The Untapped Potential Of Trusted Execution Environments On Mobile Devices

Transcription

Trusted Execution Environments on Mobile Devices
ACM CCS 2013 tutorial
Jan-Erik Ekberg, Trustonic
Kari Kostiainen, ETH Zurich
N. Asokan, University of Helsinki and Aalto University

What is a TEE?

Figure: a Trusted Execution Environment (isolated and integrity protected) next to the "normal" execution environment (Rich Execution Environment), both built on the same processor, memory, storage and peripherals.

Chances are that:
- You have devices with hardware-based TEEs in them!
- But you don't have (m)any apps using them

Outline
- A look back (10 min): Why mobile devices have TEEs?
- Mobile hardware security (30 min): What constitutes a TEE?
- Application development (30 min): Mobile hardware security APIs, DEMO
- Break (10 min)
- Current standardization (60 min): NIST, Global Platform, TPM 2.0
- A look ahead (10 min): Challenges and summary

Tutorial based on: Ekberg, Kostiainen and Asokan. The Untapped Potential of Trusted Execution Environments on Mobile Devices. IEEE S&P magazine, (to appear).


A LOOK BACK: Why do most mobile devices today have TEEs?

Platform security for mobile devices

Stakeholder requirements and the mechanisms they call for (different expectations compared to PCs):
- Mobile network operators: subsidy locks → immutable ID; copy protection → device authentication, app separation
- End users: reliability → app separation; theft deterrence → immutable ID; privacy → app separation
- Regulators: RF type approval → secure storage; theft deterrence → immutable ID
- Closed → open

Early adoption of platform security

Different starting points compared to PCs: widespread use of hardware and software platform security on mobile devices.
Figure: timeline 2001–2008; standards referenced: GSM 02.09 (1993), 3GPP TS 42.009 (2001).

Historical perspective

Figure: timeline 1970–2010 across three tracks (computer security, mobile security, smart card security). Items on it: Cambridge CAP, VAX/VMS, reference monitor, protection rings, simple smart cards, Java Card platform, Java security, Trusted Platform Module (TPM), late launch, hardware-assisted secure boot, mobile OS security architectures, TI M-Shield, ARM TrustZone, Mobile Trusted Module (MTM), On-board Credentials, mobile hardware security architectures, GP TEE standards, TPM Mobile, TPM 2.0, Intel SGX. The labels "First part" and "Second part" mark the mobile hardware security architectures and the later standards, matching the two halves of the tutorial.

MOBILE HARDWARE SECURITY: What constitutes a TEE?

TEE overview
1. Platform integrity
2. Secure storage
3. Isolated execution
4. Device identification
5. Device authentication

Figure: mobile device hardware hosting a REE (mobile OS, apps) and a TEE (trusted OS, TEE management layer, trusted applications). The hardware provides the verification root, device key, base identity, volatile and non-volatile memory, cryptographic mechanisms and the boot sequence; a device certificate binds the public device key to the identity.

Secure boot vs. authenticated boot

Figure: in secure boot each stage (boot block, firmware, OS kernel) passes through a checker with a pass/fail decision before the next stage is launched; in authenticated boot each stage passes through a measurer instead of a checker.

Platform integrity

Figure: launch of the boot code is gated by the verification root (trust anchor in hardware), which checks the boot code hash against the boot code certificate (trust anchor in code). Legend used in this and the following figures: trust anchor (hardware), trust anchor (code), cryptographic mechanisms, TEE code, volatile memory, non-volatile memory, boot sequence, external certificate, device key, base identity, trusted application (TA), TEE management, mobile device hardware TCB.

Secure storage

Figure: secure storage is built from the device key held in the mobile device hardware TCB and the TEE code, protecting data kept in non-volatile memory.

Isolated execution

Figure: a trusted application (TA) is entered from the Rich Execution Environment through the TEE management layer; the TA code hash is checked against the TA code certificate before the TA runs in the TEE's volatile memory.

Device identification

Figure: a base identity fixed in the mobile device hardware TCB, and an assigned identity bound to it by an identity certificate.

Device authentication (and remote attestation)

Figure: a device certificate issued under an external trust root binds the device public key to the identity; the device key in the TCB is used to authenticate the device towards an external party.

Hardware security mechanisms (recap)
1. Platform integrity: secure boot; authenticated boot
2. Secure storage
3. Isolated execution
4. Device identification
5. Device authentication: remote attestation

Figure: the combined picture of the previous slides (verification root, boot code certificate and hash, TA code certificate and hash, identity certificate, base and assigned identity, device key and public device key, device certificate, external trust root, TEE entry from the Rich Execution Environment).

TEE system architecture

Figure adapted from: Global Platform. TEE system architecture. 2011. A device runs a rich execution environment (REE: device OS, apps) next to a trusted execution environment (TEE: trusted apps, TEE management layer), connected through the TEE API and a TEE entry, on device hardware and firmware with TEE support.

Architectures with a single TEE: ARM TrustZone, TI M-Shield, smart card, crypto co-processor, TPM
Architectures with multiple TEEs: Intel SGX, TPM (and "Late Launch"), hypervisor

TEE hardware realization alternatives
- Processor Secure Environment (TrustZone, M-Shield)
- On-chip Security Subsystem (TEE core(s), internal peripherals)
- Embedded Secure Element (smart card)
- External Security Co-processor
- External Secure Element (TPM, smart card)

Figure adapted from: Global Platform. TEE system architecture. 2011.

ARM TrustZone architecture

Figure (TrustZone hardware architecture): a system on chip (SoC) with main CPU, boot ROM, on-chip memory, modem and peripherals (touchscreen, USB, NFC); access control hardware sits in front of on-chip memory, off-chip/main memory (DDR) and peripherals, and the SoC internal bus carries the Secure/Normal World status flag.

Figure (TrustZone system architecture): Normal World with mobile OS and apps, Secure World with trusted OS and trusted apps, and a TEE entry between them, on the device hardware.

TrustZone overview
- Secure World (SW): SCR.NS = 0; Normal World (NW): SCR.NS = 1
- Each world has a user mode and a privileged (supervisor) mode
- Monitor mode handles world switches, entered via the Secure Monitor Call (SMC); the boot sequence starts in the Secure World and sets SCR.NS := 1 to enter the Normal World
- Address space controllers and a TZ-aware MMU partition the physical address range (on-chip ROM, on-chip RAM, main memory (DDR)) with per-world access rights (e.g. SW RW / NW NA for on-chip memory, SW RW / NW RW for DDR)

TrustZone example (1/2)
1. Boot begins in Secure World Supervisor mode at the boot vector in on-chip ROM: set access control
2. Copy code (trusted OS) and keys (device key) from on-chip ROM to on-chip RAM
3. Configure the address controller to protect on-chip memory (on-chip ROM and RAM: SW RW, NW NA)
4. Prepare for Normal World boot: place the boot loader in main memory (DDR), which is SW RW, NW RW

TrustZone example (2/2)
5. Jump to Normal World Supervisor for a traditional boot; an ordinary boot follows: set up MMU, load OS, drivers (on-chip ROM is now SW NA, NW NA; on-chip RAM stays SW RW, NW NA)
6. Set up trusted application execution: Normal World user and supervisor code place the trusted app and its parameters in main memory (DDR), which is SW RW, NW RW
7. Execute the trusted application: an SMC switches through the Monitor (NS := 0) into the Secure World

Mobile TEE deployment
- TrustZone support available in the majority of current smartphones
- Mainly used for manufacturer-internal purposes: DRM, subsidy lock
- Third-party APIs emerging

Figure: Normal World (mobile OS, apps) and Secure World (trusted OS, trusted apps) with a TEE entry, on the smartphone hardware.

APPLICATION DEVELOPMENT: Mobile hardware security APIs

Mobile hardware security APIs
1. Standardized key stores: JSR 177, PKCS #11
2. Proprietary hardware key stores: iOS Key Store, Android Key Store
3. Programmable TEE "credential platforms": On-board Credentials, Trustonic TEE API

Android Key Store API

Android Key Store example (the "..." elisions are the slide's own):

    // create RSA key pair
    Context ctx;
    KeyPairGeneratorSpec spec = new KeyPairGeneratorSpec.Builder(ctx)
            .setAlias("key1") ... .build();
    KeyPairGenerator gen = KeyPairGenerator.getInstance("RSA", "AndroidKeyStore");
    gen.initialize(spec);
    KeyPair kp = gen.generateKeyPair();

    // use private key for signing
    AndroidRsaEngine rsa = new AndroidRsaEngine("key1", true);
    PSSSigner signer = new PSSSigner(rsa, ...);
    signer.init(true, ...);
    signer.update(signedData, 0, signedData.length);
    byte[] signature = signer.generateSignature();

Elenkov. Credential storage enhancements in Android 4.3. 2013.

Android Key Store implementation (selected devices)

Figure: Android 4.3 on ARM with TrustZone (Nexus 4, Nexus 7). In the Normal World, Android apps use the Java Cryptography Extensions (JCE) and the Android OS reaches the Secure World through libQSEEcomAPI.so. In the Secure World, the Qualcomm Secure Execution Environment (QSEE) runs the Keymaster trusted app behind the TEE entry. Keymaster operations: GENERATE_KEYPAIR, IMPORT_KEYPAIR, SIGN_DATA, VERIFY_DATA. Persistent storage is on the Normal World side.

Elenkov. Credential storage enhancements in Android 4.3. 2013.

Android Key Store
- Available operations: signatures; encryption/decryption
- Developers cannot utilize the programmability of mobile TEEs: not possible to run arbitrary trusted applications
- A different API abstraction and architecture is needed

On-board Credentials goal

An open credential platform that enables existing mobile TEEs. Secure yet inexpensive?

Design constraints:
- Open provisioning model
- Limited secure (on-chip) memory
- No access control architecture within the TEE

On-board Credentials (ObC) architecture

Figure: in the REE, apps call the ObC API (provisioning, execution, sealing) through a driver in the mobile OS. In the TEE, the ObC scheduler loads trusted apps into the ObC Interpreter, which runs the interpreted code with interpreter state, I/O data, per-app dynamic state and a per-app persistent store, on mobile device hardware with TEE support.

Ekberg. Securing Software Architectures for Trusted Processor Environments. Dissertation, Aalto University 2013.
Kostiainen. On-board Credentials: An Open Credential Platform for Mobile Devices. Dissertation, Aalto University 2012.

Centralized provisioning vs. open provisioning

Figure: in centralized provisioning (smart card, Trustonic) every service provider goes through a central authority to reach the service user's device; in open provisioning (On-board Credentials) each service provider provisions the service user's device directly.

Open provisioning model

Service provider side:
- Pick a new 'family key' FK
- Encrypt the family key: Enc(PK, FK)
- Encrypt and authenticate secrets: AuthEnc(FK, secret)
- Authorize trusted applications: AuthEnc(FK, hash(app))

User device side (holds a certified device key PK):
1. Certified device key + user authentication → PK
2. Provision new family: Enc(PK, FK) → establish a new security domain (family)
3. Provision new secrets: AuthEnc(FK, secret) → install secrets, associate them to the family
4. Provision trusted applications: AuthEnc(FK, hash(app)) + app → install trusted apps, grant access to secrets

Principle of same-origin policy.

Kostiainen, Ekberg, Asokan and Rantala. On-board Credentials with Open Provisioning. ASIACCS 2009.

On-board Credentials development
- Trusted application development: BASIC-like scripting language; common crypto primitives available (RSA, AES, SHA)
- REE application counterpart: standard smartphone app (Windows Phone); ObC API: provisioning, trusted application execution

ObC counterpart application pseudo code:

    // install provisioned credential
    secret = obc.InstallSecret(provSecret)
    app = obc.InstallCode(provApplication)
    credential = obc.CreateCredential(secret, app, authData)
    // run installed credential
    output = obc.RunCredential(credential, input)

ObC trusted application extract (quote operation towards the service provider):

    rem --- Quote operation
    if mode = MODE_QUOTE
      read_array(IO_SEALED_RW, 2, pcr_10)
      read_array(IO_PLAIN_RW, 3, ext_nonce)
      rem --- Create TPM_PCR_COMPOSITE
      pcr_composite[0] = 0x0002   rem --- sizeOfSelect = 2
      pcr_composite[1] = 0x0004   rem --- PCR 10 selected (00 04)
      pcr_composite[2] = 0x0000   rem --- PCR selection size = 20
      pcr_composite[3] = 0x0014
      append_array(pcr_composite, pcr_10)
      sha1(composite_hash, pcr_composite)
      rem --- Create TPM_QUOTE_INFO
      quote_info[0] = 0x0101      rem --- version (major/minor)
      quote_info[1] = 0x0000      rem --- (revMajor/Minor)
      quote_info[2] = 0x5155      rem --- fixed ('Q' and 'U')
      quote_info[3] = 0x4F54      rem --- fixed ('O' and 'T')
      append_array(quote_info, composite_hash)
      append_array(quote_info, ext_nonce)
      write_array(IO_PLAIN_RW, 1, pcr_composite)
      rem --- Hash QUOTE_INFO for MirrorLink PA signing
      sha1(quote_hash, quote_info)
      write_array(IO_PLAIN_RW, 2, quote_hash)

Example application: MirrorLink attestation
- The MirrorLink system enables smartphone services in an automotive context
- The car head-unit needs to enforce driver distraction regulations
- Attestation protocol: defined using TPM structures (part of the MirrorLink standard); implemented as an On-board Credentials trusted application (deployed to Nokia devices)

Figure: 1. attestation request from the car head-unit to the smartphone (with ObC); 2. attestation response; 3. the head-unit enforces driver distraction rules. http://www.mirrorlink.com

Kostiainen, Asokan and Ekberg. Practical Property-Based Attestation on Mobile Devices. TRUST 2011.

TEE use cases. Example application: public transport ticketing
- Mobile ticketing with NFC and TEE
- 110-traveler trial in New York (summer 2012)
- Implemented as an On-board Credentials trusted application, deployed to Nokia devices

Figure: the phone produces transaction evidence (an authenticated counter as an ObC app) towards offline and online terminals, which report to the transport authority's accounting system.

Ekberg and Tamrakar. Tapping and Tripping with NFC. TRUST 2013

Application development summary
- Previously mainly internal purposes: DRM, subsidy lock
- Third-party APIs have started to emerge: Android KeyStore (TrustZone); Trustonic security API
- Research for open TEEs: On-board Credentials with open provisioning
- Standardization would help developers

Figure: mobile device with REE (mobile OS, apps) and TEE (trusted OS, trusted apps, TEE entry) on the device hardware.

BREAK: See you in 10 minutes

Trustonic t-base TEE
- L4: minimized kernel: IPC, scheduling, MMU
- Run-Time Manager: installation, I/O
- Crypto driver: key access, crypto, RNG, secure storage
- Smart-card like provisioning and life-cycle model for TAs
- Global Platform compatibility

Figure: the Run-Time Manager (content management, security domain management, TA management, boot assertions) and system and 3rd-party TAs run on the kernel (monitor, scheduler, handler extensions, MMU); the crypto and other drivers reach keys, accelerators and devices.

t-base TA invocation

Figure: a rich-world application calls mcOpenSession(void *, int len, ...) and optionally mcMap(void *, int len), which yields a secure-side virtual address (void *secVirt); the Run-Time Manager starts the trusted application at void tlMain(addr tciBuffer, int tciBufferLen). The TCI buffer (1 MB) and an optional 1 MB mapping are shared between the rich-world process (user space, kernel, VMM manager, rich-world MMU) and the TA (1 MB of stack, code and bss behind the secure-world MMU) through physical memory.

Code Example: Rich World
1. Open connection to TEE
2. Open session: provide TA; opt.: provide shared memory
3. Communicate
4. Terminate session and connection

    #define CMD_GENKEY 1

    static TEEC_Result Run(TEEC_Session *session, unsigned char *pData)
    {
        TEEC_Result nError;
        TEEC_Operation sOperation;

        /* step 3: one command with a 512-byte in/out buffer as parameter 0 */
        memset(&sOperation, 0, sizeof(TEEC_Operation));
        sOperation.paramTypes = TEEC_PARAM_TYPES(TEEC_MEMREF_TEMP_INOUT, TEEC_NONE,
                                                 TEEC_NONE, TEEC_NONE);
        sOperation.params[0].tmpref.buffer = pData;
        sOperation.params[0].tmpref.size = 512;
        nError = TEEC_InvokeCommand(session, CMD_GENKEY, &sOperation, NULL);
        return nError;
    }

Code Example: Secure World
1. Provide handlers for: instantiation / unload; session open / close
2. Provide code for the function that is called

    #define CMD_GENKEY 1

    TEE_Result TA_InvokeCommandEntryPoint(void *pSessionContext, uint32_t nCommandID,
                                          uint32_t nParamTypes, TEE_Param pParams[4])
    {
        switch (nCommandID) {
        case CMD_GENKEY:
            /* check that the caller passed the expected parameter types */
            if (nParamTypes != CMD_GENKEY_PTYPES) { ... }
            pInput = pParams[0].memref.buffer;
            size = (uint32_t)pParams[0].memref.size;
            /* check that the shared buffer is really accessible to the TA */
            if (TEE_CheckMemoryAccessRights(...)) { ... }
            TEE_AllocateTransientObject(TEE_TYPE_RSA_KEYPAIR, maxObjectSize, &keyObj);
            TEE_GenerateKey(keyObj, 2048, NULL, 0);
            TEE_GetObjectBufferAttribute(keyObj, TEE_ATTR_RSA_MODULUS, ...);
            TEE_FreeTransientObject(keyObj);
            return TEE_SUCCESS;
        ...
        }
    }

t-base demo
- Run a dev-board so that we can see the activity

Figure: Arndale board (www.arndaleboard.org) with a Samsung Exynos 5250 ("Google Nexus 10"), running Android in the Normal World and the trusted OS in the Secure World behind the TEE entry; the Android command line is shown in a console.

Application development summary
- Previously mainly internal purposes: DRM, subsidy lock
- Third-party APIs have started to emerge: Android KeyStore (TrustZone); Trustonic t-base
- Research for open TEEs: On-board Credentials with open provisioning
- Standardization would help developers

Figure: mobile device with REE (mobile OS, apps) and TEE (trusted OS, trusted apps, TEE entry) on the device hardware.



STANDARDIZATION: NIST guidelines, Global Platform, Trusted Computing Group, Jedec

TEE-related standards and specifications
- First versions of standards already out
- Needed for compliance/interoperability
- Enables app developers to leverage TEEs

Figure: a Trusted Execution Environment decomposed into code execution (and provisioning), functional API, OS, secure boot, storage (RPMB), isolation and integrity, each covered by its own standards.

EFI SECURE BOOT

UEFI – boot principle
- Replacement for BIOS; Secure Boot is an optional feature
- Boot flow: firmware init → EFI drivers (driver firmware setup; things that e.g. set up the device, like TZ) → EFI applications → OS loaders (boot loaders) → OS

Unified Extensible Firmware Interface Specification
Nyström et al: UEFI Networking and Pre-OS security (2011)

UEFI – secure boot

Key management for updates (ref: UEFI spec), built up over three slides:
- Platform Key (pub/priv): held in tamper-resistant platform firmware key storage; updates governed by the platform key
- Key Exchange Keys: the keys allowed to update the databases
- Signature Database(s): tamper-resistant (rollback prevention); updates governed by the keys; white list / black list for images
- Image Information Table: hash, name, path; initialized / rejected; records successful and failed authorizations

ROOTS OF TRUST (HARDWARE ANCHORS)

Guidelines on Hardware-Rooted Security in Mobile Devices (SP 800-164, draft)

Required security components are:
a) Roots of Trust (RoT)
b) an application programming interface (API) to expose the RoT to the platform
c) a Policy Enforcement Engine (PEnE)

"RoTs are preferably implemented in hardware"

Secure capabilities built from Roots of Trust

Figure: applications and the operating system rest on device integrity, which is built from the Roots of Trust: RoT for Storage, RoT for Verification, RoT for Integrity, RoT for Reporting, RoT for Measurement.
Picture: Andrew Regenscheid, NIST/Computer Security Division

ARM TrustZone + Secure Boot + Secrets = RoT?
1. Secure boot → Root of Trust for Verification
2. Measuring in secure boot → Root of Trust for Measurement
3. Device key + code in TZ TEE → Root of Trust for Reporting
4. TEE secure memory → Root of Trust for Integrity
5. Device key + TEE → most of Root of Trust for Storage; no easy rollback protection

Figure: Trusted Execution Environment (TEE) with storage, isolation and integrity.

GLOBALPLATFORM (specifications: www.globalplatform.org)

Global Platform

Most of the smart-card based ecosystems around authentication, payment and ticketing make use of Global Platform standards:
- For card interaction and provisioning protocols
- For reader terminal architecture and certification

The Global Platform Device Committee specifies architecture and interfaces for a trusted operating system in a device:
- TEE System Architecture
- TEE Client API Specification v1.0
- TEE Internal API Specification v1.0
- Trusted User Interface API v1.0

Global Platform in industry

Figure: rich-world apps reach security enablers / service APIs (PKCS#11, PC/SC, JSRs, TPM APIs (TSS, TDDLI), ISO 7816, GP Client APIs) above GlobalPlatform smart cards and TPMs, with OMA, ETSI/3GPP and EMV as the surrounding industry bodies.

Global Platform Device Architecture
- API to communicate with the TEE
- System interface library (libc ...) for Trusted Applications with RPC, crypto and necessary I/O

Figure: the "Rich Execution Environment" (OS, applications) uses the TEE Client API v1.0; a Trusted Application on the Trusted Operating System uses the TEE Internal API v1.0 (secure storage, crypto, I/O, RPC) and the Trusted User Interface API v1.0.

Eventually, these APIs may become the reference model for writing code for and interacting with a TEE. Missing pieces still include provisioning and compliance aspects.

Interaction with a TEE (GP) -- caller
(adapted from example in TEE Client API specification)

    result = TEEC_InitializeContext(NULL, &context);
    result = TEEC_OpenSession(&context, &session, &cryptoTEEApp, TEEC_LOGIN_USER,
                              NULL, NULL, NULL);
    commsSM.size = 20;
    commsSM.flags = TEEC_MEM_INPUT | TEEC_MEM_OUTPUT;
    result = TEEC_AllocateSharedMemory(&context, &commsSM);
    // omitted: registration of additional shared memory for in-place encryption of data

    // Setting up parameters
    operation.paramTypes = TEEC_PARAM_TYPES(TEEC_VALUE_INPUT, TEEC_MEMREF_PARTIAL_INPUT,
                                            TEEC_NONE, TEEC_NONE);
    ivPtr = (uint8_t *)commsSM.buffer; memset(ivPtr, 0, 16);  // Set input (IV)
    operation.params[0].value.a = 1;                           // Set input (key handle 1)
    operation.params[1].memref.parent = &commsSM;
    operation.params[1].memref.offset = 0;
    operation.params[1].memref.size = 20;
    result = TEEC_InvokeCommand(&session, CMD_ENCRYPT_INIT, &operation, NULL);

Figure: the command CMD_ENCRYPT_INIT crosses into the TEE with parameters Val:1, Ref (the shared memory), N/A, N/A.

Interaction with a TEE (GP) -- callee

Mandatory handler functions:

    // Constructor / Destructor
    TEE_Result TA_CreateEntryPoint(void);
    void TA_DestroyEntryPoint(void);
    // *session may point to any memory chosen by the TA
    TEE_Result TA_OpenSessionEntryPoint(uint32_t param_types, TEE_Param params[4], void **session);
    void TA_CloseSessionEntryPoint(...);

    TEE_Result TA_InvokeCommandEntryPoint(void *session, uint32_t cmd,
                                          uint32_t param_types, TEE_Param params[4])
    {
        switch (cmd) {
        case CMD_ENCRYPT_INIT:
            ...
        }
    }

Figure: the command arrives with parameters Val:1, Ref, N/A, N/A.

Interaction with a TEE (GP)
- The TA gets a pointer to shared memory in the caller's context
- Efficient mechanism for in-place encryption / decryption etc.
- The TA programmer must be aware of differences in memory references

Ekberg et al, Authenticated Encryption Primitives for Size-Constrained Trusted Computing, TRUST 2012

Figure: a "normal" application using the TEE Client API v1.0 in the "Rich Execution Environment"; a trusted application using the TEE Internal API v1.0 on the Trusted Operating System (secure storage, crypto, I/O, RPC).

Storage and RPC (GP TEE internal API)

Secure storage: memory / objects in a TA can be persistently stored

    TEE_CreatePersistentObject(TEE_STORAGE_PRIVATE, objID, objIDLen, flags, attributes, ..., handle);
    TEE_ReadObjectData(handle, buffer, size, count);   // count = bytes read
    TEE_WriteObjectData(handle, buffer, size);
    TEE_SeekObjectData(handle, offset, ref);
    TEE_TruncateObjectData(handle, size);

The handle acts as a "file pointer"; the object identifier and metadata are stored with the object.

RPC: communication with other TAs

    TEE_OpenTASession(TEE_UUID *destination, ..., paramTypes, params[4], &session);
    TEE_InvokeTACommand(session, ..., commandId, paramTypes, params[4]);

(The invocation calls the same interface as the one used for external calls)

Trusted path to user (GP)
- Trustworthy user interaction needed: provisioning; user authentication; transaction confirmation
- Trusted User Interface API 1.0: set up widget structures; call TEE_TUIDisplayScreen; collect results
- Only for I/O directly wired to the trusted OS

Figure: REE (mobile OS, apps) and TEE (trusted OS, trusted apps, TEE entry) on the smartphone hardware.

GP user-centric provisioning model
- User-centric provisioning white paper
- Figure: the traditional model (issuer / service provider, service manager, service provider) contrasted with user-centric provisioning
- The GP device committee is working on a TEE provisioning specification

JEDEC (specifications: www.jedec.org)

JEDEC RPMB in e·MMC v4.41 and v4.5
- Jedec is primarily known for standards like DDR, MMC, UFS, but is important esp. in microelectronics
- RPMB: Replay-Protected Memory Block: a separate partition in the MMC (next to Boot 1 and Boot 2)
- Authenticated channel between the TEE and the RPMB: memory writes/reads protected with HMAC-SHA256 under a shared AuthKey
- Random values for freshness (read); Write Counter binding for replay protection (write)
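The authenticated channel described above, modelled as an added example (not code from the slides or from JEDEC): HMAC-SHA256 under a shared AuthKey, a write counter that binds each write against replay, and a host nonce that keeps reads fresh. The frame field layout and the "COUNTER"/"WRITE"/"READ" tags are constructed simplifications, not the exact e.MMC data frame; the key and data are constructed sample input.

```python
"""Simplified RPMB model: HMAC-SHA256 authentication, write-counter replay
protection, nonce-fresh reads. Frame layout and tags are constructed, not the
exact e.MMC frame format."""
import hashlib
import hmac
import os
import struct

BLOCK_LEN = 256   # data bytes per RPMB frame (e.MMC uses 256-byte half sectors)
NONCE_LEN = 16    # constructed nonce length for freshness


def rpmb_mac(key: bytes, *fields: bytes) -> bytes:
    """HMAC-SHA256 over the concatenated frame fields, as the slide states."""
    return hmac.new(key, b"".join(fields), hashlib.sha256).digest()


class RpmbPartition:
    """Device side: the replay-protected partition inside the MMC."""

    def __init__(self, auth_key: bytes):
        self._key = auth_key        # AuthKey programmed once, shared with the TEE
        self.write_counter = 0      # monotonic, advanced only by authenticated writes
        self._blocks = {}

    def read_counter(self, nonce: bytes):
        """Authenticated counter read; the MAC binds the host's nonce to the counter."""
        return self.write_counter, rpmb_mac(self._key, b"COUNTER", nonce, struct.pack(">I", self.write_counter))

    def write(self, addr: int, data: bytes, counter: int, mac: bytes) -> bool:
        """Accept only if the MAC verifies and the frame's counter equals the device
        counter: a captured frame resent later fails the counter check."""
        expected = rpmb_mac(self._key, b"WRITE", struct.pack(">HI", addr, counter), data)
        if not hmac.compare_digest(expected, mac):
            return False            # wrong key or tampered frame
        if counter != self.write_counter or len(data) != BLOCK_LEN:
            return False            # stale frame (replay) or malformed
        self._blocks[addr] = bytes(data)
        self.write_counter += 1
        return True

    def read(self, addr: int, nonce: bytes):
        """Return data, current counter and a MAC covering the host's nonce."""
        data = self._blocks.get(addr, bytes(BLOCK_LEN))
        return data, self.write_counter, rpmb_mac(self._key, b"READ", nonce, struct.pack(">HI", addr, self.write_counter), data)


class TeeRpmbClient:
    """Host side: trusted OS code holding the same AuthKey (slide: TEE <-> RPMB)."""

    def __init__(self, auth_key: bytes, part: RpmbPartition):
        self._key = auth_key
        self._part = part

    def _fresh_counter(self) -> int:
        nonce = os.urandom(NONCE_LEN)
        counter, mac = self._part.read_counter(nonce)
        expected = rpmb_mac(self._key, b"COUNTER", nonce, struct.pack(">I", counter))
        if not hmac.compare_digest(expected, mac):
            raise RuntimeError("counter response failed authentication")
        return counter

    def write(self, addr: int, data: bytes):
        """Send one authenticated write frame; the frame is also returned so the demo
        can show that resending it is rejected."""
        counter = self._fresh_counter()
        mac = rpmb_mac(self._key, b"WRITE", struct.pack(">HI", addr, counter), data)
        frame = (addr, data, counter, mac)
        return self._part.write(*frame), frame

    def read(self, addr: int):
        """Nonce-fresh read: returns the data only if the response MAC covers our nonce."""
        nonce = os.urandom(NONCE_LEN)
        data, counter, mac = self._part.read(addr, nonce)
        expected = rpmb_mac(self._key, b"READ", nonce, struct.pack(">HI", addr, counter), data)
        return data if hmac.compare_digest(expected, mac) else None


def demo() -> dict:
    auth_key = bytes(range(32))                        # constructed 256-bit AuthKey
    part = RpmbPartition(auth_key)
    tee = TeeRpmbClient(auth_key, part)
    ok1, frame1 = tee.write(1, b"\x11" * BLOCK_LEN)   # e.g. a TEE rollback counter
    ok2, _ = tee.write(1, b"\x22" * BLOCK_LEN)        # legitimate update
    replayed = part.write(*frame1)                     # first frame resent verbatim
    forged = part.write(1, b"\x33" * BLOCK_LEN, part.write_counter, bytes(32))
    return {"writes_ok": ok1 and ok2, "replay_accepted": replayed, "forged_accepted": forged,
            "counter": part.write_counter, "read_back": tee.read(1)}
```

Run demo(): both legitimate writes are accepted, the replayed and forged frames are rejected, and the read returns the latest block.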

TRUSTED COMPUTING GROUP: TPM / TPM2 / TPM Mobile (specifications: www.trustedcomputinggroup.org)

TCG Trusted Platform Module (TPM)
- An application interface to secure services
- Deployed to hundreds of millions of PCs and laptops (v1.2 chip, drivers)
- A potential way for applications and OS services to interact with platform security

TPM
- A component that collects state and is separate from the system on which it reports
- Relies on Roots of Trust
- For remote parties: remote attestation in a well-defined manner; authorization for functionality provided by the TPM
- Locally: key generation and key use with TPM-resident keys; secure binding with encryption, as well as non-volatile storage; an engine for encryption / decryption and signing, also for hash algorithms and symmetric ciphers

A TPM is NOT
- An enforcing component or mechanism for services outside the TPM
- An eavesdropping channel for remote monitoring

HOWEVER: Secure Boot (GP TEE or TPM) can potentially be used to violate privacy; alternatively, it can be used to protect user privacy

Platform Configuration Register (PCR)
- Measurement aggregation for eventual binding or attestation
- A given expected PCR value can ONLY be reached by a correct extension sequence
- In an aggregate with a trustworthy root, any divergence in reported events causes an irrevocable change in the eventual PCR value

Figure (authenticated boot): the root of trust for measurement (RTM) measures m1, sends m1 to the TPM and launches code 1; code 1 measures m2, sends m2 to the TPM and launches code 2; code 2 measures m3, sends m3 to the TPM and launches code 3. Each extend computes H := H(new || H_old), so the final value is H = H(m3 || H(m2 || H(m1))), starting from H(0) = 0. Remote attestation: SIG(chall, PCR value).
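The extend chain above and the TPM_PCR_COMPOSITE / TPM_QUOTE_INFO layout from the MirrorLink ObC extract (slide 34), worked through as an added example (not code from the tutorial, ObC or any TPM implementation): extend follows the slide's H(new || H_old) convention, and the boot stages and verifier nonce are constructed sample input.

```python
"""PCR extend chain (slide notation H := H(new || H_old)), the TPM 1.2
TPM_PCR_COMPOSITE / TPM_QUOTE_INFO layout for PCR 10 that the ObC quote
extract builds, and a verifier that replays an event log against a quote."""
import hashlib
import struct

PCR_LEN = 20                      # SHA-1 digest size: TPM 1.2 PCRs are 20 bytes
PCR_INITIAL = bytes(PCR_LEN)      # "H(0) = 0": the PCR starts as all zeros


def sha1(data: bytes) -> bytes:
    return hashlib.sha1(data).digest()


def extend(pcr: bytes, measurement: bytes) -> bytes:
    """One PCR extend as drawn on the slide: H := H(new || H_old).
    (A real TPM 1.2 hashes in the order H(H_old || new); the chaining
    argument is the same either way.)"""
    return sha1(measurement + pcr)


def replay_event_log(event_log: list) -> bytes:
    """Recompute the PCR value that a sequence of measurements must produce.
    Each event is one measurement m_i (here: SHA-1 of the code launched next)."""
    pcr = PCR_INITIAL
    for m in event_log:
        pcr = extend(pcr, m)
    return pcr


def pcr_composite(pcr10: bytes) -> bytes:
    """TPM_PCR_COMPOSITE selecting only PCR 10, laid out as in the ObC extract:
    sizeOfSelect = 0x0002, pcrSelect = 00 04 (bit 2 of byte 1 = PCR 10),
    valueSize = 0x00000014 (20), followed by the PCR value itself."""
    return struct.pack(">HHI", 2, 0x0004, PCR_LEN) + pcr10


def quote_info(pcr10: bytes, ext_nonce: bytes) -> bytes:
    """TPM_QUOTE_INFO: version 1.1.0.0, fixed 'QUOT', SHA-1 of the composite,
    then the verifier's 20-byte external nonce (anti-replay)."""
    if len(ext_nonce) != PCR_LEN:
        raise ValueError("TPM_QUOTE_INFO carries a 20-byte externalData nonce")
    return bytes([0x01, 0x01, 0x00, 0x00]) + b"QUOT" + sha1(pcr_composite(pcr10)) + ext_nonce


def quote_hash(pcr10: bytes, ext_nonce: bytes) -> bytes:
    """The value the trusted application hands out for signing (sha1(quote_hash, quote_info))."""
    return sha1(quote_info(pcr10, ext_nonce))


def verify_quote(event_log: list, ext_nonce: bytes, reported_quote_hash: bytes) -> bool:
    """Verifier side: replay the claimed boot events into an expected PCR 10, rebuild
    TPM_QUOTE_INFO with its own nonce and compare. The signature check over the
    quote hash (omitted here) completes remote attestation."""
    expected_pcr = replay_event_log(event_log)
    return quote_hash(expected_pcr, ext_nonce) == reported_quote_hash


def demo() -> dict:
    # Constructed sample boot chain: three stages measured before launch, as on the slide
    stages = [b"boot block v1", b"firmware v1", b"os kernel v1"]
    event_log = [sha1(code) for code in stages]          # m1, m2, m3
    nonce = bytes(range(PCR_LEN))                         # constructed verifier nonce

    # Device side: PCR 10 after the three extends, then the quote hash
    pcr10 = replay_event_log(event_log)
    q = quote_hash(pcr10, nonce)

    # Verifier side: honest log, one swapped stage, reordered stages, wrong nonce
    tampered_log = [event_log[0], sha1(b"firmware v1 (modified)"), event_log[2]]
    return {
        "composite_len": len(pcr_composite(pcr10)),
        "honest_ok": verify_quote(event_log, nonce, q),
        "tampered_ok": verify_quote(tampered_log, nonce, q),
        "reordered_ok": verify_quote([event_log[1], event_log[0], event_log[2]], nonce, q),
        "stale_nonce_ok": verify_quote(event_log, bytes(PCR_LEN), q),
    }


if __name__ == "__main__":
    print(demo())
```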

TPM Mobile (Mobile Trusted Module)

A TPM profile for mobile devices (v1.2 & v2) that adds mechanisms for:
- Adaptation to TEEs: new RoT definitions and requirements for TEE adaptation
- Multi-Stakeholder Model (MSM): Rich Application – Trusted Application – TPM relation; measurements, lifecycle models; relations between different "types" of TPM mobiles
- "Certified boot": secure boot with TCG authorizations (RIM Certificates → TPM2 authorization)

TPM Mobile on GP TEE (Whitepaper: TPM on GP TEE)
- Do GP TEEs provide the needed functionality?
- Do GP TEEs provide the needed security assurance?

Figure: rich apps use the TPM Client API and TEE Client API on the mobile OS; the TPM and other TAs use the TEE Internal API and TEE trusted UI on the trusted OS; RoTs for Storage, Verification, Integrity, Measurement and Reporting sit in the smartphone hardware and the TEE entry.

TPM Mobile Multi-Stakeholder Model (MSM)
- A TEE can host a number of "simultaneous" TPMs
- One TPM (platform) is needed for OS services, say secure boot
- Most applications do not need dedicated code (a TA) in the TEE, but they may need secure storage, state-aware keys, and attestation for those

Figure: "normal" applications with a TPM TSS on the "rich platform"; a platform TPM and application-specific TPMs alongside TAs on the Trusted Operating System (secure storage, crypto, I/O, RPC).

TPM authorization
- Many users of varying security levels
- System state awareness is fundamental to TPMs; it sets TPMs apart from e.g. removable smartcards
- To implement any TPM service that enforces control, authorization is essential

Authorization (policy): TPM 1.x

Figure: an object (e.g. key) in the TPM carries an object invocation ruleset; object authorization combines external auth (e.g. a password) with system state info. MTM added key authorization, but only for PCRs.

Authorization (policy): TPM2

Figure: object authorization against a reference value (authValue); commands include some part of TPM2 (system) state in policy validation; a session accumulates system state info and references to other TPM objects before the object (e.g. key) is invoked.

TPM2 Policy Session
- Different types of preconditions can be part of an authorization policy (session)
- In addition, logical relations should be applicable on the set of atomic preconditions that constitutes the policy (AND, OR)
- A policy session accumulates all policy information needed to make the authorization decision

TPM2 Policy Session Contents
- An accumulated session policy value called policyDigest:
  newDigestValue := H(oldDigestValue || policyCommand || stateinfo)
- Some policy commands reset the value:
  IF condition THEN newDigestValue := H(0 || policyCommand || stateinfo)
- Session also contai
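The policyDigest accumulation above, with a PCR-bound precondition and one reset-type command (an OR over alternative branches), as an added example (not code from the slides or from a TPM2 implementation); the command labels and SHA-256 are constructed stand-ins for the real TPM2 command codes and hash algorithm, and the PCR values are constructed.

```python
"""policyDigest accumulation, newDigest := H(oldDigest || policyCommand || stateinfo),
with a PCR-bound precondition and a reset-type OR command. Command labels and
SHA-256 are constructed stand-ins for TPM2 command codes and hash algorithm."""
import hashlib
import hmac

ZERO_DIGEST = bytes(32)     # every policy session starts from zero


def H(*parts: bytes) -> bytes:
    return hashlib.sha256(b"".join(parts)).digest()


class PolicySession:
    """Accumulates the preconditions actually asserted; sequence acts as AND."""

    def __init__(self):
        self.policy_digest = ZERO_DIGEST

    def policy_pcr(self, pcr_index: int, pcr_value: bytes) -> None:
        """State-bound precondition: absorbs the PCR value the TPM sees now, so the same
        commands run in a different system state produce a different digest."""
        self.policy_digest = H(self.policy_digest, b"PolicyPCR", bytes([pcr_index]), pcr_value)

    def policy_password(self) -> None:
        """Deferred precondition: records that the authValue must be proven at use time;
        the digest never contains the password itself."""
        self.policy_digest = H(self.policy_digest, b"PolicyPassword")

    def policy_or(self, branches: list) -> None:
        """Reset-type command: only valid if the branch accumulated so far is one of the
        alternatives; then newDigest := H(0 || policyCommand || all branch digests)."""
        if self.policy_digest not in branches:
            raise PermissionError("current branch is not one of the OR alternatives")
        self.policy_digest = H(ZERO_DIGEST, b"PolicyOR", *branches)


def trial_digest(*steps) -> bytes:
    """Trial session: precompute a branch digest the way an object's authPolicy is
    computed at creation, with no live state involved."""
    s = PolicySession()
    for step in steps:
        step(s)
    return s.policy_digest


def authorized(object_auth_policy: bytes, session: PolicySession) -> bool:
    """The object is usable only if the session digest equals its stored authPolicy."""
    return hmac.compare_digest(object_auth_policy, session.policy_digest)


def demo() -> dict:
    good_pcr7 = H(b"constructed: trusted boot chain")     # constructed PCR 7 values
    bad_pcr7 = H(b"constructed: modified boot chain")

    # Key usable either (A) when PCR 7 shows the trusted chain, or (B) with a password.
    branch_a = trial_digest(lambda s: s.policy_pcr(7, good_pcr7))
    branch_b = trial_digest(lambda s: s.policy_password())
    auth_policy = H(ZERO_DIGEST, b"PolicyOR", branch_a, branch_b)

    s_good = PolicySession()                 # good state: PCR step, then OR
    s_good.policy_pcr(7, good_pcr7)
    s_good.policy_or([branch_a, branch_b])

    s_bad = PolicySession()                  # bad state: PCR step lands outside the OR list
    s_bad.policy_pcr(7, bad_pcr7)
    try:
        s_bad.policy_or([branch_a, branch_b])
        bad_rejected = False
    except PermissionError:
        bad_rejected = True

    s_pw = PolicySession()                   # password branch, no PCR condition
    s_pw.policy_password()
    s_pw.policy_or([branch_a, branch_b])

    return {"good_state_authorized": authorized(auth_policy, s_good),
            "bad_state_rejected_at_or": bad_rejected,
            "bad_state_authorized": authorized(auth_policy, s_bad),
            "password_branch_authorized": authorized(auth_policy, s_pw)}
```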
