v0.8.2

What's Changed

• NOISSUE - Add AllowEFIAppBeforeCallingEvent flag to vTPM verification by @danko-miladinovic in #542
• NOISSUE - Add vTPM AK hash to SEV-SNP report by @danko-miladinovic in #543
• NOISSUE - Update certs and smq versions by @SammyOina in #544

Full Changelog: v0.8.1...v0.8.2

v0.8.1

What's Changed

• NOISSSUE - Fix SEV-SNP attestation policy validation by @WashingtonKK in #541
• COCOS 492 - Fixes bug from 492, fetch certificates only for SEV-SNP cvms by @jovan-djukic in #536
• Bump golang.org/x/crypto from 0.42.0 to 0.43.0 by @dependabot[bot] in #537
• Bump github.com/docker/docker from 28.5.0+incompatible to 28.5.1+incompatible by @dependabot[bot] in #540
• Bump google.golang.org/grpc from 1.75.1 to 1.76.0 by @dependabot[bot] in #538

Full Changelog: v0.8.0...v0.8.1

🎉 Cocos v0.8.0 Release Notes

We're excited to announce the release of Cocos v0.8.0! This release brings significant improvements to attestation handling, enhanced security features, and better code reusability.

🌟 Highlights

Enhanced Attestation Policy

• Improved CLI attestation policy tools for better developer experience
• Updated attestation policy configurations for both AMD and Intel platforms
• Added reported TCB support to attestation policy for more comprehensive security validation
• SEV version bump ensuring compatibility with the latest security standards

Performance & Security Improvements

• VCEK caching on aTLS verification - significantly improves performance by caching VCEK certificates during attestation TLS verification
• Refactored attestation handling - renamed AttestationResult to AzureAttestationToken for better clarity and consistency

Architecture Enhancements

• Refactored HTTP and gRPC clients for improved reusability with Cube
• Enhanced aTLS and gRPC server architecture - now uses CertificateProvider interface for better abstraction and flexibility
• Updated certificate handling to align with the latest certs library changes

📦 Dependency Updates

Major Updates

• github.com/absmach/supermq: 0.16.0 → 0.18.1
• github.com/absmach/certs: 0.0.0-20250707105817 → 0.18.0
• github.com/docker/docker: 28.3.2 → 28.5.0
• google.golang.org/grpc: 1.74.2 → 1.75.0
• google.golang.org/protobuf: 1.36.6 → 1.36.10
• cloud.google.com/go/storage: 1.55.0 → 1.57.0
• sev (attestation policy): 6.2.1 → 7.0.0

Other Updates

• github.com/golang-jwt/jwt/v5: 5.2.2 → 5.3.0
• github.com/stretchr/testify: 1.10.0 → 1.11.0
• github.com/spf13/cobra: 1.9.1 → 1.10.1
• github.com/spf13/pflag: 1.0.9 → 1.0.10
• github.com/google/go-tpm: 0.9.5 → 0.9.6
• golang.org/x/term: 0.33.0 → 0.35.0

🔧 Technical Improvements

• Downgraded Golang version for HAL to improve compatibility
• Refactored codebase for better maintainability and reusability
• Enhanced attestation policy JSON configurations

👥 Contributors

A huge thank you to everyone who contributed to this release:

• @SammyOina
• @danko-miladinovic
• @jovan-djukic
• @WashingtonKK
• @dependabot[bot]

📝 Full Changelog

For a complete list of changes, see the [full changelog](v0.7.0...v0.8.0)

---

Ready to upgrade? Check out our documentation for migration guidelines and new feature usage examples.

Cocos AI v0.7.0 Release Notes

We're excited to announce the release of Cocos AI v0.7.0, a major update that introduces Intel TDX support, enhanced attestation capabilities, and significant architectural improvements.

🚀 Major Features

Intel TDX Support

• Full Intel TDX Integration: Added comprehensive support for Intel Trust Domain Extensions (TDX), enabling secure computation in Intel's confidential computing environment
• TDX Attestation: Implemented complete TDX attestation support for enhanced security verification
• Buildroot TDX Support: Modified Buildroot configuration to fully support Intel TDX environments

Enhanced Attestation & Security

• New aTLS Implementation: Completely redesigned attestation-based TLS (aTLS) for improved security and performance
• mTLS Integration: Enabled mutual TLS when using aTLS for enhanced authentication
• PCR16 Extensions: Extended PCR16 register with computation manifest JSON hash for better integrity verification
• Azure Attestation Improvements: Fixed Azure attestation token fetching to be platform-conditional

🔧 Infrastructure & Performance

Service Management

• Graceful Shutdown: Implemented graceful shutdown mechanisms for all services
• TTL Management: Added Time-To-Live management for virtual machines with improved context handling
• Agent Restart Policy: Introduced restart policies for better agent reliability

Architecture Improvements

• gRPC Handler Refactoring: Reorganized gRPC server handlers using map-based architecture for better maintainability
• Data Path Flexibility: Made data paths optional for more flexible deployment scenarios
• Nonce Validation: Added proper validation for nonce lengths in attestation requests

🐛 Bug Fixes & Stability

Critical Fixes

• Computation Panic Resolution: Fixed panic where computations would stop after a failed run
• Context Handling: Improved context handling to resolve failing TTL applications
• Platform Detection: Enhanced SEV-SNP and TDX detection to properly check kernel parameters
• Error Handling: Improved error handling in VM removal commands with proper connection checks

Quality Improvements

• Test Coverage: Restored and improved test coverage to 65%
• Log Message Clarity: Enhanced log messages throughout the system for better debugging
• JSON Marshaling: Fixed attestation policy JSON marshaling issues

🔄 Dependency Updates

This release includes updates to numerous dependencies for enhanced security and performance:

• Google gRPC updated to v1.73.0
• OpenTelemetry libraries updated to latest versions
• Docker engine updated to v28.2.2
• Go crypto libraries updated to v0.38.0
• Google Cloud Storage updated to v1.55.0

🗑️ Deprecations

• SEV Support Removal: Removed legacy SEV support from the repository to focus on more modern confidential computing technologies

🛠️ CLI Enhancements

• PCR16 Calculation: Added CLI option to calculate PCR16 register values
• Improved VM Management: Enhanced VM removal commands with better error handling

🔗 Resources

• Full Changelog: [v0.6.0...v0.7.0](v0.6.0...v0.7.0)
• Documentation: Visit our documentation for updated installation and usage guides

🙏 Contributors

Special thanks to all contributors who made this release possible:

• @jovan-djukic
• @danko-miladinovic
• @SammyOina
• @dorcaslitunya
• @drasko
• And all the dependabot contributions keeping our dependencies secure and up-to-date

---

Support: For questions or issues, please visit our [GitHub issues page](https://github.com/ultravioletrs/cocos/issues)

Cocos v0.6.0 Release Notes

We're excited to announce Cocos v0.6.0, bringing significant improvements to cloud attestation, security hardening, and agent functionality. This release focuses on enhanced cloud provider integration and improved security measures for confidential computing environments.

🚀 Major Features

Cloud Provider Integration

• Azure CVM Attestation Support: Enhanced attestation policy handling for Azure Confidential Virtual Machines with improved validation and verification processes
• GCP Attestation Policy: Comprehensive attestation policy implementation for Google Cloud Platform environments
• Cloud Provider Firmware Integration: Native integration with cloud provider firmware for enhanced security and validation
• Multi-Cloud Attestation Service: Unified attestation service that works seamlessly across different cloud providers

Agent Certificate Management

• CA Service Integration: Agents can now generate certificates directly through the Certificate Authority service, improving security and simplifying deployment
• Enhanced Agent Security: Improved certificate lifecycle management for secure communication

Security Hardening

• Linux IMA Integration: Integrated Linux Integrity Measurement Architecture for enhanced system integrity verification
• SSH Service Hardening: Disabled SSH service by default and updated user shell configurations in cloud deployments for improved security posture
• vTPM Enhancements: Removed legacy go-tpm-tools TEE verification and streamlined vTPM handling with updated documentation

🔧 Improvements

Agent Functionality

• Simplified Local Development: Streamlined agent execution in non-SEV-SNP environments for easier local testing and development
• Enhanced State Management:
  • Fixed nil pointer dereference issues in agent server stop methods
  • Implemented automatic state machine reset when computations are stopped
  • Improved logging with adjusted log levels for better debugging experience

VM Management

• TTL Support: Added Time-To-Live support for VM creation, enabling automatic cleanup of resources
• Disconnect Messaging: Introduced DisconnectReq message handling for cleaner connection management
• PCR Value Handling: Added proper path handling for expected Platform Configuration Register values

🐛 Bug Fixes

• Fixed critical nil pointer dereference in agent server and service stop methods
• Resolved state management issues with automatic reset functionality
• Improved error handling in attestation policy validation
• Enhanced stability in multi-cloud environments

📦 Dependency Updates

This release includes updates to several key dependencies for improved security and performance:

• golang.org/x/crypto updated to v0.36.0
• go.opentelemetry.io/otel/trace updated to v1.35.0
• go.opentelemetry.io/contrib/instrumentation updated to v0.60.0
• github.com/docker/docker updated to v28.0.4+incompatible
• google.golang.org/protobuf updated to v1.36.6

🔄 Breaking Changes

• SSH service is now disabled by default in cloud configurations
• Legacy go-tpm-tools TEE verification has been removed
• Agent state machine behavior has changed to automatically reset on computation stop

📖 Documentation

• Updated documentation for vTPM changes and new attestation flows
• Enhanced cloud provider integration guides
• Improved agent configuration documentation

🙏 Contributors

Special thanks to all contributors who made this release possible:

• @danko-miladinovic
• @SammyOina
• @jovan-djukic
• @dorcaslitunya
• @dependabot

📋 Migration Guide

When upgrading to v0.6.0:

1. Cloud Configurations: Review your cloud configurations as SSH is now disabled by default
2. Agent Certificates: Consider migrating to the new CA service integration for certificate management
3. Attestation Policies: Update attestation policies to leverage the new cloud provider-specific implementations
4. State Management: Be aware that agent state machines now automatically reset when computations stop

---

Full Changelog: [v0.5.0...v0.6.0](v0.5.0...v0.6.0)

v0.5.2

What's Changed

• NOISSUE - Remove go-tpm-tools TEE verification by @danko-miladinovic in #406
• Bump golang.org/x/crypto from 0.35.0 to 0.36.0 by @dependabot in #400
• Bump go.opentelemetry.io/otel/trace from 1.34.0 to 1.35.0 by @dependabot in #402
• Bump go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc from 0.59.0 to 0.60.0 by @dependabot in #401
• NOISSUE - Fix nil pointer dereference in Stop methods for agentServer and agentService by @SammyOina in #409
• NOISSUE - Simplify local agent running in non sev-snp environment by @SammyOina in #411
• Bump github.com/docker/docker from 28.0.1+incompatible to 28.0.4+incompatible by @dependabot in #416
• Bump google.golang.org/protobuf from 1.36.5 to 1.36.6 by @dependabot in #412
• COCOS-393 - Disable SSH service and update user shell in cloud config by @SammyOina in #396
• NOISSUE - Reset agent statemachine when computation is stopped by @SammyOina in #417
• COCOS - 397 - Agent certificate generation via CA service by @jovan-djukic in #410
• NOISSUE - Change logging level from Info to Debug for State method in LoggingMiddleware by @SammyOina in #422
• NOISSUE - Add DisconnectReq message and TTL support for VM creation by @SammyOina in #428

Full Changelog: v0.5.1...v0.5.2

v0.5.1

What's Changed

• NOISSUE - Add path to expected PCR values by @danko-miladinovic in #398
• NOISSUE - Update documentation for vTPM changes by @danko-miladinovic in #408
• COCOS-391- GCP Attestation policy by @SammyOina in #405

Full Changelog: v0.5.0...v0.5.1

COCOS v0.5.0 Release Notes

Major Features

Trusted Platform Module (TPM) Support

• Added vTPM support for enhanced security (#376)
• Modified buildroot configuration to enable vTPM attestations (#370)
• Added verification of vTPM attestation to CLI (#363)

Agent and Manager Improvements

• Implemented new agent structure (#350)
• Simplified manager to VM provision only (#353)
• Made agent more resilient to gRPC disconnection on CVMs cloud server (#375)
• Created manager service client mocks (#359)

Attestation and Measurements

• Added IGVM measurement capabilities (#379)
• Added IGVM measurement on manager (#404)
• Added launch TCB info to VM information (#333)

Cloud Integration

• Explored cloud-init for cloud setup (#357)
• Updated environment for new manager deployment (#367)

Bug Fixes

• Fixed aTLS bug (#332)
• Fixed returned VM config type (#334)
• Fixed failing test (#335)
• Updated dependency for sev-snp-measure-go to fix failing EOS build (#358)
• Updated agent CVM gRPC certificate keys for consistency (#361)

Documentation

• Updated README.md (#341, #348)

Development Improvements

• Enabled compiling gRPC clients without cGo (#372)
• Set environment automatically (#355)
• Downgraded Go for buildroot supported version (#380)
• Updated Dependabot configuration (#378)
• Fixed Dependabot docker configuration (#386)

Dependency Updates

• Updated sev requirement from 4.0.0 to 5.0.0 (#330)
• Multiple Go dependency updates (#331, #366, #373)
• Updated specific dependencies:
  • github.com/spf13/cobra from 1.8.1 to 1.9.1 (#384)
  • golang.org/x/term from 0.28.0 to 0.29.0 (#382)
  • golang.org/x/crypto from 0.32.0 to 0.35.0 (#383)
  • github.com/docker/docker from 28.0.0+incompatible to 28.0.1+incompatible (#387)

New Contributors

• @dorcaslitunya made their first contribution in #341
• @jovan-djukic made their first contribution in #404

For a complete list of changes, see the full changelog.

COCOS v0.4.0 Release Notes

Highlights

We're excited to announce the release of COCOS v0.4.0, featuring significant improvements in stability, security, and performance. This release includes enhanced VM management, improved networking resilience, and new attestation capabilities.

Key Improvements

• Enhanced Reliability: Significantly improved manager resilience with VM tracking on restart, streamlined message processing, and graceful handling of disconnections
• Security Enhancements: Added support for attested TLS, implemented host data verification, and improved attestation policy management
• Performance Optimizations: Improved file streaming, efficient CID assignment, and reduced message loss with vsock acknowledgments
• SEV-SNP Support: Added support for SEV-SNP with kernel 6.11 and updated guest to kernel version 6.12-rc6
• Improved Observability: Enhanced logging with syslog integration, better formatting, and consistent log levels
• Developer Experience: CLI enhancements, progress bars for downloads, and expanded test coverage to over 65%

Stability & Reliability

• Improved manager resilience by tracking VMs on restart (#219)
• Streamlined message processing to prevent potential message loss (#228)
• Implemented vsock reconnection for agent (#215)
• Cache and retry message sending (#222)
• Added events for agent disconnection (#233)
• Enhanced state machine implementation and testing (#280, #260)
• Fixed race conditions in various components (#221, #248, #316)
• Improved error handling in CLI and services (#277)

Security

• Added support for attested TLS (#279)
• Implemented host data verification (#275)
• Renamed backend info to attestation policy (#314)
• Human-readable attestation output (#289)
• Added checksum verification for manifests (#306)

Performance

• Improved file streaming (#295)
• Implemented efficient CID assignment (#300)
• Reduced message loss via vsock with acknowledgments (#252)
• Removed blocking on vsock operations (#301)
• Fixed handling of run request chunks (#234)

Infrastructure

• Added systemd support for manager (#213)
• Improved SDK initialization (#302)
• Added Docker support for IRIS example (#220)
• Improved manager service architecture (#287)
• Added health check capability (#288)

User Experience

• Enhanced CLI functionality and error handling (#250, #277)
• Added progress bar for downloads (#290)
• Improved command line argument handling (#304)
• Added support for returning correct port on run (#315)
• Updated buildroot configuration (#320)

Observability

• Integrated with syslog (#237)
• Standardized constants for log levels (#240)
• Improved log message formatting from agent (#244)
• Fixed redundant logs (#247)
• Enhanced event status reporting (#235)
• Added VM state machine with filtered QEMU logs (#272)

Developer Experience

• Improved test coverage to 65% (#310)
• Added comprehensive tests across multiple packages (#170, #266, #269, #271, #273, #274)
• Fixed HAL release pipeline (#254)
• Added mockery configuration (#323)

Hardware Support

• Added SEV-SNP support for kernel 6.11 (#298)
• Updated guest to kernel version 6.12-rc6 (#299)
• Added information on OVMF version, CPU type, CPU number, and EOS version (#307)
• Removed ramfs requirement (#322)

Dependency Updates

• Multiple Go dependency updates via Dependabot
• Updated SEV requirement from 3.1.1 to 4.0.0

Breaking Changes

• Removed VNC support (#259)
• Removed CID tracking (#218)
• Restructured agent and manager gRPC configuration (#297)

For a complete list of changes, please see the [full changelog](v0.3.1...v0.4.0).

v0.3.1

What's Changed

• NOISSUE - Fix Algo Path by @rodneyosodo in #216

Full Changelog: v0.3.0...v0.3.1