TRustForge: Secure Firmware with Hardware Isolation and Rust

This repository contains the open-source artifacts for the paper "TRustForge: Secure Firmware with Hardware Isolation and Rust". It combines a modified OpenSBI firmware with a Rust implementation of the TRustForge runtime for hardware-isolated secure firmware deployment.

Directories

• opensbi: modified OpenSBI source tree with TRustForge support
• rust: Rust implementation of the TRustForge runtime
• opensbi_trf.patch: standalone patch containing the OpenSBI-side changes

Preparation

The top-level build expects:

• a RISC-V cross-compilation toolchain
• Rust nightly, as specified in rust/rust-toolchain.toml
• llvm-objdump, mkimage, and python3

Build

Build the full firmware image with:

make

If you are using a vendor toolchain installed outside the default PATH, point the build to the toolchain prefix directory:

make COMPILE_TOOL_PATH=/path/to/toolchain/bin/

Deployment Notes

Before flashing to a board, review the platform memory map and PMP layout:

• rust/trf/src/config.rs: adjust OpenSBI, transition, normal-memory, MMIO, and secure-memory ranges
• rust/trf/build.rs: regenerate PMP regions and firmware layout derived from those addresses

Then:

1. Rebuild the firmware with make.
2. Replace the vendor OpenSBI firmware with build/fw_dynamic.itb.
3. Flash the image to the board.
4. Update U-Boot and Linux configuration so their memory reservations remain consistent with the TRustForge layout.