Teerex Pallet


The Teerex pallet is the remote attestation registry and verification pallet for Integritee blockchains and parachains. Attestation is the means by which a remote user ascertains that an application runs on real hardware in an up-to-date Trusted Execution Environment (TEE) with the expected initial state. It proves the trustworthiness of the SGX enclave; an attestation is called remote when the user certifies a TEE running on a remote physical machine.

The Teerex pallet is a pallet for Integritee that acts as a verified registry for SGX enclaves. Its goal is to provide public auditability of remote attestation of SGX enclaves. Given deterministic builds of enclave code, this pallet closes the trust gap from source code to the MRENCLAVE of an enclave running on a genuine Intel SGX platform.

Without needing a license with Intel, anyone can verify what code registered service providers execute and that it is executed with confidentiality. Because Litentry integrates this pallet, it acts as a public registry of remote-attested services.

The Teerex pallet also supports the upgrade of enclaves. An enclave can be upgraded to a new one at a specified height while preserving the integrity of the original data. In addition, the pallet supports Enhanced Privacy Identifier (EPID) and Data Center Attestation Primitives (DCAP) remote attestation.

EPID is the attestation protocol originally shipped with SGX: the user application runs in an SGX enclave on a remote untrusted machine, while the end user waits on a trusted machine for the attestation evidence from this enclave. DCAP is a software infrastructure provided by Intel as a reference implementation for remote attestation. It is a special SDK that allows for launching enclaves with Intel’s remote infrastructure, and it is backed by the DCAP-enabled SGX driver.

The pallet also functions as an indirect-invocation proxy for calls to the confidential state transition function executed in SGX enclaves off-chain.

Overall, the Teerex pallet is mainly responsible for packing the payload into a trustedCall in call_worker, e.g. when calling link_eth, which is an extrinsic from the SGX account linker pallet, or when querying the encrypted data in SGX.

For each extrinsic call in the Identity Management Pallet (IMP), a trustedCall needs to be constructed with the caller’s address and payload, e.g.

call_worker([TrustedCallSigned::Identitylink(caller-address, payload)])

The caller-address is the caller’s parachain account address. It is:

  • used as the primary key for storing ID-graph in TEE

  • used to verify the web2/web3validationData as the correct owner when verifying identities

Note that the payload is already encrypted, so it is double-encrypted (but with the same TEE’s shielding key).

The IMP has extrinsics/pub functions that only serve the purpose of broadcasting events. For every such method, an extrinsic in the Teerex pallet is required to call it. This extrinsic should have identical parameters, and internally it only calls its counterpart in the IMP. However, it should only allow a privileged origin, namely the enclave signing origin.

This means that only the enclave calls these methods, even though they are declared as “extrinsics”. These extrinsics include:

  • codeGenerated(<user-account>, <code>)

  • identityLinked(<user-account>, <identity-type>, <identity-address>)

  • identityUnlinked(<user-account>, <identity-type>, <identity-address>)

  • identityVerified(<user-account>, <identity-type>, <identity-address>)
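
The enclave-only origin check described above, as an added example: a standalone Rust model, not the Teerex pallet's or Litentry's code. The names `Origin`, `Teerex`, `register_enclave` and `ensure_enclave`, the error variants and the `u64` account type are assumptions made for illustration; only `identityLinked` and its parameters come from the page.

```rust
use std::collections::HashMap;
// Simplified stand-ins for runtime types (assumptions, not the pallet's definitions).
type AccountId = u64;
type MrEnclave = [u8; 32];

#[derive(Debug, PartialEq)]
enum Origin { Signed(AccountId), None }
#[derive(Debug, PartialEq)]
enum Error { BadOrigin, EnclaveNotRegistered }
#[derive(Debug, PartialEq)]
struct IdentityLinked { user: AccountId, identity_type: String, identity_address: String }

#[derive(Default)]
struct Teerex {
    enclaves: HashMap<AccountId, MrEnclave>, // enclave signer -> attested MRENCLAVE
    events: Vec<IdentityLinked>,             // stands in for events broadcast via the IMP
}

impl Teerex {
    // Hypothetical registration step; attestation verification itself is not modelled.
    fn register_enclave(&mut self, signer: AccountId, mrenclave: MrEnclave) {
        self.enclaves.insert(signer, mrenclave);
    }

    // Privileged-origin check: the call must be signed by a registered enclave account.
    fn ensure_enclave(&self, origin: &Origin) -> Result<AccountId, Error> {
        match origin {
            Origin::Signed(who) if self.enclaves.contains_key(who) => Ok(*who),
            Origin::Signed(_) => Err(Error::EnclaveNotRegistered),
            Origin::None => Err(Error::BadOrigin),
        }
    }

    // Same parameters as the IMP counterpart; forwards only after the origin check passes.
    fn identity_linked(&mut self, origin: Origin, user: AccountId,
                       identity_type: &str, identity_address: &str) -> Result<(), Error> {
        self.ensure_enclave(&origin)?;
        self.events.push(IdentityLinked { user, identity_type: identity_type.into(),
                                          identity_address: identity_address.into() });
        Ok(())
    }
}

fn main() {
    let mut teerex = Teerex::default();
    teerex.register_enclave(7, [0xAA; 32]); // constructed sample signer and MRENCLAVE
    println!("{:?}", teerex.identity_linked(Origin::Signed(7), 1, "web3", "0xabc"));
    println!("{:?}", teerex.identity_linked(Origin::Signed(1), 1, "web3", "0xabc"));
    println!("{:?}", teerex.identity_linked(Origin::None, 1, "web3", "0xabc"));
}
```

A call signed by an ordinary user account is rejected before any event is recorded, which is what keeps these publicly declared extrinsics enclave-only.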

In conclusion, the Teerex pallet in the parachain enables TEE workers to register, discover, and communicate with one another. Its main features are:

  • Acting as a verified registry that allows remote verification of SGX enclaves — providing public auditability.

  • Designed with confidentiality at its core to bridge the trust gap from source code to the running enclave and enable anyone to verify the code that is executed.

  • Acting as an indirect proxy for off-chain confidential state transition calls executed by SGX enclaves.

  • Supporting the upgrade of enclaves.

  • Supporting EPID and DCAP remote attestation.
