The Device Identifier Composition Engine (DICE) is an Android security feature that provides strong attestation and improves device integrity by creating a unique cryptographic identity for each device. DICE is especially useful for creating device identities that can be used in scenarios requiring strong proof of identity and secure communications.
Remote key provisioning (RKP)
There are several key benefits that come from using DICE for remote key provisioning.
Minimization of the attack surface
DICE enhances RKP by grounding the root of trust in the smallest possible trusted computing base (TCB) available on the device, usually the chip itself, rather than within the Trusted Execution Environment (TEE). This greatly reduces the attack surface and minimizes the risk of permanent RKP compromise.
Recovery from TEE compromises
DICE provides a mechanism to recover trust in devices even if there are compromises in the TEE or bootloader that could affect the validity of the key attestations generated by KeyMint.
Historically, vulnerabilities in the trusted execution environment (TEE) or bootloader led to full revocation of attestation keys for all affected devices, with no path to recover trust even after the vulnerabilities were patched. This was because the TEE performed remote verification only over the Android image loaded through Android Verified Boot, so there was no way to prove to a remote party that the TEE or bootloader patches themselves had been applied. DICE addresses this by enabling remote verification of the current firmware state, including components outside of Android, so affected devices can recover trust once they boot patched firmware.
Mutual authentication of isolated environments
Each application domain in which the DICE process terminates receives an identity in the form of a key with a certificate chain extending back to the shared root of trust derived by the ROM. The DICE derivation separates into different branches wherever loading paths diverge, forming a tree of certificates that all share the same root and creating an on-device public key infrastructure (PKI).
This PKI enables components in separate secure enclaves to mutually authenticate one another. One concrete example is Secretkeeper, a hardware abstraction layer (HAL) that allows privileged virtual machines (pVMs) to communicate with the TEE to receive a stable secret that can be used to securely store persistent data.
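The branching derivation described above, as an added example that is not Android's or Open DICE's own code: a simplified model in which each boot stage's Compound Device Identifier (CDI) is a one-way function of its parent's CDI and the measurement of the component about to run. The HMAC-SHA256 derivation, the `identity_key` stand-in for a real key pair, and the firmware images are constructed assumptions; real DICE uses HKDF and also binds the authority and boot mode. It shows two boot paths sharing an identical bootloader identity but diverging afterwards, and a patched TEE producing a distinct identity that a verifier can tell apart from the vulnerable one.

```python
import hashlib
import hmac


def measure(image: bytes) -> bytes:
    """Code hash of a component about to be loaded (constructed stand-in for a real image hash)."""
    return hashlib.sha256(image).digest()


def next_cdi(parent_cdi: bytes, code_hash: bytes, config: bytes) -> bytes:
    """One DICE step: the child's CDI depends on the parent's CDI and on what is loaded next.
    Simplified HMAC model (assumption); Open DICE derives CDIs with HKDF and extra inputs."""
    return hmac.new(parent_cdi, b"CDI" + code_hash + config, hashlib.sha256).digest()


def identity_key(cdi: bytes) -> bytes:
    """Stand-in for the asymmetric key derived from a CDI; only its public value matters here."""
    return hmac.new(cdi, b"ID_KEY", hashlib.sha256).digest()


def derive_chain(uds: bytes, stages: list[tuple[str, bytes, bytes]]) -> list[tuple[str, bytes]]:
    """Walk one boot path from the ROM's unique device secret (UDS) through each stage,
    returning the per-stage identities a certificate chain for that path would carry."""
    cdi = uds
    chain = []
    for name, image, config in stages:
        cdi = next_cdi(cdi, measure(image), config)
        chain.append((name, identity_key(cdi)))
    return chain


# Constructed sample inputs: a device secret and fake firmware images.
UDS = hashlib.sha256(b"constructed unique device secret").digest()
BOOTLOADER = b"bootloader v1"
TEE_V1, TEE_V2 = b"tee v1 (vulnerable)", b"tee v2 (patched)"
PVMFW, PVM = b"pvmfw", b"pvm payload"


def demo() -> tuple[list, list, list]:
    """Three paths: ROM->bootloader->TEE, ROM->bootloader->pvmfw->pVM, and the TEE path after a patch."""
    tee_path = derive_chain(UDS, [("bootloader", BOOTLOADER, b""), ("tee", TEE_V1, b"")])
    pvm_path = derive_chain(UDS, [("bootloader", BOOTLOADER, b""), ("pvmfw", PVMFW, b""), ("pvm", PVM, b"")])
    patched = derive_chain(UDS, [("bootloader", BOOTLOADER, b""), ("tee", TEE_V2, b"")])
    return tee_path, pvm_path, patched
```

A verifier holding the expected measurements can thus accept the patched identity while continuing to reject the vulnerable one, instead of revoking the whole device.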