ID attestation: Define tag for a second IMEI

Define a KeyMint tag for a second IMEI to be included in the attestation record. Also clarify that the IMEI tag is meant to include one, and only one, IMEI. Bug: 244732345 Test: android.keystore.cts.DeviceOwnerKeyManagementTest Merged-In: I70ecbb0245ba2e517e5d0db0cfdce4525846f3e5 Change-Id: I70ecbb0245ba2e517e5d0db0cfdce4525846f3e5
2026-02-01 15:58:43 +00:00 · 2022-10-31 12:22:10 +00:00
parent 652cf9c564
commit 210d3ea87b
2 changed files with 18 additions and 2 deletions
--- a/security/keymint/aidl/aidl_api/android.hardware.security.keymint/current/android/hardware/security/keymint/Tag.aidl
+++ b/security/keymint/aidl/aidl_api/android.hardware.security.keymint/current/android/hardware/security/keymint/Tag.aidl
@@ -90,6 +90,7 @@ enum Tag {
  DEVICE_UNIQUE_ATTESTATION = 1879048912,
  IDENTITY_CREDENTIAL_KEY = 1879048913,
  STORAGE_KEY = 1879048914,
+  ATTESTATION_ID_SECOND_IMEI = -1879047469,
  ASSOCIATED_DATA = -1879047192,
  NONCE = -1879047191,
  MAC_LENGTH = 805307371,
--- a/security/keymint/aidl/android/hardware/security/keymint/Tag.aidl
+++ b/security/keymint/aidl/android/hardware/security/keymint/Tag.aidl
@@ -726,9 +726,10 @@ enum Tag {
    ATTESTATION_ID_SERIAL = TagType.BYTES | 713,

    /**
-     * Tag::ATTESTATION_ID_IMEI provides the IMEIs for all radios on the device to attested key
+     * Tag::ATTESTATION_ID_IMEI provides the IMEI one of the radios on the device to attested key
     * generation/import operations.  This field must be set only when requesting attestation of the
-     * device's identifiers.
+     * device's identifiers. If the device has more than one IMEI, a second IMEI may be included
+     * by using the Tag::ATTESTATION_ID_SECOND_IMEI tag.
     *
     * If the device does not support ID attestation (or destroyAttestationIds() was previously
     * called and the device can no longer attest its IDs), any key attestation request that
@@ -882,6 +883,20 @@ enum Tag {
     */
    STORAGE_KEY = TagType.BOOL | 722,

+    /**
+     * Tag::ATTESTATION_ID_SECOND_IMEI provides an additional IMEI of one of the radios on the
+     * device to attested key generation/import operations. This field MUST be accompanied by
+     * the Tag::ATTESTATION_ID_IMEI tag. It would only be used to convery a second IMEI the device
+     * has, after Tag::ATTESTATION_ID_SECOND_IMEI has been used to convery the first IMEI.
+     *
+     * If the device does not support ID attestation (or destroyAttestationIds() was previously
+     * called and the device can no longer attest its IDs), any key attestation request that
+     * includes this tag must fail with ErrorCode::CANNOT_ATTEST_IDS.
+     *
+     * Must never appear in KeyCharacteristics.
+     */
+    ATTESTATION_ID_SECOND_IMEI = TagType.BYTES | 723,
+
    /**
     * OBSOLETE: Do not use.
     *