Open Source Confidential Computing Tools

Open Source Confidential Computing Tools: Dstack, Kata, and the TEE Ecosystem

TL;DR: The confidential computing ecosystem is now powered by open source tools that make TEE deployment accessible to everyone. Dstack SDK (by Phala and Flashbots) converts Docker containers to confidential VMs with a few simple steps, Kata Containers provides secure, lightweight container isolation for confidential workloads, and a growing ecosystem of attestation and verification tools enables production-grade trust and compliance. This guide covers the essential open source tools, how to use them, and how they work together for confidential AI applications on Phala Cloud.

Introduction

Confidential computing was once limited to large enterprises with specialized teams and hardware knowledge. Now, thanks to open source innovation, TEE technology has become developer-friendly.

Modern tools like [Dstack SDK](https://phala.com/dstack) and Kata Containers let you launch secure workloads using familiar Docker workflows, while attestation frameworks ensure cryptographic verification of everything running in your environment.

In this guide, we’ll explore the core open source stack behind Confidential Computing, including practical tips for building and deploying Confidential AI workloads on [Phala Cloud](https://docs.phala.com/phala-cloud/getting-started/overview).

What you’ll learn:

  • Dstack SDK architecture and capabilities
  • Kata Containers for confidential workloads
  • Attestation and verification tools
  • Development and debugging tools
  • Integration patterns and best practices
  • Contributing to the ecosystem

The Confidential Computing Stack

Open Source Components

Why Open Source Matters

Trust and auditability:

  • Anyone can inspect source code for backdoors
  • Community security reviews
  • Reproducible builds

Flexibility and customization:

  • Modify for specific use cases
  • No vendor lock-in
  • Self-hosting capability

Ecosystem growth:

  • Standardized interfaces
  • Tool interoperability
  • Community contributions

Dstack SDK: Docker to TEE

What Is Dstack?

Dstack is an open source SDK (developed jointly by Phala Network and Flashbots) that converts standard Docker containers into confidential VMs running in TEE with attestation.

Key capabilities:

  • Docker container → CVM (Confidential VM) conversion
  • Automatic attestation report generation
  • RA-HTTPS (Remote Attestation over HTTPS)
  • Decentralized Key Management System (KMS)
  • Trust Center integration

GitHub: https://github.com/Dstack-TEE/dstack

Dstack Architecture

Getting Started with Dstack

Installation:

# Install Dstack CLI
curl -fsSL https://get.dstack.host | sh
# Verify installation
dstack version

Convert Docker container to CVM:

# Step 1: Write a standard Dockerfile
cat > Dockerfile <<EOF
FROM python:3.11-slim
WORKDIR /app
COPY requirements.txt .
RUN pip install -r requirements.txt
COPY app.py .
CMD ["python", "app.py"]
EOF

# Step 2: Build Docker image
docker build -t my-confidential-ai:latest .

# Step 3: Convert to CVM with Dstack
dstack build \
  --image my-confidential-ai:latest \
  --output my-confidential-ai-cvm \
  --tee-type tdx

# Step 4: Deploy to Phala Cloud
dstack deploy \
  --image my-confidential-ai-cvm \
  --name my-app \
  --phala-cloud

Dstack configuration:

# dstack.yaml - Dstack deployment configuration
version: '1.0'
app:
  name: my-confidential-ai
  description: "Confidential AI inference service"
tee:
  type: intel-tdx
  attestation:
    enabled: true
    interval: 300
    trust_center: "https://trust-center.phala.network"
secrets:
  - name: API_KEY
    description: "External API key"
  - name: DB_PASSWORD
    description: "Database password"
storage:
  - path: /secure
    size: 10Gi
    encrypted: true
network:
  ports:
    - container: 8000
      host: 443
      protocol: https
resources:
  cpu: "4"
  memory: "16Gi"
  gpu: "1"

Kata Containers: Secure Container Isolation

What Is Kata Containers?

Kata Containers is an open source project that runs containers in lightweight VMs, providing VM-level isolation with container user experience.

Why Kata + TEE?

  • Each container gets its own isolated VM
  • VM runs in TEE (Intel TDX or AMD SEV-SNP)
  • Better security than shared-kernel containers
  • Protects against container escape attacks

GitHub: https://github.com/kata-containers/kata-containers

Using Kata with TEE

Installation:

# Install Kata Containers
bash -c "$(curl -fsSL https://raw.githubusercontent.com/kata-containers/kata-containers/main/utils/kata-manager.sh)"
# Print the runtime environment to confirm the installation and review its settings
sudo kata-runtime kata-env

Deploy container with Kata:

# Create a container with Kata runtime
docker run -d \
  --runtime kata-runtime \
  --name confidential-ai \
  -p 8000:8000 \
  my-confidential-ai:latest

Attestation and Verification Tools

go-tdx-guest (Intel TDX)

GitHub: https://github.com/intel/go-tdx-guest

Go library for Intel TDX attestation quote generation and verification.

sev-guest (AMD SEV-SNP)

GitHub: https://github.com/AMDESE/sev-guest

Tools for AMD SEV-SNP attestation.

DCAP (Intel Data Center Attestation Primitives)

GitHub: https://github.com/intel/SGXDataCenterAttestationPrimitives

Intel’s attestation infrastructure for SGX and TDX.
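
A custom verifier built on these libraries still has to decide which quote fields it accepts. The following is an added example, not code from go-tdx-guest, DCAP or Dstack: it reads the policy-relevant fields of a TDX v4 quote and checks them, and it must run only after the quote's signature and certificate chain have been verified by one of the tools above. The field offsets, the `SHA-512(nonce)` binding convention and all function names are assumptions of this example.

```python
import hashlib
import hmac
import struct

# Assumed layout (Intel TDX quote v4): 48-byte header, then 584-byte TD report body.
HEADER_LEN, BODY_LEN, TEE_TYPE_TDX = 48, 584, 0x81
OFF_TD_ATTRIBUTES = HEADER_LEN + 120  # 8 bytes, bit 0 = DEBUG
OFF_MRTD = HEADER_LEN + 136           # 48 bytes, measurement of the initial TD image
OFF_REPORT_DATA = HEADER_LEN + 520    # 64 bytes supplied by the guest


def parse_quote(raw: bytes) -> dict:
    """Extract policy-relevant fields. Call only after the signature is verified."""
    if len(raw) < HEADER_LEN + BODY_LEN:
        raise ValueError("quote too short")
    version, _key_type, tee_type = struct.unpack_from("<HHI", raw, 0)
    if version != 4 or tee_type != TEE_TYPE_TDX:
        raise ValueError("not a TDX v4 quote")
    attrs = int.from_bytes(raw[OFF_TD_ATTRIBUTES:OFF_TD_ATTRIBUTES + 8], "little")
    return {"debug": bool(attrs & 1),
            "mrtd": raw[OFF_MRTD:OFF_MRTD + 48],
            "report_data": raw[OFF_REPORT_DATA:OFF_REPORT_DATA + 64]}


def check_policy(raw: bytes, expected_mrtd: bytes, nonce: bytes) -> list:
    """Return policy violations; an empty list means every field check passed."""
    q, problems = parse_quote(raw), []
    if q["debug"]:
        problems.append("debug TD")
    if not hmac.compare_digest(q["mrtd"], expected_mrtd):
        problems.append("unexpected MRTD")
    # Assumed binding convention: REPORTDATA = SHA-512(verifier nonce).
    if not hmac.compare_digest(q["report_data"], hashlib.sha512(nonce).digest()):
        problems.append("stale or unbound REPORTDATA")
    return problems


def build_sample_quote(mrtd: bytes, nonce: bytes, debug: bool = False) -> bytes:
    """Constructed test input: header + body with only the checked fields set."""
    buf = bytearray(HEADER_LEN + BODY_LEN)
    struct.pack_into("<HHI", buf, 0, 4, 2, TEE_TYPE_TDX)
    buf[OFF_TD_ATTRIBUTES] = 1 if debug else 0
    buf[OFF_MRTD:OFF_MRTD + 48] = mrtd
    buf[OFF_REPORT_DATA:OFF_REPORT_DATA + 64] = hashlib.sha512(nonce).digest()
    return bytes(buf)


if __name__ == "__main__":
    good = bytes(range(48))  # constructed measurement, not a real MRTD
    print(check_policy(build_sample_quote(good, b"nonce-1"), good, b"nonce-1"))
    print(check_policy(build_sample_quote(good, b"nonce-1", debug=True), good, b"nonce-2"))
```
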

Development and Debugging Tools

TEE Simulators

QEMU with TDX emulation:

# Run QEMU with TDX simulation (for development)
qemu-system-x86_64 \
  -machine q35,accel=kvm,kernel-irqchip=split \
  -cpu host,-kvm-steal-time \
  -smp 4 \
  -m 8G \
  -object tdx-guest,id=tdx0 \
  -machine confidential-guest-support=tdx0 \
  -drive if=pflash,format=raw,unit=0,file=OVMF.fd \
  -drive file=ubuntu-tdx.qcow2,format=qcow2 \
  -nographic

Integration Patterns

Pattern 1: Dstack + Docker Compose

# docker-compose.yml - Confidential AI stack with Dstack
version: '3.8'
services:
  ai-inference:
    image: my-confidential-ai:latest
    volumes:
      - /var/run/dstack.sock:/var/run/dstack.sock
    environment:
      - DSTACK_ENABLED=true
      - APP_ID=ai-inference
    ports:
      - "8000:8000"
  database:
    image: postgres:15
    volumes:
      - /var/run/dstack.sock:/var/run/dstack.sock
      - pgdata:/var/lib/postgresql/data
    environment:
      - DSTACK_ENABLED=true
      - POSTGRES_PASSWORD_SECRET=DB_PASSWORD
volumes:
  pgdata:
    driver: dstack-encrypted

Contributing to the Ecosystem

How to Contribute

Dstack SDK:

Kata Containers:

Phala Trust Center:

Summary and Best Practices

Tool Selection Guide

| Use Case | Recommended Tools | Why |
| --- | --- | --- |
| Quick start | Phala Cloud + Dstack SDK | Managed platform, zero config |
| Production deployment | Dstack + Kata + K8s | Industry standard, scalable |
| Custom attestation | go-tdx-guest + custom verifier | Full control, custom policies |
| Development | Dstack dev mode + QEMU | Fast iteration, no real TEE needed |
| Research | All open source tools | Flexibility, modification |

Best Practices

1. Start with Dstack SDK:

  • Handles 90% of TEE complexity
  • Battle-tested in production
  • Active community support

2. Use Kata for isolation:

  • Better security than shared-kernel containers
  • Especially important for multi-tenant deployments

3. Implement continuous attestation:

  • Generate new quotes every 5 minutes
  • Publish to Trust Center automatically
  • Alert on attestation failures

4. Contribute back:

  • Report bugs with detailed reproduction steps
  • Share integration patterns and examples
  • Improve documentation

5. Stay updated:

  • Watch GitHub repositories for updates
  • Join community Slack/Discord
  • Test new features in development environment first
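
For practice 3 (continuous attestation), the alerting side can be a small audit over the record of published quotes. This is an added example, not part of Dstack or the Trust Center: the log format, the grace period and the names below are assumptions, and the sample log is constructed.

```python
from datetime import datetime, timedelta

INTERVAL = timedelta(seconds=300)  # the 5-minute cadence (attestation.interval: 300)
GRACE = timedelta(seconds=60)      # assumed allowance for scheduling jitter

# Constructed sample log, one line per quote: ISO timestamp, verifier result, measurement.
SAMPLE_LOG = """\
2025-01-01T00:00:00 ok aa11
2025-01-01T00:05:02 ok aa11
2025-01-01T00:10:01 fail aa11
2025-01-01T00:26:00 ok aa11
2025-01-01T00:31:00 ok bb22
"""


def audit(log: str, expected: str, now: datetime) -> list:
    """Return (kind, timestamp) alerts for gaps, failures, drift and staleness."""
    alerts, prev = [], None
    for line in log.splitlines():
        if not line.strip():
            continue
        stamp, result, measurement = line.split()
        ts = datetime.fromisoformat(stamp)
        # A missed interval means the workload went unattested for that window.
        if prev is not None and ts - prev > INTERVAL + GRACE:
            alerts.append(("gap", stamp))
        if result != "ok":
            alerts.append(("verification-failed", stamp))
        elif measurement != expected:
            # The quote verified, but it attests to a different image than expected.
            alerts.append(("measurement-drift", stamp))
        prev = ts
    # No quote at all, or the newest one is too old to trust.
    if prev is None or now - prev > INTERVAL + GRACE:
        alerts.append(("stale", now.isoformat()))
    return alerts


if __name__ == "__main__":
    for alert in audit(SAMPLE_LOG, "aa11", datetime(2025, 1, 1, 0, 40)):
        print(alert)
```
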

FAQ

Q: Is Dstack SDK free and open source?

A: Yes, fully open source (Apache 2.0 license). Free to use, modify, and deploy.

Q: Can I use these tools without Phala Cloud?

A: Yes! All tools work on any TEE-capable hardware:

  • Your own servers with TDX/SEV-SNP
  • GCP, Azure, AWS with confidential VMs
  • Phala Cloud (easiest option with managed Dstack)

Q: How mature are these tools?

A: Production-ready:

  • Dstack SDK: Used by Flashbots (securing $10B+ MEV)
  • Kata Containers: CNCF graduated project
  • Intel/AMD attestation: Official vendor tools

Q: What if I need help?

A: Community support:

Q: Can I build commercial products with these tools?

A: Yes, all tools have permissive licenses (Apache 2.0, MIT). Build freely.

Q: How do I stay updated on new features?

A:

  • Watch GitHub repositories
  • Subscribe to mailing lists
  • Follow Phala Network and Flashbots on Twitter
  • Join community forums

