From 20caab6fec5c1b35c35eddab72dc705e0d858dfc Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?= <berrange@redhat.com>
Date: Tue, 8 Oct 2024 19:20:32 +0100
Subject: [PATCH] ae: blank out ld-linux.so interpretor path from AEs
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

The enclaves are getting built as ELF executables, and thus the linker
will embed the current ld-linux.so path for the host OS environment
in the binary:

 $ readelf -a libsgx_tdqe.signed.so | grep interpreter
      [Requesting program interpreter: /nix/store/xmprbk52mlcdsljz66m8yf7cf0xf36n1-glibc-2.38-44/lib/ld-linux-x86-64.so.2]

The SGX enclaves are never loaded using ld-linux.so, as SGX has custom
code for loading enclaves in the required manner.

This embedded ld-linux.so path thus serves no functional purpose, while
also making it harder to do a reproducible build of the enclaves outside
of the NixOS environment.

This patch blanks out the NixOX interpretor path, by setting it to the
empty string.

Related: https://github.com/intel/linux-sgx/issues/1040
Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
---
 QuoteGeneration/ae/buildenv.mk | 4 ++--
 QuoteVerification/QvE/Makefile | 6 ++++--
 2 files changed, 6 insertions(+), 4 deletions(-)

diff --git a/QuoteGeneration/ae/buildenv.mk b/QuoteGeneration/ae/buildenv.mk
index 8064913f..0aabfba5 100644
--- a/QuoteGeneration/ae/buildenv.mk
+++ b/QuoteGeneration/ae/buildenv.mk
@@ -58,8 +58,8 @@ LDTFLAGS_NO_CRYPTO = -L$(SGX_LIBRARY_PATH) -Wl,--whole-archive $(TRTSLIB) -Wl,--
             -Wl,--start-group $(EXTERNAL_LIB_NO_CRYPTO) -Wl,--end-group                    \
             -Wl,--version-script=$(WORK_DIR)/enclave.lds $(ENCLAVE_LDFLAGS)
 
-LDTFLAGS += -Wl,-Map=out.map -Wl,--undefined=version -Wl,--gc-sections
-LDTFLAGS_NO_CRYPTO += -Wl,-Map=out.map -Wl,--undefined=version -Wl,--gc-sections
+LDTFLAGS += -Wl,-Map=out.map -Wl,--undefined=version -Wl,--gc-sections -Wl,-dynamic-linker,
+LDTFLAGS_NO_CRYPTO += -Wl,-Map=out.map -Wl,--undefined=version -Wl,--gc-sections -Wl,-dynamic-linker,
 
 
 vpath %.cpp $(COMMON_DIR)/src:$(LINUX_PSW_DIR)/ae/common
diff --git a/QuoteVerification/QvE/Makefile b/QuoteVerification/QvE/Makefile
index 6532e8f8..2965afa6 100644
--- a/QuoteVerification/QvE/Makefile
+++ b/QuoteVerification/QvE/Makefile
@@ -123,7 +123,8 @@ ENCLAVE_LDFLAGS := -Wl,-z,relro,-z,now,-z,noexecstack -shared \
 				   -Wl,--build-id		\
 				   -Wl,-Bdynamic -L$(SERVTD_ATTEST_BUILD_DIR) -ltdx_verify \
 				   -Wl,-L/lib/x86_64-linux-gnu/ -lc \
-				   -Wl,--version-script=Enclave/linux/qve_migration.lds
+				   -Wl,--version-script=Enclave/linux/qve_migration.lds \
+				   -Wl,--dynamic-linker,
 else
 ENCLAVE_LDFLAGS := -Wl,-z,relro,-z,now,-z,noexecstack -fPIC \
 				   -Wl,--no-undefined -nostdlib -nodefaultlibs -nostartfiles \
@@ -135,7 +136,8 @@ ENCLAVE_LDFLAGS := -Wl,-z,relro,-z,now,-z,noexecstack -fPIC \
 				   -Wl,-pie,-eenclave_entry -Wl,--export-dynamic -Wl,-Map,qve.map \
 				   -Wl,--defsym,__ImageBase=0  \
 				   -Wl,--build-id		\
-				   -Wl,--version-script=Enclave/linux/qve.lds
+				   -Wl,--version-script=Enclave/linux/qve.lds \
+				   -Wl,--dynamic-linker,
 endif