{"id":13642172,"url":"https://github.com/Penglai-Enclave/Penglai-Enclave","last_synced_at":"2025-04-20T16:30:36.194Z","repository":{"id":48793728,"uuid":"328141726","full_name":"Penglai-Enclave/Penglai-Enclave","owner":"Penglai-Enclave","description":"This is the main repo for Penglai.","archived":false,"fork":false,"pushed_at":"2023-10-12T13:32:39.000Z","size":607,"stargazers_count":62,"open_issues_count":4,"forks_count":13,"subscribers_count":3,"default_branch":"main","last_synced_at":"2024-08-03T01:25:49.759Z","etag":null,"topics":["enclave","risc-v","security","systems","tee"],"latest_commit_sha":null,"homepage":"http://penglai-enclave.systems/","language":null,"has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"other","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/Penglai-Enclave.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null}},"created_at":"2021-01-09T11:41:42.000Z","updated_at":"2024-07-11T05:49:48.000Z","dependencies_parsed_at":"2024-01-14T11:19:06.195Z","dependency_job_id":"ec23b705-a35a-4c74-be19-8a34ca1525ca","html_url":"https://github.com/Penglai-Enclave/Penglai-Enclave","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Penglai-Enclave%2FPenglai-Enclave","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Penglai-Enclave%2FPenglai-Enclave/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Penglai-Enclave%2FPenglai-Enclave/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Penglai-Enclave%2FPenglai-Enclave/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/Penglai-Enclave","download_url":"https://codeload.github.com/Penglai-Enclave/Penglai-Enclave/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":223832840,"owners_count":17210724,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["enclave","risc-v","security","systems","tee"],"created_at":"2024-08-02T01:01:28.171Z","updated_at":"2024-11-09T13:30:41.096Z","avatar_url":"https://github.com/Penglai-Enclave.png","language":null,"funding_links":[],"categories":["Other TEEs"],"sub_categories":["Memory Protection"],"readme":"\u003cimg src=\"docs/images/penglai_logo.jpg\" width=\"500\"\u003e\n\nPenglai is a set of security solutions based on Trusted Execution Environment.\n\nThis repo contains an overview of the whole project.\n\nIt currently supports RISC-V platforms, including both high-performant MMU RISC-V64 arch and MCU (RISC-V32, no MMU).\n\nMore informations can be found in our online document: [Penglai-doc](https://penglai-doc.readthedocs.io/en/latest/)\n\n## Systems\n\nPenglai contains a set of systems satisfying different scenarios.\n\n- **[Penglai-TVM](https://github.com/Penglai-Enclave/Penglai-Enclave-TVM)**: it is based on OpenSBI, supports fine-grained isolation (page-level isolation) between untrusted host and enclaves. The code is maintained in [Penglai-TVM](https://github.com/Penglai-Enclave/Penglai-Enclave-TVM).\n- **[Penglai-sPMP](https://github.com/Penglai-Enclave/Penglai-Enclave-sPMP)**: it utilizes PMP or sPMP (S-mode PMP) to provide basic enclave functionalities. A version based on OpenSBI for Nuclei devices is maintained in [Nuclei SDK](https://github.com/Nuclei-Software/nuclei-linux-sdk/tree/dev_flash_penglai_spmp).\n- **[Penglai-Zone](https://github.com/Penglai-Enclave/PenglaiZone)**: PenglaiZone is a project that aims to support the privileged zone in Trusted Execution Environment (TEE), such as TEEOS, standaloneMM in Unified Extensible Firmware Interface (UEFI). The code is maintained in [Penglai-Zone](https://github.com/Penglai-Enclave/PenglaiZone).\n- **Penglai-MCU**: it supports Global Platform, and PSA now. Not open-sourced. Refer [Penglai-MCU](#) for more info.\n\n## Monthly Report\nMonthly update reports for Penglai TEE (include Penglai-sPMP, Penglai-TVM and Penglai-Zone) can be obtained [here](https://github.com/Penglai-Enclave/Penglai-Enclave/tree/main/report).\n\n## Features\n\nWe highlight several features on Penglai which are novel over other TEE systems.\n\n### Cross-enclave communication\n\nPenglai supports the synchronous and asynchronous cross-enclave communication using the zero-copy memory transferring mechanism.\n\n##### Synchronous IPC interface:\n\n```c\nstruct call_enclave_arg_t\n{\n  unsigned long req_arg;\n  unsigned long resp_val;\n  unsigned long req_vaddr;\n  unsigned long req_size;\n  unsigned long resp_vaddr;\n  unsigned long resp_size;\n};\n\nunsigned long acquire_enclave(char* name);;\nunsigned long call_enclave(unsigned long handle, struct call_enclave_arg_t* arg);\nvoid SERVER_RETURN(struct call_enclave_arg_t *arg);\n```\n\nAs for synchronous cross-enclave communication, Penglai sdk provides three IPC-related interfaces: `acquire_enclave`, `call_enclave` and `SERVER_RETURN`.\n\n+ `Acquire_enclave` receives the callee enclave name and returns the corresponding enclave handler.\n\n+ `Call_enclave` has two parameters, one is the enclave handler, and another is the argument's structure: `struct call_enclave_arg_t`. `struct call_enclave_arg_t` contains six variables: `req_arg` and `resp_val` are the calling and return value passing by the register. `req_size` and `req_vaddr` indicate a memory range that will map to the callee enclave using the zero-copy mechanism. `resp_size` and `resp_vaddr` are similar to the `req_size` and `req_vaddr`,  which are ignored in the calling procedure, but will be filled by monitor in the return procedure.\n\n  Call_enclave will be hanged until the calling procedure returns.\n\n+ `SERVER_RETURN` also receives the `struct call_enclave_arg_t`, which indicates the `resp_size` and `resp_vaddr`.\n\nAsynchronous IPC interface:\n\n```c\nunsigned long asyn_enclave_call(char* name, struct call_enclave_arg_t *arg);\n```\n\n`asyn_enclave_call` receives two parameters, one is the callee enclave name and another is the pointer of the `struct call_enclave_arg_t`, but only the req_vaddr and `req_size` are effective. When an enclave invokes the `asyn_enclave_call`, Penglai monitor will unmap these memory pages, and re-map them to the callee enclave before it running. In addition, asyn_enclave_call will not suspend the caller enclave procedure.\n\n### Secure file system\n\nPenglai adopts xv6fs and littlefs as its file system, serving enclaves.\nIt utilizes the encryption libraries in SDK to encrypt/decrypt the data and provide integrity protections.\n\nPenglai add an interface layer on top of file system to support unified interface abstraction to client enclave. In the implementation of this layer, these file system related interfaces are the functions supported to client. Clients call the functions in the way of IPC between enclave.\n\nOn the client side, we hide the details of IPC in the musl libc we offered in penglai SDK. So if a client want to interact with file system, they can just use the standard libc file system interfaces.\n\nAt this moment, the following file system related interfaces are supported.\n\n```c\nFILE* fopen(const char* pathname, const char* mode);\nFILE* fclose(FILE* stream);\nsize_t fread(void* ptr, size_t size, size_t nmemb, FILE* stream);\nsize_t fwrite(const void* ptr, size_t size, size_t nmemb, FILE* stream);\nchar* fgets(char* s, int size, FILE* stream);\nint fputs(const char* s, FILE* stream);\nint fseek(FILE* stream, long offset, int whence);\nint mkdir(const char* pathname, mode_t mode);\nint stat(const char* path, struct stat *buf);\nint truncate(const char* path, off_t length);\n```\n\nHere is a easy example to show how to use file system.\n```c\nint EAPP_ENTRY main(){\n    unsigned long* args;\n    EAPP_RESERVE_REG;\n    FILE *f;\n    int status;\n    char buf[52] = {0};\n    eapp_print(\"before fopen\\n\");\n    f = fopen(\"/create.txt\",\"w\");\n    char str[] = \"just for create and write\\ntest fgets\";\n    fputs(str,f);\n    eapp_print(\"after fwrite\\n\");\n    struct stat st;\n    fclose(f);\n    status = stat(\"/create.txt\", \u0026st);\n    if(!status){\n        eapp_print(\"stat succeed: file length: %d\\n\",st.st_size);\n    }\n    f = fopen(\"/create.txt\",\"r\");\n    memset(buf,0,52);\n    eapp_print(\"fopen /create.txt for read\\n\");\n    char* res = fgets(buf,52,f);\n    if(res == NULL){\n        eapp_print(\"fgets failed\\n\");\n    }\n    eapp_print(\"read writed content: %s\\n\",buf);\n    fseek(f,0,SEEK_SET);\n    memset(buf,0,53);\n    fgets(buf,52,f);\n    eapp_print(\"read after seek: %s\\n\",buf);\n    fclose(f);\n    f = fopen(\"/sub/empty.txt\",\"w\");\n    if(!f){\n        eapp_print(\"open file failed, directory does not exist\\n\");\n        if(mkdir(\"/sub\", 0) != 0){\n            eapp_print(\"mkdir failed\\n\");\n            EAPP_RETURN(0);\n        }\n    }\n    f = fopen(\"/sub/empty.txt\",\"w\");\n    if(!f){\n        eapp_print(\"open after mkdir failed\\n\");\n        EAPP_RETURN(0);\n    }\n    fputs(str, f);\n    fclose(f);\n    eapp_print(\"write to empty file\\n\");\n    f = fopen(\"/sub/empty.txt\",\"r\");\n    fgets(buf,52,f);\n    eapp_print(\"read from empty file, %s\\n\",buf);\n    fclose(f);\n    int fd;\n    if ((fd = open(\"/sub/empty2.txt\", O_RDWR| O_CREAT)) \u003c 0) {\n        eapp_print(\"open error\\n\");\n     }\n    struct stat stat_buf;\n    eapp_print(\"stat begin\\n\");\n    stat(\"/sub/empty.txt\", \u0026stat_buf);\n    printf(\"/sub/empty.txt file size = %d/n\", stat_buf.st_size);\n    EAPP_RETURN(0);\n}\n```\n\n### Encryption library in SDK\n\nPenglai supports national secret algorithm like **SM4**.\n\nBesides, Penglai utilizes the mbedtls to provide other crypto algorithm support.\n\nMbed TLS is a C library that implements cryptographic primitives, X.509 certificate manipulation and the SSL/TLS and DTLS protocols. Its small code footprint makes it suitable for embedded systems. And Mbed TLS includes a reference implementation of the PSA Cryptography API.\n\nYou can find the basic doc tutorial in mbedtls/docs. And if you want to get more specific API documents, you can use doxygen engine to generate the API documents. The doxygen file is located at mbedtls/doxygen.\n\nThe implementation of mbedtls is very flexible and very easy to port to different platforms. You can modify the configurations in mbedtls/include/mbedtls/config.h to adapt to the library to your platform.\n\n\n\n\n### Support existing frameworks\n\n- PSA: description TODO\n- GP: description TODO\n\n## License Details\n\nMulan Permissive Software License，Version 1 (Mulan PSL v1)\n\n## Collaborators\n\nWe thank all of our collaborators (companies, organizations, and communities).\n\n[\u003cimg alt=\"Huawei\" src=\"./docs/collaborator-logos/huawei.png\" width=\"146\"\u003e](https://www.huawei.com/) |[\u003cimg alt=\"nuclei\" src=\"./docs/collaborator-logos/nuclei.png\" width=\"146\"\u003e](https://www.nucleisys.com/) |[\u003cimg alt=\"StarFive\" src=\"./docs/collaborator-logos/starfive.jpeg\" width=\"146\"\u003e](https://starfivetech.com/) |[\u003cimg alt=\"ISCAS\" src=\"./docs/collaborator-logos/ISCAS.svg\" width=\"146\"\u003e](http://www.is.cas.cn/) |\n:---: |:---: |:---: |:---: |\n[Huawei (华为)](https://www.huawei.com/) |[Nuclei (芯来科技)](https://www.nucleisys.com/) |[StarFive (赛昉科技)](https://starfivetech.com/) |[ISCAS(中科院软件所)](http://www.is.cas.cn/) |\n\n[\u003cimg alt=\"openEuler\" src=\"./docs/collaborator-logos/openeuler.png\" width=\"146\"\u003e](https://openeuler.org/) |[\u003cimg alt=\"OpenHarmony\" src=\"./docs/collaborator-logos/OpenHarmony.svg\" width=\"146\"\u003e](https://www.openharmony.cn/) |[\u003cimg alt=\"secGear\" src=\"./docs/collaborator-logos/secGear.png\" width=\"146\"\u003e](https://gitee.com/openeuler/secGear) |\n:---: |:---: |:---: |\n[openEuler community](https://openeuler.org/) |[OpenHarmony community](https://www.openharmony.cn/) |[secGear framework](https://gitee.com/openeuler/secGear)|\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2FPenglai-Enclave%2FPenglai-Enclave","html_url":"https://awesome.ecosyste.ms/projects/github.com%2FPenglai-Enclave%2FPenglai-Enclave","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2FPenglai-Enclave%2FPenglai-Enclave/lists"}