Possible problems with TDX attestation and the ability to change TSS account ID / endpoint #1058

ameba23 · 2024-09-19T10:04:20Z

#1051 introduces storing provisioning certification keys (PCKs), used for on-chain attestation the the TS server is running in a trusted domain.

The PCK is tied to the physical hardware the server runs on, so if a TS server moves, the PCK will need to change.

Since we have extrinsics which allow validators to change their associated TSS account ID and IP address, we need to allow them to also change their PCK. There are a few things to think about when implementing this:

If an endpoint (IP address) changes, probably the PCK must also change, so maybe this should be enforced by having a single extrinsic to update both of them.
When the PCK is changed, the same process of validating the PCK certificate must be carried out as when the validator joins initially. This part is not yet implemented.

ameba23 · 2024-09-19T10:04:57Z

Related to #982

ameba23 · 2024-10-01T06:06:34Z

Linking to another related issue: #1072

ameba23 self-assigned this Sep 19, 2024

ameba23 mentioned this issue Sep 19, 2024

Handle Provisioning Certification Keys (PCKs) #1051

Merged

HCastano added this to the v0.4.0 milestone Oct 18, 2024

HCastano added the Feature introduces a new feature label Oct 18, 2024

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Possible problems with TDX attestation and the ability to change TSS account ID / endpoint #1058

Possible problems with TDX attestation and the ability to change TSS account ID / endpoint #1058

ameba23 commented Sep 19, 2024

ameba23 commented Sep 19, 2024

ameba23 commented Oct 1, 2024

Possible problems with TDX attestation and the ability to change TSS account ID / endpoint #1058

Possible problems with TDX attestation and the ability to change TSS account ID / endpoint #1058

Comments

ameba23 commented Sep 19, 2024

ameba23 commented Sep 19, 2024

ameba23 commented Oct 1, 2024