diff --git a/identity/aidl/Android.bp b/identity/aidl/Android.bp index f568f7ac54..c05dd33dc9 100644 --- a/identity/aidl/Android.bp +++ b/identity/aidl/Android.bp @@ -15,10 +15,10 @@ aidl_interface { ], imports: [ "android.hardware.keymaster-V3", - "android.hardware.security.keymint-V3", + "android.hardware.security.rkp-V3", ], stability: "vintf", - frozen: false, + frozen: true, backend: { java: { platform_apis: true, @@ -32,28 +32,28 @@ aidl_interface { version: "1", imports: [ "android.hardware.keymaster-V3", - "android.hardware.security.keymint-V1", + "android.hardware.security.rkp-V1", ], }, { version: "2", imports: [ "android.hardware.keymaster-V3", - "android.hardware.security.keymint-V1", + "android.hardware.security.rkp-V1", ], }, { version: "3", imports: [ "android.hardware.keymaster-V3", - "android.hardware.security.keymint-V1", + "android.hardware.security.rkp-V1", ], }, { version: "4", imports: [ "android.hardware.keymaster-V3", - "android.hardware.security.keymint-V2", + "android.hardware.security.rkp-V3", ], }, diff --git a/identity/aidl/default/Android.bp b/identity/aidl/default/Android.bp index a57875aee5..7bc3c8de8e 100644 --- a/identity/aidl/default/Android.bp +++ b/identity/aidl/default/Android.bp @@ -45,6 +45,7 @@ cc_library_static { "libpuresoftkeymasterdevice", "android.hardware.identity-support-lib", "android.hardware.keymaster-V3-ndk", + "android.hardware.security.rkp-V3-ndk", ], } @@ -112,6 +113,7 @@ cc_binary { "android.hardware.keymaster-V3-ndk", "android.hardware.identity-libeic-hal-common", "android.hardware.identity-libeic-library", + "android.hardware.security.rkp-V3-ndk", ], srcs: [ "service.cpp", diff --git a/identity/aidl/vts/Android.bp b/identity/aidl/vts/Android.bp index 54bf88739b..5e303bb7cf 100644 --- a/identity/aidl/vts/Android.bp +++ b/identity/aidl/vts/Android.bp @@ -39,6 +39,8 @@ cc_test { "libcrypto", ], static_libs: [ + "android.hardware.security.rkp-V3-cpp", + "android.hardware.security.rkp-V3-ndk", "android.hardware.security.secureclock-V1-ndk", "libcppbor_external", "libcppcose_rkp", diff --git a/security/keymint/README.md b/security/keymint/README.md new file mode 100644 index 0000000000..54647af659 --- /dev/null +++ b/security/keymint/README.md @@ -0,0 +1,10 @@ +# KeyMint HAL + +This directory contains the HAL definition for KeyMint. KeyMint provides +cryptographic services in a hardware-isolated environment. + +Note that the `IRemotelyProvisionedComponent` HAL, and it's associated types, +used to also be defined in this directory. As of Android U, this HAL has been +moved to a different directory (../rkp). This move is ABI compatible, as the +interfaces have been maintained. The build is split so that the generated +code may be built with different options. diff --git a/security/keymint/aidl/aidl_api/android.hardware.security.keymint/1/.hash b/security/keymint/aidl/aidl_api/android.hardware.security.keymint/1/.hash index b712a5231b..3a6d4157d1 100644 --- a/security/keymint/aidl/aidl_api/android.hardware.security.keymint/1/.hash +++ b/security/keymint/aidl/aidl_api/android.hardware.security.keymint/1/.hash @@ -1 +1,2 @@ 976674616001f714f4a4df49ee45f548de828524 +cd862ae2e49b54fc965dc1b99c218eb729c93bb1 diff --git a/security/keymint/aidl/aidl_api/android.hardware.security.keymint/2/.hash b/security/keymint/aidl/aidl_api/android.hardware.security.keymint/2/.hash index 69ba9a6bc5..b4c2b78a70 100644 --- a/security/keymint/aidl/aidl_api/android.hardware.security.keymint/2/.hash +++ b/security/keymint/aidl/aidl_api/android.hardware.security.keymint/2/.hash @@ -1 +1,2 @@ 207c9f218b9b9e4e74ff5232eb16511eca9d7d2e +70c734fbd5cac5b36676d66d8d9aa941967e1e7b diff --git a/security/keymint/aidl/default/Android.bp b/security/keymint/aidl/default/Android.bp index 1a17fd4f71..17520b73c7 100644 --- a/security/keymint/aidl/default/Android.bp +++ b/security/keymint/aidl/default/Android.bp @@ -25,6 +25,7 @@ cc_binary { "keymint_use_latest_hal_aidl_ndk_shared", ], shared_libs: [ + "android.hardware.security.rkp-V3-ndk", "android.hardware.security.sharedsecret-V1-ndk", "android.hardware.security.secureclock-V1-ndk", "libbase", diff --git a/security/keymint/aidl/vts/functional/Android.bp b/security/keymint/aidl/vts/functional/Android.bp index ef5b0bda73..13143bf620 100644 --- a/security/keymint/aidl/vts/functional/Android.bp +++ b/security/keymint/aidl/vts/functional/Android.bp @@ -35,6 +35,7 @@ cc_defaults { "libcrypto", ], static_libs: [ + "android.hardware.security.rkp-V3-ndk", "android.hardware.security.secureclock-V1-ndk", "libcppbor_external", "libcppcose_rkp", diff --git a/security/keymint/support/Android.bp b/security/keymint/support/Android.bp index d7226cdaa0..efd6fc7800 100644 --- a/security/keymint/support/Android.bp +++ b/security/keymint/support/Android.bp @@ -63,6 +63,9 @@ cc_library { defaults: [ "keymint_use_latest_hal_aidl_ndk_shared", ], + static_libs: [ + "android.hardware.security.rkp-V3-ndk", + ], shared_libs: [ "libbase", "libbinder_ndk", diff --git a/security/keymint/RKP_CHANGELOG.md b/security/rkp/CHANGELOG.md similarity index 79% rename from security/keymint/RKP_CHANGELOG.md rename to security/rkp/CHANGELOG.md index 243fc26525..eb2041d146 100644 --- a/security/keymint/RKP_CHANGELOG.md +++ b/security/rkp/CHANGELOG.md @@ -19,6 +19,12 @@ This document provides an exact description of which changes have occurred in th * `uniqueId` String added as a field in order to differentiate IRPC instances on device. ## IRemotelyProvisionedComponent 2 -> 3 +* The RKP HAL now builds separately from KeyMint. + * The HAL remains under the `android.hardware.security.keymint` package for + compatibility with previous releases. ABI compatibility requires this. + * Dependencies on the RKP HAL must add a dependency on + `"android.hardware.security.rkp"` generated code (instead of + `"android.hardward.security.keymint"`). * ProtectedData has been removed. * DeviceInfo * `version` has moved to a top-level field within the CSR generated by the HAL diff --git a/security/keymint/RKP_README.md b/security/rkp/README.md similarity index 95% rename from security/keymint/RKP_README.md rename to security/rkp/README.md index 89a2598f66..5fb49486ce 100644 --- a/security/keymint/RKP_README.md +++ b/security/rkp/README.md @@ -6,8 +6,8 @@ Design a HAL to support over-the-air provisioning of certificates for asymmetric keys. The HAL must interact effectively with Keystore (and other daemons) and protect device privacy and security. -Note that this API is designed for KeyMint, but with the intention that it -should be usable for other HALs that require certificate provisioning. +Note that this API was originally designed for KeyMint, with the intention that +it should be usable for other HALs that require certificate provisioning. Throughout this document we'll refer to the Keystore and KeyMint (formerly called Keymaster) components, but only for concreteness and convenience; those labels could be replaced with the names of any system and secure area @@ -312,7 +312,7 @@ the range \[-70000, -70999\] (these are reserved for future additions here). ``` Please see -[ProtectedData.aidl](https://cs.android.com/android/platform/superproject/+/master:hardware/interfaces/security/keymint/aidl/android/hardware/security/keymint/ProtectedData.aidl) +[ProtectedData.aidl](https://cs.android.com/android/platform/superproject/+/master:hardware/interfaces/security/rkp/aidl/android/hardware/security/keymint/ProtectedData.aidl) for a full CDDL definition of the BCC. ### `CertificateRequest` @@ -366,9 +366,9 @@ Please see the related HAL documentation directly in the source code at the following links: * [IRemotelyProvisionedComponent - HAL](https://cs.android.com/android/platform/superproject/+/master:hardware/interfaces/security/keymint/aidl/android/hardware/security/keymint/IRemotelyProvisionedComponent.aidl) -* [ProtectedData](https://cs.android.com/android/platform/superproject/+/master:hardware/interfaces/security/keymint/aidl/android/hardware/security/keymint/ProtectedData.aidl) -* [MacedPublicKey](https://cs.android.com/android/platform/superproject/+/master:hardware/interfaces/security/keymint/aidl/android/hardware/security/keymint/MacedPublicKey.aidl) -* [RpcHardwareInfo](https://cs.android.com/android/platform/superproject/+/master:hardware/interfaces/security/keymint/aidl/android/hardware/security/keymint/RpcHardwareInfo.aidl) -* [DeviceInfo](https://cs.android.com/android/platform/superproject/+/master:hardware/interfaces/security/keymint/aidl/android/hardware/security/keymint/DeviceInfo.aidl) + HAL](https://cs.android.com/android/platform/superproject/+/master:hardware/interfaces/security/rkp/aidl/android/hardware/security/keymint/IRemotelyProvisionedComponent.aidl) +* [ProtectedData](https://cs.android.com/android/platform/superproject/+/master:hardware/interfaces/security/rkp/aidl/android/hardware/security/keymint/ProtectedData.aidl) +* [MacedPublicKey](https://cs.android.com/android/platform/superproject/+/master:hardware/interfaces/security/rkp/aidl/android/hardware/security/keymint/MacedPublicKey.aidl) +* [RpcHardwareInfo](https://cs.android.com/android/platform/superproject/+/master:hardware/interfaces/security/rkp/aidl/android/hardware/security/keymint/RpcHardwareInfo.aidl) +* [DeviceInfo](https://cs.android.com/android/platform/superproject/+/master:hardware/interfaces/security/rkp/aidl/android/hardware/security/keymint/DeviceInfo.aidl) diff --git a/security/rkp/aidl/Android.bp b/security/rkp/aidl/Android.bp new file mode 100644 index 0000000000..4c479f4642 --- /dev/null +++ b/security/rkp/aidl/Android.bp @@ -0,0 +1,37 @@ +package { + // See: http://go/android-license-faq + // A large-scale-change added 'default_applicable_licenses' to import + // all of the 'license_kinds' from "hardware_interfaces_license" + // to get the below license kinds: + // SPDX-license-identifier-Apache-2.0 + default_applicable_licenses: ["hardware_interfaces_license"], +} + +aidl_interface { + name: "android.hardware.security.rkp", + vendor_available: true, + srcs: [ + // This HAL was originally part of keymint. + "android/hardware/security/keymint/*.aidl", + + // in the future + // "android/hardware/security/rkp/*.aidl", + ], + stability: "vintf", + backend: { + java: { + min_sdk_version: "33", + }, + rust: { + enabled: true, + }, + }, + versions_with_info: [ + { + version: "1", + }, + { + version: "2", + }, + ], +} diff --git a/security/rkp/aidl/aidl_api/android.hardware.security.rkp/1/.hash b/security/rkp/aidl/aidl_api/android.hardware.security.rkp/1/.hash new file mode 100644 index 0000000000..404553bf36 --- /dev/null +++ b/security/rkp/aidl/aidl_api/android.hardware.security.rkp/1/.hash @@ -0,0 +1 @@ +d285480d2e0002adc0ace80edf34aa725679512e diff --git a/security/keymint/aidl/aidl_api/android.hardware.security.keymint/1/android/hardware/security/keymint/DeviceInfo.aidl b/security/rkp/aidl/aidl_api/android.hardware.security.rkp/1/android/hardware/security/keymint/DeviceInfo.aidl similarity index 100% rename from security/keymint/aidl/aidl_api/android.hardware.security.keymint/1/android/hardware/security/keymint/DeviceInfo.aidl rename to security/rkp/aidl/aidl_api/android.hardware.security.rkp/1/android/hardware/security/keymint/DeviceInfo.aidl diff --git a/security/keymint/aidl/aidl_api/android.hardware.security.keymint/1/android/hardware/security/keymint/IRemotelyProvisionedComponent.aidl b/security/rkp/aidl/aidl_api/android.hardware.security.rkp/1/android/hardware/security/keymint/IRemotelyProvisionedComponent.aidl similarity index 100% rename from security/keymint/aidl/aidl_api/android.hardware.security.keymint/1/android/hardware/security/keymint/IRemotelyProvisionedComponent.aidl rename to security/rkp/aidl/aidl_api/android.hardware.security.rkp/1/android/hardware/security/keymint/IRemotelyProvisionedComponent.aidl diff --git a/security/keymint/aidl/aidl_api/android.hardware.security.keymint/1/android/hardware/security/keymint/MacedPublicKey.aidl b/security/rkp/aidl/aidl_api/android.hardware.security.rkp/1/android/hardware/security/keymint/MacedPublicKey.aidl similarity index 100% rename from security/keymint/aidl/aidl_api/android.hardware.security.keymint/1/android/hardware/security/keymint/MacedPublicKey.aidl rename to security/rkp/aidl/aidl_api/android.hardware.security.rkp/1/android/hardware/security/keymint/MacedPublicKey.aidl diff --git a/security/keymint/aidl/aidl_api/android.hardware.security.keymint/1/android/hardware/security/keymint/ProtectedData.aidl b/security/rkp/aidl/aidl_api/android.hardware.security.rkp/1/android/hardware/security/keymint/ProtectedData.aidl similarity index 100% rename from security/keymint/aidl/aidl_api/android.hardware.security.keymint/1/android/hardware/security/keymint/ProtectedData.aidl rename to security/rkp/aidl/aidl_api/android.hardware.security.rkp/1/android/hardware/security/keymint/ProtectedData.aidl diff --git a/security/keymint/aidl/aidl_api/android.hardware.security.keymint/1/android/hardware/security/keymint/RpcHardwareInfo.aidl b/security/rkp/aidl/aidl_api/android.hardware.security.rkp/1/android/hardware/security/keymint/RpcHardwareInfo.aidl similarity index 100% rename from security/keymint/aidl/aidl_api/android.hardware.security.keymint/1/android/hardware/security/keymint/RpcHardwareInfo.aidl rename to security/rkp/aidl/aidl_api/android.hardware.security.rkp/1/android/hardware/security/keymint/RpcHardwareInfo.aidl diff --git a/security/rkp/aidl/aidl_api/android.hardware.security.rkp/2/.hash b/security/rkp/aidl/aidl_api/android.hardware.security.rkp/2/.hash new file mode 100644 index 0000000000..8700d33656 --- /dev/null +++ b/security/rkp/aidl/aidl_api/android.hardware.security.rkp/2/.hash @@ -0,0 +1 @@ +c8d34e56ae0807b61f028019622d8b60a37e0a8b diff --git a/security/keymint/aidl/aidl_api/android.hardware.security.keymint/2/android/hardware/security/keymint/DeviceInfo.aidl b/security/rkp/aidl/aidl_api/android.hardware.security.rkp/2/android/hardware/security/keymint/DeviceInfo.aidl similarity index 100% rename from security/keymint/aidl/aidl_api/android.hardware.security.keymint/2/android/hardware/security/keymint/DeviceInfo.aidl rename to security/rkp/aidl/aidl_api/android.hardware.security.rkp/2/android/hardware/security/keymint/DeviceInfo.aidl diff --git a/security/keymint/aidl/aidl_api/android.hardware.security.keymint/2/android/hardware/security/keymint/IRemotelyProvisionedComponent.aidl b/security/rkp/aidl/aidl_api/android.hardware.security.rkp/2/android/hardware/security/keymint/IRemotelyProvisionedComponent.aidl similarity index 100% rename from security/keymint/aidl/aidl_api/android.hardware.security.keymint/2/android/hardware/security/keymint/IRemotelyProvisionedComponent.aidl rename to security/rkp/aidl/aidl_api/android.hardware.security.rkp/2/android/hardware/security/keymint/IRemotelyProvisionedComponent.aidl diff --git a/security/keymint/aidl/aidl_api/android.hardware.security.keymint/2/android/hardware/security/keymint/MacedPublicKey.aidl b/security/rkp/aidl/aidl_api/android.hardware.security.rkp/2/android/hardware/security/keymint/MacedPublicKey.aidl similarity index 100% rename from security/keymint/aidl/aidl_api/android.hardware.security.keymint/2/android/hardware/security/keymint/MacedPublicKey.aidl rename to security/rkp/aidl/aidl_api/android.hardware.security.rkp/2/android/hardware/security/keymint/MacedPublicKey.aidl diff --git a/security/keymint/aidl/aidl_api/android.hardware.security.keymint/2/android/hardware/security/keymint/ProtectedData.aidl b/security/rkp/aidl/aidl_api/android.hardware.security.rkp/2/android/hardware/security/keymint/ProtectedData.aidl similarity index 100% rename from security/keymint/aidl/aidl_api/android.hardware.security.keymint/2/android/hardware/security/keymint/ProtectedData.aidl rename to security/rkp/aidl/aidl_api/android.hardware.security.rkp/2/android/hardware/security/keymint/ProtectedData.aidl diff --git a/security/keymint/aidl/aidl_api/android.hardware.security.keymint/2/android/hardware/security/keymint/RpcHardwareInfo.aidl b/security/rkp/aidl/aidl_api/android.hardware.security.rkp/2/android/hardware/security/keymint/RpcHardwareInfo.aidl similarity index 100% rename from security/keymint/aidl/aidl_api/android.hardware.security.keymint/2/android/hardware/security/keymint/RpcHardwareInfo.aidl rename to security/rkp/aidl/aidl_api/android.hardware.security.rkp/2/android/hardware/security/keymint/RpcHardwareInfo.aidl diff --git a/security/keymint/aidl/aidl_api/android.hardware.security.keymint/current/android/hardware/security/keymint/DeviceInfo.aidl b/security/rkp/aidl/aidl_api/android.hardware.security.rkp/current/android/hardware/security/keymint/DeviceInfo.aidl similarity index 100% rename from security/keymint/aidl/aidl_api/android.hardware.security.keymint/current/android/hardware/security/keymint/DeviceInfo.aidl rename to security/rkp/aidl/aidl_api/android.hardware.security.rkp/current/android/hardware/security/keymint/DeviceInfo.aidl diff --git a/security/keymint/aidl/aidl_api/android.hardware.security.keymint/current/android/hardware/security/keymint/IRemotelyProvisionedComponent.aidl b/security/rkp/aidl/aidl_api/android.hardware.security.rkp/current/android/hardware/security/keymint/IRemotelyProvisionedComponent.aidl similarity index 100% rename from security/keymint/aidl/aidl_api/android.hardware.security.keymint/current/android/hardware/security/keymint/IRemotelyProvisionedComponent.aidl rename to security/rkp/aidl/aidl_api/android.hardware.security.rkp/current/android/hardware/security/keymint/IRemotelyProvisionedComponent.aidl diff --git a/security/keymint/aidl/aidl_api/android.hardware.security.keymint/current/android/hardware/security/keymint/MacedPublicKey.aidl b/security/rkp/aidl/aidl_api/android.hardware.security.rkp/current/android/hardware/security/keymint/MacedPublicKey.aidl similarity index 100% rename from security/keymint/aidl/aidl_api/android.hardware.security.keymint/current/android/hardware/security/keymint/MacedPublicKey.aidl rename to security/rkp/aidl/aidl_api/android.hardware.security.rkp/current/android/hardware/security/keymint/MacedPublicKey.aidl diff --git a/security/keymint/aidl/aidl_api/android.hardware.security.keymint/current/android/hardware/security/keymint/ProtectedData.aidl b/security/rkp/aidl/aidl_api/android.hardware.security.rkp/current/android/hardware/security/keymint/ProtectedData.aidl similarity index 100% rename from security/keymint/aidl/aidl_api/android.hardware.security.keymint/current/android/hardware/security/keymint/ProtectedData.aidl rename to security/rkp/aidl/aidl_api/android.hardware.security.rkp/current/android/hardware/security/keymint/ProtectedData.aidl diff --git a/security/keymint/aidl/aidl_api/android.hardware.security.keymint/current/android/hardware/security/keymint/RpcHardwareInfo.aidl b/security/rkp/aidl/aidl_api/android.hardware.security.rkp/current/android/hardware/security/keymint/RpcHardwareInfo.aidl similarity index 100% rename from security/keymint/aidl/aidl_api/android.hardware.security.keymint/current/android/hardware/security/keymint/RpcHardwareInfo.aidl rename to security/rkp/aidl/aidl_api/android.hardware.security.rkp/current/android/hardware/security/keymint/RpcHardwareInfo.aidl diff --git a/security/keymint/aidl/android/hardware/security/keymint/DeviceInfo.aidl b/security/rkp/aidl/android/hardware/security/keymint/DeviceInfo.aidl similarity index 100% rename from security/keymint/aidl/android/hardware/security/keymint/DeviceInfo.aidl rename to security/rkp/aidl/android/hardware/security/keymint/DeviceInfo.aidl diff --git a/security/keymint/aidl/android/hardware/security/keymint/IRemotelyProvisionedComponent.aidl b/security/rkp/aidl/android/hardware/security/keymint/IRemotelyProvisionedComponent.aidl similarity index 100% rename from security/keymint/aidl/android/hardware/security/keymint/IRemotelyProvisionedComponent.aidl rename to security/rkp/aidl/android/hardware/security/keymint/IRemotelyProvisionedComponent.aidl diff --git a/security/keymint/aidl/android/hardware/security/keymint/MacedPublicKey.aidl b/security/rkp/aidl/android/hardware/security/keymint/MacedPublicKey.aidl similarity index 100% rename from security/keymint/aidl/android/hardware/security/keymint/MacedPublicKey.aidl rename to security/rkp/aidl/android/hardware/security/keymint/MacedPublicKey.aidl diff --git a/security/keymint/aidl/android/hardware/security/keymint/ProtectedData.aidl b/security/rkp/aidl/android/hardware/security/keymint/ProtectedData.aidl similarity index 100% rename from security/keymint/aidl/android/hardware/security/keymint/ProtectedData.aidl rename to security/rkp/aidl/android/hardware/security/keymint/ProtectedData.aidl diff --git a/security/keymint/aidl/android/hardware/security/keymint/RpcHardwareInfo.aidl b/security/rkp/aidl/android/hardware/security/keymint/RpcHardwareInfo.aidl similarity index 100% rename from security/keymint/aidl/android/hardware/security/keymint/RpcHardwareInfo.aidl rename to security/rkp/aidl/android/hardware/security/keymint/RpcHardwareInfo.aidl