v0.4.5

Breaking Changes

Populate the SNP/TDX Machine State field with the verified SNP/TDX attestation data + use a stable COS image version #463

• Removes verifyGceTechnology export
  Support health monitoring mode for NPD #479
• Changes signature of spec.GetLaunchPolicy

New Features

Add event-log flag to cmd package #423
add custom nonce flag to cmd package token subcommand #451

Bug Fixes

Fix bug dropping CEL in launcher attestations #438
fix invalid check and restore workaround from #72 #435
Error message should return length of digest #436
[launcher] Fix a concurrent TPM access issue #434
Fix releaser.yaml and ci.yml file on macos #444
Refresh SA auth token in signaturediscovery client before fetching container image signatures #449
Fix an uint conversion #452
[launcher] Try to fix cloudbuild for launcher #458
Release lock if generating attestation returns error #475
Add mutex to failing client to prevent concurrent writes #494

Other Changes

Add PKI and LIMITED_AWS token types for VerifyAttestation. #430
Move verifier package to its own submodule #447
Delte files used for AUR packaging #457
Add version information and fix cloudbuild #455
Update go-sev-guest version and API use #445
Update typo in README.md #459
Add SEV-SNP policy for signed UEFI measurements #446
Update gce-tcb-verifier version. #468
[launcher] Optimize serial read in test #470
[launcher] Switch base image to 113 cos #467
Use confidentialcomputing api v1.6.0 to send SEVSNP attestation #472
Adding EV_EVENT_TAG support for PCR9 #471
Update gce-tcb-verifier dependency #485
remove duplicate error check #488
Log detailed errors if refreshing SA credential goes wrong #481
Use confidentialcomputing api v1.6.0 to send TDX attestation #477
Removed experiment flags that we would no longer consider rolling back #483
Add retry to container signature fetch in agent #489
Export function to extract and validate AK from server #492
Override /dev/shm size only when specified #493
Add tempfs experiment and gate mounting behind it #490
Instantiate backoff strategy per goroutine #496
Remove EnableSignedContainerCache + EnableMeasureMemoryMonitor from container launcher #498
Refactor CEL AppendEvent, to support RTMR #486
Change ParseCosCEL* to return an AttestedCosState #501
[launcher] launcher can expose IPv6 ports as well #505
Add the location of the service we are calling to the API error logs #506
Start NPD after LaunchSpec Verification #507
Send client logs with the cloud logging library #474
[launcher] Add DA lockout params when launching #469
[launcher] Merge upstream/tdx_rtmr #513
Bump the go_modules group across 3 directories with 1 update #512
Bump the go_modules group across 4 directories with 1 update #514
Revert "[launcher] Merge upstream/tdx_rtmr (#513)" #516
Apply retry logics in confidential computing API + workload image puller #511
Change container workload's default OOM Score #522
Reduce NPD full config #520
Add client-side experiment for NPD Health Monitoring config #525
Bump go-sev-guest to v0.12.1 #527
Add AWS Principal Tag type to launcher #515

New Contributors

@savely-krasovsky in #435
@hkolvenbach in #436
@liamjm in #459

v0.4.4

Breaking Changes:

[launcher/cmd] Refactor verifier for issue #419

• Unexport cmd.Instance, cmd.MetadataServer, cmd.NewMetadataServer.
• Move package verifier from launcher to go-tpm-tools.
  • verifier.Client, verifier.Challenge, etc.
• Move package fake from launcher to go-tpm-tools.
  • fake.Claims, fake.NewClient, etc.
• Move package rest from launcher to go-tpm-tools.
  • rest.NewClient, rest.BadRegionError, etc.

New Features:

[cmd] Add new command token in the CLI tool #375
[cmd] add records to cloud logging when fetching token from attestation verifier #417

Bug Fixes:

Statically link binaries built by goreleaser #425

Other Changes:

Update readme to gotpm CLI instructions. #424, #426

New Contributors:
@Ruide in #375
@qinkunbao in #424

v0.4.3

New Features:

[launcher] Add TEE server IPC implementation #367
[launcher] Enable memory monitoring in CS #391
Use TDX quote provider to attest and verify #405
Integrate nonce verification as part of the TDX quote validation procedure. #395
Add RISC V support #407
[launcher] Use resizable integrity-fs with in-memory tags #412

Bug Fixes:

[launcher] Fix launcher exit code #384
[launcher] Handle exit code checking during deferral evaluation #392
[cmd] Skip tests that call setGCEAKTemplate #402
[launcher] Fix teeserver context reset issue & add container signature cache #397
Set all unused parameters as _ to fix CI lint failure #411
[launcher] Make customtoken test sleep to mitigate clock skew #413

Other Changes:

Add eventlog parse logics for memory monitoring #404
[launcher]: Add memory monitor measurement logics #408
Update go-tdx-guest version to v0.3.1 #414

New Contributors:

@KeithMoyer in #392
@vbalain in #405
@aimixsaka in #407

Release v0.4.2

New Features:

[launcher] Add experiment support #352
[launcher] Integrate signature discovery client into attestation agent #343

Bug Fixes:

Make launcher host tmp directory before experiment fetch #363

Other Changes:

[launcher] Print kernel cmdline on builds #268
Import latest version of go-tdx-guest #373
[launcher] Print signature details instead of signature object #374
[launcher] Add image tests for the experiments binary #378
Update go-sev-guest to v0.9.3 #381

Release v0.4.1

New Features:

[launcher] Verify FS and mount before launch #311
Integration of go-tpm-tools with go-tdx-guest #347

Intra-release Breaking Changes:

Add launcherfile package for path and file consts #356 breaks #333

Bug Fixes:

[launcher] Update the token refresh logic #325
[launcher] Fix logging blocking issue #338

Other Changes:

[launcher] Add a new metadata flag of signedImageRepos #320
Update go-sev-guest to v0.7.0 #329
[launcher] Add SSH test for image. #314
Add supported architectures to ci.yml #330
Fix the go version number error #326
[launcher] Signature discovery: fetch a signed image manifest at for parsing #324
[launcher] Export attestation token filepath and filename #333
[launcher] Increase the max file descriptor #339
[launcher] Add a signature interface and a library to parse signature from image manifest #328
Rename TdxVerify function to TdxQuote in server package. #353
[launcher] Use V1 SDK in launcher verifier client #305
Update and tidy dependencies #344

New Contributors

@yawangwang in #320
@Jingshui1037 and @hustliyilin in #326
@jrjatin in #353

test release

Merge pull request #338 from alexmwu/logging-fix

Fix logging blocking issue

v0.4.0

New Features:

[launcher] Add capability to open ports #294
Allow loading of cached keys #313

Other Changes:

Use legacy tpm2 at its new path #318
Add GoReleaser release action for gotpm CLI #319
Update go-tpm dependency to 0.9.0 #321

New Contributors

@3u13r in #313

Release v0.3.12

New Features:

Add attest and verify command to gotpm #293
Add tee_technology flag and test for tee_technology flag #307 (intra-release breaking change)

Other Changes:

Add OS Policy assignment tests for both debug and hardened. #301 Add a wrapper for ExternalTPM #302
Update to go-sev-guest v0.6.0 #304
Update base image family to use cos-dev #306
Update go-sev-guest to v0.6.1 #308

New Contributors

@Pranjali-2501 in #293
@michael-pregman in #301

Release v0.3.11

New Features:

Use region in spec to create attestation service rest client #281
Parse EFI App state from the TCG event log #277

Bug Fixes:

Increase default systemd wait timeout to 900s #276
Use same env var formatting logic on the launcher as server #253
Fix image pulling in launcher #282
Bump version and fix a kernel cmd issue #291
Return the actual number of bytes written to through command buffer #287
Fix lint issues after using golangci-lint-1.52.2 #296

Other Changes:

Add image tests and test automation #275
Update go-sev-guest to v0.4.2 #278
Update to go-sev-guest v0.4.5 #279
Add proper debug license and logging to launcher #280
Upgrade to go-sev-guest v0.5.0 #283
Import go-sev-guest v0.5.2 #284
Add override test for workload env vars and cmd #286
Add test workload code, check OIDC claims, and validate launch policy checks #288
Bump golang.org/x/net in /launcher #290
Add RELEASING instructions #187

New Contributors:

@hslatman in #287

Diff

https://github.com/google/go-tpm-tools/compare/53cab1a...5dd1056?expand=1

Release v0.3.10

New Features:

• Add IsHardened in launch spec: #244
• Add container logging redirect policy: #249
• Add SEV-SNP attestation support: #240
• Integrity-protect stateful partition on CS image: #251
• Retry launcher OIDC token refresh with backoff: #261
• Change restart policy behavior to reboot: #260
• Add ability to GetGCEInstanceInfo from a certificate: #267

Bug Fixes:

• COS event log: require CEL events to use PCR13, add a launch separator, and don't skip unknown events: #246
• Measure LaunchSeparator event: #247
• Skip unallocated PCR selections when reading all PCRs: #258
• Remove gRPC client and use of insecure credentials: #262
• Fix server.VerifyAttestation proto merging(#263) and defer of os.Exit(#264): #265

Other Changes:

• Add fake verifier client: #234
• Update CI Go Version to 1.19: #241
• Add launcher integration testing support: #255
• Test multi-writer PD creation disabled: #256
• Update go-sev-guest dependency to v0.2.6: #259
• Change OIDC retry policy to hourly and add jitter to refresh time: #266
• Add wrapper cloudbuild workflow to trigger image build and testing: #269

New Contributors:

• @JoshuaKrstic in #234
• @deeglaze in #240
• @daniel-weisse in #258