The TPM is dead, long live the TEE!

Sort of related to smart cards...


Somewhat unfortunate for Microsoft and Intel who "bet the house" on TPMs (Trusted Platform Modules), all their competitors in the mobile space including Google and Apple, have rather settled on embedded TEE (Trusted Execution Environment) schemes enabling systems like this:

http://www.nasdaq.com/article/samsung-mobilesecurity-platform-to-be-part-of-next-android-20140625-00937

iOS:
http://images.apple.com/iphone/business/docs/iOS_Security_Feb14.pdf

How come the competition didn't buy into the TPM?

TPMs are based on a "one-size-fits-all" API philosophy. Since Intel relies on external vendors supplying TPM-components this (IMHO fairly unwieldy) API must also be standardized which makes the process updating TPMs extremely slow and costly.

TEEs OTOH can be fitted at any time with application-specific security APIs which both can be standardized or entirely proprietary. In fact, even third-parties can create new security APIs using GlobalPlatform's TEE!

How about security? Since there is (generally) very little consensus on these matters, I should probably not dive too deep into this :-)

Anders

------------------------------------------------------------------------------
_______________________________________________
Opensc-devel mailing list
[hidden email]
https://lists.sourceforge.net/lists/listinfo/opensc-devel

Apples and oranges comparison. Tee is a privilege level, TPM is a piece of hardware for various crypto, storage, sealage, etc operations. Intel's platform actually supports more privilege levels than arm. And having something like a TPM would be nice as Tees need to typically implement methods to do some of their operations.

------------------------------------------------------------------------------
Want fast and easy access to all the code in your enterprise? Index and
search up to 200,000 lines of code with a free copy of Black Duck®
Code Sight™ - the same software that powers the world's largest code
search on Ohloh, the Black Duck Open Hub! Try it now.
http://p.sf.net/sfu/bds
_______________________________________________
Opensc-devel mailing list
[hidden email]
https://lists.sourceforge.net/lists/listinfo/opensc-devel

On 2014-07-14 02:41, William Roberts wrote:
>
> Apples and oranges comparison.
>

Yes, these are indeed entirely different technologies.
However, they are currently addressing the same "problem space".

> Tee is a privilege level, TPM is a piece of hardware for various crypto, storage, sealage, etc operations. Intel's platform actually supports more privilege levels than arm. And having something like a TPM would be nice as Tees need to typically implement methods to do some of their operations.
>

Yes, TEEs implement the methods that the particular OS version needs.

I got hardware protected keys to my old Android Nexus 7 through an OTA update with Android 4.4!

My brand new Dell XPS-15 that has like "everything" will be stuck with TPM 1.2 during its lifetime.   That's lame, very lame.

The reliance on external hardware is probably manly a relic from the "Palladium" days when HW had less than 1% of the power it has today.

Anders


------------------------------------------------------------------------------
Want fast and easy access to all the code in your enterprise? Index and
search up to 200,000 lines of code with a free copy of Black Duck®
Code Sight™ - the same software that powers the world's largest code
search on Ohloh, the Black Duck Open Hub! Try it now.
http://p.sf.net/sfu/bds
_______________________________________________
Opensc-devel mailing list
[hidden email]
https://lists.sourceforge.net/lists/listinfo/opensc-devel

Il 14/07/2014 05:46, Anders Rundgren ha scritto:

> The reliance on external hardware is probably manly a relic from the "Palladium" days when HW had less than 1% of the power it has today.
Speaking of relics: smartcards :)

If it would be possible to really have a "one size fits all", the others
just would disappear...
IIUC, TEE just leverages Arm's "runlevels" -- IMVHO it's "quite" like
saying that if crypto is done inside a kernel module at ring 0 then it
have the same security of a smartcard... Sounds wrong, uh?

BYtE,
 Diego.

------------------------------------------------------------------------------
Want fast and easy access to all the code in your enterprise? Index and
search up to 200,000 lines of code with a free copy of Black Duck®
Code Sight™ - the same software that powers the world's largest code
search on Ohloh, the Black Duck Open Hub! Try it now.
http://p.sf.net/sfu/bds
_______________________________________________
Opensc-devel mailing list
[hidden email]
https://lists.sourceforge.net/lists/listinfo/opensc-devel

On 2014-07-14 09:36, NdK wrote:
I don't think this comparison is valid.  Smart cards in PCs do not
[generally] support Trusted Path and are thus susceptible to malware:
http://webpki.org/papers/key-access.pdf
iOS doesn't have this problem.

Smart cards offer better protection against physical attacks but I
think that will soon be history as well because a "Security Enclave"
like Apple already have hides keys from bus-monitors, debuggers and
even fairly sophisticated attacks on the chip itself.

Anyway, TPMs as implemented by MSFT/INTL doesn't offer any smart card
functionality unless you are wrapped around AD (Active Directory).

Anders


------------------------------------------------------------------------------
Want fast and easy access to all the code in your enterprise? Index and
search up to 200,000 lines of code with a free copy of Black Duck®
Code Sight™ - the same software that powers the world's largest code
search on Ohloh, the Black Duck Open Hub! Try it now.
http://p.sf.net/sfu/bds
_______________________________________________
Opensc-devel mailing list
[hidden email]
https://lists.sourceforge.net/lists/listinfo/opensc-devel

Microsoft's VSC (Virtual Smart Card) management protocol for TPMs:
http://download.microsoft.com/download/9/5/E/95EF66AF-9026-4BB0-A41D-A4F81802D92C/%5BMS-TPMVSC%5D.pdf

Yaeh, DCOM was cool some 10 years ago...

------------------------------------------------------------------------------
Want fast and easy access to all the code in your enterprise? Index and
search up to 200,000 lines of code with a free copy of Black Duck®
Code Sight™ - the same software that powers the world's largest code
search on Ohloh, the Black Duck Open Hub! Try it now.
http://p.sf.net/sfu/bds
_______________________________________________
Opensc-devel mailing list
[hidden email]
https://lists.sourceforge.net/lists/listinfo/opensc-devel

TEE vs TPM in practice:

My old Nexus 7 got hardware-protected keys through an OTA update while my new Dell XPS-15 will be stuck with TPM 1.2 during the rest of its life!


------------------------------------------------------------------------------
Want fast and easy access to all the code in your enterprise? Index and
search up to 200,000 lines of code with a free copy of Black Duck
Code Sight - the same software that powers the world's largest code
search on Ohloh, the Black Duck Open Hub! Try it now.
http://p.sf.net/sfu/bds
_______________________________________________
Opensc-devel mailing list
[hidden email]
https://lists.sourceforge.net/lists/listinfo/opensc-devel