Android Basics - Google Keybox

What is a Keybox

A keybox, also known as a Google attestation key, is the means by which Google manages and keeps count of devices running the GMS suite. Concretely it is a bundle of attestation private keys (one RSA, one ECC) with certificate chains issued under Google's hardware attestation root; the Keymaster TA uses them to sign the key attestation certificates that let apps and services verify that a key was generated in hardware-backed keystore.

Typically we apply to Google for keyboxes and, based on the expected shipment volume, provide Google with the following information:

1. fingerprint (the device's build fingerprint)

2. device id list

For example, suppose I expect to produce 1KK (1,000K) devices and sell them in Europe and the US. Then I need to apply for keyboxes for 10 device IDs: because the keybox of a single device ID can be produced and installed on 100K devices, we need 10 such device IDs. Logically, why would one type of device need different device IDs? This is indeed a point worth understanding; I will open a Google case later and ask.

Keybox contents

The Device ID here corresponds to the DeviceID field in the keybox, which is usually just the name of the corresponding key. Let's take a quick look at the contents of a keybox I recently applied for, with brief annotations.

At present a single Device ID allows the same keybox to be installed on 100K devices, so n Device IDs cover n*100K devices.

Keybox installation

KmInstallKeybox

What we use is the command-line tool bundled with the QC (Qualcomm) code: KmInstallKeybox.

In general, the installation steps are as follows:

  1. adb root
  2. adb push keybox.xml /data/
  3. adb shell LD_LIBRARY_PATH=/vendor/lib64/hw KmInstallKeybox /data/keybox.xml DeviceID false

This is the argc == 4 form of the tool (argv[0] through argv[3]): the keybox file, the Device ID, and whether to provision the device identifiers (brand, device, product, serial number, IMEI, MEID, model, manufacturer) into the Keymaster TA along with the keys. DeviceID must be the DeviceID of the keybox being installed, and adb root only works on userdebug/eng builds. An optional fifth argument, rkp, makes the tool provision only the device IDs. Two caveats: keybox.xml contains the attestation private keys in the clear, so delete it from /data once the tool reports success; and once the TA records 'Provisioning Success', the keys and device IDs cannot be re-provisioned unless the RMA devcfg override described in the tool's usage text is enabled.
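A pre-flight check for a keybox.xml together with the adb sequence above expressed as argv lists, added here as an example for both the Keybox contents section and the installation steps; it is neither the post's own code nor Qualcomm's KmInstallKeybox. The <AndroidAttestation> / <Keybox DeviceID=...> / <Key algorithm=...> layout it parses is the commonly used keybox.xml format; taking it as the layout of the post's keybox (whose screenshot is not reproduced here) is an assumption, and the sample keybox embedded in the script is constructed with placeholder DER bytes, not real keys or certificates.

```python
import base64
import xml.etree.ElementTree as ET


def _check_pem(pem, label_suffix):
    """Check one PEM block: matching BEGIN/END labels and a DER SEQUENCE body."""
    lines = [ln.strip() for ln in pem.strip().splitlines() if ln.strip()]
    if (len(lines) < 3 or not lines[0].startswith("-----BEGIN ")
            or not lines[-1].startswith("-----END ")):
        raise ValueError("malformed PEM block")
    label = lines[0][len("-----BEGIN "):-len("-----")]
    if not label.endswith(label_suffix) or lines[-1] != f"-----END {label}-----":
        raise ValueError(f"PEM label mismatch: {lines[0]} / {lines[-1]}")
    der = base64.b64decode("".join(lines[1:-1]), validate=True)
    # X.509 certificates, PKCS#8, SEC1 and PKCS#1 keys all encode as a DER SEQUENCE.
    if not der or der[0] != 0x30:
        raise ValueError("PEM body is not a DER SEQUENCE")


def check_keybox(xml_text, expected_device_id):
    """Validate keybox.xml before pushing it; returns {DeviceID: {algorithm: chain length}}
    or raises ValueError on the first inconsistency."""
    root = ET.fromstring(xml_text)
    if root.tag != "AndroidAttestation":
        raise ValueError(f"unexpected root element <{root.tag}>")
    keyboxes = root.findall("Keybox")
    declared = int(root.findtext("NumberOfKeyboxes", "0"))
    if declared != len(keyboxes):
        raise ValueError(f"NumberOfKeyboxes={declared} but {len(keyboxes)} <Keybox> present")
    summary = {}
    for kb in keyboxes:
        device_id = kb.get("DeviceID")
        # KmInstallKeybox takes the Device_ID on its command line; it must match the file.
        if device_id != expected_device_id:
            raise ValueError(f"DeviceID {device_id!r} != argument {expected_device_id!r}")
        algs = {}
        for key in kb.findall("Key"):
            alg = key.get("algorithm")
            _check_pem(key.findtext("PrivateKey", ""), "PRIVATE KEY")
            chain = key.find("CertificateChain")
            certs = chain.findall("Certificate") if chain is not None else []
            n = int(chain.findtext("NumberOfCertificates", "0")) if chain is not None else -1
            if n != len(certs):
                raise ValueError(f"{alg}: NumberOfCertificates={n} but {len(certs)} present")
            for cert in certs:
                _check_pem(cert.text or "", "CERTIFICATE")
            algs[alg] = len(certs)
        # The tool installs both the RSA and the ECC attestation key.
        if set(algs) != {"ecdsa", "rsa"}:
            raise ValueError(f"expected ecdsa and rsa keys, got {sorted(algs)}")
        summary[device_id] = algs
    return summary


def install_commands(keybox_path, device_id, provision_device_ids=False):
    """The post's adb steps (argc == 4 form of KmInstallKeybox) plus cleanup, as argv lists."""
    remote = "/data/keybox.xml"
    flag = "true" if provision_device_ids else "false"
    return [
        ["adb", "root"],
        ["adb", "push", keybox_path, remote],
        ["adb", "shell",
         f"LD_LIBRARY_PATH=/vendor/lib64/hw KmInstallKeybox {remote} {device_id} {flag}"],
        # The keybox holds the attestation private keys: do not leave a copy on /data.
        ["adb", "shell", f"rm -f {remote}"],
    ]


def _fake_pem(label):
    """Constructed placeholder: a tiny DER SEQUENCE, not a real key or certificate."""
    der = b"\x30\x06\x02\x01\x00\x02\x01\x00"
    return f"-----BEGIN {label}-----\n{base64.b64encode(der).decode()}\n-----END {label}-----"


# Constructed sample keybox; the DeviceID is the one from the tool's usage text.
SAMPLE_KEYBOX = f"""<?xml version="1.0"?>
<AndroidAttestation>
  <NumberOfKeyboxes>1</NumberOfKeyboxes>
  <Keybox DeviceID="mfgID_xxxx_0000">
    <Key algorithm="ecdsa">
      <PrivateKey format="pem">{_fake_pem('EC PRIVATE KEY')}</PrivateKey>
      <CertificateChain>
        <NumberOfCertificates>2</NumberOfCertificates>
        <Certificate format="pem">{_fake_pem('CERTIFICATE')}</Certificate>
        <Certificate format="pem">{_fake_pem('CERTIFICATE')}</Certificate>
      </CertificateChain>
    </Key>
    <Key algorithm="rsa">
      <PrivateKey format="pem">{_fake_pem('RSA PRIVATE KEY')}</PrivateKey>
      <CertificateChain>
        <NumberOfCertificates>1</NumberOfCertificates>
        <Certificate format="pem">{_fake_pem('CERTIFICATE')}</Certificate>
      </CertificateChain>
    </Key>
  </Keybox>
</AndroidAttestation>
"""

if __name__ == "__main__":
    print(check_keybox(SAMPLE_KEYBOX, "mfgID_xxxx_0000"))
    for argv in install_commands("keybox.xml", "mfgID_xxxx_0000"):
        print(" ".join(argv))
```

Run check_keybox on the real file before step 2; if it passes, execute each argv from install_commands with subprocess.run(argv, check=True). The trailing rm step is added because the XML carries the attestation private keys in the clear and the three steps above otherwise leave a copy in /data.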

KmInstallKeybox source

// Includes added so the snippet compiles against the Qualcomm keymaster provisioning
// headers; InstallKeybox, KeymasterHalDevice, PROV_EXIT, GENERIC_FAILURE and the
// KM_SECURITY_LEVEL_* constants come from those headers, not from the standard library.
#include <cstdlib>
#include <cstring>
#include <iostream>
#include <string>

using namespace keymasterdevice;
using std::cout;
using std::endl;

int main(int argc, char** argv) {
    // Accepted forms: TEE only (argc 4), TEE + "rkp" (5),
    // TEE + StrongBox (7), TEE + StrongBox + "rkp" (8).
    if ((argc != 4) && (argc != 5) && (argc != 7) && (argc != 8)) {
        cout << "usage: LD_LIBRARY_PATH=/vendor/lib64/hw KmInstallKeybox Keybox_file Device_ID "
                "provision_device_ids(true/false) "
                "[Strongbox_Keybox_file Strongbox_Device_ID "
                "strongbox_provision_device_ids(true/false)] [rkp]"
             << endl;
        cout << "e.g.,: LD_LIBRARY_PATH=/vendor/lib64/hw KmInstallKeybox keybox.xml "
                "mfgID_xxxx_0000 true "
                "strongbox_keybox.xml strongbox_mfgID_xxxx_0000 true"
             << endl;
        cout << "KmInstallKeybox will install the attestation "
                "keys (both RSA and ECC) along with all the device identifiers\n"
                "(brand, device, product, serial#, IMEI, MEID (if available), model "
                "and manufacturer).\n"
                "\n"
                "The tool will use KM HAL APIs to generate RSA / ECC keys and\n"
                "verify the attestation certificate signed with the provisioned keys.\n"
                "If the validation is successful, the tool will set 'Provisioning Success' "
                "to KM TA / KM Strongbox.\n"
                "Else all the provisioned keys are deleted and it can be re-provisioned.\n"
                "\n"
                "Once 'Provisioning Success' state is set in KM TA / Strongbox,\n"
                "attestation keys / Device IDs cannot be re-provisioned.\n"
                "\n"
                "\n"
                "**RMA Use Case**\n"
                "For RMA use case, OEMs can set the following devcfg parameter in "
                "'keymaster_oem_config.xml'.\n"
                "Please ensure to sign this debug devcfg with the serial# of the device, as this "
                "will enable\n"
                "re-provisioning of keys and if used incorrectly can open up the device to be "
                "re-provisioned.\n"
                "<props name=\"allow_reprovision\" type=DALPROP_ATTR_TYPE_UINT32>\n"
                "1\n"
                "Strongbox provisioning is optional and is only supported on chipsets where SPU / "
                "strongbox is supported."
             << endl;

        exit(-1);
    }

    std::string deviceId(argv[2]);
    // TEE: argv[3] selects whether the device identifiers are provisioned alongside the keys.
    // strcmp rather than memcmp: memcmp(argv[3], "true", 4) reads past a shorter argument
    // and accepts anything that merely starts with "true".
    bool provision_device_id = false;
    if (!strcmp(argv[3], "true"))
        provision_device_id = true;
    else if (!strcmp(argv[3], "false"))
        provision_device_id = false;
    else
        return GENERIC_FAILURE;

    // A trailing "rkp" argument (remote key provisioning) provisions only the device IDs:
    // ParseFile(true) skips the keybox keys and ValidateProvisionedKeys() is not run.
    bool provision_only_device_id = false;
    if (argc == 5 && !strcmp(argv[4], "rkp"))
        provision_only_device_id = true;
    else if (argc == 8 && !strcmp(argv[7], "rkp"))
        provision_only_device_id = true;

    int ret = GENERIC_FAILURE;  // status slot used by the PROV_EXIT macro

    // This is required only for the off-target emulator; compiled out on a real device.
    SetUpOffTarget();
    KeymasterHalDevice device(KM_SECURITY_LEVEL_TRUSTED_ENVIRONMENT);
    SetUpOffTargetConfig(&device, 0, 0, 0);

    // Parse the TEE keybox, install the keys / device IDs, then prove the keys work by
    // generating a key through the KM HAL and verifying the attestation chain it signs.
    InstallKeybox installer(argv[1], deviceId, provision_device_id,
                            KM_SECURITY_LEVEL_TRUSTED_ENVIRONMENT);
    PROV_EXIT(installer.ParseFile(provision_only_device_id));
    if (!provision_only_device_id)
        PROV_EXIT(installer.ValidateProvisionedKeys());

    cout << "TEE done" << endl;
    if (argc == 7 || argc == 8) {
        std::string deviceIdSb(argv[5]);
        // SB: same steps again for the StrongBox keybox (argv[4..6]).
        bool provision_device_sb_id = false;
        if (!strcmp(argv[6], "true"))
            provision_device_sb_id = true;
        else if (!strcmp(argv[6], "false"))
            provision_device_sb_id = false;
        else
            return GENERIC_FAILURE;

        InstallKeybox installer_sb(argv[4], deviceIdSb, provision_device_sb_id,
                                   keymaster::KM_SECURITY_LEVEL_STRONGBOX);
        PROV_EXIT(installer_sb.ParseFile(false));
        PROV_EXIT(installer_sb.ValidateProvisionedKeys());
    }
    cout << "InstallKeybox is done!" << endl;
    return 0;
}

This tool can also be customized to suit actual needs.

How keyboxes work

How does the Google attestation key work?
