SCONE 5.8.0

Bug Fixes

A large number of fixes.

Features

  • add AEPIC Leak intel advisory id
  • Add automatic DNS retry & caching via trust-dns
  • add detection of supported ELFs
  • add nextcloud-apache image
  • add pccs image
  • add php-8.1-apache-zts image
  • akv: delete AKV secrets
  • akv: set AKV secrets
  • attestation_hook: provide reasonable default reports
  • bash-cli: allow executing of subcommands in hardware mode
  • cas: Add /v1/version REST API endpoint
  • cas: Add absolute/relative session paths
  • cas: Add AKV secret backend
  • cas: Add base32 encoding for binary secrets
  • cas: Add base64url encoding for binary secrets
  • cas: Add binary pgp-key secret formats
  • cas: Add CAS database file snapshot task
  • cas: Add CAS database integrity check on startup
  • cas: Add CasAttestationDataV3
  • cas: Add config-fragment secrets
  • cas: Add governance access policy rules
  • cas: Add MAA tokens to error output
  • cas: Add pgp-key session secrets
  • cas: Add PUT /v1/encrypted_sessions REST API endpoint
  • cas: Add relative session paths to secret exports
  • cas: Add relative session paths to secret imports
  • cas: Add relative session paths to volume exports
  • cas: Add relative session paths to volume imports
  • cas: Add san to x509 secrets
  • cas: Add session encryption keypair
  • cas: Allow multiple session signers
  • cas: Allow pre-configured session creator
  • cas: Allow SCONE variables in OTP shared secret
  • cas: Allow self-provisioning for production-mode CASes
  • cas: Allow signer as session creator
  • cas: Allow signer keys in access policies
  • cas: Allow taking OTP shared secrets from binary secrets
  • cas: Allow uploading signed sessions
  • cas: Allow variable substitution in session security section
  • cas: Cache AAD tokens during secret lookup
  • cas: Config fragment replacement in session access_policy
  • cas: Distinct message when OTP was already used
  • cas: Do not allow signer as CREATOR in session read access policy
  • cas: Emit warnings on session validation
  • cas: Ensure session hash consistency
  • cas: Further improve logging in enclave API
  • cas: immediately do db snapshot
  • cas: Improve error message for unregistered DCAP platforms
  • cas: Improve LAS error message when provisioning DCAP PCK cert
  • cas: Include CAS version in attestation report data
  • cas: introduce faster db snapshotting algorithm
  • cas: Introduce session lang minor/patch versions
  • cas: Negotiate attestation report data version
  • cas: Omit session creator if not needed
  • cas: Per-service OTP
  • cas: Prevent variables nested in variables
  • cas: Print only session on 'scone session check' stdout
  • cas: Print version on startup
  • cas: provision updated PCK certificate to user enclaves
  • cas: Send CAS version along with REST API errors
  • cas: Session signature verification
  • cas: Show warnings when deserialization of variable config fails prior to substitution
  • cas: support usage of pccs for dcap verification
  • cas: Use HttpStatusCode in CAS backend
  • cas: Variable substitution for service attestation section
  • cas: Variable substitution for service platforms
  • cas: Volume export aliases
  • cli: Add 'scone cas version' command
  • cli: add preserve links argument to binary-fs command
  • cli: Add scone session calculate-hash
  • cli: Add scone session encrypt command
  • cli: Add scone session sign command
  • cli: Allow all session commands to interoperate with signed sessions
  • cli: Allow combining --mrsigner and --only_for_testing-debug
  • cli: Allow substitution of ~ as None in session templates
  • cli: Allow uploading encrypted sessions
  • cli: Automatic retries
  • cli: copy files to authenticated regions
  • cli: fall back to locked file writing if rename fails
  • cli: handle concurrent cli runs
  • cli: las liveness probe
  • cli: las provision-pck-certificate command
  • cli: las show-tcb-state command
  • cli: Manage session signing keypair
  • cli: offline CAS attestation
  • cli: Prevent using configs created by newer CLI versions
  • cli: Store CAS session encryption key
  • cli: support argument files
  • cli: support escaping of variables
  • cli: write output to file
  • dcap: expose platform tcb information
  • dcap: pck certificate renewal
  • dcap: support Azure PCCS cache
  • dcap: support DCAP API v4 data models
  • dockerfiles: add Apache Flink image
  • dockerfiles: add binary-fs-flavored mariadb
  • dockerfiles: add binary-fs-flavored nginx
  • dockerfiles: add memcached binary-fs-flavored image
  • dockerfiles: add php-8.0-fpm
  • dockerfiles: add pytorch1.5.1-ubuntu20.04
  • dockerfiles: add Redis-6.2.6 working with glibc
  • dockerfiles: add s3proxy curated image
  • dockerfiles: add TensorFlowLite-2.7.0 to CI
  • Exchange SCONE version between CAS/runtime/LAS
  • fspf: introduce fspf v3
  • fspf: improve performance using serde_bytes
  • fss: allow directory listing /proc/self/fd
  • fss: introduce blake3 file protection algorithm
  • fss: support for sparse file chunks during ftruncate
  • fss: use always full chunks to counter
  • fss: user configurable secret injection file permissions
  • heracles: add image labels
  • inform about memory overcommitting setting
  • intel_dcap: retry requests on failure
  • intel-sdk: Update to Intel SGX SDK 2.16
  • intel-sdk: Update to Intel SGX SDK 2.17
  • introduce SCONE_FSS_VERIFICATION_ERROR envvar
  • isa-l_crypto: support 128 bit aes gcm keys
  • las: don't terminate on (unexpected) EPID errors
  • las: only retry (blocking) EPID initialization if DCAP is not available
  • las: support IPv6
  • las: warn if TTY is not present
  • libsgx: print message with error code when no message is available
  • logging: use separate fd
  • only send tag updates if necessary
  • provide signer functionality in rust-cli
  • qpl: query azure cache for PCK cert
  • regression: show test output on console as well
  • rrt: allow path resolution from rust runtime
  • runtime: add getpgrp syscall wrapper
  • runtime: add scone init done hook
  • runtime: Add TolerateInsecureUnixCredentials network shield socket flag
  • runtime: add utime syscall wrapper
  • runtime: allow readlink in unprotected regions
  • runtime: allow untrusted futex calls
  • runtime: Async. I/O event remapping for poll
  • runtime: handle stdio in rust runtime
  • runtime: Improve Network Shield logging & error codes
  • runtime: improve page allocator
  • runtime: introduce at exit hook
  • runtime: introduce pre initialization hook
  • runtime: Introduce SCONE_SYNC_FSPF_TAG_WITH_CAS
  • runtime: reduce memory consumption of logging
  • runtime: support comments in expected cas key hash file
  • runtime: support setuid/setgid
  • runtime: Support Unix sockets in Network Shield
  • runtime: use rust for getrandom
  • runtime: Use SCONE_CAS_ADDR as SNI hostname during attestation
  • runtime: warn about EPC exhaustion on SIGBUS
  • runtime: warn on exhaustion of SCONE_SLOTS
  • rust: Add HttpStatusCode for errors
  • rust: Add LTO & panic=abort capabilities to scone Rust target
  • rust: Allow building shared libraries with scone Rust target
  • rust: expose scone toolchain wrapper through cargo custom command
  • rust: Extend derivable error attributes for structs
  • rust: Filter out duplicate error messages
  • rust: isa-l_crypto bindings
  • rust: Make error attribute derivation even more generic
  • rust: scone-cargo applies target x86_64-scone-linux-musl by default
  • rust: show helpful error message for invalid compilation options
  • rust: Update Rust from 1.57.0 to 1.58.1
  • rust: Upgrade from Rust 1.58.1 to 1.59.0
  • rust: Upgrade from Rust 1.59.1 to 1.60.0
  • rust: Upgrade from Rust 1.60.0 to 1.61.0
  • rust: Upgrade Rust from 1.61.0 to 1.63.0
  • rust: Upgrade Rust from 1.63.0 to 1.64.0
  • rust: Upgrade Rust from 1.64.0 to 1.66.1
  • rust: Upgrade Rust from 1.66.1 to 1.68.0 and enable sparse registry
  • rust: Upgrade Rust from 1.68.0 to 1.68.2
  • rust: Upgrade Rust from 1.68.2 to 1.69.0
  • rust: Upgrade Rust from 1.69.0 to 1.70.0
  • rust: Use HttpStatusCode for CAS REST & enclave APIs
  • scone_secrets: introduce JSON string character encoding
  • scone_types: offer rand_core compatible rng
  • scone-signer: print enclave info in yaml format
  • sconify-image: activate bats test timing
  • sconify: add almalinux python fspf support
  • sconify: add executable path resolution
  • sconify: add version
  • sconify: protect /tmp dir by default
  • sdk: Upgrade to Intel SDK 2.18
  • security: prevent and warn about insecure FSPF config
  • session-lang: support ecc session signer keys
  • Show correct SCONE version in CAS & CLI
  • starter: Add SCONE_TIME_OFFSET testing env variable
  • starter: format enclave size and show actual size as well
  • starter: improve out-of-memory error messages
  • support custom miscselect
  • support self-serving LAS/AESM (e.g. Azure LAS)
  • test: Add cargo-deny
  • warn user about * in host path

Performance Improvements

  • cli: run fspf and binaryfs command natively
  • fspf: reduce memory usage of fspf operations