feat: add visual representations and detailed explanations for Intel SGX and TDX technologies

Le-Caignec · Le-Caignec · commit 70ba9aa11da8 · 2025-08-20T17:32:03.000+02:00
diff --git a/src/get-started/protocol/tee/intel-sgx.md b/src/get-started/protocol/tee/intel-sgx.md
@@ -37,10 +37,40 @@ applications.
 **Analogy**: SGX is like installing a small, specialized safe inside your office
 for specific valuable items.
 
-## SGX with iExec
+### Visual Representation
 
-iExec has built a comprehensive SGX infrastructure that makes it easy for
-developers to create secure, privacy-preserving applications.
+```mermaid
+graph TB
+    OS[Operating System<br/>Can see everything]
+    App[Regular Application<br/>Visible & Vulnerable]
+    Enclave[🔒 SGX Enclave<br/>Protected]
+    Data[Sensitive Code & Data<br/>Encrypted]
+    OS --> App
+    App --> Enclave
+    Enclave --> Data
+    style Enclave fill:#ffffff,stroke:#0000ff,stroke-width:2px,color:#000000
+    style Data fill:#ffffff,stroke:#00ff00,stroke-width:2px,color:#000000
+```
+
+## SGX Technology Details
+
+### How SGX Works
+
+1. **Enclave Creation**: SGX creates a secure memory region (enclave) that only
+   the CPU can access
+2. **Code Isolation**: Sensitive code runs inside the enclave, isolated from the
+   rest of the system
+3. **Memory Encryption**: All data in the enclave is automatically encrypted
+4. **Integrity Protection**: The enclave can prove it's running the correct,
+   unmodified code
+
+### SGX Limitations
+
+With native Intel® SGX technology, the OS is not a part of the Trusted
+Computing Base (TCB), hence system calls and kernel services are not available
+from an Intel® SGX enclave. This can be limiting as the application will not be
+able to use File System and sockets directly from the code running inside the
+enclave.
 
 ### iExec's SGX Infrastructure
 
@@ -53,3 +83,66 @@ iExec provides a complete SGX ecosystem that includes:
   execution
 - **🔗 Blockchain Integration**: Decentralized coordination and payment
 - **📦 Scone Framework**: High-level development framework for SGX applications
+
+### Why iExec Uses Scone
+
+To build Confidential Computing (TEE) applications with SGX, iExec uses the
+high-level **Scone framework** instead of requiring developers to manipulate the
+Intel® SGX SDK directly.
+
+#### Scone Framework Benefits
+
+At a high-level, Scone protects the confidentiality and integrity of the data
+and the code without needing to modify or recompile the application. The
+[Scone](https://scontain.com/) framework resolves the limitations of native SGX
+and reduces the burden of porting the application to Intel® SGX.
+
+#### How Scone Works
+
+More precisely, Scone provides a C standard library interface to container
+processes. System calls are executed outside of the enclave, but they are
+shielded by transparently encrypting/decrypting application data. Files stored
+outside of the enclave are therefore encrypted, and network communication is
+protected by Transport Layer Security (TLS).
+
+For a deeper understanding, you can have a look to the official
+[Scone documentation](https://sconedocs.github.io/).
+
+### iExec SGX Workflow
+
+```mermaid
+graph TD
+    Dev[Developer]
+    Build[Build with Scone]
+    Deploy[Deploy to iExec]
+    Worker[SGX Worker Selected]
+    Enclave[SGX Enclave Created]
+    Execute[Secure Execution]
+    Proof[Proof of Contribution]
+    Result[Results]
+    Dev --> Build
+    Build --> Deploy
+    Deploy --> Worker
+    Worker --> Enclave
+    Enclave --> Execute
+    Execute --> Proof
+    Proof --> Result
+    style Enclave fill:#ffffff,stroke:#0000ff,stroke-width:2px,color:#000000
+    style Execute fill:#ffffff,stroke:#0000ff,stroke-width:2px,color:#000000
+```
+
+## What's Next?
+
+**Learn about the next generation**:
+
+- **[Intel TDX Technology](/get-started/protocol/tee/intel-tdx)** -
+  Next-generation VM-level TEE technology
+- **[SGX vs TDX Comparison](/get-started/protocol/tee/sgx-vs-tdx)** - Detailed
+  comparison of both technologies
+
+**Ready to build with SGX?** Check out the practical guides:
+
+- **[Build & Deploy](/guides/build-iapp/build-&-deploy)** - Create your first
+  SGX application
+- **[Advanced SGX Development](/guides/build-iapp/advanced/create-your-first-sgx-app)** -
+  Deep dive into SGX development
diff --git a/src/get-started/protocol/tee/intel-tdx.md b/src/get-started/protocol/tee/intel-tdx.md
@@ -45,6 +45,41 @@ machines.
 **Analogy**: TDX is like moving your entire office into a secure building where
 everything is protected.
 
+### Visual Representation
+
+```mermaid
+graph TB
+    Hypervisor[Hypervisor<br/>Cannot see inside TDX]
+    TrustDomain[🔒 TDX Trust Domain<br/>Entire VM Protected]
+    App[Your Complete Application<br/>All Protected]
+    Data[OS, Libraries, Data<br/>All Encrypted]
+    Hypervisor --> TrustDomain
+    TrustDomain --> App
+    App --> Data
+    style TrustDomain fill:#ffffff,stroke:#0000ff,stroke-width:2px,color:#000000
+    style Data fill:#ffffff,stroke:#00ff00,stroke-width:2px,color:#000000
+```
+
+## TDX Technology Details
+
+### How TDX Works
+
+1. **Trust Domain Creation**: TDX creates secure virtual machines called "trust
+   domains"
+2. **VM-Level Isolation**: Entire virtual machines run in isolated, secure
+   environments
+3. **Large Memory Support**: Significantly larger secure memory space compared
+   to SGX
+4. **Legacy Compatibility**: Existing applications can run with minimal
+   modifications
+
+### TDX Advantages
+
+- **Larger Memory**: Multi-GB+ secure memory space vs limited SGX memory
+- **Easier Migration**: "Lift and shift" approach for existing applications
+- **Better Performance**: Optimized for complex, memory-intensive workloads
+- **VM-Level Security**: Protects entire virtual machines, not just applications
+
 ## TDX with iExec
 
 iExec is actively exploring TDX technology to expand the platform's capabilities
@@ -59,3 +94,55 @@ iExec provides experimental TDX support through:
 - **🔐 Secret Management Service**: SMS support for TDX applications
 - **📋 Task Verification**: Proof of contribution for TDX executions
 - **🔗 Blockchain Integration**: Decentralized coordination and payment
+
+### iExec TDX Workflow
+
+```mermaid
+graph TD
+    Dev[Developer]
+    Build[Build TDX App]
+    Deploy[Deploy to iExec]
+    Worker[TDX Worker Selected]
+    TrustDomain[TDX Trust Domain Created]
+    Execute[Secure Execution]
+    Proof[Proof of Contribution]
+    Result[Results]
+    Dev --> Build
+    Build --> Deploy
+    Deploy --> Worker
+    Worker --> TrustDomain
+    TrustDomain --> Execute
+    Execute --> Proof
+    Proof --> Result
+    style TrustDomain fill:#ffffff,stroke:#0000ff,stroke-width:2px,color:#000000
+    style Execute fill:#ffffff,stroke:#0000ff,stroke-width:2px,color:#000000
+```
+
+## When to Use TDX
+
+**TDX is ideal for**:
+
+- 💾 Working with memory-intensive applications
+- 🔄 Running existing applications with minimal changes
+- 🚀 Running complex workloads with VM-level protection
+
+## What's Next?
+
+**Learn about the foundation**:
+
+- **[Intel SGX Technology](/get-started/protocol/tee/intel-sgx)** -
+  First-generation application-level TEE technology
+- **[SGX vs TDX Comparison](/get-started/protocol/tee/sgx-vs-tdx)** - Detailed
+  comparison of both technologies
+
+**Ready to experiment with TDX?** Check out the practical guides:
+
+- **[Build Intel TDX App (Experimental)](/guides/build-iapp/advanced/create-your-first-tdx-app)** -
+  Build TDX applications with traditional deployment and iApp Generator
+- **[Create Your First TDX App](/guides/build-iapp/advanced/create-your-first-tdx-app)** -
+  Build TDX applications
+
+**For production applications, use SGX**:
+
+- **[Build & Deploy](/guides/build-iapp/build-&-deploy)** - Create
+  production-ready SGX applications
diff --git a/src/get-started/protocol/tee/introduction.md b/src/get-started/protocol/tee/introduction.md
@@ -45,6 +45,49 @@ special security measures that keep its contents completely private and secure.
 | No hardware security guarantees | Hardware-level security protection     |
 | Like working in a public space  | Like working in a secure, private room |
 
+### Visual Representation
+
+**Regular Computing:**
+
+```mermaid
+graph TB
+    OS1[Operating System<br/>Can see everything]
+    App1[Your Application<br/>Visible & Vulnerable]
+    Data1[Sensitive Data<br/>Exposed]
+    OS1 --> App1
+    App1 --> Data1
+    style Data1 fill:#ffffff,stroke:#ff0000,stroke-width:2px,color:#000000
+    style OS1 fill:#ffffff,stroke:#000000,stroke-width:1px,color:#000000
+    style App1 fill:#ffffff,stroke:#000000,stroke-width:1px,color:#000000
+```
+
+**TEE Computing:**
+
+```mermaid
+graph TB
+    OS2[Operating System<br/>Cannot see inside TEE]
+    App2[Regular Application Parts]
+    TEE[🔒 TEE Enclave<br/>Protected]
+    Data2[Sensitive Code & Data<br/>Encrypted]
+    OS2 --> App2
+    App2 --> TEE
+    TEE --> Data2
+    style TEE fill:#ffffff,stroke:#0000ff,stroke-width:2px,color:#000000
+    style Data2 fill:#ffffff,stroke:#00ff00,stroke-width:2px,color:#000000
+    style OS2 fill:#ffffff,stroke:#000000,stroke-width:1px,color:#000000
+    style App2 fill:#ffffff,stroke:#000000,stroke-width:1px,color:#000000
+```
+
+## How TEE Works
+
+### Core Principles
+
+1. **Hardware Protection**: Special CPU features create isolated, secure areas
+2. **Memory Encryption**: All data in the secure area is automatically encrypted
+3. **Access Control**: Only authorized code can enter the secure area
+4. **Integrity Verification**: The system can prove it's running the correct
+   code
+
 ## TEE Technology Evolution
 
 TEE technologies have evolved to address different use cases:
