v0.8.0-rc1

First candidate for the v0.8.0 release.

v0.7.0

Added:

• Added support for Ubuntu 20.04

• Added sample and design for secure secret release, see https://github.com/deislabs/mystikos/blob/main/doc/design/secret-provisioning.md and https://github.com/deislabs/mystikos/tree/main/solutions/confidential_ml

• Added tests for Python Flask, PANDAS, Azure Python SDK

• Added mpd.py to debug Python applications in Mystikos.

• Added Python PTY support

• Added support for #! Execution

• Added support for ioctl(FIONBIO), LD_PRELOAD, SYS_Setsid, SYS_Write, execveat,sched_getparam, umask support in create/open/mkdir syscalls, /proc/stat for enclaves, /proc/[pid]/stat for enclaves.

• Added Support for interruptible syscalls

• Added sample to demonstrate ONNX running in Mystikos

• Added sample for running Mystikos on Kubernetes

• Added feature to get the environmental variables specified in the docker container to be available inside Mystikos

Changed:

• Improved stability and performance in general - fixes for mprotect, msync, FUTEX, dup, sendfile, recvfrom, O_PATH, Python itimer, locale support for Ubuntu based apps

• Enabled .NET core P1 tests

Known issues:

• Developers should refrain from using AF_LOCAL and AF_ALG for sensitive data exchanges. Use AF_INET or IF_INET6 and make sure the traffic over the socket is always encrypted.

v0.7.0-rc1

First release candidate for the v0.7.0 release.

Added:

• Added support for Ubuntu 20.04

• Added sample and design for secure secret release, see https://github.com/deislabs/mystikos/blob/main/doc/design/secret-provisioning.md and https://github.com/deislabs/mystikos/tree/main/solutions/confidential_ml

• Added tests for Python Flask, PANDAS, Azure Python SDK

• Added mpd.py to debug Python applications in Mystikos.

• Added Python PTY support

• Added support for #! Execution

• Added support for ioctl(FIONBIO), LD_PRELOAD, SYS_Setsid, SYS_Write, execveat,sched_getparam, umask support in create/open/mkdir syscalls, /proc/stat for enclaves, /proc/[pid]/stat for enclaves.

• Added Support for interruptible syscalls

• Added sample to demonstrate ONNX running in Mystikos

• Added sample for running Mystikos on Kubernetes

• Added feature to get the environmental variables specified in the docker container to be available inside Mystikos

Changed:

• Improved stability and performance in general - fixes for mprotect, msync, FUTEX, dup, sendfile, recvfrom, O_PATH, Python itimer, locale support for Ubuntu based apps

• Enabled .NET core P1 tests

Known issues:

• Developers should refrain from using AF_LOCAL and AF_ALG for sensitive data exchanges. Use AF_INET or IF_INET6 and make sure the traffic over the socket is always encrypted.

v0.5.0

Added:

• Added support for the following syscalls: vfork, SYS_sendmsg, SYS_recvmsg, SYS_sync, SYS_pause, RLIMIT options (NPROC, AS and FSIZE), F_SETFL for fcntl, SYS_waitid, SYS_fsetxattr, SYS_mkdirat, SYS_fchmodat
• Added samples demonstrating tensorflow_lite and NginX inside Mystikos
• Added myst_lldb, a utility to enable debugging of .NET applications in Mystikos
• Enabled cypthon3.9 test suite, PANDAS test suite, Microsoft C++ REST SDK test suite
• Added NoBrk(an option to enable a safer way to run multi-process apps using fork-exec) option to configuration options
• Added UnhandledSyscallEnosys(an option to prevent the termination of a program using myst_panic when an unimplemented syscall is encountered in the mystikos) option to configuration options
• Added /proc/[pid]/stat
• Support SIGSTOP and SIGCONT signals and waitpid() option WUNTRACED

Changed:

• Improved stability and performance in general
• Improved coverage for cpython3.8 test suite, LTP test suite, .NET 5 test suite
• Improved support for .NET applications in Mystikos
• Moved to using OpenSSL 1.1.1L as the underlying crypto library for Open Enclave SDK libraries
• Settings in config.json overwrite command line arguments. If not specified in config.json explicitly the default config setting is used.
• Improved stability in fork mode pseudo_wait_for_exit_exec
• Child processes now get SIGHUP when parent is shutting down
• Main top-level process does not completely exit until all children have shutdown

Removed:

• Fork mode pseudo_kill_children was removed in favor of sending SIGHUP to children

Known issues:

• Some synchronous pipe, file and socket APIs are not interruptible with signals which can cause shutdown of applications to hang
• Only support fork mode pseudo_wait_for_exit_exec. Fork mode pseudo is only used for testing and has many limitations

Security updates:

• Fixed issue# #772 which ensures that the configuration running inside the enclave is what is reflected in the attestation report

v0.5.0-rc2

Second RC for the v0.5.0 release

v0.5.0-rc1

First release candidate for the v0.5.0 release

v0.2.0-rc2

Second release candidate for the mystikos v0.2.0 release

v0.2.0

Added:

• EXT2 file system support
• Added an experimental pseudo-fork feature (disabled by default) that can work in similar ways to the vfork system call, except it gets its own copy of the stack
• Included the following test suites in our test pipelines: libcxx (targeting both musl and glibc), sockperf, Azure SDK for dotnet, and Azure SDK for C++
• Added code coverage measurement with gcov, using lcov to generate a report in our pipeline
• Added support for identity related syscalls, and partially enforce the permissions tied to the identities
• Added full or partial support for ~50 syscalls used by .NET runtime, Python runtime, and other key usages
• Allowed host file systems to be auto-mounted through config.json
• Multiple samples/solutions to showcase support for selected C/C++, C#, Java, Rust, and Python applications
• Partial support for virtual files under /dev and /proc
• Debugging capability of .NET applications with libsos
• Forward hardware exceptions to the kernel
• ‘Debug malloc’ option for detecting memory leaks and memory related bugs

Changed:

• Augmented musl based C-runtime for better compatibility with applications built against the glibc C-runtime
• Adopted Open Enclave SDK version 0.17.0 and the security fix from Open Enclave version 0.17.1.
• Enabled more tests in the following existing test suites: libc, .NET runtime, and ltp
• The attestation credentials generated by Mystikos and the interface for applications to request such credentials during startup time
• Retrieve DNS server configuration during Mystikos app launch time instead of build time
• Enhancement to the memory manager
• Separate kernel stacks from application stacks, and allocate the kernel stack on demand
• Improved capability and usability of myst-appbuilder tool
• Improved stability and performance in general
• Addressed issues report by CodeQL scan

Removed:

• The dependency on musl-gcc or Alpine Linux
• The need for users to specify a kernel memory size in config.json
• The need for users to specify a maximum number of threads required in config.json

Known issues:

• Under certain situations, a Mystikos app might fail to exit due to a blocking I/O syscall
• Under rare situation, a Mystikos app might crash instead of exiting normally.

Security updates:

• Applied Open Enclave SDK's fix to CVE-2021-33767

v0.2-rc1

• Release candidate for the v0.2.0 release

Mystikos release 0.1.2

Added

• A kernel that handles syscalls within the constraints of a TEE environment
• Patches to MUSL libc that adapts it to the kernel
• An open architecture that allows plugin of different hardware TEEs
• Tools for creating container images consumable by Mystikos
• Documentations and solutions showcasing various use cases of Mystikos

Changed

• N/A

Removed

• N/A

Fixed

• N/A

Deprecated

• N/A

Known issues

• Samples are incomplete. Tests and solutions are complementary to samples.
• Sample echo is broken.
• Building from the source needs a manual fix in the underlying OE SDK.