Trusted execution environment

This allows user-level code to allocate private regions of memory, called enclaves, which are designed to be protected from processes running at higher privilege levels.

In general terms, the TEE offers an execution space that provides a higher level of security for trusted applications running on the device than a rich operating system (OS) and more functionality than a 'secure element' (SE).

If the hash matches, the public key is used to verify a digital signature of trusted vendor-controlled firmware (such as a chain of bootloaders on Android devices or 'architectural enclaves' in SGX).

A nonce is requested by the untrusted party from the verifier's server and is used as part of a cryptographic authentication protocol, proving the integrity of the trusted application.

Because only the platform owner is meant to have access to the data recorded in the foundry, the verifying party must interact with the service set up by the vendor.
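The attestation flow described above (fresh nonce from the verifier, a measurement of the trusted application, a signature that chains to a vendor-vouched platform key) as an added Go example, not code from the original article or from any TEE vendor. It assumes ed25519 as the signing scheme and SHA-256 as the measurement, and the caller supplies a constructed platform key in place of one fused into hardware.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
)

// Quote is what the TEE returns: the hash (measurement) of the trusted
// application, the verifier's nonce, and a platform-key signature over both.
type Quote struct {
	Measurement [32]byte
	Nonce       []byte
	Signature   []byte
}

// NewNonce is the verifier's fresh challenge, binding the quote to this
// session so that a quote captured earlier cannot be replayed.
func NewNonce() ([]byte, error) {
	n := make([]byte, 32)
	_, err := rand.Read(n)
	return n, err
}

// quoteMessage is the exact byte string that is signed and later verified.
func quoteMessage(m [32]byte, nonce []byte) []byte { return append(m[:], nonce...) }

// ProduceQuote models the TEE: measure the loaded code and sign measurement||nonce
// with the platform private key (hardware-held on a real device; a constructed key here).
func ProduceQuote(platformKey ed25519.PrivateKey, code, nonce []byte) Quote {
	m := sha256.Sum256(code)
	return Quote{m, nonce, ed25519.Sign(platformKey, quoteMessage(m, nonce))}
}

// VerifyQuote is the verifier: platformPub is the public key the vendor's
// attestation service vouches for, expected is the known-good measurement.
func VerifyQuote(platformPub ed25519.PublicKey, expected [32]byte, nonce []byte, q Quote) error {
	if !bytes.Equal(q.Nonce, nonce) {
		return errors.New("nonce mismatch: stale or replayed quote")
	}
	if q.Measurement != expected {
		return errors.New("measurement mismatch: unexpected application code")
	}
	if !ed25519.Verify(platformPub, quoteMessage(q.Measurement, q.Nonce), q.Signature) {
		return errors.New("bad signature: not signed by the attested platform key")
	}
	return nil
}
```

A quote that fails any one of the three checks is rejected with a distinct reason, which is what a verifier should log rather than a bare pass/fail.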

For example, using focused ion beams, scanning electron microscopes, microprobing, and chip decapsulation[17][18][19][20][21][22] is difficult, or even impossible, if the hardware is designed in such a way that reverse-engineering destroys the keys.

It allows manufacturers to grant access to TEEs only to software developers who have a (usually commercial) business agreement with the manufacturer, monetizing the hardware's user base. This enables use cases such as tivoization and DRM, and lets certain hardware features be used only with vendor-supplied software, forcing users to accept that software despite its antifeatures, such as ads, tracking, and use-case restrictions imposed for market segmentation.

Premium content protection is a specific use case of digital rights management (DRM) and is controversial among some communities, such as the Free Software Foundation.

With the rise of cryptocurrency, TEEs are increasingly used to implement crypto-wallets, as they offer the ability to store tokens more securely than regular operating systems, and can provide the necessary computation and authentication applications.

The TEE is well-suited for supporting biometric identification methods (facial recognition, fingerprint sensor, and voice authorization), which may be easier to use and harder to steal than PINs and passwords.

The TEE can be used by governments, enterprises, and cloud service providers to enable the secure handling of confidential information on mobile devices and on server infrastructure.

The TEE offers a level of protection against software attacks generated in the mobile OS and assists in the control of access rights.