The presentation slides of the paper Attestation Mechanisms for Trusted Execution Environments Demystified, published in the proceedings of the 22nd IFIP International Conference on Distributed Applications and Interoperable Systems, June 2022. Read the publication here: https://arxiv.org/abs/2206.03780 This publication incorporates results from the VEDLIoT project, which received funding from the European Union's Horizon 2020 research and innovation programme under grant agreement No 957197.

1. Attestation Mechanisms
for Trusted Execution Environments Demystified
Jämes Ménétrey1 Christian Göttel1 Anum Khurshid2 Marcelo Pasin1
Pascal Felber1 Valerio Schiavoni1 Shahid Raza2
1 University of Neuchâtel, Switzerland
2 RISE Research Institutes of Sweden
June 13-17, 2022
17th International Conference on Distributed Applications
and Interoperable Systems (DAIS ’22), Lucca, Italy 🇮🇹

2. Ménétrey et al. — Attestation Mechanisms for Trusted Execution Environments Demystified — DAIS ’22 / 21
Context
Hardware
VMM
Company
OS
Software stack
Trusted
by cloud
providers
Your apps
Trusted
by
you
Developers Cloud providers
Your apps
Attack surface of your apps
• We process and store sensitive data in clouds or
on IoT edge devices.
• Developers deploy trusted apps on systems they
assume to be trustworthy.
• TEEs reduce the attack surface and help obtaining
remote attestation.
2

3. Ménétrey et al. — Attestation Mechanisms for Trusted Execution Environments Demystified — DAIS ’22 / 21
Remote attestation primer (ietf-rats)
Attester Veri
fi
er Relying party
Evidence Attestation result
Claims
H( )
Reference values
Reference Value
Provider
=
?
• The attester issues an evidence, which is examined by a verifier and
reports to a relying party.
• An evidence is a set of claims (e.g., code measurement).
3
Code
measurement
② Sending quote
① Provision references values
③ Verification result

4. Ménétrey et al. — Attestation Mechanisms for Trusted Execution Environments Demystified — DAIS ’22 / 21
Scope of this survey: available technologies
4
TEEs
Intel
AMD
Arm
RISC-V
Sanctum
LIRA-V

5. Ménétrey et al. — Attestation Mechanisms for Trusted Execution Environments Demystified — DAIS ’22 / 21
Intel SGX remote attestation
5
Enclave
Process
Operating system
Hardware
High-level architecture of Intel SGX
• The enclave are located within the process that spawn it.
• Split the application into two parts: secure and unsecure.

6. Ménétrey et al. — Attestation Mechanisms for Trusted Execution Environments Demystified — DAIS ’22 / 21
Intel SGX remote attestation (EPID)
6
Enclave
(Attester)
SGX quoting
enclave
② Local attestation
① Challenge
Trusted service
(Veri
fi
er)
③ Quote (evidence)
Report (claims)
④ Send evidence
Intel attestation
(Verifier)
⑤ Validate evidence
⑥ Provision data
Enclave
Process
Operating system
Hardware
High-level architecture

7. Ménétrey et al. — Attestation Mechanisms for Trusted Execution Environments Demystified — DAIS ’22 / 21
Intel SGX remote attestation (DCAP)
7
Enclave
(Attester)
SGX quoting
enclave
② Local attestation
① Challenge
Trusted service
(Veri
fi
er)
③ Quote (evidence)
Report (claims)
④ Send evidence
Intel attestation
(Verifier)
⑤ Validate evidence
⑥ Provision data
Enclave
Process
Operating system
Hardware
High-level architecture
Intel SGX Certi
fi
cation
Service
NEW: ⓪ Download certificates
for Intel SGX CPUs

8. Ménétrey et al. — Attestation Mechanisms for Trusted Execution Environments Demystified — DAIS ’22 / 21
Arm TrustZone-A
8
TA
Process
OS
Secure monitor
High-level architecture of TrustZone-A
Trusted OS
Normal world Secure world
• Available on processors of Cortex-A series.
• Split the devices into two worlds.

9. Ménétrey et al. — Attestation Mechanisms for Trusted Execution Environments Demystified — DAIS ’22 / 21
Arm TrustZone-A
TA
Process
OS
Secure monitor
High-level architecture
Trusted OS
• TrustZone does not provide a built-in remote
attestation mechanism.
• We demonstrate an extension found in literature [1].
9
1Establishing Mutually Trusted Channels for Remote Sensing Devices with Trusted Execution Environments, Shepherd C. et al., ARES ’17
*Evidence = System state + H( )
TA
Endorser
OP-TEE
Trusted
Measurer
TA TA
Authenticated boot
Signing keys
Trusted
Measurer
OP-TEE
TA TA
System A System B
① Challenge
② Evidence* B
③ Evidence* A
Signing keys

10. Ménétrey et al. — Attestation Mechanisms for Trusted Execution Environments Demystified — DAIS ’22 / 21
Arm TrustZone-M
10
TA
Process
OS
Hardware
High-level architecture of TrustZone-M
Firmware
Normal world Secure world
• Designed for very small devices.
• Available on processors of Cortex-M series.

11. Ménétrey et al. — Attestation Mechanisms for Trusted Execution Environments Demystified — DAIS ’22 / 21
AMD SEV-SNP
11
Process
Process
OS
Hypervisor
High-level architecture of AMD SEV-SNP
OS
Firmware/Hardware
Secure virtual
machine (TEE)
• Secure code execution using virtual machines.

12. Ménétrey et al. — Attestation Mechanisms for Trusted Execution Environments Demystified — DAIS ’22 / 21
AMD SEV-SNP
12
Process
Process
OS
Hypervisor
High-level architecture
OS
Firmware/Hardware
Verifier
SNP Guest
(Attester)
AMD Firmware
AMD Hardware
① Challenge
Challenge (claims)
② IOCTL request
③ Report (evidence)
④ Send evidence
⑤ Provision data

13. Ménétrey et al. — Attestation Mechanisms for Trusted Execution Environments Demystified — DAIS ’22 / 21
RISC-V: general purpose TEEs Keystone
• Sanctum is a TEE construction that mimics Intel SGX.
• Keystone is a composable framework for TEEs with
enclaves comprised of a runtime and an enclave apps.
• TEE enforced using a secure monitor and PMP.
• Measurements are made by the secure monitor, based
on the application code during initialisation.
• Remote attestation: similar to Intel SGX.
13
Eapp
Process
OS
Secure monitor
Keystone
Hardware (PMP)
Runtime
Enclave
Enclave
Process
Operating system
Secure monitor
Sanctum
Hardware (PMP)

14. Ménétrey et al. — Attestation Mechanisms for Trusted Execution Environments Demystified — DAIS ’22 / 21
RISC-V: IoT edge tailored TEEs (1)
• TIMBER-V uses memory tagging to instantiate TEEs for small devices.
• Measurements are made by Tag root, based on the application code
during initialisation.
• Remote attestation: Tag root signs the evidence using a MAC
(symmetric crypto).
14
Process
OS
TIMBER-V
Hardware
Tag root
Process

15. Ménétrey et al. — Attestation Mechanisms for Trusted Execution Environments Demystified — DAIS ’22 / 21
RISC-V: IoT edge tailored TEEs (2)
• LIRA-V works with programs in supervisor and machine RISC-V modes
and attest regions of memory.
• Measurements are made by the Root of trust and measures at runtime.
• Remote attestation: mutual, similarly to the Arm TrustZone’s state-of-
the-art.
15
Process
Root of trust (ROM)
LIRA-V
Hardware (PMP)
Process Mem

16. Ménétrey et al. — Attestation Mechanisms for Trusted Execution Environments Demystified — DAIS ’22 / 21
Which TEE is the best fit for me?
It depends on the deployment scenarios.
16

17. Ménétrey et al. — Attestation Mechanisms for Trusted Execution Environments Demystified — DAIS ’22 / 21
TEEs characteristics
Server-grade General purpose IoT
Industrial TEEs
Many domains
Mutual attestation
Encrypted DRAM
Local attestation
Find more criteria in the paper.
17
LIRA-V
Sanctum

18. Ménétrey et al. — Attestation Mechanisms for Trusted Execution Environments Demystified — DAIS ’22 / 21
Future perspective
18

19. Ménétrey et al. — Attestation Mechanisms for Trusted Execution Environments Demystified — DAIS ’22 / 21
Perspectives for the future: Intel TDX
• Intel TDX deploys hardware-isolated virtual machines: Trust Domains (TD).
• TDX runs legacy applications on regular OSes, similarly to AMD SEV.
• The TDX module isolates the TD thanks to new CPU instructions.
• TDX reuses the SGX attestation to support remote attestation:
• Initial measurement during TD build process
• Can be extended to measure additional data at run-time
19
Regular Virtual Machines Secure Trust Domains
TDX module
VM
TDX-aware VMM
Hardware
VM
TD TD TD
VM
High-level architecture of Intel TDX

20. Ménétrey et al. — Attestation Mechanisms for Trusted Execution Environments Demystified — DAIS ’22 / 21
Perspectives for the future: Arm CCA
• Arm CCA deploys hardware-isolated virtual machines: Realm VM.
• RME is the hardware extension that introduce a new world: the Realm.
• Unlike TrustZone, the Realm has shielded memory (encryption + integrity).
• CCA provides attestation of the platform & initial state of the realm.
20
TA
Process
OS
Secure monitor
High-level architecture of Arm CCA
Trusted OS
Realm
VM
Hypervisor
RMM
Realm
VM
SPM
Realm
Realm Management Monitor Secure Partition Manager
Normal Secure

21. Ménétrey et al. — Attestation Mechanisms for Trusted Execution Environments Demystified — DAIS ’22 / 21
Thanks for your attention!
Takeaway
• Remote attestation ensures the genuineness of deployed applications in TEEs.
• There are many TEEs, but no “one size fits all” TEE, it depends on the usage.
• Industrial solutions have well-documented (and undiscovered?) flaws. Emerging
solutions lack hindsight.
• New TEEs design tend to be VM-based (AMD SEV, Intel TDX, Arm CCA).
21
Read me online!