hyde_core/backend.rs
1use crate::error::Result;
2use serde::{Deserialize, Serialize};
3
/// TEE backend unified interface.
/// TDX/SEV/Secure Enclave backends will implement this same trait in Phase 2+.
///
/// Every key operation takes `&mut self`, so one owner drives a backend at a
/// time; the `Send + Sync` supertraits allow moving or sharing a backend
/// across threads but do not make the key operations callable concurrently
/// through a shared reference. All fallible operations report failure through
/// the crate's [`Result`]; the concrete error variants are not visible here.
pub trait TeeBackend: Send + Sync {
    /// Check if this backend is available on the current system.
    ///
    /// Takes no `self` and is bounded by `Self: Sized`, so it is called on the
    /// concrete type, never through `dyn TeeBackend`. Availability says
    /// nothing about whether the Primary Key has been initialized yet.
    fn is_available() -> bool
    where
        Self: Sized;

    /// Initialize the Primary Key (load if exists, create + persist if not).
    /// Called once per device.
    ///
    /// NOTE(review): presumably a prerequisite for the key operations below;
    /// whether they fail or self-initialize when this was skipped is left to
    /// each implementation — confirm before relying on either.
    fn initialize_primary_key(&mut self) -> Result<()>;

    /// Generate a Data Key and wrap it with the Primary Key.
    /// The returned WrappedKey blob cannot be unwrapped without the TEE.
    ///
    /// Only the wrapped form crosses this interface; the Data Key plaintext is
    /// never returned to the caller.
    fn generate_data_key(&mut self) -> Result<WrappedKey>;

    /// Unwrap the Data Key, encrypt data, and seal with PCR policy.
    ///
    /// `key` is expected to be a [`WrappedKey`] produced by this backend. The
    /// returned bytes are an opaque sealed blob as far as this trait is
    /// concerned.
    /// NOTE(review): nothing in this trait obliges an implementation to reject
    /// a `key` whose `backend` field differs from `backend_type()` — confirm
    /// that each backend checks it.
    fn seal(&mut self, key: &WrappedKey, data: &[u8]) -> Result<Vec<u8>>;

    /// Unseal data. Fails if PCR values have changed.
    ///
    /// `sealed` is typically read back from storage and should be treated as
    /// untrusted by implementations (bounds-checked parsing, authenticated
    /// decryption). A failure may mean the platform state changed rather than a
    /// transient error, so callers should not simply retry.
    /// NOTE(review): "PCR policy" is TPM terminology; what the Software backend
    /// binds sealed data to is not established in this file.
    fn unseal(&mut self, key: &WrappedKey, sealed: &[u8]) -> Result<Vec<u8>>;

    /// Return the backend type identifier.
    ///
    /// The only method callable through `&self`; useful for checking that a
    /// persisted [`WrappedKey::backend`] matches the backend in use.
    fn backend_type(&self) -> BackendType;
}
29
/// A Data Key wrapped by the Primary Key.
/// Safe to persist to disk — cannot be unwrapped without the corresponding TEE.
///
/// The derived serde impls persist exactly these two fields: there is no
/// integrity tag or version field at this layer.
/// NOTE(review): tampering with a stored `blob` is therefore only detectable
/// when the backend unwraps it, which presumes an authenticated wrapping
/// primitive — confirm in the backend implementations.
/// The derived `Debug` prints the full `blob` bytes; keep it out of logs unless
/// the wrapped form is genuinely safe to expose.
#[derive(Debug, Clone, Serialize, Deserialize)]
pub struct WrappedKey {
    /// Key material wrapped by the Primary Key.
    pub blob: Vec<u8>,
    /// Which backend produced this wrapped key.
    pub backend: BackendType,
}
39
/// Identifies which [`TeeBackend`] implementation produced a key.
///
/// Serialized with serde's derived representation, i.e. by variant name, so a
/// persisted [`WrappedKey`] naming a variant that no longer exists will fail to
/// deserialize. Derives `PartialEq` but not `Eq`, `Hash` or `Copy`: compare
/// with `==` and clone where an owned copy is needed.
#[derive(Debug, Clone, PartialEq, Serialize, Deserialize)]
pub enum BackendType {
    /// The TPM backend.
    Tpm,
    /// The software backend.
    /// NOTE(review): the "cannot be unwrapped without the TEE" guarantee stated
    /// on [`WrappedKey`] presumably does not hold for a pure software backend —
    /// confirm what protection it offers and when it may be selected.
    Software,
    // Phase 2+
    // Tdx,
    // Sev,
    // SecureEnclave,
}