Skip to content

@mato mato released this Sep 19, 2019 · 53 commits to master since this release

0.6.0 (2019-09-19)

This is a major feature release which introduces the concept of an "application
manifest", which enables support for multiple network and block devices.

This release removes the compile-time specialization of the "hvt" tender. While
this was a nice experiment, it is not practical for real-world deployment
scenarios where it is expected that the party supplying the tender (i.e. the
operator / user) will be different to the party supplying the unikernel (i.e.
the developer).

Due to these and other changes, both the public Solo5 APIs (as defined and
documented in solo5.h) and internal tenders/bindings ABI have changed.
Likewise, the build process for Solo5-based unikernels has changed, and
downstream projects will need to be updated.

Please refer to the following list of changes and the Solo5 documentation in
docs/ for details.

New features:

  • Application manifest and support for multiple devices. New APIs have been
    added and existing APIs changed. See solo5.h for details. A new tool,
    "solo5-elftool" has been added to generate the binary application manifest
    from JSON source.
  • New "spt" (sandboxed process tender) target, allows running Solo5-based
    unikernels as user processes on Linux, using a minimal, strict seccomp-BPF
    sandbox for isolation. Runs on the x86_64, aarch64 and ppc64le processor
    architectures.
  • Compile-time specialization of the "hvt" (hardware virtualized tender) target
    has been removed. Two variants of the "hvt" tender are built, "solo5-hvt" and
    "solo5-hvt-debug" with support for GDB and guest coredumps where available.
  • Both the "hvt" and "spt" tenders and bindings now have an internal ABI
    version, and this ABI version is embedded into the unikernel binary. Tenders
    will not run a binary whose ABI version or target does not match.
  • Downsteam libOS projects using custom linker scripts for Solo5 will need to
    be updated to handle the ELF NOTEs used to embed the ABI version and
    application manifest in a Solo5 binary.

Security improvements:

  • Stack smashing protection is now supported and all bindings, tenders and
    other host tools are built with -fstack-protector-strong. This setting is
    also passed down to MirageOS unikernels via OPAM/pkg-config.
  • On Linux, tenders are built with -z noexecstack to enforce a non-executable
    stack.
  • Low memory, including the zero page, is now unmapped on "hvt", "spt" and
    "virtio" targets. Tender-internal structures in this memory range are mapped
    read-only.
  • Tests for W^X / guest-side page protections have been added and are enforced
    on those targets where this is supported.
  • The ELF loader used by tenders has undergone extensive review and
    re-factoring, and fixes for a number of potential security issues have been
    put in place.

Other changes:

  • The "hvt" tender now uses epoll(7) on Linux and kqueue(2) on the BSDs for
    network I/O.
  • The "hvt" tender "--dumpcore" option now requires a directory, which must
    exist at run time.
  • The printf() implementation used by bindings has been replaced with a much
    better implementation from https://github.com/mpaland/printf.
  • The solo5_set_tls_base() API has been added to give language runtimes that
    wish to manipulate the architecture-specific TLS base register an interface
    for it.
  • Many bug fixes, improvements and a lot of code review throughout.
  • A C11 compiler is now required, to allow for the use of _Static_assert().

Known issues:

  • Full W^X support is currently only possible on the "spt" target. Partial
    support is possible for the "hvt" target running on Linux/KVM hosts. (#303)
  • On OpenBSD, "hvt" operation with multiple network devices results in packet
    loss. This appears to be a bug in kqueue(2) but we have no confirmation from
    upstream. (#374)

Acknowledgements:

Thanks to the following new contributors to this release:

And finally, a special thank you to C For C's Sake (@cfcs) for extensive code
review.

Assets 3
You can’t perform that action at this time.