Trusted Execution Environments

A Trusted Execution Environment (TEE) is an isolated execution context whose internal state (memory, CPU registers etc.) is secured and cannot be reached by normal software. This means untrusted applications, and even the highly-privileged Operating System (often considered vulnerable to cyber attacks due to its huge complexity), cannot read / write a TEE's protected zones and cannot access secure peripherals (e.g., keypads for sensitive input, protected screens).

Trusted Execution Environments are usually implemented by a combined hardware + software approach: the CPU architecture must be extended to discern normal vs. secure execution and deny requests to secure memory addresses, while some kind of trusted firmware is used to retain an appropriate level of flexibility for a highly secure solution (to increase compatibility with various hardware / peripherals, enforce application-specific rules, and allow platform upgrades, especially in the case of bug disclosures).

Note that a TEE subsystem should follow the minimal complexity philosophy mentioned above. This means that the developers must design their application using a modular architecture and partition the code into trusted (secure) and untrusted counterparts. The trusted application (TA) must be the only one with access to manipulate sensitive data (e.g., passwords / encryption keys, confidential information, cyber-physical commands etc.); the untrusted components (including the traditional / feature-rich Operating System) will only see such information travel in encrypted & integrity-authenticated (protected from modifications) form and will only serve as an intermediary for the TAs to communicate with external entities (e.g., human-machine interface peripherals, networks, persistent storage); practically, the untrusted side should do anything that does not need to directly process / understand any of that data.
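As an added illustration of this trusted / untrusted partitioning (not code from the original page), the Python sketch below keeps all key material inside a TrustedApp object standing in for the secure world, while an UntrustedRelay standing in for the rich OS only ever stores and forwards sealed blobs; the class names are assumptions, and the HMAC-in-counter-mode keystream is a constructed stand-in for a real cipher, used only so the sketch runs with the standard library.

```python
import hmac, hashlib, secrets

class TrustedApp:
    """Secure-world component: the only holder of key material."""
    def __init__(self):
        self._key = secrets.token_bytes(32)  # never leaves the TEE
        self._k_enc = hmac.new(self._key, b"enc", hashlib.sha256).digest()
        self._k_mac = hmac.new(self._key, b"mac", hashlib.sha256).digest()

    def _keystream(self, nonce, length):
        # Constructed stand-in for a block cipher: HMAC over nonce||counter.
        out = b""
        for ctr in range((length + 31) // 32):
            out += hmac.new(self._k_enc, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        return out[:length]

    def seal(self, plaintext):
        # Encrypt-then-MAC: the normal world sees nonce||ciphertext||tag only.
        nonce = secrets.token_bytes(16)
        ct = bytes(a ^ b for a, b in zip(plaintext, self._keystream(nonce, len(plaintext))))
        tag = hmac.new(self._k_mac, nonce + ct, hashlib.sha256).digest()
        return nonce + ct + tag

    def unseal(self, blob):
        # Verify integrity before touching the ciphertext; reject modified blobs.
        nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
        expected = hmac.new(self._k_mac, nonce + ct, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            raise ValueError("integrity check failed: blob was modified outside the TEE")
        return bytes(a ^ b for a, b in zip(ct, self._keystream(nonce, len(ct))))

class UntrustedRelay:
    """Normal-world component: persists and forwards blobs, never sees keys or plaintext."""
    def __init__(self):
        self.storage = {}
    def store(self, name, blob):
        self.storage[name] = blob
    def fetch(self, name):
        return self.storage[name]

def demo_roundtrip():
    ta, ree = TrustedApp(), UntrustedRelay()
    ree.store("cred", ta.seal(b"db-password-hunter2"))  # constructed sample secret
    return ta.unseal(ree.fetch("cred"))

def demo_tamper_detected():
    ta, ree = TrustedApp(), UntrustedRelay()
    ree.store("cmd", ta.seal(b"valve=close"))  # constructed cyber-physical command
    blob = bytearray(ree.fetch("cmd"))
    blob[20] ^= 0x01  # normal-world code flips one ciphertext bit
    try:
        ta.unseal(bytes(blob)); return False
    except ValueError:
        return True
```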

Some of the commercially available TEE technologies are:

On a final note for this section: unfortunately, consumer-friendly TEE solutions for personal computing (i.e., desktops & laptops) remain the domain of ongoing research and no such technologies are yet available on mainstream (PC) platforms.

ass/cursuri/03/theory/01.txt · Last modified: 2023/07/16 12:14 by florin.stancu
CC Attribution-Share Alike 3.0 Unported