Skip to content

v1.4

Compare
Choose a tag to compare
@woju woju released this 13 Feb 18:23
· 433 commits to master since this release

Important changes

This change log covers the changes since the last release.

Breaking changes

  • Gramine packages gramine-dcap and gramine-oot were retired (these packages contained Gramine built against the out-of-tree DCAP SGX driver and the out-of-tree legacy non-FLC SGX driver).

    • Only gramine package is left (contains Gramine built against the in-kernel SGX driver).
    • The gramine package can be used on systems with the out-of-tree DCAP SGX driver.
    • If you must use Gramine on a system with the legacy non-FLC SGX driver, you must build Gramine manually.
  • Manifest option sgx.thread_num is renamed to sgx.max_threads. sgx.thread_num is deprecated and will be removed in the future.

Security fixes

  • Gramine now enforces AES-NI, XSAVE and RDRAND CPUID features, and refuses to start without them:
    • XSAVE is used internally by Gramine,
    • AES-NI and RDRAND are required, otherwise some crypto libraries (e.g. mbedtls) silently switch to side-channel-prone software implementations of crypto algorithms.

New features

  • Support for EDMM (Enclave Dynamic Memory Management), enabled via a new manifest option sgx.edmm_enable.

  • Added /proc/[pid]/stat and /proc/[pid]/statm pseudo-files.

  • PAL component doesn't need a separate memory pool anymore. Thus, loader.pal_internal_mem_size is not needed anymore and deprecated.

  • Support for socket flags: SO_REUSEPORT, TCP_USER_TIMEOUT, TCP_KEEPIDLE, TCP_KEEPINTVL, TCP_KEEPCNT.

Performance improvements

  • Reduced lock contention in poll.

Bugfixes, stability and refactoring

  • Completely rewritten poll and select syscalls implementations.
  • SGX tokens (aka EINITTOKENs) are not generated on newer (FLC-based) SGX CPUs anymore.
    • For the context, see #363.
  • All SGX tools and libraries are built statically (including RA-TLS and Secret Prov libraries).
  • Reworked setuid and setgid syscalls, as well as chown(), fchown() and fchownat() syscalls (for UID/GID owner on files).

Miscellaneous

  • Updated the official Gramine Docker image; the sources for this Docker image can be found here.
  • Updated mbedTLS dependency to version 3.3.0.
  • Updated Glibc dependency to version 2.36.
  • Switched signing algorithm for RA-TLS certs from RSA-3072 to ECDSA-384.
  • Gramine now ignores MSG_MORE flag for TCP sockets in send* syscalls (which is semantically correct).
  • Documentation describes how to build Gramine without network access.
  • Added Scikit-learn example.
  • Added python.get_sys_path() to manifest template API; this is useful for manifests of Python-based workloads.
  • All CI examples are hardened (e.g., no sgx.allowed_files anymore).

Installation instructions

Starting from release v1.0, Gramine is available as .deb and .rpm packages.

If you are updating from v1.3.x:

  • If you have Debian 11 or Ubuntu 22.04, before upgrading, you need to edit repository definition and change stable to bullseye or jammy, respectively.
  • apt-get update --allow-releaseinfo-change && apt-get upgrade for Debian/Ubuntu
  • dnf update for RHEL/AlmaLinux

NOTE: because we have changed repository metadata, it's required to add --allow-releaseinfo-change to apt-get update a single time. Otherwise you might get an error about metadata changes.

If you are not updating, then to install Gramine v1.4, follow the below commands:

  • for Debian 11:
# if you don't already have backports repo enabled:
echo "deb http://deb.debian.org/debian $(lsb_release -sc)-backports main" \
| sudo tee /etc/apt/sources.list.d/backports.list

sudo curl -fsSLo /usr/share/keyrings/gramine-keyring.gpg https://packages.gramineproject.io/gramine-keyring.gpg
echo "deb [arch=amd64 signed-by=/usr/share/keyrings/gramine-keyring.gpg] https://packages.gramineproject.io/ $(lsb_release -sc) main" \
| sudo tee /etc/apt/sources.list.d/gramine.list

sudo curl -fsSLo /usr/share/keyrings/intel-sgx-deb.asc https://download.01.org/intel-sgx/sgx_repo/ubuntu/intel-sgx-deb.key
echo "deb [arch=amd64 signed-by=/usr/share/keyrings/intel-sgx-deb.asc] https://download.01.org/intel-sgx/sgx_repo/ubuntu focal main" \
| sudo tee /etc/apt/sources.list.d/intel-sgx.list

sudo apt-get update
sudo apt-get install gramine
  • experimentally, for Debian bookworm (Debian Testing at the time of this release)
sudo curl -fsSLo /usr/share/keyrings/gramine-keyring.gpg https://packages.gramineproject.io/gramine-keyring.gpg
echo "deb [arch=amd64 signed-by=/usr/share/keyrings/gramine-keyring.gpg] https://packages.gramineproject.io/ $(lsb_release -sc) main" \
| sudo tee /etc/apt/sources.list.d/gramine.list

sudo curl -fsSLo /usr/share/keyrings/intel-sgx-deb.asc https://download.01.org/intel-sgx/sgx_repo/ubuntu/intel-sgx-deb.key
echo "deb [arch=amd64 signed-by=/usr/share/keyrings/intel-sgx-deb.asc] https://download.01.org/intel-sgx/sgx_repo/ubuntu jammy main" \
| sudo tee /etc/apt/sources.list.d/intel-sgx.list

sudo apt-get update
sudo apt-get install gramine
  • for Ubuntu 22.04 LTS, 20.04 LTS and 18.04 LTS:
sudo curl -fsSLo /usr/share/keyrings/gramine-keyring.gpg https://packages.gramineproject.io/gramine-keyring.gpg
echo "deb [arch=amd64 signed-by=/usr/share/keyrings/gramine-keyring.gpg] https://packages.gramineproject.io/ $(lsb_release -sc) main" \
| sudo tee /etc/apt/sources.list.d/gramine.list

sudo curl -fsSLo /usr/share/keyrings/intel-sgx-deb.asc https://download.01.org/intel-sgx/sgx_repo/ubuntu/intel-sgx-deb.key
echo "deb [arch=amd64 signed-by=/usr/share/keyrings/intel-sgx-deb.asc] https://download.01.org/intel-sgx/sgx_repo/ubuntu $(lsb_release -sc) main" \
| sudo tee /etc/apt/sources.list.d/intel-sgx.list

sudo apt-get update
sudo apt-get install gramine
# first time you need to confirm the key fingerprint, which should be F3FFBE5FC0477DB46E4851E737B04F03659B87AF
sudo curl -fsSLo /etc/yum.repos.d/gramine.repo https://packages.gramineproject.io/rpm/gramine.repo
sudo dnf install gramine

The same instructions can be found in our documentation's Quick Start.

If you prefer to build the sources yourself, please follow the building instructions from our documentation.