
OPPO × Phala: Bringing Verifiable Trust to Cloud-Native AI Infrastructure

Jun 23, 2026 · 5 min read

Recently, we published a joint technical paper with OPPO: Implement Kubernetes Pod-Level Remote Attestation for Confidential Workloads on dstack. This is the result of months of collaboration between our engineering teams, and it’s a meaningful step toward making Private AI infrastructure practical and verifiable at production scale.

What We Built

The paper describes a Pod-level remote attestation mechanism that runs on dstack, our open-source framework for confidential computing. In plain terms: when an AI workload starts inside a Kubernetes Pod, the system generates cryptographic proof that ties together what hardware it is running on, what software is inside the Pod, and what identity the Pod carries within the cluster. An external verifier can check that proof before allowing the Pod to receive sensitive data or access protected services.

This matters because traditional Kubernetes controls like RBAC and Network Policy define what a Pod is allowed to do. They do not answer whether the Pod is actually running the code it claims to be running, on hardware that has not been tampered with. Attestation answers that question. And putting it at the Pod level, rather than at the node or VM level, makes it actionable for individual workloads.

The mechanism builds on Intel TDX and works within Kubernetes' existing Pod lifecycle. The attestation proof is available before the Pod's workload starts, which means policy decisions happen before any sensitive data enters the Pod. A compromised node cannot impersonate a valid Pod, because it cannot produce a quote signed by genuine hardware. A modified container image will not match the expected measurement.
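The following is an added illustration of the verifier-side logic described above; it is not dstack's or the paper's code. It models a quote as a hardware-signed record over a TD measurement (`mrtd`) and a `report_data` field that binds the container image digest to the Pod's in-cluster identity (namespace and service account). The HMAC key, the `pod_binding` layout, the policy shape and all digests are constructed assumptions; a real TDX quote is signed by Intel-rooted keys and verified through DCAP, not a shared secret. The point it shows is the three failure modes the paper's design is meant to catch: a forged quote from a compromised node, a modified image, and a Pod claiming an identity it does not hold.

```python
"""Toy model of Pod-level attestation verification (illustrative, not dstack code)."""
import hashlib
import hmac
import json

# Constructed stand-in for the hardware attestation key. In a real TDX deployment the
# quote is signed by Intel-rooted keys; this HMAC only models "only genuine hardware can
# produce a valid quote" so the example runs offline.
_HW_KEY = b"constructed-tdx-signing-key"


def pod_binding(image_digest: str, namespace: str, service_account: str) -> bytes:
    """Hash that ties the container image to the Pod's identity within the cluster.
    The layout is an assumption for this example."""
    return hashlib.sha256(f"{image_digest}|{namespace}|{service_account}".encode()).digest()


def _quote_mac(mrtd: str, report_data_hex: str, hw_key: bytes) -> str:
    body = json.dumps({"mrtd": mrtd, "report_data": report_data_hex}, sort_keys=True)
    return hmac.new(hw_key, body.encode(), hashlib.sha256).hexdigest()


def issue_quote(mrtd: str, report_data: bytes, hw_key: bytes = _HW_KEY) -> dict:
    """Simulate the hardware producing a quote over (mrtd, report_data)."""
    return {"mrtd": mrtd, "report_data": report_data.hex(),
            "signature": _quote_mac(mrtd, report_data.hex(), hw_key)}


def verify_pod(quote: dict, claimed: dict, policy: dict, hw_key: bytes = _HW_KEY) -> tuple:
    """Return (accepted, reason). Checks run before any data is released to the Pod."""
    # 1. Hardware origin: a node without the genuine key cannot forge this.
    expected_sig = _quote_mac(quote["mrtd"], quote["report_data"], hw_key)
    if not hmac.compare_digest(expected_sig, quote["signature"]):
        return False, "quote signature invalid: not produced by genuine hardware"
    # 2. Platform software: the TD measurement must be one the policy trusts.
    if quote["mrtd"] not in policy["allowed_mrtd"]:
        return False, "unknown TD measurement"
    # 3. Binding: the quote must commit to the image and identity the Pod claims.
    expected_rd = pod_binding(claimed["image_digest"], claimed["namespace"],
                              claimed["service_account"]).hex()
    if not hmac.compare_digest(expected_rd, quote["report_data"]):
        return False, "report_data does not match claimed image/identity"
    # 4. Policy: both the image and the identity must be explicitly allowed.
    if claimed["image_digest"] not in policy["allowed_images"]:
        return False, "image digest not in policy"
    if (claimed["namespace"], claimed["service_account"]) not in policy["allowed_identities"]:
        return False, "pod identity not authorised"
    return True, "ok"


# Constructed policy and sample Pods for the demonstration.
POLICY = {
    "allowed_mrtd": {"mrtd-constructed-aaaa"},
    "allowed_images": {"sha256:constructed-image-good"},
    "allowed_identities": {("ai-inference", "photo-worker")},
}
GOOD = {"image_digest": "sha256:constructed-image-good",
        "namespace": "ai-inference", "service_account": "photo-worker"}


def scenarios() -> dict:
    """Run the four cases the text describes and return each verdict."""
    good_rd = pod_binding(**GOOD)
    results = {}
    # Genuine hardware, expected image, authorised identity.
    results["genuine"] = verify_pod(issue_quote("mrtd-constructed-aaaa", good_rd), GOOD, POLICY)
    # Compromised node: tries to sign a quote without the hardware key.
    forged = issue_quote("mrtd-constructed-aaaa", good_rd, hw_key=b"attacker-key")
    results["forged_quote"] = verify_pod(forged, GOOD, POLICY)
    # Modified image: the measured binding no longer matches the allowed image.
    tampered = dict(GOOD, image_digest="sha256:constructed-image-modified")
    results["modified_image"] = verify_pod(
        issue_quote("mrtd-constructed-aaaa", pod_binding(**tampered)), tampered, POLICY)
    # Impersonation: a real quote for one identity presented with another identity.
    impostor = dict(GOOD, service_account="billing-admin")
    results["impersonated_identity"] = verify_pod(
        issue_quote("mrtd-constructed-aaaa", good_rd), impostor, POLICY)
    return results


if __name__ == "__main__":
    for name, (ok, why) in scenarios().items():
        print(f"{name:24s} {'ACCEPT' if ok else 'REJECT'}  {why}")
```

Only the genuine Pod is accepted; the other three are rejected at the check that corresponds to the failure the text names. In a deployment the same decision point is where a key-release or data-gateway service would sit, so the Pod never receives secrets before the verdict.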

Why We Worked on This

At Phala, dstack has always been about making confidential computing accessible to developers. We provide the SDKs, the attestation primitives, and the key management infrastructure so that AI teams can deploy workloads into verifiable environments without becoming security engineers themselves.

OPPO has been building in the same direction from the other side. Their Private Computing Cloud (PCC) is designed as a trusted cloud-native foundation, carrying the same conviction that personal AI workloads, from photo understanding to voice interaction from millions of mobile devices, need infrastructure-level privacy guarantees. Both teams share the same belief: the next generation of cloud workloads, especially AI services that process personal data, need a verifiable trust layer that goes beyond what traditional cloud security provides.

That shared goal brought our engineering teams together. Our contribution focused on Pod-level remote attestation, making it possible to tie hardware trust to individual Kubernetes workloads. OPPO brought deep expertise in device-to-cloud architectures and the real-world constraints of running these systems at scale. The paper is the result of that collaboration.

Through this open-source collaboration, the work advances OPPO PCC's trust infrastructure by demonstrating how Pod-level attestation can give every AI workload a verifiable identity chain from the CPU up. It does not replace existing security measures. It adds a layer that was missing: a way to confirm, before any data is processed, that the environment is genuine.

For the Broader Community

The Pod-level attestation design is documented in full on arXiv, and the implementation will be open-sourced once the necessary security audits are complete. Applications built on dstack will benefit from this work directly, gaining Pod-level attestation without introducing new infrastructure dependencies.

We see this as part of a larger shift in how infrastructure is evaluated for AI services. For years the conversation focused on performance and elasticity. AI workloads that handle personal data add a third requirement: verifiability. Users and developers should be able to confirm that the environment processing their data is trustworthy, not just take the cloud operator's word for it.

What Comes Next

Our collaboration with OPPO continues. We are working to bring Pod-level attestation closer to production readiness within OPPO PCC, and exploring applications around personal AI agents, privacy-preserving on-device intelligence, and secure multi-party computation across devices.

Phala remains committed to advancing confidential computing in open source. The tools and primitives developed through this collaboration will feed back into dstack's public roadmap, strengthening the open-source foundation for anyone building verifiable AI infrastructure.

Links: Paper on arXiv · dstack on GitHub
