Android TZ Keymaster

Keymaster is a newly introduced key management hardware abstraction layer (HAL) component. It defines all APIs that must be supported by the OEM. The ARM TrustZone (TZ) keymaster application includes the following:

1. Generation of keys: generating a public key and a private key for cryptography.
2. Signing and verification: signing given data with a key that is stored and accessible only by TZ software, and verifying signed data with a key that is likewise accessible only by TZ software.

Types of keymaster HAL are as follows:
- Software-based keymaster: uses the OpenSSL software implementation. Jelly Bean ships with a default soft keymaster module that performs all key operations in software only.
- Hardware-based keymaster: uses TZ application APIs (the keymaster application). Hardware keymaster support essentially ensures that the stored key is not accessible in the HLOS.
Regardless of key type (RSA/EC), the generated key blob is encrypted by a key accessible only to TZ software and stored in the file system (FS) on the HLOS side.

Hardware key-master 1.0 implementation on android marshmallow 


Keymaster is an access-control-based key service with access to trusted, hardware-bound crypto. It is implemented as a TrustZone-based trusted application (TA). Keymaster cannot be compromised by any kernel or userland bug. All keys generated are cryptographically bound to the device.
Keymaster support on Android Marshmallow requires the following modules:
- keymaster TA
- gatekeeper.<chipset>.so
- keystore.<chipset>.so


Gatekeeper is a trusted source for verifying the authenticated state of the device. Gatekeeper does the following:

- provides apis to enroll and verify a password

- returns a signed auth token with a timestamp to unlock keystore/key-master

- provides rollback protection on passwords


The gatekeeper architecture includes the following:


- gatekeeper daemon

- gatekeeper HAL API

- hardware gatekeeper
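The gatekeeper flow listed above (enroll a password, verify it, hand keystore/keymaster a signed auth token with a timestamp) as an added, simplified model; this is example code written for this page, not AOSP's gatekeeper or keymaster implementation. The HMAC key, the token layout, the 60-second freshness window and the PBKDF2 password handle are all assumptions of the demo; in a real device the signing key lives only inside the TZ trusted applications and the HLOS never sees it.

```python
import hashlib
import hmac
import os
import struct
import time
from typing import Optional

# Constructed demo value: stands in for the auth key that only the TZ-side
# gatekeeper and keymaster TAs share. HLOS code would never hold this.
TZ_AUTH_KEY = b"demo-tz-only-auth-key-not-real"
TOKEN_MAX_AGE_S = 60.0      # assumed freshness window for a token
PBKDF2_ITERS = 50_000        # assumed work factor for the password handle
TOKEN_BODY = "<QQd"          # challenge, user_id, timestamp (assumed layout)

def enroll(password: bytes) -> bytes:
    """Gatekeeper enroll: return a password handle (salt + PBKDF2 digest)."""
    salt = os.urandom(16)
    return salt + hashlib.pbkdf2_hmac("sha256", password, salt, PBKDF2_ITERS)

def verify(handle: bytes, password: bytes, challenge: int, user_id: int,
           now: Optional[float] = None) -> Optional[bytes]:
    """Gatekeeper verify: on a correct password, return an auth token that binds
    the caller's challenge, the user id and a timestamp under the TZ-only key."""
    salt, digest = handle[:16], handle[16:]
    candidate = hashlib.pbkdf2_hmac("sha256", password, salt, PBKDF2_ITERS)
    if not hmac.compare_digest(candidate, digest):
        return None                      # wrong password: no token at all
    ts = time.time() if now is None else now
    body = struct.pack(TOKEN_BODY, challenge, user_id, ts)
    return body + hmac.new(TZ_AUTH_KEY, body, hashlib.sha256).digest()

def keymaster_accepts(token: bytes, challenge: int, user_id: int,
                      now: Optional[float] = None) -> bool:
    """Keystore/keymaster side: unlock only if the MAC verifies, the token is
    for this challenge and user, and the timestamp is still fresh."""
    body_len = struct.calcsize(TOKEN_BODY)
    if len(token) != body_len + 32:
        return False
    body, mac = token[:body_len], token[body_len:]
    expected = hmac.new(TZ_AUTH_KEY, body, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, mac):
        return False                     # forged or tampered token
    tok_challenge, tok_uid, ts = struct.unpack(TOKEN_BODY, body)
    ts_now = time.time() if now is None else now
    return (tok_challenge == challenge and tok_uid == user_id
            and 0 <= ts_now - ts <= TOKEN_MAX_AGE_S)
```

The freshness check is what prevents a captured token from being replayed later, and the challenge binding is what ties the token to the specific keystore operation that requested it.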
