MyTEE: Own the Trusted Execution Environment on Embedded Devices

We propose MyTEE to address the limitations of hosting TEE on embedded devices. It is designed with the harsh assumption that most TrustZone extensions are not supported (other than the security state of the CPU). In other words, TrustZone Address Space Controller (TZASC) and TrustZone Memory Adapter (TZMA) for memory access control, and TrustZone Protection Controller (TZPC) for establishing a secure IO channel, are not supported. The input/output memory management unit (IOMMU) for preventing malicious direct memory access (DMA) is not available either. Without such hardware security primitives, MyTEE isolates the TEE region, prevents DMA attacks, and dynamically builds a secure IO channel between the TEE and peripherals.