v1.5
Important changes
This change log covers the changes since the last release.
Breaking changes
- Renamed gramine-sgx-quote-dump tool to gramine-sgx-quote-view.
- RA_TLS_ALLOW_OUTDATED_TCB_INSECURE environment variable is split into three:
  - RA_TLS_ALLOW_OUTDATED_TCB_INSECURE (same as before) -- whether to allow "outdated TCB" status
  - RA_TLS_ALLOW_HW_CONFIG_NEEDED -- whether to allow "HW configuration needed" status
  - RA_TLS_ALLOW_SW_HARDENING_NEEDED -- whether to allow "SW hardening needed" status
- The following previously-deprecated syntax was removed:
  - loader.debug_type -- use loader.log_level and loader.log_file instead
  - fs.mount.[identifier].type, fs.mount.[identifier].path, fs.mount.[identifier].uri -- use fs.mounts = [ ... ] instead
  - sgx.thread_num = [NUM] -- use sgx.max_threads instead
  - sgx.remote_attestation = [true|false] -- use sgx.remote_attestation = "[none|epid|dcap]" instead
  - sgx.protected_files, sgx.protected_mrenclave_files, sgx.protected_mrsigner_files -- use fs.mounts = [ type="encrypted", ... ] instead
  - sgx.insecure__protected_files_key -- use fs.insecure__keys.[KEY_NAME] instead
  - loader.pal_internal_mem_size: not required anymore
  - fs.experimental__enable_sysfs_topology: not required anymore
  - sgx.nonpie_binary: not required anymore
- While configuring the build, only one libc (either glibc or musl) can be chosen at a time. Musl was removed from DEB and RPM packages. If you need musl on glibc systems, for 1.5 release you need to compile Gramine yourself.
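A pre-upgrade check for the removed manifest syntax listed above, as an added example (not part of the Gramine release or its tooling): it scans a manifest template line by line and reports each removed option with the replacement named in this change log. The name check_manifest and the sample manifest are constructed for illustration, and the check assumes options are written as dotted keys, one per line.

```python
import re

# Removed keys from the v1.5 list above, each with its replacement hint.
# Assumption: keys are written in dotted form at the start of a line.
REMOVED = [
    (r"loader\.debug_type\b", "use loader.log_level and loader.log_file"),
    (r"fs\.mount\.[^.\s=]+\.(type|path|uri)\b", "use fs.mounts = [ ... ]"),
    (r"sgx\.thread_num\b", "use sgx.max_threads"),
    # Only the boolean form was removed; the string form is the replacement.
    (r"sgx\.remote_attestation\s*=\s*(true|false)\b",
     'use sgx.remote_attestation = "[none|epid|dcap]"'),
    (r"sgx\.protected(_mrenclave|_mrsigner)?_files\b",
     'use fs.mounts = [ type="encrypted", ... ]'),
    (r"sgx\.insecure__protected_files_key\b", "use fs.insecure__keys.[KEY_NAME]"),
    (r"loader\.pal_internal_mem_size\b", "not required anymore"),
    (r"fs\.experimental__enable_sysfs_topology\b", "not required anymore"),
    (r"sgx\.nonpie_binary\b", "not required anymore"),
]
COMPILED = [(re.compile(r"^\s*" + p), hint) for p, hint in REMOVED]


def check_manifest(text):
    """Return (line_no, line, hint) for every line that uses removed syntax."""
    findings = []
    for no, line in enumerate(text.splitlines(), start=1):
        if line.lstrip().startswith("#"):
            continue  # commented-out options are not reported
        for rx, hint in COMPILED:
            if rx.match(line):
                findings.append((no, line.strip(), hint))
                break
    return findings


# Constructed sample manifest template, not taken from the Gramine repository.
SAMPLE = """\
loader.entrypoint = "file:{{ gramine.libos }}"
loader.debug_type = "inline"
fs.mount.lib.type = "chroot"
sgx.thread_num = 8
sgx.remote_attestation = true
# sgx.nonpie_binary = true
sgx.protected_files = [ "file:secrets/" ]
sgx.max_threads = 8
"""

if __name__ == "__main__":
    for no, line, hint in check_manifest(SAMPLE):
        print(f"line {no}: {line}  ->  {hint}")
```

Options nested under TOML table headers (for example a [sgx] section) are not matched by this line-based check and need a manual review.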
Security fixes
- Mitigated CVE-2022-21166 aka INTEL-SA-00615.
- Fixed a bug of text segment of the LibOS binary (libsysdb.so) being RWX (now it's RX).
New features
- Added sys.disallow_subprocesses manifest option.
- Added flexible socket- and device-specific IOCTL support via sys.ioctl_structs and sys.allowed_ioctls manifest options.
  - This feature can be used to implement SIOCGIFCONF and SIOCGIFHWADDR socket IOCTLs, see example here.
- Added gramine-sgx-sigstruct-view tool -- it shows metadata of an SGX enclave (MRSIGNER, MRENCLAVE, etc.).
- Added gramine-ratls tool.
- Added support for setsid() / getsid() system calls.
- Added experimental support for flock() system call. To enable it, use the sys.experimental__enable_flock manifest option.
- Added dummy ancillary data support for sockets (struct msghdr ancillary data).
  - No ancillary data type is truly supported currently, SCM_RIGHTS / SCM_CREDENTIALS are ignored in TCP/UDP sockets (same as in Linux), recvmsg() now indicates that there is no ancillary data added to the received network packet.
- Added emulation of the iret assembly instruction (used by e.g. ASP.NET).
- RA-TLS and Secret Provisioning libraries' installations can now be used to write external plugins: corresponding header files and pkg-config files are available. See e.g. the ra-tls-mbedtls example on the usage.
- Added RA-TLS API find_oid_in_cert_extensions(), useful to write external plugins.
- Added RA-TLS API ra_tls_verify_callback_extended_der() to expose additional verification results.
Performance improvements
- Added a readers-writer lock implementation, now used during search in the file descriptors table.
Bugfixes, stability and refactoring
- Fixed wrong format of SIGSTRUCT.DATE in the SIGSTRUCT (.sig) file. See #1287 for details.
- Fixed POSIX locking on encrypted files in child processes.
- Gramine now treats (e)poll error ((E)POLLERR) and hang-up ((E)POLLHUP / (E)POLLRDHUP) events separately.
Miscellaneous
- Gramine sets sgx.enclave_size to 1TB on EDMM by default; there is no need now to specify the enclave size explicitly if EDMM is enabled.
- Gramine uses dynamic allocation for process cmdline field, instead of 4KB pre-allocated field (required for e.g. Apache Kafka).
- Added aux vectors AT_UID, AT_EUID, AT_GID, AT_EGID, AT_SECURE for glibc/musl to consume on app startup.
- Gramine exposes SGX sealing keys under /dev/attestation/keys/.
- Gramine now doesn't allow the removal of pseudo-files (/dev, /proc, /sys).
- Updated mbedTLS dependency to version 3.4.0.
- Updated musl dependency to version 1.2.4.
- Updated glibc dependency to version 2.37.
- Gramine can be built under Alpine.
- Gramine ReadTheDocs documentation is rearranged.
- Added the "Gramine features" technical document.
We welcome Kailun Qin as the new maintainer of Gramine!
Installation instructions
Starting from release v1.0, Gramine is available as .deb and .rpm packages.
If you are updating from v1.4:
- apt-get update && apt-get upgrade for Debian/Ubuntu
- dnf update for AlmaLinux
If you are not updating, then to install Gramine v1.5, follow the distribution-specific commands in the respective section below. The same instructions can be found in our documentation.
If you prefer to build the sources yourself, please follow the building instructions from our documentation.
Debian 12:
sudo curl -fsSLo /usr/share/keyrings/gramine-keyring.gpg https://packages.gramineproject.io/gramine-keyring.gpg
echo "deb [arch=amd64 signed-by=/usr/share/keyrings/gramine-keyring.gpg] https://packages.gramineproject.io/ $(lsb_release -sc) main" \
| sudo tee /etc/apt/sources.list.d/gramine.list
sudo curl -fsSLo /usr/share/keyrings/intel-sgx-deb.asc https://download.01.org/intel-sgx/sgx_repo/ubuntu/intel-sgx-deb.key
echo "deb [arch=amd64 signed-by=/usr/share/keyrings/intel-sgx-deb.asc] https://download.01.org/intel-sgx/sgx_repo/ubuntu jammy main" \
| sudo tee /etc/apt/sources.list.d/intel-sgx.list
sudo apt-get update
sudo apt-get install gramine
Debian 11:
# if you don't already have backports repo enabled:
echo "deb http://deb.debian.org/debian $(lsb_release -sc)-backports main" \
| sudo tee /etc/apt/sources.list.d/backports.list
sudo curl -fsSLo /usr/share/keyrings/gramine-keyring.gpg https://packages.gramineproject.io/gramine-keyring.gpg
echo "deb [arch=amd64 signed-by=/usr/share/keyrings/gramine-keyring.gpg] https://packages.gramineproject.io/ $(lsb_release -sc) main" \
| sudo tee /etc/apt/sources.list.d/gramine.list
sudo curl -fsSLo /usr/share/keyrings/intel-sgx-deb.asc https://download.01.org/intel-sgx/sgx_repo/ubuntu/intel-sgx-deb.key
echo "deb [arch=amd64 signed-by=/usr/share/keyrings/intel-sgx-deb.asc] https://download.01.org/intel-sgx/sgx_repo/ubuntu focal main" \
| sudo tee /etc/apt/sources.list.d/intel-sgx.list
sudo apt-get update
sudo apt-get install gramine
Ubuntu 22.04 LTS, 20.04 LTS:
sudo curl -fsSLo /usr/share/keyrings/gramine-keyring.gpg https://packages.gramineproject.io/gramine-keyring.gpg
echo "deb [arch=amd64 signed-by=/usr/share/keyrings/gramine-keyring.gpg] https://packages.gramineproject.io/ $(lsb_release -sc) main" \
| sudo tee /etc/apt/sources.list.d/gramine.list
sudo curl -fsSLo /usr/share/keyrings/intel-sgx-deb.asc https://download.01.org/intel-sgx/sgx_repo/ubuntu/intel-sgx-deb.key
echo "deb [arch=amd64 signed-by=/usr/share/keyrings/intel-sgx-deb.asc] https://download.01.org/intel-sgx/sgx_repo/ubuntu $(lsb_release -sc) main" \
| sudo tee /etc/apt/sources.list.d/intel-sgx.list
sudo apt-get update
sudo apt-get install gramine
We have discontinued packages for Ubuntu 18.04 LTS, which is already EOL.
AlmaLinux and other compatible distros, versions 9 and 8:
- Install EPEL repository as described here: https://docs.fedoraproject.org/en-US/epel/
- Install Gramine:
# first time you need to confirm the key fingerprint, which should be F3FFBE5FC0477DB46E4851E737B04F03659B87AF
sudo curl -fsSLo /etc/yum.repos.d/gramine.repo https://packages.gramineproject.io/rpm/gramine.repo
sudo dnf install gramine
NOTE: Because of recent changes to RHEL sources availability, at the time of this release it is too early for us to ascertain future compatibility between RHEL proper and downstream rebuilders like AlmaLinux, Rocky Linux and others. We have always built .el packages on AlmaLinux, and this did not change, but for the 1.5 release cycle we feel we cannot claim compatibility with RHEL. We do not use many features of the distribution, and those packages might in fact be compatible, but we just do not know. Instead we resolve to release packages for "AlmaLinux and other compatible distributions".
Alpine Linux
Packages and repositories for Alpine Linux will be added at a later stage, and this release text will be edited.