A GlobalPlatform TEE meets both security certification and functional compliance requirements, as defined by the GlobalPlatform Protection Profiles and functional specifications. This document summarises aspects of both areas to give the reader an overview of the security and potential capabilities of a GlobalPlatform TEE.
In the latest release we add:
- Material covering further remote TEE management technologies and bridging techniques
- Informative review of security considerations when hosting multiple TEEs
- Forward-looking discussion of enabling a TA to better identify the calling application in a complex hypervisor-based device
- Further clarification of the security design considerations that must be satisfied to meet the defining Protection Profiles
Over the last few years, further new specifications have been published for the TEE, and GP has defined its concepts of Root of Trust. This revision of the TEE Architecture document brings the related architectural and conceptual additions and clarifications into one place, enabling third parties to gain a quick overview of the possibilities when using a TEE.
This document explains the hardware and software architectures behind the TEE. It introduces TEE management and explains concepts relevant to TEE functional availability in a device.
This version of the TEE System Architecture has been extended to include the second phase of TEE standardization, which introduced new APIs for supporting tasks such as Trusted User Interface, SE and Sockets communications, and remote management for Trusted Applications. Further extensions of the TEE System Architecture are expected in subsequent phases, as described in the TEE White Paper; e.g. a more flexible Trusted User Interface API, biometrics fingerprint API, secure video content.