🤟 WIA Standards

🛡️ Secure Enclave Simulator

Interactive demonstration of TEE, Intel SGX, ARM TrustZone, and secure processing

Data Format

Algorithms

Protocol

Integration

QR & VC

Secure Enclave Data Formats

🔐

Enclave Identity

Unique identifier and measurement hash (MRENCLAVE) for enclave code and data.

📜

Attestation Report

Cryptographically signed report proving enclave authenticity and configuration state.

💾

Sealed Data

Encrypted data blob that can only be unsealed by the same enclave instance.

// Enclave Identity Structure
struct EnclaveIdentity {
    mr_enclave: [u8; 32],    // SHA-256 hash of enclave code
    mr_signer: [u8; 32],     // Hash of enclave signer key
    isv_prod_id: u16,          // Product ID
    isv_svn: u16,              // Security version number
    attributes: u64,           // Enclave attributes
}

// Attestation Report Structure
struct AttestationReport {
    version: u16,
    sign_type: u16,
    epid_group_id: [u8; 4],
    qe_svn: u16,
    pce_svn: u16,
    basename: [u8; 32],
    report_data: [u8; 64],    // Custom data from enclave
    signature: Vec<u8>,
}

Secure Enclave Algorithms

🛡️

TEE Technologies

Intel SGX AES-128

ARM TrustZone AES-256

AMD SEV AES-128

// Memory Encryption Engine (MEE)
function encryptEnclaveMemory(plaintext, key) {
    // Counter mode encryption with integrity tree
    const counter = getMemoryCounter(address);
    const ciphertext = AES_128_CTR(plaintext, key, counter);
    const mac = GMAC(ciphertext, key);
    return { ciphertext, mac };
}

// Remote Attestation Key Derivation
function deriveAttestationKey(mrenclave, mrsigner) {
    const seal_key_request = {
        key_name: "SEAL_KEY",
        key_policy: "MRENCLAVE",
        isv_svn: current_svn
    };
    return EGETKEY(seal_key_request);
}

// Sealed Storage
function sealData(data, seal_key) {
    const iv = generateRandomIV();
    const encrypted = AES_GCM_encrypt(data, seal_key, iv);
    const mac = GMAC(encrypted, seal_key);
    return { encrypted, iv, mac };
}

Attestation & Sealing Protocol

Remote Attestation Flow

1. Enclave Init

→

2. Generate Quote

→

3. Send to IAS

→

4. Verify Report

→

5. Establish Trust

Sealed Storage Flow

1. Data Input

→

2. Derive Key

→

3. Encrypt+MAC

→

4. Store Sealed

→

5. Unseal Later

// Remote Attestation Protocol
async function performRemoteAttestation() {
    // Step 1: Create enclave report
    const report = await createEnclaveReport({
        target_info: quoting_enclave_info,
        report_data: custom_data
    });

    // Step 2: Generate quote from report
    const quote = await generateQuote(report);

    // Step 3: Send to Intel Attestation Service
    const attestation_result = await fetch('https://api.trustedservices.intel.com/sgx/attestation/v4/report', {
        method: 'POST',
        body: quote
    });

    // Step 4: Verify signature and enclave identity
    const verified = verifyAttestationReport(attestation_result);
    return verified;
}

// Sealed Data Persistence
function sealAndStore(sensitive_data) {
    const seal_key = deriveKey("SEAL_KEY", "MRENCLAVE");
    const sealed = seal(sensitive_data, seal_key);
    persistToUntrustedStorage(sealed);
}

Platform Integration

⚡ Intel SGX

x86_64 processors with SGX support. Requires BIOS enabled.

🛡️ ARM TrustZone

ARM Cortex-A processors. Separate secure world execution.

🔥 AMD SEV

Secure Encrypted Virtualization for VM isolation.

🌐 Cloud TEE

Azure Confidential Computing, AWS Nitro Enclaves.

📱 Mobile TEE

Apple Secure Enclave, Android StrongBox.

🔐 TPM

Trusted Platform Module for key storage and attestation.

// Intel SGX Integration Example
import { sgx } from '@wia/secure-enclave';

const enclave = await sgx.createEnclave({
    path: './enclave.signed.so',
    debug: false
});

// Execute sensitive operation in enclave
const result = await enclave.call('process_secret', {
    data: sensitive_input
});

// ARM TrustZone Integration Example
import { trustzone } from '@wia/secure-enclave';

const ta = await trustzone.openSession({
    uuid: '550e8400-e29b-41d4-a716-446655440000'
});

const encrypted = await ta.invokeCommand('encrypt_data', plaintext);

QR Codes & Verifiable Credentials

🔐

Attestation Report QR

🛡️

Enclave Identity QR

Verifiable Credential

Issuer: Intel Attestation Service

Subject: Enclave MR: 0xABCD...1234

Status: ✓ Verified

// Verifiable Credential for Enclave Attestation
{
  "@context": [
    "https://www.w3.org/2018/credentials/v1",
    "https://wiastandards.com/credentials/secure-enclave/v1"
  ],
  "type": ["VerifiableCredential", "EnclaveAttestationCredential"],
  "issuer": "did:web:attestation.intel.com",
  "issuanceDate": "2025-12-25T00:00:00Z",
  "credentialSubject": {
    "id": "did:enclave:0xABCD1234...",
    "enclaveType": "Intel SGX",
    "mrenclave": "0xABCDEF1234567890...",
    "mrsigner": "0x9876543210FEDCBA...",
    "isvProdId": 1,
    "isvSvn": 2,
    "attestationStatus": "GROUP_OUT_OF_DATE",
    "platformInfo": {
      "cpuSvn": "0x0F0F...",
      "pceSvn": 10
    }
  },
  "proof": {
    "type": "RsaSignature2018",
    "created": "2025-12-25T00:00:00Z",
    "proofPurpose": "assertionMethod",
    "verificationMethod": "did:web:attestation.intel.com#key-1",
    "jws": "eyJhbGc..."
  }
}