Android tamper-resistant anti-replay...
Transcript of Android tamper-resistant anti-replay...
Android tamper-resistant anti-replay secure storage solution and virtualization
Zhu, Bing
Open Source Technology Center (OTC) Software and Services Group (SSG)
2
NOTICE & DISCLAIMER
• Intel technologies’ features and benefits depend on system configuration
and may require enabled hardware, software or service activation.
• Performance varies depending on system configuration.
• Intel, the Intel logo are trademarks of Intel Corporation in the U.S. and/or other countries.
• *Other names and brands may be claimed as the property of others.
3
Intel Android Automotive IVI Platform
Apollo Lake SoC (Intel® Atom™ /VT-x, VT-d)
Secure Monitor (Hypervisor)
Firmware Layer BIOS FW Intel® CSE Other F/Ws..
Android* OS Trusty*/TEE OS
x86 SMC
adapter layer
Trusty* drivers
(ipc,irq,mem,virtio)
Trusty* library
KM
HAL GK
HAL SS
Proxy
KM
TA
GK
TA SS
TA
CryptoS
rv. TA
Trusty* library
(crypto lib, Trusty* APIs…)
LK* kernel & drivers (ipc, virtio, irq, mem)
x86 SMC
adapter layer
X86 HAL (MMU, Interrupt, Thread …)
Secure
Ticks TRK
4
Agenda
Problem Statement
Replay Protected Memory Block (RPMB)
TEE/Trusty Secure Storage (SS)
Secure Storage Virtualization on Hypervisor
Future Directions
Problem Statement
5
Data security and privacy:
–Screen-unlock (password/pin/pattern) attempt failure record for defending against brute force attack: https://source.android.com/security/authentication/gatekeeper
–The version of system image for preventing roll-back attack
–Keybox (keypairs), e.g. for content protection and attestation
–The templates of fingerprint or iris sensor images for authentication
Google CDD requirements since Marshmallow :
–[SR] STRONGLY RECOMMENDED/ SHOULD to use tamper-evident storage
Replay Protected Memory Block
7
Technical Details
eMMC/UFS/NVMe have fixed physical RPMB partition(s) in device
–pre-allocated during flash device manufacture.
RPMB key can only be programmed once in its life time, and is invisible to any software as long as it is programed into h/w device.
All data read/write request of access to RPMB will be authenticated by H/W RPMB controller with RPMB Authkey (Authentication Key):
–Authenticate algorithm is HMAC-SHA256 (or 512)
–H/W built-in monotonic Write Counter is used for replay-protection on WRITE access;
–Software generated Random Number is used for replay-protection on READ access.
Without RPMB Authkey, read access is still possible, but the data being read may not be authentic.
8
How it works (e.g. authenticated write access)
9
RPMB Key Generation and Programming
RPMB Key generation requirements:
–Key is tied to hardware unique key (HUK).
–Key is also bound to eMMC/UFS/NVMe flash storage serial #.
RPMB key programming:
–Typically firmware is responsible for programing the RPMB Key (in cleartext) into RPMB controller through RPMB key programming interface.
–Do it once in factory, or just right after eMMC/UFS replacement if applicable.
–Key cannot be changed once it’s programmed successfully (FUSED)
TEE/Trusty Secure Storage (SS) Architecture
11
Trusty*(TEE) Secure Storage
TEE SS
Proxy
RPMB driver
(eMMC/UFS/
NVMe SSD)
Linux FS
(encrypted
file data)
RPMB
AuthKey
RPMB Key
Secure Storage (SS) TA
TD/TP
SERVICE
Proxy
Client FS RPMB
Crypto
TA
TEE Root
Key
Encryption
Key
TEE
IPC Driver
Trusty/TEE
(Secure) Linux/Android
(Non secure)
RPMB Key is protected, never goes outside of TEE. and it is constantly genernated/derived per each boot.
RPMB Key is factory-provisioned by firmware into flash device before production. Then it is invisible to any software.
Built-in secure file system
https://source.android.com/security/trusty/ https://android.googlesource.com/trusty/app/storage/
12
SS - Trusty TD Service: Tamper-Detection
1. File system meta-data is stored in RPMB
2. The user data encrypted with hardware-backed encryption key, is stored in Android/Linux-backed file system.
3. Support large amount of data.
Trusty secure file system
128KB – 16MB
Data can be deleted/replay’ed, but detectable.
13
SS - Trusty TP Service: Tamper-Proof
1. File system meta-data is stored in RPMB as well, and user Data also stored in RPMB
2. Size constrained; Typically 4MB, depending on eMMC/UFS/NVMe RPMB size.
3. Higher level of protection – Tamper Resistant!
4. Data survives in factory reset.
eMMC RPMB
AuthKey
TP PORT
User Data
(Encrypted)
Super blocks
(FS meta data)
Trusty secure file system
128KB – 16MB
14
How to use (1/2)
Native Linux app to use secure storage
OEM APP
SS TA
TD/TP
SERVICE
Proxy
Client FS RPMB
Crypto
TA
Trusty
Root Key
Encryption
Key Trusty
IPC Driver
Trusty Android
OEM TA
SS Library
(C/C++)
AuthKey
OEM Trusty TA app to use secure storage
SELinux policy protection for access Trusty IPC driver (/dev/trusty-ipc-dev0)
Protection: File created by one TA cannot be accessible to any other TAs.
Protection: File created by one APP can be accessible to any other APPs (as long as Selinux policy allow them to access IPC driver)
15
How to use (2/2)
Native Linux app to access directly its right-side backend TA (OEM TA behaves as a proxy)
OEM APP
SS TA
TD/TP
SERVICE
Proxy
Client FS RPMB
Crypto
TA
Trusty
Root Key
Encryption
Key Trusty
IPC Driver
Trusty Android
OEM TA
AuthKey
OEM Trusty TA app to use secure storage
SELinux policy protection for access Trusty IPC driver (/dev/trusty-ipc-dev0)
Secure Storage Virtualization on
Hypervisor
UOS#2
17
Secure Storage Virtualization Service OS (VM#0)
Device Emulation Process #2
Hypervisor
UOS#1
Android Trusty/TEE
SS TA
Crypto TA
VrKey#1
RPMB Proxy Daemon
RPMB cdev (/dev/vrpmb)
RPMB FE (virtio-rpmb)
Device Emulation Process #1
vBIOS / vOSLoader VrKey#1
vRPMB Emulation/Remap
VrKey#1
user
kernel
1. SOS (Service OS) is a closed system and privileged VM
2. The VrKey (virtual RPMB key) is generated randomly per UOS reboot, and securely distributed it to vSBL/vOSLoader/TEE.
3. Forward/remap vRPMB data/frame to physical RPMB partition.
eMMC/ UFS/ NVMe
RPMB Blk#0
RPMB Blk#1
Single RPMB Partition/Target
User Data Partition
RPMB Blk#2
RPMB (rsvd)
RPMB Driver (eMMC/UFS/NVMe)
RPMB Key
RPMB RAW ACCESS MODULE
RPMB Key
RPMB BE
Future Directions
19
Future Plan
Multiple RPMB Targets / Partitions with H/W support
–UFS3.0 supports 4 RPMB Partitions
–NVMe storage supports MULTIPLE RPMB partitions
Q & A