apache / incubator-teaclave-java-tee-sdk

Apache Teaclave (incubating) Java TEE SDK is an open source universal confidential computing framework, making java computation on privacy-sensitive data safe and simple.
https://teaclave.apache.org
Apache License 2.0

What is the current state of Teaclave Java? #34

Open MarkusBernhardt opened 10 months ago

MarkusBernhardt commented 10 months ago

We are currently thinking about starting a confidential computing project. Teaclave java seems to be the perfect match, but on the other hand the development seems to be cut off in April 2023.

superajun-wsj commented 10 months ago

@MarkusBernhardt

  1. the project is currently in positive maintenance mode.
  2. we plan to add a new programming model that doesn't need to divide the whole project into three parts.
  3. currently there is no particularly clear roadmap, maybe tdx will be supported as another tee, and any suggestion is welcome.
  4. absolutely, it's completely open, and it's an Apache Incubator Project.

MarkusBernhardt commented 10 months ago

@superajun-wsj

Great to hear from you!

Having everything in a single project would be very much appreciated. Have you already started the refactoring? I'm quite experienced with Maven and Java. Perhaps I could help there a little?

One more question. A lot of the dependencies and used tools are a little outdated by now. Any plans to upgrade them, or would you be interested in some help there?

superajun-wsj commented 10 months ago

@MarkusBernhardt

we have not already started the refactoring, and we appreciate any community contributions.

we could upgrade them if there is a business requirement. what's your business scenario? do you mind giving a short description, please?

MarkusBernhardt commented 10 months ago

@superajun-wsj

we are planning to create a secure e-health system. the system must process and store patient data in a way that the given data is only accessible by the patient or by doctors authorized by the patient.

some more questions

superajun-wsj commented 10 months ago

@MarkusBernhardt

  1. EDMM is not supported at present.
  2. Enclave id is allocated when the enclave is created, there is no method to reset its value, but I think you could map it with a map structure.
  3. the time consumed by the creation of an enclave is not large, and you can destroy the enclave if you don't need it.
  4. not supported at present.

ziyilin commented 10 months ago

@MarkusBernhardt

> as I understand it at the moment, the creation of an enclave is quite time consuming. we would like to create an enclave for a patient when he logs in and use that enclave until he logs out or is logged out by a timeout some time later. is that supported?

The "enclave" you referred to here could be two things:

  1. The enclave environment created in the SGX. It is created very fast, and you can destroy it at any moment.
  2. The native image version of confidential program deployed and run in the SGX. The creation of native image is a little bit time consuming, depending on the size of target program. It could be a few minutes. It is created at build time and deployed in the SGX in advance. It shouldn't be created at the user logging time.

> can we persist the enclave memory to some storage in a secure way and restore later back?

This also depends on your actual requirement.

  1. If you want to persist some data in the memory, you can serialize the data to disk and deserialize it back to memory next time. It is not supported in the framework currently, but is doable.
  2. If you want to take a snapshot of the entire program to the disk, and resume the program from the disk some time later. A technique named CRIU (https://github.com/checkpoint-restore/criu) does such a job in the REE, but I doubt if it works in the TEE. The implementation of such work is beyond the scope of this project. But still, I think it's a very interesting topic to explore.