Running an atelier builder

audience: operators

Atelier is the TDX-attested co-building organism. It reads the slot’s UnsealedPool and AuctionOutcome, assembles a candidate block body inside a TDX enclave, and commits it to Candidates under a BLS aggregate signature.

Role in the lattice

Atelier is the place where the actual block gets built. In a Phase 1 single-operator lattice, every committee member belongs to one operator’s fleet; in Phase 2 multiple operators contribute members (co-building). In both cases the organism’s public surface is the same.

Committee sizing

  • 3 members: minimum functional committee.
  • 5 members: recommended production baseline.
  • 7+ members: multi-operator Phase 2; each member is a distinct operator’s TDX image.

The committee size n is pinned in atelier::Config and folds into the fingerprint. Adding a co-builder is therefore a lattice retirement + replacement, not an in-place change to n; see Rotations and upgrades.

Hardware

  • TDX-enabled hosts, higher RAM. 8 GiB default memory in the TDX image; block simulation is the heaviest workload.
  • Low-latency networking. Atelier members talk to each other many times per slot on the derived private network.
  • Chain RPC access from inside the TDX image, for bundle simulation. The RPC endpoint is pinned in atelier::Config (or derivable from LATTICE_CHAIN_ID).

systemd unit example

# /etc/builder/atelier-member.env
LATTICE_INSTANCE=acme.ethereum.mainnet
LATTICE_CHAIN_ID=1
LATTICE_CONFIG_HEX=7f3a9b1c...

ATELIER_COMMITTEE_SECRET_FILE=/etc/builder/secrets/acme.ethereum.mainnet.atelier.secret
ATELIER_BLS_SECRET_FILE=/etc/builder/secrets/acme.ethereum.mainnet.atelier.member-01.bls
ATELIER_SECRET_FILE=/etc/builder/secrets/acme.ethereum.mainnet.atelier.member-01.peer

# Chain RPC for simulation.
ATELIER_CHAIN_RPC=https://eth-mainnet.g.alchemy.com/v2/...

Building the TDX image

cargo build --release --features tdx-builder-ubuntu -p builder-atelier
# target/release/tdx-artifacts/atelier/ contains:
#   initramfs.img
#   OVMF.fd
#   kernel
#   mrtd.hex    <-- publish this

Publish mrtd.hex in the lattice’s release notes; pin it in the atelier::Config.mrtd field. Integrators compiling with tee-tdx verify it on bond.

Co-building (Phase 2)

To bring a new co-builder operator into the lattice:

  1. The new operator builds the reference atelier TDX image and publishes its MR_TD.
  2. The lattice’s atelier::Config.mrtd_acl is updated to include the new MR_TD. This changes the fingerprint.
  3. Lattice retirement + replacement: publish a new LatticeConfig version; existing integrators migrate on their schedule.

Adding a co-builder in place, without changing the fingerprint, is explicitly not supported: it would silently change the trust model under integrators’ feet.

What this organism does not do

  • It does not authenticate searchers (offer’s job).
  • It does not ship the block to proposers (relay’s job).
  • It does not attribute refunds (tally’s job).
  • It does not decide the consensus among simulations — the BLS aggregate signature is after-the-fact proof that a majority of committee members agreed on the final body. The actual agreement is reached in the Raft log.

Observing

  • atelier_candidates_committed_total — one per successful slot.
  • atelier_candidate_build_latency_seconds — per-slot build time; alert when > slot period.
  • atelier_simulation_divergence_total — when committee members disagree on a simulation. Investigate on any non-zero rate.
  • atelier_member_tdx_attested{member=...} — 0/1 per committee member’s attestation status.
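
The alert conditions in the list above, applied to two consecutive scrapes in Prometheus text format, including the two cases that are easy to get wrong: a counter reset after a restart and a member whose attestation series is missing. This is an added example, not code from the atelier project. It assumes the metrics are exposed in that format, that atelier_candidate_build_latency_seconds is a gauge, and a 12-second slot period; the scrapes and member names are constructed.

```python
import re

# One Prometheus text-exposition sample: name, optional {labels}, value, optional timestamp.
SAMPLE = re.compile(r'^([A-Za-z_:][\w:]*)(?:\{(.*)\})?\s+(\S+)(?:\s+-?\d+)?$')
LABEL = re.compile(r'(\w+)="([^"]*)"')

def parse(text):
    """Map (metric name, sorted label pairs) -> float for one scrape."""
    samples = {}
    for line in text.splitlines():
        m = SAMPLE.match(line.strip())  # comment lines start with '#', so never match
        if m:
            name, labels, value = m.groups()
            samples[(name, tuple(sorted(LABEL.findall(labels or ""))))] = float(value)
    return samples

def evaluate(prev_text, curr_text, slot_period_s, members):
    """Apply the Observing section's alert conditions to two consecutive scrapes."""
    prev, curr = parse(prev_text), parse(curr_text)
    alerts = []
    # Counter: alert on any increase. A drop means the process restarted and the
    # counter reset, so everything counted since the restart is new divergence.
    key = ("atelier_simulation_divergence_total", ())
    before, now = prev.get(key, 0.0), curr.get(key, 0.0)
    increase = now - before if now >= before else now
    if increase > 0:
        alerts.append(f"simulation divergence +{increase:g}")
    # Assumption: this metric is a gauge holding the latest slot's build time.
    latency = curr.get(("atelier_candidate_build_latency_seconds", ()))
    if latency is not None and latency > slot_period_s:
        alerts.append(f"build latency {latency:g}s > slot period {slot_period_s:g}s")
    # A member whose series is missing is treated like one reporting 0.
    for member in members:
        if curr.get(("atelier_member_tdx_attested", (("member", member),))) != 1.0:
            alerts.append(f"member {member} not attested")
    return alerts

# Constructed scrapes; the member names are placeholders.
PREV = "atelier_simulation_divergence_total 0\n"
CURR = """# TYPE atelier_simulation_divergence_total counter
atelier_simulation_divergence_total 2
atelier_candidate_build_latency_seconds 12.8
atelier_member_tdx_attested{member="member-01"} 1
atelier_member_tdx_attested{member="member-02"} 0
"""

if __name__ == "__main__":
    for alert in evaluate(PREV, CURR, 12.0, ["member-01", "member-02", "member-03"]):
        print("ALERT:", alert)
```

The expected member list comes from the operator's own committee roster rather than from the scrape, which is what lets a silent member show up as an alert.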