Release Notes for CTE UserSpace
| Release Note Version | Date |
|---|---|
| 10.4.0.72 | 2025-02-14 |
New Features and Enhancements
Clarified documentation for format compatibility between CTE-U and CTE
Updated the documentation for clarity on format compatibility for AES-CBC-CS1 and AES-CBC.
- See File Systems Compatibility for more information.
Confidential Computing Support
Confidential Computing is a cloud computing technology that isolates and protects data on Confidential Virtual Machines (CVMs), or Trusted Domains (TDs), while an application is processing it, shielding the data in use from a broad range of software attacks. Confidential computing ensures that all data operations are executed inside a Trusted Execution Environment (TEE).
CTE-U and CipherTrust Manager manage the attestation process that provisions confidential computing on the VMs where CTE-U agents run, providing end-to-end data protection. In this model, the role of CTE-U is to gather the attestation evidence from the CVM and pass it to CipherTrust Manager, which has it attested by Intel® Tiber™ Trust Services. If attestation fails, CTE-U denies access to the encrypted data that it guards.
Caution
This feature is a technical preview for evaluation in non-production environments. Details and functionality are subject to change.
Cloud Object Storage Support
Cloud Object Storage support for CTE-U is identical to Cloud Object Storage for CipherTrust Transparent Encryption.
- See CTE for Cloud Object Storage for more information.
Added support for the CIFS filesystem
CIFS is supported with Red Hat Enterprise Linux (RHEL) and Ubuntu.
Resolved Issues
- AGT-61330 [CS1563353]: Build 10.3.0.74 generating a Readdir Segmentation fault error

  Multi-threaded directory listing operations on FreeBSD intermittently crashed or hung the system. The fix introduces a locking mechanism that makes directory operations thread-safe and prevents the crash.
- AGT-61331 [CS1563353]: FreeBSD needs analysis for a short hang (~2 mins) that occurred when lockbox tried to use the credential file

  A multi-threaded application hung at startup because of a deadlock in the FUSE driver. The fix avoids the call into that driver.
- AGT-61532 [CS1582276]: Authenticator not working

  The issue occurred when `sshd` was removed as an authenticator. The CTE-U authenticator process table had an incorrect initial (default) state, so if you removed `sshd` as an authenticator and logged in through `ssh`, the authenticated user value was not valid. The fix corrects the default state of the process table.

- AGT-61644: Agent information is not generated by the CTE-U agent (Ubuntu) when requested by CipherTrust Manager

  CTE-U was looking up the Certificate Authority (CA) in the wrong bundle, so the trust store it used was invalid or out of date and the request failed. The fix changes the code to use the correct bundle to locate the CA.
Known Issues
- AGT-44852: Cannot delete very long file names in FreeBSD

  A path length longer than 1024 characters is not supported.
- AGT-45125: Execute program from the GuardPoint

  Due to the implementation of the FreeBSD kernel, executing a program inside a GuardPoint is not supported. As a result, process sets and signature sets are not supported for programs inside a GuardPoint on FreeBSD in CTE-U.
- AGT-46856: FUSE protocol violation warning message

  The kernel driver displays this message because the file size reported by CTE-U differs from the size of the underlying file, so FUSE concludes that the file has changed and raises the warning. The message is benign and can be ignored.
- AGT-47108: Enabling Concise logging does not reduce logs as compared to when it is disabled

  Thales plans to enhance this feature in a future release so that it reduces log volume further.
- AGT-47230: Missing IOCTL in CTE-U causes VMSec challenge to claim that a challenge is needed

  Invalid: CTE-U does not support challenge/response.
- AGT-48249: Direct I/O does not work with mmap or buffered I/O

  Writing to a file without direct I/O and then reading the same file with direct I/O through a different file descriptor, without first syncing or closing the first descriptor, causes the read to return incorrect (stale) data.

  Work-around

  Disable the writeback cache:
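The failure sequence described for AGT-48249, as an added example written for these notes (it is not CTE-U or Thales code): a small C program that performs the buffered write, then reads the file back through a second `O_DIRECT` descriptor while the first descriptor is still open and unsynced, and reports whether the direct read saw the buffered data. The temp file name template, the 0xA5 fill pattern and the 4096-byte block size are assumptions of the example. Run it with a GuardPoint directory as its argument and compare the result with a control directory such as `/tmp`; a filesystem that rejects `O_DIRECT` is reported as unsupported rather than counted as a failure.

```c
#define _GNU_SOURCE          /* O_DIRECT on glibc */
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

#define BLOCK 4096           /* O_DIRECT needs block-aligned buffer, offset and length (assumed) */

enum coherence {
    COHERENT = 0,            /* direct read returned the buffered write */
    STALE = 1,               /* the AGT-48249 symptom: wrong or short data */
    DIRECT_UNSUPPORTED = 2,  /* filesystem rejected O_DIRECT (EINVAL) */
    IO_ERROR = -1
};

/* Write one block of `pattern` through a buffered descriptor, then read the
 * file through a second O_DIRECT descriptor while the first is still open and
 * unsynced: the exact sequence AGT-48249 describes. On a coherent filesystem
 * the direct read sees the buffered data; on an affected GuardPoint it does not. */
enum coherence check_direct_read_coherence(const char *path, unsigned char pattern)
{
    enum coherence result = IO_ERROR;
    unsigned char *wbuf = NULL, *rbuf = NULL;
    int wfd = -1, rfd = -1;

    if (posix_memalign((void **)&wbuf, BLOCK, BLOCK) != 0 ||
        posix_memalign((void **)&rbuf, BLOCK, BLOCK) != 0)
        goto out;
    memset(wbuf, pattern, BLOCK);
    memset(rbuf, 0, BLOCK);

    wfd = open(path, O_WRONLY | O_CREAT | O_TRUNC, 0600);
    if (wfd < 0 || write(wfd, wbuf, BLOCK) != BLOCK)
        goto out;
    /* Deliberately no fsync() and no close() of wfd here. */

#ifndef O_DIRECT
    result = DIRECT_UNSUPPORTED;     /* platform without O_DIRECT (e.g. macOS) */
    goto out;
#else
    rfd = open(path, O_RDONLY | O_DIRECT);
    if (rfd < 0) {
        result = (errno == EINVAL) ? DIRECT_UNSUPPORTED : IO_ERROR;
        goto out;
    }
    ssize_t n = read(rfd, rbuf, BLOCK);
    if (n < 0)
        result = (errno == EINVAL) ? DIRECT_UNSUPPORTED : IO_ERROR;
    else if (n != BLOCK)
        result = STALE;              /* short read: new length not visible yet */
    else
        result = (memcmp(wbuf, rbuf, BLOCK) == 0) ? COHERENT : STALE;
#endif
out:
    if (rfd >= 0) close(rfd);
    if (wfd >= 0) close(wfd);
    free(wbuf);
    free(rbuf);
    return result;
}

/* Run the check on a constructed temp file under `dir` (a GuardPoint path to
 * test, or a control directory such as /tmp) and remove the file afterwards. */
enum coherence run_check_in_dir(const char *dir, unsigned char pattern)
{
    char path[4096];
    if (snprintf(path, sizeof path, "%s/agt48249-XXXXXX", dir) >= (int)sizeof path)
        return IO_ERROR;
    int fd = mkstemp(path);
    if (fd < 0)
        return IO_ERROR;
    close(fd);
    enum coherence r = check_direct_read_coherence(path, pattern);
    unlink(path);
    return r;
}

int main(int argc, char **argv)
{
    static const char *names[] = { "COHERENT", "STALE", "DIRECT_UNSUPPORTED" };
    const char *dir = argc > 1 ? argv[1] : "/tmp";
    enum coherence r = run_check_in_dir(dir, 0xA5);
    if (r == IO_ERROR) {
        perror("check");
        return 2;
    }
    printf("%s: %s\n", dir, names[r]);
    return r == STALE ? 1 : 0;   /* non-zero exit flags the AGT-48249 symptom */
}
```

Build with `cc -o agt48249 agt48249.c` and run `./agt48249 /path/to/guardpoint`; a `STALE` result on the GuardPoint with `COHERENT` on the control directory confirms the issue, and the same run after applying the work-around shows whether it took effect.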
- AGT-48284: Access to the GuardPoint displays incorrect GuardPoint path and garbage in path on first access

  CTE-U does not support security rules with process sets or user sets for block devices. Refer to Sample Policy for Block Devices.
- AGT-48348: Raw device GuardPoint gets stuck in processing state after being removed from agent

  In SUSE Linux Enterprise Server 12 SP5, it is not possible to gracefully detach a GuardPoint from the loop device layer. As a result, `secfs-fuse` cannot be stopped cleanly; attempts to do so may hang the system, and recovery is only possible by power cycling the machine. For these reasons, block device GuardPoints are not currently supported on SUSE Linux Enterprise Server 12 SP5 or earlier.

- AGT-48387: FreeBSD: Unable to run dataxform against the same directory more than once

  Work-around

  Run the following Data Transformation cleanup command before transforming the data:
- AGT-48502: CTE to CTE-U migration on NFS v3/v4 with backup user generates I/O error when restored on CTE-U NFS GuardPoint in SLES and RHEL 9.2

  If a restored file does not have write permission, the key ID update fails and CTE-U returns an I/O error.

  Work-around

  For a CTE to CTE-U migration, the OS user performing the restore must have full write permission on the files copied from the CTE backup into the CTE-U GuardPoint.
- AGT-48532 [CS1506097]: Using a Standard Policy with an XTS key, when the user migrated from one CipherTrust Manager to another, the key stopped working

  When a key is backed up and restored to a different domain or CipherTrust Manager, its key ID may change. CTE-U then triggers a protection check that is designed to prevent accidental use of the wrong key or accidental double encryption.

  Work-around

  See Migrating an Encryption Key for more information.
- AGT-49859: GuardPoints are not healthy when partial config is enabled for CTE-U client

  The Partial Config feature in CipherTrust Manager v2.15 GA requires CTE-U v10.2.0.80, v10.3.0.19 or a subsequent version.
- AGT-50831 [CS1526318]: Failed to run `mkdir` from NFS client after guarded by CTE-U

  The issue only occurs on the HP-UX NFS client, which cannot access the affected directory.

  Work-around

  Unmount the mount point and then remount it with the following mount options:
- AGT-54610: Failed to create a file with only a `write` action in the key rule

  When a policy on CipherTrust Manager grants only `write` access to a user or process set, that user or process set should be able to write to the file on the agent. However, because of the FUSE design, CTE-U must perform a `getattr` permission check for every operation. Due to this limitation, CTE-U did not grant the user the `write` permission.

  Work-around

  Grant read-attribute permission on all of the directories and files covered by the policy: select the `d_rd_att`, `f_rd_att` and `write` actions.
- AGT-55110: Switching an existing MFA client profile that used `register_host` fails on CipherTrust Manager enrollment

  Work-around

  In CipherTrust Manager, change the existing Multifactor Authentication `Select MFA Exempted User Set` parameter to your new target user set.
- AGT-59525: CTE-U `open()` with `O_RDONLY` fails on a guarded file with the append-only attribute

  Running `lsattr` on a guarded file with the append-only attribute fails with `Input/output error`.
- AGT-61084: Guarding a bucket which is not present

  The issue occurs when an AWS bucket is added as a GuardPoint but the bucket does not exist on AWS.
- AGT-61174: AWS S3 LS operation works even after deleting the credential using `voradmin cos s3 cred delete`
- AGT-61735: Garbage files are created when CTE-U opens a file on a CTE Windows host over CIFS

  Work-around

  Disable temp file creation on the CTE Windows host.
- AGT-63130: The `mkdir` and `chown` commands fail on an HP-UX NFS client where a GuardPoint is mounted

  CTE-U does not support process-based access checks in the NFS export scenario. Therefore, you must either disable the authenticator check or add the NFS process as an authenticator. See Exporting GuardPoints over NFS for more information.
- AGT-63195: CTE-U UID authentication not working with TMUX

  Work-around

  To create a TMUX session that carries the authority of the user who started it, use either of these two methods:

  - Add `/usr/bin/tmux` as an authenticator in the CipherTrust Manager client settings for this client.
  - Run `voradmin secfs config uid_search 0` to revert CTE-U UID authentication to its previous method.
End of Life
- IBM/Red Hat ended support for Red Hat Enterprise Linux (RHEL) 7 on June 30, 2024. Therefore, CTE-U support for RHEL 7 has been discontinued.
- As previously announced in 10.3.0.74, Thales has discontinued support for Oracle Linux 7 and SLES 11/12 starting with CTE-U v10.4.0.