Library Implementation and Performance Analysis of GlobalPlatform TEE Internal API for Intel SGX and RISC-V Keystone

Abstract

Trusted Execution Environment (TEE) becomes a popular security extension on current CPUs (e.g., Arm Trust-Zone, Intel SGX, and RISC-V Keystone), but each TEE has its original SDK and cannot keep software portability. GlobalPlatform (GP) defines the general APIs named “TEE Internal APIs”, and smartphones mainly use them. In addition, the implementation of GP API assumes a Trusted OS, and some TEEs cannot implement it directly. Furthermore, some TEEs offer Enclave Definition Language (EDL) for secure communication between a normal application and a trusted application, which is not assumed by GP APIs. In order to solve these problems, we propose a library implementation of GP TEE internal APIs on each TEE SDK. We selected GP APIs for architecture-dependent or independent (e.g., secure storage and time). The architecture-independent APIs require the help of Linux or can be implemented efficiently with CPU-specific instruction. They are implemented as same as possible on each architecture. The library is designed to fit for each EDL (i.e., “edger8r” on Intel SGX “keyedge” on RISC-V) and keeps the communication security. The library is implemented on Intel SGX and RISC-V Keystone. The performances are measured and compared with the OP-TEE which is a trusted OS style implementation on Arm TrustZone. The comparison shows the feature of each implementation.