Linux 2.13.1 Open Source Gold Release

Upgraded Intel(R) Integrated Performance Primitives (IPP) Cryptography library to version 2020 update 3.
Upgraded Intel(R) SGX Architecture Enclaves based on new IPP crypto library.
Fixed bugs.

Signed-off-by: Li, Xun <xun.li@intel.com>

Author: llly

.gitmodules

@@ -12,4 +12,4 @@
 [submodule "ipp-crypto"]
 	path = external/ippcp_internal/ipp-crypto
 	url = https://github.com/intel/ipp-crypto.git
-	branch = ipp-crypto_2019_update5
+	branch = ipp-crypto_2020_update3

build-scripts/sgx-asm-pp.py

@@ -31,20 +31,20 @@
 #ifndef _SE_VERSION_H_
 #define _SE_VERSION_H_
 
-#define STRFILEVER    "2.13.100.4"
+#define STRFILEVER    "2.13.101.2"
 #define SGX_MAJOR_VERSION       2
 #define SGX_MINOR_VERSION       13
-#define SGX_REVISION_VERSION    100
+#define SGX_REVISION_VERSION    101
 #define MAKE_VERSION_UINT(major,minor,rev)  (((uint64_t)major)<<32 | ((uint64_t)minor) << 16 | rev)
 #define VERSION_UINT        MAKE_VERSION_UINT(SGX_MAJOR_VERSION, SGX_MINOR_VERSION, SGX_REVISION_VERSION)
 
 #define COPYRIGHT      "Copyright (C) 2021 Intel Corporation"
 
-#define UAE_SERVICE_VERSION       "2.3.207.4"
-#define URTS_VERSION              "1.1.111.4"
-#define ENCLAVE_COMMON_VERSION    "1.0.114.4"
-#define LAUNCH_VERSION            "1.0.109.4"
-#define EPID_VERSION              "1.0.109.4"
-#define QUOTE_EX_VERSION          "1.1.109.4"
+#define UAE_SERVICE_VERSION       "2.3.208.2"
+#define URTS_VERSION              "1.1.112.2"
+#define ENCLAVE_COMMON_VERSION    "1.0.115.2"
+#define LAUNCH_VERSION            "1.0.110.2"
+#define EPID_VERSION              "1.0.110.2"
+#define QUOTE_EX_VERSION          "1.1.110.2"
 
 #endif

common/inc/internal/se_version.h

@@ -33,11 +33,11 @@
 
 top_dir=`dirname $0`
 out_dir=$top_dir
-optlib_name=optimized_libs_2.13.tar.gz
-ae_file_name=prebuilt_ae_2.13.tar.gz
+optlib_name=optimized_libs_2.13.1.tar.gz
+ae_file_name=prebuilt_ae_2.13.1.tar.gz
 binutils_file_name=as.ld.objdump.gold.r3.tar.gz
-checksum_file=SHA256SUM_prebuilt_2.13.cfg
-server_url_path=https://download.01.org/intel-sgx/sgx-linux/2.13
+checksum_file=SHA256SUM_prebuilt_2.13.1.cfg
+server_url_path=https://download.01.org/intel-sgx/sgx-linux/2.13.1
 server_optlib_url=$server_url_path/$optlib_name
 server_ae_url=$server_url_path/$ae_file_name
 server_binutils_url=$server_url_path/$binutils_file_name

download_prebuilt.sh

@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2011-2019 Intel Corporation. All rights reserved.
+ * Copyright (C) 2011-2021 Intel Corporation. All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
@@ -83,6 +83,7 @@ extern "C" {
   #define ippsAESDecryptCTR sgx_disp_ippsAESDecryptCTR
   #define ippsAESEncryptXTS_Direct sgx_disp_ippsAESEncryptXTS_Direct
   #define ippsAESDecryptXTS_Direct sgx_disp_ippsAESDecryptXTS_Direct
+  #define ippsAES_EncryptCFB16_MB sgx_disp_ippsAES_EncryptCFB16_MB
   #define ippsSMS4GetSize sgx_disp_ippsSMS4GetSize
   #define ippsSMS4Init sgx_disp_ippsSMS4Init
   #define ippsSMS4SetKey sgx_disp_ippsSMS4SetKey
@@ -347,6 +348,14 @@ extern "C" {
   #define ippsRSAVerify_PKCS1v15 sgx_disp_ippsRSAVerify_PKCS1v15
   #define ippsRSASign_PKCS1v15_rmf sgx_disp_ippsRSASign_PKCS1v15_rmf
   #define ippsRSAVerify_PKCS1v15_rmf sgx_disp_ippsRSAVerify_PKCS1v15_rmf
+  #define ippsRSA_MB_GetBufferSizePublicKey sgx_disp_ippsRSA_MB_GetBufferSizePublicKey
+  #define ippsRSA_MB_GetBufferSizePrivateKey sgx_disp_ippsRSA_MB_GetBufferSizePrivateKey
+  #define ippsRSA_MB_Encrypt sgx_disp_ippsRSA_MB_Encrypt
+  #define ippsRSA_MB_Decrypt sgx_disp_ippsRSA_MB_Decrypt
+  #define ippsRSA_MB_Sign_PSS_rmf sgx_disp_ippsRSA_MB_Sign_PSS_rmf
+  #define ippsRSA_MB_Verify_PSS_rmf sgx_disp_ippsRSA_MB_Verify_PSS_rmf
+  #define ippsRSA_MB_Sign_PKCS1v15_rmf sgx_disp_ippsRSA_MB_Sign_PKCS1v15_rmf
+  #define ippsRSA_MB_Verify_PKCS1v15_rmf sgx_disp_ippsRSA_MB_Verify_PKCS1v15_rmf
   #define ippsDLGetResultString sgx_disp_ippsDLGetResultString
   #define ippsDLPGetSize sgx_disp_ippsDLPGetSize
   #define ippsDLPInit sgx_disp_ippsDLPInit
@@ -509,7 +518,9 @@ extern "C" {
   #define ippsGFpECSetPointRandom sgx_disp_ippsGFpECSetPointRandom
   #define ippsGFpECMakePoint sgx_disp_ippsGFpECMakePoint
   #define ippsGFpECSetPointHash sgx_disp_ippsGFpECSetPointHash
+  #define ippsGFpECSetPointHashBackCompatible sgx_disp_ippsGFpECSetPointHashBackCompatible
   #define ippsGFpECSetPointHash_rmf sgx_disp_ippsGFpECSetPointHash_rmf
+  #define ippsGFpECSetPointHashBackCompatible_rmf sgx_disp_ippsGFpECSetPointHashBackCompatible_rmf
   #define ippsGFpECGetPoint sgx_disp_ippsGFpECGetPoint
   #define ippsGFpECGetPointRegular sgx_disp_ippsGFpECGetPointRegular
   #define ippsGFpECSetPointOctString sgx_disp_ippsGFpECSetPointOctString

external/dcap_source

@@ -34,8 +34,7 @@ include ../../buildenv.mk
 DIR = $(CURDIR)
 
 IPP_CONFIG = -Bbuild -DCMAKE_VERBOSE_MAKEFILE=on
-# Set the mitigation version assembler for IPP assembly code build
-IPP_CONFIG += -DCMAKE_ASM-ATT_COMPILER="$(BINUTILS_DIR)/as"
+
 # Ignore the CMAKE C/C++ compiler check to avoid conflicts with mitigation options
 IPP_CONFIG += -DCMAKE_C_COMPILER_WORKS=TRUE -DCMAKE_CXX_COMPILER_WORKS=TRUE 
 IPP_SOURCE = ipp-crypto
@@ -49,29 +48,23 @@ ENC_CXXFLAGS = $(ENC_CFLAGS)
 
 IPP_CONFIG += -DCMAKE_C_FLAGS="$(ENC_CFLAGS)"
 IPP_CONFIG += -DCMAKE_CXX_FLAGS="$(ENC_CXXFLAGS)"
-comma:= ,
-ASM_FLAGS = $(subst -Wa$(comma),,$(MITIGATION_ASFLAGS))
-ENC_ASM_FLAGS = $(patsubst -fno-plt, , $(ASM_FLAGS))
-
-IPP_CONFIG += -DCMAKE_ENC_ASM_FLAGS="$(ENC_ASM_FLAGS)"
 
 SUB_DIR = no_mitigation
 ifeq ($(MITIGATION-CVE-2020-0551), LOAD)
 	SUB_DIR = cve_2020_0551_load
+	PRE_CONFIG= ASM_NASM="python $(DIR)/../../build-scripts/sgx-asm-pp.py --assembler=nasm --MITIGATION-CVE-2020-0551=LOAD"
 else ifeq ($(MITIGATION-CVE-2020-0551), CF)
 	SUB_DIR = cve_2020_0551_cf
+	PRE_CONFIG= ASM_NASM="python $(DIR)/../../build-scripts/sgx-asm-pp.py --assembler=nasm --MITIGATION-CVE-2020-0551=CF"
 endif
 OUT_DIR = lib/linux/$(ARCH)/$(SUB_DIR)/
 
-PATCH_LOG = $(shell cd ./$(IPP_SOURCE) && git log --oneline --grep='Add mitigation support to assembly code' | cut -d' ' -f 3)
-CHECK_PATCHED :=
+CHECK_SOURCE :=
 # For reproducibility build in docker, the code should be 
 # prepared before build. So skip the code check to avoid
 # triggering network request 
 ifneq ($(origin NIX_PATH), environment)
-ifneq ($(PATCH_LOG), mitigation)
-CHECK_PATCHED:= ipp_source
-endif
+CHECK_SOURCE:= ipp_source
 endif
 
 .PHONY: all build_ipp
@@ -80,23 +73,21 @@ all: build_ipp
 	$(MKDIR) $(OUT_DIR)
 	$(CP) ipp-crypto/build/.build/RELEASE/lib/libippcp.a $(OUT_DIR)
 	$(CP) ipp-crypto/include/* ./inc/
-	patch ipp-crypto/include/ippcp.h -i ./inc/ippcp19u5.patch -o ./inc/ippcp.h
+	patch ipp-crypto/include/ippcp.h -i ./inc/ippcp20u3.patch -o ./inc/ippcp.h
 	$(MKDIR) license
 	$(CP) ipp-crypto/LICENSE ./license/
 
-build_ipp: $(CHECK_PATCHED)
-	cd $(IPP_SOURCE) && cmake CMakeLists.txt $(IPP_CONFIG) && cd build && make ippcp_s
+build_ipp: $(CHECK_SOURCE)
+	cd $(IPP_SOURCE) && $(PRE_CONFIG) cmake CMakeLists.txt $(IPP_CONFIG) && cd build && make ippcp_s
 
 .PHONY: ipp_source
 ipp_source:
-## Need to enable below code when release
-#ifeq ($(shell git rev-parse --is-inside-work-tree), true)
-#	git submodule update -f --init --recursive --remote -- $(IPP_SOURCE)
-#else
+ifeq ($(shell git rev-parse --is-inside-work-tree), true)
+	git submodule update -f --init --recursive --remote -- $(IPP_SOURCE)
+else
 	$(RM) -rf $(IPP_SOURCE)
-	git clone -b ipp-crypto_2019_update5  https://github.com/intel/ipp-crypto.git --depth 1 $(IPP_SOURCE)
-#endif
-	cd $(IPP_SOURCE) && git am ../0001-Add-mitigation-support-to-assembly-code.patch
+	git clone -b ipp-crypto_2020_update3 https://github.com/intel/ipp-crypto.git --depth 1 $(IPP_SOURCE)
+endif
 
 .PHONY: clean
 clean:

external/epid-sdk/ext/ipp/include/sgx_ippcp.h

@@ -0,0 +1,12 @@
+--- ipp-crypto/include/ippcp.h	2021-01-15 01:05:21.173829157 -0800
++++ inc/ippcp.h	2021-01-15 01:13:36.269813105 -0800
+@@ -23,6 +23,9 @@
+ #if !defined( IPPCP_H__ ) || defined( _OWN_BLDPCS )
+ #define IPPCP_H__
+ 
++#ifndef _SGX_IPPCP_H_
++#include "sgx_ippcp.h"
++#endif
+ 
+ #ifndef IPPCPDEFS_H__
+   #include "ippcpdefs.h"