-
Notifications
You must be signed in to change notification settings - Fork 62
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
- Loading branch information
Showing
26 changed files
with
2,695 additions
and
0 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,12 @@ | ||
# Projects in Multiple Scenarios | ||
|
||
Since there are many scenarios where TEEs (Trusted Execution Environments) provide critical security solutions, the Teaclave TrustZone SDK can be leveraged to implement use cases such as Web3 private key protection and AI model protection. | ||
|
||
In the `project/`, we demonstrate real-world scenarios and offer essential primitives to help developers build secure applications tailored to their needs. | ||
|
||
Currently, we have included one scenario, and we plan to add more in the future as we expand the project. | ||
|
||
- **Web3 Private Key Protection**: AVAILABLE in `web3/`: | ||
|
||
This provides a basic Web3 wallet implementation with security features such as attestation and multi-factor confirmation to ensure secure key management. | ||
|
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,29 @@ | ||
# Reference Implementation Examples for Web3 Trusted Application | ||
|
||
Teaclave TrustZone SDK enables developers to write Trusted Applications (TAs) in Rust, offering a memory-safe environment for secure application development. Many of the examples in this repo are ported from OP-TEE C examples. However, thanks to Rust's robust crate ecosystem and the support for Rust-std in Teaclave TrustZone SDK, developers can now create more functional and secure TAs. These applications are designed to protect confidential information while maintaining Rust's inherent memory safety. | ||
|
||
A particularly relevant scenario is in Web3, where private key protection is critical for securing on-chain identities and assets. In this context, TAs can protect the entire lifecycle of Web3 credentials, such as those used in self-custody wallets or validator signing key protection. In DePIN, TAs provide security for device attestation to mitigate Sybil device threats. This, for instance, allows safe airdropping to trusted devices, ensuring only verified devices are eligible. | ||
|
||
This directory contains a collection of reference implementations of TAs, specifically tailored for Web3 use cases. These examples demonstrate how to use Rust within TrustZone to support basic Web3 use cases. We will gradually open-source each of them as reference implementation example as Web3 TA. Web3 builders can leverage these examples to integrate secure functionalities into their projects, particularly in environments where OP-TEE and TrustZone technologies are employed. | ||
|
||
## Basic Web3 Wallet | ||
AVAILABLE in [eth-wallet/](./eth-wallet) | ||
|
||
A wallet abstraction featuring key functionalities like secure key management and transaction signing. The key management includes secure seed generation, mnemonic derivation, and safe key storage within external TEE-protected environments. For transaction signing, we demonstrate how to securely sign an Ethereum transaction using wallet-derived keys inside the TEE, ensuring the private keys never leave the trusted environment. | ||
|
||
## X509 Certificate Signing & Verification | ||
Status: To Be Released | ||
|
||
Basic Public Key Infrastructure (PKI) primitives that securely issue self-signed certificates and verify externally provided leaf certificates through a trusted certificate store. The Trusted Application (TA) running inside the TEE is responsible for securely generating key pairs and issuing self-signed certificates, used for identity verification in secure communications. It also handles the verification of certificates provided by external entities, ensuring their validity by cross-referencing them with a secure certificate store within the TEE. This primitive is particularly useful for establishing trusted communication channels between nodes, validators, or devices in Web3 environments, where trust and identity verification are critical for decentralized interactions. | ||
|
||
## Remote Attestation | ||
Status: To Be Released | ||
|
||
A foundational primitive used to remotely attest the authenticity of a Trusted Application (TA), ensuring it is indeed running in a Trusted Execution Environment (TEE). This primitive leverages TLS and X509 PKI to establish a secure communication channel. During the TLS handshake, the TA generates an attestation report, which can be signed using its private key within the TEE. The remote party then verifies this report, confirming the TA’s integrity and the secure execution environment. In Web3 scenarios, remote attestation ensures that only trusted devices and applications can participate in sensitive operations, such as airdrop or validator duties. This guarantees the authenticity and trustworthiness of participants in decentralized systems, mitigating risks like Sybil attacks and unauthorized access. | ||
|
||
## Multi-Factor Authentication (MFA) | ||
Status: To Be Released | ||
|
||
In Web3, ensuring explicit user confirmation through a trusted channel is a challenging task. This example demonstrates how to implement MFA mechanisms by securely provisioning the public keys of trusted MFA devices (e.g., the user’s cellphone) within the Trusted Application (TA). When a high-risk operation, such as key usage or transaction signing, requires user confirmation, the TA can verify the details confirmed by the user via the trusted MFA device, without relying on any third party. This empowers Web3 builders to create more secure, decentralized systems where user interactions are reliably authenticated for critical tasks like transaction signing or private key access. | ||
|
||
|
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,24 @@ | ||
# Licensed to the Apache Software Foundation (ASF) under one | ||
# or more contributor license agreements. See the NOTICE file | ||
# distributed with this work for additional information | ||
# regarding copyright ownership. The ASF licenses this file | ||
# to you under the Apache License, Version 2.0 (the | ||
# "License"); you may not use this file except in compliance | ||
# with the License. You may obtain a copy of the License at | ||
# | ||
# http://www.apache.org/licenses/LICENSE-2.0 | ||
# | ||
# Unless required by applicable law or agreed to in writing, | ||
# software distributed under the License is distributed on an | ||
# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY | ||
# KIND, either express or implied. See the License for the | ||
# specific language governing permissions and limitations | ||
# under the License. | ||
|
||
all: | ||
@make -s -C host | ||
@make -s -C ta | ||
|
||
clean: | ||
@make -s -C host clean | ||
@make -s -C ta clean |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,173 @@ | ||
# Eth-Wallet: A Sample Trusted Application for Wallet Abstraction and Transaction Signing | ||
|
||
This repository provides a reference implementation of an Ethereum wallet as a Trusted Application (TA) written in Rust. The primary goal is to ensure that secret credentials (such as private keys) remain securely within the Trusted Execution Environment (TEE) throughout their entire lifecycle, enhancing security and privacy for Ethereum-based operations. | ||
This reference implementation can be extended to support additional wallet features or adapted to other blockchain platforms with similar requirements for secure key management. | ||
The implementation provides basic wallet abstractions, including: | ||
- Key Generation: Securely generating random seeds within the TEE. | ||
- Key Derivation: Deriving keys from seeds within the TEE. | ||
- Key Persistency: Storing cryptographic keys securely in the TEE. | ||
- Transaction Signing: Signing Ethereum transactions without exposing private keys to the normal world. | ||
- Key Erase: Erasing keys when they are no longer needed. | ||
|
||
## Structure | ||
- [TA](./ta): The Trusted Application (TA) that performs all secure operations related to the wallet. This component runs within the TrustZone TEE, ensuring that secret credentials never leave the secure environment. | ||
- [CA](./host): The Client Application (CA) that runs in the normal world and communicates with the TA. It is responsible for user interaction and non-sensitive operations. | ||
- [Proto](./proto): Contains shared structures and definitions used by both the TA and CA to facilitate communication between the two environments. | ||
|
||
## Setup | ||
|
||
To set up the environment, follow the instructions in the | ||
[Apache Teaclave TrustZone SDK README](https://github.com/apache/incubator-teaclave-trustzone-sdk/blob/master/README.md). | ||
|
||
## Functionalities | ||
|
||
- **Create Wallet**: Generate a new Ethereum wallet with a unique ID. | ||
- **Derive Address**: Derive an Ethereum address from a wallet. | ||
- **Sign Transaction**: Sign Ethereum transactions securely within the TEE. | ||
- **Remove Wallet**: Delete a wallet and its associated keys from the TEE. | ||
|
||
## Usage | ||
|
||
### Build | ||
``` | ||
$ cd projects/eth_wallet-rs | ||
$ make | ||
``` | ||
|
||
### Run | ||
|
||
After QEMU boots: | ||
|
||
```bash | ||
Welcome to Buildroot, type root or test to login | ||
buildroot login: root | ||
# mkdir shared && mount -t 9p -o trans=virtio host shared | ||
# cd shared/ | ||
# ls | ||
be2dc9a0-02b4-4b33-ba21-9964dbdf1573.ta | ||
eth_wallet-rs | ||
# cp be2dc9a0-02b4-4b33-ba21-9964dbdf1573.ta /lib/optee_armtz/ | ||
# ./eth_wallet-rs | ||
``` | ||
|
||
### Command-Line Interface | ||
|
||
```bash | ||
A simple Ethereum wallet based on TEE | ||
|
||
USAGE: | ||
eth_wallet-rs <SUBCOMMAND> | ||
|
||
FLAGS: | ||
-h, --help Prints help information | ||
-V, --version Prints version information | ||
|
||
SUBCOMMANDS: | ||
create-wallet Create a new wallet | ||
derive-address Derive an address from a wallet | ||
help Prints this message or the help of the given subcommand(s) | ||
remove-wallet Remove a wallet | ||
sign-transaction Sign a transaction | ||
``` | ||
|
||
## Example Commands | ||
|
||
### Create a Wallet | ||
|
||
```bash | ||
# ./eth_wallet-rs create-wallet | ||
``` | ||
|
||
**CA Output:** | ||
|
||
```text | ||
CA: command: CreateWallet | ||
CA: invoke_command success | ||
Wallet ID: aa5798a1-3c89-4708-b316-712aea4f59e2 | ||
``` | ||
|
||
**TA Output:** | ||
|
||
```text | ||
[+] TA create | ||
[+] TA open session | ||
[+] TA invoke command | ||
[+] Wallet created: Wallet { id: aa5798a1-3c89-4708-b316-712aea4f59e2, entropy: [...] } | ||
[+] Wallet ID: aa5798a1-3c89-4708-b316-712aea4f59e2 | ||
[+] Wallet saved in secure storage | ||
``` | ||
|
||
### Derive an Address | ||
|
||
```bash | ||
# ./eth_wallet-rs derive-address -w aa5798a1-3c89-4708-b316-712aea4f59e2 | ||
``` | ||
|
||
**CA Output:** | ||
|
||
```text | ||
CA: command: DeriveAddress | ||
CA: invoke_command success | ||
Address: 0x7ca2b64a29bbf7a77bf8a3187ab09f50413826ea | ||
Public key: 03e1289e07eca6fe47c4825ea52f7cd27e3143ac5d65d5842aa5f59b5eba2d58df | ||
``` | ||
|
||
**TA Output:** | ||
|
||
```text | ||
[+] TA invoke command | ||
[+] Deriving address: secure object loaded | ||
[+] Wallet::derive_pub_key(): pub key: "xpub6FhY8TmVeQ6Yo5ViNX6LK3mM66nMJDe4ZumHmznLNRkK2wEhGoEjaossvKmjgETpFHNGs9CFjUS7HK1un9Djzw9jfsukyNxu53b87abRJUv" | ||
[+] Wallet::derive_pub_key(): non-extended pub key: 03e1289e07eca6fe47c4825ea52f7cd27e3143ac5d65d5842aa5f59b5eba2d58df | ||
[+] Wallet::derive_address(): address: [124, 162, 182, 74, 41, 187, 247, 167, 123, 248, 163, 24, 122, 176, 159, 80, 65, 56, 38, 234] | ||
[+] Deriving address: address: [124, 162, 182, 74, 41, 187, 247, 167, 123, 248, 163, 24, 122, 176, 159, 80, 65, 56, 38, 234] | ||
[+] Deriving address: public key: [3, 225, 40, 158, 7, 236, 166, 254, 71, 196, 130, 94, 165, 47, 124, 210, 126, 49, 67, 172, 93, 101, 213, 132, 42, 165, 245, 155, 94, 186, 45, 88, 223] | ||
``` | ||
|
||
### Sign a Transaction | ||
|
||
```bash | ||
# ./eth_wallet-rs sign-transaction -t 0xc0ffee254729296a45a3885639AC7E10F9d54979 -v 100 -w aa5798a1-3c89-4708-b316-712aea4f59e2 | ||
``` | ||
|
||
**CA Output:** | ||
|
||
```text | ||
CA: command: SignTransaction | ||
CA: invoke_command success | ||
Signature: "f86380843b9aca0082520894c0ffee254729296a45a3885639ac7e10f9d5497964802ea0774fc5a364c3d7e3f4e039f8da96b66fb0a5d51cad7524e54a0c9013fb473304a033922ecf964f02c6ebdd7380bc86fe759b65c87dc9e09677d983622e35334931" | ||
``` | ||
|
||
**TA Output:** | ||
|
||
```text | ||
[+] TA invoke command | ||
[+] Sign transaction: secure object loaded | ||
[+] Wallet::derive_prv_key() finished | ||
[+] sign_transaction: signed transaction bytes: [248, 99, 128, 132, 59, 154, 202, 0, 130, 82, 8, 148, 192, 255, 238, 37, 71, 41, 41, 106, 69, 163, 136, 86, 57, 172, 126, 16, 249, 213, 73, 121, 100, 128, 46, 160, 119, 79, 197, 163, 100, 195, 215, 227, 244, 224, 57, 248, 218, 150, 182, 111, 176, 165, 213, 28, 173, 117, 36, 229, 74, 12, 144, 19, 251, 71, 51, 4, 160, 51, 146, 46, 207, 150, 79, 2, 198, 235, 221, 115, 128, 188, 134, 254, 117, 155, 101, 200, 125, 201, 224, 150, 119, 217, 131, 98, 46, 53, 51, 73, 49] | ||
[+] Sign transaction: signature: [248, 99, 128, 132, 59, 154, 202, 0, 130, 82, 8, 148, 192, 255, 238, 37, 71, 41, 41, 106, 69, 163, 136, 86, 57, 172, 126, 16, 249, 213, 73, 121, 100, 128, 46, 160, 119, 79, 197, 163, 100, 195, 215, 227, 244, 224, 57, 248, 218, 150 | ||
, 182, 111, 176, 165, 213, 28, 173, 117, 36, 229, 74, 12, 144, 19, 251, 71, 51, 4, 160, 51, 146, 46, 207, 150, 79, 2, 198, 235, 221, 115, 128, 188, 134, 254, 117, 155, 101, 200, 125, 201, 224, 150, 119, 217, 131, 98, 46, 53, 51, 73, 49] | ||
``` | ||
|
||
### Remove a Wallet | ||
|
||
```bash | ||
# ./eth_wallet-rs remove-wallet -w aa5798a1-3c89-4708-b316-712aea4f59e2 | ||
``` | ||
|
||
**CA Output:** | ||
|
||
```text | ||
CA: command: RemoveWallet | ||
CA: invoke_command success | ||
Wallet removed | ||
``` | ||
|
||
**TA Output:** | ||
|
||
```text | ||
[+] TA invoke command | ||
[+] Removing wallet: secure object loaded | ||
[+] Wallet removed from secure storage | ||
``` |
Oops, something went wrong.