Defines a mesh network of Trusted Execution Environments (TEEs) across Lux validators. Each participating validator runs an enclave (Intel SGX, AMD SEV-SNP, or ARM TrustZone) that performs confidential computation. Enclaves attest to each other via remote attestation, forming a trust mesh. The mesh executes privacy-sensitive operations (key generation, FHE computations, private state transitions) without exposing plaintext data to the host OS.
1. Each enclave generates an attestation report binding its identity to its TEE measurement.
2. Reports are submitted to the on-chain TEERegistry contract.
3. The registry verifies the report against known platform root keys (Intel/AMD/ARM CA certs stored on-chain).
4. Verified enclaves are added to the active mesh.
Enclaves establish pairwise encrypted channels using RA-TLS (Remote Attestation TLS). Each channel verifies the peer's attestation before completing the handshake. Communication uses Noise_XX protocol over QUIC.
Validators opt into the TEE mesh by:
1. Running the enclave binary alongside their validator node.
2. Submitting an attestation transaction to TEERegistry.
3. The registry verifies and adds the enclave to the mesh roster.
1. TEE side-channel attacks (Spectre, Foreshadow) are mitigated by microcode updates and enclave hardening.
2. Attestation reports expire after 24 hours and must be refreshed.
3. A compromised host cannot read enclave memory but can deny service. Mesh redundancy (t-of-n) tolerates f failures.
4. Platform root keys are updated via governance when Intel/AMD/ARM rotate their CA certificates.
github.com/luxfi/tee/ |github.com/luxfi/standard/contracts/tee/TEERegistry.sol |github.com/luxfi/tee/ratls/ |Copyright (C) 2024-2026, Lux Partners Limited. All rights reserved.
Licensed under the MIT License.