From 6a1223f227220d954ec31e9243abcc9ad1d51d05 Mon Sep 17 00:00:00 2001
From: Seth Moore <sethmo@google.com>
Date: Thu, 24 Jun 2021 16:29:38 -0700
Subject: [PATCH] Add Attestation IDs State to DeviceInfo

We will use the 'Attestation IDs State' field in DeviceInfo to
determine whether a device is still provisionable or not. Once a
production device has left the factory, certain attestated device ids
should be fixed, and 'Attestation IDs State' should reflect this
by reporting "locked".

Remove stale, duplicated DeviceInfo description from ProtectedData.aidl

Test: None, just a doc change
Bug: 192017485
Change-Id: I4e0a840a8f415b3b410801805a158c46be30ec6a
Merged-In: I4e0a840a8f415b3b410801805a158c46be30ec6a
---
 .../hardware/security/keymint/DeviceInfo.aidl     |  6 ++++++
 .../hardware/security/keymint/ProtectedData.aidl  | 15 +--------------
 2 files changed, 7 insertions(+), 14 deletions(-)

diff --git a/security/keymint/aidl/android/hardware/security/keymint/DeviceInfo.aidl b/security/keymint/aidl/android/hardware/security/keymint/DeviceInfo.aidl
index 32d69cd227..b0761bf828 100644
--- a/security/keymint/aidl/android/hardware/security/keymint/DeviceInfo.aidl
+++ b/security/keymint/aidl/android/hardware/security/keymint/DeviceInfo.aidl
@@ -44,6 +44,12 @@ parcelable DeviceInfo {
      *         ? "vendor_patch_level" : uint,                   // YYYYMMDD
      *         "version" : 1,                      // The CDDL schema version.
      *         "security_level" : "tee" / "strongbox"
+     *         "att_id_state": "locked" / "open",  // Attestation IDs State. If "locked", this
+     *                                             // indicates a device's attestable IDs are
+     *                                             // factory-locked and immutable. If "open",
+     *                                             // this indicates the device is still in a
+     *                                             // provisionable state and the attestable IDs
+     *                                             // are not yet frozen.
      *     }
      */
     byte[] deviceInfo;
diff --git a/security/keymint/aidl/android/hardware/security/keymint/ProtectedData.aidl b/security/keymint/aidl/android/hardware/security/keymint/ProtectedData.aidl
index 31dbb288ab..24cdbc1fa7 100644
--- a/security/keymint/aidl/android/hardware/security/keymint/ProtectedData.aidl
+++ b/security/keymint/aidl/android/hardware/security/keymint/ProtectedData.aidl
@@ -158,20 +158,7 @@ parcelable ProtectedData {
      *         payload: bstr .cbor BccPayload
      *     ]
      *
-     *     VerifiedDeviceInfo = {
-     *         ? "brand" : tstr,
-     *         ? "manufacturer" : tstr,
-     *         ? "product" : tstr,
-     *         ? "model" : tstr,
-     *         ? "board" : tstr,
-     *         ? "device" : tstr,
-     *         ? "vb_state" : "green" / "yellow" / "orange",
-     *         ? "bootloader_state" : "locked" / "unlocked",
-     *         ? "os_version" : tstr,
-     *         ? "system_patch_level" : uint,        // YYYYMMDD
-     *         ? "boot_patch_level" : uint,          // YYYYMMDD
-     *         ? "vendor_patch_level" : uint,        // YYYYMMDD
-     *     }
+     *     VerifiedDeviceInfo = DeviceInfo  // See DeviceInfo.aidl
      *
      *     PubKeyX25519 = {                 // COSE_Key
      *          1 : 1,                      // Key type : Octet Key Pair