v1.9.0

What's Changed

🎁 New features

• cli: allow specifying custom qcnl config when installing MarbleRun by @daniel-weisse in #851
• security: update P256 elliptic keys to P384 by @daniel-weisse in #857
• recovery: enable clients to send encrypted recovery secrets by @daniel-weisse in #878
• Enable recovery using a subset of recovery keys by @daniel-weisse in #879
• coordinator: HSM seal key wrapping by @daniel-weisse in #885
• Enable FIPS 140 crypto for Go binaries by @thomasten in #897
• coordinator: allow updates to recovery secrets by @daniel-weisse in #893
• coordinator: build with symcrypt for FIPS crypto by @thomasten in #896
• coordinator: allow access to secrets of previous manifest cycle by @daniel-weisse in #899

🐛 Bug fixes

• api: ensure backwards compatbility on update apply by @daniel-weisse in #860

🔧 Other changes

• coordinator: seal with 32 byte key by @daniel-weisse in #850
• Merge enterprise code by @daniel-weisse in #877
• coordinator: reduce grpc logging noise by default by @daniel-weisse in #880
• cli: remove --wait because not waiting isn't supported anymore in helm v4 by @thomasten in #907

📖 Documentation

• markdown: fix redirects and outdated links by @daniel-weisse in #887
• docs: Azure HSM sealing integration by @daniel-weisse in #886
• docs: explain RecoveryThreshold config option by @daniel-weisse in #900
• docs: add note about changing recovery secrets by @daniel-weisse in #901
• docs: explain air-gapped recovery workflow by @daniel-weisse in #902
• docs: root key rotation by @daniel-weisse in #903

New Contributors

• @msanft made their first contribution in #890

Full Changelog: v1.8.0...v1.9.0

v1.8.0

What's Changed

🛠 Breaking changes

• This PR introduces two breaking changes in the Go API:
  • ManifestUpdateAcknowledge now returns a list of users who have not acknowledged the update as well as the number of users that still need to send an acknowledgement for the update to be applied. This changes the function's return values from []string, error to []string, int, error.
  • ManifestUpdateApply now returns a list of a users who may acknowledge the update, as well as the number of missing acknowledgements for the update to be applied (in case of full manifest updates with more than 1 user). This changes the function's return values from error to []string, int, error.

🐛 Bug fixes

• cli: report accurate number of missing acknowledgements and users on update by @daniel-weisse in #808
• cli: accept both PKCS#8 and PKCS#1 private keys for recovery by @daniel-weisse in #798
• Update EdgelessRT dependency to fix OE_INVALID_PARAMETER "SGX endorsements are too large" errors during quote verification

Full Changelog: v1.7.0...v1.8.0

v1.7.0

What's Changed

⚠️ Security

This release includes a security fix of high severity.
Please read the GHSA-w7wm-2425-7p2h advisory carefully to assess the impact on your deployment and plan the update accordingly.

Please be aware that updating a deployment to v1.7.0 will require manual recovery of the Coordinator.
Additionally, starting with v1.7.0, recovery will require access to the recovery private keys, matching the recovery public keys defined in the manifest, either as files or through a PKCS #11 compatible backend.

🎁 New features

• premain: enable JSON formatted logs if EDG_LOG_FORMAT=json by @daniel-weisse in #766
• cli: support for authenticating with private keys and certificates stored in PKCS #11 backend by @daniel-weisse in #771
• Support injection of Coordinator root and intermediate certificates into Marble environment by @daniel-weisse in #784
• coordinator: add debug logging by @daniel-weisse in #786

🐛 Bug fixes

• fix: JSON formatted logs for all Coordinator and marble-injector messages by @daniel-weisse in #764
• coordinator: fix equality checks for manifest properties by @daniel-weisse in #777
• Fix Marble verification with Coordinator root certificate by @thomasten in #782
• cli: fix certificate command errors when --insecure flag is set by @daniel-weisse in #790

🔧 Other changes

• coordinator: atomically replace the sealed data file on store commit by @thomasten in #762
• charts: allow configuration of Coordinator PVC size through helm values file by @Nabsku in #793

📖 Documentation

• docs: replace base64 command with openssl by @thomasten in #757
• docs: add backup workflow by @thomasten in #763

New Contributors

• @Nabsku made their first contribution in #793

Full Changelog: v1.6.0...v1.7.0

v1.6.0

What's Changed

Additions

• Log TCB advisories if status is not UpToDate by @thomasten in #729
• Allow specifying accepted avisories for SWHardeningNeeded TCB status by @daniel-weisse in #733
• Let Coordinator serve monotonic counters to Marbles by @thomasten in #741
• Derive marble private secrets using marble type in addition to UUID by @daniel-weisse in #730
  • Previously, secrets were only derived based on a Marble's UUID, which would provide two different Marbles reporting the same UUID with the same secret. This release enforces two different Marbles will always receive different secrets, regardless of their UUID. If two Marbles require access to the same secret, the secret should be marked as Shared instead. To restore the behavior of MarbleRun previous to v1.6, set the DisableSecretBinding property of the Marble in the manifest to true.

Fixes

• coordinator: fix failing user verification when multiple client certs are provided by @thomasten in #738

Misc

• Change license from MPL-2.0 to BUSL-1.1 by @thomasten in #752

Full Changelog: v1.5.2...v1.6.0

v1.5.2

What's Changed

• Fix OE_JSON_INFO_PARSE_ERROR during attestation verification with recent Intel collaterals

Full Changelog: v1.5.1...v1.5.2

v1.5.1

What's Changed

Fixes

• coordinator: don't include OE header in signature for raw SGX quotes when calling /sign-quote endpoint by @daniel-weisse in #718
• cli: don't try to download era config if --insecure flag is set by @daniel-weisse in #721

Misc

• api: elaborate on nonce and quote by @thomasten in #683
• charts: use v2 api for probes by @thomasten in #693
• Update samples to Gramine v1.7 by @daniel-weisse in #599

Full Changelog: v1.5.0...v1.5.1

v1.5.0

What's Changed

Additions

• cli: allow users to use a custom nonce for SGX quote verification using --nonce flag by @daniel-weisse in #644

• cli: add --save-sgx-quote flag to save a Coordinator's SGX quote to disk by @daniel-weisse in #647

• Add a public Go API by @daniel-weisse in #658

  • Offers functions to interact with the Coordinator Client API, and implements the same functionality as the CLI
  • documentation: https://pkg.go.dev/github.com/edgelesssys/marblerun/api

• coordinator: Add client API v2, which offers the same endpoints as the previous client API with an updated format by @daniel-weisse in #661

  • API v1 is still available and functional in the Coordinator, but should be considered deprecated
  • The CLI and Go API will default to using the v2 API, falling back to v1 if unavailable
  • API reference is available at https://docs.edgeless.systems/marblerun/reference/coordinator

• coordinator: add a new client API endpoint, /api/v2/sign-quote, to verify and sign SGX quotes by @daniel-weisse in #659

  • Requires setting the new manifest option .Config.FeatureGates to ["SignQuoteEndpoint"] to enable

• cli: allow setting multiple DNS names or IPs using --domain flag in marblerun install by @daniel-weisse in #674

• coordinator: add manifest option to seal with unique key or disable sealing by @thomasten in #677

  • controlled by setting the new manifest option .Config.SealMode:
    • ProductKey: Sealing uses the product key. This is the default if not set.
    • UniqueKey: Sealing uses the unique key.
    • Disabled: If set, the Coordinator won't persist state. This can be useful for ephemeral deployments.

Full Changelog: v1.4.1...v1.5.0

Release v1.4.1

What's Changed

Security

This release includes a critical security fix and a security feature improvement.
Please read this changelog carefully and check whether you're affected.
If you're affected, you should update as soon as possible.
If you're not affected, we still recommend updating for the case that you might be affected in the future by changing the manifest.

• Fixed a critical issue with TTLS. See GHSA-x5r5-2qrx-rqj8 for full details.
• Added the ability to not accept TCB status SWHardeningNeeded during remote attestation
• Update SGX libraries to 2.22 (PSW) and 1.19 (DCAP)
• Updates of other dependencies

Fixes

• Fix webhook certificates always being issued for the marblerun namespace when installing with CLI (#573)

Full Changelog: v1.4.0...v1.4.1

v1.4.0

What's Changed

• Build premain on Ubuntu 20.04 by @thomasten in #487
• Allow adding additional IPs for Coordinator root cert by @daniel-weisse in #528
• Allow specifying Kubernetes namespace when installing MarbleRun, or working with a Kubernetes deployment of MarbleRun, using the --namespace flag
• Pin Coordinator root certificate for all commands interacting withe the Coordinator after marblerun manifest set
  • The certificate is saved to ~/.config/marblerun/coordinator-cert.pem by default
  • Specify the --coordinator-cert flag to set a custom location

Security fixes

• Fix a MITM vulnerability when using the CLI to interact with a MarbleRun deployment after the manifest has been set
  • See the advisory for more details

Full Changelog: v1.3.0...v1.4.0

v1.3.0

Fixes

• fix nightly image builds by @thomasten in #435
• fix webhook certificates not being reloaded on change by @daniel-weisse in #470
• remove version label from marble-injector selector by @daniel-weisse in #472
  • this caused issues resulting in the deployment being unable to be upgraded to a new image version using helm
  • when upgrading from a previous release using Helm, the marble-injector deployment has to be removed before upgrades can be applied:

    kubectl delete deployments -n marblerun marble-injector
    helm upgrade -n marblerun marblerun ...

Additions

• cli: require chart path when using enterprise access token by @thomasten in #433
• helm: Make health probes of Coordinator deployment configurable by @daniel-weisse in #442
• remove az-dcap-client from Coordinator image by @daniel-weisse in #447
  • the image now uses just libsgx-dcap-default-qpl
  • the Coordinator will still automatically configure itself to run with the Azure PCCS if available
  • the --dcap-qpl flag has been deprecated since it is no longer necessary to set the QPL to use (there is only one)
• Build CLI for Ubuntu 20.04, 22.04, and AppImage by @thomasten in #459
  • This means release will now include CLI binaries built for Ubuntu 20.04, Ubuntu 22.0, and an AppImage for Linux x86_64

Full Changelog: v1.2.0...v1.3.0

Edit (28.08.2023)

The CLI binaries marblerun-x86_64.AppImage and marblerun-ubuntu-20.04 were built on an incorrect commit (3750726f912244854c1b000c2c6085d0da158b5f instead of 411e3bcbb01a9a069c69d87f6713a0cde282511b).
We have since updated the binaries and the checksums.txt file.
The old, incorrect files are still available in the release with the old. prefix.
Other files were left untouched.