Dstack-TEE · kvinwang · Mar 14, 2026 · Mar 13, 2026
diff --git a/cert-client/src/lib.rs b/cert-client/src/lib.rs
@@ -102,7 +102,10 @@ impl CertRequestClient {
         let pubkey = key.public_key_der();
         let report_data = QuoteContentType::RaTlsCert.to_report_data(&pubkey);
         let attestation = match attestation_override {
-            Some(attestation) => attestation,
+            Some(mut attestation) => {
+                attestation.set_report_data(report_data);
+                attestation
+            }
             None => ra_rpc::Attestation::quote(&report_data)
                 .context("Failed to get quote for cert pubkey")?
                 .into_versioned(),

diff --git a/dstack-attest/src/attestation.rs b/dstack-attest/src/attestation.rs
@@ -267,6 +267,19 @@ impl VersionedAttestation {
         }
     }
 
+    /// Set the report_data field in the attestation and in the raw TDX quote bytes (offset 568..632).
+    /// This is used by the simulator to patch a canned attestation with the correct report_data
+    /// that binds to the actual TLS public key.
+    pub fn set_report_data(&mut self, report_data: [u8; 64]) {
+        let VersionedAttestation::V0 { attestation } = self;
+        attestation.report_data = report_data;
+        if let Some(tdx_quote) = attestation.tdx_quote_mut() {
+            if tdx_quote.quote.len() >= 632 {
+                tdx_quote.quote[568..632].copy_from_slice(&report_data);
+            }
+        }
+    }
+
     /// Strip data for certificate embedding (e.g. keep RTMR3 event logs only).
     pub fn into_stripped(mut self) -> Self {
         let VersionedAttestation::V0 { attestation } = &mut self;