TEE, SE, smartphones, ...
General topics
Security solutions
Remember:
- A trusted execution environment (TEE) is a secure area of a main processor. It guarantees that code and data loaded inside
it are protected with respect to confidentiality and integrity. As an isolated execution environment, a TEE provides security
features such as isolated execution, integrity of the applications executing within the TEE, and confidentiality of their
assets. A TEE offers an execution space with a higher level of security for trusted applications running on the device than
a rich operating system (OS) has, and more functionality than a secure element (SE). See Wikipedia
- SEs are an evolution of the traditional chip that resides in smart cards. An SE is a tamper-resistant platform (typically a single-chip secure microcontroller) capable of securely hosting applications
and their confidential and cryptographic data. SEs come in different form factors: embedded and integrated SEs, SIM/UICC,
smart microSD, as well as smart cards. See GlobalPlatform
TEEs
TrustZone is the name of the security architecture in the Arm A-profile architecture. TrustZone provides two execution environments (the Normal world and the Secure world) with system-wide, hardware-enforced isolation between them.
Intel SGX is Intel's counterpart, but with a different model: instead of a separate secure world it provides user-mode enclaves inside an ordinary process, whose memory is encrypted and isolated from the OS and hypervisor.
Intel
ARM
Integrated into the SoC: TrustZone is a property of the Arm cores and system bus, not a separate chip.
Apple
- Apple wallet
- Apple ID - use by US government
- Apple iOS Secure Enclave (SE) - note the confusing overlap with the 'secure element' abbreviation used in the GSM/smart-card world
- Is a secure coprocessor (shipped e.g. in the Apple T2 Security Chip and in Apple A- and M-series SoCs) that includes a hardware-based key manager, isolated from the main processor.
- Is a hardware feature of certain versions of iPhone, iPad, Mac, Apple TV, Apple Watch and HomePod.
Android
- Android - security
- Android - hardware-backed keystore
- Android - gatekeeper
- Performs device pattern/password authentication in a TEE. Gatekeeper enrolls and verifies passwords via an HMAC with a hardware-backed secret key.
- Trusty - security
- Trusty is a secure Operating System (OS) that provides a TEE for Android. Trusty runs on the same processor as the Android OS,
but Trusty is isolated from the rest of the system by both hardware and software. Trusty and Android run parallel to each other.
- Authentication flow: gatekeeperd and the keystore service (Android, normal world) talk to the gatekeeper and keymaster trusted applications (in the TEE); a successful gatekeeper verification yields an auth token that keymaster checks before using auth-bound keys
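The Gatekeeper model from the notes above (enroll/verify via an HMAC under a hardware-backed key, throttling after repeated failures, and an auth token handed on to keymaster), as an added toy illustration. This is not AOSP code: the HMAC key stands in for the secret that on a real device never leaves the TEE, and the handle layout, throttling schedule, token format and the names `Gatekeeper` / `keymaster_accepts` are simplifying assumptions.

```python
"""Toy model of Android Gatekeeper's enroll/verify protocol (added example, not AOSP code)."""
import hashlib
import hmac
import os
import struct
import time


class Gatekeeper:
    """Stands in for the gatekeeper trusted application running inside the TEE."""

    SALT_LEN = 16

    def __init__(self, hw_key: bytes, auth_token_key: bytes):
        self._hw_key = hw_key            # assumed TEE-only secret; the normal world never sees it
        self._token_key = auth_token_key  # assumed key shared only with the keymaster TA
        self._failures = {}              # user_id -> (failure count, time of last failure)

    def _tag(self, user_id: int, salt: bytes, password: bytes) -> bytes:
        # Binding the user id into the MAC stops a handle from being replayed for another user.
        msg = struct.pack("<I", user_id) + salt + password
        return hmac.new(self._hw_key, msg, hashlib.sha256).digest()

    def enroll(self, user_id: int, password: bytes) -> bytes:
        """Return a password handle. It holds only salt + HMAC, so it is safe to store in the normal world."""
        salt = os.urandom(self.SALT_LEN)
        return salt + self._tag(user_id, salt, password)

    def _retry_timeout_ms(self, user_id: int, now: float) -> int:
        # Assumed schedule: 30 s after 5 failures, doubling every further 5 failures.
        count, last = self._failures.get(user_id, (0, 0.0))
        if count < 5:
            return 0
        wait = 30.0 * 2 ** ((count - 5) // 5)
        return max(0, int((last + wait - now) * 1000))

    def verify(self, user_id: int, handle: bytes, password: bytes, challenge: int, now=None):
        """Return (ok, retry_timeout_ms, auth_token)."""
        now = time.monotonic() if now is None else now
        timeout = self._retry_timeout_ms(user_id, now)
        if timeout:
            return False, timeout, b""   # throttled: refuse even a correct password
        salt, tag = handle[:self.SALT_LEN], handle[self.SALT_LEN:]
        if not hmac.compare_digest(tag, self._tag(user_id, salt, password)):
            count, _ = self._failures.get(user_id, (0, 0.0))
            self._failures[user_id] = (count + 1, now)
            return False, self._retry_timeout_ms(user_id, now), b""
        self._failures.pop(user_id, None)
        # Auth token: user id, keystore's challenge and a timestamp, MACed for keymaster.
        body = struct.pack("<IQQ", user_id, challenge, int(now * 1000))
        return True, 0, body + hmac.new(self._token_key, body, hashlib.sha256).digest()


def keymaster_accepts(auth_token_key: bytes, token: bytes, challenge: int) -> bool:
    """Stands in for keymaster checking the auth token before using an auth-bound key."""
    body, mac = token[:20], token[20:]
    if not hmac.compare_digest(mac, hmac.new(auth_token_key, body, hashlib.sha256).digest()):
        return False
    _, token_challenge, _ = struct.unpack("<IQQ", body)
    return token_challenge == challenge


if __name__ == "__main__":
    gk = Gatekeeper(os.urandom(32), os.urandom(32))
    handle = gk.enroll(0, b"1234")          # constructed sample PIN
    print(gk.verify(0, handle, b"1234", challenge=42)[0])   # True
    print(gk.verify(0, handle, b"0000", challenge=42)[0])   # False
```

The point to take from the model: the handle stored outside the TEE carries no secret, a wrong PIN is only detectable by asking the TEE, and the retry timeout is enforced inside the TEE, so brute force cannot be sped up by reading or copying the handle.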
Samsung
Samsung Knox
Samsung Knox is a proprietary security framework pre-installed on most Samsung mobile devices. Its primary purpose is to provide organizations with a toolset for managing work devices, such as employee mobile phones or interactive kiosks. Knox provides more granular control over the standard work profile to manage capabilities found only on Samsung devices.
Knox Suite is a consolidated business offering from Samsung that includes four Knox enterprise solutions — Knox Manage, Knox Platform for Enterprise, Knox Mobile Enrollment (bulk enrolment of devices), and Knox E-FOTA (firmware OTA without user intervention).
SE for Android
SE for Android provides Mandatory Access Control (MAC) on top of the traditional Discretionary Access Control (DAC) environment. SE for Android can grant special privileges based on specific EMM policies. Because SE for Android controls access to kernel resources, certain apps that ran fine under DAC alone may not run as intended. Samsung's Knox MAC policy feature lets an EMM-managed policy grant such apps the access they need, so they run properly alongside SE for Android.
KU-Leuven Distrinet
Other
Hacking
Rooting, jailbreaking, etc.
Jailbreaking iPhone