Modifying HwKey::deriveKey parameter

Changing the providede opaque key policy type to a CBOR formatted byte array. Bug: 284152719 Test: qemu android build Change-Id: I0933c69bbfa3eeee956465b34fc163ed9b638eba
2026-02-01 11:36:00 +00:00 · 2024-05-17 20:14:10 +00:00
parent 89a16d0762
commit d52788fcfc
3 changed files with 72 additions and 6 deletions
--- a/staging/security/see/hwcrypto/aidl/aidl_api/android.hardware.security.see/current/android/hardware/security/see/hwcrypto/IHwCryptoKey.aidl
+++ b/staging/security/see/hwcrypto/aidl/aidl_api/android.hardware.security.see/current/android/hardware/security/see/hwcrypto/IHwCryptoKey.aidl
@@ -58,8 +58,8 @@ interface IHwCryptoKey {
    int keySizeBytes;
  }
  union DerivedKeyPolicy {
-    android.hardware.security.see.hwcrypto.KeyPolicy opaqueKey;
    android.hardware.security.see.hwcrypto.IHwCryptoKey.ClearKeyPolicy clearKey;
+    byte[] opaqueKey;
  }
  parcelable DerivedKeyParameters {
    android.hardware.security.see.hwcrypto.IOpaqueKey derivationKey;
--- a/staging/security/see/hwcrypto/aidl/android/hardware/security/see/hwcrypto/IHwCryptoKey.aidl
+++ b/staging/security/see/hwcrypto/aidl/android/hardware/security/see/hwcrypto/IHwCryptoKey.aidl
@@ -89,16 +89,16 @@ interface IHwCryptoKey {
    }

    union DerivedKeyPolicy {
-        /*
-         * Policy for the newly derived opaque key. Defines how the key can be used and its type.
-         */
-        KeyPolicy opaqueKey;
-
        /*
         * If used we will derive a clear key and pass it back as an array of bytes on
         * <code>HwCryptoKeyMaterial::explicitKey</code>.
         */
        ClearKeyPolicy clearKey;
+
+        /*
+         * Policy for the newly derived opaque key. Defines how the key can be used and its type.
+         */
+        byte[] opaqueKey;
    }

    parcelable DerivedKeyParameters {
--- a/staging/security/see/hwcrypto/aidl/android/hardware/security/see/hwcrypto/KeyPolicy.cddl
+++ b/staging/security/see/hwcrypto/aidl/android/hardware/security/see/hwcrypto/KeyPolicy.cddl
@@ -0,0 +1,66 @@
+;
+; Copyright (C) 2024 The Android Open Source Project
+;
+; Licensed under the Apache License, Version 2.0 (the "License");
+; you may not use this file except in compliance with the License.
+; You may obtain a copy of the License at
+;
+;      http://www.apache.org/licenses/LICENSE-2.0
+;
+; Unless required by applicable law or agreed to in writing, software
+; distributed under the License is distributed on an "AS IS" BASIS,
+; WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+; See the License for the specific language governing permissions and
+; limitations under the License.
+;
+
+KeyPolicy = [
+    -65701: KeyUse,           ;usage
+    -65702: KeyLifetime       ;keyLifetime
+    -65703: KeyPermissions    ;keyPermissions
+    -65704: KeyType           ;keyType
+    -65705: bool              ;keyManagementKey
+]
+
+KeyUse = &(
+    ENCRYPT: 1,
+    DECRYPT: 2,
+    ENCRYPT_DECRYPT: ENCRYPT | DECRYPT,
+    SIGN: 4,
+    DERIVE: 8,
+    WRAP: 16,
+)
+
+KeyLifetime = &(
+    EPHEMERAL: 0,
+    HARDWARE: 1,
+    PORTABLE: 2,
+)
+
+KeyPermissions = &(
+    ALLOW_EPHEMERAL_KEY_WRAPPING: 0,
+    ALLOW_HARDWARE_KEY_WRAPPING: 1,
+    ALLOW_PORTABLE_KEY_WRAPPING: 2,
+)
+
+enum KeyType = &(
+    AES_128_CBC_NO_PADDING: 0,
+    AES_128_CBC_PKCS7_PADDING: 1,
+    AES_128_CTR: 2,
+    AES_128_GCM: 3,
+    AES_128_CMAC: 4,
+    AES_256_CBC_NO_PADDING: 5,
+    AES_256_CBC_PKCS7_PADDING: 6,
+    AES_256_CTR: 7,
+    AES_256_GCM: 8,
+    AES_256_CMAC: 9,
+    HMAC_SHA256: 10,
+    HMAC_SHA512: 11,
+    RSA2048_PSS_SHA256: 12,
+    RSA2048_PKCS1_5_SHA256: 13,
+    ECC_NIST_P256_SIGN_NO_PADDING: 14,
+    ECC_NIST_P256_SIGN_SHA256: 15,
+    ECC_NIST_P521_SIGN_NO_PADDING: 16,
+    ECC_NIST_P521_SIGN_SHA512: 17,
+    ECC_ED25519_SIGN:18,
+)