Design a HAL to support over-the-air provisioning of certificates for asymmetric keys. The HAL must interact effectively with Keystore (and other services) and protect device privacy and security.
Note that this API was originally designed for KeyMint, with the intention that it should be usable for other HALs that require certificate provisioning. Throughout this document we'll refer to the Keystore and KeyMint (formerly called Keymaster) components, but only for concreteness and convenience; those labels could be replaced with the names of any system and secure area components, respectively, that need certificates provisioned.
To more securely and reliably get keys and certificates to Android devices, we need to create a system where no party outside of the device‘s secure components is responsible for managing private keys. The strategy we’ve chosen is to deliver certificates over the air, using an asymmetric key pair derived from a unique device secret (UDS) as a root of trust for authenticated requests from the secure components. We refer to the public half of this asymmetric key pair as UDS_pub.
In order for the provisioning service to trust UDS_pub we ask device OEMs to use one of two mechanisms:
(Preferred, recommended) The device OEM extracts the UDS_pub from each device they manufacture and uploads the public keys to a backend server.
The device OEM signs the UDS_pub and stores the certificates on the device rather than uploading a UDS_pub for every device immediately. However, there are many disadvantages and costs associated with this option as the OEM will need to pass a security audit of their factory‘s physical security, CA and HSM configuration, and incident response processes before the OEM’s public key is registered with the provisioning server.
Note that in the full elaboration of this plan, UDS_pub is not the key used to sign certificate requests. Instead, UDS_pub is just the first public key in a chain of public keys that end the KeyMint public key. All keys in the chain are transitively derived from the UDS and joined in a certificate chain following the specification of the Android Profile for DICE.
RKP will be deployed with phased management of the root of trust binding between the device and the backend. To briefly describe them:
Because the UDS, CDIs and derived values are unique, immutable, unspoofable hardware-bound identifiers for the device, we must limit access to them. We require that the values are never exposed in public APIs and are only available to the minimum set of system components that require access to them to function correctly.
For simplicity of generation and parsing, compactness of wire representation, and flexibility and standardization, we've settled on using the CBOR Object Signing and Encryption (COSE) standard, defined in RFC 8152. COSE provides compact and reasonably simple, yet easily-extensible, wire formats for:
COSE enables easy layering of these message formats, such as using a COSE_Sign structure to contain a COSE_Key with a public key in it. We call this a “certificate”.
Due to the complexity of the standard, we‘ll spell out the COSE structures completely in this document and in the HAL and other documentation, so that although implementors will need to understand CBOR and the CBOR Data Definition Language (CDDL, defined in RFC 8610), they shouldn’t need to understand COSE.
Note, however, that the certificate chains returned from the provisioning server are standard X.509 certificates.
This document uses:
We believe that Curve25519 offers the best tradeoff in terms of security, efficiency and global trustworthiness, and that it is now sufficiently widely-used and widely-implemented to make it a practical choice.
However, since hardware such as Secure Elements (SE) do not currently offer support for curve 25519, we are allowing implementations to instead make use of ECDSA and ECDH.
The CDDL in the rest of the document will use the ‘/’ operator to show areas where either curve 25519, P-256 or P-384 may be used. Since there is no easy way to bind choices across different CDDL groups, it is important that the implementor stays consistent in which type is chosen. E.g. taking ES256 as the choice for algorithm implies the implementor should also choose the P256 public key group further down in the COSE structure.
TODO(jbires): Replace this with a .png containing a sequence diagram. The provisioning flow looks something like this:
rkpd -> KeyMint: generateKeyPair KeyMint -> KeyMint: Generate key pair KeyMint --> rkpd: key_blob,pubkey rkpd -> rkpd: Store key_blob,pubkey rkpd -> Server: Get challenge Server --> rkpd: challenge rkpd -> KeyMint: genCertReq(pubkeys, challenge) KeyMint -> KeyMint: Sign CSR KeyMint --> rkpd: signed CSR rkpd --> Server: CSR Server -> Server: Validate CSR Server -> Server: Generate certificates Server --> rkpd: certificates rkpd -> rkpd: Store certificates
The actors in the above diagram are:
The remote provisioning HAL provides a simple interface that can be implemented by multiple secure components that require remote provisioning. It would be slightly simpler to extend the KeyMint API, but that approach would only serve the needs of KeyMint, this is more general.
NOTE the data structures defined in this HAL may look a little bloated and complex. This is because the COSE data structures are fully spelled-out; we could make it much more compact by not re-specifying the standardized elements and instead just referencing the standard, but it seems better to fully specify them. If the apparent complexity seems daunting, consider what the same would look like if traditional ASN.1 DER-based structures from X.509 and related standards were used and also fully elaborated.
Please see the related HAL documentation directly in the source code at the following links:
The Android Virtualization Framwork (AVF) relies on RKP to provision keys for VMs. A privileged vm, the RKP VM, is reponsible for generating and managing the keys for client VMs that run virtualized workloads. See the following for more background information on the RKP VM:
It is important to distinquish the RKP VM from other components, such as KeyMint. An RKP VM marker (key -70006) is used for this purpose. The existence or absence of this marker is used to identify the type of component decribed by a given DICE chain.
The following describes which certificate types may be request based on the RKP VM marker:
“rkp-vm”: If a DICE chain has zero or more certificates without the RKP VM marker followed by one or more certificates with the marker, then that chain describes an RKP VM. If there are further certificates without the RKP VM marker, then the chain does not describe an RKP VM.
Implementations must include the first RKP VM marker as early as possible after the point of divergence between TEE and non-TEE components in the DICE chain, prior to loading the Android Bootloader (ABL).
“widevine” or “keymint”: If there are no certificates with the RKP VM marker then it describes a TEE component.
None: Any component described by a DICE chain that does not match the above two categories.