Merge "Add STORAGE_KEY tag to keymaster 4.1"

2026-02-01 10:44:41 +00:00 · 2020-01-22 22:00:46 +00:00
parent 363f96ac3e 9bc9059842
commit 79b9f5026d
3 changed files with 21 additions and 1 deletions
--- a/current.txt
+++ b/current.txt
@@ -647,7 +647,7 @@ bbeee9604128ede83ee755b67e73b5ad29e6e1dbac9ec41fea6ffe2745b0c50a android.hardwar
 6e1e28a96c90ba78d47257faea3f3bb4e6360affbbfa5822f0dc31211f9266ff android.hardware.identity@1.0::IWritableIdentityCredential
 27ae3724053940462114228872b3ffaf0b8e6177d5ba97f5a76339d12b8a99dd android.hardware.keymaster@4.1::IKeymasterDevice
 adb0efdf1462e9b2e742c0dcadd598666aac551f178be06e755bfcdf5797abd0 android.hardware.keymaster@4.1::IOperation
-ac429fca0da4ce91218768ec31b64ded88251f8a26d8c4f27c06abdc5b1926d9 android.hardware.keymaster@4.1::types
+ddcf89cd8ee2df0d32aee55050826446fb64f7aafde0a7cd946c64f61b1a364c android.hardware.keymaster@4.1::types
 df9c79c4fdde2821550c6d5c3d07f5ec0adfb1b702561ce543c906ddef698703 android.hardware.media.c2@1.1::IComponent
 a3eddd9bbdc87e8c22764070037dd1154f1cf006e6fba93364c4f85d4c134a19 android.hardware.media.c2@1.1::IComponentStore
 65c16331e57f6dd68b3971f06f78fe9e3209afb60630c31705aa355f9a52bf0d android.hardware.neuralnetworks@1.3::IBuffer
--- a/keymaster/4.1/support/include/keymasterV4_1/keymaster_tags.h
+++ b/keymaster/4.1/support/include/keymasterV4_1/keymaster_tags.h
@@ -100,6 +100,7 @@ using V4_0::TAG_VENDOR_PATCHLEVEL;

 DECLARE_KM_4_1_TYPED_TAG(EARLY_BOOT_ONLY);
 DECLARE_KM_4_1_TYPED_TAG(DEVICE_UNIQUE_ATTESTATION);
+DECLARE_KM_4_1_TYPED_TAG(STORAGE_KEY);

 }  // namespace android::hardware::keymaster::V4_1

--- a/keymaster/4.1/types.hal
+++ b/keymaster/4.1/types.hal
@@ -50,10 +50,29 @@ enum Tag : @4.0::Tag {
     * HAL attests to Credential Keys.  IIdentityCredential produces Keymaster-style attestations.
     */
    IDENTITY_CREDENTIAL_KEY = TagType:BOOL | 721,
+
+    /**
+     * To prevent keys from being compromised if an attacker acquires read access to system / kernel
+     * memory, some inline encryption hardware supports protecting storage encryption keys in hardware
+     * without software having access to or the ability to set the plaintext keys. Instead, software
+     * only sees wrapped version of these keys.
+     *
+     * STORAGE_KEY is used to denote that a key generated or imported is a key used for storage
+     * encryption. Keys of this type can either be generated or imported or secure imported using
+     * keymaster. exportKey() can be used to re-wrap storage key with a per-boot ephemeral key wrapped
+     * key once the key characteristics are enforced.
+     *
+     * Keys with this tag cannot be used for any operation within keymaster.
+     * ErrorCode::INVALID_OPERATION is returned when a key with Tag::STORAGE_KEY is provided to
+     * begin().
+     */
+    STORAGE_KEY = TagType:BOOL | 722,
 };

 enum ErrorCode : @4.0::ErrorCode {
    EARLY_BOOT_ENDED = -73,
    ATTESTATION_KEYS_NOT_PROVISIONED = -74,
    ATTESTATION_IDS_NOT_PROVISIONED = -75,
+    INVALID_OPERATION = -76,
+    STORAGE_KEY_UNSUPPORTED = -77,
 };