This is an automated email from the ASF dual-hosted git repository. shaojunwang pushed a commit to branch master in repository https://gitbox.apache.org/repos/asf/incubator-teaclave-java-tee-sdk.git
commit e4406f83a18cd28e346c4fe5a3170511b9395568 Author: jeffery.wsj <[email protected]> AuthorDate: Fri Oct 14 11:31:02 2022 +0800 [misc] Add proposal.md file for donation to Apache Teaclave Summary: Add proposal.md file for donation to Apache Teaclave. Test Plan: all tests pass Reviewers: lei.yul, cengfeng.lzy, sanhong.lsh Issue: https://aone.alibaba-inc.com/task/45491707 CR: https://code.aone.alibaba-inc.com/java-tee/JavaEnclave/codereview/10408127 --- Proposal.md | 103 +++++++++++++++++++++ README.md | 27 ++++-- .../JavaEnclave_Application_Dependency.png | Bin 93938 -> 93093 bytes docs/resources/JavaEnclave_Architecture.png | Bin 121478 -> 143242 bytes 4 files changed, 123 insertions(+), 7 deletions(-) diff --git a/Proposal.md b/Proposal.md new file mode 100644 index 0000000..09d9a73 --- /dev/null +++ b/Proposal.md @@ -0,0 +1,103 @@ +======== Proposal ======= + +## Abstract + +JavaEnclave is a Java confidential computing programming framework. It follows the host-and-enclave partition programming model defined by Intel-SGX SDK. +JavaEnclave provides an elegant way to divide a java project into host and enclave modules, where the enclave module is a provider of a user-defined service interface which is similar to the Java SPI model. JavaEnclave could help you to develop and build a Java confidential computing project with high efficiency. + +## Proposal + +JavaEnclave is a pure Java SDK for Java confidential computing. It eases the interactions between secured and unsecured environment with a few concise APIs. +From user's aspect, creating an enclave environment and invoking confidential computing services would be as simple as invoking SPI services. + +### Background + +The JavaEnclave project is being actively developed within Alibaba Cloud. + +### Rationale + +JavaEnclave is a Java confidential computing programming framework. The goal of Teaclave is to provide a universal secure computing platform for multiple programming languages. Teaclave currently supports Rust, Python and WebAssembly, but Java is still missing. JavaEnclave would be an important piece of the puzzle. + +### Initial Goals + +- Transfer the repository to the Apache Incubator under the Teaclave project +- Code cleanup and more documentation + +#### Meritocracy: + +JavaEnclave project was originally developed and reviewed by Shaojun Wang/Ziyi Lin/Lei Yu/Sanhong Li within Alibaba Cloud. We encourage everyone to ask questions and create pull requests for the project. + +#### Community: + +JavaEnclave was developed and applied within Alibaba Cloud before it was donated to Teaclave. + +#### Core Developers: + +The core developers are: +- Shaojun Wang ([email protected]) +- Ziyi Lin ([email protected]) + +#### Alignment: + +The project is complimentary of Teaclave's TEE backends. + +### Known Risks + +An exercise in self-knowledge. Risks don't mean that a project is unacceptable. If they are recognized and noted, then they can be addressed during incubation. + +#### Project Name + +Since the project will be accepted as a subproject in Teaclave, the project is renamed Teaclave-java-tee-sdk. + +#### Inexperience with Open Source: + +JavaEnclave has been reviewed by Mingshen Sun, who is from the Teaclave community. He's familiar with The Apache Way for the open-source community. + +#### Length of Incubation: + +The project will be in incubation with Apache Teaclave (incubating) project. + +### Documentation + +- N/A + +### Initial Source + +- N/A + +### Source and Intellectual Property Submission Plan + +We will submit a Software Grant for this project later. + +#### External Dependencies: + +The dependencies have Apache compatible license, which is provided under the BSD 2-Clause license and GPL2.0 license. + +#### Cryptography: + +N/A + +### Required Resources + +#### Mailing lists: + +The project shares the same mailing list of Teaclave. + +#### Git Repositories: + +- N/A + +#### Issue Tracking: + +Same with Teaclave. + +#### Other Resources: + +N/A + +### Initial Committers + +- Shaojun Wang ([email protected]) +- Ziyi Lin ([email protected]) +- Lei Yu ([email protected]) +- Sanhong Li ([email protected]) \ No newline at end of file diff --git a/README.md b/README.md index e2fbb77..2960229 100644 --- a/README.md +++ b/README.md @@ -1,10 +1,10 @@ ## What's Teaclave-java-tee-sdk? -Teaclave-java-tee-sdk is a Java confidential computing programming model. It follows the host-and-enclave partition programming model defined by Intel-SGX SDK. Teaclave-java-tee-sdk provides an elegant way to divide a java project into host and enclave modules, the enclave module is a provider of a user-defined service interface, it's similar to the SPI development model. Teaclave-java-tee-sdk could help you to develop and build a Java confidential computing project with high efficiency. +Teaclave-java-tee-sdk is a Java confidential computing programming framework. It follows the host-and-enclave partition programming model defined by Intel-SGX SDK. Teaclave-java-tee-sdk provides an elegant way to divide a java project into host and enclave modules, where the enclave module is a provider of a user-defined service interface which is similar to the Java SPI model. Teaclave-java-tee-sdk could help you to develop and build a Java confidential computing project with high efficiency. ## Why do we need Teaclave-java-tee-sdk? -Occlum and Gramine libOS solutions run the entire Java application inside the enclave. Although it's much easier for end users, it suffers from a large TCB(Trusted Computing Base) that may compromise the security to some degree. On the other hand, Intel-SGX and OpenEnclave SDKs are more secure by only running the sensitive code inside the enclave, but they are limited to C/C++ ecosystem, and the development experience for programmers is unfriendly. For Example, it requests the programmer [...] +Occlum and Gramine libOS solutions run the entire Java application inside the enclave. Although it's much easier for end users, it suffers from a large TCB(Trusted Computing Base) that may compromise the security to some degree. On the other hand, Intel-SGX and OpenEnclave SDKs are more secure by only running the sensitive code inside the enclave, but they are limited to C/C++ ecosystem, and the development experience for programmers is unfriendly. For Example, it requests the programmer [...] ## Teaclave-java-tee-sdk architecture @@ -24,15 +24,28 @@ Teaclave-java-tee-sdk provides seven components: - Teaclave-java-tee-sdk Docker, provides a standard build and execution environment for Java confidential computing applications. - +<br /> +<div align="center"> +<img src="./docs/resources/JavaEnclave_Architecture.png" width = "400" height = "400" alt="Teaclave-java-tee-sdk Architecture" align=center /> +</div> +<center>Teaclave-java-tee-sdk Architecture</center> +<br /> ## Confidential computing Java project structure based on Teaclave-java-tee-sdk A Java confidential computing application project based on Teaclave-java-tee-sdk is a maven project which consists of three submodules, they are host submodule, enclave submodule, and common submodule. The common submodule contains the service interface definition, the enclave submodule implements the interface defined in the common submodule, host submodule contains the management of the enclave instance and service instance. We can view the enclave submodule as an SPI provider, Teaclav [...] - - - +<br /> +<div align="center"> +<img src="./docs/resources/JavaEnclave_Application_Dependency.png" width = "400" height = "300" alt="Teaclave-java-tee-sdk Application Dependency" align=center /> +</div> +<center>Teaclave-java-tee-sdk Application Dependency</center> +<br /> +<div align="center"> +<img src="./docs/resources/JavaEnclave_Project_Structure.png" width = "400" height = "400" alt="Teaclave-java-tee-sdk Project Structure" align=center /> +</div> +<center>Teaclave-java-tee-sdk Project Structure</center> +<br /> ## Getting started @@ -42,7 +55,7 @@ A Java confidential computing application project based on Teaclave-java-tee-sdk `apt install cpuid && cpuid -1 -l 0x12` - +<img src="./docs/resources/SGX2_Supported_Check.png" width = "300" height = "100" alt="Teaclave-java-tee-sdk Application Dependency" align=center /> if SGX2 is not supported, only MOCK_IN_JVM and MOCK_IN_SVM enclave modes in Teaclave-java-tee-sdk could be run normally. diff --git a/docs/resources/JavaEnclave_Application_Dependency.png b/docs/resources/JavaEnclave_Application_Dependency.png index c5783eb..fc2e972 100644 Binary files a/docs/resources/JavaEnclave_Application_Dependency.png and b/docs/resources/JavaEnclave_Application_Dependency.png differ diff --git a/docs/resources/JavaEnclave_Architecture.png b/docs/resources/JavaEnclave_Architecture.png index 1b8b6c7..fd77d3f 100644 Binary files a/docs/resources/JavaEnclave_Architecture.png and b/docs/resources/JavaEnclave_Architecture.png differ --------------------------------------------------------------------- To unsubscribe, e-mail: [email protected] For additional commands, e-mail: [email protected]
