCAP_PCCS_PACKAGE)/$(PCCS_CONF) $(DESTDIR)/$(DCAP_PCCS_PACKAGE)/$(PCCS_CONF_PATH) && \ +- rm -f $|/$(DCAP_PCCS_PACKAGE)/$(PCCS_CONF) +- install -d $(shell readlink -m $(DESTDIR)/$(DCAP_PCCS_PACKAGE)/$(SGX_INSTALL_PATH)/$(DCAP_PCCS_PACKAGE)) && \ +- cp -fr 
$|/$(DCAP_PCCS_PACKAGE)/* $(DESTDIR)/$(DCAP_PCCS_PACKAGE)/$(SGX_INSTALL_PATH)/$(DCAP_PCCS_PACKAGE) +- + PHONY+=$(RA_SERVICE_PACKAGE) + $(RA_SERVICE_PACKAGE): pre_$(RA_SERVICE_PACKAGE) | $(PACKAGE_ROOT_PATH) + install -d $(shell readlink -m $(DESTDIR)/$@/$(SGX_INSTALL_PATH)/$@) && \ +@@ -286,7 +275,6 @@ install_dev_lib: $(foreach PKG,$(DEV_LIB_PKGS),post_$(PKG)) + + PHONY+=install + install: install_$(AESM_SERVICE_PACKAGE) \ +- install_$(DCAP_PCCS_PACKAGE) \ + install_$(RA_SERVICE_PACKAGE) \ + install_$(PCK_ID_RETRIEVAL_TOOL_PACKAGE) \ + install_ae \ +diff --git a/linux/installer/common/psw-dcap/installConfig b/linux/installer/common/psw-dcap/installConfig +index 5ef949cd..7145f148 100644 +--- a/linux/installer/common/psw-dcap/installConfig ++++ b/linux/installer/common/psw-dcap/installConfig +@@ -22,7 +22,6 @@ DCAP_QL_PACKAGE=libsgx-dcap-ql + DCAP_QL_DEV_PACKAGE=libsgx-dcap-ql-devel + DCAP_QVL_PACKAGE=libsgx-dcap-quote-verify + DCAP_QVL_DEV_PACKAGE=libsgx-dcap-quote-verify-devel +-DCAP_PCCS_PACKAGE=sgx-dcap-pccs + + PCK_ID_RETRIEVAL_TOOL_PACKAGE=sgx-pck-id-retrieval-tool + RA_NETWORK_PACKAGE=libsgx-ra-network +diff --git a/linux/installer/common/psw-tdx/BOM_install/sgx-dcap-pccs.txt b/linux/installer/common/psw-tdx/BOM_install/sgx-dcap-pccs.txt +deleted file mode 100644 +index 4d16e883..00000000 +--- a/linux/installer/common/psw-tdx/BOM_install/sgx-dcap-pccs.txt ++++ /dev/null +@@ -1,74 +0,0 @@ +-DeliveryName InstallName FileCheckSum FileFeature FileOwner +-/external/dcap_source/QuoteGeneration/pccs/service/config/default.json /config/default.json 0 main STP +-/external/dcap_source/QuoteGeneration/pccs/service/constants/index.js /constants/index.js 0 main STP +-/external/dcap_source/QuoteGeneration/pccs/service/constants/pccs_status_code.js /constants/pccs_status_code.js 0 main STP +-/external/dcap_source/QuoteGeneration/pccs/service/controllers/identityController.js /controllers/identityController.js 0 main STP 
+-/external/dcap_source/QuoteGeneration/pccs/service/controllers/index.js /controllers/index.js 0 main STP +-/external/dcap_source/QuoteGeneration/pccs/service/controllers/pckcertController.js /controllers/pckcertController.js 0 main STP +-/external/dcap_source/QuoteGeneration/pccs/service/controllers/pckcrlController.js /controllers/pckcrlController.js 0 main STP +-/external/dcap_source/QuoteGeneration/pccs/service/controllers/platformCollateralController.js /controllers/platformCollateralController.js 0 main STP +-/external/dcap_source/QuoteGeneration/pccs/service/controllers/platformsController.js /controllers/platformsController.js 0 main STP +-/external/dcap_source/QuoteGeneration/pccs/service/controllers/refreshController.js /controllers/refreshController.js 0 main STP +-/external/dcap_source/QuoteGeneration/pccs/service/controllers/rootcacrlController.js /controllers/rootcacrlController.js 0 main STP +-/external/dcap_source/QuoteGeneration/pccs/service/controllers/tcbinfoController.js /controllers/tcbinfoController.js 0 main STP +-/external/dcap_source/QuoteGeneration/pccs/service/controllers/crlController.js /controllers/crlController.js 0 main STP +-/external/dcap_source/QuoteGeneration/pccs/service/dao/models/fmspc_tcbs.js /dao/models/fmspc_tcbs.js 0 main STP +-/external/dcap_source/QuoteGeneration/pccs/service/dao/models/index.js /dao/models/index.js 0 main STP +-/external/dcap_source/QuoteGeneration/pccs/service/dao/models/pck_cert.js /dao/models/pck_cert.js 0 main STP +-/external/dcap_source/QuoteGeneration/pccs/service/dao/models/pck_certchain.js /dao/models/pck_certchain.js 0 main STP +-/external/dcap_source/QuoteGeneration/pccs/service/dao/models/pck_crl.js /dao/models/pck_crl.js 0 main STP +-/external/dcap_source/QuoteGeneration/pccs/service/dao/models/pcs_certificates.js /dao/models/pcs_certificates.js 0 main STP +-/external/dcap_source/QuoteGeneration/pccs/service/dao/models/pcs_version.js /dao/models/pcs_version.js 0 main STP 
+-/external/dcap_source/QuoteGeneration/pccs/service/dao/models/platform_tcbs.js /dao/models/platform_tcbs.js 0 main STP +-/external/dcap_source/QuoteGeneration/pccs/service/dao/models/platforms_registered.js /dao/models/platforms_registered.js 0 main STP +-/external/dcap_source/QuoteGeneration/pccs/service/dao/models/platforms.js /dao/models/platforms.js 0 main STP +-/external/dcap_source/QuoteGeneration/pccs/service/dao/models/enclave_identities.js /dao/models/enclave_identities.js 0 main STP +-/external/dcap_source/QuoteGeneration/pccs/service/dao/models/crl_cache.js /dao/models/crl_cache.js 0 main STP +-/external/dcap_source/QuoteGeneration/pccs/service/dao/fmspcTcbDao.js /dao/fmspcTcbDao.js 0 main STP +-/external/dcap_source/QuoteGeneration/pccs/service/dao/pckCertchainDao.js /dao/pckCertchainDao.js 0 main STP +-/external/dcap_source/QuoteGeneration/pccs/service/dao/pckcertDao.js /dao/pckcertDao.js 0 main STP +-/external/dcap_source/QuoteGeneration/pccs/service/dao/pckcrlDao.js /dao/pckcrlDao.js 0 main STP +-/external/dcap_source/QuoteGeneration/pccs/service/dao/pcsCertificatesDao.js /dao/pcsCertificatesDao.js 0 main STP +-/external/dcap_source/QuoteGeneration/pccs/service/dao/pcsVersionDao.js /dao/pcsVersionDao.js 0 main STP +-/external/dcap_source/QuoteGeneration/pccs/service/dao/platformsDao.js /dao/platformsDao.js 0 main STP +-/external/dcap_source/QuoteGeneration/pccs/service/dao/platformsRegDao.js /dao/platformsRegDao.js 0 main STP +-/external/dcap_source/QuoteGeneration/pccs/service/dao/platformTcbsDao.js /dao/platformTcbsDao.js 0 main STP +-/external/dcap_source/QuoteGeneration/pccs/service/dao/enclaveIdentityDao.js /dao/enclaveIdentityDao.js 0 main STP +-/external/dcap_source/QuoteGeneration/pccs/service/dao/crlCacheDao.js /dao/crlCacheDao.js 0 main STP +-/external/dcap_source/tools/PCKCertSelection/out/libPCKCertSelection.so /lib/libPCKCertSelection.so 0 main STP +-/external/dcap_source/QuoteGeneration/pccs/service/lib_wrapper/pcklib_wrapper.js 
/lib_wrapper/pcklib_wrapper.js 0 main STP +-/external/dcap_source/QuoteGeneration/pccs/service/middleware/auth.js /middleware/auth.js 0 main STP +-/external/dcap_source/QuoteGeneration/pccs/service/middleware/error.js /middleware/error.js 0 main STP +-/external/dcap_source/QuoteGeneration/pccs/service/middleware/addRequestId.js /middleware/addRequestId.js 0 main STP +-/external/dcap_source/QuoteGeneration/pccs/service/migrations/00_db_initialize.up.sql /migrations/00_db_initialize.up.sql 0 main STP +-/external/dcap_source/QuoteGeneration/pccs/service/migrations/01_db_version_1.js /migrations/01_db_version_1.js 0 main STP +-/external/dcap_source/QuoteGeneration/pccs/service/migrations/02_db_version_2.js /migrations/02_db_version_2.js 0 main STP +-/external/dcap_source/QuoteGeneration/pccs/service/pcs_client/pcs_client.js /pcs_client/pcs_client.js 0 main STP +-/external/dcap_source/QuoteGeneration/pccs/service/routes/index.js /routes/index.js 0 main STP +-/external/dcap_source/QuoteGeneration/pccs/service/services/identityService.js /services/identityService.js 0 main STP +-/external/dcap_source/QuoteGeneration/pccs/service/services/index.js /services/index.js 0 main STP +-/external/dcap_source/QuoteGeneration/pccs/service/services/pccs_schemas.js /services/pccs_schemas.js 0 main STP +-/external/dcap_source/QuoteGeneration/pccs/service/services/pckcertService.js /services/pckcertService.js 0 main STP +-/external/dcap_source/QuoteGeneration/pccs/service/services/pckcrlService.js /services/pckcrlService.js 0 main STP +-/external/dcap_source/QuoteGeneration/pccs/service/services/platformCollateralService.js /services/platformCollateralService.js 0 main STP +-/external/dcap_source/QuoteGeneration/pccs/service/services/platformsRegService.js /services/platformsRegService.js 0 main STP +-/external/dcap_source/QuoteGeneration/pccs/service/services/platformsService.js /services/platformsService.js 0 main STP 
+-/external/dcap_source/QuoteGeneration/pccs/service/services/refreshService.js /services/refreshService.js 0 main STP +-/external/dcap_source/QuoteGeneration/pccs/service/services/rootcacrlService.js /services/rootcacrlService.js 0 main STP +-/external/dcap_source/QuoteGeneration/pccs/service/services/tcbinfoService.js /services/tcbinfoService.js 0 main STP +-/external/dcap_source/QuoteGeneration/pccs/service/services/crlService.js /services/crlService.js 0 main STP +-/external/dcap_source/QuoteGeneration/pccs/service/services/caching_modes/cachingMode.js /services/caching_modes/cachingMode.js 0 main STP +-/external/dcap_source/QuoteGeneration/pccs/service/services/caching_modes/cachingModeManager.js /services/caching_modes/cachingModeManager.js 0 main STP +-/external/dcap_source/QuoteGeneration/pccs/service/services/logic/commonCacheLogic.js /services/logic/commonCacheLogic.js 0 main STP +-/external/dcap_source/QuoteGeneration/pccs/service/services/logic/qvCollateralLogic.js /services/logic/qvCollateralLogic.js 0 main STP +-/external/dcap_source/QuoteGeneration/pccs/service/utils/Logger.js /utils/Logger.js 0 main STP +-/external/dcap_source/QuoteGeneration/pccs/service/utils/PccsError.js /utils/PccsError.js 0 main STP +-/external/dcap_source/QuoteGeneration/pccs/service/utils/apputil.js /utils/apputil.js 0 main STP +-/external/dcap_source/QuoteGeneration/pccs/service/x509/x509.js /x509/x509.js 0 main STP +-/external/dcap_source/QuoteGeneration/pccs/service/install.sh /install.sh 0 main STP +-/external/dcap_source/QuoteGeneration/pccs/service/package.json /package.json 0 main STP +-/external/dcap_source/QuoteGeneration/pccs/service/pccs_server.js /pccs_server.js 0 main STP +-/external/dcap_source/QuoteGeneration/pccs/service/pccs.service /pccs.service 0 main STP +-/external/dcap_source/QuoteGeneration/pccs/service/startup.sh /startup.sh 0 main STP +-/external/dcap_source/QuoteGeneration/pccs/service/cleanup.sh /cleanup.sh 0 main STP 
+-/external/dcap_source/QuoteGeneration/pccs/service/README.md /README.md 0 main STP +diff --git a/linux/installer/common/psw-tdx/Makefile b/linux/installer/common/psw-tdx/Makefile +index 4f50ee49..0e8cb3e7 100644 +--- a/linux/installer/common/psw-tdx/Makefile ++++ b/linux/installer/common/psw-tdx/Makefile +@@ -80,9 +80,6 @@ QGSD_CONF=qgsd.service + QGSD_CONF_DEL=qgsd.conf + QGSD_CONF_PATH=$(if $(wildcard /lib/systemd/system/.),/lib/systemd/system,/usr/lib/systemd/system) + +-PCCS_CONF=pccs.service +-PCCS_CONF_PATH=$(if $(wildcard /lib/systemd/system/.),/lib/systemd/system,/usr/lib/systemd/system) +- + RAD_CONF=mpa_registration_tool.service + RAD_CONF_DEL=mpa_registration_tool.conf + RAD_CONF_PATH=$(if $(wildcard /lib/systemd/system/.),/lib/systemd/system,/usr/lib/systemd/system) +@@ -160,7 +157,7 @@ ALL_PKGS:= $(TDX_QGS_PKGS) $(AE_PKGS) $(DEV_LIB_PKGS) + + $(foreach PKG,$(TDX_QGS_PKGS) $(AE_PKGS),$(eval $(call INSTALL_AESM_SERVICE_TEMPLATE,$(PKG)))) + $(foreach PKG,$(DEV_LIB_PKGS),$(eval $(call INSTALL_DEV_LIB_TEMPLATE,$(PKG)))) +-$(foreach PKG,$(ALL_PKGS) $(DCAP_PCCS_PACKAGE) $(RA_SERVICE_PACKAGE) $(PCK_ID_RETRIEVAL_TOOL_PACKAGE),$(eval $(call PRE_INSTALL_TEMPLATE,$(PKG)))) ++$(foreach PKG,$(ALL_PKGS) $(RA_SERVICE_PACKAGE) $(PCK_ID_RETRIEVAL_TOOL_PACKAGE),$(eval $(call PRE_INSTALL_TEMPLATE,$(PKG)))) + + PHONY+=$(ALL_PKGS) + PHONY+=$(foreach PKG,$(ALL_PKGS),pre_$(PKG)) +@@ -184,14 +181,6 @@ install_$(TDX_QGS_PACKAGE): $(foreach PKG,$(TDX_QGS_PKGS),post_$(PKG)) + $(DESTDIR)/$(TDX_QGS_PACKAGE)/$(ETC_DIR) && \ + rm -fr $(DESTDIR)/$(TDX_QGS_PACKAGE)/$(SGX_INSTALL_PATH)/$(TDX_QGS_PACKAGE)/conf)) + +-PHONY+=install_$(DCAP_PCCS_PACKAGE) +-install_$(DCAP_PCCS_PACKAGE): pre_$(DCAP_PCCS_PACKAGE) | $(PACKAGE_ROOT_PATH) +- install -d $(shell readlink -m $(DESTDIR)/$(DCAP_PCCS_PACKAGE)/$(PCCS_CONF_PATH)) && \ +- cp -f $|/$(DCAP_PCCS_PACKAGE)/$(PCCS_CONF) $(DESTDIR)/$(DCAP_PCCS_PACKAGE)/$(PCCS_CONF_PATH) && \ +- rm -f $|/$(DCAP_PCCS_PACKAGE)/$(PCCS_CONF) +- install -d $(shell 
readlink -m $(DESTDIR)/$(DCAP_PCCS_PACKAGE)/$(SGX_INSTALL_PATH)/$(DCAP_PCCS_PACKAGE)) && \ +- cp -fr $|/$(DCAP_PCCS_PACKAGE)/* $(DESTDIR)/$(DCAP_PCCS_PACKAGE)/$(SGX_INSTALL_PATH)/$(DCAP_PCCS_PACKAGE) +- + PHONY+=$(RA_SERVICE_PACKAGE) + $(RA_SERVICE_PACKAGE): pre_$(RA_SERVICE_PACKAGE) | $(PACKAGE_ROOT_PATH) + install -d $(shell readlink -m $(DESTDIR)/$@/$(SGX_INSTALL_PATH)/$@) && \ +@@ -291,7 +280,6 @@ install_dev_lib: $(foreach PKG,$(DEV_LIB_PKGS),post_$(PKG)) + + PHONY+=install + install: install_$(TDX_QGS_PACKAGE) \ +- install_$(DCAP_PCCS_PACKAGE) \ + install_$(RA_SERVICE_PACKAGE) \ + install_$(PCK_ID_RETRIEVAL_TOOL_PACKAGE) \ + install_ae \ +diff --git a/linux/installer/common/psw-tdx/installConfig b/linux/installer/common/psw-tdx/installConfig +index 7129b71d..c55a8ada 100644 +--- a/linux/installer/common/psw-tdx/installConfig ++++ b/linux/installer/common/psw-tdx/installConfig +@@ -16,7 +16,6 @@ TDX_ATTEST_PACKAGE=libtdx-attest + TDX_ATTEST_DEV_PACKAGE=libtdx-attest-devel + DCAP_QVL_PACKAGE=libsgx-dcap-quote-verify + DCAP_QVL_DEV_PACKAGE=libsgx-dcap-quote-verify-devel +-DCAP_PCCS_PACKAGE=sgx-dcap-pccs + PCK_ID_RETRIEVAL_TOOL_PACKAGE=sgx-pck-id-retrieval-tool + RA_NETWORK_PACKAGE=libsgx-ra-network + RA_NETWORK_DEV_PACKAGE=libsgx-ra-network-devel +-- +2.53.0 + diff --git a/specs/l/linux-sgx/0014-fix-BOM-for-pccs-with-DCAP.patch b/specs/l/linux-sgx/0014-fix-BOM-for-pccs-with-DCAP.patch deleted file mode 100644 index 4a62e905031..00000000000 --- a/specs/l/linux-sgx/0014-fix-BOM-for-pccs-with-DCAP.patch +++ /dev/null 
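Review bot: The installConfig hunks delete `DCAP_PCCS_PACKAGE=sgx-dcap-pccs` while the Makefile hunks remove only the references visible here, so any other expansion of `$(DCAP_PCCS_PACKAGE)` left elsewhere under linux/installer (packaging templates, for instance) now becomes empty; with recipes of the `install -d $(shell readlink -m $(DESTDIR)/$(PKG)/...)` shape that would silently install into `$(DESTDIR)//...` rather than fail, so a grep for the variable across the installer tree before merging would settle it. The commit message says PCCS moves to a standalone RPM but does not name the package; stating it, and that the `pccs.service` unit the removed `install_$(DCAP_PCCS_PACKAGE)` target used to copy into the systemd unit directory now ships there, would let the linux-sgx spec's Obsoletes/Requires be checked against it. Dropping the Node.js PCCS service and its `middleware/auth.js` path from the default PSW install is a reasonable attack-surface reduction, so the direction looks right.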
@@ -1,155 +0,0 @@ -From aca7090de49e822af00eebe21128a85127fb0b20 Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?= -Date: Fri, 27 Jun 2025 11:37:26 +0100 -Subject: [PATCH 14/17] fix BOM for pccs with DCAP -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -The BOM for pccs is missing various files causing it to fail to start, -and also includes some obsolete files. - -This change makes the content match the BOM filelist seen in the PCCS -git repo. - -Signed-off-by: Daniel P. Berrangé ---- - .../psw-dcap/BOM_install/sgx-dcap-pccs.txt | 16 ++++++++++++++-- - .../common/psw-tdx/BOM_install/sgx-dcap-pccs.txt | 16 ++++++++++++++-- - 2 files changed, 28 insertions(+), 4 deletions(-) - -diff --git a/linux/installer/common/psw-dcap/BOM_install/sgx-dcap-pccs.txt b/linux/installer/common/psw-dcap/BOM_install/sgx-dcap-pccs.txt -index 4d16e883..f40a5b54 100644 ---- a/linux/installer/common/psw-dcap/BOM_install/sgx-dcap-pccs.txt -+++ b/linux/installer/common/psw-dcap/BOM_install/sgx-dcap-pccs.txt -@@ -12,6 +12,7 @@ DeliveryName InstallName FileCheckSum FileFeature FileOwner - /external/dcap_source/QuoteGeneration/pccs/service/controllers/rootcacrlController.js /controllers/rootcacrlController.js 0 main STP - /external/dcap_source/QuoteGeneration/pccs/service/controllers/tcbinfoController.js /controllers/tcbinfoController.js 0 main STP - /external/dcap_source/QuoteGeneration/pccs/service/controllers/crlController.js /controllers/crlController.js 0 main STP -+/external/dcap_source/QuoteGeneration/pccs/service/controllers/appraisalPolicyController.js /controllers/appraisalPolicyController.js 0 main STP - /external/dcap_source/QuoteGeneration/pccs/service/dao/models/fmspc_tcbs.js /dao/models/fmspc_tcbs.js 0 main STP - /external/dcap_source/QuoteGeneration/pccs/service/dao/models/index.js /dao/models/index.js 0 main STP - /external/dcap_source/QuoteGeneration/pccs/service/dao/models/pck_cert.js 
/dao/models/pck_cert.js 0 main STP -@@ -24,6 +25,7 @@ DeliveryName InstallName FileCheckSum FileFeature FileOwner - /external/dcap_source/QuoteGeneration/pccs/service/dao/models/platforms.js /dao/models/platforms.js 0 main STP - /external/dcap_source/QuoteGeneration/pccs/service/dao/models/enclave_identities.js /dao/models/enclave_identities.js 0 main STP - /external/dcap_source/QuoteGeneration/pccs/service/dao/models/crl_cache.js /dao/models/crl_cache.js 0 main STP -+/external/dcap_source/QuoteGeneration/pccs/service/dao/models/appraisal_policy.js /dao/models/appraisal_policy.js 0 main STP - /external/dcap_source/QuoteGeneration/pccs/service/dao/fmspcTcbDao.js /dao/fmspcTcbDao.js 0 main STP - /external/dcap_source/QuoteGeneration/pccs/service/dao/pckCertchainDao.js /dao/pckCertchainDao.js 0 main STP - /external/dcap_source/QuoteGeneration/pccs/service/dao/pckcertDao.js /dao/pckcertDao.js 0 main STP -@@ -35,14 +37,20 @@ DeliveryName InstallName FileCheckSum FileFeature FileOwner - /external/dcap_source/QuoteGeneration/pccs/service/dao/platformTcbsDao.js /dao/platformTcbsDao.js 0 main STP - /external/dcap_source/QuoteGeneration/pccs/service/dao/enclaveIdentityDao.js /dao/enclaveIdentityDao.js 0 main STP - /external/dcap_source/QuoteGeneration/pccs/service/dao/crlCacheDao.js /dao/crlCacheDao.js 0 main STP --/external/dcap_source/tools/PCKCertSelection/out/libPCKCertSelection.so /lib/libPCKCertSelection.so 0 main STP --/external/dcap_source/QuoteGeneration/pccs/service/lib_wrapper/pcklib_wrapper.js /lib_wrapper/pcklib_wrapper.js 0 main STP -+/external/dcap_source/QuoteGeneration/pccs/service/dao/appraisalPolicyDao.js /dao/appraisalPolicyDao.js 0 main STP - /external/dcap_source/QuoteGeneration/pccs/service/middleware/auth.js /middleware/auth.js 0 main STP - /external/dcap_source/QuoteGeneration/pccs/service/middleware/error.js /middleware/error.js 0 main STP - /external/dcap_source/QuoteGeneration/pccs/service/middleware/addRequestId.js /middleware/addRequestId.js 0 
main STP -+/external/dcap_source/QuoteGeneration/pccs/service/middleware/filterDuplicatedParams.js /middleware/filterDuplicatedParams.js 0 main STP - /external/dcap_source/QuoteGeneration/pccs/service/migrations/00_db_initialize.up.sql /migrations/00_db_initialize.up.sql 0 main STP - /external/dcap_source/QuoteGeneration/pccs/service/migrations/01_db_version_1.js /migrations/01_db_version_1.js 0 main STP - /external/dcap_source/QuoteGeneration/pccs/service/migrations/02_db_version_2.js /migrations/02_db_version_2.js 0 main STP -+/external/dcap_source/QuoteGeneration/pccs/service/migrations/03_db_version_3.js /migrations/03_db_version_3.js 0 main STP -+/external/dcap_source/QuoteGeneration/pccs/service/migrations/04_db_version_4.js /migrations/04_db_version_4.js 0 main STP -+/external/dcap_source/QuoteGeneration/pccs/service/migrations/05_db_version_5.js /migrations/05_db_version_5.js 0 main STP -+/external/dcap_source/QuoteGeneration/pccs/service/pckCertSelection/PckCertificate.js /pckCertSelection/PckCertificate.js 0 main STP -+/external/dcap_source/QuoteGeneration/pccs/service/pckCertSelection/Tcb.js /pckCertSelection/Tcb.js 0 main STP -+/external/dcap_source/QuoteGeneration/pccs/service/pckCertSelection/pckCertSelection.js /pckCertSelection/pckCertSelection.js 0 main STP - /external/dcap_source/QuoteGeneration/pccs/service/pcs_client/pcs_client.js /pcs_client/pcs_client.js 0 main STP - /external/dcap_source/QuoteGeneration/pccs/service/routes/index.js /routes/index.js 0 main STP - /external/dcap_source/QuoteGeneration/pccs/service/services/identityService.js /services/identityService.js 0 main STP -@@ -57,6 +65,7 @@ DeliveryName InstallName FileCheckSum FileFeature FileOwner - /external/dcap_source/QuoteGeneration/pccs/service/services/rootcacrlService.js /services/rootcacrlService.js 0 main STP - /external/dcap_source/QuoteGeneration/pccs/service/services/tcbinfoService.js /services/tcbinfoService.js 0 main STP - 
/external/dcap_source/QuoteGeneration/pccs/service/services/crlService.js /services/crlService.js 0 main STP -+/external/dcap_source/QuoteGeneration/pccs/service/services/appraisalPolicyService.js /services/appraisalPolicyService.js 0 main STP - /external/dcap_source/QuoteGeneration/pccs/service/services/caching_modes/cachingMode.js /services/caching_modes/cachingMode.js 0 main STP - /external/dcap_source/QuoteGeneration/pccs/service/services/caching_modes/cachingModeManager.js /services/caching_modes/cachingModeManager.js 0 main STP - /external/dcap_source/QuoteGeneration/pccs/service/services/logic/commonCacheLogic.js /services/logic/commonCacheLogic.js 0 main STP -@@ -64,11 +73,14 @@ DeliveryName InstallName FileCheckSum FileFeature FileOwner - /external/dcap_source/QuoteGeneration/pccs/service/utils/Logger.js /utils/Logger.js 0 main STP - /external/dcap_source/QuoteGeneration/pccs/service/utils/PccsError.js /utils/PccsError.js 0 main STP - /external/dcap_source/QuoteGeneration/pccs/service/utils/apputil.js /utils/apputil.js 0 main STP -+/external/dcap_source/QuoteGeneration/pccs/service/utils/errors.js /utils/errors.js 0 main STP - /external/dcap_source/QuoteGeneration/pccs/service/x509/x509.js /x509/x509.js 0 main STP - /external/dcap_source/QuoteGeneration/pccs/service/install.sh /install.sh 0 main STP - /external/dcap_source/QuoteGeneration/pccs/service/package.json /package.json 0 main STP -+/external/dcap_source/QuoteGeneration/pccs/service/package-lock.json /package-lock.json 0 main STP - /external/dcap_source/QuoteGeneration/pccs/service/pccs_server.js /pccs_server.js 0 main STP - /external/dcap_source/QuoteGeneration/pccs/service/pccs.service /pccs.service 0 main STP - /external/dcap_source/QuoteGeneration/pccs/service/startup.sh /startup.sh 0 main STP - /external/dcap_source/QuoteGeneration/pccs/service/cleanup.sh /cleanup.sh 0 main STP - /external/dcap_source/QuoteGeneration/pccs/service/README.md /README.md 0 main STP 
-+/external/dcap_source/QuoteGeneration/pccs/service/nodejs.cnf /nodejs.cnf 0 main STP -diff --git a/linux/installer/common/psw-tdx/BOM_install/sgx-dcap-pccs.txt b/linux/installer/common/psw-tdx/BOM_install/sgx-dcap-pccs.txt -index 4d16e883..f40a5b54 100644 ---- a/linux/installer/common/psw-tdx/BOM_install/sgx-dcap-pccs.txt -+++ b/linux/installer/common/psw-tdx/BOM_install/sgx-dcap-pccs.txt -@@ -12,6 +12,7 @@ DeliveryName InstallName FileCheckSum FileFeature FileOwner - /external/dcap_source/QuoteGeneration/pccs/service/controllers/rootcacrlController.js /controllers/rootcacrlController.js 0 main STP - /external/dcap_source/QuoteGeneration/pccs/service/controllers/tcbinfoController.js /controllers/tcbinfoController.js 0 main STP - /external/dcap_source/QuoteGeneration/pccs/service/controllers/crlController.js /controllers/crlController.js 0 main STP -+/external/dcap_source/QuoteGeneration/pccs/service/controllers/appraisalPolicyController.js /controllers/appraisalPolicyController.js 0 main STP - /external/dcap_source/QuoteGeneration/pccs/service/dao/models/fmspc_tcbs.js /dao/models/fmspc_tcbs.js 0 main STP - /external/dcap_source/QuoteGeneration/pccs/service/dao/models/index.js /dao/models/index.js 0 main STP - /external/dcap_source/QuoteGeneration/pccs/service/dao/models/pck_cert.js /dao/models/pck_cert.js 0 main STP -@@ -24,6 +25,7 @@ DeliveryName InstallName FileCheckSum FileFeature FileOwner - /external/dcap_source/QuoteGeneration/pccs/service/dao/models/platforms.js /dao/models/platforms.js 0 main STP - /external/dcap_source/QuoteGeneration/pccs/service/dao/models/enclave_identities.js /dao/models/enclave_identities.js 0 main STP - /external/dcap_source/QuoteGeneration/pccs/service/dao/models/crl_cache.js /dao/models/crl_cache.js 0 main STP -+/external/dcap_source/QuoteGeneration/pccs/service/dao/models/appraisal_policy.js /dao/models/appraisal_policy.js 0 main STP - /external/dcap_source/QuoteGeneration/pccs/service/dao/fmspcTcbDao.js /dao/fmspcTcbDao.js 0 
main STP - /external/dcap_source/QuoteGeneration/pccs/service/dao/pckCertchainDao.js /dao/pckCertchainDao.js 0 main STP - /external/dcap_source/QuoteGeneration/pccs/service/dao/pckcertDao.js /dao/pckcertDao.js 0 main STP -@@ -35,14 +37,20 @@ DeliveryName InstallName FileCheckSum FileFeature FileOwner - /external/dcap_source/QuoteGeneration/pccs/service/dao/platformTcbsDao.js /dao/platformTcbsDao.js 0 main STP - /external/dcap_source/QuoteGeneration/pccs/service/dao/enclaveIdentityDao.js /dao/enclaveIdentityDao.js 0 main STP - /external/dcap_source/QuoteGeneration/pccs/service/dao/crlCacheDao.js /dao/crlCacheDao.js 0 main STP --/external/dcap_source/tools/PCKCertSelection/out/libPCKCertSelection.so /lib/libPCKCertSelection.so 0 main STP --/external/dcap_source/QuoteGeneration/pccs/service/lib_wrapper/pcklib_wrapper.js /lib_wrapper/pcklib_wrapper.js 0 main STP -+/external/dcap_source/QuoteGeneration/pccs/service/dao/appraisalPolicyDao.js /dao/appraisalPolicyDao.js 0 main STP - /external/dcap_source/QuoteGeneration/pccs/service/middleware/auth.js /middleware/auth.js 0 main STP - /external/dcap_source/QuoteGeneration/pccs/service/middleware/error.js /middleware/error.js 0 main STP - /external/dcap_source/QuoteGeneration/pccs/service/middleware/addRequestId.js /middleware/addRequestId.js 0 main STP -+/external/dcap_source/QuoteGeneration/pccs/service/middleware/filterDuplicatedParams.js /middleware/filterDuplicatedParams.js 0 main STP - /external/dcap_source/QuoteGeneration/pccs/service/migrations/00_db_initialize.up.sql /migrations/00_db_initialize.up.sql 0 main STP - /external/dcap_source/QuoteGeneration/pccs/service/migrations/01_db_version_1.js /migrations/01_db_version_1.js 0 main STP - /external/dcap_source/QuoteGeneration/pccs/service/migrations/02_db_version_2.js /migrations/02_db_version_2.js 0 main STP -+/external/dcap_source/QuoteGeneration/pccs/service/migrations/03_db_version_3.js /migrations/03_db_version_3.js 0 main STP 
-+/external/dcap_source/QuoteGeneration/pccs/service/migrations/04_db_version_4.js /migrations/04_db_version_4.js 0 main STP -+/external/dcap_source/QuoteGeneration/pccs/service/migrations/05_db_version_5.js /migrations/05_db_version_5.js 0 main STP -+/external/dcap_source/QuoteGeneration/pccs/service/pckCertSelection/PckCertificate.js /pckCertSelection/PckCertificate.js 0 main STP -+/external/dcap_source/QuoteGeneration/pccs/service/pckCertSelection/Tcb.js /pckCertSelection/Tcb.js 0 main STP -+/external/dcap_source/QuoteGeneration/pccs/service/pckCertSelection/pckCertSelection.js /pckCertSelection/pckCertSelection.js 0 main STP - /external/dcap_source/QuoteGeneration/pccs/service/pcs_client/pcs_client.js /pcs_client/pcs_client.js 0 main STP - /external/dcap_source/QuoteGeneration/pccs/service/routes/index.js /routes/index.js 0 main STP - /external/dcap_source/QuoteGeneration/pccs/service/services/identityService.js /services/identityService.js 0 main STP -@@ -57,6 +65,7 @@ DeliveryName InstallName FileCheckSum FileFeature FileOwner - /external/dcap_source/QuoteGeneration/pccs/service/services/rootcacrlService.js /services/rootcacrlService.js 0 main STP - /external/dcap_source/QuoteGeneration/pccs/service/services/tcbinfoService.js /services/tcbinfoService.js 0 main STP - /external/dcap_source/QuoteGeneration/pccs/service/services/crlService.js /services/crlService.js 0 main STP -+/external/dcap_source/QuoteGeneration/pccs/service/services/appraisalPolicyService.js /services/appraisalPolicyService.js 0 main STP - /external/dcap_source/QuoteGeneration/pccs/service/services/caching_modes/cachingMode.js /services/caching_modes/cachingMode.js 0 main STP - /external/dcap_source/QuoteGeneration/pccs/service/services/caching_modes/cachingModeManager.js /services/caching_modes/cachingModeManager.js 0 main STP - /external/dcap_source/QuoteGeneration/pccs/service/services/logic/commonCacheLogic.js /services/logic/commonCacheLogic.js 0 main STP -@@ -64,11 +73,14 @@ 
DeliveryName InstallName FileCheckSum FileFeature FileOwner - /external/dcap_source/QuoteGeneration/pccs/service/utils/Logger.js /utils/Logger.js 0 main STP - /external/dcap_source/QuoteGeneration/pccs/service/utils/PccsError.js /utils/PccsError.js 0 main STP - /external/dcap_source/QuoteGeneration/pccs/service/utils/apputil.js /utils/apputil.js 0 main STP -+/external/dcap_source/QuoteGeneration/pccs/service/utils/errors.js /utils/errors.js 0 main STP - /external/dcap_source/QuoteGeneration/pccs/service/x509/x509.js /x509/x509.js 0 main STP - /external/dcap_source/QuoteGeneration/pccs/service/install.sh /install.sh 0 main STP - /external/dcap_source/QuoteGeneration/pccs/service/package.json /package.json 0 main STP -+/external/dcap_source/QuoteGeneration/pccs/service/package-lock.json /package-lock.json 0 main STP - /external/dcap_source/QuoteGeneration/pccs/service/pccs_server.js /pccs_server.js 0 main STP - /external/dcap_source/QuoteGeneration/pccs/service/pccs.service /pccs.service 0 main STP - /external/dcap_source/QuoteGeneration/pccs/service/startup.sh /startup.sh 0 main STP - /external/dcap_source/QuoteGeneration/pccs/service/cleanup.sh /cleanup.sh 0 main STP - /external/dcap_source/QuoteGeneration/pccs/service/README.md /README.md 0 main STP -+/external/dcap_source/QuoteGeneration/pccs/service/nodejs.cnf /nodejs.cnf 0 main STP --- -2.52.0 - diff --git a/specs/l/linux-sgx/0015-sdk-avoid-failure-due-to-attribute-regparam-with-GCC.patch b/specs/l/linux-sgx/0014-sdk-avoid-failure-due-to-attribute-regparam-with-GCC.patch similarity index 93% rename from specs/l/linux-sgx/0015-sdk-avoid-failure-due-to-attribute-regparam-with-GCC.patch rename to specs/l/linux-sgx/0014-sdk-avoid-failure-due-to-attribute-regparam-with-GCC.patch index 0d85d271f68..9551911ae99 100644 --- a/specs/l/linux-sgx/0015-sdk-avoid-failure-due-to-attribute-regparam-with-GCC.patch +++ b/specs/l/linux-sgx/0014-sdk-avoid-failure-due-to-attribute-regparam-with-GCC.patch 
@@ -1,7 +1,7 @@ -From b8d2a529940b6b56cac86a3a495e7731cff1e73d Mon Sep 17 00:00:00 2001 +From 4a12419da033bf88ded73ece3a80090c3d48c7ef Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?= Date: Tue, 6 Jan 2026 18:31:32 +0000 -Subject: [PATCH 15/17] sdk: avoid failure due to attribute(regparam) with GCC +Subject: [PATCH 14/16] sdk: avoid failure due to attribute(regparam) with GCC 16 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 @@ -20,7 +20,7 @@ Signed-off-by: Daniel P. Berrangé 4 files changed, 7 insertions(+), 6 deletions(-) diff --git a/psw/urts/linux/Makefile b/psw/urts/linux/Makefile -index 3d08ee5c..1e76d8d5 100644 +index 275a9d45..94a0aacb 100644 --- a/psw/urts/linux/Makefile +++ b/psw/urts/linux/Makefile @@ -36,10 +36,10 @@ CXXFLAGS += -DDISABLE_TRACE @@ -52,7 +52,7 @@ index 16e2a96d..7e545c1a 100644 SIM_DIR := $(CUR_DIR)/../.. diff --git a/sdk/simulation/urtssim/linux/Makefile b/sdk/simulation/urtssim/linux/Makefile -index dd716f2b..5d64c8ac 100644 +index 78f53484..c99a50e5 100644 --- a/sdk/simulation/urtssim/linux/Makefile +++ b/sdk/simulation/urtssim/linux/Makefile @@ -39,8 +39,8 @@ CXXFLAGS += -DDISABLE_TRACE @@ -79,5 +79,5 @@ index 5750aece..4766ef51 100644 -fno-rtti -- -2.52.0 +2.53.0 diff --git a/specs/l/linux-sgx/0017-fix-BOM-for-mpa_manage-mpa_registration-files.patch b/specs/l/linux-sgx/0015-fix-BOM-for-mpa_manage-mpa_registration-files.patch similarity index 98% rename from specs/l/linux-sgx/0017-fix-BOM-for-mpa_manage-mpa_registration-files.patch rename to specs/l/linux-sgx/0015-fix-BOM-for-mpa_manage-mpa_registration-files.patch index 760bbafe96c..87b249f29d6 100644 --- a/specs/l/linux-sgx/0017-fix-BOM-for-mpa_manage-mpa_registration-files.patch +++ b/specs/l/linux-sgx/0015-fix-BOM-for-mpa_manage-mpa_registration-files.patch @@ -1,7 +1,7 @@ -From 501e90724f57fdb76999dd518876d47212d29853 Mon Sep 17 00:00:00 2001 +From 9fa76f92c2dd7430b5b873cf0b93810d9fb80a8f Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?= Date: Mon, 2 Feb 2026 19:01:24 +0000 -Subject: [PATCH 17/17] fix BOM for mpa_manage/mpa_registration files +Subject: [PATCH 15/16] fix BOM for mpa_manage/mpa_registration files MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit @@ -94,5 +94,5 @@ index 3521a03f..6fea3137 100644 +/external/dcap_source/tools/SGXPlatformRegistration/src/mpa_registration/startup.sh /startup.sh 0 main STP +/external/dcap_source/tools/SGXPlatformRegistration/src/mpa_registration/cleanup.sh /cleanup.sh 0 main STP -- -2.52.0 +2.53.0 diff --git a/specs/l/linux-sgx/0016-Add-impl-of-__cxa_call_terminate.patch b/specs/l/linux-sgx/0016-Add-impl-of-__cxa_call_terminate.patch deleted file mode 100644 index 10e0e035dca..00000000000 --- a/specs/l/linux-sgx/0016-Add-impl-of-__cxa_call_terminate.patch +++ /dev/null @@ -1,36 +0,0 @@ -From a59e761be86d61203639a6d9f5e1952cb57216f4 Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?= -Date: Mon, 2 Feb 2026 15:38:23 +0000 -Subject: [PATCH 16/17] Add impl of __cxa_call_terminate -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -Newer GCC will now invoke __cxa_call_terminate instead of std::terminate - -Signed-off-by: Daniel P. Berrangé ---- - sdk/cpprt/linux/exception.cc | 7 +++++++ - 1 file changed, 7 insertions(+) - -diff --git a/sdk/cpprt/linux/exception.cc b/sdk/cpprt/linux/exception.cc -index 2223b8bb..9ff48873 100644 ---- a/sdk/cpprt/linux/exception.cc -+++ b/sdk/cpprt/linux/exception.cc -@@ -1237,6 +1237,13 @@ extern "C" void __cxa_call_unexpected(void*exception) - abort(); - } - -+extern "C" void __cxa_call_terminate(void*exception) -+{ -+ std::terminate(); -+ // Should not be reached. -+ abort(); -+} -+ - /** - * ABI function, returns the adjusted pointer to the exception object. - */ --- -2.52.0 - 
diff --git a/specs/l/linux-sgx/0016-fix-missing-def-of-uncaught_exception.patch b/specs/l/linux-sgx/0016-fix-missing-def-of-uncaught_exception.patch new file mode 100644 index 00000000000..76acfa50cda --- /dev/null +++ b/specs/l/linux-sgx/0016-fix-missing-def-of-uncaught_exception.patch @@ -0,0 +1,37 @@ +From ce1ad3fba7d14ff037b40ffeab2dccbfa7ccdbc5 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?= +Date: Wed, 25 Mar 2026 12:15:12 +0000 +Subject: [PATCH 16/16] fix missing def of uncaught_exception +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +This needs to be unconditionally present, not restricted to +old C++ standards. This fixes an error seen with GCC 16: + +linux-sgx-2.28-build/confidential-computing.sgx-sgx_2.28/sdk/tlibcxx/include/ostream:280:27: error: there are no arguments to ‘uncaught_exception’ that depend on a template parameter, so a declaration of ‘uncaught_exception’ must be available [-Wtemplate-body] + 280 | && !uncaught_exception()) + | ^~~~~~~~~~~~~~~~~~ +linux-sgx-2.28-build/confidential-computing.sgx-sgx_2.28/sdk/tlibcxx/include/ostream:280:27: note: (if you use ‘-fpermissive’, G++ will accept your code, but allowing the use of an undeclared name is deprecated) + +Signed-off-by: Daniel P. Berrangé +--- + common/inc/stdc++/linux/exception | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/common/inc/stdc++/linux/exception b/common/inc/stdc++/linux/exception +index a3c81106..b81f2d0c 100644 +--- a/common/inc/stdc++/linux/exception ++++ b/common/inc/stdc++/linux/exception +@@ -63,7 +63,7 @@ namespace std + + # if __cplusplus < 201103L + bool uncaught_exception() throw(); +-# elif __cplusplus <= 201703L ++# else + bool uncaught_exception() noexcept; + # endif + +-- +2.53.0 + 
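Review bot: The new 0016 patch makes the `bool uncaught_exception() noexcept;` declaration unconditional by replacing `# elif __cplusplus <= 201703L` with `# else`, but nothing in the patch shows that the trusted C++ runtime's definition is likewise available for `-std=c++20` and later; if that definition is guarded by the same `<= 201703L` test, enclaves built with a newer standard will now get past the `<ostream>` compile error quoted in the message and fail at link time instead, so that should be confirmed before this lands. The reason for keeping a declaration that the standard removed in C++20 is only in the patch description, which the next reader of the header will not see; a one-line comment above the declaration, `// Kept for all standards: tlibcxx's <ostream> still calls uncaught_exception().`, would carry it into the code (the hunk header and diffstat then need regenerating with `git format-patch`). The `# if __cplusplus < 201103L` / `# else` / `# endif` structure that results is otherwise fine.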
diff --git a/specs/l/linux-sgx/0050-Disable-inclusion-of-AESM-in-installer.patch b/specs/l/linux-sgx/0050-Disable-inclusion-of-AESM-in-installer.patch index 07dcf300fe7..59e6ff3d8f2 100644 --- a/specs/l/linux-sgx/0050-Disable-inclusion-of-AESM-in-installer.patch +++ b/specs/l/linux-sgx/0050-Disable-inclusion-of-AESM-in-installer.patch @@ -1,4 +1,4 @@ -From 97cfa1700287075f2d87905aa895d570122ec725 Mon Sep 17 00:00:00 2001 +From 5e85d8d7f98625bf42c75b2253b1cbe763d5a275 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?= Date: Tue, 11 Feb 2025 14:58:58 +0000 Subject: [PATCH] Disable inclusion of AESM in installer @@ -11,30 +11,28 @@ CppMicroServices dependency Signed-off-by: Daniel P. Berrangé --- - linux/installer/common/psw-dcap/Makefile | 27 +----------------------- - psw/ae/Makefile | 4 ++-- - 2 files changed, 3 insertions(+), 28 deletions(-) + linux/installer/common/psw-dcap/Makefile | 25 +----------------------- + psw/ae/Makefile | 2 +- + 2 files changed, 2 insertions(+), 25 deletions(-) diff --git a/linux/installer/common/psw-dcap/Makefile b/linux/installer/common/psw-dcap/Makefile -index a85c8b82..3ea22440 100644 +index 1ae7a292..1174622d 100644 --- a/linux/installer/common/psw-dcap/Makefile +++ b/linux/installer/common/psw-dcap/Makefile -@@ -150,13 +150,7 @@ post_$(1): $(1) | $(PACKAGE_ROOT_PATH) +@@ -111,11 +111,7 @@ post_$(1): $(1) | $(PACKAGE_ROOT_PATH) cp -fr $$|/$$ Date: Mon, 26 Feb 2024 12:19:51 +0000 -Subject: [PATCH 100/131] Drop use of bundled pre-built openssl +Subject: [PATCH 100/127] Drop use of bundled pre-built openssl MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit @@ -13,20 +13,20 @@ 
Signed-off-by: Daniel P. Berrangé --- QuoteGeneration/qcnl/linux/Makefile | 8 +++----- QuoteGeneration/qpl/linux/Makefile | 8 +++----- - QuoteVerification/QvE/Test/Makefile | 4 ++-- QuoteVerification/appraisal/qal/Makefile | 5 ++--- QuoteVerification/appraisal/tee_appraisal_tool/Makefile | 5 ++--- QuoteVerification/buildenv.mk | 1 - QuoteVerification/dcap_quoteverify/linux/Makefile | 8 ++++---- + ae/QvE/Test/Makefile | 4 ++-- tools/PCKCertSelection/PCKCertSelectionLib/Makefile | 9 +++------ .../PCKCertSelectionLib/Makefile.static_lib | 5 +---- 9 files changed, 20 insertions(+), 33 deletions(-) diff --git a/QuoteGeneration/qcnl/linux/Makefile b/QuoteGeneration/qcnl/linux/Makefile -index f5b7be90..860eb268 100644 +index 3d105625..9e358fb6 100644 --- a/QuoteGeneration/qcnl/linux/Makefile +++ b/QuoteGeneration/qcnl/linux/Makefile -@@ -32,7 +32,6 @@ +@@ -7,7 +7,6 @@ ######## SGX SDK Settings ######## TOP_DIR = ../.. include $(TOP_DIR)/buildenv.mk @@ -34,7 +34,7 @@ index f5b7be90..860eb268 100644 ######## SGX CNL Library Settings ######## -@@ -45,10 +44,9 @@ CNL_Lib_Include_Paths := -I../../quote_wrapper/common/inc \ +@@ -20,10 +19,9 @@ CNL_Lib_Include_Paths := -I../../quote_wrapper/common/inc \ -I../../common/inc/internal \ -I../../pce_wrapper/inc \ -I../../../QuoteVerification/QVL/Src/ThirdParty/rapidjson/include/rapidjson \ 
@@ -42,12 +42,12 @@ index f5b7be90..860eb268 100644 - -I$(PREBUILD_OPENSSL_PATH)/inc + -I../../../tools/PCKCertSelection/include --CNL_Lib_C_Flags := $(COMMON_FLAGS) -g -fPIC -Wno-attributes $(CNL_Lib_Include_Paths) -+CNL_Lib_C_Flags := $(COMMON_FLAGS) -g -fPIC -Wno-attributes $(CNL_Lib_Include_Paths) $(shell pkg-config --cflags libcrypto) +-CNL_Lib_C_Flags := $(COMMON_FLAGS) -g -fPIC -Werror -Wno-attributes $(CNL_Lib_Include_Paths) ++CNL_Lib_C_Flags := $(COMMON_FLAGS) -g -fPIC -Werror -Wno-attributes $(CNL_Lib_Include_Paths) $(shell pkg-config --cflags libcrypto) LDUFLAGS:= -pthread $(COMMON_LDFLAGS) LDUFLAGS += -Wl,--version-script=sgx_default_qcnl.lds -Wl,--gc-sections -@@ -60,7 +58,7 @@ CNL_Lib_Cpp_Flags+= -DSELF_SIGNED_CERT +@@ -35,7 +33,7 @@ CNL_Lib_Cpp_Flags+= -DSELF_SIGNED_CERT endif CNL_Lib_Link_Flags := $(SGX_COMMON_FLAGS) -g -L$(TOP_DIR)/build/linux -L$(SGX_SDK)/lib64 \ @@ -57,10 +57,10 @@ index f5b7be90..860eb268 100644 ifndef DEBUG CNL_Lib_Cpp_Flags += -DDISABLE_TRACE diff --git a/QuoteGeneration/qpl/linux/Makefile b/QuoteGeneration/qpl/linux/Makefile -index b675e729..b109a581 100644 +index 549f5ef0..52b91b0a 100644 --- a/QuoteGeneration/qpl/linux/Makefile +++ b/QuoteGeneration/qpl/linux/Makefile -@@ -32,7 +32,6 @@ +@@ -7,7 +7,6 @@ ######## SGX SDK Settings ######## TOP_DIR = ../.. include $(TOP_DIR)/buildenv.mk @@ -68,7 +68,7 @@ index b675e729..b109a581 100644 ######## SGX QPL Library Settings ######## -@@ -42,17 +41,16 @@ QPL_Lib_Cpp_Files := $(wildcard *.cpp ../*.cpp) +@@ -17,17 +16,16 @@ QPL_Lib_Cpp_Files := $(wildcard *.cpp ../*.cpp) QPL_Lib_Include_Paths := -I../../quote_wrapper/common/inc \ -I../inc -I$(SGX_SDK)/include \ -I../../common/inc/internal \ 
@@ -76,43 +76,21 @@ index b675e729..b109a581 100644 - -I$(PREBUILD_OPENSSL_PATH)/inc + -I../../qcnl/inc --QPL_Lib_C_Flags := $(COMMON_FLAGS) -g -fPIC -Wno-attributes $(QPL_Lib_Include_Paths) -+QPL_Lib_C_Flags := $(COMMON_FLAGS) -g -fPIC -Wno-attributes $(QPL_Lib_Include_Paths) $(shell pkg-config --cflags libcrypto) +-QPL_Lib_C_Flags := $(COMMON_FLAGS) -g -fPIC -Werror -Wno-attributes $(QPL_Lib_Include_Paths) ++QPL_Lib_C_Flags := $(COMMON_FLAGS) -g -fPIC -Werror -Wno-attributes $(QPL_Lib_Include_Paths) $(shell pkg-config --cflags libcrypto) LDUFLAGS:= -pthread $(COMMON_LDFLAGS) LDUFLAGS += -Wl,--version-script=sgx_default_quote_provider.lds -Wl,--gc-sections - QPL_Lib_Cpp_Flags := $(QPL_Lib_C_Flags) -std=c++11 + QPL_Lib_Cpp_Flags := $(QPL_Lib_C_Flags) -QPL_Lib_Link_Flags := $(SGX_COMMON_FLAGS) -g -L$(TOP_DIR)/build/linux -L$(SGX_SDK)/lib64 -L$(PREBUILD_OPENSSL_PATH)/lib/linux64 \ +QPL_Lib_Link_Flags := $(SGX_COMMON_FLAGS) -g -L$(TOP_DIR)/build/linux -L$(SGX_SDK)/lib64 \ -lcrypto -lsgx_default_qcnl_wrapper -lpthread -ldl ifndef DEBUG -diff --git a/QuoteVerification/QvE/Test/Makefile b/QuoteVerification/QvE/Test/Makefile -index 29f697ba..ce4b1eec 100644 ---- a/QuoteVerification/QvE/Test/Makefile -+++ b/QuoteVerification/QvE/Test/Makefile -@@ -20,7 +20,7 @@ SRC_PATH := $(MKFILE_PATH)/../Enclave - TEST_PATH := $(MKFILE_PATH)/src - MOCK_PATH := $(MKFILE_PATH)/src/mock - --INCLUDE := -I$(INCLUDE_PATH) -I$(SRC_PATH) -I$(MOCK_PATH) -I$(PREBUILD_OPENSSL_PATH)/inc\ -+INCLUDE := -I$(INCLUDE_PATH) -I$(SRC_PATH) -I$(MOCK_PATH) $(shell pkg-config --cflags libcrypto) \ - -I$(MKFILE_PATH)/../../QVL/Src/AttestationLibrary/src \ - -I$(MKFILE_PATH)/../../QVL/Src/AttestationLibrary/include \ - -I$(MKFILE_PATH)/../../QVL/Src/AttestationParsers/include \ -@@ -54,7 +54,7 @@ OBJ_SRC_PATH := $(OBJ_PATH)/qve - OBJS_SRC := $(OBJ_SRC_PATH)/$(notdir $(SRC_QVE_LOGIC:.cpp=.o)) - - LD_GTEST := -L$(GTEST_PATH)/lib -lgtest -lgmock_main -lgmock --LDFLAGS := -L$(PREBUILD_OPENSSL_PATH)/lib/linux64 
-lcrypto -lpthread -ldl -+LDFLAGS := $(shell pkg-config --libs libcrypto) -lpthread -ldl - - CXX_WARNINGS := -Wall -Wextra -Winit-self -Wpointer-arith -Wreturn-type -Waddress -Wsequence-point -Wformat-security -Wmissing-include-dirs -Wfloat-equal -Wundef -Wshadow -Wcast-align -Wconversion -Wredundant-decls - diff --git a/QuoteVerification/appraisal/qal/Makefile b/QuoteVerification/appraisal/qal/Makefile -index 7a7f2eb4..89c26de2 100644 +index c0df67b2..4feaaa92 100644 --- a/QuoteVerification/appraisal/qal/Makefile +++ b/QuoteVerification/appraisal/qal/Makefile @@ -12,10 +12,9 @@ WARM_Lib_Path := $(WARM_Top_Path)/product-mini/platforms/linux/build/ @@ -130,17 +108,17 @@ index 7a7f2eb4..89c26de2 100644 @@ -28,7 +27,7 @@ QAL_Cpp_Flags := $(CXXFLAGS) -g -fPIC $(QAL_Include_Path) QAL_C_Flags := $(CFLAGS) -g -fPIC $(QAL_Include_Path) - QAL_Link_Flags := $(COMMON_LDFLAGS) -L$(WARM_Lib_Path) -liwasm -ldl -lm -lpthread \ + QAL_Link_Flags := $(COMMON_LDFLAGS) -L$(WARM_Lib_Path) -lvmlib -ldl -lm -lpthread \ - -L$(PREBUILD_OPENSSL_PATH)/lib/linux64 -lcrypto \ + $(shell pkg-config --libs libcrypto) \ -Wl,--gc-sections -Wl,--version-script=sgx_dcap_qal.lds WASM_CONFIG ?= -DCMAKE_BUILD_TYPE=Release diff --git a/QuoteVerification/appraisal/tee_appraisal_tool/Makefile b/QuoteVerification/appraisal/tee_appraisal_tool/Makefile -index b5b6e6c4..512a48d9 100644 +index 966b51f9..9e06fc79 100644 --- a/QuoteVerification/appraisal/tee_appraisal_tool/Makefile +++ b/QuoteVerification/appraisal/tee_appraisal_tool/Makefile -@@ -33,14 +33,13 @@ +@@ -7,14 +7,13 @@ DCAP_TOPDIR = ../../.. include $(DCAP_TOPDIR)/QuoteGeneration/buildenv.mk 
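Review bot: In the rebased 0100 patch, `QPL_Lib_Link_Flags := $(SGX_COMMON_FLAGS) -g -L$(TOP_DIR)/build/linux -L$(SGX_SDK)/lib64 \` followed by `-lcrypto -lsgx_default_qcnl_wrapper -lpthread -ldl` still links libcrypto by bare name after the `-L$(PREBUILD_OPENSSL_PATH)/lib/linux64` path was dropped, while the compile flags on the same new side take OpenSSL's location from `$(shell pkg-config --cflags libcrypto)`; on a host whose OpenSSL lives outside the default linker search path this compiles but fails to link, and the qcnl Makefile hunk in this same patch appears to have the identical asymmetry (its link-flags continuation line is not visible here). The other Makefiles touched by the patch (QvE/Test, qal, tee_appraisal_tool) already use `$(shell pkg-config --libs libcrypto)`, so replacing `-lcrypto` with that in the qpl and qcnl link flags would make the patch consistent. Since these are `:=` assignments the extra `$(shell …)` runs once at parse time.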
@@ -156,12 +134,12 @@ index b5b6e6c4..512a48d9 100644 -I../common ifdef DEBUG -@@ -56,7 +55,7 @@ Cpp_Common_Obj_Files := file_util.o format_util.o +@@ -30,7 +29,7 @@ Cpp_Common_Obj_Files := file_util.o format_util.o C_Obj_Files := se_trace.o Obj_Files := $(Cpp_Files:.cpp=.o) $(C_Obj_Files) $(Cpp_Common_Obj_Files) --LDFLAGS += -L$(PREBUILD_OPENSSL_PATH)/lib/linux64 -lcrypto -lpthread -ldl -+LDFLAGS += $(shell pkg-config --libs libcrypto) -lpthread -ldl +-LDFLAGS += $(COMMON_LDFLAGS) -L$(PREBUILD_OPENSSL_PATH)/lib/linux64 -pie -lcrypto -lpthread -ldl ++LDFLAGS += $(COMMON_LDFLAGS) $(shell pkg-config --libs libcrypto) -pie -lpthread -ldl TARGET_NAME := tee_appraisal_tool @@ -178,11 +156,11 @@ index a619f498..8ffd99cb 100644 SGX_COMMON_CFLAGS := $(COMMON_FLAGS) -m64 -Wjump-misses-init -Wstrict-prototypes -Wunsuffixed-float-constants SGX_COMMON_CXXFLAGS := $(COMMON_FLAGS) -m64 -Wnon-virtual-dtor -std=c++17 diff --git a/QuoteVerification/dcap_quoteverify/linux/Makefile b/QuoteVerification/dcap_quoteverify/linux/Makefile -index cbc24c1e..96ad3e56 100644 +index 308ee9e1..71f0f989 100644 --- a/QuoteVerification/dcap_quoteverify/linux/Makefile +++ b/QuoteVerification/dcap_quoteverify/linux/Makefile -@@ -10,8 +10,8 @@ INSTALL_PATH ?= /usr/lib/x86_64-linux-gnu - QVE_SRC_PATH := $(DCAP_QV_DIR)/QvE +@@ -16,8 +16,8 @@ INSTALL_PATH ?= /usr/lib/x86_64-linux-gnu + QVE_SRC_PATH := ../../../ae/QvE DCAP_QPL_DIR := $(DCAP_QG_DIR)/qpl -QVL_LIB_INC += -I$(PREBUILD_OPENSSL_PATH)/inc -I$(QVE_SRC_PATH)/Include @@ -192,7 +170,7 @@ index cbc24c1e..96ad3e56 100644 QVL_VERIFY_INC := -I$(QVE_SRC_PATH)/Include \ -I../inc \ -I$(DCAP_QG_DIR)/quote_wrapper/common/inc \ -@@ -19,7 +19,7 @@ QVL_VERIFY_INC := -I$(QVE_SRC_PATH)/Include \ +@@ -25,7 +25,7 @@ QVL_VERIFY_INC := -I$(QVE_SRC_PATH)/Include \ -I$(DCAP_QG_DIR)/common/inc/internal \ -I$(DCAP_QG_DIR)/common/inc/internal/linux \ -I$(DCAP_QG_DIR)/pce_wrapper/inc \ 
@@ -201,7 +179,7 @@ index cbc24c1e..96ad3e56 100644 $(QVL_LIB_INC) \ -I$(DCAP_QPL_DIR)/inc \ -I$(DCAP_QV_DIR)/appraisal/common \ -@@ -38,7 +38,7 @@ QVL_PARSER := sgx_dcap_qvl_attestation +@@ -49,7 +49,7 @@ QVL_PARSER := sgx_dcap_qvl_attestation QVL_LIB_NAME := lib$(QVL_LIB).a QVL_PARSER_NAME := lib$(QVL_PARSER).a @@ -210,8 +188,30 @@ index cbc24c1e..96ad3e56 100644 LDUFLAGS += -Wl,--version-script=sgx_dcap_quoteverify.lds -Wl,--gc-sections QVL_VERIFY_CPP_SRCS := $(wildcard ../*.cpp) $(wildcard *.cpp) +diff --git a/ae/QvE/Test/Makefile b/ae/QvE/Test/Makefile +index 345c9f52..0ed41883 100644 +--- a/ae/QvE/Test/Makefile ++++ b/ae/QvE/Test/Makefile +@@ -20,7 +20,7 @@ SRC_PATH := $(MKFILE_PATH)/../qve + TEST_PATH := $(MKFILE_PATH)/src + MOCK_PATH := $(MKFILE_PATH)/src/mock + +-INCLUDE := -I$(INCLUDE_PATH) -I$(SRC_PATH) -I$(MOCK_PATH) -I$(PREBUILD_OPENSSL_PATH)/inc\ ++INCLUDE := -I$(INCLUDE_PATH) -I$(SRC_PATH) -I$(MOCK_PATH) $(shell pkg-config --cflags libcrypto) \ + -I$(MKFILE_PATH)/../../../QuoteVerification/QVL/Src/AttestationLibrary/src \ + -I$(MKFILE_PATH)/../../../QuoteVerification/QVL/Src/AttestationLibrary/include \ + -I$(MKFILE_PATH)/../../../QuoteVerification/QVL/Src/AttestationParsers/include \ +@@ -54,7 +54,7 @@ OBJ_SRC_PATH := $(OBJ_PATH)/qve + OBJS_SRC := $(OBJ_SRC_PATH)/$(notdir $(SRC_QVE_LOGIC:.cpp=.o)) + + LD_GTEST := -L$(GTEST_PATH)/lib -lgtest -lgmock_main -lgmock +-LDFLAGS := -L$(PREBUILD_OPENSSL_PATH)/lib/linux64 -lcrypto -lpthread -ldl ++LDFLAGS := $(shell pkg-config --libs libcrypto) -lpthread -ldl + + CXX_WARNINGS := -Wall -Wextra -Winit-self -Wpointer-arith -Wreturn-type -Waddress -Wsequence-point -Wformat-security -Wmissing-include-dirs -Wfloat-equal -Wundef -Wshadow -Wcast-align -Wconversion -Wredundant-decls + diff --git a/tools/PCKCertSelection/PCKCertSelectionLib/Makefile b/tools/PCKCertSelection/PCKCertSelectionLib/Makefile -index e0402e95..6e1c7876 100644 +index d53413b5..5c586d86 100644 
--- a/tools/PCKCertSelection/PCKCertSelectionLib/Makefile +++ b/tools/PCKCertSelection/PCKCertSelectionLib/Makefile @@ -63,10 +63,7 @@ ifndef QG_DIR @@ -235,15 +235,15 @@ index e0402e95..6e1c7876 100644 # the library shared object name LIB_NAME := libPCKCertSelection.so -@@ -136,7 +133,7 @@ C_FLAGS := -fPIC -fvisibility=hidden -fvisibility-inlines-hidden -Werror -Wno-ov - C_FLAGS += -UPCK_CERT_SELECTION_WITH_COMPONENT +@@ -129,7 +126,7 @@ CXXFLAGS += -m64 -fPIC -fvisibility=hidden -fvisibility-inlines-hidden -Werror - + CXXFLAGS += -UPCK_CERT_SELECTION_WITH_COMPONENT - # link flags, link openssl crypto --LINK_FLAGS := -shared -L$(OPENSSL_LIB) -lcrypto -lpthread -ldl -+LINK_FLAGS := -shared -lcrypto -lpthread -ldl + # Link flags +-LINK_FLAGS := -m64 -shared $(COMMON_LDFLAGS) -L$(OPENSSL_LIB) -lcrypto -lpthread -ldl ++LINK_FLAGS := -m64 -shared $(COMMON_LDFLAGS) -lcrypto -lpthread -ldl LINK_FLAGS += -Wl,--version-script=pck_cert_selection.lds -Wl,--gc-sections - # debug/release switch + # Strip only in RELEASE builds diff --git a/tools/PCKCertSelection/PCKCertSelectionLib/Makefile.static_lib b/tools/PCKCertSelection/PCKCertSelectionLib/Makefile.static_lib index a20a3cd5..499ee94f 100644 --- a/tools/PCKCertSelection/PCKCertSelectionLib/Makefile.static_lib diff --git a/specs/l/linux-sgx/0101-Improve-debuggability-of-build-system.patch b/specs/l/linux-sgx/0101-Improve-debuggability-of-build-system.patch index 377614b1450..39ffb1d942e 100644 --- a/specs/l/linux-sgx/0101-Improve-debuggability-of-build-system.patch +++ b/specs/l/linux-sgx/0101-Improve-debuggability-of-build-system.patch @@ -1,7 +1,7 @@ -From 3173daff9069d6d50c9e47bd04f9c6dedcf15d8c Mon Sep 17 00:00:00 2001 +From e56d81031a49344706c38ce64a6294252d5bccc9 Mon Sep 17 00:00:00 2001 
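Review bot: `LINK_FLAGS := -m64 -shared $(COMMON_LDFLAGS) -lcrypto -lpthread -ldl` in the PCKCertSelectionLib hunk drops `-L$(OPENSSL_LIB)` but keeps a bare `-lcrypto`, while the other Makefiles touched in this series switch to `$(shell pkg-config --libs libcrypto)`; on a host with more than one OpenSSL installed this library may link a different libcrypto than the one whose headers the compile flags select (the include side is outside this hunk, so that part is inferred). Using the same pkg-config expression here keeps header and library selection consistent across the tree. The comment rewording to `# Link flags` loses the one piece of intent the old `# link flags, link openssl crypto` carried; `# Link flags: libcrypto now comes from the system OpenSSL, not a prebuilt tree` would preserve it.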
From: =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?= Date: Fri, 1 Mar 2024 12:05:01 +0000 -Subject: [PATCH 101/131] Improve debuggability of build system +Subject: [PATCH 101/127] Improve debuggability of build system MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit @@ -12,16 +12,16 @@ Don't hide commands that are run, so compiler flags are visible. Signed-off-by: Daniel P. Berrangé --- QuoteGeneration/qcnl/linux/Makefile | 2 +- - QuoteVerification/QvE/Makefile | 26 ++++++++--------- QuoteVerification/appraisal/qal/Makefile | 2 +- .../dcap_quoteverify/linux/Makefile | 28 +++++++++---------- + ae/QvE/Makefile | 26 ++++++++--------- 4 files changed, 29 insertions(+), 29 deletions(-) diff --git a/QuoteGeneration/qcnl/linux/Makefile b/QuoteGeneration/qcnl/linux/Makefile -index 860eb268..7be0370d 100644 +index 9e358fb6..74b2ac95 100644 --- a/QuoteGeneration/qcnl/linux/Makefile +++ b/QuoteGeneration/qcnl/linux/Makefile -@@ -113,7 +113,7 @@ $(CNL_Lib_Name_Static): $(CNL_Lib_Cpp_Objects) $(CNL_Lib_C_Objects) $(PCK_Select +@@ -87,7 +87,7 @@ $(CNL_Lib_Name_Static): $(CNL_Lib_Cpp_Objects) $(CNL_Lib_C_Objects) $(PCK_Select $(AR) rsD $(CNL_Lib_Name_Static) $(CNL_Lib_Cpp_Objects) $(CNL_Lib_C_Objects) $(PCK_Selection_Cpp_Objects) $(PCK_Selection_Lib_Static): 
@@ -30,112 +30,24 @@ index 860eb268..7be0370d 100644 force_look: true -diff --git a/QuoteVerification/QvE/Makefile b/QuoteVerification/QvE/Makefile -index 218bb8e6..f6148df6 100644 ---- a/QuoteVerification/QvE/Makefile -+++ b/QuoteVerification/QvE/Makefile -@@ -138,37 +138,37 @@ PREPARE_SGXSSL := ../prepare_sgxssl.sh - SGXSSL_HEADER_CHECK := $(SGXSSL_PACKAGE_PATH)/include/openssl/opensslconf.h - PREPARE_SGX_SSL: - ifdef SERVTD_ATTEST -- @test -f $(SGXSSL_PACKAGE_PATH)/lib64/lib$(SGXSSL_TCRYPTO).a && test -f $(SGXSSL_PACKAGE_PATH)/lib64/lib$(SGXSSL_TLIB).a && test -f $(SGXSSL_HEADER_CHECK) || $(PREPARE_SGXSSL) SERVTD_ATTEST -+ test -f $(SGXSSL_PACKAGE_PATH)/lib64/lib$(SGXSSL_TCRYPTO).a && test -f $(SGXSSL_PACKAGE_PATH)/lib64/lib$(SGXSSL_TLIB).a && test -f $(SGXSSL_HEADER_CHECK) || $(PREPARE_SGXSSL) SERVTD_ATTEST - else -- @test -f $(SGXSSL_PACKAGE_PATH)/lib64/lib$(SGXSSL_TCRYPTO).a && test -f $(SGXSSL_PACKAGE_PATH)/lib64/lib$(SGXSSL_TLIB).a && test -f $(SGXSSL_HEADER_CHECK) || $(PREPARE_SGXSSL) $(if $(FIPS),FIPS) -+ test -f $(SGXSSL_PACKAGE_PATH)/lib64/lib$(SGXSSL_TCRYPTO).a && test -f $(SGXSSL_PACKAGE_PATH)/lib64/lib$(SGXSSL_TLIB).a && test -f $(SGXSSL_HEADER_CHECK) || $(PREPARE_SGXSSL) $(if $(FIPS),FIPS) - endif - - $(SGXSSL_HEADER_CHECK): PREPARE_SGX_SSL - - install_lib: $(SIGNED_QVE_NAME) | $(BUILD_DIR) -- @$(CP) $(SIGNED_QVE_NAME) $(BUILD_DIR) -+ $(CP) $(SIGNED_QVE_NAME) $(BUILD_DIR) - - ######## Enclave Objects ######## - - ifndef SERVTD_ATTEST - Enclave/sgx_base64.o: $(DCAP_QPL_DIR)/sgx_base64.cpp -- @$(CXX) $(ENCLAVE_CXXFLAGS) $(QVL_LIB_INC) -c $< -o $@ -+ $(CXX) $(ENCLAVE_CXXFLAGS) $(QVL_LIB_INC) -c $< -o $@ - @echo "CXX <= $<" - Enclave/ec_key.o: $(DCAP_QV_DIR)/appraisal/common/ec_key.cpp -- @$(CXX) $(ENCLAVE_CXXFLAGS) $(QVL_LIB_INC) -c $< -o $@ -+ $(CXX) $(ENCLAVE_CXXFLAGS) $(QVL_LIB_INC) -c $< -o $@ - @echo "CXX <= $<" - endif - - $(QVL_LIB_OBJS): %.o: %.cpp $(SGXSSL_HEADER_CHECK) - ifdef SERVTD_ATTEST -- @$(CXX) -DSERVTD_ATTEST $(ENCLAVE_CXXFLAGS) 
$(QVL_LIB_INC) -c $< -o $@ -+ $(CXX) -DSERVTD_ATTEST $(ENCLAVE_CXXFLAGS) $(QVL_LIB_INC) -c $< -o $@ - else -- @$(CXX) $(ENCLAVE_CXXFLAGS) $(QVL_LIB_INC) -c $< -o $@ -+ $(CXX) $(ENCLAVE_CXXFLAGS) $(QVL_LIB_INC) -c $< -o $@ - endif - @echo "CXX <= $<" - - $(QVL_PARSER_OBJS): %.o: %.cpp $(SGXSSL_HEADER_CHECK) -- @$(CXX) $(ENCLAVE_CXXFLAGS) $(QVL_PARSER_INC) -c $< -o $@ -+ $(CXX) $(ENCLAVE_CXXFLAGS) $(QVL_PARSER_INC) -c $< -o $@ - @echo "CXX <= $<" - - ifndef SERVTD_ATTEST -@@ -179,7 +179,7 @@ Enclave/qve_t.h: Enclave/qve.edl $(SGX_EDGER8R) - Enclave/qve_t.c: Enclave/qve_t.h - - Enclave/qve_t.o: Enclave/qve_t.c -- @$(CC) $(SGX_COMMON_CFLAGS) $(ENCLAVE_CFLAGS) -c $< -o $@ -+ $(CC) $(SGX_COMMON_CFLAGS) $(ENCLAVE_CFLAGS) -c $< -o $@ - @echo "CC <= $<" - endif - -@@ -188,7 +188,7 @@ Enclave/%.o: Enclave/%.cpp $(SGXSSL_HEADER_CHECK) - else - Enclave/%.o: Enclave/%.cpp Enclave/qve_t.h $(SGXSSL_HEADER_CHECK) - endif -- @$(CXX) $(SGX_COMMON_CXXFLAGS) $(ENCLAVE_CXXFLAGS) $(if $(FIPS),-DSGXSSL_FIPS) $(QVL_LIB_INC) -I$(QVL_SRC_PATH) -c $< -o $@ -+ $(CXX) $(SGX_COMMON_CXXFLAGS) $(ENCLAVE_CXXFLAGS) $(if $(FIPS),-DSGXSSL_FIPS) $(QVL_LIB_INC) -I$(QVL_SRC_PATH) -c $< -o $@ - @echo "CXX <= $<" - - ifdef SERVTD_ATTEST -@@ -209,16 +209,16 @@ endif - ifdef SERVTD_ATTEST - $(QVE_NAME): $(QVE_OBJS) $(QVL_PARSER_OBJS) $(QVL_LIB_OBJS) - if [ ! 
-d "$(SERVTD_ATTEST_BUILD_DIR)" ]; then mkdir -p '$(SERVTD_ATTEST_BUILD_DIR)';fi -- @$(CXX) $^ -shared -o $(SERVTD_ATTEST_BUILD_DIR)/$@ $(ENCLAVE_LDFLAGS) $(ENCLAVE_CXXFLAGS) -+ $(CXX) $^ -shared -o $(SERVTD_ATTEST_BUILD_DIR)/$@ $(ENCLAVE_LDFLAGS) $(ENCLAVE_CXXFLAGS) - else - $(QVE_NAME): $(QVE_OBJS) Enclave/qve_t.o $(QVL_PARSER_OBJS) $(QVL_LIB_OBJS) $(QVL_LIB_COMMON_OBJS) -- @$(CXX) $^ -o $@ $(ENCLAVE_LDFLAGS) $(ENCLAVE_CXXFLAGS) -Wl,-soname=${SIGNED_QVE_NAME}.$(call get_major_version,QVE_VERSION) -+ $(CXX) $^ -o $@ $(ENCLAVE_LDFLAGS) $(ENCLAVE_CXXFLAGS) -Wl,-soname=${SIGNED_QVE_NAME}.$(call get_major_version,QVE_VERSION) - $(STRIP) --strip-unneeded --remove-section=.comment --remove-section=.note $@ - endif - @echo "LINK => $@" - - $(SIGNED_QVE_NAME): $(QVE_NAME) $(QVE_CONFIG_FILE) -- @$(SGX_ENCLAVE_SIGNER) sign -key Enclave/qve_test_key.pem -enclave $< -out $@ -config $(QVE_CONFIG_FILE) -+ $(SGX_ENCLAVE_SIGNER) sign -key Enclave/qve_test_key.pem -enclave $< -out $@ -config $(QVE_CONFIG_FILE) - @echo "SIGN => $@" - - print-% : ; @echo $* = $($*) diff --git a/QuoteVerification/appraisal/qal/Makefile b/QuoteVerification/appraisal/qal/Makefile -index 89c26de2..94469dda 100644 +index 4feaaa92..bd93c19e 100644 --- a/QuoteVerification/appraisal/qal/Makefile 
+++ b/QuoteVerification/appraisal/qal/Makefile -@@ -102,7 +102,7 @@ $(QAL_CXX_Common_Objs): %.o: ../common/%.cpp +@@ -104,7 +104,7 @@ $(QAL_CXX_Common_Objs): %.o: ../common/%.cpp $(CXX) $(QAL_Cpp_Flags) -c $< -o $@ wasm_lib: -- test -f $(WARM_Lib_Path)/libiwasm.a || ($(MKDIR) $(WARM_Lib_Path) && cd $(WARM_Lib_Path) && cmake .. $(WASM_CONFIG) && $(MAKE) vmlib) -+ test -f $(WARM_Lib_Path)/libiwasm.a || ($(MKDIR) $(WARM_Lib_Path) && cd $(WARM_Lib_Path) && cmake .. $(WASM_CONFIG) && $(MAKE) vmlib VERBOSE=1) +- test -f $(WARM_Lib_Path)/libvmlib.a || ($(MKDIR) $(WARM_Lib_Path) && cd $(WARM_Lib_Path) && cmake .. $(WASM_CONFIG) && $(MAKE) vmlib) ++ test -f $(WARM_Lib_Path)/libvmlib.a || ($(MKDIR) $(WARM_Lib_Path) && cd $(WARM_Lib_Path) && cmake .. $(WASM_CONFIG) && $(MAKE) vmlib VERBOSE=1) clean: $(RM) $(QAL_Obj_Files) $(Target_Lib_Name) $(Target_Lib_Name).$(SGX_MAJOR_VER) $(Target_Static_Lib_Name) $(BUILD_DIR)/$(Target_Lib_Name) $(QVL_Cpp_Obj_Files) diff --git a/QuoteVerification/dcap_quoteverify/linux/Makefile b/QuoteVerification/dcap_quoteverify/linux/Makefile -index 96ad3e56..49d74948 100644 +index 71f0f989..26f3c6bb 100644 --- a/QuoteVerification/dcap_quoteverify/linux/Makefile +++ b/QuoteVerification/dcap_quoteverify/linux/Makefile -@@ -82,13 +82,13 @@ $(BUILD_DIR): +@@ -95,12 +95,12 @@ $(BUILD_DIR): @$(MKDIR) $@ install_lib: $(QVL_VERIFY_LIB_NAME_Dynamic) | $(BUILD_DIR) @@ -145,7 +57,6 @@ index 96ad3e56..49d74948 100644 + $(CP) $(QVL_VERIFY_LIB_NAME_Dynamic) $|/$(QVL_VERIFY_LIB_NAME_Dynamic_Full) + $(LN) $(QVL_VERIFY_LIB_NAME_Dynamic_Full) $|/$(QVL_VERIFY_LIB_NAME_Dynamic_Major) + $(LN) $(QVL_VERIFY_LIB_NAME_Dynamic_Major) $|/$(QVL_VERIFY_LIB_NAME_Dynamic) - $(CP) $(PREBUILD_PATH)/opa_bin/policy.wasm $|/tee_appraisal_policy.wasm ifeq ($(GEN_STATIC),1) - @$(MAKE) $(QVL_VERIFY_LIB_NAME_Static) 
@@ -153,12 +64,12 @@ index 96ad3e56..49d74948 100644 @$(CP) $(QVL_VERIFY_LIB_NAME_Static) $| endif -@@ -98,13 +98,13 @@ run: all +@@ -110,13 +110,13 @@ run: all ######## QVL Library Objects ######## - qve_u.h: $(QVE_SRC_PATH)/Enclave/qve.edl $(SGX_EDGER8R) -- @$(SGX_EDGER8R) --untrusted $< $(addprefix --search-path ,$(QVE_SRC_PATH)/Enclave $(SGX_SDK)/include $(addprefix $(SGXSSL_PACKAGE_PATH)/include/,. $(if $(FIPS),,no)filefunc)) -+ $(SGX_EDGER8R) --untrusted $< $(addprefix --search-path ,$(QVE_SRC_PATH)/Enclave $(SGX_SDK)/include $(addprefix $(SGXSSL_PACKAGE_PATH)/include/,. $(if $(FIPS),,no)filefunc)) + qve_u.h: $(QVE_SRC_PATH)/qve/qve.edl $(SGX_EDGER8R) +- @$(SGX_EDGER8R) --untrusted $< $(addprefix --search-path ,$(QVE_SRC_PATH)/qve $(SGX_SDK)/include $(addprefix $(SGXSSL_PACKAGE_PATH)/include/,. $(if $(FIPS),,no)filefunc)) ++ $(SGX_EDGER8R) --untrusted $< $(addprefix --search-path ,$(QVE_SRC_PATH)/qve $(SGX_SDK)/include $(addprefix $(SGXSSL_PACKAGE_PATH)/include/,. $(if $(FIPS),,no)filefunc)) @echo "GEN => $@" qve_u.c : qve_u.h @@ -169,7 +80,7 @@ index 96ad3e56..49d74948 100644 @echo "CC <= $<" -include $(QPL_BASE64_CPP_DEP) -@@ -118,15 +118,15 @@ ec_key.o: $(DCAP_QV_DIR)/appraisal/common/ec_key.cpp +@@ -130,15 +130,15 @@ ec_key.o: $(DCAP_QV_DIR)/appraisal/common/ec_key.cpp @echo "CXX <= $<" $(QVL_VERIFY_CPP_OBJS): %.o: %.cpp qve_u.h @@ -188,7 +99,7 @@ index 96ad3e56..49d74948 100644 @echo "CXX <= $<" $(QVE_LOGIC_CPP_OBJ): $(QVE_LOGIC_CPP_SRC) -@@ -134,18 +134,18 @@ $(QVE_LOGIC_CPP_OBJ): $(QVE_LOGIC_CPP_SRC) +@@ -146,18 +146,18 @@ $(QVE_LOGIC_CPP_OBJ): $(QVE_LOGIC_CPP_SRC) @echo "CXX <= $<" $(QVL_LIB_OBJS): %_untrusted.o: %.cpp 
@@ -211,7 +122,7 @@ index 96ad3e56..49d74948 100644 $(QVL_VERIFY_LIB_NAME_Dynamic): $(QVL_VERIFY_CPP_OBJS) $(QVL_VERIFY_C_OBJS) $(QVE_CPP_OBJ) $(QVE_LOGIC_CPP_OBJ) $(QVL_LIB_NAME) $(QVL_PARSER_NAME) $(QVL_LIB_COMMON_OBJS) qal -@@ -153,7 +153,7 @@ $(QVL_VERIFY_LIB_NAME_Dynamic): $(QVL_VERIFY_CPP_OBJS) $(QVL_VERIFY_C_OBJS) $(QV +@@ -165,7 +165,7 @@ $(QVL_VERIFY_LIB_NAME_Dynamic): $(QVL_VERIFY_CPP_OBJS) $(QVL_VERIFY_C_OBJS) $(QV @ln -sf $(QVL_VERIFY_LIB_NAME_Dynamic) $(QVL_VERIFY_LIB_NAME_Dynamic).1 $(QVL_VERIFY_LIB_NAME_Static): $(QVL_VERIFY_CPP_OBJS_STATIC) $(QVL_VERIFY_C_OBJS) $(QVE_CPP_OBJ) $(QVE_LOGIC_CPP_OBJ) $(QVL_LIB_NAME) $(QVL_PARSER_NAME) $(QVL_LIB_COMMON_OBJS) 
@@ -220,6 +131,94 @@ index 96ad3e56..49d74948 100644 .PHONY: qal qal: +diff --git a/ae/QvE/Makefile b/ae/QvE/Makefile +index f21ba8d3..d5af625a 100644 +--- a/ae/QvE/Makefile ++++ b/ae/QvE/Makefile +@@ -139,37 +139,37 @@ PREPARE_SGXSSL := ../../QuoteVerification/prepare_sgxssl.sh + SGXSSL_HEADER_CHECK := $(SGXSSL_PACKAGE_PATH)/include/openssl/opensslconf.h + PREPARE_SGX_SSL: + ifdef SERVTD_ATTEST +- @test -f $(SGXSSL_PACKAGE_PATH)/lib64/lib$(SGXSSL_TCRYPTO).a && test -f $(SGXSSL_PACKAGE_PATH)/lib64/lib$(SGXSSL_TLIB).a && test -f $(SGXSSL_HEADER_CHECK) || $(PREPARE_SGXSSL) SERVTD_ATTEST ++ test -f $(SGXSSL_PACKAGE_PATH)/lib64/lib$(SGXSSL_TCRYPTO).a && test -f $(SGXSSL_PACKAGE_PATH)/lib64/lib$(SGXSSL_TLIB).a && test -f $(SGXSSL_HEADER_CHECK) || $(PREPARE_SGXSSL) SERVTD_ATTEST + else +- @test -f $(SGXSSL_PACKAGE_PATH)/lib64/lib$(SGXSSL_TCRYPTO).a && test -f $(SGXSSL_PACKAGE_PATH)/lib64/lib$(SGXSSL_TLIB).a && test -f $(SGXSSL_HEADER_CHECK) || $(PREPARE_SGXSSL) $(if $(FIPS),FIPS) ++ test -f $(SGXSSL_PACKAGE_PATH)/lib64/lib$(SGXSSL_TCRYPTO).a && test -f $(SGXSSL_PACKAGE_PATH)/lib64/lib$(SGXSSL_TLIB).a && test -f $(SGXSSL_HEADER_CHECK) || $(PREPARE_SGXSSL) $(if $(FIPS),FIPS) + endif + + $(SGXSSL_HEADER_CHECK): PREPARE_SGX_SSL + + install_lib: $(SIGNED_QVE_NAME) | $(BUILD_DIR) +- @$(CP) $(SIGNED_QVE_NAME) $(BUILD_DIR) ++ $(CP) $(SIGNED_QVE_NAME) $(BUILD_DIR) + + ######## Enclave Objects ######## + + ifndef SERVTD_ATTEST + $(QVE_DIR)/sgx_base64.o: $(DCAP_QPL_DIR)/sgx_base64.cpp +- @$(CXX) $(ENCLAVE_CXXFLAGS) $(QVL_LIB_INC) -c $< -o $@ ++ $(CXX) $(ENCLAVE_CXXFLAGS) $(QVL_LIB_INC) -c $< -o $@ + @echo "CXX <= $<" + $(QVE_DIR)/ec_key.o: $(DCAP_QV_DIR)/appraisal/common/ec_key.cpp +- @$(CXX) $(ENCLAVE_CXXFLAGS) $(QVL_LIB_INC) -c $< -o $@ ++ $(CXX) $(ENCLAVE_CXXFLAGS) $(QVL_LIB_INC) -c $< -o $@ + @echo "CXX <= $<" + endif + + $(QVL_LIB_OBJS): %.o: %.cpp $(SGXSSL_HEADER_CHECK) + ifdef SERVTD_ATTEST +- @$(CXX) -DSERVTD_ATTEST $(ENCLAVE_CXXFLAGS) $(QVL_LIB_INC) -c $< -o $@ ++ $(CXX) 
-DSERVTD_ATTEST $(ENCLAVE_CXXFLAGS) $(QVL_LIB_INC) -c $< -o $@ + else +- @$(CXX) $(ENCLAVE_CXXFLAGS) $(QVL_LIB_INC) -c $< -o $@ ++ $(CXX) $(ENCLAVE_CXXFLAGS) $(QVL_LIB_INC) -c $< -o $@ + endif + @echo "CXX <= $<" + + $(QVL_PARSER_OBJS): %.o: %.cpp $(SGXSSL_HEADER_CHECK) +- @$(CXX) $(ENCLAVE_CXXFLAGS) $(QVL_PARSER_INC) -c $< -o $@ ++ $(CXX) $(ENCLAVE_CXXFLAGS) $(QVL_PARSER_INC) -c $< -o $@ + @echo "CXX <= $<" + + ifndef SERVTD_ATTEST +@@ -180,7 +180,7 @@ $(QVE_DIR)/qve_t.h: $(QVE_DIR)/qve.edl $(SGX_EDGER8R) + $(QVE_DIR)/qve_t.c: $(QVE_DIR)/qve_t.h + + $(QVE_DIR)/qve_t.o: $(QVE_DIR)/qve_t.c +- @$(CC) $(SGX_COMMON_CFLAGS) $(ENCLAVE_CFLAGS) -c $< -o $@ ++ $(CC) $(SGX_COMMON_CFLAGS) $(ENCLAVE_CFLAGS) -c $< -o $@ + @echo "CC <= $<" + endif + +@@ -189,7 +189,7 @@ $(QVE_DIR)/%.o: $(QVE_DIR)/%.cpp $(SGXSSL_HEADER_CHECK) + else + $(QVE_DIR)/%.o: $(QVE_DIR)/%.cpp $(QVE_DIR)/qve_t.h $(SGXSSL_HEADER_CHECK) + endif +- @$(CXX) $(SGX_COMMON_CXXFLAGS) $(ENCLAVE_CXXFLAGS) $(if $(FIPS),-DSGXSSL_FIPS) $(QVL_LIB_INC) -I$(QVL_SRC_PATH) -c $< -o $@ ++ $(CXX) $(SGX_COMMON_CXXFLAGS) $(ENCLAVE_CXXFLAGS) $(if $(FIPS),-DSGXSSL_FIPS) $(QVL_LIB_INC) -I$(QVL_SRC_PATH) -c $< -o $@ + @echo "CXX <= $<" + + ifdef SERVTD_ATTEST +@@ -210,16 +210,16 @@ endif + ifdef SERVTD_ATTEST + $(QVE_NAME): $(QVE_OBJS) $(QVL_PARSER_OBJS) $(QVL_LIB_OBJS) + if [ ! 
-d "$(SERVTD_ATTEST_BUILD_DIR)" ]; then mkdir -p '$(SERVTD_ATTEST_BUILD_DIR)';fi +- @$(CXX) $^ -shared -o $(SERVTD_ATTEST_BUILD_DIR)/$@ $(ENCLAVE_LDFLAGS) $(ENCLAVE_CXXFLAGS) ++ $(CXX) $^ -shared -o $(SERVTD_ATTEST_BUILD_DIR)/$@ $(ENCLAVE_LDFLAGS) $(ENCLAVE_CXXFLAGS) + else + $(QVE_NAME): $(QVE_OBJS) $(QVE_DIR)/qve_t.o $(QVL_PARSER_OBJS) $(QVL_LIB_OBJS) $(QVL_LIB_COMMON_OBJS) +- @$(CXX) $^ -o $@ $(ENCLAVE_LDFLAGS) $(ENCLAVE_CXXFLAGS) -Wl,-soname=${SIGNED_QVE_NAME}.$(call get_major_version,QVE_VERSION) ++ $(CXX) $^ -o $@ $(ENCLAVE_LDFLAGS) $(ENCLAVE_CXXFLAGS) -Wl,-soname=${SIGNED_QVE_NAME}.$(call get_major_version,QVE_VERSION) + $(STRIP) --strip-unneeded --remove-section=.comment --remove-section=.note $@ + endif + @echo "LINK => $@" + + $(SIGNED_QVE_NAME): $(QVE_NAME) $(QVE_CONFIG_FILE) +- @$(SGX_ENCLAVE_SIGNER) sign -key $(QVE_DIR)/../../dep/dcap_ae_test_key.pem -enclave $< -out $@ -config $(QVE_CONFIG_FILE) ++ $(SGX_ENCLAVE_SIGNER) sign -key $(QVE_DIR)/../../dep/dcap_ae_test_key.pem -enclave $< -out $@ -config $(QVE_CONFIG_FILE) + @echo "SIGN => $@" + + print-% : ; @echo $* = $($*) -- 2.53.0 diff --git a/specs/l/linux-sgx/0102-Support-build-time-setting-of-enclave-load-directory.patch b/specs/l/linux-sgx/0102-Support-build-time-setting-of-enclave-load-directory.patch index 735cdb7b509..621509092a5 100644 --- a/specs/l/linux-sgx/0102-Support-build-time-setting-of-enclave-load-directory.patch +++ b/specs/l/linux-sgx/0102-Support-build-time-setting-of-enclave-load-directory.patch @@ -1,7 +1,7 @@ -From d10ce49953e1bb8cdfe3b0eb47add0caead53ebc Mon Sep 17 00:00:00 2001 +From aa175423d4f6972f0a796d865f401f2fd8dc562c Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?= Date: Mon, 26 Feb 2024 12:19:51 +0000 -Subject: [PATCH 102/131] Support build time setting of enclave load directory +Subject: [PATCH 102/127] Support build time setting of enclave load directory MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit 
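Review bot: Once the `@` prefixes are removed from the compile, link and sign recipes in the relocated ae/QvE/Makefile hunk, the remaining `@echo "CXX <= $<"`, `@echo "LINK => $@"` and `@echo "SIGN => $@"` lines print a second, less informative line after every command that make now echoes itself; since the patch's stated goal is visible compiler flags, dropping those echo lines keeps the output to one line per step. If they are kept for log scanning, a comment such as `# summary line kept for log filters; the full command is echoed by make above` would explain why both exist.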
@@ -45,18 +45,18 @@ Signed-off-by: Daniel P. Berrangé 12 files changed, 60 insertions(+), 8 deletions(-) diff --git a/QuoteGeneration/pce_wrapper/linux/Makefile b/QuoteGeneration/pce_wrapper/linux/Makefile -index debcb41d..7ceaaea8 100644 +index f44b91c8..84544fbc 100644 --- a/QuoteGeneration/pce_wrapper/linux/Makefile +++ b/QuoteGeneration/pce_wrapper/linux/Makefile -@@ -40,7 +40,7 @@ INCLUDE += -I$(ROOT_DIR)/ae/common \ - -I$(ROOT_DIR)/ae/inc \ - -I$(ROOT_DIR)/ae/inc/internal +@@ -15,7 +15,7 @@ INCLUDE += -I$(ROOT_DIR)/../ae/dep/common \ + -I$(ROOT_DIR)/../ae/dep/inc \ + -I$(ROOT_DIR)/../ae/dep/inc/internal -CXXFLAGS += -fPIC -Werror -g +CXXFLAGS += -fPIC -Werror -g -DSGX_ENCLAVE_PATH="\"$(SGX_ENCLAVE_PATH)\"" - CFLAGS += -fPIC -Werror -g Link_Flags := $(SGX_COMMON_CFLAGS) -L$(ROOT_DIR)/build/linux -L$(SGX_SDK)/lib64 -lsgx_urts -lpthread -ldl + diff --git a/QuoteGeneration/pce_wrapper/pce_wrapper.cpp b/QuoteGeneration/pce_wrapper/pce_wrapper.cpp index 7f103bdd..8384d57f 100644 --- a/QuoteGeneration/pce_wrapper/pce_wrapper.cpp @@ -78,23 +78,23 @@ index 7f103bdd..8384d57f 100644 NULL != dl_info.dli_fname) { diff --git a/QuoteGeneration/quote_wrapper/quote/linux/Makefile b/QuoteGeneration/quote_wrapper/quote/linux/Makefile -index c50fdb32..7d0b398f 100644 +index 074d4521..fbf1f09a 100644 --- a/QuoteGeneration/quote_wrapper/quote/linux/Makefile 
+++ b/QuoteGeneration/quote_wrapper/quote/linux/Makefile -@@ -51,7 +51,7 @@ Quote_Include_Paths := -I$(SGX_SDK)/include -I../inc -I../../common/inc -I./ -I. +@@ -26,7 +26,7 @@ Quote_Include_Paths := -I$(SGX_SDK)/include -I../inc -I../../common/inc -I./ -I$ - Quote_C_Flags := $(COMMON_FLAGS) -g -fPIC -Wno-attributes $(Quote_Include_Paths) + Quote_C_Flags := $(COMMON_FLAGS) -g -fPIC -Werror -Wno-attributes $(Quote_Include_Paths) --Quote_Cpp_Flags := $(Quote_C_Flags) -std=c++11 -+Quote_Cpp_Flags := $(Quote_C_Flags) -std=c++11 -DSGX_ENCLAVE_PATH="\"$(SGX_ENCLAVE_PATH)\"" - Quote_Link_Flags := $(COMMON_FLAGS) -g -L$(ROOT_DIR)/build/linux -L$(SGX_SDK)/lib64 -lsgx_urts -lpthread -ldl +-Quote_Cpp_Flags := $(Quote_C_Flags) ++Quote_Cpp_Flags := $(Quote_C_Flags) -DSGX_ENCLAVE_PATH="\"$(SGX_ENCLAVE_PATH)\"" + Quote_Link_Flags := $(COMMON_LDFLAGS) -g -pthread -L$(ROOT_DIR)/build/linux -L$(SGX_SDK)/lib64 -lsgx_urts -lpthread -ldl ifndef DEBUG diff --git a/QuoteGeneration/quote_wrapper/quote/qe_logic.cpp b/QuoteGeneration/quote_wrapper/quote/qe_logic.cpp -index 0b486a78..5d39177e 100644 +index c1301f2a..8c410711 100644 --- a/QuoteGeneration/quote_wrapper/quote/qe_logic.cpp +++ b/QuoteGeneration/quote_wrapper/quote/qe_logic.cpp -@@ -549,6 +549,15 @@ get_qe_path(const TCHAR *p_file_name, +@@ -542,6 +542,15 @@ get_qe_path(const TCHAR *p_file_name, p_file_path[buf_size - 1] = '\0'; //null terminate the string return true; } @@ -111,23 +111,23 @@ index 0b486a78..5d39177e 100644 NULL != dl_info.dli_fname) { diff --git a/QuoteGeneration/quote_wrapper/tdx_quote/linux/Makefile b/QuoteGeneration/quote_wrapper/tdx_quote/linux/Makefile -index 61ad7f3c..fc5bd208 100644 +index 8e56f8ae..ac0568da 100644 --- a/QuoteGeneration/quote_wrapper/tdx_quote/linux/Makefile 
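Review bot: `CXXFLAGS += -fPIC -Werror -g -DSGX_ENCLAVE_PATH="\"$(SGX_ENCLAVE_PATH)\""` in the pce_wrapper hunk compiles the enclave load directory into the library with no check that SGX_ENCLAVE_PATH is set; an unset variable silently yields an empty string literal, and what the added get_qe_path branches do with an empty directory is not visible in this diff. A parse-time guard before the first use, `ifeq ($(strip $(SGX_ENCLAVE_PATH)),)` / `$(error SGX_ENCLAVE_PATH must be set to the enclave install directory)` / `endif`, fails the build instead. The identical define is repeated in the quote, tdx_quote, qal, dcap_quoteverify and PCKRetrievalTool Makefile hunks that follow (`@@ -78,23 +78,23 @@` through `@@ -246,18 +246,18 @@`); if those Makefiles all include the shared buildenv.mk, that would be the single place for both the guard and the define. Appending it to the user-tunable CXXFLAGS also means a `make CXXFLAGS=…` on the command line drops the define entirely; keeping mandatory flags in a separate variable avoids that.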
+++ b/QuoteGeneration/quote_wrapper/tdx_quote/linux/Makefile -@@ -56,7 +56,7 @@ Quote_Include_Paths := -I$(SGX_SDK)/include -I../inc -I../../common/inc -I./ \ +@@ -31,7 +31,7 @@ Quote_Include_Paths := -I$(SGX_SDK)/include -I../inc -I../../common/inc -I./ \ - Quote_C_Flags := $(CFLAGS) -g -MMD -fPIC -Wno-attributes $(Quote_Include_Paths) + Quote_C_Flags := $(CFLAGS) -g -MMD -fPIC -Werror -Wno-attributes $(Quote_Include_Paths) --Quote_Cpp_Flags := $(CXXFLAGS) -g -MMD -fPIC -Wno-attributes $(Quote_Include_Paths) -+Quote_Cpp_Flags := $(CXXFLAGS) -g -MMD -fPIC -Wno-attributes $(Quote_Include_Paths) -DSGX_ENCLAVE_PATH="\"$(SGX_ENCLAVE_PATH)\"" +-Quote_Cpp_Flags := $(CXXFLAGS) -g -MMD -fPIC -Werror -Wno-attributes $(Quote_Include_Paths) ++Quote_Cpp_Flags := $(CXXFLAGS) -g -MMD -fPIC -Werror -Wno-attributes $(Quote_Include_Paths) -DSGX_ENCLAVE_PATH="\"$(SGX_ENCLAVE_PATH)\"" Quote_Link_Flags := $(COMMON_LDFLAGS) -g -L$(ROOT_DIR)/build/linux \ -L$(PCE_Library_Dir) -lsgx_pce_logic -L$(SGX_SDK)/lib64 \ -lsgx_urts -lpthread -ldl diff --git a/QuoteGeneration/quote_wrapper/tdx_quote/td_ql_logic.cpp b/QuoteGeneration/quote_wrapper/tdx_quote/td_ql_logic.cpp -index 7296d5b3..e20fa701 100644 +index ce01d3da..6e0916ae 100644 --- a/QuoteGeneration/quote_wrapper/tdx_quote/td_ql_logic.cpp +++ b/QuoteGeneration/quote_wrapper/tdx_quote/td_ql_logic.cpp -@@ -378,6 +378,14 @@ bool tee_att_config_t::get_qe_path(tee_att_ae_type_t type, +@@ -371,6 +371,14 @@ bool tee_att_config_t::get_qe_path(tee_att_ae_type_t type, p_file_path[len] = '\0'; //null terminate the string return true; } @@ -143,7 +143,7 @@ index 7296d5b3..e20fa701 100644 NULL != dl_info.dli_fname) { diff --git a/QuoteVerification/appraisal/qal/Makefile b/QuoteVerification/appraisal/qal/Makefile -index 94469dda..10ca0572 100644 +index bd93c19e..af72a783 100644 --- a/QuoteVerification/appraisal/qal/Makefile +++ b/QuoteVerification/appraisal/qal/Makefile @@ -23,7 +23,7 @@ QAL_Include_Path := -I./ \ 
@@ -154,12 +154,12 @@ index 94469dda..10ca0572 100644 +QAL_Cpp_Flags := $(CXXFLAGS) -g -fPIC $(QAL_Include_Path) -DSGX_ENCLAVE_PATH="\"$(SGX_ENCLAVE_PATH)\"" QAL_C_Flags := $(CFLAGS) -g -fPIC $(QAL_Include_Path) - QAL_Link_Flags := $(COMMON_LDFLAGS) -L$(WARM_Lib_Path) -liwasm -ldl -lm -lpthread \ + QAL_Link_Flags := $(COMMON_LDFLAGS) -L$(WARM_Lib_Path) -lvmlib -ldl -lm -lpthread \ diff --git a/QuoteVerification/appraisal/qal/qae_wrapper.cpp b/QuoteVerification/appraisal/qal/qae_wrapper.cpp -index 5659808f..35d0623a 100644 +index 71870ca7..2d3e04b3 100644 --- a/QuoteVerification/appraisal/qal/qae_wrapper.cpp +++ b/QuoteVerification/appraisal/qal/qae_wrapper.cpp -@@ -103,6 +103,14 @@ static bool get_qae_path( +@@ -82,6 +82,14 @@ static bool get_qae_path( p_file_path[buf_size - 1] = '\0'; // null terminate the string return true; } @@ -174,7 +174,7 @@ index 5659808f..35d0623a 100644 else if (0 != dladdr(__builtin_return_address(0), &dl_info) && NULL != dl_info.dli_fname) { -@@ -362,4 +370,4 @@ quote3_error_t ecall_authenticate_policy_owner(sgx_enclave_id_t eid, +@@ -337,4 +345,4 @@ quote3_error_t ecall_authenticate_policy_owner(sgx_enclave_id_t eid, retval = SGX_QL_ERROR_UNEXPECTED; } return retval; @@ -182,18 +182,18 @@ index 5659808f..35d0623a 100644 \ No newline at end of file +} diff --git a/QuoteVerification/dcap_quoteverify/linux/Makefile b/QuoteVerification/dcap_quoteverify/linux/Makefile -index 49d74948..e92cc2aa 100644 +index 26f3c6bb..f2761156 100644 --- a/QuoteVerification/dcap_quoteverify/linux/Makefile 
+++ b/QuoteVerification/dcap_quoteverify/linux/Makefile -@@ -28,7 +28,7 @@ QVL_VERIFY_INC := -I$(QVE_SRC_PATH)/Include \ +@@ -34,7 +34,7 @@ QVL_VERIFY_INC := -I$(QVE_SRC_PATH)/Include \ QPL_BASE64_CPP_DEP := $(DCAP_QPL_DIR)/sgx_base64.d - SGX_COMMON_CFLAGS += -g -fPIC -Wno-attributes -USGX_TRUSTED --SGX_COMMON_CXXFLAGS += -g -fPIC -USGX_TRUSTED -+SGX_COMMON_CXXFLAGS += -g -fPIC -USGX_TRUSTED -DSGX_ENCLAVE_PATH="\"$(SGX_ENCLAVE_PATH)\"" + SGX_COMMON_CFLAGS += $(CFLAGS) -g -fPIC -Wno-attributes -USGX_TRUSTED +-SGX_COMMON_CXXFLAGS += $(CXXFLAGS) -g -fPIC -USGX_TRUSTED ++SGX_COMMON_CXXFLAGS += $(CXXFLAGS) -g -fPIC -USGX_TRUSTED -DSGX_ENCLAVE_PATH="\"$(SGX_ENCLAVE_PATH)\"" - QVL_LIB_OBJS := $(QVL_LIB_FILES:.cpp=_untrusted.o) - QVL_PARSER_OBJS := $(QVL_PARSER_FILES:.cpp=_untrusted.o) + ifeq ($(CC_NO_LESS_THAN_8), 1) + SGX_COMMON_CFLAGS += -fcf-protection=none diff --git a/QuoteVerification/dcap_quoteverify/linux/qve_parser.cpp b/QuoteVerification/dcap_quoteverify/linux/qve_parser.cpp index e50fab0b..856de23f 100644 --- a/QuoteVerification/dcap_quoteverify/linux/qve_parser.cpp @@ -246,18 +246,18 @@ index ec19122d..634ad27b 100644 return false; (void)strncat(enclave_path, enclave_name, strnlen(enclave_name, ProgPathBufferSize)); diff --git a/tools/PCKRetrievalTool/Makefile b/tools/PCKRetrievalTool/Makefile -index 93165755..d804ce9d 100644 +index 8ff58b8a..22251bfa 100644 --- a/tools/PCKRetrievalTool/Makefile 
+++ b/tools/PCKRetrievalTool/Makefile -@@ -83,7 +83,7 @@ App_Include_Paths += -I ../../QuoteGeneration/ae/inc/internal -I ../SGXPlatformR +@@ -74,7 +74,7 @@ App_Include_Paths += -I ../../QuoteGeneration/common/inc/internal + App_Include_Paths += -I ../../ae/dep/inc/internal -I ../SGXPlatformRegistration/include - App_C_Flags := $(COMMON_FLAGS) -fPIC -Wno-attributes $(App_Include_Paths) + App_C_Flags := $(COMMON_FLAGS) $(CFLAGS) $(App_Include_Paths) +-App_Cpp_Flags := $(COMMON_FLAGS) $(CXXFLAGS) $(App_Include_Paths) ++App_Cpp_Flags := $(COMMON_FLAGS) $(CXXFLAGS) $(App_Include_Paths) -DSGX_ENCLAVE_PATH="\"$(SGX_ENCLAVE_PATH)\"" --App_Cpp_Flags := $(App_C_Flags) -std=c++11 -+App_Cpp_Flags := $(App_C_Flags) -std=c++11 -DSGX_ENCLAVE_PATH="\"$(SGX_ENCLAVE_PATH)\"" App_Link_Flags := $(SGX_COMMON_CFLAGS) -Wl,-z,relro,-z,now,-z,noexecstack App_Link_Flags += -lcurl -ldl -lpthread - ifeq ($(STANDALONE), 1) -- 2.53.0 diff --git a/specs/l/linux-sgx/0103-Look-for-versioned-sgx_urts-library-in-PCKRetrievalT.patch b/specs/l/linux-sgx/0103-Look-for-versioned-sgx_urts-library-in-PCKRetrievalT.patch index 32dd9ac26aa..0d5d6b525fc 100644 --- a/specs/l/linux-sgx/0103-Look-for-versioned-sgx_urts-library-in-PCKRetrievalT.patch +++ b/specs/l/linux-sgx/0103-Look-for-versioned-sgx_urts-library-in-PCKRetrievalT.patch @@ -1,7 +1,7 @@ -From 96c2b15fc4a5b350d66950041e058d007004ce8e Mon Sep 17 00:00:00 2001 +From 38880d491208012697daa55555ec7d0b5716da57 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?= Date: Tue, 27 Feb 2024 15:46:41 +0000 -Subject: [PATCH 103/131] Look for versioned sgx_urts library in +Subject: [PATCH 103/127] Look for versioned sgx_urts library in PCKRetrievalTool MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 diff --git a/specs/l/linux-sgx/0104-pcsclient-only-import-pypac-module-on-Windows.patch b/specs/l/linux-sgx/0104-pcsclient-only-import-pypac-module-on-Windows.patch index 0d68a18a678..f0676a79bfb 100644 
--- a/specs/l/linux-sgx/0104-pcsclient-only-import-pypac-module-on-Windows.patch +++ b/specs/l/linux-sgx/0104-pcsclient-only-import-pypac-module-on-Windows.patch @@ -1,7 +1,7 @@ -From 6d4c9642dc6c9e2915c004e6a87855ba94b43e49 Mon Sep 17 00:00:00 2001 +From 34587f84399c672fc3da229c3288681b54b250d8 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?= Date: Fri, 4 Oct 2024 17:41:37 +0100 -Subject: [PATCH 104/131] pcsclient: only import 'pypac' module on Windows +Subject: [PATCH 104/127] pcsclient: only import 'pypac' module on Windows MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit @@ -16,13 +16,13 @@ Signed-off-by: Daniel P. Berrangé 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/tools/PcsClientTool/lib/intelsgx/pcs.py b/tools/PcsClientTool/lib/intelsgx/pcs.py -index 9f1d2245..046c781d 100644 +index fa13c2a2..8fd28e2b 100644 --- a/tools/PcsClientTool/lib/intelsgx/pcs.py +++ b/tools/PcsClientTool/lib/intelsgx/pcs.py -@@ -5,8 +5,9 @@ import json - import binascii - from urllib import parse - from OpenSSL import crypto +@@ -32,8 +32,9 @@ if verification is None: + import tempfile + import subprocess + -from pypac import PACSession from platform import system +if system() == 'Windows': diff --git a/specs/l/linux-sgx/0105-Look-for-PCKRetrievalTool-config-file-in-etc.patch b/specs/l/linux-sgx/0105-Look-for-PCKRetrievalTool-config-file-in-etc.patch index e8a6a49f473..7a18b5b399f 100644 --- a/specs/l/linux-sgx/0105-Look-for-PCKRetrievalTool-config-file-in-etc.patch +++ b/specs/l/linux-sgx/0105-Look-for-PCKRetrievalTool-config-file-in-etc.patch @@ -1,7 +1,7 @@ -From a7e0d0095ff19aee8b32d25ccc52593c09112c56 Mon Sep 17 00:00:00 2001 +From ae8dae8f9a342190cf3218ca9549eef86531c327 Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?= Date: Thu, 29 Feb 2024 14:21:36 +0000 -Subject: [PATCH 105/131] Look for PCKRetrievalTool config file in /etc/ +Subject: [PATCH 105/127] Look for PCKRetrievalTool config file in /etc/ MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit diff --git a/specs/l/linux-sgx/0106-Honour-CFLAGS-CXXFLAGS-LDFLAGS-for-various-tools-and.patch b/specs/l/linux-sgx/0106-Honour-CFLAGS-CXXFLAGS-LDFLAGS-for-various-tools-and.patch index 0a280b70472..3b2dd9bfe3e 100644 --- a/specs/l/linux-sgx/0106-Honour-CFLAGS-CXXFLAGS-LDFLAGS-for-various-tools-and.patch +++ b/specs/l/linux-sgx/0106-Honour-CFLAGS-CXXFLAGS-LDFLAGS-for-various-tools-and.patch @@ -1,7 +1,7 @@ -From f822ca390720dcfc20923c6778fdeb8b6127b149 Mon Sep 17 00:00:00 2001 +From c53e28aec887ef3fbfcd91621b0726ab84dc4f1f Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?= Date: Fri, 28 Mar 2025 16:00:27 +0000 -Subject: [PATCH 106/131] Honour CFLAGS/CXXFLAGS/LDFLAGS for various tools and +Subject: [PATCH 106/127] Honour CFLAGS/CXXFLAGS/LDFLAGS for various tools and libraries MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 @@ -9,48 +9,45 @@ Content-Transfer-Encoding: 8bit 
Signed-off-by: Daniel P. Berrangé --- - QuoteGeneration/qcnl/linux/Makefile | 7 ++++--- + QuoteGeneration/qcnl/linux/Makefile | 5 +++-- QuoteGeneration/qpl/linux/Makefile | 4 ++-- QuoteGeneration/quote_wrapper/qgs/Makefile | 2 +- - QuoteGeneration/quote_wrapper/ql/linux/Makefile | 7 ++++--- + QuoteGeneration/quote_wrapper/ql/linux/Makefile | 5 +++-- QuoteGeneration/quote_wrapper/quote/linux/Makefile | 2 +- - QuoteVerification/dcap_quoteverify/linux/Makefile | 6 +++--- - tools/PCKCertSelection/PCKCertSelectionLib/Makefile | 4 ++-- - tools/PCKRetrievalTool/Makefile | 9 +++++---- + QuoteVerification/dcap_quoteverify/linux/Makefile | 2 +- + tools/PCKCertSelection/PCKCertSelectionLib/Makefile | 2 +- + tools/PCKRetrievalTool/Makefile | 6 +++--- tools/SGXPlatformRegistration/Makefile | 8 ++++---- - 9 files changed, 26 insertions(+), 23 deletions(-) + 9 files changed, 19 insertions(+), 17 deletions(-) diff --git a/QuoteGeneration/qcnl/linux/Makefile b/QuoteGeneration/qcnl/linux/Makefile -index 7be0370d..f0f800ea 100644 +index 74b2ac95..d2c8f8da 100644 --- a/QuoteGeneration/qcnl/linux/Makefile 
+++ b/QuoteGeneration/qcnl/linux/Makefile -@@ -46,12 +46,13 @@ CNL_Lib_Include_Paths := -I../../quote_wrapper/common/inc \ - -I../../../QuoteVerification/QVL/Src/ThirdParty/rapidjson/include/rapidjson \ - -I../../../tools/PCKCertSelection/include +@@ -23,10 +23,11 @@ CNL_Lib_Include_Paths := -I../../quote_wrapper/common/inc \ --CNL_Lib_C_Flags := $(COMMON_FLAGS) -g -fPIC -Wno-attributes $(CNL_Lib_Include_Paths) $(shell pkg-config --cflags libcrypto) -+CNL_Lib_Common_Flags := $(COMMON_FLAGS) -g -fPIC -Wno-attributes $(CNL_Lib_Include_Paths) $(shell pkg-config --cflags libcrypto) -+CNL_Lib_C_Flags := $(CFLAGS) $(CNL_Lib_Common_Flags) + CNL_Lib_C_Flags := $(COMMON_FLAGS) -g -fPIC -Werror -Wno-attributes $(CNL_Lib_Include_Paths) $(shell pkg-config --cflags libcrypto) -LDUFLAGS:= -pthread $(COMMON_LDFLAGS) +LDUFLAGS:= $(LDFLAGS) -pthread $(COMMON_LDFLAGS) LDUFLAGS += -Wl,--version-script=sgx_default_qcnl.lds -Wl,--gc-sections --CNL_Lib_Cpp_Flags := $(CNL_Lib_C_Flags) -std=c++11 -+CNL_Lib_Cpp_Flags := $(CXXFLAGS) $(CNL_Lib_Common_Flags) -std=c++11 +-CNL_Lib_Cpp_Flags := $(CNL_Lib_C_Flags) ++CNL_Lib_Cpp_Flags := $(CXXFLAGS) $(CNL_Lib_C_Flags) ++CNL_Lib_C_Flags += $(CFLAGS) ifdef SELF_SIGNED_CERT CNL_Lib_Cpp_Flags+= -DSELF_SIGNED_CERT diff --git a/QuoteGeneration/qpl/linux/Makefile b/QuoteGeneration/qpl/linux/Makefile -index b109a581..e2865397 100644 +index 52b91b0a..c1ccfb9c 100644 --- a/QuoteGeneration/qpl/linux/Makefile 
+++ b/QuoteGeneration/qpl/linux/Makefile -@@ -48,9 +48,9 @@ QPL_Lib_C_Flags := $(COMMON_FLAGS) -g -fPIC -Wno-attributes $(QPL_Lib_Include_Pa +@@ -23,9 +23,9 @@ QPL_Lib_C_Flags := $(COMMON_FLAGS) -g -fPIC -Werror -Wno-attributes $(QPL_Lib_In LDUFLAGS:= -pthread $(COMMON_LDFLAGS) LDUFLAGS += -Wl,--version-script=sgx_default_quote_provider.lds -Wl,--gc-sections --QPL_Lib_Cpp_Flags := $(QPL_Lib_C_Flags) -std=c++11 -+QPL_Lib_Cpp_Flags := $(CXXFLAGS) $(QPL_Lib_C_Flags) -std=c++11 +-QPL_Lib_Cpp_Flags := $(QPL_Lib_C_Flags) ++QPL_Lib_Cpp_Flags := $(CXXFLAGS) $(QPL_Lib_C_Flags) -QPL_Lib_Link_Flags := $(SGX_COMMON_FLAGS) -g -L$(TOP_DIR)/build/linux -L$(SGX_SDK)/lib64 \ +QPL_Lib_Link_Flags := $(LDFLAGS) $(SGX_COMMON_FLAGS) -g -L$(TOP_DIR)/build/linux -L$(SGX_SDK)/lib64 \ @@ -58,10 +55,10 @@ index b109a581..e2865397 100644 ifndef DEBUG diff --git a/QuoteGeneration/quote_wrapper/qgs/Makefile b/QuoteGeneration/quote_wrapper/qgs/Makefile -index 5d87e4d1..8228bdfc 100644 +index 16dfeacc..2faa6130 100644 --- a/QuoteGeneration/quote_wrapper/qgs/Makefile +++ b/QuoteGeneration/quote_wrapper/qgs/Makefile -@@ -51,7 +51,7 @@ endif +@@ -26,7 +26,7 @@ endif DEPENDS = ${QGS_OBJS test_client.o:.o=.d} # SGX related libraries @@ -71,56 +68,39 @@ index 5d87e4d1..8228bdfc 100644 # add boost_system for link QGS_LFLAGS += -lboost_system -lboost_thread -lpthread diff --git a/QuoteGeneration/quote_wrapper/ql/linux/Makefile b/QuoteGeneration/quote_wrapper/ql/linux/Makefile -index c5d877b5..29836652 100644 +index a717f4d0..8c9364c4 100644 --- a/QuoteGeneration/quote_wrapper/ql/linux/Makefile 
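Review bot: In the qcnl/linux Makefile hunk the distro C flags are appended last (`CNL_Lib_C_Flags += $(CFLAGS)`) while the C++ flags are prepended (`CNL_Lib_Cpp_Flags := $(CXXFLAGS) $(CNL_Lib_C_Flags)`), so for C the distro flags take precedence over upstream's `-g`/`COMMON_FLAGS` but for C++ upstream's flags take precedence; the ql/linux Makefile hunk later in this patch has the same asymmetry. The `:=` on the C++ line is what keeps `$(CFLAGS)` out of the C++ build, which looks intentional, but it depends on statement order, so a comment such as `# C++ gets CXXFLAGS only: keep this := above the CFLAGS += below` would protect it from a later reorder. Note also that `-Werror` stays on the upstream flag line, so any diagnostic triggered by a distro-supplied flag now fails the build rather than warning.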
+++ b/QuoteGeneration/quote_wrapper/ql/linux/Makefile -@@ -48,13 +48,14 @@ QL_Lib_C_Files := se_trace.c se_thread.c - QL_Lib_Include_Paths := -I../../common/inc -I./ -I$(SGX_SDK)/include -I../../../common/inc/internal - QL_Lib_Include_Paths += -I../../quote/inc -I../../../pce_wrapper/inc -I../inc - --QL_Lib_C_Flags := $(COMMON_FLAGS) -g -fPIC -Wno-attributes $(QL_Lib_Include_Paths) -+QL_Lib_Common_Flags := $(COMMON_FLAGS) -g -fPIC -Wno-attributes $(QL_Lib_Include_Paths) -+QL_Lib_C_Flags := $(CFLAGS) $(QL_Lib_Common_Flags) - +@@ -28,8 +28,9 @@ QL_Lib_C_Flags := $(COMMON_FLAGS) -g -fPIC -Werror -Wno-attributes $(QL_Lib_Incl LDUFLAGS:= -pthread $(COMMON_LDFLAGS) LDUFLAGS += -Wl,--version-script=dcap_ql_wrapper.lds -Wl,--gc-sections --QL_Lib_Cpp_Flags := $(QL_Lib_C_Flags) -std=c++11 +-QL_Lib_Cpp_Flags := $(QL_Lib_C_Flags) -QL_Lib_Link_Flags := $(SGX_COMMON_FLAGS) -g -L$(Quote_Library_Dir) -lsgx_qe3_logic -L$(PCE_Library_Dir) -lsgx_pce_logic -L$(TOP_DIR)/build/linux -L$(SGX_SDK)/lib64 -lpthread -ldl -+QL_Lib_Cpp_Flags := $(CXXFLAGS) $(QL_Lib_Common_Flags) -std=c++11 ++QL_Lib_Cpp_Flags := $(CXXFLAGS) $(QL_Lib_C_Flags) ++QL_Lib_C_Flags += $(CFLAGS) +QL_Lib_Link_Flags := $(LDFLAGS) $(SGX_COMMON_FLAGS) -g -L$(Quote_Library_Dir) -lsgx_qe3_logic -L$(PCE_Library_Dir) -lsgx_pce_logic -L$(TOP_DIR)/build/linux -L$(SGX_SDK)/lib64 -lpthread -ldl QL_Lib_Cpp_Flags += -DDISABLE_TRACE QL_Lib_Link_Flags += -DDISABLE_TRACE diff --git a/QuoteGeneration/quote_wrapper/quote/linux/Makefile b/QuoteGeneration/quote_wrapper/quote/linux/Makefile -index 7d0b398f..9b8c936c 100644 +index fbf1f09a..47684976 100644 --- a/QuoteGeneration/quote_wrapper/quote/linux/Makefile 
+++ b/QuoteGeneration/quote_wrapper/quote/linux/Makefile -@@ -52,7 +52,7 @@ Quote_Include_Paths := -I$(SGX_SDK)/include -I../inc -I../../common/inc -I./ -I. - Quote_C_Flags := $(COMMON_FLAGS) -g -fPIC -Wno-attributes $(Quote_Include_Paths) +@@ -27,7 +27,7 @@ Quote_Include_Paths := -I$(SGX_SDK)/include -I../inc -I../../common/inc -I./ -I$ + Quote_C_Flags := $(COMMON_FLAGS) -g -fPIC -Werror -Wno-attributes $(Quote_Include_Paths) - Quote_Cpp_Flags := $(Quote_C_Flags) -std=c++11 -DSGX_ENCLAVE_PATH="\"$(SGX_ENCLAVE_PATH)\"" --Quote_Link_Flags := $(COMMON_FLAGS) -g -L$(ROOT_DIR)/build/linux -L$(SGX_SDK)/lib64 -lsgx_urts -lpthread -ldl -+Quote_Link_Flags := $(COMMON_FLAGS) -g -L$(ROOT_DIR)/build/linux -L$(SGX_SDK)/lib64 -lsgx_urts -lpthread -ldl $(LDFLAGS) + Quote_Cpp_Flags := $(Quote_C_Flags) -DSGX_ENCLAVE_PATH="\"$(SGX_ENCLAVE_PATH)\"" +-Quote_Link_Flags := $(COMMON_LDFLAGS) -g -pthread -L$(ROOT_DIR)/build/linux -L$(SGX_SDK)/lib64 -lsgx_urts -lpthread -ldl ++Quote_Link_Flags := $(COMMON_LDFLAGS) -g -pthread -L$(ROOT_DIR)/build/linux -L$(SGX_SDK)/lib64 -lsgx_urts -lpthread -ldl $(LDFLAGS) ifndef DEBUG Quote_Cpp_Flags += -DDISABLE_TRACE diff --git a/QuoteVerification/dcap_quoteverify/linux/Makefile b/QuoteVerification/dcap_quoteverify/linux/Makefile -index e92cc2aa..4b9103fe 100644 +index f2761156..39bf87fc 100644 --- a/QuoteVerification/dcap_quoteverify/linux/Makefile 
+++ b/QuoteVerification/dcap_quoteverify/linux/Makefile -@@ -27,8 +27,8 @@ QVL_VERIFY_INC := -I$(QVE_SRC_PATH)/Include \ - - QPL_BASE64_CPP_DEP := $(DCAP_QPL_DIR)/sgx_base64.d - --SGX_COMMON_CFLAGS += -g -fPIC -Wno-attributes -USGX_TRUSTED --SGX_COMMON_CXXFLAGS += -g -fPIC -USGX_TRUSTED -DSGX_ENCLAVE_PATH="\"$(SGX_ENCLAVE_PATH)\"" -+SGX_COMMON_CFLAGS += $(CFLAGS) -g -fPIC -Wno-attributes -USGX_TRUSTED -+SGX_COMMON_CXXFLAGS += $(CXXFLAGS) -g -fPIC -USGX_TRUSTED -DSGX_ENCLAVE_PATH="\"$(SGX_ENCLAVE_PATH)\"" - - QVL_LIB_OBJS := $(QVL_LIB_FILES:.cpp=_untrusted.o) - QVL_PARSER_OBJS := $(QVL_PARSER_FILES:.cpp=_untrusted.o) -@@ -38,7 +38,7 @@ QVL_PARSER := sgx_dcap_qvl_attestation +@@ -49,7 +49,7 @@ QVL_PARSER := sgx_dcap_qvl_attestation QVL_LIB_NAME := lib$(QVL_LIB).a QVL_PARSER_NAME := lib$(QVL_PARSER).a @@ -130,40 +110,32 @@ index e92cc2aa..4b9103fe 100644 QVL_VERIFY_CPP_SRCS := $(wildcard ../*.cpp) $(wildcard *.cpp) diff --git a/tools/PCKCertSelection/PCKCertSelectionLib/Makefile b/tools/PCKCertSelection/PCKCertSelectionLib/Makefile -index 6e1c7876..4b8ff9dc 100644 +index 5c586d86..1a565b70 100644 --- a/tools/PCKCertSelection/PCKCertSelectionLib/Makefile 
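Review bot: The dcap_quoteverify/linux Makefile hunk that added `$(CFLAGS)`/`$(CXXFLAGS)` to `SGX_COMMON_CFLAGS`/`SGX_COMMON_CXXFLAGS` is dropped from the rebased patch (its diffstat line goes from `6 +++---` to `2 +-`), leaving only the link-flag change for that directory. If the new upstream snapshot did not absorb that change itself, the QVL and parser objects would now be compiled without the distro hardening flags the rest of this patch exists to honour; the new upstream Makefile is not visible here, so this is worth confirming before merge. Separately, the quote/linux Makefile hunk appends `$(LDFLAGS)` at the end of `Quote_Link_Flags` whereas the qcnl, qpl, ql, PCKCertSelection and PCKRetrievalTool hunks prepend it; a single placement would make flag precedence predictable across the tree.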
+++ b/tools/PCKCertSelection/PCKCertSelectionLib/Makefile -@@ -129,11 +129,11 @@ DEBUG_FLAGS := -m64 -O0 -g - RELEASE_FLAGS := -m64 -O2 $(COMMON_FLAGS) - - # basic library c build flags --C_FLAGS := -fPIC -fvisibility=hidden -fvisibility-inlines-hidden -Werror -Wno-overloaded-virtual $(LIB_INCLUDE_PATHS) -+C_FLAGS := $(CFLAGS) -fPIC -fvisibility=hidden -fvisibility-inlines-hidden -Werror -Wno-overloaded-virtual $(LIB_INCLUDE_PATHS) - C_FLAGS += -UPCK_CERT_SELECTION_WITH_COMPONENT +@@ -126,7 +126,7 @@ CXXFLAGS += -m64 -fPIC -fvisibility=hidden -fvisibility-inlines-hidden -Werror - + CXXFLAGS += -UPCK_CERT_SELECTION_WITH_COMPONENT - # link flags, link openssl crypto --LINK_FLAGS := -shared -lcrypto -lpthread -ldl -+LINK_FLAGS := $(LDFLAGS) -shared -lcrypto -lpthread -ldl + # Link flags +-LINK_FLAGS := -m64 -shared $(COMMON_LDFLAGS) -lcrypto -lpthread -ldl ++LINK_FLAGS := $(LDFLAGS) -m64 -shared $(COMMON_LDFLAGS) -lcrypto -lpthread -ldl LINK_FLAGS += -Wl,--version-script=pck_cert_selection.lds -Wl,--gc-sections - # debug/release switch + # Strip only in RELEASE builds diff --git a/tools/PCKRetrievalTool/Makefile b/tools/PCKRetrievalTool/Makefile -index d804ce9d..422f329a 100644 +index 22251bfa..0688c503 100644 --- a/tools/PCKRetrievalTool/Makefile 
+++ b/tools/PCKRetrievalTool/Makefile -@@ -83,8 +83,9 @@ App_Include_Paths += -I ../../QuoteGeneration/ae/inc/internal -I ../SGXPlatformR - - App_C_Flags := $(COMMON_FLAGS) -fPIC -Wno-attributes $(App_Include_Paths) +@@ -76,7 +76,7 @@ App_Include_Paths += -I ../../ae/dep/inc/internal -I ../SGXPlatformRegistration/ + App_C_Flags := $(COMMON_FLAGS) $(CFLAGS) $(App_Include_Paths) + App_Cpp_Flags := $(COMMON_FLAGS) $(CXXFLAGS) $(App_Include_Paths) -DSGX_ENCLAVE_PATH="\"$(SGX_ENCLAVE_PATH)\"" --App_Cpp_Flags := $(App_C_Flags) -std=c++11 -DSGX_ENCLAVE_PATH="\"$(SGX_ENCLAVE_PATH)\"" -App_Link_Flags := $(SGX_COMMON_CFLAGS) -Wl,-z,relro,-z,now,-z,noexecstack -+App_Cpp_Flags := $(CXXFLAGS) $(App_C_Flags) -std=c++11 -DSGX_ENCLAVE_PATH="\"$(SGX_ENCLAVE_PATH)\"" -+App_C_Flags += $(CFLAGS) +App_Link_Flags := $(CXXFLAGS) $(LDFLAGS) $(SGX_COMMON_CFLAGS) -Wl,-z,relro,-z,now,-z,noexecstack App_Link_Flags += -lcurl -ldl -lpthread ifeq ($(STANDALONE), 1) App_Link_Flags += '-Wl,-rpath,$$ORIGIN' -@@ -114,11 +115,11 @@ App/id_enclave_u.c: +@@ -105,11 +105,11 @@ App/id_enclave_u.c: echo "GEN => $@" App/id_enclave_u.o: App/id_enclave_u.c @@ -178,10 +150,10 @@ index d804ce9d..422f329a 100644 App/%.o: App/%.cpp diff --git a/tools/SGXPlatformRegistration/Makefile b/tools/SGXPlatformRegistration/Makefile -index a4f54099..b5b8dcac 100644 +index 2b10a4c3..d0f4b053 100644 --- a/tools/SGXPlatformRegistration/Makefile +++ b/tools/SGXPlatformRegistration/Makefile -@@ -127,11 +127,11 @@ OBJS_MPA_MANAGE_APP := $(patsubst $(MPA_MANAGE_PATH)/src/%.cpp,$(OBJ_MPA_MANAGE_ +@@ -112,11 +112,11 @@ OBJS_MPA_MANAGE_APP := $(patsubst $(MPA_MANAGE_PATH)/src/%.cpp,$(OBJ_MPA_MANAGE_ OBJ_TEST_PATH := $(OBJ_PATH)/test OBJS_TEST := $(patsubst $(TEST_PATH)/%.cpp,$(OBJ_TEST_PATH)/%.o, $(SRC_TEST)) 
@@ -195,8 +167,8 @@ index a4f54099..b5b8dcac 100644 -LD_GTEST := -L$(GTEST_PATH)/lib -lgtest -lgmock_main -lgmock -lpthread +LD_GTEST := $(LDFLAGS) -L$(GTEST_PATH)/lib -lgtest -lgmock_main -lgmock -lpthread - CXX_WARNINGS := -Wall -Wextra -Winit-self -Wpointer-arith -Wreturn-type -Waddress -Wsequence-point -Wformat-security -Wmissing-include-dirs -Wfloat-equal -Wundef -Wshadow -Wcast-align -Wconversion -Wredundant-decls - CXXFLAGS := -std=c++17 -fPIC -Wnon-virtual-dtor -fstack-protector -ffunction-sections -DITT_ARCH_IA64 -fcf-protection $(CXX_WARNINGS) + CXX_WARNINGS := -Wall -Wextra -Winit-self -Wpointer-arith -Wreturn-type -Waddress -Wsequence-point -Wformat-security \ + -Wmissing-include-dirs -Wfloat-equal -Wundef -Wshadow -Wcast-align -Wconversion -Wredundant-decls -- 2.53.0 diff --git a/specs/l/linux-sgx/0107-qgs-add-space-between-program-name-first-arg-in-usag.patch b/specs/l/linux-sgx/0107-qgs-add-space-between-program-name-first-arg-in-usag.patch index ce9cee7de2f..5b0b2faef82 100644 --- a/specs/l/linux-sgx/0107-qgs-add-space-between-program-name-first-arg-in-usag.patch +++ b/specs/l/linux-sgx/0107-qgs-add-space-between-program-name-first-arg-in-usag.patch @@ -1,7 +1,7 @@ -From 456990090bfc0e229abf09e7e43ba544e990de43 Mon Sep 17 00:00:00 2001 +From 56e82b013fb62af8d5805da1993f05cadf401350 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?= Date: Thu, 3 Oct 2024 14:42:29 +0100 -Subject: [PATCH 107/131] qgs: add space between program name & first arg in +Subject: [PATCH 107/127] qgs: add space between program name & first arg in usage MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 diff --git a/specs/l/linux-sgx/0108-qgs-protect-against-format-strings-in-QL-log-message.patch b/specs/l/linux-sgx/0108-qgs-protect-against-format-strings-in-QL-log-message.patch index f751542c63e..9d755b24600 100644 --- a/specs/l/linux-sgx/0108-qgs-protect-against-format-strings-in-QL-log-message.patch 
+++ b/specs/l/linux-sgx/0108-qgs-protect-against-format-strings-in-QL-log-message.patch @@ -1,7 +1,7 @@ -From 3571160e4372c7c326117ea5ba098f318bd09ddf Mon Sep 17 00:00:00 2001 +From d07488f32723bb310712e0cd6c744028ca643fd3 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?= Date: Fri, 4 Oct 2024 09:43:17 +0100 -Subject: [PATCH 108/131] qgs: protect against format strings in QL log +Subject: [PATCH 108/127] qgs: protect against format strings in QL log messages MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 @@ -18,7 +18,7 @@ Signed-off-by: Daniel P. Berrangé 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/QuoteGeneration/quote_wrapper/qgs/qgs_ql_logic.cpp b/QuoteGeneration/quote_wrapper/qgs/qgs_ql_logic.cpp -index 77838c31..1e97b586 100644 +index ce37e418..12c51596 100644 --- a/QuoteGeneration/quote_wrapper/qgs/qgs_ql_logic.cpp +++ b/QuoteGeneration/quote_wrapper/qgs/qgs_ql_logic.cpp @@ -50,10 +50,10 @@ typedef quote3_error_t (*sgx_ql_set_logging_callback_t)(sgx_ql_logging_callback_ diff --git a/specs/l/linux-sgx/0109-qgs-add-debug-parameter-to-control-logging.patch b/specs/l/linux-sgx/0109-qgs-add-debug-parameter-to-control-logging.patch index 61d80c2d1f9..0b540c5ef77 100644 --- a/specs/l/linux-sgx/0109-qgs-add-debug-parameter-to-control-logging.patch +++ b/specs/l/linux-sgx/0109-qgs-add-debug-parameter-to-control-logging.patch @@ -1,7 +1,7 @@ -From a6333110e96533ad82de21ab1c269791cfc64655 Mon Sep 17 00:00:00 2001 +From b193dc9b0f715eb14044e1e848c2a0c4c40d1f55 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?= Date: Thu, 3 Oct 2024 16:57:35 +0100 -Subject: [PATCH 109/131] qgs: add --debug parameter to control logging +Subject: [PATCH 109/127] qgs: add --debug parameter to control logging MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit @@ -64,7 +64,7 @@ index 1d7fd747..05d41a44 100644 void qgs_log_init_ex(bool nosyslog); void qgs_log_fini(void); 
diff --git a/QuoteGeneration/quote_wrapper/qgs/qgs_ql_logic.cpp b/QuoteGeneration/quote_wrapper/qgs/qgs_ql_logic.cpp -index 1e97b586..db642f70 100644 +index 12c51596..ad49d888 100644 --- a/QuoteGeneration/quote_wrapper/qgs/qgs_ql_logic.cpp +++ b/QuoteGeneration/quote_wrapper/qgs/qgs_ql_logic.cpp @@ -113,8 +113,8 @@ namespace intel { namespace sgx { namespace dcap { namespace qgs { diff --git a/specs/l/linux-sgx/0110-pcsclient-remove-leftover-debugging-print-args-state.patch b/specs/l/linux-sgx/0110-pcsclient-remove-leftover-debugging-print-args-state.patch index cc76ecf48d5..4c2f1a36cdd 100644 --- a/specs/l/linux-sgx/0110-pcsclient-remove-leftover-debugging-print-args-state.patch +++ b/specs/l/linux-sgx/0110-pcsclient-remove-leftover-debugging-print-args-state.patch @@ -1,7 +1,7 @@ -From b3580bc3d44436de9280fc26a12ad51a324aa8ac Mon Sep 17 00:00:00 2001 +From cdda8a978fcb996f567ad7e72e5e45c93b5ae024 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?= Date: Tue, 8 Oct 2024 10:13:02 +0100 -Subject: [PATCH 110/131] pcsclient: remove leftover debugging 'print(args)' +Subject: [PATCH 110/127] pcsclient: remove leftover debugging 'print(args)' statement MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 @@ -17,7 +17,7 @@ Signed-off-by: Daniel P. Berrangé 1 file changed, 2 deletions(-) diff --git a/tools/PcsClientTool/pcsclient.py b/tools/PcsClientTool/pcsclient.py -index f8432cab..1759833f 100755 +index 07ab8080..eef984af 100755 --- a/tools/PcsClientTool/pcsclient.py +++ b/tools/PcsClientTool/pcsclient.py @@ -63,8 +63,6 @@ def main(): diff --git a/specs/l/linux-sgx/0111-Fix-soname-version-for-libsgx_qe3_logic.so-library.patch b/specs/l/linux-sgx/0111-Fix-soname-version-for-libsgx_qe3_logic.so-library.patch index f60155888cf..1b5a088df4b 100644 --- a/specs/l/linux-sgx/0111-Fix-soname-version-for-libsgx_qe3_logic.so-library.patch +++ b/specs/l/linux-sgx/0111-Fix-soname-version-for-libsgx_qe3_logic.so-library.patch 
@@ -1,7 +1,7 @@ -From 9ac872a88b5f9813005e4af8f8f460cc33548427 Mon Sep 17 00:00:00 2001 +From f31fe57de72e42558e408f93540c8887ee0f217e Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?= Date: Fri, 17 Jan 2025 15:39:39 +0000 -Subject: [PATCH 111/131] Fix soname version for libsgx_qe3_logic.so library +Subject: [PATCH 111/127] Fix soname version for libsgx_qe3_logic.so library MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit @@ -13,7 +13,7 @@ Signed-off-by: Daniel P. Berrangé 2 files changed, 8 insertions(+), 1 deletion(-) diff --git a/QuoteGeneration/common/inc/internal/se_version.h b/QuoteGeneration/common/inc/internal/se_version.h -index 564cb75d..edf30d77 100644 +index a6d7ad96..0b5087b8 100644 --- a/QuoteGeneration/common/inc/internal/se_version.h +++ b/QuoteGeneration/common/inc/internal/se_version.h @@ -16,6 +16,11 @@ @@ -27,12 +27,12 @@ index 564cb75d..edf30d77 100644 +#define QE3_WRAPPER_VERSION "1.0.0" #define QE3_VERSION "1.22.100.1" - #define QVE_VERSION "1.24.100.1" + #define QVE_VERSION "1.25.100.1" diff --git a/QuoteGeneration/quote_wrapper/quote/linux/Makefile b/QuoteGeneration/quote_wrapper/quote/linux/Makefile -index 9b8c936c..c92d7827 100644 +index 47684976..63542e58 100644 --- a/QuoteGeneration/quote_wrapper/quote/linux/Makefile +++ b/QuoteGeneration/quote_wrapper/quote/linux/Makefile -@@ -65,6 +65,8 @@ Quote_C_Objects := $(Quote_C_Files:.c=.o) +@@ -39,6 +39,8 @@ Quote_C_Objects := $(Quote_C_Files:.c=.o) Quote_Cpp_Objects := $(Quote_Cpp_Files:.cpp=.o) Quote_Name := libsgx_qe3_logic.so @@ -41,7 +41,7 @@ index 9b8c936c..c92d7827 100644 .PHONY: all all: install_lib -@@ -94,7 +96,7 @@ $(Quote_Cpp_Objects): %.o: %.cpp +@@ -68,7 +70,7 @@ $(Quote_Cpp_Objects): %.o: %.cpp @echo "CXX <= $<" $(Quote_Name): $(Quote_C_Objects) $(Quote_Cpp_Objects) 
diff --git a/specs/l/linux-sgx/0112-Workaround-broken-GCC-15.patch b/specs/l/linux-sgx/0112-Workaround-broken-GCC-15.patch index 44ebf868e1a..c0ea35d7b83 100644 --- a/specs/l/linux-sgx/0112-Workaround-broken-GCC-15.patch +++ b/specs/l/linux-sgx/0112-Workaround-broken-GCC-15.patch @@ -1,7 +1,7 @@ -From 67a818bc7d96d9df9b28be94ceecfdc10beced87 Mon Sep 17 00:00:00 2001 +From 5a18d8d08db1a051a810085427873922e3d9f92a Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?= Date: Thu, 6 Feb 2025 20:08:59 +0000 -Subject: [PATCH 112/131] Workaround broken GCC 15 +Subject: [PATCH 112/127] Workaround broken GCC 15 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit diff --git a/specs/l/linux-sgx/0113-Don-t-disable-cf-protection-for-qgs.patch b/specs/l/linux-sgx/0113-Don-t-disable-cf-protection-for-qgs.patch index a7afac2f264..d2f713fcd1b 100644 --- a/specs/l/linux-sgx/0113-Don-t-disable-cf-protection-for-qgs.patch +++ b/specs/l/linux-sgx/0113-Don-t-disable-cf-protection-for-qgs.patch @@ -1,7 +1,7 @@ -From 1e4b1188408c896c795271fd20af7fc1a902a78a Mon Sep 17 00:00:00 2001 +From 20494e4793ffbf276fb195a2caf971eff3a5844b Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?= Date: Wed, 2 Apr 2025 18:39:31 +0100 -Subject: [PATCH 113/131] Don't disable cf-protection for qgs +Subject: [PATCH 113/127] Don't disable cf-protection for qgs MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit @@ -12,13 +12,13 @@ Signed-off-by: Daniel P. Berrangé 1 file changed, 4 deletions(-) diff --git a/QuoteGeneration/quote_wrapper/qgs/Makefile b/QuoteGeneration/quote_wrapper/qgs/Makefile -index 8228bdfc..5116d85e 100644 +index 2faa6130..fa1f6708 100644 --- a/QuoteGeneration/quote_wrapper/qgs/Makefile 
+++ b/QuoteGeneration/quote_wrapper/qgs/Makefile -@@ -43,10 +43,6 @@ QGS_INC = -I$(SGX_SDK)/include \ +@@ -18,10 +18,6 @@ QGS_INC = -I$(SGX_SDK)/include \ -I$(TOP_DIR)/quote_wrapper/qgs_msg_lib/inc - QGS_CFLAGS = -g -MMD $(CFLAGS) $(QGS_INC) - QGS_CXXFLAGS = -g -MMD $(CXXFLAGS) $(QGS_INC) + QGS_CFLAGS = -g -MMD -Werror $(CFLAGS) $(QGS_INC) + QGS_CXXFLAGS = -g -MMD -Werror $(CXXFLAGS) $(QGS_INC) -ifeq ($(CC_NO_LESS_THAN_8), 1) - QGS_CFLAGS += -fcf-protection=none - QGS_CXXFLAGS += -fcf-protection=none diff --git a/specs/l/linux-sgx/0114-Delete-broken-checks-for-GCC-version-that-break-fsta.patch b/specs/l/linux-sgx/0114-Delete-broken-checks-for-GCC-version-that-break-fsta.patch index 47f24085d89..326cf9e228b 100644 --- a/specs/l/linux-sgx/0114-Delete-broken-checks-for-GCC-version-that-break-fsta.patch +++ b/specs/l/linux-sgx/0114-Delete-broken-checks-for-GCC-version-that-break-fsta.patch @@ -1,7 +1,7 @@ -From 32b371963c82b3dd391081e7ada861e652748db3 Mon Sep 17 00:00:00 2001 +From 4cde0980849bd6e9f33a868491ddb462b0d2f1c9 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?= Date: Thu, 3 Apr 2025 17:44:48 +0100 -Subject: [PATCH 114/131] Delete broken checks for GCC version that break +Subject: [PATCH 114/127] Delete broken checks for GCC version that break -fstack-protector-strong MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 @@ -12,105 +12,15 @@ broken for any GCC version >= 10, preventing use of -fstack-protector-strong 
Signed-off-by: Daniel P. Berrangé --- - QuoteGeneration/buildenv.mk | 7 +------ - QuoteGeneration/quote_wrapper/qgs_msg_lib/linux/Makefile | 2 +- - QuoteGeneration/quote_wrapper/tdx_attest/linux/Makefile | 4 ++-- - QuoteVerification/QvE/Makefile | 7 +------ - QuoteVerification/dcap_tvl/Makefile | 7 +------ - QuoteVerification/dcap_tvl/Makefile.standalone | 7 +------ - SampleCode/QuoteAppraisalSample/QAEAppraisal/Makefile | 8 +------- - SampleCode/QuoteGenerationSample/Makefile | 6 +----- - SampleCode/QuoteVerificationSample/Makefile | 8 +------- - tools/PCKRetrievalTool/Makefile | 7 +------ - 10 files changed, 11 insertions(+), 52 deletions(-) + QuoteVerification/dcap_tvl/Makefile.standalone | 7 +------ + SampleCode/QuoteAppraisalSample/QAEAppraisal/Makefile | 8 +------- + SampleCode/QuoteGenerationSample/Makefile | 7 +------ + SampleCode/QuoteVerificationSample/Makefile | 8 +------- + ae/qae/Makefile | 7 +------ + 5 files changed, 5 insertions(+), 32 deletions(-) -diff --git a/QuoteGeneration/buildenv.mk b/QuoteGeneration/buildenv.mk -index 5cf2ed6e..56aefe20 100644 ---- a/QuoteGeneration/buildenv.mk -+++ b/QuoteGeneration/buildenv.mk -@@ -71,12 +71,7 @@ ifeq ($(CC_NO_LESS_THAN_8), 1) - endif - - # turn on stack protector for SDK --CC_BELOW_4_9 := $(shell expr "`$(CC) -dumpversion`" \< "4.9") --ifeq ($(CC_BELOW_4_9), 1) -- COMMON_FLAGS += -fstack-protector --else -- COMMON_FLAGS += -fstack-protector-strong --endif -+COMMON_FLAGS += -fstack-protector-strong - - ifdef DEBUG - COMMON_FLAGS += -O0 -ggdb -DDEBUG -UNDEBUG -diff --git a/QuoteGeneration/quote_wrapper/qgs_msg_lib/linux/Makefile b/QuoteGeneration/quote_wrapper/qgs_msg_lib/linux/Makefile -index dff0af23..9ece3cc4 100644 ---- a/QuoteGeneration/quote_wrapper/qgs_msg_lib/linux/Makefile -+++ b/QuoteGeneration/quote_wrapper/qgs_msg_lib/linux/Makefile -@@ -33,7 +33,7 @@ - TOP_DIR = ../../.. 
- SDK_NOT_REQUIRED = 1 - ifeq ($(wildcard $(TOP_DIR)/buildenv.mk),) -- CXXFLAGS ?= -Wnon-virtual-dtor -std=c++14 -fstack-protector -O2 -D_FORTIFY_SOURCE=2 -UDEBUG -DNDEBUG \ -+ CXXFLAGS ?= -Wnon-virtual-dtor -std=c++14 -fstack-protector-strong -O2 -D_FORTIFY_SOURCE=2 -UDEBUG -DNDEBUG \ - -ffunction-sections -fdata-sections -Wall -Wextra -Winit-self -Wpointer-arith -Wreturn-type -Waddress \ - -Wsequence-point -Wformat-security -Wmissing-include-dirs -Wfloat-equal -Wundef -Wshadow -Wcast-align \ - -Wconversion -Wredundant-decls -DITT_ARCH_IA64 -fcf-protection -diff --git a/QuoteGeneration/quote_wrapper/tdx_attest/linux/Makefile b/QuoteGeneration/quote_wrapper/tdx_attest/linux/Makefile -index f0a5e364..20f30221 100644 ---- a/QuoteGeneration/quote_wrapper/tdx_attest/linux/Makefile -+++ b/QuoteGeneration/quote_wrapper/tdx_attest/linux/Makefile -@@ -33,11 +33,11 @@ - TOP_DIR = ../../.. - SDK_NOT_REQUIRED = 1 - ifeq ($(wildcard $(TOP_DIR)/buildenv.mk),) -- CFLAGS ?= -Wjump-misses-init -Wstrict-prototypes -Wunsuffixed-float-constants -fstack-protector -O2 \ -+ CFLAGS ?= -Wjump-misses-init -Wstrict-prototypes -Wunsuffixed-float-constants -fstack-protector-strong -O2 \ - -D_FORTIFY_SOURCE=2 -UDEBUG -DNDEBUG -ffunction-sections -fdata-sections -Wall -Wextra -Winit-self \ - -Wpointer-arith -Wreturn-type -Waddress -Wsequence-point -Wformat-security -Wmissing-include-dirs \ - -Wfloat-equal -Wundef -Wshadow -Wcast-align -Wconversion -Wredundant-decls -DITT_ARCH_IA64 -fcf-protection -- CXXFLAGS ?= -Wnon-virtual-dtor -std=c++14 -fstack-protector -O2 -D_FORTIFY_SOURCE=2 -UDEBUG -DNDEBUG \ -+ CXXFLAGS ?= -Wnon-virtual-dtor -std=c++14 -fstack-protector-strong -O2 -D_FORTIFY_SOURCE=2 -UDEBUG -DNDEBUG \ - -ffunction-sections -fdata-sections -Wall -Wextra -Winit-self -Wpointer-arith -Wreturn-type -Waddress \ - -Wsequence-point -Wformat-security -Wmissing-include-dirs -Wfloat-equal -Wundef -Wshadow -Wcast-align \ - -Wconversion -Wredundant-decls -DITT_ARCH_IA64 -fcf-protection -diff --git 
a/QuoteVerification/QvE/Makefile b/QuoteVerification/QvE/Makefile -index f6148df6..cd9094b2 100644 ---- a/QuoteVerification/QvE/Makefile -+++ b/QuoteVerification/QvE/Makefile -@@ -76,12 +76,7 @@ endif - ifneq ($(DEBUG), 1) - ENCLAVE_CFLAGS += -ffunction-sections -fdata-sections - endif --CC_BELOW_4_9 := $(shell expr "`$(CC) -dumpversion`" \< "4.9") --ifeq ($(CC_BELOW_4_9), 1) -- ENCLAVE_CFLAGS += -fstack-protector --else -- ENCLAVE_CFLAGS += -fstack-protector-strong --endif -+ENCLAVE_CFLAGS += -fstack-protector-strong - - ENCLAVE_CXXFLAGS += $(ENCLAVE_CFLAGS) -std=c++17 -DSGX_TRUSTED -DSGX_JWT -DPICOJSON_USE_LOCALE=0 - -diff --git a/QuoteVerification/dcap_tvl/Makefile b/QuoteVerification/dcap_tvl/Makefile -index 2d62f283..49b4b686 100644 ---- a/QuoteVerification/dcap_tvl/Makefile -+++ b/QuoteVerification/dcap_tvl/Makefile -@@ -56,12 +56,7 @@ endif - ifneq ($(DEBUG), 1) - COMMON_FLAGS += -ffunction-sections -fdata-sections - endif --CC_BELOW_4_9 := $(shell expr "`$(CC) -dumpversion`" \< "4.9") --ifeq ($(CC_BELOW_4_9), 1) -- COMMON_FLAGS += -fstack-protector --else -- COMMON_FLAGS += -fstack-protector-strong --endif -+COMMON_FLAGS += -fstack-protector-strong - - ENCLAVE_CXXFLAGS += $(SGX_COMMON_CXXFLAGS) $(COMMON_FLAGS) -fPIC -std=c++11 - diff --git a/QuoteVerification/dcap_tvl/Makefile.standalone b/QuoteVerification/dcap_tvl/Makefile.standalone -index 8a1cb730..713d8afc 100644 +index 8e98c329..b8818b90 100644 --- a/QuoteVerification/dcap_tvl/Makefile.standalone +++ b/QuoteVerification/dcap_tvl/Makefile.standalone @@ -45,12 +45,7 @@ COMMON_LDFLAGS := -Wl,-z,relro,-z,now,-z,noexecstack @@ -147,13 +57,14 @@ index 662ac3e5..868d72df 100644 Enclave_Cpp_Flags := $(Enclave_C_Flags) -std=c++11 -nostdinc++ diff --git a/SampleCode/QuoteGenerationSample/Makefile b/SampleCode/QuoteGenerationSample/Makefile -index 4fdbb36e..fd5b4e25 100644 +index 06a36813..0cb0baf8 100644 --- a/SampleCode/QuoteGenerationSample/Makefile 
+++ b/SampleCode/QuoteGenerationSample/Makefile -@@ -104,11 +104,7 @@ Enclave_Cpp_Files := Enclave/Enclave.cpp +@@ -108,12 +108,7 @@ Crypto_Library_Name := sgx_tcrypto + Enclave_Cpp_Files := Enclave/Enclave.cpp Enclave_Include_Paths := -I$(SGX_SDK)/include -I$(SGX_SDK)/include/tlibc -I$(SGX_SDK)/include/libcxx - CC_BELOW_4_9 := $(shell expr "`$(CC) -dumpversion`" \< "4.9") +-CC_BELOW_4_9 := $(shell expr "`$(CC) -dumpversion`" \< "4.9") -ifeq ($(CC_BELOW_4_9), 1) - Enclave_C_Flags := $(SGX_COMMON_CFLAGS) -nostdinc -fvisibility=hidden -fpie -ffunction-sections -fdata-sections -fstack-protector -else @@ -164,7 +75,7 @@ index 4fdbb36e..fd5b4e25 100644 Enclave_Cpp_Flags := $(Enclave_C_Flags) -std=c++11 -nostdinc++ diff --git a/SampleCode/QuoteVerificationSample/Makefile b/SampleCode/QuoteVerificationSample/Makefile -index 5b3df2cb..0b4b1acc 100644 +index ed099c7c..59a10981 100644 --- a/SampleCode/QuoteVerificationSample/Makefile +++ b/SampleCode/QuoteVerificationSample/Makefile @@ -105,13 +105,7 @@ DCAP_DIR ?= ../../ 
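Review bot: The rebased patch no longer touches buildenv.mk, QuoteVerification/QvE/Makefile, dcap_tvl/Makefile, tdx_attest, qgs_msg_lib or tools/PCKRetrievalTool/Makefile, so the `CC_BELOW_4_9` removal now covers five files instead of ten while the description still states the check is broken for any GCC >= 10 and silently downgrades `-fstack-protector-strong` to `-fstack-protector`. That is only the right outcome if the new upstream snapshot already dropped those checks, which this diff does not show; presumably it did, but checking the build log for `-fstack-protector-strong` on the objects from those directories would close the gap. On the positive side, the QuoteGenerationSample hunk now also removes the `CC_BELOW_4_9 := $(shell expr ...)` definition instead of leaving it as unused context.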
@@ -182,24 +93,24 @@ index 5b3df2cb..0b4b1acc 100644 Enclave_Cpp_Flags := $(Enclave_C_Flags) -nostdinc++ -diff --git a/tools/PCKRetrievalTool/Makefile b/tools/PCKRetrievalTool/Makefile -index 422f329a..7bd86398 100644 ---- a/tools/PCKRetrievalTool/Makefile -+++ b/tools/PCKRetrievalTool/Makefile -@@ -34,12 +34,7 @@ else - endif +diff --git a/ae/qae/Makefile b/ae/qae/Makefile +index 715f365a..6a2b23b7 100644 +--- a/ae/qae/Makefile ++++ b/ae/qae/Makefile +@@ -54,12 +54,7 @@ Enclave_Include_Paths := -I./ -I$(WARM_Top_Path)/core/iwasm/include \ + -I$(DCAP_QV_DIR)/appraisal/common \ + -I$(DCAP_QG_DIR)/common/inc/internal - # turn on stack protector for SDK -CC_BELOW_4_9 := $(shell expr "`$(CC) -dumpversion`" \< "4.9") -ifeq ($(CC_BELOW_4_9), 1) -- COMMON_FLAGS += -fstack-protector +- Enclave_Common_Flags := -fstack-protector -else -- COMMON_FLAGS += -fstack-protector-strong +- Enclave_Common_Flags := -fstack-protector-strong -endif -+COMMON_FLAGS += -fstack-protector-strong ++Enclave_Common_Flags := -fstack-protector-strong + Enclave_Common_Flags += -ffreestanding -fvisibility=hidden -fpie -ffunction-sections -fdata-sections $(Enclave_Include_Paths) + Enclave_Common_Flags += -DPICOJSON_USE_LOCALE=0 -DBUILD_QAE -DSGX_JWT - ifdef DEBUG - COMMON_FLAGS += -O0 -ggdb -DDEBUG -UNDEBUG -- 2.53.0 diff --git a/specs/l/linux-sgx/0116-Don-t-stomp-on-VERBOSE-variable.patch b/specs/l/linux-sgx/0116-Don-t-stomp-on-VERBOSE-variable.patch index 577b9086dc6..9ff4da4ba96 100644 --- a/specs/l/linux-sgx/0116-Don-t-stomp-on-VERBOSE-variable.patch +++ b/specs/l/linux-sgx/0116-Don-t-stomp-on-VERBOSE-variable.patch @@ -1,7 +1,7 @@ -From 1fb91bd063bff1b9f6eae57f4facc0355b311d42 Mon Sep 17 00:00:00 2001 +From 6b23d61924f49afc6a9264a5b46a23a34e39829b Mon Sep 17 00:00:00 2001 
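Review bot: The rebased patch now hardens `ae/qae/Makefile` but no longer touches `tools/PCKRetrievalTool/Makefile`; if that Makefile still carries the `CC_BELOW_4_9` probe upstream (the `expr ... \< "4.9"` test against `$(CC) -dumpversion` that this hunk drops), it keeps the weaker `-fstack-protector` path, and because `expr` falls back to a string comparison when one operand is not an integer, a major-only `-dumpversion` such as `14` compares below `4.9` and selects that path on modern GCC. It would be worth confirming the probe is actually gone from every Makefile this patch stopped touching (the QvE, dcap_tvl and sample Makefiles in the earlier hunks) rather than only rebased away. A short comment above the new assignment would record why the probe was dropped: `# -fstack-protector-strong needs GCC >= 4.9 (or clang); the old -dumpversion string compare misclassified GCC >= 10`. The inner patch's diffstat and description sit outside this hunk, so check they list ae/qae/Makefile in place of PCKRetrievalTool.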
From: =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?= Date: Wed, 16 Apr 2025 11:48:52 +0100 -Subject: [PATCH 116/131] Don't stomp on "VERBOSE" variable +Subject: [PATCH 116/127] Don't stomp on "VERBOSE" variable MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit diff --git a/specs/l/linux-sgx/0117-qgs-add-m-MODE-parameter-for-UNIX-socket-mode.patch b/specs/l/linux-sgx/0117-qgs-add-m-MODE-parameter-for-UNIX-socket-mode.patch index 0b45c417955..ebb3125cfb5 100644 --- a/specs/l/linux-sgx/0117-qgs-add-m-MODE-parameter-for-UNIX-socket-mode.patch +++ b/specs/l/linux-sgx/0117-qgs-add-m-MODE-parameter-for-UNIX-socket-mode.patch @@ -1,7 +1,7 @@ -From 5ed781b8277921e4d6061744df198d4ec5ca6aae Mon Sep 17 00:00:00 2001 +From b9104a5ce6234ff22c802e333224fcbbaf70fea6 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?= Date: Fri, 2 May 2025 14:48:24 +0100 -Subject: [PATCH 117/131] qgs: add -m=MODE parameter for UNIX socket mode +Subject: [PATCH 117/127] qgs: add -m=MODE parameter for UNIX socket mode MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit @@ -16,7 +16,7 @@ Signed-off-by: Daniel P. Berrangé 1 file changed, 31 insertions(+), 2 deletions(-) diff --git a/QuoteGeneration/quote_wrapper/qgs/server_main.cpp b/QuoteGeneration/quote_wrapper/qgs/server_main.cpp -index 62764d04..762bc998 100644 +index 62764d04..bef9e0ec 100644 --- a/QuoteGeneration/quote_wrapper/qgs/server_main.cpp +++ b/QuoteGeneration/quote_wrapper/qgs/server_main.cpp @@ -83,9 +83,10 @@ int main(int argc, const char* argv[]) @@ -84,7 +84,7 @@ index 62764d04..762bc998 100644 + * overriding only if an explicit mode is requested + */ + if (socket_based_communication && mode != 0) { -+ chmod(QGS_UNIX_SOCKET_FILE, mode); ++ chmod(QGS_UNIX_SOCKET_FILE, (mode_t)mode); + } QGS_LOG_INFO("About to start main loop\n"); io_service.run(); 
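Review bot: The `(mode_t)mode` cast on the new side clears the narrowing warning but does not bound the value; if `mode` is parsed from the `-m=MODE` option as a plain integer, anything outside `0..07777` (or a negative value) is silently truncated by the cast, so a range check at the parse site such as `if (mode < 0 || mode > 07777) { /* reject the option */ }` would keep the applied permission set explicit. The parsing and the `bind` of `QGS_UNIX_SOCKET_FILE` happen outside this hunk, so that part is inferred from the subject line. Because `chmod` runs after the socket node already exists, the node briefly carries umask-derived permissions; when the configured mode is more restrictive than the umask, narrowing the umask before the bind (or placing the socket in a directory with restrictive permissions) removes that window. `main` starts and ends outside the hunk.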
diff --git a/specs/l/linux-sgx/0118-pcsclient-make-keyring-module-optional.patch b/specs/l/linux-sgx/0118-pcsclient-make-keyring-module-optional.patch index 574d15b1023..77cbdf1044a 100644 --- a/specs/l/linux-sgx/0118-pcsclient-make-keyring-module-optional.patch +++ b/specs/l/linux-sgx/0118-pcsclient-make-keyring-module-optional.patch @@ -1,7 +1,7 @@ -From cdb0cd3480f5ab6cac9df1e13bed78dd1088c7a1 Mon Sep 17 00:00:00 2001 +From 1055a7f1f6b9cb2f55784ae52d29677a828ca93c Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?= Date: Thu, 4 Dec 2025 13:31:54 +0000 -Subject: [PATCH 118/131] pcsclient: make 'keyring' module optional +Subject: [PATCH 118/127] pcsclient: make 'keyring' module optional MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit diff --git a/specs/l/linux-sgx/0119-pcsclient-convert-from-asn1-to-pyasn1-python-module.patch b/specs/l/linux-sgx/0119-pcsclient-convert-from-asn1-to-pyasn1-python-module.patch index 7d9422bc5a3..24cf9546bd4 100644 --- a/specs/l/linux-sgx/0119-pcsclient-convert-from-asn1-to-pyasn1-python-module.patch +++ b/specs/l/linux-sgx/0119-pcsclient-convert-from-asn1-to-pyasn1-python-module.patch @@ -1,7 +1,7 @@ -From 89050a93ffb40d5b5462223519dd4b52ecc24b89 Mon Sep 17 00:00:00 2001 +From a01581a9e29e919d2af9ee1781d70d725619937d Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?= Date: Thu, 4 Dec 2025 13:54:19 +0000 -Subject: [PATCH 119/131] pcsclient: convert from asn1 to pyasn1 python module +Subject: [PATCH 119/127] pcsclient: convert from asn1 to pyasn1 python module MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit diff --git a/specs/l/linux-sgx/0120-pcsclient-fully-switch-to-pycryptography-for-CRL-ver.patch b/specs/l/linux-sgx/0120-pcsclient-fully-switch-to-pycryptography-for-CRL-ver.patch deleted file mode 100644 index 601e12121cf..00000000000 
--- a/specs/l/linux-sgx/0120-pcsclient-fully-switch-to-pycryptography-for-CRL-ver.patch
+++ /dev/null
@@ -1,67 +0,0 @@ -From e13e50bf8ab8ef81727a3162a45b326bd7d098f0 Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?= -Date: Mon, 8 Dec 2025 17:47:01 +0000 -Subject: [PATCH 120/131] pcsclient: fully switch to pycryptography for CRL - verification -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -The pyopenssl 24.3.0 removed the CRL object and its related -methods. pccsadmin was already using the pycryptography CRL -object for the verification task, so fully switch to use it -for loading the CRL to begin with. - -Signed-off-by: Daniel P. Berrangé ---- - tools/PcsClientTool/lib/intelsgx/pcs.py | 13 ++++--------- - 1 file changed, 4 insertions(+), 9 deletions(-) - -diff --git a/tools/PcsClientTool/lib/intelsgx/pcs.py b/tools/PcsClientTool/lib/intelsgx/pcs.py -index 046c781d..e68864d2 100644 ---- a/tools/PcsClientTool/lib/intelsgx/pcs.py -+++ b/tools/PcsClientTool/lib/intelsgx/pcs.py -@@ -101,11 +101,6 @@ class PCS: - # Copy our list so we don't modify the original - pychain= pychain_in[:] - -- # PyOpenSSL doesn't have methods for verifying a CRL issuer, -- # so we need to translate from it to cryptography. -- -- crl= pycrl.to_cryptography() -- - # The chain_pem is our CRL issuer and the CA for the issuer. - # Verify that first. 
- -@@ -118,13 +113,13 @@ class PCS: - - signer_key= pycert.get_pubkey().to_cryptography_key() - -- if not crl.is_signature_valid(signer_key): -+ if not pycrl.is_signature_valid(signer_key): - self.error("Could not verify CRL signature") - return False - - # Check the crl issuer - -- if pycrl.get_issuer() != pycert.get_subject(): -+ if pycrl.issuer != pycert.get_subject(): - self.error("CRL issuer doesn't match issuer chain") - return False - -@@ -516,10 +511,10 @@ class PCS: - crl= response.content - if self.ApiVersion<3: - crl_str= str(crl, dec) -- pycrl= crypto.load_crl(crypto.FILETYPE_PEM, crl) -+ pycrl= x509.load_pem_x509_crl(crl) - else: - crl_str= binascii.hexlify(crl).decode(dec) -- pycrl= crypto.load_crl(crypto.FILETYPE_ASN1, crl) -+ pycrl= x509.load_der_x509_crl(crl) - - if not self.verify_crl_trust(pychain, pycrl): - self.error("Could not validate certificate using trust chain") --- -2.53.0 - diff --git a/specs/l/linux-sgx/0124-pcsclient-ignore-errors-trying-to-clear-the-keyring.patch b/specs/l/linux-sgx/0120-pcsclient-ignore-errors-trying-to-clear-the-keyring.patch similarity index 93% rename from specs/l/linux-sgx/0124-pcsclient-ignore-errors-trying-to-clear-the-keyring.patch rename to specs/l/linux-sgx/0120-pcsclient-ignore-errors-trying-to-clear-the-keyring.patch index 42a84d895a2..6679035183d 100644 --- a/specs/l/linux-sgx/0124-pcsclient-ignore-errors-trying-to-clear-the-keyring.patch +++ b/specs/l/linux-sgx/0120-pcsclient-ignore-errors-trying-to-clear-the-keyring.patch @@ -1,7 +1,7 @@ -From 307b0ff6d27b6788cdc4b4f4abac9e949129c19e Mon Sep 17 00:00:00 2001 +From 5368f45e784a42a837523916667d045b0680f23d Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?= Date: Thu, 4 Dec 2025 18:05:14 +0000 -Subject: [PATCH 124/131] pcsclient: ignore errors trying to clear the keyring +Subject: [PATCH 120/127] pcsclient: ignore errors trying to clear the keyring MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit @@ -17,7 +17,7 @@ Signed-off-by: Daniel P. Berrangé 1 file changed, 14 insertions(+), 2 deletions(-) diff --git a/tools/PcsClientTool/lib/intelsgx/pcs.py b/tools/PcsClientTool/lib/intelsgx/pcs.py -index 1368b57b..dd4eba40 100644 +index 8fd28e2b..93f1132b 100644 --- a/tools/PcsClientTool/lib/intelsgx/pcs.py +++ b/tools/PcsClientTool/lib/intelsgx/pcs.py @@ -404,7 +404,13 @@ class PCS: diff --git a/specs/l/linux-sgx/0121-pcsclient-use-more-of-pycryptography-instead-of-pyop.patch b/specs/l/linux-sgx/0121-pcsclient-use-more-of-pycryptography-instead-of-pyop.patch deleted file mode 100644 index 089b173d8cf..00000000000 --- a/specs/l/linux-sgx/0121-pcsclient-use-more-of-pycryptography-instead-of-pyop.patch +++ /dev/null 
@@ -1,178 +0,0 @@ -From a548970fc5f876fb51f3d717d56c7daaf42030a9 Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?= -Date: Mon, 8 Dec 2025 17:48:11 +0000 -Subject: [PATCH 121/131] pcsclient: use more of pycryptography instead of - pyopenssl -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -pyopenssl docs are indicating that the 'crypto' module is liable to -see further deprecation, suggesting use of pycryptography instead. -pccsadmin code already uses pycryptography for CRLs, so extend this -to use it for loading certificates too. They are converted back to -pyopenssl objects for verification. - -Signed-off-by: Daniel P. Berrangé ---- - tools/PcsClientTool/lib/intelsgx/pcs.py | 49 ++++++++++++++----------- - 1 file changed, 28 insertions(+), 21 deletions(-) - -diff --git a/tools/PcsClientTool/lib/intelsgx/pcs.py b/tools/PcsClientTool/lib/intelsgx/pcs.py -index e68864d2..f6b58a6b 100644 ---- a/tools/PcsClientTool/lib/intelsgx/pcs.py -+++ b/tools/PcsClientTool/lib/intelsgx/pcs.py -@@ -5,6 +5,10 @@ import json - import binascii - from urllib import parse - from OpenSSL import crypto -+from cryptography import x509 -+from cryptography.exceptions import InvalidSignature -+from cryptography.hazmat.primitives import hashes -+from cryptography.hazmat.primitives.asymmetric import ec - from platform import system - if system() == 'Windows': - from pypac import PACSession -@@ -17,6 +21,9 @@ certBegin= '-----BEGIN CERTIFICATE-----' - certEnd= '-----END CERTIFICATE-----' - certEndOffset= len(certEnd) - -+def CN(name): -+ return name.get_attributes_for_oid(x509.NameOID.COMON_NAME)[0].value -+ - class PCS: - BaseUrl= '' - ApiVersion= 3 -@@ -93,7 +100,7 @@ class PCS: - store= crypto.X509Store() - - for tcert in pychain: -- store.add_cert(tcert) -+ store.add_cert(crypto.X509.from_cryptography(tcert)) - - return store - -@@ -111,7 +118,7 @@ class PCS: - - # Now verify the CRL signature - -- signer_key= 
pycert.get_pubkey().to_cryptography_key() -+ signer_key= pycert.public_key() - - if not pycrl.is_signature_valid(signer_key): - self.error("Could not verify CRL signature") -@@ -119,7 +126,7 @@ class PCS: - - # Check the crl issuer - -- if pycrl.issuer != pycert.get_subject(): -+ if pycrl.issuer != pycert.subject: - self.error("CRL issuer doesn't match issuer chain") - return False - -@@ -129,7 +136,8 @@ class PCS: - store= self.init_cert_store(pychain) - - for pycert in pycerts: -- store_ctx= crypto.X509StoreContext(store, pycert) -+ store_ctx= crypto.X509StoreContext( -+ store, crypto.X509.from_cryptography(pycert)) - try: - store_ctx.verify_certificate() - except crypto.X509StoreContextError as e: -@@ -161,22 +169,21 @@ class PCS: - sig= bytes([0x30,len(r)+len(s)+4,2,len(r)]) + r + bytes([2,len(s)]) + s - - try: -- crypto.verify(pycert, sig, msg, "sha256") -- except crypto.Error as e: -+ pycert.public_key().verify( -+ sig, msg, ec.ECDSA(hashes.SHA256())) -+ except InvalidSignature as e: - self.error('Signature verification failed: {:s}'.format(str(e))) - return False - - return True - - def pem_to_pycert(self, cert_pem): -- return crypto.load_certificate(crypto.FILETYPE_PEM, cert_pem) -+ return x509.load_pem_x509_certificate(cert_pem.encode("utf-8")) - - def pems_to_pycerts(self, certs_pem): - pycerts= [] - for cert_pem in certs_pem: -- pycerts.append( -- crypto.load_certificate(crypto.FILETYPE_PEM, cert_pem) -- ) -+ pycerts.append(self.pem_to_pycert(cert_pem)) - return pycerts - - def parse_chain_pem(self, chain_pem): -@@ -209,9 +216,9 @@ class PCS: - cert0= chain_in[0] - cert1= chain_in[1] - -- if cert0.get_subject() == cert1.get_issuer(): -+ if cert0.subject == cert1.issuer: - return chain_in -- elif cert1.get_subject() == cert0.get_issuer(): -+ elif cert1.subject == cert0.issuer: - chain_in.reverse() - return chain_in - else: -@@ -224,7 +231,7 @@ class PCS: - for i in range(1, len(chain_in)): - cert= chain_in[i] - pcert= chain_in[i-1] -- if cert.get_issuer() 
!= pcert.get_subject(): -+ if cert.issuer != pcert.subject: - sorted= False - break - -@@ -240,10 +247,10 @@ class PCS: - rootidx= -1 - for i in range(0, len(chain)): - cert= chain[i] -- subject= cert.get_subject() -- issuer= cert.get_issuer() -- cert_subjects[subject.CN]= cert -- print("cert: {:s} <- {:s}" . format(subject.CN, issuer.CN)) -+ subject= cert.subject -+ issuer= cert.issuer -+ cert_subjects[CN(subject)]= cert -+ print("cert: {:s} <- {:s}" . format(CN(subject), CN(issuer))) - - if subject == issuer: - if len(sorted_chain) > 0: -@@ -262,8 +269,8 @@ class PCS: - issuer_to= {} - - for cert in chain: -- issuer= cert.get_issuer().CN -- subject= cert.get_subject().CN -+ issuer= CN(cert.issuer) -+ subject= CN(cert.subject) - - if issuer in issued_by: - self.error('multiple certs issued by same cert in chain') -@@ -280,7 +287,7 @@ class PCS: - - if len(sorted_chain) > 0: - for cert in chain: -- issuer= cert.get_issuer().CN -+ issuer= CN(cert.issuer) - if issuer not in issued_by: - if len(sorted_chain) > 0: - self.error('multiple certs with no issuer') -@@ -296,7 +303,7 @@ class PCS: - cert= sorted_chain[0] - - while len(sorted_chain) < lchain: -- issuer_subject= cert.get_subject().der() -+ issuer_subject= CN(cert.subject) - - if issuer_subject not in issuer_to: - self.error('cert in chain with no issuer') --- -2.53.0 - diff --git a/specs/l/linux-sgx/0126-qgs-add-compat-for-boost-1.87-which-drops-asio-io_se.patch b/specs/l/linux-sgx/0121-qgs-add-compat-for-boost-1.87-which-drops-asio-io_se.patch similarity index 91% rename from specs/l/linux-sgx/0126-qgs-add-compat-for-boost-1.87-which-drops-asio-io_se.patch rename to specs/l/linux-sgx/0121-qgs-add-compat-for-boost-1.87-which-drops-asio-io_se.patch index ae9121ca8d9..d97f6a1ff8c 100644 --- a/specs/l/linux-sgx/0126-qgs-add-compat-for-boost-1.87-which-drops-asio-io_se.patch +++ b/specs/l/linux-sgx/0121-qgs-add-compat-for-boost-1.87-which-drops-asio-io_se.patch 
@@ -1,7 +1,7 @@ -From 950898fa0ce1e473e774b4e809bc9570867bd599 Mon Sep 17 00:00:00 2001 +From 089c7a2e1e8fa6cb7b18a0e3ed2f5ca5870d8db9 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?= Date: Thu, 15 Jan 2026 11:23:35 +0000 -Subject: [PATCH 126/131] qgs: add compat for boost 1.87 which drops +Subject: [PATCH 121/127] qgs: add compat for boost 1.87 which drops asio::io_service MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 diff --git a/specs/l/linux-sgx/0122-pcsclient-prefer-pycryptography-over-pyopenssl.patch b/specs/l/linux-sgx/0122-pcsclient-prefer-pycryptography-over-pyopenssl.patch deleted file mode 100644 index 97c075edb16..00000000000 --- a/specs/l/linux-sgx/0122-pcsclient-prefer-pycryptography-over-pyopenssl.patch +++ /dev/null 
@@ -1,104 +0,0 @@ -From 2f9bfe49cdaed0b61df1cb9b889eb827c2be26f9 Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?= -Date: Wed, 3 Dec 2025 17:59:09 +0000 -Subject: [PATCH 122/131] pcsclient: prefer pycryptography over pyopenssl -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -The only part of pcsclient that still needs pyopenssl is certificate -verification. As of pycryptography 45.0.0, there are sufficient APIs -available to replace the remaining usage of pyopenssl. - -Since new pycryptography is still not widely available in distros, -keep pyopenssl code as a fallback. - -Signed-off-by: Daniel P. Berrangé ---- - tools/PcsClientTool/lib/intelsgx/pcs.py | 60 +++++++++++++++++++------ - 1 file changed, 47 insertions(+), 13 deletions(-) - -diff --git a/tools/PcsClientTool/lib/intelsgx/pcs.py b/tools/PcsClientTool/lib/intelsgx/pcs.py -index f6b58a6b..eeb29697 100644 ---- a/tools/PcsClientTool/lib/intelsgx/pcs.py -+++ b/tools/PcsClientTool/lib/intelsgx/pcs.py -@@ -4,11 +4,28 @@ import requests - import json - import binascii - from urllib import parse --from OpenSSL import crypto -+ - from cryptography import x509 - from cryptography.exceptions import InvalidSignature --from cryptography.hazmat.primitives import hashes -+from cryptography.hazmat.primitives import hashes, serialization - from cryptography.hazmat.primitives.asymmetric import ec -+ -+# Prefer pycryptography for cert verification if new -+# enough, but fallback to pyopenssl -+try: -+ # 'verification' module available from >= 42.0.0, but -+ # the required 'ExtensionPolicy' API is from >= 45.0.0 -+ from cryptography.x509 import verification -+ if not hasattr(verification, 'ExtensionPolicy'): -+ verification = None -+ else: -+ crypto = None -+except ImportError: -+ verification = None -+ -+if verification is None: -+ from OpenSSL import crypto -+ - from platform import system - if system() == 'Windows': - from pypac import PACSession -@@ 
-133,17 +150,34 @@ class PCS: - return True - - def verify_cert_trust(self, pychain, pycerts): -- store= self.init_cert_store(pychain) -- -- for pycert in pycerts: -- store_ctx= crypto.X509StoreContext( -- store, crypto.X509.from_cryptography(pycert)) -- try: -- store_ctx.verify_certificate() -- except crypto.X509StoreContextError as e: -- # Printing or logging the error details -- print(e) -- return False -+ if verification is not None: -+ store= verification.Store(pychain) -+ -+ builder= verification.PolicyBuilder().store(store) -+ builder= builder.extension_policies( -+ ee_policy=verification.ExtensionPolicy.permit_all(), -+ ca_policy=verification.ExtensionPolicy.webpki_defaults_ca()) -+ -+ verifier= builder.build_client_verifier() -+ for pycert in pycerts: -+ try: -+ verifier.verify(pycert,[]) -+ except verification.VerificationError as e: -+ # Printing or logging the error details -+ print(e) -+ return False -+ else: -+ store= self.init_cert_store(pychain) -+ -+ for pycert in pycerts: -+ store_ctx= crypto.X509StoreContext( -+ store, crypto.X509.from_cryptography(pycert)) -+ try: -+ store_ctx.verify_certificate() -+ except crypto.X509StoreContextError as e: -+ # Printing or logging the error details -+ print(e) -+ return False - - return True - --- -2.53.0 - diff --git a/specs/l/linux-sgx/0127-qgs-add-compat-for-boost-1.89-which-deprecated-deadl.patch b/specs/l/linux-sgx/0122-qgs-add-compat-for-boost-1.89-which-deprecated-deadl.patch similarity index 51% rename from specs/l/linux-sgx/0127-qgs-add-compat-for-boost-1.89-which-deprecated-deadl.patch rename to specs/l/linux-sgx/0122-qgs-add-compat-for-boost-1.89-which-deprecated-deadl.patch index 3154d8d4d0c..987294113f6 100644 --- a/specs/l/linux-sgx/0127-qgs-add-compat-for-boost-1.89-which-deprecated-deadl.patch +++ b/specs/l/linux-sgx/0122-qgs-add-compat-for-boost-1.89-which-deprecated-deadl.patch 
@@ -1,7 +1,7 @@ -From e3c75970d5de401a80b8c7f97a31b0ad4cf7ed7d Mon Sep 17 00:00:00 2001 +From 0a09e36017a7851d91ce950f301b3d37f7fc8009 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?= Date: Thu, 15 Jan 2026 12:48:19 +0000 -Subject: [PATCH 127/131] qgs: add compat for boost 1.89 which deprecated +Subject: [PATCH 122/127] qgs: add compat for boost 1.89 which deprecated deadline_timer.hpp MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 @@ -16,9 +16,25 @@ include the deadline_timer.hpp Signed-off-by: Daniel P. Berrangé --- + QuoteGeneration/quote_wrapper/qgs/Makefile | 4 ++-- QuoteGeneration/quote_wrapper/qgs/qgs_server.h | 1 + - 1 file changed, 1 insertion(+) + 2 files changed, 3 insertions(+), 2 deletions(-) +diff --git a/QuoteGeneration/quote_wrapper/qgs/Makefile b/QuoteGeneration/quote_wrapper/qgs/Makefile +index fa1f6708..e3efaeb9 100644 +--- a/QuoteGeneration/quote_wrapper/qgs/Makefile ++++ b/QuoteGeneration/quote_wrapper/qgs/Makefile +@@ -16,8 +16,8 @@ QGS_INC = -I$(SGX_SDK)/include \ + -I$(TOP_DIR)/qpl/inc \ + -I$(TOP_DIR)/quote_wrapper/tdx_quote/inc \ + -I$(TOP_DIR)/quote_wrapper/qgs_msg_lib/inc +-QGS_CFLAGS = -g -MMD -Werror $(CFLAGS) $(QGS_INC) +-QGS_CXXFLAGS = -g -MMD -Werror $(CXXFLAGS) $(QGS_INC) ++QGS_CFLAGS = -g -MMD -Werror -Wno-deprecated-declarations $(CFLAGS) $(QGS_INC) ++QGS_CXXFLAGS = -g -MMD -Werror -Wno-deprecated-declarations $(CXXFLAGS) $(QGS_INC) + + DEPENDS = ${QGS_OBJS test_client.o:.o=.d} + diff --git a/QuoteGeneration/quote_wrapper/qgs/qgs_server.h b/QuoteGeneration/quote_wrapper/qgs/qgs_server.h index 91eb41a4..b56b2633 100644 --- a/QuoteGeneration/quote_wrapper/qgs/qgs_server.h diff --git a/specs/l/linux-sgx/0123-pcsclient-add-fallback-for-when-pyopenssl-is-not-ava.patch b/specs/l/linux-sgx/0123-pcsclient-add-fallback-for-when-pyopenssl-is-not-ava.patch deleted file mode 100644 index 5061a343e67..00000000000 
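Review bot: The added `-Wno-deprecated-declarations` in both `QGS_CFLAGS` and `QGS_CXXFLAGS` disables the warning for every translation unit in qgs, so with `-Werror` still present any future deprecation, not just the boost `deadline_timer.hpp` one this patch targets, will now pass silently. A narrower fix is to wrap the boost include in `qgs_server.h` (its hunk is outside this one) with `#pragma GCC diagnostic push`, `#pragma GCC diagnostic ignored "-Wdeprecated-declarations"` and `#pragma GCC diagnostic pop`, leaving the flag out of the Makefile. If the Makefile change is kept, a comment on those lines stating the reason and the removal condition, `# boost >= 1.89 deprecates deadline_timer.hpp; drop once the deprecated timer API is no longer used`, would keep it from becoming permanent. The flag is also added to the C flags although the deprecated header is C++-only, which looks unnecessary.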
--- a/specs/l/linux-sgx/0123-pcsclient-add-fallback-for-when-pyopenssl-is-not-ava.patch
+++ /dev/null
@@ -1,75 +0,0 @@ -From bf9e0725f88903c43623c14eaa97a784310e1a7e Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?= -Date: Mon, 8 Dec 2025 17:56:59 +0000 -Subject: [PATCH 123/131] pcsclient: add fallback for when pyopenssl is not - available -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -RHEL does not ship pyopenssl, however, the pycryptography that is -included is also too old to support certificate verification. Add -a further fallback that can invoke the 'openssl' command line tool -to verify certificates. - -Signed-off-by: Daniel P. Berrangé ---- - tools/PcsClientTool/lib/intelsgx/pcs.py | 28 +++++++++++++++++++++++-- - 1 file changed, 26 insertions(+), 2 deletions(-) - -diff --git a/tools/PcsClientTool/lib/intelsgx/pcs.py b/tools/PcsClientTool/lib/intelsgx/pcs.py -index eeb29697..1368b57b 100644 ---- a/tools/PcsClientTool/lib/intelsgx/pcs.py -+++ b/tools/PcsClientTool/lib/intelsgx/pcs.py -@@ -24,7 +24,14 @@ except ImportError: - verification = None - - if verification is None: -- from OpenSSL import crypto -+ try: -+ from OpenSSL import crypto -+ except ModuleNotFoundError: -+ # Fallback to spawning 'openssl' binary if -+ # pyopenssl is not available -+ crypto = None -+ import tempfile -+ import subprocess - - from platform import system - if system() == 'Windows': -@@ -166,7 +173,7 @@ class PCS: - # Printing or logging the error details - print(e) - return False -- else: -+ elif crypto is not None: - store= self.init_cert_store(pychain) - - for pycert in pycerts: -@@ -178,6 +185,23 @@ class PCS: - # Printing or logging the error details - print(e) - return False -+ else: -+ with tempfile.NamedTemporaryFile("wb") as chainfile: -+ for cert in pychain: -+ chainfile.write(cert.public_bytes(serialization.Encoding.PEM)) -+ chainfile.flush() -+ -+ for cert in pycerts: -+ with tempfile.NamedTemporaryFile("wb") as certfile: -+ certfile.write(cert.public_bytes(serialization.Encoding.PEM)) -+ 
certfile.flush() -+ -+ try: -+ subprocess.check_call(["openssl", "verify", -+ "-CAfile", chainfile.name, certfile.name], -+ stdout=subprocess.DEVNULL) -+ except subprocess.CalledProcessError as e: -+ return False - - return True - --- -2.53.0 - diff --git a/specs/l/linux-sgx/0128-use-system-gtest-gmock-libraries.patch b/specs/l/linux-sgx/0123-use-system-gtest-gmock-libraries.patch similarity index 80% rename from specs/l/linux-sgx/0128-use-system-gtest-gmock-libraries.patch rename to specs/l/linux-sgx/0123-use-system-gtest-gmock-libraries.patch index e7e54679409..94afc7fa747 100644 --- a/specs/l/linux-sgx/0128-use-system-gtest-gmock-libraries.patch +++ b/specs/l/linux-sgx/0123-use-system-gtest-gmock-libraries.patch @@ -1,22 +1,22 @@ -From d12dd23661f55a2399357d8394a5bc2e5f467ac8 Mon Sep 17 00:00:00 2001 +From fb7c37323a272e5852eef15443c8af79cc025e6b Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?= Date: Thu, 29 Jan 2026 15:26:38 +0000 -Subject: [PATCH 128/131] use system gtest / gmock libraries +Subject: [PATCH 123/127] use system gtest / gmock libraries MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Daniel P. Berrangé --- - QuoteVerification/QvE/Test/Makefile | 7 ++++--- + ae/QvE/Test/Makefile | 7 ++++--- external/Makefile | 24 +----------------------- tools/SGXPlatformRegistration/Makefile | 10 +++++----- 3 files changed, 10 insertions(+), 31 deletions(-) -diff --git a/QuoteVerification/QvE/Test/Makefile b/QuoteVerification/QvE/Test/Makefile -index ce4b1eec..3705d567 100644 ---- a/QuoteVerification/QvE/Test/Makefile -+++ b/QuoteVerification/QvE/Test/Makefile +diff --git a/ae/QvE/Test/Makefile b/ae/QvE/Test/Makefile +index 0ed41883..75b30126 100644 +--- a/ae/QvE/Test/Makefile ++++ b/ae/QvE/Test/Makefile @@ -14,7 +14,8 @@ EXTERNAL_PATH := $(MKFILE_PATH)/../../../external BUILD_PATH := $(MKFILE_PATH)/build DEST_PATH := $(BUILD_PATH)/release 
@@ -25,7 +25,7 @@ index ce4b1eec..3705d567 100644 +GTEST_CFLAGS := $(shell pkg-config --cflags gtest gmock gmock_main) +GTEST_LDFLAGS := $(shell pkg-config --libs gtest gmock gmock_main) - SRC_PATH := $(MKFILE_PATH)/../Enclave + SRC_PATH := $(MKFILE_PATH)/../qve TEST_PATH := $(MKFILE_PATH)/src @@ -29,7 +30,7 @@ INCLUDE := -I$(INCLUDE_PATH) -I$(SRC_PATH) -I$(MOCK_PATH) $(shell pkg-config --c -isystem$(EXTERNAL_PATH)/jwt-cpp/include @@ -81,10 +81,10 @@ index 9e348e7c..ca27cac9 100644 - rm -r $(GTEST_CMAKE_BUILD_PATH)/* - rm -r $(GTEST_BUILD_PATH)/* diff --git a/tools/SGXPlatformRegistration/Makefile b/tools/SGXPlatformRegistration/Makefile -index b5b8dcac..e99fec1f 100644 +index d0f4b053..d59c297e 100644 --- a/tools/SGXPlatformRegistration/Makefile +++ b/tools/SGXPlatformRegistration/Makefile -@@ -51,7 +51,8 @@ EXTERNAL_PATH := $(MKFILE_PATH)/../../external +@@ -36,7 +36,8 @@ EXTERNAL_PATH := $(MKFILE_PATH)/../../external DEST_PATH := $(BUILD_PATH)/release INSTALL_PATH := $(DEST_PATH)/installer @@ -94,7 +94,7 @@ index b5b8dcac..e99fec1f 100644 TEST_PATH := $(MKFILE_PATH)/test ifdef DEBUG -@@ -82,8 +83,7 @@ INCLUDE += -I$(MANAGEMENT_PATH)/inc +@@ -67,8 +68,7 @@ INCLUDE += -I$(MANAGEMENT_PATH)/inc INCLUDE += -I$(NETWORK_PATH)/inc INCLUDE += -I$(UEFI_PATH)/inc 
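Review bot: `GTEST_CFLAGS := $(shell pkg-config --cflags gtest gmock gmock_main)` and the matching `GTEST_LDFLAGS` line, carried through unchanged on the new side, expand to empty when pkg-config cannot find the modules, so a missing gtest/gmock only shows up later as an unrelated include or link error. A parse-time guard after those assignments, `ifeq ($(strip $(GTEST_LDFLAGS)),)` / `$(error gtest/gmock not found via pkg-config)` / `endif`, fails early with a clear message. The `SRC_PATH` rebase from `../Enclave` to `../qve` itself looks consistent with the `ae/QvE` path change in the file header above. If the `tools/SGXPlatformRegistration/Makefile` part of this patch uses the same pkg-config pattern, the same guard applies there; its assignment lines are outside the visible hunks.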
@@ -104,16 +104,16 @@ index b5b8dcac..e99fec1f 100644 SRC_AGENT := $(wildcard $(AGENT_PATH)/src/*cpp) SRC_COMMON := $(wildcard $(COMMON_PATH)/src/*cpp) -@@ -131,7 +131,7 @@ LDFLAGS_SO := $(LDFLAGS) -shared -Wl,-z,relro,-z,now,-z,noexecstack +@@ -116,7 +116,7 @@ LDFLAGS_SO := $(LDFLAGS) -shared -Wl,-z,relro,-z,now,-z,noexecstack LD_REGI_APP := $(LDFLAGS) -L$(LIB_PATH) -Wl,-Bstatic -lmpa_registration -Wl,-Bdynamic -lmpa_network -lmpa_uefi LD_MANAGE_APP := $(LDFLAGS) -L$(LIB_PATH) -Wl,-Bstatic -lmpa_management -lmpa_registration -Wl,-Bdynamic -lmpa_uefi -LD_GTEST := $(LDFLAGS) -L$(GTEST_PATH)/lib -lgtest -lgmock_main -lgmock -lpthread +LD_GTEST := $(LDFLAGS) $(GTEST_LDFLAGS) -lpthread - CXX_WARNINGS := -Wall -Wextra -Winit-self -Wpointer-arith -Wreturn-type -Waddress -Wsequence-point -Wformat-security -Wmissing-include-dirs -Wfloat-equal -Wundef -Wshadow -Wcast-align -Wconversion -Wredundant-decls - CXXFLAGS := -std=c++17 -fPIC -Wnon-virtual-dtor -fstack-protector -ffunction-sections -DITT_ARCH_IA64 -fcf-protection $(CXX_WARNINGS) -@@ -276,5 +276,5 @@ $(OBJ_MPA_MANAGE_APP_PATH)/%.o: $(MPA_MANAGE_PATH)/src/%.cpp + CXX_WARNINGS := -Wall -Wextra -Winit-self -Wpointer-arith -Wreturn-type -Waddress -Wsequence-point -Wformat-security \ + -Wmissing-include-dirs -Wfloat-equal -Wundef -Wshadow -Wcast-align -Wconversion -Wredundant-decls +@@ -267,5 +267,5 @@ $(OBJ_MPA_MANAGE_APP_PATH)/%.o: $(MPA_MANAGE_PATH)/src/%.cpp @echo "$<" $(OBJ_TEST_PATH)/%.o: $(TEST_PATH)/%.cpp diff --git a/specs/l/linux-sgx/0129-Disable-PcsClientTool-package-build.patch b/specs/l/linux-sgx/0124-Disable-PcsClientTool-package-build.patch similarity index 82% rename from specs/l/linux-sgx/0129-Disable-PcsClientTool-package-build.patch rename to specs/l/linux-sgx/0124-Disable-PcsClientTool-package-build.patch index ccd9e802ef7..6c895c37b60 100644 --- a/specs/l/linux-sgx/0129-Disable-PcsClientTool-package-build.patch +++ b/specs/l/linux-sgx/0124-Disable-PcsClientTool-package-build.patch 
@@ -1,7 +1,7 @@ -From e5195226c8bc6d3dbb237c5b9cc745cc56815955 Mon Sep 17 00:00:00 2001 +From 19879fa7382377eaf8d6c56a2bc9e11a9ee5f29c Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?= Date: Mon, 2 Feb 2026 16:12:50 +0000 -Subject: [PATCH 129/131] Disable PcsClientTool package build +Subject: [PATCH 124/127] Disable PcsClientTool package build MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit @@ -12,7 +12,7 @@ Signed-off-by: Daniel P. Berrangé 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/tools/PcsClientTool/Makefile b/tools/PcsClientTool/Makefile -index d6eec9cb..dd99ee7f 100644 +index f6f0fabf..c01e4057 100644 --- a/tools/PcsClientTool/Makefile +++ b/tools/PcsClientTool/Makefile @@ -6,7 +6,8 @@ diff --git a/specs/l/linux-sgx/0125-PCS-Client-Tool-Migrate-from-deprecated-pkg_resource.patch b/specs/l/linux-sgx/0125-PCS-Client-Tool-Migrate-from-deprecated-pkg_resource.patch deleted file mode 100644 index fed1a261b9d..00000000000 --- a/specs/l/linux-sgx/0125-PCS-Client-Tool-Migrate-from-deprecated-pkg_resource.patch +++ /dev/null 
@@ -1,76 +0,0 @@ -From 3aecd977bcb3a5fb81397bd821891e7dfc59e147 Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?= -Date: Fri, 9 Jan 2026 10:35:43 +0100 -Subject: [PATCH 125/131] [PCS Client Tool] Migrate from deprecated - pkg_resources to packaging (#485) -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -From: Miro Hrončok - -* [PCS Client Tool] Migrate from deprecated pkg_resources to packaging - -Version 14.0 is the first version that had the Version class. - -Ref: https://setuptools.pypa.io/en/latest/pkg_resources.html - -* [PCS Client Tool] Avoid needless indirection when contracting Version objects - ---------- - -Signed-off-by: Miro Hrončok -(cherry picked from commit a6c3631330787aaf1e286f5dd06c39c50ac0d796) ---- - tools/PcsClientTool/lib/intelsgx/pcs.py | 6 +++--- - tools/PcsClientTool/requirements.txt | 2 +- - 2 files changed, 4 insertions(+), 4 deletions(-) - -diff --git a/tools/PcsClientTool/lib/intelsgx/pcs.py b/tools/PcsClientTool/lib/intelsgx/pcs.py -index dd4eba40..76a213b0 100644 ---- a/tools/PcsClientTool/lib/intelsgx/pcs.py -+++ b/tools/PcsClientTool/lib/intelsgx/pcs.py -@@ -39,7 +39,7 @@ if system() == 'Windows': - from lib.intelsgx.credential import Credentials - from requests.adapters import HTTPAdapter - from urllib3.util import Retry --from pkg_resources import parse_version -+from packaging.version import Version - - certBegin= '-----BEGIN CERTIFICATE-----' - certEnd= '-----END CERTIFICATE-----' -@@ -90,7 +90,7 @@ class PCS: - - PARAMS = {} - https = requests.Session() -- if parse_version(urllib3.__version__) < parse_version('1.26.0'): -+ if Version(urllib3.__version__) < Version('1.26.0'): - https.mount("https://", HTTPAdapter(max_retries=Retry(method_whitelist=["HEAD", "GET", "PUT", "POST", "DELETE", "OPTIONS", "TRACE"]))) - else: - https.mount("https://", HTTPAdapter(max_retries=Retry(allowed_methods=["HEAD", "GET", "PUT", "POST", "DELETE", "OPTIONS", "TRACE"]))) -@@ 
-108,7 +108,7 @@ class PCS: - - PARAMS = {} - https = requests.Session() -- if parse_version(urllib3.__version__) < parse_version('1.26.0'): -+ if Version(urllib3.__version__) < Version('1.26.0'): - https.mount("https://", HTTPAdapter(max_retries=Retry(method_whitelist=["HEAD", "GET", "PUT", "POST", "DELETE", "OPTIONS", "TRACE"]))) - else: - https.mount("https://", HTTPAdapter(max_retries=Retry(allowed_methods=["HEAD", "GET", "PUT", "POST", "DELETE", "OPTIONS", "TRACE"]))) -diff --git a/tools/PcsClientTool/requirements.txt b/tools/PcsClientTool/requirements.txt -index 3128807f..fc16cbf5 100644 ---- a/tools/PcsClientTool/requirements.txt -+++ b/tools/PcsClientTool/requirements.txt -@@ -1,8 +1,8 @@ - asn1>=2.4.1 - cryptography>=41.0.7,<44 - keyring>=23.0.0 -+packaging>=14.0 - pyOpenSSL>=23.2.0,<24.3.0 - pypac>=0.14.0 - Requests>=2.31.0 --setuptools>=65.5.1,<81 - urllib3>=1.26.18 --- -2.53.0 - diff --git a/specs/l/linux-sgx/0130-disable-building-of-WASM-SIMDE-code.patch b/specs/l/linux-sgx/0125-disable-building-of-WASM-SIMDE-code.patch similarity index 82% rename from specs/l/linux-sgx/0130-disable-building-of-WASM-SIMDE-code.patch rename to specs/l/linux-sgx/0125-disable-building-of-WASM-SIMDE-code.patch index c6675c73349..50226a1e56a 100644 --- a/specs/l/linux-sgx/0130-disable-building-of-WASM-SIMDE-code.patch +++ b/specs/l/linux-sgx/0125-disable-building-of-WASM-SIMDE-code.patch @@ -1,7 +1,7 @@ -From c0655ac4e8f7c85648874f3bed2879848e9487ed Mon Sep 17 00:00:00 2001 +From 8fc5b4ca900f26c636dc23d183754464cc236258 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?= Date: Tue, 3 Feb 2026 11:40:10 +0000 -Subject: [PATCH 130/131] disable building of WASM SIMDE code +Subject: [PATCH 125/127] disable building of WASM SIMDE code MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit @@ -16,10 +16,10 @@ Signed-off-by: Daniel P. Berrangé 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/QuoteVerification/appraisal/qal/Makefile b/QuoteVerification/appraisal/qal/Makefile -index 10ca0572..0bb3fdef 100644 +index af72a783..a317cf11 100644 --- a/QuoteVerification/appraisal/qal/Makefile +++ b/QuoteVerification/appraisal/qal/Makefile -@@ -30,7 +30,7 @@ QAL_Link_Flags := $(COMMON_LDFLAGS) -L$(WARM_Lib_Path) -liwasm -ldl -lm -lpthre +@@ -30,7 +30,7 @@ QAL_Link_Flags := $(COMMON_LDFLAGS) -L$(WARM_Lib_Path) -lvmlib -ldl -lm -lpthre $(shell pkg-config --libs libcrypto) \ -Wl,--gc-sections -Wl,--version-script=sgx_dcap_qal.lds @@ -27,7 +27,7 @@ index 10ca0572..0bb3fdef 100644 +WASM_CONFIG ?= -DCMAKE_BUILD_TYPE=Release -DWAMR_BUILD_SIMD=0 -DWAMR_BUILD_LIB_SIMDE=0 ifeq ($(DEBUG), 1) WASM_CONFIG := -DCMAKE_BUILD_TYPE=Debug - QAL_Link_Flags += -fsanitize=undefined + QAL_Cpp_Flags += -fsanitize=undefined -- 2.53.0 diff --git a/specs/l/linux-sgx/0126-ensure-build-terminates-if-prepare_sgxssl.sh-fails.patch b/specs/l/linux-sgx/0126-ensure-build-terminates-if-prepare_sgxssl.sh-fails.patch new file mode 100644 index 00000000000..27a744dfe83 --- /dev/null +++ b/specs/l/linux-sgx/0126-ensure-build-terminates-if-prepare_sgxssl.sh-fails.patch 
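Review bot: The carried patch disables the WASM SIMD/SIMDE build only for release configurations: the refreshed context line `+WASM_CONFIG ?= -DCMAKE_BUILD_TYPE=Release -DWAMR_BUILD_SIMD=0 -DWAMR_BUILD_LIB_SIMDE=0` is followed by `WASM_CONFIG := -DCMAKE_BUILD_TYPE=Debug` under `ifeq ($(DEBUG), 1)`, which replaces the whole value and silently re-enables the SIMDE code in DEBUG=1 builds. Since the refresh already touches this hunk, the debug assignment should carry the same switches, e.g. `WASM_CONFIG := -DCMAKE_BUILD_TYPE=Debug -DWAMR_BUILD_SIMD=0 -DWAMR_BUILD_LIB_SIMDE=0`. The `?=` also lets a `WASM_CONFIG` present in the environment drop the disable entirely; if that is unintended, `override WASM_CONFIG += -DWAMR_BUILD_SIMD=0 -DWAMR_BUILD_LIB_SIMDE=0` is the stricter form. These lines predate this refresh, and the enclosing Makefile block continues outside the hunk.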
@@ -0,0 +1,33 @@
+From a4ebdc7940846aac60f589358bdae60559ccca34 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?=
+Date: Wed, 25 Mar 2026 15:54:42 +0000
+Subject: [PATCH 126/127] ensure build terminates if prepare_sgxssl.sh fails
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+The prepare_sgxssl.sh script ignores exit status from all
+commands it runs, so if 'make' fails to build the sgxssl
+code the caller will still assume all is well.
+
+Signed-off-by: Daniel P. Berrangé
+---
+ QuoteVerification/prepare_sgxssl.sh | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/QuoteVerification/prepare_sgxssl.sh b/QuoteVerification/prepare_sgxssl.sh
+index 19152d77..8195407f 100755
+--- a/QuoteVerification/prepare_sgxssl.sh
++++ b/QuoteVerification/prepare_sgxssl.sh
+@@ -5,6 +5,8 @@
+ # SPDX-License-Identifier: BSD-3-Clause
+ #
+ 
++set -e
++
+ ARG1=${1:-build}
+ top_dir="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
+ sgxssl_dir=$top_dir/sgxssl
+-- 
+2.53.0
+
diff --git a/specs/l/linux-sgx/0127-qgs-squash-global-placeholders-warning-from-boost-1..patch b/specs/l/linux-sgx/0127-qgs-squash-global-placeholders-warning-from-boost-1..patch
new file mode 100644
index 00000000000..f1c705359cd
--- /dev/null
+++ b/specs/l/linux-sgx/0127-qgs-squash-global-placeholders-warning-from-boost-1..patch
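Review bot: The new `set -e` in prepare_sgxssl.sh still lets a failing `make` pass unnoticed when its output is piped, because only the last command of a pipeline decides the status under `-e`; if the script pipes the build through `tee` or similar, the caller is told all is well just as before. The script is already bash-only (`${BASH_SOURCE[0]}`), so `set -e -o pipefail` closes that gap at no portability cost. `-e` is also suppressed inside `if`, `&&` and `||` contexts, which is fine for the `top_dir="$( ... && pwd )"` assignment shown but worth checking against the rest of the script, which lies outside this hunk.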
@@ -0,0 +1,41 @@ +From 8670f057f4558fd250db375d91bdc52db502a076 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?= +Date: Wed, 25 Mar 2026 16:46:52 +0000 +Subject: [PATCH 127/127] qgs: squash global placeholders warning from boost + 1.90 +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Latest boost 1.90 warns: + + /usr/include/boost/bind.hpp:36:1: note: ‘#pragma message: The practice of declaring the Bind placeholders (_1, _2, ...) in the global namespace is deprecated. Please use + using namespace boost::placeholders, or define BOOST_BIND_GLOBAL_PLACEHOLDERS to retain the current behavior.’ + 36 | BOOST_PRAGMA_MESSAGE( + | ^~~~~~~~~~~~~~~~~~~~ + +Squash this warning using the suggested define so the build +does not break under -Werror. + +Signed-off-by: Daniel P. Berrangé +--- + QuoteGeneration/quote_wrapper/qgs/Makefile | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/QuoteGeneration/quote_wrapper/qgs/Makefile b/QuoteGeneration/quote_wrapper/qgs/Makefile +index e3efaeb9..8446b194 100644 +--- a/QuoteGeneration/quote_wrapper/qgs/Makefile ++++ b/QuoteGeneration/quote_wrapper/qgs/Makefile +@@ -16,8 +16,8 @@ QGS_INC = -I$(SGX_SDK)/include \ + -I$(TOP_DIR)/qpl/inc \ + -I$(TOP_DIR)/quote_wrapper/tdx_quote/inc \ + -I$(TOP_DIR)/quote_wrapper/qgs_msg_lib/inc +-QGS_CFLAGS = -g -MMD -Werror -Wno-deprecated-declarations $(CFLAGS) $(QGS_INC) +-QGS_CXXFLAGS = -g -MMD -Werror -Wno-deprecated-declarations $(CXXFLAGS) $(QGS_INC) ++QGS_CFLAGS = -g -MMD -Werror -Wno-deprecated-declarations -DBOOST_BIND_GLOBAL_PLACEHOLDERS $(CFLAGS) $(QGS_INC) ++QGS_CXXFLAGS = -g -MMD -Werror -Wno-deprecated-declarations -DBOOST_BIND_GLOBAL_PLACEHOLDERS $(CXXFLAGS) $(QGS_INC) + + DEPENDS = ${QGS_OBJS test_client.o:.o=.d} + +-- +2.53.0 + 
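Review bot: `-DBOOST_BIND_GLOBAL_PLACEHOLDERS` on the two new QGS_CFLAGS/QGS_CXXFLAGS lines keeps the deprecated global `_1`/`_2` placeholders alive rather than fixing the source, so the same `-Werror` build is expected to break again once Boost drops them; the durable fix is to switch whatever qgs source includes boost/bind.hpp to `boost::placeholders::_1` (or `std::bind` with `std::placeholders`) and leave the flags untouched. The diagnostic quoted in the commit message is a `note:` emitted by `#pragma message`, which `-Werror` does not normally promote to an error, so it is worth confirming what actually failed before relying on this define. Adding the define to QGS_CFLAGS is harmless but redundant, since only the C++ translation units can see Boost headers.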
diff --git a/specs/l/linux-sgx/0131-pcsclient-fix-name-of-input-file-in-cache-command-he.patch b/specs/l/linux-sgx/0131-pcsclient-fix-name-of-input-file-in-cache-command-he.patch deleted file mode 100644 index d15807d3a65..00000000000 --- a/specs/l/linux-sgx/0131-pcsclient-fix-name-of-input-file-in-cache-command-he.patch +++ /dev/null 
@@ -1,30 +0,0 @@ -From 119aab0c40001c9ff803dac8d7a6fd975cd6de6e Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?= -Date: Wed, 4 Feb 2026 15:10:02 +0000 -Subject: [PATCH 131/131] pcsclient: fix name of input file in 'cache' command - help text -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -Signed-off-by: Daniel P. Berrangé ---- - tools/PcsClientTool/pcsclient.py | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/tools/PcsClientTool/pcsclient.py b/tools/PcsClientTool/pcsclient.py -index 1759833f..eef984af 100755 ---- a/tools/PcsClientTool/pcsclient.py -+++ b/tools/PcsClientTool/pcsclient.py -@@ -50,7 +50,7 @@ def main(): - parser_cache = subparsers.add_parser('cache') - # add optional arguments for cache - parser_cache.add_argument("-u", "--url", help="The URL of the Intel PCS service; default: https://api.trustedservices.intel.com/sgx/certification/v4/") -- parser_cache.add_argument("-i", "--input_file", help="The input file name for platform list; default: platform_list.csv") -+ parser_cache.add_argument("-i", "--input_file", help="The input file name for platform list; default: platform_list.json") - parser_cache.add_argument("-o", "--output_dir", help="The destination directory for storing the generated cache files") - parser_cache.add_argument("-s", "--sub_dir", help="Store output cache files in subdirectories named according to QE ID or Platform ID", action="store_true") - parser_cache.add_argument("-e", "--expire", type=Utils.check_expire_hours, help="How many hours the cache files will be valid for. Default is 2160 hours (90 days).") --- -2.53.0 - diff --git a/specs/l/linux-sgx/0200-Enable-pointing-sgxssl-build-to-alternative-glibc-he.patch b/specs/l/linux-sgx/0200-Enable-pointing-sgxssl-build-to-alternative-glibc-he.patch index a7485ec55db..06612418a5f 100644 --- a/specs/l/linux-sgx/0200-Enable-pointing-sgxssl-build-to-alternative-glibc-he.patch 
+++ b/specs/l/linux-sgx/0200-Enable-pointing-sgxssl-build-to-alternative-glibc-he.patch @@ -1,4 +1,4 @@ -From 89d2bacc8b67eca8decae7b7508080582fc2c60d Mon Sep 17 00:00:00 2001 +From 726612218a56c0f5f3d219e2fbacb6c1e2f7153c Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?= Date: Thu, 29 Aug 2024 12:23:30 +0100 Subject: [PATCH 200/203] Enable pointing sgxssl build to alternative glibc @@ -20,7 +20,7 @@ Signed-off-by: Daniel P. Berrangé 2 files changed, 8 insertions(+), 2 deletions(-) diff --git a/Linux/build_openssl.sh b/Linux/build_openssl.sh -index 0a99917..4e4a81e 100755 +index ea47407..1a8ea2c 100755 --- a/Linux/build_openssl.sh +++ b/Linux/build_openssl.sh @@ -89,6 +89,7 @@ fi @@ -60,10 +60,10 @@ index 0a99917..4e4a81e 100755 sed -i 's/ENGINE_set_default_RAND/dummy_ENGINE_set_default_RAND/' crypto/engine/tb_rand.c || exit 1 sed -i 's/return RUN_ONCE(&locale_base, ossl_init_locale_base);/return 1;/' crypto/ctype.c || exit 1 diff --git a/Linux/sgx/Makefile b/Linux/sgx/Makefile -index e4f3f92..ec1a0c3 100644 +index ed8456d..bea3463 100644 --- a/Linux/sgx/Makefile +++ b/Linux/sgx/Makefile -@@ -85,7 +85,7 @@ endif +@@ -84,7 +84,7 @@ endif endif $(PACKAGE_LIB)/$(OPENSSL_LIB): @@ -73,5 +73,5 @@ index e4f3f92..ec1a0c3 100644 clean: $(MAKE) -C $(TRUSTED_LIB_DIR) clean -- -2.49.0 +2.53.0 diff --git a/specs/l/linux-sgx/0201-Workaround-missing-output-directory.patch b/specs/l/linux-sgx/0201-Workaround-missing-output-directory.patch index fca630c0601..5a13acf1f55 100644 --- a/specs/l/linux-sgx/0201-Workaround-missing-output-directory.patch +++ b/specs/l/linux-sgx/0201-Workaround-missing-output-directory.patch @@ -1,4 +1,4 @@ -From d823d7a67291d51d8b3c57c36f059e1d1d84c2e6 Mon Sep 17 00:00:00 2001 +From c3b4f345afd487fce48837a604b16625f25c1c60 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?= Date: Thu, 29 Aug 2024 12:50:32 +0100 Subject: [PATCH 201/203] Workaround missing output directory @@ -16,7 +16,7 @@ 
Signed-off-by: Daniel P. Berrangé 1 file changed, 1 insertion(+) diff --git a/Linux/build_openssl.sh b/Linux/build_openssl.sh -index 4e4a81e..d0518e5 100755 +index 1a8ea2c..44bfa7b 100755 --- a/Linux/build_openssl.sh +++ b/Linux/build_openssl.sh @@ -174,6 +174,7 @@ fi @@ -28,5 +28,5 @@ index 4e4a81e..d0518e5 100755 grep OPENSSL_VERSION_STR include/openssl/opensslv.h > $SGXSSL_ROOT/sgx/osslverstr.h || exit 1 cp -r include/crypto $SGXSSL_ROOT/sgx/test_app/enclave/ || exit 1 -- -2.49.0 +2.53.0 diff --git a/specs/l/linux-sgx/0202-Disable-various-EC-crypto-features.patch b/specs/l/linux-sgx/0202-Disable-various-EC-crypto-features.patch index 13f7de2c0ec..906d3701a2d 100644 --- a/specs/l/linux-sgx/0202-Disable-various-EC-crypto-features.patch +++ b/specs/l/linux-sgx/0202-Disable-various-EC-crypto-features.patch @@ -1,4 +1,4 @@ -From 3aea585cfbe4691fea3c584981e36ee06d945bf4 Mon Sep 17 00:00:00 2001 +From dba682aa959d913aa316d0102b064ef8415b6987 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?= Date: Fri, 1 Mar 2024 13:24:26 +0000 Subject: [PATCH 202/203] Disable various EC crypto features @@ -20,7 +20,7 @@ Signed-off-by: Daniel P. Berrangé create mode 100644 openssl_source/0012-Disable-explicit-ec.patch diff --git a/Linux/build_openssl.sh b/Linux/build_openssl.sh -index d0518e5..cf8394b 100755 +index 44bfa7b..007aea0 100755 --- a/Linux/build_openssl.sh +++ b/Linux/build_openssl.sh @@ -54,6 +54,17 @@ cd $SGXSSL_ROOT/../openssl_source || exit 1 @@ -1631,5 +1631,5 @@ index 0000000..0cae2fa + + err: -- -2.49.0 +2.53.0 diff --git a/specs/l/linux-sgx/0203-Disable-sm2-and-sm4-crypto-algorithms.patch b/specs/l/linux-sgx/0203-Disable-sm2-and-sm4-crypto-algorithms.patch index 99ff25004cd..25fca76425b 100644 --- a/specs/l/linux-sgx/0203-Disable-sm2-and-sm4-crypto-algorithms.patch +++ b/specs/l/linux-sgx/0203-Disable-sm2-and-sm4-crypto-algorithms.patch 
@@ -1,4 +1,4 @@ -From 1c3da2baf4cc84aecd2f6610777d28ac69a47039 Mon Sep 17 00:00:00 2001 +From 7ca8da21d6f4d5f6a0785dadd4b90547e3419609 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?= Date: Fri, 1 Mar 2024 13:25:14 +0000 Subject: [PATCH 203/203] Disable sm2 and sm4 crypto algorithms @@ -17,7 +17,7 @@ Signed-off-by: Daniel P. Berrangé 4 files changed, 13 insertions(+), 1 deletion(-) diff --git a/Linux/build_openssl.sh b/Linux/build_openssl.sh -index cf8394b..fea2232 100755 +index 007aea0..5b11130 100755 --- a/Linux/build_openssl.sh +++ b/Linux/build_openssl.sh @@ -162,7 +162,7 @@ cp sgx_config.conf $OPENSSL_VERSION/ || exit 1 @@ -119,5 +119,5 @@ index a395ce8..f49e5b7 100644 } +#endif -- -2.49.0 +2.53.0 diff --git a/specs/l/linux-sgx/0400-service-sanitize-paths-to-all-resources.patch b/specs/l/linux-sgx/0400-service-sanitize-paths-to-all-resources.patch deleted file mode 100644 index 65648926b6c..00000000000 --- a/specs/l/linux-sgx/0400-service-sanitize-paths-to-all-resources.patch +++ /dev/null 
@@ -1,74 +0,0 @@ -From 76a6604302bc45e77b701d21831d9b97d770fbdc Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?= -Date: Tue, 27 Jan 2026 11:45:01 +0000 -Subject: [PATCH 400/404] service: sanitize paths to all resources -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -Look for SSL cert config in /etc/pccs/ssl -Look for DB migrations in /usr/share/pccs -Use log file in /var/log/pccs - -Signed-off-by: Daniel P. Berrangé ---- - service/pccs_server.js | 4 ++-- - service/utils/Logger.js | 2 +- - service/utils/apputil.js | 6 +++--- - 3 files changed, 6 insertions(+), 6 deletions(-) - -diff --git a/service/pccs_server.js b/service/pccs_server.js -index 363f74d..caa693e 100644 ---- a/service/pccs_server.js -+++ b/service/pccs_server.js -@@ -129,8 +129,8 @@ function startHttpsServer() { - let privateKey; - let certificate; - try { -- privateKey = fs.readFileSync('./ssl_key/private.pem', 'utf8'); -- certificate = fs.readFileSync('./ssl_key/file.crt', 'utf8'); -+ privateKey = fs.readFileSync('/etc/pccs/ssl/server-key.pem', 'utf8'); -+ certificate = fs.readFileSync('/etc/pccs/ssl/server-cert.pem', 'utf8'); - } catch (err) { - logger.error('The private key or certificate for HTTPS server is missing.'); - logger.endAndExitProcess(); -diff --git a/service/utils/Logger.js b/service/utils/Logger.js -index e011539..82125ed 100644 ---- a/service/utils/Logger.js -+++ b/service/utils/Logger.js -@@ -51,7 +51,7 @@ export function formatLogMessage (tokens, req, res) { - const options = { - file: { - level: Config.has('LogLevel') ? 
Config.get('LogLevel') : 'info', -- filename: __dirname + `/../logs/pccs_server.log`, -+ filename: `/var/log/pccs/pccs_server.log`, - handleExceptions: true, - json: false, - colorize: true, -diff --git a/service/utils/apputil.js b/service/utils/apputil.js -index 6f910ee..6eb9d15 100644 ---- a/service/utils/apputil.js -+++ b/service/utils/apputil.js -@@ -84,8 +84,8 @@ async function test_db_status() { - } - - async function db_migration() { -- const migrations = fs.readdirSync('./migrations').map(name => { -- const path = `./migrations/${name}`; -+ const migrations = fs.readdirSync('/usr/lib/node_modules/pccs/migrations').map(name => { -+ const path = `/usr/lib/node_modules/pccs/migrations/${name}`; - - return { - name, -@@ -126,7 +126,7 @@ async function db_migration() { - - const umzug = new Umzug({ - migrations: { -- glob: './migrations/*.{js,up.sql}', -+ glob: '/usr/lib/node_modules/pccs/migrations/*.{js,up.sql}', - resolve: ({ name }) => { - const migration = migrations.find(migration => migration.name === name); - logger.debug(`Resolving migration: ${name}, found: ${migration ? migration.name : 'none'}`); --- -2.52.0 - diff --git a/specs/l/linux-sgx/0401-pccsadmin-remove-leftover-debugging-print-args-state.patch b/specs/l/linux-sgx/0401-pccsadmin-remove-leftover-debugging-print-args-state.patch deleted file mode 100644 index 62d1682e5f0..00000000000 --- a/specs/l/linux-sgx/0401-pccsadmin-remove-leftover-debugging-print-args-state.patch +++ /dev/null 
@@ -1,33 +0,0 @@ -From 41858b9da0b2b2946965ab988795c1b8a87ede82 Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?= -Date: Tue, 27 Jan 2026 11:47:46 +0000 -Subject: [PATCH 401/404] pccsadmin: remove leftover debugging 'print(args)' - statement -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -Dumping the python "Namespace" object to stdout after parsing argv -serves no user purpose. Remove what is presumably a leftover -debugging statement. - -Signed-off-by: Daniel P. Berrangé ---- - PccsAdminTool/pccsadmin.py | 1 - - 1 file changed, 1 deletion(-) - -diff --git a/PccsAdminTool/pccsadmin.py b/PccsAdminTool/pccsadmin.py -index 01dc9b8..f38d412 100755 ---- a/PccsAdminTool/pccsadmin.py -+++ b/PccsAdminTool/pccsadmin.py -@@ -56,7 +56,6 @@ def main(): - parser.print_help() - parser.exit() - -- print(args) - # Check mandatory arguments for appraisalpolicy - if args.command == 'put' and args.url and args.url.endswith("/appraisalpolicy"): - if not args.fmspc or not args.input_file: --- -2.52.0 - diff --git a/specs/l/linux-sgx/0402-pccsadmin-make-keyring-module-optional.patch b/specs/l/linux-sgx/0402-pccsadmin-make-keyring-module-optional.patch deleted file mode 100644 index d8c7523f7b7..00000000000 --- a/specs/l/linux-sgx/0402-pccsadmin-make-keyring-module-optional.patch +++ /dev/null 
@@ -1,69 +0,0 @@ -From 59cd2d52e92e983f1149a77b1f444d754a11b31c Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?= -Date: Tue, 27 Jan 2026 11:49:50 +0000 -Subject: [PATCH 402/404] pccsadmin: make 'keyring' module optional -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -This is not available in some distros, and since it is merely a -convenience to avoid repeated password entry, it can be made -optional. - -Signed-off-by: Daniel P. Berrangé ---- - PccsAdminTool/lib/intelsgx/credential.py | 29 ++++++++++++++---------- - 1 file changed, 17 insertions(+), 12 deletions(-) - -diff --git a/PccsAdminTool/lib/intelsgx/credential.py b/PccsAdminTool/lib/intelsgx/credential.py -index ca1b23b..d23ec20 100644 ---- a/PccsAdminTool/lib/intelsgx/credential.py -+++ b/PccsAdminTool/lib/intelsgx/credential.py -@@ -1,4 +1,7 @@ --import keyring -+try: -+ import keyring -+except: -+ keyring = None - import getpass - - class Credentials: -@@ -7,11 +10,12 @@ class Credentials: - - def get_admin_token(self): - admin_token = "" -- try: -- print("Please note: A prompt may appear asking for your keyring password to access stored credentials.") -- admin_token = keyring.get_password(self.APPNAME, self.KEY_ADMINTOKEN) -- except keyring.errors.KeyringError as ke: -- admin_token = "" -+ if keyring is not None: -+ try: -+ print("Please note: A prompt may appear asking for your keyring password to access stored credentials.") -+ admin_token = keyring.get_password(self.APPNAME, self.KEY_ADMINTOKEN) -+ except keyring.errors.KeyringError as ke: -+ admin_token = "" - - while admin_token is None or admin_token == '': - admin_token = getpass.getpass(prompt="Please input your administrator password for PCCS service:") -@@ -24,10 +28,11 @@ class Credentials: - return admin_token - - def set_admin_token(self, token): -- try: -- print("Please note: A prompt may appear asking for your keyring password to access stored credentials.") -- 
keyring.set_password(self.APPNAME, self.KEY_ADMINTOKEN, token) -- except keyring.errors.PasswordSetError as ke: -- print("Failed to store admin token.") -- return False -+ if keyring is not None: -+ try: -+ print("Please note: A prompt may appear asking for your keyring password to access stored credentials.") -+ keyring.set_password(self.APPNAME, self.KEY_ADMINTOKEN, token) -+ except keyring.errors.PasswordSetError as ke: -+ print("Failed to store admin token.") -+ return False - return True --- -2.52.0 - diff --git a/specs/l/linux-sgx/0403-pccsadmin-ignore-errors-trying-to-clear-the-keyring.patch b/specs/l/linux-sgx/0403-pccsadmin-ignore-errors-trying-to-clear-the-keyring.patch deleted file mode 100644 index ae2eeafc35b..00000000000 --- a/specs/l/linux-sgx/0403-pccsadmin-ignore-errors-trying-to-clear-the-keyring.patch +++ /dev/null 
@@ -1,85 +0,0 @@ -From cfd679c70fbfd00a9be4233e8c6c6ca2c99988c4 Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?= -Date: Tue, 27 Jan 2026 11:51:25 +0000 -Subject: [PATCH 403/404] pccsadmin: ignore errors trying to clear the keyring -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -On authentication errors with PCS, an attempt is made to clear the -keyring. This may fail if the user's login environment has no keyring -configured. The user would have declined to store the key when first -prompted, so there would be nothing to clear either in this case. - -Signed-off-by: Daniel P. Berrangé ---- - PccsAdminTool/pccsadmin.py | 32 ++++++++++++++++++++++++++++---- - 1 file changed, 28 insertions(+), 4 deletions(-) - -diff --git a/PccsAdminTool/pccsadmin.py b/PccsAdminTool/pccsadmin.py -index f38d412..413fea8 100755 ---- a/PccsAdminTool/pccsadmin.py -+++ b/PccsAdminTool/pccsadmin.py -@@ -119,7 +119,13 @@ class PccsClient: - if response.status_code == 200: - self._write_output_file(output_file, response) - elif response.status_code == 401: # Authentication error -- self.credentials.set_admin_token('') -+ try: -+ self.credentials.set_admin_token('') -+ except: -+ # If keyring is unavailable, we don't want to trigger -+ # traceback, as the user may have declined to save -+ # the key in the keyring earlier -+ pass - print("Authentication failed.") - else: - self._handle_error(response) -@@ -149,7 +155,13 @@ class PccsClient: - if response.status_code == 200: - print("Collaterals uploaded successfully.") - elif response.status_code == 401: # Authentication error -- self.credentials.set_admin_token('') -+ try: -+ self.credentials.set_admin_token('') -+ except: -+ # If keyring is unavailable, we don't want to trigger -+ # traceback, as the user may have declined to save -+ # the key in the keyring earlier -+ pass - print("Authentication failed.") - else: - self._handle_error(response) -@@ -165,7 +177,13 @@ 
class PccsClient: - if response.status_code == 200: - print("Policy uploaded successfully with policy ID :" + response.text) - elif response.status_code == 401: # Authentication error -- self.credentials.set_admin_token('') -+ try: -+ self.credentials.set_admin_token('') -+ except: -+ # If keyring is unavailable, we don't want to trigger -+ # traceback, as the user may have declined to save -+ # the key in the keyring earlier -+ pass - print("Authentication failed.") - else: - self._handle_error(response) -@@ -198,7 +216,13 @@ class PccsClient: - if response.status_code == 200: - print("The cache database was refreshed successfully.") - elif response.status_code == 401: # Authentication error -- self.credentials.set_admin_token('') -+ try: -+ self.credentials.set_admin_token('') -+ except: -+ # If keyring is unavailable, we don't want to trigger -+ # traceback, as the user may have declined to save -+ # the key in the keyring earlier -+ pass - print("Authentication failed.") - else: - self._handle_error(response) --- -2.52.0 - diff --git a/specs/l/linux-sgx/0404-service-force-override-tar-module-to-7.0.0-series.patch b/specs/l/linux-sgx/0404-service-force-override-tar-module-to-7.0.0-series.patch deleted file mode 100644 index ca34b3fe6fa..00000000000 --- a/specs/l/linux-sgx/0404-service-force-override-tar-module-to-7.0.0-series.patch +++ /dev/null 
@@ -1,404 +0,0 @@ -From c121747f3e3cd71e88516edb597e0db27250b244 Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?= -Date: Tue, 27 Jan 2026 17:29:22 +0000 -Subject: [PATCH 404/404] service: force override "tar" module to 7.0.0 series -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -The 6.x series is vulnerable to multiple flaws, however, it is a -depedency of sqlite3. The latter has not been updated in several -years. The new tar 7.x series appears largely back-compatible -despite the major version change, so can override it to force -the new release. - -The 'npm audit fix' command was run to update pacakge-lock.json -with new deps for tar 7.x and eliminate other outdated/vunlerable -deps. - -Signed-off-by: Daniel P. Berrangé ---- - service/package-lock.json | 225 ++++++++++++++++++++++++++++---------- - service/package.json | 3 + - 2 files changed, 172 insertions(+), 56 deletions(-) - -diff --git a/service/package-lock.json b/service/package-lock.json -index fe887ce..54ef2ec 100644 ---- a/service/package-lock.json -+++ b/service/package-lock.json -@@ -78,6 +78,27 @@ - "license": "MIT", - "optional": true - }, -+ "node_modules/@isaacs/fs-minipass": { -+ "version": "4.0.1", -+ "resolved": "https://registry.npmjs.org/@isaacs/fs-minipass/-/fs-minipass-4.0.1.tgz", -+ "integrity": "sha512-wgm9Ehl2jpeqP3zw/7mo3kRHFp5MEDhqAdwy1fTGkHAwnkGOVsgpvQhL8B5n1qlb01jV3n/bI0ZfZp5lWA1k4w==", -+ "license": "ISC", -+ "dependencies": { -+ "minipass": "^7.0.4" -+ }, -+ "engines": { -+ "node": ">=18.0.0" -+ } -+ }, -+ "node_modules/@isaacs/fs-minipass/node_modules/minipass": { -+ "version": "7.1.2", -+ "resolved": "https://registry.npmjs.org/minipass/-/minipass-7.1.2.tgz", -+ "integrity": "sha512-qOOzS1cBTWYF4BH8fVePDBOO9iptMnGUEZwNc/cMWnTV2nVLZ7VoNWEPHkYczZA0pdoA7dl6e7FL659nX9S2aw==", -+ "license": "ISC", -+ "engines": { -+ "node": ">=16 || 14 >=14.17" -+ } -+ }, - "node_modules/@nodelib/fs.scandir": { - "version": 
"2.1.5", - "resolved": "https://registry.npmjs.org/@nodelib/fs.scandir/-/fs.scandir-2.1.5.tgz", -@@ -660,29 +681,58 @@ - } - }, - "node_modules/body-parser": { -- "version": "1.20.3", -- "resolved": "https://registry.npmjs.org/body-parser/-/body-parser-1.20.3.tgz", -- "integrity": "sha512-7rAxByjUMqQ3/bHJy7D6OGXvx/MMc4IqBn/X0fcM1QUcAItpZrBEYhWGem+tzXH90c+G01ypMcYJBO9Y30203g==", -+ "version": "1.20.4", -+ "resolved": "https://registry.npmjs.org/body-parser/-/body-parser-1.20.4.tgz", -+ "integrity": "sha512-ZTgYYLMOXY9qKU/57FAo8F+HA2dGX7bqGc71txDRC1rS4frdFI5R7NhluHxH6M0YItAP0sHB4uqAOcYKxO6uGA==", - "license": "MIT", - "dependencies": { -- "bytes": "3.1.2", -+ "bytes": "~3.1.2", - "content-type": "~1.0.5", - "debug": "2.6.9", - "depd": "2.0.0", -- "destroy": "1.2.0", -- "http-errors": "2.0.0", -- "iconv-lite": "0.4.24", -- "on-finished": "2.4.1", -- "qs": "6.13.0", -- "raw-body": "2.5.2", -+ "destroy": "~1.2.0", -+ "http-errors": "~2.0.1", -+ "iconv-lite": "~0.4.24", -+ "on-finished": "~2.4.1", -+ "qs": "~6.14.0", -+ "raw-body": "~2.5.3", - "type-is": "~1.6.18", -- "unpipe": "1.0.0" -+ "unpipe": "~1.0.0" - }, - "engines": { - "node": ">= 0.8", - "npm": "1.2.8000 || >= 1.4.16" - } - }, -+ "node_modules/body-parser/node_modules/http-errors": { -+ "version": "2.0.1", -+ "resolved": "https://registry.npmjs.org/http-errors/-/http-errors-2.0.1.tgz", -+ "integrity": "sha512-4FbRdAX+bSdmo4AUFuS0WNiPz8NgFt+r8ThgNWmlrjQjt1Q7ZR9+zTlce2859x4KSXrwIsaeTqDoKQmtP8pLmQ==", -+ "license": "MIT", -+ "dependencies": { -+ "depd": "~2.0.0", -+ "inherits": "~2.0.4", -+ "setprototypeof": "~1.2.0", -+ "statuses": "~2.0.2", -+ "toidentifier": "~1.0.1" -+ }, -+ "engines": { -+ "node": ">= 0.8" -+ }, -+ "funding": { -+ "type": "opencollective", -+ "url": "https://opencollective.com/express" -+ } -+ }, -+ "node_modules/body-parser/node_modules/statuses": { -+ "version": "2.0.2", -+ "resolved": "https://registry.npmjs.org/statuses/-/statuses-2.0.2.tgz", -+ "integrity": 
"sha512-DvEy55V3DB7uknRo+4iOGT5fP1slR8wQohVdknigZPMpMstaKJQWhwiYBACJE3Ul2pTnATihhBYnRhZQHGBiRw==", -+ "license": "MIT", -+ "engines": { -+ "node": ">= 0.8" -+ } -+ }, - "node_modules/brace-expansion": { - "version": "1.1.12", - "resolved": "https://registry.npmjs.org/brace-expansion/-/brace-expansion-1.1.12.tgz", -@@ -858,6 +908,7 @@ - "resolved": "https://registry.npmjs.org/chownr/-/chownr-2.0.0.tgz", - "integrity": "sha512-bIomtDF5KGpdogkLd9VspvFzk9KfpyyGlS8YFVZl7TGPBHL5snIOnxeshwVgPteQ9b4Eydl+pVbIyE1DcvCWgQ==", - "license": "ISC", -+ "optional": true, - "engines": { - "node": ">=10" - } -@@ -1309,39 +1360,39 @@ - } - }, - "node_modules/express": { -- "version": "4.21.2", -- "resolved": "https://registry.npmjs.org/express/-/express-4.21.2.tgz", -- "integrity": "sha512-28HqgMZAmih1Czt9ny7qr6ek2qddF4FclbMzwhCREB6OFfH+rXAnuNCwo1/wFvrtbgsQDb4kSbX9de9lFbrXnA==", -+ "version": "4.22.1", -+ "resolved": "https://registry.npmjs.org/express/-/express-4.22.1.tgz", -+ "integrity": "sha512-F2X8g9P1X7uCPZMA3MVf9wcTqlyNp7IhH5qPCI0izhaOIYXaW9L535tGA3qmjRzpH+bZczqq7hVKxTR4NWnu+g==", - "license": "MIT", - "dependencies": { - "accepts": "~1.3.8", - "array-flatten": "1.1.1", -- "body-parser": "1.20.3", -- "content-disposition": "0.5.4", -+ "body-parser": "~1.20.3", -+ "content-disposition": "~0.5.4", - "content-type": "~1.0.4", -- "cookie": "0.7.1", -- "cookie-signature": "1.0.6", -+ "cookie": "~0.7.1", -+ "cookie-signature": "~1.0.6", - "debug": "2.6.9", - "depd": "2.0.0", - "encodeurl": "~2.0.0", - "escape-html": "~1.0.3", - "etag": "~1.8.1", -- "finalhandler": "1.3.1", -- "fresh": "0.5.2", -- "http-errors": "2.0.0", -+ "finalhandler": "~1.3.1", -+ "fresh": "~0.5.2", -+ "http-errors": "~2.0.0", - "merge-descriptors": "1.0.3", - "methods": "~1.1.2", -- "on-finished": "2.4.1", -+ "on-finished": "~2.4.1", - "parseurl": "~1.3.3", -- "path-to-regexp": "0.1.12", -+ "path-to-regexp": "~0.1.12", - "proxy-addr": "~2.0.7", -- "qs": "6.13.0", -+ "qs": "~6.14.0", - "range-parser": "~1.2.1", - 
"safe-buffer": "5.2.1", -- "send": "0.19.0", -- "serve-static": "1.16.2", -+ "send": "~0.19.0", -+ "serve-static": "~1.16.2", - "setprototypeof": "1.2.0", -- "statuses": "2.0.1", -+ "statuses": "~2.0.1", - "type-is": "~1.6.18", - "utils-merge": "1.0.1", - "vary": "~1.1.2" -@@ -1492,6 +1543,7 @@ - "resolved": "https://registry.npmjs.org/fs-minipass/-/fs-minipass-2.1.0.tgz", - "integrity": "sha512-V/JgOLFCS+R6Vcq0slCuaeWEdNC3ouDlJMNIsacH2VtALiu9mV4LPrHc5cDl8k5aw6J8jwgWWpiTo5RYhmIzvg==", - "license": "ISC", -+ "optional": true, - "dependencies": { - "minipass": "^3.0.0" - }, -@@ -2164,9 +2216,9 @@ - "license": "MIT" - }, - "node_modules/lodash": { -- "version": "4.17.21", -- "resolved": "https://registry.npmjs.org/lodash/-/lodash-4.17.21.tgz", -- "integrity": "sha512-v2kDEe57lecTulaDIuNTPy3Ry4gLGJ6Z1O3vE1krgXZNrsQ+LFTGHVxVjcXPs17LhbZVGedAJv8XZ1tvj5FvSg==", -+ "version": "4.17.23", -+ "resolved": "https://registry.npmjs.org/lodash/-/lodash-4.17.23.tgz", -+ "integrity": "sha512-LgVTMpQtIopCi79SJeDiP0TfWi5CNEc/L/aRdTh3yIvmZXTnheWpKjSZhnvMl8iXbC1tFg9gdHHDMLoV7CnG+w==", - "license": "MIT" - }, - "node_modules/logform": { -@@ -2414,6 +2466,7 @@ - "resolved": "https://registry.npmjs.org/minipass/-/minipass-3.3.6.tgz", - "integrity": "sha512-DxiNidxSEK+tHG6zOIklvNOwm3hvCrbUrdtzY74U6HKTJxvIDfOUL5W5P2Ghd3DTkhhKPYGqeNUIh5qcM4YBfw==", - "license": "ISC", -+ "optional": true, - "dependencies": { - "yallist": "^4.0.0" - }, -@@ -2496,6 +2549,7 @@ - "resolved": "https://registry.npmjs.org/minizlib/-/minizlib-2.1.2.tgz", - "integrity": "sha512-bAxsR8BVfj60DWXHE3u30oHzfl4G7khkSuPW+qvpd7jFRHm7dLxOjUk1EHACJ/hxLY8phGJ0YhYHZo7jil7Qdg==", - "license": "MIT", -+ "optional": true, - "dependencies": { - "minipass": "^3.0.0", - "yallist": "^4.0.0" -@@ -2509,6 +2563,7 @@ - "resolved": "https://registry.npmjs.org/mkdirp/-/mkdirp-1.0.4.tgz", - "integrity": "sha512-vVqVZQyf3WLx2Shd0qJ9xuvqgAyKPLAiqITEtqW0oIUjzo3PePDd6fW9iFz30ef7Ysp/oiWqbhszeGWW2T6Gzw==", - "license": "MIT", -+ "optional": true, - 
"bin": { - "mkdirp": "bin/cmd.js" - }, -@@ -3009,12 +3064,12 @@ - } - }, - "node_modules/qs": { -- "version": "6.13.0", -- "resolved": "https://registry.npmjs.org/qs/-/qs-6.13.0.tgz", -- "integrity": "sha512-+38qI9SOr8tfZ4QmJNplMUxqjbe7LKvvZgWdExBOmd+egZTtjLB67Gu0HRX3u/XOq7UU2Nx6nsjvS16Z9uwfpg==", -+ "version": "6.14.1", -+ "resolved": "https://registry.npmjs.org/qs/-/qs-6.14.1.tgz", -+ "integrity": "sha512-4EK3+xJl8Ts67nLYNwqw/dsFVnCf+qR7RgXSK9jEEm9unao3njwMDdmsdvoKBKHzxd7tCYz5e5M+SnMjdtXGQQ==", - "license": "BSD-3-Clause", - "dependencies": { -- "side-channel": "^1.0.6" -+ "side-channel": "^1.1.0" - }, - "engines": { - "node": ">=0.6" -@@ -3065,20 +3120,49 @@ - } - }, - "node_modules/raw-body": { -- "version": "2.5.2", -- "resolved": "https://registry.npmjs.org/raw-body/-/raw-body-2.5.2.tgz", -- "integrity": "sha512-8zGqypfENjCIqGhgXToC8aB2r7YrBX+AQAfIPs/Mlk+BtPTztOvTS01NRW/3Eh60J+a48lt8qsCzirQ6loCVfA==", -+ "version": "2.5.3", -+ "resolved": "https://registry.npmjs.org/raw-body/-/raw-body-2.5.3.tgz", -+ "integrity": "sha512-s4VSOf6yN0rvbRZGxs8Om5CWj6seneMwK3oDb4lWDH0UPhWcxwOWw5+qk24bxq87szX1ydrwylIOp2uG1ojUpA==", - "license": "MIT", - "dependencies": { -- "bytes": "3.1.2", -- "http-errors": "2.0.0", -- "iconv-lite": "0.4.24", -- "unpipe": "1.0.0" -+ "bytes": "~3.1.2", -+ "http-errors": "~2.0.1", -+ "iconv-lite": "~0.4.24", -+ "unpipe": "~1.0.0" - }, - "engines": { - "node": ">= 0.8" - } - }, -+ "node_modules/raw-body/node_modules/http-errors": { -+ "version": "2.0.1", -+ "resolved": "https://registry.npmjs.org/http-errors/-/http-errors-2.0.1.tgz", -+ "integrity": "sha512-4FbRdAX+bSdmo4AUFuS0WNiPz8NgFt+r8ThgNWmlrjQjt1Q7ZR9+zTlce2859x4KSXrwIsaeTqDoKQmtP8pLmQ==", -+ "license": "MIT", -+ "dependencies": { -+ "depd": "~2.0.0", -+ "inherits": "~2.0.4", -+ "setprototypeof": "~1.2.0", -+ "statuses": "~2.0.2", -+ "toidentifier": "~1.0.1" -+ }, -+ "engines": { -+ "node": ">= 0.8" -+ }, -+ "funding": { -+ "type": "opencollective", -+ "url": 
"https://opencollective.com/express" -+ } -+ }, -+ "node_modules/raw-body/node_modules/statuses": { -+ "version": "2.0.2", -+ "resolved": "https://registry.npmjs.org/statuses/-/statuses-2.0.2.tgz", -+ "integrity": "sha512-DvEy55V3DB7uknRo+4iOGT5fP1slR8wQohVdknigZPMpMstaKJQWhwiYBACJE3Ul2pTnATihhBYnRhZQHGBiRw==", -+ "license": "MIT", -+ "engines": { -+ "node": ">= 0.8" -+ } -+ }, - "node_modules/rc": { - "version": "1.2.8", - "resolved": "https://registry.npmjs.org/rc/-/rc-1.2.8.tgz", -@@ -3804,20 +3888,19 @@ - } - }, - "node_modules/tar": { -- "version": "6.2.1", -- "resolved": "https://registry.npmjs.org/tar/-/tar-6.2.1.tgz", -- "integrity": "sha512-DZ4yORTwrbTj/7MZYq2w+/ZFdI6OZ/f9SFHR+71gIVUZhOQPHzVCLpvRnPgyaMpfWxxk/4ONva3GQSyNIKRv6A==", -- "license": "ISC", -+ "version": "7.5.7", -+ "resolved": "https://registry.npmjs.org/tar/-/tar-7.5.7.tgz", -+ "integrity": "sha512-fov56fJiRuThVFXD6o6/Q354S7pnWMJIVlDBYijsTNx6jKSE4pvrDTs6lUnmGvNyfJwFQQwWy3owKz1ucIhveQ==", -+ "license": "BlueOak-1.0.0", - "dependencies": { -- "chownr": "^2.0.0", -- "fs-minipass": "^2.0.0", -- "minipass": "^5.0.0", -- "minizlib": "^2.1.1", -- "mkdirp": "^1.0.3", -- "yallist": "^4.0.0" -+ "@isaacs/fs-minipass": "^4.0.0", -+ "chownr": "^3.0.0", -+ "minipass": "^7.1.2", -+ "minizlib": "^3.1.0", -+ "yallist": "^5.0.0" - }, - "engines": { -- "node": ">=10" -+ "node": ">=18" - } - }, - "node_modules/tar-fs": { -@@ -3854,13 +3937,43 @@ - "node": ">=6" - } - }, -+ "node_modules/tar/node_modules/chownr": { -+ "version": "3.0.0", -+ "resolved": "https://registry.npmjs.org/chownr/-/chownr-3.0.0.tgz", -+ "integrity": "sha512-+IxzY9BZOQd/XuYPRmrvEVjF/nqj5kgT4kEq7VofrDoM1MxoRjEWkrCC3EtLi59TVawxTAn+orJwFQcrqEN1+g==", -+ "license": "BlueOak-1.0.0", -+ "engines": { -+ "node": ">=18" -+ } -+ }, - "node_modules/tar/node_modules/minipass": { -- "version": "5.0.0", -- "resolved": "https://registry.npmjs.org/minipass/-/minipass-5.0.0.tgz", -- "integrity": 
"sha512-3FnjYuehv9k6ovOEbyOswadCDPX1piCfhV8ncmYtHOjuPwylVWsghTLo7rabjC3Rx5xD4HDx8Wm1xnMF7S5qFQ==", -+ "version": "7.1.2", -+ "resolved": "https://registry.npmjs.org/minipass/-/minipass-7.1.2.tgz", -+ "integrity": "sha512-qOOzS1cBTWYF4BH8fVePDBOO9iptMnGUEZwNc/cMWnTV2nVLZ7VoNWEPHkYczZA0pdoA7dl6e7FL659nX9S2aw==", - "license": "ISC", - "engines": { -- "node": ">=8" -+ "node": ">=16 || 14 >=14.17" -+ } -+ }, -+ "node_modules/tar/node_modules/minizlib": { -+ "version": "3.1.0", -+ "resolved": "https://registry.npmjs.org/minizlib/-/minizlib-3.1.0.tgz", -+ "integrity": "sha512-KZxYo1BUkWD2TVFLr0MQoM8vUUigWD3LlD83a/75BqC+4qE0Hb1Vo5v1FgcfaNXvfXzr+5EhQ6ing/CaBijTlw==", -+ "license": "MIT", -+ "dependencies": { -+ "minipass": "^7.1.2" -+ }, -+ "engines": { -+ "node": ">= 18" -+ } -+ }, -+ "node_modules/tar/node_modules/yallist": { -+ "version": "5.0.0", -+ "resolved": "https://registry.npmjs.org/yallist/-/yallist-5.0.0.tgz", -+ "integrity": "sha512-YgvUTfwqyc7UXVMrB+SImsVYSmTS8X/tSrtdNZMImM+n7+QTriRXyXim0mBrTXNeqzVF0KWGgHPeiyViFFrNDw==", -+ "license": "BlueOak-1.0.0", -+ "engines": { -+ "node": ">=18" - } - }, - "node_modules/text-hex": { -diff --git a/service/package.json b/service/package.json -index 85a4996..95e568e 100644 ---- a/service/package.json -+++ b/service/package.json -@@ -26,5 +26,8 @@ - }, - "scripts": { - "start": "node pccs_server.js" -+ }, -+ "overrides": { -+ "tar": "^7.0.0" - } - } --- -2.52.0 - diff --git a/specs/l/linux-sgx/linux-sgx.spec b/specs/l/linux-sgx/linux-sgx.spec index 547e35b3232..23dcf092f77 100644 --- a/specs/l/linux-sgx/linux-sgx.spec +++ b/specs/l/linux-sgx/linux-sgx.spec @@ -2,7 +2,7 @@ ## (rpmautospec version 0.8.3) ## RPMAUTOSPEC: autorelease, autochangelog %define autorelease(e:s:pb:n) %{?-p:0.}%{lua: - release_number = 10; + release_number = 6; base_release_number = tonumber(rpm.expand("%{?-b*}%{!?-b:1}")); print(release_number + base_release_number - 1); }%{?-e:.%{-e*}}%{?-s:.%{-s*}}%{!?-n:%{?dist}} 
@@ -70,9 +70,6 @@ %global with_sysusers_scripts 1 %endif -# Change after running pccs-nodejs-bundler -%define node_modules_date 20260204 - ############################################################ # # A note about versions @@ -85,26 +82,25 @@ # of new tarballs after updating the versions, as well as stripping # non-permitted content from some tarballs. # -%global linux_sgx_version 2.27 +%global linux_sgx_version 2.28 # From submodule: external/dcap_source -%global dcap_version 1.24 +%global dcap_version 1.25 # From submodule: external/dcap_source/QuoteVerification/QVL # NB: follows DCAP versioning, but may skip releases -%global dcap_qvl_version 1.24 +%global dcap_qvl_version 1.25 # From script: external/sgxssl/prepare_sgxssl.sh # Should match: external/dcap_source/QuoteVerification/prepare_sgxssl.sh -%global sgx_ssl_version 3.0_Rev5.1 +%global sgx_ssl_version 3.0_Rev5.2 # From submodule: external/ippcp_internal/ipp-crypto %global ipp_crypto_version 2021.12.1 # From submodule: external/sgx-emm/emm_src %global sgx_emm_version 1.0.3 -# From submodule: external/dcap_source/QuoteGeneration/pccs -# NB: follows DCAP versioning, but may skip releases -%global pccs_version 1.24 - +# From external/libcxxrt/libcxxrt_code +%global libcxxrt_commit a6f71cbc3a1e1b8b9df241e081fa0ffdcde96249 +%global libcxxrt_version 4.0.10^20250225gita6f71cb # From script: external/sgxssl/prepare_sgxssl.sh # Should match: external/dcap_source/QuoteVerification/prepare_sgxssl.sh -%global openssl_version 3.0.17 +%global openssl_version 3.0.19 # From submodule: external/cbor/libcbor %global libcbor_version 0.10.2 # From submodule: external/protobuf/protobuf_code/third_party/abseil-cpp 
@@ -112,12 +108,10 @@ # From submodule: external/dcap_source/external/jwt-cpp %global jwt_cpp_version 0.6.0 # From submodule: external/dcap_source/external/wasm-micro-runtime -%global wamr_version 2.4.3 +%global wamr_version 1.0.0 # From code: external/tinyxml2/ %global tinyxml2_version 10.0.0 -# From docs: external/epid-sdk/CHANGELOG.md -%global epid_version 6.0.0 # From script: external/rdrand/src/configure.ac %global rdrand_version 1.1 %global vtune_version 2018 @@ -155,12 +149,15 @@ # to ship in Fedora. %global with_enclave_qve 1 +# Quote Appraisal Enclave. Optional. Evaluates quote evidence +%global with_enclave_qae 1 %global _with_enclave_pce %{expr:%{with_enclaves} ? %{with_enclave_pce} : 0} %global _with_enclave_ide %{expr:%{with_enclaves} ? %{with_enclave_ide} : 0} %global _with_enclave_qe3 %{expr:%{with_enclaves} ? %{with_enclave_qe3} : 0} %global _with_enclave_tdqe %{expr:%{with_enclaves} ? %{with_enclave_tdqe} : 0} %global _with_enclave_qve %{expr:%{with_enclaves} ? %{with_enclave_qve} : 0} +%global _with_enclave_qae %{expr:%{with_enclaves} ? %{with_enclave_qae} : 0} # We prefer deployments using the pre-built enclaves @@ -179,19 +176,13 @@ Summary: Intel Linux SGX SDK and Platform Software # so while the license of the combined work is declared to be # BSD-3-Clause, there is actually a huge set of licenses to track License: %{shrink: - %dnl node_modules - 0BSD AND - - %dnl sdk/tlibcxx, external/ippcp_internal, external/epid-sdk, node_modules + %dnl sdk/tlibcxx, external/ippcp_internal Apache-2.0 AND - %dnl node_modules - BlueOak-1.0.0 AND - - %dnl sdk/cpprt, sdk/tlibc, node_modules + %dnl sdk/cpprt, sdk/tlibc BSD-2-Clause AND - %dnl external/dcap_source, sdk/*, node_modules + %dnl external/dcap_source, sdk/* BSD-3-Clause AND %dnl sdk/tlibc 
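Review bot: `%global wamr_version 1.0.0` lowers the recorded wasm-micro-runtime version from 2.4.3 and the hunk gives no reason for the step backwards. If the submodule shipped with the new dcap_source snapshot really is 1.0.0, a comment on the line, e.g. `# NB: lower than the 2.x snapshot bundled before; intentional, see <reason>`, would stop the next maintainer from "correcting" it upward; if it is a typo, any bundled() Provides derived from it will misreport the version that advisory matching relies on. The value should be checked against external/dcap_source/external/wasm-micro-runtime before merge.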
@@ -203,10 +194,10 @@ License: %{shrink: %dnl psd/urts/linux/isgx_user.h GPL-2.0-only AND - %dnl sdk/tlibc, sdk/pthread, node_modules + %dnl sdk/tlibc, sdk/pthread ISC AND - %dnl external/cbor/libcbor, sdk/*, node_modules + %dnl external/cbor/libcbor, sdk/* MIT AND %dnl sdk/tlibc/stdlib/malloc.c @@ -224,12 +215,6 @@ License: %{shrink: %dnl sdk/tlibc/math SunPro AND - %dnl node_modules - Unlicense AND - - %dnl node_modules - WTFPL AND - %dnl sdk/tlibc LicenseRef-Fedora-Public-Domain } @@ -269,9 +254,6 @@ Provides: bundled(sgx-emm) = %{sgx_emm_version} Source7: https://github.com/intel/confidential-computing.tee.dcap.qvl/archive/refs/tags/DCAP_%{dcap_qvl_version}.tar.gz#/dcap-qvl-%{dcap_qvl_version}.tar.gz Provides: bundled(dcap-qvl) = %{dcap_qvl_version} -Source8: https://github.com/intel/confidential-computing.tee.dcap.pccs/archive/refs/tags/DCAP_%{pccs_version}.tar.gz#/pccs-%{pccs_version}.tar.gz -Provides: bundled(pccs) = %{pccs_version} - ############################################################ # 3rd party projects SourceN for N in (10..19) @@ -294,6 +276,8 @@ Source14: https://github.com/leethomason/tinyxml2/archive/refs/tags/%{tinyxml2_v Provides: bundled(tinyxml2) = %{tinyxml2_version} %endif +Source15: https://github.com/libcxxrt/libcxxrt/archive/%{libcxxrt_commit}.tar.gz#/libcxxrt-%{libcxxrt_version}.tar.gz +Provides: bundled(libcxxrt) = %{libcxxrt_version} ############################################################ # Misc distro integration files SourceN in (40..59) 
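Review bot: The `%dnl` annotations in the License expression drop `node_modules` everywhere but gain nothing for libcxxrt, which this same change starts bundling (Source15 and `Provides: bundled(libcxxrt)` below), so the licence inventory is incomplete for the new tree. If libcxxrt carries a licence already in the expression, add its path to the matching annotation, e.g. `%dnl sdk/cpprt, sdk/tlibc, external/libcxxrt` if it is BSD-2-Clause like sdk/cpprt; if not, the expression needs a new term. The Unlicense and WTFPL removals in the -224 hunk look consistent, since both were attributed to node_modules only.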
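Review bot: Source15 fetches a GitHub auto-generated archive for a bare commit, so the content is only as stable as GitHub's tarball generation and the real pin is the SHA512 in the package's `sources` file, which is not in this chunk; make sure an entry for `libcxxrt-%{libcxxrt_version}.tar.gz` is added next to this new Source line, as was done for systemtap in the same series. A one-line comment on `%global libcxxrt_version` stating where `4.0.10` comes from (presumably the last tag before a6f71cb) would make future bumps checkable.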
@@ -310,23 +294,13 @@ Source46: qgs.sysconfig Source48: mpa_registration.service -Source50: pccs.sysusers.conf -Source51: pccs.service -# RPM build doesn't run this, but we want it in the src.rpm -# as record of what was used to create Source54 -Source52: pccs-nodejs-bundler -# Pre-created using Source53 -Source53: pccs-%{dcap_version}-%{node_modules_date}-node-modules.tar.xz - ############################################################ # External projects that have been copied in tarballs as bundles -# In external/epid-sdk/ -Provides: bundled(epid-sdk) = 6.0.0 # In external/rdrand/ -Provides: bundled(RdRand) = 1.1 +Provides: bundled(RdRand) = %{rdrand_version} # In external/vtune/ -Provides: bundled(vtune) = 2018 +Provides: bundled(vtune) = %{vtune_version} ############################################################ # Distro integration patches 
@@ -342,20 +316,18 @@ Patch0002: 0002-Add-support-for-building-against-host-CppMicroServic.patch Patch0003: 0003-Improve-make-debuggability.patch Patch0004: 0004-Support-disabling-use-of-git-for-ippcp-code.patch Patch0005: 0005-disable-openmp-protobuf-sample_crypto-builds.patch -# https://github.com/intel/linux-sgx/pull/1056 -Patch0006: 0006-Fix-escaping-of-regexes-in-sgx-asm-pp.patch # https://github.com/intel/linux-sgx/pull/1064 -Patch0007: 0007-psw-prefer-dev-sgx_provision-dev-sgx_enclave.patch -Patch0008: 0008-psw-fix-soname-for-libuae_service.so-library.patch -Patch0009: 0009-pcl-remove-redundant-use-of-bool-type.patch -Patch0010: 0010-sdk-honour-CFLAGS-LDFLAGS-set-from-environment.patch -Patch0011: 0011-psw-make-aesm_service-build-verbose.patch -Patch0012: 0012-Fix-modern-C-function-prototype-compliance.patch -Patch0013: 0013-Add-wrapper-for-nasm-to-fix-cmake-compat.patch -Patch0014: 0014-fix-BOM-for-pccs-with-DCAP.patch -Patch0015: 0015-sdk-avoid-failure-due-to-attribute-regparam-with-GCC.patch -Patch0016: 0016-Add-impl-of-__cxa_call_terminate.patch -Patch0017: 0017-fix-BOM-for-mpa_manage-mpa_registration-files.patch +Patch0006: 0006-psw-prefer-dev-sgx_provision-dev-sgx_enclave.patch +Patch0007: 0007-psw-fix-soname-for-libuae_service.so-library.patch +Patch0008: 0008-pcl-remove-redundant-use-of-bool-type.patch +Patch0009: 0009-sdk-honour-CFLAGS-LDFLAGS-set-from-environment.patch +Patch0010: 0010-psw-make-aesm_service-build-verbose.patch +Patch0011: 0011-Fix-modern-C-function-prototype-compliance.patch +Patch0012: 0012-Add-wrapper-for-nasm-to-fix-cmake-compat.patch +Patch0013: 0013-linux-installer-drop-PCCS-package-from-BOM.patch +Patch0014: 0014-sdk-avoid-failure-due-to-attribute-regparam-with-GCC.patch +Patch0015: 0015-fix-BOM-for-mpa_manage-mpa_registration-files.patch +Patch0016: 0016-fix-missing-def-of-uncaught_exception.patch # Optional patches Patch0050: 0050-Disable-inclusion-of-AESM-in-installer.patch 
@@ -388,20 +360,15 @@ Patch0116: 0116-Don-t-stomp-on-VERBOSE-variable.patch Patch0117: 0117-qgs-add-m-MODE-parameter-for-UNIX-socket-mode.patch Patch0118: 0118-pcsclient-make-keyring-module-optional.patch Patch0119: 0119-pcsclient-convert-from-asn1-to-pyasn1-python-module.patch -Patch0120: 0120-pcsclient-fully-switch-to-pycryptography-for-CRL-ver.patch -Patch0121: 0121-pcsclient-use-more-of-pycryptography-instead-of-pyop.patch -Patch0122: 0122-pcsclient-prefer-pycryptography-over-pyopenssl.patch -Patch0123: 0123-pcsclient-add-fallback-for-when-pyopenssl-is-not-ava.patch -Patch0124: 0124-pcsclient-ignore-errors-trying-to-clear-the-keyring.patch -# https://github.com/intel/confidential-computing.tee.dcap/pull/485 -Patch0125: 0125-PCS-Client-Tool-Migrate-from-deprecated-pkg_resource.patch +Patch0120: 0120-pcsclient-ignore-errors-trying-to-clear-the-keyring.patch # https://github.com/intel/confidential-computing.tee.dcap/pull/487 -Patch0126: 0126-qgs-add-compat-for-boost-1.87-which-drops-asio-io_se.patch -Patch0127: 0127-qgs-add-compat-for-boost-1.89-which-deprecated-deadl.patch -Patch0128: 0128-use-system-gtest-gmock-libraries.patch -Patch0129: 0129-Disable-PcsClientTool-package-build.patch -Patch0130: 0130-disable-building-of-WASM-SIMDE-code.patch -Patch0131: 0131-pcsclient-fix-name-of-input-file-in-cache-command-he.patch +Patch0121: 0121-qgs-add-compat-for-boost-1.87-which-drops-asio-io_se.patch +Patch0122: 0122-qgs-add-compat-for-boost-1.89-which-deprecated-deadl.patch +Patch0123: 0123-use-system-gtest-gmock-libraries.patch +Patch0124: 0124-Disable-PcsClientTool-package-build.patch +Patch0125: 0125-disable-building-of-WASM-SIMDE-code.patch +Patch0126: 0126-ensure-build-terminates-if-prepare_sgxssl.sh-fails.patch +Patch0127: 0127-qgs-squash-global-placeholders-warning-from-boost-1..patch # 0200-0299 -> against intel-sgx-ssl.git 
@@ -422,16 +389,6 @@ Patch0300: 0300-Drop-min-openssl-from-3.0.8-to-3.0.7.patch Patch0301: 0301-Drop-Werror-from-build-flags.patch -# 0400-0499 -> against confidential-computing.tee.dcap.pccs.git -# -# Maintained in https://github.com/berrange/confidential-computing.tee.dcap.pccs/tree/dist-git-%{pccs_version} -# -Patch0400: 0400-service-sanitize-paths-to-all-resources.patch -Patch0401: 0401-pccsadmin-remove-leftover-debugging-print-args-state.patch -Patch0402: 0402-pccsadmin-make-keyring-module-optional.patch -Patch0403: 0403-pccsadmin-ignore-errors-trying-to-clear-the-keyring.patch -Patch0404: 0404-service-force-override-tar-module-to-7.0.0-series.patch - BuildRequires: sgx-rpm-macros BuildRequires: autoconf BuildRequires: automake @@ -447,6 +404,7 @@ BuildRequires: ocaml-ocamlbuild BuildRequires: openssl BuildRequires: openssl-devel BuildRequires: libcurl-devel +BuildRequires: python-unversioned-command BuildRequires: python3-devel BuildRequires: perl-generators BuildRequires: perl-interpreter @@ -454,20 +412,8 @@ BuildRequires: perl-devel BuildRequires: perl(FindBin) BuildRequires: perl(lib) BuildRequires: perl(IPC::Cmd) +BuildRequires: perl(Time::Piece) BuildRequires: nasm -# XXX nodejs-packaging needs fixing to auto-add 'Requires: nodejs(abi) == XX' -# then this can be reduced to only 'BuildRequires: nodejs, /usr/bin/node' -# See also https://src.fedoraproject.org/rpms/linux-sgx/pull-request/6 -# Match this version with later 'Requires: nodejsXX' against sgx-pccs -%if 0%{?fedora} >= 44 || 0%{?rhel} >= 11 -BuildRequires: nodejs24-devel, /usr/bin/node, /usr/bin/npm -%else -# npm in RHEL 9, nodejs-npm in RHEL 10 and F<44 -BuildRequires: nodejs-devel, /usr/bin/node, /usr/bin/npm -%endif -BuildRequires: nodejs-packaging -BuildRequires: python-unversioned-command -BuildRequires: sqlite-devel BuildRequires: systemd-rpm-macros %if %{with_host_tinyxml2} BuildRequires: tinyxml2-devel 
@@ -524,6 +470,7 @@ built with latest tool-chain and libraries. \ %do_package qe3 %{_with_enclave_qe3} %{dcap_version} %do_package tdqe %{_with_enclave_tdqe} %{dcap_version} %do_package qve %{_with_enclave_qve} %{dcap_version} +%do_package qae %{_with_enclave_qae} %{dcap_version} %package -n sgx-enclave-devel Summary: SGX enclave libraries development @@ -570,36 +517,6 @@ This package contains the Architectural Enclave Service Manager %endif -%package -n sgx-pccs -Summary: SGX Provisioning Certificate Caching Service -%if 0%{?fedora} >= 44 || 0%{?rhel} >= 11 -Requires: nodejs24 -%else -Requires: nodejs -%endif -Requires: sgx-common = %{version}-%{release} - -%description -n sgx-pccs -SGX Provisioning Certificate Caching Service - - -%package -n sgx-pccs-admin -Summary: SGX Provisioning Certificate Caching Service Admin Tool -%if 0%{?fedora} -Requires: python3-keyring -%endif -Requires: python3-requests -Requires: python3-urllib3 -Requires: python3-packaging -Requires: sgx-common = %{version}-%{release} -# pccs admin tool can be used against a remote pccs -# so don't force a hard dep -Recommends: sgx-pccs = %{version}-%{release} - -%description -n sgx-pccs-admin -SGX Provisioning Certificate Caching Service Admin Tool - - %package -n sgx-pcs-client Summary: SGX Provisioning Certificate Service Client Tool Requires: python3-pyasn1 @@ -774,14 +691,6 @@ rm -rf external/{dnnl,openmp,protobuf} sdk/sample_libcrypto %autopatch -m 300 -M 399 -p1 ) -############################################################ -# pccs -( - cd external/dcap_source/QuoteGeneration/pccs - tar zxf %{SOURCE8} --strip 1 - %autopatch -m 400 -M 499 -p1 -) - ############################################################ # sgx-emm ( 
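Review bot: Removing the `sgx-pccs` and `sgx-pccs-admin` subpackages leaves their last built versions installed on upgraded systems, with no further updates, unless something obsoletes them, and nothing in this hunk does. PCCS is a long-running network daemon (the removed %package required nodejs and shipped a systemd unit via the Source51 dropped above), and its bundled node_modules is exactly what this series stops maintaining (see the deleted 0404 tar override), so an orphaned copy should not linger. Unless an Obsoletes already exists elsewhere in the spec, add to sgx-common or another package that stays installed `Obsoletes: sgx-pccs < %{version}-%{release}` and `Obsoletes: sgx-pccs-admin < %{version}-%{release}`.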
@@ -814,6 +723,17 @@ rm -rf external/{dnnl,openmp,protobuf} sdk/sample_libcrypto ) %endif + +############################################################ +# libcxxrt +( + cd external/libcxxrt/libcxxrt_code + + tar zxf %{SOURCE15} --strip 1 + patch -p1 < ../sgx_libcxxrt.patch +) + + ############################################################ # prebuilt enclaves @@ -967,10 +887,11 @@ done %endif %do_build %{_with_enclave_pce} psw/ae/pce pce.so -%do_build %{_with_enclave_ide} external/dcap_source/QuoteGeneration/quote_wrapper/quote/id_enclave/linux id_enclave.so -%do_build %{_with_enclave_qe3} external/dcap_source/QuoteGeneration/quote_wrapper/quote/enclave/linux qe3.so -%do_build %{_with_enclave_tdqe} external/dcap_source/QuoteGeneration/quote_wrapper/tdx_quote/enclave/linux tdqe.so -%do_build %{_with_enclave_qve} external/dcap_source/QuoteVerification/QvE qve.so +%do_build %{_with_enclave_ide} external/dcap_source/ae/id_enclave/linux id_enclave.so +%do_build %{_with_enclave_qe3} external/dcap_source/ae/qe3/linux qe3.so +%do_build %{_with_enclave_tdqe} external/dcap_source/ae/tdqe/linux tdqe.so +%do_build %{_with_enclave_qve} external/dcap_source/ae/QvE qve.so +%do_build %{_with_enclave_qae} external/dcap_source/ae/qae libsgx_qae.so ############################################################ 
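Review bot: `patch -p1 < ../sgx_libcxxrt.patch` applies with GNU patch's default fuzz, whereas the `%autopatch` calls used for the other trees go through rpm's patch macro, which on Fedora is configured for zero fuzz as far as I know; a hunk that drifts against a future libcxxrt snapshot could then land at the wrong offset without failing the build. `patch -p1 --fuzz=0 < ../sgx_libcxxrt.patch` keeps the two paths consistent. A comment noting that `sgx_libcxxrt.patch` ships in the upstream tree rather than as a numbered PatchN (if that is the case) would also explain why %autopatch is not used here.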
@@ -1000,38 +921,12 @@ LDFLAGS="%{build_ldflags}" \ SGX_SDK=$(pwd)/%{vroot}/sgxsdk \ SGX_ENCLAVE_PATH=%{sgx_libdir} -( - # PCCS NodeJS deps bundle - - cd external/dcap_source/QuoteGeneration/pccs - tar Jxvf %{SOURCE53} - - cd service - - perl -i -p -e 's,"sqlite%":"internal","sqlite%":"/usr",' node_modules/sqlite3/binding.gyp - perl -i -p -e 's,\(sqlite\)/lib,(sqlite)/lib64,' node_modules/sqlite3/binding.gyp - - for pkg in node_modules/* - do - ( - cd $pkg - npm run install --if-present --nodedir=/usr - ) - done - - # Keep brp-mangle-shebangs happy - find node_modules -type f -exec chmod -x {} \; - - chrpath --delete node_modules/sqlite3/build/Release/node_sqlite3.node -) - - # SDK provides dummy stub libraries to deal with a circular # build dependancy problem where the PSW wants these libs # before it has built its own real copies. Delete them now, # since we've done the PSW build and don't want these dummy # stubs installed -for i in epid launch quote_ex uae_service urts +for i in launch quote_ex uae_service urts do rm -f %{vroot}/sgxsdk/lib64/libsgx_$i.so done 
@@ -1088,23 +983,19 @@ rm -rf %{vroot}/sgxsdk/SampleCode # Second the (unsigned) architectural enclaves # @arg1: boolean condition for whether to ship this enclave -# @arg2: base name of the enclave -# @arg3: directory containing locally built enclave -# @arg4: directory containing pre-bult enclave -# @arg5: symbol name that defines the enclave SO version +# @arg2: path of the source enclave binary +# @arg3: name of the target enclave binary %global do_install() \ %if %1 \ -%__install -m 0755 %3/%2.so %{buildroot}%{sgx_libdir}/libsgx_%2.so \ +%__install -m 0755 %2 %{buildroot}%{sgx_libdir}/%3 \ %endif -version_file=common/inc/internal/se_version.h -%do_install %{_with_enclave_pce} pce psw/ae/pce psw/ae/data/prebuilt PCE_VERSION - -version_file=external/dcap_source/QuoteGeneration/common/inc/internal/se_version.h -%do_install %{_with_enclave_ide} id_enclave external/dcap_source/QuoteGeneration/quote_wrapper/quote/id_enclave/linux external/dcap_source/QuoteGeneration/psw/ae/data/prebuilt IDE_VERSION -%do_install %{_with_enclave_qe3} qe3 external/dcap_source/QuoteGeneration/quote_wrapper/quote/enclave/linux external/dcap_source/QuoteGeneration/psw/ae/data/prebuilt QE3_VERSION -%do_install %{_with_enclave_tdqe} tdqe external/dcap_source/QuoteGeneration/quote_wrapper/tdx_quote/enclave/linux external/dcap_source/QuoteGeneration/psw/ae/data/prebuilt TDQE_VERSION -%do_install %{_with_enclave_qve} qve external/dcap_source/QuoteVerification/QvE external/dcap_source/QuoteGeneration/psw/ae/data/prebuilt QVE_VERSION +%do_install %{_with_enclave_pce} psw/ae/pce/pce.so libsgx_pce.so +%do_install %{_with_enclave_ide} external/dcap_source/ae/id_enclave/linux/id_enclave.so libsgx_id_enclave.so +%do_install %{_with_enclave_qe3} external/dcap_source/ae/qe3/linux/qe3.so libsgx_qe3.so +%do_install %{_with_enclave_tdqe} external/dcap_source/ae/tdqe/linux/tdqe.so libsgx_tdqe.so +%do_install %{_with_enclave_qve} external/dcap_source/ae/QvE/qve.so libsgx_qve.so +%do_install 
%{_with_enclave_qae} external/dcap_source/ae/qae/libsgx_qae.so libsgx_qae.so ############################################################ @@ -1151,7 +1042,6 @@ cp -a %{vroot}/root/ %{buildroot}/root %if %{with_aesm} %__install -d %{buildroot}%{_sysconfdir}/aesmd %__install -d %{buildroot}%{_libdir}/aesmd -%__install -d %{buildroot}%{_datadir}/aesmd %__install -d %{buildroot}%{_sharedstatedir}/aesmd %__install -d %{buildroot}%{_rundir}/aesmd %endif @@ -1165,10 +1055,6 @@ rm -f %{buildroot}/root/opt/intel/sgx-aesm-service/aesm/libsgx_urts.so.2 rm -f %{buildroot}/root/opt/intel/sgx-aesm-service/startup.sh rm -f %{buildroot}/root/opt/intel/sgx-aesm-service/cleanup.sh - -mv %{buildroot}/root/opt/intel/sgx-aesm-service/aesm/le_prod_css.bin %{buildroot}%{_datadir}/aesmd/ -mv %{buildroot}/root/var/opt/aesmd/data/white_list_cert_to_be_verify.bin %{buildroot}%{_datadir}/aesmd/ -rmdir %{buildroot}/root/var/opt/aesmd/data/ rmdir %{buildroot}/root/var/opt/aesmd mv %{buildroot}/root/opt/intel/sgx-aesm-service/aesm/* %{buildroot}%{_libdir}/aesmd/ @@ -1181,10 +1067,6 @@ mv %{buildroot}/root/etc/aesmd.conf %{buildroot}%{_sysconfdir}/ # XXX patch the source to just look in the right place to begin with ln -s ../../..%{_sysconfdir}/aesmd.conf \ %{buildroot}%{_libdir}/aesmd/aesmd.conf -ln -s ../../..%{_datadir}/aesmd/le_prod_css.bin \ - %{buildroot}%{_libdir}/aesmd/le_prod_css.bin -ln -s ../../..%{_datadir}/aesmd/white_list_cert_to_be_verify.bin \ - %{buildroot}%{_libdir}/aesmd/white_list_cert_to_be_verify.bin # XXX it looks for files relative to its binary, so we # need this wrapper. Patch the source and kill this 
@@ -1200,72 +1082,11 @@ rm -f %{buildroot}/root/lib/systemd/system/aesmd.service %__install %{SOURCE40} %{buildroot}%{_sysusersdir}/aesmd.conf %__install %{SOURCE41} %{buildroot}%{_unitdir}/aesmd.service %else -rm -f %{buildroot}/root/opt/intel/sgx-aesm-service/aesm/le_prod_css.bin rmdir %{buildroot}/root/opt/intel/sgx-aesm-service/aesm rmdir %{buildroot}/root/opt/intel/sgx-aesm-service %endif -############################################################ -# Host PCCS service - -# Home dir for 'pccs' user -%__install -d %{buildroot}%{_sharedstatedir}/pccs -%__install -d %{buildroot}%{_localstatedir}/log/pccs -%__install -d %{buildroot}%{_sysconfdir}/pccs -%__install -d %{buildroot}%{_sysconfdir}/pccs/ssl -%__install -d %{buildroot}%{nodejs_sitearch}/pccs - -mv external/dcap_source/tools/PCKCertSelection/out/libPCKCertSelection.so \ - %{buildroot}%{_libdir}/libPCKCertSelection.so.1 -ln -s libPCKCertSelection.so.1 %{buildroot}%{_libdir}/libPCKCertSelection.so - -mv %{buildroot}/root/opt/intel/sgx-dcap-pccs/config/default.json \ - %{buildroot}%{_sysconfdir}/pccs/default.json -rmdir %{buildroot}/root/opt/intel/sgx-dcap-pccs/config -rm -f %{buildroot}/root/lib/systemd/system/pccs.service - -mv %{buildroot}/root/opt/intel/sgx-dcap-pccs/* \ - %{buildroot}%{nodejs_sitearch}/pccs -rmdir %{buildroot}/root/opt/intel/sgx-dcap-pccs - -( - # Node JS deps bundle - cd external/dcap_source/QuoteGeneration/pccs/service - rm -f install.sh README.md - - # So find-debuginfo processes it - chmod +x node_modules/sqlite3/build/Release/node_sqlite3.node - - cp -a node_modules %{buildroot}%{nodejs_sitearch}/pccs/node_modules -) - -cat >>%{buildroot}%{_bindir}/pccs < %{buildroot}%{_bindir}/pccsadmin < - 2.27-10 -- feat: introduce deterministic commit resolution via Azure Linux lock file +* Sun May 17 2026 Antonio Salinas - 2.28-6 +- fix(linux-sgx): pin to f43 HEAD to correct non-first-parent commit + +* Fri Mar 27 2026 Daniel P. 
Berrangé - 2.28-5 +- Collapase PCCS BOM patches & fix default PCS server URL + +* Wed Mar 25 2026 Daniel P. Berrangé - 2.28-3 +- Updates for unversioned python command + +* Wed Mar 25 2026 Daniel P. Berrangé - 2.28-2 +- Fixes for latest gcc & boost + +* Mon Mar 23 2026 Daniel P. Berrangé - 2.28-1 +- Rebase to SGX 2.28 / DCAP 1.25 releases * Fri Feb 13 2026 Daniel P. Berrangé - 2.27-9 - Fix socket mode handling diff --git a/specs/l/linux-sgx/pccs-nodejs-bundler b/specs/l/linux-sgx/pccs-nodejs-bundler deleted file mode 100755 index fd4dae77595..00000000000 --- a/specs/l/linux-sgx/pccs-nodejs-bundler +++ /dev/null 
@@ -1,83 +0,0 @@ -#!/bin/sh - -#set -v -set -e - -if test -z "$1" -then - echo "syntax: $0 PCCS-TARBALL-VERSION" - exit 1 -fi - -VERSION=$1 - -TARBALL=pccs-${VERSION}.tar.gz - -if ! test -f $TARBALL -then - echo "error: $0 missing $TARBALL" - exit 1 -fi -tar xfz $TARBALL -DIRNAME=confidential-computing.tee.dcap.pccs-DCAP_${VERSION} -pushd $DIRNAME - -# Apply patches from linux-sgx.spec since they update the package-lock.json -# to pull in security fixes. See linux-sgx.spec for the github URL of the -# source-git repo where the patches are maintained. -for p in ../04*.patch -do - patch -p1 < $p -done -pushd service -echo " Downloading prod dependencies" -npm install --omit=dev --omit=optional --ignore-scripts -if ! npm audit -then - echo "error: $0 some dependencies have known vulnerabilities" - if test -z "$NPM_IGNORE_AUDIT" - then - exit 1 - fi -fi -rm -rf node_modules/*/prebuilds -rm -f node_modules/sqlite3/deps/sqlite-autoconf-*.tar.gz -popd - -function find_package { - find . -type f -name "package.json" -not \( -path './service/node_modules/resolve/test/*' -o -path './service/node_modules/github-from-package/example/*' \) "$@" -} - -echo "LICENSES IN BUNDLE:" -find_package -exec jq '.license | strings' {} \; >> ../pccs-${VERSION}-nodejs-licenses.txt -find_package -exec jq '.license | objects | .type' {} \; >> ../pccs-${VERSION}-nodejs-licenses.txt 2>/dev/null -find_package -exec jq '.licenses[] .type' {} \; >> ../pccs-${VERSION}-nodejs-licenses.txt 2>/dev/null -sort -u -o ../pccs-${VERSION}-nodejs-licenses.txt ../pccs-${VERSION}-nodejs-licenses.txt - -IGNORE_NO_LICENSE="(PCCS|seq-queue)" -# Locate any dependencies without a provided license -find_package -execdir jq 'if .license==null and .licenses==null then .name else null end' '{}' '+' \ - | grep -vE '^null$' | grep -v -E $IGNORE_NO_LICENSE | sort -u > ../nolicense.txt - -if [ -s ../nolicense.txt ]; then - echo -e "\e[5m\e[41mSome dependencies do not list a license. 
Manual verification required!\e[0m" - cat ../nolicense.txt - echo -e "\e[5m\e[41m======================================================================\e[0m" -else - rm -f ../nolicense.txt -fi - - -if [ -d service/node_modules ] ; then - TODAY=$(date +"%Y%m%d") - OUTPUT=pccs-${VERSION}-${TODAY}-node-modules.tar.xz - tar cJf ../$OUTPUT --sort=name $(find service -type d -name node_modules) - - echo "Review pccs-${VERSION}-nodejs-licenses.txt for any new" - echo "licenses to be added to linux-sgx.spec" - echo "New archive is $OUTPUT" -fi - -popd - -rm -rf $DIRNAME diff --git a/specs/l/linux-sgx/pccs.service b/specs/l/linux-sgx/pccs.service deleted file mode 100644 index f94950a3549..00000000000 --- a/specs/l/linux-sgx/pccs.service +++ /dev/null @@ -1,22 +0,0 @@ -[Unit] -Description=Provisioning Certificate Caching Service (PCCS) -Documentation=https://github.com/intel/SGXDataCenterAttestationPrimitives/blob/master/QuoteGeneration/pccs/README.md -After=syslog.target network.target auditd.service -ConditionPathExists=/dev/sgx_enclave - -[Service] -Type=simple -User=pccs -ExecStart=/usr/bin/pccs -Restart=on-failure -RestartSec=15s - -Environment=NODE_CONFIG_DIR=/etc/pccs -WorkingDirectory=/var/lib/pccs -InaccessibleDirectories=/home -DevicePolicy=closed -DeviceAllow=/dev/sgx_enclave rw -DeviceAllow=/dev/sgx_provision rw - -[Install] -WantedBy=multi-user.target diff --git a/specs/l/linux-sgx/pccs.sysusers.conf b/specs/l/linux-sgx/pccs.sysusers.conf deleted file mode 100644 index 7f9623c666a..00000000000 --- a/specs/l/linux-sgx/pccs.sysusers.conf +++ /dev/null @@ -1 +0,0 @@ -u pccs - "SGX PCCS Server" /var/lib/pccs diff --git a/specs/l/linux-sgx/repack.sh b/specs/l/linux-sgx/repack.sh index 4a4fa7163e5..857ea4083e5 100755 --- a/specs/l/linux-sgx/repack.sh +++ b/specs/l/linux-sgx/repack.sh 
@@ -35,9 +35,9 @@ dcap_version=$(grep dcap_version linux-sgx*spec | head -1 | awk '{print $3}') repack prebuilt_dcap_${dcap_version} \ libcrypto.a \ - policy.wasm \ libsgx_pce.signed.so \ libsgx_id_enclave.signed.so \ + libsgx_qae.signed.so \ libsgx_qe3.signed.so \ libsgx_tdqe.signed.so \ libsgx_qve.signed.so diff --git a/specs/l/linux-sgx/sources b/specs/l/linux-sgx/sources index 47168fe3de5..27a0aaaa3dd 100644 --- a/specs/l/linux-sgx/sources +++ b/specs/l/linux-sgx/sources 
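Review bot: `libsgx_qae.signed.so` joins the list of Intel-signed enclaves that get repacked, but nothing in this hunk checks any `.signed.so` against the digests Intel publishes for the DCAP release before it is bundled; `repack` is defined outside the hunk, so that check may live there, but the only digest that ends up in `sources` is the one of the repacked output, which pins what one machine downloaded rather than what Intel shipped. A `sha256sum -c` over the downloaded files, run before the `repack` call, would make the provenance of these attestation enclaves verifiable from the repository alone. `policy.wasm` is dropped from the same list; whatever in the spec consumed it is not visible in this hunk and should be checked for a dangling install or `%files` entry.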
@@ -1,14 +1,13 @@ -SHA512 (DCAP_1.24.tar.gz) = 97ddb1dd7120296457c6c9c4501b3940d07ed04e56151f72916ab0a02b87ef67f970b137b866660c34deba33347a50e489914d088dc09de0c8218cc24d236c89 -SHA512 (dcap-qvl-1.24.tar.gz) = b255a9a285cfe22c6cd31fb352e315ed62a2e32c0d974fecadd86407a46de16522c1124f15d7cdbfdc4f2da63bf0bf4cadbbbe3edc6fb3fe55a5a8cb7ef3aa36 -SHA512 (intel-sgx-ssl-3.0_Rev5.1.tar.gz) = 380d27784154fbdfe6c23535fdbcd26b3c27ae60a85643ae2777e3415621794a1d28d760f08aae28c9a20e98a1e46f7dd9098ea35e3a61c4c3474cd65c5b9c11 +SHA512 (DCAP_1.25.tar.gz) = 6daccdb8c6a94a98664b32f7d3a42d84d402c6ed83c9ecc7ccc831fcd03ef83c99cfb2d5daa6b844361e4fb3adc924055080816b5a34359d980a01eba6768ac0 +SHA512 (dcap-qvl-1.25.tar.gz) = e8449f52bdaf4ba98df78084b981eecec9cc2d516796dc468cd2366524dcb98d43a78438908448e0fce355dc0edc0e5d745aa9cab687bad889a34e6b1a0db5f7 +SHA512 (intel-sgx-ssl-3.0_Rev5.2.tar.gz) = 9f15b88a24cc73a1be5698b6609083125a2e3d7bd38496099c7d8f9eb196a5ffdd5500eaa6e055550cf70e3678977f59b39745becdd14d91db44e7dd5290ac69 SHA512 (ippcp_2021.12.1.tar.gz) = cdde7eed0f27b80663bf6a131abd8e6afcf16f0b9897ae12e251dc6bd3a9cc15c7666e4276eb4ba4b3b66fa93b5115c29537e176a6a2fb0de1b17cfcc1b7c426 SHA512 (jwt-cpp-0.6.0.tar.gz) = b6d5ebb3a7eeb6fef9a1d41c707251d1ab05bf47920c280d5203f1b9ee5bf6f8e914cd2ffaed66550cfa6d78c34465d4cf86517a759d5f8739b429faf1c2c0ef SHA512 (libcbor-0.10.2.tar.gz) = 23c6177443778d4b4833ec7ed0d0e639a0d4863372e3a38d772fdce2673eae6d5cb2a31a2a021d1a699082ea53494977c907fd0e94149b97cb23a4b6d039228a -SHA512 (linux-sgx-2.27.tar.gz) = 9a64dc9e1feda16fcb5f2a4776b2a32e5cb1387094095ec0935788eb69ba12339258ea69cac730d90e5e2fa6b1e1ceed6c1420f332cfb06ee7ab0ff5200552f9 -SHA512 (openssl-3.0.17.tar.gz) = 563546cfc0766b9a690c20bcc7df1afed843c3c57df4b8fa561d4c695e6f5cc3258a2cd95775f8fb5fd78005198ee20aa58c3fc19fdefbe5e60b8731390842c2 -SHA512 (prebuilt_dcap_1.24-repacked.tar.gz) = 1a22654dca6b2f96019ddcee73fef4283ba38398a554f4912179fa5fe2f54363d422168be9afcb15a91cf17501b1bd349027f116c2b30d4d2d2527e97c2749c0 -SHA512 
(sgx-emm-1.0.3.tar.gz) = 0ec9f0133b3a32409c8af61568a47128a1860407170b9b274647140ac36069851638d7282649e23590131d44ca93f839fd2ffe4b9b39821631d279c1384874bf -SHA512 (wasm-micro-runtime-2.4.3.tar.gz) = 3f4ea94490ba1027473c1faf8df2d4bb6c81bd5efeccbe9d5621830dbf80b2020249263bc443c3bce86a4b2f66b1b8521e3bb831b62703bf6062f08464820943 +SHA512 (linux-sgx-2.28.tar.gz) = dd015564ea9dcba184bb05e8c336345ba0db6d999fbb61571e7d291cb1ddc72407ca41c5f20ee596616bf5efc242785d5abce73e917e6563b0288e741dc97f95 +SHA512 (openssl-3.0.19.tar.gz) = 6e602ac7217e1b4423793ee5c4c10745f70fcde3f9820d6c894ebeedb4f29566e2d0c3c590ae210484dcea4eb53db5bb8dbbfee14bbaca3e147406b1343c3cd7 +SHA512 (prebuilt_dcap_1.25-repacked.tar.gz) = b07bc8430bf2996a4d650002168921d356f445dde1ea16452f28ccc133c5e3e6c3c897aff969fe027605dab9b96c44c850f655968f18f66b4cf89a9f68086b85 +SHA512 (sgx-emm-1.0.3.tar.gz) = d5a11e430ddf8d6cae7665ef645d1280b5e61bc9b90c308c3ed32b622dd5ea383d17fd501a81850374c76062f1602b957d4585e5de885f0c9d05ab7bce013dfd SHA512 (tinyxml2-10.0.0.tar.gz) = a359d33bc12fad455b53d81011dbe12727cae0aabfaa5704f1a25807ca216dd854a571291029886c0beedeca5c3b6393dd49c4718773e18a0e008abbdb3de36a -SHA512 (pccs-1.24.tar.gz) = c0ea8a5ed18bc4d497d82f6aabd1d60971878923a9effb67e91c8449fd6af4ac3e20346999c475b487a23e0ccec356fb50f40c4b1bcf7153c640653358a6bc94 -SHA512 (pccs-1.24-20260204-node-modules.tar.xz) = 6d258d9e0f7bcc169eaa7cf16aa18d13b9119fc32ec18a7cc815f5582a435f7c91db0e5997d7510502c1aac2fc2db03602f23d5b8f4bdf9f6500f97ed8477a95 +SHA512 (wasm-micro-runtime-1.0.0.tar.gz) = fb16a992b54f5c006be386b72ff65c680ededaafe7f2010db163b6e4365d198cc96f06ae60ac42986aaf45609803ffc1722308277474c341673e391f9bc4846e +SHA512 (libcxxrt-4.0.10^20250225gita6f71cb.tar.gz) = bd725c27db2e3eafcef4f3dbb82a27abec23bed3171bc2667f4f339945c792ba16bd04a4dbe7232c6aba6e7dea91982337e8ff153a38dcec6ad093bb85f9eaa3 From 04206bb21984da1fe84584fcbcc4f9762e8f9043 Mon Sep 17 00:00:00 2001 
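Review bot: `sgx-emm-1.0.3.tar.gz` keeps its filename but its SHA512 changes from `0ec9f013…` to `d5a11e43…`, so the same declared version now resolves to different bytes; nothing in the series says whether upstream re-published the tarball or it was re-snapshotted locally, and that provenance should be recorded in the changelog or commit message before the new digest is trusted. In the same hunk `wasm-micro-runtime` moves from 2.4.3 to 1.0.0, which reads as a multi-major downgrade of a vendored runtime rather than the pin correction the changelog entry describes; if DCAP 1.25 genuinely requires that release, say so next to the entry, otherwise it deserves a second look. Both points are inferred from the hash lines alone; the fetch logic that consumes this file is not visible here.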
From: Antonio Salinas
Date: Sun, 17 May 2026 22:02:34 +0000
Subject: [PATCH 3/5] fix(openscap): pin to f43 HEAD to correct non-first-parent commit
---
base/comps/openscap/openscap.comp.toml | 5 +++++
locks/openscap.lock | 8 ++++----
specs/o/openscap/openscap.spec | 5 ++++-
specs/o/openscap/sources | 2 +-
4 files changed, 14 insertions(+), 6 deletions(-)
diff --git a/base/comps/openscap/openscap.comp.toml b/base/comps/openscap/openscap.comp.toml
index e89d3e869b1..fdb9894d18b 100644
--- a/base/comps/openscap/openscap.comp.toml
+++ b/base/comps/openscap/openscap.comp.toml
@@ -1,3 +1,8 @@
+[components.openscap]
+# Pin past the default snapshot to correct a previously selected
+# non-first-parent commit on the f43 branch.
+spec = { type = "upstream", upstream-commit = "25ae681cc80c81e5c86418198c04593eca68531f" }
+
 [components.openscap.build]
 # Disable the optional `apt` integration. Upstream gates it on a
 # `%bcond_without apt` (default-on for Fedora, default-off for
diff --git a/locks/openscap.lock b/locks/openscap.lock
index 21062f20054..30e5d93782b 100644
--- a/locks/openscap.lock
+++ b/locks/openscap.lock
@@ -1,6 +1,6 @@
 # Managed by azldev component update. Do not edit manually.
 version = 1
-import-commit = 'bf5627bf8a35044563c84e7a90638c7a87c1d6a7'
-upstream-commit = 'bf5627bf8a35044563c84e7a90638c7a87c1d6a7'
-input-fingerprint = 'sha256:7549f855fe2b34304f57656af7b1a0af83265c74f78c72b9da78059ccc93971e'
-resolution-input-hash = 'sha256:466421704711c4fd3c71f0b2ed715a0e61d49e3e26f3a2637fee755795849c8e'
+import-commit = '25ae681cc80c81e5c86418198c04593eca68531f'
+upstream-commit = '25ae681cc80c81e5c86418198c04593eca68531f'
+input-fingerprint = 'sha256:83b5014d0896ccbb3e57f5c754b996917140f177bc57af1314e275c622ca1e5f'
+resolution-input-hash = 'sha256:9173b76f366d6392a16198f4cdbdf44f4d2789322eedd1d785bac85a65f35b89'
diff --git a/specs/o/openscap/openscap.spec b/specs/o/openscap/openscap.spec
index 9b11f9ee7d9..065aedc2e75 100644
--- a/specs/o/openscap/openscap.spec
+++ b/specs/o/openscap/openscap.spec @@ -5,7 +5,7 @@ %{load:%{_sourcedir}/openscap.azl.macros} Name: openscap -Version: 1.4.3 +Version: 1.4.4 Release: 4%{?dist} Epoch: 1 Summary: Set of open source libraries enabling integration of the SCAP line of standards @@ -326,6 +326,9 @@ pathfix.py -i %{__python3} -p -n %{buildroot}%{_bindir}/scap-as-rpm %{_mandir}/man8/oscap-podman.8* %changelog +* Thu Apr 09 2026 Matthew Burket - 1:1.4.4-1 +- Upgrade to the latest upstream release + * Fri Jan 16 2026 Fedora Release Engineering - 1:1.4.3-2 - Rebuilt for https://fedoraproject.org/wiki/Fedora_44_Mass_Rebuild diff --git a/specs/o/openscap/sources b/specs/o/openscap/sources index 9006201d007..dc4231e1e49 100644 --- a/specs/o/openscap/sources +++ b/specs/o/openscap/sources @@ -1 +1 @@ -SHA512 (openscap-1.4.3.tar.gz) = 76ee761804f781f72adea07d9a07f0100cde9bb2a08f1637887b4e6f42438d9bbcfd73b17dc233b67cee3db86f9ccb1654f87c23c374bf3f834139413e121d6f +SHA512 (openscap-1.4.4.tar.gz) = c69736bee997e50a04aff8e4f22da880f342190e1289c5df0fb73b7af34833d3bd9f4e5055b227a18d571167671f821701a09f8c9a3e4568c7da68cc4be51133 From 2c3263345751a2cc3203cda6b585e17c7ae0af50 Mon Sep 17 00:00:00 2001 From: Antonio Salinas Date: Sun, 17 May 2026 22:03:14 +0000 Subject: [PATCH 4/5] fix(pcp): pin to f43 HEAD to correct non-first-parent commit --- base/comps/components.toml | 1 - base/comps/pcp/pcp.comp.toml | 4 ++++ locks/pcp.lock | 8 ++++---- specs/p/pcp/pcp-avc-nvidia.patch | 30 ++++++++++++++++++++++++++++++ specs/p/pcp/pcp-avc-rocestat.patch | 29 +++++++++++++++++++++++++++++ specs/p/pcp/pcp.spec | 7 ++++++- 6 files changed, 73 insertions(+), 6 deletions(-) create mode 100644 base/comps/pcp/pcp.comp.toml create mode 100644 specs/p/pcp/pcp-avc-nvidia.patch create mode 100644 specs/p/pcp/pcp-avc-rocestat.patch diff --git a/base/comps/components.toml b/base/comps/components.toml index 27f4595f847..ff25eb9f1e7 100644 --- a/base/comps/components.toml +++ b/base/comps/components.toml 
@@ -2367,7 +2367,6 @@ includes = ["**/*.comp.toml", "component-check-disablement.toml", "component-min
 [components.pcg-cpp]
 [components.pciutils]
 [components.pcm]
-[components.pcp]
 [components.pcs]
 [components.pcsc-lite]
 [components.pcsc-lite-ccid]
diff --git a/base/comps/pcp/pcp.comp.toml b/base/comps/pcp/pcp.comp.toml
new file mode 100644
index 00000000000..52cb7783335
--- /dev/null
+++ b/base/comps/pcp/pcp.comp.toml
@@ -0,0 +1,4 @@
+[components.pcp]
+# Pin past the default snapshot to correct a previously selected
+# non-first-parent commit on the f43 branch.
+spec = { type = "upstream", upstream-commit = "ca70e01ed8f01b26cf221bfcdd816d2ae71cb87e" }
diff --git a/locks/pcp.lock b/locks/pcp.lock
index d7c1a2626e1..fbdef4b0150 100644
--- a/locks/pcp.lock
+++ b/locks/pcp.lock
@@ -1,6 +1,6 @@
 # Managed by azldev component update. Do not edit manually.
 version = 1
-import-commit = '91f4ce40de29a10186f74d75dd0c2f1e2769354b'
-upstream-commit = '91f4ce40de29a10186f74d75dd0c2f1e2769354b'
-input-fingerprint = 'sha256:8ec8f56b4b8fa4863607278119a1986a1ac739ca5f270048f63def3219775979'
-resolution-input-hash = 'sha256:466421704711c4fd3c71f0b2ed715a0e61d49e3e26f3a2637fee755795849c8e'
+import-commit = 'ca70e01ed8f01b26cf221bfcdd816d2ae71cb87e'
+upstream-commit = 'ca70e01ed8f01b26cf221bfcdd816d2ae71cb87e'
+input-fingerprint = 'sha256:53e6f186133203e79de9616c800bb628f8b2b2a2d0a9cfbd011a3285cbaf5b65'
+resolution-input-hash = 'sha256:810ddf55b3b08725dc7cdc8308833ac7827eebee5f1a83e396c22689f3fca061'
diff --git a/specs/p/pcp/pcp-avc-nvidia.patch b/specs/p/pcp/pcp-avc-nvidia.patch
new file mode 100644
index 00000000000..e1a4a4f4748
--- /dev/null
+++ b/specs/p/pcp/pcp-avc-nvidia.patch
@@ -0,0 +1,30 @@
+commit e84ee24823548ce92c1e222d034e5600f4d3a10a
+Author: William Cohen
+Date: Tue Feb 10 04:00:26 2026 +0000
+
+ selinux: Update nvidia pmda policy
+
+ RHEL-133519
+
+diff --git a/src/selinux/pcp.te b/src/selinux/pcp.te
+index 54f4e96877..69ee2b2957 100644
+--- a/src/selinux/pcp.te
++++ b/src/selinux/pcp.te
+@@ -1051,7 +1051,7 @@ optional_policy(`
+ # type=AVC msg=audit(N): avc: denied { read } for pid=PID comm="pmdanvidia" name="nvidia-cap2" dev="devtmpfs" ino=INO scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=unconfined_u:object_r:device_t:s0 tclass=chr_file permissive=0
+ #RHEL-83594
+ allow pcp_pmcd_t default_t:file { execute };
+-allow pcp_pmcd_t device_t:chr_file { create open read setattr write };
++allow pcp_pmcd_t device_t:chr_file { create ioctl open read setattr write };
+ allow pcp_pmcd_t device_t:dir { add_name remove_name write };
+ allow pcp_pmcd_t device_t:lnk_file { create unlink };
+ allow pcp_pmcd_t self:capability mknod;
+@@ -1059,7 +1059,7 @@ allow pcp_pmcd_t dri_device_t:chr_file { ioctl open read write };
+ allow pcp_pmcd_t device_t:dir write;
+ allow pcp_pmcd_t device_t:dir { create setattr };
+ allow pcp_pmcd_t sysctl_vm_t:file read;
+-allow pcp_pmcd_t xserver_misc_device_t:chr_file { ioctl open read write };
++allow pcp_pmcd_t xserver_misc_device_t:chr_file { ioctl map open read write };
+ 
+ # type=AVC msg=audit(N): avc: denied { sys_rawio } for pid=PID comm="pmdaX" name="/" dev="tracefs" ino=INO scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:pcp_pmcd_t:s0 tclass=capability permissive=0
+ allow pcp_pmcd_t self:capability sys_rawio;
diff --git a/specs/p/pcp/pcp-avc-rocestat.patch b/specs/p/pcp/pcp-avc-rocestat.patch
new file mode 100644
index 00000000000..c286791c5c3
--- /dev/null
+++ b/specs/p/pcp/pcp-avc-rocestat.patch
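Review bot: The widened rule `allow pcp_pmcd_t device_t:chr_file { create ioctl open read setattr write };` lets pmcd issue arbitrary ioctls on every character device that carries the generic `device_t` label, not only the `nvidia-cap*` nodes the AVC comment above it cites, and `device_t` is what any unlabeled or vendor-created node gets by default. If those nodes can be given their own type through a file-context rule, the grant can be scoped to that type; failing that, an `allowxperm pcp_pmcd_t device_t:chr_file ioctl { … }` whitelist of the ioctl numbers the PMDA actually needs would keep the rest of `device_t` out of reach. The added `map` on `xserver_misc_device_t` looks proportionate, assuming that is the type the nvidia device nodes carry on the target system.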
@@ -0,0 +1,29 @@
+commit 082ff6beb14420c04af74f37d2ae8c1628182ae2
+Author: William Cohen
+Date: Tue Feb 10 02:19:21 2026 +0000
+
+ selinux: AVC denial fix for rocestat pmda
+
+ Resolves: RHEL-132402
+
+diff --git a/src/selinux/pcp.te b/src/selinux/pcp.te
+index 59cf1fb630..54f4e96877 100644
+--- a/src/selinux/pcp.te
++++ b/src/selinux/pcp.te
+@@ -1036,6 +1036,16 @@ allow pcp_pmproxy_t pcp_log_t:lnk_file read;
+ allow pcp_pmcd_t fsadm_exec_t:file { execute execute_no_trans getattr open read };
+ allow pcp_pmcd_t fixed_disk_device_t:blk_file { open read ioctl };
+ 
++#============= pmda-rocestat ==============
++optional_policy(`
++ require {
++ type ifconfig_exec_t;
++ }
++ # type=AVC msg=audit(N): avc: denied { execute_no_trans } for pid=PID comm="python3" path="/usr/sbin/ethtool" dev=DEV ino=INO scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:ifconfig_exec_t:s0 tclass=file permissive=0
++ # RHEL-132402
++ allow pcp_pmcd_t ifconfig_exec_t:file { execute execute_no_trans };
++')
++
+ #============= pmda-nvidia ==============
+ # type=AVC msg=audit(N): avc: denied { execute } for pid=PID comm="pmdanvidia" path="/usr/lib64/libnvidia-ml.so" dev="dm-2" ino=INO scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=unconfined_u:object_r:default_t:s0 tclass=file permissive=0
+ # type=AVC msg=audit(N): avc: denied { read } for pid=PID comm="pmdanvidia" name="nvidia-cap2" dev="devtmpfs" ino=INO scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=unconfined_u:object_r:device_t:s0 tclass=chr_file permissive=0
diff --git a/specs/p/pcp/pcp.spec b/specs/p/pcp/pcp.spec
index 5ef07cf9bfd..b2f74b4296a 100644
--- a/specs/p/pcp/pcp.spec
+++ b/specs/p/pcp/pcp.spec
@@ -3,7 +3,7 @@ Name: pcp
 Version: 7.1.0
-Release: 6%{?dist}
+Release: 8%{?dist}
 Summary: System-level performance monitoring and performance management
 License: GPL-2.0-or-later AND LGPL-2.1-or-later AND CC-BY-3.0
 URL: https://pcp.io
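Review bot: `allow pcp_pmcd_t ifconfig_exec_t:file { execute execute_no_trans };` keeps `/usr/sbin/ethtool` running inside `pcp_pmcd_t`, a domain that per the surrounding context already executes fsadm tools in-domain and reads fixed disks, so ethtool inherits all of that instead of its own confined domain. The conventional fix is a domain transition rather than `execute_no_trans`: replace the `require`/`allow` pair with `ifconfig_domtrans(pcp_pmcd_t)` inside the same `optional_policy` block, assuming the refpolicy interface is available in this build (its interface imports are outside this patch). If staying in-domain is deliberate, a comment stating why would save the next reader the question.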
@@ -16,6 +16,8 @@ ExcludeArch: %{ix86} Patch1: pcp-selinux.patch Patch2: pcp-qa-avc-check.patch Patch3: pcp-selinux2.patch +Patch4: pcp-avc-rocestat.patch +Patch5: pcp-avc-nvidia.patch # The additional linker flags break out-of-tree PMDAs. # https://bugzilla.redhat.com/show_bug.cgi?id=2043092 @@ -3451,6 +3453,9 @@ fi %files zeroconf -f pcp-zeroconf-files.rpm %changelog +* Sun Mar 15 2026 William Cohen - 7.1.0-6 +- Add selinux fixes for rocestat and nvidia pmdas. + * Sun Feb 15 2026 William Cohen - 7.1.0-5 - Bump and include additional selinux fixup. From bd714d7ce38ebe55261166efe6bfb87e24929cd0 Mon Sep 17 00:00:00 2001 From: Antonio Salinas Date: Sun, 17 May 2026 22:03:21 +0000 Subject: [PATCH 5/5] fix(yarnpkg): update lock to correct non-first-parent commit --- locks/yarnpkg.lock | 6 +++--- specs/y/yarnpkg/yarnpkg.spec | 10 +++++----- 2 files changed, 8 insertions(+), 8 deletions(-) diff --git a/locks/yarnpkg.lock b/locks/yarnpkg.lock index d32bcf1dc56..823a52e9698 100644 --- a/locks/yarnpkg.lock +++ b/locks/yarnpkg.lock @@ -1,6 +1,6 @@ # Managed by azldev component update. Do not edit manually. version = 1 -import-commit = '67fc0c2761282f257cef9eae198d24bd62247016' -upstream-commit = '67fc0c2761282f257cef9eae198d24bd62247016' -input-fingerprint = 'sha256:1b165f30d91836362b3ad949df0902bec9b1a7367feed89c778b4768450805a7' +import-commit = '2787ceb4087c2477217567d362f87976cbca75bb' +upstream-commit = '2787ceb4087c2477217567d362f87976cbca75bb' +input-fingerprint = 'sha256:3f939237df8469cf2bbf7c2edd56f68b80015a37ea4f9fb1d87018d496d73338' resolution-input-hash = 'sha256:466421704711c4fd3c71f0b2ed715a0e61d49e3e26f3a2637fee755795849c8e' diff --git a/specs/y/yarnpkg/yarnpkg.spec b/specs/y/yarnpkg/yarnpkg.spec index dd4b602cc5c..0426a91e35a 100644 --- a/specs/y/yarnpkg/yarnpkg.spec +++ b/specs/y/yarnpkg/yarnpkg.spec 
@@ -15,7 +15,7 @@ Name: yarnpkg Version: 1.22.22 -Release: 17%{?dist} +Release: 18%{?dist} Summary: Fast, reliable, and secure dependency management. License: BSD-2-Clause URL: https://github.com/yarnpkg/yarn @@ -40,7 +40,7 @@ ExclusiveArch: %{nodejs_arches} BuildRequires: nodejs-packaging %if 0%{?fedora} -BuildRequires: %{_bindir}/npm +BuildRequires: nodejs-npm %else BuildRequires: npm %endif @@ -102,11 +102,11 @@ if [[ $(%{buildroot}%{_bindir}/yarn --version) == %{version} ]] ; then echo PASS - Rebuilt for https://fedoraproject.org/wiki/Fedora_44_Mass_Rebuild * Wed Dec 03 2025 Sandro Mani - 1.22.22-14 -- Bump release - -* Wed Dec 03 2025 Sandro Mani - 1.22.22-13 - Refresh bundle, fixes CVE-2025-64756 +* Tue Nov 11 2025 Tomas Juhasz - 1.22.22-13 +- Rebuilt for nodejs-packaging + * Tue Sep 30 2025 Sandro Mani - 1.22.22-12 - Regenerate bundle, fixes CVE-2025-59343 - Patch out eslint and commitizen devDependencies to reduce dependencies