Trusted Platform Module access

Trusted Platform Module access

Jim Borden
I am working on a C / C++ implementation that involves generating private keys without exposing them to userland. This ability has been in the Linux kernel for quite some time, and a look at recent Android kernels indicates that its support is enabled (CONFIG_KEYS=y) but the keyutils library is not in the sysroot and the keyctl function is nowhere to be found. Is this something that we are not allowed to use in the NDK? Are there any other methods to achieve this goal? I'd love to avoid going through JNI into Java just to use the Android KeyStore class, which I am assuming simply calls back into the JRE to use keyutils anyway (seems like a waste of an expensive trip across the managed / unmanaged border twice).

--
You received this message because you are subscribed to the Google Groups "android-ndk" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [hidden email].
To view this discussion on the web visit https://groups.google.com/d/msgid/android-ndk/4c334e71-ee30-4329-8a0c-b52c4124b911o%40googlegroups.com.

Re: Trusted Platform Module access

Dan Albert
Could you file a bug? I don't know about the actual availability across the various kernel versions, but we can get CTS tests added and probably add the library that exposes the syscall wrappers, assuming there isn't a reason we've avoided adding this other than just being overlooked :)

Re: Trusted Platform Module access

Jim Borden
Ok, I wasn't quite sure how to word it but -> https://github.com/android/ndk/issues/1284

If it makes things simpler, this could be translated to "I want to do what the Android KeyStore does, but completely inside the NDK" (not sure of the exact implementation and I know it varies by API level and hardware availability).

Re: Trusted Platform Module access

Dan Albert
Thanks! We'll see what we can do and continue the conversation on the bug. 

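
The raw-syscall route the first post asks about, as an added example that is not part of the thread or of the NDK: it checks whether add_key(2) and keyctl(2) are reachable without libkeyutils by round-tripping a constructed payload through the process keyring. The key description `ndk:probe` and the payload are made up, and the code assumes `<sys/syscall.h>` defines `SYS_add_key` and `SYS_keyctl`; a "user" key is supplied by and readable from userland, so this tests availability only, not in-kernel key generation.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/syscall.h>
#include <unistd.h>

/* Values as defined in the kernel UAPI header <linux/keyctl.h>. */
#define KEY_SPEC_PROCESS_KEYRING (-2L)
#define KEYCTL_UNLINK 9
#define KEYCTL_READ 11

/* Returns 1 if a "user" key round-trips through the process keyring,
 * 0 if the payload read back differs, or -errno if the kernel refuses
 * (e.g. ENOSYS without CONFIG_KEYS, EPERM/EACCES when policy denies it). */
int probe_keyring(void) {
    /* Constructed sample payload and hypothetical key description. */
    static const char payload[] = "constructed-sample-payload";
    const size_t len = sizeof payload - 1;
    char out[64] = {0};

    /* add_key(type, description, payload, plen, keyring) */
    long id = syscall(SYS_add_key, "user", "ndk:probe", payload, len,
                      KEY_SPEC_PROCESS_KEYRING);
    if (id < 0)
        return -errno;

    /* keyctl(KEYCTL_READ, key, buffer, buflen) returns the payload size */
    long n = syscall(SYS_keyctl, KEYCTL_READ, id, out, sizeof out);
    int rc = n < 0 ? -errno
                   : (n == (long)len && memcmp(out, payload, len) == 0);

    /* Unlink the key again so the probe leaves nothing behind. */
    syscall(SYS_keyctl, KEYCTL_UNLINK, id, KEY_SPEC_PROCESS_KEYRING);
    return rc;
}

int main(void) {
    int rc = probe_keyring();
    if (rc < 0)
        printf("keyring syscalls unavailable: %s\n", strerror(-rc));
    else
        printf("keyring round-trip %s\n", rc ? "ok" : "mismatch");
    return rc == 1 ? 0 : 1;
}
```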