v1.3

@dimakuv dimakuv released this 27 Sep 11:23

Important changes

This change log covers the changes since the last release.

Breaking changes

  • Public API of Secret Provisioning was modified. User applications relying on this API must be updated as follows:
    • secret_provision_start() allocates a context that should be supplied to all other Secret Prov APIs and must be closed afterwards.
    • secret_provision_get() requires a context as the first argument, and extracts a copy of the secret that is associated with this context.
    • secret_provision_destroy() is removed. Use secret_provision_close() instead: it will both close the session and destroy the secret.
    • SECRET_PROVISION_SET_KEY environment variable is introduced, instead of deprecated SECRET_PROVISION_SET_PF_KEY.
  • The Secret Provisioning service must send the encryption key in 16-byte raw binary form (previously, the encryption key was sent in 32-char NULL-terminated hex form, and hex decoding can leak information about the encryption key). Users must update the Secret Provisioning service and/or the Secret Provisioning client if needed.
  • Public API of RA-TLS shared library was modified: ra_tls_verify_callback() and ra_tls_create_key_and_crt() mbedTLS-specific functions were removed. Users must use TLS-library-agnostic versions now: ra_tls_verify_callback_der() and ra_tls_create_key_and_crt_der().
  • loader.argv0_override manifest option was removed. Gramine ignores this option from now on. See our documentation on how to specify command-line arguments in the manifest.
  • Due to the introduced mitigation of vulnerability CVE-2022-21233, the Exitless feature is considered insecure from now on, and the corresponding manifest option was renamed from sgx.rpc_thread_num to sgx.insecure__rpc_thread_num.
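
The key-format change above, as an added example (not Gramine's own code): a table-driven hex decoder performs loads indexed by the secret characters, while the 16-byte raw form needs only a length check and a copy. The names `key_from_hex` and `key_from_raw` and the decoder itself are hypothetical and only illustrate the access pattern.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define KEY_SIZE 16 /* 16-byte raw key, as required since v1.3 */

/* Old wire form: 32 hex chars + NUL. A table-driven decoder indexes memory
 * with each secret character, so the cache line it touches depends on the
 * key. Hypothetical decoder, shown for contrast only. */
static int8_t g_hex_table[256];

static void init_hex_table(void) {
    memset(g_hex_table, -1, sizeof(g_hex_table));
    for (int i = 0; i < 10; i++)
        g_hex_table['0' + i] = (int8_t)i;
    for (int i = 0; i < 6; i++) {
        g_hex_table['a' + i] = (int8_t)(10 + i);
        g_hex_table['A' + i] = (int8_t)(10 + i);
    }
}

int key_from_hex(const char* hex, uint8_t out[KEY_SIZE]) {
    init_hex_table();
    if (strlen(hex) != 2 * KEY_SIZE)
        return -1;
    for (size_t i = 0; i < KEY_SIZE; i++) {
        int8_t hi = g_hex_table[(uint8_t)hex[2 * i]];     /* secret-indexed load */
        int8_t lo = g_hex_table[(uint8_t)hex[2 * i + 1]]; /* secret-indexed load */
        if (hi < 0 || lo < 0) /* branch on data derived from the secret */
            return -1;
        out[i] = (uint8_t)((hi << 4) | lo);
    }
    return 0;
}

/* New wire form: exactly 16 raw bytes. Only the public length is inspected;
 * the copy touches the same addresses whatever the key bytes are. */
int key_from_raw(const uint8_t* buf, size_t size, uint8_t out[KEY_SIZE]) {
    if (size != KEY_SIZE)
        return -1;
    memcpy(out, buf, KEY_SIZE);
    return 0;
}
```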

New features

  • New manifest option sys.enable_extra_runtime_domain_names_conf to enable extra runtime configuration for domain names and DNS.
  • New manifest option loader.argv to specify command-line arguments in the manifest directly.
  • New manifest option sgx.remote_attestation = "[none|epid|dcap]", instead of now-deprecated sgx.remote_attestation = true.
    • Also, a new file /dev/attestation/attestation_type is introduced, to help apps determine which attestation scheme is used.
    • Relevant CI examples were rewritten to use the new syntax.
  • Support for executable scripts (shebangs) during execve() system call and as libos.entrypoint.
  • Support for getcpu() and fadvise64() system calls.
  • Added O_PATH support to open() system call.
  • Support for the /sys/devices/system/node/nodeX/meminfo files.
  • Support all currently known CPU feature flags in /proc/cpuinfo.

Security improvements

  • Mitigated vulnerability CVE-2022-21233 aka INTEL-SA-00657.
  • Fixed a vulnerability of insecurely allocating untrusted memory for futex objects.
  • Fixed a vulnerability of the Secret Provisioning service sending the encryption key in 32-char hex form (could leak information about the encryption key through memory access patterns during hex decoding).
  • Fixed a vulnerability of NULL pointer dereference when there are no epoll items during epoll_wait() system call.
  • Per-thread CPU affinity mask is initialized once and cached in Gramine; previously, the mask was queried from the untrusted host.
  • Introduced constant-time memcmp() and use it for MAC check in sgx_verify_report() (to avoid side-channel leaks via timing attacks).
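
Why the MAC check needs a constant-time comparison, as an added example (not Gramine's implementation): the early-exit loop stops at the first mismatching byte, so the work done depends on how much of a guessed MAC is correct, while the constant-time loop always processes every byte. The function names, the `steps` counter (present only to make the difference observable without a timer) and the 16-byte MAC size are assumptions of this sketch.

```c
#include <stddef.h>
#include <stdint.h>

#define MAC_SIZE 16 /* assumed size of the report MAC (128 bits) */

/* Early-exit comparison: returns at the first differing byte, so the number
 * of bytes examined (reported in *steps) depends on the data. */
int early_exit_equal(const uint8_t* a, const uint8_t* b, size_t n, size_t* steps) {
    *steps = 0;
    for (size_t i = 0; i < n; i++) {
        (*steps)++;
        if (a[i] != b[i])
            return 0;
    }
    return 1;
}

/* Constant-time comparison: reads all n bytes and ORs the differences
 * together; no branch or address depends on the compared bytes. */
int ct_equal(const void* a, const void* b, size_t n, size_t* steps) {
    const volatile uint8_t* pa = a;
    const volatile uint8_t* pb = b;
    unsigned int diff = 0;
    *steps = 0;
    for (size_t i = 0; i < n; i++) {
        diff |= (unsigned int)(pa[i] ^ pb[i]);
        (*steps)++;
    }
    /* diff == 0 -> (0 - 1) has bit 8 set -> 1; diff in 1..255 -> 0 */
    return (int)(((diff - 1u) >> 8) & 1u);
}

/* MAC check built on the constant-time primitive. */
int mac_matches(const uint8_t computed[MAC_SIZE], const uint8_t received[MAC_SIZE]) {
    size_t unused;
    return ct_equal(computed, received, MAC_SIZE, &unused);
}
```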

GSC improvements

  • Support for Docker images that have a non-root user.
  • Support for specifying an image registry via Registry option in config.yaml.

Bugfixes, stability and refactoring

  • Completely rewrote the sockets (networking) subsystem.
  • Fixed several resource and memory leaks.

Miscellaneous

  • Released an official Gramine Docker image; the sources for this Docker image can be found here.
  • Updated mbedTLS dependency to version 3.2.1.
  • Updated Glibc dependency to version 2.35.
  • gramine-sgx-pf-crypt tool can be run in a Gramine SGX enclave now; this is helpful when the enclavized application wants to use this tool (or its underlying library libsgx_util.so) to perform encryption/decryption of files explicitly.
  • Added peak memory usage (VmPeak) field to /proc/<pid>/status file.
  • Internal refactoring of Gramine source code:
    • Lowercased directory names.
    • Directory LibOS/shim/ is flattened to simply libos/.
    • Replaced legacy prefixes Dk, db, shim with Pal, enclave/host, libos.
    • Moved SGX tools and libraries to tools/sgx/.

Installation instructions

Starting from release v1.0, Gramine is available as .deb and .rpm packages.

If you are updating from v1.2:

  • If you have Ubuntu 18.04 or 20.04, before upgrading, you need to edit the repository definition and change stable to bionic (for Ubuntu 18.04) or focal (for Ubuntu 20.04). The line should match the one in the fresh install snippet below. (If you have a newer Ubuntu or Debian, skip this step.)
  • apt update && apt upgrade for Debian/Ubuntu
  • dnf update for RHEL/CentOS/AlmaLinux

If you are not updating, install Gramine v1.3 with the commands below:

  • for Ubuntu 18.04:
    sudo curl -fsSLo /usr/share/keyrings/gramine-keyring.gpg https://packages.gramineproject.io/gramine-keyring.gpg
    echo 'deb [arch=amd64 signed-by=/usr/share/keyrings/gramine-keyring.gpg] https://packages.gramineproject.io/ bionic main' | sudo tee /etc/apt/sources.list.d/gramine.list
    sudo apt-get update

    sudo apt-get install gramine      # for 5.11+ upstream, in-kernel driver
    sudo apt-get install gramine-oot  # for out-of-tree SDK driver
    sudo apt-get install gramine-dcap # for out-of-tree DCAP driver
  • for Ubuntu 20.04:
    sudo curl -fsSLo /usr/share/keyrings/gramine-keyring.gpg https://packages.gramineproject.io/gramine-keyring.gpg
    echo 'deb [arch=amd64 signed-by=/usr/share/keyrings/gramine-keyring.gpg] https://packages.gramineproject.io/ focal main' | sudo tee /etc/apt/sources.list.d/gramine.list
    sudo apt-get update

    sudo apt-get install gramine      # for 5.11+ upstream, in-kernel driver
    sudo apt-get install gramine-oot  # for out-of-tree SDK driver
    sudo apt-get install gramine-dcap # for out-of-tree DCAP driver
  • for other Ubuntu/Debian:
    sudo curl -fsSLo /usr/share/keyrings/gramine-keyring.gpg https://packages.gramineproject.io/gramine-keyring.gpg
    echo 'deb [arch=amd64 signed-by=/usr/share/keyrings/gramine-keyring.gpg] https://packages.gramineproject.io/ stable main' | sudo tee /etc/apt/sources.list.d/gramine.list
    sudo apt-get update

    sudo apt-get install gramine      # for 5.11+ upstream, in-kernel driver
    sudo apt-get install gramine-oot  # for out-of-tree SDK driver
    sudo apt-get install gramine-dcap # for out-of-tree DCAP driver
  • for RHEL/CentOS/AlmaLinux:
    # first time you need to confirm the key fingerprint, which should be F3FFBE5FC0477DB46E4851E737B04F03659B87AF
    sudo curl -fsSLo /etc/yum.repos.d/gramine.repo https://packages.gramineproject.io/rpm/gramine.repo
    sudo dnf install gramine     # for 5.11+ upstream, in-kernel driver

The same instructions can be found in our documentation's Quick Start.

If you prefer to build the sources yourself, please follow the building instructions from our documentation.