Open Enclave SDK v0.10.0 Release


Radhika Jandhyala
 

Hi,

Open Enclave version 0.10.0 will soon be published, and we want to send out some release candidate packages (for Windows Server 2016 and 2019, Ubuntu 16.04/18.04) for pre-release testing. You can find the release candidate packages on GitHub below under the v0.10.0-rc1 tag:

https://github.com/openenclave/openenclave/releases

Please test these packages and let us know if you come across any issues. Thank you so much for your help!

To the Committers of the OE SDK: Please let us know if we have missed anything in the release notes. We should update our CHANGELOG if so.

Thank you so much to everyone for helping us drive and deliver this release! Please use our GitHub repo to report any issues that you may come across in your use of the SDK!

Release notes:
-----------------
Added

* Added oe_sgx_get_signer_id_from_public_key() function which helps a verifier of SGX reports extract the expected MRSIGNER value from the signer's public key PEM certificate.
* OE SDK can now be built and run in simulation mode on a non-SGX x64 Windows machine by passing HAS_QUOTE_PROVIDER=off. Previously, the build would work, but running applications would fail due to missing sgx_enclave_common.dll.
* OE SDK can now be installed from published packages on SGX machines without FLC, and non-SGX machines. Previously, OE SDK could only be installed on SGX1 FLC machines due to a link-time dependency on sgx_dcap_ql which was available only on SGX1 FLC machines.
* oesign tool supports the new digest command and options for 2-step signing using the digest<https://github.com/openenclave/openenclave/blob/v0.10.0-rc1/docs/DesignDocs/oesign_digest_signing_support.md>.
* Oeedger8r now supports the --use-prefix feature.
* Oeedger8r now supports a subset of C-style preprocessor directives (#ifdef, #ifndef, #else, #endif).
* The default memory allocator (dlmalloc) can be replaced by providing replacement functions. This ability to plug in a custom allocator is most applicable for multi-threaded enclaves with memory allocation patterns where the default memory allocator may not be performant. See Pluggable Allocators<https://github.com/openenclave/openenclave/blob/v0.10.0-rc1/docs/DesignDocs/Pluggableallocators.md>.
* snmalloc is available as a pluggable allocator library oesnmalloc. An enclave can use snmalloc instead of dlmalloc by specifying liboesnmalloc.a before liboelibc.a and liboecore.a in the linker line.
* Added pluggable_allocator sample.
* Gcov is used to obtain code coverage information for the SDK. See Code Coverage<https://github.com/openenclave/openenclave/blob/v0.10.0-rc1/docs/GettingStartedDocs/Contributors/CodeCoverage.md>.
* Added include\openenclave\attestation\attester.h to support attestation plug-in model attester scenarios.
* Added include\openenclave\attestation\verifier.h to support attestation plug-in model verifier scenarios.

Changed

* COMPILE_SYSTEM_EDL is now OFF by default, meaning system EDL must be imported by application EDL. See system EDL opt-in document<https://github.com/openenclave/openenclave/blob/v0.10.0-rc1/docs/DesignDocs/system_ocall_opt_in.md#how-to-port-your-application> for more information.
  * Note: SDK users would need to import logging.edl to enable logging. Logging is disabled by default.
  * See System edls<https://github.com/openenclave/openenclave/blob/v0.10.0-rc1/docs/SystemEdls.md> for list of all edls and associated OCalls.
  * A known issue is that different enclaves importing functions from System EDLs cannot be loaded by the same host app unless all of the functions were imported with exactly the same ordinals. See #3250<https://github.com/openenclave/openenclave/issues/3250> for details. This will be addressed in the next release based on design proposal #3086<https://github.com/openenclave/openenclave/pull/3086>.
    * A workaround for this issue in the meantime is to define a standard import EDL for any enclaves that need to be loaded into the same host app. Ensuring this shared EDL is then the first import in each enclave's EDL will result in the common imports being assigned the same ordinals in each resulting enclave.
* Mark APIs in include/openenclave/attestation/sgx/attester.h and verifier.h as experimental.
* Remove CRL_ISSUER_CHAIN_PCK_PROC_CA field from endorsement struct defined in include/openenclave/bits/attestation.h.
* Switch to oeedger8r written in C++.
* Fix #3143<https://github.com/openenclave/openenclave/issues/3143>. oesign tool will now reject .conf files that contain duplicate property definitions.
* SGX Simulation Mode does not need SGX libraries to be present in the system.
* oehost library dynamically loads sgx_dcap_ql shared library instead of linking against it. This allows the SDK to be installed on non-FLC and non-SGX machines.
* Fix #3134<https://github.com/openenclave/openenclave/issues/3134>. ParseSGXExtensions will now correctly parse the SGX extensions for PCK Certificates defined in SGX spec<https://download.01.org/intel-sgx/latest/dcap-latest/linux/docs/Intel_SGX_PCK_Certificate_CRL_Spec-1.4.pdf>.
* oesign dump command now also displays the MRSIGNER value of an SGX enclave signature if it exists.
* The Deep-copy feature of oeedger8r is now enabled by default.
* The oeedger8r-generated header files now contain only the function prototypes. Marshalling structs, function id enums, and function tables are generated only in the c files.
* Docs and scripts updated to use Azure DCAP client v1.6.0.
* Fix #2930<https://github.com/openenclave/openenclave/issues/2930>. Fixes the logic of detecting compilers when LVI mitigation is enabled. That is, the old logic always picks clang-7 (if installed) regardless of whether the environment variable CC is set to gcc.
* Fix #2670<https://github.com/openenclave/openenclave/issues/2670>. This fix also allows users to specify the version of clang (default is clang-7) when building the helloworld sample with LVI mitigation.
* Fix #3056<https://github.com/openenclave/openenclave/issues/3056>. oe_is_within_enclave() and oe_is_outside_enclave() now reflect the SGX enclave boundary as determined by the enclave SECS rather than the limit of the pages initially provisioned into the enclave.
* If not specified, CMAKE_BUILD_TYPE is set to Debug. This ensures that cmake and cmake -DCMAKE_BUILD_TYPE=Debug result in the same build configuration.
* Moved include/openenclave/attestation/plugin.h to internal. Currently, only internal attestation plugin registration is supported.
* Parameter flags is removed from experimental function oe_get_evidence(). Use 'evidence_format' parameter to select evidence format.

Removed

* Removed oehostapp and the appendent "-rdynamic" compiling option. Please use oehost instead and add the option back manually if necessary.
* Removed dependencies on nodejs and esy, which were previously used to build OCaml compiler and oeedger8r.

Security

* Fix ABI poisoning vulnerability for x87 FPU operations in enclaves<https://github.com/openenclave/openenclave/security/advisories/GHSA-7wjx-wcwg-w999>.

Thanks,
Radhika
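
Added example (not part of the original message or of the Open Enclave project's code): a small Python lint for the System EDL workaround described under "Changed" above, reporting any enclave EDL whose first import is not the shared import EDL. The file names common_imports.edl, enclave_a.edl and enclave_b.edl and the sample EDL text are constructed, and the include path used for logging.edl is an assumption.

```python
import re

# Matches either `from "x.edl" import ...` or `import "x.edl"`.
_IMPORT = re.compile(r'\bfrom\s+"([^"]+)"\s+import\b|\bimport\s+"([^"]+)"')
# EDL uses C-style comments; strip them so commented-out imports are ignored.
_COMMENT = re.compile(r'/\*.*?\*/|//[^\n]*', re.S)


def first_import(edl_text):
    """Return the path named by the first EDL import, or None if there is none."""
    m = _IMPORT.search(_COMMENT.sub("", edl_text))
    return (m.group(1) or m.group(2)) if m else None


def enclaves_breaking_workaround(edls, shared):
    """Names of EDL files (other than `shared`) whose first import is not `shared`."""
    return sorted(name for name, text in edls.items()
                  if name != shared and first_import(text) != shared)


# Constructed sample input. All file names are hypothetical; the
# "openenclave/edl/" include path for logging.edl is an assumption.
SAMPLE = {
    "common_imports.edl": '''
enclave {
    from "openenclave/edl/logging.edl" import *;
};
''',
    "enclave_a.edl": '''
enclave {
    // Shared system imports come first, so ordinals match across enclaves.
    from "common_imports.edl" import *;
    trusted { public int a_run(void); };
};
''',
    "enclave_b.edl": '''
enclave {
    /* from "common_imports.edl" import *; */
    from "openenclave/edl/logging.edl" import *;
    from "common_imports.edl" import *;
    trusted { public int b_run(void); };
};
''',
}

if __name__ == "__main__":
    for name in enclaves_breaking_workaround(SAMPLE, "common_imports.edl"):
        print(f"{name}: first import is {first_import(SAMPLE[name])!r}")
```

Run over the EDL files of every enclave that one host app loads, a non-empty result marks the enclaves to reorder before building.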


Radhika Jandhyala
 

Hello everyone,

The 0.10.0 version of the Open Enclave SDK has been released.

You can find the release page for v0.10.0 in the link below, where you can download the packages/sources and find the changelog:

https://github.com/openenclave/openenclave/releases/tag/v0.10.0

For the Ubuntu 16.04 and 18.04 packages: they will be published to the production packages.microsoft.com APT repo (for each distro) later this week.

For the Windows NuGet packages: They will be on nuget.org later this week, but for now you can download the NuGet packages available in the "Assets" field in the release link above.

Thank you so much to everyone for helping us drive and deliver this release! Please use our GitHub repo to report any issues that you may come across in your use of the SDK!

Thanks,
Radhika


From: Radhika Jandhyala
Sent: Wednesday, July 15, 2020 5:28 PM
To: oesdk@...
Subject: Open Enclave SDK v0.10.0 Release
