Skip to content
Permalink

Comparing changes

Choose two branches to see what’s changed or to start a new pull request. If you need to, you can also or learn more about diff comparisons.

Open a pull request

Create a new pull request by comparing changes across two branches. If you need to, you can also . Learn more about diff comparisons here.
base repository: edgelesssys/marblerun
Failed to load repositories. Confirm that selected base ref is valid, then try again.
Loading
base: v1.6.0
Choose a base ref
...
head repository: edgelesssys/marblerun
Failed to load repositories. Confirm that selected head ref is valid, then try again.
Loading
compare: master
Choose a head ref

Commits on Oct 30, 2024

  1. docs: release v1.6 (#754)

    * Add versioned docs for v1.6
    * Set MarbleRun and EStore versions for estore sample to stable release
    
    ---------
    
    Signed-off-by: Daniel Weiße <dw@edgeless.systems>
    daniel-weisse authored Oct 30, 2024
    Copy the full SHA
    d8deb71 View commit details

Commits on Nov 4, 2024

  1. deps: update module github.com/edgelesssys/ego to v1.6.0 (#756)

    Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
    renovate[bot] authored Nov 4, 2024
    Copy the full SHA
    9f22676 View commit details
  2. deps: update gramineproject/gramine Docker tag to v1.8 (#755)

    Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
    renovate[bot] authored Nov 4, 2024
    Copy the full SHA
    7d34673 View commit details

Commits on Nov 7, 2024

  1. Copy the full SHA
    f8fe8f7 View commit details
  2. docs: fix link

    thomasten committed Nov 7, 2024
    Copy the full SHA
    f7653fb View commit details

Commits on Nov 12, 2024

  1. deps: update lycheeverse/lychee-action action to v2.1.0 (#760)

    Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
    renovate[bot] authored Nov 12, 2024
    Copy the full SHA
    6208927 View commit details

Commits on Nov 13, 2024

  1. deps: update Go dependencies (#759)

    * deps: update Go dependencies
    
    * Bump Go version to 1.23.3
    
    ---------
    
    Signed-off-by: Daniel Weiße <dw@edgeless.systems>
    Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
    Co-authored-by: Daniel Weiße <dw@edgeless.systems>
    renovate[bot] and daniel-weisse authored Nov 13, 2024
    Copy the full SHA
    73cc2ca View commit details
  2. Copy the full SHA
    82dc444 View commit details

Commits on Nov 14, 2024

  1. docs: add backup workflow (#763)

    * docs: add backup workflow
    
    * add to current docs
    thomasten authored Nov 14, 2024
    Copy the full SHA
    21c4dca View commit details

Commits on Nov 18, 2024

  1. deps: update Go dependencies (#765)

    Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
    renovate[bot] authored Nov 18, 2024
    Copy the full SHA
    1a39a52 View commit details
  2. fix: JSON formatted logs for all Coordinator and marble-injector mess…

    …ages (#764)
    
    * Log Coordinator's http internal errors to zap logger
    * Use structured logging in marble-injector
    * Refactor marble-injector test
    
    ---------
    
    Signed-off-by: Daniel Weiße <dw@edgeless.systems>
    daniel-weisse authored Nov 18, 2024
    Copy the full SHA
    47b1793 View commit details

Commits on Nov 20, 2024

  1. deps: update Node dependencies (#761)

    * deps: update Node dependencies
    * Remove redocusaurus package override
    * Add package-lock.json
    
    ---------
    
    Signed-off-by: Daniel Weiße <dw@edgeless.systems>
    Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
    Co-authored-by: Daniel Weiße <dw@edgeless.systems>
    renovate[bot] and daniel-weisse authored Nov 20, 2024
    Copy the full SHA
    545d5f1 View commit details
  2. premain: enable JSON formatted logs if EDG_LOG_FORMAT=json (#766)

    * marble-injector: fix incorrect log level for error messages
    * premain: enable JSON formatted logs if env var is set
    * Document EDG_LOG_FORMAT variable
    
    ---------
    
    Signed-off-by: Daniel Weiße <dw@edgeless.systems>
    daniel-weisse authored Nov 20, 2024
    Copy the full SHA
    82ce121 View commit details

Commits on Nov 21, 2024

  1. deps: update module github.com/cert-manager/cert-manager to v1.16.2 […

    …SECURITY] (#767)
    
    Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
    renovate[bot] authored Nov 21, 2024
    Copy the full SHA
    cad3da2 View commit details

Commits on Nov 22, 2024

  1. docs: refactor gtag

    thomasten committed Nov 22, 2024
    Copy the full SHA
    33de69e View commit details

Commits on Nov 25, 2024

  1. deps: update Go dependencies (#769)

    Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
    renovate[bot] authored Nov 25, 2024
    Copy the full SHA
    8337710 View commit details
  2. deps: update Node dependencies to v3.6.3 (#770)

    Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
    renovate[bot] authored Nov 25, 2024
    Copy the full SHA
    630732e View commit details

Commits on Dec 9, 2024

  1. deps: update Go dependencies (#772)

    Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
    renovate[bot] authored Dec 9, 2024
    Copy the full SHA
    981bdaa View commit details

Commits on Dec 10, 2024

  1. cli: support for authenticating with private keys and certificates st…

    …ored in PKCS #11 backend (#771)
    
    Signed-off-by: Daniel Weiße <dw@edgeless.systems>
    daniel-weisse authored Dec 10, 2024
    Copy the full SHA
    62bacea View commit details
  2. cli: align descriptions of --cert and --key flags (#775)

    Signed-off-by: Daniel Weiße <dw@edgeless.systems>
    daniel-weisse authored Dec 10, 2024
    Copy the full SHA
    a632a9b View commit details

Commits on Dec 12, 2024

  1. deps: update module golang.org/x/crypto to v0.31.0 [SECURITY] (#776)

    Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
    renovate[bot] authored Dec 12, 2024
    Copy the full SHA
    8e1aacf View commit details

Commits on Dec 13, 2024

  1. Require labels on PRs (#778)

    * Add release template
    * Add require-label workflow
    
    ---------
    
    Signed-off-by: Daniel Weiße <dw@edgeless.systems>
    daniel-weisse authored Dec 13, 2024
    Copy the full SHA
    ac0523f View commit details

Commits on Dec 16, 2024

  1. deps: update dependency prism-react-renderer to v2.4.1 (#780)

    Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
    renovate[bot] authored Dec 16, 2024
    Copy the full SHA
    512f38c View commit details
  2. coordinator: fix equality checks for manifest properties (#777)

    * fix DisableSecretBinding ignored in Marble.Equal
    
    * fix AcceptedTCBStatuses and AcceptedAdvisories ignored in PackageProperties.Equal
    
    ---------
    
    Signed-off-by: Daniel Weiße <dw@edgeless.systems>
    Co-authored-by: Thomas Tendyck <tt@edgeless.systems>
    daniel-weisse and thomasten authored Dec 16, 2024
    Copy the full SHA
    e7ee0c1 View commit details

Commits on Jan 6, 2025

  1. deps: update GitHub action dependencies (#781)

    Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
    renovate[bot] authored Jan 6, 2025
    Copy the full SHA
    8c0ab53 View commit details
  2. deps: update Node dependencies to v3.7.0 (#783)

    Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
    renovate[bot] authored Jan 6, 2025
    Copy the full SHA
    9b4066f View commit details

Commits on Jan 8, 2025

  1. Fix Marble verification with Coordinator root certificate (#782)

    * Fix Marble verification with Coordinator root certificate
    
    * fix lint
    thomasten authored Jan 8, 2025
    Copy the full SHA
    b876f1a View commit details

Commits on Jan 9, 2025

  1. Support injection of Coordinator root and intermediate certificates i…

    …nto Marble environment (#784)
    
    Signed-off-by: Daniel Weiße <dw@edgeless.systems>
    daniel-weisse authored Jan 9, 2025
    Copy the full SHA
    ea27924 View commit details

Commits on Jan 13, 2025

  1. deps: update actions/upload-artifact action to v4.6.0 (#787)

    Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
    renovate[bot] authored Jan 13, 2025
    Copy the full SHA
    55456de View commit details

Commits on Jan 14, 2025

  1. coordinator: threshold manifest update support (#785)

    Signed-off-by: Daniel Weiße <dw@edgeless.systems>
    daniel-weisse authored Jan 14, 2025
    Copy the full SHA
    c0ea5c1 View commit details

Commits on Jan 15, 2025

  1. Copy the full SHA
    183281e View commit details
  2. cli: fix missing newline when performing multi party recovery (#789)

    Signed-off-by: Daniel Weiße <dw@edgeless.systems>
    daniel-weisse authored Jan 15, 2025
    Copy the full SHA
    a321108 View commit details
  3. cli: fix certificate command errors when --insecure flag is set (#790)

    Signed-off-by: Daniel Weiße <dw@edgeless.systems>
    daniel-weisse authored Jan 15, 2025
    Copy the full SHA
    00443fd View commit details
  4. coordinator: add debug logging (#786)

    * coordinator: add debug logging
    * Use Coordinator debug logging in integration test
    
    ---------
    
    Signed-off-by: Daniel Weiße <dw@edgeless.systems>
    daniel-weisse authored Jan 15, 2025
    Copy the full SHA
    8214a38 View commit details

Commits on Jan 20, 2025

  1. deps: update dependency redocusaurus to v2.2.1 (#792)

    Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
    renovate[bot] authored Jan 20, 2025
    Copy the full SHA
    3f55e9c View commit details
  2. deps: update golangci/golangci-lint-action action to v6.2.0 (#791)

    Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
    renovate[bot] authored Jan 20, 2025
    Copy the full SHA
    47eef49 View commit details

Commits on Jan 29, 2025

  1. Copy the full SHA
    701a308 View commit details

Commits on Feb 1, 2025

  1. deps: update Go dependencies

    renovate[bot] authored and thomasten committed Feb 1, 2025
    Copy the full SHA
    4c62203 View commit details

Commits on Feb 3, 2025

  1. Prepare release v1.7.0

    thomasten committed Feb 3, 2025
    Copy the full SHA
    08a4d8b View commit details

Commits on Feb 4, 2025

  1. Merge commit from fork

    * verify recovery key signatures before comitting recovery
    
    Signed-off-by: Daniel Weiße <dw@edgeless.systems>
    
    * cli: fix private key loading function
    
    Signed-off-by: Daniel Weiße <dw@edgeless.systems>
    
    * coordinator: increase security version number to 2
    
    Signed-off-by: Daniel Weiße <dw@edgeless.systems>
    
    * store: tighten up interface
    
    Signed-off-by: Daniel Weiße <dw@edgeless.systems>
    
    * stdstore: revert nil check
    
    Signed-off-by: Daniel Weiße <dw@edgeless.systems>
    
    * coordinator: bind sealed key to state
    
    Signed-off-by: Daniel Weiße <dw@edgeless.systems>
    
    * coordinator: split up setting and sealing of store key
    
    Signed-off-by: Daniel Weiße <dw@edgeless.systems>
    
    * coordinator: add context to BeginReadTransaction
    
    Signed-off-by: Daniel Weiße <dw@edgeless.systems>
    
    * coordinator: remove redundant key sealing
    
    Signed-off-by: Daniel Weiße <dw@edgeless.systems>
    
    * clientapi: fix incorrect secret when starting read transaction
    
    Signed-off-by: Daniel Weiße <dw@edgeless.systems>
    
    * cli: add test for pkcs11 rsa key loading
    
    Signed-off-by: Daniel Weiße <dw@edgeless.systems>
    
    * cli: update recover command documentation
    
    Signed-off-by: Daniel Weiße <dw@edgeless.systems>
    
    * sealer: fix doc comment
    
    Signed-off-by: Daniel Weiße <dw@edgeless.systems>
    
    * server: remove redundant return statement
    
    Signed-off-by: Daniel Weiße <dw@edgeless.systems>
    
    * stdstore: replace key backup with atomic file replace
    
    Signed-off-by: Daniel Weiße <dw@edgeless.systems>
    
    * add tests for security fix
    
    Signed-off-by: Daniel Weiße <dw@edgeless.systems>
    
    * stdstore: fix seal mode not being correctly set after recovery
    
    Signed-off-by: Daniel Weiße <dw@edgeless.systems>
    
    * add integration test to verify key binding
    
    Signed-off-by: Daniel Weiße <dw@edgeless.systems>
    
    * docs: update recovery workflows
    
    Signed-off-by: Daniel Weiße <dw@edgeless.systems>
    
    * fix linting issues
    
    Signed-off-by: Daniel Weiße <dw@edgeless.systems>
    
    ---------
    
    Signed-off-by: Daniel Weiße <dw@edgeless.systems>
    daniel-weisse authored Feb 4, 2025
    Copy the full SHA
    e4864f9 View commit details
  2. docs: v1.7 versioned docs (#796)

    Signed-off-by: Daniel Weiße <dw@edgeless.systems>
    daniel-weisse authored Feb 4, 2025
    Copy the full SHA
    387eb1c View commit details

Commits on Feb 5, 2025

  1. cli: accept both PKCS#1 and PKCS#8 private keys for recovery (#798)

    * cli: accept both PKCS#1 and PKCS#8 private recovery keys
    * docs: add hint about converting key to PKCS#8 format
    
    ---------
    
    Signed-off-by: Daniel Weiße <dw@edgeless.systems>
    Co-authored-by: Thomas Tendyck <51411342+thomasten@users.noreply.github.com>
    daniel-weisse and thomasten authored Feb 5, 2025
    Copy the full SHA
    fcadb65 View commit details

Commits on Feb 6, 2025

  1. deps: update module github.com/edgelesssys/marblerun to v1.7.0 [SECUR…

    …ITY] (#797)
    
    * deps: update module github.com/edgelesssys/marblerun to v1.7.0 [SECURITY]
    
    ---------
    
    Signed-off-by: Daniel Weiße <dw@edgeless.systems>
    Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
    Co-authored-by: Daniel Weiße <dw@edgeless.systems>
    renovate[bot] and daniel-weisse authored Feb 6, 2025
    Copy the full SHA
    7de4e7d View commit details

Commits on Feb 10, 2025

  1. deps: update Go dependencies (#800)

    Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
    renovate[bot] authored Feb 10, 2025
    Copy the full SHA
    d4fb426 View commit details
  2. deps: update GitHub action dependencies (#799)

    Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
    renovate[bot] authored Feb 10, 2025
    Copy the full SHA
    2ff71ba View commit details

Commits on Feb 14, 2025

  1. Copy the full SHA
    f800058 View commit details
  2. docs: backport

    thomasten committed Feb 14, 2025
    Copy the full SHA
    7bc2d1a View commit details
  3. Copy the full SHA
    fb86b52 View commit details

Commits on Feb 17, 2025

  1. deps: update golangci/golangci-lint-action action to v6.5.0 (#803)

    * deps: update golangci/golangci-lint-action action to v6.5.0
    * fix golangci-lint config
    * replace deprecated linters
    
    ---------
    
    Signed-off-by: Daniel Weiße <dw@edgeless.systems>
    Co-authored-by: Daniel Weiße <dw@edgeless.systems>
    renovate[bot] and daniel-weisse authored Feb 17, 2025
    Copy the full SHA
    e3fca5b View commit details
  2. deps: update Go dependencies (#802)

    Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
    renovate[bot] authored Feb 17, 2025
    Copy the full SHA
    e4a3477 View commit details
Showing with 33,572 additions and 1,272 deletions.
  1. +23 −0 .github/release.yml
  2. +1 −1 .github/workflows/links.yml
  3. +1 −1 .github/workflows/lint.yml
  4. +24 −0 .github/workflows/require-label.yml
  5. +1 −1 .github/workflows/unittests.yml
  6. +1 −0 .github/workflows/vale.yml
  7. +4 −3 .golangci.yml
  8. +6 −4 CMakeLists.txt
  9. +45 −21 api/api.go
  10. +0 −25 api/v1.go
  11. +5 −2 api/v2.go
  12. +2 −2 charts/Chart.yaml
  13. +2 −2 charts/README.md
  14. +1 −1 charts/templates/coordinator.yaml
  15. +7 −6 charts/values.yaml
  16. +36 −6 cli/internal/certcache/cert.go
  17. +3 −1 cli/internal/cmd/certificate.go
  18. +21 −0 cli/internal/cmd/cmd.go
  19. +21 −16 cli/internal/cmd/manifestUpdate.go
  20. +95 −6 cli/internal/cmd/recover.go
  21. +92 −0 cli/internal/cmd/recover_test.go
  22. +1 −5 cli/internal/cmd/secret.go
  23. +6 −1 cli/internal/cmd/secretGet.go
  24. +6 −1 cli/internal/cmd/secretSet.go
  25. +122 −0 cli/internal/pkcs11/pkcs11.go
  26. +261 −0 cli/internal/pkcs11/pkcs11_integration_test.go
  27. +9 −2 cmd/coordinator/enclavemain.go
  28. +10 −2 cmd/coordinator/main.go
  29. +1 −18 cmd/coordinator/run.go
  30. +22 −8 cmd/marble-injector/main.go
  31. +6 −3 cmd/marble-test/main.go
  32. +19 −1 cmd/premain-libos/main.go
  33. +69 −47 coordinator/clientapi/clientapi.go
  34. +123 −47 coordinator/clientapi/clientapi_test.go
  35. +1 −1 coordinator/clientapi/legacy_test.go
  36. +5 −0 coordinator/constants/constants.go
  37. +1 −1 coordinator/core/certificate_test.go
  38. +16 −7 coordinator/core/core.go
  39. +21 −11 coordinator/core/core_test.go
  40. +26 −29 coordinator/core/marbleapi.go
  41. +15 −14 coordinator/core/marbleapi_test.go
  42. +6 −6 coordinator/core/metrics_test.go
  43. +31 −17 coordinator/manifest/manifest.go
  44. +279 −15 coordinator/manifest/manifest_test.go
  45. +6 −0 coordinator/quote/ert.go
  46. +2 −2 coordinator/recovery/recovery.go
  47. +1 −6 coordinator/recovery/single.go
  48. +12 −4 coordinator/seal/mocksealer.go
  49. +35 −21 coordinator/seal/noenclavesealer.go
  50. +52 −28 coordinator/seal/seal.go
  51. +3 −2 coordinator/seal/seal_test.go
  52. +1 −1 coordinator/server/handler/handler.go
  53. +1 −1 coordinator/server/metrics_test.go
  54. +2 −0 coordinator/server/server.go
  55. +5 −35 coordinator/server/v1/v1.go
  56. +2 −0 coordinator/server/v2/types.go
  57. +1 −1 coordinator/server/v2/v2.go
  58. +155 −39 coordinator/store/stdstore/stdstore.go
  59. +12 −11 coordinator/store/stdstore/stdstore_test.go
  60. +18 −2 coordinator/store/store.go
  61. +3 −2 coordinator/store/wrapper/wrapper_test.go
  62. +4 −4 dockerfiles/Dockerfile.cli
  63. +4 −4 dockerfiles/Dockerfile.coordinator
  64. +1 −2 docs/.gitignore
  65. +1 −1 docs/docs/deployment/platforms/alibaba.md
  66. +56 −20 docs/docs/reference/cli.md
  67. +7 −42 docs/docs/reference/coordinator.md
  68. +4 −2 docs/docs/workflows/add-service.md
  69. +108 −0 docs/docs/workflows/backup.md
  70. +13 −1 docs/docs/workflows/define-manifest.md
  71. +11 −31 docs/docs/workflows/recover-coordinator.md
  72. +3 −2 docs/docs/workflows/update-manifest.md
  73. +50 −0 docs/docs/workflows/user-authentication.md
  74. +5 −7 docs/docusaurus.config.js
  75. +19,103 −0 docs/package-lock.json
  76. +5 −9 docs/package.json
  77. +10 −0 docs/sidebars.js
  78. +5 −0 docs/static/gtagman.js
  79. +4 −3 docs/versioned_docs/version-1.1/workflows/recover-coordinator.md
  80. +1 −1 docs/versioned_docs/version-1.2/deployment/platforms/alibaba.md
  81. +1 −1 docs/versioned_docs/version-1.2/features/attestation.md
  82. +2 −0 docs/versioned_docs/version-1.2/features/secrets-management.md
  83. +2 −2 docs/versioned_docs/version-1.2/workflows/add-service.md
  84. +7 −1 docs/versioned_docs/version-1.2/workflows/define-manifest.md
  85. +4 −3 docs/versioned_docs/version-1.2/workflows/recover-coordinator.md
  86. +2 −0 docs/versioned_docs/version-1.2/workflows/update-manifest.md
  87. +1 −1 docs/versioned_docs/version-1.3/deployment/platforms/alibaba.md
  88. +1 −1 docs/versioned_docs/version-1.3/features/attestation.md
  89. +2 −0 docs/versioned_docs/version-1.3/features/secrets-management.md
  90. +2 −2 docs/versioned_docs/version-1.3/workflows/add-service.md
  91. +7 −1 docs/versioned_docs/version-1.3/workflows/define-manifest.md
  92. +4 −3 docs/versioned_docs/version-1.3/workflows/recover-coordinator.md
  93. +2 −0 docs/versioned_docs/version-1.3/workflows/update-manifest.md
  94. +1 −1 docs/versioned_docs/version-1.4/deployment/platforms/alibaba.md
  95. +1 −1 docs/versioned_docs/version-1.4/features/attestation.md
  96. +2 −0 docs/versioned_docs/version-1.4/features/secrets-management.md
  97. +2 −2 docs/versioned_docs/version-1.4/workflows/add-service.md
  98. +7 −1 docs/versioned_docs/version-1.4/workflows/define-manifest.md
  99. +4 −3 docs/versioned_docs/version-1.4/workflows/recover-coordinator.md
  100. +2 −0 docs/versioned_docs/version-1.4/workflows/update-manifest.md
  101. +1 −1 docs/versioned_docs/version-1.5/deployment/platforms/alibaba.md
  102. +2 −2 docs/versioned_docs/version-1.5/workflows/add-service.md
  103. +7 −1 docs/versioned_docs/version-1.5/workflows/define-manifest.md
  104. +4 −3 docs/versioned_docs/version-1.5/workflows/recover-coordinator.md
  105. +3 −0 docs/versioned_docs/version-1.6/_media/cert-chain.svg
  106. +37 −0 docs/versioned_docs/version-1.6/_media/coordinator_deployment.svg
  107. +3 −0 docs/versioned_docs/version-1.6/_media/enc-state-distributed.svg
  108. +3 −0 docs/versioned_docs/version-1.6/_media/enc-state-single.svg
  109. +53 −0 docs/versioned_docs/version-1.6/_media/marble_deployment.svg
  110. +41 −0 docs/versioned_docs/version-1.6/_media/overview.svg
  111. +3 −0 docs/versioned_docs/version-1.6/_media/security_architecture.svg
  112. +36 −0 docs/versioned_docs/version-1.6/_media/service_mesh.svg
  113. +37 −0 docs/versioned_docs/version-1.6/_media/verify_cluster.svg
  114. +35 −0 docs/versioned_docs/version-1.6/architecture/concepts.md
  115. +27 −0 docs/versioned_docs/version-1.6/architecture/coordinator.md
  116. +6 −0 docs/versioned_docs/version-1.6/architecture/marbles.md
  117. +115 −0 docs/versioned_docs/version-1.6/architecture/security.md
  118. +20 −0 docs/versioned_docs/version-1.6/building-marbles/ego.md
  119. +164 −0 docs/versioned_docs/version-1.6/building-marbles/gramine.md
  120. +78 −0 docs/versioned_docs/version-1.6/building-marbles/occlum.md
  121. +210 −0 docs/versioned_docs/version-1.6/deployment/kubernetes.md
  122. +71 −0 docs/versioned_docs/version-1.6/deployment/platforms/alibaba.md
  123. +29 −0 docs/versioned_docs/version-1.6/deployment/platforms/azure.md
  124. +90 −0 docs/versioned_docs/version-1.6/deployment/platforms/on-prem.md
  125. +16 −0 docs/versioned_docs/version-1.6/deployment/platforms/platforms.md
  126. +56 −0 docs/versioned_docs/version-1.6/deployment/standalone.md
  127. +58 −0 docs/versioned_docs/version-1.6/features/attestation.md
  128. +71 −0 docs/versioned_docs/version-1.6/features/kubernetes-integration.md
  129. +32 −0 docs/versioned_docs/version-1.6/features/manifest.md
  130. +53 −0 docs/versioned_docs/version-1.6/features/recovery.md
  131. +20 −0 docs/versioned_docs/version-1.6/features/runtimes.md
  132. +33 −0 docs/versioned_docs/version-1.6/features/secrets-management.md
  133. +12 −0 docs/versioned_docs/version-1.6/features/transparent-TLS.md
  134. +30 −0 docs/versioned_docs/version-1.6/getting-started/examples.md
  135. +134 −0 docs/versioned_docs/version-1.6/getting-started/installation.md
  136. +174 −0 docs/versioned_docs/version-1.6/getting-started/quickstart.md
  137. +45 −0 docs/versioned_docs/version-1.6/intro.md
  138. +997 −0 docs/versioned_docs/version-1.6/reference/cli.md
  139. +1,233 −0 docs/versioned_docs/version-1.6/reference/coordinator.md
  140. +167 −0 docs/versioned_docs/version-1.6/workflows/add-service.md
  141. +108 −0 docs/versioned_docs/version-1.6/workflows/backup.md
  142. +546 −0 docs/versioned_docs/version-1.6/workflows/define-manifest.md
  143. +92 −0 docs/versioned_docs/version-1.6/workflows/managing-secrets.md
  144. +54 −0 docs/versioned_docs/version-1.6/workflows/monitoring.md
  145. +137 −0 docs/versioned_docs/version-1.6/workflows/recover-coordinator.md
  146. +30 −0 docs/versioned_docs/version-1.6/workflows/set-manifest.md
  147. +178 −0 docs/versioned_docs/version-1.6/workflows/update-manifest.md
  148. +56 −0 docs/versioned_docs/version-1.6/workflows/updates.md
  149. +40 −0 docs/versioned_docs/version-1.6/workflows/verification.md
  150. +3 −0 docs/versioned_docs/version-1.7/_media/cert-chain.svg
  151. +37 −0 docs/versioned_docs/version-1.7/_media/coordinator_deployment.svg
  152. +3 −0 docs/versioned_docs/version-1.7/_media/enc-state-distributed.svg
  153. +3 −0 docs/versioned_docs/version-1.7/_media/enc-state-single.svg
  154. +53 −0 docs/versioned_docs/version-1.7/_media/marble_deployment.svg
  155. +41 −0 docs/versioned_docs/version-1.7/_media/overview.svg
  156. +3 −0 docs/versioned_docs/version-1.7/_media/security_architecture.svg
  157. +36 −0 docs/versioned_docs/version-1.7/_media/service_mesh.svg
  158. +37 −0 docs/versioned_docs/version-1.7/_media/verify_cluster.svg
  159. +35 −0 docs/versioned_docs/version-1.7/architecture/concepts.md
  160. +27 −0 docs/versioned_docs/version-1.7/architecture/coordinator.md
  161. +6 −0 docs/versioned_docs/version-1.7/architecture/marbles.md
  162. +115 −0 docs/versioned_docs/version-1.7/architecture/security.md
  163. +20 −0 docs/versioned_docs/version-1.7/building-marbles/ego.md
  164. +164 −0 docs/versioned_docs/version-1.7/building-marbles/gramine.md
  165. +78 −0 docs/versioned_docs/version-1.7/building-marbles/occlum.md
  166. +210 −0 docs/versioned_docs/version-1.7/deployment/kubernetes.md
  167. +71 −0 docs/versioned_docs/version-1.7/deployment/platforms/alibaba.md
  168. +29 −0 docs/versioned_docs/version-1.7/deployment/platforms/azure.md
  169. +90 −0 docs/versioned_docs/version-1.7/deployment/platforms/on-prem.md
  170. +16 −0 docs/versioned_docs/version-1.7/deployment/platforms/platforms.md
  171. +56 −0 docs/versioned_docs/version-1.7/deployment/standalone.md
  172. +58 −0 docs/versioned_docs/version-1.7/features/attestation.md
  173. +71 −0 docs/versioned_docs/version-1.7/features/kubernetes-integration.md
  174. +32 −0 docs/versioned_docs/version-1.7/features/manifest.md
  175. +53 −0 docs/versioned_docs/version-1.7/features/recovery.md
  176. +20 −0 docs/versioned_docs/version-1.7/features/runtimes.md
  177. +33 −0 docs/versioned_docs/version-1.7/features/secrets-management.md
  178. +12 −0 docs/versioned_docs/version-1.7/features/transparent-TLS.md
  179. +30 −0 docs/versioned_docs/version-1.7/getting-started/examples.md
  180. +134 −0 docs/versioned_docs/version-1.7/getting-started/installation.md
  181. +174 −0 docs/versioned_docs/version-1.7/getting-started/quickstart.md
  182. +45 −0 docs/versioned_docs/version-1.7/intro.md
  183. +1,033 −0 docs/versioned_docs/version-1.7/reference/cli.md
  184. +1,198 −0 docs/versioned_docs/version-1.7/reference/coordinator.md
  185. +169 −0 docs/versioned_docs/version-1.7/workflows/add-service.md
  186. +108 −0 docs/versioned_docs/version-1.7/workflows/backup.md
  187. +552 −0 docs/versioned_docs/version-1.7/workflows/define-manifest.md
  188. +92 −0 docs/versioned_docs/version-1.7/workflows/managing-secrets.md
  189. +54 −0 docs/versioned_docs/version-1.7/workflows/monitoring.md
  190. +129 −0 docs/versioned_docs/version-1.7/workflows/recover-coordinator.md
  191. +30 −0 docs/versioned_docs/version-1.7/workflows/set-manifest.md
  192. +179 −0 docs/versioned_docs/version-1.7/workflows/update-manifest.md
  193. +56 −0 docs/versioned_docs/version-1.7/workflows/updates.md
  194. +50 −0 docs/versioned_docs/version-1.7/workflows/user-authentication.md
  195. +40 −0 docs/versioned_docs/version-1.7/workflows/verification.md
  196. +232 −0 docs/versioned_sidebars/version-1.6-sidebars.json
  197. +237 −0 docs/versioned_sidebars/version-1.7-sidebars.json
  198. +2 −0 docs/versions.json
  199. +1 −1 enclave/coordinator.conf
  200. +78 −76 go.mod
  201. +249 −194 go.sum
  202. +55 −34 injector/injector.go
  203. +232 −261 injector/injector_test.go
  204. +6 −0 internal/constants/constants.go
  205. +52 −0 internal/logging/logging.go
  206. +2 −2 marble/premain/occlum.go
  207. +20 −0 marble/premain/premain.go
  208. +12 −12 samples/estore/go.mod
  209. +33 −33 samples/estore/go.sum
  210. +1 −1 samples/gramine-redis/Dockerfile
  211. +9 −7 test/framework/framework.go
  212. +135 −3 test/integration_test.go
  213. +9 −0 test/manifests.go
  214. +29 −0 util/util.go
  215. +37 −0 util/util_test.go
23 changes: 23 additions & 0 deletions .github/release.yml
Original file line number Diff line number Diff line change
@@ -0,0 +1,23 @@
changelog:
include:
labels:
- breaking change
- feature
- bug fix
- changelog
categories:
- title: 🛠 Breaking changes
labels:
- breaking change
- title: 🎁 New features
labels:
- feature
- title: 🐛 Bug fixes
labels:
- bug fix
- title: 🔧 Other changes
labels:
- changelog
- title: 📖 Documentation
labels:
- documentation
2 changes: 1 addition & 1 deletion .github/workflows/links.yml
Original file line number Diff line number Diff line change
@@ -22,7 +22,7 @@ jobs:
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2

- name: Link Checker
uses: lycheeverse/lychee-action@7cd0af4c74a61395d455af97419279d86aafaede # v2.0.2
uses: lycheeverse/lychee-action@f613c4a64e50d792e0b31ec34bbcbba12263c6a6 # v2.3.0
with:
fail: true
env:
2 changes: 1 addition & 1 deletion .github/workflows/lint.yml
Original file line number Diff line number Diff line change
@@ -29,7 +29,7 @@ jobs:
git config --global --add safe.directory "$GITHUB_WORKSPACE"
- name: golangci-lint
uses: golangci/golangci-lint-action@971e284b6050e8a5849b72094c50ab08da042db8 # v6.1.1
uses: golangci/golangci-lint-action@2226d7cb06a077cd73e56eedd38eecad18e5d837 # v6.5.0
with:
skip-cache: true
args: --timeout=30m
24 changes: 24 additions & 0 deletions .github/workflows/require-label.yml
Original file line number Diff line number Diff line change
@@ -0,0 +1,24 @@
name: 'Check: require label'

on:
pull_request:
types: [opened, labeled, unlabeled, synchronize]

jobs:
label:
runs-on: ubuntu-24.04
permissions:
pull-requests: read
steps:
- uses: mheap/github-action-required-labels@388fd6af37b34cdfe5a23b37060e763217e58b03 # 5.5.0
with:
mode: minimum
count: 1
labels: |
breaking change
bug fix
changelog
dependencies
feature
documentation
no changelog
2 changes: 1 addition & 1 deletion .github/workflows/unittests.yml
Original file line number Diff line number Diff line change
@@ -45,7 +45,7 @@ jobs:
working-directory: test

- name: Build artifact
uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3
uses: actions/upload-artifact@4cec3d8aa04e39d1a68397de0c4cd6fb9dce8ec1 # v4.6.1
with:
name: marblerun
path: |
1 change: 1 addition & 0 deletions .github/workflows/vale.yml
Original file line number Diff line number Diff line change
@@ -21,3 +21,4 @@ jobs:
with:
files: docs/docs
fail_on_error: true
version: 3.9.3
7 changes: 4 additions & 3 deletions .golangci.yml
Original file line number Diff line number Diff line change
@@ -5,7 +5,8 @@ run:
modules-download-mode: readonly

output:
format: tab
formats:
- format: tab
sort-results: true

linters:
@@ -21,14 +22,14 @@ linters:
# Additional linters
- bodyclose
- errname
- exportloopref
- copyloopvar
- godot
- gofmt
- gofumpt
- misspell
- noctx
- revive
- tenv
- usetesting
- unconvert
- unparam

10 changes: 6 additions & 4 deletions CMakeLists.txt
Original file line number Diff line number Diff line change
@@ -1,6 +1,6 @@
cmake_minimum_required(VERSION 3.11)

project(marblerun VERSION 1.6.0)
project(marblerun VERSION 1.7.0)
find_package(OpenEnclave CONFIG REQUIRED)

if (NOT CMAKE_BUILD_TYPE)
@@ -79,10 +79,12 @@ add_custom_target(sign-coordinator ALL DEPENDS coordinator-enclave.signed coordi
#

add_custom_target(marble-injector ALL
COMMAND
CGO_ENABLED=0
go build ${TRIMPATH}
-o ${CMAKE_BINARY_DIR}
-buildvcs=false
${CMAKE_COMMAND} -P ${CMAKE_SOURCE_DIR}/build_with_version.cmake
"go" "${PROJECT_VERSION}" "${CMAKE_BINARY_DIR}/marble-injector"
"main"
${TRIMPATH}
WORKING_DIRECTORY ${CMAKE_SOURCE_DIR}/cmd/marble-injector
)

66 changes: 45 additions & 21 deletions api/api.go
Original file line number Diff line number Diff line change
@@ -9,7 +9,9 @@ package api
import (
"bytes"
"context"
"crypto"
"crypto/ecdsa"
"crypto/rand"
"crypto/rsa"
"crypto/sha256"
"crypto/tls"
@@ -159,38 +161,33 @@ func VerifyMarbleRunDeployment(ctx context.Context, endpoint string, opts Verify
}

// Recover performs recovery on a Coordinator instance by setting the decrypted recoverySecret.
// The signer is used to generate a signature over the recoverySecret.
// The Coordinator will verify this signature matches one of the recovery public keys set in the manifest.
// On success, it returns the number of remaining recovery secrets to be set,
// as well as the verified SGX quote.
//
// If this function is called from inside an EGo enclave, the "marblerun_ego_enclave" build tag must be set when building the binary.
func Recover(ctx context.Context, endpoint string, opts VerifyOptions, recoverySecret []byte) (remaining int, sgxQuote []byte, err error) {
opts.setDefaults()

rootCert, _, sgxQuote, err := VerifyCoordinator(ctx, endpoint, opts)
func Recover(ctx context.Context, endpoint string, opts VerifyOptions, recoverySecret []byte, signer crypto.Signer) (remaining int, sgxQuote []byte, err error) {
signature, err := util.SignPKCS1v15(signer, recoverySecret)
if err != nil {
return -1, nil, err
}
return recoverCoordinator(ctx, endpoint, opts, recoverySecret, signature)
}

client, err := rest.NewClient(endpoint, rootCert, nil)
if err != nil {
return -1, nil, fmt.Errorf("setting up client: %w", err)
}

// Attempt recovery using the v2 API first
remaining, err = recoverV2(ctx, client, recoverySecret)
if rest.IsNotAllowedErr(err) {
remaining, err = recoverV1(ctx, client, recoverySecret)
}
if err != nil {
return -1, nil, fmt.Errorf("sending recovery request: %w", err)
}

return remaining, sgxQuote, err
// RecoverWithSignature performs recovery on a Coordinator instance by setting the decrypted recoverySecret.
// This is the same as [Recover], but allows passing in the recoverySecretSignature directly,
// instead of generating it using a [crypto.Signer].
// The recoveryKeySignature must be a PKCS#1 v1.5 signature over the SHA-256 hash of recoverySecret.
//
// If this function is called from inside an EGo enclave, the "marblerun_ego_enclave" build tag must be set when building the binary.
func RecoverWithSignature(ctx context.Context, endpoint string, opts VerifyOptions, recoverySecret, recoverySecretSignature []byte) (remaining int, sgxQuote []byte, err error) {
return recoverCoordinator(ctx, endpoint, opts, recoverySecret, recoverySecretSignature)
}

// DecryptRecoveryData decrypts recovery data returned by a Coordinator during [ManifestSet] using a parties private recovery key.
func DecryptRecoveryData(recoveryData []byte, recoveryPrivateKey *rsa.PrivateKey) ([]byte, error) {
return util.DecryptOAEP(recoveryPrivateKey, recoveryData)
func DecryptRecoveryData(recoveryData []byte, recoveryPrivateKey crypto.Decrypter) ([]byte, error) {
return recoveryPrivateKey.Decrypt(rand.Reader, recoveryData, &rsa.OAEPOptions{Hash: crypto.SHA256})
}

// GetStatus retrieves the status of a MarbleRun Coordinator instance.
@@ -577,3 +574,30 @@ func getMarbleCredentialsFromEnv() (tls.Certificate, *x509.Certificate, error) {

return tlsCert, coordinatorRoot, nil
}

// recoverCoordinator performs recovery on a Coordinator instance by setting the decrypted recoverySecret.
// The signer is used to generate a signature over the recoverySecret.
// The Coordinator will verify this signature matches one of the recovery public keys set in the manifest.
// On success, it returns the number of remaining recovery secrets to be set,
// as well as the verified SGX quote.
func recoverCoordinator(ctx context.Context, endpoint string, opts VerifyOptions, recoverySecret, recoverySecretSignature []byte) (remaining int, sgxQuote []byte, err error) {
opts.setDefaults()

rootCert, _, sgxQuote, err := VerifyCoordinator(ctx, endpoint, opts)
if err != nil {
return -1, nil, err
}

client, err := rest.NewClient(endpoint, rootCert, nil)
if err != nil {
return -1, nil, fmt.Errorf("setting up client: %w", err)
}

// The v1 API does not support recovery, therefore only attempt the v2 API
remaining, err = recoverV2(ctx, client, recoverySecret, recoverySecretSignature)
if err != nil {
return -1, nil, fmt.Errorf("sending recovery request: %w", err)
}

return remaining, sgxQuote, err
}
25 changes: 0 additions & 25 deletions api/v1.go
Original file line number Diff line number Diff line change
@@ -20,31 +20,6 @@ import (
apiv1 "github.com/edgelesssys/marblerun/coordinator/server/v1"
)

// recoverV1 performs recovery of the Coordinator using the legacy v1 API.
func recoverV1(ctx context.Context, client *rest.Client, recoverySecret []byte) (remaining int, err error) {
resp, err := client.Post(ctx, rest.RecoverEndpoint, rest.ContentPlain, bytes.NewReader(recoverySecret))
if err != nil {
return -1, err
}

var response apiv1.RecoveryStatusResponse
if err := json.Unmarshal(resp, &response); err != nil {
return -1, fmt.Errorf("unmarshalling Coordinator response: %w", err)
}

if response.StatusMessage == "Recovery successful." {
return 0, nil
}

remainingStr, _, _ := strings.Cut(response.StatusMessage, ": ")
remaining, err = strconv.Atoi(remainingStr)
if err != nil {
return -1, fmt.Errorf("parsing remaining recovery secrets: %w", err)
}

return remaining, nil
}

// getStatusV1 retrieves the status of the Coordinator using the legacy v1 API.
func getStatusV1(ctx context.Context, client *rest.Client) (int, string, error) {
resp, err := client.Get(ctx, rest.StatusEndpoint, http.NoBody)
7 changes: 5 additions & 2 deletions api/v2.go
Original file line number Diff line number Diff line change
@@ -19,8 +19,11 @@ import (
)

// recoverV2 performs recovery of the Coordinator using the v2 API.
func recoverV2(ctx context.Context, client *rest.Client, recoverySecret []byte) (remaining int, err error) {
recoverySecretJSON, err := json.Marshal(apiv2.RecoveryRequest{RecoverySecret: recoverySecret})
func recoverV2(ctx context.Context, client *rest.Client, recoverySecret, recoverySecretSignature []byte) (remaining int, err error) {
recoverySecretJSON, err := json.Marshal(apiv2.RecoveryRequest{
RecoverySecret: recoverySecret,
RecoverySecretSignature: recoverySecretSignature,
})
if err != nil {
return -1, fmt.Errorf("marshalling request: %w", err)
}
4 changes: 2 additions & 2 deletions charts/Chart.yaml
Original file line number Diff line number Diff line change
@@ -1,5 +1,5 @@
apiVersion: v2
appVersion: v1.6.0
appVersion: v1.7.0
description: The control plane for confidential computing.
home: https://edgeless.systems
keywords:
@@ -9,7 +9,7 @@ kubeVersion: ">=1.13.0-0"
name: marblerun
sources:
- https://github.com/edgelesssys/marblerun
version: 1.6.0
version: 1.7.0
maintainers:
- name: Edgeless Systems
email: contact@edgeless.systems
4 changes: 2 additions & 2 deletions charts/README.md
Original file line number Diff line number Diff line change
@@ -46,7 +46,7 @@ their default values.
| `coordinator.sealDir` | string | Path to the directory used for sealing data. Needs to be consistent with the persisten storage setup | `"/coordinator/data/"` |
| `coordinator.simulation` | bool | SGX simulation settings, set to `true` if your not running on an SGX capable cluster | `false` |
| `coordinator.storageClass` | string | Kubernetes [StorageClass](https://kubernetes.io/docs/concepts/storage/storage-classes/) to use for creating the Coordinator PVC. Leave empty to use the default StorageClass | |
| `coordinator.version` | string | Version of the coordinator container image to pull | `"v1.6.0"` |
| `coordinator.version` | string | Version of the coordinator container image to pull | `"v1.7.0"` |
| `global.coordinatorComponentLabel` | string | Control plane label. Do not edit | `"edgeless.systems/control-plane-component"` |
| `global.coordinatorNamespaceLabel` | string | Control plane label. Do not edit | `"edgeless.systems/control-plane-ns"` |
| `global.podAnnotations` | object | Additional annotations to add to all pods | `{}`|
@@ -56,7 +56,7 @@ their default values.
| `marbleInjector.start` | bool | Start the marbleInjector webhook | `false` |
| `marbleInjector.replicas` | int | Replicas of the marbleInjector webhook | `1` |
| `marbleInjector.repository` | string | Name of the container registry to pull the marbleInjector image from | `"ghcr.io/edgelesssys/marblerun"` |
| `marbleInjector.version` | string | Version of the marbleInjector container image to pull | `"v1.6.0"` |
| `marbleInjector.version` | string | Version of the marbleInjector container image to pull | `"v1.7.0"` |
| `marbleInjector.useCertManager` | bool | Set to use cert-manager for certificate provisioning. Required when using standalone helm chart for installation | `false` |
| `marbleInjector.objectSelector` | object | ObjectSelector to trigger marble-injector mutation, See the [K8S documentation](https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#matching-requests-objectselector) for more information | `{matchExpressions:[{key:"marblerun/marbletype",operator:"Exists"}]}` |
| `marbleInjector.namespaceSelector` | object | NamespaceSelector to trigger marble-injector mutation, See the [K8S documentation](https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#matching-requests-namespaceselector) for more information | `{}` |
2 changes: 1 addition & 1 deletion charts/templates/coordinator.yaml
Original file line number Diff line number Diff line change
@@ -121,7 +121,7 @@ spec:
- ReadWriteOnce
resources:
requests:
storage: 10Mi
storage: {{ .Values.coordinator.storageSize }}
{{- end }}
---
apiVersion: v1
13 changes: 7 additions & 6 deletions charts/values.yaml
Original file line number Diff line number Diff line change
@@ -2,7 +2,6 @@
# This is a YAML-formatted file.
# Declare variables to be passed into your templates.


# Values that are passed along to sub-charts
global:
# Additional annotations to add to all pods
@@ -22,14 +21,13 @@ global:
# pullSecret:
# pullSecret: my-private-docker-registry-login-secret


# webhook configuration
marbleInjector:
replicas: 1
repository: ghcr.io/edgelesssys/marblerun
image: marble-injector
pullPolicy: IfNotPresent
version: v1.6.0
version: v1.7.0

# Set to true to install the injection webhook
start: false
@@ -54,14 +52,13 @@ marbleInjector:
# Customize to limit injection to specific namespaces
namespaceSelector: {}


# coordinator configuration
coordinator:
replicas: 1
repository: ghcr.io/edgelesssys/marblerun
image: coordinator
pullPolicy: IfNotPresent
version: v1.6.0
version: v1.7.0

# Environment configuration for the coordinator control-plane
# meshServerPort needs to be configured to the same port as in the data-plane marbles
@@ -105,11 +102,15 @@ coordinator:
# Set the storage class to use for creating the Coordinator's PVC
# Leave empty to use the default storage class
storageClass: ""

# Set the storage size for the Coordinator's PVC
# The Coordinator requires a minimum of 10Mi but some storageClasses don't allow such small sizes
storageSize: "10Mi"

# Set to use an existing PVC for Coordinator storage
# Leave empty to create a new one using the configured storage class
pvcName: ""


# Tolerations constraints for control-plane components
# https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/
tolerations:
Loading