Thanks to visit codestin.com
Credit goes to docs.phala.com

Skip to main content

Code Walkthrough and KT Materials

This page is an internal knowledge-transfer resource. It maps the codebase structure, traces the key request path from application to KMS, and highlights the files you’ll need to understand when contributing to dstack-cloud.
Note: This document is an internal deliverable for new contributors and team members.

Guide for New Contributors

If you’re new to dstack-cloud, here’s the recommended reading order:
  1. Understand the architecture β€” Read overview first to get the big picture
  2. Set up the development environment β€” Follow the README in the repository root
  3. Start with a simple workload β€” Deploy a basic nginx container on GCP using the Quick Start
  4. Explore the KMS β€” Deploy KMS and observe the bootstrap flow
  5. Read the attestation code β€” Understand how measurements are generated and verified
  6. Review the contracts β€” Understand the governance model and on-chain authorization

Repository Structure

The codebase is organized into these key areas:
dstack-cloud/
β”œβ”€β”€ cli/                    # dstack-cloud CLI tool
β”œβ”€β”€ kms/                    # dstack-kms service
β”œβ”€β”€ packages/
β”‚   β”œβ”€β”€ attestation/        # Attestation modules (TDX, NSM, TPM)
β”‚   β”œβ”€β”€ guest-agent/        # Guest Agent (runs inside CVM)
β”‚   β”œβ”€β”€ gateway/            # TLS termination and RA-TLS gateway
β”‚   └── vmm/                # Virtual Machine Monitor
β”œβ”€β”€ contracts/              # Smart contracts (DstackKms, DstackApp)
β”œβ”€β”€ scripts/                # Build and deployment scripts
└── docs/                   # Documentation

Core Request Paths

Understanding how a key request flows through the system is the best way to learn the codebase. Here’s what happens when an application asks KMS for a key:

Key Request Flow

GCP (via Guest Agent):
Application (in CVM)
  β†’ dstack SDK (via /var/run/dstack.sock)
  β†’ Guest Agent
  β†’ RA-TLS connection
  β†’ dstack-kms (in separate TEE)
  β†’ Attestation verification
  β†’ On-chain measurement check
  β†’ Key derivation and dispatch
  β†’ RA-TLS response
  β†’ Guest Agent
  β†’ Application receives key
AWS Nitro (via dstack-util):
dstack-util (in Enclave)
  β†’ NSM attestation document obtained
  β†’ VSOCK β†’ VSOCK Proxy β†’ dstack-kms (in separate TEE)
  β†’ Attestation verification (NSM + OS_IMAGE_HASH)
  β†’ On-chain measurement check
  β†’ Key derivation and dispatch
  β†’ Key returned to dstack-util
  β†’ Application receives key (user decides usage)
Key Request Flow

CVM Deployment Flow

When you run dstack-cloud deploy, the CLI parses your configuration and orchestrates the creation of a TEE environment. The flow differs by platform: GCP (dstack CVM):
dstack-cloud deploy
  β†’ Parse docker-compose.yaml
  β†’ Build CVM image (dstack-os + containers)
  β†’ Generate measurements (RTMR values)
  β†’ Create Confidential VM with TDX
  β†’ Guest Agent starts inside CVM
  β†’ Attestation obtained from hardware
AWS Nitro (Enclave):
dstack-cloud deploy
  β†’ Build Docker image from Dockerfile
  β†’ Run nitro-cli build-enclave β†’ generates EIF
  β†’ 3 PCRs (PCR0-2) produced at build time
  β†’ Combine 3 PCRs into 1 OS_IMAGE_HASH
  β†’ Register OS_IMAGE_HASH on-chain (via governance)
  β†’ Launch Enclave on EC2 instance
  β†’ dstack-util handles attestation and key retrieval
CVM Deployment Flow

Attestation Module

The attestation module abstracts platform-specific hardware attestation behind a common interface. Each platform has its own module:
PlatformModuleInputOutput
GCP (TDX)tdx-attestTDX hardwareTDX Quote
AWS Nitronsm-attestNSM deviceAttestation Document
GCP (TPM)tpm-attestTPM deviceTPM Quote

Key Files

These are the files you’ll spend the most time in when contributing:
FilePurpose
kms/src/main.rsKMS service entry point, RPC handlers, bootstrap logic
packages/guest-agent/src/main.rsGuest Agent entry point, local API server
packages/attestation/src/lib.rsPlatform-agnostic attestation interface
cli/src/main.rsCLI entry point, deploy/status/logs commands
contracts/contracts/DstackKms.solKMS policy contract
contracts/contracts/DstackApp.solApplication contract

Resources