Skip to content

MigTD v0.7.0 Release

Latest

Choose a tag to compare

@sgrams sgrams released this 24 Apr 10:47

What's Changed

  • Fix cargo deny check error on rustls-pemfile crate by @gaojiaqi7 in #669
  • build(deps): bump actions/checkout from 6.0.0 to 6.0.1 by @dependabot[bot] in #666
  • build(deps): bump github/codeql-action from 4.31.6 to 4.31.7 by @dependabot[bot] in #667
  • gh: add weekly cargo update action by @gaojiaqi7 in #671
  • gh: add weekly collateral and policy v1 update action by @gaojiaqi7 in #672
  • Add VmmLoggerBackend by @agokarn in #635
  • build(deps): bump actions/upload-artifact from 5.0.0 to 6.0.0 by @dependabot[bot] in #674
  • build(deps): bump github/codeql-action from 4.31.7 to 4.31.8 by @dependabot[bot] in #676
  • build(deps): bump peter-evans/create-pull-request from 5 to 8 by @dependabot[bot] in #677
  • build(deps): bump actions/checkout from 4 to 6 by @dependabot[bot] in #675
  • Add logging to xtask/src/build.rs by @agokarn in #670
  • Change features by @agokarn in #673
  • build(deps): bump github/codeql-action from 4.31.8 to 4.31.9 by @dependabot[bot] in #681
  • Avoid use vdm payload struct with slices by @IntelCaisui in #679
  • remove bincode by @haitaohuang in #687
  • build(deps): bump github/codeql-action from 4.31.9 to 4.31.10 by @dependabot[bot] in #684
  • build(deps): bump EmbarkStudios/cargo-deny-action from 2.0.14 to 2.0.15 by @dependabot[bot] in #685
  • migtd: refactor and split the session module by @gaojiaqi7 in #686
  • build(deps): bump ubuntu from c35e29c to 7a39814 in /container by @dependabot[bot] in #688
  • build(deps): bump ubuntu from 7a39814 to cd1dba6 in /container by @dependabot[bot] in #691
  • Enable unified logging for Rust logging and memory logging for vmcall-raw. by @agokarn in #678
  • build(deps): bump github/codeql-action from 4.31.10 to 4.32.0 by @dependabot[bot] in #694
  • build(deps): bump KyleMayes/install-llvm-action from 2.0.8 to 2.0.9 by @dependabot[bot] in #693
  • MigTD CVMEmu: support the unified logger by @haitaohuang in #692
  • MigTD: correlate more error logs with request id by @haitaohuang in #696
  • Fix github weekly actions by @gaojiaqi7 in #697
  • migtd: clean up msk with zeroize by @gaojiaqi7 in #698
  • build(deps): bump github/codeql-action from 4.32.0 to 4.32.1 by @dependabot[bot] in #699
  • Initial support for rebinding by @gaojiaqi7 in #682
  • Update cargo.lock to fix CI cargo deny by @IntelCaisui in #703
  • Fix Migtd attestation doesn't close transport by @IntelCaisui in #701
  • Add initial spdm attestation support for rebinding by @IntelCaisui in #689
  • build(deps): bump github/codeql-action from 4.32.1 to 4.32.2 by @dependabot[bot] in #704
  • tools/migtd-collateral-generator: add retry for intel collaterals by @haitaohuang in #705
  • Cargo.lock: bump bytes and time to address vulnerability by @gaojiaqi7 in #700
  • migtd: extract peer cert after tls handshake by @gaojiaqi7 in #706
  • migtd: correct the migtd-old tls config in rebinding by @gaojiaqi7 in #707
  • migtd: remove target TD UUID check in rebinding-new by @gaojiaqi7 in #708
  • Fix to TDG.VM.WR tdcall write mask by @mgudaram in #709
  • Fix typo: rename MigtdDateEntry to MigtdDataEntry in rebinding.rs by @haitaohuang in #710
  • build(deps): bump github/codeql-action from 4.32.2 to 4.32.3 by @dependabot[bot] in #711
  • build(deps): bump aquasecurity/trivy-action from 0.33.1 to 0.34.0 by @dependabot[bot] in #712
  • build(deps): bump ubuntu from cd1dba6 to d1e2e92 in /container by @dependabot[bot] in #713
  • [StepSecurity] Apply security best practices by @step-security-bot in #721
  • build(deps): bump aquasecurity/trivy-action from 0.34.0 to 0.34.1 by @dependabot[bot] in #720
  • build(deps): bump github/codeql-action from 4.32.3 to 4.32.4 by @dependabot[bot] in #719
  • MigTD: Add trace-level logs for request entry points by @haitaohuang in #718
  • build(deps): bump actions/checkout from 4.3.1 to 6.0.2 by @dependabot[bot] in #722
  • build(deps): bump clap from 4.5.50 to 4.5.60 in /deps/td-shim-AzCVMEmu/azcvm-extract-report by @dependabot[bot] in #723
  • build(deps): bump env_logger from 0.11.8 to 0.11.9 in /deps/td-shim-AzCVMEmu/azcvm-extract-report by @dependabot[bot] in #724
  • build(deps): bump anyhow from 1.0.100 to 1.0.102 in /deps/td-shim-AzCVMEmu/azcvm-extract-report by @dependabot[bot] in #725
  • build(deps): bump log from 0.4.28 to 0.4.29 in /deps/td-shim-AzCVMEmu/azcvm-extract-report by @dependabot[bot] in #727
  • build(deps): bump serde_json from 1.0.145 to 1.0.149 in /deps/td-shim-AzCVMEmu/azcvm-extract-report by @dependabot[bot] in #726
  • ci: set missing permissions in workflow YAML files by @gaojiaqi7 in #728
  • build(deps): bump actions/upload-artifact from 6.0.0 to 7.0.0 by @dependabot[bot] in #731
  • build(deps): bump step-security/harden-runner from 2.14.2 to 2.15.0 by @dependabot[bot] in #732
  • MigTD: Remove lock for REPORTSTATUS flags by @haitaohuang in #717
  • Policy v2: skip global types for rebinding by @haitaohuang in #730
  • Sanitize session logging. by @agokarn in #733
  • build(deps): bump aquasecurity/trivy-action from 0.34.1 to 0.34.2 by @dependabot[bot] in #736
  • build(deps): bump actions/dependency-review-action from 4.8.3 to 4.9.0 by @dependabot[bot] in #737
  • build(deps): bump github/codeql-action from 4.32.4 to 4.32.6 by @dependabot[bot] in #738
  • build(deps): bump step-security/harden-runner from 2.15.0 to 2.15.1 by @dependabot[bot] in #743
  • build(deps): bump aquasecurity/trivy-action from 0.34.2 to 0.35.0 by @dependabot[bot] in #744
  • build(deps): bump clap from 4.5.60 to 4.6.0 in /deps/td-shim-AzCVMEmu/azcvm-extract-report by @dependabot[bot] in #745
  • MigTd/spdm: fall back to local init data for rebind by @haitaohuang in #739
  • Use effective TCB date and status for QE and Platform TCBs by @haitaohuang in #746
  • Implement rebind for AzCVMEmu by @haitaohuang in #734
  • ghci/igvm_attest: handle quote error in notification path by @haitaohuang in #741
  • build(deps): bump ubuntu from d1e2e92 to 0d39fcc in /container by @dependabot[bot] in #749
  • build(deps): bump tokio from 1.48.0 to 1.50.0 in /deps/td-shim-AzCVMEmu/azcvm-extract-report by @dependabot[bot] in #750
  • build(deps): bump bitflags from 2.10.0 to 2.11.0 in /deps/td-shim-AzCVMEmu/azcvm-extract-report by @dependabot[bot] in #751
  • SPDM: bind session with REPORT_DATA and add emulation tests by @haitaohuang in #748
  • build(deps): bump spin from 0.9.8 to 0.10.0 in /deps/td-shim-AzCVMEmu/azcvm-extract-report by @dependabot[bot] in #752
  • Update quinn-proto from 0.11.13 to 0.11.14 by @jyao1 in #755
  • changes to support provisional logs by @mgudaram in #742
  • build(deps): bump zerocopy from 0.7.35 to 0.8.27 in /deps/td-shim-AzCVMEmu/azcvm-extract-report by @dependabot[bot] in #753
  • build(deps): bump github/codeql-action from 4.32.6 to 4.33.0 by @dependabot[bot] in #756
  • build(deps): bump step-security/harden-runner from 2.15.1 to 2.16.0 by @dependabot[bot] in #757
  • build(deps): bump ubuntu from 0d39fcc to 186072b in /container by @dependabot[bot] in #758
  • build(deps): bump zerocopy from 0.8.27 to 0.8.47 in /deps/td-shim-AzCVMEmu/azcvm-extract-report by @dependabot[bot] in #760
  • build(deps): bump env_logger from 0.11.9 to 0.11.10 in /deps/td-shim-AzCVMEmu/azcvm-extract-report by @dependabot[bot] in #761
  • Fix to rebind order of repeated functions for finalize phase by @mgudaram in #763
  • Fixes to SERVTD_EXT w.r.t padding and zeroing by @mgudaram in #762
  • build(deps): bump sha2 from 0.10.9 to 0.11.0 in /deps/td-shim-AzCVMEmu/azcvm-extract-report by @dependabot[bot] in #764
  • build(deps): bump github/codeql-action from 4.33.0 to 4.34.1 by @dependabot[bot] in #767
  • build(deps): bump zerocopy from 0.8.47 to 0.8.48 in /deps/td-shim-AzCVMEmu/azcvm-extract-report by @dependabot[bot] in #768
  • Fix RatlsError to MigrationResult conversion in RATLS setup by @haitaohuang in #766
  • build(deps): bump dtolnay/rust-toolchain from efa25f7f19611383d5b0ccf2d1c8914531636bf9 to 3c5f7ea28cd621ae0bf5283f0e981fb97b8a7af9 by @dependabot[bot] in #773
  • build(deps): bump github/codeql-action from 4.34.1 to 4.35.1 by @dependabot[bot] in #774
  • build(deps): bump step-security/harden-runner from 2.16.0 to 2.16.1 by @dependabot[bot] in #775
  • MigTD/policy: add missed eval of the common policy by @haitaohuang in #772
  • fix(migtd): correct cfg gate in data.rs for logging tests by @MichalTarnacki in #776
  • build(deps): bump tokio from 1.50.0 to 1.51.0 in /deps/td-shim-AzCVMEmu/azcvm-extract-report by @dependabot[bot] in #785
  • refactor(rebinding)!: remove two-phase prepare/finalize model by @MichalTarnacki in #777
  • feat(rebinding): update MIGTD_DATA to GHCI 1.5 TDINFO format by @MichalTarnacki in #778
  • Fix to GetMigTDData optional reportdata size by @mgudaram in #787
  • build(deps): bump ubuntu from 186072b to 84e77de in /container by @dependabot[bot] in #786
  • build(deps): bump step-security/harden-runner from 2.16.1 to 2.17.0 by @dependabot[bot] in #789
  • build(deps): bump bitflags from 2.11.0 to 2.11.1 in /deps/td-shim-AzCVMEmu/azcvm-extract-report by @dependabot[bot] in #790
  • build(deps): bump tokio from 1.51.0 to 1.52.0 in /deps/td-shim-AzCVMEmu/azcvm-extract-report by @dependabot[bot] in #791
  • build(deps): bump clap from 4.6.0 to 4.6.1 in /deps/td-shim-AzCVMEmu/azcvm-extract-report by @dependabot[bot] in #792
  • build(deps): bump EmbarkStudios/cargo-deny-action from 2.0.15 to 2.0.17 by @dependabot[bot] in #793
  • build(deps): bump actions/upload-artifact from 7.0.0 to 7.0.1 by @dependabot[bot] in #794
  • build(deps): bump github/codeql-action from 4.35.1 to 4.35.2 by @dependabot[bot] in #795
  • build(deps): bump peter-evans/create-pull-request from 8.1.0 to 8.1.1 by @dependabot[bot] in #796
  • build(deps): bump ubuntu from 84e77de to c4a8d55 in /container by @dependabot[bot] in #797
  • build(deps): bump step-security/harden-runner from 2.17.0 to 2.18.0 by @dependabot[bot] in #798
  • chore(.github): add codeowner by @sgrams in #800
  • fix(.github): fix codeowners to always add jyao1 and sgrams by @sgrams in #802
  • build(deps): bump tokio from 1.52.0 to 1.52.1 in /deps/td-shim-AzCVMEmu/azcvm-extract-report by @dependabot[bot] in #801
  • Bump rustls-webpki to 0.103.12 to Cargo deny by @haitaohuang in #803
  • ci: make TDX Integration Test optional (workflow_dispatch only) by @sgrams in #804
  • refactor(attestation): verify policy against TDINFO_STRUCT by @MichalTarnacki in #780
  • fix(Cargo.lock): upgrade rustls-webpki to 0.103.13 to resolve RUSTSEC-2026-0104 by @sgrams in #806
  • test(rebinding): add unit tests for InitData and RebindingInfo by @MichalTarnacki in #781
  • feat(td-shim): implement FatalError TdVmcall during panic() by @MichalTarnacki in #782
  • feat(migtd): verify SERVTD_ATTR using SERVTD.RD api by @MichalTarnacki in #783
  • build(deps): bump step-security/harden-runner from 2.18.0 to 2.19.0 by @dependabot[bot] in #808
  • build(deps): bump aquasecurity/trivy-action from 0.35.0 to 0.36.0 by @dependabot[bot] in #807
  • feat(migtd): ensure SERVTD_EXT is accounted in migration flow similar to rebind flow by @MichalTarnacki in #784
  • build(migtd): bump version to 0.7.0 and update CONTRIBUTING.md by @sgrams in #809

New Contributors

Full Changelog: v0.6.0...v0.7.0

Breaking Changes

  • Remove two-phase prepare/finalize rebinding model — replaced with single-phase model

Features

  • Update MIGTD_DATA to GHCI 1.5 TDINFO format
  • Verify SERVTD_ATTR using SERVTD.RD API
  • Account for SERVTD_EXT in migration flow (consistent with rebind flow)
  • Verify policy against TDINFO_STRUCT
  • Implement FatalError TdVmcall during panic()
  • Add SPDM attestation initial flow for rebinding
  • Refactor v1/v2 attestation into separate functions

Bug Fixes

  • Fix SERVTD_EXT padding and zeroing
  • Fix multiple mutable borrow of reader in SPDM migration flow
  • Fix RatlsError to MigrationResult conversion in RATLS setup
  • Fix attestation transport not being closed
  • Fix TDG.VM.WR tdcall write mask
  • Fix GetMigTDData optional reportdata size
  • Fix rebind order of repeated functions for finalize phase
  • Fix missed eval of the common policy

Testing & CI

  • Add unit tests for InitData and RebindingInfo
  • Add SPDM attestation emulation tests and rebind-prepare tests to CI
  • Make TDX Integration Test optional (workflow_dispatch only)
  • Update CONTRIBUTING.md with commit message conventions

Dependencies

  • Upgrade spdm-rs to v0.5.2
  • Upgrade rustls-webpki to 0.103.13 (RUSTSEC-2026-0098, RUSTSEC-2026-0099, RUSTSEC-2026-0104)
  • Upgrade zerocopy to 0.8.27
  • Upgrade td-shim submodule
  • Dependency bumps: bitflags, env_logger, serde_json, tokio, sha2, clap

Validation

CI Emulation Tests (55/55 checks passed)

Integration tests (8/8 passed):

Test Transport Policy Attestation Status
Build and Test (Skip RA) TLS Skipped PASS
Policy v2 with Mock Report TLS v2 Mock PASS
Policy v2 with Mock Report + IGVM Attest TLS v2 Mock + IGVM PASS
Rebind Prepare (Skip RA) TLS v2 Skipped PASS
Rebind Prepare (Mock Report) TLS v2 Mock PASS
SPDM Migration (Skip RA) SPDM Skipped PASS
SPDM Policy v2 with Mock Report SPDM v2 Mock PASS
SPDM Rebind Prepare (Skip RA) SPDM v2 Skipped PASS

Build matrix (24/24 passed): All combinations of transport (virtio-vsock, virtio-serial, vmcall-vsock, vmcall-raw) × policy (v1, v2) × attestation (TLS, SPDM) × profile (Release, Debug).

Quality & security checks (all passed): Format, Clippy, CodeQL, Trivy, cargo-deny (advisories, bans, sources), Dependency Review, Fuzzing, CIFuzz, Library Crates.

TDX Hardware Validation

All pull requests merged since v0.6.0 were individually validated on TDX hardware in the developer's environment prior to merge. Hardware-validated features:

  • GHCI 1.5 TDINFO format (MIGTD_DATA update)
  • SERVTD_ATTR verification via SERVTD.RD API
  • SERVTD_EXT in migration flow
  • Rebinding flow (single-phase model)
  • Policy verification against TDINFO_STRUCT
  • FatalError TdVmcall during panic()