Back in the dawn of time (well, 2004), a group of people (including myself) got together, at the behest of mobile network operators (MNOs), in an organisation called the Open Mobile Terminal Platform (OMTP) and defined the basic characteristics of a TEE (then called an ATE). Those original documents are now hosted by the GSMA.
Having defined the basic capabilities from the MNO point of view, a wider section of industry became interested in the security the TEE provides. Since 2010, GlobalPlatform has been the core location for driving standardised TEE functionality and security validation (and, very importantly, for driving independent TESTS to prove that real devices pass these standards!).
Over the years, new enabling APIs have been added to the TEE (such as a real Trusted User Interface, isolated from access by other parts of the device) as more advanced capability has appeared in hardware.
To introduce all this work and place it in context, GlobalPlatform publishes a TEE System Architecture document, the latest version of which was released in December 2018.
While this provides a good introduction to traditional TEE design, those of you only moderately familiar with proper TEEs may find a few surprises in the basic document, such as support for TEEs based on hardware-backed isolation models beyond ARM TrustZone technology.
What is new in 1.2?
Root of Trust
In the past, GlobalPlatform TEEs have been used to implement Trusted Computing Group (TCG) Trusted Platform Module (TPM) functionality. The TPM is a well-known Root of Trust (RoT) component for Rich Operating Systems, and GlobalPlatform has wanted to clarify how a RoT works in a TEE.
Unlike a traditional PC, which runs a single operating system (e.g. Microsoft Windows), a mobile device tends to contain many independent platforms, each with a potential Root of Trust. Think about a cellphone, which typically contains a Baseband OS and a Rich OS (e.g. Android), as well as other sub-platforms such as the TEE and the Secure Element.
This TEE System Architecture release adds clarity on the potential Roots of Trust, using the GlobalPlatform definitions for the terminology.
What makes a GlobalPlatform Root of Trust?
From the GlobalPlatform point of view, any code that cannot be attested to in some way by other code on the platform is a Root of Trust. That is a gross oversimplification, so read the GlobalPlatform definition document.
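To make that definition concrete, here is a small simulation of a verified boot chain across the two sub-platforms mentioned above (an application processor and a baseband). This is an added illustration written for this post, not GlobalPlatform's or any vendor's code; the stage names, the stand-in "images" and the linear chain (each stage holding the digest of the one it hands over to) are constructed assumptions. The point it shows is the one in the definition: the Root of Trust of each chain is simply the stage that no other code on the platform attests, which is also why tampering with it goes unnoticed by the chain itself and why a real RoT has to be protected by other means (immutable ROM, OTP fuses).

```python
"""Constructed simulation of 'a Root of Trust is code nothing else attests'.
Not GlobalPlatform code; names, images and chain layout are assumptions."""
from __future__ import annotations

import copy
import hashlib
from dataclasses import dataclass
from typing import Optional


def sha256(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


@dataclass
class Stage:
    name: str
    image: bytes                              # stand-in for the stage's code
    verifies: Optional[str] = None            # next stage this one checks before hand-over
    embedded_digest: Optional[bytes] = None   # digest of that next stage, baked into this stage


def build_chain(stages: list[tuple[str, bytes]]) -> list[Stage]:
    """Link stages in boot order: stage i carries the digest of stage i+1.
    (A real build bakes these in from the last stage backwards; kept as a field here.)"""
    chain = [Stage(name, image) for name, image in stages]
    for cur, nxt in zip(chain, chain[1:]):
        cur.verifies = nxt.name
        cur.embedded_digest = sha256(nxt.image)
    return chain


def build_platform() -> dict[str, list[Stage]]:
    """Constructed phone with two independent sub-platforms (see the text above)."""
    return {
        "application processor": build_chain([
            ("Boot ROM", b"ap-rom-v1"),       # immutable, nothing verifies it
            ("Bootloader", b"ap-bl-v7"),
            ("TEE OS", b"tee-os-v3"),
            ("Rich OS", b"android-v9"),
        ]),
        "baseband": build_chain([
            ("Baseband ROM", b"bb-rom-v1"),   # a second, independent RoT
            ("Baseband OS", b"bb-os-v4"),
        ]),
    }


def roots_of_trust(platform: dict[str, list[Stage]]) -> list[str]:
    """GlobalPlatform's rule of thumb: whatever no other code on the platform attests."""
    attested = {s.verifies for chain in platform.values() for s in chain if s.verifies}
    return [s.name for chain in platform.values() for s in chain if s.name not in attested]


def boot(chain: list[Stage]) -> tuple[bool, list[str]]:
    """Walk the chain; each stage verifies its successor's digest before handing over."""
    log = [f"{chain[0].name}: executing without verification (root of trust)"]
    for cur, nxt in zip(chain, chain[1:]):
        if sha256(nxt.image) != cur.embedded_digest:
            log.append(f"{cur.name}: digest mismatch for {nxt.name}, boot halted")
            return False, log
        log.append(f"{cur.name}: verified {nxt.name}, handing over")
    return True, log


def tamper(chain: list[Stage], name: str, new_image: bytes) -> list[Stage]:
    """Attacker rewrites one stage in flash; digests held by earlier stages are unchanged."""
    chain = copy.deepcopy(chain)
    for s in chain:
        if s.name == name:
            s.image = new_image
    return chain


if __name__ == "__main__":
    platform = build_platform()
    print("roots of trust:", roots_of_trust(platform))
    ap = platform["application processor"]
    print(*boot(ap)[1], sep="\n")
    print(*boot(tamper(ap, "Rich OS", b"evil"))[1], sep="\n")
    # Replacing the Boot ROM itself is NOT caught: nothing attests the RoT,
    # which is exactly why it must be immutable hardware rather than checked code.
    print("tampered ROM still boots:", boot(tamper(ap, "Boot ROM", b"evil"))[0])
```

Running it lists both ROMs as Roots of Trust, shows the application-processor chain halting at the TEE OS when the Rich OS image is swapped, and shows that a swapped Boot ROM boots "successfully" because no stage checks it.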
Secure Boot and Root of Trust