v1.8

@woju woju released this 21 Oct 16:52
· 23 commits to master since this release
v1.8
8fc123d

Important changes

This change log covers the changes since the last release.

Breaking changes

  • The gramine-manifest tool's built-in check against the manifest schema is now enabled in hard-error mode by default and might fail on previously-working but non-conformant manifests. Use --no-check to suppress.
  • Attestation-related environment variables (RA_TLS_*, e.g., RA_TLS_MRSIGNER) passed to RA-TLS must now be explicitly set. To skip verification of a particular measurement that is not used, set its variable to the special value any.
  • The previously-deprecated manifest option sgx.require_[...] = true|false was removed -- use sgx.cpu_features.[...] = "[unspecified|disabled|required]" instead.
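
A pre-launch audit for the RA-TLS change above, as an added example that is not part of the Gramine project: it reports each verification variable as OK, SKIPPED (set to any), MISSING or MALFORMED, so that a skipped measurement is a visible decision rather than a leftover default. Only RA_TLS_MRSIGNER is named on this page; the other three variable names and the hex/decimal formats are assumptions taken from Gramine's RA-TLS documentation, and the function names are illustrative.

```shell
#!/bin/sh
# Added example: audit RA-TLS verification variables before starting a verifier.
# Assumed formats: MRENCLAVE/MRSIGNER are 32-byte hex strings, ISV_* are decimal.

is_hex64() { [ "${#1}" -eq 64 ] && case $1 in *[!0-9A-Fa-f]*) return 1 ;; esac; }
is_dec()   { [ -n "$1" ] && case $1 in *[!0-9]*) return 1 ;; esac; }

# Prints "NAME STATUS" for each variable.
# Returns non-zero if any variable is unset/empty or malformed.
# "any" is accepted but reported as SKIPPED so it can be reviewed.
ra_tls_audit() {
    rc=0
    for spec in RA_TLS_MRENCLAVE:hex RA_TLS_MRSIGNER:hex \
                RA_TLS_ISV_PROD_ID:dec RA_TLS_ISV_SVN:dec; do
        name=${spec%%:*}
        kind=${spec##*:}
        eval "val=\${$name-}"   # safe: names come from the fixed list above
        if [ -z "$val" ]; then
            echo "$name MISSING"; rc=1
        elif [ "$val" = any ]; then
            echo "$name SKIPPED"
        elif [ "$kind" = hex ] && is_hex64 "$val"; then
            echo "$name OK"
        elif [ "$kind" = dec ] && is_dec "$val"; then
            echo "$name OK"
        else
            echo "$name MALFORMED"; rc=1
        fi
    done
    return $rc
}
```

Call ra_tls_audit in the service's start script and refuse to start on a non-zero return; the SKIPPED lines belong in the deployment log.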

Security fixes

New features

  • loader.entrypoint is now optional and only needed if you want to replace Gramine's LibOS with your own implementation.
  • gramine-direct should now be able to run under Windows Subsystem for Linux, although this isn't an officially supported feature.
  • New system calls implemented:
    • close_range.
    • {,l,f}getxattr and {,l,f}listxattr.
  • New manifest options added:
    • sys.debug__mock_syscalls = [ ... ], which allows mocking selected syscalls.
    • sys.fds.limit, which sets Linux's RLIMIT_NOFILE resource limit, i.e., the maximum number of open file descriptors.
  • /dev/fd/ directory is now properly emulated.
  • Added shared_cpu_list file to sysfs cache info.
  • Sending the SIGUSR1 signal to Gramine built in debug configuration now resets the perf profiling and SGX statistics. This allows gathering more precise stats on long-running applications.
  • Modified RA-TLS to adhere to the Interoperable RA-TLS standard.

Performance improvements

  • Added support for lazy memory allocation when using EDMM and mmap with MAP_NORESERVE. This significantly improves EDMM performance of e.g. Java workloads.

Bugfixes, stability and refactoring

  • Fixed communication with the AESM daemon, which sometimes caused it to return error 42 when using DCAP attestation.
  • Added stat() and hstat() callbacks to FIFOs; the lack of these caused some apps to misbehave.
  • Fixed ENOENT error in fchown syscall on unlinked file.
  • Correctly emulate in/out instructions (as SIGSEGV, not SIGILL as it was before).
  • Fixed up locking around read/write on encrypted pipes, which got accidentally broken in v1.7 release.
  • File-backed mappings are now emulated via PAL read/write APIs. This fixed multiple deviations from the semantics of those mappings as implemented in Linux.
  • Added missing locks around dentry->inode accesses.
  • Fixed a long-standing issue about not waiting for the async thread to exit.

Miscellaneous

  • is-sgx-available was extended to show EDECCSSA and AEX-Notify information.
  • Additional logging for raw syscall instructions.
  • Multiple documentation updates.
  • Multiple refactorings and minor bugfixes.
  • The key used for signing APT repos is being rotated. Existing repos did not change the signing key, but newer repos (starting with noble, Ubuntu 24.04 LTS) are being released with one of two new keys (there are two keys for backup reasons):
pub   ed25519 2024-09-03 [SC]
      1CBF71E00FF0A5577A4EA6984B8D8EC2F8BE4647
uid           Gramine Project signing key (2024a)

pub   ed25519 2024-07-04 [SC]
      71807D6094DDF649D9591A53B951298EB73C9392
uid           Gramine Project signing key (2024b)

We've also generated two keys for RPM packages, but those are not yet in use; they're waiting for a new release of any supported RPM distribution:

pub   rsa4096 2024-09-03 [SC]
      AB6A3E8D7000D03ADAD447270DECAAD7765E4B3F
uid           Gramine Project signing key, RPM (2024a)

pub   rsa4096 2024-07-04 [SC]
      302BDEFEA069FA50BFE449BEA5C4FF471AC36540
uid           Gramine Project signing key, RPM (2024b)

Known issues

  • Multithreaded applications which issue a lot of OCALLs concurrently might experience reliability issues: #1261 (comment)
  • There's a bug in GDB introduced somewhere between versions 12 and 13 (and still present in 15.x): when using set detach-on-fork off and set schedule-multiple on, non-main threads in the parent process get stuck in "tracing stop" state after vfork + execve. This makes GDB unusable for debugging gramine-direct on Debian 12 and Ubuntu 24.04.

Installation instructions

If you are updating from v1.7:

  • apt-get update && apt-get upgrade for Debian/Ubuntu
  • dnf update for AlmaLinux and compatible

If you are not updating, then to install Gramine v1.8, follow the distribution-specific commands in the respective section below. The same instructions can be found in our documentation.

If you prefer to build the sources yourself, please follow the building instructions from our documentation.

Debian 12:

sudo curl -fsSLo /etc/apt/keyrings/gramine-keyring-$(lsb_release -sc).gpg https://packages.gramineproject.io/gramine-keyring-$(lsb_release -sc).gpg
echo "deb [arch=amd64 signed-by=/etc/apt/keyrings/gramine-keyring-$(lsb_release -sc).gpg] https://packages.gramineproject.io/ $(lsb_release -sc) main" \
| sudo tee /etc/apt/sources.list.d/gramine.list

sudo curl -fsSLo /etc/apt/keyrings/intel-sgx-deb.asc https://download.01.org/intel-sgx/sgx_repo/ubuntu/intel-sgx-deb.key
echo "deb [arch=amd64 signed-by=/etc/apt/keyrings/intel-sgx-deb.asc] https://download.01.org/intel-sgx/sgx_repo/ubuntu jammy main" \
| sudo tee /etc/apt/sources.list.d/intel-sgx.list

sudo apt-get update
sudo apt-get install gramine

Debian 11:

# if you don't already have backports repo enabled:
echo "deb http://deb.debian.org/debian $(lsb_release -sc)-backports main" \
| sudo tee /etc/apt/sources.list.d/backports.list

sudo curl -fsSLo /usr/share/keyrings/gramine-keyring-$(lsb_release -sc).gpg https://packages.gramineproject.io/gramine-keyring-$(lsb_release -sc).gpg
echo "deb [arch=amd64 signed-by=/usr/share/keyrings/gramine-keyring-$(lsb_release -sc).gpg] https://packages.gramineproject.io/ $(lsb_release -sc) main" \
| sudo tee /etc/apt/sources.list.d/gramine.list

sudo curl -fsSLo /usr/share/keyrings/intel-sgx-deb.asc https://download.01.org/intel-sgx/sgx_repo/ubuntu/intel-sgx-deb.key
echo "deb [arch=amd64 signed-by=/usr/share/keyrings/intel-sgx-deb.asc] https://download.01.org/intel-sgx/sgx_repo/ubuntu focal main" \
| sudo tee /etc/apt/sources.list.d/intel-sgx.list

sudo apt-get update
sudo apt-get install gramine

Ubuntu 24.04 LTS, 22.04 LTS:

sudo curl -fsSLo /etc/apt/keyrings/gramine-keyring-$(lsb_release -sc).gpg https://packages.gramineproject.io/gramine-keyring-$(lsb_release -sc).gpg
echo "deb [arch=amd64 signed-by=/etc/apt/keyrings/gramine-keyring-$(lsb_release -sc).gpg] https://packages.gramineproject.io/ $(lsb_release -sc) main" \
| sudo tee /etc/apt/sources.list.d/gramine.list

sudo curl -fsSLo /usr/share/keyrings/intel-sgx-deb.asc https://download.01.org/intel-sgx/sgx_repo/ubuntu/intel-sgx-deb.key
echo "deb [arch=amd64 signed-by=/usr/share/keyrings/intel-sgx-deb.asc] https://download.01.org/intel-sgx/sgx_repo/ubuntu $(lsb_release -sc) main" \
| sudo tee /etc/apt/sources.list.d/intel-sgx.list

sudo apt-get update
sudo apt-get install gramine
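
A check that the downloaded APT keyring contains only keys whose fingerprints are published in these release notes (2024a and 2024b), as an added example that is not part of the Gramine project. It assumes a keyring for noble or newer, since older repositories keep the previous key, and it parses gpg's --with-colons output; the function names and the script name check.sh are illustrative.

```shell
#!/bin/sh
# Added example: compare a keyring's primary keys with the fingerprints
# published in the v1.8 release notes for the new APT signing keys.
GRAMINE_APT_FPRS="1CBF71E00FF0A5577A4EA6984B8D8EC2F8BE4647
71807D6094DDF649D9591A53B951298EB73C9392"

# Reads `gpg --with-colons` output on stdin and prints primary-key fingerprints.
# An "fpr" record follows each "pub"/"sub" record; field 10 holds the fingerprint.
primary_fprs() {
    awk -F: '$1 == "pub" { want = 1; next }
             $1 == "sub" { want = 0; next }
             $1 == "fpr" && want { print toupper($10); want = 0 }'
}

# Succeeds only if stdin lists at least one primary key and every
# primary key is one of the published fingerprints (fails closed otherwise).
keyring_is_expected() {
    fprs=$(primary_fprs)
    [ -n "$fprs" ] || return 1
    for f in $fprs; do
        printf '%s\n' "$GRAMINE_APT_FPRS" | grep -qxF "$f" || return 1
    done
    return 0
}

# Checks a keyring file written by the install commands.
verify_keyring_file() {
    gpg --show-keys --with-colons "$1" 2>/dev/null | keyring_is_expected
}

# Runs only when a path is given, e.g. on Ubuntu 24.04:
#   sh check.sh /etc/apt/keyrings/gramine-keyring-noble.gpg
if [ -n "${1:-}" ]; then
    if verify_keyring_file "$1"; then
        echo "keyring matches published fingerprints"
    else
        echo "unexpected or missing key in $1" >&2
        exit 1
    fi
fi
```

Run it between the curl download and apt-get update, so that an unexpected key is caught before APT starts trusting it.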

AlmaLinux and other compatible distros, versions 9 and 8:

  1. Install EPEL repository as described here: https://docs.fedoraproject.org/en-US/epel/
  2. Install Gramine:
# first time you need to confirm the key fingerprint, which should be F3FFBE5FC0477DB46E4851E737B04F03659B87AF
sudo curl -fsSLo /etc/yum.repos.d/gramine.repo https://packages.gramineproject.io/rpm/gramine.repo
sudo dnf install gramine

Alpine Linux

Packages and repositories for Alpine Linux are not published, but you can compile the packages using APKBUILD in packages/alpine subdirectory.