From 1335e7b0ee57c07c0874c04b189a5e3691fdebc3 Mon Sep 17 00:00:00 2001 From: Moritz Sanft <58110325+msanft@users.noreply.github.com> Date: Thu, 1 Aug 2024 16:29:56 +0200 Subject: [PATCH 1/2] treewide: change runtime-handler naming scheme The Contrast runtime handlers are now named in the format `contrast-cc-<platform>-<hash>`, where `<hash>` is the hash of the relevant runtime components for platform and `<platform>` is the lowercase variant of the deployed platform. --- cli/cmd/generate.go | 2 +- cli/main.go | 4 +- cli/telemetry/telemetry.go | 2 +- e2e/genpolicy/genpolicy_test.go | 2 +- e2e/getdents/getdents_test.go | 2 +- e2e/openssl/openssl_test.go | 2 +- e2e/policy/policy_test.go | 2 +- e2e/servicemesh/servicemesh_test.go | 2 +- {cli => internal}/constants/constants.go | 0 internal/kuberesource/parts.go | 4 +- internal/kuberesource/resourcegen/main.go | 2 +- internal/manifest/constants.go | 28 +++----- internal/manifest/manifest.go | 13 ---- internal/manifest/referencevalues.go | 51 +++++++++++++- internal/manifest/runtimehandler.go | 32 +++++++++ internal/manifest/runtimehandler_test.go | 24 +++++++ nodeinstaller/README.md | 14 ++-- nodeinstaller/internal/config/config.go | 20 +----- nodeinstaller/internal/config/config_test.go | 42 ------------ nodeinstaller/internal/constants/constants.go | 3 + nodeinstaller/node-installer.go | 46 ++++++++----- nodeinstaller/node-installer_test.go | 16 +++-- packages/by-name/contrast/package.nix | 67 ++++++++++++++----- .../contrast-node-installer-image/package.nix | 38 ++++------- .../kata/runtime-class-files/package.nix | 6 +- .../contrast-node-installer-image/package.nix | 18 ++--- ...check-contrast-specific-layer-src-pr.patch | 9 ++- .../microsoft/runtime-class-files/package.nix | 13 ++-- 28 files changed, 264 insertions(+), 200 deletions(-) rename {cli => internal}/constants/constants.go (100%) create mode 100644 internal/manifest/runtimehandler.go create mode 100644 internal/manifest/runtimehandler_test.go
diff --git a/cli/cmd/generate.go b/cli/cmd/generate.go index 56124d156c..cb89892709 100644 --- a/cli/cmd/generate.go +++ b/cli/cmd/generate.go @@ -116,7 +116,7 @@ func runGenerate(cmd *cobra.Command, args []string) error { } } - runtimeHandler, err := mnf.RuntimeHandler(flags.referenceValuesPlatform) + runtimeHandler, err := manifest.RuntimeHandler(flags.referenceValuesPlatform) if err != nil { return fmt.Errorf("get runtime handler: %w", err) } diff --git a/cli/main.go b/cli/main.go index 0c38efa517..9dbeba9b19 100644 --- a/cli/main.go +++ b/cli/main.go @@ -13,7 +13,7 @@ import ( "text/tabwriter" "github.com/edgelesssys/contrast/cli/cmd" - "github.com/edgelesssys/contrast/cli/constants" + "github.com/edgelesssys/contrast/internal/constants" "github.com/edgelesssys/contrast/internal/manifest" "github.com/spf13/cobra" ) @@ -43,7 +43,7 @@ func buildVersionString() string { fmt.Fprintf(versionsWriter, "\t%s\n", image) } } - if refValues, err := json.MarshalIndent(manifest.EmbeddedReferenceValues(), "\t", " "); err == nil { + if refValues, err := json.MarshalIndent(manifest.GetEmbeddedReferenceValues(), "\t", " "); err == nil { fmt.Fprintf(versionsWriter, "embedded reference values:\t%s\n", refValues) } fmt.Fprintf(versionsWriter, "genpolicy version:\t%s\n", constants.GenpolicyVersion) diff --git a/cli/telemetry/telemetry.go b/cli/telemetry/telemetry.go index b50252a9f9..866f2ed186 100644 --- a/cli/telemetry/telemetry.go +++ b/cli/telemetry/telemetry.go @@ -12,7 +12,7 @@ import ( "net/url" "runtime" - "github.com/edgelesssys/contrast/cli/constants" + "github.com/edgelesssys/contrast/internal/constants" "github.com/spf13/cobra" ) diff --git a/e2e/genpolicy/genpolicy_test.go b/e2e/genpolicy/genpolicy_test.go index 25b9f940f6..477c41ef14 100644 --- a/e2e/genpolicy/genpolicy_test.go +++ b/e2e/genpolicy/genpolicy_test.go 
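Review bot: In `runGenerate` the RuntimeClass name is now taken from the CLI's embedded reference values via `manifest.RuntimeHandler`, no longer from the manifest `mnf` that generate is producing, so the handler name and the manifest's reference values are only guaranteed to agree when `mnf` is the default manifest. If `mnf` can come from a user-supplied file (not visible here), a comment at the call site should make the decoupling explicit, e.g. `// The handler name is derived from the CLI's embedded reference values, not from mnf.` The rest of runGenerate lies outside the hunk.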
@@ -36,7 +36,7 @@ func TestGenpolicy(t *testing.T) { testCases := kuberesource.GenpolicyRegressionTests() - runtimeHandler, err := manifest.DefaultPlatformHandler(platform) + runtimeHandler, err := manifest.RuntimeHandler(platform) require.NoError(t, err) for name, deploy := range testCases { diff --git a/e2e/getdents/getdents_test.go b/e2e/getdents/getdents_test.go index cc16d8304d..aa8a2783b7 100644 --- a/e2e/getdents/getdents_test.go +++ b/e2e/getdents/getdents_test.go @@ -39,7 +39,7 @@ func TestGetDEnts(t *testing.T) { // TODO(msanft): Make this configurable platform := platforms.AKSCloudHypervisorSNP - runtimeHandler, err := manifest.DefaultPlatformHandler(platform) + runtimeHandler, err := manifest.RuntimeHandler(platform) require.NoError(t, err) resources := kuberesource.GetDEnts() diff --git a/e2e/openssl/openssl_test.go b/e2e/openssl/openssl_test.go index 325c9200bc..64f587cf9b 100644 --- a/e2e/openssl/openssl_test.go +++ b/e2e/openssl/openssl_test.go @@ -47,7 +47,7 @@ func TestOpenSSL(t *testing.T) { // TODO(msanft): Make this configurable platform := platforms.AKSCloudHypervisorSNP - runtimeHandler, err := manifest.DefaultPlatformHandler(platform) + runtimeHandler, err := manifest.RuntimeHandler(platform) require.NoError(t, err) resources := kuberesource.OpenSSL() diff --git a/e2e/policy/policy_test.go b/e2e/policy/policy_test.go index 64e2d5b5ef..0df8dfca70 100644 --- a/e2e/policy/policy_test.go +++ b/e2e/policy/policy_test.go @@ -44,7 +44,7 @@ func TestPolicy(t *testing.T) { // TODO(msanft): Make this configurable platform := platforms.AKSCloudHypervisorSNP - runtimeHandler, err := manifest.DefaultPlatformHandler(platform) + runtimeHandler, err := manifest.RuntimeHandler(platform) require.NoError(t, err) resources := kuberesource.OpenSSL() diff --git a/e2e/servicemesh/servicemesh_test.go b/e2e/servicemesh/servicemesh_test.go index dbb2695bc3..6a0811dead 100644 --- a/e2e/servicemesh/servicemesh_test.go +++ b/e2e/servicemesh/servicemesh_test.go 
@@ -38,7 +38,7 @@ func TestIngressEgress(t *testing.T) { // TODO(msanft): Make this configurable platform := platforms.AKSCloudHypervisorSNP - runtimeHandler, err := manifest.DefaultPlatformHandler(platform) + runtimeHandler, err := manifest.RuntimeHandler(platform) require.NoError(t, err) resources := kuberesource.Emojivoto(kuberesource.ServiceMeshIngressEgress) diff --git a/cli/constants/constants.go b/internal/constants/constants.go similarity index 100% rename from cli/constants/constants.go rename to internal/constants/constants.go diff --git a/internal/kuberesource/parts.go b/internal/kuberesource/parts.go index 24eca42fe2..ec4f9c5c6b 100644 --- a/internal/kuberesource/parts.go +++ b/internal/kuberesource/parts.go @@ -19,7 +19,7 @@ import ( // ContrastRuntimeClass creates a new RuntimeClassConfig. func ContrastRuntimeClass(platform platforms.Platform) (*RuntimeClassConfig, error) { - runtimeHandler, err := manifest.DefaultPlatformHandler(platform) + runtimeHandler, err := manifest.RuntimeHandler(platform) if err != nil { return nil, fmt.Errorf("getting default runtime handler: %w", err) } @@ -45,7 +45,7 @@ type NodeInstallerConfig struct { func NodeInstaller(namespace string, platform platforms.Platform) (*NodeInstallerConfig, error) { name := "contrast-node-installer" - runtimeHandler, err := manifest.DefaultPlatformHandler(platform) + runtimeHandler, err := manifest.RuntimeHandler(platform) if err != nil { return nil, fmt.Errorf("getting default runtime handler: %w", err) } diff --git a/internal/kuberesource/resourcegen/main.go b/internal/kuberesource/resourcegen/main.go index de3b45a428..734093fe87 100644 --- a/internal/kuberesource/resourcegen/main.go +++ b/internal/kuberesource/resourcegen/main.go 
@@ -37,7 +37,7 @@ func main() { log.Fatalf("Error parsing platform: %v", err) } - runtimeHandler, err = manifest.DefaultPlatformHandler(platform) + runtimeHandler, err = manifest.RuntimeHandler(platform) if err != nil { log.Fatalf("Error getting default runtime handler: %v", err) } diff --git a/internal/manifest/constants.go b/internal/manifest/constants.go index 73daad2749..a9478b236b 100644 --- a/internal/manifest/constants.go +++ b/internal/manifest/constants.go @@ -12,7 +12,11 @@ import ( // Default returns a default manifest with reference values for the given platform. func Default(platform platforms.Platform) (*Manifest, error) { - refValues := setReferenceValuesIfUninitialized() + embeddedRefValues := GetEmbeddedReferenceValues() + refValues, err := embeddedRefValues.ForPlatform(platform) + if err != nil { + return nil, fmt.Errorf("get reference values for platform %s: %w", platform, err) + } mnfst := Manifest{} switch platform { 
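Review bot: In `Default`, `GetEmbeddedReferenceValues()` decodes the embedded JSON and then `embeddedRefValues.ForPlatform(platform)` decodes the same blob again without consulting its receiver, so the value obtained on the first line is never actually used; today the first call only serves to panic early on a corrupt blob. The call site is correct as written once `ForPlatform` honours its receiver, so this is worth a comment rather than a change here: `// ForPlatform currently re-reads the embedded JSON; keep this lookup so a corrupt blob fails fast.` Note also that the returned `*ReferenceValues` can have a nil `AKS` or `BareMetalTDX` pointer when the embedded entry omits one, so the `switch platform` that follows (outside this hunk) should not dereference them unchecked. Default's body continues past the hunk.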
@@ -32,23 +36,9 @@ func Default(platform platforms.Platform) (*Manifest, error) { return &mnfst, nil } -// DefaultPlatformHandler is a short-hand for getting the default runtime handler for a platform. -func DefaultPlatformHandler(platform platforms.Platform) (string, error) { - mnf, err := Default(platform) - if err != nil { - return "", fmt.Errorf("generating manifest: %w", err) - } - return mnf.RuntimeHandler(platform) -} - -// EmbeddedReferenceValues returns the reference values embedded in the binary. -func EmbeddedReferenceValues() ReferenceValues { - return setReferenceValuesIfUninitialized() -} - -// EmbeddedReferenceValuesIfUninitialized returns the reference values embedded in the binary. -func setReferenceValuesIfUninitialized() ReferenceValues { - var embeddedReferenceValues *ReferenceValues +// GetEmbeddedReferenceValues returns the reference values embedded in the binary. +func GetEmbeddedReferenceValues() EmbeddedReferenceValues { + var embeddedReferenceValues EmbeddedReferenceValues if err := json.Unmarshal(EmbeddedReferenceValuesJSON, &embeddedReferenceValues); err != nil { // As this relies on a constant, predictable value (i.e. the embedded JSON), which -- in a correctly built binary -- should @@ -56,5 +46,5 @@ func setReferenceValuesIfUninitialized() ReferenceValues { panic(fmt.Errorf("failed to unmarshal embedded reference values: %w", err)) } - return *embeddedReferenceValues + return embeddedReferenceValues } diff --git a/internal/manifest/manifest.go b/internal/manifest/manifest.go index 1a9fad4d18..5c2c1c8375 100644 --- a/internal/manifest/manifest.go +++ b/internal/manifest/manifest.go @@ -8,7 +8,6 @@ import ( "encoding/base64" "fmt" - "github.com/edgelesssys/contrast/internal/platforms" "github.com/google/go-sev-guest/abi" "github.com/google/go-sev-guest/kds" "github.com/google/go-sev-guest/validate" 
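Review bot: `GetEmbeddedReferenceValues` panics when the embedded JSON does not decode, but its doc comment only says what it returns, and it is now an exported entry point called from `cli/main.go`; document the contract, e.g. `// GetEmbeddedReferenceValues returns the reference values embedded in the binary. It panics if the embedded JSON cannot be decoded, which indicates a broken build.` The `Get` prefix is also unidiomatic Go; it appears forced by the type now being called `EmbeddedReferenceValues`, so a name such as `LoadEmbeddedReferenceValues` would avoid both the prefix and the clash. The decode runs on every call, which is fine for the CLI but worth a `sync.Once` if it is ever reached per request.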
@@ -172,15 +171,3 @@ func (m *Manifest) AKSValidateOpts() (*validate.Options, error) { PermitProvisionalFirmware: true, }, nil } - -// RuntimeHandler returns the runtime handler for the given platform. -func (m *Manifest) RuntimeHandler(platform platforms.Platform) (string, error) { - switch platform { - case platforms.AKSCloudHypervisorSNP: - return fmt.Sprintf("contrast-cc-%s", m.ReferenceValues.AKS.TrustedMeasurement[:32]), nil - case platforms.K3sQEMUTDX, platforms.RKE2QEMUTDX: - return fmt.Sprintf("contrast-cc-%s", m.ReferenceValues.BareMetalTDX.TrustedMeasurement[:32]), nil - default: - return "", fmt.Errorf("unsupported platform %s", platform) - } -} diff --git a/internal/manifest/referencevalues.go b/internal/manifest/referencevalues.go index 8399be0ee3..e63503ea6a 100644 --- a/internal/manifest/referencevalues.go +++ b/internal/manifest/referencevalues.go @@ -9,10 +9,12 @@ import ( "encoding/json" "fmt" "strconv" + "strings" + + "github.com/edgelesssys/contrast/internal/platforms" ) // EmbeddedReferenceValuesJSON contains the embedded reference values in JSON format. -// At startup, they are unmarshaled into a globally-shared ReferenceValues struct. // //go:embed assets/reference-values.json var EmbeddedReferenceValuesJSON []byte @@ -25,6 +27,10 @@ type ReferenceValues struct { BareMetalTDX *BareMetalTDXReferenceValues `json:"bareMetalTDX,omitempty"` } +// EmbeddedReferenceValues is a map of runtime handler names to reference values, as +// embedded in the binary. +type EmbeddedReferenceValues map[string]ReferenceValues + // AKSReferenceValues contains reference values for AKS. type AKSReferenceValues struct { SNP SNPReferenceValues 
@@ -94,3 +100,46 @@ func (h HexString) String() string {
 func (h HexString) Bytes() ([]byte, error) {
 return hex.DecodeString(string(h))
 }
+
+// ForPlatform returns the reference values for the given platform.
+func (e *EmbeddedReferenceValues) ForPlatform(platform platforms.Platform) (*ReferenceValues, error) {
+ var mapping EmbeddedReferenceValues
+ if err := json.Unmarshal(EmbeddedReferenceValuesJSON, &mapping); err != nil {
+ return nil, fmt.Errorf("unmarshal embedded reference values mapping: %w", err)
+ }
+
+ for handler, referenceValues := range mapping {
+ p, err := platformFromHandler(handler)
+ if err != nil {
+ return nil, fmt.Errorf("invalid handler name: %w", err)
+ }
+
+ if p == platform {
+ return &referenceValues, nil
+ }
+ }
+
+ return nil, fmt.Errorf("no embedded reference values found for platform: %s", platform)
+}
+
+// platformFromHandler extracts the platform from the runtime handler name.
+func platformFromHandler(handler string) (platforms.Platform, error) {
+ rest, found := strings.CutPrefix(handler, "contrast-cc-")
+ if !found {
+ return platforms.Unknown, fmt.Errorf("invalid handler name: %s", handler)
+ }
+
+ parts := strings.Split(rest, "-")
+ if len(parts) != 4 {
+ return platforms.Unknown, fmt.Errorf("invalid handler name: %s", handler)
+ }
+
+ rawPlatform := fmt.Sprintf("%s-%s-%s", parts[0], parts[1], parts[2])
+
+ platform, err := platforms.FromString(rawPlatform)
+ if err != nil {
+ return platforms.Unknown, fmt.Errorf("invalid platform in handler name: %w", err)
+ }
+
+ return platform, nil
+}
diff --git a/internal/manifest/runtimehandler.go b/internal/manifest/runtimehandler.go
new file mode 100644
index 0000000000..de8134ac89
--- /dev/null
+++ b/internal/manifest/runtimehandler.go
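Review bot: `ForPlatform` ignores its receiver `e` and re-decodes the package-level `EmbeddedReferenceValuesJSON`, so a caller that passes any other mapping (a test fixture, or values loaded from elsewhere) silently gets the embedded ones — for the type that seeds attestation reference values that is a surprising trap. Drop the local decode and iterate the receiver: `for handler, referenceValues := range *e {`, keeping the existing `no embedded reference values found` error for the empty case. `platformFromHandler` also accepts an empty hash component (`contrast-cc-aks-clh-snp-` splits into four parts), so a `parts[3] == ""` rejection would make it enforce the format it claims to parse.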
@@ -0,0 +1,32 @@
+// Copyright 2024 Edgeless Systems GmbH
+// SPDX-License-Identifier: AGPL-3.0-only
+
+package manifest
+
+import (
+ "encoding/json"
+ "fmt"
+
+ "github.com/edgelesssys/contrast/internal/platforms"
+)
+
+// RuntimeHandler returns the name of the runtime handler for the given platform.
+func RuntimeHandler(platform platforms.Platform) (string, error) {
+ var mapping EmbeddedReferenceValues
+ if err := json.Unmarshal(EmbeddedReferenceValuesJSON, &mapping); err != nil {
+ return "", fmt.Errorf("unmarshal embedded reference values mapping: %w", err)
+ }
+
+ for runtimeHandler := range mapping {
+ p, err := platformFromHandler(runtimeHandler)
+ if err != nil {
+ return "", fmt.Errorf("invalid runtime handler name %s: %w", runtimeHandler, err)
+ }
+
+ if p == platform {
+ return runtimeHandler, nil
+ }
+ }
+
+ return "", fmt.Errorf("no runtime handler found for platform %s", platform)
+}
diff --git a/internal/manifest/runtimehandler_test.go b/internal/manifest/runtimehandler_test.go
new file mode 100644
index 0000000000..2fa5f81032
--- /dev/null
+++ b/internal/manifest/runtimehandler_test.go
@@ -0,0 +1,24 @@
+// Copyright 2024 Edgeless Systems GmbH
+// SPDX-License-Identifier: AGPL-3.0-only
+
+package manifest
+
+import (
+ "testing"
+
+ "github.com/edgelesssys/contrast/internal/platforms"
+ "github.com/stretchr/testify/assert"
+ "github.com/stretchr/testify/require"
+)
+
+func TestRuntimeHandler(t *testing.T) {
+ require := require.New(t)
+ assert := assert.New(t)
+ for _, platform := range platforms.All() {
+ runtimeHandler, err := RuntimeHandler(platform)
+ require.NoError(err)
+ assert.NotEmpty(runtimeHandler)
+ assert.Less(len(runtimeHandler), 64, "runtime handler name can be 63 characters at most")
+ assert.Regexp(`^[a-z0-9]([-a-z0-9]*[a-z0-9])?$`, runtimeHandler, "runtimeHandlerName must be a lowercase RFC 1123 subdomain")
+ }
+}
diff --git a/nodeinstaller/README.md b/nodeinstaller/README.md
index c8f740c5e7..aca6c2fc56 100644
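Review bot: `RuntimeHandler` returns the first key of a randomly ordered map that parses to the requested platform, so if the embedded mapping ever held two handlers for one platform (a rollover between runtime versions, say) the returned name — and, through the same loop in `ForPlatform`, the reference values chosen for attestation — would change from run to run with no error. The two functions should share one lookup that rejects ambiguity instead of duplicating the loop; a sketch follows. `TestRuntimeHandler` checks length and charset but not uniqueness, so an assertion that every platform in `platforms.All()` resolves to a distinct handler would catch a bad embedded mapping at build time.
```go
// handlerForPlatform returns the unique runtime handler name for platform.
// It errors if mapping holds no handler for platform, or more than one.
func handlerForPlatform(mapping EmbeddedReferenceValues, platform platforms.Platform) (string, error) {
	match := ""
	for handler := range mapping {
		p, err := platformFromHandler(handler)
		if err != nil {
			return "", fmt.Errorf("invalid runtime handler name %s: %w", handler, err)
		}
		if p != platform {
			continue
		}
		if match != "" {
			return "", fmt.Errorf("ambiguous runtime handlers for platform %s: %s and %s", platform, match, handler)
		}
		match = handler
	}
	if match == "" {
		return "", fmt.Errorf("no runtime handler found for platform %s", platform)
	}
	return match, nil
}

// RuntimeHandler returns the name of the runtime handler for the given platform.
func RuntimeHandler(platform platforms.Platform) (string, error) {
	// … unchanged: decode EmbeddedReferenceValuesJSON into mapping …
	return handlerForPlatform(mapping, platform)
}
```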
--- a/nodeinstaller/README.md +++ b/nodeinstaller/README.md @@ -12,9 +12,10 @@ If desired, you can replace the configuration using a Kubernetes configmap by mo - `files`: List of files to be installed. - `files[*].url`: Source of the file's content. Use `http://` or `https://` to download it or `file://` to copy a file from the container image. -- `files[*].path`: Target location of the file on the host filesystem. +- `files[*].path`: Target location of the file on the host filesystem. The `@@runtimeBase@@` placeholder can be used to get a unique per-runtime-handler path. + For example, `@@runtimeBase@@/foo` will resolve to `/opt/edgeless/contrast-cc--/foo`, where `` is the platform the node-installer is deployed on, + and `` is a hash of all relevant runtime components, so that it's unique per-version. - `files[*].integrity`: Expected Subresource Integrity (SRI) digest of the file. Only required if URL starts with `http://` or `https://`. -- `runtimeHandlerName`: Name of the container runtime. - `debugRuntime`: If set to true, enables [serial console access via `vsock`](/dev-docs/aks/serial-console.md). A special, debug-capable IGVM file has to be used for this to work. Consider the following example: 
@@ -24,25 +25,24 @@ Consider the following example: "files": [ { "url": "https://cdn.confidential.cloud/contrast/node-components/2024-03-13/kata-containers.img", - "path": "/opt/edgeless/share/kata-containers.img", + "path": "@@runtimeBase@@/kata-containers.img", "integrity": "sha256-EdFywKAU+xD0BXmmfbjV4cB6Gqbq9R9AnMWoZFCM3A0=" }, { "url": "https://cdn.confidential.cloud/contrast/node-components/2024-03-13/kata-containers-igvm.img", - "path": "/opt/edgeless/share/kata-containers-igvm.img", + "path": "@@runtimeBase@@/kata-containers-igvm.img", "integrity": "sha256-E9Ttx6f9QYwKlQonO/fl1bF2MNBoU4XG3/HHvt9Zv30=" }, { "url": "https://cdn.confidential.cloud/contrast/node-components/2024-03-13/cloud-hypervisor-cvm", - "path": "/opt/edgeless/bin/cloud-hypervisor-snp", + "path": "@@runtimeBase@@/cloud-hypervisor-snp", "integrity": "sha256-coTHzd5/QLjlPQfrp9d2TJTIXKNuANTN7aNmpa8PRXo=" }, { "url": "file:///opt/edgeless/bin/containerd-shim-contrast-cc-v2", - "path": "/opt/edgeless/bin/containerd-shim-contrast-cc-v2", + "path": "@@runtimeBase@@/containerd-shim-contrast-cc-v2", } ], - "runtimeHandlerName": "contrast-cc", "debugRuntime": false } ``` diff --git a/nodeinstaller/internal/config/config.go b/nodeinstaller/internal/config/config.go index 2e04ccf073..20b9d27798 100644 --- a/nodeinstaller/internal/config/config.go +++ b/nodeinstaller/internal/config/config.go @@ -8,15 +8,13 @@ import ( "errors" "net/url" "path/filepath" - "regexp" + "strings" ) // Config is the configuration for the node-installer. type Config struct { // Files is a list of files to download. Files []File `json:"files"` - // RuntimeHandlerName is the name of the runtime handler (containerd runtime) to create. - RuntimeHandlerName string `json:"runtimeHandlerName"` // DebugRuntime enables the debug mode of the runtime. // This only works if the igvm file has shell access enabled // and has no effect on production images. 
@@ -25,19 +23,6 @@ type Config struct { // Validate validates the configuration. func (c Config) Validate() error { - if c.RuntimeHandlerName == "" { - return errors.New("runtimeHandlerName is required") - } - if len(c.RuntimeHandlerName) > 63 { - return errors.New("runtimeHandlerName must be 63 characters or fewer") - } - matched, err := regexp.Match(`^[a-z0-9]([-a-z0-9]*[a-z0-9])?$`, []byte(c.RuntimeHandlerName)) - if err != nil { - return err - } - if !matched { - return errors.New("runtimeHandlerName must be a lowercase RFC 1123 subdomain") - } for _, file := range c.Files { if err := file.Validate(); err != nil { return err @@ -79,7 +64,8 @@ func (f File) Validate() error { if f.Path == "" { return errors.New("path is required") } - if !filepath.IsAbs(f.Path) { + effectivePath := strings.ReplaceAll(f.Path, "@@runtimeBase@@", "") + if !filepath.IsAbs(effectivePath) { return errors.New("path must be absolute") } if f.Integrity == "" { diff --git a/nodeinstaller/internal/config/config_test.go b/nodeinstaller/internal/config/config_test.go index 45a64577b1..3aacf4f3ce 100644 --- a/nodeinstaller/internal/config/config_test.go +++ b/nodeinstaller/internal/config/config_test.go @@ -23,7 +23,6 @@ func TestValidate(t *testing.T) { { name: "valid http File", config: Config{ - RuntimeHandlerName: "contrast-cc", Files: []File{{ URL: "https://example.com/file1", Path: "/path/to/file1", @@ -35,7 +34,6 @@ func TestValidate(t *testing.T) { { name: "valid file File", config: Config{ - RuntimeHandlerName: "contrast-cc", Files: []File{{ URL: "file:////example.com/file1", Path: "/path/to/file1", 
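Review bot: In `File.Validate` the placeholder is only stripped before the `IsAbs` check, so `@@runtimeBase@@` is accepted anywhere in the path (`/etc/@@runtimeBase@@` validates and the installer would expand it to `/etc//opt/edgeless/contrast-cc-…`), and unclean segments such as `@@runtimeBase@@/../../etc/passwd` pass as well, even though these paths are written onto the host filesystem by the node-installer. Require the placeholder to be the leading path element and reject paths that `filepath.Clean` would rewrite; a tightened tail of the function follows. The placeholder literal is also duplicated here and in `nodeinstaller/internal/constants`; if an import cycle prevents using `constants.RuntimeBasePlaceholder` from this package, define the constant in `config` and let `constants` reference it. File.Validate continues outside the hunk.
```go
	effectivePath := strings.ReplaceAll(f.Path, "@@runtimeBase@@", "")
	if effectivePath != f.Path && !strings.HasPrefix(f.Path, "@@runtimeBase@@/") {
		return errors.New("@@runtimeBase@@ must be the leading path element")
	}
	if !filepath.IsAbs(effectivePath) {
		return errors.New("path must be absolute")
	}
	if filepath.Clean(effectivePath) != effectivePath {
		return errors.New("path must not contain . or .. segments or repeated separators")
	}
	// … unchanged: integrity checks …
```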
@@ -44,42 +42,9 @@ func TestValidate(t *testing.T) { }, valid: true, }, - { - name: "missing RuntimeHandlerName", - config: Config{ - Files: []File{{ - URL: "https://example.com/file1", - Path: "/path/to/file1", - Integrity: "sha256-abcdef123456", - }}, - }, - }, - { - name: "RuntimeHandlerName too long", - config: Config{ - RuntimeHandlerName: "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa", - Files: []File{{ - URL: "https://example.com/file1", - Path: "/path/to/file1", - Integrity: "sha256-abcdef123456", - }}, - }, - }, - { - name: "RuntimeHandlerName has invalid characters", - config: Config{ - RuntimeHandlerName: "invalid name=", - Files: []File{{ - URL: "https://example.com/file1", - Path: "/path/to/file1", - Integrity: "sha256-abcdef123456", - }}, - }, - }, { name: "missing URL", config: Config{ - RuntimeHandlerName: "contrast-cc", Files: []File{{ Path: "/path/to/file1", Integrity: "sha256-abcdef123456", @@ -89,7 +54,6 @@ func TestValidate(t *testing.T) { { name: "missing Path", config: Config{ - RuntimeHandlerName: "contrast-cc", Files: []File{{ URL: "https://example.com/file1", Integrity: "sha256-abcdef123456", @@ -99,7 +63,6 @@ func TestValidate(t *testing.T) { { name: "missing relative path", config: Config{ - RuntimeHandlerName: "contrast-cc", Files: []File{{ URL: "https://example.com/file1", Path: "path/to/file1", @@ -110,7 +73,6 @@ func TestValidate(t *testing.T) { { name: "missing Integrity", config: Config{ - RuntimeHandlerName: "contrast-cc", Files: []File{{ URL: "https://example.com/file1", Path: "/path/to/file1", @@ -120,7 +82,6 @@ func TestValidate(t *testing.T) { { name: "invalid URL", config: Config{ - RuntimeHandlerName: "contrast-cc", Files: []File{{ URL: "invalid\x00url", Path: "/path/to/file1", @@ -131,7 +92,6 @@ func TestValidate(t *testing.T) { { name: "invalid scheme", config: Config{ - RuntimeHandlerName: "contrast-cc", Files: []File{{ URL: "ftp://example.com/file1", Path: "/path/to/file1", 
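Review bot: With the `RuntimeHandlerName` cases removed, `TestValidate` has no case exercising the new `@@runtimeBase@@` handling in `File.Validate`, so a regression in the placeholder stripping would pass this table unnoticed. Add at least a valid entry with `Path: "@@runtimeBase@@/kata-containers.img"` and an invalid one with `Path: "@@runtimeBase@@kata-containers.img"`, which should fail the absolute-path check. The table continues outside the hunk.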
@@ -142,7 +102,6 @@ func TestValidate(t *testing.T) { { name: "invalid Integrity algorithm", config: Config{ - RuntimeHandlerName: "contrast-cc", Files: []File{{ URL: "https://example.com/file1", Path: "/path/to/file1", @@ -153,7 +112,6 @@ func TestValidate(t *testing.T) { { name: "invalid Integrity value", config: Config{ - RuntimeHandlerName: "contrast-cc", Files: []File{{ URL: "https://example.com/file1", Path: "/path/to/file1", diff --git a/nodeinstaller/internal/constants/constants.go b/nodeinstaller/internal/constants/constants.go index 7345a81d81..65b975539d 100644 --- a/nodeinstaller/internal/constants/constants.go +++ b/nodeinstaller/internal/constants/constants.go @@ -36,6 +36,9 @@ var ( // //go:embed containerd-config.toml containerdBaseConfig string + + // RuntimeBasePlaceholder is the placeholder for the per-runtime path (i.e. /opt/edgeless/contrast-cc...) in the target file paths. + RuntimeBasePlaceholder = "@@runtimeBase@@" ) // CRIFQDN is the fully qualified domain name of the CRI service. diff --git a/nodeinstaller/node-installer.go b/nodeinstaller/node-installer.go index 366b31b399..0f64831ce4 100644 --- a/nodeinstaller/node-installer.go +++ b/nodeinstaller/node-installer.go @@ -17,6 +17,7 @@ import ( "strings" "time" + "github.com/edgelesssys/contrast/internal/manifest" "github.com/edgelesssys/contrast/internal/platforms" "github.com/edgelesssys/contrast/nodeinstaller/internal/asset" "github.com/edgelesssys/contrast/nodeinstaller/internal/config" 
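Review bot: `RuntimeBasePlaceholder` in `nodeinstaller/internal/constants` is declared inside a `var` block, so any importer can reassign it at runtime, and the same literal is hard-coded again in `config.File.Validate`; if the two ever drift, validation would accept a placeholder the installer never expands. Declare it as `const RuntimeBasePlaceholder = "@@runtimeBase@@"` outside the `//go:embed` var block and have the validator reference it (or, if that creates an import cycle, host the constant in `config` instead).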
@@ -65,24 +66,32 @@ func run(ctx context.Context, fetcher assetFetcher, platform platforms.Platform, } fmt.Printf("Using config: %+v\n", config) - runtimeBase := filepath.Join("/opt", "edgeless", config.RuntimeHandlerName) + runtimeHandlerName, err := manifest.RuntimeHandler(platform) + if err != nil { + return fmt.Errorf("getting runtime handler name: %w", err) + } + + runtimeBase := filepath.Join("/opt", "edgeless", runtimeHandlerName) // Copy the files for _, file := range config.Files { - fmt.Printf("Fetching %q to %q\n", file.URL, file.Path) + // Replace @@runtimeBase@@ in the target path with the actual base directory. + targetPath := strings.ReplaceAll(file.Path, constants.RuntimeBasePlaceholder, runtimeBase) + + fmt.Printf("Fetching %q to %q\n", file.URL, targetPath) - if err := os.MkdirAll(filepath.Dir(filepath.Join(hostMount, file.Path)), os.ModePerm); err != nil { - return fmt.Errorf("creating directory %q: %w", filepath.Dir(file.Path), err) + if err := os.MkdirAll(filepath.Dir(filepath.Join(hostMount, targetPath)), os.ModePerm); err != nil { + return fmt.Errorf("creating directory %q: %w", filepath.Dir(targetPath), err) } var fetchErr error if file.Integrity == "" { - _, fetchErr = fetcher.FetchUnchecked(ctx, file.URL, filepath.Join(hostMount, file.Path)) + _, fetchErr = fetcher.FetchUnchecked(ctx, file.URL, filepath.Join(hostMount, targetPath)) } else { - _, fetchErr = fetcher.Fetch(ctx, file.URL, filepath.Join(hostMount, file.Path), file.Integrity) + _, fetchErr = fetcher.Fetch(ctx, file.URL, filepath.Join(hostMount, targetPath), file.Integrity) } if fetchErr != nil { - return fmt.Errorf("fetching file from %q to %q: %w", file.URL, file.Path, fetchErr) + return fmt.Errorf("fetching file from %q to %q: %w", file.URL, targetPath, fetchErr) } } 
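Review bot: The hash-named directories under `runtimeBase`, which go on to hold the hypervisor, shim and guest image the runtime executes, are created with `os.MkdirAll(..., os.ModePerm)`, i.e. 0777 subject to the installer's umask. The mode predates this change, but the old fixed `/opt/edgeless/{bin,share}` targets are now replaced by per-runtime directories this loop creates from scratch, so it is the natural point to tighten it to `0o755`. `run`'s body starts before and continues after the hunk.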
@@ -136,10 +145,15 @@ func run(ctx context.Context, fetcher assetFetcher, platform platforms.Platform, return fmt.Errorf("generating kata runtime configuration: %w", err) } + runtimeHandler, err := manifest.RuntimeHandler(platform) + if err != nil { + return fmt.Errorf("getting runtime handler name: %w", err) + } + switch platform { case platforms.AKSCloudHypervisorSNP: // AKS or any external-containerd based K8s distro: We can just patch the existing containerd config at /etc/containerd/config.toml - if err := patchContainerdConfig(config.RuntimeHandlerName, runtimeBase, containerdConfigPath, platform); err != nil { + if err := patchContainerdConfig(runtimeHandler, runtimeBase, containerdConfigPath, platform); err != nil { return fmt.Errorf("patching containerd configuration: %w", err) } case platforms.K3sQEMUTDX, platforms.K3sQEMUSNP, platforms.RKE2QEMUTDX: @@ -147,7 +161,7 @@ func run(ctx context.Context, fetcher assetFetcher, platform platforms.Platform, // Therefore just write the TOML configuration fragment ourselves and append it to the template file. // This assumes that the user does not yet have a runtime with the same name configured himself, // but as our runtimes are hash-named, this should be a safe assumption. - if err := patchContainerdConfigTemplate(config.RuntimeHandlerName, runtimeBase, containerdConfigPath, platform); err != nil { + if err := patchContainerdConfigTemplate(runtimeHandler, runtimeBase, containerdConfigPath, platform); err != nil { return fmt.Errorf("patching containerd configuration: %w", err) } default: 
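Review bot: `manifest.RuntimeHandler(platform)` is resolved a second time here even though `run` already derived `runtimeHandlerName` from the same input at the top of the function; the repeated JSON decode is harmless, but two variables for one value invite them to drift apart. Reuse the earlier one — `patchContainerdConfig(runtimeHandlerName, runtimeBase, containerdConfigPath, platform)` and likewise for `patchContainerdConfigTemplate` — and drop the added lookup. `run` continues outside the hunk.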
@@ -204,7 +218,7 @@ func containerdRuntimeConfig(basePath, configPath string, platform platforms.Pla return os.WriteFile(configPath, rawConfig, os.ModePerm) } -func patchContainerdConfig(runtimeName, basePath, configPath string, platform platforms.Platform) error { +func patchContainerdConfig(runtimeHandler, basePath, configPath string, platform platforms.Platform) error { existingRaw, existing, err := parseExistingContainerdConfig(configPath) if err != nil { existing = constants.ContainerdBaseConfig() @@ -216,8 +230,8 @@ func patchContainerdConfig(runtimeName, basePath, configPath string, platform pl if existing.ProxyPlugins == nil { existing.ProxyPlugins = make(map[string]config.ProxyPlugin) } - snapshotterName = fmt.Sprintf("tardev-%s", runtimeName) - socketName := fmt.Sprintf("/run/containerd/tardev-snapshotter-%s.sock", runtimeName) + snapshotterName = fmt.Sprintf("tardev-%s", runtimeHandler) + socketName := fmt.Sprintf("/run/containerd/tardev-snapshotter-%s.sock", runtimeHandler) existing.ProxyPlugins[snapshotterName] = config.ProxyPlugin{ Type: "snapshot", Address: socketName, @@ -230,7 +244,7 @@ func patchContainerdConfig(runtimeName, basePath, configPath string, platform pl if err != nil { return fmt.Errorf("generating containerd runtime config: %w", err) } - runtimes[runtimeName] = containerdRuntimeConfig + runtimes[runtimeHandler] = containerdRuntimeConfig rawConfig, err := toml.Marshal(existing) if err != nil { @@ -246,7 +260,7 @@ func patchContainerdConfig(runtimeName, basePath, configPath string, platform pl return os.WriteFile(configPath, rawConfig, os.ModePerm) } -func patchContainerdConfigTemplate(runtimeName, basePath, configTemplatePath string, platform platforms.Platform) error { +func patchContainerdConfigTemplate(runtimeHandler, basePath, configTemplatePath string, platform platforms.Platform) error { existingConfig, err := os.ReadFile(configTemplatePath) if err != nil { return fmt.Errorf("reading containerd config template: %w", err) 
@@ -254,7 +268,7 @@ func patchContainerdConfigTemplate(runtimeName, basePath, configTemplatePath str fmt.Printf("Existing containerd config template:\n%s\n", existingConfig) // Don't add the runtime section if it already exists. - runtimeSection := fmt.Sprintf("[plugins.'io.containerd.grpc.v1.cri'.containerd.runtimes.%s]", runtimeName) + runtimeSection := fmt.Sprintf("[plugins.'io.containerd.grpc.v1.cri'.containerd.runtimes.%s]", runtimeHandler) if bytes.Contains(existingConfig, []byte(runtimeSection)) { fmt.Printf("Runtime section %q already exists\n", runtimeSection) return nil @@ -273,7 +287,7 @@ func patchContainerdConfigTemplate(runtimeName, basePath, configTemplatePath str if err != nil { return fmt.Errorf("generating containerd runtime config: %w", err) } - runtimes[runtimeName] = containerdRuntimeConfig + runtimes[runtimeHandler] = containerdRuntimeConfig rawNewPluginConfig, err := toml.Marshal(newConfigFragment) if err != nil { diff --git a/nodeinstaller/node-installer_test.go b/nodeinstaller/node-installer_test.go index 53aa2ab328..00767a1533 100644 --- a/nodeinstaller/node-installer_test.go +++ b/nodeinstaller/node-installer_test.go @@ -68,8 +68,10 @@ func TestPatchContainerdConfig(t *testing.T) { configPath := filepath.Join(tmpDir, "config.toml") - err = patchContainerdConfig("my-runtime", "/opt/edgeless/my-runtime", - configPath, tc.platform) + runtimeHandler := "my-runtime" + + err = patchContainerdConfig(runtimeHandler, + filepath.Join("/opt/edgeless", runtimeHandler), configPath, tc.platform) if tc.wantErr { require.Error(err) return 
@@ -118,8 +120,10 @@ func TestPatchContainerdConfigTemplate(t *testing.T) { // Testing patching a config template. - err = patchContainerdConfigTemplate("my-runtime", "/opt/edgeless/my-runtime", - configTemplatePath, tc.platform) + runtimeHandler := "my-runtime" + + err = patchContainerdConfigTemplate(runtimeHandler, + filepath.Join("/opt/edgeless", runtimeHandler), configTemplatePath, tc.platform) require.NoError(err) configData, err := os.ReadFile(configTemplatePath) @@ -128,8 +132,8 @@ func TestPatchContainerdConfigTemplate(t *testing.T) { // Test that patching the same template twice doesn't change it. - err = patchContainerdConfigTemplate("my-runtime", "/opt/edgeless/my-runtime", - configTemplatePath, tc.platform) + err = patchContainerdConfigTemplate(runtimeHandler, + filepath.Join("/opt/edgeless", runtimeHandler), configTemplatePath, tc.platform) require.NoError(err) configData, err = os.ReadFile(configTemplatePath) diff --git a/packages/by-name/contrast/package.nix b/packages/by-name/contrast/package.nix index 448be295d9..186f14fff4 100644 --- a/packages/by-name/contrast/package.nix +++ b/packages/by-name/contrast/package.nix 
@@ -40,28 +40,59 @@ let
   # Reference values that we embed into the Contrast CLI for
   # deployment generation and attestation.
-  embeddedReferenceValues = builtins.toFile "reference-values.json" (
-    builtins.toJSON {
-      aks = {
-        snp = {
-          minimumTCB = {
-            bootloaderVersion = 3;
-            teeVersion = 0;
-            snpVersion = 8;
-            microcodeVersion = 115;
+  embeddedReferenceValues =
+    let
+      runtimeHandler =
+        platform:
+        (
+          launchDigestFile:
+          "contrast-cc-${platform}-${builtins.substring 0 8 (builtins.readFile launchDigestFile)}"
+        );
+
+      aks-clh-snp-handler = runtimeHandler "aks-clh-snp" "${microsoft.runtime-class-files}/runtime-hash.hex";
+      k3s-qemu-tdx-handler = runtimeHandler "k3s-qemu-tdx" "${kata.runtime-class-files}/runtime-hash-tdx.hex";
+      rke2-qemu-tdx-handler = runtimeHandler "rke2-qemu-tdx" "${kata.runtime-class-files}/runtime-hash-tdx.hex";
+      k3s-qemu-snp-handler = runtimeHandler "k3s-qemu-snp" "${kata.runtime-class-files}/runtime-hash-snp.hex";
+
+      aksRefVals = {
+        aks = {
+          snp = {
+            minimumTCB = {
+              bootloaderVersion = 3;
+              teeVersion = 0;
+              snpVersion = 8;
+              microcodeVersion = 115;
+            };
           };
+          trustedMeasurement = lib.removeSuffix "\n" (
+            builtins.readFile "${microsoft.runtime-class-files}/launch-digest.hex"
+          );
         };
-        trustedMeasurement = lib.removeSuffix "\n" (
-          builtins.readFile "${microsoft.runtime-class-files}/launch-digest.hex"
-        );
       };
-      bareMetalTDX = {
+
+      snpRefVals = {
+        inherit (aksRefVals.aks) snp;
         trustedMeasurement = lib.removeSuffix "\n" (
-          builtins.readFile "${kata.runtime-class-files}/launch-digest.hex"
+          builtins.readFile "${kata.runtime-class-files}/launch-digest-snp.hex"
         );
       };
-    }
-  );
+
+      tdxRefVals = {
+        bareMetalTDX = {
+          trustedMeasurement = lib.removeSuffix "\n" (
+            builtins.readFile "${kata.runtime-class-files}/launch-digest-tdx.hex"
+          );
+        };
+      };
+    in
+    builtins.toFile "reference-values.json" (
+      builtins.toJSON {
+        "${aks-clh-snp-handler}" = aksRefVals;
+        "${k3s-qemu-tdx-handler}" = tdxRefVals;
+        "${rke2-qemu-tdx-handler}" = tdxRefVals;
+
"${k3s-qemu-snp-handler}" = snpRefVals; + } + ); packageOutputs = [ "coordinator" @@ -119,8 +150,8 @@ buildGoModule rec { ldflags = [ "-s" "-w" - "-X github.com/edgelesssys/contrast/cli/constants.Version=${version}" - "-X github.com/edgelesssys/contrast/cli/constants.GenpolicyVersion=${genpolicy.version}" + "-X github.com/edgelesssys/contrast/internal/constants.Version=${version}" + "-X github.com/edgelesssys/contrast/internal/constants.GenpolicyVersion=${genpolicy.version}" ]; preCheck = '' diff --git a/packages/by-name/kata/contrast-node-installer-image/package.nix b/packages/by-name/kata/contrast-node-installer-image/package.nix index 212299fc51..3bc99b5f11 100644 --- a/packages/by-name/kata/contrast-node-installer-image/package.nix +++ b/packages/by-name/kata/contrast-node-installer-image/package.nix @@ -2,7 +2,6 @@ # SPDX-License-Identifier: AGPL-3.0-only { - lib, ociLayerTar, ociImageManifest, ociImageLayout, @@ -26,13 +25,6 @@ let ]; }; - launch-digest = lib.removeSuffix "\n" ( - builtins.readFile "${kata.runtime-class-files}/launch-digest.hex" - ); - runtime-handler = lib.removeSuffix "\n" ( - builtins.readFile "${kata.runtime-class-files}/runtime-handler" - ); - installer-config = ociLayerTar { files = [ { 
@@ -40,62 +32,61 @@ let
     files = [
       {
         url = "file:///opt/edgeless/share/kata-containers.img";
-        path = "/opt/edgeless/${runtime-handler}/share/kata-containers.img";
+        path = "@@runtimeBase@@/share/kata-containers.img";
       }
       {
         url = "file:///opt/edgeless/share/kata-kernel";
-        path = "/opt/edgeless/${runtime-handler}/share/kata-kernel";
+        path = "@@runtimeBase@@/share/kata-kernel";
       }
       {
         url = "file:///opt/edgeless/snp/bin/qemu-system-x86_64";
-        path = "/opt/edgeless/${runtime-handler}/snp/bin/qemu-system-x86_64";
+        path = "@@runtimeBase@@/snp/bin/qemu-system-x86_64";
       }
       {
         url = "file:///opt/edgeless/tdx/bin/qemu-system-x86_64";
-        path = "/opt/edgeless/${runtime-handler}/tdx/bin/qemu-system-x86_64";
+        path = "@@runtimeBase@@/tdx/bin/qemu-system-x86_64";
       }
       {
         url = "file:///opt/edgeless/snp/share/OVMF.fd";
-        path = "/opt/edgeless/${runtime-handler}/snp/share/OVMF.fd";
+        path = "@@runtimeBase@@/snp/share/OVMF.fd";
       }
       {
         url = "file:///opt/edgeless/tdx/share/OVMF.fd";
-        path = "/opt/edgeless/${runtime-handler}/tdx/share/OVMF.fd";
+        path = "@@runtimeBase@@/tdx/share/OVMF.fd";
       }
       {
         url = "file:///opt/edgeless/bin/containerd-shim-contrast-cc-v2";
-        path = "/opt/edgeless/${runtime-handler}/bin/containerd-shim-contrast-cc-v2";
+        path = "@@runtimeBase@@/bin/containerd-shim-contrast-cc-v2";
       }
       {
         url = "file:///opt/edgeless/bin/kata-runtime";
-        path = "/opt/edgeless/${runtime-handler}/bin/kata-runtime";
+        path = "@@runtimeBase@@/bin/kata-runtime";
       }
       {
         url = "file:///opt/edgeless/snp/share/qemu/kvmvapic.bin";
-        path = "/opt/edgeless/${runtime-handler}/snp/share/qemu/kvmvapic.bin";
+        path = "@@runtimeBase@@/snp/share/qemu/kvmvapic.bin";
       }
       {
         url = "file:///opt/edgeless/snp/share/qemu/linuxboot_dma.bin";
-        path = "/opt/edgeless/${runtime-handler}/snp/share/qemu/linuxboot_dma.bin";
+        path = "@@runtimeBase@@/snp/share/qemu/linuxboot_dma.bin";
       }
       {
         url = "file:///opt/edgeless/snp/share/qemu/efi-virtio.rom";
-        path = "/opt/edgeless/${runtime-handler}/snp/share/qemu/efi-virtio.rom";
+        path =
"@@runtimeBase@@/snp/share/qemu/efi-virtio.rom"; } { url = "file:///opt/edgeless/tdx/share/qemu/kvmvapic.bin"; - path = "/opt/edgeless/${runtime-handler}/tdx/share/qemu/kvmvapic.bin"; + path = "@@runtimeBase@@/tdx/share/qemu/kvmvapic.bin"; } { url = "file:///opt/edgeless/tdx/share/qemu/linuxboot_dma.bin"; - path = "/opt/edgeless/${runtime-handler}/tdx/share/qemu/linuxboot_dma.bin"; + path = "@@runtimeBase@@/tdx/share/qemu/linuxboot_dma.bin"; } { url = "file:///opt/edgeless/tdx/share/qemu/efi-virtio.rom"; - path = "/opt/edgeless/${runtime-handler}/tdx/share/qemu/efi-virtio.rom"; + path = "@@runtimeBase@@/tdx/share/qemu/efi-virtio.rom"; } ]; - runtimeHandlerName = runtime-handler; inherit (kata.runtime-class-files) debugRuntime; }; destination = "/config/contrast-node-install.json"; @@ -214,7 +205,6 @@ let "annotations" = { "org.opencontainers.image.title" = "contrast-node-installer-kata"; "org.opencontainers.image.description" = "Contrast Node Installer (Kata)"; - "systems.edgeless.contrast.snp-launch-digest" = launch-digest; }; }; }; diff --git a/packages/by-name/kata/runtime-class-files/package.nix b/packages/by-name/kata/runtime-class-files/package.nix index 5c65db9f27..7f053e7512 100644 --- a/packages/by-name/kata/runtime-class-files/package.nix +++ b/packages/by-name/kata/runtime-class-files/package.nix 
@@ -54,8 +54,10 @@ stdenvNoCC.mkDerivation {
   # TODO(msanft): perform the actual launch digest calculation.
   buildPhase = ''
     mkdir -p $out
-    sha256sum ${image} ${kernel} ${qemu-snp.bin} ${qemu-tdx.bin} ${containerd-shim-contrast-cc-v2} ${ovmf-snp} ${ovmf-tdx} | sha256sum | cut -d " " -f 1 > $out/launch-digest.hex
-    printf "contrast-cc-%s" "$(cat $out/launch-digest.hex | head -c 32)" > $out/runtime-handler
+    sha256sum ${image} ${kernel} ${qemu-tdx.bin} ${containerd-shim-contrast-cc-v2} ${ovmf-tdx} | sha256sum | cut -d " " -f 1 > $out/launch-digest-tdx.hex
+    cp $out/launch-digest-tdx.hex $out/runtime-hash-tdx.hex
+    sha256sum ${image} ${kernel} ${qemu-snp.bin} ${containerd-shim-contrast-cc-v2} ${ovmf-snp} | sha256sum | cut -d " " -f 1 > $out/launch-digest-snp.hex
+    cp $out/launch-digest-snp.hex $out/runtime-hash-snp.hex
   '';
   passthru = {
diff --git a/packages/by-name/microsoft/contrast-node-installer-image/package.nix b/packages/by-name/microsoft/contrast-node-installer-image/package.nix
index 15d5b16ed7..a7ea93fc12 100644
--- a/packages/by-name/microsoft/contrast-node-installer-image/package.nix
+++ b/packages/by-name/microsoft/contrast-node-installer-image/package.nix
@@ -2,7 +2,6 @@
 # SPDX-License-Identifier: AGPL-3.0-only
 {
-  lib,
   ociLayerTar,
   ociImageManifest,
   ociImageLayout,
@@ -26,13 +25,6 @@ let
     ];
   };
-  launch-digest = lib.removeSuffix "\n" (
-    builtins.readFile "${microsoft.runtime-class-files}/launch-digest.hex"
-  );
-  runtime-handler = lib.removeSuffix "\n" (
-    builtins.readFile "${microsoft.runtime-class-files}/runtime-handler"
-  );
-
   installer-config = ociLayerTar {
     files = [
       {
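Review bot: `launch-digest-{snp,tdx}.hex` is a sha256 over the `sha256sum` listing of host-side components (qemu, the shim, OVMF), not a measurement of the guest; the TODO acknowledges this, but the same file is consumed as `trustedMeasurement` by the reference values in packages/by-name/contrast/package.nix, so a genuine SNP or TDX launch measurement can never equal it. Make sure the verifier fails closed for these platforms rather than skipping the comparison, and say so next to the TODO: `# Placeholder: a fingerprint of the runtime components, not a guest measurement; attestation against it cannot succeed until the real digest is computed.` The `cp` lines also couple the handler-name hash to the launch digest, yet the handler should change whenever qemu or the shim changes, components a real launch measurement will presumably not cover, so keep `runtime-hash-*.hex` as the component fingerprint when the TODO is resolved instead of copying the digest.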
@@ -40,22 +32,21 @@ let
     files = [
       {
         url = "file:///opt/edgeless/share/kata-containers.img";
-        path = "/opt/edgeless/${runtime-handler}/share/kata-containers.img";
+        path = "@@runtimeBase@@/share/kata-containers.img";
       }
       {
         url = "file:///opt/edgeless/share/kata-containers-igvm.img";
-        path = "/opt/edgeless/${runtime-handler}/share/kata-containers-igvm.img";
+        path = "@@runtimeBase@@/share/kata-containers-igvm.img";
       }
       {
         url = "file:///opt/edgeless/bin/cloud-hypervisor-snp";
-        path = "/opt/edgeless/${runtime-handler}/bin/cloud-hypervisor-snp";
+        path = "@@runtimeBase@@/bin/cloud-hypervisor-snp";
       }
       {
         url = "file:///opt/edgeless/bin/containerd-shim-contrast-cc-v2";
-        path = "/opt/edgeless/${runtime-handler}/bin/containerd-shim-contrast-cc-v2";
+        path = "@@runtimeBase@@/bin/containerd-shim-contrast-cc-v2";
       }
     ];
-    runtimeHandlerName = runtime-handler;
     inherit (microsoft.runtime-class-files) debugRuntime;
   };
   destination = "/config/contrast-node-install.json";
@@ -116,7 +107,6 @@ let
       "annotations" = {
         "org.opencontainers.image.title" = "contrast-node-installer-microsoft";
         "org.opencontainers.image.description" = "Contrast Node Installer (Microsoft)";
-        "systems.edgeless.contrast.snp-launch-digest" = launch-digest;
       };
     };
   };
diff --git a/packages/by-name/microsoft/genpolicy/0004-genpolicy-regex-check-contrast-specific-layer-src-pr.patch b/packages/by-name/microsoft/genpolicy/0004-genpolicy-regex-check-contrast-specific-layer-src-pr.patch
index f7b2f4b93b..0d52d4652e 100644
--- a/packages/by-name/microsoft/genpolicy/0004-genpolicy-regex-check-contrast-specific-layer-src-pr.patch
+++ b/packages/by-name/microsoft/genpolicy/0004-genpolicy-regex-check-contrast-specific-layer-src-pr.patch
@@ -14,13 +14,12 @@ index 25c16bada..4f622a9f7 100644
 +++ b/src/tools/genpolicy/rules.rego
@@ -887,7 +887,7 @@ allow_storage_options(p_storage, i_storage, layer_ids, root_hashes) {
      i_count == p_count + 3
-
+     print("allow_storage_options 2: i_storage.options[0] =", i_storage.options[0])
-     i_storage.options[0] == "io.katacontainers.fs-opt.layer-src-prefix=/var/lib/containerd/io.containerd.snapshotter.v1.tardev/layers"
-+    regex.match(`io\.katacontainers\.fs-opt\.layer-src-prefix=/var/lib/containerd/io\.containerd\.snapshotter\.v1\.tardev-contrast-cc-[a-f0-9]{32}/layers`, i_storage.options[0])
-
++    regex.match(`io\.katacontainers\.fs-opt\.layer-src-prefix=/var/lib/containerd/io\.containerd\.snapshotter\.v1\.tardev-contrast-cc-(aks|k3s|rke2)-(qemu|clh)-(snp|tdx)-[a-f0-9]{8}/layers`, i_storage.options[0])
+     print("allow_storage_options 2: i_storage.options[i_count - 2] =", i_storage.options[i_count - 2])
      i_storage.options[i_count - 2] == "io.katacontainers.fs-opt.overlay-rw"
---
+--
 2.45.1
-
diff --git a/packages/by-name/microsoft/runtime-class-files/package.nix b/packages/by-name/microsoft/runtime-class-files/package.nix
index 98303f1a9a..8938b3a20c 100644
--- a/packages/by-name/microsoft/runtime-class-files/package.nix
+++ b/packages/by-name/microsoft/runtime-class-files/package.nix
@@ -11,6 +11,8 @@ let
   igvm = if debugRuntime then microsoft.kata-igvm.debug else microsoft.kata-igvm;
+  cloud-hypervisor-exe = lib.getExe microsoft.cloud-hypervisor;
+  containerd-shim-contrast-cc-v2 = lib.getExe microsoft.kata-runtime;
 in
 stdenvNoCC.mkDerivation {
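Review bot: The new pattern `tardev-contrast-cc-(aks|k3s|rke2)-(qemu|clh)-(snp|tdx)-[a-f0-9]{8}/layers` is unanchored, and as far as I know OPA's `regex.match` delegates to Go's regexp, which accepts a match anywhere in the string, so an option value with further path components after `/layers` or extra text before the prefix would still satisfy the rule; the replaced `{32}` pattern had the same weakness, so this is a good moment to close it. Anchor the expression, `regex.match(`^io\.katacontainers\.fs-opt\.layer-src-prefix=/var/lib/containerd/io\.containerd\.snapshotter\.v1\.tardev-contrast-cc-(aks|k3s|rke2)-(qemu|clh)-(snp|tdx)-[a-f0-9]{8}/layers$`, i_storage.options[0])`. The alternation also admits combinations this change does not ship (for example `aks-qemu-tdx`); if only the four handlers defined in packages/by-name/contrast/package.nix are valid, list them explicitly rather than the cross product. The `allow_storage_options` rule starts and ends outside this hunk.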
@@ -24,13 +26,16 @@ stdenvNoCC.mkDerivation {
   buildPhase = ''
     mkdir -p $out
     igvmmeasure -b ${igvm} | dd conv=lcase > $out/launch-digest.hex
-    printf "contrast-cc-%s" "$(cat $out/launch-digest.hex | head -c 32)" > $out/runtime-handler
+    sha256sum ${igvm} ${cloud-hypervisor-exe} ${containerd-shim-contrast-cc-v2}| cut -d " " -f 1 > $out/runtime-hash.hex
   '';
   passthru = {
-    inherit debugRuntime igvm;
+    inherit
+      debugRuntime
+      igvm
+      cloud-hypervisor-exe
+      containerd-shim-contrast-cc-v2
+      ;
     rootfs = microsoft.kata-image;
-    cloud-hypervisor-exe = lib.getExe microsoft.cloud-hypervisor;
-    containerd-shim-contrast-cc-v2 = lib.getExe microsoft.kata-runtime;
   };
 }
From 0eb46f1ba345011019ba148852e6b29479212600 Mon Sep 17 00:00:00 2001
From: Moritz Sanft <58110325+msanft@users.noreply.github.com>
Date: Thu, 1 Aug 2024 17:02:35 +0200
Subject: [PATCH 2/2] docs: update runtime-class references to new naming scheme
---
 docs/docs/examples/emojivoto.md | 2 +-
 docs/docs/troubleshooting.md | 10 +++-------
 2 files changed, 4 insertions(+), 8 deletions(-)
diff --git a/docs/docs/examples/emojivoto.md b/docs/docs/examples/emojivoto.md
index 55e0d355d7..d98d35f081 100644
--- a/docs/docs/examples/emojivoto.md
+++ b/docs/docs/examples/emojivoto.md
@@ -76,7 +76,7 @@ contrast generate --reference-values aks-clh-snp deployment/
 :::note[Runtime class and Initializer]
 The deployment YAML shipped for this demo is already configured to be used with Contrast.
-A [runtime class](https://docs.edgeless.systems/contrast/components/runtime) `contrast-cc-`
+A [runtime class](https://docs.edgeless.systems/contrast/components/runtime) `contrast-cc--`
 was added to the pods to signal they should be run as Confidential Containers.
 During the generation process, the Contrast [Initializer](../components/overview.md#the-initializer) will be added as an init container to these workloads to facilitate the attestation and certificate pulling before the actual workload is started.
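Review bot: `sha256sum ${igvm} ${cloud-hypervisor-exe} ${containerd-shim-contrast-cc-v2}| cut -d " " -f 1` writes three digests on three lines into `runtime-hash.hex`, and the handler helper in packages/by-name/contrast/package.nix takes `builtins.substring 0 8` of that file, so only the IGVM digest reaches the handler name; a cloud-hypervisor or shim update would keep the same `contrast-cc-aks-clh-snp-<hash>` and land in the previous runtime's install directory and reference-values slot, which is exactly what the per-component hash in the commit message is meant to prevent. The Kata variant folds the listing through a second `sha256sum`; do the same here, `sha256sum ${igvm} ${cloud-hypervisor-exe} ${containerd-shim-contrast-cc-v2} | sha256sum | cut -d " " -f 1 > $out/runtime-hash.hex`. Eight hex characters is fine for a name, but since the CLI keys its embedded reference values on it, a one-line comment noting that two shipped runtimes of the same platform must not share a prefix would document the assumption.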
diff --git a/docs/docs/troubleshooting.md b/docs/docs/troubleshooting.md
index c9c05a4b4c..d8248eebee 100644
--- a/docs/docs/troubleshooting.md
+++ b/docs/docs/troubleshooting.md
@@ -128,10 +128,7 @@ This should give you output similar to the following one.
 ```sh
 NAME HANDLER AGE
-contrast-cc-30bfa8706b542271ec9b7762bbb400af contrast-cc-30bfa8706b542271ec9b7762bbb400af 23d
-contrast-cc-4d70a6e266cca46dfa8e41d92874e638 contrast-cc-4d70a6e266cca46dfa8e41d92874e638 7d
-contrast-cc-b817659e094106f61bf6c178c27153ba contrast-cc-b817659e094106f61bf6c178c27153ba 2d19h
-contrast-cc-beee79ca916b9e5dc59602788cbfb097 contrast-cc-beee79ca916b9e5dc59602788cbfb097 121m
+contrast-cc-aks-clh-snp-7173acb5 contrast-cc-aks-clh-snp-7173acb5 23h
 kata-cc-isolation kata-cc 45d
 ```
@@ -149,8 +146,7 @@ kubectl -n get -o=jsonpath='{.spec.runtimeClassName}' pod/