From c160ae682edb6a7bfde040d426b6abaf462c28dd Mon Sep 17 00:00:00 2001 From: Chirag Pathak Date: Mon, 7 Dec 2020 22:14:34 +0000 Subject: [PATCH] The aidl definition for Secure Clock keymint service. Test: N/A Bug: b/168673523 Change-Id: I6134d8b4ce620ecceccc0ea88a234f01e6915798 --- security/secureclock/aidl/Android.bp | 24 ++++++++ .../security/secureclock/ISecureClock.aidl | 24 ++++++++ .../security/secureclock/TimeStampToken.aidl | 26 ++++++++ .../security/secureclock/ISecureClock.aidl | 48 +++++++++++++++ .../security/secureclock/TimeStampToken.aidl | 61 +++++++++++++++++++ 5 files changed, 183 insertions(+) create mode 100644 security/secureclock/aidl/Android.bp create mode 100644 security/secureclock/aidl/aidl_api/android.hardware.security.secureclock/current/android/hardware/security/secureclock/ISecureClock.aidl create mode 100644 security/secureclock/aidl/aidl_api/android.hardware.security.secureclock/current/android/hardware/security/secureclock/TimeStampToken.aidl create mode 100644 security/secureclock/aidl/android/hardware/security/secureclock/ISecureClock.aidl create mode 100644 security/secureclock/aidl/android/hardware/security/secureclock/TimeStampToken.aidl diff --git a/security/secureclock/aidl/Android.bp b/security/secureclock/aidl/Android.bp new file mode 100644 index 0000000000..7d26a9bd58 --- /dev/null +++ b/security/secureclock/aidl/Android.bp @@ -0,0 +1,24 @@ +aidl_interface { + name: "android.hardware.security.secureclock", + vendor_available: true, + srcs: [ + "android/hardware/security/secureclock/*.aidl", + ], + stability: "vintf", + imports: [ + "android.hardware.security.keymint", + ], + backend: { + java: { + sdk_version: "module_current", + }, + ndk: { + vndk: { + enabled: true, + }, + }, + rust: { + enabled: true, + }, + }, +} diff --git a/security/secureclock/aidl/aidl_api/android.hardware.security.secureclock/current/android/hardware/security/secureclock/ISecureClock.aidl b/security/secureclock/aidl/aidl_api/android.hardware.security.secureclock/current/android/hardware/security/secureclock/ISecureClock.aidl new file mode 100644 index 0000000000..c16b312cda --- /dev/null +++ b/security/secureclock/aidl/aidl_api/android.hardware.security.secureclock/current/android/hardware/security/secureclock/ISecureClock.aidl @@ -0,0 +1,24 @@ +/////////////////////////////////////////////////////////////////////////////// +// THIS FILE IS IMMUTABLE. DO NOT EDIT IN ANY CASE. // +/////////////////////////////////////////////////////////////////////////////// + +// This file is a snapshot of an AIDL file. Do not edit it manually. There are +// two cases: +// 1). this is a frozen version file - do not edit this in any case. +// 2). this is a 'current' file. If you make a backwards compatible change to +// the interface (from the latest frozen version), the build system will +// prompt you to update this file with `m -update-api`. +// +// You must not make a backward incompatible change to any AIDL file built +// with the aidl_interface module type with versions property set. The module +// type is used to build AIDL files in a way that they can be used across +// independently updatable components of the system. If a device is shipped +// with such a backward incompatible change, it has a high risk of breaking +// later when a module using the interface is updated, e.g., Mainline modules. + +package android.hardware.security.secureclock; +@VintfStability +interface ISecureClock { + android.hardware.security.secureclock.TimeStampToken generateTimeStamp(in long challenge); + const String TIME_STAMP_MAC_LABEL = "Time Verification"; +} diff --git a/security/secureclock/aidl/aidl_api/android.hardware.security.secureclock/current/android/hardware/security/secureclock/TimeStampToken.aidl b/security/secureclock/aidl/aidl_api/android.hardware.security.secureclock/current/android/hardware/security/secureclock/TimeStampToken.aidl new file mode 100644 index 0000000000..c23ddca2c9 --- /dev/null +++ b/security/secureclock/aidl/aidl_api/android.hardware.security.secureclock/current/android/hardware/security/secureclock/TimeStampToken.aidl @@ -0,0 +1,26 @@ +/////////////////////////////////////////////////////////////////////////////// +// THIS FILE IS IMMUTABLE. DO NOT EDIT IN ANY CASE. // +/////////////////////////////////////////////////////////////////////////////// + +// This file is a snapshot of an AIDL file. Do not edit it manually. There are +// two cases: +// 1). this is a frozen version file - do not edit this in any case. +// 2). this is a 'current' file. If you make a backwards compatible change to +// the interface (from the latest frozen version), the build system will +// prompt you to update this file with `m -update-api`. +// +// You must not make a backward incompatible change to any AIDL file built +// with the aidl_interface module type with versions property set. The module +// type is used to build AIDL files in a way that they can be used across +// independently updatable components of the system. If a device is shipped +// with such a backward incompatible change, it has a high risk of breaking +// later when a module using the interface is updated, e.g., Mainline modules. + +package android.hardware.security.secureclock; +@VintfStability +parcelable TimeStampToken { + long challenge; + android.hardware.security.keymint.Timestamp timestamp; + android.hardware.security.keymint.SecurityLevel securityLevel; + byte[] mac; +} diff --git a/security/secureclock/aidl/android/hardware/security/secureclock/ISecureClock.aidl b/security/secureclock/aidl/android/hardware/security/secureclock/ISecureClock.aidl new file mode 100644 index 0000000000..7d416dda7a --- /dev/null +++ b/security/secureclock/aidl/android/hardware/security/secureclock/ISecureClock.aidl @@ -0,0 +1,48 @@ +/* + * Copyright (C) 2020 The Android Open Source Project + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * limitations under the License. + */ + +package android.hardware.security.secureclock; +import android.hardware.security.secureclock.TimeStampToken; + +/** + * Secure Clock definition. + * + * An ISecureClock provides a keymint service to generate secure timestamp using a secure platform. + * The secure time stamp contains time in milliseconds. This time stamp also contains a 256-bit MAC + * which provides integrity protection. The MAC is generated using HMAC-SHA-256 and a shared + * secret. The shared secret must be available to secure clock service by implementing + * ISharedSecret aidl. Note: ISecureClock depends on the shared secret, without which the secure + * time stamp token cannot be generated. + */ + +@VintfStability +interface ISecureClock { + /** + * String used as context in the HMAC computation signing the generated time stamp. + * See TimeStampToken.mac for details. + */ + const String TIME_STAMP_MAC_LABEL = "Time Verification"; + + /** + * Generates an authenticated timestamp. + * + * @param A challenge value provided by the relying party. It will be included in the generated + * TimeStampToken to ensure freshness. The relying service must ensure that the + * challenge cannot be specified or predicted by an attacker. + * + * @return the TimeStampToken, see the definition for details. + */ + TimeStampToken generateTimeStamp(in long challenge); +} diff --git a/security/secureclock/aidl/android/hardware/security/secureclock/TimeStampToken.aidl b/security/secureclock/aidl/android/hardware/security/secureclock/TimeStampToken.aidl new file mode 100644 index 0000000000..76a2d28780 --- /dev/null +++ b/security/secureclock/aidl/android/hardware/security/secureclock/TimeStampToken.aidl @@ -0,0 +1,61 @@ +/* + * Copyright (C) 2020 The Android Open Source Project + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package android.hardware.security.secureclock; + +import android.hardware.security.keymint.SecurityLevel; +import android.hardware.security.keymint.Timestamp; + +/** + * TimeStampToken instances are used for secure environments that requires secure time information. + */ + +@VintfStability +parcelable TimeStampToken { + /** + * The challenge that was provided as argument to ISecureClock.generateTimeStamp by the client. + */ + long challenge; + + /** + * The current time of the secure environment that generates the TimeStampToken. + */ + Timestamp timestamp; + + /** + * SecurityLevel of the secure environment that generated the token. + */ + SecurityLevel securityLevel; + + /** + * 32-byte HMAC-SHA256 of the above values, computed as: + * + * HMAC(H, + * ISecureClock.TIME_STAMP_MAC_LABEL || challenge || timestamp) + * + * where: + * + * ``ISecureClock.TIME_STAMP_MAC_LABEL'' is a sting constant defined in ISecureClock.aidl. + * + * ``H'' is the shared HMAC key (see computeSharedHmac() in ISharedHmacSecret). + * + * ``||'' represents concatenation + * + * The representation of challenge and timestamp is as 64-bit unsigned integers in big-endian + * order. securityLevel is represented as a 32-bit unsigned integer in big-endian order. + */ + byte[] mac; +}