Android tamper-resistant anti-replay secure storage solution and virtualization

Zhu, Bing

Open Source Technology Center (OTC) Software and Services Group (SSG)

2

NOTICE & DISCLAIMER

• Intel technologies’ features and benefits depend on system configuration

and may require enabled hardware, software or service activation.

• Performance varies depending on system configuration.

• Intel, the Intel logo are trademarks of Intel Corporation in the U.S. and/or other countries.

• *Other names and brands may be claimed as the property of others.

3

Intel Android Automotive IVI Platform

Apollo Lake SoC (Intel® Atom™ /VT-x, VT-d)

Secure Monitor (Hypervisor)

Firmware Layer BIOS FW Intel® CSE Other F/Ws..

Android* OS Trusty*/TEE OS

x86 SMC

adapter layer

Trusty* drivers

(ipc,irq,mem,virtio)

Trusty* library

KM

HAL GK

HAL SS

Proxy

KM

TA

GK

TA SS

TA

CryptoS

rv. TA

Trusty* library

(crypto lib, Trusty* APIs…)

LK* kernel & drivers (ipc, virtio, irq, mem)

x86 SMC

adapter layer

X86 HAL (MMU, Interrupt, Thread …)

Secure

Ticks TRK

4

Agenda

Problem Statement

Replay Protected Memory Block (RPMB)

TEE/Trusty Secure Storage (SS)

Secure Storage Virtualization on Hypervisor

Future Directions

Problem Statement

5

Data security and privacy:

–Screen-unlock (password/pin/pattern) attempt failure record for defending against brute force attack： https://source.android.com/security/authentication/gatekeeper

–The version of system image for preventing roll-back attack

–Keybox (keypairs), e.g. for content protection and attestation

–The templates of fingerprint or iris sensor images for authentication

Google CDD requirements since Marshmallow :

–[SR] STRONGLY RECOMMENDED/ SHOULD to use tamper-evident storage

Replay Protected Memory Block

7

Technical Details

eMMC/UFS/NVMe have fixed physical RPMB partition(s) in device

–pre-allocated during flash device manufacture.

RPMB key can only be programmed once in its life time, and is invisible to any software as long as it is programed into h/w device.

All data read/write request of access to RPMB will be authenticated by H/W RPMB controller with RPMB Authkey (Authentication Key):

–Authenticate algorithm is HMAC-SHA256 (or 512)

–H/W built-in monotonic Write Counter is used for replay-protection on WRITE access;

–Software generated Random Number is used for replay-protection on READ access.

Without RPMB Authkey, read access is still possible, but the data being read may not be authentic.

8

How it works (e.g. authenticated write access)

9

RPMB Key Generation and Programming

RPMB Key generation requirements:

–Key is tied to hardware unique key (HUK).

–Key is also bound to eMMC/UFS/NVMe flash storage serial #.

RPMB key programming:

–Typically firmware is responsible for programing the RPMB Key (in cleartext) into RPMB controller through RPMB key programming interface.

–Do it once in factory, or just right after eMMC/UFS replacement if applicable.

–Key cannot be changed once it’s programmed successfully (FUSED)

TEE/Trusty Secure Storage (SS) Architecture

11

Trusty*(TEE) Secure Storage

TEE SS

Proxy

RPMB driver

(eMMC/UFS/

NVMe SSD)

Linux FS

(encrypted

file data)

RPMB

AuthKey

RPMB Key

Secure Storage (SS) TA

TD/TP

SERVICE

Proxy

Client FS RPMB

Crypto

TA

TEE Root

Key

Encryption

Key

TEE

IPC Driver

Trusty/TEE

(Secure) Linux/Android

(Non secure)

RPMB Key is protected, never goes outside of TEE. and it is constantly genernated/derived per each boot.

RPMB Key is factory-provisioned by firmware into flash device before production. Then it is invisible to any software.

Built-in secure file system

https://source.android.com/security/trusty/ https://android.googlesource.com/trusty/app/storage/

12

SS - Trusty TD Service: Tamper-Detection

1. File system meta-data is stored in RPMB

2. The user data encrypted with hardware-backed encryption key, is stored in Android/Linux-backed file system.

3. Support large amount of data.

Trusty secure file system

128KB – 16MB

Data can be deleted/replay’ed, but detectable.

13

SS - Trusty TP Service: Tamper-Proof

1. File system meta-data is stored in RPMB as well, and user Data also stored in RPMB

2. Size constrained; Typically 4MB, depending on eMMC/UFS/NVMe RPMB size.

3. Higher level of protection – Tamper Resistant!

4. Data survives in factory reset.

eMMC RPMB

AuthKey

TP PORT

User Data

(Encrypted)

Super blocks

(FS meta data)

Trusty secure file system

128KB – 16MB

14

How to use (1/2)

Native Linux app to use secure storage

OEM APP

SS TA

TD/TP

SERVICE

Proxy

Client FS RPMB

Crypto

TA

Trusty

Root Key

Encryption

Key Trusty

IPC Driver

Trusty Android

OEM TA

SS Library

(C/C++)

AuthKey

OEM Trusty TA app to use secure storage

SELinux policy protection for access Trusty IPC driver (/dev/trusty-ipc-dev0)

Protection: File created by one TA cannot be accessible to any other TAs.

Protection: File created by one APP can be accessible to any other APPs (as long as Selinux policy allow them to access IPC driver)

15

How to use (2/2)

Native Linux app to access directly its right-side backend TA (OEM TA behaves as a proxy)

OEM APP

SS TA

TD/TP

SERVICE

Proxy

Client FS RPMB

Crypto

TA

Trusty

Root Key

Encryption

Key Trusty

IPC Driver

Trusty Android

OEM TA

AuthKey

OEM Trusty TA app to use secure storage

SELinux policy protection for access Trusty IPC driver (/dev/trusty-ipc-dev0)

Secure Storage Virtualization on

Hypervisor

UOS#2

17

Secure Storage Virtualization Service OS (VM#0)

Device Emulation Process #2

Hypervisor

UOS#1

Android Trusty/TEE

SS TA

Crypto TA

VrKey#1

RPMB Proxy Daemon

RPMB cdev (/dev/vrpmb)

RPMB FE (virtio-rpmb)

Device Emulation Process #1

vBIOS / vOSLoader VrKey#1

vRPMB Emulation/Remap

VrKey#1

user

kernel

1. SOS (Service OS) is a closed system and privileged VM

2. The VrKey (virtual RPMB key) is generated randomly per UOS reboot, and securely distributed it to vSBL/vOSLoader/TEE.

3. Forward/remap vRPMB data/frame to physical RPMB partition.

eMMC/ UFS/ NVMe

RPMB Blk#0

RPMB Blk#1

Single RPMB Partition/Target

User Data Partition

RPMB Blk#2

RPMB (rsvd)

RPMB Driver (eMMC/UFS/NVMe)

RPMB Key

RPMB RAW ACCESS MODULE

RPMB Key

RPMB BE

Future Directions

19

Future Plan

Multiple RPMB Targets / Partitions with H/W support

–UFS3.0 supports 4 RPMB Partitions

–NVMe storage supports MULTIPLE RPMB partitions

Q & A