hardbound 0.0.1

Hardbound — public trait surface for the enterprise hardware-bound trust tier of Web4. Implementations of these traits anchor identity, vault, witness chain, and policy in TPM 2.0 / YubiKey / Secure Enclave hardware. The reference closed-source implementation is at metalinxx.io; this crate is the contract any compatible implementation must satisfy.
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39

//! Common error types for Hardbound implementations.

/// Result alias used across the contract.
pub type Result<T> = core::result::Result<T, Error>;

/// Categories of failure an implementation may report. The contract
/// avoids being prescriptive about the underlying hardware error — most
/// callers care about which *class* of failure happened.
#[derive(Debug, thiserror::Error)]
pub enum Error {
    /// The bound hardware (TPM/YubiKey/SE) is not present or
    /// unreachable. Implementations should return this rather than
    /// panicking when the device is unplugged or PCRs don't match.
    #[error("trust anchor unavailable: {0}")]
    AnchorUnavailable(String),

    /// The provided ciphertext / signature / quote did not verify.
    /// Generic so the implementation isn't forced to disclose *why*
    /// (which can be a side channel).
    #[error("verification failed")]
    VerificationFailed,

    /// The caller asked for an operation the anchor doesn't support
    /// (e.g. asking a YubiKey-only anchor for a TPM quote).
    #[error("operation not supported: {0}")]
    Unsupported(String),

    /// Something else. Implementations may wrap any hardware-specific
    /// error here with a short human-readable summary.
    #[error("{0}")]
    Other(String),
}

impl Error {
    /// Convenience constructor for [`Error::Other`].
    pub fn other(msg: impl Into<String>) -> Self {
        Self::Other(msg.into())
    }
}