{"id":50417876,"url":"https://github.com/asterinas/jinzhao-disk","last_synced_at":"2026-05-31T07:02:02.083Z","repository":{"id":148278642,"uuid":"511004272","full_name":"asterinas/jinzhao-disk","owner":"asterinas","description":"Jinzhao Disk (JinDisk) is a log-structured secure block device for TEEs. This repo is JinDisk's Linux version.","archived":false,"fork":false,"pushed_at":"2023-05-26T03:07:32.000Z","size":1040,"stargazers_count":36,"open_issues_count":5,"forks_count":11,"subscribers_count":1,"default_branch":"master","last_synced_at":"2025-07-18T06:10:45.404Z","etag":null,"topics":["linux","security","storage","tee"],"latest_commit_sha":null,"homepage":"","language":"C","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"other","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/asterinas.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"COPYING","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":"docs/security-considerations.md","support":null,"governance":null,"roadmap":null,"authors":null}},"created_at":"2022-07-06T05:44:24.000Z","updated_at":"2025-01-13T13:37:47.000Z","dependencies_parsed_at":"2023-12-26T03:45:04.273Z","dependency_job_id":null,"html_url":"https://github.com/asterinas/jinzhao-disk","commit_stats":null,"previous_names":["asterinas/jinzhao-disk","jinzhao-dev/jinzhao-disk"],"tags_count":0,"template":false,"template_full_name":null,"purl":"pkg:github/asterinas/jinzhao-disk","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/asterinas%2Fjinzhao-disk","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/asterinas%2Fjinzhao-disk/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/asterinas%2Fjinzhao-disk/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositori
es/asterinas%2Fjinzhao-disk/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/asterinas","download_url":"https://codeload.github.com/asterinas/jinzhao-disk/tar.gz/refs/heads/master","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/asterinas%2Fjinzhao-disk/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":33722156,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-05-26T15:22:16.424Z","status":"online","status_checked_at":"2026-05-31T02:00:06.040Z","response_time":95,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["linux","security","storage","tee"],"created_at":"2026-05-31T07:02:01.197Z","updated_at":"2026-05-31T07:02:02.066Z","avatar_url":"https://github.com/asterinas.png","language":"C","funding_links":[],"categories":[],"sub_categories":[],"readme":"# Jinzhao Disk\n\n## Introduction\n\nJinzhao Disk (or JinDisk) is a **log-structured secure block device for TEEs**, which has the following key features:\n\n* **Transparent protection.** As a block device, JinDisk can _transparently_ protect any file system (e.g., Ext4) that is stacked upon it and runs inside a TEE from a strong adversary outside the TEE.\n\n* **Strong security.** JinDisk promises six security properties: _confidentiality_, _integrity_, _freshness_, _consistency_, _atomicity_, and _anonymity_. 
For more information, see [the security goal](#security-goal) below.\n\n* **High performance.** Thanks to its unique log-structured design, JinDisk can deliver an excellent I/O performance that is close to the theoretically optimal level.\n\n## Security Goal\n\nJinDisk targets a typical setting of TEE usage, where applications are ported into the TEE with no (or few) modifications thanks to a TEE-aware runtime. For enclave TEEs (e.g., Intel SGX), one popular choice for such a runtime is library OSes (e.g., [Occlum](https://github.com/occlum/occlum)). For VM TEEs (e.g., AMD SEV), one can choose off-the-shelf OS kernels like Linux.\n\n![The threat model of JinDisk.](./docs/figures/jindisk-threat-model.png)\n\nAs shown in the image above, the TEE runtime is integrated with JinDisk, which serves as a trusted logical block device that supports four standard block I/O commands including `read()`, `write()`, `flush()`, and `trim()`. From the perspective of JinDisk's users (e.g., file systems), all data written to or read from JinDisk is in plaintext. 
To serve these I/O requests securely, JinDisk takes some extra security measures, including but not limited to encrypting/decrypting the data transferred to/from the host block device properly.\n\nTo distinguish between the addresses on the trusted logical block device (i.e., JinDisk) and on the untrusted host block device, we term the former as _logical block addresses (LBAs)_ and the latter _host block addresses (HBAs)_.\n\nThe security goal of JinDisk is to provide to its users (e.g., file systems) the following six security guarantees:\n\n* **Confidentiality** guarantees that the user data submitted by any write is not leaked and thus prevents tampering attacks.\n* **Integrity** promises that the user data returned from any read are genuinely generated by the user and thus prevents snooping attacks.\n* **Freshness** ensures that the user data returned from any read are up-to-date and thus prevents rollback attacks.\n* **Consistency** ensures that all the security guarantees are held despite any accidental crashes or crashing attacks.\n* **Atomicity** promises that all writes before a flush are persisted in an all-or-nothing manner.\n* **Anonymity** avoids LBA leakage in the sense that the adversary cannot learn LBAs from the on-disk data structures directly or infer LBAs from HBAs.\n\nPrior disk I/O protection solutions only provide a subset of JinDisk's security guarantees. For example, Linux's [dm-crypt](https://docs.kernel.org/admin-guide/device-mapper/dm-crypt.html) and [dm-integrity](https://docs.kernel.org/admin-guide/device-mapper/dm-crypt.html) only protect confidentiality and integrity, respectively. Although Linux's [dm-verity](https://docs.kernel.org/admin-guide/device-mapper/verity.html) ensures both integrity and freshness, it is read-only. 
As another example, [Intel SGX Protected File System Library](https://www.intel.com/content/www/us/en/developer/articles/technical/overview-of-intel-protected-file-system-library-using-software-guard-extensions.html) protects confidentiality, integrity, freshness, and consistency, but falls short of atomicity and anonymity.\n\n## Implementations\n\nAs of this moment, JinDisk has two implementations.\n\n* The Linux version, written in C ([this repository](https://github.com/jinzhao-dev/jindisk)), is for use in VM TEEs like [AMD SEV](https://developer.amd.com/sev/) and [Intel TDX](https://www.intel.com/content/www/us/en/developer/articles/technical/intel-trust-domain-extensions.html).\n* The [Occlum](https://github.com/occlum/occlum) version, written in Rust, is for use in [Intel SGX](https://www.intel.com/content/www/us/en/developer/tools/software-guard-extensions/overview.html) enclaves.\n\nBoth implementations are being developed actively. They are ready for technical preview, but still lack some production-grade features.\n\nOur long-term plan is to ultimately merge the two implementations into one unified Rust implementation that can be integrated with Linux, Occlum, and probably other OSes as well. 
We will submit patches to the Linux community so that JinDisk may eventually be included in mainline Linux.\n\nFor more information about the design of JinDisk, see [the paper]().\n\n## How to Use\n\nThe repository contains the Linux version of JinDisk, which consists of two parts:\n\n* [`kernel-module`](kernel-module/) is the kernel-space component of JinDisk, a [Linux device mapper](https://www.kernel.org/doc/html/next/admin-guide/device-mapper/index.html) target that implements the log-structured secure block device.\n\n* [`user-cli`](user-cli/) is the user-space component of JinDisk, which includes a set of tools used to set up JinDisk-enabled virtual disks conveniently.\n\n## License\n\nExcept where noted otherwise, the individual files within this package are licensed under the 3-Clause BSD license. However, when linked together to form a Linux kernel module, the resulting Linux kernel module is dual-licensed under BSD/GPLv2.\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fasterinas%2Fjinzhao-disk","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fasterinas%2Fjinzhao-disk","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fasterinas%2Fjinzhao-disk/lists"}