# Release Notes for v0.6.0
Release Date: June 7th, 2023

Please see the [quickstart guide](../quickstart.md) for details on how to try out Confidential
Containers.

Please refer to our [Acronyms](https://github.com/confidential-containers/documentation/wiki/Acronyms)
and [Glossary](https://github.com/confidential-containers/documentation/wiki/Glossary) pages for a
definition of the acronyms used in this document.

## What's new
- Support for attesting pod VMs with Azure vTPMs on SEV-SNP
- Support for using Project Amber as an attestation service
- Support for Cosign signature validation with s390x
- Pulling guest images with many layers can no longer cause guest CPU starvation.
- Attestation Service upgraded to avoid several security issues in Go packages.
- CC-KBC & KBS support with SGX attester/verifier for Occlum and CI for enclave-cc

## Hardware Support
Confidential Containers is tested with attestation on the following platforms:
- Intel TDX
- AMD SEV(-ES)
- Intel SGX

The following platforms are untested or partially supported:
- IBM Secure Execution (SE) on IBM zSystems (s390x) running LinuxONE
- AMD SEV-SNP

The following platforms are in development:
- ARM CCA

## Limitations
The following are known limitations of this release:

- Platform support is rapidly changing
  * Image signature validation with AMD SEV-ES is not covered by CI.
- SELinux is not supported on the host and must be set to permissive if in use.
- The generic KBS does not yet supported all platforms. 
- The format of encrypted container images is still subject to change
  * The [oci-crypt](https://github.com/containers/ocicrypt) container image format itself may still change
  * The tools to generate images are not in their final form
  * The image format itself is subject to change in upcoming releases
  * Not all image repositories support encrypted container images. 
- CoCo currently requires a custom build of `containerd`, which is installed by the operator.
  * Codepath for pulling images will change significantly in future releases.
  * `crio` is only supported with `cloud-api-adaptor`.
- Complete integration with Kubernetes is still in progress. 
  * OpenShift support is not yet complete.
  * Existing APIs do not fully support the CoCo security and threat model. [More info](https://github.com/confidential-containers/confidential-containers/issues/53)
  * Some commands accessing confidential data, such as `kubectl exec`, may either fail to work, or incorrectly expose information to the host
  * Container images must be downloaded separately (inside guest) for each pod. [More info](https://github.com/confidential-containers/confidential-containers/issues/66)
- The CoCo community aspires to adopting open source security best practices, but not all practices are adopted yet.
  * We track our status with the OpenSSF Best Practices Badge, which remained at 64% at the time of this release.
  * Vulnerability reporting mechanisms still need to be created. Public github issues are still appropriate for this release until private reporting is established.


## CVE Fixes

None