Space Fabric: A Satellite-Enhanced Trusted Execution Architecture
Filip Rezabek, Dahlia Malkhi, Amir Yahalom
Abstract
The emergence of decentralized satellite networks creates a pressing need for trust architectures that operate without physical access to hardware, without pre-provisioned vendor secrets, and without dependence on a single manufacturer's attestation service. Terrestrial TEEs are insufficient: hardware-based designs are susceptible to physical attacks, and most platforms root their attestation chains in secrets provisioned during manufacturing, creating a pre-launch trust window and single-vendor dependency that cannot be independently audited. We present Space Fabric, an architecture that provides the missing trust foundation for orbital computing by relocating the trusted computing stack to satellite infrastructure, exploiting post-launch physical inaccessibility as a tamper barrier unattainable by terrestrial deployments. Our Satellite Execution Assurance Protocol binds workload execution to a specific satellite via a Byzantine-tolerant endorsement quorum of distributed ground stations, certifying not only \emph{what} executes inside the TEE but also \emph{where}. All cryptographic secrets are generated within co-located secure elements after launch, with no signing keys accessible on Earth at any point. To reduce single-vendor dependence, Space Fabric distributes its trust anchor across two independent secure elements, an NXP SE050 and a TROPIC01, both of which must co-sign attestation evidence. We implement Space Fabric on a USB Armory Mk II with ARM TrustZone, verify attestation end-to-end using Veraison, and provide a security analysis with satisfaction arguments and impossibility bounds under a strong adaptive adversary.