Skip to content

Merge dstack-cloud: GCP TDX + AWS Nitro attestation (Apache-2.0) #701

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
kvinwang merged 140 commits into from
Jun 4, 2026
+13,004 −1,363
Merged

Merge dstack-cloud: GCP TDX + AWS Nitro attestation (Apache-2.0) #701

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
140 commits
Select commit Hold shift + click to select a range
3b27f14
Update serde-human-bytes to 0.1.2
kvinwang Dec 19, 2025
e533464
Update dcap-qvl 0.3.4
kvinwang Dec 19, 2025
b53de04
dstack-util: Refactor remove orphans
kvinwang Dec 19, 2025
e3fa46f
cvm: dstack-prepare depends on network-online.target
kvinwang Dec 19, 2025
a1ae983
cvm: re-structure the volatile dirs
kvinwang Dec 19, 2025
6334726
dstack-mr: Support for vvfat/vhd shared volume
kvinwang Dec 19, 2025
7fff019
cvm: Support for alternative host share modes
kvinwang Dec 19, 2025
8aab28f
Remove tdx-attest-sys
kvinwang Dec 19, 2025
4382970
tpm: Add tpm crates
kvinwang Dec 19, 2025
9ef4609
vmm: Support for config product info
kvinwang Dec 19, 2025
e9d2a73
Add key-provider kind tpm
kvinwang Dec 19, 2025
ab49844
vmm: Support for key-provider tpm (it doesn't work)
kvinwang Dec 19, 2025
f40384b
vmm: Support for quote_generation_socket
kvinwang Dec 19, 2025
4502f62
vmm-cli: Support for key provider
kvinwang Dec 19, 2025
9f771a1
eventlog: Refactor cc-eventlog
kvinwang Dec 19, 2025
b6deccb
eventlog: Add tpm in cc-eventlog
kvinwang Dec 19, 2025
c9fad02
cvm: Detect data disk by label
kvinwang Dec 19, 2025
85d4539
cvm: Skip loading tdx_guest if already exists
kvinwang Dec 19, 2025
609c43c
cvm: Mount tsm configfs in boot script
kvinwang Dec 19, 2025
ce639ea
cvm: Support for TPM key provider
kvinwang Dec 19, 2025
f47bd9f
kms: Use attestation v2
kvinwang Dec 19, 2025
d5a5856
gw: Use attestation v2
kvinwang Dec 19, 2025
d308c08
guest-agent: AttestationV2
kvinwang Dec 19, 2025
1600846
ratls: Attestation V2
kvinwang Dec 19, 2025
704364c
sdk: Add GetAttestation
kvinwang Dec 19, 2025
6f837a7
verifier: Attestation V2
kvinwang Dec 19, 2025
c56c5da
dstack-util: Add debug commands
kvinwang Dec 19, 2025
01f7c5f
mod tdx_guest: Compile on kernel 6.17
kvinwang Dec 19, 2025
8a186cd
Update Cargo.lock
kvinwang Dec 19, 2025
2bb190e
dstack-util: add attest subcommand
kvinwang Dec 20, 2025
6d35ba3
guest-agent: Implement fn attest
kvinwang Dec 19, 2025
f5d4aad
simulate Attestation
kvinwang Dec 20, 2025
83da3f2
Add tests for fn attest to sdk
kvinwang Dec 20, 2025
9dc7ce4
Remove unused code
kvinwang Dec 20, 2025
c221551
ra-tls: Refactor add_ext and strip code
kvinwang Dec 20, 2025
f4e4f48
dstack-util: add attest info subcommand
kvinwang Dec 20, 2025
bde5002
dstack-util: Add attest-json and attest-strip subcommands
kvinwang Dec 20, 2025
f5d4a23
Refactor cc eventlog
kvinwang Dec 20, 2025
25f68eb
Link tdx quote to tpm quote
kvinwang Dec 20, 2025
4ee124f
Fix cargo clippy
kvinwang Dec 20, 2025
3c75b2a
Use ppid hash as device_id
kvinwang Dec 20, 2025
a32f2fc
Remove tdx mrs from AppInfo and BootInfo
kvinwang Dec 20, 2025
a308135
Add back rtmrs in GetInfo api
kvinwang Dec 21, 2025
2d7d07c
Fix some tests
kvinwang Dec 21, 2025
4a8263e
eventlog: Encode runtime event payload to base64
kvinwang Dec 21, 2025
432d555
ra-tls: Change Attestation oid to .8
kvinwang Dec 21, 2025
5b3c7c7
Use PcrHandle::try_from for PCR Handle
kvinwang Dec 21, 2025
7718200
Fix unit tests
kvinwang Dec 21, 2025
2b885a3
Update attestation.bin
kvinwang Dec 21, 2025
76086bb
verifier: use hex_literal
kvinwang Dec 21, 2025
72ffe34
vmm-ui: Default to zfs in clone config
kvinwang Dec 22, 2025
678226c
cvm: Skip host notify on GCP
kvinwang Dec 22, 2025
328273a
Create containerd dir and let containerd start after dstack-prepare
kvinwang Dec 22, 2025
2361081
cvm: Print df -h on start
kvinwang Dec 22, 2025
bccc20d
remove-orphans: Don't print Docker containers directory does not exist
kvinwang Dec 22, 2025
7427b78
Update rust to 1.92.0
kvinwang Dec 22, 2025
26e4f0a
Fix reuse lint
kvinwang Dec 22, 2025
c613616
vmm: Minor comment update
kvinwang Dec 22, 2025
31def02
Pure Rust tpmp2 crate implementation
kvinwang Dec 22, 2025
39e1cd6
tpm: Add some tests
kvinwang Dec 23, 2025
585f10e
Remove unused field
kvinwang Dec 23, 2025
687af3c
tpm: Use scale codec to seal data
kvinwang Dec 23, 2025
805b554
Remove mod-tdx-guest
kvinwang Dec 23, 2025
b4a94a8
optional host_api_url
kvinwang Dec 24, 2025
8d2e2c5
verifier: Allow missing cpus and mem in vm_config for GCPP
kvinwang Dec 24, 2025
f1a49f0
Update path of user-config in docs
kvinwang Dec 24, 2025
448e606
Update simulator configs
kvinwang Dec 24, 2025
5f05fbb
Fix unit tests
kvinwang Dec 24, 2025
fb232ee
Add nitro TPM support (step 1)
kvinwang Dec 24, 2025
a153bc0
Add nsm-attest
kvinwang Dec 25, 2025
c2849c4
attestation: Use enum rather than option
kvinwang Dec 25, 2025
440d592
Add nsm-qvl
kvinwang Dec 26, 2025
349595a
Add nitro enclave attestation
kvinwang Dec 26, 2025
0fc0fde
Put crates in workspace
kvinwang Dec 26, 2025
7e3fb1a
Fix REUSE warn
kvinwang Dec 26, 2025
e7d5a94
nsm-qvl: More restriction verification
kvinwang Dec 26, 2025
1e5159d
nsm-qvl: Add optional crl check
kvinwang Dec 26, 2025
013be17
Align workspace deps
kvinwang Dec 26, 2025
ffb41d9
Add attestation doc for gpc and nitro
kvinwang Jan 4, 2026
cec804b
Update comment
kvinwang Jan 14, 2026
db8356a
Update dcap-qvl to 0.3.8
kvinwang Jan 14, 2026
23ccf00
Update docs for agent.Attest
kvinwang Jan 15, 2026
841ff6e
Merge branch 'nitro-dev' into nitro
kvinwang Jan 15, 2026
709339c
Fix unit tests
kvinwang Jan 15, 2026
9df8aa1
Merge branch 'refactor-for-cloud-providers' into nitro
kvinwang Jan 15, 2026
0605259
dstack-util: Add --root-ca to get-key
kvinwang Jan 15, 2026
68558a9
kms: Fix the quote display in onboard page
kvinwang Jan 15, 2026
425ae9c
Switch LICENSE to BUSL-1.1
kvinwang Jan 19, 2026
8fae522
Replace some links
kvinwang Jan 19, 2026
4c9d2a8
Remove sdk from this repo
kvinwang Jan 19, 2026
84163fa
Fix more links
kvinwang Jan 19, 2026
4854ccc
Remove foundry submodules
kvinwang Jan 19, 2026
271d998
Fix vm_config reading
kvinwang Jan 20, 2026
a30e298
Update LICENSE
kvinwang Jan 20, 2026
0f47221
Remove useless mkdir -p /sys/kernel/config
kvinwang Jan 20, 2026
00999f0
vmm: default to 9p shared
kvinwang Jan 20, 2026
2eb5264
Set custom CI runners
kvinwang Jan 20, 2026
01e2684
Update dcap-qvl to 0.3.10
kvinwang Jan 21, 2026
fbbc049
Merge remote-tracking branch 'ds/master' into pha-master
kvinwang Jan 21, 2026
6ed539c
Add back simulator
kvinwang Jan 21, 2026
90dcdd0
Fix unit test
kvinwang Jan 21, 2026
590b8f3
Update console_v1.html
kvinwang Jan 21, 2026
6e211f6
Merge branch 'master' into cloud
kvinwang Jan 22, 2026
e95a1e6
Merge remote-tracking branch 'ds/master'
kvinwang Jan 23, 2026
d317906
Merge remote-tracking branch 'origin/master'
kvinwang Jan 23, 2026
7d02e11
Merge remote-tracking branch 'ds/master'
kvinwang Jan 23, 2026
702740d
Merge remote-tracking branch 'ds/master'
kvinwang Jan 24, 2026
8cdae66
Merge remote-tracking branch 'ds/master'
kvinwang Jan 26, 2026
460ee17
Add Apache-2.0 license text for REUSE compliance (#6)
kvinwang Jan 26, 2026
969b5dd
Merge remote-tracking branch 'ds/master'
kvinwang Jan 27, 2026
5b3fa9a
Merge remote-tracking branch 'origin/master'
kvinwang Jan 27, 2026
cd158f1
Merge remote-tracking branch 'ds/master'
kvinwang Jan 27, 2026
f4f7800
docs: separate cloud and self-hosted documentation
h4x3rotab Jan 27, 2026
be54dd7
Merge pull request #7 from Phala-Network/docs/separate-cloud-and-self…
h4x3rotab Jan 27, 2026
e3fa971
Merge remote-tracking branch 'ds/master'
kvinwang Jan 29, 2026
a046ae9
Merge remote-tracking branch 'origin/master'
kvinwang Jan 29, 2026
17c23e2
Merge remote-tracking branch 'ds/master'
kvinwang Feb 5, 2026
135346b
Merge remote-tracking branch 'ds/master'
kvinwang Feb 8, 2026
489136f
Merge remote-tracking branch 'ds/master'
kvinwang Feb 10, 2026
7e0260e
Fix dir in kms Dockerfile
kvinwang Feb 11, 2026
fc6a43f
Merge remote-tracking branch 'ds/master'
kvinwang Feb 12, 2026
ecbc9e0
fix(kms): auto-append /prpc to onboard source_url if missing
kvinwang Feb 13, 2026
6054b84
Merge remote-tracking branch 'ds/master'
kvinwang Feb 13, 2026
76a1993
Merge remote-tracking branch 'ds/master'
kvinwang Feb 13, 2026
14963a2
Merge upstream/master (nonce race fix)
kvinwang Feb 13, 2026
b3e2026
Merge remote-tracking branch 'upstream/master'
kvinwang Apr 7, 2026
6bdf7bc
fix: remove duplicate --key-provider arg from merge
kvinwang Apr 7, 2026
d52a09e
fix: clone into explicit 'dstack' dir, fix ruff formatting
kvinwang Apr 7, 2026
6d96560
fix: adapt PlatformEvidence for GcpTdx/NitroEnclave data and fix to_s…
kvinwang Apr 8, 2026
5d93eb2
Merge remote-tracking branch 'upstream/master'
kvinwang Apr 9, 2026
2083e43
fix: adapt nitro_verify test to upstream V1 attestation refactor
kvinwang Apr 10, 2026
603c6ee
fix: implement GcpTdx and NitroEnclave support in V1 attestation (#10)
kvinwang Apr 13, 2026
b051018
Merge remote-tracking branch 'upstream/master'
kvinwang Apr 30, 2026
2f96ed2
merge: bring dstack-cloud (GCP TDX + AWS Nitro attestation) into main…
kvinwang May 31, 2026
1929bf3
license: revert BUSL-1.1 back to Apache-2.0
kvinwang May 31, 2026
7162285
review: point KMS app build + README at Dstack-TEE/dstack; fix prek
kvinwang Jun 1, 2026
ec18d6a
review: harden attestation verification (nsm freshness, tpm async + P…
kvinwang Jun 1, 2026
2e47b66
fix: vendor dstack-cloud CLI into scripts/bin; fix prek checks
kvinwang Jun 4, 2026
48da24c
review: use verified nitro PCRs and reject debug-mode enclaves
kvinwang Jun 4, 2026
bde0d03
merge: resolve spdx-check.yml conflict (keep CI_RUNNER override + che…
kvinwang Jun 4, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
2 changes: 1 addition & 1 deletion .github/workflows/rust.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -15,21 +15,21 @@

jobs:
rust-checks:
runs-on: ubuntu-latest
runs-on: ${{ vars.CI_RUNNER || 'ubuntu-latest' }}
steps:
- uses: actions/checkout@v5

- name: Install Rust
uses: dtolnay/rust-toolchain@1.86
with:
toolchain: 1.92.0
components: clippy, rustfmt

- name: Run Clippy
run: cargo clippy -- -D warnings -D clippy::expect_used -D clippy::unwrap_used --allow unused_variables

- name: Cargo fmt check
run: cargo fmt --check --all

- name: Run tests
run: ./run-tests.sh

Check warning

Code scanning / CodeQL

Workflow does not contain permissions Medium

Actions job or workflow does not limit the permissions of the GITHUB_TOKEN. Consider setting an explicit permissions block, using the following as a minimal starting point: {contents: read}
2 changes: 1 addition & 1 deletion .github/workflows/spdx-check.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -12,13 +12,13 @@

jobs:
reuse-lint:
runs-on: ubuntu-latest
runs-on: ${{ vars.CI_RUNNER || 'ubuntu-latest' }}

steps:
- name: Checkout repository
uses: actions/checkout@v5

- name: REUSE Compliance Check
uses: fsfe/reuse-action@v5
with:
args: lint

Check warning

Code scanning / CodeQL

Workflow does not contain permissions Medium

Actions job or workflow does not limit the permissions of the GITHUB_TOKEN. Consider setting an explicit permissions block, using the following as a minimal starting point: {contents: read}
2 changes: 1 addition & 1 deletion .github/workflows/vmm-ui.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -15,7 +15,7 @@ on:

jobs:
build:
runs-on: ubuntu-latest
runs-on: ${{ vars.CI_RUNNER || 'ubuntu-latest' }}
steps:
- uses: actions/checkout@v5

Expand Down
1 change: 1 addition & 0 deletions .gitignore
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -13,3 +13,4 @@ node_modules/
__pycache__
.planning/
/vmm/src/console_v1.html
.claude/worktrees/
Loading
Loading