I am relatively new to Android development and have never used the Android Keystore before. But I am familiar with the (theoretical) concepts.
My problem is that I have to generate and store a secret key and later use this key to run cryptographic primitives on some data. Ideally, the key is protected against extraction in best possible way, e.i. key generation and all cryptographic operations only run inside a secure enclave, such that only the payload leaves the trusted zone.
As far as I understand this happens automatically, if the "correct" Keystore API is used, the hardware device supports it and the key's usage is flagged appropriately. However, the supported algoritms are limited.
The question: Can I write own custom code that is executed inside the Trust Zone? If yes, could you point me to a good resource or tutorial?
Background: I need to do some fancy modern stuff over elliptic curves (Barreto-Naehrig curve) with Optimal Structure-Preserving Signatures by Abe and SXDH-based Groth-Sahai-Proofs. Obviously, this is not supported by the Keystore API out-of-the-box. At the moment the code is implemented as C++-code and compiled as native Android code. The implementation is semantical correct but does not take any special care of secure key storage on the implementation level, because it is all academic prototype development. At the moment the key is just read/written to/from a plain file and all operations are executed in the same user-land (main) process.
The TEE is, in most cases, only available to the OEM and there's no SDK to access the TEE. The exception to this is Kinibi from Trustonic who do provide an SDK to their TEE. In order to access this you would need to have the SDK to develop the Trusted App and some form of development board (HIKEY) to test it. To deploy into a handset you would need to have some form of agreement with Trustonic that would allow users to download and install the app using an OTA server to manage the key exchange.