Share Logs
API Name: Kira2
Model: deepseek/deepseek-r12025-07-02 09:15:37
Context:
[
{
"role": "user",
"content": "docker compose up -d可以指定cpu个数吗,如何查看up -d之后的日志"
},
{
"role": "assistant",
"content": "以下是针对您的问题的详细解答:\n\n---\n\n### **1. 在 `docker-compose up -d` 中指定 CPU 个数**\n\nDocker Compose 允许通过配置文件限制容器的 CPU 资源。具体配置方式如下:\n\n#### **方法一:使用 `cpus` 直接限制**\n在 `docker-compose.yml` 文件中,为服务添加 `cpus` 字段,指定容器可以使用的 CPU 核心数(支持小数,如 `1.5` 表示 1.5 个核心)。\n\n```yaml\nversion: '3.8'\nservices:\n your_service:\n image: your_image\n deploy: # 适用于 Swarm 模式\n resources:\n limits:\n cpus: '2' # 限制最多使用 2 个 CPU 核心\n # 单机模式(非 Swarm)使用以下配置:\n # resources:\n # limits:\n # cpus: '2'\n```\n\n#### **方法二:使用 `cpu_quota` 和 `cpu_period`**\n通过调整时间配额更精细地控制 CPU 时间(适用于高级场景):\n\n```yaml\nservices:\n your_service:\n image: your_image\n cpu_quota: 100000 # 每周期分配的 CPU 时间(单位:微秒)\n cpu_period: 100000 # CPU 周期长度(默认 100000,即 100ms)\n # 表示 CPU 使用率为 quota/period = 100000/100000 = 1 个核心\n```\n\n#### **验证配置是否生效**\n运行以下命令查看容器的 CPU 限制:\n```bash\ndocker inspect <容器ID> | grep -i Cpu\n```\n\n---\n\n### **2. 查看 `docker-compose up -d` 后的日志**\n\n#### **查看所有服务的日志**\n```bash\ndocker compose logs\n```\n\n#### **查看特定服务的日志**\n```bash\ndocker compose logs <服务名>\n```\n\n#### **实时跟踪日志输出(类似 `tail -f`)**\n```bash\ndocker compose logs -f <服务名>\n```\n\n#### **查看最近 N 条日志**\n```bash\ndocker compose logs --tail=100 <服务名> # 查看最后 100 行\n```\n\n#### **查看指定时间范围内的日志**\n```bash\ndocker compose logs --since=10m <服务名> # 查看过去 10 分钟的日志\n```\n\n---\n\n### **常见问题及解决**\n\n1. **权限问题导致无法查看日志** \n 确保当前用户有权限访问 Docker 守护进程(通常需要加入 `docker` 用户组):\n ```bash\n sudo usermod -aG docker $USER && newgrp docker\n ```\n\n2. **日志过多或滚动太快** \n - 使用 `docker compose logs --tail=100` 限制输出行数。\n - 结合 `grep` 过滤关键字:\n ```bash\n docker compose logs | grep \"ERROR\"\n ```\n\n3. **Compose 版本差异** \n - 确认 `docker-compose.yml` 的版本与 Docker 兼容(使用 `docker compose version` 检查)。\n - 旧版本可能不支持 `resources.limits`,需升级 Docker 和 Compose。\n\n---\n\n### **完整示例**\n\n假设 `docker-compose.yml` 内容如下:\n```yaml\nversion: '3.8'\nservices:\n web:\n image: nginx\n ports:\n - \"80:80\"\n resources:\n limits:\n cpus: '1.5' # 限制使用 1.5 个 CPU 核心\n```\n\n操作步骤:\n1. 启动服务:\n ```bash\n docker compose up -d\n ```\n2. 查看实时日志:\n ```bash\n docker compose logs -f web\n ```\n3. 验证 CPU 限制:\n ```bash\n docker inspect $(docker ps -q --filter name=web) | grep -i Cpu\n ```\n\n---\n\n通过上述配置和命令,您可以灵活控制容器的 CPU 资源并查看运行日志。如果遇到其他问题,欢迎继续提问!"
},
{
"role": "user",
"content": "我发现直接在服务器上跑docker测试,速度就很快,11s左右,并且随着cpu核数增加,执行时间也在缩短。但是只要用compose file部署到CVM上,就会变成28-36s,无论加多少cpu,都是这个时间,所以我理解这个gap不在于核的多少,而在于CVM docker就是和裸机跑docker有区别?但我要怎么验证这个事呢"
},
{
"role": "assistant",
"content": "以下是分步验证和排查方案,以确定 CVM 上 Docker Compose 性能问题的根本原因:\n\n---\n\n### **第一步:排除 Docker Compose 配置干扰**\n#### **1. 在 CVM 上直接运行裸机 Docker 命令**\n部署完全相同的容器到 CVM,**不使用 Docker Compose**(避开 Compose 层面的干扰):\n```bash\n# 直接运行裸机 Docker 命令(参数与 Compose 中的配置完全一致)\ndocker run -d --name test_container --cpus=4 -v /data:/app/data your_image your_command\n\n# 记录执行时间(确保命令、挂载卷等与 Compose 配置相同)\ntime docker run ...\n```\n- **分析结果**:\n - 如果裸机 Docker 在 CVM 上的执行时间**接近 11 秒** → 说明问题出在 Docker Compose 配置。\n - 如果执行时间**依然 28-36 秒** → 问题根源是 CVM 环境本身。\n\n#### **2. 检查 Compose 文件中的资源限制**\n确保 Compose 文件**未隐式限制资源**(如 CPU、内存、IO):\n```yaml\nservices:\n your_service:\n image: your_image\n # 删除或注释资源限制部分(避免错误配置导致无法利用多核)\n # deploy:\n # resources:\n # limits:\n # cpus: '1'\n```\n重新部署并测试执行时间:\n```bash\ndocker compose down && docker compose up -d\n```\n\n---\n\n### **第二步:对比 CVM 与裸机的硬件性能**\n#### **1. 运行基础性能基准测试**\n在 CVM 和裸机上分别运行以下测试,**直接对比硬件性能**:\n\n- **CPU 性能**(计算密集型任务):\n ```bash\n sysbench cpu --cpu-max-prime=20000 run\n ```\n 记录结果中的 `total time`,对比两者的计算速度差异。\n\n- **磁盘 I/O 性能**(尤其关注写入延迟):\n ```bash\n # 测试顺序写入速度\n fio --name=test --filename=/tmp/fio-test.file --rw=write \\\n --size=1G --bs=128k --direct=1 --numjobs=1 --runtime=60 --time_based\n ```\n 观察 `bw (MiB/s)` 和 `iops`。\n\n- **网络带宽与延迟**:\n ```bash\n # 在 CVM 和裸机之间互测网络\n iperf3 -c <对方IP> -t 10 # 带宽测试\n ping <对方IP> # 延迟测试\n ```\n\n#### **2. 检查 CVM 实例类型**\n- **确认 CVM 实例类型**是否为**计算优化型**(如 AWS C5/GCP C2/Tencent Cloud CVM 的计算型)。\n- 避免使用 **共享型实例**(如 AWS T 系列/GCP E2)→ 这些实例可能因 CPU 积分耗尽导致性能下降。\n\n---\n\n### **第三步:验证虚拟化层开销**\n#### **1. 检查 CVM 的 Hypervisor 和虚拟化驱动**\n- 查看 CVM 使用的虚拟化技术:\n ```bash\n lscpu | grep Hypervisor\n ```\n - 如果输出 `KVM` 或 `Xen`(且带有硬件虚拟化支持),理论上性能接近裸机。\n- 确认启用了 **virtio 驱动**(提升磁盘/网络性能):\n ```bash\n # 检查块设备是否使用 virtio-blk\n lsblk -d -o NAME,TRAN | grep virtio\n\n # 检查网卡是否使用 virtio-net\n ethtool -i eth0 | grep driver | grep virtio\n ```\n\n#### **2. 测试虚拟化层的 CPU 性能隔离**\n- **运行 CPU 隔离性测试**:\n ```bash\n # 在一个窗口运行 CPU 压力测试(占用 2 核)\n stress -c 2\n\n # 在另一个窗口测试任务执行时间\n time your_command\n ```\n - 如果在压力测试下任务时间显著增加 → CVM 的虚拟化层可能未隔离 CPU 资源。\n\n---\n\n### **第四步:检查系统与 Docker 配置差异**\n#### **1. 核对系统内核与 Docker 版本**\n- **对比 CVM 和裸机的系统环境一致性**:\n ```bash\n uname -a # 内核版本\n docker version # Docker 版本\n docker info | grep Driver # 存储驱动(如 overlay2)\n ```\n\n#### **2. 优化 Docker 存储驱动与日志配置**\n- **调整 Docker 日志驱动**(避免默认的 `json-file` 产生额外开销):\n ```bash\n # 临时测试:改用 journald 或禁止日志\n docker run --log-driver=journald your_image\n ```\n- **确保使用高性能存储驱动**(如 `overlay2`):\n ```bash\n # 检查 Docker 存储驱动\n docker info | grep \"Storage Driver\"\n ```\n\n---\n\n### **第五步:动态监控性能瓶颈**\n#### **1. 使用性能分析工具实时监控**\n在任务执行期间,**分别在 CVM 和裸机上运行以下监控命令**:\n\n- **CPU 使用情况**:\n ```bash\n htop # 按 1 查看各核心利用率(观察是否满负荷)\n pidstat -u 1 # 统计进程级的 CPU 使用\n ```\n\n- **磁盘 I/O 分析**:\n ```bash\n iotop -o # 实时查看高 IO 进程\n ```\n\n- **网络流量监控**:\n ```bash\n nload eth0 # 实时查看带宽占用\n ```\n\n#### **2. 生成火焰图(FlameGraph)定位代码热点**\n如果任务涉及自定义程序,生成 CPU 火焰图分析延迟:\n```bash\n# 安装 perf 工具\napt-get install linux-perf\n\n# 采集性能数据(替换为你的进程 ID)\nperf record -F 99 -p <PID> -g -- sleep 60\n\n# 生成火焰图\nperf script | ./FlameGraph/stackcollapse-perf.pl | ./FlameGraph/flamegraph.pl > output.svg\n```\n对比裸机和 CVM 的火焰图,观察热点是否不同。\n\n---\n\n### **关键结论与建议**\n根据上述测试结果,可能的原因及解决方案如下:\n\n| **问题根源** | **验证方法** | **解决方案** |\n|-------------------------------|--------------------------------------------------|------------------------------------------------------------|\n| **CPU 调度差异** | CVM 上 `htop` 显示 CPU 未完全利用,或核心负载不均 | 优化进程 CPU 亲和性(`taskset` 或 Docker `--cpuset-cpus`) |\n| **存储 I/O 瓶颈** | CVM 的 `fio` 磁盘写入速度显著低于裸机 | 更换 CVM 实例类型(选择 SSD 或本地 NVMe 机型) |\n| **虚拟化层限制** | CPU 压力测试导致任务时间显著变长 | 改用支持 **嵌套虚拟化** 或 **裸金属云服务器** |\n| **Docker Compose 配置限制** | 裸 Docker 命令在 CVM 上正常,Compose 部署慢 | 排查 Compose 中的服务依赖、网络模式(如 `host` vs `bridge`)|\n| **日志或存储驱动拖累性能** | 更改日志驱动后性能提升 | 永久配置 Docker 使用 `journald` 或禁用不必要的日志 |\n\n---\n\n### **快速验证案例**\n假设在 CVM 上直接运行裸机 Docker 命令后,时间仍为 28 秒:\n1. **运行 CPU 基准测试**:发现 CVM 的 `sysbench` 结果明显慢于裸机 → **确认是 CVM 的虚拟化层性能问题**。\n2. **更换高性能实例类型**:选择计算优化型(如 AWS c5.4xlarge),重新测试 → 如果时间缩短至裸机水平,则为实例类型问题。\n3. **存储优化**:如果磁盘 I/O 低 → 更换为本地 NVMe 实例或调整挂载选项(`direct-io`)。\n\n---\n\n通过逐层排除和环境比对,你最终可以定位到具体的性能瓶颈。如果测试后仍有疑问,可以提供更详细的监控数据(如火焰图、sysbench 结果等),我会进一步协助分析!"
},
{
"role": "user",
"content": "我目前裸跑docker也是用的docker compose,所以我认为问题应该不出在compose这里。我推测有一种可能,是因为CVM的docker和直接跑一个在虚拟机内,一个在虚拟机外,所以自然会有一定时间上的损耗,但我想具体评估这个原因带来的损耗有多少,我该怎么验证?"
}
]Response:
---
为了精确量化 CVM(云虚拟机)虚拟化层对 Docker 性能的影响(尤其是对比物理裸机),可以通过以下步骤设计和执行验证实验:
---
### **1. 设计对比实验的环境和指标**
#### **(1) 环境准备**
- **控制变量**:
- **物理机(对照组)**:Direct Machine,无虚拟化层,直接运行 Docker。
- **CVM(实验组)**:虚拟机运行 Docker,其余软硬件条件尽量相同(如 CPU 代数、内存容量、磁盘类型)。
- **代码和配置**:两套环境中使用**完全相同的 Docker 镜像、Compose 文件**。
- **关键建议**:
- **选择相同硬件代际**:例如物理机和 CVM 均使用 Intel Cascade Lake 架构 CPU。
- **禁用不必要的后台进程**:在两台机器上关闭安全软件、监控代理等干扰进程。
#### **(2) 定义性能测试指标**
| 指标类型 | 工具或方法 | 说明 |
|------------------|-----------------------------------|-------------------------------------------------------------|
| **CPU 性能** | `sysbench cpu` | 检测每秒可处理的事件数(Events per Second)。 |
| **内存延迟** | `memtester` + `lat_ops` | 测量内存读写延迟(单位为纳秒)。 |
| **磁盘 I/O** | `fio` | 测试顺序/随机读写的带宽、IOPS、延迟。 |
| **网络延迟** | `ping` / `iperf3` | 带宽、RTT(往返延迟)、UDP 丢包率。 |
| **端到端任务** | **用户实际业务的耗时** | 例如启动容器的时间、应用处理一批数据的耗时等关键业务指标。 |
---
### **2. 执行分阶段基准测试**
#### **(1) 阶段一:原生系统性能测试(无 Docker)**
**目的**:**排除宿主系统差异的影响**,单独测量物理机和 CVM 原生硬件性能。
- **CPU 测试**:
```bash
sysbench cpu --cpu-max-prime=20000 run
```
记录输出中的 `events per second`,对比物理机和 CVM 的差异。
**示例**:
物理机:`800 events/s`,CVM:`600 events/s` → **虚拟化层 CPU 损耗约 25%**。
- **内存延迟测试**:
```bash
latency MEMORY_OPERATIONS
```
使用 `/dev/mem` 测试内存存取延迟差别。
- **磁盘测试**:
```bash
# 顺序写入性能测试(块大小 1M)
fio --name=seq_write --filename=./testfile --rw=write --bs=1M --size=1G --direct=1
```
对比 `bw (MiB/s)` 差异,云盘往往低于本地 NVMe SSD。
#### **(2) 阶段二:直接运行 Docker 容器**
**目的**:**测试 Docker 在隔离环境下的性能损耗**,避免 Compose 复杂性的干扰。
- **测试无 Compose 的裸 Docker 命令**:
```bash
# 物理机运行
time docker run --rm -it --cpus=4 your_image your_command
# CVM 运行(要求镜像、命令、参数完全一致)
time docker run --rm -it --cpus=4 your_image your_command
```
记录两个环境中命令的执行时间差异。
- **采集运行时数据**:
```bash
# 监控 CPU、内存、磁盘使用率
docker stats --no-stream <CONTAINER_ID>
# 在另一个终端观察虚拟化层 CPU 开销(物理机 vs CVM)
top -p $(pgrep dockerd)
```
#### **(3) 阶段三:完整 Compose 部署测试**
**目的**:**验证多容器编排的实际业务场景差异**,覆盖网络、依赖链的潜在瓶颈。
- **部署完全相同的 Compose 栈**:
```bash
docker compose up -d
time docker compose exec your_service your_business_task
```
- **分析网络与存储差异**:
- **网络模式**:Compose 默认使用 `bridge` 网络,可能引入 NAT 转发延迟。
物理机如使用 `host` 网络模式会更高效,但 CVM 的网络虚拟化层可能增加延迟。
- **存储挂载**:CVM 的持久化存储如果基于网络(如云盘)会低于物理机本地磁盘的 IOPS。
---
### **3. 详细对比并量化虚拟化损耗**
#### **(1) 计算各测试项的损耗百分比**
- **基准公式**:
**损耗 (%) = (物理机指标 - CVM 指标) / 物理机指标 × 100%**
例如:在阶段一的 CPU 测试中,物理机 `events/sec=800`,CVM `events/sec=600` → **损耗 = (800-600)/800 × 100% = 25%**。
#### **(2) 重点关注分层损耗**
| 分层 | 影响因素 | 可量化工具 |
|---------------------|-------------------------------------------------|-----------------------------------|
| **原生硬件性能** | 云厂商超卖资源、隔离性差 | `sysbench`、`fio`、`iperf3` |
| **虚拟化层开销** | Hypervisor(KVM/Xen)的指令翻译和中断模拟 | `perf kvm stat` (需开启虚拟化支持)|
| **Docker 运行时** | cgroup 隔离、OverlayFS 文件系统的读写放大 | `docker stats`、`dmesg` 日志 |
| **网络虚拟化** | bridge/iptables/SDN 转发延迟 | `ping`、`tcpdump` |
#### **(3) 针对 Hypervisor 的微观性能剖析**
- **使用 `perf kvm` 分析 KVM 事件**(需 root 权限且宿主机支持):
```bash
# 在 CVM 宿主机或嵌套虚拟化环境中运行
perf kvm stat record -a sleep 10 # 记录 10 秒内的 KVM 事件
perf kvm stat report # 查看 CPU 退出原因分析
```
关注 `%VM-EXIT` 事件:
- 高比例的 `HLT`(CPU 休眠等待)说明因虚拟化调度导致空闲浪费。
- 频繁 `IO_INSTRUCTION` 或 `EPT_VIOLATION` 表明设备模拟开销大。
---
### **4. 典型案例与优化建议**
#### **(1) 情景:CPU 密集型任务虚拟化损耗 25%**
- **证据**:`sysbench` 显示虚拟化导致 CPU 性能下降。
- **优化方案**:
- 选择支持 **CPU 直通(PCIe Pass-through)** 的云实例(如 AWS 裸金属实例)。
- 在 CVM 内启用 **KVM 嵌套虚拟化**(仅适合测试环境):
```bash
# 对于 Intel CPU
echo "options kvm-intel nested=Y" > /etc/modprobe.d/kvm-intel.conf
```
#### **(2) 情景:云磁盘 IOPS 低下导致任务延迟**
- **证据**:`fio` 测试显示 CVM 的顺序读写带宽仅为物理机的 10%。
- **优化方案**:
- 升级为本地 NVMe SSD 云盘(如 GCP local SSD、阿里云本地盘)。
- 调整挂载参数使用 `direct-io`(避免双缓存):
```yaml
volumes:
- type: volume
source: my_vol
target: /data
volume:
nocopy: true
device: tmpfs # 或绑定宿主机 SSD 目录
```
#### **(3) 情景:Docker OverlayFS 导致文件操作变慢**
- **证据**:在容器内执行文件遍历任务时间远长于物理机。
- **优化方案**:
- 改用高性能存储驱动(如 `overlay2` + `xfs`):
```bash
mkfs.xfs /dev/sdb -n ftype=1 # 确保 XFS 支持 OverlayFS
```
- 减少 Overlay 层数:避免多层 `COPY` 操作。
---
### **5. 自动化验证脚本示例**
创建统一执行的测试脚本,确保两环境操作一致性:
```bash
#!/bin/bash
# perf-test.sh
# 1. 基础性能测试
echo "Running sysbench CPU test..."
sysbench cpu --cpu-max-prime=20000 run
# 2. Docker 容器内计算任务耗时测试
echo "Running Docker command timing..."
time docker run --rm -it --cpus=4 your_image /app/your_task
# 3. 网络延迟测试(假设目标 IP 为另一台物理机)
echo "Testing network latency to physical host..."
ping -c 10 <PHYSICAL_HOST_IP>
```
在两台机器上**同时运行脚本**并对比日志:
```bash
# 物理机(对照组)
./perf-test.sh > physical.log
# CVM(实验组)
./perf-test.sh > cvm.log
# 生成对比报告
diff physical.log cvm.log
```
---
### **最终结论与行动建议**
1. **损耗可接受范围**:
- **CPU/Memory**:**10%~25%** 属于公有云常规虚拟化损耗,若业务对此敏感则需升级实例类型。
- **Disk/Network**:**性能下降 50% 以上** 通常需要调整存储或网络架构(如本地 SSD、SR-IOV 网卡)。
2. **决策路径**:
- **损耗 ≤15%** → 优化 Docker 配置和应用逻辑,可能无需更换基础设施。
- **损耗 >30%** → 选择裸金属云服务器或调整业务架构(如拆分微服务减少单任务负载)。
3. **云厂商差异**:
- **AWS**:测试 EC2(虚拟化) vs Bare Metal(裸金属)。
- **Google Cloud**:对比普通 VM 和基于 Compute Engine 的裸金属方案。
通过上述方法,你可以精确量化 CVM 虚拟化层对 Docker 的性能影响,并做出数据驱动的优化决策。
Model: deepseek/deepseek-r12025-07-02 09:08:56
Context:
[
{
"role": "user",
"content": "我在用grafana,我希望能看到dashboard展示以下内容解答我的疑惑,请你给我一个dashboard的配置让我可以看到这些信息\n为什么我在grafana上看到cpu usage在8cpu的时候是60%,16核cpu的时候上升到130%甚至200%"
},
{
"role": "assistant",
"content": "你在Grafana看到的CPU使用率超过100%是正常的现象,因为 **CPU使用率的计算方式是基于核心数**(比如16核CPU的100%代表单核满载,1600%则是所有核心满载)。以下是帮助你排查问题的Grafana Dashboard配置建议:\n\n---\n\n### **Dashboard 核心指标配置**\n#### 1. **总CPU使用率(标准化百分比)**\n - **目标**:统一查看不同核心数的CPU使用率(按百分比标准化)\n - **查询表达式**(假设使用Prometheus数据源):\n ```promql\n 100 * (1 - avg(rate(node_cpu_seconds_total{mode=\"idle\"}[$interval])) by (instance))\n ```\n - **说明**:无论CPU核心数是多少,此查询会将使用率压缩到0%~100%范围,便于对比。\n\n#### 2. **分核心CPU使用率(原始值)**\n - **目标**:查看每个物理核心的实际使用量(帮助识别是否某个核心满载)\n - **查询表达式**:\n ```promql\n sum by (cpu) (rate(node_cpu_seconds_total{mode!=\"idle\"}[$interval]))\n ```\n - **可视化**:堆叠柱状图或分面图(每个核心独立显示)。\n\n#### 3. **用户态 vs 内核态CPU时间**\n - **目标**:确认CPU时间消耗在用户程序还是内核调用(如系统调用)\n - **查询表达式**:\n ```promql\n # 用户态\n sum(rate(node_cpu_seconds_total{mode=\"user\"}[$interval])) by (instance)\n # 内核态\n sum(rate(node_cpu_seconds_total{mode=\"system\"}[$interval])) by (instance)\n ```\n\n#### 4. **上下文切换(Context Switches)**\n - **目标**:高频率上下文切换可能导致CPU效率下降\n - **查询表达式**:\n ```promql\n rate(node_context_switches_total[$interval])\n ```\n\n#### 5. **运行队列长度(Load Average)**\n - **目标**:观察系统的负载压力是否超过CPU处理能力\n - **查询表达式**:\n ```promql\n node_load1 # 1分钟平均负载\n node_load5 # 5分钟平均负载\n node_load15 # 15分钟平均负载\n ```\n\n---\n\n### **可能的问题原因**\n1. **CPU核心数计算方式差异**:\n - 如果仪表盘未将多核CPU的用量标准化(例如直接累加所有核心的利用率),16核CPU的200%仅表示平均每核12.5%的负载,属于正常范围。\n\n2. **突发的进程竞争**:\n - 多核环境下,某些进程可能集中在少量核心运行(如单线程程序),导致部分核心满载而其他空闲。\n\n3. **内核资源争用**:\n - 高频率的系统调用、中断或锁竞争可能导致内核态CPU使用率激增。\n\n4. **监控数据采集间隔**:\n - 如果数据采集间隔(如Prometheus的`scrape_interval`)过长,可能导致瞬时峰值被错误放大。\n\n---\n\n### **Dashboard配置示例**\n- **面板类型**:混合使用Stat(总览)、Graph(趋势)、Heatmap(核心分布)。\n- **变量(Variables)**:\n - 添加`instance`变量(如果监控多台主机)。\n - 添加`interval`变量(动态调整时间范围)。\n\n---\n\n### **下一步排查建议**\n1. **检查具体进程**:\n - 在主机上运行 `top` 或 `htop`,观察哪些进程占用CPU最高。\n - 使用`pidstat -u 1`查看进程级的CPU使用率。\n\n2. **分析系统调用**:\n - 使用 `perf top` 或 `strace` 跟踪高CPU进程的系统调用。\n\n3. **优化多核负载均衡**:\n - 如果发现单个核心负载过高,尝试优化进程的CPU亲和性(CPU affinity)。\n\n---\n\n通过以上Dashboard配置,你可以更清晰地看到CPU使用率的分布和潜在瓶颈。如果问题依然存在,可以进一步提供监控数据的截图或查询表达式,我会帮你分析具体原因!"
},
{
"role": "user",
"content": "docker compose up -d可以指定cpu个数吗,如何查看up -d之后的日志"
},
{
"role": "assistant",
"content": "以下是针对您的问题的详细解答:\n\n---\n\n### **1. 在 `docker-compose up -d` 中指定 CPU 个数**\n\nDocker Compose 允许通过配置文件限制容器的 CPU 资源。具体配置方式如下:\n\n#### **方法一:使用 `cpus` 直接限制**\n在 `docker-compose.yml` 文件中,为服务添加 `cpus` 字段,指定容器可以使用的 CPU 核心数(支持小数,如 `1.5` 表示 1.5 个核心)。\n\n```yaml\nversion: '3.8'\nservices:\n your_service:\n image: your_image\n deploy: # 适用于 Swarm 模式\n resources:\n limits:\n cpus: '2' # 限制最多使用 2 个 CPU 核心\n # 单机模式(非 Swarm)使用以下配置:\n # resources:\n # limits:\n # cpus: '2'\n```\n\n#### **方法二:使用 `cpu_quota` 和 `cpu_period`**\n通过调整时间配额更精细地控制 CPU 时间(适用于高级场景):\n\n```yaml\nservices:\n your_service:\n image: your_image\n cpu_quota: 100000 # 每周期分配的 CPU 时间(单位:微秒)\n cpu_period: 100000 # CPU 周期长度(默认 100000,即 100ms)\n # 表示 CPU 使用率为 quota/period = 100000/100000 = 1 个核心\n```\n\n#### **验证配置是否生效**\n运行以下命令查看容器的 CPU 限制:\n```bash\ndocker inspect <容器ID> | grep -i Cpu\n```\n\n---\n\n### **2. 查看 `docker-compose up -d` 后的日志**\n\n#### **查看所有服务的日志**\n```bash\ndocker compose logs\n```\n\n#### **查看特定服务的日志**\n```bash\ndocker compose logs <服务名>\n```\n\n#### **实时跟踪日志输出(类似 `tail -f`)**\n```bash\ndocker compose logs -f <服务名>\n```\n\n#### **查看最近 N 条日志**\n```bash\ndocker compose logs --tail=100 <服务名> # 查看最后 100 行\n```\n\n#### **查看指定时间范围内的日志**\n```bash\ndocker compose logs --since=10m <服务名> # 查看过去 10 分钟的日志\n```\n\n---\n\n### **常见问题及解决**\n\n1. **权限问题导致无法查看日志** \n 确保当前用户有权限访问 Docker 守护进程(通常需要加入 `docker` 用户组):\n ```bash\n sudo usermod -aG docker $USER && newgrp docker\n ```\n\n2. **日志过多或滚动太快** \n - 使用 `docker compose logs --tail=100` 限制输出行数。\n - 结合 `grep` 过滤关键字:\n ```bash\n docker compose logs | grep \"ERROR\"\n ```\n\n3. **Compose 版本差异** \n - 确认 `docker-compose.yml` 的版本与 Docker 兼容(使用 `docker compose version` 检查)。\n - 旧版本可能不支持 `resources.limits`,需升级 Docker 和 Compose。\n\n---\n\n### **完整示例**\n\n假设 `docker-compose.yml` 内容如下:\n```yaml\nversion: '3.8'\nservices:\n web:\n image: nginx\n ports:\n - \"80:80\"\n resources:\n limits:\n cpus: '1.5' # 限制使用 1.5 个 CPU 核心\n```\n\n操作步骤:\n1. 启动服务:\n ```bash\n docker compose up -d\n ```\n2. 查看实时日志:\n ```bash\n docker compose logs -f web\n ```\n3. 验证 CPU 限制:\n ```bash\n docker inspect $(docker ps -q --filter name=web) | grep -i Cpu\n ```\n\n---\n\n通过上述配置和命令,您可以灵活控制容器的 CPU 资源并查看运行日志。如果遇到其他问题,欢迎继续提问!"
},
{
"role": "user",
"content": "我发现直接在服务器上跑docker测试,速度就很快,11s左右,并且随着cpu核数增加,执行时间也在缩短。但是只要用compose file部署到CVM上,就会变成28-36s,无论加多少cpu,都是这个时间,所以我理解这个gap不在于核的多少,而在于CVM docker就是和裸机跑docker有区别?但我要怎么验证这个事呢"
}
]Response:
以下是分步验证和排查方案,以确定 CVM 上 Docker Compose 性能问题的根本原因:
---
### **第一步:排除 Docker Compose 配置干扰**
#### **1. 在 CVM 上直接运行裸机 Docker 命令**
部署完全相同的容器到 CVM,**不使用 Docker Compose**(避开 Compose 层面的干扰):
```bash
# 直接运行裸机 Docker 命令(参数与 Compose 中的配置完全一致)
docker run -d --name test_container --cpus=4 -v /data:/app/data your_image your_command
# 记录执行时间(确保命令、挂载卷等与 Compose 配置相同)
time docker run ...
```
- **分析结果**:
- 如果裸机 Docker 在 CVM 上的执行时间**接近 11 秒** → 说明问题出在 Docker Compose 配置。
- 如果执行时间**依然 28-36 秒** → 问题根源是 CVM 环境本身。
#### **2. 检查 Compose 文件中的资源限制**
确保 Compose 文件**未隐式限制资源**(如 CPU、内存、IO):
```yaml
services:
your_service:
image: your_image
# 删除或注释资源限制部分(避免错误配置导致无法利用多核)
# deploy:
# resources:
# limits:
# cpus: '1'
```
重新部署并测试执行时间:
```bash
docker compose down && docker compose up -d
```
---
### **第二步:对比 CVM 与裸机的硬件性能**
#### **1. 运行基础性能基准测试**
在 CVM 和裸机上分别运行以下测试,**直接对比硬件性能**:
- **CPU 性能**(计算密集型任务):
```bash
sysbench cpu --cpu-max-prime=20000 run
```
记录结果中的 `total time`,对比两者的计算速度差异。
- **磁盘 I/O 性能**(尤其关注写入延迟):
```bash
# 测试顺序写入速度
fio --name=test --filename=/tmp/fio-test.file --rw=write \
--size=1G --bs=128k --direct=1 --numjobs=1 --runtime=60 --time_based
```
观察 `bw (MiB/s)` 和 `iops`。
- **网络带宽与延迟**:
```bash
# 在 CVM 和裸机之间互测网络
iperf3 -c <对方IP> -t 10 # 带宽测试
ping <对方IP> # 延迟测试
```
#### **2. 检查 CVM 实例类型**
- **确认 CVM 实例类型**是否为**计算优化型**(如 AWS C5/GCP C2/Tencent Cloud CVM 的计算型)。
- 避免使用 **共享型实例**(如 AWS T 系列/GCP E2)→ 这些实例可能因 CPU 积分耗尽导致性能下降。
---
### **第三步:验证虚拟化层开销**
#### **1. 检查 CVM 的 Hypervisor 和虚拟化驱动**
- 查看 CVM 使用的虚拟化技术:
```bash
lscpu | grep Hypervisor
```
- 如果输出 `KVM` 或 `Xen`(且带有硬件虚拟化支持),理论上性能接近裸机。
- 确认启用了 **virtio 驱动**(提升磁盘/网络性能):
```bash
# 检查块设备是否使用 virtio-blk
lsblk -d -o NAME,TRAN | grep virtio
# 检查网卡是否使用 virtio-net
ethtool -i eth0 | grep driver | grep virtio
```
#### **2. 测试虚拟化层的 CPU 性能隔离**
- **运行 CPU 隔离性测试**:
```bash
# 在一个窗口运行 CPU 压力测试(占用 2 核)
stress -c 2
# 在另一个窗口测试任务执行时间
time your_command
```
- 如果在压力测试下任务时间显著增加 → CVM 的虚拟化层可能未隔离 CPU 资源。
---
### **第四步:检查系统与 Docker 配置差异**
#### **1. 核对系统内核与 Docker 版本**
- **对比 CVM 和裸机的系统环境一致性**:
```bash
uname -a # 内核版本
docker version # Docker 版本
docker info | grep Driver # 存储驱动(如 overlay2)
```
#### **2. 优化 Docker 存储驱动与日志配置**
- **调整 Docker 日志驱动**(避免默认的 `json-file` 产生额外开销):
```bash
# 临时测试:改用 journald 或禁止日志
docker run --log-driver=journald your_image
```
- **确保使用高性能存储驱动**(如 `overlay2`):
```bash
# 检查 Docker 存储驱动
docker info | grep "Storage Driver"
```
---
### **第五步:动态监控性能瓶颈**
#### **1. 使用性能分析工具实时监控**
在任务执行期间,**分别在 CVM 和裸机上运行以下监控命令**:
- **CPU 使用情况**:
```bash
htop # 按 1 查看各核心利用率(观察是否满负荷)
pidstat -u 1 # 统计进程级的 CPU 使用
```
- **磁盘 I/O 分析**:
```bash
iotop -o # 实时查看高 IO 进程
```
- **网络流量监控**:
```bash
nload eth0 # 实时查看带宽占用
```
#### **2. 生成火焰图(FlameGraph)定位代码热点**
如果任务涉及自定义程序,生成 CPU 火焰图分析延迟:
```bash
# 安装 perf 工具
apt-get install linux-perf
# 采集性能数据(替换为你的进程 ID)
perf record -F 99 -p <PID> -g -- sleep 60
# 生成火焰图
perf script | ./FlameGraph/stackcollapse-perf.pl | ./FlameGraph/flamegraph.pl > output.svg
```
对比裸机和 CVM 的火焰图,观察热点是否不同。
---
### **关键结论与建议**
根据上述测试结果,可能的原因及解决方案如下:
| **问题根源** | **验证方法** | **解决方案** |
|-------------------------------|--------------------------------------------------|------------------------------------------------------------|
| **CPU 调度差异** | CVM 上 `htop` 显示 CPU 未完全利用,或核心负载不均 | 优化进程 CPU 亲和性(`taskset` 或 Docker `--cpuset-cpus`) |
| **存储 I/O 瓶颈** | CVM 的 `fio` 磁盘写入速度显著低于裸机 | 更换 CVM 实例类型(选择 SSD 或本地 NVMe 机型) |
| **虚拟化层限制** | CPU 压力测试导致任务时间显著变长 | 改用支持 **嵌套虚拟化** 或 **裸金属云服务器** |
| **Docker Compose 配置限制** | 裸 Docker 命令在 CVM 上正常,Compose 部署慢 | 排查 Compose 中的服务依赖、网络模式(如 `host` vs `bridge`)|
| **日志或存储驱动拖累性能** | 更改日志驱动后性能提升 | 永久配置 Docker 使用 `journald` 或禁用不必要的日志 |
---
### **快速验证案例**
假设在 CVM 上直接运行裸机 Docker 命令后,时间仍为 28 秒:
1. **运行 CPU 基准测试**:发现 CVM 的 `sysbench` 结果明显慢于裸机 → **确认是 CVM 的虚拟化层性能问题**。
2. **更换高性能实例类型**:选择计算优化型(如 AWS c5.4xlarge),重新测试 → 如果时间缩短至裸机水平,则为实例类型问题。
3. **存储优化**:如果磁盘 I/O 低 → 更换为本地 NVMe 实例或调整挂载选项(`direct-io`)。
---
通过逐层排除和环境比对,你最终可以定位到具体的性能瓶颈。如果测试后仍有疑问,可以提供更详细的监控数据(如火焰图、sysbench 结果等),我会进一步协助分析!
Model: deepseek/deepseek-r12025-07-02 06:48:16
Context:
[
{
"role": "user",
"content": "我在用grafana,我希望能看到dashboard展示以下内容解答我的疑惑,请你给我一个dashboard的配置让我可以看到这些信息\n为什么我在grafana上看到cpu usage在8cpu的时候是60%,16核cpu的时候上升到130%甚至200%"
},
{
"role": "assistant",
"content": "你在Grafana看到的CPU使用率超过100%是正常的现象,因为 **CPU使用率的计算方式是基于核心数**(比如16核CPU的100%代表单核满载,1600%则是所有核心满载)。以下是帮助你排查问题的Grafana Dashboard配置建议:\n\n---\n\n### **Dashboard 核心指标配置**\n#### 1. **总CPU使用率(标准化百分比)**\n - **目标**:统一查看不同核心数的CPU使用率(按百分比标准化)\n - **查询表达式**(假设使用Prometheus数据源):\n ```promql\n 100 * (1 - avg(rate(node_cpu_seconds_total{mode=\"idle\"}[$interval])) by (instance))\n ```\n - **说明**:无论CPU核心数是多少,此查询会将使用率压缩到0%~100%范围,便于对比。\n\n#### 2. **分核心CPU使用率(原始值)**\n - **目标**:查看每个物理核心的实际使用量(帮助识别是否某个核心满载)\n - **查询表达式**:\n ```promql\n sum by (cpu) (rate(node_cpu_seconds_total{mode!=\"idle\"}[$interval]))\n ```\n - **可视化**:堆叠柱状图或分面图(每个核心独立显示)。\n\n#### 3. **用户态 vs 内核态CPU时间**\n - **目标**:确认CPU时间消耗在用户程序还是内核调用(如系统调用)\n - **查询表达式**:\n ```promql\n # 用户态\n sum(rate(node_cpu_seconds_total{mode=\"user\"}[$interval])) by (instance)\n # 内核态\n sum(rate(node_cpu_seconds_total{mode=\"system\"}[$interval])) by (instance)\n ```\n\n#### 4. **上下文切换(Context Switches)**\n - **目标**:高频率上下文切换可能导致CPU效率下降\n - **查询表达式**:\n ```promql\n rate(node_context_switches_total[$interval])\n ```\n\n#### 5. **运行队列长度(Load Average)**\n - **目标**:观察系统的负载压力是否超过CPU处理能力\n - **查询表达式**:\n ```promql\n node_load1 # 1分钟平均负载\n node_load5 # 5分钟平均负载\n node_load15 # 15分钟平均负载\n ```\n\n---\n\n### **可能的问题原因**\n1. **CPU核心数计算方式差异**:\n - 如果仪表盘未将多核CPU的用量标准化(例如直接累加所有核心的利用率),16核CPU的200%仅表示平均每核12.5%的负载,属于正常范围。\n\n2. **突发的进程竞争**:\n - 多核环境下,某些进程可能集中在少量核心运行(如单线程程序),导致部分核心满载而其他空闲。\n\n3. **内核资源争用**:\n - 高频率的系统调用、中断或锁竞争可能导致内核态CPU使用率激增。\n\n4. **监控数据采集间隔**:\n - 如果数据采集间隔(如Prometheus的`scrape_interval`)过长,可能导致瞬时峰值被错误放大。\n\n---\n\n### **Dashboard配置示例**\n- **面板类型**:混合使用Stat(总览)、Graph(趋势)、Heatmap(核心分布)。\n- **变量(Variables)**:\n - 添加`instance`变量(如果监控多台主机)。\n - 添加`interval`变量(动态调整时间范围)。\n\n---\n\n### **下一步排查建议**\n1. **检查具体进程**:\n - 在主机上运行 `top` 或 `htop`,观察哪些进程占用CPU最高。\n - 使用`pidstat -u 1`查看进程级的CPU使用率。\n\n2. **分析系统调用**:\n - 使用 `perf top` 或 `strace` 跟踪高CPU进程的系统调用。\n\n3. **优化多核负载均衡**:\n - 如果发现单个核心负载过高,尝试优化进程的CPU亲和性(CPU affinity)。\n\n---\n\n通过以上Dashboard配置,你可以更清晰地看到CPU使用率的分布和潜在瓶颈。如果问题依然存在,可以进一步提供监控数据的截图或查询表达式,我会帮你分析具体原因!"
},
{
"role": "user",
"content": "docker compose up -d可以指定cpu个数吗,如何查看up -d之后的日志"
}
]Response:
以下是针对您的问题的详细解答:
---
### **1. 在 `docker-compose up -d` 中指定 CPU 个数**
Docker Compose 允许通过配置文件限制容器的 CPU 资源。具体配置方式如下:
#### **方法一:使用 `cpus` 直接限制**
在 `docker-compose.yml` 文件中,为服务添加 `cpus` 字段,指定容器可以使用的 CPU 核心数(支持小数,如 `1.5` 表示 1.5 个核心)。
```yaml
version: '3.8'
services:
your_service:
image: your_image
deploy: # 适用于 Swarm 模式
resources:
limits:
cpus: '2' # 限制最多使用 2 个 CPU 核心
# 单机模式(非 Swarm)使用以下配置:
# resources:
# limits:
# cpus: '2'
```
#### **方法二:使用 `cpu_quota` 和 `cpu_period`**
通过调整时间配额更精细地控制 CPU 时间(适用于高级场景):
```yaml
services:
your_service:
image: your_image
cpu_quota: 100000 # 每周期分配的 CPU 时间(单位:微秒)
cpu_period: 100000 # CPU 周期长度(默认 100000,即 100ms)
# 表示 CPU 使用率为 quota/period = 100000/100000 = 1 个核心
```
#### **验证配置是否生效**
运行以下命令查看容器的 CPU 限制:
```bash
docker inspect <容器ID> | grep -i Cpu
```
---
### **2. 查看 `docker-compose up -d` 后的日志**
#### **查看所有服务的日志**
```bash
docker compose logs
```
#### **查看特定服务的日志**
```bash
docker compose logs <服务名>
```
#### **实时跟踪日志输出(类似 `tail -f`)**
```bash
docker compose logs -f <服务名>
```
#### **查看最近 N 条日志**
```bash
docker compose logs --tail=100 <服务名> # 查看最后 100 行
```
#### **查看指定时间范围内的日志**
```bash
docker compose logs --since=10m <服务名> # 查看过去 10 分钟的日志
```
---
### **常见问题及解决**
1. **权限问题导致无法查看日志**
确保当前用户有权限访问 Docker 守护进程(通常需要加入 `docker` 用户组):
```bash
sudo usermod -aG docker $USER && newgrp docker
```
2. **日志过多或滚动太快**
- 使用 `docker compose logs --tail=100` 限制输出行数。
- 结合 `grep` 过滤关键字:
```bash
docker compose logs | grep "ERROR"
```
3. **Compose 版本差异**
- 确认 `docker-compose.yml` 的版本与 Docker 兼容(使用 `docker compose version` 检查)。
- 旧版本可能不支持 `resources.limits`,需升级 Docker 和 Compose。
---
### **完整示例**
假设 `docker-compose.yml` 内容如下:
```yaml
version: '3.8'
services:
web:
image: nginx
ports:
- "80:80"
resources:
limits:
cpus: '1.5' # 限制使用 1.5 个 CPU 核心
```
操作步骤:
1. 启动服务:
```bash
docker compose up -d
```
2. 查看实时日志:
```bash
docker compose logs -f web
```
3. 验证 CPU 限制:
```bash
docker inspect $(docker ps -q --filter name=web) | grep -i Cpu
```
---
通过上述配置和命令,您可以灵活控制容器的 CPU 资源并查看运行日志。如果遇到其他问题,欢迎继续提问!
Model: gpt-4o-mini-2024-07-182025-07-02 03:14:05
Context:
[
{
"role": "system",
"content": "You are an assistant who is good at conversation. You need to summarize the user's conversation into a title of 10 characters or less. It should be in the format of \"Action - Title\". Some examples:\n1. Learn - Bitcoin 2. Code - Web Server 3. Write - An Article"
},
{
"role": "user",
"content": "[{\"role\":\"user\",\"mainText\":\"什么是jwt\"},{\"role\":\"assistant\",\"mainText\":\"# JWT (JSON Web Token)\\n\\nJWT是一种开放标准(RFC 7519),它定义了一种紧凑且自包含的方式,用于在各方之间以JSON对象安全地传输信息。\\n\\n## 主要特点\\n\\n1. **紧凑**:JWT可以通过URL、POST参数或HTTP Header发送,体积小,传输速度快。\\n\\n2. **自包含**:JWT包含了所有用户所需的信息,避免了多次查询数据库。\\n\\n3. **安全性**:JWT可以使用数字签名(如HMAC算法、RSA或ECDSA)进行签名,确保内容不被篡改。\\n\\n## JWT结构\\n\\nJWT由三部分组成,以点(.)分隔:\\n- **Header**(头部):指定签名算法和令牌类型\\n- **Payload**(负载):包含声明(claims)信息\\n- **Signature**(签名):用于验证消息未被篡改\\n\\n## 常见用途\\n\\n- **身份认证**:用户登录后,服务器生成JWT,后续请求携带此令牌进行身份验证\\n- **信息交换**:安全地在各方之间传输信息\\n\\n## 优缺点\\n\\n**优点**:\\n- 无状态,减轻服务器负担\\n- 跨域认证方便\\n- 自包含用户信息,减少数据库查询\\n\\n**缺点**:\\n- 一旦签发无法撤销(除非设置较短的过期时间)\\n- Payload部分仅编码不加密,不应存放敏感信息\\n- 令牌体积可能较大\\n\\nJWT已成为现代Web应用程序和微服务架构中常用的身份验证和授权机制。\"}]"
}
]Response:
Learn - JWT Info
Model: claude-3-7-sonnet-202502192025-07-02 03:14:04
Context:
[
{
"role": "user",
"content": "什么是jwt"
}
]Response:
# JWT (JSON Web Token)
JWT是一种开放标准(RFC 7519),它定义了一种紧凑且自包含的方式,用于在各方之间以JSON对象安全地传输信息。
## 主要特点
1. **紧凑**:JWT可以通过URL、POST参数或HTTP Header发送,体积小,传输速度快。
2. **自包含**:JWT包含了所有用户所需的信息,避免了多次查询数据库。
3. **安全性**:JWT可以使用数字签名(如HMAC算法、RSA或ECDSA)进行签名,确保内容不被篡改。
## JWT结构
JWT由三部分组成,以点(.)分隔:
- **Header**(头部):指定签名算法和令牌类型
- **Payload**(负载):包含声明(claims)信息
- **Signature**(签名):用于验证消息未被篡改
## 常见用途
- **身份认证**:用户登录后,服务器生成JWT,后续请求携带此令牌进行身份验证
- **信息交换**:安全地在各方之间传输信息
## 优缺点
**优点**:
- 无状态,减轻服务器负担
- 跨域认证方便
- 自包含用户信息,减少数据库查询
**缺点**:
- 一旦签发无法撤销(除非设置较短的过期时间)
- Payload部分仅编码不加密,不应存放敏感信息
- 令牌体积可能较大
JWT已成为现代Web应用程序和微服务架构中常用的身份验证和授权机制。
Model: deepseek/deepseek-r12025-07-02 03:05:56
Context:
[
{
"role": "system",
"content": "你是一名擅长会话的助理,你需要将用户的会话总结为 10 个字以内的标题,标题语言与用户的首要语言一致,不要使用标点符号和其他特殊符号"
},
{
"role": "user",
"content": "User: 我在用grafana,我希望能看到dashboard展示以下内容解答我的疑惑,请你给我一个dashboard的配置让我可以看到这些信息\n为什么我在grafana上看到cpu usage在8cpu的时候是60%,16核cpu的时候上升到130%甚至200%\nAssistant: 你在Grafana看到的CPU使用率超过100%是正常的现象,因为 **CPU使用率的计算方式是基于核心数**(比如16核CPU的100%代表单核满载,1600%则是所有核心满载)。以下是帮助你排查问题的Grafana Dashboard配置建议:\n\n---\n\n### **Dashboard 核心指标配置**\n#### 1. **总CPU使用率(标准化百分比)**\n - **目标**:统一查看不同核心数的CPU使用率(按百分比标准化)\n - **查询表达式**(假设使用Prometheus数据源):\n ```promql\n 100 * (1 - avg(rate(node_cpu_seconds_total{mode=\"idle\"}[$interval])) by (instance))\n ```\n - **说明**:无论CPU核心数是多少,此查询会将使用率压缩到0%~100%范围,便于对比。\n\n#### 2. **分核心CPU使用率(原始值)**\n - **目标**:查看每个物理核心的实际使用量(帮助识别是否某个核心满载)\n - **查询表达式**:\n ```promql\n sum by (cpu) (rate(node_cpu_seconds_total{mode!=\"idle\"}[$interval]))\n ```\n - **可视化**:堆叠柱状图或分面图(每个核心独立显示)。\n\n#### 3. **用户态 vs 内核态CPU时间**\n - **目标**:确认CPU时间消耗在用户程序还是内核调用(如系统调用)\n - **查询表达式**:\n ```promql\n # 用户态\n sum(rate(node_cpu_seconds_total{mode=\"user\"}[$interval])) by (instance)\n # 内核态\n sum(rate(node_cpu_seconds_total{mode=\"system\"}[$interval])) by (instance)\n ```\n\n#### 4. **上下文切换(Context Switches)**\n - **目标**:高频率上下文切换可能导致CPU效率下降\n - **查询表达式**:\n ```promql\n rate(node_context_switches_total[$interval])\n ```\n\n#### 5. **运行队列长度(Load Average)**\n - **目标**:观察系统的负载压力是否超过CPU处理能力\n - **查询表达式**:\n ```promql\n node_load1 # 1分钟平均负载\n node_load5 # 5分钟平均负载\n node_load15 # 15分钟平均负载\n ```\n\n---\n\n### **可能的问题原因**\n1. **CPU核心数计算方式差异**:\n - 如果仪表盘未将多核CPU的用量标准化(例如直接累加所有核心的利用率),16核CPU的200%仅表示平均每核12.5%的负载,属于正常范围。\n\n2. **突发的进程竞争**:\n - 多核环境下,某些进程可能集中在少量核心运行(如单线程程序),导致部分核心满载而其他空闲。\n\n3. **内核资源争用**:\n - 高频率的系统调用、中断或锁竞争可能导致内核态CPU使用率激增。\n\n4. **监控数据采集间隔**:\n - 如果数据采集间隔(如Prometheus的`scrape_interval`)过长,可能导致瞬时峰值被错误放大。\n\n---\n\n### **Dashboard配置示例**\n- **面板类型**:混合使用Stat(总览)、Graph(趋势)、Heatmap(核心分布)。\n- **变量(Variables)**:\n - 添加`instance`变量(如果监控多台主机)。\n - 添加`interval`变量(动态调整时间范围)。\n\n---\n\n### **下一步排查建议**\n1. **检查具体进程**:\n - 在主机上运行 `top` 或 `htop`,观察哪些进程占用CPU最高。\n - 使用`pidstat -u 1`查看进程级的CPU使用率。\n\n2. **分析系统调用**:\n - 使用 `perf top` 或 `strace` 跟踪高CPU进程的系统调用。\n\n3. **优化多核负载均衡**:\n - 如果发现单个核心负载过高,尝试优化进程的CPU亲和性(CPU affinity)。\n\n---\n\n通过以上Dashboard配置,你可以更清晰地看到CPU使用率的分布和潜在瓶颈。如果问题依然存在,可以进一步提供监控数据的截图或查询表达式,我会帮你分析具体原因!"
}
]Response:
CPU核心数与使用率百分比关系
Model: deepseek/deepseek-r12025-07-02 03:05:46
Context:
[
{
"role": "user",
"content": "我在用grafana,我希望能看到dashboard展示以下内容解答我的疑惑,请你给我一个dashboard的配置让我可以看到这些信息\n为什么我在grafana上看到cpu usage在8cpu的时候是60%,16核cpu的时候上升到130%甚至200%"
}
]Response:
你在Grafana看到的CPU使用率超过100%是正常的现象,因为 **CPU使用率的计算方式是基于核心数**(比如16核CPU的100%代表单核满载,1600%则是所有核心满载)。以下是帮助你排查问题的Grafana Dashboard配置建议:
---
### **Dashboard 核心指标配置**
#### 1. **总CPU使用率(标准化百分比)**
- **目标**:统一查看不同核心数的CPU使用率(按百分比标准化)
- **查询表达式**(假设使用Prometheus数据源):
```promql
100 * (1 - avg(rate(node_cpu_seconds_total{mode="idle"}[$interval])) by (instance))
```
- **说明**:无论CPU核心数是多少,此查询会将使用率压缩到0%~100%范围,便于对比。
#### 2. **分核心CPU使用率(原始值)**
- **目标**:查看每个物理核心的实际使用量(帮助识别是否某个核心满载)
- **查询表达式**:
```promql
sum by (cpu) (rate(node_cpu_seconds_total{mode!="idle"}[$interval]))
```
- **可视化**:堆叠柱状图或分面图(每个核心独立显示)。
#### 3. **用户态 vs 内核态CPU时间**
- **目标**:确认CPU时间消耗在用户程序还是内核调用(如系统调用)
- **查询表达式**:
```promql
# 用户态
sum(rate(node_cpu_seconds_total{mode="user"}[$interval])) by (instance)
# 内核态
sum(rate(node_cpu_seconds_total{mode="system"}[$interval])) by (instance)
```
#### 4. **上下文切换(Context Switches)**
- **目标**:高频率上下文切换可能导致CPU效率下降
- **查询表达式**:
```promql
rate(node_context_switches_total[$interval])
```
#### 5. **运行队列长度(Load Average)**
- **目标**:观察系统的负载压力是否超过CPU处理能力
- **查询表达式**:
```promql
node_load1 # 1分钟平均负载
node_load5 # 5分钟平均负载
node_load15 # 15分钟平均负载
```
---
### **可能的问题原因**
1. **CPU核心数计算方式差异**:
- 如果仪表盘未将多核CPU的用量标准化(例如直接累加所有核心的利用率),16核CPU的200%仅表示平均每核12.5%的负载,属于正常范围。
2. **突发的进程竞争**:
- 多核环境下,某些进程可能集中在少量核心运行(如单线程程序),导致部分核心满载而其他空闲。
3. **内核资源争用**:
- 高频率的系统调用、中断或锁竞争可能导致内核态CPU使用率激增。
4. **监控数据采集间隔**:
- 如果数据采集间隔(如Prometheus的`scrape_interval`)过长,可能导致瞬时峰值被错误放大。
---
### **Dashboard配置示例**
- **面板类型**:混合使用Stat(总览)、Graph(趋势)、Heatmap(核心分布)。
- **变量(Variables)**:
- 添加`instance`变量(如果监控多台主机)。
- 添加`interval`变量(动态调整时间范围)。
---
### **下一步排查建议**
1. **检查具体进程**:
- 在主机上运行 `top` 或 `htop`,观察哪些进程占用CPU最高。
- 使用`pidstat -u 1`查看进程级的CPU使用率。
2. **分析系统调用**:
- 使用 `perf top` 或 `strace` 跟踪高CPU进程的系统调用。
3. **优化多核负载均衡**:
- 如果发现单个核心负载过高,尝试优化进程的CPU亲和性(CPU affinity)。
---
通过以上Dashboard配置,你可以更清晰地看到CPU使用率的分布和潜在瓶颈。如果问题依然存在,可以进一步提供监控数据的截图或查询表达式,我会帮你分析具体原因!
Model: claude-3-7-sonnet-202502192025-07-02 01:46:02
Context:
[
{
"role": "user",
"content": "在上海 实线变道 变道不打灯 逆向行驶分别怎么处罚"
},
{
"role": "assistant",
"content": "# 上海交通违规处罚规定\n\n根据上海市交通管理规定,以下是各类违规行为的处罚标准:\n\n## 实线变道\n- 罚款:200元\n- 记分:3分\n- 法律依据:《道路交通安全法》第38条,违反道路交通安全法律、法规的规定,越过道路中心实线行驶的\n\n## 变道不打转向灯\n- 罚款:50元\n- 记分:1分\n- 法律依据:《道路交通安全法》第45条,转弯、变更车道、超车等行为不按规定使用转向灯的\n\n## 逆向行驶\n- 罚款:200元\n- 记分:12分(属于严重交通违法行为)\n- 法律依据:《道路交通安全法》第38条,在道路上逆向行驶的\n\n请注意,上述处罚标准可能会根据具体情况和法规更新而有所调整,建议遵守交通规则,安全驾驶。"
},
{
"role": "user",
"content": "逆向行驶和借道超车怎么区别"
}
]Response:
# 逆向行驶与借道超车的区别
## 逆向行驶
- **定义**:机动车在道路上行驶时,驶入有明确标识的相对方向的车道上行驶
- **特点**:
- 完全进入对向车道
- 与规定的行驶方向相反
- 通常持续一段距离
- **处罚**:罚款200元,记12分(属于严重交通违法行为)
## 借道超车
- **定义**:在超越前方车辆时,临时借用对向车道完成超车动作后立即返回原车道
- **特点**:
- 临时性使用对向车道
- 目的是超越前方车辆
- 完成超车后立即返回原车道
- 在确保安全且路况允许的情况下进行
- **处罚**:
- 如在禁止超车的路段(如实线区域)借道超车:罚款200元,记3分
- 如在允许超车的路段(如虚线区域)不按规定借道超车:罚款50元,记3分
## 主要区别
1. **目的不同**:逆向行驶是违规行为;借道超车是在特定条件下允许的驾驶操作
2. **持续时间**:逆向行驶通常持续较长时间;借道超车是短暂的、临时性的
3. **行为性质**:逆向行驶完全违反交通规则;借道超车在特定条件下是允许的
4. **处罚力度**:逆向行驶处罚更严重(12分);借道超车违规处罚相对较轻
需要注意,在实线区域、桥梁、隧道、弯道、坡道等危险路段都禁止借道超车,此时的借道超车行为可能会被认定为违规。
Model: gpt-4o-mini-2024-07-182025-07-02 01:45:32
Context:
[
{
"role": "system",
"content": "You are an assistant who is good at conversation. You need to summarize the user's conversation into a title of 10 characters or less. It should be in the format of \"Action - Title\". Some examples:\n1. Learn - Bitcoin 2. Code - Web Server 3. Write - An Article"
},
{
"role": "user",
"content": "[{\"role\":\"user\",\"mainText\":\"在上海 实线变道 变道不打灯 逆向行驶分别怎么处罚\"},{\"role\":\"assistant\",\"mainText\":\"# 上海交通违规处罚规定\\n\\n根据上海市交通管理规定,以下是各类违规行为的处罚标准:\\n\\n## 实线变道\\n- 罚款:200元\\n- 记分:3分\\n- 法律依据:《道路交通安全法》第38条,违反道路交通安全法律、法规的规定,越过道路中心实线行驶的\\n\\n## 变道不打转向灯\\n- 罚款:50元\\n- 记分:1分\\n- 法律依据:《道路交通安全法》第45条,转弯、变更车道、超车等行为不按规定使用转向灯的\\n\\n## 逆向行驶\\n- 罚款:200元\\n- 记分:12分(属于严重交通违法行为)\\n- 法律依据:《道路交通安全法》第38条,在道路上逆向行驶的\\n\\n请注意,上述处罚标准可能会根据具体情况和法规更新而有所调整,建议遵守交通规则,安全驾驶。\"}]"
}
]Response:
Inquire - Traffic Penalties
Model: claude-3-7-sonnet-202502192025-07-02 01:45:30
Context:
[
{
"role": "user",
"content": "在上海 实线变道 变道不打灯 逆向行驶分别怎么处罚"
}
]Response:
# 上海交通违规处罚规定
根据上海市交通管理规定,以下是各类违规行为的处罚标准:
## 实线变道
- 罚款:200元
- 记分:3分
- 法律依据:《道路交通安全法》第38条,违反道路交通安全法律、法规的规定,越过道路中心实线行驶的
## 变道不打转向灯
- 罚款:50元
- 记分:1分
- 法律依据:《道路交通安全法》第45条,转弯、变更车道、超车等行为不按规定使用转向灯的
## 逆向行驶
- 罚款:200元
- 记分:12分(属于严重交通违法行为)
- 法律依据:《道路交通安全法》第38条,在道路上逆向行驶的
请注意,上述处罚标准可能会根据具体情况和法规更新而有所调整,建议遵守交通规则,安全驾驶。
Model: gpt-4o-mini-2024-07-182025-07-01 07:44:20
Context:
[
{
"role": "system",
"content": "You are an assistant who is good at conversation. You need to summarize the user's conversation into a title of 10 characters or less. It should be in the format of \"Action - Title\". Some examples:\n1. Learn - Bitcoin 2. Code - Web Server 3. Write - An Article"
},
{
"role": "user",
"content": "[{\"role\":\"user\",\"mainText\":\"按照10000的基数 按照7%公积金,计算上海这边的实际到手工资和公司实际支出\"},{\"role\":\"assistant\",\"mainText\":\"# 上海公积金缴纳与工资计算\\n\\n基于您提供的信息,我将计算上海地区按照10000元基数、7%公积金比例的实际到手工资和公司支出情况。\\n\\n## 公积金缴纳情况\\n\\n- 基数:10000元\\n- 缴纳比例:7%\\n- 个人缴纳部分:10000 × 7% = 700元\\n- 公司缴纳部分:10000 × 7% = 700元\\n\\n## 社保缴纳情况(上海2024年标准)\\n\\n假设同样按10000元基数计算社保:\\n\\n| 项目 | 个人比例 | 个人金额 | 单位比例 | 单位金额 |\\n|------|---------|---------|---------|---------|\\n| 养老保险 | 8% | 800元 | 16% | 1600元 |\\n| 医疗保险 | 2% | 200元 | 10.5% | 1050元 |\\n| 失业保险 | 0.5% | 50元 | 0.5% | 50元 |\\n| 工伤保险 | 0% | 0元 | 0.16%-1.52% | 约16-152元 |\\n| 生育保险 | 0% | 0元 | 1% | 100元 |\\n| 公积金 | 7% | 700元 | 7% | 700元 |\\n| **合计** | **17.5%** | **1750元** | **约35.16%** | **约3516元** |\\n\\n## 个税计算(假设税前工资为10000元)\\n\\n- 应纳税所得额 = 10000 - 1750(五险一金个人部分) - 5000(起征点) = 3250元\\n- 适用税率:3%(月应纳税所得额不超过36000元)\\n- 应缴个税 = 3250 × 3% = 97.5元\\n\\n## 实际到手工资\\n\\n- 税前工资:10000元\\n- 个人缴纳五险一金:1750元\\n- 个人所得税:97.5元\\n- **实际到手工资 = 10000 - 1750 - 97.5 = 8152.5元**\\n\\n## 公司实际支出\\n\\n- 员工税前工资:10000元\\n- 公司缴纳五险一金:约3516元\\n- **公司总支出 = 10000 + 3516 = 13516元**\\n\\n注意:实际计算可能因具体政策调整、个人情况(如是否有专项附加扣除)以及工伤保险费率的不同而有所差异。\"}]"
}
]Response:
Calculate - Salary
Model: claude-3-7-sonnet-202502192025-07-01 07:44:17
Context:
[
{
"role": "user",
"content": "按照10000的基数 按照7%公积金,计算上海这边的实际到手工资和公司实际支出"
}
]Response:
# 上海公积金缴纳与工资计算
基于您提供的信息,我将计算上海地区按照10000元基数、7%公积金比例的实际到手工资和公司支出情况。
## 公积金缴纳情况
- 基数:10000元
- 缴纳比例:7%
- 个人缴纳部分:10000 × 7% = 700元
- 公司缴纳部分:10000 × 7% = 700元
## 社保缴纳情况(上海2024年标准)
假设同样按10000元基数计算社保:
| 项目 | 个人比例 | 个人金额 | 单位比例 | 单位金额 |
|------|---------|---------|---------|---------|
| 养老保险 | 8% | 800元 | 16% | 1600元 |
| 医疗保险 | 2% | 200元 | 10.5% | 1050元 |
| 失业保险 | 0.5% | 50元 | 0.5% | 50元 |
| 工伤保险 | 0% | 0元 | 0.16%-1.52% | 约16-152元 |
| 生育保险 | 0% | 0元 | 1% | 100元 |
| 公积金 | 7% | 700元 | 7% | 700元 |
| **合计** | **17.5%** | **1750元** | **约35.16%** | **约3516元** |
## 个税计算(假设税前工资为10000元)
- 应纳税所得额 = 10000 - 1750(五险一金个人部分) - 5000(起征点) = 3250元
- 适用税率:3%(月应纳税所得额不超过36000元)
- 应缴个税 = 3250 × 3% = 97.5元
## 实际到手工资
- 税前工资:10000元
- 个人缴纳五险一金:1750元
- 个人所得税:97.5元
- **实际到手工资 = 10000 - 1750 - 97.5 = 8152.5元**
## 公司实际支出
- 员工税前工资:10000元
- 公司缴纳五险一金:约3516元
- **公司总支出 = 10000 + 3516 = 13516元**
注意:实际计算可能因具体政策调整、个人情况(如是否有专项附加扣除)以及工伤保险费率的不同而有所差异。
Model: deepseek/deepseek-r12025-07-01 07:43:16
Context:
[
{
"role": "user",
"content": "Hey, xxx, thanks for the review. As for the milestone 3, I have some questions about the exact deliveries we need to provide. Firstly, the SOW mentioned the TEE<->external service messaging, I think this is now available in the previous demo. You can run any docker inside TEE, and use API to interact with the docker from outside. We can provide a detailed demo about how to derive key from dstack-based TEE, therefore you can also encrypt the cross-boundary data and decrypt the message inside TEE. Furthermore, I think there is a scenario which users may register their own dataset on the Sahara App, we can provide an upload API inside TEE which accepts the users' dataset. I don't know if my understanding is right, or do you want something related to the MCP server and on-chain economical models? Like the user should first top-up on chain, and it will return a token or something to represent the usage rights of the user, the user can then use MCP as well when the limited times is done?\n\n我要在telegram群里给客户发英文消息,帮我润色一下"
},
{
"role": "assistant",
"content": "以下是润色后的英文版本,调整了结构和表达方式,更专业简洁:\n\nHi Team, \n\nThank you for the feedback on previous milestones. To ensure clarity on **Milestone 3 deliverables**, I’d like to confirm a few points: \n\n1️⃣ **TEE <-> External Service Messaging** \n - Our existing demo already demonstrates core capabilities: \n ✔️ Running Docker containers within TEE. \n ✔️ Secure API interactions between external services and TEE. \n - We propose expanding this with: \n ▶️ A detailed workflow for generating dstack-based TEE keys, enabling encrypted cross-boundary data decryption. \n ▶️ Development of a secure dataset upload API inside TEE for user-registered datasets via the Sahara App. \n\n2️⃣ **MCP Server & On-chain Economics** \n - For scenarios involving resource allocation/usage tracking (e.g., computational quotas), should we integrate mechanisms like: \n 🔸 On-chain user deposits triggering token-based access rights. \n 🔸 MCP Server coordination for consumption tracking and permission management. \n\nPlease let us know if this aligns with expectations, or if additional use cases/technical priorities need emphasis. We aim to finalize the delivery scope promptly. \n\nBest regards, \n[Your Name] \n\n**优化亮点:** \n1. 信息分层:使用符号和分段增强可读性 \n2. 逻辑重组:将技术方案与待确认问题分离,避免混淆 \n3. 指向性提问:针对经济模型部分提出具体实现方案选项供确认 \n4. 简洁专业术语:TEE/dstack/MCP 首提保留缩写,上下文自然解释 \n5. 行动导向结尾:推动客户明确答复,避免开放式收尾"
},
{
"role": "user",
"content": "我现在要委婉的拒绝客户的offer,请帮我组织语言,用英文\nHere's what we are looking for, let me know your thoughts?\n- 10 hours a week\n- Manage oracle to maintain uptime and optimize performance interacting with Gacha\n- $1k usdt for 1 mth\n上面是客户的offer,我主要想表达拒绝,首先感谢share这个机会,不过具体工作内容上,一方面我不太了解与oracle相关的业务,另一方面这份工作与我目前在phala的本职工作交集不大,我个人目前还是想以phala这边的工作为主,如果有vrf相关的需求或者与phala产品相关的需求我们都可以积极在群里支持"
},
{
"role": "assistant",
"content": "以下是为您优化的英文拒绝模板,兼顾职业礼貌和立场澄清:\n\n--- \n\n**Subject:** Appreciation for Opportunity & Project Alignment \n\nHi [Client Name], \n\nThank you for considering me for this collaborative opportunity – I truly value the trust you've placed in our team. \n\nAfter carefully reviewing the proposed scope (*oracle system maintenance + Gacha performance optimization, 10h/week*), I must respectfully decline at this stage due to two critical alignment factors: \n\n1️⃣ **Expertise Specialization** \n My current technical focus within Phala Network revolves around [VRF implementations/TEE security protocols/other relevant领域], which doesn’t intersect directly with Oracle operations. To ensure deliverables meet your quality standards, this role would be better suited to a specialist with proven oracle maintenance track records. \n\n2️⃣ **Strategic Priority Synergy** \n My bandwidth is prioritized for accelerating Phala’s core product roadmap (e.g. [mention specific tasks/features if applicable]). Redirecting effort to external system management risks compromising commitments to our mutual success in Web3 infrastructure development. \n\nThat said, I remain fully available to advise on **Phala-native use cases**, such as: \n- Custom VRF solutions integration \n- Privacy-preserving smart contract architecture \n- TEE-based security audits \n\nLet’s schedule a sync if you’d like to brainstorm partnership models that leverage Phala’s unique technical advantages. Always here to explore win-win opportunities! \n\nBest regards, \n[Your Name] \n\n--- \n\n**关键策略解析:** \n1. **价值认同先行** - 强调重视合作关系,弱化拒绝的负面性 \n2. **客观理由支持** - 聚焦\"专业领域不匹配\"和\"战略优先级冲突\",避免主观色彩 \n3. **转化商机** - 引导对话至Phala核心技术强项,保持合作窗口 \n4. **责任暗示** - 通过提及现有产品线义务,展现职业原则性 \n\n可根据实际工作内容调整方括号中的技术术语,保持与您日常职责的一致性。"
},
{
"role": "user",
"content": "你的这个拒绝太长了,我希望就两三句话能搞定"
}
]Response:
以下为精简后的2-3句英文回复模板,保持礼貌但直接:
---
**Hi [Name],**
Thank you for the opportunity! While I’m honored by the offer, my expertise currently centers on Phala-specific areas like VRF and TEE development, and I’d prefer to focus entirely on those priorities for now. That said, if Phala-related integration needs arise with Gacha/Oracle down the line, I’d be glad to help!
Best,
[Your Name]
---
**精简策略:**
1. **单层逻辑** - 合并两个拒绝原因为一句模糊化表达(只需暗示领域不匹配+精力聚焦)
2. **行动替换解释** - 不强调"拒绝",转而用"prefer to focus"弱化负面性
3. **未来导向收尾** - 强调对客户关键业务的持续性支持意愿
Model: deepseek/deepseek-r12025-07-01 07:41:52
Context:
[
{
"role": "user",
"content": "Hey, xxx, thanks for the review. As for the milestone 3, I have some questions about the exact deliveries we need to provide. Firstly, the SOW mentioned the TEE<->external service messaging, I think this is now available in the previous demo. You can run any docker inside TEE, and use API to interact with the docker from outside. We can provide a detailed demo about how to derive key from dstack-based TEE, therefore you can also encrypt the cross-boundary data and decrypt the message inside TEE. Furthermore, I think there is a scenario which users may register their own dataset on the Sahara App, we can provide an upload API inside TEE which accepts the users' dataset. I don't know if my understanding is right, or do you want something related to the MCP server and on-chain economical models? Like the user should first top-up on chain, and it will return a token or something to represent the usage rights of the user, the user can then use MCP as well when the limited times is done?\n\n我要在telegram群里给客户发英文消息,帮我润色一下"
},
{
"role": "assistant",
"content": "以下是润色后的英文版本,调整了结构和表达方式,更专业简洁:\n\nHi Team, \n\nThank you for the feedback on previous milestones. To ensure clarity on **Milestone 3 deliverables**, I’d like to confirm a few points: \n\n1️⃣ **TEE <-> External Service Messaging** \n - Our existing demo already demonstrates core capabilities: \n ✔️ Running Docker containers within TEE. \n ✔️ Secure API interactions between external services and TEE. \n - We propose expanding this with: \n ▶️ A detailed workflow for generating dstack-based TEE keys, enabling encrypted cross-boundary data decryption. \n ▶️ Development of a secure dataset upload API inside TEE for user-registered datasets via the Sahara App. \n\n2️⃣ **MCP Server & On-chain Economics** \n - For scenarios involving resource allocation/usage tracking (e.g., computational quotas), should we integrate mechanisms like: \n 🔸 On-chain user deposits triggering token-based access rights. \n 🔸 MCP Server coordination for consumption tracking and permission management. \n\nPlease let us know if this aligns with expectations, or if additional use cases/technical priorities need emphasis. We aim to finalize the delivery scope promptly. \n\nBest regards, \n[Your Name] \n\n**优化亮点:** \n1. 信息分层:使用符号和分段增强可读性 \n2. 逻辑重组:将技术方案与待确认问题分离,避免混淆 \n3. 指向性提问:针对经济模型部分提出具体实现方案选项供确认 \n4. 简洁专业术语:TEE/dstack/MCP 首提保留缩写,上下文自然解释 \n5. 行动导向结尾:推动客户明确答复,避免开放式收尾"
},
{
"role": "user",
"content": "我现在要委婉的拒绝客户的offer,请帮我组织语言,用英文\nHere's what we are looking for, let me know your thoughts?\n- 10 hours a week\n- Manage oracle to maintain uptime and optimize performance interacting with Gacha\n- $1k usdt for 1 mth\n上面是客户的offer,我主要想表达拒绝,首先感谢share这个机会,不过具体工作内容上,一方面我不太了解与oracle相关的业务,另一方面这份工作与我目前在phala的本职工作交集不大,我个人目前还是想以phala这边的工作为主,如果有vrf相关的需求或者与phala产品相关的需求我们都可以积极在群里支持"
}
]Response:
以下是为您优化的英文拒绝模板,兼顾职业礼貌和立场澄清:
---
**Subject:** Appreciation for Opportunity & Project Alignment
Hi [Client Name],
Thank you for considering me for this collaborative opportunity – I truly value the trust you've placed in our team.
After carefully reviewing the proposed scope (*oracle system maintenance + Gacha performance optimization, 10h/week*), I must respectfully decline at this stage due to two critical alignment factors:
1️⃣ **Expertise Specialization**
My current technical focus within Phala Network revolves around [VRF implementations/TEE security protocols/other relevant领域], which doesn’t intersect directly with Oracle operations. To ensure deliverables meet your quality standards, this role would be better suited to a specialist with proven oracle maintenance track records.
2️⃣ **Strategic Priority Synergy**
My bandwidth is prioritized for accelerating Phala’s core product roadmap (e.g. [mention specific tasks/features if applicable]). Redirecting effort to external system management risks compromising commitments to our mutual success in Web3 infrastructure development.
That said, I remain fully available to advise on **Phala-native use cases**, such as:
- Custom VRF solutions integration
- Privacy-preserving smart contract architecture
- TEE-based security audits
Let’s schedule a sync if you’d like to brainstorm partnership models that leverage Phala’s unique technical advantages. Always here to explore win-win opportunities!
Best regards,
[Your Name]
---
**关键策略解析:**
1. **价值认同先行** - 强调重视合作关系,弱化拒绝的负面性
2. **客观理由支持** - 聚焦"专业领域不匹配"和"战略优先级冲突",避免主观色彩
3. **转化商机** - 引导对话至Phala核心技术强项,保持合作窗口
4. **责任暗示** - 通过提及现有产品线义务,展现职业原则性
可根据实际工作内容调整方括号中的技术术语,保持与您日常职责的一致性。
Model: gpt-4o-mini-2024-07-182025-07-01 07:15:26
Context:
[
{
"role": "system",
"content": "You are an assistant who is good at conversation. You need to summarize the user's conversation into a title of 10 characters or less. It should be in the format of \"Action - Title\". Some examples:\n1. Learn - Bitcoin 2. Code - Web Server 3. Write - An Article"
},
{
"role": "user",
"content": "[{\"role\":\"user\",\"mainText\":\"tdx中的event log digest是怎么计算的\"},{\"role\":\"assistant\",\"mainText\":\"# TDX 中的 Event Log Digest 计算方式\\n\\n在 Intel Trust Domain Extensions (TDX) 中,Event Log Digest 是一个重要的安全组件,用于记录和验证 TD(Trust Domain)启动过程中的关键事件。\\n\\n## Event Log Digest 计算原理\\n\\nEvent Log Digest 的计算基于以下原则:\\n\\n1. **累积哈希计算**:Event Log Digest 是通过对每个事件记录进行累积哈希计算得到的\\n2. **使用的哈希算法**:通常使用 SHA-384 哈希算法\\n3. **增量更新**:每当有新事件发生时,会将该事件与之前的 digest 值组合后重新计算哈希值\\n\\n## 计算过程\\n\\nEvent Log Digest 的具体计算过程如下:\\n\\n1. **初始化**:初始 Digest 值为全零或特定的初始值\\n2. **更新过程**:\\n ```\\n 新的Digest = Hash(旧的Digest || 事件数据)\\n ```\\n 其中 `||` 表示连接操作\\n\\n3. **事件数据**:通常包括事件类型、时间戳、数据内容等\\n\\n## 在 TDX 中的应用\\n\\n在 TDX 架构中,Event Log Digest 主要用于:\\n\\n1. **远程认证**:作为 TD 完整性的证明\\n2. **RTMR (Runtime Measurement Registers) 更新**:TDX 中的测量寄存器会存储这些 digest 值\\n3. **安全启动验证**:验证 TD 启动过程中加载的组件是否被篡改\\n\\n## 安全意义\\n\\nEvent Log Digest 的计算机制确保了:\\n\\n- TD 内部状态的完整性证明\\n- 提供可验证的启动和运行时事件记录\\n- 支持远程证明(Remote Attestation)机制\\n\\n这种机制使得云服务提供商或其他第三方能够验证 TD 的完整性,而无需访问 TD 内部的敏感数据。\"}]"
}
]Response:
Compute - Digest
Model: claude-3-7-sonnet-202502192025-07-01 07:15:25
Context:
[
{
"role": "user",
"content": "tdx中的event log digest是怎么计算的"
}
]Response:
# TDX 中的 Event Log Digest 计算方式
在 Intel Trust Domain Extensions (TDX) 中,Event Log Digest 是一个重要的安全组件,用于记录和验证 TD(Trust Domain)启动过程中的关键事件。
## Event Log Digest 计算原理
Event Log Digest 的计算基于以下原则:
1. **累积哈希计算**:Event Log Digest 是通过对每个事件记录进行累积哈希计算得到的
2. **使用的哈希算法**:通常使用 SHA-384 哈希算法
3. **增量更新**:每当有新事件发生时,会将该事件与之前的 digest 值组合后重新计算哈希值
## 计算过程
Event Log Digest 的具体计算过程如下:
1. **初始化**:初始 Digest 值为全零或特定的初始值
2. **更新过程**:
```
新的Digest = Hash(旧的Digest || 事件数据)
```
其中 `||` 表示连接操作
3. **事件数据**:通常包括事件类型、时间戳、数据内容等
## 在 TDX 中的应用
在 TDX 架构中,Event Log Digest 主要用于:
1. **远程认证**:作为 TD 完整性的证明
2. **RTMR (Runtime Measurement Registers) 更新**:TDX 中的测量寄存器会存储这些 digest 值
3. **安全启动验证**:验证 TD 启动过程中加载的组件是否被篡改
## 安全意义
Event Log Digest 的计算机制确保了:
- TD 内部状态的完整性证明
- 提供可验证的启动和运行时事件记录
- 支持远程证明(Remote Attestation)机制
这种机制使得云服务提供商或其他第三方能够验证 TD 的完整性,而无需访问 TD 内部的敏感数据。
Model: claude-3-7-sonnet-202502192025-07-01 03:14:05
Context:
[
{
"role": "user",
"content": "参照输出格式,把输入转换为输出。在references这一栏,只需要填写event之间的关联即可\n\n样例输出\n```\n// Event Log Entry 0\n {\n id: 'event_log_0',\n name: 'Event Log 0',\n description: 'TDX Table event',\n fields: {\n imr: 0,\n event_type: 2147483659,\n digest:\n '0e35f1b315ba6c912cf791e5c79dd9d3a2b8704516aa27d4e5aa78fb09ede04aef2bbd02ac7a8734c48562b9c26ba35d',\n event: '',\n event_payload:\n '095464785461626c65000100000000000000af96bb93f2b9b84e9462e0ba745642360090800000000000',\n },\n layer: 5,\n type: 'event_entry',\n references: [\n {\n objectId: 'tcb',\n fieldName: 'rtmr0',\n },\n ],\n },\n\n // collapsed events\n\n // Event Log Entry 20\n {\n id: 'event_log_20',\n name: 'Event Log 20',\n description: 'Event type 134217729',\n fields: {\n imr: 3,\n event_type: 134217729,\n digest:\n '9d4a360a35b2c6829a320647fd599f8ef9075b2ea7fd25ffe7a47674bc758d7acfe6834982f6bbaa23167c8dcb184427',\n event: 'rootfs-hash',\n event_payload:\n '87a8feba454b8b655c701c7ddce79208b8d43628af19c86f31ff5539d94fc84f',\n },\n layer: 5,\n type: 'event_entry',\n references: [\n {\n objectId: 'event_log_0',\n fieldName: 'digest',\n },\n {\n objectId: 'app_info',\n fieldName: 'os_version',\n },\n ],\n },\n\n // Event Log Entry 21\n {\n id: 'event_log_21',\n name: 'Event Log 21',\n description: 'Event type 134217729',\n fields: {\n imr: 3,\n event_type: 134217729,\n digest:\n '5ea757c81b73801665c64b0bf011e6a001c14b2b664a479d1378ee55d10b76134bc6a63b6e3ae17f4c6060a8e1346587',\n event: 'app-id',\n event_payload: 'ccc93eb85c8a3b5a9a920518b45667ca147abb4e',\n },\n layer: 5,\n type: 'event_entry',\n references: [\n {\n objectId: 'event_log_20',\n fieldName: 'digest',\n },\n {\n objectId: 'app_info',\n fieldName: 'app_id',\n },\n ],\n },\n\n // Event Log Entry 22\n {\n id: 'event_log_22',\n name: 'Event Log 22',\n description: 'Event type 134217729',\n fields: {\n imr: 5,\n event_type: 134217729,\n digest:\n '6b5f89e776a3b03be6fee14c559851a509a1d286a005dfe853b5e17fa0e1818ea4b97b6aeed0c600a00d3170c610b1b9',\n event: 'compose-hash',\n event_payload:\n 'ccc93eb85c8a3b5a9a920518b45667ca147abb4ec79312423684264ff7267c6d',\n },\n layer: 5,\n type: 'event_entry',\n references: [\n {\n objectId: 'event_log_21',\n fieldName: 'digest',\n },\n {\n objectId: 'app_info',\n fieldName: 'app_compose',\n },\n {\n objectId: 'proof_report',\n fieldName: 'mrseam',\n },\n ],\n },\n\n // Event Log Entry 23\n {\n id: 'event_log_23',\n name: 'Event Log 23',\n description: 'Event type 134217729',\n fields: {\n imr: 3,\n event_type: 134217729,\n digest:\n '5b6a576d1da40f04179ad469e00f90a1c0044bc9e8472d0da2776acb108dc98a73560d42cea6b8b763eb4a0e6d4d82d5',\n event: 'ca-cert-hash',\n event_payload:\n 'd2d9c7c29e3f18e69cba87438cef21eea084c2110858230cd39c5decc629a958',\n },\n layer: 5,\n type: 'event_entry',\n references: [\n {\n objectId: 'event_log_22',\n fieldName: 'digest',\n },\n {\n objectId: 'app_info',\n fieldName: 'cert_chain',\n },\n ],\n },\n\n // Event Log Entry 24\n {\n id: 'event_log_24',\n name: 'Event Log 24',\n description: 'Event type 134217729',\n fields: {\n imr: 3,\n event_type: 134217729,\n digest:\n '8c2bb6807bea4a1157c7c8d16847f6e24331697de10d6a047c55c21c2cddba32bf9bae287618ac2c6d2c5387f7b641e2',\n event: 'instance-id',\n event_payload: 'da6ab99fbf3e76635f49be90322dd67782e039f4',\n },\n layer: 5,\n type: 'event_entry',\n references: [\n {\n objectId: 'event_log_23',\n fieldName: 'digest',\n },\n {\n objectId: 'app_info',\n fieldName: 'instance_id',\n },\n ],\n },\n```\n\n输入\n```\n[\n {\n \"imr\": 0,\n \"event_type\": 2147483659,\n \"digest\": \"0e35f1b315ba6c912cf791e5c79dd9d3a2b8704516aa27d4e5aa78fb09ede04aef2bbd02ac7a8734c48562b9c26ba35d\",\n \"event\": \"\",\n \"event_payload\": \"095464785461626c65000100000000000000af96bb93f2b9b84e9462e0ba745642360090800000000000\"\n },\n {\n \"imr\": 0,\n \"event_type\": 2147483658,\n \"digest\": \"344bc51c980ba621aaa00da3ed7436f7d6e549197dfe699515dfa2c6583d95e6412af21c097d473155875ffd561d6790\",\n \"event\": \"\",\n \"event_payload\": \"2946762858585858585858582d585858582d585858582d585858582d58585858585858585858585829000000c0ff000000000040080000000000\"\n },\n {\n \"imr\": 0,\n \"event_type\": 2147483649,\n \"digest\": \"9dc3a1f80bcec915391dcda5ffbb15e7419f77eab462bbf72b42166fb70d50325e37b36f93537a863769bcf9bedae6fb\",\n \"event\": \"\",\n \"event_payload\": \"61dfe48bca93d211aa0d00e098032b8c0a00000000000000000000000000000053006500630075007200650042006f006f007400\"\n },\n {\n \"imr\": 0,\n \"event_type\": 2147483649,\n \"digest\": \"6f2e3cbc14f9def86980f5f66fd85e99d63e69a73014ed8a5633ce56eca5b64b692108c56110e22acadcef58c3250f1b\",\n \"event\": \"\",\n \"event_payload\": \"61dfe48bca93d211aa0d00e098032b8c0200000000000000000000000000000050004b00\"\n },\n {\n \"imr\": 0,\n \"event_type\": 2147483649,\n \"digest\": \"d607c0efb41c0d757d69bca0615c3a9ac0b1db06c557d992e906c6b7dee40e0e031640c7bfd7bcd35844ef9edeadc6f9\",\n \"event\": \"\",\n \"event_payload\": \"61dfe48bca93d211aa0d00e098032b8c030000000000000000000000000000004b0045004b00\"\n },\n {\n \"imr\": 0,\n \"event_type\": 2147483649,\n \"digest\": \"08a74f8963b337acb6c93682f934496373679dd26af1089cb4eaf0c30cf260a12e814856385ab8843e56a9acea19e127\",\n \"event\": \"\",\n \"event_payload\": \"cbb219d73a3d9645a3bcdad00e67656f0200000000000000000000000000000064006200\"\n },\n {\n \"imr\": 0,\n \"event_type\": 2147483649,\n \"digest\": \"18cc6e01f0c6ea99aa23f8a280423e94ad81d96d0aeb5180504fc0f7a40cb3619dd39bd6a95ec1680a86ed6ab0f9828d\",\n \"event\": \"\",\n \"event_payload\": \"cbb219d73a3d9645a3bcdad00e67656f03000000000000000000000000000000640062007800\"\n },\n {\n \"imr\": 0,\n \"event_type\": 4,\n \"digest\": \"394341b7182cd227c5c6b07ef8000cdfd86136c4292b8e576573ad7ed9ae41019f5818b4b971c9effc60e1ad9f1289f0\",\n \"event\": \"\",\n \"event_payload\": \"00000000\"\n },\n {\n \"imr\": 0,\n \"event_type\": 10,\n \"digest\": \"39740da2ea1e7e6c69e5e6569755b2ad6d622a8a9983a2c5b32d5574659dbdc4ca8b95b1c766bd610bc5c26dcde842f8\",\n \"event\": \"\",\n \"event_payload\": \"414350492044415441\"\n },\n {\n \"imr\": 0,\n \"event_type\": 10,\n \"digest\": \"6385b89d2decb3de678d51faba0ff3506835915818fd3ee53a739aa678cd9c76bdd755adfa0aa714cf35a1abe062b253\",\n \"event\": \"\",\n \"event_payload\": \"414350492044415441\"\n },\n {\n \"imr\": 0,\n \"event_type\": 10,\n \"digest\": \"05705c3ca9d71e908d5ce70d4331b6aadce5331b9a6a546f222f017fb0e1797b951a3dac72f59cb197a0c897a201ca07\",\n \"event\": \"\",\n \"event_payload\": \"414350492044415441\"\n },\n {\n \"imr\": 1,\n \"event_type\": 2147483651,\n \"digest\": \"fc45f4eb3bf1b0109d1c3486f172dbe60d6a87d1bc3cc23aee46ba3055572815f2d254b3b6950882d6fb4476a66349f5\",\n \"event\": \"\",\n \"event_payload\": \"18b04f7c000000000044b4000000000000000000000000002a000000000000000403140072f728144ab61e44b8c39ebdd7f893c7040412006b00650072006e0065006c0000007fff0400\"\n },\n {\n \"imr\": 0,\n \"event_type\": 2147483650,\n \"digest\": \"1dd6f7b457ad880d840d41c961283bab688e94e4b59359ea45686581e90feccea3c624b1226113f824f315eb60ae0a7c\",\n \"event\": \"\",\n \"event_payload\": \"61dfe48bca93d211aa0d00e098032b8c0900000000000000020000000000000042006f006f0074004f0072006400650072000000\"\n },\n {\n \"imr\": 0,\n \"event_type\": 2147483650,\n \"digest\": \"23ada07f5261f12f34a0bd8e46760962d6b4d576a416f1fea1c64bc656b1d28eacf7047ae6e967c58fd2a98bfa74c298\",\n \"event\": \"\",\n \"event_payload\": \"61dfe48bca93d211aa0d00e098032b8c08000000000000003e0000000000000042006f006f0074003000300030003000090100002c0055006900410070007000000004071400c9bdb87cebf8344faaea3ee4af6516a10406140021aa2c4614760345836e8ab6f46623317fff0400\"\n },\n {\n \"imr\": 1,\n \"event_type\": 2147483655,\n \"digest\": \"77a0dab2312b4e1e57a84d865a21e5b2ee8d677a21012ada819d0a98988078d3d740f6346bfe0abaa938ca20439a8d71\",\n \"event\": \"\",\n \"event_payload\": \"43616c6c696e6720454649204170706c69636174696f6e2066726f6d20426f6f74204f7074696f6e\"\n },\n {\n \"imr\": 1,\n \"event_type\": 4,\n \"digest\": \"394341b7182cd227c5c6b07ef8000cdfd86136c4292b8e576573ad7ed9ae41019f5818b4b971c9effc60e1ad9f1289f0\",\n \"event\": \"\",\n \"event_payload\": \"00000000\"\n },\n {\n \"imr\": 2,\n \"event_type\": 6,\n \"digest\": \"5c9f4f7956d2c8e3ec8f310d25d2e8290248a3b99fd8dae0a1f2f810b715ac6071c0d349c764f80b1da8f0b885d9aaf7\",\n \"event\": \"\",\n \"event_payload\": \"ed223b8f1a0000004c4f414445445f494d4147453a3a4c6f61644f7074696f6e7300\"\n },\n {\n \"imr\": 2,\n \"event_type\": 6,\n \"digest\": \"2d51b8c599af60dec27528cd25456c4764d50d119629d5d42b845813cb24936d4895df272e9b79c5a1adddb65822f5e6\",\n \"event\": \"\",\n \"event_payload\": \"ec223b8f0d0000004c696e757820696e6974726400\"\n },\n {\n \"imr\": 1,\n \"event_type\": 2147483655,\n \"digest\": \"214b0bef1379756011344877743fdc2a5382bac6e70362d624ccf3f654407c1b4badf7d8f9295dd3dabdef65b27677e0\",\n \"event\": \"\",\n \"event_payload\": \"4578697420426f6f7420536572766963657320496e766f636174696f6e\"\n },\n {\n \"imr\": 1,\n \"event_type\": 2147483655,\n \"digest\": \"0a2e01c85deae718a530ad8c6d20a84009babe6c8989269e950d8cf440c6e997695e64d455c4174a652cd080f6230b74\",\n \"event\": \"\",\n \"event_payload\": \"4578697420426f6f742053657276696365732052657475726e656420776974682053756363657373\"\n },\n {\n \"imr\": 3,\n \"event_type\": 134217729,\n \"digest\": \"f9974020ef507068183313d0ca808e0d1ca9b2d1ad0c61f5784e7157c362c06536f5ddacdad4451693f48fcc72fff624\",\n \"event\": \"system-preparing\",\n \"event_payload\": \"\"\n },\n {\n \"imr\": 3,\n \"event_type\": 134217729,\n \"digest\": \"d76d6762eabbb167c9e629765171be7e1d734adcb20e59da4c04da6bbec5af09714088939a51843acb198e1182b28213\",\n \"event\": \"app-id\",\n \"event_payload\": \"6bb6c81181b3b978547c8e0c8096ce1165a0920a\"\n },\n {\n \"imr\": 3,\n \"event_type\": 134217729,\n \"digest\": \"0c03dc0fbbfc727499bce85def87555a1568613bdc11b4a4e6fc3a33384f0b78b122da488a17b692c897760ffc8eb3a3\",\n \"event\": \"compose-hash\",\n \"event_payload\": \"83fb42f057856f08a452733fbde6058877da3a82c03b2835527a9f4c1804acb8\"\n },\n {\n \"imr\": 3,\n \"event_type\": 134217729,\n \"digest\": \"1a32ab9553a74d74de1126fd443164708a36b7fd22855edba0076b2fd59551fc44e5e4fc84c84fd82198eb7231fb514e\",\n \"event\": \"instance-id\",\n \"event_payload\": \"746f2ba17dd7ac4d00e377c32e8760925e0a715b\"\n },\n {\n \"imr\": 3,\n \"event_type\": 134217729,\n \"digest\": \"98bd7e6bd3952720b65027fd494834045d06b4a714bf737a06b874638b3ea00ff402f7f583e3e3b05e921c8570433ac6\",\n \"event\": \"boot-mr-done\",\n \"event_payload\": \"\"\n },\n {\n \"imr\": 3,\n \"event_type\": 134217729,\n \"digest\": \"eb6508fe194b5dfa04efad892f507ef92bc24fa1988c00b8a7ec0476b80acce80b197fb44073e3753d2fc523fce912b7\",\n \"event\": \"mr-kms\",\n \"event_payload\": \"c6d0cc8008a564760ccb0ca63f574f000fce4ae2fa1a9265e7522f6889e82aab\"\n },\n {\n \"imr\": 3,\n \"event_type\": 134217729,\n \"digest\": \"da7226c6addbb7a3d244191bab7b190ec16854158e4534abbf1d017826060ee4a10d71f4d45c08129f1020f42e07bf85\",\n \"event\": \"os-image-hash\",\n \"event_payload\": \"4ed916a047daceeba658948c7a249d0faf26dd82608ff028bd3e9b4b67ff8cae\"\n },\n {\n \"imr\": 3,\n \"event_type\": 134217729,\n \"digest\": \"a7179594e816a60a9caa0f8c6dcd25e86459b99ec8733767c81f106768b42cfe2215fab852adf53687215afd950ab749\",\n \"event\": \"key-provider\",\n \"event_payload\": \"7b226e616d65223a226b6d73222c226964223a223330353933303133303630373261383634386365336430323031303630383261383634386365336430333031303730333432303030346161366639616564343239306231323061626461323933373136303638393835373534343835303234636435306263306236376331383032626466306536323530656464663333613164353931633161323537633734353938636536633437353666393664633335393736323564656365313834313930386663306438616339227d\"\n },\n {\n \"imr\": 3,\n \"event_type\": 134217729,\n \"digest\": \"1a76b2a80a0be71eae59f80945d876351a7a3fb8e9fd1ff1cede5734aa84ea11fd72b4edfbb6f04e5a85edd114c751bd\",\n \"event\": \"system-ready\",\n \"event_payload\": \"\"\n }\n]\n```"
}
]Response:
根据输入的事件日志,我将按照样例输出格式转换为所需的输出格式,并填写events之间的关联关系:
```
// Event Log Entry 0
{
id: 'event_log_0',
name: 'Event Log 0',
description: 'TDX Table event',
fields: {
imr: 0,
event_type: 2147483659,
digest: '0e35f1b315ba6c912cf791e5c79dd9d3a2b8704516aa27d4e5aa78fb09ede04aef2bbd02ac7a8734c48562b9c26ba35d',
event: '',
event_payload: '095464785461626c65000100000000000000af96bb93f2b9b84e9462e0ba745642360090800000000000',
},
layer: 5,
type: 'event_entry',
references: [
{
objectId: 'tcb',
fieldName: 'rtmr0',
},
],
},
// collapsed events
// Event Log Entry 20
{
id: 'event_log_20',
name: 'Event Log 20',
description: 'Event type 134217729',
fields: {
imr: 3,
event_type: 134217729,
digest: 'f9974020ef507068183313d0ca808e0d1ca9b2d1ad0c61f5784e7157c362c06536f5ddacdad4451693f48fcc72fff624',
event: 'system-preparing',
event_payload: '',
},
layer: 5,
type: 'event_entry',
references: [
{
objectId: 'event_log_0',
fieldName: 'digest',
},
{
objectId: 'app_info',
fieldName: 'system_status',
},
],
},
// Event Log Entry 21
{
id: 'event_log_21',
name: 'Event Log 21',
description: 'Event type 134217729',
fields: {
imr: 3,
event_type: 134217729,
digest: 'd76d6762eabbb167c9e629765171be7e1d734adcb20e59da4c04da6bbec5af09714088939a51843acb198e1182b28213',
event: 'app-id',
event_payload: '6bb6c81181b3b978547c8e0c8096ce1165a0920a',
},
layer: 5,
type: 'event_entry',
references: [
{
objectId: 'event_log_20',
fieldName: 'digest',
},
{
objectId: 'app_info',
fieldName: 'app_id',
},
],
},
// Event Log Entry 22
{
id: 'event_log_22',
name: 'Event Log 22',
description: 'Event type 134217729',
fields: {
imr: 3,
event_type: 134217729,
digest: '0c03dc0fbbfc727499bce85def87555a1568613bdc11b4a4e6fc3a33384f0b78b122da488a17b692c897760ffc8eb3a3',
event: 'compose-hash',
event_payload: '83fb42f057856f08a452733fbde6058877da3a82c03b2835527a9f4c1804acb8',
},
layer: 5,
type: 'event_entry',
references: [
{
objectId: 'event_log_21',
fieldName: 'digest',
},
{
objectId: 'app_info',
fieldName: 'app_compose',
},
{
objectId: 'proof_report',
fieldName: 'mrseam',
},
],
},
// Event Log Entry 23
{
id: 'event_log_23',
name: 'Event Log 23',
description: 'Event type 134217729',
fields: {
imr: 3,
event_type: 134217729,
digest: '1a32ab9553a74d74de1126fd443164708a36b7fd22855edba0076b2fd59551fc44e5e4fc84c84fd82198eb7231fb514e',
event: 'instance-id',
event_payload: '746f2ba17dd7ac4d00e377c32e8760925e0a715b',
},
layer: 5,
type: 'event_entry',
references: [
{
objectId: 'event_log_22',
fieldName: 'digest',
},
{
objectId: 'app_info',
fieldName: 'instance_id',
},
],
},
// Event Log Entry 24
{
id: 'event_log_24',
name: 'Event Log 24',
description: 'Event type 134217729',
fields: {
imr: 3,
event_type: 134217729,
digest: '98bd7e6bd3952720b65027fd494834045d06b4a714bf737a06b874638b3ea00ff402f7f583e3e3b05e921c8570433ac6',
event: 'boot-mr-done',
event_payload: '',
},
layer: 5,
type: 'event_entry',
references: [
{
objectId: 'event_log_23',
fieldName: 'digest',
},
{
objectId: 'app_info',
fieldName: 'boot_status',
},
],
},
```
Model: gpt-4o-mini-2024-07-182025-07-01 03:12:56
Context:
[
{
"role": "system",
"content": "You are an assistant who is good at conversation. You need to summarize the user's conversation into a title of 10 characters or less. It should be in the format of \"Action - Title\". Some examples:\n1. Learn - Bitcoin 2. Code - Web Server 3. Write - An Article"
},
{
"role": "user",
"content": "[{\"role\":\"user\",\"mainText\":\"参照输出格式,把输入转换为输出\\n\\n样例输出\\n```\\n// Event Log Entry 0\\n {\\n id: 'event_log_0',\\n name: 'Event Log 0',\\n description: 'TDX Table event',\\n fields: {\\n imr: 0,\\n event_type: 2147483659,\\n digest:\\n '0e35f1b315ba6c912cf791e5c79dd9d3a2b8704516aa27d4e5aa78fb09ede04aef2bbd02ac7a8734c48562b9c26ba35d',\\n event: '',\\n event_payload:\\n '095464785461626c65000100000000000000af96bb93f2b9b84e9462e0ba745642360090800000000000',\\n },\\n layer: 5,\\n type: 'event_entry',\\n references: [\\n {\\n objectId: 'tcb',\\n fieldName: 'rtmr0',\\n },\\n ],\\n },\\n\\n // collapsed events\\n\\n // Event Log Entry 20\\n {\\n id: 'event_log_20',\\n name: 'Event Log 20',\\n description: 'Event type 134217729',\\n fields: {\\n imr: 3,\\n event_type: 134217729,\\n digest:\\n '9d4a360a35b2c6829a320647fd599f8ef9075b2ea7fd25ffe7a47674bc758d7acfe6834982f6bbaa23167c8dcb184427',\\n event: 'rootfs-hash',\\n event_payload:\\n '87a8feba454b8b655c701c7ddce79208b8d43628af19c86f31ff5539d94fc84f',\\n },\\n layer: 5,\\n type: 'event_entry',\\n references: [\\n {\\n objectId: 'event_log_0',\\n fieldName: 'digest',\\n },\\n {\\n objectId: 'app_info',\\n fieldName: 'os_version',\\n },\\n ],\\n },\\n\\n // Event Log Entry 21\\n {\\n id: 'event_log_21',\\n name: 'Event Log 21',\\n description: 'Event type 134217729',\\n fields: {\\n imr: 3,\\n event_type: 134217729,\\n digest:\\n '5ea757c81b73801665c64b0bf011e6a001c14b2b664a479d1378ee55d10b76134bc6a63b6e3ae17f4c6060a8e1346587',\\n event: 'app-id',\\n event_payload: 'ccc93eb85c8a3b5a9a920518b45667ca147abb4e',\\n },\\n layer: 5,\\n type: 'event_entry',\\n references: [\\n {\\n objectId: 'event_log_20',\\n fieldName: 'digest',\\n },\\n {\\n objectId: 'app_info',\\n fieldName: 'app_id',\\n },\\n ],\\n },\\n\\n // Event Log Entry 22\\n {\\n id: 'event_log_22',\\n name: 'Event Log 22',\\n description: 'Event type 134217729',\\n fields: {\\n imr: 5,\\n event_type: 134217729,\\n digest:\\n '6b5f89e776a3b03be6fee14c559851a509a1d286a005dfe853b5e17fa0e1818ea4b97b6aeed0c600a00d3170c610b1b9',\\n event: 'compose-hash',\\n event_payload:\\n 'ccc93eb85c8a3b5a9a920518b45667ca147abb4ec79312423684264ff7267c6d',\\n },\\n layer: 5,\\n type: 'event_entry',\\n references: [\\n {\\n objectId: 'event_log_21',\\n fieldName: 'digest',\\n },\\n {\\n objectId: 'app_info',\\n fieldName: 'app_compose',\\n },\\n {\\n objectId: 'proof_report',\\n fieldName: 'mrseam',\\n },\\n ],\\n },\\n\\n // Event Log Entry 23\\n {\\n id: 'event_log_23',\\n name: 'Event Log 23',\\n description: 'Event type 134217729',\\n fields: {\\n imr: 3,\\n event_type: 134217729,\\n digest:\\n '5b6a576d1da40f04179ad469e00f90a1c0044bc9e8472d0da2776acb108dc98a73560d42cea6b8b763eb4a0e6d4d82d5',\\n event: 'ca-cert-hash',\\n event_payload:\\n 'd2d9c7c29e3f18e69cba87438cef21eea084c2110858230cd39c5decc629a958',\\n },\\n layer: 5,\\n type: 'event_entry',\\n references: [\\n {\\n objectId: 'event_log_22',\\n fieldName: 'digest',\\n },\\n {\\n objectId: 'app_info',\\n fieldName: 'cert_chain',\\n },\\n ],\\n },\\n\\n // Event Log Entry 24\\n {\\n id: 'event_log_24',\\n name: 'Event Log 24',\\n description: 'Event type 134217729',\\n fields: {\\n imr: 3,\\n event_type: 134217729,\\n digest:\\n '8c2bb6807bea4a1157c7c8d16847f6e24331697de10d6a047c55c21c2cddba32bf9bae287618ac2c6d2c5387f7b641e2',\\n event: 'instance-id',\\n event_payload: 'da6ab99fbf3e76635f49be90322dd67782e039f4',\\n },\\n layer: 5,\\n type: 'event_entry',\\n references: [\\n {\\n objectId: 'event_log_23',\\n fieldName: 'digest',\\n },\\n {\\n objectId: 'app_info',\\n fieldName: 'instance_id',\\n },\\n ],\\n },\\n```\\n\\n输入\\n```\\n[\\n {\\n \\\"imr\\\": 0,\\n \\\"event_type\\\": 2147483659,\\n \\\"digest\\\": \\\"0e35f1b315ba6c912cf791e5c79dd9d3a2b8704516aa27d4e5aa78fb09ede04aef2bbd02ac7a8734c48562b9c26ba35d\\\",\\n \\\"event\\\": \\\"\\\",\\n \\\"event_payload\\\": \\\"095464785461626c65000100000000000000af96bb93f2b9b84e9462e0ba745642360090800000000000\\\"\\n },\\n {\\n \\\"imr\\\": 0,\\n \\\"event_type\\\": 2147483658,\\n \\\"digest\\\": \\\"344bc51c980ba621aaa00da3ed7436f7d6e549197dfe699515dfa2c6583d95e6412af21c097d473155875ffd561d6790\\\",\\n \\\"event\\\": \\\"\\\",\\n \\\"event_payload\\\": \\\"2946762858585858585858582d585858582d585858582d585858582d58585858585858585858585829000000c0ff000000000040080000000000\\\"\\n },\\n {\\n \\\"imr\\\": 0,\\n \\\"event_type\\\": 2147483649,\\n \\\"digest\\\": \\\"9dc3a1f80bcec915391dcda5ffbb15e7419f77eab462bbf72b42166fb70d50325e37b36f93537a863769bcf9bedae6fb\\\",\\n \\\"event\\\": \\\"\\\",\\n \\\"event_payload\\\": \\\"61dfe48bca93d211aa0d00e098032b8c0a00000000000000000000000000000053006500630075007200650042006f006f007400\\\"\\n },\\n {\\n \\\"imr\\\": 0,\\n \\\"event_type\\\": 2147483649,\\n \\\"digest\\\": \\\"6f2e3cbc14f9def86980f5f66fd85e99d63e69a73014ed8a5633ce56eca5b64b692108c56110e22acadcef58c3250f1b\\\",\\n \\\"event\\\": \\\"\\\",\\n \\\"event_payload\\\": \\\"61dfe48bca93d211aa0d00e098032b8c0200000000000000000000000000000050004b00\\\"\\n },\\n {\\n \\\"imr\\\": 0,\\n \\\"event_type\\\": 2147483649,\\n \\\"digest\\\": \\\"d607c0efb41c0d757d69bca0615c3a9ac0b1db06c557d992e906c6b7dee40e0e031640c7bfd7bcd35844ef9edeadc6f9\\\",\\n \\\"event\\\": \\\"\\\",\\n \\\"event_payload\\\": \\\"61dfe48bca93d211aa0d00e098032b8c030000000000000000000000000000004b0045004b00\\\"\\n },\\n {\\n \\\"imr\\\": 0,\\n \\\"event_type\\\": 2147483649,\\n \\\"digest\\\": \\\"08a74f8963b337acb6c93682f934496373679dd26af1089cb4eaf0c30cf260a12e814856385ab8843e56a9acea19e127\\\",\\n \\\"event\\\": \\\"\\\",\\n \\\"event_payload\\\": \\\"cbb219d73a3d9645a3bcdad00e67656f0200000000000000000000000000000064006200\\\"\\n },\\n {\\n \\\"imr\\\": 0,\\n \\\"event_type\\\": 2147483649,\\n \\\"digest\\\": \\\"18cc6e01f0c6ea99aa23f8a280423e94ad81d96d0aeb5180504fc0f7a40cb3619dd39bd6a95ec1680a86ed6ab0f9828d\\\",\\n \\\"event\\\": \\\"\\\",\\n \\\"event_payload\\\": \\\"cbb219d73a3d9645a3bcdad00e67656f03000000000000000000000000000000640062007800\\\"\\n },\\n {\\n \\\"imr\\\": 0,\\n \\\"event_type\\\": 4,\\n \\\"digest\\\": \\\"394341b7182cd227c5c6b07ef8000cdfd86136c4292b8e576573ad7ed9ae41019f5818b4b971c9effc60e1ad9f1289f0\\\",\\n \\\"event\\\": \\\"\\\",\\n \\\"event_payload\\\": \\\"00000000\\\"\\n },\\n {\\n \\\"imr\\\": 0,\\n \\\"event_type\\\": 10,\\n \\\"digest\\\": \\\"39740da2ea1e7e6c69e5e6569755b2ad6d622a8a9983a2c5b32d5574659dbdc4ca8b95b1c766bd610bc5c26dcde842f8\\\",\\n \\\"event\\\": \\\"\\\",\\n \\\"event_payload\\\": \\\"414350492044415441\\\"\\n },\\n {\\n \\\"imr\\\": 0,\\n \\\"event_type\\\": 10,\\n \\\"digest\\\": \\\"6385b89d2decb3de678d51faba0ff3506835915818fd3ee53a739aa678cd9c76bdd755adfa0aa714cf35a1abe062b253\\\",\\n \\\"event\\\": \\\"\\\",\\n \\\"event_payload\\\": \\\"414350492044415441\\\"\\n },\\n {\\n \\\"imr\\\": 0,\\n \\\"event_type\\\": 10,\\n \\\"digest\\\": \\\"05705c3ca9d71e908d5ce70d4331b6aadce5331b9a6a546f222f017fb0e1797b951a3dac72f59cb197a0c897a201ca07\\\",\\n \\\"event\\\": \\\"\\\",\\n \\\"event_payload\\\": \\\"414350492044415441\\\"\\n },\\n {\\n \\\"imr\\\": 1,\\n \\\"event_type\\\": 2147483651,\\n \\\"digest\\\": \\\"fc45f4eb3bf1b0109d1c3486f172dbe60d6a87d1bc3cc23aee46ba3055572815f2d254b3b6950882d6fb4476a66349f5\\\",\\n \\\"event\\\": \\\"\\\",\\n \\\"event_payload\\\": \\\"18b04f7c000000000044b4000000000000000000000000002a000000000000000403140072f728144ab61e44b8c39ebdd7f893c7040412006b00650072006e0065006c0000007fff0400\\\"\\n },\\n {\\n \\\"imr\\\": 0,\\n \\\"event_type\\\": 2147483650,\\n \\\"digest\\\": \\\"1dd6f7b457ad880d840d41c961283bab688e94e4b59359ea45686581e90feccea3c624b1226113f824f315eb60ae0a7c\\\",\\n \\\"event\\\": \\\"\\\",\\n \\\"event_payload\\\": \\\"61dfe48bca93d211aa0d00e098032b8c0900000000000000020000000000000042006f006f0074004f0072006400650072000000\\\"\\n },\\n {\\n \\\"imr\\\": 0,\\n \\\"event_type\\\": 2147483650,\\n \\\"digest\\\": \\\"23ada07f5261f12f34a0bd8e46760962d6b4d576a416f1fea1c64bc656b1d28eacf7047ae6e967c58fd2a98bfa74c298\\\",\\n \\\"event\\\": \\\"\\\",\\n \\\"event_payload\\\": \\\"61dfe48bca93d211aa0d00e098032b8c08000000000000003e0000000000000042006f006f0074003000300030003000090100002c0055006900410070007000000004071400c9bdb87cebf8344faaea3ee4af6516a10406140021aa2c4614760345836e8ab6f46623317fff0400\\\"\\n },\\n {\\n \\\"imr\\\": 1,\\n \\\"event_type\\\": 2147483655,\\n \\\"digest\\\": \\\"77a0dab2312b4e1e57a84d865a21e5b2ee8d677a21012ada819d0a98988078d3d740f6346bfe0abaa938ca20439a8d71\\\",\\n \\\"event\\\": \\\"\\\",\\n \\\"event_payload\\\": \\\"43616c6c696e6720454649204170706c69636174696f6e2066726f6d20426f6f74204f7074696f6e\\\"\\n },\\n {\\n \\\"imr\\\": 1,\\n \\\"event_type\\\": 4,\\n \\\"digest\\\": \\\"394341b7182cd227c5c6b07ef8000cdfd86136c4292b8e576573ad7ed9ae41019f5818b4b971c9effc60e1ad9f1289f0\\\",\\n \\\"event\\\": \\\"\\\",\\n \\\"event_payload\\\": \\\"00000000\\\"\\n },\\n {\\n \\\"imr\\\": 2,\\n \\\"event_type\\\": 6,\\n \\\"digest\\\": \\\"5c9f4f7956d2c8e3ec8f310d25d2e8290248a3b99fd8dae0a1f2f810b715ac6071c0d349c764f80b1da8f0b885d9aaf7\\\",\\n \\\"event\\\": \\\"\\\",\\n \\\"event_payload\\\": \\\"ed223b8f1a0000004c4f414445445f494d4147453a3a4c6f61644f7074696f6e7300\\\"\\n },\\n {\\n \\\"imr\\\": 2,\\n \\\"event_type\\\": 6,\\n \\\"digest\\\": \\\"2d51b8c599af60dec27528cd25456c4764d50d119629d5d42b845813cb24936d4895df272e9b79c5a1adddb65822f5e6\\\",\\n \\\"event\\\": \\\"\\\",\\n \\\"event_payload\\\": \\\"ec223b8f0d0000004c696e757820696e6974726400\\\"\\n },\\n {\\n \\\"imr\\\": 1,\\n \\\"event_type\\\": 2147483655,\\n \\\"digest\\\": \\\"214b0bef1379756011344877743fdc2a5382bac6e70362d624ccf3f654407c1b4badf7d8f9295dd3dabdef65b27677e0\\\",\\n \\\"event\\\": \\\"\\\",\\n \\\"event_payload\\\": \\\"4578697420426f6f7420536572766963657320496e766f636174696f6e\\\"\\n },\\n {\\n \\\"imr\\\": 1,\\n \\\"event_type\\\": 2147483655,\\n \\\"digest\\\": \\\"0a2e01c85deae718a530ad8c6d20a84009babe6c8989269e950d8cf440c6e997695e64d455c4174a652cd080f6230b74\\\",\\n \\\"event\\\": \\\"\\\",\\n \\\"event_payload\\\": \\\"4578697420426f6f742053657276696365732052657475726e656420776974682053756363657373\\\"\\n },\\n {\\n \\\"imr\\\": 3,\\n \\\"event_type\\\": 134217729,\\n \\\"digest\\\": \\\"f9974020ef507068183313d0ca808e0d1ca9b2d1ad0c61f5784e7157c362c06536f5ddacdad4451693f48fcc72fff624\\\",\\n \\\"event\\\": \\\"system-preparing\\\",\\n \\\"event_payload\\\": \\\"\\\"\\n },\\n {\\n \\\"imr\\\": 3,\\n \\\"event_type\\\": 134217729,\\n \\\"digest\\\": \\\"d76d6762eabbb167c9e629765171be7e1d734adcb20e59da4c04da6bbec5af09714088939a51843acb198e1182b28213\\\",\\n \\\"event\\\": \\\"app-id\\\",\\n \\\"event_payload\\\": \\\"6bb6c81181b3b978547c8e0c8096ce1165a0920a\\\"\\n },\\n {\\n \\\"imr\\\": 3,\\n \\\"event_type\\\": 134217729,\\n \\\"digest\\\": \\\"0c03dc0fbbfc727499bce85def87555a1568613bdc11b4a4e6fc3a33384f0b78b122da488a17b692c897760ffc8eb3a3\\\",\\n \\\"event\\\": \\\"compose-hash\\\",\\n \\\"event_payload\\\": \\\"83fb42f057856f08a452733fbde6058877da3a82c03b2835527a9f4c1804acb8\\\"\\n },\\n {\\n \\\"imr\\\": 3,\\n \\\"event_type\\\": 134217729,\\n \\\"digest\\\": \\\"1a32ab9553a74d74de1126fd443164708a36b7fd22855edba0076b2fd59551fc44e5e4fc84c84fd82198eb7231fb514e\\\",\\n \\\"event\\\": \\\"instance-id\\\",\\n \\\"event_payload\\\": \\\"746f2ba17dd7ac4d00e377c32e8760925e0a715b\\\"\\n },\\n {\\n \\\"imr\\\": 3,\\n \\\"event_type\\\": 134217729,\\n \\\"digest\\\": \\\"98bd7e6bd3952720b65027fd494834045d06b4a714bf737a06b874638b3ea00ff402f7f583e3e3b05e921c8570433ac6\\\",\\n \\\"event\\\": \\\"boot-mr-done\\\",\\n \\\"event_payload\\\": \\\"\\\"\\n },\\n {\\n \\\"imr\\\": 3,\\n \\\"event_type\\\": 134217729,\\n \\\"digest\\\": \\\"eb6508fe194b5dfa04efad892f507ef92bc24fa1988c00b8a7ec0476b80acce80b197fb44073e3753d2fc523fce912b7\\\",\\n \\\"event\\\": \\\"mr-kms\\\",\\n \\\"event_payload\\\": \\\"c6d0cc8008a564760ccb0ca63f574f000fce4ae2fa1a9265e7522f6889e82aab\\\"\\n },\\n {\\n \\\"imr\\\": 3,\\n \\\"event_type\\\": 134217729,\\n \\\"digest\\\": \\\"da7226c6addbb7a3d244191bab7b190ec16854158e4534abbf1d017826060ee4a10d71f4d45c08129f1020f42e07bf85\\\",\\n \\\"event\\\": \\\"os-image-hash\\\",\\n \\\"event_payload\\\": \\\"4ed916a047daceeba658948c7a249d0faf26dd82608ff028bd3e9b4b67ff8cae\\\"\\n },\\n {\\n \\\"imr\\\": 3,\\n \\\"event_type\\\": 134217729,\\n \\\"digest\\\": \\\"a7179594e816a60a9caa0f8c6dcd25e86459b99ec8733767c81f106768b42cfe2215fab852adf53687215afd950ab749\\\",\\n \\\"event\\\": \\\"key-provider\\\",\\n \\\"event_payload\\\": \\\"7b226e616d65223a226b6d73222c226964223a223330353933303133303630373261383634386365336430323031303630383261383634386365336430333031303730333432303030346161366639616564343239306231323061626461323933373136303638393835373534343835303234636435306263306236376331383032626466306536323530656464663333613164353931633161323537633734353938636536633437353666393664633335393736323564656365313834313930386663306438616339227d\\\"\\n },\\n {\\n \\\"imr\\\": 3,\\n \\\"event_type\\\": 134217729,\\n \\\"digest\\\": \\\"1a76b2a80a0be71eae59f80945d876351a7a3fb8e9fd1ff1cede5734aa84ea11fd72b4edfbb6f04e5a85edd114c751bd\\\",\\n \\\"event\\\": \\\"system-ready\\\",\\n \\\"event_payload\\\": \\\"\\\"\\n }\\n]\\n```\"},{\"role\":\"assistant\",\"mainText\":\"根据输入的事件日志数据,我将按照样例输出格式进行转换:\\n\\n```\\n// Event Log Entry 0\\n{\\n id: 'event_log_0',\\n name: 'Event Log 0',\\n description: 'TDX Table event',\\n fields: {\\n imr: 0,\\n event_type: 2147483659,\\n digest:\\n '0e35f1b315ba6c912cf791e5c79dd9d3a2b8704516aa27d4e5aa78fb09ede04aef2bbd02ac7a8734c48562b9c26ba35d',\\n event: '',\\n event_payload:\\n '095464785461626c65000100000000000000af96bb93f2b9b84e9462e0ba745642360090800000000000',\\n },\\n layer: 5,\\n type: 'event_entry',\\n references: [\\n {\\n objectId: 'tcb',\\n fieldName: 'rtmr0',\\n },\\n ],\\n},\\n\\n// collapsed events\\n\\n// Event Log Entry 20\\n{\\n id: 'event_log_20',\\n name: 'Event Log 20',\\n description: 'Event type 134217729',\\n fields: {\\n imr: 3,\\n event_type: 134217729,\\n digest:\\n 'f9974020ef507068183313d0ca808e0d1ca9b2d1ad0c61f5784e7157c362c06536f5ddacdad4451693f48fcc72fff624',\\n event: 'system-preparing',\\n event_payload: '',\\n },\\n layer: 5,\\n type: 'event_entry',\\n references: [\\n {\\n objectId: 'event_log_0',\\n fieldName: 'digest',\\n },\\n {\\n objectId: 'app_info',\\n fieldName: 'os_version',\\n },\\n ],\\n},\\n\\n// Event Log Entry 21\\n{\\n id: 'event_log_21',\\n name: 'Event Log 21',\\n description: 'Event type 134217729',\\n fields: {\\n imr: 3,\\n event_type: 134217729,\\n digest:\\n 'd76d6762eabbb167c9e629765171be7e1d734adcb20e59da4c04da6bbec5af09714088939a51843acb198e1182b28213',\\n event: 'app-id',\\n event_payload: '6bb6c81181b3b978547c8e0c8096ce1165a0920a',\\n },\\n layer: 5,\\n type: 'event_entry',\\n references: [\\n {\\n objectId: 'event_log_20',\\n fieldName: 'digest',\\n },\\n {\\n objectId: 'app_info',\\n fieldName: 'app_id',\\n },\\n ],\\n},\\n\\n// Event Log Entry 22\\n{\\n id: 'event_log_22',\\n name: 'Event Log 22',\\n description: 'Event type 134217729',\\n fields: {\\n imr: 3,\\n event_type: 134217729,\\n digest:\\n '0c03dc0fbbfc727499bce85def87555a1568613bdc11b4a4e6fc3a33384f0b78b122da488a17b692c897760ffc8eb3a3',\\n event: 'compose-hash',\\n event_payload: '83fb42f057856f08a452733fbde6058877da3a82c03b2835527a9f4c1804acb8',\\n },\\n layer: 5,\\n type: 'event_entry',\\n references: [\\n {\\n objectId: 'event_log_21',\\n fieldName: 'digest',\\n },\\n {\\n objectId: 'app_info',\\n fieldName: 'app_compose',\\n },\\n {\\n objectId: 'proof_report',\\n fieldName: 'mrseam',\\n },\\n ],\\n},\\n\\n// Event Log Entry 23\\n{\\n id: 'event_log_23',\\n name: 'Event Log 23',\\n description: 'Event type 134217729',\\n fields: {\\n imr: 3,\\n event_type: 134217729,\\n digest:\\n '1a32ab9553a74d74de1126fd443164708a36b7fd22855edba0076b2fd59551fc44e5e4fc84c84fd82198eb7231fb514e',\\n event: 'instance-id',\\n event_payload: '746f2ba17dd7ac4d00e377c32e8760925e0a715b',\\n },\\n layer: 5,\\n type: 'event_entry',\\n references: [\\n {\\n objectId: 'event_log_22',\\n fieldName: 'digest',\\n },\\n {\\n objectId: 'app_info',\\n fieldName: 'instance_id',\\n },\\n ],\\n},\\n\\n// Event Log Entry 24\\n{\\n id: 'event_log_24',\\n name: 'Event Log\"}]"
}
]Response:
Convert - Log Data
Model: gpt-4o-mini-2024-07-182025-06-26 07:35:28
Context:
[
{
"role": "system",
"content": "You are an assistant who is good at conversation. You need to summarize the user's conversation into a title of 10 characters or less. It should be in the format of \"Action - Title\". Some examples:\n1. Learn - Bitcoin 2. Code - Web Server 3. Write - An Article"
},
{
"role": "user",
"content": "User: chrome有什么好用的ai插件可以支持基于网页内容回答问题的吗\nAssistant: # Chrome 支持基于网页内容回答问题的AI插件\n\n以下是几款优秀的Chrome AI插件,可以帮助你基于网页内容回答问题:\n\n1. **WebChatGPT** - 允许ChatGPT访问网页内容,能够根据当前浏览的网页提供回答\n\n2. **Merlin** - 可以在任何网页上调用AI助手,支持基于当前页面内容回答问题\n\n3. **ChatGPT for Google** - 在搜索结果旁边显示ChatGPT回答,能够分析网页内容\n\n4. **HARPA AI** - 强大的网页内容分析工具,可以总结网页、回答相关问题\n\n5. **Glasp** - 网页高亮和笔记工具,集成AI可以基于高亮内容回答问题\n\n6. **Sider AI** - 侧边栏AI助手,可以基于当前浏览的网页内容提供回答\n\n7. **Monica** - 网页内容分析助手,可以回答关于网页内容的问题\n\n这些插件大多数都是免费的或提供免费版本,可以在Chrome网上应用店搜索并安装。"
}
]Response:
Explore - AI插件
Model: claude-3-7-sonnet-202502192025-06-26 07:35:27
Context:
[
{
"role": "user",
"content": "chrome有什么好用的ai插件可以支持基于网页内容回答问题的吗"
}
]Response:
# Chrome 支持基于网页内容回答问题的AI插件
以下是几款优秀的Chrome AI插件,可以帮助你基于网页内容回答问题:
1. **WebChatGPT** - 允许ChatGPT访问网页内容,能够根据当前浏览的网页提供回答
2. **Merlin** - 可以在任何网页上调用AI助手,支持基于当前页面内容回答问题
3. **ChatGPT for Google** - 在搜索结果旁边显示ChatGPT回答,能够分析网页内容
4. **HARPA AI** - 强大的网页内容分析工具,可以总结网页、回答相关问题
5. **Glasp** - 网页高亮和笔记工具,集成AI可以基于高亮内容回答问题
6. **Sider AI** - 侧边栏AI助手,可以基于当前浏览的网页内容提供回答
7. **Monica** - 网页内容分析助手,可以回答关于网页内容的问题
这些插件大多数都是免费的或提供免费版本,可以在Chrome网上应用店搜索并安装。
Model: gpt-4o-mini-2024-07-182025-06-26 05:03:01
Context:
[
{
"role": "system",
"content": "You are an assistant who is good at conversation. You need to summarize the user's conversation into a title of 10 characters or less. It should be in the format of \"Action - Title\". Some examples:\n1. Learn - Bitcoin 2. Code - Web Server 3. Write - An Article"
},
{
"role": "user",
"content": "User: 翻译成英文:不受控的代码管理\nAssistant: Translation to English: Uncontrolled Code Management"
}
]Response:
Translate - Code Mngmt
Model: claude-3-7-sonnet-202502192025-06-26 05:03:00
Context:
[
{
"role": "user",
"content": "翻译成英文:不受控的代码管理"
}
]Response:
Translation to English: Uncontrolled Code Management
Model: claude-3-7-sonnet-202502192025-06-26 02:46:33
Context:
[
{
"role": "user",
"content": "AI论文这么多 怎么筛选出最有价值的一些文章来阅读"
},
{
"role": "assistant",
"content": "# 如何筛选有价值的AI论文\n\n在AI领域论文数量爆炸式增长的今天,高效筛选有价值的论文确实是一个挑战。以下是一些实用策略:\n\n## 关注权威来源\n- **顶级会议论文**:CVPR, ICLR, NeurIPS, ICML, ACL等顶会论文通常质量较高\n- **知名实验室/公司**:关注Google DeepMind, OpenAI, Microsoft Research等机构发布的论文\n- **高引用论文**:使用Google Scholar查看引用次数较高的论文\n\n## 利用聚合工具\n- **Papers with Code**:展示附带代码实现的论文,且按任务分类\n- **arXiv Sanity Preserver**:提供个性化推荐和论文筛选\n- **Semantic Scholar**:利用AI帮助查找影响力高的论文\n\n## 关注综述性文章\n- 领域综述论文通常会总结近期重要进展\n- 年度技术回顾类文章可以快速了解重要突破\n\n## 建立个人筛选系统\n- **明确你的研究兴趣**:聚焦特定子领域而非泛泛阅读\n- **关注方法创新**:寻找提出新方法而非仅做小改进的论文\n- **实验验证充分**:检查论文是否有扎实的实验设计和充分的对比\n\n## 利用专家观点\n- 关注领域专家在Twitter/X、知乎等平台的推荐\n- 订阅AI领域的高质量通讯,如\"The Batch\"、\"Import AI\"等\n- 参与学术社区讨论,了解同行认为重要的工作\n\n记住,阅读策略应随着你的研究深入而调整,逐渐建立自己判断论文价值的标准。\n\n希望这些建议对你有所帮助!"
},
{
"role": "user",
"content": "怎么快速筛选顶会中近2-3年的高引论文"
}
]Response:
# 如何快速筛选顶会近2-3年的高引论文
要高效筛选AI顶级会议中近2-3年的高引用论文,可以采用以下系统性方法:
## 利用学术搜索引擎
### Google Scholar
1. 使用高级搜索功能,设置时间范围为2021-2023年
2. 搜索特定会议名称(如"CVPR"、"NeurIPS"等)
3. 按引用次数排序
4. 使用关键词进一步缩小范围(如"transformer"、"diffusion model"等)
### Semantic Scholar
1. 提供更精确的筛选功能
2. 可按会议名称、年份和引用次数排序
3. 提供"Influential Citations"指标,帮助识别真正有影响力的论文
### Microsoft Academic/Connected Papers
- 可视化展示论文间的引用关系,发现高影响力工作
## 直接访问会议网站
### 会议论文库
1. 访问CVPR、ICLR、NeurIPS等会议官方网站
2. 大多数会议提供"Best Paper"和"Outstanding Paper"列表
3. 部分会议提供按主题分类的论文列表
### OpenReview平台
- 对于ICLR等使用开放评审的会议,可查看评审分数和讨论
## 使用专业工具
### Papers With Code
1. 按任务领域浏览(如计算机视觉、NLP等)
2. 查看各任务的SOTA(最先进技术)论文
3. 筛选特定年份和会议的论文
### arXiv Sanity Preserver
- 提供个性化推荐和高级筛选功能
## 跟踪引用指标
1. 计算相对引用率:考虑论文发表时间长短的引用数量
2. 关注短期内引用增长快的论文
3. 设置引用阈值(如同期论文中引用数排名前10%)
## 实用技巧
- **创建自动提醒**:设置Google Scholar提醒,追踪特定会议的高引论文
- **关注研究机构**:DeepMind、OpenAI等机构在顶会发表的论文通常影响力较大
- **利用AI工具**:使用Connected Papers等工具生成论文关系图,识别关键节点论文
通过综合运用这些方法,你可以快速定位到近2-3年内最有影响力的顶会论文,提高文献筛选效率。
Model: gpt-4o-mini-2024-07-182025-06-26 02:45:31
Context:
[
{
"role": "system",
"content": "You are an assistant who is good at conversation. You need to summarize the user's conversation into a title of 10 characters or less. It should be in the format of \"Action - Title\". Some examples:\n1. Learn - Bitcoin 2. Code - Web Server 3. Write - An Article"
},
{
"role": "user",
"content": "[{\"role\":\"user\",\"mainText\":\"AI论文这么多 怎么筛选出最有价值的一些文章来阅读\"},{\"role\":\"assistant\",\"mainText\":\"# 如何筛选有价值的AI论文\\n\\n在AI领域论文数量爆炸式增长的今天,高效筛选有价值的论文确实是一个挑战。以下是一些实用策略:\\n\\n## 关注权威来源\\n- **顶级会议论文**:CVPR, ICLR, NeurIPS, ICML, ACL等顶会论文通常质量较高\\n- **知名实验室/公司**:关注Google DeepMind, OpenAI, Microsoft Research等机构发布的论文\\n- **高引用论文**:使用Google Scholar查看引用次数较高的论文\\n\\n## 利用聚合工具\\n- **Papers with Code**:展示附带代码实现的论文,且按任务分类\\n- **arXiv Sanity Preserver**:提供个性化推荐和论文筛选\\n- **Semantic Scholar**:利用AI帮助查找影响力高的论文\\n\\n## 关注综述性文章\\n- 领域综述论文通常会总结近期重要进展\\n- 年度技术回顾类文章可以快速了解重要突破\\n\\n## 建立个人筛选系统\\n- **明确你的研究兴趣**:聚焦特定子领域而非泛泛阅读\\n- **关注方法创新**:寻找提出新方法而非仅做小改进的论文\\n- **实验验证充分**:检查论文是否有扎实的实验设计和充分的对比\\n\\n## 利用专家观点\\n- 关注领域专家在Twitter/X、知乎等平台的推荐\\n- 订阅AI领域的高质量通讯,如\\\"The Batch\\\"、\\\"Import AI\\\"等\\n- 参与学术社区讨论,了解同行认为重要的工作\\n\\n记住,阅读策略应随着你的研究深入而调整,逐渐建立自己判断论文价值的标准。\\n\\n希望这些建议对你有所帮助!\"}]"
}
]Response:
Filter - AI文献
Model: claude-3-7-sonnet-202502192025-06-26 02:45:30
Context:
[
{
"role": "user",
"content": "AI论文这么多 怎么筛选出最有价值的一些文章来阅读"
}
]Response:
# 如何筛选有价值的AI论文
在AI领域论文数量爆炸式增长的今天,高效筛选有价值的论文确实是一个挑战。以下是一些实用策略:
## 关注权威来源
- **顶级会议论文**:CVPR, ICLR, NeurIPS, ICML, ACL等顶会论文通常质量较高
- **知名实验室/公司**:关注Google DeepMind, OpenAI, Microsoft Research等机构发布的论文
- **高引用论文**:使用Google Scholar查看引用次数较高的论文
## 利用聚合工具
- **Papers with Code**:展示附带代码实现的论文,且按任务分类
- **arXiv Sanity Preserver**:提供个性化推荐和论文筛选
- **Semantic Scholar**:利用AI帮助查找影响力高的论文
## 关注综述性文章
- 领域综述论文通常会总结近期重要进展
- 年度技术回顾类文章可以快速了解重要突破
## 建立个人筛选系统
- **明确你的研究兴趣**:聚焦特定子领域而非泛泛阅读
- **关注方法创新**:寻找提出新方法而非仅做小改进的论文
- **实验验证充分**:检查论文是否有扎实的实验设计和充分的对比
## 利用专家观点
- 关注领域专家在Twitter/X、知乎等平台的推荐
- 订阅AI领域的高质量通讯,如"The Batch"、"Import AI"等
- 参与学术社区讨论,了解同行认为重要的工作
记住,阅读策略应随着你的研究深入而调整,逐渐建立自己判断论文价值的标准。
希望这些建议对你有所帮助!
Model: claude-3-7-sonnet-202502192025-06-25 13:20:45
Context:
[
{
"role": "user",
"content": [
{
"type": "text",
"text": "Help me fill in the follow template given the project whitepaper and README file.\n\nFor fields with not enough info, leave it \"[blank]\".\n\n```\nProject Proposal Template\n\nGeneral Information\n1.1. Name of Project\n1.2. Project Description (what it does, why it is valuable, origin and history)\n1.3. How does this project align with the Consortium's Mission Statement\n1.4. Project website URL\n1.5. Social media accounts\n\nLegal Information\n2.1. Project Logo URL or attachment (Vector Graphic: SVG, EPS).\n2.2. Project license. We recommend an OSI-approved license, so if the license is not one on the list, explain why.\n2.3. Existing financial sponsorship.\n2.4. Trademark status.\n\nTechnical Information\n3.1. High level assessment of project synergy with existing projects under the CCC, including how the project compliments/overlaps with existing projects, and potential ways to harmonize over time. Responses may be included both inline and/or in accompanying documentation.\n3.2. Describe the Trusted Computing Base (TCB) of the project. If the project supports multiple environments please describe each TCB. Also identify if dependencies of other project (both CCC or non-CCC) TCBs are taken.\n3.3. Project Code of Conduct URL. We recommend a Contributor Covenant v2.0 based Code of Conduct, so if the Code of Conduct is not based on that, explain why.\n3.4. Source control URL\n3.5. Issue tracker URL\n3.6. External dependencies (including licenses, and indicate whether each is a build time or runtime dependency)\n3.7. Standards implemented by the project, if any. Include links to any such standards.\n3.8. Release methodology and mechanics\n3.9. Names of initial committers, if different from those submitting proposal\n3.10. List of project's official communication channels (slack, irc, mailing lists)\n3.11. Project Security Response Policy\n3.12. Preferred maturity level (Incubation, Graduation, or Emeritus) 3.13. Any additional information the TAC and Board should take into consideration when reviewing your proposal.\n```"
},
{
"type": "text",
"text": "README.md\n# Dstack\n\n[](https://deepwiki.com/Dstack-TEE/dstack)\n\nDstack is a **developer friendly** and **security first** SDK to simplify the deployment of arbitrary containerized apps into TEE.\n\nMain features:\n\n- 🔒 Deploy containerized apps securely in TEE in minutes\n- 🛠️ Use familiar tools - just write a docker-compose.yaml\n- 🔑 Safely manage secrets and sensitive data\n- 📡 Expose services via built-in TLS termination\n\nDstack is community driven. Open sourced and built by [Kevin Wang](https://github.com/kvinwang) and many others from [Phala Network](https://github.com/Phala-Network), inspired by [Andrew Miller](https://github.com/amiller) (Flashbots & Teleport), and contributed by [Nethermind](https://github.com/NethermindEth/nethermind) and [many others](#contributors).\n\n![Alt](https://repobeats.axiom.co/api/embed/0a001cc3c1f387fae08172a9e116b0ec367b8971.svg \"Repobeats analytics image\")\n\n# Overview\n\nComponents in Dstack:\n\n- `dstack-vmm`: A service running in bare TDX host to manage CVMs\n- `dstack-gateway`: A reverse proxy to forward TLS connections to CVMs\n- `dstack-kms`: A KMS server to generate keys for CVMs\n- `dstack-guest-agent`: A service running in CVM to serve containers' key derivation and attestation requests\n- `meta-dstack`: A Yocto meta layer to build CVM guest images\n\nThe overall architecture is shown below:\n\n\n# Directory structure\n\n```text\ndstack/\n kms/ A prototype KMS server\n guest-agent/ A service running in CVM to serve containers' key derivation and attestation requests.\n dstack-util/ A CLI tool in the guest setting up the system, getting TDX quote, extending RTMR, generating cert for RA-TLS, etc.\n vmm/ A service running in bare TDX host to manage CVMs\n gateway/ A reverse proxy to forward TLS connections to CVMs\n certbot/ A tool to automatically obtain and renew TLS certificates for dstack-gateway\n ra-rpc/ RA-TLS support for pRPC\n ra-tls/ RA-TLS support library\n tdx-attest/ Guest library for getting TDX quote and extending RTMR\n```\n\n# Build and play locally\n\n## Prerequisites\n\n- A bare metal TDX server setup following [canonical/tdx](https://github.com/canonical/tdx)\n- Public IPv4 address assigned to the machine\n- At least 16GB RAM, 100GB free disk space.\n- A domain with DNS access if you want to set up `dstack-gateway` for Zero Trust HTTPS\n\n> [!NOTE]\n>\n> This doc assumes you have access to a compatible Intel TDX Server ready to be configured with Dstack. Check the [Hardware Requirements](https://docs.phala.network/dstack/hardware-requirements) for more information on buying a bare metal server or renting a server from OVH. To start learning about Dstack check out the [docs](https://docs.phala.network/dstack/overview).\n>\n> If you are looking to deploy a CVM in minutes, go to the docs to learn how to [sign-up for a Phala Cloud Account](https://docs.phala.network/phala-cloud/getting-started/sign-up-for-cloud-account) and [deploy your first CVM on Dstack]((https://docs.phala.network/phala-cloud/getting-started/start-from-cloud-ui)).\n\n## Install dependencies\n\n```bash\n# for Ubuntu 24.04\nsudo apt install -y build-essential chrpath diffstat lz4 wireguard-tools xorriso\n# install rust\ncurl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sh\n```\n\n## Build and run for local development\n\n### Build the artifacts\n```bash\ngit clone https://github.com/Dstack-TEE/meta-dstack.git --recursive\ncd meta-dstack/\n\nmkdir build\ncd build\n../build.sh hostcfg\n# This outputs the following message:\n# Config file ../build-config.sh created, please edit it to configure the build\n\nvim ./build-config.sh\n```\n\nReview and customize the `build-config.sh` configuration file according to your environment requirements. The file contains network ports, domain settings, and other important parameters. Once configured, run the build script again to generate the necessary artifacts:\n\n```bash\n../build.sh hostcfg\n\n# If everything is okay, you should see the built artifacts in the `build` directory.\n$ ls\ncerts images dstack-kms kms.toml run dstack-vmm vmm.toml dstack-gateway gateway.toml\n```\n\n### Download guest image or build guest image from source\n\n```bash\n# This will download the guest image from the release page.\n../build.sh dl 0.5.2\n```\n\nOr build guest image from source:\n\n```bash\n# This will build the guest image from source using the yocto meta layer. This will take a while.\n../build.sh guest\n```\n\n> **Note on Reproducible Builds**: The build command above does not guarantee reproducibility. For reproducible builds across different build environments, please refer to the [reproducible build instructions](https://github.com/Dstack-TEE/meta-dstack?tab=readme-ov-file#reproducible-build-the-guest-image) in the meta-dstack repository.\n\n### Run components\nNow you can open 3 terminals to start the components:\n\n1. Run `./dstack-kms -c kms.toml`\n2. Run `sudo ./dstack-gateway -c gateway.toml`\n3. Run `./dstack-vmm -c vmm.toml`\n\n⚠️ *Warning: this is for local development, and the kms is not secure, so you should not use it in production.*\nFor production, you should follow the [deployment guide](./docs/deployment.md) and read the [security guide](./docs/security-guide/security-guide.md).\n\n## Deploy an App\nOpen the dstack-vmm webpage [http://localhost:9080](http://localhost:9080)(change the port according to your configuration) on your local machine to deploy a `docker-compose.yaml` file:\n\n\n\nAfter the container deployed, it should need some time to start the CVM and the containers. Time would be vary depending on your workload.\n\n- Click the [Logs] button to see the logs of the CVM, you can see if the container is finished starting there.\n\n- Once the container is running, you can click the [Dashboard] button to see some information of the container. And the logs of the containers can be seen in the [Dashboard] page.\n\n \n\n- You can open dstack-gateway's dashboard at [https://localhost:9070](https://localhost:9070) to see the CVM's wireguard ip address, as shown below:\n\n\n\n## Pass Secrets to Apps\nWhen deploying a new App, you can pass private data via Encrypted Environment Variables. These variables can be referenced in the docker-compose.yaml file as shown below:\n\n\n\nThe environment variables will be encrypted in the client-side and decrypted in the CVM before being passed to the containers.\n\n## Access the App\n\nOnce the app is deployed and listening on an HTTP port, you can access the HTTP service via dstack-gateway's public domain. The ingress mapping rules are:\n\n- `<id>[s].<base_domain>` maps to port `80` or `443` if with `s` in the CVM.\n- `<id>-<port>[s].<base_domain>` maps to port `<port>` in the CVM.\n\nFor example, `3327603e03f5bd1f830812ca4a789277fc31f577-8080.app.kvin.wang` maps to port `8080` in the CVM.\n\nWhere the `<id>` can be either the app id or the instance id. If the app id is used, one of the instances will be selected by the load balancer.\nIf the `id-port` part ends with `s`, it means the TLS connection will be passthrough to the app rather than terminating at dstack-gateway.\n\nYou can also ssh into the CVM to inspect more information, if your deployment uses the image `dstack-x.x.x-dev`:\n\n```bash\n# The IP address of the CVM can be found in the dstack-gateway dashboard.\nssh [email protected]\n```\n\n## Getting TDX quote in docker container\n\nTo get a TDX quote within app containers:\n\n1. Mount `/var/run/dstack.sock` to the target container in `docker-compose.yaml`\n\n ```yaml\n version: '3'\n services:\n nginx:\n image: nginx:latest\n volumes:\n - /var/run/dstack.sock:/var/run/dstack.sock\n ports:\n - \"8080:80\"\n restart: always\n ```\n\n2. Execute the quote request command in the container.\n\n ```bash\n # The argument report_data accepts binary data encoding in hex string.\n # The actual report_data passing the to the underlying TDX driver is sha2_256(report_data).\n curl --unix-socket /var/run/dstack.sock http://localhost/GetQuote?report_data=0x1234deadbeef | jq . \n ```\n\n## Container logs\n\nContainer logs can be obtained from the CVM's `dashboard` page or by curl:\n\n```bash\ncurl 'http://<appid>.app.kvin.wang:9090/logs/<container name>?since=0&until=0&follow=true&text=true×tamps=true&bare=true'\n```\n\nReplace `<appid>` and `<container name>` with actual values. Available parameters:\n\n- since=0: Starting Unix timestamp for log retrieval\n- until=0: Ending Unix timestamp for log retrieval\n- follow: Enables continuous log streaming\n- text: Returns human-readable text instead of base64 encoding\n- timestamps: Adds timestamps to each log line\n- bare: Returns the raw log lines without json format\n\nThe response of the RPC looks like:\n```\n$ curl 'http://0.0.0.0:9190/logs/zk-provider-server?text×tamps'\n{\"channel\":\"stdout\",\"message\":\"2024-09-29T03:05:45.209507046Z Initializing Rust backend...\\n\"}\n{\"channel\":\"stdout\",\"message\":\"2024-09-29T03:05:45.209543047Z Calling Rust function: init\\n\"}\n{\"channel\":\"stdout\",\"message\":\"2024-09-29T03:05:45.209544957Z [2024-09-29T03:05:44Z INFO rust_prover] Initializing...\\n\"}\n{\"channel\":\"stdout\",\"message\":\"2024-09-29T03:05:45.209546381Z [2024-09-29T03:05:44Z INFO rust_prover::groth16] Starting setup process\\n\"}\n```\n\n## TLS Passthrough with Custom Domain\n\ndstack-gateway supports TLS passthrough for custom domains.\n\nSee the example [here](https://github.com/Dstack-TEE/dstack-examples/tree/main/custom-domain/dstack-ingress) for more details.\n\n## Upgrade an App\n\nGot to the dstack-vmm webpage, click the [Upgrade] button, select or paste the compose file you want to upgrade to, and click the [Upgrade] button again.\nThe app id does not change after the upgrade. Stop and start the app to apply the upgrade.\n\n## HTTPS Certificate Transparency\n\nIn the tutorial above, we used a TLS certificate with a private key external to the TEE. To establish trust, we need to generate and maintain the certificate's private key within the TEE and provide evidence that all TLS certificates for the domain were originate solely from dstack-gateway CVM.\n\nBy combining Certificate Transparency Logs and CAA DNS records, we can make best effort to minimize security risks. Here's our approach:\n\n- Set CAA records to allow only the account created in dstack-gateway CVM to request Certificates.\n- Launch a program to monitor Certificate Transparency Log and give alarm once any certificate issued to a pubkey that isn’t generated by dstack-gateway CVM.\n\n### Configurations\n\nTo launch Certbot, you need to own a domain hosted on Cloudflare. Obtain an API token with DNS operation permissions from the Cloudflare dashboard. Configure it in the `build-config.sh`:\n\n```bash\n# The directory to store the auto obtained TLS certificate and key\nGATEWAY_CERT=${CERBOT_WORKDIR}/live/cert.pem\nGATEWAY_KEY=${CERBOT_WORKDIR}/live/key.pem\n\n# for certbot\nCF_ZONE_ID=cc0a40...\nCF_API_TOKEN=g-DwMH...\n# ACME_URL=https://acme-v02.api.letsencrypt.org/directory\nACME_URL=https://acme-staging-v02.api.letsencrypt.org/directory\n```\n\nThen re-run the ../build.sh:\n\n```bash\n../build.sh\n```\n\n### Launch certbot\n\nThen run the certbot in the `build/` and you will see the following log:\n```text\n$ RUST_LOG=info,certbot=debug ./certbot renew -c certbot.toml\n2024-10-25T07:41:00.682990Z INFO certbot::bot: creating new ACME account\n2024-10-25T07:41:00.869246Z INFO certbot::bot: created new ACME account: https://acme-staging-v02.api.letsencrypt.org/acme/acct/168601853\n2024-10-25T07:41:00.869270Z INFO certbot::bot: setting CAA records\n2024-10-25T07:41:00.869276Z DEBUG certbot::acme_client: setting guard CAA records for app.kvin.wang\n2024-10-25T07:41:01.740767Z DEBUG certbot::acme_client: removing existing CAA record app.kvin.wang 0 issuewild \"letsencrypt.org;validationmethods=dns-01;accounturi=https://acme-staging-v02.api.letsencrypt.org/acme/acct/168578683\"\n2024-10-25T07:41:01.991298Z DEBUG certbot::acme_client: removing existing CAA record app.kvin.wang 0 issue \"letsencrypt.org;validationmethods=dns-01;accounturi=https://acme-staging-v02.api.letsencrypt.org/acme/acct/168578683\"\n2024-10-25T07:41:02.216751Z DEBUG certbot::acme_client: setting CAA records for app.kvin.wang, 0 issue \"letsencrypt.org;validationmethods=dns-01;accounturi=https://acme-staging-v02.api.letsencrypt.org/acme/acct/168601853\"\n2024-10-25T07:41:02.424217Z DEBUG certbot::acme_client: setting CAA records for app.kvin.wang, 0 issuewild \"letsencrypt.org;validationmethods=dns-01;accounturi=https://acme-staging-v02.api.letsencrypt.org/acme/acct/168601853\"\n2024-10-25T07:41:02.663824Z DEBUG certbot::acme_client: removing guard CAA records for app.kvin.wang\n2024-10-25T07:41:03.095564Z DEBUG certbot::acme_client: generating new cert key pair\n2024-10-25T07:41:03.095678Z DEBUG certbot::acme_client: requesting new certificates for *.app.kvin.wang\n2024-10-25T07:41:03.095699Z DEBUG certbot::acme_client: creating new order\n2024-10-25T07:41:03.250382Z DEBUG certbot::acme_client: order is pending, waiting for authorization\n2024-10-25T07:41:03.283600Z DEBUG certbot::acme_client: creating dns record for app.kvin.wang\n2024-10-25T07:41:04.027882Z DEBUG certbot::acme_client: challenge not found, waiting 500ms tries=2 domain=\"_acme-challenge.app.kvin.wang\"\n2024-10-25T07:41:04.600711Z DEBUG certbot::acme_client: challenge not found, waiting 1s tries=3 domain=\"_acme-challenge.app.kvin.wang\"\n2024-10-25T07:41:05.642300Z DEBUG certbot::acme_client: challenge not found, waiting 2s tries=4 domain=\"_acme-challenge.app.kvin.wang\"\n2024-10-25T07:41:07.715947Z DEBUG certbot::acme_client: challenge not found, waiting 4s tries=5 domain=\"_acme-challenge.app.kvin.wang\"\n2024-10-25T07:41:11.724831Z DEBUG certbot::acme_client: challenge not found, waiting 8s tries=6 domain=\"_acme-challenge.app.kvin.wang\"\n2024-10-25T07:41:19.815990Z DEBUG certbot::acme_client: challenge not found, waiting 16s tries=7 domain=\"_acme-challenge.app.kvin.wang\"\n2024-10-25T07:41:35.852790Z DEBUG certbot::acme_client: setting challenge ready for https://acme-staging-v02.api.letsencrypt.org/acme/chall-v3/14584884443/mQ-I2A\n2024-10-25T07:41:35.934425Z DEBUG certbot::acme_client: challenges are ready, waiting for order to be ready\n2024-10-25T07:41:37.972434Z DEBUG certbot::acme_client: order is ready, uploading csr\n2024-10-25T07:41:38.052901Z DEBUG certbot::acme_client: order is processing, waiting for challenge to be accepted\n2024-10-25T07:41:40.088190Z DEBUG certbot::acme_client: order is valid, getting certificate\n2024-10-25T07:41:40.125988Z DEBUG certbot::acme_client: removing dns record 6ab5724e8fa7e3e8f14e93333a98866a\n2024-10-25T07:41:40.377379Z DEBUG certbot::acme_client: stored new cert in /home/kvin/codes/meta-dstack/dstack/build/run/certbot/backup/2024-10-25T07:41:40.377174477Z\n2024-10-25T07:41:40.377472Z INFO certbot::bot: checking if certificate needs to be renewed\n2024-10-25T07:41:40.377719Z DEBUG certbot::acme_client: will expire in Duration { seconds: 7772486, nanoseconds: 622281542 }\n2024-10-25T07:41:40.377752Z INFO certbot::bot: certificate /home/kvin/codes/meta-dstack/dstack/build/run/certbot/live/cert.pem is up to date\n```\n\nWhere the command did are:\n\n- Registered to letsencrypt and got a new account `https://acme-staging-v02.api.letsencrypt.org/acme/acct/168601853`\n- Auto set CAA records for the domain on cloudflare, you can open the CF dashboard to see the record:\n\n \n\n- Auto requested a new certificate from Let's Encrypt. Automatically renews the certificate to maintain its validity\n\n### Launch dstack-gateway\n\nExecute dstack-gateway with `sudo ./dstack-gateway -c gateway.toml`, then access the web portal to check the dstack-gateway CVM managed Let's Encrypt account. The account's private key remains securely sealed within the TEE.\n\n\n\n## Certificate transparency log monitor\n\nTo enhance security, we've limited TLS certificate issuance to dstack-gateway via CAA records. However, since these records can be modified through Cloudflare's domain management, we need to implement global CA certificate monitoring to maintain security oversight.\n\n`ct_monitor` tracks Certificate Transparency logs via [https://crt.sh](https://crt.sh/?q=app.kvin.wang), comparing their public key with the ones got from dstack-gateway RPC. It immediately alerts when detecting unauthorized certificates not issued through dstack-gateway:\n\n```text\n$ ./ct_monitor -t https://localhost:9010/prpc -d app.kvin.wang\n2024-10-25T08:12:11.366463Z INFO ct_monitor: monitoring app.kvin.wang...\n2024-10-25T08:12:11.366488Z INFO ct_monitor: fetching known public keys from https://localhost:9010/prpc\n2024-10-25T08:12:11.566222Z INFO ct_monitor: got 2 known public keys\n2024-10-25T08:12:13.142122Z INFO ct_monitor: ✅ checked log id=14705660685\n2024-10-25T08:12:13.802573Z INFO ct_monitor: ✅ checked log id=14705656674\n2024-10-25T08:12:14.494944Z ERROR ct_monitor: ❌ error in CTLog { id: 14666084839, issuer_ca_id: 295815, issuer_name: \"C=US, O=Let's Encrypt, CN=R11\", common_name: \"kvin.wang\", name_value: \"*.app.kvin.wang\", not_before: \"2024-09-24T02:23:15\", not_after: \"2024-12-23T02:23:14\", serial_number: \"03ae796f56a933c8ff7e32c7c0d662a253d4\", result_count: 1, entry_timestamp: \"2024-09-24T03:21:45.825\" }\n2024-10-25T08:12:14.494998Z ERROR ct_monitor: error: certificate has issued to unknown pubkey: 30820122300d06092a864886f70d01010105000382010f003082010a02820101009de65c767caf117880626d1acc1ee78f3c6a992e3fe458f34066f92812ac550190a67e49ebf4f537003c393c000a8ec3e114da088c0cb02ffd0881fd39a2b32cc60d2e9989f0efab3345bee418262e0179d307d8d361fd0837f85d17eab92ec6f4126247e614aa01f4efcc05bc6303a8be68230f04326c9e85406fc4d234e9ce92089253b11d002cdf325582df45d5da42981cd546cbd2e9e49f0fa6636e747a345aaf8cefa02556aa258e1f7f90906be8fe51567ac9626f35bc46837e4f3203387fee59c71cea400000007c24e7537debc1941b36ff1612990233e4c219632e35858b1771f17a71944adf6c657dd7303583e3aeed199bd36a3152f49980f4f30203010001\n```\n\n# Troubleshooting\n\n### Error from dstack-vmm: qemu-system-x86_64: -device vhost-vsock-pci,guest-cid=<id>: vhost-vsock: unable to set guest cid: Address already in use\n\n`dstack-vmm` may throw this error when creating a new VM if the [Unix Socket CID](https://man7.org/linux/man-pages/man7/vsock.7.html) is occupied. To solve the problem, first, you should list the occupied CID:\n\n```bash\nps aux | grep 'guest-cid='\n```\n\nThen choose a new range of the CID not conflicting with the CID in use. You can change `build/vmm.toml` file and restart `dstack-vmm`. This error should disappear. For example, you may find 33000-34000 free to use:\n\n```toml\n[cvm]\ncid_start = 33000\ncid_pool_size = 1000\n```\n\nWhen building the dstack from scratch, you should change the CID configs in `build-config.sh` instead, because `vmm.toml` file is generated by `build.sh`. Its content is derived from `build-config.sh`.\n\nYou may encounter this problem when upgrading from an older version of dstack, because CID was introduced in `build-config.sh` in later versions. In such case, please follow the docs to add the missing entries in `build-config.sh` and rebuild dstack.\n\n### Error: Operation not permitted when building guest image\n\nWhen running `../build.sh guest`, you might encounter this error:\n\n```\nTraceback (most recent call last):\n File \"/meta-dstack/poky/bitbake/bin/bitbake-worker\", line 278, in child\n bb.utils.disable_network(uid, gid)\n File \"/meta-dstack/poky/bitbake/lib/bb/utils.py\", line 1696, in disable_network\n with open(\"/proc/self/uid_map\", \"w\") as f:\nPermissionError: [Errno 1] Operation not permitted\n```\n\nThis error occurs because Ubuntu 23.10 and later versions restrict unprivileged user namespaces by default. To fix this, run:\n\n```bash\nsudo sysctl kernel.apparmor_restrict_unprivileged_userns=0\n```\n\nThen try building again. For more information about this restriction, see the [Ubuntu discourse post](https://discourse.ubuntu.com/t/spec-unprivileged-user-namespace-restrictions-via-apparmor-in-ubuntu-23-10/37626).\n\n\n# Contributors\n\nDstack is proudly built by open source and Pi-rateship contributors:\n\n- Phala Network: [Kevin Wang](https://github.com/kvinwang), [Shelven Zhou](https://github.com/shelvenzhou), [Leechael](https://github.com/leechael)\n- Teleport: [Andrew Miller](https://github.com/amiller), [Sxy Sun](https://github.com/sxysun)\n- Flashbots: [Tina](https://github.com/CarboClanC), [Mateusz](https://github.com/Ruteri), [Dmarz](https://github.com/dmarzzz), [Moe](https://github.com/MoeMahhouk)\n- Ithaca: [Georgios](https://github.com/gakonst)\n- Fabric: [@gaoist](https://x.com/gaoist)\n- And many more...\n\nThe inspiration for this work stems from [Andrew Miller](https://github.com/amiller)’s pioneering concept of a [Docker-based P2P TEE SDK](https://collective.flashbots.net/t/dstack-speedrunning-a-p2p-confidential-vm/3876).\n\nThis project cannot be built without standing on the shoulders of giants:\n\n- [konvera/meta-confidential-compute](https://github.com/konvera/meta-confidential-compute)\n\nSpecial acknowledgment to [Flashbots](https://github.com/flashbots) for building a community around TEE. The TEE Hacker House initiative, organized by [Flashbots](https://github.com/flashbots) and led by [Tina](https://github.com/CarboClanC), has brought together TEE builders to develop tools for TEE-Web3 integration. This collaborative journey has generated invaluable insights for advancing secure, confidential environments within Web3.\n\nTogether, we’re shaping the future of TEE in Web3, paving the way for more secure and developer-accessible confidential computing!\n\nFor a full list of the direct contributors to this repo, see [Contributors](https://github.com/Dstack-TEE/dstack/contributors) on GitHub.\n\n\n# License\n\nCopyright 2024 Phala Network and Contributors.\n\nLicensed under the Apache License, Version 2.0 (the \"License\"); you may not use this file except in compliance with the License. You may obtain a copy of the License at\n\n[http://www.apache.org/licenses/LICENSE-2.0](http://www.apache.org/licenses/LICENSE-2.0)"
},
{
"type": "text",
"text": "main.pdf\nDstack: A Zero Trust Framework for Confidential Containers\nJune 23, 2025\nAbstract\nWeb3 applications require execution platforms that maintain confidentiality and integrity with-\nout relying on centralized trust authorities. While Trusted Execution Environments (TEEs) offer\npromising capabilities for confidential computing, current implementations face significant limita-\ntions in security reliability, censorship resistance, and vendor independence when applied to Web3\ncontexts. This paper presents Dstack, a comprehensive framework that transforms raw TEE tech-\nnology into a true Zero Trust platform aligned with Web3 principles. We introduce three key\ninnovations: (1) Portable Confidential Containers that enable seamless workload migration across\nheterogeneous TEE environments while maintaining security guarantees, (2) Decentralized Code\nManagement that leverages smart contracts for transparent governance of TEE applications, and\n(3) Verifiable Domain Management that ensures secure and verifiable application identity without\ncentralized authorities. Through these innovations, implemented via Dstack-OS, Dstack-KMS, and\nDstack-Gateway components, we demonstrate how to achieve both the performance advantages of\nVM-level TEE solutions and the trustless guarantees required by Web3 applications. Our evalu-\nation shows that Dstack provides comprehensive security guarantees while maintaining practical\nusability for real-world applications.\n1 Introduction\nThe Web3 ecosystem represents a paradigm shift in digital trust models, fundamentally transforming\nthe relationship between users and application developers. Unlike traditional systems, Web3 empowers\nusers with unprecedented control over their data through the principle of ”Code is Law” - once deployed,\ncode operates autonomously and independently of external control. This transformation demands\nrobust execution platforms that maintain confidentiality and integrity without relying on centralized\ntrust authorities.\nFigure 1: The evolution of trust models from Web2 to Web3, highlighting the shift from centralized control\nto decentralized governance and execution.\nThe contrast between Web2 and Web3 architectures in Figure 1 illustrates this fundamental shift.\nIn Web2 systems, developers maintain complete control through proprietary applications and central-\nized servers, retaining administrative privileges to access and modify user data at will. Web3’s smart\n1\ncontracts, however, represent the first significant step toward true trustlessness by executing pro-\ngrams on decentralized platforms (blockchains). Once deployed, administrators cannot influence pro-\ngram execution, and lifecycle management (e.g., code updates) follows predefined agreements through\ndemocratic governance mechanisms like multi-signature wallets and Decentralized Autonomous Orga-\nnizations (DAOs). This emerging trust model extends beyond basic applications to mission-critical\nscenarios such as AI model training, where data providers and model developers often have competing\ninterests, and autonomous AI agents designed to operate independently of human intervention. In\nthese contexts, Zero Trust platforms become essential to host applications and enforce verification\nmechanisms that appropriately constrain developer authority.\nA Zero Trust platform must enforce the following key principles:\n• Code is Law: This manifests in two dimensions: (1) the application logic, once deployed, cannot\nbe changed unexpectedly; and (2) the lifecycle management of code—including deployment,\nupgrades, and deletion—follows predefined governance rules.\n• Censorship Resistance: User data remains beyond the control of any single entity, with data\navailability protected against Denial-of-Service attacks.\n• Full Chain-of-Trust: When users interact with applications on a Zero Trust platform, they\nmust be able to verify all aspects of that application, including network setup, application identity\nand code logic, underlying hardware, and execution environment.\n• Assume Breach: The platform operates under the assumption that compromises will occur,\nimplementing mechanisms for damage containment, rapid recovery, and minimization of data\nexposure during security incidents.\nConfidential Computing, particularly through Trusted Execution Environments (TEEs), has emerged\nas a promising foundation for extending blockchain capabilities to support complex computational tasks\nwith confidentiality guarantees. Recent advances in VM-level TEE solutions, including Intel TDX and\nAMD SEV, have demonstrated substantial performance improvements and developer-friendly inter-\nfaces, making them compelling candidates for Web3 deployment. The integration of GPUs within\nTEEs [?] now enables verifiable execution of both Large Language Models and AI agents, providing\ncryptographic guarantees of computational integrity.\nHowever, a significant gap exists between raw TEE technology and the requirements of a true Zero\nTrust platform. Current TEE implementations face several critical limitations when applied to Web3\ncontexts:\n• Security Reliability: Recent vulnerability discoveries in TEE systems have raised significant con-\ncerns about their effectiveness as trust anchors. The persistence of side-channel attacks and\nmicro-architectural vulnerabilities undermines confidence in TEE security guarantees, particu-\nlarly for high-value Web3 applications where a single compromise could lead to catastrophic data\nexposure.\n• Censorship Vulnerability: Conventional TEE encryption schemes bind encryption keys to spe-\ncific hardware instances, creating single points of failure that contradict Web3’s requirement\nfor censorship resistance. This architectural limitation means that data availability cannot be\nguaranteed if specific hardware instances are compromised or become unavailable.\n• Vendor Dependencies: Current trust models heavily rely on centralized hardware manufacturers\nand verification processes, introducing risks of vendor lock-in and potential censorship vectors.\nThis centralization contradicts Web3’s core principles of decentralization and trustlessness.\n• Incomplete Verifiability: While TEEs provide Remote Attestation capabilities to verify applica-\ntion and hardware identity, they fail to deliver the comprehensive chain of trust required in Zero\nTrust environments. Users need guarantees that programs will process their data as expected\nand cannot be modified without proper authorization—capabilities beyond current attestation\nmechanisms.\nTo bridge this gap between raw TEE technology and Zero Trust requirements, we present Dstack,\na comprehensive framework for confidential containers that introduces three key innovations:\n2\n• Portable Confidential Container: Our architecture enables seamless migration of confidential\nworkloads across different TEE instances and hardware vendors, significantly reducing vendor\nlock-in risks while maintaining robust security guarantees. This innovation directly addresses the\ncensorship vulnerability and vendor dependency limitations by providing hardware abstraction\nand state continuity across heterogeneous TEE environments.\n• Decentralized Code Management: We implement a comprehensive governance framework\nthat leverages smart contracts for transparent and decentralized management of TEE applica-\ntions. This system ensures verifiable deployment and upgrade processes, enforcing the “Code\nis Law” principle by binding application lifecycles to on-chain governance decisions. This inno-\nvation addresses the incomplete verifiability limitation by creating an immutable audit trail of\napplication changes.\n• Verifiable Domain Management: Our novel approach to certificate management ensures that\nconfidential containers can exclusively control domains and provide native HTTPS support to\nTEE applications without relying on centralized authorities. This system serves as a middleware\nbetween TEE applications and existing TLS-based networks, enabling users to establish end-to-\nend encrypted channels to TEE applications without modifications to client software.\nThese innovations are implemented through a cohesive system architecture comprising three core\ncomponents:\n• Dstack-OS: A hardware abstraction layer with a minimized operating system image that elimi-\nnates differences in underlying TEE hardware while reducing the attack surface. This component\nprovides a consistent, secure runtime environment across diverse TEE implementations.\n• Dstack-KMS: A blockchain-controlled key management service that replaces hardware-based\nencryption schemas with an independent service for generating and managing secret keys. This\ncomponent enables secure data migration across TEE instances and supports key rotation to\nprovide forward and backward data secrecy, mitigating the impact of potential TEE compromises.\n• Dstack-Ingress and Dstack-Gateway: Complementary systems providing TEE-controlled domain\nmanagement through different approaches—Dstack-Ingress enables applications to specify cus-\ntom domains with minimal integration requirements, while Dstack-Gateway offers pre-registered\nwildcard domains requiring no application code changes.\nBy addressing the critical limitations of current TEE implementations, Dstack establishes a compre-\nhensive framework that transforms raw TEE technology into a true Zero Trust platform aligned with\nWeb3’s fundamental principles. Our approach not only enhances the security and reliability of confi-\ndential computing but also provides a practical path toward truly decentralized, censorship-resistant\ninfrastructure for next-generation applications.\nThe remainder of this paper details the technical design of Dstack, evaluates its performance and\nsecurity characteristics, and demonstrates how our innovations collectively create a Zero Trust platform\nthat maintains the performance advantages of VM-level TEE solutions while addressing their inherent\nlimitations in Web3 contexts.\n2 System Design\n2.1 Portable Confidential Container\nContainerization has transformed cloud-native application deployment by providing unparalleled porta-\nbility and scalability through effective data separation. These capabilities are particularly critical for\nTrusted Execution Environment (TEE) applications, as they directly address the inherent limitations\noutlined in Section 1:\n• Security Reliability: Containerized applications can be efficiently transferred from compro-\nmised TEE hardware to secure instances, preserving code integrity. Together with our secure\ndata migration mechanism that ensures both forward and backward secrecy, this approach sig-\nnificantly limits privacy leakage risks even when individual TEE instances are compromised.\n3\nFigure 2: The architecture of Dstack, including Dstack-OS and Dstack-KMS. Dstack-OS provides a hardware\nabstraction layer with a minimized operating system image, while Dstack-KMS replaces the hardware-based\ndata encryption keys with a blockchain-controlled key management service. TODO: redraw this to put the\ncomponents into solutions.\n• Censorship Resistance: The architecture’s inherent scalability provides robust defense against\nDenial-of-Service attacks. Additionally, by decoupling data storage from execution environments,\nestablished data availability solutions can be readily integrated to ensure persistent access to\napplication data.\n• Vendor Independence: Our hardware abstraction layer enables confidential containers to\noperate across diverse TEE hardware platforms without modification, eliminating vendor lock-in\nwhile facilitating rapid adoption of emerging TEE technologies as they become available.\nHowever, implementing truly portable confidential containers presents substantial technical chal-\nlenges that differentiate them from conventional containerization. Two fundamental obstacles must be\novercome:\nFirst, existing TEE implementations generate data sealing keys derived from hardware-bound root\nkeys unique to each TEE instance. This architectural design creates an inherent barrier to portability\n— data encrypted by one TEE instance cannot be decrypted by any other, even when running identical\napplication code. Prior research has largely circumvented this limitation by restricting TEEs to state-\nless applications, but this approach severely constrains their utility in complex real-world scenarios.\nSecond, TEE implementations from different vendors impose disparate specifications for deploy-\nable programs. This fragmentation forces developers to create and maintain multiple artifacts across\nplatforms, each requiring separate (and expensive) code reviews to verify functional equivalence — a\nprocess that undermines the trust guarantees central to Web3 applications.\nTo address these challenges comprehensively, we introduce two complementary components: Dstack-\nKMS and Dstack-OS.\n2.1.1 Dstack-KMS: Blockchain-Controlled Secret Derivation\nDstack-KMS is a secret derivation service that fundamentally transforms how encryption keys are\nmanaged in confidential computing environments. Its primary function is to generate a unique and\nstable secret (the Root Key ) for each application based on its code and configurations. This root key\n4\nserves as the foundation for deriving additional application-specific secrets used for data encryption\nand verifiable random number generation.\nUnlike hardware-based encryption approaches, Dstack-KMS deliberately decouples key generation\nfrom specific TEE hardware instances. This architectural decision enables the critical capability of\nencrypted data migration between different TEE instances, with decryption possible after\nproper authorization. This feature is essential for achieving true censorship resistance.\nGiven its position as the root-of-trust for the entire system, the verifiability and availability of\nDstack-KMS are paramount. Unlike previous approaches [?] that assume TEE infallibility, our threat\nmodel explicitly acknowledges that TEEs can be compromised. To address this reality, Dstack-\nKMS implements comprehensive key rotation capabilities that provide both backward and forward\nsecrecy for application data. This ensures that even if a specific TEE hardware instance is compromised,\napplications can be migrated with limited data exposure.\nFigure 3: The key derivation hierarchy of Intel SGX illustrates how conventional TEE implementations bind\nencryption keys to hardware.\nTo understand the limitations of conventional approaches, Figure 3 illustrates the key derivation\nhierarchy in Intel SGX. This design uses a hardware-bound key to both identify the TEE instance (for\nRemote Attestation) and generate encryption keys for data sealing. While this approach effectively\nestablishes hardware identity, it fundamentally undermines censorship resistance:\n• The root key cannot be updated, meaning a compromised TEE with a leaked root key remains\npermanently vulnerable even after patching the underlying vulnerability.\n• Encrypted data becomes intrinsically bound to specific TEE hardware instances, creating single\npoints of failure that contradict Web3’s censorship resistance requirements.\nOur Dstack-KMS addresses these limitations by delegating secret generation to an independent\nservice that ensures encrypted data remains portable across TEE instances.\nAs illustrated in Figure 4, Dstack-KMS comprises an on-chain governance smart contract coupled\nwith an off-chain peer-to-peer network where the actual secret derivation service operates. To ensure\ncomprehensive verifiability of the Dstack-KMS program’s integrity and correctness, we implement a\nmulti-stage verification process:\n1. The Dstack-KMS codebase is fully open-sourced [?], enabling thorough code and security reviews\nto verify key management logic and ensure the absence of backdoors.\n5\nFigure 4: The architecture of Dstack-KMS combines on-chain governance through smart contracts with an\noff-chain P2P network of secret derivation service nodes. This design ensures both verifiability and resilience\nagainst compromise.\n2. Executable binaries are produced through reproducible build processes, allowing verifiers to\nconfirm that the runtime code matches the reviewed source code.\n3. The cryptographic digest of valid executables is published through the governance smart contract,\ncreating an immutable reference for verification.\n4. Each service node operates within its own TEE instance. Critically, we rely on the TEE solely for\nmeasuring the executable and ensuring it matches the on-chain digest—not for the fundamental\nsecurity of the key management process.\nThis verification framework ensures that Dstack-KMS remains trustworthy to any third-party verifier\nwhile avoiding dependency on the absolute security of any single TEE instance.\nThe core logic of each Dstack-KMS service node is intentionally minimalist, focusing exclusively on\nthe generation and secure distribution of the root key, along with deriving encryption keys for TEE\napplications. This simplicity enables the implementation of Multi-Party Computation (MPC) based\nthreshold key generation and derivation without concerning performance overhead. We have developed\ntwo complementary implementations:\n• Simple Duplication: The first node in the P2P network generates a cryptographically secure\nrandom number as the root key, then shares it with other nodes after verifying their attestation\nreports. All nodes maintain identical copies of the root key and derive consistent encryption keys\nfor applications. This approach maximizes availability—as long as at least one node remains\noperational, the root key can be recovered.\n• MPC-Based Key Generation: While simple duplication provides robust availability, it cre-\nates vulnerability to single-node compromises. Our MPC implementation uses Shamir’s Secret\nSharing scheme [?] to distribute the root key across multiple nodes, ensuring that compromising\nany individual node (or even up tot− 1 nodes, wheret is the configured threshold) does not\nexpose the root key. This approach also enables advanced features like key rotation without\nrequiring application reconfiguration.\nKey Derivation Dstack-KMS implements a comprehensive key derivation framework to generate\napplication-specific keys from the root key:\n• Application CA Key: Derived from the root CA key using the application’s unique identifier\n(calculated as the hash of the application’s code and configuration).\n• Disk Encryption Key: Derived using a combination of the application identifier and instance\nidentifier, enabling secure storage with portability.\n6\n• Environment Encryption Key: Derived using the application identifier alone, allowing secure\nenvironment variable management across instances.\n• ECDSA Key: Derived from the root ECDSA key, providing applications with consistent cryp-\ntographic identity for signing operations.\nEach derived key maintains cryptographic isolation while ensuring consistency across different TEE\ninstances running the same application.\nKey Rotation A critical security feature of Dstack-KMS is its support for key rotation, which signif-\nicantly limits the exposure window during potential attacks while ensuring both forward and backward\nsecrecy for sealed data. Key rotation procedures are initiated exclusively through the governance smart\ncontract, ensuring transparency and auditability. We discuss two distinct rotation mechanisms:\n• Root Key Share Rotation: Our MPC-based implementation enables rotation of individual\nkey shares without modifying the root key itself. This process enhances root key security by\nregularly updating the distribution mechanism while remaining transparent to applications, as\nall derived application keys remain unchanged.\n• Root Key Rotation: In scenarios where the root key may have been compromised, we support\ncomplete root key rotation. This process generates an entirely new root key and implements a\ncontrolled handover period during which both old and new keys remain valid. This transition\nwindow allows applications to re-encrypt their data with keys derived from the new root key\nbefore the old root key is permanently destroyed, minimizing service disruption while enhancing\nsecurity.\nThrough these mechanisms, Dstack-KMS provides the foundation for truly portable confidential con-\ntainers by decoupling encryption from hardware dependencies while maintaining robust security guar-\nantees.\n2.1.2 Dstack-OS: Hardware Abstraction Layer\nDstack-OS provides a comprehensive hardware abstraction layer with a minimized operating system\nimage that bridges the gap between application containers and VM-level TEE implementations. This\nlayer enables applications to deploy across diverse TEE environments without code modifications while\nmaintaining security integrity. As a shared component across all TEE applications, Dstack-OS must be\nintrinsically secure and verifiable, with no administrative backdoors that could compromise program\ncode or user data.\nVM-level TEE solutions typically require developers to provide complete system images encom-\npassing bootloader, kernel, operating system, and application components. This requirement not\nonly increases development complexity but also introduces potential security vulnerabilities through\nmisconfigured system components. A secure and properly configured operating system environment\nfundamentally determines the security baseline for all TEE applications built upon it.\nFigure 5 illustrates how Dstack-OS establishes a secure and verifiable startup chain from the TEE\nhardware foundation through to user-provided container images. Our modular design ensures that the\nmajority of the system can be reused across different TEE hardware implementations, substantially\nreducing the effort required for code review and security auditing. Combined with reproducible build\nprocesses, this approach enables comprehensive verification of Dstack-OS with minimal overhead while\nsupporting multiple TEE hardware platforms.\nUsing Intel TDX as an exemplar (with similar procedures applicable to other TEE implementa-\ntions like AMD SEV), Dstack-OS consists of the following components, presented in boot sequence\norder. During this process, each component measures the next one and records these measurements\nin hardware registers, which are ultimately incorporated into the TEE attestation report:\n• Hypervisor: When application deployment initiates, the underlying hypervisor (the TDX mod-\nule) loads the Open Virtual Machine Firmware (OVMF), enabling UEFI support for confidential\nvirtual machines. The TDX module measures the OVMF code and records its cryptographic\ndigest in the MRTD register, with the hypervisor’s integrity guaranteed by the TEE hardware\nitself.\n7\nFigure 5: The architecture of Dstack-OS establishes a secure and verifiable startup chain from TEE hardware\nthrough to user applications.\n• Open Virtual Machine Firmware (OVMF): The OVMF configures virtual machine hard-\nware specifications (CPU, memory, and device configurations) and records the configuration\nmeasurement to the RTMR0 register. It then loads the Linux kernel and records the kernel\nimage measurement to the RTMR1 register.\n• Kernel: The kernel first loads an initial ramdisk (initrd) — a temporary in-memory filesystem\ncontaining minimal command-line tools and disk encryption libraries. The initrd mounts the\nroot filesystem and records this measurement in the RTMR2 register.\n• Root Filesystem: The root filesystem (RootFs) is a read-only environment containing essential\nsystem libraries and tools. It manages the entire lifecycle of deployed applications, measuring\napplication images along with their associated key management system and storing these mea-\nsurements in the RTMR3 register. The RootFs serves two primary functions: (1) providing\nthe runtime environment for user-level container images, and (2) managing application data en-\ncryption. It interfaces with Dstack-KMS to acquire encryption secrets and implements Linux\nUnified Key Setup (LUKS) to encrypt application data in isolated volumes. Data integrity is\nensured through dm-verity, a Merkle-tree-based block-level verification tool. Finally, the RootFs\nconfigures network ingress for the application and initiates execution.\nRather than adapting existing system images, we built Dstack-OS from scratch to ensure only es-\nsential components are included in both the initrd and RootFs. A comprehensive component inventory\nis provided in Appendix ?? for transparency and review. Generally, Dstack-OS includes only basic\nutilities (busybox), filesystem support, and container runtime components. By implementing Docker\nsupport while delegating orchestration to the application level, we maintain a minimal base image\nfootprint.\nTo ensure comprehensive verifiability, Dstack-OS is fully open-sourced and supports reproducible\nbuilds, allowing anyone to review the code and generate identical artifacts for verification. This\napproach provides significant benefits for applications requiring security reviews, as evaluators need\nonly review the application code rather than the entire system image.\nData Backup and Defense against Rollback Attacks A critical challenge in confidential com-\nputing is ensuring data durability and integrity, particularly against rollback attacks where adversaries\nattempt to revert applications to previous states to bypass security checks or reuse expired secrets.\nOur architecture provides robust secure data backup support and implements robust anti-rollback\nmechanisms that application developers can integrate:\n• Secure Backup: Application data is encrypted using keys derived from Dstack-KMS and can\nbe backed up to external storage providers. Since encryption keys are not bound to specific TEE\n8\ninstances, data can be restored on any authorized TEE, supporting true portability and disaster\nrecovery.\n• Monotonic Counters: To prevent rollback attacks, developers can implement monotonic coun-\nters that increment with each critical data update, incorporating the counter value into the en-\ncrypted data. During restoration, applications verify that the counter value equals or exceeds\nthe last known value, preventing replay of outdated snapshots.\nBy combining these techniques, Dstack ensures both the recoverability and integrity of confidential\ndata across portable container migrations and backup scenarios.\nTogether, Dstack-KMS and Dstack-OS provide the foundational infrastructure for truly portable\nconfidential containers that maintain security and integrity across heterogeneous TEE environments\nwhile eliminating vendor lock-in and supporting comprehensive verifiability.\n2.2 Decentralized Code Management\nA core principle of Zero Trust platforms is the enforcement of “Code is Law”, ensuring that application\ncode operates as intended without unexpected modifications. While TEE hardware provides code\nintegrity guarantees during execution, it cannot independently prevent administrators from deploying\nmalicious code or making unauthorized modifications. Conversely, smart contracts have established\nrobust methodologies for implementing programmable governance over code lifecycle management —\nsuch as multi-signature requirements that prevent single-actor manipulation.\nOur decentralized code management framework bridges these two worlds by placing TEE ap-\nplication governance under smart contract control, creating a transparent and auditable system for\napplication deployment and updates that aligns with Web3 principles.\nFigure 6: The architecture of decentralized code management integrates on-chain governance contracts with\noff-chain TEE through Dstack-KMS.\nAs illustrated in Figure 6, our architecture consists of two complementary components: on-chain\ngovernance smart contracts and off-chain TEE execution environments connected through Dstack-\nKMS. This design establishes the on-chain contracts as the definitive root-of-trust for the entire system.\nEvery operation — from initial deployment to code upgrades — must first be initiated and authorized\nthrough the governance contracts before off-chain TEE instances can execute these operations.\nThe governance framework implements a two-tier structure:\n• KmsAuth Contract: Serves as the global authority controlling Dstack-KMS operations. This\ncontract maintains the registry of authorized applications and their governance parameters, en-\nforcing system-wide policies for TEE deployment. By controlling whether Dstack-KMS shares\n9\napplication secrets with specific TEE instances, the KmsAuth contract effectively determines\nwhether applications can decrypt their data, thus controlling their complete lifecycle.\n• AppAuth Contracts: Individual governance contracts deployed for each application that de-\nfine application-specific management rules. These contracts specify permissible code versions\n(through cryptographic hashes), authorized TEE instance identities, and upgrade approval re-\nquirements. This modular approach enables customized governance models ranging from tradi-\ntional multi-signature schemes to complex DAO voting mechanisms, allowing each application\nto implement governance appropriate to its requirements.\nThe enforcement mechanism operates through Dstack-KMS, which will only provide application\nsecrets to TEE instances running code versions explicitly authorized by the governance contracts.\nThis creates a cryptographically enforced governance system where unauthorized code versions cannot\naccess application data, regardless of administrative privileges.\nTo illustrate this mechanism, consider a code upgrade process for an application using a multi-\nsignature AppAuth contract in Figure 6:\n1. Developers publish the new code version and submit its cryptographic hash to the AppAuth\ncontract.\n2. The contract initiates the approval process, requiring signatures from designated key holders\n(e.g., core developers, security auditors, and community representatives).\n3. Each signature is recorded on-chain, creating an immutable audit trail of the approval process.\n4. Once the required signature threshold is reached, the AppAuth contract updates its registry of\nauthorized code versions.\n5. The KmsAuth contract, monitoring the AppAuth contract, updates its authorization records\naccordingly.\n6. Dstack-KMS, which continuously synchronizes with the KmsAuth contract, begins providing\napplication secrets to TEE instances running the newly approved code version.\n7. TEE instances can now deploy the new code with full access to encrypted application data.\nThis process ensures that every code change follows predefined governance rules with complete trans-\nparency. The on-chain approval records create an immutable audit trail that allows users to verify\nthe entire history of application changes, while the cryptographic enforcement through Dstack-KMS\nguarantees that only properly authorized code can access application data.\nBy combining the code integrity guarantees of TEEs with the transparent governance capabilities\nof smart contracts, our decentralized code management framework ensures that applications truly\nembody the ”Code is Law” principle. Every aspect of the application lifecycle—from initial deployment\nto version updates and potential retirement—follows predefined, transparent rules that cannot be\ncircumvented by any single entity, including the platform operators themselves.\n2.3 Verifiable Domain Management\nA complete Zero Trust platform must enable seamless verification for users across both Web3 and\ntraditional Web2 environments. Our Verifiable Domain Management system completes the chain-\nof-trust by allowing standard Web browsers to cryptographically verify TEE applications without\nrequiring any client-side modifications or specialized knowledge.\nThis capability is critical for mainstream adoption, as it allows users to interact with confiden-\ntial applications using familiar tools while maintaining the same security guarantees provided by the\nunderlying TEE infrastructure. We implement this through two complementary components—Dstack-\nIngress and Dstack-Gateway—both leveraging our novel Zero Trust TLS (ZT-TLS) protocol.\nThe fundamental innovation in ZT-TLS is establishing cryptographic proof that a specific TLS\ncertificate (and therefore a domain) is exclusively controlled by a verified TEE application. This\ncreates a verification chain extending from the blockchain to standard HTTPS connections, enabling\nusers to confirm application authenticity through familiar security indicators in their browsers.\n10\nFigure 7: The Zero Trust TLS architecture establishes a cryptographically verifiable connection between\nstandard web browsers and TEE applications through blockchain-anchored certificate management.\n2.3.1 Zero Trust TLS Protocol\nThe ZT-TLS protocol addresses a critical challenge: how to cryptographically bind a domain to a\nspecific TEE application in a way that prevents unauthorized certificate issuance or domain hijacking.\nOur solution integrates three key components:\n• TEE-Generated Certificates: The TEE application (specifically Dstack-Gateway) generates\nits TLS certificate using application secrets derived from Dstack-KMS. This ensures the private\nkey never exists outside the TEE environment and creates a cryptographic link between the\non-chain governance and the TLS certificate.\n• Certificate Authority Authorization (CAA): We leverage DNS CAA records to restrict\nwhich certificate authorities can issue certificates for managed domains. By configuring CAA\nrecords to only authorize certificates from specific issuers (which verify TEE attestation), we\nprevent unauthorized certificate issuance through alternative validation methods.\n• Certificate Transparency (CT) Monitoring: To protect against unauthorized DNS record\nmodifications, we implement continuous monitoring of Certificate Transparency logs. This allows\ndetection of any unauthorized certificates and provides an immutable audit trail of certificate\nissuance history.\n2.3.2 Implementation Components\nWe provide two complementary implementations to accommodate different application requirements:\n• Dstack-Gateway: A fully managed reverse proxy running within a TEE that provides imme-\ndiate domain verification with zero application code changes. Applications register with Dstack-\nGateway through a simple API call, during which Dstack-Gateway verifies the application’s re-\nmote attestation report. Once verified, applications receive a subdomain under a pre-registered\nwildcard domain (e.g., app-id.Dstack.com), with all TLS termination and certificate manage-\nment handled automatically.\n• Dstack-Ingress: A more flexible solution for applications requiring custom domain names.\nDstack-Ingress provides libraries and services that enable applications to manage their own TLS\ncertificates while maintaining the same verification guarantees. This approach requires minimal\nintegration work while supporting application-specific domain requirements.\n11\nBoth implementations ensure that certificates are cryptographically bound to verified TEE environ-\nments, with the verification chain extending from the blockchain governance contracts through to the\nTLS certificates presented to users’ browsers.\n2.3.3 Security Guarantees and Protections\nOur Verifiable Domain Management system provides several critical security guarantees:\n• Certificate Provenance Verification: Users can verify that the TLS certificate presented by\nan application was issued to a legitimate TEE environment by checking the certificate against\non-chain records.\n• Domain Binding Integrity: The combination of CAA records and Certificate Transparency\nmonitoring ensures that domains remain bound to their designated TEE applications, preventing\nunauthorized certificate issuance.\n• Tamper-Evident Certificate Changes: Any unauthorized attempts to modify domain con-\nfigurations or issue alternative certificates are detected through Certificate Transparency moni-\ntoring, with alerts propagated to clients.\nWhile we cannot technically prevent all attacks against centralized DNS infrastructure, our multi-\nlayered approach creates a tamper-evident system where unauthorized changes are quickly detected\nand rejected by client verification processes. This approach aligns with the ”Assume Breach” principle\nby implementing defense-in-depth strategies that maintain security even when individual components\nare compromised.\nBy extending the verification chain from blockchain governance through TEE attestation to stan-\ndard TLS certificates, our Verifiable Domain Management system enables seamless integration of Zero\nTrust applications into existing web infrastructure. This creates a practical path for mainstream\nadoption without requiring specialized knowledge or tools from end users, while maintaining the com-\nprehensive security guarantees that define true Zero Trust platforms.\n3 Verifying TEE Applications: A Practical Walkthrough\nTo demonstrate how Dstack fulfills the Zero Trust principles and addresses the challenges outlined in\nSection 1, we present a practical end-to-end verification scenario. This walkthrough illustrates how\nthe architectural components described in Section 2 work together to provide a comprehensive chain\nof trust for real-world Web3 applications.\nTraditional Zero Trust programs like smart contracts achieve verifiability through transparent\nsource code and inputs. However, extending similar verifiability to real-world applications presents\nunique challenges, particularly in maintaining privacy and compatibility with existing development\npractices. Dstack addresses these challenges through a comprehensive verification framework that\nrequires minimal code changes.\nThis section demonstrates Dstack’s complete chain of trust through a practical example: verifying\nthat a cryptographic key was genuinely generated within a TEE environment. This scenario is es-\npecially relevant for Web3 and AI Agent applications where cryptographic keys establish application\nidentity and authority.\n3.1 Threat Model\nOur verification framework assumes the correct implementation and integrity of core Dstack compo-\nnents (Dstack-OS, Dstack-KMS, Dstack-Gateway, and governance contracts). While these components’\nsecurity guarantees are detailed in later sections, we explicitly consider developers and administrators\nas potential adversaries.\nPotential attack vectors include:\n• Application-Level Attacks\n– Deployment of unauthorized or malicious code through falsified Docker images\n12\n– Introduction of malicious dependencies through supply chain attacks\n– Unauthorized application updates that bypass governance controls\n• Infrastructure-Level Attacks\n– Tampering with Dstack-OS to circumvent security controls\n– Deployment of compromised key management services\n– Operation of unpatched or vulnerable TEE firmware\n– Execution of applications on non-TEE hardware with spoofed attestation\n• Network-Level Attacks\n– DNS hijacking to redirect traffic to unauthorized applications\n– Man-in-the-middle attacks on communication channels\nDirect attacks on TEE hardware security (e.g., exploitation of hardware vulnerabilities) are con-\nsidered out of scope for this discussion and addressed separately.\n3.2 The Reproducibility Challenge\nA fundamental challenge in TEE attestation lies in bridging the gap between source code and the\nactual artifacts (binaries or container images) running inside enclaves. While TEE attestation can\nprove that a specific artifact runs within a secure environment, it cannot independently verify that the\nartifact accurately represents its claimed source code.\nThis limitation creates several security risks:\n• Source Code Manipulation: Developers could intentionally deploy artifacts that differ from\npublicly reviewed source code\n• Build Process Compromise: Supply chain attacks could inject malicious code during artifact\ncreation\n• Toolchain Vulnerabilities: As demonstrated by the Ken Thompson Hack, even compiler\ntoolchains could be compromised to inject malicious behavior\nTEE quotes only attest to measurements (cryptographic hashes) of running artifacts. Without\nguarantees that these artifacts accurately represent reviewed source code, users cannot fully trust ap-\nplications even when running in secure enclaves. This challenge affects all TEE applications, including\nDstack’s core components.\nFigure 8: Comprehensive verification chain from source code to running TEE applications\nEstablishing a complete verification chain requires three key elements:\n13\n• Source Code Verification: Open-source code or trusted third-party review ensuring no back-\ndoors exist\n• Build Process Integrity: Reproducible builds allowing independent verification of artifacts\n• Runtime Attestation: TEE quotes proving that verified artifacts are actually running\nTraditional reproducible builds, while ideal, often introduce significant complexity through special-\nized toolchains and build scripts. The following section introduces an alternative approach, In-CC\nBuild, that achieves similar guarantees with improved practicality.\n3.3 Dstack Component Verifiability\nEach core Dstack component implements specific verifiability mechanisms anchored in transparent,\nimmutable records. Table 1 summarizes these mechanisms:\nComponentSourceBuild MethodRegistryVerification\nDstack-OSOpenReproducibleKmsAuthOS Digest\nDstack-KMSOpenIn-CCKmsAuthImage Hash, Root PubKey\nDstack-GatewayOpenIn-CCAppAuthImage Hash\nTable 1: Verifiability mechanisms and trust anchors for Dstack components\nAll components maintain open-source codebases with comprehensive documentation. Dstack-OS, as\nthe foundational component, undergoes third-party security audits and implements fully reproducible\nbuilds.\nThe governance smart contracts serve as authoritative registries, anchoring each component’s trust\nbase:\n• Dstack-OS digests are registered in KmsAuth and managed through multi-signature governance\n• Dstack-KMS measurements and root public keys are recorded in KmsAuth\n• Dstack-Gateway artifacts are verified through dedicated AppAuth contracts\nIn-ConfidentialContainer Build While reproducible builds represent the gold standard for arti-\nfact verification, they often prove impractical for complex applications. Dstack addresses this through\nIn-CC Build, leveraging the verified Dstack-OS as a trusted foundation. The In-CC Build process\nexecutes entirely within Dstack-OS environment, encompassing code fetching, compilation, and arti-\nfact creation. By specifying precise source references (e.g., a snapshot of the codebase), the system\nproduces verifiable artifacts with measurements attested in TEE quotes. This approach minimizes the\ntrusted computing base while eliminating the complexity of traditional reproducible builds.\n3.4 End-to-End Verification Walkthrough\nFrom a user’s perspective, verifying a TEE application in Dstack requires validating a chain of mea-\nsurements against authoritative registries, encompassing the user application, runtime data, Dstack\ncomponents, and network infrastructure. This section walks through the verification process, demon-\nstrating how each step builds upon the previous one to create a comprehensive chain of trust.\nAs shown in Figure 9, the verification chain begins with the KmsAuth smart contract, which serves\nas the root of trust for the entire system, and concludes with the key generation application running\nin a TEE. We explain the verification steps as follows.\nFirst, the address of the Dstack-KMS governance contract (i.e., KmsAuth) is publicly available.\nThe KMS governance contract serves as the authoritative registry for (1) off-chain KMS nodes and\n(2) dedicated governance contracts (i.e., AppAuth) for TEE applications. It is worth noting that the\nDstack-Gateway can be regarded as a special TEE application that attests and forwards requests to\nother user applications while maintaining consistent verification procedures.\nThe KmsAuth contract records both the measurements of off-chain KMS node programs (KMS\ndigest, which is the hash of the docker compose file and the images used in In-CC Build) and the TDX\n14\nFigure 9: The verification chain from authoritative registries to runtime measurements\nQuote of the first KMS node, which acts as the primary key generator. The identities of subsequent\nKMS nodes must first be registered in KmsAuth and verified by the first KMS node before they\ncan participate in key generation. These data, together with the open-source Dstack-KMS codebase,\nallow users to verify the integrity of the KMS nodes and their code correctness. Subsequently, the\noff-chain KMS nodes can be considered trusted extensions and used to verify Quotes from other TEE\napplications, which cannot be achieved by the on-chain governance contract alone. The off-chain\nKMS nodes are responsible for generating and managing cryptographic keys (i.e., the root key) and\nthe corresponding certificates (explained in Section 2.3.1), which are further used to authorize TEE\napplications after they are verified, thereby avoiding redundant verification.\nSecond, users can verify the validity of Dstack-Gateway. By default, this is delegated to the off-\nchain KMS nodes during gateway registration, although users can always request the Quote of the\ngateway and check the digest of its docker compose file in its governance contract and the codebase.\nAfter the KMS nodes verify the gateway, it will generate its application root key along with a certificate\nchain ending with the root certificate.\nNext, users can access the TEE application through Dstack-Gateway forwarding. In this case, users\neffectively delegate the verification of the key generation application to the gateway. The deployment\nof the key generation application starts from the KmsAuth contract. The deployer first registers it\nand stores the digest (the hash of the docker compose file and the images) on the dedicated AppAuth\ncontract. Then, as in the previous step, the off-chain KMS nodes verify the Quote of the application\nafter it is deployed to the TEE and ensure it matches the registered digest. Only after successful\nverification will the key be generated along with the certificate chain. To be forwarded by the gateway,\nthe application must also register with it. In this case, the gateway verifies the application’s certificate\nchain and ensures it shares the same root certificate, indicating authorization by the same KMS.\nFinally, the user can invoke the application and request proof of the key it generated. The applica-\ntion can generate a Quote on demand, with the generated public key included as custom data in the\nQuote.\n15\n3.5 Security Analysis: Mitigating Threats\nOur key generation example demonstrates Dstack’s comprehensive approach to security across multiple\nattack surfaces. At the application level, the system prevents unauthorized code deployment through\nrigorous measurement verification against the AppAuth registry. The In-CC Build process ensures\nall dependencies originate from verified sources, while any updates require new registry entries and\ncomplete re-verification. It is important to note, however, that code audit and review processes remain\nessential for ensuring application code correctness, as the In-CC Build only guarantees the integrity of\nthe build process.\nInfrastructure security is maintained through multiple mechanisms. TDX Quotes verify Dstack-OS\nintegrity, preventing OS-level tampering. KMS updates require multi-signature governance approval,\nsafeguarding against unauthorized changes to key management services. The Quote verification pro-\ncess includes firmware version validation, ensuring applications run on up-to-date TEE hardware.\nHardware-backed TDX Quotes effectively prevent attestation spoofing attempts.\nNetwork-level threats are mitigated through the certificate chain validation system. This prevents\nboth DNS hijacking and man-in-the-middle attacks by ensuring authentic application identity and\nenabling end-to-end encryption with verified certificates. The combination of these security measures\nensures that cryptographic keys maintain their integrity guarantees even when confronted with sophis-\nticated attacks targeting different system layers.\nReferences\n16"
}
]
},
{
"role": "assistant",
"content": "# Project Proposal Template\n\n## General Information\n1.1. Name of Project\nDstack\n\n1.2. Project Description (what it does, why it is valuable, origin and history)\nDstack is a developer-friendly and security-first SDK that simplifies the deployment of arbitrary containerized applications into Trusted Execution Environments (TEEs). It enables developers to securely deploy containerized applications in TEEs in minutes using familiar tools like docker-compose.yaml. Dstack provides safe management of secrets and sensitive data, along with built-in TLS termination for exposed services.\n\nThe project was built by Kevin Wang and others from Phala Network, inspired by Andrew Miller (Flashbots & Teleport), and has received contributions from Nethermind and many others. Dstack addresses the gap between raw TEE technology and Zero Trust platform requirements by providing portable confidential containers, decentralized code management, and verifiable domain management.\n\n1.3. How does this project align with the Consortium's Mission Statement\n[blank]\n\n1.4. Project website URL\nhttps://docs.phala.network/dstack/overview (inferred from documentation references)\n\n1.5. Social media accounts\n[blank]\n\n## Legal Information\n2.1. Project Logo URL or attachment (Vector Graphic: SVG, EPS).\n[blank]\n\n2.2. Project license. We recommend an OSI-approved license, so if the license is not one on the list, explain why.\nApache License, Version 2.0\n\n2.3. Existing financial sponsorship.\n[blank]\n\n2.4. Trademark status.\n[blank]\n\n## Technical Information\n3.1. High level assessment of project synergy with existing projects under the CCC, including how the project compliments/overlaps with existing projects, and potential ways to harmonize over time. Responses may be included both inline and/or in accompanying documentation.\n[blank]\n\n3.2. Describe the Trusted Computing Base (TCB) of the project. If the project supports multiple environments please describe each TCB. Also identify if dependencies of other project (both CCC or non-CCC) TCBs are taken.\nDstack's TCB includes:\n- Dstack-OS: A minimized operating system image that serves as a hardware abstraction layer\n- OVMF (Open Virtual Machine Firmware): Configures VM hardware specifications\n- Linux kernel with initial ramdisk (initrd)\n- Root filesystem with essential system libraries and tools\n- Intel TDX or equivalent TEE hardware as the foundation\n\nThe system establishes a secure and verifiable startup chain from TEE hardware through to user applications, with each component measuring the next and recording measurements in hardware registers that are incorporated into TEE attestation reports.\n\n3.3. Project Code of Conduct URL. We recommend a Contributor Covenant v2.0 based Code of Conduct, so if the Code of Conduct is not based on that, explain why.\n[blank]\n\n3.4. Source control URL\nhttps://github.com/Dstack-TEE/dstack\n\n3.5. Issue tracker URL\nhttps://github.com/Dstack-TEE/dstack/issues (inferred)\n\n3.6. External dependencies (including licenses, and indicate whether each is a build time or runtime dependency)\n- Intel TDX or equivalent TEE hardware (runtime)\n- Linux kernel (runtime)\n- Docker/container runtime (runtime)\n- Busybox (runtime)\n- LUKS for encryption (runtime)\n- Wireguard-tools (build time)\n- Build-essential, chrpath, diffstat, lz4, xorriso (build time)\n- Rust (build time)\n\n3.7. Standards implemented by the project, if any. Include links to any such standards.\n- TLS/HTTPS for secure communications\n- Certificate Transparency (CT) for certificate monitoring\n- Certificate Authority Authorization (CAA) for domain security\n- Remote Attestation for TEE verification\n\n3.8. Release methodology and mechanics\n[blank]\n\n3.9. Names of initial committers, if different from those submitting proposal\nInitial committers include:\n- Kevin Wang (kvinwang)\n- Shelven Zhou (shelvenzhou)\n- Leechael\n\n3.10. List of project's official communication channels (slack, irc, mailing lists)\n[blank]\n\n3.11. Project Security Response Policy\n[blank]\n\n3.12. Preferred maturity level (Incubation, Graduation, or Emeritus)\n[blank]\n\n3.13. Any additional information the TAC and Board should take into consideration when reviewing your proposal.\nDstack includes several key components:\n- dstack-vmm: Service running on bare TDX host to manage CVMs\n- dstack-gateway: Reverse proxy to forward TLS connections to CVMs\n- dstack-kms: KMS server to generate keys for CVMs\n- dstack-guest-agent: Service in CVM to serve containers' key derivation and attestation requests\n- meta-dstack: Yocto meta layer to build CVM guest images\n\nThe project provides innovative solutions for portable confidential containers, decentralized code management, and verifiable domain management, addressing critical limitations in current TEE implementations for Web3 contexts."
},
{
"role": "user",
"content": "You can simplify the 3.2 answers. Just dstack code base, TDX and other TEE solutions that we will support in the future\n"
}
]Response:
## Technical Information
3.2. Describe the Trusted Computing Base (TCB) of the project. If the project supports multiple environments please describe each TCB. Also identify if dependencies of other project (both CCC or non-CCC) TCBs are taken.
The TCB consists of the Dstack codebase, Intel TDX, and other TEE solutions that will be supported in the future.
Model: claude-3-7-sonnet-202502192025-06-25 13:13:07
Context:
[
{
"role": "user",
"content": [
{
"type": "text",
"text": "Help me fill in the follow template given the project whitepaper and README file.\n\nFor fields with not enough info, leave it \"[blank]\".\n\n```\nProject Proposal Template\n\nGeneral Information\n1.1. Name of Project\n1.2. Project Description (what it does, why it is valuable, origin and history)\n1.3. How does this project align with the Consortium's Mission Statement\n1.4. Project website URL\n1.5. Social media accounts\n\nLegal Information\n2.1. Project Logo URL or attachment (Vector Graphic: SVG, EPS).\n2.2. Project license. We recommend an OSI-approved license, so if the license is not one on the list, explain why.\n2.3. Existing financial sponsorship.\n2.4. Trademark status.\n\nTechnical Information\n3.1. High level assessment of project synergy with existing projects under the CCC, including how the project compliments/overlaps with existing projects, and potential ways to harmonize over time. Responses may be included both inline and/or in accompanying documentation.\n3.2. Describe the Trusted Computing Base (TCB) of the project. If the project supports multiple environments please describe each TCB. Also identify if dependencies of other project (both CCC or non-CCC) TCBs are taken.\n3.3. Project Code of Conduct URL. We recommend a Contributor Covenant v2.0 based Code of Conduct, so if the Code of Conduct is not based on that, explain why.\n3.4. Source control URL\n3.5. Issue tracker URL\n3.6. External dependencies (including licenses, and indicate whether each is a build time or runtime dependency)\n3.7. Standards implemented by the project, if any. Include links to any such standards.\n3.8. Release methodology and mechanics\n3.9. Names of initial committers, if different from those submitting proposal\n3.10. List of project's official communication channels (slack, irc, mailing lists)\n3.11. Project Security Response Policy\n3.12. Preferred maturity level (Incubation, Graduation, or Emeritus) 3.13. Any additional information the TAC and Board should take into consideration when reviewing your proposal.\n```"
},
{
"type": "text",
"text": "README.md\n# Dstack\n\n[](https://deepwiki.com/Dstack-TEE/dstack)\n\nDstack is a **developer friendly** and **security first** SDK to simplify the deployment of arbitrary containerized apps into TEE.\n\nMain features:\n\n- 🔒 Deploy containerized apps securely in TEE in minutes\n- 🛠️ Use familiar tools - just write a docker-compose.yaml\n- 🔑 Safely manage secrets and sensitive data\n- 📡 Expose services via built-in TLS termination\n\nDstack is community driven. Open sourced and built by [Kevin Wang](https://github.com/kvinwang) and many others from [Phala Network](https://github.com/Phala-Network), inspired by [Andrew Miller](https://github.com/amiller) (Flashbots & Teleport), and contributed by [Nethermind](https://github.com/NethermindEth/nethermind) and [many others](#contributors).\n\n![Alt](https://repobeats.axiom.co/api/embed/0a001cc3c1f387fae08172a9e116b0ec367b8971.svg \"Repobeats analytics image\")\n\n# Overview\n\nComponents in Dstack:\n\n- `dstack-vmm`: A service running in bare TDX host to manage CVMs\n- `dstack-gateway`: A reverse proxy to forward TLS connections to CVMs\n- `dstack-kms`: A KMS server to generate keys for CVMs\n- `dstack-guest-agent`: A service running in CVM to serve containers' key derivation and attestation requests\n- `meta-dstack`: A Yocto meta layer to build CVM guest images\n\nThe overall architecture is shown below:\n\n\n# Directory structure\n\n```text\ndstack/\n kms/ A prototype KMS server\n guest-agent/ A service running in CVM to serve containers' key derivation and attestation requests.\n dstack-util/ A CLI tool in the guest setting up the system, getting TDX quote, extending RTMR, generating cert for RA-TLS, etc.\n vmm/ A service running in bare TDX host to manage CVMs\n gateway/ A reverse proxy to forward TLS connections to CVMs\n certbot/ A tool to automatically obtain and renew TLS certificates for dstack-gateway\n ra-rpc/ RA-TLS support for pRPC\n ra-tls/ RA-TLS support library\n tdx-attest/ Guest library for getting TDX quote and extending RTMR\n```\n\n# Build and play locally\n\n## Prerequisites\n\n- A bare metal TDX server setup following [canonical/tdx](https://github.com/canonical/tdx)\n- Public IPv4 address assigned to the machine\n- At least 16GB RAM, 100GB free disk space.\n- A domain with DNS access if you want to set up `dstack-gateway` for Zero Trust HTTPS\n\n> [!NOTE]\n>\n> This doc assumes you have access to a compatible Intel TDX Server ready to be configured with Dstack. Check the [Hardware Requirements](https://docs.phala.network/dstack/hardware-requirements) for more information on buying a bare metal server or renting a server from OVH. To start learning about Dstack check out the [docs](https://docs.phala.network/dstack/overview).\n>\n> If you are looking to deploy a CVM in minutes, go to the docs to learn how to [sign-up for a Phala Cloud Account](https://docs.phala.network/phala-cloud/getting-started/sign-up-for-cloud-account) and [deploy your first CVM on Dstack]((https://docs.phala.network/phala-cloud/getting-started/start-from-cloud-ui)).\n\n## Install dependencies\n\n```bash\n# for Ubuntu 24.04\nsudo apt install -y build-essential chrpath diffstat lz4 wireguard-tools xorriso\n# install rust\ncurl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sh\n```\n\n## Build and run for local development\n\n### Build the artifacts\n```bash\ngit clone https://github.com/Dstack-TEE/meta-dstack.git --recursive\ncd meta-dstack/\n\nmkdir build\ncd build\n../build.sh hostcfg\n# This outputs the following message:\n# Config file ../build-config.sh created, please edit it to configure the build\n\nvim ./build-config.sh\n```\n\nReview and customize the `build-config.sh` configuration file according to your environment requirements. The file contains network ports, domain settings, and other important parameters. Once configured, run the build script again to generate the necessary artifacts:\n\n```bash\n../build.sh hostcfg\n\n# If everything is okay, you should see the built artifacts in the `build` directory.\n$ ls\ncerts images dstack-kms kms.toml run dstack-vmm vmm.toml dstack-gateway gateway.toml\n```\n\n### Download guest image or build guest image from source\n\n```bash\n# This will download the guest image from the release page.\n../build.sh dl 0.5.2\n```\n\nOr build guest image from source:\n\n```bash\n# This will build the guest image from source using the yocto meta layer. This will take a while.\n../build.sh guest\n```\n\n> **Note on Reproducible Builds**: The build command above does not guarantee reproducibility. For reproducible builds across different build environments, please refer to the [reproducible build instructions](https://github.com/Dstack-TEE/meta-dstack?tab=readme-ov-file#reproducible-build-the-guest-image) in the meta-dstack repository.\n\n### Run components\nNow you can open 3 terminals to start the components:\n\n1. Run `./dstack-kms -c kms.toml`\n2. Run `sudo ./dstack-gateway -c gateway.toml`\n3. Run `./dstack-vmm -c vmm.toml`\n\n⚠️ *Warning: this is for local development, and the kms is not secure, so you should not use it in production.*\nFor production, you should follow the [deployment guide](./docs/deployment.md) and read the [security guide](./docs/security-guide/security-guide.md).\n\n## Deploy an App\nOpen the dstack-vmm webpage [http://localhost:9080](http://localhost:9080)(change the port according to your configuration) on your local machine to deploy a `docker-compose.yaml` file:\n\n\n\nAfter the container deployed, it should need some time to start the CVM and the containers. Time would be vary depending on your workload.\n\n- Click the [Logs] button to see the logs of the CVM, you can see if the container is finished starting there.\n\n- Once the container is running, you can click the [Dashboard] button to see some information of the container. And the logs of the containers can be seen in the [Dashboard] page.\n\n \n\n- You can open dstack-gateway's dashboard at [https://localhost:9070](https://localhost:9070) to see the CVM's wireguard ip address, as shown below:\n\n\n\n## Pass Secrets to Apps\nWhen deploying a new App, you can pass private data via Encrypted Environment Variables. These variables can be referenced in the docker-compose.yaml file as shown below:\n\n\n\nThe environment variables will be encrypted in the client-side and decrypted in the CVM before being passed to the containers.\n\n## Access the App\n\nOnce the app is deployed and listening on an HTTP port, you can access the HTTP service via dstack-gateway's public domain. The ingress mapping rules are:\n\n- `<id>[s].<base_domain>` maps to port `80` or `443` if with `s` in the CVM.\n- `<id>-<port>[s].<base_domain>` maps to port `<port>` in the CVM.\n\nFor example, `3327603e03f5bd1f830812ca4a789277fc31f577-8080.app.kvin.wang` maps to port `8080` in the CVM.\n\nWhere the `<id>` can be either the app id or the instance id. If the app id is used, one of the instances will be selected by the load balancer.\nIf the `id-port` part ends with `s`, it means the TLS connection will be passthrough to the app rather than terminating at dstack-gateway.\n\nYou can also ssh into the CVM to inspect more information, if your deployment uses the image `dstack-x.x.x-dev`:\n\n```bash\n# The IP address of the CVM can be found in the dstack-gateway dashboard.\nssh [email protected]\n```\n\n## Getting TDX quote in docker container\n\nTo get a TDX quote within app containers:\n\n1. Mount `/var/run/dstack.sock` to the target container in `docker-compose.yaml`\n\n ```yaml\n version: '3'\n services:\n nginx:\n image: nginx:latest\n volumes:\n - /var/run/dstack.sock:/var/run/dstack.sock\n ports:\n - \"8080:80\"\n restart: always\n ```\n\n2. Execute the quote request command in the container.\n\n ```bash\n # The argument report_data accepts binary data encoding in hex string.\n # The actual report_data passing the to the underlying TDX driver is sha2_256(report_data).\n curl --unix-socket /var/run/dstack.sock http://localhost/GetQuote?report_data=0x1234deadbeef | jq . \n ```\n\n## Container logs\n\nContainer logs can be obtained from the CVM's `dashboard` page or by curl:\n\n```bash\ncurl 'http://<appid>.app.kvin.wang:9090/logs/<container name>?since=0&until=0&follow=true&text=true×tamps=true&bare=true'\n```\n\nReplace `<appid>` and `<container name>` with actual values. Available parameters:\n\n- since=0: Starting Unix timestamp for log retrieval\n- until=0: Ending Unix timestamp for log retrieval\n- follow: Enables continuous log streaming\n- text: Returns human-readable text instead of base64 encoding\n- timestamps: Adds timestamps to each log line\n- bare: Returns the raw log lines without json format\n\nThe response of the RPC looks like:\n```\n$ curl 'http://0.0.0.0:9190/logs/zk-provider-server?text×tamps'\n{\"channel\":\"stdout\",\"message\":\"2024-09-29T03:05:45.209507046Z Initializing Rust backend...\\n\"}\n{\"channel\":\"stdout\",\"message\":\"2024-09-29T03:05:45.209543047Z Calling Rust function: init\\n\"}\n{\"channel\":\"stdout\",\"message\":\"2024-09-29T03:05:45.209544957Z [2024-09-29T03:05:44Z INFO rust_prover] Initializing...\\n\"}\n{\"channel\":\"stdout\",\"message\":\"2024-09-29T03:05:45.209546381Z [2024-09-29T03:05:44Z INFO rust_prover::groth16] Starting setup process\\n\"}\n```\n\n## TLS Passthrough with Custom Domain\n\ndstack-gateway supports TLS passthrough for custom domains.\n\nSee the example [here](https://github.com/Dstack-TEE/dstack-examples/tree/main/custom-domain/dstack-ingress) for more details.\n\n## Upgrade an App\n\nGot to the dstack-vmm webpage, click the [Upgrade] button, select or paste the compose file you want to upgrade to, and click the [Upgrade] button again.\nThe app id does not change after the upgrade. Stop and start the app to apply the upgrade.\n\n## HTTPS Certificate Transparency\n\nIn the tutorial above, we used a TLS certificate with a private key external to the TEE. To establish trust, we need to generate and maintain the certificate's private key within the TEE and provide evidence that all TLS certificates for the domain were originate solely from dstack-gateway CVM.\n\nBy combining Certificate Transparency Logs and CAA DNS records, we can make best effort to minimize security risks. Here's our approach:\n\n- Set CAA records to allow only the account created in dstack-gateway CVM to request Certificates.\n- Launch a program to monitor Certificate Transparency Log and give alarm once any certificate issued to a pubkey that isn’t generated by dstack-gateway CVM.\n\n### Configurations\n\nTo launch Certbot, you need to own a domain hosted on Cloudflare. Obtain an API token with DNS operation permissions from the Cloudflare dashboard. Configure it in the `build-config.sh`:\n\n```bash\n# The directory to store the auto obtained TLS certificate and key\nGATEWAY_CERT=${CERBOT_WORKDIR}/live/cert.pem\nGATEWAY_KEY=${CERBOT_WORKDIR}/live/key.pem\n\n# for certbot\nCF_ZONE_ID=cc0a40...\nCF_API_TOKEN=g-DwMH...\n# ACME_URL=https://acme-v02.api.letsencrypt.org/directory\nACME_URL=https://acme-staging-v02.api.letsencrypt.org/directory\n```\n\nThen re-run the ../build.sh:\n\n```bash\n../build.sh\n```\n\n### Launch certbot\n\nThen run the certbot in the `build/` and you will see the following log:\n```text\n$ RUST_LOG=info,certbot=debug ./certbot renew -c certbot.toml\n2024-10-25T07:41:00.682990Z INFO certbot::bot: creating new ACME account\n2024-10-25T07:41:00.869246Z INFO certbot::bot: created new ACME account: https://acme-staging-v02.api.letsencrypt.org/acme/acct/168601853\n2024-10-25T07:41:00.869270Z INFO certbot::bot: setting CAA records\n2024-10-25T07:41:00.869276Z DEBUG certbot::acme_client: setting guard CAA records for app.kvin.wang\n2024-10-25T07:41:01.740767Z DEBUG certbot::acme_client: removing existing CAA record app.kvin.wang 0 issuewild \"letsencrypt.org;validationmethods=dns-01;accounturi=https://acme-staging-v02.api.letsencrypt.org/acme/acct/168578683\"\n2024-10-25T07:41:01.991298Z DEBUG certbot::acme_client: removing existing CAA record app.kvin.wang 0 issue \"letsencrypt.org;validationmethods=dns-01;accounturi=https://acme-staging-v02.api.letsencrypt.org/acme/acct/168578683\"\n2024-10-25T07:41:02.216751Z DEBUG certbot::acme_client: setting CAA records for app.kvin.wang, 0 issue \"letsencrypt.org;validationmethods=dns-01;accounturi=https://acme-staging-v02.api.letsencrypt.org/acme/acct/168601853\"\n2024-10-25T07:41:02.424217Z DEBUG certbot::acme_client: setting CAA records for app.kvin.wang, 0 issuewild \"letsencrypt.org;validationmethods=dns-01;accounturi=https://acme-staging-v02.api.letsencrypt.org/acme/acct/168601853\"\n2024-10-25T07:41:02.663824Z DEBUG certbot::acme_client: removing guard CAA records for app.kvin.wang\n2024-10-25T07:41:03.095564Z DEBUG certbot::acme_client: generating new cert key pair\n2024-10-25T07:41:03.095678Z DEBUG certbot::acme_client: requesting new certificates for *.app.kvin.wang\n2024-10-25T07:41:03.095699Z DEBUG certbot::acme_client: creating new order\n2024-10-25T07:41:03.250382Z DEBUG certbot::acme_client: order is pending, waiting for authorization\n2024-10-25T07:41:03.283600Z DEBUG certbot::acme_client: creating dns record for app.kvin.wang\n2024-10-25T07:41:04.027882Z DEBUG certbot::acme_client: challenge not found, waiting 500ms tries=2 domain=\"_acme-challenge.app.kvin.wang\"\n2024-10-25T07:41:04.600711Z DEBUG certbot::acme_client: challenge not found, waiting 1s tries=3 domain=\"_acme-challenge.app.kvin.wang\"\n2024-10-25T07:41:05.642300Z DEBUG certbot::acme_client: challenge not found, waiting 2s tries=4 domain=\"_acme-challenge.app.kvin.wang\"\n2024-10-25T07:41:07.715947Z DEBUG certbot::acme_client: challenge not found, waiting 4s tries=5 domain=\"_acme-challenge.app.kvin.wang\"\n2024-10-25T07:41:11.724831Z DEBUG certbot::acme_client: challenge not found, waiting 8s tries=6 domain=\"_acme-challenge.app.kvin.wang\"\n2024-10-25T07:41:19.815990Z DEBUG certbot::acme_client: challenge not found, waiting 16s tries=7 domain=\"_acme-challenge.app.kvin.wang\"\n2024-10-25T07:41:35.852790Z DEBUG certbot::acme_client: setting challenge ready for https://acme-staging-v02.api.letsencrypt.org/acme/chall-v3/14584884443/mQ-I2A\n2024-10-25T07:41:35.934425Z DEBUG certbot::acme_client: challenges are ready, waiting for order to be ready\n2024-10-25T07:41:37.972434Z DEBUG certbot::acme_client: order is ready, uploading csr\n2024-10-25T07:41:38.052901Z DEBUG certbot::acme_client: order is processing, waiting for challenge to be accepted\n2024-10-25T07:41:40.088190Z DEBUG certbot::acme_client: order is valid, getting certificate\n2024-10-25T07:41:40.125988Z DEBUG certbot::acme_client: removing dns record 6ab5724e8fa7e3e8f14e93333a98866a\n2024-10-25T07:41:40.377379Z DEBUG certbot::acme_client: stored new cert in /home/kvin/codes/meta-dstack/dstack/build/run/certbot/backup/2024-10-25T07:41:40.377174477Z\n2024-10-25T07:41:40.377472Z INFO certbot::bot: checking if certificate needs to be renewed\n2024-10-25T07:41:40.377719Z DEBUG certbot::acme_client: will expire in Duration { seconds: 7772486, nanoseconds: 622281542 }\n2024-10-25T07:41:40.377752Z INFO certbot::bot: certificate /home/kvin/codes/meta-dstack/dstack/build/run/certbot/live/cert.pem is up to date\n```\n\nWhere the command did are:\n\n- Registered to letsencrypt and got a new account `https://acme-staging-v02.api.letsencrypt.org/acme/acct/168601853`\n- Auto set CAA records for the domain on cloudflare, you can open the CF dashboard to see the record:\n\n \n\n- Auto requested a new certificate from Let's Encrypt. Automatically renews the certificate to maintain its validity\n\n### Launch dstack-gateway\n\nExecute dstack-gateway with `sudo ./dstack-gateway -c gateway.toml`, then access the web portal to check the dstack-gateway CVM managed Let's Encrypt account. The account's private key remains securely sealed within the TEE.\n\n\n\n## Certificate transparency log monitor\n\nTo enhance security, we've limited TLS certificate issuance to dstack-gateway via CAA records. However, since these records can be modified through Cloudflare's domain management, we need to implement global CA certificate monitoring to maintain security oversight.\n\n`ct_monitor` tracks Certificate Transparency logs via [https://crt.sh](https://crt.sh/?q=app.kvin.wang), comparing their public key with the ones got from dstack-gateway RPC. It immediately alerts when detecting unauthorized certificates not issued through dstack-gateway:\n\n```text\n$ ./ct_monitor -t https://localhost:9010/prpc -d app.kvin.wang\n2024-10-25T08:12:11.366463Z INFO ct_monitor: monitoring app.kvin.wang...\n2024-10-25T08:12:11.366488Z INFO ct_monitor: fetching known public keys from https://localhost:9010/prpc\n2024-10-25T08:12:11.566222Z INFO ct_monitor: got 2 known public keys\n2024-10-25T08:12:13.142122Z INFO ct_monitor: ✅ checked log id=14705660685\n2024-10-25T08:12:13.802573Z INFO ct_monitor: ✅ checked log id=14705656674\n2024-10-25T08:12:14.494944Z ERROR ct_monitor: ❌ error in CTLog { id: 14666084839, issuer_ca_id: 295815, issuer_name: \"C=US, O=Let's Encrypt, CN=R11\", common_name: \"kvin.wang\", name_value: \"*.app.kvin.wang\", not_before: \"2024-09-24T02:23:15\", not_after: \"2024-12-23T02:23:14\", serial_number: \"03ae796f56a933c8ff7e32c7c0d662a253d4\", result_count: 1, entry_timestamp: \"2024-09-24T03:21:45.825\" }\n2024-10-25T08:12:14.494998Z ERROR ct_monitor: error: certificate has issued to unknown pubkey: 30820122300d06092a864886f70d01010105000382010f003082010a02820101009de65c767caf117880626d1acc1ee78f3c6a992e3fe458f34066f92812ac550190a67e49ebf4f537003c393c000a8ec3e114da088c0cb02ffd0881fd39a2b32cc60d2e9989f0efab3345bee418262e0179d307d8d361fd0837f85d17eab92ec6f4126247e614aa01f4efcc05bc6303a8be68230f04326c9e85406fc4d234e9ce92089253b11d002cdf325582df45d5da42981cd546cbd2e9e49f0fa6636e747a345aaf8cefa02556aa258e1f7f90906be8fe51567ac9626f35bc46837e4f3203387fee59c71cea400000007c24e7537debc1941b36ff1612990233e4c219632e35858b1771f17a71944adf6c657dd7303583e3aeed199bd36a3152f49980f4f30203010001\n```\n\n# Troubleshooting\n\n### Error from dstack-vmm: qemu-system-x86_64: -device vhost-vsock-pci,guest-cid=<id>: vhost-vsock: unable to set guest cid: Address already in use\n\n`dstack-vmm` may throw this error when creating a new VM if the [Unix Socket CID](https://man7.org/linux/man-pages/man7/vsock.7.html) is occupied. To solve the problem, first, you should list the occupied CID:\n\n```bash\nps aux | grep 'guest-cid='\n```\n\nThen choose a new range of the CID not conflicting with the CID in use. You can change `build/vmm.toml` file and restart `dstack-vmm`. This error should disappear. For example, you may find 33000-34000 free to use:\n\n```toml\n[cvm]\ncid_start = 33000\ncid_pool_size = 1000\n```\n\nWhen building the dstack from scratch, you should change the CID configs in `build-config.sh` instead, because `vmm.toml` file is generated by `build.sh`. Its content is derived from `build-config.sh`.\n\nYou may encounter this problem when upgrading from an older version of dstack, because CID was introduced in `build-config.sh` in later versions. In such case, please follow the docs to add the missing entries in `build-config.sh` and rebuild dstack.\n\n### Error: Operation not permitted when building guest image\n\nWhen running `../build.sh guest`, you might encounter this error:\n\n```\nTraceback (most recent call last):\n File \"/meta-dstack/poky/bitbake/bin/bitbake-worker\", line 278, in child\n bb.utils.disable_network(uid, gid)\n File \"/meta-dstack/poky/bitbake/lib/bb/utils.py\", line 1696, in disable_network\n with open(\"/proc/self/uid_map\", \"w\") as f:\nPermissionError: [Errno 1] Operation not permitted\n```\n\nThis error occurs because Ubuntu 23.10 and later versions restrict unprivileged user namespaces by default. To fix this, run:\n\n```bash\nsudo sysctl kernel.apparmor_restrict_unprivileged_userns=0\n```\n\nThen try building again. For more information about this restriction, see the [Ubuntu discourse post](https://discourse.ubuntu.com/t/spec-unprivileged-user-namespace-restrictions-via-apparmor-in-ubuntu-23-10/37626).\n\n\n# Contributors\n\nDstack is proudly built by open source and Pi-rateship contributors:\n\n- Phala Network: [Kevin Wang](https://github.com/kvinwang), [Shelven Zhou](https://github.com/shelvenzhou), [Leechael](https://github.com/leechael)\n- Teleport: [Andrew Miller](https://github.com/amiller), [Sxy Sun](https://github.com/sxysun)\n- Flashbots: [Tina](https://github.com/CarboClanC), [Mateusz](https://github.com/Ruteri), [Dmarz](https://github.com/dmarzzz), [Moe](https://github.com/MoeMahhouk)\n- Ithaca: [Georgios](https://github.com/gakonst)\n- Fabric: [@gaoist](https://x.com/gaoist)\n- And many more...\n\nThe inspiration for this work stems from [Andrew Miller](https://github.com/amiller)’s pioneering concept of a [Docker-based P2P TEE SDK](https://collective.flashbots.net/t/dstack-speedrunning-a-p2p-confidential-vm/3876).\n\nThis project cannot be built without standing on the shoulders of giants:\n\n- [konvera/meta-confidential-compute](https://github.com/konvera/meta-confidential-compute)\n\nSpecial acknowledgment to [Flashbots](https://github.com/flashbots) for building a community around TEE. The TEE Hacker House initiative, organized by [Flashbots](https://github.com/flashbots) and led by [Tina](https://github.com/CarboClanC), has brought together TEE builders to develop tools for TEE-Web3 integration. This collaborative journey has generated invaluable insights for advancing secure, confidential environments within Web3.\n\nTogether, we’re shaping the future of TEE in Web3, paving the way for more secure and developer-accessible confidential computing!\n\nFor a full list of the direct contributors to this repo, see [Contributors](https://github.com/Dstack-TEE/dstack/contributors) on GitHub.\n\n\n# License\n\nCopyright 2024 Phala Network and Contributors.\n\nLicensed under the Apache License, Version 2.0 (the \"License\"); you may not use this file except in compliance with the License. You may obtain a copy of the License at\n\n[http://www.apache.org/licenses/LICENSE-2.0](http://www.apache.org/licenses/LICENSE-2.0)"
},
{
"type": "text",
"text": "main.pdf\nDstack: A Zero Trust Framework for Confidential Containers\nJune 23, 2025\nAbstract\nWeb3 applications require execution platforms that maintain confidentiality and integrity with-\nout relying on centralized trust authorities. While Trusted Execution Environments (TEEs) offer\npromising capabilities for confidential computing, current implementations face significant limita-\ntions in security reliability, censorship resistance, and vendor independence when applied to Web3\ncontexts. This paper presents Dstack, a comprehensive framework that transforms raw TEE tech-\nnology into a true Zero Trust platform aligned with Web3 principles. We introduce three key\ninnovations: (1) Portable Confidential Containers that enable seamless workload migration across\nheterogeneous TEE environments while maintaining security guarantees, (2) Decentralized Code\nManagement that leverages smart contracts for transparent governance of TEE applications, and\n(3) Verifiable Domain Management that ensures secure and verifiable application identity without\ncentralized authorities. Through these innovations, implemented via Dstack-OS, Dstack-KMS, and\nDstack-Gateway components, we demonstrate how to achieve both the performance advantages of\nVM-level TEE solutions and the trustless guarantees required by Web3 applications. Our evalu-\nation shows that Dstack provides comprehensive security guarantees while maintaining practical\nusability for real-world applications.\n1 Introduction\nThe Web3 ecosystem represents a paradigm shift in digital trust models, fundamentally transforming\nthe relationship between users and application developers. Unlike traditional systems, Web3 empowers\nusers with unprecedented control over their data through the principle of ”Code is Law” - once deployed,\ncode operates autonomously and independently of external control. This transformation demands\nrobust execution platforms that maintain confidentiality and integrity without relying on centralized\ntrust authorities.\nFigure 1: The evolution of trust models from Web2 to Web3, highlighting the shift from centralized control\nto decentralized governance and execution.\nThe contrast between Web2 and Web3 architectures in Figure 1 illustrates this fundamental shift.\nIn Web2 systems, developers maintain complete control through proprietary applications and central-\nized servers, retaining administrative privileges to access and modify user data at will. Web3’s smart\n1\ncontracts, however, represent the first significant step toward true trustlessness by executing pro-\ngrams on decentralized platforms (blockchains). Once deployed, administrators cannot influence pro-\ngram execution, and lifecycle management (e.g., code updates) follows predefined agreements through\ndemocratic governance mechanisms like multi-signature wallets and Decentralized Autonomous Orga-\nnizations (DAOs). This emerging trust model extends beyond basic applications to mission-critical\nscenarios such as AI model training, where data providers and model developers often have competing\ninterests, and autonomous AI agents designed to operate independently of human intervention. In\nthese contexts, Zero Trust platforms become essential to host applications and enforce verification\nmechanisms that appropriately constrain developer authority.\nA Zero Trust platform must enforce the following key principles:\n• Code is Law: This manifests in two dimensions: (1) the application logic, once deployed, cannot\nbe changed unexpectedly; and (2) the lifecycle management of code—including deployment,\nupgrades, and deletion—follows predefined governance rules.\n• Censorship Resistance: User data remains beyond the control of any single entity, with data\navailability protected against Denial-of-Service attacks.\n• Full Chain-of-Trust: When users interact with applications on a Zero Trust platform, they\nmust be able to verify all aspects of that application, including network setup, application identity\nand code logic, underlying hardware, and execution environment.\n• Assume Breach: The platform operates under the assumption that compromises will occur,\nimplementing mechanisms for damage containment, rapid recovery, and minimization of data\nexposure during security incidents.\nConfidential Computing, particularly through Trusted Execution Environments (TEEs), has emerged\nas a promising foundation for extending blockchain capabilities to support complex computational tasks\nwith confidentiality guarantees. Recent advances in VM-level TEE solutions, including Intel TDX and\nAMD SEV, have demonstrated substantial performance improvements and developer-friendly inter-\nfaces, making them compelling candidates for Web3 deployment. The integration of GPUs within\nTEEs [?] now enables verifiable execution of both Large Language Models and AI agents, providing\ncryptographic guarantees of computational integrity.\nHowever, a significant gap exists between raw TEE technology and the requirements of a true Zero\nTrust platform. Current TEE implementations face several critical limitations when applied to Web3\ncontexts:\n• Security Reliability: Recent vulnerability discoveries in TEE systems have raised significant con-\ncerns about their effectiveness as trust anchors. The persistence of side-channel attacks and\nmicro-architectural vulnerabilities undermines confidence in TEE security guarantees, particu-\nlarly for high-value Web3 applications where a single compromise could lead to catastrophic data\nexposure.\n• Censorship Vulnerability: Conventional TEE encryption schemes bind encryption keys to spe-\ncific hardware instances, creating single points of failure that contradict Web3’s requirement\nfor censorship resistance. This architectural limitation means that data availability cannot be\nguaranteed if specific hardware instances are compromised or become unavailable.\n• Vendor Dependencies: Current trust models heavily rely on centralized hardware manufacturers\nand verification processes, introducing risks of vendor lock-in and potential censorship vectors.\nThis centralization contradicts Web3’s core principles of decentralization and trustlessness.\n• Incomplete Verifiability: While TEEs provide Remote Attestation capabilities to verify applica-\ntion and hardware identity, they fail to deliver the comprehensive chain of trust required in Zero\nTrust environments. Users need guarantees that programs will process their data as expected\nand cannot be modified without proper authorization—capabilities beyond current attestation\nmechanisms.\nTo bridge this gap between raw TEE technology and Zero Trust requirements, we present Dstack,\na comprehensive framework for confidential containers that introduces three key innovations:\n2\n• Portable Confidential Container: Our architecture enables seamless migration of confidential\nworkloads across different TEE instances and hardware vendors, significantly reducing vendor\nlock-in risks while maintaining robust security guarantees. This innovation directly addresses the\ncensorship vulnerability and vendor dependency limitations by providing hardware abstraction\nand state continuity across heterogeneous TEE environments.\n• Decentralized Code Management: We implement a comprehensive governance framework\nthat leverages smart contracts for transparent and decentralized management of TEE applica-\ntions. This system ensures verifiable deployment and upgrade processes, enforcing the “Code\nis Law” principle by binding application lifecycles to on-chain governance decisions. This inno-\nvation addresses the incomplete verifiability limitation by creating an immutable audit trail of\napplication changes.\n• Verifiable Domain Management: Our novel approach to certificate management ensures that\nconfidential containers can exclusively control domains and provide native HTTPS support to\nTEE applications without relying on centralized authorities. This system serves as a middleware\nbetween TEE applications and existing TLS-based networks, enabling users to establish end-to-\nend encrypted channels to TEE applications without modifications to client software.\nThese innovations are implemented through a cohesive system architecture comprising three core\ncomponents:\n• Dstack-OS: A hardware abstraction layer with a minimized operating system image that elimi-\nnates differences in underlying TEE hardware while reducing the attack surface. This component\nprovides a consistent, secure runtime environment across diverse TEE implementations.\n• Dstack-KMS: A blockchain-controlled key management service that replaces hardware-based\nencryption schemas with an independent service for generating and managing secret keys. This\ncomponent enables secure data migration across TEE instances and supports key rotation to\nprovide forward and backward data secrecy, mitigating the impact of potential TEE compromises.\n• Dstack-Ingress and Dstack-Gateway: Complementary systems providing TEE-controlled domain\nmanagement through different approaches—Dstack-Ingress enables applications to specify cus-\ntom domains with minimal integration requirements, while Dstack-Gateway offers pre-registered\nwildcard domains requiring no application code changes.\nBy addressing the critical limitations of current TEE implementations, Dstack establishes a compre-\nhensive framework that transforms raw TEE technology into a true Zero Trust platform aligned with\nWeb3’s fundamental principles. Our approach not only enhances the security and reliability of confi-\ndential computing but also provides a practical path toward truly decentralized, censorship-resistant\ninfrastructure for next-generation applications.\nThe remainder of this paper details the technical design of Dstack, evaluates its performance and\nsecurity characteristics, and demonstrates how our innovations collectively create a Zero Trust platform\nthat maintains the performance advantages of VM-level TEE solutions while addressing their inherent\nlimitations in Web3 contexts.\n2 System Design\n2.1 Portable Confidential Container\nContainerization has transformed cloud-native application deployment by providing unparalleled porta-\nbility and scalability through effective data separation. These capabilities are particularly critical for\nTrusted Execution Environment (TEE) applications, as they directly address the inherent limitations\noutlined in Section 1:\n• Security Reliability: Containerized applications can be efficiently transferred from compro-\nmised TEE hardware to secure instances, preserving code integrity. Together with our secure\ndata migration mechanism that ensures both forward and backward secrecy, this approach sig-\nnificantly limits privacy leakage risks even when individual TEE instances are compromised.\n3\nFigure 2: The architecture of Dstack, including Dstack-OS and Dstack-KMS. Dstack-OS provides a hardware\nabstraction layer with a minimized operating system image, while Dstack-KMS replaces the hardware-based\ndata encryption keys with a blockchain-controlled key management service. TODO: redraw this to put the\ncomponents into solutions.\n• Censorship Resistance: The architecture’s inherent scalability provides robust defense against\nDenial-of-Service attacks. Additionally, by decoupling data storage from execution environments,\nestablished data availability solutions can be readily integrated to ensure persistent access to\napplication data.\n• Vendor Independence: Our hardware abstraction layer enables confidential containers to\noperate across diverse TEE hardware platforms without modification, eliminating vendor lock-in\nwhile facilitating rapid adoption of emerging TEE technologies as they become available.\nHowever, implementing truly portable confidential containers presents substantial technical chal-\nlenges that differentiate them from conventional containerization. Two fundamental obstacles must be\novercome:\nFirst, existing TEE implementations generate data sealing keys derived from hardware-bound root\nkeys unique to each TEE instance. This architectural design creates an inherent barrier to portability\n— data encrypted by one TEE instance cannot be decrypted by any other, even when running identical\napplication code. Prior research has largely circumvented this limitation by restricting TEEs to state-\nless applications, but this approach severely constrains their utility in complex real-world scenarios.\nSecond, TEE implementations from different vendors impose disparate specifications for deploy-\nable programs. This fragmentation forces developers to create and maintain multiple artifacts across\nplatforms, each requiring separate (and expensive) code reviews to verify functional equivalence — a\nprocess that undermines the trust guarantees central to Web3 applications.\nTo address these challenges comprehensively, we introduce two complementary components: Dstack-\nKMS and Dstack-OS.\n2.1.1 Dstack-KMS: Blockchain-Controlled Secret Derivation\nDstack-KMS is a secret derivation service that fundamentally transforms how encryption keys are\nmanaged in confidential computing environments. Its primary function is to generate a unique and\nstable secret (the Root Key ) for each application based on its code and configurations. This root key\n4\nserves as the foundation for deriving additional application-specific secrets used for data encryption\nand verifiable random number generation.\nUnlike hardware-based encryption approaches, Dstack-KMS deliberately decouples key generation\nfrom specific TEE hardware instances. This architectural decision enables the critical capability of\nencrypted data migration between different TEE instances, with decryption possible after\nproper authorization. This feature is essential for achieving true censorship resistance.\nGiven its position as the root-of-trust for the entire system, the verifiability and availability of\nDstack-KMS are paramount. Unlike previous approaches [?] that assume TEE infallibility, our threat\nmodel explicitly acknowledges that TEEs can be compromised. To address this reality, Dstack-\nKMS implements comprehensive key rotation capabilities that provide both backward and forward\nsecrecy for application data. This ensures that even if a specific TEE hardware instance is compromised,\napplications can be migrated with limited data exposure.\nFigure 3: The key derivation hierarchy of Intel SGX illustrates how conventional TEE implementations bind\nencryption keys to hardware.\nTo understand the limitations of conventional approaches, Figure 3 illustrates the key derivation\nhierarchy in Intel SGX. This design uses a hardware-bound key to both identify the TEE instance (for\nRemote Attestation) and generate encryption keys for data sealing. While this approach effectively\nestablishes hardware identity, it fundamentally undermines censorship resistance:\n• The root key cannot be updated, meaning a compromised TEE with a leaked root key remains\npermanently vulnerable even after patching the underlying vulnerability.\n• Encrypted data becomes intrinsically bound to specific TEE hardware instances, creating single\npoints of failure that contradict Web3’s censorship resistance requirements.\nOur Dstack-KMS addresses these limitations by delegating secret generation to an independent\nservice that ensures encrypted data remains portable across TEE instances.\nAs illustrated in Figure 4, Dstack-KMS comprises an on-chain governance smart contract coupled\nwith an off-chain peer-to-peer network where the actual secret derivation service operates. To ensure\ncomprehensive verifiability of the Dstack-KMS program’s integrity and correctness, we implement a\nmulti-stage verification process:\n1. The Dstack-KMS codebase is fully open-sourced [?], enabling thorough code and security reviews\nto verify key management logic and ensure the absence of backdoors.\n5\nFigure 4: The architecture of Dstack-KMS combines on-chain governance through smart contracts with an\noff-chain P2P network of secret derivation service nodes. This design ensures both verifiability and resilience\nagainst compromise.\n2. Executable binaries are produced through reproducible build processes, allowing verifiers to\nconfirm that the runtime code matches the reviewed source code.\n3. The cryptographic digest of valid executables is published through the governance smart contract,\ncreating an immutable reference for verification.\n4. Each service node operates within its own TEE instance. Critically, we rely on the TEE solely for\nmeasuring the executable and ensuring it matches the on-chain digest—not for the fundamental\nsecurity of the key management process.\nThis verification framework ensures that Dstack-KMS remains trustworthy to any third-party verifier\nwhile avoiding dependency on the absolute security of any single TEE instance.\nThe core logic of each Dstack-KMS service node is intentionally minimalist, focusing exclusively on\nthe generation and secure distribution of the root key, along with deriving encryption keys for TEE\napplications. This simplicity enables the implementation of Multi-Party Computation (MPC) based\nthreshold key generation and derivation without concerning performance overhead. We have developed\ntwo complementary implementations:\n• Simple Duplication: The first node in the P2P network generates a cryptographically secure\nrandom number as the root key, then shares it with other nodes after verifying their attestation\nreports. All nodes maintain identical copies of the root key and derive consistent encryption keys\nfor applications. This approach maximizes availability—as long as at least one node remains\noperational, the root key can be recovered.\n• MPC-Based Key Generation: While simple duplication provides robust availability, it cre-\nates vulnerability to single-node compromises. Our MPC implementation uses Shamir’s Secret\nSharing scheme [?] to distribute the root key across multiple nodes, ensuring that compromising\nany individual node (or even up tot− 1 nodes, wheret is the configured threshold) does not\nexpose the root key. This approach also enables advanced features like key rotation without\nrequiring application reconfiguration.\nKey Derivation Dstack-KMS implements a comprehensive key derivation framework to generate\napplication-specific keys from the root key:\n• Application CA Key: Derived from the root CA key using the application’s unique identifier\n(calculated as the hash of the application’s code and configuration).\n• Disk Encryption Key: Derived using a combination of the application identifier and instance\nidentifier, enabling secure storage with portability.\n6\n• Environment Encryption Key: Derived using the application identifier alone, allowing secure\nenvironment variable management across instances.\n• ECDSA Key: Derived from the root ECDSA key, providing applications with consistent cryp-\ntographic identity for signing operations.\nEach derived key maintains cryptographic isolation while ensuring consistency across different TEE\ninstances running the same application.\nKey Rotation A critical security feature of Dstack-KMS is its support for key rotation, which signif-\nicantly limits the exposure window during potential attacks while ensuring both forward and backward\nsecrecy for sealed data. Key rotation procedures are initiated exclusively through the governance smart\ncontract, ensuring transparency and auditability. We discuss two distinct rotation mechanisms:\n• Root Key Share Rotation: Our MPC-based implementation enables rotation of individual\nkey shares without modifying the root key itself. This process enhances root key security by\nregularly updating the distribution mechanism while remaining transparent to applications, as\nall derived application keys remain unchanged.\n• Root Key Rotation: In scenarios where the root key may have been compromised, we support\ncomplete root key rotation. This process generates an entirely new root key and implements a\ncontrolled handover period during which both old and new keys remain valid. This transition\nwindow allows applications to re-encrypt their data with keys derived from the new root key\nbefore the old root key is permanently destroyed, minimizing service disruption while enhancing\nsecurity.\nThrough these mechanisms, Dstack-KMS provides the foundation for truly portable confidential con-\ntainers by decoupling encryption from hardware dependencies while maintaining robust security guar-\nantees.\n2.1.2 Dstack-OS: Hardware Abstraction Layer\nDstack-OS provides a comprehensive hardware abstraction layer with a minimized operating system\nimage that bridges the gap between application containers and VM-level TEE implementations. This\nlayer enables applications to deploy across diverse TEE environments without code modifications while\nmaintaining security integrity. As a shared component across all TEE applications, Dstack-OS must be\nintrinsically secure and verifiable, with no administrative backdoors that could compromise program\ncode or user data.\nVM-level TEE solutions typically require developers to provide complete system images encom-\npassing bootloader, kernel, operating system, and application components. This requirement not\nonly increases development complexity but also introduces potential security vulnerabilities through\nmisconfigured system components. A secure and properly configured operating system environment\nfundamentally determines the security baseline for all TEE applications built upon it.\nFigure 5 illustrates how Dstack-OS establishes a secure and verifiable startup chain from the TEE\nhardware foundation through to user-provided container images. Our modular design ensures that the\nmajority of the system can be reused across different TEE hardware implementations, substantially\nreducing the effort required for code review and security auditing. Combined with reproducible build\nprocesses, this approach enables comprehensive verification of Dstack-OS with minimal overhead while\nsupporting multiple TEE hardware platforms.\nUsing Intel TDX as an exemplar (with similar procedures applicable to other TEE implementa-\ntions like AMD SEV), Dstack-OS consists of the following components, presented in boot sequence\norder. During this process, each component measures the next one and records these measurements\nin hardware registers, which are ultimately incorporated into the TEE attestation report:\n• Hypervisor: When application deployment initiates, the underlying hypervisor (the TDX mod-\nule) loads the Open Virtual Machine Firmware (OVMF), enabling UEFI support for confidential\nvirtual machines. The TDX module measures the OVMF code and records its cryptographic\ndigest in the MRTD register, with the hypervisor’s integrity guaranteed by the TEE hardware\nitself.\n7\nFigure 5: The architecture of Dstack-OS establishes a secure and verifiable startup chain from TEE hardware\nthrough to user applications.\n• Open Virtual Machine Firmware (OVMF): The OVMF configures virtual machine hard-\nware specifications (CPU, memory, and device configurations) and records the configuration\nmeasurement to the RTMR0 register. It then loads the Linux kernel and records the kernel\nimage measurement to the RTMR1 register.\n• Kernel: The kernel first loads an initial ramdisk (initrd) — a temporary in-memory filesystem\ncontaining minimal command-line tools and disk encryption libraries. The initrd mounts the\nroot filesystem and records this measurement in the RTMR2 register.\n• Root Filesystem: The root filesystem (RootFs) is a read-only environment containing essential\nsystem libraries and tools. It manages the entire lifecycle of deployed applications, measuring\napplication images along with their associated key management system and storing these mea-\nsurements in the RTMR3 register. The RootFs serves two primary functions: (1) providing\nthe runtime environment for user-level container images, and (2) managing application data en-\ncryption. It interfaces with Dstack-KMS to acquire encryption secrets and implements Linux\nUnified Key Setup (LUKS) to encrypt application data in isolated volumes. Data integrity is\nensured through dm-verity, a Merkle-tree-based block-level verification tool. Finally, the RootFs\nconfigures network ingress for the application and initiates execution.\nRather than adapting existing system images, we built Dstack-OS from scratch to ensure only es-\nsential components are included in both the initrd and RootFs. A comprehensive component inventory\nis provided in Appendix ?? for transparency and review. Generally, Dstack-OS includes only basic\nutilities (busybox), filesystem support, and container runtime components. By implementing Docker\nsupport while delegating orchestration to the application level, we maintain a minimal base image\nfootprint.\nTo ensure comprehensive verifiability, Dstack-OS is fully open-sourced and supports reproducible\nbuilds, allowing anyone to review the code and generate identical artifacts for verification. This\napproach provides significant benefits for applications requiring security reviews, as evaluators need\nonly review the application code rather than the entire system image.\nData Backup and Defense against Rollback Attacks A critical challenge in confidential com-\nputing is ensuring data durability and integrity, particularly against rollback attacks where adversaries\nattempt to revert applications to previous states to bypass security checks or reuse expired secrets.\nOur architecture provides robust secure data backup support and implements robust anti-rollback\nmechanisms that application developers can integrate:\n• Secure Backup: Application data is encrypted using keys derived from Dstack-KMS and can\nbe backed up to external storage providers. Since encryption keys are not bound to specific TEE\n8\ninstances, data can be restored on any authorized TEE, supporting true portability and disaster\nrecovery.\n• Monotonic Counters: To prevent rollback attacks, developers can implement monotonic coun-\nters that increment with each critical data update, incorporating the counter value into the en-\ncrypted data. During restoration, applications verify that the counter value equals or exceeds\nthe last known value, preventing replay of outdated snapshots.\nBy combining these techniques, Dstack ensures both the recoverability and integrity of confidential\ndata across portable container migrations and backup scenarios.\nTogether, Dstack-KMS and Dstack-OS provide the foundational infrastructure for truly portable\nconfidential containers that maintain security and integrity across heterogeneous TEE environments\nwhile eliminating vendor lock-in and supporting comprehensive verifiability.\n2.2 Decentralized Code Management\nA core principle of Zero Trust platforms is the enforcement of “Code is Law”, ensuring that application\ncode operates as intended without unexpected modifications. While TEE hardware provides code\nintegrity guarantees during execution, it cannot independently prevent administrators from deploying\nmalicious code or making unauthorized modifications. Conversely, smart contracts have established\nrobust methodologies for implementing programmable governance over code lifecycle management —\nsuch as multi-signature requirements that prevent single-actor manipulation.\nOur decentralized code management framework bridges these two worlds by placing TEE ap-\nplication governance under smart contract control, creating a transparent and auditable system for\napplication deployment and updates that aligns with Web3 principles.\nFigure 6: The architecture of decentralized code management integrates on-chain governance contracts with\noff-chain TEE through Dstack-KMS.\nAs illustrated in Figure 6, our architecture consists of two complementary components: on-chain\ngovernance smart contracts and off-chain TEE execution environments connected through Dstack-\nKMS. This design establishes the on-chain contracts as the definitive root-of-trust for the entire system.\nEvery operation — from initial deployment to code upgrades — must first be initiated and authorized\nthrough the governance contracts before off-chain TEE instances can execute these operations.\nThe governance framework implements a two-tier structure:\n• KmsAuth Contract: Serves as the global authority controlling Dstack-KMS operations. This\ncontract maintains the registry of authorized applications and their governance parameters, en-\nforcing system-wide policies for TEE deployment. By controlling whether Dstack-KMS shares\n9\napplication secrets with specific TEE instances, the KmsAuth contract effectively determines\nwhether applications can decrypt their data, thus controlling their complete lifecycle.\n• AppAuth Contracts: Individual governance contracts deployed for each application that de-\nfine application-specific management rules. These contracts specify permissible code versions\n(through cryptographic hashes), authorized TEE instance identities, and upgrade approval re-\nquirements. This modular approach enables customized governance models ranging from tradi-\ntional multi-signature schemes to complex DAO voting mechanisms, allowing each application\nto implement governance appropriate to its requirements.\nThe enforcement mechanism operates through Dstack-KMS, which will only provide application\nsecrets to TEE instances running code versions explicitly authorized by the governance contracts.\nThis creates a cryptographically enforced governance system where unauthorized code versions cannot\naccess application data, regardless of administrative privileges.\nTo illustrate this mechanism, consider a code upgrade process for an application using a multi-\nsignature AppAuth contract in Figure 6:\n1. Developers publish the new code version and submit its cryptographic hash to the AppAuth\ncontract.\n2. The contract initiates the approval process, requiring signatures from designated key holders\n(e.g., core developers, security auditors, and community representatives).\n3. Each signature is recorded on-chain, creating an immutable audit trail of the approval process.\n4. Once the required signature threshold is reached, the AppAuth contract updates its registry of\nauthorized code versions.\n5. The KmsAuth contract, monitoring the AppAuth contract, updates its authorization records\naccordingly.\n6. Dstack-KMS, which continuously synchronizes with the KmsAuth contract, begins providing\napplication secrets to TEE instances running the newly approved code version.\n7. TEE instances can now deploy the new code with full access to encrypted application data.\nThis process ensures that every code change follows predefined governance rules with complete trans-\nparency. The on-chain approval records create an immutable audit trail that allows users to verify\nthe entire history of application changes, while the cryptographic enforcement through Dstack-KMS\nguarantees that only properly authorized code can access application data.\nBy combining the code integrity guarantees of TEEs with the transparent governance capabilities\nof smart contracts, our decentralized code management framework ensures that applications truly\nembody the ”Code is Law” principle. Every aspect of the application lifecycle—from initial deployment\nto version updates and potential retirement—follows predefined, transparent rules that cannot be\ncircumvented by any single entity, including the platform operators themselves.\n2.3 Verifiable Domain Management\nA complete Zero Trust platform must enable seamless verification for users across both Web3 and\ntraditional Web2 environments. Our Verifiable Domain Management system completes the chain-\nof-trust by allowing standard Web browsers to cryptographically verify TEE applications without\nrequiring any client-side modifications or specialized knowledge.\nThis capability is critical for mainstream adoption, as it allows users to interact with confiden-\ntial applications using familiar tools while maintaining the same security guarantees provided by the\nunderlying TEE infrastructure. We implement this through two complementary components—Dstack-\nIngress and Dstack-Gateway—both leveraging our novel Zero Trust TLS (ZT-TLS) protocol.\nThe fundamental innovation in ZT-TLS is establishing cryptographic proof that a specific TLS\ncertificate (and therefore a domain) is exclusively controlled by a verified TEE application. This\ncreates a verification chain extending from the blockchain to standard HTTPS connections, enabling\nusers to confirm application authenticity through familiar security indicators in their browsers.\n10\nFigure 7: The Zero Trust TLS architecture establishes a cryptographically verifiable connection between\nstandard web browsers and TEE applications through blockchain-anchored certificate management.\n2.3.1 Zero Trust TLS Protocol\nThe ZT-TLS protocol addresses a critical challenge: how to cryptographically bind a domain to a\nspecific TEE application in a way that prevents unauthorized certificate issuance or domain hijacking.\nOur solution integrates three key components:\n• TEE-Generated Certificates: The TEE application (specifically Dstack-Gateway) generates\nits TLS certificate using application secrets derived from Dstack-KMS. This ensures the private\nkey never exists outside the TEE environment and creates a cryptographic link between the\non-chain governance and the TLS certificate.\n• Certificate Authority Authorization (CAA): We leverage DNS CAA records to restrict\nwhich certificate authorities can issue certificates for managed domains. By configuring CAA\nrecords to only authorize certificates from specific issuers (which verify TEE attestation), we\nprevent unauthorized certificate issuance through alternative validation methods.\n• Certificate Transparency (CT) Monitoring: To protect against unauthorized DNS record\nmodifications, we implement continuous monitoring of Certificate Transparency logs. This allows\ndetection of any unauthorized certificates and provides an immutable audit trail of certificate\nissuance history.\n2.3.2 Implementation Components\nWe provide two complementary implementations to accommodate different application requirements:\n• Dstack-Gateway: A fully managed reverse proxy running within a TEE that provides imme-\ndiate domain verification with zero application code changes. Applications register with Dstack-\nGateway through a simple API call, during which Dstack-Gateway verifies the application’s re-\nmote attestation report. Once verified, applications receive a subdomain under a pre-registered\nwildcard domain (e.g., app-id.Dstack.com), with all TLS termination and certificate manage-\nment handled automatically.\n• Dstack-Ingress: A more flexible solution for applications requiring custom domain names.\nDstack-Ingress provides libraries and services that enable applications to manage their own TLS\ncertificates while maintaining the same verification guarantees. This approach requires minimal\nintegration work while supporting application-specific domain requirements.\n11\nBoth implementations ensure that certificates are cryptographically bound to verified TEE environ-\nments, with the verification chain extending from the blockchain governance contracts through to the\nTLS certificates presented to users’ browsers.\n2.3.3 Security Guarantees and Protections\nOur Verifiable Domain Management system provides several critical security guarantees:\n• Certificate Provenance Verification: Users can verify that the TLS certificate presented by\nan application was issued to a legitimate TEE environment by checking the certificate against\non-chain records.\n• Domain Binding Integrity: The combination of CAA records and Certificate Transparency\nmonitoring ensures that domains remain bound to their designated TEE applications, preventing\nunauthorized certificate issuance.\n• Tamper-Evident Certificate Changes: Any unauthorized attempts to modify domain con-\nfigurations or issue alternative certificates are detected through Certificate Transparency moni-\ntoring, with alerts propagated to clients.\nWhile we cannot technically prevent all attacks against centralized DNS infrastructure, our multi-\nlayered approach creates a tamper-evident system where unauthorized changes are quickly detected\nand rejected by client verification processes. This approach aligns with the ”Assume Breach” principle\nby implementing defense-in-depth strategies that maintain security even when individual components\nare compromised.\nBy extending the verification chain from blockchain governance through TEE attestation to stan-\ndard TLS certificates, our Verifiable Domain Management system enables seamless integration of Zero\nTrust applications into existing web infrastructure. This creates a practical path for mainstream\nadoption without requiring specialized knowledge or tools from end users, while maintaining the com-\nprehensive security guarantees that define true Zero Trust platforms.\n3 Verifying TEE Applications: A Practical Walkthrough\nTo demonstrate how Dstack fulfills the Zero Trust principles and addresses the challenges outlined in\nSection 1, we present a practical end-to-end verification scenario. This walkthrough illustrates how\nthe architectural components described in Section 2 work together to provide a comprehensive chain\nof trust for real-world Web3 applications.\nTraditional Zero Trust programs like smart contracts achieve verifiability through transparent\nsource code and inputs. However, extending similar verifiability to real-world applications presents\nunique challenges, particularly in maintaining privacy and compatibility with existing development\npractices. Dstack addresses these challenges through a comprehensive verification framework that\nrequires minimal code changes.\nThis section demonstrates Dstack’s complete chain of trust through a practical example: verifying\nthat a cryptographic key was genuinely generated within a TEE environment. This scenario is es-\npecially relevant for Web3 and AI Agent applications where cryptographic keys establish application\nidentity and authority.\n3.1 Threat Model\nOur verification framework assumes the correct implementation and integrity of core Dstack compo-\nnents (Dstack-OS, Dstack-KMS, Dstack-Gateway, and governance contracts). While these components’\nsecurity guarantees are detailed in later sections, we explicitly consider developers and administrators\nas potential adversaries.\nPotential attack vectors include:\n• Application-Level Attacks\n– Deployment of unauthorized or malicious code through falsified Docker images\n12\n– Introduction of malicious dependencies through supply chain attacks\n– Unauthorized application updates that bypass governance controls\n• Infrastructure-Level Attacks\n– Tampering with Dstack-OS to circumvent security controls\n– Deployment of compromised key management services\n– Operation of unpatched or vulnerable TEE firmware\n– Execution of applications on non-TEE hardware with spoofed attestation\n• Network-Level Attacks\n– DNS hijacking to redirect traffic to unauthorized applications\n– Man-in-the-middle attacks on communication channels\nDirect attacks on TEE hardware security (e.g., exploitation of hardware vulnerabilities) are con-\nsidered out of scope for this discussion and addressed separately.\n3.2 The Reproducibility Challenge\nA fundamental challenge in TEE attestation lies in bridging the gap between source code and the\nactual artifacts (binaries or container images) running inside enclaves. While TEE attestation can\nprove that a specific artifact runs within a secure environment, it cannot independently verify that the\nartifact accurately represents its claimed source code.\nThis limitation creates several security risks:\n• Source Code Manipulation: Developers could intentionally deploy artifacts that differ from\npublicly reviewed source code\n• Build Process Compromise: Supply chain attacks could inject malicious code during artifact\ncreation\n• Toolchain Vulnerabilities: As demonstrated by the Ken Thompson Hack, even compiler\ntoolchains could be compromised to inject malicious behavior\nTEE quotes only attest to measurements (cryptographic hashes) of running artifacts. Without\nguarantees that these artifacts accurately represent reviewed source code, users cannot fully trust ap-\nplications even when running in secure enclaves. This challenge affects all TEE applications, including\nDstack’s core components.\nFigure 8: Comprehensive verification chain from source code to running TEE applications\nEstablishing a complete verification chain requires three key elements:\n13\n• Source Code Verification: Open-source code or trusted third-party review ensuring no back-\ndoors exist\n• Build Process Integrity: Reproducible builds allowing independent verification of artifacts\n• Runtime Attestation: TEE quotes proving that verified artifacts are actually running\nTraditional reproducible builds, while ideal, often introduce significant complexity through special-\nized toolchains and build scripts. The following section introduces an alternative approach, In-CC\nBuild, that achieves similar guarantees with improved practicality.\n3.3 Dstack Component Verifiability\nEach core Dstack component implements specific verifiability mechanisms anchored in transparent,\nimmutable records. Table 1 summarizes these mechanisms:\nComponentSourceBuild MethodRegistryVerification\nDstack-OSOpenReproducibleKmsAuthOS Digest\nDstack-KMSOpenIn-CCKmsAuthImage Hash, Root PubKey\nDstack-GatewayOpenIn-CCAppAuthImage Hash\nTable 1: Verifiability mechanisms and trust anchors for Dstack components\nAll components maintain open-source codebases with comprehensive documentation. Dstack-OS, as\nthe foundational component, undergoes third-party security audits and implements fully reproducible\nbuilds.\nThe governance smart contracts serve as authoritative registries, anchoring each component’s trust\nbase:\n• Dstack-OS digests are registered in KmsAuth and managed through multi-signature governance\n• Dstack-KMS measurements and root public keys are recorded in KmsAuth\n• Dstack-Gateway artifacts are verified through dedicated AppAuth contracts\nIn-ConfidentialContainer Build While reproducible builds represent the gold standard for arti-\nfact verification, they often prove impractical for complex applications. Dstack addresses this through\nIn-CC Build, leveraging the verified Dstack-OS as a trusted foundation. The In-CC Build process\nexecutes entirely within Dstack-OS environment, encompassing code fetching, compilation, and arti-\nfact creation. By specifying precise source references (e.g., a snapshot of the codebase), the system\nproduces verifiable artifacts with measurements attested in TEE quotes. This approach minimizes the\ntrusted computing base while eliminating the complexity of traditional reproducible builds.\n3.4 End-to-End Verification Walkthrough\nFrom a user’s perspective, verifying a TEE application in Dstack requires validating a chain of mea-\nsurements against authoritative registries, encompassing the user application, runtime data, Dstack\ncomponents, and network infrastructure. This section walks through the verification process, demon-\nstrating how each step builds upon the previous one to create a comprehensive chain of trust.\nAs shown in Figure 9, the verification chain begins with the KmsAuth smart contract, which serves\nas the root of trust for the entire system, and concludes with the key generation application running\nin a TEE. We explain the verification steps as follows.\nFirst, the address of the Dstack-KMS governance contract (i.e., KmsAuth) is publicly available.\nThe KMS governance contract serves as the authoritative registry for (1) off-chain KMS nodes and\n(2) dedicated governance contracts (i.e., AppAuth) for TEE applications. It is worth noting that the\nDstack-Gateway can be regarded as a special TEE application that attests and forwards requests to\nother user applications while maintaining consistent verification procedures.\nThe KmsAuth contract records both the measurements of off-chain KMS node programs (KMS\ndigest, which is the hash of the docker compose file and the images used in In-CC Build) and the TDX\n14\nFigure 9: The verification chain from authoritative registries to runtime measurements\nQuote of the first KMS node, which acts as the primary key generator. The identities of subsequent\nKMS nodes must first be registered in KmsAuth and verified by the first KMS node before they\ncan participate in key generation. These data, together with the open-source Dstack-KMS codebase,\nallow users to verify the integrity of the KMS nodes and their code correctness. Subsequently, the\noff-chain KMS nodes can be considered trusted extensions and used to verify Quotes from other TEE\napplications, which cannot be achieved by the on-chain governance contract alone. The off-chain\nKMS nodes are responsible for generating and managing cryptographic keys (i.e., the root key) and\nthe corresponding certificates (explained in Section 2.3.1), which are further used to authorize TEE\napplications after they are verified, thereby avoiding redundant verification.\nSecond, users can verify the validity of Dstack-Gateway. By default, this is delegated to the off-\nchain KMS nodes during gateway registration, although users can always request the Quote of the\ngateway and check the digest of its docker compose file in its governance contract and the codebase.\nAfter the KMS nodes verify the gateway, it will generate its application root key along with a certificate\nchain ending with the root certificate.\nNext, users can access the TEE application through Dstack-Gateway forwarding. In this case, users\neffectively delegate the verification of the key generation application to the gateway. The deployment\nof the key generation application starts from the KmsAuth contract. The deployer first registers it\nand stores the digest (the hash of the docker compose file and the images) on the dedicated AppAuth\ncontract. Then, as in the previous step, the off-chain KMS nodes verify the Quote of the application\nafter it is deployed to the TEE and ensure it matches the registered digest. Only after successful\nverification will the key be generated along with the certificate chain. To be forwarded by the gateway,\nthe application must also register with it. In this case, the gateway verifies the application’s certificate\nchain and ensures it shares the same root certificate, indicating authorization by the same KMS.\nFinally, the user can invoke the application and request proof of the key it generated. The applica-\ntion can generate a Quote on demand, with the generated public key included as custom data in the\nQuote.\n15\n3.5 Security Analysis: Mitigating Threats\nOur key generation example demonstrates Dstack’s comprehensive approach to security across multiple\nattack surfaces. At the application level, the system prevents unauthorized code deployment through\nrigorous measurement verification against the AppAuth registry. The In-CC Build process ensures\nall dependencies originate from verified sources, while any updates require new registry entries and\ncomplete re-verification. It is important to note, however, that code audit and review processes remain\nessential for ensuring application code correctness, as the In-CC Build only guarantees the integrity of\nthe build process.\nInfrastructure security is maintained through multiple mechanisms. TDX Quotes verify Dstack-OS\nintegrity, preventing OS-level tampering. KMS updates require multi-signature governance approval,\nsafeguarding against unauthorized changes to key management services. The Quote verification pro-\ncess includes firmware version validation, ensuring applications run on up-to-date TEE hardware.\nHardware-backed TDX Quotes effectively prevent attestation spoofing attempts.\nNetwork-level threats are mitigated through the certificate chain validation system. This prevents\nboth DNS hijacking and man-in-the-middle attacks by ensuring authentic application identity and\nenabling end-to-end encryption with verified certificates. The combination of these security measures\nensures that cryptographic keys maintain their integrity guarantees even when confronted with sophis-\nticated attacks targeting different system layers.\nReferences\n16"
}
]
},
{
"role": "assistant",
"content": "# Project Proposal Template\n\n## General Information\n1.1. Name of Project\nDstack\n\n1.2. Project Description (what it does, why it is valuable, origin and history)\nDstack is a developer-friendly and security-first SDK that simplifies the deployment of arbitrary containerized applications into Trusted Execution Environments (TEEs). It enables developers to securely deploy containerized applications in TEEs in minutes using familiar tools like docker-compose.yaml. Dstack provides safe management of secrets and sensitive data, along with built-in TLS termination for exposed services.\n\nThe project was built by Kevin Wang and others from Phala Network, inspired by Andrew Miller (Flashbots & Teleport), and has received contributions from Nethermind and many others. Dstack addresses the gap between raw TEE technology and Zero Trust platform requirements by providing portable confidential containers, decentralized code management, and verifiable domain management.\n\n1.3. How does this project align with the Consortium's Mission Statement\n[blank]\n\n1.4. Project website URL\nhttps://docs.phala.network/dstack/overview (inferred from documentation references)\n\n1.5. Social media accounts\n[blank]\n\n## Legal Information\n2.1. Project Logo URL or attachment (Vector Graphic: SVG, EPS).\n[blank]\n\n2.2. Project license. We recommend an OSI-approved license, so if the license is not one on the list, explain why.\nApache License, Version 2.0\n\n2.3. Existing financial sponsorship.\n[blank]\n\n2.4. Trademark status.\n[blank]\n\n## Technical Information\n3.1. High level assessment of project synergy with existing projects under the CCC, including how the project compliments/overlaps with existing projects, and potential ways to harmonize over time. Responses may be included both inline and/or in accompanying documentation.\n[blank]\n\n3.2. Describe the Trusted Computing Base (TCB) of the project. If the project supports multiple environments please describe each TCB. Also identify if dependencies of other project (both CCC or non-CCC) TCBs are taken.\nDstack's TCB includes:\n- Dstack-OS: A minimized operating system image that serves as a hardware abstraction layer\n- OVMF (Open Virtual Machine Firmware): Configures VM hardware specifications\n- Linux kernel with initial ramdisk (initrd)\n- Root filesystem with essential system libraries and tools\n- Intel TDX or equivalent TEE hardware as the foundation\n\nThe system establishes a secure and verifiable startup chain from TEE hardware through to user applications, with each component measuring the next and recording measurements in hardware registers that are incorporated into TEE attestation reports.\n\n3.3. Project Code of Conduct URL. We recommend a Contributor Covenant v2.0 based Code of Conduct, so if the Code of Conduct is not based on that, explain why.\n[blank]\n\n3.4. Source control URL\nhttps://github.com/Dstack-TEE/dstack\n\n3.5. Issue tracker URL\nhttps://github.com/Dstack-TEE/dstack/issues (inferred)\n\n3.6. External dependencies (including licenses, and indicate whether each is a build time or runtime dependency)\n- Intel TDX or equivalent TEE hardware (runtime)\n- Linux kernel (runtime)\n- Docker/container runtime (runtime)\n- Busybox (runtime)\n- LUKS for encryption (runtime)\n- Wireguard-tools (build time)\n- Build-essential, chrpath, diffstat, lz4, xorriso (build time)\n- Rust (build time)\n\n3.7. Standards implemented by the project, if any. Include links to any such standards.\n- TLS/HTTPS for secure communications\n- Certificate Transparency (CT) for certificate monitoring\n- Certificate Authority Authorization (CAA) for domain security\n- Remote Attestation for TEE verification\n\n3.8. Release methodology and mechanics\n[blank]\n\n3.9. Names of initial committers, if different from those submitting proposal\nInitial committers include:\n- Kevin Wang (kvinwang)\n- Shelven Zhou (shelvenzhou)\n- Leechael\n\n3.10. List of project's official communication channels (slack, irc, mailing lists)\n[blank]\n\n3.11. Project Security Response Policy\n[blank]\n\n3.12. Preferred maturity level (Incubation, Graduation, or Emeritus)\n[blank]\n\n3.13. Any additional information the TAC and Board should take into consideration when reviewing your proposal.\nDstack includes several key components:\n- dstack-vmm: Service running on bare TDX host to manage CVMs\n- dstack-gateway: Reverse proxy to forward TLS connections to CVMs\n- dstack-kms: KMS server to generate keys for CVMs\n- dstack-guest-agent: Service in CVM to serve containers' key derivation and attestation requests\n- meta-dstack: Yocto meta layer to build CVM guest images\n\nThe project provides innovative solutions for portable confidential containers, decentralized code management, and verifiable domain management, addressing critical limitations in current TEE implementations for Web3 contexts."
},
{
"role": "user",
"content": "This is the current project list. FIll in 3.1 with it.\n```\nCertifier Framework For Confidential Computing\nThe Certifier Framework for Confidential Computing consists of a client API called the Certifier API and server-based policy evaluation server called the Certifier Service.\n\n\nCOCONUT-SVSM\nThe COCONUT-SVSM is an implementation of a Secure VM Service Module for confidential computing virtual machines (CVMs).\n\n\nEnarx\nEnarx provides a platform abstraction for Trusted Execution Environments (TEEs) enabling creating and running “private, fungible, serverless” applications.\n\n\nGramine\nA particular use case for Gramine is Intel Software Guard Extensions (SGX), where applications do not work out-of-the-box. Gramine solves this problem, with the added security benefits. Gramine can serve as a compatibility layer on other platforms.\n\n\nIslet\nIslet is an open-source software project written in Rust that enables confidential computing on ARM architecture devices using the ARMv9 CCA. The primary objective of Islet is to enable on-device confidential computing and protect user privacy on end user devices.\n\n\nKeystone\nKeystone is an open-source project for building trusted execution environments (TEE) with secure hardware enclaves, based on the RISC-V architecture. Our goal is to build a secure and trustworthy open-source secure hardware enclave, accessible to everyone in industry and academia.\n\n\nManaTEE\nManaTEE is an open-source project for easily building and deploying data collaboration framework to the cloud using trusted execution environments (TEEs). It allows users to easily collaborate on private datasets without leaking privacy of individual data.\n\n\nOcclum\nOcclum makes running applications inside enclaves easy. It allows one to run unmodified programs inside enclaves with just a few simple commands. And Occlum is open-source and free to use.\n\n\nOpen Enclave SDK\nOpen Enclave SDK is an open source framework that allows developers to build Trusted Execution Environment (TEE) applications using a single enclaving abstraction.\n\n\nSPDM Tools\nThis project provides a Rust language implementation of SPDM, IDE_KM and TDISP. These protocols are used to facilitate direct device assignment for Trusted Execution Environment I/O (TEE-I/O) in Confidential Computing.\n\n\nVeracruz\nVeracruz is a research project exploring the design of privacy-preserving distributed systems. Veracruz uses strong isolation technology and remote attestation protocols to establish a “neutral ground” within which a collaborative, multi-party computation between a group of mistrusting principals takes place.\n\n\nVeraison\nProject Veraison builds software components that can be used to build an Attestation Verification Service.\n\n\nVirTEE\nVirTEE is an open community dedicated to developing open source tools for the bring-up, attestation, and management of Trusted Execution Environments.\n```"
}
]Response:
3.1. High level assessment of project synergy with existing projects under the CCC, including how the project compliments/overlaps with existing projects, and potential ways to harmonize over time. Responses may be included both inline and/or in accompanying documentation.
Dstack complements several existing CCC projects while addressing unique needs in the confidential computing ecosystem:
- **Synergy with Gramine**: While Gramine provides a compatibility layer for Intel SGX applications, Dstack extends this concept by offering a higher-level abstraction focused on containerized applications. Potential harmonization could involve Dstack leveraging Gramine's compatibility layer for specific workloads while providing a more developer-friendly interface.
- **Complementary to Open Enclave SDK**: Open Enclave SDK provides a framework for building TEE applications with a single enclaving abstraction. Dstack takes a different approach by focusing on deploying existing containerized applications into TEEs without requiring code modifications. These projects could harmonize by having Dstack support applications built with Open Enclave SDK.
- **Alignment with VirTEE**: VirTEE's focus on tools for bring-up, attestation, and management of TEEs aligns well with Dstack's goals. Dstack could potentially integrate with or leverage VirTEE's attestation components to enhance its security verification capabilities.
- **Complementary to Veraison**: Veraison's attestation verification service components could be integrated with Dstack's attestation workflow to enhance the verification capabilities of Dstack's confidential containers.
- **Differentiation from Enarx**: While Enarx provides a platform abstraction for TEEs focusing on "private, fungible, serverless" applications, Dstack focuses specifically on containerized applications with familiar Docker tooling. Both projects could share insights on TEE abstraction techniques.
- **Extension beyond COCONUT-SVSM**: COCONUT-SVSM implements a Secure VM Service Module for confidential computing VMs. Dstack builds upon this concept by providing a complete framework for deploying and managing containerized applications within these secure VMs.
Dstack uniquely addresses the developer experience gap in confidential computing by providing a Docker-compose compatible interface for deploying applications in TEEs, with built-in solutions for key management, domain verification, and portable containers. This focus on developer experience and containerization complements the more foundational TEE technologies represented in the CCC.
Model: claude-3-7-sonnet-202502192025-06-25 13:10:57
Context:
[
{
"role": "user",
"content": [
{
"type": "text",
"text": "Help me fill in the follow template given the project whitepaper and README file.\n\nFor fields with not enough info, leave it \"[blank]\".\n\n```\nProject Proposal Template\n\nGeneral Information\n1.1. Name of Project\n1.2. Project Description (what it does, why it is valuable, origin and history)\n1.3. How does this project align with the Consortium's Mission Statement\n1.4. Project website URL\n1.5. Social media accounts\n\nLegal Information\n2.1. Project Logo URL or attachment (Vector Graphic: SVG, EPS).\n2.2. Project license. We recommend an OSI-approved license, so if the license is not one on the list, explain why.\n2.3. Existing financial sponsorship.\n2.4. Trademark status.\n\nTechnical Information\n3.1. High level assessment of project synergy with existing projects under the CCC, including how the project compliments/overlaps with existing projects, and potential ways to harmonize over time. Responses may be included both inline and/or in accompanying documentation.\n3.2. Describe the Trusted Computing Base (TCB) of the project. If the project supports multiple environments please describe each TCB. Also identify if dependencies of other project (both CCC or non-CCC) TCBs are taken.\n3.3. Project Code of Conduct URL. We recommend a Contributor Covenant v2.0 based Code of Conduct, so if the Code of Conduct is not based on that, explain why.\n3.4. Source control URL\n3.5. Issue tracker URL\n3.6. External dependencies (including licenses, and indicate whether each is a build time or runtime dependency)\n3.7. Standards implemented by the project, if any. Include links to any such standards.\n3.8. Release methodology and mechanics\n3.9. Names of initial committers, if different from those submitting proposal\n3.10. List of project's official communication channels (slack, irc, mailing lists)\n3.11. Project Security Response Policy\n3.12. Preferred maturity level (Incubation, Graduation, or Emeritus) 3.13. Any additional information the TAC and Board should take into consideration when reviewing your proposal.\n```"
},
{
"type": "text",
"text": "README.md\n# Dstack\n\n[](https://deepwiki.com/Dstack-TEE/dstack)\n\nDstack is a **developer friendly** and **security first** SDK to simplify the deployment of arbitrary containerized apps into TEE.\n\nMain features:\n\n- 🔒 Deploy containerized apps securely in TEE in minutes\n- 🛠️ Use familiar tools - just write a docker-compose.yaml\n- 🔑 Safely manage secrets and sensitive data\n- 📡 Expose services via built-in TLS termination\n\nDstack is community driven. Open sourced and built by [Kevin Wang](https://github.com/kvinwang) and many others from [Phala Network](https://github.com/Phala-Network), inspired by [Andrew Miller](https://github.com/amiller) (Flashbots & Teleport), and contributed by [Nethermind](https://github.com/NethermindEth/nethermind) and [many others](#contributors).\n\n![Alt](https://repobeats.axiom.co/api/embed/0a001cc3c1f387fae08172a9e116b0ec367b8971.svg \"Repobeats analytics image\")\n\n# Overview\n\nComponents in Dstack:\n\n- `dstack-vmm`: A service running in bare TDX host to manage CVMs\n- `dstack-gateway`: A reverse proxy to forward TLS connections to CVMs\n- `dstack-kms`: A KMS server to generate keys for CVMs\n- `dstack-guest-agent`: A service running in CVM to serve containers' key derivation and attestation requests\n- `meta-dstack`: A Yocto meta layer to build CVM guest images\n\nThe overall architecture is shown below:\n\n\n# Directory structure\n\n```text\ndstack/\n kms/ A prototype KMS server\n guest-agent/ A service running in CVM to serve containers' key derivation and attestation requests.\n dstack-util/ A CLI tool in the guest setting up the system, getting TDX quote, extending RTMR, generating cert for RA-TLS, etc.\n vmm/ A service running in bare TDX host to manage CVMs\n gateway/ A reverse proxy to forward TLS connections to CVMs\n certbot/ A tool to automatically obtain and renew TLS certificates for dstack-gateway\n ra-rpc/ RA-TLS support for pRPC\n ra-tls/ RA-TLS support library\n tdx-attest/ Guest library for getting TDX quote and extending RTMR\n```\n\n# Build and play locally\n\n## Prerequisites\n\n- A bare metal TDX server setup following [canonical/tdx](https://github.com/canonical/tdx)\n- Public IPv4 address assigned to the machine\n- At least 16GB RAM, 100GB free disk space.\n- A domain with DNS access if you want to set up `dstack-gateway` for Zero Trust HTTPS\n\n> [!NOTE]\n>\n> This doc assumes you have access to a compatible Intel TDX Server ready to be configured with Dstack. Check the [Hardware Requirements](https://docs.phala.network/dstack/hardware-requirements) for more information on buying a bare metal server or renting a server from OVH. To start learning about Dstack check out the [docs](https://docs.phala.network/dstack/overview).\n>\n> If you are looking to deploy a CVM in minutes, go to the docs to learn how to [sign-up for a Phala Cloud Account](https://docs.phala.network/phala-cloud/getting-started/sign-up-for-cloud-account) and [deploy your first CVM on Dstack]((https://docs.phala.network/phala-cloud/getting-started/start-from-cloud-ui)).\n\n## Install dependencies\n\n```bash\n# for Ubuntu 24.04\nsudo apt install -y build-essential chrpath diffstat lz4 wireguard-tools xorriso\n# install rust\ncurl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sh\n```\n\n## Build and run for local development\n\n### Build the artifacts\n```bash\ngit clone https://github.com/Dstack-TEE/meta-dstack.git --recursive\ncd meta-dstack/\n\nmkdir build\ncd build\n../build.sh hostcfg\n# This outputs the following message:\n# Config file ../build-config.sh created, please edit it to configure the build\n\nvim ./build-config.sh\n```\n\nReview and customize the `build-config.sh` configuration file according to your environment requirements. The file contains network ports, domain settings, and other important parameters. Once configured, run the build script again to generate the necessary artifacts:\n\n```bash\n../build.sh hostcfg\n\n# If everything is okay, you should see the built artifacts in the `build` directory.\n$ ls\ncerts images dstack-kms kms.toml run dstack-vmm vmm.toml dstack-gateway gateway.toml\n```\n\n### Download guest image or build guest image from source\n\n```bash\n# This will download the guest image from the release page.\n../build.sh dl 0.5.2\n```\n\nOr build guest image from source:\n\n```bash\n# This will build the guest image from source using the yocto meta layer. This will take a while.\n../build.sh guest\n```\n\n> **Note on Reproducible Builds**: The build command above does not guarantee reproducibility. For reproducible builds across different build environments, please refer to the [reproducible build instructions](https://github.com/Dstack-TEE/meta-dstack?tab=readme-ov-file#reproducible-build-the-guest-image) in the meta-dstack repository.\n\n### Run components\nNow you can open 3 terminals to start the components:\n\n1. Run `./dstack-kms -c kms.toml`\n2. Run `sudo ./dstack-gateway -c gateway.toml`\n3. Run `./dstack-vmm -c vmm.toml`\n\n⚠️ *Warning: this is for local development, and the kms is not secure, so you should not use it in production.*\nFor production, you should follow the [deployment guide](./docs/deployment.md) and read the [security guide](./docs/security-guide/security-guide.md).\n\n## Deploy an App\nOpen the dstack-vmm webpage [http://localhost:9080](http://localhost:9080)(change the port according to your configuration) on your local machine to deploy a `docker-compose.yaml` file:\n\n\n\nAfter the container deployed, it should need some time to start the CVM and the containers. Time would be vary depending on your workload.\n\n- Click the [Logs] button to see the logs of the CVM, you can see if the container is finished starting there.\n\n- Once the container is running, you can click the [Dashboard] button to see some information of the container. And the logs of the containers can be seen in the [Dashboard] page.\n\n \n\n- You can open dstack-gateway's dashboard at [https://localhost:9070](https://localhost:9070) to see the CVM's wireguard ip address, as shown below:\n\n\n\n## Pass Secrets to Apps\nWhen deploying a new App, you can pass private data via Encrypted Environment Variables. These variables can be referenced in the docker-compose.yaml file as shown below:\n\n\n\nThe environment variables will be encrypted in the client-side and decrypted in the CVM before being passed to the containers.\n\n## Access the App\n\nOnce the app is deployed and listening on an HTTP port, you can access the HTTP service via dstack-gateway's public domain. The ingress mapping rules are:\n\n- `<id>[s].<base_domain>` maps to port `80` or `443` if with `s` in the CVM.\n- `<id>-<port>[s].<base_domain>` maps to port `<port>` in the CVM.\n\nFor example, `3327603e03f5bd1f830812ca4a789277fc31f577-8080.app.kvin.wang` maps to port `8080` in the CVM.\n\nWhere the `<id>` can be either the app id or the instance id. If the app id is used, one of the instances will be selected by the load balancer.\nIf the `id-port` part ends with `s`, it means the TLS connection will be passthrough to the app rather than terminating at dstack-gateway.\n\nYou can also ssh into the CVM to inspect more information, if your deployment uses the image `dstack-x.x.x-dev`:\n\n```bash\n# The IP address of the CVM can be found in the dstack-gateway dashboard.\nssh [email protected]\n```\n\n## Getting TDX quote in docker container\n\nTo get a TDX quote within app containers:\n\n1. Mount `/var/run/dstack.sock` to the target container in `docker-compose.yaml`\n\n ```yaml\n version: '3'\n services:\n nginx:\n image: nginx:latest\n volumes:\n - /var/run/dstack.sock:/var/run/dstack.sock\n ports:\n - \"8080:80\"\n restart: always\n ```\n\n2. Execute the quote request command in the container.\n\n ```bash\n # The argument report_data accepts binary data encoding in hex string.\n # The actual report_data passing the to the underlying TDX driver is sha2_256(report_data).\n curl --unix-socket /var/run/dstack.sock http://localhost/GetQuote?report_data=0x1234deadbeef | jq . \n ```\n\n## Container logs\n\nContainer logs can be obtained from the CVM's `dashboard` page or by curl:\n\n```bash\ncurl 'http://<appid>.app.kvin.wang:9090/logs/<container name>?since=0&until=0&follow=true&text=true×tamps=true&bare=true'\n```\n\nReplace `<appid>` and `<container name>` with actual values. Available parameters:\n\n- since=0: Starting Unix timestamp for log retrieval\n- until=0: Ending Unix timestamp for log retrieval\n- follow: Enables continuous log streaming\n- text: Returns human-readable text instead of base64 encoding\n- timestamps: Adds timestamps to each log line\n- bare: Returns the raw log lines without json format\n\nThe response of the RPC looks like:\n```\n$ curl 'http://0.0.0.0:9190/logs/zk-provider-server?text×tamps'\n{\"channel\":\"stdout\",\"message\":\"2024-09-29T03:05:45.209507046Z Initializing Rust backend...\\n\"}\n{\"channel\":\"stdout\",\"message\":\"2024-09-29T03:05:45.209543047Z Calling Rust function: init\\n\"}\n{\"channel\":\"stdout\",\"message\":\"2024-09-29T03:05:45.209544957Z [2024-09-29T03:05:44Z INFO rust_prover] Initializing...\\n\"}\n{\"channel\":\"stdout\",\"message\":\"2024-09-29T03:05:45.209546381Z [2024-09-29T03:05:44Z INFO rust_prover::groth16] Starting setup process\\n\"}\n```\n\n## TLS Passthrough with Custom Domain\n\ndstack-gateway supports TLS passthrough for custom domains.\n\nSee the example [here](https://github.com/Dstack-TEE/dstack-examples/tree/main/custom-domain/dstack-ingress) for more details.\n\n## Upgrade an App\n\nGot to the dstack-vmm webpage, click the [Upgrade] button, select or paste the compose file you want to upgrade to, and click the [Upgrade] button again.\nThe app id does not change after the upgrade. Stop and start the app to apply the upgrade.\n\n## HTTPS Certificate Transparency\n\nIn the tutorial above, we used a TLS certificate with a private key external to the TEE. To establish trust, we need to generate and maintain the certificate's private key within the TEE and provide evidence that all TLS certificates for the domain were originate solely from dstack-gateway CVM.\n\nBy combining Certificate Transparency Logs and CAA DNS records, we can make best effort to minimize security risks. Here's our approach:\n\n- Set CAA records to allow only the account created in dstack-gateway CVM to request Certificates.\n- Launch a program to monitor Certificate Transparency Log and give alarm once any certificate issued to a pubkey that isn’t generated by dstack-gateway CVM.\n\n### Configurations\n\nTo launch Certbot, you need to own a domain hosted on Cloudflare. Obtain an API token with DNS operation permissions from the Cloudflare dashboard. Configure it in the `build-config.sh`:\n\n```bash\n# The directory to store the auto obtained TLS certificate and key\nGATEWAY_CERT=${CERBOT_WORKDIR}/live/cert.pem\nGATEWAY_KEY=${CERBOT_WORKDIR}/live/key.pem\n\n# for certbot\nCF_ZONE_ID=cc0a40...\nCF_API_TOKEN=g-DwMH...\n# ACME_URL=https://acme-v02.api.letsencrypt.org/directory\nACME_URL=https://acme-staging-v02.api.letsencrypt.org/directory\n```\n\nThen re-run the ../build.sh:\n\n```bash\n../build.sh\n```\n\n### Launch certbot\n\nThen run the certbot in the `build/` and you will see the following log:\n```text\n$ RUST_LOG=info,certbot=debug ./certbot renew -c certbot.toml\n2024-10-25T07:41:00.682990Z INFO certbot::bot: creating new ACME account\n2024-10-25T07:41:00.869246Z INFO certbot::bot: created new ACME account: https://acme-staging-v02.api.letsencrypt.org/acme/acct/168601853\n2024-10-25T07:41:00.869270Z INFO certbot::bot: setting CAA records\n2024-10-25T07:41:00.869276Z DEBUG certbot::acme_client: setting guard CAA records for app.kvin.wang\n2024-10-25T07:41:01.740767Z DEBUG certbot::acme_client: removing existing CAA record app.kvin.wang 0 issuewild \"letsencrypt.org;validationmethods=dns-01;accounturi=https://acme-staging-v02.api.letsencrypt.org/acme/acct/168578683\"\n2024-10-25T07:41:01.991298Z DEBUG certbot::acme_client: removing existing CAA record app.kvin.wang 0 issue \"letsencrypt.org;validationmethods=dns-01;accounturi=https://acme-staging-v02.api.letsencrypt.org/acme/acct/168578683\"\n2024-10-25T07:41:02.216751Z DEBUG certbot::acme_client: setting CAA records for app.kvin.wang, 0 issue \"letsencrypt.org;validationmethods=dns-01;accounturi=https://acme-staging-v02.api.letsencrypt.org/acme/acct/168601853\"\n2024-10-25T07:41:02.424217Z DEBUG certbot::acme_client: setting CAA records for app.kvin.wang, 0 issuewild \"letsencrypt.org;validationmethods=dns-01;accounturi=https://acme-staging-v02.api.letsencrypt.org/acme/acct/168601853\"\n2024-10-25T07:41:02.663824Z DEBUG certbot::acme_client: removing guard CAA records for app.kvin.wang\n2024-10-25T07:41:03.095564Z DEBUG certbot::acme_client: generating new cert key pair\n2024-10-25T07:41:03.095678Z DEBUG certbot::acme_client: requesting new certificates for *.app.kvin.wang\n2024-10-25T07:41:03.095699Z DEBUG certbot::acme_client: creating new order\n2024-10-25T07:41:03.250382Z DEBUG certbot::acme_client: order is pending, waiting for authorization\n2024-10-25T07:41:03.283600Z DEBUG certbot::acme_client: creating dns record for app.kvin.wang\n2024-10-25T07:41:04.027882Z DEBUG certbot::acme_client: challenge not found, waiting 500ms tries=2 domain=\"_acme-challenge.app.kvin.wang\"\n2024-10-25T07:41:04.600711Z DEBUG certbot::acme_client: challenge not found, waiting 1s tries=3 domain=\"_acme-challenge.app.kvin.wang\"\n2024-10-25T07:41:05.642300Z DEBUG certbot::acme_client: challenge not found, waiting 2s tries=4 domain=\"_acme-challenge.app.kvin.wang\"\n2024-10-25T07:41:07.715947Z DEBUG certbot::acme_client: challenge not found, waiting 4s tries=5 domain=\"_acme-challenge.app.kvin.wang\"\n2024-10-25T07:41:11.724831Z DEBUG certbot::acme_client: challenge not found, waiting 8s tries=6 domain=\"_acme-challenge.app.kvin.wang\"\n2024-10-25T07:41:19.815990Z DEBUG certbot::acme_client: challenge not found, waiting 16s tries=7 domain=\"_acme-challenge.app.kvin.wang\"\n2024-10-25T07:41:35.852790Z DEBUG certbot::acme_client: setting challenge ready for https://acme-staging-v02.api.letsencrypt.org/acme/chall-v3/14584884443/mQ-I2A\n2024-10-25T07:41:35.934425Z DEBUG certbot::acme_client: challenges are ready, waiting for order to be ready\n2024-10-25T07:41:37.972434Z DEBUG certbot::acme_client: order is ready, uploading csr\n2024-10-25T07:41:38.052901Z DEBUG certbot::acme_client: order is processing, waiting for challenge to be accepted\n2024-10-25T07:41:40.088190Z DEBUG certbot::acme_client: order is valid, getting certificate\n2024-10-25T07:41:40.125988Z DEBUG certbot::acme_client: removing dns record 6ab5724e8fa7e3e8f14e93333a98866a\n2024-10-25T07:41:40.377379Z DEBUG certbot::acme_client: stored new cert in /home/kvin/codes/meta-dstack/dstack/build/run/certbot/backup/2024-10-25T07:41:40.377174477Z\n2024-10-25T07:41:40.377472Z INFO certbot::bot: checking if certificate needs to be renewed\n2024-10-25T07:41:40.377719Z DEBUG certbot::acme_client: will expire in Duration { seconds: 7772486, nanoseconds: 622281542 }\n2024-10-25T07:41:40.377752Z INFO certbot::bot: certificate /home/kvin/codes/meta-dstack/dstack/build/run/certbot/live/cert.pem is up to date\n```\n\nWhere the command did are:\n\n- Registered to letsencrypt and got a new account `https://acme-staging-v02.api.letsencrypt.org/acme/acct/168601853`\n- Auto set CAA records for the domain on cloudflare, you can open the CF dashboard to see the record:\n\n \n\n- Auto requested a new certificate from Let's Encrypt. Automatically renews the certificate to maintain its validity\n\n### Launch dstack-gateway\n\nExecute dstack-gateway with `sudo ./dstack-gateway -c gateway.toml`, then access the web portal to check the dstack-gateway CVM managed Let's Encrypt account. The account's private key remains securely sealed within the TEE.\n\n\n\n## Certificate transparency log monitor\n\nTo enhance security, we've limited TLS certificate issuance to dstack-gateway via CAA records. However, since these records can be modified through Cloudflare's domain management, we need to implement global CA certificate monitoring to maintain security oversight.\n\n`ct_monitor` tracks Certificate Transparency logs via [https://crt.sh](https://crt.sh/?q=app.kvin.wang), comparing their public key with the ones got from dstack-gateway RPC. It immediately alerts when detecting unauthorized certificates not issued through dstack-gateway:\n\n```text\n$ ./ct_monitor -t https://localhost:9010/prpc -d app.kvin.wang\n2024-10-25T08:12:11.366463Z INFO ct_monitor: monitoring app.kvin.wang...\n2024-10-25T08:12:11.366488Z INFO ct_monitor: fetching known public keys from https://localhost:9010/prpc\n2024-10-25T08:12:11.566222Z INFO ct_monitor: got 2 known public keys\n2024-10-25T08:12:13.142122Z INFO ct_monitor: ✅ checked log id=14705660685\n2024-10-25T08:12:13.802573Z INFO ct_monitor: ✅ checked log id=14705656674\n2024-10-25T08:12:14.494944Z ERROR ct_monitor: ❌ error in CTLog { id: 14666084839, issuer_ca_id: 295815, issuer_name: \"C=US, O=Let's Encrypt, CN=R11\", common_name: \"kvin.wang\", name_value: \"*.app.kvin.wang\", not_before: \"2024-09-24T02:23:15\", not_after: \"2024-12-23T02:23:14\", serial_number: \"03ae796f56a933c8ff7e32c7c0d662a253d4\", result_count: 1, entry_timestamp: \"2024-09-24T03:21:45.825\" }\n2024-10-25T08:12:14.494998Z ERROR ct_monitor: error: certificate has issued to unknown pubkey: 30820122300d06092a864886f70d01010105000382010f003082010a02820101009de65c767caf117880626d1acc1ee78f3c6a992e3fe458f34066f92812ac550190a67e49ebf4f537003c393c000a8ec3e114da088c0cb02ffd0881fd39a2b32cc60d2e9989f0efab3345bee418262e0179d307d8d361fd0837f85d17eab92ec6f4126247e614aa01f4efcc05bc6303a8be68230f04326c9e85406fc4d234e9ce92089253b11d002cdf325582df45d5da42981cd546cbd2e9e49f0fa6636e747a345aaf8cefa02556aa258e1f7f90906be8fe51567ac9626f35bc46837e4f3203387fee59c71cea400000007c24e7537debc1941b36ff1612990233e4c219632e35858b1771f17a71944adf6c657dd7303583e3aeed199bd36a3152f49980f4f30203010001\n```\n\n# Troubleshooting\n\n### Error from dstack-vmm: qemu-system-x86_64: -device vhost-vsock-pci,guest-cid=<id>: vhost-vsock: unable to set guest cid: Address already in use\n\n`dstack-vmm` may throw this error when creating a new VM if the [Unix Socket CID](https://man7.org/linux/man-pages/man7/vsock.7.html) is occupied. To solve the problem, first, you should list the occupied CID:\n\n```bash\nps aux | grep 'guest-cid='\n```\n\nThen choose a new range of the CID not conflicting with the CID in use. You can change `build/vmm.toml` file and restart `dstack-vmm`. This error should disappear. For example, you may find 33000-34000 free to use:\n\n```toml\n[cvm]\ncid_start = 33000\ncid_pool_size = 1000\n```\n\nWhen building the dstack from scratch, you should change the CID configs in `build-config.sh` instead, because `vmm.toml` file is generated by `build.sh`. Its content is derived from `build-config.sh`.\n\nYou may encounter this problem when upgrading from an older version of dstack, because CID was introduced in `build-config.sh` in later versions. In such case, please follow the docs to add the missing entries in `build-config.sh` and rebuild dstack.\n\n### Error: Operation not permitted when building guest image\n\nWhen running `../build.sh guest`, you might encounter this error:\n\n```\nTraceback (most recent call last):\n File \"/meta-dstack/poky/bitbake/bin/bitbake-worker\", line 278, in child\n bb.utils.disable_network(uid, gid)\n File \"/meta-dstack/poky/bitbake/lib/bb/utils.py\", line 1696, in disable_network\n with open(\"/proc/self/uid_map\", \"w\") as f:\nPermissionError: [Errno 1] Operation not permitted\n```\n\nThis error occurs because Ubuntu 23.10 and later versions restrict unprivileged user namespaces by default. To fix this, run:\n\n```bash\nsudo sysctl kernel.apparmor_restrict_unprivileged_userns=0\n```\n\nThen try building again. For more information about this restriction, see the [Ubuntu discourse post](https://discourse.ubuntu.com/t/spec-unprivileged-user-namespace-restrictions-via-apparmor-in-ubuntu-23-10/37626).\n\n\n# Contributors\n\nDstack is proudly built by open source and Pi-rateship contributors:\n\n- Phala Network: [Kevin Wang](https://github.com/kvinwang), [Shelven Zhou](https://github.com/shelvenzhou), [Leechael](https://github.com/leechael)\n- Teleport: [Andrew Miller](https://github.com/amiller), [Sxy Sun](https://github.com/sxysun)\n- Flashbots: [Tina](https://github.com/CarboClanC), [Mateusz](https://github.com/Ruteri), [Dmarz](https://github.com/dmarzzz), [Moe](https://github.com/MoeMahhouk)\n- Ithaca: [Georgios](https://github.com/gakonst)\n- Fabric: [@gaoist](https://x.com/gaoist)\n- And many more...\n\nThe inspiration for this work stems from [Andrew Miller](https://github.com/amiller)’s pioneering concept of a [Docker-based P2P TEE SDK](https://collective.flashbots.net/t/dstack-speedrunning-a-p2p-confidential-vm/3876).\n\nThis project cannot be built without standing on the shoulders of giants:\n\n- [konvera/meta-confidential-compute](https://github.com/konvera/meta-confidential-compute)\n\nSpecial acknowledgment to [Flashbots](https://github.com/flashbots) for building a community around TEE. The TEE Hacker House initiative, organized by [Flashbots](https://github.com/flashbots) and led by [Tina](https://github.com/CarboClanC), has brought together TEE builders to develop tools for TEE-Web3 integration. This collaborative journey has generated invaluable insights for advancing secure, confidential environments within Web3.\n\nTogether, we’re shaping the future of TEE in Web3, paving the way for more secure and developer-accessible confidential computing!\n\nFor a full list of the direct contributors to this repo, see [Contributors](https://github.com/Dstack-TEE/dstack/contributors) on GitHub.\n\n\n# License\n\nCopyright 2024 Phala Network and Contributors.\n\nLicensed under the Apache License, Version 2.0 (the \"License\"); you may not use this file except in compliance with the License. You may obtain a copy of the License at\n\n[http://www.apache.org/licenses/LICENSE-2.0](http://www.apache.org/licenses/LICENSE-2.0)"
},
{
"type": "text",
"text": "main.pdf\nDstack: A Zero Trust Framework for Confidential Containers\nJune 23, 2025\nAbstract\nWeb3 applications require execution platforms that maintain confidentiality and integrity with-\nout relying on centralized trust authorities. While Trusted Execution Environments (TEEs) offer\npromising capabilities for confidential computing, current implementations face significant limita-\ntions in security reliability, censorship resistance, and vendor independence when applied to Web3\ncontexts. This paper presents Dstack, a comprehensive framework that transforms raw TEE tech-\nnology into a true Zero Trust platform aligned with Web3 principles. We introduce three key\ninnovations: (1) Portable Confidential Containers that enable seamless workload migration across\nheterogeneous TEE environments while maintaining security guarantees, (2) Decentralized Code\nManagement that leverages smart contracts for transparent governance of TEE applications, and\n(3) Verifiable Domain Management that ensures secure and verifiable application identity without\ncentralized authorities. Through these innovations, implemented via Dstack-OS, Dstack-KMS, and\nDstack-Gateway components, we demonstrate how to achieve both the performance advantages of\nVM-level TEE solutions and the trustless guarantees required by Web3 applications. Our evalu-\nation shows that Dstack provides comprehensive security guarantees while maintaining practical\nusability for real-world applications.\n1 Introduction\nThe Web3 ecosystem represents a paradigm shift in digital trust models, fundamentally transforming\nthe relationship between users and application developers. Unlike traditional systems, Web3 empowers\nusers with unprecedented control over their data through the principle of ”Code is Law” - once deployed,\ncode operates autonomously and independently of external control. This transformation demands\nrobust execution platforms that maintain confidentiality and integrity without relying on centralized\ntrust authorities.\nFigure 1: The evolution of trust models from Web2 to Web3, highlighting the shift from centralized control\nto decentralized governance and execution.\nThe contrast between Web2 and Web3 architectures in Figure 1 illustrates this fundamental shift.\nIn Web2 systems, developers maintain complete control through proprietary applications and central-\nized servers, retaining administrative privileges to access and modify user data at will. Web3’s smart\n1\ncontracts, however, represent the first significant step toward true trustlessness by executing pro-\ngrams on decentralized platforms (blockchains). Once deployed, administrators cannot influence pro-\ngram execution, and lifecycle management (e.g., code updates) follows predefined agreements through\ndemocratic governance mechanisms like multi-signature wallets and Decentralized Autonomous Orga-\nnizations (DAOs). This emerging trust model extends beyond basic applications to mission-critical\nscenarios such as AI model training, where data providers and model developers often have competing\ninterests, and autonomous AI agents designed to operate independently of human intervention. In\nthese contexts, Zero Trust platforms become essential to host applications and enforce verification\nmechanisms that appropriately constrain developer authority.\nA Zero Trust platform must enforce the following key principles:\n• Code is Law: This manifests in two dimensions: (1) the application logic, once deployed, cannot\nbe changed unexpectedly; and (2) the lifecycle management of code—including deployment,\nupgrades, and deletion—follows predefined governance rules.\n• Censorship Resistance: User data remains beyond the control of any single entity, with data\navailability protected against Denial-of-Service attacks.\n• Full Chain-of-Trust: When users interact with applications on a Zero Trust platform, they\nmust be able to verify all aspects of that application, including network setup, application identity\nand code logic, underlying hardware, and execution environment.\n• Assume Breach: The platform operates under the assumption that compromises will occur,\nimplementing mechanisms for damage containment, rapid recovery, and minimization of data\nexposure during security incidents.\nConfidential Computing, particularly through Trusted Execution Environments (TEEs), has emerged\nas a promising foundation for extending blockchain capabilities to support complex computational tasks\nwith confidentiality guarantees. Recent advances in VM-level TEE solutions, including Intel TDX and\nAMD SEV, have demonstrated substantial performance improvements and developer-friendly inter-\nfaces, making them compelling candidates for Web3 deployment. The integration of GPUs within\nTEEs [?] now enables verifiable execution of both Large Language Models and AI agents, providing\ncryptographic guarantees of computational integrity.\nHowever, a significant gap exists between raw TEE technology and the requirements of a true Zero\nTrust platform. Current TEE implementations face several critical limitations when applied to Web3\ncontexts:\n• Security Reliability: Recent vulnerability discoveries in TEE systems have raised significant con-\ncerns about their effectiveness as trust anchors. The persistence of side-channel attacks and\nmicro-architectural vulnerabilities undermines confidence in TEE security guarantees, particu-\nlarly for high-value Web3 applications where a single compromise could lead to catastrophic data\nexposure.\n• Censorship Vulnerability: Conventional TEE encryption schemes bind encryption keys to spe-\ncific hardware instances, creating single points of failure that contradict Web3’s requirement\nfor censorship resistance. This architectural limitation means that data availability cannot be\nguaranteed if specific hardware instances are compromised or become unavailable.\n• Vendor Dependencies: Current trust models heavily rely on centralized hardware manufacturers\nand verification processes, introducing risks of vendor lock-in and potential censorship vectors.\nThis centralization contradicts Web3’s core principles of decentralization and trustlessness.\n• Incomplete Verifiability: While TEEs provide Remote Attestation capabilities to verify applica-\ntion and hardware identity, they fail to deliver the comprehensive chain of trust required in Zero\nTrust environments. Users need guarantees that programs will process their data as expected\nand cannot be modified without proper authorization—capabilities beyond current attestation\nmechanisms.\nTo bridge this gap between raw TEE technology and Zero Trust requirements, we present Dstack,\na comprehensive framework for confidential containers that introduces three key innovations:\n2\n• Portable Confidential Container: Our architecture enables seamless migration of confidential\nworkloads across different TEE instances and hardware vendors, significantly reducing vendor\nlock-in risks while maintaining robust security guarantees. This innovation directly addresses the\ncensorship vulnerability and vendor dependency limitations by providing hardware abstraction\nand state continuity across heterogeneous TEE environments.\n• Decentralized Code Management: We implement a comprehensive governance framework\nthat leverages smart contracts for transparent and decentralized management of TEE applica-\ntions. This system ensures verifiable deployment and upgrade processes, enforcing the “Code\nis Law” principle by binding application lifecycles to on-chain governance decisions. This inno-\nvation addresses the incomplete verifiability limitation by creating an immutable audit trail of\napplication changes.\n• Verifiable Domain Management: Our novel approach to certificate management ensures that\nconfidential containers can exclusively control domains and provide native HTTPS support to\nTEE applications without relying on centralized authorities. This system serves as a middleware\nbetween TEE applications and existing TLS-based networks, enabling users to establish end-to-\nend encrypted channels to TEE applications without modifications to client software.\nThese innovations are implemented through a cohesive system architecture comprising three core\ncomponents:\n• Dstack-OS: A hardware abstraction layer with a minimized operating system image that elimi-\nnates differences in underlying TEE hardware while reducing the attack surface. This component\nprovides a consistent, secure runtime environment across diverse TEE implementations.\n• Dstack-KMS: A blockchain-controlled key management service that replaces hardware-based\nencryption schemas with an independent service for generating and managing secret keys. This\ncomponent enables secure data migration across TEE instances and supports key rotation to\nprovide forward and backward data secrecy, mitigating the impact of potential TEE compromises.\n• Dstack-Ingress and Dstack-Gateway: Complementary systems providing TEE-controlled domain\nmanagement through different approaches—Dstack-Ingress enables applications to specify cus-\ntom domains with minimal integration requirements, while Dstack-Gateway offers pre-registered\nwildcard domains requiring no application code changes.\nBy addressing the critical limitations of current TEE implementations, Dstack establishes a compre-\nhensive framework that transforms raw TEE technology into a true Zero Trust platform aligned with\nWeb3’s fundamental principles. Our approach not only enhances the security and reliability of confi-\ndential computing but also provides a practical path toward truly decentralized, censorship-resistant\ninfrastructure for next-generation applications.\nThe remainder of this paper details the technical design of Dstack, evaluates its performance and\nsecurity characteristics, and demonstrates how our innovations collectively create a Zero Trust platform\nthat maintains the performance advantages of VM-level TEE solutions while addressing their inherent\nlimitations in Web3 contexts.\n2 System Design\n2.1 Portable Confidential Container\nContainerization has transformed cloud-native application deployment by providing unparalleled porta-\nbility and scalability through effective data separation. These capabilities are particularly critical for\nTrusted Execution Environment (TEE) applications, as they directly address the inherent limitations\noutlined in Section 1:\n• Security Reliability: Containerized applications can be efficiently transferred from compro-\nmised TEE hardware to secure instances, preserving code integrity. Together with our secure\ndata migration mechanism that ensures both forward and backward secrecy, this approach sig-\nnificantly limits privacy leakage risks even when individual TEE instances are compromised.\n3\nFigure 2: The architecture of Dstack, including Dstack-OS and Dstack-KMS. Dstack-OS provides a hardware\nabstraction layer with a minimized operating system image, while Dstack-KMS replaces the hardware-based\ndata encryption keys with a blockchain-controlled key management service. TODO: redraw this to put the\ncomponents into solutions.\n• Censorship Resistance: The architecture’s inherent scalability provides robust defense against\nDenial-of-Service attacks. Additionally, by decoupling data storage from execution environments,\nestablished data availability solutions can be readily integrated to ensure persistent access to\napplication data.\n• Vendor Independence: Our hardware abstraction layer enables confidential containers to\noperate across diverse TEE hardware platforms without modification, eliminating vendor lock-in\nwhile facilitating rapid adoption of emerging TEE technologies as they become available.\nHowever, implementing truly portable confidential containers presents substantial technical chal-\nlenges that differentiate them from conventional containerization. Two fundamental obstacles must be\novercome:\nFirst, existing TEE implementations generate data sealing keys derived from hardware-bound root\nkeys unique to each TEE instance. This architectural design creates an inherent barrier to portability\n— data encrypted by one TEE instance cannot be decrypted by any other, even when running identical\napplication code. Prior research has largely circumvented this limitation by restricting TEEs to state-\nless applications, but this approach severely constrains their utility in complex real-world scenarios.\nSecond, TEE implementations from different vendors impose disparate specifications for deploy-\nable programs. This fragmentation forces developers to create and maintain multiple artifacts across\nplatforms, each requiring separate (and expensive) code reviews to verify functional equivalence — a\nprocess that undermines the trust guarantees central to Web3 applications.\nTo address these challenges comprehensively, we introduce two complementary components: Dstack-\nKMS and Dstack-OS.\n2.1.1 Dstack-KMS: Blockchain-Controlled Secret Derivation\nDstack-KMS is a secret derivation service that fundamentally transforms how encryption keys are\nmanaged in confidential computing environments. Its primary function is to generate a unique and\nstable secret (the Root Key ) for each application based on its code and configurations. This root key\n4\nserves as the foundation for deriving additional application-specific secrets used for data encryption\nand verifiable random number generation.\nUnlike hardware-based encryption approaches, Dstack-KMS deliberately decouples key generation\nfrom specific TEE hardware instances. This architectural decision enables the critical capability of\nencrypted data migration between different TEE instances, with decryption possible after\nproper authorization. This feature is essential for achieving true censorship resistance.\nGiven its position as the root-of-trust for the entire system, the verifiability and availability of\nDstack-KMS are paramount. Unlike previous approaches [?] that assume TEE infallibility, our threat\nmodel explicitly acknowledges that TEEs can be compromised. To address this reality, Dstack-\nKMS implements comprehensive key rotation capabilities that provide both backward and forward\nsecrecy for application data. This ensures that even if a specific TEE hardware instance is compromised,\napplications can be migrated with limited data exposure.\nFigure 3: The key derivation hierarchy of Intel SGX illustrates how conventional TEE implementations bind\nencryption keys to hardware.\nTo understand the limitations of conventional approaches, Figure 3 illustrates the key derivation\nhierarchy in Intel SGX. This design uses a hardware-bound key to both identify the TEE instance (for\nRemote Attestation) and generate encryption keys for data sealing. While this approach effectively\nestablishes hardware identity, it fundamentally undermines censorship resistance:\n• The root key cannot be updated, meaning a compromised TEE with a leaked root key remains\npermanently vulnerable even after patching the underlying vulnerability.\n• Encrypted data becomes intrinsically bound to specific TEE hardware instances, creating single\npoints of failure that contradict Web3’s censorship resistance requirements.\nOur Dstack-KMS addresses these limitations by delegating secret generation to an independent\nservice that ensures encrypted data remains portable across TEE instances.\nAs illustrated in Figure 4, Dstack-KMS comprises an on-chain governance smart contract coupled\nwith an off-chain peer-to-peer network where the actual secret derivation service operates. To ensure\ncomprehensive verifiability of the Dstack-KMS program’s integrity and correctness, we implement a\nmulti-stage verification process:\n1. The Dstack-KMS codebase is fully open-sourced [?], enabling thorough code and security reviews\nto verify key management logic and ensure the absence of backdoors.\n5\nFigure 4: The architecture of Dstack-KMS combines on-chain governance through smart contracts with an\noff-chain P2P network of secret derivation service nodes. This design ensures both verifiability and resilience\nagainst compromise.\n2. Executable binaries are produced through reproducible build processes, allowing verifiers to\nconfirm that the runtime code matches the reviewed source code.\n3. The cryptographic digest of valid executables is published through the governance smart contract,\ncreating an immutable reference for verification.\n4. Each service node operates within its own TEE instance. Critically, we rely on the TEE solely for\nmeasuring the executable and ensuring it matches the on-chain digest—not for the fundamental\nsecurity of the key management process.\nThis verification framework ensures that Dstack-KMS remains trustworthy to any third-party verifier\nwhile avoiding dependency on the absolute security of any single TEE instance.\nThe core logic of each Dstack-KMS service node is intentionally minimalist, focusing exclusively on\nthe generation and secure distribution of the root key, along with deriving encryption keys for TEE\napplications. This simplicity enables the implementation of Multi-Party Computation (MPC) based\nthreshold key generation and derivation without concerning performance overhead. We have developed\ntwo complementary implementations:\n• Simple Duplication: The first node in the P2P network generates a cryptographically secure\nrandom number as the root key, then shares it with other nodes after verifying their attestation\nreports. All nodes maintain identical copies of the root key and derive consistent encryption keys\nfor applications. This approach maximizes availability—as long as at least one node remains\noperational, the root key can be recovered.\n• MPC-Based Key Generation: While simple duplication provides robust availability, it cre-\nates vulnerability to single-node compromises. Our MPC implementation uses Shamir’s Secret\nSharing scheme [?] to distribute the root key across multiple nodes, ensuring that compromising\nany individual node (or even up tot− 1 nodes, wheret is the configured threshold) does not\nexpose the root key. This approach also enables advanced features like key rotation without\nrequiring application reconfiguration.\nKey Derivation Dstack-KMS implements a comprehensive key derivation framework to generate\napplication-specific keys from the root key:\n• Application CA Key: Derived from the root CA key using the application’s unique identifier\n(calculated as the hash of the application’s code and configuration).\n• Disk Encryption Key: Derived using a combination of the application identifier and instance\nidentifier, enabling secure storage with portability.\n6\n• Environment Encryption Key: Derived using the application identifier alone, allowing secure\nenvironment variable management across instances.\n• ECDSA Key: Derived from the root ECDSA key, providing applications with consistent cryp-\ntographic identity for signing operations.\nEach derived key maintains cryptographic isolation while ensuring consistency across different TEE\ninstances running the same application.\nKey Rotation A critical security feature of Dstack-KMS is its support for key rotation, which signif-\nicantly limits the exposure window during potential attacks while ensuring both forward and backward\nsecrecy for sealed data. Key rotation procedures are initiated exclusively through the governance smart\ncontract, ensuring transparency and auditability. We discuss two distinct rotation mechanisms:\n• Root Key Share Rotation: Our MPC-based implementation enables rotation of individual\nkey shares without modifying the root key itself. This process enhances root key security by\nregularly updating the distribution mechanism while remaining transparent to applications, as\nall derived application keys remain unchanged.\n• Root Key Rotation: In scenarios where the root key may have been compromised, we support\ncomplete root key rotation. This process generates an entirely new root key and implements a\ncontrolled handover period during which both old and new keys remain valid. This transition\nwindow allows applications to re-encrypt their data with keys derived from the new root key\nbefore the old root key is permanently destroyed, minimizing service disruption while enhancing\nsecurity.\nThrough these mechanisms, Dstack-KMS provides the foundation for truly portable confidential con-\ntainers by decoupling encryption from hardware dependencies while maintaining robust security guar-\nantees.\n2.1.2 Dstack-OS: Hardware Abstraction Layer\nDstack-OS provides a comprehensive hardware abstraction layer with a minimized operating system\nimage that bridges the gap between application containers and VM-level TEE implementations. This\nlayer enables applications to deploy across diverse TEE environments without code modifications while\nmaintaining security integrity. As a shared component across all TEE applications, Dstack-OS must be\nintrinsically secure and verifiable, with no administrative backdoors that could compromise program\ncode or user data.\nVM-level TEE solutions typically require developers to provide complete system images encom-\npassing bootloader, kernel, operating system, and application components. This requirement not\nonly increases development complexity but also introduces potential security vulnerabilities through\nmisconfigured system components. A secure and properly configured operating system environment\nfundamentally determines the security baseline for all TEE applications built upon it.\nFigure 5 illustrates how Dstack-OS establishes a secure and verifiable startup chain from the TEE\nhardware foundation through to user-provided container images. Our modular design ensures that the\nmajority of the system can be reused across different TEE hardware implementations, substantially\nreducing the effort required for code review and security auditing. Combined with reproducible build\nprocesses, this approach enables comprehensive verification of Dstack-OS with minimal overhead while\nsupporting multiple TEE hardware platforms.\nUsing Intel TDX as an exemplar (with similar procedures applicable to other TEE implementa-\ntions like AMD SEV), Dstack-OS consists of the following components, presented in boot sequence\norder. During this process, each component measures the next one and records these measurements\nin hardware registers, which are ultimately incorporated into the TEE attestation report:\n• Hypervisor: When application deployment initiates, the underlying hypervisor (the TDX mod-\nule) loads the Open Virtual Machine Firmware (OVMF), enabling UEFI support for confidential\nvirtual machines. The TDX module measures the OVMF code and records its cryptographic\ndigest in the MRTD register, with the hypervisor’s integrity guaranteed by the TEE hardware\nitself.\n7\nFigure 5: The architecture of Dstack-OS establishes a secure and verifiable startup chain from TEE hardware\nthrough to user applications.\n• Open Virtual Machine Firmware (OVMF): The OVMF configures virtual machine hard-\nware specifications (CPU, memory, and device configurations) and records the configuration\nmeasurement to the RTMR0 register. It then loads the Linux kernel and records the kernel\nimage measurement to the RTMR1 register.\n• Kernel: The kernel first loads an initial ramdisk (initrd) — a temporary in-memory filesystem\ncontaining minimal command-line tools and disk encryption libraries. The initrd mounts the\nroot filesystem and records this measurement in the RTMR2 register.\n• Root Filesystem: The root filesystem (RootFs) is a read-only environment containing essential\nsystem libraries and tools. It manages the entire lifecycle of deployed applications, measuring\napplication images along with their associated key management system and storing these mea-\nsurements in the RTMR3 register. The RootFs serves two primary functions: (1) providing\nthe runtime environment for user-level container images, and (2) managing application data en-\ncryption. It interfaces with Dstack-KMS to acquire encryption secrets and implements Linux\nUnified Key Setup (LUKS) to encrypt application data in isolated volumes. Data integrity is\nensured through dm-verity, a Merkle-tree-based block-level verification tool. Finally, the RootFs\nconfigures network ingress for the application and initiates execution.\nRather than adapting existing system images, we built Dstack-OS from scratch to ensure only es-\nsential components are included in both the initrd and RootFs. A comprehensive component inventory\nis provided in Appendix ?? for transparency and review. Generally, Dstack-OS includes only basic\nutilities (busybox), filesystem support, and container runtime components. By implementing Docker\nsupport while delegating orchestration to the application level, we maintain a minimal base image\nfootprint.\nTo ensure comprehensive verifiability, Dstack-OS is fully open-sourced and supports reproducible\nbuilds, allowing anyone to review the code and generate identical artifacts for verification. This\napproach provides significant benefits for applications requiring security reviews, as evaluators need\nonly review the application code rather than the entire system image.\nData Backup and Defense against Rollback Attacks A critical challenge in confidential com-\nputing is ensuring data durability and integrity, particularly against rollback attacks where adversaries\nattempt to revert applications to previous states to bypass security checks or reuse expired secrets.\nOur architecture provides robust secure data backup support and implements robust anti-rollback\nmechanisms that application developers can integrate:\n• Secure Backup: Application data is encrypted using keys derived from Dstack-KMS and can\nbe backed up to external storage providers. Since encryption keys are not bound to specific TEE\n8\ninstances, data can be restored on any authorized TEE, supporting true portability and disaster\nrecovery.\n• Monotonic Counters: To prevent rollback attacks, developers can implement monotonic coun-\nters that increment with each critical data update, incorporating the counter value into the en-\ncrypted data. During restoration, applications verify that the counter value equals or exceeds\nthe last known value, preventing replay of outdated snapshots.\nBy combining these techniques, Dstack ensures both the recoverability and integrity of confidential\ndata across portable container migrations and backup scenarios.\nTogether, Dstack-KMS and Dstack-OS provide the foundational infrastructure for truly portable\nconfidential containers that maintain security and integrity across heterogeneous TEE environments\nwhile eliminating vendor lock-in and supporting comprehensive verifiability.\n2.2 Decentralized Code Management\nA core principle of Zero Trust platforms is the enforcement of “Code is Law”, ensuring that application\ncode operates as intended without unexpected modifications. While TEE hardware provides code\nintegrity guarantees during execution, it cannot independently prevent administrators from deploying\nmalicious code or making unauthorized modifications. Conversely, smart contracts have established\nrobust methodologies for implementing programmable governance over code lifecycle management —\nsuch as multi-signature requirements that prevent single-actor manipulation.\nOur decentralized code management framework bridges these two worlds by placing TEE ap-\nplication governance under smart contract control, creating a transparent and auditable system for\napplication deployment and updates that aligns with Web3 principles.\nFigure 6: The architecture of decentralized code management integrates on-chain governance contracts with\noff-chain TEE through Dstack-KMS.\nAs illustrated in Figure 6, our architecture consists of two complementary components: on-chain\ngovernance smart contracts and off-chain TEE execution environments connected through Dstack-\nKMS. This design establishes the on-chain contracts as the definitive root-of-trust for the entire system.\nEvery operation — from initial deployment to code upgrades — must first be initiated and authorized\nthrough the governance contracts before off-chain TEE instances can execute these operations.\nThe governance framework implements a two-tier structure:\n• KmsAuth Contract: Serves as the global authority controlling Dstack-KMS operations. This\ncontract maintains the registry of authorized applications and their governance parameters, en-\nforcing system-wide policies for TEE deployment. By controlling whether Dstack-KMS shares\n9\napplication secrets with specific TEE instances, the KmsAuth contract effectively determines\nwhether applications can decrypt their data, thus controlling their complete lifecycle.\n• AppAuth Contracts: Individual governance contracts deployed for each application that de-\nfine application-specific management rules. These contracts specify permissible code versions\n(through cryptographic hashes), authorized TEE instance identities, and upgrade approval re-\nquirements. This modular approach enables customized governance models ranging from tradi-\ntional multi-signature schemes to complex DAO voting mechanisms, allowing each application\nto implement governance appropriate to its requirements.\nThe enforcement mechanism operates through Dstack-KMS, which will only provide application\nsecrets to TEE instances running code versions explicitly authorized by the governance contracts.\nThis creates a cryptographically enforced governance system where unauthorized code versions cannot\naccess application data, regardless of administrative privileges.\nTo illustrate this mechanism, consider a code upgrade process for an application using a multi-\nsignature AppAuth contract in Figure 6:\n1. Developers publish the new code version and submit its cryptographic hash to the AppAuth\ncontract.\n2. The contract initiates the approval process, requiring signatures from designated key holders\n(e.g., core developers, security auditors, and community representatives).\n3. Each signature is recorded on-chain, creating an immutable audit trail of the approval process.\n4. Once the required signature threshold is reached, the AppAuth contract updates its registry of\nauthorized code versions.\n5. The KmsAuth contract, monitoring the AppAuth contract, updates its authorization records\naccordingly.\n6. Dstack-KMS, which continuously synchronizes with the KmsAuth contract, begins providing\napplication secrets to TEE instances running the newly approved code version.\n7. TEE instances can now deploy the new code with full access to encrypted application data.\nThis process ensures that every code change follows predefined governance rules with complete trans-\nparency. The on-chain approval records create an immutable audit trail that allows users to verify\nthe entire history of application changes, while the cryptographic enforcement through Dstack-KMS\nguarantees that only properly authorized code can access application data.\nBy combining the code integrity guarantees of TEEs with the transparent governance capabilities\nof smart contracts, our decentralized code management framework ensures that applications truly\nembody the ”Code is Law” principle. Every aspect of the application lifecycle—from initial deployment\nto version updates and potential retirement—follows predefined, transparent rules that cannot be\ncircumvented by any single entity, including the platform operators themselves.\n2.3 Verifiable Domain Management\nA complete Zero Trust platform must enable seamless verification for users across both Web3 and\ntraditional Web2 environments. Our Verifiable Domain Management system completes the chain-\nof-trust by allowing standard Web browsers to cryptographically verify TEE applications without\nrequiring any client-side modifications or specialized knowledge.\nThis capability is critical for mainstream adoption, as it allows users to interact with confiden-\ntial applications using familiar tools while maintaining the same security guarantees provided by the\nunderlying TEE infrastructure. We implement this through two complementary components—Dstack-\nIngress and Dstack-Gateway—both leveraging our novel Zero Trust TLS (ZT-TLS) protocol.\nThe fundamental innovation in ZT-TLS is establishing cryptographic proof that a specific TLS\ncertificate (and therefore a domain) is exclusively controlled by a verified TEE application. This\ncreates a verification chain extending from the blockchain to standard HTTPS connections, enabling\nusers to confirm application authenticity through familiar security indicators in their browsers.\n10\nFigure 7: The Zero Trust TLS architecture establishes a cryptographically verifiable connection between\nstandard web browsers and TEE applications through blockchain-anchored certificate management.\n2.3.1 Zero Trust TLS Protocol\nThe ZT-TLS protocol addresses a critical challenge: how to cryptographically bind a domain to a\nspecific TEE application in a way that prevents unauthorized certificate issuance or domain hijacking.\nOur solution integrates three key components:\n• TEE-Generated Certificates: The TEE application (specifically Dstack-Gateway) generates\nits TLS certificate using application secrets derived from Dstack-KMS. This ensures the private\nkey never exists outside the TEE environment and creates a cryptographic link between the\non-chain governance and the TLS certificate.\n• Certificate Authority Authorization (CAA): We leverage DNS CAA records to restrict\nwhich certificate authorities can issue certificates for managed domains. By configuring CAA\nrecords to only authorize certificates from specific issuers (which verify TEE attestation), we\nprevent unauthorized certificate issuance through alternative validation methods.\n• Certificate Transparency (CT) Monitoring: To protect against unauthorized DNS record\nmodifications, we implement continuous monitoring of Certificate Transparency logs. This allows\ndetection of any unauthorized certificates and provides an immutable audit trail of certificate\nissuance history.\n2.3.2 Implementation Components\nWe provide two complementary implementations to accommodate different application requirements:\n• Dstack-Gateway: A fully managed reverse proxy running within a TEE that provides imme-\ndiate domain verification with zero application code changes. Applications register with Dstack-\nGateway through a simple API call, during which Dstack-Gateway verifies the application’s re-\nmote attestation report. Once verified, applications receive a subdomain under a pre-registered\nwildcard domain (e.g., app-id.Dstack.com), with all TLS termination and certificate manage-\nment handled automatically.\n• Dstack-Ingress: A more flexible solution for applications requiring custom domain names.\nDstack-Ingress provides libraries and services that enable applications to manage their own TLS\ncertificates while maintaining the same verification guarantees. This approach requires minimal\nintegration work while supporting application-specific domain requirements.\n11\nBoth implementations ensure that certificates are cryptographically bound to verified TEE environ-\nments, with the verification chain extending from the blockchain governance contracts through to the\nTLS certificates presented to users’ browsers.\n2.3.3 Security Guarantees and Protections\nOur Verifiable Domain Management system provides several critical security guarantees:\n• Certificate Provenance Verification: Users can verify that the TLS certificate presented by\nan application was issued to a legitimate TEE environment by checking the certificate against\non-chain records.\n• Domain Binding Integrity: The combination of CAA records and Certificate Transparency\nmonitoring ensures that domains remain bound to their designated TEE applications, preventing\nunauthorized certificate issuance.\n• Tamper-Evident Certificate Changes: Any unauthorized attempts to modify domain con-\nfigurations or issue alternative certificates are detected through Certificate Transparency moni-\ntoring, with alerts propagated to clients.\nWhile we cannot technically prevent all attacks against centralized DNS infrastructure, our multi-\nlayered approach creates a tamper-evident system where unauthorized changes are quickly detected\nand rejected by client verification processes. This approach aligns with the ”Assume Breach” principle\nby implementing defense-in-depth strategies that maintain security even when individual components\nare compromised.\nBy extending the verification chain from blockchain governance through TEE attestation to stan-\ndard TLS certificates, our Verifiable Domain Management system enables seamless integration of Zero\nTrust applications into existing web infrastructure. This creates a practical path for mainstream\nadoption without requiring specialized knowledge or tools from end users, while maintaining the com-\nprehensive security guarantees that define true Zero Trust platforms.\n3 Verifying TEE Applications: A Practical Walkthrough\nTo demonstrate how Dstack fulfills the Zero Trust principles and addresses the challenges outlined in\nSection 1, we present a practical end-to-end verification scenario. This walkthrough illustrates how\nthe architectural components described in Section 2 work together to provide a comprehensive chain\nof trust for real-world Web3 applications.\nTraditional Zero Trust programs like smart contracts achieve verifiability through transparent\nsource code and inputs. However, extending similar verifiability to real-world applications presents\nunique challenges, particularly in maintaining privacy and compatibility with existing development\npractices. Dstack addresses these challenges through a comprehensive verification framework that\nrequires minimal code changes.\nThis section demonstrates Dstack’s complete chain of trust through a practical example: verifying\nthat a cryptographic key was genuinely generated within a TEE environment. This scenario is es-\npecially relevant for Web3 and AI Agent applications where cryptographic keys establish application\nidentity and authority.\n3.1 Threat Model\nOur verification framework assumes the correct implementation and integrity of core Dstack compo-\nnents (Dstack-OS, Dstack-KMS, Dstack-Gateway, and governance contracts). While these components’\nsecurity guarantees are detailed in later sections, we explicitly consider developers and administrators\nas potential adversaries.\nPotential attack vectors include:\n• Application-Level Attacks\n– Deployment of unauthorized or malicious code through falsified Docker images\n12\n– Introduction of malicious dependencies through supply chain attacks\n– Unauthorized application updates that bypass governance controls\n• Infrastructure-Level Attacks\n– Tampering with Dstack-OS to circumvent security controls\n– Deployment of compromised key management services\n– Operation of unpatched or vulnerable TEE firmware\n– Execution of applications on non-TEE hardware with spoofed attestation\n• Network-Level Attacks\n– DNS hijacking to redirect traffic to unauthorized applications\n– Man-in-the-middle attacks on communication channels\nDirect attacks on TEE hardware security (e.g., exploitation of hardware vulnerabilities) are con-\nsidered out of scope for this discussion and addressed separately.\n3.2 The Reproducibility Challenge\nA fundamental challenge in TEE attestation lies in bridging the gap between source code and the\nactual artifacts (binaries or container images) running inside enclaves. While TEE attestation can\nprove that a specific artifact runs within a secure environment, it cannot independently verify that the\nartifact accurately represents its claimed source code.\nThis limitation creates several security risks:\n• Source Code Manipulation: Developers could intentionally deploy artifacts that differ from\npublicly reviewed source code\n• Build Process Compromise: Supply chain attacks could inject malicious code during artifact\ncreation\n• Toolchain Vulnerabilities: As demonstrated by the Ken Thompson Hack, even compiler\ntoolchains could be compromised to inject malicious behavior\nTEE quotes only attest to measurements (cryptographic hashes) of running artifacts. Without\nguarantees that these artifacts accurately represent reviewed source code, users cannot fully trust ap-\nplications even when running in secure enclaves. This challenge affects all TEE applications, including\nDstack’s core components.\nFigure 8: Comprehensive verification chain from source code to running TEE applications\nEstablishing a complete verification chain requires three key elements:\n13\n• Source Code Verification: Open-source code or trusted third-party review ensuring no back-\ndoors exist\n• Build Process Integrity: Reproducible builds allowing independent verification of artifacts\n• Runtime Attestation: TEE quotes proving that verified artifacts are actually running\nTraditional reproducible builds, while ideal, often introduce significant complexity through special-\nized toolchains and build scripts. The following section introduces an alternative approach, In-CC\nBuild, that achieves similar guarantees with improved practicality.\n3.3 Dstack Component Verifiability\nEach core Dstack component implements specific verifiability mechanisms anchored in transparent,\nimmutable records. Table 1 summarizes these mechanisms:\nComponentSourceBuild MethodRegistryVerification\nDstack-OSOpenReproducibleKmsAuthOS Digest\nDstack-KMSOpenIn-CCKmsAuthImage Hash, Root PubKey\nDstack-GatewayOpenIn-CCAppAuthImage Hash\nTable 1: Verifiability mechanisms and trust anchors for Dstack components\nAll components maintain open-source codebases with comprehensive documentation. Dstack-OS, as\nthe foundational component, undergoes third-party security audits and implements fully reproducible\nbuilds.\nThe governance smart contracts serve as authoritative registries, anchoring each component’s trust\nbase:\n• Dstack-OS digests are registered in KmsAuth and managed through multi-signature governance\n• Dstack-KMS measurements and root public keys are recorded in KmsAuth\n• Dstack-Gateway artifacts are verified through dedicated AppAuth contracts\nIn-ConfidentialContainer Build While reproducible builds represent the gold standard for arti-\nfact verification, they often prove impractical for complex applications. Dstack addresses this through\nIn-CC Build, leveraging the verified Dstack-OS as a trusted foundation. The In-CC Build process\nexecutes entirely within Dstack-OS environment, encompassing code fetching, compilation, and arti-\nfact creation. By specifying precise source references (e.g., a snapshot of the codebase), the system\nproduces verifiable artifacts with measurements attested in TEE quotes. This approach minimizes the\ntrusted computing base while eliminating the complexity of traditional reproducible builds.\n3.4 End-to-End Verification Walkthrough\nFrom a user’s perspective, verifying a TEE application in Dstack requires validating a chain of mea-\nsurements against authoritative registries, encompassing the user application, runtime data, Dstack\ncomponents, and network infrastructure. This section walks through the verification process, demon-\nstrating how each step builds upon the previous one to create a comprehensive chain of trust.\nAs shown in Figure 9, the verification chain begins with the KmsAuth smart contract, which serves\nas the root of trust for the entire system, and concludes with the key generation application running\nin a TEE. We explain the verification steps as follows.\nFirst, the address of the Dstack-KMS governance contract (i.e., KmsAuth) is publicly available.\nThe KMS governance contract serves as the authoritative registry for (1) off-chain KMS nodes and\n(2) dedicated governance contracts (i.e., AppAuth) for TEE applications. It is worth noting that the\nDstack-Gateway can be regarded as a special TEE application that attests and forwards requests to\nother user applications while maintaining consistent verification procedures.\nThe KmsAuth contract records both the measurements of off-chain KMS node programs (KMS\ndigest, which is the hash of the docker compose file and the images used in In-CC Build) and the TDX\n14\nFigure 9: The verification chain from authoritative registries to runtime measurements\nQuote of the first KMS node, which acts as the primary key generator. The identities of subsequent\nKMS nodes must first be registered in KmsAuth and verified by the first KMS node before they\ncan participate in key generation. These data, together with the open-source Dstack-KMS codebase,\nallow users to verify the integrity of the KMS nodes and their code correctness. Subsequently, the\noff-chain KMS nodes can be considered trusted extensions and used to verify Quotes from other TEE\napplications, which cannot be achieved by the on-chain governance contract alone. The off-chain\nKMS nodes are responsible for generating and managing cryptographic keys (i.e., the root key) and\nthe corresponding certificates (explained in Section 2.3.1), which are further used to authorize TEE\napplications after they are verified, thereby avoiding redundant verification.\nSecond, users can verify the validity of Dstack-Gateway. By default, this is delegated to the off-\nchain KMS nodes during gateway registration, although users can always request the Quote of the\ngateway and check the digest of its docker compose file in its governance contract and the codebase.\nAfter the KMS nodes verify the gateway, it will generate its application root key along with a certificate\nchain ending with the root certificate.\nNext, users can access the TEE application through Dstack-Gateway forwarding. In this case, users\neffectively delegate the verification of the key generation application to the gateway. The deployment\nof the key generation application starts from the KmsAuth contract. The deployer first registers it\nand stores the digest (the hash of the docker compose file and the images) on the dedicated AppAuth\ncontract. Then, as in the previous step, the off-chain KMS nodes verify the Quote of the application\nafter it is deployed to the TEE and ensure it matches the registered digest. Only after successful\nverification will the key be generated along with the certificate chain. To be forwarded by the gateway,\nthe application must also register with it. In this case, the gateway verifies the application’s certificate\nchain and ensures it shares the same root certificate, indicating authorization by the same KMS.\nFinally, the user can invoke the application and request proof of the key it generated. The applica-\ntion can generate a Quote on demand, with the generated public key included as custom data in the\nQuote.\n15\n3.5 Security Analysis: Mitigating Threats\nOur key generation example demonstrates Dstack’s comprehensive approach to security across multiple\nattack surfaces. At the application level, the system prevents unauthorized code deployment through\nrigorous measurement verification against the AppAuth registry. The In-CC Build process ensures\nall dependencies originate from verified sources, while any updates require new registry entries and\ncomplete re-verification. It is important to note, however, that code audit and review processes remain\nessential for ensuring application code correctness, as the In-CC Build only guarantees the integrity of\nthe build process.\nInfrastructure security is maintained through multiple mechanisms. TDX Quotes verify Dstack-OS\nintegrity, preventing OS-level tampering. KMS updates require multi-signature governance approval,\nsafeguarding against unauthorized changes to key management services. The Quote verification pro-\ncess includes firmware version validation, ensuring applications run on up-to-date TEE hardware.\nHardware-backed TDX Quotes effectively prevent attestation spoofing attempts.\nNetwork-level threats are mitigated through the certificate chain validation system. This prevents\nboth DNS hijacking and man-in-the-middle attacks by ensuring authentic application identity and\nenabling end-to-end encryption with verified certificates. The combination of these security measures\nensures that cryptographic keys maintain their integrity guarantees even when confronted with sophis-\nticated attacks targeting different system layers.\nReferences\n16"
}
]
},
{
"role": "assistant",
"content": "# Project Proposal Template\n\n## General Information\n1.1. Name of Project\nDstack\n\n1.2. Project Description (what it does, why it is valuable, origin and history)\nDstack is a developer-friendly and security-first SDK that simplifies the deployment of arbitrary containerized applications into Trusted Execution Environments (TEEs). It enables developers to securely deploy containerized applications in TEEs in minutes using familiar tools like docker-compose.yaml. Dstack provides safe management of secrets and sensitive data, along with built-in TLS termination for exposed services.\n\nThe project was built by Kevin Wang and others from Phala Network, inspired by Andrew Miller (Flashbots & Teleport), and has received contributions from Nethermind and many others. Dstack addresses the gap between raw TEE technology and Zero Trust platform requirements by providing portable confidential containers, decentralized code management, and verifiable domain management.\n\n1.3. How does this project align with the Consortium's Mission Statement\n[blank]\n\n1.4. Project website URL\nhttps://docs.phala.network/dstack/overview (inferred from documentation references)\n\n1.5. Social media accounts\n[blank]\n\n## Legal Information\n2.1. Project Logo URL or attachment (Vector Graphic: SVG, EPS).\n[blank]\n\n2.2. Project license. We recommend an OSI-approved license, so if the license is not one on the list, explain why.\nApache License, Version 2.0\n\n2.3. Existing financial sponsorship.\n[blank]\n\n2.4. Trademark status.\n[blank]\n\n## Technical Information\n3.1. High level assessment of project synergy with existing projects under the CCC, including how the project compliments/overlaps with existing projects, and potential ways to harmonize over time. Responses may be included both inline and/or in accompanying documentation.\n[blank]\n\n3.2. Describe the Trusted Computing Base (TCB) of the project. If the project supports multiple environments please describe each TCB. Also identify if dependencies of other project (both CCC or non-CCC) TCBs are taken.\nDstack's TCB includes:\n- Dstack-OS: A minimized operating system image that serves as a hardware abstraction layer\n- OVMF (Open Virtual Machine Firmware): Configures VM hardware specifications\n- Linux kernel with initial ramdisk (initrd)\n- Root filesystem with essential system libraries and tools\n- Intel TDX or equivalent TEE hardware as the foundation\n\nThe system establishes a secure and verifiable startup chain from TEE hardware through to user applications, with each component measuring the next and recording measurements in hardware registers that are incorporated into TEE attestation reports.\n\n3.3. Project Code of Conduct URL. We recommend a Contributor Covenant v2.0 based Code of Conduct, so if the Code of Conduct is not based on that, explain why.\n[blank]\n\n3.4. Source control URL\nhttps://github.com/Dstack-TEE/dstack\n\n3.5. Issue tracker URL\nhttps://github.com/Dstack-TEE/dstack/issues (inferred)\n\n3.6. External dependencies (including licenses, and indicate whether each is a build time or runtime dependency)\n- Intel TDX or equivalent TEE hardware (runtime)\n- Linux kernel (runtime)\n- Docker/container runtime (runtime)\n- Busybox (runtime)\n- LUKS for encryption (runtime)\n- Wireguard-tools (build time)\n- Build-essential, chrpath, diffstat, lz4, xorriso (build time)\n- Rust (build time)\n\n3.7. Standards implemented by the project, if any. Include links to any such standards.\n- TLS/HTTPS for secure communications\n- Certificate Transparency (CT) for certificate monitoring\n- Certificate Authority Authorization (CAA) for domain security\n- Remote Attestation for TEE verification\n\n3.8. Release methodology and mechanics\n[blank]\n\n3.9. Names of initial committers, if different from those submitting proposal\nInitial committers include:\n- Kevin Wang (kvinwang)\n- Shelven Zhou (shelvenzhou)\n- Leechael\n\n3.10. List of project's official communication channels (slack, irc, mailing lists)\n[blank]\n\n3.11. Project Security Response Policy\n[blank]\n\n3.12. Preferred maturity level (Incubation, Graduation, or Emeritus)\n[blank]\n\n3.13. Any additional information the TAC and Board should take into consideration when reviewing your proposal.\nDstack includes several key components:\n- dstack-vmm: Service running on bare TDX host to manage CVMs\n- dstack-gateway: Reverse proxy to forward TLS connections to CVMs\n- dstack-kms: KMS server to generate keys for CVMs\n- dstack-guest-agent: Service in CVM to serve containers' key derivation and attestation requests\n- meta-dstack: Yocto meta layer to build CVM guest images\n\nThe project provides innovative solutions for portable confidential containers, decentralized code management, and verifiable domain management, addressing critical limitations in current TEE implementations for Web3 contexts."
},
{
"role": "user",
"content": "This is the Mission Statement, fill in 1.3 with it\n\n```\nThe purpose of the Confidential Computing Consortium is to raise, budget and spend funds in support of various open source and/or open standards projects relating to:\n\ndefining confidential computing and accelerating acceptance and adoption in the market.\ndeveloping open enterprise-grade building blocks (e.g., open specifications and open source licensed projects), including a Confidential Computing portfolio and development experience, to enable easy development and management of enterprise-grade Confidential Computing applications, and\ndefining foundational services and frameworks that are Confidential Computing aware and minimize the need for trust.\n```"
},
{
"role": "assistant",
"content": "## General Information\n1.3. How does this project align with the Consortium's Mission Statement\nDstack directly aligns with the Confidential Computing Consortium's mission by providing enterprise-grade building blocks for confidential computing applications. It accelerates adoption by making TEE deployment developer-friendly through familiar tools like docker-compose, lowering the barrier to entry. Dstack defines foundational services and frameworks that are Confidential Computing aware through its comprehensive architecture (Dstack-OS, Dstack-KMS, Dstack-Gateway). The project minimizes the need for trust by implementing Zero Trust principles with portable confidential containers, decentralized code management, and verifiable domain management. By enabling seamless deployment of containerized applications in TEEs, Dstack contributes significantly to the development experience and practical adoption of confidential computing in real-world scenarios."
},
{
"role": "user",
"content": "解释下问题3.1"
}
]Response:
问题3.1要求评估项目与CCC(Confidential Computing Consortium)现有项目的协同性,包括项目如何补充或与现有项目重叠,以及随着时间推移可能的协调方式。
这个问题需要:
1. 分析Dstack与CCC现有项目的关系
2. 确定它如何补充现有项目或与之重叠
3. 提出随时间推移可能的协调方式
回答这个问题需要了解CCC当前的项目组合,以及Dstack如何与这些项目互补或重叠,以及未来可能的协作方向。由于提供的资料中没有这方面的具体信息,所以在模板中标记为"[blank]"。
如果要填写这部分,需要详细了解CCC的现有项目,然后分析Dstack的功能与这些项目的关系,以及潜在的协作机会。
Model: claude-3-7-sonnet-202502192025-06-25 13:09:02
Context:
[
{
"role": "user",
"content": [
{
"type": "text",
"text": "Help me fill in the follow template given the project whitepaper and README file.\n\nFor fields with not enough info, leave it \"[blank]\".\n\n```\nProject Proposal Template\n\nGeneral Information\n1.1. Name of Project\n1.2. Project Description (what it does, why it is valuable, origin and history)\n1.3. How does this project align with the Consortium's Mission Statement\n1.4. Project website URL\n1.5. Social media accounts\n\nLegal Information\n2.1. Project Logo URL or attachment (Vector Graphic: SVG, EPS).\n2.2. Project license. We recommend an OSI-approved license, so if the license is not one on the list, explain why.\n2.3. Existing financial sponsorship.\n2.4. Trademark status.\n\nTechnical Information\n3.1. High level assessment of project synergy with existing projects under the CCC, including how the project compliments/overlaps with existing projects, and potential ways to harmonize over time. Responses may be included both inline and/or in accompanying documentation.\n3.2. Describe the Trusted Computing Base (TCB) of the project. If the project supports multiple environments please describe each TCB. Also identify if dependencies of other project (both CCC or non-CCC) TCBs are taken.\n3.3. Project Code of Conduct URL. We recommend a Contributor Covenant v2.0 based Code of Conduct, so if the Code of Conduct is not based on that, explain why.\n3.4. Source control URL\n3.5. Issue tracker URL\n3.6. External dependencies (including licenses, and indicate whether each is a build time or runtime dependency)\n3.7. Standards implemented by the project, if any. Include links to any such standards.\n3.8. Release methodology and mechanics\n3.9. Names of initial committers, if different from those submitting proposal\n3.10. List of project's official communication channels (slack, irc, mailing lists)\n3.11. Project Security Response Policy\n3.12. Preferred maturity level (Incubation, Graduation, or Emeritus) 3.13. Any additional information the TAC and Board should take into consideration when reviewing your proposal.\n```"
},
{
"type": "text",
"text": "README.md\n# Dstack\n\n[](https://deepwiki.com/Dstack-TEE/dstack)\n\nDstack is a **developer friendly** and **security first** SDK to simplify the deployment of arbitrary containerized apps into TEE.\n\nMain features:\n\n- 🔒 Deploy containerized apps securely in TEE in minutes\n- 🛠️ Use familiar tools - just write a docker-compose.yaml\n- 🔑 Safely manage secrets and sensitive data\n- 📡 Expose services via built-in TLS termination\n\nDstack is community driven. Open sourced and built by [Kevin Wang](https://github.com/kvinwang) and many others from [Phala Network](https://github.com/Phala-Network), inspired by [Andrew Miller](https://github.com/amiller) (Flashbots & Teleport), and contributed by [Nethermind](https://github.com/NethermindEth/nethermind) and [many others](#contributors).\n\n![Alt](https://repobeats.axiom.co/api/embed/0a001cc3c1f387fae08172a9e116b0ec367b8971.svg \"Repobeats analytics image\")\n\n# Overview\n\nComponents in Dstack:\n\n- `dstack-vmm`: A service running in bare TDX host to manage CVMs\n- `dstack-gateway`: A reverse proxy to forward TLS connections to CVMs\n- `dstack-kms`: A KMS server to generate keys for CVMs\n- `dstack-guest-agent`: A service running in CVM to serve containers' key derivation and attestation requests\n- `meta-dstack`: A Yocto meta layer to build CVM guest images\n\nThe overall architecture is shown below:\n\n\n# Directory structure\n\n```text\ndstack/\n kms/ A prototype KMS server\n guest-agent/ A service running in CVM to serve containers' key derivation and attestation requests.\n dstack-util/ A CLI tool in the guest setting up the system, getting TDX quote, extending RTMR, generating cert for RA-TLS, etc.\n vmm/ A service running in bare TDX host to manage CVMs\n gateway/ A reverse proxy to forward TLS connections to CVMs\n certbot/ A tool to automatically obtain and renew TLS certificates for dstack-gateway\n ra-rpc/ RA-TLS support for pRPC\n ra-tls/ RA-TLS support library\n tdx-attest/ Guest library for getting TDX quote and extending RTMR\n```\n\n# Build and play locally\n\n## Prerequisites\n\n- A bare metal TDX server setup following [canonical/tdx](https://github.com/canonical/tdx)\n- Public IPv4 address assigned to the machine\n- At least 16GB RAM, 100GB free disk space.\n- A domain with DNS access if you want to set up `dstack-gateway` for Zero Trust HTTPS\n\n> [!NOTE]\n>\n> This doc assumes you have access to a compatible Intel TDX Server ready to be configured with Dstack. Check the [Hardware Requirements](https://docs.phala.network/dstack/hardware-requirements) for more information on buying a bare metal server or renting a server from OVH. To start learning about Dstack check out the [docs](https://docs.phala.network/dstack/overview).\n>\n> If you are looking to deploy a CVM in minutes, go to the docs to learn how to [sign-up for a Phala Cloud Account](https://docs.phala.network/phala-cloud/getting-started/sign-up-for-cloud-account) and [deploy your first CVM on Dstack]((https://docs.phala.network/phala-cloud/getting-started/start-from-cloud-ui)).\n\n## Install dependencies\n\n```bash\n# for Ubuntu 24.04\nsudo apt install -y build-essential chrpath diffstat lz4 wireguard-tools xorriso\n# install rust\ncurl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sh\n```\n\n## Build and run for local development\n\n### Build the artifacts\n```bash\ngit clone https://github.com/Dstack-TEE/meta-dstack.git --recursive\ncd meta-dstack/\n\nmkdir build\ncd build\n../build.sh hostcfg\n# This outputs the following message:\n# Config file ../build-config.sh created, please edit it to configure the build\n\nvim ./build-config.sh\n```\n\nReview and customize the `build-config.sh` configuration file according to your environment requirements. The file contains network ports, domain settings, and other important parameters. Once configured, run the build script again to generate the necessary artifacts:\n\n```bash\n../build.sh hostcfg\n\n# If everything is okay, you should see the built artifacts in the `build` directory.\n$ ls\ncerts images dstack-kms kms.toml run dstack-vmm vmm.toml dstack-gateway gateway.toml\n```\n\n### Download guest image or build guest image from source\n\n```bash\n# This will download the guest image from the release page.\n../build.sh dl 0.5.2\n```\n\nOr build guest image from source:\n\n```bash\n# This will build the guest image from source using the yocto meta layer. This will take a while.\n../build.sh guest\n```\n\n> **Note on Reproducible Builds**: The build command above does not guarantee reproducibility. For reproducible builds across different build environments, please refer to the [reproducible build instructions](https://github.com/Dstack-TEE/meta-dstack?tab=readme-ov-file#reproducible-build-the-guest-image) in the meta-dstack repository.\n\n### Run components\nNow you can open 3 terminals to start the components:\n\n1. Run `./dstack-kms -c kms.toml`\n2. Run `sudo ./dstack-gateway -c gateway.toml`\n3. Run `./dstack-vmm -c vmm.toml`\n\n⚠️ *Warning: this is for local development, and the kms is not secure, so you should not use it in production.*\nFor production, you should follow the [deployment guide](./docs/deployment.md) and read the [security guide](./docs/security-guide/security-guide.md).\n\n## Deploy an App\nOpen the dstack-vmm webpage [http://localhost:9080](http://localhost:9080)(change the port according to your configuration) on your local machine to deploy a `docker-compose.yaml` file:\n\n\n\nAfter the container deployed, it should need some time to start the CVM and the containers. Time would be vary depending on your workload.\n\n- Click the [Logs] button to see the logs of the CVM, you can see if the container is finished starting there.\n\n- Once the container is running, you can click the [Dashboard] button to see some information of the container. And the logs of the containers can be seen in the [Dashboard] page.\n\n \n\n- You can open dstack-gateway's dashboard at [https://localhost:9070](https://localhost:9070) to see the CVM's wireguard ip address, as shown below:\n\n\n\n## Pass Secrets to Apps\nWhen deploying a new App, you can pass private data via Encrypted Environment Variables. These variables can be referenced in the docker-compose.yaml file as shown below:\n\n\n\nThe environment variables will be encrypted in the client-side and decrypted in the CVM before being passed to the containers.\n\n## Access the App\n\nOnce the app is deployed and listening on an HTTP port, you can access the HTTP service via dstack-gateway's public domain. The ingress mapping rules are:\n\n- `<id>[s].<base_domain>` maps to port `80` or `443` if with `s` in the CVM.\n- `<id>-<port>[s].<base_domain>` maps to port `<port>` in the CVM.\n\nFor example, `3327603e03f5bd1f830812ca4a789277fc31f577-8080.app.kvin.wang` maps to port `8080` in the CVM.\n\nWhere the `<id>` can be either the app id or the instance id. If the app id is used, one of the instances will be selected by the load balancer.\nIf the `id-port` part ends with `s`, it means the TLS connection will be passthrough to the app rather than terminating at dstack-gateway.\n\nYou can also ssh into the CVM to inspect more information, if your deployment uses the image `dstack-x.x.x-dev`:\n\n```bash\n# The IP address of the CVM can be found in the dstack-gateway dashboard.\nssh [email protected]\n```\n\n## Getting TDX quote in docker container\n\nTo get a TDX quote within app containers:\n\n1. Mount `/var/run/dstack.sock` to the target container in `docker-compose.yaml`\n\n ```yaml\n version: '3'\n services:\n nginx:\n image: nginx:latest\n volumes:\n - /var/run/dstack.sock:/var/run/dstack.sock\n ports:\n - \"8080:80\"\n restart: always\n ```\n\n2. Execute the quote request command in the container.\n\n ```bash\n # The argument report_data accepts binary data encoding in hex string.\n # The actual report_data passing the to the underlying TDX driver is sha2_256(report_data).\n curl --unix-socket /var/run/dstack.sock http://localhost/GetQuote?report_data=0x1234deadbeef | jq . \n ```\n\n## Container logs\n\nContainer logs can be obtained from the CVM's `dashboard` page or by curl:\n\n```bash\ncurl 'http://<appid>.app.kvin.wang:9090/logs/<container name>?since=0&until=0&follow=true&text=true×tamps=true&bare=true'\n```\n\nReplace `<appid>` and `<container name>` with actual values. Available parameters:\n\n- since=0: Starting Unix timestamp for log retrieval\n- until=0: Ending Unix timestamp for log retrieval\n- follow: Enables continuous log streaming\n- text: Returns human-readable text instead of base64 encoding\n- timestamps: Adds timestamps to each log line\n- bare: Returns the raw log lines without json format\n\nThe response of the RPC looks like:\n```\n$ curl 'http://0.0.0.0:9190/logs/zk-provider-server?text×tamps'\n{\"channel\":\"stdout\",\"message\":\"2024-09-29T03:05:45.209507046Z Initializing Rust backend...\\n\"}\n{\"channel\":\"stdout\",\"message\":\"2024-09-29T03:05:45.209543047Z Calling Rust function: init\\n\"}\n{\"channel\":\"stdout\",\"message\":\"2024-09-29T03:05:45.209544957Z [2024-09-29T03:05:44Z INFO rust_prover] Initializing...\\n\"}\n{\"channel\":\"stdout\",\"message\":\"2024-09-29T03:05:45.209546381Z [2024-09-29T03:05:44Z INFO rust_prover::groth16] Starting setup process\\n\"}\n```\n\n## TLS Passthrough with Custom Domain\n\ndstack-gateway supports TLS passthrough for custom domains.\n\nSee the example [here](https://github.com/Dstack-TEE/dstack-examples/tree/main/custom-domain/dstack-ingress) for more details.\n\n## Upgrade an App\n\nGot to the dstack-vmm webpage, click the [Upgrade] button, select or paste the compose file you want to upgrade to, and click the [Upgrade] button again.\nThe app id does not change after the upgrade. Stop and start the app to apply the upgrade.\n\n## HTTPS Certificate Transparency\n\nIn the tutorial above, we used a TLS certificate with a private key external to the TEE. To establish trust, we need to generate and maintain the certificate's private key within the TEE and provide evidence that all TLS certificates for the domain were originate solely from dstack-gateway CVM.\n\nBy combining Certificate Transparency Logs and CAA DNS records, we can make best effort to minimize security risks. Here's our approach:\n\n- Set CAA records to allow only the account created in dstack-gateway CVM to request Certificates.\n- Launch a program to monitor Certificate Transparency Log and give alarm once any certificate issued to a pubkey that isn’t generated by dstack-gateway CVM.\n\n### Configurations\n\nTo launch Certbot, you need to own a domain hosted on Cloudflare. Obtain an API token with DNS operation permissions from the Cloudflare dashboard. Configure it in the `build-config.sh`:\n\n```bash\n# The directory to store the auto obtained TLS certificate and key\nGATEWAY_CERT=${CERBOT_WORKDIR}/live/cert.pem\nGATEWAY_KEY=${CERBOT_WORKDIR}/live/key.pem\n\n# for certbot\nCF_ZONE_ID=cc0a40...\nCF_API_TOKEN=g-DwMH...\n# ACME_URL=https://acme-v02.api.letsencrypt.org/directory\nACME_URL=https://acme-staging-v02.api.letsencrypt.org/directory\n```\n\nThen re-run the ../build.sh:\n\n```bash\n../build.sh\n```\n\n### Launch certbot\n\nThen run the certbot in the `build/` and you will see the following log:\n```text\n$ RUST_LOG=info,certbot=debug ./certbot renew -c certbot.toml\n2024-10-25T07:41:00.682990Z INFO certbot::bot: creating new ACME account\n2024-10-25T07:41:00.869246Z INFO certbot::bot: created new ACME account: https://acme-staging-v02.api.letsencrypt.org/acme/acct/168601853\n2024-10-25T07:41:00.869270Z INFO certbot::bot: setting CAA records\n2024-10-25T07:41:00.869276Z DEBUG certbot::acme_client: setting guard CAA records for app.kvin.wang\n2024-10-25T07:41:01.740767Z DEBUG certbot::acme_client: removing existing CAA record app.kvin.wang 0 issuewild \"letsencrypt.org;validationmethods=dns-01;accounturi=https://acme-staging-v02.api.letsencrypt.org/acme/acct/168578683\"\n2024-10-25T07:41:01.991298Z DEBUG certbot::acme_client: removing existing CAA record app.kvin.wang 0 issue \"letsencrypt.org;validationmethods=dns-01;accounturi=https://acme-staging-v02.api.letsencrypt.org/acme/acct/168578683\"\n2024-10-25T07:41:02.216751Z DEBUG certbot::acme_client: setting CAA records for app.kvin.wang, 0 issue \"letsencrypt.org;validationmethods=dns-01;accounturi=https://acme-staging-v02.api.letsencrypt.org/acme/acct/168601853\"\n2024-10-25T07:41:02.424217Z DEBUG certbot::acme_client: setting CAA records for app.kvin.wang, 0 issuewild \"letsencrypt.org;validationmethods=dns-01;accounturi=https://acme-staging-v02.api.letsencrypt.org/acme/acct/168601853\"\n2024-10-25T07:41:02.663824Z DEBUG certbot::acme_client: removing guard CAA records for app.kvin.wang\n2024-10-25T07:41:03.095564Z DEBUG certbot::acme_client: generating new cert key pair\n2024-10-25T07:41:03.095678Z DEBUG certbot::acme_client: requesting new certificates for *.app.kvin.wang\n2024-10-25T07:41:03.095699Z DEBUG certbot::acme_client: creating new order\n2024-10-25T07:41:03.250382Z DEBUG certbot::acme_client: order is pending, waiting for authorization\n2024-10-25T07:41:03.283600Z DEBUG certbot::acme_client: creating dns record for app.kvin.wang\n2024-10-25T07:41:04.027882Z DEBUG certbot::acme_client: challenge not found, waiting 500ms tries=2 domain=\"_acme-challenge.app.kvin.wang\"\n2024-10-25T07:41:04.600711Z DEBUG certbot::acme_client: challenge not found, waiting 1s tries=3 domain=\"_acme-challenge.app.kvin.wang\"\n2024-10-25T07:41:05.642300Z DEBUG certbot::acme_client: challenge not found, waiting 2s tries=4 domain=\"_acme-challenge.app.kvin.wang\"\n2024-10-25T07:41:07.715947Z DEBUG certbot::acme_client: challenge not found, waiting 4s tries=5 domain=\"_acme-challenge.app.kvin.wang\"\n2024-10-25T07:41:11.724831Z DEBUG certbot::acme_client: challenge not found, waiting 8s tries=6 domain=\"_acme-challenge.app.kvin.wang\"\n2024-10-25T07:41:19.815990Z DEBUG certbot::acme_client: challenge not found, waiting 16s tries=7 domain=\"_acme-challenge.app.kvin.wang\"\n2024-10-25T07:41:35.852790Z DEBUG certbot::acme_client: setting challenge ready for https://acme-staging-v02.api.letsencrypt.org/acme/chall-v3/14584884443/mQ-I2A\n2024-10-25T07:41:35.934425Z DEBUG certbot::acme_client: challenges are ready, waiting for order to be ready\n2024-10-25T07:41:37.972434Z DEBUG certbot::acme_client: order is ready, uploading csr\n2024-10-25T07:41:38.052901Z DEBUG certbot::acme_client: order is processing, waiting for challenge to be accepted\n2024-10-25T07:41:40.088190Z DEBUG certbot::acme_client: order is valid, getting certificate\n2024-10-25T07:41:40.125988Z DEBUG certbot::acme_client: removing dns record 6ab5724e8fa7e3e8f14e93333a98866a\n2024-10-25T07:41:40.377379Z DEBUG certbot::acme_client: stored new cert in /home/kvin/codes/meta-dstack/dstack/build/run/certbot/backup/2024-10-25T07:41:40.377174477Z\n2024-10-25T07:41:40.377472Z INFO certbot::bot: checking if certificate needs to be renewed\n2024-10-25T07:41:40.377719Z DEBUG certbot::acme_client: will expire in Duration { seconds: 7772486, nanoseconds: 622281542 }\n2024-10-25T07:41:40.377752Z INFO certbot::bot: certificate /home/kvin/codes/meta-dstack/dstack/build/run/certbot/live/cert.pem is up to date\n```\n\nWhere the command did are:\n\n- Registered to letsencrypt and got a new account `https://acme-staging-v02.api.letsencrypt.org/acme/acct/168601853`\n- Auto set CAA records for the domain on cloudflare, you can open the CF dashboard to see the record:\n\n \n\n- Auto requested a new certificate from Let's Encrypt. Automatically renews the certificate to maintain its validity\n\n### Launch dstack-gateway\n\nExecute dstack-gateway with `sudo ./dstack-gateway -c gateway.toml`, then access the web portal to check the dstack-gateway CVM managed Let's Encrypt account. The account's private key remains securely sealed within the TEE.\n\n\n\n## Certificate transparency log monitor\n\nTo enhance security, we've limited TLS certificate issuance to dstack-gateway via CAA records. However, since these records can be modified through Cloudflare's domain management, we need to implement global CA certificate monitoring to maintain security oversight.\n\n`ct_monitor` tracks Certificate Transparency logs via [https://crt.sh](https://crt.sh/?q=app.kvin.wang), comparing their public key with the ones got from dstack-gateway RPC. It immediately alerts when detecting unauthorized certificates not issued through dstack-gateway:\n\n```text\n$ ./ct_monitor -t https://localhost:9010/prpc -d app.kvin.wang\n2024-10-25T08:12:11.366463Z INFO ct_monitor: monitoring app.kvin.wang...\n2024-10-25T08:12:11.366488Z INFO ct_monitor: fetching known public keys from https://localhost:9010/prpc\n2024-10-25T08:12:11.566222Z INFO ct_monitor: got 2 known public keys\n2024-10-25T08:12:13.142122Z INFO ct_monitor: ✅ checked log id=14705660685\n2024-10-25T08:12:13.802573Z INFO ct_monitor: ✅ checked log id=14705656674\n2024-10-25T08:12:14.494944Z ERROR ct_monitor: ❌ error in CTLog { id: 14666084839, issuer_ca_id: 295815, issuer_name: \"C=US, O=Let's Encrypt, CN=R11\", common_name: \"kvin.wang\", name_value: \"*.app.kvin.wang\", not_before: \"2024-09-24T02:23:15\", not_after: \"2024-12-23T02:23:14\", serial_number: \"03ae796f56a933c8ff7e32c7c0d662a253d4\", result_count: 1, entry_timestamp: \"2024-09-24T03:21:45.825\" }\n2024-10-25T08:12:14.494998Z ERROR ct_monitor: error: certificate has issued to unknown pubkey: 30820122300d06092a864886f70d01010105000382010f003082010a02820101009de65c767caf117880626d1acc1ee78f3c6a992e3fe458f34066f92812ac550190a67e49ebf4f537003c393c000a8ec3e114da088c0cb02ffd0881fd39a2b32cc60d2e9989f0efab3345bee418262e0179d307d8d361fd0837f85d17eab92ec6f4126247e614aa01f4efcc05bc6303a8be68230f04326c9e85406fc4d234e9ce92089253b11d002cdf325582df45d5da42981cd546cbd2e9e49f0fa6636e747a345aaf8cefa02556aa258e1f7f90906be8fe51567ac9626f35bc46837e4f3203387fee59c71cea400000007c24e7537debc1941b36ff1612990233e4c219632e35858b1771f17a71944adf6c657dd7303583e3aeed199bd36a3152f49980f4f30203010001\n```\n\n# Troubleshooting\n\n### Error from dstack-vmm: qemu-system-x86_64: -device vhost-vsock-pci,guest-cid=<id>: vhost-vsock: unable to set guest cid: Address already in use\n\n`dstack-vmm` may throw this error when creating a new VM if the [Unix Socket CID](https://man7.org/linux/man-pages/man7/vsock.7.html) is occupied. To solve the problem, first, you should list the occupied CID:\n\n```bash\nps aux | grep 'guest-cid='\n```\n\nThen choose a new range of the CID not conflicting with the CID in use. You can change `build/vmm.toml` file and restart `dstack-vmm`. This error should disappear. For example, you may find 33000-34000 free to use:\n\n```toml\n[cvm]\ncid_start = 33000\ncid_pool_size = 1000\n```\n\nWhen building the dstack from scratch, you should change the CID configs in `build-config.sh` instead, because `vmm.toml` file is generated by `build.sh`. Its content is derived from `build-config.sh`.\n\nYou may encounter this problem when upgrading from an older version of dstack, because CID was introduced in `build-config.sh` in later versions. In such case, please follow the docs to add the missing entries in `build-config.sh` and rebuild dstack.\n\n### Error: Operation not permitted when building guest image\n\nWhen running `../build.sh guest`, you might encounter this error:\n\n```\nTraceback (most recent call last):\n File \"/meta-dstack/poky/bitbake/bin/bitbake-worker\", line 278, in child\n bb.utils.disable_network(uid, gid)\n File \"/meta-dstack/poky/bitbake/lib/bb/utils.py\", line 1696, in disable_network\n with open(\"/proc/self/uid_map\", \"w\") as f:\nPermissionError: [Errno 1] Operation not permitted\n```\n\nThis error occurs because Ubuntu 23.10 and later versions restrict unprivileged user namespaces by default. To fix this, run:\n\n```bash\nsudo sysctl kernel.apparmor_restrict_unprivileged_userns=0\n```\n\nThen try building again. For more information about this restriction, see the [Ubuntu discourse post](https://discourse.ubuntu.com/t/spec-unprivileged-user-namespace-restrictions-via-apparmor-in-ubuntu-23-10/37626).\n\n\n# Contributors\n\nDstack is proudly built by open source and Pi-rateship contributors:\n\n- Phala Network: [Kevin Wang](https://github.com/kvinwang), [Shelven Zhou](https://github.com/shelvenzhou), [Leechael](https://github.com/leechael)\n- Teleport: [Andrew Miller](https://github.com/amiller), [Sxy Sun](https://github.com/sxysun)\n- Flashbots: [Tina](https://github.com/CarboClanC), [Mateusz](https://github.com/Ruteri), [Dmarz](https://github.com/dmarzzz), [Moe](https://github.com/MoeMahhouk)\n- Ithaca: [Georgios](https://github.com/gakonst)\n- Fabric: [@gaoist](https://x.com/gaoist)\n- And many more...\n\nThe inspiration for this work stems from [Andrew Miller](https://github.com/amiller)’s pioneering concept of a [Docker-based P2P TEE SDK](https://collective.flashbots.net/t/dstack-speedrunning-a-p2p-confidential-vm/3876).\n\nThis project cannot be built without standing on the shoulders of giants:\n\n- [konvera/meta-confidential-compute](https://github.com/konvera/meta-confidential-compute)\n\nSpecial acknowledgment to [Flashbots](https://github.com/flashbots) for building a community around TEE. The TEE Hacker House initiative, organized by [Flashbots](https://github.com/flashbots) and led by [Tina](https://github.com/CarboClanC), has brought together TEE builders to develop tools for TEE-Web3 integration. This collaborative journey has generated invaluable insights for advancing secure, confidential environments within Web3.\n\nTogether, we’re shaping the future of TEE in Web3, paving the way for more secure and developer-accessible confidential computing!\n\nFor a full list of the direct contributors to this repo, see [Contributors](https://github.com/Dstack-TEE/dstack/contributors) on GitHub.\n\n\n# License\n\nCopyright 2024 Phala Network and Contributors.\n\nLicensed under the Apache License, Version 2.0 (the \"License\"); you may not use this file except in compliance with the License. You may obtain a copy of the License at\n\n[http://www.apache.org/licenses/LICENSE-2.0](http://www.apache.org/licenses/LICENSE-2.0)"
},
{
"type": "text",
"text": "main.pdf\nDstack: A Zero Trust Framework for Confidential Containers\nJune 23, 2025\nAbstract\nWeb3 applications require execution platforms that maintain confidentiality and integrity with-\nout relying on centralized trust authorities. While Trusted Execution Environments (TEEs) offer\npromising capabilities for confidential computing, current implementations face significant limita-\ntions in security reliability, censorship resistance, and vendor independence when applied to Web3\ncontexts. This paper presents Dstack, a comprehensive framework that transforms raw TEE tech-\nnology into a true Zero Trust platform aligned with Web3 principles. We introduce three key\ninnovations: (1) Portable Confidential Containers that enable seamless workload migration across\nheterogeneous TEE environments while maintaining security guarantees, (2) Decentralized Code\nManagement that leverages smart contracts for transparent governance of TEE applications, and\n(3) Verifiable Domain Management that ensures secure and verifiable application identity without\ncentralized authorities. Through these innovations, implemented via Dstack-OS, Dstack-KMS, and\nDstack-Gateway components, we demonstrate how to achieve both the performance advantages of\nVM-level TEE solutions and the trustless guarantees required by Web3 applications. Our evalu-\nation shows that Dstack provides comprehensive security guarantees while maintaining practical\nusability for real-world applications.\n1 Introduction\nThe Web3 ecosystem represents a paradigm shift in digital trust models, fundamentally transforming\nthe relationship between users and application developers. Unlike traditional systems, Web3 empowers\nusers with unprecedented control over their data through the principle of ”Code is Law” - once deployed,\ncode operates autonomously and independently of external control. This transformation demands\nrobust execution platforms that maintain confidentiality and integrity without relying on centralized\ntrust authorities.\nFigure 1: The evolution of trust models from Web2 to Web3, highlighting the shift from centralized control\nto decentralized governance and execution.\nThe contrast between Web2 and Web3 architectures in Figure 1 illustrates this fundamental shift.\nIn Web2 systems, developers maintain complete control through proprietary applications and central-\nized servers, retaining administrative privileges to access and modify user data at will. Web3’s smart\n1\ncontracts, however, represent the first significant step toward true trustlessness by executing pro-\ngrams on decentralized platforms (blockchains). Once deployed, administrators cannot influence pro-\ngram execution, and lifecycle management (e.g., code updates) follows predefined agreements through\ndemocratic governance mechanisms like multi-signature wallets and Decentralized Autonomous Orga-\nnizations (DAOs). This emerging trust model extends beyond basic applications to mission-critical\nscenarios such as AI model training, where data providers and model developers often have competing\ninterests, and autonomous AI agents designed to operate independently of human intervention. In\nthese contexts, Zero Trust platforms become essential to host applications and enforce verification\nmechanisms that appropriately constrain developer authority.\nA Zero Trust platform must enforce the following key principles:\n• Code is Law: This manifests in two dimensions: (1) the application logic, once deployed, cannot\nbe changed unexpectedly; and (2) the lifecycle management of code—including deployment,\nupgrades, and deletion—follows predefined governance rules.\n• Censorship Resistance: User data remains beyond the control of any single entity, with data\navailability protected against Denial-of-Service attacks.\n• Full Chain-of-Trust: When users interact with applications on a Zero Trust platform, they\nmust be able to verify all aspects of that application, including network setup, application identity\nand code logic, underlying hardware, and execution environment.\n• Assume Breach: The platform operates under the assumption that compromises will occur,\nimplementing mechanisms for damage containment, rapid recovery, and minimization of data\nexposure during security incidents.\nConfidential Computing, particularly through Trusted Execution Environments (TEEs), has emerged\nas a promising foundation for extending blockchain capabilities to support complex computational tasks\nwith confidentiality guarantees. Recent advances in VM-level TEE solutions, including Intel TDX and\nAMD SEV, have demonstrated substantial performance improvements and developer-friendly inter-\nfaces, making them compelling candidates for Web3 deployment. The integration of GPUs within\nTEEs [?] now enables verifiable execution of both Large Language Models and AI agents, providing\ncryptographic guarantees of computational integrity.\nHowever, a significant gap exists between raw TEE technology and the requirements of a true Zero\nTrust platform. Current TEE implementations face several critical limitations when applied to Web3\ncontexts:\n• Security Reliability: Recent vulnerability discoveries in TEE systems have raised significant con-\ncerns about their effectiveness as trust anchors. The persistence of side-channel attacks and\nmicro-architectural vulnerabilities undermines confidence in TEE security guarantees, particu-\nlarly for high-value Web3 applications where a single compromise could lead to catastrophic data\nexposure.\n• Censorship Vulnerability: Conventional TEE encryption schemes bind encryption keys to spe-\ncific hardware instances, creating single points of failure that contradict Web3’s requirement\nfor censorship resistance. This architectural limitation means that data availability cannot be\nguaranteed if specific hardware instances are compromised or become unavailable.\n• Vendor Dependencies: Current trust models heavily rely on centralized hardware manufacturers\nand verification processes, introducing risks of vendor lock-in and potential censorship vectors.\nThis centralization contradicts Web3’s core principles of decentralization and trustlessness.\n• Incomplete Verifiability: While TEEs provide Remote Attestation capabilities to verify applica-\ntion and hardware identity, they fail to deliver the comprehensive chain of trust required in Zero\nTrust environments. Users need guarantees that programs will process their data as expected\nand cannot be modified without proper authorization—capabilities beyond current attestation\nmechanisms.\nTo bridge this gap between raw TEE technology and Zero Trust requirements, we present Dstack,\na comprehensive framework for confidential containers that introduces three key innovations:\n2\n• Portable Confidential Container: Our architecture enables seamless migration of confidential\nworkloads across different TEE instances and hardware vendors, significantly reducing vendor\nlock-in risks while maintaining robust security guarantees. This innovation directly addresses the\ncensorship vulnerability and vendor dependency limitations by providing hardware abstraction\nand state continuity across heterogeneous TEE environments.\n• Decentralized Code Management: We implement a comprehensive governance framework\nthat leverages smart contracts for transparent and decentralized management of TEE applica-\ntions. This system ensures verifiable deployment and upgrade processes, enforcing the “Code\nis Law” principle by binding application lifecycles to on-chain governance decisions. This inno-\nvation addresses the incomplete verifiability limitation by creating an immutable audit trail of\napplication changes.\n• Verifiable Domain Management: Our novel approach to certificate management ensures that\nconfidential containers can exclusively control domains and provide native HTTPS support to\nTEE applications without relying on centralized authorities. This system serves as a middleware\nbetween TEE applications and existing TLS-based networks, enabling users to establish end-to-\nend encrypted channels to TEE applications without modifications to client software.\nThese innovations are implemented through a cohesive system architecture comprising three core\ncomponents:\n• Dstack-OS: A hardware abstraction layer with a minimized operating system image that elimi-\nnates differences in underlying TEE hardware while reducing the attack surface. This component\nprovides a consistent, secure runtime environment across diverse TEE implementations.\n• Dstack-KMS: A blockchain-controlled key management service that replaces hardware-based\nencryption schemas with an independent service for generating and managing secret keys. This\ncomponent enables secure data migration across TEE instances and supports key rotation to\nprovide forward and backward data secrecy, mitigating the impact of potential TEE compromises.\n• Dstack-Ingress and Dstack-Gateway: Complementary systems providing TEE-controlled domain\nmanagement through different approaches—Dstack-Ingress enables applications to specify cus-\ntom domains with minimal integration requirements, while Dstack-Gateway offers pre-registered\nwildcard domains requiring no application code changes.\nBy addressing the critical limitations of current TEE implementations, Dstack establishes a compre-\nhensive framework that transforms raw TEE technology into a true Zero Trust platform aligned with\nWeb3’s fundamental principles. Our approach not only enhances the security and reliability of confi-\ndential computing but also provides a practical path toward truly decentralized, censorship-resistant\ninfrastructure for next-generation applications.\nThe remainder of this paper details the technical design of Dstack, evaluates its performance and\nsecurity characteristics, and demonstrates how our innovations collectively create a Zero Trust platform\nthat maintains the performance advantages of VM-level TEE solutions while addressing their inherent\nlimitations in Web3 contexts.\n2 System Design\n2.1 Portable Confidential Container\nContainerization has transformed cloud-native application deployment by providing unparalleled porta-\nbility and scalability through effective data separation. These capabilities are particularly critical for\nTrusted Execution Environment (TEE) applications, as they directly address the inherent limitations\noutlined in Section 1:\n• Security Reliability: Containerized applications can be efficiently transferred from compro-\nmised TEE hardware to secure instances, preserving code integrity. Together with our secure\ndata migration mechanism that ensures both forward and backward secrecy, this approach sig-\nnificantly limits privacy leakage risks even when individual TEE instances are compromised.\n3\nFigure 2: The architecture of Dstack, including Dstack-OS and Dstack-KMS. Dstack-OS provides a hardware\nabstraction layer with a minimized operating system image, while Dstack-KMS replaces the hardware-based\ndata encryption keys with a blockchain-controlled key management service. TODO: redraw this to put the\ncomponents into solutions.\n• Censorship Resistance: The architecture’s inherent scalability provides robust defense against\nDenial-of-Service attacks. Additionally, by decoupling data storage from execution environments,\nestablished data availability solutions can be readily integrated to ensure persistent access to\napplication data.\n• Vendor Independence: Our hardware abstraction layer enables confidential containers to\noperate across diverse TEE hardware platforms without modification, eliminating vendor lock-in\nwhile facilitating rapid adoption of emerging TEE technologies as they become available.\nHowever, implementing truly portable confidential containers presents substantial technical chal-\nlenges that differentiate them from conventional containerization. Two fundamental obstacles must be\novercome:\nFirst, existing TEE implementations generate data sealing keys derived from hardware-bound root\nkeys unique to each TEE instance. This architectural design creates an inherent barrier to portability\n— data encrypted by one TEE instance cannot be decrypted by any other, even when running identical\napplication code. Prior research has largely circumvented this limitation by restricting TEEs to state-\nless applications, but this approach severely constrains their utility in complex real-world scenarios.\nSecond, TEE implementations from different vendors impose disparate specifications for deploy-\nable programs. This fragmentation forces developers to create and maintain multiple artifacts across\nplatforms, each requiring separate (and expensive) code reviews to verify functional equivalence — a\nprocess that undermines the trust guarantees central to Web3 applications.\nTo address these challenges comprehensively, we introduce two complementary components: Dstack-\nKMS and Dstack-OS.\n2.1.1 Dstack-KMS: Blockchain-Controlled Secret Derivation\nDstack-KMS is a secret derivation service that fundamentally transforms how encryption keys are\nmanaged in confidential computing environments. Its primary function is to generate a unique and\nstable secret (the Root Key ) for each application based on its code and configurations. This root key\n4\nserves as the foundation for deriving additional application-specific secrets used for data encryption\nand verifiable random number generation.\nUnlike hardware-based encryption approaches, Dstack-KMS deliberately decouples key generation\nfrom specific TEE hardware instances. This architectural decision enables the critical capability of\nencrypted data migration between different TEE instances, with decryption possible after\nproper authorization. This feature is essential for achieving true censorship resistance.\nGiven its position as the root-of-trust for the entire system, the verifiability and availability of\nDstack-KMS are paramount. Unlike previous approaches [?] that assume TEE infallibility, our threat\nmodel explicitly acknowledges that TEEs can be compromised. To address this reality, Dstack-\nKMS implements comprehensive key rotation capabilities that provide both backward and forward\nsecrecy for application data. This ensures that even if a specific TEE hardware instance is compromised,\napplications can be migrated with limited data exposure.\nFigure 3: The key derivation hierarchy of Intel SGX illustrates how conventional TEE implementations bind\nencryption keys to hardware.\nTo understand the limitations of conventional approaches, Figure 3 illustrates the key derivation\nhierarchy in Intel SGX. This design uses a hardware-bound key to both identify the TEE instance (for\nRemote Attestation) and generate encryption keys for data sealing. While this approach effectively\nestablishes hardware identity, it fundamentally undermines censorship resistance:\n• The root key cannot be updated, meaning a compromised TEE with a leaked root key remains\npermanently vulnerable even after patching the underlying vulnerability.\n• Encrypted data becomes intrinsically bound to specific TEE hardware instances, creating single\npoints of failure that contradict Web3’s censorship resistance requirements.\nOur Dstack-KMS addresses these limitations by delegating secret generation to an independent\nservice that ensures encrypted data remains portable across TEE instances.\nAs illustrated in Figure 4, Dstack-KMS comprises an on-chain governance smart contract coupled\nwith an off-chain peer-to-peer network where the actual secret derivation service operates. To ensure\ncomprehensive verifiability of the Dstack-KMS program’s integrity and correctness, we implement a\nmulti-stage verification process:\n1. The Dstack-KMS codebase is fully open-sourced [?], enabling thorough code and security reviews\nto verify key management logic and ensure the absence of backdoors.\n5\nFigure 4: The architecture of Dstack-KMS combines on-chain governance through smart contracts with an\noff-chain P2P network of secret derivation service nodes. This design ensures both verifiability and resilience\nagainst compromise.\n2. Executable binaries are produced through reproducible build processes, allowing verifiers to\nconfirm that the runtime code matches the reviewed source code.\n3. The cryptographic digest of valid executables is published through the governance smart contract,\ncreating an immutable reference for verification.\n4. Each service node operates within its own TEE instance. Critically, we rely on the TEE solely for\nmeasuring the executable and ensuring it matches the on-chain digest—not for the fundamental\nsecurity of the key management process.\nThis verification framework ensures that Dstack-KMS remains trustworthy to any third-party verifier\nwhile avoiding dependency on the absolute security of any single TEE instance.\nThe core logic of each Dstack-KMS service node is intentionally minimalist, focusing exclusively on\nthe generation and secure distribution of the root key, along with deriving encryption keys for TEE\napplications. This simplicity enables the implementation of Multi-Party Computation (MPC) based\nthreshold key generation and derivation without concerning performance overhead. We have developed\ntwo complementary implementations:\n• Simple Duplication: The first node in the P2P network generates a cryptographically secure\nrandom number as the root key, then shares it with other nodes after verifying their attestation\nreports. All nodes maintain identical copies of the root key and derive consistent encryption keys\nfor applications. This approach maximizes availability—as long as at least one node remains\noperational, the root key can be recovered.\n• MPC-Based Key Generation: While simple duplication provides robust availability, it cre-\nates vulnerability to single-node compromises. Our MPC implementation uses Shamir’s Secret\nSharing scheme [?] to distribute the root key across multiple nodes, ensuring that compromising\nany individual node (or even up tot− 1 nodes, wheret is the configured threshold) does not\nexpose the root key. This approach also enables advanced features like key rotation without\nrequiring application reconfiguration.\nKey Derivation Dstack-KMS implements a comprehensive key derivation framework to generate\napplication-specific keys from the root key:\n• Application CA Key: Derived from the root CA key using the application’s unique identifier\n(calculated as the hash of the application’s code and configuration).\n• Disk Encryption Key: Derived using a combination of the application identifier and instance\nidentifier, enabling secure storage with portability.\n6\n• Environment Encryption Key: Derived using the application identifier alone, allowing secure\nenvironment variable management across instances.\n• ECDSA Key: Derived from the root ECDSA key, providing applications with consistent cryp-\ntographic identity for signing operations.\nEach derived key maintains cryptographic isolation while ensuring consistency across different TEE\ninstances running the same application.\nKey Rotation A critical security feature of Dstack-KMS is its support for key rotation, which signif-\nicantly limits the exposure window during potential attacks while ensuring both forward and backward\nsecrecy for sealed data. Key rotation procedures are initiated exclusively through the governance smart\ncontract, ensuring transparency and auditability. We discuss two distinct rotation mechanisms:\n• Root Key Share Rotation: Our MPC-based implementation enables rotation of individual\nkey shares without modifying the root key itself. This process enhances root key security by\nregularly updating the distribution mechanism while remaining transparent to applications, as\nall derived application keys remain unchanged.\n• Root Key Rotation: In scenarios where the root key may have been compromised, we support\ncomplete root key rotation. This process generates an entirely new root key and implements a\ncontrolled handover period during which both old and new keys remain valid. This transition\nwindow allows applications to re-encrypt their data with keys derived from the new root key\nbefore the old root key is permanently destroyed, minimizing service disruption while enhancing\nsecurity.\nThrough these mechanisms, Dstack-KMS provides the foundation for truly portable confidential con-\ntainers by decoupling encryption from hardware dependencies while maintaining robust security guar-\nantees.\n2.1.2 Dstack-OS: Hardware Abstraction Layer\nDstack-OS provides a comprehensive hardware abstraction layer with a minimized operating system\nimage that bridges the gap between application containers and VM-level TEE implementations. This\nlayer enables applications to deploy across diverse TEE environments without code modifications while\nmaintaining security integrity. As a shared component across all TEE applications, Dstack-OS must be\nintrinsically secure and verifiable, with no administrative backdoors that could compromise program\ncode or user data.\nVM-level TEE solutions typically require developers to provide complete system images encom-\npassing bootloader, kernel, operating system, and application components. This requirement not\nonly increases development complexity but also introduces potential security vulnerabilities through\nmisconfigured system components. A secure and properly configured operating system environment\nfundamentally determines the security baseline for all TEE applications built upon it.\nFigure 5 illustrates how Dstack-OS establishes a secure and verifiable startup chain from the TEE\nhardware foundation through to user-provided container images. Our modular design ensures that the\nmajority of the system can be reused across different TEE hardware implementations, substantially\nreducing the effort required for code review and security auditing. Combined with reproducible build\nprocesses, this approach enables comprehensive verification of Dstack-OS with minimal overhead while\nsupporting multiple TEE hardware platforms.\nUsing Intel TDX as an exemplar (with similar procedures applicable to other TEE implementa-\ntions like AMD SEV), Dstack-OS consists of the following components, presented in boot sequence\norder. During this process, each component measures the next one and records these measurements\nin hardware registers, which are ultimately incorporated into the TEE attestation report:\n• Hypervisor: When application deployment initiates, the underlying hypervisor (the TDX mod-\nule) loads the Open Virtual Machine Firmware (OVMF), enabling UEFI support for confidential\nvirtual machines. The TDX module measures the OVMF code and records its cryptographic\ndigest in the MRTD register, with the hypervisor’s integrity guaranteed by the TEE hardware\nitself.\n7\nFigure 5: The architecture of Dstack-OS establishes a secure and verifiable startup chain from TEE hardware\nthrough to user applications.\n• Open Virtual Machine Firmware (OVMF): The OVMF configures virtual machine hard-\nware specifications (CPU, memory, and device configurations) and records the configuration\nmeasurement to the RTMR0 register. It then loads the Linux kernel and records the kernel\nimage measurement to the RTMR1 register.\n• Kernel: The kernel first loads an initial ramdisk (initrd) — a temporary in-memory filesystem\ncontaining minimal command-line tools and disk encryption libraries. The initrd mounts the\nroot filesystem and records this measurement in the RTMR2 register.\n• Root Filesystem: The root filesystem (RootFs) is a read-only environment containing essential\nsystem libraries and tools. It manages the entire lifecycle of deployed applications, measuring\napplication images along with their associated key management system and storing these mea-\nsurements in the RTMR3 register. The RootFs serves two primary functions: (1) providing\nthe runtime environment for user-level container images, and (2) managing application data en-\ncryption. It interfaces with Dstack-KMS to acquire encryption secrets and implements Linux\nUnified Key Setup (LUKS) to encrypt application data in isolated volumes. Data integrity is\nensured through dm-verity, a Merkle-tree-based block-level verification tool. Finally, the RootFs\nconfigures network ingress for the application and initiates execution.\nRather than adapting existing system images, we built Dstack-OS from scratch to ensure only es-\nsential components are included in both the initrd and RootFs. A comprehensive component inventory\nis provided in Appendix ?? for transparency and review. Generally, Dstack-OS includes only basic\nutilities (busybox), filesystem support, and container runtime components. By implementing Docker\nsupport while delegating orchestration to the application level, we maintain a minimal base image\nfootprint.\nTo ensure comprehensive verifiability, Dstack-OS is fully open-sourced and supports reproducible\nbuilds, allowing anyone to review the code and generate identical artifacts for verification. This\napproach provides significant benefits for applications requiring security reviews, as evaluators need\nonly review the application code rather than the entire system image.\nData Backup and Defense against Rollback Attacks A critical challenge in confidential com-\nputing is ensuring data durability and integrity, particularly against rollback attacks where adversaries\nattempt to revert applications to previous states to bypass security checks or reuse expired secrets.\nOur architecture provides robust secure data backup support and implements robust anti-rollback\nmechanisms that application developers can integrate:\n• Secure Backup: Application data is encrypted using keys derived from Dstack-KMS and can\nbe backed up to external storage providers. Since encryption keys are not bound to specific TEE\n8\ninstances, data can be restored on any authorized TEE, supporting true portability and disaster\nrecovery.\n• Monotonic Counters: To prevent rollback attacks, developers can implement monotonic coun-\nters that increment with each critical data update, incorporating the counter value into the en-\ncrypted data. During restoration, applications verify that the counter value equals or exceeds\nthe last known value, preventing replay of outdated snapshots.\nBy combining these techniques, Dstack ensures both the recoverability and integrity of confidential\ndata across portable container migrations and backup scenarios.\nTogether, Dstack-KMS and Dstack-OS provide the foundational infrastructure for truly portable\nconfidential containers that maintain security and integrity across heterogeneous TEE environments\nwhile eliminating vendor lock-in and supporting comprehensive verifiability.\n2.2 Decentralized Code Management\nA core principle of Zero Trust platforms is the enforcement of “Code is Law”, ensuring that application\ncode operates as intended without unexpected modifications. While TEE hardware provides code\nintegrity guarantees during execution, it cannot independently prevent administrators from deploying\nmalicious code or making unauthorized modifications. Conversely, smart contracts have established\nrobust methodologies for implementing programmable governance over code lifecycle management —\nsuch as multi-signature requirements that prevent single-actor manipulation.\nOur decentralized code management framework bridges these two worlds by placing TEE ap-\nplication governance under smart contract control, creating a transparent and auditable system for\napplication deployment and updates that aligns with Web3 principles.\nFigure 6: The architecture of decentralized code management integrates on-chain governance contracts with\noff-chain TEE through Dstack-KMS.\nAs illustrated in Figure 6, our architecture consists of two complementary components: on-chain\ngovernance smart contracts and off-chain TEE execution environments connected through Dstack-\nKMS. This design establishes the on-chain contracts as the definitive root-of-trust for the entire system.\nEvery operation — from initial deployment to code upgrades — must first be initiated and authorized\nthrough the governance contracts before off-chain TEE instances can execute these operations.\nThe governance framework implements a two-tier structure:\n• KmsAuth Contract: Serves as the global authority controlling Dstack-KMS operations. This\ncontract maintains the registry of authorized applications and their governance parameters, en-\nforcing system-wide policies for TEE deployment. By controlling whether Dstack-KMS shares\n9\napplication secrets with specific TEE instances, the KmsAuth contract effectively determines\nwhether applications can decrypt their data, thus controlling their complete lifecycle.\n• AppAuth Contracts: Individual governance contracts deployed for each application that de-\nfine application-specific management rules. These contracts specify permissible code versions\n(through cryptographic hashes), authorized TEE instance identities, and upgrade approval re-\nquirements. This modular approach enables customized governance models ranging from tradi-\ntional multi-signature schemes to complex DAO voting mechanisms, allowing each application\nto implement governance appropriate to its requirements.\nThe enforcement mechanism operates through Dstack-KMS, which will only provide application\nsecrets to TEE instances running code versions explicitly authorized by the governance contracts.\nThis creates a cryptographically enforced governance system where unauthorized code versions cannot\naccess application data, regardless of administrative privileges.\nTo illustrate this mechanism, consider a code upgrade process for an application using a multi-\nsignature AppAuth contract in Figure 6:\n1. Developers publish the new code version and submit its cryptographic hash to the AppAuth\ncontract.\n2. The contract initiates the approval process, requiring signatures from designated key holders\n(e.g., core developers, security auditors, and community representatives).\n3. Each signature is recorded on-chain, creating an immutable audit trail of the approval process.\n4. Once the required signature threshold is reached, the AppAuth contract updates its registry of\nauthorized code versions.\n5. The KmsAuth contract, monitoring the AppAuth contract, updates its authorization records\naccordingly.\n6. Dstack-KMS, which continuously synchronizes with the KmsAuth contract, begins providing\napplication secrets to TEE instances running the newly approved code version.\n7. TEE instances can now deploy the new code with full access to encrypted application data.\nThis process ensures that every code change follows predefined governance rules with complete trans-\nparency. The on-chain approval records create an immutable audit trail that allows users to verify\nthe entire history of application changes, while the cryptographic enforcement through Dstack-KMS\nguarantees that only properly authorized code can access application data.\nBy combining the code integrity guarantees of TEEs with the transparent governance capabilities\nof smart contracts, our decentralized code management framework ensures that applications truly\nembody the ”Code is Law” principle. Every aspect of the application lifecycle—from initial deployment\nto version updates and potential retirement—follows predefined, transparent rules that cannot be\ncircumvented by any single entity, including the platform operators themselves.\n2.3 Verifiable Domain Management\nA complete Zero Trust platform must enable seamless verification for users across both Web3 and\ntraditional Web2 environments. Our Verifiable Domain Management system completes the chain-\nof-trust by allowing standard Web browsers to cryptographically verify TEE applications without\nrequiring any client-side modifications or specialized knowledge.\nThis capability is critical for mainstream adoption, as it allows users to interact with confiden-\ntial applications using familiar tools while maintaining the same security guarantees provided by the\nunderlying TEE infrastructure. We implement this through two complementary components—Dstack-\nIngress and Dstack-Gateway—both leveraging our novel Zero Trust TLS (ZT-TLS) protocol.\nThe fundamental innovation in ZT-TLS is establishing cryptographic proof that a specific TLS\ncertificate (and therefore a domain) is exclusively controlled by a verified TEE application. This\ncreates a verification chain extending from the blockchain to standard HTTPS connections, enabling\nusers to confirm application authenticity through familiar security indicators in their browsers.\n10\nFigure 7: The Zero Trust TLS architecture establishes a cryptographically verifiable connection between\nstandard web browsers and TEE applications through blockchain-anchored certificate management.\n2.3.1 Zero Trust TLS Protocol\nThe ZT-TLS protocol addresses a critical challenge: how to cryptographically bind a domain to a\nspecific TEE application in a way that prevents unauthorized certificate issuance or domain hijacking.\nOur solution integrates three key components:\n• TEE-Generated Certificates: The TEE application (specifically Dstack-Gateway) generates\nits TLS certificate using application secrets derived from Dstack-KMS. This ensures the private\nkey never exists outside the TEE environment and creates a cryptographic link between the\non-chain governance and the TLS certificate.\n• Certificate Authority Authorization (CAA): We leverage DNS CAA records to restrict\nwhich certificate authorities can issue certificates for managed domains. By configuring CAA\nrecords to only authorize certificates from specific issuers (which verify TEE attestation), we\nprevent unauthorized certificate issuance through alternative validation methods.\n• Certificate Transparency (CT) Monitoring: To protect against unauthorized DNS record\nmodifications, we implement continuous monitoring of Certificate Transparency logs. This allows\ndetection of any unauthorized certificates and provides an immutable audit trail of certificate\nissuance history.\n2.3.2 Implementation Components\nWe provide two complementary implementations to accommodate different application requirements:\n• Dstack-Gateway: A fully managed reverse proxy running within a TEE that provides imme-\ndiate domain verification with zero application code changes. Applications register with Dstack-\nGateway through a simple API call, during which Dstack-Gateway verifies the application’s re-\nmote attestation report. Once verified, applications receive a subdomain under a pre-registered\nwildcard domain (e.g., app-id.Dstack.com), with all TLS termination and certificate manage-\nment handled automatically.\n• Dstack-Ingress: A more flexible solution for applications requiring custom domain names.\nDstack-Ingress provides libraries and services that enable applications to manage their own TLS\ncertificates while maintaining the same verification guarantees. This approach requires minimal\nintegration work while supporting application-specific domain requirements.\n11\nBoth implementations ensure that certificates are cryptographically bound to verified TEE environ-\nments, with the verification chain extending from the blockchain governance contracts through to the\nTLS certificates presented to users’ browsers.\n2.3.3 Security Guarantees and Protections\nOur Verifiable Domain Management system provides several critical security guarantees:\n• Certificate Provenance Verification: Users can verify that the TLS certificate presented by\nan application was issued to a legitimate TEE environment by checking the certificate against\non-chain records.\n• Domain Binding Integrity: The combination of CAA records and Certificate Transparency\nmonitoring ensures that domains remain bound to their designated TEE applications, preventing\nunauthorized certificate issuance.\n• Tamper-Evident Certificate Changes: Any unauthorized attempts to modify domain con-\nfigurations or issue alternative certificates are detected through Certificate Transparency moni-\ntoring, with alerts propagated to clients.\nWhile we cannot technically prevent all attacks against centralized DNS infrastructure, our multi-\nlayered approach creates a tamper-evident system where unauthorized changes are quickly detected\nand rejected by client verification processes. This approach aligns with the ”Assume Breach” principle\nby implementing defense-in-depth strategies that maintain security even when individual components\nare compromised.\nBy extending the verification chain from blockchain governance through TEE attestation to stan-\ndard TLS certificates, our Verifiable Domain Management system enables seamless integration of Zero\nTrust applications into existing web infrastructure. This creates a practical path for mainstream\nadoption without requiring specialized knowledge or tools from end users, while maintaining the com-\nprehensive security guarantees that define true Zero Trust platforms.\n3 Verifying TEE Applications: A Practical Walkthrough\nTo demonstrate how Dstack fulfills the Zero Trust principles and addresses the challenges outlined in\nSection 1, we present a practical end-to-end verification scenario. This walkthrough illustrates how\nthe architectural components described in Section 2 work together to provide a comprehensive chain\nof trust for real-world Web3 applications.\nTraditional Zero Trust programs like smart contracts achieve verifiability through transparent\nsource code and inputs. However, extending similar verifiability to real-world applications presents\nunique challenges, particularly in maintaining privacy and compatibility with existing development\npractices. Dstack addresses these challenges through a comprehensive verification framework that\nrequires minimal code changes.\nThis section demonstrates Dstack’s complete chain of trust through a practical example: verifying\nthat a cryptographic key was genuinely generated within a TEE environment. This scenario is es-\npecially relevant for Web3 and AI Agent applications where cryptographic keys establish application\nidentity and authority.\n3.1 Threat Model\nOur verification framework assumes the correct implementation and integrity of core Dstack compo-\nnents (Dstack-OS, Dstack-KMS, Dstack-Gateway, and governance contracts). While these components’\nsecurity guarantees are detailed in later sections, we explicitly consider developers and administrators\nas potential adversaries.\nPotential attack vectors include:\n• Application-Level Attacks\n– Deployment of unauthorized or malicious code through falsified Docker images\n12\n– Introduction of malicious dependencies through supply chain attacks\n– Unauthorized application updates that bypass governance controls\n• Infrastructure-Level Attacks\n– Tampering with Dstack-OS to circumvent security controls\n– Deployment of compromised key management services\n– Operation of unpatched or vulnerable TEE firmware\n– Execution of applications on non-TEE hardware with spoofed attestation\n• Network-Level Attacks\n– DNS hijacking to redirect traffic to unauthorized applications\n– Man-in-the-middle attacks on communication channels\nDirect attacks on TEE hardware security (e.g., exploitation of hardware vulnerabilities) are con-\nsidered out of scope for this discussion and addressed separately.\n3.2 The Reproducibility Challenge\nA fundamental challenge in TEE attestation lies in bridging the gap between source code and the\nactual artifacts (binaries or container images) running inside enclaves. While TEE attestation can\nprove that a specific artifact runs within a secure environment, it cannot independently verify that the\nartifact accurately represents its claimed source code.\nThis limitation creates several security risks:\n• Source Code Manipulation: Developers could intentionally deploy artifacts that differ from\npublicly reviewed source code\n• Build Process Compromise: Supply chain attacks could inject malicious code during artifact\ncreation\n• Toolchain Vulnerabilities: As demonstrated by the Ken Thompson Hack, even compiler\ntoolchains could be compromised to inject malicious behavior\nTEE quotes only attest to measurements (cryptographic hashes) of running artifacts. Without\nguarantees that these artifacts accurately represent reviewed source code, users cannot fully trust ap-\nplications even when running in secure enclaves. This challenge affects all TEE applications, including\nDstack’s core components.\nFigure 8: Comprehensive verification chain from source code to running TEE applications\nEstablishing a complete verification chain requires three key elements:\n13\n• Source Code Verification: Open-source code or trusted third-party review ensuring no back-\ndoors exist\n• Build Process Integrity: Reproducible builds allowing independent verification of artifacts\n• Runtime Attestation: TEE quotes proving that verified artifacts are actually running\nTraditional reproducible builds, while ideal, often introduce significant complexity through special-\nized toolchains and build scripts. The following section introduces an alternative approach, In-CC\nBuild, that achieves similar guarantees with improved practicality.\n3.3 Dstack Component Verifiability\nEach core Dstack component implements specific verifiability mechanisms anchored in transparent,\nimmutable records. Table 1 summarizes these mechanisms:\nComponentSourceBuild MethodRegistryVerification\nDstack-OSOpenReproducibleKmsAuthOS Digest\nDstack-KMSOpenIn-CCKmsAuthImage Hash, Root PubKey\nDstack-GatewayOpenIn-CCAppAuthImage Hash\nTable 1: Verifiability mechanisms and trust anchors for Dstack components\nAll components maintain open-source codebases with comprehensive documentation. Dstack-OS, as\nthe foundational component, undergoes third-party security audits and implements fully reproducible\nbuilds.\nThe governance smart contracts serve as authoritative registries, anchoring each component’s trust\nbase:\n• Dstack-OS digests are registered in KmsAuth and managed through multi-signature governance\n• Dstack-KMS measurements and root public keys are recorded in KmsAuth\n• Dstack-Gateway artifacts are verified through dedicated AppAuth contracts\nIn-ConfidentialContainer Build While reproducible builds represent the gold standard for arti-\nfact verification, they often prove impractical for complex applications. Dstack addresses this through\nIn-CC Build, leveraging the verified Dstack-OS as a trusted foundation. The In-CC Build process\nexecutes entirely within Dstack-OS environment, encompassing code fetching, compilation, and arti-\nfact creation. By specifying precise source references (e.g., a snapshot of the codebase), the system\nproduces verifiable artifacts with measurements attested in TEE quotes. This approach minimizes the\ntrusted computing base while eliminating the complexity of traditional reproducible builds.\n3.4 End-to-End Verification Walkthrough\nFrom a user’s perspective, verifying a TEE application in Dstack requires validating a chain of mea-\nsurements against authoritative registries, encompassing the user application, runtime data, Dstack\ncomponents, and network infrastructure. This section walks through the verification process, demon-\nstrating how each step builds upon the previous one to create a comprehensive chain of trust.\nAs shown in Figure 9, the verification chain begins with the KmsAuth smart contract, which serves\nas the root of trust for the entire system, and concludes with the key generation application running\nin a TEE. We explain the verification steps as follows.\nFirst, the address of the Dstack-KMS governance contract (i.e., KmsAuth) is publicly available.\nThe KMS governance contract serves as the authoritative registry for (1) off-chain KMS nodes and\n(2) dedicated governance contracts (i.e., AppAuth) for TEE applications. It is worth noting that the\nDstack-Gateway can be regarded as a special TEE application that attests and forwards requests to\nother user applications while maintaining consistent verification procedures.\nThe KmsAuth contract records both the measurements of off-chain KMS node programs (KMS\ndigest, which is the hash of the docker compose file and the images used in In-CC Build) and the TDX\n14\nFigure 9: The verification chain from authoritative registries to runtime measurements\nQuote of the first KMS node, which acts as the primary key generator. The identities of subsequent\nKMS nodes must first be registered in KmsAuth and verified by the first KMS node before they\ncan participate in key generation. These data, together with the open-source Dstack-KMS codebase,\nallow users to verify the integrity of the KMS nodes and their code correctness. Subsequently, the\noff-chain KMS nodes can be considered trusted extensions and used to verify Quotes from other TEE\napplications, which cannot be achieved by the on-chain governance contract alone. The off-chain\nKMS nodes are responsible for generating and managing cryptographic keys (i.e., the root key) and\nthe corresponding certificates (explained in Section 2.3.1), which are further used to authorize TEE\napplications after they are verified, thereby avoiding redundant verification.\nSecond, users can verify the validity of Dstack-Gateway. By default, this is delegated to the off-\nchain KMS nodes during gateway registration, although users can always request the Quote of the\ngateway and check the digest of its docker compose file in its governance contract and the codebase.\nAfter the KMS nodes verify the gateway, it will generate its application root key along with a certificate\nchain ending with the root certificate.\nNext, users can access the TEE application through Dstack-Gateway forwarding. In this case, users\neffectively delegate the verification of the key generation application to the gateway. The deployment\nof the key generation application starts from the KmsAuth contract. The deployer first registers it\nand stores the digest (the hash of the docker compose file and the images) on the dedicated AppAuth\ncontract. Then, as in the previous step, the off-chain KMS nodes verify the Quote of the application\nafter it is deployed to the TEE and ensure it matches the registered digest. Only after successful\nverification will the key be generated along with the certificate chain. To be forwarded by the gateway,\nthe application must also register with it. In this case, the gateway verifies the application’s certificate\nchain and ensures it shares the same root certificate, indicating authorization by the same KMS.\nFinally, the user can invoke the application and request proof of the key it generated. The applica-\ntion can generate a Quote on demand, with the generated public key included as custom data in the\nQuote.\n15\n3.5 Security Analysis: Mitigating Threats\nOur key generation example demonstrates Dstack’s comprehensive approach to security across multiple\nattack surfaces. At the application level, the system prevents unauthorized code deployment through\nrigorous measurement verification against the AppAuth registry. The In-CC Build process ensures\nall dependencies originate from verified sources, while any updates require new registry entries and\ncomplete re-verification. It is important to note, however, that code audit and review processes remain\nessential for ensuring application code correctness, as the In-CC Build only guarantees the integrity of\nthe build process.\nInfrastructure security is maintained through multiple mechanisms. TDX Quotes verify Dstack-OS\nintegrity, preventing OS-level tampering. KMS updates require multi-signature governance approval,\nsafeguarding against unauthorized changes to key management services. The Quote verification pro-\ncess includes firmware version validation, ensuring applications run on up-to-date TEE hardware.\nHardware-backed TDX Quotes effectively prevent attestation spoofing attempts.\nNetwork-level threats are mitigated through the certificate chain validation system. This prevents\nboth DNS hijacking and man-in-the-middle attacks by ensuring authentic application identity and\nenabling end-to-end encryption with verified certificates. The combination of these security measures\nensures that cryptographic keys maintain their integrity guarantees even when confronted with sophis-\nticated attacks targeting different system layers.\nReferences\n16"
}
]
},
{
"role": "assistant",
"content": "# Project Proposal Template\n\n## General Information\n1.1. Name of Project\nDstack\n\n1.2. Project Description (what it does, why it is valuable, origin and history)\nDstack is a developer-friendly and security-first SDK that simplifies the deployment of arbitrary containerized applications into Trusted Execution Environments (TEEs). It enables developers to securely deploy containerized applications in TEEs in minutes using familiar tools like docker-compose.yaml. Dstack provides safe management of secrets and sensitive data, along with built-in TLS termination for exposed services.\n\nThe project was built by Kevin Wang and others from Phala Network, inspired by Andrew Miller (Flashbots & Teleport), and has received contributions from Nethermind and many others. Dstack addresses the gap between raw TEE technology and Zero Trust platform requirements by providing portable confidential containers, decentralized code management, and verifiable domain management.\n\n1.3. How does this project align with the Consortium's Mission Statement\n[blank]\n\n1.4. Project website URL\nhttps://docs.phala.network/dstack/overview (inferred from documentation references)\n\n1.5. Social media accounts\n[blank]\n\n## Legal Information\n2.1. Project Logo URL or attachment (Vector Graphic: SVG, EPS).\n[blank]\n\n2.2. Project license. We recommend an OSI-approved license, so if the license is not one on the list, explain why.\nApache License, Version 2.0\n\n2.3. Existing financial sponsorship.\n[blank]\n\n2.4. Trademark status.\n[blank]\n\n## Technical Information\n3.1. High level assessment of project synergy with existing projects under the CCC, including how the project compliments/overlaps with existing projects, and potential ways to harmonize over time. Responses may be included both inline and/or in accompanying documentation.\n[blank]\n\n3.2. Describe the Trusted Computing Base (TCB) of the project. If the project supports multiple environments please describe each TCB. Also identify if dependencies of other project (both CCC or non-CCC) TCBs are taken.\nDstack's TCB includes:\n- Dstack-OS: A minimized operating system image that serves as a hardware abstraction layer\n- OVMF (Open Virtual Machine Firmware): Configures VM hardware specifications\n- Linux kernel with initial ramdisk (initrd)\n- Root filesystem with essential system libraries and tools\n- Intel TDX or equivalent TEE hardware as the foundation\n\nThe system establishes a secure and verifiable startup chain from TEE hardware through to user applications, with each component measuring the next and recording measurements in hardware registers that are incorporated into TEE attestation reports.\n\n3.3. Project Code of Conduct URL. We recommend a Contributor Covenant v2.0 based Code of Conduct, so if the Code of Conduct is not based on that, explain why.\n[blank]\n\n3.4. Source control URL\nhttps://github.com/Dstack-TEE/dstack\n\n3.5. Issue tracker URL\nhttps://github.com/Dstack-TEE/dstack/issues (inferred)\n\n3.6. External dependencies (including licenses, and indicate whether each is a build time or runtime dependency)\n- Intel TDX or equivalent TEE hardware (runtime)\n- Linux kernel (runtime)\n- Docker/container runtime (runtime)\n- Busybox (runtime)\n- LUKS for encryption (runtime)\n- Wireguard-tools (build time)\n- Build-essential, chrpath, diffstat, lz4, xorriso (build time)\n- Rust (build time)\n\n3.7. Standards implemented by the project, if any. Include links to any such standards.\n- TLS/HTTPS for secure communications\n- Certificate Transparency (CT) for certificate monitoring\n- Certificate Authority Authorization (CAA) for domain security\n- Remote Attestation for TEE verification\n\n3.8. Release methodology and mechanics\n[blank]\n\n3.9. Names of initial committers, if different from those submitting proposal\nInitial committers include:\n- Kevin Wang (kvinwang)\n- Shelven Zhou (shelvenzhou)\n- Leechael\n\n3.10. List of project's official communication channels (slack, irc, mailing lists)\n[blank]\n\n3.11. Project Security Response Policy\n[blank]\n\n3.12. Preferred maturity level (Incubation, Graduation, or Emeritus)\n[blank]\n\n3.13. Any additional information the TAC and Board should take into consideration when reviewing your proposal.\nDstack includes several key components:\n- dstack-vmm: Service running on bare TDX host to manage CVMs\n- dstack-gateway: Reverse proxy to forward TLS connections to CVMs\n- dstack-kms: KMS server to generate keys for CVMs\n- dstack-guest-agent: Service in CVM to serve containers' key derivation and attestation requests\n- meta-dstack: Yocto meta layer to build CVM guest images\n\nThe project provides innovative solutions for portable confidential containers, decentralized code management, and verifiable domain management, addressing critical limitations in current TEE implementations for Web3 contexts."
},
{
"role": "user",
"content": "This is the Mission Statement, fill in 1.3 with it\n\n```\nThe purpose of the Confidential Computing Consortium is to raise, budget and spend funds in support of various open source and/or open standards projects relating to:\n\ndefining confidential computing and accelerating acceptance and adoption in the market.\ndeveloping open enterprise-grade building blocks (e.g., open specifications and open source licensed projects), including a Confidential Computing portfolio and development experience, to enable easy development and management of enterprise-grade Confidential Computing applications, and\ndefining foundational services and frameworks that are Confidential Computing aware and minimize the need for trust.\n```"
},
{
"role": "assistant",
"content": "## General Information\n1.3. How does this project align with the Consortium's Mission Statement\nDstack directly aligns with the Confidential Computing Consortium's mission by providing enterprise-grade building blocks for confidential computing applications. It accelerates adoption by making TEE deployment developer-friendly through familiar tools like docker-compose, lowering the barrier to entry. Dstack defines foundational services and frameworks that are Confidential Computing aware through its comprehensive architecture (Dstack-OS, Dstack-KMS, Dstack-Gateway). The project minimizes the need for trust by implementing Zero Trust principles with portable confidential containers, decentralized code management, and verifiable domain management. By enabling seamless deployment of containerized applications in TEEs, Dstack contributes significantly to the development experience and practical adoption of confidential computing in real-world scenarios."
},
{
"role": "user",
"content": "Trademark status.一般的候选项有哪些"
}
]Response:
## Legal Information
2.4. Trademark status.
Common options for trademark status include:
- Registered Trademark (®)
- Unregistered/Common Law Trademark (™)
- Trademark Application Pending
- No Trademark Protection
- Trademark Owned by Third Party
- Shared Trademark (through license agreement)
- Trademark Under Review
- Not Applicable (No trademark claims)
Model: claude-3-7-sonnet-202502192025-06-25 13:06:25
Context:
[
{
"role": "user",
"content": [
{
"type": "text",
"text": "Help me fill in the follow template given the project whitepaper and README file.\n\nFor fields with not enough info, leave it \"[blank]\".\n\n```\nProject Proposal Template\n\nGeneral Information\n1.1. Name of Project\n1.2. Project Description (what it does, why it is valuable, origin and history)\n1.3. How does this project align with the Consortium's Mission Statement\n1.4. Project website URL\n1.5. Social media accounts\n\nLegal Information\n2.1. Project Logo URL or attachment (Vector Graphic: SVG, EPS).\n2.2. Project license. We recommend an OSI-approved license, so if the license is not one on the list, explain why.\n2.3. Existing financial sponsorship.\n2.4. Trademark status.\n\nTechnical Information\n3.1. High level assessment of project synergy with existing projects under the CCC, including how the project compliments/overlaps with existing projects, and potential ways to harmonize over time. Responses may be included both inline and/or in accompanying documentation.\n3.2. Describe the Trusted Computing Base (TCB) of the project. If the project supports multiple environments please describe each TCB. Also identify if dependencies of other project (both CCC or non-CCC) TCBs are taken.\n3.3. Project Code of Conduct URL. We recommend a Contributor Covenant v2.0 based Code of Conduct, so if the Code of Conduct is not based on that, explain why.\n3.4. Source control URL\n3.5. Issue tracker URL\n3.6. External dependencies (including licenses, and indicate whether each is a build time or runtime dependency)\n3.7. Standards implemented by the project, if any. Include links to any such standards.\n3.8. Release methodology and mechanics\n3.9. Names of initial committers, if different from those submitting proposal\n3.10. List of project's official communication channels (slack, irc, mailing lists)\n3.11. Project Security Response Policy\n3.12. Preferred maturity level (Incubation, Graduation, or Emeritus) 3.13. Any additional information the TAC and Board should take into consideration when reviewing your proposal.\n```"
},
{
"type": "text",
"text": "README.md\n# Dstack\n\n[](https://deepwiki.com/Dstack-TEE/dstack)\n\nDstack is a **developer friendly** and **security first** SDK to simplify the deployment of arbitrary containerized apps into TEE.\n\nMain features:\n\n- 🔒 Deploy containerized apps securely in TEE in minutes\n- 🛠️ Use familiar tools - just write a docker-compose.yaml\n- 🔑 Safely manage secrets and sensitive data\n- 📡 Expose services via built-in TLS termination\n\nDstack is community driven. Open sourced and built by [Kevin Wang](https://github.com/kvinwang) and many others from [Phala Network](https://github.com/Phala-Network), inspired by [Andrew Miller](https://github.com/amiller) (Flashbots & Teleport), and contributed by [Nethermind](https://github.com/NethermindEth/nethermind) and [many others](#contributors).\n\n![Alt](https://repobeats.axiom.co/api/embed/0a001cc3c1f387fae08172a9e116b0ec367b8971.svg \"Repobeats analytics image\")\n\n# Overview\n\nComponents in Dstack:\n\n- `dstack-vmm`: A service running in bare TDX host to manage CVMs\n- `dstack-gateway`: A reverse proxy to forward TLS connections to CVMs\n- `dstack-kms`: A KMS server to generate keys for CVMs\n- `dstack-guest-agent`: A service running in CVM to serve containers' key derivation and attestation requests\n- `meta-dstack`: A Yocto meta layer to build CVM guest images\n\nThe overall architecture is shown below:\n\n\n# Directory structure\n\n```text\ndstack/\n kms/ A prototype KMS server\n guest-agent/ A service running in CVM to serve containers' key derivation and attestation requests.\n dstack-util/ A CLI tool in the guest setting up the system, getting TDX quote, extending RTMR, generating cert for RA-TLS, etc.\n vmm/ A service running in bare TDX host to manage CVMs\n gateway/ A reverse proxy to forward TLS connections to CVMs\n certbot/ A tool to automatically obtain and renew TLS certificates for dstack-gateway\n ra-rpc/ RA-TLS support for pRPC\n ra-tls/ RA-TLS support library\n tdx-attest/ Guest library for getting TDX quote and extending RTMR\n```\n\n# Build and play locally\n\n## Prerequisites\n\n- A bare metal TDX server setup following [canonical/tdx](https://github.com/canonical/tdx)\n- Public IPv4 address assigned to the machine\n- At least 16GB RAM, 100GB free disk space.\n- A domain with DNS access if you want to set up `dstack-gateway` for Zero Trust HTTPS\n\n> [!NOTE]\n>\n> This doc assumes you have access to a compatible Intel TDX Server ready to be configured with Dstack. Check the [Hardware Requirements](https://docs.phala.network/dstack/hardware-requirements) for more information on buying a bare metal server or renting a server from OVH. To start learning about Dstack check out the [docs](https://docs.phala.network/dstack/overview).\n>\n> If you are looking to deploy a CVM in minutes, go to the docs to learn how to [sign-up for a Phala Cloud Account](https://docs.phala.network/phala-cloud/getting-started/sign-up-for-cloud-account) and [deploy your first CVM on Dstack]((https://docs.phala.network/phala-cloud/getting-started/start-from-cloud-ui)).\n\n## Install dependencies\n\n```bash\n# for Ubuntu 24.04\nsudo apt install -y build-essential chrpath diffstat lz4 wireguard-tools xorriso\n# install rust\ncurl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sh\n```\n\n## Build and run for local development\n\n### Build the artifacts\n```bash\ngit clone https://github.com/Dstack-TEE/meta-dstack.git --recursive\ncd meta-dstack/\n\nmkdir build\ncd build\n../build.sh hostcfg\n# This outputs the following message:\n# Config file ../build-config.sh created, please edit it to configure the build\n\nvim ./build-config.sh\n```\n\nReview and customize the `build-config.sh` configuration file according to your environment requirements. The file contains network ports, domain settings, and other important parameters. Once configured, run the build script again to generate the necessary artifacts:\n\n```bash\n../build.sh hostcfg\n\n# If everything is okay, you should see the built artifacts in the `build` directory.\n$ ls\ncerts images dstack-kms kms.toml run dstack-vmm vmm.toml dstack-gateway gateway.toml\n```\n\n### Download guest image or build guest image from source\n\n```bash\n# This will download the guest image from the release page.\n../build.sh dl 0.5.2\n```\n\nOr build guest image from source:\n\n```bash\n# This will build the guest image from source using the yocto meta layer. This will take a while.\n../build.sh guest\n```\n\n> **Note on Reproducible Builds**: The build command above does not guarantee reproducibility. For reproducible builds across different build environments, please refer to the [reproducible build instructions](https://github.com/Dstack-TEE/meta-dstack?tab=readme-ov-file#reproducible-build-the-guest-image) in the meta-dstack repository.\n\n### Run components\nNow you can open 3 terminals to start the components:\n\n1. Run `./dstack-kms -c kms.toml`\n2. Run `sudo ./dstack-gateway -c gateway.toml`\n3. Run `./dstack-vmm -c vmm.toml`\n\n⚠️ *Warning: this is for local development, and the kms is not secure, so you should not use it in production.*\nFor production, you should follow the [deployment guide](./docs/deployment.md) and read the [security guide](./docs/security-guide/security-guide.md).\n\n## Deploy an App\nOpen the dstack-vmm webpage [http://localhost:9080](http://localhost:9080)(change the port according to your configuration) on your local machine to deploy a `docker-compose.yaml` file:\n\n\n\nAfter the container deployed, it should need some time to start the CVM and the containers. Time would be vary depending on your workload.\n\n- Click the [Logs] button to see the logs of the CVM, you can see if the container is finished starting there.\n\n- Once the container is running, you can click the [Dashboard] button to see some information of the container. And the logs of the containers can be seen in the [Dashboard] page.\n\n \n\n- You can open dstack-gateway's dashboard at [https://localhost:9070](https://localhost:9070) to see the CVM's wireguard ip address, as shown below:\n\n\n\n## Pass Secrets to Apps\nWhen deploying a new App, you can pass private data via Encrypted Environment Variables. These variables can be referenced in the docker-compose.yaml file as shown below:\n\n\n\nThe environment variables will be encrypted in the client-side and decrypted in the CVM before being passed to the containers.\n\n## Access the App\n\nOnce the app is deployed and listening on an HTTP port, you can access the HTTP service via dstack-gateway's public domain. The ingress mapping rules are:\n\n- `<id>[s].<base_domain>` maps to port `80` or `443` if with `s` in the CVM.\n- `<id>-<port>[s].<base_domain>` maps to port `<port>` in the CVM.\n\nFor example, `3327603e03f5bd1f830812ca4a789277fc31f577-8080.app.kvin.wang` maps to port `8080` in the CVM.\n\nWhere the `<id>` can be either the app id or the instance id. If the app id is used, one of the instances will be selected by the load balancer.\nIf the `id-port` part ends with `s`, it means the TLS connection will be passthrough to the app rather than terminating at dstack-gateway.\n\nYou can also ssh into the CVM to inspect more information, if your deployment uses the image `dstack-x.x.x-dev`:\n\n```bash\n# The IP address of the CVM can be found in the dstack-gateway dashboard.\nssh [email protected]\n```\n\n## Getting TDX quote in docker container\n\nTo get a TDX quote within app containers:\n\n1. Mount `/var/run/dstack.sock` to the target container in `docker-compose.yaml`\n\n ```yaml\n version: '3'\n services:\n nginx:\n image: nginx:latest\n volumes:\n - /var/run/dstack.sock:/var/run/dstack.sock\n ports:\n - \"8080:80\"\n restart: always\n ```\n\n2. Execute the quote request command in the container.\n\n ```bash\n # The argument report_data accepts binary data encoding in hex string.\n # The actual report_data passing the to the underlying TDX driver is sha2_256(report_data).\n curl --unix-socket /var/run/dstack.sock http://localhost/GetQuote?report_data=0x1234deadbeef | jq . \n ```\n\n## Container logs\n\nContainer logs can be obtained from the CVM's `dashboard` page or by curl:\n\n```bash\ncurl 'http://<appid>.app.kvin.wang:9090/logs/<container name>?since=0&until=0&follow=true&text=true×tamps=true&bare=true'\n```\n\nReplace `<appid>` and `<container name>` with actual values. Available parameters:\n\n- since=0: Starting Unix timestamp for log retrieval\n- until=0: Ending Unix timestamp for log retrieval\n- follow: Enables continuous log streaming\n- text: Returns human-readable text instead of base64 encoding\n- timestamps: Adds timestamps to each log line\n- bare: Returns the raw log lines without json format\n\nThe response of the RPC looks like:\n```\n$ curl 'http://0.0.0.0:9190/logs/zk-provider-server?text×tamps'\n{\"channel\":\"stdout\",\"message\":\"2024-09-29T03:05:45.209507046Z Initializing Rust backend...\\n\"}\n{\"channel\":\"stdout\",\"message\":\"2024-09-29T03:05:45.209543047Z Calling Rust function: init\\n\"}\n{\"channel\":\"stdout\",\"message\":\"2024-09-29T03:05:45.209544957Z [2024-09-29T03:05:44Z INFO rust_prover] Initializing...\\n\"}\n{\"channel\":\"stdout\",\"message\":\"2024-09-29T03:05:45.209546381Z [2024-09-29T03:05:44Z INFO rust_prover::groth16] Starting setup process\\n\"}\n```\n\n## TLS Passthrough with Custom Domain\n\ndstack-gateway supports TLS passthrough for custom domains.\n\nSee the example [here](https://github.com/Dstack-TEE/dstack-examples/tree/main/custom-domain/dstack-ingress) for more details.\n\n## Upgrade an App\n\nGot to the dstack-vmm webpage, click the [Upgrade] button, select or paste the compose file you want to upgrade to, and click the [Upgrade] button again.\nThe app id does not change after the upgrade. Stop and start the app to apply the upgrade.\n\n## HTTPS Certificate Transparency\n\nIn the tutorial above, we used a TLS certificate with a private key external to the TEE. To establish trust, we need to generate and maintain the certificate's private key within the TEE and provide evidence that all TLS certificates for the domain were originate solely from dstack-gateway CVM.\n\nBy combining Certificate Transparency Logs and CAA DNS records, we can make best effort to minimize security risks. Here's our approach:\n\n- Set CAA records to allow only the account created in dstack-gateway CVM to request Certificates.\n- Launch a program to monitor Certificate Transparency Log and give alarm once any certificate issued to a pubkey that isn’t generated by dstack-gateway CVM.\n\n### Configurations\n\nTo launch Certbot, you need to own a domain hosted on Cloudflare. Obtain an API token with DNS operation permissions from the Cloudflare dashboard. Configure it in the `build-config.sh`:\n\n```bash\n# The directory to store the auto obtained TLS certificate and key\nGATEWAY_CERT=${CERBOT_WORKDIR}/live/cert.pem\nGATEWAY_KEY=${CERBOT_WORKDIR}/live/key.pem\n\n# for certbot\nCF_ZONE_ID=cc0a40...\nCF_API_TOKEN=g-DwMH...\n# ACME_URL=https://acme-v02.api.letsencrypt.org/directory\nACME_URL=https://acme-staging-v02.api.letsencrypt.org/directory\n```\n\nThen re-run the ../build.sh:\n\n```bash\n../build.sh\n```\n\n### Launch certbot\n\nThen run the certbot in the `build/` and you will see the following log:\n```text\n$ RUST_LOG=info,certbot=debug ./certbot renew -c certbot.toml\n2024-10-25T07:41:00.682990Z INFO certbot::bot: creating new ACME account\n2024-10-25T07:41:00.869246Z INFO certbot::bot: created new ACME account: https://acme-staging-v02.api.letsencrypt.org/acme/acct/168601853\n2024-10-25T07:41:00.869270Z INFO certbot::bot: setting CAA records\n2024-10-25T07:41:00.869276Z DEBUG certbot::acme_client: setting guard CAA records for app.kvin.wang\n2024-10-25T07:41:01.740767Z DEBUG certbot::acme_client: removing existing CAA record app.kvin.wang 0 issuewild \"letsencrypt.org;validationmethods=dns-01;accounturi=https://acme-staging-v02.api.letsencrypt.org/acme/acct/168578683\"\n2024-10-25T07:41:01.991298Z DEBUG certbot::acme_client: removing existing CAA record app.kvin.wang 0 issue \"letsencrypt.org;validationmethods=dns-01;accounturi=https://acme-staging-v02.api.letsencrypt.org/acme/acct/168578683\"\n2024-10-25T07:41:02.216751Z DEBUG certbot::acme_client: setting CAA records for app.kvin.wang, 0 issue \"letsencrypt.org;validationmethods=dns-01;accounturi=https://acme-staging-v02.api.letsencrypt.org/acme/acct/168601853\"\n2024-10-25T07:41:02.424217Z DEBUG certbot::acme_client: setting CAA records for app.kvin.wang, 0 issuewild \"letsencrypt.org;validationmethods=dns-01;accounturi=https://acme-staging-v02.api.letsencrypt.org/acme/acct/168601853\"\n2024-10-25T07:41:02.663824Z DEBUG certbot::acme_client: removing guard CAA records for app.kvin.wang\n2024-10-25T07:41:03.095564Z DEBUG certbot::acme_client: generating new cert key pair\n2024-10-25T07:41:03.095678Z DEBUG certbot::acme_client: requesting new certificates for *.app.kvin.wang\n2024-10-25T07:41:03.095699Z DEBUG certbot::acme_client: creating new order\n2024-10-25T07:41:03.250382Z DEBUG certbot::acme_client: order is pending, waiting for authorization\n2024-10-25T07:41:03.283600Z DEBUG certbot::acme_client: creating dns record for app.kvin.wang\n2024-10-25T07:41:04.027882Z DEBUG certbot::acme_client: challenge not found, waiting 500ms tries=2 domain=\"_acme-challenge.app.kvin.wang\"\n2024-10-25T07:41:04.600711Z DEBUG certbot::acme_client: challenge not found, waiting 1s tries=3 domain=\"_acme-challenge.app.kvin.wang\"\n2024-10-25T07:41:05.642300Z DEBUG certbot::acme_client: challenge not found, waiting 2s tries=4 domain=\"_acme-challenge.app.kvin.wang\"\n2024-10-25T07:41:07.715947Z DEBUG certbot::acme_client: challenge not found, waiting 4s tries=5 domain=\"_acme-challenge.app.kvin.wang\"\n2024-10-25T07:41:11.724831Z DEBUG certbot::acme_client: challenge not found, waiting 8s tries=6 domain=\"_acme-challenge.app.kvin.wang\"\n2024-10-25T07:41:19.815990Z DEBUG certbot::acme_client: challenge not found, waiting 16s tries=7 domain=\"_acme-challenge.app.kvin.wang\"\n2024-10-25T07:41:35.852790Z DEBUG certbot::acme_client: setting challenge ready for https://acme-staging-v02.api.letsencrypt.org/acme/chall-v3/14584884443/mQ-I2A\n2024-10-25T07:41:35.934425Z DEBUG certbot::acme_client: challenges are ready, waiting for order to be ready\n2024-10-25T07:41:37.972434Z DEBUG certbot::acme_client: order is ready, uploading csr\n2024-10-25T07:41:38.052901Z DEBUG certbot::acme_client: order is processing, waiting for challenge to be accepted\n2024-10-25T07:41:40.088190Z DEBUG certbot::acme_client: order is valid, getting certificate\n2024-10-25T07:41:40.125988Z DEBUG certbot::acme_client: removing dns record 6ab5724e8fa7e3e8f14e93333a98866a\n2024-10-25T07:41:40.377379Z DEBUG certbot::acme_client: stored new cert in /home/kvin/codes/meta-dstack/dstack/build/run/certbot/backup/2024-10-25T07:41:40.377174477Z\n2024-10-25T07:41:40.377472Z INFO certbot::bot: checking if certificate needs to be renewed\n2024-10-25T07:41:40.377719Z DEBUG certbot::acme_client: will expire in Duration { seconds: 7772486, nanoseconds: 622281542 }\n2024-10-25T07:41:40.377752Z INFO certbot::bot: certificate /home/kvin/codes/meta-dstack/dstack/build/run/certbot/live/cert.pem is up to date\n```\n\nWhere the command did are:\n\n- Registered to letsencrypt and got a new account `https://acme-staging-v02.api.letsencrypt.org/acme/acct/168601853`\n- Auto set CAA records for the domain on cloudflare, you can open the CF dashboard to see the record:\n\n \n\n- Auto requested a new certificate from Let's Encrypt. Automatically renews the certificate to maintain its validity\n\n### Launch dstack-gateway\n\nExecute dstack-gateway with `sudo ./dstack-gateway -c gateway.toml`, then access the web portal to check the dstack-gateway CVM managed Let's Encrypt account. The account's private key remains securely sealed within the TEE.\n\n\n\n## Certificate transparency log monitor\n\nTo enhance security, we've limited TLS certificate issuance to dstack-gateway via CAA records. However, since these records can be modified through Cloudflare's domain management, we need to implement global CA certificate monitoring to maintain security oversight.\n\n`ct_monitor` tracks Certificate Transparency logs via [https://crt.sh](https://crt.sh/?q=app.kvin.wang), comparing their public key with the ones got from dstack-gateway RPC. It immediately alerts when detecting unauthorized certificates not issued through dstack-gateway:\n\n```text\n$ ./ct_monitor -t https://localhost:9010/prpc -d app.kvin.wang\n2024-10-25T08:12:11.366463Z INFO ct_monitor: monitoring app.kvin.wang...\n2024-10-25T08:12:11.366488Z INFO ct_monitor: fetching known public keys from https://localhost:9010/prpc\n2024-10-25T08:12:11.566222Z INFO ct_monitor: got 2 known public keys\n2024-10-25T08:12:13.142122Z INFO ct_monitor: ✅ checked log id=14705660685\n2024-10-25T08:12:13.802573Z INFO ct_monitor: ✅ checked log id=14705656674\n2024-10-25T08:12:14.494944Z ERROR ct_monitor: ❌ error in CTLog { id: 14666084839, issuer_ca_id: 295815, issuer_name: \"C=US, O=Let's Encrypt, CN=R11\", common_name: \"kvin.wang\", name_value: \"*.app.kvin.wang\", not_before: \"2024-09-24T02:23:15\", not_after: \"2024-12-23T02:23:14\", serial_number: \"03ae796f56a933c8ff7e32c7c0d662a253d4\", result_count: 1, entry_timestamp: \"2024-09-24T03:21:45.825\" }\n2024-10-25T08:12:14.494998Z ERROR ct_monitor: error: certificate has issued to unknown pubkey: 30820122300d06092a864886f70d01010105000382010f003082010a02820101009de65c767caf117880626d1acc1ee78f3c6a992e3fe458f34066f92812ac550190a67e49ebf4f537003c393c000a8ec3e114da088c0cb02ffd0881fd39a2b32cc60d2e9989f0efab3345bee418262e0179d307d8d361fd0837f85d17eab92ec6f4126247e614aa01f4efcc05bc6303a8be68230f04326c9e85406fc4d234e9ce92089253b11d002cdf325582df45d5da42981cd546cbd2e9e49f0fa6636e747a345aaf8cefa02556aa258e1f7f90906be8fe51567ac9626f35bc46837e4f3203387fee59c71cea400000007c24e7537debc1941b36ff1612990233e4c219632e35858b1771f17a71944adf6c657dd7303583e3aeed199bd36a3152f49980f4f30203010001\n```\n\n# Troubleshooting\n\n### Error from dstack-vmm: qemu-system-x86_64: -device vhost-vsock-pci,guest-cid=<id>: vhost-vsock: unable to set guest cid: Address already in use\n\n`dstack-vmm` may throw this error when creating a new VM if the [Unix Socket CID](https://man7.org/linux/man-pages/man7/vsock.7.html) is occupied. To solve the problem, first, you should list the occupied CID:\n\n```bash\nps aux | grep 'guest-cid='\n```\n\nThen choose a new range of the CID not conflicting with the CID in use. You can change `build/vmm.toml` file and restart `dstack-vmm`. This error should disappear. For example, you may find 33000-34000 free to use:\n\n```toml\n[cvm]\ncid_start = 33000\ncid_pool_size = 1000\n```\n\nWhen building the dstack from scratch, you should change the CID configs in `build-config.sh` instead, because `vmm.toml` file is generated by `build.sh`. Its content is derived from `build-config.sh`.\n\nYou may encounter this problem when upgrading from an older version of dstack, because CID was introduced in `build-config.sh` in later versions. In such case, please follow the docs to add the missing entries in `build-config.sh` and rebuild dstack.\n\n### Error: Operation not permitted when building guest image\n\nWhen running `../build.sh guest`, you might encounter this error:\n\n```\nTraceback (most recent call last):\n File \"/meta-dstack/poky/bitbake/bin/bitbake-worker\", line 278, in child\n bb.utils.disable_network(uid, gid)\n File \"/meta-dstack/poky/bitbake/lib/bb/utils.py\", line 1696, in disable_network\n with open(\"/proc/self/uid_map\", \"w\") as f:\nPermissionError: [Errno 1] Operation not permitted\n```\n\nThis error occurs because Ubuntu 23.10 and later versions restrict unprivileged user namespaces by default. To fix this, run:\n\n```bash\nsudo sysctl kernel.apparmor_restrict_unprivileged_userns=0\n```\n\nThen try building again. For more information about this restriction, see the [Ubuntu discourse post](https://discourse.ubuntu.com/t/spec-unprivileged-user-namespace-restrictions-via-apparmor-in-ubuntu-23-10/37626).\n\n\n# Contributors\n\nDstack is proudly built by open source and Pi-rateship contributors:\n\n- Phala Network: [Kevin Wang](https://github.com/kvinwang), [Shelven Zhou](https://github.com/shelvenzhou), [Leechael](https://github.com/leechael)\n- Teleport: [Andrew Miller](https://github.com/amiller), [Sxy Sun](https://github.com/sxysun)\n- Flashbots: [Tina](https://github.com/CarboClanC), [Mateusz](https://github.com/Ruteri), [Dmarz](https://github.com/dmarzzz), [Moe](https://github.com/MoeMahhouk)\n- Ithaca: [Georgios](https://github.com/gakonst)\n- Fabric: [@gaoist](https://x.com/gaoist)\n- And many more...\n\nThe inspiration for this work stems from [Andrew Miller](https://github.com/amiller)’s pioneering concept of a [Docker-based P2P TEE SDK](https://collective.flashbots.net/t/dstack-speedrunning-a-p2p-confidential-vm/3876).\n\nThis project cannot be built without standing on the shoulders of giants:\n\n- [konvera/meta-confidential-compute](https://github.com/konvera/meta-confidential-compute)\n\nSpecial acknowledgment to [Flashbots](https://github.com/flashbots) for building a community around TEE. The TEE Hacker House initiative, organized by [Flashbots](https://github.com/flashbots) and led by [Tina](https://github.com/CarboClanC), has brought together TEE builders to develop tools for TEE-Web3 integration. This collaborative journey has generated invaluable insights for advancing secure, confidential environments within Web3.\n\nTogether, we’re shaping the future of TEE in Web3, paving the way for more secure and developer-accessible confidential computing!\n\nFor a full list of the direct contributors to this repo, see [Contributors](https://github.com/Dstack-TEE/dstack/contributors) on GitHub.\n\n\n# License\n\nCopyright 2024 Phala Network and Contributors.\n\nLicensed under the Apache License, Version 2.0 (the \"License\"); you may not use this file except in compliance with the License. You may obtain a copy of the License at\n\n[http://www.apache.org/licenses/LICENSE-2.0](http://www.apache.org/licenses/LICENSE-2.0)"
},
{
"type": "text",
"text": "main.pdf\nDstack: A Zero Trust Framework for Confidential Containers\nJune 23, 2025\nAbstract\nWeb3 applications require execution platforms that maintain confidentiality and integrity with-\nout relying on centralized trust authorities. While Trusted Execution Environments (TEEs) offer\npromising capabilities for confidential computing, current implementations face significant limita-\ntions in security reliability, censorship resistance, and vendor independence when applied to Web3\ncontexts. This paper presents Dstack, a comprehensive framework that transforms raw TEE tech-\nnology into a true Zero Trust platform aligned with Web3 principles. We introduce three key\ninnovations: (1) Portable Confidential Containers that enable seamless workload migration across\nheterogeneous TEE environments while maintaining security guarantees, (2) Decentralized Code\nManagement that leverages smart contracts for transparent governance of TEE applications, and\n(3) Verifiable Domain Management that ensures secure and verifiable application identity without\ncentralized authorities. Through these innovations, implemented via Dstack-OS, Dstack-KMS, and\nDstack-Gateway components, we demonstrate how to achieve both the performance advantages of\nVM-level TEE solutions and the trustless guarantees required by Web3 applications. Our evalu-\nation shows that Dstack provides comprehensive security guarantees while maintaining practical\nusability for real-world applications.\n1 Introduction\nThe Web3 ecosystem represents a paradigm shift in digital trust models, fundamentally transforming\nthe relationship between users and application developers. Unlike traditional systems, Web3 empowers\nusers with unprecedented control over their data through the principle of ”Code is Law” - once deployed,\ncode operates autonomously and independently of external control. This transformation demands\nrobust execution platforms that maintain confidentiality and integrity without relying on centralized\ntrust authorities.\nFigure 1: The evolution of trust models from Web2 to Web3, highlighting the shift from centralized control\nto decentralized governance and execution.\nThe contrast between Web2 and Web3 architectures in Figure 1 illustrates this fundamental shift.\nIn Web2 systems, developers maintain complete control through proprietary applications and central-\nized servers, retaining administrative privileges to access and modify user data at will. Web3’s smart\n1\ncontracts, however, represent the first significant step toward true trustlessness by executing pro-\ngrams on decentralized platforms (blockchains). Once deployed, administrators cannot influence pro-\ngram execution, and lifecycle management (e.g., code updates) follows predefined agreements through\ndemocratic governance mechanisms like multi-signature wallets and Decentralized Autonomous Orga-\nnizations (DAOs). This emerging trust model extends beyond basic applications to mission-critical\nscenarios such as AI model training, where data providers and model developers often have competing\ninterests, and autonomous AI agents designed to operate independently of human intervention. In\nthese contexts, Zero Trust platforms become essential to host applications and enforce verification\nmechanisms that appropriately constrain developer authority.\nA Zero Trust platform must enforce the following key principles:\n• Code is Law: This manifests in two dimensions: (1) the application logic, once deployed, cannot\nbe changed unexpectedly; and (2) the lifecycle management of code—including deployment,\nupgrades, and deletion—follows predefined governance rules.\n• Censorship Resistance: User data remains beyond the control of any single entity, with data\navailability protected against Denial-of-Service attacks.\n• Full Chain-of-Trust: When users interact with applications on a Zero Trust platform, they\nmust be able to verify all aspects of that application, including network setup, application identity\nand code logic, underlying hardware, and execution environment.\n• Assume Breach: The platform operates under the assumption that compromises will occur,\nimplementing mechanisms for damage containment, rapid recovery, and minimization of data\nexposure during security incidents.\nConfidential Computing, particularly through Trusted Execution Environments (TEEs), has emerged\nas a promising foundation for extending blockchain capabilities to support complex computational tasks\nwith confidentiality guarantees. Recent advances in VM-level TEE solutions, including Intel TDX and\nAMD SEV, have demonstrated substantial performance improvements and developer-friendly inter-\nfaces, making them compelling candidates for Web3 deployment. The integration of GPUs within\nTEEs [?] now enables verifiable execution of both Large Language Models and AI agents, providing\ncryptographic guarantees of computational integrity.\nHowever, a significant gap exists between raw TEE technology and the requirements of a true Zero\nTrust platform. Current TEE implementations face several critical limitations when applied to Web3\ncontexts:\n• Security Reliability: Recent vulnerability discoveries in TEE systems have raised significant con-\ncerns about their effectiveness as trust anchors. The persistence of side-channel attacks and\nmicro-architectural vulnerabilities undermines confidence in TEE security guarantees, particu-\nlarly for high-value Web3 applications where a single compromise could lead to catastrophic data\nexposure.\n• Censorship Vulnerability: Conventional TEE encryption schemes bind encryption keys to spe-\ncific hardware instances, creating single points of failure that contradict Web3’s requirement\nfor censorship resistance. This architectural limitation means that data availability cannot be\nguaranteed if specific hardware instances are compromised or become unavailable.\n• Vendor Dependencies: Current trust models heavily rely on centralized hardware manufacturers\nand verification processes, introducing risks of vendor lock-in and potential censorship vectors.\nThis centralization contradicts Web3’s core principles of decentralization and trustlessness.\n• Incomplete Verifiability: While TEEs provide Remote Attestation capabilities to verify applica-\ntion and hardware identity, they fail to deliver the comprehensive chain of trust required in Zero\nTrust environments. Users need guarantees that programs will process their data as expected\nand cannot be modified without proper authorization—capabilities beyond current attestation\nmechanisms.\nTo bridge this gap between raw TEE technology and Zero Trust requirements, we present Dstack,\na comprehensive framework for confidential containers that introduces three key innovations:\n2\n• Portable Confidential Container: Our architecture enables seamless migration of confidential\nworkloads across different TEE instances and hardware vendors, significantly reducing vendor\nlock-in risks while maintaining robust security guarantees. This innovation directly addresses the\ncensorship vulnerability and vendor dependency limitations by providing hardware abstraction\nand state continuity across heterogeneous TEE environments.\n• Decentralized Code Management: We implement a comprehensive governance framework\nthat leverages smart contracts for transparent and decentralized management of TEE applica-\ntions. This system ensures verifiable deployment and upgrade processes, enforcing the “Code\nis Law” principle by binding application lifecycles to on-chain governance decisions. This inno-\nvation addresses the incomplete verifiability limitation by creating an immutable audit trail of\napplication changes.\n• Verifiable Domain Management: Our novel approach to certificate management ensures that\nconfidential containers can exclusively control domains and provide native HTTPS support to\nTEE applications without relying on centralized authorities. This system serves as a middleware\nbetween TEE applications and existing TLS-based networks, enabling users to establish end-to-\nend encrypted channels to TEE applications without modifications to client software.\nThese innovations are implemented through a cohesive system architecture comprising three core\ncomponents:\n• Dstack-OS: A hardware abstraction layer with a minimized operating system image that elimi-\nnates differences in underlying TEE hardware while reducing the attack surface. This component\nprovides a consistent, secure runtime environment across diverse TEE implementations.\n• Dstack-KMS: A blockchain-controlled key management service that replaces hardware-based\nencryption schemas with an independent service for generating and managing secret keys. This\ncomponent enables secure data migration across TEE instances and supports key rotation to\nprovide forward and backward data secrecy, mitigating the impact of potential TEE compromises.\n• Dstack-Ingress and Dstack-Gateway: Complementary systems providing TEE-controlled domain\nmanagement through different approaches—Dstack-Ingress enables applications to specify cus-\ntom domains with minimal integration requirements, while Dstack-Gateway offers pre-registered\nwildcard domains requiring no application code changes.\nBy addressing the critical limitations of current TEE implementations, Dstack establishes a compre-\nhensive framework that transforms raw TEE technology into a true Zero Trust platform aligned with\nWeb3’s fundamental principles. Our approach not only enhances the security and reliability of confi-\ndential computing but also provides a practical path toward truly decentralized, censorship-resistant\ninfrastructure for next-generation applications.\nThe remainder of this paper details the technical design of Dstack, evaluates its performance and\nsecurity characteristics, and demonstrates how our innovations collectively create a Zero Trust platform\nthat maintains the performance advantages of VM-level TEE solutions while addressing their inherent\nlimitations in Web3 contexts.\n2 System Design\n2.1 Portable Confidential Container\nContainerization has transformed cloud-native application deployment by providing unparalleled porta-\nbility and scalability through effective data separation. These capabilities are particularly critical for\nTrusted Execution Environment (TEE) applications, as they directly address the inherent limitations\noutlined in Section 1:\n• Security Reliability: Containerized applications can be efficiently transferred from compro-\nmised TEE hardware to secure instances, preserving code integrity. Together with our secure\ndata migration mechanism that ensures both forward and backward secrecy, this approach sig-\nnificantly limits privacy leakage risks even when individual TEE instances are compromised.\n3\nFigure 2: The architecture of Dstack, including Dstack-OS and Dstack-KMS. Dstack-OS provides a hardware\nabstraction layer with a minimized operating system image, while Dstack-KMS replaces the hardware-based\ndata encryption keys with a blockchain-controlled key management service. TODO: redraw this to put the\ncomponents into solutions.\n• Censorship Resistance: The architecture’s inherent scalability provides robust defense against\nDenial-of-Service attacks. Additionally, by decoupling data storage from execution environments,\nestablished data availability solutions can be readily integrated to ensure persistent access to\napplication data.\n• Vendor Independence: Our hardware abstraction layer enables confidential containers to\noperate across diverse TEE hardware platforms without modification, eliminating vendor lock-in\nwhile facilitating rapid adoption of emerging TEE technologies as they become available.\nHowever, implementing truly portable confidential containers presents substantial technical chal-\nlenges that differentiate them from conventional containerization. Two fundamental obstacles must be\novercome:\nFirst, existing TEE implementations generate data sealing keys derived from hardware-bound root\nkeys unique to each TEE instance. This architectural design creates an inherent barrier to portability\n— data encrypted by one TEE instance cannot be decrypted by any other, even when running identical\napplication code. Prior research has largely circumvented this limitation by restricting TEEs to state-\nless applications, but this approach severely constrains their utility in complex real-world scenarios.\nSecond, TEE implementations from different vendors impose disparate specifications for deploy-\nable programs. This fragmentation forces developers to create and maintain multiple artifacts across\nplatforms, each requiring separate (and expensive) code reviews to verify functional equivalence — a\nprocess that undermines the trust guarantees central to Web3 applications.\nTo address these challenges comprehensively, we introduce two complementary components: Dstack-\nKMS and Dstack-OS.\n2.1.1 Dstack-KMS: Blockchain-Controlled Secret Derivation\nDstack-KMS is a secret derivation service that fundamentally transforms how encryption keys are\nmanaged in confidential computing environments. Its primary function is to generate a unique and\nstable secret (the Root Key ) for each application based on its code and configurations. This root key\n4\nserves as the foundation for deriving additional application-specific secrets used for data encryption\nand verifiable random number generation.\nUnlike hardware-based encryption approaches, Dstack-KMS deliberately decouples key generation\nfrom specific TEE hardware instances. This architectural decision enables the critical capability of\nencrypted data migration between different TEE instances, with decryption possible after\nproper authorization. This feature is essential for achieving true censorship resistance.\nGiven its position as the root-of-trust for the entire system, the verifiability and availability of\nDstack-KMS are paramount. Unlike previous approaches [?] that assume TEE infallibility, our threat\nmodel explicitly acknowledges that TEEs can be compromised. To address this reality, Dstack-\nKMS implements comprehensive key rotation capabilities that provide both backward and forward\nsecrecy for application data. This ensures that even if a specific TEE hardware instance is compromised,\napplications can be migrated with limited data exposure.\nFigure 3: The key derivation hierarchy of Intel SGX illustrates how conventional TEE implementations bind\nencryption keys to hardware.\nTo understand the limitations of conventional approaches, Figure 3 illustrates the key derivation\nhierarchy in Intel SGX. This design uses a hardware-bound key to both identify the TEE instance (for\nRemote Attestation) and generate encryption keys for data sealing. While this approach effectively\nestablishes hardware identity, it fundamentally undermines censorship resistance:\n• The root key cannot be updated, meaning a compromised TEE with a leaked root key remains\npermanently vulnerable even after patching the underlying vulnerability.\n• Encrypted data becomes intrinsically bound to specific TEE hardware instances, creating single\npoints of failure that contradict Web3’s censorship resistance requirements.\nOur Dstack-KMS addresses these limitations by delegating secret generation to an independent\nservice that ensures encrypted data remains portable across TEE instances.\nAs illustrated in Figure 4, Dstack-KMS comprises an on-chain governance smart contract coupled\nwith an off-chain peer-to-peer network where the actual secret derivation service operates. To ensure\ncomprehensive verifiability of the Dstack-KMS program’s integrity and correctness, we implement a\nmulti-stage verification process:\n1. The Dstack-KMS codebase is fully open-sourced [?], enabling thorough code and security reviews\nto verify key management logic and ensure the absence of backdoors.\n5\nFigure 4: The architecture of Dstack-KMS combines on-chain governance through smart contracts with an\noff-chain P2P network of secret derivation service nodes. This design ensures both verifiability and resilience\nagainst compromise.\n2. Executable binaries are produced through reproducible build processes, allowing verifiers to\nconfirm that the runtime code matches the reviewed source code.\n3. The cryptographic digest of valid executables is published through the governance smart contract,\ncreating an immutable reference for verification.\n4. Each service node operates within its own TEE instance. Critically, we rely on the TEE solely for\nmeasuring the executable and ensuring it matches the on-chain digest—not for the fundamental\nsecurity of the key management process.\nThis verification framework ensures that Dstack-KMS remains trustworthy to any third-party verifier\nwhile avoiding dependency on the absolute security of any single TEE instance.\nThe core logic of each Dstack-KMS service node is intentionally minimalist, focusing exclusively on\nthe generation and secure distribution of the root key, along with deriving encryption keys for TEE\napplications. This simplicity enables the implementation of Multi-Party Computation (MPC) based\nthreshold key generation and derivation without concerning performance overhead. We have developed\ntwo complementary implementations:\n• Simple Duplication: The first node in the P2P network generates a cryptographically secure\nrandom number as the root key, then shares it with other nodes after verifying their attestation\nreports. All nodes maintain identical copies of the root key and derive consistent encryption keys\nfor applications. This approach maximizes availability—as long as at least one node remains\noperational, the root key can be recovered.\n• MPC-Based Key Generation: While simple duplication provides robust availability, it cre-\nates vulnerability to single-node compromises. Our MPC implementation uses Shamir’s Secret\nSharing scheme [?] to distribute the root key across multiple nodes, ensuring that compromising\nany individual node (or even up tot− 1 nodes, wheret is the configured threshold) does not\nexpose the root key. This approach also enables advanced features like key rotation without\nrequiring application reconfiguration.\nKey Derivation Dstack-KMS implements a comprehensive key derivation framework to generate\napplication-specific keys from the root key:\n• Application CA Key: Derived from the root CA key using the application’s unique identifier\n(calculated as the hash of the application’s code and configuration).\n• Disk Encryption Key: Derived using a combination of the application identifier and instance\nidentifier, enabling secure storage with portability.\n6\n• Environment Encryption Key: Derived using the application identifier alone, allowing secure\nenvironment variable management across instances.\n• ECDSA Key: Derived from the root ECDSA key, providing applications with consistent cryp-\ntographic identity for signing operations.\nEach derived key maintains cryptographic isolation while ensuring consistency across different TEE\ninstances running the same application.\nKey Rotation A critical security feature of Dstack-KMS is its support for key rotation, which signif-\nicantly limits the exposure window during potential attacks while ensuring both forward and backward\nsecrecy for sealed data. Key rotation procedures are initiated exclusively through the governance smart\ncontract, ensuring transparency and auditability. We discuss two distinct rotation mechanisms:\n• Root Key Share Rotation: Our MPC-based implementation enables rotation of individual\nkey shares without modifying the root key itself. This process enhances root key security by\nregularly updating the distribution mechanism while remaining transparent to applications, as\nall derived application keys remain unchanged.\n• Root Key Rotation: In scenarios where the root key may have been compromised, we support\ncomplete root key rotation. This process generates an entirely new root key and implements a\ncontrolled handover period during which both old and new keys remain valid. This transition\nwindow allows applications to re-encrypt their data with keys derived from the new root key\nbefore the old root key is permanently destroyed, minimizing service disruption while enhancing\nsecurity.\nThrough these mechanisms, Dstack-KMS provides the foundation for truly portable confidential con-\ntainers by decoupling encryption from hardware dependencies while maintaining robust security guar-\nantees.\n2.1.2 Dstack-OS: Hardware Abstraction Layer\nDstack-OS provides a comprehensive hardware abstraction layer with a minimized operating system\nimage that bridges the gap between application containers and VM-level TEE implementations. This\nlayer enables applications to deploy across diverse TEE environments without code modifications while\nmaintaining security integrity. As a shared component across all TEE applications, Dstack-OS must be\nintrinsically secure and verifiable, with no administrative backdoors that could compromise program\ncode or user data.\nVM-level TEE solutions typically require developers to provide complete system images encom-\npassing bootloader, kernel, operating system, and application components. This requirement not\nonly increases development complexity but also introduces potential security vulnerabilities through\nmisconfigured system components. A secure and properly configured operating system environment\nfundamentally determines the security baseline for all TEE applications built upon it.\nFigure 5 illustrates how Dstack-OS establishes a secure and verifiable startup chain from the TEE\nhardware foundation through to user-provided container images. Our modular design ensures that the\nmajority of the system can be reused across different TEE hardware implementations, substantially\nreducing the effort required for code review and security auditing. Combined with reproducible build\nprocesses, this approach enables comprehensive verification of Dstack-OS with minimal overhead while\nsupporting multiple TEE hardware platforms.\nUsing Intel TDX as an exemplar (with similar procedures applicable to other TEE implementa-\ntions like AMD SEV), Dstack-OS consists of the following components, presented in boot sequence\norder. During this process, each component measures the next one and records these measurements\nin hardware registers, which are ultimately incorporated into the TEE attestation report:\n• Hypervisor: When application deployment initiates, the underlying hypervisor (the TDX mod-\nule) loads the Open Virtual Machine Firmware (OVMF), enabling UEFI support for confidential\nvirtual machines. The TDX module measures the OVMF code and records its cryptographic\ndigest in the MRTD register, with the hypervisor’s integrity guaranteed by the TEE hardware\nitself.\n7\nFigure 5: The architecture of Dstack-OS establishes a secure and verifiable startup chain from TEE hardware\nthrough to user applications.\n• Open Virtual Machine Firmware (OVMF): The OVMF configures virtual machine hard-\nware specifications (CPU, memory, and device configurations) and records the configuration\nmeasurement to the RTMR0 register. It then loads the Linux kernel and records the kernel\nimage measurement to the RTMR1 register.\n• Kernel: The kernel first loads an initial ramdisk (initrd) — a temporary in-memory filesystem\ncontaining minimal command-line tools and disk encryption libraries. The initrd mounts the\nroot filesystem and records this measurement in the RTMR2 register.\n• Root Filesystem: The root filesystem (RootFs) is a read-only environment containing essential\nsystem libraries and tools. It manages the entire lifecycle of deployed applications, measuring\napplication images along with their associated key management system and storing these mea-\nsurements in the RTMR3 register. The RootFs serves two primary functions: (1) providing\nthe runtime environment for user-level container images, and (2) managing application data en-\ncryption. It interfaces with Dstack-KMS to acquire encryption secrets and implements Linux\nUnified Key Setup (LUKS) to encrypt application data in isolated volumes. Data integrity is\nensured through dm-verity, a Merkle-tree-based block-level verification tool. Finally, the RootFs\nconfigures network ingress for the application and initiates execution.\nRather than adapting existing system images, we built Dstack-OS from scratch to ensure only es-\nsential components are included in both the initrd and RootFs. A comprehensive component inventory\nis provided in Appendix ?? for transparency and review. Generally, Dstack-OS includes only basic\nutilities (busybox), filesystem support, and container runtime components. By implementing Docker\nsupport while delegating orchestration to the application level, we maintain a minimal base image\nfootprint.\nTo ensure comprehensive verifiability, Dstack-OS is fully open-sourced and supports reproducible\nbuilds, allowing anyone to review the code and generate identical artifacts for verification. This\napproach provides significant benefits for applications requiring security reviews, as evaluators need\nonly review the application code rather than the entire system image.\nData Backup and Defense against Rollback Attacks A critical challenge in confidential com-\nputing is ensuring data durability and integrity, particularly against rollback attacks where adversaries\nattempt to revert applications to previous states to bypass security checks or reuse expired secrets.\nOur architecture provides robust secure data backup support and implements robust anti-rollback\nmechanisms that application developers can integrate:\n• Secure Backup: Application data is encrypted using keys derived from Dstack-KMS and can\nbe backed up to external storage providers. Since encryption keys are not bound to specific TEE\n8\ninstances, data can be restored on any authorized TEE, supporting true portability and disaster\nrecovery.\n• Monotonic Counters: To prevent rollback attacks, developers can implement monotonic coun-\nters that increment with each critical data update, incorporating the counter value into the en-\ncrypted data. During restoration, applications verify that the counter value equals or exceeds\nthe last known value, preventing replay of outdated snapshots.\nBy combining these techniques, Dstack ensures both the recoverability and integrity of confidential\ndata across portable container migrations and backup scenarios.\nTogether, Dstack-KMS and Dstack-OS provide the foundational infrastructure for truly portable\nconfidential containers that maintain security and integrity across heterogeneous TEE environments\nwhile eliminating vendor lock-in and supporting comprehensive verifiability.\n2.2 Decentralized Code Management\nA core principle of Zero Trust platforms is the enforcement of “Code is Law”, ensuring that application\ncode operates as intended without unexpected modifications. While TEE hardware provides code\nintegrity guarantees during execution, it cannot independently prevent administrators from deploying\nmalicious code or making unauthorized modifications. Conversely, smart contracts have established\nrobust methodologies for implementing programmable governance over code lifecycle management —\nsuch as multi-signature requirements that prevent single-actor manipulation.\nOur decentralized code management framework bridges these two worlds by placing TEE ap-\nplication governance under smart contract control, creating a transparent and auditable system for\napplication deployment and updates that aligns with Web3 principles.\nFigure 6: The architecture of decentralized code management integrates on-chain governance contracts with\noff-chain TEE through Dstack-KMS.\nAs illustrated in Figure 6, our architecture consists of two complementary components: on-chain\ngovernance smart contracts and off-chain TEE execution environments connected through Dstack-\nKMS. This design establishes the on-chain contracts as the definitive root-of-trust for the entire system.\nEvery operation — from initial deployment to code upgrades — must first be initiated and authorized\nthrough the governance contracts before off-chain TEE instances can execute these operations.\nThe governance framework implements a two-tier structure:\n• KmsAuth Contract: Serves as the global authority controlling Dstack-KMS operations. This\ncontract maintains the registry of authorized applications and their governance parameters, en-\nforcing system-wide policies for TEE deployment. By controlling whether Dstack-KMS shares\n9\napplication secrets with specific TEE instances, the KmsAuth contract effectively determines\nwhether applications can decrypt their data, thus controlling their complete lifecycle.\n• AppAuth Contracts: Individual governance contracts deployed for each application that de-\nfine application-specific management rules. These contracts specify permissible code versions\n(through cryptographic hashes), authorized TEE instance identities, and upgrade approval re-\nquirements. This modular approach enables customized governance models ranging from tradi-\ntional multi-signature schemes to complex DAO voting mechanisms, allowing each application\nto implement governance appropriate to its requirements.\nThe enforcement mechanism operates through Dstack-KMS, which will only provide application\nsecrets to TEE instances running code versions explicitly authorized by the governance contracts.\nThis creates a cryptographically enforced governance system where unauthorized code versions cannot\naccess application data, regardless of administrative privileges.\nTo illustrate this mechanism, consider a code upgrade process for an application using a multi-\nsignature AppAuth contract in Figure 6:\n1. Developers publish the new code version and submit its cryptographic hash to the AppAuth\ncontract.\n2. The contract initiates the approval process, requiring signatures from designated key holders\n(e.g., core developers, security auditors, and community representatives).\n3. Each signature is recorded on-chain, creating an immutable audit trail of the approval process.\n4. Once the required signature threshold is reached, the AppAuth contract updates its registry of\nauthorized code versions.\n5. The KmsAuth contract, monitoring the AppAuth contract, updates its authorization records\naccordingly.\n6. Dstack-KMS, which continuously synchronizes with the KmsAuth contract, begins providing\napplication secrets to TEE instances running the newly approved code version.\n7. TEE instances can now deploy the new code with full access to encrypted application data.\nThis process ensures that every code change follows predefined governance rules with complete trans-\nparency. The on-chain approval records create an immutable audit trail that allows users to verify\nthe entire history of application changes, while the cryptographic enforcement through Dstack-KMS\nguarantees that only properly authorized code can access application data.\nBy combining the code integrity guarantees of TEEs with the transparent governance capabilities\nof smart contracts, our decentralized code management framework ensures that applications truly\nembody the ”Code is Law” principle. Every aspect of the application lifecycle—from initial deployment\nto version updates and potential retirement—follows predefined, transparent rules that cannot be\ncircumvented by any single entity, including the platform operators themselves.\n2.3 Verifiable Domain Management\nA complete Zero Trust platform must enable seamless verification for users across both Web3 and\ntraditional Web2 environments. Our Verifiable Domain Management system completes the chain-\nof-trust by allowing standard Web browsers to cryptographically verify TEE applications without\nrequiring any client-side modifications or specialized knowledge.\nThis capability is critical for mainstream adoption, as it allows users to interact with confiden-\ntial applications using familiar tools while maintaining the same security guarantees provided by the\nunderlying TEE infrastructure. We implement this through two complementary components—Dstack-\nIngress and Dstack-Gateway—both leveraging our novel Zero Trust TLS (ZT-TLS) protocol.\nThe fundamental innovation in ZT-TLS is establishing cryptographic proof that a specific TLS\ncertificate (and therefore a domain) is exclusively controlled by a verified TEE application. This\ncreates a verification chain extending from the blockchain to standard HTTPS connections, enabling\nusers to confirm application authenticity through familiar security indicators in their browsers.\n10\nFigure 7: The Zero Trust TLS architecture establishes a cryptographically verifiable connection between\nstandard web browsers and TEE applications through blockchain-anchored certificate management.\n2.3.1 Zero Trust TLS Protocol\nThe ZT-TLS protocol addresses a critical challenge: how to cryptographically bind a domain to a\nspecific TEE application in a way that prevents unauthorized certificate issuance or domain hijacking.\nOur solution integrates three key components:\n• TEE-Generated Certificates: The TEE application (specifically Dstack-Gateway) generates\nits TLS certificate using application secrets derived from Dstack-KMS. This ensures the private\nkey never exists outside the TEE environment and creates a cryptographic link between the\non-chain governance and the TLS certificate.\n• Certificate Authority Authorization (CAA): We leverage DNS CAA records to restrict\nwhich certificate authorities can issue certificates for managed domains. By configuring CAA\nrecords to only authorize certificates from specific issuers (which verify TEE attestation), we\nprevent unauthorized certificate issuance through alternative validation methods.\n• Certificate Transparency (CT) Monitoring: To protect against unauthorized DNS record\nmodifications, we implement continuous monitoring of Certificate Transparency logs. This allows\ndetection of any unauthorized certificates and provides an immutable audit trail of certificate\nissuance history.\n2.3.2 Implementation Components\nWe provide two complementary implementations to accommodate different application requirements:\n• Dstack-Gateway: A fully managed reverse proxy running within a TEE that provides imme-\ndiate domain verification with zero application code changes. Applications register with Dstack-\nGateway through a simple API call, during which Dstack-Gateway verifies the application’s re-\nmote attestation report. Once verified, applications receive a subdomain under a pre-registered\nwildcard domain (e.g., app-id.Dstack.com), with all TLS termination and certificate manage-\nment handled automatically.\n• Dstack-Ingress: A more flexible solution for applications requiring custom domain names.\nDstack-Ingress provides libraries and services that enable applications to manage their own TLS\ncertificates while maintaining the same verification guarantees. This approach requires minimal\nintegration work while supporting application-specific domain requirements.\n11\nBoth implementations ensure that certificates are cryptographically bound to verified TEE environ-\nments, with the verification chain extending from the blockchain governance contracts through to the\nTLS certificates presented to users’ browsers.\n2.3.3 Security Guarantees and Protections\nOur Verifiable Domain Management system provides several critical security guarantees:\n• Certificate Provenance Verification: Users can verify that the TLS certificate presented by\nan application was issued to a legitimate TEE environment by checking the certificate against\non-chain records.\n• Domain Binding Integrity: The combination of CAA records and Certificate Transparency\nmonitoring ensures that domains remain bound to their designated TEE applications, preventing\nunauthorized certificate issuance.\n• Tamper-Evident Certificate Changes: Any unauthorized attempts to modify domain con-\nfigurations or issue alternative certificates are detected through Certificate Transparency moni-\ntoring, with alerts propagated to clients.\nWhile we cannot technically prevent all attacks against centralized DNS infrastructure, our multi-\nlayered approach creates a tamper-evident system where unauthorized changes are quickly detected\nand rejected by client verification processes. This approach aligns with the ”Assume Breach” principle\nby implementing defense-in-depth strategies that maintain security even when individual components\nare compromised.\nBy extending the verification chain from blockchain governance through TEE attestation to stan-\ndard TLS certificates, our Verifiable Domain Management system enables seamless integration of Zero\nTrust applications into existing web infrastructure. This creates a practical path for mainstream\nadoption without requiring specialized knowledge or tools from end users, while maintaining the com-\nprehensive security guarantees that define true Zero Trust platforms.\n3 Verifying TEE Applications: A Practical Walkthrough\nTo demonstrate how Dstack fulfills the Zero Trust principles and addresses the challenges outlined in\nSection 1, we present a practical end-to-end verification scenario. This walkthrough illustrates how\nthe architectural components described in Section 2 work together to provide a comprehensive chain\nof trust for real-world Web3 applications.\nTraditional Zero Trust programs like smart contracts achieve verifiability through transparent\nsource code and inputs. However, extending similar verifiability to real-world applications presents\nunique challenges, particularly in maintaining privacy and compatibility with existing development\npractices. Dstack addresses these challenges through a comprehensive verification framework that\nrequires minimal code changes.\nThis section demonstrates Dstack’s complete chain of trust through a practical example: verifying\nthat a cryptographic key was genuinely generated within a TEE environment. This scenario is es-\npecially relevant for Web3 and AI Agent applications where cryptographic keys establish application\nidentity and authority.\n3.1 Threat Model\nOur verification framework assumes the correct implementation and integrity of core Dstack compo-\nnents (Dstack-OS, Dstack-KMS, Dstack-Gateway, and governance contracts). While these components’\nsecurity guarantees are detailed in later sections, we explicitly consider developers and administrators\nas potential adversaries.\nPotential attack vectors include:\n• Application-Level Attacks\n– Deployment of unauthorized or malicious code through falsified Docker images\n12\n– Introduction of malicious dependencies through supply chain attacks\n– Unauthorized application updates that bypass governance controls\n• Infrastructure-Level Attacks\n– Tampering with Dstack-OS to circumvent security controls\n– Deployment of compromised key management services\n– Operation of unpatched or vulnerable TEE firmware\n– Execution of applications on non-TEE hardware with spoofed attestation\n• Network-Level Attacks\n– DNS hijacking to redirect traffic to unauthorized applications\n– Man-in-the-middle attacks on communication channels\nDirect attacks on TEE hardware security (e.g., exploitation of hardware vulnerabilities) are con-\nsidered out of scope for this discussion and addressed separately.\n3.2 The Reproducibility Challenge\nA fundamental challenge in TEE attestation lies in bridging the gap between source code and the\nactual artifacts (binaries or container images) running inside enclaves. While TEE attestation can\nprove that a specific artifact runs within a secure environment, it cannot independently verify that the\nartifact accurately represents its claimed source code.\nThis limitation creates several security risks:\n• Source Code Manipulation: Developers could intentionally deploy artifacts that differ from\npublicly reviewed source code\n• Build Process Compromise: Supply chain attacks could inject malicious code during artifact\ncreation\n• Toolchain Vulnerabilities: As demonstrated by the Ken Thompson Hack, even compiler\ntoolchains could be compromised to inject malicious behavior\nTEE quotes only attest to measurements (cryptographic hashes) of running artifacts. Without\nguarantees that these artifacts accurately represent reviewed source code, users cannot fully trust ap-\nplications even when running in secure enclaves. This challenge affects all TEE applications, including\nDstack’s core components.\nFigure 8: Comprehensive verification chain from source code to running TEE applications\nEstablishing a complete verification chain requires three key elements:\n13\n• Source Code Verification: Open-source code or trusted third-party review ensuring no back-\ndoors exist\n• Build Process Integrity: Reproducible builds allowing independent verification of artifacts\n• Runtime Attestation: TEE quotes proving that verified artifacts are actually running\nTraditional reproducible builds, while ideal, often introduce significant complexity through special-\nized toolchains and build scripts. The following section introduces an alternative approach, In-CC\nBuild, that achieves similar guarantees with improved practicality.\n3.3 Dstack Component Verifiability\nEach core Dstack component implements specific verifiability mechanisms anchored in transparent,\nimmutable records. Table 1 summarizes these mechanisms:\nComponentSourceBuild MethodRegistryVerification\nDstack-OSOpenReproducibleKmsAuthOS Digest\nDstack-KMSOpenIn-CCKmsAuthImage Hash, Root PubKey\nDstack-GatewayOpenIn-CCAppAuthImage Hash\nTable 1: Verifiability mechanisms and trust anchors for Dstack components\nAll components maintain open-source codebases with comprehensive documentation. Dstack-OS, as\nthe foundational component, undergoes third-party security audits and implements fully reproducible\nbuilds.\nThe governance smart contracts serve as authoritative registries, anchoring each component’s trust\nbase:\n• Dstack-OS digests are registered in KmsAuth and managed through multi-signature governance\n• Dstack-KMS measurements and root public keys are recorded in KmsAuth\n• Dstack-Gateway artifacts are verified through dedicated AppAuth contracts\nIn-ConfidentialContainer Build While reproducible builds represent the gold standard for arti-\nfact verification, they often prove impractical for complex applications. Dstack addresses this through\nIn-CC Build, leveraging the verified Dstack-OS as a trusted foundation. The In-CC Build process\nexecutes entirely within Dstack-OS environment, encompassing code fetching, compilation, and arti-\nfact creation. By specifying precise source references (e.g., a snapshot of the codebase), the system\nproduces verifiable artifacts with measurements attested in TEE quotes. This approach minimizes the\ntrusted computing base while eliminating the complexity of traditional reproducible builds.\n3.4 End-to-End Verification Walkthrough\nFrom a user’s perspective, verifying a TEE application in Dstack requires validating a chain of mea-\nsurements against authoritative registries, encompassing the user application, runtime data, Dstack\ncomponents, and network infrastructure. This section walks through the verification process, demon-\nstrating how each step builds upon the previous one to create a comprehensive chain of trust.\nAs shown in Figure 9, the verification chain begins with the KmsAuth smart contract, which serves\nas the root of trust for the entire system, and concludes with the key generation application running\nin a TEE. We explain the verification steps as follows.\nFirst, the address of the Dstack-KMS governance contract (i.e., KmsAuth) is publicly available.\nThe KMS governance contract serves as the authoritative registry for (1) off-chain KMS nodes and\n(2) dedicated governance contracts (i.e., AppAuth) for TEE applications. It is worth noting that the\nDstack-Gateway can be regarded as a special TEE application that attests and forwards requests to\nother user applications while maintaining consistent verification procedures.\nThe KmsAuth contract records both the measurements of off-chain KMS node programs (KMS\ndigest, which is the hash of the docker compose file and the images used in In-CC Build) and the TDX\n14\nFigure 9: The verification chain from authoritative registries to runtime measurements\nQuote of the first KMS node, which acts as the primary key generator. The identities of subsequent\nKMS nodes must first be registered in KmsAuth and verified by the first KMS node before they\ncan participate in key generation. These data, together with the open-source Dstack-KMS codebase,\nallow users to verify the integrity of the KMS nodes and their code correctness. Subsequently, the\noff-chain KMS nodes can be considered trusted extensions and used to verify Quotes from other TEE\napplications, which cannot be achieved by the on-chain governance contract alone. The off-chain\nKMS nodes are responsible for generating and managing cryptographic keys (i.e., the root key) and\nthe corresponding certificates (explained in Section 2.3.1), which are further used to authorize TEE\napplications after they are verified, thereby avoiding redundant verification.\nSecond, users can verify the validity of Dstack-Gateway. By default, this is delegated to the off-\nchain KMS nodes during gateway registration, although users can always request the Quote of the\ngateway and check the digest of its docker compose file in its governance contract and the codebase.\nAfter the KMS nodes verify the gateway, it will generate its application root key along with a certificate\nchain ending with the root certificate.\nNext, users can access the TEE application through Dstack-Gateway forwarding. In this case, users\neffectively delegate the verification of the key generation application to the gateway. The deployment\nof the key generation application starts from the KmsAuth contract. The deployer first registers it\nand stores the digest (the hash of the docker compose file and the images) on the dedicated AppAuth\ncontract. Then, as in the previous step, the off-chain KMS nodes verify the Quote of the application\nafter it is deployed to the TEE and ensure it matches the registered digest. Only after successful\nverification will the key be generated along with the certificate chain. To be forwarded by the gateway,\nthe application must also register with it. In this case, the gateway verifies the application’s certificate\nchain and ensures it shares the same root certificate, indicating authorization by the same KMS.\nFinally, the user can invoke the application and request proof of the key it generated. The applica-\ntion can generate a Quote on demand, with the generated public key included as custom data in the\nQuote.\n15\n3.5 Security Analysis: Mitigating Threats\nOur key generation example demonstrates Dstack’s comprehensive approach to security across multiple\nattack surfaces. At the application level, the system prevents unauthorized code deployment through\nrigorous measurement verification against the AppAuth registry. The In-CC Build process ensures\nall dependencies originate from verified sources, while any updates require new registry entries and\ncomplete re-verification. It is important to note, however, that code audit and review processes remain\nessential for ensuring application code correctness, as the In-CC Build only guarantees the integrity of\nthe build process.\nInfrastructure security is maintained through multiple mechanisms. TDX Quotes verify Dstack-OS\nintegrity, preventing OS-level tampering. KMS updates require multi-signature governance approval,\nsafeguarding against unauthorized changes to key management services. The Quote verification pro-\ncess includes firmware version validation, ensuring applications run on up-to-date TEE hardware.\nHardware-backed TDX Quotes effectively prevent attestation spoofing attempts.\nNetwork-level threats are mitigated through the certificate chain validation system. This prevents\nboth DNS hijacking and man-in-the-middle attacks by ensuring authentic application identity and\nenabling end-to-end encryption with verified certificates. The combination of these security measures\nensures that cryptographic keys maintain their integrity guarantees even when confronted with sophis-\nticated attacks targeting different system layers.\nReferences\n16"
}
]
},
{
"role": "assistant",
"content": "# Project Proposal Template\n\n## General Information\n1.1. Name of Project\nDstack\n\n1.2. Project Description (what it does, why it is valuable, origin and history)\nDstack is a developer-friendly and security-first SDK that simplifies the deployment of arbitrary containerized applications into Trusted Execution Environments (TEEs). It enables developers to securely deploy containerized applications in TEEs in minutes using familiar tools like docker-compose.yaml. Dstack provides safe management of secrets and sensitive data, along with built-in TLS termination for exposed services.\n\nThe project was built by Kevin Wang and others from Phala Network, inspired by Andrew Miller (Flashbots & Teleport), and has received contributions from Nethermind and many others. Dstack addresses the gap between raw TEE technology and Zero Trust platform requirements by providing portable confidential containers, decentralized code management, and verifiable domain management.\n\n1.3. How does this project align with the Consortium's Mission Statement\n[blank]\n\n1.4. Project website URL\nhttps://docs.phala.network/dstack/overview (inferred from documentation references)\n\n1.5. Social media accounts\n[blank]\n\n## Legal Information\n2.1. Project Logo URL or attachment (Vector Graphic: SVG, EPS).\n[blank]\n\n2.2. Project license. We recommend an OSI-approved license, so if the license is not one on the list, explain why.\nApache License, Version 2.0\n\n2.3. Existing financial sponsorship.\n[blank]\n\n2.4. Trademark status.\n[blank]\n\n## Technical Information\n3.1. High level assessment of project synergy with existing projects under the CCC, including how the project compliments/overlaps with existing projects, and potential ways to harmonize over time. Responses may be included both inline and/or in accompanying documentation.\n[blank]\n\n3.2. Describe the Trusted Computing Base (TCB) of the project. If the project supports multiple environments please describe each TCB. Also identify if dependencies of other project (both CCC or non-CCC) TCBs are taken.\nDstack's TCB includes:\n- Dstack-OS: A minimized operating system image that serves as a hardware abstraction layer\n- OVMF (Open Virtual Machine Firmware): Configures VM hardware specifications\n- Linux kernel with initial ramdisk (initrd)\n- Root filesystem with essential system libraries and tools\n- Intel TDX or equivalent TEE hardware as the foundation\n\nThe system establishes a secure and verifiable startup chain from TEE hardware through to user applications, with each component measuring the next and recording measurements in hardware registers that are incorporated into TEE attestation reports.\n\n3.3. Project Code of Conduct URL. We recommend a Contributor Covenant v2.0 based Code of Conduct, so if the Code of Conduct is not based on that, explain why.\n[blank]\n\n3.4. Source control URL\nhttps://github.com/Dstack-TEE/dstack\n\n3.5. Issue tracker URL\nhttps://github.com/Dstack-TEE/dstack/issues (inferred)\n\n3.6. External dependencies (including licenses, and indicate whether each is a build time or runtime dependency)\n- Intel TDX or equivalent TEE hardware (runtime)\n- Linux kernel (runtime)\n- Docker/container runtime (runtime)\n- Busybox (runtime)\n- LUKS for encryption (runtime)\n- Wireguard-tools (build time)\n- Build-essential, chrpath, diffstat, lz4, xorriso (build time)\n- Rust (build time)\n\n3.7. Standards implemented by the project, if any. Include links to any such standards.\n- TLS/HTTPS for secure communications\n- Certificate Transparency (CT) for certificate monitoring\n- Certificate Authority Authorization (CAA) for domain security\n- Remote Attestation for TEE verification\n\n3.8. Release methodology and mechanics\n[blank]\n\n3.9. Names of initial committers, if different from those submitting proposal\nInitial committers include:\n- Kevin Wang (kvinwang)\n- Shelven Zhou (shelvenzhou)\n- Leechael\n\n3.10. List of project's official communication channels (slack, irc, mailing lists)\n[blank]\n\n3.11. Project Security Response Policy\n[blank]\n\n3.12. Preferred maturity level (Incubation, Graduation, or Emeritus)\n[blank]\n\n3.13. Any additional information the TAC and Board should take into consideration when reviewing your proposal.\nDstack includes several key components:\n- dstack-vmm: Service running on bare TDX host to manage CVMs\n- dstack-gateway: Reverse proxy to forward TLS connections to CVMs\n- dstack-kms: KMS server to generate keys for CVMs\n- dstack-guest-agent: Service in CVM to serve containers' key derivation and attestation requests\n- meta-dstack: Yocto meta layer to build CVM guest images\n\nThe project provides innovative solutions for portable confidential containers, decentralized code management, and verifiable domain management, addressing critical limitations in current TEE implementations for Web3 contexts."
},
{
"role": "user",
"content": "This is the Mission Statement, fill in 1.3 with it\n\n```\nThe purpose of the Confidential Computing Consortium is to raise, budget and spend funds in support of various open source and/or open standards projects relating to:\n\ndefining confidential computing and accelerating acceptance and adoption in the market.\ndeveloping open enterprise-grade building blocks (e.g., open specifications and open source licensed projects), including a Confidential Computing portfolio and development experience, to enable easy development and management of enterprise-grade Confidential Computing applications, and\ndefining foundational services and frameworks that are Confidential Computing aware and minimize the need for trust.\n```"
}
]Response:
## General Information
1.3. How does this project align with the Consortium's Mission Statement
Dstack directly aligns with the Confidential Computing Consortium's mission by providing enterprise-grade building blocks for confidential computing applications. It accelerates adoption by making TEE deployment developer-friendly through familiar tools like docker-compose, lowering the barrier to entry. Dstack defines foundational services and frameworks that are Confidential Computing aware through its comprehensive architecture (Dstack-OS, Dstack-KMS, Dstack-Gateway). The project minimizes the need for trust by implementing Zero Trust principles with portable confidential containers, decentralized code management, and verifiable domain management. By enabling seamless deployment of containerized applications in TEEs, Dstack contributes significantly to the development experience and practical adoption of confidential computing in real-world scenarios.
Model: claude-3-7-sonnet-202502192025-06-25 13:03:39
Context:
[
{
"role": "user",
"content": "翻译成中文 Expose services via built-in TLS termination\n"
},
{
"role": "assistant",
"content": "通过内置的 TLS 终止暴露服务"
},
{
"role": "user",
"content": "这里termination应该用的不对"
},
{
"role": "assistant",
"content": "您是对的,我的翻译不够准确。在网络和安全语境中,\"TLS termination\"通常翻译为\"TLS 卸载\"或\"TLS 终结\",表示在某处结束加密连接并处理解密过程。\n\n更准确的翻译应为:\n\n通过内置的 TLS 卸载暴露服务\n\n或\n\n通过内置的 TLS 终结暴露服务"
},
{
"role": "user",
"content": "换回英语"
}
]Response:
Expose services via built-in TLS termination
Model: claude-3-7-sonnet-202502192025-06-25 13:03:24
Context:
[
{
"role": "user",
"content": "翻译成中文 Expose services via built-in TLS termination\n"
},
{
"role": "assistant",
"content": "通过内置的 TLS 终止暴露服务"
},
{
"role": "user",
"content": "这里termination应该用的不对"
}
]Response:
您是对的,我的翻译不够准确。在网络和安全语境中,"TLS termination"通常翻译为"TLS 卸载"或"TLS 终结",表示在某处结束加密连接并处理解密过程。
更准确的翻译应为:
通过内置的 TLS 卸载暴露服务
或
通过内置的 TLS 终结暴露服务
Model: gpt-4o-mini-2024-07-182025-06-25 13:02:57
Context:
[
{
"role": "system",
"content": "You are an assistant who is good at conversation. You need to summarize the user's conversation into a title of 10 characters or less. It should be in the format of \"Action - Title\". Some examples:\n1. Learn - Bitcoin 2. Code - Web Server 3. Write - An Article"
},
{
"role": "user",
"content": "User: 翻译成中文 Expose services via built-in TLS termination\n\nAssistant: 通过内置的 TLS 终止暴露服务"
}
]Response:
Translate - TLS Termination
Model: claude-3-7-sonnet-202502192025-06-25 13:02:56
Context:
[
{
"role": "user",
"content": "翻译成中文 Expose services via built-in TLS termination\n"
}
]Response:
通过内置的 TLS 终止暴露服务
Model: gpt-4o-mini-2024-07-182025-06-25 12:57:38
Context:
[
{
"role": "system",
"content": "You are an assistant who is good at conversation. You need to summarize the user's conversation into a title of 10 characters or less. It should be in the format of \"Action - Title\". Some examples:\n1. Learn - Bitcoin 2. Code - Web Server 3. Write - An Article"
},
{
"role": "user",
"content": "User: Help me fill in the follow template given the project whitepaper and README file.\n\nFor fields with not enough info, leave it \"[blank]\".\n\n```\nProject Proposal Template\n\nGeneral Information\n1.1. Name of Project\n1.2. Project Description (what it does, why it is valuable, origin and history)\n1.3. How does this project align with the Consortium's Mission Statement\n1.4. Project website URL\n1.5. Social media accounts\n\nLegal Information\n2.1. Project Logo URL or attachment (Vector Graphic: SVG, EPS).\n2.2. Project license. We recommend an OSI-approved license, so if the license is not one on the list, explain why.\n2.3. Existing financial sponsorship.\n2.4. Trademark status.\n\nTechnical Information\n3.1. High level assessment of project synergy with existing projects under the CCC, including how the project compliments/overlaps with existing projects, and potential ways to harmonize over time. Responses may be included both inline and/or in accompanying documentation.\n3.2. Describe the Trusted Computing Base (TCB) of the project. If the project supports multiple environments please describe each TCB. Also identify if dependencies of other project (both CCC or non-CCC) TCBs are taken.\n3.3. Project Code of Conduct URL. We recommend a Contributor Covenant v2.0 based Code of Conduct, so if the Code of Conduct is not based on that, explain why.\n3.4. Source control URL\n3.5. Issue tracker URL\n3.6. External dependencies (including licenses, and indicate whether each is a build time or runtime dependency)\n3.7. Standards implemented by the project, if any. Include links to any such standards.\n3.8. Release methodology and mechanics\n3.9. Names of initial committers, if different from those submitting proposal\n3.10. List of project's official communication channels (slack, irc, mailing lists)\n3.11. Project Security Response Policy\n3.12. Preferred maturity level (Incubation, Graduation, or Emeritus) 3.13. Any additional information the TAC and Board should take into consideration when reviewing your proposal.\n```\nAssistant: # Project Proposal Template\n\n## General Information\n1.1. Name of Project\nDstack\n\n1.2. Project Description (what it does, why it is valuable, origin and history)\nDstack is a developer-friendly and security-first SDK that simplifies the deployment of arbitrary containerized applications into Trusted Execution Environments (TEEs). It enables developers to securely deploy containerized applications in TEEs in minutes using familiar tools like docker-compose.yaml. Dstack provides safe management of secrets and sensitive data, along with built-in TLS termination for exposed services.\n\nThe project was built by Kevin Wang and others from Phala Network, inspired by Andrew Miller (Flashbots & Teleport), and has received contributions from Nethermind and many others. Dstack addresses the gap between raw TEE technology and Zero Trust platform requirements by providing portable confidential containers, decentralized code management, and verifiable domain management.\n\n1.3. How does this project align with the Consortium's Mission Statement\n[blank]\n\n1.4. Project website URL\nhttps://docs.phala.network/dstack/overview (inferred from documentation references)\n\n1.5. Social media accounts\n[blank]\n\n## Legal Information\n2.1. Project Logo URL or attachment (Vector Graphic: SVG, EPS).\n[blank]\n\n2.2. Project license. We recommend an OSI-approved license, so if the license is not one on the list, explain why.\nApache License, Version 2.0\n\n2.3. Existing financial sponsorship.\n[blank]\n\n2.4. Trademark status.\n[blank]\n\n## Technical Information\n3.1. High level assessment of project synergy with existing projects under the CCC, including how the project compliments/overlaps with existing projects, and potential ways to harmonize over time. Responses may be included both inline and/or in accompanying documentation.\n[blank]\n\n3.2. Describe the Trusted Computing Base (TCB) of the project. If the project supports multiple environments please describe each TCB. Also identify if dependencies of other project (both CCC or non-CCC) TCBs are taken.\nDstack's TCB includes:\n- Dstack-OS: A minimized operating system image that serves as a hardware abstraction layer\n- OVMF (Open Virtual Machine Firmware): Configures VM hardware specifications\n- Linux kernel with initial ramdisk (initrd)\n- Root filesystem with essential system libraries and tools\n- Intel TDX or equivalent TEE hardware as the foundation\n\nThe system establishes a secure and verifiable startup chain from TEE hardware through to user applications, with each component measuring the next and recording measurements in hardware registers that are incorporated into TEE attestation reports.\n\n3.3. Project Code of Conduct URL. We recommend a Contributor Covenant v2.0 based Code of Conduct, so if the Code of Conduct is not based on that, explain why.\n[blank]\n\n3.4. Source control URL\nhttps://github.com/Dstack-TEE/dstack\n\n3.5. Issue tracker URL\nhttps://github.com/Dstack-TEE/dstack/issues (inferred)\n\n3.6. External dependencies (including licenses, and indicate whether each is a build time or runtime dependency)\n- Intel TDX or equivalent TEE hardware (runtime)\n- Linux kernel (runtime)\n- Docker/container runtime (runtime)\n- Busybox (runtime)\n- LUKS for encryption (runtime)\n- Wireguard-tools (build time)\n- Build-essential, chrpath, diffstat, lz4, xorriso (build time)\n- Rust (build time)\n\n3.7. Standards implemented by the project, if any. Include links to any such standards.\n- TLS/HTTPS for secure communications\n- Certificate Transparency (CT) for certificate monitoring\n- Certificate Authority Authorization (CAA) for domain security\n- Remote Attestation for TEE verification\n\n3.8. Release methodology and mechanics\n[blank]\n\n3.9. Names of initial committers, if different from those submitting proposal\nInitial committers include:\n- Kevin Wang (kvinwang)\n- Shelven Zhou (shelvenzhou)\n- Leechael\n\n3.10. List of project's official communication channels (slack, irc, mailing lists)\n[blank]\n\n3.11. Project Security Response Policy\n[blank]\n\n3.12. Preferred maturity level (Incubation, Graduation, or Emeritus)\n[blank]\n\n3.13. Any additional information the TAC and Board should take into consideration when reviewing your proposal.\nDstack includes several key components:\n- dstack-vmm: Service running on bare TDX host to manage CVMs\n- dstack-gateway: Reverse proxy to forward TLS connections to CVMs\n- dstack-kms: KMS server to generate keys for CVMs\n- dstack-guest-agent: Service in CVM to serve containers' key derivation and attestation requests\n- meta-dstack: Yocto meta layer to build CVM guest images\n\nThe project provides innovative solutions for portable confidential containers, decentralized code management, and verifiable domain management, addressing critical limitations in current TEE implementations for Web3 contexts."
}
]Response:
Fill - Proposal
Model: claude-3-7-sonnet-202502192025-06-25 12:57:37
Context:
[
{
"role": "user",
"content": [
{
"type": "text",
"text": "Help me fill in the follow template given the project whitepaper and README file.\n\nFor fields with not enough info, leave it \"[blank]\".\n\n```\nProject Proposal Template\n\nGeneral Information\n1.1. Name of Project\n1.2. Project Description (what it does, why it is valuable, origin and history)\n1.3. How does this project align with the Consortium's Mission Statement\n1.4. Project website URL\n1.5. Social media accounts\n\nLegal Information\n2.1. Project Logo URL or attachment (Vector Graphic: SVG, EPS).\n2.2. Project license. We recommend an OSI-approved license, so if the license is not one on the list, explain why.\n2.3. Existing financial sponsorship.\n2.4. Trademark status.\n\nTechnical Information\n3.1. High level assessment of project synergy with existing projects under the CCC, including how the project compliments/overlaps with existing projects, and potential ways to harmonize over time. Responses may be included both inline and/or in accompanying documentation.\n3.2. Describe the Trusted Computing Base (TCB) of the project. If the project supports multiple environments please describe each TCB. Also identify if dependencies of other project (both CCC or non-CCC) TCBs are taken.\n3.3. Project Code of Conduct URL. We recommend a Contributor Covenant v2.0 based Code of Conduct, so if the Code of Conduct is not based on that, explain why.\n3.4. Source control URL\n3.5. Issue tracker URL\n3.6. External dependencies (including licenses, and indicate whether each is a build time or runtime dependency)\n3.7. Standards implemented by the project, if any. Include links to any such standards.\n3.8. Release methodology and mechanics\n3.9. Names of initial committers, if different from those submitting proposal\n3.10. List of project's official communication channels (slack, irc, mailing lists)\n3.11. Project Security Response Policy\n3.12. Preferred maturity level (Incubation, Graduation, or Emeritus) 3.13. Any additional information the TAC and Board should take into consideration when reviewing your proposal.\n```"
},
{
"type": "text",
"text": "README.md\n# Dstack\n\n[](https://deepwiki.com/Dstack-TEE/dstack)\n\nDstack is a **developer friendly** and **security first** SDK to simplify the deployment of arbitrary containerized apps into TEE.\n\nMain features:\n\n- 🔒 Deploy containerized apps securely in TEE in minutes\n- 🛠️ Use familiar tools - just write a docker-compose.yaml\n- 🔑 Safely manage secrets and sensitive data\n- 📡 Expose services via built-in TLS termination\n\nDstack is community driven. Open sourced and built by [Kevin Wang](https://github.com/kvinwang) and many others from [Phala Network](https://github.com/Phala-Network), inspired by [Andrew Miller](https://github.com/amiller) (Flashbots & Teleport), and contributed by [Nethermind](https://github.com/NethermindEth/nethermind) and [many others](#contributors).\n\n![Alt](https://repobeats.axiom.co/api/embed/0a001cc3c1f387fae08172a9e116b0ec367b8971.svg \"Repobeats analytics image\")\n\n# Overview\n\nComponents in Dstack:\n\n- `dstack-vmm`: A service running in bare TDX host to manage CVMs\n- `dstack-gateway`: A reverse proxy to forward TLS connections to CVMs\n- `dstack-kms`: A KMS server to generate keys for CVMs\n- `dstack-guest-agent`: A service running in CVM to serve containers' key derivation and attestation requests\n- `meta-dstack`: A Yocto meta layer to build CVM guest images\n\nThe overall architecture is shown below:\n\n\n# Directory structure\n\n```text\ndstack/\n kms/ A prototype KMS server\n guest-agent/ A service running in CVM to serve containers' key derivation and attestation requests.\n dstack-util/ A CLI tool in the guest setting up the system, getting TDX quote, extending RTMR, generating cert for RA-TLS, etc.\n vmm/ A service running in bare TDX host to manage CVMs\n gateway/ A reverse proxy to forward TLS connections to CVMs\n certbot/ A tool to automatically obtain and renew TLS certificates for dstack-gateway\n ra-rpc/ RA-TLS support for pRPC\n ra-tls/ RA-TLS support library\n tdx-attest/ Guest library for getting TDX quote and extending RTMR\n```\n\n# Build and play locally\n\n## Prerequisites\n\n- A bare metal TDX server setup following [canonical/tdx](https://github.com/canonical/tdx)\n- Public IPv4 address assigned to the machine\n- At least 16GB RAM, 100GB free disk space.\n- A domain with DNS access if you want to set up `dstack-gateway` for Zero Trust HTTPS\n\n> [!NOTE]\n>\n> This doc assumes you have access to a compatible Intel TDX Server ready to be configured with Dstack. Check the [Hardware Requirements](https://docs.phala.network/dstack/hardware-requirements) for more information on buying a bare metal server or renting a server from OVH. To start learning about Dstack check out the [docs](https://docs.phala.network/dstack/overview).\n>\n> If you are looking to deploy a CVM in minutes, go to the docs to learn how to [sign-up for a Phala Cloud Account](https://docs.phala.network/phala-cloud/getting-started/sign-up-for-cloud-account) and [deploy your first CVM on Dstack]((https://docs.phala.network/phala-cloud/getting-started/start-from-cloud-ui)).\n\n## Install dependencies\n\n```bash\n# for Ubuntu 24.04\nsudo apt install -y build-essential chrpath diffstat lz4 wireguard-tools xorriso\n# install rust\ncurl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sh\n```\n\n## Build and run for local development\n\n### Build the artifacts\n```bash\ngit clone https://github.com/Dstack-TEE/meta-dstack.git --recursive\ncd meta-dstack/\n\nmkdir build\ncd build\n../build.sh hostcfg\n# This outputs the following message:\n# Config file ../build-config.sh created, please edit it to configure the build\n\nvim ./build-config.sh\n```\n\nReview and customize the `build-config.sh` configuration file according to your environment requirements. The file contains network ports, domain settings, and other important parameters. Once configured, run the build script again to generate the necessary artifacts:\n\n```bash\n../build.sh hostcfg\n\n# If everything is okay, you should see the built artifacts in the `build` directory.\n$ ls\ncerts images dstack-kms kms.toml run dstack-vmm vmm.toml dstack-gateway gateway.toml\n```\n\n### Download guest image or build guest image from source\n\n```bash\n# This will download the guest image from the release page.\n../build.sh dl 0.5.2\n```\n\nOr build guest image from source:\n\n```bash\n# This will build the guest image from source using the yocto meta layer. This will take a while.\n../build.sh guest\n```\n\n> **Note on Reproducible Builds**: The build command above does not guarantee reproducibility. For reproducible builds across different build environments, please refer to the [reproducible build instructions](https://github.com/Dstack-TEE/meta-dstack?tab=readme-ov-file#reproducible-build-the-guest-image) in the meta-dstack repository.\n\n### Run components\nNow you can open 3 terminals to start the components:\n\n1. Run `./dstack-kms -c kms.toml`\n2. Run `sudo ./dstack-gateway -c gateway.toml`\n3. Run `./dstack-vmm -c vmm.toml`\n\n⚠️ *Warning: this is for local development, and the kms is not secure, so you should not use it in production.*\nFor production, you should follow the [deployment guide](./docs/deployment.md) and read the [security guide](./docs/security-guide/security-guide.md).\n\n## Deploy an App\nOpen the dstack-vmm webpage [http://localhost:9080](http://localhost:9080)(change the port according to your configuration) on your local machine to deploy a `docker-compose.yaml` file:\n\n\n\nAfter the container deployed, it should need some time to start the CVM and the containers. Time would be vary depending on your workload.\n\n- Click the [Logs] button to see the logs of the CVM, you can see if the container is finished starting there.\n\n- Once the container is running, you can click the [Dashboard] button to see some information of the container. And the logs of the containers can be seen in the [Dashboard] page.\n\n \n\n- You can open dstack-gateway's dashboard at [https://localhost:9070](https://localhost:9070) to see the CVM's wireguard ip address, as shown below:\n\n\n\n## Pass Secrets to Apps\nWhen deploying a new App, you can pass private data via Encrypted Environment Variables. These variables can be referenced in the docker-compose.yaml file as shown below:\n\n\n\nThe environment variables will be encrypted in the client-side and decrypted in the CVM before being passed to the containers.\n\n## Access the App\n\nOnce the app is deployed and listening on an HTTP port, you can access the HTTP service via dstack-gateway's public domain. The ingress mapping rules are:\n\n- `<id>[s].<base_domain>` maps to port `80` or `443` if with `s` in the CVM.\n- `<id>-<port>[s].<base_domain>` maps to port `<port>` in the CVM.\n\nFor example, `3327603e03f5bd1f830812ca4a789277fc31f577-8080.app.kvin.wang` maps to port `8080` in the CVM.\n\nWhere the `<id>` can be either the app id or the instance id. If the app id is used, one of the instances will be selected by the load balancer.\nIf the `id-port` part ends with `s`, it means the TLS connection will be passthrough to the app rather than terminating at dstack-gateway.\n\nYou can also ssh into the CVM to inspect more information, if your deployment uses the image `dstack-x.x.x-dev`:\n\n```bash\n# The IP address of the CVM can be found in the dstack-gateway dashboard.\nssh [email protected]\n```\n\n## Getting TDX quote in docker container\n\nTo get a TDX quote within app containers:\n\n1. Mount `/var/run/dstack.sock` to the target container in `docker-compose.yaml`\n\n ```yaml\n version: '3'\n services:\n nginx:\n image: nginx:latest\n volumes:\n - /var/run/dstack.sock:/var/run/dstack.sock\n ports:\n - \"8080:80\"\n restart: always\n ```\n\n2. Execute the quote request command in the container.\n\n ```bash\n # The argument report_data accepts binary data encoding in hex string.\n # The actual report_data passing the to the underlying TDX driver is sha2_256(report_data).\n curl --unix-socket /var/run/dstack.sock http://localhost/GetQuote?report_data=0x1234deadbeef | jq . \n ```\n\n## Container logs\n\nContainer logs can be obtained from the CVM's `dashboard` page or by curl:\n\n```bash\ncurl 'http://<appid>.app.kvin.wang:9090/logs/<container name>?since=0&until=0&follow=true&text=true×tamps=true&bare=true'\n```\n\nReplace `<appid>` and `<container name>` with actual values. Available parameters:\n\n- since=0: Starting Unix timestamp for log retrieval\n- until=0: Ending Unix timestamp for log retrieval\n- follow: Enables continuous log streaming\n- text: Returns human-readable text instead of base64 encoding\n- timestamps: Adds timestamps to each log line\n- bare: Returns the raw log lines without json format\n\nThe response of the RPC looks like:\n```\n$ curl 'http://0.0.0.0:9190/logs/zk-provider-server?text×tamps'\n{\"channel\":\"stdout\",\"message\":\"2024-09-29T03:05:45.209507046Z Initializing Rust backend...\\n\"}\n{\"channel\":\"stdout\",\"message\":\"2024-09-29T03:05:45.209543047Z Calling Rust function: init\\n\"}\n{\"channel\":\"stdout\",\"message\":\"2024-09-29T03:05:45.209544957Z [2024-09-29T03:05:44Z INFO rust_prover] Initializing...\\n\"}\n{\"channel\":\"stdout\",\"message\":\"2024-09-29T03:05:45.209546381Z [2024-09-29T03:05:44Z INFO rust_prover::groth16] Starting setup process\\n\"}\n```\n\n## TLS Passthrough with Custom Domain\n\ndstack-gateway supports TLS passthrough for custom domains.\n\nSee the example [here](https://github.com/Dstack-TEE/dstack-examples/tree/main/custom-domain/dstack-ingress) for more details.\n\n## Upgrade an App\n\nGot to the dstack-vmm webpage, click the [Upgrade] button, select or paste the compose file you want to upgrade to, and click the [Upgrade] button again.\nThe app id does not change after the upgrade. Stop and start the app to apply the upgrade.\n\n## HTTPS Certificate Transparency\n\nIn the tutorial above, we used a TLS certificate with a private key external to the TEE. To establish trust, we need to generate and maintain the certificate's private key within the TEE and provide evidence that all TLS certificates for the domain were originate solely from dstack-gateway CVM.\n\nBy combining Certificate Transparency Logs and CAA DNS records, we can make best effort to minimize security risks. Here's our approach:\n\n- Set CAA records to allow only the account created in dstack-gateway CVM to request Certificates.\n- Launch a program to monitor Certificate Transparency Log and give alarm once any certificate issued to a pubkey that isn’t generated by dstack-gateway CVM.\n\n### Configurations\n\nTo launch Certbot, you need to own a domain hosted on Cloudflare. Obtain an API token with DNS operation permissions from the Cloudflare dashboard. Configure it in the `build-config.sh`:\n\n```bash\n# The directory to store the auto obtained TLS certificate and key\nGATEWAY_CERT=${CERBOT_WORKDIR}/live/cert.pem\nGATEWAY_KEY=${CERBOT_WORKDIR}/live/key.pem\n\n# for certbot\nCF_ZONE_ID=cc0a40...\nCF_API_TOKEN=g-DwMH...\n# ACME_URL=https://acme-v02.api.letsencrypt.org/directory\nACME_URL=https://acme-staging-v02.api.letsencrypt.org/directory\n```\n\nThen re-run the ../build.sh:\n\n```bash\n../build.sh\n```\n\n### Launch certbot\n\nThen run the certbot in the `build/` and you will see the following log:\n```text\n$ RUST_LOG=info,certbot=debug ./certbot renew -c certbot.toml\n2024-10-25T07:41:00.682990Z INFO certbot::bot: creating new ACME account\n2024-10-25T07:41:00.869246Z INFO certbot::bot: created new ACME account: https://acme-staging-v02.api.letsencrypt.org/acme/acct/168601853\n2024-10-25T07:41:00.869270Z INFO certbot::bot: setting CAA records\n2024-10-25T07:41:00.869276Z DEBUG certbot::acme_client: setting guard CAA records for app.kvin.wang\n2024-10-25T07:41:01.740767Z DEBUG certbot::acme_client: removing existing CAA record app.kvin.wang 0 issuewild \"letsencrypt.org;validationmethods=dns-01;accounturi=https://acme-staging-v02.api.letsencrypt.org/acme/acct/168578683\"\n2024-10-25T07:41:01.991298Z DEBUG certbot::acme_client: removing existing CAA record app.kvin.wang 0 issue \"letsencrypt.org;validationmethods=dns-01;accounturi=https://acme-staging-v02.api.letsencrypt.org/acme/acct/168578683\"\n2024-10-25T07:41:02.216751Z DEBUG certbot::acme_client: setting CAA records for app.kvin.wang, 0 issue \"letsencrypt.org;validationmethods=dns-01;accounturi=https://acme-staging-v02.api.letsencrypt.org/acme/acct/168601853\"\n2024-10-25T07:41:02.424217Z DEBUG certbot::acme_client: setting CAA records for app.kvin.wang, 0 issuewild \"letsencrypt.org;validationmethods=dns-01;accounturi=https://acme-staging-v02.api.letsencrypt.org/acme/acct/168601853\"\n2024-10-25T07:41:02.663824Z DEBUG certbot::acme_client: removing guard CAA records for app.kvin.wang\n2024-10-25T07:41:03.095564Z DEBUG certbot::acme_client: generating new cert key pair\n2024-10-25T07:41:03.095678Z DEBUG certbot::acme_client: requesting new certificates for *.app.kvin.wang\n2024-10-25T07:41:03.095699Z DEBUG certbot::acme_client: creating new order\n2024-10-25T07:41:03.250382Z DEBUG certbot::acme_client: order is pending, waiting for authorization\n2024-10-25T07:41:03.283600Z DEBUG certbot::acme_client: creating dns record for app.kvin.wang\n2024-10-25T07:41:04.027882Z DEBUG certbot::acme_client: challenge not found, waiting 500ms tries=2 domain=\"_acme-challenge.app.kvin.wang\"\n2024-10-25T07:41:04.600711Z DEBUG certbot::acme_client: challenge not found, waiting 1s tries=3 domain=\"_acme-challenge.app.kvin.wang\"\n2024-10-25T07:41:05.642300Z DEBUG certbot::acme_client: challenge not found, waiting 2s tries=4 domain=\"_acme-challenge.app.kvin.wang\"\n2024-10-25T07:41:07.715947Z DEBUG certbot::acme_client: challenge not found, waiting 4s tries=5 domain=\"_acme-challenge.app.kvin.wang\"\n2024-10-25T07:41:11.724831Z DEBUG certbot::acme_client: challenge not found, waiting 8s tries=6 domain=\"_acme-challenge.app.kvin.wang\"\n2024-10-25T07:41:19.815990Z DEBUG certbot::acme_client: challenge not found, waiting 16s tries=7 domain=\"_acme-challenge.app.kvin.wang\"\n2024-10-25T07:41:35.852790Z DEBUG certbot::acme_client: setting challenge ready for https://acme-staging-v02.api.letsencrypt.org/acme/chall-v3/14584884443/mQ-I2A\n2024-10-25T07:41:35.934425Z DEBUG certbot::acme_client: challenges are ready, waiting for order to be ready\n2024-10-25T07:41:37.972434Z DEBUG certbot::acme_client: order is ready, uploading csr\n2024-10-25T07:41:38.052901Z DEBUG certbot::acme_client: order is processing, waiting for challenge to be accepted\n2024-10-25T07:41:40.088190Z DEBUG certbot::acme_client: order is valid, getting certificate\n2024-10-25T07:41:40.125988Z DEBUG certbot::acme_client: removing dns record 6ab5724e8fa7e3e8f14e93333a98866a\n2024-10-25T07:41:40.377379Z DEBUG certbot::acme_client: stored new cert in /home/kvin/codes/meta-dstack/dstack/build/run/certbot/backup/2024-10-25T07:41:40.377174477Z\n2024-10-25T07:41:40.377472Z INFO certbot::bot: checking if certificate needs to be renewed\n2024-10-25T07:41:40.377719Z DEBUG certbot::acme_client: will expire in Duration { seconds: 7772486, nanoseconds: 622281542 }\n2024-10-25T07:41:40.377752Z INFO certbot::bot: certificate /home/kvin/codes/meta-dstack/dstack/build/run/certbot/live/cert.pem is up to date\n```\n\nWhere the command did are:\n\n- Registered to letsencrypt and got a new account `https://acme-staging-v02.api.letsencrypt.org/acme/acct/168601853`\n- Auto set CAA records for the domain on cloudflare, you can open the CF dashboard to see the record:\n\n \n\n- Auto requested a new certificate from Let's Encrypt. Automatically renews the certificate to maintain its validity\n\n### Launch dstack-gateway\n\nExecute dstack-gateway with `sudo ./dstack-gateway -c gateway.toml`, then access the web portal to check the dstack-gateway CVM managed Let's Encrypt account. The account's private key remains securely sealed within the TEE.\n\n\n\n## Certificate transparency log monitor\n\nTo enhance security, we've limited TLS certificate issuance to dstack-gateway via CAA records. However, since these records can be modified through Cloudflare's domain management, we need to implement global CA certificate monitoring to maintain security oversight.\n\n`ct_monitor` tracks Certificate Transparency logs via [https://crt.sh](https://crt.sh/?q=app.kvin.wang), comparing their public key with the ones got from dstack-gateway RPC. It immediately alerts when detecting unauthorized certificates not issued through dstack-gateway:\n\n```text\n$ ./ct_monitor -t https://localhost:9010/prpc -d app.kvin.wang\n2024-10-25T08:12:11.366463Z INFO ct_monitor: monitoring app.kvin.wang...\n2024-10-25T08:12:11.366488Z INFO ct_monitor: fetching known public keys from https://localhost:9010/prpc\n2024-10-25T08:12:11.566222Z INFO ct_monitor: got 2 known public keys\n2024-10-25T08:12:13.142122Z INFO ct_monitor: ✅ checked log id=14705660685\n2024-10-25T08:12:13.802573Z INFO ct_monitor: ✅ checked log id=14705656674\n2024-10-25T08:12:14.494944Z ERROR ct_monitor: ❌ error in CTLog { id: 14666084839, issuer_ca_id: 295815, issuer_name: \"C=US, O=Let's Encrypt, CN=R11\", common_name: \"kvin.wang\", name_value: \"*.app.kvin.wang\", not_before: \"2024-09-24T02:23:15\", not_after: \"2024-12-23T02:23:14\", serial_number: \"03ae796f56a933c8ff7e32c7c0d662a253d4\", result_count: 1, entry_timestamp: \"2024-09-24T03:21:45.825\" }\n2024-10-25T08:12:14.494998Z ERROR ct_monitor: error: certificate has issued to unknown pubkey: 30820122300d06092a864886f70d01010105000382010f003082010a02820101009de65c767caf117880626d1acc1ee78f3c6a992e3fe458f34066f92812ac550190a67e49ebf4f537003c393c000a8ec3e114da088c0cb02ffd0881fd39a2b32cc60d2e9989f0efab3345bee418262e0179d307d8d361fd0837f85d17eab92ec6f4126247e614aa01f4efcc05bc6303a8be68230f04326c9e85406fc4d234e9ce92089253b11d002cdf325582df45d5da42981cd546cbd2e9e49f0fa6636e747a345aaf8cefa02556aa258e1f7f90906be8fe51567ac9626f35bc46837e4f3203387fee59c71cea400000007c24e7537debc1941b36ff1612990233e4c219632e35858b1771f17a71944adf6c657dd7303583e3aeed199bd36a3152f49980f4f30203010001\n```\n\n# Troubleshooting\n\n### Error from dstack-vmm: qemu-system-x86_64: -device vhost-vsock-pci,guest-cid=<id>: vhost-vsock: unable to set guest cid: Address already in use\n\n`dstack-vmm` may throw this error when creating a new VM if the [Unix Socket CID](https://man7.org/linux/man-pages/man7/vsock.7.html) is occupied. To solve the problem, first, you should list the occupied CID:\n\n```bash\nps aux | grep 'guest-cid='\n```\n\nThen choose a new range of the CID not conflicting with the CID in use. You can change `build/vmm.toml` file and restart `dstack-vmm`. This error should disappear. For example, you may find 33000-34000 free to use:\n\n```toml\n[cvm]\ncid_start = 33000\ncid_pool_size = 1000\n```\n\nWhen building the dstack from scratch, you should change the CID configs in `build-config.sh` instead, because `vmm.toml` file is generated by `build.sh`. Its content is derived from `build-config.sh`.\n\nYou may encounter this problem when upgrading from an older version of dstack, because CID was introduced in `build-config.sh` in later versions. In such case, please follow the docs to add the missing entries in `build-config.sh` and rebuild dstack.\n\n### Error: Operation not permitted when building guest image\n\nWhen running `../build.sh guest`, you might encounter this error:\n\n```\nTraceback (most recent call last):\n File \"/meta-dstack/poky/bitbake/bin/bitbake-worker\", line 278, in child\n bb.utils.disable_network(uid, gid)\n File \"/meta-dstack/poky/bitbake/lib/bb/utils.py\", line 1696, in disable_network\n with open(\"/proc/self/uid_map\", \"w\") as f:\nPermissionError: [Errno 1] Operation not permitted\n```\n\nThis error occurs because Ubuntu 23.10 and later versions restrict unprivileged user namespaces by default. To fix this, run:\n\n```bash\nsudo sysctl kernel.apparmor_restrict_unprivileged_userns=0\n```\n\nThen try building again. For more information about this restriction, see the [Ubuntu discourse post](https://discourse.ubuntu.com/t/spec-unprivileged-user-namespace-restrictions-via-apparmor-in-ubuntu-23-10/37626).\n\n\n# Contributors\n\nDstack is proudly built by open source and Pi-rateship contributors:\n\n- Phala Network: [Kevin Wang](https://github.com/kvinwang), [Shelven Zhou](https://github.com/shelvenzhou), [Leechael](https://github.com/leechael)\n- Teleport: [Andrew Miller](https://github.com/amiller), [Sxy Sun](https://github.com/sxysun)\n- Flashbots: [Tina](https://github.com/CarboClanC), [Mateusz](https://github.com/Ruteri), [Dmarz](https://github.com/dmarzzz), [Moe](https://github.com/MoeMahhouk)\n- Ithaca: [Georgios](https://github.com/gakonst)\n- Fabric: [@gaoist](https://x.com/gaoist)\n- And many more...\n\nThe inspiration for this work stems from [Andrew Miller](https://github.com/amiller)’s pioneering concept of a [Docker-based P2P TEE SDK](https://collective.flashbots.net/t/dstack-speedrunning-a-p2p-confidential-vm/3876).\n\nThis project cannot be built without standing on the shoulders of giants:\n\n- [konvera/meta-confidential-compute](https://github.com/konvera/meta-confidential-compute)\n\nSpecial acknowledgment to [Flashbots](https://github.com/flashbots) for building a community around TEE. The TEE Hacker House initiative, organized by [Flashbots](https://github.com/flashbots) and led by [Tina](https://github.com/CarboClanC), has brought together TEE builders to develop tools for TEE-Web3 integration. This collaborative journey has generated invaluable insights for advancing secure, confidential environments within Web3.\n\nTogether, we’re shaping the future of TEE in Web3, paving the way for more secure and developer-accessible confidential computing!\n\nFor a full list of the direct contributors to this repo, see [Contributors](https://github.com/Dstack-TEE/dstack/contributors) on GitHub.\n\n\n# License\n\nCopyright 2024 Phala Network and Contributors.\n\nLicensed under the Apache License, Version 2.0 (the \"License\"); you may not use this file except in compliance with the License. You may obtain a copy of the License at\n\n[http://www.apache.org/licenses/LICENSE-2.0](http://www.apache.org/licenses/LICENSE-2.0)"
},
{
"type": "text",
"text": "main.pdf\nDstack: A Zero Trust Framework for Confidential Containers\nJune 23, 2025\nAbstract\nWeb3 applications require execution platforms that maintain confidentiality and integrity with-\nout relying on centralized trust authorities. While Trusted Execution Environments (TEEs) offer\npromising capabilities for confidential computing, current implementations face significant limita-\ntions in security reliability, censorship resistance, and vendor independence when applied to Web3\ncontexts. This paper presents Dstack, a comprehensive framework that transforms raw TEE tech-\nnology into a true Zero Trust platform aligned with Web3 principles. We introduce three key\ninnovations: (1) Portable Confidential Containers that enable seamless workload migration across\nheterogeneous TEE environments while maintaining security guarantees, (2) Decentralized Code\nManagement that leverages smart contracts for transparent governance of TEE applications, and\n(3) Verifiable Domain Management that ensures secure and verifiable application identity without\ncentralized authorities. Through these innovations, implemented via Dstack-OS, Dstack-KMS, and\nDstack-Gateway components, we demonstrate how to achieve both the performance advantages of\nVM-level TEE solutions and the trustless guarantees required by Web3 applications. Our evalu-\nation shows that Dstack provides comprehensive security guarantees while maintaining practical\nusability for real-world applications.\n1 Introduction\nThe Web3 ecosystem represents a paradigm shift in digital trust models, fundamentally transforming\nthe relationship between users and application developers. Unlike traditional systems, Web3 empowers\nusers with unprecedented control over their data through the principle of ”Code is Law” - once deployed,\ncode operates autonomously and independently of external control. This transformation demands\nrobust execution platforms that maintain confidentiality and integrity without relying on centralized\ntrust authorities.\nFigure 1: The evolution of trust models from Web2 to Web3, highlighting the shift from centralized control\nto decentralized governance and execution.\nThe contrast between Web2 and Web3 architectures in Figure 1 illustrates this fundamental shift.\nIn Web2 systems, developers maintain complete control through proprietary applications and central-\nized servers, retaining administrative privileges to access and modify user data at will. Web3’s smart\n1\ncontracts, however, represent the first significant step toward true trustlessness by executing pro-\ngrams on decentralized platforms (blockchains). Once deployed, administrators cannot influence pro-\ngram execution, and lifecycle management (e.g., code updates) follows predefined agreements through\ndemocratic governance mechanisms like multi-signature wallets and Decentralized Autonomous Orga-\nnizations (DAOs). This emerging trust model extends beyond basic applications to mission-critical\nscenarios such as AI model training, where data providers and model developers often have competing\ninterests, and autonomous AI agents designed to operate independently of human intervention. In\nthese contexts, Zero Trust platforms become essential to host applications and enforce verification\nmechanisms that appropriately constrain developer authority.\nA Zero Trust platform must enforce the following key principles:\n• Code is Law: This manifests in two dimensions: (1) the application logic, once deployed, cannot\nbe changed unexpectedly; and (2) the lifecycle management of code—including deployment,\nupgrades, and deletion—follows predefined governance rules.\n• Censorship Resistance: User data remains beyond the control of any single entity, with data\navailability protected against Denial-of-Service attacks.\n• Full Chain-of-Trust: When users interact with applications on a Zero Trust platform, they\nmust be able to verify all aspects of that application, including network setup, application identity\nand code logic, underlying hardware, and execution environment.\n• Assume Breach: The platform operates under the assumption that compromises will occur,\nimplementing mechanisms for damage containment, rapid recovery, and minimization of data\nexposure during security incidents.\nConfidential Computing, particularly through Trusted Execution Environments (TEEs), has emerged\nas a promising foundation for extending blockchain capabilities to support complex computational tasks\nwith confidentiality guarantees. Recent advances in VM-level TEE solutions, including Intel TDX and\nAMD SEV, have demonstrated substantial performance improvements and developer-friendly inter-\nfaces, making them compelling candidates for Web3 deployment. The integration of GPUs within\nTEEs [?] now enables verifiable execution of both Large Language Models and AI agents, providing\ncryptographic guarantees of computational integrity.\nHowever, a significant gap exists between raw TEE technology and the requirements of a true Zero\nTrust platform. Current TEE implementations face several critical limitations when applied to Web3\ncontexts:\n• Security Reliability: Recent vulnerability discoveries in TEE systems have raised significant con-\ncerns about their effectiveness as trust anchors. The persistence of side-channel attacks and\nmicro-architectural vulnerabilities undermines confidence in TEE security guarantees, particu-\nlarly for high-value Web3 applications where a single compromise could lead to catastrophic data\nexposure.\n• Censorship Vulnerability: Conventional TEE encryption schemes bind encryption keys to spe-\ncific hardware instances, creating single points of failure that contradict Web3’s requirement\nfor censorship resistance. This architectural limitation means that data availability cannot be\nguaranteed if specific hardware instances are compromised or become unavailable.\n• Vendor Dependencies: Current trust models heavily rely on centralized hardware manufacturers\nand verification processes, introducing risks of vendor lock-in and potential censorship vectors.\nThis centralization contradicts Web3’s core principles of decentralization and trustlessness.\n• Incomplete Verifiability: While TEEs provide Remote Attestation capabilities to verify applica-\ntion and hardware identity, they fail to deliver the comprehensive chain of trust required in Zero\nTrust environments. Users need guarantees that programs will process their data as expected\nand cannot be modified without proper authorization—capabilities beyond current attestation\nmechanisms.\nTo bridge this gap between raw TEE technology and Zero Trust requirements, we present Dstack,\na comprehensive framework for confidential containers that introduces three key innovations:\n2\n• Portable Confidential Container: Our architecture enables seamless migration of confidential\nworkloads across different TEE instances and hardware vendors, significantly reducing vendor\nlock-in risks while maintaining robust security guarantees. This innovation directly addresses the\ncensorship vulnerability and vendor dependency limitations by providing hardware abstraction\nand state continuity across heterogeneous TEE environments.\n• Decentralized Code Management: We implement a comprehensive governance framework\nthat leverages smart contracts for transparent and decentralized management of TEE applica-\ntions. This system ensures verifiable deployment and upgrade processes, enforcing the “Code\nis Law” principle by binding application lifecycles to on-chain governance decisions. This inno-\nvation addresses the incomplete verifiability limitation by creating an immutable audit trail of\napplication changes.\n• Verifiable Domain Management: Our novel approach to certificate management ensures that\nconfidential containers can exclusively control domains and provide native HTTPS support to\nTEE applications without relying on centralized authorities. This system serves as a middleware\nbetween TEE applications and existing TLS-based networks, enabling users to establish end-to-\nend encrypted channels to TEE applications without modifications to client software.\nThese innovations are implemented through a cohesive system architecture comprising three core\ncomponents:\n• Dstack-OS: A hardware abstraction layer with a minimized operating system image that elimi-\nnates differences in underlying TEE hardware while reducing the attack surface. This component\nprovides a consistent, secure runtime environment across diverse TEE implementations.\n• Dstack-KMS: A blockchain-controlled key management service that replaces hardware-based\nencryption schemas with an independent service for generating and managing secret keys. This\ncomponent enables secure data migration across TEE instances and supports key rotation to\nprovide forward and backward data secrecy, mitigating the impact of potential TEE compromises.\n• Dstack-Ingress and Dstack-Gateway: Complementary systems providing TEE-controlled domain\nmanagement through different approaches—Dstack-Ingress enables applications to specify cus-\ntom domains with minimal integration requirements, while Dstack-Gateway offers pre-registered\nwildcard domains requiring no application code changes.\nBy addressing the critical limitations of current TEE implementations, Dstack establishes a compre-\nhensive framework that transforms raw TEE technology into a true Zero Trust platform aligned with\nWeb3’s fundamental principles. Our approach not only enhances the security and reliability of confi-\ndential computing but also provides a practical path toward truly decentralized, censorship-resistant\ninfrastructure for next-generation applications.\nThe remainder of this paper details the technical design of Dstack, evaluates its performance and\nsecurity characteristics, and demonstrates how our innovations collectively create a Zero Trust platform\nthat maintains the performance advantages of VM-level TEE solutions while addressing their inherent\nlimitations in Web3 contexts.\n2 System Design\n2.1 Portable Confidential Container\nContainerization has transformed cloud-native application deployment by providing unparalleled porta-\nbility and scalability through effective data separation. These capabilities are particularly critical for\nTrusted Execution Environment (TEE) applications, as they directly address the inherent limitations\noutlined in Section 1:\n• Security Reliability: Containerized applications can be efficiently transferred from compro-\nmised TEE hardware to secure instances, preserving code integrity. Together with our secure\ndata migration mechanism that ensures both forward and backward secrecy, this approach sig-\nnificantly limits privacy leakage risks even when individual TEE instances are compromised.\n3\nFigure 2: The architecture of Dstack, including Dstack-OS and Dstack-KMS. Dstack-OS provides a hardware\nabstraction layer with a minimized operating system image, while Dstack-KMS replaces the hardware-based\ndata encryption keys with a blockchain-controlled key management service. TODO: redraw this to put the\ncomponents into solutions.\n• Censorship Resistance: The architecture’s inherent scalability provides robust defense against\nDenial-of-Service attacks. Additionally, by decoupling data storage from execution environments,\nestablished data availability solutions can be readily integrated to ensure persistent access to\napplication data.\n• Vendor Independence: Our hardware abstraction layer enables confidential containers to\noperate across diverse TEE hardware platforms without modification, eliminating vendor lock-in\nwhile facilitating rapid adoption of emerging TEE technologies as they become available.\nHowever, implementing truly portable confidential containers presents substantial technical chal-\nlenges that differentiate them from conventional containerization. Two fundamental obstacles must be\novercome:\nFirst, existing TEE implementations generate data sealing keys derived from hardware-bound root\nkeys unique to each TEE instance. This architectural design creates an inherent barrier to portability\n— data encrypted by one TEE instance cannot be decrypted by any other, even when running identical\napplication code. Prior research has largely circumvented this limitation by restricting TEEs to state-\nless applications, but this approach severely constrains their utility in complex real-world scenarios.\nSecond, TEE implementations from different vendors impose disparate specifications for deploy-\nable programs. This fragmentation forces developers to create and maintain multiple artifacts across\nplatforms, each requiring separate (and expensive) code reviews to verify functional equivalence — a\nprocess that undermines the trust guarantees central to Web3 applications.\nTo address these challenges comprehensively, we introduce two complementary components: Dstack-\nKMS and Dstack-OS.\n2.1.1 Dstack-KMS: Blockchain-Controlled Secret Derivation\nDstack-KMS is a secret derivation service that fundamentally transforms how encryption keys are\nmanaged in confidential computing environments. Its primary function is to generate a unique and\nstable secret (the Root Key ) for each application based on its code and configurations. This root key\n4\nserves as the foundation for deriving additional application-specific secrets used for data encryption\nand verifiable random number generation.\nUnlike hardware-based encryption approaches, Dstack-KMS deliberately decouples key generation\nfrom specific TEE hardware instances. This architectural decision enables the critical capability of\nencrypted data migration between different TEE instances, with decryption possible after\nproper authorization. This feature is essential for achieving true censorship resistance.\nGiven its position as the root-of-trust for the entire system, the verifiability and availability of\nDstack-KMS are paramount. Unlike previous approaches [?] that assume TEE infallibility, our threat\nmodel explicitly acknowledges that TEEs can be compromised. To address this reality, Dstack-\nKMS implements comprehensive key rotation capabilities that provide both backward and forward\nsecrecy for application data. This ensures that even if a specific TEE hardware instance is compromised,\napplications can be migrated with limited data exposure.\nFigure 3: The key derivation hierarchy of Intel SGX illustrates how conventional TEE implementations bind\nencryption keys to hardware.\nTo understand the limitations of conventional approaches, Figure 3 illustrates the key derivation\nhierarchy in Intel SGX. This design uses a hardware-bound key to both identify the TEE instance (for\nRemote Attestation) and generate encryption keys for data sealing. While this approach effectively\nestablishes hardware identity, it fundamentally undermines censorship resistance:\n• The root key cannot be updated, meaning a compromised TEE with a leaked root key remains\npermanently vulnerable even after patching the underlying vulnerability.\n• Encrypted data becomes intrinsically bound to specific TEE hardware instances, creating single\npoints of failure that contradict Web3’s censorship resistance requirements.\nOur Dstack-KMS addresses these limitations by delegating secret generation to an independent\nservice that ensures encrypted data remains portable across TEE instances.\nAs illustrated in Figure 4, Dstack-KMS comprises an on-chain governance smart contract coupled\nwith an off-chain peer-to-peer network where the actual secret derivation service operates. To ensure\ncomprehensive verifiability of the Dstack-KMS program’s integrity and correctness, we implement a\nmulti-stage verification process:\n1. The Dstack-KMS codebase is fully open-sourced [?], enabling thorough code and security reviews\nto verify key management logic and ensure the absence of backdoors.\n5\nFigure 4: The architecture of Dstack-KMS combines on-chain governance through smart contracts with an\noff-chain P2P network of secret derivation service nodes. This design ensures both verifiability and resilience\nagainst compromise.\n2. Executable binaries are produced through reproducible build processes, allowing verifiers to\nconfirm that the runtime code matches the reviewed source code.\n3. The cryptographic digest of valid executables is published through the governance smart contract,\ncreating an immutable reference for verification.\n4. Each service node operates within its own TEE instance. Critically, we rely on the TEE solely for\nmeasuring the executable and ensuring it matches the on-chain digest—not for the fundamental\nsecurity of the key management process.\nThis verification framework ensures that Dstack-KMS remains trustworthy to any third-party verifier\nwhile avoiding dependency on the absolute security of any single TEE instance.\nThe core logic of each Dstack-KMS service node is intentionally minimalist, focusing exclusively on\nthe generation and secure distribution of the root key, along with deriving encryption keys for TEE\napplications. This simplicity enables the implementation of Multi-Party Computation (MPC) based\nthreshold key generation and derivation without concerning performance overhead. We have developed\ntwo complementary implementations:\n• Simple Duplication: The first node in the P2P network generates a cryptographically secure\nrandom number as the root key, then shares it with other nodes after verifying their attestation\nreports. All nodes maintain identical copies of the root key and derive consistent encryption keys\nfor applications. This approach maximizes availability—as long as at least one node remains\noperational, the root key can be recovered.\n• MPC-Based Key Generation: While simple duplication provides robust availability, it cre-\nates vulnerability to single-node compromises. Our MPC implementation uses Shamir’s Secret\nSharing scheme [?] to distribute the root key across multiple nodes, ensuring that compromising\nany individual node (or even up tot− 1 nodes, wheret is the configured threshold) does not\nexpose the root key. This approach also enables advanced features like key rotation without\nrequiring application reconfiguration.\nKey Derivation Dstack-KMS implements a comprehensive key derivation framework to generate\napplication-specific keys from the root key:\n• Application CA Key: Derived from the root CA key using the application’s unique identifier\n(calculated as the hash of the application’s code and configuration).\n• Disk Encryption Key: Derived using a combination of the application identifier and instance\nidentifier, enabling secure storage with portability.\n6\n• Environment Encryption Key: Derived using the application identifier alone, allowing secure\nenvironment variable management across instances.\n• ECDSA Key: Derived from the root ECDSA key, providing applications with consistent cryp-\ntographic identity for signing operations.\nEach derived key maintains cryptographic isolation while ensuring consistency across different TEE\ninstances running the same application.\nKey Rotation A critical security feature of Dstack-KMS is its support for key rotation, which signif-\nicantly limits the exposure window during potential attacks while ensuring both forward and backward\nsecrecy for sealed data. Key rotation procedures are initiated exclusively through the governance smart\ncontract, ensuring transparency and auditability. We discuss two distinct rotation mechanisms:\n• Root Key Share Rotation: Our MPC-based implementation enables rotation of individual\nkey shares without modifying the root key itself. This process enhances root key security by\nregularly updating the distribution mechanism while remaining transparent to applications, as\nall derived application keys remain unchanged.\n• Root Key Rotation: In scenarios where the root key may have been compromised, we support\ncomplete root key rotation. This process generates an entirely new root key and implements a\ncontrolled handover period during which both old and new keys remain valid. This transition\nwindow allows applications to re-encrypt their data with keys derived from the new root key\nbefore the old root key is permanently destroyed, minimizing service disruption while enhancing\nsecurity.\nThrough these mechanisms, Dstack-KMS provides the foundation for truly portable confidential con-\ntainers by decoupling encryption from hardware dependencies while maintaining robust security guar-\nantees.\n2.1.2 Dstack-OS: Hardware Abstraction Layer\nDstack-OS provides a comprehensive hardware abstraction layer with a minimized operating system\nimage that bridges the gap between application containers and VM-level TEE implementations. This\nlayer enables applications to deploy across diverse TEE environments without code modifications while\nmaintaining security integrity. As a shared component across all TEE applications, Dstack-OS must be\nintrinsically secure and verifiable, with no administrative backdoors that could compromise program\ncode or user data.\nVM-level TEE solutions typically require developers to provide complete system images encom-\npassing bootloader, kernel, operating system, and application components. This requirement not\nonly increases development complexity but also introduces potential security vulnerabilities through\nmisconfigured system components. A secure and properly configured operating system environment\nfundamentally determines the security baseline for all TEE applications built upon it.\nFigure 5 illustrates how Dstack-OS establishes a secure and verifiable startup chain from the TEE\nhardware foundation through to user-provided container images. Our modular design ensures that the\nmajority of the system can be reused across different TEE hardware implementations, substantially\nreducing the effort required for code review and security auditing. Combined with reproducible build\nprocesses, this approach enables comprehensive verification of Dstack-OS with minimal overhead while\nsupporting multiple TEE hardware platforms.\nUsing Intel TDX as an exemplar (with similar procedures applicable to other TEE implementa-\ntions like AMD SEV), Dstack-OS consists of the following components, presented in boot sequence\norder. During this process, each component measures the next one and records these measurements\nin hardware registers, which are ultimately incorporated into the TEE attestation report:\n• Hypervisor: When application deployment initiates, the underlying hypervisor (the TDX mod-\nule) loads the Open Virtual Machine Firmware (OVMF), enabling UEFI support for confidential\nvirtual machines. The TDX module measures the OVMF code and records its cryptographic\ndigest in the MRTD register, with the hypervisor’s integrity guaranteed by the TEE hardware\nitself.\n7\nFigure 5: The architecture of Dstack-OS establishes a secure and verifiable startup chain from TEE hardware\nthrough to user applications.\n• Open Virtual Machine Firmware (OVMF): The OVMF configures virtual machine hard-\nware specifications (CPU, memory, and device configurations) and records the configuration\nmeasurement to the RTMR0 register. It then loads the Linux kernel and records the kernel\nimage measurement to the RTMR1 register.\n• Kernel: The kernel first loads an initial ramdisk (initrd) — a temporary in-memory filesystem\ncontaining minimal command-line tools and disk encryption libraries. The initrd mounts the\nroot filesystem and records this measurement in the RTMR2 register.\n• Root Filesystem: The root filesystem (RootFs) is a read-only environment containing essential\nsystem libraries and tools. It manages the entire lifecycle of deployed applications, measuring\napplication images along with their associated key management system and storing these mea-\nsurements in the RTMR3 register. The RootFs serves two primary functions: (1) providing\nthe runtime environment for user-level container images, and (2) managing application data en-\ncryption. It interfaces with Dstack-KMS to acquire encryption secrets and implements Linux\nUnified Key Setup (LUKS) to encrypt application data in isolated volumes. Data integrity is\nensured through dm-verity, a Merkle-tree-based block-level verification tool. Finally, the RootFs\nconfigures network ingress for the application and initiates execution.\nRather than adapting existing system images, we built Dstack-OS from scratch to ensure only es-\nsential components are included in both the initrd and RootFs. A comprehensive component inventory\nis provided in Appendix ?? for transparency and review. Generally, Dstack-OS includes only basic\nutilities (busybox), filesystem support, and container runtime components. By implementing Docker\nsupport while delegating orchestration to the application level, we maintain a minimal base image\nfootprint.\nTo ensure comprehensive verifiability, Dstack-OS is fully open-sourced and supports reproducible\nbuilds, allowing anyone to review the code and generate identical artifacts for verification. This\napproach provides significant benefits for applications requiring security reviews, as evaluators need\nonly review the application code rather than the entire system image.\nData Backup and Defense against Rollback Attacks A critical challenge in confidential com-\nputing is ensuring data durability and integrity, particularly against rollback attacks where adversaries\nattempt to revert applications to previous states to bypass security checks or reuse expired secrets.\nOur architecture provides robust secure data backup support and implements robust anti-rollback\nmechanisms that application developers can integrate:\n• Secure Backup: Application data is encrypted using keys derived from Dstack-KMS and can\nbe backed up to external storage providers. Since encryption keys are not bound to specific TEE\n8\ninstances, data can be restored on any authorized TEE, supporting true portability and disaster\nrecovery.\n• Monotonic Counters: To prevent rollback attacks, developers can implement monotonic coun-\nters that increment with each critical data update, incorporating the counter value into the en-\ncrypted data. During restoration, applications verify that the counter value equals or exceeds\nthe last known value, preventing replay of outdated snapshots.\nBy combining these techniques, Dstack ensures both the recoverability and integrity of confidential\ndata across portable container migrations and backup scenarios.\nTogether, Dstack-KMS and Dstack-OS provide the foundational infrastructure for truly portable\nconfidential containers that maintain security and integrity across heterogeneous TEE environments\nwhile eliminating vendor lock-in and supporting comprehensive verifiability.\n2.2 Decentralized Code Management\nA core principle of Zero Trust platforms is the enforcement of “Code is Law”, ensuring that application\ncode operates as intended without unexpected modifications. While TEE hardware provides code\nintegrity guarantees during execution, it cannot independently prevent administrators from deploying\nmalicious code or making unauthorized modifications. Conversely, smart contracts have established\nrobust methodologies for implementing programmable governance over code lifecycle management —\nsuch as multi-signature requirements that prevent single-actor manipulation.\nOur decentralized code management framework bridges these two worlds by placing TEE ap-\nplication governance under smart contract control, creating a transparent and auditable system for\napplication deployment and updates that aligns with Web3 principles.\nFigure 6: The architecture of decentralized code management integrates on-chain governance contracts with\noff-chain TEE through Dstack-KMS.\nAs illustrated in Figure 6, our architecture consists of two complementary components: on-chain\ngovernance smart contracts and off-chain TEE execution environments connected through Dstack-\nKMS. This design establishes the on-chain contracts as the definitive root-of-trust for the entire system.\nEvery operation — from initial deployment to code upgrades — must first be initiated and authorized\nthrough the governance contracts before off-chain TEE instances can execute these operations.\nThe governance framework implements a two-tier structure:\n• KmsAuth Contract: Serves as the global authority controlling Dstack-KMS operations. This\ncontract maintains the registry of authorized applications and their governance parameters, en-\nforcing system-wide policies for TEE deployment. By controlling whether Dstack-KMS shares\n9\napplication secrets with specific TEE instances, the KmsAuth contract effectively determines\nwhether applications can decrypt their data, thus controlling their complete lifecycle.\n• AppAuth Contracts: Individual governance contracts deployed for each application that de-\nfine application-specific management rules. These contracts specify permissible code versions\n(through cryptographic hashes), authorized TEE instance identities, and upgrade approval re-\nquirements. This modular approach enables customized governance models ranging from tradi-\ntional multi-signature schemes to complex DAO voting mechanisms, allowing each application\nto implement governance appropriate to its requirements.\nThe enforcement mechanism operates through Dstack-KMS, which will only provide application\nsecrets to TEE instances running code versions explicitly authorized by the governance contracts.\nThis creates a cryptographically enforced governance system where unauthorized code versions cannot\naccess application data, regardless of administrative privileges.\nTo illustrate this mechanism, consider a code upgrade process for an application using a multi-\nsignature AppAuth contract in Figure 6:\n1. Developers publish the new code version and submit its cryptographic hash to the AppAuth\ncontract.\n2. The contract initiates the approval process, requiring signatures from designated key holders\n(e.g., core developers, security auditors, and community representatives).\n3. Each signature is recorded on-chain, creating an immutable audit trail of the approval process.\n4. Once the required signature threshold is reached, the AppAuth contract updates its registry of\nauthorized code versions.\n5. The KmsAuth contract, monitoring the AppAuth contract, updates its authorization records\naccordingly.\n6. Dstack-KMS, which continuously synchronizes with the KmsAuth contract, begins providing\napplication secrets to TEE instances running the newly approved code version.\n7. TEE instances can now deploy the new code with full access to encrypted application data.\nThis process ensures that every code change follows predefined governance rules with complete trans-\nparency. The on-chain approval records create an immutable audit trail that allows users to verify\nthe entire history of application changes, while the cryptographic enforcement through Dstack-KMS\nguarantees that only properly authorized code can access application data.\nBy combining the code integrity guarantees of TEEs with the transparent governance capabilities\nof smart contracts, our decentralized code management framework ensures that applications truly\nembody the ”Code is Law” principle. Every aspect of the application lifecycle—from initial deployment\nto version updates and potential retirement—follows predefined, transparent rules that cannot be\ncircumvented by any single entity, including the platform operators themselves.\n2.3 Verifiable Domain Management\nA complete Zero Trust platform must enable seamless verification for users across both Web3 and\ntraditional Web2 environments. Our Verifiable Domain Management system completes the chain-\nof-trust by allowing standard Web browsers to cryptographically verify TEE applications without\nrequiring any client-side modifications or specialized knowledge.\nThis capability is critical for mainstream adoption, as it allows users to interact with confiden-\ntial applications using familiar tools while maintaining the same security guarantees provided by the\nunderlying TEE infrastructure. We implement this through two complementary components—Dstack-\nIngress and Dstack-Gateway—both leveraging our novel Zero Trust TLS (ZT-TLS) protocol.\nThe fundamental innovation in ZT-TLS is establishing cryptographic proof that a specific TLS\ncertificate (and therefore a domain) is exclusively controlled by a verified TEE application. This\ncreates a verification chain extending from the blockchain to standard HTTPS connections, enabling\nusers to confirm application authenticity through familiar security indicators in their browsers.\n10\nFigure 7: The Zero Trust TLS architecture establishes a cryptographically verifiable connection between\nstandard web browsers and TEE applications through blockchain-anchored certificate management.\n2.3.1 Zero Trust TLS Protocol\nThe ZT-TLS protocol addresses a critical challenge: how to cryptographically bind a domain to a\nspecific TEE application in a way that prevents unauthorized certificate issuance or domain hijacking.\nOur solution integrates three key components:\n• TEE-Generated Certificates: The TEE application (specifically Dstack-Gateway) generates\nits TLS certificate using application secrets derived from Dstack-KMS. This ensures the private\nkey never exists outside the TEE environment and creates a cryptographic link between the\non-chain governance and the TLS certificate.\n• Certificate Authority Authorization (CAA): We leverage DNS CAA records to restrict\nwhich certificate authorities can issue certificates for managed domains. By configuring CAA\nrecords to only authorize certificates from specific issuers (which verify TEE attestation), we\nprevent unauthorized certificate issuance through alternative validation methods.\n• Certificate Transparency (CT) Monitoring: To protect against unauthorized DNS record\nmodifications, we implement continuous monitoring of Certificate Transparency logs. This allows\ndetection of any unauthorized certificates and provides an immutable audit trail of certificate\nissuance history.\n2.3.2 Implementation Components\nWe provide two complementary implementations to accommodate different application requirements:\n• Dstack-Gateway: A fully managed reverse proxy running within a TEE that provides imme-\ndiate domain verification with zero application code changes. Applications register with Dstack-\nGateway through a simple API call, during which Dstack-Gateway verifies the application’s re-\nmote attestation report. Once verified, applications receive a subdomain under a pre-registered\nwildcard domain (e.g., app-id.Dstack.com), with all TLS termination and certificate manage-\nment handled automatically.\n• Dstack-Ingress: A more flexible solution for applications requiring custom domain names.\nDstack-Ingress provides libraries and services that enable applications to manage their own TLS\ncertificates while maintaining the same verification guarantees. This approach requires minimal\nintegration work while supporting application-specific domain requirements.\n11\nBoth implementations ensure that certificates are cryptographically bound to verified TEE environ-\nments, with the verification chain extending from the blockchain governance contracts through to the\nTLS certificates presented to users’ browsers.\n2.3.3 Security Guarantees and Protections\nOur Verifiable Domain Management system provides several critical security guarantees:\n• Certificate Provenance Verification: Users can verify that the TLS certificate presented by\nan application was issued to a legitimate TEE environment by checking the certificate against\non-chain records.\n• Domain Binding Integrity: The combination of CAA records and Certificate Transparency\nmonitoring ensures that domains remain bound to their designated TEE applications, preventing\nunauthorized certificate issuance.\n• Tamper-Evident Certificate Changes: Any unauthorized attempts to modify domain con-\nfigurations or issue alternative certificates are detected through Certificate Transparency moni-\ntoring, with alerts propagated to clients.\nWhile we cannot technically prevent all attacks against centralized DNS infrastructure, our multi-\nlayered approach creates a tamper-evident system where unauthorized changes are quickly detected\nand rejected by client verification processes. This approach aligns with the ”Assume Breach” principle\nby implementing defense-in-depth strategies that maintain security even when individual components\nare compromised.\nBy extending the verification chain from blockchain governance through TEE attestation to stan-\ndard TLS certificates, our Verifiable Domain Management system enables seamless integration of Zero\nTrust applications into existing web infrastructure. This creates a practical path for mainstream\nadoption without requiring specialized knowledge or tools from end users, while maintaining the com-\nprehensive security guarantees that define true Zero Trust platforms.\n3 Verifying TEE Applications: A Practical Walkthrough\nTo demonstrate how Dstack fulfills the Zero Trust principles and addresses the challenges outlined in\nSection 1, we present a practical end-to-end verification scenario. This walkthrough illustrates how\nthe architectural components described in Section 2 work together to provide a comprehensive chain\nof trust for real-world Web3 applications.\nTraditional Zero Trust programs like smart contracts achieve verifiability through transparent\nsource code and inputs. However, extending similar verifiability to real-world applications presents\nunique challenges, particularly in maintaining privacy and compatibility with existing development\npractices. Dstack addresses these challenges through a comprehensive verification framework that\nrequires minimal code changes.\nThis section demonstrates Dstack’s complete chain of trust through a practical example: verifying\nthat a cryptographic key was genuinely generated within a TEE environment. This scenario is es-\npecially relevant for Web3 and AI Agent applications where cryptographic keys establish application\nidentity and authority.\n3.1 Threat Model\nOur verification framework assumes the correct implementation and integrity of core Dstack compo-\nnents (Dstack-OS, Dstack-KMS, Dstack-Gateway, and governance contracts). While these components’\nsecurity guarantees are detailed in later sections, we explicitly consider developers and administrators\nas potential adversaries.\nPotential attack vectors include:\n• Application-Level Attacks\n– Deployment of unauthorized or malicious code through falsified Docker images\n12\n– Introduction of malicious dependencies through supply chain attacks\n– Unauthorized application updates that bypass governance controls\n• Infrastructure-Level Attacks\n– Tampering with Dstack-OS to circumvent security controls\n– Deployment of compromised key management services\n– Operation of unpatched or vulnerable TEE firmware\n– Execution of applications on non-TEE hardware with spoofed attestation\n• Network-Level Attacks\n– DNS hijacking to redirect traffic to unauthorized applications\n– Man-in-the-middle attacks on communication channels\nDirect attacks on TEE hardware security (e.g., exploitation of hardware vulnerabilities) are con-\nsidered out of scope for this discussion and addressed separately.\n3.2 The Reproducibility Challenge\nA fundamental challenge in TEE attestation lies in bridging the gap between source code and the\nactual artifacts (binaries or container images) running inside enclaves. While TEE attestation can\nprove that a specific artifact runs within a secure environment, it cannot independently verify that the\nartifact accurately represents its claimed source code.\nThis limitation creates several security risks:\n• Source Code Manipulation: Developers could intentionally deploy artifacts that differ from\npublicly reviewed source code\n• Build Process Compromise: Supply chain attacks could inject malicious code during artifact\ncreation\n• Toolchain Vulnerabilities: As demonstrated by the Ken Thompson Hack, even compiler\ntoolchains could be compromised to inject malicious behavior\nTEE quotes only attest to measurements (cryptographic hashes) of running artifacts. Without\nguarantees that these artifacts accurately represent reviewed source code, users cannot fully trust ap-\nplications even when running in secure enclaves. This challenge affects all TEE applications, including\nDstack’s core components.\nFigure 8: Comprehensive verification chain from source code to running TEE applications\nEstablishing a complete verification chain requires three key elements:\n13\n• Source Code Verification: Open-source code or trusted third-party review ensuring no back-\ndoors exist\n• Build Process Integrity: Reproducible builds allowing independent verification of artifacts\n• Runtime Attestation: TEE quotes proving that verified artifacts are actually running\nTraditional reproducible builds, while ideal, often introduce significant complexity through special-\nized toolchains and build scripts. The following section introduces an alternative approach, In-CC\nBuild, that achieves similar guarantees with improved practicality.\n3.3 Dstack Component Verifiability\nEach core Dstack component implements specific verifiability mechanisms anchored in transparent,\nimmutable records. Table 1 summarizes these mechanisms:\nComponentSourceBuild MethodRegistryVerification\nDstack-OSOpenReproducibleKmsAuthOS Digest\nDstack-KMSOpenIn-CCKmsAuthImage Hash, Root PubKey\nDstack-GatewayOpenIn-CCAppAuthImage Hash\nTable 1: Verifiability mechanisms and trust anchors for Dstack components\nAll components maintain open-source codebases with comprehensive documentation. Dstack-OS, as\nthe foundational component, undergoes third-party security audits and implements fully reproducible\nbuilds.\nThe governance smart contracts serve as authoritative registries, anchoring each component’s trust\nbase:\n• Dstack-OS digests are registered in KmsAuth and managed through multi-signature governance\n• Dstack-KMS measurements and root public keys are recorded in KmsAuth\n• Dstack-Gateway artifacts are verified through dedicated AppAuth contracts\nIn-ConfidentialContainer Build While reproducible builds represent the gold standard for arti-\nfact verification, they often prove impractical for complex applications. Dstack addresses this through\nIn-CC Build, leveraging the verified Dstack-OS as a trusted foundation. The In-CC Build process\nexecutes entirely within Dstack-OS environment, encompassing code fetching, compilation, and arti-\nfact creation. By specifying precise source references (e.g., a snapshot of the codebase), the system\nproduces verifiable artifacts with measurements attested in TEE quotes. This approach minimizes the\ntrusted computing base while eliminating the complexity of traditional reproducible builds.\n3.4 End-to-End Verification Walkthrough\nFrom a user’s perspective, verifying a TEE application in Dstack requires validating a chain of mea-\nsurements against authoritative registries, encompassing the user application, runtime data, Dstack\ncomponents, and network infrastructure. This section walks through the verification process, demon-\nstrating how each step builds upon the previous one to create a comprehensive chain of trust.\nAs shown in Figure 9, the verification chain begins with the KmsAuth smart contract, which serves\nas the root of trust for the entire system, and concludes with the key generation application running\nin a TEE. We explain the verification steps as follows.\nFirst, the address of the Dstack-KMS governance contract (i.e., KmsAuth) is publicly available.\nThe KMS governance contract serves as the authoritative registry for (1) off-chain KMS nodes and\n(2) dedicated governance contracts (i.e., AppAuth) for TEE applications. It is worth noting that the\nDstack-Gateway can be regarded as a special TEE application that attests and forwards requests to\nother user applications while maintaining consistent verification procedures.\nThe KmsAuth contract records both the measurements of off-chain KMS node programs (KMS\ndigest, which is the hash of the docker compose file and the images used in In-CC Build) and the TDX\n14\nFigure 9: The verification chain from authoritative registries to runtime measurements\nQuote of the first KMS node, which acts as the primary key generator. The identities of subsequent\nKMS nodes must first be registered in KmsAuth and verified by the first KMS node before they\ncan participate in key generation. These data, together with the open-source Dstack-KMS codebase,\nallow users to verify the integrity of the KMS nodes and their code correctness. Subsequently, the\noff-chain KMS nodes can be considered trusted extensions and used to verify Quotes from other TEE\napplications, which cannot be achieved by the on-chain governance contract alone. The off-chain\nKMS nodes are responsible for generating and managing cryptographic keys (i.e., the root key) and\nthe corresponding certificates (explained in Section 2.3.1), which are further used to authorize TEE\napplications after they are verified, thereby avoiding redundant verification.\nSecond, users can verify the validity of Dstack-Gateway. By default, this is delegated to the off-\nchain KMS nodes during gateway registration, although users can always request the Quote of the\ngateway and check the digest of its docker compose file in its governance contract and the codebase.\nAfter the KMS nodes verify the gateway, it will generate its application root key along with a certificate\nchain ending with the root certificate.\nNext, users can access the TEE application through Dstack-Gateway forwarding. In this case, users\neffectively delegate the verification of the key generation application to the gateway. The deployment\nof the key generation application starts from the KmsAuth contract. The deployer first registers it\nand stores the digest (the hash of the docker compose file and the images) on the dedicated AppAuth\ncontract. Then, as in the previous step, the off-chain KMS nodes verify the Quote of the application\nafter it is deployed to the TEE and ensure it matches the registered digest. Only after successful\nverification will the key be generated along with the certificate chain. To be forwarded by the gateway,\nthe application must also register with it. In this case, the gateway verifies the application’s certificate\nchain and ensures it shares the same root certificate, indicating authorization by the same KMS.\nFinally, the user can invoke the application and request proof of the key it generated. The applica-\ntion can generate a Quote on demand, with the generated public key included as custom data in the\nQuote.\n15\n3.5 Security Analysis: Mitigating Threats\nOur key generation example demonstrates Dstack’s comprehensive approach to security across multiple\nattack surfaces. At the application level, the system prevents unauthorized code deployment through\nrigorous measurement verification against the AppAuth registry. The In-CC Build process ensures\nall dependencies originate from verified sources, while any updates require new registry entries and\ncomplete re-verification. It is important to note, however, that code audit and review processes remain\nessential for ensuring application code correctness, as the In-CC Build only guarantees the integrity of\nthe build process.\nInfrastructure security is maintained through multiple mechanisms. TDX Quotes verify Dstack-OS\nintegrity, preventing OS-level tampering. KMS updates require multi-signature governance approval,\nsafeguarding against unauthorized changes to key management services. The Quote verification pro-\ncess includes firmware version validation, ensuring applications run on up-to-date TEE hardware.\nHardware-backed TDX Quotes effectively prevent attestation spoofing attempts.\nNetwork-level threats are mitigated through the certificate chain validation system. This prevents\nboth DNS hijacking and man-in-the-middle attacks by ensuring authentic application identity and\nenabling end-to-end encryption with verified certificates. The combination of these security measures\nensures that cryptographic keys maintain their integrity guarantees even when confronted with sophis-\nticated attacks targeting different system layers.\nReferences\n16"
}
]
}
]Response:
# Project Proposal Template
## General Information
1.1. Name of Project
Dstack
1.2. Project Description (what it does, why it is valuable, origin and history)
Dstack is a developer-friendly and security-first SDK that simplifies the deployment of arbitrary containerized applications into Trusted Execution Environments (TEEs). It enables developers to securely deploy containerized applications in TEEs in minutes using familiar tools like docker-compose.yaml. Dstack provides safe management of secrets and sensitive data, along with built-in TLS termination for exposed services.
The project was built by Kevin Wang and others from Phala Network, inspired by Andrew Miller (Flashbots & Teleport), and has received contributions from Nethermind and many others. Dstack addresses the gap between raw TEE technology and Zero Trust platform requirements by providing portable confidential containers, decentralized code management, and verifiable domain management.
1.3. How does this project align with the Consortium's Mission Statement
[blank]
1.4. Project website URL
https://docs.phala.network/dstack/overview (inferred from documentation references)
1.5. Social media accounts
[blank]
## Legal Information
2.1. Project Logo URL or attachment (Vector Graphic: SVG, EPS).
[blank]
2.2. Project license. We recommend an OSI-approved license, so if the license is not one on the list, explain why.
Apache License, Version 2.0
2.3. Existing financial sponsorship.
[blank]
2.4. Trademark status.
[blank]
## Technical Information
3.1. High level assessment of project synergy with existing projects under the CCC, including how the project compliments/overlaps with existing projects, and potential ways to harmonize over time. Responses may be included both inline and/or in accompanying documentation.
[blank]
3.2. Describe the Trusted Computing Base (TCB) of the project. If the project supports multiple environments please describe each TCB. Also identify if dependencies of other project (both CCC or non-CCC) TCBs are taken.
Dstack's TCB includes:
- Dstack-OS: A minimized operating system image that serves as a hardware abstraction layer
- OVMF (Open Virtual Machine Firmware): Configures VM hardware specifications
- Linux kernel with initial ramdisk (initrd)
- Root filesystem with essential system libraries and tools
- Intel TDX or equivalent TEE hardware as the foundation
The system establishes a secure and verifiable startup chain from TEE hardware through to user applications, with each component measuring the next and recording measurements in hardware registers that are incorporated into TEE attestation reports.
3.3. Project Code of Conduct URL. We recommend a Contributor Covenant v2.0 based Code of Conduct, so if the Code of Conduct is not based on that, explain why.
[blank]
3.4. Source control URL
https://github.com/Dstack-TEE/dstack
3.5. Issue tracker URL
https://github.com/Dstack-TEE/dstack/issues (inferred)
3.6. External dependencies (including licenses, and indicate whether each is a build time or runtime dependency)
- Intel TDX or equivalent TEE hardware (runtime)
- Linux kernel (runtime)
- Docker/container runtime (runtime)
- Busybox (runtime)
- LUKS for encryption (runtime)
- Wireguard-tools (build time)
- Build-essential, chrpath, diffstat, lz4, xorriso (build time)
- Rust (build time)
3.7. Standards implemented by the project, if any. Include links to any such standards.
- TLS/HTTPS for secure communications
- Certificate Transparency (CT) for certificate monitoring
- Certificate Authority Authorization (CAA) for domain security
- Remote Attestation for TEE verification
3.8. Release methodology and mechanics
[blank]
3.9. Names of initial committers, if different from those submitting proposal
Initial committers include:
- Kevin Wang (kvinwang)
- Shelven Zhou (shelvenzhou)
- Leechael
3.10. List of project's official communication channels (slack, irc, mailing lists)
[blank]
3.11. Project Security Response Policy
[blank]
3.12. Preferred maturity level (Incubation, Graduation, or Emeritus)
[blank]
3.13. Any additional information the TAC and Board should take into consideration when reviewing your proposal.
Dstack includes several key components:
- dstack-vmm: Service running on bare TDX host to manage CVMs
- dstack-gateway: Reverse proxy to forward TLS connections to CVMs
- dstack-kms: KMS server to generate keys for CVMs
- dstack-guest-agent: Service in CVM to serve containers' key derivation and attestation requests
- meta-dstack: Yocto meta layer to build CVM guest images
The project provides innovative solutions for portable confidential containers, decentralized code management, and verifiable domain management, addressing critical limitations in current TEE implementations for Web3 contexts.
Model: claude-3-7-sonnet-202502192025-06-25 05:58:17
Context:
[
{
"role": "user",
"content": "我想要一个读论文时的高亮方案来帮助我后续对其中的信息进行整理。"
},
{
"role": "assistant",
"content": "# 论文阅读高亮方案\n\n为了帮助你高效阅读和整理论文信息,我设计了以下高亮方案,将不同类型的内容用不同颜色标记,便于后续整理和回顾。\n\n## 颜色编码系统\n\n### 🟨 黄色:核心观点和结论\n- 论文的主要论点\n- 研究结果和结论\n- 作者提出的新理论或模型\n\n### 🟩 绿色:方法和实验设计\n- 研究方法的描述\n- 实验设计和步骤\n- 数据收集过程\n- 分析技术\n\n### 🟦 蓝色:重要数据和证据\n- 关键数据点和统计结果\n- 图表中的重要发现\n- 支持论点的证据\n\n### 🟪 紫色:术语和定义\n- 领域特定术语\n- 作者提出的新概念\n- 重要定义\n\n### 🟧 橙色:研究背景和文献综述\n- 相关工作的引用\n- 研究领域的历史背景\n- 与其他研究的关系\n\n### 🟥 红色:局限性和未来研究方向\n- 研究的局限性\n- 作者承认的缺陷\n- 未来研究建议\n\n## 使用符号系统\n\n除了颜色标记,你还可以使用以下符号进一步细化你的笔记:\n\n- ⭐ 特别重要的信息\n- ❓ 需要进一步研究或不清楚的内容\n- 💡 启发了你自己的想法\n- 🔄 与你之前读过的论文相关联的内容\n- ⚠️ 有争议或可能有问题的观点\n\n## 整理建议\n\n1. **阅读后总结**:每篇论文阅读完成后,花5-10分钟写一个简短摘要,包含主要观点和你的思考\n\n2. **创建概念图**:将相关论文的关键点连接起来,形成概念网络\n\n3. **建立文献数据库**:使用文献管理软件(如Zotero、Mendeley)存储论文并添加带颜色编码的笔记\n\n4. **定期复习**:每周回顾你的高亮内容,加深理解并发现新联系\n\n这个高亮方案可以根据你的具体研究领域和个人习惯进行调整,希望能帮助你更有效地组织和利用论文中的信息。"
},
{
"role": "user",
"content": "太多了 控制在四种颜色"
}
]Response:
# 简化论文阅读高亮方案(四色系统)
为了保持简洁高效,以下是精简为四种颜色的论文阅读高亮方案:
## 颜色编码系统
### 🟨 黄色:核心内容
- 论文的主要论点和结论
- 研究的关键发现
- 作者提出的新理论或模型
- 重要的定义和概念
### 🟩 绿色:方法与数据
- 研究方法和实验设计
- 数据收集和分析过程
- 关键数据点和统计结果
- 重要图表中的发现
### 🟦 蓝色:背景与关联
- 研究背景和文献综述
- 与其他研究的关系
- 相关工作的引用
- 学术脉络和理论框架
### 🟥 红色:批判性内容
- 研究的局限性和缺陷
- 未来研究方向
- 有争议或可能有问题的观点
- 你自己的批判性思考和问题
## 使用技巧
1. **保持一致性**:在所有论文中使用相同的颜色系统
2. **结合笔记**:在页边空白处添加简短笔记,与高亮内容对应
3. **阅读后整理**:将高亮内容按颜色分类整理到笔记中,形成结构化知识
4. **定期回顾**:通过回顾不同颜色的高亮内容,快速重温论文要点
这个四色系统简单易用,同时仍能有效区分论文中的不同类型信息,帮助你高效整理和回顾学术内容。
Model: gpt-4o-mini-2024-07-182025-06-25 05:58:03
Context:
[
{
"role": "system",
"content": "You are an assistant who is good at conversation. You need to summarize the user's conversation into a title of 10 characters or less. It should be in the format of \"Action - Title\". Some examples:\n1. Learn - Bitcoin 2. Code - Web Server 3. Write - An Article"
},
{
"role": "user",
"content": "[{\"role\":\"user\",\"mainText\":\"我想要一个读论文时的高亮方案来帮助我后续对其中的信息进行整理。\"},{\"role\":\"assistant\",\"mainText\":\"# 论文阅读高亮方案\\n\\n为了帮助你高效阅读和整理论文信息,我设计了以下高亮方案,将不同类型的内容用不同颜色标记,便于后续整理和回顾。\\n\\n## 颜色编码系统\\n\\n### 🟨 黄色:核心观点和结论\\n- 论文的主要论点\\n- 研究结果和结论\\n- 作者提出的新理论或模型\\n\\n### 🟩 绿色:方法和实验设计\\n- 研究方法的描述\\n- 实验设计和步骤\\n- 数据收集过程\\n- 分析技术\\n\\n### 🟦 蓝色:重要数据和证据\\n- 关键数据点和统计结果\\n- 图表中的重要发现\\n- 支持论点的证据\\n\\n### 🟪 紫色:术语和定义\\n- 领域特定术语\\n- 作者提出的新概念\\n- 重要定义\\n\\n### 🟧 橙色:研究背景和文献综述\\n- 相关工作的引用\\n- 研究领域的历史背景\\n- 与其他研究的关系\\n\\n### 🟥 红色:局限性和未来研究方向\\n- 研究的局限性\\n- 作者承认的缺陷\\n- 未来研究建议\\n\\n## 使用符号系统\\n\\n除了颜色标记,你还可以使用以下符号进一步细化你的笔记:\\n\\n- ⭐ 特别重要的信息\\n- ❓ 需要进一步研究或不清楚的内容\\n- 💡 启发了你自己的想法\\n- 🔄 与你之前读过的论文相关联的内容\\n- ⚠️ 有争议或可能有问题的观点\\n\\n## 整理建议\\n\\n1. **阅读后总结**:每篇论文阅读完成后,花5-10分钟写一个简短摘要,包含主要观点和你的思考\\n\\n2. **创建概念图**:将相关论文的关键点连接起来,形成概念网络\\n\\n3. **建立文献数据库**:使用文献管理软件(如Zotero、Mendeley)存储论文并添加带颜色编码的笔记\\n\\n4. **定期复习**:每周回顾你的高亮内容,加深理解并发现新联系\\n\\n这个高亮方案可以根据你的具体研究领域和个人习惯进行调整,希望能帮助你更有效地组织和利用论文中的信息。\"}]"
}
]Response:
Highlight - 论文方案
Model: claude-3-7-sonnet-202502192025-06-25 05:58:02
Context:
[
{
"role": "user",
"content": "我想要一个读论文时的高亮方案来帮助我后续对其中的信息进行整理。"
}
]Response:
# 论文阅读高亮方案
为了帮助你高效阅读和整理论文信息,我设计了以下高亮方案,将不同类型的内容用不同颜色标记,便于后续整理和回顾。
## 颜色编码系统
### 🟨 黄色:核心观点和结论
- 论文的主要论点
- 研究结果和结论
- 作者提出的新理论或模型
### 🟩 绿色:方法和实验设计
- 研究方法的描述
- 实验设计和步骤
- 数据收集过程
- 分析技术
### 🟦 蓝色:重要数据和证据
- 关键数据点和统计结果
- 图表中的重要发现
- 支持论点的证据
### 🟪 紫色:术语和定义
- 领域特定术语
- 作者提出的新概念
- 重要定义
### 🟧 橙色:研究背景和文献综述
- 相关工作的引用
- 研究领域的历史背景
- 与其他研究的关系
### 🟥 红色:局限性和未来研究方向
- 研究的局限性
- 作者承认的缺陷
- 未来研究建议
## 使用符号系统
除了颜色标记,你还可以使用以下符号进一步细化你的笔记:
- ⭐ 特别重要的信息
- ❓ 需要进一步研究或不清楚的内容
- 💡 启发了你自己的想法
- 🔄 与你之前读过的论文相关联的内容
- ⚠️ 有争议或可能有问题的观点
## 整理建议
1. **阅读后总结**:每篇论文阅读完成后,花5-10分钟写一个简短摘要,包含主要观点和你的思考
2. **创建概念图**:将相关论文的关键点连接起来,形成概念网络
3. **建立文献数据库**:使用文献管理软件(如Zotero、Mendeley)存储论文并添加带颜色编码的笔记
4. **定期复习**:每周回顾你的高亮内容,加深理解并发现新联系
这个高亮方案可以根据你的具体研究领域和个人习惯进行调整,希望能帮助你更有效地组织和利用论文中的信息。
Model: gpt-4o-mini-2024-07-182025-06-25 01:53:55
Context:
[
{
"role": "system",
"content": "You are an assistant who is good at conversation. You need to summarize the user's conversation into a title of 10 characters or less. It should be in the format of \"Action - Title\". Some examples:\n1. Learn - Bitcoin 2. Code - Web Server 3. Write - An Article"
},
{
"role": "user",
"content": "[{\"role\":\"user\",\"mainText\":\"把这个docker compose file转成直接的docker command\\nservices:\\n app:\\n image: olehnemi/tee-rex:0.0.14\\n container_name: app\\n ports:\\n - \\\"80:80\\\"\\n volumes:\\n - /var/run/tappd.sock:/var/run/tappd.sock\"},{\"role\":\"assistant\",\"mainText\":\"要将这个 Docker Compose 文件转换为直接的 Docker 命令,您可以使用以下命令:\\n\\n```bash\\ndocker run -d \\\\\\n --name app \\\\\\n -p 80:80 \\\\\\n -v /var/run/tappd.sock:/var/run/tappd.sock \\\\\\n olehnemi/tee-rex:0.0.14\\n```\\n\\n这个命令的解释:\\n- `-d`: 在后台运行容器(detached 模式)\\n- `--name app`: 将容器命名为 \\\"app\\\"\\n- `-p 80:80`: 将主机的 80 端口映射到容器的 80 端口\\n- `-v /var/run/tappd.sock:/var/run/tappd.sock`: 挂载主机上的 /var/run/tappd.sock 到容器内的相同路径\\n- `olehnemi/tee-rex:0.0.14`: 使用的镜像名称和标签\"}]"
}
]Response:
Convert - Docker
Model: claude-3-7-sonnet-202502192025-06-25 01:53:54
Context:
[
{
"role": "user",
"content": "把这个docker compose file转成直接的docker command\nservices:\n app:\n image: olehnemi/tee-rex:0.0.14\n container_name: app\n ports:\n - \"80:80\"\n volumes:\n - /var/run/tappd.sock:/var/run/tappd.sock"
}
]Response:
要将这个 Docker Compose 文件转换为直接的 Docker 命令,您可以使用以下命令:
```bash
docker run -d \
--name app \
-p 80:80 \
-v /var/run/tappd.sock:/var/run/tappd.sock \
olehnemi/tee-rex:0.0.14
```
这个命令的解释:
- `-d`: 在后台运行容器(detached 模式)
- `--name app`: 将容器命名为 "app"
- `-p 80:80`: 将主机的 80 端口映射到容器的 80 端口
- `-v /var/run/tappd.sock:/var/run/tappd.sock`: 挂载主机上的 /var/run/tappd.sock 到容器内的相同路径
- `olehnemi/tee-rex:0.0.14`: 使用的镜像名称和标签
Model: gpt-4o-mini-2024-07-182025-06-25 01:42:53
Context:
[
{
"role": "system",
"content": "You are an assistant who is good at conversation. You need to summarize the user's conversation into a title of 10 characters or less. It should be in the format of \"Action - Title\". Some examples:\n1. Learn - Bitcoin 2. Code - Web Server 3. Write - An Article"
},
{
"role": "user",
"content": "[{\"role\":\"user\",\"mainText\":\"docker run怎么限制cpu数量\"},{\"role\":\"assistant\",\"mainText\":\"# 使用Docker Run限制CPU数量\\n\\nDocker允许您在运行容器时限制其可以使用的CPU资源。以下是几种限制CPU的方法:\\n\\n## 1. 使用`--cpus`选项\\n\\n这个选项指定容器可以使用的CPU数量(可以是小数):\\n\\n```bash\\ndocker run --cpus=2 my-image\\n```\\n\\n上面的命令限制容器最多使用2个CPU核心。\\n\\n## 2. 使用`--cpu-period`和`--cpu-quota`选项\\n\\n这两个选项一起使用可以更精细地控制CPU使用率:\\n\\n```bash\\ndocker run --cpu-period=100000 --cpu-quota=200000 my-image\\n```\\n\\n这表示在每100,000微秒的周期内,容器最多可以使用200,000微秒的CPU时间,相当于2个CPU核心。\\n\\n## 3. 使用`--cpuset-cpus`选项\\n\\n如果您想指定容器可以使用哪些特定的CPU核心:\\n\\n```bash\\ndocker run --cpuset-cpus=\\\"0,1\\\" my-image\\n```\\n\\n这限制容器只能使用CPU核心0和1。\\n\\n## 4. 使用`--cpu-shares`选项\\n\\n设置容器相对权重(默认为1024):\\n\\n```bash\\ndocker run --cpu-shares=512 my-image\\n```\\n\\n这设置容器的CPU共享权重为512,当系统繁忙时,它将获得默认容器一半的CPU时间。\\n\\n## 示例组合使用\\n\\n限制容器使用1.5个CPU核心,并且只能使用CPU 0和CPU 1:\\n\\n```bash\\ndocker run --cpus=1.5 --cpuset-cpus=\\\"0,1\\\" my-image\\n```\\n\\n注意:这些限制仅在CPU资源竞争时生效,如果系统有足够的空闲CPU资源,容器可能会使用超过限制的CPU。\"}]"
}
]Response:
Limit - CPU Num
Model: claude-3-7-sonnet-202502192025-06-25 01:42:51
Context:
[
{
"role": "user",
"content": "docker run怎么限制cpu数量"
}
]Response:
# 使用Docker Run限制CPU数量
Docker允许您在运行容器时限制其可以使用的CPU资源。以下是几种限制CPU的方法:
## 1. 使用`--cpus`选项
这个选项指定容器可以使用的CPU数量(可以是小数):
```bash
docker run --cpus=2 my-image
```
上面的命令限制容器最多使用2个CPU核心。
## 2. 使用`--cpu-period`和`--cpu-quota`选项
这两个选项一起使用可以更精细地控制CPU使用率:
```bash
docker run --cpu-period=100000 --cpu-quota=200000 my-image
```
这表示在每100,000微秒的周期内,容器最多可以使用200,000微秒的CPU时间,相当于2个CPU核心。
## 3. 使用`--cpuset-cpus`选项
如果您想指定容器可以使用哪些特定的CPU核心:
```bash
docker run --cpuset-cpus="0,1" my-image
```
这限制容器只能使用CPU核心0和1。
## 4. 使用`--cpu-shares`选项
设置容器相对权重(默认为1024):
```bash
docker run --cpu-shares=512 my-image
```
这设置容器的CPU共享权重为512,当系统繁忙时,它将获得默认容器一半的CPU时间。
## 示例组合使用
限制容器使用1.5个CPU核心,并且只能使用CPU 0和CPU 1:
```bash
docker run --cpus=1.5 --cpuset-cpus="0,1" my-image
```
注意:这些限制仅在CPU资源竞争时生效,如果系统有足够的空闲CPU资源,容器可能会使用超过限制的CPU。
Model: gpt-4o-mini-2024-07-182025-06-24 12:32:35
Context:
[
{
"role": "system",
"content": "You are an assistant who is good at conversation. You need to summarize the user's conversation into a title of 10 characters or less. It should be in the format of \"Action - Title\". Some examples:\n1. Learn - Bitcoin 2. Code - Web Server 3. Write - An Article"
},
{
"role": "user",
"content": "[{\"role\":\"user\",\"mainText\":\"帮我总结下邮件内容\\n\\n```\\nalt.hn\\n5/15/2025 at 4:19:00 PM\\n\\nLaunch HN: Tinfoil (YC X25): Verifiable Privacy for Cloud AI\\nby FrasiertheLion\\n\\n5/15/2025 at 6:52:24 PM\\n\\nLooks great. Not sure how big the market is between \\\"need max privacy, need on-prem\\\" and \\\"don't care, just use what is cheap/popular\\\" tho.\\nCan you talk about how this relates to / is different / is differentiated from what Apple claimed to do during their last WWDC? They called it \\\"private cloud compute\\\". (To be clear, after 11 months, this is still \\\"announced\\\", with no implementation anywhere, as far as I can see.)\\n\\nHere is their blog post on Apple Security, dated June 10: https://security.apple.com/blog/private-cloud-compute/\\n\\nEDIT: JUST found the tinfoil blog post on exactly this topic. https://tinfoil.sh/blog/2025-01-30-how-do-we-compare\\n\\nby sigmaisaletter\\n\\n5/16/2025 at 2:13:36 AM\\n\\nAnecdotal, but I work at a company offering an SMB product with LLM features. One of the first questions asked on any demo or sales call is what the privacy model for the LLM is, how the data is used, who has access to it, and can those features be disabled.\\nby _heimdall\\n\\n5/15/2025 at 7:10:02 PM\\n\\nPrivate Cloud Compute has been in use since iOS 18 released.\\nby davidczech\\n\\n5/15/2025 at 9:29:40 PM\\n\\nIt seems that PCC indeed went live with 18.1 - tho not in Europe (which is where I am located). Thanks for the heads up, I will look into this further.\\nby sigmaisaletter\\n\\n5/16/2025 at 12:10:54 PM\\n\\nThere are a few stories on the 'max privacy' stuff; one of the stories goes that you have two companies each with something private that needs to combine their stuff without letting the other see it; for example a bank with customer transactions and a company with analytics software they don't want to share; a system like this lets the bank put their transaction data through that analytics software without anyone being able to see the transaction data or the software. The next level on that is where two banks need to combine the transaction data to spot fraud, where you've now got three parties involved on one server.\\nby trebligdivad\\n\\n5/15/2025 at 8:19:51 PM\\n\\nCompanies like Edgeless Systems have been building open-source confidential computing for cloud and AI for years, they are open-source, and have published in 2024 how they compare to Apple Private Cloud Compute. https://www.edgeless.systems/blog/apple-private-cloud-comput...\\nby ts6000\\n\\n5/15/2025 at 8:05:14 PM\\n\\nPrivate Cloud Compute has been live in production for 8 months\\nby DrBenCarson\\n\\n5/15/2025 at 9:29:47 PM\\n\\nIt seems that PCC indeed went live with 18.1 - tho not in Europe (which is where I am located). Thanks for the heads up, I will look into this further.\\nby sigmaisaletter\\n\\n5/15/2025 at 5:58:40 PM\\n\\nHow large do you wager your moat to be? Confidential computing is something all major cloud providers either have or are about to have and from there it's a very small step to offer LLM-s under the same umbrella. First mover advantage is of course considerable, but I can't help but feel that this market will very quickly be swallowed by the hyperscalers.\\nby Etheryte\\n\\n5/15/2025 at 10:57:32 PM\\n\\nCloud providers aren't going to care too much about this.\\nI have worked for many enterprise companies e.g. banks who are trialling AI and none of them have any use for something like this. Because the entire foundation of the IT industry is based on trusting the privacy and security policies of Azure, AWS and GCP. And in the decades since they've been around not heard of a single example of them breaking this.\\n\\nThe proposition here is to tell a company that they can trust Azure with their banking websites, identity services and data engineering workloads but not for their model services. It just doesn't make any sense. And instead I should trust a YC startup who statistically is going to be gone in a year and will likely have their own unique set of security and privacy issues.\\n\\nAlso you have the issue of smaller sized open source models e.g. DeepSeek R1 lagging far behind the bigger ones and so you're giving me some unnecessary privacy attestation at the expense of a model that will give me far better accuracy and performance.\\n\\nby threeseed\\n\\n5/16/2025 at 12:48:50 PM\\n\\n> Cloud providers aren't going to care too much about this. ... [E]nterprise companies e.g. banks ... and none of them have any use for something like this.\\nAs former CTO of world's largest bank and cloud architect at world's largest hedge fund, this is exactly opposite of my experience with both regulated finance enterprises and the CSPs vying to serve them.\\n\\nThe entire foundation of the IT industry is based on trusting the privacy and security policies of Azure, AWS and GCP. And in the decades since they've been around not heard of a single example of them breaking this.\\n\\nOn the contrary, many global banks design for the assumption the \\\"CSP is hostile\\\". What happened to Coinbase's customers the past few months shows why your vendor's insider threat is your threat and your customers' threat.\\n\\nGranted, this annoys CSPs who wish regulators would just let banks \\\"adopt\\\" the CSP's controls and call it a day.\\n\\nUnfortunately for CSP sales teams — certainly this could change with recent regulator policy changes — the regulator wins. Until very recently, only one CSP offered controls sufficient to assure your own data privacy beyond a CSP's pinky-swears. AWS Nitro Enclaves can provide a key component in that assurance, using deployment models such as tinfoil.\\n\\nby Terretta\\n\\n5/15/2025 at 6:12:32 PM\\n\\nBeing gobbled by the hyperscalers may well be the plan. Reasonable bet.\\nby itsafarqueue\\n\\n5/16/2025 at 1:10:58 AM\\n\\nGCP has confidential VMs with H100 GPUs; I'm not sure if Google would be interested. And they get huge discount buying GPUs in bulk. The trade-off between cost and privacy is obvious for most users imo.\\nby kevinis\\n\\n5/15/2025 at 6:34:04 PM\\n\\nThis. Big tech providers already offer confidential inference today.\\nby ATechGuy\\n\\n5/15/2025 at 6:44:25 PM\\n\\nYes Azure has! They have very different trust assumptions though. We wrote about this here https://tinfoil.sh/blog/2025-01-30-how-do-we-compare\\nby julesdrean\\n\\n5/15/2025 at 6:52:22 PM\\n\\nLast I checked it was only Azure offering the Nvidia specific confidential compute extensions, I'm likely out of date - a quick Google was inconclusive.\\nHave GCP and AWS started offering this for GPUs?\\n\\nby mnahkies\\n\\n5/15/2025 at 7:16:55 PM\\n\\nGCP, yes: https://cloud.google.com/confidential-computing/confidential...\\nby candiddevmike\\n\\n5/15/2025 at 7:37:49 PM\\n\\nAzure and GCP offer Confidential VMs which removes trust from the cloud providers. We’re trying to also remove trust in the service provider (aka ourselves). One example is that when you use Azure or GCP, by default, the service operator can SSH into the VM. We cannot SSH into our inference server and you can check that’s true.\\nby julesdrean\\n\\n5/15/2025 at 11:03:05 PM\\n\\nBut nobody wants you as a service provider. Everyone wants to have Gemini, OpenAI etc which are significantly better than the far smaller and less capable model you will be able to afford to host.\\nAnd you make this claim that the cloud provider can SSH into the VM but (a) nobody serious exposes SSH ports in Production and (b) there is no documented evidence of this ever happening.\\n\\nby threeseed\\n\\n5/15/2025 at 11:31:53 PM\\n\\nWe're not competing with Gemini or OpenAI or the big cloud providers. For instance, Google is partnering with NVIDIA to ship Gemini on-prem to regulated industries in a CC environment to protect their model weights as well as for additional data privacy on-prem: https://blogs.nvidia.com/blog/google-cloud-next-agentic-ai-r...\\nWe're simply trying to bring similar capabilities to other companies. Inference is just our first product.\\n\\n>cloud provider can SSH into the VM\\n\\nThe point we were making was that CC was traditionally used to remove trust from cloud providers, but not the application provider. We are further removing trust from ourselves (as the application provider), and we can enable our customers (who could be other startups or neoclouds) to remove trust from themselves and prove that to their customers.\\n\\nby FrasiertheLion\\n\\n5/15/2025 at 11:55:46 PM\\n\\nYou are providing the illusion of trust though.\\nThere are a multitude of components between my app and your service. You have secured one of them arguably the least important. But you can't provide any guarantees over say your API server that my requests are going through. Or your networking stack which someone e.g. a government could MITM.\\n\\nby threeseed\\n\\n5/16/2025 at 12:19:20 AM\\n\\nI don't know anything about \\\"secure enclaves\\\" but I assume that this part is sorted out. It should be possible to use http with it I imagine. If not, yeah it is totally dumb from a conceptual standpoint.\\nby osigurdson\\n\\n5/15/2025 at 6:17:24 PM\\n\\nConfidential computing as a technology will become (and should be) commoditized, so the value add comes down to security and UX. We don’t want to be a confidential computing company, we want to use the right tool for the job of building private & verifiable AI. If that becomes FHE in a few years, then we will use that. We are starting with easy-to-use inference, but our goal of having any AI application be provably private\\nby 3s\\n\\n5/16/2025 at 12:07:29 PM\\n\\nI suspect Nvidia have done a lot of the heavy lifting to make this work; but it's not that trivial to wire the CPU and GPU confidential compute together.\\nby trebligdivad\\n\\n5/15/2025 at 6:12:16 PM\\n\\nDoes this not require one to trust the hardware? I'm not an expert in hardware root of trust, etc, but if Intel (or whatever chip maker) decides to just sign code that doesn't do what they say it does (coerced or otherwise) or someone finds a vuln; would that not defeat the whole purpose?\\nI'm not entirely sure this is different than \\\"security by contract\\\", except the contracts get bigger and have more technology around them?\\n\\nby amanda99\\n\\n5/15/2025 at 6:29:00 PM\\n\\nWe have to trust the hardware manufacturer (Intel/AMD/NVIDIA) designed their chips to execute the instructions we inspect, so we're assuming trust in vendor silicon either way.\\nThe real benefit of confidential computing is to extend that trust to the source code too (the inference server, OS, firmware).\\n\\nMaybe one day we’ll have truly open hardware ;)\\n\\nby natesales\\n\\n5/15/2025 at 8:34:37 PM\\n\\nHi Nate. Routinely your various networking-related FOSS tools. Surprising to see you now work in the AI infrastructure space let alone co-founding a startup funded by YC! Tinfoil looks über neat. All the best (:\\n> Maybe one day we'll have truly open hardware\\n\\nAt least the RoT/SE if nothing else: https://opentitan.org/\\n\\nby ignoramous\\n\\n5/15/2025 at 9:00:36 PM\\n\\nLove Open Titan! RISC-V all the way babe! The team is bunker: several of my labmates now work there\\nby julesdrean\\n\\n5/16/2025 at 4:08:20 PM\\n\\nIsn't this not the case for FHE? (I understand that FHE is not practically viable as you guys mention in the OP.)\\nby perching_aix\\n\\n5/16/2025 at 4:55:55 PM\\n\\nYeah not the case for FHE. But yes, not practically viable. We would be happy to switch as soon as it is.\\nby FrasiertheLion\\n\\n5/15/2025 at 9:04:21 PM\\n\\nI agree, it's lifting trust to the manufacturer (which could still be an improvement over the cloud status quo).\\nAnother (IMO more likely) scenario is someone finds a hardware vulnerability (or leaked signing keys) that let's them achieve a similar outcome.\\n\\nby rkagerer\\n\\n5/15/2025 at 6:38:45 PM\\n\\nThe only way to guarantee privacy in cloud computing is via homorphic encryption.\\nThis approach relies too much on trust.\\n\\nIf you have data you are seriously sensitive about, its better for you to run models locally on air gapped instances.\\n\\nIf you think this is an overkill, just see what happened to coinbase of recent. [0]\\n\\n[0]: https://www.cnbc.com/2025/05/15/coinbase-says-hackers-bribed...\\n\\nby max_\\n\\n5/15/2025 at 6:44:11 PM\\n\\nYeah, totally agree with you. We would love to use FHE as soon as it's practical. And if you have the money and infra expertise to deploy air gapped LLMs locally, you should absolutely do that. We're trying to do the best we can with today's technology, in a way that is cheap and accessible to most people.\\nby FrasiertheLion\\n\\n5/15/2025 at 11:50:47 PM\\n\\n> The only way to guarantee privacy in cloud computing is via homorphic encryption\\nNo. The only way is to not use cloud computing at all and go on-premise.\\n\\nWhich is what companies around the world do today for security or privacy critical workloads.\\n\\nby threeseed\\n\\n5/16/2025 at 12:54:35 PM\\n\\n> The only way is to not use cloud computing at all and go on-premise.\\nThis point of view may be based on a lack of information about how global finance handles security and privacy critical workloads in high-end cloud.\\n\\nGlobal banks and the CSPs that serve them have by and large solved this problem by the late 2010s - early 2020s.\\n\\nWhile much of the work is not published, you can look for presentations at AWS reInvent from e.g. Goldman Sachs or others willing to share about it, talking about cryptographic methods, enclaves, formal reasoning over not just code but things like reachability, and so on, to see the edges of what's being done in this space.\\n\\nby Terretta\\n\\n5/15/2025 at 8:44:00 PM\\n\\nTinfoil hat on: say you are compelled to execute a FISA warrant and access the LLM data, is it technically possible? What about an Australian or UK style \\\"please add a backdoor\\\".\\nI see you have to trust NVidia etc. so maybe there are such backdoors.\\n\\nby coolcase\\n\\n5/15/2025 at 10:43:47 PM\\n\\nAn attacker would need to compromise our build pipeline to publish a backdoored VM image [1] and extract key material to forge an attestation from the hardware [2]. The build process publishes a hash of the code to Sigstore’s transparency log [3], which would make the attack auditable.\\nThat said, a sufficiently resourced attacker wouldn’t need to inject a backdoor at all. If the attacker already possesses the keys (e.g. the attacker IS the hardware manufacturer, or they’ve coerced the manufacturer to hand the keys over), then they would just need to gain access to the host server (which we control) to get access to the hypervisor, then use their keys to read memory or launch a new enclave with a forged attestation. We're planning on writing a much more detailed blog post about \\\"how to hack ourselves\\\" in the future.\\n\\nWe actually plan to do an experiment at DEFCON, likely next year where we gives ssh access to a test machine running the enclave and have people try to exfiltrate data from inside the enclave while keeping the machine running.\\n\\n[1] https://github.com/tinfoilsh/cvmimage\\n\\n[2] https://arxiv.org/abs/2108.04575\\n\\n[3] https://github.com/tinfoilsh/cvmimage/attestations\\n\\nby natesales\\n\\n5/15/2025 at 9:24:19 PM\\n\\nWhat's your revenue model?\\nThe pricing page implies you're basically reselling access to confidential-wrapped AI instances.\\n\\nSince you rightly open-sourced the code (AGPL) is there anything stopping the cloud vendors from running and selling access to their own instances of your server-side magic?\\n\\nIs your secret sauce the tooling to spin up and manage instances and ease customer UX? Do you aim to attract an ecosystem of turnkey, confidential applications running on your platform?\\n\\nDo you envision an exit strategy that sells said secret sauce and customers to a cloud provider or confidential computing middleware provider?\\n\\nPs. Congrats on the launch.\\n\\nby rkagerer\\n\\n5/15/2025 at 9:51:12 PM\\n\\n>Since you rightly open-sourced the code (AGPL) is there anything stopping the cloud vendors from running and selling access to their own instances of your server-side magic?\\nSure they can do that. Despite being open source, CC-mode on GPUs is quite difficult to work with especially when you start thinking about secrets management, observability etc, so we’d actually like to work with smaller cloud providers who want to provide this as a service and become competitive with the big clouds.\\n\\n>Is your secret sauce the tooling to spin up and manage instances and ease customer UX?\\n\\nPretty much. Confidential computing has been around a while, and we still don’t see widespread adoption of it, largely because of the difficulty. If we're successful, we absolutely expect there to be a healthy ecosystem of competitors both cloud provider and startup.\\n\\n>Do you envision an exit strategy that sells that secret sauce to a cloud provider or confidential computing middleware provider?\\n\\nWe’re not really trying to be a confidential computing provider, but more so, a verifiably private layer for AI. Which means we will try to make integration points as seamless as possible. For inference, that meant OpenAI API compatible client SDKs, we will eventually do the same for training/post-training, or MCP/OpenAI Agents SDK, etc. We want our integration points to be closely compatible with existing pipelines.\\n\\nby FrasiertheLion\\n\\n5/15/2025 at 11:49:59 PM\\n\\n> Confidential computing has been around a while, and we still don’t see widespread adoption of it, largely because of the difficulty\\nThis is not the reason at all. Complexity and difficult are inherent to large companies.\\n\\nIt's because it is a very low priority in an environment where for example there are tens of thousands of libraries in use, dozens of which will be in Production with active CVEs. And there are many examples of similar security and risk management issues that companies have to deal with.\\n\\nWorrying about the integrity of the hardware or not trusting my cloud provider who has all my data in their S3 buckets anyway (which is encrypted using their keys) is not high on my list of concerns. And if it were I would be simply running on-premise anyway.\\n\\nby threeseed\\n\\n5/16/2025 at 1:15:47 AM\\n\\nJust noticed Tinfoil runs Deepseek-R1 \\\"70b\\\". Technically this is not the original 671b Deepseek R1; it's just a Llama-70b trained by Deepseek R1 (called \\\"distillation\\\").\\nby kevinis\\n\\n5/15/2025 at 4:41:04 PM\\n\\nExcited to see someone finally doing this! I can imagine folks with sensitive model weights being especially interested.\\nDo you run into rate limits or other issues with TLS cert issuance? One problem we had when doing this before is that each spinup of the enclave must generate a fresh public key, so it needs a fresh, publicly trusted TLS cert. Do you have a workaround for that, or do you just have the enclaves run for long enough that it doesn’t matter?\\n\\nby blintz\\n\\n5/15/2025 at 4:48:24 PM\\n\\nWe actually run into the rate limit issue often particularly while spinning up new enclaves while debugging. We plan on moving to HPKE: https://www.rfc-editor.org/rfc/rfc9180.html over the next couple months. This will let us generate keys inside the enclave and encrypt the payload with the enclave specific keys, while letting us terminate TLS in a proxy outside the enclave. All the data is still encrypted to the enclave using HPKE (and still verifiable).\\nThis will let us fix the rate limit issue.\\n\\nby FrasiertheLion\\n\\n5/15/2025 at 8:26:50 PM\\n\\nNVIDIA shared open-source solutions for confidential AI already in mid-2024 https://developer.nvidia.com/blog/advancing-security-for-lar...\\nby ts6000\\n\\n5/15/2025 at 11:35:11 PM\\n\\nThis is fantastic. One rarely discussed use case is avoiding overzealous \\\"alignment\\\" - you want models to help advance your goals without arbitrary refusals for benign inputs. Why would I want Anthropic or OpenAI to have filtering authority over my queries? Consider OpenRouter ToS - \\\"you agree not to use the Service [..] in violation of any applicable AI Model Terms\\\": not sure if they actually enforce it but, of course, I'd want hardware security attestations that they can't monitor or censor my inputs. Open models should be like utilities - the provider supplies the raw capability (e.g., electrons or water or inference), while usage responsibility remains entirely with the end user.\\nby madars\\n\\n5/15/2025 at 11:51:29 PM\\n\\nThat's a big reason why we started Tinfoil and why we use it ourselves. I love the utilities analogy, something that is deeply integrated in business and personal use cases (like the Internet or AI) needs to have verifiable policies and options for data confidentiality.\\nby 3s\\n\\n5/15/2025 at 5:43:20 PM\\n\\nSo impressive - cloud AI that is verifiable with zero trust assumptions is going to be game-changing regardless of the industry application. Looks like it could be used by anyone for making anything trustworthy.\\nby meelvidushi\\n\\n5/15/2025 at 6:19:33 PM\\n\\n> with zero trust assumptions\\nIt's not that though. Not close. You are trusting the chip maker, whose process is secret (actually worse, it's almost certainly shared with the state).\\n\\nby jMyles\\n\\n5/15/2025 at 6:38:06 PM\\n\\nWe do have to trust the chip maker until open hardware catches up [1].\\n[1] https://news.ycombinator.com/item?id=43997856\\n\\nby 3s\\n\\n5/15/2025 at 6:42:53 PM\\n\\nEven if you had open hardware, how would you even know a chip you have sitting in front of you was fabricated correctly?\\nby davidczech\\n\\n5/15/2025 at 6:49:47 PM\\n\\nCheck out incredible work by Bunnie to make this possible at home https://www.bunniestudios.com/blog/2024/iris-infra-red-in-si...\\nby julesdrean\\n\\n5/16/2025 at 1:05:06 AM\\n\\nGreat work! I'm interested to know where the GPU servers are located. Are they in the US; do you run your own datacenter or rent servers on the hyperscalers?\\nby kevinis\\n\\n5/16/2025 at 1:12:52 AM\\n\\nYes, in the US right now. We don't run our own datacenters, though we sometimes consider it in a moment of frustration when the provider is not able to get the correct hardware configuration and firmware versions. Currently renting bare metal servers from neoclouds. We can't use hyperscalers because we need bare metal access to the machine.\\nby FrasiertheLion\\n\\n5/16/2025 at 1:18:38 AM\\n\\nThanks that's great to know. btw does a user need to trust Neoclouds in case they install malicious hardware/firmware/software on the servers?\\nby kevinis\\n\\n5/16/2025 at 1:20:44 AM\\n\\nThat's the best part, you don't. You only need to trust NVIDIA and AMD/Intel. Modulo difficult to mount physical attacks and side channels, which we wrote more about here: https://tinfoil.sh/blog/2025-05-15-side-channels\\nby FrasiertheLion\\n\\n5/15/2025 at 8:52:57 PM\\n\\n> the client fetches a signed document from the enclave which includes a hash of the running code signed\\nWhy couldn't the enclave claim to be running an older hash?\\n\\nby internetter\\n\\n5/15/2025 at 8:59:27 PM\\n\\nThis is enforced by the hardware (that’s where the root of trust goes back to NVDIA+AMD). The hardware will only send back signed enclave hashes of the code it’s running and cannot be coerced by us (or anyone else) into responding with a fake or old measurement.\\nby 3s\\n\\n5/15/2025 at 7:28:44 PM\\n\\nThats impressive, congrats. You've taken the \\\"verifiable security\\\" concept to the next level. I'm working on a similar concept, without \\\"verifiable\\\" part... trust remains to be built, but adding RAG ad fine tuned modelds to the use of open source LLMs, deployed in the cloud: https://gptsafe.ai/\\nby SebP\\n\\n5/15/2025 at 6:55:34 PM\\n\\nIs there a frozen client that someone could audit for assurance, then repeatedly use with your TEE-hosted backend?\\nIf instead users must use your web-served client code each time, you could subtly alter that over time or per-user, in ways unlikely to be detected by casual users – who'd then again be required to trust you (Tinfoil), rather than the goal on only having to trust the design & chip-manufacturer.\\n\\nby gojomo\\n\\n5/15/2025 at 7:01:45 PM\\n\\nYes, we have a customer who is indeed interested in having a frozen client for their app, which we're making possible. We currently have not frozen our client because we're in the early days and want to be able to iterate quickly on functionality. But happy to do so on a case-by-case basis for customers.\\nby FrasiertheLion\\n\\n5/15/2025 at 7:54:07 PM\\n\\n> rather than the goal on only having to trust the design & chip-manufacturer\\nIf you'd rather self-host, then the HazyResearch Lab at Stanford recently announced a FOSS e2ee implementation (\\\"Minions\\\") for Inference: https://hazyresearch.stanford.edu/blog/2025-05-12-security / https://github.com/HazyResearch/Minions\\n\\nby ignoramous\\n\\n5/15/2025 at 7:23:27 PM\\n\\n> https://docs.tinfoil.sh/verification/attestation-architectur...\\nI tried taking a look at your documentation, but the site search is very slow and laggy in Firefox.\\n\\nby offmycloud\\n\\n5/15/2025 at 7:39:22 PM\\n\\nInteresting, we haven't noticed that (on Firefox as well). We'll look into it!\\nby 3s\\n\\n5/15/2025 at 7:41:52 PM\\n\\nIt looks like it might be the blur effect in a VM with no Firefox video acceleration. Also, email to [email protected] (from \\\"contact\\\" link) just bounced back to me.\\nby offmycloud\\n\\n5/15/2025 at 7:46:45 PM\\n\\nAh we don't have [email protected] set up yet. Can you try [email protected]?\\nby FrasiertheLion\\n\\n5/16/2025 at 4:24:44 PM\\n\\nSet up *@ and sort it later. ask an intern to monitor that box after lunch for a while. Catchall. You probably know this, but for anyone else thinking of doing email for their business.\\nFor example if you do tools or RAG you probably ought have abuse@ as well, even though only 4 people will think to email that.\\n\\nby genewitch\\n\\n5/16/2025 at 8:54:34 PM\\n\\nHa we didn't think of that, thanks for the tip!\\nby FrasiertheLion\\n\\n5/15/2025 at 4:42:28 PM\\n\\nDoes the secure enclave also perform the TLS encryption on data leaving the enclave?\\nAlso, if you're decoding TLS on the enclave, wouldn't that imply that you're parsing HTTP and JSON on the GPU itself? Very interesting if true.\\n\\nby etaioinshrdlu\\n\\n5/15/2025 at 4:53:49 PM\\n\\nThe verified trust boundary extends from the CPU to GPU [1], and TLS encrypts all data to/from the enclave and client so we can't see anything in the clear.\\nHTTP parsing and application logic happens on the CPU like normal. The GPU runs CUDA just like any other app, after it's integrity is verified by the CPU. Data on the PCIe bus is encrypted between the CPU and GPU too.\\n\\n[1] https://github.com/NVIDIA/nvtrust/blob/main/guest_tools/atte...\\n\\nby natesales\\n\\n5/15/2025 at 5:08:10 PM\\n\\nCould you talk more about how how this works? I don't think linked article doesn't given enough detail on how the trust boundary extends from CPU to GPU.\\nDoes the CPU have the ability to see unencrypted data?\\n\\nby etaioinshrdlu\\n\\n5/15/2025 at 5:33:35 PM\\n\\nThe keys are generated on the CPU and never leave the enclave, but the data is decrypted on the CPU so it hits the registers in plaintext.\\nWhen the enclave starts, the CPU does a few things:\\n\\n1. The CPU does a key exchange with the GPU (in confidential compute mode [1]) to derive a key to encrypt data over PCIe\\n\\n2. The CPU verifies the integrity of the GPU against NVIDIA's root of trust [2]\\n\\n[1] https://developer.nvidia.com/blog/confidential-computing-on-...\\n\\n[2] https://github.com/tinfoilsh/cvmimage/blob/b65ced8796e8a8687...\\n\\nedit: formatting\\n\\nby natesales\\n\\n5/15/2025 at 5:19:36 PM\\n\\nYou're not terminating the TLS connection from the client anywhere besides the enclave? How do you load balance or front end all of this effectively?\\nby candiddevmike\\n\\n5/15/2025 at 5:28:54 PM\\n\\n>You're not terminating the TLS connection from the client anywhere besides the enclave?\\nYes.\\n\\n>How do you load balance or front end all of this effectively?\\n\\nWe don't, atleast not yet. That's why all our model endpoints have different subdomains. In the next couple months, we're planning to generate a keypair inside the enclave using HPKE that will be used to encrypt the data, as I described in this comment: https://news.ycombinator.com/item?id=43996849\\n\\nby FrasiertheLion\\n\\n5/16/2025 at 5:54:10 AM\\n\\nHow is running a model onprem more expensive than on the cloud? Are you including training costs?\\nEdit: perhaps because you don’t need the model to be available all the time? In that case yeah the cloud can be cheaper\\n\\nby ed_mercer\\n\\n5/15/2025 at 7:00:25 PM\\n\\nThis is an incredibly robust solution to a really pressing problem for a lot of individuals/orgs who want to use/deploy reasonably powerful LLMs without paying through the nose for hardware. Others have mentioned the hyperscalers have solutions that make some amount of sense (Azure confidential computing, AWS nitro enclaves) but if you read a bit more about Tinfoil, it is clear they want to operate with far less explicit user trust (and thus much better security). This team is setting the standard for provably private LLM inference, and to me, it makes other solutions seem half-baked by comparison. Props to this talented group of people.\\nby computerbuster\\n\\n5/15/2025 at 5:41:31 PM\\n\\nhasn’t iexec (french co) been doing this for years? what’s your competitive advantage or moat, considering they are the first-movers?\\nby leboshkibowl\\n\\n5/15/2025 at 5:47:33 PM\\n\\nTheir GTM doesn't include a $ in front of their company acronym.\\nI think there is similarity to https://www.anjuna.io/ and https://www.opaque.co/ here. I've heard of these, never iExec.\\n\\nby ramoz\\n\\n5/15/2025 at 6:09:02 PM\\n\\nCPU-based TEEs (AWS Nitro Enclaves, AMD SEV, Intel TDX) have been around for a few years, but aren’t widely used because they are more akin to primitives than fully baked security solutions. We are trying to make this as user friendly and self serve as possible, with full verifiability by open sourcing the entire server that runs inside the enclave. So far we have not found any end to end verifiably private solution on the market that we could just sign up for to try, which was a big reason we started Tinfoil in the first place. We also strongly believe that verifiably private AI should be the norm, so the more players in the space, the better because a missing piece is market awareness and convincing folks this is actually possible and real.\\nby FrasiertheLion\\n\\n5/15/2025 at 6:17:19 PM\\n\\nBeen building something along these lines for a while. At Qbix, we call it our QBOX. Full stack, using Nix for the base, and Nitro attestation. No SSH. We have the exact same approach — cron running and only downloading signed scripts and binaries from endpoints. But there is a lot more… Would be great to connect and maybe join forces.\\nWant to connect some time next Tuesday or Wednesday? https://calendly.com/qbix/meeting\\n\\nby EGreg\\n\\n5/15/2025 at 6:28:58 PM\\n\\nYes, excited to connect, scheduled a call! We used Nitro back in December when we were prototyping but moved to NVIDIA CC because we wanted to support LLMs.\\nby FrasiertheLion\\n\\n5/15/2025 at 8:11:31 PM\\n\\nHow do you see this compare to things like Amazon Bedrock, where it runs OSS in my own infra?\\nby japborst\\n\\n5/15/2025 at 8:21:45 PM\\n\\nBedrock has strong contractual guarantees, but it's still only a legal contract and runs on AWS infra. This is certainly okay for many use cases, we're trying to build for users who want verifiable privacy guarantees beyond legal contracts.\\nWe're also doing more than pure inference, and trying to work with other companies who want to provide their users additional verifiability and confidentiality guarantees by running their entire private data processing pipeline on our platform.\\n\\nby FrasiertheLion\\n\\n5/15/2025 at 4:43:13 PM\\n\\ngreat name. good idea if it works.\\nby danr4\\n\\n5/16/2025 at 8:27:37 AM\\n\\nWould it be possible to run something like vLLM or TensortRT-llm with tinfoil?\\nby tealcod\\n\\n5/16/2025 at 3:41:44 PM\\n\\nWe’re already using vllm as our inference server for our standard models. We can run whatever inference server for custom deployments.\\nby FrasiertheLion\\n\\n5/16/2025 at 8:19:30 PM\\n\\nTechnically my wife would be a perfect customer because we literally just prototyped your solution at home. But I'm confused.\\nFor context:\\n\\nMy wife does leadership coaching and recently used vanilla GPT-4o via ChatGPT to summarize a transcript of an hour-long conversation.\\n\\nThen, last weekend we thought... \\\"Hey, let's test local LLMs for more privacy control. The open source models must be pretty good in 2025.\\\"\\n\\nSo I installed Ollama + Open WebUI plus the models on a 128GB MacBook Pro.\\n\\nI am genuinely dumbfounded about the actual results we got today of comparing ChatGPT/GPT-4o vs. Llama4, Llama3.3, Llama3.2, DeepSeekR1 and Gemma.\\n\\nIn short: Compared to our reference GPT-4o output, none (as in NONE, zero, zilch, nil) of the above-mentioned open source models were able to create even a basic summary based on the exact same prompt + text.\\n\\nThe open source summaries were offensively bad. It felt like reading the most bland, generic and idiotic SEO slop I've read since I last used Google. None of the obvious topics were part of the summary. Just blah. I tested this with 5 models to boot!\\n\\nI'm not an OpenAI fan per se, but if this is truly OS/SOTA then, we shouldn't even mention Llama4 or the others in the same breath as the newer OpenAI models.\\n\\nWhat do you think?\\n\\nby interleave\\n\\n5/16/2025 at 8:45:06 PM\\n\\nOllama does heavily quantize models and has a very short context window by default, but this has not been my experience with unquantized, full context versions of Llama3.3 70B and particularly, Deepseek R1, and that is reflected in the benchmarks. For instance I used Deepseek R1 671B as my daily driver for several months, and it was at par with o1 and unquestionably better than GPT-4o (o3 is certainly better than all but typically we've seen opensource models catch up within 6-9 months).\\nPlease shoot me an email at [email protected], would love to work through your use cases.\\n\\nby FrasiertheLion\\n\\n5/17/2025 at 4:53:05 PM\\n\\nHey Tanya! Thank you for helping me understand the results better.\\nI just posted the results of another basic interview analysis (4o vs. Llama4) here: https://x.com/SpringStreetNYC/status/1923774145633849780\\n\\nTo your point: Do I understand correctly that, for example, by running the default model of Llama4 via ollama, the context window is very short even when the model's context is, like 10M. In order to \\\"unlock\\\" the full context version, I need to get the unquantized version.\\n\\nFor reference, here's what `ollama show llama4` returns: - parameters 108.6B # llama4:scount - context length 10485760 # 10M - embedding length 5120 - quantization Q4_K_M\\n\\nby interleave\\n\\n5/16/2025 at 5:58:26 AM\\n\\nHeh. I sold Tinfoil Security to synopsys in January 2020.\\nWe should chat. :)\\n\\nby borski\\n\\n5/16/2025 at 6:20:07 AM\\n\\nAye comrade, shot you an email :)\\nby FrasiertheLion\\n\\n5/16/2025 at 12:13:11 AM\\n\\nHere is a marketing campaign for you to prove that secure enclaves work.\\nHost a machine on the internet. Allow competitors to sign up to receive root ssh credentials. Offer a $10K prize if they are able to determine plaintext inputs and outputs over a given time period (say one month).\\n\\nA bit of a strawman, but a competition like this might help build confidence.\\n\\nby osigurdson\\n\\n5/16/2025 at 12:16:57 AM\\n\\nThat's exactly our plan for Defcon next year as Nate just mentioned: https://news.ycombinator.com/item?id=44000103\\nBut making it a public competition is a fantastic idea.\\n\\nby FrasiertheLion\\n\\n5/16/2025 at 5:08:34 AM\\n\\nAs a user, can I host the attestation server myself?\\nby tealcod\\n\\n5/16/2025 at 5:56:34 AM\\n\\nAll attestation verification happens client side. We have verifiers in Python [1] and Go [2] (which FFIs to our other SDKs like WASM and Swift). We push all the verification logic to the client so the verification process is entirely transparent and auditable.\\n[1] https://github.com/tinfoilsh/tinfoil-python [2] https://github.com/tinfoilsh/verifier\\n\\nby natesales\\n\\n5/15/2025 at 8:37:21 PM\\n\\nThis is a great concept but I think \\\"Enterprise-Ready Security\\\" and your competitive comparison chart are kind of misleading. Yes, zero trust is huge. But, virtually everyone who has a use case for max privacy AI, has that use case because of compliance and IP concerns. Enterprise-Ready Security doesn't mean sigstore or zero trust, it means you have both the security at a technical level as well as certification by an auditor that you do.\\nYou aren't enterprise ready because to address those concerns you need to get the laundry list of compliance certs: SOC 2:2, ISO 27k1/2 and 9k1, HIPPA, GDPR, CMMC, FedRAMP, NIST, etc.\\n\\nby cuuupid\\n\\n5/15/2025 at 8:41:54 PM\\n\\nWe're going through the audit process for SOC2 right now and we're planning on doing HIPAA soon\\nby 3s\\n\\n5/15/2025 at 8:16:26 PM\\n\\nI love the brand and logo\\nby binary132\\n\\n5/15/2025 at 4:29:17 PM\\n\\nAre you HIPAA compliant?\\nby Onavo\\n\\n5/15/2025 at 4:32:12 PM\\n\\nNot yet, we're about one week away from SOC2, will pursue HIPAA which is arguably easier next.\\nby FrasiertheLion\\n\\n5/16/2025 at 2:33:44 AM\\n\\nAlso curious about the potential users of your product, do you target individual users, small businesses, or large enterprises? Pursuing SOC2 and HIPPA make me think about the large ones; but aren't they already happy using hyperscalers?\\nNot to mention GCP and Azure both have confidential GPU offerings. How do you compete against them, as well as some startups mentioned in other comments like Edgeless Systems and Opaque Systems?\\n\\nby kevinis\\n\\n5/15/2025 at 5:57:59 PM\\n\\n[dead]\\nby curtisszmania\\n\\n5/15/2025 at 5:59:44 PM\\n\\n[flagged]\\nby valid_user_123\\n```\"},{\"role\":\"assistant\",\"mainText\":\"# 邮件内容总结\\n\\n这是一个关于Tinfoil(YC X25)产品发布的Hacker News讨论帖,发布于2025年5月15日。Tinfoil提供可验证隐私的云AI服务,使用可信执行环境(TEE)和保密计算技术。\\n\\n## 主要产品特点\\n- 提供可验证隐私的云AI推理服务\\n- 使用NVIDIA和AMD/Intel的保密计算技术\\n- 开源了运行在安全飞地(enclave)内的服务器代码\\n- 客户端可验证服务器代码的完整性\\n- 支持DeepSeek-R1等开源大语言模型\\n\\n## 技术原理\\n- 使用CPU和GPU的保密计算功能建立可信边界\\n- TLS加密终止在安全飞地内,数据在传输中和处理中都受到保护\\n- 提供客户端验证工具,可以验证服务器代码的完整性\\n- PCIe总线上CPU和GPU之间的数据也经过加密\\n- 开源了整个验证流程\\n\\n## 竞争与市场定位\\n- 与Azure、GCP等云服务商的保密计算服务有所区别\\n- 与Apple的Private Cloud Compute等技术相比有不同的信任假设\\n- 目标不是与Gemini、OpenAI等大型模型提供商竞争\\n- 专注于为需要隐私保证的企业和用户提供服务\\n\\n## 信任模型\\n- 用户需要信任硬件制造商(NVIDIA、AMD/Intel)\\n- 不需要信任Tinfoil或云服务提供商\\n- 比纯合约保证提供更强的隐私保证\\n- 未来可能转向完全同态加密(FHE),但目前该技术尚不实用\\n\\n## 合规与安全\\n- 正在进行SOC2认证,即将完成\\n- 计划进行HIPAA合规认证\\n- 计划在DEFCON举办安全挑战,测试系统安全性\\n- 开源了验证工具,使验证过程透明可审计\\n\\n## 讨论中的主要问题\\n1. 与现有保密计算解决方案的区别\\n2. 对硬件制造商的信任问题\\n3. 开源模型与闭源模型的性能差距\\n4. 对物理攻击和侧信道攻击的防御\\n5. 商业模式和竞争策略\\n\\n讨论中许多参与者对这种可验证隐私的云AI解决方案表示兴趣,特别是在敏感数据处理和合规性要求高的行业。同时也有人质疑硬件信任链的安全性和开源模型的性能表现。\"}]"
}
]Response:
Summarize - Tinfoil AI
Model: claude-3-7-sonnet-202502192025-06-24 12:32:33
Context:
[
{
"role": "user",
"content": "帮我总结下邮件内容\n\n```\nalt.hn\n5/15/2025 at 4:19:00 PM\n\nLaunch HN: Tinfoil (YC X25): Verifiable Privacy for Cloud AI\nby FrasiertheLion\n\n5/15/2025 at 6:52:24 PM\n\nLooks great. Not sure how big the market is between \"need max privacy, need on-prem\" and \"don't care, just use what is cheap/popular\" tho.\nCan you talk about how this relates to / is different / is differentiated from what Apple claimed to do during their last WWDC? They called it \"private cloud compute\". (To be clear, after 11 months, this is still \"announced\", with no implementation anywhere, as far as I can see.)\n\nHere is their blog post on Apple Security, dated June 10: https://security.apple.com/blog/private-cloud-compute/\n\nEDIT: JUST found the tinfoil blog post on exactly this topic. https://tinfoil.sh/blog/2025-01-30-how-do-we-compare\n\nby sigmaisaletter\n\n5/16/2025 at 2:13:36 AM\n\nAnecdotal, but I work at a company offering an SMB product with LLM features. One of the first questions asked on any demo or sales call is what the privacy model for the LLM is, how the data is used, who has access to it, and can those features be disabled.\nby _heimdall\n\n5/15/2025 at 7:10:02 PM\n\nPrivate Cloud Compute has been in use since iOS 18 released.\nby davidczech\n\n5/15/2025 at 9:29:40 PM\n\nIt seems that PCC indeed went live with 18.1 - tho not in Europe (which is where I am located). Thanks for the heads up, I will look into this further.\nby sigmaisaletter\n\n5/16/2025 at 12:10:54 PM\n\nThere are a few stories on the 'max privacy' stuff; one of the stories goes that you have two companies each with something private that needs to combine their stuff without letting the other see it; for example a bank with customer transactions and a company with analytics software they don't want to share; a system like this lets the bank put their transaction data through that analytics software without anyone being able to see the transaction data or the software. The next level on that is where two banks need to combine the transaction data to spot fraud, where you've now got three parties involved on one server.\nby trebligdivad\n\n5/15/2025 at 8:19:51 PM\n\nCompanies like Edgeless Systems have been building open-source confidential computing for cloud and AI for years, they are open-source, and have published in 2024 how they compare to Apple Private Cloud Compute. https://www.edgeless.systems/blog/apple-private-cloud-comput...\nby ts6000\n\n5/15/2025 at 8:05:14 PM\n\nPrivate Cloud Compute has been live in production for 8 months\nby DrBenCarson\n\n5/15/2025 at 9:29:47 PM\n\nIt seems that PCC indeed went live with 18.1 - tho not in Europe (which is where I am located). Thanks for the heads up, I will look into this further.\nby sigmaisaletter\n\n5/15/2025 at 5:58:40 PM\n\nHow large do you wager your moat to be? Confidential computing is something all major cloud providers either have or are about to have and from there it's a very small step to offer LLM-s under the same umbrella. First mover advantage is of course considerable, but I can't help but feel that this market will very quickly be swallowed by the hyperscalers.\nby Etheryte\n\n5/15/2025 at 10:57:32 PM\n\nCloud providers aren't going to care too much about this.\nI have worked for many enterprise companies e.g. banks who are trialling AI and none of them have any use for something like this. Because the entire foundation of the IT industry is based on trusting the privacy and security policies of Azure, AWS and GCP. And in the decades since they've been around not heard of a single example of them breaking this.\n\nThe proposition here is to tell a company that they can trust Azure with their banking websites, identity services and data engineering workloads but not for their model services. It just doesn't make any sense. And instead I should trust a YC startup who statistically is going to be gone in a year and will likely have their own unique set of security and privacy issues.\n\nAlso you have the issue of smaller sized open source models e.g. DeepSeek R1 lagging far behind the bigger ones and so you're giving me some unnecessary privacy attestation at the expense of a model that will give me far better accuracy and performance.\n\nby threeseed\n\n5/16/2025 at 12:48:50 PM\n\n> Cloud providers aren't going to care too much about this. ... [E]nterprise companies e.g. banks ... and none of them have any use for something like this.\nAs former CTO of world's largest bank and cloud architect at world's largest hedge fund, this is exactly opposite of my experience with both regulated finance enterprises and the CSPs vying to serve them.\n\nThe entire foundation of the IT industry is based on trusting the privacy and security policies of Azure, AWS and GCP. And in the decades since they've been around not heard of a single example of them breaking this.\n\nOn the contrary, many global banks design for the assumption the \"CSP is hostile\". What happened to Coinbase's customers the past few months shows why your vendor's insider threat is your threat and your customers' threat.\n\nGranted, this annoys CSPs who wish regulators would just let banks \"adopt\" the CSP's controls and call it a day.\n\nUnfortunately for CSP sales teams — certainly this could change with recent regulator policy changes — the regulator wins. Until very recently, only one CSP offered controls sufficient to assure your own data privacy beyond a CSP's pinky-swears. AWS Nitro Enclaves can provide a key component in that assurance, using deployment models such as tinfoil.\n\nby Terretta\n\n5/15/2025 at 6:12:32 PM\n\nBeing gobbled by the hyperscalers may well be the plan. Reasonable bet.\nby itsafarqueue\n\n5/16/2025 at 1:10:58 AM\n\nGCP has confidential VMs with H100 GPUs; I'm not sure if Google would be interested. And they get huge discount buying GPUs in bulk. The trade-off between cost and privacy is obvious for most users imo.\nby kevinis\n\n5/15/2025 at 6:34:04 PM\n\nThis. Big tech providers already offer confidential inference today.\nby ATechGuy\n\n5/15/2025 at 6:44:25 PM\n\nYes Azure has! They have very different trust assumptions though. We wrote about this here https://tinfoil.sh/blog/2025-01-30-how-do-we-compare\nby julesdrean\n\n5/15/2025 at 6:52:22 PM\n\nLast I checked it was only Azure offering the Nvidia specific confidential compute extensions, I'm likely out of date - a quick Google was inconclusive.\nHave GCP and AWS started offering this for GPUs?\n\nby mnahkies\n\n5/15/2025 at 7:16:55 PM\n\nGCP, yes: https://cloud.google.com/confidential-computing/confidential...\nby candiddevmike\n\n5/15/2025 at 7:37:49 PM\n\nAzure and GCP offer Confidential VMs which removes trust from the cloud providers. We’re trying to also remove trust in the service provider (aka ourselves). One example is that when you use Azure or GCP, by default, the service operator can SSH into the VM. We cannot SSH into our inference server and you can check that’s true.\nby julesdrean\n\n5/15/2025 at 11:03:05 PM\n\nBut nobody wants you as a service provider. Everyone wants to have Gemini, OpenAI etc which are significantly better than the far smaller and less capable model you will be able to afford to host.\nAnd you make this claim that the cloud provider can SSH into the VM but (a) nobody serious exposes SSH ports in Production and (b) there is no documented evidence of this ever happening.\n\nby threeseed\n\n5/15/2025 at 11:31:53 PM\n\nWe're not competing with Gemini or OpenAI or the big cloud providers. For instance, Google is partnering with NVIDIA to ship Gemini on-prem to regulated industries in a CC environment to protect their model weights as well as for additional data privacy on-prem: https://blogs.nvidia.com/blog/google-cloud-next-agentic-ai-r...\nWe're simply trying to bring similar capabilities to other companies. Inference is just our first product.\n\n>cloud provider can SSH into the VM\n\nThe point we were making was that CC was traditionally used to remove trust from cloud providers, but not the application provider. We are further removing trust from ourselves (as the application provider), and we can enable our customers (who could be other startups or neoclouds) to remove trust from themselves and prove that to their customers.\n\nby FrasiertheLion\n\n5/15/2025 at 11:55:46 PM\n\nYou are providing the illusion of trust though.\nThere are a multitude of components between my app and your service. You have secured one of them arguably the least important. But you can't provide any guarantees over say your API server that my requests are going through. Or your networking stack which someone e.g. a government could MITM.\n\nby threeseed\n\n5/16/2025 at 12:19:20 AM\n\nI don't know anything about \"secure enclaves\" but I assume that this part is sorted out. It should be possible to use http with it I imagine. If not, yeah it is totally dumb from a conceptual standpoint.\nby osigurdson\n\n5/15/2025 at 6:17:24 PM\n\nConfidential computing as a technology will become (and should be) commoditized, so the value add comes down to security and UX. We don’t want to be a confidential computing company, we want to use the right tool for the job of building private & verifiable AI. If that becomes FHE in a few years, then we will use that. We are starting with easy-to-use inference, but our goal of having any AI application be provably private\nby 3s\n\n5/16/2025 at 12:07:29 PM\n\nI suspect Nvidia have done a lot of the heavy lifting to make this work; but it's not that trivial to wire the CPU and GPU confidential compute together.\nby trebligdivad\n\n5/15/2025 at 6:12:16 PM\n\nDoes this not require one to trust the hardware? I'm not an expert in hardware root of trust, etc, but if Intel (or whatever chip maker) decides to just sign code that doesn't do what they say it does (coerced or otherwise) or someone finds a vuln; would that not defeat the whole purpose?\nI'm not entirely sure this is different than \"security by contract\", except the contracts get bigger and have more technology around them?\n\nby amanda99\n\n5/15/2025 at 6:29:00 PM\n\nWe have to trust the hardware manufacturer (Intel/AMD/NVIDIA) designed their chips to execute the instructions we inspect, so we're assuming trust in vendor silicon either way.\nThe real benefit of confidential computing is to extend that trust to the source code too (the inference server, OS, firmware).\n\nMaybe one day we’ll have truly open hardware ;)\n\nby natesales\n\n5/15/2025 at 8:34:37 PM\n\nHi Nate. Routinely your various networking-related FOSS tools. Surprising to see you now work in the AI infrastructure space let alone co-founding a startup funded by YC! Tinfoil looks über neat. All the best (:\n> Maybe one day we'll have truly open hardware\n\nAt least the RoT/SE if nothing else: https://opentitan.org/\n\nby ignoramous\n\n5/15/2025 at 9:00:36 PM\n\nLove Open Titan! RISC-V all the way babe! The team is bunker: several of my labmates now work there\nby julesdrean\n\n5/16/2025 at 4:08:20 PM\n\nIsn't this not the case for FHE? (I understand that FHE is not practically viable as you guys mention in the OP.)\nby perching_aix\n\n5/16/2025 at 4:55:55 PM\n\nYeah not the case for FHE. But yes, not practically viable. We would be happy to switch as soon as it is.\nby FrasiertheLion\n\n5/15/2025 at 9:04:21 PM\n\nI agree, it's lifting trust to the manufacturer (which could still be an improvement over the cloud status quo).\nAnother (IMO more likely) scenario is someone finds a hardware vulnerability (or leaked signing keys) that let's them achieve a similar outcome.\n\nby rkagerer\n\n5/15/2025 at 6:38:45 PM\n\nThe only way to guarantee privacy in cloud computing is via homorphic encryption.\nThis approach relies too much on trust.\n\nIf you have data you are seriously sensitive about, its better for you to run models locally on air gapped instances.\n\nIf you think this is an overkill, just see what happened to coinbase of recent. [0]\n\n[0]: https://www.cnbc.com/2025/05/15/coinbase-says-hackers-bribed...\n\nby max_\n\n5/15/2025 at 6:44:11 PM\n\nYeah, totally agree with you. We would love to use FHE as soon as it's practical. And if you have the money and infra expertise to deploy air gapped LLMs locally, you should absolutely do that. We're trying to do the best we can with today's technology, in a way that is cheap and accessible to most people.\nby FrasiertheLion\n\n5/15/2025 at 11:50:47 PM\n\n> The only way to guarantee privacy in cloud computing is via homorphic encryption\nNo. The only way is to not use cloud computing at all and go on-premise.\n\nWhich is what companies around the world do today for security or privacy critical workloads.\n\nby threeseed\n\n5/16/2025 at 12:54:35 PM\n\n> The only way is to not use cloud computing at all and go on-premise.\nThis point of view may be based on a lack of information about how global finance handles security and privacy critical workloads in high-end cloud.\n\nGlobal banks and the CSPs that serve them have by and large solved this problem by the late 2010s - early 2020s.\n\nWhile much of the work is not published, you can look for presentations at AWS reInvent from e.g. Goldman Sachs or others willing to share about it, talking about cryptographic methods, enclaves, formal reasoning over not just code but things like reachability, and so on, to see the edges of what's being done in this space.\n\nby Terretta\n\n5/15/2025 at 8:44:00 PM\n\nTinfoil hat on: say you are compelled to execute a FISA warrant and access the LLM data, is it technically possible? What about an Australian or UK style \"please add a backdoor\".\nI see you have to trust NVidia etc. so maybe there are such backdoors.\n\nby coolcase\n\n5/15/2025 at 10:43:47 PM\n\nAn attacker would need to compromise our build pipeline to publish a backdoored VM image [1] and extract key material to forge an attestation from the hardware [2]. The build process publishes a hash of the code to Sigstore’s transparency log [3], which would make the attack auditable.\nThat said, a sufficiently resourced attacker wouldn’t need to inject a backdoor at all. If the attacker already possesses the keys (e.g. the attacker IS the hardware manufacturer, or they’ve coerced the manufacturer to hand the keys over), then they would just need to gain access to the host server (which we control) to get access to the hypervisor, then use their keys to read memory or launch a new enclave with a forged attestation. We're planning on writing a much more detailed blog post about \"how to hack ourselves\" in the future.\n\nWe actually plan to do an experiment at DEFCON, likely next year where we gives ssh access to a test machine running the enclave and have people try to exfiltrate data from inside the enclave while keeping the machine running.\n\n[1] https://github.com/tinfoilsh/cvmimage\n\n[2] https://arxiv.org/abs/2108.04575\n\n[3] https://github.com/tinfoilsh/cvmimage/attestations\n\nby natesales\n\n5/15/2025 at 9:24:19 PM\n\nWhat's your revenue model?\nThe pricing page implies you're basically reselling access to confidential-wrapped AI instances.\n\nSince you rightly open-sourced the code (AGPL) is there anything stopping the cloud vendors from running and selling access to their own instances of your server-side magic?\n\nIs your secret sauce the tooling to spin up and manage instances and ease customer UX? Do you aim to attract an ecosystem of turnkey, confidential applications running on your platform?\n\nDo you envision an exit strategy that sells said secret sauce and customers to a cloud provider or confidential computing middleware provider?\n\nPs. Congrats on the launch.\n\nby rkagerer\n\n5/15/2025 at 9:51:12 PM\n\n>Since you rightly open-sourced the code (AGPL) is there anything stopping the cloud vendors from running and selling access to their own instances of your server-side magic?\nSure they can do that. Despite being open source, CC-mode on GPUs is quite difficult to work with especially when you start thinking about secrets management, observability etc, so we’d actually like to work with smaller cloud providers who want to provide this as a service and become competitive with the big clouds.\n\n>Is your secret sauce the tooling to spin up and manage instances and ease customer UX?\n\nPretty much. Confidential computing has been around a while, and we still don’t see widespread adoption of it, largely because of the difficulty. If we're successful, we absolutely expect there to be a healthy ecosystem of competitors both cloud provider and startup.\n\n>Do you envision an exit strategy that sells that secret sauce to a cloud provider or confidential computing middleware provider?\n\nWe’re not really trying to be a confidential computing provider, but more so, a verifiably private layer for AI. Which means we will try to make integration points as seamless as possible. For inference, that meant OpenAI API compatible client SDKs, we will eventually do the same for training/post-training, or MCP/OpenAI Agents SDK, etc. We want our integration points to be closely compatible with existing pipelines.\n\nby FrasiertheLion\n\n5/15/2025 at 11:49:59 PM\n\n> Confidential computing has been around a while, and we still don’t see widespread adoption of it, largely because of the difficulty\nThis is not the reason at all. Complexity and difficult are inherent to large companies.\n\nIt's because it is a very low priority in an environment where for example there are tens of thousands of libraries in use, dozens of which will be in Production with active CVEs. And there are many examples of similar security and risk management issues that companies have to deal with.\n\nWorrying about the integrity of the hardware or not trusting my cloud provider who has all my data in their S3 buckets anyway (which is encrypted using their keys) is not high on my list of concerns. And if it were I would be simply running on-premise anyway.\n\nby threeseed\n\n5/16/2025 at 1:15:47 AM\n\nJust noticed Tinfoil runs Deepseek-R1 \"70b\". Technically this is not the original 671b Deepseek R1; it's just a Llama-70b trained by Deepseek R1 (called \"distillation\").\nby kevinis\n\n5/15/2025 at 4:41:04 PM\n\nExcited to see someone finally doing this! I can imagine folks with sensitive model weights being especially interested.\nDo you run into rate limits or other issues with TLS cert issuance? One problem we had when doing this before is that each spinup of the enclave must generate a fresh public key, so it needs a fresh, publicly trusted TLS cert. Do you have a workaround for that, or do you just have the enclaves run for long enough that it doesn’t matter?\n\nby blintz\n\n5/15/2025 at 4:48:24 PM\n\nWe actually run into the rate limit issue often particularly while spinning up new enclaves while debugging. We plan on moving to HPKE: https://www.rfc-editor.org/rfc/rfc9180.html over the next couple months. This will let us generate keys inside the enclave and encrypt the payload with the enclave specific keys, while letting us terminate TLS in a proxy outside the enclave. All the data is still encrypted to the enclave using HPKE (and still verifiable).\nThis will let us fix the rate limit issue.\n\nby FrasiertheLion\n\n5/15/2025 at 8:26:50 PM\n\nNVIDIA shared open-source solutions for confidential AI already in mid-2024 https://developer.nvidia.com/blog/advancing-security-for-lar...\nby ts6000\n\n5/15/2025 at 11:35:11 PM\n\nThis is fantastic. One rarely discussed use case is avoiding overzealous \"alignment\" - you want models to help advance your goals without arbitrary refusals for benign inputs. Why would I want Anthropic or OpenAI to have filtering authority over my queries? Consider OpenRouter ToS - \"you agree not to use the Service [..] in violation of any applicable AI Model Terms\": not sure if they actually enforce it but, of course, I'd want hardware security attestations that they can't monitor or censor my inputs. Open models should be like utilities - the provider supplies the raw capability (e.g., electrons or water or inference), while usage responsibility remains entirely with the end user.\nby madars\n\n5/15/2025 at 11:51:29 PM\n\nThat's a big reason why we started Tinfoil and why we use it ourselves. I love the utilities analogy, something that is deeply integrated in business and personal use cases (like the Internet or AI) needs to have verifiable policies and options for data confidentiality.\nby 3s\n\n5/15/2025 at 5:43:20 PM\n\nSo impressive - cloud AI that is verifiable with zero trust assumptions is going to be game-changing regardless of the industry application. Looks like it could be used by anyone for making anything trustworthy.\nby meelvidushi\n\n5/15/2025 at 6:19:33 PM\n\n> with zero trust assumptions\nIt's not that though. Not close. You are trusting the chip maker, whose process is secret (actually worse, it's almost certainly shared with the state).\n\nby jMyles\n\n5/15/2025 at 6:38:06 PM\n\nWe do have to trust the chip maker until open hardware catches up [1].\n[1] https://news.ycombinator.com/item?id=43997856\n\nby 3s\n\n5/15/2025 at 6:42:53 PM\n\nEven if you had open hardware, how would you even know a chip you have sitting in front of you was fabricated correctly?\nby davidczech\n\n5/15/2025 at 6:49:47 PM\n\nCheck out incredible work by Bunnie to make this possible at home https://www.bunniestudios.com/blog/2024/iris-infra-red-in-si...\nby julesdrean\n\n5/16/2025 at 1:05:06 AM\n\nGreat work! I'm interested to know where the GPU servers are located. Are they in the US; do you run your own datacenter or rent servers on the hyperscalers?\nby kevinis\n\n5/16/2025 at 1:12:52 AM\n\nYes, in the US right now. We don't run our own datacenters, though we sometimes consider it in a moment of frustration when the provider is not able to get the correct hardware configuration and firmware versions. Currently renting bare metal servers from neoclouds. We can't use hyperscalers because we need bare metal access to the machine.\nby FrasiertheLion\n\n5/16/2025 at 1:18:38 AM\n\nThanks that's great to know. btw does a user need to trust Neoclouds in case they install malicious hardware/firmware/software on the servers?\nby kevinis\n\n5/16/2025 at 1:20:44 AM\n\nThat's the best part, you don't. You only need to trust NVIDIA and AMD/Intel. Modulo difficult to mount physical attacks and side channels, which we wrote more about here: https://tinfoil.sh/blog/2025-05-15-side-channels\nby FrasiertheLion\n\n5/15/2025 at 8:52:57 PM\n\n> the client fetches a signed document from the enclave which includes a hash of the running code signed\nWhy couldn't the enclave claim to be running an older hash?\n\nby internetter\n\n5/15/2025 at 8:59:27 PM\n\nThis is enforced by the hardware (that’s where the root of trust goes back to NVDIA+AMD). The hardware will only send back signed enclave hashes of the code it’s running and cannot be coerced by us (or anyone else) into responding with a fake or old measurement.\nby 3s\n\n5/15/2025 at 7:28:44 PM\n\nThats impressive, congrats. You've taken the \"verifiable security\" concept to the next level. I'm working on a similar concept, without \"verifiable\" part... trust remains to be built, but adding RAG ad fine tuned modelds to the use of open source LLMs, deployed in the cloud: https://gptsafe.ai/\nby SebP\n\n5/15/2025 at 6:55:34 PM\n\nIs there a frozen client that someone could audit for assurance, then repeatedly use with your TEE-hosted backend?\nIf instead users must use your web-served client code each time, you could subtly alter that over time or per-user, in ways unlikely to be detected by casual users – who'd then again be required to trust you (Tinfoil), rather than the goal on only having to trust the design & chip-manufacturer.\n\nby gojomo\n\n5/15/2025 at 7:01:45 PM\n\nYes, we have a customer who is indeed interested in having a frozen client for their app, which we're making possible. We currently have not frozen our client because we're in the early days and want to be able to iterate quickly on functionality. But happy to do so on a case-by-case basis for customers.\nby FrasiertheLion\n\n5/15/2025 at 7:54:07 PM\n\n> rather than the goal on only having to trust the design & chip-manufacturer\nIf you'd rather self-host, then the HazyResearch Lab at Stanford recently announced a FOSS e2ee implementation (\"Minions\") for Inference: https://hazyresearch.stanford.edu/blog/2025-05-12-security / https://github.com/HazyResearch/Minions\n\nby ignoramous\n\n5/15/2025 at 7:23:27 PM\n\n> https://docs.tinfoil.sh/verification/attestation-architectur...\nI tried taking a look at your documentation, but the site search is very slow and laggy in Firefox.\n\nby offmycloud\n\n5/15/2025 at 7:39:22 PM\n\nInteresting, we haven't noticed that (on Firefox as well). We'll look into it!\nby 3s\n\n5/15/2025 at 7:41:52 PM\n\nIt looks like it might be the blur effect in a VM with no Firefox video acceleration. Also, email to [email protected] (from \"contact\" link) just bounced back to me.\nby offmycloud\n\n5/15/2025 at 7:46:45 PM\n\nAh we don't have [email protected] set up yet. Can you try [email protected]?\nby FrasiertheLion\n\n5/16/2025 at 4:24:44 PM\n\nSet up *@ and sort it later. ask an intern to monitor that box after lunch for a while. Catchall. You probably know this, but for anyone else thinking of doing email for their business.\nFor example if you do tools or RAG you probably ought have abuse@ as well, even though only 4 people will think to email that.\n\nby genewitch\n\n5/16/2025 at 8:54:34 PM\n\nHa we didn't think of that, thanks for the tip!\nby FrasiertheLion\n\n5/15/2025 at 4:42:28 PM\n\nDoes the secure enclave also perform the TLS encryption on data leaving the enclave?\nAlso, if you're decoding TLS on the enclave, wouldn't that imply that you're parsing HTTP and JSON on the GPU itself? Very interesting if true.\n\nby etaioinshrdlu\n\n5/15/2025 at 4:53:49 PM\n\nThe verified trust boundary extends from the CPU to GPU [1], and TLS encrypts all data to/from the enclave and client so we can't see anything in the clear.\nHTTP parsing and application logic happens on the CPU like normal. The GPU runs CUDA just like any other app, after it's integrity is verified by the CPU. Data on the PCIe bus is encrypted between the CPU and GPU too.\n\n[1] https://github.com/NVIDIA/nvtrust/blob/main/guest_tools/atte...\n\nby natesales\n\n5/15/2025 at 5:08:10 PM\n\nCould you talk more about how how this works? I don't think linked article doesn't given enough detail on how the trust boundary extends from CPU to GPU.\nDoes the CPU have the ability to see unencrypted data?\n\nby etaioinshrdlu\n\n5/15/2025 at 5:33:35 PM\n\nThe keys are generated on the CPU and never leave the enclave, but the data is decrypted on the CPU so it hits the registers in plaintext.\nWhen the enclave starts, the CPU does a few things:\n\n1. The CPU does a key exchange with the GPU (in confidential compute mode [1]) to derive a key to encrypt data over PCIe\n\n2. The CPU verifies the integrity of the GPU against NVIDIA's root of trust [2]\n\n[1] https://developer.nvidia.com/blog/confidential-computing-on-...\n\n[2] https://github.com/tinfoilsh/cvmimage/blob/b65ced8796e8a8687...\n\nedit: formatting\n\nby natesales\n\n5/15/2025 at 5:19:36 PM\n\nYou're not terminating the TLS connection from the client anywhere besides the enclave? How do you load balance or front end all of this effectively?\nby candiddevmike\n\n5/15/2025 at 5:28:54 PM\n\n>You're not terminating the TLS connection from the client anywhere besides the enclave?\nYes.\n\n>How do you load balance or front end all of this effectively?\n\nWe don't, atleast not yet. That's why all our model endpoints have different subdomains. In the next couple months, we're planning to generate a keypair inside the enclave using HPKE that will be used to encrypt the data, as I described in this comment: https://news.ycombinator.com/item?id=43996849\n\nby FrasiertheLion\n\n5/16/2025 at 5:54:10 AM\n\nHow is running a model onprem more expensive than on the cloud? Are you including training costs?\nEdit: perhaps because you don’t need the model to be available all the time? In that case yeah the cloud can be cheaper\n\nby ed_mercer\n\n5/15/2025 at 7:00:25 PM\n\nThis is an incredibly robust solution to a really pressing problem for a lot of individuals/orgs who want to use/deploy reasonably powerful LLMs without paying through the nose for hardware. Others have mentioned the hyperscalers have solutions that make some amount of sense (Azure confidential computing, AWS nitro enclaves) but if you read a bit more about Tinfoil, it is clear they want to operate with far less explicit user trust (and thus much better security). This team is setting the standard for provably private LLM inference, and to me, it makes other solutions seem half-baked by comparison. Props to this talented group of people.\nby computerbuster\n\n5/15/2025 at 5:41:31 PM\n\nhasn’t iexec (french co) been doing this for years? what’s your competitive advantage or moat, considering they are the first-movers?\nby leboshkibowl\n\n5/15/2025 at 5:47:33 PM\n\nTheir GTM doesn't include a $ in front of their company acronym.\nI think there is similarity to https://www.anjuna.io/ and https://www.opaque.co/ here. I've heard of these, never iExec.\n\nby ramoz\n\n5/15/2025 at 6:09:02 PM\n\nCPU-based TEEs (AWS Nitro Enclaves, AMD SEV, Intel TDX) have been around for a few years, but aren’t widely used because they are more akin to primitives than fully baked security solutions. We are trying to make this as user friendly and self serve as possible, with full verifiability by open sourcing the entire server that runs inside the enclave. So far we have not found any end to end verifiably private solution on the market that we could just sign up for to try, which was a big reason we started Tinfoil in the first place. We also strongly believe that verifiably private AI should be the norm, so the more players in the space, the better because a missing piece is market awareness and convincing folks this is actually possible and real.\nby FrasiertheLion\n\n5/15/2025 at 6:17:19 PM\n\nBeen building something along these lines for a while. At Qbix, we call it our QBOX. Full stack, using Nix for the base, and Nitro attestation. No SSH. We have the exact same approach — cron running and only downloading signed scripts and binaries from endpoints. But there is a lot more… Would be great to connect and maybe join forces.\nWant to connect some time next Tuesday or Wednesday? https://calendly.com/qbix/meeting\n\nby EGreg\n\n5/15/2025 at 6:28:58 PM\n\nYes, excited to connect, scheduled a call! We used Nitro back in December when we were prototyping but moved to NVIDIA CC because we wanted to support LLMs.\nby FrasiertheLion\n\n5/15/2025 at 8:11:31 PM\n\nHow do you see this compare to things like Amazon Bedrock, where it runs OSS in my own infra?\nby japborst\n\n5/15/2025 at 8:21:45 PM\n\nBedrock has strong contractual guarantees, but it's still only a legal contract and runs on AWS infra. This is certainly okay for many use cases, we're trying to build for users who want verifiable privacy guarantees beyond legal contracts.\nWe're also doing more than pure inference, and trying to work with other companies who want to provide their users additional verifiability and confidentiality guarantees by running their entire private data processing pipeline on our platform.\n\nby FrasiertheLion\n\n5/15/2025 at 4:43:13 PM\n\ngreat name. good idea if it works.\nby danr4\n\n5/16/2025 at 8:27:37 AM\n\nWould it be possible to run something like vLLM or TensortRT-llm with tinfoil?\nby tealcod\n\n5/16/2025 at 3:41:44 PM\n\nWe’re already using vllm as our inference server for our standard models. We can run whatever inference server for custom deployments.\nby FrasiertheLion\n\n5/16/2025 at 8:19:30 PM\n\nTechnically my wife would be a perfect customer because we literally just prototyped your solution at home. But I'm confused.\nFor context:\n\nMy wife does leadership coaching and recently used vanilla GPT-4o via ChatGPT to summarize a transcript of an hour-long conversation.\n\nThen, last weekend we thought... \"Hey, let's test local LLMs for more privacy control. The open source models must be pretty good in 2025.\"\n\nSo I installed Ollama + Open WebUI plus the models on a 128GB MacBook Pro.\n\nI am genuinely dumbfounded about the actual results we got today of comparing ChatGPT/GPT-4o vs. Llama4, Llama3.3, Llama3.2, DeepSeekR1 and Gemma.\n\nIn short: Compared to our reference GPT-4o output, none (as in NONE, zero, zilch, nil) of the above-mentioned open source models were able to create even a basic summary based on the exact same prompt + text.\n\nThe open source summaries were offensively bad. It felt like reading the most bland, generic and idiotic SEO slop I've read since I last used Google. None of the obvious topics were part of the summary. Just blah. I tested this with 5 models to boot!\n\nI'm not an OpenAI fan per se, but if this is truly OS/SOTA then, we shouldn't even mention Llama4 or the others in the same breath as the newer OpenAI models.\n\nWhat do you think?\n\nby interleave\n\n5/16/2025 at 8:45:06 PM\n\nOllama does heavily quantize models and has a very short context window by default, but this has not been my experience with unquantized, full context versions of Llama3.3 70B and particularly, Deepseek R1, and that is reflected in the benchmarks. For instance I used Deepseek R1 671B as my daily driver for several months, and it was at par with o1 and unquestionably better than GPT-4o (o3 is certainly better than all but typically we've seen opensource models catch up within 6-9 months).\nPlease shoot me an email at [email protected], would love to work through your use cases.\n\nby FrasiertheLion\n\n5/17/2025 at 4:53:05 PM\n\nHey Tanya! Thank you for helping me understand the results better.\nI just posted the results of another basic interview analysis (4o vs. Llama4) here: https://x.com/SpringStreetNYC/status/1923774145633849780\n\nTo your point: Do I understand correctly that, for example, by running the default model of Llama4 via ollama, the context window is very short even when the model's context is, like 10M. In order to \"unlock\" the full context version, I need to get the unquantized version.\n\nFor reference, here's what `ollama show llama4` returns: - parameters 108.6B # llama4:scount - context length 10485760 # 10M - embedding length 5120 - quantization Q4_K_M\n\nby interleave\n\n5/16/2025 at 5:58:26 AM\n\nHeh. I sold Tinfoil Security to synopsys in January 2020.\nWe should chat. :)\n\nby borski\n\n5/16/2025 at 6:20:07 AM\n\nAye comrade, shot you an email :)\nby FrasiertheLion\n\n5/16/2025 at 12:13:11 AM\n\nHere is a marketing campaign for you to prove that secure enclaves work.\nHost a machine on the internet. Allow competitors to sign up to receive root ssh credentials. Offer a $10K prize if they are able to determine plaintext inputs and outputs over a given time period (say one month).\n\nA bit of a strawman, but a competition like this might help build confidence.\n\nby osigurdson\n\n5/16/2025 at 12:16:57 AM\n\nThat's exactly our plan for Defcon next year as Nate just mentioned: https://news.ycombinator.com/item?id=44000103\nBut making it a public competition is a fantastic idea.\n\nby FrasiertheLion\n\n5/16/2025 at 5:08:34 AM\n\nAs a user, can I host the attestation server myself?\nby tealcod\n\n5/16/2025 at 5:56:34 AM\n\nAll attestation verification happens client side. We have verifiers in Python [1] and Go [2] (which FFIs to our other SDKs like WASM and Swift). We push all the verification logic to the client so the verification process is entirely transparent and auditable.\n[1] https://github.com/tinfoilsh/tinfoil-python [2] https://github.com/tinfoilsh/verifier\n\nby natesales\n\n5/15/2025 at 8:37:21 PM\n\nThis is a great concept but I think \"Enterprise-Ready Security\" and your competitive comparison chart are kind of misleading. Yes, zero trust is huge. But, virtually everyone who has a use case for max privacy AI, has that use case because of compliance and IP concerns. Enterprise-Ready Security doesn't mean sigstore or zero trust, it means you have both the security at a technical level as well as certification by an auditor that you do.\nYou aren't enterprise ready because to address those concerns you need to get the laundry list of compliance certs: SOC 2:2, ISO 27k1/2 and 9k1, HIPPA, GDPR, CMMC, FedRAMP, NIST, etc.\n\nby cuuupid\n\n5/15/2025 at 8:41:54 PM\n\nWe're going through the audit process for SOC2 right now and we're planning on doing HIPAA soon\nby 3s\n\n5/15/2025 at 8:16:26 PM\n\nI love the brand and logo\nby binary132\n\n5/15/2025 at 4:29:17 PM\n\nAre you HIPAA compliant?\nby Onavo\n\n5/15/2025 at 4:32:12 PM\n\nNot yet, we're about one week away from SOC2, will pursue HIPAA which is arguably easier next.\nby FrasiertheLion\n\n5/16/2025 at 2:33:44 AM\n\nAlso curious about the potential users of your product, do you target individual users, small businesses, or large enterprises? Pursuing SOC2 and HIPPA make me think about the large ones; but aren't they already happy using hyperscalers?\nNot to mention GCP and Azure both have confidential GPU offerings. How do you compete against them, as well as some startups mentioned in other comments like Edgeless Systems and Opaque Systems?\n\nby kevinis\n\n5/15/2025 at 5:57:59 PM\n\n[dead]\nby curtisszmania\n\n5/15/2025 at 5:59:44 PM\n\n[flagged]\nby valid_user_123\n```"
}
]Response:
# 邮件内容总结
这是一个关于Tinfoil(YC X25)产品发布的Hacker News讨论帖,发布于2025年5月15日。Tinfoil提供可验证隐私的云AI服务,使用可信执行环境(TEE)和保密计算技术。
## 主要产品特点
- 提供可验证隐私的云AI推理服务
- 使用NVIDIA和AMD/Intel的保密计算技术
- 开源了运行在安全飞地(enclave)内的服务器代码
- 客户端可验证服务器代码的完整性
- 支持DeepSeek-R1等开源大语言模型
## 技术原理
- 使用CPU和GPU的保密计算功能建立可信边界
- TLS加密终止在安全飞地内,数据在传输中和处理中都受到保护
- 提供客户端验证工具,可以验证服务器代码的完整性
- PCIe总线上CPU和GPU之间的数据也经过加密
- 开源了整个验证流程
## 竞争与市场定位
- 与Azure、GCP等云服务商的保密计算服务有所区别
- 与Apple的Private Cloud Compute等技术相比有不同的信任假设
- 目标不是与Gemini、OpenAI等大型模型提供商竞争
- 专注于为需要隐私保证的企业和用户提供服务
## 信任模型
- 用户需要信任硬件制造商(NVIDIA、AMD/Intel)
- 不需要信任Tinfoil或云服务提供商
- 比纯合约保证提供更强的隐私保证
- 未来可能转向完全同态加密(FHE),但目前该技术尚不实用
## 合规与安全
- 正在进行SOC2认证,即将完成
- 计划进行HIPAA合规认证
- 计划在DEFCON举办安全挑战,测试系统安全性
- 开源了验证工具,使验证过程透明可审计
## 讨论中的主要问题
1. 与现有保密计算解决方案的区别
2. 对硬件制造商的信任问题
3. 开源模型与闭源模型的性能差距
4. 对物理攻击和侧信道攻击的防御
5. 商业模式和竞争策略
讨论中许多参与者对这种可验证隐私的云AI解决方案表示兴趣,特别是在敏感数据处理和合规性要求高的行业。同时也有人质疑硬件信任链的安全性和开源模型的性能表现。
Model: gpt-4o-mini-2024-07-182025-06-24 09:22:06
Context:
[
{
"role": "system",
"content": "You are an assistant who is good at conversation. You need to summarize the user's conversation into a title of 10 characters or less. It should be in the format of \"Action - Title\". Some examples:\n1. Learn - Bitcoin 2. Code - Web Server 3. Write - An Article"
},
{
"role": "user",
"content": "[{\"role\":\"user\",\"mainText\":\"介绍下qemu的实现原理\"},{\"role\":\"assistant\",\"mainText\":\"# QEMU 实现原理\\n\\nQEMU (Quick EMUlator) 是一个开源的虚拟化和仿真软件,能够模拟多种硬件平台。以下是 QEMU 的核心实现原理:\\n\\n## 1. 动态二进制翻译\\n\\nQEMU 最核心的技术是动态二进制翻译 (DBT, Dynamic Binary Translation):\\n\\n- **TCG (Tiny Code Generator)**: QEMU 使用 TCG 将客户机指令(如 ARM、MIPS、x86)实时翻译成宿主机指令\\n- **翻译块 (Translation Block)**: QEMU 以基本块为单位进行翻译,一个基本块是一段线性执行的代码(通常以跳转指令结束)\\n- **代码缓存**: 已翻译的代码被缓存,避免重复翻译相同的代码段\\n\\n## 2. 虚拟化模式\\n\\nQEMU 支持两种主要的虚拟化模式:\\n\\n- **全系统模拟**: 模拟整个计算机系统,包括 CPU、内存和各种外设\\n- **用户模式模拟**: 只模拟 CPU 和必要的系统调用,允许为一种架构编译的程序在另一种架构上运行\\n\\n## 3. 硬件虚拟化加速\\n\\n- **KVM (Kernel-based Virtual Machine)**: 在 Linux 上,QEMU 可以利用 KVM 内核模块实现硬件加速\\n- **HAXM/HVF/Hyper-V**: 在其他平台上,QEMU 可以使用 Intel HAXM、macOS Hypervisor.framework 或 Windows Hyper-V\\n\\n## 4. 设备模拟\\n\\nQEMU 模拟了大量硬件设备:\\n\\n- **虚拟 CPU**: 实现各种架构的 CPU 指令集和特性\\n- **内存管理**: 实现内存映射、地址转换和内存保护\\n- **I/O 设备**: 模拟硬盘、网卡、显卡、USB 控制器等\\n- **总线系统**: 模拟 PCI、PCIe、USB 等总线\\n\\n## 5. 网络实现\\n\\n- **用户模式网络**: 使用 SLIRP 协议栈提供 NAT 网络\\n- **TAP 设备**: 允许虚拟机直接连接到宿主机网络\\n- **VDE (Virtual Distributed Ethernet)**: 支持复杂的虚拟网络配置\\n\\n## 6. 存储实现\\n\\n- **块设备抽象层**: 支持多种磁盘格式(raw、qcow2、vmdk 等)\\n- **快照支持**: 允许保存和恢复虚拟机状态\\n- **磁盘映像链**: 支持基于基础映像的差分磁盘\\n\\nQEMU 的灵活架构使其成为虚拟化和系统模拟领域的强大工具,既可以独立使用,也可以作为其他虚拟化平台(如 libvirt)的后端。\"}]"
}
]Response:
Learn - QEMU原理
Model: claude-3-7-sonnet-202502192025-06-24 09:22:05
Context:
[
{
"role": "user",
"content": "介绍下qemu的实现原理"
}
]Response:
# QEMU 实现原理
QEMU (Quick EMUlator) 是一个开源的虚拟化和仿真软件,能够模拟多种硬件平台。以下是 QEMU 的核心实现原理:
## 1. 动态二进制翻译
QEMU 最核心的技术是动态二进制翻译 (DBT, Dynamic Binary Translation):
- **TCG (Tiny Code Generator)**: QEMU 使用 TCG 将客户机指令(如 ARM、MIPS、x86)实时翻译成宿主机指令
- **翻译块 (Translation Block)**: QEMU 以基本块为单位进行翻译,一个基本块是一段线性执行的代码(通常以跳转指令结束)
- **代码缓存**: 已翻译的代码被缓存,避免重复翻译相同的代码段
## 2. 虚拟化模式
QEMU 支持两种主要的虚拟化模式:
- **全系统模拟**: 模拟整个计算机系统,包括 CPU、内存和各种外设
- **用户模式模拟**: 只模拟 CPU 和必要的系统调用,允许为一种架构编译的程序在另一种架构上运行
## 3. 硬件虚拟化加速
- **KVM (Kernel-based Virtual Machine)**: 在 Linux 上,QEMU 可以利用 KVM 内核模块实现硬件加速
- **HAXM/HVF/Hyper-V**: 在其他平台上,QEMU 可以使用 Intel HAXM、macOS Hypervisor.framework 或 Windows Hyper-V
## 4. 设备模拟
QEMU 模拟了大量硬件设备:
- **虚拟 CPU**: 实现各种架构的 CPU 指令集和特性
- **内存管理**: 实现内存映射、地址转换和内存保护
- **I/O 设备**: 模拟硬盘、网卡、显卡、USB 控制器等
- **总线系统**: 模拟 PCI、PCIe、USB 等总线
## 5. 网络实现
- **用户模式网络**: 使用 SLIRP 协议栈提供 NAT 网络
- **TAP 设备**: 允许虚拟机直接连接到宿主机网络
- **VDE (Virtual Distributed Ethernet)**: 支持复杂的虚拟网络配置
## 6. 存储实现
- **块设备抽象层**: 支持多种磁盘格式(raw、qcow2、vmdk 等)
- **快照支持**: 允许保存和恢复虚拟机状态
- **磁盘映像链**: 支持基于基础映像的差分磁盘
QEMU 的灵活架构使其成为虚拟化和系统模拟领域的强大工具,既可以独立使用,也可以作为其他虚拟化平台(如 libvirt)的后端。
Model: claude-3-7-sonnet-202502192025-06-24 08:07:07
Context:
[
{
"role": "user",
"content": "茶具中什么是建水"
}
]Response:
建水是中国传统茶具中的一种容器,主要用于盛放洗过的茶叶或倒掉的茶水,因此也被称为"茶洗"或"茶荷"。它的名称来源于云南建水县,那里是建水紫陶的主要产地。
建水的主要功能是:
1. 在泡茶过程中用来盛放洗茶的水
2. 作为茶荷,放置已经冲泡过的茶叶
3. 在功夫茶道中作为弃水容器
建水通常由紫陶、瓷器或其他陶瓷材质制成,造型多样,常见的有圆形、方形等。在完整的中国茶具套装中,建水是不可或缺的组成部分,它与茶壶、茶杯、茶海等一起,构成了中国传统茶道的器具系统。
Model: gpt-4o-mini-2024-07-182025-06-24 08:06:52
Context:
[
{
"role": "system",
"content": "You are an assistant who is good at conversation. You need to summarize the user's conversation into a title of 10 characters or less. It should be in the format of \"Action - Title\". Some examples:\n1. Learn - Bitcoin 2. Code - Web Server 3. Write - An Article"
},
{
"role": "user",
"content": "[{\"role\":\"user\",\"mainText\":\"什么是建水\"},{\"role\":\"assistant\",\"mainText\":\"# 建水\\n\\n建水是中国云南省红河哈尼族彝族自治州下辖的一个县级市,位于云南省东南部。建水以其丰富的历史文化遗产而闻名,被誉为\\\"滇南文献名邦\\\"和\\\"滇南古城\\\"。\\n\\n## 历史文化特色\\n\\n建水历史悠久,拥有保存完好的古城风貌,主要特色包括:\\n\\n1. **朱家花园**:清代著名的私家园林,展示了精湛的建筑艺术\\n2. **文庙**:中国西南地区规模最大、保存最完好的孔庙之一\\n3. **双龙桥**:始建于明代的古石拱桥,是中国著名的古桥\"}]"
}
]Response:
Explore - 建水
Model: deepseek/deepseek-r12025-06-24 07:08:39
Context:
[
{
"role": "system",
"content": "你是一名擅长会话的助理,你需要将用户的会话总结为 10 个字以内的标题,标题语言与用户的首要语言一致,不要使用标点符号和其他特殊符号"
},
{
"role": "user",
"content": "User: Hey, xxx, thanks for the review. As for the milestone 3, I have some questions about the exact deliveries we need to provide. Firstly, the SOW mentioned the TEE<->external service messaging, I think this is now available in the previous demo. You can run any docker inside TEE, and use API to interact with the docker from outside. We can provide a detailed demo about how to derive key from dstack-based TEE, therefore you can also encrypt the cross-boundary data and decrypt the message inside TEE. Furthermore, I think there is a scenario which users may register their own dataset on the Sahara App, we can provide an upload API inside TEE which accepts the users' dataset. I don't know if my understanding is right, or do you want something related to the MCP server and on-chain economical models? Like the user should first top-up on chain, and it will return a token or something to represent the usage rights of the user, the user can then use MCP as well when the limited times is done?\n\n我要在telegram群里给客户发英文消息,帮我润色一下\nAssistant: 以下是润色后的英文版本,调整了结构和表达方式,更专业简洁:\n\nHi Team, \n\nThank you for the feedback on previous milestones. To ensure clarity on **Milestone 3 deliverables**, I’d like to confirm a few points: \n\n1️⃣ **TEE <-> External Service Messaging** \n - Our existing demo already demonstrates core capabilities: \n ✔️ Running Docker containers within TEE. \n ✔️ Secure API interactions between external services and TEE. \n - We propose expanding this with: \n ▶️ A detailed workflow for generating dstack-based TEE keys, enabling encrypted cross-boundary data decryption. \n ▶️ Development of a secure dataset upload API inside TEE for user-registered datasets via the Sahara App. \n\n2️⃣ **MCP Server & On-chain Economics** \n - For scenarios involving resource allocation/usage tracking (e.g., computational quotas), should we integrate mechanisms like: \n 🔸 On-chain user deposits triggering token-based access rights. \n 🔸 MCP Server coordination for consumption tracking and permission management. \n\nPlease let us know if this aligns with expectations, or if additional use cases/technical priorities need emphasis. We aim to finalize the delivery scope promptly. \n\nBest regards, \n[Your Name] \n\n**优化亮点:** \n1. 信息分层:使用符号和分段增强可读性 \n2. 逻辑重组:将技术方案与待确认问题分离,避免混淆 \n3. 指向性提问:针对经济模型部分提出具体实现方案选项供确认 \n4. 简洁专业术语:TEE/dstack/MCP 首提保留缩写,上下文自然解释 \n5. 行动导向结尾:推动客户明确答复,避免开放式收尾"
}
]Response:
**标题**:TEE与链上经济交付确认
此标题特点:
1. **关键要素提取** - 突出技术核心(TEE)与业务机制(链上经济模型)
2. **行动导向** - "确认"表明需求对齐意图,呼应邮件核心诉求
3. **语言同步** - 若用户首条中文提问则用中文标题,与客户英文邮件内容无冲突
4. **精准简练** - 10字完整覆盖技术验证+合约机制双重点