CVM Image and Model Lifecycle

The model provider builds the guest image through a controlled pipeline. The image contains the inference server, attestation client, startup logic, GPU user-space libraries, certificate bootstrap, and health endpoints — nothing else. SSH and interactive login are disabled. Any break-glass path is approved separately.

The boot chain is measured. Changes to the bootloader, kernel, initrd, drivers, systemd units, inference server, or any policy-relevant configuration change the attestation measurements — and therefore the released keys. New measurements get recorded and approved before production keys come back online.
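The measurement-to-key gating described above, as an added example that is not part of the original document: a release service that folds per-component digests into one composite value, releases a wrapped model key only for approved composites, and parks anything else as pending until an operator approves it. The component list, the SHA-256 extend chain and the service API are assumptions standing in for the platform's real attestation evidence and key broker.

```python
import hashlib

# Constructed example: the measured parts of the guest image named in the text.
MEASURED_COMPONENTS = ("bootloader", "kernel", "initrd", "drivers",
                       "systemd_units", "inference_server", "policy_config")


def digest(data: bytes) -> str:
    """SHA-256 of an artifact, hex encoded (stand-in for a file or partition hash)."""
    return hashlib.sha256(data).hexdigest()


def composite_measurement(component_digests: dict) -> str:
    """Fold per-component digests into one value in a fixed order, TPM/RTMR style:
    acc = SHA-256(acc || digest). Changing any component changes the result."""
    acc = b"\x00" * 32
    for name in MEASURED_COMPONENTS:
        acc = hashlib.sha256(acc + bytes.fromhex(component_digests[name])).digest()
    return acc.hex()


class KeyReleaseService:
    """Releases a model key only to a guest whose composite measurement is on
    the approved list; an unknown measurement is recorded as pending instead."""

    def __init__(self, approved: dict, keys: dict):
        self.approved = dict(approved)  # composite measurement -> image label
        self.keys = dict(keys)          # image label -> wrapped model key
        self.pending = {}               # composite measurement -> evidence

    def request_key(self, evidence: dict):
        measurement = composite_measurement(evidence["components"])
        label = self.approved.get(measurement)
        if label is None:
            self.pending.setdefault(measurement, evidence)  # record, release nothing
            return None
        return self.keys.get(label)

    def approve(self, measurement: str, label: str) -> None:
        """Operator action after review: promote a pending measurement."""
        self.approved[measurement] = label
        self.pending.pop(measurement)  # KeyError if it was never observed


def example_image(kernel: bytes = b"vmlinuz-6.1") -> dict:
    """Constructed component digests for one image build (bytes are placeholders)."""
    parts = {name: name.encode() for name in MEASURED_COMPONENTS}
    parts["kernel"] = kernel
    return {name: digest(blob) for name, blob in parts.items()}
```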

Model weights stay encrypted outside the CVM. They can be shipped inside the image as encrypted files, mounted from encrypted storage, or fetched from an artifact service after boot. Model weights are readable in plaintext only inside protected CPU/GPU memory. They are never exposed to the host as plaintext and may be written to encrypted in-guest storage only when policy allows.

Model artifacts never exist in host-readable form. Any temporary readable artifacts stay inside confidential guest temporary storage and are cleaned up at shutdown.

Lifecycle controls are listed in Appendix D.