Keymaster is a newly introduced key management hardware abstraction layer (HAL) component.
It defines all the APIs that an OEM must support.
The ARM TrustZone (TZ) keymaster application provides the following:
1. Generation of keys - generates an asymmetric key pair (a public key and a private key) for cryptography; the private key is created inside TZ and is never handed to the non-secure side in the clear.
2. Signing and verification - signs given data with a key that is stored and accessible only by TZ software, and verifies signed data with a key that is likewise accessible only by TZ software.
Types of keymaster HAL are as follows:
- Software-based keymaster - uses the OpenSSL software implementation. Jelly Bean ships a default softkeymaster module that does all key operations in software only, so keys are protected only as well as the HLOS (kernel and framework) that holds them.
- Hardware-based keymaster - uses the TZ application APIs (keymaster application). Hardware keymaster support essentially ensures that the stored key is not accessible from the HLOS.
Regardless of key type (RSA/EC), the generated keyblob is encrypted by a key accessible by TZ software only and is stored in the file system (FS) on the HLOS side. The HLOS therefore holds only an opaque blob: it can store it and hand it back to the TZ application for use, but it cannot decrypt it, and because the wrapping key is device-specific a blob copied to another device cannot be unwrapped there.
Commonly the hardware-based keymaster is used, and it is enabled by default.
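The model described above (key pair generated inside TZ, private key returned to the HLOS only as a wrapped keyblob, signing done by handing the blob back to the TZ application) is illustrated by the following added example. It is not code from the page or from any vendor's keymaster; it stands in for the TA with a Go type, uses a random in-memory key as the device-bound wrapping key (on real hardware that key is derived from fused secrets inside TZ), and uses AES-GCM as the blob format (real keyblob formats are vendor-specific). The assumed names NewTrustedApp, GenerateKey, Sign and Verify are this example's own.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"errors"
	"fmt"
)

// KeyBlob is all the HLOS side (keystore.<chipset>.so, the FS) ever sees:
// an opaque ciphertext it can store and hand back, but not decrypt.
type KeyBlob []byte

// TrustedApp stands in for the TrustZone keymaster TA. Its AEAD is keyed
// with a device-bound key-encryption key that never leaves the secure world
// (assumption: a random in-memory key models the fused device key here).
type TrustedApp struct {
	aead cipher.AEAD
}

// blobAAD binds the blob to its key type so a blob cannot be replayed as
// a different algorithm; GCM's tag detects any modification of the blob.
const blobAAD = "EC-P256"

func NewTrustedApp() (*TrustedApp, error) {
	kek := make([]byte, 32)
	if _, err := rand.Read(kek); err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(kek)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return &TrustedApp{aead: gcm}, nil
}

// GenerateKey creates an EC P-256 key pair inside the TA and returns the
// public key in the clear and the private key only as a wrapped keyblob.
func (ta *TrustedApp) GenerateKey() (KeyBlob, *ecdsa.PublicKey, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	der, err := x509.MarshalECPrivateKey(priv)
	if err != nil {
		return nil, nil, err
	}
	nonce := make([]byte, ta.aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, nil, err
	}
	// Blob layout: nonce || AES-GCM(kek, nonce, private key DER, aad).
	blob := ta.aead.Seal(nonce, nonce, der, []byte(blobAAD))
	return KeyBlob(blob), &priv.PublicKey, nil
}

// unwrap is unexported: only TA code can ever turn a blob back into a key.
func (ta *TrustedApp) unwrap(blob KeyBlob) (*ecdsa.PrivateKey, error) {
	ns := ta.aead.NonceSize()
	if len(blob) < ns {
		return nil, errors.New("keyblob too short")
	}
	der, err := ta.aead.Open(nil, blob[:ns], blob[ns:], []byte(blobAAD))
	if err != nil {
		return nil, errors.New("keyblob rejected: tampered or wrapped by another device")
	}
	return x509.ParseECPrivateKey(der)
}

// Sign unwraps the blob inside the TA and signs SHA-256(data) with it.
func (ta *TrustedApp) Sign(blob KeyBlob, data []byte) ([]byte, error) {
	priv, err := ta.unwrap(blob)
	if err != nil {
		return nil, err
	}
	digest := sha256.Sum256(data)
	return ecdsa.SignASN1(rand.Reader, priv, digest[:])
}

// Verify needs only the public key, so it can run anywhere.
func Verify(pub *ecdsa.PublicKey, data, sig []byte) bool {
	digest := sha256.Sum256(data)
	return ecdsa.VerifyASN1(pub, digest[:], sig)
}

func main() {
	ta, err := NewTrustedApp()
	if err != nil {
		panic(err)
	}
	blob, pub, err := ta.GenerateKey()
	if err != nil {
		panic(err)
	}
	msg := []byte("constructed sample message") // constructed input
	sig, err := ta.Sign(blob, msg)
	if err != nil {
		panic(err)
	}
	fmt.Println("signature valid:", Verify(pub, msg, sig))
	// Flip one bit of the stored blob, as an HLOS attacker with FS access could.
	tampered := make(KeyBlob, len(blob))
	copy(tampered, blob)
	tampered[len(tampered)-1] ^= 0x01
	_, err = ta.Sign(tampered, msg)
	fmt.Println("tampered blob:", err)
}
```

The two failure cases in main and in a second TrustedApp instance are the point: a modified blob and a blob wrapped by a different device key are both rejected before any private key material is reconstructed, which is exactly what the HLOS-side file system storage relies on.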
keystore.<chipset>.so is loaded during boot up. This library may not be open source to the OEM. The property "sys.keymaster.loaded" shows whether it was loaded successfully: it is set to true after keystore.<chipset>.so has loaded successfully and is false by default, so it can be read with getprop (for example, adb shell getprop sys.keymaster.loaded) to confirm that the hardware keymaster is in use.
Hardware keymaster 1.0 implementation on Android Marshmallow
Keymaster is an access-control-based key service with access to trusted, hardware-bound cryptography.
It is implemented as a TrustZone-based trusted application (TA). Because key material is handled only inside the TA, a kernel or userland bug cannot extract it; note that this rests on the TEE itself being sound, and a compromised HLOS can still ask the TA to use a key on its behalf unless the key is bound to user authentication. All generated keys are cryptographically bound to the device.
Keymaster support on Android Marshmallow requires the following modules:
keymaster TA
gatekeeper.<chipset>.so
keystore.<chipset>.so
Gatekeeper is a trusted source that verifies the user's credential and thereby the authenticated state of the device.
Gatekeeper does the following:
- provides APIs to enroll and verify a password
- on successful verification, returns a signed auth token carrying a timestamp, which unlocks keystore/keymaster (keymaster checks the token's signature and freshness before using an auth-bound key)
- provides rollback protection on passwords
The gatekeeper architecture includes the following:
- gatekeeper daemon (HLOS)
- gatekeeper HAL API (gatekeeper.<chipset>.so)
- hardware gatekeeper (TZ TA)
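The enroll/verify/auth-token flow across these three layers is shown by the following added example, which is not code from the page or from AOSP. The HLOS daemon holds only an opaque password handle; the hardware gatekeeper keeps the password key to itself and shares an auth-token key with keymaster. Assumptions made here: HMAC-SHA256 for both the handle signature and the token signature, a timestamp in milliseconds since boot supplied by a caller-provided clock, and a fixed failure counter (maxFailures) standing in for gatekeeper's real brute-force throttling; the names NewGatekeeperPair, Enroll, Verify and VerifyAuthToken are this example's own.

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/binary"
	"errors"
	"fmt"
)

// PasswordHandle is the enrollment record the gatekeeper daemon stores on
// the HLOS. Its signature is only checkable inside the hardware gatekeeper.
type PasswordHandle struct {
	Salt      [16]byte
	Signature [32]byte // HMAC(passwordKey, salt || password)
}

// AuthToken is returned on a successful verify and consumed by keymaster.
type AuthToken struct {
	UserID    uint32
	Timestamp uint64 // ms since boot (assumption: monotonic clock)
	HMAC      [32]byte
}

// HardwareGatekeeper models the TZ gatekeeper TA.
type HardwareGatekeeper struct {
	passwordKey []byte         // never leaves the gatekeeper
	authKey     []byte         // shared only with the keymaster TA
	failures    map[uint32]int // per-user failed attempts (throttling model)
	clock       func() uint64
}

// KeymasterTA holds the shared auth-token key and validates tokens.
type KeymasterTA struct {
	authKey []byte
}

const maxFailures = 5 // assumption: simplified stand-in for real throttling

func hmacSHA256(key []byte, parts ...[]byte) [32]byte {
	m := hmac.New(sha256.New, key)
	for _, p := range parts {
		m.Write(p)
	}
	var out [32]byte
	copy(out[:], m.Sum(nil))
	return out
}

// NewGatekeeperPair creates a gatekeeper and keymaster sharing one auth key.
func NewGatekeeperPair(clock func() uint64) (*HardwareGatekeeper, *KeymasterTA, error) {
	pk := make([]byte, 32)
	ak := make([]byte, 32)
	if _, err := rand.Read(pk); err != nil {
		return nil, nil, err
	}
	if _, err := rand.Read(ak); err != nil {
		return nil, nil, err
	}
	gk := &HardwareGatekeeper{passwordKey: pk, authKey: ak, failures: map[uint32]int{}, clock: clock}
	return gk, &KeymasterTA{authKey: ak}, nil
}

// Enroll produces a handle that reveals nothing about the password to the HLOS.
func (gk *HardwareGatekeeper) Enroll(uid uint32, password []byte) (PasswordHandle, error) {
	var h PasswordHandle
	if _, err := rand.Read(h.Salt[:]); err != nil {
		return h, err
	}
	h.Signature = hmacSHA256(gk.passwordKey, h.Salt[:], password)
	return h, nil
}

// Verify checks the password against the handle and mints a signed token.
func (gk *HardwareGatekeeper) Verify(uid uint32, h PasswordHandle, password []byte) (AuthToken, error) {
	if gk.failures[uid] >= maxFailures {
		return AuthToken{}, errors.New("throttled: too many failed attempts")
	}
	want := hmacSHA256(gk.passwordKey, h.Salt[:], password)
	if subtle.ConstantTimeCompare(want[:], h.Signature[:]) != 1 {
		gk.failures[uid]++
		return AuthToken{}, errors.New("password verification failed")
	}
	gk.failures[uid] = 0
	tok := AuthToken{UserID: uid, Timestamp: gk.clock()}
	tok.HMAC = hmacSHA256(gk.authKey, tok.body())
	return tok, nil
}

// body is the signed portion of the token: user id || timestamp.
func (t AuthToken) body() []byte {
	buf := make([]byte, 12)
	binary.LittleEndian.PutUint32(buf[0:4], t.UserID)
	binary.LittleEndian.PutUint64(buf[4:12], t.Timestamp)
	return buf
}

// VerifyAuthToken is keymaster's gate before an auth-bound key may be used:
// the HMAC must match and the timestamp must be within maxAgeMs of now.
func (km *KeymasterTA) VerifyAuthToken(tok AuthToken, now, maxAgeMs uint64) error {
	want := hmacSHA256(km.authKey, tok.body())
	if subtle.ConstantTimeCompare(want[:], tok.HMAC[:]) != 1 {
		return errors.New("auth token HMAC invalid")
	}
	if now < tok.Timestamp || now-tok.Timestamp > maxAgeMs {
		return errors.New("auth token expired")
	}
	return nil
}

func main() {
	now := uint64(10000)
	gk, km, err := NewGatekeeperPair(func() uint64 { return now })
	if err != nil {
		panic(err)
	}
	h, _ := gk.Enroll(0, []byte("correct horse")) // constructed credential
	tok, err := gk.Verify(0, h, []byte("correct horse"))
	fmt.Println("verify:", err)
	fmt.Println("fresh token:", km.VerifyAuthToken(tok, now+500, 1000))
	fmt.Println("stale token:", km.VerifyAuthToken(tok, now+5000, 1000))
}
```

Two checks matter on the keymaster side: the HMAC, so the daemon cannot forge or alter a token it merely relays, and the timestamp, so a captured token cannot be replayed indefinitely. The gatekeeper side never returns a token on failure and stops answering after repeated failures, which is what makes offline guessing against the stored handle pointless.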