
Trusted execution environment


A Trusted Execution Environment (TEE) is a secure area of a device's main processor. Code and data loaded into it are protected with respect to confidentiality and integrity: the TEE provides isolated execution, protects the integrity of the Trusted Applications (TAs) that run inside it, and keeps their assets (keys, credentials and other secrets) confidential. In general terms, the TEE offers an execution space with a higher level of security than a rich mobile operating system (mobile OS) and more functionality than a secure element (SE).

Industry associations such as GlobalPlatform (which standardizes specifications for the TEE) and the Trusted Computing Group (which works to align the GlobalPlatform TEE specification with its Trusted Platform Module (TPM) technology for mobile security) have both undertaken work on the TEE.

The Open Mobile Terminal Platform (OMTP) first defined the TEE in its 'Advanced Trusted Environment: OMTP TR1' standard as a "set of hardware and software components providing facilities necessary to support Applications" that had to meet the requirements of one of two defined security levels. The first level, Profile 1, was targeted only at software attacks, while Profile 2 was targeted at both software and hardware attacks.

Commercial TEE solutions based on ARM TrustZone technology that conformed to the TR1 standard, such as Trusted Foundations developed by Trusted Logic, were later launched. This software would become part of the Trustonic joint venture and the basis of later GlobalPlatform TEE solutions.

Work on the OMTP standards ended in mid-2010 when the group transitioned into the Wholesale Applications Community (WAC).

The OMTP standards, including those defining a TEE, are hosted by GSMA.

In July 2010 GlobalPlatform first announced its own standardisation of the TEE, focusing first on the TEE Client API (the interface through which software in the mobile OS calls into the TEE). This was later expanded to include the TEE Internal API (the interface used by trusted applications running inside the TEE), a remote administration framework, a compliance programme and a standardised security level.

The TEE is an isolated environment that runs in parallel with the main operating system and provides security services to it. It is intended to be more secure than the user-facing OS (which GlobalPlatform calls the Rich Execution Environment, or REE) and offers more performance and functionality than a secure element (SE), using a hybrid approach in which both hardware and software protect data. It therefore offers a level of security sufficient for many applications. Trusted applications running in a TEE have access to the full power of the device's main processor and memory, while hardware isolation protects them from user-installed apps running in the main operating system. Software and cryptographic isolation inside the TEE protect the trusted applications from each other.
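The isolation described above only holds if the trusted application treats everything that crosses the REE/TEE boundary as untrusted. The following is an added example, not code from the page or from GlobalPlatform: a mock trusted application command handler written in the shape of the GlobalPlatform TEE Internal API. The TEE_* names and parameter-type encoding mirror the real API but are defined locally so the file compiles without a TEE; the PIN-verification use case, the three-attempt limit and the sample PINs are assumptions for illustration. It shows the points a TA developer has to get right: rejecting unexpected parameter layouts, validating REE-supplied buffer sizes before touching the memory, copying the input out of shared memory before using it, comparing secrets in constant time, and returning only a verdict so the secret never leaves the TEE.

```c
/* Added example: mock Trusted Application (TA) command handler in the shape of the
 * GlobalPlatform TEE Internal API. The TEE_* names mirror the real API but are
 * defined locally so this compiles without a TEE. The PIN use case, the 3-attempt
 * limit and the sample PINs are assumptions for illustration. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

typedef uint32_t TEE_Result;
#define TEE_SUCCESS              0x00000000
#define TEE_ERROR_ACCESS_DENIED  0xFFFF0001
#define TEE_ERROR_BAD_PARAMETERS 0xFFFF0006

#define TEE_PARAM_TYPE_NONE          0
#define TEE_PARAM_TYPE_VALUE_OUTPUT  2
#define TEE_PARAM_TYPE_MEMREF_INPUT  5
#define TEE_PARAM_TYPES(t0, t1, t2, t3) ((t0) | ((t1) << 4) | ((t2) << 8) | ((t3) << 12))

typedef union {
    struct { void *buffer; size_t size; } memref;  /* shared memory supplied by the REE */
    struct { uint32_t a; uint32_t b; } value;
} TEE_Param;

enum { CMD_VERIFY_PIN = 0 };
#define PIN_LEN 4
#define MAX_ATTEMPTS 3
#define VERIFY_PARAM_TYPES TEE_PARAM_TYPES(TEE_PARAM_TYPE_MEMREF_INPUT, TEE_PARAM_TYPE_VALUE_OUTPUT, \
                                           TEE_PARAM_TYPE_NONE, TEE_PARAM_TYPE_NONE)

/* TA-private state: lives in TEE memory and is never copied out to the REE. */
static const uint8_t stored_pin[PIN_LEN] = { '1', '3', '5', '7' };  /* constructed sample secret */
static uint32_t failed_attempts = 0;

/* Constant-time comparison: running time does not reveal which byte differed. */
static int ct_equal(const uint8_t *a, const uint8_t *b, size_t n) {
    uint8_t diff = 0;
    for (size_t i = 0; i < n; i++) diff |= a[i] ^ b[i];
    return diff == 0;
}

/* Entry point the TEE OS would call when the REE invokes a command on an open session.
 * params[0]: MEMREF_INPUT candidate PIN; params[1]: VALUE_OUTPUT verdict (a) and attempts left (b). */
TEE_Result TA_InvokeCommandEntryPoint(uint32_t cmd, uint32_t param_types, TEE_Param params[4]) {
    if (cmd != CMD_VERIFY_PIN) return TEE_ERROR_BAD_PARAMETERS;

    /* Reject any parameter layout other than the one this command defines. */
    if (param_types != VERIFY_PARAM_TYPES) return TEE_ERROR_BAD_PARAMETERS;

    /* Buffer pointer and size come from the REE: validate before touching the memory. */
    if (params[0].memref.buffer == NULL || params[0].memref.size != PIN_LEN)
        return TEE_ERROR_BAD_PARAMETERS;

    if (failed_attempts >= MAX_ATTEMPTS) {
        params[1].value.a = 0;
        params[1].value.b = 0;
        return TEE_ERROR_ACCESS_DENIED;  /* locked: no further comparisons are performed */
    }

    /* Copy into TEE-owned memory so a concurrent REE write cannot change the input mid-check. */
    uint8_t candidate[PIN_LEN];
    memcpy(candidate, params[0].memref.buffer, PIN_LEN);

    if (ct_equal(candidate, stored_pin, PIN_LEN)) {
        failed_attempts = 0;
        params[1].value.a = 1;
    } else {
        failed_attempts++;
        params[1].value.a = 0;
    }
    params[1].value.b = MAX_ATTEMPTS - failed_attempts;  /* only a verdict and a counter leave the TEE */
    return TEE_SUCCESS;
}

/* REE-side wrapper standing in for the Client API call sequence; fills verdict and attempts left. */
TEE_Result verify_pin(const char *pin, size_t len, uint32_t *verdict, uint32_t *attempts_left) {
    TEE_Param params[4];
    memset(params, 0, sizeof params);
    params[0].memref.buffer = (void *)pin;
    params[0].memref.size = len;
    TEE_Result r = TA_InvokeCommandEntryPoint(CMD_VERIFY_PIN, VERIFY_PARAM_TYPES, params);
    *verdict = params[1].value.a;
    *attempts_left = params[1].value.b;
    return r;
}

void reset_ta_state(void) { failed_attempts = 0; }

int main(void) {
    uint32_t ok, left;
    TEE_Result r = verify_pin("0000", 4, &ok, &left);
    printf("wrong pin: result=0x%08X verdict=%u attempts_left=%u\n", r, ok, left);
    r = verify_pin("1357", 4, &ok, &left);
    printf("right pin: result=0x%08X verdict=%u attempts_left=%u\n", r, ok, left);
    return 0;
}
```

On real hardware the REE side would go through TEEC_InitializeContext, TEEC_OpenSession and TEEC_InvokeCommand, and the TEE OS would marshal the shared-memory references into the TA's parameters; the validation shown in the handler is the same regardless of which TEE implementation hosts it.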

