Added
- Open Enclave SDK release packages can now be built on non-SGX and non-FLC machines.
- Support for arbitrarily large thread-local data for SGX machines.
- Experimental support for OpenSSL inside enclaves has been added while building the SDK from source.
- Use BUILD_OPENSSL flag while compiling the SDK.
- OpenSSLSupport.md documents supported options and configuration needed to use OpenSSL inside an enclave.
- Custom claims buffer serialization/de-serialization helper functions.
- SGX attestation endorsement claims from oe_verify_evidence() will contain the following:
- OE_CLAIM_SGX_TCB_INFO
- OE_CLAIM_SGX_TCB_ISSUER_CHAIN
- OE_CLAIM_SGX_PCK_CRL
- OE_CLAIM_SGX_ROOT_CA_CRL
- OE_CLAIM_SGX_CRL_ISSUER_CHAIN
- OE_CLAIM_SGX_QE_ID_INFO
- OE_CLAIM_SGX_QE_ID_ISSUER_CHAIN
- The attestation functions in local_attestation/remote_attestation/attested_tls/host_verify samples now use attestation plugin APIs, defined in attestation/attester.h and attestation/verifier.h to generate and verify evidence.
- oe_get_evidence() support for generation of SGX EPID evidences, in formats OE_FORMAT_UUID_SGX_EPID_LINKABLE and OE_FORMAT_UUID_SGX_EPID_UNLINKABLE.
Changed
- Rename the custom claims buffer added by oe_get_evidence from "custom_claims" to "custom_claims_buffer". Likewise, replace the
OE_CLAIM_CUSTOM_CLAIMS
definition for this name withOE_CLAIM_CUSTOM_CLAIMS_BUFFER
. - Building SDK from source
- HAS_QUOTE_PROVIDER cmake option has been removed. This is a continuation of the work in the previous release to allow the same build of OE SDK to run on both FLC and non-FLC machines.
- Intel SGX EnclaveCommonAPI packages are no longer needed to build the SDK.
- COMPILE_SYSTEM_EDL cmake option has been removed. - oe_verify_attestation_certificate_with_evidence() can now verify certificates generated by oe_generate_attestation_certificate() as well as oe_get_attestation_certificate_with_evidence().
- The SGX attestation evidence internal structure has changed. The current structure (version 3) is not compatible with the previous version. Applications that call oe_get_evidence() or oe_verify_evidence() have to be rebuilt.
- Some SGX attestation format IDs have been renamed:
Old | New |
---|---|
OE_FORMAT_UUID_SGX_ECDSA_P256 | OE_FORMAT_UUID_SGX_ECDSA |
OE_FORMAT_UUID_SGX_ECDSA_P256_REPORT | OE_FORMAT_UUID_LEGACY_REPORT_REMOTE |
OE_FORMAT_UUID_SGX_ECDSA_P256_QUOTE | OE_FORMAT_UUID_RAW_SGX_QUOTE_ECDSA |
Removed
- Declaration of SGX format ID OE_FORMAT_UUID_SGX_ECDSA_P384 is removed.
- oe_get_evidence() support of SGX legacy formats OE_FORMAT_UUID_SGX_ECDSA_P256_REPORT and OE_FORMAT_UUID_SGX_ECDSA_P256_QUOTE is removed.
Security
- Update mbedTLS to version 2.16.7. Refer to the 2.16.7 release notes for the set of
issues addressed.