| RFC 9397 | TEEP Architecture | July 2023 |
| Pei, et al. | Informational | [Page] |
A Trusted Execution Environment (TEE) is an environment thatenforces the following: any code within the environment cannot be tamperedwith, and any data used by such code cannot be read or tampered with by anycode outside the environment.This architecture document discusses the motivation for designing andstandardizing a protocol for managingthe lifecycle of Trusted Applications running inside such a TEE.¶
This document is not an Internet Standards Track specification; it is published for informational purposes.¶
This document is a product of the Internet Engineering Task Force (IETF). It represents the consensus of the IETF community. It has received public review and has been approved for publication by the Internet Engineering Steering Group (IESG). Not all documents approved by the IESG are candidates for any level of Internet Standard; see Section 2 of RFC 7841.¶
Information about the current status of this document, any errata, and how to provide feedback on it may be obtained athttps://www.rfc-editor.org/info/rfc9397.¶
Copyright (c) 2023 IETF Trust and the persons identified as the document authors. All rights reserved.¶
This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (https://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Revised BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Revised BSD License.¶
Applications executing in a device are exposed to many different attacksintended to compromise the execution of the application or reveal thedata upon which those applications are operating. These attacks increasewith the number of other applications on the device, with such otherapplications coming from potentially untrustworthy sources. Thepotential for attacks further increases with the complexity of featuresand applications on devices and the unintended interactions among thosefeatures and applications. The risk of attacks on a system increasesas the sensitivity of the applications or data on the device increases.As an example, exposure of emails from a mail client is likely to be ofconcern to its owner, but a compromise of a banking application raiseseven greater concerns.¶
The Trusted Execution Environment (TEE) concept is designed to letapplications execute in a protected environment that enforces that any code within thatenvironment cannot be tampered with and that any data used by such codecannot be read or tampered with by any code outside that environment,including by a commodity operating system (if present). In a system withmultiple TEEs, this also means that code in one TEE cannot be read or tamperedwith by code in another TEE.¶
This separation reduces the possibilityof a successful attack on application components and the data contained inside theTEE. Typically, application components are chosen to execute inside a TEE becausethose application components perform security-sensitive operations or operate onsensitive data. An application component running inside a TEE is commonly referred to(e.g., in[GPTEE] and[OP-TEE]) as aTrusted Application (TA), while an application running outside any TEE, i.e., in theRich Execution Environment (REE),is referred to as an Untrusted Application (UA). In the example of a banking application, code that relates to the authentication protocol could reside in a TA while the application logic including HTTP protocol parsing could be contained in the Untrusted Application. In addition, processing of credit card numbers or account balances could be done in a TA as it is sensitive data.The precise code split is ultimately a decision of the developer based on the assets the person wants to protect according to the threat model.¶
TEEs are typically used in cases where software or data assets need to be protected from unauthorized accesswhere threat actors may have physical or administrative access to a device. This situation arises, for example, in gaming consoles where anti-cheatprotection is a concern, devices such as ATMs or IoT devices placed inlocations where attackers might have physical access, cell phones or otherdevices used for mobile payments, and hosted cloud environments. Suchenvironments can be thought of as hybrid devices where one user oradministrator controls the REE and a different (remote) user or administratorcontrols a TEE in the same physical device. Insome constrained devices, it may also be the case that there is no REE (only a TEE) and nolocal "user" per se, but only a remote TEE administrator. For further discussionof such confidential computing use cases and threat model, see[CC-Overview] and[CC-Technical-Analysis].¶
TEEs use hardware enforcement combined with software protection to secure TAs andtheir data. TEEs typically offer a more limited set of services to TAs than what is normally available to Untrusted Applications.¶
However, not all TEEs are the same. Different vendors may have differentimplementations of TEEs with different security properties, features, and control mechanisms to operate on TAs. Somevendors may market multiple different TEEs themselves, with differentproperties attuned to different markets. A device vendor may integrateone or more TEEs into their devices depending on market needs.¶
To simplify the life of TA developers interactingwith TAs in a TEE, an interoperable protocol for managing TAs running indifferent TEEs of various devices is needed. This software update protocol needs to make sure that compatible trusted and Untrusted Components (if any) of an application are installed on the correct device. In this TEE ecosystem,the need often arises for an external trusted party to verify theidentity, claims, and permissions of TA developers, devices, and their TEEs.This external trusted party is the Trusted Application Manager (TAM).¶
The Trusted Execution Environment Provisioning (TEEP) protocol addressesthe following problems:¶
For TEEs that simply verify and load signed TAs from an untrustedfilesystem, classic application distribution protocols can be usedwithout modification. On the other hand, the problems listed in the bullets aboverequire a new protocol -- the TEEP protocol. The TEEP protocol is a solution for TEEs that can install and enumerate TAs in a TEE-securedlocation where another domain-specific protocol standard (e.g.,[GSMA] and[OTRP]) that meets the needs is not already in use.¶
The following terms are used:¶
A payment application in a mobile device requires high security andtrust in the hosting device. Payments initiated from a mobiledevice can use a Trusted Applicationto provide strong identification and proof of transaction.¶
For a mobile payment application, some biometric identificationinformation could also be stored in a TEE. The mobile paymentapplication can use such information for unlocking the device and local identification of the user.¶
A trusted user interface (UI) may be used in a mobile device or point-of-sale device toprevent malicious software from stealing sensitive user input data.Such an implementation often relies on a TEE for providing access to peripherals, such as PIN input or a trusted display, so thatthe REE cannot observe or tamper with the user input or output.¶
For better security of authentication, a device may store itskeys and cryptographic libraries inside a TEE, limiting access to cryptographic functions via a well-defined interface and thereby reducing access to keying material.¶
Weak security in Internet of Things (IoT) devices has been posing threats to critical infrastructure, i.e., assets that are essential for the functioningof a society and economy. It is desirable that IoT devices can prevent malwarefrom manipulating actuators (e.g., unlocking a door) orstealing or modifying sensitive data, such as authentication credentialsin the device. A TEE can be one of the best ways to implement such IoTsecurity functions. For example,[GPTEE] uses the term "trusted peripheral" to refer to such things beingaccessible only from the TEE, and this concept is used in some GlobalPlatform-compliant devices today.¶
A tenant can store sensitive data, such as customer details or creditcard numbers, in a TEE in a cloud computingserver such that only the tenant can access the data, which preventsthe cloud hosting provider from accessing the data. A tenant canrun TAs inside a server TEE for secure operation and enhanceddata security. This provides benefits not only to tenants withbetter data security but also to cloud hosting providers for reducedliability and increased cloud adoption.¶
Figure 1 shows the main components in a typical device with an REE and aTEE. Full descriptions ofcomponents not previously defined are provided below. Interactions ofall components are further explained in the following paragraphs.¶
+---------------------------------------------+| Device | Trusted Component| +--------+ | Signer| +---------------+ | |--------------+ || | TEE-1 | | TEEP |-----------+ | || | +--------+ | +--| Broker | | | | +-------+ || | | TEEP | | | | |<-----+ | | +-->| |<-+| | | Agent |<------+ | | | | | +-| TAM-1 || | +--------+ | | |<---+ | | +--->| | |<-+| | | +--------+ | | | | +-------+ || | +----+ +----+ | | | | | TAM-2 | || +-->|TA-1| |TA-2| | +-------+ | | | +-------+ || | | | | | |<---------| UA-2 |--+ | | || | | +----+ +----+ | +-------+ | | | Device| | +---------------+ | UA-1 | | | | Administrator| | | | | | || +--------------------| |-----+ | || | |----------+ || +-------+ |+---------------------------------------------+
A TAM is responsible for performing lifecycle management activity on Trusted Components on behalf of Trusted Component Signers and Device Administrators. This includes installation and deletion of Trusted Components and may include, for example, over-the-air updates to keep Trusted Components up-to-date and clean up when Trusted Components should be removed. TAMs may provide services that make it easier for Trusted Component Signers or Device Administrators to use the TAM's service to manage multiple devices, although that is not required of a TAM.¶
The TAM performs its management of Trusted Components on the device throughinteractions with a device's TEEP Broker, which relaysmessages between a TAM and a TEEP Agent running inside the TEE. TEEP authentication is performed between a TAM and a TEEP Agent.¶
When the TEEP Agent runs in a user or enterprise device, network and application firewallsnormally protect user and enterprise devices from arbitrary connections from external networkentities. In such a deployment, a TAM outside that network might not be able to directlycontact a TEEP Agent but needs to wait for the TEEP Broker to contact it.The architecture inFigure 1 accommodates this case as well as other less restrictive casesby leaving such details to an appropriate TEEP transport protocol (e.g.,[TEEP-HTTP],though other transport protocols can be defined under the TEEP protocol for other cases).¶
A TAM may be publicly available for use by many Trusted Component Signers, or a TAMmay be private and accessible by only one or a limited number ofTrusted Component Signers. It is expected that many enterprises, manufacturers, and network carrierswill run their own private TAM.¶
A Trusted Component Signer or Device Administrator chooses a particular TAM based onwhether the TAM is trusted by a device or set of devices. TheTAM is trusted by a device if the TAM's public key is, or chains up to,an authorized Trust Anchor in the device and conforms with all constraints defined in the Trust Anchor. A Trusted Component Signer or Device Administrator may runtheir own TAM, but the devices they wish to manage must includethis TAM's public key or certificate, or a certificate it chains up to, in theTrust Anchor Store.¶
A Trusted Component Signer or Device Administrator is free to utilize multiple TAMs. This maybe required for managing Trusted Components on multiple different types of devicesfrom different manufacturers or mobile devices ondifferent network carriers, sincethe Trust Anchor Store on these different devices may contain keysfor differentTAMs. To overcome this limitation, Device Administrator may be able to add their own TAM'spublic key or certificate, or a certificate it chains up to, to the Trust Anchor Store on all their devices.¶
Any entity is free to operate a TAM. For a TAM to be successful, it musthave its public key or certificate installed in a device's Trust Anchor Store.A TAM may set up a relationship with device manufacturers or network carriersto have them install the TAM's keys in their device's Trust Anchor Store.Alternatively, a TAM may publish its certificate and allow DeviceAdministrators to install the TAM's certificate in their devices asan aftermarket action.¶
Some devices might implement multiple TEEs. In these cases, there might be one shared TEEP Broker that interacts with all the TEEs in the device.However, some TEEs (for example, SGX[SGX]) present themselves as separate containerswithin memory without a controlling manager within the TEE. As such,there might be multiple TEEP Brokers in the REE,where each TEEP Broker communicates with one or more TEEs associated with it.¶
It is up to the REE and the Untrusted Applicationshow they select the correct TEEP Broker. Verification that the correct TAhas been reached then becomes a matter of properly verifying TA attestations,which are unforgeable.¶
The multiple TEEP Broker approach is shown in the diagram below.For brevity, TEEP Broker 2 is shown interacting with only one TAM, Untrusted Application, and TEE, but no such limitations are intended to be implied in the architecture.¶
+-------------------------------------------+| Device | Trusted Component| | Signer| +---------------+ | || | TEE-1 | | || | +-------+ | +--------+ | +--------+ || | | TEEP | | | TEEP |------------->| |<-+| | | Agent |<----------| Broker | | | | TA| | | 1 | | | 1 |---------+ | || | +-------+ | | | | | | || | | | |<---+ | | | || | +----+ +----+ | | | | | | +-| TAM-1 | Policy| | |TA-1| |TA-2| | | |<-+ | | +->| | |<-+| +-->| | | |<---+ +--------+ | | | | +--------+ || | | +----+ +----+ | | | | | | TAM-2 | || | | | | +-------+ | | | +--------+ || | +---------------+ +---| UA-2 |--+ | | ^ || | +-------+ | | | | Device| +--------------------| UA-1 | | | | | Administrator| +------| | | | | || +-----------|---+ | |---+ | | || | TEE-2 | | | |--------+ | || | +------+ | | | |-------+ | || | | TEEP | | | +-------+ | | || | | Agent|<-------+ | | || | | 2 | | | | | | || | +------+ | | | | | || | | | | | | || | +----+ | | | | | || | |TA-3|<---+ | | +---------+ | | || | | | | | | TEEP |<-+ | || | +----+ | +---| Broker | | || | | | 2 |--------------+| +---------------+ +---------+ || |+-------------------------------------------+
In the diagram above, TEEP Broker 1 controls interactions with the TAs in TEE-1,and TEEP Broker 2 controls interactions with the TAs in TEE-2. This presents some challenges for a TAM in completely managing the device,since a TAM may not interact with all the TEEP Brokers on a particularplatform. In addition, since TEEs may be physically separated, with whollydifferent resources, there may be no need for TEEP Brokers to shareinformation on installed Trusted Components or resource usage.¶
As shown inFigure 2, a TEEP Broker provides communication between one or more TEEP Agents and one or more TAMs. The selection of which TAM to interact with might bemade with or without input from an Untrusted Application but is ultimatelythe decision of a TEEP Agent.¶
For any given Trusted Component, a TEEP Agent is assumed to be able to determine whether that Trusted Component is installed (or minimally, is running) in a TEE withwhich the TEEP Agent is associated.¶
Each Trusted Component is digitally signed, protecting its integrity and linkingthe Trusted Component back to the Trusted Component Signer. The Trusted Component Signer is often the Trusted Component Developer but, insome cases, might be another party such as a Device Administratoror other partyto whom the code has been licensed (in which case, the same code mightbe signed by multiple licensees and distributed as if it were different TAs).¶
A Trusted Component Signer selects one or more TAMs and communicates the Trusted Component(s) to the TAM.For example, the Trusted Component Signer might choose TAMs based upon the markets into which the TAM can provide access. Theremay be TAMs that provide services to specific types of devices, deviceoperating systems, specific geographical regions, or network carriers. A Trusted Component Signer may bemotivated to utilize multiple TAMs in order to maximize market penetrationand availability on multiple types of devices. This means that the same Trusted Componentwill often be available through multiple TAMs.¶
When the developer of an Untrusted Application that depends on a Trusted Component publishesthe Untrusted Application to an app store or other app repository, the developeroptionally binds the Untrusted Application with a manifest that identifieswhat TAMs can be contacted forthe Trusted Component. In some situations, a Trusted Component may only be available via a single TAM; this is likely the casefor enterprise applications or Trusted Component Signers serving a closed community. For broad public apps,there will likely be multiple TAMs in the Untrusted Application's manifest, one servicing one brand of mobiledevice and another servicing a different manufacturer, etc. Because different devices and manufacturers trust different TAMs, the manifest can include multipleTAMs that support the required Trusted Component.¶
When a TEEP Broker receives a request (see the RequestTA API inSection 6.2.1) from an Untrusted Application to install a Trusted Component,a list of TAM URIs may be provided for that Trusted Component, and the request is passed to the TEEP Agent.If the TEEP Agent decides that the Trusted Component needs to be installed, the TEEP Agent selects a single TAM URIthat is consistent with the list of trusted TAMs provisioned in the TEEP Agent, invokes theHTTP transport for TEEP to connect to the TAM URI, and begins a TEEP protocol exchange. When the TEEP Agentsubsequently receives the Trusted Component to install and the Trusted Component's manifest indicates dependencieson any other Trusted Components, each dependency can include a list of TAM URIs for therelevant dependency. If such dependencies exist that are prerequisites to install the Trusted Component,then the TEEP Agent recursively follows the same procedure for each dependency that needs to be installedor updated, including selecting a TAM URI that is consistent with the list of trusted TAMs provisionedon the device and beginning a TEEP exchange. If multiple TAM URIs are considered trusted,only one needs to be contacted, and they can be attempted in some order until one responds.¶
Separate from the Untrusted Application's manifest, this framework relies on the use of the manifest format in[SUIT-MANIFEST] for expressing how to install a Trusted Component, as well as anydependencies on other TEE components and versions.That is, dependencies from Trusted Components on other Trusted Components can be expressed in a Software Update for the Internet of Things (SUIT) manifest,including dependencies on any other TAs, trusted OS code (if any), or trusted firmware.Installation steps can also be expressed in a SUIT manifest.¶
For example, TEEs compliantwith GlobalPlatform[GPTEE] may have a notion of a "security domain" (which is a grouping ofone or more TAs installed on a device that can share information within such a group)that must be created and into which one or more TAs can then be installed. It is thus upto the SUIT manifest to express a dependency on having such a security domain existingor being created first, as appropriate.¶
Updating a Trusted Component may cause compatibility issues with any Untrusted Applications or othercomponents that depend on the updated Trusted Component, just like updating the OS or a shared librarycould impact an Untrusted Application. Thus, an implementation needs to take such issues into account.¶
In TEEP, there is an explicit relationship and dependence between an Untrusted Applicationin an REE and one or more TAs in a TEE, as shown inFigure 2.For most purposes, an Untrusted Application that uses one or more TAs in a TEEappears no different from any other Untrusted Application in the REE. However, the waythe Untrusted Application and its corresponding TAs are packaged, delivered, and installed onthe device can vary. The variations depend on whether the Untrusted Application and TA are bundledtogether or provided separately, and this has implications to the management ofthe TAs in a TEE. In addition to the Untrusted Application and TA(s), the TA(s) and/or TEE may also require additional data to personalize the TA to the device or a user.Implementations of the TEEP protocol must support encryption to preserve the confidentiality of such Personalization Data,which may potentially contain sensitive data. The encryption is used to ensure that no personalization data is sent in the clear. Implementations must also support mechanisms for integrity protection of such Personalization Data.Other than the requirement to support confidentiality and integrity protection,the TEEP architecture places no limitations or requirements on the Personalization Data.¶
There are multiple possible cases for bundling of an Untrusted Application, TA(s), and Personalization Data.Such cases include (possibly among others):¶
The TEEP protocol can treat each TA, any dependencies the TA has, and Personalization Data asseparate Trusted Components with separate installation steps that are expressed in SUIT manifests, and a SUIT manifest might contain or reference multiple binaries (see[SUIT-MANIFEST]for more details). The TEEP Agent is responsible for handling any installation stepsthat need to be performed inside the TEE, such as decryption of private TA binaries orPersonalization Data.¶
In order to better understand these cases, it is helpful to review actual implementations of TEEs and their application delivery mechanisms.¶
In Intel Software Guard Extensions (SGX), the Untrusted Application and TA are typically bundled into the same package (Case 2). The TA exists in the package as a shared library (.so or .dll). The Untrusted Application loads the TA into an SGX enclave when the Untrusted Application needs the TA. This organization makes it easy to maintain compatibility between the Untrusted Application and the TA, since they are updated together. It is entirely possible to create an Untrusted Application that loads an external TA into an SGX enclave and use that TA (Cases 3-5). In this case, the Untrusted Application would require a reference to an external file or download such a file dynamically, place the contents of the file into memory, and load that as a TA. Obviously, such file or downloaded content must be properly formatted and signed for it to be accepted by the SGX TEE.¶
In SGX, anyPersonalization Data is normally loaded into the SGX enclave (the TA) after the TA hasstarted. Although it is possible with SGX to include the Untrusted Application in an encryptedpackage along with Personalization Data (Cases 1 and 5), there are currently no known instances of this in use, since such a construction would require a special installationprogram and SGX TA (which might or might not be the TEEP Agent itself based on the implementation)to receive the encrypted package, decrypt it, separate it into thedifferent elements, and then install each one. This installation is complexbecause the Untrusted Application decrypted inside the TEE must be passed out of the TEE to aninstaller in the REE that would install the Untrusted Application.Finally, the Personalization Data would need to be sent out of theTEE (encrypted in an SGX enclave-to-enclave manner) to the REE's installation app, whichwould pass this data to the installed Untrusted Application, which would in turn send this datato the SGX enclave (TA). This complexity is due to the fact that each SGX enclave is separateand does not have direct communication to other SGX enclaves.¶
As long as signed files (TAs and/or Personalization Data) are installed intoan untrusted filesystem and trust is verified by the TEE at load time, classicdistribution mechanisms can be used. However, some uses of SGX allow a modelwhere a TA can be dynamically installed into an SGX enclave thatprovides a runtime platform. The TEEP protocol can be used insuch cases, where the runtime platform could include a TEEP Agent.¶
In Arm TrustZone[TrustZone] for A-class devices, the Untrusted Application and TA may or may not be bundled together. This differs from SGX since in TrustZone, the TA lifetime is not inherently tied to a specific Untrusted Application process lifetime as occurs in SGX. A TA is loaded by a trusted OS running in the TEE, such as a TEE compliant with GlobalPlatform[GPTEE], where the trusted OS is separate from the OS in the REE. Thus, Cases 2-4 are equally applicable. In addition, it is possible for TAs to communicate with each other without involving any Untrusted Application; thus, the complexity of Cases 1 and 5 are lower than in the SGX example, though still more complex than Cases 2-4.¶
A trusted OS running in the TEE (e.g., OP-TEE[OP-TEE]) that supports loading and verifying signed TAs froman untrusted filesystem can, like SGX, use classic file distributionmechanisms. If secure TA storage is used (e.g., a Replay-ProtectedMemory Block device) on the other hand, the TEEP protocol can be usedto manage such storage.¶
This architecture leverages asymmetric cryptography toauthenticate a device to a TAM. Additionally, a TEEP Agentin a device authenticates a TAM. Theprovisioning of Trust Anchors to a device may be different fromone use case to the other. A Device Administrator may want tohave the capability to control what TAs are allowed.A device manufacturer enables verification by one or more TAMs and by Trusted Component Signers; it may embed a list of default Trust Anchors into the TEEP Agentand TEE for TAM trust verification and TA signature verification.¶
(App Developers) (App Store) (TAM) (Device with TEE) (CAs) | | | | | | | | (Embedded TEE cert) <--| | | | | | | <--- Get an app cert -----------------------------------| | | | | | | | | <-- Get a TAM cert ---------| | | | | |1. Build two apps: | | | | | | | | (a) Untrusted | | | | App - 2a. Supply --> | | | | | | | | (b) TA -- 2b. Supply ----------> | | | | | | | | --- 3. Install ------> | | | | | | | | 4. Messaging-->| |
Figure 3 shows an example where the same developer builds and signstwo applications: (a) an Untrusted Application and (b) a TAthat provides some security functions to be run insidea TEE. This example assumes that the developer, the TEE, and the TAM havepreviously been provisioned with certificates.¶
At step 1, the developer authors the two applications.¶
At step 2, the developer uploads theUntrusted Application (2a) to an Application Store. In this example, the developer is also the Trusted Component Signer and thus generatesa signed TA.The developer can then either bundle the signed TAwith the Untrusted Application or provide a signed Trusted Component containing the TAto a TAM that will be managing the TA in various devices.¶
At step 3, a userwill go to an Application Store to download the UntrustedApplication (where the arrow indicates the direction of data transfer).¶
At step 4, since the Untrusted Application depends on the TA, installing the Untrusted Application will trigger TA installationvia communication with a TAM. The TEEP Agentwill interact with the TAM via a TEEP Broker that facilitates communications between the TAMand the TEEP Agent.¶
Some implementations that install Trusted Components might ask for a user's consent. In otherimplementations,a Device Administrator might choose the Untrusted Applications and related Trusted Components tobe installed. A user consent flow is out of scope of the TEEP architecture.¶
The main components of the TEEP protocolconsist of a set of standard messages created bya TAM to deliver Trusted Component management commands to a deviceand device attestation and response messages created by a TEE thatresponds to a TAM's message.¶
It should be noted that network communication capability is generallynot available in TAs in today's TEE-powered devices. Consequently, TrustedApplications generally rely on a Broker in the REE to provide access tonetwork functionality in the REE. A Broker does not need to know the actualcontent of messages to facilitate such access.¶
Similarly, since the TEEP Agent runs inside a TEE, the TEEP Agent generallyrelies on a TEEP Broker in the REE to provide network access, relayTAM requests to the TEEP Agent, and relay the responses back to the TAM.¶
This architecture leverages the following credentials, which allowachieving end-to-end security between a TAM and a TEEP Agent.¶
Table 1 summarizes the relationships between various keys and wherethey are stored. Each public/private key identifies a Trusted Component Signer, TAM, or TEEand gets a certificate that chains up to some Trust Anchor. A list of trustedcertificates is used to check a presented certificate against.¶
Different CAs can be used for differenttypes of certificates. TEEP messages are always signed, where the signerkey is the message originator's private key, such as that of a TAMor a TEE. In addition to the keys shown inTable 1,there may be additional keys used for attestation or encryption. Refer to the RATS Architecture[RFC9334] for more discussion.¶
| Purpose | Cardinality & Location of Private Key | Private Key Signs | Location of Trust Anchor Store |
|---|---|---|---|
| Authenticating TEEP Agent | 1 per TEE | TEEP responses | TAM |
| Authenticating TAM | 1 per TAM | TEEP requests | TEEP Agent |
| Code Signing | 1 per Trusted Component Signer | TA binary | TEE |
Note that Personalization Data is not included in the table above. The use of Personalization Data is dependent on how TAs are used and what their security requirements are.¶
TEEP requests from a TAM to a TEEP Agent are signed with the TAMprivate key (for authentication and integrity protection). Personalization Data and TA binaries can be encrypted with a key unique to that specific TEE.Conversely, TEEP responses from a TEEP Agent to a TAM can be signed with theTEE private key.¶
The TEE key pair and certificate are thus used for authenticating the TEEto a remote TAM and for sending private data to the TEE. Often, the key pair is burned into the TEE by theTEE manufacturer, and the key pair and its certificate are valid forthe expected lifetime of the TEE. A TAM provider is responsiblefor configuring the TAM's Trust Anchor Store with the manufacturer certificates or CAsthat are used to sign TEE keys. This is discussed further inSection 5.3. Typically,the same TEE key pair is used for both signing and encryption, though separatekey pairs might also be used in the future, as the joint security ofencryption and signature with a single key remains, to some extent, an openquestion in academic cryptography.¶
The TAM key pair and certificate are used for authenticating a TAMto a remote TEE and for sending private data to the TAM (separate key pairs for authentication vs. encryption could also be used in the future). A TAM provideris responsible for acquiring acertificate from a CA that is trusted by the TEEs it manages. Thisis discussed further inSection 5.1.¶
The Trusted Component Signer key pair and certificate are used to sign Trusted Components that the TEEwill consider authorized to execute. TEEs must be configured withthe certificates or keys that it considers authorized to sign TAsthat it will execute. This is discussed further inSection 5.2.¶
A TEEP Agent's Trust Anchor Store contains a list of Trust Anchors, which are typically CA certificates that sign various TAM certificates. The listis usually preloaded at manufacturing time andcan be updated using the TEEP protocol if the TEE has some form of"Trust Anchor Manager TA" that has Trust Anchors in its configuration data.Thus, Trust Anchors can be updated similarly to the Personalization Datafor any other TA.¶
When a Trust Anchor update is carried out, it is imperative that any updatemust maintain integrity where only an authentic Trust Anchor list froma device manufacturer or a Device Administrator is accepted. Detailsare out of scope of this architecture document and can be addressed in a protocoldocument.¶
Before a TAM can begin operation in the marketplace to support adevice with a particular TEE, it must be able to get its raw publickey, its certificate, or a certificate it chains up to listed inthe Trust Anchor Store of the TEEP Agent.¶
The Trust Anchor Store in a TEE contains a list of Trust Anchors (raw public keysor certificates) that are used to determine whether TA binaries are allowed to execute by checking if their signatures can be verified. The listis typically preloaded at manufacturing time andcan be updated using the TEEP protocol if the TEE has some form of"Trust Anchor Manager TA" that has Trust Anchors in its configuration data.Thus, Trust Anchors can be updated similarly to the Personalization Datafor any other TA, as discussed inSection 5.1.¶
The Trust Anchor Store in a TAM consists of a list of Trust Anchors, which are certificates that sign various device TEE certificates. A TAM will accept a device for Trusted Component management if the TEE in the device uses a TEE certificate that is chained to a certificate or raw public key that the TAM trusts, is contained in an allow list, is not found on a block list, and/or fulfills any other policy criteria.¶
This architecture uses a PKI (including self-signed certificates). Trust Anchors exist on the devices to enable the TEEP Agent to authenticate TAMs and the TEE to authenticate Trusted Component Signers, and TAMs use Trust Anchors to authenticate TEEP Agents. When a PKI is used, many intermediate CA certificates can chain to a root certificate, each of which can issue many certificates. This makes the protocol highly scalable. New factories that produce TEEs can join the ecosystem. In this case, such a factory can get an intermediate CA certificate from one of the existing roots without requiring that TAMs are updated with information about the new device factory. Likewise, new TAMs can join the ecosystem, providing they are issued a TAM certificate that chains to an existing root whereby existing TAs in the TEE will be allowed to be personalized by the TAM without requiring changes to the TEE itself. This enables the ecosystem to scale and avoids the need for centralized databases of all TEEs produced, all TAMs that exist, or all Trusted Component Signers that exist.¶
Messages created by a TAM are used to deliver Trusted Componentmanagement commands to a device, and device attestation andmessages are created by the device TEE to respond to TAM messages.¶
These messages are signed end-to-end between a TEEP Agent and a TAM.Confidentiality is provided by encrypting sensitive payloads (such asPersonalization Data and attestation evidence), rather than encrypting themessages themselves. Using encrypted payloads is important to ensurethat only the targeted device TEE or TAM is able to decrypt and viewthe actual content.¶
A TEE and TAs often do not have the capability to directly communicateoutside of the hosting device. For example, GlobalPlatform[GPTEE] specifies one such architecture. This calls for a softwaremodule in the REE world to handle network communication with a TAM.¶
A TEEP Broker is an application componentrunning in the REE of the device or an SDK that facilitatescommunication between a TAM and a TEE. It also provides interfaces forUntrusted Applications to query and trigger installation of Trusted Components that theapplication needs to use.¶
An Untrusted Application might communicate with a TEEP Broker at runtime to trigger Trusted Component installation itself. Alternatively, an Untrusted Application might simply have a metadata file that describes the Trusted Components it depends on and the associated TAM(s) for each Trusted Component. An REE Application Installer can inspect this application metadata file and invoke the TEEP Broker to trigger Trusted Component installation on behalf of the Untrusted Application without requiring the Untrusted Application to run first.¶
A TEEP Broker interacts with a TEEP Agent inside a TEE,relaying messages between the TEEP Agent and the TAM, and may also interact withone or more Untrusted Applications (seeSection 6.2.1).The Broker cannot parse encrypted TEEP messages exchanged between a TAM and a TEEP Agent but merely relays them.¶
When a device has more than one TEE, one TEEP Broker per TEE couldbe present in the REE, or a common TEEP Broker could be used by multiple TEEswhere the transport protocol (e.g.,[TEEP-HTTP]) allowsthe TEEP Broker to distinguish which TEE is relevant for each message from a TAM.¶
The Broker only needs to return an error message to the TAM if the TEE isnot reachable for some reason. Other errors are represented asTEEP response messages returned from the TEE, which will then be passed tothe TAM.¶
As depicted inFigure 4, there are multiple ways in which a TEEP Brokercan be implemented with more or fewer layers being inside the TEE. For example, in model A (the model with the smallest TEE footprint), only theTEEP implementation is inside the TEE, whereas the TEEP/HTTP implementation isin the TEEP Broker outside the TEE.¶
Model: A B C TEE TEE TEE+----------------+ | | || TEEP | Agent | | | Agent| implementation | | | |+----------------+ v | | | | |+----------------+ ^ | || TEEP/HTTP | Broker | | || implementation | | | |+----------------+ | v | | | |+----------------+ | ^ || HTTP(S) | | | || implementation | | | |+----------------+ | | v | | |+----------------+ | | ^| TCP or QUIC | | | | Broker| implementation | | | |+----------------+ | | | REE REE REE
In other models, additional layers are moved into the TEE, increasing the TEE footprint,with the Broker either containing or calling the topmost protocol layer outside of the TEE.An implementation is free to choose any of these models.¶
TEEP Broker implementers should consider methods of distribution, scope, and concurrency on devices and runtime options.¶
The following conceptual APIs exist from a TEEP Broker to a TEEP Agent:¶
For comparison, similar APIs may exist on the TAM side, where a Broker may or may notexist, depending on whether the TAM uses a TEE or not:¶
The Broker installation is commonly carried out at device manufacturing time. A usermay also dynamically download and install a Broker on demand.¶
Attestation is the process through which one entity (an Attester) presents "evidence" in the formof a series of claims to another entity (a Verifier) and provides sufficient proof that the claimsare true. Different Verifiers may require different degrees of confidence in attestation proofs,and not all attestations are acceptable to every Verifier. A third entity (a Relying Party)can then use "attestation results" in the form of another series of claims from a Verifierto make authorization decisions. (See[RFC9334] for more discussion.)¶
In TEEP, as depicted inFigure 5,the primary purpose of an attestation is to allow a device (the Attester) to prove to a TAM(the Relying Party) that a TEE in the device has particular properties, was built by a particularmanufacturer, and/or is executing a particular TA. Other claims are possible; TEEPdoes not limit the claims that may appear in evidence or attestation results,but it defines a minimal set of attestation result claimsrequired for TEEP to operate properly. Extensions to these claims are possible.Other standards or groups may define the format and semanticsof extended claims.¶
+----------------+| Device | +----------+| +------------+ | Evidence | TAM | Evidence +----------+| | TEE |------------->| (Relying |-------------->| Verifier || | (Attester) | | | Party) |<--------------| || +------------+ | +----------+ Attestation +----------++----------------+ Result
At the time of writing this specification, device and TEE attestations have not been standardizedacross the market. Different devices, manufacturers, and TEEs support different attestationprotocols. In order for TEEP to be inclusive, it is agnostic to the format of evidence,allowing proprietary or standardized formats to be used between a TEE and a Verifier (which may or may notbe colocated in the TAM), as long as the format supports encryption ofany information that is considered sensitive.¶
However, it should be recognizedthat not all Verifiers may be able to process all proprietary forms of attestation evidence.Similarly, the TEEP protocol is agnostic as to the format of attestation results and the protocol(if any) used between the TAM and a Verifier, as long as they convey at least the required set of claimsin some format. Note that the respective attestation algorithms are not defined in the TEEP protocol itself;see[RFC9334] and[TEEP] for more discussion.¶
Considerations when appraising evidence provided by a TEE include the following:¶
Some TAMs may require additional claims in order to properly authorize a device or TEE. The specificformat for these additional claims are outside the scope of this specification, but the TEEP protocolallows these additional claims to be included in the attestation messages.¶
For more discussion of the attestation and appraisal process, seethe RATS Architecture[RFC9334].¶
The following information is required for TEEP attestation:¶
[RFC7696] outlines the requirements to migrate from onemandatory-to-implement cryptographic algorithm suite to another over time.This feature is also known as "crypto agility". Protocol evolutionis greatly simplified when crypto agility is consideredduring the design of the protocol. In the case of the TEEPprotocol, the diverse range of use cases (from trusted appupdates for smartphones and tablets to updates of code onhigher-end IoT devices) creates the need for differentmandatory-to-implement algorithms from the start.¶
Crypto agility in TEEP concerns the use of symmetric as well as asymmetric algorithms. In the context of TEEP, symmetric algorithms are used for encryption and integrity protection of TA binaries and Personalization Data, whereas the asymmetric algorithms are used for signing messages and managing symmetric keys.¶
In addition to the use of cryptographic algorithms in TEEP, thereis also the need to make use of different attestation technologies.A device must provide techniques to inform a TAM about theattestation technology it supports. For many deployment cases, itis more likely for the TAM to support one or more attestationtechniques, whereas the device may only support one.¶
The architecture enables the TAM to communicate, via a TEEP Broker, with the device's TEE to manage Trusted Components. However, since the TEEP Broker runs in a potentially vulnerable REE,the TEEP Broker could be malware or be infected by malware.As such, all TAM messages are signed and sensitivedata is encrypted such that the TEEP Broker cannot modify or capturesensitive data, but the TEEP Broker can still conduct DoS attacksas discussed inSection 9.3.¶
A TEEP Agent in a TEE is responsible for protecting against potential attacksfrom a compromised TEEP Broker or rogue malware in the REE. A rogue TEEP Brokermight send corrupted data to the TEEP Agent, launch a DoS attack by sending a floodof TEEP protocol requests, or simply drop or delay notifications to a TEE. The TEEP Agentvalidates the signature of each TEEP protocol requestand checks the signing certificate against its Trust Anchors. To mitigateDoS attacks, it might also add some protectionscheme such as a threshold on repeated requests or the number of TAs that can be installed.¶
Due to the lack of any available alternative, some implementations might rely on the use of an untrusted timer or other event to call the RequestPolicyCheck API (Section 6.2.1), whichmeans that a compromised REE can cause a TEE to not receive policy changes and thus be out of datewith respect to policy. The same can potentially be done by any other manipulator-in-the-middlesimply by blocking communication with a TAM. Ultimately, such outdated compliancecould be addressed by using attestation in secure communication, where the attestationevidence reveals what state the TEE is in, so that communication (other than remediationsuch as via TEEP) from an out-of-compliance TEE can be rejected.¶
Similarly, in most implementations, the REE is involved in the mechanics of installing new TAs.However, the authority for what TAs are running in a given TEE is between the TEEP Agent and the TAM.While a TEEP Broker can, in effect, make suggestions as discussed inSection 6.2.1, it cannot decide or enforce what runs where.The TEEP Broker can also control which TEE a given installation request is directed at, but a TEEPAgent will only accept TAs that are actually applicable to it and where installation instructionsare received by a TAM that it trusts.¶
The authorization model for the UnrequestTA operation is, however, weaker in that itexpresses the removal of a dependency from an application that was untrusted to begin with.This means that a compromised REE could remove a valid dependency from an Untrusted Applicationon a TA. Normal REE security mechanisms should be used to protect the REE and Untrusted Applications.¶
It is the responsibility of the TAM to protect data on its servers.Similarly, it is the responsibility of the TEE implementation to provide protection ofdata against integrity and confidentiality attacks from outside the TEE.TEEs that provide isolation among TAs within the TEE are likewiseresponsible for protecting TA data against the REE and other TAs.For example, this can be used to protect the data of one user or tenantfrom compromise by another user or tenant, even if the attacker has TAs.¶
The protocol between TEEP Agents and TAMs is similarly responsible forsecurely providing integrity and confidentiality protection againstadversaries between them. The layers at which to best provide protection against network adversaries is a design choice. As discussed inSection 6, the transport protocol and any security mechanism associated with it (e.g., the Transport Layer Security protocol) under the TEEP protocol may terminate outside a TEE. If it does, the TEEP protocol itself must provide integrity and confidentiality protection to secure data end-to-end. For example, confidentiality protection for payloads may be provided by utilizing encrypted TA binaries and encryptedattestation information. See[TEEP] for how a specific solution addresses the design question of how to provide integrity and confidentiality protection.¶
It is possible that the REE of a device is compromised. We have already seen examples of attacks on the public Internet with a large numberof compromised devices being used to mount DDoS attacks. A compromisedREE can be used for such an attack, but it cannot tamper with the TEE'scode or data in doing so. A compromised REE can, however, launch DoS attacksagainst the TEE.¶
The compromised REEmay terminate the TEEP Broker such that TEEP transactions cannot reach the TEEor might drop, replay, or delay messages between a TAM and a TEEP Agent.However, while a DoS attack cannot be prevented, the REE cannot accessanything in the TEE if the TEE is implemented correctly.Some TEEs may have some watchdog scheme to observe REE state and mitigate DoSattacks against it, but most TEEs don't have such a capability.¶
In some other scenarios, the compromised REE may ask a TEEP Brokerto make repeated requests to a TEEP Agent in a TEE to install oruninstall a Trusted Component. An installation or uninstallation request constructedby the TEEP Broker or REE will be rejected by the TEEP Agent becausethe request won't have the correct signature from a TAM to pass the requestsignature validation.¶
This can become a DoS attack by exhausting resources in a TEE withrepeated requests. In general, a DoS attack threat exists when the REEis compromised and a DoS attack can happen to other resources. The TEEParchitecture doesn't change this.¶
A compromised REE might also request initiating the full flow ofinstallation of Trusted Components that are not necessary.It may also repeat a prior legitimate Trusted Component installationrequest. A TEEP Agent implementation is responsible for ensuring that itcan recognize and decline such repeated requests. It is also responsiblefor protecting the resource usage allocated for Trusted Component management.¶
A root CA for TAM certificates might get compromised, its certificate mightexpire, or a Trust Anchor other than a root CA certificate may also expire orbe compromised.TEEs are responsible for validating the entire TAM certification path,including the TAM certificate and any intermediate certificates up tothe root certificate. SeeSection 6 of [RFC5280] for details.Such validation generally includes checking for certificaterevocation, but certificate status check protocols maynot scale down to constrained devices that use TEEP.¶
To address the above issues, a certification path update mechanismis expected from TAM operators, so that the TAM can geta new certification path that can be validated by a TEEP Agent.In addition, the Trust Anchor in the TEEP Agent's Trust Anchor Storemay need to be updated. To address this, a TEE Trust Anchor update mechanism is expected from device equipment manufacturers (OEMs), such as using the TEEP protocolto distribute new Trust Anchors.¶
Similarly, a root CA for TEE certificates might get compromised, its certificate mightexpire, or a Trust Anchor other than a root CA certificate may also expire orbe compromised.TAMs are responsible for validating the entire TEE certification path,including the TEE certificate and any intermediate certificates up tothe root certificate. Such validation includes checking for certificaterevocation.¶
If a TEE certification path validation fails, the TEEmight be rejected by a TAM, subject to the TAM's policy.To address this, a certification path update mechanismis expected from device OEMs, so that the TEE can geta new certification path that can be validated by a TAM.In addition, the Trust Anchor in the TAM's Trust Anchor Storemay need to be updated.¶
Device TEEs are responsible for validating the supplied TAM certificates. A compromised TAM may bring multiple threats and damage to user devices that it can manage and thus to the Device Owners. Information on devices that the TAM manages may be leaked to a bad actor. A compromised TAM can also install many TAs to launch a DoS attack on devices, for example, by filling up a device's TEE resources reserved for TAs such that other TAs may not get resources to be installed or properly function. It may also install malicious TAs to potentially many devices under the condition that it also has a Trusted Component signer key that is trusted by the TEEs. This makes TAMs high-value targets. A TAM could be compromised without impacting its certificate or raising concern from the TAM's operator.¶
To mitigate this threat, TEEP Agents and Device Owners have several options for detecting and mitigating a compromised TAM, including but potentially not limited to the following:¶
It is possible that a rogue developer distributes a malicious Untrusted Application and intends to have a malicious TA installed. Such a TAmight be able to escape from malware detection by the REE or access trustedresources within the TEE (but could not access other TEEs or otherTAs if the TEE provides isolation between TAs).¶
It is the responsibilityof the TAM to not install malicious TAs in the first place. The TEEParchitecture allows a TEEP Agent to decide which TAMs it trusts via Trust Anchors and delegate the TA authenticity check to the TAMs it trusts.¶
A TA that was previously considered trustworthy may later befound to be buggy or compromised.In this case, the TAM can initiate the removal of the TA by notifying devices to remove the TA (and potentially notify the REE or Device Owner to remove any Untrusted Application that depend on the TA). If the TAM does not currently have aconnection to the TEEP Agent on a device, such a notification would occurthe next time connectivity does exist. That is, to recover, the TEEP Agentmust be able to reach out to the TAM, for example, whenever the RequestPolicyCheck API (Section 6.2.1) is invoked by a timer or other event.¶
Furthermore, the policy in the Verifier in an attestation process can beupdated so that any evidence that includes the malicious TA would resultin an attestation failure. There is, however, a time window during whicha malicious TA might be able to operate successfully, which is thevalidity time of the previous attestation result. For example, ifthe Verifier inFigure 5 is updated to treat a previouslyvalid TA as no longer trustworthy, any attestation result it previouslygenerated saying that the TA is valid will continue to be used untilthe attestation result expires. As such, the TAM's Verifier shouldtake into account the acceptable time window when generating attestationresults. See[RFC9334] for further discussion.¶
TEE device certificates are expected to be long-lived, longerthan the lifetime of a device. A TAM certificate usually has amoderate lifetime of 1 to 5 years. A TAM should get renewed orrekeyed certificates. The root CA certificates for a TAM, which areembedded into the Trust Anchor Store in a device, should have longlifetimes that don't require device Trust Anchor updates. On theother hand, it is imperative that OEMs or device providers plan forsupport of a Trust Anchor update in their shipped devices.¶
For those cases where TEE devices are given certificates for which no goodexpiration date can be assigned, the recommendations inSection 4.1.2.5 of [RFC5280] are applicable.¶
In some scenarios, it is desirable to protect the TA binary or Personalization Datafrom being disclosed to the TAM that distributes them. In such a scenario,the files can be encrypted end-to-end between a Trusted Component Signer and a TEE. However, theremust be some means of provisioning the decryption key into the TEE and/or somemeans of the Trusted Component Signer securely learning a public key of the TEE that it can use toencrypt. The Trusted Component Signer cannot necessarily even trust theTAM to report the correct public key of a TEE for use with encryption, since the TAM might insteadprovide the public key of a TEE that it controls.¶
One way to solve this is for the Trusted Component Signer to run its own TAM that is only used to distribute the decryption key via the TEEP protocol and the key file can be a dependency in the manifest of the encrypted TA. Thus, the TEEP Agent would look at the Trusted Component manifest to determine if there is a dependency with a TAM URI of the Trusted Component Signer's TAM. The Agent would then install the dependency and continue with the Trusted Component installation steps, including decrypting the TA binary with the relevant key.¶
The TEEP architecture is applicable to cases where devices have a TEE that protects dataand code from the REE administrator. In such cases, the TAM administrator, not the REE administrator,controls the TEE in the devices. Examples include:¶
The privacy risk is that data in the REE might be susceptible to disclosure to the TEE administrator. This risk is not introduced by the TEEP architecture, but it is inherent in most uses of TEEs. This risk can be mitigated by making sure the REE administrator explicitly chooses to have a TEE that is managed by another party. In the cloud hoster example, this choice is made by explicitly offering a service to customers to provide TEEs for them to administer. In the device manufacturer example, this choice is made by the customer choosing to buy a device made by a given manufacturer.¶
This document has no IANA actions.¶
We would like to thankNick Cook,Minho Yoo,Brian Witten,Tyler Kim,Alin Mutu,Juergen Schoenwaelder,Nicolae Paladi,Sorin Faibish,Ned Smith,Russ Housley,Jeremy O'Donoghue,Anders Rundgren, andBrendan Moran for their feedback.¶