The DstackTdxPolicy configures Intel TDX attestation verification for Dstack-based TEE deployments.

Configuration fields

Runtime verification fields

These fields are required by default for production security:
expected_bootchain
object
Expected bootchain measurements (MRTD and RTMR0-2). Required unless disable_runtime_verification is true.
os_image_hash
string
SHA256 hash of the Dstack image’s sha256sum.txt file. Required unless disable_runtime_verification is true. Must be lowercase hex.
app_compose
object
Expected application configuration. Required unless disable_runtime_verification is true. The verifier computes the hash of this JSON value and compares it against the hash in the event log.

TCB verification fields

allowed_tcb_status
string[]
default: ["UpToDate"]
List of acceptable TCB (Trusted Computing Base) status values. See TCB status values for details. Valid values: UpToDate, SWHardeningNeeded, ConfigurationNeeded, OutOfDate, Revoked
grace_period
number
Grace period in seconds for OutOfDate TCB status. Only applies when OutOfDate is in allowed_tcb_status.
  • A value of 0 means no grace window
  • If set, platforms with OutOfDate status are accepted only if tcb_date + grace_period >= current_time
  • Requires OutOfDate in allowed_tcb_status or configuration will fail

Optional verification settings

disable_runtime_verification
boolean
default:false
Skip bootchain, app_compose, and os_image_hash verification. Not recommended for production. When true, the runtime verification fields become optional. DstackTdxPolicy::dev() sets this to true.
pccs_url
string
default:"https://pccs.phala.network/tdx/certification/v4"
Intel PCCS (Provisioning Certificate Caching Service) URL for fetching attestation collateral. Defaults to Phala’s public PCCS.
cache_collateral
boolean
default:false
Cache Intel collateral to avoid repeated network fetches. When enabled, collateral is cached per verification session.

Examples

Development policy

Relaxed verification for testing:
use atlas_rs::{Policy, DstackTdxPolicy};

// Convenience method - disables runtime verification
let policy = Policy::DstackTdx(DstackTdxPolicy::dev());

Production policy with strict TCB

Only accept fully patched platforms:
use atlas_rs::{Policy, DstackTdxPolicy, ExpectedBootchain};
use serde_json::json;

let policy = Policy::DstackTdx(DstackTdxPolicy {
    expected_bootchain: Some(ExpectedBootchain {
        mrtd: "b24d3b24e9e3c16012376b52362ca09856c4adecb709d5fac33addf1c47e193da075b125b6c364115771390a5461e217".into(),
        rtmr0: "24c15e08c07aa01c531cbd7e8ba28f8cb62e78f6171bf6a8e0800714a65dd5efd3a06bf0cf5433c02bbfac839434b418".into(),
        rtmr1: "6e1afb7464ed0b941e8f5bf5b725cf1df9425e8105e3348dca52502f27c453f3018a28b90749cf05199d5a17820101a7".into(),
        rtmr2: "89e73cedf48f976ffebe8ac1129790ff59a0f52d54d969cb73455b1a79793f1dc16edc3b1fccc0fd65ea5905774bbd57".into(),
    }),
    os_image_hash: Some("86b181377635db21c415f9ece8cc8505f7d4936ad3be7043969005a8c4690c1a".into()),
    app_compose: Some(json!({
        "runner": "docker-compose",
        "docker_compose_file": "version: '3'\nservices:\n  vllm:\n    image: vllm/vllm-openai:latest\n    ..."
    })),
    allowed_tcb_status: vec!["UpToDate".into()],
    ..Default::default()
});

Production policy with grace period

Accept OutOfDate platforms within a 30-day grace period:
use atlas_rs::{Policy, DstackTdxPolicy, ExpectedBootchain};
use serde_json::json;

let policy = Policy::DstackTdx(DstackTdxPolicy {
    expected_bootchain: Some(ExpectedBootchain {
        mrtd: "b24d3b24e9e3c16012376b52362ca09856c4adecb709d5fac33addf1c47e193da075b125b6c364115771390a5461e217".into(),
        rtmr0: "24c15e08c07aa01c531cbd7e8ba28f8cb62e78f6171bf6a8e0800714a65dd5efd3a06bf0cf5433c02bbfac839434b418".into(),
        rtmr1: "6e1afb7464ed0b941e8f5bf5b725cf1df9425e8105e3348dca52502f27c453f3018a28b90749cf05199d5a17820101a7".into(),
        rtmr2: "89e73cedf48f976ffebe8ac1129790ff59a0f52d54d969cb73455b1a79793f1dc16edc3b1fccc0fd65ea5905774bbd57".into(),
    }),
    os_image_hash: Some("86b181377635db21c415f9ece8cc8505f7d4936ad3be7043969005a8c4690c1a".into()),
    app_compose: Some(json!({
        "runner": "docker-compose",
        "docker_compose_file": "..."
    })),
    allowed_tcb_status: vec!["UpToDate".into(), "OutOfDate".into()],
    grace_period: Some(30 * 24 * 60 * 60), // 30 days
    ..Default::default()
});
Grace periods should be used sparingly. They allow temporarily outdated platforms to operate during patch cycles, but extended grace periods may expose your system to known vulnerabilities.

Validation rules

The policy performs validation before creating a verifier:
  1. TCB status values - All values in allowed_tcb_status must be valid TCB status strings
  2. Hex strings - All measurement hashes must be lowercase hexadecimal
  3. Grace period - If grace_period is set, allowed_tcb_status must include OutOfDate
  4. Runtime fields - If disable_runtime_verification is false (default), all runtime fields are required:
    • expected_bootchain must be provided
    • os_image_hash must be provided
    • app_compose must be provided
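To make the validation rules and the grace-period arithmetic above concrete, here is an added, self-contained Rust model of the policy (example code written for this page, not atlas_rs's own implementation). It mirrors the documented field names and implements the four rules plus the documented window check tcb_date + grace_period >= current_time. The error type (plain String), the app_compose field being held as JSON text instead of serde_json::Value, the check_tcb() helper, and the choice to accept an allowed OutOfDate platform unconditionally when no grace_period is set are all assumptions made for the illustration.

```rust
// Added illustration, not atlas_rs code: a stand-in DstackTdxPolicy that
// enforces the documented validation rules and grace-window check.

// Valid TCB status strings as documented for allowed_tcb_status.
const VALID_TCB_STATUS: [&str; 5] = [
    "UpToDate", "SWHardeningNeeded", "ConfigurationNeeded", "OutOfDate", "Revoked",
];

#[derive(Debug, Default)]
pub struct ExpectedBootchain {
    pub mrtd: String,
    pub rtmr0: String,
    pub rtmr1: String,
    pub rtmr2: String,
}

#[derive(Debug)]
pub struct DstackTdxPolicy {
    pub expected_bootchain: Option<ExpectedBootchain>,
    pub os_image_hash: Option<String>,
    pub app_compose: Option<String>, // assumption: JSON text stands in for serde_json::Value
    pub allowed_tcb_status: Vec<String>,
    pub grace_period: Option<u64>, // seconds
    pub disable_runtime_verification: bool,
}

impl Default for DstackTdxPolicy {
    fn default() -> Self {
        Self {
            expected_bootchain: None,
            os_image_hash: None,
            app_compose: None,
            allowed_tcb_status: vec!["UpToDate".to_string()], // documented default
            grace_period: None,
            disable_runtime_verification: false,
        }
    }
}

/// Rule 2: measurement hashes must be lowercase hex; uppercase A-F is rejected.
fn is_lowercase_hex(s: &str) -> bool {
    !s.is_empty() && s.chars().all(|c| c.is_ascii_digit() || ('a'..='f').contains(&c))
}

impl DstackTdxPolicy {
    pub fn validate(&self) -> Result<(), String> {
        // Rule 1: every entry in allowed_tcb_status must be a known status.
        for s in &self.allowed_tcb_status {
            if !VALID_TCB_STATUS.contains(&s.as_str()) {
                return Err(format!("invalid TCB status '{}'", s));
            }
        }
        // Rule 3: grace_period is only meaningful if OutOfDate is allowed.
        if self.grace_period.is_some() && !self.allowed_tcb_status.iter().any(|s| s == "OutOfDate") {
            return Err("grace_period requires allowed_tcb_status to include OutOfDate".into());
        }
        // Rule 4: runtime fields are mandatory unless verification is disabled.
        if !self.disable_runtime_verification {
            let bc = self.expected_bootchain.as_ref().ok_or("expected_bootchain is required")?;
            for (name, v) in [("mrtd", &bc.mrtd), ("rtmr0", &bc.rtmr0), ("rtmr1", &bc.rtmr1), ("rtmr2", &bc.rtmr2)] {
                if !is_lowercase_hex(v) {
                    return Err(format!("{} must be lowercase hex", name));
                }
            }
            let img = self.os_image_hash.as_deref().ok_or("os_image_hash is required")?;
            if !is_lowercase_hex(img) {
                return Err("os_image_hash must be lowercase hex".into());
            }
            if self.app_compose.is_none() {
                return Err("app_compose is required".into());
            }
        }
        Ok(())
    }

    /// Assumed helper: is a platform with this reported TCB status acceptable?
    /// `tcb_date` and `now` are Unix seconds. For OutOfDate the documented
    /// window `tcb_date + grace_period >= current_time` decides; a grace
    /// period of 0 therefore accepts nothing older than `now`.
    pub fn check_tcb(&self, status: &str, tcb_date: u64, now: u64) -> bool {
        if !self.allowed_tcb_status.iter().any(|s| s == status) {
            return false;
        }
        if status != "OutOfDate" {
            return true;
        }
        match self.grace_period {
            None => true, // assumption: allowed without a window means unconditional
            Some(g) => tcb_date.saturating_add(g) >= now,
        }
    }
}

fn main() {
    // Missing runtime fields fail validation, as on the real policy.
    println!("default policy: {:?}", DstackTdxPolicy::default().validate());
    let policy = DstackTdxPolicy {
        allowed_tcb_status: vec!["UpToDate".into(), "OutOfDate".into()],
        grace_period: Some(30 * 24 * 60 * 60), // 30 days
        disable_runtime_verification: true,
        ..Default::default()
    };
    let t = 1_700_000_000u64; // constructed sample TCB date
    println!("OutOfDate, 10 days old: {}", policy.check_tcb("OutOfDate", t, t + 10 * 86_400));
    println!("OutOfDate, 31 days old: {}", policy.check_tcb("OutOfDate", t, t + 31 * 86_400));
}
```

The grace-window check shows why the page advises using grace periods sparingly: once tcb_date + grace_period falls behind the current time the platform is rejected, but until then a platform with a known-stale TCB is accepted exactly like an up-to-date one.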

Example validation errors

use atlas_rs::DstackTdxPolicy;

// Invalid TCB status
let policy = DstackTdxPolicy {
    allowed_tcb_status: vec!["InvalidStatus".into()],
    disable_runtime_verification: true,
    ..Default::default()
};
assert!(policy.validate().is_err());
// Error: invalid TCB status 'InvalidStatus'

// Grace period without OutOfDate
let policy = DstackTdxPolicy {
    grace_period: Some(86400),
    allowed_tcb_status: vec!["UpToDate".into()],
    disable_runtime_verification: true,
    ..Default::default()
};
assert!(policy.validate().is_err());
// Error: grace_period requires allowed_tcb_status to include OutOfDate

// Missing runtime fields
let policy = DstackTdxPolicy::default();
assert!(policy.into_verifier().is_err());
// Error: Configuration - expected_bootchain is required

Related pages
  • TCB status values: Understanding TCB security levels
  • Computing measurements: Generate bootchain measurements
