Skip to content

feat: add lite OS image verification mode for TDX#742

Merged
kvinwang merged 25 commits into
masterfrom
feat/tdx-measurement-attestation
Jun 30, 2026
Merged

feat: add lite OS image verification mode for TDX#742
kvinwang merged 25 commits into
masterfrom
feat/tdx-measurement-attestation

Conversation

@kvinwang

@kvinwang kvinwang commented Jun 26, 2026

Copy link
Copy Markdown
Collaborator

Summary

Adds a lightweight OS-image verification path for dstack TDX and AMD SEV-SNP while preserving the existing legacy TDX verifier behavior.

TDX lite verification

  • Keep the existing DstackTdx quote/attestation mode; select the verifier path from vm_config.tdx_attestation_variant (legacy vs lite).
  • Add vm_config.tdx_measurement, carrying:
    • the image sha256sum.txt bytes (checksum_file), and
    • the raw measurement.tdx.cbor bytes (measurement).
  • Verify TDX lite without downloading the image and without running QEMU-derived ACPI table generation:
    • verify os_image_hash = sha256(sha256sum.txt);
    • verify the measurement.tdx.cbor entry in sha256sum.txt matches the supplied CBOR bytes;
    • replay MRTD/RTMR0/RTMR1/RTMR2 from vm_config, measurement.tdx.cbor, and the three named RTMR0 ACPI DATA digests from the quote-bound event log;
    • compare the result with the hardware-signed TDX quote.
  • Preserve the legacy TDX path unchanged for legacy: download/cache the image, verify the image checksum manifest, recompute full expected measurements, and compare against the quote.
  • Keep TDX lite constrained to memory sizes where the precomputed QEMU-patched kernel Authenticode digest is valid: exactly 2 GiB or >= 0xB0000000 bytes.

Unified image identity and measurement material

  • Unify the public OS image identity as digest.txt = sha256(sha256sum.txt).
  • Treat measurement.tdx.cbor and measurement.snp.cbor as normal entries committed by sha256sum.txt, instead of introducing separate top-level image hashes.
  • Encode measurement material in vm_config as JSON fields with base64 byte strings (checksum_file, measurement) so JSON stays compatible while avoiding hex bloat.
  • Add dstack-mr support for generating and inspecting split TDX/SNP measurement CBOR materials.

AMD SEV-SNP measurement binding

  • Add the SNP no-image-download material path using measurement.snp.cbor plus sha256sum.txt.
  • Recompute the SNP launch MEASUREMENT from the self-contained launch inputs and require it to match the hardware-verified report.
  • Verify HOST_DATA binds the mr_config document used for app identity, compose hash, instance id, and key-provider identity.
  • Share the SNP launch/image binding code between KMS and dstack-verifier so both paths derive the same os_image_hash and boot identity.

VMM / attestation plumbing

  • Let the VMM load split measurement material from image directories and embed the relevant TDX/SNP material into vm_config.
  • Auto-select TDX lite when configured and supported by the image; fail closed if requested material is missing.
  • Label the three TDX lite ACPI events (acpi-loader, acpi-rsdp, acpi-tables) so verification does not depend on event order.
  • Keep TDX GetQuote responses compact by not returning the full attestation payload there.
  • Keep attestation verification inputs disjoint: when an embedded attestation is supplied, top-level quote, event_log, and vm_config are ignored to avoid mixed trusted/untrusted inputs.

Documentation and fixtures

  • Add TDX lite and SEV-SNP verifier fixtures and READMEs.
  • Document why TDX lite does not byte-compare ACPI table contents and how os_image_hash becomes trusted only after quote/measurement binding.

Security notes

  • vm_config, sha256sum.txt, and measurement.*.cbor are treated as untrusted until their hashes and recomputed measurements are bound to the hardware quote/report.
  • The verifier checks the hash of the supplied measurement.*.cbor against the corresponding sha256sum.txt entry before using it.
  • TDX lite uses only the ACPI event digests needed to reproduce RTMR0. It intentionally does not trust ACPI/AML as guest code; dstack kernels include the BadAML sandbox patch that prevents AML from accessing encrypted/private guest RAM.

Validation

  • cargo fmt --check --all
  • cargo clippy -p sev-snp-qvl -p dstack-attest -p dstack-verifier -- -D warnings -D clippy::expect_used -D clippy::unwrap_used --allow unused_variables
  • cargo test -p dstack-types
  • cargo test -p dstack-mr
  • cargo test -p dstack-attest --test sev_snp_verify
  • cargo test -p dstack-verifier
  • Verified TDX lite and SEV-SNP fixture paths without image download.

Copilot AI review requested due to automatic review settings June 26, 2026 01:08

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Copilot was unable to review this pull request because the user who requested the review has reached their quota limit.

@kvinwang kvinwang force-pushed the feat/tdx-measurement-attestation branch from 17569c2 to 06b5b0c Compare June 26, 2026 02:02
@kvinwang kvinwang changed the title feat: add TDX measurement attestation variant feat: add TDX measurement verification mode Jun 26, 2026
@kvinwang kvinwang force-pushed the feat/tdx-measurement-attestation branch 6 times, most recently from 6f8bb74 to 521ce24 Compare June 26, 2026 04:08
@kvinwang kvinwang changed the title feat: add TDX measurement verification mode feat: add TDX qemu-free verification mode Jun 26, 2026
@kvinwang kvinwang force-pushed the feat/tdx-measurement-attestation branch 3 times, most recently from 4402211 to 8f47481 Compare June 26, 2026 05:57
@kvinwang kvinwang force-pushed the feat/tdx-measurement-attestation branch from 8f47481 to 05bc741 Compare June 29, 2026 02:29
@kvinwang kvinwang force-pushed the feat/tdx-measurement-attestation branch from ab70662 to c6ff79c Compare June 30, 2026 03:42
@kvinwang kvinwang force-pushed the feat/tdx-measurement-attestation branch from c6ff79c to 2a30f8e Compare June 30, 2026 03:52
@kvinwang kvinwang force-pushed the feat/tdx-measurement-attestation branch from a1f588a to 4885b99 Compare June 30, 2026 14:24
@kvinwang kvinwang force-pushed the feat/tdx-measurement-attestation branch from 4885b99 to 6b9344b Compare June 30, 2026 14:39
@kvinwang kvinwang changed the title feat: add TDX qemu-free verification mode feat: add lite OS image verification for TDX and SNP Jun 30, 2026
@kvinwang kvinwang requested a review from Copilot June 30, 2026 15:33

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Copilot was unable to review this pull request because the user who requested the review has reached their quota limit.

…t-attestation

# Conflicts:
#	dstack-attest/src/attestation.rs
#	verifier/src/verification.rs
@kvinwang kvinwang enabled auto-merge June 30, 2026 15:55
@kvinwang kvinwang changed the title feat: add lite OS image verification for TDX and SNP feat: add lite OS image verification mode for TDX Jun 30, 2026
@kvinwang kvinwang merged commit 4380a54 into master Jun 30, 2026
15 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants