Skip to content

v1.2
Compare
Choose a tag to compare
@mkow mkow released this 27 May 13:31
· 734 commits to master since this release
v1.2
fd2e302

Important changes

This change log covers the changes since the last release.

Breaking changes

  • Installation instructions changed starting from this version, see below.
  • fs.mount was renamed to fs.mounts and now uses a proper TOML array syntax. The old syntax is still supported, but deprecated.
  • Relative mount paths in manifests are now deprecated.
  • Protected files were renamed to a more intuitive name: encrypted files.
  • Encrypted files are now implemented on the mountpoints layer and support having different keys per each mount. See the documentation for the new syntax.
  • Encrypted files' keys should now be modified through special files at /dev/attestation/keys/<key_name>. Unlike the deprecated /dev/attestation/protected_files_key, the new files use raw binary, not hex strings.
  • Attestation-related environment variables (RA_TLS_MRSIGNER etc.) passed to RA-TLS must be explicitly ignored if not used.

New features

  • All filesystems use inodes now, which fixes issues with renaming and unlinking semantics.
  • Created gramine-sgx-gen-private-key tool to simplify SGX signing key generation.
  • Added proper renaming support to encrypted files.
  • Added simple fallocate syscall implementation.
  • Executable scripts (with a shebang) are now supported.
  • Running on systems with some CPU threads/cores shut down is now supported.

Security fixes

  • CPU and NUMA topology is now properly sanitized and thus enabled by default.

New sample integrations

  • Added an asynchronous web server example in Rust.

Bugfixes, stability and refactoring

  • Added a workaround for a Linux bug which broke gramine-direct on systems with 5-level page tables.
  • Fixed a crash in gramine-sgx-pf-crypt when compiled with Clang in release mode.
  • werror is not enabled by default anymore when building Gramine (but it is still enabled in CI).
  • Multiple other small bugfixes.

Miscellaneous

  • Created "Onboarding" page in the documentation with suggested learning material for aspiring Gramine developers.
  • Updated tools to use IAS API v4.
  • Added integration with VTune profiler.

Installation instructions

Starting from release v1.0, Gramine is available as .deb and .rpm packages. Note you cannot cleanly update to a new release, because of dependency on external repository introduced in this release.

Before installing or updating Gramine, add Intel's SGX repository:

curl -fsSL https://download.01.org/intel-sgx/sgx_repo/ubuntu/intel-sgx-deb.key | sudo apt-key add -
echo 'deb [arch=amd64] https://download.01.org/intel-sgx/sgx_repo/ubuntu focal main main' | sudo tee /etc/apt/sources.list.d/intel-sgx.list

(focal is good for Ubuntu 20.04 and Debian 11; for Ubuntu 18.04, change focal to bionic).

Then add Gramine's official repo and install the package.

sudo curl -fsSLo /usr/share/keyrings/gramine-keyring.gpg https://packages.gramineproject.io/gramine-keyring.gpg
echo 'deb [arch=amd64 signed-by=/usr/share/keyrings/gramine-keyring.gpg] https://packages.gramineproject.io/ stable main' | sudo tee /etc/apt/sources.list.d/gramine.list
sudo apt-get update

sudo apt-get install gramine      # for 5.11+ upstream, in-kernel driver
sudo apt-get install gramine-oot  # for out-of-tree SDK driver
sudo apt-get install gramine-dcap # for out-of-tree DCAP driver

If you are updating from v1.1, you need to add Intel's SGX repo (see above), then update like usual:

  • apt-get update && apt-get upgrade for Debian/Ubuntu
  • dnf update for RHEL/Fedora/CentOS

The same instructions can be found in our documentation's Quick Start.

If you prefer to build the sources yourself, please follow the building instructions from our documentation.

Assets 10
Loading