ModuleHash

class ModuleHash(val sha256Digest: ByteArray) : Asn1Encodable<Asn1Primitive>, AuthorizationList.Tagged.WithTag<Asn1Primitive>

Undocumented, ChatGPT-generated! Take with a grain of salt!

In the context of Android's Keymaster and Keystore systems, the moduleHash is a component within the attestation data structure, specifically in the KeyDescription sequence. It provides a cryptographic representation of the software environment associated with the key's creation and usage.

Computation of moduleHash:

  1. Modules Collection:

    • The system gathers a set of Module entries, each representing an APEX (Android Pony EXpress) module.

    • Each Module includes:

      • Package Name (packageName): An octet string identifying the module.

      • Version (version): An integer indicating the module's version at boot time.

  2. DER Encoding:

    • The Modules set is encoded using Distinguished Encoding Rules (DER), a binary encoding format for data structures described by ASN.1.

    • DER encoding ensures a unique, unambiguous representation of the data, which is crucial for consistent hashing.

  3. Ordering:

    • Within the DER encoding process, the Module entries are ordered lexicographically by their encoded value.

    • This deterministic ordering guarantees that the same set of modules will always produce the same encoded output, ensuring consistency in the hash computation.

  4. SHA-256 Hashing:

    • The system computes the SHA-256 hash of the DER-encoded Modules set.

    • The resulting 256-bit hash value is the moduleHash.

This moduleHash serves as a fingerprint of the software environment, allowing verification processes to detect any unauthorized changes to the modules. By including the moduleHash in the attestation data, the system provides assurance that the key is used within a trusted and unaltered software environment.

For a detailed definition of the Modules and Module structures, as well as the computation of moduleHash, you can refer to the Android Open Source Project's documentation on Keymaster's attestation process.
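The four steps above, carried through in Python as an added example (not code from this library or from AOSP). It assumes the structures are exactly as described here, Modules being a SET OF Module and Module a SEQUENCE of packageName and version, and that package names are UTF-8 bytes; all function names and the sample modules are constructed for illustration.

```python
import hashlib
import hmac

def der_len(n: int) -> bytes:
    """DER definite length: short form below 128, otherwise minimal long form."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def tlv(tag: int, value: bytes) -> bytes:
    return bytes([tag]) + der_len(len(value)) + value

def der_integer(v: int) -> bytes:
    """Minimal INTEGER (tag 0x02) for a non-negative value."""
    if v < 0:
        raise ValueError("module versions are expected to be non-negative")
    # One extra leading bit keeps the sign bit clear, e.g. 128 -> 00 80.
    return tlv(0x02, v.to_bytes(v.bit_length() // 8 + 1, "big"))

def der_module(package_name: str, version: int) -> bytes:
    """Module as SEQUENCE { packageName OCTET STRING, version INTEGER }."""
    name = tlv(0x04, package_name.encode("utf-8"))  # assumption: UTF-8 name bytes
    return tlv(0x30, name + der_integer(version))

def der_modules(modules) -> bytes:
    """Modules as a DER SET OF: elements sorted by their *encoded* bytes."""
    return tlv(0x31, b"".join(sorted(der_module(n, v) for n, v in modules)))

def module_hash(modules) -> bytes:
    return hashlib.sha256(der_modules(modules)).digest()

def matches_attested(attested: bytes, modules) -> bool:
    """Constant-time comparison of an attested moduleHash with a recomputed one."""
    return hmac.compare_digest(attested, module_hash(modules))

# Constructed sample data, not taken from a real device.
SAMPLE = [("com.example.apex.beta", 340000000), ("com.example.apex.a", 7)]

if __name__ == "__main__":
    print(der_modules(SAMPLE).hex())
    print(module_hash(SAMPLE).hex())
```

Because the sort key is the encoded element and not the package name, a module with a shorter encoding sorts ahead of a longer one whatever its name; a verifier that sorts by name before encoding will compute a different hash.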

Constructors

constructor(sha256Digest: ByteArray)

Types

object Tag : AuthorizationList.Tagged, Asn1Decodable<Asn1Primitive, AuthorizationList.ModuleHash>

Properties


Functions

open fun encodeToDerSafe(): KmmResult<ByteArray>
open override fun encodeToTlv(): Asn1PrimitiveOctetString
open fun encodeToTlvOrNull(): Asn1Primitive?
open fun encodeToTlvSafe(): KmmResult<Asn1Primitive>
open operator override fun equals(other: Any?): Boolean
open override fun hashCode(): Int
open override fun toString(): String
open infix fun withImplicitTag(tag: Asn1Element.Tag): Asn1Element
open infix fun withImplicitTag(template: Asn1Element.Tag.Template): Asn1Element
open infix fun withImplicitTag(tagValue: ULong): Asn1Element