AnsweredAssumed Answered

Programming the attestation key

Question asked by Li Zhongyue on May 8, 2019
Latest reply on May 8, 2019 by Li Zhongyue

Dear NXP engineer:


I am trying to read document named "I.MX_Android_Security_User_Guide.pdf"

Following is the content mentioned in the doc.

3.3.6 Programming the attestation key
Attestation key is programmed in U-Boot. The keystore key attestation aims to provide a way to strongly determine if an
asymmetric key pair is hardware-backed, what the properties of the key are, and what constraints are applied to its usage.Google provides the attestation "keybox", which contains private keys (RSA and ECDSA) and the corresponding certificate chains to partners from the Android Partner Front End (APFE). After retrieving the "keybox" from Google, you need to parsethe "keybox", provision the keys and certificates to secure storage. Both keys and certificates should be encoded with Distinguished Encoding Rules (DER).
Fastboot commands are provided to provision the attestation keys and certificates. Make sure that the secure storage is
properly initialized for Trusty OS. 


Referring to above content,

I have two questions, could you help to check them?

1. Where is the secure storage mentioned in above content? 

    the attestation key will be stored in this secure storage?

2. How are the attestation keys used after provision?   



Thanks a lot.

Have a nice day.