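# We only contain headers, but we want to be an arch
# specific package since SGX is only included on x86
%define debug_package %{nil}

Summary: The GNU libc libraries for SGX enclave builds
Name: sgx-compat-glibc-headers2.34
Version: 2.34
Release: 210.1%{?dist}
# Sync from native glibc.spec
License: LGPLv2+ and LGPLv2+ with exceptions and GPLv2+ and GPLv2+ with exceptions and BSD and Inner-Net and ISC and Public Domain and GFDL
URL: http://www.gnu.org/software/glibc/
# Nothing in this spec verifies the tarball itself; the installed header
# tree is compared against the Source1 manifest in the check section
# instead (presumably the SRPM pins the tarball hash - confirm).
Source0: https://ftp.gnu.org/gnu/glibc/glibc-%{version}.tar.xz
# sha256 manifest of the header tree this package is expected to produce
Source1: headers.sha256
# Patches must match those used in NixOS to ensure
# reproducible code generation behaviour
Patch1: glibc-2.34-210-ge123f08ad5.patch
Patch2: 0001-string.h-fix-__fortified_attr_access-macro-call-BZ-2.patch

# SGX is a technology that only exists in Intel x86 CPUs
ExclusiveArch: x86_64

BuildRequires: sgx-srpm-macros
BuildRequires: gcc
BuildRequires: make
BuildRequires: bison
BuildRequires: python3

%description
The glibc package contains standard libraries which are used by
multiple programs on the system. In order to save disk space and
memory, as well as to make upgrading easier, common system code is
kept in one place and shared between programs. This particular package
contains the most important sets of shared libraries: the standard C
library and the standard math library. Without these two libraries, a
Linux system will not function.

This variant of the glibc package provides headers only, as needed for
the reproducible build of SGX enclaves.

%prep
%autosetup -n glibc-%{version} -p1

%build
# libc_nonshared.a cannot be built with the default hardening flags
# because the glibc build system is incompatible with
# -D_FORTIFY_SOURCE. The object files need to be marked as to be
# skipped in annobin annotations. (The -specs= variant of activating
# annobin does not work here because of flag ordering issues.)
# See the matching comment in the native glibc.spec; the reference
# link did not survive in this copy.
BuildFlagsNonshared="-fplugin=annobin -fplugin-arg-annobin-disable -Wa,--generate-missing-build-notes=yes"
%define enablekernel 3.2
EnableKernel="--enable-kernel=%{enablekernel}"
mkdir build
pushd build
# CFLAGS are spelled out literally (not taken from the distro macros),
# presumably so the configure line is identical on every build host and
# matches the NixOS reference build - keep it in sync deliberately.
# Note the -specs=redhat-annobin-cc1 entry appears twice; left as-is
# because the exact flag string is part of what is being reproduced.
../configure \
    CC=gcc CXX=g++ \
    'CFLAGS=-O2 -g -Wp,-D_GLIBCXX_ASSERTIONS -specs=/usr/lib/rpm/redhat/redhat-annobin-cc1 -m64 -march=x86-64 -mtune=generic -fasynchronous-unwind-tables -fstack-clash-protection -specs=/usr/lib/rpm/redhat/redhat-annobin-cc1 ' \
    --prefix=%{sgx_prefix} \
    --includedir=%{sgx_includedir}/glibc-%{version} \
    --with-headers=%{_prefix}/include $EnableKernel \
    --with-nonshared-cflags="$BuildFlagsNonshared" \
    --enable-bind-now \
    --build=%{_target_cpu}-redhat-linux \
    --with-rtld-early-cflags=-march=x86-64 \
    --enable-stack-protector=strong \
    --disable-multi-arch \
    --disable-werror \
    --disable-profile \
    --without-selinux \
    --without-gd || { cat config.log; false; }
# Only the generated multilib name header is built; the library itself
# is never compiled in this package.
make gnu/lib-names-64.h

%install
cd build
%make_build install_root=%{buildroot} install-headers
# Place the header generated in the build step next to the installed
# headers so the installed tree is complete.
cp gnu/lib-names-64.h %{buildroot}%{sgx_includedir}/glibc-%{version}/gnu/

%check
# Validate that the headers we've installed match the headers
# from the NixOS package. This is a sanity check to make it
# easier to diagnose reproducibility problems as early as possible.
# LC_ALL=C pins the sort order regardless of the build host locale, and
# NUL-delimited paths keep the pipeline safe for any file name; the
# output lines are the same "hash  ./path" form as before.
(cd %{buildroot}%{sgx_includedir}/glibc-%{version} && \
 find . -type f -print0 | LC_ALL=C sort -z | xargs -0 sha256sum) > headers.got
# We're not building the stubs headers and they don't matter
# since we're not building the library either.
grep -v gnu/stubs %{SOURCE1} > headers.want
# A non-zero exit status here fails the build; -u makes the mismatch
# readable in the build log.
diff -u headers.want headers.got

%files
%license COPYING COPYING.LIB LICENSES
%dir %{sgx_prefix}
%dir %{sgx_includedir}
%{sgx_includedir}/glibc-%{version}/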