SCONE 5.8.0
Bug Fixes
A large number of fixes.
Features
- add AEPIC Leak intel advisory id
- Add automatic DNS retry & caching via trust-dns
- add detection of supported ELFs
- add nextcloud-apache image
- add pccs image
- add php-8.1-apache-zts image
- akv: delete AKV secrets
- akv: set AKV secrets
- attestation_hook: provide reasonable default reports
- bash-cli: allow executing of subcommands in hardware mode
- cas: Add /v1/version REST API endpoint
- cas: Add absolute/relative session paths
- cas: Add AKV secret backend
- cas: Add base32 encoding for binary secrets
- cas: Add base64url encoding for binary secrets
- cas: Add binary pgp-key secret formats
- cas: Add CAS database file snapshot task
- cas: Add CAS database integrity check on startup
- cas: Add CasAttestationDataV3
- cas: Add config-fragment secrets
- cas: Add governance access policy rules
- cas: Add MAA tokens to error output
- cas: Add pgp-key session secrets
- cas: Add PUT /v1/encrypted_sessions REST API endpoint
- cas: Add relative session paths to secret exports
- cas: Add relative session paths to secret imports
- cas: Add relative session paths to volume exports
- cas: Add relative session paths to volume imports
- cas: Add san to x509 secrets
- cas: Add session encryption keypair
- cas: Allow multiple session signers
- cas: Allow pre-configured session creator
- cas: Allow SCONE variables in OTP shared secret
- cas: Allow self-provisioning for production-mode CASes
- cas: Allow signer as session creator
- cas: Allow signer keys in access policies
- cas: Allow taking OTP shared secrets from binary secrets
- cas: Allow uploading signed sessions
- cas: Allow variable substitution in session security section
- cas: Cache AAD tokens during secret lookup
- cas: Config fragment replacement in session access_policy
- cas: Distinct message when OTP was already used
- cas: Do not allow signer as CREATOR in session read access policy
- cas: Emit warnings on session validation
- cas: Ensure session hash consistency
- cas: Further improve logging in enclave API
- cas: immediately do db snapshot
- cas: Improve error message for unregistered DCAP platforms
- cas: Improve LAS error message when provisioning DCAP PCK cert
- cas: Include CAS version in attestation report data
- cas: introduce faster db snapshotting algorithm
- cas: Introduce session lang minor/patch versions
- cas: Negotiate attestation report data version
- cas: Omit session creator if not needed
- cas: Per-service OTP
- cas: Prevent variables nested in variables
- cas: Print only session on 'scone session check' stdout
- cas: Print version on startup
- cas: provision updated PCK certificate to user enclaves
- cas: Send CAS version along with REST API errors
- cas: Session signature verification
- cas: Show warnings when deserialization of variable config fails prior to substitution
- cas: support usage of pccs for dcap verification
- cas: Use HttpStatusCode in CAS backend
- cas: Variable substitution for service attestation section
- cas: Variable substitution for service platforms
- cas: Volume export aliases
- cli: Add 'scone cas version' command
- cli: add preserve links argument to binary-fs command
- cli: Add scone session calculate-hash
- cli: Add scone session encrypt command
- cli: Add scone session sign command
- cli: Allow all session commands to interoperate with signed sessions
- cli: Allow combining --mrsigner and --only_for_testing-debug
- cli: Allow substitution of ~ as None in session templates
- cli: Allow uploading encrypted sessions
- cli: Automatic retries
- cli: copy files to authenticated regions
- cli: fall back to locked file writing if rename fails
- cli: handle concurrent cli runs
- cli: las liveness probe
- cli: las provision-pck-certifcate command
- cli: las show-tcb-state command
- cli: Manage session signing keypair
- cli: offline CAS attestation
- cli: Prevent using configs created by newer CLI versions
- cli: Store CAS session encryption key
- cli: support argument files
- cli: support escaping of variables
- cli: write output to file
- dcap: expose platform tcb information
- dcap: pck certificate renewal
- dcap: support Azure PCCS cache
- dcap: support DCAP API v4 data models
- dockerfiles: add Apache Flink image
- dockerfiles: add binary-fs-flavored mariadb
- dockerfiles: add binary-fs-flavored nginx
- dockerfiles: add memcached binary-fs-flavored image
- dockerfiles: add php-8.0-fpm
- dockerfiles: add pytorch1.5.1-ubuntu20.04
- dockerfiles: add Redis-6.2.6 working with glibc
- dockerfiles: add s3proxy curated image
- dockerfiles: add TensorFlowLite-2.7.0 to CI
- Exchange SCONE version between CAS/runtime/LAS
- fspf: introduce fspf v3
- fspf: improve performance using serde_bytes
- fss: allow directory listing /proc/self/fd
- fss: introduce blake3 file protection algorithm
- fss: support for sparse file chunks during ftruncate
- fss: use always full chunks to counter
- fss: user configurable secret injection file permissions
- heracles: add image labels
- inform about memory overcommitting setting
- intel_dcap: retry requests on failure
- intel-sdk: Update to Intel SGX SDK 2.16
- intel-sdk: Update to Intel SGX SDK 2.17
- introduce SCONE_FSS_VERIFICATION_ERROR envvar
- isa-l_crypto: support 128 bit aes gcm keys
- las: don't terminate on (unexpected) EPID errors
- las: only retry (blocking) EPID initialization if DCAP is not available
- las: support IPv6
- las: warn if TTY is not present
- libsgx: print message with error code when no message is available
- logging: use separate fd
- only send tag updates if necessary
- provide signer functionality in rust-cli
- qpl: query azure cache for PCK cert
- regression: show test output on console as well
- rrt: allow path resolution from rust runtime
- runtime: add getpgrp syscall wrapper
- runtime: add scone init done hook
- runtime: Add TolerateInsecureUnixCredentials network shield socket flag
- runtime: add utime syscall wrapper
- runtime: allow readlink in unprotected regions
- runtime: allow untrusted futex calls
- runtime: Async. I/O event remapping for poll
- runtime: handle stdio in rust runtime
- runtime: Improve Network Shield logging & error codes
- runtime: improve page allocator
- runtime: introduce at exit hook
- runtime: introduce pre initialization hook
- runtime: Introduce SCONE_SYNC_FSPF_TAG_WITH_CAS
- runtime: reduce memory consumption of logging
- runtime: support comments in expected cas key hash file
- runtime: support setuid/setgid
- runtime: Support Unix sockets in Network Shield
- runtime: use rust for getrandom
- runtime: Use SCONE_CAS_ADDR as SNI hostname during attestation
- runtime: warn about EPC exhaustion on SIGBUS
- runtime: warn on exhaustion of SCONE_SLOTS
- rust: Add HttpStatusCode for errors
- rust: Add LTO & panic=abort capabilities to scone Rust target
- rust: Allow building shared libraries with scone Rust target
- rust: expose scone toolchain wrapper through cargo custom command
- rust: Extend derivable error attributes for structs
- rust: Filter out duplicate error messages
- rust: isa-l_crypto bindings
- rust: Make error attribute derivation even more generic
- rust: scone-cargo applies target x86_64-scone-linux-musl by default
- rust: show helpful error message for invalid compilation options
- rust: Update Rust from 1.57.0 to 1.58.1
- rust: Upgrade from Rust 1.58.1 to 1.59.0
- rust: Upgrade from Rust 1.59.1 to 1.60.0
- rust: Upgrade from Rust 1.60.0 to 1.61.0
- rust: Upgrade Rust from 1.61.0 to 1.63.0
- rust: Upgrade Rust from 1.63.0 to 1.64.0
- rust: Upgrade Rust from 1.64.0 to 1.66.1
- rust: Upgrade Rust from 1.66.1 to 1.68.0 and enable sparse registry
- rust: Upgrade Rust from 1.68.0 to 1.68.2
- rust: Upgrade Rust from 1.68.2 to 1.69.0
- rust: Upgrade Rust from 1.69.0 to 1.70.0
- rust: Use HttpStatusCode for CAS REST & enclave APIs
- scone_secrets: introduce JSON string character encoding
- scone_types: offer rand_core compatible rng
- scone-signer: print enclave info in yaml format
- sconify-image: activate bats test timing
- sconify: add almalinux python fspf support
- sconify: add executable path resolution
- sconify: add version
- sconify: protect /tmp dir by default
- sdk: Upgrade to Intel SDK 2.18
- security: prevent and warn about insecure FSPF config
- session-lang: support ecc session signer keys
- Show correct SCONE version in CAS & CLI
- starter: Add SCONE_TIME_OFFSET testing env variable
- starter: format enclave size and show actual size as well
- starter: improve out-of-memory error messages
- support custom miscselect
- support self-serving LAS/AESM (e.g. Azure LAS)
- test: Add cargo-deny
- warn user about * in host path
Performance Improvements
- cli: run fspf and binaryfs command natively
- fspf: reduce memory usage of fspf operations