microsoft
diff --git a/‎CHANGELOG.md‎
Lines changed: 8 additions & 0 deletions b/‎CHANGELOG.md‎
Lines changed: 8 additions & 0 deletions
diff --git a/‎doc/audit/builtin_maps.rst‎
Lines changed: 1 addition & 1 deletion b/‎doc/audit/builtin_maps.rst‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎doc/build_apps/migration_5_x_to_6_0.rst‎
Lines changed: 5 additions & 0 deletions b/‎doc/build_apps/migration_5_x_to_6_0.rst‎
Lines changed: 5 additions & 0 deletions
diff --git a/‎doc/operations/platforms/snp.rst‎
Lines changed: 87 additions & 1 deletion b/‎doc/operations/platforms/snp.rst‎
Lines changed: 87 additions & 1 deletion
diff --git a/‎doc/schemas/gov_openapi.json‎
Lines changed: 19 additions & 19 deletions b/‎doc/schemas/gov_openapi.json‎
Lines changed: 19 additions & 19 deletions
diff --git a/‎include/ccf/js/extensions/ccf/converters.h‎
Lines changed: 1 addition & 0 deletions b/‎include/ccf/js/extensions/ccf/converters.h‎
Lines changed: 1 addition & 0 deletions
diff --git a/‎include/ccf/pal/attestation.h‎
Lines changed: 5 additions & 4 deletions b/‎include/ccf/pal/attestation.h‎
Lines changed: 5 additions & 4 deletions
@@ -5,6 +5,14 @@ All notable changes to this project will be documented in this file.
 The format is based on [Keep a Changelog](http://keepachangelog.com/en/1.0.0/)
 and this project adheres to [Semantic Versioning](http://semver.org/spec/v2.0.0.html).
 
+## [6.0.9]
+
+[6.0.9]: https://github.com/microsoft/CCF/releases/tag/ccf-6.0.9
+
+## Added
+
+- Add governance action that supports specifying minimum TCB versions in hexstring format. This is intended to be the default format going forward. (#7078)
+
 ## [6.0.8]
 
 [6.0.8]: https://github.com/microsoft/CCF/releases/tag/ccf-6.0.8
 
@@ -216,7 +216,7 @@ The minimum trusted TCB version for new nodes allowed to join the network (:doc`
    * - CPUID
      - TCB Version
    * - ``00a00f11``
-     - ``{boot_loader: 4, tee: 0, snp: 24, microcode: 219}``
+     - ``{"hexstring": "d315000000000004", "boot_loader": 4, "tee": 0, "snp": 21, "microcode": 211}``
 
 ``service.info``
 ~~~~~~~~~~~~~~~~
 
@@ -23,6 +23,11 @@ This introduced a new table, ``nodes.snp.tcb_versions``, which is the minimum TC
 Old networks which are migrating to 6.0 will need to populate this table manually, using the ``set_snp_minimum_tcb_version`` governance action.
 If they are not populated then new nodes may fail to join the network.
 
+.. note:: 
+  In 6.0.9 we introduced ``set_minimum_tcb_version_hex``, a more ergonomic governance action to set the minimum TCB version.
+  This action takes a CPUID and the hex-string format of a TCB version, as you would find it in an attestation, and stores the parsed fields of the TCB version in the ``nodes.snp.tcb_versions`` table, alongside the original hex-string.
+  We strongly recommend using this action as we can transparently add support for new CPU models which change the TCB version format, such as Turin.
+
 For example to set the minimum TCB version on Milan CPUs the following proposal can be submitted:
 
 .. code-block:: json
 
@@ -77,7 +77,93 @@ The following governance proposals can be issued to add/remove these trusted val
 - ``add_snp_host_data``/``remove_snp_host_data``: To add/remove a trusted security policy, e.g. when adding a new trusted container image as part of the code upgrade procedure. 
 - ``add_snp_uvm_endorsement``/``add_snp_uvm_endorsement``: To add remove a trusted UVM endorsement (Azure deployment only).
 - ``add_snp_measurement``/``remove_snp_measurement``: To add/remove a trusted measurement.
-- ``set_snp_minimum_tcb_version``/``remove_snp_minimum_tcb_version``: To add/remove a minimum trusted TCB version.
+- ``set_snp_minimum_tcb_version_hex``/``remove_snp_minimum_tcb_version``: To add/remove a minimum trusted TCB version.
+  - ``set_snp_minimum_tcb_version`` was deprecated in CCF 6.0.9 and replaced by ``set_snp_minimum_tcb_version_hex``.
+
+Setting the minimum TCB Version using ``set_snp_minimum_tcb_version_hex``
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+The `set_snp_minimum_tcb_version_hex` governance action was introduced in CCF 6.0.9 to simplify the process of setting the minimum TCB version for a specific CPU model. This action allows you to specify the CPUID and the TCB version as hex-strings, which are then parsed and stored in the :ref:`audit/builtin_maps:``nodes.snp.tcb_versions``` table.
+To set the minimum TCB version for a specific CPU model, you can use the following governance action:
+.. code-block:: json
+
+    {
+      "actions": [
+        {
+          "name": "set_snp_minimum_tcb_version_hex",
+          "args": {
+            "cpuid": "00a00f11",
+            "tcb_version": "d315000000000004"
+          }
+        }
+      ]
+    }
+
+The parsed TCB version mapped to that cpuid in the :ref:`audit/builtin_maps:``nodes.snp.tcb_versions``` table, which is used to validate the TCB version of joining nodes.
+
+.. note::
+    The CPUID and TCB version must be input as lower-case hex-strings. The values in the above example are for Milan CPUs, and can be expanded as follows:
+
+    +-----------------+------------+
+    |                 |    Value   |
+    |   CPUID Field   +-----+------+
+    |                 | dec |  hex |
+    +=================+=====+======+
+    | Reserved        | 0   |  0x0 |
+    +-----------------+-----+------+
+    | Extended Family | 10  | 0x0a |
+    +-----------------+-----+------+
+    | Extended Model  | 0   |  0x0 |
+    +-----------------+-----+------+
+    | Reserved        | 0   |  0x0 |
+    +-----------------+-----+------+
+    | Base Family     | 15  |  0xf |
+    +-----------------+-----+------+
+    | Base Model      | 1   |  0x1 |
+    +-----------------+-----+------+
+    | Stepping        | 1   |  0x1 |
+    +-----------------+-----+------+
+
+    SNP attestation structures contain the combined Family (``Extended Family + Base Family``) and Model (``Extended Model : Base Model``) values, so 25 (0x19) and 1 (0x01) respectively for the above Milan example.
+
+    The above TCB version ``d315000000000004`` is for a Milan CPU. 
+    It, and also TCB versions for Genoa CPUs, can be expanded as follows:
+
+    +-------------------+------------------+
+    |                   |      Value       |
+    | TCB Version Field +-----+------------+
+    |                   | dec |        hex |
+    +===================+=====+============+
+    | Microcode         | 211 |       0xd3 |
+    +-------------------+-----+------------+
+    | SNP               | 21  |       0x15 |
+    +-------------------+-----+------------+
+    | Reserved          | 0   | 0x00000000 |
+    +-------------------+-----+------------+
+    | TEE               | 0   |       0x00 |
+    +-------------------+-----+------------+
+    | Boot Loader       | 4   |       0x04 |
+    +-------------------+-----+------------+
+
+    The TCB version for Turin CPUs have a different format with, for example, ``1100000022334455`` having the following expanded fields:
+
+    +-------------------+------------------+
+    |                   |      Value       |
+    | TCB Version Field +-----+------------+
+    |                   | dec |        hex |
+    +===================+=====+============+
+    | Microcode         | 17  |       0x11 |
+    +-------------------+-----+------------+
+    | Reserved          | 0   |   0x000000 |
+    +-------------------+-----+------------+
+    | SNP               | 34  |       0x22 |
+    +-------------------+-----+------------+
+    | TEE               | 51  |       0x33 |
+    +-------------------+-----+------------+
+    | Boot Loader       | 68  |       0x44 |
+    +-------------------+-----+------------+
+    | FMC               | 85  |       0x55 |
+    +-------------------+-----+------------+
 
 .. rubric:: Footnotes
 
 
@@ -1175,27 +1175,27 @@
         ],
         "type": "object"
       },
-      "TcbVersion": {
+      "TcbVersionPolicy": {
         "properties": {
           "boot_loader": {
-            "$ref": "#/components/schemas/uint8"
+            "$ref": "#/components/schemas/uint32"
+          },
+          "fmc": {
+            "$ref": "#/components/schemas/uint32"
+          },
+          "hexstring": {
+            "$ref": "#/components/schemas/string"
           },
           "microcode": {
-            "$ref": "#/components/schemas/uint8"
+            "$ref": "#/components/schemas/uint32"
           },
           "snp": {
-            "$ref": "#/components/schemas/uint8"
+            "$ref": "#/components/schemas/uint32"
           },
           "tee": {
-            "$ref": "#/components/schemas/uint8"
+            "$ref": "#/components/schemas/uint32"
           }
         },
-        "required": [
-          "boot_loader",
-          "tee",
-          "snp",
-          "microcode"
-        ],
         "type": "object"
       },
       "TransactionId": {
@@ -1310,9 +1310,9 @@
         },
         "type": "object"
       },
-      "string_to_TcbVersion": {
+      "string_to_TcbVersionPolicy": {
         "additionalProperties": {
-          "$ref": "#/components/schemas/TcbVersion"
+          "$ref": "#/components/schemas/TcbVersionPolicy"
         },
         "type": "object"
       },
@@ -1340,13 +1340,13 @@
         },
         "type": "object"
       },
-      "uint64": {
-        "maximum": 18446744073709551615,
+      "uint32": {
+        "maximum": 4294967295,
         "minimum": 0,
         "type": "integer"
       },
-      "uint8": {
-        "maximum": 255,
+      "uint64": {
+        "maximum": 18446744073709551615,
         "minimum": 0,
         "type": "integer"
       }
@@ -1376,7 +1376,7 @@
   "info": {
     "description": "This API is used to submit and query proposals which affect CCF's public governance tables.",
     "title": "CCF Governance API",
-    "version": "4.7.3"
+    "version": "4.7.4"
   },
   "openapi": "3.0.0",
   "paths": {
@@ -2182,7 +2182,7 @@
             "content": {
               "application/json": {
                 "schema": {
-                  "$ref": "#/components/schemas/string_to_TcbVersion"
+                  "$ref": "#/components/schemas/string_to_TcbVersionPolicy"
                 }
               }
             },
 
@@ -15,6 +15,7 @@ namespace ccf::js::extensions
    * - ccf.bufToJsonCompatible
    *
    * - ccf.pemToId
+   * - ccf.tcbHexToPolicy
    *
    * - ccf.enableUntrustedDateTime
    * - ccf.enableMetricsLogging
 
@@ -221,16 +221,17 @@ namespace ccf::pal
       const auto& endorsed_tcb = quote_info.endorsed_tcb.value();
       auto raw_tcb = ds::from_hex(quote_info.endorsed_tcb.value());
 
-      if (raw_tcb.size() != sizeof(snp::TcbVersion))
+      if (raw_tcb.size() != sizeof(snp::TcbVersionRaw))
       {
         throw std::logic_error(fmt::format(
           "SEV-SNP: TCB of size {}, expected {}",
           raw_tcb.size(),
-          sizeof(snp::TcbVersion)));
+          sizeof(snp::TcbVersionRaw)));
       }
 
-      snp::TcbVersion tcb = *reinterpret_cast<snp::TcbVersion*>(raw_tcb.data());
-      if (tcb != quote.reported_tcb)
+      if (
+        memcmp(
+          raw_tcb.data(), &quote.reported_tcb, sizeof(snp::TcbVersionRaw)) != 0)
       {
         auto* reported_tcb = reinterpret_cast<uint8_t*>(&quote.reported_tcb);
         throw std::logic_error(fmt::format(
Original file line number	Diff line number	Diff line change
`@@ -15,6 +15,7 @@ namespace ccf::js::extensions`
`15`	`15`	`* - ccf.bufToJsonCompatible`
`16`	`16`	`*`
`17`	`17`	`* - ccf.pemToId`
	`18`	`+ * - ccf.tcbHexToPolicy`
`18`	`19`	`*`
`19`	`20`	`* - ccf.enableUntrustedDateTime`
`20`	`21`	`* - ccf.enableMetricsLogging`