Vanadium: A Virtualized Secure Enclave for Hardware Signing Devices

Vanadium represents a novel approach to developing firmware applications for hardware signing devices, addressing the longstanding challenges faced in embedded development such as limited RAM and flash memory, slow iteration cycles, and the complexities of debugging. Developed as a RISC-V Virtual Machine capable of running in an embedded Secure Element, Vanadium offers a significant departure from traditional development constraints by enabling the execution of arbitrary applications, termed "V-Apps," within a secure enclave environment. This environment uniquely benefits from outsourcing memory and storage needs to an untrusted host, which effectively provides developers with virtually unlimited memory capacity. By allowing only the pages required at runtime to be loaded and storing everything else on the host, page swaps occur transparently, simplifying the development process.

The innovation extends to the development workflow; V-Apps can be written and tested as standard Rust programs without the need for vendor-specific SDKs, special toolchains, or emulators. This native development workflow not only accelerates the development cycle but also ensures the security of execution, as the VM operates within the Secure Element and all outsourced pages are encrypted and authenticated to prevent tampering by the host. Vanadium's architecture minimizes the developer's workload by encapsulating system calls, the memory outsourcing protocol, and direct VM-host communications, thereby streamlining the porting of Vanadium to new platforms.

Performance considerations have been addressed through the implementation of system services that enable performance-critical operations to run at the native speed of the underlying device. A list of ECALLs implemented in Vanadium showcases its readiness to support common Bitcoin-related use cases and potentially other cryptographic applications. Security is paramount in Vanadium’s design, ensuring that despite the host being fully untrusted, the Secure Element and display remain trusted components. The use of a manifest that commits to the exact code and metadata of a V-App before installation enhances app authenticity and code correctness.

However, the current version of Vanadium does not fully obscure memory access patterns, presenting a potential attack surface for cryptographic developers. While most applications relying on ECALLs are unaffected, those implementing cryptography directly in Vanadium apps must navigate this issue carefully. Future improvements may involve Oblivious RAM or simpler mitigations to address these cryptographic concerns. Despite its promising capabilities, Vanadium has yet to undergo an audit, and certain performance and user experience aspects require further refinement. Nevertheless, a developer preview of Vanadium for Ledger devices is available, inviting early feedback to shape its development roadmap. For more information or to try out the prototype, interested developers can visit https://github.com/LedgerHQ/vanadium.