
Signing & Enforcing Security

TODO

This article is a work in progress.

Signing keys for the Apostrophy OS platform and its updates exist in precisely two places:

  • an air-gapped workstation at Apostrophy Technology HQ,

  • a bank vault.

The process of releasing updates to the platform (and its system packages) is therefore relatively involved.

Signing Processes

We distinguish the following categories of processes:

  • Android Platform developers, including those for system apps

    Developers must be able to repeatedly and reliably (...)

  • Intermediate releases not intended for public consumption

    These include builds for feature preview releases, proof-of-concept implementations and acceptance testing, but they must not be applicable to general public devices.

  • General Availability Releases

    For both the platform and intermediate updates to associated system packages.

Boot Security

Authenticated Download Agent

In vendor/vendor/mediatek/proprietary/bootable/bootloader/preloader/platform/mt6878/flash/make_script/mode/DA_BR.mak, ensure the following settings are available:

C_OPTION += -DDA_ENABLE_SECURITY=1
C_OPTION += -DDA_ENABLE_ANTI_ROLLBACK=1

Preloader

In vendor/vendor/mediatek/proprietary/bootable/bootloader/preloader/custom/k6878v1_64/k6878v1_64.mk, ensure the following settings are available:

MTK_SECURITY_SW_SUPPORT=yes
MTK_SECURITY_ANTI_ROLLBACK=yes
MTK_SEC_BOOT=ATTR_SBOOT_ENABLE # alternative ATTR_SBOOT_ONLY_ENABLE_ON_SCHIP
MTK_SEC_USBDL=ATTR_SUSBDL_ENABLE # alternative ATTR_SUSBDL_ONLY_ENABLE_ON_SCHIP

With the alternative values shown in the comments, whether the configured setting actually takes effect depends on SBC_EN.

Little Kernel

In vendor/vendor/mediatek/proprietary/bootable/bootloader/lk2/project/k6878v1_64.mk, ensure the following settings are available:

MTK_SECURITY_SW_SUPPORT=yes
MTK_SECURITY_ANTI_ROLLBACK=yes

Kernel

In vendor/kernel-6.1/arch/arm64/configs/gki_defconfig and vendor/kernel-6.1/arch/arm64/configs/gki_debug_defconfig, ensure the following setting is available:

CONFIG_MTK_SECURITY_SW_SUPPORT=y

// // build tested up to here //

In vendor/device/mediateksample/k6878v1_64/ko_order_table.csv and vendor/kernel/kernel_device_modules-6.1/arch/arm64/configs/mgk_64_k61_defconfig, ensure the following setting is present:

sec.ko,/../kernel_device_modules-6.1/drivers/misc/mediatek/masp/sec.ko,vendor,Y,Y,user/userdebug/eng
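The Boot Security steps above are easy to get wrong in a large BSP tree (a setting commented out, or present in the preloader config but not in lk2). The following script, added here as an example and not part of the Apostrophy OS documentation or build system, checks every setting listed above against a build tree rooted at a given directory. The file paths are the ones named on this page; the layout beneath the tree root, and the sample tree the script can construct for itself, are assumptions.

```shell
# Added example, not Apostrophy's code: verify that the secure-boot settings
# listed above are present in a build tree. Paths are those named on this page;
# the layout beneath the tree root is an assumption.
DA=vendor/vendor/mediatek/proprietary/bootable/bootloader/preloader/platform/mt6878/flash/make_script/mode/DA_BR.mak
PL=vendor/vendor/mediatek/proprietary/bootable/bootloader/preloader/custom/k6878v1_64/k6878v1_64.mk
LK=vendor/vendor/mediatek/proprietary/bootable/bootloader/lk2/project/k6878v1_64.mk
K1=vendor/kernel-6.1/arch/arm64/configs/gki_defconfig
K2=vendor/kernel-6.1/arch/arm64/configs/gki_debug_defconfig
KO=vendor/device/mediateksample/k6878v1_64/ko_order_table.csv

# One requirement per line, "<path>|<ERE>". Anchoring at line start means a
# commented-out setting ("# MTK_SEC_BOOT=...") is not mistaken for an enabled one.
requirements() {
  cat <<EOF
$DA|^C_OPTION [+]= -DDA_ENABLE_SECURITY=1
$DA|^C_OPTION [+]= -DDA_ENABLE_ANTI_ROLLBACK=1
$PL|^MTK_SECURITY_SW_SUPPORT=yes
$PL|^MTK_SECURITY_ANTI_ROLLBACK=yes
$PL|^MTK_SEC_BOOT=(ATTR_SBOOT_ENABLE|ATTR_SBOOT_ONLY_ENABLE_ON_SCHIP)
$PL|^MTK_SEC_USBDL=(ATTR_SUSBDL_ENABLE|ATTR_SUSBDL_ONLY_ENABLE_ON_SCHIP)
$LK|^MTK_SECURITY_SW_SUPPORT=yes
$LK|^MTK_SECURITY_ANTI_ROLLBACK=yes
$K1|^CONFIG_MTK_SECURITY_SW_SUPPORT=y
$K2|^CONFIG_MTK_SECURITY_SW_SUPPORT=y
$KO|^sec[.]ko,/[.][.]/kernel_device_modules-6[.]1/drivers/misc/mediatek/masp/sec[.]ko,vendor,Y,Y,user/userdebug/eng
EOF
}

# Print each "path|pattern" the tree rooted at $1 fails to satisfy (a missing
# file counts as missing settings). Prints nothing when the tree is compliant.
missing_settings() {
  requirements | while IFS='|' read -r path pattern; do
    grep -qE "$pattern" "$1/$path" 2>/dev/null || printf '%s|%s\n' "$path" "$pattern"
  done
}

# Exit status 0 only when every required setting is present.
verify_tree() { [ -z "$(missing_settings "$1")" ]; }

# Constructed sample tree (not a real BSP checkout) under $1: each required file
# receives its setting, derived from the pattern by dropping the regex syntax
# and keeping the first alternative.
make_sample_tree() {
  requirements | while IFS='|' read -r path pattern; do
    mkdir -p "$1/$(dirname "$path")"
    printf '%s\n' "$pattern" | sed 's/^\^//; s/\[\(.\)\]/\1/g; s/(\([^|]*\)|.*)/\1/' >>"$1/$path"
  done
}
# Usage: sh check_secboot.sh <build-tree-root>  (prints unmet requirements)
if [ $# -eq 1 ]; then missing_settings "$1"; fi
```

Run it against the tree root after applying the settings; an empty output means every listed line is present and uncommented, and each printed line names the file and the setting still missing.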