Unifying hardware trusted execution environment technologies using virtual secure enclave device

What is claimed is: 1. A computer-implemented method for creating and managing trusted execution environments (TEEs) based on different hardware TEE mechanisms using a virtual secure enclave device running in a virtualized environment in a computer system, the method comprising: transmitting an enclave command using a universal application programming interface (API) to the virtual secure enclave device from a software process running in the computer system, including inserting the enclave command into a command queue in the virtual secure enclave device; in response to the enclave command received at the virtual secure enclave device, retrieving the enclave command from the virtual secure device, including emulating the command queue in the virtual secure enclave device to retrieve the enclave command in the command queue of the virtual secure enclave device; parsing the retrieved enclave command to extract a description of an enclave operation to be executed from the retrieved enclave command; requesting a TEE backend module to interact with a particular hardware TEE mechanism among the different hardware TEE mechanisms that is included in the computer system so that the enclave operation for the software process is executed by the particular hardware TEE mechanism, wherein the TEE backend module is configured to interact with each of the different hardware TEE mechanisms using commands specific to each of the different hardware TEE mechanisms; and translating the retrieved enclave command from the universal API to a particular API selected from a plurality of APIs depending on the particular hardware TEE mechanism in the computer system so that the enclave operation for the software process is executed by the particular hardware TEE mechanism. 2. The method of claim 1 , wherein transmitting an enclave command to the virtual secure enclave device includes communicating with the virtual secure enclave device through a device driver for the virtual secure enclave device, wherein communications between the device driver and the virtual secure enclave device are executed using the universal application programming interface regardless of which of the different hardware TEE mechanisms is included in the computer system. 3. The method of claim 2 , wherein communications between the TEE backend module and the particular hardware TEE mechanism in the computer system are executed using the particular application programming interface specific to the particular hardware TEE mechanism. 4. The method of claim 1 , wherein retrieving the enclave command from the virtual secure enclave device includes trapping an operation of inserting the enclave command into the command queue in the virtual secure enclave device. 5. The method of claim 4 , wherein trapping an operation of inserting the enclave command into the command queue is performed by a virtual machine monitor (VMM) running in a VMkernel in the virtualized environment. 6. The method of claim 1 , wherein the virtual secure enclave device is running in a hypervisor to receive and insert the enclave command into the command queue in the hypervisor, and wherein emulating the command queue is performed by a virtual machine executable (VMX) module running in the hypervisor. 7. A non-transitory computer-readable storage medium containing program instructions for creating and managing trusted execution environments (TEEs) based on different hardware TEE mechanisms using a virtual secure enclave device running in a virtualized environment in a computer system, wherein execution of the program instructions by one or more processors of the computer system causes the one or more processors to perform steps comprising: transmitting an enclave command using a universal application programming interface (API) to the virtual secure enclave device from a software process running in the computer system, including inserting the enclave command into a command queue in the virtual secure enclave device; in response to the enclave command received at the virtual secure enclave device, retrieving the enclave command from the virtual secure device; parsing the retrieved enclave command to extract a description of an enclave operation to be executed from the retrieved enclave command, including emulating the command queue in the virtual secure enclave device to retrieve the enclave command in the command queue of the virtual secure enclave device; requesting a TEE backend module to interact with a particular hardware TEE mechanism among the different hardware TEE mechanisms that is included in the computer system so that the enclave operation for the software process is executed by the particular hardware TEE mechanism, wherein the TEE backend module is configured to interact with each of the different hardware TEE mechanisms using commands specific to each of the different hardware TEE mechanisms; and translating the retrieved enclave command from the universal API to a particular API selected from a plurality of APIs depending on the particular hardware TEE mechanism in the computer system so that the enclave operation for the software process is executed by the particular hardware TEE mechanism. 8. The computer-readable storage medium of claim 7 , wherein transmitting an enclave command to the virtual secure enclave device includes communicating with the virtual secure enclave device through a device driver for the virtual secure enclave device, wherein communications between the device driver and the virtual secure enclave device are executed using the universal application programming interface regardless of which of the different hardware TEE mechanisms is included in the computer system. 9. The computer-readable storage medium of claim 8 , wherein communications between the TEE backend module and the particular hardware TEE mechanism in the computer system are executed using the particular application programming interface specific to the particular hardware TEE mechanism. 10. The computer-readable storage medium of claim 7 , wherein retrieving the enclave command from the virtual secure enclave device includes trapping an operation of inserting the enclave command into the command queue in the virtual secure enclave device. 11. The computer-readable storage medium of claim 10 , wherein trapping an operation of inserting the enclave command into the command queue is performed by a virtual machine monitor (VMM) running in a VMkernel in the virtualized environment. 12. The computer-readable storage medium of claim 7 , wherein the virtual secure enclave device is running in a hypervisor to receive and insert the enclave command into the command queue in the hypervisor, and wherein emulating the command queue is performed by a virtual machine executable (VMX) module running in the hypervisor. 13. A computer system comprising: memory; and at least one processor configured to: transmit an enclave command using a universal application programming interface (API) to a virtual secure enclave device running in a virtualized environment in the computer system from a software process running in the computer system, including inserting the enclave command into a command queue in the virtual secure enclave device; in response to the enclave command received at the virtual secure enclave device, retrieve the enclave command from the virtual secure device, including emulating the command queue in the virtual secure enclave device to retrieve the enclave command in the command queue of the virtual secure enclave device; parse the retrieved enclave command to extract a description of an enclave operation to be executed from the retrieved enclave comma