The Knights Templar of the Computing World!
The last few articles were merely preambles to the fascinating world of computing security; from now on we move to more specific topics. I am rooting for us to have fun with lively arguments on some of these topics.
I ran into security in the very early days of my career. One appliance maker had the novel thought of using common hardware and allowing the HMI (Human Machine Interface) panel to determine the actual feature set and functionality. Within no time there were shops around the country that would upgrade an appliance for peanuts by merely changing the HMI panel, of course totally unauthorized. That was my first rodeo with security.
My formal security initiation, though, came a few years later in the beautiful city of Helsinki via the formidable Antti Jauhiainen, who commands rare expertise in embedded security. During a day-long 1:1 workshop organized by Samu Kaajas, Antti taught me the first principles and cautioned me to keep in mind that hackers are usually smarter than me. Anyway, the reason behind this little recollection is that he touched on the concept called Trusted Execution Environment (TEE) and how to effectively design a secured system using a TEE.
Going by this line of thought, a system, however complex it is, can be designed to the required level of security by splitting it into two boundaries, viz.
At no point would a sane security professional say that the REE should not care about security; security should always be systemic, holistic, and pervasive. It is just that the REE can bank upon the TEE to protect certain fundamental security assets and functionalities.
Little More About TEE
A TEE is a physical or logical entity within a computing system: an isolated and secured execution environment that provides essential security services to the rest of the system. The primary job of the TEE is to secure the rest of the SoC, or more precisely whatever needs to be protected in the rest of the SoC. Such protected assets could be data, cryptographic keys, or certain functions. There are various implementations of the TEE doing all sorts of different things, but they do hinge upon some specific capabilities and features. I often think of these TEE units within the SoC as the Knights Templar of the computing world, relentlessly securing what needs to be secured.
While a TEE can be implemented in many ways, a typical TEE exhibits the following characteristics:
Offers isolated execution environment
A firewalled execution environment with its own execution resources, viz. processing capability, memories like immutable ROM and SRAM, register space, and security-specific peripherals like cryptographic accelerators, random number generators, one-time programmable memory, key vault/storage, etc. A hardware firewall prohibits any non-TEE computing subsystem from accessing execution within the bounds of the TEE.
Offers security services
A TEE offers a set of security services leveraging its inherent capabilities: integrity, confidentiality, authenticity, access control, identity and time. The most typical examples of such services are secured boot, secured storage, encryption, privilege management, digital rights management, attestation, anti-cloning, anti-rollback, and whatnot. These services are provided at the request of the generalized Rich Execution Environment (REE).
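As an added illustration (not from the original article), here is a small Python model of the REE/TEE split described above: the root key and the rollback counter live only inside the TEE object, and the REE reaches them solely through the secured-boot and attestation services. An HMAC stands in for the asymmetric signature a real TEE would verify, and the image bytes, version numbers and nonce are constructed sample values.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class TrustedExecutionEnvironment:
    """Model of a TEE: key, rollback counter and boot measurement are private state
    that the REE can only exercise through the service methods below."""
    _root_key: bytes = field(default_factory=lambda: secrets.token_bytes(32), repr=False)
    _min_version: int = 0              # stands in for a one-time-programmable rollback counter
    _measured: Optional[bytes] = None  # hash of the last image that passed secured boot

    # Provisioning-time helper: images are signed with the same root key.
    # A real TEE verifies an asymmetric signature; HMAC keeps this example stdlib-only.
    def sign_image(self, image: bytes, version: int) -> bytes:
        return hmac.new(self._root_key, version.to_bytes(4, "big") + image, hashlib.sha256).digest()

    def secure_boot(self, image: bytes, version: int, tag: bytes) -> bool:
        """Check integrity/authenticity, then enforce anti-rollback before releasing the REE image."""
        if not hmac.compare_digest(self.sign_image(image, version), tag):
            return False                   # tampered or unsigned image: refuse to boot
        if version < self._min_version:
            return False                   # validly signed but older than the floor: rollback
        self._min_version = version        # the counter only ever moves forward
        self._measured = hashlib.sha256(image).digest()
        return True

    def attest(self, nonce: bytes) -> Optional[bytes]:
        """Keyed report binding a verifier nonce to the measured image; None before a good boot."""
        if self._measured is None:
            return None
        return hmac.new(self._root_key, nonce + self._measured, hashlib.sha256).digest()


def ree_boot_sequence() -> dict:
    """Constructed scenario: a good boot, then a rollback attempt, then a tampered image."""
    tee = TrustedExecutionEnvironment()
    v1, v2 = b"REE firmware v1 (constructed)", b"REE firmware v2 (constructed)"
    t1, t2 = tee.sign_image(v1, 1), tee.sign_image(v2, 2)
    return {
        "boot_v2": tee.secure_boot(v2, 2, t2),
        "rollback_to_v1": tee.secure_boot(v1, 1, t1),      # good signature, old version: rejected
        "tampered_v2": tee.secure_boot(v2 + b"!", 2, t2),  # one byte changed: tag no longer matches
        "attested": tee.attest(b"verifier-nonce-0001") is not None,
    }
```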
Protections Against Physical & Logical Tampering
A TEE implements a degree of mitigation against physical and logical tampering. While the logical attack surface is directly proportional to the number of interfaces and services a system offers, physical attacks are limited in some way. Most often these involve messing with power, frequency, current, temperature, EMI, decapsulating the chip, laser and optical attacks, etc. A TEE usually implements some level of mitigation, and such mitigations should be in proportion to the value of the assets it is protecting. Then there is a more subtle class of attacks called side-channel attacks; these derive their name from the fact that they occur while the system is executing its mission-mode functionality, without the system being aware of any attempt to extract meaningful data from it.
Implementations of TEE
As we discussed earlier, there is a wide degree of freedom as to how to implement a TEE. The scope, features and capabilities of a TEE implementation also depend upon the scope of the overall system, as security should always be proportional to the assets it is protecting.
One of the most prevalent architectures in the consumer world is ARM. ARM implements the TEE as ARM TrustZone. One could easily look at the name of the ARM system and understand whether a given ARM-based chip implements a TEE or not. Just look at the famous TDMI, where T stands for TrustZone. This architecture provides certain execution resources like register banks (heard of shadow banks?) but uses the same processor (CPU) for both TEE and REE. The processor thus toggles between two modes of execution, each mode equipped with its own set of execution environments. By the way, this TrustZone technology is also rooted in Helsinki, Finland, where a major phone maker thought about techniques to protect subsidy locks to various carriers. Ask Janne Hirvimies, Antti Jauhiainen, Rauno Tamminen, Jiri Uitto, Jari Lukkarila, Markus Osa, Dmitry Kasatkin and a few others if you wish to know more; they are some of the best minds in this area.
Coming over to the desktop/cloud/server space, you would see the x86 architecture (AMD and Intel) playing major roles; typically these systems allocate dedicated firewalled islands with their own processor and security execution resources for the TEE. If you come across terminology like AMD Secure Processor (ASP) or Converged Security and Management Engine (CSME), you are looking at the TEE implementations of these chip vendors.
Finally, the TEE is really not only what we read above. As computing evolved there were a few more TEE implementations, especially in heavy-workload environments. One of the most pervasive terms in the computing world today, in the era of cloud computing, is confidential computing. AMD, Intel, Qualcomm and so on have their own implementations to meet the needs of the hour, and although these techniques are generally used to isolate user payloads rather than to provide system security, they are still called TEEs. More on these, and a few earlier references, in the following articles.
1 year ago: Sudhir - this was informative, I enjoyed reading it.