The TPM is dead, long live the TEE!

[Anders Rundgren]

In spite of Microsoft, Intel and Nokia "betting the house" on TPMs (Trusted Platform Modules), all their competitors in the mobile space including Google and Apple, have rather settled on embedded TEE (Trusted Execution Environment) schemes like this:

http://www.nasdaq.com/article/samsung-mobilesecurity-platform-to-be-part-of-next-android-20140625-00937
http://images.apple.com/iphone/business/docs/iOS_Security_Feb14.pdf

How come the competition didn't buy into TPMs?

TPMs are based on a "one-size-fits-all" API philosophy. Since Intel relies on external vendors supplying TPM-components this (IMHO fairly unwieldy) API must also be standardized making the process updating TPMs extremely slow and costly.  The constraints on silicon that existed during the "Palladium" days are since long gone.

TEEs OTOH can be fitted at any time with application-specific security APIs which both can be standardized or entirely proprietary. In fact, even third-parties can introduce new security APIs using GlobalPlatform's TEE.

Converted into practice: My old Nexus 7 got hardware-protected keys through an OTA update while my new Dell XPS-15 will be stuck with TPM 1.2 during the rest of its life!