.

.azure-pipelines-gh-pages.yml

@@ -11,7 +11,7 @@ jobs:
     variables:
       Codeql.SkipTaskAutoInjection: true
       skipComponentGovernanceDetection: true
-    container: ccfmsrc.azurecr.io/ccf/ci:26-10-2023-virtual-clang15
+    container: ccfmsrc.azurecr.io/ccf/ci:07-12-2023-virtual-clang15
     pool:
       vmImage: ubuntu-20.04
 

.azure-pipelines-templates/deploy_aci.yml

@@ -51,7 +51,7 @@ jobs:
       - script: |
           set -ex
           docker login -u $ACR_TOKEN_NAME -p $ACR_CI_PUSH_TOKEN_PASSWORD $ACR_REGISTRY
-          docker pull $ACR_REGISTRY/ccf/ci:05-09-2023-snp-clang15
+          docker pull $ACR_REGISTRY/ccf/ci:07-12-2023-snp-clang15
           docker build -f docker/ccf_ci_built . --build-arg="base=$BASE_IMAGE" --build-arg="platform=snp" -t $ACR_REGISTRY/ccf/ci:pr-`git rev-parse HEAD`
           docker push $ACR_REGISTRY/ccf/ci:pr-`git rev-parse HEAD`
         name: build_ci_image
@@ -60,7 +60,7 @@ jobs:
           ACR_TOKEN_NAME: ci-push-token
           ACR_CI_PUSH_TOKEN_PASSWORD: $(ACR_CI_PUSH_TOKEN_PASSWORD)
           ACR_REGISTRY: ccfmsrc.azurecr.io
-          BASE_IMAGE: ccfmsrc.azurecr.io/ccf/ci:26-10-2023-snp-clang15
+          BASE_IMAGE: ccfmsrc.azurecr.io/ccf/ci:07-12-2023-snp-clang15
 
       - script: |
           set -ex

.azure-pipelines.yml

@@ -29,15 +29,15 @@ schedules:
 resources:
   containers:
     - container: virtual
-      image: ccfmsrc.azurecr.io/ccf/ci:26-10-2023-virtual-clang15
+      image: ccfmsrc.azurecr.io/ccf/ci:07-12-2023-virtual-clang15
       options: --publish-all --cap-add NET_ADMIN --cap-add NET_RAW --cap-add SYS_PTRACE -v /lib/modules:/lib/modules:ro
 
     - container: snp
-      image: ccfmsrc.azurecr.io/ccf/ci:26-10-2023-snp-clang15
+      image: ccfmsrc.azurecr.io/ccf/ci:07-12-2023-snp-clang15
       options: --publish-all --cap-add NET_ADMIN --cap-add NET_RAW --cap-add SYS_PTRACE -v /lib/modules:/lib/modules:ro
 
     - container: sgx
-      image: ccfmsrc.azurecr.io/ccf/ci:26-10-2023-sgx
+      image: ccfmsrc.azurecr.io/ccf/ci:07-12-2023-sgx
       options: --publish-all --cap-add NET_ADMIN --cap-add NET_RAW --device /dev/sgx_enclave:/dev/sgx_enclave --device /dev/sgx_provision:/dev/sgx_provision -v /dev/sgx:/dev/sgx -v /lib/modules:/lib/modules:ro
 
 variables:

.azure_pipelines_snp.yml

@@ -30,7 +30,7 @@ schedules:
 resources:
   containers:
     - container: virtual
-      image: ccfmsrc.azurecr.io/ccf/ci:26-10-2023-virtual-clang15
+      image: ccfmsrc.azurecr.io/ccf/ci:07-12-2023-virtual-clang15
       options: --publish-all --cap-add NET_ADMIN --cap-add NET_RAW --cap-add SYS_PTRACE -v /lib/modules:/lib/modules:ro
 
 jobs:

.daily.yml

@@ -25,15 +25,15 @@ schedules:
 resources:
   containers:
     - container: virtual
-      image: ccfmsrc.azurecr.io/ccf/ci:26-10-2023-virtual-clang15
+      image: ccfmsrc.azurecr.io/ccf/ci:07-12-2023-virtual-clang15
       options: --publish-all --cap-add NET_ADMIN --cap-add NET_RAW --cap-add SYS_PTRACE
 
     - container: snp
-      image: ccfmsrc.azurecr.io/ccf/ci:26-10-2023-snp-clang15
+      image: ccfmsrc.azurecr.io/ccf/ci:07-12-2023-snp-clang15
       options: --publish-all --cap-add NET_ADMIN --cap-add NET_RAW --cap-add SYS_PTRACE -v /lib/modules:/lib/modules:ro
 
     - container: sgx
-      image: ccfmsrc.azurecr.io/ccf/ci:26-10-2023-sgx
+      image: ccfmsrc.azurecr.io/ccf/ci:07-12-2023-sgx
       options: --publish-all --cap-add NET_ADMIN --cap-add NET_RAW --device /dev/sgx_enclave:/dev/sgx_enclave --device /dev/sgx_provision:/dev/sgx_provision -v /dev/sgx:/dev/sgx
 
 jobs:

.daily_canary

@@ -1,4 +1,5 @@
    -^-     ___           ___
   (- -)   (= =)   |     Y   &  +--?
  (  V  ) /  .  \  |    +---=---'
-/--x-m- /--n-n---xXx--/--yY------>>>----<<<>>]]{{}}---||-/\
+/--x-m- /--n-n---xXx--/--yY------>>>----<<<>>]]{{}}---||-/\---..
+2024

.devcontainer/devcontainer.json

@@ -1,6 +1,6 @@
 {
   "name": "CCF Development Environment",
-  "image": "ccfmsrc.azurecr.io/ccf/ci:26-10-2023-virtual-clang15",
+  "image": "ccfmsrc.azurecr.io/ccf/ci:07-12-2023-virtual-clang15",
   "runArgs": [],
   "extensions": [
     "eamodio.gitlens",

.github/workflows/ci-checks.yml

@@ -9,7 +9,7 @@ on:
 jobs:
   checks:
     runs-on: ubuntu-latest
-    container: ccfmsrc.azurecr.io/ccf/ci:26-10-2023-virtual-clang15
+    container: ccfmsrc.azurecr.io/ccf/ci:07-12-2023-virtual-clang15
 
     steps:
       - run: git config --global --add safe.directory "$GITHUB_WORKSPACE"

.github/workflows/tlaplus.yml

@@ -14,7 +14,7 @@ jobs:
     name: Model Checking - Consistency
     runs-on: [self-hosted, 1ES.Pool=gha-virtual-ccf-sub]
     container:
-      image: ccfmsrc.azurecr.io/ccf/ci:26-10-2023-virtual-clang15
+      image: ccfmsrc.azurecr.io/ccf/ci:07-12-2023-virtual-clang15
 
     steps:
       - uses: actions/checkout@v3

.multi-thread.yml

@@ -16,7 +16,7 @@ pr:
 resources:
   containers:
     - container: virtual
-      image: ccfmsrc.azurecr.io/ccf/ci:26-10-2023-virtual-clang15
+      image: ccfmsrc.azurecr.io/ccf/ci:07-12-2023-virtual-clang15
       options: --publish-all --cap-add NET_ADMIN --cap-add NET_RAW --cap-add SYS_PTRACE -v /lib/modules:/lib/modules:ro
 
 jobs:

.snpcc_canary

@@ -1,4 +1,5 @@
   ___         ___    ___
  (. =)     Y (0 0)  (x X)    Y
    O     \     o      |    /
-/-xXx--//-----x=x--/-xXx--/---x---->>
+/-xXx--//-----x=x--/-xXx--/---x---->>>--/
+........

.stress.yml

@@ -20,7 +20,7 @@ schedules:
 resources:
   containers:
     - container: sgx
-      image: ccfmsrc.azurecr.io/ccf/ci:26-10-2023-sgx
+      image: ccfmsrc.azurecr.io/ccf/ci:07-12-2023-sgx
       options: --publish-all --cap-add NET_ADMIN --cap-add NET_RAW --device /dev/sgx_enclave:/dev/sgx_enclave --device /dev/sgx_provision:/dev/sgx_provision -v /dev/sgx:/dev/sgx
 
 jobs:

.threading_canary

@@ -1 +1 @@
-..........
+.............

CHANGELOG.md

@@ -5,6 +5,38 @@ All notable changes to this project will be documented in this file.
 The format is based on [Keep a Changelog](http://keepachangelog.com/en/1.0.0/)
 and this project adheres to [Semantic Versioning](http://semver.org/spec/v2.0.0.html).
 
+## [5.0.0-dev11]
+
+[5.0.0-dev11]: https://github.com/microsoft/CCF/releases/tag/ccf-5.0.0-dev11
+
+### Removed
+
+- `ccf::historical::adapter_v2` is removed, replaced by `ccf::historical::adapter_v3` first introduced in 2.0.0.
+- `ccf::EnclaveAttestationProvider` has been removed. It is replaced by `ccf::AttestationProvider`
+- The `attestation.environment.security_context_directory` configuration entry and `--snp-security-context-dir-var` CLI option have been removed. SNP collateral must now be provided through the `snp_security_policy_file`, `snp_uvm_endorsements_file` and `snp_endorsement_servers` configuration values. See [documentation](https://microsoft.github.io/CCF/main/operations/platforms/snp.html) for details and platform-specific configuration samples.
+
+## [5.0.0-dev10]
+
+[5.0.0-dev10]: https://github.com/microsoft/CCF/releases/tag/ccf-5.0.0-dev10
+
+- The `url` field in `snp_endorsements_servers` can now contain environment variables that will be resolved at startup, such as "$Fabric_NodeIPOrFQDN:2377" (#5862).
+- Add a new `snp_security_policy_file` configuration value under `attestation`, superseding the lookup from `$UVM_SECURITY_CONTEXT_DIR`. The value can contain environment variables, for example: `"snp_security_policy_file": "$UVM_SECURITY_CONTEXT_DIR/security-policy-base64"`.
+- Add a new `snp_uvm_endorsements_file` configuration value under `attestation`, superseding the lookup from `$UVM_SECURITY_CONTEXT_DIR`. The value can contain environment variables, for example: `"snp_uvm_endorsements_file": "$UVM_SECURITY_CONTEXT_DIR/reference-info-base64"`. This value can come from an untrusted location, like `snp_security_policy_file` and AMD endorsements (fetched from `snp_endorsements_servers`), because the CCF code contains pre-defined roots of trust.
+
+## [5.0.0-dev9]
+
+[5.0.0-dev9]: https://github.com/microsoft/CCF/releases/tag/ccf-5.0.0-dev9
+
+- `snp_endorsements_servers` now supports a `THIM` type, which is the recommended value when running in [Confidential AKS preview](https://learn.microsoft.com/en-us/azure/aks/confidential-containers-overview).
+
+## [5.0.0-dev8]
+
+[5.0.0-dev8]: https://github.com/microsoft/CCF/releases/tag/ccf-5.0.0-dev8
+
+- `ccf.crypto.generateEddsaKeyPair`, `pubEddsaPemToJwk` and `eddsaPemToJwk` now support `x25519` as well as `curve25519` (#5846).
+- `POST /recovery/members/{memberId}:recover` is now authenticated by COSE Sign1, making it consistent with the other `POST` endpoints in governance, and avoiding a potential denial of service where un-authenticated and un-authorised clients could submit invalid shares repeatedly. The `submit_recovery_share.sh` script has been amended accordingly, and now takes a `--member-id-privk` and `--member-id-cert` (#5821).
+- CCF can now fetch SEV-SNP attestations from kernel 6.0 and above (#5848).
+
 ## [5.0.0-dev7]
 
 [5.0.0-dev7]: https://github.com/microsoft/CCF/releases/tag/ccf-5.0.0-dev7

CMakeLists.txt

@@ -103,7 +103,6 @@ if(USE_NULL_ENCRYPTOR)
 endif()
 
 option(SAN "Enable Address and Undefined Behavior Sanitizers" OFF)
-option(TSAN "Enable Thread Sanitizers" OFF)
 option(BUILD_END_TO_END_TESTS "Build end to end tests" ON)
 option(COVERAGE "Enable coverage mapping" OFF)
 option(SHUFFLE_SUITE "Shuffle end to end test suite" OFF)

cmake/preproject.cmake

@@ -58,6 +58,8 @@ if(NOT CMAKE_BUILD_TYPE AND NOT CMAKE_CONFIGURATION_TYPES)
   )
 endif()
 
+option(TSAN "Enable Thread Sanitizers" OFF)
+
 option(COLORED_OUTPUT "Always produce ANSI-colored output." ON)
 
 if(${COLORED_OUTPUT})
@@ -85,4 +87,11 @@ if("${COMPILE_TARGET}" STREQUAL "snp")
   endif()
 endif()
 
+if("${COMPILE_TARGET}" STREQUAL "snp" OR "${COMPILE_TARGET}" STREQUAL "virtual")
+  if(NOT "${CMAKE_BUILD_TYPE}" STREQUAL "Debug" AND NOT TSAN)
+    add_compile_options(-flto)
+    add_link_options(-flto)
+  endif()
+endif()
+
 set(CMAKE_CXX_STANDARD 20)

doc/architecture/raft_tla.rst

@@ -40,6 +40,8 @@ Using TLC to exhaustively check our models can take any time between minutes (fo
 Trace validation
 ----------------
 
-It is possible to produce fresh traces quickly from the driver by running the make_traces.sh`` script from the ``tla`` directory.
+It is possible to produce fresh traces quickly from the driver by running the ``make_traces.sh`` script from the ``tla`` directory.
 
-Calling the trace validation on, for example, the ``replicate`` scenario can then be done with ``JSON=../build/replicate.ndjson ./tlc.sh consensus/Traceccfraft.tla``.
+Calling the trace validation on, for example, the ``append`` scenario can then be done with ``JSON=../build/append.ndjson ./tlc.sh consensus/Traceccfraft.tla``.
+
+CCF also provides a command line trace visualizer to aid debugging, for example, the ``append`` scenario can be visualized with ``python ../tests/trace_viz.py ../build/append.ndjson``. 

doc/host_config_schema/cchost_config.json

@@ -444,17 +444,13 @@
     "attestation": {
       "type": "object",
       "properties": {
-        "environment": {
-          "type": "object",
-          "properties": {
-            "security_context_directory": {
-              "type": ["string", "null"],
-              "description": "DEPRECATED: Replaced by --snp-security-context-dir-var CLI argument. Name of environment variable (e.g. ``UVM_SECURITY_CONTEXT_DIR``) specifying the directory containing the security context files (i.e. ``host-amd-cert-base64``, ``security-policy-base64`` and ``reference-info-base64``)."
-            }
-          },
-          "description": "Environment variables required to provide best auditability and serviceability for Azure Container Instance deployments (SEV-SNP only)",
-          "required": [],
-          "additionalProperties": false
+        "snp_security_policy_file": {
+          "type": ["string", "null"],
+          "description": "Path to file containing the security policy (SEV-SNP only), can contain environment variables, such as $UVM_SECURITY_CONTEXT_DIR"
+        },
+        "snp_uvm_endorsements_file": {
+          "type": ["string", "null"],
+          "description": "Path to file containing UVM endorsements as a base64-encoded COSE Sign1 (SEV-SNP only). Can contain environment variables, such as $UVM_SECURITY_CONTEXT_DIR"
         },
         "snp_endorsements_servers": {
           "type": "array",
@@ -463,13 +459,13 @@
             "properties": {
               "type": {
                 "type": "string",
-                "enum": ["Azure", "AMD"],
+                "enum": ["Azure", "AMD", "THIM"],
                 "default": "Azure",
                 "description": "Type of server used to retrieve attestation report endorsement certificates (SEV-SNP only)"
               },
               "url": {
                 "type": "string",
-                "description": "Server URLs used to retrieve attestation report endorsement certificates, e.g. \"kdsintf.amd.com\" (SEV-SNP only)"
+                "description": "Server URLs used to retrieve attestation report endorsement certificates, e.g. \"kdsintf.amd.com\" (AMD), \"global.acccache.azure.net\" (Azure) or \"169.254.169.254\" (THIM)"
               }
             },
             "required": ["url"],
@@ -657,17 +653,17 @@
       "properties": {
         "circuit_size": {
           "type": "string",
-          "default": "4MB",
+          "default": "16MB",
           "description": "Size (size string) of the internal host-enclave ringbuffers (must be a power of 2)"
         },
         "max_msg_size": {
           "type": "string",
-          "default": "16MB",
+          "default": "64MB",
           "description": "Maximum size (size string) for a message sent over the ringbuffer. Messages may be split into multiple fragments, but this limits the total size of the sum of those fragments"
         },
         "max_fragment_size": {
           "type": "string",
-          "default": "64KB",
+          "default": "256KB",
           "description": "Maximum size (size string) of individual ringbuffer message fragments. Messages larger than this will be split into multiple fragments"
         }
       },