• Home
  • Line#
  • Scopes#
  • Navigate#
  • Raw
  • Download
1# Remote Provisioning HAL
2
3## Objective
4
5Design a HAL to support over-the-air provisioning of certificates for asymmetric
6keys. The HAL must interact effectively with Keystore (and other daemons) and
7protect device privacy and security.
8
9Note that this API is designed for KeyMint, but with the intention that it
10should be usable for other HALs that require certificate provisioning.
11Throughout this document we'll refer to the Keystore and KeyMint (formerly
12called Keymaster) components, but only for concreteness and convenience; those
13labels could be replaced with the names of any system and secure area
14components, respectively, that need certificates provisioned.
15
16## Key design decisions
17
18### General approach
19
20To more securely and reliably get keys and certificates to Android devices, we
21need to create a system where no party outside of the device's secure components
22is responsible for managing private keys. The strategy we've chosen is to
23deliver certificates over the air, using an asymmetric key pair created
24on-device in the factory as a root of trust to create an authenticated, secure
25channel. In this document we refer to this device-unique asymmetric key pair as
26Device Key (DK), its public half DK\_pub, its private half DK\_priv and a Device
27Key Certificate containing DK\_pub is denoted DKC.
28
29In order for the provisioning service to use DK (or a key authenticated by DK),
30it must know whether a given DK\_pub is known and trusted. To prove trust, we
31ask device OEMs to use one of two mechanisms:
32
331.  (Preferred, recommended) The device OEM extracts DK\_pub from each device it
34    manufactures and uploads the public keys to a backend server.
35
361.  The device OEM signs the DK\_pub to produce DKC and stores it on the device.
37    This has the advantage that they don't need to upload a DK\_pub for every
38    device immediately, but the disadvantage that they have to manage their
39    private signing keys, which means they have to have HSMs, configure and
40    secure them correctly, etc. Some backend providers may also require that the
41    OEM passes a factory security audit, and additionally promises to upload the
42    keys eventually as well.
43
44Note that in the full elaboration of this plan, DK\_pub is not the key used to
45establish a secure channel. Instead, DK\_pub is just the first public key in a
46chain of public keys which ends with the KeyMint public key, KM\_pub. All keys
47in the chain are device-unique and are joined in a certificate chain called the
48_Boot Certificate Chain_ (BCC), because in phases 2 and 3 of the remote
49provisioning project it is a chain of certificates corresponding to boot phases.
50We speak of the BCC even for phase 1, though in phase 1 it contains only a
51single self-signed DKC. This is described in more depth in the Phases section
52below.
53
54The BCC is authenticated by DK\_pub. To authenticate DK\_pub, we may have
55additional DKCs, from the SoC vendor, the device OEM, or both. Those are not
56part of the BCC but included as optional fields in the certificate request
57structure.
58
59The format of the the DK and BCC is specified within [Open Profile for DICE]
60(https://pigweed.googlesource.com/open-dice/+/HEAD/docs/specification.md).  To
61map phrases within this document to their equivalent terminology in the DICE
62specification, read the terms as follows: the DK corresponds to the UDS-derived
63key pair, DKC corresponds to the UDS certificate, and the BCC entries between
64DK\_pub and KM\_pub correspond to a chain of CDI certificates.
65
66Note: In addition to allowing 32 byte hash values for fields in the BCC payload,
67this spec additionally constrains some of the choices allowed in open-DICE.
68Specifically, these include which entries are required and which are optional in
69the BCC payload, and which algorithms are acceptable for use.
70
71### Phases
72
73RKP will be deployed in three phases, in terms of managing the root of trust
74binding between the device and the backend. To briefly describe them:
75
76* Phase 1: In phase 1 there is only one entry in the BCC; DK_pub and KM_pub are
77  the same key and the certificate is self-signed.
78* Phase 2: This is identical to phase 1, except it leverages the hardware root
79  of trust process described by DICE. Instead of trust being rooted in the TEE,
80  it is now rooted in the ROM by key material blown into fuses which are only
81  accessible to the ROM code.
82* Phase 3: This is identical to Phase 2, except the SoC vendor also does the
83  public key extraction or certification in their facilities, along with the OEM
84  doing it in the factory. This tightens up the "supply chain" and aims to make
85  key upload management more secure.
86
87### Privacy considerations
88
89Because DK and the DKCs are unique, immutable, unspoofable hardware-bound
90identifiers for the device, we must limit access to them to the absolute minimum
91possible. We do this in two ways:
92
931.  We require KeyMint (which knows the BCC and either knows or at least has the
94ability to use KM\_priv) to refuse to ever divulge the BCC or additional
95signatures in plaintext. Instead, KeyMint requires the caller to provide an
96_Endpoint Encryption Key_ (EEK), with which it will encrypt the data before
97returning it. When provisioning production keys, the EEK must be signed by an
98approved authority whose public key is embedded in KeyMint. When certifying test
99keys, KeyMint will accept any EEK without checking the signature, but will
100encrypt and return a test BCC, rather than the real one.  The result is that
101only an entity in possession of an Trusted EEK (TEEK) private key can discover
102the plaintext of the production BCC.
1031.  Having thus limited access to the public keys to the trusted party only, we
104need to prevent the entity from abusing this unique device identifier.  The
105approach and mechanisms for doing that are beyond the scope of this document
106(they must be addressed in the server design), but generally involve taking care
107to ensure that we do not create any links between user IDs, IP addresses or
108issued certificates and the device pubkey.
109
110Although the details of the mechanisms for preventing the entity from abusing
111the BCC are, as stated, beyond the scope of this document, there is a subtle
112design decision here made specifically to enable abuse prevention. Specifically
113the `CertificateRequest` message sent to the server is (in
114[CDDL](https://tools.ietf.org/html/rfc8610)):
115
116```
117cddl
118CertificateRequest = [
119    DeviceInfo,
120    challenge : bstr,
121    ProtectedData,
122    MacedKeysToSign
123]
124```
125
126The public keys to be attested by the server are in `MacedKeysToSign`, which is
127a COSE\_Mac0 structure, MACed with a key that is found in `ProtectedData`. The
128MAC key is signed by DK\_pub.
129
130This structure allows the backend component that has access to EEK\_priv to
131decrypt `ProtectedData`, validate that the request is from an authorized device,
132check that the request is fresh and verify and extract the MAC key. That backend
133component never sees any data related to the keys to be signed, but can provide
134the MAC key to another backend component that can verify `MacedKeysToSign` and
135proceed to generate the certificates.
136
137In this way, we can partition the provisioning server into one component that
138knows the device identity, as represented by DK\_pub, but never sees the keys to
139be certified or certificates generated, and another component that sees the keys
140to be certified and certificates generated but does not know the device
141identity.
142
143### Key and cryptographic message formatting
144
145For simplicity of generation and parsing, compactness of wire representation,
146and flexibility and standardization, we've settled on using the CBOR Object
147Signing and Encryption (COSE) standard, defined in [RFC
1488152](https://tools.ietf.org/html/rfc8152). COSE provides compact and reasonably
149simple, yet easily-extensible, wire formats for:
150
151*   Keys,
152*   MACed messages,
153*   Signed messages, and
154*   Encrypted messages
155
156COSE enables easy layering of these message formats, such as using a COSE\_Sign
157structure to contain a COSE\_Key with a public key in it. We call this a
158"certificate".
159
160Due to the complexity of the standard, we'll spell out the COSE structures
161completely in this document and in the HAL and other documentation, so that
162although implementors will need to understand CBOR and the CBOR Data Definition
163Language ([CDDL, defined in RFC 8610](https://tools.ietf.org/html/rfc8610)),
164they shouldn't need to understand COSE.
165
166Note, however, that the certificate chains returned from the provisioning server
167are standard X.509 certificates.
168
169### Algorithm choices
170
171This document uses:
172
173*   ECDSA P-256 for attestation signing keys;
174*   Remote provisioning protocol signing keys:
175  *  Ed25519 / P-256
176*   ECDH keys:
177  *  X25519 / P-256
178*   AES-GCM for all encryption;
179*   SHA-256 for all message digesting;
180*   HMAC-SHA-256 for all MACing; and
181*   HKDF-SHA-256 for all key derivation.
182
183We believe that Curve25519 offers the best tradeoff in terms of security,
184efficiency and global trustworthiness, and that it is now sufficiently
185widely-used and widely-implemented to make it a practical choice.
186
187However, since Secure Elements (SE) do not currently offer support for curve
18825519, we are allowing implementations to instead make use of EC P-256 for
189signing and ECDH. To put it simply, the device unique key pair will be a P-256
190key pair for ECDSA instead of Ed25519, and the ProtectedData COSE\_Encrypt
191message will have its payload encrypted with P-256 ECDH key exchange instead of
192X25519.
193
194The CDDL in the rest of the document will use the '/' operator to show areas
195where either curve 25519 or P-256 may be used. Since there is no easy way to
196bind choices across different CDDL groups, it is important that the implementor
197stays consistent in which type is chosen. E.g. taking ES256 as the choice for
198algorithm implies the implementor should also choose the P256 public key group
199further down in the COSE structure.
200
201### Testability
202
203It's critical that the remote provisioning implementation be testable, to
204minimize the probability that broken devices are sold to end users. To support
205testing, the remote provisioning HAL methods take a `testMode` argument. Keys
206created in test mode are tagged to indicate this. The provisioning server will
207check for the test mode tag and issue test certificates that do not chain back
208to a trusted public key. In test mode, any EEK will be accepted, enabling
209testing tools to use EEKs for which they have the private key so they can
210validate the content of certificate requests. The BCC included in the
211`CertificateRequest` must contain freshly-generated keys, not the real BCC keys.
212
213Keystore (or similar) will need to be able to handle both testMode keys and
214production keys and keep them distinct, generating test certificate requests
215when asked with a test EEK and production certificate requests when asked with a
216production EEK. Likewise, the interface used to instruct Keystore to create keys
217will need to be able to specify whether test or production keys are desired.
218
219## Design
220
221### Certificate provisioning flow
222
223TODO(jbires): Replace this with a `.png` containing a sequence diagram.  The
224provisioning flow looks something like this:
225
226Provisioner -> Keystore: Prepare N keys
227Keystore -> KeyMint: generateKeyPair
228KeyMint -> KeyMint: Generate  key pair
229KeyMint --> Keystore: key\_blob,pubkey
230Keystore -> Keystore: Store key\_blob,pubkey
231Provisioner -> Server: Get TEEK
232Server --> Provisioner: TEEK
233Provisioner -> Keystore: genCertReq(N, TEEK)
234Keystore -> KeyMint: genCertReq(pubkeys, TEEK)
235KeyMint -> KeyMint: Sign pubkeys & encrypt BCC
236KeyMint --> Keystore: signature, encrypted BCC
237Keystore -> Keystore: Construct cert\_request
238Keystore --> Provisioner: cert\_request
239Provisioner --> Server: cert\_request
240Server -> Server: Validate cert\_request
241Server -> Server: Generate certificates
242Server --> Provisioner: certificates
243Provisioner -> Keystore: certificates
244Keystore -> Keystore: Store certificates
245
246The actors in the above diagram are:
247
248*   **Server** is the backend certificate provisioning server. It has access to
249    the uploaded device public keys and is responsible for providing encryption
250    keys, decrypting and validating requests, and generating certificates in
251    response to requests.
252*   **Provisioner** is an application that is responsible for communicating with
253    the server and all of the system components that require key certificates
254    from the server. It also implements the policy that defines how many key
255    pairs each client should keep in their pool.
256*   **Keystore** is the [Android keystore
257    daemon](https://developer.android.com/training/articles/keystore) (or, more
258    generally, whatever system component manages communications with a
259    particular secure aread component).
260*   **KeyMint** is the secure area component that manages cryptographic keys and
261    performs attestations (or perhaps some other secure area component).
262
263### `BCC`
264
265The _Boot Certificate Chain_ (BCC) is the chain of certificates that contains
266DK\_pub as well as other often device-unique certificates. The BCC is
267represented as a COSE\_Key containing DK\_pub followed by an array of
268COSE\_Sign1 "certificates" containing public keys and optional additional
269information, ordered from root to leaf, with each certificate signing the next.
270The first certificate in the array is signed by DK\_pub, the last certificate
271has the KeyMint (or whatever) signing key's public key, KM\_pub. In phase 1
272there is only one entry; DK\_pub and KM\_pub are the same key and the
273certificate is self-signed.
274
275Each COSE\_Sign1 certificate is a CBOR Web Token (CWT) as described in [RFC
2768392](https://tools.ietf.org/html/rfc8392) with additional fields as described
277in the Open Profile for DICE. Of these additional fields, only the
278_subjectPublicKey_ and _keyUsage_ fields are expected to be present for the
279KM\_pub entry (that is, the last entry) in a BCC, but all fields required by the
280Open Profile for DICE are expected for other entries (each of which corresponds
281to a particular firmware component or boot stage). The CWT fields _iss_ and
282_sub_ identify the issuer and subject of the certificate and are consistent
283along the BCC entries; the issuer of a given entry matches the subject of the
284previous entry.
285
286The BCC is designed to be constructed using the Open Profile for DICE. In this
287case the DK key pair is derived from the UDS as described by that profile and
288all BCC entries before the leaf are CBOR CDI certificates chained from DK\_pub.
289The KM key pair is not part of the derived DICE chain. It is generated (not
290derived) by the KeyMint module, certified by the last key in the DICE chain, and
291added as the leaf BCC entry. The key usage field in this leaf certificate must
292indicate the key is not used to sign certificates. If a UDS certificate is
293available on the device it should appear in the certificate request as the leaf
294of a DKCertChain in AdditionalDKSignatures (see
295[CertificateRequest](#certificaterequest)).
296
297The Open Profile for DICE allows for an arbitrary configuration descriptor. For
298BCC entries, this configuration descriptor is a CBOR map with the following
299optional fields. If no fields are relevant, an empty map should be encoded.
300Additional implementation-specific fields may be added using key values not in
301the range \[-70000, -70999\] (these are reserved for future additions here).
302
303```
304| Name              | Key    | Value type | Meaning                           |
305| ----------------- | ------ | ---------- | ----------------------------------|
306| Component name    | -70002 | tstr       | Name of firmware component / boot |
307:                   :        :            : stage                             :
308| Component version | -70003 | int        | Version of firmware component /   |
309:                   :        :            : boot stage                        :
310| Resettable        | -70004 | null       | If present, key changes on factory|
311:                   :        :            : reset                             :
312```
313
314Please see
315[ProtectedData.aidl](https://cs.android.com/android/platform/superproject/+/master:hardware/interfaces/security/keymint/aidl/android/hardware/security/keymint/ProtectedData.aidl)
316for a full CDDL definition of the BCC.
317
318### `CertificateRequest`
319
320The full CBOR message that will be sent to the server to request certificates
321is:
322
323```cddl
324CertificateRequest = [
325    DeviceInfo,
326    challenge : bstr,       // Provided by the server
327    ProtectedData,          // See ProtectedData.aidl
328    MacedKeysToSign         // See IRemotelyProvisionedComponent.aidl
329]
330
331DeviceInfo = [
332    VerifiedDeviceInfo,     // See DeviceInfo.aidl
333    UnverifiedDeviceInfo
334]
335
336// Unverified info is anything provided by the HLOS. Subject to change out of
337// step with the HAL.
338UnverifiedDeviceInfo = {
339    ? "fingerprint" : tstr,
340}
341
342```
343
344It will be the responsibility of Keystore and the Provisioner to construct the
345`CertificateRequest`. The HAL provides a method to generate the elements that
346need to be constructed on the secure side, which are the tag field of
347`MacedKeysToSign`, `VerifiedDeviceInfo`, and the ciphertext field of
348`ProtectedData`.
349
350### HAL
351
352The remote provisioning HAL provides a simple interface that can be implemented
353by multiple secure components that require remote provisioning. It would be
354slightly simpler to extend the KeyMint API, but that approach would only serve
355the needs of KeyMint, this is more general.
356
357NOTE the data structures defined in this HAL may look a little bloated and
358complex. This is because the COSE data structures are fully spelled-out; we
359could make it much more compact by not re-specifying the standardized elements
360and instead just referencing the standard, but it seems better to fully specify
361them. If the apparent complexity seems daunting, consider what the same would
362look like if traditional ASN.1 DER-based structures from X.509 and related
363standards were used and also fully elaborated.
364
365Please see the related HAL documentation directly in the source code at the
366following links:
367
368*   [IRemotelyProvisionedComponent
369    HAL](https://cs.android.com/android/platform/superproject/+/master:hardware/interfaces/security/keymint/aidl/android/hardware/security/keymint/IRemotelyProvisionedComponent.aidl)
370*   [ProtectedData](https://cs.android.com/android/platform/superproject/+/master:hardware/interfaces/security/keymint/aidl/android/hardware/security/keymint/ProtectedData.aidl)
371*   [MacedPublicKey](https://cs.android.com/android/platform/superproject/+/master:hardware/interfaces/security/keymint/aidl/android/hardware/security/keymint/MacedPublicKey.aidl)
372*   [RpcHardwareInfo](https://cs.android.com/android/platform/superproject/+/master:hardware/interfaces/security/keymint/aidl/android/hardware/security/keymint/RpcHardwareInfo.aidl)
373*   [DeviceInfo](https://cs.android.com/android/platform/superproject/+/master:hardware/interfaces/security/keymint/aidl/android/hardware/security/keymint/DeviceInfo.aidl)
374
375