You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Copy file name to clipboardexpand all lines: packages/plugin-tee-log/README.md
+25
Original file line number
Diff line number
Diff line change
@@ -12,6 +12,31 @@ Since the TEE Logging is based on the TEE, it is necessary to have a TEE enabled
12
12
- using Intel SGX (Gramine), you need to enable the plugin-sgx in the Eliza runtime, which is enabled in SGX env automatically.
13
13
- using Intel TDX (dstack), you need to enable the plugin-tee in the Eliza runtime.
14
14
15
+
## TEE Logging Mechanism
16
+
17
+
## TEE Logging Mechanism
18
+
19
+
1.**Key Pair Generation and Attestation**:
20
+
- During startup, each agent generates a key pair and creates a remote attestation for the public key. The private key is securely stored in the TEE's encrypted memory. The agent's relevant information, along with the public key and attestation, is recorded in a local database. A new key pair is generated each time the agent is updated or restarted to ensure key security.
21
+
22
+
2.**Log Recording**:
23
+
- For each log entry, basic information is recorded, including `agentId`, `roomId`, `userId`, `type`, `content`, and `timestamp`. This information is concatenated and signed using the agent's corresponding private key to ensure verifiability. The verification process follows this trust chain:
24
+
- Verify the attestation.
25
+
- Trust the public key contained in the attestation.
26
+
- Use the public key to verify the signature.
27
+
- Trust the complete log record.
28
+
29
+
3.**Data Storage**:
30
+
- All log data must be stored in the TEE's encrypted file system in production environments. Storing data in plaintext is prohibited to prevent tampering.
31
+
32
+
4.**Log Extraction for Verification**:
33
+
- Third parties can extract TEE logs for verification purposes. Two types of information can be extracted:
34
+
-**Agent Information**: This includes the agent's metadata, public key, and attestation, which can be used to verify the agent's public key.
35
+
-**Log Information**: Required logs can be extracted, with the agent's attestation and public key used to verify the signature, ensuring that each record remains untampered.
36
+
37
+
5.**Integrity Protection**:
38
+
- When users extract TEE logs via the REST API, the results are hashed, and an attestation is generated. After extraction, users can verify the attestation by comparing the hash value contained within it to the extracted results, thereby ensuring the integrity of the data.
39
+
15
40
## Services
16
41
17
42
-**[TeeLogService]**: This service is responsible for generating and storing TEE logs for agents.
0 commit comments