
Developing SGX Applications with the Teaclave SGX SDK

Wenwen Ruan


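Introduction to the Teaclave SGX SDK Application Development Environment and Its Setup

Intel SGX (Software Guard Extensions) is currently the TEE (Trusted Execution Environment) that attracts the most attention from academia and industry, thanks to its comparatively good performance and security. Intel SGX partitions memory to create isolated regions called enclaves, which hold sensitive data and code. By providing this isolated trusted execution environment, an enclave still protects the code and data inside it even when system software such as the operating system, the BIOS and the hypervisor is untrusted, preserving the confidentiality and integrity of the user's critical data and code.

However, if Intel SGX programs are still developed in memory-unsafe languages such as C/C++, they face the same memory corruption vulnerabilities as traditional software. For an enclave the damage is more severe, because what an enclave holds is mostly confidential data and code. The main goal of Teaclave SGX is to support enclave application development in Rust, an efficient memory-safe language, so that Intel SGX enclaves get memory safety without significant performance overhead.

The Teaclave SGX SDK is structured internally in three layers:

  • The lowest layer is the Intel SGX SDK, implemented in C/C++ and assembly.
  • The middle layer is the Rust FFI (Foreign Function Interface) to C/C++.
  • The top layer is the Teaclave SGX SDK.

Teaclave SGX SDK overview diagram

Developers of Teaclave SGX SDK applications only need to build on the top-layer Teaclave SGX SDK; the underlying implementation is transparent to them. This article walks through, from a developer's point of view, the process of building your own application on the Teaclave SGX SDK.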

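Prerequisites

  • Ubuntu 16.04, 18.04 or 20.04 (support for Ubuntu 20.04 was added in Teaclave SGX SDK v1.1.3)
  • A Docker environment

This article is based on Teaclave SGX SDK v1.1.3, commit hash: d107bd0718f723221750a4f2973451b386cbf9d2

Setting up the Teaclave SGX SDK development environment with Docker

First, the CPU of the user's machine must support Intel SGX, and Intel SGX support must be enabled in the BIOS. Users can check whether their CPU supports Intel SGX through the SGX-hardware project or by searching for their CPU model on the Intel website. Taking the Intel Core i7-7700K processor as an example, the figure below shows that this model supports SGX.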

sgx-enable.png

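Once you have confirmed that the CPU supports Intel SGX, you also need to turn on the SGX option in the BIOS. The SGX option may offer enabled or software controlled. On hosts that offer enabled, simply select enabled in the BIOS. software controlled means that SGX has to be turned on by software, which additionally requires the sgx-software-enable tool provided by Intel. After downloading sgx-software-enable, run the Makefile to build the sgx_enable executable, run sudo ./sgx_enable, and reboot the host once it completes successfully; Intel SGX is then enabled.

With the hardware ready, you also need to install the Linux SGX driver (the operating system in this setup is Ubuntu 16.04; download the Intel SGX driver matching your own operating system version from the official website). After installation, confirm that /dev/isgx exists.

Download the Teaclave SGX SDK and the Docker image that supports compiling for SGX devices.

$ git clone https://github.com/apache/incubator-teaclave-sgx-sdk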

$ docker pull baiduxlab/sgx-rust

Start a Docker container and map the Teaclave SGX SDK project directory into it.

$ docker run -v /your/absolute/path/to/incubator-teaclave-sgx-sdk:/root/sgx -ti --device /dev/isgx baiduxlab/sgx-rust

Start the aesm service inside the running Docker container. The line White list update request successful for Version indicates that it started successfully.

root@docker:/# LD_LIBRARY_PATH=/opt/intel/sgx-aesm-service/aesm/ /opt/intel/sgx-aesm-service/aesm/aesm_service &
aesm_service[17]: [ADMIN]White List update requested
aesm_service[17]: Failed to load QE3: 0x4004
aesm_service[17]: The server sock is 0x56096ab991c0
aesm_service[17]: [ADMIN]White list update request successful for Version: 103

Run helloworld, the simple sample in the Teaclave SGX SDK, to check that everything works.

root@docker:~# cd sgx/samplecode/helloworld/
root@docker:~/sgx/samplecode/helloworld# make
root@docker:~/sgx/samplecode/helloworld# cd bin/
root@docker:~/sgx/samplecode/helloworld/bin# ./app
[+] global_eid: 2
This is normal world string passed into enclave!
This is a Rust string!
[+] say_something success ...

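At this point, we have successfully run the Teaclave SGX SDK helloworld sample on our own machine!

Anatomy of the Teaclave SGX SDK helloworld sample

Next, we read through the simple helloworld example to understand how a Teaclave SGX SDK application is organized and how it runs.

helloworld directory structure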

helloworld/ 
├── app
│   ├── app.c
│   └── app.h
├── bin
│   └── readme.txt
├── enclave
│   ├── Cargo.toml
│   ├── Enclave.config.xml
│   ├── Enclave.edl
│   ├── Enclave.lds
│   ├── Enclave_private.pem
│   ├── Makefile
│   ├── src
│   │   └── lib.rs
│   ├── x86_64-unknown-linux-sgx.json
│   └── Xargo.toml
├── lib
│   └── readme.txt
└── Makefile

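The directory structure of helloworld closely resembles that of Intel SGX's SampleEnclave.

  • The app directory holds the untrusted code, including the main function and the implementation of the OCALL functions.
  • The enclave directory holds the trusted code, mainly the implementation of the ECALL functions.
    • Unlike Intel SGX, the enclave application code is implemented in src/lib.rs. This is the only file in the whole helloworld folder written in Rust, and programmers can add the functionality they need in it.
    • In addition, the enclave folder has extra files: Cargo.toml, src/lib.rs, x86_64-unknown-linux-sgx.json, Xargo.toml
      • Cargo.toml: the project manifest, including the project name, project version, dependencies, and so on.
      • x86_64-unknown-linux-sgx.json and Xargo.toml describe the information used to cross-compile the project.

Walkthrough of the important code files

  • Enclave.edl
    This file specifies the ECALL/OCALL definitions at the enclave boundary.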
enclave {
    from "sgx_tstd.edl" import *;
    from "sgx_stdio.edl" import *;
    from "sgx_backtrace.edl" import *;
    from "sgx_tstdc.edl" import *;

    trusted {
        /* define ECALLs here. */
        public sgx_status_t say_something([in, size=len] const uint8_t* some_string, size_t len);
    };

    untrusted {

    };
};

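ECALL functions are declared in trusted {...} and OCALL functions in untrusted {...}. This example declares one ECALL function, say_something, whose implementation is in src/lib.rs. Its parameters are a pointer of type uint8_t * and a length parameter len.

  • app/app.c

The main function in app/app.c contains a complete example of calling an ECALL.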

sgx_ret = say_something(global_eid,
                        &enclave_ret,
                        (const uint8_t *) str,
                        len);

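This say_something looks somewhat different from the declaration in Enclave.edl: when the ECALL is called, two implicit parameters are added, enclave_eid and &enclave_ret, which receives the return value of say_something. sgx_ret, on the other hand, indicates whether the ECALL itself executed successfully; it is SGX's return value.

  • The enclave/ folder

enclave/Cargo.toml declares this as a staticlib, meaning the enclave is ultimately compiled into a .a file. That file is linked with sgx_tstdc.a and other files provided by Intel to form enclave.so, which the sgx_sign tool then signs, computing the measurement, using the Enclave.config.xml configuration file and the Enclave_private.pem private signing key. The result is enclave.signed.so, the final form of the enclave.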

  • enclave/src/lib.rs
#[no_mangle]
pub extern "C" fn say_something(some_string: *const u8, some_len: usize) -> sgx_status_t {

    let str_slice = unsafe { slice::from_raw_parts(some_string, some_len) };
    let _ = io::stdout().write(str_slice);

    // A sample &'static string
    let rust_raw_string = "This is a ";
    // An array
    let word:[u8;4] = [82, 117, 115, 116];
    // A vector
    let word_vec:Vec<u8> = vec![32, 115, 116, 114, 105, 110, 103, 33];

    // Construct a string from &'static string
    let mut hello_string = String::from(rust_raw_string);

    // Iterate on word array
    for c in word.iter() {
        hello_string.push(*c as char);
    }

    // Rust style conversion
    hello_string += String::from_utf8(word_vec).expect("Invalid UTF-8")
                                               .as_str();

    // Ocall to normal world for output
    println!("{}", &hello_string);

    sgx_status_t::SGX_SUCCESS
}

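This function simply converts a &[u8] array into a string and prints it. Note that println!, called at the end of the function, is an OCALL: the implementation of println! includes a built-in OCALL and defines a built-in edl, which is imported into Enclave.edl.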

enclave {
from "sgx_tstd.edl" import *;
from "sgx_stdio.edl" import *;
from "sgx_backtrace.edl" import *;
from "sgx_tstdc.edl" import *;

Directory after compilation

The directory after compilation looks as follows; the contents of the release folder are omitted here.

├── app 
│   ├── app.c
│   ├── app.h
│   ├── app.o #[generate]
│   ├── Enclave_u.c #[generate]
│   ├── Enclave_u.h #[generate]
│   └── Enclave_u.o #[generate]
├── bin
│   ├── app #[generate]
│   ├── enclave.signed.so #[generate]
│   └── readme.txt
├── enclave
│   ├── Cargo.lock #[generate]
│   ├── Cargo.toml
│   ├── Enclave.config.xml
│   ├── Enclave.edl
│   ├── Enclave.lds
│   ├── Enclave_private.pem
│   ├── enclave.so #[generate]
│   ├── Enclave_t.c #[generate]
│   ├── Enclave_t.h #[generate]
│   ├── Enclave_t.o #[generate]
│   ├── Makefile
│   ├── src
│   │   └── lib.rs
│   ├── target #[generate]
│   │   ├── CACHEDIR.TAG #[generate]
│   │   └── release #[generate]
│   ├── x86_64-unknown-linux-sgx.json
│   └── Xargo.toml
├── lib
│   ├── libenclave.a #[generate]
│   ├── libsgx_ustdc.a #[generate]
│   └── readme.txt
└── Makefile

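The basic build flow of helloworld is similar to Intel SGX:

  • edger8r takes the EDL as input and generates the untrusted code Enclave_u.h and Enclave_u.c in the app/ directory
  • The untrusted part is compiled to produce bin/app
  • edger8r generates the trusted code Enclave_t.h and Enclave_t.c in the enclave/ directory
  • The trusted dynamic library enclave.signed.so is compiled and signed

How developers can build their own Rust SGX application

As with developing an Intel SGX application, users can start by modifying the samplecode provided by the Teaclave SGX SDK. Here I offer a simple example as a starting point.

Adding a custom function

Suppose a user wants to implement a simple function in the Teaclave SGX SDK that computes the intersection of two arrays. All that is needed is to add the function directly to src/lib.rs. The intersection function in the sample code below is the function we want to add; note that the resulting intersection contains no duplicate elements. The two parameters are the i32 vectors to intersect, and the return value is their intersection. The implementation uses an extra hash set to record the elements that appear in num1 and then iterates over num2; if an element of num2 is in the hash set, the value is pushed to the intersection array and the corresponding element is removed from the hash set. When num2 has been traversed, the intersection array is returned.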

pub fn intersection(nums1: Vec<i32>, nums2: Vec<i32>) -> Vec<i32> {
    use std::collections::HashSet;
    let mut set: HashSet<i32> = HashSet::new();
    let mut vec: Vec<i32> = Vec::new();

    for i in nums1.iter() {
        set.insert(*i);
    }

    for i in nums2.iter() {
        if set.contains(i) {
            vec.push(*i);
            set.remove(i);
        }
    }
    return vec;
}

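Consider a more realistic scenario: two users each pass their own vector as a parameter into the enclave for computation, so the data has to be copied from the untrusted code region to the trusted code region. First, modify the definition of the say_something function in the Enclave.edl file so that the input parameters are the two users' vector pointers and the corresponding vector sizes.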

public sgx_status_t say_something([in, size=len1] size_t* num1, size_t len1,
[in, size=len2] size_t* num2, size_t len2);

Next, in app.c, declare the arrays to intersect and their sizes, and call say_something following the sample.

size_t nums1[10] = {0,1,2,3,4,5,6,7,8,9};
size_t nums2[10] = {5,6,7,8,9,10,11,12,13,14};
size_t len1 = sizeof(nums1);
size_t len2 = sizeof(nums2);

sgx_ret = say_something(global_eid,
                        &enclave_ret,
                        nums1,
                        len1,
                        nums2,
                        len2);

Back in enclave/src/lib.rs, what say_something receives is the start addresses and sizes of the two vectors.

pub extern "C" fn say_something(nums1: *mut usize, len1: usize, nums2: *mut usize, len2: usize) -> sgx_status_t 

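Because the data is copied from the non-secure region into the secure region, the intersection function also needs to be partly rewritten. The parameters passed in are array pointers. Taking the pointer address as the start address, the size parameter bounds the iteration range and gives a loop index variable i; inside the for loop, offset is used to advance the pointer, which is then dereferenced to read the element values of nums1 and nums2.

pub fn intersection(nums1: *mut usize, len1: usize, nums2: *mut usize, len2: usize) -> Vec<usize> {
    use std::collections::HashSet;
    use std::mem;

    let mut set: HashSet<usize> = HashSet::new();
    let mut vec: Vec<usize> = Vec::new();

    // len1 and len2 are byte counts (sizeof in app.c), so divide by the element size.
    for i in 0..len1 / mem::size_of::<usize>() {
        // Read element i of nums1 through the raw pointer.
        let val_nums1 = unsafe { *nums1.offset(i as isize) };
        set.insert(val_nums1);
    }

    for i in 0..len2 / mem::size_of::<usize>() {
        // Read element i of nums2 through the raw pointer.
        let val_nums2 = unsafe { *nums2.offset(i as isize) };
        if set.contains(&val_nums2) {
            vec.push(val_nums2);
            // Remove the value so that it is reported only once.
            set.remove(&val_nums2);
        }
    }
    return vec;
}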

The complete say_something function is shown below.

#[no_mangle]
pub extern "C" fn say_something(nums1: *mut usize, len1: usize, nums2: *mut usize, len2: usize) -> sgx_status_t {
    let vec: Vec<usize> = intersection(nums1, len1, nums2, len2);
    println!("intersection set is {:?}", vec);
    sgx_status_t::SGX_SUCCESS
}

Rebuild and run to get the result:

[+] global_eid: 2
intersection set is [5, 6, 7, 8, 9]
[+] say_something success ...

We have implemented our own intersection function based on the Teaclave SGX SDK helloworld.
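Added example (not part of the original article or of the SDK's sample code): the rewritten intersection above dereferences the raw pointers unconditionally and divides the byte length by the element size, so a null pointer or a length that is not a whole number of elements goes unnoticed. The sketch below validates each (pointer, byte length) pair before building a slice and then runs the same intersection on safe slices. It is plain Rust without SGX crates, and BoundaryError, checked_slice and intersect_from_raw are hypothetical names.

```rust
// Added example: standalone Rust with no SGX crates. All names below are
// hypothetical and are not part of the Teaclave SGX SDK.
use std::collections::HashSet;
use std::mem;
use std::slice;

/// Why an ECALL argument pair was rejected. In a real enclave each variant
/// would map to sgx_status_t::SGX_ERROR_INVALID_PARAMETER.
#[derive(Debug, PartialEq, Eq)]
pub enum BoundaryError {
    NullPointer,
    Misaligned,
    TooLarge,
    PartialElement,
}

/// Validate a (pointer, byte length) pair and borrow it as a slice.
///
/// # Safety
/// A non-null `ptr` must reference `byte_len` readable bytes that stay valid
/// for `'a`. With `[in, size=len]` in the EDL, the generated bridge code has
/// already copied that many bytes into enclave memory.
pub unsafe fn checked_slice<'a>(
    ptr: *const usize,
    byte_len: usize,
) -> Result<&'a [usize], BoundaryError> {
    if byte_len == 0 {
        // Nothing to read, so the pointer is never touched.
        let empty: &[usize] = &[];
        return Ok(empty);
    }
    if ptr.is_null() {
        return Err(BoundaryError::NullPointer);
    }
    if (ptr as usize) % mem::align_of::<usize>() != 0 {
        return Err(BoundaryError::Misaligned);
    }
    // slice::from_raw_parts requires the total size to fit in isize.
    if byte_len > isize::MAX as usize {
        return Err(BoundaryError::TooLarge);
    }
    // The article's loop computes len / size_of::<usize>(), which silently
    // drops trailing bytes. Reject such a length instead.
    if byte_len % mem::size_of::<usize>() != 0 {
        return Err(BoundaryError::PartialElement);
    }
    Ok(unsafe { slice::from_raw_parts(ptr, byte_len / mem::size_of::<usize>()) })
}

/// Duplicate-free intersection, in order of first appearance in `nums2`.
pub fn intersection(nums1: &[usize], nums2: &[usize]) -> Vec<usize> {
    let mut seen: HashSet<usize> = nums1.iter().copied().collect();
    // HashSet::remove returns true only for the first hit on a value.
    nums2.iter().copied().filter(|v| seen.remove(v)).collect()
}

/// Body that a hardened `say_something` could delegate to.
///
/// # Safety
/// Same contract as `checked_slice`, for both pairs.
pub unsafe fn intersect_from_raw(
    nums1: *const usize,
    len1: usize,
    nums2: *const usize,
    len2: usize,
) -> Result<Vec<usize>, BoundaryError> {
    let a = unsafe { checked_slice(nums1, len1)? };
    let b = unsafe { checked_slice(nums2, len2)? };
    Ok(intersection(a, b))
}

fn main() {
    // Constructed sample input: the two arrays from app.c in this article.
    let nums1: [usize; 10] = [0, 1, 2, 3, 4, 5, 6, 7, 8, 9];
    let nums2: [usize; 10] = [5, 6, 7, 8, 9, 10, 11, 12, 13, 14];
    let (len1, len2) = (mem::size_of_val(&nums1), mem::size_of_val(&nums2));

    let ok = unsafe { intersect_from_raw(nums1.as_ptr(), len1, nums2.as_ptr(), len2) };
    println!("intersection set is {:?}", ok);

    // A byte length that is not a whole number of elements is refused.
    let bad = unsafe { intersect_from_raw(nums1.as_ptr(), len1 - 1, nums2.as_ptr(), len2) };
    println!("truncated length: {:?}", bad);
}
```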

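Calling crates provided by the Teaclave SGX SDK

The Teaclave SGX SDK has rewritten many SGX libraries. When we need a library, we can first check the repository for a corresponding crate implementation and its docs. For example, to generate a random number in a C++ or Rust environment, one would think of the rand library. Naturally, the Teaclave SGX SDK has also rewritten it in Rust, as the sgx_rand library.

First, add the location of the sgx_rand library to the [target.'cfg(not(target_env = "sgx"))'.dependencies] section of enclave/Cargo.toml.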

[target.'cfg(not(target_env = "sgx"))'.dependencies]
sgx_rand = {git = "https://github.com/apache/teaclave-sgx-sdk.git" }

Everything is now in place; all that remains is the call. Back in lib.rs, link the sgx_rand crate, import all of its items, and declare the modules to use.

extern crate sgx_rand;
use sgx_rand::Rng;
use sgx_rand::os::SgxRng;

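Call the gen_range function to generate a random number between 0 and 10.

// Create the generator first; SgxRng::new() returns an io::Result.
let mut rng = SgxRng::new().unwrap();
let random = rng.gen_range(0, 10);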

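In this way, a random number can be generated inside a Teaclave SGX SDK enclave by calling the official crate.

Summary

This article first introduced the basic structure of the Teaclave SGX SDK project, then used helloworld as an example to describe the organization and build process of a simple Teaclave SGX SDK sample, and finally, taking the implementation of the intersection function in helloworld as an example, showed how to develop Teaclave SGX SDK applications on top of the provided SampleCode.

Further reading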

Teaclave Meetup #6

Mingshen Sun

On July 29, we gathered on Zoom for the sixth Teaclave meetup. In the meetup, we announced our new mentor Gordon and invited Gordon to introduce the latest effort on integrating Graphene into Teaclave.


Schedule

  • Recent update of Teaclave, Mingshen (5m)
  • Introduction to Graphene, Gordon

Notes

Teaclave Meetup #5

Mingshen Sun

On Jun 24, we gathered on Zoom for the fifth monthly Teaclave meetup. In this meetup, we're glad to have Hongbo (@ya0guang) talking about his contributions on adding WebAssembly Micro Runtime to Teaclave as an executor (PR: #504, #512).


Schedule

  • Recent update of Teaclave, Mingshen (5m)
  • Executing WebAssembly in Teaclave, Hongbo (40m)
  • Open discussion

Notes

Recent Update of Teaclave

Teaclave TrustZone SDK version 0.1.0 released

Linaro OP-TEE Contributions meeting

Executing WebAssembly in Teaclave


Some question and discussion:

  • Can we reuse the WebAssembly runtime to improve the performance of startup?
  • Bridging tlibc functions into WAMR.

Open Discussion

Announcing Apache Teaclave™ TrustZone SDK (incubating) 0.1.0

Mingshen Sun

On behalf of the Teaclave community, I am happy to announce the release of Teaclave TrustZone SDK 0.1.0. This is the first Apache Incubator release since the recent donation to the Teaclave community.

Teaclave TrustZone SDK provides the ability to build safe TrustZone applications in Rust. The SDK is based on the OP-TEE project, which follows GlobalPlatform TEE specifications, and provides ergonomic APIs. In addition, it makes it possible to write TrustZone applications with Rust's standard library and many third-party libraries (i.e., crates). Teaclave TrustZone SDK is a sub-project of Apache Teaclave™ (incubating). To learn more about the design and history of TrustZone SDK, please read the blog Welcome Rust OP-TEE TrustZone SDK To Teaclave.

Highlights

This version implements the following Rust APIs in GlobalPlatform TEE specifications:

TEE Client API (optee-teec)

  • Context
  • Error
  • Operation
  • Parameter
  • Session
  • UUID

TEE Internal Core API (optee-utee)

  • Arithmetical
  • Crypto Operation
  • Error
  • Object
  • Parameter
  • Time
  • Trace

Here is a demonstration of using these Rust APIs to open a session and invoke a function in a TA.

Teaclave TrustZone SDK APIs

We also provide procedural macros to automatically generate the binding interfaces of a TA:

  • #[ta_create], #[ta_destroy], #[ta_open_session], #[ta_close_session], #[ta_invoke_command]

These annotations will automatically generate helper functions to bridge the normal/secure worlds.

Teaclave TrustZone SDK Macros

This version includes rewrites of all examples (e.g., AES, authentication, big integer, HOTP) from OP-TEE repository. In addition, we include more examples using serde for serialization and deserialization.

Examples in Teaclave TrustZone SDK

This version is compatible with OP-TEE 3.13.0.

Getting Started

Here are simple instructions to download, build and test the TrustZone SDK:

$ wget https://dist.apache.org/repos/dist/dev/incubator/teaclave/trustzone-sdk-0.1.0-rc.1/apache-teaclave-trustzone-sdk-0.1.0-rc.1-incubating.tar.gz
$ tar zxvf apache-teaclave-trustzone-sdk-0.1.0-rc.1-incubating.tar.gz && cd apache-teaclave-trustzone-sdk-0.1.0-incubating

$ # Instructions to verify the source tar: https://teaclave.apache.org/download/#verify-the-integrity-of-the-files

$ # Building
$ docker run --rm -it -v$(pwd):/teaclave-trustzone-sdk -w /teaclave-trustzone-sdk \
    teaclave/teaclave-trustzone-sdk-build:0.1.1 \
    bash -c "source environment && make"

$ # Testing
$ docker run --rm -it -v$(pwd):/teaclave-trustzone-sdk -w /teaclave-trustzone-sdk \
    teaclave/teaclave-trustzone-sdk-build:0.1.1 \
    bash -c "source environment && cd ci && ./ci.sh"

We also provide a document Getting Started with OP-TEE for QEMU ARMv8 to get started step by step.

Download

You can download the release from the download page. Also, please check out our repository hosted on GitHub.

Contributing

Teaclave TrustZone SDK is under the Apache License v2 and open source in The Apache Way. We aim to create a project that is maintained and owned by the community. All kinds of contributions are welcome. Thanks to our contributors.

Accepting Rust OP-TEE TrustZone SDK to Apache Teaclave™ (incubating) Proposal

The Teaclave PPMC

Abstract

Rust OP-TEE TrustZone SDK provides abilities to build safe TrustZone applications in Rust. The SDK is based on the OP-TEE project which follows GlobalPlatform TEE specifications and provides ergonomic APIs. More information can be found at the project repository: https://github.com/sccommunity/rust-optee-trustzone-sdk.

Proposal

Rust OP-TEE TrustZone SDK provides abilities to build safe TrustZone applications in Rust.

Background

The Rust OP-TEE TrustZone project is being actively developed within Baidu. It was open sourced on Jan 30, 2019.

Rationale

ARM TrustZone is another hardware trusted execution environment implementation. The goal of Teaclave is to provide a universal secure computing platform that is agnostic to the TEE implementation. Currently, Teaclave has Teaclave SGX SDK and only supports Intel SGX. With the Rust OP-TEE TrustZone SDK, we can build the Teaclave platform on ARM TrustZone.

Initial Goals

  • Transfer repository to the Apache Incubator under the Teaclave project
  • Code cleanup and more documentation

Meritocracy:

The Rust OP-TEE TrustZone SDK project was originally developed by Shengye Wan and Mingshen Sun within Baidu. The project now has new committers from around the world. Some open source projects like https://github.com/veracruz-project are using the SDK to build their systems. We encourage everyone to ask questions and create pull requests to the project.

Community:

We see several open source projects which are using the SDK for development. Also, we already receive contributions from external committers. The community is growing over time.

Core Developers:

The core developers are:

  • Shengye Wan (simonsywan at gmail dot com)
  • Mingshen Sun (mssun at apache.org)

Alignment:

The project is complementary to Teaclave's TEE backends.

Known Risks

An exercise in self-knowledge. Risks don't mean that a project is unacceptable. If they are recognized and noted, then they can be addressed during incubation.

Project Name

Since the project will be accepted as a subproject in Teaclave, the project is renamed to Teaclave TrustZone SDK.

Inexperience with Open Source:

One of the core developers, Mingshen Sun is from the Teaclave community. He's familiar with The Apache Way for the open source community.

Length of Incubation:

The project will be in incubation with Apache Teaclave™ (incubating) project.

Documentation

Initial Source

Source and Intellectual Property Submission Plan

We will submit a Software Grant for this project later.

External Dependencies:

The dependencies have an Apache-compatible license; they are provided under the BSD 2-Clause license.

Cryptography:

N/A

Required Resources

Mailing lists:

The project shares the same mailing list of Teaclave.

Git Repositories:

Issue Tracking:

Same with Teaclave.

Other Resources:

N/A

Initial Committers

  • Mingshen Sun (mssun at apache dot org)
  • Shengye Wan (simonsywan at gmail dot com)

Teaclave Meetup #4

Mingshen Sun

On April 29, we gathered on Zoom for the third monthly Teaclave meetup. In this meetup, we're glad to have Jiang Jun from Phala Network give a talk on Teaclave SGX SDK meets Substrate. Phala Network is a decentralized confidential computing cloud whose tech stack includes Teaclave SGX SDK and Substrate.

Phala Network

In the meetup, we discussed use cases, technical details and implementation of Phala Network, as well as some difficulties with the current version of Teaclave SGX SDK.

We are continuing to work with our community to improve the projects. Hopefully, more users and developers can join our community and share their experience.


At last, if you are interested in our meetup, please subscribe to our mailing list for the latest schedule of meetups.

Teaclave Meetup #3

Mingshen Sun

On March 25, we gathered on Zoom for the third monthly Teaclave meetup. In this meetup, we're glad to have two speakers talking about some initial progress of Teaclave verification and a comparison of public cloud attestation services.


Schedule

  • Recent Update of Teaclave, Mingshen (3m)
  • Teaclave Verification, Sean (15m)
  • Comparison of Public Cloud Attestation Services, Mengyuan Li (45m)

Teaclave Verification

In this session, Sean introduced the plan for Teaclave verification. The main idea is to create formal descriptions, specifications, and proofs for some core components of Teaclave.

The initial effort in this field is to formally describe the access control module in Teaclave and then prove it against requirements defined in the Common Criteria for Information Technology Security Evaluation. The security objective of the access control module is to prevent unauthorized users from accessing critical data through tasks and functions. By achieving this security objective, the threats of runtime task and function abuse are eliminated under the assumptions identified in the security problem definition. With these objectives, we can find some corresponding requirements in Common Criteria, e.g., FIA_UAU.2 for user authentication before any action.

The initial work has been accepted as a separate project in Teaclave. If you are interested in this topic, please see https://github.com/apache/incubator-teaclave-verification to learn more.

Comparison of Public Cloud Attestation Services

Then, Mengyuan talked about his recent research on attestation, especially on public cloud attestation services.

Public Cloud Attestation Services

Here is the abstract of the talk:

Confidential computing is an emerging security feature provided by more and more public cloud service providers (e.g., Amazon AWS, Microsoft Azure, and Google Cloud) in order to help customers protect their sensitive data in the cloud environment. Some popular confidential computing services include Intel Software Guard Extensions (SGX) enclaves and AMD Secure Encrypted Virtualization (SEV) VMs. These services are usually atop different hardware-based Trusted Execution Environments (TEE) technologies.

Meanwhile, to help convince the customers the trustworthiness of the platform hardware and the integrity of codes inside the TEE, cloud services providers also offer remote attestation services. In this talk, we will first cover the remote attestation workflow provided by some famous cloud TEE services, including Azure Open Enclave, Nitro Enclave, Google confidential computing VM and Fortanix. From the perspective of customers, we also focus on the attestation reports the customers can get. We then introduce Teaclave's current attestation design and discuss the attestation report standard Teaclave should follow.

He also discussed the attestation design of Teaclave.

Public Cloud Attestation Services of Teaclave

In the end, he also summarized the roles in the attestation ecosystem and positions of services/products discussed in this talk.

Public Cloud Attestation Services Summary

At last, thanks for attending this meetup. I'll continue to drive this meetup and make it a monthly activity for the community. If you want to speak next time, please post your proposed topic on the mailing list. I'll help you schedule the time.

Welcoming Rust OP-TEE TrustZone SDK as a Teaclave Subproject

Mingshen Sun


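TrustZone provides a secure trusted execution environment for the ARM ecosystem, including phones, embedded devices and cloud computing, and is used in scenarios such as secure payment, key management and model protection. However, memory safety problems greatly undermine the security of the secure applications (trusted applications, or TAs) running in TrustZone. For example, a memory safety problem in Qualcomm's QSEE [1] led to a vulnerability in the secure world, with consequences as serious as obtaining the full-disk encryption key [2].

In early 2019, Baidu open sourced Rust OP-TEE TrustZone SDK, providing a memory-safe and easy-to-use SDK for OP-TEE, the open source TrustZone implementation in wide use today. The SDK is based on GlobalPlatform's TEE standard and gives developers standard development interfaces. In addition, Rust OP-TEE TrustZone SDK supports the standard library and third-party libraries, which speeds up TA development and extends the application scenarios of TrustZone.

To accelerate the development of the privacy and security ecosystem and improve TrustZone's technical infrastructure, Baidu formally donated the project to the Apache Software Foundation in early 2021 as one of Teaclave's subprojects, renaming it Teaclave TrustZone SDK. The new repository is at https://github.com/apache/incubator-teaclave-trustzone-sdk . Like Teaclave SGX SDK, Teaclave TrustZone SDK can provide the underlying support for the Teaclave FaaS privacy-preserving computing platform, enabling a privacy-preserving computing ecosystem across multiple trusted execution environment platforms.

Design and Implementation of Teaclave TrustZone SDK

Teaclave TrustZone SDK redesigns safe Rust interfaces on top of the GlobalPlatform standard APIs. Writing the TA (trusted apps in the figure) and the app (client apps in the figure) in Rust greatly reduces memory safety problems and ensures the security of the trusted execution environment.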

Teaclave TrustZone SDK Design

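Boundary code is generated automatically with Rust procedural macros, which removes unnecessary burden during development and avoids security problems caused by carelessness. As the figure below shows, you only need to add #[ta_create], #[ta_open_session], #[ta_close_session], #[ta_destroy], #[ta_invoke_command] to the corresponding functions.

Teaclave TrustZone SDK Macros

By taking advantage of Rust's rich type system, memory safety problems can be reported at compile time. For example, in the client implementation in the figure below, compared with the C interface, which is complex and has only simple types, the Rust API has clearer semantics and provides strong type checking.

Teaclave TrustZone SDK APIs

The project provides 13 sample programs, including encryption and decryption, secure storage, HOTP and more. We also demonstrate using the third-party Rust library serde for serialization at the boundary to pass complex parameters, avoiding memory safety problems caused by a poorly designed security boundary.

Quick Start and Documentation

All Teaclave TrustZone SDK APIs come with documentation. In the project Wiki we provide a quick-start example that runs a trusted app built with the TrustZone SDK in the QEMU emulator: https://github.com/apache/incubator-teaclave-trustzone-sdk/wiki/Getting-started-with-OPTEE-for-QEMU-ARMv8 . More on the design and performance of Teaclave TrustZone SDK can be found in the paper RusTEE: Developing Memory-Safe ARM TrustZone Applications, which was published at ACSAC 2020.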

Teaclave TrustZone Paper

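Teaclave TrustZone SDK Timeline

  • Early 2019: open sourced.
  • 2019: presented publicly at Linaro Connect and RustCon Asia; gained support from ARM and is now used in its privacy computing projects.
  • 2020: the related paper was published at ACSAC, a top international security conference, gaining recognition from academia.
  • With the development of privacy-preserving computing, several open source projects began to use it. For example, Veracruz, an open source project led by ARM Research, uses the SDK to build its experimental privacy computing project, and Veracruz will also join the Confidential Computing Consortium.
  • February 2021: TrustZone SDK upgraded to support OP-TEE 3.11 and 3.12.
  • February 2021: the donation process was started, passing a community vote and submitting the Software Grant Agreement.
  • March 2021: the project repository was formally transferred to the Apache organization, under the Apache Teaclave™ (incubating) project.

Teaclave TrustZone SDK Timeline

The Teaclave Open Source Community

Having joined Apache, TrustZone SDK will grow together with the Teaclave open source community. Contributions are very welcome as we advance the privacy-preserving computing ecosystem together. At least four companies or organizations already use Teaclave in their products, and more than nine open source projects use the Teaclave platform and Teaclave SGX SDK. All of this gives the project a steady stream of momentum. More information is available under community on our website: https://teaclave.apache.org/community/

Teaclave Community

Teaclave is open source in The Apache Way (https://www.apache.org/theapacheway/): whether it is code, documentation, design or roadmap planning, we discuss it in the community's channels. If you want to follow Teaclave or join our discussions, you can reply to us or start new topics in GitHub issues or on the mailing list. You can also follow our Twitter account @ApacheTeaclave for the latest news. In addition, our website (https://teaclave.apache.org/) offers Teaclave-related talks, papers and articles, including slides and videos of earlier TrustZone SDK talks.

References: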

[1] Qualcomm's Secure Execution Environment (QSEE) privilege escalation vulnerability and exploit (CVE-2015-6639) : http://bits-please.blogspot.com/2016/05/qsee-privilege-escalation-vulnerability.html

[2] Extracting Qualcomm's KeyMaster Keys - Breaking Android Full Disk Encryption: http://bits-please.blogspot.com/2016/06/extracting-qualcomms-keymaster-keys.html

Welcome Rust OP-TEE TrustZone SDK to Teaclave

Mingshen Sun


TrustZone is a security feature by ARM SoC to provide a trusted execution environment to protect areas like mobile computing, edge computing, and emerging confidential computing, supporting scenarios like payments, key management, model protection, etc. However, one major security threat in TrustZone applications is the memory safety issue. For instance, a vulnerability of Qualcomm's QSEE is caused by the memory safety issue [1]. Attackers can even get the full-disk encryption key by exploiting such kind of vulnerability [2].

In 2019, Baidu open sourced the Rust OP-TEE TrustZone SDK project, enabling safe, functional, and ergonomic development of TrustZone apps. The SDK provides safer APIs based on GlobalPlatform's TEE standard. In addition, Rust OP-TEE TrustZone SDK also supports Rust's standard library and third-party crates (i.e., libraries). This improves the efficiency of developing TrustZone apps and also extends their usage scenarios.

To accelerate the development of confidential computing ecosystem and improve TrustZone's foundation, Baidu has donated Rust OP-TEE TrustZone SDK to Apache Software Foundation as a subproject of Teaclave, and renamed it as Teaclave TrustZone SDK. The location of new repository is https://github.com/apache/incubator-teaclave-trustzone-sdk. Similar to Teaclave SGX SDK, Teaclave TrustZone SDK will be the foundation of Teaclave FaaS platform to support multiple trusted execution environments.

Design and Implementation of Teaclave TrustZone SDK

Based on GlobalPlatform's C APIs, Teaclave TrustZone SDK provides safer Rust interfaces. With the SDK, TrustZone apps will not be affected by memory safety issues, thanks to Rust's strong type system.

Teaclave TrustZone SDK Design

We also created procedural macros to help development. For example, developers can simply put #[ta_create], #[ta_open_session], #[ta_close_session], #[ta_destroy], and #[ta_invoke_command] annotations before the corresponding functions. These annotations will automatically generate helper functions to bridge the normal/secure worlds.

Teaclave TrustZone SDK Macros

By using the rich type system of Rust, the memory safety issues will be reported at compile time. For example, in the following case, compared to C's APIs, the Rust APIs have clearer semantics and more strict type checking.

Teaclave TrustZone SDK APIs

The project also has 13 samples, including encryption/decryption, secure storage, HOTP, etc. Also, we provide a message passing sample code by using serde for serialization and de-serialization between different worlds to avoid any security issues caused by improper design in boundaries.

Getting Started and Documentations

All APIs in Teaclave TrustZone SDK are well documented. In the project's Wiki page, we have a quick-start document to guide you through compiling and running a TrustZone app in QEMU emulators. You can find more on the design and performance evaluation in our paper published in ACSAC 2020.

Teaclave TrustZone Paper

Teaclave TrustZone SDK Timeline

  • 2019: Open source.
  • 2019: Talks in Linaro Connect and RustCon Asia.
  • 2020: Technical report published in ACSAC 2020.
  • 2020: Many open source projects started to use the SDK. E.g., Veracruz by ARM Research is an experimental project on confidential computing using the SDK.
  • Feb 2021: Support OP-TEE 3.11 and 3.12.
  • Feb 2021: Initiated the donation procedure.
  • Mar 2021: Officially transferred to Teaclave.

Teaclave TrustZone SDK Timeline

References:

[1] Qualcomm's Secure Execution Environment (QSEE) privilege escalation vulnerability and exploit (CVE-2015-6639) : http://bits-please.blogspot.com/2016/05/qsee-privilege-escalation-vulnerability.html

[2] Extracting Qualcomm's KeyMaster Keys - Breaking Android Full Disk Encryption: http://bits-please.blogspot.com/2016/06/extracting-qualcomms-keymaster-keys.html

Apache Teaclave™ (incubating) 0.2.0 Released

Mingshen Sun


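Apache Teaclave™ (incubating) is a privacy-preserving secure computing platform that enables computation on private data. Built on hardware security capabilities, Teaclave ensures that sensitive data circulates and is processed in a secure and controllable way outside the trusted domain and in offshore scenarios, without concern about leakage or misuse of private data. Teaclave also supports joint computation among multiple parties, breaking down data silos in enterprises and organizations. Teaclave was donated by Baidu to the Apache Incubator in 2019, and the first open source community release came out in October 2020.

Teaclave uses Intel SGX to protect privacy-sensitive computing tasks with security technologies such as hardware-based isolation, memory encryption and remote attestation. The Teaclave platform offers a function-as-a-service interface, lowering the barrier to use. The platform also implements many built-in functions for common needs, such as machine learning algorithms, multi-party joint set intersection, and encryption and decryption. More importantly, developers can freely write functions in Python that operate on private data and run them on the platform. Finally, to avoid the security risks of memory safety vulnerabilities, Teaclave itself is written in the memory-safe programming language Rust.

On March 2, 2021, we published 0.2.0, the second community release of Teaclave. In this release we focused on providing more built-in functions, client SDKs in different languages, a more convenient docker deployment environment, a command-line interface, documentation, and more.

Teaclave 0.2.0 Highlights

In 0.2.0 we added client SDKs in several languages; we now provide interfaces in four languages: Python, Rust, C and Swift. In Teaclave Meetup #2 we already presented the organization and framework of the SDKs in the different languages. In short, we use JSON serialization/deserialization as the boundary between languages. The figure below shows how these language SDKs relate to each other, along with some example interfaces.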

Teaclave Client SDKs

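Teaclave 0.2.0 Release Details

In detail, 0.2.0 includes the following changes and new features:

Functions

  • Add a built-in PCA (Principal Component Analysis) function
  • Add a built-in function for querying leaked passwords (#447)

SDK

  • Add Rust client SDK (#455)
  • Add C client SDK (#470)
  • Add Swift client SDK, i.e. an iOS framework
  • Change the CMAC format in the SDK interfaces to a byte array

Docker

  • Add the teaclave-file-service container as a remote file system for the sample programs (#446)
  • Fix the docker compose file for simulation mode (#462)

CLI

  • Add an attestation subcommand that displays the remote attestation report of the current SGX platform

Documentation

  • Add documentation in the codebase
  • Add documentation on deploying Teaclave on an Azure Confidential Compute VM

Miscellaneous

  • Add checks and tests for the input/output buffers in the binder module
  • Use GitHub Actions for building, testing and format-checking PRs
  • Polish the documentation

How to Download

Teaclave 0.2.0 can be found on the download page of the official website (remember to verify the PGP signature and hash).

Quick Start

If you would like to try Teaclave, we provide a simple getting-started document (https://teaclave.apache.org/docs/my-first-function/) for running a function that prints hello world.

In short, you can build Teaclave with docker using the following command: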

$ cd incubator-teaclave
$ docker run --rm -v $(pwd):/teaclave -w /teaclave \
-it teaclave/teaclave-build-ubuntu-1804-sgx-2.9.1:latest \
bash -c ". /root/.cargo/env && \
. /opt/sgxsdk/environment && \
mkdir -p build && cd build && \
cmake -DTEST_MODE=ON .. && \
make"

Then use docker-compose to run all Teaclave services in simulation mode:

$ (cd docker && docker-compose -f docker-compose-ubuntu-1804-sgx-sim-mode.yml up --build)

Finally, you can call the echo function from Python in the examples directory to print "Hello, Teaclave!":

$ cd examples/python
$ PYTHONPATH=../../sdk/python python3 builtin_echo.py 'Hello, Teaclave!'
[+] registering user
[+] login
[+] registering function
[+] creating task
[+] approving task
[+] invoking task
[+] getting result
[+] done
[+] function return: b'Hello, Teaclave!'

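If you want to dig deeper into Teaclave's internal design and implementation, there are more design documents, API documents and codebase documents for you to discover.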