Difference between TPM, TEE and SE

First let's lay out the different definitions:

  • TPM is a piece of hardware specifically created to do crypto calculations with. It is physically isolated from the rest of the processing system and is often a separate IC on the mainboard to be so.
  • TEE is an area on the chipset that works like a TPM, but is not physically isolated from the rest of the chip.
  • SE is a tamper-resistant secrets store, much like a smart-card or SIM-card. Its main purpose is to store cryptographic secrets in such a way that illicit use is hard or impossible to do. An example of this technology in major use is the EMV chip on payment cards.

We can clearly see when comparing the definitions that these 3 items are different, but share a common goal. The difference between a TPM and a TEE is mainly in how it is implemented (purely hardware, or a hardware and software combo). The SE has a different function that can be part of the function of a TPM and/or a TEE, by being a safe place to store cryptographic secrets.


A little more on the functional aspects:

  • TPM is fixed, well-specified functionality by an ISO and TCG standard. You can't just add or change this. Usually it's a discrete security chip connected through SPI to the host uC.

  • TEE is (as explained by the previous posters) an execution environment on a larger chip/SoC, but the code running inside this TEE is up to the developers' liberty.
    There are even TPM implementations that run inside a TEE.

  • The Secure Element (SE) commonly (without splitting hairs) refers to a discrete security chip which is connected through a serial interface to the host uC. On the SE you typically find a JavaCard implementation, and consequently the functionality of the SE depends on which applets are loaded and performed.