Case study: Major European Bank
The customer is a major European bank with over 100,000 employees. The company’s blockchain division identified confidential computing as the ideal solution for securing a decentralized asset platform.
Blockchain consortia bring together companies to utilize blockchain technology for a collective goal. However, setting up and managing blockchain nodes across different organizations is extremely complex due to varying security protocols, integration capabilities, and project management approaches. In addition, having a blockchain network operated by a central party goes against the fundamental principles of blockchain.
Ensuring the integrity of a node is both a basic use case for confidential computing and a critical requirement for a blockchain network. Thus, the customer wanted to explore whether confidential computing can address these obstacles by simplifying the integration of new members into a distributed system, excluding the network provider from the network, and verifying the network’s integrity.
The proposed architecture based on confidential computing allows for the shared management of infrastructure and applications by a lead service provider, while transferring node ownership and control to the individual members.
For this project, we utilized secure enclaves based on Intel SGX to enhance security. The bank’s blockchain system, built with Node.js and packaged into containers, needed to operate easily within these secure enclaves. To achieve this, we used Gramine, an open-source tool that allows unmodified containers to run in SGX. (Gramine is similar to EGo, which is designed to run Go applications in SGX.)
Next, we tackled deployment and scaling within a Kubernetes environment. Each participant was given access to their own blockchain node, along with a service to confirm their node's integrity and authenticity. This was accomplished by integrating MarbleRun, an open-source solution designed to handle and verify distributed SGX applications, with native integration for the Gramine runtime. MarbleRun allows participants to confirm the validity of the entire system via a simple remote attestation API. Each node's ownership can be defined in a central manifest. This setup not only maintains the integrity of the system but also enables secure and simplified management. It ensures that even as the bank leads service provision and application orchestration, they are restricted from accessing individual blockchain nodes. This preserves autonomy and security for all consortium members, allowing for trustless participation in the distributed ledger.
Confidential computing was the perfect solution to secure the bank’s blockchain system. With the architecture and integration support of Edgeless Systems, getting the application running in a trusted execution environment, powered by confidential computing, took only 3 weeks. MarbleRun made attesting the entire blockchain network extremely easy and efficient.
Confidential computing should be the solution of choice for use cases involving decentralized attestation of a blockchain network. If you have any questions, please reach out to us!