src/security/lib/README.md

Fuchsia Security: Libraries

Overview

This directory contains all libraries owned by the Fuchsia security team. Not all of these libraries are intended for general consumption; please consult the security team before including them in a new project.

Library Descriptions

  • fcrypto: Harder-to-misuse C++ library providing cryptographic primitives that wrap BoringSSL routines, intended to support zxcrypt.
  • fuchsia-tcti: The Fuchsia implementation of the TPM Command Transmission Interface (TCTI). This is consumed by our port of //third_party/tpm2-tss to enable the TCG TPM2 Software Stack (TSS2) to work on Fuchsia.
  • fuchsia-tpm-protocol: The implementation of the fuchsia.tpm FIDL interfaces. This allows the implementation to be shared by the cr50_agent and the tpm_agent. This protocol allows for provisioning and deprovisioning of the TPM.
  • keysafe: Keysafe trusted application interface, which defines the list of supported commands and their parameters.
  • kms-stateless: A stateless (does not persist anything by itself) key management service built on top of the KeySafe TA. Currently supports hardware-protected key derivation and rotations.
  • scrutiny: Scrutiny is a static analysis library for Fuchsia. It is a framework for inspecting all aspects of a built product and for building verifiers on top of it that guarantee properties are maintained at build time. For instance, we use this library today to validate that all protocol routes in the system are valid and to prevent unwanted files from sneaking into bootfs. See ffx scrutiny for all the verifiers implemented on top of this library.
  • tee: Client API that allows Fuchsia to invoke a security service provided by a TA in the TEE. The client API conforms to the GlobalPlatform standard and currently handles TA session establishment, invoking a command, shared memory management, etc.
  • zxcrypt: An encrypted (but not authenticated) filter block device core and supporting client libraries. minfs, where used, is generally configured to sit atop a zxcrypt-encrypted block device to protect mutable data.