Merge dstack-cloud: GCP TDX + AWS Nitro attestation (Apache-2.0)#701
Merged
Conversation
# Conflicts: # Cargo.lock # dstack-attest/Cargo.toml # gateway/dstack-app/builder/Dockerfile # gateway/dstack-app/builder/shared/pin-packages.sh # key-provider-build/Dockerfile.key-provider # kms/dstack-app/builder/shared/pin-packages.sh # mod-tdx-guest/mod.c # python/ct_monitor/ct_monitor.py # scripts/add-spdx-attribution.py # sdk/README.md # sdk/go/README.md # sdk/go/dstack/client.go # sdk/go/dstack/client_test.go # sdk/go/go.mod # sdk/go/go.sum # sdk/go/tappd/client.go # sdk/python/test_outputs.py # sdk/python/tests/test_client.py # sdk/run-tests.sh # sdk/rust/examples/dstack_client_usage.rs # verifier/builder/shared/config-qemu.sh # verifier/builder/shared/pin-packages.sh # vmm/src/console_v1.html # vmm/src/vmm-cli.py # vmm/ui/build.mjs
- git clone ${DSTACK_SRC_URL} dstack: ensure consistent directory name
regardless of the repo URL (dstack vs dstack-cloud)
- reformat --key-provider arg to satisfy ruff-format
…cale() callers Extend PlatformEvidence in v1.rs to carry GcpTdx (quote, event_log, tpm_quote) and NitroEnclave (nsm_quote) data matching dstack-cloud's AttestationQuote variants. Fix conversion functions and all pattern matches across dstack-util, dstack-kms. Handle to_scale() returning Result after upstream change.
# Conflicts: # Cargo.lock # Cargo.toml
* fix: implement GcpTdx and NitroEnclave support in V1 attestation The upstream merge left V1 AttestationV1's decode_app_info_ex and verify_with_time with bail!() stubs for GcpTdx and NitroEnclave, since upstream only has empty placeholders for these platforms. This commit adds full implementations: - decode_app_info_ex: GcpTdx uses TPM PCR-based MR computation, NitroEnclave uses NSM PCR-based MR computation - verify_with_time: GcpTdx performs TDX quote + TPM quote verification with PCR replay, NitroEnclave performs COSE signature + cert chain verification All callers (guest-agent, KMS, verifier, ra-rpc) use into_v1() and were broken on these platforms without this fix. * fix: mark vsock listener bind test as ignored in CI The test requires vsock kernel support which is not available in GitHub Actions runners.
…line Full merge of Phala-Network/dstack-cloud master into Dstack-TEE/dstack. Restores mainline sdk/ and no_std_check/ (cloud had removed them); drops the obsolete out-of-tree mod-tdx-guest/ (in-tree ConfigFS TSM replaces it). LICENSE/SPDX still BUSL-1.1 here; reverted to Apache-2.0 in the next commit.
- flip 310 source files' SPDX headers BUSL-1.1 -> Apache-2.0 - restore Apache-2.0 LICENSE and REUSE.toml from upstream; drop LICENSES/BUSL-1.1.txt - re-add CC0-1.0 annotations for new nitro/tpm test fixtures - drop mod-tdx-guest GPL annotation (recipe removed; in-tree TSM replaces it) - de-BUSL README license section reuse lint: compliant (Apache-2.0, CC0-1.0, MIT only).
Contributor
There was a problem hiding this comment.
Pull request overview
This PR merges downstream cloud attestation support into the mainline dstack workspace, adding GCP TDX+TPM and AWS Nitro Enclave attestation paths, TPM-backed key support, updated verifier/KMS integration, documentation, and license cleanup.
Changes:
- Adds new TPM/NSM crates and integrates GCP TDX and Nitro Enclave evidence into
dstack-attest, verifier, guest utilities, and RA-TLS. - Updates KMS onboarding, VMM/UI key-provider options, build/deployment artifacts, CI runner configuration, and REUSE/license annotations.
- Adds cloud attestation documentation and removes the old out-of-tree
mod-tdx-guestkernel module.
Reviewed changes
Copilot reviewed 84 out of 92 changed files in this pull request and generated 9 comments.
Show a summary per file
| File | Description |
|---|---|
.github/workflows/rust.yml |
Allows CI runner override via repository variable. |
.github/workflows/spdx-check.yml |
Allows CI runner override via repository variable. |
.github/workflows/vmm-ui.yml |
Allows CI runner override via repository variable. |
.gitignore |
Ignores Claude worktree directory. |
Cargo.toml |
Adds TPM/NSM crates to workspace and dependencies. |
LICENSES/Apache-2.0.txt |
Restores Apache license file content. |
LICENSES/GPL-2.0-only.txt |
Removes GPL license text after module deletion. |
LICENSES/Linux-syscall-note.txt |
Removes Linux syscall note after module deletion. |
README.md |
Reworks README for cloud deployment positioning. |
REUSE.toml |
Updates license annotations for new fixtures/certs and removed module. |
attestation.md |
Updates build repository reference. |
cc-eventlog/src/lib.rs |
Exposes TPM event log module. |
cc-eventlog/src/tpm.rs |
Adds TPM event log parsing and tests. |
cert-client/Cargo.toml |
Adds TDX attestation dependency. |
docs/attestation-gcp.md |
Adds GCP TDX+TPM attestation flow docs. |
docs/attestation-nitro-enclave.md |
Adds AWS Nitro NSM attestation flow docs. |
docs/auth-simple-operations.md |
Marks guide as self-hosted focused. |
docs/deployment.md |
Updates deployment docs and repository references. |
docs/dstack-gateway.md |
Marks guide as self-hosted focused. |
docs/onchain-governance.md |
Marks guide as self-hosted focused. |
docs/quickstart.md |
Adds cloud quickstart guide. |
docs/usage.md |
Clarifies self-hosted usage scope. |
docs/verification.md |
Updates verifier repository link. |
docs/vmm-cli-user-guide.md |
Clarifies self-hosted VMM CLI scope. |
dstack-attest/Cargo.toml |
Adds TPM and NSM attestation dependencies. |
dstack-attest/src/lib.rs |
Extends runtime events into TPM PCR for GCP mode. |
dstack-attest/src/v1.rs |
Makes GCP/Nitro platform evidence carry quote data. |
dstack-attest/tests/nitro_verify.rs |
Adds Nitro attestation verification test. |
dstack-attest/tests/snapshots/nitro_verify__app_info.snap |
Adds Nitro app info snapshot. |
dstack-attest/tests/snapshots/nitro_verify__nitro_report.snap |
Adds Nitro report snapshot. |
dstack-util/Cargo.toml |
Adds TPM attestation/verifier dependencies. |
dstack-util/src/system_setup.rs |
Adds TPM-backed app key generation and provider info. |
gateway/dstack-app/builder/Dockerfile |
Clones repository into deterministic dstack directory. |
guest-agent/Cargo.toml |
Adds TPM attestation dependency. |
kms/dstack-app/builder/Dockerfile |
Updates KMS builder source defaults and clone path. |
kms/dstack-app/deploy-to-vmm.sh |
Updates default deployment repository. |
kms/dstack-app/docker-compose.yaml |
Updates embedded KMS build repository references. |
kms/src/onboard_service.rs |
Handles data-carrying GCP/Nitro evidence variants. |
kms/src/www/onboard.html |
Displays unified serialized attestation output. |
mod-tdx-guest/Kconfig |
Removes old out-of-tree TDX guest module config. |
mod-tdx-guest/Makefile |
Removes old out-of-tree TDX guest module build file. |
mod-tdx-guest/mod.c |
Removes old out-of-tree TDX guest driver. |
mod-tdx-guest/tdcall.S |
Removes old TDX call assembly helper. |
mod-tdx-guest/tdx-guest.h |
Removes old userspace TDX guest interface header. |
mod-tdx-guest/tdx.h |
Removes old shared TDX definitions. |
nsm-attest/Cargo.toml |
Adds AWS NSM attestation crate manifest. |
nsm-attest/src/lib.rs |
Adds NSM device wrapper and attestation helpers. |
nsm-attest/src/types.rs |
Adds NSM attestation document parsing types. |
nsm-attest/tests/attestation_test.rs |
Adds NSM attestation parsing tests. |
nsm-qvl/Cargo.toml |
Adds Nitro verifier crate manifest. |
nsm-qvl/certs/AWS_NitroEnclaves_Root-G1.pem |
Adds AWS Nitro root certificate fixture. |
nsm-qvl/src/collateral.rs |
Adds CRL collateral fetching for Nitro chains. |
nsm-qvl/src/lib.rs |
Adds COSE/attestation document parsing and exports. |
nsm-qvl/src/verify.rs |
Adds Nitro COSE signature and certificate verification. |
nsm-qvl/tests/verify_test.rs |
Adds Nitro verification tests. |
ra-tls/Cargo.toml |
Adds dependencies for expanded attestation support. |
rocket-vsock-listener/src/lib.rs |
Marks vsock bind test ignored in CI. |
tpm-attest/Cargo.toml |
Adds TPM attestation crate manifest. |
tpm-attest/src/esapi.rs |
Adds TPM context wrapper over raw TPM commands. |
tpm-attest/src/gcp_ak.rs |
Adds GCP vTPM AK loading and quote generation. |
tpm-attest/src/lib.rs |
Adds TPM attestation, sealing, PCR, and quote APIs. |
tpm-qvl/Cargo.toml |
Adds TPM verifier crate manifest. |
tpm-qvl/certs/AWS_NitroEnclaves_Root-G1.pem |
Adds AWS root cert copy. |
tpm-qvl/certs/gcp-root-ca.pem |
Adds GCP TPM root CA. |
tpm-qvl/src/collateral.rs |
Adds TPM certificate chain and CRL collateral retrieval. |
tpm-qvl/src/lib.rs |
Adds TPM QVL exports, root CA selection, and status types. |
tpm-types/Cargo.toml |
Adds shared TPM types crate manifest. |
tpm-types/src/lib.rs |
Adds shared TPM quote, PCR, and event types. |
tpm2/Cargo.toml |
Adds pure-Rust TPM2 crate manifest. |
tpm2/src/commands.rs |
Implements high-level TPM command operations. |
tpm2/src/constants.rs |
Adds TPM constants, handles, algorithms, and attributes. |
tpm2/src/device.rs |
Adds TPM device transport and command/response helpers. |
tpm2/src/lib.rs |
Adds TPM2 crate module structure and exports. |
tpm2/src/marshal.rs |
Adds TPM marshalling/unmarshalling utilities. |
tpm2/src/session.rs |
Adds TPM auth/policy session support. |
verifier/Cargo.toml |
Adds TPM/NSM verifier dependencies. |
verifier/builder/Dockerfile |
Clones verifier source into deterministic dstack path. |
verifier/src/verification.rs |
Adds GCP TDX and Nitro OS image hash verification. |
vmm/src/vmm-cli.py |
Adds tpm key-provider CLI option. |
vmm/ui/src/components/CreateVmDialog.ts |
Adds TPM key-provider option to UI. |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
|
|
||
| /// Verify Nitro attestation with custom root CA and custom time (for testing) | ||
| /// | ||
| /// This enforces digest/PCR consistency and a freshness window based on `now`. |
Comment on lines
+7
to
+9
| [](https://github.com/Phala-Network/dstack-cloud/stargazers) | ||
| [](https://github.com/Phala-Network/dstack-cloud/blob/master/LICENSE) | ||
| [](https://api.reuse.software/info/github.com/Phala-Network/dstack-cloud) |
| COPY ./shared/*-pinned-packages.txt /build/ | ||
| ARG DSTACK_REV | ||
| ARG DSTACK_SRC_URL=https://github.com/Dstack-TEE/dstack.git | ||
| ARG DSTACK_SRC_URL=https://github.com/Phala-Network/dstack-cloud.git |
|
|
||
| RUN apk add --no-cache git | ||
| RUN git clone https://github.com/Dstack-TEE/dstack.git && \ | ||
| RUN git clone https://github.com/Phala-Network/dstack-cloud.git && \ |
| --no-install-recommends \ | ||
| && rm -rf /var/lib/apt/lists/* | ||
| RUN git clone https://github.com/Dstack-TEE/dstack.git && \ | ||
| RUN git clone https://github.com/Phala-Network/dstack-cloud.git && \ |
|
|
||
| # The Git repository to deploy | ||
| GIT_REPOSITORY=https://github.com/Dstack-TEE/dstack.git | ||
| GIT_REPOSITORY=https://github.com/Phala-Network/dstack-cloud.git |
Comment on lines
+158
to
+159
| let response = | ||
| reqwest::blocking::get(url).context(format!("failed to download CRL from {url}"))?; |
Comment on lines
+245
to
+246
| let response = reqwest::blocking::get(url) | ||
| .context(format!("failed to download certificate from {url}"))?; |
Comment on lines
+99
to
+100
| let computed_pcr_digest = | ||
| compute_pcr_digest("e.pcr_values).map_err(|e| VerificationError { |
![github-advanced-security[bot]](https://avatars.githubusercontent.com/in/57789?s=60&v=4){kind=small}
- kms/dstack-app builder Dockerfile, docker-compose, deploy-to-vmm.sh: clone Dstack-TEE/dstack instead of the Phala-Network/dstack-cloud fork - README badges/verifier link -> mainline - spdx-check.yml: trim trailing whitespace + final newline - deploy-to-vmm.sh: shellcheck (quote vars, source hint, useless cat)
…CR bank) - nsm-qvl: enforce a freshness window on the attestation document timestamp (reject stale/future-dated docs) in addition to cert-chain validity - tpm-qvl: run blocking collateral/CRL HTTP via tokio spawn_blocking so it doesn't stall/panic the async runtime worker - tpm-qvl: reject non-SHA-256 PCR banks explicitly instead of silently failing with a confusing PCR digest mismatch All nsm/tpm/dstack-attest tests pass.
Comment on lines
+696
to
+702
| let event_28_digest = { | ||
| if pcr0.value != EXPECTED_PCR0 { | ||
| bail!( | ||
| "PCR 0 mismatch: expected GCP OVMF v2, got {}", | ||
| hex::encode(&pcr0.value) | ||
| ); | ||
| } |
Comment on lines
799
to
804
| pub fn mode(&self) -> AttestationMode { | ||
| match self { | ||
| AttestationQuote::DstackTdx { .. } => AttestationMode::DstackTdx, | ||
| AttestationQuote::DstackGcpTdx => AttestationMode::DstackGcpTdx, | ||
| AttestationQuote::DstackNitroEnclave => AttestationMode::DstackNitroEnclave, | ||
| AttestationQuote::DstackGcpTdx { .. } => AttestationMode::DstackGcpTdx, | ||
| AttestationQuote::DstackNitroEnclave { .. } => AttestationMode::DstackNitroEnclave, | ||
| } |
kvinwang
force-pushed
the
merge/cloud-into-mainline
branch
from
c4a4c95 to
ec18d6a
Compare
- move the dstack-cloud CLI from meta-dstack-cloud into scripts/bin and point the quickstart install steps at Dstack-TEE/dstack - exclude the vendored script from the ruff hooks (it follows its own style) - add missing trailing newlines flagged by end-of-file-fixer - regenerate Cargo.lock (tokio added for tpm-qvl spawn_blocking)
- build NitroVerifiedReport from the signature-verified PCRs returned by
nsm_qvl, not a re-parse of the raw COSE document
- route boot_info MR derivation (decode_mr_nitro_nsm) through the verified
PCRs so on-chain authorization no longer depends on an unauthenticated parse
- reject debug-mode nitro enclaves (zeroed PCR0/1/2) at the verifier gate,
matching the TDX path; the prover side still tolerates debug for dev
- add unit tests for NitroPcrs::{from_verified,is_debug,image_hash}
…ckout@v5) Merge origin/master into merge/cloud-into-mainline to clear the PR conflict. Only conflict was .github/workflows/spdx-check.yml: kept the branch's vars.CI_RUNNER runner override and adopted master's actions/checkout@v5 bump. master's emit_runtime_event hardening (EMIT_LOCK) auto-merged cleanly with the cloud TPM PCR-extend path; the lock now covers both TDX and TPM extension.
kvinwang
added a commit
to Dstack-TEE/meta-dstack
that referenced
this pull request
Jun 4, 2026
Point the dstack submodule at the current merge/cloud-into-mainline head (PR Dstack-TEE/dstack#701): GCP TDX + AWS Nitro attestation, verified-PCR hardening, and the vendored dstack-cloud CLI.
kvinwang
added a commit
to Dstack-TEE/meta-dstack
that referenced
this pull request
Jun 4, 2026
Follow-up to #64: advance the dstack submodule from the early cloud-merge commit to the current Dstack-TEE/dstack#701 head (bde0d038) — GCP TDX + AWS Nitro attestation, verified-PCR hardening, vendored dstack-cloud CLI.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Merges the downstream dstack-cloud fork back into mainline, bringing GCP TDX and AWS Nitro Enclave support while restoring the Apache-2.0 license.
What's included
nsm-attest/nsm-qvlcrates (NSM attestation + quote verification, AWS Nitro Enclaves Root G1).tpm-attest/tpm2/tpm-types/tpm-qvlcrates;cc-eventlogTPM event log;dstack-attestgains data-carryingGcpTdx/NitroEnclavePlatformEvidencevariants;dstack-utilvTPM/TPM subcommands.source_urlauto-append/prpc; vmm defaulthost_share_mode = "9p"; GCP/Nitro attestation docs.License
Full git merge of
dstack-cloud/master, then the BUSL-1.1 relicense is reverted back to Apache-2.0 in a single follow-up commit:BUSL-1.1→Apache-2.0LICENSE/REUSE.tomlrestored to Apache-2.0;LICENSES/BUSL-1.1.txtremovedreuse lintis compliant (Apache-2.0, CC0-1.0, MIT only)sdk/andno_std_check/restored (cloud had deleted them); obsolete out-of-treemod-tdx-guest/dropped (replaced by in-tree ConfigFS TSM).Verification
cargo build --workspaceclean;nsm-qvl/nsm-attest/dstack-attest::nitro_verifytests pass. Built into a Yocto image and booted on a TDX host: in-tree TDX quote, KMS/prpconboard, and a docker workload all succeed.