feat: confidential compute by cloud-j-luna · Pull Request #396 · akash-network/provider
Confidential compute is currently surfaced in Akash via placement attributes that select nodes with SEV-SNP and Kata runtime support. What's missing is a per-service knob to control whether the provider injects an attestation sidecar into the resulting confidential VM. The default needs to be sensible if a tenant placed a workload on confidential-compute hardware via placement attributes, they almost certainly want attestation while leaving an opt-out for tenants bringing their own attestation tooling.
Implementation
Adds per-pod attestation sidecar support for confidential compute workloads using AMD SEV-SNP and Intel TDX, with NVIDIA GPU confidential compute (VFIO passthrough). Tenants request CC via the existing confidential-compute: true placement attribute, no SDL version bump required. The provider automatically selects the appropriate Kata runtime class (kata-qemu-snp, kata-qemu-nvidia-gpu-snp, kata-qemu-tdx, kata-qemu-nvidia-gpu-tdx), applies CC-specific node selectors, switches GPU resources to nvidia.com/pgpu for VFIO, and injects an attestation sidecar into the pod via a fail-closed mutating admission webhook. The sidecar serves an HTTP endpoint inside the Kata VM that collects raw hardware-signed attestation reports (configfs-tsm or /dev/sev-guest) and returns them as is, the provider never produces, inspects or signs attestation evidence. Tenants verify reports independently against trusted parties.
New provider REST endpoints (GET /attestation/directory and POST /lease/.../attestation/quote) and a lease-attestation CLI command enable the full attestation flow. Tenants can opt out of sidecar injection via params.attestation.enabled: false in the SDL.
Local development is supported with CONFIDENTIAL_COMPUTE=true a single variable that configures Kind with mock runtime handlers, node labels, and a mock TEE provider that produces synthetic reports with correct nonce echo for end-to-end testing without hardware.
feat: confidential compute by cloud-j-luna · Pull Request #396 · akash-network/provider
Confidential compute is currently surfaced in Akash via placement attributes that select nodes with SEV-SNP and Kata runtime support. What's missing is a per-service knob to control whether the provider injects an attestation sidecar into the resulting confidential VM. The default needs to be sensible if a tenant placed a workload on confidential-compute hardware via placement attributes, they almost certainly want attestation while leaving an opt-out for tenants bringing their own attestation tooling.
Implementation
Adds per-pod attestation sidecar support for confidential compute workloads using AMD SEV-SNP and Intel TDX, with NVIDIA GPU confidential compute (VFIO passthrough). Tenants request CC via the existing
confidential-compute: trueplacement attribute, no SDL version bump required. The provider automatically selects the appropriate Kata runtime class (kata-qemu-snp,kata-qemu-nvidia-gpu-snp,kata-qemu-tdx,kata-qemu-nvidia-gpu-tdx), applies CC-specific node selectors, switches GPU resources tonvidia.com/pgpufor VFIO, and injects an attestation sidecar into the pod via a fail-closed mutating admission webhook. The sidecar serves an HTTP endpoint inside the Kata VM that collects raw hardware-signed attestation reports (configfs-tsmor/dev/sev-guest) and returns them as is, the provider never produces, inspects or signs attestation evidence. Tenants verify reports independently against trusted parties.New provider REST endpoints (GET
/attestation/directoryand POST/lease/.../attestation/quote) and a lease-attestation CLI command enable the full attestation flow. Tenants can opt out of sidecar injection viaparams.attestation.enabled: falsein the SDL.Local development is supported with
CONFIDENTIAL_COMPUTE=truea single variable that configures Kind with mock runtime handlers, node labels, and a mock TEE provider that produces synthetic reports with correct nonce echo for end-to-end testing without hardware.