Skip to content

v1.5

Compare
Choose a tag to compare
@dimakuv dimakuv released this 07 Jul 14:39
· 308 commits to master since this release

Important changes

This change log covers the changes since the last release.

Breaking changes

  • Renamed gramine-sgx-quote-dump tool to gramine-sgx-quote-view.
  • RA_TLS_ALLOW_OUTDATED_TCB_INSECURE environment variable is split into three:
    • RA_TLS_ALLOW_OUTDATED_TCB_INSECURE (same as before) -- whether to allow "outdated TCB" status
    • RA_TLS_ALLOW_HW_CONFIG_NEEDED -- whether to allow "HW configuration needed" status
    • RA_TLS_ALLOW_SW_HARDENING_NEEDED -- whether to allow "SW hardening needed" status
  • The following previously-deprecated syntax was removed:
    • loader.debug_type -- use loader.log_level and loader.log_file instead
    • fs.mount.[identifier].type, fs.mount.[identifier].path, fs.mount.[identifier].uri -- use fs.mounts = [ ... ] instead
    • sgx.thread_num = [NUM] -- use sgx.max_threads instead
    • sgx.remote_attestation = [true|false] -- use sgx.remote_attestation = "[none|epid|dcap]" instead
    • sgx.protected_files, sgx.protected_mrenclave_files, sgx.protected_mrsigner_files -- use fs.mounts = [ type="encrypted", ... ] instead
    • sgx.insecure__protected_files_key -- use fs.insecure__keys.[KEY_NAME] instead
    • loader.pal_internal_mem_size: not required anymore
    • fs.experimental__enable_sysfs_topology: not required anymore
    • sgx.nonpie_binary: not required anymore
  • While configuring the build, only one libc (either glibc or musl) can be chosen at a time. Musl was removed from DEB and RPM packages. If you need musl on glibc systems, for 1.5 release you need to compile Gramine yourself.

Security fixes

New features

Performance improvements

  • Added readers-writer lock implementation and use it during search in file descriptors table.

Bugfixes, stability and refactoring

  • Fixed wrong format of SIGSTRUCT.DATE in the SIGSTRUCT (.sig) file. See #1287 for details.
  • Fixed POSIX locking on encrypted files in child processes.
  • Gramine now treats (e)poll error ((E)POLLERR) and hang-up ((E)POLLHUP/(E)POLLRDHUP) events separately.

Miscellaneous

  • Gramine sets sgx.enclave_size to 1TB on EDMM by default; there is no need now to specify the enclave size explicitly if EDMM is enabled.
  • Gramine uses dynamic allocation for process cmdline field, instead of 4KB pre-allocated field (required for e.g. Apache Kafka).
  • Added aux vectors AT_UID, AT_EUID, AT_GID, AT_EGID, AT_SECURE for glibc/musl to consume on app startup.
  • Gramine exposes SGX sealing keys under /dev/attestation/keys/.
  • Gramine now doesn't allow the removal of pseudo-files (/dev, /proc, /sys).
  • Updated mbedTLS dependency to version 3.4.0.
  • Updated musl dependency to version 1.2.4.
  • Updated glibc dependency to version 2.37.
  • Gramine can be built under Alpine.
  • Gramine ReadTheDocs documentation is rearranged.
  • Added the "Gramine features" technical document.

We welcome Kailun Qin as the new maintainer of Gramine!

Installation instructions

Starting from release v1.0, Gramine is available as .deb and .rpm packages.

If you are updating from v1.4:

  • apt-get update && apt-get upgrade for Debian/Ubuntu
  • dnf update for AlmaLinux

If you are not updating, then to install Gramine v1.5, follow the distribution-specific commands in the respective section below. The same instructions can be found in our documentation.

If you prefer to build the sources yourself, please follow the building instructions from our documentation.

Debian 12:

sudo curl -fsSLo /usr/share/keyrings/gramine-keyring.gpg https://packages.gramineproject.io/gramine-keyring.gpg
echo "deb [arch=amd64 signed-by=/usr/share/keyrings/gramine-keyring.gpg] https://packages.gramineproject.io/ $(lsb_release -sc) main" \
| sudo tee /etc/apt/sources.list.d/gramine.list

sudo curl -fsSLo /usr/share/keyrings/intel-sgx-deb.asc https://download.01.org/intel-sgx/sgx_repo/ubuntu/intel-sgx-deb.key
echo "deb [arch=amd64 signed-by=/usr/share/keyrings/intel-sgx-deb.asc] https://download.01.org/intel-sgx/sgx_repo/ubuntu jammy main" \
| sudo tee /etc/apt/sources.list.d/intel-sgx.list

sudo apt-get update
sudo apt-get install gramine

Debian 11:

# if you don't already have backports repo enabled:
echo "deb http://deb.debian.org/debian $(lsb_release -sc)-backports main" \
| sudo tee /etc/apt/sources.list.d/backports.list

sudo curl -fsSLo /usr/share/keyrings/gramine-keyring.gpg https://packages.gramineproject.io/gramine-keyring.gpg
echo "deb [arch=amd64 signed-by=/usr/share/keyrings/gramine-keyring.gpg] https://packages.gramineproject.io/ $(lsb_release -sc) main" \
| sudo tee /etc/apt/sources.list.d/gramine.list

sudo curl -fsSLo /usr/share/keyrings/intel-sgx-deb.asc https://download.01.org/intel-sgx/sgx_repo/ubuntu/intel-sgx-deb.key
echo "deb [arch=amd64 signed-by=/usr/share/keyrings/intel-sgx-deb.asc] https://download.01.org/intel-sgx/sgx_repo/ubuntu focal main" \
| sudo tee /etc/apt/sources.list.d/intel-sgx.list

sudo apt-get update
sudo apt-get install gramine

Ubuntu 22.04 LTS, 20.04 LTS:

sudo curl -fsSLo /usr/share/keyrings/gramine-keyring.gpg https://packages.gramineproject.io/gramine-keyring.gpg
echo "deb [arch=amd64 signed-by=/usr/share/keyrings/gramine-keyring.gpg] https://packages.gramineproject.io/ $(lsb_release -sc) main" \
| sudo tee /etc/apt/sources.list.d/gramine.list

sudo curl -fsSLo /usr/share/keyrings/intel-sgx-deb.asc https://download.01.org/intel-sgx/sgx_repo/ubuntu/intel-sgx-deb.key
echo "deb [arch=amd64 signed-by=/usr/share/keyrings/intel-sgx-deb.asc] https://download.01.org/intel-sgx/sgx_repo/ubuntu $(lsb_release -sc) main" \
| sudo tee /etc/apt/sources.list.d/intel-sgx.list

sudo apt-get update
sudo apt-get install gramine

We have discontinued packages for Ubuntu 18.04 LTS, which is already EOL.

AlmaLinux and other compatible distros, versions 9 and 8:

  1. Install EPEL repository as described here: https://docs.fedoraproject.org/en-US/epel/
  2. Install Gramine:
# first time you need to confirm the key fingerprint, which should be F3FFBE5FC0477DB46E4851E737B04F03659B87AF
sudo curl -fsSLo /etc/yum.repos.d/gramine.repo https://packages.gramineproject.io/rpm/gramine.repo
sudo dnf install gramine

NOTE: Because of recent changes to RHEL sources availability, at the time of this release it is too early for us to ascertain future compatibility between RHEL proper and downstream rebuilders like AlmaLinux, Rocky Linux and other. We have always built .el packages on AlmaLinux, and this did not change, but for 1.5 release cycle we feel we cannot claim compatibility with RHEL. We do not use many features of the distribution, and those packages might in fact be compatible, but we just do not know. Instead we resolve to release packages for "AlmaLinux and other compatible distributions".

Alpine Linux

Packages and repositories for Alpine Linux will be added at later stage, and this release text will be edited.