Mystikos Versions

Tools and runtime for launching unmodified container images in Trusted Execution Environments

v0.13.0

1 month ago

0.13.0

What's Changed

v0.12.0

8 months ago

Changed

Changed the Open Enclave layer to use OpenSSL 3.1 instead of OpenSSL 1.1.1. This is because OpenSSL 1.1.1 is at EOL.

  • This change requires us to reserve 2 MiB of space for the Open Enclave layer, as opposed to the 256 KiB it used with OpenSSL 1.1.1.
  • Note: this is unrelated to the "MemorySize" configuration, which is the size of the Mystikos-controlled memory region. You will not need to change "MemorySize".

v0.11.0

9 months ago

Security Fixes

  • This release updates Open Enclave SDK to its latest release. There are two CVEs mitigated in this Open Enclave SDK release. Please refer to the security advisory for more details.

What's Changed

v0.11.0-rc1

9 months ago

Security Fixes

  • This release updates Open Enclave SDK to its latest release. There are two CVEs mitigated in this Open Enclave SDK release. Please refer to the security advisory for more details.

What's Changed

v0.10.0

1 year ago

What's Added

Fixes and improvements

Security

v0.10.0-rc1

1 year ago

What's Added

Fixes and improvements

Security

v0.9.3

1 year ago

Added

v0.9.1

1 year ago

Security

Updated to use Open Enclave SDK v0.18.2, which mitigates CVE-2022-21233. Please refer to the security advisory for that CVE.

v0.9.0

1 year ago

Added:

  • Abstract namespace addresses support for Unix domain sockets: Conventionally Unix domain socket addresses are a path in the file hierarchy. Abstract namespace identifiers allow addresses without creating a corresponding file path. They are differentiated from conventional UDS addresses by starting the address with a null character.

  • Support for SOCK_STREAM Unix domain sockets bound to hostfs paths.
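The difference between the two address forms described above, as an added example (not code from the Mystikos project): it builds an abstract-namespace address whose `sun_path` starts with a null byte, binds and connects over it, and checks that no file was created. The function names and the socket name are hypothetical; the code assumes Linux. Because an abstract name has no file behind it, filesystem permissions do not restrict which processes may connect to it.

```c
/* Added example: abstract-namespace AF_UNIX addressing on Linux. */
#include <stddef.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/stat.h>
#include <sys/un.h>
#include <unistd.h>

/* Build an abstract address: sun_path[0] is '\0' and the name follows it.
 * The name is not NUL-terminated; the length handed to bind()/connect()
 * delimits it. Returns that length, or 0 if the name does not fit. */
static socklen_t abstract_addr(struct sockaddr_un *sa, const char *name)
{
    size_t n = strlen(name);
    if (n == 0 || n > sizeof(sa->sun_path) - 1)
        return 0;
    memset(sa, 0, sizeof(*sa));
    sa->sun_family = AF_UNIX;
    memcpy(sa->sun_path + 1, name, n); /* sun_path[0] stays '\0' */
    return (socklen_t)(offsetof(struct sockaddr_un, sun_path) + 1 + n);
}

/* Bind a listener to the abstract name, connect, pass one message.
 * Returns 0 if that works and no file called `name` appeared, else -1. */
int abstract_uds_roundtrip(const char *name)
{
    struct sockaddr_un sa;
    struct stat st;
    char buf[8] = {0};
    int rc = -1, peer = -1;
    socklen_t len = abstract_addr(&sa, name);
    if (len == 0) return -1;
    int srv = socket(AF_UNIX, SOCK_STREAM, 0);
    int cli = socket(AF_UNIX, SOCK_STREAM, 0);
    if (srv >= 0 && cli >= 0 &&
        bind(srv, (struct sockaddr *)&sa, len) == 0 &&
        listen(srv, 1) == 0 &&
        connect(cli, (struct sockaddr *)&sa, len) == 0 &&
        (peer = accept(srv, NULL, NULL)) >= 0 &&
        write(cli, "ping", 4) == 4 &&
        read(peer, buf, sizeof(buf) - 1) == 4 &&
        strcmp(buf, "ping") == 0 &&
        stat(name, &st) != 0) /* no filesystem entry was created */
        rc = 0;
    if (peer >= 0) close(peer);
    if (cli >= 0) close(cli);
    if (srv >= 0) close(srv);
    return rc;
}
```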

Changed:

  • Track kernel and user time on a per-process basis: Previously, we were incorrectly tracking system and user time usage as a global variable. A number of the time commands actually require this to be reported on a per-process basis.

  • Clock resolution in the Mystikos kernel is changed to 100ns.

  • MUSL’s pathconf and fpathconf are patched to report invalid input for option PC_NAME_MAX.

Security

  • Updated to use Open Enclave SDK v0.18.0 which mitigates CVE-2022-21166 described in INTEL-SA-00615.

v0.8.0

2 years ago

Containers:

Ubuntu 18.04: mystikos.azurecr.io/mystikos-bionic:v0.8.0

Ubuntu 20.04: mystikos.azurecr.io/mystikos-focal:v0.8.0

Added:

· Implemented Unix-domain sockets in which all data is exchanged within the kernel (inside the enclave), added support for AF_LOCAL dup()

· Added support and tests for .NET and ASP.NET v6

· Added PyTorch core tests, CPython 3.10 tests

· Documented support and limitations for .NET https://github.com/deislabs/mystikos/blob/main/doc/dotnet-support.md

· Documented support and limitations for Python https://github.com/deislabs/mystikos/blob/main/doc/PythonSupport.md

· Enabled full 32-bit uid/gid support in ext2fs implementation

· Added address validity check and set error code to match Linux spec for sched_getaffinity and sched_setaffinity

· Implemented AF_LOCAL ioctl() FIONREAD, ppoll, SYS_kill, /proc/sys/kernel/pid_max, SYS_linkat, SYS_copy_file_range, FIOCLEX/FIONCLEX ioctl support for pipe

· Improved signal handling

· Added warning for small stacksize for glibc applications

· Enabled tests on Intel Ice Lake platform which has SGX2 support

Changed:

· Breaking change: Host environment variables are no longer exported unless there is a config. "HostApplicationParameters" and "HostEnvironmentVariables" are used to pass host environment variables to the enclave

· Removed glibc ifaddrs due to known limitation

· Improved stability in general