This work addresses the limitations of existing confidential computing solutions based on the “one-Pod-one-VM” model—such as Confidential Containers—which can only attest the guest OS, lack container-level identity attestation, and incur high resource overhead. We propose a two-layer remote attestation architecture on Intel TDX that enables multiple Pods to share a single confidential VM while each retains a distinct, hardware-backed identity. This is achieved through an irreversible privilege-fusing mechanism and dynamic Pod identity binding. Built atop Kubernetes 1.32, Sysbox, and TDX, our system integrates multi-layer sandboxing and attestation protocols spanning storage, runtime, admission control, APIs, and networking. Our approach significantly reduces resource overhead while preserving security and attestation correctness, achieving for the first time fine-grained, Pod-level remote attestation without requiring VM exclusivity.

The rise of LLM-as-a-Service and other confidential cloud workloads demands cryptographic proof that user data is processed in a trusted, untampered environment. Existing solutions, notably Confidential Containers (CoCo), enforce a strict "one Pod per VM" model that attests only the Guest OS stack, leaving container-level identity unverified and incurring prohibitive per-VM resource overhead. We present dstack-capsule, a Kubernetes platform that enables Pod-level remote attestation on Intel TDX by allowing multiple Pods to share a single Confidential VM while each retains independent, hardware-backed proof of identity. Our key insight is a two-layer attestation architecture: static platform measurements are frozen in RTMR[3] via an irreversible privilege fuse, while dynamic Pod identities (pod_uid, pod_spec_hash, workload_id) are embedded in the TDX Quote's report_data field and signed by hardware on every request. dstack-capsule introduces (1) a Pod-level attestation protocol binding Pod spec digests to hardware-signed Quotes; (2) a privilege fuse mechanism that atomically transitions a node from setup mode to secure mode; (3) a multi-layer sandbox spanning storage, runtime, admission, API, and network isolation layers; and (4) a complete open-source implementation based on Kubernetes 1.32, Intel TDX, and Sysbox. We evaluate the security properties, attestation correctness, and performance characteristics of dstack-capsule, demonstrating that it achieves Pod-granularity verification without the resource overhead of per-VM isolation.