search

apache / incubator-teaclave-trustzone-sdk

Teaclave TrustZone SDK enables safe, functional, and ergonomic development of trustlets.
https://teaclave.apache.org
Apache License 2.0
204 stars 58 forks source link

Signature Verification example using ring crate #84

Closed syedelec closed 1 year ago

syedelec commented 1 year ago

Hi

I am trying to play around with some rust TA examples and I found that the signature_verification-rs example is using the ring module from a specific repo (https://github.com/veracruz-project/ring.git)

My questions are the following:

  1. is it safe and secure to use external crate in the TA for cryptographic operations instead of tee api?
  2. why use a specific repo for ring and not the official crate? (https://crates.io/crates/ring)
  3. are there other crypto crate we could use in TA?

Thanks

DemesneGH commented 1 year ago

Hi @syedelec

  1. is it safe and secure to use external crate in the TA for cryptographic operations instead of tee api?

TEE Core APIs are defined in the standard specification and implemented differently in various TEE OS. OP-TEE uses libtomcrypt as its default implementation of the crypto APIs. It also supports adding a new software implementation. It's okay to use the third-party crypto libraries in TAs. Its security depends on the security of the crypto library itself.

2. why use a specific repo for ring and not the official crate? (https://crates.io/crates/ring)

Ring in veracruz-project has been ported to OP-TEE (e.g. this commit).

3. are there other crypto crate we could use in TA?

Other crypto crates can be used in TA after they have been ported to OP-TEE's standard library. Ring is the only crypto crate supported now.

syedelec commented 1 year ago

Thanks! That's way clearer now!