Merge pull request #254845 from phlip9/update-sgx-2.21

sgx-sdk: 2.16 -> 2.21

pkgs/os-specific/linux/sgx/azure-dcap-client/default.nix

@@ -1,6 +1,5 @@
 { stdenv
 , fetchFromGitHub
-, fetchurl
 , lib
 , curl
 , nlohmann_json
@@ -9,7 +8,6 @@
 , linkFarmFromDrvs
 , callPackage
 }:
-
 let
   # Although those headers are also included in the source of `sgx-psw`, the `azure-dcap-client` build needs specific versions
   filterSparse = list: ''
@@ -18,19 +16,11 @@ let
     cp ${lib.concatStringsSep " " list} "$out/"
   '';
   headers = linkFarmFromDrvs "azure-dcpa-client-intel-headers" [
-    (fetchFromGitHub rec {
-      name = "${repo}-headers";
-      owner = "intel";
-      repo = "SGXDataCenterAttestationPrimitives";
-      rev = "0436284f12f1bd5da7e7a06f6274d36b4c8d39f9";
-      sparseCheckout = [ "QuoteGeneration/quote_wrapper/common/inc/sgx_ql_lib_common.h" ];
-      hash = "sha256-ipKpYHbiwjCUXF/pCArJZy5ko1YX2wqMMdSnMUzhkgY=";
-      postFetch = filterSparse sparseCheckout;
-    })
     (fetchFromGitHub rec {
       name = "${repo}-headers";
       owner = "intel";
       repo = "linux-sgx";
+      # See: <src/Linux/configure> for the revision `azure-dcap-client` uses.
       rev = "1ccf25b64abd1c2eff05ead9d14b410b3c9ae7be";
       hash = "sha256-WJRoS6+NBVJrFmHABEEDpDhW+zbWFUl65AycCkRavfs=";
       sparseCheckout = [
@@ -44,13 +34,13 @@ let
 in
 stdenv.mkDerivation rec {
   pname = "azure-dcap-client";
-  version = "1.11.2";
+  version = "1.12.1";
 
   src = fetchFromGitHub {
     owner = "microsoft";
     repo = pname;
     rev = version;
-    hash = "sha256-EYj3jnzTyJRl6N7avNf9VrB8r9U6zIE6wBNeVsMtWCA=";
+    hash = "sha256-q0dI4WdA1ue4sw+QfSherh31Ldf9gnhoft66o3E9gnU=";
   };
 
   nativeBuildInputs = [

pkgs/os-specific/linux/sgx/azure-dcap-client/test-suite.nix

@@ -3,12 +3,16 @@
 , gtest
 , makeWrapper
 }:
-sgx-azure-dcap-client.overrideAttrs (oldAttrs: {
-  nativeBuildInputs = oldAttrs.nativeBuildInputs ++ [
+sgx-azure-dcap-client.overrideAttrs (old: {
+  nativeBuildInputs = old.nativeBuildInputs ++ [
     makeWrapper
     gtest
   ];
 
+  patches = [
+    ./tests-missing-includes.patch
+  ];
+
   buildFlags = [
     "tests"
   ];
@@ -22,6 +26,7 @@ sgx-azure-dcap-client.overrideAttrs (oldAttrs: {
   '';
 
   postFixup = ''
-    wrapProgram "$out/bin/tests" --prefix LD_LIBRARY_PATH : "${lib.makeLibraryPath [ sgx-azure-dcap-client ]}"
+    wrapProgram "$out/bin/tests" \
+      --prefix LD_LIBRARY_PATH : "${lib.makeLibraryPath [ sgx-azure-dcap-client ]}"
   '';
 })

pkgs/os-specific/linux/sgx/azure-dcap-client/tests-missing-includes.patch

@@ -0,0 +1,12 @@
+diff --git a/src/UnitTest/test_local_cache.cpp b/src/UnitTest/test_local_cache.cpp
+index 5fbc31b..6b8d52e 100644
+--- a/src/UnitTest/test_local_cache.cpp
++++ b/src/UnitTest/test_local_cache.cpp
+@@ -5,6 +5,7 @@
+ #include <gtest/gtest.h>
+ 
+ #undef NDEBUG // ensure that asserts are never compiled out
++#include <array>
+ #include <cassert>
+ #include <cstdio>
+ #include <cstring>

pkgs/os-specific/linux/sgx/psw/default.nix

@@ -5,15 +5,11 @@
 , coreutils
 , curl
 , file
-, glibc
 , makeWrapper
 , nixosTests
 , protobuf
 , python3
 , sgx-sdk
-, shadow
-, systemd
-, util-linux
 , which
 , debug ? false
 }:
@@ -23,16 +19,21 @@ stdenv.mkDerivation rec {
 
   postUnpack =
     let
+      # Fetch the pre-built, Intel-signed Architectural Enclaves (AE). They help
+      # run user application enclaves, verify launch policies, produce remote
+      # attestation quotes, and do platform certification.
       ae.prebuilt = fetchurl {
         url = "https://download.01.org/intel-sgx/sgx-linux/${versionTag}/prebuilt_ae_${versionTag}.tar.gz";
-        hash = "sha256-JriA9UGYFkAPuCtRizk8RMM1YOYGR/eO9ILnx47A40s=";
+        hash = "sha256-IckW4p1XWkWCDCErXyTtnKYKeAUaCrp5iAMsRBMjLX0=";
       };
+      # Also include the Data Center Attestation Primitives (DCAP) platform
+      # enclaves.
       dcap = rec {
-        version = "1.13";
+        version = "1.18";
         filename = "prebuilt_dcap_${version}.tar.gz";
         prebuilt = fetchurl {
           url = "https://download.01.org/intel-sgx/sgx-dcap/${version}/linux/${filename}";
-          hash = "sha256-0kD6hxN8qZ/7/H99aboQx7Qg7ewmYPEexoU6nqczAik=";
+          hash = "sha256-9ceys7ozOEienug+9MTZ6dw3nx7VBfxLNiwhZYv4SzY=";
         };
       };
     in
@@ -75,9 +76,6 @@ stdenv.mkDerivation rec {
 
   dontUseCmakeConfigure = true;
 
-  # Randomly fails if enabled
-  enableParallelBuilding = false;
-
   buildFlags = [
     "psw_install_pkg"
   ] ++ lib.optionals debug [
@@ -120,8 +118,18 @@ stdenv.mkDerivation rec {
     rm $sgxPswDir/{cleanup.sh,startup.sh}
     rm -r $sgxPswDir/scripts
 
+    # Move aesmd binaries/libraries/enclaves
     mv $sgxPswDir/aesm/ $out/
 
+    # We absolutely MUST avoid stripping or patching these ".signed.so" SGX
+    # enclaves. Stripping would change each enclave measurement (hash of the
+    # binary).
+    #
+    # We're going to temporarily move these enclave libs to another directory
+    # until after stripping/patching in the fixupPhase.
+    mkdir $TMPDIR/enclaves
+    mv $out/aesm/*.signed.so* $TMPDIR/enclaves
+
     mkdir $out/bin
     makeWrapper $out/aesm/aesm_service $out/bin/aesm_service \
       --suffix LD_LIBRARY_PATH : ${lib.makeLibraryPath [ protobuf ]}:$out/aesm \
@@ -131,10 +139,23 @@ stdenv.mkDerivation rec {
     rmdir $sgxPswDir || (echo "Error: The directory $installDir still contains unhandled files: $(ls -A $installDir)" >&2 && exit 1)
   '';
 
-  # Most—if not all—of those fixups are not relevant for NixOS as we have our own
-  # NixOS module which is based on those files without relying on them. Still, it
-  # is helpful to have properly patched versions for non-NixOS distributions.
+  stripDebugList = [
+    "lib"
+    "bin"
+    # Also strip binaries/libs in the `aesm` directory
+    "aesm"
+  ];
+
   postFixup = ''
+    # Move the SGX enclaves back after everything else has been stripped.
+    mv $TMPDIR/enclaves/*.signed.so* $out/aesm/
+    rmdir $TMPDIR/enclaves
+
+    # Fixup the aesmd systemd service
+    #
+    # Most—if not all—of those fixups are not relevant for NixOS as we have our own
+    # NixOS module which is based on those files without relying on them. Still, it
+    # is helpful to have properly patched versions for non-NixOS distributions.
     echo "Fixing aesmd.service"
     substituteInPlace $out/lib/systemd/system/aesmd.service \
       --replace '@aesm_folder@' \
@@ -151,11 +172,6 @@ stdenv.mkDerivation rec {
                 "${coreutils}/bin/chmod" \
       --replace "/bin/kill" \
                 "${coreutils}/bin/kill"
-
-    echo "Fixing remount-dev-exec.service"
-    substituteInPlace $out/lib/systemd/system/remount-dev-exec.service \
-      --replace '/bin/mount' \
-                "${util-linux}/bin/mount"
   '';
 
   passthru.tests = {

pkgs/os-specific/linux/sgx/samples/default.nix

@@ -1,6 +1,7 @@
 { stdenv
 , lib
 , makeWrapper
+, openssl
 , sgx-sdk
 , sgx-psw
 , which
@@ -18,6 +19,7 @@ let
 
     nativeBuildInputs = [
       makeWrapper
+      openssl
       which
     ];
 
@@ -66,7 +68,9 @@ let
 in
 {
   cxx11SGXDemo = buildSample "Cxx11SGXDemo";
-  localAttestation = (buildSample "LocalAttestation").overrideAttrs (oldAttrs: {
+  cxx14SGXDemo = buildSample "Cxx14SGXDemo";
+  cxx17SGXDemo = buildSample "Cxx17SGXDemo";
+  localAttestation = (buildSample "LocalAttestation").overrideAttrs (old: {
     installPhase = ''
       runHook preInstall
 
@@ -86,7 +90,7 @@ in
   });
   powerTransition = buildSample "PowerTransition";
   protobufSGXDemo = buildSample "ProtobufSGXDemo";
-  remoteAttestation = (buildSample "RemoteAttestation").overrideAttrs (oldAttrs: {
+  remoteAttestation = (buildSample "RemoteAttestation").overrideAttrs (old: {
     # Makefile sets rpath to point to $TMPDIR
     preFixup = ''
       patchelf --remove-rpath $out/bin/app
@@ -97,13 +101,40 @@ in
     '';
   });
   sampleEnclave = buildSample "SampleEnclave";
-  sampleEnclavePCL = buildSample "SampleEnclavePCL";
   sampleEnclaveGMIPP = buildSample "SampleEnclaveGMIPP";
-  sealUnseal = (buildSample "SealUnseal").overrideAttrs (oldAttrs: {
+  sampleMbedCrypto = buildSample "SampleMbedCrypto";
+  sealUnseal = (buildSample "SealUnseal").overrideAttrs (old: {
     prePatch = ''
       substituteInPlace App/App.cpp \
         --replace '"sealed_data_blob.txt"' '"/tmp/sealed_data_blob.txt"'
     '';
   });
   switchless = buildSample "Switchless";
+  # # Requires SGX-patched openssl (sgxssl) build
+  # sampleAttestedTLS = buildSample "SampleAttestedTLS";
+} // lib.optionalAttrs (!isSimulation) {
+  # # Requires kernel >= v6.2 && HW SGX
+  # sampleAEXNotify = buildSample "SampleAEXNotify";
+
+  # Requires HW SGX
+  sampleCommonLoader = (buildSample "SampleCommonLoader").overrideAttrs (old: {
+    nativeBuildInputs = [ sgx-psw ] ++ old.nativeBuildInputs;
+
+    installPhase = ''
+      runHook preInstall
+
+      mkdir -p $out/{bin,lib}
+      mv sample app
+      install -m 755 app $out/bin
+
+      wrapProgram "$out/bin/app" \
+        --chdir "$out/lib" \
+        --prefix LD_LIBRARY_PATH : "${lib.makeLibraryPath [sgx-psw]}"
+
+      runHook postInstall
+    '';
+  });
+
+  # # SEGFAULTs in simulation mode?
+  # sampleEnclavePCL = buildSample "SampleEnclavePCL";
 }

pkgs/os-specific/linux/sgx/sdk/default.nix

@@ -2,7 +2,6 @@
 , stdenv
 , fetchFromGitHub
 , fetchpatch
-, fetchzip
 , autoconf
 , automake
 , binutils
@@ -13,10 +12,9 @@
 , git
 , libtool
 , linkFarmFromDrvs
-, nasm
 , ocaml
 , ocamlPackages
-, openssl_1_1
+, openssl
 , perl
 , python3
 , texinfo
@@ -29,15 +27,15 @@
 stdenv.mkDerivation rec {
   pname = "sgx-sdk";
   # Version as given in se_version.h
-  version = "2.16.100.4";
+  version = "2.21.100.1";
   # Version as used in the Git tag
-  versionTag = "2.16";
+  versionTag = "2.21";
 
   src = fetchFromGitHub {
     owner = "intel";
     repo = "linux-sgx";
     rev = "sgx_${versionTag}";
-    hash = "sha256-qgXuJJWiqmcU11umCsE3DnlK4VryuTDAsNf53YPw6UY=";
+    hash = "sha256-Yo2G0H0XUI2p9W7lDRLkFHw2t8X1220brGohQJ0r2WY=";
     fetchSubmodules = true;
   };
 
@@ -55,10 +53,32 @@ stdenv.mkDerivation rec {
     })
   ];
 
+  # There's a `make preparation` step that downloads some prebuilt binaries and
+  # applies some patches to the in-repo git submodules. We can't just run it,
+  # since it downloads things, so this step just extracts the patching steps.
   postPatch = ''
     patchShebangs linux/installer/bin/build-installpkg.sh \
       linux/installer/common/sdk/createTarball.sh \
-      linux/installer/common/sdk/install.sh
+      linux/installer/common/sdk/install.sh \
+      external/sgx-emm/create_symlink.sh
+
+    echo "Running 'make preparation' but without download steps"
+
+    # Seems to download something. Build currently uses ipp-crypto and not
+    # sgxssl so probably not an issue.
+    # $ ./external/dcap_source/QuoteVerification/prepare_sgxssl.sh nobuild
+
+    pushd external/openmp/openmp_code
+      git apply ../0001-Enable-OpenMP-in-SGX.patch >/dev/null 2>&1 \
+        || git apply ../0001-Enable-OpenMP-in-SGX.patch --check -R
+    popd
+
+    pushd external/protobuf/protobuf_code
+      git apply ../sgx_protobuf.patch >/dev/null 2>&1 \
+        || git apply ../sgx_protobuf.patch --check -R
+    popd
+
+    ./external/sgx-emm/create_symlink.sh
   '';
 
   # We need `cmake` as a build input but don't use it to kick off the build phase
@@ -84,7 +104,7 @@ stdenv.mkDerivation rec {
 
   buildInputs = [
     libtool
-    openssl_1_1
+    openssl
   ];
 
   BINUTILS_DIR = "${binutils}/bin";
@@ -123,7 +143,7 @@ stdenv.mkDerivation rec {
         lib/linux/intel64/cve_2020_0551_cf/libippcp.a
 
       rm inc/ippcp.h
-      patch ${ipp-crypto-no_mitigation}/include/ippcp.h -i inc/ippcp21u3.patch -o inc/ippcp.h
+      patch ${ipp-crypto-no_mitigation}/include/ippcp.h -i inc/ippcp21u7.patch -o inc/ippcp.h
 
       install -D ${ipp-crypto-no_mitigation.src}/LICENSE license/LICENSE
 
@@ -136,8 +156,6 @@ stdenv.mkDerivation rec {
     "DEBUG=1"
   ];
 
-  enableParallelBuilding = true;
-
   postBuild = ''
     patchShebangs linux/installer/bin/sgx_linux_x64_sdk_${version}.bin
   '';
@@ -166,6 +184,11 @@ stdenv.mkDerivation rec {
     mv $installDir/lib64 lib
     ln -s lib/ lib64
 
+    # Fixup the symlinks for libsgx_urts.so.* -> libsgx_urts.so
+    for file in lib/libsgx_urts.so.*; do
+      ln -srf lib/libsgx_urts.so $file
+    done
+
     mv $installDir/include/ .
 
     mkdir -p share/
@@ -204,7 +227,6 @@ stdenv.mkDerivation rec {
     runHook postInstall
   '';
 
-
   preFixup = ''
     echo "Strip sgxsdk prefix"
     for path in "$out/share/bin/environment" "$out/bin/sgx-gdb"; do

pkgs/os-specific/linux/sgx/sdk/ipp-crypto.nix

@@ -1,36 +1,28 @@
-{ lib
-, gcc11Stdenv
+{ gcc11Stdenv
 , fetchFromGitHub
 , cmake
 , nasm
-, openssl_1_1
+, openssl
 , python3
 , extraCmakeFlags ? [ ]
 }:
-
 gcc11Stdenv.mkDerivation rec {
   pname = "ipp-crypto";
-  version = "2021.3";
+  version = "2021.9.0";
 
   src = fetchFromGitHub {
     owner = "intel";
     repo = "ipp-crypto";
     rev = "ippcp_${version}";
-    hash = "sha256-QEJXvQ//zhQqibFxXwPMdS1MHewgyb24LRmkycVSGrM=";
+    hash = "sha256-+ITnxyrkDQp4xRa+PVzXdYsSkI5sMNwQGfGU+lFJ6co=";
   };
 
-  # Fix typo: https://github.com/intel/ipp-crypto/pull/33
-  postPatch = ''
-    substituteInPlace sources/cmake/ippcp-gen-config.cmake \
-      --replace 'ippcpo-config.cmake' 'ippcp-config.cmake'
-  '';
-
   cmakeFlags = [ "-DARCH=intel64" ] ++ extraCmakeFlags;
 
   nativeBuildInputs = [
     cmake
     nasm
-    openssl_1_1
+    openssl
     python3
   ];
 }

pkgs/os-specific/linux/sgx/ssl/default.nix

@@ -1,8 +1,8 @@
 { stdenv
 , fetchFromGitHub
-, fetchpatch
 , fetchurl
 , lib
+, openssl
 , perl
 , sgx-sdk
 , which
@@ -10,9 +10,9 @@
 }:
 let
   sgxVersion = sgx-sdk.versionTag;
-  opensslVersion = "1.1.1l";
+  opensslVersion = "1.1.1u";
 in
-stdenv.mkDerivation rec {
+stdenv.mkDerivation {
   pname = "sgx-ssl" + lib.optionalString debug "-debug";
   version = "${sgxVersion}_${opensslVersion}";
 
@@ -20,25 +20,20 @@ stdenv.mkDerivation rec {
     owner = "intel";
     repo = "intel-sgx-ssl";
     rev = "lin_${sgxVersion}_${opensslVersion}";
-    hash = "sha256-ibPXs90ni2fkxJ09fNO6wWVpfCFdko6MjBFkEsyIih8=";
+    hash = "sha256-zbXEQz72VUPqnGrboX6oXliaLpbcos7tV6K9lX+zleg=";
   };
 
   postUnpack =
     let
       opensslSourceArchive = fetchurl {
         url = "https://www.openssl.org/source/openssl-${opensslVersion}.tar.gz";
-        hash = "sha256-C3o+XlnDSCf+DDp0t+yLrvMCuY+oAIjX+RU6oW+na9E=";
+        hash = "sha256-4vjYS1I+7NBse+diaDA3AwD7zBU4a/UULXJ1j2lj68Y=";
       };
     in
     ''
       ln -s ${opensslSourceArchive} $sourceRoot/openssl_source/openssl-${opensslVersion}.tar.gz
     '';
 
-  patches = [
-    # https://github.com/intel/intel-sgx-ssl/pull/111
-    ./intel-sgx-ssl-pr-111.patch
-  ];
-
   postPatch = ''
     patchShebangs Linux/build_openssl.sh
 
@@ -48,8 +43,6 @@ stdenv.mkDerivation rec {
                 'bash -c "true"'
   '';
 
-  enableParallelBuilding = true;
-
   nativeBuildInputs = [
     perl
     sgx-sdk
@@ -68,28 +61,21 @@ stdenv.mkDerivation rec {
   ];
 
   # Build the test app
-  #
-  # Running the test app is currently only supported on Intel CPUs
-  # and will fail on non-Intel CPUs even in SGX simulation mode.
-  # Therefore, we only build the test app without running it until
-  # upstream resolves the issue: https://github.com/intel/intel-sgx-ssl/issues/113
   doInstallCheck = true;
-  installCheckTarget = "all";
+  installCheckTarget = "test";
   installCheckFlags = [
     "SGX_MODE=SIM"
-    "-C sgx/test_app"
     "-j 1" # Makefile doesn't support multiple jobs
   ];
-  preInstallCheck = ''
-    # Expects the enclave file in the current working dir
-    ln -s sgx/test_app/TestEnclave.signed.so .
-  '';
+  nativeInstallCheckInputs = [
+    openssl
+  ];
 
   meta = with lib; {
     description = "Cryptographic library for Intel SGX enclave applications based on OpenSSL";
     homepage = "https://github.com/intel/intel-sgx-ssl";
     maintainers = with maintainers; [ trundle veehaitch ];
     platforms = [ "x86_64-linux" ];
-    license = with licenses; [ bsd3 openssl ];
+    license = [ licenses.bsd3 licenses.openssl ];
   };
 }

pkgs/os-specific/linux/sgx/ssl/intel-sgx-ssl-pr-111.patch

@@ -1,99 +0,0 @@
-From 1683c336e11b3cbe2b48c1be1c9460a661523c71 Mon Sep 17 00:00:00 2001
-From: Vincent Haupert <mail@vincent-haupert.de>
-Date: Sat, 8 Jan 2022 17:22:31 +0100
-Subject: [PATCH 1/3] Linux: fix Nix detection
-
-Detect the `OS_ID` of Nix by probing for the presence of the `NIX_STORE`
-environment variable instead of `NIX_PATH`. The latter is only set in a
-`nix-shell` session but isn't when building a derivation through
-`nix-build`. In contrast, the `NIX_STORE` environment variable is set in
-both cases.
-
-Signed-off-by: Vincent Haupert <mail@vincent-haupert.de>
----
- Linux/sgx/buildenv.mk | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/Linux/sgx/buildenv.mk b/Linux/sgx/buildenv.mk
-index cd8818e..dac23c7 100644
---- a/Linux/sgx/buildenv.mk
-+++ b/Linux/sgx/buildenv.mk
-@@ -65,7 +65,7 @@ $(shell mkdir -p $(PACKAGE_LIB))
- UBUNTU_CONFNAME:=/usr/include/x86_64-linux-gnu/bits/confname.h
- ifneq ("$(wildcard $(UBUNTU_CONFNAME))","")
- 	OS_ID=1
--else ifeq ($(origin NIX_PATH),environment)
-+else ifeq ($(origin NIX_STORE),environment)
- 	OS_ID=3
- else
- 	OS_ID=2
-
-From f493525face589d759223bfa45bb802c31ddce4f Mon Sep 17 00:00:00 2001
-From: Vincent Haupert <mail@vincent-haupert.de>
-Date: Sat, 8 Jan 2022 17:33:22 +0100
-Subject: [PATCH 2/3] Linux: call binaries relative to PATH
-
-Using an absolute path to call binaries is incompatible with
-distributions which do not follow the Filesystem Hierachy Standard;
-Nix is an example. Also, it is inconsistent with the rest of the code
-base, let alone superfluous.
-
-Signed-off-by: Vincent Haupert <mail@vincent-haupert.de>
----
- Linux/build_openssl.sh | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/Linux/build_openssl.sh b/Linux/build_openssl.sh
-index 7d77b79..e8b59a1 100755
---- a/Linux/build_openssl.sh
-+++ b/Linux/build_openssl.sh
-@@ -38,7 +38,7 @@ SGXSSL_ROOT="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
- echo $SGXSSL_ROOT
- 
- OPENSSL_INSTALL_DIR="$SGXSSL_ROOT/../openssl_source/OpenSSL_install_dir_tmp"
--OPENSSL_VERSION=`/bin/ls $SGXSSL_ROOT/../openssl_source/*1.1.1*.tar.gz | /usr/bin/head -1 | /bin/grep -o '[^/]*$' | /bin/sed -s -- 's/\.tar\.gz//'`
-+OPENSSL_VERSION=`ls $SGXSSL_ROOT/../openssl_source/*1.1.1*.tar.gz | head -1 | grep -o '[^/]*$' | sed -s -- 's/\.tar\.gz//'`
- if [ "$OPENSSL_VERSION" == "" ] 
- then
- 	echo "In order to run this script, OpenSSL tar.gz package must be located in openssl_source/ directory."
-
-From fdb883d30fff72b5cfb8c61a2288d3d948f64224 Mon Sep 17 00:00:00 2001
-From: Vincent Haupert <mail@vincent-haupert.de>
-Date: Tue, 11 Jan 2022 10:56:39 +0100
-Subject: [PATCH 3/3] Linux: properly extract GCC major version
-
-Calling `gcc -dumpversion` yields the full version string, e.g.,
-`10.3.0`. The `build_openssl.sh` bash script uses the `-ge` number
-comparison operator to check if the returned version is at least
-8. This results in an error if the returned GCC version includes a patch
-version; "10.3.0" isn't a valid number.
-
-This commit fixes the version detection by only extracting the relevant
-major version of GCC.
-
-Signed-off-by: Vincent Haupert <mail@vincent-haupert.de>
----
- Linux/build_openssl.sh | 3 ++-
- 1 file changed, 2 insertions(+), 1 deletion(-)
-
-diff --git a/Linux/build_openssl.sh b/Linux/build_openssl.sh
-index e8b59a1..6e4046f 100755
---- a/Linux/build_openssl.sh
-+++ b/Linux/build_openssl.sh
-@@ -82,6 +82,7 @@ fi
- MITIGATION_OPT=""
- MITIGATION_FLAGS=""
- CC_VERSION=`gcc -dumpversion`
-+CC_VERSION_MAJOR=`echo "$CC_VERSION" | cut -f1 -d.`
- for arg in "$@"
- do
-     case $arg in
-@@ -99,7 +100,7 @@ do
-         ;;
-     -mfunction-return=thunk-extern)
-         MITIGATION_FLAGS+=" $arg"
--        if [[ $CC_VERSION -ge 8 ]] ; then
-+        if [[ "$CC_VERSION_MAJOR" -ge 8 ]] ; then
-             MITIGATION_FLAGS+=" -fcf-protection=none"
-         fi
-         shift