feat(kms): enhance onboard page with site name, chain info, and k256 pubkey

Leechael · Leechael · commit 69d3f0bee205 · 2026-03-20T11:53:52.000+08:00
- Add configurable site_name to core config, displayed as page title
  and heading on the onboard page for operator visibility.
- Read eth_rpc_url and kms_contract_address from auth-api instead of
  duplicating in onboard config. Display chain info in a separate card.
- Return k256_pubkey in OnboardResponse so it can be compared with the
  on-chain kmsInfo.k256Pubkey after onboarding.
diff --git a/kms/auth-eth/src/server.ts b/kms/auth-eth/src/server.ts
@@ -59,6 +59,7 @@ export async function build(): Promise<FastifyInstance> {
     return {
       status: 'ok',
       kmsContractAddr: kmsContractAddr,
+      ethRpcUrl: rpcUrl,
       gatewayAppId: batch[0],
       chainId: batch[1],
       appAuthImplementation: batch[2], // NOTE: for backward compatibility
diff --git a/kms/kms.toml b/kms/kms.toml
@@ -26,6 +26,7 @@ mandatory = false
 cert_dir = "/etc/kms/certs"
 subject_postfix = ".dstack"
 admin_token_hash = ""
+site_name = ""
 
 [core.image]
 verify = true
diff --git a/kms/rpc/proto/kms_rpc.proto b/kms/rpc/proto/kms_rpc.proto
@@ -131,6 +131,8 @@ message OnboardRequest {
 }
 
 message OnboardResponse {
+  // k256 public key (secp256k1) inherited from source KMS
+  bytes k256_pubkey = 1;
 }
 
 // Attestation info needed for on-chain KMS authorization.
@@ -143,6 +145,12 @@ message AttestationInfoResponse {
   bytes os_image_hash = 3;
   // Attestation mode (e.g. "dstack-tdx", "dstack-gcp-tdx")
   string attestation_mode = 4;
+  // Custom site name for display
+  string site_name = 5;
+  // Ethereum RPC URL from auth API
+  string eth_rpc_url = 6;
+  // KMS contract address from auth API
+  string kms_contract_address = 7;
 }
 
 // The Onboard RPC service.
diff --git a/kms/src/config.rs b/kms/src/config.rs
@@ -40,6 +40,8 @@ pub(crate) struct KmsConfig {
     pub image: ImageConfig,
     #[serde(with = "serde_human_bytes")]
     pub admin_token_hash: Vec<u8>,
+    #[serde(default)]
+    pub site_name: String,
 }
 
 impl KmsConfig {
diff --git a/kms/src/main_service/upgrade_authority.rs b/kms/src/main_service/upgrade_authority.rs
@@ -99,6 +99,8 @@ pub(crate) struct BootResponse {
 pub(crate) struct AuthApiInfoResponse {
     pub status: String,
     pub kms_contract_addr: String,
+    #[serde(default)]
+    pub eth_rpc_url: String,
     pub gateway_app_id: String,
     pub chain_id: u64,
     pub app_implementation: String,
@@ -110,6 +112,7 @@ pub(crate) struct GetInfoResponse {
     pub is_dev: bool,
     pub gateway_app_id: Option<String>,
     pub kms_contract_address: Option<String>,
+    pub eth_rpc_url: Option<String>,
     pub chain_id: Option<u64>,
     pub app_implementation: Option<String>,
 }
@@ -161,15 +164,22 @@ impl AuthApi {
             AuthApi::Dev { dev } => Ok(GetInfoResponse {
                 is_dev: true,
                 kms_contract_address: None,
+                eth_rpc_url: None,
                 gateway_app_id: Some(dev.gateway_app_id.clone()),
                 chain_id: None,
                 app_implementation: None,
             }),
             AuthApi::Webhook { webhook } => {
                 let info: AuthApiInfoResponse = http_get(&webhook.url).await?;
+                let eth_rpc_url = if info.eth_rpc_url.is_empty() {
+                    None
+                } else {
+                    Some(info.eth_rpc_url.clone())
+                };
                 Ok(GetInfoResponse {
                     is_dev: false,
                     kms_contract_address: Some(info.kms_contract_addr.clone()),
+                    eth_rpc_url,
                     chain_id: Some(info.chain_id),
                     gateway_app_id: Some(info.gateway_app_id.clone()),
                     app_implementation: Some(info.app_implementation.clone()),
diff --git a/kms/src/onboard_service.rs b/kms/src/onboard_service.rs
@@ -98,9 +98,10 @@ impl OnboardRpc for OnboardHandler {
         )
         .await
         .context("Failed to onboard")?;
+        let k256_pubkey = keys.k256_key.verifying_key().to_sec1_bytes().to_vec();
         keys.store(&self.state.config)
             .context("Failed to store keys")?;
-        Ok(OnboardResponse {})
+        Ok(OnboardResponse { k256_pubkey })
     }
 
     async fn get_attestation_info(self) -> Result<AttestationInfoResponse> {
@@ -136,11 +137,26 @@ impl OnboardRpc for OnboardHandler {
             .decode_app_info_ex(false, &info.vm_config)
             .context("Failed to decode app info")?;
 
+        let (eth_rpc_url, kms_contract_address) = match self.state.config.auth_api.get_info().await
+        {
+            Ok(info) => (
+                info.eth_rpc_url.unwrap_or_default(),
+                info.kms_contract_address.unwrap_or_default(),
+            ),
+            Err(err) => {
+                tracing::warn!("failed to get auth api info: {err}");
+                (String::new(), String::new())
+            }
+        };
+
         Ok(AttestationInfoResponse {
             device_id: app_info.device_id,
             mr_aggregated: app_info.mr_aggregated.to_vec(),
             os_image_hash: app_info.os_image_hash,
             attestation_mode,
+            site_name: self.state.config.site_name.clone(),
+            eth_rpc_url,
+            kms_contract_address,
         })
     }
 
diff --git a/kms/src/www/onboard.html b/kms/src/www/onboard.html
@@ -145,6 +145,19 @@
             color: #333;
         }
 
+        .chain-info {
+            background-color: #f8f4e8;
+            border: 1px solid #ddc;
+            border-radius: 4px;
+            padding: 15px;
+            margin-bottom: 20px;
+        }
+
+        .chain-info h3 {
+            margin-top: 0;
+            color: #444;
+        }
+
         .loading {
             color: #888;
             font-style: italic;
@@ -154,7 +167,7 @@
 
 <body>
     <div id="app" class="container">
-        <h1>dstack KMS Setup</h1>
+        <h1>{{ siteName || 'dstack KMS Setup' }}</h1>
 
         <div v-if="attestationLoading" class="loading">Loading attestation info...</div>
         <div v-else-if="attestationError" class="error">Attestation info: {{ attestationError }}</div>
@@ -178,6 +191,18 @@ <h3>Attestation Info (for on-chain registration)</h3>
             </div>
         </div>
 
+        <div v-if="attestationInfo && (attestationInfo.eth_rpc_url || attestationInfo.kms_contract_address)" class="chain-info">
+            <h3>Chain Info</h3>
+            <div v-if="attestationInfo.eth_rpc_url" class="info-row">
+                <span class="info-label">ETH RPC URL:</span>
+                <span class="info-value">{{ attestationInfo.eth_rpc_url }}</span>
+            </div>
+            <div v-if="attestationInfo.kms_contract_address" class="info-row">
+                <span class="info-label">KMS Contract:</span>
+                <span class="info-value">{{ attestationInfo.kms_contract_address }}</span>
+            </div>
+        </div>
+
         <div v-if="!setupFinished">
             <div v-if="!selectedOption" class="initial-buttons">
                 <button @click="selectedOption = 'bootstrap'">Bootstrap</button>
@@ -261,7 +286,8 @@ <h2>Onboard from an Existing KMS Instance</h2>
                     setupFinished: false,
                     attestationInfo: null,
                     attestationLoading: true,
-                    attestationError: ''
+                    attestationError: '',
+                    siteName: ''
                 }
             },
             async mounted() {
@@ -271,6 +297,10 @@ <h2>Onboard from an Existing KMS Instance</h2>
                         this.attestationError = data.error;
                     } else {
                         this.attestationInfo = data;
+                        if (data.site_name) {
+                            this.siteName = data.site_name;
+                            document.title = data.site_name;
+                        }
                     }
                 } catch (err) {
                     this.attestationError = err.message;
@@ -310,6 +340,9 @@ <h2>Onboard from an Existing KMS Instance</h2>
                         if (data.error) throw new Error(data.error);
 
                         this.success = 'Onboarding successful!';
+                        this.result = JSON.stringify({
+                            k256Pubkey: '0x' + data.k256_pubkey,
+                        }, null, 2);
                         this.error = '';
                     } catch (err) {
                         this.error = err.message;

Original file line number	Diff line number	Diff line change
`@@ -131,6 +131,8 @@ message OnboardRequest {`
`131`	`131`	`}`
`132`	`132`
`133`	`133`	`message OnboardResponse {`
	`134`	`+ // k256 public key (secp256k1) inherited from source KMS`
	`135`	`+ bytes k256_pubkey = 1;`
`134`	`136`	`}`
`135`	`137`
`136`	`138`	`// Attestation info needed for on-chain KMS authorization.`
`@@ -143,6 +145,12 @@ message AttestationInfoResponse {`
`143`	`145`	`bytes os_image_hash = 3;`
`144`	`146`	`// Attestation mode (e.g. "dstack-tdx", "dstack-gcp-tdx")`
`145`	`147`	`string attestation_mode = 4;`
	`148`	`+ // Custom site name for display`
	`149`	`+ string site_name = 5;`
	`150`	`+ // Ethereum RPC URL from auth API`
	`151`	`+ string eth_rpc_url = 6;`
	`152`	`+ // KMS contract address from auth API`
	`153`	`+ string kms_contract_address = 7;`
`146`	`154`	`}`
`147`	`155`
`148`	`156`	`// The Onboard RPC service.`
Original file line number	Diff line number	Diff line change
`@@ -40,6 +40,8 @@ pub(crate) struct KmsConfig {`
`40`	`40`	`pub image: ImageConfig,`
`41`	`41`	`#[serde(with = "serde_human_bytes")]`
`42`	`42`	`pub admin_token_hash: Vec<u8>,`
	`43`	`+ #[serde(default)]`
	`44`	`+ pub site_name: String,`
`43`	`45`	`}`
`44`	`46`
`45`	`47`	`impl KmsConfig {`