Information security technology - Trusted execution environment - Basic security specification
1 Scope
This document specifies the overall technical framework of a trusted execution environment system. It describes the basic requirements for the trusted execution environment, trusted virtualization system, trusted operating system, trusted application and service management, cross-platform application middleware and other main parts, as well as their testing and evaluation methods.
This document applies to the design, production, and testing of trusted execution environment systems.
2 Normative references
The following documents contain requirements which, through reference in this text, constitute indispensable requirements of this document. For dated references, only the edition cited applies. For undated references, the latest edition (including any amendments) applies.
GB/T 20271-2006 Information security technology - Common security techniques requirement for information system
GB/T 25069-2010 Information security techniques - Terminology
3 Terms and definitions
For the purposes of this document, the terms and definitions given in GB/T 25069-2010 and the following apply.
3.1
virtualization
method of virtualizing one or more forms of resources into one or more other forms of resources
3.2
trusted virtualization
virtualization method based on trusted execution environment
3.3
trusted execution environment
software environment built on hardware-level isolation and secure boot mechanisms to ensure the confidentiality, integrity, authenticity, and non-repudiation of data and code associated with security-sensitive applications
Note: Hardware-level isolation is a security mechanism based on the hardware security extension mechanism. It ensures that isolated resources are not accessed by the rich execution environment through fixed division or dynamic sharing of computing resources.
3.4
rich execution environment
software runtime environment that provides basic functionality and computing resources for applications
Note: The rich execution environment is a runtime environment relatively independent of the trusted execution environment.
3.5
trusted execution environment system
system consisting of a trusted execution environment and the runtime environment that supports client applications in the rich execution environment
3.6
trusted service
services provided in the trusted execution environment for trusted applications and the execution environment
3.7
secure boot
a security mechanism provided to verify the authenticity and integrity of loaded code at each stage of the system startup process
3.8
trusted application
application running in a trusted execution environment
3.9
client application
application running in a rich execution environment and working with trusted applications to form a complete application
3.10
certificate issuer
issuer of certificate used for signature verification
4 Abbreviations
For the purposes of this document, the following abbreviations apply.
API: Application Programming Interface
CPU: Central Processing Unit
DMA: Direct Memory Access
IOMMU: Input Output Memory Management Unit
NFC: Near Field Communication
SE: Secure Element
TA: Trusted Application
TAM: Trusted Application Manager
TEE: Trusted Execution Environment
5 General description
6 Basic requirements
7 Trusted virtualization system
8 Trusted operating system
9 Trusted application and service management
10 Trusted service
11 Cross-platform application middleware
12 Trusted application
13 Testing and evaluation methods
Annex A (Informative) Reference framework of trusted execution environment
Annex B (Informative) Examples of applications that support multiple identity authentication