|
Open Eclave SDK Sig-Testing meeting canceled for 9/8/2020
Radhika Jandhyala
Hi,
The SIG-Testing meeting scheduled for 9/8/2020, 5:30 PST is cancelled because there are no topics to discuss at this time. Thanks, Radhika
|
|
|
|
OpenEnclave SDK v0.11.0-RC1 Release
Radhika Jandhyala
Hi,
Open Enclave version 0.11.0 will soon be published, and we want to send out some release candidate packages (for Windows Server 2016 and 2019, Ubuntu 16.04/18.04) for pre-release testing. You can find the release candidate packages on GitHub below under the v0.11.0-rc1 tag: https://github.com/openenclave/openenclave/releases<https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Fgithub.com%2Fopenenclave%2Fopenenclave%2Freleases&data=02%7C01%7Cradhikaj%40microsoft.com%7C9b906ec7b73c4fa7da1808d7a0826790%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C637154354265332253&sdata=e0DQ36Qk5d2DJ3DrkM0ZjYzzPODpk8%2BjfpqD3tja1Ls%3D&reserved=0> Please test these packages and let us know if you come across any issues. Thank you so much for your help! To the Committers of the OE SDK: Please let us know if we have missed anything in the release notes. We should update our CHANGELOG if so. Thank you so much to everyone in helping us drive and deliver this release! Please use our GitHub repo to report any issues that you may come across in your use of the SDK! Release Notes Added * Open Enclave SDK release packages can now be built on non-SGX and non-FLC machines. * Support for arbitrarily large thread-local data for SGX machines. * Experimental support for OpenSSL inside enclaves has been added while building the SDK from source. * Use BUILD_OPENSSL flag while compiling the SDK. * OpenSSLSupport.md<https://github.com/openenclave/openenclave/blob/v0.11.0-rc1/docs/OpenSSLSupport.md> documents supported options and configuration needed to use OpenSSL inside an enclave. * Custom claims buffer serialization/de-serialization helper functions. * SGX attestation endorsement claims from oe_verify_evidence() will contain the following: * OE_CLAIM_SGX_TCB_INFO * OE_CLAIM_SGX_TCB_ISSUER_CHAIN * OE_CLAIM_SGX_PCK_CRL * OE_CLAIM_SGX_ROOT_CA_CRL * OE_CLAIM_SGX_CRL_ISSUER_CHAIN * OE_CLAIM_SGX_QE_ID_INFO * OE_CLAIM_SGX_QE_ID_ISSUER_CHAIN * The attestation functions in local_attestation/remote_attestation/attested_tls/host_verify samples now use attestation plugin APIs, defined in attestation/attester.h and attestation/verifier.h to generate and verify evidence. * oe_get_evidence() support for generation of SGX EPID evidences, in formats OE_FORMAT_UUID_SGX_EPID_LINKABLE and OE_FORMAT_UUID_SGX_EPID_UNLINKABLE. Changed * Rename the custom claims buffer added by oe_get_evidence from "custom_claims" to "custom_claims_buffer". Likewise, replace the OE_CLAIM_CUSTOM_CLAIMS definition for this name with OE_CLAIM_CUSTOM_CLAIMS_BUFFER. * Building SDK from source - HAS_QUOTE_PROVIDER cmake option has been removed. This is a continuation of the work in the previous release to allow the same build of OE SDK to run on both FLC and non-FLC machines. - Intel SGX EnclaveCommonAPI packages are no longer needed to build the SDK. - COMPILE_SYSTEM_EDL option has been removed. * oe_verify_attestation_certificate_with_evidence() can now verify certificates generated by oe_generate_attestation_certificate() as well as oe_get_attestation_certificate_with_evidence(). * The SGX attestation evidence internal structure has changed. The current structure (version 3) is not compatible with the previous version. Applications that call oe_get_evidence() or oe_verify_evidence() have to be rebuilt. * Some SGX attestation format IDs have been renamed: Old New OE_FORMAT_UUID_SGX_ECDSA_P256 OE_FORMAT_UUID_SGX_ECDSA OE_FORMAT_UUID_SGX_ECDSA_P256_REPORT OE_FORMAT_UUID_LEGACY_REPORT_REMOTE OE_FORMAT_UUID_SGX_ECDSA_P256_QUOTE OE_FORMAT_UUID_RAW_SGX_QUOTE_ECDSA Removed * Declaration of SGX format ID OE_FORMAT_UUID_SGX_ECDSA_P384 is removed. * oe_get_evidence() support of SGX legacy formats OE_FORMAT_UUID_SGX_ECDSA_P256_REPORT and OE_FORMAT_UUID_SGX_ECDSA_P256_QUOTE is removed. Security * Update mbedTLS to version 2.16.7. Refer to the 2.16.7 release notes<https://github.com/ARMmbed/mbedtls/releases/tag/v2.16.7> for the set of issues addressed. Thanks, Rahdika
|
|
|
|
Open Enclave SDK SIG-Attestation Meeting Series - Wed, 09/02/2020
#cal-notice
oesdk@lists.confidentialcomputing.io Calendar <noreply@...>
Open Enclave SDK SIG-Attestation Meeting Series When: Where: Organizer: Description:
Agenda and Minutes: https://hackmd.io/Xj6GpDSKSwuz5cZgQ0yg1A Meeting ID: 995 5293 2630 Dial by your location
|
|
|
|
Open Enclave SDK SIG-Attestation Meeting Series - Wed, 08/26/2020
#cal-notice
oesdk@lists.confidentialcomputing.io Calendar <noreply@...>
Open Enclave SDK SIG-Attestation Meeting Series When: Where: Organizer: Description:
Agenda and Minutes: https://hackmd.io/Xj6GpDSKSwuz5cZgQ0yg1A Meeting ID: 995 5293 2630 Dial by your location
|
|
|
|
Event: Sig-attestation Special Session - Wednesday, 26 August 2020
#cal-invite
oesdk@lists.confidentialcomputing.io Calendar <oesdk@...>
Sig-attestation Special Session When: Where: Organizer: radhikaj@... Description: Join Zoom Meeting
Agenda and Minutes: https://hackmd.io/Xj6GpDSKSwuz5cZgQ0yg1A Meeting ID: 995 5293 2630 Dial by your location
|
|
|
|
SIG-Attestation special session 8/26/2020 – 4:00 PM PST
Radhika Jandhyala
Hi,
This is a special session to discuss integrating SGX DCAP quote verification into OE SDK. Wednesday 8/26/2020 – 4:00 PM PST Join Zoom Meeting https://zoom.us/j/99552932630?pwd=d1NCR2FkS2gwY0w3Wm9aK096cXZzUT09 Agenda and Minutes: https://hackmd.io/Xj6GpDSKSwuz5cZgQ0yg1A Meeting ID: 995 5293 2630 Password: 010209 One tap mobile +12532158782,,99552932630#,,1#,010209# US (Tacoma) +13462487799,,99552932630#,,1#,010209# US (Houston) Dial by your location +1 253 215 8782 US (Tacoma) +1 346 248 7799 US (Houston) +1 669 900 6833 US (San Jose) +1 312 626 6799 US (Chicago) +1 929 205 6099 US (New York) +1 301 715 8592 US (Germantown) 877 853 5247 US Toll-free 888 788 0099 US Toll-free Meeting ID: 995 5293 2630 Password: 010209 Find your local number: https://zoom.us/u/au4r6sLy7 Thanks Radhika
|
|
|
|
Open Enclave SDK SIG-Attestation Meeting Series - Wed, 08/19/2020
#cal-notice
oesdk@lists.confidentialcomputing.io Calendar <noreply@...>
Open Enclave SDK SIG-Attestation Meeting Series When: Where: Organizer: Description:
Agenda and Minutes: https://hackmd.io/Xj6GpDSKSwuz5cZgQ0yg1A Meeting ID: 995 5293 2630 Dial by your location
|
|
|
|
Open Enclave SDK SIG-Attestation Meeting Series - Wed, 08/12/2020
#cal-notice
oesdk@lists.confidentialcomputing.io Calendar <noreply@...>
Open Enclave SDK SIG-Attestation Meeting Series When: Where: Organizer: Description:
Agenda and Minutes: https://hackmd.io/Xj6GpDSKSwuz5cZgQ0yg1A Meeting ID: 995 5293 2630 Dial by your location
|
|
|
|
Special session for Sig-Arch 08/12
Radhika Jandhyala
Hi Everybody,
We will have a special session to get through topics on which we would like to make progress. When: 08/12 Wednesday 9-10 AM PST The agenda is here: https://hackmd.io/@aeva/oesdk-sig-arch Join Zoom Meeting https://zoom.us/j/95309871627?pwd=K1RmbmZtUUowNFhRbWFZRVN4R2VmUT09 Meeting ID: 953 0987 1627 Password: 208079 One tap mobile +12532158782,,95309871627#,,1#,208079# US (Tacoma) +16699006833,,95309871627#,,1#,208079# US (San Jose) Dial by your location +1 253 215 8782 US (Tacoma) +1 669 900 6833 US (San Jose) +1 346 248 7799 US (Houston) +1 301 715 8592 US (Germantown) +1 312 626 6799 US (Chicago) +1 929 205 6099 US (New York) 888 788 0099 US Toll-free 877 853 5247 US Toll-free Meeting ID: 953 0987 1627 Password: 208079 Find your local number: https://zoom.us/u/abCkV8PQIw Thanks, Radhika
|
|
|
|
Event: OE SDK Sig-Arch Special session - Wednesday, 12 August 2020
#cal-invite
oesdk@lists.confidentialcomputing.io Calendar <oesdk@...>
OE SDK Sig-Arch Special session When: Where: Organizer: Radhika radhikaj@... Description: Hi Everybody, We decided we needed 1 more hour next week to go through topics in SIG-Arch.
When: The agenda is here: https://hackmd.io/@aeva/oesdk-sig-arch Join Zoom Meeting Meeting ID: 953 0987 1627 Dial by your location Thanks, Radhika
|
|
|
|
Open Enclave SDK SIG-Attestation Meeting Series - Wed, 08/05/2020
#cal-notice
oesdk@lists.confidentialcomputing.io Calendar <noreply@...>
Open Enclave SDK SIG-Attestation Meeting Series When: Where: Organizer: Description:
Agenda and Minutes: https://hackmd.io/Xj6GpDSKSwuz5cZgQ0yg1A Meeting ID: 995 5293 2630 Dial by your location
|
|
|
|
Open Enclave SDK SIG-Attestation Meeting Series - Wed, 07/29/2020
#cal-notice
oesdk@lists.confidentialcomputing.io Calendar <noreply@...>
Open Enclave SDK SIG-Attestation Meeting Series When: Where: Organizer: Description:
Agenda and Minutes: https://hackmd.io/Xj6GpDSKSwuz5cZgQ0yg1A Meeting ID: 995 5293 2630 Dial by your location
|
|
|
|
Event: OE SDK Sig-Arch special session - Wednesday, 29 July 2020
#cal-invite
oesdk@lists.confidentialcomputing.io Calendar <oesdk@...>
OE SDK Sig-Arch special session When: Where: Organizer: Radhika Jandhyala radhikaj@... Description: Hi Everybody, Today, we ran out of time and could not get to a topic related to DevEx for ocalls on the agenda and we would like to start making progress on this topic. When: The agenda is here: https://hackmd.io/@aeva/oesdk-sig-arch Join Zoom Meeting Meeting ID: 953 0987 1627 Dial by your location Thanks, Radhika
|
|
|
|
Special session for Sig-Arch tomorrow
Radhika Jandhyala
Hi Everybody,
Today, we ran out of time and could not get to a topic related to DevEx for ocalls on the agenda and we would like to start making progress on this topic. When: 7/29 Wednesday 9-10 AM PST The agenda is here: https://hackmd.io/@aeva/oesdk-sig-arch Join Zoom Meeting https://zoom.us/j/95309871627?pwd=K1RmbmZtUUowNFhRbWFZRVN4R2VmUT09 Meeting ID: 953 0987 1627 Password: 208079 One tap mobile +12532158782,,95309871627#,,1#,208079# US (Tacoma) +16699006833,,95309871627#,,1#,208079# US (San Jose) Dial by your location +1 253 215 8782 US (Tacoma) +1 669 900 6833 US (San Jose) +1 346 248 7799 US (Houston) +1 301 715 8592 US (Germantown) +1 312 626 6799 US (Chicago) +1 929 205 6099 US (New York) 888 788 0099 US Toll-free 877 853 5247 US Toll-free Meeting ID: 953 0987 1627 Password: 208079 Find your local number: https://zoom.us/u/abCkV8PQIw Thanks, Radhika
|
|
|
|
July 28th 9:00 AM - 11:00 AM PST Sig-Arch meeting
Radhika Jandhyala
Hi,
We will have a two hour SIG-arch meeting on July 28th. The zoom meeting details are the same as the regular SIG-Arch meeting that happens on Tuesdays. The agenda is here: https://hackmd.io/@aeva/oesdk-sig-arch. When: Tuesday, 28 July 2020 9:00am to 11:00am PST Join Zoom Meeting https://zoom.us/j/95309871627?pwd=K1RmbmZtUUowNFhRbWFZRVN4R2VmUT09 Meeting ID: 953 0987 1627 Password: 208079 One tap mobile +12532158782,,95309871627#,,1#,208079# US (Tacoma) +16699006833,,95309871627#,,1#,208079# US (San Jose) Dial by your location +1 253 215 8782 US (Tacoma) +1 669 900 6833 US (San Jose) +1 346 248 7799 US (Houston) +1 301 715 8592 US (Germantown) +1 312 626 6799 US (Chicago) +1 929 205 6099 US (New York) 888 788 0099 US Toll-free 877 853 5247 US Toll-free Meeting ID: 953 0987 1627 Password: 208079 Find your local number: https://zoom.us/u/abCkV8PQIw Thanks, Radhika
|
|
|
|
Event: 2 Hour Sig-Arch Meeting - Tuesday, 28 July 2020
#cal-invite
oesdk@lists.confidentialcomputing.io Calendar <oesdk@...>
2 Hour Sig-Arch Meeting When: Where: Organizer: Radhika radhikaj@... Description: Just for July 28th, making the SIG-Arch meeting two hours long. Please note that the zoom link and details are the same as the regularly recurring SIG-Arch meeting that takes place on Tuesdays at 10:00 AM. On July 28th, the meeting will start at 9:00 AM and finish at 11:00 AM. Meeting ID: 953 0987 1627 Dial by your location
|
|
|
|
Open Enclave SDK SIG-Attestation Meeting Series - Wed, 07/22/2020
#cal-notice
oesdk@lists.confidentialcomputing.io Calendar <noreply@...>
Open Enclave SDK SIG-Attestation Meeting Series When: Where: Organizer: Description:
Agenda and Minutes: https://hackmd.io/Xj6GpDSKSwuz5cZgQ0yg1A Meeting ID: 995 5293 2630 Dial by your location
|
|
|
|
Re: Open Enclave SDK v0.10.0 Release
Radhika Jandhyala
Hello everyone,
The 0.10.0 version of the Open Enclave SDK has been released. You can find the release page for v0.10.0 in the link below, where you can download the packages/sources and find the changelog: https://github.com/openenclave/openenclave/releases/tag/v0.10.0 For the Ubuntu 16.04 and 18.04 packages: they will be published to the production packages.microsoft.com APT repo (for each distro) later this week. For the Windows NuGet packages: They will be on nuget.org later this week, but for now you can download the NuGet packages available in the "Assets" field in release link above. Thank you so much to everyone in helping us drive and deliver this release! Please use our GitHub repo to report any issues that you may come across in your use of the SDK! Thanks, Radhika From: Radhika Jandhyala Sent: Wednesday, July 15, 2020 5:28 PM To: oesdk@... Subject: Open Enclave SDK v0.10.0 Release Hi, Open Enclave version 0.10.0 will soon be published, and we want to send out some release candidate packages (for Windows Server 2016 and 2019, Ubuntu 16.04/18.04) for pre-release testing. You can find the release candidate packages on GitHub below under the v0.10.0-rc1 tag: https://github.com/openenclave/openenclave/releases<https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Fgithub.com%2Fopenenclave%2Fopenenclave%2Freleases&data=02%7C01%7Cradhikaj%40microsoft.com%7C9b906ec7b73c4fa7da1808d7a0826790%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C637154354265332253&sdata=e0DQ36Qk5d2DJ3DrkM0ZjYzzPODpk8%2BjfpqD3tja1Ls%3D&reserved=0> Please test these packages and let us know if you come across any issues. Thank you so much for your help! To the Committers of the OE SDK: Please let us know if we have missed anything in the release notes. We should update our CHANGELOG if so. Thank you so much to everyone in helping us drive and deliver this release! Please use our GitHub repo to report any issues that you may come across in your use of the SDK! Release notes: ----------------- Added * Added oe_sgx_get_signer_id_from_public_key() function which helps a verifier of SGX reports extract the expected MRSIGNER value from the signer's public key PEM certificate. * OE SDK can now be built and run in simulation mode on a non SGX x64 Windows machine by passing HAS_QUOTE_PROVIDER=off. Previously, the build would work, but running applications would fail due to missing sgx_enclave_common.dll. * OE SDK can now be installed from published packages on SGX machines without FLC, and non-SGX machines. Previously, OE SDK could only be installed on SGX1 FLC machines due to a link-time dependency on sgx_dcap_ql which was available only on SGX1 FLC machines. * oesign tool supports the new digest command and options for 2-step signing using the digest<https://github.com/openenclave/openenclave/blob/v0.10.0-rc1/docs/DesignDocs/oesign_digest_signing_support.md>. * Oeedger8r now supports the --use-prefix feature. * Oeedger8r now supports a subset of C-style preprocessor directives (#ifdef, #ifndef, #else, #endif). * The default memory allocator (dlmalloc) can be replaced by providing replacement functions. This ability to plug-in a custom allocator is most applicable for multi-threaded enclaves with memory allocation patterns where the default memory allocator may not be performant. See Pluggable Allocators<https://github.com/openenclave/openenclave/blob/v0.10.0-rc1/docs/DesignDocs/Pluggableallocators.md>. * snmalloc is available as a pluggable allocator library oesnmalloc. An enclave can use snmalloc instead of dlmalloc by specifying liboesnmalloc.a before liboelibc.a and liboecore.a in the linker line. * Added pluggable_allocator sample. * Gcov is used to obtain code coverage information for the SDK. See Code Coverage<https://github.com/openenclave/openenclave/blob/v0.10.0-rc1/docs/GettingStartedDocs/Contributors/CodeCoverage.md>. * Added include\openenclave\attestation\attester.h to support attestation plug-in model attester scenarios. * Added include\openenclave\attestation\verifier.h to support attestation plug-in model verifier scenarios. Changed * COMPILE_SYSTEM_EDL is now OFF by default, meaning system EDL must be imported by application EDL. See system EDL opt-in document<https://github.com/openenclave/openenclave/blob/v0.10.0-rc1/docs/DesignDocs/system_ocall_opt_in.md#how-to-port-your-application> for more information. * Note: SDK users would need to import logging.edl to enable logging. Logging is disabled by default. * See System edls<https://github.com/openenclave/openenclave/blob/v0.10.0-rc1/docs/SystemEdls.md> for list of all edls and associated OCalls. * A known issue is that different enclaves importing functions from System EDLs cannot be loaded by the same host app unless all of the functions were imported with exactly the same ordinals. See #3250<https://github.com/openenclave/openenclave/issues/3250> for details. This will be addressed in the next release based on design proposal #3086<https://github.com/openenclave/openenclave/pull/3086>. * A workaround for this issue in the meantime is to define a standard import EDL for any enclaves that need to be loaded into the same host app. Ensuring this shared EDL is then the first import in each enclave's EDL will result in the common imports being assigned the same ordinals in each resulting enclave. * Mark APIs in include/openenclave/attestation/sgx/attester.h and verifier.h as experimental. * Remove CRL_ISSUER_CHAIN_PCK_PROC_CA field from endorsement struct define in include/openenclave/bits/attestation.h. * Switch to oeedger8r written in C++. * Fix #3143<https://github.com/openenclave/openenclave/issues/3143>. oesign tool will now reject .conf files that contain duplicate property definitions. * SGX Simulation Mode does not need SGX libraries to be present in the system. * oehost library dynamically loads sgx_dcap_ql shared library instead of linking against it. This allows the SDK to be installed on non-FLC and non-SGX machines. * Fix #3134<https://github.com/openenclave/openenclave/issues/3134>. ParseSGXExtensions will now correctly parse the SGX extensions for PCK Certificates defined in SGX spec<https://download.01.org/intel-sgx/latest/dcap-latest/linux/docs/Intel_SGX_PCK_Certificate_CRL_Spec-1.4.pdf>. * oesign dump command now also displays the MRSIGNER value of an SGX enclave signature if it exists. * The Deep-copy feature of oeedger8r is now enabled by default. * The oeedger8r-generated header files now contain only the function prototypes. Marshalling structs, function id enums, and function tables are generated only in the c files. * Docs and scripts updated to use Azure DCAP client v1.6.0. * Fix #2930<https://github.com/openenclave/openenclave/issues/2930>. Fixes the logic of detecting compilers when LVI mitigation is enabled. That is, the old logic always picks clang-7 (if installed) regardless of whether the environment variable CC is set to gcc. * Fix #2670<https://github.com/openenclave/openenclave/issues/2670>. This fix also allows users to specify the version of clang (default is clang-7) when building the helloworld sample with LVI mitigation. * Fix #3056<https://github.com/openenclave/openenclave/issues/3056>. oe_is_within_enclave() and oe_is_outside_enclave() now reflect the SGX enclave boundary as determined by the enclave SECS rather than the limit of the pages initially provisioned in to the enclave. * If not specified, CMAKE_BUILD_TYPE is set to Debug. This ensures that cmake and cmake -DCMAKE_BUILD_TYPE=Debug result in the same build configuration. * Moved include/openenclave/attestation/plugin.h to internal. Currently only support internal attestation plugin registration. * Parameter flags is removed from experimental function oe_get_evidence(). Use 'evidence_format' parameter to select evidence format. Removed * Removed oehostapp and the appendent "-rdynamic" compiling option. Please use oehost instead and add the option back manually if necessary. * Removed dependencies on nodejs and esy, which were previously used to build Ocaml compiler and oeedger8r. Security * Fix ABI poisoning vulnerability for x87 FPU operations in enclaves<https://github.com/openenclave/openenclave/security/advisories/GHSA-7wjx-wcwg-w999>. Thanks, Radhika
|
|
|
|
Open Enclave SDK v0.10.0 Release
Radhika Jandhyala
Hi,
Open Enclave version 0.10.0 will soon be published, and we want to send out some release candidate packages (for Windows Server 2016 and 2019, Ubuntu 16.04/18.04) for pre-release testing. You can find the release candidate packages on GitHub below under the v0.10.0-rc1 tag: https://github.com/openenclave/openenclave/releases<https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Fgithub.com%2Fopenenclave%2Fopenenclave%2Freleases&data=02%7C01%7Cradhikaj%40microsoft.com%7C9b906ec7b73c4fa7da1808d7a0826790%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C637154354265332253&sdata=e0DQ36Qk5d2DJ3DrkM0ZjYzzPODpk8%2BjfpqD3tja1Ls%3D&reserved=0> Please test these packages and let us know if you come across any issues. Thank you so much for your help! To the Committers of the OE SDK: Please let us know if we have missed anything in the release notes. We should update our CHANGELOG if so. Thank you so much to everyone in helping us drive and deliver this release! Please use our GitHub repo to report any issues that you may come across in your use of the SDK! Release notes: ----------------- Added * Added oe_sgx_get_signer_id_from_public_key() function which helps a verifier of SGX reports extract the expected MRSIGNER value from the signer's public key PEM certificate. * OE SDK can now be built and run in simulation mode on a non SGX x64 Windows machine by passing HAS_QUOTE_PROVIDER=off. Previously, the build would work, but running applications would fail due to missing sgx_enclave_common.dll. * OE SDK can now be installed from published packages on SGX machines without FLC, and non-SGX machines. Previously, OE SDK could only be installed on SGX1 FLC machines due to a link-time dependency on sgx_dcap_ql which was available only on SGX1 FLC machines. * oesign tool supports the new digest command and options for 2-step signing using the digest<https://github.com/openenclave/openenclave/blob/v0.10.0-rc1/docs/DesignDocs/oesign_digest_signing_support.md>. * Oeedger8r now supports the --use-prefix feature. * Oeedger8r now supports a subset of C-style preprocessor directives (#ifdef, #ifndef, #else, #endif). * The default memory allocator (dlmalloc) can be replaced by providing replacement functions. This ability to plug-in a custom allocator is most applicable for multi-threaded enclaves with memory allocation patterns where the default memory allocator may not be performant. See Pluggable Allocators<https://github.com/openenclave/openenclave/blob/v0.10.0-rc1/docs/DesignDocs/Pluggableallocators.md>. * snmalloc is available as a pluggable allocator library oesnmalloc. An enclave can use snmalloc instead of dlmalloc by specifying liboesnmalloc.a before liboelibc.a and liboecore.a in the linker line. * Added pluggable_allocator sample. * Gcov is used to obtain code coverage information for the SDK. See Code Coverage<https://github.com/openenclave/openenclave/blob/v0.10.0-rc1/docs/GettingStartedDocs/Contributors/CodeCoverage.md>. * Added include\openenclave\attestation\attester.h to support attestation plug-in model attester scenarios. * Added include\openenclave\attestation\verifier.h to support attestation plug-in model verifier scenarios. Changed * COMPILE_SYSTEM_EDL is now OFF by default, meaning system EDL must be imported by application EDL. See system EDL opt-in document<https://github.com/openenclave/openenclave/blob/v0.10.0-rc1/docs/DesignDocs/system_ocall_opt_in.md#how-to-port-your-application> for more information. * Note: SDK users would need to import logging.edl to enable logging. Logging is disabled by default. * See System edls<https://github.com/openenclave/openenclave/blob/v0.10.0-rc1/docs/SystemEdls.md> for list of all edls and associated OCalls. * A known issue is that different enclaves importing functions from System EDLs cannot be loaded by the same host app unless all of the functions were imported with exactly the same ordinals. See #3250<https://github.com/openenclave/openenclave/issues/3250> for details. This will be addressed in the next release based on design proposal #3086<https://github.com/openenclave/openenclave/pull/3086>. * A workaround for this issue in the meantime is to define a standard import EDL for any enclaves that need to be loaded into the same host app. Ensuring this shared EDL is then the first import in each enclave's EDL will result in the common imports being assigned the same ordinals in each resulting enclave. * Mark APIs in include/openenclave/attestation/sgx/attester.h and verifier.h as experimental. * Remove CRL_ISSUER_CHAIN_PCK_PROC_CA field from endorsement struct define in include/openenclave/bits/attestation.h. * Switch to oeedger8r written in C++. * Fix #3143<https://github.com/openenclave/openenclave/issues/3143>. oesign tool will now reject .conf files that contain duplicate property definitions. * SGX Simulation Mode does not need SGX libraries to be present in the system. * oehost library dynamically loads sgx_dcap_ql shared library instead of linking against it. This allows the SDK to be installed on non-FLC and non-SGX machines. * Fix #3134<https://github.com/openenclave/openenclave/issues/3134>. ParseSGXExtensions will now correctly parse the SGX extensions for PCK Certificates defined in SGX spec<https://download.01.org/intel-sgx/latest/dcap-latest/linux/docs/Intel_SGX_PCK_Certificate_CRL_Spec-1.4.pdf>. * oesign dump command now also displays the MRSIGNER value of an SGX enclave signature if it exists. * The Deep-copy feature of oeedger8r is now enabled by default. * The oeedger8r-generated header files now contain only the function prototypes. Marshalling structs, function id enums, and function tables are generated only in the c files. * Docs and scripts updated to use Azure DCAP client v1.6.0. * Fix #2930<https://github.com/openenclave/openenclave/issues/2930>. Fixes the logic of detecting compilers when LVI mitigation is enabled. That is, the old logic always picks clang-7 (if installed) regardless of whether the environment variable CC is set to gcc. * Fix #2670<https://github.com/openenclave/openenclave/issues/2670>. This fix also allows users to specify the version of clang (default is clang-7) when building the helloworld sample with LVI mitigation. * Fix #3056<https://github.com/openenclave/openenclave/issues/3056>. oe_is_within_enclave() and oe_is_outside_enclave() now reflect the SGX enclave boundary as determined by the enclave SECS rather than the limit of the pages initially provisioned in to the enclave. * If not specified, CMAKE_BUILD_TYPE is set to Debug. This ensures that cmake and cmake -DCMAKE_BUILD_TYPE=Debug result in the same build configuration. * Moved include/openenclave/attestation/plugin.h to internal. Currently only support internal attestation plugin registration. * Parameter flags is removed from experimental function oe_get_evidence(). Use 'evidence_format' parameter to select evidence format. Removed * Removed oehostapp and the appendent "-rdynamic" compiling option. Please use oehost instead and add the option back manually if necessary. * Removed dependencies on nodejs and esy, which were previously used to build Ocaml compiler and oeedger8r. Security * Fix ABI poisoning vulnerability for x87 FPU operations in enclaves<https://github.com/openenclave/openenclave/security/advisories/GHSA-7wjx-wcwg-w999>. Thanks, Radhika
|
|
|
|
Open Enclave SDK SIG-Attestation Meeting Series - Wed, 07/15/2020
#cal-notice
oesdk@lists.confidentialcomputing.io Calendar <noreply@...>
Open Enclave SDK SIG-Attestation Meeting Series When: Where: Organizer: Description:
Agenda and Minutes: https://hackmd.io/Xj6GpDSKSwuz5cZgQ0yg1A Meeting ID: 995 5293 2630 Dial by your location
|
|
|