What is the difference between a Secure Element (SE), a Trusted Execution Environment (TEE) and a Trusted Platform Module (TPM)?

I understand that they all refer to an external secure cryptoprocessor, which is designed to store cryptographic keys and execute cryptographic algorithms securely. Are there any differences, or do they all mean the same thing?

blong
Raoul722

2 Answers


First let's lay out the different definitions:

  • TPM is a piece of hardware specifically created to do crypto calculation with. It is physically isolated from the rest of the processing system and is often a separate IC on the mainboard to be so.
  • TEE is an area on the chipset that works like a TPM, but is not physically isolated from the rest of the chip.
  • SE is a tamper-resistant secrets store, much like a smart-card or SIM-card. Its main purpose is to store cryptographic secrets in such a way that illicit use is hard or impossible to do. An example of this technology in major use is the EMV chip on payment cards.

We can clearly see when comparing the definitions that these 3 items are different, but share a common goal. The difference between a TPM and a TEE is mainly in how it is implemented (purely hardware, or hardware and software combo). The SE has a different function that can be part of the function of a TPM and/or a TEE, by being a safe place to store cryptographic secrets.

Irvin H.
LvB
    But a smart/SIM/EMV card is also "a piece of Hardware specifically created to do crypto calculation with". How's that different from a TPM? – Luc May 18 '20 at 15:33
    The function is different. A TPM is for doing cryptographic operations on, not safeguarding a secret (although most have a smartcard built in for that purpose). A smartcard is for safeguarding (keeping) a secret, not all cryptographic operations. Things like hashes are easy for most TPMs to calculate, while most smartcards can do little more than sign and encrypt/decrypt data. – LvB May 18 '20 at 15:40

A little more on the functional aspects:

  • TPM is fixed, well-specified functionality by an ISO and TCG standard. You can't just add or change this. Usually it's a discrete security chip connected through SPI to the host uC.

  • TEE is (as explained by the previous posters) an execution environment on a larger chip/SoC, but the code running inside this TEE is up to the developers' liberty.
    There are even TPM implementations that run inside a TEE.

  • the Secure Element (SE) commonly (without splitting hairs) refers to a discrete security chip which is connected through a serial interface to the host uC. On the SE typically you find a JavaCard implementation and consequently the functionality of the SE depends on which applets are loaded and performed.

Luc
Scott McCoy
  • I thought TPM connects over the LPC, not SPI. – forest May 25 '18 at 05:05
  • LPC is found on Intel architectures only - but Intel is said to deprecate it shortly = LPC has no future. SPI has become the standard interface for TPMs and that works well for Intel, ARM and other uArchitectures. – Scott McCoy May 26 '18 at 07:44
    Yeah you're right, eSPI is replacing it. My x86 knowledge is outdated. – forest May 26 '18 at 12:18