Upcoming Network Upgrades: EOL Machine Retirement and Easing Permissions to Join

TL;DR:

  • There will be an upgrade to 1.23 in early November and another one to 1.24 in early December
  • EOL machines (Xeon E-22xx, Xeon E-21xx and older) will be banned from Secret Network in early December after 1.24 upgrade
  • If you have EOL machines, please provision newer machines and share MachineIDs with Labs
  • After the 1.23 upgrade, new machines will be addable through Governance; Azure machines will be accepted without restrictions

Tentative timeline:

Dear Validator Community,

After successfully hardening the network against the Wiretap.fail exploit, we are now looking to address several other important issues:

  1. Retiring the End-of-Life (EOL) machines

  2. Easing the restrictions for new nodes to join Secret Network while maintaining security

  3. Additional decentralization steps

This will be executed in two consecutive upgrades in the coming ~60 days.

Upgrade to 1.23

In early November, we will perform an upgrade to version 1.23 that will have the following key features:

  1. Ability to add new MachineIDs to the AllowList by submitting a Governance proposal. Once approved by Governance, the new MachineIDs will be accepted to the network.

  2. Support for unrestricted addition of nodes running in Microsoft Azure via Azure Proof-of-Cloud

  3. Detection of EOL machines (Xeon E-21xx, E-22xx and older) and notifications to affected node operators

In the period until the 1.23 upgrade, we encourage node operators running on older hardware to start provisioning new machines and sharing their MachineIDs with us so they can be included in the allowlist for 1.23. This should be done BEFORE the 1.23 upgrade proposal, preferably before the end of October. After the 1.23 upgrade, the new machines will be able to join the network.
After 1.23 the old machines will still be able to run until 1.24.

Upgrade to 1.24

In early December, roughly 30 days after 1.23, we will perform another upgrade to 1.24. In that upgrade, the EOL machines will be blocked and won’t be able to run Secret nodes anymore.

In the period between 1.23 and 1.24, the node operators can either send new MachineIDs to Labs to be included into the 1.24 allowlist, or submit governance proposals requesting the community to add new machine IDs.

We may be able to add more functionality to 1.24 (TBD).

Which machines to use?

A partial list of compatible machines at select CSPs (most importantly, LeaseWeb and OVH) can be found here. It’s not authoritative - the prices and specific offerings may change - DYOR.

The full list of CPUs that support SGX, as published by Intel, is available here. Anything more recent than Xeon E-22xx works.

Additional Decentralization Steps

  1. Moving SNIP contracts to Community Governance

In the time before the 1.23 upgrade, we will change the SNIP contracts currently managed by Labs to community governance, meaning that any upgrade to those contracts will require governance approval. Also, Labs will be removed as hard-coded contract admin in 1.23.

  2. Removing the MRSIGNER requirement

After moving the network to MRENCLAVE sealing, the network builds are still required to be signed with Labs MRSIGNER, as explained here.

In either 1.23 or 1.24, we will remove the requirement for enclaves to be signed by SCRT Labs’ MRSIGNER. That means that developers outside of Labs will also be able to create new builds of Secret Network and propose upgrades to the network if they wish.

Next Steps

We will continue researching additional ways to improve the network security and update the community accordingly. We will work on the following items and more:

  • Explore support for additional Custom Attestation providers (e.g., Google Cloud, IBM Cloud) and collaborate with other CSPs to extend Proof-of-Cloud to them as well to make it easier to join the network. It is a complex process and may take time.

  • We will continue exploring ways to develop patches for the Wiretap vulnerability, including hardening of the Quoting Enclave and the Provisioning Certification Enclave. This is a complex and high-risk task, and we will approach it accordingly and strive to work with the industry on making best-in-class solutions.

As usual, thank you for all your hard work at running the Secret Network!

The Labs team will be available to provide any support during the process.

So this means Secret Labs doesn’t know about the other EOL machines that are on the network or otherwise is deciding not to identify and ban those too? lol