Security overview
Trust boundaries, attestation flow, and the assets the marketplace protects.
Trust boundaries
The marketplace is designed so the only environment that ever holds a validator's plaintext Ed25519 identity key is the AWS Nitro Enclave. Everything else (the host-proxy, the marketplace API, the trader's SDK, the operator's terminal) talks to the enclave over authenticated channels and never sees the key.
| Component | Holds key? | Notes |
|---|---|---|
| Nitro Enclave | yes (plaintext, in memory only) | Decrypts the KMS-wrapped ciphertext at boot. Never logged, never serialised. |
| KMS | yes (ciphertext) | PCR-bound key policy gates decryption to the expected enclave measurements. |
| Host-proxy | no | Forwards gRPC over vsock to the enclave. |
| Marketplace API | no | Issues short-lived ES256 JWTs via kms:Sign. Verifies trader identity but never the validator's key. |
| Trader SDK | no | Holds a marketplace-issued JWT, never the validator's key. |
Attestation flow
At boot, the enclave produces a signed attestation document that
encodes its PCR measurements. The KMS key policy refuses
Decrypt calls unless the calling enclave's attestation matches
the expected PCRs, so an attacker who substitutes a malicious
enclave image cannot retrieve the wrapped key.
Signing oracle scope
The enclave only signs payloads that match
fd_keyguard_payload_matches_tls_cv, Firedancer's
CertificateVerify matcher. Any other byte sequence is rejected.
This bounds the blast radius if an attacker somehow obtains a
short-lived JWT: they can complete one TLS handshake, not forge a
vote or a transaction signature.
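A payload check of this kind, written here as an added illustration from the CertificateVerify signed-content layout in RFC 8446 section 4.4.3. It is not Firedancer's or the marketplace's code; the function names and the 32-byte (SHA-256) transcript hash length are assumptions.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* RFC 8446 section 4.4.3: the signed content is 64 bytes of 0x20, a context
   string, one 0x00 separator, then the transcript hash. */
#define CV_PAD_SZ   64
#define CV_CTX_SZ   33   /* length of either context string */
#define CV_HASH_SZ  32   /* assumption: SHA-256 transcript hash */
#define CV_TOTAL_SZ (CV_PAD_SZ + CV_CTX_SZ + 1 + CV_HASH_SZ)   /* 130 bytes */

static const char CV_CTX_SERVER[] = "TLS 1.3, server CertificateVerify";
static const char CV_CTX_CLIENT[] = "TLS 1.3, client CertificateVerify";

/* Hypothetical helper: returns 1 only if the payload has exactly the
   CertificateVerify layout, 0 for any other byte sequence. */
int payload_is_tls13_cv(const uint8_t *data, size_t sz) {
    if (data == NULL || sz != CV_TOTAL_SZ) return 0;   /* exact length only */
    for (size_t i = 0; i < CV_PAD_SZ; i++)
        if (data[i] != 0x20) return 0;                 /* padding prefix */
    const uint8_t *ctx = data + CV_PAD_SZ;
    if (memcmp(ctx, CV_CTX_SERVER, CV_CTX_SZ) != 0 &&
        memcmp(ctx, CV_CTX_CLIENT, CV_CTX_SZ) != 0) return 0;
    return ctx[CV_CTX_SZ] == 0x00;   /* separator; hash bytes are opaque */
}

/* Builds a constructed sample payload (not captured traffic). */
void build_sample_cv(uint8_t out[CV_TOTAL_SZ], const char *ctx, uint8_t fill) {
    memset(out, 0x20, CV_PAD_SZ);
    memcpy(out + CV_PAD_SZ, ctx, CV_CTX_SZ);
    out[CV_PAD_SZ + CV_CTX_SZ] = 0x00;
    memset(out + CV_PAD_SZ + CV_CTX_SZ + 1, fill, CV_HASH_SZ);
}

int main(void) {
    uint8_t p[CV_TOTAL_SZ];
    build_sample_cv(p, CV_CTX_SERVER, 0xAB);
    return payload_is_tls13_cv(p, sizeof p) ? 0 : 1;
}
```

The fixed 64-byte padding and context string act as domain separation: a payload in any other format does not begin with this prefix, so the check rejects it before the key is used.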
For the formal threat model and the published whitepaper, see the security whitepaper.