Trusted Execution Environment (TEE)

Trusted Execution Environment (TEE) is a secure area within the CPU that runs in an isolated environment, parallel to the operating system. When Apple released the iPhone 5S in 2013, most people focused on new features like the camera and Touch ID. However, above these features, Apple introduced a concept considered to have profound implications for the cryptography world. As the foundation of Touch ID, the Secure Enclave Processor (SEP) was presented as a separate sub-processor used to store sensitive data and run programs on it. These sensitive data are not accessible by regular apps. Apple kept its design and internal operations confidential, releasing only limited internal information.

Shortly after, Intel also began offering a feature called Intel Software Guard Extensions (SGX), promising to keep data encrypted even while in use. Soon after, AMD released a similar product, and even Amazon AWS developed its own software-based secure enclave. Although there are some significant differences between these 4 products, they all focus on protecting data in use, aimed at slightly different use cases.

Currently, TEE has different implementation schemes on different CPUs. On Intel CPUs, the technical solution to implement TEE is called SGX, short for Intel Software Guard Extension. AMD's SEV scheme. On ARM architecture CPUs, the technical solution to implement TEE is called TrustZone, but because of the openness of the ARM architecture, major manufacturers will adopt different solutions when customizing.


Vault

The CPU will ensure that the code and data in the TEE are both confidential and intact. The most powerful part of the TEE is that it can isolate itself from the computer system, as if a small safe is set up inside the computer, so that bad guys can't easily mess around. Important things like your passwords and payment information are inside. Therefore, even if the computer is attacked by a virus, this important information is still safe and sound.

The TEE has its own "execution space", which means that what it uses is separate from our normal operating system. In the TEE, there are some trusted applications that can access important parts of the device. The job of hardware isolation is to protect the TEE from the influence of ordinary apps in the system.

The code and data inside the TEE are strictly protected during execution. The TEE usually provides security mechanisms such as encryption and digital signatures to ensure the integrity of code and data, while ensuring the confidentiality of communications through secure protocols. This makes the TEE an ideal place to store and process sensitive information.


When the TEE starts up, it goes through a series of verifications to ensure that the entire system is secure. For example, first load some secure boot programs, and then gradually verify the critical code in the secure operating system boot process to ensure the security of everything in the TEE.

The TEE has its own execution space, and the software and hardware resources it can access are separate from the operating system. The TEE provides a secure execution environment for authorized secure software or trusted security software (Trust App), protecting its data and resource confidentiality, integrity, and access rights. During startup, the TEE verifies step-by-step to ensure the integrity of the TEE platform in order to ensure the security of the entire system. When the device is powered on, the TEE first loads the secure boot program in ROM and verifies its integrity using the root key.

It then enters the TEE initialization phase and starts the built-in secure operating system of the TEE, level by level checking the critical code at each stage of the secure operating system boot process to ensure the integrity of the secure operating system, while preventing unauthorized or maliciously tampered software from running. After the secure operating system starts, it runs the boot program for the non-secure world and starts the normal operating system. At this point, based on the chain of trust, the TEE completes the secure boot of the entire system and can effectively defend against malicious behaviors such as illegal tampering and code execution during the TEE boot process.


In recent years, cryptography in use has been a very popular topic in the security and privacy community. As with any relatively popular topic, multiple solutions emerge to address the problem at hand. In the privacy/security realm, these solutions are called Privacy Enhancing Technologies (PETs), with secure enclaves being the most widely adopted solution in the industry due to their ease of use, availability, and performance.


Usage

The application scope of TEE is very wide, covering multiple fields. One of them is secure payment. TEE can be used to protect transaction information in payment applications to prevent malware and attackers from stealing users' financial data. Another important application area is the Internet of Things (IoT). TEE can protect sensitive information in embedded devices and prevent unauthorized access and control.

TEE also plays an important role in cloud computing. By introducing TEE into cloud services, users can run code and process data in the cloud while ensuring their privacy and security. This provides higher security for cloud computing, attracting many enterprises and organizations to adopt cloud services.

Moreover, TEE will also be integrated into more cutting-edge technologies such as artificial intelligence and blockchain, giving it more functionality. As a decentralized cloud service, IC uses TEE to enhance the protection of subnet data, further enhancing on-chain privacy. Even node operators do not know what data is running on the machines in the nodes.


With the continuous advancement of digitalization, TEE will continue to play an important role and be further developed in the future. On the one hand, hardware isolation technologies will become more advanced, providing more powerful protection mechanisms. On the other hand, TEE will be more integrated into emerging technologies such as artificial intelligence and blockchain, providing a more reliable security foundation for these fields.

At the same time, TEE may face challenges in terms of standardization and cross-platform compatibility. In order to more widely promote TEE technology, the industry needs to establish consistent standards to ensure interoperability between different manufacturers and devices.

As a key security technology, the trusted execution environment provides powerful protection for data security and privacy. Its principles are based on hardware isolation and secure execution, with a wide range of applications covering payments, Internet of Things, cloud computing and other fields. In the future, with the continuous advancement of technology, TEE will continue to play an important role and demonstrate broader prospects in emerging technology fields.