A trusted execution environment (TEE) is a secure, integrity-protected processing environment, consisting of processing, memory and storage capabilities. It is isolated from the "normal" processing environment, sometimes called the rich execution environment (REE), where the device operating system and applications run.
TEEs can make it possible to build REE applications and services with better security and usability by partitioning them so that sensitive operations are restricted to the TEE and sensitive data never leave the TEE. In our daily lives, we encounter more and more services that use dedicated hardware tokens to improve their security.
Security in the mobile world has had a very different trajectory compared to the world of personal computers. Various stakeholders had strict security requirements, some of which date back two decades, right at the beginning of the explosion of personal mobile communications.
Standardization requirements like ensuring that the device identifier will resist manipulation and change, regulatory requirements like ensuring secure storage for radio frequency parameters, business requirements like subsidy locks, and end user expectations (e.g., no blue screen of death) incentivized mobile device manufacturers, chip vendors and platform providers to design and deploy hardware and platform security mechanisms for mobile platforms from early on. Hardware-based TEEs were seen as essential building blocks in meeting these requirements.
The first mobile phones with hardware-based TEEs appeared almost a decade ago, and today almost every smartphone and tablet contains a TEE like ARM TrustZone, along with software platform security mechanisms.
Despite such a large-scale deployment, the use of TEE functionality has been largely restricted to its original intended uses. There has been no widely available means for application developers to benefit from existing TEE functionality. Fortunately, with emerging standardization this situation is about to change.
In this tutorial, we explain the security features provided by mobile TEEs and describe the On-board Credentials (ObC) system that enables third-party TEE development. We discuss ongoing TEE standardization activities, including the GlobalPlatform standards and the Trusted Platform Module (TPM) 2.0 specification, and identify open problems for the near future of mobile hardware security.