<t-base Trusted Application Development
  Prepared for: Praxisforum Anwender und Anbieter im Dialog, Mobile Sicherheit im Unternehmen, on 4.12.2014 in Munich
  Markus Katzenberger, Project Manager, Trustonic GmbH
Agenda
  Who we are
  The Trusted Execution Environment (TEE)
  <t-base OTA Ecosystem
  Typical Use Cases for TEE
  <t-base architecture and APIs
  <t-base devices
Trustonic
  Executive team: Ben Cade (CEO), Olivier Leger (EVP Sales & Marketing), Chris Jones (COO), Stephan Spitz (EVP Engineering), Jon Geater (CTO)
  Over 100 employees located between: Cambridge, London, Maidenhead, Bath; Munich; Helsinki; Tokyo; Seattle, Austin, San Francisco; Sophia, Paris; Seoul; Taipei
2 years of Trustonic (Dec 2012 - Dec 2014)
  What an amazing 2 years it's been. Trustonic technology can already be found in over 300 Million smart devices and our growing ecosystem of service providers stands at over 50 companies spanning enterprise, content protection, commerce and identity management segments. So, thank you to our partners for helping to establish this common foundation of trust in devices. Now 2015 promises to be a year full of opportunity for those looking to deliver trust enhanced experiences to the masses!
Why use a TEE?
  Key assets exposed: Normal App, Security Critical Assets (Main Operating System)
  Key assets protected: TEE Enabled App, API Call on Security Critical Routine, Secure Container, Trusted App, Secured Critical Assets (Trustonic TEE)
  Isolated space for handling high value assets
  [Diagram: Smart Connected Device with Main Operating System and Trustonic TEE on a TrustZone System-on-Chip]
Where does t-base fit?
  [Diagram: Smart Connected Device built around a TrustZone System-on-Chip with Applications Processor; connected components: A/V Output, NFC, Bluetooth, Wi-Fi Radio, Mass Storage, Secure Element, Location Sensor, Baseband Radio, Touchscreen Sensor, Biometric Sensor]
The Ecosystem
  [Diagram labels: <t-directory, <t-kph, TAM, Service Providers, <t-dev, Device Maker, App Developers, <t-sdk, <t-base, Chip Maker, App Store, Silicon IP, End Users]
Use Cases for t-base TEE
Content Protection
  Secure Boot, Device Authentication, User Authentication, DRM Protection, Trusted time source, Secure Playback, Link Protection, DTCP, Downloadable Scheme
  Trustonic protects video path from studio to user
  [Diagram: Content Service; DTCP/IP Link Protection; Smart Connected Device with Main OS (TEE Enabled Content Service App, DRM and Media Framework APIs) and Trustonic TEE (Secure Container, DRM Decryption, Secure Playback) on a TrustZone System-on-Chip]
Payments
  Trustonic protects PINs and Passwords and access to Biometric sensors
  [Diagram: Smart Connected Device with Main OS (TEE Enabled Wallet App, API Call to Authenticate User) and Trustonic TEE (Secure Container, Signed Sealed User Input Data, Login/Password or Biometric Secure Input) on a TrustZone System-on-Chip]
Enterprise
  Application level: 2 Factor User Authentication; Identity Management; Authorization and SSO; Physical access control with HCE; Secure messaging: Voice and Data; Data loss prevention
  System level: Secured dual persona; Secured MDM and MAM; Biometric matching
  Device level: Secure boot and integrity checks; Bulk storage encryption; Biometric hardware interfaces
Automotive
  Mobile as car remote control (Bluetooth LE, NFC)
  Identity Management: PIN/Fingerprint Unlock, Remote Lock/Unlock
  Car personalization: Performance and comfort
  Insurance Interface: Driver risk profiled discounts
  Location based payments: Parking, Fuel/recharging, Road tolls
  Premium Traffic information
  Entertainment: Movies, Apps
Internet of Things
  User controls who can access what data: Authentication, Authorization
  Energy suppliers bid for contracts: Smart meter
  Appliances request service
  Insurers discount on occupancy: User location, Temperature
  [Diagram labels: Energy Brokerage, Advertiser, Home Gateway, Appliance Maker, Home Insurer, Connection Requests, Authorizations, Smart Device Gateway, Smart Meter, Thermostat, Connected Appliances]
Healthcare
  Health card
  Identity/Authorization
  Secure access to records
  Sensors and monitoring
  Privacy protected activity logging
  Secure connection to medical equipment
  Secure Storage of medical data
  [Diagram label: Medical Equipment]
Trusted Application Development
<t-base Architecture
  Normal world: Normal-World Application, Trusted Application Connector, <t-base Client API, <t-base daemon, kernel, <t-base driver
  Secure world: Secure-World Container, Trusted Application, Trusted Application API (COM, System, Crypto, Security), <t-base OS
  Interface labels: TCI, MCI
  Platform: ARM TrustZone enabled SoC
Development Tools
  TA Development: <t-sdk (header files, libs, sample code, scripts); ARM DS-5 for compiling and debugging; GNU GCC for compiling
  Secure Driver Development: <t-ddk (header files, libs, sample code, scripts); ARM DS-5 for compiling; debugging via JTAG according to SoC Tools
  Normal-World Development: Existing Android driver is open-source; Normal-World OS tools should be used
<t-base Normal world
  <t-base Client API: Device Access, Session Management, Memory Mapping
  [Diagram: Normal-World Application, Trusted Application Connector, <t-base Client API (Memory, Session, Device), <t-base daemon, kernel, <t-base driver]
<t-base Secure World
  Trusted Application API
    COM: a set of functions for inter-world communication
    System: <t-base system information and functions
    Crypto: <t-base crypto provider
    Security: Secure object functions for binary data
  [Diagram: Secure-World Containers, Trusted Application, Trusted Application API (Security, Crypto, System, COM), <t-base OS]
<t-base-300 GlobalPlatform API
GlobalPlatform API
  In addition to the <t-base-2xx APIs, <t-base-300 introduced the key GP features that are already standardized:
    TEE Client API for client applications
    TEE Internal API for TAs: Cryptography, Trusted Storage, Memory Management
  Equivalent functionality to what is already available to develop Trusted Applications on <t-base-2xx
TEE Client API
  TEEC_InitializeContext
  TEEC_FinalizeContext
  TEEC_OpenSession
  TEEC_CloseSession
  TEEC_InvokeCommand
  TEEC_AllocateSharedMemory
  TEEC_RegisterSharedMemory
  TEEC_ReleaseSharedMemory
TEE Internal API: TA Interface
  TA_CreateEntryPoint
  TA_DestroyEntryPoint
  TA_OpenSessionEntryPoint
  TA_CloseSessionEntryPoint
  TA_InvokeCommandEntryPoint
  Note: Trusted Applications are multi-instance
TEE Internal API: Memory Mgmt. Functions
  TEE_CheckMemoryAccessRights
  TEE_SetInstanceData
  TEE_GetInstanceData
  TEE_Malloc
  TEE_Realloc
  TEE_Free
  TEE_MemMove
  TEE_MemCompare
  TEE_MemFill
TEE Internal API: Object Functions
  TEE_GetObjectInfo
  TEE_GetObjectBufferAttribute
  TEE_GetObjectValueAttribute
  TEE_CloseObject
  TEE_AllocateTransientObject
  TEE_FreeTransientObject
  TEE_ResetTransientObject
  TEE_PopulateTransientObject
  TEE_InitRefAttribute
  TEE_InitValueAttribute
  TEE_CopyObjectAttributes
  TEE_GenerateKey
  TEE_OpenPersistentObject
  TEE_CreatePersistentObject
  TEE_CloseAndDeletePersistentObject
  TEE_ReadObjectData
  TEE_WriteObjectData
  TEE_TruncateObjectData
  TEE_SeekObjectData
TEE Internal API: Cryptographic Functions
  TEE_AllocateOperation
  TEE_FreeOperation
  TEE_GetOperationInfo
  TEE_SetOperationKey
  TEE_DigestUpdate
  TEE_DigestDoFinal
  TEE_CipherInit
  TEE_CipherUpdate
  TEE_CipherDoFinal
  TEE_MACInit
  TEE_MACUpdate
  TEE_MACComputeFinal
  TEE_MACCompareFinal
  TEE_AsymmetricEncrypt
  TEE_AsymmetricDecrypt
  TEE_AsymmetricSignDigest
  TEE_AsymmetricVerifyDigest
  TEE_GenerateRandom
  Note: Keys must be transient objects
<t-base devices
  Arndale development board (http://www.arndaleboard.org): Exynos 5250 SoC; System or Service Provider TAs; Driver development
  Commercial Devices: Each device must be added to Trustonic test infrastructure; TA can be bundled in your APK in the /res folder
  We will support demos and POCs
  We can advise on suitable devices