Merge pull request #115 from nearai/feat/nv-attestation-sdk-evidence

feat: opt-in nv-attestation-sdk Rust bindings for GPU evidence

Author: Evrard-Nil

Cargo.lock

@@ -58,6 +58,19 @@ tracing-subscriber = { version = "0.3", features = ["env-filter", "json"] }
 metrics = "0.24"
 metrics-exporter-prometheus = "0.18"
 
+[dependencies.nv-attestation-sdk]
+git = "https://github.com/NVIDIA/attestation-sdk.git"
+tag = "2026.04.29"
+optional = true
+
+[features]
+# Enable the NVIDIA Attestation SDK Rust bindings as the GPU evidence
+# collection backend. Requires `libnvat.so.1` (and bindgen's clang) at
+# build time and the same shared library at runtime. When disabled
+# (default), evidence collection uses the existing Python subprocess
+# path. See `attestation_sdk.rs` for the runtime toggle.
+nv-attestation-sdk = ["dep:nv-attestation-sdk"]
+
 [dev-dependencies]
 wiremock = "0.6"
 tower = { version = "0.5", features = ["util"] }

Cargo.toml

@@ -1,19 +1,83 @@
+# Build args:
+#   ENABLE_NV_ATTESTATION_SDK=1  → build with the nv-attestation-sdk Cargo
+#       feature, link against libnvat.so for direct-FFI GPU evidence
+#       collection (no Python subprocess). The runtime image is also
+#       provisioned with libnvat.so. Default off until staging validates.
+#       Even at "1" the runtime path stays Python-backed unless the env
+#       var USE_NV_ATTESTATION_SDK=true is set on the container.
+#   LIBNVAT_VERSION  → exact apt-pinned version of NVIDIA's libnvat package
+#       (see https://developer.download.nvidia.com/compute/cuda/repos/ubuntu2204/x86_64/).
+#       The trailing ".<timestamp>-1" suffix is part of the upstream version
+#       string and changes per build; pin it so rebuilds stay reproducible.
+ARG ENABLE_NV_ATTESTATION_SDK=0
+ARG LIBNVAT_VERSION=1.2.1.1777487608-1
+
+# ─────────────────────────────────────────────────────────────────────
 # Stage 1: Build the Rust binary
-FROM rust:1.93.0-bookworm AS builder
+#
+# Switched from rust:1.93.0-bookworm (Debian 12) to ubuntu:22.04 +
+# rustup so the libnvat we link against is the same .deb the runtime
+# image installs (NVIDIA only publishes libnvat for Ubuntu 22.04/24.04;
+# no Debian 12 build). Matching distributions on both sides eliminates
+# any libssl3/libcurl4/libxml2 ABI risk.
+# ─────────────────────────────────────────────────────────────────────
+FROM ubuntu:22.04 AS builder
+ARG ENABLE_NV_ATTESTATION_SDK
+ARG LIBNVAT_VERSION
+
+ENV DEBIAN_FRONTEND=noninteractive
+
+RUN apt-get update && apt-get install -y --no-install-recommends \
+        ca-certificates curl git pkg-config build-essential gcc \
+        libssl-dev \
+    && rm -rf /var/lib/apt/lists/*
+
+# Install Rust 1.93.0 (matching the previous rust:1.93.0-bookworm base).
+RUN curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs \
+        | sh -s -- -y --default-toolchain 1.93.0 --profile minimal --no-modify-path
+ENV PATH=/root/.cargo/bin:$PATH
 
-RUN apt-get update && apt-get install -y --no-install-recommends git pkg-config \
-    && rm -rf /var/lib/apt/lists/* /var/log/* /var/cache/ldconfig/aux-cache
+# Install libnvat-dev (headers + .so symlink) and libclang for bindgen
+# only when the SDK feature is on. -dev pulls in libnvat (the runtime
+# .so) as a versioned dependency, plus libcurl4/libxml2/libxmlsec1-openssl
+# which libnvat dynamically links against.
+RUN if [ "$ENABLE_NV_ATTESTATION_SDK" = "1" ]; then \
+        set -e && \
+        apt-get update && apt-get install -y --no-install-recommends wget gnupg && \
+        wget -q https://developer.download.nvidia.com/compute/cuda/repos/ubuntu2204/x86_64/cuda-keyring_1.1-1_all.deb && \
+        dpkg -i cuda-keyring_1.1-1_all.deb && rm cuda-keyring_1.1-1_all.deb && \
+        apt-get update && apt-get install -y --no-install-recommends \
+            clang libclang-dev \
+            "libnvat-dev=${LIBNVAT_VERSION}" "libnvat=${LIBNVAT_VERSION}" && \
+        ldconfig && \
+        rm -rf /var/lib/apt/lists/* ; \
+    fi
+
+# Tell nv-attestation-sdk-sys's build.rs to look for the system-installed
+# libnvat (/usr/include/nvat.h + /usr/lib/.../libnvat.so) rather than
+# trying to build the C++ SDK from a sibling source directory. No-op when
+# the Cargo feature is disabled.
+ENV NVAT_USE_SYSTEM_LIB=1
 
 WORKDIR /build
 
 ARG SOURCE_DATE_EPOCH=0
 ENV SOURCE_DATE_EPOCH=${SOURCE_DATE_EPOCH}
 
+# Resolve the cargo feature flag once so dependency-cache and real builds
+# agree on the feature set.
+RUN if [ "$ENABLE_NV_ATTESTATION_SDK" = "1" ]; then \
+        echo "--features nv-attestation-sdk" > /tmp/cargo-features; \
+    else \
+        : > /tmp/cargo-features; \
+    fi
+
 # Cache dependencies: copy manifests first, then do a dummy build
 COPY Cargo.toml Cargo.lock ./
-RUN mkdir src && echo "fn main() {}" > src/main.rs && echo "" > src/lib.rs \
+RUN FEATURES=$(cat /tmp/cargo-features) && \
+    mkdir src && echo "fn main() {}" > src/main.rs && echo "" > src/lib.rs \
     && mkdir -p benches && echo "fn main() {}" > benches/hot_path.rs && echo "fn main() {}" > benches/e2e.rs \
-    && cargo build --release --locked 2>/dev/null || true \
+    && cargo build --release --locked $FEATURES 2>/dev/null || true \
     && rm -rf src benches \
     && rm -f target/release/deps/*vllm_proxy_rs* \
     && rm -f target/release/vllm-proxy-rs* \
@@ -22,19 +86,37 @@ RUN mkdir src && echo "fn main() {}" > src/main.rs && echo "" > src/lib.rs \
 # Copy real source and build — touch to ensure cargo detects changes
 COPY src/ src/
 COPY benches/ benches/
-RUN find src -name '*.rs' -exec touch {} + && cargo build --release --locked
+RUN FEATURES=$(cat /tmp/cargo-features) && \
+    find src -name '*.rs' -exec touch {} + && cargo build --release --locked $FEATURES
 
+# ─────────────────────────────────────────────────────────────────────
 # Stage 2: Runtime image
-# GPU attestation requires pynvml (needs CUDA), so use vllm base image
+# ─────────────────────────────────────────────────────────────────────
 FROM vllm/vllm-openai@sha256:014a95f21c9edf6abe0aea6b07353f96baa4ec291c427bb1176dc7c93a85845c
+ARG ENABLE_NV_ATTESTATION_SDK
+ARG LIBNVAT_VERSION
 
 ENV PYTHONUNBUFFERED=1
 
 # Install the verifier packages needed for GPU attestation evidence
 # nv-attestation-sdk provides the `verifier` module for GPU evidence collection
-# nv-ppcie-verifier is additionally needed for PPCIE multi-GPU systems
+# nv-ppcie-verifier is additionally needed for PPCIE multi-GPU systems.
+# When ENABLE_NV_ATTESTATION_SDK=1 these are still installed for the
+# Python fallback path (USE_NV_ATTESTATION_SDK=false at runtime); a
+# follow-up will drop them once the SDK path proves out.
 RUN pip install --no-cache-dir nv-attestation-sdk nv-ppcie-verifier
 
+# Install libnvat (runtime) when the feature is built. vllm/vllm-openai
+# already has the CUDA apt repo configured, so cuda-keyring isn't needed
+# here. apt pulls in libcurl4/libxml2/libxmlsec1-openssl as deps.
+RUN if [ "$ENABLE_NV_ATTESTATION_SDK" = "1" ]; then \
+        set -e && \
+        apt-get update && apt-get install -y --no-install-recommends \
+            "libnvat=${LIBNVAT_VERSION}" && \
+        ldconfig && \
+        rm -rf /var/lib/apt/lists/* ; \
+    fi
+
 WORKDIR /app
 
 # Copy compiled binary and GPU evidence worker from builder

Dockerfile

@@ -48,3 +48,9 @@ wildcards = "allow"
 [sources]
 unknown-registry = "deny"
 unknown-git = "deny"
+allow-git = [
+    # NVIDIA's attestation SDK Rust bindings (libnvat FFI). Not yet on
+    # crates.io; pinned to release tag 2026.04.29 in Cargo.toml. Optional
+    # `nv-attestation-sdk` feature only — default builds don't pull this.
+    "https://github.com/NVIDIA/attestation-sdk.git",
+]

deny.toml

@@ -976,7 +976,18 @@ async fn collect_gpu_evidence_with_nonce_check(
             tokio::time::sleep(std::time::Duration::from_millis(delay_ms)).await;
         }
 
-        let evidence = if let Some(cache) = cache {
+        // Three backends, in priority order:
+        //   1. nv-attestation-sdk (Rust → C FFI, opt-in via env var)
+        //   2. cache's persistent Python worker (existing default)
+        //   3. one-shot Python subprocess (fallback when no cache)
+        // The self-check + retry below applies regardless of which one
+        // produced the evidence.
+        let evidence = if crate::attestation_sdk::is_active() && !gpu_no_hw_mode {
+            // SDK path doesn't support no_gpu_mode (it requires real
+            // hardware via NVML); fall back to the Python paths for
+            // dev/test environments without GPUs.
+            crate::attestation_sdk::collect_gpu_evidence_via_sdk(nonce_hex).await?
+        } else if let Some(cache) = cache {
             cache
                 .collect_gpu_evidence(nonce_hex, gpu_no_hw_mode)
                 .await?