Podling Teaclave Report - June 2024

Yuan Zhuang

Teaclave

Three most important unfinished issues to address before graduating:

  • Improve project structure and documentation
  • Grow the community (attracting more committers, contributors, users)
  • Publish Apache releases (resolving logistics on Apache release)

Are there any issues that the IPMC or ASF Board need to be aware of?

None.

How has the community developed since the last report?

Since the last report, we have organized three monthly virtual meetups. For each meetup, we have write-ups published on the Teaclave blog https://teaclave.apache.org/blog/.

Additionally, we introduced a new project Teaclave Java TEE SDK to our community:
https://teaclave.apache.org/blog/2022-10-18-accepting-java-enclave-proposal/

How has the project developed since the last report?

Here are the summaries of recent progress:

Teaclave FaaS Platform:

Teaclave TrustZone SDK

Teaclave SGX SDK

[NEW] Teaclave Java TEE SDK

How would you assess the podling's maturity?

  • Initial setup
  • Working towards first release
  • Community building
  • Nearing graduation
  • Other:

Date of last release:

2023-06-26: Apache Teaclave (incubating) FaaS Platform 0.6.0

When were the last committers or PPMC members elected?

2023-05-04: He Sun (Apache ID: hsun), PPMC

Have your mentors been helpful and responsive?

Yes, our mentors work responsively to help us with electing new mentors, developing new features, fixing bugs, and expanding the community.

Is the PPMC managing the podling's brand / trademarks?

We don't find any 3rd parties incorrectly using the podling's name and brand. The VP, Brand has approved the project name. (PODLINGNAMESEARCH-175)

Teaclave Meetup #15

He Sun

Agenda

Propose He as Committer

Teaclave FaaS

  • upgrading Teaclave SGX SDK 2.0 PR
    • disable macOS/iOS CI
    • protected fs in Teaclave SGX SDK is not compatible with Intel SGX SDK
    • TODO: support macOS/iOS target for protected fs in Teaclave SGX SDK
    • third-party crates
      • new repo to host forked crates: incubator-teaclave-crates
      • no need to vendor third-party crates, having a Cargo.lock to lock the third-party
      • update readme to explain the supply chain issue
    • need review

Java TEE SDK

  • S2 (March 2023): integrate with Teaclave SGX SDK 2.0
  • Release PR

Discussion

https://r3conclave.github.io/ccl-documentation/

Attendees

  • He Sun
  • Hongbo Chen
  • Kailun Qin
  • Mingshen Sun
  • Qinkun Bao
  • Ran Duan
  • Sanhong Li
  • Shaojun Wang
  • Yingchun Gao
  • Yu Lei
  • Ziyi Lin

Teaclave Meetup #14

He Sun

Agenda

Introduction

Teaclave FaaS

  • Upgrade to Rust SGX SDK 2.0
  • Q: DockerHub image (Mingshen: add He as owner)
  • MS: apache DockerHub infra for Teaclave
  • Protected FS in 2.0 for macOS/iOS is not supported (Ran)
  • Replace RPC as tonic based on RA-TLS (Yingchun: create a github issue)
  • RA-TLS standard (CCC, Ali, Intel, etc)
  • Function languages: Rust, WebAssembly, Python, Occlum

Teaclave SGX SDK (Rust SGX SDK)

  • Protected FS in SDK is not compatible with Intel SGX SDK
  • Supports Teaclave and Occlum features
  • Cache size/key policy added in Teaclave SGX SDK
  • 2.0 release
    • testing
      • unit test
      • Rust std tests (800) and benchmark
      • sample code test
      • teaclave dependencies
    • document
    • CI
    • EDMM in 2.0 (Occlum will use EDMM)

Teaclave Java TEE SDK

  • 0.1 release
    • Voting
    • Checklist
  • CI (self-hosted runner for GitHub Actions)
    • Apache Infra Jira ticket, GitHub Actions token (Mingshen: apply token)

Teaclave TrustZone SDK (Rust OP-TEE TrustZone SDK)

  • N/A

Attendees

  • He Sun
  • Hongbo Chen
  • Kailun Qin
  • Mingshen Sun
  • Qinkun Bao
  • Ran Duan
  • Sanhong Li
  • Shaojun Wang
  • Yingchun Gao
  • Yu Lei
  • Ziyi Lin

Accepting JavaEnclave to Apache Teaclave (incubating) Proposal

The Teaclave PPMC

Abstract

Teaclave Java TEE SDK is a Java confidential computing programming framework. It follows the host-and-enclave partition programming model defined by Intel-SGX SDK. Teaclave Java TEE SDK provides an elegant way to divide a Java project into host and enclave modules, where the enclave module is a provider of a user-defined service interface, similar to the Java SPI model. Teaclave Java TEE SDK could help you develop and build a Java confidential computing project with high efficiency.

Proposal

Teaclave Java TEE SDK is a pure Java SDK for Java confidential computing. It eases the interactions between secured and unsecured environments with a few concise APIs. From the user's perspective, creating an enclave environment and invoking confidential computing services would be as simple as invoking SPI services.

Background

The Teaclave Java TEE SDK project is being actively developed within Alibaba Cloud.

Rationale

Teaclave Java TEE SDK is a Java confidential computing programming framework. The goal of Teaclave is to provide a universal secure computing platform for multiple programming languages. Teaclave currently supports Rust, Python and WebAssembly, but Java is still missing. Teaclave Java TEE SDK would be an important piece of the puzzle.

Initial Goals

  • Transfer the repository to the Apache Incubator under the Teaclave project
  • Code cleanup and more documentation

Meritocracy:

Teaclave Java TEE SDK project was originally developed and reviewed by Shaojun Wang/Ziyi Lin/Lei Yu/Sanhong Li within Alibaba Cloud. We encourage everyone to ask questions and create pull requests for the project.

Community:

Teaclave Java TEE SDK was developed and applied within Alibaba Cloud before it was donated to Teaclave.

Core Developers:

The core developers are:

Alignment:

The project is complementary to Teaclave's TEE backends.

Known Risks

An exercise in self-knowledge. Risks don't mean that a project is unacceptable. If they are recognized and noted, then they can be addressed during incubation.

Project Name

Teaclave Java TEE SDK was initially developed and applied within Alibaba Cloud as a closed-source project which was called JavaEnclave.

Inexperience with Open Source:

Teaclave Java TEE SDK has been reviewed by Mingshen Sun, who is from the Teaclave community. He's familiar with The Apache Way for the open-source community.

Length of Incubation:

The project will be in incubation with Apache Teaclave (incubating) project.

Documentation

Initial Source

Source and Intellectual Property Submission Plan

We will submit a Software Grant for this project later.

External Dependencies:

The dependencies have Apache-compatible licenses, provided under the BSD 2-Clause license and the GPL 2.0 license. One dependency of Teaclave Java TEE SDK is GraalVM SubstrateVM, under the GPL 2.0 license; it is used as the enclave module's native image compiler. Teaclave Java TEE SDK has contributed some patches to GraalVM, and they have been included in GraalVM's official release assets. Teaclave Java TEE SDK depends on GraalVM's official releases and doesn't make any modifications to GraalVM's source code, so there's no legal risk. https://www.apache.org/legal/resolved.html

Cryptography:

N/A

Required Resources

Mailing lists:

The project shares the same mailing list as Teaclave.

Git Repositories:

  • N/A

Issue Tracking:

Same as Teaclave.

Other Resources:

N/A

Initial Committers

Teaclave Meetup #13

Mingshen Sun

Agenda

Dear Teaclave community,

Since some members have conflicts on tomorrow's meetup and suggested scheduling the meetup today, let's have an informal meet today at 7:00am PT (10am China Time).

There's no presentation today. Let's just have a chitchat and discuss recent updates in the community. Thanks.

Podling Teaclave Report - May 2022

Mingshen Sun

Teaclave

Three most important unfinished issues to address before graduating:

  • Improve project structure and documentation
  • Grow the community (attracting more committers, contributors, users)
  • Publish Apache releases (resolving logistics on Apache release)

Are there any issues that the IPMC or ASF Board need to be aware of?

None.

How has the community developed since the last report?

Since the last report, we have organized three monthly virtual meetups. For each meetup, we have write-ups published on the Teaclave blog.

We also released two versions of the Teaclave platform and Teaclave TrustZone separately:

How has the project developed since the last report?

Here are the summaries of recent progress:

Teaclave FaaS Platform:

Teaclave TrustZone SDK

Teaclave SGX SDK

Website

How would you assess the podling's maturity?

  • Initial setup
  • Working towards first release
  • Community building
  • Nearing graduation
  • Other:

Date of last release:

2021-04-18: Apache Teaclave (incubating) TrustZone SDK 0.2.0

When were the last committers or PPMC members elected?

  • 2022-04-26: Qinkun Bao (Apache ID: qinkun), Committer

Have your mentors been helpful and responsive?

Yes, our mentors work responsively to help us with electing new mentors, developing new features, fixing bugs, and expanding the community.

Is the PPMC managing the podling's brand / trademarks?

We don't find any 3rd parties incorrectly using the podling's name and brand. The VP, Brand has approved the project name. (PODLINGNAMESEARCH-175)

Teaclave Meetup #12

Mingshen Sun

Agenda

  • Recent Updates on Teaclave - Mingshen Sun (10m)
  • Enarx - Wenwen Ruan (40m)
  • Free discussion (10m)

Attendees

  • Mingshen Sun
  • Shuang Liu
  • He Sun
  • Weijie Liu
  • Gordon
  • Tongxin Li
  • Wenhao Wang
  • Ukei Kim

Group Photo


Announcing Apache Teaclave (incubating) 0.4.0

Mingshen Sun

On behalf of the Teaclave community, I am happy to announce the fourth Apache Incubator release of Teaclave, 0.4.0. Teaclave is a universal secure computing platform, making computation on privacy-sensitive data safe and simple. Apache Teaclave (including the FaaS platform, SGX SDK, and TrustZone SDK) is being used and contributed to by developers from many organizations and other open source projects. Please see the powered by page to learn more.

In this release, we mainly focus on better user management, task management, performance improvement and stability.

Highlights

In this release, we introduce role-based access control for user management. Specifically, we define roles like admin, function owner, data owner, data owner manager, etc., and add APIs to support user management functionalities. We also implement a feature to cancel a running task, so that a long-running function which is no longer needed can be killed. Besides these two new features, we made a lot of underlying changes to improve the performance of RPC and the stability of the secure database.

To learn more, here is a list of notable changes in Teaclave version 0.4.0.

Features

  • Add the DisableFunction interface (#620)
  • Better user management interfaces: add the UserUpdate, UserChangePassword, ResetUserPassword, DeleteUser, and ListUsers interfaces
  • Support optional input/output files (#603)
  • Start Teaclave docker services with auto-detection mechanism (#559)
  • Add watchdog functionality to monitor service status (#600)
  • Support canceling a task
  • Support intermediate cert in DCAP attestation cert

Enhancements

  • Better error handling in Python client SDK (#632)
  • Refactor services error types and messages, make them readable to end users
  • Optimize RPC memory footprint of serde (#577)
  • Support selectively including executors (#574)
  • Support AES-GCM output files (#629)
  • Add port probe for service launching
  • Update WAMR version to WAMR-01-18-2022 (#616)
  • Move execution context into a separate crate (#598)
  • Support Ubuntu 20.04 docker image and add corresponding CI pipelines
  • Persistent MockDB in test mode (#580)

Bug Fixes

  • Better task state error and fix cancel error issue in the example (#637)
  • Fix privilege issues in the GetFunction and ListFunctions interfaces (#636)
  • Better building system: fix packages rebuild every time, avoid issues in parallel make (#589, #596)
  • Fix the issue of generating code coverage of tests (#627)
  • Fix LevelDB assertion issue: leveldb lru bug, using disk db for unit test (#583)

Docs

Download

Teaclave 0.4.0 can be downloaded at the download page. Note that it is essential to verify the integrity of the downloaded file using the PGP signature (the .asc file) or a hash (the .sha256 file).
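
One way to script the integrity check described above, as an added example (not part of the original announcement or the project's tooling). It assumes the .sha256 file holds a 64-character hex digest, alone or followed by the file name, and that KEYS is a local copy of the project's published signing keys; the function names are hypothetical. It runs both checks before unpacking.

```shell
#!/bin/sh
# Added example: verify a release tarball before unpacking it.
# Assumption: the .sha256 file carries the digest as a 64-hex-character
# token, either alone or followed by the file name.

# verify_sha256 FILE SUMFILE
# Returns 0 on match, 1 on mismatch, 2 if an input is missing or unusable.
verify_sha256() {
    file=$1
    sumfile=$2
    [ -f "$file" ] && [ -f "$sumfile" ] || return 2
    expected=$(tr 'A-F' 'a-f' < "$sumfile" | grep -Eow '[0-9a-f]{64}' | head -n 1)
    [ -n "$expected" ] || return 2
    actual=$(sha256sum "$file" | cut -d ' ' -f 1)
    [ "$expected" = "$actual" ]
}

# verify_signature FILE KEYS
# Checks FILE.asc against the keys in KEYS only, using a throwaway keyring
# so that unrelated keys in ~/.gnupg cannot satisfy the check.
verify_signature() {
    file=$1
    keys=$2
    tmp=$(mktemp -d) || return 2
    GNUPGHOME=$tmp gpg --quiet --import "$keys" 2>/dev/null &&
        GNUPGHOME=$tmp gpg --verify "$file.asc" "$file" 2>/dev/null
    rc=$?
    rm -rf "$tmp"
    return $rc
}

# safe_extract TARBALL
# Unpacks only after both the hash check and the signature check pass.
safe_extract() {
    verify_sha256 "$1" "$1.sha256" || { echo "sha256 check failed: $1" >&2; return 1; }
    verify_signature "$1" KEYS || { echo "signature check failed: $1" >&2; return 1; }
    tar zxf "$1"
}

# Usage: safe_extract apache-teaclave-0.4.0-incubating.tar.gz
```

A hash alone only detects corruption or tampering if the .sha256 file itself came from a trusted channel; the signature check is what ties the tarball to the release manager's key.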

Documentation

If this is your first time trying Teaclave, we provide a simple but clear tutorial to guide you through getting started with Teaclave by invoking your first function in Teaclave.

Basically, you can build the Teaclave platform using docker with these commands:

$ tar zxvf apache-teaclave-0.4.0-incubating.tar.gz && cd \
apache-teaclave-0.4.0-incubating
$ # Instructions to verify the source tar: https://teaclave.apache.org/download/#verify-the-integrity-of-the-files

$ docker run --rm -v $(pwd):/teaclave -w /teaclave \
-it teaclave/teaclave-build-ubuntu-1804-sgx-2.14:latest \
bash -c ". /root/.cargo/env && \
. /opt/sgxsdk/environment && \
mkdir -p build && cd build && \
cmake -DTEST_MODE=ON -DSGX_SIM_MODE=ON -DGIT_SUBMODULE=OFF .. && \
make"

Launch all services with docker-compose using simulation mode:

$ (cd docker && docker-compose -f docker-compose-ubuntu-1804-sgx-sim-mode.yml up --build)

And invoke function with a Python client:

$ cd examples/python
$ PYTHONPATH=../../sdk/python python3 builtin_echo.py 'Hello, Teaclave!'
[+] registering user
[+] login
[+] registering function
[+] creating task
[+] approving task
[+] invoking task
[+] getting result
[+] done
[+] function return: b'Hello, Teaclave!'

If you want to understand the internals of Teaclave, we provide several documents about the design of Teaclave. Also, we extensively document our codebase in each subdirectory. Finally, API references are automatically generated and uploaded to our homepage.

Community

Announcing Apache Teaclave TrustZone SDK (incubating) 0.2.0

Mingshen Sun

On behalf of the Teaclave community, I am happy to announce the release of Teaclave TrustZone SDK 0.2.0.

Teaclave TrustZone SDK provides abilities to build safe TrustZone applications in Rust. The SDK is based on the OP-TEE project which follows GlobalPlatform TEE specifications and provides ergonomic APIs. In addition, it enables the capability to write TrustZone applications with Rust's standard library and many third-party libraries (i.e., crates). Teaclave TrustZone SDK is a sub-project of Apache Teaclave (incubating). To learn more about the design and history of TrustZone SDK, please read the blog Welcome Rust OP-TEE TrustZone SDK To Teaclave.

This is the second Apache Incubator release of Teaclave TrustZone SDK.

During this period, we are working closely with the OP-TEE community to integrate TA examples written in Rust into the upstream repository. You can try and play with the examples written in Rust with Teaclave TrustZone SDK since the OP-TEE 3.15.0 release.

More specifically, in this release we have the following updates:

Features

  • Add support for tee-supplicant loadable plugins and examples
  • Add TEE Socket APIs and examples

Enhancements

Integration into OP-TEE

  • Add the -rs suffix to examples and update test scripts (#34)
  • Update to OP-TEE 3.14.0 (#35)
  • Update to OP-TEE 3.16.0 (#59)

Building

  • Upgrade building docker to Ubuntu 20.04 (#33)
  • Update Rust toolchain to nightly-2021-09-20 and std to 1.56.1 (#53)
  • Add setup.sh to setup rust environment and initialize submodules (#40, #63)

CI

  • Switch to GitHub Actions (#33)
  • Add expect script for OP-TEE CI and fix CI errors (#45, #50)

Bug fixes

  • Fix ldelf error of arm32 ta (#38)
  • Fix error when making the plugin example a second time (#42)
  • Correct toolchain PATH env (#44)

Docs

  • Add debugging OP-TEE TA doc: Debugging OP-TEE TA
  • Add documentation of Rust examples: Overview of OP-TEE Rust Examples
  • Polish the getting started documentation

Download

You can download the release from the download page. Also, please check out our repository hosted on GitHub.

Contributing

Teaclave TrustZone SDK is under the Apache License v2 and open source in The Apache Way. We aim to create a project that is maintained and owned by the community. All kinds of contributions are welcome. Thanks to our contributors.

Teaclave Meetup #11

Mingshen Sun

Agenda

  • Recent Updates on Teaclave - Mingshen Sun (10m)
  • HyperEnclave - Shuang Liu (40m)
  • Free discussion (10m)

Attendees

  • Mingshen Sun
  • Ran Duan
  • He Sun
  • Weijie Liu
  • Shuang Liu
  • Bing Duan

Group Photo
