| Danielle Roberts | 8bb806d | 2015-11-05 17:47:03 -0800 | [diff] [blame] | 1 | page.title=Hardware-backed Keystore |
| Bert McMeen | daa1137 | 2015-09-17 16:35:18 -0700 | [diff] [blame] | 2 | @jd:body |
| 3 | |
| 4 | <!-- |
| 5 | Copyright 2015 The Android Open Source Project |
| 6 | |
| 7 | Licensed under the Apache License, Version 2.0 (the "License"); |
| 8 | you may not use this file except in compliance with the License. |
| 9 | You may obtain a copy of the License at |
| 10 | |
| 11 | http://www.apache.org/licenses/LICENSE-2.0 |
| 12 | |
| 13 | Unless required by applicable law or agreed to in writing, software |
| 14 | distributed under the License is distributed on an "AS IS" BASIS, |
| 15 | WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. |
| 16 | See the License for the specific language governing permissions and |
| 17 | limitations under the License. |
| 18 | --> |
| 19 | <div id="qv-wrapper"> |
| 20 | <div id="qv"> |
| 21 | <h2>In this document</h2> |
| 22 | <ol id="auto-toc"> |
| 23 | </ol> |
| 24 | </div> |
| 25 | </div> |
| 26 | |
| 27 | <p>The availability of a trusted execution environment in a system on a chip (SoC) |
| 28 | offers an opportunity for Android devices to provide hardware-backed, strong |
| 29 | security services to the Android OS, to platform services, and even to |
| 30 | third-party apps.</p> |
| 31 | |
| Danielle Roberts | 8bb806d | 2015-11-05 17:47:03 -0800 | [diff] [blame] | 32 | <p>Keymaster has been <a href="features.html">significantly enhanced</a> |
| Bert McMeen | daa1137 | 2015-09-17 16:35:18 -0700 | [diff] [blame] | 33 | in Android 6.0 with the addition of symmetric cryptographic primitives, |
| 34 | AES and HMAC, and the addition of an access control |
| 35 | system for hardware-backed keys. Access controls are specified during key |
| 36 | generation and enforced for the lifetime of the key. Keys can be restricted to |
| 37 | be usable only after the user has authenticated, only at a specific usage |
| 38 | velocity, and only for specified purposes or with specified cryptographic |
| 39 | parameters. For more information, please see |
| Danielle Roberts | 8bb806d | 2015-11-05 17:47:03 -0800 | [diff] [blame] | 40 | the <a href="implementer-ref.html">Implementer's Reference</a>.</p> |
| Bert McMeen | daa1137 | 2015-09-17 16:35:18 -0700 | [diff] [blame] | 41 | |
| 42 | <p>Before Keymaster 1.0, Android already had a simple, hardware-backed crypto |
| 43 | services API: Keymaster versions 0.2 and 0.3, which provided only digital |
| 44 | signing and verification operations, plus generation of |
| 45 | asymmetric signing key pairs. This is already |
| 46 | implemented on many devices, but there are many security goals that cannot |
| 47 | easily be achieved with only a signature API. The intent of Keymaster 1.0 is to |
| 48 | extend the Keymaster API to provide a broader range of capabilities.</p> |
| 49 | |
| 50 | <h2 id=goals>Goals</h2> |
| 51 | |
| 52 | <p>The goal of the Keymaster API is to provide a basic but adequate set of |
| 53 | cryptographic primitives to allow the implementation of protocols using |
| 54 | access-controlled, hardware-backed keys.</p> |
| 55 | |
| 56 | <p>In addition to expanding the range of cryptographic primitives, Keymaster v1.0 |
| 57 | adds the following:</p> |
| 58 | |
| 59 | <ul> |
| 60 | <li>A usage control scheme to allow key usage to be limited, to mitigate the risk |
| 61 | of security compromise due to misuse of keys |
| 62 | <li>An access control scheme to enable restriction of keys to specified users, |
| 63 | clients, and a defined time range |
| 64 | </ul> |
| 65 | |
| 66 | <h2 id=architecture>Architecture</h2> |
| 67 | |
| 68 | <p>The Keymaster API is a Hardware Abstraction Layer module, which is a |
| 69 | dynamically-loaded library. Implementations must not |
| 70 | perform any sensitive operations in user space, or even in kernel space. |
| 71 | Sensitive operations are delegated to a secure processor reached through some |
| 72 | kernel interface. The resulting architecture looks something like the |
| 73 | following:</p> |
| 74 | |
| 75 | <img src="../images/access-to-keymaster.png" alt="Access to Keymaster" id="figure1" /> |
| 76 | <p class="img-caption"><strong>Figure 1.</strong> Access to Keymaster</p> |
| 77 | |
| 78 | <p>Within an Android device, the "client" actually consists of multiple layers |
| 79 | (e.g. app, framework, keystore daemon), but that can be ignored for the |
| 80 | purposes of this document. This means that the described API is low-level, used |
| 81 | by platform-internal components, and not exposed to app developers. The |
| 82 | higher-level API, for API level 23, is described on |
| 83 | the <a href="http://developer.android.com/reference/java/security/KeyStore.html">Android Developer site</a>.</p> |
| 84 | |
| 85 | <p>The purpose of the <code>libkeymaster</code> library is not to implement the |
| 86 | security-sensitive algorithms but only to |
| 87 | marshal and unmarshal requests to the secure world. The wire format is |
| 88 | implementation-defined.</p> |
| 89 | |
| 90 | <h2 id=compatibility_with_previous_versions>Compatibility with previous versions</h2> |
| 91 | |
| 92 | <p>The Keymaster v1.0 API is completely incompatible with the previously-released |
| 93 | APIs, e.g. Keymaster v0.2 and v0.3. |
| 94 | To facilitate interoperability on pre-Marshmallow devices that launched |
| 95 | with the older Keymaster APIs, Keystore provides an adapter that provides |
| 96 | the 1.0 API implemented with calls to the existing hardware library. The result |
| 97 | cannot provide the full range of functionality in the |
| 98 | 1.0 API. In particular, it will only support RSA and ECDSA algorithms, and all |
| 99 | of the key authorization enforcement will be performed by the adapter, in the |
| 100 | non-secure world.</p> |