-
Notifications
You must be signed in to change notification settings - Fork 62
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
- Loading branch information
Showing
21 changed files
with
1,382 additions
and
0 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,47 @@ | ||
# Projects in Multiple Scenarios | ||
|
||
Trusted Execution Environments (TEEs) play a vital role in providing critical | ||
security solutions across various scenarios. The Teaclave TrustZone SDK | ||
empowers developers to implement robust use cases such as Web3 private key | ||
protection, authentication, and more. | ||
|
||
The `projects/` directory showcases real-world scenarios and essential | ||
primitives designed to help developers build secure applications tailored to | ||
their needs. | ||
|
||
Currently, we have released a Web3-focused scenario, with plans to expand the | ||
project and introduce more use cases in the future. | ||
|
||
## Available Scenarios | ||
|
||
- **Web3**: | ||
Available in `projects/web3/`, this scenario offers utilities for Web3 | ||
development, such as key custodians and decentralized identifiers (DIDs). It | ||
currently includes a basic Ethereum wallet that demonstrates how to securely | ||
create a wallet and sign transactions using wallet-derived keys within the | ||
TEE. | ||
|
||
## Upcoming Scenarios | ||
|
||
- **X509 Certificate Signing & Verification**: | ||
This scenario provides foundational Public Key Infrastructure (PKI) | ||
primitives for securely issuing self-signed certificates and verifying | ||
externally provided leaf certificates using a trusted certificate store. | ||
The Trusted Application (TA) inside the TEE handles secure key pair | ||
generation and certificate issuance, facilitating identity verification for | ||
secure communications. This primitive is particularly valuable for | ||
establishing trusted communication channels between nodes or devices. | ||
|
||
- **Remote Attestation**: | ||
This foundational primitive enables remote attestation of a Trusted | ||
Application (TA) to ensure it is running within a Trusted Execution | ||
Environment (TEE). It utilizes TLS and X509 PKI to establish a secure | ||
communication channel. | ||
|
||
- **Multi-Factor Authentication (MFA)**: | ||
This example demonstrates how to implement MFA by securely provisioning the | ||
public keys of trusted MFA devices (e.g., a user’s cellphone) within the | ||
Trusted Application (TA). When high-risk operations like key usage or | ||
transaction signing require user confirmation, the TA securely verifies | ||
user-provided details via the trusted MFA device, eliminating reliance on | ||
third-party services. |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,39 @@ | ||
# Reference Implementation Examples for Web3 Trusted Applications | ||
|
||
Teaclave TrustZone SDK allows developers to create Trusted Applications | ||
(TAs) in Rust, offering a memory-safe and secure environment. Many examples | ||
in this repository are ported from OP-TEE C examples. With Rust's ecosystem | ||
and support for Rust-std in Teaclave TrustZone SDK, developers can build | ||
secure TAs to protect confidential information. | ||
|
||
In Web3, private key protection is vital for securing on-chain identities and | ||
assets. TAs safeguard the entire lifecycle of Web3 credentials used in wallets | ||
or validator key protection. In DePIN, TAs enable secure device attestation, | ||
helping to prevent Sybil attacks. | ||
|
||
This directory contains a collection of reference implementations of TAs, | ||
specifically tailored for Web3 use cases. These examples demonstrate how | ||
to use Rust within TrustZone to support basic Web3 use cases. We will | ||
gradually open-source each of them as reference implementation examples | ||
for Web3 TAs. Web3 builders can leverage these examples to integrate secure | ||
functionalities into their projects, particularly in environments where OP-TEE | ||
and TrustZone technologies are employed. | ||
|
||
## Basic Web3 Wallet | ||
**AVAILABLE** in [eth-wallet/](./eth-wallet) | ||
|
||
A wallet abstraction featuring key functionalities like secure key management | ||
and transaction signing. The key management includes secure seed generation, | ||
mnemonic derivation, and safe key storage within external TEE-protected | ||
environments. For transaction signing, we demonstrate how to securely sign | ||
an Ethereum transaction using wallet-derived keys inside the TEE, ensuring | ||
the private keys never leave the trusted environment. | ||
|
||
## Decentralized Identifier (DID) | ||
**To Be Released** | ||
|
||
This example will illustrate how to integrate Decentralized Identifiers (DIDs) | ||
into TAs. DIDs enable self-sovereign identity by proving ownership without | ||
relying on central authorities. Secure key management for creating and | ||
operating DIDs ensures reliable device identification, mitigating the risk of | ||
fake devices in DePIN. |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,33 @@ | ||
# Licensed to the Apache Software Foundation (ASF) under one | ||
# or more contributor license agreements. See the NOTICE file | ||
# distributed with this work for additional information | ||
# regarding copyright ownership. The ASF licenses this file | ||
# to you under the Apache License, Version 2.0 (the | ||
# "License"); you may not use this file except in compliance | ||
# with the License. You may obtain a copy of the License at | ||
# | ||
# http://www.apache.org/licenses/LICENSE-2.0 | ||
# | ||
# Unless required by applicable law or agreed to in writing, | ||
# software distributed under the License is distributed on an | ||
# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY | ||
# KIND, either express or implied. See the License for the | ||
# specific language governing permissions and limitations | ||
# under the License. | ||
|
||
# If _HOST or _TA specific compiler/target are not specified, then use common | ||
# compiler/target for both | ||
CROSS_COMPILE_HOST ?= aarch64-linux-gnu- | ||
CROSS_COMPILE_TA ?= aarch64-linux-gnu- | ||
TARGET_HOST ?= aarch64-unknown-linux-gnu | ||
TARGET_TA ?= aarch64-unknown-linux-gnu | ||
|
||
all: | ||
$(q)make -C host TARGET_HOST=$(TARGET_HOST) \ | ||
CROSS_COMPILE_HOST=$(CROSS_COMPILE_HOST) | ||
$(q)make -C ta TARGET_TA=$(TARGET_TA) \ | ||
CROSS_COMPILE_TA=$(CROSS_COMPILE_TA) | ||
|
||
clean: | ||
$(q)make -C host clean | ||
$(q)make -C ta clean |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,38 @@ | ||
# Licensed to the Apache Software Foundation (ASF) under one | ||
# or more contributor license agreements. See the NOTICE file | ||
# distributed with this work for additional information | ||
# regarding copyright ownership. The ASF licenses this file | ||
# to you under the Apache License, Version 2.0 (the | ||
# "License"); you may not use this file except in compliance | ||
# with the License. You may obtain a copy of the License at | ||
# | ||
# http://www.apache.org/licenses/LICENSE-2.0 | ||
# | ||
# Unless required by applicable law or agreed to in writing, | ||
# software distributed under the License is distributed on an | ||
# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY | ||
# KIND, either express or implied. See the License for the | ||
# specific language governing permissions and limitations | ||
# under the License. | ||
|
||
[package] | ||
name = "eth_wallet-rs" | ||
version = "0.1.0" | ||
authors = ["Teaclave Contributors <[email protected]>"] | ||
license = "Apache-2.0" | ||
repository = "https://github.com/apache/incubator-teaclave-trustzone-sdk.git" | ||
description = "An example of Rust OP-TEE TrustZone SDK." | ||
edition = "2018" | ||
|
||
[dependencies] | ||
proto = { path = "../proto" } | ||
optee-teec = { path = "../../../../optee-teec" } | ||
|
||
structopt = "0.3" | ||
bincode = "1.3.3" | ||
anyhow = "1.0" | ||
uuid = { version = "1.8", features = ["serde"] } | ||
hex = { version = "0.4", features = ["serde"] } | ||
|
||
[profile.release] | ||
lto = true |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,41 @@ | ||
# Licensed to the Apache Software Foundation (ASF) under one | ||
# or more contributor license agreements. See the NOTICE file | ||
# distributed with this work for additional information | ||
# regarding copyright ownership. The ASF licenses this file | ||
# to you under the Apache License, Version 2.0 (the | ||
# "License"); you may not use this file except in compliance | ||
# with the License. You may obtain a copy of the License at | ||
# | ||
# http://www.apache.org/licenses/LICENSE-2.0 | ||
# | ||
# Unless required by applicable law or agreed to in writing, | ||
# software distributed under the License is distributed on an | ||
# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY | ||
# KIND, either express or implied. See the License for the | ||
# specific language governing permissions and limitations | ||
# under the License. | ||
|
||
NAME := eth_wallet-rs | ||
|
||
TARGET_HOST ?= aarch64-unknown-linux-gnu | ||
CROSS_COMPILE_HOST ?= aarch64-linux-gnu- | ||
OBJCOPY := $(CROSS_COMPILE_HOST)objcopy | ||
LINKER_CFG := target.$(TARGET_HOST).linker=\"$(CROSS_COMPILE_HOST)gcc\" | ||
|
||
OUT_DIR := $(CURDIR)/target/$(TARGET_HOST)/release | ||
|
||
ifeq ($(STD),) | ||
all: | ||
@echo "Please `export STD=y` then rerun `source environment` to build the STD version" | ||
else | ||
all: host strip | ||
endif | ||
|
||
host: | ||
@cargo build --target $(TARGET_HOST) --release --config $(LINKER_CFG) | ||
|
||
strip: host | ||
@$(OBJCOPY) --strip-unneeded $(OUT_DIR)/$(NAME) $(OUT_DIR)/$(NAME) | ||
|
||
clean: | ||
@cargo clean |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,97 @@ | ||
// Licensed to the Apache Software Foundation (ASF) under one | ||
// or more contributor license agreements. See the NOTICE file | ||
// distributed with this work for additional information | ||
// regarding copyright ownership. The ASF licenses this file | ||
// to you under the Apache License, Version 2.0 (the | ||
// "License"); you may not use this file except in compliance | ||
// with the License. You may obtain a copy of the License at | ||
// | ||
// http://www.apache.org/licenses/LICENSE-2.0 | ||
// | ||
// Unless required by applicable law or agreed to in writing, | ||
// software distributed under the License is distributed on an | ||
// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY | ||
// KIND, either express or implied. See the License for the | ||
// specific language governing permissions and limitations | ||
// under the License. | ||
|
||
use anyhow::{bail, Result}; | ||
use structopt::StructOpt; | ||
|
||
// decode hex string to [u8; 20] | ||
pub fn decode_hex_to_address(src: &str) -> Result<[u8; 20]> { | ||
// strip the 0x prefix | ||
let src = src.trim_start_matches("0x"); | ||
let vec = hex::decode(src)?; | ||
if vec.len() < 20 { | ||
bail!("invalid address length: {}", vec.len()); | ||
} | ||
let mut array = [0u8; 20]; | ||
array.copy_from_slice(&vec[..20]); | ||
Ok(array) | ||
} | ||
|
||
// decode string to uuid | ||
pub fn decode_str_to_uuid(s: &str) -> Result<uuid::Uuid> { | ||
uuid::Uuid::parse_str(s).map_err(|e| e.into()) | ||
} | ||
|
||
#[derive(Debug, StructOpt)] | ||
pub struct CreateWalletOpt {} | ||
|
||
#[derive(Debug, StructOpt)] | ||
pub struct RemoveWalletOpt { | ||
#[structopt(short, long, required = true)] | ||
pub wallet_id: uuid::Uuid, | ||
} | ||
|
||
#[derive(Debug, StructOpt)] | ||
pub struct DeriveAddressOpt { | ||
#[structopt(short, long, required = true)] | ||
pub wallet_id: uuid::Uuid, | ||
#[structopt(short, long, required = true, default_value = "m/44'/60'/0'/0/0")] | ||
pub hd_path: String, | ||
} | ||
|
||
#[derive(Debug, StructOpt)] | ||
pub struct SignTransactionOpt { | ||
#[structopt(short, long, required = true, parse(try_from_str = decode_str_to_uuid))] | ||
pub wallet_id: uuid::Uuid, | ||
#[structopt(short, long, default_value = "m/44'/60'/0'/0/0")] | ||
pub hd_path: String, | ||
#[structopt(short, long, default_value = "5")] | ||
pub chain_id: u64, | ||
#[structopt(short, long, default_value = "0")] | ||
pub nonce: u128, | ||
#[structopt(short, long, required = true, parse(try_from_str = decode_hex_to_address))] | ||
pub to: [u8; 20], | ||
#[structopt(short, long, required = true)] | ||
pub value: u128, | ||
#[structopt(short = "p", long, default_value = "1000000000")] | ||
pub gas_price: u128, | ||
#[structopt(short, long, default_value = "21000")] | ||
pub gas: u128, | ||
} | ||
|
||
#[derive(Debug, StructOpt)] | ||
pub enum Command { | ||
/// Create a new wallet. | ||
#[structopt(name = "create-wallet")] | ||
CreateWallet(CreateWalletOpt), | ||
/// Remove a wallet. | ||
#[structopt(name = "remove-wallet")] | ||
RemoveWallet(RemoveWalletOpt), | ||
/// Derive an address from a wallet. | ||
#[structopt(name = "derive-address")] | ||
DeriveAddress(DeriveAddressOpt), | ||
/// Sign a transaction. | ||
#[structopt(name = "sign-transaction")] | ||
SignTransaction(SignTransactionOpt), | ||
} | ||
|
||
#[derive(Debug, StructOpt)] | ||
#[structopt(name = "eth_wallet", about = "A simple Ethereum wallet based on TEE")] | ||
pub struct Opt { | ||
#[structopt(subcommand)] | ||
pub command: Command, | ||
} |
Oops, something went wrong.