NameDateSize

..11-Jun-20184 KiB

Android.bp11-Jun-201855

Android.mk11-Jun-2018684

client/11-Jun-20184 KiB

core/11-Jun-20184 KiB

hal/11-Jun-20184 KiB

messages/11-Jun-20184 KiB

OWNERS11-Jun-201838

README.md11-Jun-20182.7 KiB

README.md

1# Access-controlled NVRAM implementation
2
3This repository contains various pieces related to the Access-controlled NVRAM
4HAL. In a nutshell, the Access-controlled NVRAM HAL allows creation of NVRAM
5spaces that can hold arbitrary data blobs of limited size. Access restrictions
6can be configured on each NVRAM space to prevent the contents from being
7accessed or modified, up to the point of requiring full hardware reset to clear
8a locked NVRAM space. This can be used for various security features that
9require a trusted storage location for critical data that an attacker can't
10tamper with. For details of the NVRAM HAL API, see
11[hardware/libhardware/include/hardware/nvram.h](https://android.googlesource.com/platform/hardware/libhardware/+/master/include/hardware/nvram.h).
12
13## [client](/client)
14
15Contains a simple command-line application to interact with the NVRAM HAL
16implementation. This is useful for experimentation and use in scripts.
17`nvram-client` receives commands and parameters on the command line and
18translates them to NVRAM HAL calls. Results are printed on stdout.
19
20## [core](/core)
21
22A reference implementation of the NVRAM functionality. This reference
23implementation can be used to create NVRAM HAL implementations that run in a
24trusted execution environment. It is also the basis for the testing NVRAM HAL
25module, which implements the entire NVRAM HAL API surface in userspace for the
26sake of illustration (but obviously doesn't meet the persistence and
27tamper-evidence requirements).
28
29Note that the reference implementation leaves persistent storage to be handled
30by the embedding code, which needs to provide an implementation of the storage
31interface defined in
32[system/nvram/core/include/nvram/core/storage.h](core/include/nvram/core/storage.h).
33
34## [hal](/hal)
35
36The [hal](/hal) directory contains glue code that simplifies creation of NVRAM
37HAL modules. The code implements the API surface specified by the nvram.h HAL
38header and translates calls into the request/response message format defined in
39the [messages](/messages) directory. Thus, to create a working NVRAM HAL module,
40it is sufficient to provide an implementation that understands `nvram::Request`
41and `nvram::Response` objects, the glue code will adapt it to the full NVRAM API
42surface.
43
44## [messages](/messages)
45
46Defines an IPC message format that can be used to serialize NVRAM HAL calls and
47their parameters in preparation for sending them elsewhere (e.g., a TEE) for
48execution. There is a request and a response struct corresponding to each NVRAM
49HAL function. The `nvram::Request` and `nvram::Response` wrappers keep track of
50the actual request or response type, respectively, as well as the request or
51response parameters specific to the type.
52