From c757c1ba395dea58dd324e65cae366c1b0261a75 Mon Sep 17 00:00:00 2001
From: Satya Tangirala
Date: Fri, 5 Mar 2021 16:10:29 -0800
Subject: [PATCH] Keystore 2.0: add convertStorageKeyToEphemeral() to IKeymintDevice

Add a function convertStorageKeyToEphemeral to IKeymintDevice that vold can use to get a per-boot ephemeral key from a wrapped storage key.

Bug: 181806377
Bug: 181910578
Change-Id: I1b008423e3e24797132c8eb79ab3899e2b1c68e8
---
 .../security/keymint/IKeyMintDevice.aidl | 1 +
 .../security/keymint/IKeyMintDevice.aidl | 21 +++++++++++++++++++
 2 files changed, 22 insertions(+)

diff --git a/security/keymint/aidl/aidl_api/android.hardware.security.keymint/current/android/hardware/security/keymint/IKeyMintDevice.aidl b/security/keymint/aidl/aidl_api/android.hardware.security.keymint/current/android/hardware/security/keymint/IKeyMintDevice.aidl
index bb186694ce..1ffbf245f5 100644
--- a/security/keymint/aidl/aidl_api/android.hardware.security.keymint/current/android/hardware/security/keymint/IKeyMintDevice.aidl
+++ b/security/keymint/aidl/aidl_api/android.hardware.security.keymint/current/android/hardware/security/keymint/IKeyMintDevice.aidl
@@ -46,6 +46,7 @@ interface IKeyMintDevice { android.hardware.security.keymint.BeginResult begin(in android.hardware.security.keymint.KeyPurpose purpose, in byte[] keyBlob, in android.hardware.security.keymint.KeyParameter[] params, in android.hardware.security.keymint.HardwareAuthToken authToken); void deviceLocked(in boolean passwordOnly, in @nullable android.hardware.security.secureclock.TimeStampToken timestampToken); void earlyBootEnded(); + byte[] convertStorageKeyToEphemeral(in byte[] storageKeyBlob); byte[] performOperation(in byte[] request); const int AUTH_TOKEN_MAC_LENGTH = 32; }
diff --git a/security/keymint/aidl/android/hardware/security/keymint/IKeyMintDevice.aidl b/security/keymint/aidl/android/hardware/security/keymint/IKeyMintDevice.aidl
index 384416e692..9a4baa784f 100644
--- a/security/keymint/aidl/android/hardware/security/keymint/IKeyMintDevice.aidl
+++ b/security/keymint/aidl/android/hardware/security/keymint/IKeyMintDevice.aidl
@@ -761,6 +761,27 @@ interface IKeyMintDevice {
 */
 void earlyBootEnded();
 
+ /*
+ * Called by the client to get a wrapped per-boot ephemeral key from a wrapped storage key.
+ * Clients will then use the returned per-boot ephemeral key in place of the wrapped storage
+ * key. Whenever the hardware is presented with a per-boot ephemeral key for an operation, it
+ * must use the storage key associated with that ephemeral key to perform the requested
+ * operation.
+ *
+ * Implementations should return ErrorCode::UNIMPLEMENTED if they don't support wrapped storage
+ * keys.
+ *
+ * Implementations should return ErrorCode::INVALID_ARGUMENT (as a ServiceSpecificException)
+ * if the input key blob doesn't represent a valid long-lived wrapped storage key.
+ *
+ * @param storageKeyBlob is the wrapped storage key for which the client wants a per-boot
+ * ephemeral key
+ *
+ * @return a buffer containing the per-boot ephemeral keyblob that should henceforth be used in
+ * place of the input storageKeyBlob
+ */
+ byte[] convertStorageKeyToEphemeral(in byte[] storageKeyBlob);
+
 /**
 * Called by the client to perform a KeyMint operation.
 *
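Review bot: The new comment on `convertStorageKeyToEphemeral` calls the result a "per-boot ephemeral key" but never states what an implementation must guarantee about it, so the security contract of this HAL method is left to the reader. If the intent is what the name suggests, I would add a sentence such as `The returned key blob must only be usable until the next reboot and must not expose the underlying storage key to the caller.` The two error cases say `should return`; since these read as requirements on implementations, `must return` would be clearer, and the `UNIMPLEMENTED` case could say "(as a ServiceSpecificException)" like the `INVALID_ARGUMENT` case does. The comment also opens with `/*` while the comment that follows in the context lines opens with `/**`, so it may not be treated as documentation. The `IKeyMintDevice` interface begins and ends outside this hunk, so the conventions used by its other methods are not visible here.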