fix(deps): update rust crate ear to 0.4.0 #126
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
![red-hat-konflux[bot]](https://avatars.githubusercontent.com/in/296509?s=80&v=4){kind=small}
Git history will be rewritten to a fresh start Next backport will be done as a rebase operation (with "git push --force-with-lease" on the main downstream branch) Note: Prometheus first PR has been cherry-picked Signed-off-by: Leonardo Milleri <[email protected]>
Signed-off-by: red-hat-konflux <126015336+red-hat-konflux[bot]@users.noreply.github.com>
Signed-off-by: red-hat-konflux <126015336+red-hat-konflux[bot]@users.noreply.github.com>
Signed-off-by: red-hat-konflux <126015336+red-hat-konflux[bot]@users.noreply.github.com>
Updated the VIRTEE SEV crate dependency in the verifier to version 6.1.0. This release adds support for newer versions of the AMD attestation report. Starting with version 3 of the report, we can identify the EPYC processor generation used by the host, allowing us to select the correct certificate chain for attestation verification. Additional TCB fields introduced with the Turin generation are now supported. We’ve also added logic to request the VCEK from the KDS for all supported generations. To prevent ambiguity during attestation, we have bumped the minimum supported attestation report version to 3. Reports from earlier versions lack the necessary information to determine the correct certificate chain. We removed some of the previous custom verification logic and now use the built-in verification methods provided by the SEV crate. This allows us to offload maintenance of verification logic and simplifies future updates—just a dependency bump should suffice. Lastly, we refactored the certificate chain logic. Previously, we carried two chains—one from stored certs and another from user-provided input. We’ve now simplified this to use a single chain: if the user provides certs via extended attestation, those are used; otherwise, the verifier defaults to the stored certificates. Vendored Certs are still being loaded using a static lazylock as a hashmap when SNP is initialized, that way the verifier can grab the appropriate cert chain when needed for attestation without the need of additional memory copies. Can just reference it whenever it's needed. Signed-off-by: DGonzalezVillal <[email protected]>
Since the az_snp_vtpm verifier depends on both the az_snp_vtpm crate and the VIRTEE SEV crate, bumping the VIRTEE SEV version introduces a mismatch between the attestation report types generated by the Azure crate and the SEV crate. This commit updates the az_snp_vtpm verifier to rely solely on the report and certificates provided by the Azure SNP crate to avoid this mismatch. Note: This change restores compatibility between az_snp_vtpm and the updated SEV crate, but does not add support for newer processor generations. To support those, the az_snp_vtpm crate will need to be updated to handle the newer attestation reports and integrate with the latest VIRTEE SEV release. Signed-off-by: DGonzalezVillal <[email protected]>
Bumping the guest components dependency to support the latest snp attestation. Also fixed async dependency issue between latest guest components and Trustee. Fixed attestation-service evidence.json for Generate Evidence Dynamically=False test. Added a rust test for that json evidence to confirm it's working without having to launch e2e testing. Also updated the test VLEK report and the test VLEK certificate to a supported version. Signed-off-by: DGonzalezVillal <[email protected]>
Update `az-snp-vtpm` and `az-tdx-vtpm` from `0.7.1` to `0.7.4` and fix attestation report verification. The key changes include: - Replaced the signature verification logic that used `offset_of` and `bincode::serialize` with the new `report.write_bytes()` method provided by sev 6.2.1. - Fixed report.chip_id usage by dereferencing array Signed-off-by: Yan Fu <[email protected]>
Co-authored-by: Magnus Kulke <[email protected]> Signed-off-by: Yan Fu <[email protected]>
Signed-off-by: red-hat-konflux <126015336+red-hat-konflux[bot]@users.noreply.github.com>
Bumped sev version to 6.2.1. guest-components uses crate https://github.com/virtee/sev for interacting with the snp HW. guest-components v0.12.0 and v0.13.0 use sev version = "4.0.0" guest-components v0.14.0 uses sev version = "6.2.1" sev 6.2.1 introduces a fix for attestation report version >=3 Signed-off-by: Leonardo Milleri <[email protected]>
Backport SNP upstream PRs and fix attestation genoa cpu
Signed-off-by: Leonardo Milleri <[email protected]>
chore(deps): update dependency go to v1.25.0
…org-x-sys-0.x chore(deps): update module golang.org/x/sys to v0.36.0
Signed-off-by: red-hat-konflux <126015336+red-hat-konflux[bot]@users.noreply.github.com>
…s-0.x chore(deps): update rust crate serde_qs to 0.15.0
Signed-off-by: red-hat-konflux <126015336+red-hat-konflux[bot]@users.noreply.github.com>
chore(deps): update rust crate rstest to 0.26.0
chore(deps): update konflux references
Restored a Pr from mintmaker Signed-off-by: Leonardo Milleri <[email protected]>
…-0.x Update regorus version
Signed-off-by: red-hat-konflux <126015336+red-hat-konflux[bot]@users.noreply.github.com>
…ger-0.x chore(deps): update rust crate env_logger to 0.11.0
Signed-off-by: red-hat-konflux <126015336+red-hat-konflux[bot]@users.noreply.github.com>
chore(deps): update rust crate config to 0.15.0
Signed-off-by: red-hat-konflux <126015336+red-hat-konflux[bot]@users.noreply.github.com>
Edited/Blocked NotificationRenovate will not automatically rebase this PR, because it does not recognize the last commit author and assumes somebody else may have edited the PR. You can manually request rebase by checking the rebase/retry box above. |
openshift-merge-robot
added
the
needs-rebase
|
PR needs rebase. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
4 participants
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This PR contains the following updates:
0.3.0->0.4.00.3.0->0.4.0Release Notes
veraison/rust-ear (ear)
v0.4.0Compare Source
What's Changed
clippy/fmtfixes by @setrofim in #42Full Changelog: veraison/rust-ear@v0.3.0...v0.4.0
Configuration
📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about these updates again.
To execute skipped test pipelines write comment
/ok-to-test.This PR has been generated by MintMaker (powered by Renovate Bot).