
Implement Android Tamper-Resistant Secure Storage and Secure it in Virtualization

Bing Zhu (bing.zhu@intel.com)
Contributors: Yang Huang, Tomas Winkler, Wei Deng, Yadong Qi, Kai Wang, Luhai Chen, Eddie Dong
Open Source Technology Center / Software and Services Group (SSG)
Linux Security Summit Europe 2018, October 24, 2018

NOTICE & DISCLAIMER
Intel technologies' features and benefits depend on system configuration and may require enabled hardware, software or service activation. Performance varies depending on system configuration. Intel and the Intel logo are trademarks of Intel Corporation in the U.S. and/or other countries. *Other names and brands may be claimed as the property of others.

Agenda
- Problem Statement
- Replay Protected Memory Block (RPMB)
- VT-TEE/Trusty* Secure Storage (SS)
- Secure Storage Virtualization in ACRN* Hypervisor (TEE isolation, replay/integrity protection, and storage encryption for confidentiality)
- Conclusion and Future Considerations

Problem Statement
Data security and privacy: a device must persist small amounts of security-critical state that an attacker must not be able to modify, delete or roll back, for example:
- Screen-unlock (password/PIN/pattern) failure counters, used to defend against brute-force attacks (Android authentication/gatekeeper)
- The version of the system image, to prevent roll-back attacks
- Keybox (key pairs), e.g. for content protection and attestation
- Fingerprint or iris sensor templates used for authentication
Google* Android* CDD requirement since Marshmallow: [SR] STRONGLY RECOMMENDED / SHOULD use tamper-evident storage.

Replay Protected Memory Block (RPMB)

RPMB Partition (e.g. eMMC)
[Figure: eMMC partition layout: Boot #1 | Boot #2 | RPMB | User Data Area]
The RPMB partition is fixed in size, typically 4 MB (128 KB to 16 MB depending on the part).

Technical Details / Characteristics
1. Authentication key (RPMB AuthKey) is required. The key must be programmed before any authenticated access; the built-in algorithm is HMAC-SHA256. The key can be programmed only once in the device's lifetime, and it is invisible to any software after it has been programmed into the hardware. The key is required to write data to the RPMB partition.
   Note: without the RPMB key, read access is still possible, but the data being read may not be authentic (no guarantee of data integrity or replay protection). Also, RPMB does not provide data confidentiality; encryption, where necessary, is done by software.
2. Replay protection. The storage controller's built-in hardware monotonic Write Counter is used for replay protection on WRITE access; a software-generated random number (nonce) is used for replay protection on READ access.

How it works (e.g. authenticated write access)
[Figure: eMMC hardware (AuthKey register, WriteCounter register, HMAC-SHA256 engine, RPMB data area) on one side; system software holding its copy of the AuthKey on the other]
- AuthKey: a blank register initially, then factory-fused/programmed in a secure environment.
- WriteCounter: initially 0, then incremented by 1 after each successful RPMB write access. The register is maintained by the device and is never decremented.
- Write request: the software sends the data, the metadata (address, block count, the current WriteCounter value) and a MAC, i.e. HMAC-SHA256 over the frame computed with the AuthKey. The data is written to RPMB only when both the WriteCounter and the MAC match.

VT-TEE/Trusty Secure Storage (SS)

VT-TEE/Trusty in Android (Two-VM)
[Figure: two VMs side by side on a lightweight hypervisor]
- Android (non-secure VM): secure storage proxy, keystore, gatekeeper and fingerprint clients; Trusty libraries (TIPC); Trusty driver (ipc, irq, mem, virtio)
- Trusty (secure VM): Secure Storage TA, KeyMaster TA, Gatekeeper TA, Fingerprint TA; Trusty libraries (TIPC, DRNG, crypto primitives, etc.); Little Kernel; Trusty Root Key
- Beneath both: lightweight hypervisor, firmware, x86 SoC platform (CPU with VT-x/VT-d), CSE

Android Secure Storage (SS)
[Figure: Trusty side: Secure Storage (SS) TA with TD/TP service, built-in secure file system, SS encryption key, Crypto TA, and the RPMB AuthKey derived from the TEE Root Key. Linux/Android side: TEE SS proxy client, Trusty IPC driver, RPMB driver (eMMC/UFS/NVMe), Linux FS (encrypted file on /data). Reference: Google Trusty app/storage (URL truncated in source).]
The RPMB AuthKey is protected and never leaves the TEE; it is re-derived on each boot (power cycle) rather than stored.

SS/TP: Tamper-Proof Secure Storage (TP service)
[Figure: Trusty secure file system with super blocks (FS metadata) and user data (encrypted), both inside the RPMB partition of the eMMC/UFS device (128 KB to 16 MB), guarded by the AuthKey]
1. Secure file system metadata and user data are all stored in RPMB.
2. Much higher level of protection: tamper resistant.
3. Data survives an Android factory reset (useful for storing factory-provisioned key material).
4. Size constrained: typically 2 MB, depending on the RPMB size of the eMMC/UFS/NVMe part chosen in manufacturing.

SS/TD: Tamper-Detection Secure Storage (TD service)
[Figure: Trusty secure file system whose super blocks (FS metadata) sit in the RPMB partition (128 KB to 16 MB, guarded by the AuthKey), while the user data (encrypted) sits in the Android /data partition]
1. Secure file system metadata is stored in RPMB.
2. Supports a large amount of data.
3. However, the user data (encrypted with a hardware-backed encryption key) is stored in the Android/Linux file system, in the ordinary /data partition.
4. Tamper-detection (tamper-evident) protection only: data in /data can be deleted or replayed, but this is detectable against the metadata held in RPMB.
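To make the tamper-detection property concrete, here is an added model of the TD service (example code, not Trusty's storage implementation): file bodies live in an ordinary directory standing in for /data, while a dict standing in for the RPMB-resident superblock holds a SHA-256 digest per file and a version that is bumped on every metadata update. Encryption of the bodies with the hardware-backed key is left out, and the scenario, file names and contents are constructed for the example.

```python
import hashlib
import hmac
import os
import tempfile


class TamperDetected(Exception):
    pass


class TdStorage:
    """Model of the TD service (assumed design): bodies in /data, digests in RPMB.
    Encryption of the bodies with the SSEK is omitted in this model."""

    def __init__(self, data_dir, rpmb_superblock):
        self.data_dir = data_dir
        self.sb = rpmb_superblock          # stand-in for the RPMB-resident superblock
        self.sb.setdefault("version", 0)
        self.sb.setdefault("files", {})

    def _path(self, name):
        return os.path.join(self.data_dir, name)

    def write(self, name, body):
        with open(self._path(name), "wb") as f:
            f.write(body)
        # The metadata update is the authenticated RPMB write; its write
        # counter is what makes the recorded digest monotonic.
        self.sb["files"][name] = hashlib.sha256(body).hexdigest()
        self.sb["version"] += 1

    def read(self, name):
        expected = self.sb["files"].get(name)
        if expected is None:
            raise KeyError(name)          # never written (or deleted via the superblock)
        try:
            with open(self._path(name), "rb") as f:
                body = f.read()
        except FileNotFoundError:
            raise TamperDetected(f"{name}: /data copy deleted") from None
        if not hmac.compare_digest(hashlib.sha256(body).hexdigest(), expected):
            raise TamperDetected(f"{name}: /data copy modified or rolled back")
        return body


def _probe(storage, name):
    try:
        storage.read(name)
        return "ok"
    except TamperDetected:
        return "detected"


def demo():
    """Constructed scenario: an attacker with offline access to /data (but not to
    RPMB) images a file, lets the TEE update it, then restores or deletes the old copy."""
    superblock = {}
    name = "gatekeeper.failures"
    with tempfile.TemporaryDirectory() as data_dir:
        ss = TdStorage(data_dir, superblock)
        ss.write(name, b"failures=3")
        with open(os.path.join(data_dir, name), "rb") as f:
            imaged = f.read()                        # attacker keeps the old file
        ss.write(name, b"failures=5")
        out = {"honest": ss.read(name)}
        with open(os.path.join(data_dir, name), "wb") as f:
            f.write(imaged)                          # roll the counter back
        out["rollback"] = _probe(ss, name)
        os.remove(os.path.join(data_dir, name))      # or simply delete it
        out["deleted"] = _probe(ss, name)
        ss.write(name, b"failures=5")                # TA re-provisions after detection
        out["recovered"] = ss.read(name)
        out["superblock_version"] = superblock["version"]
    return out


if __name__ == "__main__":
    print(demo())
```

The point of the model is what it cannot do: a rolled-back or deleted /data copy is detected, not prevented, and detection only holds as long as the superblock itself is replay protected, which is exactly what storing it in RPMB buys.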

Secure Storage Virtualization in ACRN* Hypervisor
(Picture source: https://en.wikipedia.org/wiki/Acorn)
*ACRN Hypervisor: https://projectacrn.org/

ACRN Hypervisor Architecture
[Figure: ACRN hypervisor (VMX, VT-d, EPT, hypercalls, VM API, virtio API, vPIC/vLAPIC/vIOAPIC/vMSI) hosting a Service OS VM (SOS: VM manager, ACRN device model with mediators, Linux kernel with native device drivers and kernel mediators) and one or more Android VMs (User OS, UOS: Android applications, Android libraries/frameworks, kernel)]
Example usage: automotive in-vehicle infotainment and/or entertainment system; multiple Android UOS VMs can run on a single SoC platform.
Note that the Service OS is a privileged VM; typically it is a closed system.

Trusty/TEE Isolation in ACRN (One-VM / Two-World)
[Figure: each Android VM (UOS) contains an Android world (non-secure, with the Trusty IPC driver) and a Trusty world (secure, with its IPC driver); world-switch requests go through the ACRN hypervisor's world-switch API, which performs the world-context switch. The Service OS VM hosts the VM manager, the ACRN device model (mediators), kernel mediators and native device drivers.]
*ACRN creates only one VM structure per UOS, but two different vCPU context areas, so that it can save/restore the two worlds' virtual CPU states on a world-switch request from either world.

Secure Storage Virtualization
[Figure: the Service OS VM runs one ACRN device model process per Android VM (UOS#1, UOS#2); each contains a vRPMB module (emulation/remap) and an RPMB back end. In each UOS the Android world holds the TEE SS proxy and the Trusty world holds the SS TA with its VrKey (VrKey#1 for UOS#1, and so on). Frames travel over virtio to the SOS, where the native RPMB driver / RPMB access module holds the physical AuthKey and accesses the physical RPMB partition (with reserved blocks per UOS) on eMMC/UFS/NVMe.]
- The SOS (Service OS) is a closed system and a privileged VM.
- The VrKey (virtual RPMB AuthKey) is generated randomly per UOS boot and securely distributed to the TEE/Trusty SS TA of that UOS.
- The vRPMB module in the SOS forwards/remaps vRPMB data frames to the physical RPMB partition. Since only the SOS holds the physical AuthKey, it must check each guest frame with that UOS's VrKey and re-authenticate it with the physical key; the guest never sees the physical key.
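The following added example (not ACRN's or Trusty's code) walks through the authenticated-write protocol from the RPMB slides and the vRPMB remap on this slide in one model. It builds JEDEC-style 512-byte RPMB frames (the MAC is HMAC-SHA256 over bytes 228..511), implements the device-side check (MAC first, then write counter), and shows a replayed frame, a tampered frame and a guest frame signed only with its VrKey being rejected, a remapped frame being accepted, and the conclusion's caveat that an SOS holding the physical key can re-sign recorded guest data. The remap behaviour, the sample keys and the data are assumptions constructed for the example.

```python
import hashlib
import hmac
import os
import struct

# RPMB data frame layout (512 bytes, JEDEC eMMC); the MAC covers bytes 228..511.
FRAME_SIZE = 512
MAC_OFF, MAC_LEN = 196, 32        # key/MAC field
DATA_OFF, DATA_LEN = 228, 256     # data field
CNT_OFF, ADDR_OFF = 500, 504      # write counter (u32), address (u16)
REQ_AUTH_WRITE = 0x0003
RESULT_OK, RESULT_AUTH_FAILURE, RESULT_COUNTER_FAILURE = 0x0000, 0x0002, 0x0003


def build_frame(data, write_counter, address, block_count=1, nonce=b"", req=REQ_AUTH_WRITE):
    """Unsigned frame: stuff bytes, empty MAC, data, nonce, counter, address, count, result, type."""
    tail = (data.ljust(DATA_LEN, b"\0") + nonce.ljust(16, b"\0")
            + struct.pack(">IHHHH", write_counter, address, block_count, 0, req))
    return bytes(MAC_OFF) + bytes(MAC_LEN) + tail


def frame_mac(key, frame):
    return hmac.new(key, frame[DATA_OFF:], hashlib.sha256).digest()


def sign_frame(key, frame):
    return frame[:MAC_OFF] + frame_mac(key, frame) + frame[MAC_OFF + MAC_LEN:]


def mac_ok(key, frame):
    return hmac.compare_digest(frame_mac(key, frame), frame[MAC_OFF:MAC_OFF + MAC_LEN])


class RpmbDevice:
    """Device side: the once-programmed AuthKey and the monotonic write counter."""

    def __init__(self, auth_key):
        self._key = auth_key
        self.write_counter = 0
        self.blocks = {}

    def auth_write(self, frame):
        assert len(frame) == FRAME_SIZE
        if not mac_ok(self._key, frame):
            return RESULT_AUTH_FAILURE            # wrong key or modified frame
        if struct.unpack(">I", frame[CNT_OFF:CNT_OFF + 4])[0] != self.write_counter:
            return RESULT_COUNTER_FAILURE         # stale counter: a replayed frame
        addr = struct.unpack(">H", frame[ADDR_OFF:ADDR_OFF + 2])[0]
        self.blocks[addr] = frame[DATA_OFF:DATA_OFF + DATA_LEN]
        self.write_counter += 1
        return RESULT_OK


def vrpmb_remap(frame, vrkey, phys_key, phys_counter, block_base):
    """SOS vRPMB module (assumed behaviour): verify the guest MAC under the per-boot
    VrKey, then rebuild the frame with the physical counter, the UOS's reserved block
    range and a MAC under the physical AuthKey."""
    if not mac_ok(vrkey, frame):
        return None
    addr = struct.unpack(">H", frame[ADDR_OFF:ADDR_OFF + 2])[0]
    remapped = (frame[:CNT_OFF] + struct.pack(">IH", phys_counter, block_base + addr)
                + frame[ADDR_OFF + 2:])
    return sign_frame(phys_key, remapped)


def demo():
    auth_key = hashlib.sha256(b"constructed physical AuthKey").digest()   # constructed
    dev = RpmbDevice(auth_key)
    r = {}
    # Native Android: the TEE signs with the physical AuthKey.
    f = sign_frame(auth_key, build_frame(b"unlock-failures=3", dev.write_counter, 0x0010))
    r["first_write"] = dev.auth_write(f)
    r["replay"] = dev.auth_write(f)                       # same frame again: counter is stale
    tampered = f[:DATA_OFF] + b"unlock-failures=0".ljust(DATA_LEN, b"\0") + f[DATA_OFF + DATA_LEN:]
    r["tampered"] = dev.auth_write(tampered)              # MAC no longer matches
    # Virtual Android on ACRN: the guest holds only VrKey; the SOS re-authenticates.
    vrkey = os.urandom(32)
    guest = sign_frame(vrkey, build_frame(b"guest-superblock", 0, 0x0000))
    r["guest_direct"] = dev.auth_write(guest)             # VrKey is not the device key
    remapped = vrpmb_remap(guest, vrkey, auth_key, dev.write_counter, 0x0100)
    r["guest_remapped"] = dev.auth_write(remapped)
    guest2 = sign_frame(vrkey, build_frame(b"guest-superblock v2", 1, 0x0000))
    r["guest_update"] = dev.auth_write(vrpmb_remap(guest2, vrkey, auth_key, dev.write_counter, 0x0100))
    # Conclusion's caveat: an SOS that holds the physical key can re-sign recorded
    # guest data with the current counter, and the device accepts the rollback.
    recorded = remapped[DATA_OFF:DATA_OFF + DATA_LEN]
    r["sos_replay"] = dev.auth_write(sign_frame(auth_key, build_frame(recorded, dev.write_counter, 0x0100)))
    r["block_after"] = dev.blocks[0x0100].rstrip(b"\0")
    r["phys_counter"] = dev.write_counter
    r["blocks"] = sorted(dev.blocks)
    return r


if __name__ == "__main__":
    print(demo())
```

Note the order of checks in auth_write: the MAC is verified before the counter, so a frame with a bad MAC is never able to learn the current counter value from the result code, and the write counter advances only on a fully accepted write.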

Secure Storage Virtualization: Confidentiality
Problem: how to ensure secure storage data confidentiality for each TEE/Trusty instance per UOS, given that all instances share one physical RPMB partition and every frame passes through the SOS?
[Figure: Android VM (UOS#1): Android world with the TEE SS proxy and the RPMB front end (virtio-rpmb); Trusty world with the SS TA, VrKey#1 and the SSEK]
Hence: how to generate a Secure Storage Encryption Key (SSEK) for each TEE/Trusty?

ACRN Hypervisor SEED/SSEK Derivation
[Figure: the firmware (root of trust) holds the pSEED; the ACRN hypervisor derives a vSEED per UOS with a KDF over the pSEED and the UOS UUID (UUID#1, UUID#2 from the UOS configuration); each Trusty world receives its vSEED and its SS TA derives the SSEK from it. The SOS runs one device model process per UOS plus the native device drivers.]
- The RoT firmware generates a platform SEED (pSEED, unique per platform, 256 bits).
- The hypervisor gets the pSEED, derives a VM SEED (vSEED) for each Trusty/TEE in a UOS (KDF over the pSEED and the UOS UUID), and sends it to the associated Trusty/TEE guest instance.
- The SS TA derives the SSEK from its vSEED. The SOS never receives the pSEED, a vSEED or an SSEK, so it sees only ciphertext in the frames it forwards.
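An added example of the derivation chain on this slide (not ACRN's or Trusty's code): pSEED to per-UOS vSEED to SSEK, plus the RPMB AuthKey derivation from the backup slide (tied to the hardware unique key and the storage serial number). The deck only says "KDF"; HKDF with HMAC-SHA256, the labels used as salt/info, and the sample seeds, UUIDs and serial numbers are assumptions constructed for the example. The demo checks the properties that matter: the vSEED is stable across boots so stored data stays readable, differs per UOS and per platform, and the AuthKey changes when the flash part changes.

```python
import hashlib
import hmac
import uuid


def hkdf_sha256(ikm, salt, info, length=32):
    """HKDF (RFC 5869) extract-then-expand with HMAC-SHA256. The deck does not name
    the KDF; this construction is an assumption of the example."""
    prk = hmac.new(salt, ikm, hashlib.sha256).digest()
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]


def derive_vseed(pseed, uos_uuid):
    """Hypervisor: one vSEED per UOS, keyed on the platform seed and the UOS UUID."""
    return hkdf_sha256(pseed, salt=b"ACRN-vSEED", info=uos_uuid.bytes)


def derive_ssek(vseed):
    """SS TA inside the Trusty world: secure storage encryption key from its vSEED."""
    return hkdf_sha256(vseed, salt=b"Trusty-SS", info=b"SSEK")


def derive_rpmb_authkey(huk, storage_serial):
    """Backup slide: RPMB AuthKey tied to the HUK and the flash serial number, so a
    swapped-in storage part does not share the key of the original."""
    return hkdf_sha256(huk, salt=b"RPMB-AuthKey", info=storage_serial)


def demo():
    pseed = hashlib.sha256(b"constructed pSEED, platform A").digest()      # 256-bit, per platform
    other = hashlib.sha256(b"constructed pSEED, platform B").digest()
    uuid1 = uuid.UUID("00000000-0000-0000-0000-000000000001")             # constructed UOS UUIDs
    uuid2 = uuid.UUID("00000000-0000-0000-0000-000000000002")
    huk = hashlib.sha256(b"constructed HUK").digest()
    v1, v2 = derive_vseed(pseed, uuid1), derive_vseed(pseed, uuid2)
    return {
        "stable_across_boots": derive_vseed(pseed, uuid1) == v1,  # same inputs, same key
        "isolated_per_uos": v1 != v2,                              # UOS#2 cannot get UOS#1's SSEK
        "bound_to_platform": derive_vseed(other, uuid1) != v1,
        "ssek_len": len(derive_ssek(v1)),
        "authkey_follows_storage": derive_rpmb_authkey(huk, b"SN-0001") != derive_rpmb_authkey(huk, b"SN-0002"),
    }


if __name__ == "__main__":
    print(demo())
```

Because the vSEED is a pure function of pSEED and the UOS UUID, the same UOS gets the same SSEK at every boot without anything key-like being written to RPMB; the flip side is that a UUID collision between two UOS configurations would give them the same key, so the UUIDs must be unique per VM.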

Conclusion and Future Considerations

Conclusion
1. Both tamper-resistant and tamper-evident secure storage can be implemented in native Android and in multiple virtual Android VMs on the ACRN hypervisor.
2. Both data integrity and confidentiality protection can be achieved.
3. Replay protection can be achieved for native Android, but for virtual Android on the ACRN hypervisor it relies on the integrity of the Service OS (SOS):
   1. The SOS is implemented as a closed system and has no knowledge of the secure-data encryption key of any virtual Android/Trusty, but
   2. the SOS does hold the actual physical RPMB key, so a compromised SOS could record a UOS's data and replay it later.
4. The entire solution depends on an intact chain of trust (e.g. verified boot).

Future Considerations
1. Enhance security with a dedicated RPMB partition per VM/UOS:
   - The latest UFS (v3.0) supports 4 RPMB partitions with 4 different RPMB AuthKeys.
   - NVMe storage supports multiple RPMB partitions as well.
2. Service OS (SOS) application / data integrity protection (e.g. dm-verity):
   - Refer to the ACRN security HLD (URL truncated in source: .../security-hld.html).

Questions?

References
- Google/Android documentation (URL truncated in source: ...hl=en-us)
- Google Trusty secure storage (URL truncated in source: .../app/storage/)
- eMMC specification, latest (URL truncated in source)
- UFS specification, latest (URL truncated in source: .../flash/universal-flash-storage-ufs)
- NVMe specifications (URL truncated in source)
- ACRN: github.com/projectacrn

Backup Slides

RPMB Key Generation and Programming
RPMB key generation requirements:
1. The key is tied to the hardware unique key (HUK).
2. The key is also bound to the eMMC/UFS/NVMe flash storage serial number.
RPMB key programming:
1. Typically the firmware is responsible for programming the RPMB key (in cleartext) into the RPMB controller through the RPMB key-programming interface.
2. This is done once in the factory, or right after an eMMC/UFS/NVMe replacement if applicable.
3. The key cannot be changed once it has been programmed successfully (OTP fused).

