From a1d932579cb1f7c4cee9ee437a11eebd962e2bde Mon Sep 17 00:00:00 2001
From: Denis
Date: Fri, 15 Mar 2024 18:14:05 +0400
Subject: [PATCH 1/4] Maybe maybe

---
 sgxvm/Makefile | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/sgxvm/Makefile b/sgxvm/Makefile
index 843f0de5..57254806 100644
--- a/sgxvm/Makefile
+++ b/sgxvm/Makefile
@@ -75,9 +75,9 @@ endef
 define compile_unsigned_enclave
 @echo "Compile into unsinged enclave"
- @g++ $(CURDIR)/Enclave_t.o -o $(CURDIR)/enclave.unsigned.so -Wl,--no-undefined -nostdlib -nodefaultlibs -nostartfiles -L/opt/intel/sgxsdk/lib64 \
+ @cxx $(CURDIR)/Enclave_t.o -o $(CURDIR)/enclave.unsigned.so -Wl,--no-undefined -nostdlib -nodefaultlibs -nostartfiles -L/opt/intel/sgxsdk/lib64 \
 -Wl,--whole-archive -l$(Trts_Library_Name) -Wl,--no-whole-archive \
- -Wl,--start-group -lsgx_tstdc -lsgx_tcxx -lsgx_dcap_tvl -l$(Service_Library_Name) -lsgx_tcrypto -lsgx_tprotected_fs \
+ -Wl,--start-group -lsgx_tstdc -lsgx_tcxx -lsgx_dcap_tvl -l$(Service_Library_Name) -lsgx_tcrypto -lsgx_tprotected_fs -lpthread \
 -L$(CURDIR)/sgx-artifacts/lib -lenclave -Wl,--end-group -Wl,--version-script=$(CURDIR)/Enclave.lds -Wl,-z,relro,-z,now,-z,noexecstack -Wl,-Bstatic -Wl,-Bsymbolic \
 -Wl,--no-undefined -Wl,-pie,-eenclave_entry -Wl,--export-dynamic -Wl,--gc-sections -Wl,--defsym,__ImageBase=0
 endef

From cc6a2d699931fd352d83ebcc6be7bfb4cfd3fcd2 Mon Sep 17 00:00:00 2001
From: Denis
Date: Fri, 15 Mar 2024 18:20:03 +0400
Subject: [PATCH 2/4] Fix typo

---
 sgxvm/Makefile | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/sgxvm/Makefile b/sgxvm/Makefile
index 57254806..a1e5b17a 100644
--- a/sgxvm/Makefile
+++ b/sgxvm/Makefile
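Review bot: The `-lpthread` appended to the `--start-group` list on the second added line requests a host pthread library, and neither `-nostdlib` nor `-nodefaultlibs` removes the default library directories from an explicit `-l` search, so the linker may resolve it to glibc's libpthread rather than anything trusted; with `-Wl,--no-undefined` that either fails to link or brings untrusted code into the enclave image, and which of the two happens is not visible from the hunk. The SGX SDK ships its trusted threading API as a separate archive under `/opt/intel/sgxsdk/lib64`, `-lsgx_pthread`, so if enclave threading primitives are what is needed the line should read `-lsgx_tprotected_fs -lsgx_pthread \` instead of `-lsgx_tprotected_fs -lpthread \`. The `@cxx` typo on the first added line is corrected by the next patch in this series, so it is not raised here. The whole `define compile_unsigned_enclave` body is inside the hunk.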
@@ -75,7 +75,7 @@ endef
 define compile_unsigned_enclave
 @echo "Compile into unsinged enclave"
- @cxx $(CURDIR)/Enclave_t.o -o $(CURDIR)/enclave.unsigned.so -Wl,--no-undefined -nostdlib -nodefaultlibs -nostartfiles -L/opt/intel/sgxsdk/lib64 \
+ @$(CXX) $(CURDIR)/Enclave_t.o -o $(CURDIR)/enclave.unsigned.so -Wl,--no-undefined -nostdlib -nodefaultlibs -nostartfiles -L/opt/intel/sgxsdk/lib64 \
 -Wl,--whole-archive -l$(Trts_Library_Name) -Wl,--no-whole-archive \
 -Wl,--start-group -lsgx_tstdc -lsgx_tcxx -lsgx_dcap_tvl -l$(Service_Library_Name) -lsgx_tcrypto -lsgx_tprotected_fs -lpthread \
 -L$(CURDIR)/sgx-artifacts/lib -lenclave -Wl,--end-group -Wl,--version-script=$(CURDIR)/Enclave.lds -Wl,-z,relro,-z,now,-z,noexecstack -Wl,-Bstatic -Wl,-Bsymbolic \

From ef75b56d05ae0a83982a4096b127496ee086c7e2 Mon Sep 17 00:00:00 2001
From: Denis
Date: Fri, 15 Mar 2024 18:42:30 +0400
Subject: [PATCH 3/4] Maybe like this

---
 sgxvm/Makefile | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/sgxvm/Makefile b/sgxvm/Makefile
index a1e5b17a..838b38c6 100644
--- a/sgxvm/Makefile
+++ b/sgxvm/Makefile
@@ -4,7 +4,7 @@ TARGET = $(shell rustc --version --verbose 2> /dev/null | awk "/host:/ { print \
 TARGET_DIR = target/release/
 DEFAULT = help
 CC=clang
-CXX=clang++
+#CXX=clang++
 SGX_MODE ?= HW
 ENCLAVE_HOME ?= $(HOME)/.swisstronik-enclave

From db454982d9a20e33af521b85f93744825e51c162 Mon Sep 17 00:00:00 2001
From: Denis
Date: Fri, 15 Mar 2024 18:55:40 +0400
Subject: [PATCH 4/4] Change flags order in CXX call, revert to focal

---
 docker/deb.Dockerfile | 2 +-
 sgxvm/Makefile | 15 ++++++++++-----
 2 files changed, 11 insertions(+), 6 deletions(-)

diff --git a/docker/deb.Dockerfile b/docker/deb.Dockerfile
index aa0437cf..6892bdc4 100644
--- a/docker/deb.Dockerfile
+++ b/docker/deb.Dockerfile
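Review bot: Replacing `cxx` with `$(CXX)` on the added line makes the enclave link driver whatever `CXX` holds, which at this point in the file is `clang++` (the assignment is visible as context in the next patch), while the command before this series invoked `g++` explicitly; the toolchain behind the trusted image is therefore changing, and nothing in the commit records that this is intended or that the SGX SDK libraries were built to be linked by that driver. The `@` prefix on the same line hides the full command, so a link failure in CI prints only the driver's diagnostic without the flags that caused it; since the `@echo` above already announces the step, dropping the `@` from this one line costs nothing. The same line also hard-codes `-L/opt/intel/sgxsdk/lib64`; `SGX_SDK ?= /opt/intel/sgxsdk` near the top of the file and `-L$(SGX_SDK)/lib64` here would follow the convention of the SDK's own sample Makefiles and let CI point at a differently installed SDK.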
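Review bot: Commenting out `CXX=clang++` does not remove the use of `$(CXX)` in compile_unsigned_enclave introduced by the previous patch; it only changes the value to GNU make's built-in default for `CXX`, `g++`, while `CC=clang` on the line above stays, so C objects and the C++ link step now come from different toolchains and a reader of the file cannot tell which driver links the enclave. If the intent is "use g++ unless the caller overrides it", make that explicit and overridable with `CXX ?= g++` in place of `#CXX=clang++`, and delete the commented-out line rather than leaving dead configuration behind. Whether mixing clang-compiled objects with a g++ link is acceptable for this enclave is not something the hunk shows, so a one-line comment stating the reason for the split would help whoever next touches the toolchain.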
@@ -1,5 +1,5 @@
 ############ Install Intel SGX SDK & SGX PSW
-FROM ghcr.io/sigmagmbh/sgx:2.23-jammy-554238b as base
+FROM ghcr.io/sigmagmbh/sgx:2.23-focal-77382c8 as base
 RUN wget -qO - https://download.01.org/intel-sgx/sgx_repo/ubuntu/intel-sgx-deb.key | apt-key add -
 RUN apt-get update

diff --git a/sgxvm/Makefile b/sgxvm/Makefile
index 838b38c6..3a072383 100644
--- a/sgxvm/Makefile
+++ b/sgxvm/Makefile
@@ -11,6 +11,8 @@ ENCLAVE_HOME ?= $(HOME)/.swisstronik-enclave
 Trts_Library_Name = sgx_trts
 Service_Library_Name = sgx_tservice
 Enclave_build_feature = hardware_mode
+# Enable the security flags
+Enclave_Security_Link_Flags := -Wl,-z,relro,-z,now,-z,noexecstack
 # ENCLAVE SETTINGS
 ifneq ($(SGX_MODE), HW)
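Review bot: The comment `# Enable the security flags` above the new `Enclave_Security_Link_Flags` variable names neither the protections the three flags provide nor where the variable is consumed, which is what a reader auditing the enclave's hardening needs; replace it with `# Linker hardening for the enclave image: relocation tables made read-only after load (-z relro), all symbols bound at load time (-z now), no executable stack (-z noexecstack). Consumed by compile_unsigned_enclave.` These are properties that a conventional loader enforces, and whether the SGX enclave loader applies relro and now in the same way as ld.so is not something the hunk establishes, so the comment should describe what is requested rather than promise runtime behavior. The simple `:=` flavour is the right choice for a constant flag list.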
@@ -75,11 +77,14 @@ endef
 define compile_unsigned_enclave
 @echo "Compile into unsinged enclave"
- @$(CXX) $(CURDIR)/Enclave_t.o -o $(CURDIR)/enclave.unsigned.so -Wl,--no-undefined -nostdlib -nodefaultlibs -nostartfiles -L/opt/intel/sgxsdk/lib64 \
- -Wl,--whole-archive -l$(Trts_Library_Name) -Wl,--no-whole-archive \
- -Wl,--start-group -lsgx_tstdc -lsgx_tcxx -lsgx_dcap_tvl -l$(Service_Library_Name) -lsgx_tcrypto -lsgx_tprotected_fs -lpthread \
- -L$(CURDIR)/sgx-artifacts/lib -lenclave -Wl,--end-group -Wl,--version-script=$(CURDIR)/Enclave.lds -Wl,-z,relro,-z,now,-z,noexecstack -Wl,-Bstatic -Wl,-Bsymbolic \
- -Wl,--no-undefined -Wl,-pie,-eenclave_entry -Wl,--export-dynamic -Wl,--gc-sections -Wl,--defsym,__ImageBase=0
+ @$(CXX) $(CURDIR)/Enclave_t.o -o $(CURDIR)/enclave.unsigned.so $(Enclave_Security_Link_Flags) -fPIC \
+ -Wl,--no-undefined -nostdlib -nodefaultlibs -nostartfiles -L/opt/intel/sgxsdk/lib64 \
+ -Wl,--whole-archive -lsgx_dcap_tvl -l$(Trts_Library_Name) -Wl,--no-whole-archive \
+ -Wl,--start-group -lsgx_tstdc -lsgx_tcxx -l$(Service_Library_Name) -lsgx_tcrypto -lsgx_tprotected_fs -lpthread -L$(CURDIR)/sgx-artifacts/lib -lenclave -Wl,--end-group \
+ -Wl,-Bstatic -Wl,-Bsymbolic -Wl,--no-undefined \
+ -Wl,-pie,-eenclave_entry -Wl,--export-dynamic \
+ -Wl,--gc-sections -Wl,--defsym,__ImageBase=0 \
+ -Wl,--version-script=$(CURDIR)/Enclave.lds
 endef
 define sign_enclave
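Review bot: `-fPIC` on the first added line is a code-generation option, and this command only links the already compiled `Enclave_t.o` against archives, so on a link-only invocation it changes nothing; position independence of the image comes from `-Wl,-pie` further down, and `-fPIC` belongs on the rule that compiles `Enclave_t.o` (outside this hunk) if it is not already there. `-Wl,--no-undefined` is now passed twice, on the second and on the fifth added line; one occurrence is enough, so drop it from `-Wl,-Bstatic -Wl,-Bsymbolic -Wl,--no-undefined \`. Beyond reordering, the hunk moves `-lsgx_dcap_tvl` inside the `--whole-archive` bracket, which the subject line ("change flags order") does not mention; since whole-archive forces every object of that library into the enclave, a short comment such as `# sgx_dcap_tvl is whole-archived so its ECALL table is not discarded` stating the actual reason would save the next reader from guessing, and whether moving `--version-script` to the end alters the exported symbol set is not visible from the hunk.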