Trusted execution environment

From Wikipedia, the free encyclopedia
Jump to navigation Jump to search

A trusted execution environment (TEE) is a secure area of a main processor. It guarantees code and data loaded inside to be protected with respect to confidentiality and integrity[clarification needed].[1] A TEE as an isolated execution environment provides security features such as isolated execution, integrity of applications executing with the TEE, along with confidentiality of their assets.[2] In general terms, the TEE offers an execution space that provides a higher level of security[for whom?] than a rich mobile operating system open (mobile OS) and more functionality than a 'secure element' (SE).[3]

Industry associations like GlobalPlatform (working to standardize specifications for the TEE[4]) and Trusted Computing Group (working to align GlobalPlatform TEE specification with its Trusted Platform Module (TPM) technology for enhanced mobile security[5]) have undertaken work in recent years.


Open Mobile Terminal Platform (OMTP) first defined TEE in their 'Advanced Trusted Environment:OMTP TR1' standard, defining it as a "set of hardware and software components providing facilities necessary to support Applications" which had to meet the requirements of one of two defined security levels. The first security level, Profile 1, was targeted against only software attacks and whilst Profile 2, was targeted against both software and hardware attacks.[6]

Commercial TEE solutions based on ARM TrustZone technology which conformed to the TR1 standard such as Trusted Foundations, developed by Trusted Logic, were later launched.[7] This software would become part of the Trustonic joint venture, and the basis of future GlobalPlatform TEE solutions.[8][9]

Work on the OMTP standards ended in mid 2010 when the group transitioned into the 'Wholesale Applications Community' (WAC).[10]

The OMTP standards, including those defining a TEE, are hosted by GSMA.[11]

In July 2010 GlobalPlatform first announced their own standardisation of the TEE, focusing first on the client API (the interface to the TEE within the mobile OS)[12] which was expanded later to include the TEE internal API,[12] a Remote Administration framework,[13] a compliance programme and standardised security level.[14]


The TEE is an isolated environment that runs in parallel with the operating system, providing security for the rich environment. It is intended to be more secure than the User-facing OS (which GlobalPlatform calls the REE or Rich Execution Environment) and offers a higher level of performance and functionality than a Secure Element (SE), using a hybrid approach that utilizes both hardware and software to protect data.[15] It therefore offers a level of security sufficient for many applications. Trusted applications running in a TEE have access to the full power of a device's main processor and memory, while hardware isolation protects these from user installed apps running in a main operating system. Software and cryptographic isolation inside the TEE protect the trusted applications contained within from each other.[16]

Service providers, mobile network operators (MNO), operating system developers, application developers, device manufacturers, platform providers and silicon vendors are the main stakeholders contributing to the standardization efforts around the TEE.

To prevent simulation of hardware with a user-controlled software a hardware root of trust is used. To simulate the hardware in a way enabling it to pass remote authentication an attacker should extract keys from the hardware, which is costly because of used equipment and reverse engineering skills required (focused ion beam, scanning electron microscope, microprobing, decapsulation) or even impossible if the hardware is designed in a way that reverse engineering destroys the keys. In some cases the keys are unique for each piece of hardware, so a key extracted from one chip is useless for another ones.

Though deprivation of ownership is not an inherent property of TEE (it is possible to design the system in the way allowing only the user who has obtained the ownership of the device first to control the system), in practice all such systems in consumer electronics are intentionally designed in the way to allow chip manufacturers control access to attestation and its algorithms. It allows manufacturers to allow access to TEE for only to the software developers who have a (usually commercial) business agreement with the manufacturer and enables such use cases as tivoization and DRM.


There are a number of use cases for the TEE. Though not all possible use cases exploit the deprivation of ownership, TEE is usually used exactly for this.

Premium Content Protection / Digital Rights Management

Note: Much TEE literature covers this topic under the definition "premium content protection" which is the preferred nomenclature of many copyright holders. Premium content protection is a specific use case of Digital Rights Management (DRM), and is controversial among some communities. It is widely used by copyrights holders to restrict the ways in which end users can consume content such as 4K high definition films.

The TEE is a suitable environment for protecting digitally encoded information (for example, HD films or audio) on connected devices such as smart phones, tablets and HD televisions. This suitability comes from the ability of the TEE to deprive owner of the device from reading stored secrets, and the fact that there is often a protected hardware path between the TEE and the display and/or subsystems on devices.

The TEE is used to protect the content once it is on the device: while the content is protected during transmission or streaming by the use of encryption, the TEE protects the content once it has been decrypted on the device by ensuring that decrypted content is not exposed to the environment not approved by app developer OR platform vendor.

Mobile financial services

Mobile Commerce applications such as: mobile wallets, peer-to-peer payments, contactless payments or using a mobile device as a point of sale (POS) terminal) often have well-defined security requirements. TEEs can be used, often in conjunction with near field communication (NFC), SEs and trusted backend systems to provide the security required to enable financial transactions to take place.[17]

In some scenarios, interaction with the end user is required, and this may require the user to expose sensitive information such as a PIN, password or biometric identifier to the mobile OS as a means of authenticating the user. The TEE optionally offers a trusted user interface which can be used to construct user authentication on a mobile device.[18]


The TEE is well-suited for supporting biometric ID methods (facial recognition, fingerprint sensor and voice authorization), which may be easier to use and harder to steal than PINs and passwords. The authentication process is generally split into three main stages:

  • Storing a reference 'template' identifier on the device for comparison with the 'image' extracted in next stage.
  • Extracting an 'image' (scanning the fingerprint or capturing a voice sample, for example).
  • Using a matching engine to compare the 'image' and the 'template'.

A TEE is a good area within a mobile device to house the matching engine and the associated processing required to authenticate the user. The environment is designed to protect the data and establish a buffer against the non-secure apps located in mobile OS. This additional security may help to satisfy the security needs of service providers in addition to keeping the costs low for handset developers.

The FIDO Alliance is collaborating with GlobalPlatform to standardize the TEE for natural ID implementations.[19]

Enterprise and government

The TEE can be used by governments and enterprises to enable the secure handling of confidential information on a mobile device. The TEE offers a level of protection against software attacks generated in the mobile OS and assists in the control of access rights. It achieves this by housing sensitive, ‘trusted’ applications that need to be isolated and protected from the mobile OS and any malicious malware that may be present. Through utilizing the functionality and security levels offered by the TEE, governments and enterprises can be assured that employees using their own devices are doing so in a secure and trusted manner.

Secure Modular Programming

With the rise of software assets and reuses, Modular programming is the most productive process to design software architecture, by decoupling the functionalities into small independent modules. As each module contains everything necessary to execute its desired functionality, the TEE allows to organize the complete system featuring a high level of reliability and security, while preventing each module from vulnerabilities of the others.

Hardware support[edit]

The following embedded hardware technologies can be used to support TEE implementations:


Several TEE implementations are available from different TEE providers:

  • Commercial implementations
    • Kinibi (formerly: Trusted Foundation, MobiCore, t-base),[30] a commercial implementation from Trustonic that has been qualified by GlobalPlatform[31]
    • QSEE, a commercial implementation from Qualcomm
    • TSEE,[32] a commercial implementation based on ARM TrustZone, Intel SGX and ARM Virtualization from TrustKernel and has been qualified by GlobalPlatform[33]
    • securiTEE,[34] a commercial implementation from Solacia that has been qualified by GlobalPlatform[35]
    • CoreTEE,[36] a commercial implementation from Sequitur Labs
    • MicroEJ VEE,[37] a royalty free commercial implementation from MicroEJ. MicroEJ VEE combined its TEE (called Kernel&Features) with a full virtualization of code execution, without any hardware specific means, making MicroEJ VEE and the applications transparently portable across any MCU, MPU, SoC architectures. Full specification here [38]. Starter kits available from Renesas, NXP, ST, Espressif.
    • ProvenCore,[39] a commercial implementation from Prove&Run
    • ISEE, a commercial implementation from Beijing Bean Pod Technology
  • Open-source implementations
  • Implementations with dual commercial/open-source licensing
    • SierraTEE,[45] an implementation from Sierraware available both under commercial and GPL-licensing


While there are a number of proprietary systems, GlobalPlatform is working to standardize the TEE. Standardizing the TEE is helpful for implementers of mobile wallets, NFC payment implementations, premium content protection and bring your own device (BYOD) initiatives.

These following TEE specifications are currently available from the GlobalPlatform website:[46]

Trustonic was the company to qualify a GlobalPlatform-compliant TEE product.[49] Since then, a significant number of GlobalPlatform TEE implementations have become available. A list of those which have been formally qualified by GlobalPlatform can be found at,[50] and many other TEE products offer a high level of compatibility with GlobalPlatform standards.


The GlobalPlatform TEE Protection Profile specifies the typical threats the hardware and software of the TEE needs to withstand. It also details the security objectives that are to be met in order to counter these threats and the security functional requirements that a TEE will have to comply with. A security assurance level of EAL2+ has been selected; the focus is on vulnerabilities that are subject to widespread, software-based exploitation.

The Common Criteria portal has officially listed the GlobalPlatform TEE Protection Profile[51] on its website, under the Trusted Computing category. This important milestone means that industries using TEE technology to deliver services such as premium content and mobile wallets, or enterprises and governments establishing secure mobility solutions, can now formally request that TEE products are certified against this security framework.

GlobalPlatform is committed to ensuring a standardized level of security for embedded applications on secure chip technology. It has developed an open and thoroughly evaluated trusted execution environment (TEE) ecosystem with accredited laboratories and evaluated products. This certification scheme created to certify a TEE product in 3 months has been launched officially in June 2015[52]

See also[edit]


  1. ^ "Trusted Execution Environment, millions of users have one, do you have yours?". Poulpita. 2014-02-18. Retrieved 2017-05-17.
  2. ^ Ram Kumar Koppu (26 October 2013). "The benefits of Trusted Execution Environment (TEE)". YouTube.
  3. ^ "The Trusted Execution Environment : Delivering Enhanced Security at a Lower Cost to the Mobile Market" (PDF). Retrieved 2017-05-17.
  4. ^ "GlobalPlatform publishes TEE Security Best Practice Guidelines".
  5. ^ "TPM MOBILE with Trusted Execution Environment for Comprehensive Mobile Device Security - Trusted Computing Group". 1 June 2012.
  6. ^ "Omtp Hardware Requirements And Defragmentation" (PDF). Retrieved 2017-05-17.
  7. ^ [1]
  8. ^ [2]
  9. ^ "Archived copy". Archived from the original on 2014-08-27. Retrieved 2014-08-27.
  10. ^ "OMTP announces final documents prior to transition into Wholesale Application Community".
  11. ^ "OMTP documents". May 2012. Retrieved 12 September 2014.
  12. ^ a b "GlobalPlatform".
  13. ^ "GlobalPlatform".
  14. ^ "GlobalPlatform".
  15. ^ "A Glance at Mobile Security: The Trusted Execution Environment - Entrust, Inc".
  16. ^ "Solutions - Trustonic- Securing Smart Devices & Mobile Applications".
  18. ^ "GlobalPlatform - TEE Conference - 13 October 2016".
  19. ^ "GlobalPlatform - TEE Conference - 13 October 2016".
  20. ^ "AMD Secure Processor (Built-in technology)".
  21. ^ "Secure Hardware and the Creation of an Open Trusted Ecosystem" (PDF). Retrieved 2017-05-17.
  22. ^ Chiappetta, Marco (2014-04-29). "AMD Beema and Mullins Low Power 2014 APUs Tested - Page 2". HotHardware. Retrieved 2017-05-17.
  23. ^ a b "ARM TrustZone Software - Open Virtualization FAQ".
  24. ^ "GlobalPlatform Trusted Execution Environment & TrustZone… - ARM".
  25. ^ "The Trusted Execution Environments on Mobile Devices" (PDF). Retrieved 2017-05-17.
  26. ^ "WW46_2014_MCG_Tablet_Roadmap_图文_百度文库".
  27. ^ "CyanogenMod/android_device_asus_mofd-common". GitHub.
  28. ^ "heidiao/sfp_m2_bt". GitHub.
  29. ^ "Hex Five Security Adds MultiZone™ Trusted Execution Environment to the SiFive Software Ecosystem". Retrieved 2018-09-13.
  30. ^ "Solutions | Trustonic- Securing Smart Devices & Mobile Applications". Trustonic. Retrieved 2017-05-17.
  31. ^ "Re: GlobalPlatform Letter of Qualification - Product" (PDF). Retrieved 2017-05-17.
  32. ^ "Pingbo Information Technology - TrustKernel".
  33. ^ "Re: GlobalPlatform Letter of Qualification – Product" (PDF). Retrieved 2017-05-17.
  34. ^ "Solacia".
  35. ^ "Re: GlobalPlatform Letter of Qualification – Product" (PDF). Retrieved 2017-05-17.
  36. ^ "CoreTEE | Sequitur Labs Inc". Sequitur Labs Inc. Retrieved 2017-06-22.
  37. ^ "MicroEJ VEE | MicroEJ".
  38. ^ "KF| Kernel and Features".
  39. ^ "ProvenCore | Prove & Run". Retrieved 2017-06-22.
  40. ^ "OP-TEE". GitHub.
  41. ^ " Git - 3rdparty/ote_partner/tlk.git/summary".
  42. ^ "T6 - Secure OS and TEE".
  43. ^ "Open-TEE/project". GitHub.
  44. ^ "GzOS, A Microkernel-Based Trusted OS".
  45. ^ "Open Virtualization - ARM TrustZone and ARM Hypervisor Open Source Software".
  46. ^ "GlobalPlatform".
  47. ^ Clark, Sarah (2010-08-11). "GlobalPlatform specification adds secure area to mobile phone baseband processors • NFC World". Retrieved 2017-05-17.
  48. ^ a b "GlobalPlatform releases Trusted Execution Environment specs". Finextra Research. 17 May 2012.
  49. ^ "Enterprise | Trustonic- Flexibility As Well As Device Security". Trustonic. Retrieved 2017-05-17.
  50. ^ "GlobalPlatform Qualified Products". GlobalPlatform.
  51. ^ "GlobalPlatform Device Committee : TEE Protection Profile Version 1.2" (PDF). Retrieved 2017-05-17.
  52. ^ "GlobalPlatform".