From b5b44c9132e309e822ae23925662153428d5e856 Mon Sep 17 00:00:00 2001
From: Tobias Brick <39196763+tobiasb-ms@users.noreply.github.com>
Date: Tue, 22 Oct 2024 15:45:39 -0700
Subject: [PATCH] symcrypt: upgrade to 103.5.1 (#10806)
---
 ...to-prevent-stripping-and-post-proces.patch | 49 ++++++----
 SPECS/SymCrypt/SymCrypt.signatures.json | 5 +-
 SPECS/SymCrypt/SymCrypt.spec | 14 +--
 ...sion-script-to-print-the-commit-info.patch | 74 +++++++++++++++
 SPECS/SymCrypt/generate-env-file.sh | 89 +++++++++++++++++++
 ...pt-build-environment-variables-v103.5.1.sh | 5 ++
 cgmanifest.json | 4 +-
 7 files changed, 214 insertions(+), 26 deletions(-)
 create mode 100644 SPECS/SymCrypt/add-parameter-to-version-script-to-print-the-commit-info.patch
 create mode 100755 SPECS/SymCrypt/generate-env-file.sh
 create mode 100644 SPECS/SymCrypt/symcrypt-build-environment-variables-v103.5.1.sh
diff --git a/SPECS/SymCrypt/0001-add-build-flags-to-prevent-stripping-and-post-proces.patch b/SPECS/SymCrypt/0001-add-build-flags-to-prevent-stripping-and-post-proces.patch
index 1019dbb44d0..3706904d559 100644
--- a/SPECS/SymCrypt/0001-add-build-flags-to-prevent-stripping-and-post-proces.patch
+++ b/SPECS/SymCrypt/0001-add-build-flags-to-prevent-stripping-and-post-proces.patch
@@ -1,8 +1,23 @@ -From a91f9a55e6b8b01511538827005a6e948ccf6e27 Mon Sep 17 00:00:00 2001 -From: Tobias Brick -Date: Sat, 12 Oct 2024 02:06:21 +0000 -Subject: [PATCH] add build flags to prevent stripping and post processing +From 997c3bdf24749edbdb562af15f9d95be35f062de Mon Sep 17 00:00:00 2001 +From: Tobias Brick +Date: Tue, 15 Oct 2024 16:21:27 +0000 +Subject: [PATCH] Merged PR 11601893: add build flags to prevent stripping and + post processing +## Description: +Add build flags to prevent stripping and post processing of binary after building. This is useful to fit in to different package build systems. + +---- +#### AI description (iteration 1) +#### PR Classification +New feature + +#### PR Summary +This pull request introduces build flags to control binary stripping and FIPS postprocessing. +- `CMakeLists.txt`: Added options `SYMCRYPT_STRIP_BINARY` and `SYMCRYPT_FIPS_POSTPROCESS` with default values set to `ON`. +- `scripts/build.py`: Added command-line arguments `--no-strip-binary` and `--no-fips-postprocess` to control the new build options. +- `BUILD.md`: Updated documentation to include the new build options. +- `modules/linux/common/ModuleCommon.cmake`: Modified conditions to respect the new build flags for stripping and FIPS postprocessing. --- BUILD.md | 2 ++ CMakeLists.txt | 14 ++++++++++++++ @@ -11,10 +26,10 @@ Subject: [PATCH] add build flags to prevent stripping and post processing 4 files changed, 26 insertions(+), 2 deletions(-) diff --git a/BUILD.md b/BUILD.md -index e7f0618..a4984da 100644 +index f6c781d..e8eaa88 100644 --- a/BUILD.md 
+++ b/BUILD.md -@@ -63,6 +63,8 @@ and building the Linux modules with FIPS integrity checks. +@@ -74,6 +74,8 @@ and building the Linux modules with FIPS integrity checks. * To cross-compile for Linux ARM64, you must also use `--toolchain=cmake-configs/Toolchain-Clang-ARM64.cmake` * `-DSYMCRYPT_USE_ASM=` to choose whether to use assembly optimizations. Defaults to `ON`. * `-DSYMCRYPT_FIPS_BUILD=` to choose whether to enable FIPS self-tests in the SymCrypt shared object module. Defaults to `ON`. Currently only affects Linux builds. @@ -24,11 +39,11 @@ index e7f0618..a4984da 100644 1. `cmake --build bin` * Optionally, for a release build on Windows, specify `--config Release` diff --git a/CMakeLists.txt b/CMakeLists.txt -index 6da485d..1533e9d 100644 +index cd9aa15..9e0c599 100644 --- a/CMakeLists.txt +++ b/CMakeLists.txt -@@ -54,6 +54,18 @@ if(SYMCRYPT_FIPS_BUILD) - add_compile_options(-DSYMCRYPT_DO_FIPS_SELFTESTS=1) +@@ -56,6 +56,18 @@ if(SYMCRYPT_FIPS_BUILD) + add_compile_definitions(SYMCRYPT_DO_FIPS_SELFTESTS=1) endif() +option( 
@@ -46,20 +61,20 @@ index 6da485d..1533e9d 100644 option( SYMCRYPT_TEST_LEGACY_IMPL "When enabled, the SymCrypt unit tests will be linked against and configured to run compatibility and performance tests on the legacy -@@ -94,6 +106,8 @@ message(STATUS "Host: ${CMAKE_HOST_SYSTEM_NAME} ${CMAKE_HOST_SYSTEM_PROCESSOR}") +@@ -104,6 +116,8 @@ message(STATUS "Host: ${CMAKE_HOST_SYSTEM_NAME} ${CMAKE_HOST_SYSTEM_PROCESSOR}") message(STATUS "Target: ${CMAKE_SYSTEM_NAME} ${SYMCRYPT_TARGET_ARCH} ${SYMCRYPT_TARGET_ENV}") message(STATUS "ASM optimizations: ${SYMCRYPT_USE_ASM}") message(STATUS "FIPS build: ${SYMCRYPT_FIPS_BUILD}") +message(STATUS "Strip binary: ${SYMCRYPT_STRIP_BINARY}") +message(STATUS "FIPS postprocess: ${SYMCRYPT_FIPS_POSTPROCESS}") - # Set output directories binaries - # Note: we use a generator expression because "Multi-configuration generators [e.g. Visual Studio] + # Validate compiler versions + if("${CMAKE_CXX_COMPILER_ID}" MATCHES "GNU") diff --git a/modules/linux/common/ModuleCommon.cmake b/modules/linux/common/ModuleCommon.cmake -index ced60ac..7d626c0 100644 +index e6db214..fbe1421 100644 --- a/modules/linux/common/ModuleCommon.cmake +++ b/modules/linux/common/ModuleCommon.cmake -@@ -57,7 +57,7 @@ set_target_properties(${TARGET_NAME} PROPERTIES VERSION ${PROJECT_VERSION}) +@@ -61,7 +61,7 @@ set_target_properties(${TARGET_NAME} PROPERTIES VERSION ${PROJECT_VERSION}) set_target_properties(${TARGET_NAME} PROPERTIES SOVERSION ${PROJECT_VERSION_MAJOR}) @@ -68,7 +83,7 @@ index ced60ac..7d626c0 100644 add_custom_command( TARGET ${TARGET_NAME} POST_BUILD -@@ -69,7 +69,7 @@ if(CMAKE_BUILD_TYPE MATCHES "Release|RelWithDebInfo") +@@ -73,7 +73,7 @@ if(CMAKE_BUILD_TYPE MATCHES "Release|RelWithDebInfo") ) endif() @@ -78,7 +93,7 @@ index ced60ac..7d626c0 100644 TARGET ${TARGET_NAME} POST_BUILD diff --git a/scripts/build.py b/scripts/build.py -index bbf0c89..48a7146 100755 +index af9b0bc..3a70b84 100755 --- a/scripts/build.py +++ b/scripts/build.py 
@@ -101,6 +101,12 @@ def configure_cmake(args : argparse.Namespace) -> None: @@ -94,7 +109,7 @@ index bbf0c89..48a7146 100755 if args.test_legacy_impl: cmake_args.append("-DSYMCRYPT_TEST_LEGACY_IMPL=ON") -@@ -215,6 +221,8 @@ def main() -> None: +@@ -218,6 +224,8 @@ def main() -> None: parser_cmake.add_argument("--cxx", type = str, help = "Specify the C++ compiler to use. If not provided, uses platform default.") parser_cmake.add_argument("--no-asm", action = "store_false", dest = "asm", help = "Disable handwritten ASM optimizations.", default = True) parser_cmake.add_argument("--no-fips", action = "store_false", dest = "fips", help = "Disable FIPS selftests and postprocessing of binary. Currently only affects Linux targets.", default = True) diff --git a/SPECS/SymCrypt/SymCrypt.signatures.json b/SPECS/SymCrypt/SymCrypt.signatures.json index fda91f59fc9..ac72e9252ed 100644 --- a/SPECS/SymCrypt/SymCrypt.signatures.json +++ b/SPECS/SymCrypt/SymCrypt.signatures.json @@ -1,7 +1,8 @@ { "Signatures": { - "SymCrypt-103.4.2.tar.gz": "7cbcee7625fd1d99286e393a727504189dab4d407c6c3474bd2532d5ee231921", + "SymCrypt-103.5.1.tar.gz": "1c4d41972f7683cb2c053ddc58452d6f4b56c1b556b7499f9fedbd7706ccd0fe", "find-debuginfo": "356800f19b755879993103c121c83fb4cc97d0e8656ea34d051daa310f54cedf", - "jitterentropy-library-3.3.1.tar.gz": "4a50cb02b4836cd5550016e2fc2263e6982abaa11467a9e1cea260c1c2f7d487" + "jitterentropy-library-3.3.1.tar.gz": "4a50cb02b4836cd5550016e2fc2263e6982abaa11467a9e1cea260c1c2f7d487", + "symcrypt-build-environment-variables-v103.5.1.sh": "6f6e162011e8203de66be6af59c0b4511992b731370a152044b028e8075578a7" } } \ No newline at end of file diff --git a/SPECS/SymCrypt/SymCrypt.spec b/SPECS/SymCrypt/SymCrypt.spec index 827a80bfdf8..07543a0bc28 100644 --- a/SPECS/SymCrypt/SymCrypt.spec +++ b/SPECS/SymCrypt/SymCrypt.spec 
@@ -1,7 +1,7 @@
 Summary: A core cryptographic library written by Microsoft
 Name: SymCrypt
-Version: 103.4.2
-Release: 2%{?dist}
+Version: 103.5.1
+Release: 1%{?dist}
 License: MIT
 Vendor: Microsoft Corporation
 Distribution: Azure Linux
@@ -10,6 +10,9 @@ URL: https://github.com/microsoft/SymCrypt
 Source0: https://github.com/microsoft/SymCrypt/archive/v%{version}.tar.gz#/%{name}-%{version}.tar.gz
 Source1: https://github.com/smuellerDD/jitterentropy-library/archive/v3.3.1.tar.gz#/jitterentropy-library-3.3.1.tar.gz
 Source2: find-debuginfo
+# Use ./generate-env-file.sh --release-tag to generate this. For example:
+# ./generate-env-file.sh --release-tag v103.5.1
+Source3: symcrypt-build-environment-variables-v%{version}.sh
 Patch1: 0001-add-build-flags-to-prevent-stripping-and-post-proces.patch
 Patch2: 0001-add-parameter-to-process_fips_module-to-specify-the-.patch
 BuildRequires: cmake
@@ -48,9 +51,7 @@ rm -rf 3rdparty/jitterentropy-library
 ln -s ../jitterentropy-library-3.3.1 3rdparty/jitterentropy-library
 %build
-SYMCRYPT_BRANCH=main \
-SYMCRYPT_COMMIT_HASH=a84ffe1 \
-SYMCRYPT_COMMIT_TIMESTAMP=2024-01-26T22:00:47-08:00 \
+source %{SOURCE3}
 cmake -S . -B bin \
 -DSYMCRYPT_TARGET_ARCH=%{symcrypt_arch} \
 -DSYMCRYPT_STRIP_BINARY=OFF \
@@ -104,6 +105,9 @@ chmod 755 %{buildroot}%{_libdir}/libsymcrypt.so.%{version}
 %{_includedir}/*
 %changelog
+* Mon Oct 21 2024 Tobias Brick - 103.5.1-1
+- Update 103.5.1
+
 * Mon Oct 14 2024 Tobias Brick - 103.4.2-2
 - Add debuginfo package
diff --git a/SPECS/SymCrypt/add-parameter-to-version-script-to-print-the-commit-info.patch b/SPECS/SymCrypt/add-parameter-to-version-script-to-print-the-commit-info.patch
new file mode 100644
index 00000000000..560123550cf
--- /dev/null
+++ b/SPECS/SymCrypt/add-parameter-to-version-script-to-print-the-commit-info.patch
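Review bot: `source %{SOURCE3}` in %build executes the environment file in the build shell and leaves its exports visible to every later command in the section, whereas the three removed assignments were scoped to the single cmake invocation. That is acceptable because SymCrypt.signatures.json pins the file's hash and the generator only emits `export` lines, but nothing in the spec records that expectation, nor that the commit hash and timestamp stamped into the build presumably come from this file rather than from the Source0 tarball, so a file left over from a previous release would silently mislabel the library. I would extend the Source3 comment with `# The build stamps SYMCRYPT_COMMIT_HASH/TIMESTAMP from this file, not from Source0; regenerate it with generate-env-file.sh on every version bump.` and add `# Only 'export' lines are expected here; the file is hash-pinned in SymCrypt.signatures.json.` above the `source` line.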
@@ -0,0 +1,74 @@
+From 1425f9e27cb1bae39e0b22e25fce50daa47618ca Mon Sep 17 00:00:00 2001
+From: Tobias Brick
+Date: Tue, 15 Oct 2024 22:59:08 +0000
+Subject: [PATCH] Merged PR 11618838: add parameter to version script to print
+ the commit info environment variables
+
+Add parameter to version script to print the commit info environment variables. This makes it easier to get those right for builds based on the source tarball rather than from a git clone.
+
+----
+#### AI description (iteration 1)
+#### PR Classification
+New feature
+
+#### PR Summary
+Added a new parameter to the version script to print commit information as environment variables.
+- `scripts/version.py`: Introduced `--commit-info` argument to print commit hash and timestamp as environment variables. Added `print_commit_info` function to handle this new feature.
+---
+ scripts/version.py | 20 ++++++++++++++++++--
+ 1 file changed, 18 insertions(+), 2 deletions(-)
+
+diff --git a/scripts/version.py b/scripts/version.py
+index 49edf9b..4ac1862 100644
+--- a/scripts/version.py
++++ b/scripts/version.py
+@@ -180,27 +180,43 @@ def print_devops_vars(version_info: SymCryptVersion) -> None:
+ set_task_variable("VER_MINOR", version_info.minor)
+ set_task_variable("VER_PATCH", version_info.patch)
+
++def print_commit_info(version_info: SymCryptVersion) -> None:
++ """
++ Prints the commit information as environment variables that would override the commit hash and timestamp.
++ """
++
++ print("export {}={}".format(ENV_SYMCRYPT_BRANCH, version_info.branch))
++ print("export {}={}".format(ENV_SYMCRYPT_COMMIT_HASH, version_info.commit_hash))
++ print("export {}={}".format(ENV_SYMCRYPT_COMMIT_TIMESTAMP, version_info.commit_timestamp.isoformat(timespec = "seconds")))
++
+ def main() -> None:
+ """
+ Entrypoint
+ """
+
+ parser = argparse.ArgumentParser(description = "Versioning helper script for SymCrypt.")
++ parser.add_argument("--no-print-version-number", dest = "print_version_number", help = "Do not print the version number", action = "store_false", default = True)
+ group = parser.add_mutually_exclusive_group()
+ group.add_argument("-b", "--build-info", help = "Generate buildInfo.h", action = "store_true")
+ group.add_argument("--devops", help = "Format output to set Azure DevOps variables", action = "store_true")
++ group.add_argument("--commit-info",
++ help = "Format commit info as environment variables that would override the commit hash and timestamp, which can then be used when building from the source tarball rather than a git clone.",
++ action = "store_true")
+
+ args = parser.parse_args()
+
+ # Parse the version information from the SymCrypt headers
+ version_info = get_version_info()
+
+- print("{}.{}.{}".format(version_info.major, version_info.minor, version_info.patch))
++ if args.print_version_number:
++ print("{}.{}.{}".format(version_info.major, version_info.minor, version_info.patch))
+
+ if args.build_info:
+ generate_build_info(version_info)
+ elif args.devops:
+ print_devops_vars(version_info)
++ elif args.commit_info:
++ print_commit_info(version_info)
+
+ if __name__ == "__main__":
+- main()
+\ No newline at end of file
++ main()
+--
+2.39.4
+
diff --git a/SPECS/SymCrypt/generate-env-file.sh b/SPECS/SymCrypt/generate-env-file.sh
new file mode 100755
index 00000000000..fd3864727cb
--- /dev/null
+++ b/SPECS/SymCrypt/generate-env-file.sh
@@ -0,0 +1,89 @@
+#!/bin/bash
+
+# Fail out if anything fails.
+set -e
+
+SYMCRYPT_REPO='https://github.com/microsoft/SymCrypt.git'
+SYMCRYPT_DIR='./SymCrypt'
+
+CURRENT_DIR=$(pwd)
+RELEASE_TAG=
+
+function show_help() {
+ echo "Usage: $0 [--release-tag ]"
+ echo
+ echo "Options:"
+ echo " --release-tag The release tag to use for the build, e.g.: v103.5.1"
+ echo " --debug Enable debug output, which is just 'set -x'"
+ echo " --help Display this help message"
+ echo
+ echo "Generates a sourceable script file that sets git-related environment variables for the SymCrypt build."
+ echo "The script file will be named 'symcrypt-build-environment-variables-.sh"
+}
+
+while [[ "$#" -gt 0 ]]; do
+ case $1 in
+ -h|--help)
+ show_help
+ exit 0
+ ;;
+ -t|--tag|--release-tag)
+ RELEASE_TAG="$2"
+ shift
+ ;;
+ -d|--debug)
+ set -x
+ ;;
+ *)
+ echo "Unknown parameter passed: $1"
+ exit 1
+ ;;
+ esac
+ shift
+done
+
+if [ -z "${RELEASE_TAG}" ]; then
+ echo "release tag is required" >> /dev/stderr
+ show_help
+ exit 1
+fi
+
+echo "generating env file for release tag: '${RELEASE_TAG}'"
+
+# Create a temporary directory to clone the git repo
+TEMP_DIR=$(mktemp -d)
+if [[ ! "$TEMP_DIR" || ! -d "$TEMP_DIR" ]]; then
+ echo "Could not create temp dir to clone git repo" >> /dev/stderr
+ exit 1
+fi
+
+# Clone into the temp directory
+pushd "${TEMP_DIR}" > /dev/null
+echo "Cloning SymCrypt repo '${SYMCRYPT_REPO}' into temp directory '${TEMP_DIR}"
+git clone "${SYMCRYPT_REPO}"
+
+# The version script uses the current git branch, which want to main but at the commit for the release tag.
+echo "Getting to the commit for release tag '${RELEASE_TAG}'"
+cd "${SYMCRYPT_DIR}"
+TAG_COMMIT=$(git rev-parse --verify "${RELEASE_TAG}")
+if [[ ! "$TAG_COMMIT" ]]; then
+ echo "Could not find commit for release tag '${RELEASE_TAG}'"
+ exit 1
+fi
+echo "Tag commit is '${TAG_COMMIT}'"
+git reset --hard "${TAG_COMMIT}"
+
+# Patching the version script; will be unneeded as of v103.5.2
+git apply "${CURRENT_DIR}/add-parameter-to-version-script-to-print-the-commit-info.patch"
+
+# Call the version script to get the properly formmatted git info
+ENV_SCRIPT_FILE_NAME="symcrypt-build-environment-variables-${RELEASE_TAG}.sh"
+echo "#!/bin/bash" > "${CURRENT_DIR}/${ENV_SCRIPT_FILE_NAME}"
+echo "# Generated by 'generate-env-file.sh'" >> "${CURRENT_DIR}/${ENV_SCRIPT_FILE_NAME}"
+echo "Running version script"
+python3 scripts/version.py --no-print-version-number --commit-info >> "${CURRENT_DIR}/${ENV_SCRIPT_FILE_NAME}"
+echo "Generated '${ENV_SCRIPT_FILE_NAME}'"
+
+# Clean up the temp directory
+popd > /dev/null
+rm -rf "${TEMP_DIR}"
diff --git a/SPECS/SymCrypt/symcrypt-build-environment-variables-v103.5.1.sh b/SPECS/SymCrypt/symcrypt-build-environment-variables-v103.5.1.sh
new file mode 100644
index 00000000000..d454862c5c5
--- /dev/null
+++ b/SPECS/SymCrypt/symcrypt-build-environment-variables-v103.5.1.sh
@@ -0,0 +1,5 @@
+#!/bin/bash
+# Generated by 'generate-env-file.sh'
+export SYMCRYPT_BRANCH=main
+export SYMCRYPT_COMMIT_HASH=907622c
+export SYMCRYPT_COMMIT_TIMESTAMP=2024-09-18T20:38:10+00:00
diff --git a/cgmanifest.json b/cgmanifest.json
index 4cbae68d84d..5553bf330f2 100644
--- a/cgmanifest.json
+++ b/cgmanifest.json
@@ -28216,8 +28216,8 @@
 "type": "other",
 "other": {
 "name": "SymCrypt",
- "version": "103.4.2",
- "downloadUrl": "https://github.com/microsoft/SymCrypt/archive/v103.4.2.tar.gz"
+ "version": "103.5.1",
+ "downloadUrl": "https://github.com/microsoft/SymCrypt/archive/v103.5.1.tar.gz"
 }
 }
 },