Merge "Revert "KeyMint HAL: add curve 25519, bump version"" am: 391a772300 am: f121b2c2bb

Original change: https://android-review.googlesource.com/c/platform/hardware/interfaces/+/1918632 Change-Id: I2cb8d4e77e93be8c0bfa84abf31190a30005f4b2
2026-02-01 11:36:00 +00:00 · 2021-12-13 16:36:59 +00:00
parent a7ee9f53ed f121b2c2bb
commit 4df4387267
7 changed files with 12 additions and 35 deletions
--- a/compatibility_matrices/compatibility_matrix.current.xml
+++ b/compatibility_matrices/compatibility_matrix.current.xml
@@ -343,7 +343,7 @@
    </hal>
    <hal format="aidl" optional="true">
        <name>android.hardware.security.keymint</name>
-        <version>1-2</version>
+        <version>1</version>
        <interface>
            <name>IKeyMintDevice</name>
            <instance>default</instance>
@@ -352,7 +352,6 @@
    </hal>
    <hal format="aidl" optional="true">
        <name>android.hardware.security.keymint</name>
-        <version>1-2</version>
        <interface>
            <name>IRemotelyProvisionedComponent</name>
            <instance>default</instance>
--- a/security/keymint/aidl/Android.bp
+++ b/security/keymint/aidl/Android.bp
@@ -45,14 +45,14 @@ aidl_interface {
 cc_defaults {
    name: "keymint_use_latest_hal_aidl_ndk_static",
    static_libs: [
-        "android.hardware.security.keymint-V2-ndk",
+        "android.hardware.security.keymint-V1-ndk",
    ],
 }

 cc_defaults {
    name: "keymint_use_latest_hal_aidl_ndk_shared",
    shared_libs: [
-        "android.hardware.security.keymint-V2-ndk",
+        "android.hardware.security.keymint-V1-ndk",
    ],
 }

@@ -62,6 +62,6 @@ cc_defaults {
 rust_defaults {
    name: "keymint_use_latest_hal_aidl_rust",
    rustlibs: [
-        "android.hardware.security.keymint-V2-rust",
+        "android.hardware.security.keymint-V1-rust",
    ],
 }
--- a/security/keymint/aidl/aidl_api/android.hardware.security.keymint/current/android/hardware/security/keymint/EcCurve.aidl
+++ b/security/keymint/aidl/aidl_api/android.hardware.security.keymint/current/android/hardware/security/keymint/EcCurve.aidl
@@ -39,5 +39,4 @@ enum EcCurve {
  P_256 = 1,
  P_384 = 2,
  P_521 = 3,
-  CURVE_25519 = 4,
 }
--- a/security/keymint/aidl/android/hardware/security/keymint/EcCurve.aidl
+++ b/security/keymint/aidl/android/hardware/security/keymint/EcCurve.aidl
@@ -27,5 +27,4 @@ enum EcCurve {
    P_256 = 1,
    P_384 = 2,
    P_521 = 3,
-    CURVE_25519 = 4,
 }
--- a/security/keymint/aidl/android/hardware/security/keymint/IKeyMintDevice.aidl
+++ b/security/keymint/aidl/android/hardware/security/keymint/IKeyMintDevice.aidl
@@ -93,11 +93,6 @@ import android.hardware.security.secureclock.TimeStampToken;
 *        P-521.  STRONGBOX IKeyMintDevices must support NIST curve P-256.
 *      - TRUSTED_ENVIRONMENT IKeyMintDevices must support SHA1, SHA-2 224, SHA-2 256, SHA-2
 *        384 and SHA-2 512 digest modes.  STRONGBOX IKeyMintDevices must support SHA-2 256.
- *      - TRUSTED_ENVRIONMENT IKeyMintDevices must support curve 25519 for Purpose::SIGN (Ed25519,
- *        as specified in RFC 8032), Purpose::ATTEST_KEY (Ed25519) or for KeyPurpose::AGREE_KEY
- *        (X25519, as specified in RFC 7748).  However, a key must have exactly one of these
- *        purpose values; the same key cannot be used for multiple purposes.
- *        STRONGBOX IKeyMintDevices do not support curve 25519.
 *
 * o   AES
 *
@@ -292,7 +287,7 @@ interface IKeyMintDevice {
     *   except AGREE_KEY must be supported for RSA keys.
     *
     * o Tag::DIGEST specifies digest algorithms that may be used with the new key.  TEE
-     *   IKeyMintDevice implementations must support all Digest values (see Digest.aidl) for RSA
+     *   IKeyMintDevice implementations must support all Digest values (see digest.aidl) for RSA
     *   keys.  StrongBox IKeyMintDevice implementations must support SHA_2_256.
     *
     * o Tag::PADDING specifies the padding modes that may be used with the new
@@ -303,24 +298,13 @@ interface IKeyMintDevice {
     * == ECDSA Keys ==
     *
     * Tag::EC_CURVE must be provided to generate an ECDSA key.  If it is not provided, generateKey
-     * must return ErrorCode::UNSUPPORTED_KEY_SIZE or ErrorCode::UNSUPPORTED_EC_CURVE. TEE
-     * IKeyMintDevice implementations must support all required curves.  StrongBox implementations
-     * must support P_256 and no other curves.
-     *
+     * must return ErrorCode::UNSUPPORTED_KEY_SIZE. TEE IKeyMintDevice implementations must support
+     * all curves.  StrongBox implementations must support P_256.
+
     * Tag::CERTIFICATE_NOT_BEFORE and Tag::CERTIFICATE_NOT_AFTER must be provided to specify the
     * valid date range for the returned X.509 certificate holding the public key. If omitted,
     * generateKey must return ErrorCode::MISSING_NOT_BEFORE or ErrorCode::MISSING_NOT_AFTER.
     *
-     * Keys with EC_CURVE of EcCurve::CURVE_25519 must have exactly one purpose in the set
-     * {KeyPurpose::SIGN, KeyPurpose::ATTEST_KEY, KeyPurpose::AGREE_KEY}.  Key generation with more
-     * than one purpose should be rejected with ErrorCode::INCOMPATIBLE_PURPOSE.
-     * StrongBox implementation do not support CURVE_25519.
-     *
-     * Tag::DIGEST specifies digest algorithms that may be used with the new key.  TEE
-     * IKeyMintDevice implementations must support all Digest values (see Digest.aidl) for ECDSA
-     * keys; Ed25519 keys only support Digest::NONE. StrongBox IKeyMintDevice implementations must
-     * support SHA_2_256.
-     *
     * == AES Keys ==
     *
     * Only Tag::KEY_SIZE is required to generate an AES key.  If omitted, generateKey must return
--- a/security/keymint/aidl/android/hardware/security/keymint/KeyFormat.aidl
+++ b/security/keymint/aidl/android/hardware/security/keymint/KeyFormat.aidl
@@ -25,10 +25,8 @@ package android.hardware.security.keymint;
 enum KeyFormat {
    /** X.509 certificate format, for public key export. */
    X509 = 0,
-    /** PKCS#8 format, asymmetric key pair import. */
+    /** PCKS#8 format, asymmetric key pair import. */
    PKCS8 = 1,
-    /**
-     * Raw bytes, for symmetric key import, and for import of raw asymmetric keys for curve 25519.
-     */
+    /** Raw bytes, for symmetric key import. */
    RAW = 3,
 }
--- a/security/keymint/aidl/vts/functional/KeyMintTest.cpp
+++ b/security/keymint/aidl/vts/functional/KeyMintTest.cpp
@@ -6618,7 +6618,7 @@ INSTANTIATE_KEYMINT_AIDL_TEST(TransportLimitTest);

 typedef KeyMintAidlTestBase KeyAgreementTest;

-static int EcdhCurveToOpenSslCurveName(EcCurve curve) {
+int CurveToOpenSslCurveName(EcCurve curve) {
    switch (curve) {
        case EcCurve::P_224:
            return NID_secp224r1;
@@ -6628,8 +6628,6 @@ static int EcdhCurveToOpenSslCurveName(EcCurve curve) {
            return NID_secp384r1;
        case EcCurve::P_521:
            return NID_secp521r1;
-        case EcCurve::CURVE_25519:
-            return NID_X25519;
    }
 }

@@ -6651,7 +6649,7 @@ TEST_P(KeyAgreementTest, Ecdh) {
        for (auto localCurve : ValidCurves()) {
            // Generate EC key locally (with access to private key material)
            auto ecKey = EC_KEY_Ptr(EC_KEY_new());
-            int curveName = EcdhCurveToOpenSslCurveName(localCurve);
+            int curveName = CurveToOpenSslCurveName(localCurve);
            auto group = EC_GROUP_Ptr(EC_GROUP_new_by_curve_name(curveName));
            ASSERT_NE(group, nullptr);
            ASSERT_EQ(EC_KEY_set_group(ecKey.get(), group.get()), 1);