TEE

Security

Trusted Execution Environment -- an isolated execution area in a processor providing security for code and data.

Also known as: Trusted Execution Environment


A Trusted Execution Environment (TEE) is an isolated execution area within a device's main processor that provides hardware-enforced separation between trusted (secure) and untrusted (normal) software. Built on ARM TrustZone or Intel SGX technology, a TEE runs a separate secure OS alongside the main operating system, protecting sensitive code and data from malware, OS vulnerabilities, and even privileged software running in the normal world.

TEE Architecture

The TEE divides the processor into two worlds:

| World | Description |
|---|---|
| Normal World (Rich OS) | Android, Linux, Windows — untrusted |
| Secure World (TEE) | Trusted OS (OP-TEE, Trusty, QSEE) — isolated |

Hardware mechanisms prevent normal-world software from accessing secure-world memory. The context switch between worlds is triggered by a Secure Monitor Call (SMC) instruction, managed by a secure monitor that acts as the gatekeeper.
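To make the gatekeeper role concrete, here is an added example (not code from SmartCardFYI or from any real trusted OS or monitor) that models a secure monitor in C: it checks the SMC function ID against the ARM SMC Calling Convention layout and rejects any shared buffer that does not lie wholly in normal-world RAM or that overlaps the secure carve-out. The memory map, the status codes and the function names are assumptions of this example.

```c
#include <stdbool.h>
#include <stdint.h>
/* Constructed memory map: 1 GiB of DRAM holding a 2 MiB secure carve-out
   (TZDRAM) that normal-world software must never be able to touch. */
#define RAM_BASE     0x80000000ull
#define RAM_SIZE     0x40000000ull
#define SECURE_BASE  0xBE000000ull
#define SECURE_SIZE  0x00200000ull

/* ARM SMC Calling Convention: bit 31 marks a fast call, bits 29:24 name the
   owning entity; Trusted OS calls use owning-entity values 0x32..0x3F. */
#define SMC_FAST_CALL      (1u << 31)
#define SMC_OWNER(fid)     (((fid) >> 24) & 0x3Fu)
#define SMC_OWNER_TOS_MIN  0x32u
#define SMC_OWNER_TOS_MAX  0x3Fu
enum smc_status { SMC_OK = 0, SMC_UNKNOWN_ID = -1, SMC_INVALID_PARAM = -2 };
struct smc_request {
    uint32_t function_id;
    uint64_t buf_addr;   /* shared buffer the caller asks the trusted OS to use */
    uint64_t buf_len;
};
/* True if [addr, addr+len) lies wholly inside [base, base+size); written so
   that no 64-bit wraparound can occur (a naive addr+len comparison invites it). */
static bool range_within(uint64_t addr, uint64_t len, uint64_t base, uint64_t size)
{
    if (len == 0 || addr < base || addr - base > size) return false;
    return len <= size - (addr - base);
}
/* Stand-in for the trusted OS entry point reached after the world switch. */
static int trusted_os_entry(const struct smc_request *req) { (void)req; return SMC_OK; }
/* The secure monitor: the only path from the normal world into the TEE. */
int secure_monitor_dispatch(const struct smc_request *req)
{
    uint32_t fid = req->function_id;
    if (!(fid & SMC_FAST_CALL)) return SMC_UNKNOWN_ID;          /* yielding calls not handled here */
    if (SMC_OWNER(fid) < SMC_OWNER_TOS_MIN || SMC_OWNER(fid) > SMC_OWNER_TOS_MAX)
        return SMC_UNKNOWN_ID;                                   /* not addressed to the trusted OS */
    /* Shared memory must be normal-world RAM and must not overlap the secure carve-out,
       even partially, or the trusted OS would read or write secure memory on the caller's behalf. */
    if (!range_within(req->buf_addr, req->buf_len, RAM_BASE, RAM_SIZE)) return SMC_INVALID_PARAM;
    uint64_t end = req->buf_addr + req->buf_len;                 /* cannot wrap: inside RAM */
    if (req->buf_addr < SECURE_BASE + SECURE_SIZE && SECURE_BASE < end) return SMC_INVALID_PARAM;
    return trusted_os_entry(req);
}
/* What issuing the SMC looks like from a normal-world driver's side. */
int smc_call(uint32_t function_id, uint64_t buf_addr, uint64_t buf_len)
{
    struct smc_request req = { function_id, buf_addr, buf_len };
    return secure_monitor_dispatch(&req);
}
```

A real monitor would also pin or copy the buffer before the trusted OS reads it, since the normal world can still modify shared memory after the check (a time-of-check/time-of-use window).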

TEE vs Secure Element

While both provide security isolation, TEEs and Secure Elements occupy different points on the security-performance spectrum:

| Attribute | TEE | Secure Element |
|---|---|---|
| Location | Inside main application processor | Separate dedicated chip |
| Performance | High (shares main CPU resources) | Low (card-grade processor) |
| Tamper resistance | Software/hardware isolation | Physical shielding + sensors |
| Certification | EAL 2-4 typical | EAL 5+ / 6+ |
| Attack surface | Larger (shared silicon) | Minimal (dedicated die) |
| Cost | No additional hardware | Separate chip cost |

TEE in Smart Card Ecosystems

TEEs play a supporting role in smart card workflows, particularly in mobile payment and identity applications:

  • Host Card Emulation (HCE): Payment tokens are stored in the TEE when no physical Secure Element is available, with cloud-based key management compensating for the lower hardware security level.
  • Biometric Processing: Fingerprint and face recognition processing occurs in the TEE, with the final verification result passed to an SE-based payment or identity applet.
  • Mobile ID: Government eID applications may use the TEE for user interface protection and secure display, while critical keys remain in the eSIM or embedded SE.

GlobalPlatform TEE Specifications

GlobalPlatform defines the TEE specifications, including the TEE Client API (for normal-world applications to call trusted applications), the TEE Internal Core API (for trusted application development), and the TEE management framework for trusted application installation and lifecycle. The GP TEE Protection Profile (GPD_SPE_021) provides a Common Criteria-based certification path for TEE implementations.
