Update SGX SDK to 2.21 (#3618)

mobilecoinfoundation · Oct 17, 2023 · 3aaaa39 · 3aaaa39
1 parent 7db5ae2
commit 3aaaa39
Show file tree

Hide file tree

Showing 21 changed files with 43 additions and 43 deletions.
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -24,7 +24,7 @@ permissions:
 jobs:
   build-dev:
     runs-on: [self-hosted, Linux, large]
-    container: mobilecoin/builder-install:v0.0.29
+    container: mobilecoin/builder-install:v0.0.30
 
     steps:
       - name: Check out code
@@ -42,7 +42,7 @@ jobs:
 
   build-prod:
     runs-on: [self-hosted, Linux, large]
-    container: mobilecoin/builder-install:v0.0.29
+    container: mobilecoin/builder-install:v0.0.30
 
     steps:
       - name: Check out code
@@ -62,7 +62,7 @@ jobs:
 
   build-and-test-wasm:
     runs-on: [self-hosted, Linux, large]
-    container: mobilecoin/builder-install:v0.0.29
+    container: mobilecoin/builder-install:v0.0.30
 
     steps:
       - name: Check out code
@@ -76,7 +76,7 @@ jobs:
 
   lint-rust:
     runs-on: [self-hosted, Linux, large]
-    container: mobilecoin/builder-install:v0.0.29
+    container: mobilecoin/builder-install:v0.0.30
 
     steps:
       - name: Check out code
@@ -93,7 +93,7 @@ jobs:
 
   build-and-test-go:
     runs-on: [self-hosted, Linux, large]
-    container: mobilecoin/builder-install:v0.0.29
+    container: mobilecoin/builder-install:v0.0.30
 
     steps:
       - name: Check out code
@@ -126,7 +126,7 @@ jobs:
 
   docs:
     runs-on: [self-hosted, Linux, large]
-    container: mobilecoin/builder-install:v0.0.29
+    container: mobilecoin/builder-install:v0.0.30
 
     steps:
       - name: Check out code
@@ -145,7 +145,7 @@ jobs:
 
   mc-tests:
     runs-on: [self-hosted, Linux, large]
-    container: mobilecoin/builder-install:v0.0.29
+    container: mobilecoin/builder-install:v0.0.30
 
     strategy:
       matrix:
@@ -188,7 +188,7 @@ jobs:
 
   consensus-tests:
     runs-on: [self-hosted, Linux, large]
-    container: mobilecoin/builder-install:v0.0.29
+    container: mobilecoin/builder-install:v0.0.30
 
     strategy:
       matrix:
@@ -221,7 +221,7 @@ jobs:
 
   fog-tests:
     runs-on: [self-hosted, Linux, large]
-    container: mobilecoin/builder-install:v0.0.29
+    container: mobilecoin/builder-install:v0.0.30
 
     strategy:
       matrix:
@@ -272,7 +272,7 @@ jobs:
 
   fog-ingest-tests:
     runs-on: [self-hosted, Linux, large]
-    container: mobilecoin/builder-install:v0.0.29
+    container: mobilecoin/builder-install:v0.0.30
 
     steps:
       - name: Check out code
@@ -295,7 +295,7 @@ jobs:
 
   fog-conformance-tests:
     runs-on: [self-hosted, Linux, large]
-    container: mobilecoin/builder-install:v0.0.29
+    container: mobilecoin/builder-install:v0.0.30
 
     steps:
       - name: Check out code
@@ -335,7 +335,7 @@ jobs:
 
   fog-local-network-tests:
     runs-on: [self-hosted, Linux, large]
-    container: mobilecoin/builder-install:v0.0.29
+    container: mobilecoin/builder-install:v0.0.30
 
     steps:
       - name: Check out code
@@ -522,7 +522,7 @@ jobs:
 
   minting-and-burning-tests:
     runs-on: [self-hosted, Linux, large]
-    container: mobilecoin/builder-install:v0.0.29
+    container: mobilecoin/builder-install:v0.0.30
 
     steps:
       - name: Check out code

diff --git a/.github/workflows/dependent-repos.yml b/.github/workflows/dependent-repos.yml
@@ -10,7 +10,7 @@ env:
 jobs:
   android-bindings:
     runs-on: [self-hosted, Linux, large]
-    container: mobilecoin/builder-install:v0.0.29
+    container: mobilecoin/builder-install:v0.0.30
 
     permissions:
       pull-requests: write
@@ -30,7 +30,7 @@ jobs:
 
   full-service:
     runs-on: [self-hosted, Linux, large]
-    container: mobilecoin/builder-install:v0.0.29
+    container: mobilecoin/builder-install:v0.0.30
 
     permissions:
       pull-requests: write

diff --git a/.github/workflows/mobilecoin-dev-cd.yaml b/.github/workflows/mobilecoin-dev-cd.yaml
@@ -73,7 +73,7 @@ jobs:
     - generate-metadata
     runs-on: [self-hosted, Linux, large-cd]
     container:
-      image: mobilecoin/rust-sgx-base:v0.0.29
+      image: mobilecoin/rust-sgx-base:v0.0.30
 
     env:
       ENCLAVE_SIGNING_KEY_PATH: ${{ github.workspace }}/.tmp/enclave_signing.pem

diff --git a/.internal-ci/docker/Dockerfile.dcap-runtime-base b/.internal-ci/docker/Dockerfile.dcap-runtime-base
@@ -23,7 +23,7 @@ RUN  apt-get update \
 COPY .internal-ci/docker/support/intel-sgx-archive-keyring.gpg /etc/apt/trusted.gpg.d/
 RUN  echo "deb [arch=amd64 signed-by=/etc/apt/trusted.gpg.d/intel-sgx-archive-keyring.gpg] https://download.01.org/intel-sgx/sgx_repo/ubuntu/ focal main" > /etc/apt/sources.list.d/intel-sgx.list
 
-ARG SGX_SDK_VERSION=2.20.100.4-focal1
+ARG SGX_SDK_VERSION=2.21.100.1-focal1
 ENV SGX_SDK_VERSION=${SGX_SDK_VERSION}
 
 # Explicitly call out *all* dependency versions. This is because the Intel
@@ -37,7 +37,7 @@ RUN  apt-get update \
   && rm -r /var/lib/apt/lists
 
 # Install DCAP libraries
-ARG DCAP_VERSION=1.17.100.4-focal1
+ARG DCAP_VERSION=1.18.100.1-focal1
 ENV DCAP_VERSION=${DCAP_VERSION}
 
 # Explicitly call out *all* dependency versions. This is because the Intel

diff --git a/.internal-ci/docker/Dockerfile.runtime-base b/.internal-ci/docker/Dockerfile.runtime-base
@@ -31,9 +31,9 @@ ENV LD_LIBRARY_PATH="/opt/intel/sgx-aesm-service/aesm"
 # libsgx-enclave-common libsgx-epid libsgx-launch libsgx-pce-logic libsgx-urts
 # sgx-aesm-service
 # Use `apt show -a sgx-aesm-service` to find version
-ENV AESM_VERSION=2.20.100.4-focal1
+ENV AESM_VERSION=2.21.100.1-focal1
 # Use `apt show -a libsgx-pce-logic` to find the version thats compatible with aesm.
-ENV PCE_LOGIC_VERSION=1.17.100.4-focal1
+ENV PCE_LOGIC_VERSION=1.18.100.1-focal1
 
 
 # Install  packages

diff --git a/.mobconf b/.mobconf
@@ -1,9 +1,9 @@
 [image]
 url = mobilecoin/builder-install
-tag = v0.0.29
+tag = v0.0.30
 [builder-install]
 url = mobilecoin/builder-install
-tag = v0.0.29
+tag = v0.0.30
 [signing-tools]
 url = mobilecoin/signing-tools
 tag = v0.0.1
diff --git a/consensus/enclave/build.rs b/consensus/enclave/build.rs
@@ -12,7 +12,7 @@ const SGX_SIMULATION_LIBS: &[&str] = &["libsgx_urts_sim", "libsgx_epid_sim"];
 
 // Changing this version is a breaking change, you must update the crate version
 // if you do.
-const SGX_VERSION: &str = "2.20.100.4";
+const SGX_VERSION: &str = "2.21.100.1";
 
 fn main() {
     let env = Environment::default();

diff --git a/consensus/enclave/measurement/build.rs b/consensus/enclave/measurement/build.rs
@@ -10,7 +10,7 @@ use std::{env::var, path::PathBuf};
 
 // Changing this version is a breaking change, you must update the crate version
 // if you do.
-const SGX_VERSION: &str = "2.20.100.4";
+const SGX_VERSION: &str = "2.21.100.1";
 
 const CONSENSUS_ENCLAVE_PRODUCT_ID: u16 = 1;
 const CONSENSUS_ENCLAVE_SECURITY_VERSION: u16 = 8;

diff --git a/consensus/enclave/trusted/build.rs b/consensus/enclave/trusted/build.rs
@@ -14,7 +14,7 @@ const SGX_SIMULATION_LIBS: &[&str] = &["libsgx_urts_sim", "libsgx_epid_sim"];
 
 // Changing this version is a breaking change, you must update the crate version
 // if you do.
-const SGX_VERSION: &str = "2.20.100.4";
+const SGX_VERSION: &str = "2.21.100.1";
 
 fn main() {
     let env = Environment::default();

diff --git a/consensus/service/BUILD.md b/consensus/service/BUILD.md
@@ -97,8 +97,8 @@ Recommended SDK and package installation:
 (
 	. /etc/os-release
 
-	wget "https://download.01.org/intel-sgx/sgx-linux/2.20/distro/ubuntu${VERSION_ID}-server/sgx_linux_x64_sdk_2.20.100.4.bin"
-	wget "https://download.01.org/intel-sgx/sgx-linux/2.20/distro/ubuntu${VERSION_ID}-server/sgx_linux_x64_driver_2.11.54c9c4c.bin"
+	wget "https://download.01.org/intel-sgx/sgx-linux/2.21/distro/ubuntu${VERSION_ID}-server/sgx_linux_x64_sdk_2.21.100.1.bin"
+	wget "https://download.01.org/intel-sgx/sgx-linux/2.21/distro/ubuntu${VERSION_ID}-server/sgx_linux_x64_driver_2.11.54c9c4c.bin"
 
 	echo "deb [arch=amd64 signed-by=/etc/apt/trusted.gpg.d/intel-sgx-archive-keyring.gpg] https://download.01.org/intel-sgx/sgx_repo/ubuntu/ ${UBUNTU_CODENAME} main" > /etc/apt/sources.list.d/intel-sgx.list
 )
@@ -112,8 +112,8 @@ chmod +x ./sgx_linux_x64_driver_2.11.054c9c4c.bin
 ./sgx_linux_x64_driver_2.11.054c9c4c.bin
 
 # Install the SDK to /opt/intel/sgxsdk
-chmod +x ./sgx_linux_x64_sdk_2.20.100.4.bin
-./sgx_linux_x64_sdk_2.20.100.4.bin --prefix=/opt/intel
+chmod +x ./sgx_linux_x64_sdk_2.21.100.1.bin
+./sgx_linux_x64_sdk_2.21.100.1.bin --prefix=/opt/intel
 
 apt install libsgx-uae-service sgx-aesm-service
 

diff --git a/docker/install_sgx.sh b/docker/install_sgx.sh
@@ -24,7 +24,7 @@ cd /tmp
 (
 	. /etc/os-release
 
-	wget "https://download.01.org/intel-sgx/sgx-linux/2.20/distro/ubuntu${VERSION_ID}-server/sgx_linux_x64_sdk_2.20.100.4.bin"
+	wget "https://download.01.org/intel-sgx/sgx-linux/2.21/distro/ubuntu${VERSION_ID}-server/sgx_linux_x64_sdk_2.21.100.1.bin"
 
 	echo "deb [arch=amd64 signed-by=/etc/apt/trusted.gpg.d/intel-sgx-archive-keyring.gpg] https://download.01.org/intel-sgx/sgx_repo/ubuntu/ ${UBUNTU_CODENAME} main" > /etc/apt/sources.list.d/intel-sgx.list
 )
@@ -59,8 +59,8 @@ apt-get install -yq --no-install-recommends \
 
 # Install *after* pkg-config so that they get registered correctly.
 # pkg-config gets pulled in transitively via build-essential
-chmod +x ./sgx_linux_x64_sdk_2.20.100.4.bin
-./sgx_linux_x64_sdk_2.20.100.4.bin --prefix=/opt/intel
+chmod +x ./sgx_linux_x64_sdk_2.21.100.1.bin
+./sgx_linux_x64_sdk_2.21.100.1.bin --prefix=/opt/intel
 
 # Update .bashrc to source sgxsdk
 echo 'source /opt/intel/sgxsdk/environment' >> /root/.bashrc

diff --git a/fog/ingest/enclave/build.rs b/fog/ingest/enclave/build.rs
@@ -12,7 +12,7 @@ const SGX_SIMULATION_LIBS: &[&str] = &["libsgx_urts_sim", "libsgx_epid_sim"];
 
 // Changing this version is a breaking change, you must update the crate version
 // if you do.
-const SGX_VERSION: &str = "2.20.100.4";
+const SGX_VERSION: &str = "2.21.100.1";
 
 fn main() {
     let env = Environment::default();

diff --git a/fog/ingest/enclave/measurement/build.rs b/fog/ingest/enclave/measurement/build.rs
@@ -10,7 +10,7 @@ use std::{env::var, path::PathBuf};
 
 // Changing this version is a breaking change, you must update the crate version
 // if you do.
-const SGX_VERSION: &str = "2.20.100.4";
+const SGX_VERSION: &str = "2.21.100.1";
 
 const INGEST_ENCLAVE_PRODUCT_ID: u16 = 4;
 const INGEST_ENCLAVE_SECURITY_VERSION: u16 = 7;

diff --git a/fog/ingest/enclave/trusted/build.rs b/fog/ingest/enclave/trusted/build.rs
@@ -14,7 +14,7 @@ const SGX_SIMULATION_LIBS: &[&str] = &["libsgx_urts_sim", "libsgx_epid_sim"];
 
 // Changing this version is a breaking change, you must update the crate version
 // if you do.
-const SGX_VERSION: &str = "2.20.100.4";
+const SGX_VERSION: &str = "2.21.100.1";
 
 fn main() {
     let env = Environment::default();

diff --git a/fog/ledger/enclave/build.rs b/fog/ledger/enclave/build.rs
@@ -12,7 +12,7 @@ const SGX_SIMULATION_LIBS: &[&str] = &["libsgx_urts_sim", "libsgx_epid_sim"];
 
 // Changing this version is a breaking change, you must update the crate version
 // if you do.
-const SGX_VERSION: &str = "2.20.100.4";
+const SGX_VERSION: &str = "2.21.100.1";
 
 fn main() {
     let env = Environment::default();

diff --git a/fog/ledger/enclave/measurement/build.rs b/fog/ledger/enclave/measurement/build.rs
@@ -10,7 +10,7 @@ use std::{env::var, path::PathBuf};
 
 // Changing this version is a breaking change, you must update the crate version
 // if you do.
-const SGX_VERSION: &str = "2.20.100.4";
+const SGX_VERSION: &str = "2.21.100.1";
 
 const LEDGER_ENCLAVE_PRODUCT_ID: u16 = 2;
 const LEDGER_ENCLAVE_SECURITY_VERSION: u16 = 7;

diff --git a/fog/ledger/enclave/trusted/build.rs b/fog/ledger/enclave/trusted/build.rs
@@ -14,7 +14,7 @@ const SGX_SIMULATION_LIBS: &[&str] = &["libsgx_urts_sim", "libsgx_epid_sim"];
 
 // Changing this version is a breaking change, you must update the crate version
 // if you do.
-const SGX_VERSION: &str = "2.20.100.4";
+const SGX_VERSION: &str = "2.21.100.1";
 
 fn main() {
     let env = Environment::default();

diff --git a/fog/view/enclave/build.rs b/fog/view/enclave/build.rs
@@ -12,7 +12,7 @@ const SGX_SIMULATION_LIBS: &[&str] = &["libsgx_urts_sim", "libsgx_epid_sim"];
 
 // Changing this version is a breaking change, you must update the crate version
 // if you do.
-const SGX_VERSION: &str = "2.20.100.4";
+const SGX_VERSION: &str = "2.21.100.1";
 
 fn main() {
     let env = Environment::default();

diff --git a/fog/view/enclave/measurement/build.rs b/fog/view/enclave/measurement/build.rs
@@ -10,7 +10,7 @@ use std::{env::var, path::PathBuf};
 
 // Changing this version is a breaking change, you must update the crate version
 // if you do.
-const SGX_VERSION: &str = "2.20.100.4";
+const SGX_VERSION: &str = "2.21.100.1";
 
 const VIEW_ENCLAVE_PRODUCT_ID: u16 = 3;
 const VIEW_ENCLAVE_SECURITY_VERSION: u16 = 7;

diff --git a/fog/view/enclave/trusted/build.rs b/fog/view/enclave/trusted/build.rs
@@ -14,7 +14,7 @@ const SGX_SIMULATION_LIBS: &[&str] = &["libsgx_urts_sim", "libsgx_epid_sim"];
 
 // Changing this version is a breaking change, you must update the crate version
 // if you do.
-const SGX_VERSION: &str = "2.20.100.4";
+const SGX_VERSION: &str = "2.21.100.1";
 
 fn main() {
     let env = Environment::default();

diff --git a/ops/Dockerfile-consensus b/ops/Dockerfile-consensus
@@ -19,9 +19,9 @@ RUN apt-get update -q -q && \
 
 # Install SGX Ubuntu/Debian Repo
 RUN source /etc/os-release && \
-	wget "https://download.01.org/intel-sgx/sgx-linux/2.20/distro/ubuntu${VERSION_ID}-server/sgx_linux_x64_driver_2.11.54c9c4c.bin" && \
+	wget "https://download.01.org/intel-sgx/sgx-linux/2.21/distro/ubuntu${VERSION_ID}-server/sgx_linux_x64_driver_2.11.54c9c4c.bin" && \
 
-	wget "https://download.01.org/intel-sgx/sgx-linux/2.20/distro/ubuntu${VERSION_ID}-server/sgx_linux_x64_sdk_2.20.100.4.bin" && \
+	wget "https://download.01.org/intel-sgx/sgx-linux/2.21/distro/ubuntu${VERSION_ID}-server/sgx_linux_x64_sdk_2.21.100.1.bin" && \
 	echo "deb [arch=amd64 signed-by=/usr/local/share/apt-keyrings/intel-sgx-archive-keyring.gpg] https://download.01.org/intel-sgx/sgx_repo/ubuntu/ ${UBUNTU_CODENAME} main" > /etc/apt/sources.list.d/intel-sgx.list
 
 RUN mkdir -p /usr/local/share/apt-keyrings && \