Secure Elements in a Trusted Execution Environment

A Secure Element is a tamper resistant device that provides secure storage and an execution environment for sensitive data and cryptographic processing. They connect to the host processors through I2C or SPI on the physical channel and the T=1 ISO/IEC 7816 block oriented half-duplex protocol on the second layer.

A Trusted Execution Environment (TEE) is an area of the main processor that provides isolated execution and confidentiality of its assets. A TEE executes its own secure operating system with access to cryptographic algorithms that, depending on the SoC, can be implemented in software libraries (i.e: libtomcrypt, libmbedtls) or in hardware as accelerator co-processors.

The shared memory mechanisms used by TEEs to communicate with bootloaders and Rich Execution Environments (REE) such as Linux are a perfect match to transport block protocols like T=1. This gives a TEE the opportunity to share buses with a REE, while avoiding access collisions and without imposing static usage or power requirements.

This presentation will explain how the NXP EdgeLock SE05x driver was integrated and upstreamed to OP-TEE, and how it provides cryptographic support and secure storage to the boot firmware (U-boot), the TEE (OP-TEE), and the REE (Linux).