Release Notes

John Jose edited this page Jan 23, 2023 · 5 revisions

1.3.1

  1. To make deploying enclaves built with Conclave easier, files containing the enclave code hash and signer are now generated when an enclave is built. See here for more information.
  2. Added support for the Intel PCCS (Provisioning Certificate Caching Service) and the Intel DCAP plugin. See here for more information.

1.3

  1. 🎉 The Conclave Core SDK is now open source! 🎉 Read our blog post on why we did this and what it means for you. You can find the source code for the SDK here.
  2. The SDK artifacts are now available on Maven Central. There's no longer any need to have a local repo directory in your Conclave project. See the API changes page for more details.
  3. The Core SDK powers the Conclave Cloud platform.
  4. 🧩 New feature The Conclave Key Derivation Service (KDS) is out of beta and now supports production workloads. The REST API docs can be found here.
  5. 🧩 New feature Support for stable enclave encryption keys with Mail by using the KDS. This enables use cases where the enclave can restart or move to a different physical machine without affecting the client. It also enables horizontally-scaled enclave solutions. See the API docs for the new KDS post office for more details.
  6. 🧩 Java 17 is now supported inside the enclave. There's no need to configure anything. Just ensure you're using JDK 17 when building your enclave to benefit from the new language features.
  7. Exceptions thrown during enclave startup in release mode now propagate to the host. This provides better feedback if the enclave is unable to start.
  8. Gradle 7 is now supported.
  9. GraalVM has been updated to version 22.0.
  10. Intel SGX SDK has been updated to 2.17.1. This provides bug fixes, security updates, and other improvements. See the SGX SDK release notes for more details.
  11. Conclave now supports Ubuntu 20.04 LTS and 18.04 LTS. 16.04 LTS is no longer supported.
  12. We've introduced the concept of beta APIs to facilitate quick iterative feedback on APIs before they're finalized. Anything annotated with @Beta is subject to change and may even be removed in a later release.
  13. 🧩 Beta feature New API method which creates an attestation quote with custom report data, for use with external SGX-enabled applications which require a signed quote with specific content. See Enclave.createAttestationQuote for more information.
  14. We have added Intel advisory IDs to DCAP-based attestation reports. These provide more information on any platform vulnerabilities that may be present in the system.

Please read the list of known issues.

1.2.1

This is a small release with some minor improvements:

  1. Compatibility with some libraries (such as Tribuo) has been improved.
  2. The CorDapp sample has been updated to use Corda v4.8.5, which is patched against the "Log4Shell" vulnerability.
  3. The plugin now gives a better error message if no enclave class is found.

1.2

  1. There are a few breaking changes in 1.2. Read the API changes page on how to migrate your existing project.

  2. In our previous release, we deprecated Avian support. This is now completely removed in 1.2. Enclaves built with GraalVM native image have many benefits over Avian enclaves, including enhanced security, performance, and capabilities.

  3. 🧩 New feature Now you can deploy enclaves on the cloud with the Conclave Key Derivation Service (KDS). The sealing key is no longer dependent on a single physical CPU. You can now easily migrate data from one VM to another, unlock clusters and high-availability architectures, and enable seamless redeployment of VMs by cloud service providers. Learn more about the KDS and how to start using the public preview.

  4. 🧩 New feature We've vastly improved how data is persisted inside the enclave. Previously we recommended the "mail-to-self" pattern for storing data across enclave restarts. This is cumbersome to write, not easy to understand, and does not provide rollback protection against the host. To address all these issues, the enclave has a simple key-value store represented as a java.util.Map object. Conclave securely persists this map such that it survives restarts and is resilient to attempts by the host to roll it back to previous states. Find out more here.

  5. 🧩 New feature We've actually introduced two forms of enclave persistence in 1.2! The rollback protection provided by the persistent map above may not be needed and comes at a cost of increased overheads. As an alternative, the in-memory file system inside the enclave can be persisted directly to disk as an encrypted file on the host for faster performance. Find out more here.

  6. 🧩 New feature To eliminate the need to write the same boilerplate code for the host, we've introduced a simple new host web server that exposes a REST API for sending and receiving mail and which implements the necessary behavior of an enclave host. Your host module only needs to reference conclave-web-host as a runtime dependency, and then all of the boilerplate host code can be done away with. Have a look at the updated hello world sample to see how it's used.

  7. 🧩 New feature To complement the host web server, we've also introduced a client library to make it super easy to write a web-based enclave client. Add conclave-web-client as a dependency to your client module and make use of the new WebEnclaveTransport class in conjunction with the new EnclaveClient.

  8. 🧩 New feature EnclaveClient is a new API in conclave-client which greatly simplifies your client code and handles all the complexities when communicating with an enclave. It is agnostic to the transport layer between it and the host, and support for other network protocols besides HTTP can be added.

  9. 🧩 Java 11 is now the default JDK version inside the enclave. You can use the new APIs and features introduced since Java 8 when writing your enclave code. For compatibility, the Conclave libraries are still compiled using Java 8. So you can continue to use Java 8 (or above) outside the enclave.

  10. 🧩 New feature We have made it easier than ever to start a Conclave project using our new tool, Conclave Init.

  11. 🧩 New feature We've added enclave lifecycle methods so you can do any necessary enclave startup initialization and shutdown cleanup. Override onStartup and onShutdown respectively.

  12. 🧩 New feature The host can now update the enclave's attestation without having to restart it. Previously restarting was the only way to force an update on the EnclaveInstanceInfo object. Now you can call EnclaveHost.updateAttestation while the enclave is still running and the enclaveInstanceInfo property will be updated.

  13. 🧩 New feature We've further improved the Conclave plugin and added more automation to reduce boilerplate. It's no longer necessary to add the conclave-enclave library as a dependency on your enclave module. Also, the plugin will automatically add conclave-host as a testImplementation dependency to enable mock testing. And finally, the plugin will automatically add any enclave resource files in src/main/resources. Previously, resource files had to be specified manually.

  14. 🧩 New feature We've added a new overload of EnclaveHost.load which no longer requires having to specify the enclave class name as a parameter. Instead, EnclaveHost scans for the matching enclave on the classpath.

  15. 🧩 New experimental feature! Easily enable and use Python. It is JIT compiled inside the enclave and can interop with JVM bytecode. Use this feature with care. Python support is still in an experimental state. While it is possible to run simple Python functions, importing modules will likely lead to build issues.

  16. The Gradle plugin will now check your build configuration for productID and revocationLevel properties and print a helpful error message if they are missing.

  17. Improved the API for checking platform support on the host. EnclaveHost.checkPlatformSupportsEnclaves was found to be too complex and did too many things. It's been replaced by easier-to-understand methods. See the API changes page for more information.

  18. Conclave now uses version 2.14 of the Intel SGX SDK. This provides bug fixes and other improvements. See the SGX SDK release notes for more details.

  19. Removed the container Gradle script due to stability issues. If you are using container Gradle to develop on Mac, please follow these instructions instead to run your Conclave projects.