A trusted execution environment, referred to herein as an “enclave,” protects the execution of trusted computer-program code from other, potentially malicious, code by executing the trusted code in a secure region of computer memory that no code outside the enclave can read or write, a so-called “inverse sandbox” mechanism. Rather than attempting to identify and isolate all the malicious code on a system, as a conventional sandbox would, this approach seals the trusted code inside the enclave and protects it from attack by the malicious code irrespective of the privilege level of the latter. The enclave thus protects the trusted code even from malicious software running within the system's operating system or with otherwise heightened system privileges.
In order to preserve the security of the enclave, communication between the enclave and hardware devices on or connected to the system must itself be trusted, because data exchanged with a device passes through device drivers, buses and operating-system code that lie outside the enclave. For example, a device may encrypt data, under a key shared only with the enclave, before sending it; the enclave then decrypts the data, and any malicious code on the path between the two is able to view only ciphertext. Encryption alone conceals the data; if the enclave must also detect modification or replay of the data in transit, each message must additionally be authenticated, which adds further work. Such encryption and decryption are, however, both time- and power-consuming and may be the cause of a significant performance and/or battery-life problem on some systems, especially mobile systems.
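The following Go program is an added illustration of the encrypted device-to-enclave path described above; it is not part of the original description and does not represent any particular implementation. The text says only that the device encrypts and the enclave decrypts; the example fixes the cipher as AES-256-GCM from Go's standard library, so that each frame is also authenticated and carries a counter that lets the enclave reject replayed frames, which goes slightly beyond what the passage states. The shared key is generated locally in place of the out-of-band provisioning a real system would use, the channel label `sensor0->enclave` and the sample "fingerprint template" payload are constructed for the example, and the `osCanRead` and `osTamper` helpers stand in for a malicious operating system relaying the frame.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
)

// Endpoint is one end of the channel. Device and enclave hold the same key and
// the same channel label (bound in as associated data); seq is the next counter
// to send on the device side and the highest counter accepted on the enclave side.
type Endpoint struct {
	aead  cipher.AEAD
	label []byte
	seq   uint64
}

func newEndpoint(key, label []byte) (*Endpoint, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return &Endpoint{aead: aead, label: label}, nil
}

// Seal runs on the device before data leaves it. The wire frame is
// nonce || ciphertext || tag, and that is all the untrusted path ever sees.
func (e *Endpoint) Seal(plaintext []byte) []byte {
	e.seq++
	nonce := make([]byte, e.aead.NonceSize())
	binary.BigEndian.PutUint64(nonce[4:], e.seq) // counter nonce: the key is per session
	return e.aead.Seal(nonce, nonce, plaintext, e.label)
}

var errReplay = errors.New("counter not increasing: replayed or reordered frame")

// Open runs inside the enclave. A short frame, a stale counter or a failed tag
// check is rejected before any plaintext exists in enclave memory.
func (e *Endpoint) Open(frame []byte) ([]byte, error) {
	n := e.aead.NonceSize()
	if len(frame) < n+e.aead.Overhead() {
		return nil, errors.New("frame too short")
	}
	nonce, ct := frame[:n], frame[n:]
	seq := binary.BigEndian.Uint64(nonce[4:])
	if seq <= e.seq {
		return nil, errReplay
	}
	pt, err := e.aead.Open(nil, nonce, ct, e.label)
	if err != nil {
		return nil, err // tag mismatch: tampered frame, wrong key or wrong label
	}
	e.seq = seq
	return pt, nil
}

// osCanRead and osTamper stand for a malicious OS relaying the frame and
// trying, respectively, to read the device data and to alter it unnoticed.
func osCanRead(frame, secret []byte) bool { return bytes.Contains(frame, secret) }

func osTamper(frame []byte) []byte {
	t := append([]byte(nil), frame...)
	t[12] ^= 0x01 // flip one bit of the first ciphertext byte (the 12-byte nonce precedes it)
	return t
}

// setupChannel gives both ends the same fresh key. A real system provisions the
// key out of band (at manufacture, or after attesting the enclave); assumed here.
func setupChannel() (device, enclave *Endpoint, err error) {
	key := make([]byte, 32)
	if _, err = rand.Read(key); err != nil {
		return nil, nil, err
	}
	label := []byte("sensor0->enclave") // channel label, constructed for the example
	if device, err = newEndpoint(key, label); err != nil {
		return nil, nil, err
	}
	enclave, err = newEndpoint(key, label)
	return device, enclave, err
}

func main() {
	device, enclave, err := setupChannel()
	if err != nil {
		panic(err)
	}
	reading := []byte("fingerprint template 0x2A") // constructed sample device data
	f := device.Seal(reading)
	pt, err := enclave.Open(f)
	fmt.Printf("OS can read: %v; enclave got %q, err=%v\n", osCanRead(f, reading), pt, err)
	_, tampered := enclave.Open(osTamper(device.Seal(reading)))
	_, replayed := enclave.Open(f)
	fmt.Println("tampered:", tampered, "| replayed:", replayed)
}
```

Every byte the device produces costs one AES-GCM pass on the device and one inside the enclave; that is the per-byte work the passage identifies as the performance and battery-life cost, and it is paid whether or not the platform has hardware AES support.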