Update to version 0.13.0

Enable tdx-attester (tsm-report) Resolves: RHEL-109116
2025-08-17 13:54:32 +03:00
24 changed files with 458 additions and 342 deletions
--- a/.gitignore
+++ b/.gitignore
@ -1,2 +1,4 @@
 /guest-components-0061d03.tar.gz
 /trustee-guest-components-0.10.0_124.git0061d03-vendor.tar.xz
+/guest-components-0.13.0.tar.gz
+/trustee-guest-components-0.13.0-vendor.tar.xz
--- a/0001-Fedora-Remove-workspace-members-which-are-not-built.patch
+++ b/0001-Fedora-Remove-workspace-members-which-are-not-built.patch
@ -1,22 +1,22 @@
-From 8f7ad9ce8eac9f9bb4f7fbae37f56bef3dd4f597 Mon Sep 17 00:00:00 2001
-From: Uri Lublin <uril@redhat.com>
-Date: Mon, 28 Oct 2024 20:00:25 +0200
-Subject: [PATCH] Fedora: Remove workspace members which are not built
-Content-type: text/plain
+From fd43874376f6866fb5c8339df4b3a4be064cb696 Mon Sep 17 00:00:00 2001
+From: Yan Fu <yafu@redhat.com>
+Date: Wed, 4 Jun 2025 03:51:41 -0400
+Subject: [PATCH 01/14] Fedora: Remove workspace members which are not built

 The trustee-attester is currently under kbs_protocol.
 The 2 attestation-agent's deps and attester are BuildRequired.

 Signed-off-by: Uri Lublin <uril@redhat.com>
+Signed-off-by: Yan Fu <yafu@redhat.com>
 ---
- Cargo.toml | 8 --------
- 1 file changed, 8 deletions(-)
+ Cargo.toml | 9 ---------
+ 1 file changed, 9 deletions(-)

 diff --git a/Cargo.toml b/Cargo.toml
-index 4c239ae..e10cdbe 100644
+index c001449..1f6f3e6 100644
 --- a/Cargo.toml
 +++ b/Cargo.toml
-@@ -1,18 +1,10 @@
+@@ -1,19 +1,10 @@
 [workspace]
 resolver = "2"
 members = [
@ -30,11 +30,12 @@ index 4c239ae..e10cdbe 100644
 -    "attestation-agent/deps/sev",
 -    "attestation-agent/coco_keyprovider",
 -    "confidential-data-hub/hub",
+-    "confidential-data-hub/kms",
 -    "image-rs",
 -    "ocicrypt-rs",
 ]
 
 [workspace.dependencies]
 -- 
-2.47.1
+2.49.0

--- a/0002-Fedora-AA-deps-crypto-default-to-openssl.patch
+++ b/0002-Fedora-AA-deps-crypto-default-to-openssl.patch
@ -1,21 +1,21 @@
-From 0ff9eeb8ffc5a88732f75a84145bb07cd2b88bfc Mon Sep 17 00:00:00 2001
-From: Uri Lublin <uril@redhat.com>
-Date: Tue, 10 Dec 2024 01:25:48 +0200
-Subject: [PATCH] Fedora: AA/deps/crypto: default to openssl
-Content-type: text/plain
+From 7827bb127a324197584abb593938df01bc579203 Mon Sep 17 00:00:00 2001
+From: Yan Fu <yafu@redhat.com>
+Date: Fri, 6 Jun 2025 03:24:21 -0400
+Subject: [PATCH 02/14] Fedora: AA/deps/crypto: default to openssl

 Do not use "vendored" openssl

 Remove some rust-crypto dependencies

 Signed-off-by: Uri Lublin <uril@redhat.com>
+Signed-off-by: Yan Fu <yafu@redhat.com>
 ---
 Cargo.toml                               |  4 ----
- attestation-agent/deps/crypto/Cargo.toml | 11 ++++-------
- 2 files changed, 4 insertions(+), 11 deletions(-)
+ attestation-agent/deps/crypto/Cargo.toml | 21 +++------------------
+ 2 files changed, 3 insertions(+), 22 deletions(-)

 diff --git a/Cargo.toml b/Cargo.toml
-index e10cdbe..bb4a534 100644
+index 1f6f3e6..dafa03d 100644
 --- a/Cargo.toml
 +++ b/Cargo.toml
@@ -8,8 +8,6 @@ members = [
@ -27,53 +27,65 @@ index e10cdbe..bb4a534 100644
 anyhow = "1.0"
 assert-json-diff = "2.0"
 assert_cmd = "2"
-@@ -22,7 +20,6 @@ chrono = "0.4.26"
+@@ -22,7 +20,6 @@ chrono = "0.4.41"
 clap = "~4.2.7"
 config = "0.14.1"
- const_format = "0.2.33"
+ const_format = "0.2.34"
 -ctr = "0.9.2"
- env_logger = "0.11.5"
+ env_logger = "0.11.8"
 hex = "0.4.3"
 hmac = "0.12.1"
-@@ -38,7 +35,6 @@ rand = "0.8.5"
+@@ -39,7 +36,6 @@ rand = "0.9.1"
 reqwest = { version = "0.12", default-features = false }
 resource_uri = { path = "attestation-agent/deps/resource_uri" }
 ring = "0.17"
-rsa = "0.9.7"
+-rsa = "0.9.8"
 rstest = "0.17"
 serde = { version = "1.0", features = ["derive"] }
- serde_with = { version = "1.11.0", features = ["base64"] }
+ serde_with = { version = "3.12.0", features = ["base64"] }
 diff --git a/attestation-agent/deps/crypto/Cargo.toml b/attestation-agent/deps/crypto/Cargo.toml
-index 18c4143..2119bc1 100644
+index a4bdab3..f12f283 100644
 --- a/attestation-agent/deps/crypto/Cargo.toml
 +++ b/attestation-agent/deps/crypto/Cargo.toml
-@@ -6,14 +6,11 @@ publish = false
- edition = "2021"
+@@ -7,20 +7,13 @@ edition = "2021"
+ license = "Apache-2.0"
 
 [dependencies]
 -aes-gcm = { workspace = true, optional = true }
+-aes-kw = { version = "0.2.1", optional = true }
 anyhow.workspace = true
 base64.workspace = true
+-concat-kdf = { version = "0.1.0", optional = true }
 -ctr = { workspace = true, optional = true }
 kbs-types.workspace = true
-openssl = { workspace = true, features = ["vendored"], optional = true}
-+openssl = { workspace = true, optional = true}
+-openssl = { workspace = true, features = ["vendored"], optional = true }
+-p256 = { version = "0.13.1", features = ["ecdh", "pem"], optional = true }
+openssl = { workspace = true, optional = true }
 rand.workspace = true
+ 
+ # This is for API compability of p256 who is using the old version of `rand`
+-rand_08 = { package = "rand", version = "0.8", optional = true }
 -rsa = { workspace = true, optional = true }
 serde.workspace = true
 serde_json.workspace = true
 sha2.workspace = true
-@@ -24,6 +21,6 @@ zeroize.workspace = true
+@@ -31,14 +24,6 @@ zeroize.workspace = true
 rstest.workspace = true
 
 [features]
 -default = ["rust-crypto"]
-rust-crypto = ["dep:aes-gcm", "ctr", "rsa"]
-openssl = ["dep:openssl"]
-\ No newline at end of file
+-rust-crypto = [
+-    "dep:aes-gcm",
+-    "ctr",
+-    "rsa/sha2",
+-    "aes-kw",
+-    "concat-kdf",
+-    "p256",
+-    "rand_08",
+-]
 +default = ["openssl"]
 +rust-crypto = []
-+openssl = ["dep:openssl"]
+ openssl = ["dep:openssl"]
 -- 
-2.47.1
+2.49.0

--- a/0003-Fedora-kbs_protocol-Cargo.toml-reqwest-use-native-TL.patch
+++ b/0003-Fedora-kbs_protocol-Cargo.toml-reqwest-use-native-TL.patch
@ -1,27 +0,0 @@
-From 14e07d79ce3218f9cb52118194e1b579df55a3c2 Mon Sep 17 00:00:00 2001
-From: Uri Lublin <uril@redhat.com>
-Date: Mon, 28 Oct 2024 20:03:22 +0200
-Subject: [PATCH] Fedora: kbs_protocol/Cargo.toml: reqwest: use native TLS not
- vendored
-Content-type: text/plain
-
-Signed-off-by: Uri Lublin <uril@redhat.com>
---
- attestation-agent/kbs_protocol/Cargo.toml | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/attestation-agent/kbs_protocol/Cargo.toml b/attestation-agent/kbs_protocol/Cargo.toml
-index 667969a..92fccce 100644
--- a/attestation-agent/kbs_protocol/Cargo.toml
-+++ b/attestation-agent/kbs_protocol/Cargo.toml
-@@ -61,6 +61,6 @@ cca-attester = ["attester/cca-attester"]
- se-attester  = ["attester/se-attester"]
- 
- rust-crypto = ["reqwest/rustls-tls", "crypto/rust-crypto"]
-openssl = ["reqwest/native-tls-vendored", "crypto/openssl"]
-+openssl = ["reqwest/native-tls", "crypto/openssl"]
- 
- bin = ["tokio/rt", "tokio/macros", "clap", "env_logger"]
-- 
-2.47.1
-
--- a/0003-Fedora-kbs_protocol-use-openssl-instead-of-rust-cryp.patch
+++ b/0003-Fedora-kbs_protocol-use-openssl-instead-of-rust-cryp.patch
@ -0,0 +1,44 @@
+From 9c5007f14c2ed227f27dd6147d328f568229f418 Mon Sep 17 00:00:00 2001
+From: Yan Fu <yafu@redhat.com>
+Date: Fri, 6 Jun 2025 05:12:40 -0400
+Subject: [PATCH 03/14] Fedora: kbs_protocol: use openssl instead of
+ rust-crypto in default
+
+Replace 'rust-crypto' with 'openssl' in default
+
+Use native TLS for openssl
+
+Add "bin" to default to build trustee-attester
+
+Signed-off-by: Uri Lublin <uril@redhat.com>
+Signed-off-by: Yan Fu <yafu@redhat.com>
+---
+ attestation-agent/kbs_protocol/Cargo.toml | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/attestation-agent/kbs_protocol/Cargo.toml b/attestation-agent/kbs_protocol/Cargo.toml
+index b75b73d..0e00122 100644
+--- a/attestation-agent/kbs_protocol/Cargo.toml
+++ b/attestation-agent/kbs_protocol/Cargo.toml
+@@ -44,7 +44,7 @@ name = "trustee-attester"
+ required-features = ["bin"]
+ 
+ [features]
+-default = ["background_check", "passport", "rust-crypto", "all-attesters"]
+default = ["background_check", "passport", "openssl", "all-attesters", "bin"]
+ 
+ passport = []
+ # Allow to connect Attestation-Agent with TTRPC to get evidence, token, etc.
+@@ -62,7 +62,7 @@ csv-attester = ["attester/csv-attester"]
+ cca-attester = ["attester/cca-attester"]
+ se-attester = ["attester/se-attester"]
+ 
+-rust-crypto = ["reqwest/rustls-tls", "crypto/rust-crypto"]
+-openssl = ["reqwest/native-tls-vendored", "crypto/openssl"]
+rust-crypto = []
+openssl = ["reqwest/native-tls", "crypto/openssl"]
+ 
+ bin = ["tokio/rt", "tokio/macros", "clap", "env_logger"]
+-- 
+2.49.0
+
--- a/0004-Fedora-attester-pick-attesters-in-all-attesters.patch
+++ b/0004-Fedora-attester-pick-attesters-in-all-attesters.patch
@ -1,37 +1,37 @@
-From 5cc40f98248d57bc203425ff994253ab4ef09b95 Mon Sep 17 00:00:00 2001
-From: Uri Lublin <uril@redhat.com>
-Date: Tue, 10 Dec 2024 02:41:17 +0200
-Subject: [PATCH] Fedora: attester: pick attesters in all-attesters
-Content-type: text/plain
+From 85659c3247ba9288323e8b40ebddf3480c4e26f0 Mon Sep 17 00:00:00 2001
+From: Yan Fu <yafu@redhat.com>
+Date: Fri, 6 Jun 2025 07:48:21 -0400
+Subject: [PATCH 04/14] Fedora: attester: pick attesters in all-attesters

-Currently: snp, az-snp-vtpm and az-tdx-vtpm
+Currently: snp, tdx, az-snp-vtpm and az-tdx-vtpm

 Remove all dependencies of non-built attesters

 Some require additional dependencies that are not in Fedora

 Signed-off-by: Uri Lublin <uril@redhat.com>
+Signed-off-by: Yan Fu <yafu@redhat.com>
 ---
- attestation-agent/attester/Cargo.toml | 26 +++++---------------------
- 1 file changed, 5 insertions(+), 21 deletions(-)
+ attestation-agent/attester/Cargo.toml | 23 +++++------------------
+ 1 file changed, 5 insertions(+), 18 deletions(-)

 diff --git a/attestation-agent/attester/Cargo.toml b/attestation-agent/attester/Cargo.toml
-index f371e3a..4e16347 100644
+index 5cb2c31..db57aa7 100644
 --- a/attestation-agent/attester/Cargo.toml
 +++ b/attestation-agent/attester/Cargo.toml
-@@ -15,22 +15,11 @@ clap = { workspace = true, features = ["derive"], optional = true }
- hex.workspace = true
+@@ -18,22 +18,13 @@ hex.workspace = true
+ iocuddle = { version = "0.1.1", optional = true }
 kbs-types.workspace = true
 log.workspace = true
 -occlum_dcap = { git = "https://github.com/occlum/occlum", tag = "v0.29.7", optional = true }
 -pv = { version = "0.10.0", package = "s390_pv", optional = true }
-scroll = { version = "0.12.0", default-features = false, features = ["derive", "std"], optional = true }
+ scroll = { version = "0.12.0", default-features = false, features = ["derive", "std"], optional = true }
 serde.workspace = true
 serde_json.workspace = true
 serde_with.workspace = true
 sev = { version = "4.0.0", default-features = false, features = ["snp"], optional = true }
 -sha2.workspace = true
-strum.workspace = true
+ strum.workspace = true
 -tdx-attest-rs = { git = "https://github.com/intel/SGXDataCenterAttestationPrimitives", tag = "DCAP_1.22", optional = true }
 thiserror.workspace = true
 -# TODO: change it to "0.1", once released.
@ -42,11 +42,10 @@ index f371e3a..4e16347 100644
 tokio = { version = "1", features = ["full"], optional = true }
 tempfile = { workspace = true, optional = true }
 
-@@ -45,27 +34,22 @@ required-features = ["bin"]
- [features]
+@@ -49,13 +40,9 @@ required-features = ["bin"]
 default = ["all-attesters"]
 all-attesters = [
-    "tdx-attester",
+     "tdx-attester",
 -    "sgx-attester",
     "az-snp-vtpm-attester",
     "az-tdx-vtpm-attester",
@ -57,12 +56,13 @@ index f371e3a..4e16347 100644
 ]
 
 # tsm-report enables a module that helps attesters to use Linux TSM_REPORTS for generating
- # quotes. It's an unconditional dependency for tdx-attester since that is the only way to
+@@ -63,13 +50,13 @@ all-attesters = [
 # generate TDX quotes with upstream kernels.
 tsm-report = ["tempfile"]
-tdx-attester = ["scroll", "tsm-report", "tdx-attest-rs"]
+ tdx-attester = ["scroll", "tsm-report", "iocuddle"]
+-tdx-attest-dcap-ioctls = ["tdx-attest-rs"]
 -sgx-attester = ["occlum_dcap"]
-+tdx-attester = []
+tdx-attest-dcap-ioctls = []
 +sgx-attester = []
 az-snp-vtpm-attester = ["az-snp-vtpm"]
 az-tdx-vtpm-attester = ["az-snp-vtpm-attester", "az-tdx-vtpm"]
@ -76,5 +76,5 @@ index f371e3a..4e16347 100644
 
 bin = ["tokio/rt", "tokio/macros", "clap"]
 -- 
-2.47.1
+2.49.0

--- a/0005-Fedora-remove-ttrpc-dependency.patch
+++ b/0005-Fedora-remove-ttrpc-dependency.patch
@ -1,59 +1,77 @@
-From 45401917ccabca38112fb4be23193f5230e90867 Mon Sep 17 00:00:00 2001
-From: Uri Lublin <uril@redhat.com>
-Date: Tue, 10 Dec 2024 01:38:24 +0200
-Subject: [PATCH] Fedora: remove ttrpc dependency
-Content-type: text/plain
+From bef1b4d73ad82d39965745c81ea4a35c59ee2527 Mon Sep 17 00:00:00 2001
+From: Yan Fu <yafu@redhat.com>
+Date: Fri, 6 Jun 2025 08:04:55 -0400
+Subject: [PATCH 05/14] Fedora: remove ttrpc dependency

-Not required and not in Fedora
+Not in Fedora and not required if not building aa_token
+
+Also remove protobuf, as it's only used via ttrpc.

 Signed-off-by: Uri Lublin <uril@redhat.com>
+Signed-off-by: Yan Fu <yafu@redhat.com>
 ---
- Cargo.toml                                | 2 --
- attestation-agent/kbs_protocol/Cargo.toml | 4 +---
- 2 files changed, 1 insertion(+), 5 deletions(-)
+ Cargo.toml                                | 3 ---
+ attestation-agent/kbs_protocol/Cargo.toml | 5 +----
+ 2 files changed, 1 insertion(+), 7 deletions(-)

 diff --git a/Cargo.toml b/Cargo.toml
-index db72ef9..e7dc965 100644
+index dafa03d..9eea047 100644
 --- a/Cargo.toml
 +++ b/Cargo.toml
-@@ -48,8 +48,6 @@ tokio = "1.42"
- toml = "0.8.19"
+@@ -31,7 +31,6 @@ log = "0.4.25"
+ nix = "0.29"
+ openssl = "0.10"
+ prost = "0.13"
+-protobuf = "=3.7.1"
+ rand = "0.9.1"
+ reqwest = { version = "0.12", default-features = false }
+ resource_uri = { path = "attestation-agent/deps/resource_uri" }
+@@ -50,8 +49,6 @@ tokio = "1.44"
+ toml = "0.8.22"
 tonic = "0.12"
 tonic-build = "0.12"
-ttrpc = "0.8.2"
-ttrpc-codegen = "0.4.2"
+-ttrpc = "0.8.4"
+-ttrpc-codegen = "0.5.0"
 url = "2.5.4"
 uuid = "1"
 zeroize = "1.5.7"
 diff --git a/attestation-agent/kbs_protocol/Cargo.toml b/attestation-agent/kbs_protocol/Cargo.toml
-index d012487..ab86141 100644
+index 0e00122..c498572 100644
 --- a/attestation-agent/kbs_protocol/Cargo.toml
 +++ b/attestation-agent/kbs_protocol/Cargo.toml
-@@ -23,7 +23,6 @@ serde_json.workspace = true
+@@ -17,7 +17,6 @@ env_logger = { workspace = true, optional = true }
+ jwt-simple.workspace = true
+ kbs-types.workspace = true
+ log.workspace = true
+-protobuf = { workspace = true, optional = true }
+ reqwest = { workspace = true, features = ["cookies", "json"], optional = true }
+ resource_uri.path = "../deps/resource_uri"
+ serde.workspace = true
+@@ -25,7 +24,6 @@ serde_json.workspace = true
 sha2.workspace = true
 thiserror.workspace = true
 tokio.workspace = true
-ttrpc = { workspace = true, optional = true}
+-ttrpc = { workspace = true, optional = true }
 url.workspace = true
 zeroize.workspace = true
 
-@@ -35,7 +34,6 @@ testcontainers.workspace = true
- tokio = { workspace = true, features = [ "rt", "macros", "fs", "process" ]}
+@@ -37,7 +35,6 @@ testcontainers.workspace = true
+ tokio = { workspace = true, features = ["rt", "macros", "fs", "process"] }
 
 [build-dependencies]
 -ttrpc-codegen = { workspace = true, optional = true }
 
 [[bin]]
 name = "trustee-attester"
-@@ -46,7 +44,7 @@ default = ["background_check", "passport", "rust-crypto", "all-attesters"]
+@@ -48,7 +45,7 @@ default = ["background_check", "passport", "openssl", "all-attesters", "bin"]
 
 passport = []
- # use a client of attestation-agent to get token for kbs
-aa_token = ["ttrpc-codegen", "passport", "ttrpc/async", "protobuf"]
-+aa_token = []
+ # Allow to connect Attestation-Agent with TTRPC to get evidence, token, etc.
+-aa_ttrpc = ["ttrpc-codegen", "passport", "ttrpc/async", "protobuf"]
+aa_ttrpc = []
 
 background_check = ["tokio/time"]
 all-attesters = ["attester/all-attesters"]
 -- 
-2.47.1
+2.49.0

--- a/0006-Fedora-remove-jwt-simple-dependency.patch
+++ b/0006-Fedora-remove-jwt-simple-dependency.patch
@ -1,46 +1,48 @@
-From 5325bd8707afb0ac8504c5e845c96c62f8cd4b93 Mon Sep 17 00:00:00 2001
-From: Uri Lublin <uril@redhat.com>
-Date: Tue, 10 Sep 2024 17:17:03 +0300
-Subject: [PATCH] Fedora: remove jwt-simple dependency
-Content-type: text/plain
+From 0966851f28e3a5ac103f5738761ed9d7c015900a Mon Sep 17 00:00:00 2001
+From: Yan Fu <yafu@redhat.com>
+Date: Fri, 6 Jun 2025 08:16:06 -0400
+Subject: [PATCH 06/14] Fedora: remove jwt-simple dependency

-jwt-simple requires some crypto crates.
+jwt-simple is not in Fedora.

 The code checks time validity. Use std::time instead for this.

 Signed-off-by: Uri Lublin <uril@redhat.com>
+Signed-off-by: Yan Fu <yafu@redhat.com>
 ---
- Cargo.toml                                    |  1 -
+ Cargo.toml                                    |  3 ---
 attestation-agent/kbs_protocol/Cargo.toml     |  1 -
 .../kbs_protocol/src/token_provider/mod.rs    | 19 +++++++++----------
- 3 files changed, 9 insertions(+), 12 deletions(-)
+ 3 files changed, 9 insertions(+), 14 deletions(-)

 diff --git a/Cargo.toml b/Cargo.toml
-index bb4a534..db72ef9 100644
+index 9eea047..d2481f8 100644
 --- a/Cargo.toml
 +++ b/Cargo.toml
-@@ -23,7 +23,6 @@ const_format = "0.2.33"
- env_logger = "0.11.5"
+@@ -23,9 +23,6 @@ const_format = "0.2.34"
+ env_logger = "0.11.8"
 hex = "0.4.3"
 hmac = "0.12.1"
-jwt-simple = { version = "0.12", default-features = false, features = ["pure-rust"] }
- kbs-types = "0.7.0"
- lazy_static = "1.5.0"
- log = "0.4.22"
+-jwt-simple = { version = "0.12", default-features = false, features = [
+-    "pure-rust",
+-] }
+ kbs-types = "0.10.0"
+ log = "0.4.27"
+ nix = "0.29"
 diff --git a/attestation-agent/kbs_protocol/Cargo.toml b/attestation-agent/kbs_protocol/Cargo.toml
-index 92fccce..d012487 100644
+index c498572..318061a 100644
 --- a/attestation-agent/kbs_protocol/Cargo.toml
 +++ b/attestation-agent/kbs_protocol/Cargo.toml
-@@ -13,7 +13,6 @@ base64.workspace = true
+@@ -14,7 +14,6 @@ base64.workspace = true
 clap = { workspace = true, features = ["derive"], optional = true }
 crypto = { path = "../deps/crypto", default-features = false }
 env_logger = { workspace = true, optional = true }
 -jwt-simple.workspace = true
 kbs-types.workspace = true
 log.workspace = true
- protobuf = { workspace = true, optional = true}
+ reqwest = { workspace = true, features = ["cookies", "json"], optional = true }
 diff --git a/attestation-agent/kbs_protocol/src/token_provider/mod.rs b/attestation-agent/kbs_protocol/src/token_provider/mod.rs
-index 8f4d7ae..844680c 100644
+index 6648e89..08d06fb 100644
 --- a/attestation-agent/kbs_protocol/src/token_provider/mod.rs
 +++ b/attestation-agent/kbs_protocol/src/token_provider/mod.rs
@@ -14,11 +14,9 @@ pub use aa::*;
@ -91,5 +93,5 @@ index 8f4d7ae..844680c 100644
             if exp < now {
                 bail!("token expired");
 -- 
-2.47.1
+2.49.0

--- a/0007-Fedora-remove-testcontainers-dependency.patch
+++ b/0007-Fedora-remove-testcontainers-dependency.patch
@ -1,13 +1,12 @@
-From c7c063bd76b9b1c8befb514b77b4524a40015066 Mon Sep 17 00:00:00 2001
-From: Uri Lublin <uril@redhat.com>
-Date: Tue, 10 Dec 2024 02:50:53 +0200
-Subject: [PATCH] Fedora: remove testcontainers dependency
-Content-type: text/plain
+From 75bfc218c29f21e7beff438a707dde98e2c97d67 Mon Sep 17 00:00:00 2001
+From: Yan Fu <yafu@redhat.com>
+Date: Mon, 9 Jun 2025 03:55:55 -0400
+Subject: [PATCH 07/14] Fedora: remove testcontainers dependency

-Not in Fedora.
-Skip tests that use it.
+Not in Fedora, so skip tests that use it

 Signed-off-by: Uri Lublin <uril@redhat.com>
+Signed-off-by: Yan Fu <yafu@redhat.com>
 ---
 Cargo.toml                                               | 1 -
 attestation-agent/kbs_protocol/Cargo.toml                | 1 -
@ -15,19 +14,19 @@ Signed-off-by: Uri Lublin <uril@redhat.com>
 3 files changed, 2 insertions(+), 3 deletions(-)

 diff --git a/Cargo.toml b/Cargo.toml
-index e7dc965..7fb9b15 100644
+index d2481f8..a971cc8 100644
 --- a/Cargo.toml
 +++ b/Cargo.toml
-@@ -42,7 +42,6 @@ serial_test = "3"
- sha2 = "0.10.7"
- strum = { version = "0.26", features = ["derive"] }
- tempfile = "3.14"
-testcontainers = "0.14"
+@@ -40,7 +40,6 @@ serial_test = "3"
+ sha2 = "0.10.9"
+ strum = { version = "0.27", features = ["derive"] }
+ tempfile = "3.19"
+-testcontainers = "0.22"
 thiserror = "2.0"
- tokio = "1.42"
- toml = "0.8.19"
+ tokio = "1.44"
+ toml = "0.8.22"
 diff --git a/attestation-agent/kbs_protocol/Cargo.toml b/attestation-agent/kbs_protocol/Cargo.toml
-index ab86141..e29be9c 100644
+index 318061a..31d8006 100644
 --- a/attestation-agent/kbs_protocol/Cargo.toml
 +++ b/attestation-agent/kbs_protocol/Cargo.toml
@@ -30,7 +30,6 @@ zeroize.workspace = true
@ -35,7 +34,7 @@ index ab86141..e29be9c 100644
 serial_test.workspace = true
 tempfile.workspace = true
 -testcontainers.workspace = true
- tokio = { workspace = true, features = [ "rt", "macros", "fs", "process" ]}
+ tokio = { workspace = true, features = ["rt", "macros", "fs", "process"] }
 
 [build-dependencies]
 diff --git a/attestation-agent/kbs_protocol/src/client/rcar_client.rs b/attestation-agent/kbs_protocol/src/client/rcar_client.rs
@ -53,5 +52,5 @@ index 45b194e..1059927 100644
     use crypto::HashAlgorithm;
     use rstest::rstest;
 -- 
-2.47.1
+2.49.0

--- a/0008-Fedora-kbs_protocol-default-to-openssl.patch
+++ b/0008-Fedora-kbs_protocol-default-to-openssl.patch
@ -1,29 +0,0 @@
-From 4fdedc07203138492fe5561af2fbf9868caf9407 Mon Sep 17 00:00:00 2001
-From: Uri Lublin <uril@redhat.com>
-Date: Mon, 28 Oct 2024 20:59:59 +0200
-Subject: [PATCH] Fedora: kbs_protocol: default to openssl
-Content-type: text/plain
-
-Also add "bin" such that trustee-attester can be built
-
-Signed-off-by: Uri Lublin <uril@redhat.com>
---
- attestation-agent/kbs_protocol/Cargo.toml | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/attestation-agent/kbs_protocol/Cargo.toml b/attestation-agent/kbs_protocol/Cargo.toml
-index e29be9c..82b0de8 100644
--- a/attestation-agent/kbs_protocol/Cargo.toml
-+++ b/attestation-agent/kbs_protocol/Cargo.toml
-@@ -39,7 +39,7 @@ name = "trustee-attester"
- required-features = ["bin"]
- 
- [features]
-default = ["background_check", "passport", "rust-crypto", "all-attesters"]
-+default = ["background_check", "passport", "openssl", "all-attesters", "bin"]
- 
- passport = []
- # use a client of attestation-agent to get token for kbs
-- 
-2.47.1
-
--- a/0008-Fedora-rstest-0.23.patch
+++ b/0008-Fedora-rstest-0.23.patch
@ -1,26 +1,27 @@
-From 51beb7c59fb4409c1f99b1b01e0e7ef8ae6a04a6 Mon Sep 17 00:00:00 2001
-From: Uri Lublin <uril@redhat.com>
-Date: Tue, 10 Sep 2024 17:01:02 +0300
-Subject: [PATCH] Fedora: rstest 0.23
-Content-type: text/plain
+From 6ef829fbce28fd612ca353927d47eb0388d1df30 Mon Sep 17 00:00:00 2001
+From: Yan Fu <yafu@redhat.com>
+Date: Thu, 12 Jun 2025 03:24:48 -0400
+Subject: [PATCH 08/14] Fedora: rstest 0.23

+Signed-off-by: Uri Lublin <uril@redhat.com>
+Signed-off-by: Yan Fu <yafu@redhat.com>
 ---
 Cargo.toml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

 diff --git a/Cargo.toml b/Cargo.toml
-index 7fb9b15..08dca30 100644
+index a971cc8..fcbd500 100644
 --- a/Cargo.toml
 +++ b/Cargo.toml
-@@ -34,7 +34,7 @@ rand = "0.8.5"
+@@ -32,7 +32,7 @@ rand = "0.9.0"
 reqwest = { version = "0.12", default-features = false }
 resource_uri = { path = "attestation-agent/deps/resource_uri" }
 ring = "0.17"
 -rstest = "0.17"
 +rstest = "0.23"
 serde = { version = "1.0", features = ["derive"] }
- serde_with = { version = "1.11.0", features = ["base64"] }
+ serde_with = { version = "3.12.0", features = ["base64"] }
 serde_json = "1.0"
 -- 
-2.47.1
+2.49.0

--- a/0009-Fedora-kbs-type-0.11.0.patch
+++ b/0009-Fedora-kbs-type-0.11.0.patch
@ -0,0 +1,27 @@
+From b90e92915f8f8eae4f94bd0dce1db274adc12177 Mon Sep 17 00:00:00 2001
+From: Yan Fu <yafu@redhat.com>
+Date: Thu, 12 Jun 2025 03:25:49 -0400
+Subject: [PATCH 09/14] Fedora: kbs-type 0.11.0
+
+Signed-off-by: Uri Lublin <uril@redhat.com>
+Signed-off-by: Yan Fu <yafu@redhat.com>
+---
+ Cargo.toml | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/Cargo.toml b/Cargo.toml
+index fcbd500..1b7f5b2 100644
+--- a/Cargo.toml
+++ b/Cargo.toml
+@@ -23,7 +23,7 @@ const_format = "0.2.34"
+ env_logger = "0.11.8"
+ hex = "0.4.3"
+ hmac = "0.12.1"
+-kbs-types = "0.10.0"
+kbs-types = "0.11.0"
+ log = "0.4.27"
+ nix = "0.29"
+ openssl = "0.10"
+-- 
+2.49.0
+
--- a/0010-Fedora-tempfile-3.20.patch
+++ b/0010-Fedora-tempfile-3.20.patch
@ -0,0 +1,27 @@
+From 49bad3bb6eecd589c619f1a03f0ea1ba46d8615d Mon Sep 17 00:00:00 2001
+From: Yan Fu <yafu@redhat.com>
+Date: Thu, 12 Jun 2025 03:27:00 -0400
+Subject: [PATCH 10/14] Fedora: tempfile 3.20
+
+Signed-off-by: Uri Lublin <uril@redhat.com>
+Signed-off-by: Yan Fu <yafu@redhat.com>
+---
+ Cargo.toml | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/Cargo.toml b/Cargo.toml
+index 1b7f5b2..ac9208c 100644
+--- a/Cargo.toml
+++ b/Cargo.toml
+@@ -39,7 +39,7 @@ serde_json = "1.0"
+ serial_test = "3"
+ sha2 = "0.10.9"
+ strum = { version = "0.27", features = ["derive"] }
+-tempfile = "3.19"
+tempfile = "3.20"
+ thiserror = "2.0"
+ tokio = "1.44"
+ toml = "0.8.22"
+-- 
+2.49.0
+
--- a/0011-Fedora-kbs-types-0.8.0.patch
+++ b/0011-Fedora-kbs-types-0.8.0.patch
@ -1,27 +0,0 @@
-From fbceba028878b2e6a5f5c1ebff5a4958ddda0221 Mon Sep 17 00:00:00 2001
-From: Uri Lublin <uril@redhat.com>
-Date: Sun, 24 Nov 2024 23:53:51 +0200
-Subject: [PATCH] Fedora: kbs-types 0.8.0
-Content-type: text/plain
-
-Signed-off-by: Uri Lublin <uril@redhat.com>
---
- Cargo.toml | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/Cargo.toml b/Cargo.toml
-index 9f5e48c..3bc3844 100644
--- a/Cargo.toml
-+++ b/Cargo.toml
-@@ -23,7 +23,7 @@ const_format = "0.2.33"
- env_logger = "0.11.5"
- hex = "0.4.3"
- hmac = "0.12.1"
-kbs-types = "0.7.0"
-+kbs-types = "0.8.0"
- lazy_static = "1.5.0"
- log = "0.4.22"
- nix = "0.29"
-- 
-2.47.1
-
--- a/0011-Fedora-tokio-1.45.patch
+++ b/0011-Fedora-tokio-1.45.patch
@ -0,0 +1,27 @@
+From 446e4f308ba84d9810e10dc4a07458a4179460fb Mon Sep 17 00:00:00 2001
+From: Yan Fu <yafu@redhat.com>
+Date: Thu, 12 Jun 2025 03:28:55 -0400
+Subject: [PATCH 11/14] Fedora: tokio 1.45
+
+Signed-off-by: Uri Lublin <uril@redhat.com>
+Signed-off-by: Yan Fu <yafu@redhat.com>
+---
+ Cargo.toml | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/Cargo.toml b/Cargo.toml
+index ac9208c..5accb4c 100644
+--- a/Cargo.toml
+++ b/Cargo.toml
+@@ -41,7 +41,7 @@ sha2 = "0.10.9"
+ strum = { version = "0.27", features = ["derive"] }
+ tempfile = "3.20"
+ thiserror = "2.0"
+-tokio = "1.44"
+tokio = "1.45"
+ toml = "0.8.22"
+ tonic = "0.12"
+ tonic-build = "0.12"
+-- 
+2.49.0
+
--- a/0012-Fedora-kbs_protocol-Cargo.toml-add-package.license.patch
+++ b/0012-Fedora-kbs_protocol-Cargo.toml-add-package.license.patch
@ -1,28 +0,0 @@
-From 21ea654c75d9f8adca1db33d3b2590ef94ba5af1 Mon Sep 17 00:00:00 2001
-From: Uri Lublin <uril@redhat.com>
-Date: Tue, 10 Dec 2024 03:26:16 +0200
-Subject: [PATCH] Fedora: kbs_protocol/Cargo.toml: add package.license
-Content-type: text/plain
-
-Required by rust2rpm
-
-Signed-off-by: Uri Lublin <uril@redhat.com>
---
- attestation-agent/kbs_protocol/Cargo.toml | 1 +
- 1 file changed, 1 insertion(+)
-
-diff --git a/attestation-agent/kbs_protocol/Cargo.toml b/attestation-agent/kbs_protocol/Cargo.toml
-index 82b0de8..982a904 100644
--- a/attestation-agent/kbs_protocol/Cargo.toml
-+++ b/attestation-agent/kbs_protocol/Cargo.toml
-@@ -4,6 +4,7 @@ version = "0.1.0"
- authors = ["The Attestation Agent Authors"]
- publish = false
- edition = "2021"
-+license = "Apache-2.0"
- 
- [dependencies]
- anyhow.workspace = true
-- 
-2.47.1
-
--- a/0012-Fedora-zeroize-1.8.1.patch
+++ b/0012-Fedora-zeroize-1.8.1.patch
@ -0,0 +1,25 @@
+From 886e38d9fa174c261dcbfb72767529da0cd97d76 Mon Sep 17 00:00:00 2001
+From: Yan Fu <yafu@redhat.com>
+Date: Thu, 12 Jun 2025 03:32:14 -0400
+Subject: [PATCH 12/14] Fedora: zeroize 1.8.1
+
+Signed-off-by: Uri Lublin <uril@redhat.com>
+Signed-off-by: Yan Fu <yafu@redhat.com>
+---
+ Cargo.toml | 4 +-
+ 1 file changed, 2 insertion(+), 2 deletion(-)
+
+diff --git a/Cargo.toml b/Cargo.toml
+index 5accb4c..e648459 100644
+--- a/Cargo.toml
+++ b/Cargo.toml
+@@ -47,4 +47,4 @@ tonic = "0.12"
+ tonic-build = "0.12"
+-url = "2.5.4"
+url = "2.5.2"
+ uuid = "1"
+-zeroize = "1.5.7"
+zeroize = "1.8.1"
+-- 
+2.49.0
+
--- a/0013-Fedora-url-version-is-2.5.2.patch
+++ b/0013-Fedora-url-version-is-2.5.2.patch
@ -1,26 +0,0 @@
-From 7e9550c2ec9de0974c567d5d7e0068492ec4e11e Mon Sep 17 00:00:00 2001
-From: Uri Lublin <uril@redhat.com>
-Date: Tue, 10 Dec 2024 04:25:49 +0200
-Subject: [PATCH] Fedora: url version is 2.5.2
-Content-type: text/plain
-
-Signed-off-by: Uri Lublin <uril@redhat.com>
---
- Cargo.toml | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/Cargo.toml b/Cargo.toml
-index 3bc3844..100adc7 100644
--- a/Cargo.toml
-+++ b/Cargo.toml
-@@ -47,6 +47,6 @@ tokio = "1.42"
- toml = "0.8.19"
- tonic = "0.12"
- tonic-build = "0.12"
-url = "2.5.4"
-+url = "2.5.2"
- uuid = "1"
- zeroize = "1.5.7"
-- 
-2.47.1
-
--- a/0013-Fedora-use-clap-4.2.7.patch
+++ b/0013-Fedora-use-clap-4.2.7.patch
@ -1,8 +1,7 @@
-From 266776b3c7bdc4179faa7739bb5cd92dad150380 Mon Sep 17 00:00:00 2001
-From: Uri Lublin <uril@redhat.com>
-Date: Mon, 28 Oct 2024 21:15:37 +0200
-Subject: [PATCH] Fedora: use clap "^4.2.7"
-Content-type: text/plain
+From 977f2a0c582fb2c63e930b07d8f0ce75c27a1732 Mon Sep 17 00:00:00 2001
+From: Yan Fu <yafu@redhat.com>
+Date: Thu, 12 Jun 2025 03:38:31 -0400
+Subject: [PATCH 13/14] Fedora: use clap 4.2.7

 Upstream commits 2d8dcd3 and 53ddd63 changed version from "4" to
 "~4.2.7" such that it can be built with rust 1.69.
@ -20,18 +19,18 @@ Signed-off-by: Uri Lublin <uril@redhat.com>
 1 file changed, 1 insertion(+), 1 deletion(-)

 diff --git a/Cargo.toml b/Cargo.toml
-index 08dca30..9f5e48c 100644
+index e648459..7891215 100644
 --- a/Cargo.toml
 +++ b/Cargo.toml
@@ -17,7 +17,7 @@ base64-serde = "0.7"
 bincode = "1.3.3"
 cfg-if = "1.0.0"
- chrono = "0.4.26"
+ chrono = "0.4.41"
 -clap = "~4.2.7"
 +clap = "^4.2.7"
 config = "0.14.1"
- const_format = "0.2.33"
- env_logger = "0.11.5"
+ const_format = "0.2.34"
+ env_logger = "0.11.8"
 -- 
-2.47.1
+2.49.0

--- a/0014-Fedora-protobuf-is-2.28.patch
+++ b/0014-Fedora-protobuf-is-2.28.patch
@ -1,27 +0,0 @@
-From 1939eea90812bce32f9e8e61bd5be7330f57fda4 Mon Sep 17 00:00:00 2001
-From: Uri Lublin <uril@redhat.com>
-Date: Fri, 7 Feb 2025 01:14:00 +0200
-Subject: [PATCH] Fedora: protobuf is 2.28
-Content-type: text/plain
-
-Signed-off-by: Uri Lublin <uril@redhat.com>
---
- Cargo.toml | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/Cargo.toml b/Cargo.toml
-index 100adc7..31d4ab9 100644
--- a/Cargo.toml
-+++ b/Cargo.toml
-@@ -29,7 +29,7 @@ log = "0.4.22"
- nix = "0.29"
- openssl = "0.10"
- prost = "0.13"
-protobuf = "3.5.1"
-+protobuf = "2.28"
- rand = "0.8.5"
- reqwest = { version = "0.12", default-features = false }
- resource_uri = { path = "attestation-agent/deps/resource_uri" }
-- 
-2.48.1
-
--- a/0014-Fedora-sev-6.2.1.patch
+++ b/0014-Fedora-sev-6.2.1.patch
@ -0,0 +1,69 @@
+From 7a3cb4eaed2a67a4b8a86cfbf521332849907ad0 Mon Sep 17 00:00:00 2001
+From: Yan Fu <yafu@redhat.com>
+Date: Wed, 30 Jul 2025 23:21:46 -0400
+Subject: [PATCH 15/16] Fedora: sev: 6.2.1
+
+Use sev version 6.2.1.
+
+Also update the code to adapt to the AttestationReport struct changes introduced in sev 6.2.1.
+
+Signed-off-by: Uri Lublin <uril@redhat.com>
+Signed-off-by: Yan Fu <yafu@redhat.com>
+---
+ attestation-agent/attester/Cargo.toml          | 2 +-
+ attestation-agent/attester/src/snp/hostdata.rs | 6 ++++--
+ attestation-agent/attester/src/snp/mod.rs      | 6 +++++-
+ 3 files changed, 10 insertions(+), 4 deletions(-)
+
+diff --git a/attestation-agent/attester/Cargo.toml b/attestation-agent/attester/Cargo.toml
+index db57aa7..59f7b7a 100644
+--- a/attestation-agent/attester/Cargo.toml
+++ b/attestation-agent/attester/Cargo.toml
+@@ -22,7 +22,7 @@ scroll = { version = "0.12.0", default-features = false, features = ["derive", "
+ serde.workspace = true
+ serde_json.workspace = true
+ serde_with.workspace = true
+-sev = { version = "4.0.0", default-features = false, features = ["snp"], optional = true }
+sev = { version = "6.2.1", default-features = false, features = ["snp"], optional = true }
+ strum.workspace = true
+ thiserror.workspace = true
+ tokio = { version = "1", features = ["full"], optional = true }
+diff --git a/attestation-agent/attester/src/snp/hostdata.rs b/attestation-agent/attester/src/snp/hostdata.rs
+index 4dce51c..e173d8b 100644
+--- a/attestation-agent/attester/src/snp/hostdata.rs
+++ b/attestation-agent/attester/src/snp/hostdata.rs
+@@ -18,7 +18,9 @@ pub enum GetHostDataError {
+ pub fn get_snp_host_data() -> Result<[u8; 32], GetHostDataError> {
+     let mut firmware = sev::firmware::guest::Firmware::open()?;
+     let report_data: [u8; 64] = [0; 64];
+-    let report = firmware.get_report(None, Some(report_data), Some(0))?;
+    let report_bytes = firmware.get_report(None, Some(report_data), Some(0))?;
+    // Use sev 6.x's from_bytes() for version-agnostic parsing
+    let report = sev::firmware::guest::AttestationReport::from_bytes(&report_bytes)?;
+ 
+-    Ok(report.host_data)
+    Ok(*report.host_data)
+ }
+diff --git a/attestation-agent/attester/src/snp/mod.rs b/attestation-agent/attester/src/snp/mod.rs
+index d931d9d..5cdb8ea 100644
+--- a/attestation-agent/attester/src/snp/mod.rs
+++ b/attestation-agent/attester/src/snp/mod.rs
+@@ -41,10 +41,14 @@ impl Attester for SnpAttester {
+         let mut firmware = Firmware::open()?;
+         let data = report_data.as_slice().try_into()?;
+ 
+-        let (report, certs) = firmware
+        let (report_bytes, certs) = firmware
+             .get_ext_report(None, Some(data), Some(0))
+             .context("Failed to get attestation report")?;
+ 
+        // Use sev 6.x's from_bytes() for version-agnostic parsing
+        let report = AttestationReport::from_bytes(&report_bytes)
+            .context("Failed to parse attestation report")?;
+
+         let evidence = SnpEvidence {
+             attestation_report: report,
+             cert_chain: certs,
+-- 
+2.49.0
+
--- a/0015-Fedora-az-snp-vtpm-az-tdx-vtpm-0.7.4.patch
+++ b/0015-Fedora-az-snp-vtpm-az-tdx-vtpm-0.7.4.patch
@ -0,0 +1,29 @@
+From f91be2b1f0a742dffaa88bd28f60a44e878eab59 Mon Sep 17 00:00:00 2001
+From: Yan Fu <yafu@redhat.com>
+Date: Wed, 30 Jul 2025 23:33:37 -0400
+Subject: [PATCH 16/16] Fedora: az-snp-vtpm/az-tdx-vtpm: 0.7.4
+
+Signed-off-by: Uri Lublin <uril@redhat.com>
+Signed-off-by: Yan Fu <yafu@redhat.com>
+---
+ attestation-agent/attester/Cargo.toml | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/attestation-agent/attester/Cargo.toml b/attestation-agent/attester/Cargo.toml
+index 59f7b7a..bc39564 100644
+--- a/attestation-agent/attester/Cargo.toml
+++ b/attestation-agent/attester/Cargo.toml
+@@ -9,8 +9,8 @@ license = "Apache-2.0"
+ [dependencies]
+ anyhow.workspace = true
+ async-trait.workspace = true
+-az-snp-vtpm = { version = "0.7.1", default-features = false, features = ["attester"], optional = true }
+-az-tdx-vtpm = { version = "0.7.0", default-features = false, features = ["attester"], optional = true }
+az-snp-vtpm = { version = "0.7.4", default-features = false, features = ["attester"], optional = true }
+az-tdx-vtpm = { version = "0.7.4", default-features = false, features = ["attester"], optional = true }
+ base64.workspace = true
+ clap = { workspace = true, features = ["derive"], optional = true }
+ cfg-if.workspace = true
+-- 
+2.49.0
+
--- a/4
+++ b/4
@ -1,2 +1,2 @@
-SHA512 (trustee-guest-components-0.10.0_124.git0061d03-vendor.tar.xz) = a7da3ab8a6da819a34df81695e7cbf108aec82ff6dab43b1dc4bdd7bdcdd12498278b0c255151475ccfcf02d4f1b60d483b3b2318ad860fb1ecdf0d7b243dfa2
-SHA512 (guest-components-0061d03.tar.gz) = 1003767c3ca23de625f02f883373ccc3d23a950c2fa9c02a38bc22293be04d298cd6b18ad64d8506eb5060de10e6fa00f6d7197d314d2b75cadea8223202a954
+SHA512 (guest-components-0.13.0.tar.gz) = 6c32bbc36638647394a5abd087f9cde2162fd533821ead44f4dba6352300bfab51a95dc632cc6c77721158202ba8f0fce5f08562b5329e58e8216e6ed822c6ca
+SHA512 (trustee-guest-components-0.13.0-vendor.tar.xz) = 31bcf90b418d25fff595ba883f20883ea528667539cfcd404f0439e3bf99e698476d487ace9091603a1f704b62ea8312b7410a98950f4db7e235f42e3b1b6794
--- a/trustee-guest-components.spec
+++ b/trustee-guest-components.spec
@ -1,90 +1,83 @@
 # Generated by rust2rpm 27
 %bcond check 1

-%global commit      0061d036509e451597f5f61492b41849b36a32a1          
-%global shortcommit %(c=%{commit}; echo ${c:0:7})                     
-# numcommits is taken from git describe --tags <commit> (num commits s
-%global numcommits   124                                              
-%global projectname guest-components                                  
+%global projectname guest-components

 Name:           trustee-guest-components
-Version:        0.10.0^%{numcommits}.git%{shortcommit}                
-Release:        3%{?dist}
+Version:        0.13.0
+Release:        1%{?dist}
 Summary:        Tools that run in confidential VMs, attest and get secrets from Trustee

 # License lines copied from the build
 # (MIT OR Apache-2.0) AND Unicode-DFS-2016
 # Apache-2.0
 # Apache-2.0 OR BSL-1.0
-# Apache-2.0 OR ISC OR MIT
 # Apache-2.0 OR MIT
+# Apache-2.0 WITH LLVM-exception OR Apache-2.0 OR MIT
 # BSD-2-Clause OR Apache-2.0 OR MIT
 # ISC
 # MIT
 # MIT OR Apache-2.0
-# MIT OR Apache-2.0 OR Zlib
 # MPL-2.0
+# Unicode-3.0
 # Unlicense OR MIT
-# Zlib OR Apache-2.0 OR MIT

 # License lines above, but sorted within and between lines
+# (MIT OR Apache-2.0) AND Unicode-DFS-2016
 # Apache-2.0
+# Apache-2.0 OR Apache-2.0 WITH LLVM-exception OR MIT
 # Apache-2.0 OR BSD-2-Clause OR MIT
 # Apache-2.0 OR BSL-1.0
-# Apache-2.0 OR ISC OR MIT
 # Apache-2.0 OR MIT
-# Apache-2.0 OR MIT
-# Apache-2.0 OR MIT OR Zlib
-# Apache-2.0 OR MIT OR Zlib
 # ISC
 # MIT
 # MIT OR Unlicense
 # MPL-2.0
-# (Apache-2.0 OR MIT) AND Unicode-DFS-2016
-
-
-License:        Apache-2.0 AND (Apache-2.0 OR BSD-2-Clause OR MIT) AND (Apache-2.0 OR BSL-1.0) AND (Apache-2.0 OR ISC OR MIT) AND (Apache-2.0 OR MIT) AND (Apache-2.0 OR MIT OR Zlib) AND ISC AND MIT AND (MIT OR Unlicense) AND MPL-2.0 AND Unicode-DFS-2016
+# Unicode-3.0
+License:        (MIT OR Apache-2.0) AND Unicode-DFS-2016 AND Apache-2.0 AND (Apache-2.0 OR Apache-2.0 WITH LLVM-exception OR MIT) AND (Apache-2.0 OR BSD-2-Clause OR MIT) AND (Apache-2.0 OR BSL-1.0) AND (Apache-2.0 OR MIT) AND ISC AND MIT AND (MIT OR Unlicense) AND MPL-2.0 AND Unicode-3.0

 # LICENSE.dependencies contains a full license breakdown

 URL:            https://github.com/confidential-containers/guest-components
-Source:         https://github.com/confidential-containers/%{projectname}/archive/%{commit}/%{projectname}-%{shortcommit}.tar.gz
+Source:         https://github.com/confidential-containers/%{projectname}/archive/refs/tags/v%{version}/%{projectname}-%{version}.tar.gz


 # Creating vendor tar (on latest Fedora under a guest-components dir):
 # dnf install <all dependencies>
 # bash create_vendor_source.sh
 # mv vendor.tar.xz <dir>/<vendor-tarball-long-name>
-Source1:        %{name}-0.10.0_%{numcommits}.git%{shortcommit}-vendor.tar.xz
+Source1:        %{name}-%{version}-vendor.tar.xz
 # * adapt to RHEL
 # * Remove workspace members which are not built
 Patch1:         0001-Fedora-Remove-workspace-members-which-are-not-built.patch
 # * deps/crypto defaults to openssl
 Patch2:         0002-Fedora-AA-deps-crypto-default-to-openssl.patch
-# * use native-tls for reqwest
-Patch3:         0003-Fedora-kbs_protocol-Cargo.toml-reqwest-use-native-TL.patch
-# * remove dependency jwt-simple - not in Fedora
-Patch4:         0004-Fedora-remove-jwt-simple-dependency.patch
+# * kbs_protocol defaults to openssl
+Patch3:         0003-Fedora-kbs_protocol-use-openssl-instead-of-rust-cryp.patch
+# * pick attesters to build
+Patch4:         0004-Fedora-attester-pick-attesters-in-all-attesters.patch
 # * remove dependency ttrpc - not in Fedora
 Patch5:         0005-Fedora-remove-ttrpc-dependency.patch
-# * pick attesters to build
-Patch6:         0006-Fedora-attester-pick-attesters-in-all-attesters.patch
+# * remove dependency jwt-simple - not in Fedora
+Patch6:         0006-Fedora-remove-jwt-simple-dependency.patch
 # * remove dependency testcontainers - not in Fedora
 Patch7:         0007-Fedora-remove-testcontainers-dependency.patch
-# * kbs_protocol defaults to openssl
-Patch8:         0008-Fedora-kbs_protocol-default-to-openssl.patch
 # * rstest version is 0.23
-Patch9:         0009-Fedora-rstest-0.23.patch
-# * clap version is ^4.2.7 -- see patch for more info
-Patch10:        0010-Fedora-use-clap-4.2.7.patch
-# * kbs-types version is 0.8.0
-Patch11:        0011-Fedora-kbs-types-0.8.0.patch
-# * add package.license to kbs_protocol/Cargo.toml
-Patch12:        0012-Fedora-kbs_protocol-Cargo.toml-add-package.license.patch
-# * url version is 2.5.2
-Patch13:        0013-Fedora-url-version-is-2.5.2.patch
-# * protobuf is 2.28
-Patch14:        0014-Fedora-protobuf-is-2.28.patch
+Patch8:         0008-Fedora-rstest-0.23.patch
+# * kbs-type version is 0.11.0
+Patch9:         0009-Fedora-kbs-type-0.11.0.patch
+# * tempfile version is 3.20
+Patch10:         0010-Fedora-tempfile-3.20.patch
+# * tokio version is 1.45
+Patch11:         0011-Fedora-tokio-1.45.patch
+# * zeroize version is 1.8.1
+Patch12:         0012-Fedora-zeroize-1.8.1.patch
+# * Use clap ^4.2.7
+Patch13:         0013-Fedora-use-clap-4.2.7.patch
+# * sev version is 6.2.1
+Patch14:         0014-Fedora-sev-6.2.1.patch
+# * az-snp-vtpm/az-tdx-vtpm is 0.7.4
+Patch15:         0015-Fedora-az-snp-vtpm-az-tdx-vtpm-0.7.4.patch

 ExclusiveArch:  x86_64
 BuildRequires:  rust-toolset
@ -101,7 +94,7 @@ A part of the confidential-containers project}
 %description %{_description}

 %prep
-%autosetup -n guest-components-0061d036509e451597f5f61492b41849b36a32a1 -p1 -a1
+%autosetup -n %{projectname}-%{version} -p1 -a1
 rm -f Cargo.lock
 %cargo_prep -v vendor

@ -142,6 +135,11 @@ cd attestation-agent/kbs_protocol
 %{_bindir}/trustee-attester

 %changelog
+* Wed Aug 13 2025 Yan Fu <yafu@redhat.com> 0.13.0-1
+- Update to version 0.13.0
+  Enable tdx-attester (tsm-report)
+  Resolves: RHEL-109116
+
 * Sun Feb 09 2025 Uri Lublin <uril@redhat.com> - 0.10.0^124.git0061d03-3
 - Use cargo vendor-filterer to create vendor Source1, make rpminspect happy
  Resolves: RHEL-73770