From b8d8740cdf6b7216eda0ede4df2e84186d3a8973 Mon Sep 17 00:00:00 2001 From: Weston Carvalho Date: Wed, 10 May 2023 15:44:06 -0500 Subject: [PATCH] Create Secure Storage AIDL interface Test: mmm hardware/interfaces/staging/security/see/storage/aidl/ Bug: 278779487 Change-Id: I1aceb7fffcd9e8b60228d232cf1b610a07754ac0 --- staging/security/see/storage/aidl/Android.bp | 26 ++++ .../security/see/storage/CreationMode.aidl | 27 ++++ .../security/see/storage/DeleteOptions.aidl | 37 +++++ .../see/storage/FileAvailability.aidl | 25 ++++ .../security/see/storage/FileIntegrity.aidl | 33 +++++ .../security/see/storage/FileMode.aidl | 27 ++++ .../security/see/storage/FileProperties.aidl | 27 ++++ .../hardware/security/see/storage/IDir.aidl | 40 ++++++ .../hardware/security/see/storage/IFile.aidl | 95 +++++++++++++ .../security/see/storage/ISecureStorage.aidl | 47 +++++++ .../security/see/storage/IStorageSession.aidl | 129 ++++++++++++++++++ .../security/see/storage/OpenOptions.aidl | 51 +++++++ .../security/see/storage/ReadIntegrity.aidl | 41 ++++++ .../security/see/storage/RenameOptions.aidl | 41 ++++++ .../hardware/security/see/storage/Tamper.aidl | 28 ++++ 15 files changed, 674 insertions(+) create mode 100644 staging/security/see/storage/aidl/Android.bp create mode 100644 staging/security/see/storage/aidl/android/hardware/security/see/storage/CreationMode.aidl create mode 100644 staging/security/see/storage/aidl/android/hardware/security/see/storage/DeleteOptions.aidl create mode 100644 staging/security/see/storage/aidl/android/hardware/security/see/storage/FileAvailability.aidl create mode 100644 staging/security/see/storage/aidl/android/hardware/security/see/storage/FileIntegrity.aidl create mode 100644 staging/security/see/storage/aidl/android/hardware/security/see/storage/FileMode.aidl create mode 100644 staging/security/see/storage/aidl/android/hardware/security/see/storage/FileProperties.aidl create mode 100644 staging/security/see/storage/aidl/android/hardware/security/see/storage/IDir.aidl create mode 100644 staging/security/see/storage/aidl/android/hardware/security/see/storage/IFile.aidl create mode 100644 staging/security/see/storage/aidl/android/hardware/security/see/storage/ISecureStorage.aidl create mode 100644 staging/security/see/storage/aidl/android/hardware/security/see/storage/IStorageSession.aidl create mode 100644 staging/security/see/storage/aidl/android/hardware/security/see/storage/OpenOptions.aidl create mode 100644 staging/security/see/storage/aidl/android/hardware/security/see/storage/ReadIntegrity.aidl create mode 100644 staging/security/see/storage/aidl/android/hardware/security/see/storage/RenameOptions.aidl create mode 100644 staging/security/see/storage/aidl/android/hardware/security/see/storage/Tamper.aidl diff --git a/staging/security/see/storage/aidl/Android.bp b/staging/security/see/storage/aidl/Android.bp new file mode 100644 index 0000000000..f669be820a --- /dev/null +++ b/staging/security/see/storage/aidl/Android.bp @@ -0,0 +1,26 @@ +package { + default_applicable_licenses: ["hardware_interfaces_license"], +} + +aidl_interface { + name: "android.hardware.security.see.storage", + unstable: true, + host_supported: true, + srcs: [ + "android/hardware/security/see/storage/*.aidl", + ], + backend: { + java: { + enabled: false, + }, + cpp: { + enabled: true, + }, + ndk: { + enabled: true, + }, + rust: { + enabled: true, + }, + }, +} diff --git a/staging/security/see/storage/aidl/android/hardware/security/see/storage/CreationMode.aidl b/staging/security/see/storage/aidl/android/hardware/security/see/storage/CreationMode.aidl new file mode 100644 index 0000000000..1c65038745 --- /dev/null +++ b/staging/security/see/storage/aidl/android/hardware/security/see/storage/CreationMode.aidl @@ -0,0 +1,27 @@ +/* + * Copyright 2024 The Android Open Source Project + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ +package android.hardware.security.see.storage; + +enum CreationMode { + /** Returns an error if the file does not already exist. */ + NO_CREATE, + + /** Creates the file or returns an error if it already exists. */ + CREATE_EXCLUSIVE, + + /** Creates the file if it does not already exist. */ + CREATE, +} diff --git a/staging/security/see/storage/aidl/android/hardware/security/see/storage/DeleteOptions.aidl b/staging/security/see/storage/aidl/android/hardware/security/see/storage/DeleteOptions.aidl new file mode 100644 index 0000000000..1a94eb293e --- /dev/null +++ b/staging/security/see/storage/aidl/android/hardware/security/see/storage/DeleteOptions.aidl @@ -0,0 +1,37 @@ +/* + * Copyright 2024 The Android Open Source Project + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ +package android.hardware.security.see.storage; + +import android.hardware.security.see.storage.ReadIntegrity; + +parcelable DeleteOptions { + /** + * Set to acknowledge possible files tampering. + * + * If unacknowledged tampering is detected, the operation will fail with an ERR_FS_* + * service-specific code. + */ + ReadIntegrity readIntegrity = ReadIntegrity.NO_TAMPER; + + /** + * Allow writes to succeed while the filesystem is in the middle of an A/B update. + * + * If the A/B update fails, the operation will be rolled back. This rollback will not + * cause subsequent operations fail with any ERR_FS_* code nor will need to be + * acknowledged by setting the `readIntegrity`. + */ + boolean allowWritesDuringAbUpdate = false; +} diff --git a/staging/security/see/storage/aidl/android/hardware/security/see/storage/FileAvailability.aidl b/staging/security/see/storage/aidl/android/hardware/security/see/storage/FileAvailability.aidl new file mode 100644 index 0000000000..d33917090f --- /dev/null +++ b/staging/security/see/storage/aidl/android/hardware/security/see/storage/FileAvailability.aidl @@ -0,0 +1,25 @@ +/* + * Copyright 2024 The Android Open Source Project + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ +package android.hardware.security.see.storage; + +/** Determines how early during the boot process file is able to be accessed. */ +enum FileAvailability { + /** Available before userdata is mounted, but after android has booted. */ + BEFORE_USERDATA, + + /** Available after userdata is mounted. */ + AFTER_USERDATA, +} diff --git a/staging/security/see/storage/aidl/android/hardware/security/see/storage/FileIntegrity.aidl b/staging/security/see/storage/aidl/android/hardware/security/see/storage/FileIntegrity.aidl new file mode 100644 index 0000000000..1879b1680d --- /dev/null +++ b/staging/security/see/storage/aidl/android/hardware/security/see/storage/FileIntegrity.aidl @@ -0,0 +1,33 @@ +/* + * Copyright 2024 The Android Open Source Project + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ +package android.hardware.security.see.storage; + +enum FileIntegrity { + /** REE may prevent operations, but cannot alter data once written. */ + TAMPER_PROOF_AT_REST, + + /** + * REE may alter written data, but changes will be detected and reported as + * an error on read. + */ + TAMPER_DETECT, + + /** + * REE may alter written data. Changes other than full filesystem resets will be detected and + * reported. + */ + TAMPER_DETECT_IGNORE_RESET, +} diff --git a/staging/security/see/storage/aidl/android/hardware/security/see/storage/FileMode.aidl b/staging/security/see/storage/aidl/android/hardware/security/see/storage/FileMode.aidl new file mode 100644 index 0000000000..18a2eae3c8 --- /dev/null +++ b/staging/security/see/storage/aidl/android/hardware/security/see/storage/FileMode.aidl @@ -0,0 +1,27 @@ +/* + * Copyright 2024 The Android Open Source Project + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ +package android.hardware.security.see.storage; + +enum FileMode { + /** The file may only be read from. */ + READ_ONLY, + + /** The file may only be written to. */ + WRITE_ONLY, + + /** The file may be both read from and written to. */ + READ_WRITE, +} diff --git a/staging/security/see/storage/aidl/android/hardware/security/see/storage/FileProperties.aidl b/staging/security/see/storage/aidl/android/hardware/security/see/storage/FileProperties.aidl new file mode 100644 index 0000000000..733b5b06fa --- /dev/null +++ b/staging/security/see/storage/aidl/android/hardware/security/see/storage/FileProperties.aidl @@ -0,0 +1,27 @@ +/* + * Copyright 2024 The Android Open Source Project + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ +package android.hardware.security.see.storage; + +import android.hardware.security.see.storage.FileAvailability; +import android.hardware.security.see.storage.FileIntegrity; + +parcelable FileProperties { + FileIntegrity integrity = FileIntegrity.TAMPER_PROOF_AT_REST; + FileAvailability availability = FileAvailability.BEFORE_USERDATA; + + /** Whether the file is reset when user data is wiped. */ + boolean persistent; +} diff --git a/staging/security/see/storage/aidl/android/hardware/security/see/storage/IDir.aidl b/staging/security/see/storage/aidl/android/hardware/security/see/storage/IDir.aidl new file mode 100644 index 0000000000..a0a9f3d25b --- /dev/null +++ b/staging/security/see/storage/aidl/android/hardware/security/see/storage/IDir.aidl @@ -0,0 +1,40 @@ +/* + * Copyright 2024 The Android Open Source Project + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ +package android.hardware.security.see.storage; + +/** The interface for an open directory */ +interface IDir { + /** + * Gets the next batch of filenames in this directory. + * + * Calling multiple times will return different results as the IDir iterates through all the + * files it contains. When all filenames have been returned, all successive calls will return an + * empty list. + * + * @maxCount: + * the maximum number of filenames to return. A @maxCount of 0 signifies no limit on the + * number of filenames returned. + * + * Returns: + * An ordered list of filenames. If @maxCount > 0, the length of the returned list will be + * less than or equal to @maxCount. + * + * May return service-specific errors: + * - ERR_FS_* if the filesystem has been tampered with in a way that the `readIntegrity` the + * dir was opened with does not acknowledge + */ + @utf8InCpp String[] readNextFilenames(int maxCount); +} diff --git a/staging/security/see/storage/aidl/android/hardware/security/see/storage/IFile.aidl b/staging/security/see/storage/aidl/android/hardware/security/see/storage/IFile.aidl new file mode 100644 index 0000000000..ff26aa4d01 --- /dev/null +++ b/staging/security/see/storage/aidl/android/hardware/security/see/storage/IFile.aidl @@ -0,0 +1,95 @@ +/* + * Copyright 2024 The Android Open Source Project + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ +package android.hardware.security.see.storage; + +import android.hardware.security.see.storage.CreationMode; + +/** The interface for an open file */ +interface IFile { + /** + * Read bytes from this file. + * + * @size: + * the size (in bytes) of the segment to read. If @size is larger than the service's maximum + * read size, the call will return an error (EX_ILLEGAL_ARGUMENT). + * @offset: + * the offset (in bytes) at which to start reading + * + * Return: + * the sequence of bytes at [offset, offset + size) in the file + * + * May return service-specific errors: + * - ERR_FS_* if the filesystem has been tampered with in a way that the `readIntegrity` the + * file was opened with does not acknowledge + */ + byte[] read(long size, long offset); + + /** + * Write the bytes in `buffer` to this file. + * + * @offset: + * the offset (in bytes) at which to start writing + * + * Return: + * the number of bytes written successfully + * + * May return service-specific errors: + * - ERR_FS_* if the filesystem has been tampered with in a way that the `readIntegrity` the + * file was opened with does not acknowledge + */ + long write(long offset, in byte[] buffer); + + /** + * Reads this file's size. + * + * May return service-specific errors: + * - ERR_FS_* if the filesystem has been tampered with in a way that the `readIntegrity` the + * file was opened with does not acknowledge + */ + long getSize(); + + /** + * Sets this file's size. + * + * Truncates the file if `new_size` is less than the current size. If `new_size` is greater than + * the current size, the file will be extended with zeroed data. + * + * @newSize: + * the file's new size + * + * May return service-specific errors: + * - ERR_FS_* if the filesystem has been tampered with in a way that the `readIntegrity` the + * file was opened with does not acknowledge + */ + void setSize(long newSize); + + /** + * Renames this file. + * + * @destPath: + * the file's new path, relative to filesystem root + * @destCreateMode: + * controls creation behavior of the dest file + * + * May return service-specific errors: + * - ERR_NOT_FOUND if no file exists at @destPath and @destCreateMode is `NO_CREATE` + * - ERR_ALREADY_EXISTS if a file already exists at @destPath and @destCreateMode is + * `CREATE_EXCLUSIVE` + * - ERR_FS_* if the filesystem has been tampered with in a way that the `readIntegrity` the + * file was opened with does not acknowledge + */ + void rename(in @utf8InCpp String destPath, in CreationMode destCreateMode); +} diff --git a/staging/security/see/storage/aidl/android/hardware/security/see/storage/ISecureStorage.aidl b/staging/security/see/storage/aidl/android/hardware/security/see/storage/ISecureStorage.aidl new file mode 100644 index 0000000000..be3c045522 --- /dev/null +++ b/staging/security/see/storage/aidl/android/hardware/security/see/storage/ISecureStorage.aidl @@ -0,0 +1,47 @@ +/* + * Copyright 2024 The Android Open Source Project + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ +package android.hardware.security.see.storage; + +import android.hardware.security.see.storage.FileProperties; +import android.hardware.security.see.storage.IStorageSession; + +/** + * Interface for the Secure Storage HAL + * + * Creates sessions which can be used to access storage. + */ +interface ISecureStorage { + const int ERR_UNSUPPORTED_PROPERTIES = 1; + const int ERR_NOT_FOUND = 2; + const int ERR_ALREADY_EXISTS = 3; + const int ERR_BAD_TRANSACTION = 4; + + const int ERR_FS_RESET = 5; + const int ERR_FS_ROLLED_BACK = 6; + const int ERR_FS_TAMPERED = 7; + + /** + * Starts a storage session for a filesystem. + * + * @properties: + * the minimum filesystem properties requested for the session. + * + * May return service-specific errors: + * - ERR_UNSUPPORTED_PROPERTIES if no filesystems exist which meet the minimum requested + * requirements + */ + IStorageSession startSession(in FileProperties properties); +} diff --git a/staging/security/see/storage/aidl/android/hardware/security/see/storage/IStorageSession.aidl b/staging/security/see/storage/aidl/android/hardware/security/see/storage/IStorageSession.aidl new file mode 100644 index 0000000000..cd126b8a02 --- /dev/null +++ b/staging/security/see/storage/aidl/android/hardware/security/see/storage/IStorageSession.aidl @@ -0,0 +1,129 @@ +/* + * Copyright 2024 The Android Open Source Project + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ +package android.hardware.security.see.storage; + +import android.hardware.security.see.storage.DeleteOptions; +import android.hardware.security.see.storage.IDir; +import android.hardware.security.see.storage.IFile; +import android.hardware.security.see.storage.OpenOptions; +import android.hardware.security.see.storage.ReadIntegrity; +import android.hardware.security.see.storage.RenameOptions; + +/** + * Interface for a Secure Storage session + * + * When the connection is opened, it will start a transaction and any changes made through this + * session or the interfaces this session returns will be added to this transaction's pending + * changes. Calling `CommitChanges`/`AbandonChanges` will commit/abandon these pending changes, and + * start a new, empty transaction. The interfaces this session returns _remain_ valid across + * transactions; it is not necessary, for example, to reopen a file after a commit. + * + * Any changes still pending when the session is dropped will be abandoned. + */ +interface IStorageSession { + /** + * Commits any pending changes made through this session to storage. + * + * The session will no longer have pending changes after this call returns. Files may then still + * be modified through this session to create another commit. + * + * May return service-specific errors: + * - ERR_BAD_TRANSACTION + */ + void commitChanges(); + + /** + * Abandons any pending changes made through this session. + * + * The session can then be reused to make new changes. + */ + void abandonChanges(); + + /** + * Opens a secure file for writing and/or reading. + * + * Changes made to the file are part of the current transaction. Dropping this session + * invalidates the returned `IFile` interface + * + * @filePath: + * path to the file, relative to filesystem root + * @options: + * options controlling opening behavior + * + * May return service-specific errors: + * - ERR_NOT_FOUND + * - ERR_ALREADY_EXISTS + * - ERR_FS_* if the filesystem has been tampered with in a way that @options.readIntegrity + * does not acknowledge + */ + IFile openFile(in @utf8InCpp String filePath, in OpenOptions options); + + /** + * Delete a file. + * + * @filePath: + * path to the file, relative to filesystem root + * @options: + * options controlling deletion behavior + * + * May return service-specific errors: + * - ERR_NOT_FOUND + * - ERR_FS_* if the filesystem has been tampered with in a way that @options.readIntegrity + * does not acknowledge + */ + void deleteFile(in @utf8InCpp String filePath, in DeleteOptions options); + + /** + * Renames an existing file. + * + * The file must not already be opened. (If it is, use `IFile::rename`.) + * + * @currentPath: + * path to the file, relative to filesystem root + * @destPath: + * the file's new path, relative to filesystem root + * @options: + * options controlling rename behavior + * + * May return service-specific errors: + * - ERR_NOT_FOUND if no file exists at @currentPath, or if @options.destCreateMode is + * `NO_CREATE` and no file exists at @destPath + * - ERR_ALREADY_EXISTS if @options.destCreateMode is `CREATE_EXCLUSIVE` and a file exists at + * @destPath + * - ERR_FS_* if the filesystem has been tampered with in a way that @options.readIntegrity + * does not acknowledge + */ + void renameFile(in @utf8InCpp String currentPath, in @utf8InCpp String destPath, + in RenameOptions options); + + /** + * Opens a directory from a filesystem with the given properties. + * + * Dropping this session invalidates the returned `IDir` interface. + * + * @path: + * path to the directory, relative to filesystem root + * @readIntegrity: + * allow opening (and subsequent read/write operations) despite possible tampering for the + * directory + * + * May return service-specific errors: + * - ERR_NOT_FOUND + * - ERR_FS_* if the filesystem has been tampered with in a way that @readIntegrity does not + * acknowledge + */ + IDir openDir(in @utf8InCpp String path, in ReadIntegrity readIntegrity); +} diff --git a/staging/security/see/storage/aidl/android/hardware/security/see/storage/OpenOptions.aidl b/staging/security/see/storage/aidl/android/hardware/security/see/storage/OpenOptions.aidl new file mode 100644 index 0000000000..997ca62e60 --- /dev/null +++ b/staging/security/see/storage/aidl/android/hardware/security/see/storage/OpenOptions.aidl @@ -0,0 +1,51 @@ +/* + * Copyright 2024 The Android Open Source Project + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ +package android.hardware.security.see.storage; + +import android.hardware.security.see.storage.CreationMode; +import android.hardware.security.see.storage.FileMode; +import android.hardware.security.see.storage.ReadIntegrity; + +parcelable OpenOptions { + /** Controls creation behavior of the to-be-opened file. See `CreationMode` docs for details. */ + CreationMode createMode = CreationMode.NO_CREATE; + + /** Controls access behavior of the to-be-opened file. See `FileMode` docs for details. */ + FileMode accessMode = FileMode.READ_WRITE; + + /** + * Set to acknowledge possible files tampering. + * + * If unacknowledged tampering is detected, the operation will fail with an ERR_FS_* + * service-specific code. + */ + ReadIntegrity readIntegrity = ReadIntegrity.NO_TAMPER; + + /** + * If this file already exists, discard existing content and open + * it as a new file. No semantic change if the file does not exist. + */ + boolean truncateOnOpen; + + /** + * Allow writes to succeed while the filesystem is in the middle of an A/B update. + * + * If the A/B update fails, the operation will be rolled back. This rollback will not + * cause subsequent operations fail with any ERR_FS_* code nor will need to be + * acknowledged by setting the `readIntegrity`. + */ + boolean allowWritesDuringAbUpdate = false; +} diff --git a/staging/security/see/storage/aidl/android/hardware/security/see/storage/ReadIntegrity.aidl b/staging/security/see/storage/aidl/android/hardware/security/see/storage/ReadIntegrity.aidl new file mode 100644 index 0000000000..cc0e4f998d --- /dev/null +++ b/staging/security/see/storage/aidl/android/hardware/security/see/storage/ReadIntegrity.aidl @@ -0,0 +1,41 @@ +/* + * Copyright 2024 The Android Open Source Project + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ +package android.hardware.security.see.storage; + +enum ReadIntegrity { + /** + * Return an error on reads if any REE alteration of the written data + * has been detected. + */ + NO_TAMPER, + + /** + * Return an error on reads if any REE alteration other than a reset + * has been detected. + */ + IGNORE_RESET, + + /** + * Return an error if any REE alteration other than a rollback to a + * valid checkpoint has been detected. (What makes a checkpoint valid is + * implementation defined; an implementation might take a checkpoint on its + * first post-factory boot. A reset is a rollback to the initial state.) + */ + IGNORE_ROLLBACK, + + // There's no `IGNORE_ALL` because if REE has done any alteration other + // than a rollback, the file contents will be known-bad data. +} diff --git a/staging/security/see/storage/aidl/android/hardware/security/see/storage/RenameOptions.aidl b/staging/security/see/storage/aidl/android/hardware/security/see/storage/RenameOptions.aidl new file mode 100644 index 0000000000..f55ea7f60e --- /dev/null +++ b/staging/security/see/storage/aidl/android/hardware/security/see/storage/RenameOptions.aidl @@ -0,0 +1,41 @@ +/* + * Copyright 2024 The Android Open Source Project + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ +package android.hardware.security.see.storage; + +import android.hardware.security.see.storage.CreationMode; +import android.hardware.security.see.storage.ReadIntegrity; + +parcelable RenameOptions { + /** Controls creation behavior of the dest file. See `CreationMode` docs for details. */ + CreationMode destCreateMode = CreationMode.CREATE_EXCLUSIVE; + + /** + * Set to acknowledge possible files tampering. + * + * If unacknowledged tampering is detected, the operation will fail with an ERR_FS_* + * service-specific code. + */ + ReadIntegrity readIntegrity = ReadIntegrity.NO_TAMPER; + + /** + * Allow writes to succeed while the filesystem is in the middle of an A/B update. + * + * If the A/B update fails, the operation will be rolled back. This rollback will not + * cause subsequent operations fail with any ERR_FS_* code nor will need to be + * acknowledged by setting the `readIntegrity`. + */ + boolean allowWritesDuringAbUpdate = false; +} diff --git a/staging/security/see/storage/aidl/android/hardware/security/see/storage/Tamper.aidl b/staging/security/see/storage/aidl/android/hardware/security/see/storage/Tamper.aidl new file mode 100644 index 0000000000..0a39fdd371 --- /dev/null +++ b/staging/security/see/storage/aidl/android/hardware/security/see/storage/Tamper.aidl @@ -0,0 +1,28 @@ +/* + * Copyright 2024 The Android Open Source Project + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ +package android.hardware.security.see.storage; + +/** Specifies types of REE tampering the filesystem may detect */ +enum Tamper { + /** REE has reset this file or the containing file system. */ + RESET, + + /** REE has rolled back this file or the containing file system to a previous state. */ + ROLLBACK, + + /** REE has made some other modification to the file. */ + OTHER, +}