TPM, TEE, SE, smartphones, ...


General topics


Discrete chip, a secure cryptoprocessor, a dedicated microcontroller designed to secure hardware through integrated cryptographic keys. The term can also refer to a chip conforming to the standard.

One of Windows 11's system requirements is TPM 2.0. Microsoft has stated that this is to help increase security against firmware attacks


Hardware and software

A Trusted Execution Environment (TEE) is a secure area of a main processor. It guarantees code and data loaded inside to be protected with respect to confidentiality and integrity. A TEE as an isolated execution environment provides security features such as isolated execution, integrity of applications executing with the TEE, along with confidentiality of their assets. A TEE offers an execution space that provides a higher level of security for trusted applications running on the device than a rich operating system (OS) and more functionality than a secure element (SE). See Wikipedia.

Overview: 'GlobalPlatform Technology TEE System Architecture v1.3' - White Paper May 2022 – GPD_SPE_009.

Local info: The TEE exposes sets of APIs to enable communication from the REE and other APIs to enable Trusted Application (TA) software functionality within the TEE. GlobalPlatform specified a TEE Protection Profile and API specifications for a GlobalPlatform TEE.

An REE interfaces to the TEE as follows.

GlobalPlatform TEE

Apache's Teaclave incubator

KU-Leuven Distrinet TEEs

TEE hardware families

There are a lot of technologies available in modern processors to implement a TEE:

Arm TrustZone and derivatives

TrustZone is the name of the security architecture in the Arm architecture. It provides two execution environments with system-wide hardware enforced isolation between them. AMD incorporates Arm TrustZone functionality through partnership.

TEE is integrated as SoC.

Intel SGX

Intel's counterpart to Arm TrustZone.



Has its own view on this.

TEE software

Open Source OP-TEE

Origin: STMicroelectronics => Linaro => project.

OP-TEE is a companion to a non-secure Linux kernel running on Arm. It implements TEE Internal Core API v1.1.x which is the API exposed to Trusted Applications and the TEE Client API v1.0, which is the API describing how to communicate with a TEE. Those APIs are defined in the GlobalPlatform API specifications.

You use an OP-TEE linker script to link a compiled Rust library, a TA header and libraries such as libutee into a TA ELF, which then gets signed.

OP-TEE components: More details about the design and implementation can be found in the paper published in ACSAC 2020: RusTEE: Developing Memory-Safe ARM TrustZone Applications. See Here is the BiBTeX record. bibtex @inproceedings{wan20rustee, author = "Shengye Wan and Mingshen Sun and Kun Sun and Ning Zhang and Xu He", title = "{RusTEE: Developing Memory-Safe ARM TrustZone Applications}", booktitle = "Proceedings of the 36th Annual Computer Security Applications Conference", series = "ACSAC '20", year = "2020", month = "12", }

Trustonic's Kinibi

Kinibi is used to protect application-level processors, such as the ARM Cortex-A range, and are used on several smartphone devices like the Samsung Galaxy S series Trustonic’s Kinibi TEE and Qualcomm’s QTEE are the two major TEE implementations used in Android based on Arm TrustZone. Kinibi was primarily designed for devices with the Exynos chipset, mainly used in European and Asian markets. Qualcomm-based Samsung devices run QTEE but also support the execution of Kinibi.

Kinibi has been deployed for countless applications across many chipsets. Kinibi 600, the latest iteration, focuses on performance and flexibility, providing 64-bit SMP and broad support for Android and automotive environments.

Fortanix Enclave Development Platform

Open Source Android's Trusty


Samsung also has its own implementation called TEEGRIS, based on TrustZone.

Huawei iTrustee

iTrustee is the Huawei implementation of a TEE operating system for ARM’s TrustZone.

Qualcomm QTEE

Used on a lot of smartphones.

AWS Nitro hard- and software


SEs are an evolution of the traditional chip that resides in smart cards. A SE is a tamper-resistant platform (typically a one chip secure microcontroller) capable of securely hosting applications and their confidential and cryptographic data. There are different form factors of SE: embedded and integrated SEs, SIM/UICC, smart microSD as well as smart cards. See Global Platform.

SE - Secure Element

Refer to smart cards and smart card applications.





Samsung Knox is a proprietary security framework pre-installed on most Samsung mobile devices. Its primary purpose is to provide organizations with a toolset for managing work devices, such as employee mobile phones or interactive kiosks. Knox provides more granular control over the standard work profile to manage capabilities found only on Samsung devices.

Knox Suite is a consolidated business offering from Samsung that includes four Knox enterprise solutions — Knox Manage, Knox Platform for Enterprise, Knox Mobile Enrollment (bulk enrolment of devices), and Knox E-FOTA (firmware OTA without user intervention).

SE for Android

SE for Android provides a Mandatory Access Control (MAC) over traditional Discretionary Access Control (DAC) environments. SE for Android can grant special privileges based specific EMM policies. In DAC environments, since SE for Android controls access of kernel resources, certain apps may not run as intended. Samsung’s MAC feature allows your apps to run properly alongside SE for Android.



Jailbreaking iPhone