teep
C Implementation of draft-ietf-teep-protocol
MIT License
TEEP
C Implementation of draft-ietf-teep-protocol and draft-ietf-teep-otrp-over-http.
The directories are organized as follows.
Directories to make external libraries compile into static libs usable in a Trusted Application (TA), with actual files under the directories of the same names under the external/ directory:
-
ctoken: EAT implementation.
-
LibEay32: OpenSSL's crypto library.
-
openssl_includes: Copies OpenSSL includes into the openssl directory where other libs can find them.
-
qcbor: CBOR implementation.
-
t_cose: COSE implementation.
Protocol:
-
protocol/TeepAgentBrokerLib: TEEP Agent Broker in a static lib.
-
protocol/TeepAgentLib: TEEP Agent in a static lib.
-
protocol/TeepCommonLib: TEEP common static lib used by TeepAgentLib and TeepTamLib.
-
protocol/TeepTamBrokerLib: TEEP TAM Broker in a static lib.
-
protocol/TeepTamLib: TEEP TAM in a static lib.
-
protocol/WindowsHttpClientLib: HTTP client module for Windows.
-
protocol/WindowsHttpServerLib: HTTP server module for Windows.
TAs:
-
ta/TeepAgentTABrokerLib: Static lib containing a TEEP Agent Broker for communicating with TeepAgentTA.
-
ta/TeepAgentTA: TA containing a TEEP Agent.
-
ta/TeepCommonTALib: Static lib with TEEP trusted code that is needed by both TeepAgentTA and TeepTamTA.
-
ta/TeepTamTABrokerLib: Static lib containing a TEEP TAM Broker for communicating with TeepTamTA.
-
ta/TeepTamTA: TA containing a TEEP TAM.
Configuration:
- tam/manifests: Repository of SUIT manifest files for Trusted Components. This
directory is read by the TeepTamBrokerLib and used to populate the TAM's
repository of manifests. A sample SUIT manifest is included by default.
The files must be named as<UUID>.cborwhere UUID is the TA ID.
The project at https://gitlab.arm.com/research/ietf-suit/suit-tool
can be used to generate SUIT manifest files.
Apps:
-
DeviceHost: Sample host app to run a TEEP Agent Broker.
-
TamHost: Sample host app to run a TEEP TAM Broker.
-
TeepUnitTest: Standalone unit tests to test the TEEP implementation.
Prerequisites
You must git clone this repository recursively:
git clone --recurse-submodules https://github.com/dthaler/teep.git
You must have the following installed to compile and debug:
- Visual Studio 2019 or 2022. Any edition, including the (free) Community edition is fine
-
Open Enclave Visual Studio Extension v0.17 or later
and its prerequisites
The TAM is currently written to run on Windows, due to the HTTP layer. However, the TeepAgentBrokerLib/HttpHelper.h API should already be platform-agnostic and one could replace the Windows HttpHelper.cpp with a different implementation for other platforms.
You must also have OpenSSL 3.0.7 or later installed to %ProgramW6432%\OpenSSL. You can do this either by running a pre-built installer such as the one from https://www.softpedia.com/get/Programming/Components-Libraries/OpenSSL.shtml or by building it yourself as follows:
- cd external\openssl
- mkdir _build
- perl ..\Configure VC-WIN64A
- perl configdata.pm --dump
- nmake
- nmake install
Running the code
Compiling on Windows will result in generating DeviceHost.exe and TamHost.exe.
DeviceHost.exe is run as follows:
Usage: DeviceHost [-s] [-r <TA ID>] [-u <TA ID>] <TAM URI>
where -s if present means to only simulate a TEE
-r <TA ID> if present is a TA ID to request (38b08738-227d-4f6a-b1f0-b208bc02a781 if none specified)
-u <TA ID> if present is a TA ID that is no longer needed by any normal app
<TAM URI> is the default TAM URI to use
The <TA ID> to request ought to be one of the SUIT manifests configured
on the TAM as noted above in the description of the manifests directory.
TamHost.exe is run as follows, but must be run as Administrator in order to register the URI to listen on:
Usage: TamHost [-s] <TAM URI>
where -s if present means to only simulate a TEE
<TAM URI> is the TAM URI to use, e.g., http://192.168.1.37:54321/TEEP
Currently the <TAM URI> must end in /TEEP
Keys
Before the TAM and the TEEP Agent can fully communicate, they must be configured to trust each other.
The trusted directory under tam and agent contain a set of .pem files
of public keys that that entity considers trusted.
This can be done as follows:
- The first time that TamHost is run it will generate
tam-public-key.pemandtam-private-key-pair.pem
under thetamdirectory. - The first time that DeviceHost is run it will generate
agent-public-key.pemandagent-private-key-pair.pem
under theagentdirectory. - Copy
tam/tam-public-key.pemtoagent/trusted/tam-public-key.pem. - Copy
agent/agent-public-key.pemtotam/trusted/agent-public-key.pem. - Restart the TamHost and DeviceHost.
Configurations
The following configurations should work:
- DebugStandalone | x64 - Use this to test/run as a normal application
outside any TEE, for development and debugging purposes. - Debug | x64 - Use this to test/run on an SGX-capable machine
or with the-soption to run on a non-SGX-capable machine
but simulating run inside SGX.
To run and debug inside Visual Studio, change the debugger Working Directory to $(OutDir). To do this, right click on the project, and change Properties -> Debugging -> Working Directory and change the value to $(OutDir) instead of $(ProjectDir). This is because the apps will attempt to load the enclaves from the current directory.