v0.6.8

0.6.8 (2020-12-17)

Bug fixes:

• xen: Fix corrupted console output by correctly waiting for xenconsoled to consume all data. (#490)
• hvt: Free kvm_cpuid after use. (#485)

New features:

• xen: Add multiboot support. (#482)

Acknowledgements:

• Thanks to Marek Marczykowski-Górecki (@marmarek) for implementing multiboot support for the Xen target.

v0.6.7

0.6.7 (2020-10-08)

Bug fixes:

• spt: Fix a bug where libseccomp's seccomp_load() would cause the tender to be killed by SIGSYS due to calling free(), which would under certain conditions call sbrk(), which is not in our seccomp filter. Work around this behaviour by exporting the generated BPF filter and loading it into the kernel manually. (#479)
• Various improvements to the Xen bindings for use by MirageOS. (#480, #476).

v0.6.6

0.6.6 (2020-07-21)

New features:

• This release adds minimal bindings for the Xen hypervisor. Hosts running
  Xen 4.10 or later on x86_64 are supported, and the bindings build Solo5
  unikernels as PVHv2 domUs only. These bindings are not a full Solo5 target;
  they exist for the purpose of providing low-level bootstrap code to MirageOS
  and do not provide any network or block I/O functionality.

Bug fixes:

• genode: Do not yield for expired deadlines. (#466)

v0.6.5

0.6.5 (2020-05-14)

New features:

• Stop host kernels from attempting to execute Solo5 binaries. This improves
  both the user experience on some hosts (e.g. "No such file or directory" vs.
  "Segmentation fault" on Linux) and overall security posture by forcing the
  host kernel ELF loader to bail out earlier rather than actually jumping to
  the unikernel code. (#442)
• hvt: Full support for W^X and correct guest-side page protections on OpenBSD
  6.7+ systems with EPT. (#447)
• hvt: capsicum(4) sandbox for the hvt tender on FreeBSD 12+. (#366)

Bug fixes:

• hvt: Fix hang in HVT_HYPERCALL_POLL. On Linux hosts, if solo5_yield() was
  called with a deadline that has already passed and the unikernel was not using
  any network devices then the underlying hypercall would hang forever. Not
  known to affect any existing code in production. (#460)

Other notable changes:

• muen: Muen ABI updates, now uses ABI version 2 on the Solo5 side. Muen
  commit f10bd6b or later is required. (#454, #448)
• genode: Support for Genode is limited by toolchain issues and Genode bindings
  are no longer built by default. (#446, see also ocaml/opam-repository#16368)
• Improvements to the build system on BSD/clang hosts. System headers
  (sys/endian.h, osreldate.h) that were mistakenly being installed into the
  Solo5-provided include paths have been removed. For OCaml/MirageOS users,
  ocaml-freestanding 0.6.0 or later is now required. (#453, #455, #457, #461,
  see also mirage/ocaml-solo5#77)
• Improvements to built-in self tests. (#451)
• Fix build failures with GCC >= 10. (#459)

Known issues:

• Full W^X support / correct guest-side page protections are currently only
  available on the "spt" target on Linux, and the "hvt" target on OpenBSD 6.7
  or later. (#303)
• On OpenBSD, "hvt" operation with multiple network devices results in packet
  loss. This appears to be a bug in kqueue(2) but we have no confirmation from
  upstream. (#374)
• virtio-net is not functional on at least QEMU 5.0 and possibly earlier
  versions. QEMU versions up to and including 3.1.0 are known to work. (#463)

Acknowledgements:

• Thanks to Adam Steen (@adamsteen) for pushing for OpenBSD kernel support for
  manipulating guest EPT mappings, bringing full W^X to hvt on OpenBSD 6.7 or
  later.
• Thanks to Adrian-Ken Rueegsegger (@Kensan) for the Muen updates.
• Thanks to Anurag Soni (@anuragsoni) for diagnosing and fixing the build on
  systems with GCC >= 10.
• Thanks to Hannes Mehnert (@hannesm) for diagnosing #460 and for help with
  testing BSD/clang build system changes and generally helping out.
• Thanks to Stefan Grundmann (@sg2342) for the capsicum(4) hvt tender sandbox
  on FreeBSD.

v0.6.4

0.6.4 (2019-11-14)

This release updates the Genode and Muen bindings, and fixes the following
notable issues:

• Disk images produced by solo5-virtio-mkimage were not bootable due to changes
  in recent SYSLINUX versions (thanks to Ricardo Koller, @ricarkol for finding
  the fix).
• Build failure on FreeBSD 12.1+ (clang 8.0.1) due to issues with TLS in the
  toolchain.

New features:

• "configure.sh" has a new "--only-tools" option, which builds no tenders or
  bindings. In conjunction with "make install-tools", this can be used to
  install "solo5-elftool" only. This is intended for downstream systems which
  need to make use of "solo5-elftool" to query manifest information.
• A "scripts/opam-release.sh" tool has been added to generate OPAM repository
  metadata as part of the Solo5 release process.

Apart from that, this release contains documentation updates and the "hvt"
tender on the aarch64 architecture is now considered production-quality.

v0.6.3

0.6.3 (2019-10-08)

This release fixes a build problem with Linux distributions such as OpenSUSE
which install libseccomp headers into subdirectories of /usr/include. Note that
this introduces pkg-config as a dependency for building Solo5 on Linux.

No functional changes.

v0.6.2

0.6.2 (2019-09-23)

This release fixes further OPAM/MirageOS installation problems found by CI, and
the following build problems:

• spt: Support ppc64le on RedHat (thanks to Stefan Berger, @stefanberger).
• Fix check/warning for libseccomp >= 2.3.3 (thanks to Mechiel Lukkien, @mjl-).

No functional changes.

v0.6.1

0.6.1 (2019-09-19)

This release fixes OPAM/MirageOS installation problems found by CI. No
functional changes.

Additionally, the following entry was missed from the changes for 0.6.0:

• Solo5 tenders, tools and bindings now have an embedded version number, using
  the well-known convention "v0.6.0-4-gc9786d87". Bindings will log the version
  number during start-up. As a consequence of this, Solo5 now needs to be built
  from either a Git tree or a tarball produced by "make distrib". Suitable
  tarballs are uploaded to Github during the release process.

v0.6.0

0.6.0 (2019-09-19)

This is a major feature release which introduces the concept of an "application
manifest", which enables support for multiple network and block devices.

This release removes the compile-time specialization of the "hvt" tender. While
this was a nice experiment, it is not practical for real-world deployment
scenarios where it is expected that the party supplying the tender (i.e. the
operator / user) will be different to the party supplying the unikernel (i.e.
the developer).

Due to these and other changes, both the public Solo5 APIs (as defined and
documented in solo5.h) and internal tenders/bindings ABI have changed.
Likewise, the build process for Solo5-based unikernels has changed, and
downstream projects will need to be updated.

Please refer to the following list of changes and the Solo5 documentation in
docs/ for details.

New features:

• Application manifest and support for multiple devices. New APIs have been
  added and existing APIs changed. See solo5.h for details. A new tool,
  "solo5-elftool" has been added to generate the binary application manifest
  from JSON source.
• New "spt" (sandboxed process tender) target, allows running Solo5-based
  unikernels as user processes on Linux, using a minimal, strict seccomp-BPF
  sandbox for isolation. Runs on the x86_64, aarch64 and ppc64le processor
  architectures.
• Compile-time specialization of the "hvt" (hardware virtualized tender) target
  has been removed. Two variants of the "hvt" tender are built, "solo5-hvt" and
  "solo5-hvt-debug" with support for GDB and guest coredumps where available.
• Both the "hvt" and "spt" tenders and bindings now have an internal ABI
  version, and this ABI version is embedded into the unikernel binary. Tenders
  will not run a binary whose ABI version or target does not match.
• Downsteam libOS projects using custom linker scripts for Solo5 will need to
  be updated to handle the ELF NOTEs used to embed the ABI version and
  application manifest in a Solo5 binary.

Security improvements:

• Stack smashing protection is now supported and all bindings, tenders and
  other host tools are built with -fstack-protector-strong. This setting is
  also passed down to MirageOS unikernels via OPAM/pkg-config.
• On Linux, tenders are built with -z noexecstack to enforce a non-executable
  stack.
• Low memory, including the zero page, is now unmapped on "hvt", "spt" and
  "virtio" targets. Tender-internal structures in this memory range are mapped
  read-only.
• Tests for W^X / guest-side page protections have been added and are enforced
  on those targets where this is supported.
• The ELF loader used by tenders has undergone extensive review and
  re-factoring, and fixes for a number of potential security issues have been
  put in place.

Other changes:

• The "hvt" tender now uses epoll(7) on Linux and kqueue(2) on the BSDs for
  network I/O.
• The "hvt" tender "--dumpcore" option now requires a directory, which must
  exist at run time.
• The printf() implementation used by bindings has been replaced with a much
  better implementation from https://github.com/mpaland/printf.
• The solo5_set_tls_base() API has been added to give language runtimes that
  wish to manipulate the architecture-specific TLS base register an interface
  for it.
• Many bug fixes, improvements and a lot of code review throughout.
• A C11 compiler is now required, to allow for the use of _Static_assert().

Known issues:

• Full W^X support is currently only possible on the "spt" target. Partial
  support is possible for the "hvt" target running on Linux/KVM hosts. (#303)
• On OpenBSD, "hvt" operation with multiple network devices results in packet
  loss. This appears to be a bug in kqueue(2) but we have no confirmation from
  upstream. (#374)

Acknowledgements:

Thanks to the following new contributors to this release:

• Frithjof Schulze (@schulze)
• Haibo Xu (@xiaobo55x)
• Stefan Berger (@stefanberger)

And finally, a special thank you to C For C's Sake (@cfcs) for extensive code
review.

v0.4.1

0.4.1 (2018-11-08)

This release introduces experimental support for the Genode Operating System Framework as a target for Solo5-based unikernels, and basic support for dropping "root" privileges in the "hvt" tender on FreeBSD and OpenBSD.

Other changes:

• Migrate OPAM integration to OPAM 2.

Acknowledgements:

Thanks to the following new contributors to this release:

• Emery Hemingway
• Stefan Grundmann