aland/nixpkgs-odroid-hc4
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions 2

uboot: (firmwareOdroidC2/C4) don't invoke patch tool, use patches = [] instead

Browse source 
https://github.com/NixOS/nixpkgs/blob/master/pkgs/stdenv/generic/setup.sh#L948
this can do it nicely.

Signed-off-by: Anton Arapov <anton@deadbeef.mx>
This commit is contained in:
Anton Arapov 2021-04-03 12:58:10 +02:00 committed by Alan Daniels
commit 56de2bcd43
30691 changed files with 3076956 additions and 0 deletions
Download patch file Download diff file Expand all files Collapse all files

169
pkgs/os-specific/linux/sgx/psw/default.nix Normal file
View file

@ -0,0 +1,169 @@
{ stdenv
, lib
, fetchurl
, cmake
, coreutils
, curl
, file
, glibc
, makeWrapper
, nixosTests
, protobuf
, python3
, sgx-sdk
, shadow
, systemd
, util-linux
, which
, debug ? false
}:
stdenv.mkDerivation rec {
inherit (sgx-sdk) version versionTag src;
pname = "sgx-psw";
postUnpack =
let
ae.prebuilt = fetchurl {
url = "https://download.01.org/intel-sgx/sgx-linux/${versionTag}/prebuilt_ae_${versionTag}.tar.gz";
hash = "sha256-JriA9UGYFkAPuCtRizk8RMM1YOYGR/eO9ILnx47A40s=";
};
dcap = rec {
version = "1.13";
filename = "prebuilt_dcap_${version}.tar.gz";
prebuilt = fetchurl {
url = "https://download.01.org/intel-sgx/sgx-dcap/${version}/linux/${filename}";
hash = "sha256-0kD6hxN8qZ/7/H99aboQx7Qg7ewmYPEexoU6nqczAik=";
};
};
in
sgx-sdk.postUnpack + ''
# Make sure we use the correct version of prebuilt DCAP
grep -q 'ae_file_name=${dcap.filename}' "$src/external/dcap_source/QuoteGeneration/download_prebuilt.sh" \
|| (echo "Could not find expected prebuilt DCAP ${dcap.filename} in linux-sgx source" >&2 && exit 1)
tar -zxf ${ae.prebuilt} -C $sourceRoot/
tar -zxf ${dcap.prebuilt} -C $sourceRoot/external/dcap_source/QuoteGeneration/
'';
nativeBuildInputs = [
cmake
file
makeWrapper
python3
sgx-sdk
which
];
buildInputs = [
curl
protobuf
];
hardeningDisable = lib.optionals debug [
"fortify"
];
postPatch = ''
patchShebangs \
linux/installer/bin/build-installpkg.sh \
linux/installer/common/psw/createTarball.sh \
linux/installer/common/psw/install.sh
'';
dontUseCmakeConfigure = true;
# Randomly fails if enabled
enableParallelBuilding = false;
buildFlags = [
"psw_install_pkg"
] ++ lib.optionals debug [
"DEBUG=1"
];
installFlags = [
"-C linux/installer/common/psw/output"
"DESTDIR=$(TMPDIR)/install"
];
postInstall = ''
installDir=$TMPDIR/install
sgxPswDir=$installDir/opt/intel/sgxpsw
mv $installDir/usr/lib64/ $out/lib/
ln -sr $out/lib $out/lib64
# Install udev rules to lib/udev/rules.d
mv $sgxPswDir/udev/ $out/lib/
# Install example AESM config
mkdir $out/etc/
mv $sgxPswDir/aesm/conf/aesmd.conf $out/etc/
rmdir $sgxPswDir/aesm/conf/
# Delete init service
rm $sgxPswDir/aesm/aesmd.conf
# Move systemd services
mkdir -p $out/lib/systemd/system/
mv $sgxPswDir/aesm/aesmd.service $out/lib/systemd/system/
mv $sgxPswDir/remount-dev-exec.service $out/lib/systemd/system/
# Move misc files
mkdir $out/share/
mv $sgxPswDir/licenses $out/share/
# Remove unnecessary files
rm $sgxPswDir/{cleanup.sh,startup.sh}
rm -r $sgxPswDir/scripts
mv $sgxPswDir/aesm/ $out/
mkdir $out/bin
makeWrapper $out/aesm/aesm_service $out/bin/aesm_service \
--prefix LD_LIBRARY_PATH : ${lib.makeLibraryPath [ protobuf ]}:$out/aesm \
--chdir "$out/aesm"
# Make sure we didn't forget to handle any files
rmdir $sgxPswDir || (echo "Error: The directory $installDir still contains unhandled files: $(ls -A $installDir)" >&2 && exit 1)
'';
# Most—if not all—of those fixups are not relevant for NixOS as we have our own
# NixOS module which is based on those files without relying on them. Still, it
# is helpful to have properly patched versions for non-NixOS distributions.
postFixup = ''
header "Fixing aesmd.service"
substituteInPlace $out/lib/systemd/system/aesmd.service \
--replace '@aesm_folder@' \
"$out/aesm" \
--replace 'Type=forking' \
'Type=simple' \
--replace "ExecStart=$out/aesm/aesm_service" \
"ExecStart=$out/bin/aesm_service --no-daemon"\
--replace "/bin/mkdir" \
"${coreutils}/bin/mkdir" \
--replace "/bin/chown" \
"${coreutils}/bin/chown" \
--replace "/bin/chmod" \
"${coreutils}/bin/chmod" \
--replace "/bin/kill" \
"${coreutils}/bin/kill"
header "Fixing remount-dev-exec.service"
substituteInPlace $out/lib/systemd/system/remount-dev-exec.service \
--replace '/bin/mount' \
"${util-linux}/bin/mount"
'';
passthru.tests = {
service = nixosTests.aesmd;
};
meta = with lib; {
description = "Intel SGX Architectural Enclave Service Manager";
homepage = "https://github.com/intel/linux-sgx";
maintainers = with maintainers; [ veehaitch citadelcore ];
platforms = [ "x86_64-linux" ];
license = with licenses; [ bsd3 ];
};
}

109
pkgs/os-specific/linux/sgx/samples/default.nix Normal file
View file

@ -0,0 +1,109 @@
{ stdenv
, lib
, makeWrapper
, sgx-sdk
, sgx-psw
, which
# "SIM" or "HW"
, sgxMode
}:
let
isSimulation = sgxMode == "SIM";
buildSample = name: stdenv.mkDerivation {
pname = name;
version = sgxMode;
src = sgx-sdk.out;
sourceRoot = "${sgx-sdk.name}/share/SampleCode/${name}";
nativeBuildInputs = [
makeWrapper
which
];
buildInputs = [
sgx-sdk
];
# The samples don't have proper support for parallel building
# causing them to fail randomly.
enableParallelBuilding = false;
buildFlags = [
"SGX_MODE=${sgxMode}"
];
installPhase = ''
runHook preInstall
mkdir -p $out/{bin,lib}
install -m 755 app $out/bin
install *.so $out/lib
wrapProgram "$out/bin/app" \
--chdir "$out/lib" \
${lib.optionalString (!isSimulation)
''--prefix LD_LIBRARY_PATH : "${lib.makeLibraryPath [ sgx-psw ]}"''}
runHook postInstall
'';
# Breaks the signature of the enclaves
dontFixup = true;
# We don't have access to real SGX hardware during the build
doInstallCheck = isSimulation;
installCheckPhase = ''
runHook preInstallCheck
pushd /
echo a | $out/bin/app
popd
runHook preInstallCheck
'';
};
in
{
cxx11SGXDemo = buildSample "Cxx11SGXDemo";
localAttestation = (buildSample "LocalAttestation").overrideAttrs (oldAttrs: {
installPhase = ''
runHook preInstall
mkdir -p $out/{bin,lib}
install -m 755 bin/app* $out/bin
install bin/*.so $out/lib
for bin in $out/bin/*; do
wrapProgram $bin \
--chdir "$out/lib" \
${lib.optionalString (!isSimulation)
''--prefix LD_LIBRARY_PATH : "${lib.makeLibraryPath [ sgx-psw ]}"''}
done
runHook postInstall
'';
});
powerTransition = buildSample "PowerTransition";
protobufSGXDemo = buildSample "ProtobufSGXDemo";
remoteAttestation = (buildSample "RemoteAttestation").overrideAttrs (oldAttrs: {
# Makefile sets rpath to point to $TMPDIR
preFixup = ''
patchelf --remove-rpath $out/bin/app
'';
postInstall = ''
install sample_libcrypto/*.so $out/lib
'';
});
sampleEnclave = buildSample "SampleEnclave";
sampleEnclavePCL = buildSample "SampleEnclavePCL";
sampleEnclaveGMIPP = buildSample "SampleEnclaveGMIPP";
sealUnseal = (buildSample "SealUnseal").overrideAttrs (oldAttrs: {
prePatch = ''
substituteInPlace App/App.cpp \
--replace '"sealed_data_blob.txt"' '"/tmp/sealed_data_blob.txt"'
'';
});
switchless = buildSample "Switchless";
}

285
pkgs/os-specific/linux/sgx/sdk/default.nix Normal file
View file

@ -0,0 +1,285 @@
{ lib
, stdenv
, fetchFromGitHub
, fetchpatch
, fetchzip
, autoconf
, automake
, binutils
, callPackage
, cmake
, file
, gdb
, git
, libtool
, linkFarmFromDrvs
, nasm
, ocaml
, ocamlPackages
, openssl
, perl
, python3
, texinfo
, validatePkgConfig
, writeShellApplication
, writeShellScript
, writeText
, debug ? false
}:
stdenv.mkDerivation rec {
pname = "sgx-sdk";
# Version as given in se_version.h
version = "2.16.100.4";
# Version as used in the Git tag
versionTag = "2.16";
src = fetchFromGitHub {
owner = "intel";
repo = "linux-sgx";
rev = "sgx_${versionTag}";
hash = "sha256-qgXuJJWiqmcU11umCsE3DnlK4VryuTDAsNf53YPw6UY=";
fetchSubmodules = true;
};
postUnpack = ''
# Make sure this is the right version of linux-sgx
grep -q '"${version}"' "$src/common/inc/internal/se_version.h" \
|| (echo "Could not find expected version ${version} in linux-sgx source" >&2 && exit 1)
'';
patches = [
# Fix missing pthread_compat.h, see https://github.com/intel/linux-sgx/pull/784
(fetchpatch {
url = "https://github.com/intel/linux-sgx/commit/254b58f922a6bd49c308a4f47f05f525305bd760.patch";
sha256 = "sha256-sHU++K7NJ+PdITx3y0PwstA9MVh10rj2vrLn01N9F4w=";
})
];
postPatch = ''
patchShebangs linux/installer/bin/build-installpkg.sh \
linux/installer/common/sdk/createTarball.sh \
linux/installer/common/sdk/install.sh
'';
# We need `cmake` as a build input but don't use it to kick off the build phase
dontUseCmakeConfigure = true;
# SDK built with stackprotector produces broken enclaves which crash at runtime.
# Disable all to be safe, SDK build configures compiler mitigations manually.
hardeningDisable = [ "all" ];
nativeBuildInputs = [
autoconf
automake
cmake
file
git
ocaml
ocamlPackages.ocamlbuild
perl
python3
texinfo
validatePkgConfig
];
buildInputs = [
libtool
openssl
];
BINUTILS_DIR = "${binutils}/bin";
# Build external/ippcp_internal first. The Makefile is rewritten to make the
# build faster by splitting different versions of ipp-crypto builds and to
# avoid patching the Makefile for reproducibility issues.
preBuild =
let
ipp-crypto-no_mitigation = callPackage ./ipp-crypto.nix { };
sgx-asm-pp = "python ${src}/build-scripts/sgx-asm-pp.py --assembler=nasm";
nasm-load = writeShellScript "nasm-load" "${sgx-asm-pp} --MITIGATION-CVE-2020-0551=LOAD $@";
ipp-crypto-cve_2020_0551_load = callPackage ./ipp-crypto.nix {
extraCmakeFlags = [ "-DCMAKE_ASM_NASM_COMPILER=${nasm-load}" ];
};
nasm-cf = writeShellScript "nasm-cf" "${sgx-asm-pp} --MITIGATION-CVE-2020-0551=CF $@";
ipp-crypto-cve_2020_0551_cf = callPackage ./ipp-crypto.nix {
extraCmakeFlags = [ "-DCMAKE_ASM_NASM_COMPILER=${nasm-cf}" ];
};
in
''
header "Setting up IPP crypto build artifacts"
pushd 'external/ippcp_internal'
cp -r ${ipp-crypto-no_mitigation}/include/. inc/
install -D -m a+rw ${ipp-crypto-no_mitigation}/lib/intel64/libippcp.a \
lib/linux/intel64/no_mitigation/libippcp.a
install -D -m a+rw ${ipp-crypto-cve_2020_0551_load}/lib/intel64/libippcp.a \
lib/linux/intel64/cve_2020_0551_load/libippcp.a
install -D -m a+rw ${ipp-crypto-cve_2020_0551_cf}/lib/intel64/libippcp.a \
lib/linux/intel64/cve_2020_0551_cf/libippcp.a
rm inc/ippcp.h
patch ${ipp-crypto-no_mitigation}/include/ippcp.h -i inc/ippcp21u3.patch -o inc/ippcp.h
install -D ${ipp-crypto-no_mitigation.src}/LICENSE license/LICENSE
popd
'';
buildFlags = [
"sdk_install_pkg"
] ++ lib.optionals debug [
"DEBUG=1"
];
enableParallelBuilding = true;
postBuild = ''
patchShebangs linux/installer/bin/sgx_linux_x64_sdk_${version}.bin
'';
installPhase = ''
runHook preInstall
installDir=$TMPDIR
./linux/installer/bin/sgx_linux_x64_sdk_${version}.bin -prefix $installDir
installDir=$installDir/sgxsdk
header "Move files created by installer"
mkdir -p $out/bin
pushd $out
mv $installDir/bin/sgx-gdb $out/bin
mkdir $out/bin/x64
for file in $installDir/bin/x64/*; do
mv $file bin/
ln -sr bin/$(basename $file) bin/x64/
done
rmdir $installDir/bin/{x64,}
# Move `lib64` to `lib` and symlink `lib64`
mv $installDir/lib64 lib
ln -s lib/ lib64
mv $installDir/include/ .
mkdir -p share/
mv $installDir/{SampleCode,licenses} share/
mkdir -p share/bin
mv $installDir/{environment,buildenv.mk} share/bin/
ln -s share/bin/{environment,buildenv.mk} .
# pkgconfig should go to lib/
mv $installDir/pkgconfig lib/
ln -s lib/pkgconfig/ .
# Also create the `sdk_libs` for compat. All the files
# link to libraries in `lib64/`, we shouldn't link the entire
# directory, however, as there seems to be some ambiguity between
# SDK and PSW libraries.
mkdir sdk_libs/
for file in $installDir/sdk_libs/*; do
ln -sr lib/$(basename $file) sdk_libs/
rm $file
done
rmdir $installDir/sdk_libs
# No uninstall script required
rm $installDir/uninstall.sh
# Create an `sgxsdk` symlink which points to `$out` for compat
ln -sr . sgxsdk
# Make sure we didn't forget any files
rmdir $installDir || (echo "Error: The directory $installDir still contains unhandled files: $(ls -A $installDir)" >&2 && exit 1)
popd
runHook postInstall
'';
preFixup = ''
header "Strip sgxsdk prefix"
for path in "$out/share/bin/environment" "$out/bin/sgx-gdb"; do
substituteInPlace $path --replace "$TMPDIR/sgxsdk" "$out"
done
header "Fixing pkg-config files"
sed -i "s|prefix=.*|prefix=$out|g" $out/lib/pkgconfig/*.pc
header "Fixing SGX_SDK default in samples"
substituteInPlace $out/share/SampleCode/LocalAttestation/buildenv.mk \
--replace '/opt/intel/sgxsdk' "$out"
for file in $out/share/SampleCode/*/Makefile; do
substituteInPlace $file \
--replace '/opt/intel/sgxsdk' "$out"
done
header "Fixing BINUTILS_DIR in buildenv.mk"
substituteInPlace $out/share/bin/buildenv.mk \
--replace 'BINUTILS_DIR ?= /usr/local/bin' \
'BINUTILS_DIR ?= ${BINUTILS_DIR}'
header "Fixing GDB path in bin/sgx-gdb"
substituteInPlace $out/bin/sgx-gdb --replace '/usr/local/bin/gdb' '${gdb}/bin/gdb'
'';
doInstallCheck = true;
installCheckPhase = ''
runHook preInstallCheck
# Make sure all symlinks are valid
output=$(find "$out" -type l -exec test ! -e {} \; -print)
if [[ -n "$output" ]]; then
echo "Broken symlinks:"
echo "$output"
exit 1
fi
runHook postInstallCheck
'';
setupHook = writeText "setup-hook.sh" ''
sgxsdk() {
export SGX_SDK=@out@
}
postHooks+=(sgxsdk)
'';
passthru.tests = callPackage ../samples { sgxMode = "SIM"; };
# Run tests in SGX hardware mode on an SGX-enabled machine
# $(nix-build -A sgx-sdk.runTestsHW)/bin/run-tests-hw
passthru.runTestsHW =
let
testsHW = lib.filterAttrs (_: v: v ? "name") (callPackage ../samples { sgxMode = "HW"; });
testsHWLinked = linkFarmFromDrvs "sgx-samples-hw-bundle" (lib.attrValues testsHW);
in
writeShellApplication {
name = "run-tests-hw";
text = ''
for test in ${testsHWLinked}/*; do
printf '*** Running test %s ***\n\n' "$(basename "$test")"
printf 'a\n' | "$test/bin/app"
printf '\n'
done
'';
};
meta = with lib; {
description = "Intel SGX SDK for Linux built with IPP Crypto Library";
homepage = "https://github.com/intel/linux-sgx";
maintainers = with maintainers; [ sbellem arturcygan veehaitch ];
platforms = [ "x86_64-linux" ];
license = with licenses; [ bsd3 ];
};
}

36
pkgs/os-specific/linux/sgx/sdk/ipp-crypto.nix Normal file
View file

@ -0,0 +1,36 @@
{ lib
, stdenv
, fetchFromGitHub
, cmake
, nasm
, openssl
, python3
, extraCmakeFlags ? [ ]
}:
stdenv.mkDerivation rec {
pname = "ipp-crypto";
version = "2021.3";
src = fetchFromGitHub {
owner = "intel";
repo = "ipp-crypto";
rev = "ippcp_${version}";
hash = "sha256-QEJXvQ//zhQqibFxXwPMdS1MHewgyb24LRmkycVSGrM=";
};
# Fix typo: https://github.com/intel/ipp-crypto/pull/33
postPatch = ''
substituteInPlace sources/cmake/ippcp-gen-config.cmake \
--replace 'ippcpo-config.cmake' 'ippcp-config.cmake'
'';
cmakeFlags = [ "-DARCH=intel64" ] ++ extraCmakeFlags;
nativeBuildInputs = [
cmake
nasm
openssl
python3
];
}

95
pkgs/os-specific/linux/sgx/ssl/default.nix Normal file
View file

@ -0,0 +1,95 @@
{ stdenv
, fetchFromGitHub
, fetchpatch
, fetchurl
, lib
, perl
, sgx-sdk
, which
, debug ? false
}:
let
sgxVersion = sgx-sdk.versionTag;
opensslVersion = "1.1.1l";
in
stdenv.mkDerivation rec {
pname = "sgx-ssl" + lib.optionalString debug "-debug";
version = "${sgxVersion}_${opensslVersion}";
src = fetchFromGitHub {
owner = "intel";
repo = "intel-sgx-ssl";
rev = "lin_${sgxVersion}_${opensslVersion}";
hash = "sha256-ibPXs90ni2fkxJ09fNO6wWVpfCFdko6MjBFkEsyIih8=";
};
postUnpack =
let
opensslSourceArchive = fetchurl {
url = "https://www.openssl.org/source/openssl-${opensslVersion}.tar.gz";
hash = "sha256-C3o+XlnDSCf+DDp0t+yLrvMCuY+oAIjX+RU6oW+na9E=";
};
in
''
ln -s ${opensslSourceArchive} $sourceRoot/openssl_source/openssl-${opensslVersion}.tar.gz
'';
patches = [
# https://github.com/intel/intel-sgx-ssl/pull/111
./intel-sgx-ssl-pr-111.patch
];
postPatch = ''
patchShebangs Linux/build_openssl.sh
# Run the test in the `installCheckPhase`, not the `buildPhase`
substituteInPlace Linux/sgx/Makefile \
--replace '$(MAKE) -C $(TEST_DIR) all' \
'bash -c "true"'
'';
enableParallelBuilding = true;
nativeBuildInputs = [
perl
sgx-sdk
stdenv.cc.libc
which
];
makeFlags = [
"-C Linux"
] ++ lib.optionals debug [
"DEBUG=1"
];
installFlags = [
"DESTDIR=$(out)"
];
# Build the test app
#
# Running the test app is currently only supported on Intel CPUs
# and will fail on non-Intel CPUs even in SGX simulation mode.
# Therefore, we only build the test app without running it until
# upstream resolves the issue: https://github.com/intel/intel-sgx-ssl/issues/113
doInstallCheck = true;
installCheckTarget = "all";
installCheckFlags = [
"SGX_MODE=SIM"
"-C sgx/test_app"
"-j 1" # Makefile doesn't support multiple jobs
];
preInstallCheck = ''
# Expects the enclave file in the current working dir
ln -s sgx/test_app/TestEnclave.signed.so .
'';
meta = with lib; {
description = "Cryptographic library for Intel SGX enclave applications based on OpenSSL";
homepage = "https://github.com/intel/intel-sgx-ssl";
maintainers = with maintainers; [ trundle veehaitch ];
platforms = [ "x86_64-linux" ];
license = with licenses; [ bsd3 openssl ];
};
}

99
pkgs/os-specific/linux/sgx/ssl/intel-sgx-ssl-pr-111.patch Normal file
View file

@ -0,0 +1,99 @@
From 1683c336e11b3cbe2b48c1be1c9460a661523c71 Mon Sep 17 00:00:00 2001
From: Vincent Haupert <mail@vincent-haupert.de>
Date: Sat, 8 Jan 2022 17:22:31 +0100
Subject: [PATCH 1/3] Linux: fix Nix detection
Detect the `OS_ID` of Nix by probing for the presence of the `NIX_STORE`
environment variable instead of `NIX_PATH`. The latter is only set in a
`nix-shell` session but isn't when building a derivation through
`nix-build`. In contrast, the `NIX_STORE` environment variable is set in
both cases.
Signed-off-by: Vincent Haupert <mail@vincent-haupert.de>
---
Linux/sgx/buildenv.mk | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/Linux/sgx/buildenv.mk b/Linux/sgx/buildenv.mk
index cd8818e..dac23c7 100644
--- a/Linux/sgx/buildenv.mk
+++ b/Linux/sgx/buildenv.mk
@@ -65,7 +65,7 @@ $(shell mkdir -p $(PACKAGE_LIB))
UBUNTU_CONFNAME:=/usr/include/x86_64-linux-gnu/bits/confname.h
ifneq ("$(wildcard $(UBUNTU_CONFNAME))","")
OS_ID=1
-else ifeq ($(origin NIX_PATH),environment)
+else ifeq ($(origin NIX_STORE),environment)
OS_ID=3
else
OS_ID=2
From f493525face589d759223bfa45bb802c31ddce4f Mon Sep 17 00:00:00 2001
From: Vincent Haupert <mail@vincent-haupert.de>
Date: Sat, 8 Jan 2022 17:33:22 +0100
Subject: [PATCH 2/3] Linux: call binaries relative to PATH
Using an absolute path to call binaries is incompatible with
distributions which do not follow the Filesystem Hierachy Standard;
Nix is an example. Also, it is inconsistent with the rest of the code
base, let alone superfluous.
Signed-off-by: Vincent Haupert <mail@vincent-haupert.de>
---
Linux/build_openssl.sh | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/Linux/build_openssl.sh b/Linux/build_openssl.sh
index 7d77b79..e8b59a1 100755
--- a/Linux/build_openssl.sh
+++ b/Linux/build_openssl.sh
@@ -38,7 +38,7 @@ SGXSSL_ROOT="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
echo $SGXSSL_ROOT
OPENSSL_INSTALL_DIR="$SGXSSL_ROOT/../openssl_source/OpenSSL_install_dir_tmp"
-OPENSSL_VERSION=`/bin/ls $SGXSSL_ROOT/../openssl_source/*1.1.1*.tar.gz | /usr/bin/head -1 | /bin/grep -o '[^/]*$' | /bin/sed -s -- 's/\.tar\.gz//'`
+OPENSSL_VERSION=`ls $SGXSSL_ROOT/../openssl_source/*1.1.1*.tar.gz | head -1 | grep -o '[^/]*$' | sed -s -- 's/\.tar\.gz//'`
if [ "$OPENSSL_VERSION" == "" ]
then
echo "In order to run this script, OpenSSL tar.gz package must be located in openssl_source/ directory."
From fdb883d30fff72b5cfb8c61a2288d3d948f64224 Mon Sep 17 00:00:00 2001
From: Vincent Haupert <mail@vincent-haupert.de>
Date: Tue, 11 Jan 2022 10:56:39 +0100
Subject: [PATCH 3/3] Linux: properly extract GCC major version
Calling `gcc -dumpversion` yields the full version string, e.g.,
`10.3.0`. The `build_openssl.sh` bash script uses the `-ge` number
comparison operator to check if the returned version is at least
8. This results in an error if the returned GCC version includes a patch
version; "10.3.0" isn't a valid number.
This commit fixes the version detection by only extracting the relevant
major version of GCC.
Signed-off-by: Vincent Haupert <mail@vincent-haupert.de>
---
Linux/build_openssl.sh | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/Linux/build_openssl.sh b/Linux/build_openssl.sh
index e8b59a1..6e4046f 100755
--- a/Linux/build_openssl.sh
+++ b/Linux/build_openssl.sh
@@ -82,6 +82,7 @@ fi
MITIGATION_OPT=""
MITIGATION_FLAGS=""
CC_VERSION=`gcc -dumpversion`
+CC_VERSION_MAJOR=`echo "$CC_VERSION" | cut -f1 -d.`
for arg in "$@"
do
case $arg in
@@ -99,7 +100,7 @@ do
;;
-mfunction-return=thunk-extern)
MITIGATION_FLAGS+=" $arg"
- if [[ $CC_VERSION -ge 8 ]] ; then
+ if [[ "$CC_VERSION_MAJOR" -ge 8 ]] ; then
MITIGATION_FLAGS+=" -fcf-protection=none"
fi
shift