├── .bazelrc ├── .bazelversion ├── .circleci └── config.yml ├── .clang-format ├── .clang-tiny ├── .github ├── ISSUE_TEMPLATE │ └── issue_template.yaml └── workflows │ └── stale.yml ├── .gitignore ├── BUILD.bazel ├── CMakeLists.txt ├── LEGAL.md ├── LICENSE ├── README.md ├── README.zh-CN.md ├── REPO_LAYOUT.md ├── WORKSPACE ├── bazel ├── BUILD.bazel ├── cppcodec.BUILD ├── dcap.BUILD ├── gperftools.BUILD ├── httplib.BUILD ├── openssl.BUILD ├── patches │ ├── cppcodec.patch │ └── grpc.patch ├── repositories.bzl ├── sf_apis.BUILD ├── sgxsdk.BUILD └── trustflow.bzl ├── build.sh ├── cargo ├── .gitignore ├── Cargo.toml ├── README.md ├── trustflow-attestation-generator │ ├── Cargo.toml │ └── src │ │ ├── bindings.h │ │ └── main.rs ├── trustflow-attestation-rs │ ├── .gitignore │ ├── Cargo.toml │ ├── build.rs │ └── src │ │ └── lib.rs └── trustflow-attestation-sys │ ├── .gitignore │ ├── Cargo.toml │ ├── bindings.h │ └── src │ ├── .gitignore │ └── lib.rs ├── cmake ├── Abseil.cmake ├── ApisProto.cmake ├── Cppcodec.cmake ├── CsvHeader.cmake ├── DcapVerifier.cmake ├── Emscripten.cmake ├── Fmtlib.cmake ├── Openssl.cmake ├── Protobuf.cmake ├── Pybind.cmake ├── SgxHeaders.cmake ├── Spdlog.cmake ├── Yacl.cmake └── patch │ ├── dcap.patch │ └── dcap2.patch ├── dev-requirements.txt ├── dm_component ├── .gitignore ├── MANIFEST.in ├── README.md ├── componentize │ ├── __init__.py │ ├── compdef.py │ ├── component │ │ ├── component.py │ │ ├── data_utils.py │ │ └── eval_param_reader.py │ ├── constants.py │ ├── kuscia │ │ ├── configmanager.py │ │ ├── datamesh.py │ │ └── kusica_task_config.py │ ├── main.py │ ├── server │ │ ├── .gitignore │ │ ├── Cargo.toml │ │ ├── conf │ │ │ └── flags.conf │ │ ├── kuscia_proto │ │ │ ├── Cargo.toml │ │ │ ├── build.rs │ │ │ └── src │ │ │ │ ├── common.proto │ │ │ │ ├── custom_serde.rs │ │ │ │ ├── datamesh │ │ │ │ ├── domaindata.proto │ │ │ │ └── domaindatasource.proto │ │ │ │ └── lib.rs │ │ └── src │ │ │ ├── client.rs │ │ │ ├── client │ │ │ └── data_mesh_client.rs │ │ │ ├── config.rs │ │ │ ├── constants.rs │ │ │ ├── error.rs │ │ │ ├── main.rs │ │ │ ├── service.rs │ │ │ ├── service │ │ │ ├── download.rs │ │ │ ├── get_domain_data.rs │ │ │ └── upload.rs │ │ │ ├── utils.rs │ │ │ └── utils │ │ │ └── log.rs │ └── tools.py ├── deployment │ ├── Dockerfile │ ├── app_image.yaml │ ├── config_templates.yml │ └── deploy_templates.yml ├── requirements.txt └── setup.py ├── docker ├── trustflow-dev-ubuntu22.04.Dockerfile └── trustflow-release-ubuntu22.04.Dockerfile ├── docs ├── Makefile ├── advanced_topic │ ├── cross_domain_controll_in_tee.md │ ├── index.rst │ └── roadmap.md ├── architecture │ ├── apps │ │ ├── binary_evaluation.md │ │ ├── corr.md │ │ ├── data_describe.md │ │ ├── feature_filter.md │ │ ├── index.rst │ │ ├── intersect.md │ │ ├── lgbm_predict.md │ │ ├── lgbm_train.md │ │ ├── lr_predict.md │ │ ├── lr_train.md │ │ ├── prediction_bias_eval.md │ │ ├── split.md │ │ ├── vif.md │ │ ├── woe_binning.md │ │ ├── woe_substitution.md │ │ ├── xgb_predict.md │ │ └── xgb_train.md │ ├── data_lineage.md │ ├── index.rst │ ├── policy.md │ ├── principle.md │ └── tee │ │ ├── csv.md │ │ ├── index.rst │ │ ├── sgx.md │ │ └── tdx.md ├── build.sh ├── conf.py ├── development │ ├── index.rst │ └── new_component.ipynb ├── images │ ├── constraint_op.jpg │ ├── csv.jpg │ ├── data_lineage.png │ ├── data_output.png │ ├── policy.png │ ├── quick_start.png │ ├── san_quan_flow.jpg │ ├── sgx.png │ ├── sgx_and_tdx.png │ ├── sgx_dcap.png │ ├── tdx.png │ ├── tee_app.png │ ├── tee_roadmap.jpg │ ├── trustflow.jpg │ ├── trustflow_cross_domain_controll.jpg │ ├── trustflow_en.jpg │ ├── trustflow_principle.png │ ├── trustflow_principle_en.png │ └── use_auth.png ├── index.rst ├── make.bat ├── quick_start │ ├── index.rst │ ├── step0.ipynb │ ├── step1.ipynb │ ├── step2.ipynb │ ├── step3.ipynb │ ├── step4.ipynb │ └── step5.ipynb └── requirements.txt ├── env.sh ├── pylib └── trustflow │ └── attestation │ ├── generation │ ├── BUILD.bazel │ ├── __init__.py │ └── generator_modules.cc │ └── verification │ ├── BUILD.bazel │ ├── CMakeLists.txt │ ├── __init__.py │ └── verifier_modules.cc ├── requirements.txt ├── setup.py └── trustflow └── attestation ├── README.md ├── README.zh-CN.md ├── collateral ├── BUILD.bazel ├── hygon_collateral.cc ├── hygon_collateral.h ├── hygon_collateral_test.cc ├── intel_collateral.cc └── intel_collateral.h ├── common ├── BUILD.bazel ├── constants.h └── status.h ├── generation ├── csv │ ├── BUILD.bazel │ ├── csv_generator.cc │ └── csv_generator.h ├── interface │ ├── BUILD.bazel │ ├── generator.cc │ └── generator.h ├── sgx2 │ ├── BUILD.bazel │ ├── sgx2_generator.cc │ └── sgx2_generator.h ├── tdx │ ├── BUILD.bazel │ ├── tdx_generator.cc │ └── tdx_generator.h └── wrapper │ ├── BUILD.bazel │ ├── generator_wrapper.cc │ ├── generator_wrapper.h │ ├── generator_wrapper_c_api.cc │ └── generator_wrapper_c_api.h ├── sample ├── generation │ ├── BUILD.bazel │ └── main.cc └── verification │ └── wasm │ ├── .gitignore │ └── sample_react_app │ ├── .gitignore │ ├── .npmrc │ ├── .umirc.ts │ ├── README.md │ ├── package.json │ ├── pnpm-lock.yaml │ ├── src │ ├── layouts │ │ ├── index.less │ │ └── index.tsx │ └── pages │ │ └── index │ │ ├── .gitignore │ │ └── index.tsx │ ├── tsconfig.json │ └── typings.d.ts ├── utils ├── BUILD.bazel └── json2pb.h └── verification ├── BUILD.bazel ├── CMakeLists.txt ├── csv ├── BUILD.bazel ├── CMakeLists.txt ├── csv_verifier.cc └── csv_verifier.h ├── interface ├── BUILD.bazel ├── CMakeLists.txt ├── verifier.cc └── verifier.h ├── sgx2 ├── BUILD.bazel ├── CMakeLists.txt ├── sgx2_verifier.cc └── sgx2_verifier.h ├── tdx ├── BUILD.bazel ├── CMakeLists.txt ├── tdx_verifier.cc └── tdx_verifier.h ├── verifier_factory.h ├── wasm_binding.cc └── wrapper ├── BUILD.bazel ├── CMakeLists.txt ├── verifier_wrapper.cc ├── verifier_wrapper.h ├── verifier_wrapper_c_api.cc └── verifier_wrapper_c_api.h /.bazelrc: -------------------------------------------------------------------------------- 1 | # Copyright 2023 Ant Group Co., Ltd. 2 | # 3 | # Licensed under the Apache License, Version 2.0 (the "License"); 4 | # you may not use this file except in compliance with the License. 5 | # You may obtain a copy of the License at 6 | # 7 | # http://www.apache.org/licenses/LICENSE-2.0 8 | # 9 | # Unless required by applicable law or agreed to in writing, software 10 | # distributed under the License is distributed on an "AS IS" BASIS, 11 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | # See the License for the specific language governing permissions and 13 | # limitations under the License. 14 | 15 | common --experimental_repo_remote_exec 16 | common --experimental_cc_shared_library 17 | 18 | build --incompatible_new_actions_api=false 19 | build --copt=-fdiagnostics-color=always 20 | build --enable_platform_specific_config 21 | build --force_pic 22 | 23 | coverage --copt -fPIC 24 | 25 | build --cxxopt=-std=c++17 26 | build --host_cxxopt=-std=c++17 27 | 28 | 29 | test --keep_going 30 | test --test_output=errors 31 | test --test_timeout=1800 32 | 33 | # platform specific config 34 | # Bazel will automatic pick platform config since we have enable_platform_specific_config set 35 | build:macos --copt="-Xpreprocessor -fopenmp" 36 | build:macos --copt=-Wno-unused-command-line-argument 37 | build:macos --features=-supports_dynamic_linker 38 | build:macos --cxxopt -Wno-deprecated-enum-enum-conversion 39 | build:macos --cxxopt -Wno-deprecated-anon-enum-enum-conversion 40 | build:macos --macos_minimum_os=11.0 41 | build:macos --host_macos_minimum_os=11.0 42 | 43 | 44 | build:asan --strip=never 45 | build:asan --copt -fno-sanitize-recover=all 46 | build:asan --copt -fsanitize=address 47 | build:asan --copt -Og 48 | build:asan --copt -g 49 | build:asan --copt -fno-omit-frame-pointer 50 | build:asan --linkopt -fsanitize=address 51 | build:asan --linkopt -static-libasan 52 | 53 | build:ubsan --strip=never 54 | build:ubsan --copt -fno-sanitize-recover=all 55 | build:ubsan --copt -fsanitize=undefined 56 | build:ubsan --copt -Og 57 | build:ubsan --copt -g 58 | build:ubsan --copt -fno-omit-frame-pointer 59 | build:ubsan --linkopt -fsanitize=undefined 60 | build:ubsan --linkopt -static-libubsan 61 | 62 | build:macos-asan --features=asan 63 | build:macos-ubsan --features=ubsan 64 | 65 | test:asan --strip=never 66 | test:asan --copt -fno-sanitize-recover=all 67 | test:asan --copt -fsanitize=address 68 | test:asan --copt -O0 69 | test:asan --copt -g 70 | test:asan --copt -fno-omit-frame-pointer 71 | test:asan --linkopt -fsanitize=address 72 | test:asan --linkopt -static-libasan 73 | 74 | test:ubsan --strip=never 75 | test:ubsan --copt -fno-sanitize-recover=all 76 | test:ubsan --copt -fsanitize=undefined 77 | test:ubsan --copt -O0 78 | test:ubsan --copt -g 79 | test:ubsan --copt -fno-omit-frame-pointer 80 | test:ubsan --linkopt -fsanitize=undefined 81 | test:ubsan --linkopt -static-libubsan 82 | -------------------------------------------------------------------------------- /.bazelversion: -------------------------------------------------------------------------------- 1 | 6.2.1 -------------------------------------------------------------------------------- /.clang-format: -------------------------------------------------------------------------------- 1 | # Use the Google style in this project. 2 | BasedOnStyle: Google 3 | 4 | IncludeBlocks: Regroup 5 | IncludeCategories: 6 | - Regex: '^<.*\.h>' 7 | Priority: 1 8 | - Regex: '^<.*' 9 | Priority: 2 10 | - Regex: '.*\.pb\.h"$' 11 | Priority: 5 12 | - Regex: '^"trustflow.*' 13 | Priority: 4 14 | - Regex: '^".*' 15 | Priority: 3 16 | -------------------------------------------------------------------------------- /.clang-tiny: -------------------------------------------------------------------------------- 1 | Checks: "abseil-cleanup-ctad, 2 | abseil-faster-strsplit-delimiter, 3 | abseil-duration-*, 4 | abseil-no-namespace, 5 | abseil-redundant-strcat-calls, 6 | abseil-str-cat-append, 7 | abseil-string-find-startswith, 8 | abseil-upgrade-duration-conversions 9 | bugprone-*, 10 | -bugprone-easily-swappable-parameters, 11 | google-build-using-namespace, 12 | google-explicit-constructor, 13 | google-global-names-in-headers, 14 | google-readability-casting, 15 | google-runtime-int, 16 | google-runtime-operator, 17 | misc-unused-using-decls, 18 | modernize-*, 19 | -modernize-use-trailing-return-type, 20 | -modernize-use-nodiscard, 21 | performance-*, 22 | readability-*, 23 | -readability-else-after-return, 24 | -readability-identifier-length, 25 | -readability-magic-numbers, 26 | -readability-named-parameter" 27 | 28 | CheckOptions: 29 | - key: bugprone-argument-comment.StrictMode 30 | value: 1 31 | 32 | - key: bugprone-dangling-handle.HandleClasses 33 | value: "std::basic_string_view;std::experimental::basic_string_view;absl::string_view" 34 | 35 | - key: misc-non-private-member-variables-in-classes.IgnoreClassesWithAllMemberVariablesBeingPublic 36 | value: 1 37 | 38 | # Ignore GoogleTest function macros. 39 | - key: readability-identifier-naming.FunctionIgnoredRegexp 40 | value: "(TEST|TEST_F|TEST_P|INSTANTIATE_TEST_SUITE_P|MOCK_METHOD|TYPED_TEST)" 41 | 42 | - key: readability-identifier-naming.ClassCase 43 | value: "CamelCase" 44 | 45 | - key: readability-identifier-naming.EnumCase 46 | value: "CamelCase" 47 | 48 | - key: readability-identifier-naming.EnumConstantCase 49 | value: "CamelCase" 50 | 51 | - key: readability-identifier-naming.ParameterCase 52 | value: "lower_case" 53 | 54 | - key: readability-identifier-naming.PrivateMemberCase 55 | value: "lower_case" 56 | 57 | - key: readability-identifier-naming.PrivateMemberSuffix 58 | value: "_" 59 | 60 | - key: readability-identifier-naming.StructCase 61 | value: "CamelCase" 62 | 63 | - key: readability-identifier-naming.TypeAliasCase 64 | value: "CamelCase" 65 | 66 | - key: readability-identifier-naming.UnionCase 67 | value: "CamelCase" 68 | 69 | - key: readability-identifier-naming.FunctionCase 70 | value: "CamelBack" -------------------------------------------------------------------------------- /.github/workflows/stale.yml: -------------------------------------------------------------------------------- 1 | --- 2 | name: Mark stale issues and pull requests 3 | on: 4 | workflow_dispatch: 5 | schedule: 6 | - cron: 40 9 * * * 7 | jobs: 8 | stale: 9 | uses: secretflow/.github/.github/workflows/stale.yml@main 10 | -------------------------------------------------------------------------------- /.gitignore: -------------------------------------------------------------------------------- 1 | # devtools 2 | .idea/ 3 | *.plist 4 | clion/ 5 | *.swp 6 | tags 7 | sftp-config.json 8 | build_cmakelist.py 9 | .akconfig 10 | .cloudide/ 11 | *.code-workspace 12 | vipclient-* 13 | *.pb.h 14 | *.pb.cc 15 | compile_commands.json 16 | .clangd 17 | Pipfile 18 | .vscode 19 | 20 | # python-package 21 | /dist 22 | *.egg-info 23 | __pycache__ 24 | build 25 | _build 26 | 27 | # bazel 28 | bazel-* 29 | 30 | # cmake related 31 | abseil-cpp 32 | bld 33 | bld.install 34 | CMakeCache.txt 35 | cmake_install.cmake 36 | CTestTestfile.cmake 37 | 38 | # mixed 39 | .DS_Store 40 | .ipynb_checkpoints 41 | trace.*log 42 | 43 | dump/ 44 | 45 | # clangd cache 46 | .cache 47 | external 48 | 49 | *metadata.txt 50 | 51 | target 52 | _build 53 | .venv 54 | -------------------------------------------------------------------------------- /BUILD.bazel: -------------------------------------------------------------------------------- 1 | # Copyright 2024 Ant Group Co., Ltd. 2 | # 3 | # Licensed under the Apache License, Version 2.0 (the "License"); 4 | # you may not use this file except in compliance with the License. 5 | # You may obtain a copy of the License at 6 | # 7 | # http://www.apache.org/licenses/LICENSE-2.0 8 | # 9 | # Unless required by applicable law or agreed to in writing, software 10 | # distributed under the License is distributed on an "AS IS" BASIS, 11 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | # See the License for the specific language governing permissions and 13 | # limitations under the License. 14 | 15 | package(default_visibility = ["//visibility:public"]) 16 | 17 | cc_library( 18 | name = "hygon_csv_header", 19 | hdrs = ["@hygon_csv_header//file:csv/attestation/attestation.h"], 20 | strip_include_prefix = "file", 21 | ) 22 | -------------------------------------------------------------------------------- /CMakeLists.txt: -------------------------------------------------------------------------------- 1 | cmake_minimum_required(VERSION 3.5.1) 2 | 3 | # Define build mode 4 | set(BUILD_MODE 5 | "wasm" 6 | CACHE STRING "Select build mode for libverification(host|wasm)") 7 | 8 | # Print build mode 9 | message(STATUS "Build Mode: ${BUILD_MODE}") 10 | 11 | 12 | set(CMAKE_POSITION_INDEPENDENT_CODE ON) 13 | 14 | if(BUILD_MODE STREQUAL "wasm") 15 | set(CMAKE_TOOLCHAIN_FILE "${CMAKE_CURRENT_SOURCE_DIR}/cmake/Emscripten.cmake") 16 | set(WASM 1) 17 | add_definitions(-DWASM) 18 | SET(CMAKE_CXX_FLAGS "${CMAKE_CXX_FLAGS} -sMAIN_MODULE=2 -fPIC -fexceptions -O3") 19 | elseif() 20 | 21 | endif() 22 | 23 | project(trustflow) 24 | 25 | set(CMAKE_CXX_STANDARD 17) 26 | set(CMAKE_CXX_STANDARD_REQUIRED ON) 27 | set(CMAKE_CXX_EXTENSIONS OFF) 28 | 29 | list(APPEND CMAKE_MODULE_PATH "${CMAKE_CURRENT_SOURCE_DIR}/cmake") 30 | 31 | include(Abseil) 32 | include(ApisProto) 33 | include(Cppcodec) 34 | include(DcapVerifier) 35 | include(Fmtlib) 36 | include(Openssl) 37 | include(Protobuf) 38 | include(SgxHeaders) 39 | include(Yacl) 40 | include(Spdlog) 41 | include(CsvHeader) 42 | # include(Pybind) 43 | 44 | include_directories(${CMAKE_CURRENT_SOURCE_DIR}) 45 | 46 | add_subdirectory(trustflow/attestation/verification) 47 | add_subdirectory(pylib/trustflow/attestation/verification) 48 | -------------------------------------------------------------------------------- /LEGAL.md: -------------------------------------------------------------------------------- 1 | Legal Disclaimer 2 | 3 | Within this source code, the comments in Chinese shall be the original, governing version. Any comment in other languages are for reference only. In the event of any conflict between the Chinese language version comments and other language version comments, the Chinese language version shall prevail. 4 | 5 | 法律免责声明 6 | 7 | 关于代码注释部分,中文注释为官方版本,其它语言注释仅做参考。中文注释可能与其它语言注释存在不一致,当中文注释与其它语言注释存在不一致时,请以中文注释为准。 -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 |

2 | 简体中文English 3 |

4 | 5 | ## What's TrustFlow 6 | 7 | **TrustFlow** is a zero-trust computing system based on TEE(Trusted Execution Environments). TrustFlow derives its name from the fusion of **Trusted** Execution environments and **Secret**Flow. 8 | 9 | TrustFlow leverages trusted execution environment technology to establish a secure and isolated environment that safeguards sensitive data. With a focus on data confidentiality, integrity, and availability, TrustFlow provides robust data storage and processing capabilities. 10 | 11 | By employing encryption and utilizing controlled and restricted environments, TrustFlow ensures protection against unauthorized access. It incorporatesa range of security measures, such as remote authentication, computational isolation, authorization controls, and auditing mechanisms to provide comprehensive data protection. The implementation of end-to-end encryption enhances its zero-trust security features, allowing encryption mechanisms to be validated and limiting data access to the absolute minimum permissions required. 12 | 13 | In addition to its strong security features, TrustFlow offers a diverse array of data processing functionalities. These include data preprocessing, classical machine learning, deep learning, large language modeling, and data analysis. These capabilities empower organizations to maximize the value of their data while preserving privacy. 14 | 15 | TrustFlow is especially valuable in scenarios that involve secure storage, processing, or sharing of sensitive data, as it effectively mitigates the risks associated with data exposure and unauthorized usage. Its comprehensive security measures and powerful data processing capabilities make it a reliable solution for organizations seeking to protect their data and make the most of its potential. 16 | 17 | ![trustflow](./docs/images/trustflow_en.jpg) 18 | 19 | ## Documentation 20 | 21 | - [TrustFlow](https://www.secretflow.org.cn/docs/trustflow) 22 | 23 | ## TrustFlow Related Projects 24 | 25 | - [CapsuleManager](https://github.com/asterinas/trustflow-capsule-manager): authorization and key management module. 26 | - [TEEAPPs](https://github.com/asterinas/trustflow-teeapps): trusted applications. 27 | - [CapsuleManagerSDK](https://github.com/asterinas/trustflow-capsule-manager-sdk): the CLI tool and sdk for CapsuleManager. 28 | 29 | ## Roadmap 30 | 31 | [roadmap](./docs/advanced_topic/roadmap.md) -------------------------------------------------------------------------------- /README.zh-CN.md: -------------------------------------------------------------------------------- 1 |

2 | 简体中文English 3 |

4 | 5 | ## TrustFlow 6 | 7 | 可信执行环境(Trusted Execution Environment,TEE) 是一种基于硬件的隐私保护技术。它保证了执行代码的真实性,运行时状态(如寄存器、内存和敏感I/O)的完整性,以及存储在内存中的代码、数据和运行时状态的机密性。此外,还应能够向第三方提供远程认证,以证明其可靠性。 8 | 9 | **TrustFlow**是隐语基于可信硬件的隐私计算引擎。TrustFlow立足于可信执行环境技术,提供受保护和隔离的环境,其中封装了敏感数据,并且提供数据安全存储和处理能力。TrustFlow可以保护数据的机密性、完整性和可用性。 10 | 11 | 在TrustFlow中,数据被加密并存储在受控环境中,以防止未经授权访问。TrustFlow采用多种安全措施,如远程认证、计算隔离、授权管控和审计机制,以确保数据被正确保护。TrustFlow具有端到端全链路加密能力,提供了零信任(Zero-Trust)安全特性,机构可以对TrustFlow进行验证,限制数据使用最小权限访问。 12 | 13 | 与此同时,TrustFlow提供了丰富的数据加工处理能力,包括数据预处理、经典机器学习、深度学习、大模型、数据分析等,在保护数据隐私的同时可以充分释放数据价值。 14 | 15 | TrustFlow可用于需要安全存储、处理或共享敏感数据的场景,以最大程度地减少暴露或未经授权使用的风险。 16 | 17 | ![trustflow](./docs/images/trustflow.jpg) 18 | 19 | ## 文档 20 | 21 | - [TrustFlow](https://www.secretflow.org.cn/docs/trustflow) 22 | 23 | ## 关联的代码仓库 24 | 25 | - [CapsuleManager](https://github.com/asterinas/trustflow-capsule-manager): 授权和密钥管理模块。 26 | - [TEEAPPs](https://github.com/asterinas/trustflow-teeapps): 可信应用。 27 | - [CapsuleManagerSDK](https://github.com/asterinas/trustflow-capsule-manager-sdk): CapsuleManager的命令行工具和SDK。 28 | 29 | ## 路线图 30 | 31 | [roadmap](./docs/advanced_topic/roadmap.md) -------------------------------------------------------------------------------- /REPO_LAYOUT.md: -------------------------------------------------------------------------------- 1 | # Repository Layout 2 | 3 | This is a high level overview of how the repository is laid out. Some major folders are listed below: 4 | 5 | * [bazel/](bazel/): Configuration for TrustFlow's use of [Bazel](https://bazel.build/). It includes some remote repositories and rules that we use in our build system. 6 | * [dm_component/](dm_component/): Data management component. 7 | * [docker/](docker/): Dockerfiles used to build images for compiling or running TrustFlow. 8 | * [docs/](docs/): Documents of TrustFlow. 9 | * [trustflow/](trustflow/): Some common libs used by TrustFlow. 10 | * [attestation/](trustflow/attestation/): C++ implementations of remote attestation for different platforms. 11 | * [collateral/](trustflow/attestation/collateral/): Get quote collateral in Passport type report. 12 | * [common/](trustflow/attestation/common/): Common definitions or implementations for attestation. 13 | * [generation/](trustflow/attestation/generation/): Remote attestation generation. 14 | * [sample/](trustflow/attestation/sample/): Sample code for attestation. 15 | * [utils/](trustflow/attestation/utils/): Utilities for attestation. 16 | * [verification/](trustflow/attestation/verification/): Remote attestation verification. -------------------------------------------------------------------------------- /WORKSPACE: -------------------------------------------------------------------------------- 1 | # Copyright 2024 Ant Group Co., Ltd. 2 | # 3 | # Licensed under the Apache License, Version 2.0 (the "License"); 4 | # you may not use this file except in compliance with the License. 5 | # You may obtain a copy of the License at 6 | # 7 | # http://www.apache.org/licenses/LICENSE-2.0 8 | # 9 | # Unless required by applicable law or agreed to in writing, software 10 | # distributed under the License is distributed on an "AS IS" BASIS, 11 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | # See the License for the specific language governing permissions and 13 | # limitations under the License. 14 | 15 | workspace(name = "trustflow") 16 | 17 | load("//bazel:repositories.bzl", "trustflow_dependencies") 18 | 19 | trustflow_dependencies() 20 | 21 | load("@com_github_grpc_grpc//bazel:grpc_deps.bzl", "grpc_deps") 22 | 23 | grpc_deps() 24 | 25 | load("@com_github_grpc_grpc//bazel:grpc_extra_deps.bzl", "grpc_extra_deps") 26 | 27 | grpc_extra_deps() 28 | 29 | load("@yacl//bazel:repositories.bzl", "yacl_deps") 30 | 31 | yacl_deps() 32 | 33 | # need by yacl 34 | load("@rules_python//python:repositories.bzl", "py_repositories") 35 | 36 | py_repositories() 37 | 38 | load("@rules_proto_grpc//:repositories.bzl", "rules_proto_grpc_repos", "rules_proto_grpc_toolchains") 39 | 40 | rules_proto_grpc_toolchains() 41 | 42 | rules_proto_grpc_repos() 43 | 44 | load("@rules_proto_grpc//cpp:repositories.bzl", rules_proto_grpc_cpp_repos = "cpp_repos") 45 | 46 | rules_proto_grpc_cpp_repos() 47 | 48 | load( 49 | "@rules_foreign_cc//foreign_cc:repositories.bzl", 50 | "rules_foreign_cc_dependencies", 51 | ) 52 | 53 | rules_foreign_cc_dependencies( 54 | register_built_tools = False, 55 | register_default_tools = False, 56 | register_preinstalled_tools = True, 57 | ) 58 | -------------------------------------------------------------------------------- /bazel/BUILD.bazel: -------------------------------------------------------------------------------- 1 | # Copyright 2024 Ant Group Co., Ltd. 2 | # 3 | # Licensed under the Apache License, Version 2.0 (the "License"); 4 | # you may not use this file except in compliance with the License. 5 | # You may obtain a copy of the License at 6 | # 7 | # http://www.apache.org/licenses/LICENSE-2.0 8 | # 9 | # Unless required by applicable law or agreed to in writing, software 10 | # distributed under the License is distributed on an "AS IS" BASIS, 11 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | # See the License for the specific language governing permissions and 13 | # limitations under the License. 14 | 15 | package(default_visibility = ["//visibility:public"]) 16 | 17 | config_setting( 18 | name = "trustflow_build_as_release", 19 | values = {"compilation_mode": "opt"}, 20 | ) 21 | 22 | config_setting( 23 | name = "trustflow_build_as_debug", 24 | values = {"compilation_mode": "dbg"}, 25 | ) 26 | 27 | config_setting( 28 | name = "trustflow_build_as_fast", 29 | values = {"compilation_mode": "fastbuild"}, 30 | ) 31 | 32 | config_setting( 33 | name = "with_boringssl", 34 | values = {"define": "ssl=boringssl"}, 35 | ) 36 | 37 | alias( 38 | name = "ssl", 39 | actual = select({ 40 | ":with_boringssl": "@boringssl//:ssl", 41 | "//conditions:default": "@com_github_openssl_openssl//:openssl", 42 | }), 43 | ) 44 | 45 | alias( 46 | name = "crypto", 47 | actual = select({ 48 | ":with_boringssl": "@boringssl//:ssl", 49 | "//conditions:default": "@com_github_openssl_openssl//:openssl", 50 | }), 51 | ) 52 | -------------------------------------------------------------------------------- /bazel/cppcodec.BUILD: -------------------------------------------------------------------------------- 1 | # Copyright 2024 Ant Group Co., Ltd. 2 | # 3 | # Licensed under the Apache License, Version 2.0 (the "License"); 4 | # you may not use this file except in compliance with the License. 5 | # You may obtain a copy of the License at 6 | # 7 | # http://www.apache.org/licenses/LICENSE-2.0 8 | # 9 | # Unless required by applicable law or agreed to in writing, software 10 | # distributed under the License is distributed on an "AS IS" BASIS, 11 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | # See the License for the specific language governing permissions and 13 | # limitations under the License. 14 | 15 | load("@rules_cc//cc:defs.bzl", "cc_library") 16 | 17 | cc_library( 18 | name = "cppcodec", 19 | hdrs = glob([ 20 | "cppcodec/data/*.hpp", 21 | "cppcodec/detail/*.hpp", 22 | "cppcodec/*.hpp", 23 | ]), 24 | visibility = ["//visibility:public"], 25 | ) 26 | -------------------------------------------------------------------------------- /bazel/dcap.BUILD: -------------------------------------------------------------------------------- 1 | # Copyright 2024 Ant Group Co., Ltd. 2 | # 3 | # Licensed under the Apache License, Version 2.0 (the "License"); 4 | # you may not use this file except in compliance with the License. 5 | # You may obtain a copy of the License at 6 | # 7 | # http://www.apache.org/licenses/LICENSE-2.0 8 | # 9 | # Unless required by applicable law or agreed to in writing, software 10 | # distributed under the License is distributed on an "AS IS" BASIS, 11 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | # See the License for the specific language governing permissions and 13 | # limitations under the License. 14 | 15 | package(default_visibility = ["//visibility:public"]) 16 | 17 | cc_library( 18 | name = "sgx_dcap_quoteverify", 19 | linkopts = ["-lsgx_dcap_quoteverify"], 20 | deps = [ 21 | ":sgx_dcap_quoteverify_header", 22 | "@sgxsdk//:sgxsdk_header", 23 | ], 24 | ) 25 | 26 | cc_library( 27 | name = "sgx_dcap_quoteverify_header", 28 | hdrs = [ 29 | "QuoteVerification/dcap_quoteverify/inc/sgx_dcap_quoteverify.h", 30 | ], 31 | strip_include_prefix = "QuoteVerification/dcap_quoteverify/inc", 32 | ) 33 | 34 | cc_library( 35 | name = "qgs_msg_lib", 36 | srcs = ["QuoteGeneration/quote_wrapper/qgs_msg_lib/qgs_msg_lib.cpp"], 37 | hdrs = [ 38 | "QuoteGeneration/quote_wrapper/qgs_msg_lib/inc/qgs_msg_lib.h", 39 | ], 40 | strip_include_prefix = "QuoteGeneration/quote_wrapper/qgs_msg_lib/inc", 41 | ) 42 | 43 | cc_library( 44 | name = "tdx_attest", 45 | srcs = ["QuoteGeneration/quote_wrapper/tdx_attest/tdx_attest.c"], 46 | hdrs = [ 47 | "QuoteGeneration/quote_wrapper/tdx_attest/tdx_attest.h", 48 | ], 49 | strip_include_prefix = "QuoteGeneration/quote_wrapper/tdx_attest", 50 | deps = [":qgs_msg_lib"], 51 | ) 52 | -------------------------------------------------------------------------------- /bazel/gperftools.BUILD: -------------------------------------------------------------------------------- 1 | # Copyright 2024 Ant Group Co., Ltd. 2 | # 3 | # Licensed under the Apache License, Version 2.0 (the "License"); 4 | # you may not use this file except in compliance with the License. 5 | # You may obtain a copy of the License at 6 | # 7 | # http://www.apache.org/licenses/LICENSE-2.0 8 | # 9 | # Unless required by applicable law or agreed to in writing, software 10 | # distributed under the License is distributed on an "AS IS" BASIS, 11 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | # See the License for the specific language governing permissions and 13 | # limitations under the License. 14 | 15 | load("@rules_cc//cc:defs.bzl", "cc_library") 16 | load("@rules_foreign_cc//foreign_cc:defs.bzl", "configure_make") 17 | 18 | package(default_visibility = ["//visibility:public"]) 19 | 20 | filegroup( 21 | name = "all_srcs", 22 | srcs = glob(["**"]), 23 | ) 24 | 25 | configure_make( 26 | name = "gperftools_build", 27 | configure_options = [ 28 | "--enable-shared=no", 29 | "--enable-frame-pointers", 30 | "--disable-libunwind", 31 | "--disable-dependency-tracking", 32 | ], 33 | copts = ["-fPIC"], 34 | env = { 35 | "AR": "", 36 | }, 37 | lib_source = ":all_srcs", 38 | linkopts = ["-lpthread"], 39 | out_static_libs = ["libtcmalloc_and_profiler.a"], 40 | targets = ["-s -j4 install-libLTLIBRARIES install-perftoolsincludeHEADERS"], 41 | ) 42 | 43 | cc_library( 44 | name = "gperftools", 45 | deps = [ 46 | "gperftools_build", 47 | ], 48 | ) 49 | -------------------------------------------------------------------------------- /bazel/httplib.BUILD: -------------------------------------------------------------------------------- 1 | # Copyright 2024 Ant Group Co., Ltd. 2 | # 3 | # Licensed under the Apache License, Version 2.0 (the "License"); 4 | # you may not use this file except in compliance with the License. 5 | # You may obtain a copy of the License at 6 | # 7 | # http://www.apache.org/licenses/LICENSE-2.0 8 | # 9 | # Unless required by applicable law or agreed to in writing, software 10 | # distributed under the License is distributed on an "AS IS" BASIS, 11 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | # See the License for the specific language governing permissions and 13 | # limitations under the License. 14 | 15 | package(default_visibility = ["//visibility:public"]) 16 | 17 | cc_library( 18 | name = "httplib", 19 | hdrs = ["httplib.h"], 20 | copts = ["-DCPPHTTPLIB_OPENSSL_SUPPORT"], 21 | deps = ["@com_github_openssl_openssl//:openssl"], 22 | ) 23 | -------------------------------------------------------------------------------- /bazel/openssl.BUILD: -------------------------------------------------------------------------------- 1 | # Copyright 2024 Ant Group Co., Ltd. 2 | # 3 | # Licensed under the Apache License, Version 2.0 (the "License"); 4 | # you may not use this file except in compliance with the License. 5 | # You may obtain a copy of the License at 6 | # 7 | # http://www.apache.org/licenses/LICENSE-2.0 8 | # 9 | # Unless required by applicable law or agreed to in writing, software 10 | # distributed under the License is distributed on an "AS IS" BASIS, 11 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | # See the License for the specific language governing permissions and 13 | # limitations under the License. 14 | 15 | package(default_visibility = ["//visibility:public"]) 16 | 17 | cc_library( 18 | name = "openssl", 19 | linkopts = [ 20 | "-lssl", 21 | "-lcrypto", 22 | ], 23 | ) 24 | -------------------------------------------------------------------------------- /bazel/patches/cppcodec.patch: -------------------------------------------------------------------------------- 1 | diff --git a/cppcodec/base32_rfc4648_unpadded.hpp b/cppcodec/base32_rfc4648_unpadded.hpp 2 | new file mode 100644 3 | index 0000000..5b73a63 4 | --- /dev/null 5 | +++ b/cppcodec/base32_rfc4648_unpadded.hpp 6 | @@ -0,0 +1,48 @@ 7 | +/** 8 | + * Copyright (C) 2016 Topology LP 9 | + * All rights reserved. 10 | + * 11 | + * Permission is hereby granted, free of charge, to any person obtaining a copy 12 | + * of this software and associated documentation files (the "Software"), to 13 | + * deal in the Software without restriction, including without limitation the 14 | + * rights to use, copy, modify, merge, publish, distribute, sublicense, and/or 15 | + * sell copies of the Software, and to permit persons to whom the Software is 16 | + * furnished to do so, subject to the following conditions: 17 | + * 18 | + * The above copyright notice and this permission notice shall be included in 19 | + * all copies or substantial portions of the Software. 20 | + * 21 | + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR 22 | + * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, 23 | + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL 24 | + * THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER 25 | + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING 26 | + * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS 27 | + * IN THE SOFTWARE. 28 | + */ 29 | + 30 | +#ifndef CPPCODEC_BASE32_RFC4648_UNPADDED 31 | +#define CPPCODEC_BASE32_RFC4648_UNPADDED 32 | + 33 | +#include "base32_rfc4648.hpp" 34 | + 35 | +namespace cppcodec { 36 | + 37 | +namespace detail { 38 | + 39 | +class base32_rfc4648_unpadded : public base32_rfc4648 40 | +{ 41 | +public: 42 | + template using codec_impl = stream_codec; 43 | + 44 | + static CPPCODEC_ALWAYS_INLINE constexpr bool generates_padding() { return false; } 45 | + static CPPCODEC_ALWAYS_INLINE constexpr bool requires_padding() { return false; } 46 | +}; 47 | + 48 | +} // namespace detail 49 | + 50 | +using base32_rfc4648_unpadded = detail::codec>; 51 | + 52 | +} // namespace cppcodec 53 | + 54 | +#endif // CPPCODEC_BASE32_RFC4648_UNPADDED 55 | -------------------------------------------------------------------------------- /bazel/patches/grpc.patch: -------------------------------------------------------------------------------- 1 | diff --git a/bazel/grpc_deps.bzl b/bazel/grpc_deps.bzl 2 | index 0954ed54d4..0c85e99b01 100644 3 | --- a/bazel/grpc_deps.bzl 4 | +++ b/bazel/grpc_deps.bzl 5 | @@ -57,12 +57,12 @@ def grpc_deps(): 6 | 7 | native.bind( 8 | name = "libssl", 9 | - actual = "@boringssl//:ssl", 10 | + actual = "@com_github_openssl_openssl//:openssl", 11 | ) 12 | 13 | native.bind( 14 | name = "libcrypto", 15 | - actual = "@boringssl//:crypto", 16 | + actual = "@com_github_openssl_openssl//:openssl", 17 | ) 18 | 19 | native.bind( 20 | -------------------------------------------------------------------------------- /bazel/sf_apis.BUILD: -------------------------------------------------------------------------------- 1 | # Copyright 2024 Ant Group Co., Ltd. 2 | # 3 | # Licensed under the Apache License, Version 2.0 (the "License"); 4 | # you may not use this file except in compliance with the License. 5 | # You may obtain a copy of the License at 6 | # 7 | # http://www.apache.org/licenses/LICENSE-2.0 8 | # 9 | # Unless required by applicable law or agreed to in writing, software 10 | # distributed under the License is distributed on an "AS IS" BASIS, 11 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | # See the License for the specific language governing permissions and 13 | # limitations under the License. 14 | 15 | load("@rules_proto//proto:defs.bzl", "proto_library") 16 | 17 | package(default_visibility = ["//visibility:public"]) 18 | 19 | proto_library( 20 | name = "sf_apis_proto", 21 | srcs = glob([ 22 | "secretflowapis/v2/**/*.proto", 23 | ]), 24 | visibility = ["//visibility:public"], 25 | deps = [ 26 | "@com_google_protobuf//:any_proto", 27 | ], 28 | ) 29 | 30 | cc_proto_library( 31 | name = "cc_sf_apis_proto", 32 | deps = [ 33 | ":sf_apis_proto", 34 | ], 35 | ) 36 | -------------------------------------------------------------------------------- /bazel/sgxsdk.BUILD: -------------------------------------------------------------------------------- 1 | # Copyright 2024 Ant Group Co., Ltd. 2 | # 3 | # Licensed under the Apache License, Version 2.0 (the "License"); 4 | # you may not use this file except in compliance with the License. 5 | # You may obtain a copy of the License at 6 | # 7 | # http://www.apache.org/licenses/LICENSE-2.0 8 | # 9 | # Unless required by applicable law or agreed to in writing, software 10 | # distributed under the License is distributed on an "AS IS" BASIS, 11 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | # See the License for the specific language governing permissions and 13 | # limitations under the License. 14 | 15 | package(default_visibility = ["//visibility:public"]) 16 | 17 | cc_library( 18 | name = "sgxsdk_header", 19 | hdrs = glob(["include/*.h"]), 20 | strip_include_prefix = "include", 21 | ) 22 | -------------------------------------------------------------------------------- /bazel/trustflow.bzl: -------------------------------------------------------------------------------- 1 | # Copyright 2024 Ant Group Co., Ltd. 2 | # 3 | # Licensed under the Apache License, Version 2.0 (the "License"); 4 | # you may not use this file except in compliance with the License. 5 | # You may obtain a copy of the License at 6 | # 7 | # http://www.apache.org/licenses/LICENSE-2.0 8 | # 9 | # Unless required by applicable law or agreed to in writing, software 10 | # distributed under the License is distributed on an "AS IS" BASIS, 11 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | # See the License for the specific language governing permissions and 13 | # limitations under the License. 14 | 15 | """ 16 | warpper bazel cc_xx to modify flags. 17 | """ 18 | 19 | load("@rules_cc//cc:defs.bzl", "cc_binary", "cc_library", "cc_test") 20 | 21 | WARNING_FLAGS = [ 22 | "-Wall", 23 | "-Wextra", 24 | "-Werror", 25 | "-Wno-unused-parameter", 26 | "-Wnon-virtual-dtor", 27 | ] + select({ 28 | "@bazel_tools//src/conditions:darwin": ["-Wunused-const-variable"], 29 | "//conditions:default": ["-Wunused-const-variable=1"], 30 | }) 31 | DEBUG_FLAGS = ["-O0", "-g"] 32 | RELEASE_FLAGS = ["-O2"] 33 | FAST_FLAGS = ["-O1"] 34 | 35 | def _trustflow_copts(): 36 | return select({ 37 | "@trustflow//bazel:trustflow_build_as_release": RELEASE_FLAGS, 38 | "@trustflow//bazel:trustflow_build_as_debug": DEBUG_FLAGS, 39 | "@trustflow//bazel:trustflow_build_as_fast": FAST_FLAGS, 40 | "//conditions:default": FAST_FLAGS, 41 | }) + WARNING_FLAGS 42 | 43 | def trustflow_cc_binary( 44 | linkopts = [], 45 | copts = [], 46 | deps = [], 47 | **kargs): 48 | cc_binary( 49 | linkopts = linkopts + ["-lm"], 50 | copts = copts + _trustflow_copts(), 51 | deps = deps, 52 | **kargs 53 | ) 54 | 55 | def trustflow_cc_library( 56 | linkopts = [], 57 | copts = [], 58 | deps = [], 59 | **kargs): 60 | cc_library( 61 | linkopts = linkopts + ["-ldl"], 62 | copts = _trustflow_copts() + copts, 63 | deps = deps + [ 64 | "@com_github_gabime_spdlog//:spdlog", 65 | ], 66 | **kargs 67 | ) 68 | 69 | def trustflow_cc_test( 70 | linkopts = [], 71 | copts = [], 72 | deps = [], 73 | linkstatic = True, 74 | **kwargs): 75 | cc_test( 76 | # -lm for tcmalloc 77 | linkopts = linkopts + ["-lm"], 78 | copts = _trustflow_copts() + copts, 79 | deps = deps + [ 80 | "@com_google_googletest//:gtest_main", 81 | ], 82 | # static link for tcmalloc 83 | linkstatic = linkstatic, 84 | **kwargs 85 | ) 86 | -------------------------------------------------------------------------------- /build.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | # 3 | # Copyright 2024 Ant Group Co., Ltd. 4 | # 5 | # Licensed under the Apache License, Version 2.0 (the "License"); 6 | # you may not use this file except in compliance with the License. 7 | # You may obtain a copy of the License at 8 | # 9 | # http://www.apache.org/licenses/LICENSE-2.0 10 | # 11 | # Unless required by applicable law or agreed to in writing, software 12 | # distributed under the License is distributed on an "AS IS" BASIS, 13 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 14 | # See the License for the specific language governing permissions and 15 | # limitations under the License. 16 | # 17 | 18 | bazel --output_base=target build //trustflow/... -c opt --repository_cache=/tmp/bazel_repo_cache --remote_download_minimal 19 | -------------------------------------------------------------------------------- /cargo/.gitignore: -------------------------------------------------------------------------------- 1 | Cargo.lock -------------------------------------------------------------------------------- /cargo/Cargo.toml: -------------------------------------------------------------------------------- 1 | [workspace] 2 | 3 | members = [ 4 | "trustflow-attestation-generator", 5 | "trustflow-attestation-sys", 6 | "trustflow-attestation-rs" 7 | ] -------------------------------------------------------------------------------- /cargo/README.md: -------------------------------------------------------------------------------- 1 | # TrustFlow Attestation Rust Library Binding 2 | 3 | 4 | Excecute this command to generate the binding code: 5 | ``` 6 | cargo run -p trustflow-attestation-generator -- \ 7 | --headers-dir .. --header trustflow-attestation-generator/src/bindings.h -o trustflow-attestation-sys/src 8 | ``` -------------------------------------------------------------------------------- /cargo/trustflow-attestation-generator/Cargo.toml: -------------------------------------------------------------------------------- 1 | [package] 2 | name = "trustflow-attestation-generator" 3 | version = "0.3.1-dev20240726" 4 | edition = "2021" 5 | 6 | # See more keys and their definitions at https://doc.rust-lang.org/cargo/reference/manifest.html 7 | 8 | [dependencies] 9 | clap = { version = "4.5.2", features = ["derive"] } 10 | bindgen = "0.65.1" -------------------------------------------------------------------------------- /cargo/trustflow-attestation-generator/src/bindings.h: -------------------------------------------------------------------------------- 1 | // Copyright 2024 Ant Group Co., Ltd. 2 | // 3 | // Licensed under the Apache License, Version 2.0 (the "License"); 4 | // you may not use this file except in compliance with the License. 5 | // You may obtain a copy of the License at 6 | // 7 | // http://www.apache.org/licenses/LICENSE-2.0 8 | // 9 | // Unless required by applicable law or agreed to in writing, software 10 | // distributed under the License is distributed on an "AS IS" BASIS, 11 | // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | // See the License for the specific language governing permissions and 13 | // limitations under the License. 14 | 15 | #include "trustflow/attestation/generation/wrapper/generator_wrapper_c_api.h" 16 | #include "trustflow/attestation/verification/wrapper/verifier_wrapper_c_api.h" -------------------------------------------------------------------------------- /cargo/trustflow-attestation-generator/src/main.rs: -------------------------------------------------------------------------------- 1 | use clap::Parser; 2 | use std::fs; 3 | use std::path::PathBuf; 4 | 5 | #[derive(Parser, Debug)] 6 | #[command(name = "generator")] 7 | #[command(long_about = None)] 8 | pub struct Args { 9 | /// Directory containing the header files 10 | #[arg(long, value_name = "DIR")] 11 | headers_dir: PathBuf, 12 | 13 | #[arg(long, value_name = "FILE")] 14 | header: String, 15 | 16 | /// Directory to write the generated code to 17 | #[arg(short, long, value_name = "DIR")] 18 | output: PathBuf, 19 | } 20 | 21 | fn main() { 22 | let args = Args::parse(); 23 | 24 | println!("{:?}", fs::canonicalize(&args.headers_dir).unwrap()); 25 | let bindings = bindgen::Builder::default() 26 | // The input header we would like to generate 27 | // bindings for. 28 | .header(args.header) 29 | //.clang_arg("-I/home/huanxian/code/trustflow") 30 | .clang_arg(format!( 31 | "-I{}", 32 | fs::canonicalize(&args.headers_dir) 33 | .unwrap() 34 | .to_str() 35 | .unwrap() 36 | )) 37 | // Tell cargo to invalidate the built crate whenever any of the 38 | // included header files changed. 39 | .parse_callbacks(Box::new(bindgen::CargoCallbacks)) 40 | // Finish the builder and generate the bindings. 41 | .generate() 42 | // Unwrap the Result and panic on failure. 43 | .expect("Unable to generate bindings"); 44 | 45 | bindings 46 | .write_to_file(args.output.join("bindings.rs")) 47 | .expect("Couldn't write bindings!"); 48 | } 49 | -------------------------------------------------------------------------------- /cargo/trustflow-attestation-rs/.gitignore: -------------------------------------------------------------------------------- 1 | Cargo.lock -------------------------------------------------------------------------------- /cargo/trustflow-attestation-rs/Cargo.toml: -------------------------------------------------------------------------------- 1 | [package] 2 | name = "trustflow-attestation-rs" 3 | version = "0.3.1-dev20240726" 4 | edition = "2021" 5 | description = "TrustFlow Attestation Rust Library" 6 | license = "Apache-2.0" 7 | repository = "https://github.com/asterinas/trustflow.git" 8 | 9 | 10 | [dependencies] 11 | trustflow-attestation-sys = { version = "0.3.1-dev20240726"} 12 | sdc_apis = "0.2.1-dev20240222" 13 | serde_json = "1.0.114" 14 | 15 | -------------------------------------------------------------------------------- /cargo/trustflow-attestation-rs/build.rs: -------------------------------------------------------------------------------- 1 | // Copyright 2024 Ant Group Co., Ltd. 2 | // 3 | // Licensed under the Apache License, Version 2.0 (the "License"); 4 | // you may not use this file except in compliance with the License. 5 | // You may obtain a copy of the License at 6 | // 7 | // http://www.apache.org/licenses/LICENSE-2.0 8 | // 9 | // Unless required by applicable law or agreed to in writing, software 10 | // distributed under the License is distributed on an "AS IS" BASIS, 11 | // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | // See the License for the specific language governing permissions and 13 | // limitations under the License. 14 | 15 | fn main() { 16 | // load dynamic library 17 | println!("cargo:rustc-link-lib=dylib=generation"); 18 | println!("cargo:rustc-link-lib=dylib=verification"); 19 | } 20 | -------------------------------------------------------------------------------- /cargo/trustflow-attestation-sys/.gitignore: -------------------------------------------------------------------------------- 1 | Cargo.lock -------------------------------------------------------------------------------- /cargo/trustflow-attestation-sys/Cargo.toml: -------------------------------------------------------------------------------- 1 | [package] 2 | name = "trustflow-attestation-sys" 3 | version = "0.3.1-dev20240726" 4 | edition = "2021" 5 | description = "TrustFlow Attestation Rust Library" 6 | repository = "https://github.com/asterinas/trustflow.git" 7 | license = "Apache-2.0" 8 | include = ["lib.rs", "bindings.rs", "build.rs"] -------------------------------------------------------------------------------- /cargo/trustflow-attestation-sys/bindings.h: -------------------------------------------------------------------------------- 1 | // Copyright 2024 Ant Group Co., Ltd. 2 | // 3 | // Licensed under the Apache License, Version 2.0 (the "License"); 4 | // you may not use this file except in compliance with the License. 5 | // You may obtain a copy of the License at 6 | // 7 | // http://www.apache.org/licenses/LICENSE-2.0 8 | // 9 | // Unless required by applicable law or agreed to in writing, software 10 | // distributed under the License is distributed on an "AS IS" BASIS, 11 | // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | // See the License for the specific language governing permissions and 13 | // limitations under the License. 14 | 15 | #include "trustflow/attestation/generation/wrapper/generator_wrapper_c_api.h" 16 | #include "trustflow/attestation/verification/wrapper/verifier_wrapper_c_api.h" -------------------------------------------------------------------------------- /cargo/trustflow-attestation-sys/src/.gitignore: -------------------------------------------------------------------------------- 1 | bindings.rs -------------------------------------------------------------------------------- /cargo/trustflow-attestation-sys/src/lib.rs: -------------------------------------------------------------------------------- 1 | // Copyright 2024 Ant Group Co., Ltd. 2 | // 3 | // Licensed under the Apache License, Version 2.0 (the "License"); 4 | // you may not use this file except in compliance with the License. 5 | // You may obtain a copy of the License at 6 | // 7 | // http://www.apache.org/licenses/LICENSE-2.0 8 | // 9 | // Unless required by applicable law or agreed to in writing, software 10 | // distributed under the License is distributed on an "AS IS" BASIS, 11 | // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | // See the License for the specific language governing permissions and 13 | // limitations under the License. 14 | 15 | include!("bindings.rs"); 16 | -------------------------------------------------------------------------------- /cmake/Abseil.cmake: -------------------------------------------------------------------------------- 1 | include(FetchContent) 2 | 3 | FetchContent_Declare( 4 | abseil 5 | URL https://github.com/abseil/abseil-cpp/archive/refs/tags/20230802.1.tar.gz) 6 | 7 | FetchContent_MakeAvailable(abseil) 8 | -------------------------------------------------------------------------------- /cmake/ApisProto.cmake: -------------------------------------------------------------------------------- 1 | include(FetchContent) 2 | 3 | FetchContent_Declare( 4 | apis_proto 5 | GIT_REPOSITORY https://github.com/secretflow/secure-data-capsule-apis.git 6 | GIT_TAG 986ce7e6fed128a8ebedc0c02cc6abae01124716) 7 | 8 | FetchContent_GetProperties(apis_proto) 9 | if(NOT apis_proto_POPULATED) 10 | # Fetch the content using previously declared details 11 | FetchContent_Populate(apis_proto) 12 | 13 | set(IMPORT_DIRS ${apis_proto_SOURCE_DIR}) 14 | set(PROTOC_OUT_DIR ${apis_proto_BINARY_DIR}/generated) 15 | file(GLOB UAL_PROTOS ${apis_proto_SOURCE_DIR}/secretflowapis/v2/sdc/ual.proto) 16 | set(PROTOBUF_PROTOC_EXECUTABLE protoc) 17 | make_directory(${PROTOC_OUT_DIR}) 18 | 19 | foreach(proto ${UAL_PROTOS}) 20 | message("STATUS ${PROTOBUF_PROTOC_EXECUTABLE} --proto_path=${IMPORT_DIRS} --cpp_out=${PROTOC_OUT_DIR} ${proto}") 21 | execute_process( 22 | COMMAND ${PROTOBUF_PROTOC_EXECUTABLE} --proto_path=${IMPORT_DIRS} 23 | --cpp_out=${PROTOC_OUT_DIR} ${proto} RESULT_VARIABLE rv) 24 | # Optional, but that can show the user if something have gone wrong with the 25 | # proto generation 26 | if(${rv}) 27 | message("Generation of data model returned ${rv} for proto ${proto}") 28 | endif() 29 | endforeach() 30 | 31 | file(GLOB_RECURSE PROTO_SOURCES "${PROTOC_OUT_DIR}/**/*.cc") 32 | add_library(ual_proto STATIC ${PROTO_SOURCES}) 33 | add_dependencies(ual_proto protobuf) 34 | target_include_directories(ual_proto PUBLIC ${PROTOC_OUT_DIR}) 35 | target_link_libraries(ual_proto PUBLIC protobuf::libprotobuf) 36 | target_compile_options(ual_proto PUBLIC -fPIC) 37 | endif() 38 | -------------------------------------------------------------------------------- /cmake/Cppcodec.cmake: -------------------------------------------------------------------------------- 1 | include(FetchContent) 2 | 3 | FetchContent_Declare( 4 | cppcodec 5 | GIT_REPOSITORY https://github.com/tplgy/cppcodec.git 6 | GIT_TAG 9f67d7026d3dee8fc6a0af614d97f9365cee2872) 7 | 8 | FetchContent_GetProperties(cppcodec) 9 | if(NOT cppcodec_POPULATED) 10 | # Fetch the content using previously declared details 11 | FetchContent_Populate(cppcodec) 12 | 13 | add_library(cppcodec INTERFACE) 14 | target_include_directories(cppcodec INTERFACE ${cppcodec_SOURCE_DIR}) 15 | endif() 16 | -------------------------------------------------------------------------------- /cmake/CsvHeader.cmake: -------------------------------------------------------------------------------- 1 | set(CSV_HEADER_FILE_PATH 2 | ${CMAKE_BINARY_DIR}/external/hygon-devkit/csv/attestation/attestation.h) 3 | set(CSV_HEADER_INCLUDE ${CMAKE_BINARY_DIR}/external/hygon-devkit) 4 | 5 | find_program(SED_EXECUTEABLE NAMES sed) 6 | 7 | file( 8 | DOWNLOAD 9 | https://gitee.com/anolis/hygon-devkit/raw/2683fd4577a1d2e0fc19247b47a6ca68f4879c33/csv/attestation/attestation.h 10 | ${CSV_HEADER_FILE_PATH}) 11 | 12 | execute_process(COMMAND ${SED_EXECUTEABLE} -i "/ioctl.h/ d" 13 | ${CSV_HEADER_FILE_PATH}) 14 | -------------------------------------------------------------------------------- /cmake/Fmtlib.cmake: -------------------------------------------------------------------------------- 1 | include(FetchContent) 2 | 3 | FetchContent_Declare( 4 | fmtlib URL https://github.com/fmtlib/fmt/archive/refs/tags/10.1.1.tar.gz) 5 | 6 | set(fmtlib_FMT_TEST 7 | OFF 8 | CACHE INTERNAL "") 9 | 10 | FetchContent_MakeAvailable(fmtlib) 11 | -------------------------------------------------------------------------------- /cmake/Openssl.cmake: -------------------------------------------------------------------------------- 1 | include(ExternalProject) 2 | 3 | set(LIBOPENSSL_ROOT ${CMAKE_BINARY_DIR}/external/openssl) 4 | set(LIBOPENSSL_SRC_PATH ${LIBOPENSSL_ROOT}/src/openssl) 5 | set(LIBOPENSSL_BINARY_PATH ${LIBOPENSSL_ROOT}/build) 6 | set(LIBOPENSSL_INC_PATH ${LIBOPENSSL_BINARY_PATH}/include) 7 | set(LIBOPENSSL_LIB_PATH ${LIBOPENSSL_BINARY_PATH}/lib) 8 | 9 | if(WASM) 10 | message("OpenSSL: Using emscripten!") 11 | ExternalProject_Add( 12 | openssl 13 | URL https://www.openssl.org/source/openssl-3.0.12.tar.gz 14 | PREFIX ${LIBOPENSSL_ROOT} 15 | CONFIGURE_COMMAND 16 | cd ${LIBOPENSSL_SRC_PATH} && emconfigure ./Configure 17 | --prefix=${LIBOPENSSL_BINARY_PATH} linux-x86 no-asm no-threads no-engine 18 | no-hw no-weak-ssl-ciphers no-dtls no-shared no-dso no-tests no-unit-test 19 | && sed -i -e "s|^CROSS_COMPILE.*$|CROSS_COMPILE=|g" Makefile 20 | BUILD_COMMAND cd ${LIBOPENSSL_SRC_PATH} && emmake make -j4 build_generated 21 | libssl.a libcrypto.a 22 | INSTALL_COMMAND cd ${LIBOPENSSL_SRC_PATH} && make install) 23 | 24 | add_library(OpenSSL::Crypto STATIC IMPORTED) 25 | set_property(TARGET OpenSSL::Crypto PROPERTY IMPORTED_LOCATION 26 | ${LIBOPENSSL_LIB_PATH}/libcrypto.a) 27 | make_directory(${LIBOPENSSL_INC_PATH}) 28 | target_include_directories(OpenSSL::Crypto INTERFACE ${LIBOPENSSL_INC_PATH}) 29 | else() 30 | find_package(OpenSSL REQUIRED) 31 | 32 | message("OpenSSL include dir: ${OPENSSL_INCLUDE_DIR}") 33 | message("OpenSSL libraries: ${OPENSSL_LIBRARIES}") 34 | 35 | endif() 36 | -------------------------------------------------------------------------------- /cmake/Protobuf.cmake: -------------------------------------------------------------------------------- 1 | include(ExternalProject) 2 | 3 | set(LIBPROTOBUF_ROOT ${CMAKE_BINARY_DIR}/external/protobuf) 4 | set(LIBPROTOBUF_SRC_PATH ${LIBPROTOBUF_ROOT}/src/protobuf) 5 | set(LIBPROTOBUF_BINARY_PATH ${LIBPROTOBUF_ROOT}/build) 6 | set(LIBPROTOBUF_INC_PATH ${LIBPROTOBUF_BINARY_PATH}/include) 7 | 8 | 9 | if(WASM) 10 | message("Using emscripten!") 11 | 12 | ExternalProject_Add( 13 | protobuf 14 | URL https://github.com/protocolbuffers/protobuf/archive/refs/tags/v3.19.4.tar.gz 15 | PREFIX ${LIBPROTOBUF_ROOT} 16 | CONFIGURE_COMMAND 17 | cd ${LIBPROTOBUF_SRC_PATH}/cmake && emcmake cmake 18 | -DCMAKE_POSITION_INDEPENDENT_CODE=ON 19 | -Dprotobuf_BUILD_PROTOC_BINARIES:BOOL=OFF -Dprotobuf_BUILD_TESTS:BOOL=OFF 20 | -DCMAKE_INSTALL_PREFIX=${LIBPROTOBUF_BINARY_PATH} 21 | BUILD_COMMAND cd ${LIBPROTOBUF_SRC_PATH}/cmake && emmake make 22 | INSTALL_COMMAND cd ${LIBPROTOBUF_SRC_PATH}/cmake && make install) 23 | add_library(protobuf::libprotobuf STATIC IMPORTED) 24 | set_property( 25 | TARGET protobuf::libprotobuf 26 | PROPERTY IMPORTED_LOCATION ${LIBPROTOBUF_BINARY_PATH}/lib/libprotobuf.a) 27 | make_directory(${LIBPROTOBUF_INC_PATH}) 28 | target_include_directories(protobuf::libprotobuf 29 | INTERFACE ${LIBPROTOBUF_INC_PATH}) 30 | else() 31 | ExternalProject_Add( 32 | protobuf 33 | URL https://github.com/protocolbuffers/protobuf/archive/refs/tags/v3.19.4.tar.gz 34 | PREFIX ${LIBPROTOBUF_ROOT} 35 | CONFIGURE_COMMAND 36 | cd ${LIBPROTOBUF_SRC_PATH}/cmake && cmake 37 | -DCMAKE_POSITION_INDEPENDENT_CODE=ON 38 | -Dprotobuf_BUILD_PROTOC_BINARIES:BOOL=OFF -Dprotobuf_BUILD_TESTS:BOOL=OFF 39 | -DCMAKE_INSTALL_PREFIX=${LIBPROTOBUF_BINARY_PATH} 40 | BUILD_COMMAND cd ${LIBPROTOBUF_SRC_PATH}/cmake && make 41 | INSTALL_COMMAND cd ${LIBPROTOBUF_SRC_PATH}/cmake && make install) 42 | add_library(protobuf::libprotobuf STATIC IMPORTED) 43 | set_property( 44 | TARGET protobuf::libprotobuf 45 | PROPERTY IMPORTED_LOCATION ${LIBPROTOBUF_BINARY_PATH}/lib/libprotobuf.a) 46 | make_directory(${LIBPROTOBUF_INC_PATH}) 47 | target_include_directories(protobuf::libprotobuf 48 | INTERFACE ${LIBPROTOBUF_INC_PATH}) 49 | endif() 50 | -------------------------------------------------------------------------------- /cmake/Pybind.cmake: -------------------------------------------------------------------------------- 1 | include(FetchContent) 2 | 3 | FetchContent_Declare( 4 | pybind11 5 | URL https://github.com/pybind/pybind11_bazel/releases/download/v2.11.1/pybind11_bazel-2.11.1.tar.gz) 6 | 7 | FetchContent_GetProperties(pybind11) 8 | if(NOT pybind11_POPULATED) 9 | FetchContent_Populate(pybind11) 10 | add_subdirectory(${pybind11_SOURCE_DIR} ${pybind11_BINARY_DIR}) 11 | endif() -------------------------------------------------------------------------------- /cmake/SgxHeaders.cmake: -------------------------------------------------------------------------------- 1 | if(EXISTS SGX_DIR) 2 | set(SGX_PATH ${SGX_DIR}) 3 | elseif(EXISTS SGX_ROOT) 4 | set(SGX_PATH ${SGX_ROOT}) 5 | elseif(EXISTS $ENV{SGX_SDK}) 6 | set(SGX_PATH $ENV{SGX_SDK}) 7 | elseif(EXISTS $ENV{SGX_DIR}) 8 | set(SGX_PATH $ENV{SGX_DIR}) 9 | elseif(EXISTS $ENV{SGX_ROOT}) 10 | set(SGX_PATH $ENV{SGX_ROOT}) 11 | else() 12 | set(SGX_PATH "/opt/intel/sgxsdk") 13 | endif() 14 | 15 | set(SGX_INCLUDE_PATH ${SGX_PATH}/include) 16 | 17 | add_library(sgx_headers INTERFACE) 18 | target_include_directories(sgx_headers INTERFACE ${SGX_INCLUDE_PATH}) 19 | -------------------------------------------------------------------------------- /cmake/Spdlog.cmake: -------------------------------------------------------------------------------- 1 | include(FetchContent) 2 | 3 | FetchContent_Declare( 4 | spdlog URL https://github.com/gabime/spdlog/archive/refs/tags/v1.13.0.tar.gz) 5 | 6 | FetchContent_MakeAvailable(spdlog) 7 | -------------------------------------------------------------------------------- /cmake/Yacl.cmake: -------------------------------------------------------------------------------- 1 | include(FetchContent) 2 | 3 | FetchContent_Declare( 4 | yacl 5 | URL https://github.com/secretflow/yacl/archive/refs/tags/0.4.5b0.tar.gz) 6 | 7 | FetchContent_GetProperties(yacl) 8 | if(NOT yacl_POPULATED) 9 | # Fetch the content using previously declared details 10 | FetchContent_Populate(yacl) 11 | 12 | add_library(yacl_exception INTERFACE) 13 | target_link_libraries(yacl_exception INTERFACE absl::debugging 14 | absl::type_traits fmt::fmt) 15 | target_include_directories(yacl_exception INTERFACE ${yacl_SOURCE_DIR}) 16 | 17 | add_library(yacl_buffer STATIC ${yacl_SOURCE_DIR}/yacl/base/buffer.cc) 18 | target_link_libraries(yacl_buffer PUBLIC yacl_exception) 19 | 20 | add_library(yacl_crypto STATIC 21 | ${yacl_SOURCE_DIR}/yacl/crypto/hash/ssl_hash.cc) 22 | target_link_libraries(yacl_crypto PUBLIC yacl_buffer OpenSSL::Crypto) 23 | endif() 24 | -------------------------------------------------------------------------------- /cmake/patch/dcap2.patch: -------------------------------------------------------------------------------- 1 | diff --git a/QuoteVerification/dcap_quoteverify/linux/Makefile b/QuoteVerification/dcap_quoteverify/linux/Makefile 2 | index 5e9327c..53e9608 100644 3 | --- a/QuoteVerification/dcap_quoteverify/linux/Makefile 4 | +++ b/QuoteVerification/dcap_quoteverify/linux/Makefile 5 | @@ -35,7 +35,7 @@ include ../../buildenv.mk 6 | INSTALL_PATH ?= /usr/lib/x86_64-linux-gnu 7 | QVE_SRC_PATH := $(DCAP_QV_DIR)/QvE 8 | 9 | -QVL_LIB_INC += -I$(PREBUILD_OPENSSL_PATH)/inc -I$(QVE_SRC_PATH)/Include 10 | +QVL_LIB_INC += -I$(PREBUILD_OPENSSL_PATH)/inc -I$(QVE_SRC_PATH)/Include -I$(DCAP_QG_DIR)/qpl/inc 11 | QVL_PARSER_INC += -I$(PREBUILD_OPENSSL_PATH)/inc 12 | QVL_VERIFY_INC := -I$(QVE_SRC_PATH)/Include \ 13 | -I../inc \ 14 | -------------------------------------------------------------------------------- /dev-requirements.txt: -------------------------------------------------------------------------------- 1 | -r requirements.txt 2 | twine 3 | pybind11-global -------------------------------------------------------------------------------- /dm_component/.gitignore: -------------------------------------------------------------------------------- 1 | **/__pycache__ 2 | **/*.whl 3 | build 4 | dist 5 | *.egg-info 6 | componentize/dmserver -------------------------------------------------------------------------------- /dm_component/MANIFEST.in: -------------------------------------------------------------------------------- 1 | include componentize/dm_server -------------------------------------------------------------------------------- /dm_component/README.md: -------------------------------------------------------------------------------- 1 | # Data management component 2 | 3 | 数据管理组件是对 capsule-mananger-sdk 的封装,用于实现对用户数据的处理:包括数据加密上传,数据授权,数据删除,授权取消以及数据导出。并且需要在 Kusica 上部署才可以正常运行。 4 | 5 | ## Quick Start 6 | ``` 7 | python main.py --task_config_path /etc/kuscia/task_config.conf 8 | ``` 9 | ## 详细设计 10 | 11 | ### 数据上传 12 | 数据上传的时序图如下,数据上传是一个两方算子,uploader 需要在本地加密文件,在请求 receiver 接受数据。 13 | ```puml 14 | @startuml 15 | 16 | autonumber 17 | 18 | participant "端侧dm" as edge_dm 19 | participant "端侧引擎\n(Uploader)" as client 20 | 21 | participant "CapsuleManager" as auth 22 | participant "TEE节点引擎\n(Reciever)" as center_node 23 | participant "TEE DM" as dm 24 | participant "存储" as dp 25 | 26 | 27 | client -> edge_dm: queryDomainData(dmdo) 28 | edge_dm -> client: DomainData 29 | client -> auth: 获取远程认证报告以及证书:GetRaCert() 30 | client -> auth: 注册数据解密密:CreateDataKey() 31 | client -> client: 使用公钥加密数据\n(数字信封) 32 | 33 | client->center_node: 上传数据以及DomainData 34 | center_node -> dm: 根据 dmds 注册数据 35 | center_node -> dp: 存储数据 36 | client->center_node: shutdown server 37 | client -> edge_dm: 端侧任务\nreport 38 | 39 | @enduml 40 | ``` 41 | 在实现上程序入口都是从 `main.py` 开始,如果是 uploader,那么后续执行的逻辑仍然基于 python 实现;如果是 recevier 则会单独拉起一个 Http Server 用于接受请求。 Http Server 在数据上传过程使用到两个接口:第 6 步中的数据上传接口,以及第 9 步的 shutdown 接口,用于正常退出: 42 | 43 | upload 接口用于上传数据,需要指定本地上传文件的本地路径`file`,在 recevier 端上注册数据的位置`store_path`, 以及数据的meta数据 `domain_data`: 44 | ``` 45 | curl -F file=@localfile \ 46 | store_path=dm://output?datasource_id=default-data-source&id=alice-table&uri=alice-table.encrypted \ 47 | domain_data="" \ 48 | http://localhost/upload 49 | 50 | ``` 51 | 52 | shutdown 接口用于让 server 正常退出,因为 uploader 可能会多次重试上传数据,只有当 uploader 需要 shutdown server 的时候,进程才会退出。 53 | ``` 54 | curl -X POST http://localhost/shutdown 55 | ``` 56 | 57 | 58 | **注意:算子因为假设运行在 kuscia 的框架之下,鉴权相关部分依赖 kuscia,算子不会有相关设计** 59 | 60 | -------------------------------------------------------------------------------- /dm_component/componentize/__init__.py: -------------------------------------------------------------------------------- 1 | # Copyright 2023 Ant Group Co., Ltd. 2 | # 3 | # Licensed under the Apache License, Version 2.0 (the "License"); 4 | # you may not use this file except in compliance with the License. 5 | # You may obtain a copy of the License at 6 | # 7 | # http://www.apache.org/licenses/LICENSE-2.0 8 | # 9 | # Unless required by applicable law or agreed to in writing, software 10 | # distributed under the License is distributed on an "AS IS" BASIS, 11 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | # See the License for the specific language governing permissions and 13 | # limitations under the License. 14 | -------------------------------------------------------------------------------- /dm_component/componentize/component/data_utils.py: -------------------------------------------------------------------------------- 1 | # Copyright 2023 Ant Group Co., Ltd. 2 | # 3 | # Licensed under the Apache License, Version 2.0 (the "License"); 4 | # you may not use this file except in compliance with the License. 5 | # You may obtain a copy of the License at 6 | # 7 | # https://www.apache.org/licenses/LICENSE-2.0 8 | # 9 | # Unless required by applicable law or agreed to in writing, software 10 | # distributed under the License is distributed on an "AS IS" BASIS, 11 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | # See the License for the specific language governing permissions and 13 | # limitations under the License. 14 | 15 | import enum 16 | from dataclasses import dataclass 17 | 18 | import numpy as np 19 | from secretflow.spec.v1.component_pb2 import IoDef 20 | 21 | 22 | class MetaEnum(enum.EnumMeta): 23 | def __contains__(cls, item): 24 | try: 25 | cls(item) 26 | except ValueError: 27 | return False 28 | return True 29 | 30 | 31 | class BaseEnum(enum.Enum, metaclass=MetaEnum): 32 | def __repr__(self): 33 | return self.value 34 | 35 | def __str__(self): 36 | return self.__repr__() 37 | 38 | def __eq__(self, other): 39 | return str(self) == str(other) 40 | 41 | 42 | @enum.unique 43 | class DistDataType(BaseEnum): 44 | VERTICAL_TABLE = "sf.table.vertical_table" 45 | INDIVIDUAL_TABLE = "sf.table.individual" 46 | SS_SGD_MODEL = "sf.model.ss_sgd" 47 | SGB_MODEL = "sf.model.sgb" 48 | WOE_RUNNING_RULE = "sf.rule.woe_binning" 49 | SS_XGB_MODEL = "sf.model.ss_xgb" 50 | REPORT = "sf.report" 51 | 52 | 53 | @enum.unique 54 | class DataSetFormatSupported(BaseEnum): 55 | CSV = "csv" 56 | 57 | 58 | SUPPORTED_VTABLE_DATA_TYPE = { 59 | "int8": np.int8, 60 | "int16": np.int16, 61 | "int32": np.int32, 62 | "int64": np.int64, 63 | "uint8": np.uint8, 64 | "uint16": np.uint16, 65 | "uint32": np.uint32, 66 | "uint64": np.uint64, 67 | "float16": np.float16, 68 | "float32": np.float32, 69 | "float64": np.float64, 70 | "bool": bool, 71 | "int": int, 72 | "float": float, 73 | "str": object, 74 | } 75 | 76 | REVERSE_DATA_TYPE_MAP = dict((v, k) for k, v in SUPPORTED_VTABLE_DATA_TYPE.items()) 77 | 78 | 79 | def check_io_def(io_def: IoDef): 80 | for t in io_def.types: 81 | if t not in DistDataType: 82 | raise ValueError( 83 | f"IoDef {io_def.name}: {t} is not a supported DistData types" 84 | ) 85 | -------------------------------------------------------------------------------- /dm_component/componentize/constants.py: -------------------------------------------------------------------------------- 1 | # Copyright 2023 Ant Group Co., Ltd. 2 | # 3 | # Licensed under the Apache License, Version 2.0 (the "License"); 4 | # you may not use this file except in compliance with the License. 5 | # You may obtain a copy of the License at 6 | # 7 | # https://www.apache.org/licenses/LICENSE-2.0 8 | # 9 | # Unless required by applicable law or agreed to in writing, software 10 | # distributed under the License is distributed on an "AS IS" BASIS, 11 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | # See the License for the specific language governing permissions and 13 | # limitations under the License. 14 | 15 | 16 | AES_KEY_LEN_IN_BYTES = 16 17 | -------------------------------------------------------------------------------- /dm_component/componentize/kuscia/configmanager.py: -------------------------------------------------------------------------------- 1 | # Copyright 2023 Ant Group Co., Ltd. 2 | # 3 | # Licensed under the Apache License, Version 2.0 (the "License"); 4 | # you may not use this file except in compliance with the License. 5 | # You may obtain a copy of the License at 6 | # 7 | # https://www.apache.org/licenses/LICENSE-2.0 8 | # 9 | # Unless required by applicable law or agreed to in writing, software 10 | # distributed under the License is distributed on an "AS IS" BASIS, 11 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | # See the License for the specific language governing permissions and 13 | # limitations under the License. 14 | 15 | import os 16 | from typing import List, Tuple 17 | 18 | import requests 19 | 20 | 21 | def make_url(scheme: str, endpoint, *res): 22 | url = scheme + "://" + endpoint 23 | for r in res: 24 | url = "{}/{}".format(url, r) 25 | return url 26 | 27 | 28 | def get_cert_from_config_manager(endpoint: str, data: dict) -> Tuple[List[str], str]: 29 | """Get private key and corresponding certificate from config manager 30 | 31 | Args: 32 | endpoint (str): config manager endpoint 33 | data (dict): request paramters 34 | 35 | Returns: 36 | Tuple[str, str]: (certificate, private_key) 37 | """ 38 | env_client_cert_file = os.environ.get("CLIENT_CERT_FILE", "") 39 | env_client_key_file = os.environ.get("CLIENT_PRIVATE_KEY_FILE", "") 40 | env_trusted_ca_file = os.environ.get("TRUSTED_CA_FILE", "") 41 | 42 | # mTLS enabled. 43 | r = requests.post( 44 | make_url("https", endpoint, "api/v1/cm/certificate/generate"), 45 | verify=env_trusted_ca_file, 46 | cert=(env_client_cert_file, env_client_key_file), 47 | json=data, 48 | ) 49 | assert r.status_code == 200, f"error msg: {r.json()}" 50 | content = r.json() 51 | assert content["status"]["code"] == 0 52 | 53 | return (content["cert_chain"], content["key"]) 54 | -------------------------------------------------------------------------------- /dm_component/componentize/server/.gitignore: -------------------------------------------------------------------------------- 1 | target 2 | .vscode 3 | temp 4 | Cargo.lock 5 | -------------------------------------------------------------------------------- /dm_component/componentize/server/Cargo.toml: -------------------------------------------------------------------------------- 1 | [package] 2 | name = "server" 3 | version = "0.1.0" 4 | edition = "2021" 5 | 6 | # See more keys and their definitions at https://doc.rust-lang.org/cargo/reference/manifest.html 7 | 8 | [dependencies] 9 | httparse = { version = "1.0" } 10 | reqwest = { version = "0.10", features = ["json", "rustls-tls"] } 11 | hyper = { version = "0.13.6", features = ["stream"] } 12 | tokio = { version = "0.2.2", default-features = false, features = ["io-util", "macros", "rt-threaded", "sync", "fs"] } 13 | 14 | multipart-async = { git = "https://github.com/abonander/multipart-async.git" } 15 | kuscia_proto = { path = "kuscia_proto"} 16 | openssl-sys = "0.9" 17 | openssl = { version = "0.10", features = ["vendored"] } 18 | futures = "0.3" 19 | 20 | clap = { version = "4.4.3", features = ["derive"] } 21 | serde_yaml = "0.9" 22 | log = "0.4" 23 | log4rs = "1.0.0" 24 | rand = "0.8.5" 25 | 26 | serde_json = "1.0.104" 27 | thiserror = "1.0.25" 28 | http = "0.2.9" 29 | 30 | serde = { version = "1.0", features = ["derive"] } 31 | url = "2.4.1" 32 | serde_qs = "0.12.0" 33 | lazy_static = "1.4.0" 34 | 35 | tokio-util = { version = "0.3", features = ["codec"] } -------------------------------------------------------------------------------- /dm_component/componentize/server/conf/flags.conf: -------------------------------------------------------------------------------- 1 | -p 333 -------------------------------------------------------------------------------- /dm_component/componentize/server/kuscia_proto/Cargo.toml: -------------------------------------------------------------------------------- 1 | [package] 2 | name = "kuscia_proto" 3 | version = "0.1.0" 4 | edition = "2021" 5 | 6 | # See more keys and their definitions at https://doc.rust-lang.org/cargo/reference/manifest.html 7 | 8 | [dependencies] 9 | bytes = "1.5.0" 10 | prost = "0.11" 11 | prost-types = "0.11.1" 12 | serde = { version = "1.0", features = ["derive"] } 13 | prost-wkt = "0.4" 14 | prost-wkt-types = "0.4" 15 | 16 | [build-dependencies] 17 | prost-build = "0.12.1" 18 | prost-wkt-build = "0.4" 19 | -------------------------------------------------------------------------------- /dm_component/componentize/server/kuscia_proto/build.rs: -------------------------------------------------------------------------------- 1 | // Copyright 2023 Ant Group Co., Ltd. 2 | // 3 | // Licensed under the Apache License, Version 2.0 (the "License"); 4 | // you may not use this file except in compliance with the License. 5 | // You may obtain a copy of the License at 6 | // 7 | // http://www.apache.org/licenses/LICENSE-2.0 8 | // 9 | // Unless required by applicable law or agreed to in writing, software 10 | // distributed under the License is distributed on an "AS IS" BASIS, 11 | // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | // See the License for the specific language governing permissions and 13 | // limitations under the License. 14 | 15 | 16 | fn main() -> Result<(), Box> { 17 | // Use this in build.rs 18 | let mut config = prost_build::Config::new(); 19 | config.type_attribute(".", "#[derive(serde::Deserialize, serde::Serialize)]"); 20 | 21 | config.field_attribute("file_format", "#[serde(deserialize_with = \"crate::custom_serde::FileFormat::from_str\")]"); 22 | config.field_attribute(".kuscia.proto.api.v1alpha1.datamesh", "#[serde(default)]"); 23 | config.field_attribute(".kuscia.proto.api.v1alpha1.RequestHeader", "#[serde(default)]"); 24 | config.field_attribute(".kuscia.proto.api.v1alpha1.Status", "#[serde(default)]"); 25 | config.field_attribute(".kuscia.proto.api.v1alpha1.Partition", "#[serde(default)]"); 26 | config.field_attribute(".kuscia.proto.api.v1alpha1.DataColumn", "#[serde(default)]"); 27 | config.extern_path(".google.protobuf.Any", "::prost_wkt_types::Any"); 28 | config.compile_protos( 29 | &[ 30 | "src/datamesh/domaindatasource.proto", 31 | "src/datamesh/domaindata.proto", 32 | ], 33 | &["src/"], 34 | )?; 35 | Ok(()) 36 | } 37 | -------------------------------------------------------------------------------- /dm_component/componentize/server/kuscia_proto/src/common.proto: -------------------------------------------------------------------------------- 1 | // Copy from https://github.com/secretflow/kuscia/blob/main/proto/api/v1alpha1/common.proto 2 | // Copyright 2023 Ant Group Co., Ltd. 3 | // 4 | // Licensed under the Apache License, Version 2.0 (the "License"); 5 | // you may not use this file except in compliance with the License. 6 | // You may obtain a copy of the License at 7 | // 8 | // http://www.apache.org/licenses/LICENSE-2.0 9 | // 10 | // Unless required by applicable law or agreed to in writing, software 11 | // distributed under the License is distributed on an "AS IS" BASIS, 12 | // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | // See the License for the specific language governing permissions and 14 | // limitations under the License. 15 | 16 | syntax = "proto3"; 17 | 18 | package kuscia.proto.api.v1alpha1; 19 | 20 | import "google/protobuf/any.proto"; 21 | 22 | option go_package = "github.com/secretflow/kuscia/proto/api/v1alpha1"; 23 | option java_package = "org.secretflow.v1alpha1.common"; 24 | 25 | // RequestHeader carries the user custom headers. 26 | message RequestHeader { 27 | // Custom headers used to record custom information. 28 | map custom_headers = 1; 29 | } 30 | 31 | // Status carries the response status information. 32 | // Reference: https://github.com/grpc/grpc/blob/master/src/proto/grpc/status/status.proto 33 | message Status { 34 | // The status code, which should be one of google rpc code or custom code. 35 | int32 code = 1; 36 | // Message for recording the error information. 37 | string message = 2; 38 | // A list of messages that carry the additional supplementary error details. 39 | repeated google.protobuf.Any details = 3; 40 | } 41 | 42 | message Partition { 43 | // enum path, odps 44 | string type = 1; 45 | repeated DataColumn fields = 2; 46 | } 47 | 48 | // DataColumn defines the column of data. 49 | message DataColumn { 50 | string name = 1; 51 | // enum: string integer float datetime timestamp 52 | string type = 2; 53 | // The description of column 54 | string comment = 3; 55 | } 56 | 57 | enum FileFormat { 58 | UNKNOWN = 0; 59 | CSV = 1; 60 | } -------------------------------------------------------------------------------- /dm_component/componentize/server/kuscia_proto/src/custom_serde.rs: -------------------------------------------------------------------------------- 1 | // Copyright 2023 Ant Group Co., Ltd. 2 | // 3 | // Licensed under the Apache License, Version 2.0 (the "License"); 4 | // you may not use this file except in compliance with the License. 5 | // You may obtain a copy of the License at 6 | // 7 | // http://www.apache.org/licenses/LICENSE-2.0 8 | // 9 | // Unless required by applicable law or agreed to in writing, software 10 | // distributed under the License is distributed on an "AS IS" BASIS, 11 | // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | // See the License for the specific language governing permissions and 13 | // limitations under the License. 14 | 15 | 16 | use serde::{Deserializer, Deserialize, de}; 17 | 18 | pub enum FileFormat { 19 | Unknown = 0, 20 | Csv = 1, 21 | } 22 | 23 | impl FileFormat { 24 | pub fn from_str<'de, D>(deserializer: D) -> Result 25 | where 26 | D: Deserializer<'de>, 27 | { 28 | let s: &str = Deserialize::deserialize(deserializer)?; 29 | 30 | match s.to_lowercase().as_str() { 31 | "unknown" => Ok(Self::Unknown as i32), 32 | "csv" => Ok(Self::Csv as i32), 33 | _ => Err(de::Error::unknown_variant(s, &["UNKNOWN", "CSV"])), 34 | } 35 | } 36 | } -------------------------------------------------------------------------------- /dm_component/componentize/server/kuscia_proto/src/lib.rs: -------------------------------------------------------------------------------- 1 | // Copyright 2023 Ant Group Co., Ltd. 2 | // 3 | // Licensed under the Apache License, Version 2.0 (the "License"); 4 | // you may not use this file except in compliance with the License. 5 | // You may obtain a copy of the License at 6 | // 7 | // http://www.apache.org/licenses/LICENSE-2.0 8 | // 9 | // Unless required by applicable law or agreed to in writing, software 10 | // distributed under the License is distributed on an "AS IS" BASIS, 11 | // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | // See the License for the specific language governing permissions and 13 | // limitations under the License. 14 | 15 | 16 | pub mod custom_serde; 17 | // Include the `items` module, which is generated from items.proto. 18 | // It is important to maintain the same structure as in the proto. 19 | pub mod api { 20 | include!(concat!(env!("OUT_DIR"), "/kuscia.proto.api.v1alpha1.rs")); 21 | pub mod datamesh { 22 | include!(concat!(env!("OUT_DIR"), "/kuscia.proto.api.v1alpha1.datamesh.rs")); 23 | } 24 | } -------------------------------------------------------------------------------- /dm_component/componentize/server/src/client.rs: -------------------------------------------------------------------------------- 1 | // Copyright 2023 Ant Group Co., Ltd. 2 | // 3 | // Licensed under the Apache License, Version 2.0 (the "License"); 4 | // you may not use this file except in compliance with the License. 5 | // You may obtain a copy of the License at 6 | // 7 | // http://www.apache.org/licenses/LICENSE-2.0 8 | // 9 | // Unless required by applicable law or agreed to in writing, software 10 | // distributed under the License is distributed on an "AS IS" BASIS, 11 | // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | // See the License for the specific language governing permissions and 13 | // limitations under the License. 14 | 15 | 16 | pub mod data_mesh_client; 17 | -------------------------------------------------------------------------------- /dm_component/componentize/server/src/config.rs: -------------------------------------------------------------------------------- 1 | // Copyright 2023 Ant Group Co., Ltd. 2 | // 3 | // Licensed under the Apache License, Version 2.0 (the "License"); 4 | // you may not use this file except in compliance with the License. 5 | // You may obtain a copy of the License at 6 | // 7 | // http://www.apache.org/licenses/LICENSE-2.0 8 | // 9 | // Unless required by applicable law or agreed to in writing, software 10 | // distributed under the License is distributed on an "AS IS" BASIS, 11 | // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | // See the License for the specific language governing permissions and 13 | // limitations under the License. 14 | 15 | 16 | use std::{env, fs}; 17 | 18 | use clap::{CommandFactory, FromArgMatches, Parser}; 19 | 20 | #[derive(Parser)] 21 | #[command(author, version, about = "http server", long_about = None)] 22 | pub(super) struct Config { 23 | /// port 24 | #[arg(short, long, default_value_t = 10001, action = clap::ArgAction::Append)] 25 | pub port: u16, 26 | 27 | /// data mesh endpoint 28 | #[arg(short, long, default_value_t = String::from("datamesh:8070"), action = clap::ArgAction::Append)] 29 | pub data_mesh_endpoint: String, 30 | 31 | /// domain id 32 | #[arg(short, long, default_value_t = String::from(""), action = clap::ArgAction::Append)] 33 | pub domain_id: String, 34 | 35 | /// log file name 36 | #[arg(long, default_value_t = String::from("log"), action = clap::ArgAction::Append)] 37 | pub log_dir: String, 38 | 39 | /// log level 40 | #[arg(long, default_value_t = String::from("info"), action = clap::ArgAction::Append)] 41 | pub log_level: String, 42 | 43 | /// enable console logger 44 | #[arg(long, default_value_t = true, action = clap::ArgAction::Append)] 45 | pub enable_console_logger: bool, 46 | 47 | /// Sets a custom config file 48 | #[arg(short, long)] 49 | config_file_path: Option, 50 | } 51 | 52 | impl Config { 53 | pub fn new() -> Config { 54 | let mut args: Vec = env::args().collect(); 55 | let mut matches: clap::ArgMatches = 56 | ::command().get_matches_from(args.clone()); 57 | if let Some(config_file_path) = matches.get_one::("config_file_path") { 58 | let config_file_content = fs::read_to_string(config_file_path) 59 | .expect(format!("file `{config_file_path}` is not exist.").as_str()); 60 | let mut file_args: Vec = config_file_content 61 | .split_ascii_whitespace() 62 | .into_iter() 63 | .map(|x| x.to_string()) 64 | .collect(); 65 | args.append(&mut file_args); 66 | let mut matches: clap::ArgMatches = 67 | ::command().get_matches_from(args.clone()); 68 | let config = ::from_arg_matches_mut(&mut matches).unwrap(); 69 | return config; 70 | } 71 | 72 | let config = ::from_arg_matches_mut(&mut matches).unwrap(); 73 | config 74 | } 75 | } 76 | -------------------------------------------------------------------------------- /dm_component/componentize/server/src/constants.rs: -------------------------------------------------------------------------------- 1 | // Copyright 2023 Ant Group Co., Ltd. 2 | // 3 | // Licensed under the Apache License, Version 2.0 (the "License"); 4 | // you may not use this file except in compliance with the License. 5 | // You may obtain a copy of the License at 6 | // 7 | // http://www.apache.org/licenses/LICENSE-2.0 8 | // 9 | // Unless required by applicable law or agreed to in writing, software 10 | // distributed under the License is distributed on an "AS IS" BASIS, 11 | // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | // See the License for the specific language governing permissions and 13 | // limitations under the License. 14 | 15 | 16 | pub const TEMP_DIR: &str = "temp"; 17 | -------------------------------------------------------------------------------- /dm_component/componentize/server/src/error.rs: -------------------------------------------------------------------------------- 1 | // Copyright 2023 Ant Group Co., Ltd. 2 | // 3 | // Licensed under the Apache License, Version 2.0 (the "License"); 4 | // you may not use this file except in compliance with the License. 5 | // You may obtain a copy of the License at 6 | // 7 | // http://www.apache.org/licenses/LICENSE-2.0 8 | // 9 | // Unless required by applicable law or agreed to in writing, software 10 | // distributed under the License is distributed on an "AS IS" BASIS, 11 | // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | // See the License for the specific language governing permissions and 13 | // limitations under the License. 14 | 15 | 16 | pub type Error = Box; 17 | -------------------------------------------------------------------------------- /dm_component/componentize/server/src/main.rs: -------------------------------------------------------------------------------- 1 | // Copyright 2023 Ant Group Co., Ltd. 2 | // 3 | // Licensed under the Apache License, Version 2.0 (the "License"); 4 | // you may not use this file except in compliance with the License. 5 | // You may obtain a copy of the License at 6 | // 7 | // http://www.apache.org/licenses/LICENSE-2.0 8 | // 9 | // Unless required by applicable law or agreed to in writing, software 10 | // distributed under the License is distributed on an "AS IS" BASIS, 11 | // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | // See the License for the specific language governing permissions and 13 | // limitations under the License. 14 | 15 | 16 | mod client; 17 | mod config; 18 | mod constants; 19 | mod error; 20 | mod service; 21 | mod utils; 22 | 23 | use crate::client::data_mesh_client; 24 | use hyper::server::conn::AddrStream; 25 | use hyper::service::{make_service_fn, service_fn}; 26 | use hyper::Server; 27 | use std::fs; 28 | use std::path; 29 | use std::sync::Arc; 30 | 31 | type Error = Box; 32 | 33 | #[tokio::main] 34 | async fn main() { 35 | let config = config::Config::new(); 36 | 37 | // init log 38 | utils::log::init_log( 39 | &config.log_dir, 40 | &config.log_level, 41 | config.enable_console_logger, 42 | ); 43 | 44 | let addr = ([0, 0, 0, 0], config.port).into(); 45 | 46 | if !path::Path::new(constants::TEMP_DIR).exists() { 47 | fs::create_dir(constants::TEMP_DIR).unwrap(); 48 | } 49 | 50 | let data_mesh_client = Arc::new( 51 | data_mesh_client::DataMeshClient::new(config.data_mesh_endpoint) 52 | .expect("create data mesh client failed."), 53 | ); 54 | 55 | let (tx, rx) = tokio::sync::oneshot::channel::<()>(); 56 | 57 | service::SHUTDOWN_TX.lock().unwrap().replace(tx); 58 | 59 | let make_svc = make_service_fn(|socket: &AddrStream| { 60 | println!("request from: {}\n", socket.remote_addr()); 61 | let data_mesh_client = data_mesh_client.clone(); 62 | async move { 63 | Ok::<_, Error>(service_fn(move |req| { 64 | service::serve_req(req, data_mesh_client.clone()) 65 | })) 66 | } 67 | }); 68 | 69 | // Then bind and serve... 70 | let server = Server::bind(&addr).serve(make_svc); 71 | 72 | log::info!("server running on {}", server.local_addr()); 73 | 74 | let graceful = server.with_graceful_shutdown(async { 75 | rx.await.ok(); 76 | }); 77 | 78 | if let Err(e) = graceful.await { 79 | eprintln!("an error occurred: {}", e); 80 | } 81 | } 82 | -------------------------------------------------------------------------------- /dm_component/componentize/server/src/service/download.rs: -------------------------------------------------------------------------------- 1 | // Copyright 2023 Ant Group Co., Ltd. 2 | // 3 | // Licensed under the Apache License, Version 2.0 (the "License"); 4 | // you may not use this file except in compliance with the License. 5 | // You may obtain a copy of the License at 6 | // 7 | // http://www.apache.org/licenses/LICENSE-2.0 8 | // 9 | // Unless required by applicable law or agreed to in writing, software 10 | // distributed under the License is distributed on an "AS IS" BASIS, 11 | // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | // See the License for the specific language governing permissions and 13 | // limitations under the License. 14 | 15 | 16 | use crate::error::Error; 17 | use hyper::{Body, Request, Response}; 18 | use serde::{Deserialize, Serialize}; 19 | use std::{path::Path, sync::Arc}; 20 | use tokio::fs::File; 21 | use tokio_util::codec::{BytesCodec, FramedRead}; 22 | 23 | use crate::{ 24 | client::data_mesh_client::DataMeshClient, 25 | service::{not_found, DmInputUriQueryParams}, 26 | }; 27 | 28 | #[derive(Deserialize, Serialize)] 29 | struct RequestParams { 30 | pub uri: String, 31 | } 32 | 33 | pub(crate) async fn handle_download( 34 | req: Request, 35 | dm_client: Arc, 36 | ) -> Result, Error> { 37 | log::info!("download"); 38 | let body_bytes = hyper::body::to_bytes(req).await?; 39 | let request_params: RequestParams = serde_json::from_slice(&body_bytes)?; 40 | let url = url::Url::parse(&request_params.uri)?; 41 | println!("{url}"); 42 | match url.scheme() { 43 | "dm" => { 44 | let qs = url.query().ok_or("lack query")?; 45 | let params: DmInputUriQueryParams = serde_qs::from_str(qs)?; 46 | let domain_data = dm_client.get_domain_data(¶ms.id).await?; 47 | let relative_uri = domain_data.relative_uri; 48 | 49 | let domain_data_source = dm_client 50 | .get_domain_datasource(&domain_data.datasource_id) 51 | .await?; 52 | let info = domain_data_source.info.ok_or("lack datasource info")?; 53 | let info_localfs = info.localfs.ok_or("lack localfs config")?; 54 | 55 | let filename = Path::new(&info_localfs.path).join(relative_uri); 56 | if let Ok(file) = File::open(filename).await { 57 | let stream = FramedRead::new(file, BytesCodec::new()); 58 | let body = Body::wrap_stream(stream); 59 | return Ok(Response::new(body)); 60 | } 61 | } 62 | "file" => { 63 | if let Ok(file) = File::open(url.path()).await { 64 | let stream = FramedRead::new(file, BytesCodec::new()); 65 | let body = Body::wrap_stream(stream); 66 | return Ok(Response::new(body)); 67 | } 68 | } 69 | _ => return Err(Error::from("Unsupport scheme")), 70 | } 71 | 72 | Ok(not_found()) 73 | } 74 | -------------------------------------------------------------------------------- /dm_component/componentize/server/src/service/get_domain_data.rs: -------------------------------------------------------------------------------- 1 | // Copyright 2023 Ant Group Co., Ltd. 2 | // 3 | // Licensed under the Apache License, Version 2.0 (the "License"); 4 | // you may not use this file except in compliance with the License. 5 | // You may obtain a copy of the License at 6 | // 7 | // http://www.apache.org/licenses/LICENSE-2.0 8 | // 9 | // Unless required by applicable law or agreed to in writing, software 10 | // distributed under the License is distributed on an "AS IS" BASIS, 11 | // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | // See the License for the specific language governing permissions and 13 | // limitations under the License. 14 | 15 | 16 | use crate::error::Error; 17 | use hyper::{Body, Request, Response}; 18 | use serde::{Deserialize, Serialize}; 19 | use std::sync::Arc; 20 | 21 | use crate::{client::data_mesh_client::DataMeshClient, service::DmInputUriQueryParams}; 22 | 23 | #[derive(Deserialize, Serialize)] 24 | struct RequestParams { 25 | pub uri: String, 26 | } 27 | 28 | pub(crate) async fn get_domain_data( 29 | req: Request, 30 | dm_client: Arc, 31 | ) -> Result, Error> { 32 | let body_bytes = hyper::body::to_bytes(req).await?; 33 | let request_params: RequestParams = serde_json::from_slice(&body_bytes)?; 34 | let url = url::Url::parse(&request_params.uri)?; 35 | println!("{url}"); 36 | match url.scheme() { 37 | "dm" => { 38 | let qs = url.query().ok_or("lack query")?; 39 | let params: DmInputUriQueryParams = serde_qs::from_str(qs)?; 40 | let domain_data = dm_client.get_domain_data(¶ms.id).await?; 41 | let domain_data_json = serde_json::to_vec(&domain_data)?; 42 | return Ok(Response::new(Body::from(domain_data_json))); 43 | } 44 | _ => return Err(Error::from("Unsupport scheme")), 45 | } 46 | } 47 | -------------------------------------------------------------------------------- /dm_component/componentize/server/src/utils.rs: -------------------------------------------------------------------------------- 1 | // Copyright 2023 Ant Group Co., Ltd. 2 | // 3 | // Licensed under the Apache License, Version 2.0 (the "License"); 4 | // you may not use this file except in compliance with the License. 5 | // You may obtain a copy of the License at 6 | // 7 | // http://www.apache.org/licenses/LICENSE-2.0 8 | // 9 | // Unless required by applicable law or agreed to in writing, software 10 | // distributed under the License is distributed on an "AS IS" BASIS, 11 | // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | // See the License for the specific language governing permissions and 13 | // limitations under the License. 14 | 15 | 16 | pub mod log; 17 | -------------------------------------------------------------------------------- /dm_component/componentize/tools.py: -------------------------------------------------------------------------------- 1 | # /bin/python3 2 | 3 | # Copyright 2023 Ant Group Co., Ltd. 4 | # 5 | # Licensed under the Apache License, Version 2.0 (the "License"); 6 | # you may not use this file except in compliance with the License. 7 | # You may obtain a copy of the License at 8 | # 9 | # https://www.apache.org/licenses/LICENSE-2.0 10 | # 11 | # Unless required by applicable law or agreed to in writing, software 12 | # distributed under the License is distributed on an "AS IS" BASIS, 13 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 14 | # See the License for the specific language governing permissions and 15 | # limitations under the License. 16 | 17 | import re 18 | from typing import Optional, Tuple 19 | 20 | # . 一次或多次,()结果整体为一个分组 21 | _netloc_re = re.compile(r"^(.+):(\d+)$") 22 | 23 | 24 | def split_host_and_port(endpoint: str) -> Tuple[str, Optional[int]]: 25 | """ 26 | 取出IP地址和端口 返回:`(host, port)` 元组 27 | """ 28 | match = _netloc_re.match(endpoint) 29 | if match: 30 | host = match.group(1) 31 | port = int(match.group(2)) # type: Optional[int] 32 | else: 33 | host = endpoint 34 | port = 80 35 | return (host, port) 36 | 37 | 38 | def make_url(scheme: str, endpoint, *res): 39 | url = scheme + "://" + endpoint 40 | for r in res: 41 | url = "{}/{}".format(url, r) 42 | return url 43 | -------------------------------------------------------------------------------- /dm_component/deployment/Dockerfile: -------------------------------------------------------------------------------- 1 | # Copyright 2024 Ant Group Co., Ltd. 2 | # 3 | # Licensed under the Apache License, Version 2.0 (the "License"); 4 | # you may not use this file except in compliance with the License. 5 | # You may obtain a copy of the License at 6 | # 7 | # http://www.apache.org/licenses/LICENSE-2.0 8 | # 9 | # Unless required by applicable law or agreed to in writing, software 10 | # distributed under the License is distributed on an "AS IS" BASIS, 11 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | # See the License for the specific language governing permissions and 13 | # limitations under the License. 14 | 15 | FROM secretflow/anolis8-python:3.8.15 as python 16 | FROM secretflow/trustflow-ci-sim:0.1.0 as builder 17 | 18 | 19 | RUN apt install protobuf-compiler build-essential -y && apt clean 20 | COPY componentize /home/admin/dev/componentize 21 | COPY setup.py /home/admin/dev/setup.py 22 | COPY MANIFEST.in /home/admin/dev/MANIFEST.in 23 | COPY requirements.txt /home/admin/dev/requirements.txt 24 | 25 | WORKDIR /home/admin/dev 26 | RUN export PATH=/root/.cargo/bin:$PATH && python setup.py sdist bdist_wheel 27 | 28 | FROM ubuntu:20.04 29 | 30 | COPY --from=python /root/miniconda3/envs/secretflow/bin/ /usr/local/bin/ 31 | COPY --from=python /root/miniconda3/envs/secretflow/lib/ /usr/local/lib/ 32 | 33 | RUN grep -rl '#!/root/miniconda3/envs/secretflow/bin' /usr/local/bin/ | xargs sed -i -e 's/#!\/root\/miniconda3\/envs\/secretflow/#!\/usr\/local/g' 34 | 35 | ARG config_templates="" 36 | LABEL kuscia.secretflow.config-templates=$config_templates 37 | 38 | ARG deploy_templates="" 39 | LABEL kuscia.secretflow.deploy-templates=$deploy_templates 40 | 41 | COPY --from=builder /home/admin/dev/dist/*.whl /tmp/tee_dm/ 42 | RUN pip install $(ls /tmp/tee_dm/*.whl) && pip cache purge 43 | 44 | 45 | -------------------------------------------------------------------------------- /dm_component/deployment/app_image.yaml: -------------------------------------------------------------------------------- 1 | # Copyright 2024 Ant Group Co., Ltd. 2 | # 3 | # Licensed under the Apache License, Version 2.0 (the "License"); 4 | # you may not use this file except in compliance with the License. 5 | # You may obtain a copy of the License at 6 | # 7 | # http://www.apache.org/licenses/LICENSE-2.0 8 | # 9 | # Unless required by applicable law or agreed to in writing, software 10 | # distributed under the License is distributed on an "AS IS" BASIS, 11 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | # See the License for the specific language governing permissions and 13 | # limitations under the License. 14 | 15 | apiVersion: kuscia.secretflow/v1alpha1 16 | kind: AppImage 17 | metadata: 18 | name: tee-dm-image 19 | spec: 20 | configTemplates: 21 | task-config.conf: | 22 | { 23 | "task_id": "{{.TASK_ID}}", 24 | "task_input_config": "{{.TASK_INPUT_CONFIG}}", 25 | "task_cluster_def": "{{.TASK_CLUSTER_DEFINE}}", 26 | "allocated_ports": "{{.ALLOCATED_PORTS}}" 27 | } 28 | deployTemplates: 29 | - name: tee-dm 30 | replicas: 1 31 | spec: 32 | containers: 33 | - command: 34 | - sh 35 | - -c 36 | - "python -m componentize.main --task_config_path /etc/kuscia/task-config.conf" 37 | configVolumeMounts: 38 | - mountPath: /etc/kuscia/task-config.conf 39 | subPath: task-config.conf 40 | name: tee-dm 41 | ports: 42 | - name: tee-dm 43 | port: 36954 44 | protocol: HTTP 45 | scope: Cluster 46 | workingDir: /work 47 | restartPolicy: Never 48 | image: 49 | name: secretflow/sf-tee-dm-sim 50 | tag: "0.1.0b0" -------------------------------------------------------------------------------- /dm_component/deployment/config_templates.yml: -------------------------------------------------------------------------------- 1 | # Copyright 2024 Ant Group Co., Ltd. 2 | # 3 | # Licensed under the Apache License, Version 2.0 (the "License"); 4 | # you may not use this file except in compliance with the License. 5 | # You may obtain a copy of the License at 6 | # 7 | # http://www.apache.org/licenses/LICENSE-2.0 8 | # 9 | # Unless required by applicable law or agreed to in writing, software 10 | # distributed under the License is distributed on an "AS IS" BASIS, 11 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | # See the License for the specific language governing permissions and 13 | # limitations under the License. 14 | 15 | task-config.conf: | 16 | { 17 | "task_id": "{{.TASK_ID}}", 18 | "task_input_config": "{{.TASK_INPUT_CONFIG}}", 19 | "task_cluster_def": "{{.TASK_CLUSTER_DEFINE}}", 20 | "allocated_ports": "{{.ALLOCATED_PORTS}}" 21 | } -------------------------------------------------------------------------------- /dm_component/deployment/deploy_templates.yml: -------------------------------------------------------------------------------- 1 | # Copyright 2024 Ant Group Co., Ltd. 2 | # 3 | # Licensed under the Apache License, Version 2.0 (the "License"); 4 | # you may not use this file except in compliance with the License. 5 | # You may obtain a copy of the License at 6 | # 7 | # http://www.apache.org/licenses/LICENSE-2.0 8 | # 9 | # Unless required by applicable law or agreed to in writing, software 10 | # distributed under the License is distributed on an "AS IS" BASIS, 11 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | # See the License for the specific language governing permissions and 13 | # limitations under the License. 14 | 15 | - name: sf-tee-dm-sim 16 | replicas: 1 17 | spec: 18 | containers: 19 | - command: 20 | - sh 21 | args: 22 | - -c 23 | - "python -m componentize.main --task_config_path /etc/kuscia/task-config.conf" 24 | configVolumeMounts: 25 | - mountPath: /etc/kuscia/task-config.conf 26 | subPath: task-config.conf 27 | name: sf-tee-dm-sim 28 | ports: 29 | - name: tee-dm 30 | port: 36954 31 | protocol: HTTP 32 | scope: Cluster 33 | workingDir: /work 34 | restartPolicy: Never -------------------------------------------------------------------------------- /dm_component/requirements.txt: -------------------------------------------------------------------------------- 1 | numpy==1.23.5 # FEATURE=[lite] 2 | kuscia==0.0.1b2 # FEATURE=[lite] 3 | protobuf==3.19.6 # FEATURE=[lite] 4 | clean-text==0.6.0 5 | grpcio==1.56.2 # FEATURE=[lite] 6 | requests==2.31.0 7 | tenacity==8.2.3 8 | secretflow-spec==0.1.0.dev20231101 9 | capsule_manager_sdk==0.1.0b0 10 | sdc-apis==0.2.0.dev20230930 11 | requests_toolbelt==1.0.0 12 | cryptography==41.0.2 13 | certifi==2023.7.22 -------------------------------------------------------------------------------- /docker/trustflow-release-ubuntu22.04.Dockerfile: -------------------------------------------------------------------------------- 1 | # Copyright 2024 Ant Group Co., Ltd. 2 | # 3 | # Licensed under the Apache License, Version 2.0 (the "License"); 4 | # you may not use this file except in compliance with the License. 5 | # You may obtain a copy of the License at 6 | # 7 | # http://www.apache.org/licenses/LICENSE-2.0 8 | # 9 | # Unless required by applicable law or agreed to in writing, software 10 | # distributed under the License is distributed on an "AS IS" BASIS, 11 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | # See the License for the specific language governing permissions and 13 | # limitations under the License. 14 | 15 | ARG BASE_IMAGE=ubuntu:22.04 16 | FROM ${BASE_IMAGE} 17 | 18 | LABEL maintainer="secretflow-contact@service.alipay.com" 19 | 20 | # change dash to bash as default shell 21 | RUN ln -sf /usr/bin/bash /bin/sh 22 | 23 | 24 | # note: openssl will be installed along with wget 25 | RUN apt update && apt install wget curl -y && apt clean 26 | 27 | # install conda 28 | RUN wget http://repo.anaconda.com/miniconda/Miniconda3-py310_24.4.0-0-Linux-x86_64.sh \ 29 | && bash Miniconda3-py310_24.4.0-0-Linux-x86_64.sh -b && rm -f Miniconda3-py310_24.4.0-0-Linux-x86_64.sh \ 30 | && ln -sf /root/miniconda3/bin/conda /usr/bin/conda \ 31 | && conda init 32 | 33 | 34 | # install dcap lib in ubuntu 22.04 35 | RUN echo "ca_directory=/etc/ssl/certs" >> /etc/wgetrc \ 36 | && echo 'deb [signed-by=/etc/apt/keyrings/intel-sgx-keyring.asc arch=amd64] https://download.01.org/intel-sgx/sgx_repo/ubuntu jammy main' | tee /etc/apt/sources.list.d/intel-sgx.list \ 37 | && wget https://download.01.org/intel-sgx/sgx_repo/ubuntu/intel-sgx-deb.key \ 38 | && cat intel-sgx-deb.key | tee /etc/apt/keyrings/intel-sgx-keyring.asc > /dev/null \ 39 | && rm -f intel-sgx-deb.key \ 40 | && apt update && apt install -y libsgx-epid libsgx-quote-ex libsgx-dcap-ql libsgx-dcap-quote-verify-dev libsgx-dcap-default-qpl && apt clean \ 41 | && pushd /usr/lib/x86_64-linux-gnu/ && ln -s libdcap_quoteprov.so.1 libdcap_quoteprov.so && popd -------------------------------------------------------------------------------- /docs/Makefile: -------------------------------------------------------------------------------- 1 | # Minimal makefile for Sphinx documentation 2 | # 3 | 4 | # You can set these variables from the command line, and also 5 | # from the environment for the first two. 6 | SPHINXOPTS ?= 7 | SPHINXBUILD ?= sphinx-build 8 | SOURCEDIR = . 9 | BUILDDIR = _build 10 | 11 | # Put it first so that "make" without argument is like "make help". 12 | help: 13 | @$(SPHINXBUILD) -M help "$(SOURCEDIR)" "$(BUILDDIR)" $(SPHINXOPTS) $(O) 14 | 15 | .PHONY: help Makefile 16 | 17 | update: $(eval SHELL:=/bin/bash) 18 | @sh "./update_data.sh" 19 | 20 | # Catch-all target: route all unknown targets to Sphinx using the new 21 | # "make mode" option. $(O) is meant as a shortcut for $(SPHINXOPTS). 22 | %: Makefile 23 | @$(SPHINXBUILD) -M $@ "$(SOURCEDIR)" "$(BUILDDIR)" $(SPHINXOPTS) $(O) 24 | -------------------------------------------------------------------------------- /docs/advanced_topic/index.rst: -------------------------------------------------------------------------------- 1 | 高阶话题 2 | ======================== 3 | 想了解TrustFlow相关的高阶话题,欢迎阅读下列文章! 4 | 5 | 6 | .. toctree:: 7 | :maxdepth: 2 8 | 9 | cross_domain_controll_in_tee 10 | roadmap 11 | 12 | -------------------------------------------------------------------------------- /docs/advanced_topic/roadmap.md: -------------------------------------------------------------------------------- 1 | # 路线图 2 | 3 | ## 功能列表 4 | 5 | 6 | |大类|小项|是否支持| 7 | |-----|----|----| 8 | |跨域管控|数据密态存储|✅| 9 | ||计算管控 - 静态计算逻辑|✅| 10 | ||计算管控 - 动态计算逻辑|✅| 11 | ||计算管控 - 计算时间|(计划中)| 12 | ||计算管控 - 计算次数|(计划中)| 13 | ||计算管控 - 列管控(CCL)|(计划中)| 14 | ||结果管控 - 导出审批|✅| 15 | ||结果管控 - 数据血缘|✅| 16 | ||结果管控 - 计算代码血缘|(计划中)| 17 | |可信AI|预处理|✅| 18 | ||传统ML|✅| 19 | ||深度学习|(计划中)| 20 | ||大模型|(计划中)| 21 | |可信BI||(计划中)| 22 | 23 | 24 | ## 路线图 25 | 26 | ![roadmap](../images/tee_roadmap.jpg) -------------------------------------------------------------------------------- /docs/architecture/apps/binary_evaluation.md: -------------------------------------------------------------------------------- 1 | # 二分类评估 2 | 3 | 对预测结果进行二分类评估。 4 | 5 | ## 组件定义 6 | 7 | 1. 参数 8 | (1) bucket_num: 分桶数目。 9 | (2) min_item_cnt_per_bucket: 每个分桶允许包含的最小样本条数。 10 | 2. 输入:预测结果(比如LR预测的输出)。 11 | 3. 输出:结果为一个report,包含以下内容: 12 | (1) summary_report: 总结报告,包含total_samples、positive_samples、negative_samples、auc、ks和f1_score。 13 | (2) eq_frequent_bin_report: 等频分箱报告。 14 | (3) eq_range_bin_report: 等距分箱报告。 15 | (4) head_report: FPR=[0.001,0.005,0.01,0.05,0.1,0.2]的精度报告,包含fpr、precision、recall和threshold。 16 | 17 | ```json 18 | { 19 | "domain": "ml.eval", 20 | "name": "biclassification_eval", 21 | "desc": "Statistics evaluation for a bi-classification model on a dataset.\n1. summary_report: SummaryReport\n2. eq_frequent_bin_report: List[EqBinReport]\n3. eq_range_bin_report: List[EqBinReport]\n4. head_report: List[PrReport]\nreports for fpr = 0.001, 0.005, 0.01, 0.05, 0.1, 0.2", 22 | "version": "0.0.1", 23 | "attrs": [ 24 | { 25 | "name": "bucket_num", 26 | "desc": "Number of buckets.", 27 | "type": "AT_INT", 28 | "atomic": { 29 | "is_optional": true, 30 | "default_value": { 31 | "i64": "10" 32 | }, 33 | "lower_bound_enabled": true, 34 | "lower_bound": { 35 | "i64": "1" 36 | }, 37 | "lower_bound_inclusive": true 38 | } 39 | }, 40 | { 41 | "name": "min_item_cnt_per_bucket", 42 | "desc": "Min item cnt per bucket. If any bucket doesn't meet the requirement, error raises. For security reasons, we require this parameter to be at least 2.", 43 | "type": "AT_INT", 44 | "atomic": { 45 | "is_optional": true, 46 | "default_value": { 47 | "i64": "2" 48 | }, 49 | "lower_bound_enabled": true, 50 | "lower_bound": { 51 | "i64": "2" 52 | }, 53 | "lower_bound_inclusive": true 54 | } 55 | } 56 | ], 57 | "inputs": [ 58 | { 59 | "name": "predictions", 60 | "desc": "Input table with predictions", 61 | "types": [ 62 | "sf.table.individual" 63 | ], 64 | "attrs": [ 65 | { 66 | "name": "label", 67 | "desc": "The real value column name", 68 | "col_min_cnt_inclusive": "1", 69 | "col_max_cnt_inclusive": "1" 70 | }, 71 | { 72 | "name": "score", 73 | "desc": "The score value column name", 74 | "col_min_cnt_inclusive": "1", 75 | "col_max_cnt_inclusive": "1" 76 | } 77 | ] 78 | } 79 | ], 80 | "outputs": [ 81 | { 82 | "name": "reports", 83 | "desc": "Output report.", 84 | "types": [ 85 | "sf.report" 86 | ] 87 | } 88 | ] 89 | } 90 | ``` -------------------------------------------------------------------------------- /docs/architecture/apps/corr.md: -------------------------------------------------------------------------------- 1 | # 相关系数矩阵 2 | 3 | 计算数据集的皮尔逊乘积矩相关系数。 4 | 5 | ## 组件定义 6 | 7 | 1. 输入:数据集以及选中的特征列。如果不选择列,则会对所有列进行计算。 8 | 2. 输出:结果为一个report,report的内容为一张相关系数表。 9 | 10 | ```json 11 | { 12 | "domain": "stats", 13 | "name": "pearsonr", 14 | "desc": "Calculate Pearson's product-moment correlation coefficient for individual dataset.", 15 | "version": "0.0.1", 16 | "inputs": [ 17 | { 18 | "name": "input_data", 19 | "desc": "Input table.", 20 | "types": [ 21 | "sf.table.individual" 22 | ], 23 | "attrs": [ 24 | { 25 | "name": "feature_selects", 26 | "desc": "Specify which features to calculate correlation coefficient with. If empty, all features will be used" 27 | } 28 | ] 29 | } 30 | ], 31 | "outputs": [ 32 | { 33 | "name": "report", 34 | "desc": "Output Pearson's product-moment correlation coefficient report.", 35 | "types": [ 36 | "sf.report" 37 | ] 38 | } 39 | ] 40 | } 41 | ``` 42 | 43 | ## 结果示例 44 | 45 | 输出内容的json形式如下。 46 | ```json 47 | { 48 | "name": "corr", 49 | "desc": "corr table", 50 | "tabs": [ 51 | { 52 | "divs": [ 53 | { 54 | "children": [ 55 | { 56 | "type": "table", 57 | "table": { 58 | "headers": [ 59 | { 60 | "name": "SALARY", 61 | "type": "float" 62 | }, 63 | { 64 | "name": "AGE", 65 | "type": "float" 66 | } 67 | ], 68 | "rows": [ 69 | { 70 | "name": "SALARY", 71 | "items": [ 72 | { 73 | "f": 1.0 74 | }, 75 | { 76 | "f": 0.8728716 77 | } 78 | ] 79 | }, 80 | { 81 | "name": "AGE", 82 | "items": [ 83 | { 84 | "f": 0.8728716 85 | }, 86 | { 87 | "f": 1.0 88 | } 89 | ] 90 | } 91 | ] 92 | } 93 | } 94 | ] 95 | } 96 | ] 97 | } 98 | ] 99 | } 100 | ``` 101 | 102 | 用表格来展示如下。 103 | 104 | | | SALARY | AGE | 105 | | ------ | ---------- | --------- | 106 | | SALARY | 1 | 0.8728716 | 107 | | AGE | 0.8728716 | 1 | 108 | -------------------------------------------------------------------------------- /docs/architecture/apps/data_describe.md: -------------------------------------------------------------------------------- 1 | # 全表统计 2 | 3 | 全表统计对数据进行统计,并输出统计信息。 4 | 5 | 输出信息包含每一列的以下信息。 6 | 1. datatype(数据类型) 7 | 2. total_count(总数) 8 | 3. count(非nan总数) 9 | 4. count_na(nan总数) 10 | 5. min 11 | 6. max 12 | 7. var 13 | 8. std 14 | 9. sem(standard error of the mean) 15 | 10. skewness(偏度) 16 | 11. kurtosis(峰度) 17 | 12. q1(分位数) 18 | 13. q2 19 | 14. q3 20 | 15. moment_2 21 | 16. moment_3 22 | 17. moment_4 23 | 18. central_moment_2 24 | 19. central_moment_3 25 | 20. central_moment_4 26 | 21. sum 27 | 22. sum_2 28 | 23. sum_3 29 | 24. sum_4 30 | ● moment_2 表示 E[X^2] 31 | ● central_moment_2 表示 E[(X - mean(X))^2] 32 | ● sum_2 表示 sum(X^2) 33 | 34 | ## 组件定义 35 | 36 | ```json 37 | { 38 | "domain": "stats", 39 | "name": "table_statistics", 40 | "desc": "Get a table of statistics,\nincluding each column's\n1. datatype\n2. total_count\n3. count\n4. count_na\n5. min\n6. max\n7. var\n8. std\n9. sem\n10. skewness\n11. kurtosis\n12. q1\n13. q2\n14. q3\n15. moment_2\n16. moment_3\n17. moment_4\n18. central_moment_2\n19. central_moment_3\n20. central_moment_4\n21. sum\n22. sum_2\n23. sum_3\n24. sum_4\n- moment_2 means E[X^2].\n- central_moment_2 means E[(X - mean(X))^2].\n- sum_2 means sum(X^2).", 41 | "version": "0.0.1", 42 | "inputs": [ 43 | { 44 | "name": "input_data", 45 | "desc": "Input table.", 46 | "types": [ 47 | "sf.table.individual" 48 | ] 49 | } 50 | ], 51 | "outputs": [ 52 | { 53 | "name": "report", 54 | "desc": "Output table statistics report.", 55 | "types": [ 56 | "sf.report" 57 | ] 58 | } 59 | ] 60 | } 61 | ``` -------------------------------------------------------------------------------- /docs/architecture/apps/feature_filter.md: -------------------------------------------------------------------------------- 1 | # 特征过滤 2 | 3 | 该组件用于从数据集中删除指定的特征。 4 | 5 | ## 组件定义 6 | 7 | 1. 输入:数据集以及要删除的特征列。 8 | 2. 输出:删除指定特征列之后的数据。 9 | 10 | ```json 11 | { 12 | "domain": "preprocessing", 13 | "name": "feature_filter", 14 | "desc": "Drop features from the dataset.", 15 | "version": "0.0.1", 16 | "inputs": [ 17 | { 18 | "name": "in_ds", 19 | "desc": "Input table.", 20 | "types": [ 21 | "sf.table.individual" 22 | ], 23 | "attrs": [ 24 | { 25 | "name": "drop_features", 26 | "desc": "Features to drop.", 27 | "col_min_cnt_inclusive": "1" 28 | } 29 | ] 30 | } 31 | ], 32 | "outputs": [ 33 | { 34 | "name": "out_ds", 35 | "desc": "Output table.", 36 | "types": [ 37 | "sf.table.individual" 38 | ] 39 | } 40 | ] 41 | } 42 | ``` -------------------------------------------------------------------------------- /docs/architecture/apps/index.rst: -------------------------------------------------------------------------------- 1 | 可信APP 2 | ======================== 3 | TrustFlow内置了多种可信APP,每一个可信APP在执行计算逻辑之前,会先向CapsuleManager请求数据密钥,具体流程如下图所示。 4 | 5 | .. image:: ../../images/tee_app.png 6 | 7 | 可信APP使用隐语组件标准 `component spec `_ 进行定义。 8 | 9 | 每个组件包含名称、版本号、属性、输入(inputs)和输出(outputs)。 10 | 11 | 1. 组件名称由domain + name决定,组件名称通常表示了某一个具体功能的组件。 12 | 2. 组件版本号(version)标识了组件的版本,需要注意,不同版本可能兼容也可能不兼容,具体应该见组件说明。 13 | 3. 属性(attrs)定义了算子的参数以及它们的默认值、取值范围或者可选值等。 14 | 4. 输入(inputs)和输出(outputs)定义了输入输出的类型,用来标识它是一张数据表(table)、一个机器学习的模型(model)还是一个数据分析的报告(report)等。输入输出中的属性(attrs)用来表示该输入输出的额外属性,例如求交算子中用"key"来表示输入表中的求交列,woe分箱算子中用"feature_selects"来表示输入表选取列。 15 | 16 | 下面,我们会先通过求交和woe分箱这两个可信APP来详细说明组件化定义的方式以及任务配置文件的书写方式。更多的组件示例详见列表。 17 | 18 | 19 | .. toctree:: 20 | :maxdepth: 1 21 | 22 | intersect 23 | woe_binning 24 | woe_substitution 25 | split 26 | feature_filter 27 | corr 28 | data_describe 29 | vif 30 | xgb_train 31 | lr_train 32 | xgb_predict 33 | lr_predict 34 | lgbm_train 35 | lgbm_predict 36 | binary_evaluation 37 | prediction_bias_eval 38 | 39 | 40 | 41 | -------------------------------------------------------------------------------- /docs/architecture/apps/prediction_bias_eval.md: -------------------------------------------------------------------------------- 1 | # 预测偏差评估 2 | 3 | 对预测结果进行预测偏差评估。 4 | 5 | ## 组件定义 6 | 1. 参数 7 | (1) bucket_num: 分桶数目。 8 | (2) min_item_cnt_per_bucket: 每个分桶允许包含的最小样本条数。 9 | (3) bucket_method: 分桶方法,取值可以是“equal_width”或者“equal_frequency”,分别对应等宽和等频。 10 | 2. 输入:预测结果。 11 | 3. 输出:输出的eport内容为分箱报告,具体包含每个分箱的avg_prediction、avg_label和bias。 12 | 13 | ```json 14 | { 15 | "domain": "ml.eval", 16 | "name": "prediction_bias_eval", 17 | "desc": "Calculate prediction bias, ie. average of predictions - average of labels.", 18 | "version": "0.0.1", 19 | "attrs": [ 20 | { 21 | "name": "bucket_num", 22 | "desc": "Num of bucket.", 23 | "type": "AT_INT", 24 | "atomic": { 25 | "is_optional": true, 26 | "default_value": { 27 | "i64": "10" 28 | }, 29 | "lower_bound_enabled": true, 30 | "lower_bound": { 31 | "i64": "1" 32 | }, 33 | "lower_bound_inclusive": true 34 | } 35 | }, 36 | { 37 | "name": "min_item_cnt_per_bucket", 38 | "desc": "Min item cnt per bucket. If any bucket doesn't meet the requirement, error raises. For security reasons, we require this parameter to be at least 2.", 39 | "type": "AT_INT", 40 | "atomic": { 41 | "is_optional": true, 42 | "default_value": { 43 | "i64": "2" 44 | }, 45 | "lower_bound_enabled": true, 46 | "lower_bound": { 47 | "i64": "2" 48 | }, 49 | "lower_bound_inclusive": true 50 | } 51 | }, 52 | { 53 | "name": "bucket_method", 54 | "desc": "Bucket method.", 55 | "type": "AT_STRING", 56 | "atomic": { 57 | "is_optional": true, 58 | "default_value": { 59 | "s": "equal_width" 60 | }, 61 | "allowed_values": { 62 | "ss": [ 63 | "equal_width", 64 | "equal_frequency" 65 | ] 66 | } 67 | } 68 | } 69 | ], 70 | "inputs": [ 71 | { 72 | "name": "predictions", 73 | "desc": "Input table with predictions.", 74 | "types": [ 75 | "sf.table.individual" 76 | ], 77 | "attrs": [ 78 | { 79 | "name": "label", 80 | "desc": "The real value column name", 81 | "col_min_cnt_inclusive": "1", 82 | "col_max_cnt_inclusive": "1" 83 | }, 84 | { 85 | "name": "score", 86 | "desc": "The score value column name", 87 | "col_min_cnt_inclusive": "1", 88 | "col_max_cnt_inclusive": "1" 89 | } 90 | ] 91 | } 92 | ], 93 | "outputs": [ 94 | { 95 | "name": "reports", 96 | "desc": "Output report.", 97 | "types": [ 98 | "sf.report" 99 | ] 100 | } 101 | ] 102 | } 103 | ``` -------------------------------------------------------------------------------- /docs/architecture/apps/split.md: -------------------------------------------------------------------------------- 1 | # 随机分割 2 | 3 | 将数据集拆分为训练集和测试集。 4 | 5 | ## 组件定义 6 | 7 | 1. 参数 8 | (1) train_size: 训练集占的比例,取值范围为(0, 1),默认值为0.75。 9 | (2) fix_random: 是否使用固定的随机数种子。 10 | (3) random_state: 随机数种子,取值为integer,默认值为1024。 11 | (4) shuffle: 拆分前是否对数据进行打乱,true表示打乱。 12 | 2. 输入:待拆分的数据。 13 | 3. 输出:拆分后得到的训练集和测试集。 14 | 15 | ```json 16 | { 17 | "domain": "preprocessing", 18 | "name": "train_test_split", 19 | "desc": "Split datasets into random train and test subsets.\n- Please check: https://scikit-learn.org/stable/modules/generated/sklearn.model_selection.train_test_split.html", 20 | "version": "0.0.1", 21 | "attrs": [ 22 | { 23 | "name": "train_size", 24 | "desc": "Proportion of the dataset to include in the train subset.", 25 | "type": "AT_FLOAT", 26 | "atomic": { 27 | "is_optional": true, 28 | "default_value": { 29 | "f": 0.75 30 | }, 31 | "lower_bound_enabled": true, 32 | "lower_bound": {}, 33 | "lower_bound_inclusive": true, 34 | "upper_bound_enabled": true, 35 | "upper_bound": { 36 | "f": 1 37 | }, 38 | "upper_bound_inclusive": true 39 | } 40 | }, 41 | { 42 | "name": "fix_random", 43 | "desc": "Whether to fix random.", 44 | "type": "AT_BOOL", 45 | "atomic": { 46 | "is_optional": true, 47 | "default_value": { 48 | "b": true 49 | } 50 | } 51 | }, 52 | { 53 | "name": "random_state", 54 | "desc": "Specify the random seed of the shuffling.", 55 | "type": "AT_INT", 56 | "atomic": { 57 | "is_optional": true, 58 | "default_value": { 59 | "i64": "1024" 60 | }, 61 | "lower_bound_enabled": true, 62 | "lower_bound": {} 63 | } 64 | }, 65 | { 66 | "name": "shuffle", 67 | "desc": "Whether to shuffle the data before splitting.", 68 | "type": "AT_BOOL", 69 | "atomic": { 70 | "is_optional": true, 71 | "default_value": { 72 | "b": true 73 | } 74 | } 75 | } 76 | ], 77 | "inputs": [ 78 | { 79 | "name": "input_data", 80 | "desc": "Input table.", 81 | "types": [ 82 | "sf.table.individual" 83 | ] 84 | } 85 | ], 86 | "outputs": [ 87 | { 88 | "name": "train", 89 | "desc": "Output train dataset.", 90 | "types": [ 91 | "sf.table.individual" 92 | ] 93 | }, 94 | { 95 | "name": "test", 96 | "desc": "Output test dataset.", 97 | "types": [ 98 | "sf.table.individual" 99 | ] 100 | } 101 | ] 102 | } 103 | ``` -------------------------------------------------------------------------------- /docs/architecture/apps/vif.md: -------------------------------------------------------------------------------- 1 | # VIF 2 | 3 | 计算独立数据集的方差膨胀因子VIF(Variance Inflation Factor)。 4 | 5 | ## 组件定义 6 | 7 | 1. 输入:数据集,以及要计算的列。如果不选择列,则默认计算所有列。 8 | 2. 输出:VIF结果。 9 | 10 | ```json 11 | { 12 | "domain": "stats", 13 | "name": "vif", 14 | "desc": "Calculate Variance Inflation Factor(VIF) for individual dataset", 15 | "version": "0.0.1", 16 | "inputs": [ 17 | { 18 | "name": "input_data", 19 | "desc": "Input table.", 20 | "types": [ 21 | "sf.table.individual" 22 | ], 23 | "attrs": [ 24 | { 25 | "name": "feature_selects", 26 | "desc": "Column(s) used to join. If not provided, ids of the Specify which features to calculate VIF with. If empty, all features will be used." 27 | } 28 | ] 29 | } 30 | ], 31 | "outputs": [ 32 | { 33 | "name": "report", 34 | "desc": "Output Variance Inflation Factor(VIF) report.", 35 | "types": [ 36 | "sf.report" 37 | ] 38 | } 39 | ] 40 | } 41 | ``` -------------------------------------------------------------------------------- /docs/architecture/apps/woe_substitution.md: -------------------------------------------------------------------------------- 1 | # WOE转换 2 | 3 | 该组件通常和WOE分箱组件配合使用,根据WOE分箱组件产出的分享规则,对指定的数据列进行分箱。 4 | 5 | ## 组件定义 6 | 1. 输入为待分箱的数据和分箱规则 7 | 2. 输出为分箱后的数据 8 | 9 | ```json 10 | { 11 | "domain": "feature", 12 | "name": "vert_woe_substitution", 13 | "desc": "Substitute datasets' value by WOE substitution rules.", 14 | "version": "0.0.1", 15 | "inputs": [ 16 | { 17 | "name": "input_data", 18 | "desc": "Dataset to be substituted.", 19 | "types": [ 20 | "sf.table.individual" 21 | ] 22 | }, 23 | { 24 | "name": "woe_rule", 25 | "desc": "WOE substitution rule.", 26 | "types": [ 27 | "sf.rule.woe_binning" 28 | ] 29 | } 30 | ], 31 | "outputs": [ 32 | { 33 | "name": "output_data", 34 | "desc": "Output substituted dataset.", 35 | "types": [ 36 | "sf.table.individual" 37 | ] 38 | } 39 | ] 40 | } 41 | ``` -------------------------------------------------------------------------------- /docs/architecture/data_lineage.md: -------------------------------------------------------------------------------- 1 | # 数据血缘 2 | 3 | 数据血缘是指在TrustFlow流转的数据可以追溯其原始数据来源和计算链路。数据血缘可以作为计算结果正确性校验、审计等的重要依据。 4 | 5 | 如图所示,TrustFlow会在数据中记录产生该数据的所有祖先以及历经的计算代码,并且提供完整性保护。 6 | 7 | ![principle](../images/data_lineage.png) -------------------------------------------------------------------------------- /docs/architecture/index.rst: -------------------------------------------------------------------------------- 1 | 架构设计 2 | ======================== 3 | 想了解TrustFlow原理和功能,欢迎阅读下列文章! 4 | 5 | 6 | .. toctree:: 7 | :maxdepth: 3 8 | 9 | principle 10 | policy 11 | data_lineage 12 | apps/index 13 | tee/index 14 | 15 | -------------------------------------------------------------------------------- /docs/architecture/principle.md: -------------------------------------------------------------------------------- 1 | # TrustFlow原理 2 | 3 | TrustFlow的核心原理如下图所示。主要流程描述如下。 4 | 5 | 1. 数据持有方(图中以alice和bob为例)对[CapsuleManager](https://github.com/asterinas/trustflow-capsule-manager)(运行在TEE中)进行远程认证,确认CapsuleManager被正确部署在TEE环境中,且代码未被篡改。CapsuleManager的公钥会随着远程认证报告一起返回给数据持有方。 6 | 7 | 2. 数据持有方生成数据加密密钥,对数据进行加密,并且使用CapsuleManager的公钥对加密密钥进行加密。 8 | 9 | 3. 数据持有方根据数据使用需求,生成授权策略,详见[授权策略](../quick_start/step3.ipynb),策略文件使用持有方的私钥进行签名。 10 | 11 | 4. 数据持有方把加密后的数据密钥和签名后的授权策略文件发送给CapsuleManager。 12 | 13 | 5. 数据持有方把加密后的数据发送给数据加工方(提供TEE计算资源)。 14 | 15 | 6. 数据加工方启动可信APP(运行在TEE中),可信APP从CapsuleManager请求获取数据密钥。CapsuleManager会进行以下验证,验证通过后才会把数据密钥发送给可信APP,发送时使用可信APP的公钥加密以确保安全。 16 | 17 | (1) 对可信APP进行远程认证,确认可信APP运行在TEE环境中,且代码未被篡改。 18 | 19 | (2) 根据数据持有方设置的策略,检查可信APP是否在授权列表中。 20 | 21 | (3) 根据数据持有方设置的策略,检查计算参与方是否在授权列表中。比如图中carol执行可信APP使用了alice和bob的数据,仅当alice和bob的策略都允许carol执行计算才会通过。 22 | 23 | (4) 根据数据持有方的策略进行其他检查(取决于策略的具体设置)。 24 | 25 | 7. 可信APP使用私钥解密得到数据加密密钥,继而解密得到明文数据,并按照预设的计算逻辑对数据进行计算。 26 | 27 | ![principle.png](../images/trustflow_principle.png) -------------------------------------------------------------------------------- /docs/architecture/tee/csv.md: -------------------------------------------------------------------------------- 1 | # 海光 CSV 2 | 海光CSV(China Secure Virtualization)是由海光自主研发的安全虚拟化技术,属于面向虚拟机的TEE方案。它采用国密算法实现,CSV虚拟机在写内存数据时CPU硬件自动加密,读内存数据时硬件自动解密,每个CSV虚拟机使用独立的密钥。海光CPU内部使用ASID(Address Space ID)区分不同的CSV虚拟机和主机,每个CSV虚拟机使用独立的Cache、TLB等CPU资源,实现CSV虚拟机、主机之间的资源隔离。CSV虚拟机使用隔离的硬件资源,支持启动度量、远程认证等功能,是一种安全的可信执行环境。 3 | 4 | 5 | ![csv](../../images/csv.jpg) 6 | 更多技术细节可以参见[Hygon Arch](https://openanolis.cn/sig/Hygon-Arch) -------------------------------------------------------------------------------- /docs/architecture/tee/index.rst: -------------------------------------------------------------------------------- 1 | 可信执行环境简介 2 | ======================== 3 | 可信执行环境(Trusted Execution Environments, TEE)是是一种基于硬件的隐私保护技术。 4 | 它保证了执行代码的真实性,运行时状态(如寄存器、内存和敏感I/O)的完整性, 5 | 以及存储在内存中的代码、数据和运行时状态的机密性。 6 | 此外,还应能够向第三方提供远程认证,以证明其可靠性。 7 | 8 | 目前包括Intel、AMD、ARM等在内的主流硬件厂商均提供了TEE产品,比如Intel SGX、Intel TDX、 9 | AMD SEV、ARM TrustedZone、ARM CCA、海光CSV等。当前TrustFlow主要支持Intel SGX、 10 | Intel TDX和海光CSV,对其他硬件的支持正在进行中。下列文章对部分TEE的原理进行了介绍,以方便读者了解TEE。 11 | 12 | 13 | .. toctree:: 14 | :maxdepth: 2 15 | 16 | sgx 17 | tdx 18 | csv 19 | 20 | -------------------------------------------------------------------------------- /docs/architecture/tee/sgx.md: -------------------------------------------------------------------------------- 1 | # Intel SGX 2 | 3 | Intel SGX(Software Guard Extensions)是由Intel推出的一种TEE方案。SGX的安全模型是只信任CPU和微码。 4 | 5 | ## Enclave 6 | 7 | SGX最重要的核心概念是Enclave(飞地),Enclave可以被视为进程中安全可信的部分,其中运行的程序和数据的机密性和完整性受到SGX的保护。Enclave所处的内存是加密的,除了Enclave自身和CPU之外, 其他系统软件包括 Operating system (OS), Virtual Machine Monitor (VMM), System Management Mode (SMM), BIOS等都无法访问 Enclave,从而避免 Enclave 被恶意攻击。 8 | 9 | 下图中黄色部分表示了Enclave。从图中我们可以看到,在标准的SGX模型下,应用被分为可信和不可信两部分,可信部分为 Enclave, 10 | 非可信部分为运行在外面的代码和数据。 11 | 12 | 关于Enclave的更详细介绍,可以阅读[SGX Enclave](https://www.intel.com/content/dam/develop/external/us/en/documents/overview-of-intel-sgx-enclave-637284.pdf). 13 | 14 | ![sgx](../../images/sgx.png) 15 | 16 | ### Enclave身份标识 - MRENCLAVE 和 MRSIGNER 17 | 18 | 每个Enclave都具有两个与其绑定的身份标识。 19 | 20 | 第一个是Enclave Identity(飞地身份),它由**MRENCLAVE**的值表示,MRENCLAVE是Enclave的度量值,度量了Enclave构建和初始化过程的每个步骤的加密哈希值。MRENCLAVE唯一标识任何特定的飞地。不同版本的飞地构建/版本将导致不同的MRENCLAVE值。 21 | 22 | 第二个是由授权机构提供的Signing Identity(签名身份),该机构在分发之前对enclave进行签名。该值称为**MRSIGNER**,对于所有使用相同授权机构签名的飞地,该值均是相同的。 23 | 24 | 根据场景的不同,您可以选择用MRENCLAVE或者MRSIGNER来唯一确认Enclave的身份,通常情况下应该使用MRENCLAVE。若您可以信任某个机构,则可以使用MRSIGNER,从而减缓使用中可能遇到的潜在问题,比如代码频繁升级带来的困扰。 25 | 26 | 27 | ## 远程认证 28 | 29 | 远程认证提供了一种机制,允许远程用户验证远程进程中软件的真实性。SGX的远程认证可以对以下内容进行验证: 30 | 31 | 1. Enclave运行在SGX内部 32 | 33 | 2. Enclave运行在具有最新安全级别的系统上 34 | 35 | 3. Enclave的代码 36 | 37 | 通过远程认证,用户可以确保enclave运行环境是可靠的,且运行的代码未被篡改。 38 | 39 | 目前SGX支持两种类型的远程认证:ECDSA(Elliptic Curve Digital Signature Algorithm)认证和 Intel EPID(Intel Enhanced Privacy ID) 认证,更详细说明参见[intel remote attestation](https://www.intel.com/content/www/us/en/developer/tools/software-guard-extensions/attestation-services.html)。SecretFlow目前仅支持ECDSA认证模式。 40 | 41 | ECDSA配合 Intel SGX DCAP(Intel Software Guard Extensions Data Center Attestation Primitives)可以允许用户构建自己的认证服务,而不需要依赖intel的远程认证服务。intel提供了Provisioning Certification Caching Service (PCCS)来帮助用户完成这一目标。 42 | 43 | ![sgx_dcap](../../images/sgx_dcap.png) 44 | 45 | ([图片来源](https://download.01.org/intel-sgx/sgx-dcap/1.10/linux/docs/SGX_DCAP_Caching_Service_Design_Guide.pdf)) 46 | 47 | ### 如何部署PCCS服务 48 | 49 | #### 情形一:使用云厂商自带的PCCS服务 50 | 如果您购买的是云厂商的机器,则云厂商通常会默认提供PCCS服务。 51 | 比如您的服务器提供商是阿里云,则可参考[阿里云远程证明服务](https://www.alibabacloud.com/help/zh/ecs/user-guide/build-an-sgx-encrypted-computing-environment#section-utn-xc1-656)。 52 | 53 | 具体可以查阅对应云厂商的官方文档。 54 | 55 | #### 自行搭建PCCS服务 56 | 如果您希望自行搭建PCCS服务,则可以参考[Intel PCCS](https://github.com/intel/SGXDataCenterAttestationPrimitives/tree/master/QuoteGeneration/pccs)。 57 | -------------------------------------------------------------------------------- /docs/architecture/tee/tdx.md: -------------------------------------------------------------------------------- 1 | # Intel TDX 2 | 3 | 英特尔全新发布的第五代英特尔® 至强® 可扩展处理器内置英特尔®可信域( Trust Domain Extension,TDX)技术,为客户提供面向虚拟化实例的机密计算新方案。英特尔® TDX提供了坚实的技术保障,助力客户在不改变现有应用程序的情况下,为其基础设施即服务( Infrastructure as a Service, IaaS)和平台即服务( Platform as a Service, PaaS)应用分别构建基于硬件设备的可信执行环境( Trusted Execution Environment, TEE),如机密虚拟机或机密容器。同时,英特尔® TDX 技术使用便捷,客户能在云环境中大规模部署并实现实时迁移,拥有更灵活和友好的机密云计算环境。 4 | 5 | ## 英特尔®至强®可扩展处理器机密计算方案 6 | 作为机密计算技术的重要引领者,英特尔推出了两种基于硬件级别的安全保护技术:英特尔® 软件防护扩展 (Software Guard Extensions, SGX) 技术,提供软件级别的安全隔离保护;英特尔® 可信域(TDX)技术,提供虚拟化层级的安全隔离保护。凭借这两项内置的安全技术,第五代英特尔®至强®可扩展处理器能够提供全面的机密计算能力,助力云服务提供商能够在基于硬件的可信执行环境(TEE)中,提供IaaS、PaaS和SaaS应用服务。 7 | 8 | ![sgx_and_tdx](../../images/sgx_and_tdx.png) 9 | 10 | 此外,通过创建一个 “信任域(TD)”的虚拟机环境,英特尔®TDX将客户操作系统和虚拟机(VM)应用程序与云主机、系统管理程序以及同一平台的其他虚拟机隔离开来。阿里云在第八代企业级ECS实例中集成了英特尔®TDX,成为首家公有云服务提供商,在公有云中提供基于TD的机密实例和机密容器。英特尔®TDX为云上整个虚拟化实例(包括虚拟机和云原生容器)创建了一个可信赖的边界。因此,云终端用户可以创建一个机密计算环境,该环境将信任边界扩展到整个虚拟化实例,通过直接迁移(lift-and-shift),简化了传统应用程序向机密计算的迁移。 11 | 12 | ### 机密计算安全隔离 13 | 借助英特尔® 虚拟机扩展 (Intel® Virtual Machine Extension,英特尔® VMX) 技术与英特尔® 多密钥全内存加密(Intel® Multi-Key Total Memory Encryption,英特尔® MK-TME)技术,英特尔® TDX 为云实例提供了一种被称为“信任域 (Trust Domain, TD)”的全新虚拟访客环境。 TD 可与其它 TD、实例,以及底层系统软件、管理软件实现相互隔离。而这些安全策略的实施,是由运行在安全仲裁模式 (Secure-Arbitration Mode, SEAM) 下的 TDX 安全服务模块来完成。 14 | 15 | ### 加密内存数据流通性能优异 16 | 通过CPU处理器中集成在内存控制器(IMC)的内置内存加密引擎,英特尔®TDX帮助用户能够对传输中的敏感数据进行加密。这种方法消除了传统数据库在处理敏感计算时反复进行数据加密解密的额外开销。通过在基于英特尔®TDX的可信执行环境(TEE)中运行数据库操作引擎,当云数据库处理用户敏感数据时,数据的状态始终可以得到机密保护。 17 | 18 | ### 便于大规模部署 19 | 直接迁移(lift-and-shift)简化了复杂的数据库系统向机密计算的迁移。此外,英特尔®TDX还为超大规模部署提供了丰富的云操作能力,例如无服务中断的实时迁移和TCB升级。这些能力都降低了云上全密态数据库的操作和维护成本,提高了整体可用性。 20 | 21 | ![tdx](../../images/tdx.png) 22 | 23 | 更多技术细节可以参见[Intel TDX白皮书](https://www.intel.com/content/www/us/en/developer/tools/trust-domain-extensions/overview.html)。 -------------------------------------------------------------------------------- /docs/build.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | # 3 | # Copyright 2024 Ant Group Co., Ltd. 4 | # 5 | # Licensed under the Apache License, Version 2.0 (the "License"); 6 | # you may not use this file except in compliance with the License. 7 | # You may obtain a copy of the License at 8 | # 9 | # http://www.apache.org/licenses/LICENSE-2.0 10 | # 11 | # Unless required by applicable law or agreed to in writing, software 12 | # distributed under the License is distributed on an "AS IS" BASIS, 13 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 14 | # See the License for the specific language governing permissions and 15 | # limitations under the License. 16 | # 17 | 18 | make clean 19 | env PYTHONPATH=$PYTHONPATH:$PWD/.. make SPHINXOPTS="-D language=zh_CN" html 20 | -------------------------------------------------------------------------------- /docs/conf.py: -------------------------------------------------------------------------------- 1 | # Configuration file for the Sphinx documentation builder. 2 | # 3 | # For the full list of built-in configuration values, see the documentation: 4 | # https://www.sphinx-doc.org/en/master/usage/configuration.html 5 | 6 | # -- Project information ----------------------------------------------------- 7 | # https://www.sphinx-doc.org/en/master/usage/configuration.html#project-information 8 | 9 | project = "TrustFlow" 10 | copyright = "2023 Ant Group Co., Ltd." 11 | author = "SecretFlow authors" 12 | 13 | # -- General configuration --------------------------------------------------- 14 | # https://www.sphinx-doc.org/en/master/usage/configuration.html#general-configuration 15 | 16 | extensions = ["myst_nb"] 17 | 18 | templates_path = ["_templates"] 19 | exclude_patterns = ["_build", "Thumbs.db", ".DS_Store"] 20 | 21 | # -- Options for sphinx-intl ------------------------------------------------- 22 | locale_dirs = ["locale/"] # path is example but recommended. 23 | gettext_compact = False # optional. 24 | 25 | # -- Options for HTML output ------------------------------------------------- 26 | # https://www.sphinx-doc.org/en/master/usage/configuration.html#options-for-html-output 27 | 28 | html_theme = "pydata_sphinx_theme" 29 | html_static_path = [] 30 | html_css_files = [] 31 | html_js_files = [] 32 | html_theme_options = { 33 | "icon_links": [ 34 | { 35 | "name": "GitHub", 36 | "url": "https://github.com/asterinas/trustflow", 37 | "icon": "fab fa-github-square", 38 | "type": "fontawesome", 39 | }, 40 | ], 41 | "logo": { 42 | "text": "TrustFlow", 43 | }, 44 | "show_nav_level": 4, 45 | } 46 | 47 | # Options for MyST-Parser 48 | # https://myst-parser.readthedocs.io/ 49 | 50 | # Enable all MyST features 51 | myst_gfm_only = False 52 | # Enable anchors for heading level h1 through h6 53 | myst_heading_anchors = 6 54 | 55 | # Enable TODO 56 | todo_include_todos = True 57 | 58 | myst_enable_extensions = [ 59 | "amsmath", 60 | "colon_fence", 61 | "deflist", 62 | "dollarmath", 63 | "fieldlist", 64 | "html_admonition", 65 | "html_image", 66 | "linkify", 67 | "replacements", 68 | "smartquotes", 69 | "strikethrough", 70 | "substitution", 71 | "tasklist", 72 | "attrs_inline", 73 | "attrs_block", 74 | ] 75 | 76 | # Options for MyST-NB 77 | # https://myst-nb.readthedocs.io/ 78 | 79 | nb_execution_mode = "off" 80 | 81 | autodoc_default_options = { 82 | "members": True, 83 | "member-order": "bysource", 84 | "special-members": "__init__", 85 | "undoc-members": False, 86 | "show-inheritance": False, 87 | } 88 | -------------------------------------------------------------------------------- /docs/development/index.rst: -------------------------------------------------------------------------------- 1 | .. _development: 2 | 3 | 开发者教程 4 | =============== 5 | 本文档面向想要基于TrustFlow进行二次开发的工程人员。 6 | 7 | 新组件开发 8 | --------------- 9 | TrustFlow已经提供了一些常用的组件。 10 | 但有时候您可能想新增一个组件,或者想要修改已有组件的参数。这是您可以阅读 `新组件开发教程 `_ 。 11 | 12 | .. toctree:: 13 | :maxdepth: 2 14 | 15 | new_component -------------------------------------------------------------------------------- /docs/images/constraint_op.jpg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/asterinas/trustflow/5ceebb7355ca1b0e92435ba2c7d912bd8bd7bf71/docs/images/constraint_op.jpg -------------------------------------------------------------------------------- /docs/images/csv.jpg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/asterinas/trustflow/5ceebb7355ca1b0e92435ba2c7d912bd8bd7bf71/docs/images/csv.jpg -------------------------------------------------------------------------------- /docs/images/data_lineage.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/asterinas/trustflow/5ceebb7355ca1b0e92435ba2c7d912bd8bd7bf71/docs/images/data_lineage.png -------------------------------------------------------------------------------- /docs/images/data_output.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/asterinas/trustflow/5ceebb7355ca1b0e92435ba2c7d912bd8bd7bf71/docs/images/data_output.png -------------------------------------------------------------------------------- /docs/images/policy.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/asterinas/trustflow/5ceebb7355ca1b0e92435ba2c7d912bd8bd7bf71/docs/images/policy.png -------------------------------------------------------------------------------- /docs/images/quick_start.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/asterinas/trustflow/5ceebb7355ca1b0e92435ba2c7d912bd8bd7bf71/docs/images/quick_start.png -------------------------------------------------------------------------------- /docs/images/san_quan_flow.jpg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/asterinas/trustflow/5ceebb7355ca1b0e92435ba2c7d912bd8bd7bf71/docs/images/san_quan_flow.jpg -------------------------------------------------------------------------------- /docs/images/sgx.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/asterinas/trustflow/5ceebb7355ca1b0e92435ba2c7d912bd8bd7bf71/docs/images/sgx.png -------------------------------------------------------------------------------- /docs/images/sgx_and_tdx.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/asterinas/trustflow/5ceebb7355ca1b0e92435ba2c7d912bd8bd7bf71/docs/images/sgx_and_tdx.png -------------------------------------------------------------------------------- /docs/images/sgx_dcap.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/asterinas/trustflow/5ceebb7355ca1b0e92435ba2c7d912bd8bd7bf71/docs/images/sgx_dcap.png -------------------------------------------------------------------------------- /docs/images/tdx.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/asterinas/trustflow/5ceebb7355ca1b0e92435ba2c7d912bd8bd7bf71/docs/images/tdx.png -------------------------------------------------------------------------------- /docs/images/tee_app.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/asterinas/trustflow/5ceebb7355ca1b0e92435ba2c7d912bd8bd7bf71/docs/images/tee_app.png -------------------------------------------------------------------------------- /docs/images/tee_roadmap.jpg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/asterinas/trustflow/5ceebb7355ca1b0e92435ba2c7d912bd8bd7bf71/docs/images/tee_roadmap.jpg -------------------------------------------------------------------------------- /docs/images/trustflow.jpg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/asterinas/trustflow/5ceebb7355ca1b0e92435ba2c7d912bd8bd7bf71/docs/images/trustflow.jpg -------------------------------------------------------------------------------- /docs/images/trustflow_cross_domain_controll.jpg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/asterinas/trustflow/5ceebb7355ca1b0e92435ba2c7d912bd8bd7bf71/docs/images/trustflow_cross_domain_controll.jpg -------------------------------------------------------------------------------- /docs/images/trustflow_en.jpg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/asterinas/trustflow/5ceebb7355ca1b0e92435ba2c7d912bd8bd7bf71/docs/images/trustflow_en.jpg -------------------------------------------------------------------------------- /docs/images/trustflow_principle.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/asterinas/trustflow/5ceebb7355ca1b0e92435ba2c7d912bd8bd7bf71/docs/images/trustflow_principle.png -------------------------------------------------------------------------------- /docs/images/trustflow_principle_en.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/asterinas/trustflow/5ceebb7355ca1b0e92435ba2c7d912bd8bd7bf71/docs/images/trustflow_principle_en.png -------------------------------------------------------------------------------- /docs/images/use_auth.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/asterinas/trustflow/5ceebb7355ca1b0e92435ba2c7d912bd8bd7bf71/docs/images/use_auth.png -------------------------------------------------------------------------------- /docs/index.rst: -------------------------------------------------------------------------------- 1 | :notoc: 2 | 3 | TrustFlow 4 | ============= 5 | 6 | `TrustFlow `_ 是隐语基于可信硬件的隐私保护引擎。 7 | TrustFlow立足于可信执行环境技术,提供受保护和隔离的环境,其中封装了敏感数据,并且提供数据安全存储和计算能力。 8 | 9 | 10 | 可信执行环境(Trusted Execution Environment,TEE) 是一种基于硬件的隐私保护技术。它保证了执行代码的真实性,运行时状态(如寄存器、内存和敏感I/O)的完整性, 11 | 以及存储在内存中的代码、数据和运行时状态的机密性。此外,还能够向第三方提供远程认证,以证明其可靠性。基于TEE,TrustFlow可以保护数据的机密性、完整性和可用性。 12 | 13 | 在TrustFlow中,数据被加密并存储在受控和限制的环境,以防止未经授权访问。 14 | TrustFlow采用多种安全措施,如远程认证、计算隔离、授权管控和审计机制,以确保数据被正确保护。 15 | TrustFlow具有端到端全链路加密能力,提供了零信任安全特性,机构可以对TrustFlow进行验证,限制数据使用最小权限访问。 16 | 与此同时,TrustFlow提供了丰富的数据加工处理能力,包括数据预处理、经典机器学习、深度学习、大模型、数据分析等, 17 | 在保护数据隐私的同时可以充分释放数据价值。 18 | 19 | TrustFlow可用于需要安全存储、处理或共享敏感数据的场景,以最大程度地减少暴露或未经授权使用的风险。 20 | 21 | .. image:: images/trustflow.jpg 22 | 23 | 为什么选择TrustFlow 24 | --------------------- 25 | 26 | TrustFlow允许机构在保护数据安全的前提下,探索强大的人工智能(AI)以及大数据分析(BI)技术,充分释放数据价值。 27 | TrustFlow保护了数据使用中(data-in-use)、数据存储(data-at-rest)、数据传输(data-in-transit)的安全。 28 | 使用TrustFlow,你可以获得丰富的可信应用。 29 | 30 | - **可信传统机器学习**:基于TrustFlow的传统机器学习能力,用户可以以安全可信的方式运行诸如逻辑回归、树模型等机器学习。 31 | 32 | - **可信深度学习**:基于TrustFlow的深度学习能力,用户可以以安全可信的方式运行常用的深度学习框架(比如PyTorch、TensorFlow)。 33 | 34 | - **可信大模型**:基于TrustFlow的大模型能力,用户可以以安全可信的方式对大模型进行微调(fine-tune)以及部署大模型在线服务。 35 | 36 | - **可信分析**:基于TrustFlow的数据分析能力,用户可以以安全可信的方式对数据进行诸如求交、聚合、统计等分析。 37 | 38 | 入门 39 | ----- 40 | 从零开始,体验如何使用TrustFlow进行联合建模,欢迎阅读 `快速上手 `_ 。 41 | 42 | 架构和设计 43 | ----------- 44 | 了解TrustFlow架构、原理和更多功能,欢迎阅读 `架构设计 `_ 。 45 | 46 | 1. `TrustFlow核心原理 `_ 47 | 2. `授权策略 `_ 48 | 3. `可信应用 `_ 49 | 50 | 自定义可信组件 51 | --------------- 52 | 开发新的自定义可信组件,欢迎阅读 `新组件开发教程 `_ 。 53 | 54 | 高阶话题 55 | ----------- 56 | 关于TrustFlow的更多话题,欢迎阅读 `高阶话题 `_ 。 57 | 58 | 1. `基于TrustFlow的跨域管控 `_ 59 | 60 | 61 | 路线图 62 | ----------- 63 | TrustFlow功能列表和路线图,欢迎阅读 `路线图 <./advanced_topic/roadmap>`_。 64 | 65 | 获得帮助 66 | ------------ 67 | 使用 TrustFlow 时遇到问题?在这里找到获得帮助的方式。 68 | 69 | - TrustFlow 的 `Issues `_ 70 | 71 | .. toctree:: 72 | :maxdepth: 2 73 | :hidden: 74 | :titlesonly: 75 | 76 | quick_start/index 77 | architecture/index 78 | development/index 79 | advanced_topic/index 80 | -------------------------------------------------------------------------------- /docs/make.bat: -------------------------------------------------------------------------------- 1 | @ECHO OFF 2 | 3 | pushd %~dp0 4 | 5 | REM Command file for Sphinx documentation 6 | 7 | if "%SPHINXBUILD%" == "" ( 8 | set SPHINXBUILD=sphinx-build 9 | ) 10 | set SOURCEDIR=. 11 | set BUILDDIR=_build 12 | 13 | if "%1" == "" goto help 14 | 15 | %SPHINXBUILD% >NUL 2>NUL 16 | if errorlevel 9009 ( 17 | echo. 18 | echo.The 'sphinx-build' command was not found. Make sure you have Sphinx 19 | echo.installed, then set the SPHINXBUILD environment variable to point 20 | echo.to the full path of the 'sphinx-build' executable. Alternatively you 21 | echo.may add the Sphinx directory to PATH. 22 | echo. 23 | echo.If you don't have Sphinx installed, grab it from 24 | echo.http://sphinx-doc.org/ 25 | exit /b 1 26 | ) 27 | 28 | %SPHINXBUILD% -M %1 %SOURCEDIR% %BUILDDIR% %SPHINXOPTS% %O% 29 | goto end 30 | 31 | :help 32 | %SPHINXBUILD% -M help %SOURCEDIR% %BUILDDIR% %SPHINXOPTS% %O% 33 | 34 | :end 35 | popd 36 | -------------------------------------------------------------------------------- /docs/quick_start/index.rst: -------------------------------------------------------------------------------- 1 | .. _quick_start: 2 | 3 | 快速上手 4 | =============== 5 | 欢迎使用TrustFlow! 6 | 7 | 整体流程和详细步骤 8 | -------------------- 9 | 10 | .. toctree:: 11 | :maxdepth: 2 12 | 13 | step0 14 | step1 15 | step2 16 | step3 17 | step4 18 | step5 19 | 20 | -------------------------------------------------------------------------------- /docs/quick_start/step0.ipynb: -------------------------------------------------------------------------------- 1 | { 2 | "cells": [ 3 | { 4 | "cell_type": "markdown", 5 | "metadata": {}, 6 | "source": [ 7 | "# 整体流程\n", 8 | "\n", 9 | "整个快速上手的使用流程如下图所示。\n", 10 | "\n", 11 | "![quick_start](../images/quick_start.png)\n", 12 | "\n", 13 | "## 仿真模式与真实TEE模式\n", 14 | "\n", 15 | "为了方便用户上手体验,TrustFlow提供仿真模式,用户可以在没有TEE硬件的情况下体验TrustFlow的基本功能。\n", 16 | "需要注意的是,仿真模式没有TEE安全特性,因此仅限于体验使用,请勿在生产中使用仿真模式。\n", 17 | "\n", 18 | "如果用户有真实的TEE机器,则可以尝试SGX/TDX/CSV模式执行(未来会支持更多TEE硬件)。\n", 19 | "\n", 20 | "## 参与机构\n", 21 | "\n", 22 | "为了方便后续演示,我们假设有三个机构分别为alice、bob和carol,其中alice和bob提供数据,carol提供TEE机器。\n", 23 | "每个机构的职责不同,后续会有相应说明。\n", 24 | "\n", 25 | "注意,我们并不限定TEE机器必须是第三方(carol)提供,亦可以是alice或者bob自身,这里以carol提供TEE机器为例是为了方便进行说明。\n", 26 | "\n", 27 | "## 机构证书\n", 28 | "\n", 29 | "后续的演示依赖每个机构提供证书和私钥。为了方便测试,可以用以下命令为每个机构生成一个自签的证书。\n", 30 | "**请使用openssl 3.0以上版本执行下列命令,以免产生证书格式不匹配的问题**\n", 31 | "**注意,自签证书仅适用于测试,请勿直接用于生产**\n", 32 | "\n", 33 | "1. alice生成私钥,私钥文件名为alice.key\n", 34 | "```bash\n", 35 | " openssl genrsa -out alice.key 3072\n", 36 | "```\n", 37 | "\n", 38 | "2. alice自签发证书,证书文件名为alice.crt。\n", 39 | "```bash\n", 40 | " openssl req -x509 -new -nodes -key alice.key -sha256 -days 3650 -out alice.crt\n", 41 | "``` \n", 42 | "\n", 43 | "3. bob、carol用相同方式生成自签证书,记得修改产出文件的名称。" 44 | ] 45 | } 46 | ], 47 | "metadata": { 48 | "language_info": { 49 | "name": "python" 50 | } 51 | }, 52 | "nbformat": 4, 53 | "nbformat_minor": 2 54 | } 55 | -------------------------------------------------------------------------------- /docs/requirements.txt: -------------------------------------------------------------------------------- 1 | # minimum Python version is now 3.9 2 | myst-nb==1.0.0 3 | myst-parser==2.0.0 4 | sphinx==7.1.2 5 | pydata-sphinx-theme 6 | linkify-it-py 7 | sphinx-intl -------------------------------------------------------------------------------- /env.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | # 3 | # Copyright 2023 Ant Group Co., Ltd. 4 | # 5 | # Licensed under the Apache License, Version 2.0 (the "License"); 6 | # you may not use this file except in compliance with the License. 7 | # You may obtain a copy of the License at 8 | # 9 | # http://www.apache.org/licenses/LICENSE-2.0 10 | # 11 | # Unless required by applicable law or agreed to in writing, software 12 | # distributed under the License is distributed on an "AS IS" BASIS, 13 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 14 | # See the License for the specific language governing permissions and 15 | # limitations under the License. 16 | # 17 | 18 | DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" >/dev/null 2>&1 && pwd )" 19 | image=secretflow/trustflow-dev-ubuntu22.04:latest 20 | DOCKER=docker 21 | project=trustflow 22 | if [[ $1 == 'enter' ]]; then 23 | $DOCKER exec -it ${project}-build-ubuntu-$(whoami) bash 24 | else 25 | $DOCKER run --name ${project}-build-ubuntu-$(whoami) -td \ 26 | --network=host \ 27 | -v /dev/sgx_enclave:/dev/sgx/enclave -v /dev/sgx_provision:/dev/sgx/provision \ 28 | -v $DIR:$DIR \ 29 | -v ${HOME}/${USER}-${project}-bazel-cache-test:/root/.cache/bazel \ 30 | -w $DIR \ 31 | --cap-add=SYS_PTRACE --security-opt seccomp=unconfined \ 32 | --cap-add=NET_ADMIN \ 33 | --privileged=true \ 34 | ${image} 35 | fi 36 | -------------------------------------------------------------------------------- /pylib/trustflow/attestation/generation/BUILD.bazel: -------------------------------------------------------------------------------- 1 | # Copyright 2024 Ant Group Co., Ltd. 2 | # 3 | # Licensed under the Apache License, Version 2.0 (the "License"); 4 | # you may not use this file except in compliance with the License. 5 | # You may obtain a copy of the License at 6 | # 7 | # http://www.apache.org/licenses/LICENSE-2.0 8 | # 9 | # Unless required by applicable law or agreed to in writing, software 10 | # distributed under the License is distributed on an "AS IS" BASIS, 11 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | # See the License for the specific language governing permissions and 13 | # limitations under the License. 14 | 15 | load("@pybind11_bazel//:build_defs.bzl", "pybind_extension") 16 | 17 | package(default_visibility = ["//visibility:public"]) 18 | 19 | pybind_extension( 20 | name = "generator", 21 | srcs = ["generator_modules.cc"], 22 | deps = [ 23 | "@trustflow//trustflow/attestation/generation/wrapper:generator_wrapper", 24 | ], 25 | ) 26 | 27 | py_library( 28 | name = "generator_module", 29 | data = [":generator.so"], 30 | ) 31 | -------------------------------------------------------------------------------- /pylib/trustflow/attestation/generation/__init__.py: -------------------------------------------------------------------------------- 1 | # Copyright 2024 Ant Group Co., Ltd. 2 | # 3 | # Licensed under the Apache License, Version 2.0 (the "License"); 4 | # you may not use this file except in compliance with the License. 5 | # You may obtain a copy of the License at 6 | # 7 | # http://www.apache.org/licenses/LICENSE-2.0 8 | # 9 | # Unless required by applicable law or agreed to in writing, software 10 | # distributed under the License is distributed on an "AS IS" BASIS, 11 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | # See the License for the specific language governing permissions and 13 | # limitations under the License. 14 | -------------------------------------------------------------------------------- /pylib/trustflow/attestation/generation/generator_modules.cc: -------------------------------------------------------------------------------- 1 | // Copyright 2024 Ant Group Co., Ltd. 2 | // 3 | // Licensed under the Apache License, Version 2.0 (the "License"); 4 | // you may not use this file except in compliance with the License. 5 | // You may obtain a copy of the License at 6 | // 7 | // http://www.apache.org/licenses/LICENSE-2.0 8 | // 9 | // Unless required by applicable law or agreed to in writing, software 10 | // distributed under the License is distributed on an "AS IS" BASIS, 11 | // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | // See the License for the specific language governing permissions and 13 | // limitations under the License. 14 | 15 | #include "pybind11/pybind11.h" 16 | 17 | #include "trustflow/attestation/generation/wrapper/generator_wrapper.h" 18 | 19 | namespace trustflow { 20 | namespace attestation { 21 | namespace generation { 22 | namespace pylib { 23 | 24 | namespace py = ::pybind11; 25 | 26 | PYBIND11_MODULE(generator, m) { 27 | m.doc() = 28 | "TrustFlow Attestation Generator is a library for generating " 29 | "attestation report on different tee platforms"; 30 | 31 | // bind AttestationGenerator class 32 | py::class_( 33 | m, "AttestationGenerator") 34 | .def("generate_report_json", 35 | &trustflow::attestation::generation::AttestationGenerator:: 36 | GenerateReportJson); 37 | 38 | // bind CreateAttestationGenerator function 39 | m.def("create_attestation_generator", 40 | &trustflow::attestation::generation::CreateAttestationGenerator, 41 | py::return_value_policy::take_ownership); 42 | } 43 | } // namespace pylib 44 | } // namespace generation 45 | } // namespace attestation 46 | } // namespace trustflow 47 | -------------------------------------------------------------------------------- /pylib/trustflow/attestation/verification/BUILD.bazel: -------------------------------------------------------------------------------- 1 | # Copyright 2024 Ant Group Co., Ltd. 2 | # 3 | # Licensed under the Apache License, Version 2.0 (the "License"); 4 | # you may not use this file except in compliance with the License. 5 | # You may obtain a copy of the License at 6 | # 7 | # http://www.apache.org/licenses/LICENSE-2.0 8 | # 9 | # Unless required by applicable law or agreed to in writing, software 10 | # distributed under the License is distributed on an "AS IS" BASIS, 11 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | # See the License for the specific language governing permissions and 13 | # limitations under the License. 14 | 15 | load("@pybind11_bazel//:build_defs.bzl", "pybind_extension") 16 | 17 | package(default_visibility = ["//visibility:public"]) 18 | 19 | pybind_extension( 20 | name = "verifier", 21 | srcs = ["verifier_modules.cc"], 22 | deps = [ 23 | "@trustflow//trustflow/attestation/verification/wrapper:verifier_wrapper", 24 | ], 25 | ) 26 | 27 | py_library( 28 | name = "verifier_module", 29 | data = [":verifier.so"], 30 | ) 31 | -------------------------------------------------------------------------------- /pylib/trustflow/attestation/verification/CMakeLists.txt: -------------------------------------------------------------------------------- 1 | 2 | find_package(pybind11 REQUIRED) 3 | 4 | pybind11_add_module(verifier verifier_modules.cc) 5 | target_link_libraries(verifier PUBLIC verifier_wrapper) 6 | target_link_libraries(verifier PUBLIC OpenSSL::Crypto absl::type_traits 7 | absl::symbolize spdlog::spdlog) -------------------------------------------------------------------------------- /pylib/trustflow/attestation/verification/__init__.py: -------------------------------------------------------------------------------- 1 | # Copyright 2024 Ant Group Co., Ltd. 2 | # 3 | # Licensed under the Apache License, Version 2.0 (the "License"); 4 | # you may not use this file except in compliance with the License. 5 | # You may obtain a copy of the License at 6 | # 7 | # http://www.apache.org/licenses/LICENSE-2.0 8 | # 9 | # Unless required by applicable law or agreed to in writing, software 10 | # distributed under the License is distributed on an "AS IS" BASIS, 11 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | # See the License for the specific language governing permissions and 13 | # limitations under the License. 14 | -------------------------------------------------------------------------------- /pylib/trustflow/attestation/verification/verifier_modules.cc: -------------------------------------------------------------------------------- 1 | // Copyright 2024 Ant Group Co., Ltd. 2 | // 3 | // Licensed under the Apache License, Version 2.0 (the "License"); 4 | // you may not use this file except in compliance with the License. 5 | // You may obtain a copy of the License at 6 | // 7 | // http://www.apache.org/licenses/LICENSE-2.0 8 | // 9 | // Unless required by applicable law or agreed to in writing, software 10 | // distributed under the License is distributed on an "AS IS" BASIS, 11 | // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | // See the License for the specific language governing permissions and 13 | // limitations under the License. 14 | 15 | #include "pybind11/pybind11.h" 16 | 17 | #include "trustflow/attestation/verification/wrapper/verifier_wrapper.h" 18 | 19 | namespace trustflow { 20 | namespace attestation { 21 | namespace verification { 22 | namespace pylib { 23 | 24 | namespace py = ::pybind11; 25 | 26 | PYBIND11_MODULE(verifier, m) { 27 | m.doc() = 28 | "TrustFlow Attestation Verifier is a library for verifying attestation " 29 | "reports from different tee platforms."; 30 | 31 | // bind trustflow::attestation::Status 32 | py::class_(m, "Status") 33 | .def(py::init<>()) 34 | .def_readwrite("code", &trustflow::attestation::Status::code) 35 | .def_readwrite("message", &trustflow::attestation::Status::message) 36 | .def_readwrite("details", &trustflow::attestation::Status::details); 37 | 38 | m.def("attestation_report_verify", 39 | &trustflow::attestation::verification::AttestationReportVerify, 40 | py::arg("report_json_str"), py::arg("policy_json_str")); 41 | } 42 | 43 | } // namespace pylib 44 | } // namespace verification 45 | } // namespace attestation 46 | } // namespace trustflow -------------------------------------------------------------------------------- /requirements.txt: -------------------------------------------------------------------------------- 1 | protobuf>=4.21.3,<5.0dev 2 | sdc-apis==0.2.1.dev20240320 3 | -------------------------------------------------------------------------------- /trustflow/attestation/README.md: -------------------------------------------------------------------------------- 1 | # TrustFlow Attestation Library 2 | 3 | TrustFlow Attestation Library provides the ability to generate and verify remote attestation reports for different TEE hardware devices. Currently, it supports Intel SGX2, Intel TDX and Hygon CSV. 4 | 5 | ## Build 6 | 7 | ### Bazel 8 | Bazel supports building the generation and verification modules for the Linux platform. 9 | 10 | **Compiling the verification module** 11 | ``` 12 | bazel build //trustflow/attestation/verification/wrapper:libverification.so -c opt 13 | ``` 14 | The generated path for libverification.so is `bazel-bin/trustflow/attestation/verification/wrapper/libverification.so` 15 | 16 | **Compiling the generation module** 17 | 18 | Because the generation needs to be bound to a specific TEE platform, you need to specify the platform type when compiling: 19 | 20 | Intel SGX2 and running with Occlum: `--define tee_type=sgx2` 21 | 22 | Intel TDX: `--define tee_type=tdx` 23 | 24 | Hygon CSV: `--define tee_type=csv` 25 | 26 | For example, Intel TDX: 27 | ``` 28 | bazel build --define tee_type=tdx //trustflow/attestation/generation/wrapper:libgeneration.so -c opt 29 | ``` 30 | The generated path for libgeneration.so is `bazel-bin/trustflow/attestation/generation/wrapper/libgeneration.so` 31 | 32 | ### CMake 33 | CMake currently only supports compiling the verification module using WebAssembly to enable remote attestation execution on the Web. 34 | ``` 35 | cmake -H. -Bbuild 36 | cd build && make 37 | ``` 38 | The generated JS file path is `trustflow/attestation/verification/trustflow_verifier.js` 39 | For sample code using this JS file, refer to [here](sample/verification/wasm/sample_react_app/README.md) 40 | 41 | ## Multi-Language Support 42 | 43 | Currently supports C/C++, Python, Rust -------------------------------------------------------------------------------- /trustflow/attestation/README.zh-CN.md: -------------------------------------------------------------------------------- 1 | # TrustFlow Attestation Library 2 | 3 | TrustFlow Attestation Library 为不同类型的可信硬件设备提供生成和验证远程认证报告的功能。目前,支持 Intel SGX2、Intel TDX 以及 Hygon CSV。 4 | 5 | ## Build 6 | 7 | ### Bazel 8 | Bazel 支持构建 Linux 平台的 generation 和 verification 模块。 9 | 10 | **verification 模块编译** 11 | ``` 12 | bazel build //trustflow/attestation/verification/wrapper:libverification.so -c opt 13 | ``` 14 | libverification.so 生成路径为:`bazel-bin/trustflow/attestation/verification/wrapper/libverification.so` 15 | 16 | **generation 模块编译** 17 | 18 | 因为generation 需要与特定 TEE 平台绑定,所以在编译时需要制定平台类型: 19 | 20 | Intel SGX2 并使用 occlum 运行: `--define tee_type=sgx2` 21 | 22 | Intel TDX: `--define tee_type=tdx` 23 | 24 | Hygon CSV: `--define tee_type=csv` 25 | 26 | 例如 Intel TDX: 27 | ``` 28 | bazel build --define tee_type=tdx //trustflow/attestation/generation/wrapper:libgeneration.so -c opt 29 | ``` 30 | libgeneration.so 生成路径为:`bazel-bin/trustflow/attestation/generation/wrapper/libgeneration.so` 31 | 32 | ### CMake 33 | CMake 目前仅支持使用 WebAssembly 编译 verification 模块的能力,用于支持在 Web 上执行远程认证。 34 | ``` 35 | cmake -H. -Bbuild 36 | cd build && make 37 | ``` 38 | 生成的 JS 文件路径为:`trustflow/attestation/verification/trustflow_verifier.js` 39 | 使用该 JS 的sample code 参考[这里](sample/verification/wasm/sample_react_app/README.md) 40 | 41 | ## 多语言支持 42 | 43 | 目前支持 C/C++、Python、Rust -------------------------------------------------------------------------------- /trustflow/attestation/collateral/BUILD.bazel: -------------------------------------------------------------------------------- 1 | # Copyright 2024 Ant Group Co., Ltd. 2 | # 3 | # Licensed under the Apache License, Version 2.0 (the "License"); 4 | # you may not use this file except in compliance with the License. 5 | # You may obtain a copy of the License at 6 | # 7 | # http://www.apache.org/licenses/LICENSE-2.0 8 | # 9 | # Unless required by applicable law or agreed to in writing, software 10 | # distributed under the License is distributed on an "AS IS" BASIS, 11 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | # See the License for the specific language governing permissions and 13 | # limitations under the License. 14 | 15 | load("@trustflow//bazel:trustflow.bzl", "trustflow_cc_library", "trustflow_cc_test") 16 | 17 | package(default_visibility = ["//visibility:public"]) 18 | 19 | trustflow_cc_library( 20 | name = "intel_collateral", 21 | srcs = ["intel_collateral.cc"], 22 | hdrs = ["intel_collateral.h"], 23 | deps = [ 24 | "//trustflow/attestation/utils:json2pb", 25 | "@dcap//:sgx_dcap_quoteverify", 26 | "@sf_apis//:cc_sf_apis_proto", 27 | "@yacl//yacl/base:exception", 28 | ], 29 | ) 30 | 31 | trustflow_cc_library( 32 | name = "hygon_collateral", 33 | srcs = ["hygon_collateral.cc"], 34 | hdrs = ["hygon_collateral.h"], 35 | deps = [ 36 | "//trustflow/attestation/utils:json2pb", 37 | "@com_github_httplib//:httplib", 38 | "@cppcodec", 39 | "@sf_apis//:cc_sf_apis_proto", 40 | "@trustflow//:hygon_csv_header", 41 | "@yacl//yacl/base:exception", 42 | ], 43 | ) 44 | 45 | trustflow_cc_test( 46 | name = "hygon_collateral_test", 47 | srcs = ["hygon_collateral_test.cc"], 48 | deps = [":hygon_collateral"], 49 | ) 50 | -------------------------------------------------------------------------------- /trustflow/attestation/collateral/hygon_collateral.cc: -------------------------------------------------------------------------------- 1 | // Copyright 2024 Ant Group Co., Ltd. 2 | // 3 | // Licensed under the Apache License, Version 2.0 (the "License"); 4 | // you may not use this file except in compliance with the License. 5 | // You may obtain a copy of the License at 6 | // 7 | // http://www.apache.org/licenses/LICENSE-2.0 8 | // 9 | // Unless required by applicable law or agreed to in writing, software 10 | // distributed under the License is distributed on an "AS IS" BASIS, 11 | // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | // See the License for the specific language governing permissions and 13 | // limitations under the License. 14 | 15 | #include "trustflow/attestation/collateral/hygon_collateral.h" 16 | 17 | #include "cppcodec/base64_rfc4648.hpp" 18 | #include "csv/attestation/attestation.h" 19 | #include "spdlog/spdlog.h" 20 | #include "yacl/base/exception.h" 21 | 22 | #include "trustflow/attestation/utils/json2pb.h" 23 | 24 | #define CPPHTTPLIB_OPENSSL_SUPPORT 25 | #include "httplib.h" 26 | 27 | namespace trustflow { 28 | namespace attestation { 29 | namespace collateral { 30 | 31 | namespace { 32 | 33 | constexpr int kHttpRetryTimes = 3; 34 | 35 | constexpr int kHttpResponseOk = 200; 36 | 37 | constexpr char kHygonCertUrl[] = "https://cert.hygon.cn"; 38 | 39 | constexpr char kHygonHskCekSubUrl[] = "/hsk_cek?snumber="; 40 | 41 | } // namespace 42 | 43 | // Get Hygon Hsk Cek 44 | void GetHygonCsvCollateral( 45 | const std::string &chip_id, 46 | secretflowapis::v2::sdc::HygonCsvCertChain &hygon_csv_cert_chain) { 47 | httplib::Client client(kHygonCertUrl); 48 | // TODO support server certificate verification 49 | client.enable_server_certificate_verification(false); 50 | 51 | std::string hsk_cek_url = std::string(kHygonHskCekSubUrl) + chip_id; 52 | 53 | httplib::Result ret{nullptr, httplib::Error::Unknown}; 54 | for (int i = 0; i < kHttpRetryTimes; i++) { 55 | ret = client.Get(hsk_cek_url); 56 | if (ret && ret->status == kHttpResponseOk) { 57 | break; 58 | } 59 | } 60 | YACL_ENFORCE(ret, "Failed to connect hygon cert server, http ret is null"); 61 | YACL_ENFORCE(ret->status == kHttpResponseOk, 62 | "Get hygon csv hsk and cek failed, http status: {}, reason: {}", 63 | ret->status, ret->reason); 64 | 65 | // ret->body is a binary string 66 | YACL_ENFORCE_EQ( 67 | ret->body.length(), sizeof(CHIP_ROOT_CERT_t) + sizeof(CSV_CERT_t), 68 | "hsk and cek length should be {}, but got {}", 69 | sizeof(CHIP_ROOT_CERT_t) + sizeof(CSV_CERT_t), ret->body.length()); 70 | hygon_csv_cert_chain.set_b64_hsk_cert(cppcodec::base64_rfc4648::encode( 71 | ret->body.data(), sizeof(CHIP_ROOT_CERT_t))); 72 | hygon_csv_cert_chain.set_b64_cek_cert(cppcodec::base64_rfc4648::encode( 73 | ret->body.data() + sizeof(CHIP_ROOT_CERT_t), sizeof(CSV_CERT_t))); 74 | 75 | SPDLOG_INFO("Get hygon csv hsk and cek from hygon website succeed"); 76 | } 77 | 78 | } // namespace collateral 79 | } // namespace attestation 80 | } // namespace trustflow -------------------------------------------------------------------------------- /trustflow/attestation/collateral/hygon_collateral.h: -------------------------------------------------------------------------------- 1 | // Copyright 2024 Ant Group Co., Ltd. 2 | // 3 | // Licensed under the Apache License, Version 2.0 (the "License"); 4 | // you may not use this file except in compliance with the License. 5 | // You may obtain a copy of the License at 6 | // 7 | // http://www.apache.org/licenses/LICENSE-2.0 8 | // 9 | // Unless required by applicable law or agreed to in writing, software 10 | // distributed under the License is distributed on an "AS IS" BASIS, 11 | // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | // See the License for the specific language governing permissions and 13 | // limitations under the License. 14 | 15 | #pragma once 16 | 17 | #include "secretflowapis/v2/sdc/ual.pb.h" 18 | 19 | namespace trustflow { 20 | namespace attestation { 21 | namespace collateral { 22 | 23 | void GetHygonCsvCollateral( 24 | const std::string& chip_id, 25 | secretflowapis::v2::sdc::HygonCsvCertChain& hygon_csv_cert_chain); 26 | 27 | } // namespace collateral 28 | } // namespace attestation 29 | } // namespace trustflow -------------------------------------------------------------------------------- /trustflow/attestation/collateral/hygon_collateral_test.cc: -------------------------------------------------------------------------------- 1 | // Copyright 2024 Ant Group Co., Ltd. 2 | // 3 | // Licensed under the Apache License, Version 2.0 (the "License"); 4 | // you may not use this file except in compliance with the License. 5 | // You may obtain a copy of the License at 6 | // 7 | // http://www.apache.org/licenses/LICENSE-2.0 8 | // 9 | // Unless required by applicable law or agreed to in writing, software 10 | // distributed under the License is distributed on an "AS IS" BASIS, 11 | // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | // See the License for the specific language governing permissions and 13 | // limitations under the License. 14 | 15 | #include "trustflow/attestation/collateral/hygon_collateral.h" 16 | 17 | #include "cppcodec/base64_rfc4648.hpp" 18 | #include "csv/attestation/attestation.h" 19 | #include "gtest/gtest.h" 20 | 21 | namespace trustflow { 22 | namespace attestation { 23 | namespace collateral { 24 | 25 | namespace { 26 | constexpr char kCorrectChipId[] = "NUX0419032405"; 27 | constexpr char kWrongChipId[] = "NUX041903"; 28 | } // namespace 29 | 30 | TEST(HygonCsvCollateralTest, 31 | GetHygonCsvCollateral_with_correct_chipid_should_OK) { 32 | secretflowapis::v2::sdc::HygonCsvCertChain hygon_cert_chain; 33 | 34 | EXPECT_NO_THROW({ 35 | trustflow::attestation::collateral::GetHygonCsvCollateral(kCorrectChipId, 36 | hygon_cert_chain); 37 | }); 38 | 39 | auto cek_cert = 40 | cppcodec::base64_rfc4648::decode(hygon_cert_chain.b64_cek_cert()); 41 | auto hsk_cert = 42 | cppcodec::base64_rfc4648::decode(hygon_cert_chain.b64_hsk_cert()); 43 | 44 | EXPECT_EQ(cek_cert.size(), sizeof(CSV_CERT_t)); 45 | EXPECT_EQ(hsk_cert.size(), sizeof(CHIP_ROOT_CERT_t)); 46 | } 47 | 48 | TEST(HygonCsvCollateralTest, 49 | GetHygonCsvCollateral_with_wrong_chipid_should_throw) { 50 | secretflowapis::v2::sdc::HygonCsvCertChain hygon_cert_chain; 51 | EXPECT_ANY_THROW({ 52 | trustflow::attestation::collateral::GetHygonCsvCollateral(kWrongChipId, 53 | hygon_cert_chain); 54 | }); 55 | } 56 | 57 | } // namespace collateral 58 | } // namespace attestation 59 | } // namespace trustflow -------------------------------------------------------------------------------- /trustflow/attestation/collateral/intel_collateral.h: -------------------------------------------------------------------------------- 1 | // Copyright 2024 Ant Group Co., Ltd. 2 | // 3 | // Licensed under the Apache License, Version 2.0 (the "License"); 4 | // you may not use this file except in compliance with the License. 5 | // You may obtain a copy of the License at 6 | // 7 | // http://www.apache.org/licenses/LICENSE-2.0 8 | // 9 | // Unless required by applicable law or agreed to in writing, software 10 | // distributed under the License is distributed on an "AS IS" BASIS, 11 | // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | // See the License for the specific language governing permissions and 13 | // limitations under the License. 14 | 15 | #pragma once 16 | 17 | #include "secretflowapis/v2/sdc/ual.pb.h" 18 | 19 | namespace trustflow { 20 | namespace attestation { 21 | namespace collateral { 22 | 23 | void GetIntelCollateral( 24 | const std::string& quote, const uint32_t quote_size, 25 | secretflowapis::v2::sdc::SgxQlQveCollateral& collateral); 26 | 27 | } // namespace collateral 28 | } // namespace attestation 29 | } // namespace trustflow -------------------------------------------------------------------------------- /trustflow/attestation/common/BUILD.bazel: -------------------------------------------------------------------------------- 1 | # Copyright 2024 Ant Group Co., Ltd. 2 | # 3 | # Licensed under the Apache License, Version 2.0 (the "License"); 4 | # you may not use this file except in compliance with the License. 5 | # You may obtain a copy of the License at 6 | # 7 | # http://www.apache.org/licenses/LICENSE-2.0 8 | # 9 | # Unless required by applicable law or agreed to in writing, software 10 | # distributed under the License is distributed on an "AS IS" BASIS, 11 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | # See the License for the specific language governing permissions and 13 | # limitations under the License. 14 | 15 | load("@trustflow//bazel:trustflow.bzl", "trustflow_cc_library") 16 | 17 | package(default_visibility = ["//visibility:public"]) 18 | 19 | trustflow_cc_library( 20 | name = "constants", 21 | hdrs = ["constants.h"], 22 | ) 23 | 24 | trustflow_cc_library( 25 | name = "status", 26 | hdrs = ["status.h"], 27 | ) 28 | -------------------------------------------------------------------------------- /trustflow/attestation/common/constants.h: -------------------------------------------------------------------------------- 1 | // Copyright 2024 Ant Group Co., Ltd. 2 | // 3 | // Licensed under the Apache License, Version 2.0 (the "License"); 4 | // you may not use this file except in compliance with the License. 5 | // You may obtain a copy of the License at 6 | // 7 | // http://www.apache.org/licenses/LICENSE-2.0 8 | // 9 | // Unless required by applicable law or agreed to in writing, software 10 | // distributed under the License is distributed on an "AS IS" BASIS, 11 | // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | // See the License for the specific language governing permissions and 13 | // limitations under the License. 14 | 15 | #pragma once 16 | 17 | namespace trustflow { 18 | namespace attestation { 19 | 20 | constexpr char kReportVersion[] = "1.0"; 21 | 22 | constexpr int kReportMaxSize = 40960; 23 | 24 | constexpr unsigned int kAttributeMaxSize = 40960; 25 | 26 | struct ReportType { 27 | static constexpr char kReportTypeBgcheck[] = "BackgroundCheck"; 28 | static constexpr char kReportTypePassport[] = "Passport"; 29 | }; 30 | 31 | struct Platform { 32 | static constexpr char kPlatformSgxDcap[] = "SGX_DCAP"; 33 | static constexpr char kPlatformTdx[] = "TDX"; 34 | static constexpr char kPlatformCsv[] = "CSV"; 35 | }; 36 | 37 | } // namespace attestation 38 | } // namespace trustflow -------------------------------------------------------------------------------- /trustflow/attestation/common/status.h: -------------------------------------------------------------------------------- 1 | // Copyright 2024 Ant Group Co., Ltd. 2 | // 3 | // Licensed under the Apache License, Version 2.0 (the "License"); 4 | // you may not use this file except in compliance with the License. 5 | // You may obtain a copy of the License at 6 | // 7 | // http://www.apache.org/licenses/LICENSE-2.0 8 | // 9 | // Unless required by applicable law or agreed to in writing, software 10 | // distributed under the License is distributed on an "AS IS" BASIS, 11 | // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | // See the License for the specific language governing permissions and 13 | // limitations under the License. 14 | 15 | #pragma once 16 | 17 | #include 18 | 19 | namespace trustflow { 20 | namespace attestation { 21 | 22 | enum class ErrorCode : int { 23 | kOk = 0, 24 | kArgumentError = 1, 25 | kIndexOverflow, 26 | kNotFound, 27 | kLogicError, 28 | kPermissionError = 5, 29 | kInvalidFormat, 30 | kAlreadyExist, 31 | kNotImplemented, 32 | kVersionMismatch, 33 | kNotReady, 34 | kNetworkError, 35 | kTimeout, 36 | kInternalError = 18, 37 | kUnknown = 23 38 | }; 39 | 40 | struct Status { 41 | int code; 42 | std::string message; 43 | std::string details; 44 | }; 45 | 46 | } // namespace attestation 47 | } // namespace trustflow -------------------------------------------------------------------------------- /trustflow/attestation/generation/csv/BUILD.bazel: -------------------------------------------------------------------------------- 1 | # Copyright 2024 Ant Group Co., Ltd. 2 | # 3 | # Licensed under the Apache License, Version 2.0 (the "License"); 4 | # you may not use this file except in compliance with the License. 5 | # You may obtain a copy of the License at 6 | # 7 | # http://www.apache.org/licenses/LICENSE-2.0 8 | # 9 | # Unless required by applicable law or agreed to in writing, software 10 | # distributed under the License is distributed on an "AS IS" BASIS, 11 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | # See the License for the specific language governing permissions and 13 | # limitations under the License. 14 | 15 | load("@trustflow//bazel:trustflow.bzl", "trustflow_cc_library") 16 | 17 | package(default_visibility = ["//visibility:public"]) 18 | 19 | trustflow_cc_library( 20 | name = "csv_generator", 21 | srcs = ["csv_generator.cc"], 22 | hdrs = ["csv_generator.h"], 23 | deps = [ 24 | "//trustflow/attestation/collateral:hygon_collateral", 25 | "//trustflow/attestation/common:constants", 26 | "//trustflow/attestation/generation/interface:generator", 27 | "//trustflow/attestation/utils:json2pb", 28 | "@com_google_absl//absl/strings", 29 | "@cppcodec", 30 | "@trustflow//:hygon_csv_header", 31 | "@yacl//yacl/base:exception", 32 | "@yacl//yacl/crypto/hash:hash_utils", 33 | "@yacl//yacl/crypto/hmac:hmac_sm3", 34 | "@yacl//yacl/crypto/rand", 35 | "@yacl//yacl/utils:scope_guard", 36 | ], 37 | ) 38 | -------------------------------------------------------------------------------- /trustflow/attestation/generation/csv/csv_generator.h: -------------------------------------------------------------------------------- 1 | // Copyright 2024 Ant Group Co., Ltd. 2 | // 3 | // Licensed under the Apache License, Version 2.0 (the "License"); 4 | // you may not use this file except in compliance with the License. 5 | // You may obtain a copy of the License at 6 | // 7 | // http://www.apache.org/licenses/LICENSE-2.0 8 | // 9 | // Unless required by applicable law or agreed to in writing, software 10 | // distributed under the License is distributed on an "AS IS" BASIS, 11 | // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | // See the License for the specific language governing permissions and 13 | // limitations under the License. 14 | 15 | #pragma once 16 | 17 | #include "trustflow/attestation/generation/interface/generator.h" 18 | 19 | namespace trustflow { 20 | namespace attestation { 21 | namespace generation { 22 | 23 | class CsvAttestationGenerator : public AttestationGenerator { 24 | public: 25 | secretflowapis::v2::sdc::UnifiedAttestationReport GenerateReport( 26 | const secretflowapis::v2::sdc::UnifiedAttestationGenerationParams& 27 | gen_params) override; 28 | }; 29 | 30 | } // namespace generation 31 | } // namespace attestation 32 | } // namespace trustflow -------------------------------------------------------------------------------- /trustflow/attestation/generation/interface/BUILD.bazel: -------------------------------------------------------------------------------- 1 | # Copyright 2024 Ant Group Co., Ltd. 2 | # 3 | # Licensed under the Apache License, Version 2.0 (the "License"); 4 | # you may not use this file except in compliance with the License. 5 | # You may obtain a copy of the License at 6 | # 7 | # http://www.apache.org/licenses/LICENSE-2.0 8 | # 9 | # Unless required by applicable law or agreed to in writing, software 10 | # distributed under the License is distributed on an "AS IS" BASIS, 11 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | # See the License for the specific language governing permissions and 13 | # limitations under the License. 14 | 15 | load("@trustflow//bazel:trustflow.bzl", "trustflow_cc_library") 16 | 17 | package(default_visibility = ["//visibility:public"]) 18 | 19 | trustflow_cc_library( 20 | name = "generator", 21 | srcs = ["generator.cc"], 22 | hdrs = ["generator.h"], 23 | deps = [ 24 | "//trustflow/attestation/utils:json2pb", 25 | "@sf_apis//:cc_sf_apis_proto", 26 | ], 27 | ) 28 | -------------------------------------------------------------------------------- /trustflow/attestation/generation/interface/generator.cc: -------------------------------------------------------------------------------- 1 | // Copyright 2024 Ant Group Co., Ltd. 2 | // 3 | // Licensed under the Apache License, Version 2.0 (the "License"); 4 | // you may not use this file except in compliance with the License. 5 | // You may obtain a copy of the License at 6 | // 7 | // http://www.apache.org/licenses/LICENSE-2.0 8 | // 9 | // Unless required by applicable law or agreed to in writing, software 10 | // distributed under the License is distributed on an "AS IS" BASIS, 11 | // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | // See the License for the specific language governing permissions and 13 | // limitations under the License. 14 | 15 | #include "trustflow/attestation/generation/interface/generator.h" 16 | 17 | #include "trustflow/attestation/utils/json2pb.h" 18 | 19 | namespace trustflow { 20 | namespace attestation { 21 | namespace generation { 22 | 23 | std::string AttestationGenerator::GenerateReportJson( 24 | const std::string& gen_params_json) { 25 | secretflowapis::v2::sdc::UnifiedAttestationGenerationParams gen_params; 26 | JSON2PB(gen_params_json, &gen_params); 27 | 28 | auto report = GenerateReport(gen_params); 29 | 30 | std::string report_json; 31 | PB2JSON(report, &report_json); 32 | return report_json; 33 | } 34 | } // namespace generation 35 | } // namespace attestation 36 | } // namespace trustflow -------------------------------------------------------------------------------- /trustflow/attestation/generation/interface/generator.h: -------------------------------------------------------------------------------- 1 | // Copyright 2024 Ant Group Co., Ltd. 2 | // 3 | // Licensed under the Apache License, Version 2.0 (the "License"); 4 | // you may not use this file except in compliance with the License. 5 | // You may obtain a copy of the License at 6 | // 7 | // http://www.apache.org/licenses/LICENSE-2.0 8 | // 9 | // Unless required by applicable law or agreed to in writing, software 10 | // distributed under the License is distributed on an "AS IS" BASIS, 11 | // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | // See the License for the specific language governing permissions and 13 | // limitations under the License. 14 | 15 | #pragma once 16 | 17 | #include "secretflowapis/v2/sdc/ual.pb.h" 18 | 19 | namespace trustflow { 20 | namespace attestation { 21 | namespace generation { 22 | 23 | class AttestationGenerator { 24 | public: 25 | virtual ~AttestationGenerator() = default; 26 | 27 | virtual secretflowapis::v2::sdc::UnifiedAttestationReport GenerateReport( 28 | const secretflowapis::v2::sdc::UnifiedAttestationGenerationParams& 29 | gen_params) = 0; 30 | 31 | std::string GenerateReportJson(const std::string& gen_params_json); 32 | }; 33 | 34 | } // namespace generation 35 | } // namespace attestation 36 | } // namespace trustflow 37 | -------------------------------------------------------------------------------- /trustflow/attestation/generation/sgx2/BUILD.bazel: -------------------------------------------------------------------------------- 1 | # Copyright 2024 Ant Group Co., Ltd. 2 | # 3 | # Licensed under the Apache License, Version 2.0 (the "License"); 4 | # you may not use this file except in compliance with the License. 5 | # You may obtain a copy of the License at 6 | # 7 | # http://www.apache.org/licenses/LICENSE-2.0 8 | # 9 | # Unless required by applicable law or agreed to in writing, software 10 | # distributed under the License is distributed on an "AS IS" BASIS, 11 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | # See the License for the specific language governing permissions and 13 | # limitations under the License. 14 | 15 | load("@trustflow//bazel:trustflow.bzl", "trustflow_cc_library") 16 | 17 | package(default_visibility = ["//visibility:public"]) 18 | 19 | trustflow_cc_library( 20 | name = "sgx2_generator", 21 | srcs = ["sgx2_generator.cc"], 22 | hdrs = ["sgx2_generator.h"], 23 | deps = [ 24 | "//trustflow/attestation/collateral:intel_collateral", 25 | "//trustflow/attestation/common:constants", 26 | "//trustflow/attestation/generation/interface:generator", 27 | "//trustflow/attestation/utils:json2pb", 28 | "@com_google_absl//absl/strings", 29 | "@cppcodec", 30 | "@dcap//:sgx_dcap_quoteverify", 31 | "@yacl//yacl/base:exception", 32 | "@yacl//yacl/crypto/hash:hash_utils", 33 | "@yacl//yacl/utils:scope_guard", 34 | ], 35 | ) 36 | -------------------------------------------------------------------------------- /trustflow/attestation/generation/sgx2/sgx2_generator.h: -------------------------------------------------------------------------------- 1 | // Copyright 2024 Ant Group Co., Ltd. 2 | // 3 | // Licensed under the Apache License, Version 2.0 (the "License"); 4 | // you may not use this file except in compliance with the License. 5 | // You may obtain a copy of the License at 6 | // 7 | // http://www.apache.org/licenses/LICENSE-2.0 8 | // 9 | // Unless required by applicable law or agreed to in writing, software 10 | // distributed under the License is distributed on an "AS IS" BASIS, 11 | // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | // See the License for the specific language governing permissions and 13 | // limitations under the License. 14 | 15 | #pragma once 16 | 17 | #include "trustflow/attestation/generation/interface/generator.h" 18 | 19 | namespace trustflow { 20 | namespace attestation { 21 | namespace generation { 22 | 23 | class Sgx2AttestationGenerator : public AttestationGenerator { 24 | public: 25 | secretflowapis::v2::sdc::UnifiedAttestationReport GenerateReport( 26 | const secretflowapis::v2::sdc::UnifiedAttestationGenerationParams& 27 | gen_params) override; 28 | }; 29 | 30 | } // namespace generation 31 | } // namespace attestation 32 | } // namespace trustflow -------------------------------------------------------------------------------- /trustflow/attestation/generation/tdx/BUILD.bazel: -------------------------------------------------------------------------------- 1 | # Copyright 2024 Ant Group Co., Ltd. 2 | # 3 | # Licensed under the Apache License, Version 2.0 (the "License"); 4 | # you may not use this file except in compliance with the License. 5 | # You may obtain a copy of the License at 6 | # 7 | # http://www.apache.org/licenses/LICENSE-2.0 8 | # 9 | # Unless required by applicable law or agreed to in writing, software 10 | # distributed under the License is distributed on an "AS IS" BASIS, 11 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | # See the License for the specific language governing permissions and 13 | # limitations under the License. 14 | 15 | load("@trustflow//bazel:trustflow.bzl", "trustflow_cc_library") 16 | 17 | package(default_visibility = ["//visibility:public"]) 18 | 19 | trustflow_cc_library( 20 | name = "tdx_generator", 21 | srcs = ["tdx_generator.cc"], 22 | hdrs = ["tdx_generator.h"], 23 | deps = [ 24 | "//trustflow/attestation/collateral:intel_collateral", 25 | "//trustflow/attestation/common:constants", 26 | "//trustflow/attestation/generation/interface:generator", 27 | "@com_google_absl//absl/strings", 28 | "@cppcodec", 29 | "@dcap//:sgx_dcap_quoteverify", 30 | "@dcap//:tdx_attest", 31 | "@yacl//yacl/base:exception", 32 | "@yacl//yacl/crypto/hash:hash_utils", 33 | ], 34 | ) 35 | -------------------------------------------------------------------------------- /trustflow/attestation/generation/tdx/tdx_generator.h: -------------------------------------------------------------------------------- 1 | // Copyright 2024 Ant Group Co., Ltd. 2 | // 3 | // Licensed under the Apache License, Version 2.0 (the "License"); 4 | // you may not use this file except in compliance with the License. 5 | // You may obtain a copy of the License at 6 | // 7 | // http://www.apache.org/licenses/LICENSE-2.0 8 | // 9 | // Unless required by applicable law or agreed to in writing, software 10 | // distributed under the License is distributed on an "AS IS" BASIS, 11 | // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | // See the License for the specific language governing permissions and 13 | // limitations under the License. 14 | 15 | #pragma once 16 | 17 | #include "trustflow/attestation/generation/interface/generator.h" 18 | 19 | namespace trustflow { 20 | namespace attestation { 21 | namespace generation { 22 | 23 | class TdxAttestationGenerator : public AttestationGenerator { 24 | public: 25 | secretflowapis::v2::sdc::UnifiedAttestationReport GenerateReport( 26 | const secretflowapis::v2::sdc::UnifiedAttestationGenerationParams& 27 | gen_params) override; 28 | }; 29 | 30 | } // namespace generation 31 | } // namespace attestation 32 | } // namespace trustflow -------------------------------------------------------------------------------- /trustflow/attestation/generation/wrapper/BUILD.bazel: -------------------------------------------------------------------------------- 1 | # Copyright 2024 Ant Group Co., Ltd. 2 | # 3 | # Licensed under the Apache License, Version 2.0 (the "License"); 4 | # you may not use this file except in compliance with the License. 5 | # You may obtain a copy of the License at 6 | # 7 | # http://www.apache.org/licenses/LICENSE-2.0 8 | # 9 | # Unless required by applicable law or agreed to in writing, software 10 | # distributed under the License is distributed on an "AS IS" BASIS, 11 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | # See the License for the specific language governing permissions and 13 | # limitations under the License. 14 | 15 | load("@trustflow//bazel:trustflow.bzl", "trustflow_cc_library") 16 | 17 | package(default_visibility = ["//visibility:public"]) 18 | 19 | config_setting( 20 | name = "sgx2", 21 | values = {"define": "tee_type=sgx2"}, 22 | ) 23 | 24 | config_setting( 25 | name = "csv", 26 | values = {"define": "tee_type=csv"}, 27 | ) 28 | 29 | config_setting( 30 | name = "tdx", 31 | values = {"define": "tee_type=tdx"}, 32 | ) 33 | 34 | trustflow_cc_library( 35 | name = "generator_wrapper", 36 | srcs = ["generator_wrapper.cc"], 37 | hdrs = ["generator_wrapper.h"], 38 | copts = select({ 39 | ":sgx2": ["-DTEE_TYPE_SGX2"], 40 | ":tdx": ["-DTEE_TYPE_TDX"], 41 | ":csv": ["-DTEE_TYPE_CSV"], 42 | "//conditions:default": [], 43 | }), 44 | deps = select({ 45 | ":sgx2": ["//trustflow/attestation/generation/sgx2:sgx2_generator"], 46 | ":tdx": ["//trustflow/attestation/generation/tdx:tdx_generator"], 47 | ":csv": ["//trustflow/attestation/generation/csv:csv_generator"], 48 | "//conditions:default": [], 49 | }) + [ 50 | "//trustflow/attestation/common:constants", 51 | "//trustflow/attestation/common:status", 52 | "//trustflow/attestation/generation/interface:generator", 53 | "//trustflow/attestation/utils:json2pb", 54 | "@yacl//yacl/base:exception", 55 | ], 56 | ) 57 | 58 | trustflow_cc_library( 59 | name = "generator_wrapper_c_api", 60 | srcs = ["generator_wrapper_c_api.cc"], 61 | hdrs = ["generator_wrapper_c_api.h"], 62 | deps = [ 63 | ":generator_wrapper", 64 | ], 65 | ) 66 | 67 | cc_binary( 68 | name = "libgeneration.so", 69 | srcs = [ 70 | "generator_wrapper_c_api.cc", 71 | ], 72 | linkshared = True, 73 | deps = [ 74 | ":generator_wrapper_c_api", 75 | ], 76 | ) 77 | -------------------------------------------------------------------------------- /trustflow/attestation/generation/wrapper/generator_wrapper.cc: -------------------------------------------------------------------------------- 1 | // Copyright 2024 Ant Group Co., Ltd. 2 | // 3 | // Licensed under the Apache License, Version 2.0 (the "License"); 4 | // you may not use this file except in compliance with the License. 5 | // You may obtain a copy of the License at 6 | // 7 | // http://www.apache.org/licenses/LICENSE-2.0 8 | // 9 | // Unless required by applicable law or agreed to in writing, software 10 | // distributed under the License is distributed on an "AS IS" BASIS, 11 | // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | // See the License for the specific language governing permissions and 13 | // limitations under the License. 14 | 15 | #include "trustflow/attestation/generation/wrapper/generator_wrapper.h" 16 | 17 | #include "yacl/base/exception.h" 18 | 19 | #ifdef TEE_TYPE_SGX2 20 | #include "trustflow/attestation/generation/sgx2/sgx2_generator.h" 21 | #endif 22 | 23 | #ifdef TEE_TYPE_TDX 24 | #include "trustflow/attestation/generation/tdx/tdx_generator.h" 25 | #endif 26 | 27 | #ifdef TEE_TYPE_CSV 28 | #include "trustflow/attestation/generation/csv/csv_generator.h" 29 | #endif 30 | 31 | namespace trustflow { 32 | namespace attestation { 33 | namespace generation { 34 | 35 | std::unique_ptr CreateAttestationGenerator() { 36 | #ifdef TEE_TYPE_SGX2 37 | return std::make_unique(); 38 | #endif 39 | 40 | #ifdef TEE_TYPE_TDX 41 | return std::make_unique(); 42 | #endif 43 | 44 | #ifdef TEE_TYPE_CSV 45 | return std::make_unique(); 46 | #endif 47 | 48 | YACL_THROW("Unsupported TEE type!"); 49 | } 50 | 51 | } // namespace generation 52 | } // namespace attestation 53 | } // namespace trustflow -------------------------------------------------------------------------------- /trustflow/attestation/generation/wrapper/generator_wrapper.h: -------------------------------------------------------------------------------- 1 | // Copyright 2024 Ant Group Co., Ltd. 2 | // 3 | // Licensed under the Apache License, Version 2.0 (the "License"); 4 | // you may not use this file except in compliance with the License. 5 | // You may obtain a copy of the License at 6 | // 7 | // http://www.apache.org/licenses/LICENSE-2.0 8 | // 9 | // Unless required by applicable law or agreed to in writing, software 10 | // distributed under the License is distributed on an "AS IS" BASIS, 11 | // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | // See the License for the specific language governing permissions and 13 | // limitations under the License. 14 | 15 | #pragma once 16 | 17 | #include "trustflow/attestation/generation/interface/generator.h" 18 | 19 | namespace trustflow { 20 | namespace attestation { 21 | namespace generation { 22 | 23 | std::unique_ptr CreateAttestationGenerator(); 24 | 25 | } // namespace generation 26 | } // namespace attestation 27 | } // namespace trustflow -------------------------------------------------------------------------------- /trustflow/attestation/generation/wrapper/generator_wrapper_c_api.h: -------------------------------------------------------------------------------- 1 | // Copyright 2024 Ant Group Co., Ltd. 2 | // 3 | // Licensed under the Apache License, Version 2.0 (the "License"); 4 | // you may not use this file except in compliance with the License. 5 | // You may obtain a copy of the License at 6 | // 7 | // http://www.apache.org/licenses/LICENSE-2.0 8 | // 9 | // Unless required by applicable law or agreed to in writing, software 10 | // distributed under the License is distributed on an "AS IS" BASIS, 11 | // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | // See the License for the specific language governing permissions and 13 | // limitations under the License. 14 | 15 | #pragma once 16 | 17 | #ifdef __cplusplus 18 | extern "C" { 19 | #endif 20 | 21 | /// @brief C API for getting the size of the generated report 22 | /// @param params_buf: [Input] The other report generation parameters buffer. 23 | /// @param params_len: [Input] The length of other report generation parameters. 24 | /// @param report_len: [Output] The max report size 25 | /// 26 | /// @return Error code. 27 | /// 28 | extern int GetAttestationReportSize(const char* params_buf, 29 | const unsigned int params_len, 30 | unsigned int* report_len); 31 | 32 | /// @brief C API for report generation 33 | /// @param params_buf: [Input] The other report generation parameters buffer. 34 | /// @param params_len: [Input] The length of other report generation parameters. 35 | /// @param report_buf: [Output] The output serialized JSON string of the report 36 | /// @param report_len: [Input and Output] The maximal JSON report buffer size as 37 | /// input, 38 | /// and the real JSON report string size as output. 39 | /// @param msg: [Output] The error message if any error occurs. 40 | /// @param msg_len: [Input and Output] The maximal error message buffer size as 41 | /// input. 42 | /// The real error message size as output. 43 | /// @param details: [Output] The detailed error message if any error occurs. 44 | /// @param details_len: [Input and Output] The maximal detailed error message 45 | /// buffer size as input. 46 | /// The real detailed error message size as output. 47 | /// 48 | /// 49 | /// @note All the lengths are memory sizes in bytes. For example, char array[] = 50 | /// "hello" has a length of 6, not 5. 51 | /// 52 | /// @return Error code. 53 | /// 54 | extern int GenerateAttestationReport(const char* params_buf, 55 | const unsigned int params_len, 56 | char* report_buf, unsigned int* report_len, 57 | char* msg, unsigned int* msg_len, 58 | char* details, unsigned int* details_len); 59 | 60 | #ifdef __cplusplus 61 | } 62 | #endif -------------------------------------------------------------------------------- /trustflow/attestation/sample/generation/BUILD.bazel: -------------------------------------------------------------------------------- 1 | # Copyright 2024 Ant Group Co., Ltd. 2 | # 3 | # Licensed under the Apache License, Version 2.0 (the "License"); 4 | # you may not use this file except in compliance with the License. 5 | # You may obtain a copy of the License at 6 | # 7 | # http://www.apache.org/licenses/LICENSE-2.0 8 | # 9 | # Unless required by applicable law or agreed to in writing, software 10 | # distributed under the License is distributed on an "AS IS" BASIS, 11 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | # See the License for the specific language governing permissions and 13 | # limitations under the License. 14 | 15 | load("@trustflow//bazel:trustflow.bzl", "trustflow_cc_binary") 16 | 17 | package(default_visibility = ["//visibility:public"]) 18 | 19 | trustflow_cc_binary( 20 | name = "main", 21 | srcs = ["main.cc"], 22 | deps = [ 23 | "//trustflow/attestation/generation/wrapper:generator_wrapper_c_api", 24 | "//trustflow/attestation/utils:json2pb", 25 | "@com_google_absl//absl/strings", 26 | "@sf_apis//:cc_sf_apis_proto", 27 | ], 28 | ) 29 | -------------------------------------------------------------------------------- /trustflow/attestation/sample/verification/wasm/.gitignore: -------------------------------------------------------------------------------- 1 | 2 | -------------------------------------------------------------------------------- /trustflow/attestation/sample/verification/wasm/sample_react_app/.gitignore: -------------------------------------------------------------------------------- 1 | /node_modules 2 | /.env.local 3 | /.umirc.local.ts 4 | /config/config.local.ts 5 | /src/.umi 6 | /src/.umi-production 7 | /src/.umi-test 8 | /dist 9 | .swc 10 | -------------------------------------------------------------------------------- /trustflow/attestation/sample/verification/wasm/sample_react_app/.npmrc: -------------------------------------------------------------------------------- 1 | registry=https://registry.npmmirror.com/ 2 | 3 | -------------------------------------------------------------------------------- /trustflow/attestation/sample/verification/wasm/sample_react_app/.umirc.ts: -------------------------------------------------------------------------------- 1 | import { defineConfig } from "umi"; 2 | 3 | export default defineConfig({ 4 | routes: [ 5 | { path: "/", component: "index" }, 6 | ], 7 | npmClient: 'pnpm', 8 | }); 9 | -------------------------------------------------------------------------------- /trustflow/attestation/sample/verification/wasm/sample_react_app/README.md: -------------------------------------------------------------------------------- 1 | # 项目初始化&启动 2 | 3 | ## 环境准备 4 | 5 | 确保正确安装 [Node.js](https://nodejs.org/en/) 且版本为 16+ 即可。 6 | 7 | ```bash 8 | $ node -v 9 | v16.14.2 10 | ``` 11 | 12 | 确保已安装[pnpm](https://pnpm.io/installation#using-npm) 13 | 14 | ```bash 15 | $ pnpm -v 16 | 8.8.0 17 | ``` 18 | 19 | ## trustflow_verifier.js 准备 20 | 参考 [TrustFlow Attestation Library CMake Build](../../../../REMADME.md#CMake) 构建 `trustflow_verifier.js` 21 | 22 | 将 `trustflow_verifier.js` 拷贝到 `src/pages/index` 目录下 23 | 24 | ## 初始化项目 25 | 26 | 在项目根目录运行 27 | 28 | ```bash 29 | $ pnpm i 30 | ``` 31 | 32 | ## 启动项目 33 | 34 | 在项目根目录运行 35 | 36 | ```bash 37 | $ pnpm dev 38 | ``` 39 | 40 | 此时访问(http://localhost:8000) 即可进入 41 | -------------------------------------------------------------------------------- /trustflow/attestation/sample/verification/wasm/sample_react_app/package.json: -------------------------------------------------------------------------------- 1 | { 2 | "private": true, 3 | "author": "霓君", 4 | "scripts": { 5 | "dev": "umi dev", 6 | "build": "umi build", 7 | "postinstall": "umi setup", 8 | "setup": "umi setup", 9 | "start": "npm run dev" 10 | }, 11 | "dependencies": { 12 | "antd": "^5.15.1", 13 | "umi": "^4.1.2" 14 | }, 15 | "devDependencies": { 16 | "@types/react": "^18.2.64", 17 | "@types/react-dom": "^18.2.21", 18 | "typescript": "^5.4.2" 19 | } 20 | } 21 | -------------------------------------------------------------------------------- /trustflow/attestation/sample/verification/wasm/sample_react_app/src/layouts/index.less: -------------------------------------------------------------------------------- 1 | .navs { 2 | ul { 3 | padding: 0; 4 | list-style: none; 5 | display: flex; 6 | } 7 | li { 8 | margin-right: 1em; 9 | } 10 | } 11 | -------------------------------------------------------------------------------- /trustflow/attestation/sample/verification/wasm/sample_react_app/src/layouts/index.tsx: -------------------------------------------------------------------------------- 1 | import { Link, Outlet } from 'umi'; 2 | import styles from './index.less'; 3 | 4 | export default function Layout() { 5 | return ( 6 |
7 | 8 |
9 | ); 10 | } 11 | -------------------------------------------------------------------------------- /trustflow/attestation/sample/verification/wasm/sample_react_app/src/pages/index/.gitignore: -------------------------------------------------------------------------------- 1 | trustflow_verifier.js -------------------------------------------------------------------------------- /trustflow/attestation/sample/verification/wasm/sample_react_app/src/pages/index/index.tsx: -------------------------------------------------------------------------------- 1 | import Verifier from './trustflow_verifier'; 2 | import { Input, Button, Form } from 'antd'; 3 | 4 | export default function HomePage() { 5 | 6 | const policy = ''; 7 | 8 | const [form] = Form.useForm(); 9 | 10 | const verify = async (report: string, policy: string) => { 11 | const wasmModule = await Verifier(); 12 | console.log(wasmModule); 13 | const res = await wasmModule.ready.then(() => { 14 | const status = wasmModule.evidenceVerify(report, policy); 15 | return status; 16 | }); 17 | 18 | return res; 19 | }; 20 | 21 | return ( 22 |
23 |

Yay! Welcome to WASM RA Test (react sample app)!

24 |
{ 25 | const {raReport, policy} = val 26 | const res = await verify(raReport, policy); 27 | alert(JSON.stringify(res)); 28 | }}> 29 | 30 | 31 | 32 | 33 | 34 | 35 | 36 | 37 | 44 | 45 |
46 |
47 | ); 48 | } 49 | -------------------------------------------------------------------------------- /trustflow/attestation/sample/verification/wasm/sample_react_app/tsconfig.json: -------------------------------------------------------------------------------- 1 | { 2 | "extends": "./src/.umi/tsconfig.json" 3 | } 4 | -------------------------------------------------------------------------------- /trustflow/attestation/sample/verification/wasm/sample_react_app/typings.d.ts: -------------------------------------------------------------------------------- 1 | import 'umi/typings'; 2 | -------------------------------------------------------------------------------- /trustflow/attestation/utils/BUILD.bazel: -------------------------------------------------------------------------------- 1 | # Copyright 2024 Ant Group Co., Ltd. 2 | # 3 | # Licensed under the Apache License, Version 2.0 (the "License"); 4 | # you may not use this file except in compliance with the License. 5 | # You may obtain a copy of the License at 6 | # 7 | # http://www.apache.org/licenses/LICENSE-2.0 8 | # 9 | # Unless required by applicable law or agreed to in writing, software 10 | # distributed under the License is distributed on an "AS IS" BASIS, 11 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | # See the License for the specific language governing permissions and 13 | # limitations under the License. 14 | 15 | load("@trustflow//bazel:trustflow.bzl", "trustflow_cc_library") 16 | 17 | package(default_visibility = ["//visibility:public"]) 18 | 19 | trustflow_cc_library( 20 | name = "json2pb", 21 | hdrs = ["json2pb.h"], 22 | deps = [ 23 | "@com_github_grpc_grpc//:grpc++", 24 | "@yacl//yacl/base:exception", 25 | ], 26 | ) 27 | -------------------------------------------------------------------------------- /trustflow/attestation/utils/json2pb.h: -------------------------------------------------------------------------------- 1 | // Copyright 2024 Ant Group Co., Ltd. 2 | // 3 | // Licensed under the Apache License, Version 2.0 (the "License"); 4 | // you may not use this file except in compliance with the License. 5 | // You may obtain a copy of the License at 6 | // 7 | // http://www.apache.org/licenses/LICENSE-2.0 8 | // 9 | // Unless required by applicable law or agreed to in writing, software 10 | // distributed under the License is distributed on an "AS IS" BASIS, 11 | // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | // See the License for the specific language governing permissions and 13 | // limitations under the License. 14 | 15 | #pragma once 16 | 17 | #include "google/protobuf/util/json_util.h" 18 | #include "yacl/base/exception.h" 19 | 20 | #define PB2JSON(pbmsg, p_jsonstr) \ 21 | do { \ 22 | ::google::protobuf::util::JsonPrintOptions options; \ 23 | options.preserve_proto_field_names = false; \ 24 | using google::protobuf::util::MessageToJsonString; \ 25 | (p_jsonstr)->clear(); \ 26 | auto status = MessageToJsonString((pbmsg), (p_jsonstr), options); \ 27 | YACL_ENFORCE(status.ok(), \ 28 | "Parsing pb message to json failed, " \ 29 | "error: {}", \ 30 | status.ToString()); \ 31 | } while (0) 32 | 33 | #define JSON2PB(jsonstr, p_pbmsg) \ 34 | do { \ 35 | using google::protobuf::util::JsonStringToMessage; \ 36 | auto status = JsonStringToMessage((jsonstr), (p_pbmsg)); \ 37 | YACL_ENFORCE(status.ok(), \ 38 | "Parsing json to pb message failed, json: {}, " \ 39 | "error: {}", \ 40 | jsonstr, status.ToString()); \ 41 | } while (0) 42 | -------------------------------------------------------------------------------- /trustflow/attestation/verification/BUILD.bazel: -------------------------------------------------------------------------------- 1 | # Copyright 2024 Ant Group Co., Ltd. 2 | # 3 | # Licensed under the Apache License, Version 2.0 (the "License"); 4 | # you may not use this file except in compliance with the License. 5 | # You may obtain a copy of the License at 6 | # 7 | # http://www.apache.org/licenses/LICENSE-2.0 8 | # 9 | # Unless required by applicable law or agreed to in writing, software 10 | # distributed under the License is distributed on an "AS IS" BASIS, 11 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | # See the License for the specific language governing permissions and 13 | # limitations under the License. 14 | 15 | package(default_visibility = ["//visibility:public"]) 16 | 17 | cc_library( 18 | name = "verifier_factory", 19 | hdrs = ["verifier_factory.h"], 20 | deps = [ 21 | "//trustflow/attestation/verification/csv:csv_verifier", 22 | "//trustflow/attestation/verification/sgx2:sgx2_verifier", 23 | "//trustflow/attestation/verification/tdx:tdx_verifier", 24 | ], 25 | ) 26 | 27 | -------------------------------------------------------------------------------- /trustflow/attestation/verification/CMakeLists.txt: -------------------------------------------------------------------------------- 1 | add_subdirectory(interface) 2 | add_subdirectory(sgx2) 3 | add_subdirectory(tdx) 4 | add_subdirectory(csv) 5 | add_subdirectory(wrapper) 6 | 7 | if(WASM) 8 | 9 | set(SOURCES wasm_binding.cc) 10 | 11 | add_executable(trustflow_verifier ${SOURCES}) 12 | target_link_libraries(trustflow_verifier PUBLIC verifier_wrapper) 13 | 14 | set(WASM_MAIN_BASE_FLAGS "-sMAIN_MODULE=2 -fPIC -fexceptions") 15 | set(WASM_COMMON_FLAGS 16 | "-sALLOW_MEMORY_GROWTH=1 -sSAFE_HEAP=1 -fexceptions -fPIC -Wno-limited-postlink-optimizations -Wno-linkflags -O3" 17 | ) 18 | set(WASM_MAIN_NORMAL_FLAGS 19 | "${WASM_COMMON_FLAGS} -sMAIN_MODULE=2 --use-preload-plugins -lembind -sDEFAULT_LIBRARY_FUNCS_TO_INCLUDE=$AsciiToString" 20 | ) 21 | set(WASM_MAIN_ASYNC_FLAGS 22 | "${WASM_MAIN_NORMAL_FLAGS} -gsource-map -sASYNCIFY -sASYNCIFY_IMPORTS=['dcap_fetch_proxy'] -sSINGLE_FILE -s EXPORT_ES6=1 -s MODULARIZE=1" 23 | ) 24 | 25 | target_link_libraries(trustflow_verifier PUBLIC OpenSSL::Crypto absl::type_traits 26 | absl::symbolize spdlog::spdlog) 27 | set_target_properties( 28 | trustflow_verifier 29 | PROPERTIES COMPILE_FLAGS ${WASM_MAIN_BASE_FLAGS} 30 | LINK_FLAGS "${WASM_MAIN_ASYNC_FLAGS}" 31 | SUFFIX ".js") 32 | 33 | endif() 34 | -------------------------------------------------------------------------------- /trustflow/attestation/verification/csv/BUILD.bazel: -------------------------------------------------------------------------------- 1 | # Copyright 2024 Ant Group Co., Ltd. 2 | # 3 | # Licensed under the Apache License, Version 2.0 (the "License"); 4 | # you may not use this file except in compliance with the License. 5 | # You may obtain a copy of the License at 6 | # 7 | # http://www.apache.org/licenses/LICENSE-2.0 8 | # 9 | # Unless required by applicable law or agreed to in writing, software 10 | # distributed under the License is distributed on an "AS IS" BASIS, 11 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | # See the License for the specific language governing permissions and 13 | # limitations under the License. 14 | 15 | load("@trustflow//bazel:trustflow.bzl", "trustflow_cc_library", "trustflow_cc_test") 16 | 17 | package(default_visibility = ["//visibility:public"]) 18 | 19 | trustflow_cc_library( 20 | name = "csv_verifier", 21 | srcs = ["csv_verifier.cc"], 22 | hdrs = ["csv_verifier.h"], 23 | deps = [ 24 | "//trustflow/attestation/common:constants", 25 | "//trustflow/attestation/utils:json2pb", 26 | "//trustflow/attestation/verification/interface:verifier", 27 | "@com_google_absl//absl/strings", 28 | "@cppcodec", 29 | "@sf_apis//:cc_sf_apis_proto", 30 | "@trustflow//:hygon_csv_header", 31 | "@yacl//yacl/base:exception", 32 | "@yacl//yacl/crypto:openssl_wrappers", 33 | "@yacl//yacl/crypto/sign:sm2_signing", 34 | ], 35 | ) 36 | 37 | -------------------------------------------------------------------------------- /trustflow/attestation/verification/csv/CMakeLists.txt: -------------------------------------------------------------------------------- 1 | set(SOURCES csv_verifier.cc) 2 | 3 | add_library(csv_verifier STATIC ${SOURCES}) 4 | target_link_libraries( 5 | csv_verifier 6 | ual_proto 7 | yacl_buffer 8 | cppcodec 9 | yacl_crypto spdlog::spdlog_header_only) 10 | 11 | target_include_directories(csv_verifier PUBLIC ${CSV_HEADER_INCLUDE}) 12 | -------------------------------------------------------------------------------- /trustflow/attestation/verification/csv/csv_verifier.h: -------------------------------------------------------------------------------- 1 | // Copyright 2024 Ant Group Co., Ltd. 2 | // 3 | // Licensed under the Apache License, Version 2.0 (the "License"); 4 | // you may not use this file except in compliance with the License. 5 | // You may obtain a copy of the License at 6 | // 7 | // http://www.apache.org/licenses/LICENSE-2.0 8 | // 9 | // Unless required by applicable law or agreed to in writing, software 10 | // distributed under the License is distributed on an "AS IS" BASIS, 11 | // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | // See the License for the specific language governing permissions and 13 | // limitations under the License. 14 | 15 | #include "csv/attestation/attestation.h" 16 | 17 | #include "trustflow/attestation/verification/interface/verifier.h" 18 | 19 | #include "secretflowapis/v2/sdc/ual.pb.h" 20 | 21 | namespace trustflow { 22 | namespace attestation { 23 | namespace verification { 24 | 25 | class CsvAttestationVerifier : public AttestationVerifier { 26 | public: 27 | explicit CsvAttestationVerifier(const std::string& report_json_str) 28 | : AttestationVerifier(report_json_str) { 29 | Init(); 30 | } 31 | explicit CsvAttestationVerifier( 32 | const secretflowapis::v2::sdc::UnifiedAttestationReport& report) 33 | : AttestationVerifier(report) { 34 | Init(); 35 | } 36 | 37 | void ParseUnifiedReport( 38 | secretflowapis::v2::sdc::UnifiedAttestationAttributes& attrs) override; 39 | 40 | void VerifyPlatform() override; 41 | 42 | static std::unique_ptr Create( 43 | const secretflowapis::v2::sdc::UnifiedAttestationReport& report) { 44 | return std::make_unique(report); 45 | } 46 | 47 | protected: 48 | void Init(); 49 | 50 | private: 51 | // HygonCsvReport contains the following 3 fields: 52 | csv_attestation_report quote_; 53 | CHIP_ROOT_CERT_t hsk_cert_; 54 | CSV_CERT_t cek_cert_; 55 | }; 56 | 57 | } // namespace verification 58 | } // namespace attestation 59 | } // namespace trustflow -------------------------------------------------------------------------------- /trustflow/attestation/verification/interface/BUILD.bazel: -------------------------------------------------------------------------------- 1 | # Copyright 2024 Ant Group Co., Ltd. 2 | # 3 | # Licensed under the Apache License, Version 2.0 (the "License"); 4 | # you may not use this file except in compliance with the License. 5 | # You may obtain a copy of the License at 6 | # 7 | # http://www.apache.org/licenses/LICENSE-2.0 8 | # 9 | # Unless required by applicable law or agreed to in writing, software 10 | # distributed under the License is distributed on an "AS IS" BASIS, 11 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | # See the License for the specific language governing permissions and 13 | # limitations under the License. 14 | 15 | package(default_visibility = ["//visibility:public"]) 16 | 17 | cc_library( 18 | name = "verifier", 19 | srcs = ["verifier.cc"], 20 | hdrs = ["verifier.h"], 21 | deps = [ 22 | "//trustflow/attestation/utils:json2pb", 23 | "@sf_apis//:cc_sf_apis_proto", 24 | "@yacl//yacl/crypto/hash:ssl_hash", 25 | ], 26 | ) 27 | 28 | -------------------------------------------------------------------------------- /trustflow/attestation/verification/interface/CMakeLists.txt: -------------------------------------------------------------------------------- 1 | set(SOURCES verifier.cc) 2 | 3 | add_library(verifier_interface STATIC ${SOURCES}) 4 | target_link_libraries( 5 | verifier_interface 6 | ual_proto 7 | yacl_crypto) 8 | -------------------------------------------------------------------------------- /trustflow/attestation/verification/interface/verifier.h: -------------------------------------------------------------------------------- 1 | // Copyright 2024 Ant Group Co., Ltd. 2 | // 3 | // Licensed under the Apache License, Version 2.0 (the "License"); 4 | // you may not use this file except in compliance with the License. 5 | // You may obtain a copy of the License at 6 | // 7 | // http://www.apache.org/licenses/LICENSE-2.0 8 | // 9 | // Unless required by applicable law or agreed to in writing, software 10 | // distributed under the License is distributed on an "AS IS" BASIS, 11 | // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | // See the License for the specific language governing permissions and 13 | // limitations under the License. 14 | 15 | #pragma once 16 | 17 | #include "trustflow/attestation/utils/json2pb.h" 18 | 19 | #include "secretflowapis/v2/sdc/ual.pb.h" 20 | 21 | namespace trustflow { 22 | namespace attestation { 23 | namespace verification { 24 | 25 | class AttestationVerifier { 26 | public: 27 | virtual ~AttestationVerifier() = default; 28 | 29 | AttestationVerifier(const std::string& report_json_str) { 30 | JSON2PB(report_json_str, &report_); 31 | } 32 | 33 | AttestationVerifier( 34 | const secretflowapis::v2::sdc::UnifiedAttestationReport& report) 35 | : report_(report) {} 36 | 37 | /** 38 | * @brief Parse report to UnifiedAttestationAttributes 39 | * 40 | * @param attrs 41 | */ 42 | virtual void ParseUnifiedReport( 43 | secretflowapis::v2::sdc::UnifiedAttestationAttributes& attrs) = 0; 44 | 45 | /** 46 | * @brief Verify platform information 47 | * 48 | */ 49 | virtual void VerifyPlatform() = 0; 50 | 51 | static void VerifyAttributes( 52 | const secretflowapis::v2::sdc::UnifiedAttestationAttributes& actual_attrs, 53 | const secretflowapis::v2::sdc::UnifiedAttestationPolicy& policy); 54 | 55 | virtual void VerifyReport( 56 | const secretflowapis::v2::sdc::UnifiedAttestationPolicy& policy); 57 | 58 | protected: 59 | secretflowapis::v2::sdc::UnifiedAttestationReport report_; 60 | }; 61 | 62 | } // namespace verification 63 | } // namespace attestation 64 | } // namespace trustflow 65 | -------------------------------------------------------------------------------- /trustflow/attestation/verification/sgx2/BUILD.bazel: -------------------------------------------------------------------------------- 1 | # Copyright 2024 Ant Group Co., Ltd. 2 | # 3 | # Licensed under the Apache License, Version 2.0 (the "License"); 4 | # you may not use this file except in compliance with the License. 5 | # You may obtain a copy of the License at 6 | # 7 | # http://www.apache.org/licenses/LICENSE-2.0 8 | # 9 | # Unless required by applicable law or agreed to in writing, software 10 | # distributed under the License is distributed on an "AS IS" BASIS, 11 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | # See the License for the specific language governing permissions and 13 | # limitations under the License. 14 | 15 | package(default_visibility = ["//visibility:public"]) 16 | 17 | cc_library( 18 | name = "sgx2_verifier", 19 | srcs = ["sgx2_verifier.cc"], 20 | hdrs = ["sgx2_verifier.h"], 21 | deps = [ 22 | "//trustflow/attestation/common:constants", 23 | "//trustflow/attestation/verification/interface:verifier", 24 | "@cppcodec", 25 | "@dcap//:sgx_dcap_quoteverify", 26 | "@yacl//yacl/crypto/hash:ssl_hash", 27 | ], 28 | ) 29 | 30 | -------------------------------------------------------------------------------- /trustflow/attestation/verification/sgx2/CMakeLists.txt: -------------------------------------------------------------------------------- 1 | set(SOURCES sgx2_verifier.cc) 2 | 3 | add_library(sgx2_verifier STATIC ${SOURCES}) 4 | target_link_libraries( 5 | sgx2_verifier 6 | ual_proto 7 | yacl_buffer 8 | cppcodec 9 | sgx_headers 10 | dcap::quoteverify 11 | yacl_crypto) 12 | add_dependencies(sgx2_verifier dcap) 13 | -------------------------------------------------------------------------------- /trustflow/attestation/verification/sgx2/sgx2_verifier.h: -------------------------------------------------------------------------------- 1 | // Copyright 2024 Ant Group Co., Ltd. 2 | // 3 | // Licensed under the Apache License, Version 2.0 (the "License"); 4 | // you may not use this file except in compliance with the License. 5 | // You may obtain a copy of the License at 6 | // 7 | // http://www.apache.org/licenses/LICENSE-2.0 8 | // 9 | // Unless required by applicable law or agreed to in writing, software 10 | // distributed under the License is distributed on an "AS IS" BASIS, 11 | // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | // See the License for the specific language governing permissions and 13 | // limitations under the License. 14 | 15 | #pragma once 16 | 17 | #include "yacl/base/buffer.h" 18 | 19 | #include "trustflow/attestation/verification/interface/verifier.h" 20 | 21 | namespace trustflow { 22 | namespace attestation { 23 | namespace verification { 24 | 25 | class Sgx2AttestationVerifier : public AttestationVerifier { 26 | public: 27 | explicit Sgx2AttestationVerifier(const std::string& report_json_str) 28 | : AttestationVerifier(report_json_str) { 29 | Init(); 30 | } 31 | 32 | explicit Sgx2AttestationVerifier( 33 | const secretflowapis::v2::sdc::UnifiedAttestationReport& report) 34 | : AttestationVerifier(report) { 35 | Init(); 36 | } 37 | 38 | void ParseUnifiedReport( 39 | secretflowapis::v2::sdc::UnifiedAttestationAttributes& attrs) override; 40 | 41 | void VerifyPlatform() override; 42 | 43 | static std::unique_ptr Create( 44 | const secretflowapis::v2::sdc::UnifiedAttestationReport& report) { 45 | return std::make_unique(report); 46 | } 47 | 48 | protected: 49 | void Init(); 50 | 51 | private: 52 | std::vector quote_; 53 | secretflowapis::v2::sdc::SgxQlQveCollateral collateral_; 54 | }; 55 | 56 | } // namespace verification 57 | } // namespace attestation 58 | } // namespace trustflow -------------------------------------------------------------------------------- /trustflow/attestation/verification/tdx/BUILD.bazel: -------------------------------------------------------------------------------- 1 | # Copyright 2024 Ant Group Co., Ltd. 2 | # 3 | # Licensed under the Apache License, Version 2.0 (the "License"); 4 | # you may not use this file except in compliance with the License. 5 | # You may obtain a copy of the License at 6 | # 7 | # http://www.apache.org/licenses/LICENSE-2.0 8 | # 9 | # Unless required by applicable law or agreed to in writing, software 10 | # distributed under the License is distributed on an "AS IS" BASIS, 11 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | # See the License for the specific language governing permissions and 13 | # limitations under the License. 14 | 15 | package(default_visibility = ["//visibility:public"]) 16 | 17 | cc_library( 18 | name = "tdx_verifier", 19 | srcs = ["tdx_verifier.cc"], 20 | hdrs = ["tdx_verifier.h"], 21 | deps = [ 22 | "//trustflow/attestation/common:constants", 23 | "//trustflow/attestation/verification/interface:verifier", 24 | "@cppcodec", 25 | "@dcap//:sgx_dcap_quoteverify", 26 | "@yacl//yacl/crypto/hash:ssl_hash", 27 | ], 28 | ) 29 | 30 | -------------------------------------------------------------------------------- /trustflow/attestation/verification/tdx/CMakeLists.txt: -------------------------------------------------------------------------------- 1 | set(SOURCES tdx_verifier.cc) 2 | 3 | add_library(tdx_verifier STATIC ${SOURCES}) 4 | target_link_libraries( 5 | tdx_verifier 6 | ual_proto 7 | yacl_buffer 8 | cppcodec 9 | sgx_headers 10 | dcap::quoteverify 11 | yacl_crypto) 12 | add_dependencies(tdx_verifier dcap) 13 | -------------------------------------------------------------------------------- /trustflow/attestation/verification/tdx/tdx_verifier.h: -------------------------------------------------------------------------------- 1 | // Copyright 2024 Ant Group Co., Ltd. 2 | // 3 | // Licensed under the Apache License, Version 2.0 (the "License"); 4 | // you may not use this file except in compliance with the License. 5 | // You may obtain a copy of the License at 6 | // 7 | // http://www.apache.org/licenses/LICENSE-2.0 8 | // 9 | // Unless required by applicable law or agreed to in writing, software 10 | // distributed under the License is distributed on an "AS IS" BASIS, 11 | // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | // See the License for the specific language governing permissions and 13 | // limitations under the License. 14 | 15 | #pragma once 16 | 17 | #include "yacl/base/buffer.h" 18 | 19 | #include "trustflow/attestation/verification/interface/verifier.h" 20 | 21 | namespace trustflow { 22 | namespace attestation { 23 | namespace verification { 24 | 25 | class TdxAttestationVerifier : public AttestationVerifier { 26 | public: 27 | explicit TdxAttestationVerifier(const std::string& report_json_str) 28 | : AttestationVerifier(report_json_str) { 29 | Init(); 30 | } 31 | 32 | explicit TdxAttestationVerifier( 33 | const secretflowapis::v2::sdc::UnifiedAttestationReport& report) 34 | : AttestationVerifier(report) { 35 | Init(); 36 | } 37 | 38 | void ParseUnifiedReport( 39 | secretflowapis::v2::sdc::UnifiedAttestationAttributes& attrs) override; 40 | 41 | void VerifyPlatform() override; 42 | 43 | static std::unique_ptr Create( 44 | const secretflowapis::v2::sdc::UnifiedAttestationReport& report) { 45 | return std::make_unique(report); 46 | } 47 | 48 | protected: 49 | void Init(); 50 | 51 | private: 52 | std::vector quote_; 53 | secretflowapis::v2::sdc::SgxQlQveCollateral collateral_; 54 | }; 55 | 56 | } // namespace verification 57 | } // namespace attestation 58 | } // namespace trustflow -------------------------------------------------------------------------------- /trustflow/attestation/verification/verifier_factory.h: -------------------------------------------------------------------------------- 1 | // Copyright 2024 Ant Group Co., Ltd. 2 | // 3 | // Licensed under the Apache License, Version 2.0 (the "License"); 4 | // you may not use this file except in compliance with the License. 5 | // You may obtain a copy of the License at 6 | // 7 | // http://www.apache.org/licenses/LICENSE-2.0 8 | // 9 | // Unless required by applicable law or agreed to in writing, software 10 | // distributed under the License is distributed on an "AS IS" BASIS, 11 | // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | // See the License for the specific language governing permissions and 13 | // limitations under the License. 14 | 15 | #include 16 | 17 | #include "absl/strings/escaping.h" 18 | #include "yacl/base/exception.h" 19 | 20 | #include "trustflow/attestation/verification/interface/verifier.h" 21 | 22 | namespace trustflow { 23 | namespace attestation { 24 | namespace verification { 25 | 26 | class VerifierFactory { 27 | public: 28 | VerifierFactory() {} 29 | VerifierFactory(const VerifierFactory &) = delete; 30 | VerifierFactory &operator=(const VerifierFactory &) = delete; 31 | 32 | std::unique_ptr Create( 33 | const std::string &report_json_str) { 34 | secretflowapis::v2::sdc::UnifiedAttestationReport report; 35 | JSON2PB(report_json_str, &report); 36 | const std::string &name = report.str_tee_platform(); 37 | 38 | std::vector supported_platforms(creators_.size()); 39 | std::transform(creators_.begin(), creators_.end(), 40 | supported_platforms.begin(), 41 | [](const auto &pair) { return pair.first; }); 42 | 43 | YACL_ENFORCE(creators_.count(name) > 0, 44 | "Supported platform list: {}, but not include {}", 45 | fmt::join(supported_platforms, ", "), name); 46 | return creators_[name](report); 47 | } 48 | 49 | void Register( 50 | const std::string &name, 51 | std::function( 52 | const secretflowapis::v2::sdc::UnifiedAttestationReport &report)> 53 | &&creator) { 54 | creators_[name] = std::move(creator); 55 | } 56 | 57 | protected: 58 | std::unordered_map< 59 | std::string, 60 | std::function( 61 | const secretflowapis::v2::sdc::UnifiedAttestationReport &report)>> 62 | creators_; 63 | }; 64 | 65 | } // namespace verification 66 | } // namespace attestation 67 | } // namespace trustflow -------------------------------------------------------------------------------- /trustflow/attestation/verification/wasm_binding.cc: -------------------------------------------------------------------------------- 1 | // Copyright 2024 Ant Group Co., Ltd. 2 | // 3 | // Licensed under the Apache License, Version 2.0 (the "License"); 4 | // you may not use this file except in compliance with the License. 5 | // You may obtain a copy of the License at 6 | // 7 | // http://www.apache.org/licenses/LICENSE-2.0 8 | // 9 | // Unless required by applicable law or agreed to in writing, software 10 | // distributed under the License is distributed on an "AS IS" BASIS, 11 | // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | // See the License for the specific language governing permissions and 13 | // limitations under the License. 14 | 15 | #include 16 | 17 | #include "trustflow/attestation/verification/wrapper/verifier_wrapper.h" 18 | 19 | using namespace emscripten; 20 | 21 | // Binding code 22 | EMSCRIPTEN_BINDINGS(trustflow) { 23 | value_object("Status") 24 | .field("code", &trustflow::attestation::Status::code) 25 | .field("message", &trustflow::attestation::Status::message) 26 | .field("details", &trustflow::attestation::Status::details); 27 | 28 | function("evidenceVerify", 29 | &trustflow::attestation::verification::AttestationReportVerify); 30 | } -------------------------------------------------------------------------------- /trustflow/attestation/verification/wrapper/BUILD.bazel: -------------------------------------------------------------------------------- 1 | # Copyright 2024 Ant Group Co., Ltd. 2 | # 3 | # Licensed under the Apache License, Version 2.0 (the "License"); 4 | # you may not use this file except in compliance with the License. 5 | # You may obtain a copy of the License at 6 | # 7 | # http://www.apache.org/licenses/LICENSE-2.0 8 | # 9 | # Unless required by applicable law or agreed to in writing, software 10 | # distributed under the License is distributed on an "AS IS" BASIS, 11 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | # See the License for the specific language governing permissions and 13 | # limitations under the License. 14 | 15 | package(default_visibility = ["//visibility:public"]) 16 | 17 | cc_library( 18 | name = "verifier_wrapper", 19 | srcs = ["verifier_wrapper.cc"], 20 | hdrs = ["verifier_wrapper.h"], 21 | deps = [ 22 | "//trustflow/attestation/common:status", 23 | "//trustflow/attestation/verification:verifier_factory", 24 | "//trustflow/attestation/verification/csv:csv_verifier", 25 | "//trustflow/attestation/verification/sgx2:sgx2_verifier", 26 | "//trustflow/attestation/verification/tdx:tdx_verifier", 27 | ], 28 | ) 29 | 30 | cc_library( 31 | name = "verifier_wrapper_c_api", 32 | srcs = ["verifier_wrapper_c_api.cc"], 33 | hdrs = ["verifier_wrapper_c_api.h"], 34 | deps = [ 35 | "//trustflow/attestation/common:status", 36 | "//trustflow/attestation/verification:verifier_factory", 37 | "//trustflow/attestation/verification/csv:csv_verifier", 38 | "//trustflow/attestation/verification/sgx2:sgx2_verifier", 39 | "//trustflow/attestation/verification/tdx:tdx_verifier", 40 | ], 41 | ) 42 | 43 | cc_binary( 44 | name = "libverification.so", 45 | srcs = ["verifier_wrapper_c_api.cc"], 46 | linkshared = True, 47 | deps = [ 48 | ":verifier_wrapper_c_api", 49 | ], 50 | ) 51 | -------------------------------------------------------------------------------- /trustflow/attestation/verification/wrapper/CMakeLists.txt: -------------------------------------------------------------------------------- 1 | set(SOURCES verifier_wrapper.cc) 2 | 3 | add_library(verifier_wrapper STATIC ${SOURCES}) 4 | target_link_libraries( 5 | verifier_wrapper 6 | verifier_interface 7 | sgx2_verifier 8 | tdx_verifier 9 | csv_verifier 10 | ) 11 | add_dependencies(verifier_wrapper dcap) 12 | -------------------------------------------------------------------------------- /trustflow/attestation/verification/wrapper/verifier_wrapper.cc: -------------------------------------------------------------------------------- 1 | // Copyright 2024 Ant Group Co., Ltd. 2 | // 3 | // Licensed under the Apache License, Version 2.0 (the "License"); 4 | // you may not use this file except in compliance with the License. 5 | // You may obtain a copy of the License at 6 | // 7 | // http://www.apache.org/licenses/LICENSE-2.0 8 | // 9 | // Unless required by applicable law or agreed to in writing, software 10 | // distributed under the License is distributed on an "AS IS" BASIS, 11 | // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | // See the License for the specific language governing permissions and 13 | // limitations under the License. 14 | 15 | #include "trustflow/attestation/verification/wrapper/verifier_wrapper.h" 16 | 17 | #include "trustflow/attestation/common/constants.h" 18 | #include "trustflow/attestation/utils/json2pb.h" 19 | #include "trustflow/attestation/verification/csv/csv_verifier.h" 20 | #include "trustflow/attestation/verification/sgx2/sgx2_verifier.h" 21 | #include "trustflow/attestation/verification/tdx/tdx_verifier.h" 22 | #include "trustflow/attestation/verification/verifier_factory.h" 23 | 24 | #include "secretflowapis/v2/sdc/ual.pb.h" 25 | 26 | namespace trustflow { 27 | namespace attestation { 28 | namespace verification { 29 | 30 | trustflow::attestation::Status AttestationReportVerify( 31 | const std::string& report_json_str, const std::string& policy_json_str) { 32 | secretflowapis::v2::sdc::UnifiedAttestationPolicy policy; 33 | 34 | trustflow::attestation::Status status = {0, "success", ""}; 35 | try { 36 | VerifierFactory factory; 37 | factory.Register(Platform::kPlatformTdx, &TdxAttestationVerifier::Create); 38 | factory.Register(Platform::kPlatformSgxDcap, 39 | &Sgx2AttestationVerifier::Create); 40 | factory.Register(Platform::kPlatformCsv, &CsvAttestationVerifier::Create); 41 | 42 | JSON2PB(policy_json_str, &policy); 43 | factory.Create(report_json_str)->VerifyReport(policy); 44 | } catch (const yacl::ArgumentError& ex) { 45 | status.code = 46 | static_cast(trustflow::attestation::ErrorCode::kArgumentError); 47 | status.message = ex.what(); 48 | status.details = ex.stack_trace(); 49 | } catch (const yacl::InvalidFormat& ex) { 50 | status.code = 51 | static_cast(trustflow::attestation::ErrorCode::kInvalidFormat); 52 | status.message = ex.what(); 53 | status.details = ex.stack_trace(); 54 | } catch (const yacl::Exception& ex) { 55 | status.code = 56 | static_cast(trustflow::attestation::ErrorCode::kInternalError); 57 | status.message = ex.what(); 58 | status.details = ex.stack_trace(); 59 | } catch (const std::exception& ex) { 60 | status.code = 61 | static_cast(trustflow::attestation::ErrorCode::kInternalError); 62 | status.message = ex.what(); 63 | } 64 | return status; 65 | } 66 | 67 | } // namespace verification 68 | } // namespace attestation 69 | } // namespace trustflow -------------------------------------------------------------------------------- /trustflow/attestation/verification/wrapper/verifier_wrapper.h: -------------------------------------------------------------------------------- 1 | // Copyright 2024 Ant Group Co., Ltd. 2 | // 3 | // Licensed under the Apache License, Version 2.0 (the "License"); 4 | // you may not use this file except in compliance with the License. 5 | // You may obtain a copy of the License at 6 | // 7 | // http://www.apache.org/licenses/LICENSE-2.0 8 | // 9 | // Unless required by applicable law or agreed to in writing, software 10 | // distributed under the License is distributed on an "AS IS" BASIS, 11 | // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | // See the License for the specific language governing permissions and 13 | // limitations under the License. 14 | 15 | #pragma once 16 | 17 | #include "trustflow/attestation/common/status.h" 18 | 19 | namespace trustflow { 20 | namespace attestation { 21 | namespace verification { 22 | 23 | trustflow::attestation::Status AttestationReportVerify( 24 | const std::string& report_json_str, const std::string& policy_json_str); 25 | 26 | } // namespace verification 27 | } // namespace attestation 28 | } // namespace trustflow 29 | --------------------------------------------------------------------------------