sgx-ssl: 1.1.1l -> 1.1.1u
Release notes: <https://github.com/intel/intel-sgx-ssl/releases/tag/lin_2.21_1.1.1u>
This commit is contained in:
Philip Hayes
parent
77d43f5fb8
commit
c037c23bda
2 changed files with 10 additions and 123 deletions
|
|
@ -1,8 +1,8 @@
|
|||
{ stdenv
|
||||
, fetchFromGitHub
|
||||
, fetchpatch
|
||||
, fetchurl
|
||||
, lib
|
||||
, openssl
|
||||
, perl
|
||||
, sgx-sdk
|
||||
, which
|
||||
|
|
@ -10,9 +10,9 @@
|
|||
}:
|
||||
let
|
||||
sgxVersion = sgx-sdk.versionTag;
|
||||
opensslVersion = "1.1.1l";
|
||||
opensslVersion = "1.1.1u";
|
||||
in
|
||||
stdenv.mkDerivation rec {
|
||||
stdenv.mkDerivation {
|
||||
pname = "sgx-ssl" + lib.optionalString debug "-debug";
|
||||
version = "${sgxVersion}_${opensslVersion}";
|
||||
|
||||
|
|
@ -20,25 +20,20 @@ stdenv.mkDerivation rec {
|
|||
owner = "intel";
|
||||
repo = "intel-sgx-ssl";
|
||||
rev = "lin_${sgxVersion}_${opensslVersion}";
|
||||
hash = "sha256-ibPXs90ni2fkxJ09fNO6wWVpfCFdko6MjBFkEsyIih8=";
|
||||
hash = "sha256-zbXEQz72VUPqnGrboX6oXliaLpbcos7tV6K9lX+zleg=";
|
||||
};
|
||||
|
||||
postUnpack =
|
||||
let
|
||||
opensslSourceArchive = fetchurl {
|
||||
url = "https://www.openssl.org/source/openssl-${opensslVersion}.tar.gz";
|
||||
hash = "sha256-C3o+XlnDSCf+DDp0t+yLrvMCuY+oAIjX+RU6oW+na9E=";
|
||||
hash = "sha256-4vjYS1I+7NBse+diaDA3AwD7zBU4a/UULXJ1j2lj68Y=";
|
||||
};
|
||||
in
|
||||
''
|
||||
ln -s ${opensslSourceArchive} $sourceRoot/openssl_source/openssl-${opensslVersion}.tar.gz
|
||||
'';
|
||||
|
||||
patches = [
|
||||
# https://github.com/intel/intel-sgx-ssl/pull/111
|
||||
./intel-sgx-ssl-pr-111.patch
|
||||
];
|
||||
|
||||
postPatch = ''
|
||||
patchShebangs Linux/build_openssl.sh
|
||||
|
||||
|
|
@ -48,8 +43,6 @@ stdenv.mkDerivation rec {
|
|||
'bash -c "true"'
|
||||
'';
|
||||
|
||||
enableParallelBuilding = true;
|
||||
|
||||
nativeBuildInputs = [
|
||||
perl
|
||||
sgx-sdk
|
||||
|
|
@ -68,28 +61,21 @@ stdenv.mkDerivation rec {
|
|||
];
|
||||
|
||||
# Build the test app
|
||||
#
|
||||
# Running the test app is currently only supported on Intel CPUs
|
||||
# and will fail on non-Intel CPUs even in SGX simulation mode.
|
||||
# Therefore, we only build the test app without running it until
|
||||
# upstream resolves the issue: https://github.com/intel/intel-sgx-ssl/issues/113
|
||||
doInstallCheck = true;
|
||||
installCheckTarget = "all";
|
||||
installCheckTarget = "test";
|
||||
installCheckFlags = [
|
||||
"SGX_MODE=SIM"
|
||||
"-C sgx/test_app"
|
||||
"-j 1" # Makefile doesn't support multiple jobs
|
||||
];
|
||||
preInstallCheck = ''
|
||||
# Expects the enclave file in the current working dir
|
||||
ln -s sgx/test_app/TestEnclave.signed.so .
|
||||
'';
|
||||
nativeInstallCheckInputs = [
|
||||
openssl
|
||||
];
|
||||
|
||||
meta = with lib; {
|
||||
description = "Cryptographic library for Intel SGX enclave applications based on OpenSSL";
|
||||
homepage = "https://github.com/intel/intel-sgx-ssl";
|
||||
maintainers = with maintainers; [ trundle veehaitch ];
|
||||
platforms = [ "x86_64-linux" ];
|
||||
license = with licenses; [ bsd3 openssl ];
|
||||
license = [ licenses.bsd3 licenses.openssl ];
|
||||
};
|
||||
}
|
||||
|
|
|
|||
|
|
@ -1,99 +0,0 @@
|
|||
From 1683c336e11b3cbe2b48c1be1c9460a661523c71 Mon Sep 17 00:00:00 2001
|
||||
From: Vincent Haupert <mail@vincent-haupert.de>
|
||||
Date: Sat, 8 Jan 2022 17:22:31 +0100
|
||||
Subject: [PATCH 1/3] Linux: fix Nix detection
|
||||
|
||||
Detect the `OS_ID` of Nix by probing for the presence of the `NIX_STORE`
|
||||
environment variable instead of `NIX_PATH`. The latter is only set in a
|
||||
`nix-shell` session but isn't when building a derivation through
|
||||
`nix-build`. In contrast, the `NIX_STORE` environment variable is set in
|
||||
both cases.
|
||||
|
||||
Signed-off-by: Vincent Haupert <mail@vincent-haupert.de>
|
||||
---
|
||||
Linux/sgx/buildenv.mk | 2 +-
|
||||
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||
|
||||
diff --git a/Linux/sgx/buildenv.mk b/Linux/sgx/buildenv.mk
|
||||
index cd8818e..dac23c7 100644
|
||||
--- a/Linux/sgx/buildenv.mk
|
||||
+++ b/Linux/sgx/buildenv.mk
|
||||
@@ -65,7 +65,7 @@ $(shell mkdir -p $(PACKAGE_LIB))
|
||||
UBUNTU_CONFNAME:=/usr/include/x86_64-linux-gnu/bits/confname.h
|
||||
ifneq ("$(wildcard $(UBUNTU_CONFNAME))","")
|
||||
OS_ID=1
|
||||
-else ifeq ($(origin NIX_PATH),environment)
|
||||
+else ifeq ($(origin NIX_STORE),environment)
|
||||
OS_ID=3
|
||||
else
|
||||
OS_ID=2
|
||||
|
||||
From f493525face589d759223bfa45bb802c31ddce4f Mon Sep 17 00:00:00 2001
|
||||
From: Vincent Haupert <mail@vincent-haupert.de>
|
||||
Date: Sat, 8 Jan 2022 17:33:22 +0100
|
||||
Subject: [PATCH 2/3] Linux: call binaries relative to PATH
|
||||
|
||||
Using an absolute path to call binaries is incompatible with
|
||||
distributions which do not follow the Filesystem Hierachy Standard;
|
||||
Nix is an example. Also, it is inconsistent with the rest of the code
|
||||
base, let alone superfluous.
|
||||
|
||||
Signed-off-by: Vincent Haupert <mail@vincent-haupert.de>
|
||||
---
|
||||
Linux/build_openssl.sh | 2 +-
|
||||
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||
|
||||
diff --git a/Linux/build_openssl.sh b/Linux/build_openssl.sh
|
||||
index 7d77b79..e8b59a1 100755
|
||||
--- a/Linux/build_openssl.sh
|
||||
+++ b/Linux/build_openssl.sh
|
||||
@@ -38,7 +38,7 @@ SGXSSL_ROOT="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
|
||||
echo $SGXSSL_ROOT
|
||||
|
||||
OPENSSL_INSTALL_DIR="$SGXSSL_ROOT/../openssl_source/OpenSSL_install_dir_tmp"
|
||||
-OPENSSL_VERSION=`/bin/ls $SGXSSL_ROOT/../openssl_source/*1.1.1*.tar.gz | /usr/bin/head -1 | /bin/grep -o '[^/]*$' | /bin/sed -s -- 's/\.tar\.gz//'`
|
||||
+OPENSSL_VERSION=`ls $SGXSSL_ROOT/../openssl_source/*1.1.1*.tar.gz | head -1 | grep -o '[^/]*$' | sed -s -- 's/\.tar\.gz//'`
|
||||
if [ "$OPENSSL_VERSION" == "" ]
|
||||
then
|
||||
echo "In order to run this script, OpenSSL tar.gz package must be located in openssl_source/ directory."
|
||||
|
||||
From fdb883d30fff72b5cfb8c61a2288d3d948f64224 Mon Sep 17 00:00:00 2001
|
||||
From: Vincent Haupert <mail@vincent-haupert.de>
|
||||
Date: Tue, 11 Jan 2022 10:56:39 +0100
|
||||
Subject: [PATCH 3/3] Linux: properly extract GCC major version
|
||||
|
||||
Calling `gcc -dumpversion` yields the full version string, e.g.,
|
||||
`10.3.0`. The `build_openssl.sh` bash script uses the `-ge` number
|
||||
comparison operator to check if the returned version is at least
|
||||
8. This results in an error if the returned GCC version includes a patch
|
||||
version; "10.3.0" isn't a valid number.
|
||||
|
||||
This commit fixes the version detection by only extracting the relevant
|
||||
major version of GCC.
|
||||
|
||||
Signed-off-by: Vincent Haupert <mail@vincent-haupert.de>
|
||||
---
|
||||
Linux/build_openssl.sh | 3 ++-
|
||||
1 file changed, 2 insertions(+), 1 deletion(-)
|
||||
|
||||
diff --git a/Linux/build_openssl.sh b/Linux/build_openssl.sh
|
||||
index e8b59a1..6e4046f 100755
|
||||
--- a/Linux/build_openssl.sh
|
||||
+++ b/Linux/build_openssl.sh
|
||||
@@ -82,6 +82,7 @@ fi
|
||||
MITIGATION_OPT=""
|
||||
MITIGATION_FLAGS=""
|
||||
CC_VERSION=`gcc -dumpversion`
|
||||
+CC_VERSION_MAJOR=`echo "$CC_VERSION" | cut -f1 -d.`
|
||||
for arg in "$@"
|
||||
do
|
||||
case $arg in
|
||||
@@ -99,7 +100,7 @@ do
|
||||
;;
|
||||
-mfunction-return=thunk-extern)
|
||||
MITIGATION_FLAGS+=" $arg"
|
||||
- if [[ $CC_VERSION -ge 8 ]] ; then
|
||||
+ if [[ "$CC_VERSION_MAJOR" -ge 8 ]] ; then
|
||||
MITIGATION_FLAGS+=" -fcf-protection=none"
|
||||
fi
|
||||
shift
|
||||
Loading…
Reference in a new issue