
Re: HP nixing ARM for Intel*

By: 4321 in ALEA
Sun, 08 Jul 12 11:03 PM | 89 view(s)
Msg. 08916 of 54959
(This msg. is a reply to 08915 by Cactus Flower)


I must say a year ago the secure elements used for NFC application payment storage (and they can store digital certificates for IDs etc.) vs. a TPM and what it was designed to do, confused me. I'm less confused these days. Here's my take on it today.

The TPM/MTM is not used to store applications or Applets.

The payment industry wanted a very secure storage vault on any device going to be used for mobile payments for the various applications and applets required to execute the transaction. The turf war going on in the MNO and financial services industry about which secure element to use will play out in the next few years. The SIM/microSD/embedded secure elements as we know can all be certified to meet the payment industry's needs, but it's all about who controls the secure element etc. Keep in mind the secure elements cannot be used as Core Roots of Trust as defined by NIST.

Not every application or applet needs to execute in such a secure element but may need more security than what the Rich OS provides, thus the TEE can be used. Also those applications executed in the TEE can be run quicker than if the secure element has to be used. This may be a plus, for example, if 10,000 people are trying to use their mobile phones to pay for transit tickets in the subway or train station. If the app is in the secure element it only takes a couple of seconds, but that is a long time for high volume processing. The DRM (digital rights management) systems will use the TEE as opposed to the SIMs.

The long term plan is the TEE can also hold securely and execute cryptographically signed applets that can be managed and completely separate from other trusted apps in the TEE. The TPM/MTM will be used in that process. The TEE is housed in the application processor so it is a secure vault just like the SIMs provide.

So my take on it is who cares whose application is being used; if the MNO or bank or OEM or service provider controls the application and it's executed in the TEE vs. another location (the secure elements), who cares. It makes the entire security ecosystem under one roof, the CPU processor (ARM and TrustZone with the TEE provided by G&D and Trusted Logic) with the GlobalPlatform specifications to tie it all together.

I believe as the industry moves forward in the mobile space it will be all about who creates the apps and sells them to the end user not where the apps are stored and executed that will generate the money. JMO

And yes there will be a need for “key management and secure boot attestation” and the rest.

In the short term we have the DOD/Microsoft/Samsung/NIST stuff to watch develop.
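The post above says the TEE will hold and execute cryptographically signed applets, each managed separately from the other trusted apps. The piece a practitioner wants to see is the gate that makes that meaningful: the loader must check the signature against a key it already trusts before an image is installed, and the signature must bind the applet's identity to its image so a valid signature cannot be moved onto a different applet. The following Go program is an added illustration written for this page, not code from the post, from GlobalPlatform, G&D or Trusted Logic, and not how any real TEE loader is implemented. It assumes an Ed25519 signing key held by a hypothetical Trusted Application Manager (TAM), a constructed package format (ID plus image), and an in-memory TEE model; all names are invented for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// Applet is a hypothetical signed trusted-application package: an identifier,
// the code image, and a signature by the TAM key over both (constructed format).
type Applet struct {
	ID        string
	Image     []byte
	Signature []byte
}

// appletDigest binds ID and image together with a length prefix, so a valid
// signature over one applet's image cannot be replayed under another ID.
func appletDigest(id string, image []byte) []byte {
	h := sha256.New()
	var n [4]byte
	binary.BigEndian.PutUint32(n[:], uint32(len(id)))
	h.Write(n[:])
	h.Write([]byte(id))
	h.Write(image)
	return h.Sum(nil)
}

// SignApplet is the TAM's offline step: it never runs on the device.
func SignApplet(priv ed25519.PrivateKey, id string, image []byte) Applet {
	return Applet{ID: id, Image: image, Signature: ed25519.Sign(priv, appletDigest(id, image))}
}

// TEE models the loader side. It trusts only the TAM public key provisioned at
// boot and keeps each verified applet in its own slot, keyed by ID.
type TEE struct {
	tamPub ed25519.PublicKey
	loaded map[string][]byte
}

func NewTEE(tamPub ed25519.PublicKey) *TEE {
	return &TEE{tamPub: tamPub, loaded: make(map[string][]byte)}
}

var ErrBadSignature = errors.New("applet signature does not verify against TAM key")

// Install accepts an image only after the signature verifies; the image is
// copied so the caller cannot change it after the check.
func (t *TEE) Install(a Applet) error {
	if !ed25519.Verify(t.tamPub, appletDigest(a.ID, a.Image), a.Signature) {
		return ErrBadSignature
	}
	img := make([]byte, len(a.Image))
	copy(img, a.Image)
	t.loaded[a.ID] = img
	return nil
}

// Installed reports whether an applet with this ID passed verification.
func (t *TEE) Installed(id string) bool {
	_, ok := t.loaded[id]
	return ok
}

func main() {
	tamPub, tamPriv, _ := ed25519.GenerateKey(rand.Reader)
	tee := NewTEE(tamPub)

	good := SignApplet(tamPriv, "transit-pay", []byte("constructed applet image v1"))
	fmt.Println("genuine applet:", tee.Install(good))

	// Flip one bit of the image: the signature no longer matches.
	tampered := good
	tampered.Image = append([]byte{}, good.Image...)
	tampered.Image[0] ^= 0x01
	fmt.Println("tampered image:", tee.Install(tampered))

	// Reuse a genuine signature under a different applet ID.
	renamed := good
	renamed.ID = "drm-player"
	fmt.Println("re-labelled applet:", tee.Install(renamed))

	// A package signed by a key the TEE was never provisioned with.
	_, otherPriv, _ := ed25519.GenerateKey(rand.Reader)
	rogue := SignApplet(otherPriv, "rogue", []byte("constructed image"))
	fmt.Println("unknown signer:", tee.Install(rogue))
}
```

Only the first install succeeds; the tampered, re-labelled and foreign-signed packages are all rejected with the same error before any image reaches a slot. The length-prefixed digest is what stops the re-labelling case; a signature over the image alone would verify for any ID.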


- - - - -
The above is a reply to the following message:
Re: HP nixing ARM for Intel*
By: Cactus Flower
in ALEA
Sun, 08 Jul 12 8:03 PM
Msg. 08915 of 54959

hi 4321,

the way i see it, there are two competing models to the open tcg architecture. there's the one adopted by the mnos in the mobile market, which centers on the sim card and the secure elements. and there's intel's solution, which we describe as proprietary.

the overlap is not complete, but it is sufficient as to result in obstruction.

i think tcg makes sense and has significant power behind it eg via MS, but a lot depends on which model gains traction first and that will be influenced by a whole lot of politics.

seems to me ms and intel are in opposition in this market. so woa makes sense. wonder if intel/mcafee is what got them off their arse.

