GB/T 42572-2023

Information Security Technology Trusted Execution Environment Service Specification (English Version)

Standard No.: GB/T 42572-2023
Language: Chinese, Available in English version
Release Date: 2023
Published By: General Administration of Quality Supervision, Inspection and Quarantine of the People's Republic of China
Latest: GB/T 42572-2023

Scope
This document establishes the technical framework system of the trusted execution environment service and specifies the relevant security technical requirements and test and evaluation methods. This document is applicable to the design, development, and testing of the trusted execution environment service, and can be used as a reference by trusted execution environment service participants such as equipment manufacturers, system software providers, testing agencies, and scientific research institutions.
Introduction

Analysis of the Standard Core Framework

| Components | Functional Positioning | Security Requirements |
|---|---|---|
| TEE Service | Provides 7 core functions such as human-computer interaction/QR code/identity authentication | Hardware-level isolation, secure storage, and tamper-proof |
| TEE Service Agent | REE environment access control and process management | Secure channel communication, application authentication |
| TEE Service Backend | Key management/device status evaluation | Two-way authentication, anti-replay attack |

Key management system

Four-layer key architecture:
  1. Device key: device identity authentication root key
  2. TEE service key: device-backend communication key pair
  3. Application key: application-level encryption key pair
  4. User/session key: business data protection key

Typical scenario: The application key pair is generated during the application initialization phase and is transmitted encrypted with the TEE service key, to ensure that the key does not leave the TEE environment.


Core service security requirements

TEE human-computer interaction service

  • A trusted interface must be built based on TUI
  • Security elements: trusted input box/keyboard/biometric collector, etc.
  • Session timeout mechanism: power event triggers session termination

TEE device security status evaluation

| Evaluation type | Detection method | Typical collection factor |
|---|---|---|
| Local type | Offline detection | System partition/DM-Verity/Root detection |
| Remote type | Network detection | TEE service signature/debugging mode check |

Implementation recommendations

Development phase

  1. Follow the 26 service interface specifications in Appendix B of the standard
  2. Biometric identification requires local/remote dual-mode liveness detection
  3. Time service uses satellite/base station/network time triple verification

Test verification

  • Key management test: verify the entire life cycle of key generation/storage/update
  • TUI security test: simulate REE environment screenshot/injection attack
  • Anti-replay test: verify the signature of the device status report

Technology evolution analysis

Compared with the GB/T 41388-2022 basic specification, this standard:

  • Adds two scenarios: QR code service and location service
  • Refines the key backup and recovery mechanism and limits cross-device recovery
  • Strengthens the factor desensitization requirements for hybrid device evaluation

GB/T 42572-2023 Referenced Document

  • GB/T 17901.1-2020 Information technology—Security techniques—Key management—Part 1: Framework
  • GB/T 25069-2022 Information security techniques—Terminology
  • GB/T 41388-2022 Information security technology—Trusted execution environment—Basic security specification

GB/T 42572-2023 history

  • 2023 GB/T 42572-2023 Information Security Technology Trusted Execution Environment Service Specification


