Manage ODE decryption keys

Your UCM storage plugin can be used on a device that is secured with Samsung’s On-Device Encryption (ODE). In such a case, the decryption key for ODE can be stored in your space, which means you must ensure that the decryption key is available to the Samsung boot loader early enough in the boot process to decrypt the device. To do so, implement the following.

Command-response APDU sequence

When the Samsung boot loader issues the following command APDU, your plugin must respond with the correct response APDU. The format of these APDUs closely follows the ISO/IEC 7816-4 specification but are not an exact implementation.

Command APDU Fields and Meaning

Field Name	Description
CLA	The type of command, instruction class
INS	The specific command, instruction code
P1-P2	Instruction parameters for the command
Lc	The number of bytes of command data
Data	The command data
Le	The maximum number of response bytes expected
Response data	Response data
SW1-SW2	Command processing status

Command APDU: Get status of plugin

The following APDUs enable the boot loader to determine the lock state of the plugin as well as how many remaining attempts are available to unlock it.

Field Name	Acceptable Values
CLA	0x80 - data on plugin is not encrypted 0x84 - data on plugin is encrypted
INS	0xCA
P1	0x00
P2	0xE2
Lc	0
Data	None
Le	Absent for encoding, Ne = 0 (will be ignored if present)

Response APDU

Response Bytes	Description
Data Field (BER-TLV)	TAG = 0x8A indicates the plugin state Len = 1 DATA = 0x83: unlocked, 0x84: locked, 0x85: blocked TAG = 0xC2 remaining number of attempts to get the plugin's state Len = 1 DATA = count TAG = 0xC3 miscellaneous information Len = n indicates the number of characters, with a maximum of 10 DATA = string length of n
SW1-SW2	0x9000: Success 0x6B00: Invalid P1 0x6A82: Invalid P2

Command APDU: Verify PIN

The following APDUs enable the boot loader to verify the input PIN number and return the current state and remaining retry count. This requires two consecutive APDU commands. The first is a VERIFY APDU command, followed by the GET DATA APDU command (defined in getStatus) to get the applet state and miscellaneous information.

Field Name	Acceptable Values
CLA	0x80 - data on plugin is not encrypted 0x84 - data on plugin is encrypted
INS	0x20
P1	0x00
P2	0x00
Lc	Length of PIN
Data	User PIN
Le	Absent for encoding, Ne = 0 (will be ignored if present)

Response APDU

Response Bytes	Description
Data Field (BER-TLV)	None
SW1-SW2	0x9000: Success - PIN is valid 0x63CX: Error - PIN is not valid, X encondes the number of remaining retires 0x6B00: Invalid P1, P2 0x6A80: The command data-field is empty or contains incorrect data. 0x6982: The plugin's current state does not allow this to be processed.

Command APDU: Generate device encryption key (DEK)

The following APDUs enable the boot loader to generate the DEK, which is stored in the plugin.

Field Name	Acceptable Values
CLA	0x80 - data on plugin is not encrypted 0x84 - data on plugin is encrypted
INS	0xCA
P1	0x00
P2	0xCE
Lc	0
Data	None
Le	Absent for encoding, Ne = 0 (will be ignored if present)

Response APDU

Response Bytes	Description
Data Field (BER-TLV)	None
SW1-SW2	0x9000: Success 0x6B00: invalid P1 0x6A82: Invalid P2 0x6982: The plugin's current state does not allow this to be processed.

Command APDU: Generate DEK and return wrapped DEK

The following APDUs enable the boot loader to generate the DEK and return the wrapped DEK. ODE stores the DEK on the device’s non-volatile memory.

Field Name	Acceptable Values
CLA	0x80 - data on plugin is not encrypted 0x84 - data on plugin is encrypted
INS	0xCA
P1	0x00
P2	0xCF
Lc	0
Data	None
Le	Absent for encoding, Ne = 0 (will be ignored if present)

Response APDU

Response Bytes	Description
Data Field (BER-TLV)	TAG = 0xCF to indicate wrapped DEK LEN = length of wrapped DEK Data = wrapped DEK
SW1-SW2	0x9000: Success 0x6B00: invalid P1 0x6A82: Invalid P2 0x6982: The plugin's current state does not allow this to be processed.