我的NPI项目之Android 安全系列 -- Android Strongbox 使能(一)

这里借用Android14高通相关的技术文档作为基础文档，该文档描述的是基于NFC的secure element. NFC型号为SN220.

有些概念的说明：

1. RoT

在我们目前的这个上下文中，首先RoT下几个内容，Bootinfo/ Additonal params(images hash) / security patch versions. 

在安全领域：RoT, root of trust, Root of Trust (RoT) is a source that can always be trusted within a cryptographic system. Because cryptographic security is dependent on keys to encrypt and decrypt data and perform functions such as generating digital signatures and verifying signatures, RoT schemes generally include a hardened hardware module.

重要性：https://www.design-reuse.com/articles/47992/rot-the-foundation-of-security.html

2. Attestation Key

简称证书。

3. 安装keybox的代码

Keybox中应该就是Google颁发的证书. Securemsm/keymaster_install_toolbox/.... 具体代码后面可以找机会看一下，目前我的项目中，新启动的设备都需要过gms认真，需要提前向Google提交申请keybox；

4. Strongbox hal 

The StrongBox Hardware Abstraction Layer (HAL) is a component in the Android operating system that provides an interface for interacting with hardware-backed secure storage, also known as the StrongBox Keymaster.

Keymaster is a trusted execution environment (TEE) component responsible for secure key storage, cryptographic operations, and hardware-backed security features. It ensures that sensitive cryptographic keys and operations are protected in a secure environment, isolated from the regular Android operating system.

The StrongBox HAL acts as a bridge between the Android framework and the StrongBox Keymaster. It allows the Android framework to utilize the hardware-backed security features provided by the StrongBox Keymaster, such as secure key storage and cryptographic operations.

By leveraging the StrongBox HAL, Android applications can benefit from enhanced security for cryptographic operations. For example, key material can be securely stored in the hardware-backed keystore, ensuring that sensitive keys are protected from unauthorized access and tampering.

The StrongBox HAL is specifically designed to work with hardware that meets the requirements for StrongBox Keymaster, including secure hardware modules or secure enclaves that provide the necessary security features.

可以这么理解，没有strongbox之前， Qualcomm提供了TEE，调用过程：

Application / Android Framework / Keymaster4.0(hal) / TEE. 

有了strongbox之后，

Application / Android Framework / Strongbox keymaster(keyminit) / TEE / Strongbox

 

5. TEE和TrustZone

Trusted Execution Environment，是指Qualcomm提供的一个可以执行安装操作的环境。Refers specifically to Qualcomm's implementation of the Trusted Execution Environment. It is a software-based component that operates within the Secure World of TrustZone-enabled Qualcomm processors. The Qualcomm TEE provides a secure environment for executing trusted applications, protecting sensitive data, and enabling secure services on Qualcomm-powered devices.

TrustZone is a hardware-based security feature implemented in many ARM-based processors, including those manufactured by Qualcomm. It provides a system-wide approach to secure the execution of trusted code and protects sensitive data on a device. TrustZone creates two separate execution environments: the Normal World and the Secure World. The Secure World, also known as the Secure World Monitor (SWM), runs trusted code isolated from the Normal World, which includes the regular operating system and applications.

6. 上一个RoT 创建和保存的过程

7. 预编译库文件