1# Remote Provisioning HAL 2 3## Objective 4 5Design a HAL to support over-the-air provisioning of certificates for asymmetric 6keys. The HAL must interact effectively with Keystore (and other services) and 7protect device privacy and security. 8 9Note that this API was originally designed for KeyMint, with the intention that 10it should be usable for other HALs that require certificate provisioning. 11Throughout this document we'll refer to the Keystore and KeyMint (formerly 12called Keymaster) components, but only for concreteness and convenience; those 13labels could be replaced with the names of any system and secure area 14components, respectively, that need certificates provisioned. 15 16## Key design decisions 17 18### General approach 19 20To more securely and reliably get keys and certificates to Android devices, we 21need to create a system where no party outside of the device's secure components 22is responsible for managing private keys. The strategy we've chosen is to 23deliver certificates over the air, using an asymmetric key pair derived from a 24unique device secret (UDS) as a root of trust for authenticated requests from 25the secure components. We refer to the public half of this asymmetric key pair 26as UDS\_pub. 27 28In order for the provisioning service to trust UDS\_pub we ask device OEMs to 29use one of two mechanisms: 30 311. (Preferred, recommended) The device OEM extracts the UDS\_pub from each 32 device they manufacture and uploads the public keys to a backend server. 33 341. The device OEM certifies the UDS\_pub using an x.509 certificate chain 35 then stores the chain on the device rather than uploading a UDS\_pub for 36 every device immediately. However, there are many disadvantages and costs 37 associated with this option as the OEM will need to pass a security audit 38 of their factory's physical security, CA and HSM configuration, and 39 incident response processes before the OEM's public key is registered with 40 the provisioning server. 41 42Note that in the full elaboration of this plan, UDS\_pub is not the key used to 43sign certificate requests. Instead, UDS\_pub is just the first public key in a 44chain of public keys that end the KeyMint public key. All keys in the chain are 45transitively derived from the UDS and joined in a certificate chain following 46the specification of the [Android Profile for DICE](android-profile-for-dice). 47 48[android-profile-for-dice]: https://pigweed.googlesource.com/open-dice/+/refs/heads/main/docs/android.md 49 50### Phases 51 52RKP will be deployed with phased management of the root of trust 53binding between the device and the backend. To briefly describe them: 54 55* Degenerate DICE (Phase 1): A TEE root of trust key pair is used to sign 56 certificate requests; a single self-signed certificate signifies this phase. 57* DICE (Phase 2): A hardware root of trust key pair is only accessible to ROM 58 or ROM extension code; the boot process follows the [Android Profile for 59 DICE](android-profile-for-dice). 60* SoC vendor certified DICE (Phase 3): This is identical to Phase 2, except the 61 SoC vendor also does the UDS\_pub extraction or certification in their 62 facilities, along with the OEM doing it in the factory. This tightens up the 63 "supply chain" and aims to make key upload management more secure. 64 65### Privacy considerations 66 67Because the UDS, CDIs and derived values are unique, immutable, unspoofable 68hardware-bound identifiers for the device, we must limit access to them. We 69require that the values are never exposed in public APIs and are only available 70to the minimum set of system components that require access to them to function 71correctly. 72 73### Key and cryptographic message formatting 74 75For simplicity of generation and parsing, compactness of wire representation, 76and flexibility and standardization, we've settled on using the CBOR Object 77Signing and Encryption (COSE) standard, defined in [RFC 788152](https://tools.ietf.org/html/rfc8152). COSE provides compact and reasonably 79simple, yet easily-extensible, wire formats for: 80 81* Keys, 82* MACed messages, 83* Signed messages, and 84* Encrypted messages 85 86COSE enables easy layering of these message formats, such as using a COSE\_Sign 87structure to contain a COSE\_Key with a public key in it. We call this a 88"certificate". 89 90Due to the complexity of the standard, we'll spell out the COSE structures 91completely in this document and in the HAL and other documentation, so that 92although implementors will need to understand CBOR and the CBOR Data Definition 93Language ([CDDL, defined in RFC 8610](https://tools.ietf.org/html/rfc8610)), 94they shouldn't need to understand COSE. 95 96Note, however, that the certificate chains returned from the provisioning server 97are standard X.509 certificates. 98 99### Algorithm choices 100 101This document uses: 102 103* ECDSA P-256 for attestation signing keys; 104* Remote provisioning protocol signing keys: 105 * Ed25519 / P-256 / P-384 106* ECDH keys: 107 * X25519 / P-256 108* AES-GCM for all encryption; 109* SHA-256 / SHA-384 / SHA-512 for message digesting; 110* HMAC with a supported message digest for all MACing; and 111* HKDF with a supported message digest for all key derivation. 112 113We believe that Curve25519 offers the best tradeoff in terms of security, 114efficiency and global trustworthiness, and that it is now sufficiently 115widely-used and widely-implemented to make it a practical choice. 116 117However, since hardware such as Secure Elements (SE) do not currently offer 118support for curve 25519, we are allowing implementations to instead make use of 119ECDSA and ECDH. 120 121The CDDL in the rest of the document will use the '/' operator to show areas 122where either curve 25519, P-256 or P-384 may be used. Since there is no easy way 123to bind choices across different CDDL groups, it is important that the 124implementor stays consistent in which type is chosen. E.g. taking ES256 as the 125choice for algorithm implies the implementor should also choose the P256 public 126key group further down in the COSE structure. 127 128## UDS certificates 129 130As noted in the section [General approach](#general-approach), the UDS\_pub may 131be authenticated by an OEM using an x.509 certificate chain. Additionally, 132[RKP Phase 3](#phases) depends on the chip vendor signing the UDS\_pub and 133issuing an x.509 certificate chain. This section describes the requirements for 134both the signing keys and the resulting certificate chain. 135 136### X.509 Certificates 137 138X.509v3 public key certificates are the only supported mechanism for 139authenticating a UDS\_pub. Certificates must be formatted according to 140[RFC 5280](https://datatracker.ietf.org/doc/html/rfc5280), and certificate 141chains must satisfy the certificate path validation described in the RFC. RFC 1425280 covers most requirements for the chain, but this specification has some 143additional requirements that must be met for the certificates: 144 145* [`BasicConstraints`](https://datatracker.ietf.org/doc/html/rfc5280#section-4.2.1.9) 146 * All CA certificates must include this as a critical extension. 147 * `pathLenConstraint` must be set correctly in each CA certificate to 148 limit the maximum chain length. 149 * `cA` must be set to true for all certificates except the leaf 150 certificate. 151 * `BasicConstraints` must be absent for the leaf/UDS certificate. 152 * Consider the chain `root -> intermediate -> UDS_pub`. In such a chain, 153 `BasicConstraints` must be: 154 * `{ cA: TRUE, pathLenConstraint: 1}` for the root certificate 155 * `{ cA: TRUE, pathLenConstraint: 0}` for the intermediate certificate 156 * Absent for the UDS certificate 157* [`KeyUsage`](https://datatracker.ietf.org/doc/html/rfc5280#section-4.2.1.3) 158 * All certificates in a UDS certificate chain must include this as a 159 critical extension. 160 * CA certificates must set `KeyUsage` to only `keyCertSign`. 161 * The UDS certificate must set `KeyUsage` to only `digitalSignature`. 162 163### Supported Algorithms 164 165UDS certificates must be signed using one of the following allowed algorithms: 166 167* `ecdsa-with-SHA256` 168 ([RFC 5758](https://www.rfc-editor.org/rfc/rfc5758#section-3.2)) 169 * Note: this algorithm is only usable with ECDSA P-256 keys 170* `ecdsa-with-SHA384` 171 ([RFC 5758](https://www.rfc-editor.org/rfc/rfc5758#section-3.2)) 172 * Note: this algorithm is only usable with ECDSA P-384 keys 173* `id-Ed25519` ([RFC 8410](https://www.rfc-editor.org/rfc/rfc8410#section-3)) 174 175## Design 176 177### Certificate provisioning flow 178 179TODO(jbires): Replace this with a `.png` containing a sequence diagram. The 180provisioning flow looks something like this: 181 182rkpd -> KeyMint: generateKeyPair 183KeyMint -> KeyMint: Generate key pair 184KeyMint --> rkpd: key\_blob,pubkey 185rkpd -> rkpd: Store key\_blob,pubkey 186rkpd -> Server: Get challenge 187Server --> rkpd: challenge 188rkpd -> KeyMint: genCertReq(pubkeys, challenge) 189KeyMint -> KeyMint: Sign CSR 190KeyMint --> rkpd: signed CSR 191rkpd --> Server: CSR 192Server -> Server: Validate CSR 193Server -> Server: Generate certificates 194Server --> rkpd: certificates 195rkpd -> rkpd: Store certificates 196 197The actors in the above diagram are: 198 199* **Server** is the backend certificate provisioning server. It has access to 200 the uploaded device public keys and is responsible for providing encryption 201 keys, decrypting and validating requests, and generating certificates in 202 response to requests. 203* **rkpd** is, optionally, a modular system component that is responsible for 204 communicating with the server and all of the system components that require 205 key certificates from the server. It also implements the policy that defines 206 how many key pairs each client should keep in their pool. When a system 207 ships with rkpd as a modular component, it may be updated independently from 208 the rest of the system. 209* **Keystore** is the [Android keystore 210 daemon](https://developer.android.com/training/articles/keystore) (or, more 211 generally, whatever system component manages communications with a 212 particular secure aread component). 213* **KeyMint** is the secure area component that manages cryptographic keys and 214 performs attestations (or perhaps some other secure area component). 215 216### HAL 217 218The remote provisioning HAL provides a simple interface that can be implemented 219by multiple secure components that require remote provisioning. It would be 220slightly simpler to extend the KeyMint API, but that approach would only serve 221the needs of KeyMint, this is more general. 222 223NOTE the data structures defined in this HAL may look a little bloated and 224complex. This is because the COSE data structures are fully spelled-out; we 225could make it much more compact by not re-specifying the standardized elements 226and instead just referencing the standard, but it seems better to fully specify 227them. If the apparent complexity seems daunting, consider what the same would 228look like if traditional ASN.1 DER-based structures from X.509 and related 229standards were used and also fully elaborated. 230 231Please see the related HAL documentation directly in the source code at the 232following links: 233 234* [IRemotelyProvisionedComponent 235 HAL](https://cs.android.com/android/platform/superproject/+/master:hardware/interfaces/security/rkp/aidl/android/hardware/security/keymint/IRemotelyProvisionedComponent.aidl) 236* [ProtectedData](https://cs.android.com/android/platform/superproject/+/master:hardware/interfaces/security/rkp/aidl/android/hardware/security/keymint/ProtectedData.aidl) 237* [MacedPublicKey](https://cs.android.com/android/platform/superproject/+/master:hardware/interfaces/security/rkp/aidl/android/hardware/security/keymint/MacedPublicKey.aidl) 238* [RpcHardwareInfo](https://cs.android.com/android/platform/superproject/+/master:hardware/interfaces/security/rkp/aidl/android/hardware/security/keymint/RpcHardwareInfo.aidl) 239* [DeviceInfo](https://cs.android.com/android/platform/superproject/+/master:hardware/interfaces/security/rkp/aidl/android/hardware/security/keymint/DeviceInfo.aidl) 240 241### Support for Android Virtualization Framework 242 243The Android Virtualization Framwork (AVF) relies on RKP to provision keys for VMs. A 244privileged vm, the RKP VM, is reponsible for generating and managing the keys for client 245VMs that run virtualized workloads. See the following for more background information on the 246RKP VM: 247* [rkp-vm](https://android.googlesource.com/platform/packages/modules/Virtualization/+/main/service_vm/README.md#rkp-vm-remote-key-provisioning-virtual-machine) 248* [rkp-service](https://source.android.com/docs/core/ota/modular-system/remote-key-provisioning#stack-architecture) 249 250It is important to distinquish the RKP VM from other components, such as KeyMint. An 251[RKP VM marker](https://pigweed.googlesource.com/open-dice/+/HEAD/docs/android.md#configuration-descriptor) 252(key `-70006`) is used for this purpose. The existence or absence of this marker is used to 253identify the type of component decribed by a given DICE chain. 254 255The following describes which certificate types may be request based on the RKP VM marker: 2561. "rkp-vm": If a DICE chain has zero or more certificates without the RKP VM 257 marker followed by one or more certificates with the marker, then that chain 258 describes an RKP VM. If there are further certificates without the RKP VM 259 marker, then the chain does not describe an RKP VM. 260 261 Implementations must include the first RKP VM marker as early as possible 262 after the point of divergence between TEE and non-TEE components in the DICE 263 chain, prior to loading the Android Bootloader (ABL). 2642. "widevine" or "keymint": If there are no certificates with the RKP VM 265 marker then it describes a TEE component. 2663. None: Any component described by a DICE chain that does not match the above 267 two categories. 268