From db454982d9a20e33af521b85f93744825e51c162 Mon Sep 17 00:00:00 2001
From: Denis
Date: Fri, 15 Mar 2024 18:55:40 +0400
Subject: [PATCH] Change flags order in CXX call, revert to focal
---
 docker/deb.Dockerfile | 2 +-
 sgxvm/Makefile | 15 ++++++++++-----
 2 files changed, 11 insertions(+), 6 deletions(-)
diff --git a/docker/deb.Dockerfile b/docker/deb.Dockerfile
index aa0437cf..6892bdc4 100644
--- a/docker/deb.Dockerfile
+++ b/docker/deb.Dockerfile
@@ -1,5 +1,5 @@
 ############ Install Intel SGX SDK & SGX PSW
-FROM ghcr.io/sigmagmbh/sgx:2.23-jammy-554238b as base
+FROM ghcr.io/sigmagmbh/sgx:2.23-focal-77382c8 as base
 RUN wget -qO - https://download.01.org/intel-sgx/sgx_repo/ubuntu/intel-sgx-deb.key | apt-key add -
 RUN apt-get update
diff --git a/sgxvm/Makefile b/sgxvm/Makefile
index 838b38c6..3a072383 100644
--- a/sgxvm/Makefile
+++ b/sgxvm/Makefile
@@ -11,6 +11,8 @@ ENCLAVE_HOME ?= $(HOME)/.swisstronik-enclave
 Trts_Library_Name = sgx_trts
 Service_Library_Name = sgx_tservice
 Enclave_build_feature = hardware_mode
+# Enable the security flags
+Enclave_Security_Link_Flags := -Wl,-z,relro,-z,now,-z,noexecstack
 # ENCLAVE SETTINGS
 ifneq ($(SGX_MODE), HW)
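Review bot: The comment `# Enable the security flags` above the new `Enclave_Security_Link_Flags` assignment does not say which protections the flags provide, so a later editor cannot tell what is lost by trimming it; suggest `# Enclave link hardening: -z relro/-z now make relocation data read-only after eager binding, -z noexecstack marks the stack non-executable.` The simple `:=` flavour is the right choice for a constant like this. The variable only takes effect where it is referenced on the link line, which this commit does in `compile_unsigned_enclave` further down the same file.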
@@ -75,11 +77,14 @@ endef
 define compile_unsigned_enclave
  @echo "Compile into unsinged enclave"
-  @$(CXX) $(CURDIR)/Enclave_t.o -o $(CURDIR)/enclave.unsigned.so -Wl,--no-undefined -nostdlib -nodefaultlibs -nostartfiles -L/opt/intel/sgxsdk/lib64 \
-  -Wl,--whole-archive -l$(Trts_Library_Name) -Wl,--no-whole-archive \
-  -Wl,--start-group -lsgx_tstdc -lsgx_tcxx -lsgx_dcap_tvl -l$(Service_Library_Name) -lsgx_tcrypto -lsgx_tprotected_fs -lpthread \
-  -L$(CURDIR)/sgx-artifacts/lib -lenclave -Wl,--end-group -Wl,--version-script=$(CURDIR)/Enclave.lds -Wl,-z,relro,-z,now,-z,noexecstack -Wl,-Bstatic -Wl,-Bsymbolic \
-  -Wl,--no-undefined -Wl,-pie,-eenclave_entry -Wl,--export-dynamic -Wl,--gc-sections -Wl,--defsym,__ImageBase=0
+  @$(CXX) $(CURDIR)/Enclave_t.o -o $(CURDIR)/enclave.unsigned.so $(Enclave_Security_Link_Flags) -fPIC \
+  -Wl,--no-undefined -nostdlib -nodefaultlibs -nostartfiles -L/opt/intel/sgxsdk/lib64 \
+  -Wl,--whole-archive -lsgx_dcap_tvl -l$(Trts_Library_Name) -Wl,--no-whole-archive \
+  -Wl,--start-group -lsgx_tstdc -lsgx_tcxx -l$(Service_Library_Name) -lsgx_tcrypto -lsgx_tprotected_fs -lpthread -L$(CURDIR)/sgx-artifacts/lib -lenclave -Wl,--end-group \
+  -Wl,-Bstatic -Wl,-Bsymbolic -Wl,--no-undefined \
+  -Wl,-pie,-eenclave_entry -Wl,--export-dynamic \
+  -Wl,--gc-sections -Wl,--defsym,__ImageBase=0 \
+  -Wl,--version-script=$(CURDIR)/Enclave.lds
 endef
 define sign_enclave
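Review bot: Moving `-lsgx_dcap_tvl` out of the `--start-group` block into the `--whole-archive` region is a semantic change rather than a reordering: every object in that archive is now linked into the enclave whether referenced or not, which changes the enclave's contents and therefore its measurement, and the subject line ("Change flags order in CXX call") does not mention it; a comment such as `# sgx_dcap_tvl is linked whole-archive so none of its objects are dropped by the linker` would record the intent (presumably to match the SDK's DCAP sample link line — worth confirming). The `-fPIC` added at the end of the first `$(CXX)` line is a code-generation flag and, unless LTO is in play, has no effect on a link step that only consumes pre-built objects; if position-independent code is the goal it belongs on the compile rule for `Enclave_t.o` and on the `libenclave` build (both outside this hunk), so either drop it or comment why it is here. The `-z relro,-z now,-z noexecstack` keywords are position-independent linker options, so hoisting them into `$(Enclave_Security_Link_Flags)` at the front of the line is harmless. The `compile_unsigned_enclave` define starts and ends inside the hunk.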