Add dstack simulator config

Author: kvinwang

cert-client/src/lib.rs

@@ -79,12 +79,23 @@ impl CertRequestClient {
         }
     }
 
-    pub async fn request_cert(&self, key: &KeyPair, config: CertConfig) -> Result<Vec<String>> {
+    pub async fn request_cert(
+        &self,
+        key: &KeyPair,
+        config: CertConfig,
+        no_ra: bool,
+    ) -> Result<Vec<String>> {
         let pubkey = key.public_key_der();
         let report_data = QuoteContentType::RaTlsCert.to_report_data(&pubkey);
-        let (_, quote) = get_quote(&report_data, None).context("Failed to get quote")?;
-        let event_log = read_event_logs().context("Failed to decode event log")?;
-        let event_log = serde_json::to_vec(&event_log).context("Failed to serialize event log")?;
+        let (quote, event_log) = if !no_ra {
+            let (_, quote) = get_quote(&report_data, None).context("Failed to get quote")?;
+            let event_log = read_event_logs().context("Failed to decode event log")?;
+            let event_log =
+                serde_json::to_vec(&event_log).context("Failed to serialize event log")?;
+            (quote, event_log)
+        } else {
+            (vec![], vec![])
+        };
 
         let csr = CertSigningRequest {
             confirm: "please sign cert:".to_string(),

guest-agent/dstack.toml

@@ -13,6 +13,11 @@ compose_file = "/tapp/.host-shared/app-compose.json"
 public_logs = true
 public_sysinfo = true
 
+[default.core.simulator]
+enabled = false
+quote_file = "quote.hex"
+event_log_file = "eventlog.json"
+
 [internal-v0]
 address = "unix:/var/run/tappd.sock"
 reuse = true

guest-agent/rpc/proto/agent_rpc.proto

@@ -193,7 +193,7 @@ message WorkerInfo {
 
 // The response to a WorkerInfo request
 message WorkerVersion {
-  // Tappd version
+  // Dstack version
   string version = 1;
   // Git revision
   string rev = 2;

guest-agent/src/config.rs

@@ -22,4 +22,12 @@ pub struct Config {
     pub compose_file: String,
     #[serde(default)]
     pub pccs_url: Option<String>,
+    pub simulator: Simulator,
+}
+
+#[derive(Debug, Clone, Deserialize)]
+pub struct Simulator {
+    pub enabled: bool,
+    pub quote_file: String,
+    pub event_log_file: String,
 }

guest-agent/src/main.rs

@@ -124,12 +124,22 @@ async fn run_guest_api(state: AppState, figment: Figment) -> Result<()> {
         .ignite()
         .await
         .map_err(|err| anyhow!("Failed to ignite rocket: {err}"))?;
-    let listener = VsockListener::bind_rocket(&ignite)
-        .map_err(|err| anyhow!("Failed to bind guest API : {err}"))?;
-    ignite
-        .launch_on(listener)
-        .await
-        .map_err(|err| anyhow!(err.to_string()))?;
+    if DefaultListener::bind_endpoint(&ignite).is_ok() {
+        let listener = DefaultListener::bind(&ignite)
+            .await
+            .map_err(|err| anyhow!("Failed to bind guest API : {err}"))?;
+        ignite
+            .launch_on(listener)
+            .await
+            .map_err(|err| anyhow!(err.to_string()))?;
+    } else {
+        let listener = VsockListener::bind_rocket(&ignite)
+            .map_err(|err| anyhow!("Failed to bind guest API : {err}"))?;
+        ignite
+            .launch_on(listener)
+            .await
+            .map_err(|err| anyhow!(err.to_string()))?;
+    }
     Ok(())
 }
 

guest-agent/src/rpc_service.rs

@@ -58,6 +58,7 @@ impl AppState {
                     usage_client_auth: true,
                     ext_quote: true,
                 },
+                config.simulator.enabled,
             )
             .await
             .context("Failed to get app cert")?
@@ -101,7 +102,7 @@ impl DstackGuestRpc for InternalRpcHandler {
             .state
             .inner
             .cert_client
-            .request_cert(&derived_key, config)
+            .request_cert(&derived_key, config, self.state.config().simulator.enabled)
             .await
             .context("Failed to sign the CSR")?;
         Ok(GetTlsKeyResponse {
@@ -145,6 +146,9 @@ impl DstackGuestRpc for InternalRpcHandler {
             Some(padded)
         }
         let report_data = pad64(&request.report_data).context("Report data is too long")?;
+        if self.state.config().simulator.enabled {
+            return simulate_quote(self.state.config(), report_data);
+        }
         let (_, quote) =
             tdx_attest::get_quote(&report_data, None).context("Failed to get quote")?;
         let event_log = read_event_logs().context("Failed to decode event log")?;
@@ -162,6 +166,23 @@ impl DstackGuestRpc for InternalRpcHandler {
     }
 }
 
+fn simulate_quote(config: &Config, report_data: [u8; 64]) -> Result<GetQuoteResponse> {
+    let quote_file =
+        fs::read_to_string(&config.simulator.quote_file).context("Failed to read quote file")?;
+    let mut quote = hex::decode(quote_file.trim()).context("Failed to decode quote")?;
+    let event_log = fs::read_to_string(&config.simulator.event_log_file)
+        .context("Failed to read event log file")?;
+    if quote.len() < 632 {
+        return Err(anyhow::anyhow!("Quote is too short"));
+    }
+    quote[568..632].copy_from_slice(&report_data);
+    Ok(GetQuoteResponse {
+        quote,
+        event_log,
+        report_data: report_data.to_vec(),
+    })
+}
+
 impl RpcCall<AppState> for InternalRpcHandler {
     type PrpcService = DstackGuestServer<Self>;
 
@@ -201,7 +222,7 @@ impl TappdRpc for InternalRpcHandlerV0 {
             .state
             .inner
             .cert_client
-            .request_cert(&derived_key, config)
+            .request_cert(&derived_key, config, self.state.config().simulator.enabled)
             .await
             .context("Failed to sign the CSR")?;
         Ok(GetTlsKeyResponse {
@@ -221,28 +242,37 @@ impl TappdRpc for InternalRpcHandlerV0 {
     }
 
     async fn tdx_quote(self, request: TdxQuoteArgs) -> Result<TdxQuoteResponse> {
+        let hash_algorithm = if request.hash_algorithm.is_empty() {
+            DEFAULT_HASH_ALGORITHM
+        } else {
+            &request.hash_algorithm
+        };
+        let prefix = if hash_algorithm == "raw" {
+            "".into()
+        } else {
+            QuoteContentType::AppData.tag().to_string()
+        };
         let content_type = if request.prefix.is_empty() {
             QuoteContentType::AppData
         } else {
             QuoteContentType::Custom(&request.prefix)
         };
         let report_data =
             content_type.to_report_data_with_hash(&request.report_data, &request.hash_algorithm)?;
+        if self.state.config().simulator.enabled {
+            let response = simulate_quote(self.state.config(), report_data)?;
+            return Ok(TdxQuoteResponse {
+                quote: response.quote,
+                event_log: response.event_log,
+                hash_algorithm: hash_algorithm.to_string(),
+                prefix,
+            });
+        }
         let event_log = read_event_logs().context("Failed to decode event log")?;
         let event_log =
             serde_json::to_string(&event_log).context("Failed to serialize event log")?;
         let (_, quote) =
             tdx_attest::get_quote(&report_data, None).context("Failed to get quote")?;
-        let hash_algorithm = if request.hash_algorithm.is_empty() {
-            DEFAULT_HASH_ALGORITHM
-        } else {
-            &request.hash_algorithm
-        };
-        let prefix = if hash_algorithm == "raw" {
-            "".into()
-        } else {
-            QuoteContentType::AppData.tag().to_string()
-        };
         Ok(TdxQuoteResponse {
             quote,
             event_log,

sdk/simulator/.gitignore

@@ -0,0 +1,3 @@
+dstack-simulator
+dstack-guest-agent
+*.lock

sdk/simulator/app-compose.json

@@ -0,0 +1,14 @@
+{
+  "manifest_version": 2,
+  "name": "kvin-nb",
+  "runner": "docker-compose",
+  "docker_compose_file": "services:\n  jupyter:\n    image: quay.io/jupyter/base-notebook\n    user: root\n    environment:\n      - GRANT_SUDO=yes\n    ports:\n      - \"8888:8888\"\n    volumes:\n      - /:/host/\n      - /var/run/tappd.sock:/var/run/tappd.sock\n      - /var/run/dstack.sock:/var/run/dstack.sock\n    logging:\n      driver: journald\n      options:\n        tag: jupyter-notebook\n",
+  "docker_config": {},
+  "kms_enabled": true,
+  "tproxy_enabled": true,
+  "public_logs": true,
+  "public_sysinfo": true,
+  "local_key_provider_enabled": false,
+  "allowed_envs": [],
+  "no_instance_id": false
+}

sdk/simulator/appkeys.json

@@ -0,0 +1,13 @@
+{
+  "disk_crypt_key": "1122e1f340c19407adc5ec531ac98d72bcf702bf7858f6fa49b5be79b61e4d5b",
+  "env_crypt_key": "ca1a3895d9d613287fc14034d0ec60abb5089896e7c8fd7c2f02bd91fa0076aa",
+  "k256_key": "e0e5d254fb944dcc370a2e5288b336a1e809871545a73ee645368957fefa31f9",
+  "k256_signature": "2f431c7956869a4fe3e028c5f9518a935e2d01e81a3628f8b1d178fc2fac7b6d2405ace433624e5568e23c4ed291dbaf60dac79b756837c0fe745154ebfdc0a601",
+  "gateway_app_id": "any",
+  "ca_cert": "-----BEGIN CERTIFICATE-----\nMIIBmTCCAUCgAwIBAgIUU7801+krCs2OpIdne3t6OWrJ2fMwCgYIKoZIzj0EAwIw\nKTEPMA0GA1UECgwGRHN0YWNrMRYwFAYDVQQDDA1Ec3RhY2sgS01TIENBMB4XDTc1\nMDEwMTAwMDAwMFoXDTM1MDMxNzA5NDQ0MlowKTEPMA0GA1UECgwGRHN0YWNrMRYw\nFAYDVQQDDA1Ec3RhY2sgS01TIENBMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE\nGbJFfdm4qmRG2YDxNv/3gS7NbHd0DusOKLENVsDAACiltuWdzqMH1YO9H3B2npwR\nbfK8+xdYqV2GE+feHISCwKNGMEQwDwYDVR0PAQH/BAUDAweAADAdBgNVHQ4EFgQU\nevjJ+VZPvDxHJ2ejjeIaUYMMcEcwEgYDVR0TAQH/BAgwBgEB/wIBATAKBggqhkjO\nPQQDAgNHADBEAiAhQHQNbmyvx9BDBXRjW1eCkPCpFs/2Vt/nvbi+M69FPAIgQ13F\n3pmxicxyFeVW2iOjrbG1cxLdT9Kh+9ICF9zn8kA=\n-----END CERTIFICATE-----\n",
+  "key_provider": {
+    "Local": {
+      "key": "-----BEGIN PRIVATE KEY-----\nMIGHAgEAMBMGByqGSM49AgEGCCqGSM49AwEHBG0wawIBAQQg1PYCFKYfDmUfv5fk\nstppasf4mPGqnz0fEoLEnGx8CnKhRANCAAQZskV92biqZEbZgPE2//eBLs1sd3QO\n6w4osQ1WwMAAKKW25Z3OowfVg70fcHaenBFt8rz7F1ipXYYT594chILA\n-----END PRIVATE KEY-----\n"
+    }
+  }
+}

sdk/simulator/build.sh

@@ -0,0 +1,6 @@
+#!/bin/bash
+cd $(dirname $0)
+cargo build --release -p dstack-guest-agent
+cp ../../target/release/dstack-guest-agent .
+ln -sf dstack-guest-agent dstack-simulator
+