In order to ease auditing, ensure product stability, as well as reduce the possibility of the supply chain attack, we vendored all TEE dependencies here. During the build process, the trusted components will only consumes packages from this designated repository and will not download any code from external sources such as crates.io.
If a crate is not available in the vendor directory, it can to be added with the following steps:
cargo buildand ensure that it passes.
cargo vendorand update the config file (e.g. crates-sgx/config). You may also utilize crates-sgx/Makefile for automation.
git add/committhe changes of Cargo.toml/Cargo.lock/config/README.txt/vendor and submit a pull request.