feat(dstack-mr): add UEFI disk boot (UKI) measurement support#597
Open
feat(dstack-mr): add UEFI disk boot (UKI) measurement support#597
Conversation
Add --uki flag to enable UEFI disk boot measurement path:
OVMF → systemd-boot → UKI → vmlinuz (3 EFI app measurements)
When --uki is set, RTMR calculations use the UEFI disk boot event model
instead of the -kernel direct boot model:
RTMR[0]: Same TD HOB/CFV/EFI vars/ACPI, but BootOrder has 2 entries
and Boot0001 (disk device) is added. Boot variable digests
use SHA384(variable_data_bytes).
RTMR[1]: 8 events — Calling EFI App, separator, GPT event (non-empty
partition entries only), systemd-boot/UKI/vmlinuz Authenticode
hashes, ExitBootServices.
RTMR[2]: 2 events — cmdline as UTF-16LE (Linux EFI stub behavior),
initrd data hash. No "initrd=initrd" append (unlike -kernel).
Verified against TDX hardware: MRTD, RTMR[1], RTMR[2] all match.
RTMR[0] matches except ACPI tables (dstack-acpi-tables QEMU version
difference — needs matching QEMU_ACPI_COMPAT_VER).
Usage:
dstack-mr measure metadata.json -c 2 -m 4G \
--uki dstack-k8s.efi \
--bootloader BOOTX64.EFI \
--disk dstack-k8s.raw
UKI mode uses a minimal device config (single disk + net, no vsock/9p) matching the actual QEMU command for UEFI disk boot. The previous code reused the -kernel mode device list which includes vsock and 9p, causing different ACPI tables and wrong RTMR[0]. All four measurements now match TDX hardware: MRTD: ✓ (OVMF firmware) RTMR0: ✓ (14 events including ACPI tables) RTMR1: ✓ (8 events: EFI apps + boot transitions) RTMR2: ✓ (2 events: cmdline + initrd)
- Add second virtio-blk disk to ACPI table generation (data disk) - BootOrder now has 3 entries [0,1,2] matching OVMF's BDS with 2 disks - Add Boot0002 'UEFI Misc Device 2' at PCI(0x2,0x0) All RTMRs now match TDX hardware measurements exactly: MRTD ✓ RTMR[0] ✓ RTMR[1] ✓ RTMR[2] ✓
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Add
--ukiflag todstack-mrfor UEFI disk boot measurement, enabling pre-computation of TDX measurements for the boot path: OVMF → systemd-boot → UKI → vmlinuz.This is needed by dstack-k8s which boots from a GPT disk with systemd-boot + Unified Kernel Image, instead of QEMU's
-kerneldirect boot.Changes
Machinestruct: Adduki,bootloader,diskoptional fields. Whenukiis set, UEFI disk boot measurement path is used.uefi_boot.rs(new): RTMR[1] and RTMR[2] computation for UEFI disk boottdvf.rs: Addrtmr0_log_uefi_disk()with correct BootOrder (2 entries) and Boot0001 (disk device)acpi.rs: UKI-specific ACPI table generation (single disk + net, no vsock/9p)kernel.rs: Makeauthenticode_sha384_hashpub(crate) for reuse--uki,--bootloader,--diskflags; skipinitrd=initrdappend in UKI modeMeasurement model (verified against TDX hardware)
tdvf.rsuefi_boot.rsuefi_boot.rsKey differences from
-kernelmode:initrd=initrdappendSHA384(variable_data_bytes), notSHA384(UEFI_VARIABLE_DATA struct)Usage
Test plan
-kernelmode unchanged (no--ukiflag = original behavior)