This document describes how dstack produces and verifies attestation on GCP using
TDX plus a TPM quote. It follows the implementation in dstack-attest.
- TDX quote generator: tdx-attest::get_quote
- TDX event log reader: cc-eventlog::tdx::read_event_log
- TPM quote generator: tpm-attest::TpmContext::create_quote
- Verifier: dstack-attest + dcap-qvl + tpm-qvl
Quote generation proceeds as follows:
- Collect report_data (64 bytes), optionally bound to the RA TLS pubkey.
- Generate the TDX quote via tdx-attest::get_quote(report_data).
- Read the TDX event log via cc-eventlog::tdx::read_event_log().
- Compute the TPM qualifying data as sha256(tdx_quote).
- Create the TPM quote with that qualifying data and the dstack PCR policy: tpm_attest::TpmContext::create_quote(qualifying_data, policy).
- Bundle both quotes into DstackGcpTdxQuote { tdx_quote, tpm_quote }.
- Include the config from /dstack/.host-shared/.sys-config.json.
Verification runs in Attestation::verify_with_time and splits into TDX + TPM.
- Fetch TDX collateral and verify the quote: dcap_qvl::collateral::get_collateral_and_verify(quote, pccs_url).
- Validate the TCB:
  - Debug mode must be off.
  - mr_signer_seam must be all-zero.
- Replay runtime events to compute RTMR3 and compare it with the RTMR3 in the quote.
- Check that report_data in the TD report equals the attestation report_data.
- Fetch TPM collateral and verify the quote: tpm_qvl::get_collateral_and_verify(tpm_quote).
- Replay runtime events to compute the runtime PCR and compare it with the quoted PCR.
- Check that the qualifying data equals sha256(tdx_quote), which binds the TPM quote to the TDX quote.
If an RA TLS pubkey is supplied to the verifier, it additionally enforces:
report_data == QuoteContentType::RaTlsCert.to_report_data(pubkey).
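The dstack-level checks listed above, as an added Python example that is not dstack's own code: it replays a constructed event list into RTMR3 and a SHA-256 PCR, then runs the TCB, report_data, PCR and TPM-binding checks on dict stand-ins for the already signature-verified quotes (the dict field names, event digests and quote bytes are assumptions).

```python
import hashlib
RTMR_INIT = bytes(48)  # TDX RTMRs start as 48 zero bytes (SHA-384 measurements)
PCR_INIT = bytes(32)   # a SHA-256 TPM PCR bank starts as 32 zero bytes

def replay_rtmr(digests):
    """RTMR extend: new = SHA384(old || event_digest), applied in event order."""
    acc = RTMR_INIT
    for d in digests:
        acc = hashlib.sha384(acc + d).digest()
    return acc

def replay_pcr(digests):
    """PCR extend on the SHA-256 bank: new = SHA256(old || event_digest)."""
    acc = PCR_INIT
    for d in digests:
        acc = hashlib.sha256(acc + d).digest()
    return acc

def verify_bundle(tdx_quote, td_report, tpm_quote, expected_report_data,
                  rtmr3_events, pcr_events):
    """Return the failed dstack-level checks (empty list means pass). td_report
    and tpm_quote are assumed plain dicts standing in for what dcap-qvl and
    tpm-qvl hand back once signature and collateral verification succeeded."""
    failures = []
    if td_report["debug"]:
        failures.append("debug mode enabled")
    if any(td_report["mr_signer_seam"]):
        failures.append("mr_signer_seam not all-zero")
    if replay_rtmr(rtmr3_events) != td_report["rtmr3"]:
        failures.append("RTMR3 replay mismatch")
    if td_report["report_data"] != expected_report_data:
        failures.append("report_data mismatch")
    if replay_pcr(pcr_events) != tpm_quote["pcr"]:
        failures.append("runtime PCR replay mismatch")
    # Cross-quote binding: the TPM signed sha256(tdx_quote) as its qualifying data.
    if tpm_quote["qualifying_data"] != hashlib.sha256(tdx_quote).digest():
        failures.append("TPM qualifying data != sha256(tdx_quote)")
    return failures

def example_bundle():
    """Constructed sample input (not real quotes) that satisfies every check."""
    rtmr3_events = [hashlib.sha384(b"app-compose").digest(), hashlib.sha384(b"app-id").digest()]
    pcr_events = [hashlib.sha256(b"runtime-event").digest()]
    report_data = hashlib.sha512(b"ra-tls-pubkey").digest()  # 64 bytes, as required
    tdx_quote = b"constructed-tdx-quote-bytes"
    td_report = {"debug": False, "mr_signer_seam": bytes(48),
                 "rtmr3": replay_rtmr(rtmr3_events), "report_data": report_data}
    tpm_quote = {"qualifying_data": hashlib.sha256(tdx_quote).digest(), "pcr": replay_pcr(pcr_events)}
    return tdx_quote, td_report, tpm_quote, report_data, rtmr3_events, pcr_events
```

Dropping or reordering one event, or substituting a TPM quote taken from another machine, makes the corresponding check fail while the rest still pass, which is what lets the verifier report the precise point of divergence.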
The verifier returns DstackVerifiedReport::DstackGcpTdx containing:
- tdx_report (verified TDX report and collateral info)
- tpm_report (verified TPM quote and PCRs)
Reference: dstack-attest/src/attestation.rs