Add deriveKey function

Adding a function to HWCryptoKey AIDL definition to derive a key given another. This will be used with deriveDicePolicyBoundKey to create device bound keys. Bug: 284152719 Test: qemu android build Change-Id: Ie1e8552846df73325c2428471ca007fca217b675
2026-02-01 11:36:00 +00:00 · 2024-04-03 17:37:53 +00:00
parent 6a82aa921e
commit cfcdb0b4b9
2 changed files with 83 additions and 0 deletions
--- a/staging/security/see/hwcrypto/aidl/aidl_api/android.hardware.security.see/current/android/hardware/security/see/hwcrypto/IHwCryptoKey.aidl
+++ b/staging/security/see/hwcrypto/aidl/aidl_api/android.hardware.security.see/current/android/hardware/security/see/hwcrypto/IHwCryptoKey.aidl
@@ -35,6 +35,7 @@ package android.hardware.security.see.hwcrypto;
 interface IHwCryptoKey {
  android.hardware.security.see.hwcrypto.IHwCryptoKey.DiceCurrentBoundKeyResult deriveCurrentDicePolicyBoundKey();
  android.hardware.security.see.hwcrypto.IHwCryptoKey.DiceBoundKeyResult deriveDicePolicyBoundKey(in byte[] dicePolicyForKeyVersion);
+  android.hardware.security.see.hwcrypto.IHwCryptoKey.DerivedKey deriveKey(in android.hardware.security.see.hwcrypto.IHwCryptoKey.DerivedKeyParameters parameters);
  parcelable DiceCurrentBoundKeyResult {
    android.hardware.security.see.hwcrypto.IOpaqueKey diceBoundKey;
    byte[] dicePolicyForKeyVersion;
@@ -43,4 +44,20 @@ interface IHwCryptoKey {
    android.hardware.security.see.hwcrypto.IOpaqueKey diceBoundKey;
    boolean dicePolicyWasCurrent;
  }
+  parcelable ClearKeyPolicy {
+    int keySizeBytes;
+  }
+  union DerivedKeyPolicy {
+    android.hardware.security.see.hwcrypto.KeyPolicy opaqueKey;
+    android.hardware.security.see.hwcrypto.IHwCryptoKey.ClearKeyPolicy clearKey;
+  }
+  parcelable DerivedKeyParameters {
+    android.hardware.security.see.hwcrypto.IOpaqueKey derivationKey;
+    android.hardware.security.see.hwcrypto.IHwCryptoKey.DerivedKeyPolicy keyPolicy;
+    byte[] context;
+  }
+  union DerivedKey {
+    byte[] explicitKey = {};
+    android.hardware.security.see.hwcrypto.IOpaqueKey opaque;
+  }
 }
--- a/staging/security/see/hwcrypto/aidl/android/hardware/security/see/hwcrypto/IHwCryptoKey.aidl
+++ b/staging/security/see/hwcrypto/aidl/android/hardware/security/see/hwcrypto/IHwCryptoKey.aidl
@@ -54,6 +54,59 @@ interface IHwCryptoKey {
        boolean dicePolicyWasCurrent;
    }

+    parcelable ClearKeyPolicy {
+        /*
+         * Indicates the desired key size. It will be used to calculate how many bytes of key
+         * material should be returned.
+         */
+        int keySizeBytes;
+    }
+
+    union DerivedKeyPolicy {
+        /*
+         * Policy for the newly derived opaque key. Defines how the key can be used and its type.
+         */
+        KeyPolicy opaqueKey;
+
+        /*
+         * If used we will derive a clear key and pass it back as an array of bytes on
+         * <code>HwCryptoKeyMaterial::explicitKey</code>.
+         */
+        ClearKeyPolicy clearKey;
+    }
+
+    parcelable DerivedKeyParameters {
+        /*
+         * Key to be used to derive the new key using HKDF.
+         */
+        IOpaqueKey derivationKey;
+
+        /*
+         * Policy for the newly derived key. Depending on its type, either a clear or opaque key
+         * will be derived.
+         */
+        DerivedKeyPolicy keyPolicy;
+
+        /*
+         * An arbitrary set of bytes incorporated into the key derivation. May have
+         * an implementation-specific maximum length, but it is guaranteed to accept
+         * at least 32 bytes.
+         */
+        byte[] context;
+    }
+
+    union DerivedKey {
+        /*
+         * Derived key in clear format.
+         */
+        byte[] explicitKey = {};
+
+        /*
+         * Derived key as a key token to be used only through the HWCrypto service.
+         */
+        IOpaqueKey opaque;
+    }
+
    /*
     * deriveCurrentDicePolicyBoundKey() - Derives a versioned key tied to the caller's current DICE
     *                              policy. It will return this current policy back to the caller
@@ -85,4 +138,17 @@ interface IHwCryptoKey {
     *      <code>HalErrorCode</code> otherwise.
     */
    DiceBoundKeyResult deriveDicePolicyBoundKey(in byte[] dicePolicyForKeyVersion);
+
+    /*
+     * deriveKey() - Derive a new key based on the given key, policy and context.
+     *
+     * @parameters:
+     *      Parameters used for the key derivation. See <code>DerivedKeyParameters</code> on this
+     *      file for more information.
+     *
+     * Return:
+     *      Ok(HwCryptoKeyMaterial) on success, service specific error based on
+     *      <code>HalErrorCode</code> otherwise.
+     */
+    DerivedKey deriveKey(in DerivedKeyParameters parameters);
 }