Client Application and Trusted Application in Trusted Execution Environment (TEE)

2.3k views Asked by At

I am new to the TEE (Trusted Execution Environment). Can someone help me with few basic doubts?

AFAIK, every Android mobile device have a separate TEE OS installed along with some predefined TA (Trusted Application) to store the secret information like fingerprint images, password, key pair, etc.

How to identify the TEE OS running on a Android phone? Is there a chance that multiple TEE present in one device like Trusty (from Google), Kinibi (from Trustonic), etc?

As Trusty came from Google, will all the device have a Trust OS by default?

How can I list the existing TA application present inside a TEE? If so, can we connect to the existing TA using CA (Client Application using Trusty API from google) from mobile phone?

2

There are 2 answers

0
Dalton Cézane On BEST ANSWER

In order to use the TrustZone capabilities (TEE operations and features), we have to use one "Secure OS": Trusty OS, OP-TEE OS, SierraTEE. The secure boot process, that starts at ROM, has some phases and initializes the Secure OS before the "Rich OS" (insecure OS). Once both are initialized, the Client Applications at Normal World (Rich OS) can communicate with the Trusted Applications at Secure World (Secure OS) by using the TEE Driver. For your first question, I think we can observe the boot process to observe which Secure OS is initialized. My little knowledge lead me to think that there is no command we can run to discover this information, since the communication between two worlds is made by the TEE Driver.

Regarding multiple TEE OS running on same device, you would have to change the way secure boot is executed, to add the order of Secure OSes initialization, and you would need specific drivers for communication with each Secure OS or a general driver responsible to communicate with all of them. I do not know why you should want to have many TEE OS running, but I know that you can run many TAs (Trusted Applications) at same time in a Secure OS.

To work with Trusty, you have to check if the Android version supports it. Also, you have to check if TrustZone is enabled at your device (many devices have the technology, but they are sold with it disabled).

At the Normal World you can not list the Trusted Applications running at the Secure World. You can list all the Client Applications that are running at Normal World. But these surely can connect to specific Trusted Applications running at Secure World.

0
Deepak Arya On

Please note, Trusty OS is not compliance to Global platform TEE specification rather it is based on Google TEE API.

Other TEE OS like OP-TEE/Open TEE are global platform compliance and hence solve the inter operability issue.

So while developing CA / TA you must need to tack care target platform. if we think in this way there are rare chance that more then one TEE OS supposed to present on Single device.