feat: amd-sev-snp draft and feature flags for confidential computing

.env.example

@@ -89,6 +89,9 @@ IMAGE_GENERATIONS_ARCHITECTURE=flux
 MISTRALRS_IMAGE=ghcr.io/ericlbuehler/mistral.rs:cuda-80-0.3.1
 
 # ----------------------------------------------------------------------------------
-# TDX configuration
+# CC configuration - note that only one of the following can be enabled at a time
+# TODO?
 # Enable TDX by setting ENABLE_TDX=true for confidential compute, otherwise it will be disabled
 ENABLE_TDX=false
+# Enable SEV-SNP by setting ENABLE_SEV_SNP=true for ADM SEV-SNP, otherwise it will be disabled
+ENABLE_SEV_SNP=false

Cargo.toml

@@ -26,6 +26,7 @@ atoma-sui = { path = "./atoma-sui" }
 atoma-utils = { path = "./atoma-utils" }
 axum = "0.7.5"
 base64 = "0.22.1"
+bincode = "1.3.3"
 blake2 = "0.10.6"
 clap = "4.5.4"
 config = "0.14.0"
@@ -45,15 +46,18 @@ lazy_static = "1.5.0"
 metrics = "0.23"
 metrics-exporter-prometheus = "0.14.0"
 once_cell = "1.20.2"
+p384 = "0.13.0"
 prometheus = "0.13.4"
 rand = "0.8.5"
 reqwest = "0.12.1"
 rs_merkle = "1.4.2"
+sev = "5.0.0"
 serde = "1.0.217"
 serde_json = "1.0.138"
 serde_yaml = "0.9.34"
 serial_test = "3.1.1"
 sha2 = "0.10.8"
+strum = "0.26.3"
 sqlx = "0.8.2"
 sui-keys = { git = "https://github.com/mystenlabs/sui", package = "sui-keys", tag = "testnet-v1.41.1" }
 sui-sdk = { git = "https://github.com/mystenlabs/sui", package = "sui-sdk", tag = "testnet-v1.41.1" }

Dockerfile

@@ -6,6 +6,7 @@ ARG TARGETPLATFORM
 ARG BUILDPLATFORM
 ARG TARGETARCH
 ARG ENABLE_TDX
+ARG ENABLE_SEV_SNP
 
 # Install build dependencies
 RUN apt-get update && apt-get install -y \
@@ -14,7 +15,7 @@ RUN apt-get update && apt-get install -y \
     curl \
     libssl-dev \
     libssl1.1 \
-    && if [ "$ENABLE_TDX" = "true" ]; then \
+    && if [ "$ENABLE_TDX" = "true" ] || [ "$ENABLE_SEV_SNP" = "true" ]; then \
        apt-get install -y libtss2-dev; \
     fi \
     && rm -rf /var/lib/apt/lists/*
@@ -24,8 +25,10 @@ WORKDIR /usr/src/atoma-node
 COPY . .
 
 # Compile
-RUN if [ "$ENABLE_TDX" = "true" ]; then \
+RUN if [ "$ENABLE_TDX" = "true" ] && [ "$ENABLE_SEV_SNP" = "false" ]; then \
         RUST_LOG=${TRACE_LEVEL} cargo build --release --bin atoma-node --features tdx; \
+    elif [ "$ENABLE_SEV_SNP" = "true" ] && [ "$ENABLE_TDX" = "false" ]; then \
+        RUST_LOG=${TRACE_LEVEL} cargo build --release --bin atoma-node --features sev-snp; \
     else \
         RUST_LOG=${TRACE_LEVEL} cargo build --release --bin atoma-node; \
     fi

atoma-bin/atoma_node.rs

@@ -5,7 +5,7 @@ use std::{
 };
 
 use anyhow::{Context, Result};
-use atoma_confidential::AtomaConfidentialCompute;
+use atoma_confidential::{service::AtomaConfidentialComputeProvider, AtomaConfidentialCompute};
 use atoma_daemon::{AtomaDaemonConfig, DaemonState};
 use atoma_service::{
     config::AtomaServiceConfig,
@@ -266,13 +266,20 @@ async fn main() -> Result<()> {
     let (compute_shared_secret_sender, compute_shared_secret_receiver) =
         tokio::sync::mpsc::unbounded_channel();
 
+    let confidential_compute_provider = config
+        .service
+        .confidential_compute_provider
+        .as_ref()
+        .and_then(|provider| AtomaConfidentialComputeProvider::from_str(provider).ok());
+
     let confidential_compute_service_handle = spawn_with_shutdown(
         AtomaConfidentialCompute::start_confidential_compute_service(
             client.clone(),
             subscriber_confidential_compute_receiver,
             app_state_decryption_receiver,
             app_state_encryption_receiver,
             compute_shared_secret_receiver,
+            confidential_compute_provider,
             shutdown_receiver.clone(),
         ),
         shutdown_sender.clone(),

atoma-confidential/Cargo.toml

@@ -9,16 +9,22 @@ aes-gcm = { workspace = true }
 anyhow = { workspace = true }
 atoma-sui = { workspace = true }
 atoma-utils = { workspace = true }
+bincode = { workspace = true }
 blake2 = { workspace = true }
 dcap-rs = { workspace = true, optional = true }
 flume = { workspace = true }
+p384 = { workspace = true, optional = true }
 rand = { workspace = true }
-tokio = { workspace = true }
+sev = { workspace = true, optional = true, features = ["crypto_nossl"]}
+sha2 = { workspace = true }
+strum = { workspace = true, features = ["derive"] }
 tdx = { workspace = true, optional = true }
 thiserror = { workspace = true }
+tokio = { workspace = true }
 tracing = { workspace = true }
 x25519-dalek = { workspace = true, features = ["static_secrets"] }
 
 [features]
 default = []
 tdx = ["dep:dcap-rs", "dep:tdx" ]
+sev-snp = [ "dep:p384", "dep:sev" ]

atoma-confidential/src/lib.rs

@@ -3,6 +3,8 @@
 
 pub mod key_management;
 pub mod service;
+#[cfg(feature = "sev-snp")]
+pub mod sev_snp;
 #[cfg(feature = "tdx")]
 pub mod tdx;
 pub mod types;