MTK for Google AttestationKey介绍

参考:

1、googole文档:《Keymaster2—Attestation Key Provisioning》
2、MTK文档:《AttestationKeyToolUserGuide_3.0.pdf》

AttestationKey用途：

Keymaster2 extends the capabilities of hardware-backed key storage on Android devices. One
of the features is key attestation, allows Android apps and off-device entities to determine if the
keys are hardware backed.
For devices that have Google Mobile services, Google will provide the the keys to partners to
download from the Android Partner Front End (APFE)
(1)、可以判断device是否支持硬件keymaster；
(2)、Google合作伙伴可以从APTEE中下载使用;

抛开问题看本质，什么是google attestationkey？

attestationkey就根据当前手机型号(id)，相关google申请的一组keybox,然后将keybox拆分成若干组key, 每组包含ECDSA和RSA，每组key写入到手机的安全内存中.
当google GSM app或第三方APP需要使用时，调用keymaster接口，使用该key进行签名认证等

MTK的设计:

那么我们申请到keybox，要拆分keybox，然后将key组(ECDSA和RSA)写入到手机的安全区域中。这其中的设计思想就是，我们要怎样保护key组(ECDSA和RSA)的安全性？

以下是MTK的设计

详细的代码在：aosp/trusty/vendor/mediatek/proprietary/source/trusty-app/kmsetkey

集成/客制化/调试:

1、使用脚本，生成Kkb、Pkb、Kkb_pub、Kkb_priv四个文件：

#!/bin/bashfunction format_file()
{local filename=$1local tmp="temp"mv $filename $tmplen=$(ls -l $tmp | awk '{print $5}')let len-=1dd if=$tmp of=$filename bs=1 count=$lenrm $tmp
}openssl genrsa -out Kkb_pri.pem 2048
openssl rsa -inform PEM -in Kkb_pri.pem -outform DER -out Kkb_pri
openssl rsa -text -in Kkb_pri.pem -pubout | head -n 20 | tail -n18 > tempfile
rm Kkb_pri.pemfor (( i=0;i<10;i++ ))
dosed 's/ //' -i tempfile
donedd if=tempfile of=Kkb_pub skip=3 bs=1 &&  rm tempfile
format_file Kkb_pubopenssl rand -hex 32 > Kkb
format_file Kkbecho "00" > tempfile
format_file tempfileopenssl rand -hex 128 > tempfile2
format_file tempfile2cat tempfile tempfile2 > Pkbrm tempfile tempfile2

2、使用Splitter2.6(Splitter)工具，拆分keybox

输入申请到的keybox xml文件，如：
2017-11-22_06-11-44.643_UTC.attest_keyboxes.1511331105487.output
输出:keybox_0000000000.bin — keybox_0000000009.bin

3、使用Splitter2.6(Mix Composer)工具，加密googlekey

输入:keybox_0000000000.bin
输出:kb_0000000000.bin (写到手机的安全区域的就是这个文件)

4、使用keytool(EncSW)工具，使用Pkb将Kkb_pub加密成EKkb_pub，并将Pkb\EKkb_pub数组写入到代码中:

加密后，生成要给array.c数组，里面包含Pkb和EKkb_pub

unsigned char Ekkb_pub[] = { 0xCF, 0x93, 0xE3, 0x76, 0x99, 0xE9, 0x78, 0xCD, 0xB4, 0x02, 0x9A, 0x25, 0x45, 0xDC, 0x6D, 0xBC, 0xFE, 0xB9, 0xEE, 0xAB, 0x6C, 0xA8, 0xF8, 0xE3, 0x85, 0x31, 0xB7, 0x2A, 0x40, 0x47, 0xF4, 0x59, 0x75, 0xD4, 0xFF, 0xCF, 0x2A, 0xD9, 0xB4, 0x1D, 0x72, 0xFB, 0x7C, 0x64, 0x4D, 0x53, 0xAB, 0x30, 0x9B, 0xCB, 0x26, 0x19, 0x6D, 0xF4, 0x40, 0x56, 0x3E, 0x97, 0xBC, 0xD1, 0xE4, 0xF0, 0x14, 0xD0, 0x35, 0xBE, 0x78, 0xD2, 0x2B, 0x35, 0x36, 0x99, 0x6D, 0x66, 0x56, 0x59, 0x31, 0x6A, 0x6B, 0x6F, 0xA8, 0xBB, 0xF6, 0xAF, 0x75, 0x05, 0xF1, 0x0D, 0x2F, 0xA6, 0xD5, 0x95, 0xDA, 0xB3, 0xBE, 0x22, 0x90, 0x32, 0x3E, 0x06, 0x81, 0xD7, 0xD2, 0x11, 0x0F, 0x85, 0x03, 0x7A, 0x41, 0x54, 0x2C, 0x95, 0xF8, 0x40, 0xB3, 0x5B, 0x7D, 0x10, 0x71, 0xB8, 0xC9, 0x6D, 0x2C, 0x9B, 0xFD, 0xB7, 0x7A, 0xD4, 0x7A, 0x9F, 0x7E, 0x10, 0x4E, 0x53, 0x17, 0xB1, 0x00, 0x9D, 0x64, 0xFD, 0xD9, 0x2F, 0x67, 0xA4, 0x23, 0xDA, 0x87, 0x84, 0x0D, 0x8B, 0x88, 0x08, 0x4E, 0x5D, 0x18, 0x43, 0xE7, 0x32, 0x92, 0x8E, 0x18, 0x54, 0xA3, 0x98, 0x40, 0x1C, 0x28, 0xFA, 0xD4, 0xB4, 0xF3, 0x32, 0xC3, 0xAE, 0xAA, 0xD9, 0xD3, 0xDA, 0xC4, 0x4E, 0x31, 0x06, 0x47, 0xCF, 0x43, 0x18, 0x68, 0x28, 0x47, 0x96, 0xA9, 0xD2, 0x6F, 0x98, 0x88, 0xAB, 0xFC, 0x2C, 0x4D, 0xF6, 0x6F, 0xAB, 0xB6, 0x0E, 0x52, 0xCF, 0xB2, 0x10, 0xD1, 0xCA, 0x88, 0xA9, 0x27, 0xC2, 0xE7, 0x28, 0xF5, 0x1B, 0x88, 0xDD, 0xE8, 0x25, 0x93, 0x39, 0x40, 0xBC, 0x1B, 0xAE, 0xF0, 0x5F, 0x58, 0xB8, 0x48, 0x4A, 0xD4, 0xBA, 0xEA, 0xCC, 0x15, 0x68, 0xE9, 0x05, 0x74, 0x11, 0xBA, 0x4F, 0xBF, 0x49, 0x9A, 0x11, 0x66, 0x40, 0x1F, 0x02, 0xA3, 0xA8, }; unsigned char InputPkb[] = { 0x00, 0xD9, 0x47, 0xA1, 0x6A, 0x59, 0xDE, 0x65, 0x81, 0x38, 0x92, 0x1B, 0x26, 0x99, 0x3D, 0x97, 0x9A, 0x8B, 0xC6, 0x1B, 0xB8, 0x1D, 0xB5, 0x57, 0xE7, 0xEF, 0xEA, 0x13, 0x5B, 0x00, 0xAD, 0x2F, 0x19, 0xE3, 0xB9, 0x57, 0x70, 0xFF, 0xE8, 0xDF, 0x3A, 0x03, 0xDA, 0x47, 0xBE, 0x50, 0x71, 0x24, 0x2E, 0x96, 0x47, 0x78, 0x6E, 0x55, 0xD6, 0x76, 0xE8, 0xEF, 0x58, 0x62, 0xF4, 0x9E, 0x30, 0x6F, 0x49, 0xC3, 0xCA, 0x8C, 0x35, 0x7A, 0x78, 0x9A, 0x4E, 0x6E, 0x5F, 0x60, 0xC1, 0x72, 0x7A, 0x19, 0xB0, 0xCC, 0xC0, 0x68, 0xF0, 0x91, 0xFF, 0xEC, 0xFA, 0x9D, 0x88, 0x24, 0x04, 0xD2, 0x9F, 0x00, 0x50, 0xBD, 0x3F, 0xBA, 0xA1, 0x25, 0xD8, 0x46, 0x31, 0xA3, 0x1A, 0xE3, 0x81, 0x05, 0xDE, 0xB6, 0xD4, 0xC8, 0x7B, 0xB7, 0x7C, 0xD4, 0xE5, 0x96, 0x79, 0x48, 0x26, 0x32, 0xD4, 0xED, 0xCF, 0x6D, 0xB6, };

5、写入kb_0000000000.bin文件到手机安全区域：
（1）、可以使用CA命令:
kmsetkey_ca -i data/vendor_de/kb_0000000000.bin

（写入成功的log）

<6>[  127.502402] -(0)[210:teei_switch_thr][TZ_LOG] uTSecMan| ta verification is def-disabled
<6>[  127.503482] -(0)[210:teei_switch_thr][TZ_LOG] uTSecMan|
<6>[  127.504200] -(0)[210:teei_switch_thr][TZ_LOG] SST_S   | rpmb cap alloc success
<6>[  127.505152] -(0)[210:teei_switch_thr][TZ_LOG] SST_S   | vfs cap alloc success
<6>[  127.506090] -(0)[210:teei_switch_thr][TZ_LOG] kmsetkey| google keybox rpmb solution, VERSION:1.0
<6>[  127.509383] -(0)[210:teei_switch_thr][TZ_LOG] kmsetkey| ~~~~~~ kb_store enter ~~~~~~
<6>[  127.532984] -(0)[210:teei_switch_thr][TZ_LOG] kmsetkey| =====keybox verify success=====

(2)、可以使用MTK提供的工具：
SP_META