From 866d2752a9030ffdc442985471c7d9b629abcbbc Mon Sep 17 00:00:00 2001 From: Karuna Wadhera Date: Fri, 1 Nov 2024 21:23:04 +0000 Subject: [PATCH] Add module info AIDL changes and bump the KeyMint version Bug: 369375199 Test: Manually checked that module info is added to the attestation when sent via IKeyMintDevice::setModuleInfo. (cherry picked from https://googleplex-android-review.googlesource.com/q/commit:ea426cbf2e0b3064adf090e4cd3d6932b02ae54d) Merged-In: Idb11823e6b65cf17d62ae8687febffee860565e3 Change-Id: Idb11823e6b65cf17d62ae8687febffee860565e3 --- .../compatibility_matrix.202504.xml | 2 +- confirmationui/aidl/Android.bp | 6 +- gatekeeper/aidl/Android.bp | 6 +- security/keymint/aidl/Android.bp | 20 +- .../hardware/security/keymint/ErrorCode.aidl | 173 +++++++++--------- .../keymint/HardwareAuthenticatorType.aidl | 6 +- .../security/keymint/IKeyMintDevice.aidl | 1 + .../hardware/security/keymint/Tag.aidl | 131 ++++++------- .../hardware/security/keymint/TagType.aidl | 22 +-- .../hardware/security/keymint/ErrorCode.aidl | 1 + .../security/keymint/IKeyMintDevice.aidl | 13 ++ .../hardware/security/keymint/Tag.aidl | 11 ++ .../android.hardware.hardware_keystore.xml | 2 +- ...roid.hardware.security.keymint-service.xml | 2 +- 14 files changed, 216 insertions(+), 180 deletions(-) diff --git a/compatibility_matrices/compatibility_matrix.202504.xml b/compatibility_matrices/compatibility_matrix.202504.xml index ced86a01e0..5589e54515 100644 --- a/compatibility_matrices/compatibility_matrix.202504.xml +++ b/compatibility_matrices/compatibility_matrix.202504.xml @@ -313,7 +313,7 @@ android.hardware.security.keymint - 1-3 + 1-4 IKeyMintDevice default diff --git a/confirmationui/aidl/Android.bp b/confirmationui/aidl/Android.bp index 51bde0a4a0..1f178661bf 100644 --- a/confirmationui/aidl/Android.bp +++ b/confirmationui/aidl/Android.bp 
@@ -19,8 +19,8 @@ package { aidl_interface { name: "android.hardware.confirmationui", vendor_available: true, - imports: [ - "android.hardware.security.keymint-V3", + defaults: [ + "android.hardware.security.keymint-latest-defaults", ], srcs: ["android/hardware/confirmationui/*.aidl"], stability: "vintf", @@ -38,7 +38,7 @@ aidl_interface { versions_with_info: [ { version: "1", - imports: ["android.hardware.security.keymint-V3"], + imports: ["android.hardware.security.keymint-V4"], }, ], frozen: true, diff --git a/gatekeeper/aidl/Android.bp b/gatekeeper/aidl/Android.bp index 169a7d5fa7..88c10b71ee 100644 --- a/gatekeeper/aidl/Android.bp +++ b/gatekeeper/aidl/Android.bp @@ -10,8 +10,8 @@ package { aidl_interface { name: "android.hardware.gatekeeper", vendor_available: true, - imports: [ - "android.hardware.security.keymint-V3", + defaults: [ + "android.hardware.security.keymint-latest-defaults", ], srcs: ["android/hardware/gatekeeper/*.aidl"], stability: "vintf", @@ -32,7 +32,7 @@ aidl_interface { versions_with_info: [ { version: "1", - imports: ["android.hardware.security.keymint-V3"], + imports: ["android.hardware.security.keymint-V4"], }, ], frozen: true, diff --git a/security/keymint/aidl/Android.bp b/security/keymint/aidl/Android.bp index e346610f91..a2e58acb29 100644 --- a/security/keymint/aidl/Android.bp +++ b/security/keymint/aidl/Android.bp @@ -17,7 +17,7 @@ aidl_interface { "android.hardware.security.secureclock-V1", ], stability: "vintf", - frozen: true, + frozen: false, backend: { java: { platform_apis: true, 
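Review bot: The second hunk of confirmationui/aidl/Android.bp rewrites the recorded imports of the already frozen version "1" from keymint-V3 to keymint-V4, while the module stays `frozen: true` and this same patch sets KeyMint to `frozen: false`; the gatekeeper/aidl/Android.bp hunk at -32,7 does the same. As written, a frozen snapshot is declared against a KeyMint version that can still change, which looks inconsistent with what version 1 was frozen against. Unless the build requires the bump, I would keep `imports: ["android.hardware.security.keymint-V3"],` in the `versions_with_info` entry and let only the top-level `defaults` track the latest version. If the bump is required, a one-line comment above the entry saying why would help the next reader. The aidl_interface block starts and ends outside both hunks, so I cannot see whether other fields depend on this.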
@@ -51,34 +51,42 @@ aidl_interface { } +// An aidl_interface_defaults that includes the latest KeyMint AIDL interface. +// aidl_interface modules that depend on KeyMint directly can include this +// aidl_interface_defaults to avoid managing dependency versions explicitly. +aidl_interface_defaults { + name: "android.hardware.security.keymint-latest-defaults", + imports: ["android.hardware.security.keymint-V4"], +} + // cc_defaults that includes the latest KeyMint AIDL library. // Modules that depend on KeyMint directly can include this cc_defaults to avoid // managing dependency versions explicitly. cc_defaults { name: "keymint_use_latest_hal_aidl_ndk_static", static_libs: [ - "android.hardware.security.keymint-V3-ndk", + "android.hardware.security.keymint-V4-ndk", ], } cc_defaults { name: "keymint_use_latest_hal_aidl_ndk_shared", shared_libs: [ - "android.hardware.security.keymint-V3-ndk", + "android.hardware.security.keymint-V4-ndk", ], } cc_defaults { name: "keymint_use_latest_hal_aidl_cpp_static", static_libs: [ - "android.hardware.security.keymint-V3-cpp", + "android.hardware.security.keymint-V4-cpp", ], } cc_defaults { name: "keymint_use_latest_hal_aidl_cpp_shared", shared_libs: [ - "android.hardware.security.keymint-V3-cpp", + "android.hardware.security.keymint-V4-cpp", ], } @@ -88,6 +96,6 @@ cc_defaults { rust_defaults { name: "keymint_use_latest_hal_aidl_rust", rustlibs: [ - "android.hardware.security.keymint-V3-rust", + "android.hardware.security.keymint-V4-rust", ], } diff --git a/security/keymint/aidl/aidl_api/android.hardware.security.keymint/current/android/hardware/security/keymint/ErrorCode.aidl b/security/keymint/aidl/aidl_api/android.hardware.security.keymint/current/android/hardware/security/keymint/ErrorCode.aidl index b05a0f3d83..71d3651f98 100644 --- a/security/keymint/aidl/aidl_api/android.hardware.security.keymint/current/android/hardware/security/keymint/ErrorCode.aidl 
+++ b/security/keymint/aidl/aidl_api/android.hardware.security.keymint/current/android/hardware/security/keymint/ErrorCode.aidl 
@@ -36,90 +36,91 @@ package android.hardware.security.keymint; @Backing(type="int") @VintfStability enum ErrorCode { OK = 0, - ROOT_OF_TRUST_ALREADY_SET = -1, - UNSUPPORTED_PURPOSE = -2, - INCOMPATIBLE_PURPOSE = -3, - UNSUPPORTED_ALGORITHM = -4, - INCOMPATIBLE_ALGORITHM = -5, - UNSUPPORTED_KEY_SIZE = -6, - UNSUPPORTED_BLOCK_MODE = -7, - INCOMPATIBLE_BLOCK_MODE = -8, - UNSUPPORTED_MAC_LENGTH = -9, - UNSUPPORTED_PADDING_MODE = -10, - INCOMPATIBLE_PADDING_MODE = -11, - UNSUPPORTED_DIGEST = -12, - INCOMPATIBLE_DIGEST = -13, - INVALID_EXPIRATION_TIME = -14, - INVALID_USER_ID = -15, - INVALID_AUTHORIZATION_TIMEOUT = -16, - UNSUPPORTED_KEY_FORMAT = -17, - INCOMPATIBLE_KEY_FORMAT = -18, - UNSUPPORTED_KEY_ENCRYPTION_ALGORITHM = -19, - UNSUPPORTED_KEY_VERIFICATION_ALGORITHM = -20, - INVALID_INPUT_LENGTH = -21, - KEY_EXPORT_OPTIONS_INVALID = -22, - DELEGATION_NOT_ALLOWED = -23, - KEY_NOT_YET_VALID = -24, - KEY_EXPIRED = -25, - KEY_USER_NOT_AUTHENTICATED = -26, - OUTPUT_PARAMETER_NULL = -27, - INVALID_OPERATION_HANDLE = -28, - INSUFFICIENT_BUFFER_SPACE = -29, - VERIFICATION_FAILED = -30, - TOO_MANY_OPERATIONS = -31, - UNEXPECTED_NULL_POINTER = -32, - INVALID_KEY_BLOB = -33, - IMPORTED_KEY_NOT_ENCRYPTED = -34, - IMPORTED_KEY_DECRYPTION_FAILED = -35, - IMPORTED_KEY_NOT_SIGNED = -36, - IMPORTED_KEY_VERIFICATION_FAILED = -37, - INVALID_ARGUMENT = -38, - UNSUPPORTED_TAG = -39, - INVALID_TAG = -40, - MEMORY_ALLOCATION_FAILED = -41, - IMPORT_PARAMETER_MISMATCH = -44, - SECURE_HW_ACCESS_DENIED = -45, - OPERATION_CANCELLED = -46, - CONCURRENT_ACCESS_CONFLICT = -47, - SECURE_HW_BUSY = -48, - SECURE_HW_COMMUNICATION_FAILED = -49, - UNSUPPORTED_EC_FIELD = -50, - MISSING_NONCE = -51, - INVALID_NONCE = -52, - MISSING_MAC_LENGTH = -53, - KEY_RATE_LIMIT_EXCEEDED = -54, - CALLER_NONCE_PROHIBITED = -55, - KEY_MAX_OPS_EXCEEDED = -56, - INVALID_MAC_LENGTH = -57, - MISSING_MIN_MAC_LENGTH = -58, - UNSUPPORTED_MIN_MAC_LENGTH = -59, - UNSUPPORTED_KDF = -60, - UNSUPPORTED_EC_CURVE = -61, - 
KEY_REQUIRES_UPGRADE = -62, - ATTESTATION_CHALLENGE_MISSING = -63, - KEYMINT_NOT_CONFIGURED = -64, - ATTESTATION_APPLICATION_ID_MISSING = -65, - CANNOT_ATTEST_IDS = -66, - ROLLBACK_RESISTANCE_UNAVAILABLE = -67, - HARDWARE_TYPE_UNAVAILABLE = -68, - PROOF_OF_PRESENCE_REQUIRED = -69, - CONCURRENT_PROOF_OF_PRESENCE_REQUESTED = -70, - NO_USER_CONFIRMATION = -71, - DEVICE_LOCKED = -72, - EARLY_BOOT_ENDED = -73, - ATTESTATION_KEYS_NOT_PROVISIONED = -74, - ATTESTATION_IDS_NOT_PROVISIONED = -75, - INVALID_OPERATION = -76, - STORAGE_KEY_UNSUPPORTED = -77, - INCOMPATIBLE_MGF_DIGEST = -78, - UNSUPPORTED_MGF_DIGEST = -79, - MISSING_NOT_BEFORE = -80, - MISSING_NOT_AFTER = -81, - MISSING_ISSUER_SUBJECT = -82, - INVALID_ISSUER_SUBJECT = -83, - BOOT_LEVEL_EXCEEDED = -84, - HARDWARE_NOT_YET_AVAILABLE = -85, - UNIMPLEMENTED = -100, - VERSION_MISMATCH = -101, - UNKNOWN_ERROR = -1000, + ROOT_OF_TRUST_ALREADY_SET = (-1) /* -1 */, + UNSUPPORTED_PURPOSE = (-2) /* -2 */, + INCOMPATIBLE_PURPOSE = (-3) /* -3 */, + UNSUPPORTED_ALGORITHM = (-4) /* -4 */, + INCOMPATIBLE_ALGORITHM = (-5) /* -5 */, + UNSUPPORTED_KEY_SIZE = (-6) /* -6 */, + UNSUPPORTED_BLOCK_MODE = (-7) /* -7 */, + INCOMPATIBLE_BLOCK_MODE = (-8) /* -8 */, + UNSUPPORTED_MAC_LENGTH = (-9) /* -9 */, + UNSUPPORTED_PADDING_MODE = (-10) /* -10 */, + INCOMPATIBLE_PADDING_MODE = (-11) /* -11 */, + UNSUPPORTED_DIGEST = (-12) /* -12 */, + INCOMPATIBLE_DIGEST = (-13) /* -13 */, + INVALID_EXPIRATION_TIME = (-14) /* -14 */, + INVALID_USER_ID = (-15) /* -15 */, + INVALID_AUTHORIZATION_TIMEOUT = (-16) /* -16 */, + UNSUPPORTED_KEY_FORMAT = (-17) /* -17 */, + INCOMPATIBLE_KEY_FORMAT = (-18) /* -18 */, + UNSUPPORTED_KEY_ENCRYPTION_ALGORITHM = (-19) /* -19 */, + UNSUPPORTED_KEY_VERIFICATION_ALGORITHM = (-20) /* -20 */, + INVALID_INPUT_LENGTH = (-21) /* -21 */, + KEY_EXPORT_OPTIONS_INVALID = (-22) /* -22 */, + DELEGATION_NOT_ALLOWED = (-23) /* -23 */, + KEY_NOT_YET_VALID = (-24) /* -24 */, + KEY_EXPIRED = (-25) /* -25 */, + KEY_USER_NOT_AUTHENTICATED 
= (-26) /* -26 */, + OUTPUT_PARAMETER_NULL = (-27) /* -27 */, + INVALID_OPERATION_HANDLE = (-28) /* -28 */, + INSUFFICIENT_BUFFER_SPACE = (-29) /* -29 */, + VERIFICATION_FAILED = (-30) /* -30 */, + TOO_MANY_OPERATIONS = (-31) /* -31 */, + UNEXPECTED_NULL_POINTER = (-32) /* -32 */, + INVALID_KEY_BLOB = (-33) /* -33 */, + IMPORTED_KEY_NOT_ENCRYPTED = (-34) /* -34 */, + IMPORTED_KEY_DECRYPTION_FAILED = (-35) /* -35 */, + IMPORTED_KEY_NOT_SIGNED = (-36) /* -36 */, + IMPORTED_KEY_VERIFICATION_FAILED = (-37) /* -37 */, + INVALID_ARGUMENT = (-38) /* -38 */, + UNSUPPORTED_TAG = (-39) /* -39 */, + INVALID_TAG = (-40) /* -40 */, + MEMORY_ALLOCATION_FAILED = (-41) /* -41 */, + IMPORT_PARAMETER_MISMATCH = (-44) /* -44 */, + SECURE_HW_ACCESS_DENIED = (-45) /* -45 */, + OPERATION_CANCELLED = (-46) /* -46 */, + CONCURRENT_ACCESS_CONFLICT = (-47) /* -47 */, + SECURE_HW_BUSY = (-48) /* -48 */, + SECURE_HW_COMMUNICATION_FAILED = (-49) /* -49 */, + UNSUPPORTED_EC_FIELD = (-50) /* -50 */, + MISSING_NONCE = (-51) /* -51 */, + INVALID_NONCE = (-52) /* -52 */, + MISSING_MAC_LENGTH = (-53) /* -53 */, + KEY_RATE_LIMIT_EXCEEDED = (-54) /* -54 */, + CALLER_NONCE_PROHIBITED = (-55) /* -55 */, + KEY_MAX_OPS_EXCEEDED = (-56) /* -56 */, + INVALID_MAC_LENGTH = (-57) /* -57 */, + MISSING_MIN_MAC_LENGTH = (-58) /* -58 */, + UNSUPPORTED_MIN_MAC_LENGTH = (-59) /* -59 */, + UNSUPPORTED_KDF = (-60) /* -60 */, + UNSUPPORTED_EC_CURVE = (-61) /* -61 */, + KEY_REQUIRES_UPGRADE = (-62) /* -62 */, + ATTESTATION_CHALLENGE_MISSING = (-63) /* -63 */, + KEYMINT_NOT_CONFIGURED = (-64) /* -64 */, + ATTESTATION_APPLICATION_ID_MISSING = (-65) /* -65 */, + CANNOT_ATTEST_IDS = (-66) /* -66 */, + ROLLBACK_RESISTANCE_UNAVAILABLE = (-67) /* -67 */, + HARDWARE_TYPE_UNAVAILABLE = (-68) /* -68 */, + PROOF_OF_PRESENCE_REQUIRED = (-69) /* -69 */, + CONCURRENT_PROOF_OF_PRESENCE_REQUESTED = (-70) /* -70 */, + NO_USER_CONFIRMATION = (-71) /* -71 */, + DEVICE_LOCKED = (-72) /* -72 */, + EARLY_BOOT_ENDED = (-73) /* -73 */, + 
ATTESTATION_KEYS_NOT_PROVISIONED = (-74) /* -74 */, + ATTESTATION_IDS_NOT_PROVISIONED = (-75) /* -75 */, + INVALID_OPERATION = (-76) /* -76 */, + STORAGE_KEY_UNSUPPORTED = (-77) /* -77 */, + INCOMPATIBLE_MGF_DIGEST = (-78) /* -78 */, + UNSUPPORTED_MGF_DIGEST = (-79) /* -79 */, + MISSING_NOT_BEFORE = (-80) /* -80 */, + MISSING_NOT_AFTER = (-81) /* -81 */, + MISSING_ISSUER_SUBJECT = (-82) /* -82 */, + INVALID_ISSUER_SUBJECT = (-83) /* -83 */, + BOOT_LEVEL_EXCEEDED = (-84) /* -84 */, + HARDWARE_NOT_YET_AVAILABLE = (-85) /* -85 */, + MODULE_HASH_ALREADY_SET = (-86) /* -86 */, + UNIMPLEMENTED = (-100) /* -100 */, + VERSION_MISMATCH = (-101) /* -101 */, + UNKNOWN_ERROR = (-1000) /* -1000 */, } diff --git a/security/keymint/aidl/aidl_api/android.hardware.security.keymint/current/android/hardware/security/keymint/HardwareAuthenticatorType.aidl b/security/keymint/aidl/aidl_api/android.hardware.security.keymint/current/android/hardware/security/keymint/HardwareAuthenticatorType.aidl index dfc98f0066..eb4f6215b7 100644 --- a/security/keymint/aidl/aidl_api/android.hardware.security.keymint/current/android/hardware/security/keymint/HardwareAuthenticatorType.aidl +++ b/security/keymint/aidl/aidl_api/android.hardware.security.keymint/current/android/hardware/security/keymint/HardwareAuthenticatorType.aidl @@ -36,7 +36,7 @@ package android.hardware.security.keymint; @Backing(type="int") @VintfStability enum HardwareAuthenticatorType { NONE = 0, - PASSWORD = 1, - FINGERPRINT = 2, - ANY = -1, + PASSWORD = (1 << 0) /* 1 */, + FINGERPRINT = (1 << 1) /* 2 */, + ANY = 0xFFFFFFFF, } diff --git a/security/keymint/aidl/aidl_api/android.hardware.security.keymint/current/android/hardware/security/keymint/IKeyMintDevice.aidl b/security/keymint/aidl/aidl_api/android.hardware.security.keymint/current/android/hardware/security/keymint/IKeyMintDevice.aidl index dcc22c4ba7..2945dab100 100644 
--- a/security/keymint/aidl/aidl_api/android.hardware.security.keymint/current/android/hardware/security/keymint/IKeyMintDevice.aidl +++ b/security/keymint/aidl/aidl_api/android.hardware.security.keymint/current/android/hardware/security/keymint/IKeyMintDevice.aidl @@ -52,5 +52,6 @@ interface IKeyMintDevice { byte[16] getRootOfTrustChallenge(); byte[] getRootOfTrust(in byte[16] challenge); void sendRootOfTrust(in byte[] rootOfTrust); + void setAdditionalAttestationInfo(in android.hardware.security.keymint.KeyParameter[] info); const int AUTH_TOKEN_MAC_LENGTH = 32; } diff --git a/security/keymint/aidl/aidl_api/android.hardware.security.keymint/current/android/hardware/security/keymint/Tag.aidl b/security/keymint/aidl/aidl_api/android.hardware.security.keymint/current/android/hardware/security/keymint/Tag.aidl index 6ae2369fbf..79341ee2ad 100644 --- a/security/keymint/aidl/aidl_api/android.hardware.security.keymint/current/android/hardware/security/keymint/Tag.aidl +++ b/security/keymint/aidl/aidl_api/android.hardware.security.keymint/current/android/hardware/security/keymint/Tag.aidl 
@@ -36,69 +36,70 @@ package android.hardware.security.keymint; @Backing(type="int") @VintfStability enum Tag { INVALID = 0, - PURPOSE = 536870913, - ALGORITHM = 268435458, - KEY_SIZE = 805306371, - BLOCK_MODE = 536870916, - DIGEST = 536870917, - PADDING = 536870918, - CALLER_NONCE = 1879048199, - MIN_MAC_LENGTH = 805306376, - EC_CURVE = 268435466, - RSA_PUBLIC_EXPONENT = 1342177480, - INCLUDE_UNIQUE_ID = 1879048394, - RSA_OAEP_MGF_DIGEST = 536871115, - BOOTLOADER_ONLY = 1879048494, - ROLLBACK_RESISTANCE = 1879048495, - HARDWARE_TYPE = 268435760, - EARLY_BOOT_ONLY = 1879048497, - ACTIVE_DATETIME = 1610613136, - ORIGINATION_EXPIRE_DATETIME = 1610613137, - USAGE_EXPIRE_DATETIME = 1610613138, - MIN_SECONDS_BETWEEN_OPS = 805306771, - MAX_USES_PER_BOOT = 805306772, - USAGE_COUNT_LIMIT = 805306773, - USER_ID = 805306869, - USER_SECURE_ID = -1610612234, - NO_AUTH_REQUIRED = 1879048695, - USER_AUTH_TYPE = 268435960, - AUTH_TIMEOUT = 805306873, - ALLOW_WHILE_ON_BODY = 1879048698, - TRUSTED_USER_PRESENCE_REQUIRED = 1879048699, - TRUSTED_CONFIRMATION_REQUIRED = 1879048700, - UNLOCKED_DEVICE_REQUIRED = 1879048701, - APPLICATION_ID = -1879047591, - APPLICATION_DATA = -1879047492, - CREATION_DATETIME = 1610613437, - ORIGIN = 268436158, - ROOT_OF_TRUST = -1879047488, - OS_VERSION = 805307073, - OS_PATCHLEVEL = 805307074, - UNIQUE_ID = -1879047485, - ATTESTATION_CHALLENGE = -1879047484, - ATTESTATION_APPLICATION_ID = -1879047483, - ATTESTATION_ID_BRAND = -1879047482, - ATTESTATION_ID_DEVICE = -1879047481, - ATTESTATION_ID_PRODUCT = -1879047480, - ATTESTATION_ID_SERIAL = -1879047479, - ATTESTATION_ID_IMEI = -1879047478, - ATTESTATION_ID_MEID = -1879047477, - ATTESTATION_ID_MANUFACTURER = -1879047476, - ATTESTATION_ID_MODEL = -1879047475, - VENDOR_PATCHLEVEL = 805307086, - BOOT_PATCHLEVEL = 805307087, - DEVICE_UNIQUE_ATTESTATION = 1879048912, - IDENTITY_CREDENTIAL_KEY = 1879048913, - STORAGE_KEY = 1879048914, - ATTESTATION_ID_SECOND_IMEI = -1879047469, - ASSOCIATED_DATA = 
-1879047192, - NONCE = -1879047191, - MAC_LENGTH = 805307371, - RESET_SINCE_ID_ROTATION = 1879049196, - CONFIRMATION_TOKEN = -1879047187, - CERTIFICATE_SERIAL = -2147482642, - CERTIFICATE_SUBJECT = -1879047185, - CERTIFICATE_NOT_BEFORE = 1610613744, - CERTIFICATE_NOT_AFTER = 1610613745, - MAX_BOOT_LEVEL = 805307378, + PURPOSE = (android.hardware.security.keymint.TagType.ENUM_REP | 1) /* 536870913 */, + ALGORITHM = (android.hardware.security.keymint.TagType.ENUM | 2) /* 268435458 */, + KEY_SIZE = (android.hardware.security.keymint.TagType.UINT | 3) /* 805306371 */, + BLOCK_MODE = (android.hardware.security.keymint.TagType.ENUM_REP | 4) /* 536870916 */, + DIGEST = (android.hardware.security.keymint.TagType.ENUM_REP | 5) /* 536870917 */, + PADDING = (android.hardware.security.keymint.TagType.ENUM_REP | 6) /* 536870918 */, + CALLER_NONCE = (android.hardware.security.keymint.TagType.BOOL | 7) /* 1879048199 */, + MIN_MAC_LENGTH = (android.hardware.security.keymint.TagType.UINT | 8) /* 805306376 */, + EC_CURVE = (android.hardware.security.keymint.TagType.ENUM | 10) /* 268435466 */, + RSA_PUBLIC_EXPONENT = (android.hardware.security.keymint.TagType.ULONG | 200) /* 1342177480 */, + INCLUDE_UNIQUE_ID = (android.hardware.security.keymint.TagType.BOOL | 202) /* 1879048394 */, + RSA_OAEP_MGF_DIGEST = (android.hardware.security.keymint.TagType.ENUM_REP | 203) /* 536871115 */, + BOOTLOADER_ONLY = (android.hardware.security.keymint.TagType.BOOL | 302) /* 1879048494 */, + ROLLBACK_RESISTANCE = (android.hardware.security.keymint.TagType.BOOL | 303) /* 1879048495 */, + HARDWARE_TYPE = (android.hardware.security.keymint.TagType.ENUM | 304) /* 268435760 */, + EARLY_BOOT_ONLY = (android.hardware.security.keymint.TagType.BOOL | 305) /* 1879048497 */, + ACTIVE_DATETIME = (android.hardware.security.keymint.TagType.DATE | 400) /* 1610613136 */, + ORIGINATION_EXPIRE_DATETIME = (android.hardware.security.keymint.TagType.DATE | 401) /* 1610613137 */, + USAGE_EXPIRE_DATETIME = 
(android.hardware.security.keymint.TagType.DATE | 402) /* 1610613138 */, + MIN_SECONDS_BETWEEN_OPS = (android.hardware.security.keymint.TagType.UINT | 403) /* 805306771 */, + MAX_USES_PER_BOOT = (android.hardware.security.keymint.TagType.UINT | 404) /* 805306772 */, + USAGE_COUNT_LIMIT = (android.hardware.security.keymint.TagType.UINT | 405) /* 805306773 */, + USER_ID = (android.hardware.security.keymint.TagType.UINT | 501) /* 805306869 */, + USER_SECURE_ID = (android.hardware.security.keymint.TagType.ULONG_REP | 502) /* -1610612234 */, + NO_AUTH_REQUIRED = (android.hardware.security.keymint.TagType.BOOL | 503) /* 1879048695 */, + USER_AUTH_TYPE = (android.hardware.security.keymint.TagType.ENUM | 504) /* 268435960 */, + AUTH_TIMEOUT = (android.hardware.security.keymint.TagType.UINT | 505) /* 805306873 */, + ALLOW_WHILE_ON_BODY = (android.hardware.security.keymint.TagType.BOOL | 506) /* 1879048698 */, + TRUSTED_USER_PRESENCE_REQUIRED = (android.hardware.security.keymint.TagType.BOOL | 507) /* 1879048699 */, + TRUSTED_CONFIRMATION_REQUIRED = (android.hardware.security.keymint.TagType.BOOL | 508) /* 1879048700 */, + UNLOCKED_DEVICE_REQUIRED = (android.hardware.security.keymint.TagType.BOOL | 509) /* 1879048701 */, + APPLICATION_ID = (android.hardware.security.keymint.TagType.BYTES | 601) /* -1879047591 */, + APPLICATION_DATA = (android.hardware.security.keymint.TagType.BYTES | 700) /* -1879047492 */, + CREATION_DATETIME = (android.hardware.security.keymint.TagType.DATE | 701) /* 1610613437 */, + ORIGIN = (android.hardware.security.keymint.TagType.ENUM | 702) /* 268436158 */, + ROOT_OF_TRUST = (android.hardware.security.keymint.TagType.BYTES | 704) /* -1879047488 */, + OS_VERSION = (android.hardware.security.keymint.TagType.UINT | 705) /* 805307073 */, + OS_PATCHLEVEL = (android.hardware.security.keymint.TagType.UINT | 706) /* 805307074 */, + UNIQUE_ID = (android.hardware.security.keymint.TagType.BYTES | 707) /* -1879047485 */, + ATTESTATION_CHALLENGE = 
(android.hardware.security.keymint.TagType.BYTES | 708) /* -1879047484 */, + ATTESTATION_APPLICATION_ID = (android.hardware.security.keymint.TagType.BYTES | 709) /* -1879047483 */, + ATTESTATION_ID_BRAND = (android.hardware.security.keymint.TagType.BYTES | 710) /* -1879047482 */, + ATTESTATION_ID_DEVICE = (android.hardware.security.keymint.TagType.BYTES | 711) /* -1879047481 */, + ATTESTATION_ID_PRODUCT = (android.hardware.security.keymint.TagType.BYTES | 712) /* -1879047480 */, + ATTESTATION_ID_SERIAL = (android.hardware.security.keymint.TagType.BYTES | 713) /* -1879047479 */, + ATTESTATION_ID_IMEI = (android.hardware.security.keymint.TagType.BYTES | 714) /* -1879047478 */, + ATTESTATION_ID_MEID = (android.hardware.security.keymint.TagType.BYTES | 715) /* -1879047477 */, + ATTESTATION_ID_MANUFACTURER = (android.hardware.security.keymint.TagType.BYTES | 716) /* -1879047476 */, + ATTESTATION_ID_MODEL = (android.hardware.security.keymint.TagType.BYTES | 717) /* -1879047475 */, + VENDOR_PATCHLEVEL = (android.hardware.security.keymint.TagType.UINT | 718) /* 805307086 */, + BOOT_PATCHLEVEL = (android.hardware.security.keymint.TagType.UINT | 719) /* 805307087 */, + DEVICE_UNIQUE_ATTESTATION = (android.hardware.security.keymint.TagType.BOOL | 720) /* 1879048912 */, + IDENTITY_CREDENTIAL_KEY = (android.hardware.security.keymint.TagType.BOOL | 721) /* 1879048913 */, + STORAGE_KEY = (android.hardware.security.keymint.TagType.BOOL | 722) /* 1879048914 */, + ATTESTATION_ID_SECOND_IMEI = (android.hardware.security.keymint.TagType.BYTES | 723) /* -1879047469 */, + MODULE_HASH = (android.hardware.security.keymint.TagType.BYTES | 724) /* -1879047468 */, + ASSOCIATED_DATA = (android.hardware.security.keymint.TagType.BYTES | 1000) /* -1879047192 */, + NONCE = (android.hardware.security.keymint.TagType.BYTES | 1001) /* -1879047191 */, + MAC_LENGTH = (android.hardware.security.keymint.TagType.UINT | 1003) /* 805307371 */, + RESET_SINCE_ID_ROTATION = 
(android.hardware.security.keymint.TagType.BOOL | 1004) /* 1879049196 */, + CONFIRMATION_TOKEN = (android.hardware.security.keymint.TagType.BYTES | 1005) /* -1879047187 */, + CERTIFICATE_SERIAL = (android.hardware.security.keymint.TagType.BIGNUM | 1006) /* -2147482642 */, + CERTIFICATE_SUBJECT = (android.hardware.security.keymint.TagType.BYTES | 1007) /* -1879047185 */, + CERTIFICATE_NOT_BEFORE = (android.hardware.security.keymint.TagType.DATE | 1008) /* 1610613744 */, + CERTIFICATE_NOT_AFTER = (android.hardware.security.keymint.TagType.DATE | 1009) /* 1610613745 */, + MAX_BOOT_LEVEL = (android.hardware.security.keymint.TagType.UINT | 1010) /* 805307378 */, } diff --git a/security/keymint/aidl/aidl_api/android.hardware.security.keymint/current/android/hardware/security/keymint/TagType.aidl b/security/keymint/aidl/aidl_api/android.hardware.security.keymint/current/android/hardware/security/keymint/TagType.aidl index a7d1de5fd4..ca19e7ee27 100644 --- a/security/keymint/aidl/aidl_api/android.hardware.security.keymint/current/android/hardware/security/keymint/TagType.aidl +++ b/security/keymint/aidl/aidl_api/android.hardware.security.keymint/current/android/hardware/security/keymint/TagType.aidl 
@@ -35,15 +35,15 @@ package android.hardware.security.keymint; /* @hide */ @Backing(type="int") @VintfStability enum TagType { - INVALID = 0, - ENUM = 268435456, - ENUM_REP = 536870912, - UINT = 805306368, - UINT_REP = 1073741824, - ULONG = 1342177280, - DATE = 1610612736, - BOOL = 1879048192, - BIGNUM = -2147483648, - BYTES = -1879048192, - ULONG_REP = -1610612736, + INVALID = (0 << 28) /* 0 */, + ENUM = (1 << 28) /* 268435456 */, + ENUM_REP = (2 << 28) /* 536870912 */, + UINT = (3 << 28) /* 805306368 */, + UINT_REP = (4 << 28) /* 1073741824 */, + ULONG = (5 << 28) /* 1342177280 */, + DATE = (6 << 28) /* 1610612736 */, + BOOL = (7 << 28) /* 1879048192 */, + BIGNUM = (8 << 28) /* -2147483648 */, + BYTES = (9 << 28) /* -1879048192 */, + ULONG_REP = (10 << 28) /* -1610612736 */, } diff --git a/security/keymint/aidl/android/hardware/security/keymint/ErrorCode.aidl b/security/keymint/aidl/android/hardware/security/keymint/ErrorCode.aidl index 137e6b6387..72fa773676 100644 --- a/security/keymint/aidl/android/hardware/security/keymint/ErrorCode.aidl +++ b/security/keymint/aidl/android/hardware/security/keymint/ErrorCode.aidl @@ -108,6 +108,7 @@ enum ErrorCode { INVALID_ISSUER_SUBJECT = -83, BOOT_LEVEL_EXCEEDED = -84, HARDWARE_NOT_YET_AVAILABLE = -85, + MODULE_HASH_ALREADY_SET = -86, UNIMPLEMENTED = -100, VERSION_MISMATCH = -101, diff --git a/security/keymint/aidl/android/hardware/security/keymint/IKeyMintDevice.aidl b/security/keymint/aidl/android/hardware/security/keymint/IKeyMintDevice.aidl index 4ebafee126..e8eed7174c 100644 --- a/security/keymint/aidl/android/hardware/security/keymint/IKeyMintDevice.aidl +++ b/security/keymint/aidl/android/hardware/security/keymint/IKeyMintDevice.aidl 
@@ -959,4 +959,17 @@ interface IKeyMintDevice { * not implemented. TEE KeyMint implementations must return ErrorCode::UNIMPLEMENTED. */ void sendRootOfTrust(in byte[] rootOfTrust); + + /** + * Called by Android to deliver additional attestation information to the IKeyMintDevice. + * + * IKeyMintDevice must ignore KeyParameters with tags not included in the following list: + * + * o Tag::MODULE_HASH: holds a hash that must be included in attestations in the moduleHash + * field of the software enforced authorization list. If Tag::MODULE_HASH is included in more + * than one setAdditionalAttestationInfo call, the implementation should compare the initial + * KeyParamValue with the more recent one. If they differ, the implementation should fail with + * ErrorCode::MODULE_HASH_ALREADY_SET. If they are the same, no action needs to be taken. + */ + void setAdditionalAttestationInfo(in KeyParameter[] info); } diff --git a/security/keymint/aidl/android/hardware/security/keymint/Tag.aidl b/security/keymint/aidl/android/hardware/security/keymint/Tag.aidl index 996e4e3479..e56c19307b 100644 --- a/security/keymint/aidl/android/hardware/security/keymint/Tag.aidl +++ b/security/keymint/aidl/android/hardware/security/keymint/Tag.aidl @@ -900,6 +900,17 @@ enum Tag { */ ATTESTATION_ID_SECOND_IMEI = TagType.BYTES | 723, + /** + * Tag::MODULE_HASH specifies the SHA-256 hash of the DER-encoded module information (see + * KeyCreationResult.aidl for the ASN.1 schema). + * + * This tag is never provided or returned from KeyMint in the key characteristics. It exists + * only to define the tag for use in the attestation record. + * + * Must never appear in KeyCharacteristics. + */ + MODULE_HASH = TagType.BYTES | 724, + /** * OBSOLETE: Do not use. * diff --git a/security/keymint/aidl/default/android.hardware.hardware_keystore.xml b/security/keymint/aidl/default/android.hardware.hardware_keystore.xml index 4c755969e7..1ab21336d3 100644 
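Review bot: The set-once rule for Tag::MODULE_HASH in the new setAdditionalAttestationInfo comment is only advisory: `the implementation should compare` and `should fail with ErrorCode::MODULE_HASH_ALREADY_SET` let a conforming implementation accept a second, different hash, and that value is what ends up in attestations. I would make it normative, e.g. `the implementation must compare the initial KeyParamValue with the more recent one. If they differ, the implementation must fail with ErrorCode::MODULE_HASH_ALREADY_SET and keep the initial value.` The comment also leaves open what to return for a MODULE_HASH value that is not 32 bytes (Tag.aidl describes it as a SHA-256 hash), how long the stored value lasts, and whether StrongBox implementations are expected to support the call, the way the sendRootOfTrust comment above it spells out TEE behaviour; a sentence on each would help implementers. The interface body starts outside this hunk.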
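Review bot: The MODULE_HASH comment in Tag.aidl says the tag `is never provided or returned from KeyMint in the key characteristics`, but it does not say what an implementation must do when a caller passes Tag::MODULE_HASH in key generation or import parameters, nor that the intended input path is IKeyMintDevice::setAdditionalAttestationInfo. Since the value is copied into attestations, I would add a line such as `Implementations must not take this value from key generation or import parameters; it is delivered only via IKeyMintDevice::setAdditionalAttestationInfo.`, with the exact wording confirmed against the intended behaviour. The comment also refers to KeyCreationResult.aidl for the ASN.1 schema, while that file is not in this patch's diffstat, so the moduleHash field is not defined by this change as far as the page shows. The enum body starts and ends outside the hunk.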
--- a/security/keymint/aidl/default/android.hardware.hardware_keystore.xml +++ b/security/keymint/aidl/default/android.hardware.hardware_keystore.xml @@ -14,5 +14,5 @@ limitations under the License. --> - + diff --git a/security/keymint/aidl/default/android.hardware.security.keymint-service.xml b/security/keymint/aidl/default/android.hardware.security.keymint-service.xml index 0568ae6436..6bdd33ebfd 100644 --- a/security/keymint/aidl/default/android.hardware.security.keymint-service.xml +++ b/security/keymint/aidl/default/android.hardware.security.keymint-service.xml @@ -1,7 +1,7 @@ android.hardware.security.keymint - 3 + 4 IKeyMintDevice/default