




Introduction to MTK for Google AttestationKey

Published: 2025/3/21

References:

1. Google document: "Keymaster2—Attestation Key Provisioning"
2. MTK document: "AttestationKeyToolUserGuide_3.0.pdf"

Purpose of the AttestationKey:

Keymaster2 extends the capabilities of hardware-backed key storage on Android devices. One
of the features is key attestation, which allows Android apps and off-device entities to determine if the
keys are hardware backed.
For devices that have Google Mobile Services, Google will provide the keys to partners to
download from the Android Partner Front End (APFE).
(1) It lets an app, or a server the app talks to, verify that a key is hardware-backed, i.e. that the device has a hardware keymaster and the key lives in it.
(2) Google partners download the keys from APFE (the Android Partner Front End named in the quote above).

Setting the tooling aside, what is a Google attestation key?

An attestation key is, in practice, a keybox requested from Google for the current phone model (ID). The keybox is split into a number of key groups, one per device, each containing an ECDSA key and an RSA key, and each group is written into the phone's secure storage.
When a Google GMS app or a third-party app needs it, it calls the keymaster interface, and the keymaster uses that key for signing and attestation inside the TEE; the private key never leaves the secure world.

MTK's design:

So once we have obtained a keybox, we split it and write each key group (ECDSA and RSA) into the phone's secure area. The design question is: how do we protect the confidentiality of these key groups? A leaked attestation private key lets anyone produce attestation certificate chains that verifiers accept as hardware-backed, so the split keys must be encrypted before they leave the provisioning tooling and the TEE must verify them before storing them.

MTK's design is as follows.

The detailed code is in: aosp/trusty/vendor/mediatek/proprietary/source/trusty-app/kmsetkey

Integration / customization / debugging:

1. Use the script below to generate the four files Kkb, Pkb, Kkb_pub and Kkb_priv (the script writes the DER private key as Kkb_pri):

#!/bin/bash

# Strip the trailing newline from a file: the MTK tools expect raw hex text.
function format_file() {
    local filename=$1
    local tmp="temp"
    mv "$filename" "$tmp"
    len=$(ls -l "$tmp" | awk '{print $5}')
    let len-=1
    dd if="$tmp" of="$filename" bs=1 count=$len
    rm "$tmp"
}

# Kkb_pri: a 2048-bit RSA private key, DER encoded. This is the one artifact that
# must never ship in an image; keep it in the provisioning environment only.
openssl genrsa -out Kkb_pri.pem 2048
openssl rsa -inform PEM -in Kkb_pri.pem -outform DER -out Kkb_pri

# Kkb_pub: the RSA modulus as colon-separated hex text. Lines 3-20 of the -text
# dump hold the modulus; the sed loop strips the leading spaces on each line and
# the dd skips the leading "00:" of the first line.
openssl rsa -text -in Kkb_pri.pem -pubout | head -n 20 | tail -n 18 > tempfile
rm Kkb_pri.pem
for (( i=0; i<10; i++ ))
do
    sed 's/ //' -i tempfile
done
dd if=tempfile of=Kkb_pub skip=3 bs=1 && rm tempfile
format_file Kkb_pub

# Kkb: 32 random bytes as hex.
openssl rand -hex 32 > Kkb
format_file Kkb

# Pkb: a "00" byte followed by 128 random bytes, as hex (129 bytes once decoded).
echo "00" > tempfile
format_file tempfile

openssl rand -hex 128 > tempfile2
format_file tempfile2

cat tempfile tempfile2 > Pkb
rm tempfile tempfile2

2. Use the Splitter2.6 (Splitter) tool to split the keybox:

Input: the keybox XML file obtained from Google, e.g.:
2017-11-22_06-11-44.643_UTC.attest_keyboxes.1511331105487.output
Output: keybox_0000000000.bin through keybox_0000000009.bin (one file per keybox; this example holds ten)

3. Use the Splitter2.6 (Mix Composer) tool to encrypt the Google key:

Input: keybox_0000000000.bin
Output: kb_0000000000.bin (this encrypted file is what gets written into the phone's secure area). The plaintext keybox_*.bin inputs still hold the private keys, so they must stay inside the controlled provisioning environment and be destroyed once the encrypted files exist.

4. Use the keytool (EncSW) tool to encrypt Kkb_pub with Pkb into EKkb_pub, and write the Pkb and EKkb_pub arrays into the code:

The encryption step produces an array.c containing Pkb and EKkb_pub. As a quick sanity check, Ekkb_pub is 256 bytes (the size of the 2048-bit modulus in Kkb_pub) and InputPkb is 129 bytes (the leading 00 plus 128 random bytes), matching the files produced by the script in step 1; a size mismatch here means the wrong input files were fed to the tool. Note that Pkb is compiled into the TA in the clear alongside EKkb_pub.

unsigned char Ekkb_pub[] = {
    0xCF, 0x93, 0xE3, 0x76, 0x99, 0xE9, 0x78, 0xCD, 0xB4, 0x02, 0x9A, 0x25, 0x45, 0xDC, 0x6D, 0xBC,
    0xFE, 0xB9, 0xEE, 0xAB, 0x6C, 0xA8, 0xF8, 0xE3, 0x85, 0x31, 0xB7, 0x2A, 0x40, 0x47, 0xF4, 0x59,
    0x75, 0xD4, 0xFF, 0xCF, 0x2A, 0xD9, 0xB4, 0x1D, 0x72, 0xFB, 0x7C, 0x64, 0x4D, 0x53, 0xAB, 0x30,
    0x9B, 0xCB, 0x26, 0x19, 0x6D, 0xF4, 0x40, 0x56, 0x3E, 0x97, 0xBC, 0xD1, 0xE4, 0xF0, 0x14, 0xD0,
    0x35, 0xBE, 0x78, 0xD2, 0x2B, 0x35, 0x36, 0x99, 0x6D, 0x66, 0x56, 0x59, 0x31, 0x6A, 0x6B, 0x6F,
    0xA8, 0xBB, 0xF6, 0xAF, 0x75, 0x05, 0xF1, 0x0D, 0x2F, 0xA6, 0xD5, 0x95, 0xDA, 0xB3, 0xBE, 0x22,
    0x90, 0x32, 0x3E, 0x06, 0x81, 0xD7, 0xD2, 0x11, 0x0F, 0x85, 0x03, 0x7A, 0x41, 0x54, 0x2C, 0x95,
    0xF8, 0x40, 0xB3, 0x5B, 0x7D, 0x10, 0x71, 0xB8, 0xC9, 0x6D, 0x2C, 0x9B, 0xFD, 0xB7, 0x7A, 0xD4,
    0x7A, 0x9F, 0x7E, 0x10, 0x4E, 0x53, 0x17, 0xB1, 0x00, 0x9D, 0x64, 0xFD, 0xD9, 0x2F, 0x67, 0xA4,
    0x23, 0xDA, 0x87, 0x84, 0x0D, 0x8B, 0x88, 0x08, 0x4E, 0x5D, 0x18, 0x43, 0xE7, 0x32, 0x92, 0x8E,
    0x18, 0x54, 0xA3, 0x98, 0x40, 0x1C, 0x28, 0xFA, 0xD4, 0xB4, 0xF3, 0x32, 0xC3, 0xAE, 0xAA, 0xD9,
    0xD3, 0xDA, 0xC4, 0x4E, 0x31, 0x06, 0x47, 0xCF, 0x43, 0x18, 0x68, 0x28, 0x47, 0x96, 0xA9, 0xD2,
    0x6F, 0x98, 0x88, 0xAB, 0xFC, 0x2C, 0x4D, 0xF6, 0x6F, 0xAB, 0xB6, 0x0E, 0x52, 0xCF, 0xB2, 0x10,
    0xD1, 0xCA, 0x88, 0xA9, 0x27, 0xC2, 0xE7, 0x28, 0xF5, 0x1B, 0x88, 0xDD, 0xE8, 0x25, 0x93, 0x39,
    0x40, 0xBC, 0x1B, 0xAE, 0xF0, 0x5F, 0x58, 0xB8, 0x48, 0x4A, 0xD4, 0xBA, 0xEA, 0xCC, 0x15, 0x68,
    0xE9, 0x05, 0x74, 0x11, 0xBA, 0x4F, 0xBF, 0x49, 0x9A, 0x11, 0x66, 0x40, 0x1F, 0x02, 0xA3, 0xA8,
};

unsigned char InputPkb[] = {
    0x00, 0xD9, 0x47, 0xA1, 0x6A, 0x59, 0xDE, 0x65, 0x81, 0x38, 0x92, 0x1B, 0x26, 0x99, 0x3D, 0x97,
    0x9A, 0x8B, 0xC6, 0x1B, 0xB8, 0x1D, 0xB5, 0x57, 0xE7, 0xEF, 0xEA, 0x13, 0x5B, 0x00, 0xAD, 0x2F,
    0x19, 0xE3, 0xB9, 0x57, 0x70, 0xFF, 0xE8, 0xDF, 0x3A, 0x03, 0xDA, 0x47, 0xBE, 0x50, 0x71, 0x24,
    0x2E, 0x96, 0x47, 0x78, 0x6E, 0x55, 0xD6, 0x76, 0xE8, 0xEF, 0x58, 0x62, 0xF4, 0x9E, 0x30, 0x6F,
    0x49, 0xC3, 0xCA, 0x8C, 0x35, 0x7A, 0x78, 0x9A, 0x4E, 0x6E, 0x5F, 0x60, 0xC1, 0x72, 0x7A, 0x19,
    0xB0, 0xCC, 0xC0, 0x68, 0xF0, 0x91, 0xFF, 0xEC, 0xFA, 0x9D, 0x88, 0x24, 0x04, 0xD2, 0x9F, 0x00,
    0x50, 0xBD, 0x3F, 0xBA, 0xA1, 0x25, 0xD8, 0x46, 0x31, 0xA3, 0x1A, 0xE3, 0x81, 0x05, 0xDE, 0xB6,
    0xD4, 0xC8, 0x7B, 0xB7, 0x7C, 0xD4, 0xE5, 0x96, 0x79, 0x48, 0x26, 0x32, 0xD4, 0xED, 0xCF, 0x6D,
    0xB6,
};

5. Write the kb_0000000000.bin file into the phone's secure area:
(1) Using the CA (client application) command:
kmsetkey_ca -i data/vendor_de/kb_0000000000.bin

(Log of a successful write. Note the first line reports that TA verification is disabled on this build; that is acceptable only on engineering images, so confirm it is enabled on production firmware.)

<6>[ 127.502402] -(0)[210:teei_switch_thr][TZ_LOG] uTSecMan| ta verification is def-disabled
<6>[ 127.503482] -(0)[210:teei_switch_thr][TZ_LOG] uTSecMan|
<6>[ 127.504200] -(0)[210:teei_switch_thr][TZ_LOG] SST_S | rpmb cap alloc success
<6>[ 127.505152] -(0)[210:teei_switch_thr][TZ_LOG] SST_S | vfs cap alloc success
<6>[ 127.506090] -(0)[210:teei_switch_thr][TZ_LOG] kmsetkey| google keybox rpmb solution, VERSION:1.0
<6>[ 127.509383] -(0)[210:teei_switch_thr][TZ_LOG] kmsetkey| ~~~~~~ kb_store enter ~~~~~~
<6>[ 127.532984] -(0)[210:teei_switch_thr][TZ_LOG] kmsetkey| =====keybox verify success=====

(2) Using the MTK-provided tool:
SP_META
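The split in step 2 is done by MTK's Splitter tool, whose .bin output layout is not described on this page. As an added example (not MTK's tool and not code from the page), the following Python reproduces the split in plain form: it parses a keybox XML, checks that each Keybox carries both an ECDSA and an RSA key with a consistent certificate chain, and emits one single-keybox XML per device, written with mode 0600 because each file holds live private keys. The element names (AndroidAttestation, NumberOfKeyboxes, Keybox/DeviceID, Key/algorithm, PrivateKey, CertificateChain, NumberOfCertificates, Certificate) follow the keybox format Google issues through APFE; the sample keybox is constructed with placeholder PEM bodies and is not a real keybox.

```python
"""Split a Google attestation keybox XML into one document per Keybox.

Added example, not MTK's Splitter: the sample input is constructed with
placeholder PEM bodies, and the output is plain XML rather than the tool's .bin.
"""
import os
import xml.etree.ElementTree as ET  # expat does not fetch external entities; the
                                    # input is a Google-issued file, not untrusted data
from pathlib import Path

REQUIRED_ALGS = {"ecdsa", "rsa"}  # every keybox carries one key pair of each algorithm


def _pem(label, body):
    return f"-----BEGIN {label}-----\n{body}\n-----END {label}-----"


def _key_xml(alg, pem_label, n_certs):
    certs = "".join(
        f'<Certificate format="pem">{_pem("CERTIFICATE", alg + "-cert-" + str(i))}</Certificate>'
        for i in range(n_certs)
    )
    return (
        f'<Key algorithm="{alg}"><PrivateKey format="pem">{_pem(pem_label, alg + "-priv")}</PrivateKey>'
        f"<CertificateChain><NumberOfCertificates>{n_certs}</NumberOfCertificates>{certs}</CertificateChain></Key>"
    )


def sample_keybox_xml(n_boxes=3):
    """Constructed stand-in for the *.attest_keyboxes.*.output file (placeholder PEMs)."""
    boxes = "".join(
        f'<Keybox DeviceID="device{i:04d}">{_key_xml("ecdsa", "EC PRIVATE KEY", 3)}'
        f'{_key_xml("rsa", "RSA PRIVATE KEY", 3)}</Keybox>'
        for i in range(n_boxes)
    )
    return (
        '<?xml version="1.0"?><AndroidAttestation>'
        f"<NumberOfKeyboxes>{n_boxes}</NumberOfKeyboxes>{boxes}</AndroidAttestation>"
    )


def check_keybox(kb):
    """Return the list of problems found in one <Keybox> element (empty means OK)."""
    problems = []
    dev = kb.get("DeviceID")
    if not dev:
        problems.append("Keybox without DeviceID")
        dev = "?"
    seen = set()
    for key in kb.findall("Key"):
        alg = (key.get("algorithm") or "").lower()
        seen.add(alg)
        if "-----BEGIN" not in (key.findtext("PrivateKey") or ""):
            problems.append(f"{dev}: {alg} key has no PEM PrivateKey")
        chain = key.find("CertificateChain")
        certs = chain.findall("Certificate") if chain is not None else []
        declared = chain.findtext("NumberOfCertificates") if chain is not None else None
        if declared is None or not declared.isdigit() or int(declared) != len(certs):
            problems.append(f"{dev}: {alg} chain declares {declared} certs, found {len(certs)}")
        if len(certs) < 2:  # leaf plus at least one issuer up to the Google root
            problems.append(f"{dev}: {alg} chain too short ({len(certs)})")
    missing = REQUIRED_ALGS - seen
    if missing:
        problems.append(f"{dev}: missing key algorithm(s) {sorted(missing)}")
    return problems


def split_keyboxes(xml_text):
    """Return [(index, device_id, single-keybox XML bytes), ...]; ValueError on a bad file."""
    root = ET.fromstring(xml_text)
    if root.tag != "AndroidAttestation":
        raise ValueError(f"unexpected root element {root.tag}")
    boxes = root.findall("Keybox")
    declared = root.findtext("NumberOfKeyboxes", "")
    if not declared.isdigit() or int(declared) != len(boxes):
        raise ValueError(f"NumberOfKeyboxes={declared!r} but {len(boxes)} Keybox elements present")
    parts = []
    for idx, kb in enumerate(boxes):
        problems = check_keybox(kb)
        if problems:
            raise ValueError("; ".join(problems))
        single = ET.Element("AndroidAttestation")
        ET.SubElement(single, "NumberOfKeyboxes").text = "1"
        single.append(kb)
        parts.append((idx, kb.get("DeviceID"),
                      ET.tostring(single, encoding="utf-8", xml_declaration=True)))
    return parts


def write_keyboxes(parts, out_dir):
    """Write keybox_0000000000.xml, ... with mode 0600: each file holds private keys."""
    out = Path(out_dir)
    out.mkdir(parents=True, exist_ok=True)
    written = []
    for idx, _dev, data in parts:
        path = out / f"keybox_{idx:010d}.xml"
        fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
        with os.fdopen(fd, "wb") as f:
            f.write(data)
        written.append(path)
    return written


if __name__ == "__main__":
    for p in write_keyboxes(split_keyboxes(sample_keybox_xml()), "split_out"):
        print(p)
```

Run it against a real keybox only inside the provisioning environment: the output files are as sensitive as the input, which is why the writer refuses to create them world-readable and why a count or algorithm mismatch aborts the whole run instead of silently producing a partial set.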
