Generate an OpenSSL configuration file at build time.

Both sample apps include a template from which an OpenSSL configuration
file is be generated rather than copying one from the SGX SDK.

Signed-off-by: Juan del Cuvillo <[email protected]>

Author: jbdelcuv

Linux/sgx/fips_test/openssl.cnf.tmpl

@@ -0,0 +1,25 @@
+#
+# OpenSSL example configuration file.
+# See https://docs.openssl.org/master/man5/config/ for more info.
+#
+# This is mostly being used for explicitly activating the FIPS
+# provider so the default provider is not activated implicitly.
+#
+
+config_diagnostics = 1
+openssl_conf = openssl_init
+
+[openssl_init]
+providers = provider_sect
+alg_section = algorithm_sect
+
+[provider_sect]
+fips = fips_sect
+base = base_sect
+
+[base_sect]
+activate = 1
+
+[algorithm_sect]
+default_properties = fips=yes
+

Linux/sgx/fips_test/sgx_t.mk

@@ -63,7 +63,7 @@ ifeq ($(DEBUG), 1)
     endif
 endif
 
-# Added to build with SgxSSL library
+# Added to build with the SGX-SSL library
 OPENSSL_LIBRARY_PATH := $(PACKAGE_LIB)/
 TSETJMP_LIB := -lsgx_tsetjmp
 
@@ -88,7 +88,8 @@ else
     Trts_Library_Name := sgx_trts
     Service_Library_Name := sgx_tservice
 endif
-# tRTS library that provides the symbol get_fips_sym_addr()
+
+# tRTS library that provides the symbol sgx_get_fips_sym_addr()
 SGXSSL_FIPS_TLIB = sgx_ossl_fips
 
 ifeq ($(SGX_MODE), HW)
@@ -130,7 +131,12 @@ Enclave_Link_Flags := $(SGX_COMMON_CFLAGS) -Wl,--no-undefined -nostdlib -nodefau
 
 Enclave_Test_Key := $(ENCLAVE_DIR)/enclave_private.pem
 
-.PHONY: all clean
+# OpenSSL configuration file
+OPENSSLCONF:=openssl.cnf
+FIPSMODULECONF:=fipsmodule.cnf
+LIBDIR := lib64
+
+.PHONY: all clean install_conf
 
 all: enclave.signed.so
 
@@ -161,15 +167,20 @@ enclave.so: $(ENCLAVE_DIR)/enclave_t.o $(Enclave_Cpp_Objects) $(Enclave_C_Object
 	$(VCXX) $^ -o $@ $(Enclave_Link_Flags)
 	@echo "LINK =>  $@"
 
-enclave.signed.so: enclave.so
+enclave.signed.so: enclave.so install_conf
 ifeq ($(wildcard $(Enclave_Test_Key)),)
 	@echo "There is no enclave test key <enclave_private.pem>."
 	@echo "The project will generate a key <enclave_private.pem> for testing."
 	@openssl genrsa -out $(Enclave_Test_Key) -3 3072
 endif
 	@echo "SIGN =>  $@"
 	$(SGX_ENCLAVE_SIGNER) sign -key $(Enclave_Test_Key) -enclave enclave.so -out $@ -config $(ENCLAVE_DIR)/enclave.config.xml
-	@cp $(SGX_LIBRARY_PATH)/openssl.cnf .
+
+install_conf:
+	@echo "*** Installing OpenSSL configuration"
+	@echo "install $(OPENSSLCONF) -> $(SGX_SDK)/$(LIBDIR)/$(OPENSSLCONF)"
+	@cp -f $(OPENSSLCONF).tmpl $(OPENSSLCONF)
+	echo ".include $(SGX_SDK)/$(LIBDIR)/$(FIPSMODULECONF)" >> $(OPENSSLCONF)
 
 clean:
 	@rm -f enclave.* $(ENCLAVE_DIR)/enclave_t.* $(Enclave_Cpp_Objects) $(Enclave_C_Objects) $(Enclave_Test_Key)

Linux/sgx/test_app/openssl.cnf.tmpl

@@ -0,0 +1,25 @@
+#
+# OpenSSL example configuration file.
+# See https://docs.openssl.org/master/man5/config/ for more info.
+#
+# This is mostly being used for explicitly activating the FIPS
+# provider so the default provider is not activated implicitly.
+#
+
+config_diagnostics = 1
+openssl_conf = openssl_init
+
+[openssl_init]
+providers = provider_sect
+alg_section = algorithm_sect
+
+[provider_sect]
+fips = fips_sect
+base = base_sect
+
+[base_sect]
+activate = 1
+
+[algorithm_sect]
+default_properties = fips=yes
+

Linux/sgx/test_app/sgx_t.mk

@@ -74,7 +74,7 @@ $(error Cannot set DEBUG and SGX_PRERELEASE at the same time!!)
 endif
 endif
 
-# Added to build with SgxSSL libraries
+# Added to build with the SGX-SSL library
 TSETJMP_LIB := -lsgx_tsetjmp
 OPENSSL_LIBRARY_PATH := $(PACKAGE_LIB)/
 
@@ -130,6 +130,7 @@ SgxSSL_Link_Libraries := -L$(OPENSSL_LIBRARY_PATH) -Wl,--whole-archive -l$(SGXSS
 Security_Link_Flags := -Wl,-z,noexecstack -Wl,-z,relro -Wl,-z,now -pie
 
 ifeq ($(FIPS), 1)
+# tRTS library that provides the symbol sgx_get_fips_sym_addr()
 SGXSSL_FIPS_TLIB = -lsgx_ossl_fips
 endif
 
@@ -145,6 +146,11 @@ TestEnclave_Link_Flags := $(SGX_COMMON_CFLAGS) -Wl,--no-undefined -nostdlib -nod
 
 Enclave_Test_Key := $(ENCLAVE_DIR)/TestEnclave_private_test.pem
 
+# OpenSSL configuration file
+OPENSSLCONF:=openssl.cnf
+FIPSMODULECONF:=fipsmodule.cnf
+LIBDIR := lib64
+
 .PHONY: all test
 
 all: TestEnclave.signed.so
@@ -193,8 +199,8 @@ endif
 	@echo "SIGN =>  $@"
 ifeq ($(FIPS), 1)
 	@$(SGX_ENCLAVE_SIGNER) sign -key $(Enclave_Test_Key) -enclave TestEnclave.so -out $@ -config $(ENCLAVE_DIR)/TestEnclave.fips.config.xml
-	cp $(SGX_LIBRARY_PATH)/openssl.cnf .
-	cp $(SGX_LIBRARY_PATH)/fips.so .
+	@cp -f $(OPENSSLCONF).tmpl $(OPENSSLCONF)
+	echo ".include $(SGX_SDK)/$(LIBDIR)/$(FIPSMODULECONF)" >> $(OPENSSLCONF)
 else
 	@$(SGX_ENCLAVE_SIGNER) sign -key $(Enclave_Test_Key) -enclave TestEnclave.so -out $@ -config $(ENCLAVE_DIR)/TestEnclave.config.xml
 endif