
Oxide and Friends: Building a Quorum of Trust in the Oxide Rack
Apr 4, 2026. Finch Foner, a cryptography and distributed-systems engineer who implemented the sans-IO protocol core and ZFS plumbing, and Andrew Stone, a systems engineer who led the Trust Quorum design and Shamir-based key management, talk about building a rack root of trust, choosing TLS over SPDM, Shamir secret sharing for disk keys, bootstrap vs full quorum designs, simulator-driven testing, and atomic ZFS key rotation.
AI Snips
Root Of Trust Anchors Sled Identity
- Oxide uses a hardware Root of Trust (ROT) per sled to store private keys and provide an unforgeable identity for mutual authentication.
- In manufacturing the ROT generates a keypair, sends a CSR to an online signer, and receives an injected cert tying serial and public key to the board.
Choose TLS Then Layer Attestations
- The team pivoted from implementing SPDM to using TLS for channel establishment and layering attestations separately.
- SPDM coupled attestation and channel keys in ways that conflicted with Oxide's desire for separate keys and simpler timing, so they used TLS plus a CoRIM attestation manifest.
Quorum Lets Racks Boot Without A Password
- Trust Quorum exists mainly to allow autonomous cold-boot decryption of disk pools without an operator present.
- They split a rack secret into Shamir shares stored on sled-local M.2s so multiple sleds must cooperate to derive disk keys and decrypt U.2 drives.
