Evolution-x/hardware_interfaces
1
0
Fork 0
mirror of https://github.com/Evolution-X/hardware_interfaces synced 2026-02-01 15:58:43 +00:00
Code Issues Packages Projects Releases Wiki Activity

Merge "KeyMint HAL: add curve 25519, bump version" am: f21e1a5c4a am: 5a63e3ea57 am: e373da49f8

Browse Source 
Original change: https://android-review.googlesource.com/c/platform/hardware/interfaces/+/1900930

Change-Id: I056c55e445fcedc90a6d238b9907225932d465aa
This commit is contained in:
David Drysdale
2021-12-13 15:34:45 +00:00
committed by Automerger Merge Worker
parent ab61ace977 e373da49f8
commit e274e87d59
7 changed files with 35 additions and 12 deletions
Download Patch File Download Diff File Expand all files Collapse all files

3
compatibility_matrices/compatibility_matrix.current.xml
View File

@@ -343,7 +343,7 @@
</hal> </hal>
<hal format="aidl" optional="true"> <hal format="aidl" optional="true">
<name>android.hardware.security.keymint</name> <name>android.hardware.security.keymint</name>
<version>1</version> <version>1-2</version>
<interface> <interface>
<name>IKeyMintDevice</name> <name>IKeyMintDevice</name>
<instance>default</instance> <instance>default</instance>
@@ -352,6 +352,7 @@
</hal> </hal>
<hal format="aidl" optional="true"> <hal format="aidl" optional="true">
<name>android.hardware.security.keymint</name> <name>android.hardware.security.keymint</name>
<version>1-2</version>
<interface> <interface>
<name>IRemotelyProvisionedComponent</name> <name>IRemotelyProvisionedComponent</name>
<instance>default</instance> <instance>default</instance>

6
security/keymint/aidl/Android.bp
View File

@@ -45,14 +45,14 @@ aidl_interface {
cc_defaults { cc_defaults {
name: "keymint_use_latest_hal_aidl_ndk_static", name: "keymint_use_latest_hal_aidl_ndk_static",
static_libs: [ static_libs: [
"android.hardware.security.keymint-V1-ndk", "android.hardware.security.keymint-V2-ndk",
], ],
} }
cc_defaults { cc_defaults {
name: "keymint_use_latest_hal_aidl_ndk_shared", name: "keymint_use_latest_hal_aidl_ndk_shared",
shared_libs: [ shared_libs: [
"android.hardware.security.keymint-V1-ndk", "android.hardware.security.keymint-V2-ndk",
], ],
} }
@@ -62,6 +62,6 @@ cc_defaults {
rust_defaults { rust_defaults {
name: "keymint_use_latest_hal_aidl_rust", name: "keymint_use_latest_hal_aidl_rust",
rustlibs: [ rustlibs: [
"android.hardware.security.keymint-V1-rust", "android.hardware.security.keymint-V2-rust",
], ],
} }

1
security/keymint/aidl/aidl_api/android.hardware.security.keymint/current/android/hardware/security/keymint/EcCurve.aidl
View File

@@ -39,4 +39,5 @@ enum EcCurve {
P_256 = 1, P_256 = 1,
P_384 = 2, P_384 = 2,
P_521 = 3, P_521 = 3,
CURVE_25519 = 4,
} }

1
security/keymint/aidl/android/hardware/security/keymint/EcCurve.aidl
View File

@@ -27,4 +27,5 @@ enum EcCurve {
P_256 = 1, P_256 = 1,
P_384 = 2, P_384 = 2,
P_521 = 3, P_521 = 3,
CURVE_25519 = 4,
} }

24
security/keymint/aidl/android/hardware/security/keymint/IKeyMintDevice.aidl
View File

@@ -93,6 +93,11 @@ import android.hardware.security.secureclock.TimeStampToken;
* P-521. STRONGBOX IKeyMintDevices must support NIST curve P-256. * P-521. STRONGBOX IKeyMintDevices must support NIST curve P-256.
* - TRUSTED_ENVIRONMENT IKeyMintDevices must support SHA1, SHA-2 224, SHA-2 256, SHA-2 * - TRUSTED_ENVIRONMENT IKeyMintDevices must support SHA1, SHA-2 224, SHA-2 256, SHA-2
* 384 and SHA-2 512 digest modes. STRONGBOX IKeyMintDevices must support SHA-2 256. * 384 and SHA-2 512 digest modes. STRONGBOX IKeyMintDevices must support SHA-2 256.
* - TRUSTED_ENVRIONMENT IKeyMintDevices must support curve 25519 for Purpose::SIGN (Ed25519,
* as specified in RFC 8032), Purpose::ATTEST_KEY (Ed25519) or for KeyPurpose::AGREE_KEY
* (X25519, as specified in RFC 7748). However, a key must have exactly one of these
* purpose values; the same key cannot be used for multiple purposes.
* STRONGBOX IKeyMintDevices do not support curve 25519.
* *
* o AES * o AES
* *
@@ -287,7 +292,7 @@ interface IKeyMintDevice {
* except AGREE_KEY must be supported for RSA keys. * except AGREE_KEY must be supported for RSA keys.
* *
* o Tag::DIGEST specifies digest algorithms that may be used with the new key. TEE * o Tag::DIGEST specifies digest algorithms that may be used with the new key. TEE
* IKeyMintDevice implementations must support all Digest values (see digest.aidl) for RSA * IKeyMintDevice implementations must support all Digest values (see Digest.aidl) for RSA
* keys. StrongBox IKeyMintDevice implementations must support SHA_2_256. * keys. StrongBox IKeyMintDevice implementations must support SHA_2_256.
* *
* o Tag::PADDING specifies the padding modes that may be used with the new * o Tag::PADDING specifies the padding modes that may be used with the new
@@ -298,13 +303,24 @@ interface IKeyMintDevice {
* == ECDSA Keys == * == ECDSA Keys ==
* *
* Tag::EC_CURVE must be provided to generate an ECDSA key. If it is not provided, generateKey * Tag::EC_CURVE must be provided to generate an ECDSA key. If it is not provided, generateKey
* must return ErrorCode::UNSUPPORTED_KEY_SIZE. TEE IKeyMintDevice implementations must support * must return ErrorCode::UNSUPPORTED_KEY_SIZE or ErrorCode::UNSUPPORTED_EC_CURVE. TEE
* all curves. StrongBox implementations must support P_256. * IKeyMintDevice implementations must support all required curves. StrongBox implementations
* must support P_256 and no other curves.
*
* Tag::CERTIFICATE_NOT_BEFORE and Tag::CERTIFICATE_NOT_AFTER must be provided to specify the * Tag::CERTIFICATE_NOT_BEFORE and Tag::CERTIFICATE_NOT_AFTER must be provided to specify the
* valid date range for the returned X.509 certificate holding the public key. If omitted, * valid date range for the returned X.509 certificate holding the public key. If omitted,
* generateKey must return ErrorCode::MISSING_NOT_BEFORE or ErrorCode::MISSING_NOT_AFTER. * generateKey must return ErrorCode::MISSING_NOT_BEFORE or ErrorCode::MISSING_NOT_AFTER.
* *
* Keys with EC_CURVE of EcCurve::CURVE_25519 must have exactly one purpose in the set
* {KeyPurpose::SIGN, KeyPurpose::ATTEST_KEY, KeyPurpose::AGREE_KEY}. Key generation with more
* than one purpose should be rejected with ErrorCode::INCOMPATIBLE_PURPOSE.
* StrongBox implementation do not support CURVE_25519.
*
* Tag::DIGEST specifies digest algorithms that may be used with the new key. TEE
* IKeyMintDevice implementations must support all Digest values (see Digest.aidl) for ECDSA
* keys; Ed25519 keys only support Digest::NONE. StrongBox IKeyMintDevice implementations must
* support SHA_2_256.
*
* == AES Keys == * == AES Keys ==
* *
* Only Tag::KEY_SIZE is required to generate an AES key. If omitted, generateKey must return * Only Tag::KEY_SIZE is required to generate an AES key. If omitted, generateKey must return

6
security/keymint/aidl/android/hardware/security/keymint/KeyFormat.aidl
View File

@@ -25,8 +25,10 @@ package android.hardware.security.keymint;
enum KeyFormat { enum KeyFormat {
/** X.509 certificate format, for public key export. */ /** X.509 certificate format, for public key export. */
X509 = 0, X509 = 0,
/** PCKS#8 format, asymmetric key pair import. */ /** PKCS#8 format, asymmetric key pair import. */
PKCS8 = 1, PKCS8 = 1,
/** Raw bytes, for symmetric key import. */ /**
* Raw bytes, for symmetric key import, and for import of raw asymmetric keys for curve 25519.
*/
RAW = 3, RAW = 3,
} }

6
security/keymint/aidl/vts/functional/KeyMintTest.cpp
View File

@@ -6566,7 +6566,7 @@ INSTANTIATE_KEYMINT_AIDL_TEST(TransportLimitTest);
typedef KeyMintAidlTestBase KeyAgreementTest; typedef KeyMintAidlTestBase KeyAgreementTest;
int CurveToOpenSslCurveName(EcCurve curve) { static int EcdhCurveToOpenSslCurveName(EcCurve curve) {
switch (curve) { switch (curve) {
case EcCurve::P_224: case EcCurve::P_224:
return NID_secp224r1; return NID_secp224r1;
@@ -6576,6 +6576,8 @@ int CurveToOpenSslCurveName(EcCurve curve) {
return NID_secp384r1; return NID_secp384r1;
case EcCurve::P_521: case EcCurve::P_521:
return NID_secp521r1; return NID_secp521r1;
case EcCurve::CURVE_25519:
return NID_X25519;
} }
} }
@@ -6597,7 +6599,7 @@ TEST_P(KeyAgreementTest, Ecdh) {
for (auto localCurve : ValidCurves()) { for (auto localCurve : ValidCurves()) {
// Generate EC key locally (with access to private key material) // Generate EC key locally (with access to private key material)
auto ecKey = EC_KEY_Ptr(EC_KEY_new()); auto ecKey = EC_KEY_Ptr(EC_KEY_new());
int curveName = CurveToOpenSslCurveName(localCurve); int curveName = EcdhCurveToOpenSslCurveName(localCurve);
auto group = EC_GROUP_Ptr(EC_GROUP_new_by_curve_name(curveName)); auto group = EC_GROUP_Ptr(EC_GROUP_new_by_curve_name(curveName));
ASSERT_NE(group, nullptr); ASSERT_NE(group, nullptr);
ASSERT_EQ(EC_KEY_set_group(ecKey.get(), group.get()), 1); ASSERT_EQ(EC_KEY_set_group(ecKey.get(), group.get()), 1);