Linux 2.23 Open Source Gold Release

Supported new OS: Ubuntu* 23.10 64-bit Server version.
Upgraded to OpenSSL 3.0.12.
Upgraded MbedTLS to 3.5.0.
Added SM2 encrypt/decrypt algorithm to the GM/SM (PRC National Commercial
  Cryptographic Algorithms) sample code.
Introduced the Intel® DCAP Appraisal Engine within quote verification library,
  empowering users to evaluate verification results against diverse policies.
Upgraded Intel SGX Quote Verification Enclave to integrate OpenSSL/SgxSSL 3.0.12.
Added Rust wrapper for quote provider library APIs.
Fixed bugs.

Signed-off-by: Li, Xun <[email protected]>

Makefile

@@ -90,11 +90,11 @@ tdx:
 	$(MAKE) -C external/dcap_source/QuoteGeneration tdx_qgs
 	$(MAKE) -C external/dcap_source/QuoteGeneration tdx_attest
 
-td_migration:
-	$(MAKE) -C sdk/ td_migration _TD_MIGRATION=1
-	$(MAKE) -C external/dcap_source/QuoteGeneration td_migration
+servtd_attest:
+	$(MAKE) -C sdk/ servtd_attest SERVTD_ATTEST=1
+	$(MAKE) -C external/dcap_source/QuoteGeneration servtd_attest
 
-td_migration_preparation:
+servtd_attest_preparation:
 # Only enable the download from git
 	git submodule update --init --recursive external/dcap_source external/sgx-emm/emm_src
 	./external/sgx-emm/create_symlink.sh
@@ -209,7 +209,21 @@ deb_libsgx_headers_pkg:
 
 ifeq ($(CC_BELOW_5_2), 1)
 .PHONY: deb_psw_pkg
-deb_psw_pkg: deb_libsgx_headers_pkg deb_libsgx_qe3_logic deb_libsgx_pce_logic deb_sgx_aesm_service deb_libsgx_epid deb_libsgx_launch deb_libsgx_quote_ex deb_libsgx_uae_service deb_libsgx_enclave_common deb_libsgx_urts deb_libsgx_ae_qe3  deb_libsgx_ae_tdqe deb_libsgx_ae_id_enclave deb_libsgx_tdx_logic deb_tdx_qgs deb_tdx_attest
+deb_psw_pkg: deb_libsgx_headers_pkg \
+             deb_libsgx_qe3_logic \
+             deb_libsgx_pce_logic \
+             deb_sgx_aesm_service \
+             deb_libsgx_epid \
+             deb_libsgx_launch \
+             deb_libsgx_quote_ex \
+             deb_libsgx_uae_service \
+             deb_libsgx_enclave_common \
+             deb_libsgx_urts \
+             deb_libsgx_ae_qe3 \
+             deb_libsgx_ae_tdqe \
+             deb_libsgx_ae_id_enclave \
+             deb_libsgx_tdx_logic \
+             deb_tdx_qgs deb_tdx_attest
 else
 .PHONY: deb_libsgx_dcap_default_qpl
 deb_libsgx_dcap_default_qpl:
@@ -250,8 +264,36 @@ deb_sgx_ra_service_pkg:
 	$(CP) external/dcap_source/tools/SGXPlatformRegistration/build/installer/sgx-ra-service*deb ./linux/installer/deb/sgx-aesm-service/
 	$(CP) external/dcap_source/tools/SGXPlatformRegistration/build/installer/libsgx-ra-*deb ./linux/installer/deb/sgx-aesm-service/
 
+.PHONY: deb_tee_appraisal_tool
+deb_tee_appraisal_tool:
+	$(MAKE) -C external/dcap_source/QuoteGeneration deb_tee_appraisal_tool_pkg
+	$(CP) external/dcap_source/QuoteGeneration/installer/linux/deb/tee-appraisal-tool/tee-appraisal-tool*deb ./linux/installer/deb/sgx-aesm-service/
+
 .PHONY: deb_psw_pkg
-deb_psw_pkg: deb_libsgx_headers_pkg deb_libsgx_qe3_logic deb_libsgx_pce_logic deb_sgx_aesm_service deb_libsgx_epid deb_libsgx_launch deb_libsgx_quote_ex deb_libsgx_uae_service deb_libsgx_enclave_common deb_libsgx_urts deb_libsgx_ae_qe3 deb_libsgx_ae_id_enclave deb_libsgx_dcap_default_qpl deb_libsgx_dcap_pccs deb_libsgx_dcap_ql deb_libsgx_ae_qve deb_sgx_dcap_quote_verify deb_sgx_pck_id_retrieval_tool_pkg deb_sgx_ra_service_pkg deb_libsgx_ae_tdqe deb_libsgx_tdx_logic deb_tdx_qgs deb_tdx_attest
+deb_psw_pkg: deb_libsgx_headers_pkg \
+             deb_libsgx_qe3_logic \
+             deb_libsgx_pce_logic \
+             deb_sgx_aesm_service \
+             deb_libsgx_epid \
+             deb_libsgx_launch \
+             deb_libsgx_quote_ex \
+             deb_libsgx_uae_service \
+             deb_libsgx_enclave_common \
+             deb_libsgx_urts \
+             deb_libsgx_ae_qe3 \
+             deb_libsgx_ae_id_enclave \
+             deb_libsgx_dcap_default_qpl \
+             deb_libsgx_dcap_pccs \
+             deb_libsgx_dcap_ql \
+             deb_libsgx_ae_qve \
+             deb_sgx_dcap_quote_verify \
+             deb_sgx_pck_id_retrieval_tool_pkg \
+             deb_sgx_ra_service_pkg \
+             deb_libsgx_ae_tdqe \
+             deb_libsgx_tdx_logic \
+             deb_tdx_qgs \
+             deb_tdx_attest \
+             deb_tee_appraisal_tool
 endif
 
 .PHONY: deb_local_repo
@@ -345,7 +387,22 @@ rpm_libsgx_headers_pkg:
 
 ifeq ($(CC_BELOW_5_2), 1)
 .PHONY: rpm_psw_pkg
-rpm_psw_pkg: rpm_libsgx_headers_pkg rpm_libsgx_pce_logic rpm_libsgx_qe3_logic rpm_sgx_aesm_service rpm_libsgx_epid rpm_libsgx_launch rpm_libsgx_quote_ex rpm_libsgx_uae_service rpm_libsgx_enclave_common rpm_libsgx_urts rpm_libsgx_ae_qe3 rpm_libsgx_ae_tdqe rpm_libsgx_ae_id_enclave rpm_libsgx_tdx_logic rpm_tdx_qgs rpm_tdx_attest
+rpm_psw_pkg: rpm_libsgx_headers_pkg \
+             rpm_libsgx_pce_logic \
+             rpm_libsgx_qe3_logic \
+             rpm_sgx_aesm_service \
+             rpm_libsgx_epid \
+             rpm_libsgx_launch \
+             rpm_libsgx_quote_ex \
+             rpm_libsgx_uae_service \
+             rpm_libsgx_enclave_common \
+             rpm_libsgx_urts \
+             rpm_libsgx_ae_qe3 \
+             rpm_libsgx_ae_tdqe \
+             rpm_libsgx_ae_id_enclave \
+             rpm_libsgx_tdx_logic \
+             rpm_tdx_qgs \
+             rpm_tdx_attest
 else
 .PHONY: rpm_libsgx_dcap_default_qpl
 rpm_libsgx_dcap_default_qpl:
@@ -386,8 +443,36 @@ rpm_sgx_ra_service_pkg:
 	$(CP) external/dcap_source/tools/SGXPlatformRegistration/build/installer/sgx-ra-service*rpm ./linux/installer/rpm/sgx-aesm-service/
 	$(CP) external/dcap_source/tools/SGXPlatformRegistration/build/installer/libsgx-ra-*rpm ./linux/installer/rpm/sgx-aesm-service/
 
+.PHONY: rpm_tee_appraisal_tool
+rpm_tee_appraisal_tool:
+	$(MAKE) -C external/dcap_source/QuoteGeneration rpm_tee_appraisal_tool_pkg
+	$(CP) external/dcap_source/QuoteGeneration/installer/linux/rpm/tee-appraisal-tool/tee-appraisal-tool*rpm ./linux/installer/rpm/sgx-aesm-service/
+
 .PHONY: rpm_psw_pkg
-rpm_psw_pkg: rpm_libsgx_headers_pkg rpm_libsgx_pce_logic rpm_libsgx_qe3_logic rpm_sgx_aesm_service rpm_libsgx_epid rpm_libsgx_launch rpm_libsgx_quote_ex rpm_libsgx_uae_service rpm_libsgx_enclave_common rpm_libsgx_urts rpm_libsgx_ae_qe3 rpm_libsgx_ae_id_enclave rpm_libsgx_dcap_default_qpl rpm_libsgx_dcap_pccs rpm_libsgx_dcap_ql rpm_libsgx_ae_qve rpm_sgx_dcap_quote_verify rpm_sgx_pck_id_retrieval_tool_pkg rpm_sgx_ra_service_pkg rpm_libsgx_ae_tdqe rpm_libsgx_tdx_logic rpm_tdx_qgs rpm_tdx_attest
+rpm_psw_pkg: rpm_libsgx_headers_pkg \
+             rpm_libsgx_pce_logic \
+             rpm_libsgx_qe3_logic \
+             rpm_sgx_aesm_service \
+             rpm_libsgx_epid \
+             rpm_libsgx_launch \
+             rpm_libsgx_quote_ex \
+             rpm_libsgx_uae_service \
+             rpm_libsgx_enclave_common \
+             rpm_libsgx_urts \
+             rpm_libsgx_ae_qe3 \
+             rpm_libsgx_ae_id_enclave \
+             rpm_libsgx_dcap_default_qpl \
+             rpm_libsgx_dcap_pccs \
+             rpm_libsgx_dcap_ql \
+             rpm_libsgx_ae_qve \
+             rpm_sgx_dcap_quote_verify \
+             rpm_sgx_pck_id_retrieval_tool_pkg \
+             rpm_sgx_ra_service_pkg \
+             rpm_libsgx_ae_tdqe \
+             rpm_libsgx_tdx_logic \
+             rpm_tdx_qgs \
+             rpm_tdx_attest \
+             rpm_tee_appraisal_tool
 endif
 
 .PHONY: rpm_local_repo
@@ -442,6 +527,7 @@ ifeq ("$(shell test -f external/dcap_source/QuoteVerification/Makefile && echo M
 	./external/dcap_source/QuoteGeneration/installer/linux/deb/libsgx-qe3-logic/clean.sh
 	./external/dcap_source/QuoteGeneration/installer/linux/deb/libsgx-dcap-quote-verify/clean.sh
 	./external/dcap_source/QuoteGeneration/installer/linux/deb/sgx-dcap-pccs/clean.sh
+	./external/dcap_source/QuoteGeneration/installer/linux/deb/tee-appraisal-tool/clean.sh
 	./external/dcap_source/QuoteGeneration/installer/linux/rpm/libsgx-ae-qve/clean.sh
 	./external/dcap_source/QuoteGeneration/installer/linux/rpm/libsgx-ae-qe3/clean.sh
 	./external/dcap_source/QuoteGeneration/installer/linux/rpm/libsgx-ae-id-enclave/clean.sh
@@ -455,6 +541,7 @@ ifeq ("$(shell test -f external/dcap_source/QuoteVerification/Makefile && echo M
 	./external/dcap_source/QuoteGeneration/installer/linux/rpm/libsgx-qe3-logic/clean.sh
 	./external/dcap_source/QuoteGeneration/installer/linux/rpm/libsgx-dcap-quote-verify/clean.sh
 	./external/dcap_source/QuoteGeneration/installer/linux/rpm/sgx-dcap-pccs/clean.sh
+	./external/dcap_source/QuoteGeneration/installer/linux/rpm/tee-appraisal-tool/clean.sh
 endif
 
 rebuild:

README.md

@@ -91,6 +91,7 @@ Build the Intel(R) SGX SDK and Intel(R) SGX PSW Package
   * Ubuntu\* 20.04 LTS Desktop 64bits
   * Ubuntu\* 20.04 LTS Server 64bits
   * Ubuntu\* 22.04 LTS Server 64bits
+  * Ubuntu\* 23.10 Server 64bits
   * Red Hat Enterprise Linux Server release 9.2 64bits
   * CentOS Stream 9 64bits
   * CentOS 8.3 64bits
@@ -104,7 +105,7 @@ Build the Intel(R) SGX SDK and Intel(R) SGX PSW Package
     $ sudo apt-get install build-essential ocaml ocamlbuild automake autoconf libtool wget python3 libssl-dev git cmake perl
     $ sudo update-alternatives --install /usr/bin/python python /usr/bin/python3 1
   ```
-  * On Ubuntu 20.04 and Ubuntu 22.04:
+  * On Ubuntu 20.04, Ubuntu 22.04 and Ubuntu 23.10:
   ```
     $ sudo apt-get install build-essential ocaml ocamlbuild automake autoconf libtool wget python-is-python3 libssl-dev git cmake perl
   ```
@@ -143,7 +144,7 @@ Build the Intel(R) SGX SDK and Intel(R) SGX PSW Package
       ```
         $ sudo apt-get install libssl-dev libcurl4-openssl-dev protobuf-compiler libprotobuf-dev debhelper cmake reprepro unzip lsb-release libsystemd0
       ```
-      * On Ubuntu 20.04 and Ubuntu 22.04:
+      * On Ubuntu 20.04, Ubuntu 22.04 and Ubuntu 23.10:
       ```
         $ sudo apt-get install libssl-dev libcurl4-openssl-dev protobuf-compiler libprotobuf-dev debhelper cmake reprepro unzip pkgconf libboost-dev libboost-system-dev libboost-thread-dev lsb-release libsystemd0
       ```
@@ -177,12 +178,12 @@ Build the Intel(R) SGX SDK and Intel(R) SGX PSW Package
 ```
   The above ``make preparation`` would trigger the script ``download_prebuilt.sh`` to download the prebuilt binaries. You may need to set an https proxy for the `wget` tool used by the script (such as ``export https_proxy=http://test-proxy:test-port``)
 
-- Copy the mitigation tools corresponding to current OS distribution from external/toolset/{current_distr} to /usr/local/bin and make sure they have execute permission:
+- (*Optional*) If the binutils on your current operating system distribution doesn't support mitigation options, copy the mitigation tools corresponding to current OS distribution from external/toolset/{current_distr} to /usr/local/bin and make sure they have execute permission:
   ```
     $ sudo cp external/toolset/{current_distr}/* /usr/local/bin
     $ which ar as ld objcopy objdump ranlib
   ```
-    **Note**: The above action is a must even if you copied the previous mitigation tools to /usr/local/bin before. It ensures the updated mitigation tools are used in the later build.
+    **Note**: Mitigation tools are only provided for the operating systems whose binutils lack mitigation options support. If your operating system is not listed in the external/toolset/{current_distr} directory, you can skip this step. Otherwise, even if you previously copied the mitigation tools to /usr/local/bin, performing the above action is still necessary. This ensures that the latest mitigation tools are used during the subsequent build process.
 
 
 ### Build the Intel(R) SGX SDK and Intel(R) SGX SDK Installer
@@ -255,7 +256,7 @@ You can find the tools and libraries generated in the `build/linux` directory.
   $ make
 ```
 - To build the Intel(R) SGX PSW installer, enter the following command:
-  * On Ubuntu 20.04, Ubuntu 22.04 and Debian 10:
+  * On Ubuntu 20.04, Ubuntu 22.04, Ubuntu 23.10 and Debian 10:
    ```
   $ make deb_psw_pkg
   ```
@@ -296,6 +297,10 @@ You can find the tools and libraries generated in the `build/linux` directory.
   ```
   deb [trusted=yes arch=amd64] file:/PATH_TO_LOCAL_REPO jammy main
   ```
+  * On Ubuntu 23.10:
+  ```
+  deb [trusted=yes arch=amd64] file:/PATH_TO_LOCAL_REPO mantic main
+  ```
   * On Debian 10:
   ```
   deb [trusted=yes arch=amd64] file:/PATH_TO_LOCAL_REPO buster main
@@ -339,6 +344,7 @@ Install the Intel(R) SGX SDK
   * Ubuntu\* 20.04 LTS Desktop 64bits
   * Ubuntu\* 20.04 LTS Server 64bits
   * Ubuntu\* 22.04 LTS Server 64bits
+  * Ubuntu\* 23.10 Server 64bits
   * Red Hat Enterprise Linux Server release 9.2 64bits
   * CentOS Stream 9 64bits
   * CentOS 8.3 64bits
@@ -351,7 +357,7 @@ Install the Intel(R) SGX SDK
     $ sudo apt-get install build-essential python3
     $ sudo update-alternatives --install /usr/bin/python python /usr/bin/python3
   ```
-   * On Ubuntu 20.04 and Ubuntu 22.04:
+   * On Ubuntu 20.04, Ubuntu 22.04 and Ubuntu 23.10:
   ```
     $ sudo apt-get install build-essential python-is-python3
   ```
@@ -429,6 +435,7 @@ Install the Intel(R) SGX PSW
   * Ubuntu\* 20.04 LTS Desktop 64bits
   * Ubuntu\* 20.04 LTS Server 64bits
   * Ubuntu\* 22.04 LTS Server 64bits
+  * Ubuntu\* 23.10 Server 64bits
   * Red Hat Enterprise Linux Server release 9.2 64bits
   * CentOS Stream 9 64bits
   * CentOS 8.3 64bits
@@ -440,7 +447,7 @@ Install the Intel(R) SGX PSW
 - Configure the system with the **Intel SGX hardware enabled** option and install Intel(R) SGX driver in advance.
   See the earlier topic, *Build and Install the Intel(R) SGX Driver*, for information on how to install the Intel(R) SGX driver.
 - Install the library using the following command:
-  * On Ubuntu 20.04, Ubuntu 22.04 and Debian 10:
+  * On Ubuntu 20.04, Ubuntu 22.04, Ubuntu 23.10 and Debian 10:
   ```
     $ sudo apt-get install libssl-dev libcurl4-openssl-dev libprotobuf-dev
   ```
@@ -470,7 +477,7 @@ The SGX PSW provides 3 services: launch, EPID-based attestation, and algorithm a
 
 #### Using the local repo(recommended)
 
-|   |Ubuntu 20.04, Ubuntu 22.04 and Debian 10|Red Hat Enterprise Linux 9.2, CentOS Stream 9, CentOS 8.3 and Anolis OS 8.6| SUSE Linux Enterprise Server 15|
+|   |Ubuntu 20.04, Ubuntu 22.04, Ubuntu 23.10 and Debian 10|Red Hat Enterprise Linux 9.2, CentOS Stream 9, CentOS 8.3 and Anolis OS 8.6| SUSE Linux Enterprise Server 15|
 | ------------ | ------------ | ------------ | ------------ |
 |launch service |apt-get install libsgx-launch libsgx-urts|yum install libsgx-launch libsgx-urts|zypper install libsgx-launch libsgx-urts|
 |EPID-based attestation service|apt-get install libsgx-epid libsgx-urts|yum install libsgx-epid libsgx-urts|zypper install libsgx-epid libsgx-urts|
@@ -491,7 +498,7 @@ apt-get dist-upgrade -o Dpkg::Options::="--force-overwrite"
 ```
 #### Configure the installation
 Some packages are configured with recommended dependency on other packages that are not required for certain usage. For instance, the background daemon is not required for container usage. It will be installed by default, but you can drop it by using the additional option during the installation.
-* On Ubuntu 20.04, Ubuntu 22.04 and Debian 10:
+* On Ubuntu 20.04, Ubuntu 22.04, Ubuntu 23.10 and Debian 10:
 ```
   --no-install-recommends
 ```

SampleCode/RemoteAttestation/service_provider/ecp.cpp

@@ -100,7 +100,7 @@ bool derive_key(
     hash_buffer_t hash_buffer;
     sample_sha_state_handle_t sha_context;
     sample_sha256_hash_t key_material;
-    
+
     memset(&hash_buffer, 0, sizeof(hash_buffer_t));
 
     /* counter in big endian  */
@@ -175,7 +175,7 @@ bool derive_key(
     sample_status_t sample_ret = SAMPLE_SUCCESS;
     uint8_t cmac_key[MAC_KEY_SIZE];
     sample_ec_key_128bit_t key_derive_key;
-    
+
     memset(&cmac_key, 0, MAC_KEY_SIZE);
 
     sample_ret = sample_rijndael128_cmac_msg(
@@ -233,7 +233,11 @@ bool derive_key(
     /*counter = 0x01 */
     p_derivation_buffer[0] = 0x01;
     /*label*/
-    memcpy_s(&p_derivation_buffer[1], derivation_buffer_length - 1, label, label_length);
+    if(memcpy_s(&p_derivation_buffer[1], derivation_buffer_length - 1, label, label_length)) {
+        memset(&key_derive_key, 0, sizeof(key_derive_key));
+        free(p_derivation_buffer);
+        return false;
+    }
     /*output_key_len=0x0080*/
     uint16_t *key_len = (uint16_t *)(&(p_derivation_buffer[derivation_buffer_length - 2]));
     *key_len = 0x0080;

SampleCode/RemoteAttestation/service_provider/ias_ra.cpp

@@ -243,8 +243,9 @@ int ias_enroll(
     UNUSED(p_authentication_token);
 
     if (NULL != p_spid) {
-        memcpy_s(p_spid, sizeof(sample_spid_t), &g_sim_spid,
-                 sizeof(sample_spid_t));
+        if(memcpy_s(p_spid, sizeof(sample_spid_t), &g_sim_spid, sizeof(sample_spid_t))) {
+            return(1);
+        }
     } else {
         return(1);
     }

SampleCode/RemoteAttestation/service_provider/service_provider.cpp

@@ -268,14 +268,23 @@ int sp_ra_proc_msg0_req(const sample_ra_msg0_t *p_msg0,
 
         if (g_return_ecdsa_att_key_id)
         {
-            memcpy_s(p_msg0_resp_full->body, msg0_resp_size,
-                g_ecdsa_p256_att_key_id_list, msg0_resp_size);
+            if (memcpy_s(p_msg0_resp_full->body, msg0_resp_size,
+                g_ecdsa_p256_att_key_id_list, msg0_resp_size)) {
+                fprintf(stderr, "\nError, cannot do memcpy in [%s].", __FUNCTION__);
+                g_return_ecdsa_att_key_id = false;
+                ret = SP_INTERNAL_ERROR;
+                goto CLEANUP;
+            }
             g_return_ecdsa_att_key_id = false;
         }
         else // Return EPID attestation key id
         {
-            memcpy_s(p_msg0_resp_full->body, msg0_resp_size,
-                g_epid_unlinkable_att_key_id_list, msg0_resp_size);
+            if(memcpy_s(p_msg0_resp_full->body, msg0_resp_size,
+                g_epid_unlinkable_att_key_id_list, msg0_resp_size)) {
+                fprintf(stderr, "\nError, cannot do memcpy in [%s].", __FUNCTION__);
+                ret = SP_INTERNAL_ERROR;
+                 goto CLEANUP;
+            }
         }
         p_msg0_resp_full->type = TYPE_RA_MSG0;
         p_msg0_resp_full->size = msg0_resp_size;
@@ -872,7 +881,3 @@ int sp_ra_proc_msg3_req(const sample_ra_msg3_t *p_msg3,
     }
     return ret;
 }
-
-
-
-