KMS Release v0.5.11

Highlights

This release fixes a verification regression that prevented KMS from validating CVMs running dstack OS 0.5.10 under the new OVMF (edk2-stable202505).

What broke

OVMF was upgraded from an untagged 2024-09 snapshot to edk2-stable202505 in meta-dstack@f9f11f3. The new firmware emits 17 RTMR[0] events instead of the legacy 13 under the standard -kernel boot path, so quote replay against the cached "expected" measurements failed with errors like:

MRs do not match: RTMR0 mismatch:
  expected=f8438db3…a6640
  actual  =a6d1a5ef…fbed

What changed

• dstack-types exposes a typed OvmfVariant enum (pre202505 / stable202505); VmConfig.ovmf_variant and ImageInfo.ovmf_variant carry it through the image bundle and into measurements.
• dstack-mr dispatches on the variant for RTMR[0]. The Stable202505 arm models the 4 new events plus reshaped BootOrder / Boot0000, with Boot0000 / Boot0001 / BootOrder digests derived from first principles (OVMF FV+file GUIDs, descriptions, attributes — synthesised on the fly, not hardcoded) and the bootorder fw_cfg digest derived from QEMU's linuxboot_dma.bin ROM path.
• dstack-verifier prefers vm_config.ovmf_variant; falls back to parsing the OS version suffix out of vm_config.image for legacy CVMs that pre-date the field (so already-deployed 0.5.9 / 0.5.10 instances validate without any image rebuild).
• MEASUREMENT_CACHE_VERSION bumped to v2 — stale on-disk cache entries written by the broken verifier are auto-invalidated on first request.
• dstack-mr CLI: --dstack-os-version for explicit override; also auto-detects from metadata.json's ovmf_variant (preferred) or version field (fallback).

Backward compatibility

• VmConfig adds Option<OvmfVariant> with #[serde(default, skip_serializing_if = "Option::is_none")] — old wire formats decode cleanly; old KMS instances ignore the new field.
• Verifier and CLI both fall back to image-name parsing when the field is absent — 0.5.9 / 0.5.10 CVMs already deployed continue to verify against this KMS without needing a new image build.

Verification

Re-verified end-to-end against a running 0.5.10 CVM: MRTD + RTMR[0..3] all match the on-chain quote byte-for-byte.

PR: #678

---

Docker Image Information

Image: docker.io/dstacktee/dstack-kms:0.5.11

Digest (SHA256): sha256:84b793feed825a5b5e70d04386e931e0e110461492793f17ab2128e39808d989

Verification: Verify on Sigstore

Contract ABIs

This release includes the compiled contract ABIs:

• DstackKms.json - Main KMS contract ABI
• DstackApp.json - Application contract ABI

v0.5.10

Changes since v0.5.9

• KMS: add Prometheus metrics endpoint and enable metrics by default (#657)
• VMM: disallow ISO rootfs for modern images (#663)
• SDK: drop hickory-dns from reqwest features (#659)
• CI: use fork clone_url for Docker build checks on fork PRs (#654)
• CI: pin rust-toolchain action refs (#661)
• Dependencies: bump tar, axios, fast-xml-parser, and @aws-sdk/xml-builder (#592, #660, #662)
• Bump workspace version and lockfile to 0.5.10

Full changelog

v0.5.9...v0.5.10

v0.5.9

Highlights

• Attestation v1 rewired: msgpack wire format replaces CBOR, report_data is now payload-driven, and SCALE size hints are fixed. Bridges to v2 canonical JSON are in place (#629, #637, #638, #639).
• gateway PROXY protocol: opt-in per-instance via app-compose.port_attrs, with server-side control, port-policy, lazy/retry/prewarm fetch, and admin RPC override (#361).
• VMM multi-instance discovery: cross-user / XDG_RUNTIME_DIR aware local discovery, vmm-cli subcommands, orphan-workdir preservation on restart (#584, #593, #594).
• KMS self-authorization togglable: enforcement is now configurable; the dev-mode default still warns at startup (#651, #498, #573, #579).

Features

• vmm: preserve serial logs across VM restarts (#548)
• kms: optional TCB UpToDate requirement for apps (#498)
• gateway: implement PROXY protocol with per-instance port_attrs control (#361)
• vmm: local VMM instance discovery + vmm-cli subcommands (#584, #593)
• vmm: OCI registry image discovery and pull (#589)
• kms: make self-authorization enforcement configurable (#651)
• sdk/go: refresh Go SDK; add RA-TLS certificate verification package (#308, #512)

Security

• Require attestation for all KMS flows (#579) and enforce authorization during bootstrap/onboard (#573)
• Fix path traversal in KMS remove_cache (#601)
• Redact cf_api_token in gateway ListDnsCredentials response (#578)
• Restrict runtime event log permissions (#602)
• Enforce 20-byte app_id length in CVM setup (#604)
• Cap VecOf pre-allocation to prevent OOM on malformed input (#570)
• Limit RA-TLS cert extension decompression size (#595)

Fixes

• gateway: enable cluster sync without requiring BOOTNODE_URL (#574)
• gateway: hide app URL until instance id is ready (#628)
• vmm: preserve orphan VM workdir on restart (#594)
• ra-tls: unify cert format and fix onboard os_image_hash (#585)
• ra-tls: stabilize derive_dh_secret encoding (#603)
• tdx-attest: fix infinite loop in ConfigFS generation wait (#596)
• NTS time sync: 5s retry interval for faster NTS-KE handshake (#590)

Attestation rework

• Redesign AttestationV1 with msgpack wire format and report_data payload (#629)
• Replace CBOR with msgpack in the wire format (#637)
• Avoid double serialization in VersionedAttestation SCALE size_hint (#638)
• Extract AttestationV1::with_report_data to deduplicate patching (#639)

Refactoring

• guest-agent: isolate simulator from production paths (#582)
• KMS: deduplicate auth helpers (#581)
• ra-rpc: populate Unix peer creds for UDS endpoints (#627)
• mod-tdx-guest: validate RTMR index and remove dead code (#569)

Build / CI / Docs

• Consolidate reproducible-builder scripts (#583)
• Add prek pre-commit hooks + CI (#587)
• VMM: build console UI from build.rs (#591)
• Gateway: cluster deployment guide (#577)
• SDK/go: SPDX license headers (#575)

Defaults

• vmm.cvm.networking.forward_service_enabled now defaults to false (#588)

Dependencies

Notable: rustls-webpki 0.103.9→0.103.10 (#598). Plus security bumps for axios, fastify, hono, follow-redirects, lodash, brace-expansion, handlebars, yaml, picomatch, fast-xml-parser, protobufjs, cryptography.

Reproducible build

Guest images are reproducible. Grab reproduce.sh from the companion meta-dstack v0.5.9 release and run it in a clean Docker-enabled environment — the produced dstack-*.tar.gz SHA-256s should match the release assets.

Component Docker images

• dstacktee/dstack-kms:0.5.9
• dstacktee/dstack-gateway:0.5.9
• dstacktee/dstack-verifier:0.5.9

Full Changelog: v0.5.8...v0.5.9

Verifier Release v0.5.9

Docker Image Information

Image: docker.io/dstacktee/dstack-verifier:0.5.9

Digest (SHA256): sha256:cfc06d5bdaa71a8a942c8bfa04d2d17dc30f13d92f26386c5d45d454606e8b70

Verification: Verify on Sigstore

KMS Release v0.5.9

Docker Image Information

Image: docker.io/dstacktee/dstack-kms:0.5.9

Digest (SHA256): sha256:e959bc5b4c7664d26543801073cc445d806fcea49a240881f707d1998e2d871c

Verification: Verify on Sigstore

Contract ABIs

This release includes the compiled contract ABIs:

• DstackKms.json - Main KMS contract ABI
• DstackApp.json - Application contract ABI

Gateway Release v0.5.9

Docker Image Information

Image: docker.io/dstacktee/dstack-gateway:0.5.9

Digest (SHA256): sha256:822d5f75a068f25c86dae29104916d74befd9652d5dc0dc0b282a49e177c2898

Verification: Verify on Sigstore

Gateway Release v0.5.8

Docker Image Information

Image: docker.io/dstacktee/dstack-gateway:0.5.8

Digest (SHA256): sha256:6eb1dc1a5000f37cc5b0322d3fdb71e7f2e31859b5e3a611634919278cee2411

Verification: Verify on Sigstore

v0.5.8

Changes since v0.5.7

Features

• Support wildcard custom domains in gateway TXT resolution (#545)

Fixes

• Include SNI in gateway TLS passthrough error messages (#547)
• Allow wildcard fallback in non-compat mode (#545)
• Patch report_data in simulator RA-TLS certificates to bind to actual TLS key (#541)
• Set user-agent for KMS auth API requests and improve error logging (#525)
• Pin apt package versions in key-provider Dockerfile (#533)

Refactoring

• Extract TDX quote report_data offset as a named constant (#542)
• Extract generic http_get/http_post helpers in KMS (#525)
• Switch key-provider to upstream repo and update deps (#533)

Documentation

• Add self-host tutorial series (#540)
• Add encrypted environment variables technical spec (#506)
• Add security considerations for encrypted env authenticity (#506)
• Clarify normalized app_id input and runtime file path contract (#506)

Dependencies

• Update Rust dependencies for security fixes
• Bump quinn-proto, hono, fastify, minimatch, immutable, serialize-javascript, hardhat, fast-xml-parser

Verifier Release v0.5.8

Docker Image Information

Image: docker.io/dstacktee/dstack-verifier:0.5.8

Digest (SHA256): sha256:038e6b828528fbfecccfc8f95381a83fa8be8c18ec5fee9aaee7df03c4990ac9

Verification: Verify on Sigstore

KMS Release v0.5.8

Docker Image Information

Image: docker.io/dstacktee/dstack-kms:0.5.8

Digest (SHA256): sha256:9650dcb47dad0065470f432f00e78e012912214ef1a5b1d7272918817e61a26d

Verification: Verify on Sigstore

Contract ABIs

This release includes the compiled contract ABIs:

• DstackKms.json - Main KMS contract ABI
• DstackApp.json - Application contract ABI