Linux 2.14 Open Source Gold Release

Supported loading enclave at address 0.
Upgraded Intel(R) Quote Verification Enclave to integrate SgxSSL/OpenSSL version 1.1.1k.
Updated the DCAP driver V1.33 with stability fixes, released as V1.33.2. This is to support
  legacy solutions not ready to transition to the latest DCAP driver V1.41 or kernel 5.11+.
Fixed bugs.

Signed-off-by: Li, Xun <xun.li@intel.com>

Author: llly

.gitignore

@@ -18,16 +18,12 @@
 /build/
 /linux/installer/bin/*.bin
 
-
 # files downloaded in preparation phase
 Intel redistributable binary.txt
 Master_EULA_for_Intel_Sw_Development_Products.pdf
-external/ippcp_internal/inc/ippcp.h
-external/ippcp_internal/inc/ippcpdefs.h
-external/ippcp_internal/inc/ippversion.h
-external/ippcp_internal/inc/sgx_ippcp.h
-external/ippcp_internal/license/
+external/ippcp_internal/
 external/toolset/
+psw/ae/data/prebuilt/README.md
 redist.txt
 
 # directory created when running reproducibility scripts

README.md

@@ -40,6 +40,8 @@ The Linux\* Intel(R) SGX software stack is comprised of the Intel(R) SGX driver,
 
 The [SGXDataCenterAttestationPrimitives](https://github.com/intel/SGXDataCenterAttestationPrimitives/) project maintains an out-of-tree driver for the Linux\* Intel(R) SGX software stack, which will be used until the driver upstreaming process is complete. It is used on the platforms with *Flexible Launch Control* and *Intel(R) AES New Instructions* support and could support both Elliptic Curve Digital Signature algorithm (ECDSA) based attestation and Enhanced Privacy Identification (EPID) based attestation.
 
+**Note**: Ice Lake Xeon-SP (and the future Xeon-SP platforms) doesn't support EPID attestation.
+
 The [linux-sgx-driver](https://github.com/01org/linux-sgx-driver) project hosts the other out-of-tree driver for the Linux\* Intel(R) SGX software stack, which will be used until the driver upstreaming process is complete. It is used to support Enhanced Privacy Identification (EPID) based attestation on the platforms without *Flexible Launch Control*. 
 
 The [intel-device-plugins-for-kubernetes](https://github.com/intel/intel-device-plugins-for-kubernetes) project enables users to run container applications running Intel(R) SGX enclaves in Kubernetes clusters. It also gives instructions how to set up ECDSA based attestation in a cluster.

SampleCode/SampleEnclave/App/Edger8rSyntax/Pointers.cpp

@@ -50,19 +50,19 @@ void edger8r_pointer_attributes(void)
     assert(strcmp(c, "SGX_SUCCESS") == 0);
 
 
-    val = 0;
+    val = 1;
     ret = ecall_pointer_in(global_eid, &val);
     if (ret != SGX_SUCCESS)
         abort();
-    assert(val == 0);
+    assert(val == 1);
 
-    val = 0;
+    val = 1;
     ret = ecall_pointer_out(global_eid, &val);
     if (ret != SGX_SUCCESS)
         abort();
     assert(val == 1234);
 
-    val = 0;
+    val = 1;
     ret = ecall_pointer_in_out(global_eid, &val);
     if (ret != SGX_SUCCESS)
         abort();

SampleCode/SampleEnclave/Enclave/Edger8rSyntax/Pointers.cpp

@@ -98,6 +98,7 @@ void ecall_pointer_in(int* val)
 {
     if (sgx_is_within_enclave(val, sizeof(int)) != 1)
         abort();
+    assert(*val == 1);
     *val = 1234;
 }
 
@@ -119,6 +120,7 @@ void ecall_pointer_in_out(int* val)
 {
     if (sgx_is_within_enclave(val, sizeof(int)) != 1)
         abort();
+    assert(*val == 1);
     *val = 1234;
 }
 

build-scripts/sgx-asm-pp.py

@@ -30,6 +30,7 @@
 #
 #
 
+
 __version__ = '1.0.1'
 import sys
 import os

common/inc/internal/enclave_creator.h

@@ -57,11 +57,13 @@ class EnclaveCreator : private Uncopyable
 {
 public:
     /*
-    @quote      the EPC reserved;
-    @enclave_id identify the unique enclave;
-    @start_addr is the linear address allocated for Enclave;
+    @secs          is a pointer to the architecture-specific information to use to create the enclave;
+    @enclave_id    identify the unique enclave;
+    @start_addr    is the linear address allocated for enclave;
+    @ex_features   is the bitmask defining the extended features to activate on the enclave creation;
+    @ex_features_p is the array of pointers to extended feature control structures;
     */
-    virtual int create_enclave(secs_t *secs, sgx_enclave_id_t *enclave_id, void **start_addr, bool ae = false) = 0;
+    virtual int create_enclave(secs_t *secs, sgx_enclave_id_t *enclave_id, void **start_addr, const uint32_t ex_features, const void* ex_features_p[32]) = 0;
     /*
     *@attr can be REMOVABLE
     */
@@ -83,6 +85,7 @@ class EnclaveCreator : private Uncopyable
     virtual int trim_range(uint64_t fromaddr, uint64_t toaddr) = 0;
     virtual int trim_accept(uint64_t addr) = 0;
     virtual int remove_range(uint64_t fromaddr, uint64_t numpages) = 0;
+    
     // destructor
     virtual ~EnclaveCreator() {};
 };

common/inc/internal/global_data.h

@@ -48,7 +48,7 @@
 typedef struct _global_data_t
 {
     sys_word_t     sdk_version;
-    sys_word_t     enclave_size;
+    sys_word_t     enclave_size;            /* the size of the virtual address range that the enclave will use*/
     sys_word_t     heap_offset;
     sys_word_t     heap_size;
     sys_word_t     rsrv_offset;
@@ -61,6 +61,9 @@ typedef struct _global_data_t
     uint32_t       layout_entry_num;
     uint32_t       reserved;
     layout_t       layout_table[LAYOUT_ENTRY_NUM];
+    uint64_t       enclave_image_address;   /* the base address of the enclave image */
+    uint64_t       elrange_start_address;   /* the base address provided in the enclave's SECS (SECS.BASEADDR) */
+    uint64_t       elrange_size;            /* the size of the enclave address range provided in the enclave's SECS (SECS.SIZE) */
 } global_data_t;
 
 #define ENCLAVE_INIT_NOT_STARTED  0

common/inc/internal/metadata.h

@@ -40,6 +40,12 @@
 #define MAJOR_VERSION 2                 //MAJOR_VERSION should not larger than 0ffffffff
 #define MINOR_VERSION 4                 //MINOR_VERSION should not larger than 0ffffffff
 
+#define SGX_2_ELRANGE_MAJOR_VERSION 12
+#define SGX_1_ELRANGE_MAJOR_VERSION 11
+
+#define SGX_MAJOR_VERSION_GAP 10
+
+
 #define SGX_2_1_MAJOR_VERSION 2         //MAJOR_VERSION should not larger than 0ffffffff
 #define SGX_2_1_MINOR_VERSION 2         //MINOR_VERSION should not larger than 0ffffffff
 
@@ -168,6 +174,13 @@ typedef struct _patch_entry_t
     uint32_t reserved[4];
 } patch_entry_t;
 
+typedef struct _elrange_config_entry_t
+{
+    uint64_t enclave_image_address;
+    uint64_t elrange_start_address;
+    uint64_t elrange_size;
+}elrange_config_entry_t;
+
 typedef struct _metadata_t 
 {
     uint64_t            magic_num;             /* The magic number identifying the file as a signed enclave image */

common/inc/internal/se_debugger_lib.h

@@ -87,6 +87,7 @@ typedef struct _debug_enclave_info_t
     PADDED_POINTER(void, lpFileName);
     PADDED_POINTER(void, g_peak_heap_used_addr);
     PADDED_POINTER(void, g_peak_rsrv_mem_committed_addr);
+    uint64_t elrange_start_address;
     PADDED_POINTER(void, dyn_sec);
     sgx_misc_select_t  misc_select;
     /* The following members are optional or unused */

common/inc/internal/se_version.h

@@ -31,20 +31,20 @@
 #ifndef _SE_VERSION_H_
 #define _SE_VERSION_H_
 
-#define STRFILEVER    "2.13.103.1"
+#define STRFILEVER    "2.14.100.2"
 #define SGX_MAJOR_VERSION       2
-#define SGX_MINOR_VERSION       13
-#define SGX_REVISION_VERSION    103
+#define SGX_MINOR_VERSION       14
+#define SGX_REVISION_VERSION    100
 #define MAKE_VERSION_UINT(major,minor,rev)  (((uint64_t)major)<<32 | ((uint64_t)minor) << 16 | rev)
 #define VERSION_UINT        MAKE_VERSION_UINT(SGX_MAJOR_VERSION, SGX_MINOR_VERSION, SGX_REVISION_VERSION)
 
 #define COPYRIGHT      "Copyright (C) 2021 Intel Corporation"
 
-#define UAE_SERVICE_VERSION       "2.3.210.1"
-#define URTS_VERSION              "1.1.114.1"
-#define ENCLAVE_COMMON_VERSION    "1.0.117.1"
-#define LAUNCH_VERSION            "1.0.112.1"
-#define EPID_VERSION              "1.0.112.1"
-#define QUOTE_EX_VERSION          "1.1.112.1"
+#define UAE_SERVICE_VERSION       "2.3.211.2"
+#define URTS_VERSION              "1.1.115.2"
+#define ENCLAVE_COMMON_VERSION    "1.1.118.2"
+#define LAUNCH_VERSION            "1.0.113.2"
+#define EPID_VERSION              "1.0.113.2"
+#define QUOTE_EX_VERSION          "1.1.113.2"
 
 #endif