Teaclave TrustZone SDK enables safe, functional, and ergonomic development of trustlets.

Clone this repo:


  1. b2fbfb0 CI: don't do things setup.sh does for us by Thomas Hebb · 6 weeks ago master
  2. a2b7bb0 Rework rustup/toolchain installation by Thomas Hebb · 6 weeks ago
  3. e70763f CI: use home directory workaround for tests too by Thomas Hebb · 6 weeks ago
  4. 5684033 setup.sh: function from any working directory by Thomas Hebb · 6 weeks ago
  5. 5147b27 setup.sh: quote variable expansions by Thomas Hebb · 6 weeks ago

Teaclave TrustZone SDK

License Release Homepage

Teaclave TrustZone SDK (Rust OP-TEE TrustZone SDK) provides abilities to build safe TrustZone applications in Rust. The SDK is based on the OP-TEE project which follows GlobalPlatform TEE specifications and provides ergonomic APIs. In addition, it enables the capability to write TrustZone applications with Rust's standard library (std) and many third-party libraries (i.e., crates). Teaclave TrustZone SDK is a sub-project of Apache Teaclave (incubating).

Table of Contents

Quick start with the OP-TEE Repo for QEMUv8

Teaclave TrustZone SDK has been integrated into the OP-TEE Repo since OP-TEE Release 3.15.0 (18/Oct/21). The aarch64 Rust examples are built and installed into OP-TEE's default filesystem for QEMUv8. Follow this documentation to set up the OP-TEE repo and try the Rust examples!

Getting started


To get started with Teaclave TrustZone SDK, you could choose either QEMU for Armv8-A (QEMUv8) or other platforms (platforms OP-TEE supported) as your development environment.

Develop with QEMUv8

The OP-TEE libraries are needed when building Rust applications, so you should finish the Quick start with the OP-TEE Repo for QEMUv8 part first. Then initialize the building environment in Teaclave TrustZone SDK, build Rust applications and copy them into the target's filesystem.

Teaclave TrustZone SDK is located in [YOUR_OPTEE_DIR]/optee_rust/. Teaclave TrustZone SDK in OP-TEE repo is pinned to the release version. Alternatively, you can try the develop version using git pull:

cd [YOUR_OPTEE_DIR]/optee_rust/
git pull github master

Develop on other platforms

If you are building trusted applications for other platforms (platforms OP-TEE supported). QEMU and the filesystem in the OP-TEE repo are not needed. You can follow these steps to clone the project and build applications independently from the complete OP-TEE repo. In this case, the necessary OP-TEE libraries are initialized in the setup process.

  1. The complete list of prerequisites can be found here: OP-TEE Prerequisites.
# install dependencies
sudo apt-get install android-tools-adb android-tools-fastboot autoconf \
  automake bc bison build-essential ccache cscope curl device-tree-compiler \
  expect flex ftp-upload gdisk iasl libattr1-dev libc6:i386 libcap-dev \
  libfdt-dev libftdi-dev libglib2.0-dev libhidapi-dev libncurses5-dev \
  libpixman-1-dev libssl-dev libstdc++6:i386 libtool libz1:i386 make \
  mtools netcat python-crypto python3-crypto python-pyelftools \
  python3-pycryptodome python3-pyelftools python-serial python3-serial \
  rsync unzip uuid-dev xdg-utils xterm xz-utils zlib1g-dev

Alternatively, you can use a docker container built with our Dockerfile.

  1. After installing dependencies or building the Docker image, fetch the source code from the official GitHub repository:
# clone the project
git clone https://github.com/apache/incubator-teaclave-trustzone-sdk.git
cd incubator-teaclave-trustzone-sdk

Build & Install

To build the project, the Rust environment and several related submodules are required.

  1. By default, the OPTEE_DIR is incubator-teaclave-trustzone-sdk/optee/. OP-TEE submodules (optee_os, optee_client and build) will be initialized automatically in setup.sh.

If you are building within QEMUv8 or already have the OP-TEE repository cloned somewhere, you can set the OP-TEE root directory with:


Note: your OPTEE root directory should have build/, optee_os/ and optee_client/ as sub-directory.

  1. Run the script as follows to install the Rust environment and initialize submodules:
  1. Before building examples, the environment should be properly set up with:
source environment

Note: by default, the target platform is aarch64. If you want to build for the arm target, you can setup ARCH before the source environment command:

export ARCH=arm
source environment
  1. Before building rust examples and applications, you need to build OP-TEE libraries using:
make optee
  1. Run this command to build all Rust examples:
make examples

Or build your own CA and TA:

make -C examples/[YOUR_APPLICATION]

Besides, you can collect all example CAs and TAs to /incubator-teaclave-trustzone-sdk/out:

make examples-install

Run Rust Applications

Considering the platform has been chosen (QEMUv8 or other), the ways to run the Rust applications are different.

Run Rust Applications in QEMUv8

  1. The shared folder is needed to share CAs and TAs with the QEMU guest system. Recompile QEMU in OP-TEE to enable QEMU VirtFS:
(cd $OPTEE_DIR/build && make QEMU_VIRTFS_ENABLE=y qemu)
  1. Copy all the Rust examples or your own applications to the shared folder:
mkdir shared_folder
cd [YOUR_OPTEE_DIR]/optee_rust/ && make examples-install)
cp -r [YOUR_OPTEE_DIR]/optee_rust/out/* shared_folder/
  1. Run QEMU:
(cd $OPTEE_DIR/build && make run-only QEMU_VIRTFS_ENABLE=y
  1. After the QEMU has been booted, you need to mount the shared folder in the QEMU guest system (username: root), in order to access the compiled CA/TA from QEMU. Run the command as follows in the QEMU guest terminal:
mkdir shared && mount -t 9p -o trans=virtio host shared
  1. Then run CA and TA as this documentation describes.

Run Rust Applications on other platforms

Copy the applications to your platform and run.



More details about the design and implementation can be found in our paper published in ACSAC 2020: RusTEE: Developing Memory-Safe ARM TrustZone Applications. Here is the BiBTeX record for your reference.

    author    = "Shengye Wan and Mingshen Sun and Kun Sun and Ning Zhang and Xu
    title     = "{RusTEE: Developing Memory-Safe ARM TrustZone Applications}",
    booktitle = "Proceedings of the 36th Annual Computer Security Applications
    series    = "ACSAC '20",
    year      = "2020",
    month     = "12",


Teaclave is open source in The Apache Way, we aim to create a project that is maintained and owned by the community. All kinds of contributions are welcome. Thanks to our contributors.