Skip to content

[codex] Add AWS NitroTPM attestation platform support#753

Draft
h4x3rotab wants to merge 1 commit into
masterfrom
aws-attestation-platform-spec
Draft

[codex] Add AWS NitroTPM attestation platform support#753
h4x3rotab wants to merge 1 commit into
masterfrom
aws-attestation-platform-spec

Conversation

@h4x3rotab

Copy link
Copy Markdown
Contributor

Summary

Adds the AWS EC2 NitroTPM platform path for dstack under the account-admin-untrusted threat model.

This includes:

  • AWS NitroTPM attestation parsing, verification, PCR replay, and platform-specific API output.
  • AWS-aware KMS/key-release checks, including measured config/app binding and attested recipient-key handling without relying on AWS KMS.
  • PCR14 launch measurement design and PCR23 runtime/app measurement support.
  • freshness/replay policy checks and endpoint identity verification support.
  • auth-simple and auth-eth policy handling for AWS attestation modes.
  • production verifier docs, reproducibility manifests, AMI promotion helpers, EC2 live-smoke helpers, and committed AWS evidence.

Final live evidence records an Attestable AMI smoke test:

  • AMI: ami-015b720d2e3e9dd9c
  • root snapshot: snap-022c271b9790aebf3
  • shared snapshot: snap-0efa19b7528e14142
  • live smoke instance: i-00ad5b777c394914d
  • result: passed

Validation

  • cargo test -p dstack-attest aws_nitro_tpm
  • cargo test -p dstack-kms aws_nitro_tpm
  • cargo test -p dstack-verifier aws
  • RA-TLS endpoint identity tests
  • npm run test:run and npm run lint in kms/auth-simple
  • forge test --ffi and Jest tests for kms/auth-eth
  • bash -n and shellcheck for AWS helper scripts
  • JSON manifest validation with jq
  • committed console SHA256 check
  • live EC2 smoke test against the promoted Attestable AMI

Notes

The AWS live-smoke path uses NitroTPM as the measurement/attestation provider and local key provider. It does not use AWS KMS.

salt_public_key: &RsaPublicKey,
) -> Result<Self> {
let mut nonce_caller = [0u8; NONCE_SIZE];
let mut salt = [0u8; SALT_SIZE];
@h4x3rotab h4x3rotab force-pushed the aws-attestation-platform-spec branch 5 times, most recently from 500705a to d6fb1cd Compare July 8, 2026 02:29
Adds the AWS EC2 NitroTPM platform path for dstack under the
account-admin-untrusted threat model, integrated the same way AMD SEV-SNP is
rather than with AWS-specific contract/auth/systemd surface.

- NitroTPM attestation-document parsing, verification against the AWS Nitro
  PKI, PCR replay, PCR14 launch measurement and PCR23 runtime measurement, and
  platform-specific verifier/API output.
- Reuses the on-chain authorization contract unchanged: a verified NitroTPM
  attestation has no TDX/SNP-style TCB surface, so the KMS and verifier
  normalize it to tcbStatus="UpToDate" (the same way SEV-SNP normalizes its own
  status) and it passes the standard gate. No AWS-specific on-chain fields.
- Optional allowed_attestation_modes kms.toml allowlist for SNP-style
  per-platform operator control (empty allows every verified mode).
- Attested recipient-key handling for app-key release without relying on AWS
  KMS; freshness/replay policy checks and RA-TLS endpoint identity verification.
- auth-simple and auth-eth policy support, production verifier runbook,
  reproducibility manifests, AMI promotion + EC2 live-smoke helpers, and
  committed AWS live-smoke evidence.
- App trust model matches TDX/SEV-SNP: app code (init_script, pre_launch_script,
  docker-compose) is measured into the on-chain-whitelisted identity and
  replayed into non-resettable PCR14, so no compose filter or device sandbox is
  used.

Rebased onto master (squashed); integrates with the tdx-measurement-attestation
changes in #742.

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants