Key usage in homebrew

[duckbill007]

I have a question about keys in homebrew .
Obviously hardcode keys to homebrew is not good.

But, what scenarios are good?
1. Ask user to provide keys (prod.keys, keys.txt file and so on). I think this is preferred.

2. If key can be created by some calls to splGenerate/splLoad and some key source. Is it ok for homebrew to hardcode that source and use spl calls to use key but not direct, because it will be created inside crypto module?

3. If key or mentioned above source stored as plaintext in some system module, for example FS or ES, is it ok for homebrew to hardcode hash of that key/source and using dnmt read that process memory to find string, that will have the same hash and use it as key?

 

[thesjaakspoiler]

According to the maker of Lockpick, the keys can only be obtained in the boot stage.
Once the operating system boots, access to the keys is blocked.
So I think you are left with only option 1.

Keys are not stored in plain text unless the user dumped them and left that file on the SD card.

Sharing keys can be considered a legal problem in many countries as well.

 

[StringIsNullOrEmpty]

There's also the possibility that the particular system is modified in a way that prevents the keys to be properly dumped. When my emmc module died I had to use a donor dump that had serials masked to fix it, and although it mostly works as expected the one thing that fails is dumping my own keys.

 

[duckbill007]

According to the maker of Lockpick, the keys can only be obtained in the boot stage.
Once the operating system boots, access to the keys is blocked.

I think you are talking about master keys.

Keys are not stored in plain text

Keys - maybe. But I am talking about key sources: data that is used to generate it.

For example Header source (0x1F, 0x12, 0x91, ...) is stored as plain text in FS module. And a lot of homebrew has it hardcoded and not read from external source.

So, I am asking - it it OK?