The Secret VM Build System is a specialized Yocto-based build system designed for creating secure virtual machines, primarily used within the Secret Network ecosystem. This build system enables the creation of secure, attestable virtual machine images that form the foundation for confidential computing environments.
Built for the Secret Network, a privacy-first blockchain platform, this system ensures that computational environments maintain the highest standards of security and privacy. The build system leverages TEE (Trusted Execution Environment) technology and remote attestation to provide verifiable guarantees about the integrity and confidentiality of running environments.
Security Note: This build system is designed for production-grade secure environments. Proper handling of attestation keys and secure configurations is critical for maintaining the security guarantees.
- Docker
- Git
- 120GB+ free disk space
- Linux host system (recommended: Ubuntu 20.04 or later)
- Clone the repository:

      git clone https://github.com/scrtlabs/secret-vm-build.git
      cd secret-vm-build

- Initialize and update all submodules:

      git submodule update --init

- Build:

      scripts/build_reproducible.sh
Build artifacts are located in ./artifacts:

- rootfs.cpio, rootfs.iso: Root file system for VMs without GPU
- rootfs-gpu.cpio, rootfs-gpu.iso: Root file system for VMs with GPU
- bzImage: Linux kernel
- initramfs.cpio.gz: Initial RAM filesystem
- ovmf.fd: UEFI firmware image
- encryptedfs.qcow2: empty image for the encrypted file system
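Because the build is meant to be reproducible and the kernel, initramfs and firmware are what an attestation policy measures, the practical check after a build is to compare the artifact hashes against a manifest recorded from an earlier build. The script below is an added example, not part of secret-vm-build: the artifact names are the ones listed above, while the manifest file name and its "sha256  name" line format are this example's own convention.

```shell
#!/bin/sh
# Added example (not part of secret-vm-build): record a SHA-256 manifest of the
# build artifacts and verify a later build against it, so two reproducible
# builds can be compared before an image is deployed or its measurements are
# enrolled in an attestation policy.

# Artifact names as listed in the README; the manifest format is this example's own.
ARTIFACTS="rootfs.cpio rootfs.iso rootfs-gpu.cpio rootfs-gpu.iso bzImage initramfs.cpio.gz ovmf.fd encryptedfs.qcow2"

# record_manifest DIR MANIFEST: write one "sha256  name" line per artifact present in DIR.
record_manifest() {
    dir=$1; manifest=$2
    : > "$manifest"
    for name in $ARTIFACTS; do
        if [ -f "$dir/$name" ]; then
            sha256sum "$dir/$name" | awk -v n="$name" '{ print $1 "  " n }' >> "$manifest"
        fi
    done
}

# verify_manifest DIR MANIFEST: return 0 only if every listed artifact exists in DIR
# and its hash matches; prints one status line per artifact.
verify_manifest() {
    dir=$1; manifest=$2; status=0
    while read -r expected name; do
        [ -n "$name" ] || continue
        if [ ! -f "$dir/$name" ]; then
            echo "MISSING  $name"; status=1; continue
        fi
        actual=$(sha256sum "$dir/$name" | awk '{ print $1 }')
        if [ "$actual" = "$expected" ]; then
            echo "OK       $name"
        else
            echo "MISMATCH $name"; status=1
        fi
    done < "$manifest"
    return $status
}

# Typical use after scripts/build_reproducible.sh:
#   record_manifest ./artifacts artifacts.sha256      # on the reference build
#   verify_manifest ./artifacts artifacts.sha256      # on every later build
```

A non-zero exit from verify_manifest means the build is not byte-identical to the reference; treat any MISMATCH on bzImage, initramfs.cpio.gz or ovmf.fd as a blocker, since those are the components whose measurements the attestation consumer will compare.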
- Without GPU:

      scripts/start_vm.sh

- With GPU:

      sudo scripts/start_vm_gpu.sh
- Enable IOMMU in your host system
- Configure PCI pass-through in your VM launch script
- Use GPU-enabled image build
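PCI pass-through only works when the host IOMMU is active and the GPU sits in an IOMMU group whose every member can be handed to the VM together, so a quick host check before editing the launch script saves debugging time. The functions below are an added example, not part of secret-vm-build: they read the standard /sys/kernel/iommu_groups layout, with the sysfs root passed as a parameter so the same code can be run against a constructed tree; the PCI address 0000:01:00.0 used in the comments is a placeholder.

```shell
#!/bin/sh
# Added example (not part of secret-vm-build): inspect the host's IOMMU groups
# before configuring PCI pass-through for the GPU image. SYSFS_ROOT is normally
# /sys; it is a parameter only so the functions can be exercised offline.

# iommu_group_count SYSFS_ROOT: print how many IOMMU groups contain at least one
# device. Zero means the IOMMU is not active and pass-through cannot work.
iommu_group_count() {
    count=0
    for group in "$1"/kernel/iommu_groups/*/; do
        [ -d "$group/devices" ] || continue
        if [ -n "$(ls -A "$group/devices")" ]; then
            count=$((count + 1))
        fi
    done
    echo "$count"
}

# iommu_group_of SYSFS_ROOT PCI_ADDR: print the group number that holds PCI_ADDR
# (e.g. 0000:01:00.0, a placeholder address), or fail if the device is in no group.
iommu_group_of() {
    for group in "$1"/kernel/iommu_groups/*/; do
        if [ -e "$group/devices/$2" ]; then
            basename "$group"
            return 0
        fi
    done
    return 1
}

# iommu_group_peers SYSFS_ROOT PCI_ADDR: print the other devices sharing PCI_ADDR's
# group, one per line. Empty output means the device can be passed through alone;
# anything listed must be detached from the host and passed through as well.
iommu_group_peers() {
    group=$(iommu_group_of "$1" "$2") || return 1
    for dev in "$1"/kernel/iommu_groups/"$group"/devices/*; do
        name=$(basename "$dev")
        [ "$name" = "$2" ] || echo "$name"
    done
}

# On a real host (placeholder GPU address):
#   iommu_group_count /sys
#   iommu_group_peers /sys 0000:01:00.0
```

If iommu_group_count prints 0, the IOMMU has not been enabled in firmware or on the kernel command line and the GPU launch script will fail regardless of its pass-through settings; if iommu_group_peers lists devices other than the GPU's own audio or USB functions, the group is too coarse and the pass-through configuration must include all of them.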