Releases: google/go-sev-guest
v0.14.1
This is a maintenance release that addresses an issue in our automated release pipeline. There are no functional changes to the go-sev-guest library in this version.
What's Fixed
- CI: Fixed the release workflow, which was failing with a 403 Forbidden error. The workflow's GITHUB_TOKEN has now been granted the necessary contents: write permissions to publish artifacts to GitHub Releases. This change unblocks all future releases.
v0.14.0
This release aligns the SEV-SNP attestation report structure with the latest AMD SEV-SNP ABI specification (Rev 1.58), adding support for launch mitigation vector fields. This ensures compatibility with the newest firmware and allows for correct parsing of the LAUNCH_MIT_VECTOR and CURRENT_MIT_VECTOR fields.
What's Changed
- feat: Add mitigation vector fields to SEV-SNP report
v0.13.0
What's Changed
- abi: parse PlatformInfo from v3 report and badram mitigation by @katexochen in #148
- Resolve CI runner failures for ubuntu24.04 by @deeglaze in #151
- GetCrlAndCheckRoot: always verify CRL by @3u13r in #154
- Account for version 4 report from FW 1.55.31 by @deeglaze in #158
Full Changelog: v0.12.1...v0.13.0
v0.12.1
v0.12.0
The main change is support for ATTESTATION_REPORT v3, which was added in SEV-SNP firmware 1.55.22.
What's Changed
- Change uuid dependency to Google's by @deeglaze in #123
- Allow an empty MinimumVersion by @deeglaze in #124
- Update protoc github action and regenerate. by @deeglaze in #128
- Skip old ABI tests for roots without them. by @deeglaze in #129
- add root certs for Genoa by @Freax13 in #127
- Remove dependency github.com/pkg/errors, minor improvements by @katexochen in #125
- Use pre-generated local private keys for default AMD keys by @yawangwang in #130
- client.GetQuoteProvider: return error if none supported by @katexochen in #132
- Reword certTableOptions log.Warning message by @JoshuaKrstic in #133
- Disambiguate SEV-SNP configfs use from other providers by @deeglaze in #135
- Remove ASK/ARK warnings by @deeglaze in #136
- Add more Genoa cert coverage by @deeglaze in #138
- Add flag for default VMPL in GetRawQuote. by @deeglaze in #139
- tools/show: set correct inform by @msanft in #140
- abi: parse v3 attestation reports by @daniel-weisse in #141
- Change FMS fields to a single CPUID_1_EAX formatted field. by @deeglaze in #143
- Revert "Change FMS fields to a single CPUID_1_EAX formatted field." by @deeglaze in #144
- Extend v3 support to KDS and change proto representation by @deeglaze in #145
New Contributors
- @Freax13 made their first contribution in #127
- @katexochen made their first contribution in #125
- @yawangwang made their first contribution in #130
- @JoshuaKrstic made their first contribution in #133
- @daniel-weisse made their first contribution in #141
Full Changelog: v0.11.1...v0.12.0
v0.11.1
The AMD KDS produces an incorrect productName extension for Milan and Genoa machines.
While we wait for it to be fixed, any verification that fails due to productName mismatch should set -workaround_kds_productname.
What's Changed
- Update handling of productName and add a temporary workaround by @deeglaze in #116
- Clean up internal deprecated interface uses by @deeglaze in #117
- Skip negative cpuid test when on SNP hardware by @deeglaze in #118
- Bump google.golang.org/protobuf from 1.31.0 to 1.33.0 by @dependabot in #121
- Add fake signer support for extra certs by @deeglaze in #122
- Add some nil checking to validate.go by @deeglaze in #119
Full Changelog: v0.11.0...v0.11.1
v0.11.0
The new QuoteProvider interface automatically extends the auxblob with an entry that details the machine's product information. This is useful when the cached VCEK is missing, since that certificate's productName extension is the only other place among the AMD-generated artifacts (report and cert) where that information can be found.
The other change is a minor one to CertTableOptions in validate. For a required entry's requirement to be fatal, its verification function must fail on an empty blob. This allows a missing blob to drive a network-based fallback before the option fails entirely.
What's Changed
- Add SevProduct raw cert representation. by @deeglaze in #110
- Allow certentry Validate to fail before error by @deeglaze in #111
- Only add extra product info if vcek cert missing by @deeglaze in #112
- Use protocmp for binary proto comparison by @deeglaze in #113
Full Changelog: v0.10.2...v0.11.0
v0.10.2
Minor changes and a bug fix for ioctl-based guests.
What's Changed
- Allow Ioctl quote provider to have empty certs. by @deeglaze in #104
- Add a 'show' tool and more abi functions by @deeglaze in #105
- Fix tools/lib/report issues by @deeglaze in #106
- Add a warning about default product use by @deeglaze in #107
Full Changelog: v0.10.1...v0.10.2
v0.10.1
v0.10.0
The main change for this release is the added support for the configfs-tsm API for collecting the attestation report.
This is the last release to support the ioctl-based attestation report commands, though MSG_KEY_REQ will still use the Device interface. The new interfaces are now QuoteProvider and LeveledQuoteProvider, which return the raw attestation report concatenated with the certificate table. The abi.ReportCertsToProto function can translate the result into an SnpAttestation protocol buffer.
The following types and functions are marked for deletion:
- GetRawReport
- GetRawReportAtVmpl
- GetReport
- GetRawExtendedReportAtVmpl
- GetExtendedReportAtVmpl
- GetExtendedReport
The SEV-SNP MSG_REPORT_REQ flexibility for selecting your attestation key is not supported by configfs-tsm, so you have to use the default key choice.
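The raw quote described above (the attestation report followed by the certificate table) can be split and bounds-checked with a short parser. This is an added example, not code from go-sev-guest, where abi.ReportCertsToProto does the translation. The 0x4A0-byte report size and the 24-byte table entry layout are assumptions taken from the AMD SEV-SNP ABI and GHCB specifications, and SplitQuote and SampleQuote are hypothetical names.

```go
package main

import (
	"bytes"
	"encoding/binary"
	"errors"
	"fmt"
)

// Assumed from the AMD SEV-SNP ABI and GHCB specs, not from the release notes:
// 0x4A0-byte report, then 24-byte entries (GUID, offset, length), zero entry last.
const reportSize, entrySize = 0x4A0, 24

// SplitQuote (hypothetical helper) returns report version, report, and blobs by GUID.
func SplitQuote(raw []byte) (uint32, []byte, map[string][]byte, error) {
	if len(raw) < reportSize {
		return 0, nil, nil, errors.New("quote shorter than one report")
	}
	report, table := raw[:reportSize], raw[reportSize:]
	certs := map[string][]byte{}
	for i := 0; len(table) > 0; i += entrySize { // an empty table is valid
		if i+entrySize > len(table) {
			return 0, nil, nil, errors.New("cert table has no terminator")
		}
		hdr := table[i : i+entrySize]
		if bytes.Equal(hdr, make([]byte, entrySize)) {
			break // all-zero entry closes the table
		}
		off := uint64(binary.LittleEndian.Uint32(hdr[16:20])) // relative to table start
		end := off + uint64(binary.LittleEndian.Uint32(hdr[20:24]))
		if end > uint64(len(table)) {
			return 0, nil, nil, errors.New("cert entry overruns the buffer")
		}
		certs[fmt.Sprintf("%x", hdr[:16])] = table[off:end]
	}
	return binary.LittleEndian.Uint32(report), report, certs, nil
}

// SampleQuote builds a constructed version-3 quote carrying one 4-byte blob.
func SampleQuote() []byte {
	raw := make([]byte, reportSize+2*entrySize)
	raw[0], raw[reportSize] = 3, 0xAA                       // version 3; made-up GUID
	raw[reportSize+16], raw[reportSize+20] = 2*entrySize, 4 // offset 48, length 4
	return append(raw, "cert"...)
}

func main() {
	v, _, certs, err := SplitQuote(SampleQuote())
	fmt.Println(v, len(certs), err)
}
```

A quote that contains only the report, with no certificate table at all, parses without error and yields no entries.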
What's Changed
- Bump golang.org/x/crypto from 0.13.0 to 0.17.0 by @dependabot in #96
- Remove embedded cert warning. by @deeglaze in #98
- Add configfs-tsm support for attestation reports by @deeglaze in #99
New Contributors
- @dependabot made their first contribution in #96
Full Changelog: v0.9.3...v0.10.0