iExecBlockchainComputing
diff --git a/‎.vitepress/sidebar.ts‎
Lines changed: 23 additions & 1 deletion b/‎.vitepress/sidebar.ts‎
Lines changed: 23 additions & 1 deletion
diff --git a/‎src/get-started/protocol/tee/intel-sgx-technology.md‎
Lines changed: 84 additions & 0 deletions b/‎src/get-started/protocol/tee/intel-sgx-technology.md‎
Lines changed: 84 additions & 0 deletions
diff --git a/‎src/guides/build-iapp/advanced-low-level/access-confidential-assets.md‎
Lines changed: 63 additions & 0 deletions b/‎src/guides/build-iapp/advanced-low-level/access-confidential-assets.md‎
Lines changed: 63 additions & 0 deletions
@@ -127,6 +127,13 @@ export function getSidebar() {
               },
             ],
           },
+          {
+            text: 'TEE Technology',
+            collapsed: true,
+            items: [
+              { text: 'Intel SGX Technology Overview', link: '/get-started/protocol/tee/intel-sgx-technology' },
+            ],
+          },
         ],
       },
     ],
@@ -175,6 +182,21 @@ export function getSidebar() {
             text: 'Debugging',
             link: '/guides/build-iapp/debugging',
           },
+          {
+            text: 'Advanced Low‑Level iApp Building',
+            collapsed: true,
+            items: [
+              { text: 'Overview', link: '/guides/build-iapp/advanced-low-level/' },
+              { text: 'Quick Start for Developers', link: '/guides/build-iapp/advanced-low-level/quick-start-for-developers' },
+              { text: 'Build your first application', link: '/guides/build-iapp/advanced-low-level/your-first-app' },
+              { text: 'Intel SGX Technology Overview', link: '/guides/build-iapp/advanced-low-level/intel-sgx-technology' },
+              { text: 'Build your first SGX app (SCONE)', link: '/guides/build-iapp/advanced-low-level/create-your-first-sgx-app' },
+              { text: 'End-to-end Encryption', link: '/guides/build-iapp/advanced-low-level/end-to-end-encryption' },
+              { text: 'SGX Encrypted Dataset', link: '/guides/build-iapp/advanced-low-level/sgx-encrypted-dataset' },
+              { text: 'Access Confidential Assets', link: '/guides/build-iapp/advanced-low-level/access-confidential-assets' },
+              { text: 'Build Intel TDX app', link: '/guides/build-iapp/advanced-low-level/create-your-first-tdx-app' },
+            ],
+          },
         ],
       },
       {
@@ -566,5 +588,5 @@ export function getSidebar() {
         link: '/references/glossary',
       },
     ],
-  } satisfies DefaultTheme.Sidebar;
+  } as DefaultTheme.Sidebar
 }
@@ -0,0 +1,84 @@
+# Overview
+
+**Confidential Computing** (or **Trusted Execution Environments -** **'TEE'**)
+ensures computation confidentiality through mechanisms of memory encryption at
+the hardware level. Applications being executed and data being processed are
+safeguarded against even the most privileged access levels (OS, Hypervisor...).
+Only authorized code can run inside this protected area and manipulate its data.
+
+In some cases, ensuring that code runs correctly without any third party
+altering the execution, is even more important than hiding the computation's
+data. This concept is called **Trusted Computing.**
+
+These guarantees are critical for a decentralized cloud where code is being
+executed on a remote machine, that is not controlled by the requester. They are
+also required to prevent leakage while monetizing data sets.
+
+## Intel® Software Guard Extension (Intel® SGX)
+
+[Intel® SGX](https://software.intel.com/en-us/sgx) is a technology that enables
+**Trusted Computing** and **Confidential Computing**. At its core, it relies on
+the creation of a special zone in the memory called an “enclave”. This enclave
+can be considered as a vault, to which only the CPU can have access. Neither
+privileged access-levels such as root, nor the operating system itself is
+capable of inspecting the content of this region. The code, as well as the data
+inside the protected zone, is totally unreadable and unalterable from the
+outside. This guarantees non-disclosure of data as well as tamper-proof
+execution of the code.
+
+An application's code can be separated into "trusted" and "untrusted" parts
+where sensitive data is manipulated inside the protected area.
+
+## Confidential Computing with iExec
+
+Here is a general overview of how a TEE application runs on iExec:
+
+```mermaid
+graph TD
+    Req[Requester] --> |1 . Buy task| Chain
+    Chain[Blockchain] --> |2 . Notify task to compute| Worker[Worker/Workerpool]
+    Worker --> |3 . Launch TEE application| App[TEE application pre-starting]
+    App --> |4 . Send report containing integrity information of the enclave| SMS{SMS Is integrity and authenticity <br> of the requesting enclave valid?}
+    SMS --> |No| AppFailed[TEE application run aborted]
+    SMS --> |Yes| AppStarted[TEE application started]
+
+    style AppFailed color:red
+    style AppStarted color:green
+```
+
+To build such Confidential Computing (TEE) application, a developer would need
+to use the Intel® SGX SDK. With iExec, you don't need to manipulate it. Instead
+iExec supports the high-level Scone framework.
+
+At a high-level, Scone protects the confidentiality and integrity of the data
+and the code without needing to modify or recompile the application. With native
+Intel® SGX technology, the OS is not a part of the Trusted Computing Base (TCB)
+hence system calls and kernel services are not available from an Intel® SGX
+enclave. This can be limiting as the application will not be able to use File
+System and sockets directly from the code running inside the enclave. The
+[Scone](https://scontain.com/) framework resolves this and reduces the burden of
+porting the application to Intel® SGX.
+
+More precisely, Scone provides a C standard library interface to container
+processes. System calls are executed outside of the enclave, but they are
+shielded by transparently encrypting/decrypting application data. Files stored
+outside of the enclave are therefore encrypted, and network communication is
+protected by Transport Layer Security (TLS).
+
+For a deeper understanding, you can have a look to the official
+[Scone documentation](https://sconedocs.github.io/).
+
+## Let's build
+
+::: warning
+
+Following steps will show you how to build a Confidential Computing application.
+The environment you are about to use is a "develop" environment:
+
+- which can be reset at any time
+- where configurations and secrets might be inspected (debug enclaves)
+
+When your developer discovery journey is complete, please reach the
+[production section](/guides/build-iapp/build-&-deploy#go-to-production).
+
+:::
@@ -0,0 +1,63 @@
+# Access confidential assets from your app
+
+::: warning
+
+Before going any further, make sure you managed to
+[Build your first application with Scone framework](create-your-first-sgx-app.md).
+
+:::
+
+## Secret Management Service (SMS)
+
+You can use confidential assets on iExec thanks to the _iExec Secret Management
+Service_. This service verifies that the enclave asking for secrets is
+authorized to do so. Any user - as a confidential asset provider - declares on
+the blockchain which enclaves are authorized to access it. For each task, the
+SMS will query the blockchain to determine if the enclave requesting secrets is
+indeed whitelisted for it.
+
+The SMS currently supports 3 types of secrets:
+
+1. [Application developer secret](/guides/build-iapp/build-&-deploy#application-developer-secret): This secret is
+   directly accessible from the application as an environment variable. It is
+   owned by the developer of the application. It can be any kind of data (API
+   key, private key, token, ..) as long as it respects the size limit (max. 4096
+   kB).
+2. [Requester secrets](/guides/build-iapp/inputs-and-outputs#access-requester-secrets): These secrets are directly
+   accessible from the application as environment variables, as long as the
+   requester has decided to share them with it. These secrets can be any kind of
+   data as long as they respect the size limit (max. 4096 kB). Before buying a
+   task, a requester secret is pushed into the SMS and is not linked to any
+   application. When a requester buys a task, the requester can declare which
+   secrets can be accessed by the application. Doing so, a single requester
+   secret can be shared with multiple applications.
+3. [Dataset secret](sgx-encrypted-dataset.md): A dataset secret is not directly
+   accessible from the application but its decrypted content is. If a dataset is
+   requested and authorized to be used in it, its content will be automatically
+   decrypted in the application enclave. To monetize such a dataset on iExec,
+   the original dataset must be encrypted using the iExec SDK, its encrypted
+   counterpart must be publicly available and its encryption key pushed into the
+   SMS.
+
+Here is a general overview of how confidential assets are used on iExec:
+
+```mermaid
+graph TD
+    Req[Requester] -->|1.a. Push secret| SMS[SMS]
+    AppDev[Application developer] -->|1.b. Push secret| SMS
+    DatasetOwn[Dataset owner] -->|1.c. Push secret| SMS
+    Req --> |2 . Buy task| Chain
+    Chain[Blockchain] --> |3 . Notify task to compute| Worker[Worker/Workerpool]
+    Worker --> |4 . Launch TEE application| App[TEE application]
+    App --> |5.a. Get secrets for task| SMS
+    SMS --> |5.b. Check authorization for secrets| Chain
+```
+
+## Next step?
+
+You now understand how these three kinds of confidential assets work on iExec,
+you can go one step further by learning how to manipulate them:
+
+- [Attach a secret to your app](/guides/build-iapp/build-&-deploy#application-developer-secret)
+- [Access requester secrets](/guides/build-iapp/inputs-and-outputs#access-requester-secrets)
+- [Access a confidential dataset](sgx-encrypted-dataset.md)