8fe0cfb098
This implementation does not provide any security guarantees.

* The input method (NotSoSecureInput) runs a crypto protocol that is sufficiently secure IFF the end point is implemented on a trustworthy secure input device. But since the endpoint is currently in the HAL service itself this implementation is not secure.
* This implementation provides most of the functionality, but not the secure UI infrastructure required to run Android Protected Confirmation.

Bug: 146078942
Test: VtsHalConfirmationUIV1_0TargetTest
Change-Id: I14717b5fa4ef15db960cdd506b8c6fe5369aec8d
20 lines
No EOL
1.1 KiB
Text
## Secure UI Architecture

To implement confirmationui a secure UI architecture is required. This entails a way to display the confirmation dialog driven by a reduced trusted computing base, typically a trusted execution environment (TEE), without having to rely on Linux and the Android system for integrity and authenticity of input events. This implementation provides neither. But it provides most of the functionality required to run a full Android Protected Confirmation feature when integrated into a secure UI architecture.

## Secure input (NotSoSecureInput)

This implementation does not provide any security guarantees. The input method (NotSoSecureInput) runs a cryptographic protocol that is sufficiently secure IFF the end point is implemented on a trustworthy secure input device. But since the endpoint is currently in the HAL service itself this implementation is not secure.

NOTE that a secure input device end point needs a good source of entropy for generating nonces. The current implementation (NotSoSecureInput.cpp#generateNonce) uses a constant nonce.
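As an added illustration (not the HAL's own NotSoSecureInput.cpp), the contrast between the constant nonce the README mentions and one drawn from the platform CSPRNG, plus the freshness check a unit test of a real endpoint should include; the `Nonce` type, the function names and the use of /dev/urandom are assumptions made here.

```cpp
#include <array>
#include <cstddef>
#include <cstdint>
#include <fstream>
#include <set>
#include <stdexcept>

// Hypothetical types and names; not the HAL's NotSoSecureInput.cpp.
using Nonce = std::array<uint8_t, 32>;

// The behaviour the README warns about: every call hands back the same bytes,
// so a response captured once stays valid for every later challenge.
Nonce generateNonceConstant() {
    Nonce n{};
    n.fill(0x42);  // constructed placeholder value
    return n;
}

// What a secure input endpoint needs instead: fresh bytes from the platform
// CSPRNG. Assumes a POSIX system exposing /dev/urandom; on Android/Linux the
// getrandom(2) syscall is the equivalent in-kernel source.
Nonce generateNonceRandom() {
    std::ifstream urandom("/dev/urandom", std::ios::binary);
    if (!urandom) throw std::runtime_error("cannot open /dev/urandom");
    Nonce n{};
    urandom.read(reinterpret_cast<char*>(n.data()), n.size());
    if (urandom.gcount() != static_cast<std::streamsize>(n.size())) {
        throw std::runtime_error("short read from /dev/urandom");
    }
    return n;
}

// Freshness check suitable for a unit test of the endpoint: draw `count`
// nonces and report how many distinct values appeared. A generator fit for
// purpose returns `count`; the constant generator returns 1.
template <typename Gen>
std::size_t distinctNonces(Gen gen, std::size_t count) {
    std::set<Nonce> seen;
    for (std::size_t i = 0; i < count; ++i) seen.insert(gen());
    return seen.size();
}
```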