rats-rs is a pure Rust implementation of a TEE remote attestation library. Its ultimate goal is to enable developers to easily integrate remote attestation capabilities into various aspects of their applications. It also includes a secure session layer implementation based on the SPDM protocol, which can provide a TLS-like secure encryption layer for communication with TEE environments.
- Pure Rust implementation
- Easy-to-use Builder Pattern API
- Extensibility for different TEE types
- Three levels of API for upper-level applications
- Support for specifying cryptographic algorithms used by certificates
- Automatic detection of current runtime TEE type
- Feature-based functionality trimming
This project adopts a modular design in supporting different TEE types. The current support status for different TEE types is as follows:
| SGX DCAP (Occlum) | TDX | SEV-SNP | CSV | CCA |
|---|---|---|---|---|
| ✔️ | ✔️ | 🚧 | 🚧 | 🚧 |
The following workflow will guide you through running the rats-rs sample program spdm-echosvr on an SGX instance. The source code can be found here.
- First, prepare the rats-rs build environment. It is recommended to use our pre-built Docker container directly:

  ```sh
  docker run -it --privileged --device=/dev/sgx_enclave --device=/dev/sgx_provision ghcr.io/inclavare-containers/rats-rs:master bash
  ```

- Clone the code and compile the sample program:

  ```sh
  git clone git@github.com:inclavare-containers/rats-rs.git
  cd rats-rs
  just prepare-repo
  cargo build -p spdm
  ```

- Run the server-side program:

  ```sh
  just run-in-occlum echo-server --attest-self --listen-on-tcp 127.0.0.1:8080
  ```

- Run the client-side program (in a new terminal):

  ```sh
  just run-in-host echo-client --verify-peer --connect-to-tcp 127.0.0.1:8080
  ```
You will observe the interaction between the client and server in the program logs, and you can use the environment variable `RATS_RS_LOG_LEVEL` to control the log level. For more details about the sample program, please refer to this document.
Add the following to your `Cargo.toml` file:

```toml
[dependencies]
rats-rs = { git = "https://github.com/inclavare-containers/rats-rs", branch = "master" }
```
To start using the rats-rs API, it is recommended to refer to the sample programs.
It is also worth mentioning that rats-rs compilation and runtime depend on some system libraries. You can find the complete build environment setup process here.
This project uses the just tool to wrap automation tasks such as testing, running, and code coverage calculation. It works much like a Makefile. When you need to introduce a new task, please add it to the justfile.
Before you start coding, you can first read the documentation under docs.
Most documents are categorized in the docs directory. Here are some relatively important documents to facilitate getting started with this project:
- Environment Setup and Project Build Guide
- Testing Guide and Code Coverage
- Project Architecture and Module Function Description
- CPU-SPDM Protocol Core Design
- Sample Program Build and Run Instructions
- CPU-TEE SPDM Protocol Standardization Document: CPU TEE Secured Messages using SPDM Binding Specification
This project is licensed under the Apache License 2.0.