Google Posts Open Profile For DICE Linux Driver, Forwards Firmware Secrets To User-Space
Google is looking to upstream its Linux kernel driver for Open Profile for DICE, a secret derivation protocol currently used by some Android devices.
The proposed "DICE" driver exposes to user-space the "secrets" generated by the firmware/bootloader of Android devices. While passing secrets from firmware to user-space may raise some security concerns, the intended use-case of Open Profile for DICE is trusted computing, with attestation and sealing as part of a verified boot system.
The new Linux driver claims a reserved memory region containing secrets generated by the firmware/bootloader and exposes them to Linux user-space as a character device. The secrets are expected to contain Compound Device Identity (CDI) certificates.
This Open Profile for DICE driver is currently out for review. The specification documentation is available for those interested in Google's Open Profile for DICE for enhancing trusted computing capabilities on Android devices.