veil-core 0.1.0

Core traits and types for veil TEE abstraction
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54

use std::marker::PhantomData;

use serde::{de::DeserializeOwned, Deserialize, Serialize};

use crate::{
    context::{ProtectedData, VeilContext},
    error::{Result, VeilError},
};

/// A type-safe wrapper around TEE-protected data.
///
/// `Protected<T>` ensures the inner value `T` cannot be accessed without
/// going through the TEE. The encrypted data is serializable for persistence.
///
/// Created by `Protected::new()` or by the `#[veil::protect]` macro.
#[derive(Debug, Clone, Serialize, Deserialize)]
pub struct Protected<T> {
    data: ProtectedData,
    #[serde(skip)]
    _phantom: PhantomData<T>,
}

impl<T: Serialize + DeserializeOwned> Protected<T> {
    /// Protect a value by serializing it and encrypting with the TEE.
    pub fn new(ctx: &mut VeilContext, value: &T) -> Result<Self> {
        let bytes = serde_json::to_vec(value)
            .map_err(|e| VeilError::Serialization(e.to_string()))?;
        let data = ctx.protect(&bytes)?;
        Ok(Self {
            data,
            _phantom: PhantomData,
        })
    }

    /// Decrypt and deserialize the protected value. Requires the same TEE.
    pub fn unprotect(&self, ctx: &mut VeilContext) -> Result<T> {
        let bytes = ctx.unprotect(&self.data)?;
        serde_json::from_slice(&bytes)
            .map_err(|e| VeilError::Serialization(e.to_string()))
    }

    /// Access the underlying `ProtectedData` for backup/restore operations.
    pub fn protected_data(&self) -> &ProtectedData {
        &self.data
    }

    /// Construct from raw `ProtectedData` (e.g., after restore).
    pub fn from_protected_data(data: ProtectedData) -> Self {
        Self {
            data,
            _phantom: PhantomData,
        }
    }
}