Skip to content

switchboard-xyz/sail-spec

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

2 Commits
README.md
README.md
 
 

Repository files navigation

Switchboard SAIL

Switchboard SAIL is a generalized attestation environment that lets anyone run a Docker container inside an AMD SEV-SNP–secured TEE, without worrying about the underlying complexity.

SAIL builds on top of Kata Containers to deliver a turnkey VM image that launches your container with hardware attestation guarantees.

Overview

Switchboard’s own oracles run inside AMD SEV-SNP–attested environments. SAIL generalizes this tooling so users can run any Docker container in an attested VM.

SAIL’s design goals:

  • Simple user experience: "Bring your own Docker image"
  • Strong AMD SEV-SNP attestation
  • Verifiable outputs via attestation reports

Architecture

  • Base VM: Kata Containers for hardware-enforced isolation
  • Attestation: AMD SEV-SNP
  • Delivery: Prebuilt VM image (ISO) that boots into a "SAIL" environment
  • Runtime flow:
    1. User specifies their Docker container image/tag
    2. VM boots and runs the user’s container
    3. Container includes the SAIL SDK + CLI to:
      • Expose an attestation endpoint
      • Generate attestation reports
    4. Reports can be verified against a public GitHub repo (verification flow to be finalized later)

Features

✅ Lightweight VM isolation via Kata Containers
✅ AMD SEV-SNP attestation support
✅ User-defined Docker container
✅ SDK/CLI for attestation reporting

Dynamic Container Selection

Previous work (by Lele) implemented a dynamic initd file in the Kata image to allow specifying which Docker container image/tag to boot, without recompiling the entire VM.

We plan to maintain and improve this approach so that:

  • Users can set their desired container tag at deploy time
  • The base image remains static for easier distribution and attestation

Goals for this Milestone

We are focused on these deliverables first:

  1. Base Image Delivery
    • Publish the ISO/VM image needed to boot SAIL
  2. Setup Guide
    • How to download and start the VM
    • How to set the user’s Docker container image/tag
  3. Example Flow
    • Running the user’s container
    • Generating an attestation report via the SDK/CLI

⚠️ The verification flow (checking reports against GitHub or other public infra) will be scoped and implemented later.

Roadmap

✅ Build & release base image
✅ Dynamic container configuration (initd-based)
🟡 Write setup guide
🟡 Build example attestation flow
⬜ Define/implement public verification flow

Contributing

We welcome help on:

  • Improving the base image build
  • Enhancing the initd dynamic container selection
  • Writing documentation and setup guides
  • Building the verification infrastructure

References

  • Nautilus: image

Contact

For questions or contributions, please open an issue or PR on this repo.

About

No description, website, or topics provided.

Resources

Readme
Activity
Custom properties

Stars

0 stars

Watchers

0 watching

Forks

0 forks
Report repository

Releases

No releases published

Packages

No packages published