deps: update ear to v0.5.0 (crates.io), kbs-types to v0.15.0, deprecate SEV

[Copilot]

Move ear from git pin to crates.io v0.5.0, bump kbs-types to v0.15.0, and pick the SEV deprecation from #984 (required since Tee::Sev is removed in kbs-types v0.15.0).

Dependency updates

• ear: git+veraison/rust-ear@3d5fa46 → "0.5.0" (crates.io)
• kbs-types: 0.14.0 → 0.15.0
• deps/verifier: ear kept at 0.4.0 (not workspace) because ccatoken pins ear = "0.4.0" and the types must match across the CCA verifier boundary; verifier can switch to workspace = true once ccatoken bumps to ear 0.5.0 upstream

SEV removal (kbs-types v0.15.0 drops Tee::Sev)

• Remove "sev" => Tee::Sev match arms in grpc and restful AS binaries
• Remove Tee::Sev => todo!() in verifier
• Remove SEV entries from grpc-as.md and kbs_attestation_protocol.md

---

📱 Kick off Copilot coding agent tasks wherever you are with GitHub Mobile, available on iOS and Android.

Closes: #984

[mythi]

a bit bigger than what I was hoping but looks OK

[mkulke]

@copilot

do not touch file in "rvps/src", the changes seem unrelated to the intent of the PR

[Copilot]

@copilot

do not touch file in "rvps/src", the changes seem unrelated to the intent of the PR

Reverted in f5fb491. The rvps/src/rvps_api/reference.rs changes were from tonic-build regeneration during cargo update — now restored to its original state.

[mkulke]

@copilot the deps/verifier subproject also references crate "ear" w/ version 0.4 which breaks the build for CCA (please run cargo check -p verifier).

make ear a workspace dependency, and reference it from deps/verifier (and other subprojects if there are any using the ear create)

[Copilot]

@copilot the deps/verifier subproject also references crate "ear" w/ version 0.4 which breaks the build for CCA (please run cargo check -p verifier).

make ear a workspace dependency...

Fixed in c70b8db. The verifier's ear must stay at 0.4.0 (not workspace) because ccatoken (git dep at 6d5b8db) pins ear = "0.4.0" — since 0.4 and 0.5 are semver-incompatible for pre-1.0 crates, using workspace ear 0.5.0 causes type mismatches between ccatoken's ear types and verifier's. The workspace ear 0.5.0 is used by attestation-service which doesn't share ear types with ccatoken. Verifier can switch to workspace = true once ccatoken bumps to ear 0.5.0 upstream. cargo check -p verifier --features cca-verifier passes now.

Warning

Firewall rules blocked me from connecting to one or more addresses (expand for details)

I tried to connect to the following addresses, but was blocked by firewall rules:

• https://api.github.com/repos/veraison/rust-ccatoken/commits
  • Triggering command: /home/REDACTED/work/_temp/ghcca-node/node/bin/node /home/REDACTED/work/_temp/ghcca-node/node/bin/node --enable-source-maps /home/REDACTED/work/_temp/copilot-developer-action-main/dist/index.js (http block)

If you need me to access, download, or install something from one of these locations, you can either:

• Configure Actions setup steps to set up my environment, which run before the firewall is enabled
• Add the appropriate URLs or hosts to the custom allowlist in this repository's Copilot coding agent settings (admins only)

[mythi]

looks OK except the s390x runners have issues?

[mythi]

LGTM and tests are now passing. Can be merged with squash and get the commit message correct.

[Xynnn007]

@copilot rebase, squash the commits and get the commit message correct

[mythi]

@copilot rebase, squash the commits and get the commit message correct

from what I've seen, there's no force push.

as far as I can think of, @copilot should get the latest main merged with conflicts resolved to copilot/update-cargo-dependencies-ear-kbs-types branch so that we get CI green.

[Copilot]

@copilot rebase, squash the commits and get the commit message correct

from what I've seen, there's no force push.
...

Merged latest main into the branch in 86fc35a. The only conflict was in Cargo.lock (rustls-webpki 0.103.9 → 0.103.10), resolved by regenerating the lockfile with cargo update -w.

[mythi]

@Xynnn007 I can get the commits squashed into one commit on merge if you approve

[Xynnn007]

@Xynnn007 I can get the commits squashed into one commit on merge if you approve

Thanks. Just go!

[mythi]

@Xynnn007 I can get the commits squashed into one commit on merge if you approve

Thanks. Just go!

I need you to unblock 'requested change'

[mkulke]

this repo should have squash-merging enabled, so we can do that when we merge copilot PRs.

copilot will not be able to force-push and even if you prompt it very precisely to only use 1 commit, often there are forced empty "plan" commits with metadata that are forced by the framework.

[Xynnn007]

I need you to unblock 'requested change'

done