search

integritee-network / worker

Integritee off-chain worker and sidechain validateer
Apache License 2.0
90 stars 47 forks source link

Storage in TEE #1435

Open amiyatulu opened 1 year ago

amiyatulu commented 1 year ago 
A trusted execution environment (TEE) is a secure area of a main processor. It helps code and data loaded inside it to be protected with respect to confidentiality and integrity. Data integrity prevents unauthorized entities from outside the TEE from altering data,

Although computation is performed within secure enclaves, the question arises: How can I store confidential data? In blockchain, large data is typically stored in IPFS. Is there a method for storing confidential data in IPFS, such as encrypting and storing it in IPFS, and then decrypting it within Trusted Execution Environments (TEEs) for computation? If this is possible, how should private encryption keys be managed in such a scenario? Furthermore, can this approach be scaled to handle large amounts of data, such as in machine learning?

Regarding sidechain storage example in TEE from docs. How is data stored in nodes or sidechain? Is it stored in every running node, or is it only stored in a few nodes?

// This should be put in the `ExecuteCall` implementation block.
TrustedCall::set_magic_value(value) => {
    // All the code here is executed in the scope of the `state.with` function, see:
    //
    //     https://github.com/integritee-network/worker/blob/master/app-libs/stf/src/stf_sgx.rs#L130
    // 
    // This gives you access to the underlying database via the `sp_io::storage` module.

    // Write value to state, which will be encrypted afterwards
    sp_io::storage::set(
        &storage_value_key("MyModule", "MyMagicValue"),
        &value.encode(),
    );

    Ok(())
},

// This should be put in the `ExecuteGetter` implementation block.
TrustedGetter::magic_value => {
    // All the code here is executed in the scope of the `state.with` function, see:
    //
    //     https://github.com/integritee-network/worker/blob/master/app-libs/stf/src/stf_sgx.rs#L146
    // 
    // This gives you access to the underlying database via the `sp_io::storage` module.

    // Read value from state, which has been dencrypted before the trusted getter execution.
    let maybe_value_encoded =
    sp_io::storage::get(&storage_value_key("MyModule", "MyMagicValue"));

    match maybe_value_encoded {
        Some(ref value) => debug!("Found Magic Value: {:?}", value),
    None => debug!("Magic Value not found!"),
    };

    maybe_value_encoded
},

If storing confidential data through IPFS possible, than it needs to be directly done in pallet node using iroh, instead of relying on third party services.

Also substrate do require a database surrealdb for offchain handling of data.

brenzi commented 1 year ago

The way to do encrypted storage is to encrypt data using a symmetric key which only the TEEs know. That key should be generated inside the enclave - in the best case using a distributed key generation among a set of enclaves. To access the data, the TEEs will perform the authentication and authorization. How you do this depends very much on your use case

IPFS is supported by our SDK (however, the feature may be a but dusty...) You can write and read encrypted data to IPFS and the blob is checked against the IPFS cid hash to guarantee integrity

Sidechain storage must be kept minimal and works differently. there, we use Intel SGX data sealing which makes sure that only the same enclave can access the data.

Please reach out to us to explore the best design for your use case