On Tue, Mar 3, 2015 at 9:11 PM, Shawn Willden <[email protected]> wrote:
> I don't think any of the non-ARM devices have TEE implementations. I expect
> this to change soon, at least for Intel devices, and we may see some that
> use an SE-based or TPM-based HW keystore, but I don't think any of that has
> happened yet.

We have shipping devices in field with HW backed keystores.

Cheers

> On Tue, Mar 3, 2015, 9:32 PM Leibowitz, Michael
> <[email protected]> wrote:
>>
>> On Tue, Mar 3, 2015 at 7:35 PM, 'Shawn Willden' via Android Security
>> Discussions <[email protected]> wrote:
>> > "Hardware-backed" means "in ARM TrustZone" on all existing devices.
>> > Since
>>
>> Most. Not all devices are ARM.
>>
>> Cheers
>>
>> > TrustZone isn't separate hardware but a secure mode of the main CPU, key
>> > generation should be almost exactly as fast as a software key, since the
>> > only additional cost is the context switches in and out of secure mode.
>> > If KeyChain.isAlgorithmSupported returns true for an algorithm, that
>> > means that algorithm is supported in secure hardware (actually,
>> > TrustZone) on your device.
>> >
>> > On Nexus 5, keystore.msm8974.so is the HAL module that talks to the
>> > Qualcomm trusted OS.
>> >
>> > On Tue, Mar 3, 2015 at 8:25 PM William Roberts
>> > <[email protected]> wrote:
>> >>
>> >> Without rooting an image, is there a way to test if AKS is hardware
>> >> backed? KeyChain.isKeyAlgorithmSupported("RSA") returns true, but
>> >> others suspect the generation times are too fast (1.2-1.7 seconds).
>> >>
>> >> On KitKat Nexus 5, I see /system/lib/hw contains 2 keymaster
>> >> implementations:
>> >>
>> >> keystore.default.so
>> >> keystore.msm8974.so
>> >>
>> >> I initially was going to look at the memmap of keystored to see what
>> >> was loaded. Any comments, much appreciated.
>> >>
>> >> Thanks.
>> >>
>> >> --
>> >> You received this message because you are subscribed to the Google
>> >> Groups "Android Security Discussions" group.
>> >> To unsubscribe from this group and stop receiving emails from it, send
>> >> an email to [email protected].
>> >> To post to this group, send email to [email protected].
>> >> Visit this group at
>> >> http://groups.google.com/group/android-security-discuss.
>> >> For more options, visit https://groups.google.com/d/optout.
>>
>> --
>> Michael Leibowitz

--
Michael Leibowitz
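
The memory-map check William mentions, as an added example that is not part of the original thread: the parser below takes the text of `/proc/<pid>/maps` for the keystore daemon and reports which `keystore.*.so` HAL module is mapped. The sample map is constructed, the function names are hypothetical, and reading `keystore.default.so` as the software fallback is an assumption the thread does not state.

```python
import re

# Keymaster HAL modules are named keystore.<variant>.so under a hw/ directory,
# e.g. /system/lib/hw/keystore.msm8974.so (path pattern taken from the thread).
HAL_RE = re.compile(r"/hw/keystore\.([A-Za-z0-9_]+)\.so$")

# Constructed sample of /proc/<pid>/maps output; addresses and inodes are made up.
SAMPLE_MAPS = """\
b6e8a000-b6e8d000 r-xp 00000000 b3:19 1234       /system/lib/hw/keystore.msm8974.so
b6e8d000-b6e8e000 r--p 00002000 b3:19 1234       /system/lib/hw/keystore.msm8974.so
b6e8e000-b6e8f000 rw-p 00003000 b3:19 1234       /system/lib/hw/keystore.msm8974.so
b6f00000-b6f45000 r-xp 00000000 b3:19 987        /system/lib/libcrypto.so
b6f90000-b6f94000 rw-p 00000000 00:00 0
be9d2000-be9f3000 rw-p 00000000 00:00 0          [stack]
"""


def loaded_keymaster_modules(maps_text):
    """Return {variant: {"path": str, "executable": bool}} for each mapped HAL module."""
    found = {}
    for line in maps_text.splitlines():
        # Fields: address perms offset dev inode [pathname]
        fields = line.split(None, 5)
        if len(fields) < 6:
            continue  # anonymous mapping, no pathname
        perms, path = fields[1], fields[5].strip()
        match = HAL_RE.search(path)
        if not match:
            continue
        entry = found.setdefault(match.group(1), {"path": path, "executable": False})
        if "x" in perms:
            entry["executable"] = True  # code segment is mapped, so the module is in use
    return found


def classify(maps_text):
    """Return 'device-specific', 'default-only' or 'none'.

    'device-specific' only shows that a vendor HAL is loaded; it does not by
    itself prove where a given key is stored. Treating 'default-only' as the
    software fallback is an assumption of this example.
    """
    variants = set(loaded_keymaster_modules(maps_text))
    if variants - {"default"}:
        return "device-specific"
    return "default-only" if variants else "none"


if __name__ == "__main__":
    print(classify(SAMPLE_MAPS), loaded_keymaster_modules(SAMPLE_MAPS))
```

Reading another process's maps file typically needs root or a debuggable build, so this serves as a cross-check on a test device rather than as the no-root test asked about in the thread.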
