Skip to content

Refactor 703 #728

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Draft
kvinwang wants to merge 67 commits into
base: master
Choose a base branch
from
Draft

Refactor 703 #728

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
67 commits
Select commit Hold shift + click to select a range
77aa2c2
feat: add amd sev-snp attestation support
May 26, 2026
87c78d7
fix: harden sev-snp report data binding
May 26, 2026
0701e63
fix: address sev-snp draft review findings
May 26, 2026
ce4aa6d
feat: add sev-snp verifier core
May 26, 2026
c0b442b
fix: normalize sev-snp cert collateral
May 26, 2026
1adfa2b
fix: add fail-closed sev-snp measurement binding
May 26, 2026
0e9f586
fix: recompute sev-snp launch measurement
May 26, 2026
5755441
fix: add sev-snp boot info helper
May 26, 2026
4b31c97
test: add sev-snp measurement golden vector
May 26, 2026
7dda8ff
fix: add sev-snp auth policy helper
May 26, 2026
6c2d817
fix: bind sev-snp app id into measurement
May 29, 2026
be054d8
fix: connect sev-snp verified attestation to boot info
May 29, 2026
ace8753
fix: parse sev-snp measurement inputs from vm config
May 29, 2026
2b73095
fix: route kms snp attestation through dry-run auth
May 29, 2026
922afd7
fix: report sev-snp onboarding attestation info
May 29, 2026
5b36b4c
fix: use sev-snp boot info for kms self auth
May 29, 2026
a8f0e88
fix: make auth-simple tcb policy explicit
May 29, 2026
058fd29
fix: block sev-snp temp ca release
Jun 1, 2026
73d857b
fix: derive sev-snp tcb policy from report
Jun 1, 2026
52d3fac
chore: satisfy sev-snp workspace clippy
Jun 1, 2026
0077ec9
docs: add sev-snp review readiness note
Jun 2, 2026
3792eb1
feat: enable guarded sev-snp key release
Jun 2, 2026
027077b
fix: bind sev-snp vm launch inputs
Jun 3, 2026
cfe476b
fix: complete sev-snp key release smoke path
Jun 3, 2026
40396b7
fix: satisfy ci lint checks
Jun 3, 2026
5cb4566
fix: satisfy prek shellcheck
Jun 3, 2026
409c4c5
test: add sev-snp e2e smoke script
Jun 3, 2026
2aa70e8
test: harden sev-snp smoke script
Jun 4, 2026
fc22673
docs: document sev-snp smoke host matrix
Jun 4, 2026
0303256
docs: clarify sev-snp smoke image requirements
Jun 4, 2026
1850e37
docs: clarify sev-snp fresh-box smoke
Jun 4, 2026
2e88b58
docs: record sev-snp smoke gate boundary
Jun 4, 2026
ac5fbf5
fix: complete sev-snp smoke proxy path
Jun 5, 2026
1660d98
docs: clarify sev-snp proxy smoke state
Jun 5, 2026
e00bdd4
Remove fallback DNS override in prepare script
kvinwang Jun 15, 2026
91267dc
Remove AMD KDS proxy from CVM boot path
kvinwang Jun 15, 2026
57d0f02
Keep SEV-SNP attestation variants last
kvinwang Jun 15, 2026
93d07ea
Use imported AMD SNP report type
kvinwang Jun 15, 2026
6361168
Split SEV-SNP attestation crates
kvinwang Jun 15, 2026
8bbade4
Bind SNP app config via HOST_DATA
kvinwang Jun 15, 2026
3f71e7d
Select SEV-SNP KDS product from report
kvinwang Jun 16, 2026
c5d4910
Use self-contained SNP measurement input
kvinwang Jun 16, 2026
48fa211
Detect SEV-SNP C-bit position from CPUID
kvinwang Jun 16, 2026
02865d0
Detect SEV-SNP launch params from QEMU
kvinwang Jun 16, 2026
74dbd0c
vmm: select SEV firmware (bios-sev) for AMD SEV-SNP guests
kvinwang Jun 17, 2026
b3b8390
vmm: auto-detect host TEE platform from /proc/cpuinfo
kvinwang Jun 17, 2026
59a33fd
kms: make SEV-SNP os_image_hash independent of per-deployment params
kvinwang Jun 17, 2026
1d907c4
vmm/kms: shared SevOsImageMeasurement + sev-os-image-hash tool
kvinwang Jun 17, 2026
9830dce
dstack-types: return [u8; 32] from SevOsImageMeasurement::os_image_hash
kvinwang Jun 17, 2026
4b412d3
fix rust-checks CI: drop expect_used, satisfy clippy gates
kvinwang Jun 17, 2026
9d808d7
kms: fix SNP tests for image-invariant os_image_hash
kvinwang Jun 17, 2026
2553ab9
dstack-types: single source of truth for host-shared dir & mr_config
kvinwang Jun 18, 2026
8413966
guest: read SEV mr_config from the real host-shared copy dir
kvinwang Jun 18, 2026
e0f1fe4
vmm: use launch-measurement os_image_hash for SEV-SNP
kvinwang Jun 18, 2026
b085a52
dstack-util: report real mr_system/mr_aggregated for SEV in show-mrs
kvinwang Jun 18, 2026
3642d08
kms: drop SNP key-release self-authorization config gate
kvinwang Jun 18, 2026
ae5f561
dstack-attest: offline SEV-SNP attestation verification test
kvinwang Jun 18, 2026
2e3aca5
dstack-mr: add shared AMD SEV-SNP launch-measurement module
kvinwang Jun 18, 2026
81379af
kms: source SEV-SNP measurement from dstack-mr::sev
kvinwang Jun 18, 2026
678bb8a
verifier: verify AMD SEV-SNP os_image_hash
kvinwang Jun 18, 2026
59b7220
guest, dstack-util: platform-adaptive quote (incl. AMD SEV-SNP)
kvinwang Jun 18, 2026
b2dc95a
dstack-attest: offline end-to-end SEV-SNP os_image_hash test
kvinwang Jun 18, 2026
d80daeb
reuse: license SEV-SNP test fixtures (CC0-1.0)
kvinwang Jun 18, 2026
719370a
test: AMD SEV-SNP forged-quote / tampered-input coverage
kvinwang Jun 18, 2026
776f2ab
dstack-mr: own SEV os_image_hash CLI; vmm reads digest.sev.txt
kvinwang Jun 18, 2026
a9f4b36
vmm: reuse dstack-mr OVMF measurement for sev_snp_measurement
kvinwang Jun 18, 2026
52f277f
vmm: drop TeePlatform::Auto, model auto as Option<TeePlatform>
kvinwang Jun 18, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
175 changes: 171 additions & 4 deletions Cargo.lock
View file
Open in desktop

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

6 changes: 6 additions & 0 deletions Cargo.toml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -20,10 +20,12 @@ members = [
"ra-tls",
"tdx-attest",
"tpm-attest",
"sev-snp-attest",
"nsm-attest",
"tpm2",
"tpm-types",
"tpm-qvl",
"sev-snp-qvl",
"nsm-qvl",
"dstack-attest",
"dstack-util",
Expand Down Expand Up @@ -78,11 +80,13 @@ supervisor = { path = "supervisor" }
supervisor-client = { path = "supervisor/client" }
tdx-attest = { path = "tdx-attest" }
tpm-attest = { path = "tpm-attest" }
sev-snp-attest = { path = "sev-snp-attest" }
nsm-attest = { path = "nsm-attest" }
tpm2 = { path = "tpm2" }
tpm-types = { path = "tpm-types" }
dstack-attest = { path = "dstack-attest" }
tpm-qvl = { path = "tpm-qvl" }
sev-snp-qvl = { path = "sev-snp-qvl" }
nsm-qvl = { path = "nsm-qvl" }
certbot = { path = "certbot" }
rocket-vsock-listener = { path = "rocket-vsock-listener" }
Expand Down Expand Up @@ -135,11 +139,13 @@ hex_fmt = "0.3.0"
hex-literal = "1.0.0"
prost = "0.13.5"
prost-types = "0.13.5"
sev = { version = "=6.0.0", default-features = false, features = ["snp", "crypto_nossl"] }
scale = { version = "3.7.4", package = "parity-scale-codec", features = [
"derive",
] }
serde = { version = "1.0.228", features = ["derive"], default-features = false }
serde-human-bytes = "0.1.2"
serde_jcs = "0.2.0"
rmp-serde = "1.3.1"
serde_json = { version = "1.0.140", default-features = false }
serde_ini = "0.2.0"
Expand Down
3 changes: 3 additions & 0 deletions REUSE.toml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -81,6 +81,9 @@ path = [
"tpm-qvl/certs/gcp-root-ca.pem",
"dstack-attest/tests/nitro_attestation.bin",
"dstack-attest/tests/nitro_attestation_dbg.bin",
"dstack-attest/tests/sev_snp_attestation.bin",
"dstack-attest/tests/sev_snp_ask.pem",
"dstack-attest/tests/sev_snp_vcek.pem",
"nsm-attest/tests/nitro_attestation.bin",
"nsm-qvl/tests/nitro_attestation.bin",
"nsm-qvl/certs/AWS_NitroEnclaves_Root-G1.pem",
Expand Down
Loading
Loading