Skip to content

Tracking: AWS EC2 NitroTPM attestation platform support #758

Description

@h4x3rotab

Tracks the two PRs that add the AWS EC2 NitroTPM attestation platform to dstack (account-admin-untrusted threat model).

PRs

Status

Both are rebased onto their latest base and MERGEABLE. On #753 every functional CI job is green (rust-checks, sdk-tests, kms, verifier, gateway, prek, reuse-lint); meta#79 CI is green.

Design notes for reviewers

  • Integrates like AMD SEV-SNP, not with bespoke surface. A verified NitroTPM attestation has no TDX/SNP-style TCB surface, so it is normalized to tcbStatus = "UpToDate" and passes the unchanged on-chain contract — no AWS-specific on-chain field.
  • AWS key release is opt-in: aws_nitro_tpm_key_release = false by default in kms.toml, mirroring sev_snp_key_release (fail-closed for the new, weaker mode).
  • App is trusted post-launch, exactly as on TDX/SNP — no compose-security filter or device sandbox; integrity rests on measurement + non-resettable PCR14. Rationale in docs/aws-attested-instance-security-evaluation.md.
  • GetPlatform was folded into AppInfo.attestation rather than adding a new endpoint.

Before merge

Follow-ups (post-merge, optional)

  • Share the X25519+AES-GCM envelope (encrypt_for_x25519_recipient in KMS + dh_decrypt in the guest) via a small lib crate — deferred because dstack-util is a binary crate.
  • Confirm whether the tpm2-tss build dep in meta#79 is actually needed (the guest drives the TPM via the in-tree tpm2 crate over /dev/tpmrm0).

Metadata

Metadata

Assignees

No one assigned

    Labels

    enhancementNew feature or request

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions