[idea] SFOS Support for Secure Elements (SE) (or Trusted Execution Environment (TEE))

asked 2017-03-18 15:26:31 +0300

hw

updated 2017-03-24 00:37:49 +0300

revision 1

SFOS Privacy and Security is excellent. Security could be enhanced in the future by supporting Secure Elements (SE) or even API for Trusted Applications (TA) inside a Trusted Execution Environment (TEE). A piece of hardware (smart card) or secure enclave (TEE) might be very useful for the security even on a mobile, for applications and the OS itself. (IPsec/OpenVPN, GnuPG, S/MIME, random numbers, FIDO U2F, trusted user interface...)


a) Support for SE with OpenSC https://github.com/OpenSC/OpenSC as middleware, PC/SC and a CCID driver for a smart card reader; there are a lot of use cases with OpenSC support and a lot of supported Secure Elements (e.g. OpenSC PKCS#11 smart cards are widely used on Linux desktops, Raspbian too). Could this work in practice with a mobile, with the OpenSC minidriver and read-only PKCS#11 card access, e.g. with SDCard or NFC support?

vevgeniev tried access with the browser https://together.jolla.com/question/132416/using-certificate-on-hardware-token-in-browser/

...complex or not working?

b) Support for SE with Open Mobile API http://simalliance.org/wp-content/uploads/2015/03/SIMalliance_OpenMobileAPI_v3_2.pdf maintained by GlobalPlatform https://www.globalplatform.org/specificationsdevice.asp (includes support for SE like UICC Applets, ASSD SDCards or embedded SE)

seek-for-android is an example for the Open Mobile API and can be implemented by the handset vendor because it is not a part of AOSP http://seek-for-android.github.io/


c) WebAPI for Accessing Secure Element - a new approach http://globalplatform.github.io/WebApis-for-SE/doc/


d) TEE client API for access to Trusted Applications (TA) inside a Trusted Execution Environment (TEE) https://www.globalplatform.org/specificationsdevice.asp (e.g. TEE secured by ARM TrustZone and provisioning distributing TA by a service provider with Trusted Service Manager (TSM))

...very complex, indeed

SFOS developers - are there other (simple) possibilities or are there already solutions (using the other half and I2C)?

EDIT: tag changed from feature-request to idea; lots of minor changes



What are the privacy concerns for secaas? USB dongles are with the phone; lose the phone, lose the dongle.

tortoisedoc (2017-03-18 18:50:41 +0300)

I've never seen so many acronyms in one post before.

nthn (2017-03-19 01:50:52 +0300)

As far as I understand, integrating SIM-based SE support will be one of the requirements of Android apps requiring SIM access to function correctly. TEE support will complement the soonish-coming Sailfish Device Manager, but I have no idea how it will be implemented.

peremen (2017-03-19 14:46:42 +0300)

Yeah . . . . . . you lost me at SE, API and TA . . . . . : /

davekelly (2017-03-20 00:49:35 +0300)

That is what you get on a platform like together.jolla.com with mixed intent. Developers and users and those in between gather here ;-)

MoritzJT (2017-03-20 02:57:23 +0300)