DemesneGH opened a new pull request, #221: URL: https://github.com/apache/incubator-teaclave-trustzone-sdk/pull/221
This PR mainly updates the TLS client and TLS server examples to support Rustls **0.23.0+** (currently using `0.23.12`). Upgrading Rustls and its dependencies will: 1. remove existing security warnings, e.g.: [Dependabot alert #27](https://github.com/apache/incubator-teaclave-trustzone-sdk/security/dependabot/27) , and other warnings of `rustls`, `webpki`, and `ring`. 2. demonstrate fully updated TLS examples ## Key Improvements in Rustls 0.23+ Rustls now supports: - **[CryptoProvider](https://docs.rs/rustls/latest/rustls/crypto/struct.CryptoProvider.html)** - **[TimeProvider](https://docs.rs/rustls/latest/rustls/time_provider/trait.TimeProvider.html)** This allows us to integrate directly with `optee-utee` APIs without manually porting entire crates. After customizing the rng and time providers, Rustls can run in OP-TEE `std` TAs. (`no-std` support is in future plan but not included here.) - **TimeProvider**: Straightforward to implement, please see code in this PR. - **CryptoProvider**: More involved, detailed below. ## Crypto Provider Available Rustls crypto providers: <https://github.com/rustls/rustls?tab=readme-ov-file#cryptography-providers> Of course we can implement and maintain our own crypto provider for OP-TEE, but if there are existing providers available, it’s better to reuse them. We selected `ring` and `rustls-rustcrypto` as our candidates. ### 1. `ring` provider - Built into Rustls (via the `ring` feature). (https://github.com/rustls/rustls/tree/main/rustls/src/crypto/ring) - Dependency chain: `ring-provider-in-rustls` → `ring` → `getrandom`. - Problem: `ring`’s `SystemRandom` is not OP-TEE–compatible. (https://github.com/briansmith/ring/blob/main/src/rand.rs#L165) Would require changes to both `getrandom` **and** `ring` (or `ring-provider-in-rustls`). ### 2. `rustls-rustcrypto` provider - Third-party provider. (https://github.com/RustCrypto/rustls-rustcrypto) - Dependency chain: `rustls-rustcrypto` → `rand_core` → `getrandom`. - Only requires `getrandom` modifications. No changes to the provider code itself. Our decision is, port `getrandom` to OP-TEE, then use `rustls-rustcrypto` as the provider. ## Getrandom Porting - `getrandom` is a hardware RNG crate with multiple backends. - We have added an OP-TEE target and backend: - Since `rustls-rustcrypto` depends on `getrandom 0.2` (which is in maintenance mode), we maintain an OP-TEE-enabled `getrandom` in **`incubator-teaclave-crates`** (currently in my fork: `git = "https://github.com/DemesneGH/incubator-teaclave-crates.git"`, I will open a PR and modify this url after it merged). - We plan to upstream OP-TEE support for `getrandom 0.3`. - Because the ported `getrandom` depends on `optee-utee` **0.4.0**, all other TLS TA modules also pin `optee-*` crates to 0.4.0 to avoid build inconsistencies. ## Code Changes - New `tls_client` and `tls_server` examples using Rustls `0.23.12`. We chose this version because it is the one currently used by `rustls-rustcrypto`. - New `rustls-provider` crate under `crates/`, used by TLS examples. - Updated outdated TLS server test certs and improved test script error checks. - Fixed 32-bit TLS TA build errors by disabling `CFG_TA_FLOAT_SUPPORT` (see commit message for details). ## `no-std` TLS examples They need the `no-std` Rustls and `no-std` crypto backend. AFAIK: - Rustls now offers initial support for `no-std` ([release notes](https://github.com/rustls/rustls/releases/tag/v%2F0.23.0)), which requires further research for our usecase. - Several `rustcrypto` crates already support `no-std`. It is possible to have `no-std` TLS TAs, but this will require additional effort and investigation, so it remains a goal for future work. -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: [email protected] For queries about this service, please contact Infrastructure at: [email protected] --------------------------------------------------------------------- To unsubscribe, e-mail: [email protected] For additional commands, e-mail: [email protected]
