Skip to content

Commit

Permalink
projects: add basic eth wallet demo
Browse files Browse the repository at this point in the history
  • Loading branch information
DemesneGH committed Nov 26, 2024
1 parent eb1ea70 commit c9b4187
Show file tree
Hide file tree
Showing 21 changed files with 1,382 additions and 0 deletions.
47 changes: 47 additions & 0 deletions projects/README.md
Original file line number Diff line number Diff line change
@@ -0,0 +1,47 @@
# Projects in Multiple Scenarios

Trusted Execution Environments (TEEs) play a vital role in providing critical
security solutions across various scenarios. The Teaclave TrustZone SDK
empowers developers to implement robust use cases such as Web3 private key
protection, authentication, and more.

The `projects/` directory showcases real-world scenarios and essential
primitives designed to help developers build secure applications tailored to
their needs.

Currently, we have released a Web3-focused scenario, with plans to expand the
project and introduce more use cases in the future.

## Available Scenarios

- **Web3**:
Available in `projects/web3/`, this scenario offers utilities for Web3
development, such as key custodians and decentralized identifiers (DIDs). It
currently includes a basic Ethereum wallet that demonstrates how to securely
create a wallet and sign transactions using wallet-derived keys within the
TEE.

## Upcoming Scenarios

- **X509 Certificate Signing & Verification**:
This scenario provides foundational Public Key Infrastructure (PKI)
primitives for securely issuing self-signed certificates and verifying
externally provided leaf certificates using a trusted certificate store.
The Trusted Application (TA) inside the TEE handles secure key pair
generation and certificate issuance, facilitating identity verification for
secure communications. This primitive is particularly valuable for
establishing trusted communication channels between nodes or devices.

- **Remote Attestation**:
This foundational primitive enables remote attestation of a Trusted
Application (TA) to ensure it is running within a Trusted Execution
Environment (TEE). It utilizes TLS and X509 PKI to establish a secure
communication channel.

- **Multi-Factor Authentication (MFA)**:
This example demonstrates how to implement MFA by securely provisioning the
public keys of trusted MFA devices (e.g., a user’s cellphone) within the
Trusted Application (TA). When high-risk operations like key usage or
transaction signing require user confirmation, the TA securely verifies
user-provided details via the trusted MFA device, eliminating reliance on
third-party services.
39 changes: 39 additions & 0 deletions projects/web3/README.md
Original file line number Diff line number Diff line change
@@ -0,0 +1,39 @@
# Reference Implementation Examples for Web3 Trusted Applications

Teaclave TrustZone SDK allows developers to create Trusted Applications
(TAs) in Rust, offering a memory-safe and secure environment. Many examples
in this repository are ported from OP-TEE C examples. With Rust's ecosystem
and support for Rust-std in Teaclave TrustZone SDK, developers can build
secure TAs to protect confidential information.

In Web3, private key protection is vital for securing on-chain identities and
assets. TAs safeguard the entire lifecycle of Web3 credentials used in wallets
or validator key protection. In DePIN, TAs enable secure device attestation,
helping to prevent Sybil attacks.

This directory contains a collection of reference implementations of TAs,
specifically tailored for Web3 use cases. These examples demonstrate how
to use Rust within TrustZone to support basic Web3 use cases. We will
gradually open-source each of them as reference implementation examples
for Web3 TAs. Web3 builders can leverage these examples to integrate secure
functionalities into their projects, particularly in environments where OP-TEE
and TrustZone technologies are employed.

## Basic Web3 Wallet
**AVAILABLE** in [eth-wallet/](./eth-wallet)

A wallet abstraction featuring key functionalities like secure key management
and transaction signing. The key management includes secure seed generation,
mnemonic derivation, and safe key storage within external TEE-protected
environments. For transaction signing, we demonstrate how to securely sign
an Ethereum transaction using wallet-derived keys inside the TEE, ensuring
the private keys never leave the trusted environment.

## Decentralized Identifier (DID)
**To Be Released**

This example will illustrate how to integrate Decentralized Identifiers (DIDs)
into TAs. DIDs enable self-sovereign identity by proving ownership without
relying on central authorities. Secure key management for creating and
operating DIDs ensures reliable device identification, mitigating the risk of
fake devices in DePIN.
33 changes: 33 additions & 0 deletions projects/web3/eth_wallet/Makefile
Original file line number Diff line number Diff line change
@@ -0,0 +1,33 @@
# Licensed to the Apache Software Foundation (ASF) under one
# or more contributor license agreements. See the NOTICE file
# distributed with this work for additional information
# regarding copyright ownership. The ASF licenses this file
# to you under the Apache License, Version 2.0 (the
# "License"); you may not use this file except in compliance
# with the License. You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing,
# software distributed under the License is distributed on an
# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
# KIND, either express or implied. See the License for the
# specific language governing permissions and limitations
# under the License.

# If _HOST or _TA specific compiler/target are not specified, then use common
# compiler/target for both
CROSS_COMPILE_HOST ?= aarch64-linux-gnu-
CROSS_COMPILE_TA ?= aarch64-linux-gnu-
TARGET_HOST ?= aarch64-unknown-linux-gnu
TARGET_TA ?= aarch64-unknown-linux-gnu

all:
$(q)make -C host TARGET_HOST=$(TARGET_HOST) \
CROSS_COMPILE_HOST=$(CROSS_COMPILE_HOST)
$(q)make -C ta TARGET_TA=$(TARGET_TA) \
CROSS_COMPILE_TA=$(CROSS_COMPILE_TA)

clean:
$(q)make -C host clean
$(q)make -C ta clean
38 changes: 38 additions & 0 deletions projects/web3/eth_wallet/host/Cargo.toml
Original file line number Diff line number Diff line change
@@ -0,0 +1,38 @@
# Licensed to the Apache Software Foundation (ASF) under one
# or more contributor license agreements. See the NOTICE file
# distributed with this work for additional information
# regarding copyright ownership. The ASF licenses this file
# to you under the Apache License, Version 2.0 (the
# "License"); you may not use this file except in compliance
# with the License. You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing,
# software distributed under the License is distributed on an
# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
# KIND, either express or implied. See the License for the
# specific language governing permissions and limitations
# under the License.

[package]
name = "eth_wallet-rs"
version = "0.1.0"
authors = ["Teaclave Contributors <[email protected]>"]
license = "Apache-2.0"
repository = "https://github.com/apache/incubator-teaclave-trustzone-sdk.git"
description = "An example of Rust OP-TEE TrustZone SDK."
edition = "2018"

[dependencies]
proto = { path = "../proto" }
optee-teec = { path = "../../../../optee-teec" }

structopt = "0.3"
bincode = "1.3.3"
anyhow = "1.0"
uuid = { version = "1.8", features = ["serde"] }
hex = { version = "0.4", features = ["serde"] }

[profile.release]
lto = true
41 changes: 41 additions & 0 deletions projects/web3/eth_wallet/host/Makefile
Original file line number Diff line number Diff line change
@@ -0,0 +1,41 @@
# Licensed to the Apache Software Foundation (ASF) under one
# or more contributor license agreements. See the NOTICE file
# distributed with this work for additional information
# regarding copyright ownership. The ASF licenses this file
# to you under the Apache License, Version 2.0 (the
# "License"); you may not use this file except in compliance
# with the License. You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing,
# software distributed under the License is distributed on an
# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
# KIND, either express or implied. See the License for the
# specific language governing permissions and limitations
# under the License.

NAME := eth_wallet-rs

TARGET_HOST ?= aarch64-unknown-linux-gnu
CROSS_COMPILE_HOST ?= aarch64-linux-gnu-
OBJCOPY := $(CROSS_COMPILE_HOST)objcopy
LINKER_CFG := target.$(TARGET_HOST).linker=\"$(CROSS_COMPILE_HOST)gcc\"

OUT_DIR := $(CURDIR)/target/$(TARGET_HOST)/release

ifeq ($(STD),)
all:
@echo "Please `export STD=y` then rerun `source environment` to build the STD version"
else
all: host strip
endif

host:
@cargo build --target $(TARGET_HOST) --release --config $(LINKER_CFG)

strip: host
@$(OBJCOPY) --strip-unneeded $(OUT_DIR)/$(NAME) $(OUT_DIR)/$(NAME)

clean:
@cargo clean
97 changes: 97 additions & 0 deletions projects/web3/eth_wallet/host/src/cli.rs
Original file line number Diff line number Diff line change
@@ -0,0 +1,97 @@
// Licensed to the Apache Software Foundation (ASF) under one
// or more contributor license agreements. See the NOTICE file
// distributed with this work for additional information
// regarding copyright ownership. The ASF licenses this file
// to you under the Apache License, Version 2.0 (the
// "License"); you may not use this file except in compliance
// with the License. You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing,
// software distributed under the License is distributed on an
// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
// KIND, either express or implied. See the License for the
// specific language governing permissions and limitations
// under the License.

use anyhow::{bail, Result};
use structopt::StructOpt;

// decode hex string to [u8; 20]
pub fn decode_hex_to_address(src: &str) -> Result<[u8; 20]> {
// strip the 0x prefix
let src = src.trim_start_matches("0x");
let vec = hex::decode(src)?;
if vec.len() < 20 {
bail!("invalid address length: {}", vec.len());
}
let mut array = [0u8; 20];
array.copy_from_slice(&vec[..20]);
Ok(array)
}

// decode string to uuid
pub fn decode_str_to_uuid(s: &str) -> Result<uuid::Uuid> {
uuid::Uuid::parse_str(s).map_err(|e| e.into())
}

#[derive(Debug, StructOpt)]
pub struct CreateWalletOpt {}

#[derive(Debug, StructOpt)]
pub struct RemoveWalletOpt {
#[structopt(short, long, required = true)]
pub wallet_id: uuid::Uuid,
}

#[derive(Debug, StructOpt)]
pub struct DeriveAddressOpt {
#[structopt(short, long, required = true)]
pub wallet_id: uuid::Uuid,
#[structopt(short, long, required = true, default_value = "m/44'/60'/0'/0/0")]
pub hd_path: String,
}

#[derive(Debug, StructOpt)]
pub struct SignTransactionOpt {
#[structopt(short, long, required = true, parse(try_from_str = decode_str_to_uuid))]
pub wallet_id: uuid::Uuid,
#[structopt(short, long, default_value = "m/44'/60'/0'/0/0")]
pub hd_path: String,
#[structopt(short, long, default_value = "5")]
pub chain_id: u64,
#[structopt(short, long, default_value = "0")]
pub nonce: u128,
#[structopt(short, long, required = true, parse(try_from_str = decode_hex_to_address))]
pub to: [u8; 20],
#[structopt(short, long, required = true)]
pub value: u128,
#[structopt(short = "p", long, default_value = "1000000000")]
pub gas_price: u128,
#[structopt(short, long, default_value = "21000")]
pub gas: u128,
}

#[derive(Debug, StructOpt)]
pub enum Command {
/// Create a new wallet.
#[structopt(name = "create-wallet")]
CreateWallet(CreateWalletOpt),
/// Remove a wallet.
#[structopt(name = "remove-wallet")]
RemoveWallet(RemoveWalletOpt),
/// Derive an address from a wallet.
#[structopt(name = "derive-address")]
DeriveAddress(DeriveAddressOpt),
/// Sign a transaction.
#[structopt(name = "sign-transaction")]
SignTransaction(SignTransactionOpt),
}

#[derive(Debug, StructOpt)]
#[structopt(name = "eth_wallet", about = "A simple Ethereum wallet based on TEE")]
pub struct Opt {
#[structopt(subcommand)]
pub command: Command,
}
Loading

0 comments on commit c9b4187

Please sign in to comment.