# The enclave code must be built with very specific build # flags, that are different from what is used to build # native code. Thus we cannot globally set the CFLAGS etc %undefine _auto_set_build_flags ############################################################ # # Note about the approach to bundling... # # The linux-sgx project build system is written with the assumption # that a monolithic repo is being used with all dependencies # present at specific versions and in particular locations. # # Fully untangling this is impractical/unsustainable, because the # build system in fact has circular dependencies between what might # otherwise look like independent projects. i.e. linux-sgx depends # on headers from dcap, but dcap depends on headers from linux-sgx. # In addition, some of the 3rd party projects that are consumed are # patched with SGX enclave specific changes. # # For enclave builds, there will be no ability to share existing # binaries built for native Fedora, as everything must be built # for the enclave environment, with its own C runtime. Thus trying # to unbundle has little benefit for enclave related dependencies. # # This package is thus written such that: # # * All the SGX related projects provided by Intel are bundled # whether used for enclave or native OS code. # * SGX enclave code is built with bundled 3rd party projects. # * Native OS code is built with system packages for non-SGX # related dependencies. # # Focusing on unbundling only 3rd party projects involved in native # builds maximises the benefits of system package usage, without an # unreasonable burden fighting the build system for enclave pieces. ############################################################ # # A note about versions # # When rebasing to new linux-sgx releases, bump all the following # versions based on what the new release depends on (see various # git submodule tags and code files). 
# %define linux_sgx_version 2.25 # From SGX git submodule %define dcap_version 1.22 # From DCAP git submodule %define dcap_qvl_version 1.21 # From DCAP git submodule %define dcap_qvs_version 1.1.0-2885 # From SGX external/sgxssl/prepare_sgxssl.sh %define sgx_ssl_version 3.0_Rev4 # From SGX git submodule %define ipp_crypto_version 2021.12.1 # From SGX git submodule %define sgx_emm_version 1.0.3 # From SGX external/sgxssl/prepare_sgxssl.sh %define openssl_version 3.0.14 # From SGX git submodule %define libcbor_version 0.10.2 # From protobuf third_party/abseil-cpp %define abseil_cpp_version 20230125.3 # From DCAP git submodule %define jwt_cpp_version 0.6.0 # From DCAP git submodule %define wamr_version 1.3.3 # From SGX external/epid-sdk/CHANGELOG.md %define epid_version 6.0.0 # From SGX external/rdrand/src/configure.ac %define rdrand_version 1.1 %define vtune_version 2018 # enclaves from prebuilt_dcap_NNN.tar.gz - DCAP version numbers, # except for pce, which is actually an SGX enclave just bundled # with the DCAP enclaves %define enclave_pce_version 2.25 %define enclave_ide_version 1.22 %define enclave_qe3_version 1.22 %define enclave_tdqe_version 1.22 %define enclave_qve_version 1.22 # Whether to build & ship unsigned enclaves with latest distro # toolchain, as opposed to a reproducible build done in other # packages %define with_enclaves 1 # Provisioning Certification Enclave. Required. ECDSA quote signing %define with_enclave_pce 1 # ID Enclave. Required. Hardware identification %define with_enclave_ide 1 # Quoting Enclave. Required for non-TDX usage. ECDSA quote generation %define with_enclave_qe3 1 # Quoting Enclave. Required for TDX usage. ECDSA quote generation %define with_enclave_tdqe 1 # Quote Verification Enclave. Optional. ECDSA quote verification # # Note this build variant has removed unapproved crypto # XXX disabled until time to investigate jwt-cpp build errors %define with_enclave_qve 0 %define _with_enclave_pce %{expr:%{with_enclaves} ? 
%{with_enclave_pce} : 0} %define _with_enclave_ide %{expr:%{with_enclaves} ? %{with_enclave_ide} : 0} %define _with_enclave_qe3 %{expr:%{with_enclaves} ? %{with_enclave_qe3} : 0} %define _with_enclave_tdqe %{expr:%{with_enclaves} ? %{with_enclave_tdqe} : 0} %define _with_enclave_qve %{expr:%{with_enclaves} ? %{with_enclave_qve} : 0} # We prefer deployments using the pre-built enclaves # signed by Intel, but permit replacing with enclaves # signed by a different party %global enclave_requires() \ Requires: sgx-enclave(%1:signed) >= %2 \ Recommends: sgx-enclave(%1:signed:prebuilt) >= %2 Name: linux-sgx Version: %{linux_sgx_version} Release: 1%{?dist} Summary: Intel Linux SGX SDK and Platform Software # The entire source code is BSD, except some third party projects are # under other licenses listed in License.txt. License: 0BSD AND Apache-1.0 AND Apache-2.0 AND (Apache-2.0 OR GPL-2.0-or-later) AND BSD-2-Clause AND BSD-3-Clause AND BSD-4-Clause AND BSD-4-Clause-UC AND EPL-1.0 AND FSFAP AND FSFUL AND GPL-2.0-only AND ISC AND MIT AND (MIT OR CC0-1.0) AND MIT-0 AND MS-PL AND NCSA AND OpenSSL AND SMLNJ AND Unlicense AND Zlib URL: https://github.com/intel/linux-sgx ############################################################ # SGX related projects SourceN for N in (0..9) Source0: https://github.com/intel/linux-sgx/archive/refs/tags/sgx_%{linux_sgx_version}_reproducible.tar.gz#/linux-sgx-%{linux_sgx_version}-reproducible.tar.gz # repack.sh purges 'prebuilt/' (openssl binaries) Source1: https://github.com/intel/SGXDataCenterAttestationPrimitives/archive/refs/tags/dcap_%{dcap_version}_reproducible.tar.gz Provides: bundled(dcap) = %{dcap_version} # repack.sh purges AE's that we're not shipping & 'prebuilt/' (openssl / OPA binaries) Source2: https://download.01.org/intel-sgx/sgx-dcap/%{dcap_version}/linux/prebuilt_dcap_%{dcap_version}-repacked.tar.gz Source3: 
https://github.com/intel/intel-sgx-ssl/archive/refs/tags/%{sgx_ssl_version}.tar.gz#/intel-sgx-ssl-%{sgx_ssl_version}.tar.gz Provides: bundled(sgxssl) = %{sgx_ssl_version} Source4: https://github.com/intel/ipp-crypto/archive/refs/tags/ippcp_%{ipp_crypto_version}.tar.gz Provides: bundled(ipp-crypto) = %{ipp_crypto_version} Source5: https://github.com/intel/sgx-emm/archive/refs/tags/sgx-emm-%{sgx_emm_version}.tar.gz Provides: bundled(sgx-emm) = %{sgx_emm_version} # XXX refs/heads/ refers to a branch rather than a tag, so the archive # contents are not pinned to a fixed revision Source6: https://github.com/intel/SGX-TDX-DCAP-QuoteVerificationLibrary/archive/refs/heads/DCAP/%{dcap_qvl_version}.tar.gz#/dcap-qvl-%{dcap_qvl_version}.tar.gz Provides: bundled(dcap-qvl) = %{dcap_qvl_version} Source7: https://github.com/intel/SGX-TDX-DCAP-QuoteVerificationService/archive/refs/tags/v%{dcap_qvs_version}.tar.gz#/dcap-qvs-%{dcap_qvs_version}.tar.gz Provides: bundled(dcap-qvs) = %{dcap_qvs_version} ############################################################ # 3rd party projects SourceN for N in (10..19) Source10: https://www.openssl.org/source/openssl-%{openssl_version}.tar.gz Provides: bundled(openssl) = %{openssl_version} Source11: https://github.com/PJK/libcbor/archive/refs/tags/v%{libcbor_version}.tar.gz#/libcbor-%{libcbor_version}.tar.gz Provides: bundled(libcbor) = %{libcbor_version} # XXX unbundle me, only used in native code, or also in enclaves ? 
Source12: https://github.com/Thalhammer/jwt-cpp/archive/refs/tags/v%{jwt_cpp_version}.tar.gz#/jwt-cpp-%{jwt_cpp_version}.tar.gz Provides: bundled(jwt-cpp) = %{jwt_cpp_version} Source13: https://github.com/bytecodealliance/wasm-micro-runtime/archive/refs/tags/WAMR-%{wamr_version}.tar.gz#/wasm-micro-runtime-%{wamr_version}.tar.gz Provides: bundled(wasm-micro-runtime) = %{wamr_version} ############################################################ # Misc distro integration files SourceN in (40..59) Source40: aesmd.sysusers.conf Source41: aesmd.service Source42: sgxprv.sysusers.conf Source43: 92-sgx-provision.rules Source44: qgs.sysusers.conf Source45: qgs.service Source46: qgs.sysconfig Source48: mpa_registration.service ############################################################ # External projects that have been copied in tarballs as bundles # In external/epid-sdk/ Provides: bundled(epid-sdk) = %{epid_version} # In external/rdrand/ Provides: bundled(RdRand) = %{rdrand_version} # In external/vtune/ Provides: bundled(vtune) = %{vtune_version} ############################################################ # Distro integration patches # 0000-0099 -> against linux-sgx.git Patch0000: 0000-Use-distro-libcrypto-and-tinyxml2-for-signtool.patch Patch0001: 0001-Use-distro-provided-openssl-instead-of-prebuilt-copy.patch # https://github.com/intel/linux-sgx/pull/1055 Patch0002: 0002-Improve-make-debuggability.patch Patch0003: 0003-Avoid-cloning-ippcp-git-repo-during-build.patch Patch0004: 0004-disable-openmp-protobuf-mbedtls-sample_crypto-builds.patch Patch0005: 0005-Use-distro-CppMicroServices-instead-of-bundled-copy.patch Patch0006: 0006-Use-distro-libcrypto-instad-of-pre-built-bundled-cop.patch # https://github.com/intel/linux-sgx/pull/1063 Patch0007: 0007-Fix-compat-with-gcc-14.patch # https://github.com/intel/linux-sgx/pull/1056 Patch0008: 0008-Fix-escaping-of-regexes-in-sgx-asm-pp.patch # https://github.com/intel/linux-sgx/pull/1058 Patch0009: 0009-Disable-use-of-bogus-DEF_WEAK-macro.patch # 
https://github.com/intel/linux-sgx/pull/1057 Patch0010: 0010-Remove-all-references-to-pccs-service.patch # https://github.com/intel/linux-sgx/pull/1064 Patch0011: 0011-psw-prefer-dev-sgx_provision-dev-sgx_enclave.patch # 0100-0199 -> against SGXDataCenterAttestationPrimitives.git Patch0100: 0100-Drop-use-of-bundled-pre-built-openssl.patch Patch0101: 0101-Improve-debuggability-of-build-system.patch # https://github.com/intel/SGXDataCenterAttestationPrimitives/pull/437 Patch0102: 0102-Support-build-time-setting-of-enclave-load-directory.patch # https://github.com/intel/SGXDataCenterAttestationPrimitives/pull/434 Patch0103: 0103-Look-for-versioned-sgx_urts-library-in-PCKRetrievalT.patch # https://github.com/intel/SGXDataCenterAttestationPrimitives/pull/429 Patch0104: 0104-Don-t-import-pypac-in-pccsadmin.patch Patch0105: 0105-Look-for-PCKRetrievalTool-config-file-in-etc.patch # XXX enclaves must use bundled #Patch0106: 0106-Use-distro-provided-rapidjson-package.patch # https://github.com/intel/SGXDataCenterAttestationPrimitives/pull/428 Patch0107: 0107-qgs-add-space-between-program-name-first-arg-in-usag.patch Patch0108: 0108-qgs-protect-against-format-strings-in-QL-log-message.patch Patch0109: 0109-qgs-add-debug-parameter-to-control-logging.patch # 0200-0299 -> against intel-sgx-ssl.git Patch0200: 0200-Enable-pointing-sgxssl-build-to-alternative-glibc-he.patch Patch0201: 0201-Workaround-missing-output-directory.patch Patch0202: 0202-Disable-various-EC-crypto-features.patch Patch0203: 0203-Disable-sm2-and-sm4-crypto-algorithms.patch # 0300-0399 -> against ipp-crypto.git Patch0300: 0300-Drop-min-openssl-from-3.0.8-to-3.0.7.patch Patch0301: 0301-Drop-Werror-from-build-flags.patch BuildRequires: sgx-srpm-macros BuildRequires: autoconf BuildRequires: automake BuildRequires: binutils BuildRequires: libtool BuildRequires: gcc BuildRequires: gcc-c++ BuildRequires: make BuildRequires: cmake BuildRequires: ocaml BuildRequires: ocaml-ocamlbuild BuildRequires: openssl 
BuildRequires: openssl-devel BuildRequires: libcurl-devel BuildRequires: python3-devel BuildRequires: perl-generators BuildRequires: perl-interpreter BuildRequires: perl-devel BuildRequires: perl(FindBin) BuildRequires: perl(lib) BuildRequires: perl(IPC::Cmd) BuildRequires: nasm BuildRequires: python-unversioned-command BuildRequires: systemd-rpm-macros BuildRequires: tinyxml2-devel BuildRequires: CppMicroServices-devel #BuildRequires: rapidjson-devel BuildRequires: protobuf-compiler BuildRequires: protobuf-devel BuildRequires: boost-devel # If dpkg-architecture exists in $PATH, the Makefile # will change all the install paths, breaking this # spec's expected locations BuildConflicts: dpkg-dev # SGX is a technology that only exists in Intel x86 CPUs ExclusiveArch: x86_64 %description The Intel SGX SDK is a collection of APIs, libraries, documentation and tools that allow software developers to create and debug Intel SGX enabled applications in C/C++. # We always provide the unsigned enclaves, but only # provide the signed version if it was signed in this # release. %global do_package() \ %if %2 \ %package -n sgx-enclave-%1-unsigned \ Summary: SGX %1 enclave (unsigned, latest toolchain) \ \ Provides: sgx-enclave(%1:unsigned) = %3 \ Provides: sgx-enclave(%1:unsigned:latest) = %3 \ \ %description -n sgx-enclave-%1-unsigned \ This package contains the unsigned SGX %1 enclave, \ built with latest toolchain and libraries. \ \ %endif %do_package pce %{_with_enclave_pce} %{linux_sgx_version} %do_package ide %{_with_enclave_ide} %{dcap_version} %do_package qe3 %{_with_enclave_qe3} %{dcap_version} %do_package tdqe %{_with_enclave_tdqe} %{dcap_version} %do_package qve %{_with_enclave_qve} %{dcap_version} %package -n sgx-enclave-devel Summary: SGX enclave libraries development %description -n sgx-enclave-devel This package contains the header files, libraries and tools required to create SGX enclaves. 
%package -n sgx-devel Summary: SGX platform libraries development %description -n sgx-devel This package contains the header files, libraries and tools required to build applications that interact with SGX enclaves on the platform. %package -n sgx-libs Summary: SGX platform libraries runtime %description -n sgx-libs This package contains the runtime libraries and tools required to run applications that interact with SGX enclaves on the platform. %package -n sgx-aesm Summary: SGX platform Architectural Enclave Service Manager Requires: CppMicroServices Suggests: sgx-enclave(pce:signed) >= %{enclave_pce_version} Suggests: sgx-enclave(qe3:signed) >= %{enclave_qe3_version} Suggests: sgx-enclave(qve:signed) >= %{enclave_qve_version} Suggests: sgx-enclave(ide:signed) >= %{enclave_ide_version} Suggests: sgx-enclave(tdqe:signed) >= %{enclave_tdqe_version} %description -n sgx-aesm This package contains the Architectural Enclave Service Manager (AESM) daemon. %package -n sgx-pccs-admin Summary: SGX Provisioning Certificate Caching Service Admin Tool Requires: python3-asn1 Requires: python3-pyOpenSSL Requires: python3-cryptography Requires: python3-keyring Requires: python3-requests Requires: python3-urllib3 %description -n sgx-pccs-admin SGX Provisioning Certificate Caching Service Admin Tool %package -n sgx-pckid-tool Summary: SGX PCK Cert ID Retrieval Tool Requires: sgx-libs = %{linux_sgx_version} %enclave_requires ide %{enclave_ide_version} %enclave_requires pce %{enclave_pce_version} %description -n sgx-pckid-tool SGX PCK Cert ID Retrieval Tool %package -n sgx-mpa Summary: SGX Multi-package Registration Agent %description -n sgx-mpa SGX Multi-package Registration Agent %package -n tdx-qgs Summary: TDX Quoting Generation Service Recommends: sgx-mpa Suggests: sgx-pckid-tool %enclave_requires ide %{enclave_ide_version} %enclave_requires pce %{enclave_pce_version} %enclave_requires tdqe %{enclave_tdqe_version} %description -n tdx-qgs TDX Quoting Generation Service %package 
-n tdx-attest-libs Summary: TDX attestation libraries %description -n tdx-attest-libs TDX attestation libraries This assists guest applications in attesting their virtual machine environment. %package -n tdx-attest-devel Summary: TDX attestation libraries development %description -n tdx-attest-devel TDX attestation libraries development This enables integration of support for attestation in applications %prep %setup -n linux-sgx-sgx_%{linux_sgx_version}_reproducible %autopatch -m 0 -M 99 -p1 ############################################################ # # 'make preparation' is required first build step, and would # pull in many git submodules, apply patches for various # things, download pre-built enclaves, etc. # # What follows simulates 'make preparation' with functionally # equivalent actions to get the source tree setup in the # expected manner for performing the build # ############################################################ # Will use system package instead rm -rf external/{CppMicroServices,tinyxml2} # Don't intend to package these optional bits since none of # the required enclaves need this, and thus we can cut down # on bundling some 3rd party code rm -rf external/{dnnl,openmp,protobuf,mbedtls} sdk/sample_libcrypto ############################################################ # dcap ( cd external/dcap_source tar zxf %{SOURCE1} --strip 1 %autopatch -m 100 -M 199 -p1 ( mkdir QuoteVerification/sgxssl cd QuoteVerification/sgxssl tar zxf %{SOURCE3} --strip 1 %autopatch -m 200 -M 299 -p1 cp %{SOURCE10} openssl_source/ ) ( cd QuoteVerification/QVL tar zxf %{SOURCE6} --strip 1 ) ( cd QuoteVerification/QuoteVerificationService tar zxf %{SOURCE7} --strip 1 ) ( cd external/jwt-cpp tar zxf %{SOURCE12} --strip 1 ) ( cd external/wasm-micro-runtime tar zxf %{SOURCE13} --strip 1 ) ) ############################################################ # sgxssl ( cd external/sgxssl tar zxf %{SOURCE3} --strip 1 %autopatch -m 200 -M 299 -p1 cp %{SOURCE10} openssl_source/ ) 
############################################################ # ippcrypto ( # XXX sanity check that all ipp-crypto is permitted by Fedora cd external/ippcp_internal/ipp-crypto tar zxf %{SOURCE4} --strip 1 %autopatch -m 300 -M 399 -p1 ) ############################################################ # sgx-emm ( cd external/sgx-emm/emm_src tar zxf %{SOURCE5} --strip 1 ) ./external/sgx-emm/create_symlink.sh ############################################################ # libcbor ( cd external/cbor/libcbor tar zxf %{SOURCE11} --strip 1 cd .. cp -a libcbor sgx_libcbor cd libcbor patch -p1 < ../raw_cbor.patch cd .. cd sgx_libcbor patch -p1 < ../sgx_cbor.patch ) ############################################################ # prebuilt enclaves # repack.sh strips pre-built enclaves we don't ship, but # the build process still looks for them, so pretend # everything exists mkdir -p psw/ae/data/prebuilt/ touch psw/ae/data/prebuilt/libsgx_{le,qe,pve,pce}.signed.so ( cd external/dcap_source/QuoteGeneration tar zxf %{SOURCE2} # Again just pretend everything exists to placate build touch psw/ae/data/prebuilt/libsgx_{pce,id_enclave,qe3,tdqe,qve}.signed.so # the header files need to be up 1 level # # XXX these headers shouldn't really be needed, since DCAP # already unpacks & build openssl as a side effect of # sgxssl. Somewhere the headers from that build are discarded # and QuoteVerification makefiles are set to look at these # pre-built headers instead. This is a bug in DCAP that needs # fixing and sending upstream mkdir -p ../prebuilt/openssl/inc ../prebuilt/opa_bin mv prebuilt/openssl/inc/* ../prebuilt/openssl/inc/ # XXX figure out how to actually build this for real touch ../prebuilt/opa_bin/policy.wasm ) find -name '*.a' -o -name '*.o' > prebuilt.txt if test -s prebuilt.txt then echo "ERROR: Found pre-built files in source tree." 
echo "ERROR: The following files must be removed from the source archives:" cat prebuilt.txt exit 1 fi %build ############################################################ # First, build the SDK # IPP Crypto needs to be pre-built for the SDK. # Note, that the 'make clean' doesn't delete the # output '.a' files we need, only the '.o' files # So when complete we have 3 builds of IPP Crypto # in external/ippcp_internal/lib/linux/intel64/ for mitigation in '' LOAD CF do %__make %{?_smp_mflags} \ -C external/ippcp_internal \ clean %__make %{?_smp_mflags} \ -C external/ippcp_internal \ MITIGATION-CVE-2020-0551=$mitigation done # Now we can build the actual SDK for mitigation in LOAD CF '' do %__make %{?_smp_mflags} -j1 \ -C sdk/ V=1 \ MITIGATION-CVE-2020-0551=$mitigation \ clean %__make %{?_smp_mflags} \ -C external/dcap_source/QuoteVerification/dcap_tvl \ MITIGATION-CVE-2020-0551=$mitigation \ clean # Pre-build with current toolchain, since this # is a native app, and ocaml tools in Fedora # pass GCC -specs that assume current toolchain # and fail with old SGX binutils %__make %{?_smp_mflags} -j1 \ -C sdk/ edger8r V=1 \ MITIGATION-CVE-2020-0551=$mitigation %__make %{?_smp_mflags} -j1 \ -C sdk/ V=1 \ MITIGATION-CVE-2020-0551=$mitigation %__make %{?_smp_mflags} \ -C external/dcap_source/QuoteVerification/dcap_tvl \ MITIGATION-CVE-2020-0551=$mitigation done ############################################################ # Second, install the SDK into a temporary tree, since this # dir tree is needed by the next build phase. %define vroot build/vroot ./linux/installer/bin/build-installpkg.sh sdk cve-2020-0551 ./linux/installer/bin/sgx_linux_x64_sdk_*.bin --prefix=%{vroot} ############################################################ # Third, build the AEs (Architectural Enclaves). 
# XXX -j1 due to race condition setting up sgxssl headers with QvE %global do_build() \ %if %1 \ %make_build -C %2 \\\ SGX_SDK=$(pwd)/%{vroot}/sgxsdk \\\ %3 -j1 \ %endif %do_build %{_with_enclave_pce} psw/ae/pce pce.so %do_build %{_with_enclave_ide} external/dcap_source/QuoteGeneration/quote_wrapper/quote/id_enclave/linux id_enclave.so %do_build %{_with_enclave_qe3} external/dcap_source/QuoteGeneration/quote_wrapper/quote/enclave/linux qe3.so %do_build %{_with_enclave_tdqe} external/dcap_source/QuoteGeneration/quote_wrapper/tdx_quote/enclave/linux tdqe.so %do_build %{_with_enclave_qve} external/dcap_source/QuoteVerification/QvE qve.so ############################################################ # Fourth, build the Platform Software %__make %{?_smp_mflags} -j1 \ -C psw/ V=1 \ SGX_SDK=$(pwd)/%{vroot}/sgxsdk \ SGX_ENCLAVE_PATH=%{sgx_libdir} %__make %{?_smp_mflags} -j1 \ -C external/dcap_source/ V=1 \ SGX_SDK=$(pwd)/%{vroot}/sgxsdk \ SGX_ENCLAVE_PATH=%{sgx_libdir} # SDK provides dummy stub libraries to deal with a circular # build dependency problem where the PSW wants these libs # before it has built its own real copies. 
Delete them now, # since we've done the PSW build and don't want these dummy # stubs installed for i in epid launch quote_ex uae_service urts do rm -f %{vroot}/sgxsdk/lib64/libsgx_$i.so done rm -f %{vroot}/sgxsdk/lib64/libsgx_urts.so.2 %install ############################################################ # Install phase # # There's nothing useful like 'make install' to install # everything in the right place :-( # Dirs for host OS software %__install -d %{buildroot}%{_bindir} %__install -d %{buildroot}%{_sbindir} %__install -d %{buildroot}%{_libdir}/pkgconfig %__install -d %{buildroot}%{_libexecdir} %__install -d %{buildroot}%{_datadir} %__install -d %{buildroot}%{_includedir} %__install -d %{buildroot}%{_unitdir} %__install -d %{buildroot}%{_sysusersdir} %__install -d %{buildroot}%{_udevrulesdir} # Dirs for enclave software %__install -d %{buildroot}%{sgx_includedir} %__install -d %{buildroot}%{sgx_libdir} ############################################################ # First the SDK stuff we put into the 'vroot' earlier mv %{vroot}/sgxsdk/bin/sgx* %{buildroot}%{_bindir}/ mv %{vroot}/sgxsdk/bin/x64/sgx* %{buildroot}%{_bindir}/ mv %{vroot}/sgxsdk/include/* %{buildroot}%{sgx_includedir}/ mv %{vroot}/sgxsdk/lib64/libsgx*.a %{buildroot}%{sgx_libdir}/ mv %{vroot}/sgxsdk/lib64/libtdx*.a %{buildroot}%{sgx_libdir}/ mv %{vroot}/sgxsdk/lib64/libsgx*.so* %{buildroot}%{_libdir}/ mv %{vroot}/sgxsdk/lib64/gdb-sgx-plugin %{buildroot}%{_datadir}/sgx-gdb-plugin mv %{vroot}/sgxsdk/pkgconfig/libsgx*pc %{buildroot}%{_libdir}/pkgconfig/ rm -rf %{vroot}/sgxsdk/SampleCode ############################################################ # Second the (unsigned) architectural enclaves # @arg1: boolean condition for whether to ship this enclave # @arg2: base name of the enclave # @arg3: directory containing locally built enclave # @arg4: directory containing pre-built enclave (currently unused by the macro) # @arg5: symbol name that defines the enclave SO version (currently unused by the macro) %global do_install() \ %if %1 \ %__install -m 0755 %3/%2.so 
%{buildroot}%{sgx_libdir}/libsgx_%2.so \ %endif version_file=common/inc/internal/se_version.h %do_install %{_with_enclave_pce} pce psw/ae/pce psw/ae/data/prebuilt PCE_VERSION version_file=external/dcap_source/QuoteGeneration/common/inc/internal/se_version.h %do_install %{_with_enclave_ide} id_enclave external/dcap_source/QuoteGeneration/quote_wrapper/quote/id_enclave/linux external/dcap_source/QuoteGeneration/psw/ae/data/prebuilt IDE_VERSION %do_install %{_with_enclave_qe3} qe3 external/dcap_source/QuoteGeneration/quote_wrapper/quote/enclave/linux external/dcap_source/QuoteGeneration/psw/ae/data/prebuilt QE3_VERSION %do_install %{_with_enclave_tdqe} tdqe external/dcap_source/QuoteGeneration/quote_wrapper/tdx_quote/enclave/linux external/dcap_source/QuoteGeneration/psw/ae/data/prebuilt TDQE_VERSION %do_install %{_with_enclave_qve} qve external/dcap_source/QuoteVerification/QvE external/dcap_source/QuoteGeneration/psw/ae/data/prebuilt QVE_VERSION ############################################################ # Third the Platform Software # # Neither of these fully installs all of the software, so we # have to run both. There's a little overlap in what they # install but that's harmless as duplicated content should # match between them. For further info: # # $ cd linux/installer/common # $ diff -rup psw-dcap/BOM_install/ psw-tdx/BOM_install/ %__make -I linux/installer/common/psw-dcap -f linux/installer/common/psw-dcap/Makefile SRCDIR=. DESTDIR=%{vroot}/psw install %__make -I linux/installer/common/psw-tdx -f linux/installer/common/psw-tdx/Makefile SRCDIR=. DESTDIR=%{vroot}/psw install # The above commands don't actually install into a single # usable tree, instead they create multiple top level FS # trees, each of which reflects the non-upstream Debian/RPM # packages that Intel propose. The RPMs don't reflect the # Fedora packaging guidelines, so we're ignoring their layout # and re-arranging things in a more normal manner. 
# # First merge all the top level dirs together into one # tree under the final build root mkdir %{vroot}/root for dir in %{vroot}/psw/* do cp -a $dir/* %{vroot}/root/ done cp -a %{vroot}/root/ %{buildroot}/root # Second, re-arrange the content to match the normal tree # layout Fedora expects. We rm/rmdir any bits we don't # want, such that RPM will warn about any files left in # the build root that aren't listed as 'files', so we catch # new files appearing in future versions ############################################################ # Host AESM service %__install -d %{buildroot}%{_sysconfdir}/aesmd %__install -d %{buildroot}%{_libdir}/aesmd %__install -d %{buildroot}%{_datadir}/aesmd %__install -d %{buildroot}%{_sharedstatedir}/aesmd %__install -d %{buildroot}%{_rundir}/aesmd # Enclaves to be provided by a separate package, so we purge these rm -f %{buildroot}/root/opt/intel/sgx-aesm-service/aesm/*signed.so* rm -f %{buildroot}/root/opt/intel/sgx-aesm-service/aesm/linksgx.sh rm -f %{buildroot}/root/opt/intel/sgx-aesm-service/aesm/libsgx_urts.so.2 rm -f %{buildroot}/root/opt/intel/sgx-aesm-service/startup.sh rm -f %{buildroot}/root/opt/intel/sgx-aesm-service/cleanup.sh mv %{buildroot}/root/opt/intel/sgx-aesm-service/aesm/le_prod_css.bin %{buildroot}%{_datadir}/aesmd/ mv %{buildroot}/root/var/opt/aesmd/data/white_list_cert_to_be_verify.bin %{buildroot}%{_datadir}/aesmd/ rmdir %{buildroot}/root/var/opt/aesmd/data/ rmdir %{buildroot}/root/var/opt/aesmd mv %{buildroot}/root/opt/intel/sgx-aesm-service/aesm/* %{buildroot}%{_libdir}/aesmd/ rmdir %{buildroot}/root/opt/intel/sgx-aesm-service/aesm rmdir %{buildroot}/root/opt/intel/sgx-aesm-service mv %{buildroot}/root/etc/aesmd.conf %{buildroot}%{_sysconfdir}/ # Workarounds for code that assumes all files are in the same dir # XXX patch the source to just look in the right place to begin with ln -s ../../..%{_sysconfdir}/aesmd.conf \ %{buildroot}%{_libdir}/aesmd/aesmd.conf ln -s ../../..%{_datadir}/aesmd/le_prod_css.bin \ 
%{buildroot}%{_libdir}/aesmd/le_prod_css.bin ln -s ../../..%{_datadir}/aesmd/white_list_cert_to_be_verify.bin \ %{buildroot}%{_libdir}/aesmd/white_list_cert_to_be_verify.bin # XXX it looks for files relative to its binary, so we # need this wrapper. Patch the source and kill this cat >> %{buildroot}%{_sbindir}/aesmd < %{buildroot}%{_bindir}/pccsadmin < - 2.22-1 - Initial packaging