Linux 2.25 Open Source Gold Release

Upgraded to OpenSSL 3.0.14.
Upgraded Intel(R) Integrated Performance Primitives (IPP) Cryptography library to version
  2021.12.1.
Supported FIPS 140-3 Certifiable IPP Crypto based Trusted Library.
Upgraded Intel SGX Architecture Enclaves based on new IPP crypto library.
Upgraded Intel DCAP Quote Verification Enclave to integrate OpenSSL/SgxSSL 3.0.14.
Removed Intel DCAP PCCS from repository.
Added Ubuntu* 24.04 LTS 64-bit Server support.
Fixed bug.

Note that PCCS is not available from this release. Please follow DCAP installation guide to use
`PCCSAdminTool` to retrieve the attestation collaterals or use old version PCCS.

Signed-off-by: Li, Xun <[email protected]>

Makefile

@@ -30,7 +30,7 @@
 #
 
 include buildenv.mk
-.PHONY: all preparation psw sdk clean rebuild sdk_install_pkg psw_install_pkg tdx
+.PHONY: all tips preparation psw sdk_no_mitigation sdk clean rebuild tdx servtd_attest servtd_attest_preparation ipp sdk_install_pkg_no_mitigation sdk_install_pkg  sdk_install_pkg_from_source psw_install_pkg
 
 all: tips
 
@@ -51,6 +51,8 @@ preparation:
 # As SDK build needs to clone and patch openmp, we cannot support the mode that download the source from github as zip.
 # Only enable the download from git
 	git submodule update --init --recursive
+	cd external/dcap_source/external/jwt-cpp && git apply ../0001-Add-a-macro-to-disable-time-support-in-jwt-for-SGX.patch >/dev/null 2>&1 || \
+	git apply ../0001-Add-a-macro-to-disable-time-support-in-jwt-for-SGX.patch -R --check
 	./external/dcap_source/QuoteVerification/prepare_sgxssl.sh nobuild
 	cd external/openmp/openmp_code && git apply ../0001-Enable-OpenMP-in-SGX.patch >/dev/null 2>&1 ||  git apply ../0001-Enable-OpenMP-in-SGX.patch --check -R
 	cd external/protobuf/protobuf_code && git apply ../sgx_protobuf.patch >/dev/null 2>&1 ||  git apply ../sgx_protobuf.patch --check -R
@@ -60,6 +62,8 @@ preparation:
 	cd external/cbor && cp -r libcbor sgx_libcbor
 	cd external/cbor/libcbor && git apply ../raw_cbor.patch >/dev/null 2>&1 || git apply ../raw_cbor.patch --check -R
 	cd external/cbor/sgx_libcbor && git apply ../sgx_cbor.patch >/dev/null 2>&1 || git apply ../sgx_cbor.patch --check -R
+	cd external/ippcp_internal/ipp-crypto && git apply ../0001-IPP-crypto-for-SGX.patch > /dev/null 2>&1 || git apply ../0001-IPP-crypto-for-SGX.patch --check -R
+	cd external/ippcp_internal/ipp-crypto && mkdir -p build
 	./download_prebuilt.sh
 	./external/dcap_source/QuoteGeneration/download_prebuilt.sh
 
@@ -101,13 +105,26 @@ servtd_attest_preparation:
 	./external/sgx-emm/create_symlink.sh
 	./external/dcap_source/QuoteVerification/prepare_sgxssl.sh nobuild
 
+ipp:
+	$(MAKE) -C external/ippcp_internal/ clean
+	$(MAKE) -C external/ippcp_internal/ MITIGATION-CVE-2020-0551=LOAD
+	$(MAKE) -C external/ippcp_internal/ clean
+	$(MAKE) -C external/ippcp_internal/ MITIGATION-CVE-2020-0551=CF
+	$(MAKE) -C external/ippcp_internal/ clean
+	$(MAKE) -C external/ippcp_internal/
+
 # Generate SE SDK Install package
 sdk_install_pkg_no_mitigation: sdk_no_mitigation
 	./linux/installer/bin/build-installpkg.sh sdk
 
 sdk_install_pkg: sdk
 	./linux/installer/bin/build-installpkg.sh sdk cve-2020-0551
 
+sdk_install_pkg_from_source:
+	$(MAKE) ipp
+	$(MAKE) sdk
+	./linux/installer/bin/build-installpkg.sh sdk cve-2020-0551
+
 psw_install_pkg: psw
 ifeq ("$(wildcard ./external/dcap_source/QuoteGeneration/psw/ae/data/prebuilt/libsgx_qe3.signed.so)", "")
 	./external/dcap_source/QuoteGeneration/download_prebuilt.sh
@@ -231,11 +248,6 @@ deb_libsgx_dcap_default_qpl:
 	$(MAKE) -C external/dcap_source/QuoteGeneration deb_sgx_dcap_default_qpl_pkg
 	$(CP) external/dcap_source/QuoteGeneration/installer/linux/deb/libsgx-dcap-default-qpl/libsgx-dcap-default-qpl*deb ./linux/installer/deb/sgx-aesm-service/
 
-.PHONY: deb_libsgx_dcap_pccs
-deb_libsgx_dcap_pccs:
-	$(MAKE) -C external/dcap_source/QuoteGeneration deb_sgx_dcap_pccs_pkg
-	$(CP) external/dcap_source/QuoteGeneration/installer/linux/deb/sgx-dcap-pccs/sgx-dcap-pccs*deb ./linux/installer/deb/sgx-aesm-service/
-
 .PHONY: deb_libsgx_dcap_ql
 deb_libsgx_dcap_ql: deb_libsgx_pce_logic
 	$(MAKE) -C external/dcap_source/QuoteGeneration deb_sgx_dcap_ql_pkg
@@ -284,7 +296,6 @@ deb_psw_pkg: deb_libsgx_headers_pkg \
              deb_libsgx_ae_qe3 \
              deb_libsgx_ae_id_enclave \
              deb_libsgx_dcap_default_qpl \
-             deb_libsgx_dcap_pccs \
              deb_libsgx_dcap_ql \
              deb_libsgx_ae_qve \
              deb_sgx_dcap_quote_verify \
@@ -410,11 +421,6 @@ rpm_libsgx_dcap_default_qpl:
 	$(MAKE) -C external/dcap_source/QuoteGeneration rpm_sgx_dcap_default_qpl_pkg
 	$(CP) external/dcap_source/QuoteGeneration/installer/linux/rpm/libsgx-dcap-default-qpl/libsgx-dcap-default-qpl*.rpm ./linux/installer/rpm/sgx-aesm-service/
 
-.PHONY: rpm_libsgx_dcap_pccs
-rpm_libsgx_dcap_pccs:
-	$(MAKE) -C external/dcap_source/QuoteGeneration rpm_sgx_dcap_pccs_pkg
-	$(CP) external/dcap_source/QuoteGeneration/installer/linux/rpm/sgx-dcap-pccs/sgx-dcap-pccs*.rpm ./linux/installer/rpm/sgx-aesm-service/
-
 .PHONY: rpm_libsgx_dcap_ql
 rpm_libsgx_dcap_ql:
 	$(MAKE) -C external/dcap_source/QuoteGeneration rpm_sgx_dcap_ql_pkg
@@ -463,7 +469,6 @@ rpm_psw_pkg: rpm_libsgx_headers_pkg \
              rpm_libsgx_ae_qe3 \
              rpm_libsgx_ae_id_enclave \
              rpm_libsgx_dcap_default_qpl \
-             rpm_libsgx_dcap_pccs \
              rpm_libsgx_dcap_ql \
              rpm_libsgx_ae_qve \
              rpm_sgx_dcap_quote_verify \
@@ -486,8 +491,6 @@ clean:
 	@$(RM)   -r $(ROOT_DIR)/build
 	@$(RM)   -r linux/installer/bin/install-sgx-*.bin*.withLicense
 	@$(RM)   -r linux/installer/bin/sgx_linux*.bin
-	@$(RM)   -f ./linux/installer/deb/sgx-aesm-service/sgx-dcap-pccs*deb
-	@$(RM)   -f ./linux/installer/rpm/sgx-aesm-service/sgx-dcap-pccs*rpm
 	./linux/installer/deb/sgx-aesm-service/clean.sh
 	./linux/installer/deb/libsgx-epid/clean.sh
 	./linux/installer/deb/libsgx-launch/clean.sh
@@ -507,6 +510,7 @@ clean:
 	./linux/installer/rpm/libsgx-headers/clean.sh
 	./linux/installer/rpm/sdk/clean.sh
 	./linux/installer/common/local_repo_builder/local_repo_builder.sh rpm clean
+	$(MAKE) -C external/ippcp_internal/ clean
 ifeq ("$(shell test -f external/dcap_source/QuoteVerification/dcap_tvl/Makefile && echo TVL Makefile exists)", "TVL Makefile exists")
 	$(MAKE) -C external/dcap_source/QuoteVerification/dcap_tvl MITIGATION-CVE-2020-0551=LOAD clean
 	$(MAKE) -C external/dcap_source/QuoteVerification/dcap_tvl MITIGATION-CVE-2020-0551=CF clean
@@ -527,7 +531,6 @@ ifeq ("$(shell test -f external/dcap_source/QuoteVerification/Makefile && echo M
 	./external/dcap_source/QuoteGeneration/installer/linux/deb/libsgx-pce-logic/clean.sh
 	./external/dcap_source/QuoteGeneration/installer/linux/deb/libsgx-qe3-logic/clean.sh
 	./external/dcap_source/QuoteGeneration/installer/linux/deb/libsgx-dcap-quote-verify/clean.sh
-	./external/dcap_source/QuoteGeneration/installer/linux/deb/sgx-dcap-pccs/clean.sh
 	./external/dcap_source/QuoteGeneration/installer/linux/deb/tee-appraisal-tool/clean.sh
 	./external/dcap_source/QuoteGeneration/installer/linux/rpm/libsgx-ae-qve/clean.sh
 	./external/dcap_source/QuoteGeneration/installer/linux/rpm/libsgx-ae-qe3/clean.sh
@@ -541,7 +544,6 @@ ifeq ("$(shell test -f external/dcap_source/QuoteVerification/Makefile && echo M
 	./external/dcap_source/QuoteGeneration/installer/linux/rpm/libsgx-pce-logic/clean.sh
 	./external/dcap_source/QuoteGeneration/installer/linux/rpm/libsgx-qe3-logic/clean.sh
 	./external/dcap_source/QuoteGeneration/installer/linux/rpm/libsgx-dcap-quote-verify/clean.sh
-	./external/dcap_source/QuoteGeneration/installer/linux/rpm/sgx-dcap-pccs/clean.sh
 	./external/dcap_source/QuoteGeneration/installer/linux/rpm/tee-appraisal-tool/clean.sh
 endif
 
@@ -560,3 +562,4 @@ distclean:
 	$(RM) -rf external/dcap_source/QuoteGeneration/'Intel redistributable binary.txt'
 	$(RM) -rf external/dcap_source/QuoteVerification/sgxssl/
 	git submodule deinit  --all -f
+	$(RM) -rf dcap-trunk external/dcap_source external/openmp/openmp_code external/protobuf/protobuf_code

README.md

@@ -91,7 +91,7 @@ Build the Intel(R) SGX SDK and Intel(R) SGX PSW Package
   * Ubuntu\* 20.04 LTS Desktop 64bits
   * Ubuntu\* 20.04 LTS Server 64bits
   * Ubuntu\* 22.04 LTS Server 64bits
-  * Ubuntu\* 23.10 Server 64bits
+  * Ubuntu\* 24.04 LTS Server 64bits
   * Red Hat Enterprise Linux Server release 9.2 64bits
   * CentOS Stream 9 64bits
   * CentOS 8.3 64bits
@@ -105,7 +105,7 @@ Build the Intel(R) SGX SDK and Intel(R) SGX PSW Package
     $ sudo apt-get install build-essential ocaml ocamlbuild automake autoconf libtool wget python3 libssl-dev git cmake perl
     $ sudo update-alternatives --install /usr/bin/python python /usr/bin/python3 1
   ```
-  * On Ubuntu 20.04, Ubuntu 22.04 and Ubuntu 23.10:
+  * On Ubuntu 20.04, Ubuntu 22.04 and Ubuntu 24.04:
   ```
     $ sudo apt-get install build-essential ocaml ocamlbuild automake autoconf libtool wget python-is-python3 libssl-dev git cmake perl
   ```
@@ -142,9 +142,9 @@ Build the Intel(R) SGX SDK and Intel(R) SGX PSW Package
   1)  To install the additional required tools:
       * On Debian 10:
       ```
-        $ sudo apt-get install libssl-dev libcurl4-openssl-dev protobuf-compiler libprotobuf-dev debhelper cmake reprepro unzip lsb-release libsystemd0
+        $ sudo apt-get install libssl-dev libcurl4-openssl-dev protobuf-compiler libprotobuf-dev debhelper cmake reprepro unzip  pkgconf libboost-dev libboost-system-dev libboost-thread-dev lsb-release libsystemd0
       ```
-      * On Ubuntu 20.04, Ubuntu 22.04 and Ubuntu 23.10:
+      * On Ubuntu 20.04, Ubuntu 22.04 and Ubuntu 24.04:
       ```
         $ sudo apt-get install libssl-dev libcurl4-openssl-dev protobuf-compiler libprotobuf-dev debhelper cmake reprepro unzip pkgconf libboost-dev libboost-system-dev libboost-thread-dev lsb-release libsystemd0
       ```
@@ -166,7 +166,7 @@ Build the Intel(R) SGX SDK and Intel(R) SGX PSW Package
       ```
       * On SUSE Linux Enterprise Server 15.4:
       ```
-        $ sudo zypper install libopenssl-devel libcurl-devel protobuf-devel cmake rpm-build createrepo libsystemd0
+        $ sudo zypper install libopenssl-devel libcurl-devel protobuf-devel cmake rpm-build createrepo_c libsystemd0 libboost_system1_66_0-devel libboost_thread1_66_0-devel
       ```
       2) To install latest Intel(R) SGX SDK Installer
   Ensure that you have downloaded latest Intel(R) SGX SDK Installer from the [Intel(R) SGX SDK](https://software.intel.com/en-us/sgx-sdk/download) and followed the Installation Guide in the same page to install latest Intel(R) SGX SDK Installer.
@@ -256,7 +256,7 @@ You can find the tools and libraries generated in the `build/linux` directory.
   $ make
 ```
 - To build the Intel(R) SGX PSW installer, enter the following command:
-  * On Ubuntu 20.04, Ubuntu 22.04, Ubuntu 23.10 and Debian 10:
+  * On Ubuntu 20.04, Ubuntu 22.04, Ubuntu 24.04 and Debian 10:
    ```
   $ make deb_psw_pkg
   ```
@@ -297,9 +297,9 @@ You can find the tools and libraries generated in the `build/linux` directory.
   ```
   deb [trusted=yes arch=amd64] file:/PATH_TO_LOCAL_REPO jammy main
   ```
-  * On Ubuntu 23.10:
+  * On Ubuntu 24.04:
   ```
-  deb [trusted=yes arch=amd64] file:/PATH_TO_LOCAL_REPO mantic main
+  deb [trusted=yes arch=amd64] file:/PATH_TO_LOCAL_REPO noble main
   ```
   * On Debian 10:
   ```
@@ -344,7 +344,7 @@ Install the Intel(R) SGX SDK
   * Ubuntu\* 20.04 LTS Desktop 64bits
   * Ubuntu\* 20.04 LTS Server 64bits
   * Ubuntu\* 22.04 LTS Server 64bits
-  * Ubuntu\* 23.10 Server 64bits
+  * Ubuntu\* 24.04 LTS Server 64bits
   * Red Hat Enterprise Linux Server release 9.2 64bits
   * CentOS Stream 9 64bits
   * CentOS 8.3 64bits
@@ -357,7 +357,7 @@ Install the Intel(R) SGX SDK
     $ sudo apt-get install build-essential python3
     $ sudo update-alternatives --install /usr/bin/python python /usr/bin/python3 1
   ```
-   * On Ubuntu 20.04, Ubuntu 22.04 and Ubuntu 23.10:
+   * On Ubuntu 20.04, Ubuntu 22.04 and Ubuntu 24.04:
   ```
     $ sudo apt-get install build-essential python-is-python3
   ```
@@ -435,7 +435,7 @@ Install the Intel(R) SGX PSW
   * Ubuntu\* 20.04 LTS Desktop 64bits
   * Ubuntu\* 20.04 LTS Server 64bits
   * Ubuntu\* 22.04 LTS Server 64bits
-  * Ubuntu\* 23.10 Server 64bits
+  * Ubuntu\* 24.04 LTS Server 64bits
   * Red Hat Enterprise Linux Server release 9.2 64bits
   * CentOS Stream 9 64bits
   * CentOS 8.3 64bits
@@ -447,7 +447,7 @@ Install the Intel(R) SGX PSW
 - Configure the system with the **Intel SGX hardware enabled** option and install Intel(R) SGX driver in advance.
   See the earlier topic, *Build and Install the Intel(R) SGX Driver*, for information on how to install the Intel(R) SGX driver.
 - Install the library using the following command:
-  * On Ubuntu 20.04, Ubuntu 22.04, Ubuntu 23.10 and Debian 10:
+  * On Ubuntu 20.04, Ubuntu 22.04, Ubuntu 24.04 and Debian 10:
   ```
     $ sudo apt-get install libssl-dev libcurl4-openssl-dev libprotobuf-dev
   ```
@@ -477,7 +477,7 @@ The SGX PSW provides 3 services: launch, EPID-based attestation, and algorithm a
 
 #### Using the local repo(recommended)
 
-|   |Ubuntu 20.04, Ubuntu 22.04, Ubuntu 23.10 and Debian 10|Red Hat Enterprise Linux 9.2, CentOS Stream 9, CentOS 8.3 and Anolis OS 8.6| SUSE Linux Enterprise Server 15|
+|   |Ubuntu 20.04, Ubuntu 22.04, Ubuntu 24.04 and Debian 10|Red Hat Enterprise Linux 9.2, CentOS Stream 9, CentOS 8.3 and Anolis OS 8.6| SUSE Linux Enterprise Server 15|
 | ------------ | ------------ | ------------ | ------------ |
 |launch service |apt-get install libsgx-launch libsgx-urts|yum install libsgx-launch libsgx-urts|zypper install libsgx-launch libsgx-urts|
 |EPID-based attestation service|apt-get install libsgx-epid libsgx-urts|yum install libsgx-epid libsgx-urts|zypper install libsgx-epid libsgx-urts|
@@ -498,7 +498,7 @@ apt-get dist-upgrade -o Dpkg::Options::="--force-overwrite"
 ```
 #### Configure the installation
 Some packages are configured with recommended dependency on other packages that are not required for certain usage. For instance, the background daemon is not required for container usage. It will be installed by default, but you can drop it by using the additional option during the installation.
-* On Ubuntu 20.04, Ubuntu 22.04, Ubuntu 23.10 and Debian 10:
+* On Ubuntu 20.04, Ubuntu 22.04, Ubuntu 24.04 and Debian 10:
 ```
   --no-install-recommends
 ```

SampleCode/Cxx11SGXDemo/Makefile

@@ -37,21 +37,21 @@ SGX_ARCH ?= x64
 SGX_DEBUG ?= 1
 
 ifeq ($(shell getconf LONG_BIT), 32)
-	SGX_ARCH := x86
+    SGX_ARCH := x86
 else ifeq ($(findstring -m32, $(CXXFLAGS)), -m32)
-	SGX_ARCH := x86
+    SGX_ARCH := x86
 endif
 
 ifeq ($(SGX_ARCH), x86)
-	SGX_COMMON_FLAGS := -m32
-	SGX_LIBRARY_PATH := $(SGX_SDK)/lib
-	SGX_ENCLAVE_SIGNER := $(SGX_SDK)/bin/x86/sgx_sign
-	SGX_EDGER8R := $(SGX_SDK)/bin/x86/sgx_edger8r
+    SGX_COMMON_FLAGS := -m32
+    SGX_LIBRARY_PATH := $(SGX_SDK)/lib
+    SGX_ENCLAVE_SIGNER := $(SGX_SDK)/bin/x86/sgx_sign
+    SGX_EDGER8R := $(SGX_SDK)/bin/x86/sgx_edger8r
 else
-	SGX_COMMON_FLAGS := -m64
-	SGX_LIBRARY_PATH := $(SGX_SDK)/lib64
-	SGX_ENCLAVE_SIGNER := $(SGX_SDK)/bin/x64/sgx_sign
-	SGX_EDGER8R := $(SGX_SDK)/bin/x64/sgx_edger8r
+    SGX_COMMON_FLAGS := -m64
+    SGX_LIBRARY_PATH := $(SGX_SDK)/lib64
+    SGX_ENCLAVE_SIGNER := $(SGX_SDK)/bin/x64/sgx_sign
+    SGX_EDGER8R := $(SGX_SDK)/bin/x64/sgx_edger8r
 endif
 
 ifeq ($(SGX_DEBUG), 1)
@@ -76,9 +76,9 @@ SGX_COMMON_CXXFLAGS := $(SGX_COMMON_FLAGS) -Wnon-virtual-dtor -std=c++11
 ######## App Settings ########
 
 ifneq ($(SGX_MODE), HW)
-	Urts_Library_Name := sgx_urts_sim
+    Urts_Library_Name := sgx_urts_sim
 else
-	Urts_Library_Name := sgx_urts
+    Urts_Library_Name := sgx_urts
 endif
 
 App_Cpp_Files := App/App.cpp $(wildcard App/TrustedLibrary/*.cpp)
@@ -111,18 +111,18 @@ Enclave_Version_Script := Enclave/Enclave_debug.lds
 ifeq ($(SGX_MODE), HW)
 ifneq ($(SGX_DEBUG), 1)
 ifneq ($(SGX_PRERELEASE), 1)
-	# Choose to use 'Enclave.lds' for HW release mode
-	Enclave_Version_Script = Enclave/Enclave.lds 
+    # Choose to use 'Enclave.lds' for HW release mode
+    Enclave_Version_Script = Enclave/Enclave.lds 
 endif
 endif
 endif
 
 ifneq ($(SGX_MODE), HW)
-	Trts_Library_Name := sgx_trts_sim
-	Service_Library_Name := sgx_tservice_sim
+    Trts_Library_Name := sgx_trts_sim
+    Service_Library_Name := sgx_tservice_sim
 else
-	Trts_Library_Name := sgx_trts
-	Service_Library_Name := sgx_tservice
+    Trts_Library_Name := sgx_trts
+    Service_Library_Name := sgx_tservice
 endif
 Crypto_Library_Name := sgx_tcrypto
 
@@ -160,19 +160,19 @@ Enclave_Test_Key := Enclave/Enclave_private_test.pem
 
 ifeq ($(SGX_MODE), HW)
 ifeq ($(SGX_DEBUG), 1)
-	Build_Mode = HW_DEBUG
+    Build_Mode = HW_DEBUG
 else ifeq ($(SGX_PRERELEASE), 1)
-	Build_Mode = HW_PRERELEASE
+    Build_Mode = HW_PRERELEASE
 else
-	Build_Mode = HW_RELEASE
+    Build_Mode = HW_RELEASE
 endif
 else
 ifeq ($(SGX_DEBUG), 1)
-	Build_Mode = SIM_DEBUG
+    Build_Mode = SIM_DEBUG
 else ifeq ($(SGX_PRERELEASE), 1)
-	Build_Mode = SIM_PRERELEASE
+    Build_Mode = SIM_PRERELEASE
 else
-	Build_Mode = SIM_RELEASE
+    Build_Mode = SIM_RELEASE
 endif
 endif