From f47d0e5a01bf68cebefce4418cf364777e76d503 Mon Sep 17 00:00:00 2001 From: "Zhang, Lili Z" Date: Tue, 22 Aug 2023 10:10:14 +0800 Subject: [PATCH] Linux 2.21 Open Source Gold Release Upgraded to OpenSSL 1.1.1u. Introduced Intel(R) TDX 1.4 and 1.5 support Upgraded Ring3 Abstraction Layer (R3AAL) library to support Intel(R) TDX MVP 6.2 kernel Enhanced quote verification performance in multi-thread scenarios Fixed bugs. Signed-off-by: Zhang, Lili Z --- Makefile | 10 +++ buildenv.mk | 4 + common/inc/internal/se_version.h | 16 ++-- common/inc/sgx_key.h | 2 +- common/inc/sgx_report2.h | 3 + common/inc/sgx_tseal.h | 2 +- common/src/sgx_read_rand.cpp | 10 +++ download_prebuilt.sh | 8 +- external/dcap_source | 2 +- external/protobuf/sgx_protobuf.patch | 84 +++++++++++++++++-- external/sgxssl/prepare_sgxssl.sh | 13 +-- linux/installer/common/sdk/BOMs/sdk_base.txt | 1 + .../sgx-aesm-service-1.0/debian/control | 4 +- linux/installer/rpm/psw-dcap/sanitize.sh | 6 +- linux/installer/rpm/psw-tdx/sanitize.sh | 6 +- .../libsgx-aesm-ecdsa-plugin.spec | 2 +- .../libsgx-aesm-pce-plugin.spec | 2 +- .../build_and_launch_docker.sh | 8 +- sdk/Makefile.source | 32 ++++++- sdk/selib/sgx_verify_report2.cpp | 3 +- .../sgx_tswitchless/sgx_ocall_switchless.c | 11 --- sdk/tlibc/Makefile | 2 +- sdk/tlibc/gen/sbrk.c | 7 ++ 23 files changed, 176 insertions(+), 62 deletions(-) mode change 100644 => 100755 linux/reproducibility/build_and_launch_docker.sh diff --git a/Makefile b/Makefile index 8bd287cba..9367fdb71 100644 --- a/Makefile +++ b/Makefile 
@@ -86,6 +86,16 @@ tdx: $(MAKE) -C external/dcap_source/QuoteGeneration tdx_logic $(MAKE) -C external/dcap_source/QuoteGeneration tdx_qgs $(MAKE) -C external/dcap_source/QuoteGeneration tdx_attest + +td_migration: + $(MAKE) -C sdk/ td_migration _TD_MIGRATION=1 + $(MAKE) -C external/dcap_source/QuoteGeneration td_migration + +td_migration_preparation: +# Only enable the download from git + git submodule update --init --recursive external/dcap_source external/sgx-emm/emm_src + ./external/sgx-emm/create_symlink.sh + ./external/dcap_source/QuoteVerification/prepare_sgxssl.sh nobuild # Generate SE SDK Install package sdk_install_pkg_no_mitigation: sdk_no_mitigation diff --git a/buildenv.mk b/buildenv.mk index 4b68593c3..4e0ebf9bc 100644 --- a/buildenv.mk +++ b/buildenv.mk @@ -120,6 +120,10 @@ ifeq ($(BUILD_REF_LE), 1) COMMON_FLAGS += -DREF_LE endif +ifdef _TD_MIGRATION + COMMON_FLAGS += -D_TD_MIGRATION +endif + COMMON_FLAGS += -ffunction-sections -fdata-sections # turn on compiler warnings as much as possible diff --git a/common/inc/internal/se_version.h b/common/inc/internal/se_version.h index 3fa066f33..06999ebcb 100644 --- a/common/inc/internal/se_version.h +++ b/common/inc/internal/se_version.h 
@@ -31,21 +31,21 @@ #ifndef _SE_VERSION_H_ #define _SE_VERSION_H_ -#define STRFILEVER "2.20.100.4" +#define STRFILEVER "2.21.100.1" #define SGX_MAJOR_VERSION 2 -#define SGX_MINOR_VERSION 20 +#define SGX_MINOR_VERSION 21 #define SGX_REVISION_VERSION 100 #define MAKE_VERSION_UINT(major,minor,rev) (((uint64_t)major)<<32 | ((uint64_t)minor) << 16 | rev) #define VERSION_UINT MAKE_VERSION_UINT(SGX_MAJOR_VERSION, SGX_MINOR_VERSION, SGX_REVISION_VERSION) #define COPYRIGHT "Copyright (C) 2023 Intel Corporation" -#define UAE_SERVICE_VERSION "2.3.219.4" -#define URTS_VERSION "2.0.103.4" -#define ENCLAVE_COMMON_VERSION "1.2.103.4" -#define LAUNCH_VERSION "1.0.121.4" -#define EPID_VERSION "1.0.121.4" -#define QUOTE_EX_VERSION "1.1.121.4" +#define UAE_SERVICE_VERSION "2.3.220.1" +#define URTS_VERSION "2.0.104.1" +#define ENCLAVE_COMMON_VERSION "1.2.104.1" +#define LAUNCH_VERSION "1.0.122.1" +#define EPID_VERSION "1.0.122.1" +#define QUOTE_EX_VERSION "1.1.122.1" #define PCE_VERSION "1.19.100.1" #define LE_VERSION "1.19.100.1" diff --git a/common/inc/sgx_key.h b/common/inc/sgx_key.h index 6be442113..0291fe4b8 100644 --- a/common/inc/sgx_key.h +++ b/common/inc/sgx_key.h @@ -51,7 +51,7 @@ /* Key Policy */ #define SGX_KEYPOLICY_MRENCLAVE 0x0001 /* Derive key using the enclave's ENCLAVE measurement register */ -#define SGX_KEYPOLICY_MRSIGNER 0x0002 /* Derive key using the enclave's SIGNER measurement register */ +#define SGX_KEYPOLICY_MRSIGNER 0x0002 /* Derive key using the enclave's SINGER measurement register */ #define SGX_KEYPOLICY_NOISVPRODID 0x0004 /* Derive key without the enclave's ISVPRODID */ #define SGX_KEYPOLICY_CONFIGID 0x0008 /* Derive key with the enclave's CONFIGID */ #define SGX_KEYPOLICY_ISVFAMILYID 0x0010 /* Derive key with the enclave's ISVFAMILYID */ diff --git a/common/inc/sgx_report2.h b/common/inc/sgx_report2.h index 14f764232..355bee8a9 100644 --- a/common/inc/sgx_report2.h +++ b/common/inc/sgx_report2.h 
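Review bot: The sgx_key.h hunk changes the `SGX_KEYPOLICY_MRSIGNER` comment from "SIGNER measurement register" to "SINGER measurement register", which is a misspelling on the new side. The line should stay `/* Derive key using the enclave's SIGNER measurement register */`. The sgx_tseal.h hunk has the same kind of regression: the `plain_text_offset` comment now reads `aes_data.playload` where the old side had `aes_data.payload`. Both comments document sealing-key policy and sealed-blob layout in headers under common/inc, so the old spelling should be restored in each.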
@@ -36,6 +36,8 @@ #ifndef _SGX_REPORT2_H_ #define _SGX_REPORT2_H_ +#include + #define TEE_HASH_384_SIZE 48 /* SHA384 */ #define TEE_MAC_SIZE 32 /* Message SHA 256 HASH Code - 32 bytes */ @@ -67,6 +69,7 @@ typedef struct _tee_attributes_t #define TEE_REPORT2_TYPE 0x81 /* TEE Report Type2 */ #define TEE_REPORT2_SUBTYPE 0x0 /* SUBTYPE for Report Type2 is 0 */ #define TEE_REPORT2_VERSION 0x0 /* VERSION for Report Type2 is 0 */ +#define TEE_REPORT2_VERSION_SERVICETD 0x1 /* VERSION for Report Type2 which mr_servicetd is used */ typedef struct _tee_report_type_t { uint8_t type; /* Trusted Execution Environment(TEE) type: diff --git a/common/inc/sgx_tseal.h b/common/inc/sgx_tseal.h index 1436f3058..eb70f4211 100644 --- a/common/inc/sgx_tseal.h +++ b/common/inc/sgx_tseal.h @@ -56,7 +56,7 @@ typedef struct _aes_gcm_data_t typedef struct _sealed_data_t { sgx_key_request_t key_request; /* 00: The key request used to obtain the sealing key */ - uint32_t plain_text_offset; /* 64: Offset within aes_data.payload to the start of the optional additional MAC text */ + uint32_t plain_text_offset; /* 64: Offset within aes_data.playload to the start of the optional additional MAC text */ uint8_t reserved[12]; /* 68: Reserved bits */ sgx_aes_gcm_data_t aes_data; /* 80: Data structure holding the AES/GCM related data */ } sgx_sealed_data_t; diff --git a/common/src/sgx_read_rand.cpp b/common/src/sgx_read_rand.cpp index a6d421456..31b9a922d 100644 --- a/common/src/sgx_read_rand.cpp +++ b/common/src/sgx_read_rand.cpp @@ -33,11 +33,17 @@ /* Please add external/rdrand into INCLUDE path and correpondent library to project */ #include +#ifndef _TD_MIGRATION #include +#else +#include +#endif #include #include "sgx.h" #include "sgx_defs.h" +#ifndef _TD_MIGRATION #include "se_wrapper.h" +#endif #include "rdrand.h" #include "cpuid.h" #include 
@@ -84,10 +90,14 @@ extern "C" sgx_status_t SGXAPI sgx_read_rand(uint8_t *buf, size_t size) g_is_rdrand_supported = rdrand_cpuid(); } if(!g_is_rdrand_supported){ +#ifndef _TD_MIGRATION uint32_t i; for(i=0;i<(uint32_t)size;++i){ buf[i]=(uint8_t)rand(); } +#else + return SGX_ERROR_UNEXPECTED; +#endif }else{ int rd_ret =rdrand_get_bytes((uint32_t)size, buf); if(rd_ret != RDRAND_SUCCESS){ diff --git a/download_prebuilt.sh b/download_prebuilt.sh index 2f019a0b7..0b3506d28 100755 --- a/download_prebuilt.sh +++ b/download_prebuilt.sh @@ -33,11 +33,11 @@ top_dir=`dirname $0` out_dir=$top_dir -optlib_name=optimized_libs_2.20.tar.gz -ae_file_name=prebuilt_ae_2.20.tar.gz +optlib_name=optimized_libs_2.21.tar.gz +ae_file_name=prebuilt_ae_2.21.tar.gz binutils_file_name=as.ld.objdump.r4.tar.gz -checksum_file=SHA256SUM_prebuilt_2.20.cfg -server_url_path=https://download.01.org/intel-sgx/sgx-linux/2.20 +checksum_file=SHA256SUM_prebuilt_2.21.cfg +server_url_path=https://download.01.org/intel-sgx/sgx-linux/2.21 server_optlib_url=$server_url_path/$optlib_name server_ae_url=$server_url_path/$ae_file_name server_binutils_url=$server_url_path/$binutils_file_name diff --git a/external/dcap_source b/external/dcap_source index 0443ae263..6882afad8 160000 --- a/external/dcap_source +++ b/external/dcap_source @@ -1 +1 @@ -Subproject commit 0443ae263818a78afeeaf50ca29fc2cff02cb829 +Subproject commit 6882afad8644c27db162b40994402c8ad2a7fb32 diff --git a/external/protobuf/sgx_protobuf.patch b/external/protobuf/sgx_protobuf.patch index d2c8e9d9c..615ccb022 100644 --- a/external/protobuf/sgx_protobuf.patch +++ b/external/protobuf/sgx_protobuf.patch @@ -1,12 +1,13 @@ -From b309912dc33756a51d49af062ba883790d206f14 Mon Sep 17 00:00:00 2001 +From 693787f29e638e6f65dfdd5ee3dd9c2a45b7d3df Mon Sep 17 00:00:00 2001 
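Review bot: Only the `_TD_MIGRATION` build fails closed when RDRAND is unavailable; in the `#ifndef _TD_MIGRATION` branch sgx_read_rand still fills `buf` from `rand()`, which is not a cryptographic generator, and the lines visible here report no error to the caller for that case. If the fallback is intended only for simulation or test builds, say so at the loop, for example `/* rand() is not a CSPRNG: non-hardware fallback only, output must not be used for keys or nonces */`; otherwise return `SGX_ERROR_UNEXPECTED` in both configurations. The loop bound `(uint32_t)size` and the same cast passed to `rdrand_get_bytes` also truncate a `size_t` larger than 32 bits, so a range check on `size` before the branch would be worth adding. The function starts and ends outside the hunk.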
From: yanxue -Date: Fri, 6 May 2022 16:04:12 +0800 +Date: Tue, 1 Aug 2023 07:12:57 +0000 Subject: [PATCH] Enable Protobuf in SGX --- cmake/CMakeLists.txt | 31 +++- cmake/libsgx_protobuf.cmake | 140 ++++++++++++++++++ configure.ac | 2 +- + .../google/protobuf/MessageReflection.java | 26 +++- .../protobuf/io/zero_copy_stream_impl.cc | 6 + .../protobuf/io/zero_copy_stream_impl.h | 4 +- src/google/protobuf/map.h | 12 ++ @@ -28,7 +29,7 @@ Subject: [PATCH] Enable Protobuf in SGX .../protobuf/util/delimited_message_util.cc | 2 + .../protobuf/util/delimited_message_util.h | 7 +- src/google/protobuf/util/time_util.h | 4 + - 24 files changed, 292 insertions(+), 14 deletions(-) + 25 files changed, 317 insertions(+), 15 deletions(-) create mode 100644 cmake/libsgx_protobuf.cmake diff --git a/cmake/CMakeLists.txt b/cmake/CMakeLists.txt @@ -234,7 +235,7 @@ index 000000000..2d5b33da5 + DEBUG_POSTFIX "${protobuf_DEBUG_POSTFIX}") +add_library(protobuf::libprotobuf ALIAS libprotobuf) diff --git a/configure.ac b/configure.ac -index 5de1ce20a..712fa41d5 100644 +index 7c5c2c799..31c63629f 100644 --- a/configure.ac +++ b/configure.ac @@ -106,7 +106,7 @@ ACX_CHECK_SUNCC 
@@ -246,6 +247,77 @@ index 5de1ce20a..712fa41d5 100644 # Check whether the linker supports version scripts AC_MSG_CHECKING([whether the linker supports version scripts]) +diff --git a/java/core/src/main/java/com/google/protobuf/MessageReflection.java b/java/core/src/main/java/com/google/protobuf/MessageReflection.java +index b7f5d52d4..f032d4926 100644 +--- a/java/core/src/main/java/com/google/protobuf/MessageReflection.java ++++ b/java/core/src/main/java/com/google/protobuf/MessageReflection.java +@@ -349,6 +349,7 @@ class MessageReflection { + static class BuilderAdapter implements MergeTarget { + + private final Message.Builder builder; ++ private boolean hasNestedBuilders = true; + + @Override + public Descriptors.Descriptor getDescriptorForType() { +@@ -363,6 +364,17 @@ class MessageReflection { + public Object getField(Descriptors.FieldDescriptor field) { + return builder.getField(field); + } ++ ++ private Message.Builder getFieldBuilder(Descriptors.FieldDescriptor field) { ++ if (hasNestedBuilders) { ++ try { ++ return builder.getFieldBuilder(field); ++ } catch (UnsupportedOperationException e) { ++ hasNestedBuilders = false; ++ } ++ } ++ return null; ++ } + + @Override + public boolean hasField(Descriptors.FieldDescriptor field) { +@@ -371,6 +383,12 @@ class MessageReflection { + + @Override + public MergeTarget setField(Descriptors.FieldDescriptor field, Object value) { ++ if (!field.isRepeated() && value instanceof MessageLite.Builder) { ++ if (value != getFieldBuilder(field)) { ++ builder.setField(field, ((MessageLite.Builder) value).buildPartial()); ++ } ++ return this; ++ } + builder.setField(field, value); + return this; + } +@@ -384,12 +402,18 @@ class MessageReflection { + @Override + public MergeTarget setRepeatedField( + Descriptors.FieldDescriptor field, int index, Object value) { ++ if (value instanceof MessageLite.Builder) { ++ value = ((MessageLite.Builder) value).buildPartial(); ++ } + builder.setRepeatedField(field, index, value); + return 
this; + } + + @Override + public MergeTarget addRepeatedField(Descriptors.FieldDescriptor field, Object value) { ++ if (value instanceof MessageLite.Builder) { ++ value = ((MessageLite.Builder) value).buildPartial(); ++ } + builder.addRepeatedField(field, value); + return this; + } +@@ -543,7 +567,7 @@ class MessageReflection { + + @Override + public Object finish() { +- return builder.buildPartial(); ++ return builder; + } + } + diff --git a/src/google/protobuf/io/zero_copy_stream_impl.cc b/src/google/protobuf/io/zero_copy_stream_impl.cc index c66bc862a..1fee728cd 100644 --- a/src/google/protobuf/io/zero_copy_stream_impl.cc @@ -408,7 +480,7 @@ index 1c22f894e..69006e686 100644 // Like SerializeToString(), but appends to the data to the string's // existing contents. All required fields must be set. diff --git a/src/google/protobuf/port_def.inc b/src/google/protobuf/port_def.inc -index 31ab3b159..cadbf1645 100644 +index 1e360ccce..0765998b8 100644 --- a/src/google/protobuf/port_def.inc +++ b/src/google/protobuf/port_def.inc @@ -608,7 +608,7 @@ @@ -848,5 +920,5 @@ index 95cc64520..6d7c44775 100644 #include -- -2.17.1 +2.34.1 diff --git a/external/sgxssl/prepare_sgxssl.sh b/external/sgxssl/prepare_sgxssl.sh index 39a443290..24a4e5eb7 100755 --- a/external/sgxssl/prepare_sgxssl.sh +++ b/external/sgxssl/prepare_sgxssl.sh 
@@ -32,16 +32,16 @@ top_dir="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )" openssl_out_dir=$top_dir/openssl_source -openssl_ver=1.1.1t +openssl_ver=1.1.1u openssl_ver_name=openssl-$openssl_ver sgxssl_github_archive=https://github.com/intel/intel-sgx-ssl/archive -sgxssl_file_name=lin_2.19_1.1.1t +sgxssl_file_name=lin_2.21_1.1.1u build_script=$top_dir/Linux/build_openssl.sh server_url_path=https://www.openssl.org/source full_openssl_url=$server_url_path/old/1.1.1/$openssl_ver_name.tar.gz -sgxssl_chksum=bff5a9059911846e27447acb402c4690346abf46da8e1c26b66d406e8abb1588 -openssl_chksum=8dee9b24bdb1dcbf0c3d1e9b02fb8f6bf22165e807f45adeb7c9677536859d3b +sgxssl_chksum=b83c6f98041eb77df209cef91b77b68a8cbd861e5617fe1bf087398042e5ace6 +openssl_chksum=e2f8d84b523eecd06c7be7626830370300fbcc15386bf5142d72758f6963ebc6 rm -f check_sum_sgxssl.txt check_sum_openssl.txt if [ ! -f $build_script ]; then wget $sgxssl_github_archive/$sgxssl_file_name.zip -P $top_dir || exit 1 @@ -70,11 +70,6 @@ if [ ! -f $openssl_out_dir/$openssl_ver_name.tar.gz ]; then fi pushd $top_dir/Linux/ -patched=$(grep -c x509 build_openssl.sh) -if [ '0' -eq $patched ]; then - sed -i '140a cp ../../../dcap_source/prebuilt/openssl/OpenSSL_1.1.1u_files/pcy_*.* crypto/x509v3/.' build_openssl.sh - sed -i '140a cp ../../../dcap_source/prebuilt/openssl/OpenSSL_1.1.1u_files/x509_vfy.c crypto/x509/.' build_openssl.sh -fi if [ "$MITIGATION" != "" ]; then make clean all LINUX_SGX_BUILD=1 DEBUG=$DEBUG else diff --git a/linux/installer/common/sdk/BOMs/sdk_base.txt b/linux/installer/common/sdk/BOMs/sdk_base.txt index 3c178f318..4c9e3d421 100644 --- a/linux/installer/common/sdk/BOMs/sdk_base.txt +++ b/linux/installer/common/sdk/BOMs/sdk_base.txt 
@@ -93,6 +93,7 @@ DeliveryName InstallName FileCheckSum FileFeature FileOwner /external/dcap_source/QuoteGeneration/pce_wrapper/inc/sgx_pce.h /package/include/./sgx_pce.h 0 main STP /external/dcap_source/QuoteGeneration/quote_wrapper/common/inc/sgx_quote_3.h /package/include/./sgx_quote_3.h 0 main STP /external/dcap_source/QuoteGeneration/quote_wrapper/common/inc/sgx_quote_4.h /package/include/./sgx_quote_4.h 0 main STP +/external/dcap_source/QuoteGeneration/quote_wrapper/common/inc/sgx_quote_5.h /package/include/./sgx_quote_5.h 0 main STP /external/dcap_source/QuoteGeneration/quote_wrapper/common/inc/sgx_ql_quote.h /package/include/./sgx_ql_quote.h 0 main STP /external/dcap_source/QuoteVerification/QvE/Include/sgx_qve_header.h /package/include/./sgx_qve_header.h 0 main STP /external/dcap_source/QuoteVerification/dcap_tvl/sgx_dcap_tvl.h /package/include/./sgx_dcap_tvl.h 0 main STP diff --git a/linux/installer/deb/sgx-aesm-service/sgx-aesm-service-1.0/debian/control b/linux/installer/deb/sgx-aesm-service/sgx-aesm-service-1.0/debian/control index b50c23347..6265879ad 100644 --- a/linux/installer/deb/sgx-aesm-service/sgx-aesm-service-1.0/debian/control +++ b/linux/installer/deb/sgx-aesm-service/sgx-aesm-service-1.0/debian/control 
@@ -37,12 +37,12 @@ Description: Unified Quote Plugin for Intel(R) Software Guard Extensions AESM Se Package: libsgx-aesm-ecdsa-plugin Architecture: amd64 -Depends: ${shlibs:Depends}, ${misc:Depends}, sgx-aesm-service(>= @dep_version@), libsgx-qe3-logic(>= 1.17), libsgx-aesm-pce-plugin(>= @dep_version@) +Depends: ${shlibs:Depends}, ${misc:Depends}, sgx-aesm-service(>= @dep_version@), libsgx-qe3-logic(>= 1.18), libsgx-aesm-pce-plugin(>= @dep_version@) Description: ECDSA Quote Plugin for Intel(R) Software Guard Extensions AESM Service Package: libsgx-aesm-pce-plugin Architecture: amd64 -Depends: ${shlibs:Depends}, ${misc:Depends}, sgx-aesm-service(>= @dep_version@), libsgx-pce-logic(>= 1.17), libsgx-ae-pce(>= @dep_version@) +Depends: ${shlibs:Depends}, ${misc:Depends}, sgx-aesm-service(>= @dep_version@), libsgx-pce-logic(>= 1.18), libsgx-ae-pce(>= @dep_version@) Description: PCE Plugin for Intel(R) Software Guard Extensions AESM Service Package: libsgx-ae-pce diff --git a/linux/installer/rpm/psw-dcap/sanitize.sh b/linux/installer/rpm/psw-dcap/sanitize.sh index 5c4b9d5ad..7ab53df3f 100755 --- a/linux/installer/rpm/psw-dcap/sanitize.sh +++ b/linux/installer/rpm/psw-dcap/sanitize.sh @@ -47,11 +47,7 @@ make -C ${root_dir} preparation # Prepare ipp-crypto source pushd ${root_dir}/external/ippcp_internal/ -# cd ipp-crypto && git apply ../0001-IPP-crypto-for-SGX_psw_dcap.patch >/dev/null 2>&1 || git apply ../0001-IPP-crypto-for-SGX_psw_dcap.patch --check -R -# TODO - Need to remove below lines and enable the above content when opensource -rm -rf ipp-crypto -git clone -b ippcp_2021.7 https://github.com/intel/ipp-crypto.git --depth 1 ipp-crypto -cd ipp-crypto && git apply ../0001-IPP-crypto-for-SGX_psw_dcap.patch +cd ipp-crypto && git apply ../0001-IPP-crypto-for-SGX_psw_dcap.patch >/dev/null 2>&1 || git apply ../0001-IPP-crypto-for-SGX_psw_dcap.patch --check -R popd 
diff --git a/linux/installer/rpm/psw-tdx/sanitize.sh b/linux/installer/rpm/psw-tdx/sanitize.sh index ae47225f6..83aeec190 100755 --- a/linux/installer/rpm/psw-tdx/sanitize.sh +++ b/linux/installer/rpm/psw-tdx/sanitize.sh @@ -47,11 +47,7 @@ make -C ${root_dir} preparation # Prepare ipp-crypto source pushd ${root_dir}/external/ippcp_internal/ -# cd ipp-crypto && git apply ../0001-IPP-crypto-for-SGX_psw_dcap.patch >/dev/null 2>&1 || git apply ../0001-IPP-crypto-for-SGX_psw_dcap.patch --check -R -# TODO - Need to remove below lines and enable the above content when opensource -rm -rf ipp-crypto -git clone -b ippcp_2021.7 https://github.com/intel/ipp-crypto.git --depth 1 ipp-crypto -cd ipp-crypto && git apply ../0001-IPP-crypto-for-SGX_psw_dcap.patch +cd ipp-crypto && git apply ../0001-IPP-crypto-for-SGX_psw_dcap.patch >/dev/null 2>&1 || git apply ../0001-IPP-crypto-for-SGX_psw_dcap.patch --check -R popd diff --git a/linux/installer/rpm/sgx-aesm-service/libsgx-aesm-ecdsa-plugin.spec b/linux/installer/rpm/sgx-aesm-service/libsgx-aesm-ecdsa-plugin.spec index 76919833b..7c302e511 100644 --- a/linux/installer/rpm/sgx-aesm-service/libsgx-aesm-ecdsa-plugin.spec +++ b/linux/installer/rpm/sgx-aesm-service/libsgx-aesm-ecdsa-plugin.spec @@ -38,7 +38,7 @@ Version: @version@ Release: 1%{?dist} Summary: ECDSA Quote Plugin for Intel(R) Software Guard Extensions AESM Service Group: Development/System -Requires: sgx-aesm-service >= %{version}-%{release} libsgx-qe3-logic >= 1.17 libsgx-aesm-pce-plugin >= %{version}-%{release} +Requires: sgx-aesm-service >= %{version}-%{release} libsgx-qe3-logic >= 1.18 libsgx-aesm-pce-plugin >= %{version}-%{release} License: BSD License URL: https://github.com/intel/linux-sgx diff --git a/linux/installer/rpm/sgx-aesm-service/libsgx-aesm-pce-plugin.spec b/linux/installer/rpm/sgx-aesm-service/libsgx-aesm-pce-plugin.spec index 87e832fa1..bafc6e64f 100644 --- a/linux/installer/rpm/sgx-aesm-service/libsgx-aesm-pce-plugin.spec 
+++ b/linux/installer/rpm/sgx-aesm-service/libsgx-aesm-pce-plugin.spec @@ -38,7 +38,7 @@ Version: @version@ Release: 1%{?dist} Summary: PCE Plugin for Intel(R) Software Guard Extensions AESM Service Group: Development/System -Requires: sgx-aesm-service >= %{version}-%{release} libsgx-pce-logic >= 1.17 +Requires: sgx-aesm-service >= %{version}-%{release} libsgx-pce-logic >= 1.18 License: BSD License URL: https://github.com/intel/linux-sgx diff --git a/linux/reproducibility/build_and_launch_docker.sh b/linux/reproducibility/build_and_launch_docker.sh old mode 100644 new mode 100755 index b3986e028..7ed67c3ef --- a/linux/reproducibility/build_and_launch_docker.sh +++ b/linux/reproducibility/build_and_launch_docker.sh @@ -75,8 +75,8 @@ mount_dir="/linux-sgx" sdk_installer="" sgx_src="" -default_sdk_installer=sgx_linux_x64_sdk_reproducible_2.20.100.1.bin -default_sdk_installer_url=https://download.01.org/intel-sgx/sgx-linux/2.20/distro/nix_reproducibility/$default_sdk_installer +default_sdk_installer=sgx_linux_x64_sdk_reproducible_2.21.100.1.bin +default_sdk_installer_url=https://download.01.org/intel-sgx/sgx-linux/2.21/distro/nix_reproducibility/$default_sdk_installer usage() @@ -177,7 +177,7 @@ prepare_sgx_src() if [ "$sgx_src" != "" ]; then mkdir -p "$sgx_repo" && cp -a "$sgx_src/." "$sgx_repo" else - git clone -b sgx_2.20_reproducible https://github.com/intel/linux-sgx.git $sgx_repo + git clone -b sgx_2.21_reproducible https://github.com/intel/linux-sgx.git $sgx_repo fi cd "$sgx_repo" && make preparation @@ -189,7 +189,7 @@ prepare_ipp_src() { pushd . ipp_dir="$sgx_repo/external/ippcp_internal" - + # Apply the patch cd $ipp_dir/ipp-crypto git apply ../0001-IPP-crypto-for-SGX.patch > /dev/null 2>&1 || git apply ../0001-IPP-crypto-for-SGX.patch --check -R diff --git a/sdk/Makefile.source b/sdk/Makefile.source index b4636bfee..d4ab3f7ee 100644 --- a/sdk/Makefile.source +++ b/sdk/Makefile.source 
@@ -76,6 +76,7 @@ components: tstdc tcxx tservice trts tcrypto tkey_exchange ukey_exchange tprotec .PHONY: tstdc tstdc: $(LIBTLIBC) +ifndef _TD_MIGRATION $(LIBTLIBC): tlibthread compiler-rt tsafecrt tsetjmp tmm_rsrv $(MAKE) -C tlibc/ -j$(shell nproc) 2> /dev/null @$(MKDIR) $(BUILD_DIR)/.compiler-rt $(BUILD_DIR)/.tlibthread $(BUILD_DIR)/.tsafecrt $(BUILD_DIR)/.tsetjmp $(BUILD_DIR)/.tmm_rsrv @@ -93,6 +94,20 @@ $(LIBTLIBC): tlibthread compiler-rt tsafecrt tsetjmp tmm_rsrv @$(RM) -rf $(BUILD_DIR)/.compiler-rt @$(RM) -rf $(BUILD_DIR)/.tlibthread $(BUILD_DIR)/.tsafecrt @$(RM) -rf $(BUILD_DIR)/.tsetjmp $(BUILD_DIR)/.tmm_rsrv +else +$(LIBTLIBC): tlibthread tsafecrt tsetjmp tmm_rsrv + $(MAKE) -C tlibc/ _TD_MIGRATION=1 -j$(shell nproc) 2> /dev/null + @$(MKDIR) $(BUILD_DIR)/.tlibthread $(BUILD_DIR)/.tsafecrt $(BUILD_DIR)/.tsetjmp $(BUILD_DIR)/.tmm_rsrv + @$(RM) -f $(BUILD_DIR)/.tlibthread/* && cd $(BUILD_DIR)/.tlibthread && $(AR) x $(LINUX_SDK_DIR)/tlibthread/libtlibthread.a + @$(RM) -f $(BUILD_DIR)/.tsafecrt/* && cd $(BUILD_DIR)/.tsafecrt && $(AR) x $(LINUX_SDK_DIR)/tsafecrt/libsgx_tsafecrt.a + @$(RM) -f $(BUILD_DIR)/.tsetjmp/* && cd $(BUILD_DIR)/.tsetjmp && $(AR) x $(LINUX_SDK_DIR)/tsetjmp/libsgx_tsetjmp.a + @$(RM) -f $(BUILD_DIR)/.tmm_rsrv/* && cd $(BUILD_DIR)/.tmm_rsrv && $(AR) x $(LINUX_SDK_DIR)/tmm_rsrv/libsgx_tmm_rsrv.a + $(CP) $(LINUX_SDK_DIR)/tlibc/libtlibc.a $@ + $(AR) qD $@ $(BUILD_DIR)/.tlibthread/*.o + $(AR) qD $@ $(BUILD_DIR)/.tsafecrt/*.o + $(AR) qD $@ $(BUILD_DIR)/.tsetjmp/*.o + $(AR) qD $@ $(BUILD_DIR)/.tmm_rsrv/*.o +endif .PHONY: tlibthread tlibthread: 
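Review bot: The new `else` recipe for `$(LIBTLIBC)` carries over `2> /dev/null` on `$(MAKE) -C tlibc/ _TD_MIGRATION=1 -j$(shell nproc)`, so compiler warnings and error text from the libc build are discarded for the new configuration too. For a library that ends up inside a trusted component, those diagnostics are worth keeping; the line could simply be `$(MAKE) -C tlibc/ _TD_MIGRATION=1 -j$(shell nproc)`. Unlike the `ifndef` branch, this recipe also leaves `$(BUILD_DIR)/.tlibthread`, `.tsafecrt`, `.tsetjmp` and `.tmm_rsrv` in place after archiving. The `clean` hunk later in this file removes them, so that looks deliberate, but a one-line comment in the recipe saying why the extracted objects are kept would help.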
@@ -135,7 +150,12 @@ $(LIBTCXX): cpprt tlibcxx @cd $(BUILD_DIR)/.tlibcxx && $(AR) x $(LINUX_SDK_DIR)/tlibcxx/libcxx.a $(CP) $(LINUX_SDK_DIR)/cpprt/libcpprt.a $@ $(AR) qD $@ $(BUILD_DIR)/.tlibcxx/*.o - @$(RM) -rf $(BUILD_DIR)/.tlibcxx +ifdef _TD_MIGRATION + @$(MKDIR) $(BUILD_DIR)/.cpprt + @$(RM) -f $(BUILD_DIR)/.cpprt/* && cd $(BUILD_DIR)/.cpprt && $(AR) x $(LINUX_SDK_DIR)/cpprt/libcpprt.a +else + @$(RM) -rf $(BUILD_DIR)/.tlibcxx +endif .PHONY: cpprt cpprt: @@ -287,6 +307,9 @@ sgx_encrypt: tservice $(BUILD_DIR): $(MKDIR) $@ +.PHONY: td_migration +td_migration: tstdc tcxx edger8r + .PHONY: clean clean: $(MAKE) -C tlibc/ clean @@ -324,3 +347,10 @@ clean: $(MAKE) -C $(LINUX_EXTERNAL_DIR)/mbedtls clean @$(RM) $(LIBTLIBC) $(LIBTCXX) $(LIBTSE) @$(RM) $(BUILD_DIR)/libc++_Changes_SGX.txt + @$(RM) -rf $(BUILD_DIR)/.compiler-rt + @$(RM) -rf $(BUILD_DIR)/.tlibthread + @$(RM) -rf $(BUILD_DIR)/.tsafecrt + @$(RM) -rf $(BUILD_DIR)/.tsetjmp + @$(RM) -rf $(BUILD_DIR)/.tmm_rsrv + @$(RM) -rf $(BUILD_DIR)/.tlibcxx + @$(RM) -rf $(BUILD_DIR)/.cpprt diff --git a/sdk/selib/sgx_verify_report2.cpp b/sdk/selib/sgx_verify_report2.cpp index 6e9c85aa8..2ee591a9c 100644 --- a/sdk/selib/sgx_verify_report2.cpp +++ b/sdk/selib/sgx_verify_report2.cpp @@ -74,7 +74,8 @@ sgx_status_t sgx_verify_report2(const sgx_report2_mac_struct_t *report_mac_struc } if (report_mac_struct->report_type.subtype != TEE_REPORT2_SUBTYPE - || report_mac_struct->report_type.version != TEE_REPORT2_VERSION) + || (report_mac_struct->report_type.version != TEE_REPORT2_VERSION + && report_mac_struct->report_type.version != TEE_REPORT2_VERSION_SERVICETD)) { err = SGX_ERROR_INVALID_PARAMETER; goto CLEANUP; diff --git a/sdk/switchless/sgx_tswitchless/sgx_ocall_switchless.c b/sdk/switchless/sgx_tswitchless/sgx_ocall_switchless.c index 5077f0ab3..bb26ef654 100644 --- a/sdk/switchless/sgx_tswitchless/sgx_ocall_switchless.c +++ b/sdk/switchless/sgx_tswitchless/sgx_ocall_switchless.c 
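Review bot: In the sgx_verify_report2.cpp hunk the version check now accepts both `TEE_REPORT2_VERSION` and `TEE_REPORT2_VERSION_SERVICETD`, but nothing at the condition says what differs between the two or that the returned status does not tell the caller which one was accepted. A caller that must treat service-TD-bound reports differently has to inspect `report_type.version` itself, which is easy to miss. I would add a comment above the `if`, such as `/* version 1 reports use mr_servicetd; both versions are accepted here, callers that need to distinguish them must check report_type.version */`. The function body starts and ends outside the hunk, so any version-specific handling further down is not visible here.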
@@ -89,17 +89,6 @@ sgx_status_t sgx_ocall_switchless(const unsigned int index, void* ms) if (sgx_is_enclave_crashed()) return SGX_ERROR_ENCLAVE_CRASHED; - /* Global object initialization (init_global_object) happens before - * g_uswitchless_handle is initialized (via sl_init_switchless). - * Some ctors invoke syscalls via switchless ocalls. This causes - * init_tswitchless_ocall_mngr to be invoked with sl_call_once prematurely, - * returning -1. Subsequent invokations will always return -1, such that - * switchless ocalls never happen. A simple solution is to fallback to - * traditional ocalls until g_uswitchless_handle has been initialized. */ - if (g_uswitchless_handle == NULL) { - return sgx_ocall(index, ms); - } - /* If Switchless SGX is not enabled at enclave creation, then switchless OCalls * fallback to the traditional OCalls */ if (sl_call_once(&g_init_ocall_mngr_done, init_tswitchless_ocall_mngr, NULL)) diff --git a/sdk/tlibc/Makefile b/sdk/tlibc/Makefile index a20fa288f..1f732369e 100644 --- a/sdk/tlibc/Makefile +++ b/sdk/tlibc/Makefile @@ -108,4 +108,4 @@ $(BUILD_DIR): .PHONY: clean clean: - @$(RM) $(LIBC_NAME) $(LIBC_OBJS) math/opt/*.o + @$(RM) $(LIBC_NAME) $(LIBC_OBJS) math/opt/*.o diff --git a/sdk/tlibc/gen/sbrk.c b/sdk/tlibc/gen/sbrk.c index 9dff9a637..30aa25d91 100644 --- a/sdk/tlibc/gen/sbrk.c +++ b/sdk/tlibc/gen/sbrk.c 
@@ -41,10 +41,17 @@ SE_DECLSPEC_EXPORT size_t g_peak_heap_used = 0; /* Please be aware of: sbrk is not thread safe by default. */ +#ifndef _TD_MIGRATION static void *heap_base __attribute__((section(RELRO_SECTION_NAME))) = NULL; static size_t heap_size __attribute__((section(RELRO_SECTION_NAME))) = 0; static int is_edmm_supported __attribute__((section(RELRO_SECTION_NAME))) = 0; static size_t heap_min_size __attribute__((section(RELRO_SECTION_NAME))) = 0; +#else +void *heap_base = NULL; +size_t heap_size = 0; +int is_edmm_supported = 0; +size_t heap_min_size = 0; +#endif int heap_init(void *_heap_base, size_t _heap_size, size_t _heap_min_size, int _is_edmm_supported) {
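Review bot: With `_TD_MIGRATION` defined, `heap_base`, `heap_size`, `is_edmm_supported` and `heap_min_size` lose both `static` and the `RELRO_SECTION_NAME` placement, so the heap bounds become ordinary writable globals with external linkage. The default build keeps them in the RELRO section, presumably so they cannot be changed after initialisation, and the migration build drops that hardening without explanation. If other translation units only need to see the symbols, keep the attribute and drop just `static`, e.g. `void *heap_base __attribute__((section(RELRO_SECTION_NAME))) = NULL;`. Otherwise add a comment in the `#else` branch saying why RELRO placement is not available in the TD build. heap_init's body continues outside the hunk.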