You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
During the full Chutes inventory bring-up on cloud-stg-api, 12 of 13 TEE models run on the v1.3.0 software release and serve over attested E2EE after #773 (the v1.3.0 hardware-family golden-measurement expansion). The one exception:
mistralai/mistral-nemo (chute slug unsloth/Mistral-Nemo-Instruct-2407-TEE) is currently scheduled on 8xRTX_PRO_6000 v1.2.0. Its live, DCAP-signature-verified quote presents:
This matches the published 8xRTX_PRO_6000 v1.2.0 row byte-for-byte — including RTMR3 = all-zeros. In v1.2.0 the app/IMA layer is not extended into RTMR3, so the running software identity is unmeasured.
Why it (correctly) fails closed
vetted_golden_measurements() pins only the v1.3.0 family (#773), where RTMR3 authenticates the full software stack. Accepting the v1.2.0 row would mean attesting only the boot chain (MRTD + RTMR0-2) while the running app is unverified — a real attestation downgrade. Per the verifiable-never-degraded principle, the register-pin refuses mistral-nemo rather than serve it under weaker attestation. This is the fail-closed policy working as designed, not a bug.
Impact / options
mistralai/mistral-nemo returns 502 (masked) until it can be securely served.
Recommended: deactivate its catalog row (PATCH /v1/admin/models is_active=false) so it isn't advertised/502-ing, and re-activate once Chutes runs it on v1.3.0 (RTMR3-extended) — at which point the existing feat(chutes): accept the full v1.3.0 hardware family in golden measurements #773 allowlist already covers it (the RTX_PRO_6000 v1.3.0 row is pinned).
Alternative (NOT recommended): add the v1.2.0 row to the allowlist — rejected, because RTMR3=0 means no running-software authentication.
Track
Re-check after Chutes upgrades mistral-nemo's chute to v1.3.0; no cloud-api change needed then (already covered by #773).
Finding
During the full Chutes inventory bring-up on
cloud-stg-api, 12 of 13 TEE models run on the v1.3.0 software release and serve over attested E2EE after #773 (the v1.3.0 hardware-family golden-measurement expansion). The one exception:mistralai/mistral-nemo(chute slugunsloth/Mistral-Nemo-Instruct-2407-TEE) is currently scheduled on8xRTX_PRO_6000 v1.2.0. Its live, DCAP-signature-verified quote presents:This matches the published
8xRTX_PRO_6000 v1.2.0row byte-for-byte — including RTMR3 = all-zeros. In v1.2.0 the app/IMA layer is not extended into RTMR3, so the running software identity is unmeasured.Why it (correctly) fails closed
vetted_golden_measurements()pins only the v1.3.0 family (#773), where RTMR3 authenticates the full software stack. Accepting the v1.2.0 row would mean attesting only the boot chain (MRTD + RTMR0-2) while the running app is unverified — a real attestation downgrade. Per the verifiable-never-degraded principle, the register-pin refuses mistral-nemo rather than serve it under weaker attestation. This is the fail-closed policy working as designed, not a bug.Impact / options
mistralai/mistral-nemoreturns 502 (masked) until it can be securely served.PATCH /v1/admin/models is_active=false) so it isn't advertised/502-ing, and re-activate once Chutes runs it on v1.3.0 (RTMR3-extended) — at which point the existing feat(chutes): accept the full v1.3.0 hardware family in golden measurements #773 allowlist already covers it (the RTX_PRO_6000 v1.3.0 row is pinned).Track
Re-check after Chutes upgrades mistral-nemo's chute to v1.3.0; no cloud-api change needed then (already covered by #773).