Lab 02 - Trusted Execution Environments

Objectives

  • Learn about Trusted Execution Environments and their application;
  • Describe ARM's trusted boot process & the TrustZone architecture;
  • Install OP-TEE trusted operating system within ARM CPU's secure domain;
  • Build & run trusted applications;

Introduction

Trusted Execution Environments

A Trusted Execution Environment (TEE) is an isolated execution context whose internal state (memory, CPU registers, etc.) is protected and cannot be reached by normal software. This means that untrusted applications, and even the normally privileged Operating System (itself often considered vulnerable to cyber attacks), can neither read from or write to a TEE's protected memory nor access secure peripherals (e.g., keypads for sensitive input, protected screens).

Trusted Execution Environments are usually implemented by a combined hardware + software approach: the CPU architecture must be extended to distinguish normal from secure execution and to deny requests to secure memory addresses, while trusted software provides the flexibility a highly secure solution still needs (compatibility with various hardware / peripherals, enforcement of application-specific rules, and upgradeability, which matters especially when bugs are disclosed).

ARM Security Extensions (TrustZone)

Modern ARM CPU architectures feature the TrustZone Security Extensions (starting with ARMv7 for ARM Cortex-A, and extended to Cortex-M cores from ARMv8 onwards), which introduce the execution context separation required for implementing TEEs.

It achieves this by using a new CPU state bit (the NS, Non-Secure, flag) to create an additional privilege dimension orthogonal to the original Exception Levels (EL0-EL2), meaning that both the Secure and the Non-Secure World can run software at each of these common ELs. An additional Exception Level, EL3 (Firmware / Secure Monitor), was also introduced to securely manage the transition of software between the two trust domains.

Furthermore, the ARM AXI (Advanced eXtensible Interface) bus protocol was extended to tag every memory transaction with an NS flag, which on-chip modules (e.g., SRAM / DRAM controllers) and other peripherals can check in order to allow or deny access to specific resources. Devices using this kind of access control are called TrustZone-aware peripherals. For example, the interfaces connecting fingerprint readers and NFC controllers used by banking applications can be configured to block unauthorized access from untrusted applications (modern iPhone smartphones already do this!).
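As an added illustration (not part of the original lab text), the following C program models the NS-bit check that a TrustZone-aware memory controller performs on each bus transaction. The memory map, region names and the `check_access` function are constructed for this example only.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical model of a TrustZone-aware memory controller: every AXI
 * transaction carries an NS bit, every region is marked Secure or
 * Non-secure, and an NS-tagged access to a Secure region is rejected.
 * The memory map below is a constructed sample, not a real SoC layout. */
typedef struct {
    uint64_t base, size;
    bool secure;            /* region reserved for the Secure World */
    const char *name;
} region_t;

static const region_t regions[] = {
    { 0x0E000000, 0x00200000, true,  "secure SRAM (trusted OS)" },
    { 0x0F000000, 0x00001000, true,  "fingerprint reader MMIO"  },
    { 0x40000000, 0x40000000, false, "normal DRAM (rich OS)"    },
};

typedef enum { ACCESS_OK, ACCESS_DENIED, ACCESS_UNMAPPED } verdict_t;

/* ns == true means the master issuing the transaction runs in the
 * Normal World (NS bit set); ns == false means the Secure World. */
verdict_t check_access(uint64_t addr, uint64_t len, bool ns)
{
    if (len == 0 || addr + len < addr)      /* empty or wrapping range */
        return ACCESS_UNMAPPED;
    for (size_t i = 0; i < sizeof regions / sizeof regions[0]; i++) {
        const region_t *r = &regions[i];
        if (addr < r->base || addr + len > r->base + r->size)
            continue;                       /* not entirely inside region */
        /* Secure masters may reach both worlds; NS masters only Non-secure. */
        return (ns && r->secure) ? ACCESS_DENIED : ACCESS_OK;
    }
    return ACCESS_UNMAPPED;                 /* hole in the map: default deny */
}

int main(void)
{
    static const char *names[] = { "OK", "DENIED", "UNMAPPED" };
    /* Normal World tries the secure SRAM, then its own DRAM. */
    printf("NS read of secure SRAM : %s\n", names[check_access(0x0E000000, 16, true)]);
    printf("NS read of normal DRAM : %s\n", names[check_access(0x40000000, 16, true)]);
    printf("S  read of secure SRAM : %s\n", names[check_access(0x0E000000, 16, false)]);
    printf("NS read of fp reader   : %s\n", names[check_access(0x0F000000, 4, true)]);
    return 0;
}
```

A range that straddles a region boundary or falls into a hole in the map is reported as unmapped, mirroring the default-deny behaviour a real controller should have.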

ass/laboratoare/02.1688825584.txt.gz · Last modified: 2023/07/08 17:13 by florin.stancu
CC Attribution-Share Alike 3.0 Unported