feat: Improved attestation verification #96
Merged
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
jcabrero
force-pushed
the
feat/improved_attestation_verification
branch
from
42512e3 to
1742e2e
Compare
jcabrero
changed the title
lumasepa
approved these changes
Apr 22, 2025
Comment on lines
+12
to
+15
| @lru_cache(maxsize=1) | ||
| def load_sev_library() -> bool: | ||
| """Load the SEV library""" | ||
| return sev.init() |
Contributor
There was a problem hiding this comment.
This seems a bit hacky. I understand you are trying to load it only once. Have you tried to initialize it globally on import? It should be called only once. And you are not checking if the init failed swallowing the error and delaying it to the execution of the attestation.
Suggested change
| @lru_cache(maxsize=1) | |
| def load_sev_library() -> bool: | |
| """Load the SEV library""" | |
| return sev.init() | |
| if not sev.init(): | |
| raise Exception("Failed to load SEV") |
Member
Author
There was a problem hiding this comment.
At the moment, I aim at allowing nilAI to run on SEV and non-SEV hosts. If /dev/sev-guest is not available, the idea is that it continues to work, though with fake attestations. That's why we need to make sure an exception is not raised here.
nilai-attestation/src/nilai_attestation/attestation/nvtrust/nv_attester.py
Outdated
Show resolved
Hide resolved
nilai-attestation/src/nilai_attestation/attestation/nvtrust/nv_verifier.py
Outdated
Show resolved
Hide resolved
jcabrero
force-pushed
the
feat/improved_attestation_verification
branch
from
a7d4d0c to
c5c0c6a
Compare
jcabrero
force-pushed
the
feat/improved_attestation_verification
branch
from
c5c0c6a to
f5fe0a6
Compare
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
I know this PR touches way too many files, but it wasn’t possible to break it into smaller PRs while keeping everything functional.
This PR introduces support for attestation verification using the official nvtrust library instead of the default Azure library.
To avoid issues caused by the outdated dependencies of nv-trust-attestation-sdk, we have modularized the attestation logic into a separate, standalone package that runs inside a Docker container. nilai-api now interacts with this container via an internal API, ensuring a cleaner and more maintainable integration.
To make it easier to review, here’s what you need to know:
1 .We have removed
packages/verifier. This was a copy of the source from the Azure Confidential GPU library. Since the source was removed, that’s why there are so many lines of code deleted.2. There is a new directory,
nilai-attestation, which includes all the code required for attestation. It is a FastAPI server with a single endpoint at/attestation/report. It is intentionally kept completely separate from the rest of thenilaicode to avoid any dependency conflicts. It is meant to run in the attestation: container in the Docker Compose setup and has its own attestation.Dockerfile.3. Now
nilai-apisimply forwards attestations to the attestation container. It no longer needs to handle any verification itself, so it no longer has any GPU-related dependencies. Thus all the changes tonilai_api/state.py(which was in charge of the attestations before), and now there isnilai_api/attestation/__init__.pywhich forwards a GET request.4. There are other QoL improvements, such as removing the two port bindings from the nilai-api gunicorn.conf.