Worker Confidence Level
Test your Intelยฎ SGX Capability
The confidence level impacts your workerโs score. Before configuring your worker, the necessary drivers are required, and the sgx-test
option determines your Intelยฎ SGX Capability alongside the confidence level.
This command will install ๐ณ Docker, the required Intelยฎ SGX drivers, and pull all the necessary Docker images for your Phala worker ๐ชจโ๏ธ.
Please follow the instruction during installation.
Information about the checks conducted during execution of the command:
SGX system software โ Able to launch enclaves โ
Production Mode
Flexible launch control โ
Able to launch production mode enclave
isvEnclaveQuoteStatus
andadvisoryIDs
(explained in the next section)
Among them, the first one is a must to run Phala Network pRuntime. If itโs not supported (tagged as โ in the report example below), we are afraid you canโt mine PHA with this setup. You may want to replace the motherboard and/or the CPU.
The latter two are not a must, though it is suggested to be checked as it would be essential to install the DCAP driver.
The example below shows a positive result:
If you can not run Phala pRuntime with both of them tagged as โ, you may have to check whether your BIOS is the latest version with latest security patches. If you still canโt run Phala pRuntime docker with the latest BIOS of your motherboard manufacturer, we are afraid you canโt mine PHA for now with this motherboard.
Your confidence level, referred to as the โTierโ in the table below, will appear in the last line of the report after executing sudo phala sgx-test
.
Confidence Level of a Worker
Tier 1
OK
None
Tier 2
SW_HARDENING_NEEDED
None
Tier 3
CONFIGURATION_NEEDED, CONFIGURATION_AND_SW_HARDENING_NEEDED
Whitelisted*
Tier 4
CONFIGURATION_NEEDED, CONFIGURATION_AND_SW_HARDENING_NEEDED
Some beyond the whitelist
Tier 5
GROUP_OUT_OF_DATE
Any value
The confidence level measures how secure the SGX Enclave execution environment is. Itโs determined by the Remote Attestation report from Intel. Among them, isvEnclaveQuoteStatus
indicates if the platform is vulnerable to some known problems, and advisoryIDs
indicates the actual affected problems.
Not all the advisoryIDs
are problematic. Some advisories doesnโt affect Phalaโs security assumption, and therefore are whitelisted:
INTEL-SA-00219
INTEL-SA-00334
INTEL-SA-00381
INTEL-SA-00389
Tier 1, 2, 3 are considered with the best security level because they are either not affected by any known vulnerability, or the adversary is known trivial. Itโs good to run highest valuable apps on these workers, for instance:
Financial apps: privacy-preserving DEX, DeFi ,etc
Secret key management: wallet, node KMS, password manager
Phala Gatekeeper
Tier 4, 5 are considered with reduced security, because these machines requires some configuration fix in the BIOS or BIOS firmware (CONFIGURATION_NEEDED, CONFIGURATION_AND_SW_HARDENING_NEEDED), or their microcode or the corresponding BIOS firmware are out-of-date (GROUP_OUT_OF_DATE). Therefore we cannot assume the platform is suitable for highest security scenarios. However itโs still good to run batch processing jobs, apps dealing with ephemeral privacy data, and traditional blockchain apps:
Data analysis jobs (e.g. Web3 Analytics)
On-chain PvP games
VPN
Web2.0 apps
Blockchain Oracle
DApps
Once Phala is open for developers to deploy their apps, there will be an option for them to choose which tiers they will accept. Since Tier 1, 2, 3 have better security, they can potentially get higher chance to win the confidential contract assignment. However, Tier 4, 5 are useful in other use cases, and therefore can be a more economic choice for the developers.
If your worker is in tier 4 or 5, please check the FAQ page for potential fixes.
Last updated