Skip to content

Rust OP-TEE TrustZone SDK: Enabling Safe, Functional, and Ergonomic Development of Trustlets

License

Notifications You must be signed in to change notification settings

DemesneGH/rust-optee-trustzone-sdk

 
 

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 

Repository files navigation

Teaclave TrustZone SDK

License Release Homepage

Teaclave TrustZone SDK (Rust OP-TEE TrustZone SDK) provides abilities to build safe TrustZone applications in Rust. The SDK is based on the OP-TEE project which follows GlobalPlatform TEE specifications and provides ergonomic APIs. In addition, it enables the capability to write TrustZone applications with Rust's standard library (std) and many third-party libraries (i.e., crates). Teaclave TrustZone SDK is a sub-project of Apache Teaclave (incubating).

Teaclave TrustZone SDK provides two development modes for Rust TAs: no-std and std. We recommend using no-std by default. For a detailed comparison, please refer to Comparison.

UPDATES: We have developed a new build environment on the main branch, which will now be the only branch for development and maintenance and includes breaking changes to the legacy master branch. If you're using the master branch and wish to migrate to the new development branch (main), please refer to the migration guide.

Table of Contents

TA Development Modes

Comparison

no-std

  • Pros:

    • Reuses standard Rust tier-1 toolchain targets (aarch64-unknown-linux-gnu, arm-unknown-linux-gnueabihf).
    • Significant performance improvements.
    • Substantial reduction in binary size.
  • Cons:

    • Limited support for third-party crates. In the no-std mode, Trusted Applications (TAs) are unable to utilize crates dependent on the standard library (std).

std

  • Pros:

    • Enables the utilization of more third-party crates, including those requiring std, such as serde_json and rustls, which are essential for functionality.
  • Cons:

    • Manual porting of std with infrequent updates. Currently using std version 1.56.1 and Rust version nightly-2021-09-20. (Planned to update)

Supported Examples

  • Common: See Overview of OP-TEE Rust Examples.

  • no-std: Excludes test_serde, test_tcp_client, test_udp_socket, test_message_passing_interface, test_tls_client, test_tls_server.

Quick Start with the OP-TEE Repo for QEMUv8

Teaclave TrustZone SDK has been integrated into the OP-TEE Repo since OP-TEE Release 3.15.0 (18/Oct/21). The aarch64 Rust examples are built and installed into OP-TEE's default filesystem for QEMUv8. Follow this documentation to set up the OP-TEE repo and try the Rust examples!

UPDATES: The no-std TA has replaced the original std TAs since OP-TEE Release 4.1.0 (19/Jan/24).

Getting Started

Platforms

To get started with Teaclave TrustZone SDK, you could choose either QEMU for Armv8-A (QEMUv8) or other platforms (platforms OP-TEE supported) as your development environment.

Develop with QEMUv8

The OP-TEE libraries are needed when building Rust applications, so you should finish the Quick start with the OP-TEE Repo for QEMUv8 part first. Then initialize the building environment in Teaclave TrustZone SDK, build Rust applications and copy them into the target's filesystem.

Teaclave TrustZone SDK is located in [YOUR_OPTEE_DIR]/optee_rust/. Teaclave TrustZone SDK in OP-TEE repo is pinned to the release version. Alternatively, you can try the develop version using git pull:

cd [YOUR_OPTEE_DIR]/optee_rust/
git pull github master

Develop on Other Platforms

If you are building trusted applications for other platforms (platforms OP-TEE supported). QEMU and the filesystem in the OP-TEE repo are not needed. You can follow these steps to clone the project and build applications independently from the complete OP-TEE repo. In this case, the necessary OP-TEE libraries are initialized in the setup process.

  1. The complete list of prerequisites can be found here: OP-TEE Prerequisites.

    # install dependencies
    sudo apt-get install android-tools-adb android-tools-fastboot autoconf \
    automake bc bison build-essential ccache cscope curl device-tree-compiler \
    expect flex ftp-upload gdisk iasl libattr1-dev libc6:i386 libcap-dev \
    libfdt-dev libftdi-dev libglib2.0-dev libhidapi-dev libncurses5-dev \
    libpixman-1-dev libssl-dev libstdc++6:i386 libtool libz1:i386 make \
    mtools netcat python-crypto python3-crypto python-pyelftools \
    python3-pycryptodome python3-pyelftools python-serial python3-serial \
    rsync unzip uuid-dev xdg-utils xterm xz-utils zlib1g-dev

    Alternatively, you can use a docker container built with our Dockerfile.

  2. After installing dependencies or building the Docker image, fetch the source code from the official GitHub repository:

    git clone https://github.com/apache/incubator-teaclave-trustzone-sdk.git
    cd incubator-teaclave-trustzone-sdk

Setup Building Environment

  1. Install the Rust environment and toolchains:

    ./setup.sh
  2. Build OP-TEE libraries

    By default, the OPTEE_DIR is incubator-teaclave-trustzone-sdk/optee/. OP-TEE submodules (optee_os and optee_client for QEMUv8) will be initialized automatically by executing:

    ./build_optee_libraries.sh optee/
  3. Before building applications, set up the configuration:

    a. By default, the target platform is aarch64 for both CA and TA. If you want to build for the arm target, you can set up ARCH:

    export ARCH_HOST=arm
    export ARCH_TA=arm

    b. By default, the build is for no-std TA. If you want to enable std TA, set the STD variable:

    export STD=y
  4. Run this script to set up all toolchain and library paths:

    source environment

Build Examples

Run this command to build all Rust examples:

make examples

Or build your own CA and TA:

make -C examples/[YOUR_APPLICATION]

Besides, you can collect all example CAs and TAs to /incubator-teaclave-trustzone-sdk/out:

make examples-install

Run Rust Applications

Considering the platform has been chosen (QEMUv8 or other), the ways to run the Rust applications are different.

Run Rust Applications in QEMUv8

  1. The shared folder is needed to share CAs and TAs with the QEMU guest system. Recompile QEMU in OP-TEE to enable QEMU VirtFS:
(cd $OPTEE_DIR/build && make QEMU_VIRTFS_ENABLE=y qemu)
  1. Copy all the Rust examples or your own applications to the shared folder:
mkdir shared_folder
cd [YOUR_OPTEE_DIR]/optee_rust/ && make examples-install)
cp -r [YOUR_OPTEE_DIR]/optee_rust/out/* shared_folder/
  1. Run QEMU:
(cd $OPTEE_DIR/build && make run-only QEMU_VIRTFS_ENABLE=y
QEMU_VIRTFS_HOST_DIR=$(pwd)/shared_folder)
  1. After the QEMU has been booted, you need to mount the shared folder in the QEMU guest system (username: root), in order to access the compiled CA/TA from QEMU. Run the command as follows in the QEMU guest terminal:
mkdir shared && mount -t 9p -o trans=virtio host shared
  1. Then run CA and TA as this documentation describes.

Run Rust Applications on Other Platforms

Copy the applications to your platform and run.

Test

In the tests/ directory, we offer comprehensive tests for examples. The applications can run on a pre-built QEMU image, independently of cloning the OP-TEE repo. You can compose a simple test here to validate your application.

Documentation

Publication

More details about the design and implementation can be found in our paper published in ACSAC 2020: RusTEE: Developing Memory-Safe ARM TrustZone Applications. Here is the BiBTeX record for your reference.

@inproceedings{wan20rustee,
    author    = "Shengye Wan and Mingshen Sun and Kun Sun and Ning Zhang and Xu
He",
    title     = "{RusTEE: Developing Memory-Safe ARM TrustZone Applications}",
    booktitle = "Proceedings of the 36th Annual Computer Security Applications
Conference",
    series    = "ACSAC '20",
    year      = "2020",
    month     = "12",
}

Contributing

Teaclave is open source in The Apache Way, we aim to create a project that is maintained and owned by the community. All kinds of contributions are welcome. Thanks to our contributors.

Community

About

Rust OP-TEE TrustZone SDK: Enabling Safe, Functional, and Ergonomic Development of Trustlets

Resources

License

Security policy

Stars

Watchers

Forks

Releases

No releases published

Packages

No packages published

Languages

  • Rust 87.9%
  • Shell 9.9%
  • Makefile 1.7%
  • Dockerfile 0.5%