Binance Square
iExec RLC
1.2k Posts

iExec RLC

Square Verified+
Programmable Privacy for Web3.
0 Following
2.8K+ Followers
2.1K+ Liked
Posts
PINNED
·
--
Nox is now live on Ethereum testnet. Programmable Privacy coming to the home of EVM. RWA issuers & DeFi builders can now integrate confidentiality at an institutional level. ➡️ Start here: docs.iex.ec $RLC
Nox is now live on Ethereum testnet.

Programmable Privacy coming to the home of EVM.

RWA issuers & DeFi builders can now integrate confidentiality at an institutional level.

➡️ Start here: docs.iex.ec

$RLC
RWAs need confidentiality, selective disclosure, and auditability to actually scale onchain. Nox delivers all three as an EVM-native programmable privacy stack. Live on @Ethereum_official testnet and Arbitrum . Composable with the tools builders already use. Start here: https://trust.noxprotocol.io/
RWAs need confidentiality, selective disclosure, and auditability to actually scale onchain.

Nox delivers all three as an EVM-native programmable privacy stack. Live on @Ethereum testnet and Arbitrum .

Composable with the tools builders already use.

Start here:
https://trust.noxprotocol.io/
Why hasn't institutional capital moved fully onchain yet? ➡️ Configurable confidentiality. Transparent ledgers can’t handle corporate treasuries or institutional trading because every balance and transaction becomes public. Read from Arbitrum what the programmable economy actually needs: https://blog.arbitrum.io/confidentiality-for-the-programmable-economy/ $RLC
Why hasn't institutional capital moved fully onchain yet?

➡️ Configurable confidentiality.

Transparent ledgers can’t handle corporate treasuries or institutional trading because every balance and transaction becomes public.

Read from Arbitrum what the programmable economy actually needs: https://blog.arbitrum.io/confidentiality-for-the-programmable-economy/

$RLC
Since 2017, iExec has been building confidential computing infrastructure.⚡ Now Nox brings that experience to onchain finance. TEE expertise. Verifiable execution. Chain of Trust. All built for institutional DeFi and RWA workflows. $RLC
Since 2017, iExec has been building confidential computing infrastructure.⚡

Now Nox brings that experience to onchain finance.

TEE expertise.
Verifiable execution.
Chain of Trust.

All built for institutional DeFi and RWA workflows.

$RLC
I support privacy because... $RLC
I support privacy because...
$RLC
Repeat after me : The next chapter of finance is programmable. $RLC
Repeat after me :
The next chapter of finance is programmable.
$RLC
Before a confidential workload can be trusted, one question comes first: How do you know the right code is running on genuine confidential hardware? Our new technical article breaks down the first layer of Nox's Chain of Trust 👇
Before a confidential workload can be trusted, one question comes first:

How do you know the right code is running on genuine confidential hardware?

Our new technical article breaks down the first layer of Nox's Chain of Trust
👇
iExec RLC
·
--
TEE foundation and boot-time attestation
Author: Aghiles Ait Messaoud, PhD, Research Software Engineer working at iExec.

Introduction

The Nox protocol performs confidential computation over encrypted user data in off-chain services. For such a system to be trustworthy, a user must be convinced of a non-trivial property: that the code processing their data is exactly the code iExec claims to deploy, that it executes on genuine confidential-computing hardware, and that neither the cloud provider nor the protocol operator can observe or tamper with the data while it is being processed. Establishing this property requires a chain of trust, a sequence of cryptographically verifiable links connecting a hardware root of trust to the running workload.
This document is the first part of a series describing that chain of trust. It establishes its foundation: the Trusted Execution Environment (TEE) layer. We describe (i) the hardware substrate, Intel Trust Domain Extensions (TDX), which provides memory-encrypted, hardware-isolated Confidential Virtual Machines (CVMs) together with a signed measurement of their boot state; (ii) dstack, the open-source orchestration layer (developed by Phala Network) that boots, supervises and gates these CVMs; and (iii) how the two are combined to deploy the Nox off-chain components so that every CVM is provably running the expected code before it is granted access to any secret. (iv) We close by discussing Proof-of-Cloud as a complementary seal that binds an attested platform to a known physical hosting environment.
Subsequent parts build on this foundation to cover runtime attestation surfaced to end users, source-code binding, and on-chain governance of the authorized measurements. The present part deliberately limits its scope to the TEE foundation and to boot-time attestation.
The remainder of this document is organised as follows. In Background, we introduce the Nox protocol, define what we mean by a chain of trust, and present the two building blocks of its foundation, Intel TDX and dstack. In Dstack deployment for Nox, we describe how these are instantiated on a TDX host and how the resulting boot-time verification gates every CVM before it receives any secret. In Proof-of-Cloud as a Hardware Provenance Seal, we discuss the complementary seal that ties an attested platform to its physical hosting environment. Finally, the Appendix details the boot sequences of the dstack-KMS, gateway and business CVMs.

Background

In this section, we establish the context and vocabulary used throughout the document. We first introduce the Nox protocol and the components that must be protected, then define the chain of trust, and finally present the two technologies its foundation builds on: Intel TDX at the hardware level and dstack at the orchestration level.

Nox protocol

Nox Protocol ( https://docs.noxprotocol.io/getting-started/welcome ) is iExec's confidential-computation protocol for decentralized finance (DeFi). It acts as a privacy layer that lets smart contracts operate on encrypted data without ever exposing plaintext on-chain, by combining on-chain smart contracts with off-chain Trusted Execution Environments based on Intel TDX. Confidential values are referenced on-chain through opaque handles while the corresponding ciphertext is processed off-chain inside enclaves, so that applications retain full composability with the existing DeFi ecosystem: confidential ERC-7984 tokens remain ERC-20-compatible, contracts are written in standard Solidity, and end users transact from ordinary Ethereum wallets.

The protocol rests on three concepts.
A handle is a 32-byte identifier that acts as a secure pointer to an encrypted value stored off-chain, rather than the ciphertext itself.
An on-chain Access Control List (ACL) governs which addresses may use a handle as a computation input or decrypt its underlying data, enabling selective disclosure to authorized parties such as auditors while privacy is preserved by default.
The computation on confidential data itself takes place inside Intel TDX enclaves, so that even the infrastructure operator cannot read the plaintext during execution.

Operationally, Nox coordinates six components: the on-chain smart contracts (notably the NoxCompute library and the ACL), an event listener (Ingestor), a message queue (NATS), a computation engine (Runner), an encrypted data store (Handle Gateway), and a key-management service (KMS). A confidential operation follows three phases: input, compute and output.
In the input phase, a user encrypts a value through the Handle Gateway (which stores the ciphertext and returns a handle with an EIP-712 proof) and calls a contract using the NoxCompute library, which validates the handles, derives a deterministic result handle and emits an event. In the compute phase, the Ingestor relays the event through NATS to a Runner, which fetches the operands, decrypts them inside the enclave via a decryption-delegation protocol with the KMS, executes the operation, and stores the re-encrypted result. In the output phase, an authorised user retrieves the ciphertext and decrypts it locally. Encryption relies on ECIES over secp256k1 with the KMS public key, and the KMS itself never handles plaintext: it only delegates decryption to the legitimate recipient by encrypting the ECDH shared secret under the requester's ephemeral key.
Several of these off-chain services handle sensitive material in clear within their address space, plaintext operands in the Runner, input plaintext and ciphertext in the Handle Gateway, and the protocol private key in the KMS. Protecting their confidentiality and integrity is the central security concern that the chain of trust addresses, which is why each is deployed as a TDX confidential workload whose boot-time verification is described in this document.

Chain of Trust

We define the chain of trust as the set of mechanisms that establishes a verifiable bridge of confidence between an end user and iExec, a sequence of links, each independently checkable, such that an external party can conclude, end to end, that a given Nox component is genuinely running the expected code on genuine confidential hardware. The foundational link, and the subject of this part, is boot-time verification: the guarantee that a CVM cannot obtain the secrets it needs to operate unless it has booted a known operating-system image and a known application stack on attested TDX hardware. The higher links of the chain, surfacing this evidence to users, binding the running images to public source code, and anchoring the set of authorized measurements on-chain, are treated in later parts.

Intel TDX

Intel Trust Domain Extensions (TDX) is a capability of recent Intel Xeon processors that lets a virtual machine run as a Trust Domain (TD), isolated from the host operating system, the hypervisor and the cloud operator. Two properties make TDX a suitable root of trust for Nox.
First, confidentiality and integrity of runtime state: the CPU transparently encrypts the memory of each TD, so that neither the host nor a privileged operator can read or undetectably modify the guest's memory. Each Nox service therefore runs inside a hardware-isolated CVM whose runtime state is opaque to the hosting provider.

Second, measured boot and remote attestation: as a TD is launched, the BIOS and the TDX module measure its initial state into a set of registers, the static measurement MRTD and the runtime-extendable registers RTMR[0..3], recorded in a signed TD-Report. From this report the platform produces a quote, signed through Intel's Data Center Attestation Primitives (DCAP) and chaining up to the Intel SGX Root CA. A remote verifier validates this quote to obtain a hardware-backed statement of which code the TD runs, and evaluates the platform's Trusted Computing Base (TCB) status against Intel collateral, accepting only an up-to-date TCB.

Running TDX in production imposes a hardware baseline. Nox runs only on bare-metal servers satisfying Intel's TDX enabling guide, summarised below.

Dstack

dstack ( Dstack ) : Open framework for confidential AI) is the open-source orchestration layer, developed by Phala Network, that operates CVMs on top of TDX. It removes the need to manage Trust Domains by hand and provides the gating mechanism on which boot-time verification rests. Its main components are a Virtual Machine Monitor (VMM) and supervisor that boot and supervise CVMs from a measured, reproducible dstack OS image; a KMS CVM that derives application keys inside the enclave and decides which workloads may boot by checking their measurements against a whitelist; and a Gateway CVM that terminates public TLS (with automatic ACME certificates) and reverse-proxies traffic to each registered CVM over an encrypted WireGuard overlay, load-balancing natively between CVMs that share the same application identifier (appId). dstack also offers an optional on-chain authorization contract (DstackKms) able to whitelist OS-image and per-application compose hashes, a capability that Nox has deliberately not yet enabled, the corresponding whitelist being held off-chain at this stage.

Dstack deployment for Nox

This section describes how the foundation above is instantiated for the Nox protocol, and how it yields the boot-time verification guarantee.

General architecture

In this section, we give an overview of how dstack is deployed on a TDX host to run the Nox components, before describing each element in turn. The diagram below shows the overall layout; the tables that follow detail the components running on the host and those composing a single Nox CVM.

dstack architecture for Nox protocol

TDX Host components

Nox CVM component

Proof-of-Cloud as a Hardware Provenance Seal

Measured boot and remote attestation establish what code a CVM runs and that it runs on genuine Intel TDX silicon. They do not, by themselves, establish where that silicon is, the physical and operational provenance of the host. Proof-of-Cloud is the complementary seal that addresses this gap: it binds an attested TDX platform to a known, reputable hosting environment, extending the hardware root of trust with evidence about the provenance of the machine itself.
In the current Nox fleet this property is tracked per node. The testnets fleet runs two TDX nodes, node1, hosted at OVH, and node2, hosted at phoenixNAP, of which node1 carries a Proof-of-Cloud seal and node2 does not. The distinction is meaningful for an external verifier: where present, Proof-of-Cloud raises the cost of a relocation or substitution attack by tying the attested platform to a provider's verified infrastructure, rather than relying on the quote alone to vouch for an otherwise anonymous host.
Concretely, Proof-of-Cloud is coordinated by the Proof of Cloud Alliance (https://proofofcloud.org/), a vendor-neutral group, of which iExec is a member, that maintains a signed, append-only registry binding TEE hardware identities (an Intel DCAP PPID , in case of TDX, extracted from the attestation quote) to independently verified physical facilities. Member organisations cross-verify each location during a dedicated whitelisting ceremony and when pushing a new entry to PPID registry so that a verifier can establish not only that a workload runs on genuine TDX silicon but also that this silicon sits in a facility multiple independent parties have vouched for.
Within the chain of trust, Proof-of-Cloud should be read as a provenance complement to, not a replacement for, TDX attestation: TDX attests the integrity and identity of the execution environment, while Proof-of-Cloud attests the integrity of its hosting context. Together they reinforce the foundational claim on which the remaining links of the chain, runtime attestation, source-code binding and on-chain governance, are built.

Appendixdstack-kms Boot Sequence

The full sequence diagram for dstack-kms boot is available at dstack/docs/kms-boot-sequence.md at master · iExec-Nox/dstack The diagram traces the boot of the dstack-KMS CVM with the local SGX key provider. In summary:
CVM boot and measurement. The VMM starts the KMS CVM under TDX; the CVM boots the dstack OS image and runs dstack-prepare.sh , which measures the application info (the compose_hash, the derived app_id and the instance_id) and emits a runtime event that extends these values into RTMR[3].
Sealing-key request. The script generates an ephemeral keypair and a TDX quote carrying its public key in report_data, then calls the host API over VSOCK, which forwards the request to the SGX key provider (gramine-sealing-key-provider) on localhost:3443.
Mutual attestation and key release. The SGX key provider verifies the KMS TDX quote, derives a sealing key bound to the KMS measurements (MRTD + RTMR[0..3]) and to the hardware, encrypts it under the CVM's public key, and returns it together with its own SGX quote. The CVM verifies that SGX quote, collateral through the PCCS, TCB status, and that report_data commits to the encrypted key, then decrypts the sealing key with its private key.
Key derivation. From the sealing key the CVM derives its application keys (the app_key used to self-sign an RA-TLS certificate, the disk_crypt_key, and a secp256k1 key) and, if a key_provider_id is pinned in app-compose.json, checks that the provider's MR enclave matches the expected value.
Disk mount and container start. The CVM mounts its encrypted disk with the disk_crypt_key, persists the derived app keys, and starts the KMS container through docker-compose.
KMS initialization. If root keys already exist on the encrypted disk they are simply reloaded. On a first boot, one of two paths is taken: Bootstrap (the first KMS): it generates fresh root keys (root CA, secp256k1 root, RPC key and a temporary CA), self-signs its certificates and persists them, no authorization check is performed, since this instance is the origin of the root keys. Onboarding (any subsequent KMS): it obtains a temporary-CA-signed RA-TLS certificate from an existing KMS and requests the root keys over mTLS. The source KMS verifies the requester's TDX attestation and calls the Boot Authorization server (POST /bootAuth/kms), which authorizes only if the TCB is up to date and the OS-image hash, the aggregated measurement and the device id match the kms entry of auth-config.json. On success the root keys are returned and stored; otherwise onboarding aborts and the KMS does not start.
Service ready. The KMS regenerates its certificates from the stored keys (with a fresh TDX attestation) and starts its HTTPS service (container port 8000, exposed as 9201 on the host).
In short, the KMS obtains its sealing key only after proving its measured identity to the SGX key provider, and a non-bootstrap KMS additionally requires Boot Authorization server approval before receiving the protocol root keys.

Business CVM boot Sequence

The full sequence diagram for business CVM (app CVM) boot is available at dstack/docs/app-boot-sequence.md at master · iExec-Nox/dstack The diagram traces the boot of a business (application) CVM, which provisions its keys like the gateway and then additionally joins the WireGuard overlay. In summary:
CVM boot and measurement. The VMM starts the app CVM under TDX; it boots the dstack OS image and runs dstack-prepare.sh, which measures the application info (compose_hash, the derived app_id, instance_id) and extends these values into RTMR[3].
App-key request with mutual attestation. The CVM obtains a temporary CA certificate (and the KMS ca_cert) from the KMS, builds an RA-TLS client certificate embedding its TDX quote, and calls GetAppKey over mTLS. It verifies the KMS server certificate (special_usage == "kms:rpc", emitting mr-kms to RTMR[3]), while the KMS verifies the CVM's attestation from the client certificate.
Authorization. The KMS extracts the boot info and calls the Boot Authorization server (POST /bootAuth/app), which applies the same five checks, tcb_status up to date, and os_image_hash, app_id, compose_hash and device id matching auth-config.json. On refusal the CVM reboots or shuts down.
Key derivation and disk mount. On success the KMS derives the per-app keys from its root keys, disk_crypt_key = HKDF(ca_key, app_id + instance_id + …), env_crypt_key = x25519(HKDF(ca_key, app_id + …)) and k256_key, and returns them with the gateway_app_id. The CVM optionally checks key_provider_id, saves the keys, mounts the encrypted disk with disk_crypt_key, and emits a system-ready event.
Post-mount setup and env decryption. Encrypted environment variables are decrypted with env_crypt_key (x25519 Diffie-Hellman + AES-256-GCM) and written to /dstack/.decrypted_env; the guest agent is configured.
Gateway registration (WireGuard). Unlike the gateway CVM, the app CVM joins the WireGuard overlay through which it is reached: it requests a KMS-signed RA-TLS client certificate (SignCert), connects to the gateway over mTLS (verifying the gateway's app_id matches the gateway_app_id returned by the KMS), and calls RegisterCvm with its WireGuard public key. The gateway verifies the app's identity, allocates a WireGuard IP and returns the peer configuration, after which the CVM brings up its dstack-wg0 interface.
Containers up. docker-compose starts the application container(s); at runtime the app can optionally use the guest agent over /var/run/dstack.sock to derive purpose-specific keys (get_key), obtain a KMS-signed TLS certificate (get_tls_key), or fetch a TDX quote for remote attestation (get_quote). In short, an application CVM follows the same attested, authorized key-provisioning path as the gateway, and then registers with the gateway to enter the encrypted WireGuard network that fronts it.

Environment variables cryptographic state

The full sequence diagram for encrypting and decrypting secret environment variables is available here : Link
Secret environment variables are encrypted by the operator before deployment and decrypted only inside the attested CVM, so that neither the VMM nor the KMS ever sees their plaintext. In summary:
Get the encryption public key. From the compose file the operator computes the app_id and calls the KMS (GetAppEnvEncryptPubKey). The KMS derives a per-app X25519 key pair deterministically, secret = HKDF(ca_key, app_id + "env-encrypt-key"), and returns the public half (env_public_key) together with a k256_root signature over it, which the operator verifies against the whitelisted signer. Encrypt the variables (operator side). The operator serialises the .env file to JSON, generates an ephemeral X25519 key pair, computes a shared secret by Diffie-Hellman with env_public_key, and encrypts the JSON with AES-256-GCM under a random 12-byte IV. The packed blob is eph_public_key (32 B) || IV (12 B) || ciphertext. Deploy. The operator passes the hex-encoded blob to the VMM (CreateVm), which stores it in host-shared/ and never decrypts it. CVM boot. The VMM starts the CVM under TDX; the CVM loads the encrypted blob from host-shared/. Get the decryption key. During key provisioning the CVM calls GetAppKey over the attested mTLS channel; after verifying attestation and authorization, the KMS derives the same key pair and returns the private half as env_crypt_key. Decrypt (CVM side). The CVM splits the blob back into eph_public_key, IV and ciphertext, recomputes the identical shared secret by Diffie-Hellman with env_crypt_key (the X25519 property guarantees both sides agree), decrypts with AES-256-GCM, filters the result against allowed_envs from app-compose.json, and writes it to /dstack/.decrypted_env for the containers.

The construction provides confidentiality (only the attested CVM holding env_crypt_key can decrypt), integrity (AES-GCM detects tampering), forward secrecy (each deployment uses a fresh ephemeral key that is then discarded), and blindness of both the VMM (which only stores the ciphertext) and the KMS (which only serves keys). The env_crypt_key is app-specific, derived from app_id alone, so every instance of the same app shares it, while different apps cannot read one another's variables.

$RLC
Verified
Article
TEE foundation and boot-time attestationAuthor: Aghiles Ait Messaoud, PhD, Research Software Engineer working at iExec. Introduction The Nox protocol performs confidential computation over encrypted user data in off-chain services. For such a system to be trustworthy, a user must be convinced of a non-trivial property: that the code processing their data is exactly the code iExec claims to deploy, that it executes on genuine confidential-computing hardware, and that neither the cloud provider nor the protocol operator can observe or tamper with the data while it is being processed. Establishing this property requires a chain of trust, a sequence of cryptographically verifiable links connecting a hardware root of trust to the running workload. This document is the first part of a series describing that chain of trust. It establishes its foundation: the Trusted Execution Environment (TEE) layer. We describe (i) the hardware substrate, Intel Trust Domain Extensions (TDX), which provides memory-encrypted, hardware-isolated Confidential Virtual Machines (CVMs) together with a signed measurement of their boot state; (ii) dstack, the open-source orchestration layer (developed by Phala Network) that boots, supervises and gates these CVMs; and (iii) how the two are combined to deploy the Nox off-chain components so that every CVM is provably running the expected code before it is granted access to any secret. (iv) We close by discussing Proof-of-Cloud as a complementary seal that binds an attested platform to a known physical hosting environment. Subsequent parts build on this foundation to cover runtime attestation surfaced to end users, source-code binding, and on-chain governance of the authorized measurements. The present part deliberately limits its scope to the TEE foundation and to boot-time attestation. The remainder of this document is organised as follows. In Background, we introduce the Nox protocol, define what we mean by a chain of trust, and present the two building blocks of its foundation, Intel TDX and dstack. In Dstack deployment for Nox, we describe how these are instantiated on a TDX host and how the resulting boot-time verification gates every CVM before it receives any secret. In Proof-of-Cloud as a Hardware Provenance Seal, we discuss the complementary seal that ties an attested platform to its physical hosting environment. Finally, the Appendix details the boot sequences of the dstack-KMS, gateway and business CVMs. Background In this section, we establish the context and vocabulary used throughout the document. We first introduce the Nox protocol and the components that must be protected, then define the chain of trust, and finally present the two technologies its foundation builds on: Intel TDX at the hardware level and dstack at the orchestration level. Nox protocol Nox Protocol ( https://docs.noxprotocol.io/getting-started/welcome ) is iExec's confidential-computation protocol for decentralized finance (DeFi). It acts as a privacy layer that lets smart contracts operate on encrypted data without ever exposing plaintext on-chain, by combining on-chain smart contracts with off-chain Trusted Execution Environments based on Intel TDX. Confidential values are referenced on-chain through opaque handles while the corresponding ciphertext is processed off-chain inside enclaves, so that applications retain full composability with the existing DeFi ecosystem: confidential ERC-7984 tokens remain ERC-20-compatible, contracts are written in standard Solidity, and end users transact from ordinary Ethereum wallets. The protocol rests on three concepts. A handle is a 32-byte identifier that acts as a secure pointer to an encrypted value stored off-chain, rather than the ciphertext itself. An on-chain Access Control List (ACL) governs which addresses may use a handle as a computation input or decrypt its underlying data, enabling selective disclosure to authorized parties such as auditors while privacy is preserved by default. The computation on confidential data itself takes place inside Intel TDX enclaves, so that even the infrastructure operator cannot read the plaintext during execution. Operationally, Nox coordinates six components: the on-chain smart contracts (notably the NoxCompute library and the ACL), an event listener (Ingestor), a message queue (NATS), a computation engine (Runner), an encrypted data store (Handle Gateway), and a key-management service (KMS). A confidential operation follows three phases: input, compute and output. In the input phase, a user encrypts a value through the Handle Gateway (which stores the ciphertext and returns a handle with an EIP-712 proof) and calls a contract using the NoxCompute library, which validates the handles, derives a deterministic result handle and emits an event. In the compute phase, the Ingestor relays the event through NATS to a Runner, which fetches the operands, decrypts them inside the enclave via a decryption-delegation protocol with the KMS, executes the operation, and stores the re-encrypted result. In the output phase, an authorised user retrieves the ciphertext and decrypts it locally. Encryption relies on ECIES over secp256k1 with the KMS public key, and the KMS itself never handles plaintext: it only delegates decryption to the legitimate recipient by encrypting the ECDH shared secret under the requester's ephemeral key. Several of these off-chain services handle sensitive material in clear within their address space, plaintext operands in the Runner, input plaintext and ciphertext in the Handle Gateway, and the protocol private key in the KMS. Protecting their confidentiality and integrity is the central security concern that the chain of trust addresses, which is why each is deployed as a TDX confidential workload whose boot-time verification is described in this document. Chain of Trust We define the chain of trust as the set of mechanisms that establishes a verifiable bridge of confidence between an end user and iExec, a sequence of links, each independently checkable, such that an external party can conclude, end to end, that a given Nox component is genuinely running the expected code on genuine confidential hardware. The foundational link, and the subject of this part, is boot-time verification: the guarantee that a CVM cannot obtain the secrets it needs to operate unless it has booted a known operating-system image and a known application stack on attested TDX hardware. The higher links of the chain, surfacing this evidence to users, binding the running images to public source code, and anchoring the set of authorized measurements on-chain, are treated in later parts. Intel TDX Intel Trust Domain Extensions (TDX) is a capability of recent Intel Xeon processors that lets a virtual machine run as a Trust Domain (TD), isolated from the host operating system, the hypervisor and the cloud operator. Two properties make TDX a suitable root of trust for Nox. First, confidentiality and integrity of runtime state: the CPU transparently encrypts the memory of each TD, so that neither the host nor a privileged operator can read or undetectably modify the guest's memory. Each Nox service therefore runs inside a hardware-isolated CVM whose runtime state is opaque to the hosting provider. Second, measured boot and remote attestation: as a TD is launched, the BIOS and the TDX module measure its initial state into a set of registers, the static measurement MRTD and the runtime-extendable registers RTMR[0..3], recorded in a signed TD-Report. From this report the platform produces a quote, signed through Intel's Data Center Attestation Primitives (DCAP) and chaining up to the Intel SGX Root CA. A remote verifier validates this quote to obtain a hardware-backed statement of which code the TD runs, and evaluates the platform's Trusted Computing Base (TCB) status against Intel collateral, accepting only an up-to-date TCB. Running TDX in production imposes a hardware baseline. Nox runs only on bare-metal servers satisfying Intel's TDX enabling guide, summarised below. Dstack dstack ( [Dstack](https://github.com/Dstack-TEE/dstack) ) : Open framework for confidential AI) is the open-source orchestration layer, developed by Phala Network, that operates CVMs on top of TDX. It removes the need to manage Trust Domains by hand and provides the gating mechanism on which boot-time verification rests. Its main components are a Virtual Machine Monitor (VMM) and supervisor that boot and supervise CVMs from a measured, reproducible dstack OS image; a KMS CVM that derives application keys inside the enclave and decides which workloads may boot by checking their measurements against a whitelist; and a Gateway CVM that terminates public TLS (with automatic ACME certificates) and reverse-proxies traffic to each registered CVM over an encrypted WireGuard overlay, load-balancing natively between CVMs that share the same application identifier (appId). dstack also offers an optional on-chain authorization contract (DstackKms) able to whitelist OS-image and per-application compose hashes, a capability that Nox has deliberately not yet enabled, the corresponding whitelist being held off-chain at this stage. Dstack deployment for Nox This section describes how the foundation above is instantiated for the Nox protocol, and how it yields the boot-time verification guarantee. General architecture In this section, we give an overview of how dstack is deployed on a TDX host to run the Nox components, before describing each element in turn. The diagram below shows the overall layout; the tables that follow detail the components running on the host and those composing a single Nox CVM. dstack architecture for Nox protocol TDX Host components Nox CVM component Proof-of-Cloud as a Hardware Provenance Seal Measured boot and remote attestation establish what code a CVM runs and that it runs on genuine Intel TDX silicon. They do not, by themselves, establish where that silicon is, the physical and operational provenance of the host. Proof-of-Cloud is the complementary seal that addresses this gap: it binds an attested TDX platform to a known, reputable hosting environment, extending the hardware root of trust with evidence about the provenance of the machine itself. In the current Nox fleet this property is tracked per node. The testnets fleet runs two TDX nodes, node1, hosted at OVH, and node2, hosted at phoenixNAP, of which node1 carries a Proof-of-Cloud seal and node2 does not. The distinction is meaningful for an external verifier: where present, Proof-of-Cloud raises the cost of a relocation or substitution attack by tying the attested platform to a provider's verified infrastructure, rather than relying on the quote alone to vouch for an otherwise anonymous host. Concretely, Proof-of-Cloud is coordinated by the Proof of Cloud Alliance (https://proofofcloud.org/), a vendor-neutral group, of which iExec is a member, that maintains a signed, append-only registry binding TEE hardware identities (an Intel DCAP PPID , in case of TDX, extracted from the attestation quote) to independently verified physical facilities. Member organisations cross-verify each location during a dedicated whitelisting ceremony and when pushing a new entry to PPID registry so that a verifier can establish not only that a workload runs on genuine TDX silicon but also that this silicon sits in a facility multiple independent parties have vouched for. Within the chain of trust, Proof-of-Cloud should be read as a provenance complement to, not a replacement for, TDX attestation: TDX attests the integrity and identity of the execution environment, while Proof-of-Cloud attests the integrity of its hosting context. Together they reinforce the foundational claim on which the remaining links of the chain, runtime attestation, source-code binding and on-chain governance, are built. Appendixdstack-kms Boot Sequence The full sequence diagram for dstack-kms boot is available at dstack/docs/kms-boot-sequence.md at master · iExec-Nox/dstack The diagram traces the boot of the dstack-KMS CVM with the local SGX key provider. In summary: CVM boot and measurement. The VMM starts the KMS CVM under TDX; the CVM boots the dstack OS image and runs dstack-prepare.sh , which measures the application info (the compose_hash, the derived app_id and the instance_id) and emits a runtime event that extends these values into RTMR[3]. Sealing-key request. The script generates an ephemeral keypair and a TDX quote carrying its public key in report_data, then calls the host API over VSOCK, which forwards the request to the SGX key provider (gramine-sealing-key-provider) on localhost:3443. Mutual attestation and key release. The SGX key provider verifies the KMS TDX quote, derives a sealing key bound to the KMS measurements (MRTD + RTMR[0..3]) and to the hardware, encrypts it under the CVM's public key, and returns it together with its own SGX quote. The CVM verifies that SGX quote, collateral through the PCCS, TCB status, and that report_data commits to the encrypted key, then decrypts the sealing key with its private key. Key derivation. From the sealing key the CVM derives its application keys (the app_key used to self-sign an RA-TLS certificate, the disk_crypt_key, and a secp256k1 key) and, if a key_provider_id is pinned in app-compose.json, checks that the provider's MR enclave matches the expected value. Disk mount and container start. The CVM mounts its encrypted disk with the disk_crypt_key, persists the derived app keys, and starts the KMS container through docker-compose. KMS initialization. If root keys already exist on the encrypted disk they are simply reloaded. On a first boot, one of two paths is taken: Bootstrap (the first KMS): it generates fresh root keys (root CA, secp256k1 root, RPC key and a temporary CA), self-signs its certificates and persists them, no authorization check is performed, since this instance is the origin of the root keys. Onboarding (any subsequent KMS): it obtains a temporary-CA-signed RA-TLS certificate from an existing KMS and requests the root keys over mTLS. The source KMS verifies the requester's TDX attestation and calls the Boot Authorization server (POST /bootAuth/kms), which authorizes only if the TCB is up to date and the OS-image hash, the aggregated measurement and the device id match the kms entry of auth-config.json. On success the root keys are returned and stored; otherwise onboarding aborts and the KMS does not start. Service ready. The KMS regenerates its certificates from the stored keys (with a fresh TDX attestation) and starts its HTTPS service (container port 8000, exposed as 9201 on the host). In short, the KMS obtains its sealing key only after proving its measured identity to the SGX key provider, and a non-bootstrap KMS additionally requires Boot Authorization server approval before receiving the protocol root keys. Business CVM boot Sequence The full sequence diagram for business CVM (app CVM) boot is available at dstack/docs/app-boot-sequence.md at master · iExec-Nox/dstack The diagram traces the boot of a business (application) CVM, which provisions its keys like the gateway and then additionally joins the WireGuard overlay. In summary: CVM boot and measurement. The VMM starts the app CVM under TDX; it boots the dstack OS image and runs dstack-prepare.sh, which measures the application info (compose_hash, the derived app_id, instance_id) and extends these values into RTMR[3]. App-key request with mutual attestation. The CVM obtains a temporary CA certificate (and the KMS ca_cert) from the KMS, builds an RA-TLS client certificate embedding its TDX quote, and calls GetAppKey over mTLS. It verifies the KMS server certificate (special_usage == "kms:rpc", emitting mr-kms to RTMR[3]), while the KMS verifies the CVM's attestation from the client certificate. Authorization. The KMS extracts the boot info and calls the Boot Authorization server (POST /bootAuth/app), which applies the same five checks, tcb_status up to date, and os_image_hash, app_id, compose_hash and device id matching auth-config.json. On refusal the CVM reboots or shuts down. Key derivation and disk mount. On success the KMS derives the per-app keys from its root keys, disk_crypt_key = HKDF(ca_key, app_id + instance_id + …), env_crypt_key = x25519(HKDF(ca_key, app_id + …)) and k256_key, and returns them with the gateway_app_id. The CVM optionally checks key_provider_id, saves the keys, mounts the encrypted disk with disk_crypt_key, and emits a system-ready event. Post-mount setup and env decryption. Encrypted environment variables are decrypted with env_crypt_key (x25519 Diffie-Hellman + AES-256-GCM) and written to /dstack/.decrypted_env; the guest agent is configured. Gateway registration (WireGuard). Unlike the gateway CVM, the app CVM joins the WireGuard overlay through which it is reached: it requests a KMS-signed RA-TLS client certificate (SignCert), connects to the gateway over mTLS (verifying the gateway's app_id matches the gateway_app_id returned by the KMS), and calls RegisterCvm with its WireGuard public key. The gateway verifies the app's identity, allocates a WireGuard IP and returns the peer configuration, after which the CVM brings up its dstack-wg0 interface. Containers up. docker-compose starts the application container(s); at runtime the app can optionally use the guest agent over /var/run/dstack.sock to derive purpose-specific keys (get_key), obtain a KMS-signed TLS certificate (get_tls_key), or fetch a TDX quote for remote attestation (get_quote). In short, an application CVM follows the same attested, authorized key-provisioning path as the gateway, and then registers with the gateway to enter the encrypted WireGuard network that fronts it. Environment variables cryptographic state The full sequence diagram for encrypting and decrypting secret environment variables is available here : [Link](https://github.com/iExec-Nox/dstack/blob/master/docs/app-boot-sequence.md) Secret environment variables are encrypted by the operator before deployment and decrypted only inside the attested CVM, so that neither the VMM nor the KMS ever sees their plaintext. In summary: Get the encryption public key. From the compose file the operator computes the app_id and calls the KMS (GetAppEnvEncryptPubKey). The KMS derives a per-app X25519 key pair deterministically, secret = HKDF(ca_key, app_id + "env-encrypt-key"), and returns the public half (env_public_key) together with a k256_root signature over it, which the operator verifies against the whitelisted signer. Encrypt the variables (operator side). The operator serialises the .env file to JSON, generates an ephemeral X25519 key pair, computes a shared secret by Diffie-Hellman with env_public_key, and encrypts the JSON with AES-256-GCM under a random 12-byte IV. The packed blob is eph_public_key (32 B) || IV (12 B) || ciphertext. Deploy. The operator passes the hex-encoded blob to the VMM (CreateVm), which stores it in host-shared/ and never decrypts it. CVM boot. The VMM starts the CVM under TDX; the CVM loads the encrypted blob from host-shared/. Get the decryption key. During key provisioning the CVM calls GetAppKey over the attested mTLS channel; after verifying attestation and authorization, the KMS derives the same key pair and returns the private half as env_crypt_key. Decrypt (CVM side). The CVM splits the blob back into eph_public_key, IV and ciphertext, recomputes the identical shared secret by Diffie-Hellman with env_crypt_key (the X25519 property guarantees both sides agree), decrypts with AES-256-GCM, filters the result against allowed_envs from app-compose.json, and writes it to /dstack/.decrypted_env for the containers. The construction provides confidentiality (only the attested CVM holding env_crypt_key can decrypt), integrity (AES-GCM detects tampering), forward secrecy (each deployment uses a fresh ephemeral key that is then discarded), and blindness of both the VMM (which only stores the ciphertext) and the KMS (which only serves keys). The env_crypt_key is app-specific, derived from app_id alone, so every instance of the same app shares it, while different apps cannot read one another's variables. $RLC

TEE foundation and boot-time attestation

Author: Aghiles Ait Messaoud, PhD, Research Software Engineer working at iExec.
Introduction
The Nox protocol performs confidential computation over encrypted user data in off-chain services. For such a system to be trustworthy, a user must be convinced of a non-trivial property: that the code processing their data is exactly the code iExec claims to deploy, that it executes on genuine confidential-computing hardware, and that neither the cloud provider nor the protocol operator can observe or tamper with the data while it is being processed. Establishing this property requires a chain of trust, a sequence of cryptographically verifiable links connecting a hardware root of trust to the running workload.
This document is the first part of a series describing that chain of trust. It establishes its foundation: the Trusted Execution Environment (TEE) layer. We describe (i) the hardware substrate, Intel Trust Domain Extensions (TDX), which provides memory-encrypted, hardware-isolated Confidential Virtual Machines (CVMs) together with a signed measurement of their boot state; (ii) dstack, the open-source orchestration layer (developed by Phala Network) that boots, supervises and gates these CVMs; and (iii) how the two are combined to deploy the Nox off-chain components so that every CVM is provably running the expected code before it is granted access to any secret. (iv) We close by discussing Proof-of-Cloud as a complementary seal that binds an attested platform to a known physical hosting environment.
Subsequent parts build on this foundation to cover runtime attestation surfaced to end users, source-code binding, and on-chain governance of the authorized measurements. The present part deliberately limits its scope to the TEE foundation and to boot-time attestation.
The remainder of this document is organised as follows. In Background, we introduce the Nox protocol, define what we mean by a chain of trust, and present the two building blocks of its foundation, Intel TDX and dstack. In Dstack deployment for Nox, we describe how these are instantiated on a TDX host and how the resulting boot-time verification gates every CVM before it receives any secret. In Proof-of-Cloud as a Hardware Provenance Seal, we discuss the complementary seal that ties an attested platform to its physical hosting environment. Finally, the Appendix details the boot sequences of the dstack-KMS, gateway and business CVMs.
Background
In this section, we establish the context and vocabulary used throughout the document. We first introduce the Nox protocol and the components that must be protected, then define the chain of trust, and finally present the two technologies its foundation builds on: Intel TDX at the hardware level and dstack at the orchestration level.
Nox protocol
Nox Protocol ( https://docs.noxprotocol.io/getting-started/welcome ) is iExec's confidential-computation protocol for decentralized finance (DeFi). It acts as a privacy layer that lets smart contracts operate on encrypted data without ever exposing plaintext on-chain, by combining on-chain smart contracts with off-chain Trusted Execution Environments based on Intel TDX. Confidential values are referenced on-chain through opaque handles while the corresponding ciphertext is processed off-chain inside enclaves, so that applications retain full composability with the existing DeFi ecosystem: confidential ERC-7984 tokens remain ERC-20-compatible, contracts are written in standard Solidity, and end users transact from ordinary Ethereum wallets.
The protocol rests on three concepts.
A handle is a 32-byte identifier that acts as a secure pointer to an encrypted value stored off-chain, rather than the ciphertext itself.
An on-chain Access Control List (ACL) governs which addresses may use a handle as a computation input or decrypt its underlying data, enabling selective disclosure to authorized parties such as auditors while privacy is preserved by default.
The computation on confidential data itself takes place inside Intel TDX enclaves, so that even the infrastructure operator cannot read the plaintext during execution.
Operationally, Nox coordinates six components: the on-chain smart contracts (notably the NoxCompute library and the ACL), an event listener (Ingestor), a message queue (NATS), a computation engine (Runner), an encrypted data store (Handle Gateway), and a key-management service (KMS). A confidential operation follows three phases: input, compute and output.
In the input phase, a user encrypts a value through the Handle Gateway (which stores the ciphertext and returns a handle with an EIP-712 proof) and calls a contract using the NoxCompute library, which validates the handles, derives a deterministic result handle and emits an event. In the compute phase, the Ingestor relays the event through NATS to a Runner, which fetches the operands, decrypts them inside the enclave via a decryption-delegation protocol with the KMS, executes the operation, and stores the re-encrypted result. In the output phase, an authorised user retrieves the ciphertext and decrypts it locally. Encryption relies on ECIES over secp256k1 with the KMS public key, and the KMS itself never handles plaintext: it only delegates decryption to the legitimate recipient by encrypting the ECDH shared secret under the requester's ephemeral key.
Several of these off-chain services handle sensitive material in clear within their address space, plaintext operands in the Runner, input plaintext and ciphertext in the Handle Gateway, and the protocol private key in the KMS. Protecting their confidentiality and integrity is the central security concern that the chain of trust addresses, which is why each is deployed as a TDX confidential workload whose boot-time verification is described in this document.
Chain of Trust
We define the chain of trust as the set of mechanisms that establishes a verifiable bridge of confidence between an end user and iExec, a sequence of links, each independently checkable, such that an external party can conclude, end to end, that a given Nox component is genuinely running the expected code on genuine confidential hardware. The foundational link, and the subject of this part, is boot-time verification: the guarantee that a CVM cannot obtain the secrets it needs to operate unless it has booted a known operating-system image and a known application stack on attested TDX hardware. The higher links of the chain, surfacing this evidence to users, binding the running images to public source code, and anchoring the set of authorized measurements on-chain, are treated in later parts.
Intel TDX
Intel Trust Domain Extensions (TDX) is a capability of recent Intel Xeon processors that lets a virtual machine run as a Trust Domain (TD), isolated from the host operating system, the hypervisor and the cloud operator. Two properties make TDX a suitable root of trust for Nox.
First, confidentiality and integrity of runtime state: the CPU transparently encrypts the memory of each TD, so that neither the host nor a privileged operator can read or undetectably modify the guest's memory. Each Nox service therefore runs inside a hardware-isolated CVM whose runtime state is opaque to the hosting provider.
Second, measured boot and remote attestation: as a TD is launched, the BIOS and the TDX module measure its initial state into a set of registers, the static measurement MRTD and the runtime-extendable registers RTMR[0..3], recorded in a signed TD-Report. From this report the platform produces a quote, signed through Intel's Data Center Attestation Primitives (DCAP) and chaining up to the Intel SGX Root CA. A remote verifier validates this quote to obtain a hardware-backed statement of which code the TD runs, and evaluates the platform's Trusted Computing Base (TCB) status against Intel collateral, accepting only an up-to-date TCB.
Running TDX in production imposes a hardware baseline. Nox runs only on bare-metal servers satisfying Intel's TDX enabling guide, summarised below.
Dstack
dstack ( Dstack ) : Open framework for confidential AI) is the open-source orchestration layer, developed by Phala Network, that operates CVMs on top of TDX. It removes the need to manage Trust Domains by hand and provides the gating mechanism on which boot-time verification rests. Its main components are a Virtual Machine Monitor (VMM) and supervisor that boot and supervise CVMs from a measured, reproducible dstack OS image; a KMS CVM that derives application keys inside the enclave and decides which workloads may boot by checking their measurements against a whitelist; and a Gateway CVM that terminates public TLS (with automatic ACME certificates) and reverse-proxies traffic to each registered CVM over an encrypted WireGuard overlay, load-balancing natively between CVMs that share the same application identifier (appId). dstack also offers an optional on-chain authorization contract (DstackKms) able to whitelist OS-image and per-application compose hashes, a capability that Nox has deliberately not yet enabled, the corresponding whitelist being held off-chain at this stage.
Dstack deployment for Nox
This section describes how the foundation above is instantiated for the Nox protocol, and how it yields the boot-time verification guarantee.
General architecture
In this section, we give an overview of how dstack is deployed on a TDX host to run the Nox components, before describing each element in turn. The diagram below shows the overall layout; the tables that follow detail the components running on the host and those composing a single Nox CVM.
dstack architecture for Nox protocol

TDX Host components
Nox CVM component
Proof-of-Cloud as a Hardware Provenance Seal
Measured boot and remote attestation establish what code a CVM runs and that it runs on genuine Intel TDX silicon. They do not, by themselves, establish where that silicon is, the physical and operational provenance of the host. Proof-of-Cloud is the complementary seal that addresses this gap: it binds an attested TDX platform to a known, reputable hosting environment, extending the hardware root of trust with evidence about the provenance of the machine itself.
In the current Nox fleet this property is tracked per node. The testnets fleet runs two TDX nodes, node1, hosted at OVH, and node2, hosted at phoenixNAP, of which node1 carries a Proof-of-Cloud seal and node2 does not. The distinction is meaningful for an external verifier: where present, Proof-of-Cloud raises the cost of a relocation or substitution attack by tying the attested platform to a provider's verified infrastructure, rather than relying on the quote alone to vouch for an otherwise anonymous host.
Concretely, Proof-of-Cloud is coordinated by the Proof of Cloud Alliance (https://proofofcloud.org/), a vendor-neutral group, of which iExec is a member, that maintains a signed, append-only registry binding TEE hardware identities (an Intel DCAP PPID , in case of TDX, extracted from the attestation quote) to independently verified physical facilities. Member organisations cross-verify each location during a dedicated whitelisting ceremony and when pushing a new entry to PPID registry so that a verifier can establish not only that a workload runs on genuine TDX silicon but also that this silicon sits in a facility multiple independent parties have vouched for.
Within the chain of trust, Proof-of-Cloud should be read as a provenance complement to, not a replacement for, TDX attestation: TDX attests the integrity and identity of the execution environment, while Proof-of-Cloud attests the integrity of its hosting context. Together they reinforce the foundational claim on which the remaining links of the chain, runtime attestation, source-code binding and on-chain governance, are built.
Appendixdstack-kms Boot Sequence
The full sequence diagram for dstack-kms boot is available at dstack/docs/kms-boot-sequence.md at master · iExec-Nox/dstack The diagram traces the boot of the dstack-KMS CVM with the local SGX key provider. In summary:
CVM boot and measurement. The VMM starts the KMS CVM under TDX; the CVM boots the dstack OS image and runs dstack-prepare.sh , which measures the application info (the compose_hash, the derived app_id and the instance_id) and emits a runtime event that extends these values into RTMR[3].
Sealing-key request. The script generates an ephemeral keypair and a TDX quote carrying its public key in report_data, then calls the host API over VSOCK, which forwards the request to the SGX key provider (gramine-sealing-key-provider) on localhost:3443.
Mutual attestation and key release. The SGX key provider verifies the KMS TDX quote, derives a sealing key bound to the KMS measurements (MRTD + RTMR[0..3]) and to the hardware, encrypts it under the CVM's public key, and returns it together with its own SGX quote. The CVM verifies that SGX quote, collateral through the PCCS, TCB status, and that report_data commits to the encrypted key, then decrypts the sealing key with its private key.
Key derivation. From the sealing key the CVM derives its application keys (the app_key used to self-sign an RA-TLS certificate, the disk_crypt_key, and a secp256k1 key) and, if a key_provider_id is pinned in app-compose.json, checks that the provider's MR enclave matches the expected value.
Disk mount and container start. The CVM mounts its encrypted disk with the disk_crypt_key, persists the derived app keys, and starts the KMS container through docker-compose.
KMS initialization. If root keys already exist on the encrypted disk they are simply reloaded. On a first boot, one of two paths is taken: Bootstrap (the first KMS): it generates fresh root keys (root CA, secp256k1 root, RPC key and a temporary CA), self-signs its certificates and persists them, no authorization check is performed, since this instance is the origin of the root keys. Onboarding (any subsequent KMS): it obtains a temporary-CA-signed RA-TLS certificate from an existing KMS and requests the root keys over mTLS. The source KMS verifies the requester's TDX attestation and calls the Boot Authorization server (POST /bootAuth/kms), which authorizes only if the TCB is up to date and the OS-image hash, the aggregated measurement and the device id match the kms entry of auth-config.json. On success the root keys are returned and stored; otherwise onboarding aborts and the KMS does not start.
Service ready. The KMS regenerates its certificates from the stored keys (with a fresh TDX attestation) and starts its HTTPS service (container port 8000, exposed as 9201 on the host).
In short, the KMS obtains its sealing key only after proving its measured identity to the SGX key provider, and a non-bootstrap KMS additionally requires Boot Authorization server approval before receiving the protocol root keys.
Business CVM boot Sequence
The full sequence diagram for business CVM (app CVM) boot is available at dstack/docs/app-boot-sequence.md at master · iExec-Nox/dstack The diagram traces the boot of a business (application) CVM, which provisions its keys like the gateway and then additionally joins the WireGuard overlay. In summary:
CVM boot and measurement. The VMM starts the app CVM under TDX; it boots the dstack OS image and runs dstack-prepare.sh, which measures the application info (compose_hash, the derived app_id, instance_id) and extends these values into RTMR[3].
App-key request with mutual attestation. The CVM obtains a temporary CA certificate (and the KMS ca_cert) from the KMS, builds an RA-TLS client certificate embedding its TDX quote, and calls GetAppKey over mTLS. It verifies the KMS server certificate (special_usage == "kms:rpc", emitting mr-kms to RTMR[3]), while the KMS verifies the CVM's attestation from the client certificate.
Authorization. The KMS extracts the boot info and calls the Boot Authorization server (POST /bootAuth/app), which applies the same five checks, tcb_status up to date, and os_image_hash, app_id, compose_hash and device id matching auth-config.json. On refusal the CVM reboots or shuts down.
Key derivation and disk mount. On success the KMS derives the per-app keys from its root keys, disk_crypt_key = HKDF(ca_key, app_id + instance_id + …), env_crypt_key = x25519(HKDF(ca_key, app_id + …)) and k256_key, and returns them with the gateway_app_id. The CVM optionally checks key_provider_id, saves the keys, mounts the encrypted disk with disk_crypt_key, and emits a system-ready event.
Post-mount setup and env decryption. Encrypted environment variables are decrypted with env_crypt_key (x25519 Diffie-Hellman + AES-256-GCM) and written to /dstack/.decrypted_env; the guest agent is configured.
Gateway registration (WireGuard). Unlike the gateway CVM, the app CVM joins the WireGuard overlay through which it is reached: it requests a KMS-signed RA-TLS client certificate (SignCert), connects to the gateway over mTLS (verifying the gateway's app_id matches the gateway_app_id returned by the KMS), and calls RegisterCvm with its WireGuard public key. The gateway verifies the app's identity, allocates a WireGuard IP and returns the peer configuration, after which the CVM brings up its dstack-wg0 interface.
Containers up. docker-compose starts the application container(s); at runtime the app can optionally use the guest agent over /var/run/dstack.sock to derive purpose-specific keys (get_key), obtain a KMS-signed TLS certificate (get_tls_key), or fetch a TDX quote for remote attestation (get_quote). In short, an application CVM follows the same attested, authorized key-provisioning path as the gateway, and then registers with the gateway to enter the encrypted WireGuard network that fronts it.
Environment variables cryptographic state
The full sequence diagram for encrypting and decrypting secret environment variables is available here : Link
Secret environment variables are encrypted by the operator before deployment and decrypted only inside the attested CVM, so that neither the VMM nor the KMS ever sees their plaintext. In summary:
Get the encryption public key. From the compose file the operator computes the app_id and calls the KMS (GetAppEnvEncryptPubKey). The KMS derives a per-app X25519 key pair deterministically, secret = HKDF(ca_key, app_id + "env-encrypt-key"), and returns the public half (env_public_key) together with a k256_root signature over it, which the operator verifies against the whitelisted signer. Encrypt the variables (operator side). The operator serialises the .env file to JSON, generates an ephemeral X25519 key pair, computes a shared secret by Diffie-Hellman with env_public_key, and encrypts the JSON with AES-256-GCM under a random 12-byte IV. The packed blob is eph_public_key (32 B) || IV (12 B) || ciphertext. Deploy. The operator passes the hex-encoded blob to the VMM (CreateVm), which stores it in host-shared/ and never decrypts it. CVM boot. The VMM starts the CVM under TDX; the CVM loads the encrypted blob from host-shared/. Get the decryption key. During key provisioning the CVM calls GetAppKey over the attested mTLS channel; after verifying attestation and authorization, the KMS derives the same key pair and returns the private half as env_crypt_key. Decrypt (CVM side). The CVM splits the blob back into eph_public_key, IV and ciphertext, recomputes the identical shared secret by Diffie-Hellman with env_crypt_key (the X25519 property guarantees both sides agree), decrypts with AES-256-GCM, filters the result against allowed_envs from app-compose.json, and writes it to /dstack/.decrypted_env for the containers.
The construction provides confidentiality (only the attested CVM holding env_crypt_key can decrypt), integrity (AES-GCM detects tampering), forward secrecy (each deployment uses a fresh ephemeral key that is then discarded), and blindness of both the VMM (which only stores the ciphertext) and the KMS (which only serves keys). The env_crypt_key is app-specific, derived from app_id alone, so every instance of the same app shares it, while different apps cannot read one another's variables.
$RLC
Verification only matters if you can access it. The Nox Attestation Portal turns technical verification into something builders, partners, and institutions can actually inspect: component status, verification signals, and trust evidence, all in one place. Trust, but verify. Now easier than ever 👇 https://trust.noxprotocol.io/ $RLC
Verification only matters if you can access it.

The Nox Attestation Portal turns technical verification into something builders, partners, and institutions can actually inspect: component status, verification signals, and trust evidence, all in one place.

Trust, but verify. Now easier than ever 👇
https://trust.noxprotocol.io/

$RLC
WTF!! for Write The Future The challenge is simple: pick an open source protocol, add privacy with Nox, ship something a company could deploy. $1,500 pool. 23 days on the clock. What are you building?👇 https://dorahacks.io/hackathon/wtf-hackathon
WTF!! for Write The Future

The challenge is simple: pick an open source protocol, add privacy with Nox, ship something a company could deploy.

$1,500 pool.
23 days on the clock.

What are you building?👇
https://dorahacks.io/hackathon/wtf-hackathon
iExec integrates PhalaNetwork dstack into Nox to bring this verifiable execution model to confidential DeFi and RWA systems. Institutions need to know that sensitive computation ran in the expected environment before they trust the result. That's what dstack helps verify. Nox uses it to make confidential execution measurable, attested, and provable.
iExec integrates PhalaNetwork dstack into Nox to bring this verifiable execution model to confidential DeFi and RWA systems.

Institutions need to know that sensitive computation ran in the expected environment before they trust the result.

That's what dstack helps verify.

Nox uses it to make confidential execution measurable, attested, and provable.
iExec RLC
·
--
How do you make sure a confidential workload runs in exactly the environment it's supposed to?

That's why we used dstack, an open source orchestration layer built by PhalaNetwork that operates Confidential Virtual Machines on Intel TDX.

Instead of managing Trust Domains manually, dstack provides:

🔸 A supervisor that boots CVMs from a measured, reproducible OS image
🔸 A KMS that only lets workloads boot if their measurements match a trusted whitelist
🔸 A Gateway that terminates TLS and routes traffic to each CVM over an encrypted overlay

$RLC
An overview of how dstack is deployed on a TDX host to run the Nox components 👇
An overview of how dstack is deployed on a TDX host to run the Nox components 👇
iExec RLC
·
--
How do you make sure a confidential workload runs in exactly the environment it's supposed to?

That's why we used dstack, an open source orchestration layer built by PhalaNetwork that operates Confidential Virtual Machines on Intel TDX.

Instead of managing Trust Domains manually, dstack provides:

🔸 A supervisor that boots CVMs from a measured, reproducible OS image
🔸 A KMS that only lets workloads boot if their measurements match a trusted whitelist
🔸 A Gateway that terminates TLS and routes traffic to each CVM over an encrypted overlay

$RLC
How do you make sure a confidential workload runs in exactly the environment it's supposed to? That's why we used dstack, an open source orchestration layer built by PhalaNetwork that operates Confidential Virtual Machines on Intel TDX. Instead of managing Trust Domains manually, dstack provides: 🔸 A supervisor that boots CVMs from a measured, reproducible OS image 🔸 A KMS that only lets workloads boot if their measurements match a trusted whitelist 🔸 A Gateway that terminates TLS and routes traffic to each CVM over an encrypted overlay $RLC
How do you make sure a confidential workload runs in exactly the environment it's supposed to?

That's why we used dstack, an open source orchestration layer built by PhalaNetwork that operates Confidential Virtual Machines on Intel TDX.

Instead of managing Trust Domains manually, dstack provides:

🔸 A supervisor that boots CVMs from a measured, reproducible OS image
🔸 A KMS that only lets workloads boot if their measurements match a trusted whitelist
🔸 A Gateway that terminates TLS and routes traffic to each CVM over an encrypted overlay

$RLC
Monday manifesto: more privacy onchain.
Monday manifesto: more privacy onchain.
Privacy is calling! $RLC
Privacy is calling!

$RLC
Article
A New Era for Onchain FinanceFor the past three years, the industry has repeated the same forecast: institutional capital is coming on-chain. Some of it has arrived. Most of it has not. $27 billion in tokenized assets are live on public blockchains today. The addressable market is over $100 trillion. The gap between those two numbers is not explained by demand, regulation, or blockchain readiness. It is explained by a structural problem that every institutional team runs into the moment they evaluate on-chain deployment: public blockchains expose everything by default, and institutions cannot operate that way. Confidentiality has become the missing primitive. But confidentiality alone is not the full answer. For institutional finance to move on-chain at scale, two properties have to hold at the same time. Sensitive data must stay private. Execution must remain verifiable. The Problem, Named Precisely Public blockchains expose the entire operational surface of a financial workflow. Investor allocations are readable on any block explorer. Fund flows are timestamped and traceable. Vault positions and rebalancing decisions leak strategy in real time. Settlement flows broadcast counterparty amounts before the trade completes. For institutional workflows, this is a disqualifying condition, not a tradeoff. RWA issuers cannot tokenize a regulated fund on infrastructure that publishes its investor registry. Tokenized fund managers cannot meet mandate conditions that require position privacy. Professional DeFi allocators cannot deploy strategy on rails where every rebalance is a signal to copy-traders and MEV bots. Compliance teams cannot operate under disclosure frameworks that force them to choose between full opacity and full transparency. None of these problems get solved by faster chains or cheaper gas. They only get solved by a confidentiality layer that integrates with existing on-chain infrastructure. Confidentiality Alone Is Not Enough Here is the part of the conversation the industry has been slower to grasp. Confidentiality by itself does not meet the requirements of institutional finance. Institutions do not just need private data. They need to prove to counterparties, auditors, and regulators that the private data was processed correctly, in the right environment, by the right code. A confidential system that cannot be verified is functionally the same as a black box. Institutions cannot deploy capital into a black box. The requirement is not confidentiality. The requirement is verifiable confidentiality. Sensitive data must stay protected from the market. The execution that processes that data must produce cryptographic evidence that it ran correctly, in an approved environment, on the declared inputs. Auditors and regulators must be able to receive scoped access when their mandate requires it. And the whole system must remain composable with the DeFi infrastructure that already exists. This is the model regulated finance has always operated under. The engineering challenge is bringing it on-chain without breaking composability. How Nox Delivers Both Nox is iExec's confidentiality protocol for onchain finance. The programmable confidentiality layer makes onchain finance work the way real finance does. Confidential by default. Auditable on demand. The confidentiality side of the system encrypts what matters. Balances, transaction amounts, position sizes, and strategy execution data stay encrypted onchain. Sensitive data is never exposed to the public market. Access to encrypted values is controlled through an on-chain Access Control List, which lets the data owner grant scoped read access to specific addresses, regulators, or auditors, and revoke that access when it is no longer needed. The verifiability side of the system is where Chain of Trust comes in. Chain of Trust: From Trust Us to Verify It Chain of Trust is one of the core protocol qualities behind Nox. Its purpose is straightforward. Institutional trust cannot rest on promises, reputation, or internal policy. It has to rest on evidence. Chain of Trust turns confidential execution into something you can prove, not something you have to accept on faith. It covers every critical layer of the execution path. The hardware layer is anchored by Intel TDX, which provides hardware-isolated confidential virtual machines and produces attestations confirming the physical environment your workload runs in. The execution platform produces cryptographic evidence that the correct environment was used and that the workload was not modified. The software running inside the Trust Domain is measured and verifiable. And each layer is independently attestable through Remote Attestation, a cryptographic proof mechanism that lets a user verify remotely that a task ran inside the expected environment, running the expected code, on approved hardware. The orchestration and deployment layer that makes this measurable is built on dstack, the open-source infrastructure developed by Phala Network for deploying verifiable confidential workloads on TDX hardware. Nox integrates dstack to boot and manage its confidential virtual machines from a measured, reproducible image, and to gate which workloads may run inside them. The result is that every confidential workload on Nox starts from a verifiable environment, before it is trusted with sensitive data. Phala provides the dstack infrastructure. Nox brings this verifiable execution model to confidential DeFi and RWA workflows. The practical outcome is that confidential execution stops being a claim. It becomes evidence. For institutional counterparties, this is the difference between operational risk they can quantify and operational risk they cannot. A confidential system with verifiable execution can be audited, insured, and integrated into existing compliance workflows. A confidential system without verifiable execution cannot. 👉 https://trust.noxprotocol.io/ Where This Extends: Q3 and Q4 Direction Chain of Trust is not a static feature. It is a system that iExec is continuing to build out, and two extensions are on the roadmap for the second half of the year. The first is on-chain governance for protocol measurements. Today, the reference measurements that Remote Attestation checks against are managed through operational processes. Bringing these measurements on-chain means the approved set of hardware, execution platforms, and software artifacts becomes part of the protocol's verifiable state. Any change to what counts as a trusted configuration becomes an on-chain action that participants can inspect and verify. This makes the trust layer itself governable in the same way protocols already govern parameters, upgrades, and access control. The second is source code binding. This extends the Chain of Trust one more link back, from the executed artifact to the source code it was compiled from. Institutional counterparties evaluating a confidential system today have to trust that the software running inside the Trust Domain corresponds to the source code that was audited. Source code binding closes that gap by producing verifiable evidence that the running artifact and the audited source are the same. Both of these are upcoming milestones, framed as roadmap direction rather than shipped features. Their purpose is the same as the rest of Chain of Trust. Institutional finance requires evidence. The system should provide it at every layer, and the trust surface should get more complete over time, not less. What This Means for Institutional Deployment The strongest single argument for why confidentiality has to be verifiable is a practical one. Every institutional counterparty who evaluates on-chain infrastructure eventually asks the same question. How do I know the system did what it said it did? If the answer depends on trusting the operator, the deal does not happen. If the answer is a cryptographic proof that anyone can verify, the deal can happen. Nox is being built so that the answer is always the second one. Encrypted balances. Confidential vault positions. Selective disclosure to regulators. Attested execution on approved hardware. All of it composable with the DeFi that already exists. This is what institutional-grade on-chain finance actually requires. Not confidentiality alone. Verifiable confidentiality. The market has spent three years learning that transparency-by-default is not compatible with institutional finance. The next three years are about learning that confidentiality-by-default is only half the answer. Institutions need both properties at once. Sensitive data has to stay private. Execution has to remain verifiable. Public blockchains offered the second property in extreme form and none of the first. Confidential DeFi is now catching up on the first property. Verifiable confidentiality is where the two finally meet. That is what Nox is being built to deliver. Confidential by default. Auditable on demand. Verifiable at every layer. 👉 https://trust.noxprotocol.io/ The market is not waiting for another chain. It is waiting for the confidentiality layer that makes finance work the way finance is supposed to work. We are building it.

A New Era for Onchain Finance

For the past three years, the industry has repeated the same forecast: institutional capital is coming on-chain. Some of it has arrived. Most of it has not.
$27 billion in tokenized assets are live on public blockchains today. The addressable market is over $100 trillion. The gap between those two numbers is not explained by demand, regulation, or blockchain readiness. It is explained by a structural problem that every institutional team runs into the moment they evaluate on-chain deployment: public blockchains expose everything by default, and institutions cannot operate that way.
Confidentiality has become the missing primitive. But confidentiality alone is not the full answer. For institutional finance to move on-chain at scale, two properties have to hold at the same time. Sensitive data must stay private. Execution must remain verifiable.
The Problem, Named Precisely
Public blockchains expose the entire operational surface of a financial workflow. Investor allocations are readable on any block explorer. Fund flows are timestamped and traceable. Vault positions and rebalancing decisions leak strategy in real time. Settlement flows broadcast counterparty amounts before the trade completes.
For institutional workflows, this is a disqualifying condition, not a tradeoff.
RWA issuers cannot tokenize a regulated fund on infrastructure that publishes its investor registry. Tokenized fund managers cannot meet mandate conditions that require position privacy. Professional DeFi allocators cannot deploy strategy on rails where every rebalance is a signal to copy-traders and MEV bots. Compliance teams cannot operate under disclosure frameworks that force them to choose between full opacity and full transparency.
None of these problems get solved by faster chains or cheaper gas. They only get solved by a confidentiality layer that integrates with existing on-chain infrastructure.
Confidentiality Alone Is Not Enough
Here is the part of the conversation the industry has been slower to grasp. Confidentiality by itself does not meet the requirements of institutional finance.
Institutions do not just need private data. They need to prove to counterparties, auditors, and regulators that the private data was processed correctly, in the right environment, by the right code. A confidential system that cannot be verified is functionally the same as a black box. Institutions cannot deploy capital into a black box.
The requirement is not confidentiality. The requirement is verifiable confidentiality.
Sensitive data must stay protected from the market. The execution that processes that data must produce cryptographic evidence that it ran correctly, in an approved environment, on the declared inputs. Auditors and regulators must be able to receive scoped access when their mandate requires it. And the whole system must remain composable with the DeFi infrastructure that already exists.
This is the model regulated finance has always operated under. The engineering challenge is bringing it on-chain without breaking composability.
How Nox Delivers Both
Nox is iExec's confidentiality protocol for onchain finance. The programmable confidentiality layer makes onchain finance work the way real finance does.
Confidential by default. Auditable on demand.
The confidentiality side of the system encrypts what matters. Balances, transaction amounts, position sizes, and strategy execution data stay encrypted onchain. Sensitive data is never exposed to the public market. Access to encrypted values is controlled through an on-chain Access Control List, which lets the data owner grant scoped read access to specific addresses, regulators, or auditors, and revoke that access when it is no longer needed.
The verifiability side of the system is where Chain of Trust comes in.
Chain of Trust: From Trust Us to Verify It
Chain of Trust is one of the core protocol qualities behind Nox. Its purpose is straightforward. Institutional trust cannot rest on promises, reputation, or internal policy. It has to rest on evidence.
Chain of Trust turns confidential execution into something you can prove, not something you have to accept on faith. It covers every critical layer of the execution path. The hardware layer is anchored by Intel TDX, which provides hardware-isolated confidential virtual machines and produces attestations confirming the physical environment your workload runs in. The execution platform produces cryptographic evidence that the correct environment was used and that the workload was not modified. The software running inside the Trust Domain is measured and verifiable. And each layer is independently attestable through Remote Attestation, a cryptographic proof mechanism that lets a user verify remotely that a task ran inside the expected environment, running the expected code, on approved hardware.
The orchestration and deployment layer that makes this measurable is built on dstack, the open-source infrastructure developed by Phala Network for deploying verifiable confidential workloads on TDX hardware. Nox integrates dstack to boot and manage its confidential virtual machines from a measured, reproducible image, and to gate which workloads may run inside them. The result is that every confidential workload on Nox starts from a verifiable environment, before it is trusted with sensitive data. Phala provides the dstack infrastructure. Nox brings this verifiable execution model to confidential DeFi and RWA workflows.
The practical outcome is that confidential execution stops being a claim. It becomes evidence.
For institutional counterparties, this is the difference between operational risk they can quantify and operational risk they cannot. A confidential system with verifiable execution can be audited, insured, and integrated into existing compliance workflows. A confidential system without verifiable execution cannot.
👉 https://trust.noxprotocol.io/
Where This Extends: Q3 and Q4 Direction
Chain of Trust is not a static feature. It is a system that iExec is continuing to build out, and two extensions are on the roadmap for the second half of the year.
The first is on-chain governance for protocol measurements. Today, the reference measurements that Remote Attestation checks against are managed through operational processes. Bringing these measurements on-chain means the approved set of hardware, execution platforms, and software artifacts becomes part of the protocol's verifiable state. Any change to what counts as a trusted configuration becomes an on-chain action that participants can inspect and verify. This makes the trust layer itself governable in the same way protocols already govern parameters, upgrades, and access control.
The second is source code binding. This extends the Chain of Trust one more link back, from the executed artifact to the source code it was compiled from. Institutional counterparties evaluating a confidential system today have to trust that the software running inside the Trust Domain corresponds to the source code that was audited. Source code binding closes that gap by producing verifiable evidence that the running artifact and the audited source are the same.
Both of these are upcoming milestones, framed as roadmap direction rather than shipped features. Their purpose is the same as the rest of Chain of Trust. Institutional finance requires evidence. The system should provide it at every layer, and the trust surface should get more complete over time, not less.
What This Means for Institutional Deployment
The strongest single argument for why confidentiality has to be verifiable is a practical one. Every institutional counterparty who evaluates on-chain infrastructure eventually asks the same question. How do I know the system did what it said it did?
If the answer depends on trusting the operator, the deal does not happen. If the answer is a cryptographic proof that anyone can verify, the deal can happen.
Nox is being built so that the answer is always the second one. Encrypted balances. Confidential vault positions. Selective disclosure to regulators. Attested execution on approved hardware. All of it composable with the DeFi that already exists.
This is what institutional-grade on-chain finance actually requires. Not confidentiality alone. Verifiable confidentiality.
The market has spent three years learning that transparency-by-default is not compatible with institutional finance. The next three years are about learning that confidentiality-by-default is only half the answer.
Institutions need both properties at once. Sensitive data has to stay private. Execution has to remain verifiable. Public blockchains offered the second property in extreme form and none of the first. Confidential DeFi is now catching up on the first property. Verifiable confidentiality is where the two finally meet.
That is what Nox is being built to deliver. Confidential by default. Auditable on demand. Verifiable at every layer.
👉 https://trust.noxprotocol.io/
The market is not waiting for another chain. It is waiting for the confidentiality layer that makes finance work the way finance is supposed to work.
We are building it.
When your workload runs in the cloud, how do you know the right code ran in the right environment? Attestation answers one question: "did the right code run inside genuine TDX hardware?" But for financial workloads, that is not the full trust problem. You also need to know the machine itself was not a random, unverifiable host. Proof-of-Cloud adds that missing link for Nox: it ties attested hardware to a verified cloud environment. So the proof is not just: “the code ran.” It is: “the right code ran, on the right hardware, in a verified place.” That is how confidential execution becomes something institutions can actually trust. ➡️https://trust.noxprotocol.io $RLC
When your workload runs in the cloud, how do you know the right code ran in the right environment?

Attestation answers one question: "did the right code run inside genuine TDX hardware?" But for financial workloads, that is not the full trust problem.

You also need to know the machine itself was not a random, unverifiable host.

Proof-of-Cloud adds that missing link for Nox: it ties attested hardware to a verified cloud environment.

So the proof is not just:
“the code ran.”

It is:
“the right code ran, on the right hardware, in a verified place.”

That is how confidential execution becomes something institutions can actually trust.

➡️https://trust.noxprotocol.io

$RLC
For anyone who's been curious about building with Nox: here's your window. 25 days. $1,500 pool. Pick an open source protocol, add privacy, ship something the space actually needs. Let's build👇 📆Deadline: 2026/08/01 https://dorahacks.io/hackathon/wtf-hackathon/detail $RLC
For anyone who's been curious about building with Nox: here's your window.

25 days. $1,500 pool. Pick an open source protocol, add privacy, ship something the space actually needs.

Let's build👇
📆Deadline: 2026/08/01

https://dorahacks.io/hackathon/wtf-hackathon/detail

$RLC
For institutional finance, this is what trust minimization actually looks like. Because Confidential Computing is about proving that sensitive data was processed in the expected environment, by the expected software, under the expected conditions. Protocol transparency. Execution privacy. That is how Nox turns confidential compute from a claim into proof. ✅Confidential by default. Auditable on demand.
For institutional finance, this is what trust minimization actually looks like.

Because Confidential Computing is about proving that sensitive data was processed in the expected environment, by the expected software, under the expected conditions.

Protocol transparency. Execution privacy.

That is how Nox turns confidential compute from a claim into proof.

✅Confidential by default. Auditable on demand.
iExec RLC
·
--
How do you know a confidential workflow is running in the right environment, with the right code, before it touches sensitive data?

You measure it.
You attest it.
You verify it at every layer.

That is Chain of Trust: Nox’s way of making confidential execution measurable, attested, and verifiable from the hardware layer up to the running workload.

➡️ https://trust.noxprotocol.io/

$RLC
For Nox, Chain of Trust connects every critical layer: → the TDX hardware running the workload → the execution platform booting it → the software running inside the Trust Domain → the origin of the software being executed (coming soon) Each layer adds evidence and is verifiable on its own.
For Nox, Chain of Trust connects every critical layer:

→ the TDX hardware running the workload
→ the execution platform booting it
→ the software running inside the Trust Domain
→ the origin of the software being executed (coming soon)

Each layer adds evidence and is verifiable on its own.
iExec RLC
·
--
How do you know a confidential workflow is running in the right environment, with the right code, before it touches sensitive data?

You measure it.
You attest it.
You verify it at every layer.

That is Chain of Trust: Nox’s way of making confidential execution measurable, attested, and verifiable from the hardware layer up to the running workload.

➡️ https://trust.noxprotocol.io/

$RLC
Log in to explore more content
Join global crypto users on Binance Square
⚡️ Get latest and useful information about crypto.
💬 Trusted by the world’s largest crypto exchange.
👍 Discover real insights from verified creators.
Email / Phone number
Sitemap
Cookie Preferences
Platform T&Cs