mkimage: emit digest.sev.txt (AMD SEV-SNP os_image_hash)#71
Open
kvinwang wants to merge 1 commit into
Open
Conversation
When the SEV firmware is shipped, run `dstack-vmm sev-os-image-hash` over the output image to produce digest.sev.txt: the AMD SEV-SNP os_image_hash computed from the SEV firmware (ovmf-sev.fd) + kernel/initrd/cmdline/rootfs. Unlike the TDX digest.txt (a content hash that includes the TDX firmware and is vCPU-independent by construction), the SEV os_image_hash is the image-invariant projection of the SNP launch measurement, so it matches what the KMS verifier derives at attestation time. Gracefully skipped (with a warning) when the SEV firmware is absent or the dstack-vmm tool is not available; build.sh's build_host stage builds it to the repo root. The tool path can be overridden with DSTACK_VMM_BIN. Verified: digest.sev.txt is produced and equals the dstack-vmm output and the KMS-derived os_image_hash (cross-checked by a unit test in dstack).
Contributor
There was a problem hiding this comment.
Pull request overview
This PR extends the image build tooling to emit an additional digest file for AMD SEV-SNP images (digest.sev.txt), representing the SEV-SNP os_image_hash identity used for SEV attestation / allow-listing, alongside the existing TDX-focused digest.txt.
Changes:
- Add SEV-specific digest generation (
digest.sev.txt) viadstack-vmm sev-os-image-hashwhenovmf-sev.fdis present. - Add best-effort discovery of the
dstack-vmmbinary (with optional override viaDSTACK_VMM_BIN) and conditionally includedigest.sev.txtin the bare-metal tarball.
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
Comment on lines
+317
to
+322
| echo "Generating digest.sev.txt via ${DSTACK_VMM_BIN}" | ||
| "${DSTACK_VMM_BIN}" sev-os-image-hash "${OUTPUT_DIR}" > "${OUTPUT_DIR}/digest.sev.txt" | ||
| HAVE_DIGEST_SEV=1 | ||
| else | ||
| echo "Warning: dstack-vmm not found; skipping digest.sev.txt (set DSTACK_VMM_BIN)" >&2 | ||
| fi |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
What
Emit
digest.sev.txtnext todigest.txtwhen the image ships the AMD SEV firmware (ovmf-sev.fd). It is the AMD SEV-SNPos_image_hash— the image identity used for SEV attestation / on-chain allow-listing.Why a separate digest
digest.txt(TDX) issha256(sha256sum.txt)over the artifacts incl.ovmf.fd(the TDX firmware) — wrong firmware for SEV. For SEV, the meaningful identity is the image-invariant projection of the SNP launch measurement:ovmf-sev.fdlaunch digest + kernel/initrd/cmdline/rootfs hashes, excluding per-deployment params (vCPUs, etc.).So
digest.sev.txtis computed bydstack-vmm sev-os-image-hash <image-dir>and matches theos_image_hashthe KMS verifier derives from a launch measurement (both go through the shareddstack_types::SevOsImageMeasurement; a unit test in dstack cross-checks the two paths).Changes
mkimage.sh: whenHAVE_OVMF_SEV, rundstack-vmm sev-os-image-hash→digest.sev.txt, and add it to the bare-metal tarball. Gracefully skipped (warning) if the SEV firmware is absent or the tool isn't built; path overridable viaDSTACK_VMM_BIN.Depends on
The dstack-side tooling (shared
SevOsImageMeasurement+sev-os-image-hashsubcommand + the os_image_hash vCPU-independence fix) in Dstack-TEE/dstack PR #728.build.sh'sbuild_hostalready buildsdstack-vmmto the repo root.Verification
make dist(dev flavor) produced:digest.sev.txtequals the standalonedstack-vmm sev-os-image-hashoutput and (per the dstack cross-check test) the KMS-derivedos_image_hash.