first commit with hacker challenge

.gitignore

@@ -0,0 +1 @@
+book

book.toml

@@ -0,0 +1,34 @@
+[book]
+authors = ["Valentyn Faychuk"]
+language = "en"
+multilingual = false
+src = "src"
+title = "DeTEE Public Documentation"
+
+[output.html]
+smart-punctuation = true
+mathjax-support = true
+site-url = "https://detee.ltd"
+git-repository-url = "https://gitea.detee.cloud/general/public-docs"
+#edit-url-template = "https://github.com/rust-lang/mdBook/edit/master/guide/{path}"
+
+[output.html.playground]
+runnable = false
+editable = true
+line-numbers = true
+
+#[output.html.code.hidelines]
+#python = "~"
+
+[output.html.search]
+limit-results = 20
+use-boolean-and = true
+boost-title = 2
+boost-hierarchy = 2
+boost-paragraph = 1
+expand = true
+heading-split-level = 2
+
+#[output.html.redirect]
+#"/format/config.html" = "configuration/index.html"
+

src/404.md

@@ -0,0 +1,3 @@
+# Document not found (404)
+
+This URL is invalid, sorry. Try the search instead!

src/README.md

@@ -0,0 +1,22 @@
+# <img class="left" src="img/logo.svg" alt="DeTEE logo">&nbsp;&nbsp;DeTEE
+
+---
+
+Welcome to the DeTEE's documentation. DeTEE is a decentralized confidential cloud. It is designed to make deploying Confidential VMs and Containers quick and easy, with the ability to scale up to the complex setups.
+
+Get started with [Installation](./todo.md) and then get an overview with the [Quickstart](./todo.md).\
+There is also a [Hacker Challenge](./hacker_challenge/README.md) if you want to try breaking DeTEE for a reward!\
+DeTEE depends on the [Occlum](https://occlum.readthedocs.io) library for working with Intel SGX, and the [Rust sev crate](https://crates.io/crates/sev) for working with AMD SEV.
+
+</br>
+
+---
+
+The documentation is under active development.\
+If you see any issue, feel free to contact <valy@detee.ltd>.
+- [x] Prepare the first version of docs
+- [x] Add Hacker Challenge
+- [ ] Add installation steps
+- [ ] Add contributors
+- [ ] Add license
+- [ ] ...

src/SUMMARY.md

@@ -0,0 +1,35 @@
+# Summary
+
+[Introduction](./README.md)
+
+---
+
+# User Guide
+
+- [Installation](./todo.md)
+- [Become a Node]()
+- [Buy DTE Token]()
+
+# Reference Guide
+
+- [Provider Nodes]()
+    - [detee-daemon]()
+- [Brain Nodes]()
+    - [brain-node]()
+- [Users]()
+    - [detee-cli]()
+
+---
+
+# Security
+
+- [Hacker Challenge](./hacker_challenge/README.md)
+    - [Prerequisites](./hacker_challenge/prerequisites.md)
+    - [Quick Start](./hacker_challenge/quick_start.md)
+    - [Hacking](./hacker_challenge/hacking.md)
+    - [Network](./hacker_challenge/network.md)
+    - [Issues](./hacker_challenge/known_issues.md)
+
+---
+
+[Contributors](./misc/contributors.md)

src/hacker_challenge/README.md

@@ -0,0 +1,11 @@
+# Hacker Challenge
+
+---
+
+Hack the wallet 2yKf...Yxpb to unlock the DeTEE prize! Wallet keys are secured inside every node of the Hacker Challenge cluster, which anybody can join! No rules - hack the node, seize the keys, win the prize!
+
+#### The main rules of the hacker challenge:
+- Don't ever send to the hacker challenge wallet what you don't want to lose
+- Before joining as a node, make sure your processor meets requirements
+- Otherwise, no restrictions - anybody can participate
+- Also no rules for hacking, you can even use a tank

src/hacker_challenge/hacking.md

@@ -0,0 +1,22 @@
+# How it all works?
+
+This node is part of the DeTEE hacker-challenge, a decentralized wallet that mints the HCT Token.
+The private key of the mint authority was generated within the network. The challenge is easy:
+Hack the network to get the private key, and all the SOL is yours. We also offer other rewards, including:
+- a unique NFT
+- token rewards at after release of the DeTEE token
+- a seat on the Advisory Board of DeTEE
+- possible employment at DeTEE
+
+The mint address of the token is: TOKEN_ADDRESS
+The mint authority is: MINT_AUTHORITY
+
+In order to mint, the mint authority will need some SOL. Before sending SOL, take into consideration that
+DeTEE REPRESENTATIVES DON'T KNOW HOW TO GET THE SOL OUT OF THE NETWORK!
+
+You can make following requests:
+- `/nodes                 ` <- information about nodes and counters of network activity
+- `/mint?address=<address>` <- mint HCT tokens to the address; the wallet needs SOL for this operation
+
+If you were able to get the SOL out of the wallet, please contact <valy@detee.ltd>, <gheo@detee.ltd>
+The code of the challenge can be found at https://gitea.detee.cloud/general/hacker-challenge

src/hacker_challenge/how_it_works.md

@@ -0,0 +1 @@
+# How it works?

src/hacker_challenge/known_issues.md

@@ -0,0 +1,16 @@
+# Known issues
+
+1. If you create a new node as a root and it will create the private key and save it
+   to the disk, it will remain sealed and when the node will restart and try to join
+   the rest of the network, it will still use the private key from the disk for
+   minting and sharing.
+2. If you run the hacker challenge on the Out Of Life processors you may have a
+   privilege to run certain attacks, for instance check [this
+   article](https://x.com/PratyushRT/status/1828183761055330373).
+3. The challenge is compiled using the HW mode, not HYPER so it may not work on
+   some cloud providers, like Azure Intel SGX VMs (needs more testing).
+4. The performance and stability of the challenge is not at its theoretical peak as
+   the challenge was done mostly as a poc and was not meant to be infinitely scalable
+   or very performant.
+5. The challenge is not mutable once deployed, which means that it will remain
+   secure for as long as the community will not find a new vulnerability in SGX.

src/hacker_challenge/network.md

@@ -0,0 +1,11 @@
+# More about the network
+
+Each node in the network runs inside an enclave. The enclave is a program that operates in a trusted execution environment (TEE). Memory of programs within the enclave can not be inspected from outside the enclave. Programs within the enclave have access to sources of entropy that cannot be predicted from outside. Programs can also access reproducible secrets that they can use to seal[^1] persistent data. Each enclave has a certain set of measurements, consisting of all the data required for the program to run (instructions, configuration, etc.). A running program can generate a quote that can be used to verify the measurements and legitimacy of the hardware it's running on.
+
+Assuming there are no vulnerabilities in any of the mentioned hardware features, and our node implementation has none either, it should be practically impossible to steal the SOL from the network wallet because:
+- wallet key is generated with the enclave's source of entropy
+- nobody can inspect the memory that contains the key
+- nodes verify the quote of each peer and refuse connections if quote measurements don't match their own
+- node seals[^1] all persistent data saved to disk with the enclave's key
+
+[^1]: uses symmetric encryption to encrypt some data before exposing it to untrusted environment to later recover the data by decrypting

src/hacker_challenge/prerequisites.md

@@ -0,0 +1,13 @@
+# Prerequisites
+
+For running the Hacker Challenge you need a VM with Intel processor that supports SGX1/2, check [supported processors](https://www.intel.com/content/www/us/en/architecture-and-technology/software-guard-extensions-processors.html). You may also rent a VM, see [RedSwitches](redswitches.com) or [Hetzner](hetzner.com). Public IP is not mandatory to participate.
+
+Make sure you enabled SGX in BIOS. Just do `cpuid | grep -i sgx` to see if SGX is enabled.
+Make sure you also have kernel above v5.13 to get a built-in SGX DCAP driver.
+Final step is to add the symlinks for the sgx devices.
+
+```bash
+sudo mkdir -p /dev/sgx
+sudo ln -sf ../sgx_enclave /dev/sgx/enclave
+sudo ln -sf ../sgx_provision /dev/sgx/provision
+```

src/hacker_challenge/quick_start.md

@@ -0,0 +1,17 @@
+# Quick Start
+
+Hacker challenge works as a cluster that anybody can join.
+To join a cluster you need to run the DeTEE Hacker Challenge node (for simplicity we call it dthc):
+
+```bash
+docker run --device /dev/sgx/enclave --device /dev/sgx/provision --env INIT_NODES="212.95.45.139 46.165.199.12 184.107.183.210" -v /tmp/dthc:/challenge/main -p 80:31372 -p 31373:31373 -d  --name dthc detee/hacker-challenge:latest
+```
+
+Note.
+- devices are mandatory to give node the access to the SGX driver
+- `INIT_NODES` are current nodes (we update them) so that your node can download Solana keys from cluster
+- in the /tmp/dthc you will find the file where the node writes Solana keys, it's called `TRY_TO_HACK_THIS`
+- port 31373 is needed if you have a public IP and want other nodes to connect to you
+- port 80 is the web interface of your node, it has `/nodes`, `/metrics` and `/mint <address>` endpoints
+
+After your node has started, feel free to start exploring logs in `docker logs <hash>` and /tmp/dthc/logs

src/img/cross.svg

@@ -0,0 +1,9 @@
+<svg xmlns="http://www.w3.org/2000/svg" width="22" height="22" viewBox="0 0 22 22" fill="none">
+  <path d="M11 11L21 21M11 11L1 1M11 11L1 21M11 11L21 1" stroke="url(#paint0_linear_0_648)" stroke-width="2" stroke-linecap="round" stroke-linejoin="round"/>
+  <defs>
+    <linearGradient id="paint0_linear_0_648" x1="1" y1="15.3013" x2="19.943" y2="19.8093" gradientUnits="userSpaceOnUse">
+      <stop stop-color="#46CDFD"/>
+      <stop offset="1" stop-color="#1D598A"/>
+    </linearGradient>
+  </defs>
+</svg>

src/misc/contributors.md

@@ -0,0 +1,10 @@
+# Contributors
+
+Here is a list of the contributors who have helped improving DeTEE. Big
+shout-out to them!
+
+- Gheorghe Ungureanu
+- Valentyn Faychuk
+- Noor Mohammed B
+- Ramil Algayev
+- Jakub Doka

src/todo.md

@@ -0,0 +1,3 @@
+# The Page is under development 🫡
+
+Feel free to contact us at <valy@detee.ltd> or <gheo@detee.ltd>