From 1683c336e11b3cbe2b48c1be1c9460a661523c71 Mon Sep 17 00:00:00 2001 From: Vincent Haupert Date: Sat, 8 Jan 2022 17:22:31 +0100 Subject: [PATCH 1/3] Linux: fix Nix detection Detect the `OS_ID` of Nix by probing for the presence of the `NIX_STORE` environment variable instead of `NIX_PATH`. The latter is only set in a `nix-shell` session but isn't when building a derivation through `nix-build`. In contrast, the `NIX_STORE` environment variable is set in both cases. Signed-off-by: Vincent Haupert --- Linux/sgx/buildenv.mk | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Linux/sgx/buildenv.mk b/Linux/sgx/buildenv.mk index cd8818e..dac23c7 100644 --- a/Linux/sgx/buildenv.mk +++ b/Linux/sgx/buildenv.mk @@ -65,7 +65,7 @@ $(shell mkdir -p $(PACKAGE_LIB)) UBUNTU_CONFNAME:=/usr/include/x86_64-linux-gnu/bits/confname.h ifneq ("$(wildcard $(UBUNTU_CONFNAME))","") OS_ID=1 -else ifeq ($(origin NIX_PATH),environment) +else ifeq ($(origin NIX_STORE),environment) OS_ID=3 else OS_ID=2 From f493525face589d759223bfa45bb802c31ddce4f Mon Sep 17 00:00:00 2001 From: Vincent Haupert Date: Sat, 8 Jan 2022 17:33:22 +0100 Subject: [PATCH 2/3] Linux: call binaries relative to PATH Using an absolute path to call binaries is incompatible with distributions which do not follow the Filesystem Hierachy Standard; Nix is an example. Also, it is inconsistent with the rest of the code base, let alone superfluous. Signed-off-by: Vincent Haupert --- Linux/build_openssl.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Linux/build_openssl.sh b/Linux/build_openssl.sh index 7d77b79..e8b59a1 100755 --- a/Linux/build_openssl.sh +++ b/Linux/build_openssl.sh @@ -38,7 +38,7 @@ SGXSSL_ROOT="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )" echo $SGXSSL_ROOT OPENSSL_INSTALL_DIR="$SGXSSL_ROOT/../openssl_source/OpenSSL_install_dir_tmp" -OPENSSL_VERSION=`/bin/ls $SGXSSL_ROOT/../openssl_source/*1.1.1*.tar.gz | /usr/bin/head -1 | /bin/grep -o '[^/]*$' | /bin/sed -s -- 's/\.tar\.gz//'` +OPENSSL_VERSION=`ls $SGXSSL_ROOT/../openssl_source/*1.1.1*.tar.gz | head -1 | grep -o '[^/]*$' | sed -s -- 's/\.tar\.gz//'` if [ "$OPENSSL_VERSION" == "" ] then echo "In order to run this script, OpenSSL tar.gz package must be located in openssl_source/ directory." From fdb883d30fff72b5cfb8c61a2288d3d948f64224 Mon Sep 17 00:00:00 2001 From: Vincent Haupert Date: Tue, 11 Jan 2022 10:56:39 +0100 Subject: [PATCH 3/3] Linux: properly extract GCC major version Calling `gcc -dumpversion` yields the full version string, e.g., `10.3.0`. The `build_openssl.sh` bash script uses the `-ge` number comparison operator to check if the returned version is at least 8. This results in an error if the returned GCC version includes a patch version; "10.3.0" isn't a valid number. This commit fixes the version detection by only extracting the relevant major version of GCC. Signed-off-by: Vincent Haupert --- Linux/build_openssl.sh | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/Linux/build_openssl.sh b/Linux/build_openssl.sh index e8b59a1..6e4046f 100755 --- a/Linux/build_openssl.sh +++ b/Linux/build_openssl.sh @@ -82,6 +82,7 @@ fi MITIGATION_OPT="" MITIGATION_FLAGS="" CC_VERSION=`gcc -dumpversion` +CC_VERSION_MAJOR=`echo "$CC_VERSION" | cut -f1 -d.` for arg in "$@" do case $arg in @@ -99,7 +100,7 @@ do ;; -mfunction-return=thunk-extern) MITIGATION_FLAGS+=" $arg" - if [[ $CC_VERSION -ge 8 ]] ; then + if [[ "$CC_VERSION_MAJOR" -ge 8 ]] ; then MITIGATION_FLAGS+=" -fcf-protection=none" fi shift