android keymaster_keymint 1.0-优快云博客

keymaster is a newly instroduced key management hardware abstraction layer(hal) component. 
It defines all apis that must be supported by the OEM.
the arm trustzone (TZ) keymaster application includes the following:
1.generation of keys - this involves generating a public key and a private key for cryptography.
2.signing and verification - this allows signing of given data with a key stored and accessible by TZ software as well as verifying signed data with a key that is also only accessible by TZ software.

Types of keymaster HAL are as follows:
- Software-based keymaster - uses the openssl software implementation.jelly bean comes with a default softkeymaster module that does all key operations in software only.
- Hardware-based keymaster - uses TZ application apis(keymaster application).hardware keymaster
support essentially ensures that the key stored is not accessible in HLOS.
Regardless of key type(RSA/EC),the keyblob generated is encrypted by a key accessible by TZ software only and stored in the file system(FS) on the HLOS end.
Commonly Hardware-based keymaster is used and enable by default.
keystore.<chipset>.so is loaded during boot up. This lib may not open source to OEM. we can
check property "sys.keymaster.loaded" value to know whether it is loaded success or not.
property "sys.keymaster.loaded" is set to true after keystore.<chipset>.so is loaded success. by
default, it is false.

Hardware keymaster 1.0 implementaton on android marshmallow 
key master is an access control-based key service with access to trusted hardware-bound crypto.
It is implemented as a trustzone-based trusted appllication(TA).keymaster cannot be compromised by any kernel or userland bug.all keys generated are bound to the device cryptographically.
keymaster support on android marshmallow requires the following modules:
keymaster TA
gatekeeper.<chipset>.so
keystore.<chipset>.so

gatekeeper is a trusted source to verify the authenticated state of the device.
gatekeeper does the following:
- provides apis to enroll and verify a password
- returns a signed auth token with a timestamp to unlock keystore/keymaster
- provides rollback protection on passwords

the gatekeeper architecture includes the following:
- gatekeeper daemon
- gatekeeper HAL API
- hardware gatekeeper