Android Trusty TEE for SAGA 2.0 #251

Open
0xBlockPay opened this issue May 7, 2024 · 1 comment

It is not an issue but an idea for a security improvement. SAGA 2.0 will be on the Snapdragon Gen1 CPU with Qualcomm TEE. The TEE is based on ARM TrustZone technology. Thanks to Trusty TEE (Trusty TEE | Android Open Source Project), it is possible to run code in the security enclave. Moving the code dedicated to signing transactions into the enclave can have a positive influence on security.

0xBlockPay commented May 15, 2024

Maybe this can help:
A detailed description is at https://source.android.com/docs/security/features/trusty

To sign with ED25519 in the Android trust enclave, Rust with the openssl-rust crate can be used.

  1. First, the dependency should be put into the Trusty API application's rules.mk:

```make
MODULE_LIBRARY_DEPS += \
	trusty/user/base/lib/openssl-rust \
```

  2. In the trusty/user/base/lib/openssl-rust folder there should be a rules.mk file with the dependencies for openssl-rust:
    https://android.googlesource.com/trusty/lib/+/refs/heads/main/lib/openssl-rust/rules.mk

  3. The folder with the openssl-rust dep is https://android.googlesource.com/platform/external/rust/crates/openssl/+/refs/heads/main

Thanks to this, it is possible to use the precompiled openssl-rust dependencies in a Trusty application.

Example with openssl in Trusty Rust:
https://android.googlesource.com/trusty/app/sample/+/refs/heads/main/hwcryptohal/server/platform_functions.rs

For signing a tx, this template can be used:
https://android.googlesource.com/trusty/app/sample/+/refs/heads/main/rust-hello-world/lib.rs

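```rust
fn on_message(
    &self,
    _connection: &Self::Connection,
    handle: &Handle,
    msg: Self::Message,
) -> tipc::Result<MessageResult> {
    // Read the tx params from `msg`, sign them, and reply over `handle`.
    Ok(MessageResult::MaintainConnection)
}
```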

In the on_message function, the msg can carry the tx params for signing, followed by the code for signing with pure openssl-rust:

```rust
use openssl::pkey::{Id, PKey};
use openssl::sign::{Signer, Verifier};

fn main() {
    println!("Sign transaction in Android Trusty API");

    // ED25519 private key generation. The private key should be loaded from the trust store.
    let private_key = PKey::generate_ed25519().unwrap();
    let public_key = private_key.raw_public_key().unwrap();

    // Ed25519 does its own hashing, so the signer is created without a digest.
    let mut signer = Signer::new_without_digest(&private_key).unwrap();

    // The hex crate is used to decode the tx bytes and to print the signature.
    let tx = hex::decode("914bf4f22ccdedf00950d01020065b233ff0afa0753cd53baa5175827707aa75").unwrap();
    let signature = signer.sign_oneshot_to_vec(&tx).unwrap();
    assert_eq!(signature.len(), 64);

    println!("Signature: {:?}", hex::encode(&signature));

    // Rebuild the public key from its raw bytes and verify the signature with it.
    let public_key_result = PKey::public_key_from_raw_bytes(&public_key, Id::ED25519);
    let binding = public_key_result.unwrap();
    let mut verifier = Verifier::new_without_digest(&binding).unwrap();
    let verify_result = verifier.verify_oneshot(&signature, &tx);

    println!("Signature is: {:?}", verify_result.unwrap());

    println!("Signature verification end");
}
```
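An added example, not part of the original comment or of the project's code: since the `msg` passed to `on_message` comes from the non-secure world, the enclave side should validate it strictly before any key is used. The wire format, the constants and the names `SignRequest`, `RequestError` and `parse_sign_request` are assumptions made for this sketch, not a Trusty or SAGA format.

```rust
// Hypothetical request layout (an assumption for this example):
//   byte 0       protocol version, must equal VERSION
//   byte 1       key slot index, must be below MAX_KEY_SLOTS
//   bytes 2..34  32-byte transaction hash to sign
const VERSION: u8 = 1;
const MAX_KEY_SLOTS: u8 = 4;
const TX_HASH_LEN: usize = 32;
const REQUEST_LEN: usize = 2 + TX_HASH_LEN;

#[derive(Debug, PartialEq)]
pub enum RequestError {
    BadLength(usize),
    BadVersion(u8),
    BadKeySlot(u8),
}

#[derive(Debug, PartialEq)]
pub struct SignRequest {
    pub key_slot: u8,
    pub tx_hash: [u8; TX_HASH_LEN],
}

/// Parse bytes received from the non-secure world. Anything that is not an
/// exact, well-formed request is rejected before key material is touched.
pub fn parse_sign_request(msg: &[u8]) -> Result<SignRequest, RequestError> {
    if msg.len() != REQUEST_LEN {
        return Err(RequestError::BadLength(msg.len()));
    }
    if msg[0] != VERSION {
        return Err(RequestError::BadVersion(msg[0]));
    }
    if msg[1] >= MAX_KEY_SLOTS {
        return Err(RequestError::BadKeySlot(msg[1]));
    }
    // Copy into a fixed-size array so the signer only ever sees 32 bytes.
    let mut tx_hash = [0u8; TX_HASH_LEN];
    tx_hash.copy_from_slice(&msg[2..]);
    Ok(SignRequest { key_slot: msg[1], tx_hash })
}

fn main() {
    // Constructed sample request: version 1, key slot 0, hash bytes all 0xAB.
    let mut msg = vec![1u8, 0];
    msg.extend_from_slice(&[0xAB; TX_HASH_LEN]);
    println!("{:?}", parse_sign_request(&msg));
    // A truncated message is rejected instead of being padded or signed.
    println!("{:?}", parse_sign_request(&msg[..10]));
}
```

The parsed `tx_hash` is what would be handed to the signer, and the reply to the caller would carry only the 64-byte signature, never the key.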
