v1.1

@dimakuv dimakuv released this 03 Feb 23:18

Important changes

This change log covers the changes since the last release.

New features

  • Support for musl C standard library (v1.2.2).
  • Support for the sysinfo() system call.
  • Support for the mlock() family of system calls.
  • Support for the /proc/meminfo and /proc/stat pseudo-files.
  • Support for Intel Advanced Matrix Extensions (AMX).

Security improvements

  • Better CPU and NUMA topology sanitization (hidden under the fs.experimental__enable_sysfs_topology manifest option until we finish securing this interface).
  • Three new manifest options to specify different masks for SGX sealing key derivation:
    • sgx.seal_key.flags_mask for KEYREQUEST.ATTRIBUTESMASK.FLAGS,
    • sgx.seal_key.xfrm_mask for KEYREQUEST.ATTRIBUTESMASK.XFRM,
    • sgx.seal_key.misc_mask for KEYREQUEST.MISCMASK.

Performance improvements

  • For gramine-direct: internal locks no longer issue a futex syscall in the uncontested case.
  • For gramine-sgx: faster SGX enclave initialization time due to the removal of the static 64MB memory pool.
  • For both: faster emulation of the sendfile() system call.

GSC improvements

  • Support for Ubuntu 21.04 and CentOS 8.
  • GSC skips generating trusted files if sgx.file_check_policy = "allow_all_but_log" is specified in the user manifest (only for testing; not for production).
  • GSC uses a proper TOML parser instead of ad-hoc string-based parsing.

New sample integrations

  • Simple HelloWorld example (for quick testing).

Bugfixes, stability and refactoring

  • Rewrote the epoll mechanism.
  • Rewrote the ELF parsing and RTLD code in PAL.
  • Rewrote the LibOS events mechanism (the new version uses normal PAL pipes).
  • More features of AddressSanitizer are enabled (stack/globals sanitization is enabled, better integration with SGX).

Miscellaneous

  • Gramine now skips inaccessible files in manifest trusted files expansion.
  • Gramine now allows non-existing (but never accessed) files in the sgx.trusted_files list.
  • Gramine tests are built using Meson and run using Pytest.
  • gramine-direct runs under a special seccomp policy to support inline syscalls.
  • The loader.preload manifest option was renamed to loader.entrypoint. The old name is deprecated, but still supported.

Installation instructions

Starting from release v1.0, Gramine is available as .deb and .rpm packages.

If you are updating from v1.0, one of the following commands is enough to update to v1.1:

  • apt update && apt upgrade for Debian/Ubuntu
  • dnf update for RHEL/Fedora/CentOS

If you are not updating, run the commands below to install Gramine v1.1:

  • for Debian/Ubuntu:

    sudo curl -fsSLo /usr/share/keyrings/gramine-keyring.gpg https://packages.gramineproject.io/gramine-keyring.gpg
    echo 'deb [arch=amd64 signed-by=/usr/share/keyrings/gramine-keyring.gpg] https://packages.gramineproject.io/ stable main' | sudo tee /etc/apt/sources.list.d/gramine.list
    sudo apt-get update

    sudo apt-get install gramine      # for 5.11+ upstream, in-kernel driver
    sudo apt-get install gramine-oot  # for out-of-tree SDK driver
    sudo apt-get install gramine-dcap # for out-of-tree DCAP driver

  • for RHEL/Fedora/CentOS:

    # the first time, you need to confirm the key fingerprint, which should be F3FFBE5FC0477DB46E4851E737B04F03659B87AF
    sudo curl -fsSLo /etc/yum.repos.d/gramine.repo https://packages.gramineproject.io/rpm/gramine.repo
    sudo dnf install gramine     # for 5.11+ upstream, in-kernel driver

The same instructions can be found in our documentation's Quick Start.

If you prefer to build the sources yourself, please follow the building instructions from our documentation.
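
The RPM instructions above ask you to confirm the key fingerprint by eye. As an added example (not part of the Gramine release notes or the project's own tooling), the script below makes that comparison mechanically for a key file you have already downloaded, without importing it into any keyring. The function names, the script name and the key file path are assumptions of this example; only the fingerprint value comes from this page.

```shell
#!/bin/sh
# Added example, not Gramine project code. Function names are hypothetical.
# Fingerprint as quoted in the release notes' RPM instructions:
EXPECTED_FPR="F3FFBE5FC0477DB46E4851E737B04F03659B87AF"

# Strip spaces/colons and upper-case, so "f3ff be5f ..." compares equal.
normalize_fpr() {
    printf '%s' "$1" | tr -d ' :\n' | tr 'a-f' 'A-F'
}

# Read `gpg --with-colons` output on stdin. Succeed only if it describes
# exactly one primary key and that key's fingerprint equals $1.
# Only the first "fpr" record after each "pub" counts; subkey fingerprints
# (the "fpr" after a "sub" record) are ignored.
listing_matches() {
    awk -F: -v want="$(normalize_fpr "$1")" '
        $1 == "pub" { pending = 1; next }
        $1 == "fpr" && pending {
            n++
            if (toupper($10) == want) hit++
            pending = 0
        }
        END { exit !(n == 1 && hit == 1) }'
}

# List the keys in a file without importing them into any keyring,
# then apply the check above.
verify_keyfile() {
    gpg --show-keys --with-colons "$1" 2>/dev/null | listing_matches "$2"
}

# Usage: sh check-key.sh <keyfile>   (script name and path are placeholders)
if [ "$#" -ge 1 ]; then
    if verify_keyfile "$1" "$EXPECTED_FPR"; then
        echo "OK: $1 has fingerprint $EXPECTED_FPR"
    else
        echo "MISMATCH: $1 is not the expected key; do not install from it" >&2
        exit 1
    fi
fi
```

A file that contains more than one primary key fails the check even if one of them matches, so an extra key bundled alongside the expected one is not silently accepted.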