3 changes: 0 additions & 3 deletions .github/workflows/rust.yml
@@ -30,6 +30,3 @@ jobs:

- name: Cargo fmt check
run: cargo fmt --check --all

- name: Run tests
run: ./run-tests.sh
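Review bot: With the `Run tests` step deleted here, rust.yml no longer invokes `./run-tests.sh` and ends at `cargo fmt --check --all`; make sure the new tests.yml workflow is marked as a required status check (or otherwise replaces this one in branch protection) so pull requests remain gated on the test suite and not only on formatting. If rust.yml was the required check, the rename of the test job changes which check name branch protection looks for.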
73 changes: 73 additions & 0 deletions .github/workflows/tests.yml
@@ -0,0 +1,73 @@
# SPDX-FileCopyrightText: © 2025 Phala Network <dstack@phala.network>
#
# SPDX-License-Identifier: Apache-2.0

name: Tests

on:
push:
branches: [ master, next, dev-* ]
pull_request:
branches: [ master, next, dev-* ]

env:
CARGO_TERM_COLOR: always

jobs:
rust-tests:
name: Rust tests
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4

- name: Install Rust
uses: dtolnay/rust-toolchain@master
with:
toolchain: 1.92.0

- name: Run tests
run: ./run-tests.sh

auth-eth-tests:
Comment on lines +18 to +31

Check warning: Code scanning / CodeQL: Workflow does not contain permissions (Medium, test)

Actions job or workflow does not limit the permissions of the GITHUB_TOKEN. Consider setting an explicit permissions block, using the following as a minimal starting point: {contents: read}

Copilot Autofix (AI, 1 day ago)

Generally, to fix this issue you add an explicit permissions block either at the top level of the workflow (applies to all jobs) or per job, granting only the scopes needed. In this workflow, the jobs only need to read repository contents for actions/checkout; they don’t appear to require any write permissions or access to other privileged scopes.

The best fix without changing functionality is to add a root-level permissions block specifying contents: read. This ensures GITHUB_TOKEN is restricted to read-only repository contents for all jobs in this workflow. No job-specific overrides or additional scopes are required based on the shown steps. Concretely, in .github/workflows/tests.yml, insert:

permissions:
  contents: read

between the name: Tests line and the on: section. No imports or additional definitions are needed, as this is purely a YAML configuration change.

Suggested changeset 1: .github/workflows/tests.yml

Autofix patch. Run the following command in your local git repository to apply this patch:
cat << 'EOF' | git apply
diff --git a/.github/workflows/tests.yml b/.github/workflows/tests.yml
--- a/.github/workflows/tests.yml
+++ b/.github/workflows/tests.yml
@@ -4,6 +4,9 @@
 
 name: Tests
 
+permissions:
+  contents: read
+
 on:
   push:
     branches: [ master, next, dev-* ]
EOF
name: auth-eth tests
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4

- name: Setup Node.js
uses: actions/setup-node@v4
with:
node-version: '18'
cache: 'npm'
cache-dependency-path: kms/auth-eth/package-lock.json

- name: Install dependencies
run: |
cd kms/auth-eth
npm ci

- name: Run tests
run: |
cd kms/auth-eth
npm test

kms-e2e-tests:
Comment on lines +32 to +54

Check warning: Code scanning / CodeQL: Workflow does not contain permissions (Medium, test)

Actions job or workflow does not limit the permissions of the GITHUB_TOKEN. Consider setting an explicit permissions block, using the following as a minimal starting point: {contents: read}

Copilot Autofix (AI, 1 day ago)

In general, the fix is to add an explicit permissions block that restricts the GITHUB_TOKEN to the least privileges needed. For these test jobs (rust-tests, auth-eth-tests, kms-e2e-tests), they only need to read the repository contents to run tests, so contents: read at the workflow (root) level is sufficient and will apply to all jobs.

The best fix without changing functionality is to add a single permissions block at the root of .github/workflows/tests.yml, alongside name: and on:, configuring contents: read. This documents the required access and ensures the workflow will not gain broader permissions even if repository defaults change. No other changes to steps, jobs, or actions are required.

Concretely:

  • Edit .github/workflows/tests.yml.
  • After the name: Tests line (line 5), insert:
    permissions:
      contents: read
  • Leave all jobs (rust-tests, auth-eth-tests, kms-e2e-tests) unchanged so functionality stays identical, but with a read-only token.
Suggested changeset 1: .github/workflows/tests.yml

Autofix patch. Run the following command in your local git repository to apply this patch:
cat << 'EOF' | git apply
diff --git a/.github/workflows/tests.yml b/.github/workflows/tests.yml
--- a/.github/workflows/tests.yml
+++ b/.github/workflows/tests.yml
@@ -3,6 +3,8 @@
 # SPDX-License-Identifier: Apache-2.0
 
 name: Tests
+permissions:
+  contents: read
 
 on:
   push:
EOF
name: KMS E2E tests
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4

- name: Install Rust
uses: dtolnay/rust-toolchain@master
with:
toolchain: 1.92.0

- name: Setup Node.js
uses: actions/setup-node@v4
with:
node-version: '18'
cache: 'npm'
cache-dependency-path: kms/auth-eth/package-lock.json

- name: Run KMS E2E tests
run: bash kms/e2e/run-e2e.sh
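Review bot: The new workflow declares no `permissions:` block, so all three jobs run with whatever default GITHUB_TOKEN scopes the repository grants, even though every step only checks out code and runs tests; add `permissions:` / `  contents: read` at the root (right after `name: Tests`) so the token is read-only for the whole file, which also resolves the CodeQL alert. Two further points in the same hunk: both `Install Rust` steps use `dtolnay/rust-toolchain@master`, a moving branch rather than a release tag or full commit SHA, so the code that installs the CI toolchain can change without any change to this repository; pin it the same way `actions/checkout@v4` and `actions/setup-node@v4` are pinned (a full SHA is stronger still). And `node-version: '18'` in the auth-eth and KMS E2E jobs selects a Node.js line that reached end of life in April 2025 and no longer receives security fixes; a supported LTS line (20 or 22) is the safer choice for a test harness around key-management code.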
Comment on lines +55 to +73

Check warning: Code scanning / CodeQL: Workflow does not contain permissions (Medium, test)

Actions job or workflow does not limit the permissions of the GITHUB_TOKEN. Consider setting an explicit permissions block, using the following as a minimal starting point: {contents: read}

Copilot Autofix (AI, 1 day ago)

To fix the problem, add an explicit permissions block that limits the GITHUB_TOKEN to the least privilege needed. Since the jobs only check out code and run tests, contents: read is sufficient. The cleanest way is to define permissions at the workflow root (top level, alongside name, on, and env), so it applies to all jobs that don’t override it. This preserves existing functionality while constraining the token.

Concretely, in .github/workflows/tests.yml, insert a permissions: section after the on: block (or before env:) with contents: read. No other changes, imports, or additional definitions are required. Individual jobs do not need their own permissions blocks unless they require different scopes.

Suggested changeset 1: .github/workflows/tests.yml

Autofix patch. Run the following command in your local git repository to apply this patch:
cat << 'EOF' | git apply
diff --git a/.github/workflows/tests.yml b/.github/workflows/tests.yml
--- a/.github/workflows/tests.yml
+++ b/.github/workflows/tests.yml
@@ -10,6 +10,9 @@
   pull_request:
     branches: [ master, next, dev-* ]
 
+permissions:
+  contents: read
+
 env:
   CARGO_TERM_COLOR: always
 
EOF
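Review bot: Apply only one of the three suggested autofix patches; each inserts the same root-level `permissions:` / `  contents: read` pair at a different offset (after `name: Tests`, directly under it, or after the `on:` block), and applying a second one would leave the workflow with a duplicate top-level `permissions` key, which the Actions YAML parser rejects. Any of the three positions is equivalent, since key order at the root of a workflow file does not matter.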
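As an added example, not part of this pull request or of the Copilot suggestions above, the following dependency-free Python script performs on raw workflow text the check the CodeQL alert describes: it reports every job that runs without a `permissions:` block at either the root or the job level, and additionally flags `uses:` references that track a moving branch such as `@master`, the other weakness visible in the tests.yml diff. The embedded sample workflows are constructed from the shape of that file; the function names `audit_workflow` and `findings` are the example's own, not part of CodeQL or GitHub.

```python
"""Added example: a dependency-free check for the two findings discussed above
(no ``permissions:`` block, mutable action references).

It scans the raw workflow text line by line and uses indentation to tell
root keys (column 0), job names (indent 2 under ``jobs:``) and job-level
keys (indent 4) apart, so no YAML library is needed. The sample workflows
below are constructed from the tests.yml shown in the diff.
"""
import re
import textwrap

ROOT_KEY = re.compile(r"^([A-Za-z_][\w-]*):")      # top-level mapping key
JOB_KEY = re.compile(r"^  ([\w-]+):\s*$")          # job name under jobs:
USES_LINE = re.compile(r"^\s*-?\s*uses:\s*([^\s#]+)")
MUTABLE_REF_SUFFIXES = ("@master", "@main")        # branch refs, not tags/SHAs


def audit_workflow(text):
    """Return which jobs lack a permissions block and which actions float."""
    root_permissions = False
    in_jobs = False
    current_job = None
    jobs = {}             # job name -> has a job-level permissions block
    mutable_refs = []     # (line number, action reference)
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.rstrip()
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        indent = len(line) - len(line.lstrip(" "))
        if indent == 0:
            m = ROOT_KEY.match(line)
            key = m.group(1) if m else None
            if key == "permissions":
                root_permissions = True
            in_jobs = key == "jobs"
            current_job = None
        elif in_jobs and indent == 2:
            m = JOB_KEY.match(line)
            if m:
                current_job = m.group(1)
                jobs[current_job] = False
        elif current_job and indent == 4 and stripped.startswith("permissions:"):
            jobs[current_job] = True
        m = USES_LINE.match(line)
        if m and m.group(1).endswith(MUTABLE_REF_SUFFIXES):
            mutable_refs.append((lineno, m.group(1)))
    # A root-level block covers every job that does not override it.
    unrestricted = [] if root_permissions else [j for j, ok in jobs.items() if not ok]
    return {
        "root_permissions": root_permissions,
        "jobs_without_permissions": unrestricted,
        "mutable_action_refs": mutable_refs,
    }


def findings(text):
    """Human-readable list of problems; empty when the workflow is clean."""
    report = audit_workflow(text)
    out = [f"job '{job}': no permissions block at root or job level; "
           "GITHUB_TOKEN keeps the repository default scopes"
           for job in report["jobs_without_permissions"]]
    out += [f"line {lineno}: '{ref}' tracks a moving branch; pin to a release tag or commit SHA"
            for lineno, ref in report["mutable_action_refs"]]
    return out


# Constructed sample: the shape of the tests.yml in the diff, before the fix.
UNRESTRICTED = textwrap.dedent("""\
    name: Tests

    on:
      push:
        branches: [ master, next, dev-* ]

    jobs:
      rust-tests:
        runs-on: ubuntu-latest
        steps:
          - uses: actions/checkout@v4
          - name: Install Rust
            uses: dtolnay/rust-toolchain@master
            with:
              toolchain: 1.92.0
          - run: ./run-tests.sh
      auth-eth-tests:
        runs-on: ubuntu-latest
        steps:
          - uses: actions/checkout@v4
    """)

# The same workflow with the root-level block the autofix suggests.
FIXED = UNRESTRICTED.replace("name: Tests\n", "name: Tests\n\npermissions:\n  contents: read\n", 1)

# Variant where only one job restricts its own token.
JOB_SCOPED = UNRESTRICTED.replace("  rust-tests:\n", "  rust-tests:\n    permissions:\n      contents: read\n", 1)

if __name__ == "__main__":
    for label, text in (("before", UNRESTRICTED), ("after", FIXED)):
        print(f"== {label} ==")
        for line in findings(text) or ["clean"]:
            print(" ", line)
```

Run as-is to see the before/after reports; to lint a real checkout, feed each file under `.github/workflows/` to `findings`. The indentation-based parse deliberately ignores `permissions:` keys nested deeper than the job level (inside steps they have no meaning), and a root-level block suppresses the per-job finding because GitHub applies it to every job that does not override it.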
102 changes: 62 additions & 40 deletions Cargo.lock

Some generated files are not rendered by default.

3 changes: 2 additions & 1 deletion Cargo.toml
@@ -53,6 +53,7 @@ members = [
"no_std_check",
"size-parser",
"port-forward",
"kms/e2e",
]
resolver = "2"

@@ -177,7 +178,7 @@ url = "2.5"
# Cryptography/Security
aes-gcm = "0.10.3"
curve25519-dalek = "4.1.3"
dcap-qvl = "0.3.10"
dcap-qvl = { git = "https://github.com/Phala-Network/dcap-qvl", branch = "policy" }
elliptic-curve = { version = "0.13.8", features = ["pkcs8"] }
getrandom = "0.3.1"
hkdf = "0.12.4"
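Review bot: `dcap-qvl` moves from the crates.io release `dcap-qvl = "0.3.10"` to `{ git = "https://github.com/Phala-Network/dcap-qvl", branch = "policy" }`, a mutable reference to a branch; for the library that verifies TDX/SGX quotes, add `rev = "<commit sha>"` (or a `tag`) so the exact code being trusted is pinned in the manifest and a later `cargo update` cannot silently advance it. Cargo.lock does record the resolved commit, but the lock file is regenerated on update and is not an explicit, reviewable pin the way the manifest entry is.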