key-master
is a newly introduced key management hardware abstraction layer (HAL) component. It defines all the APIs that must be supported by the OEM. The ARM TrustZone (TZ) keymaster application includes the following:
2. Signing and verification - this allows signing of given data with a key that is stored and accessible only by TZ software, as well as verifying signed data with a key that is likewise accessible only by TZ software.
The types of keymaster HAL are as follows:
- Software-based keymaster - uses the OpenSSL software implementation. Jelly Bean ships with a default software keymaster module that performs all key operations in software only.
- Hardware-based keymaster - uses the TZ application APIs (the keymaster application). Hardware keymaster support essentially ensures that the stored key is never accessible from the HLOS.
Regardless of key type (RSA/EC), the generated key blob is encrypted with a key accessible only to TZ software and is stored in the file system (FS) on the HLOS side.
Hardware key-master 1.0 implementation on Android Marshmallow
Keymaster support on Android Marshmallow requires the following modules:
- keymaster TA
- gatekeeper.<chipset>.so
- keystore.<chipset>.so
Gatekeeper is a trusted source for verifying the authenticated state of the device. Gatekeeper does the following:
- provides APIs to enroll and verify a password
- returns a signed auth token with a timestamp to unlock keystore/keymaster
- provides rollback protection on passwords
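The following is an added, constructed model of the gatekeeper-to-keymaster handshake described above; it is not code from Android or from any OEM. It assumes a simplified token layout (version, challenge, user id, timestamp, HMAC-SHA256) and a shared key that in a real device lives only inside TrustZone; the password handle format and the freshness window are also assumptions.

```python
import hashlib
import hmac
import os
import struct
from typing import Optional

# Constructed, stdlib-only model of the Gatekeeper -> Keymaster auth-token exchange.
# Simplified token layout: version | challenge | user_id | timestamp_ms | HMAC-SHA256.
TOKEN_FMT = ">BQQQ"
TOKEN_HDR_LEN = struct.calcsize(TOKEN_FMT)   # 25 bytes before the 32-byte tag
TOKEN_VERSION = 0

# Assumption: both trusted applications share this key inside TZ; the HLOS never sees it.
AUTH_TOKEN_KEY = b"constructed-tz-internal-auth-token-key"


def gatekeeper_enroll(password: bytes) -> bytes:
    """Return a password handle (salt || SHA-256(salt || password)).

    Constructed stand-in for the real handle; a production Gatekeeper uses a
    slow, memory-hard KDF keyed with a TZ-only secret.
    """
    salt = os.urandom(16)
    return salt + hashlib.sha256(salt + password).digest()


def gatekeeper_verify(handle: bytes, password: bytes, challenge: int,
                      user_id: int, now_ms: int) -> Optional[bytes]:
    """Check the password; on success mint a signed, timestamped auth token."""
    salt, digest = handle[:16], handle[16:]
    if not hmac.compare_digest(hashlib.sha256(salt + password).digest(), digest):
        return None                                   # wrong password: no token
    header = struct.pack(TOKEN_FMT, TOKEN_VERSION, challenge, user_id, now_ms)
    return header + hmac.new(AUTH_TOKEN_KEY, header, hashlib.sha256).digest()


def keymaster_check_token(token: bytes, challenge: int, user_id: int,
                          now_ms: int, max_age_ms: int = 60_000) -> bool:
    """Keymaster side: accept only a fresh token carrying a valid TZ HMAC."""
    if len(token) != TOKEN_HDR_LEN + 32:
        return False
    header, tag = token[:TOKEN_HDR_LEN], token[TOKEN_HDR_LEN:]
    expected = hmac.new(AUTH_TOKEN_KEY, header, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return False                                  # forged or tampered token
    version, tok_challenge, tok_user, ts_ms = struct.unpack(TOKEN_FMT, header)
    return (version == TOKEN_VERSION and tok_challenge == challenge
            and tok_user == user_id and 0 <= now_ms - ts_ms <= max_age_ms)
```

Binding the token to a per-operation challenge and bounding its age is what stops a token captured on the HLOS side from being replayed later against keystore.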
The gatekeeper architecture includes the following:
- gatekeeper daemon
- gatekeeper HAL API
- hardware gatekeeper