fix: unify RA-TLS cert format and fix onboard os_image_hash#585

Merged
kvinwang merged 2 commits into master from docs/update-kms-test-guides
Mar 20, 2026

Conversation

@kvinwang
Collaborator

@kvinwang kvinwang commented Mar 20, 2026

Summary

  • RA-TLS cert format: use unified PHALA_RATLS_ATTESTATION OID for all attestation types (including TDX), replacing the legacy separate TDX_QUOTE + EVENT_LOG OIDs. The new format preserves vm_config (including os_image_hash). The reader already prefers the new OID and falls back to old OIDs for backward compat with existing certs.
  • Onboard workaround: when the remote source KMS uses the old cert format (missing vm_config), the receiver-side ensure_kms_allowed fills os_image_hash from the local KMS's own value. This is safe because mrAggregated already validates OS image integrity through the RTMR measurement chain. Marked with TODO to remove once all source KMS instances are upgraded.
  • Docs: update test guides to reflect the cert format change and remove the "0x" osImages workaround.

Test plan

  • cargo check -p ra-tls -p dstack-kms
  • cargo clippy -p ra-tls -p dstack-kms --all-targets -- -D warnings
  • Integration test on TDX host: verify new cert contains PHALA_RATLS_ATTESTATION with config populated
  • Onboard from old-format source KMS: verify workaround fills os_image_hash
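The reader preference and the receiver-side fill-in described in the summary, as an added example that is not dstack's own code: the OID values, the newline-separated encoding of the unified blob, and the function names `read_attestation` / `effective_os_image_hash` are constructed for illustration, not taken from the ra-tls or kms crates.

```rust
use std::collections::BTreeMap;

// Placeholder OIDs (assumed): the real dotted values live in the ra-tls crate.
const PHALA_RATLS_ATTESTATION: &str = "oid.placeholder.unified";
const LEGACY_TDX_QUOTE: &str = "oid.placeholder.tdx_quote";
const LEGACY_EVENT_LOG: &str = "oid.placeholder.event_log";

#[derive(Debug, Clone, PartialEq)]
pub struct VmConfig { pub os_image_hash: Option<String> }

#[derive(Debug, Clone, PartialEq)]
pub struct Attestation {
    pub quote: Vec<u8>,
    pub event_log: Vec<u8>,
    /// None when the cert was issued in the legacy two-OID format.
    pub vm_config: Option<VmConfig>,
}

/// Simplified X.509 extension set: OID -> extension value.
pub type Extensions = BTreeMap<&'static str, Vec<u8>>;

/// Toy encoding of the unified blob (constructed for this example):
/// three newline-separated fields: quote, event log, os_image_hash.
fn parse_unified(blob: &[u8]) -> Option<Attestation> {
    let text = std::str::from_utf8(blob).ok()?;
    let mut parts = text.splitn(3, '\n');
    let quote = parts.next()?.as_bytes().to_vec();
    let event_log = parts.next()?.as_bytes().to_vec();
    let os_image_hash = parts.next().filter(|s| !s.is_empty()).map(str::to_string);
    Some(Attestation { quote, event_log, vm_config: Some(VmConfig { os_image_hash }) })
}

/// Reader: prefer the unified OID; fall back to the legacy pair for older certs.
pub fn read_attestation(exts: &Extensions) -> Option<Attestation> {
    if let Some(blob) = exts.get(PHALA_RATLS_ATTESTATION) {
        return parse_unified(blob);
    }
    let quote = exts.get(LEGACY_TDX_QUOTE)?.clone();
    let event_log = exts.get(LEGACY_EVENT_LOG)?.clone();
    Some(Attestation { quote, event_log, vm_config: None })
}

/// Receiver-side workaround (ensure_kms_allowed): a legacy cert carries no
/// vm_config, so os_image_hash is taken from the local KMS's own value.
pub fn effective_os_image_hash(att: &Attestation, local_os_image_hash: &str) -> String {
    att.vm_config.as_ref().and_then(|c| c.os_image_hash.clone())
        .unwrap_or_else(|| local_os_image_hash.to_string())
}
```

The fill-in only covers the legacy case; a unified cert that carries its own os_image_hash keeps that value.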

@kvinwang kvinwang changed the title from "docs: update KMS test guides after cert format fix" to "fix: unify RA-TLS cert format and fix onboard os_image_hash" on Mar 20, 2026
1. ra-tls: use unified PHALA_RATLS_ATTESTATION OID for all cert types
   (including TDX) instead of the legacy separate TDX_QUOTE + EVENT_LOG
   OIDs. The new format preserves vm_config (including os_image_hash).
   The reader already prefers the new OID and falls back to old OIDs
   for backward compat with existing certs.

2. kms: when the remote source KMS uses the old cert format (missing
   vm_config), the receiver-side ensure_kms_allowed fills os_image_hash
   from the local KMS value. This is safe because mrAggregated already
   validates OS image integrity through the RTMR measurement chain.
   TODO: remove once all source KMS instances use the new cert format.
@kvinwang kvinwang force-pushed the docs/update-kms-test-guides branch from 100393a to abfebc0 on March 20, 2026 03:48
@kvinwang kvinwang merged commit 627f19a into master Mar 20, 2026
14 checks passed