Skip to content

Javacard KeyMint 100 Release v2.0 Pre-Release

Pre-release
Pre-release
Compare
Choose a tag to compare
@mdwivedi mdwivedi released this 06 Jul 14:28
· 26 commits to Javacard_KeyMint_100_master since this release
JC_Keymint_100_v2.0-Pre-Release
1a627b1
This commit was created on GitHub.com and signed with GitHub’s verified signature. The key has expired.
GPG key ID: 4AEE18F83AFDEB23
Expired
Learn about vigilant mode.

This is the Version 2.0 release for Javacard KeyMint 100. Please refer to the following release notes for details.

Previous Release Tag : JC_Keymint_100_v1.1
Current Release Tag : JC_Keymint_100_v2.0-Pre-Release
Branch: Javacard_KeyMint_100_master
KeyMint Spec Version: 1.0

Release Documents:
https://drive.google.com/drive/folders/1FD5NejzmUu7nFjdacJJH9JPNK3hW_DI8?usp=sharing)

Release Folder Contents

  • [External] Android Ready SE - StrongBox RMA.pdf
  • [External] Javacard KeyBlob Versioning.pdf
  • [External] Javacard Keymint 1.0 v2.0 Release Notes.pdf
  • [External] KeyMint Applet Ready State.pdf
  • [External] Keymint Provisioning.pdf
  • [External] xTS Setup Guide for Keymint100.pdf

Release Highlights
Please refer to detailed release notes for complete list.

  • Support for RMA

Note: OEMs must provision the OEM root public key using the provision tool after the upgrade.

  • Changes in the KeyBlob encryption, the KeyBlob’s version is changed from 2 to 3.

In this version, the AuthData is considered only for deriving key and not for KeyBlob encryption and decryption.
AuthData is a Cbor array containing HARDWARE_PARAMETERS, HIDDEN_PARAMETERS, VERSION, CUSTOM_TAGS, PUB_KEY.

  • Moved UNLOCKED_DEVICE_REQUIRED and TRUSTED_CONFIRMATION_REQUIRED tags from strongbox enforced list to TEE enforced list
  • Maximum size limit validation for all the Byte tags
  • In this version only provision data, Provision status, Master key and RPK Mac key are saved and restored during applet upgrade.
  • Added the JCard functional tests.
  • Support of Version jump while KeyMint Applet upgrade.
  • Integrated OMAPI in the HAL. Open the OMAPI session and channel indefinitely.
  • Optimized NVM memory usage.

Avoided initialization of arrays inside the functions and declared them as global transient arrays.

  • Critical bug fixes from KeyMint

Updated tags in hardware & software enforced in attestation record.
Digest value validation depending on the purpose.
GPIO supports changes in KeyMint. Accept setBootParamters only once after boot
Corrected Keyblob version V1 offsets.
Corrected validation of OS version and OS patch level during Keyblob upgrade.
Added Buffering of input data for RSA decryption operation in HAL

  • Don't allow commands untill all the provisiong parameters (including ROT/Pre-shared secret) are available to Keymint device post device reboot (KeyMint is ready).
Assets 2
Loading