Go Tpm Tools Versions

Go packages built on go-tpm providing a high-level API for using TPMs

v0.4.4

2 months ago

Breaking Changes:

[launcher/cmd] Refactor verifier for issue #419

  • Unexport cmd.Instance, cmd.MetadataServer, cmd.NewMetadataServer.
  • Move package verifier from launcher to go-tpm-tools.
    • verifier.Client, verifier.Challenge, etc.
  • Move package fake from launcher to go-tpm-tools.
    • fake.Claims, fake.NewClient, etc.
  • Move package rest from launcher to go-tpm-tools.
    • rest.NewClient, rest.BadRegionError, etc.

New Features:

  • [cmd] Add new command token in the CLI tool #375
  • [cmd] add records to cloud logging when fetching token from attestation verifier #417

Bug Fixes:

Statically link binaries built by goreleaser #425

Other Changes:

Update readme to gotpm CLI instructions. #424, #426

New Contributors:

  • @Ruide in #375
  • @qinkunbao in #424

v0.4.3

3 months ago

New Features:

  • [launcher] Add TEE server IPC implementation #367
  • [launcher] Enable memory monitoring in CS #391
  • Use TDX quote provider to attest and verify #405
  • Integrate nonce verification as part of the TDX quote validation procedure. #395
  • Add RISC V support #407
  • [launcher] Use resizable integrity-fs with in-memory tags #412

Bug Fixes:

  • [launcher] Fix launcher exit code #384
  • [launcher] Handle exit code checking during deferral evaluation #392
  • [cmd] Skip tests that call setGCEAKTemplate #402
  • [launcher] Fix teeserver context reset issue & add container signature cache #397
  • Set all unused parameters as _ to fix CI lint failure #411
  • [launcher] Make customtoken test sleep to mitigate clock skew #413

Other Changes:

  • Add eventlog parse logics for memory monitoring #404
  • [launcher]: Add memory monitor measurement logics #408
  • Update go-tdx-guest version to v0.3.1 #414

New Contributors:

  • @KeithMoyer in #392
  • @vbalain in #405
  • @aimixsaka in #407

v0.4.2

7 months ago

New Features:

  • [launcher] Add experiment support #352
  • [launcher] Integrate signature discovery client into attestation agent #343

Bug Fixes:

Make launcher host tmp directory before experiment fetch #363

Other Changes:

  • [launcher] Print kernel cmdline on builds #268
  • Import latest version of go-tdx-guest #373
  • [launcher] Print signature details instead of signature object #374
  • [launcher] Add image tests for the experiments binary #378
  • Update go-sev-guest to v0.9.3 #381

v0.4.1

8 months ago

New Features:

  • [launcher] Verify FS and mount before launch #311
  • Integration of go-tpm-tools with go-tdx-guest #347

Intra-release Breaking Changes:

Add launcherfile package for path and file consts #356 breaks #333

Bug Fixes:

  • [launcher] Update the token refresh logic #325
  • [launcher] Fix logging blocking issue #338

Other Changes:

  • [launcher] Add a new metadata flag of signedImageRepos #320
  • Update go-sev-guest to v0.7.0 #329
  • [launcher] Add SSH test for image. #314
  • Add supported architectures to ci.yml #330
  • Fix the go version number error #326
  • [launcher] Signature discovery: fetch a signed image manifest at for parsing #324
  • [launcher] Export attestation token filepath and filename #333
  • [launcher] Increase the max file descriptor #339
  • [launcher] Add a signature interface and a library to parse signature from image manifest #328
  • Rename TdxVerify function to TdxQuote in server package. #353
  • [launcher] Use V1 SDK in launcher verifier client #305
  • Update and tidy dependencies #344

New Contributors

  • @yawangwang in #320
  • @Jingshui1037 and @hustliyilin in #326
  • @jrjatin in #353

testjkl

8 months ago

v0.4.0

11 months ago

New Features:

  • [launcher] Add capability to open ports #294
  • Allow loading of cached keys #313

Other Changes:

  • Use legacy tpm2 at its new path #318
  • Add GoReleaser release action for gotpm CLI #319
  • Update go-tpm dependency to 0.9.0 #321

New Contributors

@3u13r in #313

v0.3.12

1 year ago

New Features:

  • Add attest and verify command to gotpm #293
  • Add tee_technology flag and test for tee_technology flag #307 (intra-release breaking change)

Other Changes:

  • Add OS Policy assignment tests for both debug and hardened. #301
  • Add a wrapper for ExternalTPM #302
  • Update to go-sev-guest v0.6.0 #304
  • Update base image family to use cos-dev #306
  • Update go-sev-guest to v0.6.1 #308

New Contributors

  • @Pranjali-2501 in #293
  • @michael-pregman in #301

v0.3.11

1 year ago

New Features:

  • Use region in spec to create attestation service rest client #281
  • Parse EFI App state from the TCG event log #277

Bug Fixes:

  • Increase default systemd wait timeout to 900s #276
  • Use same env var formatting logic on the launcher as server #253
  • Fix image pulling in launcher #282
  • Bump version and fix a kernel cmd issue #291
  • Return the actual number of bytes written to through command buffer #287
  • Fix lint issues after using golangci-lint-1.52.2 #296

Other Changes:

  • Add image tests and test automation #275
  • Update go-sev-guest to v0.4.2 #278
  • Update to go-sev-guest v0.4.5 #279
  • Add proper debug license and logging to launcher #280
  • Upgrade to go-sev-guest v0.5.0 #283
  • Import go-sev-guest v0.5.2 #284
  • Add override test for workload env vars and cmd #286
  • Add test workload code, check OIDC claims, and validate launch policy checks #288
  • Bump golang.org/x/net in /launcher #290
  • Add RELEASING instructions #187

New Contributors:

@hslatman in #287

Diff

https://github.com/google/go-tpm-tools/compare/53cab1a...5dd1056?expand=1

v0.3.10

1 year ago

New Features:

  • Add IsHardened in launch spec: #244
  • Add container logging redirect policy: #249
  • Add SEV-SNP attestation support: #240
  • Integrity-protect stateful partition on CS image: #251
  • Retry launcher OIDC token refresh with backoff: #261
  • Change restart policy behavior to reboot: #260
  • Add ability to GetGCEInstanceInfo from a certificate: #267

Bug Fixes:

  • COS event log: require CEL events to use PCR13, add a launch separator, and don't skip unknown events: #246
  • Measure LaunchSeparator event: #247
  • Skip unallocated PCR selections when reading all PCRs: #258
  • Remove gRPC client and use of insecure credentials: #262
  • Fix server.VerifyAttestation proto merging(#263) and defer of os.Exit(#264): #265

Other Changes:

  • Add fake verifier client: #234
  • Update CI Go Version to 1.19: #241
  • Add launcher integration testing support: #255
  • Test multi-writer PD creation disabled: #256
  • Update go-sev-guest dependency to v0.2.6: #259
  • Change OIDC retry policy to hourly and add jitter to refresh time: #266
  • Add wrapper cloudbuild workflow to trigger image build and testing: #269

New Contributors:

  • @JoshuaKrstic in #234
  • @deeglaze in #240
  • @daniel-weisse in #258

v0.3.9

1 year ago

Breaking Changes

New Features

Bug Fixes

Other Changes

New Contributors

Full Changelog: https://github.com/google/go-tpm-tools/compare/v0.3.8...v0.3.9