Architecture
A Trusted Execution Environment (TEE) is a separate execution environment, consisting of firmware and hardware, that runs alongside the Rich Execution Environment (REE) and provides security services for it. The TEE isolates access to its hardware and software resources from the REE and its applications. Intel® Dynamic Application Loader (Intel® DAL) is a specific TEE with the Intel® Converged Security Engine (Intel® CSE), which is a general TEE.
The TEE offers safe execution of authorized security software and firmware known as Trusted Applications (TAs). TAs can be developed in Java* and downloaded to the TEE at run time. Inside the TEE, each TA is independent of the others. The TEE also enforces protection, confidentiality, integrity, and access rights of the resources and data belonging to those TAs. A TA cannot access the security assets of another TA without authorization.
TAs are given controlled access to security resources and services via the TEE Internal API. These services may include cryptography, secure storage, and secure I/O. The TEE Internal API is provided in Java (via Intel DAL APIs). There is a possibility that Intel may extend it to C in the future.
A TA is typically accompanied by a Trusted Application Host Client, which is host software that exposes the TA services as a rich, operating system-friendly API.
The TA life cycle is managed by the Intel DAL Admin Framework that resides in the Intel CSE firmware. The TEE Management Application is an executable that implements the host side of the management protocol.
The TEE Client API is a low-level communication interface designed to enable host software running in the REE to access and exchange data with the TAs running inside the TEE.
The following diagram shows the high-level architecture of a generic Trusted Execution Environment (TEE).
For more details on Intel DAL components, click the appropriate link below:
- Applets: What they are, how they work, installation on end user's machine, and the Applet Manifest
- Host Applications: What they are, how they work, how they send information to the host-applet interface
- Host-Applet Interface: How it works, including TEE management and accounting for multiple versions of the applet
- Host Interface Service: Using it on Linux* and Android*