Releases: gramineproject/gramine

v1.2

27 May 13:31

Important changes

This change log covers the changes since the last release.

Breaking changes

  • Installation instructions changed starting from this version, see below.
  • fs.mount was renamed to fs.mounts and now uses a proper TOML array syntax. The old syntax is still supported, but deprecated.
  • Relative mount paths in manifests are now deprecated.
  • Protected files were renamed to a more intuitive name: encrypted files.
  • Encrypted files are now implemented on the mountpoints layer and support a different key for each mount. See the documentation for the new syntax.
  • Encrypted files' keys should now be modified through special files at /dev/attestation/keys/<key_name>. Unlike the deprecated /dev/attestation/protected_files_key, the new files use raw binary, not hex strings.
  • Attestation-related environment variables (RA_TLS_MRSIGNER etc.) passed to RA-TLS must be explicitly ignored if not used.
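
The switch from hex strings to raw binary described above is easy to get wrong when migrating a provisioning script. The following is an added example (not code from the Gramine project) that writes a key previously kept as a hex string to one of the new key files. It assumes a 128-bit key (32 hex characters) and a POSIX shell running inside Gramine; `write_raw_key` is a hypothetical helper name.

```shell
#!/bin/sh
# Added example: write a hex-encoded key as raw bytes to a Gramine key file.
# write_raw_key is a hypothetical helper; a 128-bit key is assumed.
#   $1: key as a hex string
#   $2: key file, e.g. /dev/attestation/keys/<key_name>
write_raw_key() {
    hex=$1
    dest=$2
    case $hex in
        ''|*[!0-9a-fA-F]*) echo "key is not a hex string" >&2; return 1 ;;
    esac
    if [ "${#hex}" -ne 32 ]; then
        echo "expected 32 hex characters, got ${#hex}" >&2
        return 1
    fi
    # Build a printf format of octal escapes (\000..\377), one per byte.
    # Octal escapes are portable across POSIX shells and can express NUL
    # bytes, which a shell variable cannot hold.
    fmt=''
    while [ -n "$hex" ]; do
        rest=${hex#??}
        pair=${hex%"$rest"}
        fmt="$fmt\\$(printf '%03o' "$((0x$pair))")"
        hex=$rest
    done
    # No trailing newline, so exactly 16 bytes are written.
    printf "$fmt" > "$dest"
}
```

Writing the old hex string with `echo` would store 33 bytes of text instead of the 16 key bytes, which is the mistake this helper avoids.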

New features

  • All filesystems use inodes now, which fixes issues with renaming and unlinking semantics.
  • Created gramine-sgx-gen-private-key tool to simplify SGX signing key generation.
  • Added proper renaming support to encrypted files.
  • Added simple fallocate syscall implementation.
  • Executable scripts (with a shebang) are now supported.
  • Running on systems with some CPU threads/cores shut down is now supported.

Security fixes

  • CPU and NUMA topology is now properly sanitized and thus enabled by default.

New sample integrations

  • Added an asynchronous web server example in Rust.

Bugfixes, stability and refactoring

  • Added a workaround for a Linux bug which broke gramine-direct on systems with 5-level page tables.
  • Fixed a crash in gramine-sgx-pf-crypt when compiled with Clang in release mode.
  • werror is not enabled by default anymore when building Gramine (but it is still enabled in CI).
  • Multiple other small bugfixes.

Miscellaneous

  • Created "Onboarding" page in the documentation with suggested learning material for aspiring Gramine developers.
  • Updated tools to use IAS API v4.
  • Added integration with VTune profiler.

Installation instructions

Starting from release v1.0, Gramine is available as .deb and .rpm packages. Note that you cannot cleanly update to a new release, because of a dependency on an external repository introduced in this release.

Before installing or updating Gramine, add Intel's SGX repository:

curl -fsSL https://download.01.org/intel-sgx/sgx_repo/ubuntu/intel-sgx-deb.key | sudo apt-key add -
echo 'deb [arch=amd64] https://download.01.org/intel-sgx/sgx_repo/ubuntu focal main' | sudo tee /etc/apt/sources.list.d/intel-sgx.list

(focal is good for Ubuntu 20.04 and Debian 11; for Ubuntu 18.04, change focal to bionic).

Then add Gramine's official repo and install the package.

sudo curl -fsSLo /usr/share/keyrings/gramine-keyring.gpg https://packages.gramineproject.io/gramine-keyring.gpg
echo 'deb [arch=amd64 signed-by=/usr/share/keyrings/gramine-keyring.gpg] https://packages.gramineproject.io/ stable main' | sudo tee /etc/apt/sources.list.d/gramine.list
sudo apt-get update

sudo apt-get install gramine      # for 5.11+ upstream, in-kernel driver
sudo apt-get install gramine-oot  # for out-of-tree SDK driver
sudo apt-get install gramine-dcap # for out-of-tree DCAP driver

If you are updating from v1.1, you need to add Intel's SGX repo (see above), then update as usual:

  • apt-get update && apt-get upgrade for Debian/Ubuntu
  • dnf update for RHEL/Fedora/CentOS

The same instructions can be found in our documentation's Quick Start.

If you prefer to build the sources yourself, please follow the building instructions from our documentation.

v1.1

03 Feb 23:18

Important changes

This change log covers the changes since the last release.

New features

  • Support for musl C standard library (v1.2.2).
  • Support of the sysinfo() system call.
  • Support of the mlock() family of system calls.
  • Support of the /proc/meminfo and /proc/stat pseudo-files.
  • Support of Intel Advanced Matrix Extensions (AMX).

Security improvements

  • Better CPU and NUMA topology sanitization (hidden under the fs.experimental__enable_sysfs_topology manifest option until we finish securing this interface).
  • Three new manifest options to specify different masks for SGX sealing key derivation:
    • sgx.seal_key.flags_mask for KEYREQUEST.ATTRIBUTESMASK.FLAGS,
    • sgx.seal_key.xfrm_mask for KEYREQUEST.ATTRIBUTESMASK.XFRM,
    • sgx.seal_key.misc_mask for KEYREQUEST.MISCMASK.

Performance improvements

  • For gramine-direct: internal locks no longer issue a futex syscall in the uncontested case.
  • For gramine-sgx: faster SGX enclave initialization time due to the removal of the static 64MB memory pool.
  • For both: faster emulation of sendfile() system call.

GSC improvements

  • Support for Ubuntu 21.04 and CentOS 8.
  • GSC skips generating trusted files if sgx.file_check_policy = "allow_all_but_log" is specified in user manifest (only for testing; not for production).
  • GSC uses a proper TOML parser instead of ad-hoc string-based parsing.

New sample integrations

  • Simple HelloWorld example (for quick testing).

Bugfixes, stability and refactoring

  • Rewrote the epoll mechanism.
  • Rewrote ELF parsing and RTLD code in PAL.
  • Rewrote the LibOS events mechanism (the new version uses normal PAL pipes).
  • More features of AddressSanitizer are enabled (stack/globals sanitization is enabled, better integration with SGX).

Miscellaneous

  • Gramine now skips inaccessible files in manifest trusted files expansion.
  • Gramine now allows non-existing (but never accessed) files in the sgx.trusted_files list.
  • Gramine tests are built using Meson and run using Pytest.
  • gramine-direct runs under a special seccomp policy to support inline syscalls.
  • loader.preload manifest option was renamed to loader.entrypoint. The old name is deprecated, but still supported.

Installation instructions

Starting from release v1.0, Gramine is available as .deb and .rpm packages.

If you are updating from v1.0, one of the following commands is enough to update to v1.1:

  • apt update && apt upgrade for Debian/Ubuntu
  • dnf update for RHEL/Fedora/CentOS

If you are not updating, run the commands below to install Gramine v1.1:

  • for Debian/Ubuntu:
sudo curl -fsSLo /usr/share/keyrings/gramine-keyring.gpg https://packages.gramineproject.io/gramine-keyring.gpg
echo 'deb [arch=amd64 signed-by=/usr/share/keyrings/gramine-keyring.gpg] https://packages.gramineproject.io/ stable main' | sudo tee /etc/apt/sources.list.d/gramine.list
sudo apt-get update

sudo apt-get install gramine      # for 5.11+ upstream, in-kernel driver
sudo apt-get install gramine-oot  # for out-of-tree SDK driver
sudo apt-get install gramine-dcap # for out-of-tree DCAP driver
  • for RHEL/Fedora/CentOS:
# first time you need to confirm the key fingerprint, which should be F3FFBE5FC0477DB46E4851E737B04F03659B87AF
sudo curl -fsSLo /etc/yum.repos.d/gramine.repo https://packages.gramineproject.io/rpm/gramine.repo
sudo dnf install gramine     # for 5.11+ upstream, in-kernel driver
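
An added example (not part of the Gramine release notes or project code) of checking a downloaded repository key against the fingerprint quoted above before trusting it. It parses `gpg --show-keys --with-colons` output; the key file path, the helper names and the sample listing are constructed for illustration.

```shell
#!/bin/sh
# Added example: compare the primary-key fingerprint in a GnuPG colon listing
# with the fingerprint published in the release notes.
EXPECTED_FPR=F3FFBE5FC0477DB46E4851E737B04F03659B87AF

# stdin: output of `gpg --show-keys --with-colons <keyfile>`
# $1: expected fingerprint (spaces and lower case are tolerated)
# Succeeds only if the listing holds exactly one primary key and its
# fingerprint equals $1; subkey fingerprints and extra keys do not pass.
fingerprint_matches() {
    want=$(printf '%s' "$1" | tr -d ' ' | tr 'abcdef' 'ABCDEF')
    awk -F: -v want="$want" '
        $1 == "pub" { pubs++; primary = 1; next }
        $1 == "sub" { primary = 0 }
        $1 == "fpr" && primary { got = $10; primary = 0 }
        END { exit !(pubs == 1 && got == want) }
    '
}

# Constructed sample listing (not real gpg output for the Gramine key).
sample_listing() {
    cat <<'EOF'
pub:-:4096:1:37B04F03659B87AF:1630000000:::-:::scESC::::::23::0:
fpr:::::::::F3FFBE5FC0477DB46E4851E737B04F03659B87AF:
uid:-::::1630000000::0000::Constructed sample uid::::::::::0:
sub:-:4096:1:1111111111111111:1630000000::::::e::::::23:
fpr:::::::::0000000000000000000000000000000000001111:
EOF
}

# Usage with a real key file (path is a placeholder):
#   gpg --show-keys --with-colons /path/to/key | fingerprint_matches "$EXPECTED_FPR"
```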

The same instructions can be found in our documentation's Quick Start.

If you prefer to build the sources yourself, please follow the building instructions from our documentation.

v1.0

08 Oct 18:12

Important changes

This text covers the changes since the last public release candidate. This version is intended to be ready for production use.

New name and new home

  • As you probably have already noticed, Graphene was renamed to Gramine. The name "Graphene" was deemed too common, could be impossible to trademark, and collided with several other software projects. Thus, a new name "Gramine" was chosen.
  • We migrated our repositories to https://github.com/gramineproject.
  • We also joined Confidential Computing Consortium (part of Linux Foundation).
  • GSC and some of the examples were moved to separate repositories: gramineproject/gsc and gramineproject/examples.
  • We reset the version numbering with the rename.

New features

  • Improved filesystem support - we introduced inodes, which allow more accurate emulation of the filesystem.
  • Insecure options summary - now when you start Gramine, if we detect a known insecure configuration, we print a warning listing the problems.
  • Support for selective passthrough of environment variables (via loader.env.[ENVIRON] = {passthrough=true}).
  • Python API for our tooling (manifest generation, signing, etc.).
  • Support for SGX sealing in protected files - now you can encrypt to MRSIGNER or MRENCLAVE instead of provisioning an external key.
  • loader.uid and loader.gid manifest options to change the default user/group id emulated inside Gramine.

Security improvements

  • All IDs are now virtualized inside Gramine.
  • Reviewed OCALLs and added some missing sanitizations.
  • We implemented custom UndefinedBehaviorSanitizer and AddressSanitizer integrations and run them in our CI.
  • Fixed a few security bugs around attestation and key exchange.
  • Fixed multiple memory corruption bugs.

New sample integrations

  • OpenJDK
  • SQLite

Stability and refactoring

  • A lot of fixes in various syscall corner cases.
  • Rewrote most of the filesystem code.

Miscellaneous

  • Better support for RHEL, CentOS and Fedora.
  • Added Clang support.
  • Updated Glibc patches to 2.34.
  • Now the whole Gramine (except tests) is built using Meson.

Breaking changes

  • We made our manifest syntax more TOML-ish - now allowed, trusted and protected files are listed as arrays. The old syntax is deprecated, but still supported.
  • The default enclave mode is now release. If you want a debug enclave, add sgx.debug = true to your manifest.
  • Build instructions have changed because of migration to Meson. The documentation was updated to reflect this.
  • Topology information in sysfs was deemed not ready for production yet (due to security concerns) and was hidden behind a feature flag in manifests - fs.experimental__enable_sysfs_topology = [true|false]. We plan to polish the implementation and make it production-quality in upcoming weeks.
  • sgx.protected_files_key manifest option was renamed to sgx.insecure__protected_files_key.

Installation instructions

Starting from this release, Gramine is available as .deb and .rpm packages. To install them, run the commands below:

  • for Debian/Ubuntu:
sudo curl -fsSLo /usr/share/keyrings/gramine-keyring.gpg https://packages.gramineproject.io/gramine-keyring.gpg
echo 'deb [arch=amd64 signed-by=/usr/share/keyrings/gramine-keyring.gpg] https://packages.gramineproject.io/ stable main' | sudo tee /etc/apt/sources.list.d/gramine.list
sudo apt-get update

sudo apt-get install gramine      # for 5.11+ upstream, in-kernel driver
sudo apt-get install gramine-oot  # for out-of-tree SDK driver
sudo apt-get install gramine-dcap # for out-of-tree DCAP driver
  • for RHEL/Fedora/CentOS:
# first time you need to confirm the key fingerprint, which is F3FFBE5FC0477DB46E4851E737B04F03659B87AF.
sudo curl -fsSLo /etc/yum.repos.d/gramine.repo https://packages.gramineproject.io/rpm/gramine.repo
sudo dnf install gramine     # for 5.11+ upstream, in-kernel driver

The same instructions can be found in our documentation's Quick Start.

If you prefer to build the sources yourself, please follow the building instructions from our documentation.