{"id":50417890,"url":"https://github.com/asterinas/hyperenclave","last_synced_at":"2026-05-31T07:02:02.934Z","repository":{"id":259839858,"uuid":"863929994","full_name":"asterinas/hyperenclave","owner":"asterinas","description":"HyperEnclave is an open and cross-platform trusted execution environment.","archived":false,"fork":false,"pushed_at":"2025-01-21T07:38:50.000Z","size":385,"stargazers_count":33,"open_issues_count":13,"forks_count":4,"subscribers_count":2,"default_branch":"master","last_synced_at":"2025-01-21T08:27:11.476Z","etag":null,"topics":["hypervisor","rust","tee"],"latest_commit_sha":null,"homepage":"","language":"Rust","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/asterinas.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2024-09-27T07:16:43.000Z","updated_at":"2025-01-21T07:38:54.000Z","dependencies_parsed_at":"2024-10-28T09:47:28.301Z","dependency_job_id":"87002fc0-0059-4677-8e4a-3421dad732dc","html_url":"https://github.com/asterinas/hyperenclave","commit_stats":null,"previous_names":["asterinas/hyperenclave"],"tags_count":0,"template":false,"template_full_name":null,"purl":"pkg:github/asterinas/hyperenclave","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/asterinas%2Fhyperenclave","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/asterinas%2Fhyperenclave/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/asterinas%2Fhyperenclave/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/asterinas%2Fh
yperenclave/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/asterinas","download_url":"https://codeload.github.com/asterinas/hyperenclave/tar.gz/refs/heads/master","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/asterinas%2Fhyperenclave/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":33722156,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-05-26T15:22:16.424Z","status":"online","status_checked_at":"2026-05-31T02:00:06.040Z","response_time":95,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["hypervisor","rust","tee"],"created_at":"2026-05-31T07:02:01.907Z","updated_at":"2026-05-31T07:02:02.928Z","avatar_url":"https://github.com/asterinas.png","language":"Rust","funding_links":[],"categories":[],"sub_categories":[],"readme":"\u003cp align=\"center\"\u003e\n    \u003ca href=\"https://github.com/HyperEnclave/hyperenclave\"\u003e\n        \u003cimg alt=\"HyperEnclave Logo\" src=\"docs/images/logo.svg\" width=\"75%\" /\u003e\n    \u003c/a\u003e\n\u003c/p\u003e\n\u003cp align=\"center\"\u003e\n    \u003ca href=\"https://github.com/HyperEnclave/hyperenclave/blob/master/LICENSE\"\u003e\n        \u003cimg alt=\"License\" src=\"https://img.shields.io/badge/license-Apache--2.0-blue\" /\u003e\n    \u003c/a\u003e\n\u003c/p\u003e\n\nHyperEnclave is an open and cross-platform trusted execution environment which runs on heterogeneous CPU 
platforms but decouples its root of trust from CPU vendors. By its nature, HyperEnclave calls for a better TEE ecosystem with improved transparency and trustworthiness. HyperEnclave has been implemented on various commodity CPU platforms and deployed in real-world confidential computing workloads.\n\n\n# Key features\n\n- **Unified abstractions.** Provide unified SGX-like abstraction with virtualization hardware.\n\n- **Controlled RoT.** RoT (Root of Trust) has been decoupled from CPU vendors and built on the trustworthy TPM.\n\n- **Proved security.** The first commercial Rust hypervisor that has been formally verified.\n\n- **Auditability.** The core has been open-sourced and audited by the National Authority.\n\n\n# Supported CPU List\nWe have successfully built HyperEnclave and performed tests on the following CPUs:\n## [Intel](https://www.intel.com/)\n- Intel(R) Xeon(R) Gold 6342 CPU @ 2.80GHz\n- Intel 11th Gen Intel(R) Core(TM) i5-1135G7 @ 2.40GHz\n## [AMD](https://www.amd.com/)\n- AMD EPYC 7601 64-core Processor @2.2GHz\n- AMD Ryzen R3-5300G 4-core Processor @4GHz\n## [Hygon](https://www.hygon.cn/)\n- Hygon C86 7365 24-core Processor @2.50GHz\n- Hygon C86 3350 8-core Processor @2.8GHz\n## [ZHAOXIN](https://www.zhaoxin.com/)\n- ZHAOXIN KH-40000 @2.0/2.2GHz\n- ZHAOXIN KX-6000 @3.0GHz\n\n\n# Quick start\n\n## Prerequisites\n\n### Software version\n\n- Ubuntu 20.04 and Ubuntu 22.04\n- Linux kernel in [Supported Linux kernel version](#supported-linux-kernel-version)\n- Linux kernel headers (for building the driver)\n- Docker\n- GCC \u003e= 6.5\n\n\n#### Supported Linux kernel version\n\n- Linux kernel 5.10 (**Recommended**)\n- Linux kernel 5.4 with fsgsbase support\n\n\n**Updates on 2024.11:** We do not support Linux kernel 4.19 with Ubuntu OS anymore.\n\n\nWe can check the kernel version by:\n```bash\n$ uname -r\n```\n\nand install the required kernel (if necessary) by:\n\n```bash\n# Download scripts for installing kernel\n$ sudo apt install wget\n$ wget 
https://raw.githubusercontent.com/pimlie/ubuntu-mainline-kernel.sh/master/ubuntu-mainline-kernel.sh\n$ chmod +x ubuntu-mainline-kernel.sh\n# Download and install Linux 5.10 or 5.4.0 kernel.\n$ sudo ./ubuntu-mainline-kernel.sh -i [5.10.0 | 5.4.0]\n\n# Reboot the system, and we need to select the kernel in grub menu.\n$ sudo reboot\n```\n\nFor Linux kernel 5.4, **enabled_rdfsbase** kernel modules must be installed by following the instructions [here](https://github.com/occlum/enable_rdfsbase).\n\nAfter the Linux kernel is installed, check that rdfsbase/rdgsbase is enabled:\n```bash\n$ cd scripts\n$ ./check_prereq.sh\n$ cd ..\n```\n\nAnd the output:\n```\n[Check FSGSBASE]: PASS\n```\n\nindicates that the rdfsgsbase/wrfsgsbase is enabled on your platform.\n\n### Hardware requirements\n- **CPU \u0026 Virtualization**: An Intel, AMD, or HYGON processor that supports and has enabled virtualization (VMX for Intel, AMD-V for AMD) in the BIOS.\n- **IOMMU**: Intel VT-d or AMD IOMMU must be supported and enabled in the BIOS.\n- **Memory**: At least 8GB of RAM.\n\n## Steps\n\n### Step-1: Get the full system memory size and reserve secure memory for HyperEnclave in kernel’s command-line\n\n- **Step 1.a**: Get the full system memory size: `full_system_size`, and reserved memory size: `reserved_mem_size`\n\n```bash\n$ free -h\n               total        used        free      shared  buff/cache   available\nMem：       15Gi       1.3Gi        11Gi       2.0Mi       3.5Gi        14Gi\nSwap：      2.0Gi          0B       2.0Gi\n```\n\nFor the example above, the `full_system_size` is 15G, so `reserved_mem_size` equals `full_system_size / 2` = 8G\n\n- **Step 1.b**: Reserve secure memory for HyperEnclave\n\nOpen and modify the `/etc/default/grub` file, and append the following configurations for `GRUB_CMDLINE_LINUX`:\n\n```\nmemmap=[reserved_mem_size]G\\\\\\$0x100000000 iommu=off intremap=off no5lvl\n```\n\nFor the example above, the configuration should 
be:\n```\nmemmap=8G\\\\\\$0x100000000 iommu=off intremap=off no5lvl\n```\n\n- **Step 1.c**: Apply the new grub configuration and reboot the system\n\n```bash\n$ sudo update-grub\n$ sudo reboot\n```\n\n- **Step 1.d**: Verify that the configuration takes effect\n\nAfter reboot, check whether the modified kernel command line has taken effect:\n\n```bash\n$ cat /proc/cmdline\n```\n\nYou can see:\n```\nBOOT_IMAGE=/boot/vmlinuz-... root=... memmap=8G$0x100000000 iommu=off intremap=off no5lvl ...\n```\n\n\n### Step-2: Clone the repository\n\n```bash\n$ git clone https://github.com/asterinas/hyperenclave.git\n$ git clone https://github.com/asterinas/hyperenclave-driver.git\n```\n\n### Step-3: Build the HyperEnclave's driver\n```bash\n$ cd hyperenclave-driver\n$ make\n$ cd ..\n```\n\n### Step-4: Build and install HyperEnclave\n\n- **Step 4.a**: Install Rust toolchain\n\n```bash\n# Install rust toolchain \n$ curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sh\n$ source $HOME/.cargo/env\n$ rustup component add rust-src\n```\n\n- **Step 4.b**: Build and install HyperEnclave\n\nHyperEnclave now supports three CPU vendors:\n1. Intel\n2. AMD\n3. 
Hygon\n\nWe need to choose the correct CPU vendor and run the following script:\n\n```bash\n$ bash -x scripts/build_and_install_hyperenclave.sh [Intel | AMD | Hygon]\n```\n\n### Step-5: Start HyperEnclave\n\n```bash\n$ cd hyperenclave/scripts\n$ bash -x start_hyperenclave.sh\n$ cd ../..\n```\n\nShow the messages in the kernel ring buffer by:\n```bash\n$ dmesg\n```\nAnd you can see:\n```\n...\n[0] Activating hypervisor on CPU 0...\n[1] Activating hypervisor on CPU 1...\n[2] Activating hypervisor on CPU 2...\n[3] Activating hypervisor on CPU 3...\n[4] Activating hypervisor on CPU 4...\n[5] Activating hypervisor on CPU 5...\n[6] Activating hypervisor on CPU 6...\n[7] Activating hypervisor on CPU 7...\n...\n```\n\nThis indicates that HyperEnclave started successfully.\n\n### Step-6: Run TEE applications\n\nWe provide several sample TEE applications running atop HyperEnclave. All of them are integrated into our docker image.\n\nHere are instructions for starting the docker container:\n```bash\n# Pull the docker image\n$ docker pull occlum/hyperenclave:0.27.10-hypermode-1.3.0-ubuntu20.04\n\n# Start the container\n$ docker run -dt --net=host --device=/dev/hyperenclave \\\n                --name hyperenclave_container \\\n                -w /root \\\n                occlum/hyperenclave:0.27.10-hypermode-1.3.0-ubuntu20.04 \\\n                bash\n\n# Enter the container\n$ docker exec -it hyperenclave_container bash\n```\n\n#### SGX SDK Samples\n\nYou can run TEE applications developed based on [Intel SGX SDK](https://github.com/intel/linux-sgx). All the SGX SDK's sample codes are preinstalled in our docker image at `/opt/intel/sgxsdk/SampleCode`. 
Here are two samples (commands should be run inside the Docker container):\n\n- SampleEnclave\n```bash\n$ cd /opt/intel/sgxsdk/SampleCode/SampleEnclave\n$ make\n$ ./app\nInfo: executing thread synchronization, please wait...\nInfo: SampleEnclave successfully returned.\n```\n\n- RemoteAttestation\n\nRefer to `demos/RemoteAttestation` for more information.\n\n#### Occlum demos\n\nYou can also run TEE applications developed based on [Occlum](https://github.com/occlum/occlum). All the Occlum demos are preinstalled in our docker image at `/root/occlum/demos`.\n\nWe take `hello_c` as an example (commands should be run inside the Docker container):\n```bash\n$ cd /root/occlum/demos/hello_c\n\n# Compile the user program with the Occlum toolchain\n$ occlum-gcc -o hello_world hello_world.c\n# Ensure the program works well outside enclave\n$ ./hello_world\nHello World\n\n# Initialize a directory as the Occlum instance, and prepare the Occlum's environment\n$ mkdir occlum_instance \u0026\u0026 cd occlum_instance\n$ occlum init\n$ cp ../hello_world image/bin/\n$ occlum build\n\n# Run the user program inside a HyperEnclave enclave via occlum run\n$ occlum run /bin/hello_world\nHello World!\n```\n\n\n# Academic publications\n[**USENIX ATC'22**] [HyperEnclave: An Open and Cross-platform Trusted Execution Environment.](https://www.usenix.org/conference/atc22/presentation/jia-yuekai)\nYuekai Jia, Shuang Liu, Wenhao Wang, Yu Chen, Zhengde Zhai, Shoumeng Yan, and Zhengyu He. 2022 USENIX Annual Technical Conference (USENIX ATC 22). 
Carlsbad, CA, Jul, 2022.\n\n```\n@inproceedings {jia2022hyperenclave,\n  author = {Yuekai Jia and Shuang Liu and Wenhao Wang and Yu Chen and Zhengde Zhai and Shoumeng Yan and Zhengyu He},\n  title = {{HyperEnclave}: An Open and Cross-platform Trusted Execution Environment},\n  booktitle = {2022 USENIX Annual Technical Conference (USENIX ATC 22)},\n  year = {2022},\n  isbn = {978-1-939133-29-48},\n  address = {Carlsbad, CA},\n  pages = {437--454},\n  url = {https://www.usenix.org/conference/atc22/presentation/jia-yuekai},\n  publisher = {USENIX Association},\n  month = jul,\n}\n```\n\n[**ASPLOS'24**] [Verifying Rust Implementation of Page Tables in a Software Enclave Hypervisor.](https://dl.acm.org/doi/10.1145/3620665.3640398)\nZhenyang Dai, Shuang Liu, Vilhelm Sjoberg, Xupeng Li, Yu Chen, Wenhao Wang, Yuekai Jia, Sean Noble Anderson, Laila Elbeheiry, Shubham Sondhi, Yu Zhang, Zhaozhong Ni, Shoumeng Yan, Ronghui Gu, and Zhengyu He. 2024. Verifying Rust Implementation of Page Tables in a Software Enclave Hypervisor. In Proceedings of the 29th ACM International Conference on Architectural Support for Programming Languages and Operating Systems, Volume 2 (ASPLOS '24), Vol. 2. 
Association for Computing Machinery, New York, NY, USA, 1218–1232.\n\n```\n@inproceedings{10.1145/3620665.3640398,\nauthor = {Dai, Zhenyang and Liu, Shuang and Sjoberg, Vilhelm and Li, Xupeng and Chen, Yu and Wang, Wenhao and Jia, Yuekai and Anderson, Sean Noble and Elbeheiry, Laila and Sondhi, Shubham and Zhang, Yu and Ni, Zhaozhong and Yan, Shoumeng and Gu, Ronghui and He, Zhengyu},\ntitle = {Verifying Rust Implementation of Page Tables in a Software Enclave Hypervisor},\nyear = {2024},\nisbn = {9798400703850},\npublisher = {Association for Computing Machinery},\naddress = {New York, NY, USA},\nurl = {https://doi.org/10.1145/3620665.3640398},\ndoi = {10.1145/3620665.3640398},\nabstract = {As trusted execution environments (TEE) have become the corner stone for secure cloud computing, it is critical that they are reliable and enforce proper isolation, of which a key ingredient is spatial isolation. Many TEEs are implemented in software such as hypervisors for flexibility, and in a memory-safe language, namely Rust to alleviate potential memory bugs. Still, even if memory bugs are absent from the TEE, it may contain semantic errors such as mis-configurations in its memory subsystem which breaks spatial isolation.In this paper, we present the verification of the memory subsystem of a software TEE in Rust, namely HyperEnclave. We prove spatial isolation for the secure enclave though correct configuration of page tables for an early prototype of HyperEnclave. To formally model Rust code, we introduce a lightweight formal semantics for the Mid-level intermediate representation (MIR) of Rust. 
To make verification scalable for such a complex system, we incorporate the MIR semantics with a layered proof framework.},\nbooktitle = {Proceedings of the 29th ACM International Conference on Architectural Support for Programming Languages and Operating Systems, Volume 2},\npages = {1218–1232},\nnumpages = {15},\nkeywords = {formal verification, rust, trusted execution environments, extended page tables},\nlocation = {La Jolla, CA, USA},\nseries = {ASPLOS '24}\n}\n\n```\n\n# License\nExcept where noted otherwise, HyperEnclave's hypervisor is under the Apache License (Version 2.0). See the [LICENSE](./LICENSE) files for details.\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fasterinas%2Fhyperenclave","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fasterinas%2Fhyperenclave","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fasterinas%2Fhyperenclave/lists"}