Linux 2.4 Open Source Gold Release

Added support for the Key Separation and Sharing (KSS) feature.
Provided a set of new encryption and decryption functions such as sgx_hmac256_*.
Provided a new untrusted API: sgx_get_target_info.
Provided a new untrusted API: sgx_create_enclave_from_buffer_ex.
Updated the cryptography library and Architecture Enclaves to use Intel(R) Integrated
  Performance Primitives Cryptography 2019 Update 1.
Fixed bugs.

Signed-off-by: Li, Xun <[email protected]>

License.txt

@@ -37,7 +37,7 @@ http://www.eclipse.org/legal/epl-v10.html
 
 ==============================================================
 
-libsgx_le.signed.so, libsgx_pce.signed.so, libsgx_pve.signed.so, libsgx_qe.signed.so, libsgx_pse_pr.signed.so and libsgx_pse_op.signed.so are licensed as Intel redistributable binary firmware and other blobs.
+libsgx_le.signed.so, libsgx_pce.signed.so, libsgx_pve.signed.so, libsgx_qe.signed.so, libsgx_pse_pr.signed.so, libsgx_pse_pr_2.signed.so and libsgx_pse_op.signed.so are licensed as Intel redistributable binary firmware and other blobs.
 
 
 Copyright (c) Intel Corporation.

Linux_SGXEclipsePlugin/build_directory/plugins/com.intel.sgx/templates/sgx/SGXEnclave/trusted/Enclave1.config.xml

@@ -1,7 +1,7 @@
 <EnclaveConfiguration>
   <ProdID>0</ProdID>
   <ISVSVN>0</ISVSVN>
-  <StackMinSize>0x1000</StackMinSize>
+  <StackMinSize>0x2000</StackMinSize>
   <StackMaxSize>0x40000</StackMaxSize>
   <HeapMinSize>0x1000</HeapMinSize>
   <HeapInitSize>0x1000000</HeapInitSize>

Linux_SGXEclipsePlugin/build_directory/plugins/com.intel.sgx/templates/sgx/SGXEnclave/untrusted/sample.cpp

@@ -124,74 +124,21 @@ void print_error_message(sgx_status_t ret)
 }
 
 /* Initialize the enclave:
- *   Step 1: retrive the launch token saved by last transaction
- *   Step 2: call sgx_create_enclave to initialize an enclave instance
- *   Step 3: save the launch token if it is updated
+ *   Call sgx_create_enclave to initialize an enclave instance
  */
 int initialize_enclave(void)
 {
-    char token_path[MAX_PATH] = {'\0'};
-    sgx_launch_token_t token = {0};
     sgx_status_t ret = SGX_ERROR_UNEXPECTED;
-    int updated = 0;
-    /* Step 1: retrive the launch token saved by last transaction */
-
-    /* try to get the token saved in $HOME */
-    const char *home_dir = getpwuid(getuid())->pw_dir;
-    if (home_dir != NULL && 
-        (strlen(home_dir)+strlen("/")+sizeof(TOKEN_FILENAME)+1) <= MAX_PATH) {
-        /* compose the token path */
-        strncpy(token_path, home_dir, strlen(home_dir));
-        strncat(token_path, "/", strlen("/"));
-        strncat(token_path, TOKEN_FILENAME, sizeof(TOKEN_FILENAME)+1);
-    } else {
-        /* if token path is too long or $HOME is NULL */
-        strncpy(token_path, TOKEN_FILENAME, sizeof(TOKEN_FILENAME));
-    }
-
-    FILE *fp = fopen(token_path, "rb");
-    if (fp == NULL && (fp = fopen(token_path, "wb")) == NULL) {
-        printf("Warning: Failed to create/open the launch token file \"%s\".\n", token_path);
-    }
-    printf("token_path: %s\n", token_path);
-    if (fp != NULL) {
-        /* read the token from saved file */
-        size_t read_num = fread(token, 1, sizeof(sgx_launch_token_t), fp);
-        if (read_num != 0 && read_num != sizeof(sgx_launch_token_t)) {
-            /* if token is invalid, clear the buffer */
-            memset(&token, 0x0, sizeof(sgx_launch_token_t));
-            printf("Warning: Invalid launch token read from \"%s\".\n", token_path);
-        }
-    }
 
-    /* Step 2: call sgx_create_enclave to initialize an enclave instance */
+    /* Call sgx_create_enclave to initialize an enclave instance */
     /* Debug Support: set 2nd parameter to 1 */
-
-    ret = sgx_create_enclave($(ENCLAVENAME)_FILENAME, SGX_DEBUG_FLAG, &token, &updated, &global_eid, NULL);
+    ret = sgx_create_enclave($(ENCLAVENAME)_FILENAME, SGX_DEBUG_FLAG, NULL, NULL, &global_eid, NULL);
 
     if (ret != SGX_SUCCESS) {
         print_error_message(ret);
-        if (fp != NULL) fclose(fp);
-
         return -1;
     }
 
-    /* Step 3: save the launch token if it is updated */
-
-    if (updated == FALSE || fp == NULL) {
-        /* if the token is not updated, or file handler is invalid, do not perform saving */
-        if (fp != NULL) fclose(fp);
-        return 0;
-    }
-
-    /* reopen the file with write capablity */
-    fp = freopen(token_path, "wb", fp);
-    if (fp == NULL) return 0;
-    size_t write_num = fwrite(token, 1, sizeof(sgx_launch_token_t), fp);
-    if (write_num != sizeof(sgx_launch_token_t))
-        printf("Warning: Failed to save launch token to \"%s\".\n", token_path);
-    fclose(fp);
-
     return 0;
 }
 

Linux_SGXEclipsePlugin/build_directory/plugins/com.intel.sgx/templates/sgx/SGXEnclave/untrusted/sample.h

@@ -18,7 +18,6 @@
 #endif
 
 
-# define TOKEN_FILENAME   "enclave.token"
 # define $(ENCLAVENAME)_FILENAME "$(enclaveName).signed.so"
 
 extern sgx_enclave_id_t global_eid;    /* global enclave id */

Linux_SGXEclipsePlugin/build_directory/plugins/com.intel.sgx/templates/sgx/SGXTrustedStaticLibrary/makefiles/c++/sgx_t_static.mk

@@ -102,4 +102,4 @@ lib$(enclaveName).sgx.static.lib.a: static_trusted/$(enclaveName)_t.h $($(Enclav
 	@echo "LINK =>  $@"
 
 clean:
-	@rm -f $(enclaveName).* static_trusted/$(enclaveName)_t.* $($(EnclaveName)_Cpp_Objects) $($(EnclaveName)_C_Objects)
+	@rm -f lib$(enclaveName).* static_trusted/$(enclaveName)_t.* $($(EnclaveName)_Cpp_Objects) $($(EnclaveName)_C_Objects)

Linux_SGXEclipsePlugin/build_directory/plugins/com.intel.sgx/templates/sgx/SGXTrustedStaticLibrary/makefiles/c/sgx_t_static.mk

@@ -92,4 +92,4 @@ lib$(enclaveName).sgx.static.lib.a: static_trusted/$(enclaveName)_t.h $($(Enclav
 	@echo "LINK =>  $@"
 
 clean:
-	@rm -f $(enclaveName).* static_trusted/$(enclaveName)_t.*  $($(EnclaveName)_C_Objects)
+	@rm -f lib$(enclaveName).* static_trusted/$(enclaveName)_t.*  $($(EnclaveName)_C_Objects)

Makefile

@@ -47,12 +47,19 @@ sdk_install_pkg: sdk
 psw_install_pkg: psw
 	./linux/installer/bin/build-installpkg.sh psw
 
+deb_sgx_urts_pkg: psw
+	./linux/installer/deb/libsgx-urts/build.sh
+
 deb_sgx_enclave_common_pkg: psw
 	./linux/installer/deb/libsgx-enclave-common/build.sh
 
 deb_sgx_enclave_common_dev_pkg:
 	./linux/installer/deb/libsgx-enclave-common-dev/build.sh
 
+deb_pkg: deb_sgx_urts_pkg deb_sgx_enclave_common_pkg deb_sgx_enclave_common_dev_pkg
+	@$(RM) -f ./linux/installer/deb/*.deb ./linux/installer/deb/*.ddeb
+	cp `find ./linux/installer/deb/ -name "*.deb" -o -name "*.ddeb"` ./linux/installer/deb/
+
 clean:
 	@$(MAKE) -C sdk/                                clean
 	@$(MAKE) -C psw/                                clean

README.md

@@ -135,16 +135,16 @@ $ make sdk_install_pkg DEBUG=1
 To build the Intel(R) SGX PSW installer, enter the following command:
 - On Ubuntu 16.04 and Ubuntu 18.04:
   ```
-  $ make deb_sgx_enclave_common_pkg
+  $ make deb_pkg
   ```
-  You can find the generated Intel(R) SGX PSW installer ``libsgx-enclave-common_${version}-${revision}_amd64.deb`` located under `linux/installer/deb/libsgx-enclave-common`, where `${version}` refers to the version number and the `${revision}` refers to the revision number of the package.   
+  You can find the generated Intel(R) SGX PSW installer ``libsgx-urts_${version}-${revision}_amd64.deb`` and ``libsgx-enclave-common_${version}-${revision}_amd64.deb`` located under `linux/installer/deb`, where `${version}` refers to the version number and the `${revision}` refers to the revision number of the package.   
   **Note**: On Ubuntu 18.04, besides the Intel(R) SGX PSW installer, the above command generates another debug symbol package named ``libsgx-enclave-common-dbgsym_${version}-${revision}_amd64.ddeb`` for debug purpose. On Ubuntu 16.04, if you want to keep debug symbols in the Intel(R) SGX PSW installer, before building the Intel(R) SGX PSW, you need to export an environment variable to ensure the debug symbols not stripped:
    ```
    $ export DEB_BUILD_OPTIONS="nostrip"
    ```
   **Note**: The above command builds the Intel(R) SGX PSW with default configuration firstly and then generates the target PSW Installer. To build the Intel(R) SGX PSW Installer without optimization and with full debug information kept in the tools and libraries, enter the following command:
   ```
-  $ make deb_sgx_enclave_common_pkg DEBUG=1
+  $ make deb_pkg DEBUG=1
   ```
 - On Red Hat Enterprise Linux 7.4 and CentOS 7.5:
 - On Fedora 27:
@@ -158,7 +158,7 @@ To build the Intel(R) SGX PSW installer, enter the following command:
   ```
   $ make psw_install_pkg DEBUG=1
   ```
-To build the Intel(R) SGX PSW development installer, enter the following command:
+To build the Intel(R) SGX PSW development installer separately, enter the following command:
 - On Ubuntu 16.04 and Ubuntu 18.04:
   ```
   $ make deb_sgx_enclave_common_dev_pkg
@@ -279,30 +279,30 @@ Install the Intel(R) SGX PSW
   Download source code from [dynamic-application-loader-host-interface](https://github.com/01org/dynamic-application-loader-host-interface) project. In the source code folder, build and install the `JHI` service using the following commands:
   * On Ubuntu 16.04 and Ubuntu 18.04:
   ```
-    $ sudo apt-get install uuid-dev libxml2-dev cmake pkg-config
+    $ sudo apt-get install uuid-dev libxml2-dev cmake pkg-config libsystemd-dev
     $ cmake .;make;sudo make install;sudo systemctl enable jhi
   ```
   * On Red Hat Enterprise Linux 7.4, CentOS 7.5 and Fedora 27:  
   ```
-    $ sudo yum install libuuid-devel libxml2-devel cmake pkgconfig
+    $ sudo yum install libuuid-devel libxml2-devel cmake pkgconfig systemd-devel
     $ cmake .;make;sudo make install;sudo ldconfig;sudo systemctl enable jhi
   ```
   * On SUSE Linux Enterprise Server 12:  
   ```
-    $ sudo zypper install libuuid-devel libxml2-devel cmake pkg-config
+    $ sudo zypper install libuuid-devel libxml2-devel cmake pkg-config systemd-devel
     $ cmake .;make;sudo make install;sudo ldconfig;sudo systemctl enable jhi
   ```
 
 ### Install the Intel(R) SGX PSW
 To install the Intel(R) SGX PSW, invoke the installer with root privilege: 
 - On Ubuntu 16.04 and Ubuntu 18.04:
   ```
-  $ cd linux/installer/deb/libsgx-enclave-common
-  $ sudo dpkg -i ./libsgx-enclave-common_${version}-${revision}_amd64.deb
+  $ cd linux/installer/deb
+  $ sudo dpkg -i ./libsgx-urts_${version}-${revision}_amd64.deb ./libsgx-enclave-common_${version}-${revision}_amd64.deb
   ```
   **NOTE**: To debug with sgx-gdb on Ubuntu 16.04, you need to ensure the Intel(R) SGX PSW is built under the condition that the environment variable ``DEB_BUILD_OPTIONS="nostrip"`` is set. On Ubuntu 18.04, you need to install the debug package by entering the following command:
   ```
-  $ cd linux/installer/deb/libsgx-enclave-common
+  $ cd linux/installer/deb
   $ sudo dpkg -i ./libsgx-enclave-common-dbgsym_${version}-${revision}_amd64.ddeb
   ```
 - On Red Hat Enterprise Linux 7.4 and CentOS 7.5:

SampleCode/Cxx11SGXDemo/App/App.cpp

@@ -159,13 +159,11 @@ void print_error_message(sgx_status_t ret)
  */
 int initialize_enclave(void)
 {
-    sgx_launch_token_t token = {0};
     sgx_status_t ret = SGX_ERROR_UNEXPECTED;
-    int updated = 0;
 
     /* Call sgx_create_enclave to initialize an enclave instance */
     /* Debug Support: set 2nd parameter to 1 */
-    ret = sgx_create_enclave(ENCLAVE_FILENAME, SGX_DEBUG_FLAG, &token, &updated, &global_eid, NULL);
+    ret = sgx_create_enclave(ENCLAVE_FILENAME, SGX_DEBUG_FLAG, NULL, NULL, &global_eid, NULL);
     if (ret != SGX_SUCCESS) {
         print_error_message(ret);
         return -1;

SampleCode/Cxx11SGXDemo/Makefile

@@ -178,18 +178,20 @@ endif
 endif
 
 
-.PHONY: all run
+.PHONY: all run target
+all: .config_$(Build_Mode)_$(SGX_ARCH)
+	@$(MAKE) target
 
 ifeq ($(Build_Mode), HW_RELEASE)
-all: .config_$(Build_Mode)_$(SGX_ARCH) $(App_Name) $(Enclave_Name)
+target: $(App_Name) $(Enclave_Name)
 	@echo "The project has been built in release hardware mode."
 	@echo "Please sign the $(Enclave_Name) first with your signing key before you run the $(App_Name) to launch and access the enclave."
 	@echo "To sign the enclave use the command:"
 	@echo "   $(SGX_ENCLAVE_SIGNER) sign -key <your key> -enclave $(Enclave_Name) -out <$(Signed_Enclave_Name)> -config $(Enclave_Config_File)"
 	@echo "You can also sign the enclave using an external signing tool."
 	@echo "To build the project in simulation mode set SGX_MODE=SIM. To build the project in prerelease mode set SGX_PRERELEASE=1 and SGX_MODE=HW."
 else
-all: .config_$(Build_Mode)_$(SGX_ARCH) $(App_Name) $(Signed_Enclave_Name)
+target: $(App_Name) $(Signed_Enclave_Name)
 ifeq ($(Build_Mode), HW_DEBUG)
 	@echo "The project has been built in debug hardware mode."
 else ifeq ($(Build_Mode), SIM_DEBUG)
@@ -209,34 +211,38 @@ ifneq ($(Build_Mode), HW_RELEASE)
 	@echo "RUN  =>  $(App_Name) [$(SGX_MODE)|$(SGX_ARCH), OK]"
 endif
 
+.config_$(Build_Mode)_$(SGX_ARCH):
+	@rm -f .config_* $(App_Name) $(Enclave_Name) $(Signed_Enclave_Name) $(App_Cpp_Objects) App/Enclave_u.* $(Enclave_Cpp_Objects) Enclave/Enclave_t.*
+	@touch .config_$(Build_Mode)_$(SGX_ARCH)
+
 ######## App Objects ########
 
-App/Enclave_u.c: $(SGX_EDGER8R) Enclave/Enclave.edl
+App/Enclave_u.h: $(SGX_EDGER8R) Enclave/Enclave.edl
 	@cd App && $(SGX_EDGER8R) --untrusted ../Enclave/Enclave.edl --search-path ../Enclave --search-path $(SGX_SDK)/include
 	@echo "GEN  =>  $@"
 
+App/Enclave_u.c: App/Enclave_u.h
+
 App/Enclave_u.o: App/Enclave_u.c
 	@$(CC) $(SGX_COMMON_CFLAGS) $(App_C_Flags) -c $< -o $@
 	@echo "CC   <=  $<"
 
-App/%.o: App/%.cpp
+App/%.o: App/%.cpp App/Enclave_u.h
 	@$(CXX) $(SGX_COMMON_CXXFLAGS) $(App_Cpp_Flags) -c $< -o $@
 	@echo "CXX  <=  $<"
 
 $(App_Name): App/Enclave_u.o $(App_Cpp_Objects)
 	@$(CXX) $^ -o $@ $(App_Link_Flags)
 	@echo "LINK =>  $@"
 
-.config_$(Build_Mode)_$(SGX_ARCH):
-	@rm -f .config_* $(App_Name) $(Enclave_Name) $(Signed_Enclave_Name) $(App_Cpp_Objects) App/Enclave_u.* $(Enclave_Cpp_Objects) Enclave/Enclave_t.*
-	@touch .config_$(Build_Mode)_$(SGX_ARCH)
-
 ######## Enclave Objects ########
 
-Enclave/Enclave_t.c: $(SGX_EDGER8R) Enclave/Enclave.edl
+Enclave/Enclave_t.h: $(SGX_EDGER8R) Enclave/Enclave.edl
 	@cd Enclave && $(SGX_EDGER8R) --trusted ../Enclave/Enclave.edl --search-path ../Enclave --search-path $(SGX_SDK)/include
 	@echo "GEN  =>  $@"
 
+Enclave/Enclave_t.c: Enclave/Enclave_t.h
+
 Enclave/Enclave_t.o: Enclave/Enclave_t.c
 	@$(CC) $(SGX_COMMON_CFLAGS) $(Enclave_C_Flags) -c $< -o $@
 	@echo "CC   <=  $<"
@@ -245,6 +251,8 @@ Enclave/%.o: Enclave/%.cpp
 	@$(CXX) $(SGX_COMMON_CXXFLAGS) $(Enclave_Cpp_Flags) -c $< -o $@
 	@echo "CXX  <=  $<"
 
+$(Enclave_Cpp_Objects): Enclave/Enclave_t.h
+
 $(Enclave_Name): Enclave/Enclave_t.o $(Enclave_Cpp_Objects)
 	@$(CXX) $^ -o $@ $(Enclave_Link_Flags)
 	@echo "LINK =>  $@"

SampleCode/LocalAttestation/App/App.cpp

@@ -72,28 +72,27 @@ void waitForKeyPress()
 uint32_t load_enclaves()
 {
     uint32_t enclave_temp_no;
-    int ret, launch_token_updated;
-    sgx_launch_token_t launch_token;
+    sgx_status_t ret = SGX_ERROR_UNEXPECTED;
 
     enclave_temp_no = 0;
 
-    ret = sgx_create_enclave(ENCLAVE1_PATH, SGX_DEBUG_FLAG, &launch_token, &launch_token_updated, &e1_enclave_id, NULL);
+    ret = sgx_create_enclave(ENCLAVE1_PATH, SGX_DEBUG_FLAG, NULL, NULL, &e1_enclave_id, NULL);
     if (ret != SGX_SUCCESS) {
                 return ret;
     }
 
     enclave_temp_no++;
     g_enclave_id_map.insert(std::pair<sgx_enclave_id_t, uint32_t>(e1_enclave_id, enclave_temp_no));
 
-    ret = sgx_create_enclave(ENCLAVE2_PATH, SGX_DEBUG_FLAG, &launch_token, &launch_token_updated, &e2_enclave_id, NULL);
+    ret = sgx_create_enclave(ENCLAVE2_PATH, SGX_DEBUG_FLAG, NULL, NULL, &e2_enclave_id, NULL);
     if (ret != SGX_SUCCESS) {
                 return ret;
     }
 
     enclave_temp_no++;
     g_enclave_id_map.insert(std::pair<sgx_enclave_id_t, uint32_t>(e2_enclave_id, enclave_temp_no));
 
-    ret = sgx_create_enclave(ENCLAVE3_PATH, SGX_DEBUG_FLAG, &launch_token, &launch_token_updated, &e3_enclave_id, NULL);
+    ret = sgx_create_enclave(ENCLAVE3_PATH, SGX_DEBUG_FLAG, NULL, NULL, &e3_enclave_id, NULL);
     if (ret != SGX_SUCCESS) {
                 return ret;
     }