Voting is open for a new IC release - 999f7cc, with verity system integrity protection

Hello there!

we are happy to announce that voting is now open for a new IC release.
The NNS proposal is here: IC NNS Proposal 78693.

There are lots of exciting new features and bugfixes.
A particular highlight is the enablement of verity for an additional security protection.

With verity, the entire IC-OS system is now cryptographically integrity-protected. This covers the entire running code (both IC software as well as underlying operating system) as well as deployed configuration. Integrity is continuously checked at runtime, and any attempt at tampering is detected.

Here is a more complete list of changes:

* Consensus: Add signature_request_timeout_ns configuration field
* Consensus: Handle ECDSA signature timeout
* Consensus: Limit number of HttpResponses in block
* Crypto: Add batch verification for ed25519 basic sig
* Crypto: Add faster multiplication for G1 and G2 groups
* Crypto: Consistently use lazy_static for NIDKG system parameters
* Crypto: Convert dec_chunks to use zkcrypto's implementation
* Crypto: Introduce KeyCounts struct to handle key counts for crypto metrics
* Crypto: Modify dealing verification API to get a signed dealing as input
* Crypto: Remove MIRACL from the codebase
* Crypto: Remove last uses of MIRACL from NIDKG
* Crypto: Remove obsolete CLIB OpenSSL TLS implementation
* Crypto: Remove obsolete OpenSSL TLS implementation in CSP
* Crypto: Remove unused IDKM OpenSSL client and server handshake implementations
* Crypto: Remove unused standalone OpenSSL TLS client
* Crypto: Remove unused with_rustls method variants from TlsHandshake trait
* Crypto: Return bls12_381 types' identities and generators as static references
* Execution: Update code according to spec for http requests
* Message Routing: Defragment canister states
* Message Routing: Extend state tool with command to recompute manifest root hash from its textual representation
* Message Routing: Put back executed canisters into canister map
* Networking: Add checks for before accepting the root delegation from the nns..
* Networking: Make the FlowState into PeerState and remove the unneeded flow map.
* Networking: Make the accept_ports into Option
* Networking: Mock the TlsHandshake trait
* Networking: Rename flow_label to more appropriate name peer_label
* Node: Build bootloader without docker and move to common directory
* Node: Use DNS based NNS_URL instead of hard-coded node addresses
* Node: verity-protected rootfs for ic-os
* Orchestrator: Add every_n_seconds to spammy logs
* Orchestrator: Check subnet readiness
* Orchestrator: Increase WaitForCUP timeout
* Orchestrator: Registry Replicator Binary
* Orchestrator: Remove shortcuts from orchestrator
* Orchestrator: Retry curl
* Orchestrator: Terminate the orchestrator dashboard on an exit signal
* Orchestrator: Use a generic name for image files
* Orchestrator: Use channels to watch for exit signal and cancel sleeping tasks
* Runtime: Implement DTS Scheduler
* Runtime: Improve IC00 routing errors
* Runtime: Put compute allocation in round limits
* Runtime: Reduce the heap delta limit

And a complete list of changes can of course be found on GitHub.
Please reply to this message if you have any questions or comments.

2 Likes