Dstack-TEE · kvinwang · Jun 4, 2026 · Dec 22, 2025 · Dec 22, 2025 · Dec 22, 2025
diff --git a/.gitignore b/.gitignore
@@ -3,3 +3,5 @@
 *.qcow2
 __pycache__/
 /.target
+/.vscode
+/.claude
diff --git a/.gitmodules b/.gitmodules
@@ -1,6 +1,15 @@
-[submodule "poky"]
-	path = poky
-	url = https://github.com/yoctoproject/poky.git
+[submodule "bitbake"]
+	path = bitbake
+	url = https://git.openembedded.org/bitbake
+	branch = 2.18
+[submodule "openembedded-core"]
+	path = openembedded-core
+	url = https://git.openembedded.org/openembedded-core
+	branch = wrynose
+[submodule "meta-yocto"]
+	path = meta-yocto
+	url = https://git.yoctoproject.org/meta-yocto
+	branch = wrynose
 [submodule "meta-confidential-compute"]
 	path = meta-confidential-compute
 	url = https://github.com/Dstack-TEE/meta-confidential-compute.git
@@ -12,7 +21,7 @@
 	url = https://github.com/openembedded/meta-openembedded
 [submodule "meta-rust-bin"]
 	path = meta-rust-bin
-	url = https://github.com/rust-embedded/meta-rust-bin
+	url = https://github.com/Dstack-TEE/meta-rust-bin
 [submodule "dstack"]
 	path = dstack
 	url = https://github.com/Dstack-TEE/dstack

diff --git a/LICENSE b/LICENSE
@@ -1,21 +1,94 @@
-MIT License
-
-Copyright (c) 2024 Phala Network
-
-Permission is hereby granted, free of charge, to any person obtaining a copy
-of this software and associated documentation files (the "Software"), to deal
-in the Software without restriction, including without limitation the rights
-to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
-copies of the Software, and to permit persons to whom the Software is
-furnished to do so, subject to the following conditions:
-
-The above copyright notice and this permission notice shall be included in all
-copies or substantial portions of the Software.
-
-THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
-IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
-FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
-AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
-LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
-OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
-SOFTWARE.
+Business Source License 1.1
+
+Parameters
+
+Licensor:               Hashforest Technology LLC
+
+Licensed Work:          dstack-cloud
+                        The Licensed Work is (c) Hashforest Technology LLC
+
+Additional Use Grant:   Notwithstanding the foregoing, the Licensor grants
+                        to certain commercial partners a license to use the
+                        Licensed Work for production and commercial purposes
+                        pursuant to separate agreements.
+
+Change Date:            Two years from the date a MINOR version (SemVer) is
+                        published.
+
+Change License:         GNU Affero General Public License Version 3 (AGPL-3.0)
+
+Notice
+
+License text copyright (c) 2023 MariaDB plc, All Rights Reserved.
+“Business Source License” is a trademark of MariaDB plc.
+
+-----------------------------------------------------------------------------
+
+Business Source License 1.1
+
+Terms
+
+The Licensor hereby grants you the right to copy, modify, create derivative
+works, redistribute, and make non-production use of the Licensed Work. The
+Licensor may make an Additional Use Grant, above, permitting limited
+production use.
+
+Effective on the Change Date, or the fourth anniversary of the first publicly
+available distribution of a specific version of the Licensed Work under this
+License, whichever comes first, the Licensor hereby grants you rights under
+the terms of the Change License, and the rights granted in the paragraph
+above terminate.
+
+If your use of the Licensed Work does not comply with the requirements
+currently in effect as described in this License, you must purchase a
+commercial license from the Licensor, its affiliated entities, or authorized
+resellers, or you must refrain from using the Licensed Work.
+
+All copies of the original and modified Licensed Work, and derivative works
+of the Licensed Work, are subject to this License. This License applies
+separately for each version of the Licensed Work and the Change Date may vary
+for each version of the Licensed Work released by Licensor.
+
+You must conspicuously display this License on each original or modified copy
+of the Licensed Work. If you receive the Licensed Work in original or
+modified form from a third party, the terms and conditions set forth in this
+License apply to your use of that work.
+
+Any use of the Licensed Work in violation of this License will automatically
+terminate your rights under this License for the current and all other
+versions of the Licensed Work.
+
+This License does not grant you any right in any trademark or logo of
+Licensor or its affiliates (provided that you may use a trademark or logo of
+Licensor as expressly required by this License).
+
+TO THE EXTENT PERMITTED BY APPLICABLE LAW, THE LICENSED WORK IS PROVIDED ON
+AN “AS IS” BASIS. LICENSOR HEREBY DISCLAIMS ALL WARRANTIES AND CONDITIONS,
+EXPRESS OR IMPLIED, INCLUDING (WITHOUT LIMITATION) WARRANTIES OF
+MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, NON-INFRINGEMENT, AND
+TITLE.
+
+MariaDB hereby grants you permission to use this License’s text to license
+your works, and to refer to it using the trademark “Business Source License”,
+as long as you comply with the Covenants of Licensor below.
+
+Covenants of Licensor
+
+In consideration of the right to use this License’s text and the “Business
+Source License” name and trademark, Licensor covenants to MariaDB, and to all
+other recipients of the licensed work to be provided by Licensor:
+
+1. To specify as the Change License the GPL Version 2.0 or any later version,
+   or a license that is compatible with GPL Version 2.0 or a later version,
+   where “compatible” means that software provided under the Change License can
+   be included in a program with software provided under GPL Version 2.0 or a
+   later version. Licensor may specify additional Change Licenses without
+   limitation.
+
+2. To either: (a) specify an additional grant of rights to use that does not
+   impose any additional restriction on the right granted in this License, as
+   the Additional Use Grant; or (b) insert the text “None”.
+
+3. To specify a Change Date.
+
+4. Not to modify this License in any other way.
diff --git a/Makefile b/Makefile
@@ -2,31 +2,45 @@ ifeq ($(BBPATH),)
 $(error BBPATH is not set. Run `source dev-setup` first)
 endif
 
-.PHONY: all dist clean-dstack clean-initrd images
+.PHONY: all dist clean-dstack clean-initrd images images-common images-flavors
 
 BB_BUILD_DIR ?= bb-build
 DIST_DIR ?= ${BB_BUILD_DIR}/dist
 export BB_BUILD_DIR
 export DIST_DIR
 
-DIST_NAMES ?= dstack dstack-dev dstack-nvidia dstack-nvidia-dev
-ROOTFS_IMAGE_NAMES = $(addsuffix -rootfs,${DIST_NAMES})
+# Flavor names map to multiconfig names: prod, dev, nvidia, nvidia-dev
+FLAVORS ?= prod dev nvidia nvidia-dev
+
+# Map flavor to dist name for mkimage.sh
+flavor_to_dist = $(if $(filter prod,$1),dstack,$(if $(filter dev,$1),dstack-dev,$(if $(filter nvidia,$1),dstack-nvidia,$(if $(filter nvidia-dev,$1),dstack-nvidia-dev,$1))))
 
 all: dist
 
 -include $(wildcard mk.d/*.mk)
 
 dist: images
-	$(foreach dist_name,${DIST_NAMES},./mkimage.sh --dist-name $(dist_name);)
+	$(foreach flavor,$(FLAVORS),./mkimage.sh --dist-name $(call flavor_to_dist,$(flavor)) --flavor $(flavor);)
+
+# Build common artifacts (shared across all flavors)
+# dstack-guest is built here first to warm sstate/downloads and avoid concurrent
+# fetch/build conflicts when the per-flavor multiconfigs build it in parallel.
+images-common:
+	bitbake virtual/kernel dstack-initramfs dstack-ovmf dstack-guest
+
+# Build flavor-specific artifacts using multiconfig (serial to avoid deadlock warnings)
+images-flavors:
+	$(foreach flavor,$(FLAVORS),bitbake mc:$(flavor):dstack-rootfs mc:$(flavor):dstack-uki;)
 
-images:
-	bitbake virtual/kernel dstack-initramfs dstack-ovmf $(ROOTFS_IMAGE_NAMES)
+images: images-common images-flavors
 
 clean:
-	bitbake -c cleansstate virtual/kernel dstack-initramfs dstack-ovmf $(ROOTFS_IMAGE_NAMES)
+	bitbake -c cleansstate virtual/kernel dstack-initramfs dstack-ovmf
+	$(foreach flavor,$(FLAVORS),bitbake -c cleansstate mc:$(flavor):dstack-rootfs mc:$(flavor):dstack-uki;)
 
 clean-dstack:
-	bitbake -c cleansstate dstack-guest $(ROOTFS_IMAGE_NAMES)
+	bitbake -c cleansstate dstack-guest
+	$(foreach flavor,$(FLAVORS),bitbake -c cleansstate mc:$(flavor):dstack-rootfs;)
 
 clean-initrd:
 	bitbake -c cleansstate dstack-initramfs
diff --git a/README.md b/README.md
@@ -1,10 +1,10 @@
-# Yocto support for DStack Guest
+# Yocto support for dstack guest OS
 
-This project implements Yocto layer and the overall build scripts for DStack Base OS image.
+This project implements Yocto layer and the overall build scripts for dstack Base OS image.
 
 ## Build
 
-See https://github.com/Dstack-TEE/dstack for more details.
+See https://github.com/Phala-Network/dstack-cloud for more details.
 
 ## Reproducible Build The Guest Image
 
@@ -22,4 +22,4 @@ cd meta-dstack/repro-build/
 
 ## License
 
-This project is licensed under the MIT License. See the LICENSE file for more details.
+See the LICENSE file for more details.
diff --git a/bitbake b/bitbake
diff --git a/build.sh b/build.sh
@@ -306,9 +306,9 @@ download_image() {
 
     TAG=v$VERSION
     if [ x"$IS_DEV" = x"1" ]; then
-        BASENAME=dstack-dev-$VERSION
+        BASENAME=dstack-cloud-dev-$VERSION
     else
-        BASENAME=dstack-$VERSION
+        BASENAME=dstack-cloud-$VERSION
     fi
     URL=https://github.com/Dstack-TEE/meta-dstack/releases/download/$TAG/$BASENAME.tar.gz
     if [ -d $IMAGES_DIR/$BASENAME ]; then

diff --git a/dev-setup b/dev-setup
@@ -16,34 +16,39 @@ fi
 THIS_SCRIPT=$(realpath "$THIS_SCRIPT")
 THIS_DIR=$(dirname "$THIS_SCRIPT")
 
-LAYERS="$THIS_DIR/meta-confidential-compute \
+LAYERS="$THIS_DIR/meta-yocto/meta-poky \
+    $THIS_DIR/meta-yocto/meta-yocto-bsp \
+    $THIS_DIR/meta-confidential-compute \
     $THIS_DIR/meta-openembedded/meta-oe \
     $THIS_DIR/meta-openembedded/meta-python \
     $THIS_DIR/meta-openembedded/meta-networking \
     $THIS_DIR/meta-openembedded/meta-filesystems \
     $THIS_DIR/meta-virtualization \
     $THIS_DIR/meta-rust-bin \
     $THIS_DIR/meta-security \
+    $THIS_DIR//meta-security/meta-tpm \
     $THIS_DIR/meta-dstack"
 
 if [ -z "$1" ]; then
     BUILD_DIR=$THIS_DIR/bb-build
 else
     BUILD_DIR=$(realpath "$1")
 fi
-if [ ! -f "$BUILD_DIR/conf/local.conf" ]; then
-    mkdir -p "$BUILD_DIR/conf"
-    cp -f "$THIS_DIR/bb-build/conf/local.conf" "$BUILD_DIR/conf/local.conf"
-fi
 
-OE_INIT=$THIS_DIR/poky/oe-init-build-env
+# Sync build config from meta-dstack/conf (always overwrite)
+CONF_SRC=$THIS_DIR/meta-dstack/conf
+mkdir -p "$BUILD_DIR/conf"
+cp -f "$CONF_SRC/local.conf" "$BUILD_DIR/conf/local.conf"
+cp -rf "$CONF_SRC/multiconfig" "$BUILD_DIR/conf/"
+
+OE_INIT=$THIS_DIR/openembedded-core/oe-init-build-env
 
 for script in $THIS_DIR/setup.d/*.sh; do
     source "$script"
 done
 
-pushd .
-source $OE_INIT $BUILD_DIR
+pushd "$BUILD_DIR"
+BDIR="." TEMPLATECONF=$THIS_DIR/openembedded-core/meta/conf/templates/default source $OE_INIT
 popd
 
 bitbake-layers add-layer $LAYERS

diff --git a/dstack b/dstack
diff --git a/meta-confidential-compute b/meta-confidential-compute
diff --git a/meta-dstack/conf/distro/dstack.conf b/meta-dstack/conf/distro/dstack.conf
@@ -1,17 +1,18 @@
+# Select systemd init before requiring poky-derived distro config, otherwise
+# poky.conf's POKY_INIT_MANAGER="sysvinit" pulls init-manager-sysvinit.inc which
+# appends sysvinit to DISTRO_FEATURES and conflicts with systemd (breaks udev).
+INIT_MANAGER = "systemd"
 require conf/distro/cvm.conf
 DISTRO = "dstack"
 DISTRO_NAME = "DStack"
 DISTRO_FEATURES:append = " virtualization seccomp systemd usrmerge security dm-verity ipv6"
-DISTRO_FEATURES_BACKFILL_CONSIDERED += "sysvinit"
 
-DISTRO_VERSION = "0.5.11"
+DISTRO_VERSION = "0.6.0"
 DISTROOVERRIDES = "poky:dstack"
 INITRAMFS_IMAGE = ""
-VOLATILE_LOG_DIR = "no"
-VOLATILE_TMP_DIR = "yes"
 
-PREFERRED_PROVIDER_virtual/kernel = "linux-yocto-dev"
-PREFERRED_VERSION_linux-yocto-dev ?= "6.9%"
+PREFERRED_PROVIDER_virtual/kernel = "linux-yocto"
+PREFERRED_VERSION_linux-yocto ?= "6.18%"
 LINUX_KERNEL_TYPE = "tiny"
 
 MACHINE_FEATURES += "numa"
@@ -31,4 +32,14 @@ PREFERRED_VERSION_nvidia = "${NVIDIA_VERSION}"
 PREFERRED_VERSION_nvidia-fabricmanager = "${NVIDIA_VERSION}"
 PREFERRED_VERSION_libnvidia-nscq = "${NVIDIA_VERSION}"
 
-BAD_RECOMMENDATIONS = "busybox-syslog"
+BAD_RECOMMENDATIONS = "busybox-syslog systemd-compat-units"
+
+# Skip unused components that fail metadata checks
+SKIP_RECIPE[ostree] = "not required for dstack"
+
+# Suppress meta-tpm warning (we use TPM drivers directly without tpm2 DISTRO_FEATURES)
+SKIP_META_TPM_SANITY_CHECK = "1"
+
+# EFI/UKI support for GCP images
+MACHINE_FEATURES:append = " efi"
+EFI_PROVIDER = "systemd-boot"
diff --git a/meta-dstack/conf/layer.conf b/meta-dstack/conf/layer.conf
@@ -5,4 +5,4 @@ BBFILE_COLLECTIONS += "dstack"
 BBFILE_PATTERN_dstack := "^${LAYERDIR}/"
 BBFILE_PRIORITY_dstack = "20"
 LAYERVERSION_dstack = "4"
-LAYERSERIES_COMPAT_dstack = "scarthgap"
+LAYERSERIES_COMPAT_dstack = "wrynose"
diff --git a/bb-build/conf/local.conf → meta-dstack/conf/local.conf b/bb-build/conf/local.conf → meta-dstack/conf/local.conf
@@ -157,6 +157,9 @@ DISTRO ?= "dstack"
 #   - 'buildstats' collect build statistics
 USER_CLASSES ?= "buildstats"
 
+# Prefer faster GNU mirror
+GNU_MIRRORS = "https://ftpmirror.gnu.org/gnu/"
+
 #
 # Runtime testing of images
 #
@@ -293,3 +296,4 @@ SOURCE_MIRROR_URL = "https://mirrors.kernel.org/yocto-sources/"
 
 # Improve resilience for large files on unstable links
 FETCHCMD_wget = "wget --progress=dot --inet4-only -c"
+BBMULTICONFIG = "prod dev nvidia nvidia-dev"
diff --git a/meta-dstack/conf/multiconfig/dev.conf b/meta-dstack/conf/multiconfig/dev.conf
@@ -0,0 +1,7 @@
+# Development flavor configuration
+DSTACK_FLAVOR = "dev"
+DSTACK_NVIDIA = "0"
+DSTACK_DEV = "1"
+
+# Use separate TMPDIR to avoid conflicts between multiconfigs
+TMPDIR = "${TOPDIR}/tmp-mc-dev"
diff --git a/meta-dstack/conf/multiconfig/nvidia-dev.conf b/meta-dstack/conf/multiconfig/nvidia-dev.conf
@@ -0,0 +1,7 @@
+# NVIDIA development flavor configuration
+DSTACK_FLAVOR = "nvidia-dev"
+DSTACK_NVIDIA = "1"
+DSTACK_DEV = "1"
+
+# Use separate TMPDIR to avoid conflicts between multiconfigs
+TMPDIR = "${TOPDIR}/tmp-mc-nvidia-dev"
diff --git a/meta-dstack/conf/multiconfig/nvidia.conf b/meta-dstack/conf/multiconfig/nvidia.conf
@@ -0,0 +1,7 @@
+# NVIDIA production flavor configuration
+DSTACK_FLAVOR = "nvidia"
+DSTACK_NVIDIA = "1"
+DSTACK_DEV = "0"
+
+# Use separate TMPDIR to avoid conflicts between multiconfigs
+TMPDIR = "${TOPDIR}/tmp-mc-nvidia"
diff --git a/meta-dstack/conf/multiconfig/prod.conf b/meta-dstack/conf/multiconfig/prod.conf
@@ -0,0 +1,7 @@
+# Production flavor configuration
+DSTACK_FLAVOR = "prod"
+DSTACK_NVIDIA = "0"
+DSTACK_DEV = "0"
+
+# Use separate TMPDIR to avoid conflicts between multiconfigs
+TMPDIR = "${TOPDIR}/tmp-mc-prod"
diff --git a/meta-dstack/recipes-connectivity/openssh/openssh_%.bbappend b/meta-dstack/recipes-connectivity/openssh/openssh_%.bbappend
@@ -4,7 +4,7 @@ SRC_URI += "file://disable-password-auth.conf"
 
 do_install:append() {
     install -d ${D}${sysconfdir}/ssh/sshd_config.d
-    install -m 0644 ${WORKDIR}/disable-password-auth.conf ${D}${sysconfdir}/ssh/sshd_config.d/
+    install -m 0644 ${UNPACKDIR}/disable-password-auth.conf ${D}${sysconfdir}/ssh/sshd_config.d/
 }
 
 FILES:${PN}-sshd += "${sysconfdir}/ssh/sshd_config.d/"
+1 −6		conf/distro/cvm.conf
+1 −1		conf/layer.conf
+0 −0		files/wic/mkefiinitrd.wks
+3 −3		recipes-core/cvm-init/cvm-init.bb
+1 −1		recipes-core/disk-encryption/disk-encryption.bb
+6 −6		recipes-kernel/linux/linux-yocto%.bbappend