How to check whether Android phone supports TEE?

Problem description

I have read these two posts: One and Two, but I still have a question.

I use KeyStore (Android 9) to generate an AES key, and use the isInsideSecureHardware() method to check whether the key is inside secure hardware. I got False as the return value. Sample code can be found here, and here.

public boolean isInsideSecureHardware ()

Returns true if the key resides inside secure hardware (e.g., Trusted Execution Environment (TEE) or Secure Element (SE)). Key material of such keys is available in plaintext only inside the secure hardware and is not exposed outside of it.

Thus, I want to further confirm whether my phone device (Huawei P20) supports TEE.

Questions:

  1. If the phone supports TEE, will the key generated by KeyStore be stored in the TEE automatically? Do I need any manual configuration in Java? I heard that keys will be automatically stored in the TEE, as long as you use KeyStore.getInstance(), KeyGenerator.getInstance(algorithm, KeyStore name). But I am not sure whether this is true or not.

  2. If the answer to Q1 is "need manual configuration", that becomes the reason isInsideSecureHardware() returns False, right? If the answer to Q1 is "automatically", ignore Q2.

  3. Any method to directly check whether the phone supports TEE, in Java?

Recommended answer

From the Android keystore system documentation:

Supported devices running Android 9 (API level 28) or higher installed can have a StrongBox Keymaster, an implementation of the Keymaster HAL that resides in a hardware security module. The module contains the following:
[...]
* Secure storage.
[...]
When checking keys stored in the StrongBox Keymaster, the system corroborates a key's integrity with the Trusted Execution Environment (TEE).
[...]
When generating or importing keys using the KeyStore class, you indicate a preference for storing the key in the StrongBox Keymaster by passing true to the setIsStrongBoxBacked() method.

In my understanding that means when you generate a Key and call keyGenParameterSpecBuilder.setIsStrongBoxBacked(true) for the key configuration you can ensure that it's backed by a TEE. If there is no TEE available, it'll throw a StrongBoxUnavailableException.

So to check if there's a TEE available you could just attempt to generate a key this way and see if it works.
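
The approach described in the answer, written out as an added example (not code from the original post or from the Android documentation): it requests a StrongBox-backed AES key, falls back to an ordinary AndroidKeyStore key on StrongBoxUnavailableException, and then reads KeyInfo.isInsideSecureHardware(), the check used in the question. The class name KeystoreProbe and the alias probe_key are assumptions; API level 28 or higher is assumed.

```java
import android.security.keystore.KeyGenParameterSpec;
import android.security.keystore.KeyInfo;
import android.security.keystore.KeyProperties;
import android.security.keystore.StrongBoxUnavailableException;
import java.io.IOException;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import javax.crypto.SecretKeyFactory;

/** Added example; class name and alias are assumptions. Requires API level 28+. */
public final class KeystoreProbe {
    private static final String PROVIDER = "AndroidKeyStore";
    private static final String ALIAS = "probe_key"; // constructed throwaway alias

    /** Generates a throwaway AES key and reports where the keystore placed it. */
    public static String probe() throws GeneralSecurityException, IOException {
        boolean strongBox = true;
        SecretKey key;
        try {
            key = generate(true);
        } catch (StrongBoxUnavailableException e) {
            // No StrongBox for this algorithm and key size: retry without the preference.
            strongBox = false;
            key = generate(false);
        }
        // KeyInfo is obtained through the AndroidKeyStore SecretKeyFactory.
        SecretKeyFactory factory = SecretKeyFactory.getInstance(key.getAlgorithm(), PROVIDER);
        KeyInfo info = (KeyInfo) factory.getKeySpec(key, KeyInfo.class);
        // Deprecated since API 31 in favor of getSecurityLevel(); still the check from the question.
        boolean inHardware = info.isInsideSecureHardware();
        KeyStore ks = KeyStore.getInstance(PROVIDER);
        ks.load(null);
        ks.deleteEntry(ALIAS); // remove the probe key again
        return "strongBox=" + strongBox + ", insideSecureHardware=" + inHardware;
    }

    private static SecretKey generate(boolean strongBox) throws GeneralSecurityException {
        KeyGenParameterSpec spec = new KeyGenParameterSpec.Builder(ALIAS,
                KeyProperties.PURPOSE_ENCRYPT | KeyProperties.PURPOSE_DECRYPT)
                .setBlockModes(KeyProperties.BLOCK_MODE_GCM)
                .setEncryptionPaddings(KeyProperties.ENCRYPTION_PADDING_NONE)
                .setKeySize(256)
                .setIsStrongBoxBacked(strongBox)
                .build();
        KeyGenerator generator = KeyGenerator.getInstance(KeyProperties.KEY_ALGORITHM_AES, PROVIDER);
        generator.init(spec);
        return generator.generateKey();
    }
}
```

Calling KeystoreProbe.probe() on the device returns both results in one string, so a False from isInsideSecureHardware() can be told apart from a missing StrongBox.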
