platform_hardware_interfaces/security/rkp
Alice Wang 59e2a0804f Merge "Run VtsHalRemotelyProvisionedComponentTargetTest only on V+ devices" into main am: 938c0177e3 am: 04e1d59cdc
Original change: https://android-review.googlesource.com/c/platform/hardware/interfaces/+/3084447

Change-Id: Ib95a67a47d94f33e756b3e9d017525e9cd66f338
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
2024-05-16 08:07:47 +00:00
..
aidl Merge "Run VtsHalRemotelyProvisionedComponentTargetTest only on V+ devices" into main am: 938c0177e3 am: 04e1d59cdc 2024-05-16 08:07:47 +00:00
CHANGELOG.md Merge "Document that the component version can be a string" 2023-04-07 20:57:25 +00:00
OWNERS Add RKP-specific owners file 2022-12-13 13:26:41 -08:00
README.md Fix formatting around rkp-vm tag 2024-04-29 19:04:20 +00:00
TEST_MAPPING Move remotely provisioned component tests to rkp directory 2022-12-13 11:03:59 -08:00

Remote Provisioning HAL

Objective

Design a HAL to support over-the-air provisioning of certificates for asymmetric keys. The HAL must interact effectively with Keystore (and other services) and protect device privacy and security.

Note that this API was originally designed for KeyMint, with the intention that it should be usable for other HALs that require certificate provisioning. Throughout this document we'll refer to the Keystore and KeyMint (formerly called Keymaster) components, but only for concreteness and convenience; those labels could be replaced with the names of any system and secure area components, respectively, that need certificates provisioned.

Key design decisions

General approach

To more securely and reliably get keys and certificates to Android devices, we need to create a system where no party outside of the device's secure components is responsible for managing private keys. The strategy we've chosen is to deliver certificates over the air, using an asymmetric key pair derived from a unique device secret (UDS) as a root of trust for authenticated requests from the secure components. We refer to the public half of this asymmetric key pair as UDS_pub.

In order for the provisioning service to trust UDS_pub we ask device OEMs to use one of two mechanisms:

  1. (Preferred, recommended) The device OEM extracts the UDS_pub from each device they manufacture and uploads the public keys to a backend server.

  2. The device OEM signs the UDS_pub and stores the certificates on the device rather than uploading a UDS_pub for every device immediately. However, there are many disadvantages and costs associated with this option as the OEM will need to pass a security audit of their factory's physical security, CA and HSM configuration, and incident response processes before the OEM's public key is registered with the provisioning server.

Note that in the full elaboration of this plan, UDS_pub is not the key used to sign certificate requests. Instead, UDS_pub is just the first public key in a chain of public keys that end the KeyMint public key. All keys in the chain are transitively derived from the UDS and joined in a certificate chain following the specification of the Android Profile for DICE.

Phases

RKP will be deployed with phased management of the root of trust binding between the device and the backend. To briefly describe them:

  • Degenerate DICE (Phase 1): A TEE root of trust key pair is used to sign certificate requests; a single self-signed certificate signifies this phase.
  • DICE (Phase 2): A hardware root of trust key pair is only accessible to ROM or ROM extension code; the boot process follows the Android Profile for DICE.
  • SoC vendor certified DICE (Phase 3): This is identical to Phase 2, except the SoC vendor also does the UDS_pub extraction or certification in their facilities, along with the OEM doing it in the factory. This tightens up the "supply chain" and aims to make key upload management more secure.

Privacy considerations

Because the UDS, CDIs and derived values are unique, immutable, unspoofable hardware-bound identifiers for the device, we must limit access to them. We require that the values are never exposed in public APIs and are only available to the minimum set of system components that require access to them to function correctly.

Key and cryptographic message formatting

For simplicity of generation and parsing, compactness of wire representation, and flexibility and standardization, we've settled on using the CBOR Object Signing and Encryption (COSE) standard, defined in RFC 8152. COSE provides compact and reasonably simple, yet easily-extensible, wire formats for:

  • Keys,
  • MACed messages,
  • Signed messages, and
  • Encrypted messages

COSE enables easy layering of these message formats, such as using a COSE_Sign structure to contain a COSE_Key with a public key in it. We call this a "certificate".

Due to the complexity of the standard, we'll spell out the COSE structures completely in this document and in the HAL and other documentation, so that although implementors will need to understand CBOR and the CBOR Data Definition Language (CDDL, defined in RFC 8610), they shouldn't need to understand COSE.

Note, however, that the certificate chains returned from the provisioning server are standard X.509 certificates.

Algorithm choices

This document uses:

  • ECDSA P-256 for attestation signing keys;
  • Remote provisioning protocol signing keys:
  • Ed25519 / P-256 / P-384
  • ECDH keys:
  • X25519 / P-256
  • AES-GCM for all encryption;
  • SHA-256 / SHA-384 / SHA-512 for message digesting;
  • HMAC with a supported message digest for all MACing; and
  • HKDF with a supported message digest for all key derivation.

We believe that Curve25519 offers the best tradeoff in terms of security, efficiency and global trustworthiness, and that it is now sufficiently widely-used and widely-implemented to make it a practical choice.

However, since hardware such as Secure Elements (SE) do not currently offer support for curve 25519, we are allowing implementations to instead make use of ECDSA and ECDH.

The CDDL in the rest of the document will use the '/' operator to show areas where either curve 25519, P-256 or P-384 may be used. Since there is no easy way to bind choices across different CDDL groups, it is important that the implementor stays consistent in which type is chosen. E.g. taking ES256 as the choice for algorithm implies the implementor should also choose the P256 public key group further down in the COSE structure.

Design

Certificate provisioning flow

TODO(jbires): Replace this with a .png containing a sequence diagram. The provisioning flow looks something like this:

rkpd -> KeyMint: generateKeyPair KeyMint -> KeyMint: Generate key pair KeyMint --> rkpd: key_blob,pubkey rkpd -> rkpd: Store key_blob,pubkey rkpd -> Server: Get challenge Server --> rkpd: challenge rkpd -> KeyMint: genCertReq(pubkeys, challenge) KeyMint -> KeyMint: Sign CSR KeyMint --> rkpd: signed CSR rkpd --> Server: CSR Server -> Server: Validate CSR Server -> Server: Generate certificates Server --> rkpd: certificates rkpd -> rkpd: Store certificates

The actors in the above diagram are:

  • Server is the backend certificate provisioning server. It has access to the uploaded device public keys and is responsible for providing encryption keys, decrypting and validating requests, and generating certificates in response to requests.
  • rkpd is, optionally, a modular system component that is responsible for communicating with the server and all of the system components that require key certificates from the server. It also implements the policy that defines how many key pairs each client should keep in their pool. When a system ships with rkpd as a modular component, it may be updated independently from the rest of the system.
  • Keystore is the Android keystore daemon (or, more generally, whatever system component manages communications with a particular secure aread component).
  • KeyMint is the secure area component that manages cryptographic keys and performs attestations (or perhaps some other secure area component).

HAL

The remote provisioning HAL provides a simple interface that can be implemented by multiple secure components that require remote provisioning. It would be slightly simpler to extend the KeyMint API, but that approach would only serve the needs of KeyMint, this is more general.

NOTE the data structures defined in this HAL may look a little bloated and complex. This is because the COSE data structures are fully spelled-out; we could make it much more compact by not re-specifying the standardized elements and instead just referencing the standard, but it seems better to fully specify them. If the apparent complexity seems daunting, consider what the same would look like if traditional ASN.1 DER-based structures from X.509 and related standards were used and also fully elaborated.

Please see the related HAL documentation directly in the source code at the following links:

Support for Android Virtualization Framework

The Android Virtualization Framwork (AVF) relies on RKP to provision keys for VMs. A privileged vm, the RKP VM, is reponsible for generating and managing the keys for client VMs that run virtualized workloads. See the following for more background information on the RKP VM:

It is important to distinquish the RKP VM from other components, such as KeyMint. An RKP VM marker (key -70006) is used for this purpose. The existence or absence of this marker is used to identify the type of component decribed by a given DICE chain.

The following describes which certificate types may be request based on the RKP VM marker:

  1. "rkp-vm": If a DICE chain has zero or more certificates without the RKP VM marker followed by one or more certificates with the marker, then that chain describes an RKP VM. If there are further certificates without the RKP VM marker, then the chain does not describe an RKP VM.

    Implementations must include the first RKP VM marker as early as possible after the point of divergence between TEE and non-TEE components in the DICE chain, prior to loading the Android Bootloader (ABL).

  2. "widevine" or "keymint": If there are no certificates with the RKP VM marker then it describes a TEE component.

  3. None: Any component described by a DICE chain that does not match the above two categories.