Janis Danisevskis | 8fe0cfb | 2020-01-13 14:24:32 -0800

## Secure UI Architecture

To implement confirmationui, a secure UI architecture is required. This entails a way
to display the confirmation dialog driven by a reduced trusted computing base, typically
a trusted execution environment (TEE), without having to rely on Linux and the Android
system for the integrity and authenticity of input events. This implementation provides
neither. But it provides most of the functionality required to run a full Android Protected
Confirmation feature when integrated into a secure UI architecture.

## Secure input (NotSoSecureInput)

This implementation does not provide any security guarantees.
The input method (NotSoSecureInput) runs a cryptographic protocol that is
sufficiently secure if, and only if, the endpoint is implemented on a trustworthy
secure input device. But since the endpoint is currently in the HAL
service itself, this implementation is not secure.

NOTE that a secure input device endpoint needs a good source of entropy
for generating nonces. The current implementation (NotSoSecureInput.cpp#generateNonce)
uses a constant nonce.
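The two points above (the endpoint must live on a trustworthy input device, and it must issue fresh nonces) can be checked with a small model. The following is an added example, not code from the confirmationui HAL or from NotSoSecureInput; it assumes a simplified challenge/response in which the input endpoint issues a nonce per confirmation session and accepts a "confirm" event only when it carries an HMAC over that nonce under a shared key (the key, the message layout and the `SecureInputEndpoint` class are all constructed for illustration). Swapping the nonce source between a constant value and a CSPRNG shows why the README's caveat matters: with a constant nonce, a confirm event captured in one session is accepted again in the next, so the endpoint can no longer tell a genuine press from a replay.

```python
import hashlib
import hmac
import secrets


class SecureInputEndpoint:
    """Constructed stand-in for the trusted input device endpoint.

    It issues one nonce per confirmation session and accepts a confirm
    event only if the event is bound to the outstanding nonce.
    """

    def __init__(self, shared_key: bytes, nonce_source):
        self._key = shared_key
        self._nonce_source = nonce_source  # callable returning the session nonce
        self._pending = None

    def start_confirmation(self) -> bytes:
        """Begin a session and hand out the nonce the confirm event must cover."""
        self._pending = self._nonce_source()
        return self._pending

    def verify_confirm(self, nonce: bytes, tag: bytes) -> bool:
        """Accept the confirm event only for the outstanding nonce; single use."""
        if self._pending is None or not hmac.compare_digest(nonce, self._pending):
            return False
        expected = hmac.new(self._key, b"confirm" + nonce, hashlib.sha256).digest()
        accepted = hmac.compare_digest(expected, tag)
        self._pending = None  # a nonce is consumed whether or not the tag matched
        return accepted


def constant_nonce() -> bytes:
    # Mirrors the README's caveat: no entropy, the same value every session.
    return bytes(32)


def random_nonce() -> bytes:
    # What a real secure input device needs: a CSPRNG-backed nonce.
    return secrets.token_bytes(32)


def user_confirms(shared_key: bytes, nonce: bytes) -> bytes:
    """Authenticate a genuine confirm press for the given session nonce."""
    return hmac.new(shared_key, b"confirm" + nonce, hashlib.sha256).digest()


def replay_check(nonce_source) -> tuple:
    """Run two sessions; return (genuine event accepted, replayed event accepted).

    A secure nonce source must yield (True, False): the first press is accepted
    and the same (nonce, tag) pair is rejected when presented in a later session.
    """
    key = b"constructed-test-key"  # placeholder, not a key from the HAL
    endpoint = SecureInputEndpoint(key, nonce_source)

    nonce1 = endpoint.start_confirmation()
    tag1 = user_confirms(key, nonce1)
    genuine_accepted = endpoint.verify_confirm(nonce1, tag1)

    endpoint.start_confirmation()  # new session, should get a new nonce
    replay_accepted = endpoint.verify_confirm(nonce1, tag1)  # old event presented again
    return genuine_accepted, replay_accepted


if __name__ == "__main__":
    print("constant nonce:", replay_check(constant_nonce))  # (True, True): replay accepted
    print("random nonce:  ", replay_check(random_nonce))    # (True, False): replay rejected
```

The single-use handling in `verify_confirm` is deliberate: the nonce is cleared on the first event for the session regardless of the tag result, so a failed attempt cannot be retried against the same challenge. Even so, the model only holds if the endpoint runs on the trusted input device; when the endpoint sits in the HAL service, as the README notes, the same process that handles untrusted input also holds the key, and fresh nonces alone buy nothing.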