paritytech / polkadot-sdk

The Parity Polkadot Blockchain SDK
https://polkadot.network/

Secure collator mode #3387

Open tmpolaczyk opened 4 months ago

tmpolaczyk commented 4 months ago

Motivation

Validators can already run in secure mode. This hardens the validation process making it more difficult for malicious code to cause any harm if it escapes the wasm sandbox. See #1444 for more information. But collators do not have that option, they always run the runtime in the same process.

Request

We propose to add a secure collator mode, to help mitigate the risk of running untrusted runtimes. This could be beneficial for projects like tanssi in which collators rotate between several runtimes, or for sequencers that run L2s that might not necessarily trust the runtime, or even for full nodes or RPC providers that want to harden their security.

Solution

Since validation and collation have many similarities, most of the PVF code could be reused to support secure collators. This could be implemented as a new WasmExecutionMethod that's similar to "Compiled" but runs the code in a new process:

https://github.com/paritytech/polkadot-sdk/blob/3168ed4d6a305f22aef096e4fbf5a3622286ee61/substrate/client/cli/src/arg_enums.rs#L56

To avoid problems related to performance, this option can be disabled by default.

Are you willing to help with this request?

Yes!

bkchr commented 1 week ago

We propose to add a secure collator mode, to help mitigate the risk of running untrusted runtimes.

Everything is built around the assumption that the runtime is trusted code. Changing this assumption would probably require a lot of refactorings etc. Just running the code in some external process will not help that much. Why isn't the collator just running in some clean VM or similar to keep it isolated?