diff --git a/docs/docs/architecture/attestation.md b/docs/docs/architecture/attestation.md
index 04b85d8ad..572a8511f 100644
--- a/docs/docs/architecture/attestation.md
+++ b/docs/docs/architecture/attestation.md
@@ -217,6 +217,38 @@ The latter means that the value can be generated offline and compared to the one
| 15 | ClusterID | Constellation Bootstrapper | Yes |
| 16–23 | Unused | - | - |
+
+
+
+Constellation uses a hypervisor-based vTPM for runtime measurements.
+
+The vTPM adheres to the [TPM 2.0](https://trustedcomputinggroup.org/resource/tpm-library-specification/) specification.
+The VMs are attested by obtaining signed PCR values over the VM's boot configuration from the TPM and comparing them to a known, good state (measured boot).
+
+The following table lists all PCR values of the vTPM and the measured components.
+It also lists what components of the boot chain did the measurements and if the value is reproducible and verifiable.
+The latter means that the value can be generated offline and compared to the one in the vTPM.
+
+| PCR | Components | Measured by | Reproducible and verifiable |
+| ----------- | ---------------------------------------------------------------- | -------------------------------------- | --------------------------- |
+| 0 | Firmware | STACKIT | No |
+| 1 | Firmware | STACKIT | No |
+| 2 | Firmware | STACKIT | No |
+| 3 | Firmware | STACKIT | No |
+| 4 | Constellation Bootloader, Kernel, initramfs, Kernel command line | STACKIT, Constellation Bootloader | Yes |
+| 5 | Firmware | STACKIT | No |
+| 6 | Firmware | STACKIT | No |
+| 7 | Secure Boot Policy | STACKIT, Constellation Bootloader | No |
+| 8 | - | - | - |
+| 9 | initramfs, Kernel command line | Linux Kernel | Yes |
+| 10 | User space | Linux IMA | No[^1] |
+| 11 | Unified Kernel Image components | Constellation Bootloader | Yes |
+| 12 | Reserved | (User space, Constellation Bootloader) | Yes |
+| 13 | Reserved | (Constellation Bootloader) | Yes |
+| 14 | Secure Boot State | Constellation Bootloader | No |
+| 15 | ClusterID | Constellation Bootstrapper | Yes |
+| 16–23 | Unused | - | - |
+
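Review bot: The added section opens with "Constellation uses a hypervisor-based vTPM for runtime measurements." and never names the provider; STACKIT only shows up in the "Measured by" column of the table. Suggest starting the paragraph with "On STACKIT, Constellation uses a hypervisor-based vTPM ...". Since PCRs 0 to 3, 5 and 6 are measured solely by STACKIT and marked as not reproducible, it would also help to say here, as the clouds.md text in this patch does, that the hypervisor is part of Constellation's TCB.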
@@ -251,13 +283,15 @@ You may customize certain parameters for verification of the attestation stateme
+On GCP, AMD SEV-ES is used to provide runtime encryption to the VMs.
+The hypervisor-based vTPM is used to establish trust in the VM via [runtime measurements](#runtime-measurements).
There is no additional configuration available for GCP.
On AWS, AMD SEV-SNP is used to provide runtime encryption to the VMs.
-An SEV-SNP attestation report is used to establish trust in the VM and it's vTPM.
+An SEV-SNP attestation report is used to establish trust in the VM.
You may customize certain parameters for verification of the attestation statement using the Constellation config file.
* TCB versions
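Review bot: Removing "and it's vTPM" from the AWS sentence is a change in meaning, not just a grammar fix, and the AWS text now says nothing about how the vTPM is trusted. If the SEV-SNP report doesn't cover the vTPM, add a sentence that points to [runtime measurements](#runtime-measurements), as the new GCP lines do; if it does, keep the clause and correct it to "its vTPM".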
@@ -275,6 +309,13 @@ You may customize certain parameters for verification of the attestation stateme
This is the intermediate certificate for verifying the SEV-SNP report's signature.
If it's not specified, the CLI fetches it from the AMD key distribution server.
+
+
+
+On STACKIT, AMD SEV-ES is used to provide runtime encryption to the VMs.
+The hypervisor-based vTPM is used to establish trust in the VM via [runtime measurements](#runtime-measurements).
+There is no additional configuration available for STACKIT.
+
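Review bot: Three consecutive empty lines are added before "On STACKIT, AMD SEV-ES is used ...", and nothing visible labels the paragraph as the STACKIT entry. If a heading or tab marker is meant to sit there, check that it is present and closed; otherwise reduce this to a single blank line.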
diff --git a/docs/docs/overview/clouds.md b/docs/docs/overview/clouds.md
index 8cc42a990..b2de81e4b 100644
--- a/docs/docs/overview/clouds.md
+++ b/docs/docs/overview/clouds.md
@@ -14,13 +14,13 @@ For Constellation, the ideal environment provides the following:
The following table summarizes the state of features for different infrastructures as of June 2023.
-| **Feature** | **Azure** | **GCP** | **AWS** | **OpenStack (Yoga)** |
-|-----------------------------------|-----------|---------|---------|----------------------|
-| **1. Custom images** | Yes | Yes | Yes | Yes |
-| **2. SEV-SNP or TDX** | Yes | Yes | Yes | Depends on kernel/HV |
-| **3. Raw guest attestation** | Yes | Yes | Yes | Depends on kernel/HV |
-| **4. Reviewable firmware** | No | No | Yes | Depends on kernel/HV |
-| **5. Confidential measured boot** | Yes | No | No | Depends on kernel/HV |
+| **Feature** | **Azure** | **GCP** | **AWS** | **STACKIT** | **OpenStack (Yoga)** |
+|-----------------------------------|-----------|---------|---------|--------------|----------------------|
+| **1. Custom images** | Yes | Yes | Yes | Yes | Yes |
+| **2. SEV-SNP or TDX** | Yes | Yes | Yes | No | Depends on kernel/HV |
+| **3. Raw guest attestation** | Yes | Yes | Yes | No | Depends on kernel/HV |
+| **4. Reviewable firmware** | No | No | Yes | No | Depends on kernel/HV |
+| **5. Confidential measured boot** | Yes | No | No | No | Depends on kernel/HV |
## Microsoft Azure
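Review bot: The context line above the table still reads "as of June 2023", but the table now gains a STACKIT column. Update the date so readers don't take the STACKIT entries as a June 2023 assessment.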
@@ -53,6 +53,10 @@ However, regarding (5), attestation is partially based on the [NitroTPM](https:/
Hence, the hypervisor is currently part of Constellation's TCB.
Regarding (4), the [firmware is open source](https://github.com/aws/uefi) and can be reproducibly built.
+## STACKIT
+
+[STACKIT Compute Engine](https://www.stackit.de/en/product/stackit-compute-engine/) supports AMD SEV-ES. A vTPM is used for measured boot, which is a vTPM managed by STACKIT's hypervisor. Hence, the hypervisor is currently part of Constellation's TCB.
+
## OpenStack
OpenStack is an open-source cloud and infrastructure management software. It's used by many smaller CSPs and datacenters. In the latest *Yoga* version, OpenStack has basic support for CVMs. However, much depends on the employed kernel and hypervisor. Features (2)--(4) are likely to be a *Yes* with Linux kernel version 6.2. Thus, going forward, OpenStack on corresponding AMD or Intel hardware will be a viable underpinning for Constellation.
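Review bot: In the added STACKIT paragraph, "A vTPM is used for measured boot, which is a vTPM managed by STACKIT's hypervisor" repeats itself and the "which" reads as referring to measured boot. Suggest "Measured boot uses a vTPM managed by STACKIT's hypervisor." and keeping the following "Hence, the hypervisor is currently part of Constellation's TCB." as is.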
diff --git a/docs/styles/config/vocabularies/edgeless/accept.txt b/docs/styles/config/vocabularies/edgeless/accept.txt
index 6220f0553..26fa0d0c9 100644
--- a/docs/styles/config/vocabularies/edgeless/accept.txt
+++ b/docs/styles/config/vocabularies/edgeless/accept.txt
@@ -63,6 +63,7 @@ rollout
SBOM
sigstore
SSD
+STACKIT
superset
Syft
systemd
diff --git a/docs/versioned_docs/version-2.16/architecture/attestation.md b/docs/versioned_docs/version-2.16/architecture/attestation.md
index 04b85d8ad..d7e857ab5 100644
--- a/docs/versioned_docs/version-2.16/architecture/attestation.md
+++ b/docs/versioned_docs/version-2.16/architecture/attestation.md
@@ -251,13 +251,15 @@ You may customize certain parameters for verification of the attestation stateme
+On GCP, AMD SEV-ES is used to provide runtime encryption to the VMs.
+The hypervisor-based vTPM is used to establish trust in the VM via [runtime measurements](#runtime-measurements).
There is no additional configuration available for GCP.
On AWS, AMD SEV-SNP is used to provide runtime encryption to the VMs.
-An SEV-SNP attestation report is used to establish trust in the VM and it's vTPM.
+An SEV-SNP attestation report is used to establish trust in the VM.
You may customize certain parameters for verification of the attestation statement using the Constellation config file.
* TCB versions
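Review bot: The added GCP line says AMD SEV-ES is used, while the feature table in clouds.md lists GCP as "Yes" for "2. SEV-SNP or TDX". A short clarification of what Constellation actually uses on GCP versus what the platform offers would keep the two pages from reading as contradictory.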
@@ -275,6 +277,13 @@ You may customize certain parameters for verification of the attestation stateme
This is the intermediate certificate for verifying the SEV-SNP report's signature.
If it's not specified, the CLI fetches it from the AMD key distribution server.
+
+
+
+On STACKIT, AMD SEV-ES is used to provide runtime encryption to the VMs.
+The hypervisor-based vTPM is used to establish trust in the VM via [runtime measurements](#runtime-measurements).
+There is no additional configuration available for STACKIT.
+
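Review bot: The added STACKIT paragraph links to #runtime-measurements, but this versioned file has no hunk adding the STACKIT PCR table that docs/docs/architecture/attestation.md receives at line 217 in the same patch. Either add the table to version-2.16 as well or confirm the omission is intended, since the link would otherwise lead to a section with no STACKIT measurements.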
diff --git a/docs/versioned_docs/version-2.16/overview/clouds.md b/docs/versioned_docs/version-2.16/overview/clouds.md
index 8cc42a990..b2de81e4b 100644
--- a/docs/versioned_docs/version-2.16/overview/clouds.md
+++ b/docs/versioned_docs/version-2.16/overview/clouds.md
@@ -14,13 +14,13 @@ For Constellation, the ideal environment provides the following:
The following table summarizes the state of features for different infrastructures as of June 2023.
-| **Feature** | **Azure** | **GCP** | **AWS** | **OpenStack (Yoga)** |
-|-----------------------------------|-----------|---------|---------|----------------------|
-| **1. Custom images** | Yes | Yes | Yes | Yes |
-| **2. SEV-SNP or TDX** | Yes | Yes | Yes | Depends on kernel/HV |
-| **3. Raw guest attestation** | Yes | Yes | Yes | Depends on kernel/HV |
-| **4. Reviewable firmware** | No | No | Yes | Depends on kernel/HV |
-| **5. Confidential measured boot** | Yes | No | No | Depends on kernel/HV |
+| **Feature** | **Azure** | **GCP** | **AWS** | **STACKIT** | **OpenStack (Yoga)** |
+|-----------------------------------|-----------|---------|---------|--------------|----------------------|
+| **1. Custom images** | Yes | Yes | Yes | Yes | Yes |
+| **2. SEV-SNP or TDX** | Yes | Yes | Yes | No | Depends on kernel/HV |
+| **3. Raw guest attestation** | Yes | Yes | Yes | No | Depends on kernel/HV |
+| **4. Reviewable firmware** | No | No | Yes | No | Depends on kernel/HV |
+| **5. Confidential measured boot** | Yes | No | No | No | Depends on kernel/HV |
## Microsoft Azure
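Review bot: The STACKIT column is "No" for rows 2 to 5, yet the STACKIT section added further down says SEV-ES is supported and measured boot uses a hypervisor-managed vTPM. A reader of the table alone can't tell that from "No"; consider a footnote or a short qualifier on rows 2 and 5.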
@@ -53,6 +53,10 @@ However, regarding (5), attestation is partially based on the [NitroTPM](https:/
Hence, the hypervisor is currently part of Constellation's TCB.
Regarding (4), the [firmware is open source](https://github.com/aws/uefi) and can be reproducibly built.
+## STACKIT
+
+[STACKIT Compute Engine](https://www.stackit.de/en/product/stackit-compute-engine/) supports AMD SEV-ES. A vTPM is used for measured boot, which is a vTPM managed by STACKIT's hypervisor. Hence, the hypervisor is currently part of Constellation's TCB.
+
## OpenStack
OpenStack is an open-source cloud and infrastructure management software. It's used by many smaller CSPs and datacenters. In the latest *Yoga* version, OpenStack has basic support for CVMs. However, much depends on the employed kernel and hypervisor. Features (2)--(4) are likely to be a *Yes* with Linux kernel version 6.2. Thus, going forward, OpenStack on corresponding AMD or Intel hardware will be a viable underpinning for Constellation.
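Review bot: The new STACKIT section doesn't tie back to the numbered features the way the AWS section just above it does ("regarding (5)", "Regarding (4)"). Stating which of (2) to (5) are missing and why would make it consistent with the neighbouring provider sections and with the table.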