# Hardware trust

Reliable trust in a device's hardware is the basis of a growing set of features,
for example remote key provisioning.

## `libhwtrust`

The library for handling, inspecting and validating data related to the hardware
root-of-trust and the features that rely on it is `libhwtrust`.

## `hwtrust`

There is a command-line utility that provides easy access to the logic in
`libhwtrust` called `hwtrust`.

Build it as part of Android with `m hwtrust` and run `hwtrust --help` to see a
list of its functions.

Alternatively, use Cargo by running `cargo run -- --help` in this directory to
build and run the utility. If the Cargo build has errors, please help to keep it
working by sending fixes or reporting the problem. Building as part of Android
should always work as a fallback.

### Verifying DICE chains

`hwtrust` can be used to validate that a DICE chain is well-formed and check
that the signatures verify correctly. To do so, place the CBOR-encoded DICE
chain in a file, e.g. `chain.bin`, then call the tool.

```shell
hwtrust dice-chain chain.bin
```

The exit code is zero if the chain passed verification and non-zero otherwise.

### Verifying Factory Certificate Signing Requests

The `rkp_factory_extraction_tool` is used in the manufacturing process to capture
a "CSR" that contains a full DICE chain and other device properties. The `factory-csr`
subcommand parses and validates the output of `rkp_factory_extraction_tool`.

```shell
hwtrust factory-csr csr.json
```
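
A fail-closed batch gate built on the exit-code contract described above, as an added example that is not part of the `hwtrust` project. The `HWTRUST` variable and the `verify_one`/`verify_all` helpers are hypothetical names, and the script assumes `factory-csr` reports failure with a non-zero exit code the same way `dice-chain` is documented to.

```shell
#!/usr/bin/env bash
# Added example (not project code): fail-closed batch gate around `hwtrust`.
# Assumption: HWTRUST names the binary to run (defaults to `hwtrust` on PATH).
HWTRUST="${HWTRUST:-hwtrust}"

# verify_one SUBCOMMAND FILE
# Returns 0 only if FILE exists, is non-empty, and hwtrust exits with 0.
verify_one() {
    local subcmd="$1" file="$2"
    case "$subcmd" in
        dice-chain|factory-csr) ;;   # the two subcommands named in this README
        *) echo "unsupported subcommand: $subcmd" >&2; return 2 ;;
    esac
    # An empty or missing capture must never be counted as a pass.
    if [ ! -s "$file" ]; then
        echo "REJECT $file: missing or empty" >&2
        return 1
    fi
    # Assumption: factory-csr uses the same zero/non-zero convention that
    # the README documents for dice-chain.
    if "$HWTRUST" "$subcmd" "$file" >/dev/null; then
        echo "OK     $file"
    else
        echo "REJECT $file: hwtrust $subcmd exited non-zero" >&2
        return 1
    fi
}

# verify_all SUBCOMMAND FILE...
# Checks every file (no early exit, so the log lists all rejects) and
# returns non-zero if any file failed or if no files were given.
verify_all() {
    local subcmd="$1" failed=0 f
    shift
    if [ "$#" -eq 0 ]; then
        echo "no input files: refusing to report success" >&2
        return 1
    fi
    for f in "$@"; do
        verify_one "$subcmd" "$f" || failed=$((failed + 1))
    done
    [ "$failed" -eq 0 ]
}
```

Source the file and call, for example, `verify_all dice-chain chains/*.bin`; an unmatched glob is passed through literally and rejected as a missing file instead of passing silently.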