Experiencing problems? Have you tried our Stack Exchange first?
This is not a support question.
Motivation
Validators can already run in secure mode. This hardens the validation process, making it more difficult for malicious code to cause any harm if it escapes the wasm sandbox. See #1444 for more information. But collators do not have that option; they always run the runtime in the same process.
Request
We propose to add a secure collator mode, to help mitigate the risk of running untrusted runtimes. This could be beneficial for projects like tanssi in which collators rotate between several runtimes, or for sequencers that run L2s that might not necessarily trust the runtime, or even for full nodes or RPC providers that want to harden their security.
Solution
Since validation and collation have many similarities, most of the PVF code could be reused to support secure collators. This could be implemented as a new WasmExecutionMethod that's similar to "Compiled" but runs the code in a new process:
polkadot-sdk/substrate/client/cli/src/arg_enums.rs, line 56 at 3168ed4
To avoid problems related to performance, this option can be disabled by default.
Are you willing to help with this request?
Yes!

> We propose to add a secure collator mode, to help mitigate the risk of running untrusted runtimes.

Everything is built around the assumption that the runtime is trusted code. Changing this assumption would probably require a lot of refactorings etc. Just running the code in some external process will not help that much. Why isn't the collator just running in some clean VM or similar to keep it isolated?
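The containment that the Solution section's out-of-process execution method is meant to buy, as an added Rust illustration that is not polkadot-sdk or PVF worker code: the host hands a job to a separate OS process and maps normal exit, crash and hang to distinct results, so a runtime misbehaving inside the worker cannot take the host process down with it. `run_isolated`, `WorkerError`, the polling timeout and the use of `sh` as a stand-in worker binary are all assumptions of this example.

```rust
use std::io::{Read, Write};
use std::process::{Command, Stdio};
use std::thread;
use std::time::{Duration, Instant};

/// Why a worker run produced no result (hypothetical type, not from the page).
#[derive(Debug, PartialEq)]
pub enum WorkerError {
    Spawn(String),
    /// Worker exited abnormally; `None` means it died from a signal (e.g. a crash).
    Crashed(Option<i32>),
    Timeout,
}

/// Run `program args` in its own OS process, feed it `input` on stdin and return its stdout.
/// A crash or hang in the worker becomes an error value here instead of crashing the host.
pub fn run_isolated(program: &str, args: &[&str], input: &[u8], timeout: Duration)
    -> Result<Vec<u8>, WorkerError> {
    let mut child = Command::new(program).args(args)
        .stdin(Stdio::piped()).stdout(Stdio::piped()).stderr(Stdio::null())
        .spawn().map_err(|e| WorkerError::Spawn(e.to_string()))?;
    // Hand over the job and close stdin. A write error only means the worker died
    // early, which the exit status below reports, so it is deliberately ignored.
    let mut stdin = child.stdin.take().expect("stdin is piped");
    let _ = stdin.write_all(input);
    drop(stdin);
    // Drain stdout on a helper thread so a chatty worker cannot stall on a full pipe.
    let mut stdout = child.stdout.take().expect("stdout is piped");
    let reader = thread::spawn(move || {
        let mut buf = Vec::new();
        let _ = stdout.read_to_end(&mut buf);
        buf
    });
    let deadline = Instant::now() + timeout;
    loop {
        match child.try_wait() {
            Ok(Some(status)) if status.success() => return Ok(reader.join().unwrap_or_default()),
            Ok(Some(status)) => return Err(WorkerError::Crashed(status.code())),
            Ok(None) if Instant::now() >= deadline => {
                let _ = child.kill(); // stop the hung worker and reap it
                let _ = child.wait();
                return Err(WorkerError::Timeout);
            }
            Ok(None) => thread::sleep(Duration::from_millis(5)),
            Err(e) => return Err(WorkerError::Spawn(e.to_string())),
        }
    }
}
```

A real secure mode would additionally sandbox the worker (seccomp, namespaces, dropped privileges) as the PVF workers referenced in #1444 do; this block only shows the process boundary and the result mapping.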