Root certificates

Brew MP requires that all code be explicitly authorized before it can be installed or run on the device. The principal method for authorizing dynamic code is by issuing a digital signature under a code authorization root certificate that has been embedded on the device.

Brew MP supports the inclusion and configuration in the device image of multiple root certificates. Each root certificate identifies a certificate authority that may issue signing certificates to one or more signing authorities. These signing authorities can establish digital signing services for authorizing code to run on the device. Code that has not been digitally signed by a signing authority under a root certificate configured in the device image will not execute.

A certificate authority first generates their root key pair, then creates the root certificate by signing the public root key with the private root key. For commercial environments, the private root key is securely managed and stored to preserve its confidentiality. It is typically brought out only when subordinate certificates (for example, signing certificates) need to be issued under the root. The root certificate is not a confidential value. It is trusted through device policy configured by device manufacturers who trust the issuing certificate authority.
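The chain described above (self-signed root, signing certificate issued under it, signed code checked against the configured root), walked through with generic OpenSSL commands. This is an added example, not Brew MP tooling or its signature format; every file name, subject name and the `authorize` policy function are constructed for illustration.

```shell
#!/bin/sh
# Added illustration (generic OpenSSL, not Brew MP tooling); all names are constructed.
WORK=$(mktemp -d)
printf '[req]\ndistinguished_name=dn\n[dn]\n[v3_root]\nbasicConstraints=critical,CA:TRUE\n' > "$WORK/pki.cnf"

# make_root NAME: generate a root key pair, then sign the public key with the
# private key to produce the self-signed root certificate.
make_root() {
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 30 -subj "/CN=$1" \
        -config "$WORK/pki.cnf" -extensions v3_root \
        -keyout "$WORK/$1.key" -out "$WORK/$1.crt" 2>/dev/null
}

# issue_signer ROOT NAME: the root's private key is used only here, to issue a
# signing certificate to a signing authority.
issue_signer() {
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$2" -config "$WORK/pki.cnf" \
        -keyout "$WORK/$2.key" -out "$WORK/$2.csr" 2>/dev/null &&
    openssl x509 -req -in "$WORK/$2.csr" -CA "$WORK/$1.crt" -CAkey "$WORK/$1.key" \
        -CAcreateserial -sha256 -days 30 -out "$WORK/$2.crt" 2>/dev/null
}

# sign_module SIGNER FILE: detached signature over FILE with the signer's key.
sign_module() {
    openssl dgst -sha256 -sign "$WORK/$1.key" -out "$2.sig" "$2"
}

# authorize ROOT SIGNER FILE: device-side policy check. Passes only if the signing
# certificate chains to the configured root and the signature matches FILE.
authorize() {
    openssl verify -CAfile "$WORK/$1.crt" "$WORK/$2.crt" >/dev/null 2>&1 || return 1
    openssl x509 -in "$WORK/$2.crt" -pubkey -noout > "$WORK/$2.pub" || return 1
    openssl dgst -sha256 -verify "$WORK/$2.pub" -signature "$3.sig" "$3" >/dev/null 2>&1
}

demo() {
    make_root device-root && make_root unconfigured-root || return 1
    issue_signer device-root signer-a && issue_signer unconfigured-root signer-b || return 1
    printf 'constructed module bytes\n' > "$WORK/mod.bin"
    sign_module signer-a "$WORK/mod.bin"
    authorize device-root signer-a "$WORK/mod.bin" && echo "signer-a: authorized"
    sign_module signer-b "$WORK/mod.bin"
    authorize device-root signer-b "$WORK/mod.bin" || echo "signer-b: rejected (root not configured)"
}
demo
```

The root certificate files can be copied freely; only the `.key` files need protection, which is why the root key appears in `issue_signer` and nowhere in the device-side `authorize` check.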

The Brew MP root is a commercial code authorization root provided by Qualcomm that ships in every Brew MP device and authorizes code associated with the platform. It can be thought of as Qualcomm's platform root. All Brew MP dynamic modules are signed with the Brew MP root during the Qualcomm release process. The Brew MP root is configured in all Brew MP devices, where it authorizes the dynamic portions of Brew MP as well as Developer Enablement Signatures (DES). DES allows developers to work on devices using the Brew MP root. Credentials and API privileges are administered according to credentials. Developer Enablement Signatures are issued under the Brew MP root for FFAs and pre-commercial devices. This root is not used to authorize third-party code. Disabling this root is not recommended, though there is an OEM option for it. Disabling the Brew MP root would require re-signing the Brew MP dynamic modules.