How to check whether Android phone supports TEE?

I have read these two posts: One and Two, but I still have a question.

I use KeyStore (Android 9) to generate an AES key, and use isInsideSecureHardware() method to check whether the key isInsideSecureHardware. I got return False. Sample code can be found here, and here.

public boolean isInsideSecureHardware ()

Returns true if the key resides inside secure hardware (e.g., Trusted Execution Environment (TEE) or Secure Element (SE)). Key material of such keys is available in plaintext only inside the secure hardware and is not exposed outside of it.

Thus, I want to further confirm whether my phone device (Huawei P20) supports TEE.

Question:

  1. If the phone supports TEE, will the key generated by KeyStore be stored in the TEE automatically? Do I need any manual configuration in Java? I heard that keys will be automatically stored in the TEE, as long as you use KeyStore.getInstance(), KeyGenerator.getInstance(algorithm, KeyStore Name). But I am not sure whether this is true or not.

  2. If the answer to Q1 is "needs manual configuration", is that the reason isInsideSecureHardware() returns False? If the answer to Q1 is "automatically", ignore Q2.

  3. Any method to directly check whether the phone supports TEE, in Java?

TJCLARK Avatar asked Mar 02 '23 14:03



1 Answer

@JensV is correct: if you set setIsStrongBoxBacked on the keyGenParameterSpecBuilder, key generation will fail with a StrongBoxUnavailableException if StrongBox is not supported. However, the intermediate case - where there is a TEE (i.e. keys are generated and used within secure HW), but no support for StrongBox - is trickier to discern.

In general, the way to go is to actually generate a key on the device, and then perform HW key attestation on it at the server - consulting the signed key properties to examine the exact degree of HW backing:

  • generate a nonce (random byte string) ON THE SERVER, pass it to the device
  • generate a key on the device, requesting HW attestation by calling setAttestationChallenge on the KeyGenParameterSpec builder and passing in the nonce you get from the server (DO NOT USE A NONCE PRODUCED ON THE DEVICE)
  • request the attestation chain for the key from the Android Key Store
  • pass the attestation data (cert chain) to your server
  • verify the attestation (signature) chain on your server
  • confirm that the root cert matches a published Google root cert
  • confirm that no cert in the chain has been revoked (check against the CRL at https://android.googleapis.com/attestation/status)
  • examine the properties of the Google Key Attestation extension (OID 1.3.6.1.4.1.11129.2.1.17) of the leaf cert
    • confirm the nonce matches (attestationChallenge)
    • consult the attestationSecurityLevel of KeyDescription
SecurityLevel ::= ENUMERATED {
    Software  (0),
    TrustedEnvironment  (1),
    StrongBox  (2),
}

TrustedEnvironment and StrongBox both correspond to hardware-backed keys and crypto operations.

david.barkhuizen Avatar answered Mar 11 '23 14:03

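The flow the answer describes, as an added example that is not part of the original question or answer: the device side generates a key pair with the server's nonce as the attestation challenge (trying StrongBox first and falling back on StrongBoxUnavailableException), and the server side reads attestationSecurityLevel and attestationChallenge out of the Key Attestation extension of the leaf certificate. It assumes BouncyCastle is on the server classpath for ASN.1 parsing and that the server already verified the chain signatures, the Google root and the CRL as listed above; the class and method names are this example's own. Note that the question generated an AES key, but getCertificateChain only returns an attestation chain for asymmetric keys, so an EC key pair is used here.

```java
import android.security.keystore.KeyGenParameterSpec;
import android.security.keystore.KeyProperties;
import android.security.keystore.StrongBoxUnavailableException;
import java.io.IOException;
import java.security.KeyPairGenerator;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Arrays;
import org.bouncycastle.asn1.ASN1Enumerated;
import org.bouncycastle.asn1.ASN1InputStream;
import org.bouncycastle.asn1.ASN1OctetString;
import org.bouncycastle.asn1.ASN1Sequence;

// Example code written for this page; not the original poster's or Android's own code.
public final class KeyAttestationExample {

    // Google Key Attestation extension OID (from the answer above).
    private static final String KEY_ATTESTATION_OID = "1.3.6.1.4.1.11129.2.1.17";

    // Values of the SecurityLevel ENUMERATED quoted in the answer.
    public static final int SOFTWARE = 0;
    public static final int TRUSTED_ENVIRONMENT = 1;
    public static final int STRONG_BOX = 2;

    // ---- Device side (Android, API 28+ for setIsStrongBoxBacked) ----
    // serverNonce MUST be produced by the server; it is echoed back inside the attestation.
    public static Certificate[] generateAttestedKey(String alias, byte[] serverNonce) throws Exception {
        KeyGenParameterSpec.Builder builder = new KeyGenParameterSpec.Builder(
                alias, KeyProperties.PURPOSE_SIGN | KeyProperties.PURPOSE_VERIFY)
                .setDigests(KeyProperties.DIGEST_SHA256)
                .setAttestationChallenge(serverNonce);
        KeyPairGenerator kpg = KeyPairGenerator.getInstance(
                KeyProperties.KEY_ALGORITHM_EC, "AndroidKeyStore");
        try {
            kpg.initialize(builder.setIsStrongBoxBacked(true).build());
            kpg.generateKeyPair();
        } catch (StrongBoxUnavailableException e) {
            // No StrongBox on this device: generate without it. Whether the key ended up in a
            // TEE or in software is decided on the server from attestationSecurityLevel, not here.
            kpg.initialize(builder.setIsStrongBoxBacked(false).build());
            kpg.generateKeyPair();
        }
        KeyStore ks = KeyStore.getInstance("AndroidKeyStore");
        ks.load(null);
        // Leaf (attestation cert) first, root last. Send the whole chain to the server.
        return ks.getCertificateChain(alias);
    }

    // ---- Server side ----
    // Decodes the KeyDescription SEQUENCE carried in the extension's OCTET STRING.
    private static ASN1Sequence keyDescription(X509Certificate leaf) throws IOException {
        byte[] extValue = leaf.getExtensionValue(KEY_ATTESTATION_OID);
        if (extValue == null) {
            return null; // no attestation extension: treat as not attested
        }
        try (ASN1InputStream outer = new ASN1InputStream(extValue)) {
            byte[] der = ASN1OctetString.getInstance(outer.readObject()).getOctets();
            try (ASN1InputStream inner = new ASN1InputStream(der)) {
                return ASN1Sequence.getInstance(inner.readObject());
            }
        }
    }

    // KeyDescription fields, in order: attestationVersion(0), attestationSecurityLevel(1),
    // keymasterVersion(2), keymasterSecurityLevel(3), attestationChallenge(4), uniqueId(5),
    // softwareEnforced(6), teeEnforced(7).
    public static int attestationSecurityLevel(X509Certificate leaf) throws IOException {
        ASN1Sequence kd = keyDescription(leaf);
        if (kd == null) {
            return -1;
        }
        return ASN1Enumerated.getInstance(kd.getObjectAt(1)).getValue().intValue();
    }

    // The nonce the server handed out must come back unchanged; otherwise the attestation
    // could be a replay from another session or another device.
    public static boolean challengeMatches(X509Certificate leaf, byte[] expectedNonce) throws IOException {
        ASN1Sequence kd = keyDescription(leaf);
        if (kd == null) {
            return false;
        }
        byte[] challenge = ASN1OctetString.getInstance(kd.getObjectAt(4)).getOctets();
        return Arrays.equals(challenge, expectedNonce);
    }

    // Both TrustedEnvironment and StrongBox count as hardware-backed, as the answer states.
    public static boolean isHardwareBacked(X509Certificate leaf, byte[] expectedNonce) throws IOException {
        int level = attestationSecurityLevel(leaf);
        return challengeMatches(leaf, expectedNonce)
                && (level == TRUSTED_ENVIRONMENT || level == STRONG_BOX);
    }
}
```

On the server, call isHardwareBacked only after the chain has been validated back to a published Google root and checked against the CRL; the extension's contents are only trustworthy once the signature chain is. A level of 0 (Software) answers the original question: the key was not placed in a TEE, which is consistent with isInsideSecureHardware() returning false.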