A trusted execution environment (TEE) is an area on the main processor of a device that is separated from the system’s main operating system (OS) to ensure that sensitive data can be stored and managed in a secure environment. TEEs are designed to protect trusted applications and information within an isolated, cryptographic electronic structure and enable end-to-end security. This includes the execution of authenticated code, confidentiality, authenticity, privacy, system integrity and data access rights.
Running parallel to the operating system and using both hardware and software, a TEE is intended to be more secure than the traditional processing environment, which is sometimes referred to as the rich operating system execution environment, or REE, where the device OS and applications run.
Although a secure element requires no industry standards – in fact, it is often constructed by several different companies all in competition for ownership of the chip – a TEE employs a set of industry standards to manage many remote devices at one time. These standards relate to the operations of encryption key management, end-to-end security and lifecycle applications. Service providers, mobile network operators, OS developers, application developers, device manufacturers, platform providers and silicon vendors are all contributing to efforts to standardize TEEs.
Uses of trusted execution environments
As demand for digital trust grows and concern over securing connected devices rises, TEEs have gained in significance. The concept of a “trusted execution environment” is not brand-new, but it is no longer confined to use in high-end technology. TEEs are employed widely in devices, such as smartphones, tablets and set-top boxes. Additionally, they are commonly used by manufacturers of constrained chipsets and Internet of Things (IoT) devices in sectors such as industrial automation, automotive and healthcare.
Applications and services
Applications inside the TEE are considered trusted applications. The data stored on and processed by trusted applications is protected and interactions (whether between applications or the device and end user) are executed securely.
Further, TEEs enable the following services:
- Secure peripheral access: TEEs can directly access and secure peripherals such as the touchscreen or display, offering protection for fingerprint sensors, cameras, microphones and speakers, for example.
- Secure communication with remote entities: These environments can secure data, communications and cryptographic operations. Private and public encryption keys are stored, managed and used only within the secure environment.
- Trusted device identity and authentication: Some TEEs use roots of trust, which allow the legitimacy of a device to be verified by the connected service with which it is trying to enroll.
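As an added illustration (not code from the original article) of the enrollment check a root of trust supports: the service issues a fresh nonce, the trusted application signs it together with the device identity and a firmware measurement using a key that never leaves the TEE, and the service checks the tag, the nonce's freshness and the measurement. The class names, the HMAC-based scheme and the sample values are assumptions for this simulation; real TEEs typically use asymmetric keys and certificates.

```python
import hmac
import hashlib
import secrets

# Constructed example: a device-unique key provisioned into the TEE's root of
# trust at manufacture, with the same key registered at the enrollment service.


class SimulatedTrustedApp:
    """Models a trusted application: the key is used here and never exported."""

    def __init__(self, device_id: str, device_key: bytes):
        self._device_id = device_id
        self._key = device_key  # stays inside the (simulated) TEE

    def attest(self, nonce: bytes, firmware_hash: bytes) -> dict:
        # Bind identity, freshness and the measurement in one tag.
        msg = self._device_id.encode() + nonce + firmware_hash
        tag = hmac.new(self._key, msg, hashlib.sha256).digest()
        return {"device_id": self._device_id, "nonce": nonce,
                "firmware_hash": firmware_hash, "tag": tag}


class EnrollmentService:
    """Models the connected service that verifies device legitimacy."""

    def __init__(self, provisioned_keys: dict, approved_firmware: set):
        self._keys = provisioned_keys          # device_id -> key
        self._approved = approved_firmware      # accepted measurements
        self._outstanding = set()               # nonces issued, not yet used

    def challenge(self) -> bytes:
        nonce = secrets.token_bytes(16)
        self._outstanding.add(nonce)
        return nonce

    def verify(self, report: dict) -> bool:
        nonce = report["nonce"]
        if nonce not in self._outstanding:      # unknown or replayed nonce
            return False
        self._outstanding.discard(nonce)        # each nonce is single use
        key = self._keys.get(report["device_id"])
        if key is None:                         # device was never provisioned
            return False
        msg = report["device_id"].encode() + nonce + report["firmware_hash"]
        expected = hmac.new(key, msg, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, report["tag"]):
            return False                        # wrong key or altered report
        return report["firmware_hash"] in self._approved
```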