Space Fabric: A Satellite-Enhanced Trusted Execution Architecture

TL;DR

Space Fabric introduces a satellite-based trusted execution architecture that enhances security and trust in orbital computing by leveraging physical inaccessibility, distributed secure elements, and a Byzantine-tolerant endorsement protocol.

Contribution

It relocates the trusted computing stack to satellites, enabling post-launch secure attestation without pre-provisioned secrets or vendor dependence, and implements a novel endorsement protocol.

Findings

Successfully implemented on USB Armory Mk II with ARM TrustZone

End-to-end attestation verified using Veraison

Security analysis confirms robustness against strong adversaries

Abstract

The emergence of decentralized satellite networks creates a pressing need for trust architectures that operate without physical access to hardware, without pre-provisioned vendor secrets, and without dependence on a single manufacturer's attestation service. Terrestrial TEEs are insufficient: hardware-based designs are susceptible to physical attacks, and most platforms root their attestation chains in secrets provisioned during manufacturing, creating a pre-launch trust window and single-vendor dependency that cannot be independently audited. We present Space Fabric, an architecture that provides the missing trust foundation for orbital computing by relocating the trusted computing stack to satellite infrastructure, exploiting post-launch physical inaccessibility as a tamper barrier unattainable by terrestrial deployments. Our Satellite Execution Assurance Protocol binds workload execution to a specific satellite via a Byzantine-tolerant endorsement quorum of distributed ground stations, certifying not only \emph{what} executes inside the TEE but also \emph{where}. All cryptographic secrets are generated within co-located secure elements after launch, with no signing keys accessible on Earth at any point. To reduce single-vendor dependence, Space Fabric distributes its trust anchor across two independent secure elements, an NXP SE050 and a TROPIC01, both of which must co-sign attestation evidence. We implement Space Fabric on a USB Armory Mk II with ARM TrustZone, verify attestation end-to-end using Veraison, and provide a security analysis with satisfaction arguments and impossibility bounds under a strong adaptive adversary.