AWS Nitro Support: Attestation verification is fully implemented. For AWS deployment options, book a call with our team.
This document describes how dstack produces and verifies attestation on AWS Nitro Enclaves using the NSM attestation document. It follows the implementation in dstack-attest and nsm-qvl.
- NSM attestation generator: `nsm-attest::get_attestation`
- Verifier: `dstack-attest` + `nsm-qvl`

Quote generation proceeds as follows:

- Collect `report_data` (64 bytes), optionally bound to the RA-TLS public key.
- Request an NSM attestation with `user_data = report_data`: `nsm_attest::get_attestation(report_data)`.
- Bundle it into `DstackNitroQuote { nsm_quote }`.
- Include config derived from the PCRs: `os_image_hash = sha256(PCR0 || PCR1 || PCR2)` (all zeros if the PCRs are zero).

The NSM attestation document (COSE_Sign1 payload) includes:

- `module_id`, `digest`, `timestamp`
- `pcrs` map
- signing `certificate` and `cabundle`
- optional `user_data`, `nonce`, `public_key`
Verification runs in `Attestation::verify_with_time`:

- Parse the COSE_Sign1 structure and require `alg = ES384` (-35).
- Validate the COSE critical headers (`crit`) if present.
- Parse the attestation document from the payload and enforce:
  - `digest == "SHA384"`
  - PCR lengths are 48 bytes
  - freshness window against `now`
- Verify the certificate chain up to `AWS_NITRO_ENCLAVES_ROOT_G1`.
- Verify the COSE signature using the leaf certificate's P-384 key.
- Key usage sanity on the leaf certificate (if present):
  - must allow `digitalSignature`
  - must not allow `keyCertSign` or `cRLSign`
  - must allow

nsm-qvl exposes async CRL verification via `verify_attestation_with_crl(..., enable_crl, ...)`. This is disabled by default in dstack-attest because the CRL fetch from S3 may return 403. The caller can enable CRL checking explicitly.

- Match `user_data` to `report_data`.
- Decode the PCRs and return the verified report.

The verifier returns `DstackVerifiedReport::DstackNitroEnclave` containing:

- `module_id`
- `pcrs` (PCR0/1/2)
- `user_data` (`report_data`)
- `timestamp`
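As an added example (not dstack's or nsm-qvl's code), the document-level checks listed above in Python over a constructed, already CBOR-decoded NSM document: the ES384 `alg` check, `digest`, PCR length, freshness, the `user_data`/`report_data` match, and the `os_image_hash` derivation with its all-zero rule. Signature, certificate-chain and key-usage verification are out of scope here; the 300-second freshness window and the `module_id` value are assumptions.

```python
import hashlib

ES384 = -35            # COSE alg id (the only one the verifier accepts)
PCR_LEN = 48           # SHA-384 digest length
FRESHNESS_SECS = 300   # assumed window; the page names no concrete value

class AttestationError(Exception):
    pass

def os_image_hash(pcrs):
    """os_image_hash = sha256(PCR0 || PCR1 || PCR2), all zeros if the PCRs are zero."""
    joined = pcrs[0] + pcrs[1] + pcrs[2]
    return hashlib.sha256(joined).digest() if any(joined) else bytes(32)

def verify_document(protected, doc, report_data, now):
    """Apply the document-level checks to a decoded COSE_Sign1 protected header
    (COSE label 1 = alg) and attestation document. Signature, certificate chain
    and key-usage checks are out of scope here and must precede these in practice."""
    if protected.get(1) != ES384:
        raise AttestationError("alg must be ES384 (-35)")
    if doc.get("digest") != "SHA384":
        raise AttestationError("digest must be SHA384")
    pcrs = doc["pcrs"]
    for idx, val in pcrs.items():
        if len(val) != PCR_LEN:
            raise AttestationError(f"PCR{idx} has {len(val)} bytes, expected {PCR_LEN}")
    ts = doc["timestamp"] / 1000            # NSM timestamps are ms since the epoch
    if abs(now - ts) > FRESHNESS_SECS:
        raise AttestationError("attestation document is outside the freshness window")
    if len(report_data) != 64 or doc.get("user_data") != report_data:
        raise AttestationError("user_data does not match the 64-byte report_data")
    return {"module_id": doc["module_id"], "pcrs": {i: pcrs[i] for i in (0, 1, 2)},
            "user_data": report_data, "timestamp": doc["timestamp"],
            "os_image_hash": os_image_hash(pcrs)}

def sample_document(report_data, now_ms):
    """Constructed sample standing in for a decoded NSM document (not real output)."""
    pcrs = {i: hashlib.sha384(bytes([i])).digest() for i in range(3)}
    pcrs[3] = bytes(PCR_LEN)                # unused slot: NSM returns all zeros
    return {1: ES384}, {"module_id": "i-EXAMPLE-encEXAMPLE",   # placeholder id
                        "digest": "SHA384", "timestamp": now_ms,
                        "pcrs": pcrs, "user_data": report_data}

if __name__ == "__main__":
    rd = bytes(range(64))
    hdr, doc = sample_document(rd, 1_700_000_000_000)
    print(verify_document(hdr, doc, rd, 1_700_000_000))
```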
Source references:

- dstack-attest/src/attestation.rs
- nsm-qvl/src/verify.rs