Hardware Abstraction Layer for Trusted Execution Environments in Confidential Computing
The ELASTIC TEE HAL (Hardware Abstraction Layer) provides a comprehensive interface for Trusted Execution Environment (TEE) workloads to interact with platform-specific hardware features while maintaining portability across different TEE implementations. Built for confidential computing applications, it offers WASI 0.2 compliance and supports both AMD SEV-SNP and Intel TDX platforms.
- Network Communication - TCP/UDP sockets with TLS/DTLS support
- Cryptographic Operations - Symmetric/asymmetric crypto, signing, platform attestation
- GPU Compute Interface - Hardware-accelerated compute pipelines
- Secure Random Generation - Cryptographically secure RNG with hardware entropy
- Time Operations - System time and monotonic clocks with TEE-aware timekeeping
- Encrypted Object Storage - Container-based storage with AES-GCM encryption
- Resource Management - Dynamic memory, CPU, and resource allocation tracking
- Event Handling - Priority-based inter-workload event communication
- Protected Communication - Secure Wasm-to-Wasm message passing
- Platform Capabilities - Runtime feature discovery and platform limits
- Platform Detection - Automatic TEE platform identification and initialization
- Hardware Attestation - Platform attestation report generation and verification
- Encrypted Storage - All data at rest encrypted with platform-derived keys
- Secure Boot - TEE secure boot verification and measurement
- Memory Protection - TEE-aware memory allocation and protection
- Network Security - TLS/DTLS with certificate management and validation
- AMD SEV-SNP - Secure Nested Paging with guest attestation ✅ Fully Implemented
- Intel TDX - Trust Domain Extensions with measurement and attestation ✅ Fully Implemented
- Hardware RNG (RDRAND/RDSEED)
- TD Quote generation with MRTD and RTMR measurements
- TSM (Trust Security Module) integration
- All 4 WASI interfaces verified and operational
- ARM TrustZone - Future support planned
- Generic TEE - Fallback implementation for other platforms
- Rust 2021 Edition or later
- WASI 0.2 compatible runtime (Wasmtime recommended)
- TEE Platform - AMD SEV-SNP or Intel TDX
- GPU (optional) - For compute acceleration features
Add to your Cargo.toml:
[dependencies]
elastic-tee-hal = "0.1.0"use elastic_tee_hal::{ElasticTeeHal, HalResult};
#[tokio::main]
async fn main() -> HalResult<()> {
// Initialize HAL with automatic platform detection
// Detects AMD SEV-SNP or Intel TDX automatically
let hal = ElasticTeeHal::new()?;
// Initialize platform-specific features
hal.initialize().await?;
// Get platform capabilities
let capabilities = hal.get_capabilities().await?;
println!("Platform: {:?}", capabilities.platform_type);
println!("Features: {:?}", capabilities.features);
Ok(())
}use elastic_tee_hal::{CryptoInterface, HalResult};
async fn crypto_example() -> HalResult<()> {
let crypto = CryptoInterface::new().await?;
// Generate key pair
let keypair = crypto.generate_key_pair("Ed25519").await?;
// Sign data
let data = b"Hello, TEE!";
let signature = crypto.sign(&keypair.private_key, data, "Ed25519").await?;
// Verify signature
let is_valid = crypto.verify(&keypair.public_key, data, &signature, "Ed25519").await?;
println!("Signature valid: {}", is_valid);
// Platform attestation
let nonce = crypto.generate_nonce(32)?;
let attestation = crypto.get_platform_attestation(&nonce).await?;
println!("Attestation: {:?}", attestation);
Ok(())
}use elastic_tee_hal::{StorageInterface, StorageConfig, HalResult};
async fn storage_example() -> HalResult<()> {
let storage = StorageInterface::new().await?;
// Create encrypted storage container
let config = StorageConfig {
name: "my-container".to_string(),
capacity_mb: 100,
encrypted: true,
compression: true,
};
let container = storage.create_container(config).await?;
// Store encrypted object
let data = b"Confidential data";
let object_id = storage.store_object(container, "secret.txt", data, None).await?;
// Retrieve and decrypt object
let retrieved = storage.get_object(container, &object_id).await?;
println!("Retrieved: {:?}", String::from_utf8(retrieved));
Ok(())
}use elastic_tee_hal::{SocketInterface, HalResult};
async fn network_example() -> HalResult<()> {
let sockets = SocketInterface::new();
// Create secure TLS connection
let socket = sockets.create_tls_client(
"example.com:443",
"example.com",
None // Use default TLS config
).await?;
// Send data
let data = b"GET / HTTP/1.1\r\nHost: example.com\r\n\r\n";
sockets.send(socket, data).await?;
// Receive response
let response = sockets.receive(socket, 1024).await?;
println!("Response: {:?}", String::from_utf8_lossy(&response));
Ok(())
}use elastic_tee_hal::{CommunicationInterface, BufferConfig, MessageType, MessagePriority, HalResult};
async fn communication_example() -> HalResult<()> {
let comm = CommunicationInterface::new();
// Set up communication buffer
let config = BufferConfig {
name: "workload-channel".to_string(),
capacity: 4096,
is_encrypted: true,
read_permissions: vec!["workload1".to_string(), "workload2".to_string()],
write_permissions: vec!["workload1".to_string(), "workload2".to_string()],
admin_permissions: vec!["admin".to_string()],
};
let buffer_handle = comm.setup_communication_buffer(config).await?;
// Send message from workload1
let message_data = b"Hello from workload1!";
comm.push_data_to_buffer(
buffer_handle,
message_data,
"workload1",
MessageType::Data,
MessagePriority::Normal,
).await?;
// Receive message in workload2
if let Some(message) = comm.read_data_from_buffer(buffer_handle, "workload2").await? {
println!("Received from {}: {:?}", message.sender, String::from_utf8(message.data));
}
Ok(())
}use elastic_tee_hal::{GpuInterface, HalResult};
async fn gpu_example() -> HalResult<()> {
let gpu = GpuInterface::new().await?;
// List available GPU adapters
let adapters = gpu.list_adapters().await?;
println!("Available GPUs: {}", adapters.len());
// Create device on first adapter
if let Some(adapter) = adapters.first() {
let device = gpu.create_device(adapter.handle, &[]).await?;
// Create compute pipeline
let shader_code = include_bytes!("compute_shader.wgsl");
let pipeline = gpu.create_compute_pipeline(device, shader_code, "main", [64, 1, 1]).await?;
// Create buffers and run computation
let input_data = vec![1.0f32; 1024];
let input_buffer = gpu.create_buffer(device, &bytemuck::cast_slice(&input_data), true, false).await?;
let output_buffer = gpu.create_buffer(device, &vec![0u8; 4096], false, true).await?;
// Execute compute pass
let compute_pass = gpu.begin_compute_pass(device, pipeline).await?;
gpu.set_buffer(compute_pass, 0, input_buffer).await?;
gpu.set_buffer(compute_pass, 1, output_buffer).await?;
gpu.dispatch(compute_pass, 16, 1, 1).await?;
gpu.end_compute_pass(compute_pass).await?;
// Read results
let results = gpu.read_buffer(output_buffer).await?;
println!("Compute results: {:?}", results);
}
Ok(())
}┌─────────────────────────────────────────────────────────────────┐
│ WASI 0.2 Applications │
│ (WebAssembly Workloads) │
└─────────────────────────────────────────────────────────────────┘
│
▼
┌─────────────────────────────────────────────────────────────────┐
│ ELASTIC TEE HAL │
│ │
│ ┌─────────────┐ ┌─────────────┐ ┌─────────────┐ ┌───────────┐ │
│ │ Crypto │ │** Storage **│ │** Network **│ │** Clock **│ │
│ │ │ │ (WASI I/O) │ │ (WASI) │ │ (WASI) │ │
│ └─────────────┘ └─────────────┘ └─────────────┘ └───────────┘ │
│ │
│ ┌─────────────┐ ┌─────────────┐ ┌─────────────┐ ┌───────────┐ │
│ │ GPU │ │ Resources │ │ Events │ │** Random**│ │
│ │ │ │ │ │ │ │ (WASI) │ │
│ └─────────────┘ └─────────────┘ └─────────────┘ └───────────┘ │
│ │
│ ┌─────────────┐ ┌─────────────┐ ┌─────────────┐ │
│ │ Comm │ │ Platform │ │Capabilities │ │
│ │ │ │ │ │ │ │
│ └─────────────┘ └─────────────┘ └─────────────┘ │
│ │
│ ** Bold ** = WASI 0.2 Standard Interfaces │
│ Clock, Random, Network, Storage I/O │
└─────────────────────────────────────────────────────────────────┘
│
▼
┌─────────────────────────────────────────────────────────────────┐
│ TEE Hardware Platforms │
│ │
│ ┌─────────────┐ ┌─────────────┐ │
│ │ AMD SEV-SNP │ │ Intel TDX │ │
│ │ ✅ Working │ │ ✅ Working │ │
│ └─────────────┘ └─────────────┘ │
└─────────────────────────────────────────────────────────────────┘
┌─────────────────────────────────────────────────────────────────────────────┐
│ WASI 0.2 Runtime Layer │
│ (Wasmtime, WasmEdge, etc.) │
└─────────────────────────────────────────────────────────────────────────────┘
│
│ WIT Bindings
▼
┌─────────────────────────────────────────────────────────────────────────────┐
│ WebAssembly Component Model │
│ (Component Instantiation) │
└─────────────────────────────────────────────────────────────────────────────┘
│
▼
┌─────────────────────────────────────────────────────────────────────────────┐
│ ELASTIC TEE HAL CORE │
│ │
│ ┌─────────────────┐ ┌─────────────────┐ ┌─────────────────┐ │
│ │ Platform │ │ Capabilities │ │ Error │ │
│ │ Detection │ │ Discovery │ │ Handling │ │
│ │ │ │ │ │ │ │
│ │ • Auto-detect │ │ • Feature list │ │ • Unified │ │
│ │ • AMD SEV ✅ │ │ • Platform │ │ error types │ │
│ │ • Intel TDX ✅ │ │ limits │ │ • Result<T,E> │ │
│ └─────────────────┘ └─────────────────┘ └─────────────────┘ │
│ │
└─────────────────────────────────────────────────────────────────────────────┘
│
┌─────────────┼─────────────┐
│ │ │
▼ ▼ ▼
┌─────────────────────────────────────────────────────────────────────────────┐
│ INTERFACE LAYER │
│ │
│ ┌───────────────┐ ┌───────────────┐ ┌───────────────┐ ┌─────────────┐ │
│ │ Crypto │ │ Storage │ │ Network │ │ Clock │ │
│ │ ============= │ │ ============= │ │ ============= │ │ =========== │ │
│ │ • Ed25519 │ │ • AES-256-GCM │ │ • TCP/UDP │ │ • System │ │
│ │ • AES/ChaCha │ │ • Container │ │ • TLS/DTLS │ │ • Monotonic │ │
│ │ • HMAC/SHA │ │ mgmt │ │ • Rustls │ │ • TEE-aware │ │
│ │ • Attestation │ │ • Encryption │ │ • WebPKI │ │ timing │ │
│ └───────────────┘ └───────────────┘ └───────────────┘ └─────────────┘ │
│ │
│ ┌───────────────┐ ┌───────────────┐ ┌───────────────┐ ┌─────────────┐ │
│ │ GPU │ │ Resources │ │ Events │ │ Random │ │
│ │ ============= │ │ ============= │ │ ============= │ │ =========== │ │
│ │ • Compute │ │ • Memory │ │ • Priority │ │ • Hardware │ │
│ │ pipelines │ │ allocation │ │ queues │ │ entropy │ │
│ │ • WGPU (opt) │ │ • CPU usage │ │ • Publisher/ │ │ • Crypto │ │
│ │ • Future │ │ • Tracking │ │ Subscriber │ │ secure │ │
│ └───────────────┘ └───────────────┘ └───────────────┘ └─────────────┘ │
│ │
│ ┌─────────────────────────────────────┐ ┌─────────────────────────────────┐ │
│ │ Communication │ │ WIT Exports │ │
│ │ ============================ │ │ ============================= │ │
│ │ • Inter-workload messaging │ │ All 11 interfaces exported: │ │
│ │ • Encrypted channels │ │ • platform, capabilities │ │
│ │ • Permission-based access │ │ • crypto, storage, sockets │ │
│ │ • Message priorities & types │ │ • gpu, resources, events │ │
│ └─────────────────────────────────────┘ │ • communication, clock, random │ │
│ └─────────────────────────────────┘ │
└─────────────────────────────────────────────────────────────────────────────┘
│
┌─────────────┼─────────────┐
│ │ │
▼ ▼ ▼
┌─────────────────────────────────────────────────────────────────────────────┐
│ PLATFORM LAYER │
│ │
│ ┌─────────────────┐ ┌─────────────────┐ ┌───────────────────┐ │
│ │ AMD SEV-SNP │ │ Intel TDX │ │ Generic/Future │ │
│ │ =============== │ │ =============== │ │ ================= │ │
│ │ ✅ Working │ │ ✅ Working │ │ Future Platforms │ │
│ │ │ │ │ │ │ │
│ │ Hardware: │ │ Hardware: │ │ • ARM TrustZone │ │
│ │ • /dev/sev-* │ │ • /dev/tdx_guest│ │ • RISC-V Keystone │ │
│ │ • TSM support │ │ • TSM support │ │ • Others... │ │
│ │ • Real detect │ │ • RDRAND/RDSEED │ │ │ │
│ │ • Attestation │ │ • TD Quote gen │ │ │ │
│ └─────────────────┘ └─────────────────┘ └───────────────────┘ │
│ │
└─────────────────────────────────────────────────────────────────────────────┘
│
▼
┌─────────────────────────────────────────────────────────────────────────────┐
│ HARDWARE/OS LAYER │
│ │
│ ┌─────────────┐ ┌─────────────┐ ┌─────────────┐ │
│ │ TEE │ │ Crypto │ │ Network │ │
│ │ Hardware │ │ Hardware │ │ Stack │ │
│ │ │ │ │ │ │ │
│ │ • SEV-SNP │ │ • AES-NI │ │ • TCP/IP │ │
│ │ • TDX │ │ • RDRAND │ │ • TLS libs │ │
│ │ • TrustZone │ │ • RDSEED │ │ • Sockets │ │
│ │ (future) │ │ • Platform │ │ │ │
│ │ │ │ RNG │ │ │ │
│ └─────────────┘ └─────────────┘ └─────────────┘ │
└─────────────────────────────────────────────────────────────────────────────┘
Application/Workload Request
│
▼
┌─────────────────┐
│ WASI Component │ ──► WIT Interface Binding
│ Runtime │
└─────────────────┘
│
▼
┌─────────────────┐
│ ElasticTeeHal │ ──► Platform Detection & Capabilities
│ (Core HAL) │
└─────────────────┘
│
├──► CryptoInterface ──► ring/ed25519-dalek ──► Hardware crypto
│
├──► StorageInterface ──► AES-GCM encryption ──► Filesystem
│
├──► SocketInterface ──► tokio-rustls ──► Network stack
│
├──► CommunicationInterface ──► Inter-workload channels
│
└──► Other interfaces...
│
▼
Platform-specific implementation
│
▼
Hardware/OS resources
use elastic_tee_hal::{HalError, HalResult};
// All operations return HalResult<T>
match some_hal_operation().await {
Ok(result) => println!("Success: {:?}", result),
Err(HalError::PlatformNotSupported(msg)) => eprintln!("Platform error: {}", msg),
Err(HalError::CryptographicError(msg)) => eprintln!("Crypto error: {}", msg),
Err(HalError::NetworkError(msg)) => eprintln!("Network error: {}", msg),
Err(HalError::StorageError(msg)) => eprintln!("Storage error: {}", msg),
Err(e) => eprintln!("Other error: {:?}", e),
}Run the comprehensive test suite:
# Run all tests
cargo test
# Run tests with output
cargo test -- --nocapture
# Run specific interface tests
cargo test crypto::tests
cargo test storage::tests
cargo test communication::tests
# Run with features
cargo test --features gpuThe HAL is designed for high-performance confidential computing:
- Zero-copy operations where possible
- Async/await throughout for non-blocking I/O
- Hardware acceleration via GPU compute and crypto instructions
- Memory pool management for reduced allocation overhead
- Efficient serialization with bincode for inter-workload communication
- All cryptographic operations can include platform measurements
- Remote attestation supported via platform-specific mechanisms
- Hardware-rooted trust chain validation
- All sensitive data encrypted in memory when possible
- Secure memory allocation patterns for TEE environments
- Stack and heap protection via platform features
- TLS 1.3 minimum for all network communications
- Certificate pinning and validation
- Perfect forward secrecy for all connections
| Interface | Purpose | Key Methods |
|---|---|---|
ElasticTeeHal |
Main HAL entry point | new(), initialize(), get_capabilities() |
CryptoInterface |
Cryptographic operations | encrypt(), decrypt(), sign(), verify() |
StorageInterface |
Encrypted storage | create_container(), store_object(), get_object() |
SocketInterface |
Network communication | create_tls_client(), send(), receive() |
CommunicationInterface |
Inter-workload messaging | setup_communication_buffer(), push_data_to_buffer() |
GpuInterface |
GPU compute | create_device(), create_compute_pipeline(), dispatch() |
ResourceInterface |
Resource management | allocate_memory(), allocate_cpu(), get_usage_stats() |
EventInterface |
Event handling | subscribe(), publish(), unsubscribe() |
pub enum PlatformType {
AmdSev, // AMD SEV-SNP
IntelTdx, // Intel TDX
}
pub struct PlatformCapabilities {
pub platform_type: PlatformType,
pub hal_version: String,
pub features: CapabilityFeatures,
pub limits: PlatformLimits,
pub crypto_support: CryptoSupport,
}We welcome contributions! Please see our Contributing Guide for details.
# Clone the repository
git clone https://github.com/syafiq/wasmhal.git
cd wasmhal
# Install Rust toolchain
rustup target add wasm32-wasi
# Build the project
cargo build
# Run tests
cargo test
# Check formatting and lints
cargo fmt
cargo clippyThis project is licensed under the MIT License - see the LICENSE file for details.
- ELASTIC Consortium - For confidential computing research and development
- WASI Community - For WebAssembly System Interface specifications
- AMD and Intel - For TEE platform documentation and support
- Rust Community - For excellent async and cryptographic libraries
- Issues: GitHub Issues
- Discussions: GitHub Discussions
Built for Confidential Computing and Trusted Execution Environments