Releases: google/go-sev-guest
v0.5.1 DO NOT USE
This bugfix release fixes a defect in the testclient in v0.5.0. The change to AMDRootCerts to use ProductCerts did not get carried into the testclient implementation.
EDIT: Also includes a defect with testclient's badroot accidentally verifying.
v0.5.0 DO NOT USE
AMDRootCerts has changed to collect the x509 certificates into a pair type ProductCerts. This is backwards-incompatible with existing constructions of AMDRootCerts, so this release has bumped the "pre-1.0 major version" to 0.5.0. This refactor is paired with a fix to FakeKDS to fetch the product certs on construction, since the default root certificates do not carry x509 certificates.
Internal testing of the go-tpm-tools integration on SEV-SNP hardware exposed this bug.
EDIT: Missed a couple of changes, which makes this a defective release.
v0.4.5
v0.4.4
Re-release of v0.4.3 since PR#34 was not included.
This release includes initial support for a VM-specific additional certificate that is possible to add with SEV-SNP host patch series v7's KVM_SEV_SNP_SET_CERTS command. The GUID here is what we chose to identify the GCE firmware endorsement document. More details about the endorsement document are coming later, perhaps in a different repository.
v0.4.3
This release includes initial support for a VM-specific additional certificate that is possible to add with SEV-SNP host patch series v7's KVM_SEV_SNP_SET_CERTS command. The GUID here is what we chose to identify the GCE firmware endorsement document. More details about the endorsement document are coming later, perhaps in a different repository.
v0.4.2
v0.4.1
This patch release is to fix an omission from v0.4.0: how to reliably test without a cache of KDS results for a small set of machines.
The default fetch behavior now accounts for AMD KDS rate-limiting behavior by retrying on failure after waiting a short duration.
This new default should also help early adopters use the check tool with fewer network failures.
v0.4.0
Testing capability additions:
- Generic test client that allows a test to use a real or fake device depending on whether the test is given a non-default --sev_guest_device_path flag. The flag's default value is interpreted differently across contexts. For tools, "default" is interpreted as the platform default (e.g., on Linux it is /dev/sev-guest). For tests, "default" is interpreted as a fake.
- AMD KDS certificate caching library for making hardware tests more reliable by not constantly connecting to AMD's server. Intended only for small machine clusters that haven't had certificates installed through the host /dev/sev device.
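The two fetch behaviors described on this page (the v0.4.1 retry-after-a-short-wait default and the v0.4.0 KDS result cache for small test clusters) compose naturally as two wrappers around one narrow getter interface. The following Go program is an added illustration written for this page; it is not code from go-sev-guest, and the `HTTPSGetter`, `RetryGetter`, `CachingGetter` and `flakyKDS` names, the `ErrRateLimited` error and the URL are all constructed for the example. The fake KDS rate-limits the first N requests per URL and counts how many requests actually reach it, so the reader can see both that the retry layer absorbs transient rate-limit failures and that the cache layer keeps a repeated fetch off the network entirely.

```go
package main

import (
	"errors"
	"fmt"
	"sync"
	"time"
)

// HTTPSGetter is the narrow "fetch a URL" interface both wrappers build on.
// The name is an assumption for this example, not the library's own type.
type HTTPSGetter interface {
	Get(url string) ([]byte, error)
}

// ErrRateLimited stands in for the error a base getter returns when the
// KDS answers with a rate-limit response (constructed for this example).
var ErrRateLimited = errors.New("kds: rate limited")

// RetryGetter retries a failed fetch after a short wait, as the v0.4.1
// default fetch behavior is described on the page.
type RetryGetter struct {
	Base       HTTPSGetter
	MaxRetries int
	Delay      time.Duration
	Sleep      func(time.Duration) // injectable so tests do not really wait
}

func (r *RetryGetter) Get(url string) ([]byte, error) {
	var lastErr error
	for attempt := 0; attempt <= r.MaxRetries; attempt++ {
		body, err := r.Base.Get(url)
		if err == nil {
			return body, nil
		}
		lastErr = err
		if attempt < r.MaxRetries {
			r.Sleep(r.Delay)
		}
	}
	return nil, fmt.Errorf("giving up on %s after %d attempts: %w", url, r.MaxRetries+1, lastErr)
}

// CachingGetter memoizes successful fetches so a small hardware test
// cluster contacts the KDS once per URL instead of on every test.
type CachingGetter struct {
	Base  HTTPSGetter
	mu    sync.Mutex
	cache map[string][]byte
}

func (c *CachingGetter) Get(url string) ([]byte, error) {
	c.mu.Lock()
	body, ok := c.cache[url]
	c.mu.Unlock()
	if ok {
		return body, nil
	}
	body, err := c.Base.Get(url)
	if err != nil {
		return nil, err // failures are never cached; the next caller retries
	}
	c.mu.Lock()
	if c.cache == nil {
		c.cache = map[string][]byte{}
	}
	c.cache[url] = body
	c.mu.Unlock()
	return body, nil
}

// flakyKDS is a constructed stand-in for AMD KDS: it rate-limits the first
// failBeforeSuccess requests for each URL and counts every request it sees.
type flakyKDS struct {
	failBeforeSuccess int
	calls             map[string]int
}

func (f *flakyKDS) Get(url string) ([]byte, error) {
	if f.calls == nil {
		f.calls = map[string]int{}
	}
	f.calls[url]++
	if f.calls[url] <= f.failBeforeSuccess {
		return nil, ErrRateLimited
	}
	return []byte("cert-chain-for:" + url), nil
}

// fetchTwice builds cache(retry(kds)), fetches one URL twice, and returns
// the body plus how many requests actually reached the fake KDS.
func fetchTwice(failures int) (string, int, error) {
	kds := &flakyKDS{failBeforeSuccess: failures}
	getter := &CachingGetter{Base: &RetryGetter{
		Base: kds, MaxRetries: 3, Delay: 100 * time.Millisecond,
		Sleep: func(time.Duration) {}, // no real sleeping in this example
	}}
	const url = "https://kds.example/vcek/v1/Milan/constructed-hwid" // placeholder URL
	body, err := getter.Get(url)
	if err != nil {
		return "", kds.calls[url], err
	}
	if _, err := getter.Get(url); err != nil { // second call is served from cache
		return "", kds.calls[url], err
	}
	return string(body), kds.calls[url], nil
}

func main() {
	body, calls, err := fetchTwice(2)
	fmt.Printf("body=%q kds_requests=%d err=%v\n", body, calls, err)
}
```

With two simulated rate-limit responses the program reports three requests reaching the fake KDS for two logical fetches: two failures plus one success, with the second fetch answered from the cache. Raising the failure count above `MaxRetries` makes the retry layer give up, and because failures are not cached, the next call would try the network again rather than pin a bad result.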