Trusted Platform Module access

Jim Borden

Jun 18, 2020, 11:27:14 PM
to android-ndk
I am working on a C / C++ implementation that involves generating private keys without exposing them to userland. This ability has been in the Linux kernel for quite some time, and a look at recent Android kernels indicates that its support is enabled (CONFIG_KEYS=y) but the keyutils library is not in the sysroot and the keyctl function is nowhere to be found. Is this something that we are not allowed to use in the NDK? Are there any other methods to achieve this goal? I'd love to avoid going through JNI into Java just to use the Android KeyStore class, which I am assuming simply calls back into the JRE to use keyutils anyway (seems like a waste of an expensive trip across the managed / unmanaged border twice).

Dan Albert

Jun 19, 2020, 12:16:22 AM
to android-ndk
Could you file a bug? I don't know about the actual availability among the various kernel versions, but we can get CTS tests added and probably add the library that exposes the syscall wrappers, assuming there isn't a reason we've avoided adding this other than just being overlooked :)


Jim Borden

Jun 19, 2020, 1:16:35 AM
to android-ndk
Ok, I wasn't quite sure how to word it but -> https://github.com/android/ndk/issues/1284

If it makes things simpler, this could be translated to "I want to do what the Android KeyStore does, but completely inside the NDK" (not sure of the exact implementation and I know it varies by API level and hardware availability).


Dan Albert

Jun 19, 2020, 4:24:10 AM
to android-ndk
Thanks! We'll see what we can do and continue the conversation on the bug. 
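
The keyutils functions discussed in this thread are thin wrappers over the add_key(2) and keyctl(2) system calls, so they can be reached through syscall(2) when the library is absent from the sysroot. The C below is an added example, not code from the thread or from the NDK: it stores a constructed secret as a "logon" key, a key type whose payload cannot be read back from user space, and returns every failure as -errno. It assumes nothing about whether a given device's kernel or sandbox policy permits these calls; the kr_* names and the "example:demo" description are hypothetical.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/syscall.h>
#include <unistd.h>

/* Values from the kernel uapi header <linux/keyctl.h>, repeated here so the
 * example does not depend on that header being in the sysroot. */
#define KR_PROCESS_KEYRING (-2L) /* KEY_SPEC_PROCESS_KEYRING */
#define KR_KEYCTL_UNLINK 9
#define KR_KEYCTL_READ 11

/* Equivalent of libkeyutils' add_key(): one raw system call.
 * Returns the new key's serial number (> 0) or -errno. */
static long kr_add_key(const char *type, const char *desc,
                       const void *payload, size_t len) {
    long id = syscall(__NR_add_key, type, desc, payload, len, KR_PROCESS_KEYRING);
    return id < 0 ? -errno : id;
}

/* Equivalent of libkeyutils' keyctl(). Returns the result or -errno. */
static long kr_keyctl(long cmd, long a2, long a3, long a4) {
    long r = syscall(__NR_keyctl, cmd, a2, a3, a4, 0L);
    return r < 0 ? -errno : r;
}

/* Store `secret` as a "logon" key (description must look like "prefix:name")
 * and try to read it back. Returns 0 if the key was stored and the read was
 * refused, 1 if the payload was readable, -errno if the key was not created. */
long kr_store_write_only(const char *desc, const void *secret, size_t len) {
    char buf[64];
    long id = kr_add_key("logon", desc, secret, len);
    if (id < 0)
        return id; /* e.g. -ENOSYS or -EPERM where the calls are blocked */
    long n = kr_keyctl(KR_KEYCTL_READ, id, (long)buf, (long)sizeof buf);
    kr_keyctl(KR_KEYCTL_UNLINK, id, KR_PROCESS_KEYRING, 0L); /* clean up */
    return n >= 0 ? 1 : 0;
}

int main(void) {
    static const char secret[] = "constructed-sample-secret"; /* not a real key */
    long r = kr_store_write_only("example:demo", secret, sizeof secret - 1);
    if (r < 0)
        printf("kernel keyring unavailable: %s\n", strerror((int)-r));
    else
        printf("payload readable from user space: %s\n", r ? "yes" : "no");
    return 0;
}
```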
