Releases: microsoft/CCF

6.0.16

29 Oct 11:20
95f22c1

Fixed

  • Stop passing nullptr to curl_multi_socket_action (#7371)

Changed

  • When GET /node/snapshot/{snapshot_name} requests a Range that extends beyond the snapshot's end, the node will now respond with the available sub-range rather than a Bad Request error.

6.0.15

14 Oct 12:20
7b26cb2

Added

  • Improved logging of snapshot digests (#7300)
  • Node will now retry when fetching snapshots. This is controlled with command.join.fetch_snapshot_max_attempts and command.join.fetch_snapshot_retry_interval. (#7317)
  • Remove pyopenssl (#7297)
  • Fix missing -devel package dependencies (#7345)

Changed

  • The submit_recovery_share.sh script will no longer try to create a virtual environment and install the CCF Python package on every call. Instead it will return an error if the package is not installed (specifically if the ccf_cose_sign1 tool it relies on cannot be found) (#7306)
  • Snapshot fetching attempts to re-use the TLS sessions whenever possible (#7321)

7.0.0-dev4

09 Oct 10:00
0f87e96

Pre-release

Added

  • Added verify_uvm_attestation_and_endorsements binary. This tests that the authentication of the startup files during start and join would succeed. Usage on C-ACI: verify_uvm_attestation_and_endorsements /security-context-xxxx/host-amd-cert-base64 /security-context-xxxx/reference-info-base64 /security-context-xxxx/security-policy-base64

6.0.14

29 Sep 16:34
8e226b3

Added

  • Improved handling of socket errors in curlm callbacks (#7308)
  • Accept UVM endorsements with SVNs encoded as integers, and use integer comparison for UVM (#7316)

7.0.0-dev3

29 Sep 15:58
b502534

Pre-release

Added

  • Added ccf.gov.validateConstitution function to JS API, which can be used to confirm some basic properties of a proposed constitution (it is a string, parseable by our JS interpreter, exporting functions named validate, resolve and apply with the correct number of arguments). This is called in the default sample constitution's set_constitution.validate.
  • Added logging of the initial node attestation value ("Initial node attestation...") (#7256).
  • Improved handling of socket errors in curlm callbacks (#7308)
  • Accept UVM endorsements with SVNs encoded as integers (#7316)

Fixed

  • Correctly validate the full AMD ASK endorsement chain (#7233)
  • Validate endorsement metadata (tcb version and chip id) against attestation (#7240)

Changed

  • The submit_recovery_share.sh script will no longer try to create a virtual environment and install the CCF Python package on every call. Instead it will return an error if the package is not installed (specifically if the ccf_cose_sign1 tool it relies on cannot be found) (#7306)

Removed

  • Removed ccf::crypt::openssl_sha256_init() and ccf::crypt::openssl_sha256_shutdown() interface, as it's now implicitly called by the crypto implementation (#7251).
  • Removed support for v2 attestations as the corresponding firmware is known to be insecure (#7282)

6.0.13

23 Sep 17:31
c7dbf7a

Added

  • Better logging of invalid snapshots (#7302)
  • Improved handling of socket errors in curlm callbacks (#7308)

5.0.23

19 Sep 10:40
e42277d

Added

  • Better logging of invalid snapshots (#7302)
  • Logging of snapshot digests

6.0.12

18 Sep 11:54
8692580

Added

  • Validate endorsement metadata (tcb version and chip id) against attestation (#7240)
  • Curl multi based fetching of quote endorsements and snapshots

Fixed

  • Fixed quote endorsements retry logic

Removed

6.0.11

08 Sep 22:20
62c37da

Added

  • Added ccf.gov.validateConstitution function to JS API, which can be used to confirm some basic properties of a proposed constitution (it is a string, parseable by our JS interpreter, exporting functions named validate, resolve and apply with the correct number of arguments). This is called in the default sample constitution's set_constitution.validate.
  • Added logging of the initial node attestation value ("Initial node attestation...") (#7256).

Fixed

  • Correctly validate the full AMD ASK endorsement chain (#7233)

5.0.22

08 Sep 22:49
6784c37

Added

  • Added support for validating Genoa attestations (#7051).
  • Added support for fetching Genoa endorsements (#7054).