{"id":14966217,"url":"https://github.com/ibm/ace-riscv","last_synced_at":"2025-05-02T22:31:19.670Z","repository":{"id":197192732,"uuid":"695282199","full_name":"IBM/ACE-RISCV","owner":"IBM","description":"Assured confidential execution (ACE) implements VM-based trusted execution environment (TEE) for RISC-V with focus on a formally verified and auditable security monitor.","archived":false,"fork":false,"pushed_at":"2025-04-28T22:36:01.000Z","size":2203,"stargazers_count":47,"open_issues_count":1,"forks_count":12,"subscribers_count":4,"default_branch":"main","last_synced_at":"2025-04-28T23:41:13.467Z","etag":null,"topics":["confidential-computing","coq","formal-verification","refinedrust","riscv","rust-lang","security","trusted-computing","trusted-execution-environment","virtualization"],"latest_commit_sha":null,"homepage":"","language":"Rust","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/IBM.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":"CONTRIBUTING.md","funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":"security-monitor/.cargo/audit.toml","support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null}},"created_at":"2023-09-22T19:01:45.000Z","updated_at":"2025-04-16T12:54:08.000Z","dependencies_parsed_at":"2023-10-02T01:39:01.607Z","dependency_job_id":"14fb4f77-a63a-4207-b708-6fbceb39c80f","html_url":"https://github.com/IBM/ACE-RISCV","commit_stats":{"total_commits":64,"total_committers":5,"mean_commits":12.8,"dds":0.1875,"last_synced_commit":"c157ec749b67480dad879882003131639298e7ba"},"previous_names":["ibm/ace-riscv"],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/IBM%2FACE-RISCV","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/IBM%2FACE-RISCV/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/IBM%2FACE-RISCV/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/IBM%2FACE-RISCV/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/IBM","download_url":"https://codeload.github.com/IBM/ACE-RISCV/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":252116228,"owners_count":21697339,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["confidential-computing","coq","formal-verification","refinedrust","riscv","rust-lang","security","trusted-computing","trusted-execution-environment","virtualization"],"created_at":"2024-09-24T13:36:01.510Z","updated_at":"2025-05-02T22:31:14.661Z","avatar_url":"https://github.com/IBM.png","language":"Rust","funding_links":[],"categories":[],"sub_categories":[],"readme":"# Assured Confidential Execution (ACE) for RISC-V \n![Build Status](https://github.com/IBM/ACE-RISCV/actions/workflows/build.yml/badge.svg?branch=main)\n\n\u003cimg src=\".github/ace.png\" align=\"right\" width=\"100\" height=\"100\"\u003e \n \nACE-RISCV is an open-source project, whose goal is to deliver a confidential computing framework with a formally proven security monitor. It is based on the [canonical architecture](https://dl.acm.org/doi/pdf/10.1145/3623652.3623668) and targets RISC-V with the goal of being portable to other architectures. The formal verification efforts focus on the [security monitor implementation](security-monitor/). We invite collaborators to work with us to push the boundaries of provable confidential computing technology. \n\nThis project implements the RISC-V CoVE spec's deployment model 3 referenced in [Appendix D](https://github.com/riscv-non-isa/riscv-ap-tee/blob/main/). \n\n**This is an active research project, without warranties of any kind.** Please read our [paper](https://dl.acm.org/doi/pdf/10.1145/3623652.3623668) to learn about the approach and goals.\n\n## Hardware requirements\nWe are currently building on RISC-V 64-bit with integer (I), atomic (A) and hypervisor extentions (H), physical memory protection (PMP), memory management unit (MMU), IOPMP, core-local interrupt controller (CLINT), and supervisor timecmp extension (Sstc). \n\n## Quick Start\nFollow instructions to run one of the sample [confidential workloads](confidential-vms) under an [untrusted Linux KVM hypervisor](hypervisor/) in an [emulated RISC-V environment](qemu/).\n\n### Requirements\nFull compilation of the framework takes a long time because many tools are built from sources. Our toolchain currently includes: a RISC-V emulator (`qemu`), hypervisor kernel (`Linux kernel`), and firmware (`security monitor` with `OpenSBI firmware`). Make sure to build this project on a machine with at least 4 cores, 4GB RAM, and 50GB disk space for reasonable (~30min) build time.\n\n### Dependencies\nYou must install build dependencies specific to the operating system you use AND install the Rust toolchain. You can also look at the [reproducible build configuration](.github/workflows/build.yml) of the continous integration (CI) system.\n\nDependencies for Ubuntu 22.04\n```\nsudo apt update\n\n# riscv-gnu-toolchain dependencies:\nsudo apt -qq -y install autoconf automake autotools-dev curl python3 libmpc-dev libmpfr-dev libgmp-dev gawk build-essential bison flex texinfo gperf libtool patchutils bc zlib1g-dev libexpat-dev\n\n# OpenSBI\nsudo apt -qq -y install clang\n\n# Qemu 8.2\nsudo apt -qq -y install git libglib2.0-dev libfdt-dev libpixman-1-dev zlib1g-dev ninja-build python3-venv libslirp-dev\n\n# Buildroot\nsudo apt -qq -y install unzip sed binutils diffutils build-essential bash patch gzip bzip2 perl tar cpio unzip rsync file bc findutils\n\n# utilities\nsudo apt install -y sshpass\n```\n\nInstall the latest Rust:\n```\ncurl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sh -s -- -y\nsource \"$HOME/.cargo/env\"\nrustup default nightly\nrustup target add riscv64gc-unknown-none-elf\nrustup component add rustfmt\ncargo install cargo-binutils\n\n# check that the below lines are in the ~/.bashrc\n. \"$HOME/.cargo/env\"\n```\n\n### Sources\nCheckout this repository with submodules (this takes a long time!):\n```\ngit clone --recurse-submodules git@github.com:IBM/ACE-RISCV.git\n```\n\n### Compilation\n#### Prerequisites\nRun the following commands from the directory containing this README file.\n\nMake sure once again that all submodules are fetched:\n```\ngit submodule update --init --recursive\n```\n\nSet up the ACE_DIR variable to point to the location where the project will build. Default is the `build/` subdirectory of the location where you will execute the `make` command.\n```\nexport ACE_DIR=/your/path/to/build/ace\n```\n\n#### Build everything\nThe following command will build the entire framework. Set `-j` flag to the number of processor cores you have in the system. Below command assumes that you have 4 cores.\n```\nMAKEFLAGS=\"--silent -j4\" make\n```\n\n#### Build individual components\nAlternativly, you can build individual components to avoid long builds that can lead to 'ssh disconnections', 'hangups', and similar issues. \n\nInstall all develoment tools required to compile code for the RISC-V architecture:\n```\nmake devtools\n```\n\nBuild the host OS -- [a Linux KVM hypervisor](hypervisor/):\n```\nmake hypervisor\n```\n\nBuild [the low level firmware](security-monitor/opensbi) responsible for the boot process. This command will also build the [security monitor (SM)](security-monitor/):\n```\nmake firmware\n```\n\nBuild sample [confidential workloads](confidential-vms/):\n```\nmake confidential_vms\n```\n\nBuild the RISC-V emulator and utility tools that simplify running the test environment:\n```\nmake emulator\n```\n\n## Run and Test\nMake sure you have the `ACE_DIR` environmental variable set and it points to the location of your build. Check the 'Compilation' section in case this variable is not set.\n```\necho $ACE_DIR\n```\n\nTo run the test environment on a RISC-V emulator run:\n```\n${ACE_DIR}/tools/ace run\n```\n\nYou should see the output from the boot process and a promt to login to the hypervisor:\n```\n# login: root, password: passwd\n```\n\nTo run the sample Linux OS as a confidential VM execute:\n```\n./run_linux_vm.sh\n```\n\nTo run the sample `baremetal` as a confidential VM execute:\n```\n./run_baremetal.sh\n```\n\n\n# License\nThis repository is distributed under the terms of the Apache 2.0 License, see [LICENSE](LICENSE).\n\n# Citation\n```\n@inproceedings{ozga2023riscvtee,\n    title={Towards a Formally Verified Security Monitor for VM-based Confidential Computing},\n    author={Ozga, Wojciech and Hunt, Guerney D. H. and Le, Michael V. and Palmer, Elaine R. and Shinnar, Avraham},\n    booktitle = {Proceedings of the 12th International Workshop on Hardware and Architectural Support for Security and Privacy},\n    series = {HASP2023},\n    year={2023}\n}\n```\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fibm%2Face-riscv","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fibm%2Face-riscv","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fibm%2Face-riscv/lists"}