Asylo 0.6.0 Release

Asylo Users

Jul 30, 2020, 2:59:30 PM
to Asylo Users
Asylo 0.6.0 has just been released, containing 215 commits since the last release. A number of infrastructural changes that have been building for a few releases have been completed and enabled — improving security, performance, functionality, and ease of use.

Asylo has integrated Intel’s fixes for the LVI vulnerability into the toolchain. These come with a non-trivial performance penalty, so we’ve provided knobs to select the level of mitigation. By default, the most aggressive mitigation is chosen, which places memory fences around many types of memory accesses. If you have analyzed your security posture and determined this vulnerability does not impact your use case, mitigations can be disabled entirely by specifying `--features=lvi_no_auto_mitigation` on the command line when building or by adding `transitive_features = ["lvi_no_auto_mitigation"]` to your BUILD target. As a middle ground, an `lvi_control_flow_mitigation` feature is also provided that adds mitigations to the most critical places (around control flow decisions) identified in the vulnerability while avoiding most of the performance penalty associated with the full mitigation.
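The three mitigation levels side by side, as an added BUILD-file example that is not part of this announcement or the Asylo repository; the rule name `cc_unsigned_enclave`, the `@com_google_asylo//asylo:enclave_runtime` dependency and the source file name are assumptions about a project's setup, while the two feature names come from the text above.

```starlark
# Hypothetical BUILD file (added example, not Asylo's own code).
# Assumption: cc_unsigned_enclave from Asylo's asylo.bzl accepts the
# transitive_features attribute described in the release notes.
load("@com_google_asylo//asylo/bazel:asylo.bzl", "cc_unsigned_enclave")

# 1. Default: no transitive_features, so the toolchain applies the most
#    aggressive LVI mitigation (fences around many memory accesses).
#    Safest choice; pays the full performance penalty.
cc_unsigned_enclave(
    name = "server_enclave_full_lvi_unsigned.so",
    srcs = ["server_enclave.cc"],  # assumed source file
    deps = ["@com_google_asylo//asylo:enclave_runtime"],
)

# 2. Middle ground: fences only around control-flow decisions, keeping
#    most of the performance while covering the most critical sites.
cc_unsigned_enclave(
    name = "server_enclave_cf_lvi_unsigned.so",
    srcs = ["server_enclave.cc"],
    transitive_features = ["lvi_control_flow_mitigation"],
    deps = ["@com_google_asylo//asylo:enclave_runtime"],
)

# 3. Opt out entirely. Only appropriate once an analysis has concluded
#    LVI is outside the enclave's threat model; the same effect on a
#    single build comes from the command line:
#      bazel build //pkg:server_enclave_full_lvi_unsigned.so \
#          --features=lvi_no_auto_mitigation
cc_unsigned_enclave(
    name = "server_enclave_no_lvi_unsigned.so",
    srcs = ["server_enclave.cc"],
    transitive_features = ["lvi_no_auto_mitigation"],
    deps = ["@com_google_asylo//asylo:enclave_runtime"],
)
```

Because `transitive_features` applies to the target's dependencies as well, the chosen level covers the enclave runtime and libraries linked into the enclave, not just the listed sources.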

Synchronization primitives inside of Asylo enclaves now maintain correctness without needing to “spin” execution. The futex mechanism of the host kernel is used to efficiently block execution, while trusted code inside the enclave ensures a malicious host still cannot disrupt synchronization correctness. This dramatically reduces CPU utilization in wait-heavy workloads (e.g., gRPC servers).

Bazel’s new Transitions feature has matured to the point that we have enabled it by default for enclave target and enclave test definitions. This simplifies the build process, and `--config=sgx` (and similar) flags are no longer needed to build enclave targets. Instead, the needed build flags and configuration are dynamically added to relevant targets and dependencies automatically. See our Building documentation for more details.

Remote attestation support, using either Asylo’s Assertion Generator Enclave (AGE) or Intel’s Quoting Enclave (QE), is complete and can be used to verify the identity of enclaves running on remote systems. Through Asylo’s integration of the Enclave Key Exchange Protocol (EKEP), applications using gRPC can easily take advantage of remote attestation.

Changes since 0.5.3 include:
  • LVI vulnerability mitigations
  • Bazel transitions support
  • Efficient synchronization primitives
  • Remote attestation support complete. See SgxIntelEcdsaQeRemoteAssertionGenerator and EnclaveCredentialsOptions.
  • Utility provided to fetch PCK certificates from Intel’s PCS
  • Support for Intel’s (soon-to-be) upstream SGX kernel driver. Asylo now supports both Intel’s separate GitHub SGX kernel driver and the version being integrated with the main Linux kernel tree.
  • Additional input validation for fork() and recvfrom(). Fixes vulnerabilities reported by Baidu Security (commit: e582f36a299f804a).
  • Updated to newer versions of dependencies
  • Improved documentation and testing
  • Maintenance work and bug fixes
Compatibility:
  • AesGcmSivCryptor was previously deprecated and is now removed. Use AeadCryptor instead (commit: 72202635df55fa1)
  • The ENCLAVE_STORAGE_SET_KEY ioctl definition (needed for using Asylo’s secure storage) is no longer included in <sys/ioctl.h> (deprecated previously). Users must now include `asylo/secure_storage.h` to get this macro. (commit: 0e0f9e0)
  • The “Match” method on expectation matchers is deprecated. Use “MatchAndExplain” instead (commit: 03b767d6)
  • Bazel transitions support enabled by default. “--config=<backend>” flags should no longer be given on the Bazel command line. If you need to block this change for any of your targets, the non-transition-based build style can be reactivated from your WORKSPACE file during a transitional period. See Building documentation. (commit: 66f4184c)
  • Identity-related headers were previously moved, but the old locations remained for compatibility. Those old locations have now been removed. (commit: 2fd415c4)
  • In order to use gRPC, a project’s WORKSPACE file should call grpc_deps() and grpc_extra_deps(). In the past, Asylo implicitly imported some of gRPC’s dependencies, but this should not be relied upon. (commit: 806eeffc)
  • Support for legacy `SgxIdentity` messages (previously deprecated) has been removed. (commit: e7abad7f)
