
RidgeRun Platform Security Manual/Platform Security/TEE



== Trusted Execution Environment ==
In embedded systems, a Trusted Execution Environment (TEE) is a '''secure area''' of the main processor that is isolated from the rest of the system by hardware-enforced access control. Code and data inside the TEE '''can only be read or modified by software that is itself authorized to run inside it'''; software outside the TEE (the rich OS and its applications) cannot read TEE memory or execute TEE code directly, and can only request services from the TEE through a defined interface. Encryption protects TEE data when it leaves that isolated memory (for example, secure storage written to a normal-world filesystem), but the isolation itself comes from hardware, not from encryption.


Applications that run inside a TEE are known as Trusted Applications (TAs). They are trusted because they execute in isolated secure-world memory: data handled by a TA can only be accessed by the TA itself and by the TEE operating system beneath it, so normal-world software cannot read or alter that data, only pass requests and shared buffers across the boundary. The isolation does not make a TA correct, though: every input that arrives from the normal world must be treated as untrusted and validated by the TA.


A TEE usually relies on a hardware isolation mechanism to separate the secure and non-secure worlds. TEE implementations in embedded systems are commonly based on [https://www.arm.com/technologies/trustzone-for-cortex-a ARM TrustZone] technology, as it provides a low-cost and efficient alternative to a dedicated security core in an SoC. TrustZone lets a single physical core execute in two security states, so it behaves like two virtual processors, a secure world and a non-secure (normal) world, and the security state is propagated on the bus so that memory regions and peripherals can be assigned to one world by hardware-based access control. The two worlds run independently: the normal world cannot reach secure memory, and data crosses the boundary only through explicitly shared memory and controlled world switches through the Secure Monitor.


An example of a TEE implementation based on ARM TrustZone is [https://www.trustedfirmware.org/projects/op-tee/ OP-TEE]. This open-source implementation is used by several embedded platforms, such as NVIDIA Jetson. OP-TEE's main components are '''optee_os''', which runs in the secure world, and '''optee_client''', which runs in the non-secure (normal) world.


The secure-world component, '''optee_os''', is a TEE operating system running at ARMv8-A Secure EL1. It provides generic OS-level functions such as interrupt handling, thread handling, cryptographic services and shared memory, and it implements the GlobalPlatform TEE Internal Core API. Trusted Applications are built against this API and run in the secure world at Secure EL0, so a TA is isolated from optee_os itself as well as from the normal world.


The normal-world component, '''optee_client''', provides the user-space side of OP-TEE: the library (libteec) that implements the GlobalPlatform TEE Client API, through which Client Applications (CAs) open a session to a TA and invoke its commands, and the tee-supplicant daemon, which serves the requests that the secure world makes to the normal world, such as loading a TA binary from the filesystem.


The implementation of OP-TEE in Jetson platforms is illustrated in the following image: