Architecture
Vorta's architecture is a distributed system comprising three core components, meticulously designed for orchestrating secure containerized workloads.
1. Scheduler
The Scheduler is the intelligent heart of Vorta's resource allocation, responsible for the optimal placement of secure workloads. It operates in a multi-phase process:
A. Feasibility Analysis Engine:
SGX Capabilities Check: Verifies worker node's SGX support (SGX1/SGX2, FLT, etc.), available EPC size, and SGX driver/PSW versions.
Gramine Compatibility: Ensures the worker has the necessary Gramine version and dependencies for the target workload.
ZK-Proof Readiness: For ZKP tasks, it checks for pre-requisite cryptographic libraries, specific curve support within the verifier enclave, and sufficient enclave memory for proof artifacts and execution traces.
Attestation Infrastructure Check: Validates the worker's ability to generate quotes (e.g., Quoting Enclave (QE) and Provisioning Certification Enclave (PCE) health, DCAP library presence).
Input Parameters: WorkloadManifest, NodeCapabilitiesReport.
Output: Boolean (Feasible/NotFeasible), ConstraintViolationReport.
B. Worker Scoring Subsystem:
Dynamic Scoring Algorithms: Employs a weighted scoring model. Example factors:
EPC_Available_Score = (AvailableEPC / TotalEPC) * Weight_EPC
ZK_Perf_Score = (Node_ZKP_Throughput_Benchmark / Max_Cluster_ZKP_Throughput) * Weight_ZKP_Perf
Attestation_Success_Rate_Score = (SuccessfulAttestations / TotalAttestations) * Weight_Attestation
Enclave_Utilization_Penalty = (1 - CurrentEnclaveSlotsUsed / MaxEnclaveSlots) * Weight_Util
Network_Latency_Score = (1 - NormalizedLatency) * Weight_Latency
TEE_Attestation_Freshness_Score: Based on the age of the last successful platform attestation.
Predictive Modeling (Advanced): May incorporate machine learning models trained on historical performance data to predict workload completion times on different workers.
Input: List of Feasible Workers, RealTimeNodeMetrics, HistoricalPerformanceData.
Output: Ranked List of Candidate Workers with Scores.
C. Optimal Selection Module:
Policy-Driven Selection: Supports different scheduling policies (e.g., minimize-cost, maximize-throughput, balanced-load, data-locality-preference).
Affinity/Anti-Affinity Rules: Allows specifying rules for co-locating or separating workloads.
Batching & Gang Scheduling (for ZKPs): Optimizes for scenarios where multiple dependent ZK verifications need to be scheduled, potentially considering inter-enclave communication overhead.
Considers Proof Verification Throughput: Prioritizes workers that can meet the specific throughput demands of the incoming ZKP jobs.
Enclave Memory Pressure Awareness: Avoids overloading workers with insufficient EPC, preventing SGX swapping overhead.
Input: Ranked Workers, JobRequirements, SchedulingPolicy.
Output: Selected Worker Node ID.
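The three scheduler phases chained together, as an added example that is not Vorta's own code. The weight values, the dictionary field names, the sample nodes and the choice to sum the factors are assumptions; the factor formulas are the ones listed above.

```python
# Hypothetical weights: the page names the factors but gives no values.
W = {"epc": 0.30, "zkp": 0.30, "attest": 0.25, "util": 0.10, "latency": 0.05}

# Constructed sample nodes (stand-ins for NodeCapabilitiesReport + RealTimeNodeMetrics).
NODES = [
    dict(id="a", sgx2=True, dcap=True, epc_total=256, epc_free=128, zkp=100.0,
         att_ok=99, att_total=100, slots_used=2, slots_max=8, latency=0.2),
    dict(id="b", sgx2=True, dcap=False, epc_total=512, epc_free=512, zkp=200.0,
         att_ok=10, att_total=10, slots_used=0, slots_max=8, latency=0.1),
    dict(id="c", sgx2=False, dcap=True, epc_total=128, epc_free=32, zkp=50.0,
         att_ok=0, att_total=0, slots_used=0, slots_max=4, latency=0.1),
]

def feasibility(n, need_epc_mb, need_sgx2=False):
    """Phase A: return (feasible, violations) for one node."""
    violations = []
    if need_sgx2 and not n["sgx2"]:
        violations.append("SGX2 required")
    if not n["dcap"]:
        violations.append("cannot generate quotes")
    if n["epc_free"] < need_epc_mb:
        violations.append("insufficient EPC")
    return (not violations, violations)

def score(n, max_cluster_zkp):
    """Phase B: sum of the page's weighted factors (summing is an assumption)."""
    # A node with no attestation history scores 0 on that factor (fail closed).
    attest_rate = n["att_ok"] / n["att_total"] if n["att_total"] else 0.0
    return (n["epc_free"] / n["epc_total"] * W["epc"]
            + n["zkp"] / max_cluster_zkp * W["zkp"]
            + attest_rate * W["attest"]
            + (1 - n["slots_used"] / n["slots_max"]) * W["util"]
            + (1 - n["latency"]) * W["latency"])

def select(nodes, need_epc_mb, need_sgx2=False):
    """Phase C: id of the best-scoring feasible node, or None if none qualifies."""
    feasible = [n for n in nodes if feasibility(n, need_epc_mb, need_sgx2)[0]]
    if not feasible:
        return None
    top = max(n["zkp"] for n in nodes) or 1.0
    return max(feasible, key=lambda n: score(n, top))["id"]

if __name__ == "__main__":
    print(select(NODES, need_epc_mb=64))
```

Node "b" has the best raw numbers but is never scored, because a node that cannot generate quotes is rejected in the feasibility phase.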
2. Manager (Mainframe)
The Manager, internally referred to as Mainframe, is the central control plane of Vorta. For maximum security, the Mainframe itself is designed to run within a TEE (SGX enclave).
Core Responsibilities:
Orchestration Engine: Manages the lifecycle of secure workloads, invoking the Scheduler and coordinating with Workers.
Job Lifecycle Management: Handles submission, queuing, execution, monitoring, and termination of jobs. States include: PENDING, SCHEDULING, DEPLOYING, RUNNING_UNATTESTED, ATTESTING, RUNNING_ATTESTED, COMPLETED, FAILED, ABORTED.
State Persistence: Maintains a resilient and consistent state of all jobs, enclave deployments, attestation reports, and cluster configuration.
Primary API Endpoint: Exposes a comprehensive API for users and other services.
Mainframe API (gRPC/RESTful):
Job Management:
POST /jobs: Submit a new secure workload.
GET /jobs/{job_id}: Retrieve job status.
POST /jobs/{job_id}/stop: Terminate a job.
GET /jobs: List all jobs.
Attestation & Verification:
GET /jobs/{job_id}/attestation: Retrieve attestation report.
POST /attest/verify: Submit a quote for verification.
GET /enclaves/{enclave_id}/mrenclave: Query expected MRENCLAVE.
Cluster & Node Management:
GET /nodes: List worker nodes.
GET /nodes/{node_id}/capabilities: Get node capabilities.
GET /cluster/metrics: Retrieve cluster metrics.
Configuration Management:
POST /config/policies: Update policies.
Job Storage (JobStore):
Technology: Could use a distributed, fault-tolerant database.
Schema: Stores job specs, state, worker, logs, attestation data, results.
Metrics Collection & Aggregation:
TEE Performance, SGX Specifics, ZK-Proof Metrics, Resource Utilization, Security Events.
Tools: Prometheus, Grafana.
3. Worker
Worker nodes are the actual execution agents in the Vorta cluster.
Core Responsibilities:
Secure Container Execution: Uses Gramine (gramine-sgx) to launch containers in SGX enclaves.
Remote Attestation Generation: Interacts with SGX hardware to generate quotes.
Proof Artifact Management: Securely handles proof data and execution traces for ZKP workloads.
Metric Reporting: Reports metrics to the Manager.
Worker API (gRPC for internal Manager-Worker communication):
rpc LaunchEnclave(LaunchEnclaveRequest) returns (LaunchEnclaveResponse)
rpc GetEnclaveStatus(EnclaveStatusRequest) returns (EnclaveStatusResponse)
rpc TerminateEnclave(TerminateEnclaveRequest) returns (TerminateEnclaveResponse)
rpc GenerateAttestationQuote(AttestationQuoteRequest) returns (AttestationQuoteResponse)
rpc ReportMetrics(MetricsReport) returns (Ack)
rpc FetchProofData(ProofDataRequest) returns (stream ProofDataChunk)
Internal Workflow (Example: ZK Proof Verification Task):
Manager assigns task to Worker.
Worker prepares and launches ZKP verifier in SGX using Gramine.
Verifier processes proof.
Manager requests attestation; Worker generates quote.
Worker sends quote and result to Manager.
Manager verifies quote and records result.
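The field checks a Manager could apply in the last step, after the quote's signature chain has been verified, as an added example that is not Vorta's own code. The function names, the constructed sample quote, and the binding of report_data to SHA-256(nonce || result) are assumptions; the offsets follow the SGX ECDSA quote layout (48-byte header followed by a 384-byte report body).

```python
import hashlib
import struct

# Offsets in an ECDSA (DCAP) quote: 48-byte header, then a 384-byte report body.
HEADER_LEN, BODY_LEN = 48, 384
OFF_ATTR_FLAGS = HEADER_LEN + 48     # 8-byte little-endian attribute flags
OFF_MRENCLAVE = HEADER_LEN + 64      # 32 bytes
OFF_REPORT_DATA = HEADER_LEN + 320   # 64 bytes
DEBUG_FLAG = 0x2                     # set when the enclave is debuggable

def check_quote_policy(quote, expected_mrenclave, nonce, result):
    """Return a list of policy violations; an empty list means the checks passed.

    Signature and certificate-chain verification is NOT done here and must
    succeed before any of these fields can be trusted.
    """
    if len(quote) < HEADER_LEN + BODY_LEN:
        return ["quote truncated"]
    problems = []
    (flags,) = struct.unpack_from("<Q", quote, OFF_ATTR_FLAGS)
    if flags & DEBUG_FLAG:
        problems.append("debug enclave")
    if quote[OFF_MRENCLAVE:OFF_MRENCLAVE + 32] != expected_mrenclave:
        problems.append("MRENCLAVE mismatch")
    # Assumed binding: report_data[0:32] = SHA-256(nonce || result), so the
    # quote vouches for this result and cannot be replayed for another request.
    binding = hashlib.sha256(nonce + result).digest()
    if quote[OFF_REPORT_DATA:OFF_REPORT_DATA + 32] != binding:
        problems.append("report_data does not bind nonce and result")
    return problems

def make_sample_quote(mrenclave, nonce, result, debug=False):
    """Build a constructed, unsigned quote-shaped buffer for the demo."""
    q = bytearray(HEADER_LEN + BODY_LEN)
    struct.pack_into("<Q", q, OFF_ATTR_FLAGS, 0x1 | (DEBUG_FLAG if debug else 0))
    q[OFF_MRENCLAVE:OFF_MRENCLAVE + 32] = mrenclave
    q[OFF_REPORT_DATA:OFF_REPORT_DATA + 32] = hashlib.sha256(nonce + result).digest()
    return bytes(q)

if __name__ == "__main__":
    mr, nonce = bytes(range(32)), b"n" * 16
    print(check_quote_policy(make_sample_quote(mr, nonce, b"valid"), mr, nonce, b"invalid"))
```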