[MTK] [TEE] keymaster attestation key install
MediaTek 2022-01-12
[DESCRIPTION]
Google requires that an attestation key be provisioned into Keymaster before Keymaster can be used normally.
[SOLUTION]
- How to write attestation key into Persist partition?
device/mediateksample/$project/ProjectConfig.mk
MTK_PERSIST_PARTITION_SUPPORT = yes
- How to write attestation key into RPMB?
If KEYMASTER_VERSION = 4.0/4.1:
Set KEYMASTER_RPMB=yes in /vendor/mediatek/proprietary/trustzone/custom/build/project/mtxxxx.mk
If KEYMASTER_VERSION = 5.0:
vendor/mediatek/proprietary/trustzone/custom/build/project/xxxx.mk
KEYMASTER_RPMB=yes
device/mediatek/vendor/mgvi_64_armv82/VendorConfig.mk
KEYMASTER_RPMB=yes
For both of the methods below, the attestation key as originally obtained must first be encrypted. The encryption tool is keybox_exe_xxx in the SN_Writer tool package; encrypt the original attestation key following the DCC document "DRM_Key_Install_Introduction.pdf".
In the example below, kb_0000000001.bin is the key file after encryption.
1) SP META tool -> Attestation Key Install Tool
Use LoadKeyFile to select the encrypted key and click Install. "AttestationKey install OK" indicates the write succeeded.
2) Writing via a CA (client application)
2.1) Build /vendor/mediatek/proprietary/hardware/libkmsetkey/ to produce kmsetkey_ca
2.2) Run the following commands to write the attestation key
adb root
adb push kb_0000000001.bin /data/
adb push kmsetkey_ca /data/
adb shell "chmod a+x /data/kmsetkey_ca"
adb shell "/data/kmsetkey_ca -i /data/kb_0000000001.bin"
adb shell sync
2.3) After writing, check whether /mnt/vendor/persist/attest_keybox.so exists
How to check whether the attestation key was written successfully?
If the attestation key is written to the persist partition, it can be checked as follows:
1) Immediately after writing, check whether /mnt/vendor/persist/attest_keybox.so exists
2) After rebooting the phone, check again whether /mnt/vendor/persist/attest_keybox.so exists
3) If the file exists when checked right after writing but disappears after a reboot:
3.1) Check whether persist falls within the power-on write-protect range
/vendor/mediatek/proprietary/bootable/bootloader/lk/platform/mt6xxx/write_protect.c
void set_write_protect(void)
/* group 3 */
// By default the protected range runs from sec1 to system or super (depending on whether a system partition exists)
Cross-check this against the location of each partition in /vendor/mediatek/proprietary/tools/ptgen/MT67xx/partition_tablexxxx
3.2) Is the persist partition enabled?
MTK_PERSIST_PARTITION_SUPPORT = yes in ProjectConfig.mk
3.3) Is the persist partition mounted?
fstab.in.mt67xx
#ifdef __PERSIST_PARTITION_SUPPORT
DEVPATH(persist) /mnt/vendor/persist ext4 FS_FLAG_COMMIT FSMGR_FLAG_FMT
#endif
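The CA write path from step 2.2 and the reboot persistence check above, combined into one script as an added example (not part of the MediaTek FAQ). It assumes adb is on PATH, the device accepts `adb root`, and kb_0000000001.bin and kmsetkey_ca are in the current directory; the boot-wait loop on sys.boot_completed and the RUN_KEYBOX_INSTALL guard are this example's own additions.

```shell
#!/bin/sh
# Added example: write the encrypted keybox with kmsetkey_ca, then verify that
# /mnt/vendor/persist/attest_keybox.so is present both right after the write
# and after a reboot, mapping the outcome to the FAQ's 3.1/3.2/3.3 diagnosis.
KEYBOX_BIN=kb_0000000001.bin
KEYBOX_DEV=/mnt/vendor/persist/attest_keybox.so

# Print "yes" or "no" depending on whether the keybox file exists on the device.
keybox_present() {
    if adb shell "test -f $KEYBOX_DEV" >/dev/null 2>&1; then echo yes; else echo no; fi
}

# Map (present right after write, present after reboot) to the FAQ's diagnosis.
classify_persist() {
    case "$1,$2" in
        yes,yes) echo "ok: attestation key persisted across reboot" ;;
        yes,no)  echo "lost on reboot: check write_protect.c group range (3.1), MTK_PERSIST_PARTITION_SUPPORT (3.2) and the persist fstab entry (3.3)" ;;
        no,*)    echo "not written: check kmsetkey_ca output and that persist is mounted" ;;
    esac
}

# Push the tool and encrypted keybox, install, then check before and after a reboot.
install_and_verify() {
    adb root
    adb push "$KEYBOX_BIN" /data/
    adb push kmsetkey_ca /data/
    adb shell "chmod a+x /data/kmsetkey_ca"
    adb shell "/data/kmsetkey_ca -i /data/$KEYBOX_BIN"
    adb shell sync
    before=$(keybox_present)
    adb reboot
    adb wait-for-device
    # Wait for full boot so /mnt/vendor/persist has been mounted by init (assumed check).
    adb shell 'while [ "$(getprop sys.boot_completed)" != "1" ]; do sleep 1; done'
    adb root
    after=$(keybox_present)
    classify_persist "$before" "$after"
}

# Only touch a device when explicitly asked, so the file can be sourced safely.
if [ "${RUN_KEYBOX_INSTALL:-0}" = "1" ]; then
    install_and_verify
fi
```

Run with `RUN_KEYBOX_INSTALL=1 sh install_keybox.sh`; a "lost on reboot" result points at the write-protect, partition-support or fstab checks in 3.1 to 3.3.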