Architecture
A Trusted Execution Environment (TEE) is a separate execution environment, consisting of firmware and hardware, that runs alongside, and provides security services for, the Rich Execution Environment (REE). The TEE isolates access to its hardware and software resources from the REE and its applications. Intel® Dynamic Application Loader (Intel® DAL) is a specific TEE with the Intel® Converged Security Engine (Intel® CSE), which is a general TEE.
The TEE offers safe execution of authorized security software and firmware known as Trusted Applications (TAs). TAs can be developed in Java* and downloaded to the TEE at run time. Inside the TEE, each TA is independent from the others. The TEE also enforces protection, confidentiality, integrity and access rights of the resources and data belonging to those TAs. A TA cannot access the security assets of another TA without authorization.
TAs are given controlled access to security resources and services via the TEE Internal API. These services may include cryptography, secure storage, and secure I/O. The TEE Internal API is provided in Java (via Intel DAL APIs). There is a possibility that Intel may extend it to C in the future.
A TA is typically accompanied by a Trusted Application Host Client, which is host software that exposes the TA services as a rich, operating system-friendly API.
The TA life cycle is managed by the Intel DAL Admin Framework that resides in the Intel CSE firmware. The TEE Management Application is an executable that implements the host side of the management protocol.
The TEE Client API is a low-level communication interface designed to enable host software running in the REE to access and exchange data with the TAs running inside the TEE.
The following diagram shows the high-level architecture of a generic Trusted Execution Environment (TEE).

For more details on Intel DAL components, click the appropriate link below:
- What they are, how they work, installation on end user's machine, and the Applet Manifest
- Host Applications: What they are, how they work, how they send information to the host-applet interface
- How it works, including TEE management and accounting for multiple versions of the applet
- Using it on Linux* and Android*