A Trusted Execution Environment (TEE) is a separate execution environment, consisting of firmware and hardware, that runs alongside the Rich Execution Environment (REE) and provides security services for it. The TEE isolates access to its hardware and software resources from the REE and its applications.
Intel® Dynamic Application Loader (Intel® DAL) is a specific TEE hosted by the Converged Security Engine (CSE), which is a general TEE.
The TEE offers safe execution of authorized security software and firmware known as Trusted Applications (TAs). TAs can be developed in Java* and downloaded to the TEE at run time. Inside the TEE, each TA is independent of the others. The TEE also enforces the protection, confidentiality, integrity, and access rights of the resources and data belonging to those TAs. A TA cannot access the security assets of another TA without authorization.
TAs are given controlled access to security resources and services via the TEE Internal API. These services may include cryptography, secure storage, and secure I/O. The TEE Internal API is provided in Java (via the Intel DAL APIs); Intel may extend it to C in the future.
A TA is typically accompanied by a Trusted Application Host Client, which is host software that exposes the TA services as a rich, operating-system-friendly API.
The TA life cycle is managed by the DAL Admin Framework, which resides in the Intel CSE firmware. The TEE Management Application is an executable that implements the host side of the management protocol.
The TEE Client API is a low-level communication interface designed to enable host software running in the REE to access and exchange data with the TAs running inside the TEE.
The following diagram shows the high-level architecture of a generic Trusted Execution Environment (TEE).