hardware-enclave 0.1.6

Hardware-backed key management — macOS Secure Enclave, Windows TPM 2.0, Linux TPM/keyring — plus in-process memory protection
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68

// Copyright 2026 Jay Gowdy
// SPDX-License-Identifier: MIT

// The p256/elliptic-curve ecosystem uses deprecated generic-array APIs.
// The TPM FFI modules also need unseparated literal suffixes (tss-esapi constants)
// and eprintln for user-facing warnings.
#![allow(
    dead_code,
    unused_imports,
    unused_qualifications,
    unreachable_patterns,
    deprecated,
    clippy::unseparated_literal_suffix,
    clippy::print_stderr
)]

//! Linux TPM 2.0 backend via tss-esapi.
//!
//! Uses the kernel TPM resource manager (`/dev/tpmrm0`) or `tpm2-abrmd`.
//! Keys are stored as TPM-wrapped blobs -- the private portion is encrypted
//! by the TPM and useless without the same physical hardware.
//!
//! On musl/Alpine, tss-esapi is not available and this crate compiles as
//! empty stubs (`is_available()` returns `false`).

// tss-esapi requires glibc. On musl, everything compiles as stubs.
#[cfg(all(target_os = "linux", target_env = "gnu"))]
mod tpm;

#[cfg(all(target_os = "linux", target_env = "gnu", feature = "signing"))]
mod sign;

#[cfg(all(target_os = "linux", target_env = "gnu", feature = "encryption"))]
mod encrypt;

#[cfg(all(target_os = "linux", target_env = "gnu", feature = "signing"))]
pub use sign::LinuxTpmSigner;

#[cfg(all(target_os = "linux", target_env = "gnu", feature = "encryption"))]
pub use encrypt::LinuxTpmEncryptor;

/// Check if a Linux TPM is available.
pub fn is_available() -> bool {
    #[cfg(all(target_os = "linux", target_env = "gnu"))]
    {
        tpm::is_available()
    }
    #[cfg(not(all(target_os = "linux", target_env = "gnu")))]
    {
        false
    }
}

#[cfg(test)]
mod tests {
    #[test]
    #[cfg(not(all(target_os = "linux", target_env = "gnu")))]
    fn is_available_returns_false_on_non_linux() {
        assert!(!super::is_available());
    }

    #[test]
    #[cfg(all(target_os = "linux", target_env = "gnu"))]
    fn is_available_returns_bool_on_linux() {
        // Just verify it doesn't panic — actual TPM may or may not be present
        let _ = super::is_available();
    }
}