@avrabe avrabe commented Jan 24, 2026

Summary

  • Add Tpm2Provider for hardware-backed ECDSA P-256 signing via TPM 2.0
  • Add WIT runtime (wsc:crypto) for hosting WASM components with hardware crypto
  • Add CI workflow for TPM2 tests with swtpm simulator

TPM2 Provider

  • Platform-gated: Linux and Windows only (macOS excluded - no TPM2 hardware)
  • Uses tss-esapi crate (v7) for TSS2 API
  • Auto-detects TCTI: /dev/tpmrm0, /dev/tpm0, Windows TBS, or TPM2_TCTI env var
  • ECDSA P-256 with proper DER signature encoding
  • Tests require swtpm simulator (run automatically in CI)

WIT Runtime

  • wsc:crypto/hardware-signing WIT interface for opaque key handle operations
  • CryptoHostState<P> bridges WIT to any SecureKeyProvider implementation
  • WscRuntime<P> for loading and running WASM components
  • Enables WASM components to use hardware crypto without exposing keys

Test plan

  • Builds on macOS (TPM2 module excluded)
  • Builds on Linux/Windows with --features tpm2
  • TPM2 tests pass with swtpm (CI will verify)
  • WIT runtime tests pass
  • Existing tests still pass
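
The DER step named in the summary, as an added example (not code from this PR): it assumes the TPM hands back `r` and `s` as big-endian byte strings of at most 32 bytes, and the function names are hypothetical. It covers the two cases a naive concatenation gets wrong: leading zero bytes and a set top bit.

```rust
/// Encode one unsigned big-endian value as a DER INTEGER (tag 0x02).
fn der_integer(be: &[u8]) -> Vec<u8> {
    // DER wants the minimal form, so drop leading zero bytes first.
    let first = be.iter().position(|&b| b != 0).unwrap_or(be.len());
    let mut body = be[first..].to_vec();
    if body.is_empty() {
        body.push(0); // the value zero is encoded as a single 0x00
    }
    // INTEGER is signed: a set top bit would read as negative, so pad with 0x00.
    if body[0] & 0x80 != 0 {
        body.insert(0, 0);
    }
    let mut out = vec![0x02, body.len() as u8];
    out.extend(body);
    out
}

/// Wrap raw (r, s) into SEQUENCE { INTEGER r, INTEGER s }.
fn ecdsa_p256_der(r: &[u8], s: &[u8]) -> Result<Vec<u8>, &'static str> {
    for part in [r, s] {
        if part.is_empty() || part.len() > 32 {
            return Err("r and s must be 1..=32 bytes for P-256");
        }
        if part.iter().all(|&b| b == 0) {
            return Err("r and s must be non-zero");
        }
    }
    let mut body = der_integer(r);
    body.extend(der_integer(s));
    // At most 2 * (2 + 33) = 70 bytes, so the short length form always fits.
    let mut out = vec![0x30, body.len() as u8];
    out.extend(body);
    Ok(out)
}

fn main() {
    // Constructed sample values, not a real signature.
    let mut r = [0u8; 32];
    r[0] = 0x80; // top bit set: needs the 0x00 pad
    r[31] = 0x01;
    let mut s = [0u8; 32];
    s[31] = 0x7f; // 31 leading zero bytes: must be stripped
    let der = ecdsa_p256_der(&r, &s).unwrap();
    let hex: String = der.iter().map(|b| format!("{b:02x}")).collect();
    println!("{} bytes: {hex}", der.len());
}
```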

avrabe and others added 8 commits January 24, 2026 13:20
TPM2 Provider (Linux/Windows):
- Implement Tpm2Provider with ECDSA P-256 signing
- Auto-detect TCTI (device, resource manager, TBS, swtpm)
- Platform-gated compilation (excluded on macOS)
- DER signature encoding for p256 crate compatibility
- Comprehensive tests (require swtpm simulator)

WIT Runtime (wasmtime integration):
- Add wsc:crypto WIT interface for hardware signing
- Implement CryptoHostState bridging WIT to SecureKeyProvider
- WscRuntime for hosting WASM components with hardware crypto
- Support for key generation, signing, verification via opaque handles

CI:
- Add GitHub Actions workflow for TPM2 tests with swtpm
- Compile checks for macOS and Windows

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

- Replace WSError::HardwareNotAvailable with WSError::HardwareError
- Use NetworkTPMConfig instead of SwtpmConfig for swtpm connection
- Use PublicKey::try_from for ECC public key extraction instead of
  matching on PublicKeyUnion
- Implement load_key method (returns KeyNotFound for now)

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

- Replace as_bytes() with value() for EccParameter
- Replace WSError::InvalidSignature with InvalidKeyHandle/VerificationError
- Use ctx.hash() to get Digest and HashcheckTicket for signing
- Remove unused sha2::Digest import
- Import MaxBuffer for hash data buffer

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

Wrap TPM operations with execute_with_nullauth_session to provide
necessary authorization context for:
- create_primary (key generation)
- hash and sign operations

This fixes the "Not enough sessions provided for the command"
error (0x0007000b) when running with swtpm simulator.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

The tss-esapi crate doesn't have pre-generated bindings for Windows
x86_64, causing CI failure. Windows TPM support would require a
different implementation using the TBS (TPM Base Services) API.

Changes:
- Update Cargo.toml target to cfg(target_os = "linux") only
- Update platform/mod.rs cfg guards to Linux-only
- Update platform/tpm2.rs documentation
- Update CI workflow with explanatory comments

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

- Pin Bazel version to 8.5.1 for CI compatibility
  - Bazel 9.x has stricter module visibility that breaks aspect_bazel_lib
- Add proc_macro_deps for maybe-async in BUILD.bazel
- Use stable rules_wasm_component commit (27eefae) to avoid
  componentize-py canary checksum instability

Note: The newer rules_wasm_component commits (58b80d2+) use canary
builds for componentize-py which have constantly changing checksums,
causing CI failures. Using the older stable commit until checksums
are properly managed upstream.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
@avrabe avrabe force-pushed the feat/tpm2-and-wit-runtime branch from 33b1838 to 0363158 January 25, 2026 16:55
avrabe and others added 3 commits January 26, 2026 06:37
Sigstore rotated their fulcio.sigstore.dev TLS certificate. Updated
the certificate pin from the previous fingerprint to the new one:
a1ab2a71570894a6d9b2e539ec31419968cc3192b8c64bafb016bb72013f4087

The previous pin is kept in the list for rotation grace period.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

Add Phase 2 of the plan: SLSA L4 reproducibility tracking support:

- reproducibility.rs: BuildEnvironment, MaterialManifest, DependencyPin
  structures for capturing everything needed to reproduce a build
- dsse.rs: Dead Simple Signing Envelope implementation per DSSE spec
  for standards-compliant attestation signing

Key capabilities:
- Automatic CI/CD builder detection (GitHub Actions, GitLab, CircleCI,
  Azure Pipelines, Jenkins)
- Complete dependency pinning with cryptographic hashes
- in-toto Statement and Subject support
- SLSA ResourceDescriptor with PURL parsing

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

The DSSE module requires base64 for payload encoding. This was added
to Cargo.toml but not to the Bazel BUILD.bazel file.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
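
How the DSSE pieces in the two commits above fit together, as an added example that is not the contents of `dsse.rs`: the signature covers the pre-authentication encoding (PAE) of the raw payload, while base64 is only the transport form inside the envelope. Function names, the key id and the placeholder signature bytes are assumptions.

```rust
/// DSSE pre-authentication encoding: the exact bytes that get signed.
/// PAE(type, body) = "DSSEv1" SP LEN(type) SP type SP LEN(body) SP body
fn pae(payload_type: &str, payload: &[u8]) -> Vec<u8> {
    let mut out = format!("DSSEv1 {} {} {} ", payload_type.len(), payload_type, payload.len()).into_bytes();
    out.extend_from_slice(payload);
    out
}

/// Standard base64 with padding, used only for transport inside the envelope.
fn base64_std(data: &[u8]) -> String {
    const T: &[u8; 64] = b"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";
    let mut out = String::new();
    for chunk in data.chunks(3) {
        let b = [chunk[0], *chunk.get(1).unwrap_or(&0), *chunk.get(2).unwrap_or(&0)];
        let n = (b[0] as u32) << 16 | (b[1] as u32) << 8 | b[2] as u32;
        for i in 0..4 {
            // A chunk of k bytes yields k + 1 symbols; the rest is padding.
            if i <= chunk.len() {
                out.push(T[(n >> (18 - 6 * i) & 63) as usize] as char);
            } else {
                out.push('=');
            }
        }
    }
    out
}

/// Build the envelope JSON. `sig` must be a signature over pae(...), not over the base64 text.
fn envelope_json(payload_type: &str, payload: &[u8], keyid: &str, sig: &[u8]) -> Option<String> {
    // This sketch does no JSON escaping, so refuse strings that would need it.
    let needs_escape = |s: &str| s.contains(|c: char| c == '"' || c == '\\' || c.is_control());
    if needs_escape(payload_type) || needs_escape(keyid) {
        return None;
    }
    Some(format!(
        r#"{{"payload":"{}","payloadType":"{}","signatures":[{{"keyid":"{}","sig":"{}"}}]}}"#,
        base64_std(payload), payload_type, keyid, base64_std(sig)
    ))
}

fn main() {
    // Constructed payload; `sig` is a placeholder where a key provider would sign `to_sign`.
    let (ty, body) = ("application/vnd.in-toto+json", b"{}");
    let to_sign = pae(ty, body);
    println!("signed bytes: {}", String::from_utf8_lossy(&to_sign));
    let sig = [0xAAu8; 8];
    println!("{}", envelope_json(ty, body, "example-key", &sig).unwrap());
}
```

Because the lengths are part of the signed bytes, two different (type, payload) pairs can never produce the same input to the signer, which a plain concatenation would allow.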
@avrabe avrabe merged commit e1d5bff into main Jan 26, 2026
12 checks passed
@avrabe avrabe deleted the feat/tpm2-and-wit-runtime branch January 26, 2026 18:55