Add module info AIDL changes and bump the KeyMint version

Bug: 369375199
Test: Manually checked that module info is added to the attestation when
 sent via IKeyMintDevice::setModuleInfo.
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:ea426cbf2e0b3064adf090e4cd3d6932b02ae54d)
Merged-In: Idb11823e6b65cf17d62ae8687febffee860565e3
Change-Id: Idb11823e6b65cf17d62ae8687febffee860565e3

compatibility_matrices/compatibility_matrix.202504.xml

@@ -313,7 +313,7 @@
     </hal>
     <hal format="aidl" updatable-via-apex="true">
         <name>android.hardware.security.keymint</name>
-        <version>1-3</version>
+        <version>1-4</version>
         <interface>
             <name>IKeyMintDevice</name>
             <instance>default</instance>

confirmationui/aidl/Android.bp

@@ -19,8 +19,8 @@ package {
 aidl_interface {
     name: "android.hardware.confirmationui",
     vendor_available: true,
-    imports: [
-        "android.hardware.security.keymint-V3",
+    defaults: [
+        "android.hardware.security.keymint-latest-defaults",
     ],
     srcs: ["android/hardware/confirmationui/*.aidl"],
     stability: "vintf",
@@ -38,7 +38,7 @@ aidl_interface {
     versions_with_info: [
         {
             version: "1",
-            imports: ["android.hardware.security.keymint-V3"],
+            imports: ["android.hardware.security.keymint-V4"],
         },
     ],
     frozen: true,

gatekeeper/aidl/Android.bp

@@ -10,8 +10,8 @@ package {
 aidl_interface {
     name: "android.hardware.gatekeeper",
     vendor_available: true,
-    imports: [
-        "android.hardware.security.keymint-V3",
+    defaults: [
+        "android.hardware.security.keymint-latest-defaults",
     ],
     srcs: ["android/hardware/gatekeeper/*.aidl"],
     stability: "vintf",
@@ -32,7 +32,7 @@ aidl_interface {
     versions_with_info: [
         {
             version: "1",
-            imports: ["android.hardware.security.keymint-V3"],
+            imports: ["android.hardware.security.keymint-V4"],
         },
     ],
     frozen: true,

security/keymint/aidl/Android.bp

@@ -17,7 +17,7 @@ aidl_interface {
         "android.hardware.security.secureclock-V1",
     ],
     stability: "vintf",
-    frozen: true,
+    frozen: false,
     backend: {
         java: {
             platform_apis: true,
@@ -51,34 +51,42 @@ aidl_interface {
 
 }
 
+// An aidl_interface_defaults that includes the latest KeyMint AIDL interface.
+// aidl_interface modules that depend on KeyMint directly can include this
+// aidl_interface_defaults to avoid managing dependency versions explicitly.
+aidl_interface_defaults {
+    name: "android.hardware.security.keymint-latest-defaults",
+    imports: ["android.hardware.security.keymint-V4"],
+}
+
 // cc_defaults that includes the latest KeyMint AIDL library.
 // Modules that depend on KeyMint directly can include this cc_defaults to avoid
 // managing dependency versions explicitly.
 cc_defaults {
     name: "keymint_use_latest_hal_aidl_ndk_static",
     static_libs: [
-        "android.hardware.security.keymint-V3-ndk",
+        "android.hardware.security.keymint-V4-ndk",
     ],
 }
 
 cc_defaults {
     name: "keymint_use_latest_hal_aidl_ndk_shared",
     shared_libs: [
-        "android.hardware.security.keymint-V3-ndk",
+        "android.hardware.security.keymint-V4-ndk",
     ],
 }
 
 cc_defaults {
     name: "keymint_use_latest_hal_aidl_cpp_static",
     static_libs: [
-        "android.hardware.security.keymint-V3-cpp",
+        "android.hardware.security.keymint-V4-cpp",
     ],
 }
 
 cc_defaults {
     name: "keymint_use_latest_hal_aidl_cpp_shared",
     shared_libs: [
-        "android.hardware.security.keymint-V3-cpp",
+        "android.hardware.security.keymint-V4-cpp",
     ],
 }
 
@@ -88,6 +96,6 @@ cc_defaults {
 rust_defaults {
     name: "keymint_use_latest_hal_aidl_rust",
     rustlibs: [
-        "android.hardware.security.keymint-V3-rust",
+        "android.hardware.security.keymint-V4-rust",
     ],
 }

security/keymint/aidl/aidl_api/android.hardware.security.keymint/current/android/hardware/security/keymint/ErrorCode.aidl

@@ -36,90 +36,91 @@ package android.hardware.security.keymint;
 @Backing(type="int") @VintfStability
 enum ErrorCode {
   OK = 0,
-  ROOT_OF_TRUST_ALREADY_SET = -1,
-  UNSUPPORTED_PURPOSE = -2,
-  INCOMPATIBLE_PURPOSE = -3,
-  UNSUPPORTED_ALGORITHM = -4,
-  INCOMPATIBLE_ALGORITHM = -5,
-  UNSUPPORTED_KEY_SIZE = -6,
-  UNSUPPORTED_BLOCK_MODE = -7,
-  INCOMPATIBLE_BLOCK_MODE = -8,
-  UNSUPPORTED_MAC_LENGTH = -9,
-  UNSUPPORTED_PADDING_MODE = -10,
-  INCOMPATIBLE_PADDING_MODE = -11,
-  UNSUPPORTED_DIGEST = -12,
-  INCOMPATIBLE_DIGEST = -13,
-  INVALID_EXPIRATION_TIME = -14,
-  INVALID_USER_ID = -15,
-  INVALID_AUTHORIZATION_TIMEOUT = -16,
-  UNSUPPORTED_KEY_FORMAT = -17,
-  INCOMPATIBLE_KEY_FORMAT = -18,
-  UNSUPPORTED_KEY_ENCRYPTION_ALGORITHM = -19,
-  UNSUPPORTED_KEY_VERIFICATION_ALGORITHM = -20,
-  INVALID_INPUT_LENGTH = -21,
-  KEY_EXPORT_OPTIONS_INVALID = -22,
-  DELEGATION_NOT_ALLOWED = -23,
-  KEY_NOT_YET_VALID = -24,
-  KEY_EXPIRED = -25,
-  KEY_USER_NOT_AUTHENTICATED = -26,
-  OUTPUT_PARAMETER_NULL = -27,
-  INVALID_OPERATION_HANDLE = -28,
-  INSUFFICIENT_BUFFER_SPACE = -29,
-  VERIFICATION_FAILED = -30,
-  TOO_MANY_OPERATIONS = -31,
-  UNEXPECTED_NULL_POINTER = -32,
-  INVALID_KEY_BLOB = -33,
-  IMPORTED_KEY_NOT_ENCRYPTED = -34,
-  IMPORTED_KEY_DECRYPTION_FAILED = -35,
-  IMPORTED_KEY_NOT_SIGNED = -36,
-  IMPORTED_KEY_VERIFICATION_FAILED = -37,
-  INVALID_ARGUMENT = -38,
-  UNSUPPORTED_TAG = -39,
-  INVALID_TAG = -40,
-  MEMORY_ALLOCATION_FAILED = -41,
-  IMPORT_PARAMETER_MISMATCH = -44,
-  SECURE_HW_ACCESS_DENIED = -45,
-  OPERATION_CANCELLED = -46,
-  CONCURRENT_ACCESS_CONFLICT = -47,
-  SECURE_HW_BUSY = -48,
-  SECURE_HW_COMMUNICATION_FAILED = -49,
-  UNSUPPORTED_EC_FIELD = -50,
-  MISSING_NONCE = -51,
-  INVALID_NONCE = -52,
-  MISSING_MAC_LENGTH = -53,
-  KEY_RATE_LIMIT_EXCEEDED = -54,
-  CALLER_NONCE_PROHIBITED = -55,
-  KEY_MAX_OPS_EXCEEDED = -56,
-  INVALID_MAC_LENGTH = -57,
-  MISSING_MIN_MAC_LENGTH = -58,
-  UNSUPPORTED_MIN_MAC_LENGTH = -59,
-  UNSUPPORTED_KDF = -60,
-  UNSUPPORTED_EC_CURVE = -61,
-  KEY_REQUIRES_UPGRADE = -62,
-  ATTESTATION_CHALLENGE_MISSING = -63,
-  KEYMINT_NOT_CONFIGURED = -64,
-  ATTESTATION_APPLICATION_ID_MISSING = -65,
-  CANNOT_ATTEST_IDS = -66,
-  ROLLBACK_RESISTANCE_UNAVAILABLE = -67,
-  HARDWARE_TYPE_UNAVAILABLE = -68,
-  PROOF_OF_PRESENCE_REQUIRED = -69,
-  CONCURRENT_PROOF_OF_PRESENCE_REQUESTED = -70,
-  NO_USER_CONFIRMATION = -71,
-  DEVICE_LOCKED = -72,
-  EARLY_BOOT_ENDED = -73,
-  ATTESTATION_KEYS_NOT_PROVISIONED = -74,
-  ATTESTATION_IDS_NOT_PROVISIONED = -75,
-  INVALID_OPERATION = -76,
-  STORAGE_KEY_UNSUPPORTED = -77,
-  INCOMPATIBLE_MGF_DIGEST = -78,
-  UNSUPPORTED_MGF_DIGEST = -79,
-  MISSING_NOT_BEFORE = -80,
-  MISSING_NOT_AFTER = -81,
-  MISSING_ISSUER_SUBJECT = -82,
-  INVALID_ISSUER_SUBJECT = -83,
-  BOOT_LEVEL_EXCEEDED = -84,
-  HARDWARE_NOT_YET_AVAILABLE = -85,
-  UNIMPLEMENTED = -100,
-  VERSION_MISMATCH = -101,
-  UNKNOWN_ERROR = -1000,
+  ROOT_OF_TRUST_ALREADY_SET = (-1) /* -1 */,
+  UNSUPPORTED_PURPOSE = (-2) /* -2 */,
+  INCOMPATIBLE_PURPOSE = (-3) /* -3 */,
+  UNSUPPORTED_ALGORITHM = (-4) /* -4 */,
+  INCOMPATIBLE_ALGORITHM = (-5) /* -5 */,
+  UNSUPPORTED_KEY_SIZE = (-6) /* -6 */,
+  UNSUPPORTED_BLOCK_MODE = (-7) /* -7 */,
+  INCOMPATIBLE_BLOCK_MODE = (-8) /* -8 */,
+  UNSUPPORTED_MAC_LENGTH = (-9) /* -9 */,
+  UNSUPPORTED_PADDING_MODE = (-10) /* -10 */,
+  INCOMPATIBLE_PADDING_MODE = (-11) /* -11 */,
+  UNSUPPORTED_DIGEST = (-12) /* -12 */,
+  INCOMPATIBLE_DIGEST = (-13) /* -13 */,
+  INVALID_EXPIRATION_TIME = (-14) /* -14 */,
+  INVALID_USER_ID = (-15) /* -15 */,
+  INVALID_AUTHORIZATION_TIMEOUT = (-16) /* -16 */,
+  UNSUPPORTED_KEY_FORMAT = (-17) /* -17 */,
+  INCOMPATIBLE_KEY_FORMAT = (-18) /* -18 */,
+  UNSUPPORTED_KEY_ENCRYPTION_ALGORITHM = (-19) /* -19 */,
+  UNSUPPORTED_KEY_VERIFICATION_ALGORITHM = (-20) /* -20 */,
+  INVALID_INPUT_LENGTH = (-21) /* -21 */,
+  KEY_EXPORT_OPTIONS_INVALID = (-22) /* -22 */,
+  DELEGATION_NOT_ALLOWED = (-23) /* -23 */,
+  KEY_NOT_YET_VALID = (-24) /* -24 */,
+  KEY_EXPIRED = (-25) /* -25 */,
+  KEY_USER_NOT_AUTHENTICATED = (-26) /* -26 */,
+  OUTPUT_PARAMETER_NULL = (-27) /* -27 */,
+  INVALID_OPERATION_HANDLE = (-28) /* -28 */,
+  INSUFFICIENT_BUFFER_SPACE = (-29) /* -29 */,
+  VERIFICATION_FAILED = (-30) /* -30 */,
+  TOO_MANY_OPERATIONS = (-31) /* -31 */,
+  UNEXPECTED_NULL_POINTER = (-32) /* -32 */,
+  INVALID_KEY_BLOB = (-33) /* -33 */,
+  IMPORTED_KEY_NOT_ENCRYPTED = (-34) /* -34 */,
+  IMPORTED_KEY_DECRYPTION_FAILED = (-35) /* -35 */,
+  IMPORTED_KEY_NOT_SIGNED = (-36) /* -36 */,
+  IMPORTED_KEY_VERIFICATION_FAILED = (-37) /* -37 */,
+  INVALID_ARGUMENT = (-38) /* -38 */,
+  UNSUPPORTED_TAG = (-39) /* -39 */,
+  INVALID_TAG = (-40) /* -40 */,
+  MEMORY_ALLOCATION_FAILED = (-41) /* -41 */,
+  IMPORT_PARAMETER_MISMATCH = (-44) /* -44 */,
+  SECURE_HW_ACCESS_DENIED = (-45) /* -45 */,
+  OPERATION_CANCELLED = (-46) /* -46 */,
+  CONCURRENT_ACCESS_CONFLICT = (-47) /* -47 */,
+  SECURE_HW_BUSY = (-48) /* -48 */,
+  SECURE_HW_COMMUNICATION_FAILED = (-49) /* -49 */,
+  UNSUPPORTED_EC_FIELD = (-50) /* -50 */,
+  MISSING_NONCE = (-51) /* -51 */,
+  INVALID_NONCE = (-52) /* -52 */,
+  MISSING_MAC_LENGTH = (-53) /* -53 */,
+  KEY_RATE_LIMIT_EXCEEDED = (-54) /* -54 */,
+  CALLER_NONCE_PROHIBITED = (-55) /* -55 */,
+  KEY_MAX_OPS_EXCEEDED = (-56) /* -56 */,
+  INVALID_MAC_LENGTH = (-57) /* -57 */,
+  MISSING_MIN_MAC_LENGTH = (-58) /* -58 */,
+  UNSUPPORTED_MIN_MAC_LENGTH = (-59) /* -59 */,
+  UNSUPPORTED_KDF = (-60) /* -60 */,
+  UNSUPPORTED_EC_CURVE = (-61) /* -61 */,
+  KEY_REQUIRES_UPGRADE = (-62) /* -62 */,
+  ATTESTATION_CHALLENGE_MISSING = (-63) /* -63 */,
+  KEYMINT_NOT_CONFIGURED = (-64) /* -64 */,
+  ATTESTATION_APPLICATION_ID_MISSING = (-65) /* -65 */,
+  CANNOT_ATTEST_IDS = (-66) /* -66 */,
+  ROLLBACK_RESISTANCE_UNAVAILABLE = (-67) /* -67 */,
+  HARDWARE_TYPE_UNAVAILABLE = (-68) /* -68 */,
+  PROOF_OF_PRESENCE_REQUIRED = (-69) /* -69 */,
+  CONCURRENT_PROOF_OF_PRESENCE_REQUESTED = (-70) /* -70 */,
+  NO_USER_CONFIRMATION = (-71) /* -71 */,
+  DEVICE_LOCKED = (-72) /* -72 */,
+  EARLY_BOOT_ENDED = (-73) /* -73 */,
+  ATTESTATION_KEYS_NOT_PROVISIONED = (-74) /* -74 */,
+  ATTESTATION_IDS_NOT_PROVISIONED = (-75) /* -75 */,
+  INVALID_OPERATION = (-76) /* -76 */,
+  STORAGE_KEY_UNSUPPORTED = (-77) /* -77 */,
+  INCOMPATIBLE_MGF_DIGEST = (-78) /* -78 */,
+  UNSUPPORTED_MGF_DIGEST = (-79) /* -79 */,
+  MISSING_NOT_BEFORE = (-80) /* -80 */,
+  MISSING_NOT_AFTER = (-81) /* -81 */,
+  MISSING_ISSUER_SUBJECT = (-82) /* -82 */,
+  INVALID_ISSUER_SUBJECT = (-83) /* -83 */,
+  BOOT_LEVEL_EXCEEDED = (-84) /* -84 */,
+  HARDWARE_NOT_YET_AVAILABLE = (-85) /* -85 */,
+  MODULE_HASH_ALREADY_SET = (-86) /* -86 */,
+  UNIMPLEMENTED = (-100) /* -100 */,
+  VERSION_MISMATCH = (-101) /* -101 */,
+  UNKNOWN_ERROR = (-1000) /* -1000 */,
 }

security/keymint/aidl/aidl_api/android.hardware.security.keymint/current/android/hardware/security/keymint/HardwareAuthenticatorType.aidl

@@ -36,7 +36,7 @@ package android.hardware.security.keymint;
 @Backing(type="int") @VintfStability
 enum HardwareAuthenticatorType {
   NONE = 0,
-  PASSWORD = 1,
-  FINGERPRINT = 2,
-  ANY = -1,
+  PASSWORD = (1 << 0) /* 1 */,
+  FINGERPRINT = (1 << 1) /* 2 */,
+  ANY = 0xFFFFFFFF,
 }

security/keymint/aidl/aidl_api/android.hardware.security.keymint/current/android/hardware/security/keymint/IKeyMintDevice.aidl

@@ -52,5 +52,6 @@ interface IKeyMintDevice {
   byte[16] getRootOfTrustChallenge();
   byte[] getRootOfTrust(in byte[16] challenge);
   void sendRootOfTrust(in byte[] rootOfTrust);
+  void setAdditionalAttestationInfo(in android.hardware.security.keymint.KeyParameter[] info);
   const int AUTH_TOKEN_MAC_LENGTH = 32;
 }

security/keymint/aidl/aidl_api/android.hardware.security.keymint/current/android/hardware/security/keymint/Tag.aidl

@@ -36,69 +36,70 @@ package android.hardware.security.keymint;
 @Backing(type="int") @VintfStability
 enum Tag {
   INVALID = 0,
-  PURPOSE = 536870913,
-  ALGORITHM = 268435458,
-  KEY_SIZE = 805306371,
-  BLOCK_MODE = 536870916,
-  DIGEST = 536870917,
-  PADDING = 536870918,
-  CALLER_NONCE = 1879048199,
-  MIN_MAC_LENGTH = 805306376,
-  EC_CURVE = 268435466,
-  RSA_PUBLIC_EXPONENT = 1342177480,
-  INCLUDE_UNIQUE_ID = 1879048394,
-  RSA_OAEP_MGF_DIGEST = 536871115,
-  BOOTLOADER_ONLY = 1879048494,
-  ROLLBACK_RESISTANCE = 1879048495,
-  HARDWARE_TYPE = 268435760,
-  EARLY_BOOT_ONLY = 1879048497,
-  ACTIVE_DATETIME = 1610613136,
-  ORIGINATION_EXPIRE_DATETIME = 1610613137,
-  USAGE_EXPIRE_DATETIME = 1610613138,
-  MIN_SECONDS_BETWEEN_OPS = 805306771,
-  MAX_USES_PER_BOOT = 805306772,
-  USAGE_COUNT_LIMIT = 805306773,
-  USER_ID = 805306869,
-  USER_SECURE_ID = -1610612234,
-  NO_AUTH_REQUIRED = 1879048695,
-  USER_AUTH_TYPE = 268435960,
-  AUTH_TIMEOUT = 805306873,
-  ALLOW_WHILE_ON_BODY = 1879048698,
-  TRUSTED_USER_PRESENCE_REQUIRED = 1879048699,
-  TRUSTED_CONFIRMATION_REQUIRED = 1879048700,
-  UNLOCKED_DEVICE_REQUIRED = 1879048701,
-  APPLICATION_ID = -1879047591,
-  APPLICATION_DATA = -1879047492,
-  CREATION_DATETIME = 1610613437,
-  ORIGIN = 268436158,
-  ROOT_OF_TRUST = -1879047488,
-  OS_VERSION = 805307073,
-  OS_PATCHLEVEL = 805307074,
-  UNIQUE_ID = -1879047485,
-  ATTESTATION_CHALLENGE = -1879047484,
-  ATTESTATION_APPLICATION_ID = -1879047483,
-  ATTESTATION_ID_BRAND = -1879047482,
-  ATTESTATION_ID_DEVICE = -1879047481,
-  ATTESTATION_ID_PRODUCT = -1879047480,
-  ATTESTATION_ID_SERIAL = -1879047479,
-  ATTESTATION_ID_IMEI = -1879047478,
-  ATTESTATION_ID_MEID = -1879047477,
-  ATTESTATION_ID_MANUFACTURER = -1879047476,
-  ATTESTATION_ID_MODEL = -1879047475,
-  VENDOR_PATCHLEVEL = 805307086,
-  BOOT_PATCHLEVEL = 805307087,
-  DEVICE_UNIQUE_ATTESTATION = 1879048912,
-  IDENTITY_CREDENTIAL_KEY = 1879048913,
-  STORAGE_KEY = 1879048914,
-  ATTESTATION_ID_SECOND_IMEI = -1879047469,
-  ASSOCIATED_DATA = -1879047192,
-  NONCE = -1879047191,
-  MAC_LENGTH = 805307371,
-  RESET_SINCE_ID_ROTATION = 1879049196,
-  CONFIRMATION_TOKEN = -1879047187,
-  CERTIFICATE_SERIAL = -2147482642,
-  CERTIFICATE_SUBJECT = -1879047185,
-  CERTIFICATE_NOT_BEFORE = 1610613744,
-  CERTIFICATE_NOT_AFTER = 1610613745,
-  MAX_BOOT_LEVEL = 805307378,
+  PURPOSE = (android.hardware.security.keymint.TagType.ENUM_REP | 1) /* 536870913 */,
+  ALGORITHM = (android.hardware.security.keymint.TagType.ENUM | 2) /* 268435458 */,
+  KEY_SIZE = (android.hardware.security.keymint.TagType.UINT | 3) /* 805306371 */,
+  BLOCK_MODE = (android.hardware.security.keymint.TagType.ENUM_REP | 4) /* 536870916 */,
+  DIGEST = (android.hardware.security.keymint.TagType.ENUM_REP | 5) /* 536870917 */,
+  PADDING = (android.hardware.security.keymint.TagType.ENUM_REP | 6) /* 536870918 */,
+  CALLER_NONCE = (android.hardware.security.keymint.TagType.BOOL | 7) /* 1879048199 */,
+  MIN_MAC_LENGTH = (android.hardware.security.keymint.TagType.UINT | 8) /* 805306376 */,
+  EC_CURVE = (android.hardware.security.keymint.TagType.ENUM | 10) /* 268435466 */,
+  RSA_PUBLIC_EXPONENT = (android.hardware.security.keymint.TagType.ULONG | 200) /* 1342177480 */,
+  INCLUDE_UNIQUE_ID = (android.hardware.security.keymint.TagType.BOOL | 202) /* 1879048394 */,
+  RSA_OAEP_MGF_DIGEST = (android.hardware.security.keymint.TagType.ENUM_REP | 203) /* 536871115 */,
+  BOOTLOADER_ONLY = (android.hardware.security.keymint.TagType.BOOL | 302) /* 1879048494 */,
+  ROLLBACK_RESISTANCE = (android.hardware.security.keymint.TagType.BOOL | 303) /* 1879048495 */,
+  HARDWARE_TYPE = (android.hardware.security.keymint.TagType.ENUM | 304) /* 268435760 */,
+  EARLY_BOOT_ONLY = (android.hardware.security.keymint.TagType.BOOL | 305) /* 1879048497 */,
+  ACTIVE_DATETIME = (android.hardware.security.keymint.TagType.DATE | 400) /* 1610613136 */,
+  ORIGINATION_EXPIRE_DATETIME = (android.hardware.security.keymint.TagType.DATE | 401) /* 1610613137 */,
+  USAGE_EXPIRE_DATETIME = (android.hardware.security.keymint.TagType.DATE | 402) /* 1610613138 */,
+  MIN_SECONDS_BETWEEN_OPS = (android.hardware.security.keymint.TagType.UINT | 403) /* 805306771 */,
+  MAX_USES_PER_BOOT = (android.hardware.security.keymint.TagType.UINT | 404) /* 805306772 */,
+  USAGE_COUNT_LIMIT = (android.hardware.security.keymint.TagType.UINT | 405) /* 805306773 */,
+  USER_ID = (android.hardware.security.keymint.TagType.UINT | 501) /* 805306869 */,
+  USER_SECURE_ID = (android.hardware.security.keymint.TagType.ULONG_REP | 502) /* -1610612234 */,
+  NO_AUTH_REQUIRED = (android.hardware.security.keymint.TagType.BOOL | 503) /* 1879048695 */,
+  USER_AUTH_TYPE = (android.hardware.security.keymint.TagType.ENUM | 504) /* 268435960 */,
+  AUTH_TIMEOUT = (android.hardware.security.keymint.TagType.UINT | 505) /* 805306873 */,
+  ALLOW_WHILE_ON_BODY = (android.hardware.security.keymint.TagType.BOOL | 506) /* 1879048698 */,
+  TRUSTED_USER_PRESENCE_REQUIRED = (android.hardware.security.keymint.TagType.BOOL | 507) /* 1879048699 */,
+  TRUSTED_CONFIRMATION_REQUIRED = (android.hardware.security.keymint.TagType.BOOL | 508) /* 1879048700 */,
+  UNLOCKED_DEVICE_REQUIRED = (android.hardware.security.keymint.TagType.BOOL | 509) /* 1879048701 */,
+  APPLICATION_ID = (android.hardware.security.keymint.TagType.BYTES | 601) /* -1879047591 */,
+  APPLICATION_DATA = (android.hardware.security.keymint.TagType.BYTES | 700) /* -1879047492 */,
+  CREATION_DATETIME = (android.hardware.security.keymint.TagType.DATE | 701) /* 1610613437 */,
+  ORIGIN = (android.hardware.security.keymint.TagType.ENUM | 702) /* 268436158 */,
+  ROOT_OF_TRUST = (android.hardware.security.keymint.TagType.BYTES | 704) /* -1879047488 */,
+  OS_VERSION = (android.hardware.security.keymint.TagType.UINT | 705) /* 805307073 */,
+  OS_PATCHLEVEL = (android.hardware.security.keymint.TagType.UINT | 706) /* 805307074 */,
+  UNIQUE_ID = (android.hardware.security.keymint.TagType.BYTES | 707) /* -1879047485 */,
+  ATTESTATION_CHALLENGE = (android.hardware.security.keymint.TagType.BYTES | 708) /* -1879047484 */,
+  ATTESTATION_APPLICATION_ID = (android.hardware.security.keymint.TagType.BYTES | 709) /* -1879047483 */,
+  ATTESTATION_ID_BRAND = (android.hardware.security.keymint.TagType.BYTES | 710) /* -1879047482 */,
+  ATTESTATION_ID_DEVICE = (android.hardware.security.keymint.TagType.BYTES | 711) /* -1879047481 */,
+  ATTESTATION_ID_PRODUCT = (android.hardware.security.keymint.TagType.BYTES | 712) /* -1879047480 */,
+  ATTESTATION_ID_SERIAL = (android.hardware.security.keymint.TagType.BYTES | 713) /* -1879047479 */,
+  ATTESTATION_ID_IMEI = (android.hardware.security.keymint.TagType.BYTES | 714) /* -1879047478 */,
+  ATTESTATION_ID_MEID = (android.hardware.security.keymint.TagType.BYTES | 715) /* -1879047477 */,
+  ATTESTATION_ID_MANUFACTURER = (android.hardware.security.keymint.TagType.BYTES | 716) /* -1879047476 */,
+  ATTESTATION_ID_MODEL = (android.hardware.security.keymint.TagType.BYTES | 717) /* -1879047475 */,
+  VENDOR_PATCHLEVEL = (android.hardware.security.keymint.TagType.UINT | 718) /* 805307086 */,
+  BOOT_PATCHLEVEL = (android.hardware.security.keymint.TagType.UINT | 719) /* 805307087 */,
+  DEVICE_UNIQUE_ATTESTATION = (android.hardware.security.keymint.TagType.BOOL | 720) /* 1879048912 */,
+  IDENTITY_CREDENTIAL_KEY = (android.hardware.security.keymint.TagType.BOOL | 721) /* 1879048913 */,
+  STORAGE_KEY = (android.hardware.security.keymint.TagType.BOOL | 722) /* 1879048914 */,
+  ATTESTATION_ID_SECOND_IMEI = (android.hardware.security.keymint.TagType.BYTES | 723) /* -1879047469 */,
+  MODULE_HASH = (android.hardware.security.keymint.TagType.BYTES | 724) /* -1879047468 */,
+  ASSOCIATED_DATA = (android.hardware.security.keymint.TagType.BYTES | 1000) /* -1879047192 */,
+  NONCE = (android.hardware.security.keymint.TagType.BYTES | 1001) /* -1879047191 */,
+  MAC_LENGTH = (android.hardware.security.keymint.TagType.UINT | 1003) /* 805307371 */,
+  RESET_SINCE_ID_ROTATION = (android.hardware.security.keymint.TagType.BOOL | 1004) /* 1879049196 */,
+  CONFIRMATION_TOKEN = (android.hardware.security.keymint.TagType.BYTES | 1005) /* -1879047187 */,
+  CERTIFICATE_SERIAL = (android.hardware.security.keymint.TagType.BIGNUM | 1006) /* -2147482642 */,
+  CERTIFICATE_SUBJECT = (android.hardware.security.keymint.TagType.BYTES | 1007) /* -1879047185 */,
+  CERTIFICATE_NOT_BEFORE = (android.hardware.security.keymint.TagType.DATE | 1008) /* 1610613744 */,
+  CERTIFICATE_NOT_AFTER = (android.hardware.security.keymint.TagType.DATE | 1009) /* 1610613745 */,
+  MAX_BOOT_LEVEL = (android.hardware.security.keymint.TagType.UINT | 1010) /* 805307378 */,
 }

security/keymint/aidl/aidl_api/android.hardware.security.keymint/current/android/hardware/security/keymint/TagType.aidl

@@ -35,15 +35,15 @@ package android.hardware.security.keymint;
 /* @hide */
 @Backing(type="int") @VintfStability
 enum TagType {
-  INVALID = 0,
-  ENUM = 268435456,
-  ENUM_REP = 536870912,
-  UINT = 805306368,
-  UINT_REP = 1073741824,
-  ULONG = 1342177280,
-  DATE = 1610612736,
-  BOOL = 1879048192,
-  BIGNUM = -2147483648,
-  BYTES = -1879048192,
-  ULONG_REP = -1610612736,
+  INVALID = (0 << 28) /* 0 */,
+  ENUM = (1 << 28) /* 268435456 */,
+  ENUM_REP = (2 << 28) /* 536870912 */,
+  UINT = (3 << 28) /* 805306368 */,
+  UINT_REP = (4 << 28) /* 1073741824 */,
+  ULONG = (5 << 28) /* 1342177280 */,
+  DATE = (6 << 28) /* 1610612736 */,
+  BOOL = (7 << 28) /* 1879048192 */,
+  BIGNUM = (8 << 28) /* -2147483648 */,
+  BYTES = (9 << 28) /* -1879048192 */,
+  ULONG_REP = (10 << 28) /* -1610612736 */,
 }

security/keymint/aidl/android/hardware/security/keymint/ErrorCode.aidl

@@ -108,6 +108,7 @@ enum ErrorCode {
     INVALID_ISSUER_SUBJECT = -83,
     BOOT_LEVEL_EXCEEDED = -84,
     HARDWARE_NOT_YET_AVAILABLE = -85,
+    MODULE_HASH_ALREADY_SET = -86,
 
     UNIMPLEMENTED = -100,
     VERSION_MISMATCH = -101,

security/keymint/aidl/android/hardware/security/keymint/IKeyMintDevice.aidl

@@ -959,4 +959,17 @@ interface IKeyMintDevice {
      * not implemented.  TEE KeyMint implementations must return ErrorCode::UNIMPLEMENTED.
      */
     void sendRootOfTrust(in byte[] rootOfTrust);
+
+    /**
+     * Called by Android to deliver additional attestation information to the IKeyMintDevice.
+     *
+     * IKeyMintDevice must ignore KeyParameters with tags not included in the following list:
+     *
+     * o Tag::MODULE_HASH: holds a hash that must be included in attestations in the moduleHash
+     *   field of the software enforced authorization list. If Tag::MODULE_HASH is included in more
+     *   than one setAdditionalAttestationInfo call, the implementation should compare the initial
+     *   KeyParamValue with the more recent one. If they differ, the implementation should fail with
+     *   ErrorCode::MODULE_HASH_ALREADY_SET. If they are the same, no action needs to be taken.
+     */
+    void setAdditionalAttestationInfo(in KeyParameter[] info);
 }

security/keymint/aidl/android/hardware/security/keymint/Tag.aidl

@@ -900,6 +900,17 @@ enum Tag {
      */
     ATTESTATION_ID_SECOND_IMEI = TagType.BYTES | 723,
 
+    /**
+     * Tag::MODULE_HASH specifies the SHA-256 hash of the DER-encoded module information (see
+     * KeyCreationResult.aidl for the ASN.1 schema).
+     *
+     * This tag is never provided or returned from KeyMint in the key characteristics. It exists
+     * only to define the tag for use in the attestation record.
+     *
+     * Must never appear in KeyCharacteristics.
+     */
+    MODULE_HASH = TagType.BYTES | 724,
+
     /**
      * OBSOLETE: Do not use.
      *

security/keymint/aidl/default/android.hardware.hardware_keystore.xml

@@ -14,5 +14,5 @@
      limitations under the License.
 -->
 <permissions>
-  <feature name="android.hardware.hardware_keystore" version="300" />
+  <feature name="android.hardware.hardware_keystore" version="400" />
 </permissions>

security/keymint/aidl/default/android.hardware.security.keymint-service.xml

@@ -1,7 +1,7 @@
 <manifest version="1.0" type="device">
     <hal format="aidl">
         <name>android.hardware.security.keymint</name>
-        <version>3</version>
+        <version>4</version>
         <fqname>IKeyMintDevice/default</fqname>
     </hal>
     <hal format="aidl">