Bumps [clap](https://github.com/clap-rs/clap) from 4.5.42 to 4.5.48. - [Release notes](https://github.com/clap-rs/clap/releases) - [Changelog](https://github.com/clap-rs/clap/blob/master/CHANGELOG.md) - [Commits](clap-rs/clap@clap_complete-v4.5.42...clap_complete-v4.5.48) --- updated-dependencies: - dependency-name: clap dependency-version: 4.5.48 dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com>
Signed-off-by: Tyler Fanelli <tfanelli@redhat.com>
With the move to ITA v2 appraisal API that supports composite evidence, the token claim paths got changed. The claims we used previously are now under 'tdx'. Signed-off-by: Mikko Ylinen <mikko.ylinen@intel.com>
Update the rust-ear dependency to latest version. Signed-off-by: Tyler Fanelli <tfanelli@redhat.com>
CompositeEvidence, RuntimeData, and InitData were all being deserialized with each KBS attestation request. Therefore, they were further integrated into the KBS protocol and added to kbs-types. Update kbs-types and use its definitions of these structs. Signed-off-by: Tyler Fanelli <tfanelli@redhat.com>
kbs-types 0.14.0 included changes in which the Azure vTPM strings were hyphenated. Signed-off-by: Tyler Fanelli <tfanelli@redhat.com>
kbs-types 0.14.0 included changes in which the Azure vTPM strings were hyphenated. Signed-off-by: Tyler Fanelli <tfanelli@redhat.com>
Updated guest-components to a revision that is using the same kbs-types version. Signed-off-by: Magnus Kulke <magnuskulke@microsoft.com>
Signed-off-by: Tyler Fanelli <tfanelli@redhat.com>
Signed-off-by: Tyler Fanelli <tfanelli@redhat.com>
Signed-off-by: Tyler Fanelli <tfanelli@redhat.com>
Signed-off-by: Tyler Fanelli <tfanelli@redhat.com>
Currently the docker compose deployment uses non-secure token keys. As more people use the docker compose deployment with real use cases (rather than development, as it was first intended), let's enable secure tokens. We may want to rework the setup container and move this code into a script, but for now let's just add the logic here. Signed-off-by: Tobin Feldman-Fitzthum <tfeldmanfitz@nvidia.com>
The IBM Z docs seem to have been re-organised, so update the links to try and point to the new versions. Signed-off-by: stevenhorsman <steven@uk.ibm.com>
Remove the `set_default` calls when building KbsConfig from a file. Add the `#[serde(default)]` to KbsConfig to leverage the defaults already implemented for the children structs. Signed-off-by: Camilla Conte <cconte@redhat.com>
Implements two commands: - Run, to launch the API Server in the foreground. - Keygen, to generate a new admin key pair. Signed-off-by: Camilla Conte <cconte@redhat.com>
Co-authored-by: Claude <noreply@anthropic.com> Signed-off-by: Camilla Conte <cconte@redhat.com>
Signed-off-by: Leonardo Milleri <lmilleri@redhat.com>
Similar to our extractors, the verifiers can now optionally take a configuration file. This config is not used to enable/disable the verifiers. This is done by the rust features. Instead, this is to specify any configuration information that might be needed by a verifier. Currently only the nvidia verifier has any such configuration (which doesn't do anything yet). We probably should use this for the CCA verifier, which has its own separate config file. This will be left to another PR. Signed-off-by: Tobin Feldman-Fitzthum <tfeldmanfitz@nvidia.com>
Use remote NRAS service to validate NVIDIA devices. By default we will continue to use the local verifier because users are expected to enter a licensing agreement with NVIDIA to use NRAS. Once they've done that, they can switch to the remote verifier, which uses NRAS. Signed-off-by: Tobin Feldman-Fitzthum <tfeldmanfitz@nvidia.com>
The remote NVIDIA verifier handles the RIMs for the user and does not expose the raw measurements as TCB Claims. Instead, there are several claims relating to the attestation process, such as whether the cert chain is valid, whether a rim could be found for the driver version, etc. NRAS does provide an overall boolean attestation result, but rather than using this, let's use the other claims to calculate the AR4SI vector. No reference values are required to use this policy, but you can specify allowed driver and vbios versions, which will be checked. Signed-off-by: Tobin Feldman-Fitzthum <tfeldmanfitz@nvidia.com>
Add a readme describing some of the differences between the local and remote verifier and linking to the EULA. Signed-off-by: Tobin Feldman-Fitzthum <tfeldmanfitz@nvidia.com>
It expects trusted AK public keys to be pre-configured to verify
the quote sent from the client
Example configuration:
```json
{
  "verifier_config": {
    "tpm_verifier": {
      "trusted_ak_keys_dir": "/etc/tpm/trusted_ak_keys",
      "max_trusted_ak_keys": 100
    }
  }
}
```
Assisted by: AI in coming up with a lazy iterator for optimally reading
the public keys from a directory
Signed-off-by: Pradipta Banerjee <pradipta.banerjee@gmail.com>
Signed-off-by: Alice Frosi <afrosi@redhat.com>
Sets up TPM using swtpm emulator to run the tests. You'll need root privileges to run this test. This is because setup-swtpm needs access to statedir /var/lib/swtpm-localca that is owned by swtpm:root. Likewise the tpm device created is owned by tss:root.
```
make install-swtpm-dependencies setup-swtpm
export TEE=tpm
sudo -E TEE=$TEE make test-bgcheck
```
Signed-off-by: Pradipta Banerjee <pradipta.banerjee@gmail.com>
Ignore the error for now. Add a FIXME note Signed-off-by: Pradipta Banerjee <pradipta.banerjee@gmail.com>
Builds fail with the error "Can't locate Time/Piece.pm in @inc" Signed-off-by: Pradipta Banerjee <pradipta.banerjee@gmail.com>
The tdx v6 instances are available in the CoCo subscription now. Signed-off-by: Magnus Kulke <magnuskulke@microsoft.com>
Bumps [env_logger](https://github.com/rust-cli/env_logger) from 0.10.2 to 0.11.8. - [Release notes](https://github.com/rust-cli/env_logger/releases) - [Changelog](https://github.com/rust-cli/env_logger/blob/main/CHANGELOG.md) - [Commits](rust-cli/env_logger@v0.10.2...v0.11.8) --- updated-dependencies: - dependency-name: env_logger dependency-version: 0.11.8 dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com>
Make sure that the admin endpoints cannot be accessed when using the wrong admin key. Signed-off-by: Tobin Feldman-Fitzthum <tfeldmanfitz@nvidia.com>
AR4SI trust vector names are using `-`. However, rego policy does not support variable names like `file-system`, thus we can only use `file_system` as variable names. This patch uses a map "result" to use the `file-system` like member names to align with the ar4si standard. Note that regorus does not support eval rule like
```
data.policy.result["file-system"]
```
thus we only eval rule `data.policy.result` and process it in the code logic. Fixes confidential-containers#972 Signed-off-by: Xynnn007 <xynnn@linux.alibaba.com>
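The code-side step that commit message describes (evaluate `data.policy.result` once, then read the hyphenated members in code), sketched as an added example that is not the project's own code. The `PolicyResult` alias, the `policy_result` and `trust_vector` helpers, the choice to reject unknown member names, and the sample values are all assumptions made for illustration.

```rust
use std::collections::BTreeMap;

/// The eight AR4SI trustworthiness claim names, hyphenated as in the standard.
const AR4SI_CLAIMS: [&str; 8] = [
    "instance-identity", "configuration", "executables", "file-system",
    "hardware", "runtime-opaque", "storage-opaque", "sourced-data",
];

/// Hypothetical stand-in for the object `data.policy.result` evaluates to,
/// e.g. from a policy ending in:
///   result := {"executables": executables, "file-system": file_system}
type PolicyResult = BTreeMap<String, i64>;

/// Helper (hypothetical) to build a constructed policy result.
fn policy_result(pairs: &[(&str, i64)]) -> PolicyResult {
    pairs.iter().map(|(k, v)| (k.to_string(), *v)).collect()
}

/// Build the trust vector from the evaluated map. Unknown member names are
/// rejected so a rule exported as `file_system` is not silently dropped,
/// and every value must fit the int8 range AR4SI uses.
fn trust_vector(result: &PolicyResult) -> Result<BTreeMap<&'static str, i8>, String> {
    // Claims the policy does not set stay at 0 (no claim being made).
    let mut vector: BTreeMap<&'static str, i8> =
        AR4SI_CLAIMS.iter().map(|name| (*name, 0i8)).collect();
    for (name, value) in result {
        let slot = vector
            .get_mut(name.as_str())
            .ok_or_else(|| format!("unknown AR4SI claim: {}", name))?;
        *slot = i8::try_from(*value)
            .map_err(|_| format!("claim {} out of int8 range: {}", name, value))?;
    }
    Ok(vector)
}

fn main() {
    // Constructed sample values, not taken from the project.
    let result = policy_result(&[("executables", 3), ("hardware", 2), ("file-system", 35)]);
    println!("{:?}", trust_vector(&result));
}
```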
/retest
Caution There are some errors in your PipelineRun template.
lmilleri commented Feb 2, 2026
Signed-off-by: Leonardo Milleri <lmilleri@redhat.com>
Signed-off-by: Leonardo Milleri <lmilleri@redhat.com>
Signed-off-by: Leonardo Milleri <lmilleri@redhat.com>
Signed-off-by: Leonardo Milleri <lmilleri@redhat.com>
Signed-off-by: Leonardo Milleri <lmilleri@redhat.com>
Workaround to fix the build due to openssl incompatibility Signed-off-by: Leonardo Milleri <lmilleri@redhat.com>
Signed-off-by: Leonardo Milleri <lmilleri@redhat.com>
Signed-off-by: Leonardo Milleri <lmilleri@redhat.com>
dbkreling approved these changes Feb 4, 2026
dbkreling left a comment
I also added a comment about commenting on three revert commits that are in this PR, for the case there's a need to clarify their reasons for the future.
But that's nothing I see that prevents my approval.
I will trust the dependabot changes are working OK, supported by the test results on this PR. Approving.
kbs/docker/rhel-ubi/Dockerfile
Outdated
|
|
||
| # Package UBI image. | ||
| FROM registry.access.redhat.com/ubi9 | ||
| FROM registry.access.redhat.com/ubi10:10.1-1767602397 |
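Review bot: The `FROM registry.access.redhat.com/ubi10:10.1-1767602397` line pins the base image by tag only, so the build still relies on the registry keeping that tag pointed at the same content. Consider appending the image digest after the tag (`...ubi10:10.1-1767602397@sha256:<digest>`, placeholder shown) so the base layer is content-addressed and a change to it shows up as a reviewable diff, and add a short comment above the line saying how and when the pin is expected to be refreshed for CVE fixes.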
These versions, although providing more control, require more attention in case the image is affected by a CVE, an unavoidable trade-off. Just pointing out to highlight our approach.
List of changes: