| Field | Value | Date |
|---|---|---|
| author | Jiachen Zhao <zhaojiac@google.com> | 2020-06-08 21:22:01 +0000 |
| committer | Gina Dimino <gdimino@google.com> | 2020-08-26 23:11:38 +0000 |
| commit | 6f30047d867111f616c44c9d168a5b1078a2bbec (patch) | |
| tree | 2969aa966cd96045a9bcd564ec0600b1c2e6ef2e /9_security-model | |
| parent | ca55e5cc150f37d34ebf4fa37519d6a6e321dd09 (diff) | |
| download | platform_compatibility_cdd-6f30047d867111f616c44c9d168a5b1078a2bbec.tar.gz, platform_compatibility_cdd-6f30047d867111f616c44c9d168a5b1078a2bbec.tar.bz2, platform_compatibility_cdd-6f30047d867111f616c44c9d168a5b1078a2bbec.zip | |
CDD: Require OTA Resume On Reboot feature.
Update File-based encryption to include content related to Resume On Reboot requirements.
Bug: b/145144304
Change-Id: Ifd18665d28e26e9afa7ac63011e1484f2559d6cc
Diffstat (limited to '9_security-model')

| Mode | File | Lines |
|---|---|---|
| -rw-r--r-- | 9_security-model/9_9_full-disk-encryption.md | 40 |

1 files changed, 38 insertions, 2 deletions
diff --git a/9_security-model/9_9_full-disk-encryption.md b/9_security-model/9_9_full-disk-encryption.md index 55d6f19d..61fbdbbf 100644 --- a/9_security-model/9_9_full-disk-encryption.md +++ b/9_security-model/9_9_full-disk-encryption.md @@ -45,8 +45,10 @@ after the `ACTION_LOCKED_BOOT_COMPLETED` message is broadcasted. the user has unlocked the device by supplying their credentials (eg. passcode, pin, pattern or fingerprint) and the `ACTION_USER_UNLOCKED` message is broadcasted. -* [C-1-3] MUST NOT offer any method to unlock the CE protected storage -without either the user-supplied credentials or a registered escrow key. +* [C-1-13] MUST NOT offer any method to unlock the CE protected storage +without either the user-supplied credentials, a registered escrow key or a +resume on reboot implementation meeting the requirements in +[section 9.9.4](#9_9_4_resume_on_reboot). * [C-1-4] MUST use Verified Boot and ensure that DE keys are cryptographically bound to the device's hardware root of trust. * [C-1-5] MUST encrypt file contents using AES-256-XTS or 
@@ -81,3 +83,37 @@ Direct Boot aware. The upstream Android Open Source project provides a preferred implementation of this feature based on the Linux kernel "fscrypt" encryption feature. + +### 9.9.4\. Resume on Reboot + +Resume on Reboot allows unlocking the CE storage of all apps, including those +that do not yet support Direct Boot, after a reboot initiated by an OTA. This +feature enables users to receive notifications from installed apps after the +reboot. + +An implementation of Resume-on-Reboot must continue to ensure that when a +device falls into an attacker’s hands, it is extremely difficult for that +attacker to recover the user’s CE-encrypted data, even if the device is powered +on, CE storage is unlocked, and the user has unlocked the device after receiving +an OTA. For insider attack resistance, we also assume the attacker gains access +to broadcast cryptographic signing keys. + +Specifically: + +* [C-0-1] CE storage MUST NOT be readable even for the attacker who physically has +the device and then has these capabilities and limitations: + + * Can use the signing key of any vendor or company to sign arbitrary + messages. + * Can cause an OTA to be received by the device. + * Can modify the operation of any hardware (AP, flash etc) except as + detailed below, but such modification involves a delay of at least an + hour and a power cycle that destroys RAM contents. + * Cannot modify the operation of tamper-resistant hardware (eg Titan M). + * Cannot read the RAM of the live device. + * Cannot obtain the user’s credential (PIN, pattern, password) or + otherwise cause it to be entered. + +By way of example, a device implementation that implements and complies with all +of the descriptions found [here](https://source.android.com/devices/tech/ota/resume-on-reboot) +will be compliant with [C-0-1].
\ No newline at end of file |
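Review bot: in the first hunk (`@@ -45,8 +45,10 @@`), the requirement is renumbered from [C-1-3] to [C-1-13] while the item that follows it is still [C-1-4], so the list now jumps from C-1-2 to C-1-13 and back to C-1-4; confirm that C-1-13 is not already used elsewhere in this section and, if the intent is to retire C-1-3 because its text changed, say so in the commit message rather than leaving the gap unexplained. The added third exemption, `a resume on reboot implementation meeting the requirements in [section 9.9.4](#9_9_4_resume_on_reboot)`, widens a MUST NOT and relies on the fragment `#9_9_4_resume_on_reboot` resolving to the heading `### 9.9.4\. Resume on Reboot` added in the second hunk; check the generated anchor id, since a broken link here leaves the exemption pointing at nothing. A serial comma would also help: "credentials, a registered escrow key, or a resume on reboot implementation".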
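Review bot: in the second hunk (`@@ -81,3 +83,37 @@`), the new requirement carries the unconditional prefix [C-0-1], yet the surrounding prose ("Resume on Reboot allows unlocking the CE storage", "An implementation of Resume-on-Reboot must continue to ensure") reads as applying only to devices that implement the feature; either state that every device implementation is held to the attacker model in C-0-1 regardless of whether it supports Resume on Reboot, or move the item under a conditional "If device implementations support Resume on Reboot, they:" lead-in as a C-1-x requirement. Wording in the same hunk: "the attacker who physically has the device and then has these capabilities and limitations" should read "who physically has the device and has the following capabilities and limitations", and the feature name appears as both "Resume on Reboot" and "Resume-on-Reboot". The bullet "Can modify the operation of any hardware (AP, flash etc) except as detailed below, but such modification involves a delay of at least an hour and a power cycle that destroys RAM contents", together with "Cannot read the RAM of the live device" and "Cannot modify the operation of tamper-resistant hardware", is the assumption the whole requirement rests on; it is worth spelling out the consequence for implementers, namely that whatever material keeps CE unlockable across the OTA reboot must not survive such a power cycle anywhere outside RAM or the tamper-resistant hardware. Finally, the closing sentence makes compliance with [C-0-1] depend on an external page (https://source.android.com/devices/tech/ota/resume-on-reboot) whose content can change; consider naming the version or date of that page, and add the missing trailing newline flagged by `\ No newline at end of file`.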