Struct TeeCapabilities 

#[non_exhaustive]
pub struct TeeCapabilities {
    pub sgx: Detection,
    pub tdx: Detection,
    pub sev: Detection,
    pub sev_snp: Detection,
    pub trustzone: Detection,
    pub secure_enclave: Detection,
    pub nitro: Detection,
}

Snapshot of every TEE probe the vault knows how to run on this host.

Adding a new probe is a minor-version change — the struct is #[non_exhaustive]. Existing fields will not change meaning across the 1.x line.

Examples

use key_vault::tee::{detect_tee_capabilities, Detection};

let caps = detect_tee_capabilities();
// We cannot assert specific values — the result depends on hardware. But
// every field is queryable:
let _ = caps.sgx;
let _ = caps.tdx;
let _ = caps.sev;
let _ = caps.sev_snp;
let _ = caps.trustzone;
let _ = caps.secure_enclave;
let _ = caps.nitro;

// Display is implemented for human-readable summaries:
let _ = format!("{caps}");

Fields (Non-exhaustive)

Non-exhaustive structs could have additional fields added in future. Therefore, non-exhaustive structs cannot be constructed in external crates using the traditional Struct { .. } syntax; cannot be matched against without a wildcard ..; and struct update syntax will not work.

sgx: Detection

Intel Software Guard Extensions (SGX). Detected by CPUID leaf 7, EBX bit 2 on x86_64. Always Unknown on non-x86_64.

tdx: Detection

Intel Trust Domain Extensions (TDX). Detected by CPUID leaf 0x21 returning the “IntelTDX “ signature in EBX/ECX/EDX on x86_64. Always Unknown on non-x86_64.

sev: Detection

AMD Secure Encrypted Virtualization (SEV). Detected by CPUID extended leaf 0x8000001F EAX bit 1 on x86_64. Always Unknown on non-x86_64 or on Intel hosts.

sev_snp: Detection

AMD Secure Encrypted Virtualization — Secure Nested Paging (SEV-SNP). Detected by CPUID extended leaf 0x8000001F EAX bit 4 on x86_64. Always Unknown on non-x86_64 or on Intel hosts.

trustzone: Detection

ARM TrustZone. Userspace cannot reliably probe TrustZone availability without privileged registers, so this is always Unknown in 1.0. Operators that know their hardware supports TrustZone should configure the vault explicitly.

secure_enclave: Detection

Apple Secure Enclave. Reported as Detected on Apple Silicon (aarch64-apple-darwin), NotDetected on Intel macOS, and Unknown on non-Apple platforms.

nitro: Detection

AWS Nitro Enclaves availability. On Linux this is inferred from the DMI system vendor (/sys/devices/virtual/dmi/id/sys_vendor); other hosts report Unknown.

Implementations

impl TeeCapabilities

pub fn any_detected(self) -> bool

Returns true if at least one probe positively confirmed a TEE.

This is the convenience predicate for “should I prefer a hardware-backed fetcher?”. Unknown does not count.

Trait Implementations

impl Clone for TeeCapabilities

fn clone(&self) -> TeeCapabilities

Returns a duplicate of the value.

fn clone_from(&mut self, source: &Self)

Performs copy-assignment from source.

impl Debug for TeeCapabilities

fn fmt(&self, f: &mut Formatter<'_>) -> Result

Formats the value using the given formatter.

impl Display for TeeCapabilities

fn fmt(&self, f: &mut Formatter<'_>) -> Result

Formats the value using the given formatter.

impl Hash for TeeCapabilities

fn hash<__H: Hasher>(&self, state: &mut __H)

Feeds this value into the given Hasher.

fn hash_slice<H>(data: &[Self], state: &mut H)

where H: Hasher, Self: Sized,

Feeds a slice of this type into the given Hasher.

impl PartialEq for TeeCapabilities

fn eq(&self, other: &TeeCapabilities) -> bool

Tests for self and other values to be equal, and is used by ==.

fn ne(&self, other: &Rhs) -> bool

Tests for !=. The default implementation is almost always sufficient, and should not be overridden without very good reason.

impl Copy for TeeCapabilities

impl Eq for TeeCapabilities

impl StructuralPartialEq for TeeCapabilities