RPMB (Replay Protected Memory Block)
doc
eMMC security feature: password lock/unlock, write protect, RPMB
Hardware-Backed Mobile Secure Storage
Mobile Secure Data protection using eMMC RPMB Partition
background
AP (Application Processor)
CP (Communication Processor),也称为modem
AP <--- IPC ---> CP
eMMC (Embedded Multi Media Card) 存储软件、用户数据
RPMB是从eMMC划出一块特殊的区域,128KB的整数倍,进行访问控制,确保外部无法直接读取,而是需要通过hmac-sha256校验后由RPMB返回相关内容
modem 通过 IPC,请 AP 帮忙把某些数据(例如device id、subscriber id、call number)写入eMMC,这些信息一般是需要保密、且防篡改。
overview
RPMB Data frame的关键内容:Authentication Key,Data,Nonce,Write Counter, Address
产线阶段,Host生成HUK,基于HUK派生Authentication Key,并将Authentication Key写入RPMB。
read
Host生成nonce,向eMMC请求读取某个Address的内容
eMMC基于预置的Authentication Key,结合nonce、Data等信息,计算MAC
Host校验收到的MAC,确认Data内容未经篡改
write
Host生成nonce,并基于Authentication Key,结合nonce,计算MAC;向eMMC请求谋取某个Address的Write Counter
eMMC校验MAC,确认读取Write Counter请求的合法性
eMMC返回Write Counter,且返回的内容也要带MAC
Host校验收到的Write Counter未经篡改
Host基于预置的Authentication Key,结合Write Counter、新的Data等信息,计算MAC;发给eMMC
eMMC校验MAC,确认写入新的Data,并将Write Counter加1
eMMC基于预置的Authentication Key,结合新的Write Counter 以及Result,计算MAC;发给Host
Host校验MAC,确认写入成功
RPMB use case
anti-rollback, 存version number
fail unlock attempts,防止暴力破解
secure write protect