v1.6

Important changes

This change log covers the changes since the last release.

Breaking changes

• sgx.use_exinfo manifest option is now required if the application uses memory-fault (SIGSEGV, SIGBUS) exception handlers.

  • Done for security reasons -- to not propagate a wrong address 0 to the application's exception handler (as it was previously).
  • WARNING: some applications may not work on old Intel CPUs, as they do not support the SGX EXINFO hardware feature.
  • You can find discussions here.

• Devices mounted via fs.mounts (e.g., with uri="dev:/dev/zero") must be explicitly allowed via sgx.allowed_files (e.g., with an item "dev:/dev/zero".

  • Example: fs.mounts = [ {... uri = "dev:/dev/zero"} ] must be accompanied by sgx.allowed_files = [ "dev:/dev/zero" ].
  • Done for security reasons -- devices in Gramine are pass-through; Gramine doesn't add any protections to the app-to-device communication.
  • You can find discussions here.

Security fixes

• Glibc 2.38 release does not contain the fixes of CVEs listed below, therefore Gramine applies the fixes (taken from the corresponding glibc commits):

  • GHSA-hmf7-f8gf-8f4p
  • GHSA-5f52-v49r-796w
  • GHSA-m77w-6vjw-wh2f
  • GHSA-m7p3-g2hx-xfc3
  • See details here.

• Fixed a vulnerability by cross-verifying SW signals vs HW exceptions.

  • This bug was found by Gramine maintainers during manual review of the SGX exception handling path, while working on EDMM #PF handling.
  • This bug (a security vulnerability) was also independently found and reported to the Gramine team on 29. Nov 2023 by a team from ETH Zürich: Supraja Sridhara, Benedict Schlueter, Mark Kuhne, Andrin Bertschi and Shweta Shinde (emails: [email protected]).

New features

• Added shared untrusted memory support.
  • This manifest option is insecure.
  • It is the responsibility of the app developer to correctly use shared memory, with security implications in mind.
• Added EDMM support for dynamic thread creation.
• Added the onlyif manifest syntax to flexible IOCTLs.
• Added CPU-describing info to /proc/ and /sys/ pseudo-files:
  • added "siblings" line in /proc/cpuinfo,
  • added /sys/devices/system/cpu/kernel_max file,
  • added /sys/devices/system/cpu/{offline,present} files.
• Added gramine-direct --version and gramine-sgx --version.
• Added support for passphrase-protected SGX signing keys.
• Added gramine-sgx-sign --date option.

Performance improvements

• Added optimization of a statically allocated buffer in the sendfile() system call (only for the first thread).
• Introduced sgx.cpu_features.[...] = "[unspecified|disabled|required]" instead of sgx.require_[...] = true|false.
  • sgx.cpu_features.[...] = "disabled" may improve SGX enclave performance because the corresponding CPU feature will not be saved and restored during enclave entry/exit.
  • See here for details.
• Added Invariant TSC query fallback for hypervisors (in particular, improves performance of QEMU).
• Fixed a performance bug on on I/O intensive benchmarks (observed 5% improvement in performance).

Bugfixes, stability and refactoring

• Added support for EINPROGRESS on non-blocking sockets connect() system call.
• Fixed a bug of not updating mmaped regions when writing to files.

Miscellaneous

• Updated Gramine dependencies:
  • libcurl to version 8.4.0.
  • glibc to version 2.38.
  • mbedTLS to version 3.5.0.
• Applied a fix for posix_memalign() performance regression (glibc bug).
• Added description of Scaffolding for Gramine to documentation.
• Updated the "Gramine features" document to reflect the changes incorporated in this release. See the delta here.

Installation instructions

If you are updating from v1.5:

• apt-get update && apt-get upgrade for Debian/Ubuntu
• dnf update for AlmaLinux and compatible

If you are not updating, then to install Gramine v1.6, follow the distribution-specific commands in the respective section below. The same instructions can be found in our documentation.

If you prefer to build the sources yourself, please follow the building instructions from our documentation.

Debian 12:

sudo curl -fsSLo /usr/share/keyrings/gramine-keyring.gpg https://packages.gramineproject.io/gramine-keyring.gpg
echo "deb [arch=amd64 signed-by=/usr/share/keyrings/gramine-keyring.gpg] https://packages.gramineproject.io/ $(lsb_release -sc) main" \
| sudo tee /etc/apt/sources.list.d/gramine.list

sudo curl -fsSLo /usr/share/keyrings/intel-sgx-deb.asc https://download.01.org/intel-sgx/sgx_repo/ubuntu/intel-sgx-deb.key
echo "deb [arch=amd64 signed-by=/usr/share/keyrings/intel-sgx-deb.asc] https://download.01.org/intel-sgx/sgx_repo/ubuntu jammy main" \
| sudo tee /etc/apt/sources.list.d/intel-sgx.list

sudo apt-get update
sudo apt-get install gramine

Debian 11:

# if you don't already have backports repo enabled:
echo "deb http://deb.debian.org/debian $(lsb_release -sc)-backports main" \
| sudo tee /etc/apt/sources.list.d/backports.list

sudo curl -fsSLo /usr/share/keyrings/gramine-keyring.gpg https://packages.gramineproject.io/gramine-keyring.gpg
echo "deb [arch=amd64 signed-by=/usr/share/keyrings/gramine-keyring.gpg] https://packages.gramineproject.io/ $(lsb_release -sc) main" \
| sudo tee /etc/apt/sources.list.d/gramine.list

sudo curl -fsSLo /usr/share/keyrings/intel-sgx-deb.asc https://download.01.org/intel-sgx/sgx_repo/ubuntu/intel-sgx-deb.key
echo "deb [arch=amd64 signed-by=/usr/share/keyrings/intel-sgx-deb.asc] https://download.01.org/intel-sgx/sgx_repo/ubuntu focal main" \
| sudo tee /etc/apt/sources.list.d/intel-sgx.list

sudo apt-get update
sudo apt-get install gramine

Ubuntu 22.04 LTS, 20.04 LTS:

sudo curl -fsSLo /usr/share/keyrings/gramine-keyring.gpg https://packages.gramineproject.io/gramine-keyring.gpg
echo "deb [arch=amd64 signed-by=/usr/share/keyrings/gramine-keyring.gpg] https://packages.gramineproject.io/ $(lsb_release -sc) main" \
| sudo tee /etc/apt/sources.list.d/gramine.list

sudo curl -fsSLo /usr/share/keyrings/intel-sgx-deb.asc https://download.01.org/intel-sgx/sgx_repo/ubuntu/intel-sgx-deb.key
echo "deb [arch=amd64 signed-by=/usr/share/keyrings/intel-sgx-deb.asc] https://download.01.org/intel-sgx/sgx_repo/ubuntu $(lsb_release -sc) main" \
| sudo tee /etc/apt/sources.list.d/intel-sgx.list

sudo apt-get update
sudo apt-get install gramine

We have discontinued packages for Ubuntu 18.04 LTS, which is already EOL.

AlmaLinux and other compatible distros, versions 9 and 8:

1. Install EPEL repository as described here: https://docs.fedoraproject.org/en-US/epel/
2. Install Gramine:

# first time you need to confirm the key fingerprint, which should be F3FFBE5FC0477DB46E4851E737B04F03659B87AF
sudo curl -fsSLo /etc/yum.repos.d/gramine.repo https://packages.gramineproject.io/rpm/gramine.repo
sudo dnf install gramine

Alpine Linux

Packages and repositories for Alpine Linux are not published, but you can compile the packages using APKBUILD in packages/alpine subdirectory.