A trusted execution environment (TEE) is an area on the main processor of a device that is separated from the system’s main operating system (OS). It ensures that data is stored, processed and protected in a secure environment. TEE provides protection for any connected “thing,” such as a trusted application (TA), by enabling an isolated, cryptographic electronic structure and enable end-to-end security. This includes the execution of authenticated code, confidentiality, authenticity, privacy, system integrity and data access rights.
TEEs are used widely in complex devices, such as smartphones, tablets and set-top boxes. TEEs are also used by manufacturers of constrained chipsets and IoT devices in sectors such as industrial automation, automotive and healthcare, who are now recognizing its value in protecting connected things.
Running parallel to the operating system and using both hardware and software, a TEE is intended to be more secure than the traditional processing environment. This is sometimes referred to as a rich operating system execution environment, or REE, where the device OS and applications run.
Uses of trusted execution environments
As demand for digital trust grows and concern over securing connected devices rises, TEEs have gained in significance. The concept of a “trusted execution environment” is not brand-new, but it is no longer confined to use in high-end technology. TEEs are employed widely in devices, such as smartphones, tablets and set-top boxes. Additionally, they are commonly used by manufacturers of constrained chipsets and Internet of Things (IoT) devices in sectors such as industrial automation, automotive and healthcare.
Why is TEE important?
Oftentimes, especially in the case of smartphones, our devices hold a culmination of personal and professional data. For example, mobile devices with apps surrounding payment transactions will hold sensitive data. TEE can help in solving a significant problem for anyone concerned about protecting data. TEE plays an increasingly central role in preventing hacking, data breaches and use of malware.
In any situation where sensitive data is being held on a device, TEE can play an important role in ensuring a secure, connected platform with no additional limitations on device speed, computing power or memory.
How does TEE work?
Even though a TEE is isolated from the rest of the device, a trusted application that runs in a TEE will typically have access to the full power available of a device’s processor and memory. In addition, contained applications within a TEE will be separated from each other through software and cryptographic functions. A TEE can also be set to only accept previously authorized code.
Exactly how a trusted execution environment is implemented will differ depending on the use case. For example, implementation will differ for mobile payments, mobile identity, IoT, or content protection use cases. Still, the fundamental concepts stay the same -- trust, security and isolation of sensitive data
Although a secure element requires no industry standards, a TEE does employ a set of industry standards to manage many remote devices at one time. These standards relate to the operations of encryption key management, end-to-end security and lifecycle applications. Service providers, mobile network operators, OS developers, application developers, device manufacturers, platform providers and silicon vendors are all contributing to efforts to standardize TEEs.
Following the TEE isolation philosophy, TEE remote management is designed such that specific remote managers can be given control of a subset of applications but have no ability to interfere with the rest of those in the TEE. For example, an OEM may manage its TAs, and a bank may be able to manage its TAs, but neither could interfere with the other’s TAs.
Applications and services
Applications inside the TEE are considered trusted applications. The data stored on and processed by TAs is protected and interactions (whether between applications or the device and end user) are executed securely.
Further, TEEs enable the following services:
- Secure peripheral access: TEEs can directly access and secure peripherals such as the touchscreen or display, offering protection for fingerprint sensors, cameras, microphones and speakers, for example.
- Secure communication with remote entities: These environments can secure data, communications and cryptographic operations. Encryption private and public keys are stored, managed and used only within the secure environment.
- Trusted device identity and authentication: Some TEEs use roots of trust, which allow the legitimacy of a device to be verified by the connected service with which it is trying to enroll.
How TEE was developed
TEEs were created to further secure previously trusted platforms. In the mid-2000s, the implementation of TEE began to become a standard-based approach for internet-connected devices. At this point, more organizations began developing TEEs, such as the Trusted Logic and Texas Instruments in 2004. In 2006, ARM developed a commercialized product for TEE called TrustZone. That same year, the Open Mobile Terminal Platform wrote the first set of requirements for trusted environments. These requirements were revised again in 2008.
The 2010s saw a growth in the use of TEEs. In 2012, GlobalPlatform and the Trusted Computer Group founded began working together to create another set of specifications for TEE, used in conjunction with the Trusted Platform Module. Since this time, GlobalPlatform has been the driving force behind driving TEE standardization.
Current and future uses of TEE
The TEE is not an emerging technology. For example, apps such as Samsung Pay or WeChat Pay, and many of the leading Android device makers’ flagship phones, all use a TEE. In this way, TEE has become a central concept when considering security of sensitive data in smartphones.
The increase of the internet of things is also expanding the need for trusted identification to new connected devices. TEEs are one technology helping manufacturers, service providers and consumers to protect their devices, IP and sensitive data.
The trusted execution environment is already bringing value to a range of device types and sectors. The technology opens up a number of options and possibilities for hardware isolation. For example, developers can add additional value to their services by utilizing TEEs with complementary technologies like Digital Holograms that sit alongside TEEs to add value for service providers and device makers.