@kvinwang kvinwang commented Feb 12, 2026

Summary

  • Adds GetAttestationInfo RPC to the Onboard service that returns the real device_id, mr_aggregated, os_image_hash, mr_system, and attestation_mode needed for on-chain KMS authorization
  • The endpoint verifies the TDX attestation quote via PCCS to obtain the real platform device identifier (ppid), producing the correct device_id = SHA256(ppid) — unlike the serial log which shows SHA256("") = e3b0c442... due to Attestation<()> having no ppid
  • Updates the onboard web UI to auto-load and display attestation info on page load

Screenshot

Onboard web UI on GCP TDX Confidential VM:


Motivation

When onboarding a new KMS instance, operators need to register the correct device_id, mr_aggregated, and os_image_hash on-chain before the source KMS will authorize key transfer. Previously there was no way to obtain these real values from the KMS itself — the serial log values were incorrect for device_id.

Test plan

  • cargo check -p dstack-kms compiles
  • Tested on GCP TDX Confidential VM: RPC returns correct attestation values
  • Web UI displays values with 0x prefix for easy copy to on-chain registration
  • Successfully completed onboard using real on-chain auth with values from this endpoint

@kvinwang kvinwang force-pushed the feat/onboard-attestation-info branch 4 times, most recently from c23a5c6 to 8bb6c13 Compare February 12, 2026 15:23
Adds a new GetAttestationInfo RPC endpoint to the Onboard service that
returns the real device_id, mr_aggregated, os_image_hash, and mr_system
values needed for on-chain KMS authorization registration.

The endpoint verifies the TDX attestation quote via PCCS to obtain the
real platform device identifier (ppid), which is required to compute
the correct device_id (SHA256 of ppid). This differs from the serial
log values which use an empty ppid.

Also updates the onboard web UI to auto-load and display the
attestation info on page load.
@kvinwang kvinwang force-pushed the feat/onboard-attestation-info branch from 8bb6c13 to b5fc391 Compare February 12, 2026 15:23
@kvinwang kvinwang merged commit fe5f5d0 into master Feb 13, 2026
11 checks passed
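
As an added example (not code from this pull request or the dstack project): a pre-registration check an operator could run on the values returned by GetAttestationInfo, rejecting a device_id equal to SHA256 of an empty ppid, the placeholder the PR description says the serial log shows. Only the field names come from the PR; the dict layout, function names and sample values are assumptions.

```python
import hashlib
import re

# SHA256 of an empty ppid: the placeholder device_id the PR attributes to the serial log.
EMPTY_PPID_DEVICE_ID = hashlib.sha256(b"").hexdigest()  # starts with e3b0c442

# Field names from the PR summary; the dict layout is an assumption of this example.
HEX_FIELDS = ("device_id", "mr_aggregated", "os_image_hash", "mr_system")
_HEX = re.compile(r"(?:0x)?((?:[0-9a-fA-F]{2})+)")


def device_id_from_ppid(ppid: bytes) -> str:
    """device_id = SHA256(ppid), as lowercase hex without the 0x prefix."""
    return hashlib.sha256(ppid).hexdigest()


def check_attestation_info(info: dict) -> list:
    """Return a list of problems; an empty list means the values look registrable."""
    problems = []
    for name in HEX_FIELDS:
        raw = info.get(name)
        match = _HEX.fullmatch(raw) if isinstance(raw, str) else None
        if match is None:
            problems.append(f"{name}: missing or not hex")
            continue
        value = match.group(1).lower()
        if name != "device_id":
            continue
        if len(value) != 64:
            problems.append("device_id: not a 32-byte SHA256 digest")
        elif value == EMPTY_PPID_DEVICE_ID:
            problems.append("device_id: SHA256 of an empty ppid, not a real device")
    if not info.get("attestation_mode"):
        problems.append("attestation_mode: missing")
    return problems


# Constructed sample values, not taken from any real platform.
SAMPLE_PPID = bytes(range(16))
SAMPLE_INFO = {
    "device_id": "0x" + device_id_from_ppid(SAMPLE_PPID),
    "mr_aggregated": "0x" + "ab" * 32,
    "os_image_hash": "0x" + "cd" * 32,
    "mr_system": "0x" + "ef" * 32,
    "attestation_mode": "example-mode",  # placeholder value
}

if __name__ == "__main__":
    print(check_attestation_info(SAMPLE_INFO))
    print(check_attestation_info({**SAMPLE_INFO, "device_id": "0x" + EMPTY_PPID_DEVICE_ID}))
```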