Device Identifier Composition Engine (DICE) is a Trusted Computing Group specification that has been adopted into Android. DICE aims to create an immutable cryptographic identity for a device, along with a remotely verifiable measurement of the firmware that is loaded during boot. This process additionally creates cryptographic identities for each piece of firmware that is loaded. These identities are entirely dependent on the base identity and each firmware image loaded during a given boot.
DICE starts when the ROM for the chipset loads a unique device secret (UDS) from a bank of immutable data, typically fuses, that was securely provisioned with a cryptographically random value during the chip production process. Once the ROM has read this secret, it shuts off any further access to the UDS using a vendor-dependent hardware locking mechanism such as a latch. Access to the UDS is not restored until the next boot.
The ROM uses the UDS as input to a key derivation function (KDF) to generate the permanent asymmetric key pair that identifies that particular device. The ROM then loads and measures the next stage of firmware in the boot sequence, while recording additional metadata about the environment for this particular boot, such as whether secure boot is enabled. The ROM processes the measurement, the configuration, and the UDS with a KDF to derive the secret for the next stage to be loaded. This secret is referred to as a compound device identifier (CDI).
The process then repeats. The CDI acts as the next stage's UDS: that stage derives a key pair from it, and the CDI is fed into a KDF along with the hash of the next image to be loaded to form another derived CDI value.
The loaded firmware uses the generated key pairs to sign CBOR Object Signing and Encryption (COSE) Sign1 certificates. Each stage signs a certificate over the next stage to be loaded. This certificate includes information such as the measurement of that stage, the mode the boot is in, the CDI public key for that stage, and other associated metadata.
Figure 1. Simplified DICE derivation process.
This process helps ensure that any change in a loaded firmware image changes both its own CDI value and the CDI values of all subsequent stages. This means that every combination of loaded firmware generates unique identities and associated keys. Further, the signing is done in such a way that it guarantees that each stage is measured and certified by the preceding stage, preventing any stage from evading measurement by forging its own certificate. This means that as long as the ROM isn't compromised, the device's security posture can be patched and then verified remotely.
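To make the derivation chain and its tamper-propagation property concrete, here is an added, simplified model of the process described above (example code written for this article, not Android's or the TCG's implementation). It assumes HKDF-SHA256 as the KDF, JSON in place of CBOR/COSE, and, to stay standard-library only, a symmetric HMAC key derived from each CDI as a stand-in for the per-stage asymmetric key pair; the UDS and firmware images are constructed sample values.

```python
import hashlib
import hmac
import json

def hkdf(ikm: bytes, salt: bytes, info: bytes, length: int = 32) -> bytes:
    """HKDF-SHA256 (RFC 5869); plays the KDF role at every DICE step."""
    prk = hmac.new(salt or b"\x00" * 32, ikm, hashlib.sha256).digest()
    out, block, ctr = b"", b"", 1
    while len(out) < length:
        block = hmac.new(prk, block + info + bytes([ctr]), hashlib.sha256).digest()
        out, ctr = out + block, ctr + 1
    return out[:length]

def stage_key(cdi: bytes) -> bytes:
    # Stand-in for the per-stage asymmetric key pair: a symmetric key derived
    # from the stage's CDI (a real implementation derives e.g. an Ed25519 seed).
    return hkdf(cdi, b"", b"Key Pair")

def derive_chain(uds: bytes, stages: list) -> list:
    """Walk the boot sequence. Each (name, image_bytes, mode) yields one
    certificate: the loading stage measures the image, derives the loaded
    stage's CDI, and signs a certificate over it with its *own* key."""
    cdi, certs = uds, []
    for name, image, mode in stages:
        measurement = hashlib.sha256(image).digest()
        config = hashlib.sha256(json.dumps({"mode": mode}).encode()).digest()
        next_cdi = hkdf(cdi, measurement + config, b"CDI_Attest")
        cert = {"subject": name, "measurement": measurement.hex(), "mode": mode,
                # key identifier stands in for the loaded stage's public key
                "subject_key_id": hashlib.sha256(stage_key(next_cdi)).hexdigest()}
        payload = json.dumps(cert, sort_keys=True).encode()
        cert["signature"] = hmac.new(stage_key(cdi), payload, hashlib.sha256).hexdigest()
        certs.append(cert)
        cdi = next_cdi            # the loaded stage's CDI becomes the next input
    return certs

def verify_cert(loader_cdi: bytes, cert: dict) -> bool:
    """Recompute the signature with the loader's key (stand-in for checking a
    COSE Sign1 signature against the loader's public key)."""
    body = {k: v for k, v in cert.items() if k != "signature"}
    expected = hmac.new(stage_key(loader_cdi), json.dumps(body, sort_keys=True).encode(),
                        hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, cert["signature"])

# Constructed sample boot: a fixed UDS and three toy firmware images.
UDS = hashlib.sha256(b"constructed-uds-for-demo").digest()
BOOT = [("bl2", b"bootloader-v1", "normal"),
        ("tee", b"trusted-os-v1", "normal"),
        ("abl", b"android-bootloader-v1", "normal")]
```

Patching the second image (or flipping its mode) leaves the ROM-signed first certificate untouched but changes the CDI, key and certificate of that stage and of every stage after it, which is exactly the property the article relies on.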