Tracks the two PRs that add the AWS EC2 NitroTPM attestation platform to dstack (account-admin-untrusted threat model).
PRs
Status
Both are rebased onto their latest base and MERGEABLE. On #753 every functional CI job is green (rust-checks, sdk-tests, kms, verifier, gateway, prek, reuse-lint); meta#79 CI is green.
Design notes for reviewers
- Integrates like AMD SEV-SNP, not with bespoke surface. A verified NitroTPM attestation has no TDX/SNP-style TCB surface, so it is normalized to
tcbStatus = "UpToDate" and passes the unchanged on-chain contract — no AWS-specific on-chain field.
- AWS key release is opt-in:
aws_nitro_tpm_key_release = false by default in kms.toml, mirroring sev_snp_key_release (fail-closed for the new, weaker mode).
- App is trusted post-launch, exactly as on TDX/SNP — no compose-security filter or device sandbox; integrity rests on measurement + non-resettable PCR14. Rationale in
docs/aws-attested-instance-security-evaluation.md.
GetPlatform was folded into AppInfo.attestation rather than adding a new endpoint.
Before merge
Follow-ups (post-merge, optional)
- Share the X25519+AES-GCM envelope (
encrypt_for_x25519_recipient in KMS + dh_decrypt in the guest) via a small lib crate — deferred because dstack-util is a binary crate.
- Confirm whether the
tpm2-tss build dep in meta#79 is actually needed (the guest drives the TPM via the in-tree tpm2 crate over /dev/tpmrm0).
Tracks the two PRs that add the AWS EC2 NitroTPM attestation platform to dstack (account-admin-untrusted threat model).
PRs
auth-simple/auth-ethsupport, and SDK updates. Basemaster, one squashed commit (504e3420).dstack-awskernel fragment (NVMe/ENA root, EFI/GPT, serial console, TPM CRB) and thetpm2-tssguest build dep. Basemain(a1aa04e). Depends on Add AWS EC2 NitroTPM attestation and guest OS support #753.Status
Both are rebased onto their latest base and MERGEABLE. On #753 every functional CI job is green (rust-checks, sdk-tests, kms, verifier, gateway, prek, reuse-lint); meta#79 CI is green.
Design notes for reviewers
tcbStatus = "UpToDate"and passes the unchanged on-chain contract — no AWS-specific on-chain field.aws_nitro_tpm_key_release = falseby default inkms.toml, mirroringsev_snp_key_release(fail-closed for the new, weaker mode).docs/aws-attested-instance-security-evaluation.md.GetPlatformwas folded intoAppInfo.attestationrather than adding a new endpoint.Before merge
sodiumbox/src/lib.rs:62"hard-coded cryptographic value" is the HSalsa20 zero nonce, i.e. the correct NaClcrypto_boxconstruction (false positive); the rest are pre-existing inra-rpc,http-client, andsdk/go/ratls.Follow-ups (post-merge, optional)
encrypt_for_x25519_recipientin KMS +dh_decryptin the guest) via a small lib crate — deferred becausedstack-utilis a binary crate.tpm2-tssbuild dep in meta#79 is actually needed (the guest drives the TPM via the in-treetpm2crate over/dev/tpmrm0).