v1.2-rc1

Change log

New features

• New invocation methods (graphene-direct and graphene-sgx instead of pal_loader).
• Support for CPU topology and affinity.
• Support for multi-process POSIX locks (fcntl).
• Introduced in-memory tmpfs file system.
• Switched to TOML format for manifest files.
• Whole directories can be specified for SGX Trusted Files.
• Jinja-based manifest renderer (graphene-manifest).
• Support for EPOLLET in epoll emulation.
• Basic communication with host devices.

Security improvements

• Enabled GCC's stack protector in all Graphene binaries.
• Updated mbedTLS to version 2.26.0.
• Better crypto in encrypted IPC (e.g., HKDF-SHA256 instead of SHA256).
• Bug fixes in Trusted and Protected Files in Linux-SGX PAL.

Deployment improvements

• Switched (partially) to Meson from Make.
• Support for Glibc 2.33.
• Support for Ubuntu 21.04, Fedora, CentOS, ClearLinux.
• Support for the latest Intel SGX drivers, including the in-kernel Linux driver.

Performance improvements

• New manifest option libos.check_invalid_pointers to disable checks of invalid pointers on syscall invocations.
• New manifest option sgx.preheat_enclave to choose between fast startup and run-time performance.
• Using seqlocks for fast gettimeofday() emulation on Linux-SGX.
• Using AVL trees for managing futexes.

Debugging improvements

• Support for perf-based SGX profiling. To this end, family of manifest options sgx.profile is introduced.
• Rewritten GDB integration.
• Better Graphene logs.

Documentation

• Added "Attestation and Secret Provisioning" page.
• Added "Performance tuning and analysis" page.
• Added the PyTorch PPML framework tutorial.

New sample integrations

• Created a single Python example.
• Updated OpenVINO to version 2020.4.
• Added SSL/TLS configuration to Nginx.
• Fixed the R example.
• Fixed the PyTorch example and added a tutorial on its usage.

Stability and refactoring

• Rewritten Inter-Process Communication in LibOS.
• Rewritten signal handling in LibOS.
• Refactored all file system components in LibOS.
• Rewritten RTLD and ELF parsing components in LibOS.

Miscellaneous

• Fixed memory corruptions due to insufficient memory. To this end, introduced loader.pal_internal_mem_size manifest option.
• New syscalls implemented: rt_sigtimedwait, msync, madvise, getrandom, waitid, sethostname, setdomainname and readlinkat.
• Save/restore of FP/SSE/AVX/... control words on syscalls.
• Added info-image command to GSC.
• Added /proc/self/cmdline.
• Upgraded LTP to 20200930. Enabled multiple previously disabled LTP tests.
• And hundreds of other small bugfixes and improvements which didn't get to this list.

Breaking changes

• New invocation methods (graphene-direct and graphene-sgx instead of pal_loader).
• TOML format of manifest files. All example manifests were rewritten to TOML (for the full list of manifest options and the TOML syntax, check our readthedocs page).
• Removed loader.exec. Use loader.entrypoint instead.
• Removed loader.debug_type. Use loader.log_level instead.
• Removed sgx.allow_file_creation.
• Removed System V interprocess communication mechanisms (msgget and semget families of syscalls).
• Ubuntu 16.04 is not tested anymore and deprecated for use with Graphene.
• Dropped patches for Glibc 2.23 and 2.27.

Installation instructions

Starting from this release Graphene is available as .deb packages. To install them, follow the below commands:

sudo apt-key adv --fetch-keys https://packages.grapheneproject.io/graphene.asc
echo 'deb [arch=amd64 signed-by=EA3C2D624681AC968521587A5EE1171912234070] https://packages.grapheneproject.io/ unstable main' | sudo tee /etc/apt/sources.list.d/graphene-unstable.list
sudo apt update

sudo apt install graphene-inkernel # for 5.11+ driver
sudo apt install graphene-oot      # for out-of-tree SDK driver
sudo apt install graphene-dcap     # for out-of-tree DCAP driver

We plan to also support .rpm format in the future.

If you prefer to build the sources yourself, please follow the building instructions from our documentation.