{"id":13641060,"url":"https://github.com/apache/incubator-teaclave-trustzone-sdk","last_synced_at":"2025-05-15T05:05:11.435Z","repository":{"id":38196404,"uuid":"167625003","full_name":"apache/incubator-teaclave-trustzone-sdk","owner":"apache","description":"Teaclave TrustZone SDK enables safe, functional, and ergonomic development of trustlets.","archived":false,"fork":false,"pushed_at":"2025-05-09T16:00:29.000Z","size":1443,"stargazers_count":236,"open_issues_count":9,"forks_count":65,"subscribers_count":25,"default_branch":"main","last_synced_at":"2025-05-10T17:16:34.423Z","etag":null,"topics":["confidential-computing","rust","secure-computing","tee","trusted-execution-environment","trustzone"],"latest_commit_sha":null,"homepage":"https://teaclave.apache.org","language":"Rust","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/apache.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":"SECURITY.md","support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2019-01-25T22:56:42.000Z","updated_at":"2025-05-09T16:00:33.000Z","dependencies_parsed_at":"2024-01-23T17:29:53.627Z","dependency_job_id":"5e45a95f-7fd0-4289-b437-3e263da6775a","html_url":"https://github.com/apache/incubator-teaclave-trustzone-sdk","commit_stats":{"total_commits":445,"total_committers":22,"mean_commits":"20.227272727272727","dds":0.5865168539325842,"last_synced_commit":"3177d4fa06f77afb351d0a19b8aa51b4a50fa1c8"},"previous_names":["mesalock-linux/rust-optee-trustzone-sdk","sccommunity/rust-optee-trustzone-sdk"],"tags_count":5,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/apache%2Fincubator-teaclave-trustzone-sdk","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/apache%2Fincubator-teaclave-trustzone-sdk/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/apache%2Fincubator-teaclave-trustzone-sdk/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/apache%2Fincubator-teaclave-trustzone-sdk/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/apache","download_url":"https://codeload.github.com/apache/incubator-teaclave-trustzone-sdk/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":253450236,"owners_count":21910514,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["confidential-computing","rust","secure-computing","tee","trusted-execution-environment","trustzone"],"created_at":"2024-08-02T01:01:17.348Z","updated_at":"2025-05-15T05:05:11.424Z","avatar_url":"https://github.com/apache.png","language":"Rust","funding_links":[],"categories":["Language Frameworks","隐私新技术"],"sub_categories":["Library OSes and SDKs","隐私相关领域法规/条例"],"readme":"# Teaclave TrustZone SDK\n\n[![License](https://img.shields.io/badge/license-Apache-green.svg)](LICENSE)\n[![Release](https://img.shields.io/github/v/tag/apache/incubator-teaclave-trustzone-sdk?label=release\u0026sort=semver)](https://github.com/apache/incubator-teaclave-trustzone-sdk/releases)\n[![Homepage](https://img.shields.io/badge/site-homepage-blue)](https://teaclave.apache.org/)\n\nTeaclave TrustZone SDK (Rust OP-TEE TrustZone SDK) provides abilities to build\nsafe TrustZone applications in Rust. The SDK is based on the\n[OP-TEE](https://www.op-tee.org/) project which follows\n[GlobalPlatform](https://globalplatform.org/) [TEE\nspecifications](https://globalplatform.org/specs-library/tee-internal-core-api-specification/)\nand provides ergonomic APIs. In addition, it enables the capability to write\nTrustZone applications with Rust's standard library (std) and many third-party\nlibraries (i.e., crates). Teaclave TrustZone SDK is a sub-project of [Apache\nTeaclave (incubating)](https://teaclave.apache.org/).\n\nTeaclave TrustZone SDK provides two development modes for Rust TAs: `no-std`\nand `std`. \nWe recommend using `no-std` by default. For a detailed comparison, please refer\nto [Comparison](#comparison).\n\n**UPDATES:** We have developed a new build environment on the `main` branch, \nwhich will now be the only branch for development and maintenance and includes \nbreaking changes to the legacy `master` branch.\nIf you're using the `master` branch and wish to migrate to the new development \nbranch (`main`), please refer to the \n[migration guide](docs/migrating-to-new-building-env.md).\n\n## Table of Contents\n\n- [TA Development Modes](#ta-development-modes)\n  - [Comparison](#comparison)\n  - [Supported Examples](#supported-examples)\n- [Quick Start with the OP-TEE Repo for QEMUv8](#quick-start-with-the-op-tee-repo-for-qemuv8)\n- [Getting Started](#getting-started)\n  - [Platforms](#platforms)\n    - [Develop with QEMUv8](#develop-with-qemuv8)\n    - [Develop on Other Platforms](#develop-on-other-platforms)\n  - [Setup Building Environment](#setup-building-environment)\n  - [Build Examples](#build-examples)\n  - [Run Rust Applications](#run-rust-applications)\n    - [Run Rust Applications in QEMUv8](#run-rust-applications-in-qemuv8)\n    - [Run Rust Applications on Other Platforms](#run-rust-applications-on-other-platforms)\n  - [Test](#test)\n- [Documentation](#documentation)\n- [Publication](#publication)\n- [Contributing](#contributing)\n- [Community](#community)\n\n\n## TA Development Modes\n\n### Comparison\n\n#### `no-std`\n\n- **Pros**:\n  - Reuses standard Rust tier-1 toolchain targets (`aarch64-unknown-linux-gnu`, \n    `arm-unknown-linux-gnueabihf`).\n  - Significant performance improvements.\n  - Substantial reduction in binary size.\n  \n- **Cons**:\n  - Limited support for third-party crates. In the no-std mode, Trusted\n    Applications (TAs) are unable to utilize crates dependent on the standard\n    library (std).\n\n#### `std`\n\n- **Pros**:\n  - Enables the utilization of more third-party crates, including those\n    requiring `std`, such as `rustls`, which are essential for functionality.\n  \n- **Cons**:\n  - Manual porting of `std` with infrequent updates. Currently using `std`\n    version `1.80.0` and `Rust` version `nightly-2024-05-14`, which might not\n    meet the MSRV requirements of some crates.\n\n### Supported Examples\n\n- **Common**: See\n  [Overview of OP-TEE Rust Examples](https://teaclave.apache.org/trustzone-sdk-docs/overview-of-optee-rust-examples/).\n\n- **`no-std`**: Excludes `test_serde`, `test_message_passing_interface`,\n  `test_tls_client`, `test_tls_server`, `test_secure_db_abstraction`.\n\n- **`std`**: Excludes `test_mnist_rs`, `test_build_with_optee_utee_sys`.\n\n\n## Quick Start with the OP-TEE Repo for QEMUv8\n\nTeaclave TrustZone SDK has been integrated into the OP-TEE Repo since OP-TEE\nRelease 3.15.0 (18/Oct/21). The aarch64 Rust examples are built and installed\ninto OP-TEE's default filesystem for QEMUv8. Follow [this\ndocumentation](https://optee.readthedocs.io/en/latest/building/optee_with_rust.html)\nto set up the OP-TEE repo and try the Rust examples!\n\nUPDATES: The `no-std` TA has replaced the original `std` TAs since OP-TEE \nRelease 4.1.0 (19/Jan/24).\n\n## Getting Started\n\n### Platforms\n\nTo get started with Teaclave TrustZone SDK, you could choose either [QEMU for\nArmv8-A](#develop-with-qemuv8) (QEMUv8) or [other\nplatforms](#develop-on-other-platforms) ([platforms OP-TEE\nsupported](https://optee.readthedocs.io/en/latest/general/platforms.html)) as\nyour development environment.\n\n#### Develop with QEMUv8\n\nThe OP-TEE libraries are needed when building Rust applications, so you should\nfinish the [Quick start with the OP-TEE Repo for\nQEMUv8](#quick-start-with-the-op-tee-repo-for-qemuv8) part first. Then\ninitialize the building environment in Teaclave TrustZone SDK, build Rust\napplications and copy them into the target's filesystem.\n\nTeaclave TrustZone SDK is located in `[YOUR_OPTEE_DIR]/optee_rust/`. Teaclave\nTrustZone SDK in OP-TEE repo is pinned to the release version. Alternatively,\nyou can try the develop version using `git pull`:\n\n```sh\ncd [YOUR_OPTEE_DIR]/optee_rust/\ngit pull github master\n```\n\n#### Develop on Other Platforms\n\nIf you are building trusted applications for other platforms ([platforms OP-TEE\nsupported](https://optee.readthedocs.io/en/latest/general/platforms.html)). QEMU\nand the filesystem in the OP-TEE repo are not needed.  You can follow these\nsteps to clone the project and build applications independently from the\ncomplete OP-TEE repo. In this case, the necessary OP-TEE libraries are\ninitialized in the setup process.\n\n1. The complete list of prerequisites can be found here: [OP-TEE\nPrerequisites](https://optee.readthedocs.io/en/latest/building/prerequisites.html).\n\n   ```sh\n   # install dependencies\n   sudo apt-get install android-tools-adb android-tools-fastboot autoconf \\\n   automake bc bison build-essential ccache cscope curl device-tree-compiler \\\n   expect flex ftp-upload gdisk iasl libattr1-dev libc6:i386 libcap-dev \\\n   libfdt-dev libftdi-dev libglib2.0-dev libhidapi-dev libncurses5-dev \\\n   libpixman-1-dev libssl-dev libstdc++6:i386 libtool libz1:i386 make \\\n   mtools netcat python-crypto python3-crypto python-pyelftools \\\n   python3-pycryptodome python3-pyelftools python-serial python3-serial \\\n   rsync unzip uuid-dev xdg-utils xterm xz-utils zlib1g-dev\n   ```\n\n   Alternatively, you can use a docker container built with our\n   [Dockerfile](Dockerfile).\n\n2. After installing dependencies or building the Docker image, fetch the source\n   code from the official GitHub repository:\n   \n   ```sh\n   git clone https://github.com/apache/incubator-teaclave-trustzone-sdk.git\n   cd incubator-teaclave-trustzone-sdk\n   ```\n\n### Setup Building Environment\n\nCurrently, we support building on both `aarch64` and `x86_64` host machines, and\n they share the same steps.\n\n1. Install the Rust environment and toolchains:\n\n   ```sh\n   ./setup.sh\n   ```\n\n2. Build OP-TEE libraries\n\n   By default, the `OPTEE_DIR` is \n   `incubator-teaclave-trustzone-sdk/optee/`. OP-TEE submodules \n   (`optee_os` and `optee_client` for QEMUv8) will be initialized \n   automatically by executing:\n\n   ```sh\n   ./build_optee_libraries.sh optee/\n   ```\n\n3. Before building applications, set up the configuration:\n\n   a. By default, the target platform is `aarch64` for both CA and TA. If \n   you want to build for the `arm` target, you can set up `ARCH`:\n\n   ```sh\n   export ARCH_HOST=arm\n   export ARCH_TA=arm\n   ```\n\n   b. By default, the build is for `no-std` TA. If you want to enable \n   `std` TA, set the `STD` variable:\n\n   ```sh\n   export STD=y\n   ```\n\n4. Run this script to set up all toolchain and library paths:\n\n   ```sh\n   source environment\n   ```\n\n### Build Examples\n\nRun this command to build all Rust examples:\n\n``` sh\nmake examples\n```\n\nOr build your own CA and TA:\n\n```sh\nmake -C examples/[YOUR_APPLICATION]\n```\n\nBesides, you can collect all example CAs and TAs to\n`/incubator-teaclave-trustzone-sdk/out`:\n\n```sh\nmake examples-install\n```\n\n### Run Rust Applications\n\nConsidering the platform has been chosen\n([QEMUv8](#run-rust-applications-in-qemuv8) or\n[other](#run-rust-applications-on-other-platforms)), the ways to run the Rust\napplications are different.\n\n#### Run Rust Applications in QEMUv8\n\n1. The shared folder is needed to share CAs and TAs with the QEMU guest system.\nRecompile QEMU in OP-TEE to enable QEMU VirtFS:\n\n```sh\n(cd $OPTEE_DIR/build \u0026\u0026 make QEMU_VIRTFS_ENABLE=y qemu)\n```\n\n2. Copy all the Rust examples or your own applications to the shared folder:\n\n```sh\nmkdir shared_folder\ncd [YOUR_OPTEE_DIR]/optee_rust/ \u0026\u0026 make examples-install)\ncp -r [YOUR_OPTEE_DIR]/optee_rust/out/* shared_folder/\n```\n\n3. Run QEMU:\n\n```sh\n(cd $OPTEE_DIR/build \u0026\u0026 make run-only QEMU_VIRTFS_ENABLE=y\nQEMU_VIRTFS_HOST_DIR=$(pwd)/shared_folder)\n```\n\n4. After the QEMU has been booted, you need to mount the shared folder in the\nQEMU guest system (username: root), in order to access the compiled CA/TA from\nQEMU. Run the command as follows in the QEMU guest terminal:\n\n```sh\nmkdir shared \u0026\u0026 mount -t 9p -o trans=virtio host shared\n```\n\n5. Then run CA and TA as [this\ndocumentation](https://optee.readthedocs.io/en/latest/building/optee_with_rust.html)\ndescribes.\n\n#### Run Rust Applications on Other Platforms\n\nCopy the applications to your platform and run.\n\n### Test\n\nIn the `tests/` directory, we offer comprehensive tests for examples. The \napplications can run on a pre-built QEMU image, independently of cloning the \nOP-TEE repo. You can compose a simple test here to validate your application.\n\n## Documentation\n\n- [Overview of OP-TEE Rust\n  Examples](https://teaclave.apache.org/trustzone-sdk-docs/overview-of-optee-rust-examples/)\n- [Debugging OP-TEE\n  TA](https://teaclave.apache.org/trustzone-sdk-docs/debugging-optee-ta.md/)\n- [Host API\n  Reference](https://teaclave.apache.org/api-docs/trustzone-sdk/optee-teec/)\n- [TA API\n  Reference](https://teaclave.apache.org/api-docs/trustzone-sdk/optee-utee/)\n\n## Publication\n\nMore details about the design and implementation can be found in our paper\npublished in ACSAC 2020:\n[RusTEE: Developing Memory-Safe ARM TrustZone\nApplications](https://csis.gmu.edu/ksun/publications/ACSAC20_RusTEE_2020.pdf).\nHere is the BiBTeX record for your reference.\n\n```bibtex\n@inproceedings{wan20rustee,\n    author    = \"Shengye Wan and Mingshen Sun and Kun Sun and Ning Zhang and Xu\nHe\",\n    title     = \"{RusTEE: Developing Memory-Safe ARM TrustZone Applications}\",\n    booktitle = \"Proceedings of the 36th Annual Computer Security Applications\nConference\",\n    series    = \"ACSAC '20\",\n    year      = \"2020\",\n    month     = \"12\",\n}\n```\n\n## Contributing\n\nTeaclave is open source in [The Apache\nWay](https://www.apache.org/theapacheway/),\nwe aim to create a project that is maintained and owned by the community. All\nkinds of contributions are welcome.\nThanks to our [contributors](https://teaclave.apache.org/contributors/).\n\n## Community\n\n- Join us on our [mailing\n  list](https://lists.apache.org/list.html?dev@teaclave.apache.org).\n- Follow us at [@ApacheTeaclave](https://twitter.com/ApacheTeaclave).\n- See [more](https://teaclave.apache.org/community/).\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fapache%2Fincubator-teaclave-trustzone-sdk","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fapache%2Fincubator-teaclave-trustzone-sdk","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fapache%2Fincubator-teaclave-trustzone-sdk/lists"}