From 48b580e43f5047e9286e4fba1f55b7c5e1eca369 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?=
Date: Wed, 10 Jul 2024 14:46:44 +0100
Subject: [PATCH] buildenv: enable pointing enclave build to alternative glibc headers
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

The enclaves must be built with headers from a specific glibc version for the sake of reproducibility. It does not actually link to glibc, merely requiring a few self contained definitions. In the NixOS build env the glibc system include directories get set through various wrapper scripts NixOS creates. When attempting a reproducible build outside of NixOS though, we can't rely on the compiler having the matching glibc system include dirs. Instead there needs to be a way to inject "-isystem/some/path" args into the enclave compiler flags. This commit adds a "ENCLAVE_SYSTEM_INCLUDES" make var can be set by the person triggering 'make', to provide a way to inject system include directories to the enclave build process.

Signed-off-by: Daniel P. Berrangé
---
 buildenv.mk | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/buildenv.mk b/buildenv.mk
index 4689c6034..248706dfb 100644
--- a/buildenv.mk
+++ b/buildenv.mk
@@ -285,7 +285,7 @@ endif
 # When `pie' is enabled, the linker (both BFD and Gold) under Ubuntu 14.04
 # will hide all symbols from dynamic symbol table even if they are marked
 # as `global' in the LD version script.
-ENCLAVE_CFLAGS = -ffreestanding -nostdinc -fvisibility=hidden -fpie -fno-strict-overflow -fno-delete-null-pointer-checks
+ENCLAVE_CFLAGS = -ffreestanding -nostdinc -fvisibility=hidden -fpie -fno-strict-overflow -fno-delete-null-pointer-checks $(ENCLAVE_SYSTEM_INCLUDES)
 ENCLAVE_CXXFLAGS = $(ENCLAVE_CFLAGS) -nostdinc++
 ENCLAVE_LDFLAGS = $(ENC_LDFLAGS) $(COMMON_LDFLAGS) -Wl,-Bstatic -Wl,-Bsymbolic -Wl,--no-undefined \
 -Wl,-pie,-eenclave_entry -Wl,--export-dynamic \
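Review bot: `ENCLAVE_SYSTEM_INCLUDES` is consumed on the new `ENCLAVE_CFLAGS` line but is never declared or documented anywhere in buildenv.mk, so a reader of the file cannot discover the knob or the form its value must take, and a build run with `--warn-undefined-variables` would warn on every expansion of `ENCLAVE_CFLAGS`. I would add a defaulted, commented declaration just above the `ENCLAVE_CFLAGS` line: `# Extra system include dirs for the enclave build, e.g. "-isystem/path/to/glibc/include"; set on the make command line for reproducible builds outside NixOS` followed by `ENCLAVE_SYSTEM_INCLUDES ?=`. Because `-nostdinc` is in force, whatever headers that path supplies are compiled straight into the enclave, so the value is part of the trusted build inputs; echoing it in the build log (e.g. `$(info ENCLAVE_SYSTEM_INCLUDES=$(ENCLAVE_SYSTEM_INCLUDES))`) makes it easier to verify that two builds used the same headers. The new flags also propagate into `ENCLAVE_CXXFLAGS` through `$(ENCLAVE_CFLAGS)`, which appears intended but is worth stating in the comment.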