Releases: google/go-sev-guest

v0.11.1

19 Mar 00:08
05c9303

The AMD KDS produces an incorrect productName extension for Milan and Genoa machines.
While we wait for it to be fixed, any verification that fails due to productName mismatch should set -workaround_kds_productname.

What's Changed

  • Update handling of productName and add a temporary workaround by @deeglaze in #116
  • Clean up internal deprecated interface uses by @deeglaze in #117
  • Skip negative cpuid test when on SNP hardware by @deeglaze in #118
  • Bump google.golang.org/protobuf from 1.31.0 to 1.33.0 by @dependabot in #121
  • Add fake signer support for extra certs by @deeglaze in #122
  • Add some nil checking to validate.go by @deeglaze in #119

Full Changelog: v0.11.0...v0.11.1

v0.11.0

22 Feb 20:56
afdf0b4

The new QuoteProvider interface will automatically extend the auxblob to include an entry that details the machine's product information. This is useful when the cached VCEK is missing, since that certificate's productName extension is the only other place that information could be found from the AMD-generated artifacts (report and cert).

The other change here is minor with respect to CertTableOptions in validate. A required entry must have its verification function fail on an empty blob for the requirement to be fatal. This allows for a missing blob to drive a network-based fallback before the option fails entirely.

What's Changed

  • Add SevProduct raw cert representation. by @deeglaze in #110
  • Allow certentry Validate to fail before error by @deeglaze in #111
  • Only add extra product info if vcek cert missing by @deeglaze in #112
  • Use protocmp for binary proto comparison by @deeglaze in #113

Full Changelog: v0.10.2...v0.11.0

v0.10.2

08 Feb 23:35
312e524

Minor changes and a bug fix for ioctl-based guests.

Full Changelog: v0.10.1...v0.10.2

v0.10.1

18 Jan 17:50
f912a0a

Minor patch release to fix deprecation notices for tooling and to fix a bug with GetLeveledQuoteProvider's return type.

v0.10.0

16 Jan 23:20
869dc68

The main change for this release is the added support for the configfs-tsm API for collecting the attestation report.

This is the last release to support the ioctl-based attestation report commands, though MSG_KEY_REQ will still use the Device interface. The new interfaces are now QuoteProvider and LeveledQuoteProvider, which return the raw attestation report concatenated with the certificate table. The abi.ReportCertsToProto function can translate the result into an SnpAttestation protocol buffer.
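The layout described above, as an added example (not go-sev-guest's own code): a bounds-checked split of a raw quote into the 0x4A0-byte report and its certificate table entries. It assumes the GHCB table layout of a 16-byte GUID, 32-bit offset and 32-bit length per entry with an all-zero terminating entry; `SplitQuote` and `SampleQuote` are hypothetical names and the sample quote is constructed.

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
)

const reportSize = 0x4A0 // fixed size of an SEV-SNP attestation report
const entrySize = 24     // table entry: 16-byte GUID, uint32 offset, uint32 length

// SplitQuote (hypothetical helper) splits report||certificate table and
// bounds-checks every entry. Offsets are relative to the start of the table.
func SplitQuote(quote []byte) ([]byte, map[[16]byte][]byte, error) {
	if len(quote) < reportSize {
		return nil, nil, errors.New("quote shorter than an attestation report")
	}
	report, table := quote[:reportSize], quote[reportSize:]
	certs := map[[16]byte][]byte{}
	for pos := 0; pos+entrySize <= len(table); pos += entrySize {
		var guid [16]byte
		copy(guid[:], table[pos:pos+16])
		off := uint64(binary.LittleEndian.Uint32(table[pos+16:]))
		n := uint64(binary.LittleEndian.Uint32(table[pos+20:]))
		if guid == ([16]byte{}) && off == 0 && n == 0 {
			return report, certs, nil // all-zero entry terminates the header
		}
		if off+n > uint64(len(table)) {
			return nil, nil, fmt.Errorf("entry %x exceeds table bounds", guid)
		}
		certs[guid] = table[off : off+n]
	}
	return nil, nil, errors.New("certificate table header is not terminated")
}

// SampleQuote builds a constructed quote: zeroed report, one entry, terminator.
func SampleQuote(cert []byte) []byte {
	table := make([]byte, 2*entrySize, 2*entrySize+len(cert))
	copy(table, []byte("constructed-guid")) // 16 bytes, not a real GUID
	binary.LittleEndian.PutUint32(table[16:], 2*entrySize)
	binary.LittleEndian.PutUint32(table[20:], uint32(len(cert)))
	return append(make([]byte, reportSize), append(table, cert...)...)
}

func main() {
	_, certs, err := SplitQuote(SampleQuote([]byte("constructed-cert")))
	fmt.Println(len(certs), err)
}
```

A truncated or unterminated table is rejected rather than partially parsed, so a caller never validates a certificate blob that was cut short.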

The following types and functions are marked for deletion:

  • GetRawReport
  • GetRawReportAtVmpl
  • GetReport
  • GetRawExtendedReportAtVmpl
  • GetExtendedReportAtVmpl
  • GetExtendedReport

The SEV-SNP MSG_REPORT_REQ flexibility for selecting your attestation key is not supported by configfs-tsm, so you have to use the default key choice.

Full Changelog: v0.9.3...v0.10.0

v0.9.3

26 Oct 17:36
9a1ad2b

Minor change to testing defaults to make updating go-tpm-tools smoother.

What's Changed

  • Fix SevProduct defaults for downstream testclient by @deeglaze in #95
  • Add product utility unit tests by @deeglaze in #94

Full Changelog: v0.9.2...v0.9.3

v0.9.2

20 Oct 22:02
1a9dbbc

Mostly changes to tests, but some behavior changes related to machine stepping.
This release deprecates the stepping field of the SevProduct in favor of the optional UInt32Value type. The new field is machine_stepping.

Full Changelog: v0.9.1...v0.9.2

v0.9.1

27 Sep 19:11
b062fe4

Bug fix update, including a protobuf field name change to SevProduct: ModelStepping is now just Stepping.

What's Changed

  • Fix internal linter error by @deeglaze in #82
  • fix: function asmCpuid missing Go declaration by @Laisky in #83
  • Fix "modelstepping" handling in verification by @deeglaze in #85

Full Changelog: v0.9.0...v0.9.1

v0.9.0 [Broken, use v0.9.1]

19 Sep 20:16
28d8e00

This release adds a new validation option, CertTableOptions, that is open-ended: it allows extra validation to be added for specified GUID strings. With this change, we deprecate the CertificateChain message's firmware_cert in favor of a general "extras" map.

The extras map contains any "unknown" GUID entries (i.e., unspecified by the GHCB specification) in the certificate table returned by GetExtendedReport. The ASVK remains a special circumstance that AMD's kernel department needs to clarify with AMD's KDS department.

In order for this library to continue to be general purpose, the gce.go constant definition is removed in favor of separating that logic into a different repository that can provide a validation function and GUID constant to pass in as validation options when the user knows to expect GCE-specific certificates.

Full Changelog: v0.8.0...v0.9.0

v0.8.0 [Broken, use v0.9.1]

11 Sep 23:50
ccc7134

The biggest change is VLEK support in the verifier and validator.

What's Changed

  • client: fix Windows builds by @msanft in #74
  • Make test KDS tri-value, deprecate --test_use_kds. by @deeglaze in #75
  • Update dependencies and CI's protobuf version by @deeglaze in #76
  • Add support for validating VLEK certificates by @deeglaze in #67

Full Changelog: v0.7.1...v0.8.0