6

Does the Android Keystore make use of the Trusted Execution Environment (TEE) and Secure Element (SE) automatically if it is available? Or are any further steps required?

Daniel Gartmann

1 Answer

4

Generally yes.

There is no requirement for the Keystore to be hardware backed on all devices, but if it is hardware backed, and if that is by a TEE (the common case), then it will be used whenever Keystore-backed keys are used.

See the current CDD document for requirements around this: Section 9.11, Keys and Credentials.

You may also find this answer interesting, as it talks about the keymaster & TEE implementations.

Dori
  • For Android 9 and above, can SE & TEE be supported together? Do we need to manually choose SE (if available) or TEE (if available) through the API? I think it cannot be chosen automatically (even if available) by the OS, right? – TJCLK Apr 05 '20 at 16:18
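
An added example, not part of the original question, answer or comment: one way an app can check where a Keystore key actually lives, and explicitly request StrongBox (the secure-element-backed Keystore, API 28+), falling back to the default backing if it is unavailable. The class name and key alias are hypothetical; the calls are from the Android SDK's `android.security.keystore` package.

```java
import android.os.Build;
import android.security.keystore.KeyGenParameterSpec;
import android.security.keystore.KeyInfo;
import android.security.keystore.KeyProperties;
import java.security.GeneralSecurityException;
import java.security.KeyFactory;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.ProviderException;

public final class KeystoreBackingCheck {
    private static final String ALIAS = "example_signing_key"; // hypothetical alias

    /** Generates an EC signing key; StrongBox is used only if explicitly requested. */
    static KeyPair generate(boolean preferStrongBox) throws GeneralSecurityException {
        KeyGenParameterSpec.Builder spec = new KeyGenParameterSpec.Builder(
                ALIAS, KeyProperties.PURPOSE_SIGN | KeyProperties.PURPOSE_VERIFY)
                .setDigests(KeyProperties.DIGEST_SHA256);
        boolean strongBox = preferStrongBox && Build.VERSION.SDK_INT >= Build.VERSION_CODES.P;
        if (strongBox) {
            spec.setIsStrongBoxBacked(true); // opt in; never selected by default
        }
        KeyPairGenerator kpg = KeyPairGenerator.getInstance(
                KeyProperties.KEY_ALGORITHM_EC, "AndroidKeyStore");
        try {
            kpg.initialize(spec.build());
            return kpg.generateKeyPair();
        } catch (ProviderException e) {
            // StrongBoxUnavailableException (API 28+) is a ProviderException.
            if (!strongBox) throw e;
            return generate(false); // retry with the default (TEE if present) backing
        }
    }

    /** Reports the backing that the Keystore itself states for the private key. */
    static String describeBacking(KeyPair pair) throws GeneralSecurityException {
        KeyFactory kf = KeyFactory.getInstance(
                KeyProperties.KEY_ALGORITHM_EC, "AndroidKeyStore");
        KeyInfo info = kf.getKeySpec(pair.getPrivate(), KeyInfo.class);
        if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.S) { // getSecurityLevel(): API 31+
            switch (info.getSecurityLevel()) {
                case KeyProperties.SECURITY_LEVEL_STRONGBOX: return "StrongBox";
                case KeyProperties.SECURITY_LEVEL_TRUSTED_ENVIRONMENT: return "TEE";
                case KeyProperties.SECURITY_LEVEL_SOFTWARE: return "software";
                default: return "unknown";
            }
        }
        // Pre-31 API: cannot distinguish TEE from StrongBox.
        return info.isInsideSecureHardware() ? "secure hardware" : "software";
    }
}
```

The values returned by `KeyInfo` are reported by the device's own Keystore; a server that needs to verify the backing remotely has to rely on key attestation instead.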