Cosmian · Manuthor · Jan 18, 2025 · Jan 13, 2025 · Jan 14, 2025 · Jan 14, 2025
diff --git a/.devcontainer/.dockerignore b/.devcontainer/.dockerignore
@@ -0,0 +1,5 @@
+.dockerignore
+devcontainer.json
+docker-compose.yml
+Dockerfile
+README.md
diff --git a/.devcontainer/Dockerfile b/.devcontainer/Dockerfile
@@ -0,0 +1,25 @@
+FROM ghcr.io/cosmian/intel-sgx:2.24
+
+RUN curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sh -s -- -y
+
+ENV PATH="/root/.cargo/bin:${PATH}"
+
+RUN rustup default stable
+
+RUN rustup component add clippy rustfmt
+
+RUN apt-get update && apt-get install --no-install-recommends -qq -y \
+    build-essential \
+    pkg-config \
+    libssl-dev \
+    python3 \
+    python3-pip \
+    tpm2-tools \
+    libtss2-dev \
+    libtdx-attest-dev \
+    && apt-get -y -q upgrade \
+    && apt-get clean \
+    && rm -rf /var/lib/apt/lists/* \
+    && python3 -m pip install "maturin"
+
+RUN sed -i 's,https://localhost:8081/sgx/certification/v4/,https://pccs.staging.mse.cosmian.com/sgx/certification/v4/,' /etc/sgx_default_qcnl.conf
diff --git a/.devcontainer/devcontainer.json b/.devcontainer/devcontainer.json
@@ -0,0 +1,12 @@
+{
+  "build": {
+    "dockerfile": "Dockerfile"
+  },
+  "customizations": {
+    "vscode": {
+      "settings": {},
+      "extensions": ["rust-lang.rust-analyzer", "serayuzgur.crates"]
+    }
+  },
+  "remoteUser": "root"
+}
diff --git a/.devcontainer/docker-compose.yml b/.devcontainer/docker-compose.yml
@@ -0,0 +1,22 @@
+---
+version: '3.7'
+
+services:
+  vscode:
+    build: .
+    volumes:
+      - ../:/workspace
+      # Docker socket to access Docker server
+      - /var/run/docker.sock:/var/run/docker.sock
+      # SSH directory for Linux, OSX and WSL
+      # On Linux and OSX, a symlink /mnt/ssh <-> ~/.ssh is
+      # created in the container. On Windows, files are copied
+      # from /mnt/ssh to ~/.ssh to fix permissions.
+      - ~/.ssh:/mnt/ssh
+      # Shell history persistence
+      # - ~/.zsh_history:/root/.zsh_history
+      # Git config
+      - $HOME/.gitconfig:/root/.gitconfig
+    environment:
+      - TZ=
+    entrypoint: bash -c "while sleep 1000; do :; done"
diff --git a/.github/scripts/aws-packer-build.sh b/.github/scripts/aws-packer-build.sh
@@ -4,10 +4,10 @@
 # DISTRIBUTION=rhel
 # PRODUCT=cosmian-vm
 # VERSION=0.1.10 # Optional
-# KMS_VERSION=4.19.3 # Provided by Github workflow
+# KMS_VERSION=4.21.1 # Provided by Github workflow
 # AI_RUNNER_VERSION=0.3.0 # Provided by Github workflow
-# GITHUB_REF=refs/tags/1.3.1 # Provided by Github Actions
-# GITHUB_REF_NAME=1.3.1 # Provided by Github Actions
+# GITHUB_REF=refs/tags/1.3.2 # Provided by Github Actions
+# GITHUB_REF_NAME=1.3.2 # Provided by Github Actions
 # IMAGE_NAME="cosmian-vm-${GITHUB_REF_NAME}-sev-${DISTRIBUTION}" # Only for testing
 
 set -ex

diff --git a/.github/scripts/azure-delete-instance.sh b/.github/scripts/azure-delete-instance.sh
@@ -2,15 +2,22 @@
 
 set -x
 
-
 # Assign default values if parameters are not provided
 TECHNO="${1:-sev}"
 DISTRIB="${2:-ubuntu}"
 WHO="$(whoami)"
 DEFAULT_NAME="$WHO-$TECHNO-$DISTRIB"
 NAME="${3:-$DEFAULT_NAME}"
 
-
 az vm delete -g packer-snp -n "$NAME" --yes
-az network public-ip delete -g packer-snp -n "${NAME}PublicIP"
+az snapshot delete -g packer-snp --name "snapshot-$NAME"
+az image delete -g packer-snp --name "$NAME-image"
+az disk delete -g packer-snp --name "$NAME-OSDisk" --yes
+az disk delete -g packer-snp --name "disk-$NAME" --yes
+az network nsg delete --resource-group packer-snp -n "${NAME}-nsg"
 az network nsg delete --resource-group packer-snp -n "${NAME}NSG"
+az network nsg delete --resource-group packer-snp -n "${NAME}"
+az network nic delete -g packer-snp --name "${NAME}"
+az network public-ip delete -g packer-snp -n "${NAME}PublicIP"
+az network public-ip delete -g packer-snp -n "${NAME}"
+az network vnet delete -g packer-snp --name "${NAME}"
diff --git a/.github/scripts/azure-new-instance.sh b/.github/scripts/azure-new-instance.sh
@@ -28,7 +28,8 @@ if [ "$TECHNO" = "tdx" ]; then
     --ssh-key-values "$SSH_PUB_KEY"
 else
   IMAGE_NAME="/subscriptions/bc07f5de-3498-43b8-94aa-34b4a34a89b8/resourceGroups/packer-snp/providers/Microsoft.Compute/galleries/cosmian_packer/images/base-image-${DISTRIB}-${TECHNO}/versions/0.1.10"
-  IMAGE_NAME="/subscriptions/bc07f5de-3498-43b8-94aa-34b4a34a89b8/resourceGroups/packer-snp/providers/Microsoft.Compute/galleries/cosmian_packer/images/cosmian-vm-${DISTRIB}-${TECHNO}/versions/1.3.1"
+  IMAGE_NAME="/subscriptions/bc07f5de-3498-43b8-94aa-34b4a34a89b8/resourceGroups/packer-snp/providers/Microsoft.Compute/galleries/cosmian_packer/images/cosmian-vm-${DISTRIB}-${TECHNO}/versions/1.3.2"
+  IMAGE_NAME="/subscriptions/bc07f5de-3498-43b8-94aa-34b4a34a89b8/resourceGroups/packer-snp/providers/Microsoft.Compute/galleries/cosmian_packer/images/kms-${DISTRIB}-${TECHNO}/versions/4.21.1"
 
   if [ "$DISTRIB" = "ubuntu" ]; then
     # Ubuntu SEV

diff --git a/.github/scripts/push_packages.sh b/.github/scripts/push_packages.sh
@@ -2,7 +2,7 @@
 
 set -ex
 
-VERSION=1.3.1
+VERSION=1.3.2
 
 set -x
 if [[ "${GITHUB_REF}" =~ 'refs/tags/' ]]; then

diff --git a/.github/workflows/build_all.yml b/.github/workflows/build_all.yml
@@ -30,6 +30,6 @@ jobs:
       - name: Run ansible-lint
         uses: ansible/ansible-lint@main
         with:
-          setup_python: "true"
-          working_directory: "./ansible"
-          requirements_file: "requirements.yml"
+          setup_python: 'true'
+          working_directory: ./ansible
+          requirements_file: requirements.yml
diff --git a/.github/workflows/pull_request.yml b/.github/workflows/pull_request.yml
@@ -15,7 +15,7 @@ jobs:
     uses: ./.github/workflows/azure_main.yml
     with:
       product: cosmian-vm
-      kms-version: 4.19.3
+      kms-version: 4.21.1
       ai-runner-version: 0.3.0
       techno: sev
     secrets: inherit
@@ -25,7 +25,7 @@ jobs:
     uses: ./.github/workflows/gcp_main.yml
     with:
       product: cosmian-vm
-      kms-version: 4.19.3
+      kms-version: 4.21.1
       ai-runner-version: 0.3.0
       techno: sev
     secrets: inherit
@@ -36,7 +36,7 @@ jobs:
   #   uses: ./.github/workflows/aws_main.yml
   #   with:
   #     product: cosmian-vm
-  #     kms-version: 4.19.3
+  #     kms-version: 4.21.1
   #     ai-runner-version: 0.3.0
   #     techno: sev
   #   secrets: inherit

diff --git a/.github/workflows/release_main.yml b/.github/workflows/release_main.yml
@@ -21,7 +21,7 @@ jobs:
     uses: ./.github/workflows/release_azure_main.yml
     with:
       base-version: 0.1.10
-      kms-version: 4.19.3
+      kms-version: 4.21.1
       ai-runner-version: 0.3.0
     secrets: inherit
 
@@ -30,7 +30,7 @@ jobs:
     uses: ./.github/workflows/release_gcp_main.yml
     with:
       base-version: 0.1.10
-      kms-version: 4.19.3
+      kms-version: 4.21.1
       ai-runner-version: 0.3.0
     secrets: inherit
 
@@ -39,7 +39,7 @@ jobs:
     uses: ./.github/workflows/release_aws_main.yml
     with:
       base-version: 0.1.10
-      kms-version: 4.19.3
+      kms-version: 4.21.1
       ai-runner-version: 0.3.0
     secrets: inherit
 

diff --git a/.gitignore b/.gitignore
@@ -5,3 +5,4 @@
 /ima.binary
 *.swp
 TODO
+/node_modules
diff --git a/.markdown-link-check.json b/.markdown-link-check.json
@@ -0,0 +1,10 @@
+{
+  "ignorePatterns": [
+    {
+      "pattern": "packercosmian"
+    },
+    {
+      "pattern": "public_documentation"
+    }
+  ]
+}
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
@@ -16,27 +16,17 @@ repos:
         stages: [commit-msg]
         args: [] # optional: list of Conventional Commits types to allow e.g. [feat, fix, ci, chore, test]
 
-  - repo: https://github.com/pre-commit/mirrors-prettier
-    rev: v4.0.0-alpha.8
-    hooks:
-      - id: prettier
-        stages: [commit]
-        exclude_types:
-          - yaml
-          - markdown
-
   - repo: https://github.com/igorshubovych/markdownlint-cli
     rev: v0.41.0
     hooks:
       - id: markdownlint-fix
         args: [--disable=MD004, --disable=MD013, --disable=MD024, --disable=MD029, --disable=MD033, --disable=MD041, --disable=MD046]
-        exclude: documentation/docs
 
   - repo: https://github.com/tcort/markdown-link-check
     rev: v3.12.2
     hooks:
       - id: markdown-link-check
-        args: [-q]
+        args: [-q, --config, .markdown-link-check.json]
 
   - repo: https://github.com/jumanjihouse/pre-commit-hook-yamlfmt
     rev: 0.2.3

diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -2,6 +2,31 @@
 
 All notable changes to this project will be documented in this file.
 
+## [1.3.2] - 2025-01-18
+
+### 🚀 Features
+
+- Bump KMS from 4.19.3 to 4.21.1 ([#167](https://github.com/Cosmian/cosmian_vm/pull/167))
+
+### 🐛 Bug Fixes
+
+- List of bug fixes in ([#167](https://github.com/Cosmian/cosmian_vm/pull/167)):
+  - About KMS systemd service:
+    - service must wait for mount_luks service but using `Requires` argument
+    - Also `StandardOutput` to `syslog+console` to display `stdout`
+  - Make `9998` the default local `Nginx` port for KMS. No extra conf to do anymore on `cosmian` CLI side
+  - Fix CVE of `idna` crate by upgrading it from `0.5.0` to `1.0.3`.
+
+### 🧪 Testing
+
+- Test in Ansible if KMS service is up:
+  - after first boot, first reboot and after a `cosmian_vm app init` configuration
+- Display TPM PCR-7 before and after first reboot
+
+### ⚙️ Miscellaneous Tasks
+
+- Add `dev-container` files for VSCode
+
 ## [1.3.1] - 2024-10-30
 
 ### 🚀 Features
-Original file line number
+Diff line change
@@ Expand Up / @@ -2,7 +2,7 @@ @@
     set -ex
-    VERSION=1.3.1
+    VERSION=1.3.2
     set -x
     if [[ "${GITHUB_REF}" =~ 'refs/tags/' ]]; then
@@ Expand Down @@