Upgrade the SGX-SSL library to utilize OpenSSL 3.0.17 while leaving OpenSSL 3.1.6 to provide FIPS support.
Signed-off-by: Juan del Cuvillo <juan.b.del.cuvillo@intel.com>
The Intel® Software Guard Extensions SSL (Intel® SGX SSL) cryptographic library is intended to provide cryptographic services for Intel® Software Guard Extensions (SGX) enclave applications.
9
9
The Intel® SGX SSL cryptographic library is based on the underlying OpenSSL* Open Source project, providing a full-strength general purpose cryptography library.
10
10
11
-
This branch supports OpenSSL version 3.1.*, but works in 1.1.1 compatible mode.
11
+
This branch supports the OpenSSL 3.0 series, but works in 1.1.1 compatible mode.
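Review bot: The rewritten sentence says this branch supports the OpenSSL 3.0 series, but the FIPS section added further down also requires an OpenSSL 3.1.6 tarball, and the commit message pins 3.0.17; a reader who stops at the intro will conclude 3.1.x is unsupported. Suggest: `This branch builds against the OpenSSL 3.0 series (currently 3.0.17) in 1.1.1 compatible mode; the experimental FIPS build additionally uses OpenSSL 3.1.6 for the FIPS provider.`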
(Note: Perl, NASM need to be included in machine's PATH variable)
36
37
37
-
To build Intel® SGX SSL package in Windows OS:
38
-
1. Download OpenSSL package into openssl_source/ directory. (tar.gz package, e.g. openssl-3.1.*.tar.gz)
39
-
2. Download and install latest SGX SDK from [Intel Developer Zone](https://software.intel.com/en-us/sgx-sdk/download). You can find installation guide from the same website.
38
+
### Building
39
+
40
+
To build the Intel® SGX SSL package in Windows OS:
41
+
1. Download the OpenSSL package into the openssl_source/ directory. (tar.gz package, e.g. openssl-3.0.*.tar.gz)
42
+
2. Download and install the latest SGX SDK from [Intel Developer Zone](https://software.intel.com/en-us/sgx-sdk/download). You can find the installation guide in the same website.
40
43
3. Change the directory to the SGXSSL path and enter the following command:
This will build the Intel® SGX SSL libraries (libsgx_tsgxssl.lib, libsgx_usgxssl.lib, libsgx_tsgxssl_crypto.lib), which can be found in package/lib/{Win32|X64}/{debug|release}/. And the version with CVE-2020-0551 Mitigation enabled can be found in package/lib/X64/{CVE-2020-0551-CF-Release|CVE-2020-0551-Load-Release}/.
47
+
This builds the Intel® SGX SSL libraries (libsgx_tsgxssl.lib, libsgx_usgxssl.lib, libsgx_tsgxssl_crypto.lib) that can be found in package/lib/{Win32|X64}/{debug|release}/. The version with CVE-2020-0551 mitigation enabled can be found in package/lib/X64/{CVE-2020-0551-CF-Release|CVE-2020-0551-Load-Release}/.
48
+
49
+
## Linux
45
50
46
-
Linux
47
-
----------------------------
48
51
### Prerequisites
49
52
- Perl
50
53
- Toolchain with mitigation (refer to [SGX Linux README](https://github.com/intel/linux-sgx/blob/master/README.md))
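Review bot: "You can find the installation guide in the same website" (Windows step 2) should read "on the same website"; the Linux step 2 below repeats the phrase. Since this change introduces a "### Building" heading for Windows, the PATH note for Perl and NASM above it would read better under a matching "### Prerequisites" heading, mirroring the Linux section, if one is not already there.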
51
-
- Intel(R) SGX Linux latest release, including SDK, PSW, and driver
54
+
- Intel(R) SGX Linux latest release, including SDKand PSW.
52
55
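Review bot: Typo in the rewritten prerequisite: "SDKand PSW." is missing a space ("SDK and PSW."). The old line also listed the driver; if it was dropped because the SGX driver is now in the kernel, say so (e.g. "SDK and PSW; an in-kernel SGX driver is assumed") so users on older kernels know they still need the out-of-tree driver.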
53
-
To build Intel® SGX SSL package in Linux OS:
54
-
=======
55
-
1. Download OpenSSL 3.1.* package into openssl_source/ directory. (tar.gz package, e.g. openssl-3.1.*.tar.gz)
56
-
2. Download and install latest SGX SDK from [01.org](https://download.01.org/intel-sgx/latest/). You can find the installation guide in the same website.
56
+
### Building
57
+
58
+
To build the Intel® SGX SSL package in Linux OS:
59
+
1. Download the OpenSSL 3.0.* package into openssl_source/ directory. (tar.gz package, e.g. openssl-3.0.*.tar.gz)
60
+
2. Download and install the latest SGX SDK from [01.org](https://download.01.org/intel-sgx/latest/). You can find the installation guide in the same website.
57
61
3. Source SGX SDK's environment variables.
58
-
4.Cd to Linux/ directory and run:
62
+
4.Change into the Linux/ directory and run:
59
63
```
60
64
make all test
61
65
```
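Review bot: "4.Change into the Linux/ directory and run:" still lacks the space after "4." that the old "4.Cd" line lacked, so the list item may not render as a numbered step; step 1 should also read "into the openssl_source/ directory" to match the Windows wording. Good to see the stray "=======" conflict marker removed from the old text.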
62
-
This will build and test the Intel® SGX SSL libraries (libsgx_tsgxssl.a, libsgx_usgxssl.a, libsgx_tsgxssl_crypto.a), which can be found in package/lib64/. And the Intel® SGX SSL trusted libraries (libsgx_tsgxssl.lib, libsgx_tsgxssl_crypto.lib) with CVE-2020-0551 Mitigation enabled can be found in package/lib64/{cve_2020_0551_cf|cve_2020_0551_load}/.
66
+
This builds and tests the Intel® SGX SSL libraries (libsgx_tsgxssl.a, libsgx_usgxssl.a, libsgx_tsgxssl_crypto.a), which can be found in package/lib64/. The Intel® SGX SSL trusted libraries (libsgx_tsgxssl.lib, libsgx_tsgxssl_crypto.lib) with CVE-2020-0551 mitigation enabled can be found in package/lib64/{cve_2020_0551_cf|cve_2020_0551_load}/.
63
67
64
68
### Available `make` flags:
65
69
- DEBUG={1,0}: Libraries build mode, with debug symbols or without. Default ``0``.
66
70
- NO_THREADS={1,0}: Enable ``no-threads`` in the OpenSSL's build configuration options. Default ``0``.
67
71
- SGX_MODE={HW,SIM}: User can take ``SIM`` to run the unit test on non-SGX platform if necessary. Default ``HW``.
68
72
- DESTDIR=\<PATH\>: Directory realpath to install Intel® SGX SSL libraries in. Default ``/opt/intel/sgxssl/``.
69
73
- VERBOSE={1,0}: Makefile verbose mode. Print compilation commands before executing it. Default ``0``.
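Review bot: The rewritten output paragraph carries over the wrong extensions from the old line: on Linux the CVE-2020-0551 trusted libraries under package/lib64/{cve_2020_0551_cf|cve_2020_0551_load}/ are static archives, so they should be listed as libsgx_tsgxssl.a and libsgx_tsgxssl_crypto.a, consistent with the .a names earlier in the same sentence; .lib is the Windows naming used in the section above.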
70
-
- OSSL3ONLY={1,0}: USE only OpenSSL 3.x APIs, and legacy functions will not be valid. Default ``0``.
74
+
- OSSL3ONLY={1,0}: Use only OpenSSL 3.x APIs, and legacy functions will not be valid. Default ``0``.
75
+
- FIPS={1,0}: Use the OpenSSL FIPS provider as an experimental feature. Default ``0``.
71
76
72
77
To install Intel® SGX SSL libraries in Linux OS, run:
73
78
```
74
79
make all test
75
80
sudo make install
76
81
```
77
82
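Review bot: The new FIPS flag is documented in isolation; only the section at the bottom tells the reader that FIPS=1 is Linux-only and needs a second OpenSSL tarball. Suggest saying so on the flag line: "- FIPS={1,0}: Build with the OpenSSL FIPS provider (experimental, Linux only; requires an additional OpenSSL 3.1.6 package, see the OpenSSL FIPS Provider section below). Default ``0``." The retouched OSSL3ONLY line still says legacy functions "will not be valid"; "are not available" is clearer.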
78
-
Note for Version 3.*
79
-
--------------------
80
-
To use the trusted cryptography library with SGX SSL/OpenSSL 3.*, it possibly needs to increase the value in the enclave signing configuration XML file:
83
+
## Note for Version 3.*
84
+
85
+
To use the trusted cryptography library with SGX SSL/OpenSSL 3.*, especially for the multithreaded enclaves, you may need to increase the enclave heap size adjusting the enclave signing configuration XML file:
81
86
```
82
87
...
83
88
<HeapMaxSize>...</HeapMaxSize>
84
89
...
85
90
```
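Review bot: Grammar in the rewritten heap note: "increase the enclave heap size adjusting the enclave signing configuration XML file" needs "by adjusting". Now that the sentence names the trigger (multithreaded enclaves), it would help to give the smallest <HeapMaxSize> value known to work, if one has been established, rather than leaving only "...".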
86
-
, especially for the enclave with multithreads.
91
+
92
+
## OpenSSL FIPS Provider
93
+
94
+
As an experimental feature, the SGX SDK supports building the SGX SSL library using the OpenSSL FIPS provider, instead of the default provider. Note: This feature is only supported on Linux and OpenSSL 3.1.6. You must download two separate OpenSSL packages: one from the OpenSSL 3.0 series and one for OpenSSL 3.1.6.
95
+
To build and install the Intel® SGX SSL package and the OpenSSL FIPS provider run:
96
+
97
+
```
98
+
make all FIPS=1
99
+
sudo make install
100
+
```
101
+
102
+
You may build and run one or both test programs that utilize the FIPS provider. The `FIPS=1` option must be specified; otherwise, a linker error will occur.
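Review bot: The FIPS section leaves the build procedure underspecified in three places. First, "the SGX SDK supports building the SGX SSL library" should be "Intel® SGX SSL supports building"; the SDK is a prerequisite, not the component doing the build. Second, it says two OpenSSL packages must be downloaded but not where the 3.1.6 tarball goes or how the Makefile distinguishes the two, and step 1 of the Linux build only mentions the 3.0.* tarball, so a reader following the steps in order will miss it. Third, "one or both test programs" names neither program nor the command to build and run them, and the install recipe uses `make all FIPS=1` where the non-FIPS recipe uses `make all test`; state whether the `test` target works with FIPS=1 and, if not, how the FIPS test programs are exercised.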