Skip to content

Keymaster 4.1 Release V3.1

Pre-release
Pre-release
Compare
Choose a tag to compare
@mdwivedi mdwivedi released this 18 Jun 02:25
· 3 commits to Javacard_KM_41_AOSP_UPMERGE_0630 since this release
JC_KM_41_V3.1
9971f23
This commit was created on GitHub.com and signed with GitHub’s verified signature. The key has expired.
GPG key ID: 4AEE18F83AFDEB23
Expired
Learn about vigilant mode.

This is the Version 3.0 release for Javacard 4.1 Keymaster. Please refer to the following release notes for details.

Relese Tag : JC_KM_41_V3.1
Branch: master, Javacard_KM_41_AOSP_UPMERGE_0630
Keymaster Version: 4.1

Detailed Release Notes: https://drive.google.com/file/d/1BjKo2co6hut5qHv6YlqLAmCjKi-abxbn/view?usp=sharing
Release Documents: https://drive.google.com/drive/folders/14UKN80LtEnTpC-xsGETqNkcnQ9sXgaIf?usp=sharing
Folder Contains :

  • Detailed Release Notes
  • VTS Setup Guide
  • Integration Guide
  • StrongBox RMA Document
  • Applet State Machine

Highlights of the changes as below: - Please refer to detailed release notes for complete list.

  • Support for RMA
  • Introduced SE Lock, OEM Lock, OEM Unlock in the provision flow.
  • Provision OEM Root public key to authenticate OEM Unlock or OEM Lock.

Please refer to the “[External] Android Ready SE - StrongBox RMA.pdf” document for more information

  • Fixed the issue with parallel operation execution with each operation overriding the previous KeyObject.
  • Changes in the KeyBlob structure, the KeyBlob’s version is changed from 0 to 1.

Added a Version variable inside the KeyBlob.
Added a new entry for custom tags inside the KeyBlob.
Changes in the KeyBlob’s hidden parameters: The Root of Trust.

  • Root of Trust binding, contains only Verified Boot Key, Verified Boot State and lock state of the device. ( No Verified Boot Hash)
  • Maximum size limit validation for all the Byte tags
  • Integrated OMAPI in the HAL and added a patch to remove the changes in [aosp_12]
  • Open the OMAPI session and channel indefinitely.
  • Updated the JCard functional tests.
  • Support of Version jump while Keymaster Applet upgrade.
  • Critical bug fixes from Keymint

Updated tags in hardware & software enforced in attestation record.

  • Digest value validation depending on the purpose.
  • Follow X509 standard in representing ASN.1 UTC time.
  • Clear the transient buffer (heap) after reclaiming it back.
  • Don't allow commands till the shared secret is negotiated (Keymaster is ready).
Assets 2
Loading