1 page.title=Key Attestation 2 page.metaDescription=A tool for verifying security properties of hardware-backed key pairs. 3 page.keywords="security", "TEE", "hardware-backed", "keystore", "certificate", "key attestation" 4 5 @jd:body 6 7 <div id="tb-wrapper"> 8 <div id="tb"> 9 <h2>In this document</h2> 10 <ol> 11 <li><a href="#verifying">Retrieving and Verifying a Hardware-backed Key Pair</a></li> 12 <li><a href="#certificate_schema">Certificate Extension Data Schema</a></li> 13 </ol> 14 </div> 15 </div> 16 17 <p> 18 Key Attestation gives you more confidence that the keys you use in your app 19 are stored in a device's hardware-backed keystore. The following sections 20 describe how to verify the properties of hardware-backed keys and how to 21 interpret the schema of the attestation certificate's extension data. 22 </p> 23 24 <p class="note"> 25 <strong>Note: </strong>Only a small number of devices running Android 7.0 (API 26 level 24) support hardware-level key attestation; all other devices running 27 Android 7.0 use software-level key attestation instead. Before you verify the 28 properties of a device's hardware-backed keys in a production-level 29 environment, you should make sure that the device supports hardware-level key 30 attestation. To do so, you should check that the attestation certificate chain 31 contains a root certificate that is signed by the Google attestation root key 32 and that the <code>attestationSecurityLevel</code> element within the <a 33 href="#certificate_schema_keydescription">key description</a> data structure 34 is set to the TrustedEnvironment security level. 35 </p> 36 37 <h2 id="verifying"> 38 Retrieving and Verifying a Hardware-backed Key Pair 39 </h2> 40 41 <p> 42 During key attestation, you specify the alias of a key pair. The attestation 43 tool, in return, provides a certificate chain, which you can use to verify 44 the properties of that key pair. 45 </p> 46 47 <p> 48 If the device supports hardware-level key attestation, the root certificate 49 within this chain is signed using an attestation root key, which the device 50 manufacturer injects into the devices hardware-backed keystore at the 51 factory. 52 </p> 53 54 <p class="note"> 55 <strong>Note:</strong> On devices that ship with hardware-level key 56 attestation, Android 7.0 (API level 24), and Google Play services, the root 57 certificate is signed by the Google attestation root key. You should verify 58 that this root certificate appears within Googles list of root certificates. 59 </p> 60 61 <p> 62 To implement key attestation, complete the following steps: 63 </p> 64 65 <ol> 66 <li> 67 Use a {@link java.security.KeyStore KeyStore} object's 68 {@link java.security.KeyStore#getCertificateChain getCertificateChain()} 69 method to get a reference to the chain of X.509 certificates associated with 70 the hardware-backed keystore. 71 </li> 72 73 <li> 74 <p> 75 Check each certificates validity using a 76 {@link java.security.cert.CRL CRL} object's 77 {@link java.security.cert.CRL#isRevoked isRevoked()} method. 78 </p> 79 80 <p class="caution"> 81 <strong>Caution:</strong> Although you can complete this process within 82 your app directly, its safer to check the certificates revocation lists 83 on a separate server that you trust. 84 </p> 85 </li> 86 87 <li> 88 <p> 89 Create an <code>Attestation</code> object, passing in the first element of 90 the certificate chain as an argument:</p> 91 92 <pre> 93 // "certificates" contains the certificate chain associated with a specific key 94 // pair in the device's hardware-backed keystore. 95 X509Certificate attestationCert = (X509Certificate) certificates[0]; 96 Attestation hardwareKeyAttestation = new Attestation(attestationCert); 97 </pre> 98 99 <p> 100 An attestation object extracts the extension data within this certificate 101 and stores this information in a more accessible format. For more details 102 about the schema of the extension data, see <a href= 103 "#certificate_schema">Certificate Extension Data Schema</a>. 104 </p> 105 </li> 106 107 <li> 108 <p> 109 Use the accessor methods within the <code>Attestation</code> class to 110 retrieve the extension data from the certificate. These methods use the 111 same names and structure hierarchy as in the certificate extension data 112 schema. 113 </p> 114 115 <p> 116 For example, to view the verified boot key for the devices TEE, use the 117 following method sequence: 118 </p> 119 120 <pre> 121 // "hardwareKeyAttestation" contains the first element of the attestation 122 // certificate chain. 123 AuthorizationList teeAuthList = hardwareKeyAttestation.getTeeEnforced(); 124 RootOfTrust teeRootOfTrust = teeAuthList.getRootOfTrust(); 125 byte[] teeVerifiedBootKey = teeRootOfTrust.getVerifiedBootKey(); 126 </pre> 127 128 </li> 129 130 <li> 131 <p> 132 Compare the extension data from the <code>Attestation</code> object with 133 the set of values that you expect the hardware-backed key to contain. 134 </p> 135 136 <p class="caution"> 137 <strong>Caution:</strong> Although you can complete this process within 138 your app directly, its safer to check the certificates extension data 139 on a separate server that you trust. 140 </p> 141 </li> 142 </ol> 143 144 <h2 id="certificate_schema"> 145 Certificate Extension Data Schema 146 </h2> 147 148 <p> 149 Key attestation verifies the extension data that appears in the first 150 certificate within the chain in a devices hardware-backed keystore. The 151 certificate stores the information according to the following ASN.1 schema: 152 </p> 153 154 <pre class="no-pretty-print"> 155 KeyDescription ::= SEQUENCE { 156 attestationVersion INTEGER, 157 attestationSecurityLevel SecurityLevel, 158 keymasterVersion INTEGER, 159 keymasterSecurityLevel SecurityLevel, 160 attestationChallenge OCTET_STRING, 161 <var>reserved OCTET_STRING</var>, 162 softwareEnforced AuthorizationList, 163 teeEnforced AuthorizationList, 164 } 165 166 SecurityLevel ::= ENUMERATED { 167 Software (0), 168 TrustedEnvironment (1), 169 } 170 171 AuthorizationList ::= SEQUENCE { 172 purpose [1] EXPLICIT SET OF INTEGER OPTIONAL, 173 algorithm [2] EXPLICIT INTEGER OPTIONAL, 174 keySize [3] EXPLICIT INTEGER OPTIONAL, 175 digest [5] EXPLICIT SET OF INTEGER OPTIONAL, 176 padding [6] EXPLICIT SET OF INTEGER OPTIONAL, 177 ecCurve [10] EXPLICIT INTEGER OPTIONAL, 178 rsaPublicExponent [200] EXPLICIT INTEGER OPTIONAL, 179 activeDateTime [400] EXPLICIT INTEGER OPTIONAL, 180 originationExpireDateTime [401] EXPLICIT INTEGER OPTIONAL, 181 usageExpireDateTime [402] EXPLICIT INTEGER OPTIONAL, 182 noAuthRequired [503] EXPLICIT NULL OPTIONAL, 183 userAuthType [504] EXPLICIT INTEGER OPTIONAL, 184 authTimeout [505] EXPLICIT INTEGER OPTIONAL, 185 allowWhileOnBody [506] EXPLICIT NULL OPTIONAL, 186 allApplications [600] EXPLICIT NULL OPTIONAL, 187 applicationId [601] EXPLICIT OCTET_STRING OPTIONAL, 188 creationDateTime [701] EXPLICIT INTEGER OPTIONAL, 189 origin [702] EXPLICIT INTEGER OPTIONAL, 190 rollbackResistant [703] EXPLICIT NULL OPTIONAL, 191 rootOfTrust [704] EXPLICIT RootOfTrust OPTIONAL, 192 osVersion [705] EXPLICIT INTEGER OPTIONAL, 193 osPatchLevel [706] EXPLICIT INTEGER OPTIONAL, 194 attestationChallenge [708] EXPLICIT INTEGER OPTIONAL, 195 attestationApplicationId [709] EXPLICIT OCTET_STRING OPTIONAL, 196 } 197 198 RootOfTrust ::= SEQUENCE { 199 verifiedBootKey OCTET_STRING, 200 deviceLocked BOOLEAN, 201 verifiedBootState VerifiedBootState, 202 } 203 204 VerifiedBootState ::= ENUMERATED { 205 Verified (0), 206 SelfSigned (1), 207 Unverified (2), 208 Failed (3), 209 } 210 </pre> 211 212 <p> 213 The following list presents a description of each element within the schema: 214 </p> 215 216 <h3 id="certificate_schema_keydescription"> 217 KeyDescription 218 </h3> 219 220 <p> 221 This sequence of values presents general information about the key pair being 222 verified through key attestation and provides easy access to additional 223 details. 224 </p> 225 226 <dl> 227 <dt> 228 <code>attestationVersion</code> 229 </dt> 230 231 <dd> 232 The version of the key attestation feature. Should be set to 1. 233 </dd> 234 235 <dt> 236 <code>attestationSecurityLevel</code> 237 </dt> 238 239 <dd> 240 <p> 241 The <a href="#certificate_schema_securitylevel">security 242 level</a> of the attestation. 243 </p> 244 245 <p class="caution"> 246 <strong>Warning:</strong> Although it is possible to attest keys that are 247 stored in the Android system—that is, if the value of 248 <code>attestationSecurityLevel</code> is set to Software—you 249 cannot trust these attestations if the Android system becomes compromised. 250 </p> 251 </dd> 252 253 <dt> 254 <code>keymasterVersion</code> 255 </dt> 256 257 <dd> 258 The version of the Keymaster hardware abstraction layer (HAL). Use 0 to 259 represent version 0.2 or 0.3, 1 to represent version 1.0, and 2 to represent 260 version 2.0. 261 </dd> 262 263 <dt> 264 <code>keymasterSecurityLevel</code> 265 </dt> 266 267 <dd> 268 The <a href="#certificate_schema_securitylevel">security 269 level</a> of the Keymaster implementation. 270 </dd> 271 272 <dt> 273 <code>attestationChallenge</code> 274 </dt> 275 276 <dd> 277 The challenge string associated with a key pair that is verified using key 278 attestation. 279 </dd> 280 281 <dt> 282 <code><var>reserved</var></code> 283 </dt> 284 285 <dd> 286 Only system apps use this value. In all other apps, this value is empty. 287 </dd> 288 289 <dt> 290 <code>softwareEnforced</code> 291 </dt> 292 293 <dd> 294 Optional. The Keymaster <a href= 295 "#certificate_schema_authorizationlist">authorization 296 list</a> that is enforced by the Android system, not by the devices TEE. 297 </dd> 298 299 <dt> 300 <code>teeEnforced</code> 301 </dt> 302 303 <dd> 304 Optional. The Keymaster <a href= 305 "#certificate_schema_authorizationlist">authorization 306 list</a> that is enforced by the devices TEE. 307 </dd> 308 </dl> 309 310 <h3 id="certificate_schema_securitylevel"> 311 SecurityLevel 312 </h3> 313 314 <p> 315 This data structure indicates the extent to which a software feature, such as 316 a key pair, is protected based on its location within the device. 317 </p> 318 319 <p> 320 Because the data structure is an enumeration, it takes on exactly one of the 321 following values: 322 </p> 323 324 <dl> 325 <dt> 326 Software 327 </dt> 328 329 <dd> 330 The logic for creating and managing the feature is implemented in the 331 Android system. For the purposes of creating and storing key pairs, this 332 location is less secure than the TEE but is more secure than your app's 333 process space. 334 </dd> 335 336 <dt> 337 TrustedEnvironment 338 </dt> 339 340 <dd> 341 The logic for creating and managing the feature is implemented in secure 342 hardware, such as a TEE. For the purposes of creating and storing key pairs, 343 this location is more secure because secure hardware is highly resistant to 344 remote compromise. 345 </dd> 346 </dl> 347 348 <h3 id="certificate_schema_authorizationlist"> 349 AuthorizationList 350 </h3> 351 352 <p> 353 This data structure contains the key pairs properties themselves, as defined 354 in the Keymaster hardware abstraction layer (HAL). You compare these values 355 to the devices current state or to a set of expected values to verify that a 356 key pair is still valid for use in your app. 357 </p> 358 359 <p> 360 Each field name corresponds to a similarly-named Keymaster tag. For example, 361 the <code>keySize</code> field in an authorization list corresponds to the 362 <a href="https://source.android.com/security/keystore/implementer-ref.html#km_tag_key_size"> 363 <code>KM_TAG_KEY_SIZE</code></a> Keymaster tag. 364 </p> 365 366 <p> 367 Each field in the following list is optional: 368 </p> 369 370 <dl> 371 <dt> 372 <code>purpose</code> 373 </dt> 374 375 <dd> 376 Corresponds to the <code><a href= 377 "https://source.android.com/security/keystore/implementer-ref.html#km_tag_purpose"> 378 KM_TAG_PURPOSE</a></code> Keymaster tag, which uses a tag ID value of 1. 379 </dd> 380 381 <dt> 382 <code>algorithm</code> 383 </dt> 384 385 <dd> 386 <p> 387 Corresponds to the <code><a href= 388 "https://source.android.com/security/keystore/implementer-ref.html#km_tag_algorithm"> 389 KM_TAG_ALGORITHM</a></code> Keymaster tag, which uses a tag ID value of 390 2. 391 </p> 392 393 <p> 394 When an <code>AuthorizationList</code> object is associated with key 395 attestation, this value is always <code>KM_ALGORITHM_RSA</code> or 396 <code>KM_ALGORITHM_EC</code>. 397 </p> 398 </dd> 399 400 <dt> 401 <code>keySize</code> 402 </dt> 403 404 <dd> 405 Corresponds to the <code><a href= 406 "https://source.android.com/security/keystore/implementer-ref.html#km_tag_key_size"> 407 KM_TAG_KEY_SIZE</a></code> Keymaster tag, which uses a tag ID value of 3. 408 </dd> 409 410 <dt> 411 <code>digest</code> 412 </dt> 413 414 <dd> 415 Corresponds to the <code><a href= 416 "https://source.android.com/security/keystore/implementer-ref.html#km_tag_digest"> 417 KM_TAG_DIGEST</a></code> Keymaster tag, which uses a tag ID value of 5. 418 </dd> 419 420 <dt> 421 <code>padding</code> 422 </dt> 423 424 <dd> 425 Corresponds to the <code><a href= 426 "https://source.android.com/security/keystore/implementer-ref.html#km_tag_padding"> 427 KM_TAG_PADDING</a></code> Keymaster tag, which uses a tag ID value of 6. 428 </dd> 429 430 <dt> 431 <code>ecCurve</code> 432 </dt> 433 434 <dd> 435 <p> 436 Corresponds to the <code>KM_TAG_EC_CURVE</code> Keymaster tag, which uses 437 a tag ID value of 10. 438 </p> 439 440 <p> 441 The set of parameters used to generate an elliptic curve (EC) key pair, 442 which uses ECDSA for signing and verification, within the Android system 443 keystore. 444 </p> 445 </dd> 446 447 <dt> 448 <code>rsaPublicExponent</code> 449 </dt> 450 451 <dd> 452 Corresponds to the <code><a href= 453 "https://source.android.com/security/keystore/implementer-ref.html#km_tag_rsa_public_exponent"> 454 KM_TAG_RSA_PUBLIC_EXPONENT</a></code> Keymaster tag, which uses a tag ID 455 value of 200. 456 </dd> 457 458 <dt> 459 <code>activeDateTime</code> 460 </dt> 461 462 <dd> 463 Corresponds to the <code><a href= 464 "https://source.android.com/security/keystore/implementer-ref.html#km_tag_active_datetime"> 465 KM_TAG_ACTIVE_DATETIME</a></code> Keymaster tag, which uses a tag ID value 466 of 400. 467 </dd> 468 469 <dt> 470 <code>originationExpireDateTime</code> 471 </dt> 472 473 <dd> 474 Corresponds to the <code><a href= 475 "https://source.android.com/security/keystore/implementer-ref.html#km_tag_origination_expire_datetime"> 476 KM_TAG_ORIGINATION_EXPIRE_DATETIME</a></code> Keymaster tag, which uses a 477 tag ID value of 401. 478 </dd> 479 480 <dt> 481 <code>usageExpireDateTime</code> 482 </dt> 483 484 <dd> 485 Corresponds to the <code><a href= 486 "https://source.android.com/security/keystore/implementer-ref.html#km_tag_usage_expire_datetime"> 487 KM_TAG_USAGE_EXPIRE_DATETIME</a></code> Keymaster tag, which uses a tag ID 488 value of 402. 489 </dd> 490 491 <dt> 492 <code>noAuthRequired</code> 493 </dt> 494 495 <dd> 496 <p> 497 Corresponds to the <code><a href= 498 "https://source.android.com/security/keystore/implementer-ref.html#km_tag_no_auth_required"> 499 KM_TAG_NO_AUTH_REQUIRED</a></code> Keymaster tag, which uses a tag ID 500 value of 503. 501 </p> 502 503 <p> 504 When an <code>AuthorizationList</code> object is associated with key 505 attestation, this value is always true. 506 </p> 507 </dd> 508 509 <dt> 510 <code>userAuthType</code> 511 </dt> 512 513 <dd> 514 Corresponds to the <code><a href= 515 "https://source.android.com/security/keystore/implementer-ref.html#km_tag_user_auth_type"> 516 KM_TAG_USER_AUTH_TYPE</a></code> Keymaster tag, which uses a tag ID value 517 of 504. 518 </dd> 519 520 <dt> 521 <code>authTimeout</code> 522 </dt> 523 524 <dd> 525 Corresponds to the <code><a href= 526 "https://source.android.com/security/keystore/implementer-ref.html#km_tag_auth_timeout"> 527 KM_TAG_AUTH_TIMEOUT</a></code> Keymaster tag, which uses a tag ID value of 528 505. 529 </dd> 530 531 <dt> 532 <code>allowWhileOnBody</code> 533 </dt> 534 535 <dd> 536 <p> 537 Corresponds to the <code>KM_TAG_ALLOW_WHILE_ON_BODY</code> Keymaster tag, 538 which uses a tag ID value of 506. 539 </p> 540 541 <p> 542 Allows the key to be used after its authentication timeout period if the 543 user is still wearing the device on their body. Note that a secure 544 on-body sensor determines whether the device is being worn on the users 545 body. 546 </p> 547 548 <p> 549 When an <code>AuthorizationList</code> object is associated with key 550 attestation, this value is always true. 551 </p> 552 </dd> 553 554 <dt> 555 <code>allApplications</code> 556 </dt> 557 558 <dd> 559 <p> 560 Corresponds to the <code>KM_TAG_ALL_APPLICATIONS</code> Keymaster tag, 561 which uses a tag ID value of 600. 562 </p> 563 564 <p> 565 Indicates whether all apps on a device can access the key pair. 566 </p> 567 568 <p> 569 When an <code>AuthorizationList</code> object is associated with key 570 attestation, this value is always true. 571 </p> 572 </dd> 573 574 <dt> 575 <code>applicationId</code> 576 </dt> 577 578 <dd> 579 Corresponds to the <code><a href= 580 "https://source.android.com/security/keystore/implementer-ref.html#km_tag_application_id"> 581 KM_TAG_APPLICATION_ID</a></code> Keymaster tag, which uses a tag ID value 582 of 601. 583 </dd> 584 585 <dt> 586 <code>creationDateTime</code> 587 </dt> 588 589 <dd> 590 Corresponds to the <code><a href= 591 "https://source.android.com/security/keystore/implementer-ref.html#km_tag_creation_datetime"> 592 KM_TAG_CREATION_DATETIME</a></code> Keymaster tag, which uses a tag ID 593 value of 701. 594 </dd> 595 596 <dt> 597 <code>origin</code> 598 </dt> 599 600 <dd> 601 <p> 602 Corresponds to the <code><a href= 603 "https://source.android.com/security/keystore/implementer-ref.html#km_tag_origin"> 604 KM_TAG_ORIGIN</a></code> Keymaster tag, which uses a tag ID value of 702. 605 </p> 606 607 <p> 608 When an <code>AuthorizationList</code> object is associated with key 609 attestation, this value is usually set to 610 <code>KM_ORIGIN_GENERATED</code>. If the attestation uses Keymaster 611 version 0.2 or 0.3, however, the origin may be set to 612 <code>KM_ORIGIN_UNKNOWN</code> instead. 613 </p> 614 </dd> 615 616 <dt> 617 <code>rollbackResistant</code> 618 </dt> 619 620 <dd> 621 Corresponds to the <code><a href= 622 "https://source.android.com/security/keystore/implementer-ref.html#km_tag_rollback_resistant"> 623 KM_TAG_ROLLBACK_RESISTANT</a></code> Keymaster tag, which uses a tag ID 624 value of 703. 625 </dd> 626 627 <dt> 628 <code>rootOfTrust</code> 629 </dt> 630 631 <dd> 632 <p> 633 Corresponds to the <code><a href= 634 "https://source.android.com/security/keystore/implementer-ref.html#km_tag_root_of_trust"> 635 KM_TAG_ROOT_OF_TRUST</a></code> Keymaster tag, which uses a tag ID value 636 of 704. 637 </p> 638 639 <p> 640 For more details, see the section describing the <code><a href= 641 "#certificate_schema_rootoftrust">RootOfTrust</a></code> 642 data structure. 643 </p> 644 </dd> 645 646 <dt> 647 <code>osVersion</code> 648 </dt> 649 650 <dd> 651 <p> 652 Corresponds to the <code>KM_TAG_OS_VERSION</code> Keymaster tag, which 653 uses a tag ID value of 705. 654 </p> 655 656 <p> 657 The version of the Android operating system associated with the 658 Keymaster, specified as a six-digit integer. For example, version 6.0.1 659 is represented as 060001. 660 </p> 661 662 <p> 663 Only Keymaster version 1.0 or higher includes this value in the 664 authorization list. 665 </p> 666 </dd> 667 668 <dt> 669 <code>osPatchLevel</code> 670 </dt> 671 672 <dd> 673 <p> 674 Corresponds to the <code>KM_TAG_PATCHLEVEL</code> Keymaster tag, which 675 uses a tag ID value of 706. 676 </p> 677 678 <p> 679 The month and year associated with the security patch that is being used 680 within the Keymaster, specified as a six-digit integer. For example, the 681 June 2016 patch is represented as 201606. 682 </p> 683 684 <p> 685 Only Keymaster version 1.0 or higher includes this value in the 686 authorization list. 687 </p> 688 </dd> 689 690 <dt> 691 <code>attestationChallenge</code> 692 </dt> 693 694 <dd> 695 <p> 696 Corresponds to the <code>KM_TAG_ATTESTATION_CHALLENGE</code> Keymaster 697 tag, which uses a tag ID value of 708. 698 </p> 699 700 <p> 701 The challenge string associated with the key pair that is defined in the 702 Keymaster. 703 </p> 704 </dd> 705 706 <dt> 707 <code>attestationApplicationId</code> 708 </dt> 709 710 <dd> 711 <p> 712 Corresponds to the <code>KM_TAG_ATTESTATION_APPLICATION_ID</code> 713 Keymaster tag, which uses a tag ID value of 709. 714 </p> 715 716 <p> 717 The unique ID of the attestation certificate that signed the key pair 718 that is in the Keymaster. 719 </p> 720 </dd> 721 </dl> 722 723 <h3 id="certificate_schema_rootoftrust"> 724 RootOfTrust 725 </h3> 726 727 <p> 728 This collection of values defines key information about the devices status. 729 </p> 730 731 <p> 732 Each field in the following list is required: 733 </p> 734 735 <dl> 736 <dt> 737 <code>verifiedBootKey</code> 738 </dt> 739 740 <dd> 741 <p> 742 A secure hash of the key that verifies the system image. It is recommended 743 that you use the SHA-256 algorithm for this hash. 744 </p> 745 </dd> 746 747 <dt> 748 <code>deviceLocked</code> 749 </dt> 750 751 <dd> 752 True if the devices bootloader is locked, which enables Verified Boot 753 checking and prevents an unsigned device image from being flashed onto the 754 device. For more information about this feature, see the <a class= 755 "external-link" href= 756 "https://source.android.com/security/verifiedboot/verified-boot.html">Verifying 757 Boot</a> documentation. 758 </dd> 759 760 <dt> 761 <code>verifiedBootState</code> 762 </dt> 763 764 <dd> 765 The <a href="#certificate_schema_verifiedbootstate">boot 766 state</a> of the device, according to the Verified Boot feature. 767 </dd> 768 769 <dt> 770 <code>osVersion</code> 771 </dt> 772 773 <dd> 774 The current version of the Android operating system on the device, 775 specified as a six-digit integer. For example, version 6.0.1 is represented 776 as 060001. 777 </dd> 778 779 <dt> 780 <code>patchMonthYear</code> 781 </dt> 782 783 <dd> 784 The month and year associated with the security patch that is currently 785 installed on the device, specified as a six-digit integer. For example, the 786 August 2016 patch is represented as 201608. 787 </dd> 788 </dl> 789 790 <h3 id="certificate_schema_verifiedbootstate"> 791 VerifiedBootState 792 </h3> 793 794 <p> 795 This data structure provides the devices current boot state, which 796 represents the level of protection provided to the user and to apps after the 797 device finishes booting. For more information about this feature, see the 798 <a class="external-link" href= 799 "https://source.android.com/security/verifiedboot/verified-boot.html#boot_state"> 800 Boot State</a> section within the Verifying Boot documentation. 801 </p> 802 803 <p> 804 This data structure is an enumeration, so it takes on exactly one of the 805 following values: 806 </p> 807 808 <dl> 809 <dt> 810 Verified 811 </dt> 812 813 <dd> 814 <p> 815 Indicates a full chain of trust, which includes the bootloader, the boot 816 partition, and all verified partitions. 817 </p> 818 819 <p> 820 When the device is in this boot state, the <code>verifiedBootKey</code> is 821 the hash of the device-embedded certificate, which the device manufacturer 822 adds to the device's ROM at the factory. 823 </p> 824 </dd> 825 826 <dt> 827 SelfSigned 828 </dt> 829 830 <dd> 831 <p> 832 Indicates that the device-embedded certificate has verified the devices 833 boot partition and that the signature is valid. 834 </p> 835 836 <p> 837 When the device is in this boot state, the <code>verifiedBootKey</code> is 838 the hash of a user-installed certificate, which signs a boot partition 839 that the user adds to the device in place of the original, 840 manufacturer-provided boot partition. 841 </p> 842 </dd> 843 844 <dt> 845 Unverified 846 </dt> 847 848 <dd> 849 Indicates that the user can modify the device freely. Therefore, the user is 850 responsible for verifying the devices integrity. 851 </dd> 852 853 <dt> 854 Failed 855 </dt> 856 857 <dd> 858 Indicates that the device has failed verification. The attestation 859 certificate should never use this value for <code>VerifiedBootState</code>. 860 </dd> 861 </dl> 862
