Skip to main content

Trusted Execution Environment Provisioning

Document Charter Trusted Execution Environment Provisioning WG (teep)
Title Trusted Execution Environment Provisioning
Last updated 2022-03-23
State Approved
WG State Active
IESG Responsible AD Paul Wouters
Charter edit AD Paul Wouters
Send notices to (None)

The Trusted Execution Environment (TEE) is a secure area of a processor. The
TEE provides security features such as isolated execution and integrity of
Trusted Applications, along with provisions for maintaining the confidentiality
of their assets. In general terms, the TEE offers an execution space that
provides a higher level of security than a "rich" operating system
and more functionality than a secure element. For example, implementations of
the TEE concept have been developed by ARM and Intel, using the TrustZone and
the SGX technology, respectively.

To programmatically install, update, and delete applications in a TEE, the
Trusted Execution Environment Provisioning protocol runs between a service
within the TEE on a given device, a relay application or service access point
on the device's network stack and a server-side infrastructure that
interacts with and optionally maintains the applications. Some tasks are
security sensitive and the server side requires information about the device
characteristics in the form of attestation and the device-side may require
information about the server.

Privacy considerations have to be taken into account with authentication
features and attestation.

This working group aims to develop an a protocol providing TEEs with lifecycle
management and security domain management for trusted applications.

A security domain allows a service provider's applications to be isolated
so that one security domain cannot be influenced by another domain, unless the
domain exposes an API to allow inter-domain interactions.

The solution approach must take a wide range of TEE and relevant technologies
into account and will focus on the use of public key cryptography.

The group will produce the following deliverables. The first document is on
architecture, describing the involved entities, their relationships,
assumptions, the keying framework, and relevant use cases. Second, a solution
document that includes the above-described functionality in a protocol will be
developed. The choice of encoding format(s) will be decided in the working
group. The group may document several attestation technologies considering the
different hardware capabilities, performance, privacy, and operational

The group will maintain a close relationship with the IETF SUIT working group,
GlobalPlatform, Trusted Computing Group, and other relevant standards groups to
ensure interoperability, compatibility, and proper use of existing TEE-relevant
application layer interfaces.