More for the rename

Author: kvinwang

docs/deployment.md

@@ -97,7 +97,7 @@ GUEST_AGENT_ADDR=127.0.0.1:9205
 ETH_RPC_URL=https://rpc.phala.network
 GIT_REV=HEAD
 OS_IMAGE=dstack-0.5.1
-IMAGE_DOWNLOAD_URL=https://files.kvin.wang/images/mr_{MR_IMAGE}.tar.gz
+IMAGE_DOWNLOAD_URL=https://files.kvin.wang/images/mr_{OS_IMAGE_HASH}.tar.gz
 ```
 
 Then run the script again.
@@ -149,18 +149,16 @@ The KMS instance is now ready to use.
 ## Deploy dstack-gateway in CVM
 dstack-gateway can be deployed as a dstack app in the same host as the KMS or in a different host.
 
-### Add base image MRs to the KMS whitelist
-In order to run user workloads that use the KMS, the OS image MRs must be added to the KMS whitelist.
+### Add OS image hash to the KMS whitelist
+In order to run user workloads that use the KMS, the OS image hash must be added to the KMS whitelist.
 
-The `mrSystem` is calculated from the MRTD, RTMR0, RTMR1, and key provider. It varies with the same image given different CPU/MEM configurations.
+The `os_image_hash` is generated during the image build process. It is stored in the `digest.txt` file.
 
-You can calculate the `mrSystem` by running `dstack-mr` or simply try deploying an App with the OS image and see it in the serial logs.
-
-After you get the `mrSystem`, you can register it to the KMS whitelist by running the following command:
+After you get the `os_image_hash`, you can register it to the KMS whitelist by running the following command:
 
 ```bash
 cd dstack/kms/auth-eth
-npx hardhat kms:add-system --network phala --mr <mr-value>
+npx hardhat kms:add-image --network phala --mr <os-image-hash>
 ```
 
 ### Register dstack-gateway in KMS

guest-agent/rpc/proto/agent_rpc.proto

@@ -191,7 +191,7 @@ message WorkerInfo {
   bytes device_id = 8;
   // MR Aggregated
   bytes mr_aggregated = 9;
-  // MR Image
+  // OS Image hash
   bytes os_image_hash = 10;
   // MR Key Provider
   bytes mr_key_provider = 11;

kms/README.md

@@ -38,7 +38,7 @@ CVMs running in dstack support three boot modes:
    - Quote verification and boot info validation
    - Asks `dstack-kms-auth-eth` for permission
    - Builtin Replicator for root keys
-   
+
 2. **dstack-kms-auth-eth**
    - Chain interface for permission checks
    - Two-step validation:
@@ -49,7 +49,7 @@ CVMs running in dstack support three boot modes:
    - `KmsAuth.sol`
       - Maintains a registry for all Applications
       - Maintains the allowed KMS Instance MRs
-      - Maintains the allowed App Base Image MRs
+      - Maintains the allowed OS Images
       - Registers KMS root keys
    - `AppAuth.sol`
       - Apps can have either a dedicated `AppAuth` contract or share one with multiple apps

kms/auth-eth/src/server.ts

@@ -21,7 +21,7 @@ export async function build(): Promise<FastifyInstance> {
     required: ['mrAggregated', 'osImageHash', 'appId', 'composeHash', 'instanceId', 'deviceId'],
     properties: {
       mrAggregated: { type: 'string', description: 'Aggregated MR measurement' },
-      osImageHash: { type: 'string', description: 'MR Image measurement' },
+      osImageHash: { type: 'string', description: 'OS Image hash' },
       appId: { type: 'string', description: 'Application ID' },
       composeHash: { type: 'string', description: 'Compose hash' },
       instanceId: { type: 'string', description: 'Instance ID' },

kms/dstack-app/deploy-to-vmm.sh

@@ -30,7 +30,7 @@ else
 # GUEST_AGENT_ADDR=127.0.0.1:9205
 
 # The URL of the dstack app image download URL
-# IMAGE_DOWNLOAD_URL=https://files.kvin.wang/images/mr_{MR_IMAGE}.tar.gz
+# IMAGE_DOWNLOAD_URL=https://files.kvin.wang/images/mr_{OS_IMAGE_HASH}.tar.gz
 
 # The URL of the Ethereum RPC service
 ETH_RPC_URL=https://rpc.phala.network

kms/kms.toml

@@ -25,7 +25,7 @@ subject_postfix = ".dstack"
 [core.image]
 verify = true
 cache_dir = "/usr/share/dstack/images"
-download_url = "http://localhost:8000/{MR_IMAGE}.tar.gz"
+download_url = "http://localhost:8000/{OS_IMAGE_HASH}.tar.gz"
 download_timeout = "2m"
 
 [core.auth_api]

kms/rpc/proto/kms_rpc.proto

@@ -33,7 +33,7 @@ message AppKeyResponse {
   string tproxy_app_id = 6;
   // Reverse proxy app ID from KmsAuth contract.
   string gateway_app_id = 7;
-  // MR Image
+  // OS Image hash 
   bytes os_image_hash = 8;
 }
 

kms/src/main_service.rs

@@ -250,7 +250,7 @@ impl RpcHandler {
             .config
             .image
             .download_url
-            .replace("{MR_IMAGE}", hex_os_image_hash);
+            .replace("{OS_IMAGE_HASH}", hex_os_image_hash);
 
         // Create a temporary directory for extraction within the cache directory
         let cache_dir = self.state.config.image.cache_dir.join("tmp");
@@ -413,7 +413,7 @@ impl RpcHandler {
         }
         self.verify_os_image_hash(&vm_config, &boot_info)
             .await
-            .context("Failed to verify image MR")?;
+            .context("Failed to verify os image hash")?;
         Ok(BootConfig {
             boot_info,
             gateway_app_id: response.gateway_app_id,