1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
//! Core TEE abstraction traits for Tenzro Network.
use async_trait::async_trait;
use tenzro_types::tee::*;
use crate::error::Result;
/// Core trait for TEE (Trusted Execution Environment) providers.
///
/// This trait abstracts over different TEE implementations (Intel TDX, AMD SEV-SNP, AWS Nitro)
/// to provide a unified interface for confidential computing operations in Tenzro Network.
#[async_trait]
pub trait TeeProvider: Send + Sync {
/// Returns the TEE vendor for this provider.
fn vendor(&self) -> TeeVendor;
/// Checks if the TEE hardware is available and functional.
///
/// # Returns
/// - `Ok(true)` if TEE is available and ready
/// - `Ok(false)` if TEE is not available
/// - `Err(_)` if there was an error checking availability
async fn is_available(&self) -> Result<bool>;
/// Generates an attestation report for the given user data.
///
/// The attestation report cryptographically proves that the code is running
/// inside a genuine TEE with specific security properties.
///
/// # Arguments
/// - `user_data`: Application-specific data to include in the attestation
///
/// # Returns
/// An attestation report that can be verified by other parties
async fn generate_attestation(&self, user_data: &[u8]) -> Result<AttestationReport>;
/// Verifies an attestation report.
///
/// # Arguments
/// - `report`: The attestation report to verify
///
/// # Returns
/// Detailed verification results including TCB version and measurements
async fn verify_attestation(&self, report: &AttestationReport) -> Result<AttestationResult>;
/// Executes a request inside the secure enclave.
///
/// # Arguments
/// - `request`: The enclave operation to perform
///
/// # Returns
/// The response from the enclave, potentially with attestation
async fn execute_in_enclave(&self, request: EnclaveRequest) -> Result<EnclaveResponse>;
/// Generates a cryptographic key inside the enclave.
///
/// The key never leaves the secure environment and all operations
/// using it are performed inside the TEE.
///
/// # Arguments
/// - `params`: Key generation parameters
///
/// # Returns
/// A handle to the generated key
async fn enclave_keygen(&self, params: KeyGenParams) -> Result<EnclaveKeyHandle>;
/// Signs data using a key stored in the enclave.
///
/// # Arguments
/// - `key`: Handle to the signing key
/// - `data`: Data to sign
///
/// # Returns
/// The signature
async fn enclave_sign(&self, key: &EnclaveKeyHandle, data: &[u8]) -> Result<Vec<u8>>;
/// Encrypts data using a key stored in the enclave.
///
/// # Arguments
/// - `key`: Handle to the encryption key
/// - `plaintext`: Data to encrypt
///
/// # Returns
/// The ciphertext
async fn enclave_encrypt(&self, key: &EnclaveKeyHandle, plaintext: &[u8]) -> Result<Vec<u8>>;
/// Decrypts data using a key stored in the enclave.
///
/// # Arguments
/// - `key`: Handle to the decryption key
/// - `ciphertext`: Data to decrypt
///
/// # Returns
/// The plaintext
async fn enclave_decrypt(&self, key: &EnclaveKeyHandle, ciphertext: &[u8]) -> Result<Vec<u8>>;
}