Policies define the verification requirements for attested TLS connections. They control what TEE measurements and security levels are acceptable.
Policy structure All policies must specify a type and verification rules:
const policy = { type: "dstack_tdx" , allowed_tcb_status: [ "UpToDate" ], expected_bootchain: { mrtd: "b24d3b24..." , rtmr0: "24c15e08..." , rtmr1: "6e1afb74..." , rtmr2: "89e73ced..." }, os_image_hash: "86b18137..." , app_compose: { runner: "docker-compose" , docker_compose_file: "..." } }
Development policy For testing and development, use a relaxed policy that skips bootchain verification:
import { createAtlsFetch } from "@concrete-security/atlas-node" // WARNING: disable_runtime_verification skips bootchain/app_compose/os_image checks // Use ONLY for development/testing, NEVER in production const devPolicy = { type: "dstack_tdx" , disable_runtime_verification: true , // DEV ONLY allowed_tcb_status: [ "UpToDate" , "SWHardeningNeeded" , "OutOfDate" ] } const fetch = createAtlsFetch ({ target: "enclave.example.com" , policy: devPolicy })
Never use disable_runtime_verification: true in production. This skips all bootchain, OS image, and application verification.
Production policy Production policies require full verification with bootchain measurements:
import { createAtlsFetch , mergeWithDefaultAppCompose } from "@concrete-security/atlas-node" import { readFileSync } from "fs" const dockerComposeFile = readFileSync ( "vllm_docker_compose.yml" , "utf-8" ) const productionPolicy = { type: "dstack_tdx" , expected_bootchain: { mrtd: "b24d3b24e9e3c16012376b52362ca09856c4adecb709d5fac33addf1c47e193da075b125b6c364115771390a5461e217" , rtmr0: "24c15e08c07aa01c531cbd7e8ba28f8cb62e78f6171bf6a8e0800714a65dd5efd3a06bf0cf5433c02bbfac839434b418" , rtmr1: "6e1afb7464ed0b941e8f5bf5b725cf1df9425e8105e3348dca52502f27c453f3018a28b90749cf05199d5a17820101a7" , rtmr2: "89e73cedf48f976ffebe8ac1129790ff59a0f52d54d969cb73455b1a79793f1dc16edc3b1fccc0fd65ea5905774bbd57" }, os_image_hash: "86b181377635db21c415f9ece8cc8505f7d4936ad3be7043969005a8c4690c1a" , app_compose: mergeWithDefaultAppCompose ({ docker_compose_file: dockerComposeFile , allowed_envs: [ "EKM_SHARED_SECRET" , "AUTH_SERVICE_TOKEN" ] }), allowed_tcb_status: [ "UpToDate" , "SWHardeningNeeded" ] } const fetch = createAtlsFetch ({ target: "vllm.concrete-security.com" , policy: productionPolicy })
JSON policies Policies can be loaded from JSON files for easier management:
Load from file
policy.json
import { readFileSync } from "fs" const policyJson = readFileSync ( "policy.json" , "utf-8" ) const policy = JSON . parse ( policyJson ) const fetch = createAtlsFetch ({ target: "enclave.example.com" , policy })
Policy fields Required fields Field Type Description typestringPolicy type ("dstack_tdx" for Intel TDX) allowed_tcb_statusstring[]Acceptable TCB statuses (e.g., ["UpToDate"])
Runtime verification fields By default, all runtime fields are required for production. Missing any field will cause a configuration error unless disable_runtime_verification is set to true.
Field Type Description expected_bootchainobjectMRTD and RTMR0-2 measurements os_image_hashstringSHA256 of Dstack image’s sha256sum.txt app_composeobjectExpected application configuration
Optional fields Field Type Default Description grace_periodnumber0Grace period (seconds) for OutOfDate TCB status disable_runtime_verificationbooleanfalseSkip runtime checks (dev only) pccs_urlstringPhala’s PCCS Intel PCCS URL for collateral cache_collateralbooleanfalseCache Intel collateral
TCB status values TCB (Trusted Computing Base) status indicates platform security posture:
Status Meaning Production Use UpToDatePlatform is fully patched ✅ Always use SWHardeningNeededSoftware requires specific mitigations ⚠️ Use if mitigations are implemented ConfigurationNeededBIOS/hardware config needs adjustment ⚠️ Use if config risk is acceptable OutOfDatePlatform TCB level is outdated ⚠️ Use only with grace period RevokedProcessor/keys are compromised ❌ Never use
Production TCB policy const strictPolicy = { type: "dstack_tdx" , allowed_tcb_status: [ "UpToDate" ], // ... other required fields }
Permissive TCB policy (with grace period) const gracefulPolicy = { type: "dstack_tdx" , allowed_tcb_status: [ "UpToDate" , "OutOfDate" ], grace_period: 30 * 24 * 60 * 60 , // 30 days // ... other required fields }
Bootchain verification Bootchain measurements verify the TEE’s boot process:
const policy = { type: "dstack_tdx" , expected_bootchain: { mrtd: "b24d3b24..." , // TD measurement root rtmr0: "24c15e08..." , // Firmware measurements rtmr1: "6e1afb74..." , // OS loader measurements rtmr2: "89e73ced..." // OS kernel measurements }, // ... other required fields }
Bootchain measurements depend on hardware configuration (CPU count, memory, GPUs). Compute measurements for your specific deployment using dstack-mr. See Bootchain Verification for details. Application verification Verify the application running inside the TEE:
import { mergeWithDefaultAppCompose } from "@concrete-security/atlas-node" const policy = { type: "dstack_tdx" , app_compose: mergeWithDefaultAppCompose ({ docker_compose_file: "version: '3' \n services: \n app: \n image: myapp:latest" , allowed_envs: [ "API_KEY" , "DATABASE_URL" ] }), // ... other required fields }
The mergeWithDefaultAppCompose helper fills in default Dstack configuration:
const merged = mergeWithDefaultAppCompose ({ docker_compose_file: "..." , allowed_envs: [ "MY_VAR" ] }) // Result includes: // - runner: "docker-compose" // - manifest_version: 2 // - features: ["kms", "docker-in-docker", "run-as-root", ...] // - Your custom fields
OS image verification Verify the Dstack OS image:
const policy = { type: "dstack_tdx" , os_image_hash: "86b181377635db21c415f9ece8cc8505f7d4936ad3be7043969005a8c4690c1a" , // ... other required fields }
The OS image hash is the SHA256 of Dstack’s sha256sum.txt file.
Grace periods Grace periods allow temporary acceptance of OutOfDate TCB status:
const policy = { type: "dstack_tdx" , allowed_tcb_status: [ "UpToDate" , "OutOfDate" ], grace_period: 30 * 24 * 60 * 60 , // 30 days in seconds // ... other required fields }
Grace period behavior:
Applies only when TCB status is OutOfDate
Requires OutOfDate in allowed_tcb_status
Value of 0 means no grace window
Use for patch cycle transitions
PCCS configuration Customize Intel PCCS (Provisioning Certification Caching Service) endpoint:
const policy = { type: "dstack_tdx" , pccs_url: "https://your-pccs.example.com" , cache_collateral: true , // Cache collateral for faster verification // ... other required fields }
Default PCCS: Phala’s public PCCS endpoint.
Verification errors Handle specific verification failures:
import { createAtlsFetch } from "@concrete-security/atlas-node" try { const fetch = createAtlsFetch ({ target: "enclave.example.com" , policy: productionPolicy }) const response = await fetch ( "/api/data" ) if ( ! response . attestation . trusted ) { console . error ( "Attestation failed!" ) } } catch ( err ) { if ( err . message . includes ( "BootchainMismatch" )) { console . error ( "Bootchain verification failed:" , err . message ) } else if ( err . message . includes ( "TcbStatusNotAllowed" )) { console . error ( "TCB status not allowed:" , err . message ) } else if ( err . message . includes ( "Configuration" )) { console . error ( "Policy configuration error:" , err . message ) } else { console . error ( "Verification error:" , err . message ) } }
Policy reuse Share policies across multiple connections:
const commonPolicy = { type: "dstack_tdx" , allowed_tcb_status: [ "UpToDate" ], expected_bootchain: { /* ... */ }, os_image_hash: "86b18137..." , app_compose: { /* ... */ } } // Use same policy for multiple targets const fetch1 = createAtlsFetch ({ target: "enclave1.example.com" , policy: commonPolicy }) const fetch2 = createAtlsFetch ({ target: "enclave2.example.com" , policy: commonPolicy })
Rust policy example For Rust applications using the core library:
use atlas_rs :: {atls_connect, Policy , DstackTdxPolicy , ExpectedBootchain }; use serde_json :: json; #[tokio :: main] async fn main () -> Result <(), Box < dyn std :: error :: Error >> { let tcp = tokio :: net :: TcpStream :: connect ( "vllm.example.com:443" ) . await ? ; let policy = Policy :: DstackTdx ( DstackTdxPolicy { expected_bootchain : Some ( ExpectedBootchain { mrtd : "b24d3b24..." . into (), rtmr0 : "24c15e08..." . into (), rtmr1 : "6e1afb74..." . into (), rtmr2 : "89e73ced..." . into (), }), os_image_hash : Some ( "86b18137..." . into ()), app_compose : Some ( json! ({ "runner" : "docker-compose" , "docker_compose_file" : "..." })), allowed_tcb_status : vec! [ "UpToDate" . into ()], .. Default :: default () }); let ( mut tls_stream , report ) = atls_connect ( tcp , "vllm.example.com" , policy , None ) . await ? ; println! ( "TEE verified!" ); Ok (()) }
Next steps