CN-121980622-A - Efficient offline googlekey burning tool scheme

Abstract

The invention discloses an efficient offline googlekey burning tool scheme, which comprises the steps of automatically reading an offline security package after an external storage medium is accessed, carrying out integrity check and signature verification on a list, an encrypted load and a signature, deriving a deblocking key based on hardware unique information in a trusted environment, carrying out equipment binding deblocking and matching control on a key material, obtaining and verifying a platform capability proof, selecting a write strategy by combining a list strategy, carrying out front detection, writing an identification if AttentionID condition is not met, writing the key into a security storage domain by calling a hardware abstraction layer through interprocess communication, generating a write abstract and carrying out consistency verification, writing an unrepeatable record after writing, generating a consumed response piece and a write-back medium, marking the consumed and recorded progress of the security package after writing back is successful, realizing that the offline burning can be automatically completed after the medium is inserted, and obviously improving the field efficiency and reducing manual misoperation.

Inventors

• LI JIAXIANG
• LUO YIFENG
• XIE KAIKAI

Assignees

• 广州朗国电子科技股份有限公司

Dates

Publication Date

20260505

Application Date

20260123

Claims (10)

1. 1. An efficient offline googlekey burn tool solution, the solution comprising: s1, after detecting that an external storage medium is accessed, reading an offline security packet from a mounting path, and carrying out integrity verification and signature verification on the offline security packet; s2, deriving an unpacking key based on the unique information of the hardware when verification is passed, obtaining an authentication key material based on the offline security package, and controlling an output state according to the matching relation between the unpacking key and the authentication key material; s3, acquiring and checking a platform capability evidence generated by the trusted environment signature, selecting a write strategy based on platform capability information represented by the platform capability evidence and strategy description in a list, and executing preposed state detection; s4, after the detection of the preposed state is passed, calling a hardware abstraction layer interface through a communication interface between the system processes, writing the authentication key material into a secure storage domain according to the write strategy, generating a write result abstract, and carrying out consistency verification on the write result abstract; And S5, when the consistency verification is passed, writing an unrepeatable record in the trusted environment and generating a consumption receipt, writing the consumption receipt back to an external storage medium, executing consumption marking processing on the offline security package only after the writing back is successful, and recording the execution progress.
2. 2. An efficient offline googlekey burn tool solution according to claim 1, wherein the external storage medium is a USB storage device, and the access detection includes receiving a USB mount related system broadcast or callback and automatically triggering execution of steps S1 to S5 by a background service.
3. 3. The method for reading offline googlekey writing tool according to claim 1, wherein the method for reading offline security in S1 specifically includes detecting a preset directory under the mounting path, and scanning a key file with a preset suffix in the preset directory to obtain an authentication key material to be written, where the preset directory includes a directory to be written.
4. 4. An efficient offline googlekey burning tool scheme according to claim 1, characterized in that in S2 the output state is controlled by the matching relationship between the unpacking key and the authentication key material, allowing the output of the authentication key material only if a match is established.
5. 5. The efficient offline googlekey programming tool solution of claim 1, wherein in S3, the pre-state detection includes: Detecting whether a target authentication key is written in the electronic equipment or not and whether a pre-identification writing condition is met or not; when the target authentication key is detected to be written, terminating the burning process; when it is detected that the pre-identification writing condition is not satisfied, writing of the pre-identification is performed first, and then writing of the authentication key material is performed.
6. 6. An efficient offline googlekey burn tool solution according to claim 1, characterized in that in step S4, the system inter-process communication interface is used to interact with a hardware abstraction layer interface.
7. 7. The efficient offline googlekey writing tool solution according to claim 6, wherein the pre-label is attention label AttentionID, and writing of AttentionID is completed through the hardware abstraction layer interface when the pre-label condition is detected not to be satisfied, and writing of the authentication key material is performed.
8. 8. The efficient offline googlekey burn tool solution of claim 1, wherein in S5 the non-playable recording meets at least one of: repeated submissions of the same package identity are denied by the trusted environment; The monotonic counter is incremented unidirectionally and the rollback is rejected each time a successful commit occurs; the binding relationship of the packet identity and the monotonic counter is stored in a trusted environmental security store.
9. 9. An efficient offline googlekey writing tool solution according to claim 1, wherein in S5 the recording execution progress is writing phase identification and/or phase results at a plurality of phases of the writing process, respectively, the phases at least including pre-check, unpacking, capability verification, writing, verification, and receipt writing back.
10. 10. An efficient offline googlekey burn system, the system comprising: The reading and signature verification module is used for reading the off-line security packet from the mounting path after detecting that the external storage medium is accessed, and carrying out integrity verification and signature verification on the off-line security packet; The deblocking control module is used for deriving a deblocking key based on the unique information of hardware when verification passes, obtaining an authentication key material based on the offline security package, and controlling an output state according to the matching relationship between the deblocking key and the authentication key material; The capability policy module is used for acquiring and checking a platform capability evidence generated by the trusted environment signature, selecting a write-in policy based on platform capability information represented by the platform capability evidence and policy description in the list, and executing preposed state detection; The consistency verification module is used for calling a hardware abstraction layer interface through a communication interface between system processes after the detection of the front state is passed, writing the authentication key material into a secure storage domain according to the write strategy, generating a write result abstract, and carrying out consistency verification on the write result abstract; And the receipt consumption module is used for writing non-playable records in the trusted environment and generating consumption receipts when the consistency verification is passed, writing the consumption receipts back to an external storage medium, executing consumption marking processing on the offline security package only after the writing back is successful, and recording the execution progress.

Description

Efficient offline googlekey burning tool scheme Technical Field The invention belongs to the technical field of information security, and particularly relates to an efficient offline googlekey burning tool scheme. Background In the delivery and after-sales maintenance process of android terminals such as smart televisions and set-top boxes, writing/writing of Google EDLA authentication related key materials (such as googlekey) is often required to be performed on equipment so as to meet the requirements of compliance authentication, capability opening or service on-line of the equipment. In practical engineering application, a common situation exists that partial equipment cannot complete key preprocessing in a delivery or batch delivery stage due to firmware progress, market rhythm and the like, or a small amount of equipment needs to be subjected to repair burning in an after-sale stage. Such operations typically occur in a field environment, where operators are mostly operation and maintenance or after-market personnel, and it is desirable to quickly complete key writing and form a traceable result record in an offline manner, while avoiding the security and compliance risks associated with repeated burning. The existing scheme is dependent on engineering burning tools/debugging links (such as a professional is required to board, walk a complex flow, call a bottom interface and the like), and has high cost and time overhead in a scene of small-batch supplementary burning, so that an offline burning technical scheme which is more efficient, can be automated, can be traced and can be adapted across platforms is required. Disclosure of Invention The present invention is directed to an efficient offline googlekey programming tool solution, which solves one or more of the technical problems of the prior art, and at least provides a beneficial choice or creation condition. To achieve the above object, according to an aspect of the present invention, there is provided an efficient offline googlekey burning tool solution, including: s1, after detecting that an external storage medium is accessed, reading an offline security packet from a mounting path, and carrying out integrity verification and signature verification on the offline security packet; s2, deriving an unpacking key based on the unique information of the hardware when verification is passed, obtaining an authentication key material based on the offline security package, and controlling an output state according to the matching relation between the unpacking key and the authentication key material; s3, acquiring and checking a platform capability evidence generated by the trusted environment signature, selecting a write strategy based on platform capability information represented by the platform capability evidence and strategy description in a list, and executing preposed state detection; further, the pre-state detection comprises detecting whether a target authentication key has been written in the electronic device or not and whether a pre-identification writing condition is satisfied or not; when the target authentication key is detected to be written, terminating the burning process; when it is detected that the pre-identification writing condition is not satisfied, writing of the pre-identification is performed first, and then writing of the authentication key material is performed. S4, after the detection of the preposed state is passed, calling a hardware abstraction layer interface through a communication interface between the system processes, writing the authentication key material into a secure storage domain according to the write strategy, generating a write result abstract, and carrying out consistency verification on the write result abstract; And S5, when the consistency verification is passed, writing an unrepeatable record in the trusted environment and generating a consumption receipt, writing the consumption receipt back to an external storage medium, executing consumption marking processing on the offline security package only after the writing back is successful, and recording the execution progress. Further, in S1, the offline security package includes a manifest, an encryption payload, and a signature. Further, in S2, the trusted environment is a secure execution/storage environment with isolation and tamper-proof protection with respect to a general-purpose operating system execution environment; Further, in S2, the trusted environment is at least one of a trusted execution environment TEE, a secure element SE/eSE, a trusted platform module TPM, or a secure firmware/secure service module protected by a secure boot chain; further, in S2, the trusted environment is configured to perform at least one of deriving a decapsulation key based on hardware unique information, performing device binding decapsulation on the encrypted payload, generating a platform capability attestation by signing platform capability information, writi