This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

TrustZone - Trusted application development questions

I want to develop a trusted application running on the TEE/TrustZone that is embedded in Android Devices.

I contacted a TEE provider and enquired about joining the developer program and getting there SDK.

However the cost is tens of thousands of Euros to join, which is prohibitively expensive for your average android developer.

Is it possible to develop TEE trusted apps without the huge expense?

Is it possible to use "factory built in " trusted apps already in the TEE?

many thanks

Lee

Parents
  • Could you explain your requirements a bit more? Has the TEE OS already been selected and you want to write an app for it? Are you trying to write an Android app that stores keys in the trusted environment through Android or TEE OS APIs (i.e. hardware-backed storage)? It is possible to secure keys in Android without developing your own TrustZone executable but if you want to execute code for DRM or payment systems, yeah, some of the TrustZone OSes that run on some Android devices have pretty expensive SDKs.

    Check out 4.3's new security features for hardware backed RSA storage.

    Android 4.3 APIs | Android Developers

    Android also now supports hardware-backed storage for your KeyChain credentials, providing more security by making the keys unavailable for extraction. That is, once keys are in a hardware-backed key store (Secure Element, TPM, or TrustZone), they can be used for cryptographic operations but the private key material cannot be exported. Even the OS kernel cannot access this key material. While not all Android-powered devices support storage on hardware, you can check at runtime if hardware-backed storage is available by calling KeyChain.IsBoundKeyAlgorithm().

Reply
  • Could you explain your requirements a bit more? Has the TEE OS already been selected and you want to write an app for it? Are you trying to write an Android app that stores keys in the trusted environment through Android or TEE OS APIs (i.e. hardware-backed storage)? It is possible to secure keys in Android without developing your own TrustZone executable but if you want to execute code for DRM or payment systems, yeah, some of the TrustZone OSes that run on some Android devices have pretty expensive SDKs.

    Check out 4.3's new security features for hardware backed RSA storage.

    Android 4.3 APIs | Android Developers

    Android also now supports hardware-backed storage for your KeyChain credentials, providing more security by making the keys unavailable for extraction. That is, once keys are in a hardware-backed key store (Secure Element, TPM, or TrustZone), they can be used for cryptographic operations but the private key material cannot be exported. Even the OS kernel cannot access this key material. While not all Android-powered devices support storage on hardware, you can check at runtime if hardware-backed storage is available by calling KeyChain.IsBoundKeyAlgorithm().

Children