feat: Add cl_devices parameter for mounting host devices to CL containers

[dzobbe]

Summary

This PR adds support for mounting host devices (e.g., /dev/tpm0) into Consensus Layer (CL) containers. This enables use cases such as TPM (Trusted Platform Module) access for hardware-backed security features in CL clients like Lighthouse.

Changes

Configuration (network_params.yaml)

• Added cl_devices: [] parameter to participant structure
• Accepts a list of device paths (e.g., ["/dev/tpm0"])

Input Parser (src/package_io/input_parser.star)

• Added cl_devices: [] to default participant structure
• Added cl_devices to participant struct creation

Validation (src/package_io/sanity_check.star)

• Added cl_devices to participant validation lists
• Added to both PARTICIPANT_CATEGORIES and PARTICIPANT_MATRIX_PARAMS

CL Launchers

Updated all CL client launchers to pass devices to ServiceConfig:

• src/cl/lighthouse/lighthouse_launcher.star
• src/cl/lodestar/lodestar_launcher.star
• src/cl/nimbus/nimbus_launcher.star
• src/cl/prysm/prysm_launcher.star
• src/cl/teku/teku_launcher.star
• src/cl/grandine/grandine_launcher.star

Each launcher now includes:
if len(participant.cl_devices) > 0:
config_args["devices"] = participant.cl_devices### Package Configuration (kurtosis.yml)

• Updated package name to match repository location

Usage

Users can now specify devices in their network_params.yaml:
aml
participants:

• el_type: geth
  cl_type: lighthouse
  cl_devices: ["/dev/tpm0"]

  ... other configOr for multiple devices:

cl_devices: ["/dev/tpm0", "/dev/tpm1"]

Requirements

This feature requires a patched version of Kurtosis that includes device mounting support in ServiceConfig. The standard Kurtosis release does not yet support the devices field. A PR has been opened there.

Implementation Details

• Devices are passed through to Kurtosis ServiceConfig as a list of strings
• Each device path is mounted at the same path inside the container
• Empty list (default) results in no device mounts
• Works with all supported CL clients (Lighthouse, Lodestar, Nimbus, Prysm, Teku, Grandine)

Testing

• Added parameter to configuration structure
• Updated all CL launchers
• Added validation
• Requires testing with patched Kurtosis build

Related

This change enables hardware device access for CL containers, particularly useful for:

• TPM-based key management
• Hardware security modules (HSM)
• Other device-specific use cases

[barnabasbusa]

Have you validated that it works? As far as I know, this is not yet possible.

[dzobbe]

Have you validated that it works? As far as I know, this is not yet possible.

It works only with the needed changes in Kurtosis. I opened even there a PR kurtosis-tech/kurtosis#2845

[qu0b]

you're changing all the imports in your PR to point to your FORK? @dzobbe

[dzobbe]

Yeah that's right sorry. Let me wait for the PR to get merged first in kurtosis. And once that is done I will fix the imports and test it out.

[barnabasbusa]

Could you please also add el_devices/vc_devices to make it uniform across the board? Also please add the new flags into the readme, with a few line of description of what the values do.