docs: Migrated "key attestation" page to a new location (for N OTA).

Updated page location, TOC entry, and URL redirect in preparation
for Android Nougat OTA release.

Bug: 28851641
Change-Id: I8be252d79b0b5ad3c7d814175e6bfbfb98e95daf
Kevin Hufnagle
2016-07-20 14:14:55 -07:00
parent 83fb75ded3
commit c946f9d103
3 changed files with 37 additions and 24 deletions


@@ -1201,3 +1201,8 @@ redirects:
to: /studio/intro/index.html?utm_medium=android-studio
- from: /r/studio-ui/menu-start.html
to: /training/index.html?utm_medium=android-studio
# N Preview redirects
- from: /preview/features/key-attestation.html
to: /training/articles/security-key-attestation.html


@@ -1373,6 +1373,11 @@ toc:
path_attributes:
- name: description
value: How to use the SafetyNet service to analyze a device where your app is running and get information about its compatibility with your app.
- title: Verifying Hardware-backed Key Pairs with Key Attestation
path: /training/articles/security-key-attestation.html
path_attributes:
- name: description
value: How to retrieve and verify the properties of a device's hardware-backed key pair.
- title: Enhancing Security with Device Management Policies
path: /work/device-management-policy.html
path_attributes:


@@ -1,11 +1,11 @@
page.title=Key Attestation
page.metaDescription=New support in Android N for verifying security properties of hardware-backed keys.
page.keywords="android N", "security", "TEE", "hardware-backed", "keystore", "certificate", "key attestation"
page.metaDescription=A tool for verifying security properties of hardware-backed key pairs.
page.keywords="security", "TEE", "hardware-backed", "keystore", "certificate", "key attestation"
@jd:body
<div id="qv-wrapper">
<div id="qv">
<div id="tb-wrapper">
<div id="tb">
<h2>In this document</h2>
<ol>
<li><a href="#verifying">Retrieving and Verifying a Hardware-backed Key Pair</a></li>
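Review bot: The new page.metaDescription calls key attestation "A tool", while the body of the page describes a platform capability and a certificate format rather than a tool; wording closer to the TOC description added in this commit ("How to retrieve and verify the properties of a device's hardware-backed key pair") would be more accurate. page.title also stays "Key Attestation" while the new TOC entry is titled "Verifying Hardware-backed Key Pairs with Key Attestation"; consider making the two agree so search results and navigation show the same name.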
@@ -22,14 +22,14 @@ page.keywords="android N", "security", "TEE", "hardware-backed", "keystore", "ce
</p>
<p class="note">
<strong>Note: </strong>Only a small number of devices running Android N
support hardware-level key attestation; all other devices running Android N
use software-level key attestation instead. Before you verify the properties
of a device's hardware-backed keys in a production-level environment, you
should make sure that the device supports hardware-level key attestation. To
do so, you should check that the attestation certificate chain contains a root
certificate that is signed by the Google attestation root key and that the
<code>attestationSecurityLevel</code> element within the <a
<strong>Note: </strong>Only a small number of devices running Android 7.0 (API
level 24) support hardware-level key attestation; all other devices running
Android 7.0 use software-level key attestation instead. Before you verify the
properties of a device's hardware-backed keys in a production-level
environment, you should make sure that the device supports hardware-level key
attestation. To do so, you should check that the attestation certificate chain
contains a root certificate that is signed by the Google attestation root key
and that the <code>attestationSecurityLevel</code> element within the <a
href="#certificate_schema_keydescription">key description</a> data structure
is set to the TrustedEnvironment security level.
</p>
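Review bot: In the rewritten note, "contains a root certificate that is signed by the Google attestation root key" leaves it unclear what a verifier is expected to check, and the note does not say how to treat a chain that fails this check or reports a different attestationSecurityLevel. Suggest stating the two checks as an explicit pair that must both pass before the key is treated as hardware-backed, and wrapping TrustedEnvironment in <code> so it reads as the enumerated value, matching the markup already used for attestationSecurityLevel.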
@@ -45,15 +45,17 @@ page.keywords="android N", "security", "TEE", "hardware-backed", "keystore", "ce
</p>
<p>
The root certificate within this chain is signed using an attestation key,
which the device manufacturer injects into the devices hardware-backed
keystore at the factory.
If the device supports hardware-level key attestation, the root certificate
within this chain is signed using an attestation root key, which the device
manufacturer injects into the devices hardware-backed keystore at the
factory.
</p>
<p class="note">
<strong>Note:</strong> On devices that ship with Android N and Google Play
services, the root certificate is issued by Google. You should verify that
this root certificate appears within Googles list of root certificates.
<strong>Note:</strong> On devices that ship with hardware-level key
attestation, Android 7.0 (API level 24), and Google Play services, the root
certificate is signed by the Google attestation root key. You should verify
that this root certificate appears within Googles list of root certificates.
</p>
<p>
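Review bot: The new lines carry over two missing apostrophes from the text they replace: "the devices hardware-backed keystore" should be "the device's hardware-backed keystore" and "Googles list of root certificates" should be "Google's list of root certificates". The second note also tells readers to check the root against that list without linking to it or saying where it is published; since this is the step the verification depends on, add the link or a pointer to the section that contains it.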
@@ -231,7 +233,7 @@ VerifiedBootState ::= ENUMERATED {
</dd>
<dt>
<code>attestationSecurity</code>
<code>attestationSecurityLevel</code>
</dt>
<dd>
@@ -242,8 +244,8 @@ VerifiedBootState ::= ENUMERATED {
<p class="caution">
<strong>Warning:</strong> Although it is possible to attest keys that are
stored in the Android system&mdash;that is, if the
<code>attestationSecurity</code> value is set to Software&mdash;you
stored in the Android system&mdash;that is, if the value of
<code>attestationSecurityLevel</code> is set to Software&mdash;you
cannot trust these attestations if the Android system becomes compromised.
</p>
</dd>
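Review bot: In the updated warning, the field name is now marked up as <code>attestationSecurityLevel</code> but the value "Software" is still plain text; mark it as <code>Software</code> so readers can match it against the enumerated values in the schema. Because this commit renames both attestationSecurity and keymasterSecurity, it is also worth checking that no other occurrence of the old names remains elsewhere on the page, since only the changed lines are visible here.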
@@ -259,7 +261,7 @@ VerifiedBootState ::= ENUMERATED {
</dd>
<dt>
<code>keymasterSecurity</code>
<code>keymasterSecurityLevel</code>
</dt>
<dd>
@@ -357,7 +359,8 @@ VerifiedBootState ::= ENUMERATED {
<p>
Each field name corresponds to a similarly-named Keymaster tag. For example,
the <code>keySize</code> field in an authorization list corresponds to the
<code>KM_TAG_KEY_SIZE</code> Keymaster tag.
<a href="https://source.android.com/security/keystore/implementer-ref.html#km_tag_key_size">
<code>KM_TAG_KEY_SIZE</code></a> Keymaster tag.
</p>
<p>
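Review bot: In the new link around KM_TAG_KEY_SIZE, the line break between the opening <a href="..."> tag and <code> puts whitespace inside the anchor, which renders as a leading linked space before the tag name. Keep the opening tag and <code> on the same line, or break inside the tag before href as the key description link earlier in the page does.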
@@ -780,7 +783,7 @@ VerifiedBootState ::= ENUMERATED {
<dd>
The month and year associated with the security patch that is currently
installed on the device, specified as a six-digit integer. For example, the
June 2016 patch is represented as 201606.
August 2016 patch is represented as 201608.
</dd>
</dl>
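Review bot: The patch-level example is refreshed from 201606 to 201608, but the description still conveys the layout only through "six-digit integer" and the example. Naming the format explicitly as YYYYMM would remove the ambiguity about digit order and would mean the text does not need another edit when the example month goes stale.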