Hello Everyone,

The 0.18.0 version of the Open Enclave SDK has been released.

You can find the release page for v0.18.0 at https://github.com/openenclave/openenclave/releases, where you can download the packages/sources and find the changelog.

The Ubuntu packages are available to download from packages.microsoft.com APT repo.

The Windows NuGet packages are on nuget.org.

Thank you so much to everyone in helping us drive and deliver this release! Please use our GitHub repo to report any issues that you may come across in your use of the SDK!

Release notes

0.18.0<https://github.com/openenclave/openenclave/releases/tag/v0.18.0>
Pre-release
Added

* oeapkman is a Linux tool for installing and using Alpine Linux static libraries within enclaves.
* The command oeapkman add package can be used to install the specified package.
Typically -static and -dev (e.g.: sqlite-static, sqlite-dev) packages need to be installed.
* The command oeapkman root prints out the path to the Alpine Linux distribution maintained by oeapkman.
The root path is useful for providing paths to header files and static libraries to the compiler and linker respectively.
* The command oeapkman exec can be used to execute commands within the Alpine Linux environment.
For example, after executing oeapkman add clang build-base cmake to install development tools,
running oeapkman exec clang -c file.c would compile file.c in current folder using the clang compiler that
has been installed in the Alpine Linux environment. oeapkman exec bash would launch a bash shell in the current folder.
* The --optee prefix can be applied to the commands to target OP-TEE.
oeapkman --optee add sqlite-static installs aarch64 sqlite static library.
oeapkman --optee exec gcc -c file.c cross-compile file.c to target OP-TEE.
* See samples/apkman<https://github.com/openenclave/openenclave/blob/v0.18.0/samples/apkman> for a complete example demonstrating use of the sqlite database library within enclaves.
* Support for compiler-rt. oelibc includes LLVM's compiler-rt-10.0.1.
* Update logging function setup API name for SGX Quote Provider plugin to sgx_ql_set_logging_callback and mark API name sgx_ql_set_logging_function as deprecated.
* Add new policy type OE_POLICY_ENDORSEMENTS_BASELINE for oe_verify_evidence API to pass additional parameters to QVL for more advanced quote validation.
* The CapturePFGPExceptions preference is now supported in SGX1 debug mode on Linux.
* When setting CapturePFGPExceptions=1, OE will simulate all the SIGSEGV as #PF by forwarding the host information (faulting address) to in-enclave exception handlers.
* Note that this feature is for debug only and there is no guarantee that the simulated behavior works the same as the hardware feature in SGX2.
* Added the support of using vDSO interfaces for SGX enclaves on Linux to enable synchronous exception handling. The oehost library automatically opts into the vDSO interface when it is available (Linux kernel 5.11+).

Changed

* Updated libcxx to version 10.0.1
* Updated the mbedTLS from 2.16 LTS to 2.28 LTS
* Updated the SymCrypt-OpenSSL to v1.1.0
* Updated the support of the SymCrypt module to v101.3.0

Security

* This release contains mitigations for CVE-2022-21166 described in INTEL-SA-00615<https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00615.html>. Please refer to the security advisory<https://github.com/openenclave/openenclave/security/advisories/GHSA-wm9w-8857-8fgj> for more details and the developer guide<https://github.com/openenclave/openenclave/blob/master/docs/GettingStartedDocs/SecurityGuideForMMIOVulnerabilities.md> for mitigating the vulnerability.
* Updated openssl to version 1.1.1o. Please refer to release notes<https://www.openssl.org/news/openssl-1.1.1-notes.html> to find CVEs addressed by this version.

Packages this release was tested against

On Ubuntu 18.04: DCAP: 1.13.100.4-bionic1 PSW: 2.16.100.4-bionic1 SGXDriver: 1.33.2
On Ubuntu 20.04: DCAP: 1.13.100.4-focal1 PSW: 2.16.100.4-focal1 SGXDriver: 1.41
On Windows Server 2019: DCAP: 1.13.100.4 PSW: 2.15.100.4
Note: We will be testing with the latest Intel packages in the next couple of days and updating this section


Thanks,
Radhika