TEE Vs. Integrated HSMs For Enhanced Security (2024)

Introduction

As more and more devices become connected, the need for greater security and protection of critical assets increases. Traditionally such support has been provided by a Hardware Security Module (HSM), but over the last decade the use of Trusted Execution Environments (TEE) has grown significantly. This article aims to give the reader an understanding of the difference between these two solutions and their suitability for different scenarios.

HSM vs TEE

Generically, a HSM provides key management and cryptographic functionality for other applications.

A TEE also provides this functionality, along with enabling applications (or the security-focused parts of applications) to execute inside its isolation environment.

For example, in modern Android mobile devices the TEE is already used every day, unknowingly, by millions of people as an HSM equivalent, through a Trusted Application (TA) providing the Android KeyMaster functionality.

Regular Execution Environment (REE) is the term in the TEE community for everything in a device that is outside a particular TEE. Technically, from a particular TEE's point of view, all components outside its security boundary live in the REE. Having said that, to simplify the big picture, a device with multiple TEEs, SIMs, HSMs or other high-trust components may have those separated out from the REE. The REE houses the Regular OS, which, in combination with the rest of that execution environment, does not have sufficient security to meet a task needed by the device.

For more background on terminology like TEE and REE please have a look at “What is a TEE?”

For more information on the ARM TrustZone hardware security behind the TEE have a look at “What is a TrustZone?”

How a HSM solves your problems…

In compact devices with an integrated HSM, the software architecture looks something like this:

[Figure 1: software architecture of a compact device with an integrated HSM]

The HSM provides Cryptographic Services to your security-focused task.

The “Secure” task in the REE has data. The HSM can receive that data and encrypt or decrypt it before handing it back to the issuing task in the REE.

How is this done using a TEE?

Here is how we support HSM functionality in a TEE-enabled device today:

[Figure 2: HSM functionality provided by a Trusted Application inside the TEE]

In an Android device, the above HSM will typically be replaced by a TA within the TEE implementing Keymaster functionality, and by an Android-specific REE stack rather than OpenSSL/PKCS#11.

In the above case, with a simpler Regular OS as might be found in an Engine Control Unit (ECU), a generic TA has been written specifically to provide the functionality of a typical HSM.

Of course, with a TEE you can always do better than that

A TEE need not be used as a fixed-purpose service provider like an HSM; it can also host the tasks directly.

[Figure 3: the secure task moved into the TEE]

Here we move the task into the TEE, so manipulation of the unencrypted data occurs in a place inaccessible to activity in the REE.

As an example of what we gain:

  • A device typically supports other tasks like complicated communication protocols (e.g., CAN Bus, IP, Bluetooth or even 5G).
  • These communication mechanisms may, or may not, be used by a particular secure task.
  • What is important is that by placing the secure task somewhere isolated from that communication software (e.g., in a TEE), security issues in the communication software no longer potentially drag down the security of the secure task.

Some HSMs can load code to execute through proprietary extensions, but a GlobalPlatform-compliant TEE uses standardised interfaces, enabling tasks developed for one TEE to execute on another. Such tasks, executing in the TEE, are called “Trusted Applications”.

What you cannot do with a HSM, but can do with a TEE in a well-designed SoC

HSMs cannot directly protect the I/O ports that provide sensor data or control actuators from software attacks in, for example, the REE of a vehicle's ECU.

[Figure 4: I/O ports exposed to REE software when only an HSM is used]

Unlike an HSM, on a correctly designed System-on-Chip (SoC) a TEE can also interface to peripherals. This enables the creation of a secure task, housed safely inside the TEE, that can be used to substantially enhance the critical tasks' security.

[Figure 5: a TEE-hosted task interfacing directly to peripherals]

What do we gain here?

Well, consider an example from the automotive industry: a fuel throttle. If the throttle's I/O control port on the ECU is exposed to REE software, then it does not matter how much security the REE “Secure” task's use of the HSM brings; you would not be using an HSM if you had high confidence in the security of the REE itself, so you cannot have confidence that the software in the REE cannot be attacked.

If the REE is open to attack, that means that attacked REE software can potentially gain unauthorised access to that I/O port, no matter how good the HSM is.

In the TEE (like in an HSM), we do not have the generic load of software tasks unrelated to security. A task in the TEE can interface to hardware control ports without risk of other software making unauthorised access.

If I only have an HSM in the above example, then all I can do is protect the data traffic to a device, not the decision making in the device. With a TEE, I can do both.
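The throttle example above, as an added C model (not code from the article or from any TEE or ECU vendor): the Trusted Application owns the throttle port and makes the decision (sequence, range and rate-of-change checks) before driving it, whereas under the HSM design the port is written by REE code that a compromised REE can reach directly. The limits, command format and port are constructed for the model; TrustZone peripheral ownership and message authentication via the TEE's crypto API are assumed rather than modelled.

```c
#include <stdint.h>
#include <stddef.h>

#define THROTTLE_MAX 100  /* percent; constructed limit for the model */
#define MAX_STEP      20  /* largest change one command may make, percent */

typedef struct { uint32_t seq; uint8_t demand; } throttle_cmd_t;
typedef struct { uint8_t port; uint32_t last_seq; } throttle_dev_t;
typedef struct { int port; int rejected; } tee_result_t;
typedef enum { TA_OK, TA_ERR_REPLAY, TA_ERR_RANGE, TA_ERR_STEP } ta_status_t;

/* HSM design: the REE "Secure" task owns the port. The HSM can authenticate
 * the command, but any REE code that reaches this store reaches the actuator. */
static void ree_write_port(throttle_dev_t *d, uint8_t value) { d->port = value; }

/* TEE design: the Trusted Application owns the port (assumes TrustZone maps it
 * secure-only). Authentication of c would also happen here via the TEE's crypto
 * API; this model covers only the decision logic an HSM cannot host. */
ta_status_t ta_throttle_apply(throttle_dev_t *d, const throttle_cmd_t *c) {
    if (c->seq <= d->last_seq)    return TA_ERR_REPLAY; /* stale or replayed */
    if (c->demand > THROTTLE_MAX) return TA_ERR_RANGE;  /* implausible demand */
    int delta = (int)c->demand - (int)d->port;
    if (delta > MAX_STEP || delta < -MAX_STEP) return TA_ERR_STEP; /* too abrupt */
    d->last_seq = c->seq;
    d->port = c->demand;                                /* only write path */
    return TA_OK;
}

/* Feeds a constructed command stream (including a replay, a jump and an
 * out-of-range demand) to the TA; returns the final port value and rejections. */
tee_result_t run_tee_hosted(void) {
    throttle_dev_t d = { 0, 0 };
    const throttle_cmd_t stream[] = {
        {1, 10}, {2, 25}, {2, 25}, {3, 90}, {4, 40}, {5, 120},
    };
    tee_result_t r = { 0, 0 };
    for (size_t i = 0; i < sizeof stream / sizeof stream[0]; i++)
        if (ta_throttle_apply(&d, &stream[i]) != TA_OK) r.rejected++;
    r.port = d.port;
    return r;
}

/* Same actuator under the HSM design: a corrupted REE bypasses every check,
 * because the HSM protects the data traffic, not the decision. */
int run_hsm_design_compromised_ree(void) {
    throttle_dev_t d = { 0, 0 };
    ree_write_port(&d, 120);  /* no HSM call needed to reach the port */
    return d.port;
}
```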

Physical Attacks: TEE vs HSM

As we have seen above, one issue with the use of an HSM is the exposure of data communications before any encryption has occurred.

  • This impacts the data while it is in software, where it can be extracted or modified by a corrupted REE before the HSM has had a chance to act upon it.
  • This also impacts the hardware attack profile.

Fundamentally, device-integrated HSMs might go as far as to use on-SoC hardware methods to protect their keys from extraction that are stronger than those of a TEE. However, the method used to transfer data to the HSM for protection by those keys is no more strongly protected than that used by a TEE, and can be far weaker.

Consider the following PCB-attached HSM in comparison to a typical TEE, which will be using a stacked die (Package on Package) to protect its much higher-speed traffic:

[Figure 6: PCB-attached HSM compared with a TEE using stacked-die (Package on Package) memory]

Stronger TEEs do not even use external RAM, as shown above, but can use on-SoC RAM instead.

[Figure 7: TEE using on-SoC RAM]

In this case, the benefit of using a TEE to provide traditional HSM functionality is a significant reduction in the exposure of unprotected data and therefore an enhancement of the overall security for the platform.

Ultimately, if you are concerned about key extraction, it is advised that designs keep the key batch size small, whether using a TEE or an HSM.

It is worth noting that in the EVITA standards, some HSM types reside on the same SoC as the REE, but in those cases their hardware protection methods are typically the same as a TEE's (see the EVITA HSM levels).

Conclusions

In fast moving new innovation areas, such as connected vehicles and robotics, as well as consumer electronics devices, a TEE provides a cost effective and future proofed alternative to using an HSM.

In addition to the potential of providing typical HSM functionality, a GlobalPlatform compliant TEE can also protect the critical tasks directly and has standardised methods for enabling over-the-air updating of critical systems.

Fundamentally, a typical HSM is an attack-resistant cryptographic device designed to perform a specific set of cryptographic functions chosen by the HSM designer. It provides the confidence of non-interference inside the scope defined by the relevant protection profile. A standardised TEE can do the same, and significantly more, without the need to add additional hardware. As the TEE resides on the existing SoC, using its integrated MMUs and TrustZone-enabled hardware, the overall hardware bill of materials can be reduced; and as components are removed, the risk of hardware failure is incidentally reduced too.

The development of TEEs is driven by standards, such as GlobalPlatform, and this brings predictability and interoperability. This means that device OEMs and third parties can develop Trusted Applications to support an ever-growing list of platform security requirements.
