Android TZ Keymaster

Source: Internet | Editor: 程序博客网 | Date: 2024/06/05 05:27
Keymaster is a newly introduced key management hardware abstraction layer (HAL) component. It defines all APIs that must be supported by the OEM. The ARM TrustZone (TZ) keymaster application includes the following:

1. Generation of keys: this involves generating a public key and a private key for cryptography.
2. Signing and verification: this allows signing given data with a key stored in, and accessible only by, TZ software, as well as verifying signed data with a key that is likewise only accessible by TZ software.

Types of keymaster HAL are as follows:
- Software-based keymaster: uses the OpenSSL software implementation. Jelly Bean comes with a default soft keymaster module that does all key operations in software only.
- Hardware-based keymaster: uses the TZ application APIs (keymaster application). Hardware keymaster support essentially ensures that the stored key is not accessible in the HLOS.
Regardless of key type (RSA/EC), the generated key blob is encrypted by a key accessible to TZ software only and stored in the file system (FS) on the HLOS side.

Hardware keymaster 1.0 implementation on Android Marshmallow


Keymaster is an access-control-based key service with access to trusted, hardware-bound crypto. It is implemented as a TrustZone-based trusted application (TA). Because it runs inside TrustZone, keymaster cannot be compromised by any kernel or userland bug. All keys generated are bound to the device cryptographically.
Keymaster support on Android Marshmallow requires the following modules:
- keymaster TA
- gatekeeper.<chipset>.so
- keystore.<chipset>.so
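The blob flow described above (keys generated in TZ, an encrypted blob handed to the HLOS file system, every sign/verify routed back through the TA, blobs bound to the device), modelled as an added Python example; this is not code from the page or from any Android component. The HMAC-SHA256 keystream wrapping and the HMAC used in place of an RSA/EC signature are stand-ins so the model runs on the standard library alone; the HLOS "file system" is a dict.

```python
import hashlib, hmac, secrets

def _xor_stream(key, nonce, data):
    """XOR data with an HMAC-SHA256 counter keystream (simulates TZ blob encryption)."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)

class TrustZoneKeymaster:
    """Stand-in for the keymaster TA; _kek is the device-bound key that only TZ can read."""
    def __init__(self):
        self._kek = secrets.token_bytes(32)  # constructed; a real TA derives it from hardware

    def generate_key(self):
        """Create private key material inside TZ; the HLOS only ever receives the wrapped blob."""
        priv = secrets.token_bytes(32)
        nonce = secrets.token_bytes(16)
        ct = _xor_stream(self._kek, nonce, priv)
        tag = hmac.new(self._kek, nonce + ct, hashlib.sha256).digest()
        return nonce + ct + tag  # 80-byte blob: nonce || ciphertext || integrity tag

    def _unwrap(self, blob):
        nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
        expected = hmac.new(self._kek, nonce + ct, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            return None  # tampered blob, or a blob wrapped by another device's key
        return _xor_stream(self._kek, nonce, ct)

    def sign(self, blob, data):
        """Sign inside TZ; an HMAC stands in for the RSA/EC signature of the real TA."""
        key = self._unwrap(blob)
        return None if key is None else hmac.new(key, data, hashlib.sha256).digest()

    def verify(self, blob, data, sig):
        expected = self.sign(blob, data)
        return expected is not None and hmac.compare_digest(sig, expected)

def hlos_demo():
    """HLOS side: store only the opaque blob and route every key use through TZ."""
    tz = TrustZoneKeymaster()
    hlos_fs = {"key1.blob": tz.generate_key()}  # dict stands in for the HLOS file system
    sig = tz.sign(hlos_fs["key1.blob"], b"data to sign")
    ok = tz.verify(hlos_fs["key1.blob"], b"data to sign", sig)
    tampered = bytearray(hlos_fs["key1.blob"])
    tampered[20] ^= 1  # HLOS flips one ciphertext byte
    tamper_rejected = tz.sign(bytes(tampered), b"data to sign") is None
    device_bound = TrustZoneKeymaster().sign(hlos_fs["key1.blob"], b"data to sign") is None
    return ok, tamper_rejected, device_bound
```

The point to take from the model is that the HLOS never holds usable key material: a modified blob, or a blob copied to another device, fails the TA's integrity check before any key is unwrapped.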


Gatekeeper is a trusted source for verifying the authenticated state of the device. Gatekeeper does the following:

- provides APIs to enroll and verify a password
- returns a signed auth token with a timestamp to unlock keystore/keymaster
- provides rollback protection on passwords


The gatekeeper architecture includes the following:

- gatekeeper daemon
- gatekeeper HAL API
- hardware gatekeeper
