feat: stage AMD SEV-SNP attestation support

[clawdbot-glitch003]

Summary

• Adds staged AMD SEV-SNP attestation support and KMS dry-run authorization plumbing while preserving existing TDX/Nitro/GCP behavior.
• Verifies SNP reports/cert chains, recomputes SNP launch measurement from trusted launch inputs, and builds SNP-aware KMS BootInfo from verified evidence.
• Keeps SNP key/cert release fail-closed: app keys, KMS keys, signing certs, and temp CA material are explicitly blocked for SNP until production release policy is finalized.
• Replaces the staged SNP TCB placeholder with verifier-derived TCB status from the signed AMD report and propagates advisory IDs through auth policy.

Security posture

• SNP authorization is dry-run/staged only.
• tcbStatus defaults remain strict (UpToDate only); advisory IDs are denied unless explicitly allowlisted.
• Non-SNP paths continue through the existing boot-info and auth flow.

Validation

• cargo fmt --all
• cargo test -p dstack-kms --all-features
• cargo test -p dstack-attest --all-features
• cargo check --workspace --all-features
• git diff --check
• cd kms/auth-simple && npx oxlint . && npx vitest run
• Independent security-focused review of the SNP TCB/advisory diff: no blockers.

Notes

• AMD report/VCEK evidence does not carry a direct advisory-list field, so verifier-emitted advisory_ids is currently explicit and empty; the field is propagated fail-closed for future revocation/advisory collateral integration.
• One ignored live golden-vector test remains available for SNP-capable hosts: cargo test -p dstack-kms --all-features recomputation_matches_sev_snp_measure_live_golden_vector -- --ignored --nocapture.

Review-readiness note

• See docs/amd-sev-snp-review-readiness.md for the fail-closed review boundary, live sev-snp-measure golden-vector proof, guest attestation proof summary, and validation checklist.

[clawdbot-glitch003]

SEV-SNP TCB/advisory policy slice is pushed.

What changed:

• VerifiedAmdSnpReport now carries verifier-derived AMD SNP TCB info from the signed report (current_tcb, reported_tcb, committed_tcb, launch_tcb).
• KMS SNP BootInfo.tcb_status now comes from that verified report data instead of the old snp-verified-basic-policy placeholder.
  • maps to UpToDate only when current/reported/committed/launch TCB all match;
  • maps to OutOfDate otherwise, which stays denied by default.
• VerifiedAmdSnpReport.advisory_ids is now explicit and propagated into KMS BootInfo; it is currently empty because the AMD report/VCEK evidence does not carry a direct advisory-list field.
• The direct fake/default UpToDate SNP boot-info helper is now test-only; production goes through verified attestation.
• auth-simple docs/tests now describe verifier-derived statuses instead of the placeholder and keep defaults strict: allowedTcbStatuses = ["UpToDate"], allowedAdvisoryIds = [].

Still fail-closed:

• SNP key/cert release remains blocked for app keys, KMS keys, signing certs, and temp CA material.
• Any non-UpToDate status or any advisory ID remains denied unless explicitly allowlisted.

Validation:

• cargo fmt --all
• cargo test -p dstack-kms --all-features
• cargo test -p dstack-attest --all-features
• cargo check --workspace --all-features
• git diff --check
• cd kms/auth-simple && npx oxlint . && npx vitest run
• independent review: no blockers

[clawdbot-glitch003]

Continued with the next quality-gate slice and pushed a small clippy cleanup commit.

Commit:

• a0ff6efa chore: satisfy sev-snp workspace clippy

What changed:

• removed a needless return in dstack attestation-mode detection without changing TDX/SNP selection semantics;
• simplified KMS onboarding response error propagation (Ok(...?) -> direct Result return), preserving behavior;
• derived Default for TeePlatform with Auto as the default variant, preserving the conservative default.

Validation now passing:

• cargo fmt --all
• cargo test -p dstack-kms --all-features
• cargo test -p dstack-attest --all-features
• cargo test -p dstack-vmm --all-features
• cargo check --workspace --all-features
• cargo clippy --workspace --all-features -- -D warnings --allow unused_variables
• git diff --check
• prior auth-simple validation remains: cd kms/auth-simple && npx oxlint . && npx vitest run

Independent review of the cleanup diff found no behavior/security regressions.

[clawdbot-glitch003]

Milestone 1 is done: PR #703 is now review-ready staging for AMD SEV-SNP, still without production key release.

New commit:

• 93354eb6 docs: add sev-snp review readiness note

What changed:

• Added docs/amd-sev-snp-review-readiness.md documenting:
  • exact review boundary;
  • fail-closed SNP key/cert release posture;
  • strict TCB/advisory defaults;
  • live sev-snp-measure golden-vector proof;
  • prior SNP guest attestation proof summary;
  • local validation commands.
• Refreshed live golden-vector proof on dedicated-m24-fork at 2026-06-02T19:49:14Z:
  • ignored live test passed: cargo test -p dstack-kms --all-features recomputation_matches_sev_snp_measure_live_golden_vector -- --ignored --nocapture
  • measurement remains 6497fb9f90dc4a322228a8a5eb14742e09067bc44c184c2068d583ef628b5bae8c6cf15d91fe1bc0b7a8cbcc575be370

Validation passed after doc/proof refresh:

• cargo fmt --all
• cargo test -p dstack-kms --all-features
• cargo test -p dstack-attest --all-features
• cargo test -p dstack-vmm --all-features
• cargo check --workspace --all-features
• cargo clippy --workspace --all-features -- -D warnings --allow unused_variables
• git diff --check
• cd kms/auth-simple && npx oxlint . && npx vitest run
• independent review of the review-ready doc/code posture: no blockers

I am marking the PR ready for review now. Milestone 2 remains separate: production SNP key release policy + revocation/advisory collateral + guarded release enablement.

[clawdbot-glitch003]

Milestone 2 is now implemented and pushed.

Commit: 6cb351f9 feat: enable guarded sev-snp key release

What changed:

• Added local KMS [core.sev_snp_key_release] gate for AMD SEV-SNP key/cert material.
• Default remains fail-closed: enabled = false, allowed_tcb_statuses = ["UpToDate"], allowed_advisory_ids = [].
• Release requires both:
  1. verified SNP attestation + recomputed launch measurement + external auth API allow, and
  2. explicit local KMS release opt-in with acceptable TCB/advisory state.
• Guarded all sensitive SNP release surfaces:
  • GetAppKey
  • GetKmsKey
  • SignCert
  • self-authorized GetTempCaCert
• Added startup safety: KMS rejects sev_snp_key_release.enabled = true unless enforce_self_authorization = true, so temp-CA self-release cannot bypass SNP release checks in production config.
• Updated kms/kms.toml and docs/amd-sev-snp-review-readiness.md with the opt-in release policy.

Validation passed:

cargo fmt --all
cargo test -p dstack-kms --all-features
cargo test -p dstack-attest --all-features
cargo test -p dstack-vmm --all-features
cargo check --workspace --all-features
cargo clippy --workspace --all-features -- -D warnings --allow unused_variables
git diff --check
cd kms/auth-simple && npx oxlint . && npx vitest run

Independent security review: no release-gate blockers found after the self-authorization startup-safety fix.