Releases: edgelesssys/marblerun
Release v1.4.1
What's Changed
Security
This release includes a critical security fix and a security feature improvement.
Please read this changelog carefully and check whether you're affected.
If you're affected, you should update as soon as possible.
If you're not affected, we still recommend updating in case a later change to the manifest makes you affected.
- Fixed a critical issue with TTLS. See GHSA-x5r5-2qrx-rqj8 for full details.
- Added the ability to not accept TCB status SWHardeningNeeded during remote attestation
- Update SGX libraries to 2.22 (PSW) and 1.19 (DCAP)
- Updates of other dependencies
Fixes
- Fix webhook certificates always being issued for the marblerun namespace when installing with CLI (#573)
Full Changelog: v1.4.0...v1.4.1
v1.4.0
What's Changed
- Build premain on Ubuntu 20.04 by @thomasten in #487
- Allow adding additional IPs for Coordinator root cert by @daniel-weisse in #528
- Allow specifying Kubernetes namespace when installing MarbleRun, or working with a Kubernetes deployment of MarbleRun, using the --namespace flag
- Pin Coordinator root certificate for all commands interacting with the Coordinator after marblerun manifest set
  - The certificate is saved to ~/.config/marblerun/coordinator-cert.pem by default
  - Specify the --coordinator-cert flag to set a custom location
Security fixes
- Fix a MITM vulnerability when using the CLI to interact with a MarbleRun deployment after the manifest has been set
Full Changelog: v1.3.0...v1.4.0
v1.3.0
Fixes
- fix nightly image builds by @thomasten in #435
- fix webhook certificates not being reloaded on change by @daniel-weisse in #470
- remove version label from marble-injector selector by @daniel-weisse in #472
  - this caused issues resulting in the deployment being unable to be upgraded to a new image version using helm
  - when upgrading from a previous release using Helm, the marble-injector deployment has to be removed before upgrades can be applied:
    kubectl delete deployments -n marblerun marble-injector
    helm upgrade -n marblerun marblerun ...
Additions
- cli: require chart path when using enterprise access token by @thomasten in #433
- helm: Make health probes of Coordinator deployment configurable by @daniel-weisse in #442
- remove az-dcap-client from Coordinator image by @daniel-weisse in #447
  - the image now uses just libsgx-dcap-default-qpl
  - the Coordinator will still automatically configure itself to run with the Azure PCCS if available
  - the --dcap-qpl flag has been deprecated since it is no longer necessary to set the QPL to use (there is only one)
- Build CLI for Ubuntu 20.04, 22.04, and AppImage by @thomasten in #459
  - This means releases will now include CLI binaries built for Ubuntu 20.04, Ubuntu 22.04, and an AppImage for Linux x86_64
Full Changelog: v1.2.0...v1.3.0
Edit (28.08.2023)
The CLI binaries marblerun-x86_64.AppImage and marblerun-ubuntu-20.04 were built on an incorrect commit (3750726f912244854c1b000c2c6085d0da158b5f instead of 411e3bcbb01a9a069c69d87f6713a0cde282511b).
We have since updated the binaries and the checksums.txt file.
The old, incorrect files are still available in the release with the old. prefix.
Other files were left untouched.
v1.2.0
Fixes
- add missing YAML conversion to manifest verify by @daniel-weisse in #391
- fix Recover call not properly resetting store's recovery mode by @daniel-weisse in #395
- return error on SetManifest if state cannot be committed by @daniel-weisse in #397
- align capitalization of log messages by @daniel-weisse in #394
Additions
- output status if tcb level is invalid by @thomasten in #386
- better error message on failed property validation by @daniel-weisse in #425
Misc
- split util package to reduce dependencies of premain by @thomasten in #387
- remove context.TODO from CLI by @daniel-weisse in #390
- Only work on store transactions by @daniel-weisse in #388
- Move file saving from Sealer to StdStore by @daniel-weisse in #392
- add versioned docs by @m1ghtym0 in #399
Full Changelog: v1.1.0...v1.2.0
v1.1.0
Fixes
- charts: fix namespace in injector.yaml by @OverOrion in #366
- charts: fix missing provision in resources.limits by @OverOrion in #367
Additions
- docs: add examples for multi-party workflows by @m1ghtym0 in #355
- charts: enable MarbleRun Kubernetes installation using only helm by @daniel-weisse in #368
- charts: allow usage of custom PVC for Coordinator storage by @daniel-weisse in #382
- Update Go version to v1.20
Misc
- ci: update image name in workflow by @daniel-weisse in #364
- Update sample-manifest.json by @thomasten in #365
- Upgrade dependencies by @daniel-weisse in #369
- docs: update helm installation docs by @daniel-weisse in #372
- docs: reference AllowedTCBStatuses in manifest docs by @daniel-weisse in #375
- charts: Set all required resources keys for Intel Device Plugin by @daniel-weisse in #376
- Don't use apt in running container by @daniel-weisse in #379
- Refactor CLI code by @daniel-weisse in #380
- Remove direct dependency on gorilla mux by @daniel-weisse in #384
Full Changelog: v1.0.0...v1.1.0
v1.0.0
Fixes
- Fix potentially invalid variable access by @daniel-weisse in #324
- Catch potential seg fault when updating debug marbles by @daniel-weisse in #325
- Remove nodename from gramine libos detection by @lead4good in #333
Additions
- Add logging for failed marble activations by @daniel-weisse in #329
- Allow TCB levels to be accepted besides UpToDate by @OverOrion in #344
- Enforce unique certificates for users by @daniel-weisse in #353
- Reuse existing era config file by @daniel-weisse in #358
- Add reproducible build and production build by @thomasten in #362
Misc
- Separate client API from core package by @daniel-weisse in #328
- Only inject UUID volumes if not already present by @daniel-weisse in #330
- Update samples and PreMain for Gramine v1.3 compatibility by @daniel-weisse in #346
- Don't panic in premain by @daniel-weisse in #360
New Contributors
- @OverOrion made their first contribution in #344
Full Changelog: v0.6.1...v1.0.0
v0.6.1
v0.6.0
- Security
  - Upgrade EGo and Edgeless RT dependencies for mitigations for INTEL-SA-00615
- premain
  - Updates to support Occlum v0.27
- Coordinator
  - HTTP-API endpoint to retrieve an ECDSA signature of the set manifest, by @lead4good (#291)
v0.5.1
- CLI:
  - Removed namespace command
- Injector:
  - Pods with the marblerun/marbletype label will be automatically injected. Use the label marblerun/resource-injection=disabled to disable injection for a Pod.
  - Fix injecting DNS names with uppercase letters
- Coordinator:
  - Throw an error when the Coordinator is unable to generate a quote in SGX mode. Use the EDG_COORDINATOR_DEV_MODE=1 env variable to ignore this error.
- Samples:
  - Graphene was renamed to Gramine. Use their binary release to run our samples!
  - Update Occlum sample to use release v0.24.1
- Repository:
  - Add ROADMAP.md
  - Add MarbleRun helm chart
v0.5.0
- Rename Marblerun to MarbleRun
- New logo
- Enhance SGX DCAP support:
  - Add support for Intel's default DCAP implementation
  - Add support for Alibaba's DCAP infrastructure
  - Allow users to configure DCAP backend
- Manifest:
  - Breaking change due to renaming all secrets below .Marblerun. -> .MarbleRun.
  - Enhance manifest's Parameters section:
    - Extend encoding support for Files
    - Make sure Env values are valid c-strings
  - Remove never implemented Clients section
- CLI
  - Generalize sgxsdk-package-info command into package-info supporting Open Enclave / Graphene / Occlum / EGo / Edgeless RT enclaves
- Add OpenAPI/Swagger annotations for ClientAPI
- Add GitHub actions to automatically validate annotations and generate swagger.json for the docs