Merge "Remove Secure Storage AIDL tamper and A/B update" into main am: 5102a37278

Original change: https://android-review.googlesource.com/c/platform/hardware/interfaces/+/3076064

Change-Id: I5569c0de7fb60ce5fd960d050789bb42f3f887ec
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>

staging/security/see/storage/aidl/android/hardware/security/see/storage/Availability.aidl

@@ -16,7 +16,7 @@
 package android.hardware.security.see.storage;
 
 /** Determines how early during the boot process file is able to be accessed. */
-enum FileAvailability {
+enum Availability {
     /** Available before userdata is mounted, but after android has booted. */
     BEFORE_USERDATA,
 

staging/security/see/storage/aidl/android/hardware/security/see/storage/DeleteOptions.aidl

@@ -1,37 +0,0 @@
-/*
- * Copyright 2024 The Android Open Source Project
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- *      http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-package android.hardware.security.see.storage;
-
-import android.hardware.security.see.storage.ReadIntegrity;
-
-parcelable DeleteOptions {
-    /**
-     * Set to acknowledge possible files tampering.
-     *
-     * If unacknowledged tampering is detected, the operation will fail with an ERR_FS_*
-     * service-specific code.
-     */
-    ReadIntegrity readIntegrity = ReadIntegrity.NO_TAMPER;
-
-    /**
-     * Allow writes to succeed while the filesystem is in the middle of an A/B update.
-     *
-     * If the A/B update fails, the operation will be rolled back. This rollback will not
-     * cause subsequent operations fail with any ERR_FS_* code nor will need to be
-     * acknowledged by setting the `readIntegrity`.
-     */
-    boolean allowWritesDuringAbUpdate = false;
-}

staging/security/see/storage/aidl/android/hardware/security/see/storage/Filesystem.aidl

@@ -15,13 +15,19 @@
  */
 package android.hardware.security.see.storage;
 
-import android.hardware.security.see.storage.FileAvailability;
-import android.hardware.security.see.storage.FileIntegrity;
+import android.hardware.security.see.storage.Availability;
+import android.hardware.security.see.storage.Integrity;
 
-parcelable FileProperties {
-    FileIntegrity integrity = FileIntegrity.TAMPER_PROOF_AT_REST;
-    FileAvailability availability = FileAvailability.BEFORE_USERDATA;
+/**
+ * Specifies minimum security requirements for a Secure Storage filesystem.
+ */
+parcelable Filesystem {
+    Integrity integrity = Integrity.TAMPER_PROOF_AT_REST;
+    Availability availability = Availability.BEFORE_USERDATA;
 
-    /** Whether the file is reset when user data is wiped. */
+    /**
+     * Whether the file is reset on factory resets. Factory resets will not be reported as
+     * tampering.
+     */
     boolean persistent;
 }

staging/security/see/storage/aidl/android/hardware/security/see/storage/IDir.aidl

@@ -26,15 +26,15 @@ interface IDir {
      *
      * @maxCount:
      *     the maximum number of filenames to return. A @maxCount of 0 signifies no limit on the
-     * number of filenames returned.
+     *     number of filenames returned.
      *
      * Returns:
      *     An ordered list of filenames. If @maxCount > 0, the length of the returned list will be
-     * less than or equal to @maxCount.
+     *     less than or equal to @maxCount.
      *
      * May return service-specific errors:
-     *   - ERR_FS_* if the filesystem has been tampered with in a way that the `readIntegrity` the
-     *       dir was opened with does not acknowledge
+     *   - ERR_FS_* if the filesystem has been tampered with in a way that the session did not
+     *       acknowledge
      */
     @utf8InCpp String[] readNextFilenames(int maxCount);
 }

staging/security/see/storage/aidl/android/hardware/security/see/storage/IFile.aidl

@@ -32,8 +32,8 @@ interface IFile {
      *     the sequence of bytes at [offset, offset + size) in the file
      *
      * May return service-specific errors:
-     *   - ERR_FS_* if the filesystem has been tampered with in a way that the `readIntegrity` the
-     *       file was opened with does not acknowledge
+     *   - ERR_FS_* if the filesystem has been tampered with in a way that the session did not
+     *       acknowledge
      */
     byte[] read(long size, long offset);
 
@@ -47,8 +47,8 @@ interface IFile {
      *     the number of bytes written successfully
      *
      * May return service-specific errors:
-     *   - ERR_FS_* if the filesystem has been tampered with in a way that the `readIntegrity` the
-     *       file was opened with does not acknowledge
+     *   - ERR_FS_* if the filesystem has been tampered with in a way that the session did not
+     *       acknowledge
      */
     long write(long offset, in byte[] buffer);
 
@@ -56,8 +56,8 @@ interface IFile {
      * Reads this file's size.
      *
      * May return service-specific errors:
-     *   - ERR_FS_* if the filesystem has been tampered with in a way that the `readIntegrity` the
-     *       file was opened with does not acknowledge
+     *   - ERR_FS_* if the filesystem has been tampered with in a way that the session did not
+     *       acknowledge
      */
     long getSize();
 
@@ -71,8 +71,8 @@ interface IFile {
      *     the file's new size
      *
      * May return service-specific errors:
-     *   - ERR_FS_* if the filesystem has been tampered with in a way that the `readIntegrity` the
-     *       file was opened with does not acknowledge
+     *   - ERR_FS_* if the filesystem has been tampered with in a way that the session did not
+     *       acknowledge
      */
     void setSize(long newSize);
 
@@ -88,8 +88,8 @@ interface IFile {
      *   - ERR_NOT_FOUND if no file exists at @destPath and @destCreateMode is `NO_CREATE`
      *   - ERR_ALREADY_EXISTS if a file already exists at @destPath and @destCreateMode is
      *       `CREATE_EXCLUSIVE`
-     *   - ERR_FS_* if the filesystem has been tampered with in a way that the `readIntegrity` the
-     *       file was opened with does not acknowledge
+     *   - ERR_FS_* if the filesystem has been tampered with in a way that the session did not
+     *       acknowledge
      */
     void rename(in @utf8InCpp String destPath, in CreationMode destCreateMode);
 }

staging/security/see/storage/aidl/android/hardware/security/see/storage/ISecureStorage.aidl

@@ -15,7 +15,7 @@
  */
 package android.hardware.security.see.storage;
 
-import android.hardware.security.see.storage.FileProperties;
+import android.hardware.security.see.storage.Filesystem;
 import android.hardware.security.see.storage.IStorageSession;
 
 /**
@@ -28,20 +28,18 @@ interface ISecureStorage {
     const int ERR_NOT_FOUND = 2;
     const int ERR_ALREADY_EXISTS = 3;
     const int ERR_BAD_TRANSACTION = 4;
-
-    const int ERR_FS_RESET = 5;
-    const int ERR_FS_ROLLED_BACK = 6;
-    const int ERR_FS_TAMPERED = 7;
+    const int ERR_AB_UPDATE_IN_PROGRESS = 5;
+    const int ERR_FS_TAMPERED = 6;
 
     /**
      * Starts a storage session for a filesystem.
      *
-     * @properties:
-     *     the minimum filesystem properties requested for the session.
+     * @filesystem:
+     *     The minimum filesystem properties requested.
      *
      * May return service-specific errors:
      *   - ERR_UNSUPPORTED_PROPERTIES if no filesystems exist which meet the minimum requested
-     * requirements
+     *       requirements
      */
-    IStorageSession startSession(in FileProperties properties);
+    IStorageSession startSession(in Filesystem filesystem);
 }

staging/security/see/storage/aidl/android/hardware/security/see/storage/IStorageSession.aidl

@@ -15,12 +15,10 @@
  */
 package android.hardware.security.see.storage;
 
-import android.hardware.security.see.storage.DeleteOptions;
+import android.hardware.security.see.storage.CreationMode;
 import android.hardware.security.see.storage.IDir;
 import android.hardware.security.see.storage.IFile;
 import android.hardware.security.see.storage.OpenOptions;
-import android.hardware.security.see.storage.ReadIntegrity;
-import android.hardware.security.see.storage.RenameOptions;
 
 /**
  * Interface for a Secure Storage session
@@ -66,8 +64,8 @@ interface IStorageSession {
      * May return service-specific errors:
      *   - ERR_NOT_FOUND
      *   - ERR_ALREADY_EXISTS
-     *   - ERR_FS_* if the filesystem has been tampered with in a way that @options.readIntegrity
-     *       does not acknowledge
+     *   - ERR_FS_* if the filesystem has been tampered with in a way that the session did not
+     *       acknowledge
      */
     IFile openFile(in @utf8InCpp String filePath, in OpenOptions options);
 
@@ -81,10 +79,10 @@ interface IStorageSession {
      *
      * May return service-specific errors:
      *   - ERR_NOT_FOUND
-     *   - ERR_FS_* if the filesystem has been tampered with in a way that @options.readIntegrity
-     *       does not acknowledge
+     *   - ERR_FS_* if the filesystem has been tampered with in a way that the session did not
+     *       acknowledge
      */
-    void deleteFile(in @utf8InCpp String filePath, in DeleteOptions options);
+    void deleteFile(in @utf8InCpp String filePath);
 
     /**
      * Renames an existing file.
@@ -95,19 +93,19 @@ interface IStorageSession {
      *     path to the file, relative to filesystem root
      * @destPath:
      *     the file's new path, relative to filesystem root
-     * @options:
-     *     options controlling rename behavior
+     * @destCreateMode:
+     *     creation behavior for the dest file
      *
      * May return service-specific errors:
-     *   - ERR_NOT_FOUND if no file exists at @currentPath, or if @options.destCreateMode is
-     *       `NO_CREATE` and no file exists at @destPath
-     *   - ERR_ALREADY_EXISTS if @options.destCreateMode is `CREATE_EXCLUSIVE` and a file exists at
+     *   - ERR_NOT_FOUND if no file exists at @currentPath, or if @destCreateMode is `NO_CREATE` and
+     *       no file exists at @destPath
+     *   - ERR_ALREADY_EXISTS if @destCreateMode is `CREATE_EXCLUSIVE` and a file exists at
      *       @destPath
-     *   - ERR_FS_* if the filesystem has been tampered with in a way that @options.readIntegrity
-     *       does not acknowledge
+     *   - ERR_FS_* if the filesystem has been tampered with in a way that the session did not
+     *       acknowledge
      */
     void renameFile(in @utf8InCpp String currentPath, in @utf8InCpp String destPath,
-            in RenameOptions options);
+            in CreationMode destCreateMode);
 
     /**
      * Opens a directory from a filesystem with the given properties.
@@ -116,14 +114,11 @@ interface IStorageSession {
      *
      * @path:
      *     path to the directory, relative to filesystem root
-     * @readIntegrity:
-     *     allow opening (and subsequent read/write operations) despite possible tampering for the
-     * directory
      *
      * May return service-specific errors:
      *   - ERR_NOT_FOUND
-     *   - ERR_FS_* if the filesystem has been tampered with in a way that @readIntegrity does not
+     *   - ERR_FS_* if the filesystem has been tampered with in a way that the session did not
      *       acknowledge
      */
-    IDir openDir(in @utf8InCpp String path, in ReadIntegrity readIntegrity);
+    IDir openDir(in @utf8InCpp String path);
 }

staging/security/see/storage/aidl/android/hardware/security/see/storage/Integrity.aidl

@@ -15,7 +15,7 @@
  */
 package android.hardware.security.see.storage;
 
-enum FileIntegrity {
+enum Integrity {
     /** REE may prevent operations, but cannot alter data once written. */
     TAMPER_PROOF_AT_REST,
 
@@ -24,10 +24,4 @@ enum FileIntegrity {
      * an error on read.
      */
     TAMPER_DETECT,
-
-    /**
-     * REE may alter written data. Changes other than full filesystem resets will be detected and
-     * reported.
-     */
-    TAMPER_DETECT_IGNORE_RESET,
 }

staging/security/see/storage/aidl/android/hardware/security/see/storage/OpenOptions.aidl

@@ -17,7 +17,6 @@ package android.hardware.security.see.storage;
 
 import android.hardware.security.see.storage.CreationMode;
 import android.hardware.security.see.storage.FileMode;
-import android.hardware.security.see.storage.ReadIntegrity;
 
 parcelable OpenOptions {
     /** Controls creation behavior of the to-be-opened file. See `CreationMode` docs for details. */
@@ -26,26 +25,9 @@ parcelable OpenOptions {
     /** Controls access behavior of the to-be-opened file. See `FileMode` docs for details. */
     FileMode accessMode = FileMode.READ_WRITE;
 
-    /**
-     * Set to acknowledge possible files tampering.
-     *
-     * If unacknowledged tampering is detected, the operation will fail with an ERR_FS_*
-     * service-specific code.
-     */
-    ReadIntegrity readIntegrity = ReadIntegrity.NO_TAMPER;
-
     /**
      * If this file already exists, discard existing content and open
      * it as a new file. No semantic change if the file does not exist.
      */
     boolean truncateOnOpen;
-
-    /**
-     * Allow writes to succeed while the filesystem is in the middle of an A/B update.
-     *
-     * If the A/B update fails, the operation will be rolled back. This rollback will not
-     * cause subsequent operations fail with any ERR_FS_* code nor will need to be
-     * acknowledged by setting the `readIntegrity`.
-     */
-    boolean allowWritesDuringAbUpdate = false;
 }

staging/security/see/storage/aidl/android/hardware/security/see/storage/ReadIntegrity.aidl

@@ -1,41 +0,0 @@
-/*
- * Copyright 2024 The Android Open Source Project
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- *      http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-package android.hardware.security.see.storage;
-
-enum ReadIntegrity {
-    /**
-     * Return an error on reads if any REE alteration of the written data
-     * has been detected.
-     */
-    NO_TAMPER,
-
-    /**
-     * Return an error on reads if any REE alteration other than a reset
-     * has been detected.
-     */
-    IGNORE_RESET,
-
-    /**
-     * Return an error if any REE alteration other than a rollback to a
-     * valid checkpoint has been detected. (What makes a checkpoint valid is
-     * implementation defined; an implementation might take a checkpoint on its
-     * first post-factory boot. A reset is a rollback to the initial state.)
-     */
-    IGNORE_ROLLBACK,
-
-    // There's no `IGNORE_ALL` because if REE has done any alteration other
-    // than a rollback, the file contents will be known-bad data.
-}

staging/security/see/storage/aidl/android/hardware/security/see/storage/RenameOptions.aidl

@@ -1,41 +0,0 @@
-/*
- * Copyright 2024 The Android Open Source Project
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- *      http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-package android.hardware.security.see.storage;
-
-import android.hardware.security.see.storage.CreationMode;
-import android.hardware.security.see.storage.ReadIntegrity;
-
-parcelable RenameOptions {
-    /** Controls creation behavior of the dest file. See `CreationMode` docs for details. */
-    CreationMode destCreateMode = CreationMode.CREATE_EXCLUSIVE;
-
-    /**
-     * Set to acknowledge possible files tampering.
-     *
-     * If unacknowledged tampering is detected, the operation will fail with an ERR_FS_*
-     * service-specific code.
-     */
-    ReadIntegrity readIntegrity = ReadIntegrity.NO_TAMPER;
-
-    /**
-     * Allow writes to succeed while the filesystem is in the middle of an A/B update.
-     *
-     * If the A/B update fails, the operation will be rolled back. This rollback will not
-     * cause subsequent operations fail with any ERR_FS_* code nor will need to be
-     * acknowledged by setting the `readIntegrity`.
-     */
-    boolean allowWritesDuringAbUpdate = false;
-}

staging/security/see/storage/aidl/android/hardware/security/see/storage/Tamper.aidl

@@ -1,28 +0,0 @@
-/*
- * Copyright 2024 The Android Open Source Project
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- *      http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-package android.hardware.security.see.storage;
-
-/** Specifies types of REE tampering the filesystem may detect */
-enum Tamper {
-    /** REE has reset this file or the containing file system. */
-    RESET,
-
-    /** REE has rolled back this file or the containing file system to a previous state. */
-    ROLLBACK,
-
-    /** REE has made some other modification to the file. */
-    OTHER,
-}