teeons

Project to explore reproducible enclave builds, in the context of TEEs (Trusted Execution Environments).

So far, the implementation focus has been on Intel SGX. Work is currently under way in the following repositories:

Resources

Nix

Guix

Bootstrappable Builds

Getting Started

From https://christine.website/blog/i-was-wrong-about-nix-2020-02-10:

Getting Help

https://nixos.org/community.html

misc

nix + rust

Nix vs Linux Standard Base

https://nixos.wiki/wiki/Nix_vs._Linux_Standard_Base

Nix Flakes

https://www.tweag.io/blog/2020-05-25-flakes/

Nix Roots

nix + docker

There are different ways to use Docker and Nix together. As far as I know, there are two main approaches:

  • Nix all-the-way: build docker images with nix.
  • Use Nix in a docker container, such that Nix is used to set build dependencies, and to be the basis for the build environment.

Docker images with Nix:

wiki: https://nixos.wiki/wiki/Docker

nixery

Container registry which transparently builds images using the Nix package manager

SGX

https://www.phoronix.com/scan.php?page=news_item&px=GNU-Assembler-LVI-Options

Three Paper Thursday: What’s Intel SGX Good For? Interesting blog post ...

Regarding PoET:

Unfortunately, this proposal suffers from a critical security economics issue: node maintainers here have a strong incentive to break into their own SGX chips. If an adversary managed to compromise their SGX, they could win the leader election at every round by setting the timeout to 0. The more valuable the network, the stronger the incentive to compromise your own platform.

Robust Round Robin & sybil attack prevention

Another approach is discussed: Efficient Blockchain Consensus with Robust Round Robin, which relies on Remote Attestation for establishing identities, which are then used to form a set of candidates from which a randomly selected node will get to broadcast the next block ... The paper is at https://arxiv.org/pdf/1804.07391.pdf

Another use case discussed is EnclaveDB (https://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=8418608)

Remote Attestation aka "RA"

Robust Round Robin / Sybil Attack Prevention https://arxiv.org/pdf/1804.07391.pdf

PoET

See discussion on PoET in Three Paper Thursday: What’s Intel SGX Good For?.

Sawtooth PoET

The Sawtooth PoET consensus engine implements a CFT (Crash Fault Tolerant) variant of PoET which does not use a TEE. A future version of the consensus engine which also implements full BFT (Byzantine Fault Tolerant) features using an SGX enclave is in development.

REM: Resource-Efficient Mining for Blockchains

https://eprint.iacr.org/2017/179.pdf

REM achieves security guarantees similar to PoW, but leverages the partially decentralized trust model inherent in SGX to achieve a fraction of the waste of PoW. Its key idea, Proof-of-Useful-Work (PoUW), involves miners providing trustworthy reporting on CPU cycles they devote to inherently useful workloads. REM flexibly allows any entity to create a useful workload. REM ensures the trustworthiness of these workloads by means of a novel scheme of hierarchical attestations that may be of independent interest.

To address the risk of compromised SGX CPUs, we develop a statistics-based formal security framework, also relevant to other trusted-hardware-based approaches such as Intel's Proof of Elapsed Time (PoET). We show through economic analysis that REM achieves less waste than PoET and variant schemes.

SGX Problems & Limitations

Frameworks

EActors

Companies/Services

SCONE: https://scontain.com/

We enable Confidential computing of containers and host programs using Intel SGX.