diff --git a/packages/sgx-dcap/SGXDataCenterAttestationPrimitives-tarball-repro.patch b/packages/sgx-dcap/SGXDataCenterAttestationPrimitives-tarball-repro.patch
index 6a6e39b..4fdfeef 100644
--- a/packages/sgx-dcap/SGXDataCenterAttestationPrimitives-tarball-repro.patch
+++ b/packages/sgx-dcap/SGXDataCenterAttestationPrimitives-tarball-repro.patch
@@ -119,17 +119,6 @@ index 4e53085..7047a49 100755
pushd ${INSTALL_PATH} &> /dev/null
sed -i "s/USR_LIB_VER=.*/USR_LIB_VER=${SGX_VERSION}/" Makefile
-tar -zcvf ${TARBALL_NAME} *
+tar -zcv --sort=name --owner=root:0 --group=root:0 --mtime='UTC 2019-01-01 00:00:00' -f ${TARBALL_NAME} *
popd &> /dev/null
-diff --git a/QuoteGeneration/installer/linux/common/sgx-dcap-pccs/createTarball.sh b/QuoteGeneration/installer/linux/common/sgx-dcap-pccs/createTarball.sh
-index fa3286e..cacf5a3 100755
---- a/QuoteGeneration/installer/linux/common/sgx-dcap-pccs/createTarball.sh
-+++ b/QuoteGeneration/installer/linux/common/sgx-dcap-pccs/createTarball.sh
-@@ -57,5 +57,5 @@ python ${SCRIPT_DIR}/gen_source.py --bom=../licenses/BOM_license.txt --cleanup=f
-
- # Create the tarball
- pushd ${INSTALL_PATH} &> /dev/null
--tar -zcvf ${TARBALL_NAME} *
+tar -zcv --sort=name --owner=root:0 --group=root:0 --mtime='UTC 2019-01-01 00:00:00' -f ${TARBALL_NAME} *
popd &> /dev/null
diff --git a/QuoteGeneration/installer/linux/common/tdx-qgs/createTarball.sh b/QuoteGeneration/installer/linux/common/tdx-qgs/createTarball.sh
diff --git a/packages/sgx-dcap/default.nix b/packages/sgx-dcap/default.nix
index dcc9b26..0499655 100644
--- a/packages/sgx-dcap/default.nix
+++ b/packages/sgx-dcap/default.nix
@@ -15,7 +15,7 @@ }:
stdenv.mkDerivation rec {
pname = "sgx-dcap";
- version = "1.21";
+ version = "1.22";
postUnpack = let
@@ -23,7 +23,7 @@ stdenv.mkDerivation rec {
filename = "prebuilt_dcap_${version}.tar.gz";
prebuilt = fetchurl {
url = "https://download.01.org/intel-sgx/sgx-dcap/${version}/linux/$(unknown)";
- hash = "sha256-/PPD2MyNxoCwzNljIFcpkFvItXbyvymsJ7+Uf4IyZuk=";
+ hash = "sha256-RTpJQ6epoAN8YQXSJUjJQ5mPaQIiQpStTWFsnspjjDQ=";
};
};
in
@@ -33,13 +33,14 @@ stdenv.mkDerivation rec {
|| (echo "Could not find expected prebuilt DCAP ${dcap.filename} in dcap source" >&2 && grep 'ae_file_name' "$sourceRoot/QuoteGeneration/download_prebuilt.sh" && exit 1)
tar -zxf ${dcap.prebuilt} -C $sourceRoot/QuoteGeneration/
+ tar -zxf ${dcap.prebuilt} -C $sourceRoot/
'';
src = fetchFromGitHub {
owner = "intel";
repo = "SGXDataCenterAttestationPrimitives";
rev = "DCAP_${version}";
- hash = "sha256-Vp8R4W6qdPTGJFNJrPPKe9Oqxxj+UIdZf2GSL+gCyjU=";
+ hash = "sha256-Ubjm3/tpfkRrKhub10g2oDl+2vv/MF4wnJR/nLz7KDk=";
fetchSubmodules = true;
};
@@ -75,11 +76,11 @@ stdenv.mkDerivation rec {
patchShebangs --build $(find . -name '*.sh')
'';
- preBuild = ''
- makeFlagsArray+=(SGX_SDK="${nixsgx.sgx-sdk}" SGXSSL_PACKAGE_PATH="${nixsgx.sgx-ssl}")
- '';
+ makeFlags = [
+ "SGX_SDK=${nixsgx.sgx-sdk}"
+ "SGXSSL_PACKAGE_PATH=${nixsgx.sgx-ssl}"
+ ];
- # sigh... Intel!
enableParallelBuilding = true;
dontUseCmakeConfigure = true;
@@ -112,7 +113,6 @@ stdenv.mkDerivation rec {
./tools/SGXPlatformRegistration/package/installer/common/libsgx-ra-network
./tools/SGXPlatformRegistration/package/installer/common/libsgx-ra-uefi
./tools/PCKRetrievalTool/installer/common/sgx-pck-id-retrieval-tool
- #./QuoteGeneration/installer/linux/common/sgx-dcap-pccs
)
for src in ''${dcap_pkgdirs[@]}; do
@@ -152,10 +152,6 @@ stdenv.mkDerivation rec {
"$ra_uefi"
tools/PCKRetrievalTool/installer/common/sgx-pck-id-retrieval-tool/output
"$pck_id_retrieval_tool"
- #QuoteGeneration/installer/linux/common/sgx-dcap-pccs/output
- #"$pccs"
- # sgx-ra-service
- # tdx-qgs
)
for ((i = 0 ; i < ''${#dcap_map[@]} ; i+=2 )); do
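Review bot: The new `tar -zxf ${dcap.prebuilt} -C $sourceRoot/` in the `@@ -33,13 +33,14 @@` hunk unpacks the same prebuilt archive a second time, directly after the existing extraction into `$sourceRoot/QuoteGeneration/`, and nothing records why 1.22 needs both destinations. If upstream moved the path at which the build looks for the prebuilt enclaves, one of the two extractions now only scatters files into a directory nothing reads, and the `grep 'ae_file_name'` check above it still validates only the expected filename, not the archive layout. A comment above the new line should name the path the 1.22 build actually consumes, e.g. `# DCAP 1.22 looks for the prebuilt AE binaries relative to the source root as well — TODO confirm and drop the redundant extraction`, and the redundant extraction should be removed once that is confirmed. The same doubled extraction is added in the `@@ -47,6 +47,7 @@` hunk of packages/sgx-psw/default.nix (`external/dcap_source/`). The `||` that opens this hunk belongs to a check whose first part lies outside it.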
diff --git a/packages/sgx-psw/default.nix b/packages/sgx-psw/default.nix
index 2f20585..f71d7c7 100644
--- a/packages/sgx-psw/default.nix
+++ b/packages/sgx-psw/default.nix
@@ -27,16 +27,16 @@ stdenv.mkDerivation rec {
# attestation quotes, and do platform certification.
ae.prebuilt = fetchurl {
url = "https://download.01.org/intel-sgx/sgx-linux/${versionTag}/prebuilt_ae_${versionTag}.tar.gz";
- hash = "sha256-IGV9VEwY/cQBV4Vz2sps4JgRweWRl/l08ocb9P4SH8Q=";
+ hash = "sha256-Hlh96rYOyml2y50d8ASKz6U97Fl0hbGYECeZiG9nMSQ=";
};
# Also include the Data Center Attestation Primitives (DCAP) platform
# enclaves.
dcap = rec {
- version = "1.21";
+ version = "1.22";
filename = "prebuilt_dcap_${version}.tar.gz";
prebuilt = fetchurl {
url = "https://download.01.org/intel-sgx/sgx-dcap/${version}/linux/$(unknown)";
- hash = "sha256-/PPD2MyNxoCwzNljIFcpkFvItXbyvymsJ7+Uf4IyZuk=";
+ hash = "sha256-RTpJQ6epoAN8YQXSJUjJQ5mPaQIiQpStTWFsnspjjDQ=";
};
};
in
@@ -47,6 +47,7 @@ stdenv.mkDerivation rec {
tar -zxf ${ae.prebuilt} -C $sourceRoot/
tar -zxf ${dcap.prebuilt} -C $sourceRoot/external/dcap_source/QuoteGeneration/
+ tar -zxf ${dcap.prebuilt} -C $sourceRoot/external/dcap_source/
'';
nativeBuildInputs = [
diff --git a/packages/sgx-sdk/default.nix b/packages/sgx-sdk/default.nix
index b84b75a..057059d 100644
--- a/packages/sgx-sdk/default.nix
+++ b/packages/sgx-sdk/default.nix
@@ -27,15 +27,15 @@ stdenv.mkDerivation rec {
pname = "sgx-sdk";
# Version as given in se_version.h
- version = "2.24.100.3";
+ version = "2.25.100.3";
# Version as used in the Git tag
- versionTag = "2.24";
+ versionTag = "2.25";
src = fetchFromGitHub {
owner = "intel";
repo = "linux-sgx";
rev = "sgx_${versionTag}";
- hash = "sha256-1urEdfMKNUqqyJ3wQ10+tvtlRuAKELpaCWIOzjCbYKw=";
+ hash = "sha256-RR+vFTd9ZM6XUn3KgQeUM+xoj1Ava4zQzFYA/nfXyaw=";
fetchSubmodules = true;
};
@@ -139,13 +139,15 @@ stdenv.mkDerivation rec {
cp ${ipp-crypto-no_mitigation}/include/fips_cert.h inc/ippcp/
rm inc/ippcp.h
- patch ${ipp-crypto-no_mitigation}/include/ippcp.h -i ./inc/ippcp21u11.patch -o ./inc/ippcp.h
+ patch ${ipp-crypto-no_mitigation}/include/ippcp.h -i ./inc/ippcp21u12.patch -o ./inc/ippcp.h
install -D ${ipp-crypto-no_mitigation.src}/LICENSE license/LICENSE
popd
'';
+ env.NIX_CFLAGS_COMPILE = "-Wno-error=missing-include-dirs";
+ buildFlags = [ "sdk_install_pkg" ] ++ lib.optionals debug [
diff --git a/packages/sgx-sdk/disable-downloads.patch b/packages/sgx-sdk/disable-downloads.patch
index c045606..e23712e 100644
--- a/packages/sgx-sdk/disable-downloads.patch
+++ b/packages/sgx-sdk/disable-downloads.patch
@@ -1,14 +1,16 @@
diff --git a/Makefile b/Makefile
-index 73502a7..f24bd11 100644
+index 19bc05ab..f9ef0b75 100644
--- a/Makefile
+++ b/Makefile
-@@ -50,18 +50,18 @@ tips:
+@@ -50,13 +50,13 @@ tips:
preparation:
# As SDK build needs to clone and patch openmp, we cannot support the mode that download the source from github as zip.
# Only enable the download from git
- git submodule update --init --recursive
-- ./external/dcap_source/QuoteVerification/prepare_sgxssl.sh nobuild
+ # git submodule update --init --recursive
+ cd external/dcap_source/external/jwt-cpp && git apply ../0001-Add-a-macro-to-disable-time-support-in-jwt-for-SGX.patch >/dev/null 2>&1 || \
+ git apply ../0001-Add-a-macro-to-disable-time-support-in-jwt-for-SGX.patch -R --check
+- ./external/dcap_source/QuoteVerification/prepare_sgxssl.sh nobuild
+ # ./external/dcap_source/QuoteVerification/prepare_sgxssl.sh nobuild
cd external/openmp/openmp_code && git apply ../0001-Enable-OpenMP-in-SGX.patch >/dev/null 2>&1 || git apply ../0001-Enable-OpenMP-in-SGX.patch --check -R
cd external/protobuf/protobuf_code && git apply ../sgx_protobuf.patch >/dev/null 2>&1 || git apply ../sgx_protobuf.patch --check -R
@@ -17,12 +19,14 @@ index 73502a7..f24bd11 100644
./external/sgx-emm/create_symlink.sh
cd external/mbedtls/mbedtls_code && git apply ../sgx_mbedtls.patch >/dev/null 2>&1 || git apply ../sgx_mbedtls.patch --check -R
cd external/cbor && cp -r libcbor sgx_libcbor
- cd external/cbor/libcbor && git apply ../raw_cbor.patch >/dev/null 2>&1 || git apply ../raw_cbor.patch --check -R
+@@ -64,8 +64,8 @@ preparation:
cd external/cbor/sgx_libcbor && git apply ../sgx_cbor.patch >/dev/null 2>&1 || git apply ../sgx_cbor.patch --check -R
+ cd external/ippcp_internal/ipp-crypto && git apply ../0001-IPP-crypto-for-SGX.patch > /dev/null 2>&1 || git apply ../0001-IPP-crypto-for-SGX.patch --check -R
+ cd external/ippcp_internal/ipp-crypto && mkdir -p build
- ./download_prebuilt.sh
- ./external/dcap_source/QuoteGeneration/download_prebuilt.sh
+ # ./download_prebuilt.sh
+ # ./external/dcap_source/QuoteGeneration/download_prebuilt.sh
++ #./download_prebuilt.sh
++ #./external/dcap_source/QuoteGeneration/download_prebuilt.sh
psw:
$(MAKE) -C psw/ USE_OPT_LIBS=$(USE_OPT_LIBS)
diff --git a/packages/sgx-sdk/ipp-crypto.nix b/packages/sgx-sdk/ipp-crypto.nix
index eba9e7f..d7e1d2e 100644
--- a/packages/sgx-sdk/ipp-crypto.nix
+++ b/packages/sgx-sdk/ipp-crypto.nix
@@ -8,13 +8,13 @@ }:
gcc11Stdenv.mkDerivation rec {
pname = "ipp-crypto";
- version = "2021.11.1";
+ version = "2021.12.1";
src = fetchFromGitHub {
owner = "intel";
repo = "ipp-crypto";
rev = "ippcp_${version}";
- hash = "sha256-OgNrrPE8jFVD/hcv7A43Bno96r4Z/lb7/SE6TEL7RDI=";
+ hash = "sha256-voxjx9Np/8jy9XS6EvUK4aW18/DGQGaPpTKm9RzuCU8=";
};
cmakeFlags = [
diff --git a/packages/sgx-ssl/default.nix b/packages/sgx-ssl/default.nix
index 3d38983..c88b674 100644
--- a/packages/sgx-ssl/default.nix
+++ b/packages/sgx-ssl/default.nix
@@ -11,7 +11,7 @@ let
inherit (nixsgx) sgx-sdk;
sgxVersion = sgx-sdk.versionTag;
- opensslVersion = "3.0.13";
+ opensslVersion = "3.0.14";
in
stdenv.mkDerivation {
pname = "sgx-ssl" + lib.optionalString debug "-debug";
@@ -20,15 +20,15 @@ stdenv.mkDerivation {
src = fetchFromGitHub {
owner = "intel";
repo = "intel-sgx-ssl";
- rev = "3.0_Rev2";
- hash = "sha256-dmLyaG6v+skjSa0KxLAfIfSBOxp9grrI7ds6WdGPe0I=";
+ rev = "3.0_Rev4";
+ hash = "sha256-RNAMmm2UNbIziBqu4RioPDb1/3TBd+MCsJ8PeCHWhL0=";
};
postUnpack = let
opensslSourceArchive = fetchurl {
url = "https://www.openssl.org/source/openssl-${opensslVersion}.tar.gz";
- hash = "sha256-iFJXU/edO+wn0vp8ZqoLkrOqlJja/ZPXz6SzeAza4xM=";
+ hash = "sha256-7soDXU3U6E/CWEbZUtpil0hK+gZQpvhMaC453zpBI8o=";
};
in
''