3

I know the device keys for Android are in hardware and created used fuses. Where is this fuse memory? Is it directly accessible to the processor?

Because the hardware key should not read out into the memory, that means the AES operation needs to be done in the processor directly. Where is the AES implementation done that uses this fused key? Is there an equivalent of AES-NI instruction set in arm?

If this is not correct place for this question, where can I ask it?

stflow
  • 95
  • 6
  • 1
    One-Time-Programmable (OTP) fuses are not kept in memory but within the processor or the security co-processor itself. It is not usually accessed directly but instead changes the behavior of the processor. I do not know much about Android, but I _think_ this is kept in a secure co-processor. – forest Mar 14 '18 at 05:45
  • This is the correct place to ask it, or at least _a_ correct place. – forest Mar 15 '18 at 00:53

1 Answers1

6

Hardware secure keys are not a feature of Android, they're a feature of some (but not all) devices running Android, including most if not all high- and mid-end smartphones and tablets. The way they work depends on the capabilities of the hardware.

All processors based on an ARM Cortex-A core (and some older ones), whether 32-bit or 64-bit, have a feature called TrustZone, which is a sort of highly specialized virtualization. There are just two partitions: the secure world and the normal world. The secure world has access to the normal world, the normal world doesn't have access to the secure world. TrustZone itself isn't enough to do anything useful: the memory bus has to enforce the protection, which is the case on most (but not all) system-on-chips (SoC) based on a Cortex-A.

On a suitable processor, the secure world runs a trusted execution environment (TEE) with a small operating system. On reasonably modern Android versions, the keys of the Android keymaster are stored in the TEE, Android (even fully rooted) does not have direct access to them. There are phones where the device encryption key resides inside the TEE, but this isn't always the case.

The TEE data is stored encrypted using a key that Android cannot access. This key is derived from a root key which is stored in write-once memory (this can be fuses or other one-time-programmable (OTP) memory technology). The reason Android cannot access this key is that the processor ensures that it is only accessible to the secure world.

On some SoC, the secure world directly reads the memory. On other SoC, there is a dedicated component in the SoC that has exclusive access to the root key, and all the secure world on the main processor can do is to request a key derivation based on the root key. This doesn't change much regarding the security of the system: in either case, the key that the security of the system relies on is a key that gets stored in secure world memory.

Restricting the secure world to a derived key has one advantage: the key can be changed by changing the tweak on the derivation. An attacker who partially breached the TEE and managed to read data, but not to execute arbitrary code, would have access to the key. If the bug is fixed and the new TEE version uses a different key derivation parameter, then the attacker will no longer be able to read TEE data.

Some ARMv8 processors (including all high end phones today) have instructions similar to AES-NI, but this has no impact on security (except indirectly, in making cryptography less expensive and less prone to side channel attacks). AES-NI and the ARM equivalent are just ways to compute AES faster, the keys and data are still in the same place.

Gilles 'SO- stop being evil'
  • 51,415
  • 13
  • 121
  • 180
  • Thanks. Since the trust zone is implemented (and run) on the same processor as the host OS (Android), the AES core should also be accessible to both worlds. How is the access to the usage of the fused key restricted from the host OS (Android)? – stflow Mar 15 '18 at 23:01
  • @stflow It's the same processor, but it's a different security partition. It's protected in the same way that a kernel is protected from unprivileged processes, and a hypervisor is protected from its guests. – Gilles 'SO- stop being evil' Mar 15 '18 at 23:09
  • So, from the TZ OS, if I do a key derivation using the fused key and key schedule it in the AES core, can I continue the actual decryption/encryption back in the host OS? Or should I always go back to TZ to process bytes using the scheduled key? And would that be secure, as in the key will still not be revealed/recovered on the host OS – stflow Mar 15 '18 at 23:12
  • Or is it more likely that the AES core accessible to the TZ OS not accessible to the host OS? – stflow Mar 15 '18 at 23:25
  • Isn't the TrustZone kernel typically seL4? I read somewhere that they had changed to that from OKL4. – forest Mar 16 '18 at 06:33
  • @stflow If any data flows from the TZ OS to the main OS, it's because the TZ OS had code in it to export the data (or because of a vulnerability in the TZ OS). – Gilles 'SO- stop being evil' Mar 16 '18 at 09:13
  • @forest The TZ OS is entirely dependent on the chip manufacturer and the device manufacturer. L4 is a popular design but not all TZ OSes are based on it. – Gilles 'SO- stop being evil' Mar 16 '18 at 09:14
  • For a hardware-backed (but not a Strongbox) keystore, I'm curious to know where the Keymaster stores generated keys. Are they typically stored in the RPMB partition on the same physical eMMC that the Android OS is stored on? – el_tigro Jan 21 '19 at 17:56
  • I'm also wondering where the trusted operating system (Trusty OS) is stored. Is it also stored on the same eMMC in the RPMB partition? – el_tigro Jan 21 '19 at 17:57
  • @catanman It depends. Actually, what's relevant is not whether the data or code is stored in RPMB, but whether they're protected against rollback, which only requires a root hash or counter in RPMB. But for that, too, the answer is that it depends. – Gilles 'SO- stop being evil' Jan 21 '19 at 18:09