feat: add lite OS image verification mode for TDX

[kvinwang]

Summary

Adds a lightweight OS-image verification path for dstack TDX and AMD SEV-SNP while preserving the existing legacy TDX verifier behavior.

TDX lite verification

• Keep the existing DstackTdx quote/attestation mode; select the verifier path from vm_config.tdx_attestation_variant (legacy vs lite).
• Add vm_config.tdx_measurement, carrying:
  • the image sha256sum.txt bytes (checksum_file), and
  • the raw measurement.tdx.cbor bytes (measurement).
• Verify TDX lite without downloading the image and without running QEMU-derived ACPI table generation:
  • verify os_image_hash = sha256(sha256sum.txt);
  • verify the measurement.tdx.cbor entry in sha256sum.txt matches the supplied CBOR bytes;
  • replay MRTD/RTMR0/RTMR1/RTMR2 from vm_config, measurement.tdx.cbor, and the three named RTMR0 ACPI DATA digests from the quote-bound event log;
  • compare the result with the hardware-signed TDX quote.
• Preserve the legacy TDX path unchanged for legacy: download/cache the image, verify the image checksum manifest, recompute full expected measurements, and compare against the quote.
• Keep TDX lite constrained to memory sizes where the precomputed QEMU-patched kernel Authenticode digest is valid: exactly 2 GiB or >= 0xB0000000 bytes.

Unified image identity and measurement material

• Unify the public OS image identity as digest.txt = sha256(sha256sum.txt).
• Treat measurement.tdx.cbor and measurement.snp.cbor as normal entries committed by sha256sum.txt, instead of introducing separate top-level image hashes.
• Encode measurement material in vm_config as JSON fields with base64 byte strings (checksum_file, measurement) so JSON stays compatible while avoiding hex bloat.
• Add dstack-mr support for generating and inspecting split TDX/SNP measurement CBOR materials.

AMD SEV-SNP measurement binding

• Add the SNP no-image-download material path using measurement.snp.cbor plus sha256sum.txt.
• Recompute the SNP launch MEASUREMENT from the self-contained launch inputs and require it to match the hardware-verified report.
• Verify HOST_DATA binds the mr_config document used for app identity, compose hash, instance id, and key-provider identity.
• Share the SNP launch/image binding code between KMS and dstack-verifier so both paths derive the same os_image_hash and boot identity.

VMM / attestation plumbing

• Let the VMM load split measurement material from image directories and embed the relevant TDX/SNP material into vm_config.
• Auto-select TDX lite when configured and supported by the image; fail closed if requested material is missing.
• Label the three TDX lite ACPI events (acpi-loader, acpi-rsdp, acpi-tables) so verification does not depend on event order.
• Keep TDX GetQuote responses compact by not returning the full attestation payload there.
• Keep attestation verification inputs disjoint: when an embedded attestation is supplied, top-level quote, event_log, and vm_config are ignored to avoid mixed trusted/untrusted inputs.

Documentation and fixtures

• Add TDX lite and SEV-SNP verifier fixtures and READMEs.
• Document why TDX lite does not byte-compare ACPI table contents and how os_image_hash becomes trusted only after quote/measurement binding.

Security notes

• vm_config, sha256sum.txt, and measurement.*.cbor are treated as untrusted until their hashes and recomputed measurements are bound to the hardware quote/report.
• The verifier checks the hash of the supplied measurement.*.cbor against the corresponding sha256sum.txt entry before using it.
• TDX lite uses only the ACPI event digests needed to reproduce RTMR0. It intentionally does not trust ACPI/AML as guest code; dstack kernels include the BadAML sandbox patch that prevents AML from accessing encrypted/private guest RAM.

Validation

• cargo fmt --check --all
• cargo clippy -p sev-snp-qvl -p dstack-attest -p dstack-verifier -- -D warnings -D clippy::expect_used -D clippy::unwrap_used --allow unused_variables
• cargo test -p dstack-types
• cargo test -p dstack-mr
• cargo test -p dstack-attest --test sev_snp_verify
• cargo test -p dstack-verifier
• Verified TDX lite and SEV-SNP fixture paths without image download.

[Copilot]

Copilot was unable to review this pull request because the user who requested the review has reached their quota limit.

[Copilot]

Copilot was unable to review this pull request because the user who requested the review has reached their quota limit.