Introduction to TEE (Trusted Execution Environment) and Its Application in Fingerprint Authentication

With the development of technologies such as Face ID, fingerprint recognition, 5G, and AI, mobile terminals store increasingly more sensitive information, facing significant security challenges. The mobile system runs in REE (Rich Execution Environment) with Rich OS (such as Android), which is vulnerable to malicious attacks including data theft, digital copyright abuse, and payment fraud.

In July 2010, Global Platform proposed TEE (Trusted Execution Environment) design. TEE runs alongside REE as an independent execution environment with higher security than Rich OS, providing secure services like fingerprint enrollment, matching, and payment authentication.

TEE Basic Principles:

TEE is built on ARM TrustZone technology, implementing hardware and software isolation to separate normal world (REE) and secure world (TEE). TrustZone is a system-level protection technology for ARM architectures. ARMV8 supports secure mode, enabled via the Secure Configuration Register. When the last bit of this register is 0, the CPU operates in secure mode. ARM allows configuring system resources as secure state through TZPC control registers, making bus, memory, DMA, and cache inaccessible to normal world programs.

TEE Software Framework:

The software architecture follows GPD TEE specification, divided into REE and TEE parts, with Monitor Mode handling security/non-security state switching.

REE components include: CA (Client Application) - upper-level applications like fingerprint and payment apps using TEE Client API; REE Communication Agent - message passing between TA and CA; TEE Client API - driver interface for CA-TA data exchange.

TEE components include: TA (Trusted Application) - specific function applications with high security; TEE Communication Agent - secure message transmission with REE agent; TEE Internal Core API - internal interfaces for cryptography and memory management; Trusted Device Drivers - communication for TEE-specific peripherals; Shared Memory - secure memory accessible only to CA and TA.

CA-TA Interaction Flow:

1) CA calls TEE Client API to trigger system call into REE kernel

2) REE driver invokes SMC assembly instruction to enter Monitor mode

3) Processor switches to secure kernel state

4) CA service request transmitted via bus to TEE

5) TEE OS calls corresponding TA via TEE Internal API

6) TA returns results to CA

7) SMC instruction switches back to REE

GP API Interfaces:

CA side: TEEC_InitializeContext, TEEC_OpenSession, TEEC_InvokeCommand, TEEC_CloseSession, TEEC_FinalizeContext

TA side: TA_CreateEntryPoint, TA_DestroyEntryPoint, TA_OpenSessionEntryPoint, TA_CloseSessionEntryPoint, TA_InvokeCommandEntryPoint

Fingerprint Application:

On Android, the fingerprint software framework in REE includes APP (unlock logic), Framework (HAL callbacks), HAL (hardware/fingerprint TA interaction), and Linux kernel. TEE contains Fingerprint TA controlling sensor and algorithm execution.

Fingerprint enrollment flow: sensor init → capture → enroll → end enroll → encrypted template storage in secure memory. All sensitive operations including image capture, processing, matching, and template storage occur in TEE, making fingerprint authentication a secure unlock method.