References:
1. Google document: "Keymaster2—Attestation Key Provisioning"
2. MTK document: "AttestationKeyToolUserGuide_3.0.pdf"
Purpose of the attestation key:
Keymaster2 extends the capabilities of hardware-backed key storage on Android devices. One of the features is key attestation, which allows Android apps and off-device entities to determine if the keys are hardware backed.
For devices that have Google Mobile Services, Google will provide the keys to partners to download from the Android Partner Front End (APFE).
(1) It lets a verifier determine whether the device supports a hardware-backed Keymaster;
(2) Google partners can download the keys from APFE and use them.
Setting the details aside, what is a Google attestation key?
An attestation key is a keybox requested from Google for a given phone model (ID). The keybox is split into a number of key sets, each containing an ECDSA key and an RSA key, and each key set is written into the phone's secure storage.
When a Google GMS app or a third-party app needs one, it calls the Keymaster interface and uses that key for signing and attestation.
MTK's design:
Once we have been granted a keybox, we need to split it and write each key set (ECDSA and RSA) into the phone's secure area. The design question is: how do we protect the key sets (ECDSA and RSA) once they are on the device?
MTK's design is as follows.
The detailed code is in: aosp/trusty/vendor/mediatek/proprietary/source/trusty-app/kmsetkey
Integration / customization / debugging:
1. Use a script to generate the four files Kkb, Pkb, Kkb_pub and Kkb_priv:
```bash
#!/bin/bash
# Drop the last byte of a file (the trailing newline openssl/echo leave behind)
# so the artifacts contain only the payload characters.
function format_file() {
    local filename="$1"
    local tmp="temp"
    mv "$filename" "$tmp"
    len=$(ls -l "$tmp" | awk '{print $5}')
    let len-=1
    dd if="$tmp" of="$filename" bs=1 count="$len"
    rm "$tmp"
}

# Kkb_pri: 2048-bit RSA private key in DER form.
openssl genrsa -out Kkb_pri.pem 2048
openssl rsa -inform PEM -in Kkb_pri.pem -outform DER -out Kkb_pri

# Kkb_pub: the modulus lines of the text dump (lines 3-20), indentation
# removed, leading "00:" skipped, as colon-separated hex octets.
openssl rsa -text -in Kkb_pri.pem -pubout | head -n 20 | tail -n18 > tempfile
rm Kkb_pri.pem
for (( i=0;i<10;i++ ))
do
    sed 's/ //' -i tempfile
done
dd if=tempfile of=Kkb_pub skip=3 bs=1 && rm tempfile
format_file Kkb_pub

# Kkb: 32 random bytes, stored as 64 hex characters.
openssl rand -hex 32 > Kkb
format_file Kkb

# Pkb: "00" followed by 128 random bytes as hex.
echo "00" > tempfile
format_file tempfile
openssl rand -hex 128 > tempfile2
format_file tempfile2
cat tempfile tempfile2 > Pkb
rm tempfile tempfile2
```
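As an added consistency check (not part of the original page or of MTK's tooling), the following Python verifies the four files the script above produces before they are fed to the later tools. It assumes the layouts the script implies: Kkb is 64 hex characters, Pkb is "00" plus 256 hex characters, Kkb_pub is the modulus of Kkb_pri as colon-separated hex octets; the helper names and the constructed sample key are assumptions, not MTK's specification.

```python
import re

def der_tlv(tag, value):
    """Encode one DER TLV; used here only to build the constructed sample input."""
    if len(value) < 128:
        return bytes([tag, len(value)]) + value
    ln = len(value).to_bytes((len(value).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(ln)]) + ln + value

def der_read_tlv(buf, pos):
    """Decode the DER TLV at buf[pos]; returns (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long-form length: low 7 bits give the byte count
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def modulus_from_rsa_private_der(der):
    """Kkb_pri is a PKCS#1 RSAPrivateKey: SEQUENCE { INTEGER version, INTEGER n, ... }."""
    tag, body, _ = der_read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("Kkb_pri is not a DER SEQUENCE")
    _, _version, pos = der_read_tlv(body, 0)
    _, n_bytes, _ = der_read_tlv(body, pos)
    return int.from_bytes(n_bytes, "big")  # n is positive, a leading 0x00 pad is harmless

def parse_kkb_pub(text):
    """Kkb_pub as the script leaves it: modulus hex octets separated by ':' and newlines."""
    return int("".join(re.findall(r"[0-9a-fA-F]{2}", text)), 16)

def check_artifacts(kkb, pkb, kkb_pub_text, kkb_pri_der):
    """Return a list of problems; an empty list means the four files are consistent."""
    problems = []
    if not re.fullmatch(r"[0-9a-f]{64}", kkb):  # a stray newline means format_file did not run
        problems.append("Kkb: expected exactly 64 hex characters (32 random bytes)")
    if not re.fullmatch(r"00[0-9a-f]{256}", pkb):
        problems.append("Pkb: expected '00' + 256 hex characters (128 random bytes)")
    if parse_kkb_pub(kkb_pub_text) != modulus_from_rsa_private_der(kkb_pri_der):
        problems.append("Kkb_pub: modulus does not match Kkb_pri")
    return problems

# Constructed sample input, not real key material: a 2048-bit odd modulus and a
# truncated RSAPrivateKey that carries only the fields the checker reads.
SAMPLE_N = int("c3" + "5a" * 254 + "0b", 16)
SAMPLE_DER = der_tlv(0x30, der_tlv(0x02, b"\x00")
                     + der_tlv(0x02, b"\x00" + SAMPLE_N.to_bytes(256, "big"))
                     + der_tlv(0x02, b"\x01\x00\x01"))
SAMPLE_KKB_PUB = ":".join(f"{b:02x}" for b in SAMPLE_N.to_bytes(256, "big"))
SAMPLE_KKB, SAMPLE_PKB = "ab" * 32, "00" + "cd" * 128
```

On a real build machine, read Kkb, Pkb and Kkb_pub as text and Kkb_pri as bytes and pass them to `check_artifacts`; any non-empty result means the later keytool step would be fed a malformed file.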
2. Use the Splitter2.6 (Splitter) tool to split the keybox.
Input: the keybox XML file obtained from Google, e.g.:
2017-11-22_06-11-44.643_UTC.attest_keyboxes.1511331105487.output
Output: keybox_0000000000.bin through keybox_0000000009.bin
3. Use the Splitter2.6 (Mix Composer) tool to encrypt the Google key.
Input: keybox_0000000000.bin
Output: kb_0000000000.bin (this is the file that gets written to the phone's secure area)
4. Use the keytool (EncSW) tool to encrypt Kkb_pub with Pkb into EKkb_pub, and embed the Pkb and EKkb_pub arrays in the code:
After encryption, an array.c file is generated that contains Pkb and EKkb_pub:
```c
unsigned char Ekkb_pub[] = {
    0xCF, 0x93, 0xE3, 0x76, 0x99, 0xE9, 0x78, 0xCD, 0xB4, 0x02, 0x9A, 0x25, 0x45, 0xDC, 0x6D, 0xBC,
    0xFE, 0xB9, 0xEE, 0xAB, 0x6C, 0xA8, 0xF8, 0xE3, 0x85, 0x31, 0xB7, 0x2A, 0x40, 0x47, 0xF4, 0x59,
    0x75, 0xD4, 0xFF, 0xCF, 0x2A, 0xD9, 0xB4, 0x1D, 0x72, 0xFB, 0x7C, 0x64, 0x4D, 0x53, 0xAB, 0x30,
    0x9B, 0xCB, 0x26, 0x19, 0x6D, 0xF4, 0x40, 0x56, 0x3E, 0x97, 0xBC, 0xD1, 0xE4, 0xF0, 0x14, 0xD0,
    0x35, 0xBE, 0x78, 0xD2, 0x2B, 0x35, 0x36, 0x99, 0x6D, 0x66, 0x56, 0x59, 0x31, 0x6A, 0x6B, 0x6F,
    0xA8, 0xBB, 0xF6, 0xAF, 0x75, 0x05, 0xF1, 0x0D, 0x2F, 0xA6, 0xD5, 0x95, 0xDA, 0xB3, 0xBE, 0x22,
    0x90, 0x32, 0x3E, 0x06, 0x81, 0xD7, 0xD2, 0x11, 0x0F, 0x85, 0x03, 0x7A, 0x41, 0x54, 0x2C, 0x95,
    0xF8, 0x40, 0xB3, 0x5B, 0x7D, 0x10, 0x71, 0xB8, 0xC9, 0x6D, 0x2C, 0x9B, 0xFD, 0xB7, 0x7A, 0xD4,
    0x7A, 0x9F, 0x7E, 0x10, 0x4E, 0x53, 0x17, 0xB1, 0x00, 0x9D, 0x64, 0xFD, 0xD9, 0x2F, 0x67, 0xA4,
    0x23, 0xDA, 0x87, 0x84, 0x0D, 0x8B, 0x88, 0x08, 0x4E, 0x5D, 0x18, 0x43, 0xE7, 0x32, 0x92, 0x8E,
    0x18, 0x54, 0xA3, 0x98, 0x40, 0x1C, 0x28, 0xFA, 0xD4, 0xB4, 0xF3, 0x32, 0xC3, 0xAE, 0xAA, 0xD9,
    0xD3, 0xDA, 0xC4, 0x4E, 0x31, 0x06, 0x47, 0xCF, 0x43, 0x18, 0x68, 0x28, 0x47, 0x96, 0xA9, 0xD2,
    0x6F, 0x98, 0x88, 0xAB, 0xFC, 0x2C, 0x4D, 0xF6, 0x6F, 0xAB, 0xB6, 0x0E, 0x52, 0xCF, 0xB2, 0x10,
    0xD1, 0xCA, 0x88, 0xA9, 0x27, 0xC2, 0xE7, 0x28, 0xF5, 0x1B, 0x88, 0xDD, 0xE8, 0x25, 0x93, 0x39,
    0x40, 0xBC, 0x1B, 0xAE, 0xF0, 0x5F, 0x58, 0xB8, 0x48, 0x4A, 0xD4, 0xBA, 0xEA, 0xCC, 0x15, 0x68,
    0xE9, 0x05, 0x74, 0x11, 0xBA, 0x4F, 0xBF, 0x49, 0x9A, 0x11, 0x66, 0x40, 0x1F, 0x02, 0xA3, 0xA8,
};

unsigned char InputPkb[] = {
    0x00, 0xD9, 0x47, 0xA1, 0x6A, 0x59, 0xDE, 0x65, 0x81, 0x38, 0x92, 0x1B, 0x26, 0x99, 0x3D, 0x97,
    0x9A, 0x8B, 0xC6, 0x1B, 0xB8, 0x1D, 0xB5, 0x57, 0xE7, 0xEF, 0xEA, 0x13, 0x5B, 0x00, 0xAD, 0x2F,
    0x19, 0xE3, 0xB9, 0x57, 0x70, 0xFF, 0xE8, 0xDF, 0x3A, 0x03, 0xDA, 0x47, 0xBE, 0x50, 0x71, 0x24,
    0x2E, 0x96, 0x47, 0x78, 0x6E, 0x55, 0xD6, 0x76, 0xE8, 0xEF, 0x58, 0x62, 0xF4, 0x9E, 0x30, 0x6F,
    0x49, 0xC3, 0xCA, 0x8C, 0x35, 0x7A, 0x78, 0x9A, 0x4E, 0x6E, 0x5F, 0x60, 0xC1, 0x72, 0x7A, 0x19,
    0xB0, 0xCC, 0xC0, 0x68, 0xF0, 0x91, 0xFF, 0xEC, 0xFA, 0x9D, 0x88, 0x24, 0x04, 0xD2, 0x9F, 0x00,
    0x50, 0xBD, 0x3F, 0xBA, 0xA1, 0x25, 0xD8, 0x46, 0x31, 0xA3, 0x1A, 0xE3, 0x81, 0x05, 0xDE, 0xB6,
    0xD4, 0xC8, 0x7B, 0xB7, 0x7C, 0xD4, 0xE5, 0x96, 0x79, 0x48, 0x26, 0x32, 0xD4, 0xED, 0xCF, 0x6D,
    0xB6,
};
```
5. Write the kb_0000000000.bin file to the phone's secure area:
(1) Using the CA command:
kmsetkey_ca -i data/vendor_de/kb_0000000000.bin
(Log output for a successful write)
```
<6>[ 127.502402] -(0)[210:teei_switch_thr][TZ_LOG] uTSecMan| ta verification is def-disabled
<6>[ 127.503482] -(0)[210:teei_switch_thr][TZ_LOG] uTSecMan|
<6>[ 127.504200] -(0)[210:teei_switch_thr][TZ_LOG] SST_S | rpmb cap alloc success
<6>[ 127.505152] -(0)[210:teei_switch_thr][TZ_LOG] SST_S | vfs cap alloc success
<6>[ 127.506090] -(0)[210:teei_switch_thr][TZ_LOG] kmsetkey| google keybox rpmb solution, VERSION:1.0
<6>[ 127.509383] -(0)[210:teei_switch_thr][TZ_LOG] kmsetkey| ~~~~~~ kb_store enter ~~~~~~
<6>[ 127.532984] -(0)[210:teei_switch_thr][TZ_LOG] kmsetkey| =====keybox verify success=====
```
(2) Using the tool provided by MTK:
SP_META