SCONE 5.9.0

Bug Fixes

A large number of fixes.

Features

  • activate mprotect by default
  • Add LICENSE.md to packages
  • Authenticated-only volume files
  • build: Upgrade & Split OpenSSL and SQLCipher static libraries
  • cas: Add CAS image with busybox base image
  • cas: add container healthcheck
  • cas: Add default root namespace
  • cas: Add fspf_update_policy to main FSPFs
  • cas: Add must_be_sgx_local attestation
  • cas: Add namespace_hash
  • cas: Add provisioning_cas_owner_certificate_chain to CAS attestation report v4
  • cas: Add REST API signing
  • cas: Add REST API signing key selection parameter
  • cas: Add root namespace path
  • cas: Add secure rollback-protected CAS provisioning
  • cas: Add SGX Local Attestation of service enclaves
  • cas: Allow SO_OOBINLINE socket flag if set to [secure]
  • cas: Always update last DB snapshot directory mtime
  • cas: attest command
  • cas: get-audit-log-checkpoints command
  • cas: Improve SGX PCS API error display
  • cas: Increase session name length limit to 512
  • cas: Restrict allowed secret names for services
  • cas: Warn when either the database or key store file is missing
  • ci: enable colored output for cargo commands
  • cli: Embed original CAS attestation result into CLI config
  • cli: Validate signature when loading a session
  • dockerfiles: Add LAS using Debian 12 as base image
  • dockerfiles: add sysbench
  • dockerfiles: enable non root user for scone.cloud (las and cas)
  • fss: /proc/meminfo provides in-enclave available memory
  • fss: migration to Rust
  • fss: WAL
  • init: warn if SCONE_HOST_PATH is replaced via binary fs
  • intel-sdk: Update Intel SGX SDK from 2.20 to 2.23
  • las: added container healthcheck
  • log error in cross_ffi_entry if logging severity is at least debug
  • madvise: handle MADV_FREE inside the enclave
  • metrics: introduce runtime metrics
  • pccs: add container healthcheck
  • qpl: user configuration of azure pccs usage
  • runtime: Add scone_get_secret_version() API
  • runtime: allow debug and trace logs in production builds
  • runtime: Check whether main FSPF exists locally
  • runtime: don't connect to LAS in sim mode
  • runtime: implement readlinkat for injected files
  • runtime: introduce context switch mode
  • runtime: Support epoll_pwait2
  • rust: Add public-key secrets to session lang 0.3.11
  • rust: handle arbitrary cmd output in command builder
  • rust: implement sgx report verification
  • rust: Upgrade from Rust 1.70.0 to Rust 1.75.0
  • scone_types: do ereport and egetkey in rust
  • scone-signer: add --builtin-signer argument
  • scone-signer: support external signer key
  • sconify: check DOCKER_HOST
  • sysinfo: adapt sysinfo system call response

Performance Improvements

  • fix FSPF v1/v2 loading performance regression
  • getrusage: error if who == RUSAGE_THREAD
  • mariadb: increase innodb_buffer_pool_size to improve performance
  • omit gettimeofday system call by using optimized clock_gettime instead