🚨 Important: This example is a PoC intended to illustrate the principles only; it is not optimized for production use.
For a streamlined, production-ready workflow, use the Dstack Verifier: https://github.com/Dstack-TEE/dstack/tree/master/verifier
This example illustrates the remote attestation process for every component of a Dstack application. It covers everything from the CPU microcode to the TDVF, VM configuration, kernel, kernel parameters and application code. For further details, please refer to our attestation guide.
The verify.py script demonstrates how to:
- Verify TDX quotes using Intel's DCAP
- Parse and validate event logs
- Replay and verify Runtime Measurement Registers (RTMRs)
- Validate application integrity through compose hash verification
Before running the example, ensure you have the following installed:
- Python 3.10+
  - Required for executing `verify.py`
- Dstack OS Image
  - Either build from source or download from Dstack Releases
- dcap-qvl
  - A TDX/SGX quote verification tool from Phala
  - Install with: `cargo install dcap-qvl-cli`
- dstack-mr
  - A tool to calculate expected measurement values for Dstack Base Images
  - Install with: `go install github.com/kvinwang/dstack-mr@latest`
- Generate the Application Report:
  - Run your Dstack application to produce a `report.json` file containing the attestation data
- Prepare the Compose File:
  - Create and properly configure the `app-compose.json` file to match your application's settings
Run the verification process simply by executing:
python verify.py
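
The RTMR replay and compose-hash checks listed above reduce to the following, shown as an added example that is not the project's `verify.py`. The event-log field names, the `compose-hash` event name, the use of RTMR index 3 for application events, and the `event_digest` encoding are assumptions of this example, and the sample data is constructed.

```python
import hashlib
import hmac

RTMR_LEN = 48  # RTMRs are SHA-384 sized and start as all zeros


def event_digest(name, payload):
    # Assumed encoding for this example; take the real one from the attestation guide.
    return hashlib.sha384(name.encode() + b":" + payload).digest()


def replay_rtmr(digests):
    """Fold event digests into a register: new = SHA384(old || digest)."""
    mr = bytes(RTMR_LEN)
    for d in digests:
        mr = hashlib.sha384(mr + d).digest()
    return mr


def verify_rtmr3(event_log, quoted_rtmr3, compose_bytes):
    """Return (rtmr_ok, compose_ok) for the events extended into RTMR3."""
    events = [e for e in event_log if e["imr"] == 3]
    replayed = replay_rtmr([bytes.fromhex(e["digest"]) for e in events])
    rtmr_ok = hmac.compare_digest(replayed, quoted_rtmr3)
    # A payload counts only if the digest that was replayed commits to it.
    bound = [e for e in events if hmac.compare_digest(
        bytes.fromhex(e["digest"]),
        event_digest(e["event"], bytes.fromhex(e["event_payload"])))]
    logged = [e["event_payload"] for e in bound if e["event"] == "compose-hash"]
    expected = hashlib.sha256(compose_bytes).hexdigest()
    return rtmr_ok, rtmr_ok and logged == [expected]


def make_event(name, payload):
    """Build a constructed sample event (not real attestation data)."""
    return {"imr": 3, "event": name, "event_payload": payload.hex(),
            "digest": event_digest(name, payload).hex()}


# Constructed sample: a compose file, its event log, and the RTMR3 a quote would carry.
COMPOSE = b'{"name": "demo-app", "runner": "docker-compose"}'
LOG = [make_event("app-id", b"\x01" * 20),
       make_event("compose-hash", hashlib.sha256(COMPOSE).digest())]
QUOTED_RTMR3 = replay_rtmr([bytes.fromhex(e["digest"]) for e in LOG])

if __name__ == "__main__":
    print(verify_rtmr3(LOG, QUOTED_RTMR3, COMPOSE))         # (True, True)
    print(verify_rtmr3(LOG, QUOTED_RTMR3, COMPOSE + b" "))  # (True, False)
```

The replayed value is only meaningful when `quoted_rtmr3` comes from a quote that has already passed DCAP verification; an event log checked against an unverified register proves nothing.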