Skip to content

simulate_quote patches report_data at hardcoded offset with no build-time guard #563

New issue
New issue
Open
Open
simulate_quote patches report_data at hardcoded offset with no build-time guard#563
@pbeza

Description

@pbeza
pbeza
opened on Mar 17, 2026

The quote simulation flag in dstack/dstack-util/src/tdx_attest.rs is controlled by a runtime environment variable rather than a compile-time feature gate, so a compromised process that sets this variable can cause the system to accept simulated (non-hardware) quotes.

Root Cause

The guest agent's simulate_quote functionality is controlled by a runtime config flag (simulator.enabled) rather than a compile-time feature gate. When enabled, the function patches report_data at a hardcoded offset within a pre-baked quote template, producing a quote that looks structurally valid but is not generated by TDX hardware.

// Controlled by runtime config, not #[cfg(feature = "simulator")]
if self.config.simulator.enabled {
    return self.simulate_quote(report_data);
}

Attack Path

  1. A production deployment is accidentally configured with simulator.enabled = true
  2. Guest agent serves simulated quotes instead of real TDX hardware quotes
  3. Simulated quotes have fixed measurements, MRTD, and RTMRs from the template
  4. If the KMS or verifier accepts these quotes (e.g., because they match expected measurements by coincidence, or if quote signature verification is also disabled), the system operates without real hardware attestation
  5. The report_data is the only part that varies — everything else is static from the template

Impact

A misconfigured production deployment could serve simulated quotes that bypass TDX hardware attestation. The runtime flag makes this a configuration error away from total attestation bypass, whereas a compile-time gate would prevent simulation code from existing in production binaries.

Suggested Fix

Gate simulation behind a compile-time feature:

#[cfg(feature = "simulator")]
if self.config.simulator.enabled {
    return self.simulate_quote(report_data);
}

Ensure the simulator feature is never enabled in production builds. Add a startup warning log if the feature is compiled in.

Note: This issue was created automatically. The vulnerability report was generated by Claude and has not been verified by a human.

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Type

    No type

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions