v1.9

@woju woju released this 20 Jun 12:41
· 2 commits to master since this release
v1.9
0d1a4b7

Important changes

This change log covers the changes since the last release.

Breaking changes

  • We dropped support for the out-of-tree (OOT) SGX driver, EPID attestation, and non-FLC hardware. All our supported distributions now ship kernels with the upstream SGX driver, which requires FLC. The gramine-ratls-epid package no longer exists. If you still have a non-FLC CPU, it can be made to work with the out-of-tree DCAP driver and a self-compiled Gramine (but this configuration is not officially supported by our project).
  • Deprecated syntax for libos.entrypoint is now removed.
  • The encrypted files (aka protected files) format has changed (now at major version number 2).
  • Support for the deprecated environment variable SECRET_PROVISION_SET_PF_KEY is now removed.
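
A pre-upgrade audit for the removals listed above, as an added example that is not part of the Gramine project or of these release notes. The function names (has_flc, scan, audit_tree) are hypothetical, the sample files are constructed, and it assumes EPID was selected through the manifest option sgx.remote_attestation = "epid" and that FLC shows up as the Linux /proc/cpuinfo flag sgx_lc.

```shell
#!/bin/sh
# Added example (not from the Gramine project): audit a deployment for
# features that the v1.9 breaking changes above remove.

# Manifest line selecting EPID attestation, e.g. sgx.remote_attestation = "epid"
EPID_RE="^[[:space:]]*(sgx\\.)?remote_attestation[[:space:]]*=[[:space:]]*[\"']epid[\"']"

# has_flc CPUINFO: succeeds if the CPU flags include FLC (Linux flag sgx_lc).
has_flc() {
    grep -Eq '^flags[[:space:]]*:.*[[:space:]]sgx_lc([[:space:]]|$)' "$1"
}

# scan DIR REGEX REASON: print "file:line: REASON" for every matching line.
scan() {
    grep -rnE -e "$2" "$1" 2>/dev/null | sed -E "s/^([^:]+:[0-9]+):.*/\\1: $3/"
}

# audit_tree DIR: list uses of removed features; status 0 only if none found.
audit_tree() {
    found=$(
        scan "$1" 'SECRET_PROVISION_SET_PF_KEY' 'SECRET_PROVISION_SET_PF_KEY is no longer supported'
        scan "$1" "$EPID_RE" 'EPID attestation is no longer supported'
    )
    [ -z "$found" ] && return 0
    printf '%s\n' "$found"
    return 1
}

# Constructed sample input: manifests, a launch script and two cpuinfo files.
demo=$(mktemp -d)
trap 'rm -rf "$demo"' EXIT
mkdir -p "$demo/old" "$demo/new"
printf '%s\n' 'libos.entrypoint = "/app/server"' \
    'sgx.remote_attestation = "epid"' \
    '# sgx.remote_attestation = "dcap"' > "$demo/old/app.manifest.template"
printf '%s\n' '#!/bin/sh' 'export SECRET_PROVISION_SET_PF_KEY=1' \
    'exec gramine-sgx app' > "$demo/old/run.sh"
printf '%s\n' 'sgx.remote_attestation = "dcap"' > "$demo/new/app.manifest.template"
printf 'flags\t\t: fpu sse2 sgx sgx_lc\n' > "$demo/cpu_flc"
printf 'flags\t\t: fpu sse2 sgx\n' > "$demo/cpu_noflc"

audit_tree "$demo/old" || echo "old: fix the findings above before upgrading"
audit_tree "$demo/new" && echo "new: no removed features in use"
has_flc "$demo/cpu_flc" && echo "cpu_flc: FLC present"
has_flc "$demo/cpu_noflc" || echo "cpu_noflc: no FLC, not supported by v1.9"
```

On a real host, point has_flc at /proc/cpuinfo and audit_tree at the directory holding your manifests and launch scripts.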

Security fixes

  • Updated mbedtls to v3.6.3, which includes fixes for a few vulnerabilities in mbedtls.

New features

  • File recovery support for encrypted files (the reason the format changed).
  • O_APPEND emulation for single process.

Performance improvements

  • Improved performance of memmgr's free list traversal (in Gramine's allocator).

Bugfixes, stability and refactoring

  • Fixed RLIMIT_STACK inheritance: children now correctly inherit its value from the parent process.
  • Removed symmetry check for NUMA distances.

Miscellaneous

  • Minimum Meson version is now 0.58.

Installation instructions

If you are updating from v1.8:

  • apt-get update && apt-get upgrade for Debian/Ubuntu
  • dnf update for AlmaLinux and compatible

If you are not updating, then to install Gramine v1.9, follow the distribution-specific commands in the respective section below. The same instructions can be found in our documentation.

If you prefer to build the sources yourself, please follow the building instructions from our documentation.

Debian 12:

sudo curl -fsSLo /etc/apt/keyrings/gramine-keyring-$(lsb_release -sc).gpg https://packages.gramineproject.io/gramine-keyring-$(lsb_release -sc).gpg
echo "deb [arch=amd64 signed-by=/etc/apt/keyrings/gramine-keyring-$(lsb_release -sc).gpg] https://packages.gramineproject.io/ $(lsb_release -sc) main" \
| sudo tee /etc/apt/sources.list.d/gramine.list

sudo curl -fsSLo /etc/apt/keyrings/intel-sgx-deb.asc https://download.01.org/intel-sgx/sgx_repo/ubuntu/intel-sgx-deb.key
echo "deb [arch=amd64 signed-by=/etc/apt/keyrings/intel-sgx-deb.asc] https://download.01.org/intel-sgx/sgx_repo/ubuntu jammy main" \
| sudo tee /etc/apt/sources.list.d/intel-sgx.list

sudo apt-get update
sudo apt-get install gramine

Debian 11:

# if you don't already have backports repo enabled:
echo "deb http://deb.debian.org/debian $(lsb_release -sc)-backports main" \
| sudo tee /etc/apt/sources.list.d/backports.list

sudo curl -fsSLo /usr/share/keyrings/gramine-keyring-$(lsb_release -sc).gpg https://packages.gramineproject.io/gramine-keyring-$(lsb_release -sc).gpg
echo "deb [arch=amd64 signed-by=/usr/share/keyrings/gramine-keyring-$(lsb_release -sc).gpg] https://packages.gramineproject.io/ $(lsb_release -sc) main" \
| sudo tee /etc/apt/sources.list.d/gramine.list

sudo curl -fsSLo /usr/share/keyrings/intel-sgx-deb.asc https://download.01.org/intel-sgx/sgx_repo/ubuntu/intel-sgx-deb.key
echo "deb [arch=amd64 signed-by=/usr/share/keyrings/intel-sgx-deb.asc] https://download.01.org/intel-sgx/sgx_repo/ubuntu focal main" \
| sudo tee /etc/apt/sources.list.d/intel-sgx.list

sudo apt-get update
sudo apt-get install gramine

Ubuntu 24.04 LTS, 22.04 LTS:

sudo curl -fsSLo /etc/apt/keyrings/gramine-keyring-$(lsb_release -sc).gpg https://packages.gramineproject.io/gramine-keyring-$(lsb_release -sc).gpg
echo "deb [arch=amd64 signed-by=/etc/apt/keyrings/gramine-keyring-$(lsb_release -sc).gpg] https://packages.gramineproject.io/ $(lsb_release -sc) main" \
| sudo tee /etc/apt/sources.list.d/gramine.list

sudo curl -fsSLo /usr/share/keyrings/intel-sgx-deb.asc https://download.01.org/intel-sgx/sgx_repo/ubuntu/intel-sgx-deb.key
echo "deb [arch=amd64 signed-by=/usr/share/keyrings/intel-sgx-deb.asc] https://download.01.org/intel-sgx/sgx_repo/ubuntu $(lsb_release -sc) main" \
| sudo tee /etc/apt/sources.list.d/intel-sgx.list

sudo apt-get update
sudo apt-get install gramine

AlmaLinux and other compatible distros, versions 9 and 8:

  1. Install the EPEL repository as described here: https://docs.fedoraproject.org/en-US/epel/
  2. Install Gramine:
# the first time, you need to confirm the key fingerprint, which should be F3FFBE5FC0477DB46E4851E737B04F03659B87AF
sudo curl -fsSLo /etc/yum.repos.d/gramine.repo https://packages.gramineproject.io/rpm/gramine.repo
sudo dnf install gramine

Alpine Linux

Packages and repositories for Alpine Linux are not published, but you can compile the packages using the APKBUILD in the packages/alpine subdirectory.