chore(deps): update rust crate shadow-rs to 0.38.0 - abandoned #119
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
![red-hat-konflux[bot]](https://avatars.githubusercontent.com/in/296509?s=80&v=4){kind=small}
Git history will be rewritten to a fresh start Next backport will be done as a rebase operation (with "git push --force-with-lease" on the main downstream branch) Note: Prometheus first PR has been cherry-picked Signed-off-by: Leonardo Milleri <[email protected]>
Signed-off-by: red-hat-konflux <126015336+red-hat-konflux[bot]@users.noreply.github.com>
Signed-off-by: red-hat-konflux <126015336+red-hat-konflux[bot]@users.noreply.github.com>
Signed-off-by: red-hat-konflux <126015336+red-hat-konflux[bot]@users.noreply.github.com>
Updated the VIRTEE SEV crate dependency in the verifier to version 6.1.0. This release adds support for newer versions of the AMD attestation report. Starting with version 3 of the report, we can identify the EPYC processor generation used by the host, allowing us to select the correct certificate chain for attestation verification. Additional TCB fields introduced with the Turin generation are now supported. We’ve also added logic to request the VCEK from the KDS for all supported generations. To prevent ambiguity during attestation, we have bumped the minimum supported attestation report version to 3. Reports from earlier versions lack the necessary information to determine the correct certificate chain. We removed some of the previous custom verification logic and now use the built-in verification methods provided by the SEV crate. This allows us to offload maintenance of verification logic and simplifies future updates—just a dependency bump should suffice. Lastly, we refactored the certificate chain logic. Previously, we carried two chains—one from stored certs and another from user-provided input. We’ve now simplified this to use a single chain: if the user provides certs via extended attestation, those are used; otherwise, the verifier defaults to the stored certificates. Vendored Certs are still being loaded using a static lazylock as a hashmap when SNP is initialized, that way the verifier can grab the appropriate cert chain when needed for attestation without the need of additional memory copies. Can just reference it whenever it's needed. Signed-off-by: DGonzalezVillal <[email protected]>
Since the az_snp_vtpm verifier depends on both the az_snp_vtpm crate and the VIRTEE SEV crate, bumping the VIRTEE SEV version introduces a mismatch between the attestation report types generated by the Azure crate and the SEV crate. This commit updates the az_snp_vtpm verifier to rely solely on the report and certificates provided by the Azure SNP crate to avoid this mismatch. Note: This change restores compatibility between az_snp_vtpm and the updated SEV crate, but does not add support for newer processor generations. To support those, the az_snp_vtpm crate will need to be updated to handle the newer attestation reports and integrate with the latest VIRTEE SEV release. Signed-off-by: DGonzalezVillal <[email protected]>
Bumping the guest components dependency to support the latest snp attestation. Also fixed async dependency issue between latest guest components and Trustee. Fixed attestation-service evidence.json for Generate Evidence Dynamically=False test. Added a rust test for that json evidence to confirm it's working without having to launch e2e testing. Also updated the test VLEK report and the test VLEK certificate to a supported version. Signed-off-by: DGonzalezVillal <[email protected]>
Update `az-snp-vtpm` and `az-tdx-vtpm` from `0.7.1` to `0.7.4` and fix attestation report verification. The key changes include: - Replaced the signature verification logic that used `offset_of` and `bincode::serialize` with the new `report.write_bytes()` method provided by sev 6.2.1. - Fixed report.chip_id usage by dereferencing array Signed-off-by: Yan Fu <[email protected]>
Co-authored-by: Magnus Kulke <[email protected]> Signed-off-by: Yan Fu <[email protected]>
Bumped sev version to 6.2.1. guest-components uses crate https://github.com/virtee/sev for interacting with the snp HW. guest-components v0.12.0 and v0.13.0 use sev version = "4.0.0" guest-components v0.14.0 uses sev version = "6.2.1" sev 6.2.1 introduces a fix for attestation report version >=3 Signed-off-by: Leonardo Milleri <[email protected]>
Backport SNP upstream PRs and fix attestation genoa cpu
Signed-off-by: Leonardo Milleri <[email protected]>
chore(deps): update dependency go to v1.25.0
…org-x-sys-0.x chore(deps): update module golang.org/x/sys to v0.36.0
Signed-off-by: red-hat-konflux <126015336+red-hat-konflux[bot]@users.noreply.github.com>
red-hat-konflux
bot
changed the title
Autoclosing SkippedThis PR has been flagged for autoclosing. However, it is being skipped due to the branch being already modified. Please close/delete it manually or report a bug if you think this is in error. |
openshift-merge-robot
added
the
needs-rebase
|
PR needs rebase. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
4 participants
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This PR contains the following updates:
0.19.0->0.38.0Release Notes
baoyachi/shadow-rs (shadow-rs)
v0.38.1Compare Source
What's Changed
New Contributors
Full Changelog: baoyachi/shadow-rs@v0.38.0...v0.38.1
v0.38.0Compare Source
What's Changed
Full Changelog: baoyachi/shadow-rs@v0.37.0...v0.38.0
v0.37.0Compare Source
What's Changed
Full Changelog: baoyachi/shadow-rs@v0.36.1...v0.37.0
v0.36.1Compare Source
What's Changed
Full Changelog: baoyachi/shadow-rs@v0.36.0...v0.36.1
v0.36.0Compare Source
What's Changed
Full Changelog: baoyachi/shadow-rs@v0.35.2...v0.36.0
v0.35.2Compare Source
What's Changed
Full Changelog: baoyachi/shadow-rs@v0.35.1...v0.35.2
v0.35.1Compare Source
What's Changed
Full Changelog: baoyachi/shadow-rs@v0.35.0...v0.35.1
v0.35.0Compare Source
What's Changed
New Contributors
Full Changelog: baoyachi/shadow-rs@v0.34.0...v0.35.0
v0.34.0Compare Source
What's Changed
Full Changelog: baoyachi/shadow-rs@v0.33.0...v0.34.0
v0.33.0Compare Source
What's Changed
New Contributors
Full Changelog: baoyachi/shadow-rs@v0.32.0...v0.33.0
v0.32.0: Changing Git CLI is not necessaryCompare Source
ref: #174
fix #173
v0.31.1: [Improvement] Correct git command directoryCompare Source
ref: #170
Thx @MichaelScofield
v0.31.0: Make build_with function publicCompare Source
ref:#169
Thx @MichaelScofield
v0.30.0: Fix git generated value to be emptyCompare Source
v0.29.0: Bump git2 versionCompare Source
#161
Thx @jewlexx
v0.28.0: fix cargo clippyCompare Source
#160
Thx @qartik
v0.27.1: Enhance Document ReadabilityCompare Source
fix #150
v0.27.0: fix cargo clippyCompare Source
#154 #159
Thx @thinkgos
v0.26.1: improve test caseCompare Source
#148
v0.26.0: Update tzdb to 0.6.0Compare Source
Thx @Kijewski #146
v0.25.0: wasm supported.Compare Source
v0.24.1: allow cargo clippy all checkCompare Source
fix #143
v0.24.0: cargo clippy checkCompare Source
#142 #141
v0.23.0: remove cargo metadataCompare Source
v0.22.0: Overhaul documentationCompare Source
#134 #136
Thx @kleinesfilmroellchen
v0.21.0: add last tagCompare Source
#130
v0.20.1: Optimization: fix cargo clippy warningCompare Source
#128 #129
v0.20.0: Add deny constCompare Source
fix #114
Configuration
📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
To execute skipped test pipelines write comment
/ok-to-test.This PR has been generated by MintMaker (powered by Renovate Bot).