Implementation of the TCG DICE Specification into the Keystone TEE Framework / Bravi, Enrico; Sisinni, Silvia; Ferro, Lorenzo; Donnini, Valerio; Lioy, Antonio. - In: IEEE ACCESS. - ISSN 2169-3536. - 13:(2025), pp. 142284-142303. [10.1109/ACCESS.2025.3596829]

Implementation of the TCG DICE Specification into the Keystone TEE Framework

Bravi, Enrico; Sisinni, Silvia; Ferro, Lorenzo; Donnini, Valerio; Lioy, Antonio
2025

Abstract

The rapid adoption of IoT devices introduced significant security challenges because they are often resource-constrained and operate in untrusted environments. Their adoption into critical scenarios makes it paramount they remain trustworthy. A possible solution is the Trusted Execution Environment (TEE), which isolates and protects sensitive code and data in use. Many TEE implementations exist (e.g. ARM TrustZone), yet most are closed-source, with specific hardware requirements. To overcome these issues, open-source solutions like Keystone have been proposed. Keystone is a framework for building customizable TEEs targeting RISC-V devices, based on the Physical Memory Protection security extension. Enforcing local protection must be coupled with the ability to verify the device is behaving as intended. This can be achieved with attestation techniques, but for the highest security level, some additional components are required. While Keystone defines basic requirements for attestation, it does not support architectures based on standard specifications. The Trusted Computing Group developed the Device Identifier Composition Engine (DICE) specifications to establish strong identity and integrity for IoT devices. In this paper, we propose the DICE integration in Keystone, to support secure boot and attestation. We detail the design, implementation, and evaluation of this solution,
Files in this item:
Implementation_of_the_TCG_DICE_Specification_Into_the_Keystone_TEE_Framework.pdf

open access

Type: 2a Post-print publisher's version / Version of Record
License: Creative Commons
Size: 2.28 MB
Format: Adobe PDF
Documents in IRIS are protected by copyright and all rights are reserved, unless otherwise indicated.

Use this identifier to cite or link to this document: https://hdl.handle.net/11583/3002386