Here’s an idea on certification of DIY 3nodes, having in mind that a certified 3node needs to:

Lock the boot mechanism to a signed version of Zero-OS only. This gets you the 25% increase in TFT farming rewards" @weynandkuijpers

Critera Needed for DIY Certified 3nodes - Bootstrap Program

1. The BIOS is protected by a TF Grid-only* password secure boot

2. The first time the 3node is booted, it wipes all disks.

3. The Zero-OS version is verified at each boot.

4. Take note of the 3node’s overall situation (secure boot + BIOS settings + disks situation)

5. If a change happens to the 3node, it loses certification (e.g. disks are wiped). This can be verified during run time and/or at the beginning of each reboot.

*Only the TF Grid knows the secure boot password.

How it would work

A way to achieve this, in short, is to have a boot program that can load in the BIOS, check if all the parameters are ok for Zero-OS, then (1) set a secure boot password protected by the TF Grid, (2) wipe all the disks, (3) note the Zero-OS version and (4) take note of all parameters and then boot the 3node on the TF Grid.

When it reboots, (5) it makes sure no changes has been made.

When it connects to the Grid for the first time, the Grid verifies that the 3node meets all criteria. If it does, it gives the certification status.

At each new boot, the TF Grid verifies if the 3node still satisfies the criteria, if it doesn’t it loses the certification status, if it does it continues farming as a certified 3node.

Note 1: to prevent users to wipe the disks, we implement a lock period adjusted to the 3node farming rewards as to prevent users from being bad actors.

Note 2: If the users change anything, the 3node loses certification. Also, the only way to change anything would be (1) to change the BIOS but it is secured by the TF Grid, and/or to (2) wipe all disks, and this would lock the farming rewards (Note 1).

Proof-of-concept

First, have proof of concept with certain computer models that are easily certifiable and that have good specs for the Grid. Ex: some models can have the BIOS set with a .txt file. This could be easy to verify and set by the bootstrap program.

With strategic models, we could cover a big part of the market in certain geographics regions. For example, it would be amazing to have this certification process available for easily accessible computer models with basic good ratio for TF Farming. This would help decentralization in places where it’s hard to get servers or high-end computers.

A complement to the 3node marketplace

Having the 3node marketplace is great to buy/sell certified 3node built by certified builders. Having DIY 3node certification would expand certification to individual DIY TF farmers.

What do you guys think?
Thanks for reading! Let me know if I got something wrong.

This is stellar work, I love the idea

Hi @Mik. Thank you for presenting your thoughts. ThreeFold was implemented the secure boot principles and are working on improving on those. Currently we use the “secure boot” facility inside modern BIOS’s and install a custom secure boot keys to check and validate whether the kernel that is being presented to boot is signed by the right key.

People are looking into using TPM (A Trusted Platform Module (TPM) is a specialized chip on an endpoint device that stores RSA encryption keys specific to the host system for hardware authentication. This key pair is generated by the TPM based on the Endorsement Key and an owner-specified password).

The challenge is that “someone” needs to install this, and this is where the “trusted” path starts. So we need to think of a way that we can create a trust relationship with the individual, engineer, marketplace seller. That’s what we have to solve and think a little about.

This is to be a DAO thing, and we have to come up with a way that we can “trust in” individuals and corporations to do the right right and be true in doing so.

Thanks for this reply.

Would it be possible that a DIY farmer install the TPM but then to have the password generated by the TF Grid, instead of the two parties?

If the TPM could then be verified externally, it would suffice to certified the node.
It would be something akin to a trustless process.

Since we want to lock the 3node, it doesn’t matter if the password is only known to the TF Grid, as we do not expect to change anything within the 3node’s secure boot after it’s set up.

There might be technicalities that I am not aware of preventing this solution.

Thank you for your time and thoughts.

I wonder if a BIOS password can be set by a program? I’m guessing no, but I’m not sure.

If demand was there it would be neat to have a regional meetup where people could take their 3nodes to get certified. Bigger farms could have someone go out and certify their racks.

I am not sure either for the BIOS password. I’m really just exploring ideas now.

Regional meetup would be amazing.

Of course moving in and out dozens of rack servers might not be optimal.

We could have a TF certification van on the move, certifying 3nodes from door to door. Haha

Let’s brainstorm on. Kristof also had the idea a while ago to have little OpenWRT devices that can be configured by trusted partners that act as a PXE boot device. Cost is low and works with all hardware. Again - the problem is not necessarily how to solve this in the technology level, but how can you create a community / shared version of this trust instead of a single (centralized) authority… We have some to do.

Oh wow, that’s actually a brilliant idea. Would be a fantastic way to bring certified to the DIY crowd. Sounds like a perfect project to roll out on a zimaboard (although they are getting pricey so maybe not). I’ll mess with that some if mine ever comes in.

Indeed using the OpenWRT devices is a brilliant idea.

Adding the proposition from Nelson to have community gatherings in local places bringing in their 3nodes, we could have partners in those events that can install the PXE boot device.

This could be a great first step in decentralizing certification of 3nodes. It would require less resources than having the partners going to individual places. Of course, for bigger setups such as big farms, an individual visit would be more effective.

I’m using a openwrt router to run my ygg public node, it’s so close to base Linux that I have a hard time imagining someone smarter then me couldnt adapt a form of zos to be a downloadable package within openwrt that Could allow Someone to create a gateway for the planetary network with a 50-60$ device, could really increase node count rapidly. Add in some lmr400 and an external antenna, you would have a service ready way to share expand the local mesh to include homes without their own connections.

I really love the idea of being able to bring a nice somewhere and have it certified!