aurora-opensource · werwurm · Apr 28, 2026 · Apr 29, 2026 · Apr 30, 2026
@@ -92,3 +92,17 @@ jobs:
           find ${{ runner.temp }}/buildroot.build -name 'nat20lib.ko' | grep -q nat20lib.ko
           echo "nat20lib.ko built successfully:"
           find ${{ runner.temp }}/buildroot.build -name 'nat20lib.ko' -exec ls -la {} \;
+
+      - name: Build nat20device kernel module
+        env:
+          NAT20DEVICE_OVERRIDE_SRCDIR: ${{ github.workspace }}
+        run: |
+          cd ${{ runner.temp }}/buildroot.build/buildroot
+          make nat20device-dirclean
+          make nat20device -j $(( $(nproc) + 1 ))
+
+      - name: Verify nat20device.ko was produced
+        run: |
+          find ${{ runner.temp }}/buildroot.build -name 'nat20device.ko' | grep -q nat20device.ko
+          echo "nat20device.ko built successfully:"
+          find ${{ runner.temp }}/buildroot.build -name 'nat20device.ko' -exec ls -la {} \;
diff --git a/examples/linux/br_external/Config.in b/examples/linux/br_external/Config.in
@@ -33,4 +33,5 @@
 # along with this program; if not, see
 # <https://www.gnu.org/licenses/>.
 
+source "$BR2_EXTERNAL_NAT20_PATH/package/nat20device/Config.in"
 source "$BR2_EXTERNAL_NAT20_PATH/package/nat20lib/Config.in"
diff --git a/examples/linux/br_external/configs/qemu_br_defconfig b/examples/linux/br_external/configs/qemu_br_defconfig
@@ -3976,4 +3976,5 @@ BR2_TARGET_UBOOT_CUSTOM_PATCH_DIR=""
 #
 # Provides NAT20 related packages.
 #
+BR2_PACKAGE_NAT20DEVICE=y
 BR2_PACKAGE_NAT20LIB=y
diff --git a/examples/linux/br_external/package/nat20device/Config.in b/examples/linux/br_external/package/nat20device/Config.in
@@ -0,0 +1,57 @@
+# Copyright 2026 Aurora Operations, Inc.
+#
+# SPDX-License-Identifier: Apache-2.0 OR GPL-2.0
+#
+# This work is dual licensed.
+# You may use it under Apache-2.0 or GPL-2.0 at your option.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+# OR
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of the GNU General Public License
+# as published by the Free Software Foundation; either version 2
+# of the License, or (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, see
+# <https://www.gnu.org/licenses/>.
+
+config BR2_PACKAGE_NAT20DEVICE
+    bool "nat20device"
+    help
+        Say Y if you want to enable libnat20 based DICE support.
+
+        Congratulations, you rolled a natural 20. You just enabled
+        DICE (Device Identifier Composition Engine) support which
+        is one step in the direction of establishing the root of
+        trust for your ZTA infrastructure.
+
+        To compile this driver as a module, choose M here: the
+        module will be called nat20device.
+
+        If in doubt, read up on ZTA, device state attestation, OpenDICE,
+        DICE Attestation Architecture, and DICE Layering Architecture.
+        Then come back and, enthusiastically, say Y here.
+
+        Privacy notice: This is a trusted computing feature. It is
+        very useful for fleet management and establishing authenticity
+        and integrity to a remote relying party. It can also be
+        used for tracking, so protecting this feature from unauthorized
+        access is crucial for privacy on personal end user devices.
diff --git a/examples/linux/br_external/package/nat20device/nat20device.mk b/examples/linux/br_external/package/nat20device/nat20device.mk
@@ -0,0 +1,49 @@
+# Copyright 2026 Aurora Operations, Inc.
+#
+# SPDX-License-Identifier: Apache-2.0 OR GPL-2.0
+#
+# This work is dual licensed.
+# You may use it under Apache-2.0 or GPL-2.0 at your option.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+# OR
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of the GNU General Public License
+# as published by the Free Software Foundation; either version 2
+# of the License, or (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, see
+# <https://www.gnu.org/licenses/>.
+
+# In CI NAT20DEVICE_OVERRIDE_SRCDIR is set to the root of the repository,
+# so that the source under test is always the current branch.
+# Integrators who use this configuration should pin the version
+# to a specific commit or branch to avoid breakages when the main branch changes.
+NAT20DEVICE_VERSION = origin/main
+NAT20DEVICE_SITE = https://github.com/aurora-opensource/libnat20.git
+NAT20DEVICE_SITE_METHOD = git
+
+NAT20DEVICE_LICENSE = GPL-2.0
+
+NAT20DEVICE_MODULE_SUBDIRS = examples/linux/nat20device
+
+$(eval $(kernel-module))
+$(eval $(generic-package))
diff --git a/examples/linux/br_external/utils/envsetup.sh b/examples/linux/br_external/utils/envsetup.sh
@@ -46,6 +46,7 @@ fi
 
 source .env
 
+export NAT20DEVICE_OVERRIDE_SRCDIR="$LIBNAT20_ROOT"
 export NAT20LIB_OVERRIDE_SRCDIR="$LIBNAT20_ROOT"
 
 function ensure_popd() {
@@ -68,14 +69,15 @@ function brrebuild() {
         echo "Available targets:"
         echo "  all          - Rebuild all components"
         echo "  linux        - Rebuild the linux kernel"
+        echo "  nat20device  - Rebuild the nat20device module"
         echo "  nat20lib     - Rebuild the nat20lib library"
         popd
         return 1
     fi
 
     case "$1" in
         all)
-            ensure_popd make linux-rebuild nat20lib-rebuild all
+            ensure_popd make linux-rebuild nat20device-rebuild nat20lib-rebuild all
             ;;
         *)
             ensure_popd make $1-rebuild all

diff --git a/examples/linux/nat20device/Kbuild b/examples/linux/nat20device/Kbuild
@@ -0,0 +1,38 @@
+# Copyright 2026 Aurora Operations, Inc.
+#
+# SPDX-License-Identifier: Apache-2.0 OR GPL-2.0
+#
+# This work is dual licensed.
+# You may use it under Apache-2.0 or GPL-2.0 at your option.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+# OR
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of the GNU General Public License
+# as published by the Free Software Foundation; either version 2
+# of the License, or (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, see
+# <https://www.gnu.org/licenses/>.
+
+obj-m := nat20device.o
+
+ccflags-y := -I $(src)/include
diff --git a/examples/linux/nat20device/Makefile b/examples/linux/nat20device/Makefile
@@ -0,0 +1,50 @@
+# Copyright 2026 Aurora Operations, Inc.
+#
+# SPDX-License-Identifier: Apache-2.0 OR GPL-2.0
+#
+# This work is dual licensed.
+# You may use it under Apache-2.0 or GPL-2.0 at your option.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+# OR
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of the GNU General Public License
+# as published by the Free Software Foundation; either version 2
+# of the License, or (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, see
+# <https://www.gnu.org/licenses/>.
+
+KDIR ?= /lib/modules/`uname -r`/build
+INSTALL_MOD_PATH ?= /lib/modules/`uname -r`/extra
+
+all: modules
+
+modules:
+	$(MAKE) -C $(KDIR) M=$$PWD modules
+
+modules_install:
+	$(MAKE) -C $(KDIR) M=$$PWD INSTALL_MOD_PATH="$(INSTALL_MOD_PATH)" modules_install
+
+clean:
+	$(MAKE) -C $(KDIR) M=$$PWD clean
+
+.PHONY: all modules modules_install clean
diff --git a/examples/linux/nat20device/include/nat20device.h b/examples/linux/nat20device/include/nat20device.h
@@ -0,0 +1,127 @@
+/*
+ * Copyright 2026 Aurora Operations, Inc.
+ *
+ * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0
+ *
+ * This work is dual licensed.
+ * You may use it under Apache-2.0 or GPL-2.0 at your option.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ * OR
+ *
+ * This program is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU General Public License
+ * as published by the Free Software Foundation; either version 2
+ * of the License, or (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, see
+ * <https://www.gnu.org/licenses/>.
+ */
+
+#pragma once
+#ifndef NAT20_DEVICE_H
+#define NAT20_DEVICE_H
+
+#include <linux/module.h>
+#include <linux/types.h>
+
+struct nat20device_driver {};
+
+/**
+ * struct nat20device_buffer - Buffer for dispatch function response
+ * @data: Pointer to buffer data
+ * @size: Size of the buffer in bytes
+ */
+struct nat20device_buffer {
+    void* data;
+    size_t size;
+};
+
+/**
+ * typedef nat20device_dispatch_fn - Dispatch function callback
+ * @ctx: Driver-specific context
+ * @request: Request buffer from userspace
+ * @request_len: Length of request buffer
+ * @response: Pointer to response buffer (allocated by driver)
+ *
+ * The dispatch function processes a request and returns a response buffer.
+ * The driver must allocate the response buffer, which will be freed by
+ * the framework using kfree after the read operation completes.
+ *
+ * Return: 0 on success, negative error code on failure
+ */
+typedef int (*nat20device_dispatch_fn)(void* ctx,
+                                       void const* request,
+                                       size_t request_len,
+                                       struct nat20device_buffer* response);
+
+/**
+ * typedef nat20device_dice_chain_read - DICE chain read function callback
+ * @ctx: Driver-specific context
+ * @buf: User-space buffer to read DICE chain data into
+ * @len: Length of the buffer
+ * @f_pos: File position offset
+ *
+ * Reads the DICE certificate chain into the provided user-space buffer.
+ * The data is encoded as a CBOR indefinite-length array. See
+ * examples/linux/README.md for the encoding specification.
+ *
+ * Return: Number of bytes read on success, negative error code on failure
+ */
+typedef ssize_t (*nat20device_dice_chain_read)(void* ctx,
+                                               char __user* buf,
+                                               size_t len,
+                                               loff_t* f_pos);
+
+/**
+ * struct nat20device_driver_ops - Driver operations
+ * @dispatch: Dispatch function for handling requests
+ * @dice_chain_read: DICE chain read function for reading the boot certificate chain
+ */
+struct nat20device_driver_ops {
+    nat20device_dispatch_fn dispatch;
+    nat20device_dice_chain_read dice_chain_read;
+};
+
+/**
+ * nat20device_register_driver - Register a new NAT20 driver instance
+ * @ops: Driver operations structure
+ * @ctx: Driver-specific context
+ * @owner: Module owner (usually THIS_MODULE). This is used to manage module
+ * 	  reference counting for the driver instance. Blocks the removal
+ *    of the module while a device node remains open.
+ *
+ * Registers a new driver instance and creates a character device node
+ * with the name "nat20X" where X is an automatically assigned number.
+ *
+ * Return: Pointer to registered driver on success, ERR_PTR on failure
+ */
+struct nat20device_driver* nat20device_register_driver(const struct nat20device_driver_ops* ops,
+                                                       void* ctx,
+                                                       struct module* owner);
+
+/**
+ * nat20device_unregister_driver - Unregister a NAT20 driver instance
+ * @driver: Driver instance to unregister
+ *
+ * Unregisters a driver instance and removes its character device node.
+ */
+void nat20device_unregister_driver(struct nat20device_driver* driver);
+#endif /* NAT20_DEVICE_H */