Change KeyCharacteristics

Support key characteristics with three security levels, do not store
unenforced authorizations with keys or bind them to keys.

Bug: 163606833
Test: atest VtsAidlKeyMintTargetTest
Change-Id: Idbc523f16d8ef66ec38e0d503ad579a93c49e7b4

security/keymint/aidl/aidl_api/android.hardware.security.keymint/current/android/hardware/security/keymint/Algorithm.aidl

@@ -2,13 +2,14 @@
 // THIS FILE IS IMMUTABLE. DO NOT EDIT IN ANY CASE.                          //
 ///////////////////////////////////////////////////////////////////////////////
 
-// This file is a snapshot of an AIDL interface (or parcelable). Do not try to
+// This file is a snapshot of an AIDL file. Do not edit it manually. There are
-// edit this file. It looks like you are doing that because you have modified
+// two cases:
-// an AIDL interface in a backward-incompatible way, e.g., deleting a function
+// 1). this is a frozen version file - do not edit this in any case.
-// from an interface or a field from a parcelable and it broke the build. That
+// 2). this is a 'current' file. If you make a backwards compatible change to
-// breakage is intended.
+//     the interface (from the latest frozen version), the build system will
+//     prompt you to update this file with `m <name>-update-api`.
 //
-// You must not make a backward incompatible changes to the AIDL files built
+// You must not make a backward incompatible change to any AIDL file built
 // with the aidl_interface module type with versions property set. The module
 // type is used to build AIDL files in a way that they can be used across
 // independently updatable components of the system. If a device is shipped

security/keymint/aidl/aidl_api/android.hardware.security.keymint/current/android/hardware/security/keymint/BeginResult.aidl

@@ -2,13 +2,14 @@
 // THIS FILE IS IMMUTABLE. DO NOT EDIT IN ANY CASE.                          //
 ///////////////////////////////////////////////////////////////////////////////
 
-// This file is a snapshot of an AIDL interface (or parcelable). Do not try to
+// This file is a snapshot of an AIDL file. Do not edit it manually. There are
-// edit this file. It looks like you are doing that because you have modified
+// two cases:
-// an AIDL interface in a backward-incompatible way, e.g., deleting a function
+// 1). this is a frozen version file - do not edit this in any case.
-// from an interface or a field from a parcelable and it broke the build. That
+// 2). this is a 'current' file. If you make a backwards compatible change to
-// breakage is intended.
+//     the interface (from the latest frozen version), the build system will
+//     prompt you to update this file with `m <name>-update-api`.
 //
-// You must not make a backward incompatible changes to the AIDL files built
+// You must not make a backward incompatible change to any AIDL file built
 // with the aidl_interface module type with versions property set. The module
 // type is used to build AIDL files in a way that they can be used across
 // independently updatable components of the system. If a device is shipped

security/keymint/aidl/aidl_api/android.hardware.security.keymint/current/android/hardware/security/keymint/BlockMode.aidl

@@ -2,13 +2,14 @@
 // THIS FILE IS IMMUTABLE. DO NOT EDIT IN ANY CASE.                          //
 ///////////////////////////////////////////////////////////////////////////////
 
-// This file is a snapshot of an AIDL interface (or parcelable). Do not try to
+// This file is a snapshot of an AIDL file. Do not edit it manually. There are
-// edit this file. It looks like you are doing that because you have modified
+// two cases:
-// an AIDL interface in a backward-incompatible way, e.g., deleting a function
+// 1). this is a frozen version file - do not edit this in any case.
-// from an interface or a field from a parcelable and it broke the build. That
+// 2). this is a 'current' file. If you make a backwards compatible change to
-// breakage is intended.
+//     the interface (from the latest frozen version), the build system will
+//     prompt you to update this file with `m <name>-update-api`.
 //
-// You must not make a backward incompatible changes to the AIDL files built
+// You must not make a backward incompatible change to any AIDL file built
 // with the aidl_interface module type with versions property set. The module
 // type is used to build AIDL files in a way that they can be used across
 // independently updatable components of the system. If a device is shipped

security/keymint/aidl/aidl_api/android.hardware.security.keymint/current/android/hardware/security/keymint/ByteArray.aidl

@@ -2,13 +2,14 @@
 // THIS FILE IS IMMUTABLE. DO NOT EDIT IN ANY CASE.                          //
 ///////////////////////////////////////////////////////////////////////////////
 
-// This file is a snapshot of an AIDL interface (or parcelable). Do not try to
+// This file is a snapshot of an AIDL file. Do not edit it manually. There are
-// edit this file. It looks like you are doing that because you have modified
+// two cases:
-// an AIDL interface in a backward-incompatible way, e.g., deleting a function
+// 1). this is a frozen version file - do not edit this in any case.
-// from an interface or a field from a parcelable and it broke the build. That
+// 2). this is a 'current' file. If you make a backwards compatible change to
-// breakage is intended.
+//     the interface (from the latest frozen version), the build system will
+//     prompt you to update this file with `m <name>-update-api`.
 //
-// You must not make a backward incompatible changes to the AIDL files built
+// You must not make a backward incompatible change to any AIDL file built
 // with the aidl_interface module type with versions property set. The module
 // type is used to build AIDL files in a way that they can be used across
 // independently updatable components of the system. If a device is shipped

security/keymint/aidl/aidl_api/android.hardware.security.keymint/current/android/hardware/security/keymint/Certificate.aidl

@@ -2,13 +2,14 @@
 // THIS FILE IS IMMUTABLE. DO NOT EDIT IN ANY CASE.                          //
 ///////////////////////////////////////////////////////////////////////////////
 
-// This file is a snapshot of an AIDL interface (or parcelable). Do not try to
+// This file is a snapshot of an AIDL file. Do not edit it manually. There are
-// edit this file. It looks like you are doing that because you have modified
+// two cases:
-// an AIDL interface in a backward-incompatible way, e.g., deleting a function
+// 1). this is a frozen version file - do not edit this in any case.
-// from an interface or a field from a parcelable and it broke the build. That
+// 2). this is a 'current' file. If you make a backwards compatible change to
-// breakage is intended.
+//     the interface (from the latest frozen version), the build system will
+//     prompt you to update this file with `m <name>-update-api`.
 //
-// You must not make a backward incompatible changes to the AIDL files built
+// You must not make a backward incompatible change to any AIDL file built
 // with the aidl_interface module type with versions property set. The module
 // type is used to build AIDL files in a way that they can be used across
 // independently updatable components of the system. If a device is shipped

security/keymint/aidl/aidl_api/android.hardware.security.keymint/current/android/hardware/security/keymint/Digest.aidl

@@ -2,13 +2,14 @@
 // THIS FILE IS IMMUTABLE. DO NOT EDIT IN ANY CASE.                          //
 ///////////////////////////////////////////////////////////////////////////////
 
-// This file is a snapshot of an AIDL interface (or parcelable). Do not try to
+// This file is a snapshot of an AIDL file. Do not edit it manually. There are
-// edit this file. It looks like you are doing that because you have modified
+// two cases:
-// an AIDL interface in a backward-incompatible way, e.g., deleting a function
+// 1). this is a frozen version file - do not edit this in any case.
-// from an interface or a field from a parcelable and it broke the build. That
+// 2). this is a 'current' file. If you make a backwards compatible change to
-// breakage is intended.
+//     the interface (from the latest frozen version), the build system will
+//     prompt you to update this file with `m <name>-update-api`.
 //
-// You must not make a backward incompatible changes to the AIDL files built
+// You must not make a backward incompatible change to any AIDL file built
 // with the aidl_interface module type with versions property set. The module
 // type is used to build AIDL files in a way that they can be used across
 // independently updatable components of the system. If a device is shipped

security/keymint/aidl/aidl_api/android.hardware.security.keymint/current/android/hardware/security/keymint/EcCurve.aidl

@@ -2,13 +2,14 @@
 // THIS FILE IS IMMUTABLE. DO NOT EDIT IN ANY CASE.                          //
 ///////////////////////////////////////////////////////////////////////////////
 
-// This file is a snapshot of an AIDL interface (or parcelable). Do not try to
+// This file is a snapshot of an AIDL file. Do not edit it manually. There are
-// edit this file. It looks like you are doing that because you have modified
+// two cases:
-// an AIDL interface in a backward-incompatible way, e.g., deleting a function
+// 1). this is a frozen version file - do not edit this in any case.
-// from an interface or a field from a parcelable and it broke the build. That
+// 2). this is a 'current' file. If you make a backwards compatible change to
-// breakage is intended.
+//     the interface (from the latest frozen version), the build system will
+//     prompt you to update this file with `m <name>-update-api`.
 //
-// You must not make a backward incompatible changes to the AIDL files built
+// You must not make a backward incompatible change to any AIDL file built
 // with the aidl_interface module type with versions property set. The module
 // type is used to build AIDL files in a way that they can be used across
 // independently updatable components of the system. If a device is shipped

security/keymint/aidl/aidl_api/android.hardware.security.keymint/current/android/hardware/security/keymint/ErrorCode.aidl

@@ -2,13 +2,14 @@
 // THIS FILE IS IMMUTABLE. DO NOT EDIT IN ANY CASE.                          //
 ///////////////////////////////////////////////////////////////////////////////
 
-// This file is a snapshot of an AIDL interface (or parcelable). Do not try to
+// This file is a snapshot of an AIDL file. Do not edit it manually. There are
-// edit this file. It looks like you are doing that because you have modified
+// two cases:
-// an AIDL interface in a backward-incompatible way, e.g., deleting a function
+// 1). this is a frozen version file - do not edit this in any case.
-// from an interface or a field from a parcelable and it broke the build. That
+// 2). this is a 'current' file. If you make a backwards compatible change to
-// breakage is intended.
+//     the interface (from the latest frozen version), the build system will
+//     prompt you to update this file with `m <name>-update-api`.
 //
-// You must not make a backward incompatible changes to the AIDL files built
+// You must not make a backward incompatible change to any AIDL file built
 // with the aidl_interface module type with versions property set. The module
 // type is used to build AIDL files in a way that they can be used across
 // independently updatable components of the system. If a device is shipped

security/keymint/aidl/aidl_api/android.hardware.security.keymint/current/android/hardware/security/keymint/HardwareAuthToken.aidl

@@ -2,13 +2,14 @@
 // THIS FILE IS IMMUTABLE. DO NOT EDIT IN ANY CASE.                          //
 ///////////////////////////////////////////////////////////////////////////////
 
-// This file is a snapshot of an AIDL interface (or parcelable). Do not try to
+// This file is a snapshot of an AIDL file. Do not edit it manually. There are
-// edit this file. It looks like you are doing that because you have modified
+// two cases:
-// an AIDL interface in a backward-incompatible way, e.g., deleting a function
+// 1). this is a frozen version file - do not edit this in any case.
-// from an interface or a field from a parcelable and it broke the build. That
+// 2). this is a 'current' file. If you make a backwards compatible change to
-// breakage is intended.
+//     the interface (from the latest frozen version), the build system will
+//     prompt you to update this file with `m <name>-update-api`.
 //
-// You must not make a backward incompatible changes to the AIDL files built
+// You must not make a backward incompatible change to any AIDL file built
 // with the aidl_interface module type with versions property set. The module
 // type is used to build AIDL files in a way that they can be used across
 // independently updatable components of the system. If a device is shipped

security/keymint/aidl/aidl_api/android.hardware.security.keymint/current/android/hardware/security/keymint/HardwareAuthenticatorType.aidl

@@ -2,13 +2,14 @@
 // THIS FILE IS IMMUTABLE. DO NOT EDIT IN ANY CASE.                          //
 ///////////////////////////////////////////////////////////////////////////////
 
-// This file is a snapshot of an AIDL interface (or parcelable). Do not try to
+// This file is a snapshot of an AIDL file. Do not edit it manually. There are
-// edit this file. It looks like you are doing that because you have modified
+// two cases:
-// an AIDL interface in a backward-incompatible way, e.g., deleting a function
+// 1). this is a frozen version file - do not edit this in any case.
-// from an interface or a field from a parcelable and it broke the build. That
+// 2). this is a 'current' file. If you make a backwards compatible change to
-// breakage is intended.
+//     the interface (from the latest frozen version), the build system will
+//     prompt you to update this file with `m <name>-update-api`.
 //
-// You must not make a backward incompatible changes to the AIDL files built
+// You must not make a backward incompatible change to any AIDL file built
 // with the aidl_interface module type with versions property set. The module
 // type is used to build AIDL files in a way that they can be used across
 // independently updatable components of the system. If a device is shipped

security/keymint/aidl/aidl_api/android.hardware.security.keymint/current/android/hardware/security/keymint/IKeyMintDevice.aidl

@@ -2,13 +2,14 @@
 // THIS FILE IS IMMUTABLE. DO NOT EDIT IN ANY CASE.                          //
 ///////////////////////////////////////////////////////////////////////////////
 
-// This file is a snapshot of an AIDL interface (or parcelable). Do not try to
+// This file is a snapshot of an AIDL file. Do not edit it manually. There are
-// edit this file. It looks like you are doing that because you have modified
+// two cases:
-// an AIDL interface in a backward-incompatible way, e.g., deleting a function
+// 1). this is a frozen version file - do not edit this in any case.
-// from an interface or a field from a parcelable and it broke the build. That
+// 2). this is a 'current' file. If you make a backwards compatible change to
-// breakage is intended.
+//     the interface (from the latest frozen version), the build system will
+//     prompt you to update this file with `m <name>-update-api`.
 //
-// You must not make a backward incompatible changes to the AIDL files built
+// You must not make a backward incompatible change to any AIDL file built
 // with the aidl_interface module type with versions property set. The module
 // type is used to build AIDL files in a way that they can be used across
 // independently updatable components of the system. If a device is shipped
@@ -21,9 +22,9 @@ interface IKeyMintDevice {
   android.hardware.security.keymint.KeyMintHardwareInfo getHardwareInfo();
   android.hardware.security.keymint.VerificationToken verifyAuthorization(in long challenge, in android.hardware.security.keymint.HardwareAuthToken token);
   void addRngEntropy(in byte[] data);
-  void generateKey(in android.hardware.security.keymint.KeyParameter[] keyParams, out android.hardware.security.keymint.ByteArray generatedKeyBlob, out android.hardware.security.keymint.KeyCharacteristics generatedKeyCharacteristics, out android.hardware.security.keymint.Certificate[] outCertChain);
+  android.hardware.security.keymint.KeyCreationResult generateKey(in android.hardware.security.keymint.KeyParameter[] keyParams);
-  void importKey(in android.hardware.security.keymint.KeyParameter[] inKeyParams, in android.hardware.security.keymint.KeyFormat inKeyFormat, in byte[] inKeyData, out android.hardware.security.keymint.ByteArray outImportedKeyBlob, out android.hardware.security.keymint.KeyCharacteristics outImportedKeyCharacteristics, out android.hardware.security.keymint.Certificate[] outCertChain);
+  android.hardware.security.keymint.KeyCreationResult importKey(in android.hardware.security.keymint.KeyParameter[] keyParams, in android.hardware.security.keymint.KeyFormat keyFormat, in byte[] keyData);
-  void importWrappedKey(in byte[] inWrappedKeyData, in byte[] inWrappingKeyBlob, in byte[] inMaskingKey, in android.hardware.security.keymint.KeyParameter[] inUnwrappingParams, in long inPasswordSid, in long inBiometricSid, out android.hardware.security.keymint.ByteArray outImportedKeyBlob, out android.hardware.security.keymint.KeyCharacteristics outImportedKeyCharacteristics);
+  android.hardware.security.keymint.KeyCreationResult importWrappedKey(in byte[] wrappedKeyData, in byte[] wrappingKeyBlob, in byte[] maskingKey, in android.hardware.security.keymint.KeyParameter[] unwrappingParams, in long passwordSid, in long biometricSid);
   byte[] upgradeKey(in byte[] inKeyBlobToUpgrade, in android.hardware.security.keymint.KeyParameter[] inUpgradeParams);
   void deleteKey(in byte[] inKeyBlob);
   void deleteAllKeys();

security/keymint/aidl/aidl_api/android.hardware.security.keymint/current/android/hardware/security/keymint/IKeyMintOperation.aidl

@@ -2,13 +2,14 @@
 // THIS FILE IS IMMUTABLE. DO NOT EDIT IN ANY CASE.                          //
 ///////////////////////////////////////////////////////////////////////////////
 
-// This file is a snapshot of an AIDL interface (or parcelable). Do not try to
+// This file is a snapshot of an AIDL file. Do not edit it manually. There are
-// edit this file. It looks like you are doing that because you have modified
+// two cases:
-// an AIDL interface in a backward-incompatible way, e.g., deleting a function
+// 1). this is a frozen version file - do not edit this in any case.
-// from an interface or a field from a parcelable and it broke the build. That
+// 2). this is a 'current' file. If you make a backwards compatible change to
-// breakage is intended.
+//     the interface (from the latest frozen version), the build system will
+//     prompt you to update this file with `m <name>-update-api`.
 //
-// You must not make a backward incompatible changes to the AIDL files built
+// You must not make a backward incompatible change to any AIDL file built
 // with the aidl_interface module type with versions property set. The module
 // type is used to build AIDL files in a way that they can be used across
 // independently updatable components of the system. If a device is shipped

security/keymint/aidl/aidl_api/android.hardware.security.keymint/current/android/hardware/security/keymint/KeyCharacteristics.aidl

@@ -2,13 +2,14 @@
 // THIS FILE IS IMMUTABLE. DO NOT EDIT IN ANY CASE.                          //
 ///////////////////////////////////////////////////////////////////////////////
 
-// This file is a snapshot of an AIDL interface (or parcelable). Do not try to
+// This file is a snapshot of an AIDL file. Do not edit it manually. There are
-// edit this file. It looks like you are doing that because you have modified
+// two cases:
-// an AIDL interface in a backward-incompatible way, e.g., deleting a function
+// 1). this is a frozen version file - do not edit this in any case.
-// from an interface or a field from a parcelable and it broke the build. That
+// 2). this is a 'current' file. If you make a backwards compatible change to
-// breakage is intended.
+//     the interface (from the latest frozen version), the build system will
+//     prompt you to update this file with `m <name>-update-api`.
 //
-// You must not make a backward incompatible changes to the AIDL files built
+// You must not make a backward incompatible change to any AIDL file built
 // with the aidl_interface module type with versions property set. The module
 // type is used to build AIDL files in a way that they can be used across
 // independently updatable components of the system. If a device is shipped
@@ -18,6 +19,6 @@
 package android.hardware.security.keymint;
 @VintfStability
 parcelable KeyCharacteristics {
-  android.hardware.security.keymint.KeyParameter[] softwareEnforced;
+  android.hardware.security.keymint.SecurityLevel securityLevel;
-  android.hardware.security.keymint.KeyParameter[] hardwareEnforced;
+  android.hardware.security.keymint.KeyParameter[] authorizations;
 }

security/keymint/aidl/aidl_api/android.hardware.security.keymint/current/android/hardware/security/keymint/KeyCreationResult.aidl

@@ -0,0 +1,25 @@
+///////////////////////////////////////////////////////////////////////////////
+// THIS FILE IS IMMUTABLE. DO NOT EDIT IN ANY CASE.                          //
+///////////////////////////////////////////////////////////////////////////////
+
+// This file is a snapshot of an AIDL file. Do not edit it manually. There are
+// two cases:
+// 1). this is a frozen version file - do not edit this in any case.
+// 2). this is a 'current' file. If you make a backwards compatible change to
+//     the interface (from the latest frozen version), the build system will
+//     prompt you to update this file with `m <name>-update-api`.
+//
+// You must not make a backward incompatible change to any AIDL file built
+// with the aidl_interface module type with versions property set. The module
+// type is used to build AIDL files in a way that they can be used across
+// independently updatable components of the system. If a device is shipped
+// with such a backward incompatible change, it has a high risk of breaking
+// later when a module using the interface is updated, e.g., Mainline modules.
+
+package android.hardware.security.keymint;
+@VintfStability
+parcelable KeyCreationResult {
+  byte[] keyBlob;
+  android.hardware.security.keymint.KeyCharacteristics[] keyCharacteristics;
+  android.hardware.security.keymint.Certificate[] certificateChain;
+}

security/keymint/aidl/aidl_api/android.hardware.security.keymint/current/android/hardware/security/keymint/KeyFormat.aidl

@@ -2,13 +2,14 @@
 // THIS FILE IS IMMUTABLE. DO NOT EDIT IN ANY CASE.                          //
 ///////////////////////////////////////////////////////////////////////////////
 
-// This file is a snapshot of an AIDL interface (or parcelable). Do not try to
+// This file is a snapshot of an AIDL file. Do not edit it manually. There are
-// edit this file. It looks like you are doing that because you have modified
+// two cases:
-// an AIDL interface in a backward-incompatible way, e.g., deleting a function
+// 1). this is a frozen version file - do not edit this in any case.
-// from an interface or a field from a parcelable and it broke the build. That
+// 2). this is a 'current' file. If you make a backwards compatible change to
-// breakage is intended.
+//     the interface (from the latest frozen version), the build system will
+//     prompt you to update this file with `m <name>-update-api`.
 //
-// You must not make a backward incompatible changes to the AIDL files built
+// You must not make a backward incompatible change to any AIDL file built
 // with the aidl_interface module type with versions property set. The module
 // type is used to build AIDL files in a way that they can be used across
 // independently updatable components of the system. If a device is shipped

security/keymint/aidl/aidl_api/android.hardware.security.keymint/current/android/hardware/security/keymint/KeyMintHardwareInfo.aidl

@@ -2,13 +2,14 @@
 // THIS FILE IS IMMUTABLE. DO NOT EDIT IN ANY CASE.                          //
 ///////////////////////////////////////////////////////////////////////////////
 
-// This file is a snapshot of an AIDL interface (or parcelable). Do not try to
+// This file is a snapshot of an AIDL file. Do not edit it manually. There are
-// edit this file. It looks like you are doing that because you have modified
+// two cases:
-// an AIDL interface in a backward-incompatible way, e.g., deleting a function
+// 1). this is a frozen version file - do not edit this in any case.
-// from an interface or a field from a parcelable and it broke the build. That
+// 2). this is a 'current' file. If you make a backwards compatible change to
-// breakage is intended.
+//     the interface (from the latest frozen version), the build system will
+//     prompt you to update this file with `m <name>-update-api`.
 //
-// You must not make a backward incompatible changes to the AIDL files built
+// You must not make a backward incompatible change to any AIDL file built
 // with the aidl_interface module type with versions property set. The module
 // type is used to build AIDL files in a way that they can be used across
 // independently updatable components of the system. If a device is shipped

security/keymint/aidl/aidl_api/android.hardware.security.keymint/current/android/hardware/security/keymint/KeyOrigin.aidl

@@ -2,13 +2,14 @@
 // THIS FILE IS IMMUTABLE. DO NOT EDIT IN ANY CASE.                          //
 ///////////////////////////////////////////////////////////////////////////////
 
-// This file is a snapshot of an AIDL interface (or parcelable). Do not try to
+// This file is a snapshot of an AIDL file. Do not edit it manually. There are
-// edit this file. It looks like you are doing that because you have modified
+// two cases:
-// an AIDL interface in a backward-incompatible way, e.g., deleting a function
+// 1). this is a frozen version file - do not edit this in any case.
-// from an interface or a field from a parcelable and it broke the build. That
+// 2). this is a 'current' file. If you make a backwards compatible change to
-// breakage is intended.
+//     the interface (from the latest frozen version), the build system will
+//     prompt you to update this file with `m <name>-update-api`.
 //
-// You must not make a backward incompatible changes to the AIDL files built
+// You must not make a backward incompatible change to any AIDL file built
 // with the aidl_interface module type with versions property set. The module
 // type is used to build AIDL files in a way that they can be used across
 // independently updatable components of the system. If a device is shipped

security/keymint/aidl/aidl_api/android.hardware.security.keymint/current/android/hardware/security/keymint/KeyParameter.aidl

@@ -2,13 +2,14 @@
 // THIS FILE IS IMMUTABLE. DO NOT EDIT IN ANY CASE.                          //
 ///////////////////////////////////////////////////////////////////////////////
 
-// This file is a snapshot of an AIDL interface (or parcelable). Do not try to
+// This file is a snapshot of an AIDL file. Do not edit it manually. There are
-// edit this file. It looks like you are doing that because you have modified
+// two cases:
-// an AIDL interface in a backward-incompatible way, e.g., deleting a function
+// 1). this is a frozen version file - do not edit this in any case.
-// from an interface or a field from a parcelable and it broke the build. That
+// 2). this is a 'current' file. If you make a backwards compatible change to
-// breakage is intended.
+//     the interface (from the latest frozen version), the build system will
+//     prompt you to update this file with `m <name>-update-api`.
 //
-// You must not make a backward incompatible changes to the AIDL files built
+// You must not make a backward incompatible change to any AIDL file built
 // with the aidl_interface module type with versions property set. The module
 // type is used to build AIDL files in a way that they can be used across
 // independently updatable components of the system. If a device is shipped

security/keymint/aidl/aidl_api/android.hardware.security.keymint/current/android/hardware/security/keymint/KeyParameterArray.aidl

@@ -2,13 +2,14 @@
 // THIS FILE IS IMMUTABLE. DO NOT EDIT IN ANY CASE.                          //
 ///////////////////////////////////////////////////////////////////////////////
 
-// This file is a snapshot of an AIDL interface (or parcelable). Do not try to
+// This file is a snapshot of an AIDL file. Do not edit it manually. There are
-// edit this file. It looks like you are doing that because you have modified
+// two cases:
-// an AIDL interface in a backward-incompatible way, e.g., deleting a function
+// 1). this is a frozen version file - do not edit this in any case.
-// from an interface or a field from a parcelable and it broke the build. That
+// 2). this is a 'current' file. If you make a backwards compatible change to
-// breakage is intended.
+//     the interface (from the latest frozen version), the build system will
+//     prompt you to update this file with `m <name>-update-api`.
 //
-// You must not make a backward incompatible changes to the AIDL files built
+// You must not make a backward incompatible change to any AIDL file built
 // with the aidl_interface module type with versions property set. The module
 // type is used to build AIDL files in a way that they can be used across
 // independently updatable components of the system. If a device is shipped

security/keymint/aidl/aidl_api/android.hardware.security.keymint/current/android/hardware/security/keymint/KeyParameterValue.aidl

@@ -2,13 +2,14 @@
 // THIS FILE IS IMMUTABLE. DO NOT EDIT IN ANY CASE.                          //
 ///////////////////////////////////////////////////////////////////////////////
 
-// This file is a snapshot of an AIDL interface (or parcelable). Do not try to
+// This file is a snapshot of an AIDL file. Do not edit it manually. There are
-// edit this file. It looks like you are doing that because you have modified
+// two cases:
-// an AIDL interface in a backward-incompatible way, e.g., deleting a function
+// 1). this is a frozen version file - do not edit this in any case.
-// from an interface or a field from a parcelable and it broke the build. That
+// 2). this is a 'current' file. If you make a backwards compatible change to
-// breakage is intended.
+//     the interface (from the latest frozen version), the build system will
+//     prompt you to update this file with `m <name>-update-api`.
 //
-// You must not make a backward incompatible changes to the AIDL files built
+// You must not make a backward incompatible change to any AIDL file built
 // with the aidl_interface module type with versions property set. The module
 // type is used to build AIDL files in a way that they can be used across
 // independently updatable components of the system. If a device is shipped

security/keymint/aidl/aidl_api/android.hardware.security.keymint/current/android/hardware/security/keymint/KeyPurpose.aidl

@@ -2,13 +2,14 @@
 // THIS FILE IS IMMUTABLE. DO NOT EDIT IN ANY CASE.                          //
 ///////////////////////////////////////////////////////////////////////////////
 
-// This file is a snapshot of an AIDL interface (or parcelable). Do not try to
+// This file is a snapshot of an AIDL file. Do not edit it manually. There are
-// edit this file. It looks like you are doing that because you have modified
+// two cases:
-// an AIDL interface in a backward-incompatible way, e.g., deleting a function
+// 1). this is a frozen version file - do not edit this in any case.
-// from an interface or a field from a parcelable and it broke the build. That
+// 2). this is a 'current' file. If you make a backwards compatible change to
-// breakage is intended.
+//     the interface (from the latest frozen version), the build system will
+//     prompt you to update this file with `m <name>-update-api`.
 //
-// You must not make a backward incompatible changes to the AIDL files built
+// You must not make a backward incompatible change to any AIDL file built
 // with the aidl_interface module type with versions property set. The module
 // type is used to build AIDL files in a way that they can be used across
 // independently updatable components of the system. If a device is shipped

security/keymint/aidl/aidl_api/android.hardware.security.keymint/current/android/hardware/security/keymint/PaddingMode.aidl

@@ -2,13 +2,14 @@
 // THIS FILE IS IMMUTABLE. DO NOT EDIT IN ANY CASE.                          //
 ///////////////////////////////////////////////////////////////////////////////
 
-// This file is a snapshot of an AIDL interface (or parcelable). Do not try to
+// This file is a snapshot of an AIDL file. Do not edit it manually. There are
-// edit this file. It looks like you are doing that because you have modified
+// two cases:
-// an AIDL interface in a backward-incompatible way, e.g., deleting a function
+// 1). this is a frozen version file - do not edit this in any case.
-// from an interface or a field from a parcelable and it broke the build. That
+// 2). this is a 'current' file. If you make a backwards compatible change to
-// breakage is intended.
+//     the interface (from the latest frozen version), the build system will
+//     prompt you to update this file with `m <name>-update-api`.
 //
-// You must not make a backward incompatible changes to the AIDL files built
+// You must not make a backward incompatible change to any AIDL file built
 // with the aidl_interface module type with versions property set. The module
 // type is used to build AIDL files in a way that they can be used across
 // independently updatable components of the system. If a device is shipped

security/keymint/aidl/aidl_api/android.hardware.security.keymint/current/android/hardware/security/keymint/SecurityLevel.aidl

@@ -2,13 +2,14 @@
 // THIS FILE IS IMMUTABLE. DO NOT EDIT IN ANY CASE.                          //
 ///////////////////////////////////////////////////////////////////////////////
 
-// This file is a snapshot of an AIDL interface (or parcelable). Do not try to
+// This file is a snapshot of an AIDL file. Do not edit it manually. There are
-// edit this file. It looks like you are doing that because you have modified
+// two cases:
-// an AIDL interface in a backward-incompatible way, e.g., deleting a function
+// 1). this is a frozen version file - do not edit this in any case.
-// from an interface or a field from a parcelable and it broke the build. That
+// 2). this is a 'current' file. If you make a backwards compatible change to
-// breakage is intended.
+//     the interface (from the latest frozen version), the build system will
+//     prompt you to update this file with `m <name>-update-api`.
 //
-// You must not make a backward incompatible changes to the AIDL files built
+// You must not make a backward incompatible change to any AIDL file built
 // with the aidl_interface module type with versions property set. The module
 // type is used to build AIDL files in a way that they can be used across
 // independently updatable components of the system. If a device is shipped

security/keymint/aidl/aidl_api/android.hardware.security.keymint/current/android/hardware/security/keymint/Tag.aidl

@@ -2,13 +2,14 @@
 // THIS FILE IS IMMUTABLE. DO NOT EDIT IN ANY CASE.                          //
 ///////////////////////////////////////////////////////////////////////////////
 
-// This file is a snapshot of an AIDL interface (or parcelable). Do not try to
+// This file is a snapshot of an AIDL file. Do not edit it manually. There are
-// edit this file. It looks like you are doing that because you have modified
+// two cases:
-// an AIDL interface in a backward-incompatible way, e.g., deleting a function
+// 1). this is a frozen version file - do not edit this in any case.
-// from an interface or a field from a parcelable and it broke the build. That
+// 2). this is a 'current' file. If you make a backwards compatible change to
-// breakage is intended.
+//     the interface (from the latest frozen version), the build system will
+//     prompt you to update this file with `m <name>-update-api`.
 //
-// You must not make a backward incompatible changes to the AIDL files built
+// You must not make a backward incompatible change to any AIDL file built
 // with the aidl_interface module type with versions property set. The module
 // type is used to build AIDL files in a way that they can be used across
 // independently updatable components of the system. If a device is shipped

security/keymint/aidl/aidl_api/android.hardware.security.keymint/current/android/hardware/security/keymint/TagType.aidl

@@ -2,13 +2,14 @@
 // THIS FILE IS IMMUTABLE. DO NOT EDIT IN ANY CASE.                          //
 ///////////////////////////////////////////////////////////////////////////////
 
-// This file is a snapshot of an AIDL interface (or parcelable). Do not try to
+// This file is a snapshot of an AIDL file. Do not edit it manually. There are
-// edit this file. It looks like you are doing that because you have modified
+// two cases:
-// an AIDL interface in a backward-incompatible way, e.g., deleting a function
+// 1). this is a frozen version file - do not edit this in any case.
-// from an interface or a field from a parcelable and it broke the build. That
+// 2). this is a 'current' file. If you make a backwards compatible change to
-// breakage is intended.
+//     the interface (from the latest frozen version), the build system will
+//     prompt you to update this file with `m <name>-update-api`.
 //
-// You must not make a backward incompatible changes to the AIDL files built
+// You must not make a backward incompatible change to any AIDL file built
 // with the aidl_interface module type with versions property set. The module
 // type is used to build AIDL files in a way that they can be used across
 // independently updatable components of the system. If a device is shipped

security/keymint/aidl/aidl_api/android.hardware.security.keymint/current/android/hardware/security/keymint/Timestamp.aidl

@@ -2,13 +2,14 @@
 // THIS FILE IS IMMUTABLE. DO NOT EDIT IN ANY CASE.                          //
 ///////////////////////////////////////////////////////////////////////////////
 
-// This file is a snapshot of an AIDL interface (or parcelable). Do not try to
+// This file is a snapshot of an AIDL file. Do not edit it manually. There are
-// edit this file. It looks like you are doing that because you have modified
+// two cases:
-// an AIDL interface in a backward-incompatible way, e.g., deleting a function
+// 1). this is a frozen version file - do not edit this in any case.
-// from an interface or a field from a parcelable and it broke the build. That
+// 2). this is a 'current' file. If you make a backwards compatible change to
-// breakage is intended.
+//     the interface (from the latest frozen version), the build system will
+//     prompt you to update this file with `m <name>-update-api`.
 //
-// You must not make a backward incompatible changes to the AIDL files built
+// You must not make a backward incompatible change to any AIDL file built
 // with the aidl_interface module type with versions property set. The module
 // type is used to build AIDL files in a way that they can be used across
 // independently updatable components of the system. If a device is shipped

security/keymint/aidl/aidl_api/android.hardware.security.keymint/current/android/hardware/security/keymint/VerificationToken.aidl

@@ -2,13 +2,14 @@
 // THIS FILE IS IMMUTABLE. DO NOT EDIT IN ANY CASE.                          //
 ///////////////////////////////////////////////////////////////////////////////
 
-// This file is a snapshot of an AIDL interface (or parcelable). Do not try to
+// This file is a snapshot of an AIDL file. Do not edit it manually. There are
-// edit this file. It looks like you are doing that because you have modified
+// two cases:
-// an AIDL interface in a backward-incompatible way, e.g., deleting a function
+// 1). this is a frozen version file - do not edit this in any case.
-// from an interface or a field from a parcelable and it broke the build. That
+// 2). this is a 'current' file. If you make a backwards compatible change to
-// breakage is intended.
+//     the interface (from the latest frozen version), the build system will
+//     prompt you to update this file with `m <name>-update-api`.
 //
-// You must not make a backward incompatible changes to the AIDL files built
+// You must not make a backward incompatible change to any AIDL file built
 // with the aidl_interface module type with versions property set. The module
 // type is used to build AIDL files in a way that they can be used across
 // independently updatable components of the system. If a device is shipped

security/keymint/aidl/android/hardware/security/keymint/Certificate.aidl

@@ -17,9 +17,8 @@
 package android.hardware.security.keymint;
 
 /**
- * This encodes the IKeyMintDevice attestation generated certificate.
+ * This encodes an IKeyMintDevice certificate, generated for a KeyMint asymmetric public key.
  */
-
 @VintfStability
 parcelable Certificate {
     /**

security/keymint/aidl/android/hardware/security/keymint/IKeyMintDevice.aidl

@@ -18,10 +18,9 @@ package android.hardware.security.keymint;
 
 import android.hardware.security.keymint.BeginResult;
 import android.hardware.security.keymint.ByteArray;
-import android.hardware.security.keymint.Certificate;
 import android.hardware.security.keymint.HardwareAuthToken;
 import android.hardware.security.keymint.IKeyMintOperation;
-import android.hardware.security.keymint.KeyCharacteristics;
+import android.hardware.security.keymint.KeyCreationResult;
 import android.hardware.security.keymint.KeyFormat;
 import android.hardware.security.keymint.KeyParameter;
 import android.hardware.security.keymint.KeyMintHardwareInfo;
@@ -126,16 +125,22 @@ import android.hardware.security.keymint.VerificationToken;
  * attacker can use them at will (though they're more secure than keys which can be
  * exfiltrated).  Therefore, IKeyMintDevice must enforce access controls.
  *
- * Access controls are defined as an "authorization list" of tag/value pairs.  Authorization tags
+ * Access controls are defined as "authorization lists" of tag/value pairs.  Authorization tags are
- * are 32-bit integers from the Tag enum, and the values are a variety of types, defined in the
+ * 32-bit integers from the Tag enum, and the values are a variety of types, defined in the TagType
- * TagType enum.  Some tags may be repeated to specify multiple values.  Whether a tag may be
+ * enum.  Some tags may be repeated to specify multiple values.  Whether a tag may be repeated is
- * repeated is specified in the documentation for the tag and in the TagType.  When a key is
+ * specified in the documentation for the tag and in the TagType.  When a key is created or
- * created or imported, the caller specifies an authorization list.  The IKeyMintDevice must divide
+ * imported, the caller specifies a `key_description` authorization list.  The IKeyMintDevice must
- * the caller-provided authorizations into two lists, those it enforces in tee secure zone and
+ * determine which tags it can and cannot enforce, and at what SecurityLevel, and return an array of
- * those enforced in the strongBox hardware.  These two lists are returned as the "teeEnforced"
+ * `KeyCharacteristics` structures that contains everything it will enforce, associated with the
- * and "strongboxEnforced" elements of the KeyCharacteristics struct. Note that software enforced
+ * appropriate security level, which is one of SOFTWARE, TRUSTED_ENVIRONMENT and STRONGBOX.
- * authorization list entries are not returned because they are not enforced by keymint.  The
+ * Typically, implementations will only return a single KeyCharacteristics structure, because
- * IKeyMintDevice must also add the following authorizations to the appropriate list:
+ * everything they enforce is enforced at the same security level.  There may be cases, however, for
+ * which multiple security levels are relevant. One example is that of a StrongBox IKeyMintDevice
+ * that relies on a TEE to enforce biometric user authentication.  In that case, the generate/import
+ * methods must return two KeyCharacteristics structs, one with SecurityLevel::TRUSTED_ENVIRONMENT
+ * and the biometric authentication-related tags, and another with SecurityLevel::STRONGBOX and
+ * everything else.  The IKeyMintDevice must also add the following authorizations to the
+ * appropriate list:
  *
  * o    Tag::OS_VERSION
  * o    Tag::OS_PATCHLEVEL
@@ -148,26 +153,27 @@ import android.hardware.security.keymint.VerificationToken;
  * The caller must always provide the current date time in the keyParameter CREATION_DATETIME
  * tags.
  *
- * All authorization tags and their values, both teeEnforced and strongboxEnforced, including
+ * All authorization tags and their values enforced by an IKeyMintDevice must be cryptographically
- * unknown tags, must be cryptographically bound to the private/secret key material such that any
+ * bound to the private/secret key material such that any modification of the portion of the key
- * modification of the portion of the key blob that contains the authorization list makes it
+ * blob that contains the authorization list makes it impossible for the secure environment to
- * impossible for the secure environment to obtain the private/secret key material.  The
+ * obtain the private/secret key material.  The recommended approach to meet this requirement is to
- * recommended approach to meet this requirement is to use the full set of authorization tags
+ * use the full set of authorization tags associated with a key as input to a secure key derivation
- * associated with a key as input to a secure key derivation function used to derive a key that
+ * function used to derive a key (the KEK) that is used to encrypt the private/secret key material.
- * is used to encrypt the private/secret key material.
+ * Note that it is NOT acceptable to use a static KEK to encrypt the private/secret key material
+ * with an AEAD cipher mode, using the enforced authorization tags as AAD.  This is because
+ * Tag::APPLICATION_DATA must not be included in the authorization tags stored in the key blob, but
+ * must be provided by the caller for every use.  Assuming the Tag::APPLICATION_DATA value has
+ * sufficient entropy, this provides a cryptographic guarantee that an attacker cannot use a key
+ * without knowing the Tag::APPLICATION_DATA value, even if they compromise the IKeyMintDevice.
  *
- * IKeyMintDevice implementations ignore any tags they cannot enforce and do not return them
+ * IKeyMintDevice implementations must ignore any tags they cannot enforce and must not return them
- * in KeyCharacteristics.  For example, Tag::ORIGINATION_EXPIRE_DATETIME provides the date and
+ * in KeyCharacteristics.  For example, Tag::ORIGINATION_EXPIRE_DATETIME provides the date and time
- * time after which a key may not be used to encrypt or sign new messages.  Unless the
+ * after which a key may not be used to encrypt or sign new messages.  Unless the IKeyMintDevice has
- * IKeyMintDevice has access to a secure source of current date/time information, it is not
+ * access to a secure source of current date/time information, it is not possible for the
- * possible for the IKeyMintDevice to enforce this tag.  An IKeyMintDevice implementation will
+ * IKeyMintDevice to enforce this tag.  An IKeyMintDevice implementation will not rely on the
- * not rely on the non-secure world's notion of time, because it could be controlled by an
+ * non-secure world's notion of time, because it could be controlled by an attacker. Similarly, it
- * attacker. Similarly, it cannot rely on GPSr time, even if it has exclusive control of the
+ * cannot rely on GPSr time, even if it has exclusive control of the GPSr, because that might be
- * GPSr, because that might be spoofed by attacker RF signals.
+ * spoofed by attacker RF signals.
- *
- * IKeyMintDevices do not use or enforce any tags they place in the softwareEnforced
- * list.  The IKeyMintDevice caller must enforce them, and it is unnecessary to enforce them
- * twice.
  *
  * Some tags must be enforced by the IKeyMintDevice.  See the detailed documentation on each Tag
  * in Tag.aidl.
@@ -337,38 +343,9 @@ interface IKeyMintDevice {
      *        provided in params.  See above for detailed specifications of which tags are required
      *        for which types of keys.
      *
-     * @return generatedKeyBlob Opaque descriptor of the generated key.  The recommended
+     * @return The result of key creation.  See KeyCreationResult.aidl.
-     *         implementation strategy is to include an encrypted copy of the key material, wrapped
-     *         in a key unavailable outside secure hardware.
-     *
-     * @return generatedKeyCharacteristics Description of the generated key, divided into two sets:
-     *         hardware-enforced and software-enforced.  The description here applies equally
-     *         to the key characteristics lists returned by generateKey, importKey and
-     *         importWrappedKey.  The characteristics returned by this parameter completely
-     *         describe the type and usage of the specified key.
-     *
-     *         The rule that IKeyMintDevice implementations must use for deciding whether a
-     *         given tag belongs in the hardware-enforced or software-enforced list is that if
-     *         the meaning of the tag is fully assured by secure hardware, it is hardware
-     *         enforced.  Otherwise, it's software enforced.
-     *
-     * @return outCertChain If the key is an asymmetric key, and proper keyparameters for
-     *         attestation (such as challenge) is provided, then this parameter will return the
-     *         attestation certificate.  If the signing of the attestation certificate is from a
-     *         factory key, additional certificates back to the root attestation certificate will
-     *         also be provided. Clients will need to check root certificate against a known-good
-     *         value. The certificates must be DER-encoded.  Caller needs to provide
-     *         CREATION_DATETIME as one of the attestation parameters, otherwise the attestation
-     *         certificate will not contain the creation datetime.  The first certificate in the
-     *         vector is the attestation for the generated key itself, the next certificate is
-     *         the key that signs the first certificate, and so forth.  The last certificate in
-     *         the chain is the root certificate.  If the key is a symmetric key, then no
-     *         certificate will be returned and this variable will return empty. TODO: change
-     *         certificate return to a single certificate and make it nullable b/163604282.
      */
-    void generateKey(in KeyParameter[] keyParams, out ByteArray generatedKeyBlob,
+    KeyCreationResult generateKey(in KeyParameter[] keyParams);
-                     out KeyCharacteristics generatedKeyCharacteristics,
-                     out Certificate[] outCertChain);
 
     /**
      * Imports key material into an IKeyMintDevice.  Key definition parameters and return values
@@ -396,29 +373,10 @@ interface IKeyMintDevice {
      *
      * @param inKeyData The key material to import, in the format specified in keyFormat.
      *
-     * @return outImportedKeyBlob descriptor of the imported key.  The format of the keyblob will
+     * @return The result of key creation.  See KeyCreationResult.aidl.
-     *         be the google specified keyblob format.
-     *
-     * @return outImportedKeyCharacteristics Description of the generated key.  See the
-     *         keyCharacteristics description in generateKey.
-     *
-     * @return outCertChain If the key is an asymmetric key, and proper keyparameters for
-     *         attestation (such as challenge) is provided, then this parameter will return the
-     *         attestation certificate.  If the signing of the attestation certificate is from a
-     *         factory key, additional certificates back to the root attestation certificate will
-     *         also be provided. Clients will need to check root certificate against a known-good
-     *         value. The certificates must be DER-encoded.  Caller needs to provide
-     *         CREATION_DATETIME as one of the attestation parameters, otherwise the attestation
-     *         certificate will not contain the creation datetime.  The first certificate in the
-     *         vector is the attestation for the generated key itself, the next certificate is
-     *         the key that signs the first certificate, and so forth.  The last certificate in
-     *         the chain is the root certificate.  If the key is a symmetric key, then no
-     *         certificate will be returned and this variable will return empty.
      */
-    void importKey(in KeyParameter[] inKeyParams, in KeyFormat inKeyFormat,
+    KeyCreationResult importKey(in KeyParameter[] keyParams, in KeyFormat keyFormat,
-                   in byte[] inKeyData, out ByteArray outImportedKeyBlob,
+                                in byte[] keyData);
-                   out KeyCharacteristics outImportedKeyCharacteristics,
-                   out Certificate[] outCertChain);
 
     /**
      * Securely imports a key, or key pair, returning a key blob and a description of the imported
@@ -474,45 +432,38 @@ interface IKeyMintDevice {
      *     5. Perform the equivalent of calling importKey(keyParams, keyFormat, keyData), except
      *        that the origin tag should be set to SECURELY_IMPORTED.
      *
-     * @param inWrappingKeyBlob The opaque key descriptor returned by generateKey() or importKey().
+     * @param wrappingKeyBlob The opaque key descriptor returned by generateKey() or importKey().
      *        This key must have been created with Purpose::WRAP_KEY.
      *
-     * @param inMaskingKey The 32-byte value XOR'd with the transport key in the SecureWrappedKey
+     * @param maskingKey The 32-byte value XOR'd with the transport key in the SecureWrappedKey
      *        structure.
      *
-     * @param inUnwrappingParams must contain any parameters needed to perform the unwrapping
+     * @param unwrappingParams must contain any parameters needed to perform the unwrapping
-     *        operation.  For example, if the wrapping key is an AES key the block and padding
+     *        operation.  For example, if the wrapping key is an AES key the block and padding modes
-     *        modes must be specified in this argument.
+     *        must be specified in this argument.
      *
-     * @param inPasswordSid specifies the password secure ID (SID) of the user that owns the key
+     * @param passwordSid specifies the password secure ID (SID) of the user that owns the key being
-     *        being installed.  If the authorization list in wrappedKeyData contains a
+     *        installed.  If the authorization list in wrappedKeyData contains a
-     *        Tag::USER_SECURE_IDwith a value that has the HardwareAuthenticatorType::PASSWORD
+     *        Tag::USER_SECURE_IDwith a value that has the HardwareAuthenticatorType::PASSWORD bit
-     *        bit set, the constructed key must be bound to the SID value provided by this
+     *        set, the constructed key must be bound to the SID value provided by this argument.  If
-     *        argument.  If the wrappedKeyData does not contain such a tag and value, this argument
+     *        the wrappedKeyData does not contain such a tag and value, this argument must be
-     *        must be ignored.
+     *        ignored.
      *
-     * @param inBiometricSid specifies the biometric secure ID (SID) of the user that owns the key
+     * @param biometricSid specifies the biometric secure ID (SID) of the user that owns the key
      *        being installed.  If the authorization list in wrappedKeyData contains a
      *        Tag::USER_SECURE_ID with a value that has the HardwareAuthenticatorType::FINGERPRINT
      *        bit set, the constructed key must be bound to the SID value provided by this argument.
      *        If the wrappedKeyData does not contain such a tag and value, this argument must be
      *        ignored.
      *
-     * @return outImportedKeyBlob Opaque descriptor of the imported key.  It is recommended that
+     * @return The result of key creation.  See KeyCreationResult.aidl.
-     *         the keyBlob contain a copy of the key material, wrapped in a key unavailable outside
-     *         secure hardware.
-     *
-     * @return outImportedKeyCharacteristics Description of the generated key.  See the description
-     *         of keyCharacteristics parameter in generateKey.
      */
-    void importWrappedKey(in byte[] inWrappedKeyData,
+     KeyCreationResult importWrappedKey(in byte[] wrappedKeyData,
-                          in byte[] inWrappingKeyBlob,
+                                        in byte[] wrappingKeyBlob,
-                          in byte[] inMaskingKey,
+                                        in byte[] maskingKey,
-                          in KeyParameter[] inUnwrappingParams,
+                                        in KeyParameter[] unwrappingParams,
-                          in long inPasswordSid,
+                                        in long passwordSid,
-                          in long inBiometricSid,
+                                        in long biometricSid);
-                          out ByteArray outImportedKeyBlob,
-                          out KeyCharacteristics outImportedKeyCharacteristics);
 
     /**
      * Upgrades an old key blob.  Keys can become "old" in two ways: IKeyMintDevice can be

security/keymint/aidl/android/hardware/security/keymint/KeyCharacteristics.aidl

@@ -17,25 +17,20 @@
 package android.hardware.security.keymint;
 
 import android.hardware.security.keymint.KeyParameter;
+import android.hardware.security.keymint.SecurityLevel;
 
 /**
- * KeyCharacteristics defines the attributes of a key, including cryptographic parameters, and usage
+ * KeyCharacteristics defines the attributes of a key that are enforced by KeyMint, and the security
- * restrictions.  It consits of two vectors of KeyParameters, one for "softwareEnforced" attributes
+ * level (see SecurityLevel.aidl) of that enforcement.
- * and one for "hardwareEnforced" attributes.
  *
- * KeyCharacteristics objects are returned by generateKey, importKey, importWrappedKey and
+ * The `generateKey` `importKey` and `importWrappedKey` methods each return an array of
- * getKeyCharacteristics.  The IKeyMintDevice secure environment is responsible for allocating the
+ * KeyCharacteristics, specifying the security levels of enforcement and the authorizations
- * parameters, all of which are Tags with associated values, to the correct vector.  The
+ * enforced.  Note that enforcement at a given security level means that the semantics of the tag
- * hardwareEnforced vector must contain only those attributes which are enforced by secure hardware.
+ * and value are fully enforced.  See the definition of individual tags for specifications of what
- * All others should be in the softwareEnforced vector.  See the definitions of individual Tag enums
+ * must be enforced.
- * for specification of which must be hardware-enforced, which may be software-enforced and which
- * must never appear in KeyCharacteristics.
  */
 @VintfStability
 parcelable KeyCharacteristics {
-    /* TODO(seleneh) get rid of the software enforced in keymint.  replace hardware enforced with
+    SecurityLevel securityLevel;
-     * tee enforced and strongbox enforced.
+    KeyParameter[] authorizations;
-     */
-    KeyParameter[] softwareEnforced;
-    KeyParameter[] hardwareEnforced;
 }

security/keymint/aidl/android/hardware/security/keymint/KeyCreationResult.aidl

@@ -0,0 +1,62 @@
+/*
+ * Copyright (C) 2021 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package android.hardware.security.keymint;
+
+import android.hardware.security.keymint.Certificate;
+import android.hardware.security.keymint.KeyCharacteristics;
+
+/**
+ * This structure is returned when a new key is created with generateKey(), importKey() or
+ * importWrappedKey().
+ */
+@VintfStability
+parcelable KeyCreationResult {
+    /**
+     * `keyBlob` is an descriptor of the generated/imported key key.
+     */
+    byte[] keyBlob;
+
+    /**
+     * `keyCharacteristics` is a description of the generated key in the form of authorization lists
+     * associated with security levels.  The rules that IKeyMintDevice implementations must use for
+     * deciding whether a given tag from `keyParams` argument to the generation/import method should
+     * be returned in `keyCharacteristics` are:
+     *
+     * - If the IKeyMintDevice cannot fully enforce the semantics of the tag, it should be omitted.
+     * - If the semantics of the tag are fully enforced by the IKeyMintDevice, without any
+     *   assistance from components running at other security levels, it should be included in an
+     *   entry with the SecurityLevel of the IKeyMintDevice.
+     * - If the semantics of the tag are fully enforced, but with the assistance of components
+     *   running at another SecurityLevel, it should be included in an entry with the minimum
+     *   SecurityLevel of the involved components.  For example if a StrongBox IKeyMintDevice relies
+     *   on a TEE to validate biometric authentication, biometric authentication tags go in an entry
+     *   with SecurityLevel::TRUSTED_ENVIRONMENT.
+     */
+    KeyCharacteristics[] keyCharacteristics;
+
+    /**
+     * If the generated/imported key is an asymmetric key, `certificateChain` will contain a chain
+     * of one or more certificates.  If the key parameters provided to the generate/import method
+     * contains Tag::ATTESTATION_CHALLENGE the first certificate will contain an attestation
+     * extension, and will be signed by a factory-installed attestation key and followed by a chain
+     * of certificates leading to an authoritative root.  If there is no attestation challenge, only
+     * one certificate will be returned, and it will be self-signed or contain a fake signature,
+     * depending on whether the key has KeyPurpose::SIGN.  If the generated key is symmetric,
+     * certificateChain will be empty.
+     */
+    Certificate[] certificateChain;
+}

security/keymint/aidl/android/hardware/security/keymint/Tag.aidl

@@ -512,10 +512,10 @@ enum Tag {
 
     /**
      * Tag::APPLICATION_DATA.  When provided to generateKey or importKey, this tag specifies data
-     * that is necessary during all uses of the key.  In particular, calls to exportKey() and
+     * that is necessary during all uses of the key.  In particular, calls to begin() and
-     * getKeyCharacteristics() must provide the same value to the appData parameter, and calls to
+     * exportKey() must provide the same value to the appData parameter, and calls to begin must
-     * begin must provide this tag and the same associated data as part of the inParams set.  If
+     * provide this tag and the same associated data as part of the inParams set.  If the correct
-     * the correct data is not provided, the method must return ErrorCode::INVALID_KEY_BLOB.
+     * data is not provided, the method must return ErrorCode::INVALID_KEY_BLOB.
      *
      * The content of this tag msut be bound to the key cryptographically, meaning it must not be
      * possible for an adversary who has access to all of the secure world secrets but does not have

security/keymint/aidl/vts/functional/KeyMintAidlTestBase.cpp

@@ -17,6 +17,7 @@
 #include "KeyMintAidlTestBase.h"
 
 #include <chrono>
+#include <unordered_set>
 #include <vector>
 
 #include <android-base/logging.h>
@@ -43,6 +44,34 @@ using std::optional;
 
 namespace test {
 
+namespace {
+
+// Predicate for testing basic characteristics validity in generation or import.
+bool KeyCharacteristicsBasicallyValid(SecurityLevel secLevel,
+                                      const vector<KeyCharacteristics>& key_characteristics) {
+    if (key_characteristics.empty()) return false;
+
+    std::unordered_set<SecurityLevel> levels_seen;
+    for (auto& entry : key_characteristics) {
+        if (entry.authorizations.empty()) return false;
+
+        if (levels_seen.find(entry.securityLevel) != levels_seen.end()) return false;
+        levels_seen.insert(entry.securityLevel);
+
+        // Generally, we should only have one entry, at the same security level as the KM
+        // instance.  There is an exception: StrongBox KM can have some authorizations that are
+        // enforced by the TEE.
+        bool isExpectedSecurityLevel = secLevel == entry.securityLevel ||
+                                       (secLevel == SecurityLevel::STRONGBOX &&
+                                        entry.securityLevel == SecurityLevel::TRUSTED_ENVIRONMENT);
+
+        if (!isExpectedSecurityLevel) return false;
+    }
+    return true;
+}
+
+}  // namespace
+
 ErrorCode KeyMintAidlTestBase::GetReturnErrorCode(const Status& result) {
     if (result.isOk()) return ErrorCode::OK;
 
@@ -78,35 +107,30 @@ void KeyMintAidlTestBase::SetUp() {
 }
 
 ErrorCode KeyMintAidlTestBase::GenerateKey(const AuthorizationSet& key_desc,
-                                           vector<uint8_t>* keyBlob, KeyCharacteristics* keyChar) {
+                                           vector<uint8_t>* key_blob,
-    EXPECT_NE(keyBlob, nullptr) << "Key blob pointer must not be null.  Test bug";
+                                           vector<KeyCharacteristics>* key_characteristics) {
-    EXPECT_NE(keyChar, nullptr)
+    EXPECT_NE(key_blob, nullptr) << "Key blob pointer must not be null.  Test bug";
+    EXPECT_NE(key_characteristics, nullptr)
             << "Previous characteristics not deleted before generating key.  Test bug.";
 
     // Aidl does not clear these output parameters if the function returns
     // error.  This is different from hal where output parameter is always
     // cleared due to hal returning void.  So now we need to do our own clearing
     // of the output variables prior to calling keyMint aidl libraries.
-    keyBlob->clear();
+    key_blob->clear();
-    keyChar->softwareEnforced.clear();
+    key_characteristics->clear();
-    keyChar->hardwareEnforced.clear();
+    cert_chain_.clear();
-    certChain_.clear();
 
-    Status result;
+    KeyCreationResult creationResult;
-    ByteArray blob;
+    Status result = keymint_->generateKey(key_desc.vector_data(), &creationResult);
 
-    result = keymint_->generateKey(key_desc.vector_data(), &blob, keyChar, &certChain_);
-
-    // On result, blob & characteristics should be empty.
     if (result.isOk()) {
-        if (SecLevel() != SecurityLevel::SOFTWARE) {
+        EXPECT_PRED2(KeyCharacteristicsBasicallyValid, SecLevel(),
-            EXPECT_GT(keyChar->hardwareEnforced.size(), 0);
+                     creationResult.keyCharacteristics);
-        }
+        EXPECT_GT(creationResult.keyBlob.size(), 0);
-        EXPECT_GT(keyChar->softwareEnforced.size(), 0);
+        *key_blob = std::move(creationResult.keyBlob);
-        // TODO(seleneh) in a later version where we return @nullable
+        *key_characteristics = std::move(creationResult.keyCharacteristics);
-        // single Certificate, check non-null single certificate is always
+        cert_chain_ = std::move(creationResult.certificateChain);
-        // non-empty.
-        *keyBlob = blob.data;
     }
 
     return GetReturnErrorCode(result);
@@ -118,25 +142,26 @@ ErrorCode KeyMintAidlTestBase::GenerateKey(const AuthorizationSet& key_desc) {
 
 ErrorCode KeyMintAidlTestBase::ImportKey(const AuthorizationSet& key_desc, KeyFormat format,
                                          const string& key_material, vector<uint8_t>* key_blob,
-                                         KeyCharacteristics* key_characteristics) {
+                                         vector<KeyCharacteristics>* key_characteristics) {
     Status result;
 
-    certChain_.clear();
+    cert_chain_.clear();
-    key_characteristics->softwareEnforced.clear();
+    key_characteristics->clear();
-    key_characteristics->hardwareEnforced.clear();
     key_blob->clear();
 
-    ByteArray blob;
+    KeyCreationResult creationResult;
     result = keymint_->importKey(key_desc.vector_data(), format,
-                                 vector<uint8_t>(key_material.begin(), key_material.end()), &blob,
+                                 vector<uint8_t>(key_material.begin(), key_material.end()),
-                                 key_characteristics, &certChain_);
+                                 &creationResult);
 
     if (result.isOk()) {
-        if (SecLevel() != SecurityLevel::SOFTWARE) {
+        EXPECT_PRED2(KeyCharacteristicsBasicallyValid, SecLevel(),
-            EXPECT_GT(key_characteristics->hardwareEnforced.size(), 0);
+                     creationResult.keyCharacteristics);
-        }
+        EXPECT_GT(creationResult.keyBlob.size(), 0);
-        EXPECT_GT(key_characteristics->softwareEnforced.size(), 0);
+
-        *key_blob = blob.data;
+        *key_blob = std::move(creationResult.keyBlob);
+        *key_characteristics = std::move(creationResult.keyCharacteristics);
+        cert_chain_ = std::move(creationResult.certificateChain);
     }
 
     return GetReturnErrorCode(result);
@@ -151,25 +176,25 @@ ErrorCode KeyMintAidlTestBase::ImportWrappedKey(string wrapped_key, string wrapp
                                                 const AuthorizationSet& wrapping_key_desc,
                                                 string masking_key,
                                                 const AuthorizationSet& unwrapping_params) {
-    Status result;
     EXPECT_EQ(ErrorCode::OK, ImportKey(wrapping_key_desc, KeyFormat::PKCS8, wrapping_key));
 
-    ByteArray outBlob;
+    key_characteristics_.clear();
-    key_characteristics_.softwareEnforced.clear();
-    key_characteristics_.hardwareEnforced.clear();
 
-    result = keymint_->importWrappedKey(vector<uint8_t>(wrapped_key.begin(), wrapped_key.end()),
+    KeyCreationResult creationResult;
-                                        key_blob_,
+    Status result = keymint_->importWrappedKey(
-                                        vector<uint8_t>(masking_key.begin(), masking_key.end()),
+            vector<uint8_t>(wrapped_key.begin(), wrapped_key.end()), key_blob_,
-                                        unwrapping_params.vector_data(), 0 /* passwordSid */,
+            vector<uint8_t>(masking_key.begin(), masking_key.end()),
-                                        0 /* biometricSid */, &outBlob, &key_characteristics_);
+            unwrapping_params.vector_data(), 0 /* passwordSid */, 0 /* biometricSid */,
+            &creationResult);
 
     if (result.isOk()) {
-        key_blob_ = outBlob.data;
+        EXPECT_PRED2(KeyCharacteristicsBasicallyValid, SecLevel(),
-        if (SecLevel() != SecurityLevel::SOFTWARE) {
+                     creationResult.keyCharacteristics);
-            EXPECT_GT(key_characteristics_.hardwareEnforced.size(), 0);
+        EXPECT_GT(creationResult.keyBlob.size(), 0);
-        }
+
-        EXPECT_GT(key_characteristics_.softwareEnforced.size(), 0);
+        key_blob_ = std::move(creationResult.keyBlob);
+        key_characteristics_ = std::move(creationResult.keyCharacteristics);
+        cert_chain_ = std::move(creationResult.certificateChain);
     }
 
     return GetReturnErrorCode(result);
@@ -754,6 +779,15 @@ vector<Digest> KeyMintAidlTestBase::ValidDigests(bool withNone, bool withMD5) {
     return {};
 }
 
+static const vector<KeyParameter> kEmptyAuthList{};
+
+const vector<KeyParameter>& KeyMintAidlTestBase::SecLevelAuthorizations(
+        const vector<KeyCharacteristics>& key_characteristics) {
+    auto found = std::find_if(key_characteristics.begin(), key_characteristics.end(),
+                              [this](auto& entry) { return entry.securityLevel == SecLevel(); });
+    return (found == key_characteristics.end()) ? kEmptyAuthList : found->authorizations;
+}
+
 }  // namespace test
 
 }  // namespace aidl::android::hardware::security::keymint

security/keymint/aidl/vts/functional/KeyMintAidlTestBase.h

@@ -56,13 +56,13 @@ class KeyMintAidlTestBase : public ::testing::TestWithParam<string> {
 
     ErrorCode GetReturnErrorCode(const Status& result);
     ErrorCode GenerateKey(const AuthorizationSet& key_desc, vector<uint8_t>* key_blob,
-                          KeyCharacteristics* key_characteristics);
+                          vector<KeyCharacteristics>* key_characteristics);
 
     ErrorCode GenerateKey(const AuthorizationSet& key_desc);
 
     ErrorCode ImportKey(const AuthorizationSet& key_desc, KeyFormat format,
                         const string& key_material, vector<uint8_t>* key_blob,
-                        KeyCharacteristics* key_characteristics);
+                        vector<KeyCharacteristics>* key_characteristics);
     ErrorCode ImportKey(const AuthorizationSet& key_desc, KeyFormat format,
                         const string& key_material);
 
@@ -147,8 +147,8 @@ class KeyMintAidlTestBase : public ::testing::TestWithParam<string> {
 
     std::pair<ErrorCode, vector<uint8_t>> UpgradeKey(const vector<uint8_t>& key_blob);
 
-    bool IsSecure() { return securityLevel_ != SecurityLevel::SOFTWARE; }
+    bool IsSecure() const { return securityLevel_ != SecurityLevel::SOFTWARE; }
-    SecurityLevel SecLevel() { return securityLevel_; }
+    SecurityLevel SecLevel() const { return securityLevel_; }
 
     vector<uint32_t> ValidKeySizes(Algorithm algorithm);
     vector<uint32_t> InvalidKeySizes(Algorithm algorithm);
@@ -164,9 +164,15 @@ class KeyMintAidlTestBase : public ::testing::TestWithParam<string> {
     }
 
     std::shared_ptr<IKeyMintOperation> op_;
-    vector<Certificate> certChain_;
+    vector<Certificate> cert_chain_;
     vector<uint8_t> key_blob_;
-    KeyCharacteristics key_characteristics_;
+    vector<KeyCharacteristics> key_characteristics_;
+
+    const vector<KeyParameter>& SecLevelAuthorizations(
+            const vector<KeyCharacteristics>& key_characteristics);
+    inline const vector<KeyParameter>& SecLevelAuthorizations() {
+        return SecLevelAuthorizations(key_characteristics_);
+    }
 
   private:
     std::shared_ptr<IKeyMintDevice> keymint_;

security/keymint/aidl/vts/functional/KeyMintTest.cpp

@@ -56,18 +56,16 @@ using namespace aidl::android::hardware::security::keymint;
 template <>
 struct std::equal_to<KeyCharacteristics> {
     bool operator()(const KeyCharacteristics& a, const KeyCharacteristics& b) const {
-        // This isn't very efficient. Oh, well.
+        if (a.securityLevel != b.securityLevel) return false;
-        AuthorizationSet a_sw(a.softwareEnforced);
-        AuthorizationSet b_sw(b.softwareEnforced);
-        AuthorizationSet a_tee(b.hardwareEnforced);
-        AuthorizationSet b_tee(b.hardwareEnforced);
 
-        a_sw.Sort();
+        // this isn't very efficient. Oh, well.
-        b_sw.Sort();
+        AuthorizationSet a_auths(a.authorizations);
-        a_tee.Sort();
+        AuthorizationSet b_auths(b.authorizations);
-        b_tee.Sort();
 
-        return ((a_sw == b_sw) && (a_tee == b_tee));
+        a_auths.Sort();
+        b_auths.Sort();
+
+        return a_auths == b_auths;
     }
 };
 
@@ -229,19 +227,20 @@ class AidlBuf : public vector<uint8_t> {
 
 class NewKeyGenerationTest : public KeyMintAidlTestBase {
   protected:
-    void CheckBaseParams(const KeyCharacteristics& keyCharacteristics) {
+    void CheckBaseParams(const vector<KeyCharacteristics>& keyCharacteristics) {
         // TODO(swillden): Distinguish which params should be in which auth list.
 
-        AuthorizationSet auths(keyCharacteristics.hardwareEnforced);
+        AuthorizationSet auths;
-        auths.push_back(AuthorizationSet(keyCharacteristics.softwareEnforced));
+        for (auto& entry : keyCharacteristics) {
+            auths.push_back(AuthorizationSet(entry.authorizations));
+        }
 
         EXPECT_TRUE(auths.Contains(TAG_ORIGIN, KeyOrigin::GENERATED));
         EXPECT_TRUE(auths.Contains(TAG_PURPOSE, KeyPurpose::SIGN));
         EXPECT_TRUE(auths.Contains(TAG_PURPOSE, KeyPurpose::VERIFY));
 
-        // Verify that App ID, App data and ROT are NOT included.
+        // Verify that App data and ROT are NOT included.
         EXPECT_FALSE(auths.Contains(TAG_ROOT_OF_TRUST));
-        EXPECT_FALSE(auths.Contains(TAG_APPLICATION_ID));
         EXPECT_FALSE(auths.Contains(TAG_APPLICATION_DATA));
 
         // Check that some unexpected tags/values are NOT present.
@@ -249,15 +248,13 @@ class NewKeyGenerationTest : public KeyMintAidlTestBase {
         EXPECT_FALSE(auths.Contains(TAG_PURPOSE, KeyPurpose::DECRYPT));
         EXPECT_FALSE(auths.Contains(TAG_AUTH_TIMEOUT, 301U));
 
-        // Now check that unspecified, defaulted tags are correct.
+        auto os_ver = auths.GetTagValue(TAG_OS_VERSION);
-        EXPECT_TRUE(auths.Contains(TAG_CREATION_DATETIME));
+        ASSERT_TRUE(os_ver);
+        EXPECT_EQ(*os_ver, os_version());
 
-        EXPECT_TRUE(auths.Contains(TAG_OS_VERSION, os_version()))
+        auto os_pl = auths.GetTagValue(TAG_OS_PATCHLEVEL);
-                << "OS version is " << os_version() << " key reported "
+        ASSERT_TRUE(os_pl);
-                << auths.GetTagValue(TAG_OS_VERSION)->get();
+        EXPECT_EQ(*os_pl, os_patch_level());
-        EXPECT_TRUE(auths.Contains(TAG_OS_PATCHLEVEL, os_patch_level()))
-                << "OS patch level is " << os_patch_level() << " key reported "
-                << auths.GetTagValue(TAG_OS_PATCHLEVEL)->get();
     }
 };
 
@@ -270,7 +267,7 @@ class NewKeyGenerationTest : public KeyMintAidlTestBase {
 TEST_P(NewKeyGenerationTest, Rsa) {
     for (auto key_size : ValidKeySizes(Algorithm::RSA)) {
         vector<uint8_t> key_blob;
-        KeyCharacteristics key_characteristics;
+        vector<KeyCharacteristics> key_characteristics;
         ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
                                                      .RsaSigningKey(key_size, 65537)
                                                      .Digest(Digest::NONE)
@@ -280,12 +277,7 @@ TEST_P(NewKeyGenerationTest, Rsa) {
         ASSERT_GT(key_blob.size(), 0U);
         CheckBaseParams(key_characteristics);
 
-        AuthorizationSet crypto_params;
+        AuthorizationSet crypto_params = SecLevelAuthorizations(key_characteristics);
-        if (IsSecure()) {
-            crypto_params = key_characteristics.hardwareEnforced;
-        } else {
-            crypto_params = key_characteristics.softwareEnforced;
-        }
 
         EXPECT_TRUE(crypto_params.Contains(TAG_ALGORITHM, Algorithm::RSA));
         EXPECT_TRUE(crypto_params.Contains(TAG_KEY_SIZE, key_size))
@@ -304,7 +296,7 @@ TEST_P(NewKeyGenerationTest, Rsa) {
 TEST_P(NewKeyGenerationTest, NoInvalidRsaSizes) {
     for (auto key_size : InvalidKeySizes(Algorithm::RSA)) {
         vector<uint8_t> key_blob;
-        KeyCharacteristics key_characteristics;
+        vector<KeyCharacteristics> key_characteristics;
         ASSERT_EQ(ErrorCode::UNSUPPORTED_KEY_SIZE,
                   GenerateKey(AuthorizationSetBuilder()
                                       .RsaSigningKey(key_size, 65537)
@@ -337,7 +329,7 @@ TEST_P(NewKeyGenerationTest, RsaNoDefaultSize) {
 TEST_P(NewKeyGenerationTest, Ecdsa) {
     for (auto key_size : ValidKeySizes(Algorithm::EC)) {
         vector<uint8_t> key_blob;
-        KeyCharacteristics key_characteristics;
+        vector<KeyCharacteristics> key_characteristics;
         ASSERT_EQ(ErrorCode::OK,
                   GenerateKey(
                           AuthorizationSetBuilder().EcdsaSigningKey(key_size).Digest(Digest::NONE),
@@ -345,12 +337,7 @@ TEST_P(NewKeyGenerationTest, Ecdsa) {
         ASSERT_GT(key_blob.size(), 0U);
         CheckBaseParams(key_characteristics);
 
-        AuthorizationSet crypto_params;
+        AuthorizationSet crypto_params = SecLevelAuthorizations(key_characteristics);
-        if (IsSecure()) {
-            crypto_params = key_characteristics.hardwareEnforced;
-        } else {
-            crypto_params = key_characteristics.softwareEnforced;
-        }
 
         EXPECT_TRUE(crypto_params.Contains(TAG_ALGORITHM, Algorithm::EC));
         EXPECT_TRUE(crypto_params.Contains(TAG_KEY_SIZE, key_size))
@@ -383,7 +370,7 @@ TEST_P(NewKeyGenerationTest, EcdsaDefaultSize) {
 TEST_P(NewKeyGenerationTest, EcdsaInvalidSize) {
     for (auto key_size : InvalidKeySizes(Algorithm::EC)) {
         vector<uint8_t> key_blob;
-        KeyCharacteristics key_characteristics;
+        vector<KeyCharacteristics> key_characteristics;
         ASSERT_EQ(ErrorCode::UNSUPPORTED_KEY_SIZE,
                   GenerateKey(
                           AuthorizationSetBuilder().EcdsaSigningKey(key_size).Digest(Digest::NONE),
@@ -454,7 +441,7 @@ TEST_P(NewKeyGenerationTest, EcdsaAllValidCurves) {
 TEST_P(NewKeyGenerationTest, Hmac) {
     for (auto digest : ValidDigests(false /* withNone */, true /* withMD5 */)) {
         vector<uint8_t> key_blob;
-        KeyCharacteristics key_characteristics;
+        vector<KeyCharacteristics> key_characteristics;
         constexpr size_t key_size = 128;
         ASSERT_EQ(ErrorCode::OK,
                   GenerateKey(
@@ -465,17 +452,10 @@ TEST_P(NewKeyGenerationTest, Hmac) {
         ASSERT_GT(key_blob.size(), 0U);
         CheckBaseParams(key_characteristics);
 
-        AuthorizationSet hardwareEnforced = key_characteristics.hardwareEnforced;
+        AuthorizationSet crypto_params = SecLevelAuthorizations(key_characteristics);
-        AuthorizationSet softwareEnforced = key_characteristics.softwareEnforced;
+        EXPECT_TRUE(crypto_params.Contains(TAG_ALGORITHM, Algorithm::HMAC));
-        if (IsSecure()) {
+        EXPECT_TRUE(crypto_params.Contains(TAG_KEY_SIZE, key_size))
-            EXPECT_TRUE(hardwareEnforced.Contains(TAG_ALGORITHM, Algorithm::HMAC));
+                << "Key size " << key_size << "missing";
-            EXPECT_TRUE(hardwareEnforced.Contains(TAG_KEY_SIZE, key_size))
-                    << "Key size " << key_size << "missing";
-        } else {
-            EXPECT_TRUE(softwareEnforced.Contains(TAG_ALGORITHM, Algorithm::HMAC));
-            EXPECT_TRUE(softwareEnforced.Contains(TAG_KEY_SIZE, key_size))
-                    << "Key size " << key_size << "missing";
-        }
 
         CheckedDeleteKey(&key_blob);
     }
@@ -600,7 +580,7 @@ TEST_P(SigningOperationsTest, RsaSuccess) {
 /*
  * SigningOperationsTest.RsaUseRequiresCorrectAppIdAppData
  *
- * Verifies that using an RSA key requires the correct app ID/data.
+ * Verifies that using an RSA key requires the correct app data.
  */
 TEST_P(SigningOperationsTest, RsaUseRequiresCorrectAppIdAppData) {
     ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
@@ -1412,7 +1392,7 @@ TEST_P(VerificationOperationsTest, HmacSigningKeyCannotVerify) {
     string key_material = "HelloThisIsAKey";
 
     vector<uint8_t> signing_key, verification_key;
-    KeyCharacteristics signing_key_chars, verification_key_chars;
+    vector<KeyCharacteristics> signing_key_chars, verification_key_chars;
     EXPECT_EQ(ErrorCode::OK,
               ImportKey(AuthorizationSetBuilder()
                                 .Authorization(TAG_NO_AUTH_REQUIRED)
@@ -1466,28 +1446,22 @@ class ImportKeyTest : public KeyMintAidlTestBase {
     template <TagType tag_type, Tag tag, typename ValueT>
     void CheckCryptoParam(TypedTag<tag_type, tag> ttag, ValueT expected) {
         SCOPED_TRACE("CheckCryptoParam");
-        if (IsSecure()) {
+        for (auto& entry : key_characteristics_) {
-            EXPECT_TRUE(contains(key_characteristics_.hardwareEnforced, ttag, expected))
+            if (entry.securityLevel == SecLevel()) {
-                    << "Tag " << tag << " with value " << expected << " not found";
+                EXPECT_TRUE(contains(entry.authorizations, ttag, expected))
-            EXPECT_FALSE(contains(key_characteristics_.softwareEnforced, ttag))
+                        << "Tag " << tag << " with value " << expected
-                    << "Tag " << tag << " found";
+                        << " not found at security level" << entry.securityLevel;
-        } else {
+            } else {
-            EXPECT_TRUE(contains(key_characteristics_.softwareEnforced, ttag, expected))
+                EXPECT_FALSE(contains(entry.authorizations, ttag, expected))
-                    << "Tag " << tag << " with value " << expected << " not found";
+                        << "Tag " << tag << " found at security level " << entry.securityLevel;
-            EXPECT_FALSE(contains(key_characteristics_.hardwareEnforced, ttag))
+            }
-                    << "Tag " << tag << " found";
         }
     }
 
     void CheckOrigin() {
         SCOPED_TRACE("CheckOrigin");
-        if (IsSecure()) {
+        // Origin isn't a crypto param, but it always lives with them.
-            EXPECT_TRUE(contains(key_characteristics_.hardwareEnforced, TAG_ORIGIN,
+        return CheckCryptoParam(TAG_ORIGIN, KeyOrigin::IMPORTED);
-                                 KeyOrigin::IMPORTED));
-        } else {
-            EXPECT_TRUE(contains(key_characteristics_.softwareEnforced, TAG_ORIGIN,
-                                 KeyOrigin::IMPORTED));
-        }
     }
 };
 
@@ -3950,7 +3924,7 @@ TEST_P(KeyDeletionTest, DeleteKey) {
 
     // Delete must work if rollback protection is implemented
     if (error == ErrorCode::OK) {
-        AuthorizationSet hardwareEnforced(key_characteristics_.hardwareEnforced);
+        AuthorizationSet hardwareEnforced(SecLevelAuthorizations());
         ASSERT_TRUE(hardwareEnforced.Contains(TAG_ROLLBACK_RESISTANCE));
 
         ASSERT_EQ(ErrorCode::OK, DeleteKey(true /* keep key blob */));
@@ -3983,8 +3957,8 @@ TEST_P(KeyDeletionTest, DeleteInvalidKey) {
 
     // Delete must work if rollback protection is implemented
     if (error == ErrorCode::OK) {
-        AuthorizationSet hardwareEnforced(key_characteristics_.hardwareEnforced);
+        AuthorizationSet enforced(SecLevelAuthorizations());
-        ASSERT_TRUE(hardwareEnforced.Contains(TAG_ROLLBACK_RESISTANCE));
+        ASSERT_TRUE(enforced.Contains(TAG_ROLLBACK_RESISTANCE));
 
         // Delete the key we don't care about the result at this point.
         DeleteKey();
@@ -4019,7 +3993,7 @@ TEST_P(KeyDeletionTest, DeleteAllKeys) {
 
     // Delete must work if rollback protection is implemented
     if (error == ErrorCode::OK) {
-        AuthorizationSet hardwareEnforced(key_characteristics_.hardwareEnforced);
+        AuthorizationSet hardwareEnforced(SecLevelAuthorizations());
         ASSERT_TRUE(hardwareEnforced.Contains(TAG_ROLLBACK_RESISTANCE));
 
         ASSERT_EQ(ErrorCode::OK, DeleteAllKeys());

security/keymint/support/include/keymint_support/key_param_output.h

@@ -84,8 +84,10 @@ template <typename ValueT>
 ::std::ostream& operator<<(::std::ostream& os, const KeyParameter& param);
 
 inline ::std::ostream& operator<<(::std::ostream& os, const KeyCharacteristics& value) {
-    return os << "SW: " << value.softwareEnforced << ::std::endl
+    for (auto& entry : value.authorizations) {
-              << "HW: " << value.hardwareEnforced << ::std::endl;
+        os << value.securityLevel << ": " << entry;
+    }
+    return os;
 }
 
 inline ::std::ostream& operator<<(::std::ostream& os, KeyPurpose value) {