Comprehensive Guide to TEE

Introduction

Trusted Execution Environments (TEEs) are isolated, private enclaves in memory, encrypted by the CPU, that protect data in use at the hardware level.

While the sensitive data is inside an enclave, unauthorized entities cannot remove it, modify it, or add more data to it. The contents of an enclave remain invisible and inaccessible to external parties, protected against outsider and insider threats.

As a result, a TEE ensures the following:

  • Data integrity
  • Code integrity
  • Data confidentiality

TEE terminology and operation

In a system with a TEE, we have untrusted applications running on a Rich Execution Environment (REE) and trusted applications (TAs) running on a Trusted Execution Environment (TEE).

Only trusted applications running on a TEE (Secure World) have complete access to the main processor, peripherals and memory, while hardware isolation protects these from untrusted applications running on the main operating system (Non-Secure World).

How to implement a TEE?

We could isolate applications in a “sandbox”, for example using containers. This would prevent an application from seeing and accessing data from other applications.

But what about the kernel? How do we prevent code running in kernel space from being exploited to access a peripheral or memory region used by a trusted application?

Software can’t protect software!

So we need support in the hardware to implement a TEE. We need a way to partition and isolate the hardware (buses, peripherals, memory regions, interrupts, etc.) so that the running code does not have access to protected resources.

That’s where ARM’s TrustZone, RISC-V’s MultiZone and many other solutions come in.

Hardware support to implement a TEE:

  • ARM’s TrustZone
  • RISC-V’s MultiZone
  • AMD Platform Security Processor (PSP)
  • Intel Software Guard Extensions (SGX)
  • Apple SEP (Secure Enclave Processor)
  • Google Titan M
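
The hardware partitioning described in this section can be pictured as a filter on the bus that looks at which world issued an access, not at the CPU privilege level of the code. The following is an added example, not code from any of the products listed above; the memory map, the type names and bus_access_allowed() are assumptions made for illustration, and the model is deliberately simplified.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Simplified model (an assumption, not a real controller's register layout):
 * each bus transaction carries its originating world; hardware checks it. */
typedef enum { WORLD_NONSECURE, WORLD_SECURE } world_t;
typedef enum { PRIV_USER, PRIV_KERNEL } priv_t;

typedef struct {
    uint64_t base, size;
    bool secure_only;   /* true: only Secure World transactions pass */
} region_t;

/* Constructed sample memory map. */
static const region_t regions[] = {
    { 0x80000000u, 0x10000000u, false }, /* normal DRAM (REE) */
    { 0x90000000u, 0x00100000u, true  }, /* trusted application memory (TEE) */
    { 0x40001000u, 0x00001000u, true  }, /* protected peripheral */
};

/* Returns true only if the whole access [addr, addr+len) is allowed.
 * priv is ignored on purpose: kernel privilege in the Non-Secure World
 * grants nothing at the bus. Unmapped addresses are denied. */
bool bus_access_allowed(world_t world, priv_t priv, uint64_t addr, uint64_t len)
{
    (void)priv;
    if (len == 0 || addr + len < addr)      /* empty or wrapping access */
        return false;
    uint64_t pos = addr, end = addr + len;
    while (pos < end) {
        const region_t *hit = NULL;
        for (size_t i = 0; i < sizeof regions / sizeof regions[0]; i++)
            if (pos >= regions[i].base && pos - regions[i].base < regions[i].size)
                hit = &regions[i];
        if (!hit || (hit->secure_only && world != WORLD_SECURE))
            return false;
        pos = hit->base + hit->size;        /* continue into the next region */
    }
    return true;
}

int main(void)
{
    printf("NS kernel -> TA memory: %d\n", bus_access_allowed(WORLD_NONSECURE, PRIV_KERNEL, 0x90000000u, 4));
    printf("Secure    -> TA memory: %d\n", bus_access_allowed(WORLD_SECURE, PRIV_USER, 0x90000000u, 4));
    return 0;
}
```

The check walks every region an access touches, so a read that starts in normal DRAM and runs into trusted application memory is refused as a whole.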

ARM’s TrustZone

Several commercial TEE implementations have been developed over the years: