TM

GlobalPlatform

04 April 2014

GlobalPlatform Workshop April 15th 1.30-5.30pm

MPAA Office;

15301 Ventura Blvd,

Sherman Oaks,

CA 91403

1

TM

Workshop

• Intended audience:

– Primarily rights holders and content service providers, also

Technology/Device/Silicon Platform providers

• Objective:

– GlobalPlatform is working on standardising TEE APIs for use in content protection

use cases

– GlobalPlatform is working on a path to providing assurance for devices using TEEs

– This workshop is to intended to give participants an update as to roadmap, progress,

and also relevance of GlobalPlatform’s work in this area

– Input and dialogue is also sought in terms of use case alignment as well as threat

model discussions

2

TM

Workshop Agenda

• Introduction: Kevin Gillick, Executive Director of GlobalPlatform

• Status update from PCTF, Michael Lu/Jim Helman

• Status update from TEE spec working group: Existing roadmap

• Status update from TEE security working group – Herve Siebert (STM, Chair of TEE Security Working Group)

– Presentation of the TEE Protection Profile and its status (currently undergoing official evaluation), focus on the security model

• Strategy to ensure certification regime suitability for the content industry

– Call to participate to an upcoming TEE international Technical Community (TEE iTC)

• Open discussion with participants on: – Gathering of premium content security requirements:

• Discussion on title diversity, Renewability;

• Threat model discussion for content protection on device

– Maintenance and evolution of the TEE Protection Profile

• Different profiles and how do we establish roadmap;

3

TM

@GlobalPlatform_ www.linkedin.com/company/globalplatform

GlobalPlatform Overview

For

Premium Content Task Force Open Session

Kevin Gillick

Executive Director

GlobalPlatform

15 April 2014

TM

Thank You to Our Host!

5

TM

GlobalPlatform Positioning

6

TM

GlobalPlatform Mission

• GlobalPlatform works across

industries to identify, develop and

publish specifications which

facilitate the secure and

interoperable deployment and

management of multiple embedded

applications on secure chip

technology

• GlobalPlatform Specifications

enable trusted end-to-end solutions

which serve multiple actors and

support several business models

TM

TM

GlobalPlatform Vision

• Member-driven organization to define

technology standards for cards,

devices and systems and create

foundation for future growth.

• License royalty-free card, device, and

systems specifications.

• Compliance Program tools to verify

card, device, systems compliance to

GlobalPlatform technology.

• Foster adoption of secure chip

technology standards and

implementations across industries.

TM

TM

GlobalPlatform At-a-Glance

What is the output of GlobalPlatform?

Specifications – technical industry guidelines

Configurations – applying the guidelines to different market sectors

Security Certifications – streamlining security requirements & testing

Industry Compliance Program – confirming a product’s functionality aligns to

GlobalPlatform technology

Educating the Industry – white papers & technical documents

Workshops – specification training & educational

TM

A Wealth of Resources! (White Papers)

UICC System Role

and

GlobalPlatform Messaging

Requirements for NFC Mobile:

Management of Multiple Secure Elements

The Trusted

Execution Environment

TM

A Wealth of Resources! (White Papers)

The Consumer-Centric Model

The End-to-End Simplified

Service Management Framework

On-Card API

TM

Access to the Experts! (Seminars)

2nd Annual Trusted Execution Environment (TEE) Seminar

Tuesday, 30 September in Santa Clara, California

Pre-Seminar Technical Training on Monday, 29 September

TM

GlobalPlatform Members TM

TM

GlobalPlatform Structure How our Members Participate / Contribute

TM

TM

Visit us @ www.globalplatform.org

kevin_gillick@globalplatform.org

How To

Join

TM

1

6

Thank you!

TM

PCTF and GlobalPlatform TEE Roadmap

update

Michael Lu

Business Development Director, Trustonic

Jim Helman

CTO, Movielabs

April 14-15, 2014

17

TM

2014 Activities of Interest

• To continue the advancement of specifications to address the administration of

the TEE.

• To support the evolution of the GlobalPlatform TEE Compliance Program.

• To establish a TEE Security Certification Program, which will aim to drive

‘practical’ TEE security certifications with short time-to-market constraints.

• To address the requirements of GlobalPlatform’s recently formed Premium

Content Task Force, and ensure alignment on work priorities.

• To engage with mobile network operators and key players in the web

ecosystem to confirm industry requirements, as well as continue to serve the

needs of specific vertical markets such as premium content protection, financial

services, enterprise and government.

18

TM

What is a TEE?

• TEE provides hardware-based

isolation from rich operating

systems (OS) such as Android

• TEE runs on the main device

chipset

• TEE has privileged access to

platform and device resources

(user interface, display

controller, memory controller,

HW decoder/renderer, crypto

accelerators, secure elements…)

• Technology already massively

deployed

• Premium content protection is

currently a major use case

19

Hardware Platform

Rich OS Application Environment

Rich OS

Trusted Execution Environment

Trusted CoreEnvironment

GlobalPlatformTEEInternalAPI

TrustedFunctions

Payment Corporate

Client Applications

TrustedApplication

DRM

TrustedApplication

Payment

TrustedApplicationCorporate

HW Secure Resources

GlobalPlatformTEE Internal

TEE Kernel

API

GlobalPlatform TEE Client API

Open to malware and

rooting / jailbreaking

Isolation of sensitive

assets

TM

What’s the TEE Scope in GlobalPlatform?

20

TEE Software

Interfaces

Functional

Compliance

Security

Certification

TEE Administration

Use Cases

& Business

Requirements

• Mobile platform and silicon

providers

• Device vendors

• Network operators

• Services Providers

• TSM providers

• TEE OS providers

• Test and security labs

Participation for TEE includes

Technology Agnostic

TM

GlobalPlatform TEE Main Functions

• Code and data isolation

• Secure cryptography

• Secure storage

• Secure clock

• Trusted user interface

• Secure Element interface

• Administration scheme

Hardware-based

TEE Functions = ToolBox

• Device authentication

• User authentication

• DRM protection

• Trusted playback

• Trusted link protection

• Downloadable scheme

Value for Premium Content

includes

TM

GlobalPlatform TEE Compliance &

Security Certification

22

+ TEE OS

System on Chip-based Platform Supporting GlobalPlatform TEE

Functional

GlobalPlatform

Compliance

Security

Certification

GlobalPlatform

STAMP

GlobalPlatform-

defined test

suite

GlobalPlatform-

defined TEE

Protection

Profile

• Current and first focus = platform

• Final product (final smartphone, tablet…): light delta compliance and / or security

certification might be defined at a later stage

First TEE

TestFest

in Oct.

2012

TM

Charter of PCTF

• The Premium Content Task Force purpose is to

– Identify and establish liaisons with relevant stakeholders and organizations in the Media industry

– Identify the relevant content protection use cases and address their enablement in a Device offering TEE capability to prevent fragmentation

– Provide inputs to define content protection compliance and certification programs to GlobalPlatform Committees

– Promote GlobalPlatform technology adoption and membership to interested parties in the Media Industry

• The deliverables for the group include:

– Develop a public position paper which provides an overview of the premium content landscape on consumer electronics devices:

• Identify the scope of GlobalPlatform's role in this area

• Define key premium content use cases and determine the relevant business and technical

requirements for these use cases

• Determine how GlobalPlatform technologies such as TEE should be best utilized in this market

• Identify the enhancements that may be needed to meet requirements

– Deliver requirements to GlobalPlatform's relevant technical committees to ensure that GlobalPlatform Specifications, Compliance and Certification programs are enhanced to provide interoperable and verifiable solutions to the market

23

TM

Content and Service Protection through TEE

• Content Piracy Prevention

– Raises assurance bar for protection of decrypted Media playback on devices;

– Certification and Independent Evaluation for Hardware and Firmware

implementation;

• TEE for Service Piracy Prevention

– Acts as a security plugin to the platform OS (Android, Windows or Tizen)

• TEE provides secure environment for sensitive tasks without exposing cryptographic

credentials.

– Provides a programmable security environment where updates can be provided in

case of security breach.

10/

31/

13

24

TM

Proposed PCTF Milestones & Deliverables

• Milestone 1:

– Purpose

• Enables ecosystem to leverage GP TEEs for secure video playback

– Expected DC deliverables

• Architecture and Secure Video Playback API

• Review of existing GP TEE PP

• Milestone 2:

– Purpose:

• Standardise TEE capabilities for enhanced protection associated with UltraHD content

• Identify additional use cases associated with UltraHD content distribution

• Identify additional threats above current protection profile associated with UltraHD content

distribution

• Expected DC deliverables

– Additional specifications and APIs

– Potential changes in PP and certification regime

• Milestone 3:

– TBD pending on ecosystem requirement gathering

25

TM

Status of the PCTF Deliverables

• Milestone One requirements

– Scope approved by PCTF

– Document to be finalized in next two weeks (by April 11)

• Milestone Two requirements

– In progress

• White Paper on Relevance of GlobalPlatform TEE in the media industry

– In progress

TM

Milestone 1

• All use cases below requires rendering to internal display or protected link

• Playback of premium content from the broadcast network;

• Playback of premium content using streaming technologies

• Playback of stored premium content

• Playback of premium content using an application Over-The-Top accessible through the browser;

• Trickplay;

• Playback of premium content from a Personal Video Recorder;

• Playback of premium content for which the protection system is no longer available in the device

• Playback of several premium content protected with different protection systems (optional)

27

TM

GP Confidential

©2014

TEE Security Certification

Hervé Sibert

Security Architect, Director, ST Micro

TEE Security WG Chair, GlobalPlatform

April 14-15, 2014

2

8

TM

TEE Security Certification

29

TM

Why?

30

TM

It is part of GlobalPlatform vision

GlobalPlatform

qualified tools and

accredited labs

GlobalPlatform

TEE Client API specification

TEE Internal API specification

GlobalPlatform

TEE test suite

GlobalPlatform

TEE Protection Profile

Internationally-

recognized process

TEE Functional

Compliance

TEE Security

Certification

31

TM

It is essential for deployment

• The TEE Security Working Group gathers members from the complete

ecosystem, from TEE providers and Smartcard/SoC/Device manufacturers to

laboratories, operators…

• Goals

– To make sure that there is a means of evaluating TEE security by closing the

certification gap with a pragmatic approach compatible with short device life-cycle

– To provide security assurance to stakeholders (device manufacturers, service

providers, regulators)

• The choice of Common Criteria methodology has been triggered by

– Proven framework for the statement of security requirements (through Protection

Profiles) and evaluation methodology

– Existent network of security accredited labs

– International recognition

– Applicability to the domain

– Market acceptance

32

TM

Milestones

33

TM

Q4 Q3 Q2

2 0 1 3

Q1 Q4 Q3 Q2 Q1

TEE Security WG Roadmap

“Final” version of

the TEE

Protection Profile

2 0 1 4

End of public review of

the TEE Protection

Profile

Presentation of the

TEE PP at ICCC

2013

TEE Security

Certification Workshop

2 0 1 2

Initial Security

Requirements

document

Decision to go for

Common Criteria

methodology

TEE Protection Profile

v0.1:= TOE, Assets,

Threats, Objectives

TEE Protection

Profile v0.3 =

v0.2 + EAL TEE

2 0 1 1

TEE Protection Profile

v0.2 = v0.1 + SFRs

Q4 Q3 Q2 Q1 Q4 Q3 Q2 Q1

PP review process

PP review process PP Certification

34

TM

TEE Protection Profile strategic choices

35

TM

Protection Profile template

• Usual CC Protection Profile

• Designed to be usable today by accredited labs

• Does not mandate any particular technology

– Compatible with all the ways considered by GP to realize a TEE

• ARM proprietary TrustZone technology

• Virtualization

• Dedicated security processor/subsystem

– Does not define the way the TEE is instantiated

• The “Secure boot” process varies a lot between platforms

36

TM

Target of Evaluation

Boundary with Rich operating system (OS): Messaging interface

Boundary with Trusted Applications:

TEE Internal API

TOE (HW, FW, SW)

The TOE comprises:

• Any hardware, firmware and software

used to provide the TEE security functionality

• The guidance for the secure usage of the

TEE after delivery

The TOE does not comprise:

• The trusted applications

• The rich execution environment (REE)

• The client applications

37

TM

TOE Security Functionality

• TEE initialization process using

assets bound to the SoC, that ensures

the authenticity and integrity of the TEE

code running in the device

(implementation-dependent)

• Isolation of the TEE services, the TEE

resources involved and all the trusted

applications (TAs) from the REE

• Isolation between TAs and isolation of

the TEE from TAs

• Protected communication interface

between CAs and TAs within the TEE,

including communication endpoints in

the TEE

• Trusted storage of TA and TEE data

and keys, ensuring consistency,

confidentiality, atomicity and binding to

the TEE

• Correct execution of TA services

• Random number generator

• Cryptographic API including generation

and derivation of keys and key pairs,

support for cryptographic algorithms

such as SHA-256, AES 128/256, T-

DES, RSA 2048, etc.

• Monotonic TA instance time

• TEE firmware integrity up to

modifications authorized by the

upgrade policy (implementation-

dependent)

• Advanced TEE (rollback protection over

resets)

– Monotonic persistent time

– Full integrity protection of TA data,

code, keys and TEE data

38

TM

Threat model

• The TEE PP addresses threats that arise during the end-usage phase and can

be achieved by software means without damaging the device

• At the identification phase

– The attacker discovers some vulnerability, conceives malicious software and

distributes it

– No assumption holds regarding the equipment, expertise, etc. and the possibility to

use more than one device, potentially in a destructive way

• At the exploitation phase

– The attacker exploits the vulnerability by running the malicious software

– There are two main exploitation profiles: remote attacker and basic device attacker

– Basic, non-destructive HW attacks are also possible

– More expensive or destructive HW attacks are not forbidden for exploitation, but they

are not compatible with the potential given to the attacker at the assurance level

chosen for the TEE

39

TM

Threats

Side-channel: PMA, EMA, cache

Bus injection/capture

Glitches

Debug

Fuzzing

Memory isolation breach

Rollback

Buffer overflow

Bad crypto

/binding

41

TM

Security Objectives

42

TM

Mapping of objectives to CP requirements (1/3)

43

GP TEE PP Security Objective Application to content protection schemes

O.CA_TA_IDENTIFICATION Typically each content protection scheme will be installed in its own TA. This objective generally exceeds requirements of most CP schemes.

O.CRYPTOGRAPHY

CP TAs make use of available cryptographic functions in the TEE when available. Some CP schemes require unique functions not provided by standard cryptographic implementations. For performance reasons, some CP schemes require hardware cryptographic modules that operate as TEE-based peripherals.

O.DEVICE_ID CP TAs make use of unique device IDs to derive keys bound to the device. Such keys are used to provide secure storage and similar functions.

O.INITIALIZATION This objective applies to the TEE itself.

O.INSTANCE_TIME Many CP TAs require monotonic time. In general, absolute time is not a requirement.

O.OPERATION This objective applies to the TEE itself.

TM

44

GP TEE PP Security Objective Application to content protection schemes

O.RNG CP TAs use RNG functions to create ephemeral keys and protocol data, generate unique keys and key pairs.

O.RUNTIME_CONFIDENTIALITY CP TAs are required to protect the confidentiality of secret data and in some cases algorithms during runtime.

O.RUNTIME_INTEGRITY Runtime integrity enforces correct operation of TAs.

O.TA_ISOLATION TAs must be isolated from each other.

O.TEE_DATA_PROTECTION This objective applies to the TEE itself.

O.TEE_FIRMWARE_UPGRADE This objective generally exceeds the requirements of most CP schemes.

O.TEE_ISOLATION This objective applies to the TEE itself.

O.TRUSTED_STORAGE TA CPs may make use of trusted storage to protect secret data of the scheme, its protocols and data.

O.ROLLBACK_PROTECTION This objective generally exceeds the requirements of most CP schemes.

O.TA_PERSISTENT_TIME This objective generally exceeds the requirements of most CP schemes.

Mapping of objectives to CP requirements (2/3)

TM

45

GP TEE PP Security Objective Application to content protection schemes

OE.DEBUG This objective applies to the TEE itself, but fulfils a need to protect CP TAs from analysis, debugging and inspection.

OE.INTEGRATION_CONFIGURATION This objective applies to the TEE itself.

OE.MANAGEMENT This objective applies to the TEE itself.

OE.PROTECTION_AFTER_DELIVERY Pre-installed CP TAs may have to account for the fact that the TEE is not fully provisioned until first use.

OE.ROLLBACK Not needed if O.ROLLBACK_PROTECTION is implemented.

OE.SECRETS CP TAs may rely on the TEE’s implementation of this objective to provide secure provisioning and personalization.

OE.TA_DEVELOPMENT CP TA developers must observe the guidelines provided by the TEE supplier.

OE.TEE_FIRMWARE_UPGRADE This objective applies to the TEE itself.

OE.UNIQUE_DEVICE_ID CP TAs may rely on the TEE’s implementation of this objective to reliably derive unique secret data for their own purposes.

Mapping of objectives to CP requirements (3/3)

TM

EAL

• The Working Group decided to define a specific EAL for the TEE

• The TEE PP provides:

– The TEE attack quotation table for rating full attack paths from identification to exploitation

– The description and quotation of four representative exploitation profiles

– A list of illustrative attacks at identification phase

• The TEE PP states the attack potential at « Enhanced-Basic »

– Higher than the score of known attacks to Rich OS devices

– Lower than the « High » attack potential of secure elements

• The TEE PP takes into account the constraints of SoC manufacturing and TEE integration

– TEE tight integration with SoC resources yields involvement of several teams that are not dedicated to security

– EAL 2 has been chosen as the EAL base, and augmented with the “Enhanced-Basic” attack potential

• Discussions are ongoing with Certification Bodies on the relevance of these choices (see further)

47

TM

Future extensions

• The updates will be managed as optional modules like the Time and Rollback

module, in order to avoid having different PPs

– Internal core 1.1, Debug API, SE API etc… (minor impact)

– Remote management

– Content protection

49

TM

Product certification process

50

TM

TEE Security Certification in the short

term

• The TEE Protection Profile is available at

http://www.globalplatform.org/specificationsdevice.asp

• Usual Common Criteria framework

Certification of the Protection Profile – ongoing, target is completion before

end of Q2, 2014

Certification of products

• Discussions with Certification Bodies (CBs) on the TEE EAL

– Some CBs advise to come back to standard EAL2 (with “Basic” attacks only),

otherwise they will not recognize the EAL (or downgrade their recognition to EAL2)

– Our intention is to stay at EAL2+

• CBs should all recognize certified products at EAL2

• Certification at the defined TEE EAL can only be done with CBs recognizing our specific EAL

51

TM

Short term options summary

52

Option 1 (preferred) Option 2

Description Pass PP certification with existing

EAL2+ (EAL TEE) level

Pass PP certification with

EAL level back to EAL2

Time impact Few weeks delay

Certification

recognition impact

EAL2 recognition by CC CBs,

EAL2+ recognition only by willing

CC schemes

EAL2 recognition by CC

CBs

Certification level

impact

None Downgrade vs current PP

Certification

process

Willing CC CBs for EAL2+ (or GP

stamp), usual CC for EAL2

Usual CC for EAL2

TM

Expectations for certification

• Common Criteria is undergoing transformation, based on the creation of

“international Technical Communities” for each technology, defining and

maintaining the Protection profile(s) for this technology

– It will still take some years to be well in place

– GlobalPlatform has announced its intention to be part of a TEE iTC, and even

proposes to organize it

• GlobalPlatform is considering the organization of a certification process,

reusing the CC structure

– The main objective is to avoid loss of time due to disagreements between countries

for technical and/or political reasons

– Evaluation would be done by recognized labs, familiar with CC methodology

• Is it mandatory to you that these labs are CC-accredited?

– To do that, GlobalPlatform may organize an open “Technical Community”, open to

non-members

– Does official governmental recognition matter, or would you consider a

GlobalPlatform-driven process for certification?

53

TM

Long term options summary

54

Option 1 Option 2

Description Form an international

Technical Community

under CC

Create and promote an open GP Technical

Community

Time impact Unknown (few years) Start now

Certification

recognition

impact

Recognition by those

CC CBs recognizing

the iTC

Use CC to certify subsequent PP versions,

to enable govt recognition.

Create a GP stamp for product certification

(not linked to one CB).

Certification

level impact

Controlled by

governments – but can

be non-standard

Tailor the existing PP with different levels:

- Existing EAL TEE

- EAL TEE+ for higher security

- Additional functional testing for NIAP

Certification

process

CC CBs recognizing

the iTC

Labs selected by GlobalPlatform (CC

accredited or used by GP TC members)

…then turn it into an iTC once the iTC

framework is up and running well

TM

Requirements of Labs to be GP Qualified (derived

from GP Compliance testing rules)

• Lab must initially qualify, and then re-qualify every year

• Qualification criteria includes :

– Lab must participate in the GP TEE Technical Community

– Lab must execute GP’s Consulting Services License Agreement and Qualification

and Listing Agreement

– Lab must submit to GP documents that confirm they are currently an […Common

Criteria, FIPS, PCI…?] qualified laboratory

– Lab must support the up-to-date version(s) of the Protection Profile

– Lab must have at least one expert trained on (1) TEE Specifications and (2) the

Protection Profile. Training to be performed by a GlobalPlatform TEE Certification

Expert

– The trained expert(s) must be involved in the GP TEE evaluations performed by the

lab

Please note that if a company has more than one laboratory it wishes to qualify, then each laboratory must be qualified separately by GlobalPlatform.

TM

Re-Qualification of Laboratories (derived from GP

Compliance testing rules)

• Laboratories to be re-qualified every year

• Re-qualification criteria to include:

– GP TEE Technical Community continuation

– Consulting Services License Agreement and Qualification and Listing Agreements

remains in effect

– Lab remains qualified to […Common Criteria, FIPS, PCI…?]

– Support of the up-to-date Protection Profile versions

– Audit of the evaluations performed by the lab by GlobalPlatform TEE Certification

Expert

56

TM

Open Discussion on Use Case and Threat

Model

57

TM

Content and Service Protection through TEE

• Content Piracy Prevention

– Raises assurance bar for protection of decrypted Media playback on devices;

– Certification and Independent Evaluation for Hardware and Firmware

implementation;

• TEE for Service Piracy Prevention

– Acts as a security plugin to the platform OS (Android, Windows or Tizen)

• TEE provides secure environment for sensitive tasks without exposing cryptographic

credentials.

– Provides a programmable security environment where updates can be provided in

case of security breach.

58

TM

Where should the security bar be?

• The TEE may serve different purposes for content protection

– Offload features from the main OS to the TEE (for security reasons)

– Offload features from smartcards to the TEE (for flexibility reasons)

– Offload features from SoC HW to the TEE (for flexibility reasons)

• Major examples

– Protection of media path to prevent OS access to clear content (Trusted Video Path)

– Protection of other features currently managed in main OS (CA application offload)

– DRM and other cardless systems

– Virtual smartcard either instead of discrete smartcard, or to allow revocation/change

of CA system

• What is the current TEE certification level adapted to?

Our expectation is:

– Adapted to Trusted Video Path and CA application offload

– DRM currently managed in main OS

– Additional, higher security may be expected for other use cases

59

TM

TEE for other content protection features

• Among the following features, what would you consider the TEE for, and what

is your expectation for the related security requirements?

– Key management

• TEE for key storage

• TEE for key ladders

• Any difference between DRM and CA?

– Algorithm agility

• TEE for proprietary (tweaked) algorithms

– Watermarking

• TEE for watermark insertion

• TEE for watermark recognition

• What is the hierarchy of security requirements depending on the nature of the

content?

– Quality

– Type of content

– Value/time scale

60

TM

Threat Landscape

Threats Mitigation GlobalPlatform Positioning

Local attacker – discovery of attack

Increase Expertise and Cost required for Attack

Raises assurance bar for protection of decrypted Media playback on devices; Certification and Independent Evaluation for Hardware and Firmware implementation;

Packaging, Distribution and Replication of Attack;

Avoid use of Class secrets; Use of device binding; Experience degradation; Revocation;

Platform integrity, secure boot, Isolation between REE and between TAs prevents certain types of software attacks being replicated; In general TEE security features make it very costly to replicate attacks across devices;

Online distribution of pirated content

Forensic Watermarking, Legal means; System Renewal after Attack;

If TEE is not breached, provides a programmable security environment where updates can be provided in case of security breach.

61

TM

ECP Threats and Mitigation Discussion

• Zero Day rips

– Raises assurance bar for protection of decrypted Media playback on devices;

– Certification and Independent Evaluation for Hardware and Firmware

implementation;

• Hack One, Hack All

– Device Binding

– Copy and Title Diversity;

– Software Diversity

• Revocation and Renewal

• Compromise of the TEE

• What are the threats and attacks that could result in compromise of TEE;

• What are the impacts of a breach

62

TM

THANK YOU!

63