Trusty TEE

- [Instructor] We've looked at the concept of hardware-backed security running in a trusted execution environment, or TEE. The use of a TEE in Android isn't new. Android has used the TEE since Version 3.0 to support its digital rights management framework. Trusty TEE is a set of software components provided by the Android Open Source Project which support the use of a TEE on Android mobile devices. It consists of the Trusty operating system and Android libraries and associated drivers to enable communication with trusted applications executed within the Trusty OS.

Trusty provides APIs for developing two classes of applications, trusted applications that run in the TEE and standard applications that need to use services provided by TAs running in the TEE. Applications for the Trusty OS are written as single-threaded C programs using a small Trusty C library. They're written as event-driven servers triggered by a request from another TA or from a standard app via the Trusty interface. Access to TA services by a standard Android app uses a service endpoint exposed with an app.service name construct.

This is known to a trusted application as a named port and is approved for use by setting its IPC port allow NS connect attribute. A session is established with tipc_connect() and closed via tipc_close(). Within a session, requests and responses are handled using send_msg(), get_msg(), and read_msg() calls. Trusty TEE provides the environment to build trusted applications, but it's still an environment for vendors, not end users.