TPM 2.0 and the Rise of Mobile
By Kathleen McGill, Mobile Platform Work Group Co-Chair, Trusted Computing Group
Today - both at work and at home - more users than ever before are relying on smartphones, tablets, and other mobile devices to keep in touch and get things done. With Bring Your Own Device, Choose Your Own Device, and other Enterprise-Owned Device models, business and personal data now coexist on the same device. More devices also mean a growing attack surface for those who aim to cause harm.
The rise in mobile device usage, however, comes with a corresponding requirement for mobile platforms to provide a secure foundation for many types of applications. While there are growing numbers of software-based security approaches and vendor solutions for the components of the mobile ecosystem, mobile device hardware itself has remained vulnerable to a variety of attacks.
For designers, manufacturers, system integrators, application developers, mobile network operators, and mobile service providers who require enhanced mobile device integrity, trustworthy acquisition and use of mobile applications and mobile services, including enterprise services, and protection of private data assets, the Trusted Computing Group (TCG) has published a collection of specifications that define trusted computing technologies for mobile platforms. These specifications are applicable to all mobile devices (smartphones, feature phones, basic phones, etc.).
In collaboration with GlobalPlatform on alignment and compatibility of TPM 2.0 Mobile and GlobalPlatform Trusted Execution Environment (TEE), TCG has ensured TPM 2.0 Mobile could be implemented as a Trusted Application within a TEE, in a standardized manner.
End users ultimately benefit from mobile applications that provide enhanced features, such as e-financial services, in a way that is both highly-secure and practical.
Trusted mobile platforms provide key benefits, such as device integrity, for mobile device operations, and offer significant improvement in securing device hardware. Standardized mobile endpoint security provides essential TPM security services for a wide range of mobile use cases and applications. It enables protection of private and sensitive assets, cross platform security compatibility, and interoperability across mobile device types. Widespread adoption of standardized interfaces, however, is a prerequisite for the development of mobile applications which use the core TPM capabilities.
There are several ways to move toward widespread adoption:
- OEMs and system integrator implementation of the FAPI specifications and underlying TPM Interface specifications in the rich environment to ensure that applications have access to TPM services through a standard interface across multiple platforms.
- Application Developers being able to develop mobile applications that use the FAPI interface to access the TPM, and other building blocks of the trusted mobile platform, to provide a variety of services with security assurances.
THE TRUSTED MOBILE PLATFORM
The below image provides an example of a notional architecture that can be used to implement a trusted mobile platform. Note, there are many possible architectures and implementations, using technologies such as hypervisors, micro-kernels, hardware mechanisms, and others, that can support trusted mobile platforms. In this example, the TPM 2.0 is hosted by a Protected Environment, which is isolated from the Rich Execution Environment (REE) of the mobile platform.
The TCG has published three TPM 2.0 Mobile Specifications. These resources provide reference on how to implement a trusted mobile platform:
- TPM 2.0 MOBILE REFERENCE ARCHITECTURE SPECIFICATION
The document provides a normative reference on how to implement mobile platform architecture to support a TPM Mobile. The TPM Mobile executes within a Protected Environment which is defined by a collection of security requirements. The Mobile Reference Architecture includes an informative example of a Protected Environment as an implementation of the GlobalPlatform Trusted Execution Environment (TEE) System Architecture and related API specifications, such as the TEE Client API Specification, TEE Internal API Specification, and others. Read more.
- TCG TPM 2.0 MOBILE COMMON PROFILE SPECIFICATION
Defines a profile of the TPM 2.0 Library Specification that is applicable to all mobile devices that claim conformance to the TPM 2.0 Mobile Reference Architecture and is optimized for ease-of-implementation in feature phones, basic phones, eBook readers, and other similar constrained mobile devices. The specification defines the actual TPM Mobile implementation (platform constants, algorithm support, commands, and required resources). Read more.
- TCG TPM 2.0 MOBILE COMMAND RESPONSE BUFFER INTERFACE SPECIFICATION
Defines an interface between a TPM and software. This interface is the Command/Response Buffer Interface (CRB). The TCG Software Stack (TSS) 2.0 Feature API Specification (FAPI) defines a very high-level API with the intention of supporting most of the commands that an application programmer would need to use the services of the TPM. Read more.
To learn more about TCG’s work on TPM and other technologies, visit the Trusted Computing Group website.