Confidence Level & SGX Function

Test your Intel® SGX Capability

The confidence level affects your worker’s score. The necessary drivers must be installed before you configure your worker; the sgx-test option then reports your Intel® SGX capability together with the confidence level.

sudo docker pull phalanetwork/phala-sgx_detect
sudo docker run -it --network host --device /dev/sgx_enclave --device /dev/sgx_provision  --device /dev/sgx_enclave:/dev/sgx/enclave --device /dev/sgx_provision:/dev/sgx/provision  phalanetwork/phala-sgx_detect

This command needs to install 🐳 Docker, the required Intel® SGX drivers, and pull all the necessary Docker images for your Phala worker 🪨⛏️.

  • Please follow the instructions during installation.

Information about the checks conducted during execution of the command:

  1. SGX system software → Able to launch enclaves → Production Mode

  2. Flexible launch control → Able to launch production mode enclave

  3. isvEnclaveQuoteStatus and advisoryIDs (explained in the next section)

Among them, the first one is a must to run Phala Network pRuntime. If it’s not supported (tagged as ✘ in the report example below), we are afraid you can’t contribute computing power with this setup. You may need to replace the motherboard and/or the CPU.

The latter two are not a must, though checking them is suggested, as they would be essential for installing the DCAP driver.

The example below shows a positive result:

Detecting SGX, this may take a minute...
✔  SGX instruction set
  ✔  CPU support
  ✔  CPU configuration
  ✔  Enclave attributes
  ✔  Enclave Page Cache
  SGX features
    ✔  SGX2  ✔  EXINFO  ✘  ENCLV  ✘  OVERSUB  ✘  KSS
    Total EPC size: 94.0MiB
✔  Flexible launch control
  ✔  CPU support
  ？ CPU configuration
  ✔  Able to launch production mode enclave
✔  SGX system software
  ✔  SGX kernel device (/dev/sgx/enclave)
  ✔  libsgx_enclave_common
  ✔  AESM service
  ✔  Able to launch enclaves
    ✔  Debug mode
    ✔  Production mode
    ✔  Production mode (Intel whitelisted)

You are all set to start running SGX programs!
Generated machine id:
[162, 154, 220, 15, 163, 137, 184, 233, 251, 203, 145, 36, 214, 55, 32, 54]

Testing RA...
aesm_service[15]: [ADMIN]EPID Provisioning initiated
aesm_service[15]: The Request ID is 09a2bed647d24f909d4a3990f8e28b4a
aesm_service[15]: The Request ID is 8d1aa4104b304e12b7312fce06881260
aesm_service[15]: [ADMIN]EPID Provisioning successful
isvEnclaveQuoteStatus = GROUP_OUT_OF_DATE
platform_info_blob { sgx_epid_group_flags: 4, sgx_tcb_evaluation_flags: 2304, pse_evaluation_flags: 0, latest_equivalent_tcb_psvn: [15, 15, 2, 4, 1, 128, 6, 0, 0, 0, 0, 0, 0, 0, 0, 0, 11, 0], latest_pse_isvsvn: [0, 11], latest_psda_svn: [0, 0, 0, 2], xeid: 0, gid: 2919956480, signature: sgx_ec256_signature_t { gx: [99, 239, 225, 171, 96, 219, 216, 210, 246, 211, 20, 101, 254, 193, 246, 66, 170, 40, 255, 197, 80, 203, 17, 34, 164, 2, 127, 95, 41, 79, 233, 58], gy: [141, 126, 227, 92, 128, 3, 10, 32, 239, 92, 240, 58, 94, 167, 203, 150, 166, 168, 180, 191, 126, 196, 107, 132, 19, 84, 217, 14, 124, 14, 245, 179] } }
advisoryURL = https://security-center.intel.com
advisoryIDs = "INTEL-SA-00219", "INTEL-SA-00289", "INTEL-SA-00320", "INTEL-SA-00329"
confidenceLevel = 5

If you cannot run Phala pRuntime with both of them tagged as ✔, check whether your BIOS is the latest version with the latest security patches. If you still can’t run the Phala pRuntime docker with the latest BIOS from your motherboard manufacturer, we are afraid you can’t contribute computing power for now with this motherboard.

Your confidence level, referred to as the “Tier” in the table below, will appear in the last line of the report after executing sudo phala sgx-test.

Confidence Level of a Worker

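| Level  | isvEnclaveQuoteStatus                                       | advisoryIDs               |
|--------|-------------------------------------------------------------|---------------------------|
| Tier 1 | OK                                                          | None                      |
| Tier 2 | SW_HARDENING_NEEDED                                         | None                      |
| Tier 3 | CONFIGURATION_NEEDED, CONFIGURATION_AND_SW_HARDENING_NEEDED | Whitelisted*              |
| Tier 4 | CONFIGURATION_NEEDED, CONFIGURATION_AND_SW_HARDENING_NEEDED | Some beyond the whitelist |
| Tier 5 | GROUP_OUT_OF_DATE                                           | Any value                 |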

The confidence level measures how secure the SGX Enclave execution environment is. It’s determined by the Remote Attestation report from Intel. In that report, isvEnclaveQuoteStatus indicates whether the platform is vulnerable to some known problems, and advisoryIDs indicates the actual problems that affect it.

Not all the advisoryIDs are problematic. Some advisories don’t affect Phala’s security assumption, and are therefore whitelisted:

  • INTEL-SA-00219

  • INTEL-SA-00334

  • INTEL-SA-00381

  • INTEL-SA-00389
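
The tier table and whitelist above can be applied mechanically to the last lines of the sgx-detect report. The following is an added example, not Phala's own code: the function names parse_report and classify are hypothetical, it assumes the report tail has the "key = value" layout of the sample output on this page, and it returns no tier for combinations the table does not list.

```python
import re

# Whitelist and tier rules copied from this page.
WHITELIST = {"INTEL-SA-00219", "INTEL-SA-00334", "INTEL-SA-00381", "INTEL-SA-00389"}
CONFIG_STATUSES = {"CONFIGURATION_NEEDED", "CONFIGURATION_AND_SW_HARDENING_NEEDED"}


def parse_report(text):
    """Extract quote status, advisory IDs and the reported level from the report text."""
    status = re.search(r"^isvEnclaveQuoteStatus\s*=\s*(\w+)", text, re.M)
    if status is None:
        raise ValueError("no isvEnclaveQuoteStatus line: remote attestation did not complete")
    adv_line = re.search(r"^advisoryIDs\s*=\s*(.*)$", text, re.M)
    advisories = set(re.findall(r"INTEL-SA-\d+", adv_line.group(1))) if adv_line else set()
    level = re.search(r"^confidenceLevel\s*=\s*(\d+)", text, re.M)
    return status.group(1), advisories, int(level.group(1)) if level else None


def classify(status, advisories):
    """Return (tier, advisories outside the whitelist); tier is None if the table has no row."""
    beyond = sorted(set(advisories) - WHITELIST)
    if status == "GROUP_OUT_OF_DATE":
        return 5, beyond                      # Tier 5 accepts any advisory value
    if status in CONFIG_STATUSES:
        return (4 if beyond else 3), beyond   # Tier 3 only if every advisory is whitelisted
    if status == "SW_HARDENING_NEEDED" and not advisories:
        return 2, beyond
    if status == "OK" and not advisories:
        return 1, beyond
    return None, beyond                       # combination not listed on this page


# Tail of the sample report shown earlier on this page.
SAMPLE = '''isvEnclaveQuoteStatus = GROUP_OUT_OF_DATE
advisoryURL = https://security-center.intel.com
advisoryIDs = "INTEL-SA-00219", "INTEL-SA-00289", "INTEL-SA-00320", "INTEL-SA-00329"
confidenceLevel = 5
'''

if __name__ == "__main__":
    status, advisories, reported = parse_report(SAMPLE)
    tier, beyond = classify(status, advisories)
    print(f"status={status} tier={tier} reported={reported}")
    print("advisories outside whitelist:", ", ".join(beyond) or "none")
```

The list of advisories outside the whitelist is the useful part for a Tier 4 worker: those are the entries to look up at the advisoryURL printed in the report.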

Tiers 1, 2 and 3 are considered to have the best security level because they are either not affected by any known vulnerability, or the adversary is known to be trivial. It’s good to run the most valuable apps on these workers, for instance:

  • Financial apps: privacy-preserving DEX, DeFi, etc.

  • Secret key management: wallet, node KMS, password manager

  • Phala Gatekeeper

Tiers 4 and 5 are considered to have reduced security, because these machines require some configuration fix in the BIOS or BIOS firmware (CONFIGURATION_NEEDED, CONFIGURATION_AND_SW_HARDENING_NEEDED), or their microcode or the corresponding BIOS firmware is out of date (GROUP_OUT_OF_DATE). Therefore we cannot assume the platform is suitable for the highest-security scenarios. However, it’s still good for running batch processing jobs, apps dealing with ephemeral privacy data, and traditional blockchain apps:

  • Data analysis jobs (e.g. Web3 Analytics)

  • On-chain PvP games

  • VPN

  • Web2.0 apps

  • Blockchain Oracle

  • DApps

Once Phala is open for developers to deploy their apps, there will be an option for them to choose which tiers they will accept. Since Tiers 1, 2 and 3 have better security, they potentially have a higher chance of winning the confidential contract assignment. However, Tiers 4 and 5 are useful in other use cases, and can therefore be a more economical choice for developers.

If your worker is in tier 4 or 5, please check the FAQ page for potential fixes.
