[CHECKLIST] TEE infra flow

Open drewstone opened this issue 7 months ago • 1 comments

Overview

The current flow for creating instances is to check if it's a docker source or a native binary source. If it's docker, we deploy it into a sandbox container. If it's a native binary we plan to launch it in a sandboxed hypervisor environment.

We can imagine a third flow, TEE. Let's say your blueprint has a docker-compose.yml and opts for the TEE source. We can add 2 or more potential flows to the blueprint manager.

  1. Deploy to Phala - receive an instance request, which is request args + encrypted env vars. The blueprint should by definition define its docker-compose.yml.
  2. Deploy to your own local / remote DStack-TEE - same flow as above, just without any PHALA API keys.

Resources

  • https://github.com/Dstack-TEE
  • https://github.com/Dstack-TEE/dstack
  • https://github.com/canonical/tdx

Overview of TEE

Think of it as secure hardware that is hard to penetrate. TL;DR: The hardware has a key that you can encrypt things into. The inside can decrypt it and process it; the outside can't see it unless, obviously, you log it to the outside world somehow.

New TEEs called TDX can run general VMs/docker compose systems. You submit a docker-compose.yml to the dstack cloud service and supply some encrypted environment variables, and the machines decrypt these env variables and run the docker services securely. This is useful for workloads that need secure, outsourced hosting and computation, wallet custody, etc.

Checklist

Blueprint

(See sub-issues below)

  • [ ] Allow blueprint manager to specify a TEE deployment target like Phala or Remote DStack
  • [ ] Deploy an MCP Blueprint Instance into TEE

Tangle

  • [ ] https://github.com/tangle-network/tangle/issues/1052

DApp

  • [x] https://github.com/tangle-network/dapp/issues/3055
  • [x] https://github.com/tangle-network/dapp/issues/3056

It is my understanding that TEE source blueprints MUST define a docker_compose.yml with a published set of images.

drewstone, May 19 '25 15:05

  • New deployment source on blueprints for TEEs
  • New path on blueprint manager for deploying TEE either into Phala or into a remote TDX machine running DStack

If everything compatible runs DStack, then it's a consistent flow.

drewstone, Jun 02 '25 15:06
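
The "encrypt to a key that only the inside can use" idea from the TEE overview above, as an added example that is not part of the issue and is not code from Tangle, Phala or dstack. The construction (X25519, a SHA-256 key derivation, AES-256-GCM) and the names `SealEnv`, `OpenEnv` and `aeadFor` are assumptions for illustration, not dstack's wire format, and a software key pair stands in for the key held by the hardware.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// aeadFor derives a one-message AES-256-GCM key via X25519 (the SHA-256 KDF is an assumption).
func aeadFor(priv *ecdh.PrivateKey, peer, ephPub *ecdh.PublicKey) (cipher.AEAD, error) {
	shared, err := priv.ECDH(peer) // errors if the peer key yields an all-zero secret
	if err != nil {
		return nil, err
	}
	key := sha256.Sum256(append(append([]byte("env-seal-v1"), shared...), ephPub.Bytes()...))
	block, _ := aes.NewCipher(key[:]) // cannot fail: the key is always 32 bytes
	return cipher.NewGCM(block)
}

// SealEnv runs outside the TEE; a fresh ephemeral key per call means the zero nonce never repeats.
func SealEnv(teePub *ecdh.PublicKey, env []byte) (*ecdh.PublicKey, []byte, error) {
	eph, err := ecdh.X25519().GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	g, err := aeadFor(eph, teePub, eph.PublicKey())
	if err != nil {
		return nil, nil, err
	}
	return eph.PublicKey(), g.Seal(nil, make([]byte, g.NonceSize()), env, nil), nil
}

// OpenEnv runs inside the TEE, the only place the private key exists.
func OpenEnv(teePriv *ecdh.PrivateKey, ephPub *ecdh.PublicKey, box []byte) ([]byte, error) {
	g, err := aeadFor(teePriv, ephPub, ephPub)
	if err != nil {
		return nil, err
	}
	return g.Open(nil, make([]byte, g.NonceSize()), box, nil) // fails on wrong key or tampering
}

func main() {
	tee, _ := ecdh.X25519().GenerateKey(rand.Reader) // constructed stand-in for the TEE's key pair
	ephPub, box, _ := SealEnv(tee.PublicKey(), []byte("API_KEY=constructed-value"))
	pt, err := OpenEnv(tee, ephPub, box)
	fmt.Printf("%s %v\n", pt, err)
}
```

The ephemeral public key travels with the ciphertext; anyone relaying the pair, such as the blueprint manager or the hosting operator, can neither read nor undetectably alter the env vars.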