flare-foundation/tee-node
Flare TEE server node

Flare TEE server node is a secure server implementation that runs inside a Trusted Execution Environment (TEE). It provides protocol-managed wallets and serves as a base for extensions.

API Reference

Features

  • Secure policy management within TEE
  • Policy signature verification and validation
  • Remote attestation with Google Cloud verification

Requirements

  • Go 1.25.1 or higher
  • Google Cloud Platform account with access to GCP Confidential Space (for attestation verification)

Local Setup and Installation

  1. Clone the repository:
git clone https://gitlab.com/flarenetwork/tee/tee-node
cd tee-node
  2. Install dependencies:
go mod download
  3. Build the server:
go build -o tee-node cmd/main.go

Usage

  1. Start the server:
./tee-node

Deploying the server in Google TEE

This guide explains how to deploy the Flare TEE server node on Google Cloud Platform (GCP) using Confidential Computing.

Prerequisites

  • Google Cloud CLI installed and configured
  • Appropriate GCP project permissions (should be done by default in flare-sandbox)
  • Service account with necessary permissions (should be done by default in flare-sandbox)

Hardware Options

The server supports two types of Confidential Computing hardware:

  • SEV: AMD SEV-SNP technology
  • TDX: Intel TDX technology

Build Docker container

On Intel/AMD (amd64) based machines, build from the repository root (the trailing "." is the build context):

docker build -t us-docker.pkg.dev/flare-network-sandbox/flare-tee/tee-node:latest --no-cache .

On Apple silicon (M1, M2, M3 processors):

docker buildx create --use
docker buildx build --platform linux/amd64 -t us-docker.pkg.dev/flare-network-sandbox/flare-tee/tee-node:latest . --no-cache --load

Set up Docker authentication for Artifact Registry

gcloud auth configure-docker us-docker.pkg.dev

Add image to Artifact Registry

docker push us-docker.pkg.dev/flare-network-sandbox/flare-tee/tee-node:latest

Deployment Steps

0. Delete the previous instance (if you had one running)

gcloud compute instances delete <INSTANCE-NAME> --zone us-central1-a

1. Create Confidential Computing Instance

gcloud compute instances create <INSTANCE-NAME> \
    --confidential-compute-type=<COMPUTE-TYPE> \
    --shielded-secure-boot \
    --scopes=cloud-platform \
    --zone=us-central1-a \
    --maintenance-policy=TERMINATE \
    --image-project=confidential-space-images \
    --image-family=<IMAGE-FAMILY> \
    --service-account=confidential-sa@flare-network-sandbox.iam.gserviceaccount.com \
    --tags=rpc-server,tee-ws \
    --metadata="^~^tee-image-reference=us-docker.pkg.dev/flare-network-sandbox/flare-tee/tee-node:latest"

Parameter Explanation

Parameter        Description                                          Example Value
<INSTANCE-NAME>  Unique instance identifier (preferably tied to you)  jure-test-tee1
<COMPUTE-TYPE>   Hardware type for Confidential Computing             SEV or TDX
<IMAGE-FAMILY>   Must match what you chose for COMPUTE-TYPE           confidential-space-debug

Important Flags

  • --confidential-compute-type: Specifies the TEE hardware type
  • --shielded-secure-boot: Enables secure boot for additional security
  • --scopes=cloud-platform: Grants necessary GCP API access
  • --service-account: Specifies the service account for the instance
  • --tags: Used for firewall rules targeting
  • --metadata: Specifies the container image to deploy
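As an added example (not code from the tee-node project), the following POSIX shell helpers assemble the --metadata argument used in step 1 and check its inputs before gcloud is called. The digest-pinning helper is an assumption of this example: the create command above references the image by the :latest tag, and a tag can point at a different image on the next boot, whereas an @sha256 digest identifies exactly one image.

```shell
# Added example, not part of the tee-node project: helpers for composing
# the gcloud --metadata argument from the deployment step above.

# The page lists SEV and TDX as the supported --confidential-compute-type values.
check_compute_type() {
  case "$1" in
    SEV|TDX) return 0 ;;
    *) echo "unsupported compute type: $1 (expected SEV or TDX)" >&2; return 1 ;;
  esac
}

# Pin an image reference by digest (repo@sha256:<64 hex chars>) instead of a
# mutable tag such as :latest, so the instance always boots the exact image
# that was reviewed and pushed. Assumption of this example, not a project rule.
pin_image() {
  repo=$1
  digest=$2
  hex=${digest#sha256:}
  if [ "$hex" = "$digest" ] || ! printf '%s' "$hex" | grep -Eq '^[0-9a-f]{64}$'; then
    echo "digest must look like sha256:<64 hex chars>, got: $digest" >&2
    return 1
  fi
  printf '%s@%s\n' "$repo" "$digest"
}

# gcloud's "^~^" prefix switches the key=value separator from "," to "~",
# which is why the create command above can pass a full image reference.
# Usage: build_metadata key=value [key=value ...]
build_metadata() {
  out='^~^'
  sep=''
  for kv in "$@"; do
    case "$kv" in
      ?*=*) ;;
      *) echo "metadata entry must be key=value, got: $kv" >&2; return 1 ;;
    esac
    out="$out$sep$kv"
    sep='~'
  done
  printf '%s\n' "$out"
}

# Example invocation with a constructed digest (not a real tee-node image digest):
# IMG=$(pin_image us-docker.pkg.dev/flare-network-sandbox/flare-tee/tee-node \
#       sha256:0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef)
# gcloud compute instances create my-tee --metadata="$(build_metadata "tee-image-reference=$IMG")" ...
```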

2. Configure Firewall Rules

The following command creates a firewall rule to allow gRPC traffic on port 50051. This needs to be executed only once per project. Note that the rule as written below opens TCP 8545 and targets <CUSTOM_TAG>: the port in --rules must match the port the node actually listens on, and the target tag must be one of the tags assigned to the instance (rpc-server or tee-ws in the create command above), otherwise the rule does not apply to it.

gcloud compute firewall-rules create allow-port-8545 \
    --network=default \
    --priority=1000 \
    --direction=INGRESS \
    --action=ALLOW \
    --rules=tcp:8545 \
    --source-ranges=0.0.0.0/0 \
    --target-tags=<CUSTOM_TAG>

⚠️ Security Note: The firewall rule above allows access from any IP (0.0.0.0/0). For production environments, restrict the source ranges to only the specific IPs that need access (data providers or other TEEs).

Run tests

Run all tests with

go test ./...
