🤖 AI Summary
This work addresses the lack of comprehensive lifecycle management support for trusted execution environments (TEEs) on RISC-V, particularly the absence of mechanisms for secure enclave updates and migration. The authors propose the first modular lifecycle management framework tailored for RISC-V TEEs, introducing three lightweight extensions at the security monitor layer to enable enclave state continuity, secure migration, and trusted time services. The design is compatible with mainstream RISC-V TEE frameworks such as Keystone and CURE, requiring only minimal interface adaptations. Experimental evaluation demonstrates that the overhead for state continuity is below 1.5%, and enclave downtime during migration is merely 0.8% for a 1 KB state, meeting the stringent requirements of safety-critical domains including IoT and automotive systems.
📝 Abstract
RISC-V-based Trusted Execution Environments (TEEs) are gaining traction in the automotive and IoT sectors as a foundation for protecting sensitive computations. However, the supporting infrastructure around these TEEs remains immature. In particular, mechanisms for secure enclave updates and migrations - essential for complete enclave lifecycle management - are largely absent from the evolving RISC-V ecosystem.
In this paper, we address this limitation by introducing a novel toolkit that enables RISC-V TEEs to support critical aspects of the software development lifecycle. Our toolkit provides broad compatibility with existing and emerging RISC-V TEE implementations (e.g., Keystone and CURE), which are particularly promising for integration in the automotive industry. It extends the Security Monitor (SM) - the trusted firmware layer of RISC-V TEEs - with three modular extensions that enable secure enclave update, secure migration, state continuity, and trusted time.
Our implementation demonstrates that the toolkit requires only minimal interface adaptation to accommodate TEE-specific naming conventions. Our evaluation results confirm that our proposal introduces negligible performance overhead: our state continuity solution incurs less than 1.5% overhead, and enclave downtime remains as low as 0.8% for realistic applications with a 1 KB state, which conforms with the requirements of most IoT and automotive applications.