Recently, iExec announced iExec’s End-to-End (E2E) Trusted Execution using Intel® SGX, providing full E2E data protection for blockchain-based computation. End-to-end protection means full protection of the application data, user data, embedded data as well as application output data. If a Dapp runs on a blockchain-based decentralized cloud, all of this data needs to be strictly encrypted and protected. This development letter is a guide to the steps users follow to get started and run an application protected by Intel® SGX, guaranteeing the security of the application data.
Note: A demo video is given at the end of this article.
You need to install Docker and the iExec SDK.
Note: If you are using Linux, one extra post-installation step is required to get Docker working without sudo.
2. Run the iExec E2E Trusted Execution
This part guides you through how to run Intel® SGX based applications while guaranteeing the security of application data.
In order for the Intel® SGX solution to work, please use iExec SDK version 2.2.39:
npm -g install iexec@2.2.39
You can now check you have installed the correct version:
Step 1 — iExec SDK init
Let’s start by creating an iExec project folder and running the initialization commands:
mkdir ~/iexecsgxdemo
cd ~/iexecsgxdemo
iexec init
iexec wallet getETH # ask faucet for ETH
iexec wallet getRLC # ask iExec faucet for nRLC (200)
iexec account deposit 10000 # deposit nRLC on your iExec account, so you can buy work orders. Please ask for Kovan nRLC to the team on Slack.
iexec wallet show # show your Ethereum wallet balances
iexec account show # show your iExec account balances
Step 2 — Encryption and Data pushing
A new sgx subcommand has been added to the iExec SDK (full documentation here). Let’s use it to encrypt the input data locally and push it to a public file hosting service so that the worker can access it:
iexec tee init # create iExec trusted execution folders tree
For example, you can test with a Blender input data file here:
cp iexec-rlc.blend ./tee/inputs # copy your input data to ./tee/inputs folder
iexec tee encryptedpush --application 0x2f3422f2805693cf741ee32707d57923ef6fa55f # encrypt input data and upload to public hosting, for a specific iExec application address which can be found in the iExec Dapp Store.
The above command returns a parameter string that is used in the next step.
Step 3 — Trigger trusted application execution
Prepare the work order and trigger the trusted application execution:
iexec order init --buy # init work order fields in iexec.json
Now open the iexec.json config file and edit the two fields below:
- "app": "0x2f3422f2805693cf741ee32707d57923ef6fa55f" (address of the TEE application you want to run; it can be copied from the iExec Dapp Store: click “#kovan” to copy the address)
- "cmdline": "" (fill in the string returned by the encryptedpush command)
Let’s list the available market order IDs to buy from the iExec Marketplace ‘Orderbook’:
iexec orderbook show --category 5 # choose an order ID to buy
Select one from the above list and buy it to trigger the trusted application execution:
iexec order fill <orderID> # fill order using its ID from last command
Watch the progress of the submitted work, and download its result once completed:
iexec work show --watch --download encryptedOutputFiles.zip
mv encryptedOutputFiles.zip.none ./tee/encryptedOutputs/encryptedOutputFiles.zip
Please note that the user who triggered the task (i.e. SGX application) is the only one able to download the encrypted results.
When the application is triggered on a remote Intel® SGX decentralized node, it automatically pulls the encrypted user input data from the remote file system (i.e. the data pushed in Step 2) and retrieves the secret key (based on the Session ID) from the secret management server via a secured Intel® SGX provisioning channel. The key is used to decrypt the user input data, and the decrypted data is then fed to the application execution. The application result is encrypted with the secret key, and the encrypted result is further signed with a secured private key as an attestation of the trusted execution; the signature is to be verified on-chain by the blockchain network. The whole procedure runs automatically in the trusted execution environment (i.e. the Intel® SGX enclave) without any user intervention.
Step 4 — Decrypt results
The last step is to decrypt the result:
iexec tee decrypt # unzip + decrypt + move result into ./tee/outputs
That’s it! Your completed and secure result is now available and can be found in the ./tee/outputs folder.
Please note that only the corresponding user owns the key to decrypt the application output result.
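The enclave-side flow described under Step 3 (decrypt the input, run the application, encrypt the result, sign the ciphertext) and the user-side decryption of Step 4 can be simulated locally. This is an added example, not iExec code: the article does not name iExec's algorithms, so the cipher (AES-256-CBC with PBKDF2), the signature scheme (ECDSA P-256), the upper-casing "application", the function names and the file names are all assumptions.

```bash
# Added illustration, not iExec code. Assumptions: OpenSSL 1.1.1 or later,
# AES-256-CBC with PBKDF2 as the cipher, ECDSA P-256 as the enclave signature,
# and an upper-casing "application". Function and file names are hypothetical.
set -eu

# Symmetric encryption helper keyed by the shared secret in $work/secret.key.
aes() { openssl enc -aes-256-cbc -pbkdf2 -pass "file:$work/secret.key" "$@"; }

# Usage: tee_roundtrip <input-text> [tamper]
# Prints the decrypted result, or REJECTED if the result signature is invalid.
tee_roundtrip() {
  work=$(mktemp -d)

  # User (Step 2): create the secret key and encrypt the input locally.
  openssl rand -hex 32 > "$work/secret.key"
  printf '%s' "$1" > "$work/input.txt"
  aes -in "$work/input.txt" -out "$work/input.enc"

  # Enclave: signing key pair; the private half stays inside the enclave.
  openssl ecparam -name prime256v1 -genkey -noout -out "$work/enclave.pem"
  openssl ec -in "$work/enclave.pem" -pubout -out "$work/enclave.pub" 2>/dev/null

  # Enclave: decrypt the input with the provisioned key, run the application,
  # encrypt the result with the same key, then sign the ciphertext.
  aes -d -in "$work/input.enc" -out "$work/plain.txt"
  tr 'a-z' 'A-Z' < "$work/plain.txt" > "$work/result.txt"
  aes -in "$work/result.txt" -out "$work/result.enc"
  openssl dgst -sha256 -sign "$work/enclave.pem" -out "$work/result.sig" "$work/result.enc"

  # Constructed failure case: modify the ciphertext after it was signed.
  if [ "${2:-}" = "tamper" ]; then printf 'x' >> "$work/result.enc"; fi

  # Verifier (on-chain in iExec, local here): check the signature over the
  # ciphertext; this needs neither the secret key nor the plaintext.
  if ! openssl dgst -sha256 -verify "$work/enclave.pub" \
       -signature "$work/result.sig" "$work/result.enc" >/dev/null 2>&1; then
    rm -rf "$work"; echo "REJECTED"; return 1
  fi

  # User (Step 4): only the holder of secret.key can read the result.
  aes -d -in "$work/result.enc"
  rm -rf "$work"
}
```

Because the signature covers the encrypted result, a verifier can reject a modified result without ever holding the decryption key, which is why the check can run publicly while the output stays readable only by the user.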
Any questions? Feel free to join us on our Slack and ask your question in the #beta-testers channel, where you will get support.