Intel(R) SGX DCAP 1.19 Release

Resigned all Intel SGX Architecture Enclaves.
Upgraded Intel SGX Quote Verification Enclave to integrate OpenSSL/SgxSSL 3.0.10.
Added Attestation Library support for Intel(R) TDX Migration TD.
Added Rust wrapper for low-level Quote Generation APIs.
Enabled `SE_TRACE` log in release binary.
Updated Rust QVL wrapper to use native Rust structure for quote verification
  collateral.
Added a limitation in the DCAP QVL to only allow the user to set the QvE load
  policy once.
Fixed bugs.

Signed-off-by: Li, Xun <[email protected]>

QuoteGeneration/README.md

@@ -39,7 +39,7 @@ For Windows* OS
 **NOTE**:`sgx_dcap_dev.inf` is for Windows* Server 2016 LTSC and `sgx_dcap.inf` is for Windows* Server 2019 LTSC.
 
 ## How to install
-   Refer to the *"Installation Instructions"* section in the [Intel(R) Software Guard Extensions: Data Center Attestation Primitives Installation Guide For Windows* OS](https://download.01.org/intel-sgx/sgx-dcap/1.18/windows/docs/Intel_SGX_DCAP_Windows_SW_Installation_Guide.pdf) to install the right packages on your platform.
+   Refer to the *"Installation Instructions"* section in the [Intel(R) Software Guard Extensions: Data Center Attestation Primitives Installation Guide For Windows* OS](https://download.01.org/intel-sgx/sgx-dcap/1.19/windows/docs/Intel_SGX_DCAP_Windows_SW_Installation_Guide.pdf) to install the right packages on your platform.
 
 
 For Linux* OS

QuoteGeneration/common/inc/internal/se_trace.h

@@ -43,16 +43,28 @@
 
 typedef enum
 {
+    SE_TRACE_NONE,
     SE_TRACE_ERROR,
     SE_TRACE_WARNING,
     SE_TRACE_NOTICE,
     SE_TRACE_DEBUG
 } se_trace_t;
 
+#ifdef _WIN32
+#ifndef SE_DEBUG_LEVEL
+/* Each module need define their own SE_DEBUG_LEVEL */
+#define sgx_trace_loglevel SE_TRACE_ERROR
+#else
+#define sgx_trace_loglevel SE_DEBUG_LEVEL
+#endif
+#else /* _WIN32 */
 #ifndef SE_DEBUG_LEVEL
 /* Each module need define their own SE_DEBUG_LEVEL */
-#define SE_DEBUG_LEVEL SE_TRACE_ERROR
+__attribute__((weak)) se_trace_t sgx_trace_loglevel = SE_TRACE_NONE;
+#else
+__attribute__((weak)) se_trace_t sgx_trace_loglevel = (se_trace_t)SE_DEBUG_LEVEL;
 #endif
+#endif /* _WIN32 */
 
 #ifdef __cplusplus
 extern "C" {
@@ -69,45 +81,47 @@ extern void sgx_proc_log_report(int channel, int level, const char* format, ...)
 #endif 
 #else
 void  __attribute__((weak)) sgx_proc_log_report(int level, const char* format, ...);
+
+typedef void (*sgx_logging_callback_t)(int level, const char* message);
+
+__attribute__((weak)) sgx_logging_callback_t sgx_trace_logger_callback = NULL;
 #endif
 #ifdef __cplusplus
 }
 #endif
 
-
 /* For libraries, we usually define DISABLE_TRACE to disable any trace. */
 /* For apps, we usually enable trace. */
-#ifdef DISABLE_TRACE
+#if(defined _WIN32) && (defined DISABLE_TRACE)
 #define SE_TRACE(...)
 #define se_trace(...)
 #define se_trace_verbose(...)
-#else /* DISABLE_TRACE */
+#else
 #define se_trace_verbose(debug_level, fmt, ...)     \
     do {                                            \
         se_trace_t trace_level = debug_level;       \
-        if(trace_level <= SE_DEBUG_LEVEL)           \
+        if(trace_level <= sgx_trace_loglevel)       \
             se_trace_internal(trace_level, "[%s %s:%d] " fmt, __FUNCTION__, __FILE__, __LINE__, ##__VA_ARGS__);       \
     }while(0)
 
 #define se_trace(debug_level, fmt, ...)         \
     do {                                        \
         se_trace_t trace_level = debug_level;   \
-        if(trace_level <= SE_DEBUG_LEVEL)       \
+        if(trace_level <= sgx_trace_loglevel)   \
             se_trace_internal(trace_level, fmt, ##__VA_ARGS__);       \
     }while(0)
 
 /* For compatibility, SE_TRACE/se_trace is used in old code. */
 /* New code should use SE_TRACE_DEBUG, SE_TRACE_NOTICE, SE_TRACE_WARNING, SE_TRACE_ERROR */
 #define SE_TRACE(debug_level, fmt, ...) \
         se_trace_verbose(debug_level, fmt, ##__VA_ARGS__)
-#endif/* DISABLE_TRACE */
 
-/* SE_TRACE_DEBUG and SE_TRACE_NOTICE print the debug information plus message. */
+/* Print the debug information plus message. */
 #define SE_TRACE_DEBUG(fmt, ...) se_trace_verbose(SE_TRACE_DEBUG, fmt, ##__VA_ARGS__)
 #define SE_TRACE_NOTICE(fmt, ...) se_trace_verbose(SE_TRACE_NOTICE, fmt, ##__VA_ARGS__)
-//SE_TRACE_WARNING and SE_TRACE_ERROR only print message.
-#define SE_TRACE_WARNING(fmt, ...) se_trace(SE_TRACE_WARNING, fmt, ##__VA_ARGS__)
-#define SE_TRACE_ERROR(fmt, ...) se_trace(SE_TRACE_ERROR, fmt, ##__VA_ARGS__)
+#define SE_TRACE_WARNING(fmt, ...) se_trace_verbose(SE_TRACE_WARNING, fmt, ##__VA_ARGS__)
+#define SE_TRACE_ERROR(fmt, ...) se_trace_verbose(SE_TRACE_ERROR, fmt, ##__VA_ARGS__)
+#endif
 
 /* SE_PROD_LOG will output message to stdout by default in production mode.
    When the executable is running as daemon, it will output to syslog. */

QuoteGeneration/common/inc/internal/se_version.h

@@ -28,21 +28,21 @@
  * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
  *
  */
-#define STRFILEVER    "1.18.100.1"
+#define STRFILEVER    "1.19.100.3"
 #define COPYRIGHT      "Copyright (C) 2023 Intel Corporation"
-#define FILEVER        1,18,100,1
-#define PRODUCTVER     1,18,100,1
-#define STRPRODUCTVER  "1.18.100.1"
+#define FILEVER        1,19,100,3
+#define PRODUCTVER     1,19,100,3
+#define STRPRODUCTVER  "1.19.100.3"
 #define COMPANYNAME    "Intel Corporation"
 #define PRODUCTNAME    "Intel® Software Guard Extensions"
 
-#define DEFAULT_QPL_VERSION          "1.13.105.1"
-#define QUOTE_VERIFIER_VERSION       "1.12.105.1"
-#define QUOTE_LOADER_VERSION         "1.11.105.1"
-#define TDQE_WRAPPER_VERSION         "1.14.105.1"
-#define PCE_WRAPPER_VERSION          "1.14.105.1"
+#define DEFAULT_QPL_VERSION          "1.13.106.3"
+#define QUOTE_VERIFIER_VERSION       "1.12.106.3"
+#define QUOTE_LOADER_VERSION         "1.11.106.3"
+#define TDQE_WRAPPER_VERSION         "1.14.106.3"
+#define PCE_WRAPPER_VERSION          "1.14.106.3"
 
-#define QE3_VERSION                  "1.16.100.1"
-#define QVE_VERSION                  "1.18.100.1"
-#define IDE_VERSION                  "1.16.100.1"
-#define TDQE_VERSION                 "1.16.100.1"
+#define QE3_VERSION                  "1.19.100.1"
+#define QVE_VERSION                  "1.19.100.1"
+#define IDE_VERSION                  "1.19.100.1"
+#define TDQE_VERSION                 "1.19.100.1"

QuoteGeneration/common/src/se_trace.c

@@ -52,6 +52,20 @@ void se_trace_internal(int debug_level, const char *fmt, ...)
     va_list args;
 
     va_start(args, fmt);
+#ifndef _WIN32
+    if (sgx_trace_logger_callback && debug_level)
+    {
+        char message[2500]; // to make sure the full URL can be logged.
+        vsnprintf(message, sizeof(message), fmt, args);
+        va_end(args);
+
+        // ensure buf is always null-terminated
+        message[sizeof(message) - 1] = 0;
+
+        sgx_trace_logger_callback(debug_level - 1, message);
+        return;
+    }
+#endif
     if (SE_TRACE_NOTICE == debug_level)
         vfprintf(stdout, fmt, args);
     else

QuoteGeneration/download_prebuilt.bat

@@ -29,9 +29,9 @@
 
 @echo off
 
-set ae_file_name=prebuilt_windows_dcap_1.18.zip
-set checksum_file=SHA256SUM_prebuilt_windows_dcap_1.18.cfg
-set server_url_path=https://download.01.org/intel-sgx/sgx-dcap/1.18/windows/
+set ae_file_name=prebuilt_windows_dcap_1.19.zip
+set checksum_file=SHA256SUM_prebuilt_windows_dcap_1.19.cfg
+set server_url_path=https://download.01.org/intel-sgx/sgx-dcap/1.19/windows/
 set server_ae_url=%server_url_path%/%ae_file_name%
 set server_checksum_url=%server_url_path%/%checksum_file%
 

QuoteGeneration/download_prebuilt.sh

@@ -32,9 +32,9 @@
 
 top_dir=`dirname $0`
 out_dir=$top_dir
-ae_file_name=prebuilt_dcap_1.18.tar.gz
-checksum_file=SHA256SUM_prebuilt_dcap_1.18.cfg
-server_url_path=https://download.01.org/intel-sgx/sgx-dcap/1.18/linux/
+ae_file_name=prebuilt_dcap_1.19.tar.gz
+checksum_file=SHA256SUM_prebuilt_dcap_1.19.cfg
+server_url_path=https://download.01.org/intel-sgx/sgx-dcap/1.19/linux/
 server_ae_url=$server_url_path/$ae_file_name
 server_checksum_url=$server_url_path/$checksum_file
 

QuoteGeneration/installer/linux/deb/libsgx-dcap-ql/libsgx-dcap-ql-1.0/debian/control

@@ -9,11 +9,11 @@ Homepage: https://github.com/intel/SGXDataCenterAttestationPrimitives
 Package: libsgx-dcap-ql
 Architecture: amd64
 Depends: libsgx-qe3-logic(>= @dep_version@), libsgx-pce-logic(>= @dep_version@), ${shlibs:Depends}, ${misc:Depends}
-Recommends: libsgx-dcap-quote-verify(>= @dep_version@), libsgx-quote-ex(>= 2.21)
+Recommends: libsgx-dcap-quote-verify(>= @dep_version@), libsgx-quote-ex(>= 2.22)
 Description: Intel(R) Software Guard Extensions Data Center Attestation Primitives
 
 Package: libsgx-dcap-ql-dev
 Section: devel
 Architecture: amd64
-Depends: libsgx-dcap-ql (= @dep_version@), libsgx-headers (>= 2.21)
+Depends: libsgx-dcap-ql (= @dep_version@), libsgx-headers (>= 2.22)
 Description: Intel(R) Software Guard Extensions Data Center Attestation Primitives For Developers

QuoteGeneration/installer/linux/deb/libsgx-dcap-quote-verify/libsgx-dcap-quote-verify-1.0/debian/control

@@ -9,11 +9,11 @@ Homepage: https://github.com/intel/SGXDataCenterAttestationPrimitives
 Package: libsgx-dcap-quote-verify
 Architecture: amd64
 Depends: ${shlibs:Depends}, ${misc:Depends}
-Recommends: libsgx-ae-qve (>= @dep_version@), libsgx-urts (>= 2.21)
+Recommends: libsgx-ae-qve (>= @dep_version@), libsgx-urts (>= 2.22)
 Description: Intel(R) Software Guard Extensions Data Center Attestation Primitives
 
 Package: libsgx-dcap-quote-verify-dev
 Section: devel
 Architecture: amd64
-Depends: libsgx-dcap-quote-verify (= @dep_version@), libsgx-headers (>= 2.21)
+Depends: libsgx-dcap-quote-verify (= @dep_version@), libsgx-headers (>= 2.22)
 Description: Intel(R) Software Guard Extensions Data Center Attestation Primitives For Developers

QuoteGeneration/installer/linux/deb/libsgx-pce-logic/libsgx-pce-logic-1.0/debian/control

@@ -8,5 +8,5 @@ Homepage: https://github.com/intel/SGXDataCenterAttestationPrimitives
 
 Package: libsgx-pce-logic
 Architecture: amd64
-Depends: libsgx-urts (>= 2.21), libsgx-ae-pce(>= 2.21), ${shlibs:Depends}, ${misc:Depends}
+Depends: libsgx-urts (>= 2.22), libsgx-ae-pce(>= 2.22), ${shlibs:Depends}, ${misc:Depends}
 Description: Intel(R) Software Guard Extensions Data Center Attestation Primitives

QuoteGeneration/installer/linux/deb/libsgx-qe3-logic/libsgx-qe3-logic-1.0/debian/control

@@ -8,5 +8,5 @@ Homepage: https://github.com/intel/SGXDataCenterAttestationPrimitives
 
 Package: libsgx-qe3-logic
 Architecture: amd64
-Depends: libsgx-urts (>= 2.21), libsgx-ae-qe3(>= @dep_version@), libsgx-ae-id-enclave(>= @dep_version@), ${shlibs:Depends}, ${misc:Depends}
+Depends: libsgx-urts (>= 2.22), libsgx-ae-qe3(>= @dep_version@), libsgx-ae-id-enclave(>= @dep_version@), ${shlibs:Depends}, ${misc:Depends}
 Description: Intel(R) Software Guard Extensions Data Center Attestation Primitives

QuoteGeneration/installer/linux/deb/libsgx-tdx-logic/libsgx-tdx-logic-1.0/debian/control

@@ -8,11 +8,11 @@ Homepage: https://github.com/intel/SGXDataCenterAttestationPrimitives
 
 Package: libsgx-tdx-logic
 Architecture: amd64
-Depends: libsgx-urts (>= 2.21), libsgx-pce-logic(>= @dep_version@), libsgx-ae-tdqe(>= @dep_version@), libsgx-ae-id-enclave(>= @dep_version@), ${shlibs:Depends}, ${misc:Depends}
+Depends: libsgx-urts (>= 2.22), libsgx-pce-logic(>= @dep_version@), libsgx-ae-tdqe(>= @dep_version@), libsgx-ae-id-enclave(>= @dep_version@), ${shlibs:Depends}, ${misc:Depends}
 Description: Intel(R) Trust Domain Extensions QE logic library
 
 Package: libsgx-tdx-logic-dev
 Section: devel
 Architecture: amd64
-Depends: libsgx-tdx-logic (= @dep_version@), libsgx-headers (>= 2.21)
+Depends: libsgx-tdx-logic (= @dep_version@), libsgx-headers (>= 2.22)
 Description: Intel(R) Trust Domain Extensions QE logic library For Developers

QuoteGeneration/installer/linux/rpm/libsgx-dcap-ql/libsgx-dcap-ql.spec

@@ -37,7 +37,7 @@ Release:        1%{?dist}
 Summary:        Intel(R) Software Guard Extensions Data Center Attestation Primitives
 Group:          Development/Libraries
 Requires:       libsgx-qe3-logic >= %{version}-%{release} libsgx-pce-logic >= %{version}-%{release}
-Recommends:     libsgx-dcap-quote-verify >= %{version}-%{release} libsgx-quote-ex >= 2.21
+Recommends:     libsgx-dcap-quote-verify >= %{version}-%{release} libsgx-quote-ex >= 2.22
 
 License:        BSD License
 URL:            https://github.com/intel/SGXDataCenterAttestationPrimitives
@@ -49,7 +49,7 @@ Intel(R) Software Guard Extensions Data Center Attestation Primitives
 %package devel
 Summary:        Intel(R) Software Guard Extensions Data Center Attestation Primitives for Developers
 Group:          Development/Libraries
-Requires:       %{name} = %{version}-%{release} libsgx-headers >= 2.21
+Requires:       %{name} = %{version}-%{release} libsgx-headers >= 2.22
 
 %description devel
 Intel(R) Software Guard Extensions Data Center Attestation Primitives for Developers

QuoteGeneration/installer/linux/rpm/libsgx-dcap-quote-verify/libsgx-dcap-quote-verify.spec

@@ -36,7 +36,7 @@ Version:        @version@
 Release:        1%{?dist}
 Summary:        Intel(R) Software Guard Extensions Data Center Attestation Primitives
 Group:          Development/Libraries
-Recommends:     libsgx-ae-qve >= %{version}-%{release} libsgx-urts >= 2.21
+Recommends:     libsgx-ae-qve >= %{version}-%{release} libsgx-urts >= 2.22
 
 License:        BSD License
 URL:            https://github.com/intel/SGXDataCenterAttestationPrimitives
@@ -48,7 +48,7 @@ Intel(R) Software Guard Extensions Data Center Attestation Primitives
 %package devel
 Summary:        Intel(R) Software Guard Extensions Data Center Attestation Primitives for Developers
 Group:          Development/Libraries
-Requires:       %{name} = %{version}-%{release} libsgx-headers >= 2.21
+Requires:       %{name} = %{version}-%{release} libsgx-headers >= 2.22
 
 %description devel
 Intel(R) Software Guard Extensions Data Center Attestation Primitives for Developers

QuoteGeneration/installer/linux/rpm/libsgx-pce-logic/libsgx-pce-logic.spec

@@ -36,7 +36,7 @@ Version:        @version@
 Release:        1%{?dist}
 Summary:        Intel(R) Software Guard Extensions PCE logic
 Group:          Development/Libraries
-Requires:       libsgx-urts >= 2.21 libsgx-ae-pce >= 2.21
+Requires:       libsgx-urts >= 2.22 libsgx-ae-pce >= 2.22
 
 License:        BSD License
 URL:            https://github.com/intel/SGXDataCenterAttestationPrimitives

QuoteGeneration/installer/linux/rpm/libsgx-qe3-logic/libsgx-qe3-logic.spec

@@ -36,7 +36,7 @@ Version:        @version@
 Release:        1%{?dist}
 Summary:        Intel(R) Software Guard Extensions QE3 logic
 Group:          Development/Libraries
-Requires:       libsgx-urts >= 2.21 libsgx-ae-qe3 >= %{version}-%{release} libsgx-ae-id-enclave >= %{version}-%{release}
+Requires:       libsgx-urts >= 2.22 libsgx-ae-qe3 >= %{version}-%{release} libsgx-ae-id-enclave >= %{version}-%{release}
 
 License:        BSD License
 URL:            https://github.com/intel/SGXDataCenterAttestationPrimitives

QuoteGeneration/installer/linux/rpm/libsgx-tdx-logic/libsgx-tdx-logic.spec

@@ -36,7 +36,7 @@ Version:        @version@
 Release:        1%{?dist}
 Summary:        Intel(R) Trust Domain Extensions QE logic library
 Group:          Development/Libraries
-Requires:       libsgx-urts >= 2.21 libsgx-ae-tdqe >= %{version}-%{release}  libsgx-ae-id-enclave >= %{version}-%{release} libsgx-pce-logic >= %{version}-%{release}
+Requires:       libsgx-urts >= 2.22 libsgx-ae-tdqe >= %{version}-%{release}  libsgx-ae-id-enclave >= %{version}-%{release} libsgx-pce-logic >= %{version}-%{release}
 
 License:        BSD License
 URL:            https://github.com/intel/SGXDataCenterAttestationPrimitives
@@ -49,7 +49,7 @@ Intel(R) Trust Domain Extensions QE logic library
 %package devel
 Summary:        Intel(R) Trust Domain Extensions QE logic library For Developers 
 Group:          Development/Libraries
-Requires:       %{name} = %{version}-%{release} libsgx-headers >= 2.21
+Requires:       %{name} = %{version}-%{release} libsgx-headers >= 2.22
 %description devel
 Intel(R) Trust Domain Extensions QE logic library For Developers
 %prep

QuoteGeneration/installer/win/DCAP_Components.bat

@@ -5,7 +5,7 @@ set QGFOLDER="..\..\"
 set QVFOLDER="%TOPFOLDER%\QuoteVerification"
 set DEBUGFILEFOLDER="..\..\..\x64\Debug\"
 set RELEASEFILEFOLDER="..\..\..\x64\Release\"
-set PACKAGETNAME=DCAP_Components.1.18.100.0
+set PACKAGETNAME=DCAP_Components.1.19.100.0
 set pwd=%~dp0DCAP_Components
 
 pushd "%~dp0"

QuoteGeneration/installer/win/DCAP_Components/DCAP_Components.nuspec

@@ -2,15 +2,15 @@
 <package xmlns="http://schemas.microsoft.com/packaging/2010/07/nuspec.xsd">
   <metadata>
     <id>DCAP_Components</id>
-    <version>1.18.100.1</version>
+    <version>1.19.100.3</version>
     <title>DCAP Components</title>
     <authors>Intel(R) SGX</authors>
     <owners>Intel</owners>
     <requireLicenseAcceptance>false</requireLicenseAcceptance>
     <description>DCAP Components</description>
     <copyright>Copyright (C) 2022 Intel Corporation</copyright>
     <dependencies>
-      <dependency id="SgxHeaders" version="2.20.100.1" />
+      <dependency id="SgxHeaders" version="2.21.100.3" />
     </dependencies>
   </metadata>
   <files>