[MTK] [TEE] keymaster attestation key install

文摘 MediaTek 2022-01-12 阅读:14382

[DESCRIPTION]

google规定Keymaster需要写入attestation key才可以正常使用

[SOLUTION]

- How to write attestation key into Persist partition?

device/mediateksample/$project/ProjectConfig.mk
MTK_PERSIST_PARTITION_SUPPORT = yes

- How to write attestation key into RPMB?

if KEYMASTER_VERSION =4.0/4.1
在/vendor/mediatek/proprietary/trustzone/custom/build/project/mtxxxx.mk设置KEYMASTER_RPMB=yes

if KEYMASTER_VERSION =5.0
vendor/mediatek/proprietary/trustzone/custom/build/project/xxxx.mk
KEYMASTER_RPMB=yes

device/mediatek/vendor/mgvi_64_armv82/VendorConfig.mk
KEYMASTER_RPMB=yes

下面这两种方式写attestation key,均需要将原始申请到的attestation进行加密处理。加密处理的工具在SN_Writer工具包下keybox_exe_xxx,根据DCC文档《DRM_Key_Install_Introduction.pdf》将原始attestation Key进行加密处理。

下面例子中的kb_0000000001.bin是经过加密处理后的key文件

1)SP META tool->Attestation Key Install Tool

LoadKeyFile选择经过加密的key,点击install。显示AttestationKey install OK代表写入成功

1.png

2)CA方式写入

2.1)编译/vendor/mediatek/proprietary/hardware/libkmsetkey/路径,生成kmsetkey_ca

2.2)执行下面指令写attestation key

adb root
adb push kb_0000000001.bin /data/
adb push kmsetkey_ca /data/
adb shell "chmod a+x /data/kmsetkey_ca"
adb shell "/data/kmsetkey_ca -i /data/kb_0000000001.bin"
adb shell sync

2.3)写完后可以检查/mnt/vendor/persist/attest_keybox.so是否存在

如何检查attestation key是否有成功写入?

如果将attestation key写入到persist分区,可以用下面方法检查:

1)写完后即刻检查/mnt/vendor/persist/attest_keybox.so是否存在

2)手机重启后再看下/mnt/vendor/persist/attest_keybox.so是否存在

3)如果手机写完当此检查存在,手机重启后消失

3.1)查看下persist是否有设置到power on write protect保护范围内

/vendor/mediatek/proprietary/bootable/bootloader/lk/platform/mt6xxx/write_protect.c
void set_write_protect(void)
/ group 3 /
//默认设置的是sec1到system或者super(取决于是否有system分区)
搭配/vendor/mediatek/proprietary/tools/ptgen/MT67xx/partition_tablexxxx中各分区的位置

3.2)是否有打开persist分区?

ProjectConfig.mk 中 MTK_PERSIST_PARTITION_SUPPORT = yes

3.3)是否有mount persist分区?

         fstab.in.mt67xx
   #ifdef __PERSIST_PARTITION_SUPPORT
     DEVPATH(persist) /mnt/vendor/persist ext4 FS_FLAG_COMMIT FSMGR_FLAG_FMT
   #endif

How to config keymaster attestation key?

1.[Android P] Keymaster.pdf
2.1 If customer has the keymaster source code , please refer to

2.png

2.2 If customer has no keymaster source code ,Please refer to

3.png

0条评论

© 2024 芯缘异码. Powered by Typecho