TEE Management Framework V1.0
Total Page:16
File Type:pdf, Size:1020Kb
GlobalPlatform Device Technology TEE Management Framework Version 1.0 Public Release November 2016 Document Reference: GPD_SPE_120 Copyright 2012-2016 GlobalPlatform, Inc. All Rights Reserved. Recipients of this document are invited to submit, with their comments, notification of any relevant patents or other intellectual property rights (collectively, “IPR”) of which they may be aware which might be necessarily infringed by the implementation of the specification or other work product set forth in this document, and to provide supporting documentation. The technology provided or described herein is subject to updates, revisions, and extensions by GlobalPlatform. Use of this information is governed by the GlobalPlatform license agreement and any use inconsistent with that agreement is strictly prohibited. TEE Management Framework – Public Release v1.0 THIS SPECIFICATION OR OTHER WORK PRODUCT IS BEING OFFERED WITHOUT ANY WARRANTY WHATSOEVER, AND IN PARTICULAR, ANY WARRANTY OF NON-INFRINGEMENT IS EXPRESSLY DISCLAIMED. ANY IMPLEMENTATION OF THIS SPECIFICATION OR OTHER WORK PRODUCT SHALL BE MADE ENTIRELY AT THE IMPLEMENTER’S OWN RISK, AND NEITHER THE COMPANY, NOR ANY OF ITS MEMBERS OR SUBMITTERS, SHALL HAVE ANY LIABILITY WHATSOEVER TO ANY IMPLEMENTER OR THIRD PARTY FOR ANY DAMAGES OF ANY NATURE WHATSOEVER DIRECTLY OR INDIRECTLY ARISING FROM THE IMPLEMENTATION OF THIS SPECIFICATION OR OTHER WORK PRODUCT. Copyright 2012-2016 GlobalPlatform, Inc. All Rights Reserved. The technology provided or described herein is subject to updates, revisions, and extensions by GlobalPlatform. Use of this information is governed by the GlobalPlatform license agreement and any use inconsistent with that agreement is strictly prohibited. TEE Management Framework – Public Release v1.0 3 / 228 Contents 1 Introduction .......................................................................................................................... 12 1.1 Audience ............................................................................................................................................. 12 1.2 IPR Disclaimer .................................................................................................................................... 12 1.3 References .......................................................................................................................................... 12 1.4 Terminology and Definitions ............................................................................................................... 13 1.5 Abbreviations and Notations ............................................................................................................... 15 1.6 Revision History .................................................................................................................................. 16 2 General Considerations (Informative) ................................................................................. 17 2.1 Scope .................................................................................................................................................. 17 2.2 Authorities ........................................................................................................................................... 17 2.3 Mandatory Nature of this Specification ............................................................................................... 17 2.4 System Overview ................................................................................................................................ 18 2.5 Resources ........................................................................................................................................... 19 3 General Considerations (Normative) .................................................................................. 20 3.1 Endianness Convention ...................................................................................................................... 20 3.2 Cryptographic Keys and Algorithm Usage .......................................................................................... 20 4 Security Model for Administration ...................................................................................... 21 4.1 Security Domains ................................................................................................................................ 21 4.1.1 Security Domain Associations ..................................................................................................... 23 4.1.2 Retrieving the UUID of a Parent Security Domain ....................................................................... 24 4.1.3 Security Domain Privileges .......................................................................................................... 24 4.1.4 Trustworthiness of SDs and TAs ................................................................................................. 30 4.1.5 (Informative) Installation of Roots of SD Hierarchies: The Bootstrap Domain ............................. 31 4.2 Trusted Execution Environment Life Cycle ......................................................................................... 32 4.2.1 TEE_SECURED Life Cycle State ................................................................................................ 33 4.2.2 TEE_LOCKED Life Cycle State ................................................................................................... 34 4.3 Trusted Application Life Cycle ............................................................................................................ 35 4.3.1 General State Diagram ................................................................................................................ 35 4.3.2 Executable Life Cycle State ......................................................................................................... 36 4.3.3 Locked Life Cycle State ............................................................................................................... 37 4.3.4 Inactive Life Cycle State............................................................................................................... 38 4.4 Security Domain Life Cycle ................................................................................................................. 39 4.4.1 General State Diagram ................................................................................................................ 39 4.4.2 Active Life Cycle State ................................................................................................................. 40 4.4.3 Restricted Life Cycle State ........................................................................................................... 41 4.4.4 Blocked Life Cycle State .............................................................................................................. 42 4.5 TEE Audit Information ......................................................................................................................... 43 5 Authentication and Authorization ....................................................................................... 44 5.1 Authentication and Secure Communication ........................................................................................ 44 5.2 Authorization of Administration Operations......................................................................................... 45 5.2.1 Explicit Authorization Using Authorization Tokens ...................................................................... 45 5.2.2 Implicit Authorization Using a Secure Channel ............................................................................ 45 5.2.3 Secure Channel with Authorization Tokens ................................................................................. 45 5.3 Authorization Tokens .......................................................................................................................... 46 5.3.1 Authorization Token Structure ..................................................................................................... 47 5.3.2 Authorization Constraints ............................................................................................................. 48 5.3.3 Authorization Token Verification Procedure................................................................................. 49 Copyright 2012-2016 GlobalPlatform, Inc. All Rights Reserved. The technology provided or described herein is subject to updates, revisions, and extensions by GlobalPlatform. Use of this information is governed by the GlobalPlatform license agreement and any use inconsistent with that agreement is strictly prohibited. 4 / 228 TEE Management Framework – Public Release v1.0 5.4 Key Management ................................................................................................................................ 50 5.4.1 Root of Trust Instantiation ............................................................................................................ 50 5.4.2 Security Domain Keys .................................................................................................................. 50 5.4.3 Using Keys in Administration Operations ..................................................................................... 51 5.5 Data Storage ....................................................................................................................................... 52