Dev Letter #25 — A User Guide to iExec E2E Trusted Execution

*UPDATE 2019*

iExec V3 has now been released. Please refer to the official iExec technical documentation for an up to date guide on TEE end-to-end data encryption (with Intel SGX) using the iExec SDK.

*UPDATE 2019*

iExec V3 has now been released. Please refer to the official iExec technical documentation for an up to date guide on TEE end-to-end data encryption (with Intel SGX) using the iExec SDK.

Recently, iExec announced iExec’s End-to-End (E2E) Trusted Execution using Intel® SGX, providing full E2E data protection for blockchain-based computation. End-to-end protection means full protection of the application data, user data, embedded data as well as application output data. If a Dapp runs on a Blockchain-based decentralized cloud, all this data need to be strictly encrypted and protected. This Development letter acts as a guide introducing steps for users can get started and run an application protected by Intel® SGX, guaranteeing the security of the application data.

*Note: A demo video is given at the end of this article.

1. Prerequisites

You need to install Docker and the iExec SDK.

• Docker: Linux | Windows | MacOS
• iExec SDK: Linux/Windows/MacOS

Note: If using Linux OS, one extra post-installation step is required to get docker working without Sudo.

2. Run the iExec E2E Trusted Execution

This part guides you through how to run Intel® SGX based applications while guaranteeing the security of application data.

In order for the Intel® SGX solution to work, please use iExec SDK version 2.2.39

npm -g install iexec@2.2.39

You can now check you have installed the correct version:

iexec --version

Step 1 — iExec SDK init

Let’s start by creating an iExec project folder, and run the initializing command:

mkdir ~/iexecsgxdemo
cd ~/iexecsgxdemo
iexec init
iexec wallet getETH # ask faucet for ETH
iexec wallet getRLC # ask iExec faucet for nRLC 200 )
iexec account deposit 10000 # deposit nRLC on your iExec account, so you can buy work orders. Please ask for Kovan nRLC to the team on Slack.
iexec wallet show # show your Ethereum wallet balances
iexec account show # show your iExec account balances

Step 2 — Encryption and Data pushing

A new sgx subcommand has been added to the iExec SDK (full documentation here). Let’s use it to locally encrypt the input data + push it on a public file hosting service so that the worker can access it:

iexec tee init # create iExec trusted execution folders tree
For example, You can test with a blender input data here
cp iexec-rlc.blend ./tee/inputs # copy your input data to ./tee/inputs folder
iexec tee encryptedpush --application 0x2f3422f2805693cf741ee32707d57923ef6fa55f # encrypt input data and upload to public hosting, for a specific iExec application address which can found from the iExec Dapp Store.

Above command will return parameters string that is used in next step.

Step 3 — Trigger trusted application execution

Prepare work order and trigger the trusted application execution:

iexec order init --buy # init work order fields in iexec.json

Now open the iexec.json config file, and edit below two fields:

• “app”: “0x2f3422f2805693cf741ee32707d57923ef6fa55f” (Address of the TEE application you want to run, it can be copied from the iExec Dapp Store: click “#kovan” to copy the address)
• “cmdline”: “” (Fill here with the string returned by encryptedpush command)

Let’s list available market order IDs to buy from the iExec Marketplace ‘Orderbook’:

iexec orderbook show --category 5 # choose an order ID to buy

Select one from the above list and buy it to trigger the trusted application execution:

iexec order fill <orderID> # fill order using its ID from last command

Watch the progress of the submitted work, and download its result once completed:

iexec work show --watch --download encryptedOutputFiles.zip
mv encryptedOutputFiles.zip.none ./tee/encryptedOutputs/encryptedOutputFiles.zip

Please note that the user who triggered the task (i.e. SGX application) is the only one able to download the encrypted results.

When the application is triggered at remote Intel® SGX decentralized node, the application will automatically pull the encrypted user input data from remote file system (i.e. pushed in step-2); retrieve the secret key (based on the Session ID) from secret management server via secured Intel® SGX provision channel, which is then used to decrypt the user input data; the decrypted data can then be used to feed the application execution. The application result is encrypted by the secret key, and encrypted result is further signed by a secured private key for an attestation of the trusted execution, the signature is to be verified by Blockchain on-chain network. The procedure is done automatically in the trusted execution environment (i.e. Intel® SGX enclave) without any user intervention.

Step 4 — Decrypt results

The Last step, decrypt the result:

iexec tee decrypt # unzip + decrypt + move result into ./tee/outputs

That’s it! Your completed and secure result is now available and can be found in the ./tee/outputs folder.

Please note that only the corresponding user owns the key to decrypt the application output result.

Any questions? Feel free to join us on our slack and ask your question in the #beta-testers channel, where you will get support.