docs: add TEE analysis for issue #168

Cargo.toml

@@ -1,5 +1,5 @@
 [workspace]
-members = ["cmd/passless", "passless-config-doc", "passless-core"]
+members = ["cmd/passless", "passless-config-doc", "passless-core", "passless-tee"]
 resolver = "2"
 
 [workspace.package]
@@ -13,6 +13,7 @@ repository = "https://github.com/pando85/passless"
 # Workspace crates
 passless-core = { path = "./passless-core", version = "0.7.6" }
 passless-config-doc = { path = "./passless-config-doc", version = "0.7.6" }
+passless-tee = { path = "./passless-tee", version = "0.7.6" }
 
 soft-fido2 = "0.10.1"
 soft-fido2-ctap = "0.10.1"

Makefile

@@ -180,3 +180,37 @@ uninstall: uninstall-systemd uninstall-udev uninstall-sysusers uninstall-binary
 	@echo "    Note: The 'fido' group still exists. To remove it:"
 	@echo "      sudo groupdel fido"
 	@echo ""
+
+# Gramine/SGX targets
+.PHONY: gramine-build
+gramine-build:	## build Passless with Gramine/SGX support
+	@echo "Building Passless with Gramine/SGX..."
+	cd gramine && ./build.sh
+
+.PHONY: gramine-clean
+gramine-clean:	## clean Gramine build artifacts
+	@echo "Cleaning Gramine artifacts..."
+	cd gramine && ./build.sh clean
+
+.PHONY: gramine-run
+gramine-run:	## run Passless in SGX enclave (standard storage)
+	@echo "Running Passless in SGX enclave..."
+	cd gramine && ./run.sh
+
+.PHONY: gramine-run-sealed
+gramine-run-sealed:	## run Passless in SGX enclave (sealed storage)
+	@echo "Running Passless in SGX enclave with sealed storage..."
+	cd gramine && ./run.sh --sealed
+
+.PHONY: gramine-keygen
+gramine-keygen:	## generate Gramine enclave signing key
+	cd gramine && ./build.sh keygen
+
+.PHONY: docker-sgx
+docker-sgx:	## build Docker image with Gramine/SGX support
+	@echo "Building Docker image with SGX support..."
+	docker build -f gramine/Dockerfile -t passless-sgx .
+
+.PHONY: test-tee-detection
+test-tee-detection:	## test TEE hardware detection
+	cargo test -p passless-tee --all-features

README.md

@@ -53,6 +53,7 @@ Users should choose the solution that best fits their own security and practical
   - [pass](https://www.passwordstore.org/) (encrypted, git-synced)
   - TPM 2.0 (Experimental)
   - Local filesystem (testing only)
+- **Intel SGX support via Gramine** (hardware memory isolation)
 - Security hardening (memory locking, core dump prevention)
 - Credential management via CTAP commands
 
@@ -99,12 +100,24 @@ make install
 yay -S passless
 ```
 
-or the binary from AUR:
+### Gramine/Intel SGX
 
+For enhanced security with hardware memory isolation, Passless can run in an Intel SGX enclave using Gramine.
+
+**Requirements:**
+- Intel SGX-capable CPU (6th gen or newer)
+- SGX enabled in BIOS
+- Linux kernel 5.11+
+
+**Quick start:**
 ```bash
-yay -S passless-bin
+# Build and run with SGX
+make gramine-build
+make gramine-run
 ```
 
+See [Gramine Integration Guide](docs/GRAMINE_INTEGRATION.md) for detailed setup instructions.
+
 ## Acknowledgements
 
 A big thank you to the [PassKeeZ](https://github.com/Zig-Sec/PassKeeZ) project for being such a

contrib/scripts/install-gramine.sh

@@ -0,0 +1,53 @@
+#!/usr/bin/env bash
+# Install Gramine support for Passless
+
+set -e
+
+GRAMINE_DIR="/opt/passless/gramine"
+BIN_DIR="/usr/local/bin"
+SERVICE_DIR="/etc/systemd/system"
+
+echo "Installing Gramine support for Passless..."
+
+# Create directories
+echo "Creating directories..."
+sudo mkdir -p "$GRAMINE_DIR"
+sudo mkdir -p /var/lib/passless
+
+# Copy Gramine files
+echo "Copying Gramine files..."
+sudo cp -r gramine/* "$GRAMINE_DIR/"
+
+# Make scripts executable
+sudo chmod +x "$GRAMINE_DIR/build.sh"
+sudo chmod +x "$GRAMINE_DIR/run.sh"
+
+# Copy systemd wrapper
+sudo install -m 755 contrib/scripts/passless-sgx-wrapper "$BIN_DIR/passless-sgx"
+
+# Build manifest if not exists
+if [ ! -f "$GRAMINE_DIR/passless-sealed.manifest.sgx" ]; then
+    echo "Building Gramine manifest..."
+    cd "$GRAMINE_DIR"
+    ./build.sh
+fi
+
+# Install systemd service
+if command -v systemctl &> /dev/null; then
+    echo "Installing systemd service..."
+    sudo cp contrib/systemd/passless-sgx.service "$SERVICE_DIR/"
+    sudo systemctl daemon-reload
+    echo ""
+    echo "To enable the service:"
+    echo "  sudo systemctl enable passless-sgx"
+    echo "  sudo systemctl start passless-sgx"
+fi
+
+echo ""
+echo "Installation complete!"
+echo ""
+echo "Run with:"
+echo "  passless-sgx"
+echo ""
+echo "Or with systemd:"
+echo "  sudo systemctl start passless-sgx"

contrib/scripts/uninstall-gramine.sh

@@ -0,0 +1,32 @@
+#!/usr/bin/env bash
+# Uninstall Gramine support for Passless
+
+set -e
+
+GRAMINE_DIR="/opt/passless/gramine"
+BIN_DIR="/usr/local/bin"
+SERVICE_DIR="/etc/systemd/system"
+
+echo "Uninstalling Gramine support for Passless..."
+
+# Stop and disable service
+if [ -f "$SERVICE_DIR/passless-sgx.service" ]; then
+    echo "Stopping systemd service..."
+    sudo systemctl stop passless-sgx 2>/dev/null || true
+    sudo systemctl disable passless-sgx 2>/dev/null || true
+    sudo rm -f "$SERVICE_DIR/passless-sgx.service"
+    sudo systemctl daemon-reload
+fi
+
+# Remove binary wrapper
+echo "Removing binary wrapper..."
+sudo rm -f "$BIN_DIR/passless-sgx"
+
+# Remove Gramine directory
+echo "Removing Gramine files..."
+sudo rm -rf "$GRAMINE_DIR"
+
+echo ""
+echo "Uninstallation complete!"
+echo ""
+echo "Note: Credential data in /var/lib/passless is preserved."

contrib/systemd/passless-sgx-wrapper.sh

@@ -0,0 +1,29 @@
+#!/usr/bin/env bash
+# Systemd wrapper for running Passless with Gramine/SGX
+# Install to /usr/local/bin/passless-sgx
+
+set -e
+
+GRAMINE_DIR="/opt/passless/gramine"
+
+# Check SGX device
+if [ ! -e /dev/sgx_enclave ] && [ ! -e /dev/sgx/enclave ]; then
+    echo "ERROR: Intel SGX device not found" >&2
+    exit 1
+fi
+
+# Check UHID device
+if [ ! -e /dev/uhid ]; then
+    echo "ERROR: UHID device not found" >&2
+    exit 1
+fi
+
+# Check manifest
+if [ ! -f "$GRAMINE_DIR/passless-sealed.manifest.sgx" ]; then
+    echo "ERROR: Gramine manifest not found" >&2
+    exit 1
+fi
+
+# Run in SGX enclave with sealed storage
+cd "$GRAMINE_DIR"
+exec gramine-sgx passless-sealed "$@"

contrib/systemd/passless-sgx.service

@@ -0,0 +1,31 @@
+[Unit]
+Description=Passless FIDO2 Authenticator (Gramine/SGX)
+Documentation=https://github.com/pando85/passless
+After=network.target
+ConditionPathExists=/dev/sgx_enclave
+ConditionPathExists=/dev/uhid
+
+[Service]
+Type=simple
+ExecStart=/usr/local/bin/passless-sgx
+Restart=on-failure
+RestartSec=5
+
+# Security hardening
+NoNewPrivileges=true
+ProtectSystem=strict
+ProtectHome=true
+PrivateTmp=true
+ReadWritePaths=/var/lib/passless
+
+# SGX device access
+DeviceAllow=/dev/sgx_enclave rw
+DeviceAllow=/dev/sgx/provision rw
+DeviceAllow=/dev/uhid rw
+
+# Resource limits
+LimitNOFILE=1024
+TasksMax=10
+
+[Install]
+WantedBy=multi-user.target