This document was published by the FIDO Alliance as a Final Document. If you wish to make comments regarding this document, please Contact Us. All comments are welcome.

Implementation of certain elements of this Document may require licenses under third party intellectual property rights, including without limitation, patent rights. The FIDO Alliance, Inc. and its Members and any other contributors to this Document are not, and shall not be held, responsible in any manner for identifying or failing to identify any or all such third party intellectual property rights.

THIS FIDO ALLIANCE DOCUMENT IS PROVIDED “AS IS” AND WITHOUT ANY WARRANTY OF ANY KIND, INCLUDING, WITHOUT LIMITATION, ANY EXPRESS OR IMPLIED WARRANTY OF NON-INFRINGEMENT, MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.

This document helps support the FIDO Authenticator Security Certification program. The FIDO Security Requirements requires authenticators to run in an Allowed Restricted Operating Environment (AROE) for level 2 and above. Authenticators not running in an AROE can qualify for level 1.

Notation

The key words “MUST”, “MUST NOT”, “REQUIRED”, “SHALL”, “SHALL NOT”, “SHOULD”, “SHOULD NOT”, “RECOMMENDED”, “MAY”, and “OPTIONAL” in this document are to be interpreted as described in [[!RFC2119]].

Introduction

FIDO Authenticators can be implemented in various ways.

The FIDO Authenticator is typically implemented based on some hardware and firmware. For example, this might be a secure element as hardware with the basic secure element firmware in which the Authenticator Trusted Application runs. As another example it might also be a multifunctional device containing some CPUs which are securely shared between the firmware of the restricted operating environment and the high-level operating system.

It is important that by definition, all parts which are relevant for the FIDO Authenticator (e.g. underlying hardware, ...) are part of the Authenticator itself. So the FIDO Authenticator is more than just the Authenticator Application.

We use the term Authenticator Application to refer to the entity that combines the underlying hardware and firmware in a way that results in a FIDO Authenticator.

Restricted Operating Environments Overview
Restricted Operating Environments Architectural Overview

We distinguish these components as the Restricted Operating Environment can be implemented in a way that it supports more than just the Authenticator Application. Additionally the security of the Restricted Operating Environment (ROE) (without the Authenticator Application) can be demonstrated or certified using existing programs (e.g. Common Criteria).

The FIDO Security Certification covers the various components with different depths. At FIDO Security Level 1, we are concenred about the protection against scalable attacks on the server side an on the communication channel. At FIDO Security Levels 2 and 3, we are mostly concerned about the protection against client side scalable attacks (e.g. malware). At FIDO Security Levels 4 and 5 we also require protection against physical attacks.

Restricted Operating Environments Certification Focus
Restricted Operating Environments Security Certification Focus

The following aspects of the AROE are relevant for the FIDO Security Certification:

Restricted Operating Environments Certification Focus
AROE Aspects Relevant for FIDO Security Certification

Allowed Restricted Operating Environments

The following table outlines the Allowed Restricted Operating Environments (AROEs) for FIDO Security Certification.

Operating Environment Notes
TEEs based on ARM TrustZone HW All operating systems (ROE firmware) running on ARM TrustZone HW are accepted for Level 1 FIDO Security Certification. See ARM TrustZone Security Whitepaper and ARM Architecture Reference Manual.
TEE Based on Intel VT HW All operating systems (ROE firmware) running on Intel VT HW are accepted for Level 1 FIDO Security Certification. See Intel Vanderpool Technology for IA-32 Processors (VT-x) Preliminary Specification.
TEE Based on Intel SGX HW All operating systems (ROE firmware) running on Intel SGX HW are accepted for Level 1 FIDO Security Certification. See Innovative Instructions and Software Model for Isolated Execution and Innovative Technology for CPU based Attestation and Sealing.
TEE Based on Intel ME/TXE HW All operating systems (ROE firmware) running on Intel ME/TXE HW are accepted for Level 1 FIDO Security Certification
TEE with GlobalPlatform TEE Protection Profile Certification GlobalPlatform TEE Protection Profile Certification is NOT required for Level 1 FIDO Security Certification, but it is sufficient for any TEE to be qualified as an Allowed Restricted Operating Environment. See TEE Protection Profile v1.2.1
Windows 10 Virtualization-based Security. Security apps and services that are running at Virtual Trust Level 1. See Moore Defeating - Pass the Hash Separation of Powers.
Secure World of AMD PSP (Platform Security coProcessor). All operating environments running on the secure world side of the TrustZone in the AMD PSP. See AMD Secure Technology.
Trusted Platform Modules (TPMs) Complying to Trusted Computing Group specifications. For example, TPM Main Specification Version 1.2 [[TPM]] or TPM Library Specification Version 2.0 [[TPMv2]].
Secure Element (SE) Secure Operating Systems (ROE firmware) running on a secure tamper-resistant microcontroller.

Requirements for Restricted Operating Environment to be Allowed