TPM, TEE, SE, smartphones, ...
General topics
TPM
A Trusted Platform Module is a secure cryptoprocessor: a dedicated microcontroller that secures the platform with cryptographic keys it generates and keeps inside the chip, standardised by the Trusted Computing Group (ISO/IEC 11889). The term refers both to the standard and to a chip conforming to it. Implementations are a discrete chip on the board, a firmware TPM (fTPM) running inside the CPU's TEE, or an integrated block on the SoC; all expose the same TPM 2.0 command interface to the OS.
One of Windows 11's system requirements is TPM 2.0. Microsoft has stated that this is to help increase security against firmware attacks; measured boot, BitLocker key protection and Windows Hello credentials rely on it.
TEE
Hardware and software
A Trusted Execution Environment (TEE) is a secure area of a main processor. It guarantees that code and data loaded inside it are protected with respect to confidentiality and integrity. A TEE as an isolated execution environment provides security features such as isolated execution, integrity of applications executing within the TEE, and confidentiality of their assets. A TEE offers an execution space with a higher level of security for trusted applications running on the device than a rich operating system (OS), and more functionality than a secure element (SE). See Wikipedia.
Overview: 'GlobalPlatform Technology TEE System Architecture v1.3' - White Paper May 2022 – GPD_SPE_009.
Local info:
The TEE exposes one set of APIs to enable communication from the REE (Rich Execution Environment, i.e. the normal OS and its applications) and another set to enable Trusted Application (TA) software functionality within the TEE. GlobalPlatform specifies a TEE Protection Profile and API specifications for a GlobalPlatform TEE.
The REE interfaces with the TEE as follows.
- Within the REE, the architecture identifies an optional protocol specification layer, an API, and a supporting communication agent.
- The REE Communication Agent provides REE support for messaging between the Client Application and the Trusted Application.
- The TEE Client API is a low-level communication interface designed to enable a Client Application running in the Regular OS to access and exchange data with a Trusted Application running inside a Trusted Execution Environment.
- The TEE Protocol Specifications layer exposed in the REE offers Client Applications a set of higher-level APIs to access some TEE services. The TEE TA Debug API ([TEE TA Debug]), the TMF ASN.1 Profile, and the TMF OTrP Profile ([TMF OTrP]) currently use this stack layer.
GlobalPlatform TEE
Apache's Teaclave incubator
- Teaclave Apache incubator for universal secure computing platform, subprojects include
- Teaclave SGX SDK
- Teaclave TrustZone SDK
- Teaclave TrustZone SDK (Rust OP-TEE TrustZone SDK) provides the ability to build safe TrustZone applications in Rust. The SDK is based on the OP-TEE project, which follows the GlobalPlatform TEE specifications. In addition, it makes it possible to write TrustZone applications with Rust's standard library (std) and many third-party libraries (crates). Teaclave TrustZone SDK is a sub-project of Apache Teaclave (incubating).
- At first sight this runs on Qemu, so no need to do a hard install of anything else...
- Teaclave Java TEE SDK
KU-Leuven Distrinet TEEs
TEE hardware families
There are a lot of technologies available in modern processors to implement a TEE:
- Arm’s TrustZone technology offers an efficient, system-wide approach to security with hardware-enforced isolation built into the CPU.
- MultiZone Security is the first trusted execution environment for RISC-V created by Hex Five Security.
- The AMD Platform Security Processor (PSP), officially known as AMD Secure Technology, is a trusted execution environment subsystem incorporated into AMD microprocessors.
- Intel Software Guard Extensions (SGX) is a set of security-related instruction codes that are built into some modern Intel CPUs that could be used to implement a TEE.
- Apple uses a dedicated processor called SEP (Secure Enclave Processor) for features like data protection, Touch ID, and Face ID. The SEP is responsible for handling keys and other information such as biometrics that is sensitive enough to not be handled by the application processor.
- Google also has a similar solution called Titan M, a discrete security chip on some Android Pixel devices (closer to a secure element than to an in-CPU TEE) that handles features like secure boot, lock screen protection and disk encryption keys.
Arm TrustZone and derivatives
TrustZone is the name of the security architecture in the Arm architecture. It provides two execution environments (Secure world and Normal world) with system-wide hardware-enforced isolation between them; switches between the worlds go through the Secure Monitor. AMD incorporates Arm TrustZone functionality in its Platform Security Processor (see AMD below).
The TEE is integrated into the SoC rather than being a separate chip.
Intel SGX
Often described as Intel's counterpart to Arm TrustZone, but the model differs: SGX creates user-mode enclaves inside an ordinary process and treats the OS, hypervisor and firmware as untrusted, whereas TrustZone splits the whole system into two worlds with a trusted secure-world OS.
AMD
- AMD Pro-security overall page
- Microsoft Pluton Security Processor - a Microsoft-designed security processor integrated into the CPU die (AMD Ryzen 6000 mobile and later) that can act as the TPM for Windows 11
- AMD Memory Guard
- AMD Secure Processor ('PSP')
- AMD Shadow Stack
- AMD Secure Boot - extends the AMD silicon root of trust to help protect the system by establishing an unbroken chain of trust from the AMD silicon root of trust to the BIOS. The UEFI secure boot helps continue the chain of trust from the system BIOS to the OS Bootloader. This helps defend against remote attackers seeking to embed malware into firmware.
- AMD product security
- AMD PSP - Wikipedia Platform Security Processor
- Is a trusted execution environment subsystem incorporated since about 2013 into AMD microprocessors.
- The PSP itself is an Arm Cortex-A5 core with the TrustZone extension, embedded in the main CPU die as a coprocessor.
- The PSP contains on-chip firmware which is responsible for verifying the SPI ROM and loading off-chip firmware from it.
- It is believed that the off-chip firmware from the SPI ROM contains an application resembling an entire micro operating system.
- Investigation of a Lenovo ThinkPad A285 notebook's motherboard flash chip (which stores the UEFI firmware) revealed that the PSP core itself runs before the main CPU and that its firmware bootstrapping process starts just before basic UEFI gets loaded. The firmware runs in the same system memory space that user applications do, with unrestricted access to it.
- Because the PSP is the component that decides whether the x86 cores will run or not, it is used to implement hardware downcoring: specific cores on the system can be made permanently inaccessible during manufacturing.
- The PSP also provides a random number generator for the RDRAND instruction and provides TPM services (the firmware TPM, fTPM).
- Reverse-engineering the PSP
- AMD SEV Secure Encrypted Virtualization
- Uses one AES key per virtual machine to isolate guests and the hypervisor from one another. The keys are managed by the AMD Secure Processor. Plain SEV encrypts guest memory only; SEV-ES additionally encrypts guest register state on VM exit, and SEV-SNP adds memory integrity protection and remote attestation of the guest.
Apple
Apple's equivalent is the Secure Enclave (SEP); see Apple under SE below.
TEE software
Open Source OP-TEE
Origin: STMicroelectronics => Linaro => TrustedFirmware.org project.
OP-TEE is a companion to a non-secure Linux kernel running on Arm. It implements TEE Internal Core API v1.1.x which is the API exposed to Trusted Applications and the TEE Client API v1.0, which is the API describing how to communicate with a TEE. Those APIs are defined in the GlobalPlatform API specifications.
In the Teaclave TrustZone SDK flow, an OP-TEE linker script links the compiled Rust library, a TA header and libraries such as libutee into a TA ELF, which then gets signed. Note that OP-TEE ships a development signing key; a production build must use its own key, since the TEE will load any TA signed with the key it trusts.
OP-TEE components:
- Secure privileged layer, executing at Arm secure PL-1 (v7-A) or EL-1 (v8-A) level.
- Secure user space libraries designed for Trusted Applications needs.
- Linux kernel TEE framework and driver (merged to the official tree in v4.12).
- Linux user space library designed upon the GlobalPlatform TEE Client API specifications.
- Linux user space supplicant daemon (tee-supplicant) responsible for remote services expected by the TEE OS.
- Test suite (xtest), for doing regression testing and testing the consistency of the API implementations.
- An example git containing a couple of simple host- and TA-examples.
- Some build scripts, debugging tools to ease its integration and the development of Trusted Applications and secure services.
More details about the design and implementation of the Rust (Teaclave) TrustZone SDK on top of OP-TEE can be found in the paper published at ACSAC 2020: RusTEE: Developing Memory-Safe ARM TrustZone Applications. See https://csis.gmu.edu/ksun/publications/ACSAC20_RusTEE_2020.pdf. Here is the BibTeX record.
    @inproceedings{wan20rustee,
      author    = "Shengye Wan and Mingshen Sun and Kun Sun and Ning Zhang and Xu He",
      title     = "{RusTEE: Developing Memory-Safe ARM TrustZone Applications}",
      booktitle = "Proceedings of the 36th Annual Computer Security Applications Conference",
      series    = "ACSAC '20",
      year      = "2020",
      month     = "12",
    }
Trustonic's Kinibi
Kinibi is used to protect application-level processors, such as the Arm Cortex-A range, and is used on several smartphone devices such as the Samsung Galaxy S series.
- Trustonic - founded by Arm, G&D and Gemalto to deliver TEE for Arm (Arm Trustzone)
Trustonic’s Kinibi TEE and Qualcomm’s QTEE are the two major TEE implementations used in Android based on Arm TrustZone. Kinibi was primarily designed for devices with the Exynos chipset, mainly used in European and Asian markets. Qualcomm-based Samsung devices run QTEE but also support the execution of Kinibi.
Kinibi has been deployed for countless applications across many chipsets. Kinibi 600, the latest iteration, focuses on performance and flexibility, providing 64-bit SMP and broad support for Android and automotive environments.
Fortanix Enclave Development Platform (EDP) - Rust toolchain and runtime for building Intel SGX enclaves
Open Source Android's Trusty
Samsung TEEGRIS
Samsung also has its own implementation called TEEGRIS, based on TrustZone.
Huawei iTrustee
iTrustee is the Huawei implementation of a TEE operating system for ARM’s TrustZone.
Qualcomm QTEE
Used on a lot of smartphones.
AWS Nitro hard- and software
- AWS Nitro - the Nitro hypervisor plus the supporting offload cards and the Nitro Security Chip. Nitro Enclaves carve an isolated VM out of a parent EC2 instance (no persistent storage, no network, only a vsock to the parent) and attest it with an attestation document signed by the Nitro hypervisor.
- AWS Annapurna Labs acquired by Amazon in 2016
- AWS Graviton CPUs by Annapurna Labs
- Family of 64-bit ARM-based CPUs designed by the Amazon Web Services (AWS) subsidiary Annapurna Labs. The processor family is distinguished by its lower energy use relative to x86-64, static clock rates, and omission of simultaneous multithreading. It was designed to be tightly integrated with AWS servers and datacenters, and is not sold outside Amazon.
SE
SEs are an evolution of the traditional chip that resides in smart cards. An SE is a tamper-resistant platform (typically a single-chip secure microcontroller) capable of securely hosting applications and their confidential and cryptographic data. There are different form factors of SE: embedded and integrated SEs, SIM/UICC, smart microSD as well as smart cards. See GlobalPlatform.
SE - Secure Element
Refer to smart cards and smart card applications.
Apple
- Apple wallet
- Apple ID - use by US government
- Apple iOS Secure Enclave (SEP) - easily confused with the smart-card/GSM 'secure element' abbreviation, which it is not
- Is a secure coprocessor, part of Apple's A-series and M-series SoCs and of the T2 Security Chip on Intel Macs, that includes a hardware-based key manager isolated from the application processor.
- Is a hardware feature of certain versions of iPhone, iPad, Mac, Apple TV, Apple Watch and HomePod.
Android
- Android - security
- Android - hardware-backed keystore
- Android - gatekeeper
- Performs device pattern/password authentication in a TEE. Gatekeeper enrolls and verifies passwords via an HMAC with a hardware-backed secret key, stores only an opaque password handle, and throttles repeated failures from inside the TEE so brute force cannot be sped up from the Android side.
- Trusty - security
- Trusty is a secure Operating System (OS) that provides a TEE for Android. Trusty runs on the same processor as the Android OS, but Trusty is isolated from the rest of the system by both hardware and software. Trusty and Android run in parallel to each other.
- Authentication - gatekeeperd/keystoreservice in Android - gatekeeper/keymaster (in the TEE; Keymaster is replaced by KeyMint from Android 12 onwards)
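As an added illustration of the Gatekeeper flow described above (my own toy model, not AOSP code): enrollment produces an opaque handle containing a salt and an HMAC computed under a device-bound secret that would live in the TEE; verification recomputes the HMAC with a constant-time compare, issues a time-bound auth token on success, and applies a failure-based throttle on the TEE side. The device secret, handle layout and the throttle schedule (30 s after 5 failures, doubling every further 5) are assumptions chosen for the example.

```python
import hashlib
import hmac
import os
import struct
import time

# Hypothetical stand-in for the device-bound secret that a real Gatekeeper
# derives inside the TEE and never exports. Fixed here so the example is reproducible.
HW_SECRET = hashlib.sha256(b"constructed-device-root-key").digest()

HANDLE_VERSION = 1
SALT_LEN = 16
TAG_LEN = 32


class Gatekeeper:
    """Toy model of Gatekeeper enroll/verify/throttle (added example, not AOSP code)."""

    def __init__(self, hw_secret=HW_SECRET, rng=os.urandom, clock=time.monotonic):
        self._key = hw_secret
        self._rng = rng          # injectable for deterministic tests
        self._clock = clock      # injectable so throttling can be tested without sleeping
        self._fail = {}          # uid -> (failure_count, time_of_last_failure)

    def _tag(self, uid, sid, salt, password):
        # Binds the HMAC to the Android user id and secure user id as well as the salt,
        # so a handle cannot be replayed for another user.
        msg = struct.pack(">IQ", uid, sid) + salt + password.encode()
        return hmac.new(self._key, msg, hashlib.sha256).digest()

    def enroll(self, uid, password):
        """Return an opaque handle: version || sid || salt || tag. No plaintext is kept."""
        salt = self._rng(SALT_LEN)
        sid = struct.unpack(">Q", self._rng(8))[0]   # secure user id for this enrollment
        return struct.pack(">BQ", HANDLE_VERSION, sid) + salt + self._tag(uid, sid, salt, password)

    @staticmethod
    def _timeout(count):
        # Assumed schedule: no delay below 5 failures, then 30 s doubling every 5 more.
        if count < 5:
            return 0.0
        return 30.0 * (2 ** ((count - 5) // 5))

    def verify(self, uid, handle, password):
        """Return (ok, auth_token_or_None, seconds_to_wait_before_retry)."""
        now = self._clock()
        count, last = self._fail.get(uid, (0, 0.0))
        wait = self._timeout(count) - (now - last)
        if wait > 0:
            return False, None, wait        # throttled: do not even look at the password
        if len(handle) != 9 + SALT_LEN + TAG_LEN:
            return False, None, 0.0
        version, sid = struct.unpack(">BQ", handle[:9])
        salt = handle[9:9 + SALT_LEN]
        stored = handle[9 + SALT_LEN:]
        if version != HANDLE_VERSION:
            return False, None, 0.0
        # Constant-time comparison of the recomputed tag against the stored one.
        if not hmac.compare_digest(stored, self._tag(uid, sid, salt, password)):
            self._fail[uid] = (count + 1, now)
            return False, None, self._timeout(count + 1)
        self._fail.pop(uid, None)
        # Auth token: sid and timestamp MACed under the TEE secret. In Android the token
        # key is shared with Keymaster/KeyMint; this toy reuses the same secret.
        body = struct.pack(">QQ", sid, int(now * 1000))
        token = body + hmac.new(self._key, body, hashlib.sha256).digest()
        return True, token, 0.0


if __name__ == "__main__":
    gk = Gatekeeper()
    h = gk.enroll(0, "correct horse")
    print("handle bytes:", len(h), "verify ok:", gk.verify(0, h, "correct horse")[0])
    print("wrong password ok:", gk.verify(0, h, "wrong")[0])
```

The point to notice is that the Android side only ever holds the opaque handle and the token; the secret needed to forge either stays in the secure world, and the retry delay is enforced where the attacker cannot patch it out.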
Samsung
SamsungKnox
Samsung Knox is a proprietary security framework pre-installed on most Samsung mobile devices. Its primary purpose is to provide organizations with a toolset for managing work devices, such as employee mobile phones or interactive kiosks. Knox provides more granular control over the standard work profile to manage capabilities found only on Samsung devices.
Knox Suite is a consolidated business offering from Samsung that includes four Knox enterprise solutions — Knox Manage, Knox Platform for Enterprise, Knox Mobile Enrollment (bulk enrolment of devices), and Knox E-FOTA (firmware OTA without user intervention).
SE for Android
SE for Android (SELinux for Android, yet another meaning of "SE") provides Mandatory Access Control (MAC) on top of the traditional Discretionary Access Control (DAC) environment. SE for Android can grant special privileges based on specific EMM policies. Because SE for Android controls access to kernel resources beyond what DAC allows, certain apps may not run as intended under it. Samsung's MAC feature allows your apps to run properly alongside SE for Android.
Other
Hacking
Jailbreaking iPhone