Releases: openenclave/openenclave
v0.19.8
Added
- Added OpenSSL provider plugin that wraps SymCrypt. To understand how to use this provider, please see https://github.com/openenclave/openenclave/tree/v0.19.x/samples/attested_tls. Specifically, you would need to set OE_CRYPTO_LIB to openssl_3_symcrypt_prov_fips as described in the sample.
Packages this release was tested against
On Ubuntu 20.04: DCAP: 1.21.100.3-focal1 PSW: 2.24.100.3-focal1 SGXDriver: 1.41
On Windows Server 2019/2022: DCAP:1.21.100.3 PSW 2.24.100.3
v0.19.7
Changed
- Updated SymCrypt to 103.4.2 and added aligned_alloc to corelibc. Also avoid enclave abort when snmalloc's aligned_alloc is called with size not being a multiple of alignment
Fixed
- trace.h is installed with oehostverify package
Security
- The OpenSSL 3 libs shipped with OE are now OpenSSL 3.1.6. Please see https://www.openssl.org/news/openssl-3.1-notes.html for CVEs and bugs fixed in the latest revision
Packages this release was tested against
On Ubuntu 20.04: DCAP: 1.21.100.3-focal1 PSW: 2.24.100.3-focal1 SGXDriver: 1.41
On Windows Server 2019/2022: DCAP:1.21.100.3 PSW 2.24.100.3
v0.19.6
Fixed
- trace.h is installed with oehostverify package
Security
- The OpenSSL 3 libs shipped with OE are now OpenSSL 3.1.5. Please see https://www.openssl.org/news/openssl-3.1-notes.html for CVEs and bugs fixed in the latest revision
v0.19.4
Added
- Added the ability to verify v5 TDX quotes
- Added the ability to change the SGX QL load policy via an environment variable OE_INTEL_QVL_LOAD_POLICY. It is recommended that applications on Icelake servers with high EPC memory set OE_INTEL_QVL_LOAD_POLICY=SGX_QL_PERSISTENT_QVE_MULTI_THREAD to improve the performance for TDX quote validation. The following are the possible values you can use for this environment variable.
  - SGX_QL_EPHEMERAL (Default): Same as behavior used for TDX quote verification in previous releases. Also used when OE_INTEL_QVL_LOAD_POLICY is not defined
    - Only allow one QVL thread when QvE is used. Limits EPC usage to 1 QvE (one QvE instance).
    - QvE is unloaded after QvE ECALL completes
  - SGX_QL_PERSISTENT
    - Only allow one QVL Thread when QvE is used. Limits EPC usage to 1 QvE.
    - QvE is kept loaded for as long as the process lives.
  - SGX_QL_PERSISTENT_QVE_MULTI_THREAD
    - Allow a new QvE instance per thread.
    - QvE is unloaded when thread is deleted.
    - EPC usage is controlled by the number of extant threads called into the DCAP QVL w/QvE
    - Provides the highest performance
  - SGX_QL_EPHEMERAL_QVE_MULTI_THREAD
    - Allow a new QvE instance per thread.
    - QvE is unloaded once QvE ECALL completes.
    - EPC usage is controlled by the number of simultaneous threads calling into the DCAP QVL w/QvE
    - Performance is impacted by the loading/unloading of QvE
Packages this release was tested against
On Ubuntu 20.04: DCAP: 1.18.100.1-focal1 PSW: 2.21.100.1-focal1 SGXDriver: 1.41
On Windows Server 2019: DCAP: v1.18.100.1 PSW 2.20.100.1
v0.19.3
Security
- There are two CVEs mitigated in this release. Please refer to the security advisory for more details.
Packages this release was tested against
On Ubuntu 20.04: DCAP: 1.16.100.2-focal1 PSW: 2.19.100.3-focal1 SGXDriver: 1.41
On Windows Server 2019: DCAP: 1.16.100.2 PSW:2.18.100.2
v0.19.2
Added
- OE SDK packages now contain OpenSSL 3.1 in addition to OpenSSL 1.1.1
- OE SDK will continue to support OpenSSL 1.1.1 until its EOL in Sep 2023. Developers should update their enclave applications to use OpenSSL 3.1 by then.
- Note: Since OpenSSL 3.1 has not been tested in production environments as yet, we recommend you experiment with updating enclave applications to use OpenSSL 3.1 as soon as possible and file any issues that you may find. We will address all issues filed in the next month and make another release, if necessary, in August.
- The Attested TLS sample has been modified to support building enclave applications with OpenSSL 3.1.
- Refer to OpenSSL 3.1 support docs for additional details
- Some of the assembly files generated via a Perl script in OpenSSL 3.1 do not contain LVI mitigations as yet. These are contingent on upstream work and will be updated as soon as LVI mitigations are available.
- Added oe_generate_attestation_certificate_v2 API which takes two additional params that determine certificate validity period.
Changed
- snmalloc has been updated to 0.6.2
- Dropped TDX supplemental data size check since the size is changing
Packages this release was tested against
On Ubuntu 20.04: DCAP: 1.16.100.2-focal1 PSW: 2.19.100.3-focal1 SGXDriver: 1.41
On Windows Server 2019: DCAP: 1.16.100.2 PSW:2.18.100.2
v0.19.0
Added
- OE SDK can now be built with Clang-11 and it is recommended to upgrade the compiler to Clang-11 if you are building the SDK from source. The OE SDK packages in this release are built with Clang-11 with ControlFlow-GNU LVI mitigation. Please see below for details.
  - Building OE SDK enclaves now includes the following LVI mitigation options:
    - ControlFlow-GNU - enables LVI mitigation using the existing GNU-based mitigation specified by LVI_MITIGATION_BINDIR. This option is recommended when building OE SDK with Clang-10.
    - ControlFlow-Clang - enables Clang-based LVI mitigations. Choosing this option requires Clang-11.
    - ControlFlow - enables LVI mitigation but defaults to the recommended method, which is currently ControlFlow-GNU.
    - None - no LVI mitigations are enabled.
- Added a TDX verifier plugin based on Intel QVL/QvE
  - Added two public APIs to initialize and shut down the plugin, defined in openenclave/attestation/tdx/evidence.h
    - oe_tdx_verifier_initialize()
    - oe_tdx_verifier_shutdown()
  - Added a new format uuid for TDX quote, OE_FORMAT_UUID_TDX_QUOTE_ECDSA
  - Added a new OCALL oe_verify_tdx_quote_ocall that is used by the plugin internally (see openenclave/edl/sgx/tdx_verification.edl)
  - Steps to verify a TDX quote
    - Initialize the plugin via oe_tdx_verifier_initialize
    - Invoke oe_verify_evidence by specifying the quote and format id as OE_FORMAT_UUID_TDX_QUOTE_ECDSA
    - Parse the claims (refer to the definitions of TDX claims in openenclave/attestation/evidence.h)
  - Note that oe_verify_evidence with the plugin currently does not support input endorsements (must be NULL)
- Added two APIs oe_get_tdx_endorsements and oe_free_tdx_endorsements to fetch and free the endorsements for the given TDX quote. The APIs are for users who want to manage (e.g., caching) the endorsements by themselves instead of relying on the existing caching mechanisms (e.g., supported by DCAP). See openenclave/attestation/tdx/evidence.h for more detail of the APIs.
- Added support for V4 collateral from Intel for SGX and TDX
Changed
- snmalloc (0.6.0) now only requires 16KiB initially per thread, compared to 256 KiB previously (0.5.3). Thread-local heaps only grow by a constant amount until the next power of 2, eg. 16KiB, 16KiB, 32KiB, 64KiB, ... 1MiB, 2MiB, 2MiB, ..., as opposed to a fixed amount previously (256 KiB). Allocator metadata is kept separately, making corruption attacks less likely. There are some applications for which this update in snmalloc will result in an increase in EPC memory as specified in the enclave configuration file.
Packages this release was tested against
On Ubuntu 20.04: DCAP: 1.16.100.2-focal1 PSW: 2.19.100.3-focal1 SGXDriver: 1.41
On Windows Server 2019: DCAP: 1.16.100.2 PSW:2.18.100.2
v0.19.0-rc1
Added
- OE SDK can now be built with Clang-11 and it is recommended to upgrade the compiler to Clang-11 if you are building the SDK from source. The OE SDK packages in this release are built with Clang-11 with ControlFlow-GNU LVI mitigation. Please see below for details.
  - Building OE SDK enclaves now includes the following LVI mitigation options:
    - ControlFlow-GNU - enables LVI mitigation using the existing GNU-based mitigation specified by LVI_MITIGATION_BINDIR. This option is recommended when building OE SDK with Clang-10.
    - ControlFlow-Clang - enables Clang-based LVI mitigations. Choosing this option requires Clang-11.
    - ControlFlow - enables LVI mitigation but defaults to the recommended method, which is currently ControlFlow-GNU.
    - None - no LVI mitigations are enabled.
- Added a TDX verifier plugin based on Intel QVL/QvE
  - Added two public APIs to initialize and shut down the plugin, defined in openenclave/attestation/tdx/evidence.h
    - oe_tdx_verifier_initialize()
    - oe_tdx_verifier_shutdown()
  - Added a new format uuid for TDX quote, OE_FORMAT_UUID_TDX_QUOTE_ECDSA
  - Added a new OCALL oe_verify_tdx_quote_ocall that is used by the plugin internally (see openenclave/edl/sgx/tdx_verification.edl)
  - Steps to verify a TDX quote
    - Initialize the plugin via oe_tdx_verifier_initialize
    - Invoke oe_verify_evidence by specifying the quote and format id as OE_FORMAT_UUID_TDX_QUOTE_ECDSA
    - Parse the claims (refer to the definitions of TDX claims in openenclave/attestation/evidence.h)
  - Note that oe_verify_evidence with the plugin currently does not support input endorsements (must be NULL)
- Added two APIs oe_get_tdx_endorsements and oe_free_tdx_endorsements to fetch and free the endorsements for the given TDX quote. The APIs are for users who want to manage (e.g., caching) the endorsements by themselves instead of relying on the existing caching mechanisms (e.g., supported by DCAP). See openenclave/attestation/tdx/evidence.h for more detail of the APIs.
- Added support for V4 collateral from Intel for SGX and TDX
Changed
- snmalloc (0.6.0) now only requires 16KiB initially per thread, compared to 256 KiB previously (0.5.3). Thread-local heaps only grow by a constant amount until the next power of 2, eg. 16KiB, 16KiB, 32KiB, 64KiB, ... 1MiB, 2MiB, 2MiB, ..., as opposed to a fixed amount previously (256 KiB). Allocator metadata is kept separately, making corruption attacks less likely. There are some applications for which this update in snmalloc will result in an increase in EPC memory as specified in the enclave configuration file.
Known issues
- oeutil crashes on Windows. A fix is available in master and will be available in the final release.
v0.18.5
Security
- Updated OpenSSL used inside the enclave to v1.1.1t. See OpenSSL's release notes for more details
Packages this release was tested against
On Ubuntu 18.04: DCAP: 1.15.100.3-bionic1 PSW: 2.18.101.1-bionic1 SGXDriver: 1.33.2
On Ubuntu 20.04: DCAP: 1.15.100.3-focal1 PSW: 2.18.101.1-focal1 SGXDriver: 1.41
On Windows Server 2019: DCAP 1.15.100.2 PSW 2.17.100.2
v0.18.4
Added
- Added oe_set_host_log_level and oe_set_enclave_log_level APIs to dynamically modify host and enclave log level verbosity, respectively. See #4610 for more details
- Added backtrace debug log for unhandled exceptions. If the enclave is configured with and CapturePFGPExceptions=1, the backtrace information will be printed in the enclave log when an in-enclave exception is not handled by trusted handlers. If the enclave is not configured with CapturePFGPExceptions=1, a helper message similar to the following will be printed in the log:
2022-07-13T00:25:05+0000.276579Z (H)ERROR] tid(0x7f6cbb2b1f40) | Unhandled in-enclave exception. To get more information, configure the enclave with CapturePFGPExceptions=1 and enable the in-enclave logging.
Changed
- Fixed bugs in oe_validate_revocation_list regarding PCCS API v3.0
- Fixed issue where oe_hex_dump prints data to stdout, even when logging callback is set
- Fixed the issue where enclave stack was not showing up in ocall callstack in Windows debuggers. Added padding to restore offset of callsites field to previous value.
Security
- Updated OpenSSL used inside the enclave to v1.1.1q. See OpenSSL's release notes for more details
- Update Mbed-TLS used inside the enclave to 2.28.1. See Mbed-TLS's release notes for more details.
Packages this release was tested against
On Ubuntu 18.04: DCAP: 1.14.100.3-bionic1 PSW: 2.17.100.3-bionic1 SGXDriver: 1.33.2
On Ubuntu 20.04: DCAP: 1.14.100.3-focal1 PSW: 2.17.100.3-focal1 SGXDriver: 1.41
On Windows Server 2019: DCAP: 1.14.100.3 PSW: 2.16.100.3