Linux 2.18 Open Source Gold Release

Along with the latest processor microcode address CVE-2022-21233.
  Modified the Switchless library to have mitigations for the associated issue.
Added support for the Linux kernel APIs for the Enclave Dynamic Memory
  Management (EDMM) features that are available with the Linux kernel v6.0 or
  later. Refer to the SGX SDK developer reference for details on new trusted
  APIs and enclave configuration for the EDMM features.
Enabled C++17 within SGX SDK.
Supported AMX (Advanced Matrix Extensions) in Enclave.
Replace hardcoded Enclave signing keys in all sample projects with dynamically
generated keys.
Added a new API to allow user to configure enclave internal cache size in the
  Protected File System library.
Upgraded to OpenSSL 1.1.1q and upgraded Intel(R) SGX Quote Verification Enclave
  to integrate SgxSSL/OpenSSL version 1.1.1q.
Supported new OS: Ubuntu* 22.04 LTS 64-bit Server version, CentOS* 8.3 64bits,
  Red Hat* Enterprise Linux* Server 8.6 (for x86_64), SUSE* Linux* Enterprise
  Server 15.4 64bits, Debian* 10 and Anolis* OS 8.6.
Upgraded Intel SGX QE3 to make it backward compatible.
Improved ECDSA quote generation and verification performance by caching PCK
  certificates and collaterals in memory and disk drive.
Added Java support for quote verification library.
Added new APIs to unify Intel SGX and TDX quote verification in Quote
  Verification Library.
Added Advisory ID in ECDSA quote verification supplemental data.
Added Intel TDX support in RA-TLS (Remote Attestation based TLS) library.
Improved TDX quote generation throughput in vsock mode.
Added Rust support for TDX quote generation.
Fixed bugs.

Signed-off-by: Li, Xun <[email protected]>

Author: llly

.gitmodules

@@ -16,4 +16,7 @@
 [submodule "external/protobuf/protobuf_code"]
 	path = external/protobuf/protobuf_code
 	url = https://github.com/protocolbuffers/protobuf.git
-	branch = 3.20.x
+	branch = v3.20.1
+[submodule "external/sgx-emm/emm_src"]
+	path = external/sgx-emm/emm_src
+	url = https://github.com/intel/sgx-emm.git

Makefile

@@ -54,6 +54,7 @@ preparation:
 	./external/dcap_source/QuoteVerification/prepare_sgxssl.sh nobuild
 	cd external/openmp/openmp_code && git apply ../0001-Enable-OpenMP-in-SGX.patch >/dev/null 2>&1 ||  git apply ../0001-Enable-OpenMP-in-SGX.patch --check -R
 	cd external/protobuf/protobuf_code && git apply ../sgx_protobuf.patch >/dev/null 2>&1 ||  git apply ../sgx_protobuf.patch --check -R
+	./external/sgx-emm/create_symlink.sh
 	@# download prebuilt binaries
 	./download_prebuilt.sh
 	./external/dcap_source/QuoteGeneration/download_prebuilt.sh

Makefile.psw_dcap

@@ -64,12 +64,19 @@ ippcp:
 	$(MAKE) -C external/ippcp_internal/
 
 sdk: ippcp
-	$(MAKE) -C sdk/ USE_OPT_LIBS=$(USE_OPT_LIBS)
+	$(MAKE) -C sdk/ MITIGATION-CVE-2020-0551=LOAD
+	$(MAKE) -C sdk/ clean
+	$(MAKE) -C sdk/ MITIGATION-CVE-2020-0551=CF
+	$(MAKE) -C sdk/ clean
+	$(MAKE) -C sdk/
+	$(MAKE) -C external/dcap_source/QuoteVerification/dcap_tvl MITIGATION-CVE-2020-0551=LOAD
+	$(MAKE) -C external/dcap_source/QuoteVerification/dcap_tvl MITIGATION-CVE-2020-0551=CF clean
+	$(MAKE) -C external/dcap_source/QuoteVerification/dcap_tvl MITIGATION-CVE-2020-0551=CF
 	$(MAKE) -C external/dcap_source/QuoteVerification/dcap_tvl clean
 	$(MAKE) -C external/dcap_source/QuoteVerification/dcap_tvl
 
 install_sdk: sdk
-	./linux/installer/bin/build-installpkg.sh sdk
+	./linux/installer/bin/build-installpkg.sh sdk cve-2020-0551
 ifeq ($(call DIR_EXISTS,$(SGX_SDK)),)
 	./linux/installer/bin/sgx_linux_x64_sdk_*.bin --prefix=$(dir $(SGX_SDK))
 endif

Makefile.psw_tdx

@@ -0,0 +1,81 @@
+#
+# Copyright (C) 2011-2021 Intel Corporation. All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions
+# are met:
+#
+#   * Redistributions of source code must retain the above copyright
+#     notice, this list of conditions and the following disclaimer.
+#   * Redistributions in binary form must reproduce the above copyright
+#     notice, this list of conditions and the following disclaimer in
+#     the documentation and/or other materials provided with the
+#     distribution.
+#   * Neither the name of Intel Corporation nor the names of its
+#     contributors may be used to endorse or promote products derived
+#     from this software without specific prior written permission.
+#
+# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+# "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+# LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
+# A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
+# OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+# SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
+# LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+# DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+# THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+# (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+# OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+#
+#
+
+include buildenv.mk
+
+define DIR_EXISTS
+$(shell test -d $(1) && echo "$(1)")
+endef
+
+SGX_SDK := /tmp/intel/sgxsdk
+export SGX_SDK
+
+.PHONY: build psw dcap install clean sdk install_sdk ippcp
+
+build: psw dcap
+
+psw: install_sdk
+	@$(MAKE) -C psw/urts/linux/ USE_OPT_LIBS=$(USE_OPT_LIBS)
+
+dcap: install_sdk
+	@$(MAKE) -C external/dcap_source/
+
+install:
+	@$(MAKE) -I linux/installer/common/psw-tdx -f linux/installer/common/psw-tdx/Makefile SRCDIR=. DESTDIR=$(DESTDIR) install
+
+clean:
+	@$(MAKE) -C psw/urts/linux/       clean
+	@$(MAKE) -C external/dcap_source/ clean
+	@$(MAKE) -C sdk/                  clean
+	@$(MAKE) -C external/ippcp_internal/ clean
+ifneq ($(call DIR_EXISTS,$(SGX_SDK)),)
+	$(SGX_SDK)/uninstall.sh
+endif
+
+ippcp:
+	$(MAKE) -C external/ippcp_internal/
+sdk: ippcp
+	$(MAKE) -C sdk/ MITIGATION-CVE-2020-0551=LOAD
+	$(MAKE) -C sdk/ clean
+	$(MAKE) -C sdk/ MITIGATION-CVE-2020-0551=CF
+	$(MAKE) -C sdk/ clean
+	$(MAKE) -C sdk/
+	$(MAKE) -C external/dcap_source/QuoteVerification/dcap_tvl MITIGATION-CVE-2020-0551=LOAD
+	$(MAKE) -C external/dcap_source/QuoteVerification/dcap_tvl MITIGATION-CVE-2020-0551=CF clean
+	$(MAKE) -C external/dcap_source/QuoteVerification/dcap_tvl MITIGATION-CVE-2020-0551=CF
+	$(MAKE) -C external/dcap_source/QuoteVerification/dcap_tvl clean
+	$(MAKE) -C external/dcap_source/QuoteVerification/dcap_tvl
+
+install_sdk: sdk
+	./linux/installer/bin/build-installpkg.sh sdk cve-2020-0551
+ifeq ($(call DIR_EXISTS,$(SGX_SDK)),)
+	./linux/installer/bin/sgx_linux_x64_sdk_*.bin --prefix=$(dir $(SGX_SDK))
+endif