Problem: As a user we cannot create a confidential VM using the SDK.

Solution: Implement new confidential VM fields.

Author: nesitor

src/aleph/sdk/client/authenticated_http.py

@@ -29,9 +29,11 @@
 from aleph_message.models.execution.base import Encoding, Payment, PaymentType
 from aleph_message.models.execution.environment import (
     FunctionEnvironment,
+    HostRequirements,
     HypervisorType,
     InstanceEnvironment,
     MachineResources,
+    TrustedExecutionEnvironment,
 )
 from aleph_message.models.execution.instance import RootfsVolume
 from aleph_message.models.execution.program import CodeContent, FunctionRuntime
@@ -522,10 +524,13 @@ async def create_instance(
         internet: bool = True,
         aleph_api: bool = True,
         hypervisor: Optional[HypervisorType] = None,
+        confidential_firmware: Optional[ItemHash] = None,
+        confidential_policy: Optional[int] = None,
         volumes: Optional[List[Mapping]] = None,
         volume_persistence: str = "host",
         ssh_keys: Optional[List[str]] = None,
         metadata: Optional[Mapping[str, Any]] = None,
+        requirements: Optional[HostRequirements] = None,
     ) -> Tuple[InstanceMessage, MessageStatus]:
         address = address or settings.ADDRESS_TO_USE or self.account.get_address()
 
@@ -536,6 +541,14 @@ async def create_instance(
 
         payment = payment or Payment(chain=Chain.ETH, type=PaymentType.hold)
 
+        if confidential_firmware or confidential_policy:
+            confidential_options = TrustedExecutionEnvironment(
+                firmware=confidential_firmware,
+                policy=confidential_policy,
+            )
+        else:
+            confidential_options = None
+
         # Default to the QEMU hypervisor for instances.
         selected_hypervisor: HypervisorType = hypervisor or HypervisorType.qemu
 
@@ -546,6 +559,7 @@ async def create_instance(
                 internet=internet,
                 aleph_api=aleph_api,
                 hypervisor=selected_hypervisor,
+                trusted_execution=confidential_options,
             ),
             variables=environment_variables,
             resources=MachineResources(
@@ -563,6 +577,7 @@ async def create_instance(
                 use_latest=True,
             ),
             volumes=[parse_volume(volume) for volume in volumes],
+            requirements=requirements,
             time=time.time(),
             authorized_keys=ssh_keys,
             metadata=metadata,

tests/unit/test_asynchronous.py

@@ -14,7 +14,12 @@
     ProgramMessage,
     StoreMessage,
 )
-from aleph_message.models.execution.environment import HypervisorType, MachineResources
+from aleph_message.models.execution.environment import (
+    HostRequirements,
+    HypervisorType,
+    MachineResources,
+    NodeRequirements,
+)
 from aleph_message.status import MessageStatus
 
 from aleph.sdk.exceptions import InsufficientFundsError
@@ -163,6 +168,33 @@ async def test_create_instance_no_hypervisor(mock_session_with_post_success):
     assert isinstance(instance_message, InstanceMessage)
 
 
+@pytest.mark.asyncio
+async def test_create_confidential_instance(mock_session_with_post_success):
+    async with mock_session_with_post_success as session:
+        confidential_instance_message, message_status = await session.create_instance(
+            rootfs="cafecafecafecafecafecafecafecafecafecafecafecafecafecafecafecafe",
+            rootfs_size=1,
+            channel="TEST",
+            metadata={"tags": ["test"]},
+            payment=Payment(
+                chain=Chain.AVAX,
+                receiver="0x4145f182EF2F06b45E50468519C1B92C60FBd4A0",
+                type=PaymentType.superfluid,
+            ),
+            hypervisor=HypervisorType.qemu,
+            confidential_firmware="cafecafecafecafecafecafecafecafecafecafecafecafecafecafecafecafe",
+            confidential_policy=0b1,
+            requirements=HostRequirements(
+                node=NodeRequirements(
+                    node_hash="cafecafecafecafecafecafecafecafecafecafecafecafecafecafecafecafe",
+                )
+            ),
+        )
+
+    assert mock_session_with_post_success.http_session.post.assert_called_once
+    assert isinstance(confidential_instance_message, InstanceMessage)
+
+
 @pytest.mark.asyncio
 async def test_forget(mock_session_with_post_success):
     async with mock_session_with_post_success as session: