v1.0
Important changes
This text covers the changes since the last public release candidate. This version is intended to be ready for production use.
New name and new home
- As you probably have already noticed, Graphene was renamed to Gramine. The name "Graphene" was deemed too common, could be impossible to trademark, and collided with several other software projects. Thus, a new name "Gramine" was chosen.
- We migrated our repositories to https://github.com/gramineproject.
- We also joined the Confidential Computing Consortium (part of the Linux Foundation).
- GSC and some of the examples were moved to separate repositories: gramineproject/gsc and gramineproject/examples.
- We reset the version numbering with the rename.
New features
- Improved filesystem support - we introduced inodes, which allow more accurate emulation of the filesystem.
- Insecure options summary - now when you start Gramine, if we detect a known insecure configuration, we print a warning listing the problems.
- Support for selective passthrough of environment variables (via loader.env.[ENVIRON] = {passthrough=true}).
- Python API for our tooling (manifest generation, signing, etc.).
- Support for SGX sealing in protected files - now you can encrypt to MRSIGNER or MRENCLAVE instead of provisioning an external key.
- loader.uid and loader.gid manifest options to change the default user/group id emulated inside Gramine.
Security improvements
- All IDs are now virtualized inside Gramine.
- Reviewed OCALLs and added some missing sanitizations.
- We implemented custom UndefinedBehaviorSanitizer and AddressSanitizer integrations and run them in our CI.
- Fixed a few security bugs around attestation and key exchange.
- Fixed multiple memory corruption bugs.
New sample integrations
- OpenJDK
- SQLite
Stability and refactoring
- A lot of fixes in various syscall corner cases.
- Rewrote most of the filesystem code.
Miscellaneous
- Better support for RHEL, CentOS and Fedora.
- Added Clang support.
- Updated Glibc patches to 2.34.
- Now the whole Gramine (except tests) is built using Meson.
Breaking changes
- We made our manifest syntax more TOML-ish - now allowed, trusted and protected files are listed as arrays. The old syntax is deprecated, but still supported.
- The default enclave mode is now release. If you want a debug enclave, add sgx.debug = true to your manifest.
- Build instructions have changed because of migration to Meson. The documentation was updated to reflect this.
- Topology information in sysfs was deemed not ready for production yet (due to security concerns) and was hidden behind a feature flag in manifests - fs.experimental__enable_sysfs_topology = [true|false]. We plan to polish the implementation and make it production-quality in upcoming weeks.
- sgx.protected_files_key manifest option was renamed to sgx.insecure__protected_files_key.
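The manifest options named in these notes can be checked mechanically before a deployment. The following is an added example, not part of Gramine's tooling or of these release notes, and it does not reproduce Gramine's own insecure-options summary: it parses an already rendered manifest as TOML and reports only the options mentioned above. The function name audit_manifest, the finding texts and the sample manifest are constructed for illustration.

```python
# Added example: audit a rendered Gramine manifest for options named in these notes.
try:
    import tomllib              # Python 3.11+
except ModuleNotFoundError:     # older interpreters: needs the "tomli" package
    import tomli as tomllib

# Constructed sample manifest (not taken from the Gramine repositories).
SAMPLE_MANIFEST = """
loader.env.LD_LIBRARY_PATH = "/lib"
loader.env.HOME = { passthrough = true }
sgx.debug = true
sgx.insecure__protected_files_key = "00112233445566778899aabbccddeeff"
sgx.trusted_files.app = "file:/usr/bin/app"
sgx.allowed_files = ["file:/tmp/scratch"]
fs.experimental__enable_sysfs_topology = true
"""

def audit_manifest(text):
    """Return a sorted list of (option, finding) pairs for a manifest string."""
    m = tomllib.loads(text)
    sgx, fs, loader = m.get("sgx", {}), m.get("fs", {}), m.get("loader", {})
    findings = []
    if sgx.get("debug") is True:
        findings.append(("sgx.debug", "debug enclave requested; default is release"))
    if "insecure__protected_files_key" in sgx:
        findings.append(("sgx.insecure__protected_files_key", "key is set in the manifest"))
    if "protected_files_key" in sgx:
        findings.append(("sgx.protected_files_key", "renamed to sgx.insecure__protected_files_key"))
    if fs.get("experimental__enable_sysfs_topology") is True:
        findings.append(("fs.experimental__enable_sysfs_topology", "not production-ready"))
    # Old table syntax parses to a dict; the new syntax is an array.
    for kind in ("allowed_files", "trusted_files", "protected_files"):
        if isinstance(sgx.get(kind), dict):
            findings.append((f"sgx.{kind}", "deprecated syntax; list files as an array"))
    # Passthrough variables take their value from the host environment.
    for name, value in loader.get("env", {}).items():
        if isinstance(value, dict) and value.get("passthrough") is True:
            findings.append((f"loader.env.{name}", "value comes from the host environment"))
    return sorted(findings)

if __name__ == "__main__":
    for option, finding in audit_manifest(SAMPLE_MANIFEST):
        print(f"{option}: {finding}")
```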
Installation instructions
Starting from this release, Gramine is available as .deb and .rpm packages. To install them, run the commands below:
- for Debian/Ubuntu:
sudo curl -fsSLo /usr/share/keyrings/gramine-keyring.gpg https://packages.gramineproject.io/gramine-keyring.gpg
echo 'deb [arch=amd64 signed-by=/usr/share/keyrings/gramine-keyring.gpg] https://packages.gramineproject.io/ stable main' | sudo tee /etc/apt/sources.list.d/gramine.list
sudo apt-get update
sudo apt-get install gramine # for 5.11+ upstream, in-kernel driver
sudo apt-get install gramine-oot # for out-of-tree SDK driver
sudo apt-get install gramine-dcap # for out-of-tree DCAP driver
- for RHEL/Fedora/CentOS:
# first time you need to confirm the key fingerprint, which is F3FFBE5FC0477DB46E4851E737B04F03659B87AF.
sudo curl -fsSLo /etc/yum.repos.d/gramine.repo https://packages.gramineproject.io/rpm/gramine.repo
sudo dnf install gramine # for 5.11+ upstream, in-kernel driver
The same instructions can be found in our documentation's Quick Start.
If you prefer to build the sources yourself, please follow the building instructions from our documentation.