Trusted Execution Environment (TEE) & Apple's Secure Enclave

28 February 2025

@Bibhabendu Mukherjee

Trusted Execution Environment (TEE) is a secure area in a device’s processor that protects sensitive data and computations from the main OS. Apple’s Secure Enclave is a TEE that securely handles encryption, biometrics, and DRM.

Overview of Trusted Execution Environment (TEE)

TEE is a secure area of a processor that runs code and processes data in an isolated environment. It ensures that even if the main OS is compromised, sensitive computations remain secure. TEEs are commonly used for:

  • Secure key management
  • DRM (Digital Rights Management)
  • Biometric authentication
  • Secure cryptographic operations

A TEE (Trusted Execution Environment) can offer security guarantees despite sharing the same CPU with the main OS because the hardware enforces strict isolation between the two.

🔒 How TEE Prevents Unauthorized CPU/RAM Access

  • Dedicated Secure Memory (Isolated RAM): The TEE uses a portion of RAM that is hardware-protected, meaning the normal OS and apps cannot read or write it.
  • CPU Mode Switching (Normal vs. Secure World): The CPU switches between two modes, Normal mode and Secure mode. The Normal World (Rich OS, apps) is where Android, iOS and ordinary software run; the Secure World (TEE execution) is where only trusted code executes.
  • Restricted CPU Execution Inside the TEE: Only pre-approved secure apps (Trusted Applications, TAs) can execute inside the TEE. The CPU enforces strict access controls; requests from the normal OS must go through a secure API (Trusted Execution Calls, TECs).
  • Hardware-Based Memory Protection (No Direct RAM Access): Normal applications cannot access TEE memory because hardware-enforced rules prevent it.

Even though the CPU executes both secure and non-secure code, strict hardware controls prevent the normal OS from seeing or modifying TEE operations, so data stays protected even if the OS is compromised.
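The "requests go through a secure API" model above is what an app actually sees on Apple platforms. The following Swift example is added here and is not code from the original post: it asks the Secure Enclave to generate a P-256 key, signs a message with it, and then shows that only the public half can be exported. The application tag and message are assumptions for the example; it needs a real Apple device (or Mac) with a Secure Enclave, not the simulator.

```swift
import Foundation
import Security
// Hypothetical application tag; assumption for this example.
let tag = Data("com.example.tee-demo.signing-key".utf8)

/// Generate a P-256 key pair whose private half is created inside, and never leaves, the
/// Secure Enclave. Using it requires the device to be unlocked and a passing biometric check.
func makeEnclaveKey() throws -> SecKey {
    var error: Unmanaged<CFError>?
    guard let access = SecAccessControlCreateWithFlags(
            kCFAllocatorDefault, kSecAttrAccessibleWhenUnlockedThisDeviceOnly,
            [.privateKeyUsage, .biometryCurrentSet], &error)
    else { throw error!.takeRetainedValue() }
    let attributes: [String: Any] = [
        kSecAttrKeyType as String: kSecAttrKeyTypeECSECPrimeRandom,
        kSecAttrKeySizeInBits as String: 256,
        kSecAttrTokenID as String: kSecAttrTokenIDSecureEnclave, // bind the key to the TEE
        kSecPrivateKeyAttrs as String: [
            kSecAttrIsPermanent as String: true,
            kSecAttrApplicationTag as String: tag,
            kSecAttrAccessControl as String: access,
        ],
    ]
    guard let key = SecKeyCreateRandomKey(attributes as CFDictionary, &error)
    else { throw error!.takeRetainedValue() }
    return key
}

/// The app hands the message to the enclave and receives only a signature back.
func sign(_ message: Data, with key: SecKey) throws -> Data {
    var error: Unmanaged<CFError>?
    guard let sig = SecKeyCreateSignature(
            key, .ecdsaSignatureMessageX962SHA256, message as CFData, &error)
    else { throw error!.takeRetainedValue() }
    return sig as Data
}

let key = try makeEnclaveKey()
let message = Data("attest this".utf8)
let signature = try sign(message, with: key)
// Verification needs only the public key, which may be exported and shared freely.
let publicKey = SecKeyCopyPublicKey(key)!
var verifyError: Unmanaged<CFError>?
print("verified:", SecKeyVerifySignature(publicKey, .ecdsaSignatureMessageX962SHA256,
                                         message as CFData, signature as CFData, &verifyError))

// The private half cannot be exported: this returns nil for Secure Enclave keys.
var exportError: Unmanaged<CFError>?
print("private key exportable:", SecKeyCopyExternalRepresentation(key, &exportError) != nil)
```

The second print is the property the post describes: the Normal World app can use the key through the Security framework API but never holds the private key bytes in its own memory.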


Various TEE-Integrated RAM and CPU Architectures

  • ARM TrustZone (Used in Most Mobile Devices & IoT)
  • Intel SGX (Software Guard Extensions) – Used in Intel CPUs
  • AMD SEV (Secure Encrypted Virtualization) – Used in AMD EPYC Processors
  • Apple Secure Enclave (TEE inside Apple Silicon)