!37 linux-sgx升级至v2.15

From: @BornThisWay 
Reviewed-by: @houmingyong 
Signed-off-by: @houmingyong

0001-disable-the-download-process-in-building.patch

@@ -0,0 +1,108 @@
+From d046801c2a6eee21fbf6018ce43588e3fe79a045 Mon Sep 17 00:00:00 2001
+From: wangcheng <wangcheng156@huawei.com>
+Date: Thu, 16 Dec 2021 04:51:21 +0000
+Subject: [PATCH] disable the download process in building
+
+---
+ Makefile                                      |  8 +--
+ .../QuoteVerification/prepare_sgxssl.sh       | 62 +++++++++----------
+ 2 files changed, 35 insertions(+), 35 deletions(-)
+
+diff --git a/Makefile b/Makefile
+index 34d43bad..072c5dd2 100644
+--- a/Makefile
++++ b/Makefile
+@@ -50,13 +50,13 @@ tips:
+ preparation:
+ # As SDK build needs to clone and patch openmp, we cannot support the mode that download the source from github as zip.
+ # Only enable the download from git
+-	git submodule update --init --recursive
+-	./external/dcap_source/QuoteVerification/prepare_sgxssl.sh nobuild
++	# git submodule update --init --recursive
++	# ./external/dcap_source/QuoteVerification/prepare_sgxssl.sh nobuild
+ 	cd external/openmp/openmp_code && git apply ../0001-Enable-OpenMP-in-SGX.patch >/dev/null 2>&1 ||  git apply ../0001-Enable-OpenMP-in-SGX.patch --check -R
+ 	cd external/protobuf/protobuf_code && git apply ../sgx_protobuf.patch >/dev/null 2>&1 ||  git apply ../sgx_protobuf.patch --check -R
+ 	@# download prebuilt binaries
+-	./download_prebuilt.sh
+-	./external/dcap_source/QuoteGeneration/download_prebuilt.sh
++	# ./download_prebuilt.sh
++	# ./external/dcap_source/QuoteGeneration/download_prebuilt.sh
+ 
+ psw:
+ 	$(MAKE) -C psw/ USE_OPT_LIBS=$(USE_OPT_LIBS)
+diff --git a/external/dcap_source/SGXDataCenterAttestationPrimitives-DCAP_1.12.1/QuoteVerification/prepare_sgxssl.sh b/external/dcap_source/SGXDataCenterAttestationPrimitives-DCAP_1.12.1/QuoteVerification/prepare_sgxssl.sh
+index 8a3c9e46..f490a2b7 100755
+--- a/external/dcap_source/SGXDataCenterAttestationPrimitives-DCAP_1.12.1/QuoteVerification/prepare_sgxssl.sh
++++ b/external/dcap_source/SGXDataCenterAttestationPrimitives-DCAP_1.12.1/QuoteVerification/prepare_sgxssl.sh
+@@ -44,37 +44,37 @@ full_openssl_url_old=$server_url_path/old/1.1.1/$openssl_ver_name.tar.gz
+ 
+ sgxssl_chksum=825e58823f2ec39bcfb69c2c62cc4e769bdac057ade10b362cdeac1f5a563954
+ openssl_chksum=0b7a3e5e59c34827fe0c3a74b7ec8baef302b98fa80088d7f9153aa16fa76bd1
+-rm -f check_sum_sgxssl.txt check_sum_openssl.txt
+-if [ ! -f $build_script ]; then
+-	wget $sgxssl_github_archive/$sgxssl_file_name.zip -P $sgxssl_dir/ || exit 1
+-	sha256sum $sgxssl_dir/$sgxssl_file_name.zip > $sgxssl_dir/check_sum_sgxssl.txt
+-	grep $sgxssl_chksum $sgxssl_dir/check_sum_sgxssl.txt
+-	if [ $? -ne 0 ]; then
+-    	echo "File $sgxssl_dir/$sgxssl_file_name.zip checksum failure"
+-      rm -f $sgxssl_dir/$sgxssl_file_name.zip
+-    	exit -1
+-	fi
+-	unzip -qq $sgxssl_dir/$sgxssl_file_name.zip -d $sgxssl_dir/ || exit 1
+-	mv $sgxssl_dir/intel-sgx-ssl-$sgxssl_file_name/* $sgxssl_dir/ || exit 1
+-	rm $sgxssl_dir/$sgxssl_file_name.zip || exit 1
+-	rm -rf $sgxssl_dir/intel-sgx-ssl-$sgxssl_file_name || exit 1
+-fi
+-
+-if [ ! -f $openssl_out_dir/$openssl_ver_name.tar.gz ]; then
+-	wget $full_openssl_url_old -P $openssl_out_dir || wget $full_openssl_url -P $openssl_out_dir || exit 1
+-	sha256sum $openssl_out_dir/$openssl_ver_name.tar.gz > $sgxssl_dir/check_sum_openssl.txt
+-	grep $openssl_chksum $sgxssl_dir/check_sum_openssl.txt
+-	if [ $? -ne 0 ]; then
+-    	echo "File $openssl_out_dir/$openssl_ver_name.tar.gz checksum failure"
+-        rm -f $openssl_out_dir/$openssl_ver_name.tar.gz
+-    	exit -1
+-	fi
+-fi
+-
+-
+-if [ "$1" = "nobuild" ]; then
+-	exit 0
+-fi
++#rm -f check_sum_sgxssl.txt check_sum_openssl.txt
++#if [ ! -f $build_script ]; then
++#	wget $sgxssl_github_archive/$sgxssl_file_name.zip -P $sgxssl_dir/ || exit 1
++#	sha256sum $sgxssl_dir/$sgxssl_file_name.zip > $sgxssl_dir/check_sum_sgxssl.txt
++#	grep $sgxssl_chksum $sgxssl_dir/check_sum_sgxssl.txt
++#	if [ $? -ne 0 ]; then
++#    	echo "File $sgxssl_dir/$sgxssl_file_name.zip checksum failure"
++#      rm -f $sgxssl_dir/$sgxssl_file_name.zip
++#    	exit -1
++#	fi
++#	unzip -qq $sgxssl_dir/$sgxssl_file_name.zip -d $sgxssl_dir/ || exit 1
++#	mv $sgxssl_dir/intel-sgx-ssl-$sgxssl_file_name/* $sgxssl_dir/ || exit 1
++#	rm $sgxssl_dir/$sgxssl_file_name.zip || exit 1
++#	rm -rf $sgxssl_dir/intel-sgx-ssl-$sgxssl_file_name || exit 1
++#fi
++#
++#if [ ! -f $openssl_out_dir/$openssl_ver_name.tar.gz ]; then
++#	wget $full_openssl_url_old -P $openssl_out_dir || wget $full_openssl_url -P $openssl_out_dir || exit 1
++#	sha256sum $openssl_out_dir/$openssl_ver_name.tar.gz > $sgxssl_dir/check_sum_openssl.txt
++#	grep $openssl_chksum $sgxssl_dir/check_sum_openssl.txt
++#	if [ $? -ne 0 ]; then
++#    	echo "File $openssl_out_dir/$openssl_ver_name.tar.gz checksum failure"
++#        rm -f $openssl_out_dir/$openssl_ver_name.tar.gz
++#    	exit -1
++#	fi
++#fi
++#
++#
++#if [ "$1" = "nobuild" ]; then
++#	exit 0
++#fi
+ 
+ pushd $sgxssl_dir/Linux/
+ make clean sgxssl_no_mitigation 
+-- 
+2.27.0
+

0001-fix-error-for-openeuler-building.patch

@@ -1,203 +0,0 @@
-From ffbcce92d6fbd22b2ec6f89696c3866e7f686fb4 Mon Sep 17 00:00:00 2001
-From: c00448856 <chenmaodong@huawei.com>
-Date: Mon, 21 Dec 2020 07:43:39 +0800
-Subject: [PATCH] fit for rpmbuild
-
----
- Makefile                                      |  4 +--
- .../QuoteGeneration/download_prebuilt.sh      | 36 +++++++++----------
- .../rpm/libsgx-ae-qe3/libsgx-ae-qe3.spec      |  1 -
- .../rpm/libsgx-ae-qve/libsgx-ae-qve.spec      |  1 -
- .../QuoteVerification/prepare_sgxssl.sh       | 35 +++++++++---------
- .../rpm/sgx-aesm-service/libsgx-ae-epid.spec  |  1 -
- .../rpm/sgx-aesm-service/libsgx-ae-le.spec    |  1 -
- .../rpm/sgx-aesm-service/libsgx-ae-pce.spec   |  1 -
- 8 files changed, 39 insertions(+), 41 deletions(-)
-
-diff --git a/Makefile b/Makefile
-index 8d803d6..57e8e72 100644
---- a/Makefile
-+++ b/Makefile
-@@ -50,11 +50,11 @@ tips:
- preparation:
- # As SDK build needs to clone and patch openmp, we cannot support the mode that download the source from github as zip.
- # Only enable the download from git
--	git submodule update --init --recursive
-+#	git submodule update --init --recursive
- 	./external/dcap_source/QuoteVerification/prepare_sgxssl.sh nobuild
- 	cd external/openmp/openmp_code && git apply ../0001-Enable-OpenMP-in-SGX.patch >/dev/null 2>&1 ||  git apply ../0001-Enable-OpenMP-in-SGX.patch --check -R
- 	@# download prebuilt binaries
--	./download_prebuilt.sh
-+#	./download_prebuilt.sh
- 	./external/dcap_source/QuoteGeneration/download_prebuilt.sh
- 
- psw:
-diff --git a/external/dcap_source/SGXDataCenterAttestationPrimitives-DCAP_1.8/QuoteGeneration/download_prebuilt.sh b/external/dcap_source/SGXDataCenterAttestationPrimitives-DCAP_1.8/QuoteGeneration/download_prebuilt.sh
-index d07649b..565ee52 100755
---- a/external/dcap_source/SGXDataCenterAttestationPrimitives-DCAP_1.8/QuoteGeneration/download_prebuilt.sh
-+++ b/external/dcap_source/SGXDataCenterAttestationPrimitives-DCAP_1.8/QuoteGeneration/download_prebuilt.sh
-@@ -38,30 +38,30 @@ server_url_path=https://download.01.org/intel-sgx/sgx-dcap/1.8/linux
- server_ae_url=$server_url_path/$ae_file_name
- server_checksum_url=$server_url_path/$checksum_file
- 
--rm -rf $out_dir/$ae_file_name
--wget $server_ae_url -P $out_dir
--if [ $? -ne 0 ]; then
--    echo "Fail to download file $server_ae_url"
--    exit -1
--fi
-+#rm -rf $out_dir/$ae_file_name
-+mv $ae_file_name $out_dir
-+#if [ $? -ne 0 ]; then
-+#    echo "Fail to download file $server_ae_url"
-+#    exit -1
-+#fi
- 
--rm -f $out_dir/$checksum_file
--wget $server_checksum_url -P $out_dir
--if [ $? -ne 0 ]; then
--    echo "Fail to download file $server_checksum_url"
--    exit -1
--fi
-+#rm -f $out_dir/$checksum_file
-+#wget $server_checksum_url -P $out_dir
-+#if [ $? -ne 0 ]; then
-+#    echo "Fail to download file $server_checksum_url"
-+#    exit -1
-+#fi
- 
- pushd $out_dir
- 
--sha256sum -c $checksum_file
--if [ $? -ne 0 ]; then
--    echo "Checksum verification failure"
--    exit -1
--fi
-+#sha256sum -c $checksum_file
-+#if [ $? -ne 0 ]; then
-+#    echo "Checksum verification failure"
-+#    exit -1
-+#fi
- 
- tar -zxf $ae_file_name
- rm -f $ae_file_name
--rm -f $checksum_file
-+#rm -f $checksum_file
- 
- popd
-diff --git a/external/dcap_source/SGXDataCenterAttestationPrimitives-DCAP_1.8/QuoteGeneration/installer/linux/rpm/libsgx-ae-qe3/libsgx-ae-qe3.spec b/external/dcap_source/SGXDataCenterAttestationPrimitives-DCAP_1.8/QuoteGeneration/installer/linux/rpm/libsgx-ae-qe3/libsgx-ae-qe3.spec
-index 7e24818..4955ff6 100644
---- a/external/dcap_source/SGXDataCenterAttestationPrimitives-DCAP_1.8/QuoteGeneration/installer/linux/rpm/libsgx-ae-qe3/libsgx-ae-qe3.spec
-+++ b/external/dcap_source/SGXDataCenterAttestationPrimitives-DCAP_1.8/QuoteGeneration/installer/linux/rpm/libsgx-ae-qe3/libsgx-ae-qe3.spec
-@@ -58,7 +58,6 @@ done
- 
- %files -f %{_specdir}/list-%{name}
- 
--%debug_package
- 
- %changelog
- * Mon Jul 29 2019 SGX Team
-diff --git a/external/dcap_source/SGXDataCenterAttestationPrimitives-DCAP_1.8/QuoteGeneration/installer/linux/rpm/libsgx-ae-qve/libsgx-ae-qve.spec b/external/dcap_source/SGXDataCenterAttestationPrimitives-DCAP_1.8/QuoteGeneration/installer/linux/rpm/libsgx-ae-qve/libsgx-ae-qve.spec
-index d4bb388..65aa3cb 100644
---- a/external/dcap_source/SGXDataCenterAttestationPrimitives-DCAP_1.8/QuoteGeneration/installer/linux/rpm/libsgx-ae-qve/libsgx-ae-qve.spec
-+++ b/external/dcap_source/SGXDataCenterAttestationPrimitives-DCAP_1.8/QuoteGeneration/installer/linux/rpm/libsgx-ae-qve/libsgx-ae-qve.spec
-@@ -58,7 +58,6 @@ done
- 
- %files -f %{_specdir}/list-%{name}
- 
--%debug_package
- 
- %changelog
- * Mon Jul 29 2019 SGX Team
-diff --git a/external/dcap_source/SGXDataCenterAttestationPrimitives-DCAP_1.8/QuoteVerification/prepare_sgxssl.sh b/external/dcap_source/SGXDataCenterAttestationPrimitives-DCAP_1.8/QuoteVerification/prepare_sgxssl.sh
-index 214633e..0dbab9b 100755
---- a/external/dcap_source/SGXDataCenterAttestationPrimitives-DCAP_1.8/QuoteVerification/prepare_sgxssl.sh
-+++ b/external/dcap_source/SGXDataCenterAttestationPrimitives-DCAP_1.8/QuoteVerification/prepare_sgxssl.sh
-@@ -46,14 +46,16 @@ sgxssl_chksum=5fb5328fdd55d643cc125dd43cbd0a1f7d74ead7948b52cf15d8533d47a0d266
- openssl_chksum=ddb04774f1e32f0c49751e21b67216ac87852ceb056b75209af2443400636d46
- rm -f check_sum_sgxssl.txt check_sum_openssl.txt
- if [ ! -f $build_script ]; then
--	wget $sgxssl_github_archive/$sgxssl_file_name.zip -P $sgxssl_dir/ || exit 1
--	sha256sum $sgxssl_dir/$sgxssl_file_name.zip > $sgxssl_dir/check_sum_sgxssl.txt
--	grep $sgxssl_chksum $sgxssl_dir/check_sum_sgxssl.txt
--	if [ $? -ne 0 ]; then
--    	echo "File $sgxssl_dir/$sgxssl_file_name.zip checksum failure"
--      rm -f $sgxssl_dir/$sgxssl_file_name.zip
--    	exit -1
--	fi
-+#	wget $sgxssl_github_archive/$sgxssl_file_name.zip -P $sgxssl_dir/ || exit 1
-+	mkdir -p $sgxssl_dir/
-+	mv ./$sgxssl_file_name.zip  $sgxssl_dir/ || exit 1
-+#	sha256sum $sgxssl_dir/$sgxssl_file_name.zip > $sgxssl_dir/check_sum_sgxssl.txt
-+#	grep $sgxssl_chksum $sgxssl_dir/check_sum_sgxssl.txt
-+#	if [ $? -ne 0 ]; then
-+#    	echo "File $sgxssl_dir/$sgxssl_file_name.zip checksum failure"
-+#      rm -f $sgxssl_dir/$sgxssl_file_name.zip
-+#    	exit -1
-+#	fi
- 	unzip -qq $sgxssl_dir/$sgxssl_file_name.zip -d $sgxssl_dir/ || exit 1
- 	mv $sgxssl_dir/intel-sgx-ssl-$sgxssl_file_name/* $sgxssl_dir/ || exit 1
- 	rm $sgxssl_dir/$sgxssl_file_name.zip || exit 1
-@@ -61,14 +63,15 @@ if [ ! -f $build_script ]; then
- fi
- 
- if [ ! -f $openssl_out_dir/$openssl_ver_name.tar.gz ]; then
--	wget $full_openssl_url_old -P $openssl_out_dir || wget $full_openssl_url -P $openssl_out_dir || exit 1
--	sha256sum $openssl_out_dir/$openssl_ver_name.tar.gz > $sgxssl_dir/check_sum_openssl.txt
--	grep $openssl_chksum $sgxssl_dir/check_sum_openssl.txt
--	if [ $? -ne 0 ]; then
--    	echo "File $openssl_out_dir/$openssl_ver_name.tar.gz checksum failure"
--        rm -f $openssl_out_dir/$openssl_ver_name.tar.gz
--    	exit -1
--	fi
-+#	wget $full_openssl_url_old -P $openssl_out_dir || wget $full_openssl_url -P $openssl_out_dir || exit 1
-+	mv ./$openssl_ver_name.tar.gz $openssl_out_dir || exit 1
-+#	sha256sum $openssl_out_dir/$openssl_ver_name.tar.gz > $sgxssl_dir/check_sum_openssl.txt
-+#	grep $openssl_chksum $sgxssl_dir/check_sum_openssl.txt
-+#	if [ $? -ne 0 ]; then
-+#    	echo "File $openssl_out_dir/$openssl_ver_name.tar.gz checksum failure"
-+#        rm -f $openssl_out_dir/$openssl_ver_name.tar.gz
-+#    	exit -1
-+#	fi
- fi
- 
- 
-diff --git a/linux/installer/rpm/sgx-aesm-service/libsgx-ae-epid.spec b/linux/installer/rpm/sgx-aesm-service/libsgx-ae-epid.spec
-index e467f5c..a999311 100644
---- a/linux/installer/rpm/sgx-aesm-service/libsgx-ae-epid.spec
-+++ b/linux/installer/rpm/sgx-aesm-service/libsgx-ae-epid.spec
-@@ -66,7 +66,6 @@ rm -fr %{?buildroot}/%{name}
- 
- %files -f %{_specdir}/list-%{name}
- 
--%debug_package
- 
- %changelog
- * Mon Jul 29 2019 SGX Team
-diff --git a/linux/installer/rpm/sgx-aesm-service/libsgx-ae-le.spec b/linux/installer/rpm/sgx-aesm-service/libsgx-ae-le.spec
-index 6517977..4421b63 100644
---- a/linux/installer/rpm/sgx-aesm-service/libsgx-ae-le.spec
-+++ b/linux/installer/rpm/sgx-aesm-service/libsgx-ae-le.spec
-@@ -66,7 +66,6 @@ rm -fr %{?buildroot}/%{name}
- 
- %files -f %{_specdir}/list-%{name}
- 
--%debug_package
- 
- %changelog
- * Mon Jul 29 2019 SGX Team
-diff --git a/linux/installer/rpm/sgx-aesm-service/libsgx-ae-pce.spec b/linux/installer/rpm/sgx-aesm-service/libsgx-ae-pce.spec
-index a7ba0e4..9269552 100644
---- a/linux/installer/rpm/sgx-aesm-service/libsgx-ae-pce.spec
-+++ b/linux/installer/rpm/sgx-aesm-service/libsgx-ae-pce.spec
-@@ -65,7 +65,6 @@ rm -fr %{?buildroot}/%{name}
- 
- %files -f %{_specdir}/list-%{name}
- 
--%debug_package
- 
- %changelog
- * Mon Jul 29 2019 SGX Team
--- 
-2.23.0
-

0002-fix-building-error-for-systemd.patch

@@ -12,10 +12,10 @@ Subject: [PATCH] systemd
  linux/installer/common/sgx-aesm-service/startup.sh        | 2 +-
  6 files changed, 14 insertions(+), 14 deletions(-)
 
-diff --git a/external/dcap_source/SGXDataCenterAttestationPrimitives-DCAP_1.8/tools/SGXPlatformRegistration/package/installer/common/sgx-ra-service/Makefile b/external/dcap_source/SGXDataCenterAttestationPrimitives-DCAP_1.8/tools/SGXPlatformRegistration/package/installer/common/sgx-ra-service/Makefile
+diff --git a/external/dcap_source/SGXDataCenterAttestationPrimitives-DCAP_1.12.1/tools/SGXPlatformRegistration/package/installer/common/sgx-ra-service/Makefile b/external/dcap_source/SGXDataCenterAttestationPrimitives-DCAP_1.12.1/tools/SGXPlatformRegistration/package/installer/common/sgx-ra-service/Makefile
 index 1f3efdb..81592b1 100644
---- a/external/dcap_source/SGXDataCenterAttestationPrimitives-DCAP_1.8/tools/SGXPlatformRegistration/package/installer/common/sgx-ra-service/Makefile
+--- a/external/dcap_source/SGXDataCenterAttestationPrimitives-DCAP_1.12.1/tools/SGXPlatformRegistration/package/installer/common/sgx-ra-service/Makefile
-+++ b/external/dcap_source/SGXDataCenterAttestationPrimitives-DCAP_1.8/tools/SGXPlatformRegistration/package/installer/common/sgx-ra-service/Makefile
++++ b/external/dcap_source/SGXDataCenterAttestationPrimitives-DCAP_1.12.1/tools/SGXPlatformRegistration/package/installer/common/sgx-ra-service/Makefile
 @@ -37,9 +37,9 @@ PACKAGES=$(notdir $(wildcard $(PACKAGE_ROOT_FOLDER)/*))
  VAR_OPT_PATH=/var/opt/sgxra
  USR_LIB_PATH=/usr/$(notdir $(shell gcc -print-multi-os-directory))/$(shell dpkg-architecture -qDEB_HOST_MULTIARCH 2> /dev/null)
@@ -29,10 +29,10 @@ index 1f3efdb..81592b1 100644
  
  ifeq ($(RAD_CONF_NAME),)
  ifneq ($(shell awk -F/ '$$2 == "docker"' /proc/self/cgroup),)
-diff --git a/external/dcap_source/SGXDataCenterAttestationPrimitives-DCAP_1.8/tools/SGXPlatformRegistration/package/installer/rpm/sgx-ra-service/sgx-ra-service.spec b/external/dcap_source/SGXDataCenterAttestationPrimitives-DCAP_1.8/tools/SGXPlatformRegistration/package/installer/rpm/sgx-ra-service/sgx-ra-service.spec
+diff --git a/external/dcap_source/SGXDataCenterAttestationPrimitives-DCAP_1.12.1/tools/SGXPlatformRegistration/package/installer/rpm/sgx-ra-service/sgx-ra-service.spec b/external/dcap_source/SGXDataCenterAttestationPrimitives-DCAP_1.12.1/tools/SGXPlatformRegistration/package/installer/rpm/sgx-ra-service/sgx-ra-service.spec
 index 89c1d8d..5c10e80 100644
---- a/external/dcap_source/SGXDataCenterAttestationPrimitives-DCAP_1.8/tools/SGXPlatformRegistration/package/installer/rpm/sgx-ra-service/sgx-ra-service.spec
+--- a/external/dcap_source/SGXDataCenterAttestationPrimitives-DCAP_1.12.1/tools/SGXPlatformRegistration/package/installer/rpm/sgx-ra-service/sgx-ra-service.spec
-+++ b/external/dcap_source/SGXDataCenterAttestationPrimitives-DCAP_1.8/tools/SGXPlatformRegistration/package/installer/rpm/sgx-ra-service/sgx-ra-service.spec
++++ b/external/dcap_source/SGXDataCenterAttestationPrimitives-DCAP_1.12.1/tools/SGXPlatformRegistration/package/installer/rpm/sgx-ra-service/sgx-ra-service.spec
 @@ -72,7 +72,7 @@ MPA_DST_PATH=%{_instal_path}
  
  # Install the MPA service
@@ -43,7 +43,7 @@ index 89c1d8d..5c10e80 100644
      MPA_TEMP=$MPA_DST_PATH/$MPA_NAME
      if [ -d /lib/systemd/system ]; then
 @@ -122,7 +122,7 @@ systemctl start mpa_registration_tool.service
- MPA_DST_PATH=%{_instal_path}
+ MPA_DST_PATH=%{_install_path}
  
  # Disable service
 -if [ -d /run/systemd/system ]; then

add-secure-compilation-options.patch

@@ -0,0 +1,179 @@
+From 89a45f1ce701e168dcab9fa0dadec533eff11d6b Mon Sep 17 00:00:00 2001
+From: houmingyong <houmingyong@huawei.com>
+Date: Mon, 30 May 2022 19:18:21 +0800
+Subject: [PATCH] add-secure-compilation-options
+
+---
+ external/ippcp_internal/Makefile              | 22 +------------------
+ .../ippcp_internal/ipp-crypto/CMakeLists.txt  |  3 +++
+ .../sources/cmake/linux/GNU8.2.0.cmake        |  2 +-
+ .../ippcp/crypto_mb/src/cmake/linux/GNU.cmake |  2 +-
+ .../openmp/openmp_code/final/CMakeLists.txt   |  2 ++
+ .../protobuf_code/cmake/CMakeLists.txt        |  2 ++
+ .../protobuf_code/cmake/install.cmake         |  7 ------
+ .../le_launch_service_bundle/CMakeLists.txt   |  2 +-
+ .../source/core/ipc/CMakeLists.txt            |  1 +
+ .../aesm_service/source/utils/CMakeLists.txt  |  2 +-
+ 10 files changed, 13 insertions(+), 32 deletions(-)
+
+diff --git a/external/ippcp_internal/Makefile b/external/ippcp_internal/Makefile
+index 96187ed..7b5ef26 100644
+--- a/external/ippcp_internal/Makefile
++++ b/external/ippcp_internal/Makefile
+@@ -64,16 +64,6 @@ OUT_DIR = lib/linux/$(ARCH)/$(SUB_DIR)/
+ PATCH_LOG = $(shell cd ./$(IPP_SOURCE) && git log --oneline --grep='IPP crypto for SGX.' | cut -d' ' -f 5)
+ CHECK_PATCHED :=
+ 
+-CHECK_SOURCE :=
+-# For reproducibility build in docker, the code should be 
+-# prepared before build. So skip the code check to avoid
+-# triggering network request 
+-ifneq ($(origin NIX_PATH), environment)
+-ifneq ($(PATCH_LOG), SGX.)
+-CHECK_SOURCE:= ipp_source
+-endif
+-endif
+-
+ .PHONY: all build_ipp
+ all: build_ipp
+ 	# copy the built out lib, header files and license to the target folder
+@@ -84,19 +74,9 @@ all: build_ipp
+ 	$(MKDIR) license
+ 	$(CP) ipp-crypto/LICENSE ./license/
+ 
+-build_ipp: $(CHECK_SOURCE)
++build_ipp:
+ 	cd $(IPP_SOURCE) && $(PRE_CONFIG) cmake CMakeLists.txt $(IPP_CONFIG) && cd build && make ippcp_s
+ 
+-.PHONY: ipp_source
+-ipp_source:
+-ifeq ($(shell git rev-parse --is-inside-work-tree), true)
+-	git submodule update -f --init --recursive --remote -- $(IPP_SOURCE)
+-else
+-	$(RM) -rf $(IPP_SOURCE)
+-	git clone -b ippcp_2021.3 https://github.com/intel/ipp-crypto.git --depth 1 $(IPP_SOURCE)
+-endif
+-	cd $(IPP_SOURCE) && git am ../0001-IPP-crypto-for-SGX.patch
+-
+ .PHONY: clean
+ clean:
+ 	$(RM) -rf ipp-crypto/build
+diff --git a/external/ippcp_internal/ipp-crypto/CMakeLists.txt b/external/ippcp_internal/ipp-crypto/CMakeLists.txt
+index f750c7b..6b1eef3 100644
+--- a/external/ippcp_internal/ipp-crypto/CMakeLists.txt
++++ b/external/ippcp_internal/ipp-crypto/CMakeLists.txt
+@@ -20,6 +20,9 @@
+ 
+ cmake_minimum_required(VERSION 3.12)
+ 
++set(SGX_PROGRAM_SEARCH_PATH)
++LIST(APPEND CMAKE_PROGRAM_PATH "/usr/local/bin/" ${SGX_PROGRAM_SEARCH_PATH} ...)
++
+ include("${CMAKE_CURRENT_SOURCE_DIR}/sources/cmake/ippcp-utils.cmake")
+ ippcp_getlibversion("${CMAKE_CURRENT_SOURCE_DIR}/include/ippversion.h")
+ if ((NOT DEFINED IPPCP_VERSION_MAJOR) OR
+diff --git a/external/ippcp_internal/ipp-crypto/sources/cmake/linux/GNU8.2.0.cmake b/external/ippcp_internal/ipp-crypto/sources/cmake/linux/GNU8.2.0.cmake
+index 24d7e0f..a137ee6 100644
+--- a/external/ippcp_internal/ipp-crypto/sources/cmake/linux/GNU8.2.0.cmake
++++ b/external/ippcp_internal/ipp-crypto/sources/cmake/linux/GNU8.2.0.cmake
+@@ -70,7 +70,7 @@ set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -flto-report")
+ set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -std=c99")
+ if ((${ARCH} MATCHES "ia32") OR (NOT NONPIC_LIB))
+   # Stack-based Buffer Overrun Detection (only when not nonpic intel64)
+-  set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -fstack-protector")
++  set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -fstack-protector-strong")
+ endif()
+ 
+ # Security flag that adds compile-time and run-time checks
+diff --git a/external/ippcp_internal/ipp-crypto/sources/ippcp/crypto_mb/src/cmake/linux/GNU.cmake b/external/ippcp_internal/ipp-crypto/sources/ippcp/crypto_mb/src/cmake/linux/GNU.cmake
+index 5d148a1..0c33a20 100644
+--- a/external/ippcp_internal/ipp-crypto/sources/ippcp/crypto_mb/src/cmake/linux/GNU.cmake
++++ b/external/ippcp_internal/ipp-crypto/sources/ippcp/crypto_mb/src/cmake/linux/GNU.cmake
+@@ -34,7 +34,7 @@ if(${CMAKE_BUILD_TYPE} STREQUAL "Release")
+ endif()
+ 
+ # Stack-based Buffer Overrun Detection
+-set(CMAKE_C_FLAGS_SECURITY "${CMAKE_C_FLAGS_SECURITY} -fstack-protector")
++set(CMAKE_C_FLAGS_SECURITY "${CMAKE_C_FLAGS_SECURITY} -fstack-protector-strong")
+ # Stack-based Buffer Overrun Detection
+ set(CMAKE_C_FLAGS_SECURITY "${CMAKE_C_FLAGS_SECURITY} -fstack-clash-protection")
+ # Position Independent Execution (PIE)
+diff --git a/external/openmp/openmp_code/final/CMakeLists.txt b/external/openmp/openmp_code/final/CMakeLists.txt
+index 597eedc..00ee39e 100644
+--- a/external/openmp/openmp_code/final/CMakeLists.txt
++++ b/external/openmp/openmp_code/final/CMakeLists.txt
+@@ -1,5 +1,7 @@
+ cmake_minimum_required(VERSION 2.8 FATAL_ERROR)
+ 
++add_compile_options(-fstack-protector-strong -O2 -D_FORTIFY_SOURCE=2)
++
+ # Add cmake directory to search for custom cmake functions.
+ set(CMAKE_MODULE_PATH ${CMAKE_CURRENT_SOURCE_DIR}/cmake ${CMAKE_MODULE_PATH})
+ 
+diff --git a/external/protobuf/protobuf_code/cmake/CMakeLists.txt b/external/protobuf/protobuf_code/cmake/CMakeLists.txt
+index 52661f5..ec0b64f 100644
+--- a/external/protobuf/protobuf_code/cmake/CMakeLists.txt
++++ b/external/protobuf/protobuf_code/cmake/CMakeLists.txt
+@@ -1,6 +1,8 @@
+ # Minimum CMake required
+ cmake_minimum_required(VERSION 3.1.3)
+ 
++add_compile_options(-fstack-protector-strong -O2 -D_FORTIFY_SOURCE=2)
++
+ if(protobuf_VERBOSE)
+   message(STATUS "Protocol Buffers Configuring...")
+ endif()
+diff --git a/external/protobuf/protobuf_code/cmake/install.cmake b/external/protobuf/protobuf_code/cmake/install.cmake
+index 4091bc8..8e12831 100644
+--- a/external/protobuf/protobuf_code/cmake/install.cmake
++++ b/external/protobuf/protobuf_code/cmake/install.cmake
+@@ -31,13 +31,6 @@ endforeach()
+ if (protobuf_BUILD_PROTOC_BINARIES)
+   install(TARGETS protoc EXPORT protobuf-targets
+     RUNTIME DESTINATION ${CMAKE_INSTALL_BINDIR} COMPONENT protoc)
+-  if (UNIX AND NOT APPLE)
+-    set_property(TARGET protoc
+-      PROPERTY INSTALL_RPATH "$ORIGIN/../${CMAKE_INSTALL_LIBDIR}")
+-  elseif (APPLE)
+-    set_property(TARGET protoc
+-      PROPERTY INSTALL_RPATH "@loader_path/../lib")
+-  endif()
+ endif (protobuf_BUILD_PROTOC_BINARIES)
+ 
+ install(FILES ${CMAKE_CURRENT_BINARY_DIR}/protobuf.pc ${CMAKE_CURRENT_BINARY_DIR}/protobuf-lite.pc DESTINATION "${CMAKE_INSTALL_LIBDIR}/pkgconfig")
+diff --git a/psw/ae/aesm_service/source/bundles/le_launch_service_bundle/CMakeLists.txt b/psw/ae/aesm_service/source/bundles/le_launch_service_bundle/CMakeLists.txt
+index 9f3aba8..87f6582 100644
+--- a/psw/ae/aesm_service/source/bundles/le_launch_service_bundle/CMakeLists.txt
++++ b/psw/ae/aesm_service/source/bundles/le_launch_service_bundle/CMakeLists.txt
+@@ -28,4 +28,4 @@ add_custom_command(
+ )
+ 
+ target_link_libraries(${bundle} oal utils urts_internal)
+-set_property(TARGET ${bundle} APPEND_STRING PROPERTY LINK_FLAGS " -Wl,-z,defs")
++set_property(TARGET ${bundle} APPEND_STRING PROPERTY LINK_FLAGS " -Wl,-z,defs -O2 -D_FORTIFY_SOURCE=2")
+diff --git a/psw/ae/aesm_service/source/core/ipc/CMakeLists.txt b/psw/ae/aesm_service/source/core/ipc/CMakeLists.txt
+index f233595..72e9246 100644
+--- a/psw/ae/aesm_service/source/core/ipc/CMakeLists.txt
++++ b/psw/ae/aesm_service/source/core/ipc/CMakeLists.txt
+@@ -25,4 +25,5 @@ target_link_libraries(ipc
+     PUBLIC
+     ${PROTOBUF_LIBRARIES}
+ )
++set_property(TARGET ipc APPEND_STRING PROPERTY LINK_FLAGS " -O2 -D_FORTIFY_SOURCE=2")
+ 
+diff --git a/psw/ae/aesm_service/source/utils/CMakeLists.txt b/psw/ae/aesm_service/source/utils/CMakeLists.txt
+index 77aac37..6d17c19 100644
+--- a/psw/ae/aesm_service/source/utils/CMakeLists.txt
++++ b/psw/ae/aesm_service/source/utils/CMakeLists.txt
+@@ -25,7 +25,7 @@ target_compile_definitions(utils PRIVATE
+   $<$<CONFIG:Debug>:DBG_LOG>
+ )
+ 
+-set_property(TARGET utils APPEND_STRING PROPERTY LINK_FLAGS " -Wl,-z,defs")
++set_property(TARGET utils APPEND_STRING PROPERTY LINK_FLAGS " -Wl,-z,defs -O2 -D_FORTIFY_SOURCE=2")
+ 
+ target_link_libraries(utils
+     ${OPENSSL_LIBRARIES}
+-- 
+2.27.0
+

linux-sgx.spec

@@ -1,25 +1,28 @@
 Name:           linux-sgx
-Version:        2.11.100
+Version:        2.15.1
-Release:        10
+Release:        1
 Summary:        Intel(R) Software Guard Extensions for Linux* OS
 ExclusiveArch:	x86_64
 License:        BSD-3-Clause
 URL:            https://github.com/intel/linux-sgx
-Source0:        https://github.com/intel/linux-sgx/archive/sgx_%{version}.tar.gz
+Source0:        https://github.com/intel/linux-sgx/archive/refs/tags/sgx_2.15.1.tar.gz
-Source1:        https://github.com/intel/SGXDataCenterAttestationPrimitives/archive/DCAP_1.8.tar.gz
+Source1:        https://github.com/intel/SGXDataCenterAttestationPrimitives/archive/refs/tags/DCAP_1.12.1.tar.gz
-Source2:        https://github.com/llvm-mirror/openmp/archive/svn-tags/RELEASE_801.zip
+Source2:        https://github.com/llvm-mirror/openmp/archive/svn-tags/openmp_code.tar.gz
-Source3:        https://github.com/oneapi-src/oneDNN/archive/v1.1.1.tar.gz
+Source3:        https://github.com/oneapi-src/oneDNN/archive/oneDNN-2.5.tar.gz
-Source4:        https://github.com/intel/ipp-crypto/archive/ipp-crypto_2019_update5.zip
+Source4:        https://github.com/intel/ipp-crypto/archive/ipp-crypto.tar.gz
-Source5:        https://download.01.org/intel-sgx/sgx-linux/2.11/optimized_libs_2.11.tar.gz
+Source5:        https://download.01.org/intel-sgx/sgx-linux/2.15.1/optimized_libs_2.15.1.tar.gz
-Source6:        https://download.01.org/intel-sgx/sgx-linux/2.11/prebuilt_ae_2.11.tar.gz
+Source6:        https://download.01.org/intel-sgx/sgx-linux/2.15.1/prebuilt_ae_2.15.1.tar.gz
-Source7:        https://github.com/intel/intel-sgx-ssl/archive/lin_2.10_1.1.1g.zip
+Source7:        https://github.com/protocolbuffers/protobuf/archive/refs/tags/protobuf_code.tar.gz
-Source8:        https://www.openssl.org/source/old/1.1.1/openssl-1.1.1g.tar.gz
+Source8:        https://download.01.org/intel-sgx/sgx-dcap/1.9/linux/prebuilt_dcap_1.9.tar.gz
-Source9:        https://download.01.org/intel-sgx/sgx-dcap/1.8/linux/prebuilt_dcap_1.8.tar.gz
+Source9:        https://download.01.org/intel-sgx/sgx-linux/2.15.1/as.ld.objdump.r4.tar.gz
+Source10:       https://github.com/openssl/openssl/archive/refs/tags/openssl-1.1.1l.tar.gz
+Source11:       https://github.com/intel/intel-sgx-ssl/archive/refs/tags/intel-sgx-ssl-lin_2.15.1_1.1.1l.zip
 
-Patch0:         0001-fix-error-for-openeuler-building.patch
+Patch0:         0001-disable-the-download-process-in-building.patch
-Patch1:         0001-fix-building-error-for-systemd.patch
+Patch1:         0002-fix-building-error-for-systemd.patch
+Patch2:         add-secure-compilation-options.patch
 
-BuildRequires:  gcc-c++ protobuf-devel libtool ocaml-ocamlbuild openssl-devel cmake python3-unversioned-command curl-devel createrepo_c git
+BuildRequires:  gcc-c++ protobuf-devel libtool ocaml-ocamlbuild openssl openssl-devel cmake python curl-devel createrepo_c git nasm
 
 Requires:       glibc 
 
@@ -53,7 +56,6 @@ Intel(R) Software Guard Extensions QE3 logic
 
 %package -n sgx-aesm-service
 Summary:    Intel(R) Software Guard Extensions AESM Service
-Requires:   glibc >= 2.28-66.oe1
 %description -n sgx-aesm-service
 Intel(R) Software Guard Extensions AESM Service
 
@@ -176,7 +178,6 @@ Intel(R) Software Guard Extensions Default Quote Provider Library for Developers
 
 %package -n sgx-dcap-pccs
 Summary:	Intel(R) Software Guard Extensions PCK Caching Service
-Requires:	npm
 %description -n sgx-dcap-pccs
 Intel(R) Software Guard Extensions PCK Caching Service
 
@@ -212,7 +213,7 @@ Intel(R) Software Guard Extensions Data Center Attestation Primitives for Develo
 
 %package -n sgx-pck-id-retrieval-tool
 Summary:	Intel(R) Software Guard Extensions:this tool is used to collect the platform information to retrieve the PCK certs from PCS(Provisioning Certification Server)
-Recommends:	libsgx-urts >= 2.11, libsgx-dcap-ql >= %{version}-%{release}, libsgx-ra-uefi >= %{version}-%{release}
+Recommends:	libsgx-urts >= %{version}-%{release}, libsgx-dcap-ql >= %{version}-%{release}, libsgx-ra-uefi >= %{version}-%{release}
 %description -n sgx-pck-id-retrieval-tool
 
 %package -n libsgx-ra-uefi
@@ -243,39 +244,51 @@ Requires:	libsgx-ra-uefi >= %{version}-%{release}, libsgx-ra-network >= %{versio
 %description -n sgx-ra-service
 Intel(R) Software Guard Extensions Registration Agent Service
 
+%package -n libsgx-headers
+Summary:	Intel(R) Software Guard Extensions Basic Headers
+%description -n libsgx-headers
+Intel(R) Software Guard Extensions Basic Headers
+
 %package_help
 %prep
-%setup -q -b 0 -n linux-sgx-sgx_2.11
+%setup -q -b 0 -n linux-sgx-sgx_%{version}
-%%setup -q -D -a 1 -n linux-sgx-sgx_2.11/external/dcap_source
+%%setup -q -D -a 1 -n linux-sgx-sgx_%{version}/external/dcap_source
-%%setup -q -D -a 2 -n linux-sgx-sgx_2.11/external/openmp/openmp_code
+%%setup -q -D -a 2 -n linux-sgx-sgx_%{version}/external/openmp
-%%setup -q -D -a 3 -n linux-sgx-sgx_2.11/external/dnnl/dnnl
+%%setup -q -D -a 3 -n linux-sgx-sgx_%{version}/external/dnnl/dnnl
-%%setup -q -D -a 4 -n linux-sgx-sgx_2.11/external/ippcp_internal/ipp-crypto/
+%%setup -q -D -a 4 -n linux-sgx-sgx_%{version}/external/ippcp_internal
-%%setup -q -D -a 5 -n linux-sgx-sgx_2.11
+%%setup -q -D -a 5 -n linux-sgx-sgx_%{version}
-%%setup -q -D -a 6 -n linux-sgx-sgx_2.11
+%%setup -q -D -a 6 -n linux-sgx-sgx_%{version}
+%%setup -q -D -a 7 -n linux-sgx-sgx_%{version}/external/protobuf
+%%setup -q -D -a 8 -n linux-sgx-sgx_%{version}/external/dcap_source/SGXDataCenterAttestationPrimitives-DCAP_1.12.1/QuoteGeneration
+%%setup -q -D -a 11 -n linux-sgx-sgx_%{version}/external/dcap_source/SGXDataCenterAttestationPrimitives-DCAP_1.12.1/QuoteVerification/
+%%setup -q -D -a 9 -n linux-sgx-sgx_%{version}
+
 %%patch0 -p1
 %%patch1 -p1
+%%patch2 -p1
 
 %build
-cp %{SOURCE7} %{SOURCE8} %{SOURCE9} ./
+
 pushd external/dcap_source/
-mv SGXDataCenterAttestationPrimitives-DCAP_1.8/* SGXDataCenterAttestationPrimitives-DCAP_1.8/.[^.]* .
+mv SGXDataCenterAttestationPrimitives-DCAP_1.12.1/{.[!.],}* .
-rmdir SGXDataCenterAttestationPrimitives-DCAP_1.8
+rm -rf SGXDataCenterAttestationPrimitives-DCAP_1.12.1
 popd
-pushd external/openmp/openmp_code
+
-mv openmp-svn-tags-RELEASE_801/* .
+pushd external/dcap_source/QuoteVerification
-rmdir openmp-svn-tags-RELEASE_801
+mv intel-sgx-ssl-lin_2.15.1_1.1.1l sgxssl
 popd
+
+cp %{SOURCE10} external/dcap_source/QuoteVerification/sgxssl/openssl_source
+
 pushd external/dnnl/dnnl
-mv oneDNN-1.1.1/* oneDNN-1.1.1/.[^.]* .
+mv oneDNN-2.5/{.[!.],}* .
-rmdir oneDNN-1.1.1
+rm -rf oneDNN-2.5
 popd
-pushd external/ippcp_internal/ipp-crypto
+
-mv ipp-crypto-ipp-crypto_2019_update5/* ipp-crypto-ipp-crypto_2019_update5/.[^.]* .
+make -j -C external/ippcp_internal/
-rmdir ipp-crypto-ipp-crypto_2019_update5
+
-popd
-make preparation
 make -j2 sdk_install_pkg_no_mitigation
-linux/installer/bin/sgx_linux_x64_sdk_2.11.100.2.bin --prefix=./
+linux/installer/bin/sgx_linux_x64_sdk_2.15.101.1.bin --prefix=./
 source ./sgxsdk/environment
 
 make -j2 psw
@@ -400,6 +413,11 @@ source ./%{TOOLS_INSTALLER_COMMON_DIR}/sgx-ra-service/installConfig
 mkdir -p %{TOOLS_INSTALLER_RPM_DIR}/sgx-ra-service/build
 tar -xvf %{TOOLS_INSTALLER_COMMON_DIR}/sgx-ra-service/output/${TARBALL_NAME} -C %{TOOLS_INSTALLER_RPM_DIR}/sgx-ra-service/build
 
+source ./%{LINUX_INSTALLER_COMMON_DIR}/libsgx-headers/installConfig
+%{LINUX_INSTALLER_COMMON_DIR}/libsgx-headers/createTarball.sh
+mkdir -p %{LINUX_INSTALLER_RPM_DIR}/libsgx-headers/build
+tar -xvf %{LINUX_INSTALLER_COMMON_DIR}/libsgx-headers/output/${TARBALL_NAME} -C %{LINUX_INSTALLER_RPM_DIR}/libsgx-headers/build
+
 %install
 pushd %{LINUX_INSTALLER_RPM_DIR}/sdk/build
 mkdir %{?buildroot}/sdk-dir/
@@ -480,7 +498,7 @@ popd
 find %{DCAP_LINUX_INSTALLER_RPM_DIR}/sgx-dcap-pccs/build/build/package/licenses/ -type f -print0 | xargs -0 -n1 cat >> %{?buildroot}/sgx-dcap-pccs-dir%{_docdir}/sgx-dcap-pccs/COPYING
 echo "/opt/intel/sgx-dcap-pccs" > %{DCAP_LINUX_INSTALLER_RPM_DIR}/sgx-dcap-pccs/build/list-sgx-dcap-pccs
 echo %{_docdir}/sgx-dcap-pccs/COPYING >> %{DCAP_LINUX_INSTALLER_RPM_DIR}/sgx-dcap-pccs/build/list-sgx-dcap-pccs
-echo "%config /opt/intel/sgx-dcap-pccs/config/production-0.json" >> %{DCAP_LINUX_INSTALLER_RPM_DIR}/sgx-dcap-pccs/build/list-sgx-dcap-pccs
+echo "%config /opt/intel/sgx-dcap-pccs/config/default.json" >> %{DCAP_LINUX_INSTALLER_RPM_DIR}/sgx-dcap-pccs/build/list-sgx-dcap-pccs
 cp -r %{?buildroot}/sgx-dcap-pccs-dir/* %{?buildroot}/
 rm -rf %{?buildroot}/sgx-dcap-pccs-dir/
 
@@ -708,7 +726,17 @@ sed -i 's#^/etc/rad.conf#%config &#' %{TOOLS_INSTALLER_RPM_DIR}/sgx-ra-service/b
 cp -r %{?buildroot}/sgx-ra-service-dir/* %{?buildroot}/
 rm -rf %{?buildroot}/sgx-ra-service-dir/
 
-
+pushd %{LINUX_INSTALLER_RPM_DIR}/libsgx-headers/build
+mkdir %{?buildroot}/libsgx-headers-dir/
+make DESTDIR=%{?buildroot}/libsgx-headers-dir/ install
+install -d %{?buildroot}/libsgx-headers-dir%{_docdir}/libsgx-headers
+popd
+find %{LINUX_INSTALLER_RPM_DIR}/libsgx-headers/build/package/licenses/ -type f -print0 | xargs -0 -n1 cat >> %{?buildroot}/libsgx-headers-dir%{_docdir}/libsgx-headers/COPYING
+for f in $(find %{?buildroot}/libsgx-headers-dir -type f -o -type l); do
+    echo $f | sed -e "s#%{?buildroot}/libsgx-headers-dir##" >> %{LINUX_INSTALLER_RPM_DIR}/libsgx-headers/build/list-libsgx-headers
+done
+cp -r %{?buildroot}/libsgx-headers-dir/* %{?buildroot}/
+rm -rf %{?buildroot}/libsgx-headers-dir/
 
 
 %pre
@@ -717,15 +745,54 @@ rm -rf %{?buildroot}/sgx-ra-service-dir/
 if [ -x /opt/intel/sgx-aesm-service/startup.sh ]; then /opt/intel/sgx-aesm-service/startup.sh; fi
 
 %post -n libsgx-enclave-common
-udevadm trigger &>/dev/null || true
+trigger_udev() {
+    if ! which udevadm &> /dev/null; then
+        return 0
+    fi
+    udevadm control --reload || :
+    udevadm trigger || :
+}
+trigger_udev
 
 %post -n sgx-dcap-pccs
-chown -R $(logname):$(logname) /opt/intel/sgx-dcap-pccs
+PCCS_USER=pccs
-if which pm2 > /dev/null; then
+PCCS_HOME=/opt/intel/sgx-dcap-pccs
-    echo "pm2 is installed, continue ..."
+if [ ! $(getent group $PCCS_USER) ]; then
-else
+    groupadd $PCCS_USER
-    npm install -g pm2
 fi
+if ! id "$PCCS_USER" &>/dev/null; then
+    adduser --system $PCCS_USER -g $PCCS_USER --home $PCCS_HOME --no-create-home --shell /bin/bash
+fi
+chown -R $PCCS_USER:$PCCS_USER $PCCS_HOME
+chmod 640 $PCCS_HOME/config/default.json
+#Install PCCS as system service
+echo -n "Installing PCCS service ..."
+if [ -d /run/systemd/system ]; then
+    PCCS_NAME=pccs.service
+    PCCS_TEMP=$PCCS_HOME/$PCCS_NAME
+    if [ -d /lib/systemd/system ]; then
+        PCCS_DEST=/lib/systemd/system/$PCCS_NAME
+    else
+        PCCS_DEST=/usr/lib/systemd/system/$PCCS_NAME
+    fi
+    cp $PCCS_TEMP $PCCS_DEST
+    chmod 0644 $PCCS_DEST
+    systemctl daemon-reload
+    systemctl enable pccs
+elif [ -d /etc/init/ ]; then
+    PCCS_NAME=pccs.service
+    PCCS_TEMP=$PCCS_HOME/$PCCS_NAME
+    PCCS_DEST=/etc/init/$PCCS_NAME
+    cp $PCCS_TEMP $PCCS_DEST
+    chmod 0644 $PCCS_DEST
+    /sbin/initctl reload-configuration
+else
+    echo " failed."
+    echo "Unsupported platform - neither systemctl nor initctl was found."
+    exit 5
+fi
+echo "finished."
+echo "Installation completed successfully."
 
 %post -n sgx-pck-id-retrieval-tool
 ################################################################################
@@ -733,7 +800,7 @@ fi
 ################################################################################
 
 # Install the SGX_PCK_ID_RETRIEVE_TOOL
-ln -s /opt/intel/sgx-pck-id-retrieval-tool/PCKIDRetrievalTool /usr/local/bin/PCKIDRetrievalTool
+ln -s -f /opt/intel/sgx-pck-id-retrieval-tool/PCKIDRetrievalTool /usr/local/bin/PCKIDRetrievalTool
 retval=$?
 
 if test $retval -ne 0; then
@@ -743,6 +810,20 @@ fi
 
 echo -e "Installation succeed!"
 
+%post -n libsgx-ae-pce
+trigger_udev() {
+    if ! which udevadm &> /dev/null; then
+        return 0
+    fi
+    udevadm control --reload || :
+    udevadm trigger || :
+}
+# Add sgx_prv for in-kernel driver.
+if [ -c /dev/sgx_provision -o -c /dev/sgx/provision ]; then
+    /usr/bin/getent group sgx_prv &> /dev/null || /usr/sbin/groupadd sgx_prv
+    trigger_udev
+fi
+
 %post -n sgx-ra-service
 ################################################################################
 # Set up SGX Registration Agent                                                #
@@ -822,25 +903,44 @@ echo -e "Uninstallation succeed!"
 
 %postun -n sgx-pck-id-retrieval-tool
 # Removing SGX_PCK_ID_RETRIEVE_TOOL soft link file
-rm -f /usr/local/bin/PCKIDRetrievalTool
+if [ "$1" = "0" ]; then
+    rm -f /usr/local/bin/PCKIDRetrievalTool
+fi
 
 echo -e "Uninstallation succeed!"
 
 %preun -n sgx-aesm-service
-if [ -x /opt/intel/sgx-aesm-service/cleanup.sh ]; then /opt/intel/sgx-aesm-service/cleanup.sh; fi
+if [ "$1" = "0" ]; then
-
+    if [ -x /opt/intel/sgx-aesm-service/cleanup.sh ]; then /opt/intel/sgx-aesm-service/cleanup.sh; fi
-%postun -n sgx-dcap-pccs
-if which pm2 > /dev/null; then
-    pm2 stop pccs || true
-    pm2 delete pccs || true
-    pm2cfg=`/bin/su -c "pm2 unstartup | grep 'sudo'" - $(logname)` || true
-    eval $pm2cfg || true
 fi
 
-if [ -d /opt/intel/sgx-dcap-pccs ]; then
+%postun -n sgx-dcap-pccs
-    pushd /opt/intel/sgx-dcap-pccs &> /dev/null
+if [ $1 == 0 ]; then
-    rm -rf node_modules || true
+    echo -n "Uninstalling PCCS service ..."
-    popd &> /dev/null
+    if [ -d /run/systemd/system ]; then
+        PCCS_NAME=pccs.service
+        if [ -d /lib/systemd/system ]; then
+            PCCS_DEST=/lib/systemd/system/$PCCS_NAME
+        else
+            PCCS_DEST=/usr/lib/systemd/system/$PCCS_NAME
+        fi
+        systemctl stop pccs || true
+        systemctl disable pccs || true
+        rm $PCCS_DEST || true
+        systemctl daemon-reload
+    elif [ -d /etc/init/ ]; then
+        PCCS_NAME=pccs.service
+        PCCS_DEST=/etc/init/$PCCS_NAME
+        rm $PCCS_DEST || true
+        /sbin/initctl reload-configuration
+    fi
+    echo "finished."
+
+    if [ -d %{_install_path} ]; then
+        pushd %{_install_path} &> /dev/null
+        rm -rf node_modules || true
+        popd &> /dev/null
+    fi
 fi
 
 
@@ -918,33 +1018,8 @@ fi
 
 %files -n sgx-ra-service -f %{TOOLS_INSTALLER_RPM_DIR}/sgx-ra-service/build/list-sgx-ra-service
 
+%files -n libsgx-headers -f %{LINUX_INSTALLER_RPM_DIR}/libsgx-headers/build/list-libsgx-headers
+
 %changelog
-* Wed Sep 8 2021 wangcheng <wangcheng156@huawei.com> - 2.11.100-10
+* Mon Jun 13 2022 wangyu <wangyu283@huawei.com> - 2.15.1-1
-- rebuild sgxsdk install package
-
-* Mon Jul 19 2021 chenmaodong <chenmaodong@huawei.com> - 2.11.100-9
-- add glibc as requires for sgx-aesm-service
-
-* Thu Jul 1 2021 chenmaodong <chenmaodong@huawei.com> - 2.11.100-8
-- add buildrequires to linux-sgx 
-
-* Fri Apr 9 2021 chenmaodong <chenmaodong@huawei.com> - 2.11.100-7
-- build with debuginfo package
-
-* Tue Mar 9 2021 chenmaodong <chenmaodong@huawei.com> - 2.11.100-6
-- fix aesmd service start error
-
-* Mon Mar 8 2021 chenmaodong <chenmaodong@huawei.com> - 2.11.100-5
-- rewrite spec
-
-* Sat Feb 20 2021 chenmaodong <chenmaodong@huawei.com> - 2.11-4
-- add new symbol in Provides item
-
-* Sat Feb 20 2021 chenmaodong <chenmaodong@huawei.com> - 2.11-3
-- fix license error in spec
-
-* Mon Jan 18 2021 chenmaodong <chenmaodong@huawei.com> - 2.11-2
-- fix arm building error
-
-* Thu Dec 29 2020 chenmaodong <chenmaodong@huawei.com> - 2.11-1
 - init