But how can you verify that the processor's own software, which ultimately runs the application, has not been compromised?
The software running on the smartcard? You write that yourself, and hopefully your security processes are good. The nice thing about smartcards is that the trusted computing base is massively smaller than that of a regular operating system.
If you disallow installing applications post-issuance (which is probably a good idea for ID cards), you don't even have to worry about VM runtime integrity either, as there will be only your application running on the card.