Skip to content

UID2-7162 Upgrade SKR image to 2.14 (latest) for Azure CC#2559

Merged
swibi-ttd merged 1 commit into
mainfrom
swi-UID2-7162-upgrade-skr
May 28, 2026
Merged

UID2-7162 Upgrade SKR image to 2.14 (latest) for Azure CC#2559
swibi-ttd merged 1 commit into
mainfrom
swi-UID2-7162-upgrade-skr

Conversation

@swibi-ttd
Copy link
Copy Markdown
Contributor

@swibi-ttd swibi-ttd commented May 28, 2026
edited
Loading

Upgrade SKR image to latest version 2.14. Doesn't seem like there are any breaking changes since 2.3.

Summary of changes since 2.3 that may be relevant:

  ┌─────────┬────────────┬─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────┐
  │ Commit  │    Date    │                                                                       Why it might matter                                                                       │
  ├─────────┼────────────┼─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────┤
  │ 3739264 │ 2024-04-01 │ Base image switched to CBL-Mariner (from Alpine). Doesn't affect our HTTP contract, but it's why the layer hash changes so dramatically between 2.3 and current │
  │         │            │  — we should expect zero overlap in the CCE policy text.                                                                                                        │
  ├─────────┼────────────┼─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────┤
  │ e40a2a0 │ 2024-09-25 │ Null-reference fix + ECDSA-key support added. Bug fix, additive.                                                                                                │
  ├─────────┼────────────┼─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────┤
  │ c656d7d │ 2025-01-29 │ Adds x-ms-sevsnpvm-vmpl=0 claim to key-release policies. New claim in the MAA JWT — Core's verifier needs to tolerate extra claims (it does; it parses with     │
  │         │            │ Jackson and only reads the fields it cares about). Worth confirming in attestation handshake test.                                                              │
  ├─────────┼────────────┼─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────┤
  │ 94151d6 │ 2025-06-03 │ Fix SNP report serialization — affects attestation report payload.                                                                                              │
  ├─────────┼────────────┼─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────┤
  │ 30c69b5 │ 2025-04-22 │ Adds ca-certificates to image — fixes TLS cert validation against MAA.                                                                                          │
  ├─────────┼────────────┼─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────┤
  │ 7d82f61 │ 2025-08-19 │ Stops logging tokens/keys in debug mode. Security improvement.                                                                                                  │
  ├─────────┼────────────┼─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────┤
  │ 4814b44 │ 2025-08-20 │ GetToken retry — this is the v2.12 retry-logic change. Reduces transient attestation failures from the managed-identity adapter. Real reliability win.          │
  ├─────────┼────────────┼─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────┤
  │ c2470b5 │ 2025-11-03 │ Sends User-Agent header on MAA requests — transparent.                                                                                                          │
  ├─────────┼────────────┼─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────┤
  │ f7a94b6 │ 2025-03-14 │ Updates SNP report structure per latest spec — transparent to us if MAA accepts both shapes (it does).                                                          │
  └─────────┴────────────┴─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────┘

https://github.com/microsoft/confidential-sidecar-containers/releases

@swibi-ttd swibi-ttd merged commit a94c55d into main May 28, 2026
9 checks passed
@swibi-ttd swibi-ttd deleted the swi-UID2-7162-upgrade-skr branch May 28, 2026 01:46
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@cYKatherine cYKatherine cYKatherine approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@swibi-ttd @cYKatherine