fix(deps): update rust crate cryptoki to 0.10.0 - abandoned#124
Open
red-hat-konflux[bot] wants to merge 27 commits intomainfrom
Git history will be rewritten to a fresh start.

Next backport will be done as a rebase operation (with "git push --force-with-lease" on the main downstream branch).

Note: Prometheus first PR has been cherry-picked.

Signed-off-by: Leonardo Milleri <lmilleri@redhat.com>
Signed-off-by: red-hat-konflux <126015336+red-hat-konflux[bot]@users.noreply.github.com>
Signed-off-by: red-hat-konflux <126015336+red-hat-konflux[bot]@users.noreply.github.com>
Signed-off-by: red-hat-konflux <126015336+red-hat-konflux[bot]@users.noreply.github.com>
Updated the VIRTEE SEV crate dependency in the verifier to version 6.1.0. This release adds support for newer versions of the AMD attestation report. Starting with version 3 of the report, we can identify the EPYC processor generation used by the host, allowing us to select the correct certificate chain for attestation verification. Additional TCB fields introduced with the Turin generation are now supported. We've also added logic to request the VCEK from the KDS for all supported generations.

To prevent ambiguity during attestation, we have bumped the minimum supported attestation report version to 3. Reports from earlier versions lack the necessary information to determine the correct certificate chain.

We removed some of the previous custom verification logic and now use the built-in verification methods provided by the SEV crate. This allows us to offload maintenance of verification logic and simplifies future updates: just a dependency bump should suffice.

Lastly, we refactored the certificate chain logic. Previously, we carried two chains, one from stored certs and another from user-provided input. We've now simplified this to use a single chain: if the user provides certs via extended attestation, those are used; otherwise, the verifier defaults to the stored certificates. Vendored certs are still being loaded using a static LazyLock as a hashmap when SNP is initialized; that way the verifier can grab the appropriate cert chain when needed for attestation without the need for additional memory copies. It can just reference it whenever it's needed.

Signed-off-by: DGonzalezVillal <Diego.GonzalezVillalobos@amd.com>
Since the az_snp_vtpm verifier depends on both the az_snp_vtpm crate and the VIRTEE SEV crate, bumping the VIRTEE SEV version introduces a mismatch between the attestation report types generated by the Azure crate and the SEV crate. This commit updates the az_snp_vtpm verifier to rely solely on the report and certificates provided by the Azure SNP crate to avoid this mismatch.

Note: This change restores compatibility between az_snp_vtpm and the updated SEV crate, but does not add support for newer processor generations. To support those, the az_snp_vtpm crate will need to be updated to handle the newer attestation reports and integrate with the latest VIRTEE SEV release.

Signed-off-by: DGonzalezVillal <Diego.GonzalezVillalobos@amd.com>
Bumping the guest components dependency to support the latest SNP attestation. Also fixed an async dependency issue between the latest guest components and Trustee.

Fixed attestation-service evidence.json for the Generate Evidence Dynamically=False test. Added a Rust test for that JSON evidence to confirm it's working without having to launch e2e testing. Also updated the test VLEK report and the test VLEK certificate to a supported version.

Signed-off-by: DGonzalezVillal <Diego.GonzalezVillalobos@amd.com>
Update `az-snp-vtpm` and `az-tdx-vtpm` from `0.7.1` to `0.7.4` and fix attestation report verification. The key changes include:

- Replaced the signature verification logic that used `offset_of` and `bincode::serialize` with the new `report.write_bytes()` method provided by sev 6.2.1.
- Fixed `report.chip_id` usage by dereferencing the array.

Signed-off-by: Yan Fu <yafu@redhat.com>
Co-authored-by: Magnus Kulke <mkulke@gmail.com> Signed-off-by: Yan Fu <yafu@redhat.com>
Signed-off-by: red-hat-konflux <126015336+red-hat-konflux[bot]@users.noreply.github.com>
Bumped sev version to 6.2.1.

guest-components uses the crate https://github.com/virtee/sev for interacting with the SNP HW.
guest-components v0.12.0 and v0.13.0 use sev version = "4.0.0"
guest-components v0.14.0 uses sev version = "6.2.1"
sev 6.2.1 introduces a fix for attestation report version >=3

Signed-off-by: Leonardo Milleri <lmilleri@redhat.com>
Backport SNP upstream PRs and fix attestation genoa cpu
Signed-off-by: Leonardo Milleri <lmilleri@redhat.com>
chore(deps): update dependency go to v1.25.0
…org-x-sys-0.x chore(deps): update module golang.org/x/sys to v0.36.0
Signed-off-by: red-hat-konflux <126015336+red-hat-konflux[bot]@users.noreply.github.com>
…s-0.x chore(deps): update rust crate serde_qs to 0.15.0
Signed-off-by: red-hat-konflux <126015336+red-hat-konflux[bot]@users.noreply.github.com>
chore(deps): update rust crate rstest to 0.26.0
chore(deps): update konflux references
Restored a PR from mintmaker

Signed-off-by: Leonardo Milleri <lmilleri@redhat.com>
…-0.x Update regorus version
Signed-off-by: red-hat-konflux <126015336+red-hat-konflux[bot]@users.noreply.github.com>
…ger-0.x chore(deps): update rust crate env_logger to 0.11.0
Signed-off-by: red-hat-konflux <126015336+red-hat-konflux[bot]@users.noreply.github.com>
chore(deps): update rust crate config to 0.15.0
Signed-off-by: red-hat-konflux <126015336+red-hat-konflux[bot]@users.noreply.github.com>
Autoclosing Skipped: This PR has been flagged for autoclosing. However, it is being skipped due to the branch being already modified. Please close/delete it manually or report a bug if you think this is in error.

PR needs rebase.

Details: Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.
Edited/Blocked Notification: Renovate will not automatically rebase this PR, because it does not recognize the last commit author and assumes somebody else may have edited the PR. You can manually request rebase by checking the rebase/retry box above.
This PR contains the following updates:
cryptoki: 0.8.0 -> 0.10.0

Release Notes
parallaxsecond/rust-cryptoki (cryptoki)
v0.10.0 (Compare Source)
Full Changelog
v0.9.0 (Compare Source)
Full Changelog
Implemented enhancements:
Closed issues:
- `Result<bool>` instead of `Result<()>` #254
- `is_fn_supported()` always returns `true` #155

Merged pull requests:
Configuration
📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
To execute skipped test pipelines write the comment /ok-to-test.

This PR has been generated by MintMaker (powered by Renovate Bot).