From 03314b8ee86eb6e1e03e93ab0224d497d930c181 Mon Sep 17 00:00:00 2001 From: Marcin S Date: Thu, 9 Nov 2023 10:18:14 +0100 Subject: [PATCH] Document secure-validator mode (#5346) * Document secure-validator mode This page will be linked to in an error message if a validator fails to meet the requirements. Let me know if there is too much or too little detail. Closes https://github.com/w3f/polkadot-wiki/issues/4881 * Make requirement use a bit less technical language * Add warning about disabling secure mode * minor edits, grammar check --------- Co-authored-by: filippoweb3 --- .../maintain-guides-secure-validator.md | 27 +++++++++++++++++++ 1 file changed, 27 insertions(+) diff --git a/docs/maintain/maintain-guides-secure-validator.md b/docs/maintain/maintain-guides-secure-validator.md index fd5c4eaab050..32d9dd63006b 100644 --- a/docs/maintain/maintain-guides-secure-validator.md +++ b/docs/maintain/maintain-guides-secure-validator.md 
@@ -69,6 +69,33 @@ behavior. ::: +### Secure-Validator Mode + +Parity Polkadot has a Secure-Validator Mode, enabling several protections for keeping keys secure. +The protections include highly strict filesystem, networking, and process sandboxing on top of the +existing wasmtime sandbox. + +This mode is **activated by default** if the machine meets the following requirements. If not, there +is an error message with instructions on disabling Secure-Validator Mode, though this is not +recommended due to the security risks involved. + +#### Requirements + +1. **Linux on x86-64 family** (usually Intel or AMD). +2. **seccomp enabled**. You can check that this is the case by running the following command: + +``` +cat /boot/config-`uname -r` | grep CONFIG_SECCOMP= +``` + +The expected output, if enabled, is: + +``` +CONFIG_SECCOMP=y +``` + +3. OPTIONAL: **Linux 5.13**. Provides access to even more strict filesystem protections. + ## Monitoring Tools - [Telemetry](https://github.com/paritytech/substrate-telemetry) This tracks your node details
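Review bot: The seccomp check under "Requirements" item 2 only works where the kernel config is installed as a file under `/boot`, and the text does not say what any result other than `CONFIG_SECCOMP=y` means. On systems without `/boot/config-$(uname -r)` the reader gets a file-not-found error instead of an answer. Suggest adding a fallback such as `zgrep CONFIG_SECCOMP= /proc/config.gz` or `grep Seccomp /proc/self/status`, and stating that empty output or `=n` means the requirement is not met. The command itself can drop the `cat` and the backticks: `grep CONFIG_SECCOMP= "/boot/config-$(uname -r)"`. Item 3 says "Linux 5.13" where "5.13 or newer" is presumably meant, and it does not name the filesystem protection that this kernel version provides, so an operator cannot verify that it is active. The second paragraph points readers to an error message with instructions for disabling the mode but describes the consequence only as "the security risks involved"; since this page is the link target of that error message, it should say which of the listed protections (filesystem, networking, process sandboxing) are lost when the mode is disabled. Minor: the unindented code fences between items 2 and 3 end the ordered list, so item 3 is rendered as a separate list; indenting the fenced blocks under item 2 keeps the list intact.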