Merge pull request #341 from Dstack-TEE/verifier

Add rust implementation of dstack-verifier

Author: kvinwang

.github/workflows/verifier-release.yml

@@ -0,0 +1,80 @@
+# SPDX-FileCopyrightText: © 2025 Phala Network <[email protected]>
+#
+# SPDX-License-Identifier: Apache-2.0
+
+name: Verifier Release
+
+on:
+  workflow_dispatch:
+  push:
+    tags:
+      - 'verifier-v*'
+permissions:
+  attestations: write
+  id-token: write
+  contents: write
+  packages: write
+
+jobs:
+  build-and-release:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v4
+
+      - name: Parse version from tag
+        run: |
+          VERSION=${GITHUB_REF#refs/tags/verifier-v}
+          echo "VERSION=$VERSION" >> $GITHUB_ENV
+          echo "Parsed version: $VERSION"
+
+      - name: Log in to Docker Hub
+        uses: docker/login-action@v3
+        with:
+          username: ${{ vars.DOCKERHUB_USERNAME }}
+          password: ${{ secrets.DOCKERHUB_TOKEN }}
+
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
+
+      - name: Get Git commit timestamps
+        run: |
+          echo "TIMESTAMP=$(git log -1 --pretty=%ct)" >> $GITHUB_ENV
+          echo "GIT_REV=$(git rev-parse HEAD)" >> $GITHUB_ENV
+
+      - name: Build and push Docker image
+        id: build-and-push
+        uses: docker/build-push-action@v5
+        env:
+          SOURCE_DATE_EPOCH: ${{ env.TIMESTAMP }}
+        with:
+          context: verifier
+          file: verifier/builder/Dockerfile
+          push: true
+          tags: ${{ vars.DOCKERHUB_USERNAME }}/dstack-verifier:${{ env.VERSION }}
+          platforms: linux/amd64
+          provenance: false
+          build-args: |
+            DSTACK_REV=${{ env.GIT_REV }}
+            DSTACK_SRC_URL=${{ github.server_url }}/${{ github.repository }}.git
+            SOURCE_DATE_EPOCH=${{ env.TIMESTAMP }}
+
+      - name: Generate artifact attestation
+        uses: actions/attest-build-provenance@v1
+        with:
+          subject-name: "docker.io/${{ vars.DOCKERHUB_USERNAME }}/dstack-verifier"
+          subject-digest: ${{ steps.build-and-push.outputs.digest }}
+          push-to-registry: true
+
+      - name: GitHub Release
+        uses: softprops/action-gh-release@v1
+        with:
+          name: "Verifier Release v${{ env.VERSION }}"
+          body: |
+            ## Docker Image Information
+
+            **Image**: `docker.io/${{ vars.DOCKERHUB_USERNAME }}/dstack-verifier:${{ env.VERSION }}`
+
+            **Digest (SHA256)**: `${{ steps.build-and-push.outputs.digest }}`
+
+            **Verification**: [Verify on Sigstore](https://search.sigstore.dev/?hash=${{ steps.build-and-push.outputs.digest }})

Cargo.lock

@@ -49,6 +49,7 @@ members = [
     "serde-duration",
     "dstack-mr",
     "dstack-mr/cli",
+    "verifier",
     "no_std_check",
 ]
 resolver = "2"

Cargo.toml

@@ -162,3 +162,13 @@ SPDX-License-Identifier = "CC0-1.0"
 path = "dstack-util/tests/fixtures/*"
 SPDX-FileCopyrightText = "NONE"
 SPDX-License-Identifier = "CC0-1.0"
+
+[[annotations]]
+path = "verifier/fixtures/*"
+SPDX-FileCopyrightText = "NONE"
+SPDX-License-Identifier = "CC0-1.0"
+
+[[annotations]]
+path = "verifier/builder/shared/*.txt"
+SPDX-FileCopyrightText = "NONE"
+SPDX-License-Identifier = "CC0-1.0"

REUSE.toml

@@ -13,6 +13,7 @@ use crate::Machine;
 const LDR_LENGTH: usize = 4096;
 const FIXED_STRING_LEN: usize = 56;
 
+#[derive(Debug, Clone)]
 pub struct Tables {
     pub tables: Vec<u8>,
     pub rsdp: Vec<u8>,

dstack-mr/src/acpi.rs

@@ -2,7 +2,7 @@
 //
 // SPDX-License-Identifier: Apache-2.0
 
-use crate::{measure_log, measure_sha384, num::read_le, utf16_encode, util::debug_print_log};
+use crate::{measure_sha384, num::read_le, utf16_encode};
 use anyhow::{bail, Context, Result};
 use object::pe;
 use sha2::{Digest, Sha384};
@@ -201,24 +201,22 @@ fn patch_kernel(
 }
 
 /// Measures a QEMU-patched TDX kernel image.
-pub(crate) fn measure_kernel(
+pub(crate) fn rtmr1_log(
     kernel_data: &[u8],
     initrd_size: u32,
     mem_size: u64,
     acpi_data_size: u32,
-) -> Result<Vec<u8>> {
+) -> Result<Vec<Vec<u8>>> {
     let kd = patch_kernel(kernel_data, initrd_size, mem_size, acpi_data_size)
         .context("Failed to patch kernel")?;
     let kernel_hash = authenticode_sha384_hash(&kd).context("Failed to compute kernel hash")?;
-    let rtmr1_log = vec![
+    Ok(vec![
         kernel_hash,
         measure_sha384(b"Calling EFI Application from Boot Option"),
         measure_sha384(&[0x00, 0x00, 0x00, 0x00]), // Separator
         measure_sha384(b"Exit Boot Services Invocation"),
         measure_sha384(b"Exit Boot Services Returned with Success"),
-    ];
-    debug_print_log("RTMR1", &rtmr1_log);
-    Ok(measure_log(&rtmr1_log))
+    ])
 }
 
 /// Measures the kernel command line by converting to UTF-16LE and hashing.

dstack-mr/src/kernel.rs

@@ -5,10 +5,13 @@
 use serde::{Deserialize, Serialize};
 use serde_human_bytes as hex_bytes;
 
-pub use machine::Machine;
+pub use machine::{Machine, TdxMeasurementDetails};
 
 use util::{measure_log, measure_sha384, utf16_encode};
 
+pub type RtmrLog = Vec<Vec<u8>>;
+pub type RtmrLogs = [RtmrLog; 3];
+
 mod acpi;
 mod kernel;
 mod machine;

dstack-mr/src/lib.rs

@@ -2,9 +2,10 @@
 //
 // SPDX-License-Identifier: Apache-2.0
 
+use crate::acpi::Tables;
 use crate::tdvf::Tdvf;
 use crate::util::debug_print_log;
-use crate::{kernel, TdxMeasurements};
+use crate::{kernel, RtmrLogs, TdxMeasurements};
 use crate::{measure_log, measure_sha384};
 use anyhow::{bail, Context, Result};
 use fs_err as fs;
@@ -78,21 +79,41 @@ pub struct VersionedOptions {
     pub two_pass_add_pages: bool,
 }
 
+#[derive(Debug, Clone)]
+pub struct TdxMeasurementDetails {
+    pub measurements: TdxMeasurements,
+    pub rtmr_logs: RtmrLogs,
+    pub acpi_tables: Tables,
+}
+
 impl Machine<'_> {
     pub fn measure(&self) -> Result<TdxMeasurements> {
+        self.measure_with_logs().map(|details| details.measurements)
+    }
+
+    pub fn measure_with_logs(&self) -> Result<TdxMeasurementDetails> {
         debug!("measuring machine: {self:#?}");
         let fw_data = fs::read(self.firmware)?;
         let kernel_data = fs::read(self.kernel)?;
         let initrd_data = fs::read(self.initrd)?;
         let tdvf = Tdvf::parse(&fw_data).context("Failed to parse TDVF metadata")?;
+
         let mrtd = tdvf.mrtd(self).context("Failed to compute MR TD")?;
-        let rtmr0 = tdvf.rtmr0(self).context("Failed to compute RTMR0")?;
-        let rtmr1 = kernel::measure_kernel(
+
+        let (rtmr0_log, acpi_tables) = tdvf
+            .rtmr0_log(self)
+            .context("Failed to compute RTMR0 log")?;
+        debug_print_log("RTMR0", &rtmr0_log);
+        let rtmr0 = measure_log(&rtmr0_log);
+
+        let rtmr1_log = kernel::rtmr1_log(
             &kernel_data,
             initrd_data.len() as u32,
             self.memory_size,
             0x28000,
         )?;
+        debug_print_log("RTMR1", &rtmr1_log);
+        let rtmr1 = measure_log(&rtmr1_log);
 
         let rtmr2_log = vec![
             kernel::measure_cmdline(self.kernel_cmdline),
@@ -101,11 +122,15 @@ impl Machine<'_> {
         debug_print_log("RTMR2", &rtmr2_log);
         let rtmr2 = measure_log(&rtmr2_log);
 
-        Ok(TdxMeasurements {
-            mrtd,
-            rtmr0,
-            rtmr1,
-            rtmr2,
+        Ok(TdxMeasurementDetails {
+            measurements: TdxMeasurements {
+                mrtd,
+                rtmr0,
+                rtmr1,
+                rtmr2,
+            },
+            rtmr_logs: [rtmr0_log, rtmr1_log, rtmr2_log],
+            acpi_tables,
         })
     }
 }

dstack-mr/src/machine.rs

@@ -6,9 +6,9 @@ use anyhow::{anyhow, bail, Context, Result};
 use hex_literal::hex;
 use sha2::{Digest, Sha384};
 
+use crate::acpi::Tables;
 use crate::num::read_le;
-use crate::util::debug_print_log;
-use crate::{measure_log, measure_sha384, utf16_encode, Machine};
+use crate::{measure_log, measure_sha384, utf16_encode, Machine, RtmrLog};
 
 const PAGE_SIZE: u64 = 0x1000;
 const MR_EXTEND_GRANULARITY: usize = 0x100;
@@ -233,7 +233,13 @@ impl<'a> Tdvf<'a> {
         })
     }
 
+    #[allow(dead_code)]
     pub fn rtmr0(&self, machine: &Machine) -> Result<Vec<u8>> {
+        let (rtmr0_log, _) = self.rtmr0_log(machine)?;
+        Ok(measure_log(&rtmr0_log))
+    }
+
+    pub fn rtmr0_log(&self, machine: &Machine) -> Result<(RtmrLog, Tables)> {
         let td_hob_hash = self.measure_td_hob(machine.memory_size)?;
         let cfv_image_hash = hex!("344BC51C980BA621AAA00DA3ED7436F7D6E549197DFE699515DFA2C6583D95E6412AF21C097D473155875FFD561D6790");
         let boot000_hash = hex!("23ADA07F5261F12F34A0BD8E46760962D6B4D576A416F1FEA1C64BC656B1D28EACF7047AE6E967C58FD2A98BFA74C298");
@@ -245,23 +251,24 @@ impl<'a> Tdvf<'a> {
 
         // RTMR0 calculation
 
-        let rtmr0_log = vec![
-            td_hob_hash,
-            cfv_image_hash.to_vec(),
-            measure_tdx_efi_variable("8BE4DF61-93CA-11D2-AA0D-00E098032B8C", "SecureBoot")?,
-            measure_tdx_efi_variable("8BE4DF61-93CA-11D2-AA0D-00E098032B8C", "PK")?,
-            measure_tdx_efi_variable("8BE4DF61-93CA-11D2-AA0D-00E098032B8C", "KEK")?,
-            measure_tdx_efi_variable("D719B2CB-3D3A-4596-A3BC-DAD00E67656F", "db")?,
-            measure_tdx_efi_variable("D719B2CB-3D3A-4596-A3BC-DAD00E67656F", "dbx")?,
-            measure_sha384(&[0x00, 0x00, 0x00, 0x00]), // Separator
-            acpi_loader_hash,
-            acpi_rsdp_hash,
-            acpi_tables_hash,
-            measure_sha384(&[0x00, 0x00]), // BootOrder
-            boot000_hash.to_vec(),
-        ];
-        debug_print_log("RTMR0", &rtmr0_log);
-        Ok(measure_log(&rtmr0_log))
+        Ok((
+            vec![
+                td_hob_hash,
+                cfv_image_hash.to_vec(),
+                measure_tdx_efi_variable("8BE4DF61-93CA-11D2-AA0D-00E098032B8C", "SecureBoot")?,
+                measure_tdx_efi_variable("8BE4DF61-93CA-11D2-AA0D-00E098032B8C", "PK")?,
+                measure_tdx_efi_variable("8BE4DF61-93CA-11D2-AA0D-00E098032B8C", "KEK")?,
+                measure_tdx_efi_variable("D719B2CB-3D3A-4596-A3BC-DAD00E67656F", "db")?,
+                measure_tdx_efi_variable("D719B2CB-3D3A-4596-A3BC-DAD00E67656F", "dbx")?,
+                measure_sha384(&[0x00, 0x00, 0x00, 0x00]), // Separator
+                acpi_loader_hash,
+                acpi_rsdp_hash,
+                acpi_tables_hash,
+                measure_sha384(&[0x00, 0x00]), // BootOrder
+                boot000_hash.to_vec(),
+            ],
+            tables,
+        ))
     }
 
     fn measure_td_hob(&self, memory_size: u64) -> Result<Vec<u8>> {

dstack-mr/src/tdvf.rs

@@ -27,7 +27,7 @@ RUN cd dstack && cargo build --release -p dstack-kms --target x86_64-unknown-lin
 FROM debian:bookworm@sha256:0d8498a0e9e6a60011df39aab78534cfe940785e7c59d19dfae1eb53ea59babe
 COPY ./shared /build
 WORKDIR /build
-ARG QEMU_REV=d98440811192c08eafc07c7af110593c6b3758ff
+ARG QEMU_REV=dbcec07c0854bf873d346a09e87e4c993ccf2633
 RUN ./pin-packages.sh ./qemu-pinned-packages.txt && \
     apt-get update && \
     apt-get install -y --no-install-recommends \
@@ -43,7 +43,7 @@ RUN ./pin-packages.sh ./qemu-pinned-packages.txt && \
     flex \
     bison && \
     rm -rf /var/lib/apt/lists/* /var/log/* /var/cache/ldconfig/aux-cache
-RUN git clone https://github.com/kvinwang/qemu-tdx.git --depth 1 --branch passthrough-dump-acpi --single-branch && \
+RUN git clone https://github.com/kvinwang/qemu-tdx.git --depth 1 --branch dstack-qemu-9.2.1 --single-branch && \
     cd qemu-tdx && git fetch --depth 1 origin ${QEMU_REV} && \
     git checkout ${QEMU_REV} && \
     ../config-qemu.sh ./build /usr/local && \