The rise of LLM-as-a-Service and other confidential cloud workloads demands cryptographic proof that user data is processed in a trusted, untampered environment. Existing solutions, notably Confidential Containers (CoCo), enforce a strict "one Pod per VM" model that attests only the Guest OS stack, leaving container-level identity unverified and incurring prohibitive per-VM resource overhead. We present dstack-capsule, a Kubernetes platform that enables Pod-level remote attestation on Intel TDX by allowing multiple Pods to share a single Confidential VM while each retains independent, hardware-backed proof of identity. Our key insight is a two-layer attestation architecture: static platform measurements are frozen in RTMR[3] via an irreversible privilege fuse, while dynamic Pod identities (pod_uid, pod_spec_hash, workload_id) are embedded in the TDX Quote's report_data field and signed by hardware on every request. dstack-capsule introduces (1) a Pod-level attestation protocol binding Pod spec digests to hardware-signed Quotes; (2) a privilege fuse mechanism that atomically transitions a node from setup mode to secure mode; (3) a multi-layer sandbox spanning storage, runtime, admission, API, and network isolation layers; and (4) a complete open-source implementation based on Kubernetes 1.32, Intel TDX, and Sysbox. We evaluate the security properties, attestation correctness, and performance characteristics of dstack-capsule, demonstrating that it achieves Pod-granularity verification without the resource overhead of per-VM isolation.
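The two-layer binding the abstract describes, modelled end to end as an added example; this is not code from the paper or from the dstack-capsule implementation. Two things in it are TDX facts: an RTMR is extended as SHA-384(old || value) over 48-byte values, and report_data is exactly 64 bytes. Everything else is an assumption made for illustration: the report_data encoding (a domain tag plus length-prefixed pod_uid, pod_spec_hash and workload_id, hashed with SHA-512 to fill the field), the HMAC that stands in for the Quoting Enclave's ECDSA signature so the example runs offline, and the event names and Pod spec, which are constructed.

```python
"""Toy model of two-layer Pod attestation (added example, not the project's code)."""
import hashlib
import hmac
import json

RTMR_LEN = 48          # TDX RTMRs hold a SHA-384 digest (48 bytes)
REPORT_DATA_LEN = 64   # TDX report_data is exactly 64 bytes

# Constructed stand-in for the Quoting Enclave's attestation key. Real Quotes
# are ECDSA-signed with Intel-provisioned keys; HMAC keeps this runnable offline.
_TOY_ATTESTATION_KEY = b"constructed-toy-attestation-key"


def rtmr_extend(current: bytes, value: bytes) -> bytes:
    """RTMR extend as TDX defines it: new = SHA-384(old || value), both 48 bytes."""
    assert len(current) == RTMR_LEN and len(value) == RTMR_LEN
    return hashlib.sha384(current + value).digest()


def pod_spec_hash(pod_spec: dict) -> bytes:
    """Digest of a canonical (sorted-key, no-whitespace) JSON encoding of the Pod spec."""
    canonical = json.dumps(pod_spec, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(canonical).digest()


def build_report_data(pod_uid: str, spec_hash: bytes, workload_id: str) -> bytes:
    """Pack the Pod identity into the 64-byte report_data field.

    Assumed encoding (not specified by the abstract): a domain-separation tag
    followed by length-prefixed fields, hashed with SHA-512 so the result is
    exactly 64 bytes and cannot be split into two valid identities.
    """
    def field(b: bytes) -> bytes:
        return len(b).to_bytes(2, "big") + b
    msg = field(pod_uid.encode()) + field(spec_hash) + field(workload_id.encode())
    return hashlib.sha512(b"dstack-capsule-pod-identity-v1" + msg).digest()


def generate_quote(rtmr3: bytes, report_data: bytes) -> dict:
    """Model of the hardware-signed Quote: RTMR[3] and report_data under one signature."""
    assert len(report_data) == REPORT_DATA_LEN
    body = rtmr3 + report_data
    sig = hmac.new(_TOY_ATTESTATION_KEY, body, hashlib.sha256).digest()
    return {"rtmr3": rtmr3, "report_data": report_data, "signature": sig}


def verify_pod_quote(quote: dict, expected_rtmr3: bytes, pod_uid: str,
                     pod_spec: dict, workload_id: str) -> bool:
    """Verifier side: signature first, then the frozen platform layer, then the Pod layer."""
    body = quote["rtmr3"] + quote["report_data"]
    expected_sig = hmac.new(_TOY_ATTESTATION_KEY, body, hashlib.sha256).digest()
    if not hmac.compare_digest(quote["signature"], expected_sig):
        return False  # not produced by the (modelled) hardware
    if not hmac.compare_digest(quote["rtmr3"], expected_rtmr3):
        return False  # platform layer differs from the post-fuse reference value
    expected_rd = build_report_data(pod_uid, pod_spec_hash(pod_spec), workload_id)
    return hmac.compare_digest(quote["report_data"], expected_rd)


def demo() -> tuple:
    """Walk through boot, fuse, one accepted Pod Quote, and two rejected ones."""
    # Layer 1: setup mode extends RTMR[3] with platform events (constructed names);
    # the privilege fuse is the last event, and the verifier pins the resulting value.
    rtmr3 = bytes(RTMR_LEN)
    for event in (b"k8s-node-config", b"sysbox-runtime", b"admission-policy"):
        rtmr3 = rtmr_extend(rtmr3, hashlib.sha384(event).digest())
    frozen_rtmr3 = rtmr_extend(rtmr3, hashlib.sha384(b"privilege-fuse:secure-mode").digest())

    # Layer 2: a constructed Pod identity.
    pod_uid = "4f1c2d6e-0000-4000-8000-000000000001"
    workload_id = "llm-inference"
    pod_spec = {"containers": [{"name": "llm", "image": "registry.example/llm@sha256:" + "ab" * 32}]}
    quote = generate_quote(frozen_rtmr3, build_report_data(pod_uid, pod_spec_hash(pod_spec), workload_id))
    valid = verify_pod_quote(quote, frozen_rtmr3, pod_uid, pod_spec, workload_id)

    # Rejected 1: the relying party expects a different Pod spec (swapped image digest).
    other_spec = json.loads(json.dumps(pod_spec))
    other_spec["containers"][0]["image"] = "registry.example/llm@sha256:" + "cd" * 32
    spec_mismatch = verify_pod_quote(quote, frozen_rtmr3, pod_uid, other_spec, workload_id)

    # Rejected 2: any extend after the fuse (e.g. a node re-entering setup mode) moves
    # RTMR[3] off the pinned value, so even a correctly bound Pod identity is refused.
    reextended = rtmr_extend(frozen_rtmr3, hashlib.sha384(b"setup-mode").digest())
    quote2 = generate_quote(reextended, build_report_data(pod_uid, pod_spec_hash(pod_spec), workload_id))
    platform_mismatch = verify_pod_quote(quote2, frozen_rtmr3, pod_uid, pod_spec, workload_id)

    return valid, spec_mismatch, platform_mismatch


if __name__ == "__main__":
    print(demo())  # (True, False, False)
```

The order of checks in verify_pod_quote is the point of the design: the signature establishes that the hardware produced the Quote, RTMR[3] establishes that the node is the fused, secure-mode platform the verifier pinned, and only then is report_data compared against the Pod identity the relying party expects. Because report_data is a hash over all three identity fields, a Quote issued for one Pod cannot be replayed for another Pod on the same VM, which is what lets multiple Pods share a CVM while each keeps an independent proof.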