OpenEnclave SDK v0.12.0 Release


Radhika Jandhyala
 

Hi,


Open Enclave version 0.12.0 will soon be published, and we want to send out some release candidate packages (for Windows Server 2016 and 2019, Ubuntu 16.04/18.04) for pre-release testing. You can find the release candidate packages on GitHub below under the v0.12.0-rc1 tag:

https://github.com/openenclave/openenclave/releases<https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Fgithub.com%2Fopenenclave%2Fopenenclave%2Freleases&data=02%7C01%7Cradhikaj%40microsoft.com%7C9b906ec7b73c4fa7da1808d7a0826790%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C637154354265332253&sdata=e0DQ36Qk5d2DJ3DrkM0ZjYzzPODpk8%2BjfpqD3tja1Ls%3D&reserved=0>

Please test these packages and let us know if you come across any issues. Thank you so much for your help!

To the Committers of the OE SDK: Please let us know if we have missed anything in the release notes. We should update our CHANGELOG if so.

Thank you so much to everyone in helping us drive and deliver this release! Please use our GitHub repo to report any issues that you may come across in your use of the SDK!


Release Notes

Added

* Initial implementation of the Malloc Info API<https://github.com/openenclave/openenclave/blob/v0.12.0-rc1/docs/DesignDocs/Mallinfo.md> for dlmalloc (default allocator), and snmalloc.
* Added missing attribute validations to oeedger8r C++ implementation.
* Added new API oe_log_message. See design doc<https://github.com/openenclave/openenclave/blob/v0.12.0-rc1/docs/DesignDocs/oe_log_message()_callback_proposal.md> and sample<https://github.com/openenclave/openenclave/blob/v0.12.0-rc1/samples/log_callback/README.md>.

Changed

* Fixed #3543<https://github.com/openenclave/openenclave/issues/3543>, updated openenclaverc file and documents on Windows to avoid overwriting CMAKE_PREFIX_PATH.
* The local and remote attestation samples are merged into a single sample<https://github.com/openenclave/openenclave/blob/v0.12.0-rc1/samples/attestation/README.md>.
* Disabled a set of OpenSSL APIs/macros that are considered as unsafe based on OE's threat model.
More specifically, those APIs allow users to configure an OpenSSL application to read certificates from the host filesystem, which is not trusted, and therefore not recommended for use in enclaves. OpenSSLSupport.md<https://github.com/openenclave/openenclave/blob/v0.12.0-rc1/docs/OpenSSLSupport.md> has been updated to reflect the changes.

Deprecated

* The Open Enclave SDK will be dropping support for Ubuntu 16.04 after Dec 2020.
Developers and partners using Ubuntu 16.04 will need to move to using Ubuntu 18.04 by then.
#3625<https://github.com/openenclave/openenclave/issues/3625> tracks this.
* The Open Enclave SDK will be dropping support for WS2016 after Dec 2020.
Developers and partners using WS2016 will need to move to using WS2019 by then.
#3539<https://github.com/openenclave/openenclave/issues/3539> tracks this.
* The Open Enclave SDK is deprecating support for gcc while building the SDK from source after Dec 2020.
The recommended compiler while building the SDK from source is Clang.
#3555<https://github.com/openenclave/openenclave/issues/3555> tracks this.

Security

* Security fixes in oeedger8r
* Fix TOCTOU vulnerability in NULL terminator checks for ocall in/out string parameters.
* Count/size properties in deep-copied in/out structs are treated as read-only to prevent the host
from changing corrupting enclave memory by changing these properties.
* Fixed Socket syscalls can leak enclave memory contents<https://github.com/openenclave/openenclave/security/advisories/GHSA-525h-wxcc-f66m> (CVE-2020-15224).

Known issues

* In the open-enclave-hostverify package, the host-verify sample cannot be built with cmake. Use make to build it on Linux. On Windows, it cannot be built currently. #3300<https://github.com/openenclave/openenclave/issues/3300> tracks issues related to the host-verify sample.



Thanks,
Rahdika


Radhika Jandhyala
 

Hi,

We have RC2 packages in v0.12.0-rc2 tag:
https://github.com/openenclave/openenclave/releases<https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Fgithub.com%2Fopenenclave%2Fopenenclave%2Freleases&data=02%7C01%7Cradhikaj%40microsoft.com%7C9b906ec7b73c4fa7da1808d7a0826790%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C637154354265332253&sdata=e0DQ36Qk5d2DJ3DrkM0ZjYzzPODpk8%2BjfpqD3tja1Ls%3D&reserved=0>


The changes from the RC1 packages are:
- Added APIs and a library for developers to detect leaks in enclaves. See design doc( https://github.com/openenclave/openenclave/blob/master/docs/DesignDocs/Enabledebugmalloc.md) and sample( https://github.com/openenclave/openenclave/tree/master/samples/debugmalloc).
-Windows prereqs script updated to use Intel PSW 2.10.100.2.

Thanks,
Radhika

From: Radhika Jandhyala
Sent: Monday, October 12, 2020 10:13 PM
To: oesdk@lists.confidentialcomputing.io
Subject: OpenEnclave SDK v0.12.0 Release

Hi,


Open Enclave version 0.12.0 will soon be published, and we want to send out some release candidate packages (for Windows Server 2016 and 2019, Ubuntu 16.04/18.04) for pre-release testing. You can find the release candidate packages on GitHub below under the v0.12.0-rc1 tag:

https://github.com/openenclave/openenclave/releases<https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Fgithub.com%2Fopenenclave%2Fopenenclave%2Freleases&data=02%7C01%7Cradhikaj%40microsoft.com%7C9b906ec7b73c4fa7da1808d7a0826790%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C637154354265332253&sdata=e0DQ36Qk5d2DJ3DrkM0ZjYzzPODpk8%2BjfpqD3tja1Ls%3D&reserved=0>

Please test these packages and let us know if you come across any issues. Thank you so much for your help!

To the Committers of the OE SDK: Please let us know if we have missed anything in the release notes. We should update our CHANGELOG if so.

Thank you so much to everyone in helping us drive and deliver this release! Please use our GitHub repo to report any issues that you may come across in your use of the SDK!


Release Notes

Added

* Initial implementation of the Malloc Info API<https://github.com/openenclave/openenclave/blob/v0.12.0-rc1/docs/DesignDocs/Mallinfo.md> for dlmalloc (default allocator), and snmalloc.
* Added missing attribute validations to oeedger8r C++ implementation.
* Added new API oe_log_message. See design doc<https://github.com/openenclave/openenclave/blob/v0.12.0-rc1/docs/DesignDocs/oe_log_message()_callback_proposal.md> and sample<https://github.com/openenclave/openenclave/blob/v0.12.0-rc1/samples/log_callback/README.md>.

Changed

* Fixed #3543<https://github.com/openenclave/openenclave/issues/3543>, updated openenclaverc file and documents on Windows to avoid overwriting CMAKE_PREFIX_PATH.
* The local and remote attestation samples are merged into a single sample<https://github.com/openenclave/openenclave/blob/v0.12.0-rc1/samples/attestation/README.md>.
* Disabled a set of OpenSSL APIs/macros that are considered as unsafe based on OE's threat model.
More specifically, those APIs allow users to configure an OpenSSL application to read certificates from the host filesystem, which is not trusted, and therefore not recommended for use in enclaves. OpenSSLSupport.md<https://github.com/openenclave/openenclave/blob/v0.12.0-rc1/docs/OpenSSLSupport.md> has been updated to reflect the changes.

Deprecated

* The Open Enclave SDK will be dropping support for Ubuntu 16.04 after Dec 2020.
Developers and partners using Ubuntu 16.04 will need to move to using Ubuntu 18.04 by then.
#3625<https://github.com/openenclave/openenclave/issues/3625> tracks this.
* The Open Enclave SDK will be dropping support for WS2016 after Dec 2020.
Developers and partners using WS2016 will need to move to using WS2019 by then.
#3539<https://github.com/openenclave/openenclave/issues/3539> tracks this.
* The Open Enclave SDK is deprecating support for gcc while building the SDK from source after Dec 2020.
The recommended compiler while building the SDK from source is Clang.
#3555<https://github.com/openenclave/openenclave/issues/3555> tracks this.

Security

* Security fixes in oeedger8r
* Fix TOCTOU vulnerability in NULL terminator checks for ocall in/out string parameters.
* Count/size properties in deep-copied in/out structs are treated as read-only to prevent the host
from changing corrupting enclave memory by changing these properties.
* Fixed Socket syscalls can leak enclave memory contents<https://github.com/openenclave/openenclave/security/advisories/GHSA-525h-wxcc-f66m> (CVE-2020-15224).

Known issues

* In the open-enclave-hostverify package, the host-verify sample cannot be built with cmake. Use make to build it on Linux. On Windows, it cannot be built currently. #3300<https://github.com/openenclave/openenclave/issues/3300> tracks issues related to the host-verify sample.



Thanks,
Rahdika


Radhika Jandhyala
 

Hello everyone,

The 0.12.0 version of the Open Enclave SDK has been released.

You can find the release page for v0.12.0 in the link below, where you can download the packages/sources and find the changelog:

https://github.com/openenclave/openenclave/releases/tag/v0.12.0

For the Ubuntu 16.04 and 18.04 packages: they will be published to the production packages.microsoft.com APT repo (for each distro) later this week.

For the Windows NuGet packages: They will be on nuget.org later this week, but for now you can download the NuGet packages available in the "Assets" field in release link above.

Thank you so much to everyone in helping us drive and deliver this release! Please use our GitHub repo to report any issues that you may come across in your use of the SDK!

Release notes

Added

* Initial implementation of the Malloc Info API<https://github.com/openenclave/openenclave/blob/v0.12.0/docs/DesignDocs/Mallinfo.md> for dlmalloc (default allocator), and snmalloc.
* Added missing attribute validations to oeedger8r C++ implementation.
* Added new API oe_log_message. See design doc<https://github.com/openenclave/openenclave/blob/v0.12.0/docs/DesignDocs/oe_log_message()_callback_proposal.md> and sample<https://github.com/openenclave/openenclave/blob/v0.12.0/samples/log_callback/README.md>.
* Added APIs and a library for developers to detect leaks in enclaves. See design doc<https://github.com/openenclave/openenclave/blob/v0.12.0/docs/DesignDocs/Enabledebugmalloc.md> and sample<https://github.com/openenclave/openenclave/blob/v0.12.0/samples/debugmalloc/README.md>.
* Added support of QVL/QVE based SGX evidence verification, as described in design doc<https://github.com/openenclave/openenclave/blob/v0.12.0/docs/DesignDocs/SGX_QuoteVerify_Integration.md>.
* Added a new oeverify tool that subsumes the existing host_verify sample which was installed as part of the host verify package.
It is basically the same utility as host_verify with added flexibility to pass a custom format for the evidence to be verified.

Changed

* Fixed #3543<https://github.com/openenclave/openenclave/issues/3543>, updated openenclaverc file and documents on Windows to avoid overwriting CMAKE_PREFIX_PATH.
* The local and remote attestation samples are merged into a single sample<https://github.com/openenclave/openenclave/blob/v0.12.0/samples/attestation/README.md>.
* Disabled a set of OpenSSL APIs/macros that are considered as unsafe based on OE's threat model.
More specifically, those APIs allow users to configure an OpenSSL application to read certificates from the host filesystem, which is not trusted, and therefore not recommended for use in enclaves. OpenSSLSupport.md<https://github.com/openenclave/openenclave/blob/v0.12.0/docs/OpenSSLSupport.md> has been updated to reflect the changes.

Deprecated

* The Open Enclave SDK will be dropping support for Ubuntu 16.04 after Dec 2020.
Developers and partners using Ubuntu 16.04 will need to move to using Ubuntu 18.04 by then.
#3625<https://github.com/openenclave/openenclave/issues/3625> tracks this.
* The Open Enclave SDK will be dropping support for WS2016 after Dec 2020.
Developers and partners using WS2016 will need to move to using WS2019 by then.
#3539<https://github.com/openenclave/openenclave/issues/3539> tracks this.
* The Open Enclave SDK is deprecating support for gcc while building the SDK from source after Dec 2020.
The recommended compiler while building the SDK from source is Clang.
#3555<https://github.com/openenclave/openenclave/issues/3555> tracks this.

Security

* Security fixes in oeedger8r
* Fix TOCTOU vulnerability in NULL terminator checks for ocall in/out string parameters.
* Count/size properties in deep-copied in/out structs are treated as read-only to prevent the host
from changing corrupting enclave memory by changing these properties.
* Fixed Socket syscalls can leak enclave memory contents<https://github.com/openenclave/openenclave/security/advisories/GHSA-525h-wxcc-f66m> (CVE-2020-15224).

Known issues

* In the open-enclave-hostverify package, the host-verify sample cannot be built with cmake. Use make to build it on Linux. On Windows it cannot be built currently. #3300<https://github.com/openenclave/openenclave/issues/3300> tracks issues related to the host-verify sample.

Packages in this release have been tested against the following Intel Packages

On Ubuntu 1804: DCAP: 1.8.100.2-bionic1 PSW: 2.11.100.2-bionic1
On Ubuntu 1604: DCAP: 1.8.100.2-xenial1 PSW: 2.11.100.2-xenial1
On Windows Server 2016: DCAP: 1.8.100.2 PSW: 2.10.100.2
On Windows Server 2019: DCAP: 1.8.100.2 PSW: 2.10.100.2


Thanks,
Radhika



From: Radhika Jandhyala
Sent: Friday, October 16, 2020 9:14 AM
To: oesdk@lists.confidentialcomputing.io
Subject: RE: OpenEnclave SDK v0.12.0 Release

Hi,

We have RC2 packages in v0.12.0-rc2 tag:
https://github.com/openenclave/openenclave/releases<https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Fgithub.com%2Fopenenclave%2Fopenenclave%2Freleases&data=02%7C01%7Cradhikaj%40microsoft.com%7C9b906ec7b73c4fa7da1808d7a0826790%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C637154354265332253&sdata=e0DQ36Qk5d2DJ3DrkM0ZjYzzPODpk8%2BjfpqD3tja1Ls%3D&reserved=0>


The changes from the RC1 packages are:
- Added APIs and a library for developers to detect leaks in enclaves. See design doc( https://github.com/openenclave/openenclave/blob/master/docs/DesignDocs/Enabledebugmalloc.md) and sample( https://github.com/openenclave/openenclave/tree/master/samples/debugmalloc).
-Windows prereqs script updated to use Intel PSW 2.10.100.2.

Thanks,
Radhika

From: Radhika Jandhyala
Sent: Monday, October 12, 2020 10:13 PM
To: oesdk@lists.confidentialcomputing.io<mailto:oesdk@lists.confidentialcomputing.io>
Subject: OpenEnclave SDK v0.12.0 Release

Hi,


Open Enclave version 0.12.0 will soon be published, and we want to send out some release candidate packages (for Windows Server 2016 and 2019, Ubuntu 16.04/18.04) for pre-release testing. You can find the release candidate packages on GitHub below under the v0.12.0-rc1 tag:

https://github.com/openenclave/openenclave/releases<https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Fgithub.com%2Fopenenclave%2Fopenenclave%2Freleases&data=02%7C01%7Cradhikaj%40microsoft.com%7C9b906ec7b73c4fa7da1808d7a0826790%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C637154354265332253&sdata=e0DQ36Qk5d2DJ3DrkM0ZjYzzPODpk8%2BjfpqD3tja1Ls%3D&reserved=0>

Please test these packages and let us know if you come across any issues. Thank you so much for your help!

To the Committers of the OE SDK: Please let us know if we have missed anything in the release notes. We should update our CHANGELOG if so.

Thank you so much to everyone in helping us drive and deliver this release! Please use our GitHub repo to report any issues that you may come across in your use of the SDK!


Release Notes

Added

* Initial implementation of the Malloc Info API<https://github.com/openenclave/openenclave/blob/v0.12.0-rc1/docs/DesignDocs/Mallinfo.md> for dlmalloc (default allocator), and snmalloc.
* Added missing attribute validations to oeedger8r C++ implementation.
* Added new API oe_log_message. See design doc<https://github.com/openenclave/openenclave/blob/v0.12.0-rc1/docs/DesignDocs/oe_log_message()_callback_proposal.md> and sample<https://github.com/openenclave/openenclave/blob/v0.12.0-rc1/samples/log_callback/README.md>.

Changed

* Fixed #3543<https://github.com/openenclave/openenclave/issues/3543>, updated openenclaverc file and documents on Windows to avoid overwriting CMAKE_PREFIX_PATH.
* The local and remote attestation samples are merged into a single sample<https://github.com/openenclave/openenclave/blob/v0.12.0-rc1/samples/attestation/README.md>.
* Disabled a set of OpenSSL APIs/macros that are considered as unsafe based on OE's threat model.
More specifically, those APIs allow users to configure an OpenSSL application to read certificates from the host filesystem, which is not trusted, and therefore not recommended for use in enclaves. OpenSSLSupport.md<https://github.com/openenclave/openenclave/blob/v0.12.0-rc1/docs/OpenSSLSupport.md> has been updated to reflect the changes.

Deprecated

* The Open Enclave SDK will be dropping support for Ubuntu 16.04 after Dec 2020.
Developers and partners using Ubuntu 16.04 will need to move to using Ubuntu 18.04 by then.
#3625<https://github.com/openenclave/openenclave/issues/3625> tracks this.
* The Open Enclave SDK will be dropping support for WS2016 after Dec 2020.
Developers and partners using WS2016 will need to move to using WS2019 by then.
#3539<https://github.com/openenclave/openenclave/issues/3539> tracks this.
* The Open Enclave SDK is deprecating support for gcc while building the SDK from source after Dec 2020.
The recommended compiler while building the SDK from source is Clang.
#3555<https://github.com/openenclave/openenclave/issues/3555> tracks this.

Security

* Security fixes in oeedger8r
* Fix TOCTOU vulnerability in NULL terminator checks for ocall in/out string parameters.
* Count/size properties in deep-copied in/out structs are treated as read-only to prevent the host
from changing corrupting enclave memory by changing these properties.
* Fixed Socket syscalls can leak enclave memory contents<https://github.com/openenclave/openenclave/security/advisories/GHSA-525h-wxcc-f66m> (CVE-2020-15224).

Known issues

* In the open-enclave-hostverify package, the host-verify sample cannot be built with cmake. Use make to build it on Linux. On Windows, it cannot be built currently. #3300<https://github.com/openenclave/openenclave/issues/3300> tracks issues related to the host-verify sample.



Thanks,
Rahdika