Skip to content

Commit

Permalink
[Add] projects/web3
Browse files Browse the repository at this point in the history
  • Loading branch information
DemesneGH committed Sep 13, 2024
1 parent 19d9ab8 commit bea0838
Show file tree
Hide file tree
Showing 26 changed files with 2,695 additions and 0 deletions.
12 changes: 12 additions & 0 deletions projects/README.md
Original file line number Diff line number Diff line change
@@ -0,0 +1,12 @@
# Projects in Multiple Scenarios

Since there are many scenarios where TEEs (Trusted Execution Environments) provide critical security solutions, the Teaclave TrustZone SDK can be leveraged to implement use cases such as Web3 private key protection and AI model protection.

In the `project/`, we demonstrate real-world scenarios and offer essential primitives to help developers build secure applications tailored to their needs.

Currently, we have included one scenario, and we plan to add more in the future as we expand the project.

- **Web3 Private Key Protection**: AVAILABLE in `web3/`:

This provides a basic Web3 wallet implementation with security features such as attestation and multi-factor confirmation to ensure secure key management.

29 changes: 29 additions & 0 deletions projects/web3/README.md
Original file line number Diff line number Diff line change
@@ -0,0 +1,29 @@
# Reference Implementation Examples for Web3 Trusted Application

Teaclave TrustZone SDK enables developers to write Trusted Applications (TAs) in Rust, offering a memory-safe environment for secure application development. Many of the examples in this repo are ported from OP-TEE C examples. However, thanks to Rust's robust crate ecosystem and the support for Rust-std in Teaclave TrustZone SDK, developers can now create more functional and secure TAs. These applications are designed to protect confidential information while maintaining Rust's inherent memory safety.

A particularly relevant scenario is in Web3, where private key protection is critical for securing on-chain identities and assets. In this context, TAs can protect the entire lifecycle of Web3 credentials, such as those used in self-custody wallets or validator signing key protection. In DePIN, TAs provide security for device attestation to mitigate Sybil device threats. This, for instance, allows safe airdropping to trusted devices, ensuring only verified devices are eligible.

This directory contains a collection of reference implementations of TAs, specifically tailored for Web3 use cases. These examples demonstrate how to use Rust within TrustZone to support basic Web3 use cases. We will gradually open-source each of them as reference implementation example as Web3 TA. Web3 builders can leverage these examples to integrate secure functionalities into their projects, particularly in environments where OP-TEE and TrustZone technologies are employed.

## Basic Web3 Wallet
AVAILABLE in [eth-wallet/](./eth-wallet)

A wallet abstraction featuring key functionalities like secure key management and transaction signing. The key management includes secure seed generation, mnemonic derivation, and safe key storage within external TEE-protected environments. For transaction signing, we demonstrate how to securely sign an Ethereum transaction using wallet-derived keys inside the TEE, ensuring the private keys never leave the trusted environment.

## X509 Certificate Signing & Verification
Status: To Be Released

Basic Public Key Infrastructure (PKI) primitives that securely issue self-signed certificates and verify externally provided leaf certificates through a trusted certificate store. The Trusted Application (TA) running inside the TEE is responsible for securely generating key pairs and issuing self-signed certificates, used for identity verification in secure communications. It also handles the verification of certificates provided by external entities, ensuring their validity by cross-referencing them with a secure certificate store within the TEE. This primitive is particularly useful for establishing trusted communication channels between nodes, validators, or devices in Web3 environments, where trust and identity verification are critical for decentralized interactions.

## Remote Attestation
Status: To Be Released

A foundational primitive used to remotely attest the authenticity of a Trusted Application (TA), ensuring it is indeed running in a Trusted Execution Environment (TEE). This primitive leverages TLS and X509 PKI to establish a secure communication channel. During the TLS handshake, the TA generates an attestation report, which can be signed using its private key within the TEE. The remote party then verifies this report, confirming the TA’s integrity and the secure execution environment. In Web3 scenarios, remote attestation ensures that only trusted devices and applications can participate in sensitive operations, such as airdrop or validator duties. This guarantees the authenticity and trustworthiness of participants in decentralized systems, mitigating risks like Sybil attacks and unauthorized access.

## Multi-Factor Authentication (MFA)
Status: To Be Released

In Web3, ensuring explicit user confirmation through a trusted channel is a challenging task. This example demonstrates how to implement MFA mechanisms by securely provisioning the public keys of trusted MFA devices (e.g., the user’s cellphone) within the Trusted Application (TA). When a high-risk operation, such as key usage or transaction signing, requires user confirmation, the TA can verify the details confirmed by the user via the trusted MFA device, without relying on any third party. This empowers Web3 builders to create more secure, decentralized systems where user interactions are reliably authenticated for critical tasks like transaction signing or private key access.


24 changes: 24 additions & 0 deletions projects/web3/eth_wallet/Makefile
Original file line number Diff line number Diff line change
@@ -0,0 +1,24 @@
# Licensed to the Apache Software Foundation (ASF) under one
# or more contributor license agreements. See the NOTICE file
# distributed with this work for additional information
# regarding copyright ownership. The ASF licenses this file
# to you under the Apache License, Version 2.0 (the
# "License"); you may not use this file except in compliance
# with the License. You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing,
# software distributed under the License is distributed on an
# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
# KIND, either express or implied. See the License for the
# specific language governing permissions and limitations
# under the License.

all:
@make -s -C host
@make -s -C ta

clean:
@make -s -C host clean
@make -s -C ta clean
173 changes: 173 additions & 0 deletions projects/web3/eth_wallet/README.md
Original file line number Diff line number Diff line change
@@ -0,0 +1,173 @@
# Eth-Wallet: A Sample Trusted Application for Wallet Abstraction and Transaction Signing

This repository provides a reference implementation of an Ethereum wallet as a Trusted Application (TA) written in Rust. The primary goal is to ensure that secret credentials (such as private keys) remain securely within the Trusted Execution Environment (TEE) throughout their entire lifecycle, enhancing security and privacy for Ethereum-based operations.
This reference implementation can be extended to support additional wallet features or adapted to other blockchain platforms with similar requirements for secure key management.
The implementation provides basic wallet abstractions, including:
- Key Generation: Securely generating random seeds within the TEE.
- Key Derivation: Deriving keys from seeds within the TEE.
- Key Persistency: Storing cryptographic keys securely in the TEE.
- Transaction Signing: Signing Ethereum transactions without exposing private keys to the normal world.
- Key Erase: Erasing keys when they are no longer needed.

## Structure
- [TA](./ta): The Trusted Application (TA) that performs all secure operations related to the wallet. This component runs within the TrustZone TEE, ensuring that secret credentials never leave the secure environment.
- [CA](./host): The Client Application (CA) that runs in the normal world and communicates with the TA. It is responsible for user interaction and non-sensitive operations.
- [Proto](./proto): Contains shared structures and definitions used by both the TA and CA to facilitate communication between the two environments.

## Setup

To set up the environment, follow the instructions in the
[Apache Teaclave TrustZone SDK README](https://github.com/apache/incubator-teaclave-trustzone-sdk/blob/master/README.md).

## Functionalities

- **Create Wallet**: Generate a new Ethereum wallet with a unique ID.
- **Derive Address**: Derive an Ethereum address from a wallet.
- **Sign Transaction**: Sign Ethereum transactions securely within the TEE.
- **Remove Wallet**: Delete a wallet and its associated keys from the TEE.

## Usage

### Build
```
$ cd projects/eth_wallet-rs
$ make
```

### Run

After QEMU boots:

```bash
Welcome to Buildroot, type root or test to login
buildroot login: root
# mkdir shared && mount -t 9p -o trans=virtio host shared
# cd shared/
# ls
be2dc9a0-02b4-4b33-ba21-9964dbdf1573.ta
eth_wallet-rs
# cp be2dc9a0-02b4-4b33-ba21-9964dbdf1573.ta /lib/optee_armtz/
# ./eth_wallet-rs
```

### Command-Line Interface

```bash
A simple Ethereum wallet based on TEE

USAGE:
eth_wallet-rs <SUBCOMMAND>

FLAGS:
-h, --help Prints help information
-V, --version Prints version information

SUBCOMMANDS:
create-wallet Create a new wallet
derive-address Derive an address from a wallet
help Prints this message or the help of the given subcommand(s)
remove-wallet Remove a wallet
sign-transaction Sign a transaction
```

## Example Commands

### Create a Wallet

```bash
# ./eth_wallet-rs create-wallet
```

**CA Output:**

```text
CA: command: CreateWallet
CA: invoke_command success
Wallet ID: aa5798a1-3c89-4708-b316-712aea4f59e2
```

**TA Output:**

```text
[+] TA create
[+] TA open session
[+] TA invoke command
[+] Wallet created: Wallet { id: aa5798a1-3c89-4708-b316-712aea4f59e2, entropy: [...] }
[+] Wallet ID: aa5798a1-3c89-4708-b316-712aea4f59e2
[+] Wallet saved in secure storage
```

### Derive an Address

```bash
# ./eth_wallet-rs derive-address -w aa5798a1-3c89-4708-b316-712aea4f59e2
```

**CA Output:**

```text
CA: command: DeriveAddress
CA: invoke_command success
Address: 0x7ca2b64a29bbf7a77bf8a3187ab09f50413826ea
Public key: 03e1289e07eca6fe47c4825ea52f7cd27e3143ac5d65d5842aa5f59b5eba2d58df
```

**TA Output:**

```text
[+] TA invoke command
[+] Deriving address: secure object loaded
[+] Wallet::derive_pub_key(): pub key: "xpub6FhY8TmVeQ6Yo5ViNX6LK3mM66nMJDe4ZumHmznLNRkK2wEhGoEjaossvKmjgETpFHNGs9CFjUS7HK1un9Djzw9jfsukyNxu53b87abRJUv"
[+] Wallet::derive_pub_key(): non-extended pub key: 03e1289e07eca6fe47c4825ea52f7cd27e3143ac5d65d5842aa5f59b5eba2d58df
[+] Wallet::derive_address(): address: [124, 162, 182, 74, 41, 187, 247, 167, 123, 248, 163, 24, 122, 176, 159, 80, 65, 56, 38, 234]
[+] Deriving address: address: [124, 162, 182, 74, 41, 187, 247, 167, 123, 248, 163, 24, 122, 176, 159, 80, 65, 56, 38, 234]
[+] Deriving address: public key: [3, 225, 40, 158, 7, 236, 166, 254, 71, 196, 130, 94, 165, 47, 124, 210, 126, 49, 67, 172, 93, 101, 213, 132, 42, 165, 245, 155, 94, 186, 45, 88, 223]
```

### Sign a Transaction

```bash
# ./eth_wallet-rs sign-transaction -t 0xc0ffee254729296a45a3885639AC7E10F9d54979 -v 100 -w aa5798a1-3c89-4708-b316-712aea4f59e2
```

**CA Output:**

```text
CA: command: SignTransaction
CA: invoke_command success
Signature: "f86380843b9aca0082520894c0ffee254729296a45a3885639ac7e10f9d5497964802ea0774fc5a364c3d7e3f4e039f8da96b66fb0a5d51cad7524e54a0c9013fb473304a033922ecf964f02c6ebdd7380bc86fe759b65c87dc9e09677d983622e35334931"
```

**TA Output:**

```text
[+] TA invoke command
[+] Sign transaction: secure object loaded
[+] Wallet::derive_prv_key() finished
[+] sign_transaction: signed transaction bytes: [248, 99, 128, 132, 59, 154, 202, 0, 130, 82, 8, 148, 192, 255, 238, 37, 71, 41, 41, 106, 69, 163, 136, 86, 57, 172, 126, 16, 249, 213, 73, 121, 100, 128, 46, 160, 119, 79, 197, 163, 100, 195, 215, 227, 244, 224, 57, 248, 218, 150, 182, 111, 176, 165, 213, 28, 173, 117, 36, 229, 74, 12, 144, 19, 251, 71, 51, 4, 160, 51, 146, 46, 207, 150, 79, 2, 198, 235, 221, 115, 128, 188, 134, 254, 117, 155, 101, 200, 125, 201, 224, 150, 119, 217, 131, 98, 46, 53, 51, 73, 49]
[+] Sign transaction: signature: [248, 99, 128, 132, 59, 154, 202, 0, 130, 82, 8, 148, 192, 255, 238, 37, 71, 41, 41, 106, 69, 163, 136, 86, 57, 172, 126, 16, 249, 213, 73, 121, 100, 128, 46, 160, 119, 79, 197, 163, 100, 195, 215, 227, 244, 224, 57, 248, 218, 150
, 182, 111, 176, 165, 213, 28, 173, 117, 36, 229, 74, 12, 144, 19, 251, 71, 51, 4, 160, 51, 146, 46, 207, 150, 79, 2, 198, 235, 221, 115, 128, 188, 134, 254, 117, 155, 101, 200, 125, 201, 224, 150, 119, 217, 131, 98, 46, 53, 51, 73, 49]
```

### Remove a Wallet

```bash
# ./eth_wallet-rs remove-wallet -w aa5798a1-3c89-4708-b316-712aea4f59e2
```

**CA Output:**

```text
CA: command: RemoveWallet
CA: invoke_command success
Wallet removed
```

**TA Output:**

```text
[+] TA invoke command
[+] Removing wallet: secure object loaded
[+] Wallet removed from secure storage
```
Loading

0 comments on commit bea0838

Please sign in to comment.