diff --git a/security/keymint/aidl/android/hardware/security/keymint/KeyCreationResult.aidl b/security/keymint/aidl/android/hardware/security/keymint/KeyCreationResult.aidl
index 4fe3bd91c4..eb9d83de25 100644
--- a/security/keymint/aidl/android/hardware/security/keymint/KeyCreationResult.aidl
+++ b/security/keymint/aidl/android/hardware/security/keymint/KeyCreationResult.aidl
@@ -125,14 +125,25 @@ parcelable KeyCreationResult {
 * straightforward translation of the KeyMint tag/value parameter lists to ASN.1.
 *
 * KeyDescription ::= SEQUENCE {
- * attestationVersion INTEGER, # Value 400
- * attestationSecurityLevel SecurityLevel, # See below
- * keyMintVersion INTEGER, # Value 400
- * keymintSecurityLevel SecurityLevel, # See below
- * attestationChallenge OCTET_STRING, # Tag::ATTESTATION_CHALLENGE from attestParams
- * uniqueId OCTET_STRING, # Empty unless key has Tag::INCLUDE_UNIQUE_ID
- * softwareEnforced AuthorizationList, # See below
- * hardwareEnforced AuthorizationList, # See below
+ * -- attestationVersion must be 400.
+ * attestationVersion INTEGER,
+ * -- attestationSecurityLevel is the SecurityLevel of the location where the attested
+ * -- key is stored. Must match keymintSecurityLevel.
+ * attestationSecurityLevel SecurityLevel,
+ * -- keyMintVersion must be 400.
+ * keyMintVersion INTEGER,
+ * -- keyMintSecurityLevel is the SecurityLevel of the IKeyMintDevice. Must match
+ * -- attestationSecurityLevel.
+ * keyMintSecurityLevel SecurityLevel,
+ * -- attestationChallenge contains Tag::ATTESTATION_CHALLENGE from attestParams.
+ * attestationChallenge OCTET_STRING,
+ * -- uniqueId is empty unless the key has Tag::INCLUDE_UNIQUE_ID.
+ * uniqueId OCTET_STRING,
+ * -- softwareEnforced contains the authorization tags enforced by the Android system.
+ * softwareEnforced AuthorizationList,
+ * -- hardwareEnforced contains the authorization tags enforced by a secure environment
+ * -- (TEE or StrongBox).
+ * hardwareEnforced AuthorizationList,
 * }
 *
 * SecurityLevel ::= ENUMERATED {
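Review bot: The new comment on `attestationSecurityLevel` says it must match `keymintSecurityLevel`, but this same hunk renames that field to `keyMintSecurityLevel`, so the cross-reference no longer names a field in the schema; it should read `-- key is stored. Must match keyMintSecurityLevel.`. The two "Must match" statements also do not say who is bound by them. If the intent is that a relying party rejects an attestation whose two levels differ, a sentence saying so next to these fields would help verifier authors. ASN.1 field names are not part of the DER encoding, so the rename itself should not affect parsers, but any other documentation that uses the old spelling (not visible in this hunk) would need the same update.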
@@ -145,9 +156,9 @@ parcelable KeyCreationResult {
 * verifiedBootKey OCTET_STRING,
 * deviceLocked BOOLEAN,
 * verifiedBootState VerifiedBootState,
- * # verifiedBootHash must contain a SHA-256 digest of all binaries and components validated
- * # by Verified Boot. Updating any verified binary or component must cause this value to
- * # change.
+ * -- verifiedBootHash must contain a SHA-256 digest of all binaries and components
+ * -- validated by Verified Boot. Updating any verified binary or component must cause this
+ * -- value to change.
 * verifiedBootHash OCTET_STRING,
 * }
 *
@@ -158,15 +169,15 @@ parcelable KeyCreationResult {
 * Failed (3),
 * }
 *
- * # Modules contains version information for APEX modules.
- * # Note that the Modules information is DER-encoded before being hashed, which requires a
- * # specific ordering (lexicographic by encoded value) for the constituent Module entries. This
- * # ensures that the ordering of Module entries is predictable and that the resulting SHA-256
- * # hash value is identical for the same set of modules.
+ * -- Modules contains version information for APEX modules.
+ * -- Note that the Modules information is DER-encoded before being hashed, which requires a
+ * -- specific ordering (lexicographic by encoded value) for the constituent Module entries.
+ * -- This ensures that the ordering of Module entries is predictable and that the resulting
+ * -- SHA-256 hash value is identical for the same set of modules.
 * Modules ::= SET OF Module
 * Module ::= SEQUENCE {
 * packageName OCTET_STRING,
- * version INTEGER, # As determined at boot time
+ * version INTEGER, -- As determined at boot time
 * }
 *
 * -- Note that the AuthorizationList SEQUENCE is also used in IKeyMintDevice::importWrappedKey
@@ -181,11 +192,11 @@ parcelable KeyCreationResult {
 * purpose [1] EXPLICIT SET OF INTEGER OPTIONAL,
 * algorithm [2] EXPLICIT INTEGER OPTIONAL,
 * keySize [3] EXPLICIT INTEGER OPTIONAL,
- * blockMode [4] EXPLICIT SET OF INTEGER OPTIONAL, -- symmetric only
+ * blockMode [4] EXPLICIT SET OF INTEGER OPTIONAL, -- Symmetric keys only
 * digest [5] EXPLICIT SET OF INTEGER OPTIONAL,
 * padding [6] EXPLICIT SET OF INTEGER OPTIONAL,
- * callerNonce [7] EXPLICIT NULL OPTIONAL, -- symmetric only
- * minMacLength [8] EXPLICIT INTEGER OPTIONAL, -- symmetric only
+ * callerNonce [7] EXPLICIT NULL OPTIONAL, -- Symmetric keys only
+ * minMacLength [8] EXPLICIT INTEGER OPTIONAL, -- Symmetric keys only
 * ecCurve [10] EXPLICIT INTEGER OPTIONAL,
 * rsaPublicExponent [200] EXPLICIT INTEGER OPTIONAL,
 * mgfDigest [203] EXPLICIT SET OF INTEGER OPTIONAL,
@@ -195,7 +206,7 @@ parcelable KeyCreationResult {
 * originationExpireDateTime [401] EXPLICIT INTEGER OPTIONAL,
 * usageExpireDateTime [402] EXPLICIT INTEGER OPTIONAL,
 * usageCountLimit [405] EXPLICIT INTEGER OPTIONAL,
- * userSecureId [502] EXPLICIT INTEGER OPTIONAL, -- only used on import
+ * userSecureId [502] EXPLICIT INTEGER OPTIONAL, -- Only used on key import
 * noAuthRequired [503] EXPLICIT NULL OPTIONAL,
 * userAuthType [504] EXPLICIT INTEGER OPTIONAL,
 * authTimeout [505] EXPLICIT INTEGER OPTIONAL,
@@ -221,7 +232,8 @@ parcelable KeyCreationResult {
 * bootPatchLevel [719] EXPLICIT INTEGER OPTIONAL,
 * deviceUniqueAttestation [720] EXPLICIT NULL OPTIONAL,
 * attestationIdSecondImei [723] EXPLICIT OCTET_STRING OPTIONAL,
- * moduleHash [724] EXPLICIT OCTET_STRING OPTIONAL, -- SHA-256 hash of DER-encoded `Modules`
+ * -- moduleHash contains a SHA-256 hash of DER-encoded `Modules`
+ * moduleHash [724] EXPLICIT OCTET_STRING OPTIONAL,
 * }
 */
 Certificate[] certificateChain;