Linux 2.21 Open Source Gold Release

Upgraded to OpenSSL 1.1.1u.
Introduced Intel(R) TDX 1.4 and 1.5 support
Upgraded Ring3 Abstraction Layer (R3AAL) library to support
Intel(R) TDX MVP 6.2 kernel
Enhanced quote verification performance in multi-thread scenarios
Fixed bugs.

Signed-off-by: Zhang, Lili Z <[email protected]>

Makefile

@@ -86,6 +86,16 @@ tdx:
 	$(MAKE) -C external/dcap_source/QuoteGeneration tdx_logic
 	$(MAKE) -C external/dcap_source/QuoteGeneration tdx_qgs
 	$(MAKE) -C external/dcap_source/QuoteGeneration tdx_attest
+
+td_migration:
+	$(MAKE) -C sdk/ td_migration _TD_MIGRATION=1
+	$(MAKE) -C external/dcap_source/QuoteGeneration td_migration
+
+td_migration_preparation:
+# Only enable the download from git
+	git submodule update --init --recursive external/dcap_source external/sgx-emm/emm_src
+	./external/sgx-emm/create_symlink.sh
+	./external/dcap_source/QuoteVerification/prepare_sgxssl.sh nobuild
 
 # Generate SE SDK Install package
 sdk_install_pkg_no_mitigation: sdk_no_mitigation

buildenv.mk

@@ -120,6 +120,10 @@ ifeq ($(BUILD_REF_LE), 1)
     COMMON_FLAGS += -DREF_LE
 endif
 
+ifdef _TD_MIGRATION
+    COMMON_FLAGS += -D_TD_MIGRATION
+endif
+
 COMMON_FLAGS += -ffunction-sections -fdata-sections
 
 # turn on compiler warnings as much as possible

common/inc/internal/se_version.h

@@ -31,21 +31,21 @@
 #ifndef _SE_VERSION_H_
 #define _SE_VERSION_H_
 
-#define STRFILEVER    "2.20.100.4"
+#define STRFILEVER    "2.21.100.1"
 #define SGX_MAJOR_VERSION       2
-#define SGX_MINOR_VERSION       20
+#define SGX_MINOR_VERSION       21
 #define SGX_REVISION_VERSION    100
 #define MAKE_VERSION_UINT(major,minor,rev)  (((uint64_t)major)<<32 | ((uint64_t)minor) << 16 | rev)
 #define VERSION_UINT        MAKE_VERSION_UINT(SGX_MAJOR_VERSION, SGX_MINOR_VERSION, SGX_REVISION_VERSION)
 
 #define COPYRIGHT      "Copyright (C) 2023 Intel Corporation"
 
-#define UAE_SERVICE_VERSION       "2.3.219.4"
-#define URTS_VERSION              "2.0.103.4"
-#define ENCLAVE_COMMON_VERSION    "1.2.103.4"
-#define LAUNCH_VERSION            "1.0.121.4"
-#define EPID_VERSION              "1.0.121.4"
-#define QUOTE_EX_VERSION          "1.1.121.4"
+#define UAE_SERVICE_VERSION       "2.3.220.1"
+#define URTS_VERSION              "2.0.104.1"
+#define ENCLAVE_COMMON_VERSION    "1.2.104.1"
+#define LAUNCH_VERSION            "1.0.122.1"
+#define EPID_VERSION              "1.0.122.1"
+#define QUOTE_EX_VERSION          "1.1.122.1"
 
 #define PCE_VERSION               "1.19.100.1"
 #define LE_VERSION                "1.19.100.1"

common/inc/sgx_key.h

@@ -51,7 +51,7 @@
 
 /* Key Policy */
 #define SGX_KEYPOLICY_MRENCLAVE        0x0001      /* Derive key using the enclave's ENCLAVE measurement register */
-#define SGX_KEYPOLICY_MRSIGNER         0x0002      /* Derive key using the enclave's SIGNER measurement register */
+#define SGX_KEYPOLICY_MRSIGNER         0x0002      /* Derive key using the enclave's SINGER measurement register */
 #define SGX_KEYPOLICY_NOISVPRODID      0x0004      /* Derive key without the enclave's ISVPRODID */
 #define SGX_KEYPOLICY_CONFIGID         0x0008      /* Derive key with the enclave's CONFIGID */
 #define SGX_KEYPOLICY_ISVFAMILYID      0x0010      /* Derive key with the enclave's ISVFAMILYID */

common/inc/sgx_report2.h

@@ -36,6 +36,8 @@
 #ifndef _SGX_REPORT2_H_
 #define _SGX_REPORT2_H_
 
+#include <stdint.h>
+
 #define TEE_HASH_384_SIZE       48 /* SHA384 */
 #define TEE_MAC_SIZE            32 /* Message SHA 256 HASH Code - 32 bytes */
 
@@ -67,6 +69,7 @@ typedef struct _tee_attributes_t
 #define TEE_REPORT2_TYPE        0x81    /* TEE Report Type2 */
 #define TEE_REPORT2_SUBTYPE     0x0     /* SUBTYPE for Report Type2 is 0 */
 #define TEE_REPORT2_VERSION     0x0     /* VERSION for Report Type2 is 0 */
+#define TEE_REPORT2_VERSION_SERVICETD 0x1 /* VERSION for Report Type2 which mr_servicetd is used */
 
 typedef struct _tee_report_type_t {
     uint8_t type;       /* Trusted Execution Environment(TEE) type:

common/inc/sgx_tseal.h

@@ -56,7 +56,7 @@ typedef struct _aes_gcm_data_t
 typedef struct _sealed_data_t
 {
     sgx_key_request_t  key_request;       /* 00: The key request used to obtain the sealing key */
-    uint32_t           plain_text_offset; /* 64: Offset within aes_data.payload to the start of the optional additional MAC text */
+    uint32_t           plain_text_offset; /* 64: Offset within aes_data.playload to the start of the optional additional MAC text */
     uint8_t            reserved[12];      /* 68: Reserved bits */
     sgx_aes_gcm_data_t aes_data;          /* 80: Data structure holding the AES/GCM related data */
 } sgx_sealed_data_t;

common/src/sgx_read_rand.cpp

@@ -33,11 +33,17 @@
 /* Please add external/rdrand into INCLUDE path and correpondent library to project */
 
 #include <stdint.h>
+#ifndef _TD_MIGRATION
 #include <memory.h>
+#else
+#include <string.h>
+#endif
 #include <stdlib.h>
 #include "sgx.h"
 #include "sgx_defs.h"
+#ifndef _TD_MIGRATION
 #include "se_wrapper.h"
+#endif
 #include "rdrand.h"
 #include "cpuid.h"
 #include <stdio.h>
@@ -84,10 +90,14 @@ extern "C" sgx_status_t SGXAPI sgx_read_rand(uint8_t *buf, size_t size)
         g_is_rdrand_supported = rdrand_cpuid();
     }
     if(!g_is_rdrand_supported){
+#ifndef _TD_MIGRATION
         uint32_t i;
         for(i=0;i<(uint32_t)size;++i){
             buf[i]=(uint8_t)rand();
         }
+#else
+        return SGX_ERROR_UNEXPECTED;
+#endif
     }else{
         int rd_ret =rdrand_get_bytes((uint32_t)size, buf);
         if(rd_ret != RDRAND_SUCCESS){

download_prebuilt.sh

@@ -33,11 +33,11 @@
 
 top_dir=`dirname $0`
 out_dir=$top_dir
-optlib_name=optimized_libs_2.20.tar.gz
-ae_file_name=prebuilt_ae_2.20.tar.gz
+optlib_name=optimized_libs_2.21.tar.gz
+ae_file_name=prebuilt_ae_2.21.tar.gz
 binutils_file_name=as.ld.objdump.r4.tar.gz
-checksum_file=SHA256SUM_prebuilt_2.20.cfg
-server_url_path=https://download.01.org/intel-sgx/sgx-linux/2.20
+checksum_file=SHA256SUM_prebuilt_2.21.cfg
+server_url_path=https://download.01.org/intel-sgx/sgx-linux/2.21
 server_optlib_url=$server_url_path/$optlib_name
 server_ae_url=$server_url_path/$ae_file_name
 server_binutils_url=$server_url_path/$binutils_file_name

external/protobuf/sgx_protobuf.patch

@@ -1,12 +1,13 @@
-From b309912dc33756a51d49af062ba883790d206f14 Mon Sep 17 00:00:00 2001
+From 693787f29e638e6f65dfdd5ee3dd9c2a45b7d3df Mon Sep 17 00:00:00 2001
 From: yanxue <[email protected]>
-Date: Fri, 6 May 2022 16:04:12 +0800
+Date: Tue, 1 Aug 2023 07:12:57 +0000
 Subject: [PATCH] Enable Protobuf in SGX
 
 ---
  cmake/CMakeLists.txt                          |  31 +++-
  cmake/libsgx_protobuf.cmake                   | 140 ++++++++++++++++++
  configure.ac                                  |   2 +-
+ .../google/protobuf/MessageReflection.java    |  26 +++-
  .../protobuf/io/zero_copy_stream_impl.cc      |   6 +
  .../protobuf/io/zero_copy_stream_impl.h       |   4 +-
  src/google/protobuf/map.h                     |  12 ++
@@ -28,7 +29,7 @@ Subject: [PATCH] Enable Protobuf in SGX
  .../protobuf/util/delimited_message_util.cc   |   2 +
  .../protobuf/util/delimited_message_util.h    |   7 +-
  src/google/protobuf/util/time_util.h          |   4 +
- 24 files changed, 292 insertions(+), 14 deletions(-)
+ 25 files changed, 317 insertions(+), 15 deletions(-)
  create mode 100644 cmake/libsgx_protobuf.cmake
 
 diff --git a/cmake/CMakeLists.txt b/cmake/CMakeLists.txt
@@ -234,7 +235,7 @@ index 000000000..2d5b33da5
 +    DEBUG_POSTFIX "${protobuf_DEBUG_POSTFIX}")
 +add_library(protobuf::libprotobuf ALIAS libprotobuf)
 diff --git a/configure.ac b/configure.ac
-index 5de1ce20a..712fa41d5 100644
+index 7c5c2c799..31c63629f 100644
 --- a/configure.ac
 +++ b/configure.ac
 @@ -106,7 +106,7 @@ ACX_CHECK_SUNCC
@@ -246,6 +247,77 @@ index 5de1ce20a..712fa41d5 100644
 
  # Check whether the linker supports version scripts
  AC_MSG_CHECKING([whether the linker supports version scripts])
+diff --git a/java/core/src/main/java/com/google/protobuf/MessageReflection.java b/java/core/src/main/java/com/google/protobuf/MessageReflection.java
+index b7f5d52d4..f032d4926 100644
+--- a/java/core/src/main/java/com/google/protobuf/MessageReflection.java
++++ b/java/core/src/main/java/com/google/protobuf/MessageReflection.java
+@@ -349,6 +349,7 @@ class MessageReflection {
+   static class BuilderAdapter implements MergeTarget {
+
+     private final Message.Builder builder;
++    private boolean hasNestedBuilders = true;
+
+     @Override
+     public Descriptors.Descriptor getDescriptorForType() {
+@@ -363,6 +364,17 @@ class MessageReflection {
+     public Object getField(Descriptors.FieldDescriptor field) {
+       return builder.getField(field);
+     }
++    
++    private Message.Builder getFieldBuilder(Descriptors.FieldDescriptor field) {
++      if (hasNestedBuilders) {
++        try {
++          return builder.getFieldBuilder(field);
++        } catch (UnsupportedOperationException e) {
++          hasNestedBuilders = false;
++        }
++      }
++      return null;
++    }
+
+     @Override
+     public boolean hasField(Descriptors.FieldDescriptor field) {
+@@ -371,6 +383,12 @@ class MessageReflection {
+
+     @Override
+     public MergeTarget setField(Descriptors.FieldDescriptor field, Object value) {
++      if (!field.isRepeated() && value instanceof MessageLite.Builder) {
++        if (value != getFieldBuilder(field)) {
++          builder.setField(field, ((MessageLite.Builder) value).buildPartial());
++        }
++        return this;
++      }
+       builder.setField(field, value);
+       return this;
+     }
+@@ -384,12 +402,18 @@ class MessageReflection {
+     @Override
+     public MergeTarget setRepeatedField(
+         Descriptors.FieldDescriptor field, int index, Object value) {
++      if (value instanceof MessageLite.Builder) {
++        value = ((MessageLite.Builder) value).buildPartial();
++      }
+       builder.setRepeatedField(field, index, value);
+       return this;
+     }
+
+     @Override
+     public MergeTarget addRepeatedField(Descriptors.FieldDescriptor field, Object value) {
++      if (value instanceof MessageLite.Builder) {
++        value = ((MessageLite.Builder) value).buildPartial();
++      }
+       builder.addRepeatedField(field, value);
+       return this;
+     }
+@@ -543,7 +567,7 @@ class MessageReflection {
+
+     @Override
+     public Object finish() {
+-      return builder.buildPartial();
++      return builder;
+     }
+   }
+
 diff --git a/src/google/protobuf/io/zero_copy_stream_impl.cc b/src/google/protobuf/io/zero_copy_stream_impl.cc
 index c66bc862a..1fee728cd 100644
 --- a/src/google/protobuf/io/zero_copy_stream_impl.cc
@@ -408,7 +480,7 @@ index 1c22f894e..69006e686 100644
    // Like SerializeToString(), but appends to the data to the string's
    // existing contents.  All required fields must be set.
 diff --git a/src/google/protobuf/port_def.inc b/src/google/protobuf/port_def.inc
-index 31ab3b159..cadbf1645 100644
+index 1e360ccce..0765998b8 100644
 --- a/src/google/protobuf/port_def.inc
 +++ b/src/google/protobuf/port_def.inc
 @@ -608,7 +608,7 @@
@@ -848,5 +920,5 @@ index 95cc64520..6d7c44775 100644
 
  #include <google/protobuf/duration.pb.h>
 -- 
-2.17.1
+2.34.1
 

external/sgxssl/prepare_sgxssl.sh

@@ -32,16 +32,16 @@
 
 top_dir="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
 openssl_out_dir=$top_dir/openssl_source
-openssl_ver=1.1.1t
+openssl_ver=1.1.1u
 openssl_ver_name=openssl-$openssl_ver
 sgxssl_github_archive=https://github.com/intel/intel-sgx-ssl/archive
-sgxssl_file_name=lin_2.19_1.1.1t
+sgxssl_file_name=lin_2.21_1.1.1u
 build_script=$top_dir/Linux/build_openssl.sh
 server_url_path=https://www.openssl.org/source
 full_openssl_url=$server_url_path/old/1.1.1/$openssl_ver_name.tar.gz
 
-sgxssl_chksum=bff5a9059911846e27447acb402c4690346abf46da8e1c26b66d406e8abb1588
-openssl_chksum=8dee9b24bdb1dcbf0c3d1e9b02fb8f6bf22165e807f45adeb7c9677536859d3b
+sgxssl_chksum=b83c6f98041eb77df209cef91b77b68a8cbd861e5617fe1bf087398042e5ace6
+openssl_chksum=e2f8d84b523eecd06c7be7626830370300fbcc15386bf5142d72758f6963ebc6
 rm -f check_sum_sgxssl.txt check_sum_openssl.txt
 if [ ! -f $build_script ]; then
 	wget $sgxssl_github_archive/$sgxssl_file_name.zip -P $top_dir || exit 1
@@ -70,11 +70,6 @@ if [ ! -f $openssl_out_dir/$openssl_ver_name.tar.gz ]; then
 fi
 
 pushd $top_dir/Linux/
-patched=$(grep -c x509 build_openssl.sh)
-if [ '0' -eq $patched ]; then
-	sed -i '140a cp ../../../dcap_source/prebuilt/openssl/OpenSSL_1.1.1u_files/pcy_*.* crypto/x509v3/.' build_openssl.sh
-	sed -i '140a cp ../../../dcap_source/prebuilt/openssl/OpenSSL_1.1.1u_files/x509_vfy.c crypto/x509/.' build_openssl.sh
-fi
 if [ "$MITIGATION" != "" ]; then
         make clean all LINUX_SGX_BUILD=1 DEBUG=$DEBUG
 else

linux/installer/common/sdk/BOMs/sdk_base.txt

@@ -93,6 +93,7 @@ DeliveryName	InstallName	FileCheckSum	FileFeature	FileOwner
 <deliverydir>/external/dcap_source/QuoteGeneration/pce_wrapper/inc/sgx_pce.h	<installdir>/package/include/./sgx_pce.h	0	main	STP
 <deliverydir>/external/dcap_source/QuoteGeneration/quote_wrapper/common/inc/sgx_quote_3.h	<installdir>/package/include/./sgx_quote_3.h	0	main	STP
 <deliverydir>/external/dcap_source/QuoteGeneration/quote_wrapper/common/inc/sgx_quote_4.h	<installdir>/package/include/./sgx_quote_4.h	0	main	STP
+<deliverydir>/external/dcap_source/QuoteGeneration/quote_wrapper/common/inc/sgx_quote_5.h	<installdir>/package/include/./sgx_quote_5.h	0	main	STP
 <deliverydir>/external/dcap_source/QuoteGeneration/quote_wrapper/common/inc/sgx_ql_quote.h	<installdir>/package/include/./sgx_ql_quote.h	0	main	STP
 <deliverydir>/external/dcap_source/QuoteVerification/QvE/Include/sgx_qve_header.h	<installdir>/package/include/./sgx_qve_header.h	0	main	STP
 <deliverydir>/external/dcap_source/QuoteVerification/dcap_tvl/sgx_dcap_tvl.h	<installdir>/package/include/./sgx_dcap_tvl.h	0	main	STP

linux/installer/deb/sgx-aesm-service/sgx-aesm-service-1.0/debian/control

@@ -37,12 +37,12 @@ Description: Unified Quote Plugin for Intel(R) Software Guard Extensions AESM Se
 
 Package: libsgx-aesm-ecdsa-plugin
 Architecture: amd64
-Depends: ${shlibs:Depends}, ${misc:Depends}, sgx-aesm-service(>= @dep_version@), libsgx-qe3-logic(>= 1.17), libsgx-aesm-pce-plugin(>= @dep_version@)
+Depends: ${shlibs:Depends}, ${misc:Depends}, sgx-aesm-service(>= @dep_version@), libsgx-qe3-logic(>= 1.18), libsgx-aesm-pce-plugin(>= @dep_version@)
 Description: ECDSA Quote Plugin for Intel(R) Software Guard Extensions AESM Service
 
 Package: libsgx-aesm-pce-plugin
 Architecture: amd64
-Depends: ${shlibs:Depends}, ${misc:Depends}, sgx-aesm-service(>= @dep_version@), libsgx-pce-logic(>= 1.17), libsgx-ae-pce(>= @dep_version@)
+Depends: ${shlibs:Depends}, ${misc:Depends}, sgx-aesm-service(>= @dep_version@), libsgx-pce-logic(>= 1.18), libsgx-ae-pce(>= @dep_version@)
 Description: PCE Plugin for Intel(R) Software Guard Extensions AESM Service
 
 Package: libsgx-ae-pce

linux/installer/rpm/psw-dcap/sanitize.sh

@@ -47,11 +47,7 @@ make -C ${root_dir} preparation
 # Prepare ipp-crypto source
 pushd ${root_dir}/external/ippcp_internal/
 
-# cd ipp-crypto && git apply ../0001-IPP-crypto-for-SGX_psw_dcap.patch >/dev/null 2>&1 ||  git apply ../0001-IPP-crypto-for-SGX_psw_dcap.patch --check -R
-# TODO - Need to remove below lines and enable the above content when opensource 
-rm -rf ipp-crypto
-git clone -b ippcp_2021.7 https://github.com/intel/ipp-crypto.git --depth 1 ipp-crypto
-cd ipp-crypto && git apply ../0001-IPP-crypto-for-SGX_psw_dcap.patch
+cd ipp-crypto && git apply ../0001-IPP-crypto-for-SGX_psw_dcap.patch >/dev/null 2>&1 ||  git apply ../0001-IPP-crypto-for-SGX_psw_dcap.patch --check -R
 
 popd
 

linux/installer/rpm/psw-tdx/sanitize.sh

@@ -47,11 +47,7 @@ make -C ${root_dir} preparation
 # Prepare ipp-crypto source
 pushd ${root_dir}/external/ippcp_internal/
 
-# cd ipp-crypto && git apply ../0001-IPP-crypto-for-SGX_psw_dcap.patch >/dev/null 2>&1 ||  git apply ../0001-IPP-crypto-for-SGX_psw_dcap.patch --check -R
-# TODO - Need to remove below lines and enable the above content when opensource 
-rm -rf ipp-crypto
-git clone -b ippcp_2021.7 https://github.com/intel/ipp-crypto.git --depth 1 ipp-crypto
-cd ipp-crypto && git apply ../0001-IPP-crypto-for-SGX_psw_dcap.patch
+cd ipp-crypto && git apply ../0001-IPP-crypto-for-SGX_psw_dcap.patch >/dev/null 2>&1 ||  git apply ../0001-IPP-crypto-for-SGX_psw_dcap.patch --check -R
 
 popd
 

linux/installer/rpm/sgx-aesm-service/libsgx-aesm-ecdsa-plugin.spec

@@ -38,7 +38,7 @@ Version:        @version@
 Release:        1%{?dist}
 Summary:        ECDSA Quote Plugin for Intel(R) Software Guard Extensions AESM Service
 Group:          Development/System
-Requires:       sgx-aesm-service >= %{version}-%{release} libsgx-qe3-logic >= 1.17 libsgx-aesm-pce-plugin >= %{version}-%{release}
+Requires:       sgx-aesm-service >= %{version}-%{release} libsgx-qe3-logic >= 1.18 libsgx-aesm-pce-plugin >= %{version}-%{release}
 
 License:        BSD License
 URL:            https://github.com/intel/linux-sgx

linux/installer/rpm/sgx-aesm-service/libsgx-aesm-pce-plugin.spec

@@ -38,7 +38,7 @@ Version:        @version@
 Release:        1%{?dist}
 Summary:        PCE Plugin for Intel(R) Software Guard Extensions AESM Service
 Group:          Development/System
-Requires:       sgx-aesm-service >= %{version}-%{release} libsgx-pce-logic >= 1.17
+Requires:       sgx-aesm-service >= %{version}-%{release} libsgx-pce-logic >= 1.18
 
 License:        BSD License
 URL:            https://github.com/intel/linux-sgx