Linux 2.15 Open Source Gold Release

Upgraded Intel(R) Integrated Performance Primitives Cryptography library to version 2021 update 3.
Upgraded Intel(R) SGX Architecture Enclaves based on new IPP crypto library.
Added software prevention of fault injection attacks.
Upgraded to GNU Binutils 2.36.1. Stopped providing ld.gold (developers should use ld instead).
Supported Google Protobuf C++.
Enabled C++14 within SGX SDK.
Added SM2/3/4 Samples.
Fixed bugs.

Signed-off-by: Zhang Lili <lili.z.zhang@intel.com>

Author: lzha101

.gitignore

@@ -21,7 +21,11 @@
 # files downloaded in preparation phase
 Intel redistributable binary.txt
 Master_EULA_for_Intel_Sw_Development_Products.pdf
-external/ippcp_internal/
+external/ippcp_internal/inc/ippcp.h
+external/ippcp_internal/inc/ippcpdefs.h
+external/ippcp_internal/inc/ippversion.h
+external/ippcp_internal/inc/sgx_ippcp.h
+external/ippcp_internal/license/
 external/toolset/
 psw/ae/data/prebuilt/README.md
 redist.txt

.gitmodules

@@ -12,4 +12,8 @@
 [submodule "ipp-crypto"]
 	path = external/ippcp_internal/ipp-crypto
 	url = https://github.com/intel/ipp-crypto.git
-	branch = ipp-crypto_2020_update3
+	branch = ipp-crypto_2021_3
+[submodule "external/protobuf/protobuf_code"]
+	path = external/protobuf/protobuf_code
+	url = https://github.com/protocolbuffers/protobuf.git
+	branch = 3.14.x

Makefile

@@ -53,6 +53,7 @@ preparation:
 	git submodule update --init --recursive
 	./external/dcap_source/QuoteVerification/prepare_sgxssl.sh nobuild
 	cd external/openmp/openmp_code && git apply ../0001-Enable-OpenMP-in-SGX.patch >/dev/null 2>&1 ||  git apply ../0001-Enable-OpenMP-in-SGX.patch --check -R
+	cd external/protobuf/protobuf_code && git apply ../sgx_protobuf.patch >/dev/null 2>&1 ||  git apply ../sgx_protobuf.patch --check -R
 	@# download prebuilt binaries
 	./download_prebuilt.sh
 	./external/dcap_source/QuoteGeneration/download_prebuilt.sh

README.md

@@ -46,6 +46,10 @@ The [linux-sgx-driver](https://github.com/01org/linux-sgx-driver) project hosts
 
 The [intel-device-plugins-for-kubernetes](https://github.com/intel/intel-device-plugins-for-kubernetes) project enables users to run container applications running Intel(R) SGX enclaves in Kubernetes clusters. It also gives instructions how to set up ECDSA based attestation in a cluster.
 
+
+The [intel-sgx-ssl](https://github.com/intel/intel-sgx-ssl) project provides a full-strength general purpose cryptography library for Intel(R) SGX enclave applications. It is based on the underlying OpenSSL* Open Source project. Intel(R) SGX provides a build combination to build out a SGXSSL based SDK as [below](#build-the-intelr-sgx-sdk-and-intelr-sgx-sdk-installer). Users could also utilize this cryptography library in SGX enclave applications seperately.
+
+
 This repository provides a reference implementation of a Launch Enclave for 'Flexible Launch Control' under [psw/ae/ref_le](psw/ae/ref_le). The reference LE implementation can be used as a basis for enforcing different launch control policy by the platform developer or owner. To build and try it by yourself, please refer to the [ref_le.md](psw/ae/ref_le/ref_le.md) for details.
 
 License
@@ -87,10 +91,8 @@ Build the Intel(R) SGX SDK and Intel(R) SGX PSW Package
   * Ubuntu\* 18.04 LTS Server 64bits
   * Ubuntu\* 20.04 LTS Desktop 64bits
   * Ubuntu\* 20.04 LTS Server 64bits
-  * Red Hat Enterprise Linux Server release 7.6 64bits
   * Red Hat Enterprise Linux Server release 8.2 64bits
   * CentOS 8.2 64bits
-  * Fedora 31 Server 64bits
 
 - Use the following command(s) to install the required tools to build the Intel(R) SGX SDK:  
   * On Ubuntu 18.04:
@@ -101,7 +103,7 @@ Build the Intel(R) SGX SDK and Intel(R) SGX PSW Package
   ```
     $ sudo apt-get install build-essential ocaml ocamlbuild automake autoconf libtool wget python-is-python3 libssl-dev git cmake perl
   ```
-  * On Red Hat Enterprise Linux 7.6, Red Hat Enterprise Linux 8.2:
+  * On Red Hat Enterprise Linux 8.2:
   ```
     $ sudo yum groupinstall 'Development Tools'
     $ sudo yum install ocaml ocaml-ocamlbuild wget python2 openssl-devel git cmake perl
@@ -113,19 +115,14 @@ Build the Intel(R) SGX SDK and Intel(R) SGX PSW Package
     $ sudo dnf --enablerepo=PowerTools install ocaml ocaml-ocamlbuild redhat-rpm-config openssl-devel wget rpm-build git cmake perl python2
     $ sudo alternatives --set python /usr/bin/python2
   ```
-  * On Fedora 31:
-  ```
-    $ sudo yum groupinstall 'C Development Tools and Libraries'
-    $ sudo yum install ocaml ocaml-ocamlbuild redhat-rpm-config openssl-devel wget python rpm-build git cmake perl
-  ```
-   **Note**:  To build Intel(R) SGX SDK, gcc version is required to be 7.3 or above and glibc version is required to be 2.27 or above. For Red Hat Enterprise Linux 7.6, you may need to update gcc and glibc version manually.
+   **Note**:  To build Intel(R) SGX SDK, gcc version is required to be 7.3 or above and glibc version is required to be 2.27 or above.
 - Use the following command to install additional required tools and latest Intel(R) SGX SDK Installer to build the Intel(R) SGX PSW:  
   1)  To install the additional required tools:
       * On Ubuntu 18.04 and Ubuntu 20.04:
       ```
         $ sudo apt-get install libssl-dev libcurl4-openssl-dev protobuf-compiler libprotobuf-dev debhelper cmake reprepro unzip
       ```
-      * On Red Hat Enterprise Linux 7.6, Red Hat Enterprise Linux 8.2 and Fedora 31:
+      * On Red Hat Enterprise Linux 8.2:
       ```
         $ sudo yum install openssl-devel libcurl-devel protobuf-devel cmake rpm-build createrepo yum-utils
       ```
@@ -234,7 +231,7 @@ You can find the tools and libraries generated in the `build/linux` directory.
   ```
   $ make deb_psw_pkg DEBUG=1
   ```
-  * On Red Hat Enterprise Linux 7.6, Red Hat Enterprise Linux 8.2, CentOS 8.2 and Fedora 31:
+  * On Red Hat Enterprise Linux 8.2 and CentOS 8.2:
   ```
   $ make rpm_psw_pkg
   ```
@@ -278,12 +275,12 @@ You can find the tools and libraries generated in the `build/linux` directory.
   **Note**: The above command builds the local package repository. If you want to use it, you need to add it to the system repository configuration. Since the local package repository is not signed with GPG, you should ignore the gpgcheck when installing the packages.
 
   - To add the local RPM package repository to the system repository configuration, you can use the following command. You need to replace PATH_TO_LOCAL_REPO with the proper path on your system:
-  * On Red Hat Enterprise Linux 7.6, Red Hat Enterprise Linux 8.2, CentOS 8.2, Fedora 31:
+  * On Red Hat Enterprise Linux 8.2 and CentOS 8.2:
   ```
   $ sudo yum-config-manager --add-repo file://PATH_TO_LOCAL_REPO
   ```
   - To ignore the gpgcheck when you install the package, enter the following command:
-  * On Red Hat Enterprise Linux 7.6, Red Hat Enterprise Linux 8.2, CentOS 8.2, Fedora 31:
+  * On Red Hat Enterprise Linux 8.2 and CentOS 8.2:
   ```
   $ sudo yum --nogpgcheck install <package>
   ```
@@ -296,25 +293,19 @@ Install the Intel(R) SGX SDK
   * Ubuntu\* 18.04 LTS Server 64bits
   * Ubuntu\* 20.04 LTS Desktop 64bits
   * Ubuntu\* 20.04 LTS Server 64bits
-  * Red Hat Enterprise Linux Server release 7.6 64bits
   * Red Hat Enterprise Linux Server release 8.2 64bits
   * CentOS 8.2 64bits
-  * Fedora 31 Server 64bits
 - Use the following command to install the required tool to use Intel(R) SGX SDK:
   * On Ubuntu 18.04 and Ubuntu 20.04:
   ```  
     $ sudo apt-get install build-essential python
   ```
-  * On Red Hat Enterprise Linux 7.6, Red Hat Enterprise Linux 8.2 and CentOS 8.2:
+  * On Red Hat Enterprise Linux 8.2 and CentOS 8.2:
   ```
      $ sudo yum groupinstall 'Development Tools'
      $ sudo yum install python2
      $ sudo alternatives --set python /usr/bin/python2 
   ```
-  * On Fedora 31:
-  ```
-     $ sudo yum groupinstall 'C Development Tools and Libraries'
-  ```
 
 ### Install the Intel(R) SGX SDK
 To install the Intel(R) SGX SDK, invoke the installer, as follows:
@@ -330,7 +321,7 @@ NOTE: You need to set up the needed environment variables before compiling your
 ### Test the Intel(R) SGX SDK Package with the Code Samples
 - Compile and run each code sample in Simulation mode to make sure the package works well:    
 ```
-  $ cd SampleCode/LocalAttestation
+  $ cd ${sgx-sdk-install-path}/SampleCode/LocalAttestation
   $ make SGX_MODE=SIM
   $ cd bin
   $ ./app
@@ -344,7 +335,7 @@ See the earlier topic, *Build and Install the Intel(R) SGX Driver*, for informat
 See the later topic, *Install Intel(R) SGX PSW*, for information on how to install the PSW package.
 - Compile and run each code sample in Hardware mode, Debug build, as follows:  
 ```
-  $ cd SampleCode/LocalAttestation
+  $ cd ${sgx-sdk-install-path}/SampleCode/LocalAttestation
   $ make
   $ cd bin
   $ ./app
@@ -360,10 +351,8 @@ Install the Intel(R) SGX PSW
   * Ubuntu\* 18.04 LTS Server 64bits
   * Ubuntu\* 20.04 LTS Desktop 64bits
   * Ubuntu\* 20.04 LTS Server 64bits
-  * Red Hat Enterprise Linux Server release 7.6 64bits
   * Red Hat Enterprise Linux Server release 8.2 64bits
   * CentOS 8.2 64bits
-  * Fedora 31 Server 64bits
 - Ensure that you have a system with the following required hardware:  
   * 6th Generation Intel(R) Core(TM) Processor or newer
 - Configure the system with the **Intel SGX hardware enabled** option and install Intel(R) SGX driver in advance.  
@@ -373,7 +362,7 @@ Install the Intel(R) SGX PSW
   ```
     $ sudo apt-get install libssl-dev libcurl4-openssl-dev libprotobuf-dev
   ```
-  * On Red Hat Enterprise Linux 7.6, Red Hat Enterprise Linux 8.2 and Fedora 31:  
+  * On Red Hat Enterprise Linux 8.2:  
   ```
     $ sudo yum install openssl-devel libcurl-devel protobuf-devel
   ```
@@ -387,7 +376,7 @@ The SGX PSW provides 3 services: launch, EPID-based attestation, and algorithm a
 
 #### Using the local repo(recommended)
 
-|   |Ubuntu 18.04 and Ubuntu 20.04|Red Hat Enterprise Linux 7.6, Red Hat Enterprise Linux 8.2, CentOS 8.2, Fedora 31|
+|   |Ubuntu 18.04 and Ubuntu 20.04|Red Hat Enterprise Linux 8.2, CentOS 8.2|
 | ------------ | ------------ | ------------ |
 |launch service |apt-get install libsgx-launch libsgx-urts|yum install libsgx-launch libsgx-urts|
 |EPID-based attestation service|apt-get install libsgx-epid libsgx-urts|yum install libsgx-epid libsgx-urts|

SampleCode/Cxx14SGXDemo/App/App.cpp

@@ -0,0 +1,211 @@
+/*
+ * Copyright (C) 2011-2021 Intel Corporation. All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ *   * Redistributions of source code must retain the above copyright
+ *     notice, this list of conditions and the following disclaimer.
+ *   * Redistributions in binary form must reproduce the above copyright
+ *     notice, this list of conditions and the following disclaimer in
+ *     the documentation and/or other materials provided with the
+ *     distribution.
+ *   * Neither the name of Intel Corporation nor the names of its
+ *     contributors may be used to endorse or promote products derived
+ *     from this software without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+ * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+ * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
+ * A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
+ * OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
+ * LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+ * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+ * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+ * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ *
+ */
+
+#include <stdio.h>
+#include <string.h>
+#include <assert.h>
+
+# include <unistd.h>
+# include <pwd.h>
+# define MAX_PATH FILENAME_MAX
+
+#include "sgx_urts.h"
+#include "App.h"
+#include "Enclave_u.h"
+
+/* Global EID shared by multiple threads */
+sgx_enclave_id_t global_eid = 0;
+
+typedef struct _sgx_errlist_t {
+    sgx_status_t err;
+    const char *msg;
+    const char *sug; /* Suggestion */
+} sgx_errlist_t;
+
+/* Error code returned by sgx_create_enclave */
+static sgx_errlist_t sgx_errlist[] = {
+    {
+        SGX_ERROR_UNEXPECTED,
+        "Unexpected error occurred.",
+        NULL
+    },
+    {
+        SGX_ERROR_INVALID_PARAMETER,
+        "Invalid parameter.",
+        NULL
+    },
+    {
+        SGX_ERROR_OUT_OF_MEMORY,
+        "Out of memory.",
+        NULL
+    },
+    {
+        SGX_ERROR_ENCLAVE_LOST,
+        "Power transition occurred.",
+        "Please refer to the sample \"PowerTransition\" for details."
+    },
+    {
+        SGX_ERROR_INVALID_ENCLAVE,
+        "Invalid enclave image.",
+        NULL
+    },
+    {
+        SGX_ERROR_INVALID_ENCLAVE_ID,
+        "Invalid enclave identification.",
+        NULL
+    },
+    {
+        SGX_ERROR_INVALID_SIGNATURE,
+        "Invalid enclave signature.",
+        NULL
+    },
+    {
+        SGX_ERROR_OUT_OF_EPC,
+        "Out of EPC memory.",
+        NULL
+    },
+    {
+        SGX_ERROR_NO_DEVICE,
+        "Invalid SGX device.",
+        "Please make sure SGX module is enabled in the BIOS, and install SGX driver afterwards."
+    },
+    {
+        SGX_ERROR_MEMORY_MAP_CONFLICT,
+        "Memory map conflicted.",
+        NULL
+    },
+    {
+        SGX_ERROR_INVALID_METADATA,
+        "Invalid enclave metadata.",
+        NULL
+    },
+    {
+        SGX_ERROR_DEVICE_BUSY,
+        "SGX device was busy.",
+        NULL
+    },
+    {
+        SGX_ERROR_INVALID_VERSION,
+        "Enclave version was invalid.",
+        NULL
+    },
+    {
+        SGX_ERROR_INVALID_ATTRIBUTE,
+        "Enclave was not authorized.",
+        NULL
+    },
+    {
+        SGX_ERROR_ENCLAVE_FILE_ACCESS,
+        "Can't open enclave file.",
+        NULL
+    },
+    {
+        SGX_ERROR_NDEBUG_ENCLAVE,
+        "The enclave is signed as product enclave, and can not be created as debuggable enclave.",
+        NULL
+    },
+};
+
+/* Check error conditions for loading enclave */
+void print_error_message(sgx_status_t ret)
+{
+    size_t idx = 0;
+    size_t ttl = sizeof sgx_errlist/sizeof sgx_errlist[0];
+
+    for (idx = 0; idx < ttl; idx++) {
+        if(ret == sgx_errlist[idx].err) {
+            if(NULL != sgx_errlist[idx].sug)
+                printf("Info: %s\n", sgx_errlist[idx].sug);
+            printf("Error: %s\n", sgx_errlist[idx].msg);
+            break;
+        }
+    }
+    
+    if (idx == ttl)
+        printf("Error: Unexpected error occurred.\n");
+}
+
+/* Initialize the enclave:
+ *   Call sgx_create_enclave to initialize an enclave instance
+ */
+int initialize_enclave(void)
+{
+    sgx_status_t ret = SGX_ERROR_UNEXPECTED;
+    
+    /* Call sgx_create_enclave to initialize an enclave instance */
+    /* Debug Support: set 2nd parameter to 1 */
+    ret = sgx_create_enclave(ENCLAVE_FILENAME, SGX_DEBUG_FLAG, NULL, NULL, &global_eid, NULL);
+    if (ret != SGX_SUCCESS) {
+        print_error_message(ret);
+        return -1;
+    }
+
+    return 0;
+}
+
+/* OCall functions */
+void ocall_print_string(const char *str)
+{
+    /* Proxy/Bridge will check the length and null-terminate 
+     * the input string to prevent buffer overflow. 
+     */
+    printf("%s", str);
+}
+
+
+/* Application entry */
+int SGX_CDECL main(int argc, char *argv[])
+{
+    (void)(argc);
+    (void)(argv);
+
+
+    /* Initialize the enclave */
+    if(initialize_enclave() < 0){
+        printf("Enter a character before exit ...\n");
+        getchar();
+        return -1; 
+    }
+ 
+    
+    /* Utilize trusted libraries */ 
+    ecall_libcxx_functions();
+    
+    /* Destroy the enclave */
+    sgx_destroy_enclave(global_eid);
+    
+    printf("Info: Cxx14DemoEnclave successfully returned.\n");
+
+    //printf("Enter a character before exit ...\n");
+    //getchar();
+    return 0;
+}
+