Intel® SGX SDK/PSW 2.28

Intel® Software Guard Extensions SDK (Intel® SGX SDK)

• Removed deprecated functionality based on EPID (Enhanced Privacy ID), including EPID remote attestation.
  • • Note support remains for ECDSA-based attestation and universal quoting APIs (i.e. sgx_get_quote_ex()).
    • The following definitions have been removed from libsgx-headers:
      • sgx_calc_quote_size()
      • sgx_check_update_status()
      • sgx_get_extended_epid_group_id()
      • sgx_get_quote()
        • note: sgx_get_quote_ex() remains supported
      • sgx_get_quote_size()
        • note: sgx_get_quote_size_ex() remains supported
      • sgx_init_quote()
        • note: sgx_init_quote_ex() remains supported
      • sgx_report_attestation_status()
    • The following dev header has been removed: sgx_uae_epid.h
    • Removed libsgx_epid_sim.so, following the removal of EPID-based Provisioning Enclave (PVE), and EPID-based Quoting Enclave (QE) in SGX PSW.
• Removed code supporting the deprecated Launch Enclave, whitelist management and out-of-tree driver.
  • • The recommended launch mechanism continues to be the Flexible Launch Control via the in-kernel SGX driver.
    • The following launch-related UAE APIs are deprecated and will now return SGX_ERROR_FEATURE_NOT_SUPPORTED:
      • get_launch_token()
      • sgx_get_whitelist()
      • sgx_get_whitelist_size()
      • sgx_register_wl_cert_chain()
    • The following dev header has been deprecated: sgx_uae_launch.h
    • The following parameters of sgx_create_enclave() URTS API: *launch_token and *launch_token_updated are now RESERVED and ignored by the implementation. Implementers may choose to continue passing an empty/initialized launch_token_t placeholder or pass a nullptr in their place.
    • Removed libsgx_launch_sim.so following the removal of Launch Enclave (LE) in SGX PSW.
• Enclave creation no longer fails when the Enclave Dynamic Memory Management (EDMM) and AEX-Notify are both enabled.
• Upgraded to OpenSSL 3.0.19.
• Added support for CentOS* Stream 10 and Red Hat* Enterprise Linux* 10.
• Bug fixes.

Note

Intel® Software Guard Extensions (Intel® SGX) Eclipse plugin will be removed in the next release of Intel® SGX SDK.

---

Intel® Software Guard Extensions Platform Software (Intel® SGX PSW)

• Removed deprecated functionality based on EPID (Enhanced Privacy ID), including EPID remote attestation.
  • • The libsgx_epid.so library is removed, including its simulation counterpart in the SGX SDK.
    • Note support remains for ECDSA-based attestation and universal quoting APIs (i.e. sgx_get_quote_ex()).
    • Supporting architectural enclaves: EPID-based Provisioning Enclave (PVE) and EPID-based Quoting Enclave (QE) are no longer distributed.
• Removed code supporting the deprecated Launch Enclave, whitelist management, and out-of-tree driver.
  • • The recommended launch mechanism continues to be the Flexible Launch Control via the in-kernel SGX driver.
    • The libsgx_launch.so library is removed, including its simulation counterpart in the SGX SDK.
    • The libsgx-aesm-launch-plugin as well as the le_launch_service_bundle are removed.
    • Supporting architectural enclave: Launch Enclave (LE), is no longer distributed.
    • Launch whitelist files (white_list_cert*.bin) and signature files (le_prod_css.bin) are removed as well.
• Upgraded to OpenSSL 3.0.19.
• Added support for CentOS* Stream 10 and Red Hat* Enterprise Linux* 10.
• Bug fixes.

Intel® SGX SDK/PSW 2.27

Intel® Software Guard Extensions SDK includes the following changes in version 2.27.100.1:

• Upgraded to OpenSSL 3.0.17.
• Added support for Azure Linux 3.0, Debian 12 and Anolis 8.10.
• Improved logging output.
• Bug fixes.

Linux 2.26 Open Source Gold Release

Upgraded to OpenSSL 3.1.6.

Removed support for the MbedTLS Trusted Library.

Added support for Red Hat Enterprise Linux Server 9.4 (for x86_64) and SUSE Linux Enterprise Server 15.6 64-bits.

Added support for the FIPS 140-3 Certifiable OpenSSL Provider as an experimental feature.

Bug fixes.

Linux 2.25 Open Source Gold Release

Upgraded to OpenSSL 3.0.14.

Upgraded Intel(R) Integrated Performance Primitives (IPP) Cryptography library to version 2021.12.1.

Supported FIPS 140-3 Certifiable IPP Crypto based Trusted Library.

Upgraded Intel SGX Architecture Enclaves based on new IPP crypto library.

Upgraded Intel DCAP Quote Verification Enclave to integrate OpenSSL/SgxSSL 3.0.14.

Removed Intel DCAP PCCS from repository.

Added Ubuntu* 24.04 LTS 64-bit Server support.
Fixed bug.

Note that PCCS is not available from this release. Please follow DCAP installation guide to use PCCSAdminTool to retrieve the attestation collaterals or use old version PCCS.

Linux 2.24 Open Source Gold Release

Upgraded to OpenSSL 3.0.13.

Upgraded to Intel(R) Integrated Performance Primitives (IPP) Cryptography library version 2021.11.

Upgraded to Protobuf 3.23.2.

Upgraded MbedTLS to 3.5.2.

Upgraded Intel DCAP Ring3 Abstraction Layer (R3AAL) library to support ConfigFS-TSM as communication channel between host and guest for TDX remote attestation.

Upgraded Intel DCAP Quote Verification Enclave to integrate OpenSSL/SgxSSL 3.0.13.

Upgraded new TDX attestation result “TD_RELAUNCH_ADVISED” in Intel DCAP Quote Verification Library (QVL) and Appraisal Engine.

Fixed bugs.

Linux 2.23 Open Source Gold Release

Supported new OS: Ubuntu* 23.10 64-bit Server version.

Upgraded to OpenSSL 3.0.12.

Upgraded MbedTLS to 3.5.0.

Added SM2 encrypt/decrypt algorithm to the GM/SM (PRC National Commercialr Cryptographic Algorithms) sample code.

Introduced the Intel® DCAP Appraisal Engine within quote verification library, empowering users to evaluate verification results against diverse policies.

Upgraded Intel SGX Quote Verification Enclave to integrate OpenSSL/SgxSSL 3.0.12.

Added Rust wrapper for quote provider library APIs.

Fixed bugs.

Linux 2.22 Open Source Gold Release

Upgraded to OpenSSL 3.0.10.

Added interoperable RA-TLS support which follows CCC design.

Enhanced Protect File System performance and added additional dependency libsgx_pthread.a.

Added the Constant Time instruction Decoder (CTD) into the default AEX-Notify mitigation handler in order to prevent the introduction of any additional subtle side channel leakages within the default handler.

Added Mistletoe 3 mitigations to the IPP Cryptography Library to the AES-ECB, AESGCM, and AES-CMAC algorithms. These have been incorporated transparently into the sgx_tcrypto library.

Resigned all Intel(R) SGX Architecture Enclaves.

Upgraded Intel SGX Quote Verification Enclave to integrate OpenSSL/SgxSSL 3.0.10.

Added Attestation Library support for Intel(R) TDX Migration TD.

Added Rust wrapper for low-level Quote Generation APIs.

Enabled SE_TRACE log in release binary.

Updated Rust QVL wrapper to use native Rust structure for quote verification collateral.

Added a limitation in the DCAP QVL to only allow the user to set the QvE load policy once.

Fixed bugs.

Linux 2.21 Open Source Gold Release

Upgraded to OpenSSL 1.1.1u.

Introduced Intel(R) TDX 1.4 and 1.5 support.

Upgraded Ring3 Abstraction Layer (R3AAL) library to support Intel(R) TDX MVP 6.2 kernel.

Enhanced quote verification performance in multi-thread scenarios.

Fixed bugs.

Linux 2.20 Open Source Gold Release

Supported the AEX (Asynchronous Enclave Exit) Notify feature.

Supported Mbed-TLS Cryptography library (excluding SSL/TLS portion) in Enclave.

Applied CVE-2023-1255, CVE-2023-0465, and CVE-2023-0466 patches to SgxSSL/OpenSSL 1.1.1t.

Upgraded to Intel(R) Integrated Performance Primitives (IPP) Cryptography library version 2021.7.

Upgraded Intel SGX Quote Verification Enclave to integrate updated SgxSSL.

Enhanced the attestation local cache functionality by giving users the option to provide their own cache file.

Enabled QPL/QCNL log in DCAP samples.

Fixed bugs.

Linux 2.19 Open Source Gold Release

Supported the Key Separation and Sharing (KSS) feature in Simulation mode.

Upgraded to OpenSSL 1.1.1t.

Upgraded Intel(R) SGX Quote Verification Enclave to integrate SgxSSL/OpenSSL version 1.1.1t.

Added new API in quote verification library to extract FMSPC (Family-Model-Stepping-Platform-CustomSKU) value from ECDSA quote.

Added Rust support for SGX ECDSA quote generation.

Added Linux kernel 5.19 support in TDX R3AAL (Ring 3 Attestation Abstraction Layer).

Removed Protobuf in TDX QGS (Quote Generation Service) and R3AAL (Ring 3 Attestation Abstraction Layer).

Fixed bugs.