From fb9bcb1cfacfdb2db88e4973fa0b14a01527c855 Mon Sep 17 00:00:00 2001
From: Ed Tubbs
Date: Thu, 27 Feb 2025 15:01:26 -0600
Subject: [PATCH] Updated enclave build for dogebox Updated Windows signing certs and root
---
 .github/workflows/ci.yml | 26 +++++++++++++++++++++-----
 doc/enclaves.md | 1 +
 src/optee/ta/sub.mk | 2 +-
 3 files changed, 23 insertions(+), 6 deletions(-)
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index caa082390..3a52146cc 100755
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -452,6 +452,7 @@ jobs:
 cd /src/src/optee/ta && \
 make -j"$(getconf _NPROCESSORS_ONLN)" \
 CROSS_COMPILE=aarch64-linux-gnu- \
+ LIBDIR=/src/depends/aarch64-linux-gnu/lib \
 LDFLAGS=\"-L/src/depends/aarch64-linux-gnu/lib -ldogecoin -lunistring\" \
 CFLAGS=\"-I/src/depends/aarch64-linux-gnu/include -I/src/depends/aarch64-linux-gnu/include/dogecoin\" \
 PLATFORM=vexpress-qemu_armv8a \
@@ -584,12 +585,19 @@ jobs:
 - name: Import certificate (x86_64-win)
 run: |
+ $rootData = "${{ secrets.LIBDOGECOIN_DEV_WINDOWS_ROOT_DATA }}"
+ $rootBytes = [Convert]::FromBase64String($rootData)
+ [IO.File]::WriteAllBytes("./dogecoin_root.cer", $rootBytes)
+ Import-Certificate -FilePath ./dogecoin_root.cer -CertStoreLocation Cert:\LocalMachine\Root
+
 $certData = "${{ secrets.LIBDOGECOIN_DEV_WINDOWS_CERT_DATA }}"
 $certBytes = [Convert]::FromBase64String($certData)
 [IO.File]::WriteAllBytes("./mycert.pfx", $certBytes)
 $password = ConvertTo-SecureString -String "${{ secrets.LIBDOGECOIN_DEV_WINDOWS_CERT_PASSWORD }}" -Force -AsPlainText
- Import-PfxCertificate -FilePath ./mycert.pfx -CertStoreLocation Cert:\LocalMachine\Root -Password $password
+ Import-PfxCertificate -FilePath ./mycert.pfx -CertStoreLocation Cert:\LocalMachine\My -Password $password
+ Remove-Item ./mycert.pfx
+ Remove-Item ./dogecoin_root.cer
 shell: pwsh
 - name: Sign spvnode.exe (x86_64-win)
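Review bot: In the `Import certificate (x86_64-win)` step the PFX that carries the signing key is written into the working directory, and the two added `Remove-Item` lines are reached only when both imports succeed, so a failed import leaves `mycert.pfx` behind for later steps or a reused runner. Writing the file under `$env:RUNNER_TEMP` and deleting it in a `finally` block closes that gap. The secrets are also expanded directly into the script text by `${{ secrets.… }}`; passing them through the step's `env:` keeps their contents from being parsed as PowerShell. The same pattern appears in the two later Import certificate hunks, and the variable names `CERT_DATA` and `CERT_PASSWORD` below are placeholders.

```yaml
        run: |
          # … unchanged: root certificate decode and Import-Certificate …
          $pfxPath = Join-Path $env:RUNNER_TEMP "mycert.pfx"
          try {
            [IO.File]::WriteAllBytes($pfxPath, [Convert]::FromBase64String($env:CERT_DATA))
            $password = ConvertTo-SecureString -String $env:CERT_PASSWORD -Force -AsPlainText
            Import-PfxCertificate -FilePath $pfxPath -CertStoreLocation Cert:\LocalMachine\My -Password $password
          }
          finally {
            # Runs even when the import throws, so the key file never outlives the step.
            Remove-Item $pfxPath -ErrorAction SilentlyContinue
          }
          # … unchanged: Remove-Item ./dogecoin_root.cer …
        shell: pwsh
        env:
          CERT_DATA: ${{ secrets.LIBDOGECOIN_DEV_WINDOWS_CERT_DATA }}
          CERT_PASSWORD: ${{ secrets.LIBDOGECOIN_DEV_WINDOWS_CERT_PASSWORD }}
```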
@@ -638,12 +646,16 @@ jobs:
 - name: Import certificate (x86_64-win)
 run: |
+ $rootData = "${{ secrets.LIBDOGECOIN_DEV_WINDOWS_ROOT_DATA }}"
+ $rootBytes = [Convert]::FromBase64String($rootData)
+ [IO.File]::WriteAllBytes("./dogecoin_root.cer", $rootBytes)
+ Import-Certificate -FilePath ./dogecoin_root.cer -CertStoreLocation Cert:\LocalMachine\Root
+
 $certData = "${{ secrets.LIBDOGECOIN_DEV_WINDOWS_CERT_DATA }}"
 $certBytes = [Convert]::FromBase64String($certData)
 [IO.File]::WriteAllBytes("./mycert.pfx", $certBytes)
 $password = ConvertTo-SecureString -String "${{ secrets.LIBDOGECOIN_DEV_WINDOWS_CERT_PASSWORD }}" -Force -AsPlainText
- Import-PfxCertificate -FilePath ./mycert.pfx -CertStoreLocation Cert:\LocalMachine\Root -Password $password
- Remove-Item ./mycert.pfx
+ Import-PfxCertificate -FilePath ./mycert.pfx -CertStoreLocation Cert:\LocalMachine\My -Password $password
 shell: pwsh
 - name: Sign spvnode.exe (x86_64-win-native)
@@ -687,12 +699,16 @@ jobs:
 - name: Import certificate (i686-win)
 run: |
+ $rootData = "${{ secrets.LIBDOGECOIN_DEV_WINDOWS_ROOT_DATA }}"
+ $rootBytes = [Convert]::FromBase64String($rootData)
+ [IO.File]::WriteAllBytes("./dogecoin_root.cer", $rootBytes)
+ Import-Certificate -FilePath ./dogecoin_root.cer -CertStoreLocation Cert:\LocalMachine\Root
+
 $certData = "${{ secrets.LIBDOGECOIN_DEV_WINDOWS_CERT_DATA }}"
 $certBytes = [Convert]::FromBase64String($certData)
 [IO.File]::WriteAllBytes("./mycert.pfx", $certBytes)
 $password = ConvertTo-SecureString -String "${{ secrets.LIBDOGECOIN_DEV_WINDOWS_CERT_PASSWORD }}" -Force -AsPlainText
- Import-PfxCertificate -FilePath ./mycert.pfx -CertStoreLocation Cert:\LocalMachine\Root -Password $password
- Remove-Item ./mycert.pfx
+ Import-PfxCertificate -FilePath ./mycert.pfx -CertStoreLocation Cert:\LocalMachine\My -Password $password
 shell: pwsh
 - name: Sign spvnode.exe (i686-win)
diff --git a/doc/enclaves.md b/doc/enclaves.md
index 4e460e4c7..c269485b1 100644
--- a/doc/enclaves.md
+++ b/doc/enclaves.md
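Review bot: `Remove-Item ./mycert.pfx` is deleted from the import step that precedes `Sign spvnode.exe (x86_64-win-native)`, and nothing removes the newly written `dogecoin_root.cer`, so the PFX holding the signing key stays in the working directory for the rest of the job. The `Import certificate (i686-win)` hunk makes the same deletion, while the first x86_64-win hunk adds both cleanup lines. No later use of the file is visible in these hunks, so keep `Remove-Item ./mycert.pfx` and add `Remove-Item ./dogecoin_root.cer` after the `Import-PfxCertificate` line in both steps. Whether a later step uploads or packages the working directory lies outside the hunk and is worth checking.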
@@ -401,6 +401,7 @@ docker run --privileged -v "$(pwd):/src" -w /src jforissier/optee_os_ci:qemu_che
 # Build libdogecoin for OP-TEE
 cd /src/ && \
+ make -j 4 -C depends CFLAGS=-U_FORTIFY_SOURCE HOST=aarch64-linux-gnu && \
 ./configure --prefix=/src/depends/aarch64-linux-gnu LIBS=-levent_pthreads --enable-static --disable-shared --enable-test-passwd --enable-optee CFLAGS=-U_FORTIFY_SOURCE HOST=aarch64-linux-gnu && \
 make -j 4 && \
 make install && \
diff --git a/src/optee/ta/sub.mk b/src/optee/ta/sub.mk
index 8cdf73166..ef4b31e57 100644
--- a/src/optee/ta/sub.mk
+++ b/src/optee/ta/sub.mk
@@ -1,4 +1,4 @@
 global-incdirs-y += include
 srcs-y += libdogecoin_ta.c
 libnames += dogecoin utils unistring yubikey usb-1.0 ykpers-1
-libdirs += /src/depends/aarch64-linux-gnu/lib
+libdirs += ${LIBDIR}
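Review bot: `libdirs += ${LIBDIR}` in `src/optee/ta/sub.mk` has no fallback, so a TA build that does not pass `LIBDIR` on the make command line now gets an empty library directory where the old line gave a fixed path. The CI invocation in this patch sets it, but the `doc/enclaves.md` hunk does not show the TA make command, so documented builds may be affected. A default placed before the line, `LIBDIR ?= /src/depends/aarch64-linux-gnu/lib`, keeps existing invocations working. Alternatively `$(if $(LIBDIR),,$(error LIBDIR is not set))` stops the build early, rather than possibly resolving the trusted application's libraries from a default search path.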