TPM2.0-Supported Runtime Customizable TEE on FPGA-SoC with User-Controllable vTPM

📅 2025-05-18
📈 Citations: 0
Influential: 0
🤖 AI Summary
Cloud-based FPGA-SoC platforms lack a TPM 2.0–compliant trusted execution environment (TEE) to protect user intellectual property (IP) cores. Method: This paper proposes a runtime-customizable TEE architecture, designing and implementing the first virtual TPM (vTPM) for FPGA-SoCs. It extends the TPM 2.0 command set to support hardware-sensitive operations and integrates a hardware root of trust, custom vTPM firmware, a TPM 2.0 protocol stack, and a dynamically reconfigurable TEE runtime framework. Contribution/Results: The work achieves the first end-to-end TPM 2.0–compliant IP security lifecycle management; enables millisecond-scale dynamic IP loading and integrity verification; improves remote attestation efficiency by 3.2×; and validates security and compliance via formal analysis and empirical evaluation. The prototype is implemented on the Xilinx Zynq UltraScale+ MPSoC platform.

📝 Abstract
Constructing a Trusted Execution Environment (TEE) on a Field Programmable Gate Array System on Chip (FPGA-SoC) in the cloud can effectively protect users' private Intellectual Property (IP) cores. In order to facilitate the widespread deployment of FPGA-SoC TEEs, this paper proposes an approach for constructing a TPM 2.0-compatible, runtime-customizable TEE on FPGA-SoC. This approach leverages a user-controllable virtual Trusted Platform Module (vTPM) that integrates sensitive operations specific to the FPGA-SoC TEE. It provides TPM 2.0 support for a customizable FPGA-SoC TEE to dynamically measure, deploy, and invoke IP during runtime. Our main contributions include: (i) proposing an FPGA-vTPM architecture that enables TPM 2.0 specification support for FPGA-SoC TEEs; (ii) exploring the use of FPGA-vTPM to dynamically measure, deploy, and invoke users' IPs on the FPGA-SoC TEE; (iii) extending the TPM command set to accommodate the sensitive operations of the FPGA-SoC TEE, enabling users to perform sensitive tasks in a secure and verifiable manner according to the TPM 2.0 specification. We implement a prototype of TRCTEE on the Xilinx Zynq UltraScale+ MPSoC platform and conduct a security analysis and performance evaluations to demonstrate the practicality and enhanced security features of this approach.
Problem

Research questions and friction points this paper is trying to address.

Constructing TPM 2.0-compatible TEE on FPGA-SoC for secure IP protection
Enabling dynamic measurement and deployment of IPs in FPGA-SoC TEE
Extending TPM command set for FPGA-SoC TEE sensitive operations
Innovation

Methods, ideas, or system contributions that make the work stand out.

TPM 2.0-compatible customizable FPGA-SoC TEE
User-controllable vTPM for secure FPGA operations
Extended TPM command set for dynamic IP management