flashbots/flashtestations

Flashtestations

A protocol for allowing any TDX device to prove its output onchain.

Its first use case will be proving that blocks on the Unichain L2 were built using fair and transparent ordering rules.

System Components

  1. TEE Devices
  2. TEE Public Keys (these are used to identify and verify TEEs and their outputs)
  3. TEE Attestations (also called Quotes)
  4. Block Signature Transaction
  5. Governance Values

System Flows

  1. Registering a TEE Device (also referred to as a block builder)

    a. Should only be callable from a TEE-controlled address

    b. Verify TEE Quote

    c. Extract and store TEE address and workload info

    d. Set liveness (we want a way to indicate that a TEE device has not been active for a long period of time, and for that we use liveness)

  2. Verify Flashtestation transaction

    a. Check signature of transactions against registry of live builder keys

    b. Update TEE device liveness

  3. Deregistering a TEE Device

    b. Mark TEE device as "retired"
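
The three flows above as a small Python model, added here as an illustration and not taken from the FlashtestationRegistry contract. The liveness window, the `Registry`, `Builder` and `ParsedQuote` names, and the `constructed_verifier` stand-in for TDX quote verification are assumptions; signature recovery is not modeled.

```python
from dataclasses import dataclass
from typing import Callable, Dict

# Hypothetical value: the page lists "Governance Values" but does not name them.
LIVENESS_WINDOW_BLOCKS = 1000

@dataclass
class ParsedQuote:  # fields a quote verifier is assumed to return
    tee_address: str
    workload_id: str

@dataclass
class Builder:
    workload_id: str
    last_active_block: int
    retired: bool = False

def constructed_verifier(quote: bytes) -> ParsedQuote:
    # Constructed stand-in format "tag|address|workload"; not a real TDX v4 quote.
    tag, addr, workload = quote.decode().split("|")
    if tag != "valid":
        raise ValueError("quote failed verification")
    return ParsedQuote(addr, workload)

class Registry:
    def __init__(self, verify_quote: Callable[[bytes], ParsedQuote]):
        self.verify_quote = verify_quote
        self.builders: Dict[str, Builder] = {}

    def register(self, sender: str, quote: bytes, block: int) -> None:
        parsed = self.verify_quote(quote)                # 1b: verify the quote
        if sender != parsed.tee_address:                 # 1a: caller must be the TEE address
            raise PermissionError("sender is not the TEE-controlled address")
        self.builders[sender] = Builder(parsed.workload_id, block)  # 1c and 1d

    def is_live(self, addr: str, block: int) -> bool:
        b = self.builders.get(addr)
        return (b is not None and not b.retired
                and block - b.last_active_block <= LIVENESS_WINDOW_BLOCKS)

    def verify_flashtestation(self, signer: str, block: int) -> bool:
        # signer: address already recovered from the transaction signature
        if not self.is_live(signer, block):              # 2a: only live builder keys pass
            return False
        self.builders[signer].last_active_block = block  # 2b: refresh liveness
        return True

    def retire(self, addr: str) -> None:
        # Who may call this is not stated on the page, so no caller check is modeled.
        self.builders[addr].retired = True
```
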

Deploy

Set up your .env environment variables first, so that you can successfully run the deploy scripts described in detail below.

# fill in the necessary values for your .env. If confused, you can reference
# https://getfoundry.sh/guides/scripting-with-solidity
# to see what the values mean
cp env.sample .env

source .env

Unichain Sepolia

FlashtestationsRegistry

This is the primary contract of this repository. It allows TDX v4 devices to register themselves onchain with an Ethereum address/public key, such that later transactions from that address can be trusted to originate from a TEE.

source .env

forge script --chain 1301 script/FlashtestationRegistry.s.sol:FlashtestationRegistryScript --rpc-url $UNICHAIN_SEPOLIA_RPC_URL --broadcast --verify --interactives 1 -vvvv

BlockBuilderPolicy

A simple contract that allows your organization (e.g. Flashbots) to permission TEEs and their registered Ethereum addresses and workloadIds.

source .env

forge script --chain 1301 script/BlockBuilderPolicy.s.sol:BlockBuilderPolicyScript --rpc-url $UNICHAIN_SEPOLIA_RPC_URL --broadcast --verify --interactives 1 -vvvv

Interactions

RegisterTEEScript

This registers a TEE-controlled address using a quote generated by a v4 TDX device.

source .env

# Note: we pass '--skip-simulation' because of a bug where the forge EVM does not contain the precompiles necessary
# to execute the FlashtestationRegistry.registerTEEService, and so we need to skip simulating it locally
#
# Note: we need to use an RPC provider like Alchemy for the $UNICHAIN_SEPOLIA_RPC_URL argument, and we can't
# use https://sepolia.unichain.org, because this script makes so many gas-heavy calls that it will last
# longer than 128 blocks worth of time, at which point the full nodes at sepolia.unichain.org will start
# to return errors. We must use an RPC provider like Alchemy because they can service calls to archive nodes,
# which get around this problem.
forge script --chain 1301 script/Interactions.s.sol:RegisterTEEScript --rpc-url $UNICHAIN_SEPOLIA_RPC_URL --broadcast --verify --interactives 1 -vvvv --skip-simulation

AddWorkloadToPolicyScript

Add a workloadId that was previously registered with the RegisterTEEScript script above.

source .env

forge script --chain 1301 script/Interactions.s.sol:AddWorkloadToPolicyScript --rpc-url $UNICHAIN_SEPOLIA_RPC_URL --broadcast --verify --interactives 1 -vvvv
