Hardware Abstraction Layer for Trusted Execution Environments in Confidential Computing
The ELASTIC TEE HAL (Hardware Abstraction Layer) provides a comprehensive interface for Trusted Execution Environment (TEE) workloads to interact with platform-specific hardware features while maintaining portability across different TEE implementations. Built for confidential computing applications, it offers WASI 0.2 compliance and supports both AMD SEV-SNP and Intel TDX platforms.
- Network Communication - TCP/UDP sockets with TLS/DTLS support
- Cryptographic Operations - Symmetric/asymmetric crypto, signing, platform attestation
- GPU Compute Interface - Hardware-accelerated compute pipelines
- Secure Random Generation - Cryptographically secure RNG with hardware entropy
- Time Operations - System time and monotonic clocks with TEE-aware timekeeping
- Encrypted Object Storage - Container-based storage with AES-GCM encryption
- Resource Management - Dynamic memory, CPU, and resource allocation tracking
- Event Handling - Priority-based inter-workload event communication
- Protected Communication - Secure Wasm-to-Wasm message passing
- Platform Capabilities - Runtime feature discovery and platform limits
- Platform Detection - Automatic TEE platform identification and initialization
- Hardware Attestation - Platform attestation report generation and verification
- Encrypted Storage - All data at rest encrypted with platform-derived keys
- Secure Boot - TEE secure boot verification and measurement
- Memory Protection - TEE-aware memory allocation and protection
- Network Security - TLS/DTLS with certificate management and validation
- AMD SEV-SNP - Secure Nested Paging with guest attestation β Fully Implemented
- Intel TDX - Trust Domain Extensions with measurement and attestation β
Fully Implemented
- Hardware RNG (RDRAND/RDSEED)
- TD Quote generation with MRTD and RTMR measurements
- TSM (Trust Security Module) integration
- All 4 WASI interfaces verified and operational
- ARM TrustZone - Future support planned
- Generic TEE - Fallback implementation for other platforms
- Rust 2021 Edition or later
- WASI 0.2 compatible runtime (Wasmtime recommended)
- TEE Platform - AMD SEV-SNP or Intel TDX
- GPU (optional) - For compute acceleration features
Add to your Cargo.toml:
[dependencies]
elastic-tee-hal = "0.1.0"use elastic_tee_hal::{ElasticTeeHal, HalResult};
#[tokio::main]
async fn main() -> HalResult<()> {
// Initialize HAL with automatic platform detection
// Detects AMD SEV-SNP or Intel TDX automatically
let hal = ElasticTeeHal::new()?;
// Initialize platform-specific features
hal.initialize().await?;
// Get platform capabilities
let capabilities = hal.get_capabilities().await?;
println!("Platform: {:?}", capabilities.platform_type);
println!("Features: {:?}", capabilities.features);
Ok(())
}use elastic_tee_hal::{CryptoInterface, HalResult};
async fn crypto_example() -> HalResult<()> {
let crypto = CryptoInterface::new().await?;
// Generate key pair
let keypair = crypto.generate_key_pair("Ed25519").await?;
// Sign data
let data = b"Hello, TEE!";
let signature = crypto.sign(&keypair.private_key, data, "Ed25519").await?;
// Verify signature
let is_valid = crypto.verify(&keypair.public_key, data, &signature, "Ed25519").await?;
println!("Signature valid: {}", is_valid);
// Platform attestation
let nonce = crypto.generate_nonce(32)?;
let attestation = crypto.get_platform_attestation(&nonce).await?;
println!("Attestation: {:?}", attestation);
Ok(())
}use elastic_tee_hal::{StorageInterface, StorageConfig, HalResult};
async fn storage_example() -> HalResult<()> {
let storage = StorageInterface::new().await?;
// Create encrypted storage container
let config = StorageConfig {
name: "my-container".to_string(),
capacity_mb: 100,
encrypted: true,
compression: true,
};
let container = storage.create_container(config).await?;
// Store encrypted object
let data = b"Confidential data";
let object_id = storage.store_object(container, "secret.txt", data, None).await?;
// Retrieve and decrypt object
let retrieved = storage.get_object(container, &object_id).await?;
println!("Retrieved: {:?}", String::from_utf8(retrieved));
Ok(())
}use elastic_tee_hal::{SocketInterface, HalResult};
async fn network_example() -> HalResult<()> {
let sockets = SocketInterface::new();
// Create secure TLS connection
let socket = sockets.create_tls_client(
"example.com:443",
"example.com",
None // Use default TLS config
).await?;
// Send data
let data = b"GET / HTTP/1.1\r\nHost: example.com\r\n\r\n";
sockets.send(socket, data).await?;
// Receive response
let response = sockets.receive(socket, 1024).await?;
println!("Response: {:?}", String::from_utf8_lossy(&response));
Ok(())
}use elastic_tee_hal::{CommunicationInterface, BufferConfig, MessageType, MessagePriority, HalResult};
async fn communication_example() -> HalResult<()> {
let comm = CommunicationInterface::new();
// Set up communication buffer
let config = BufferConfig {
name: "workload-channel".to_string(),
capacity: 4096,
is_encrypted: true,
read_permissions: vec!["workload1".to_string(), "workload2".to_string()],
write_permissions: vec!["workload1".to_string(), "workload2".to_string()],
admin_permissions: vec!["admin".to_string()],
};
let buffer_handle = comm.setup_communication_buffer(config).await?;
// Send message from workload1
let message_data = b"Hello from workload1!";
comm.push_data_to_buffer(
buffer_handle,
message_data,
"workload1",
MessageType::Data,
MessagePriority::Normal,
).await?;
// Receive message in workload2
if let Some(message) = comm.read_data_from_buffer(buffer_handle, "workload2").await? {
println!("Received from {}: {:?}", message.sender, String::from_utf8(message.data));
}
Ok(())
}use elastic_tee_hal::{GpuInterface, HalResult};
async fn gpu_example() -> HalResult<()> {
let gpu = GpuInterface::new().await?;
// List available GPU adapters
let adapters = gpu.list_adapters().await?;
println!("Available GPUs: {}", adapters.len());
// Create device on first adapter
if let Some(adapter) = adapters.first() {
let device = gpu.create_device(adapter.handle, &[]).await?;
// Create compute pipeline
let shader_code = include_bytes!("compute_shader.wgsl");
let pipeline = gpu.create_compute_pipeline(device, shader_code, "main", [64, 1, 1]).await?;
// Create buffers and run computation
let input_data = vec![1.0f32; 1024];
let input_buffer = gpu.create_buffer(device, &bytemuck::cast_slice(&input_data), true, false).await?;
let output_buffer = gpu.create_buffer(device, &vec![0u8; 4096], false, true).await?;
// Execute compute pass
let compute_pass = gpu.begin_compute_pass(device, pipeline).await?;
gpu.set_buffer(compute_pass, 0, input_buffer).await?;
gpu.set_buffer(compute_pass, 1, output_buffer).await?;
gpu.dispatch(compute_pass, 16, 1, 1).await?;
gpu.end_compute_pass(compute_pass).await?;
// Read results
let results = gpu.read_buffer(output_buffer).await?;
println!("Compute results: {:?}", results);
}
Ok(())
}βββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ
β WASI 0.2 Applications β
β (WebAssembly Workloads) β
βββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ
β
βΌ
βββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ
β ELASTIC TEE HAL β
β β
β βββββββββββββββ βββββββββββββββ βββββββββββββββ βββββββββββββ β
β β Crypto β β** Storage **β β** Network **β β** Clock **β β
β β β β (WASI I/O) β β (WASI) β β (WASI) β β
β βββββββββββββββ βββββββββββββββ βββββββββββββββ βββββββββββββ β
β β
β βββββββββββββββ βββββββββββββββ βββββββββββββββ βββββββββββββ β
β β GPU β β Resources β β Events β β** Random**β β
β β β β β β β β (WASI) β β
β βββββββββββββββ βββββββββββββββ βββββββββββββββ βββββββββββββ β
β β
β βββββββββββββββ βββββββββββββββ βββββββββββββββ β
β β Comm β β Platform β βCapabilities β β
β β β β β β β β
β βββββββββββββββ βββββββββββββββ βββββββββββββββ β
β β
β ** Bold ** = WASI 0.2 Standard Interfaces β
β Clock, Random, Network, Storage I/O β
βββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ
β
βΌ
βββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ
β TEE Hardware Platforms β
β β
β βββββββββββββββ βββββββββββββββ β
β β AMD SEV-SNP β β Intel TDX β β
β β β
Working β β β
Working β β
β βββββββββββββββ βββββββββββββββ β
βββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ
βββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ
β WASI 0.2 Runtime Layer β
β (Wasmtime, WasmEdge, etc.) β
βββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ
β
β WIT Bindings
βΌ
βββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ
β WebAssembly Component Model β
β (Component Instantiation) β
βββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ
β
βΌ
βββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ
β ELASTIC TEE HAL CORE β
β β
β βββββββββββββββββββ βββββββββββββββββββ βββββββββββββββββββ β
β β Platform β β Capabilities β β Error β β
β β Detection β β Discovery β β Handling β β
β β β β β β β β
β β β’ Auto-detect β β β’ Feature list β β β’ Unified β β
β β β’ AMD SEV β
β β β’ Platform β β error types β β
β β β’ Intel TDX β
β β limits β β β’ Result<T,E> β β
β βββββββββββββββββββ βββββββββββββββββββ βββββββββββββββββββ β
β β
βββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ
β
βββββββββββββββΌββββββββββββββ
β β β
βΌ βΌ βΌ
βββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ
β INTERFACE LAYER β
β β
β βββββββββββββββββ βββββββββββββββββ βββββββββββββββββ βββββββββββββββ β
β β Crypto β β Storage β β Network β β Clock β β
β β ============= β β ============= β β ============= β β =========== β β
β β β’ Ed25519 β β β’ AES-256-GCM β β β’ TCP/UDP β β β’ System β β
β β β’ AES/ChaCha β β β’ Container β β β’ TLS/DTLS β β β’ Monotonic β β
β β β’ HMAC/SHA β β mgmt β β β’ Rustls β β β’ TEE-aware β β
β β β’ Attestation β β β’ Encryption β β β’ WebPKI β β timing β β
β βββββββββββββββββ βββββββββββββββββ βββββββββββββββββ βββββββββββββββ β
β β
β βββββββββββββββββ βββββββββββββββββ βββββββββββββββββ βββββββββββββββ β
β β GPU β β Resources β β Events β β Random β β
β β ============= β β ============= β β ============= β β =========== β β
β β β’ Compute β β β’ Memory β β β’ Priority β β β’ Hardware β β
β β pipelines β β allocation β β queues β β entropy β β
β β β’ WGPU (opt) β β β’ CPU usage β β β’ Publisher/ β β β’ Crypto β β
β β β’ Future β β β’ Tracking β β Subscriber β β secure β β
β βββββββββββββββββ βββββββββββββββββ βββββββββββββββββ βββββββββββββββ β
β β
β βββββββββββββββββββββββββββββββββββββββ βββββββββββββββββββββββββββββββββββ β
β β Communication β β WIT Exports β β
β β ============================ β β ============================= β β
β β β’ Inter-workload messaging β β All 11 interfaces exported: β β
β β β’ Encrypted channels β β β’ platform, capabilities β β
β β β’ Permission-based access β β β’ crypto, storage, sockets β β
β β β’ Message priorities & types β β β’ gpu, resources, events β β
β βββββββββββββββββββββββββββββββββββββββ β β’ communication, clock, random β β
β βββββββββββββββββββββββββββββββββββ β
βββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ
β
βββββββββββββββΌββββββββββββββ
β β β
βΌ βΌ βΌ
βββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ
β PLATFORM LAYER β
β β
β βββββββββββββββββββ βββββββββββββββββββ βββββββββββββββββββββ β
β β AMD SEV-SNP β β Intel TDX β β Generic/Future β β
β β =============== β β =============== β β ================= β β
β β β
Working β β β
Working β β Future Platforms β β
β β β β β β β β
β β Hardware: β β Hardware: β β β’ ARM TrustZone β β
β β β’ /dev/sev-* β β β’ /dev/tdx_guestβ β β’ RISC-V Keystone β β
β β β’ TSM support β β β’ TSM support β β β’ Others... β β
β β β’ Real detect β β β’ RDRAND/RDSEED β β β β
β β β’ Attestation β β β’ TD Quote gen β β β β
β βββββββββββββββββββ βββββββββββββββββββ βββββββββββββββββββββ β
β β
βββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ
β
βΌ
βββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ
β HARDWARE/OS LAYER β
β β
β βββββββββββββββ βββββββββββββββ βββββββββββββββ β
β β TEE β β Crypto β β Network β β
β β Hardware β β Hardware β β Stack β β
β β β β β β β β
β β β’ SEV-SNP β β β’ AES-NI β β β’ TCP/IP β β
β β β’ TDX β β β’ RDRAND β β β’ TLS libs β β
β β β’ TrustZone β β β’ RDSEED β β β’ Sockets β β
β β (future) β β β’ Platform β β β β
β β β β RNG β β β β
β βββββββββββββββ βββββββββββββββ βββββββββββββββ β
βββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ
Application/Workload Request
β
βΌ
βββββββββββββββββββ
β WASI Component β βββΊ WIT Interface Binding
β Runtime β
βββββββββββββββββββ
β
βΌ
βββββββββββββββββββ
β ElasticTeeHal β βββΊ Platform Detection & Capabilities
β (Core HAL) β
βββββββββββββββββββ
β
ββββΊ CryptoInterface βββΊ ring/ed25519-dalek βββΊ Hardware crypto
β
ββββΊ StorageInterface βββΊ AES-GCM encryption βββΊ Filesystem
β
ββββΊ SocketInterface βββΊ tokio-rustls βββΊ Network stack
β
ββββΊ CommunicationInterface βββΊ Inter-workload channels
β
ββββΊ Other interfaces...
β
βΌ
Platform-specific implementation
β
βΌ
Hardware/OS resources
use elastic_tee_hal::{HalError, HalResult};
// All operations return HalResult<T>
match some_hal_operation().await {
Ok(result) => println!("Success: {:?}", result),
Err(HalError::PlatformNotSupported(msg)) => eprintln!("Platform error: {}", msg),
Err(HalError::CryptographicError(msg)) => eprintln!("Crypto error: {}", msg),
Err(HalError::NetworkError(msg)) => eprintln!("Network error: {}", msg),
Err(HalError::StorageError(msg)) => eprintln!("Storage error: {}", msg),
Err(e) => eprintln!("Other error: {:?}", e),
}Run the comprehensive test suite:
# Run all tests
cargo test
# Run tests with output
cargo test -- --nocapture
# Run specific interface tests
cargo test crypto::tests
cargo test storage::tests
cargo test communication::tests
# Run with features
cargo test --features gpuThe HAL is designed for high-performance confidential computing:
- Zero-copy operations where possible
- Async/await throughout for non-blocking I/O
- Hardware acceleration via GPU compute and crypto instructions
- Memory pool management for reduced allocation overhead
- Efficient serialization with bincode for inter-workload communication
- All cryptographic operations can include platform measurements
- Remote attestation supported via platform-specific mechanisms
- Hardware-rooted trust chain validation
- All sensitive data encrypted in memory when possible
- Secure memory allocation patterns for TEE environments
- Stack and heap protection via platform features
- TLS 1.3 minimum for all network communications
- Certificate pinning and validation
- Perfect forward secrecy for all connections
| Interface | Purpose | Key Methods |
|---|---|---|
ElasticTeeHal |
Main HAL entry point | new(), initialize(), get_capabilities() |
CryptoInterface |
Cryptographic operations | encrypt(), decrypt(), sign(), verify() |
StorageInterface |
Encrypted storage | create_container(), store_object(), get_object() |
SocketInterface |
Network communication | create_tls_client(), send(), receive() |
CommunicationInterface |
Inter-workload messaging | setup_communication_buffer(), push_data_to_buffer() |
GpuInterface |
GPU compute | create_device(), create_compute_pipeline(), dispatch() |
ResourceInterface |
Resource management | allocate_memory(), allocate_cpu(), get_usage_stats() |
EventInterface |
Event handling | subscribe(), publish(), unsubscribe() |
pub enum PlatformType {
AmdSev, // AMD SEV-SNP
IntelTdx, // Intel TDX
}
pub struct PlatformCapabilities {
pub platform_type: PlatformType,
pub hal_version: String,
pub features: CapabilityFeatures,
pub limits: PlatformLimits,
pub crypto_support: CryptoSupport,
}We welcome contributions! Please see our Contributing Guide for details.
# Clone the repository
git clone https://github.com/syafiq/wasmhal.git
cd wasmhal
# Install Rust toolchain
rustup target add wasm32-wasi
# Build the project
cargo build
# Run tests
cargo test
# Check formatting and lints
cargo fmt
cargo clippyThis project is licensed under the MIT License - see the LICENSE file for details.
- ELASTIC Consortium - For confidential computing research and development
- WASI Community - For WebAssembly System Interface specifications
- AMD and Intel - For TEE platform documentation and support
- Rust Community - For excellent async and cryptographic libraries
- Issues: GitHub Issues
- Discussions: GitHub Discussions
Built for Confidential Computing and Trusted Execution Environments