diff --git a/security/keymint/aidl/aidl_api/android.hardware.security.keymint/current/android/hardware/security/keymint/Algorithm.aidl b/security/keymint/aidl/aidl_api/android.hardware.security.keymint/current/android/hardware/security/keymint/Algorithm.aidl index 46e0ae0f2f..a6c3e65a3b 100644 --- a/security/keymint/aidl/aidl_api/android.hardware.security.keymint/current/android/hardware/security/keymint/Algorithm.aidl +++ b/security/keymint/aidl/aidl_api/android.hardware.security.keymint/current/android/hardware/security/keymint/Algorithm.aidl @@ -2,13 +2,14 @@ // THIS FILE IS IMMUTABLE. DO NOT EDIT IN ANY CASE. // /////////////////////////////////////////////////////////////////////////////// -// This file is a snapshot of an AIDL interface (or parcelable). Do not try to -// edit this file. It looks like you are doing that because you have modified -// an AIDL interface in a backward-incompatible way, e.g., deleting a function -// from an interface or a field from a parcelable and it broke the build. That -// breakage is intended. +// This file is a snapshot of an AIDL file. Do not edit it manually. There are +// two cases: +// 1). this is a frozen version file - do not edit this in any case. +// 2). this is a 'current' file. If you make a backwards compatible change to +// the interface (from the latest frozen version), the build system will +// prompt you to update this file with `m -update-api`. // -// You must not make a backward incompatible changes to the AIDL files built +// You must not make a backward incompatible change to any AIDL file built // with the aidl_interface module type with versions property set. The module // type is used to build AIDL files in a way that they can be used across // independently updatable components of the system. If a device is shipped diff --git a/security/keymint/aidl/aidl_api/android.hardware.security.keymint/current/android/hardware/security/keymint/BeginResult.aidl b/security/keymint/aidl/aidl_api/android.hardware.security.keymint/current/android/hardware/security/keymint/BeginResult.aidl index ed96485a0d..84395afec8 100644 --- a/security/keymint/aidl/aidl_api/android.hardware.security.keymint/current/android/hardware/security/keymint/BeginResult.aidl +++ b/security/keymint/aidl/aidl_api/android.hardware.security.keymint/current/android/hardware/security/keymint/BeginResult.aidl @@ -2,13 +2,14 @@ // THIS FILE IS IMMUTABLE. DO NOT EDIT IN ANY CASE. // /////////////////////////////////////////////////////////////////////////////// -// This file is a snapshot of an AIDL interface (or parcelable). Do not try to -// edit this file. It looks like you are doing that because you have modified -// an AIDL interface in a backward-incompatible way, e.g., deleting a function -// from an interface or a field from a parcelable and it broke the build. That -// breakage is intended. +// This file is a snapshot of an AIDL file. Do not edit it manually. There are +// two cases: +// 1). this is a frozen version file - do not edit this in any case. +// 2). this is a 'current' file. If you make a backwards compatible change to +// the interface (from the latest frozen version), the build system will +// prompt you to update this file with `m -update-api`. // -// You must not make a backward incompatible changes to the AIDL files built +// You must not make a backward incompatible change to any AIDL file built // with the aidl_interface module type with versions property set. The module // type is used to build AIDL files in a way that they can be used across // independently updatable components of the system. If a device is shipped diff --git a/security/keymint/aidl/aidl_api/android.hardware.security.keymint/current/android/hardware/security/keymint/BlockMode.aidl b/security/keymint/aidl/aidl_api/android.hardware.security.keymint/current/android/hardware/security/keymint/BlockMode.aidl index dddc9d8d3c..e914823007 100644 --- a/security/keymint/aidl/aidl_api/android.hardware.security.keymint/current/android/hardware/security/keymint/BlockMode.aidl +++ b/security/keymint/aidl/aidl_api/android.hardware.security.keymint/current/android/hardware/security/keymint/BlockMode.aidl @@ -2,13 +2,14 @@ // THIS FILE IS IMMUTABLE. DO NOT EDIT IN ANY CASE. // /////////////////////////////////////////////////////////////////////////////// -// This file is a snapshot of an AIDL interface (or parcelable). Do not try to -// edit this file. It looks like you are doing that because you have modified -// an AIDL interface in a backward-incompatible way, e.g., deleting a function -// from an interface or a field from a parcelable and it broke the build. That -// breakage is intended. +// This file is a snapshot of an AIDL file. Do not edit it manually. There are +// two cases: +// 1). this is a frozen version file - do not edit this in any case. +// 2). this is a 'current' file. If you make a backwards compatible change to +// the interface (from the latest frozen version), the build system will +// prompt you to update this file with `m -update-api`. // -// You must not make a backward incompatible changes to the AIDL files built +// You must not make a backward incompatible change to any AIDL file built // with the aidl_interface module type with versions property set. The module // type is used to build AIDL files in a way that they can be used across // independently updatable components of the system. If a device is shipped diff --git a/security/keymint/aidl/aidl_api/android.hardware.security.keymint/current/android/hardware/security/keymint/ByteArray.aidl b/security/keymint/aidl/aidl_api/android.hardware.security.keymint/current/android/hardware/security/keymint/ByteArray.aidl index 3d18a26cf7..cef8eca8a9 100644 --- a/security/keymint/aidl/aidl_api/android.hardware.security.keymint/current/android/hardware/security/keymint/ByteArray.aidl +++ b/security/keymint/aidl/aidl_api/android.hardware.security.keymint/current/android/hardware/security/keymint/ByteArray.aidl @@ -2,13 +2,14 @@ // THIS FILE IS IMMUTABLE. DO NOT EDIT IN ANY CASE. // /////////////////////////////////////////////////////////////////////////////// -// This file is a snapshot of an AIDL interface (or parcelable). Do not try to -// edit this file. It looks like you are doing that because you have modified -// an AIDL interface in a backward-incompatible way, e.g., deleting a function -// from an interface or a field from a parcelable and it broke the build. That -// breakage is intended. +// This file is a snapshot of an AIDL file. Do not edit it manually. There are +// two cases: +// 1). this is a frozen version file - do not edit this in any case. +// 2). this is a 'current' file. If you make a backwards compatible change to +// the interface (from the latest frozen version), the build system will +// prompt you to update this file with `m -update-api`. // -// You must not make a backward incompatible changes to the AIDL files built +// You must not make a backward incompatible change to any AIDL file built // with the aidl_interface module type with versions property set. The module // type is used to build AIDL files in a way that they can be used across // independently updatable components of the system. If a device is shipped diff --git a/security/keymint/aidl/aidl_api/android.hardware.security.keymint/current/android/hardware/security/keymint/Certificate.aidl b/security/keymint/aidl/aidl_api/android.hardware.security.keymint/current/android/hardware/security/keymint/Certificate.aidl index 9e0f8dcff9..2277831c73 100644 --- a/security/keymint/aidl/aidl_api/android.hardware.security.keymint/current/android/hardware/security/keymint/Certificate.aidl +++ b/security/keymint/aidl/aidl_api/android.hardware.security.keymint/current/android/hardware/security/keymint/Certificate.aidl @@ -2,13 +2,14 @@ // THIS FILE IS IMMUTABLE. DO NOT EDIT IN ANY CASE. // /////////////////////////////////////////////////////////////////////////////// -// This file is a snapshot of an AIDL interface (or parcelable). Do not try to -// edit this file. It looks like you are doing that because you have modified -// an AIDL interface in a backward-incompatible way, e.g., deleting a function -// from an interface or a field from a parcelable and it broke the build. That -// breakage is intended. +// This file is a snapshot of an AIDL file. Do not edit it manually. There are +// two cases: +// 1). this is a frozen version file - do not edit this in any case. +// 2). this is a 'current' file. If you make a backwards compatible change to +// the interface (from the latest frozen version), the build system will +// prompt you to update this file with `m -update-api`. // -// You must not make a backward incompatible changes to the AIDL files built +// You must not make a backward incompatible change to any AIDL file built // with the aidl_interface module type with versions property set. The module // type is used to build AIDL files in a way that they can be used across // independently updatable components of the system. If a device is shipped diff --git a/security/keymint/aidl/aidl_api/android.hardware.security.keymint/current/android/hardware/security/keymint/Digest.aidl b/security/keymint/aidl/aidl_api/android.hardware.security.keymint/current/android/hardware/security/keymint/Digest.aidl index 8fc4d428db..2e583ce104 100644 --- a/security/keymint/aidl/aidl_api/android.hardware.security.keymint/current/android/hardware/security/keymint/Digest.aidl +++ b/security/keymint/aidl/aidl_api/android.hardware.security.keymint/current/android/hardware/security/keymint/Digest.aidl @@ -2,13 +2,14 @@ // THIS FILE IS IMMUTABLE. DO NOT EDIT IN ANY CASE. // /////////////////////////////////////////////////////////////////////////////// -// This file is a snapshot of an AIDL interface (or parcelable). Do not try to -// edit this file. It looks like you are doing that because you have modified -// an AIDL interface in a backward-incompatible way, e.g., deleting a function -// from an interface or a field from a parcelable and it broke the build. That -// breakage is intended. +// This file is a snapshot of an AIDL file. Do not edit it manually. There are +// two cases: +// 1). this is a frozen version file - do not edit this in any case. +// 2). this is a 'current' file. If you make a backwards compatible change to +// the interface (from the latest frozen version), the build system will +// prompt you to update this file with `m -update-api`. // -// You must not make a backward incompatible changes to the AIDL files built +// You must not make a backward incompatible change to any AIDL file built // with the aidl_interface module type with versions property set. The module // type is used to build AIDL files in a way that they can be used across // independently updatable components of the system. If a device is shipped diff --git a/security/keymint/aidl/aidl_api/android.hardware.security.keymint/current/android/hardware/security/keymint/EcCurve.aidl b/security/keymint/aidl/aidl_api/android.hardware.security.keymint/current/android/hardware/security/keymint/EcCurve.aidl index 7c3f2f38eb..b37282242a 100644 --- a/security/keymint/aidl/aidl_api/android.hardware.security.keymint/current/android/hardware/security/keymint/EcCurve.aidl +++ b/security/keymint/aidl/aidl_api/android.hardware.security.keymint/current/android/hardware/security/keymint/EcCurve.aidl @@ -2,13 +2,14 @@ // THIS FILE IS IMMUTABLE. DO NOT EDIT IN ANY CASE. // /////////////////////////////////////////////////////////////////////////////// -// This file is a snapshot of an AIDL interface (or parcelable). Do not try to -// edit this file. It looks like you are doing that because you have modified -// an AIDL interface in a backward-incompatible way, e.g., deleting a function -// from an interface or a field from a parcelable and it broke the build. That -// breakage is intended. +// This file is a snapshot of an AIDL file. Do not edit it manually. There are +// two cases: +// 1). this is a frozen version file - do not edit this in any case. +// 2). this is a 'current' file. If you make a backwards compatible change to +// the interface (from the latest frozen version), the build system will +// prompt you to update this file with `m -update-api`. // -// You must not make a backward incompatible changes to the AIDL files built +// You must not make a backward incompatible change to any AIDL file built // with the aidl_interface module type with versions property set. The module // type is used to build AIDL files in a way that they can be used across // independently updatable components of the system. If a device is shipped diff --git a/security/keymint/aidl/aidl_api/android.hardware.security.keymint/current/android/hardware/security/keymint/ErrorCode.aidl b/security/keymint/aidl/aidl_api/android.hardware.security.keymint/current/android/hardware/security/keymint/ErrorCode.aidl index 8694b32aa9..aa8c071bf4 100644 --- a/security/keymint/aidl/aidl_api/android.hardware.security.keymint/current/android/hardware/security/keymint/ErrorCode.aidl +++ b/security/keymint/aidl/aidl_api/android.hardware.security.keymint/current/android/hardware/security/keymint/ErrorCode.aidl @@ -2,13 +2,14 @@ // THIS FILE IS IMMUTABLE. DO NOT EDIT IN ANY CASE. // /////////////////////////////////////////////////////////////////////////////// -// This file is a snapshot of an AIDL interface (or parcelable). Do not try to -// edit this file. It looks like you are doing that because you have modified -// an AIDL interface in a backward-incompatible way, e.g., deleting a function -// from an interface or a field from a parcelable and it broke the build. That -// breakage is intended. +// This file is a snapshot of an AIDL file. Do not edit it manually. There are +// two cases: +// 1). this is a frozen version file - do not edit this in any case. +// 2). this is a 'current' file. If you make a backwards compatible change to +// the interface (from the latest frozen version), the build system will +// prompt you to update this file with `m -update-api`. // -// You must not make a backward incompatible changes to the AIDL files built +// You must not make a backward incompatible change to any AIDL file built // with the aidl_interface module type with versions property set. The module // type is used to build AIDL files in a way that they can be used across // independently updatable components of the system. If a device is shipped diff --git a/security/keymint/aidl/aidl_api/android.hardware.security.keymint/current/android/hardware/security/keymint/HardwareAuthToken.aidl b/security/keymint/aidl/aidl_api/android.hardware.security.keymint/current/android/hardware/security/keymint/HardwareAuthToken.aidl index 9ea24f5ebe..0d43d8d648 100644 --- a/security/keymint/aidl/aidl_api/android.hardware.security.keymint/current/android/hardware/security/keymint/HardwareAuthToken.aidl +++ b/security/keymint/aidl/aidl_api/android.hardware.security.keymint/current/android/hardware/security/keymint/HardwareAuthToken.aidl @@ -2,13 +2,14 @@ // THIS FILE IS IMMUTABLE. DO NOT EDIT IN ANY CASE. // /////////////////////////////////////////////////////////////////////////////// -// This file is a snapshot of an AIDL interface (or parcelable). Do not try to -// edit this file. It looks like you are doing that because you have modified -// an AIDL interface in a backward-incompatible way, e.g., deleting a function -// from an interface or a field from a parcelable and it broke the build. That -// breakage is intended. +// This file is a snapshot of an AIDL file. Do not edit it manually. There are +// two cases: +// 1). this is a frozen version file - do not edit this in any case. +// 2). this is a 'current' file. If you make a backwards compatible change to +// the interface (from the latest frozen version), the build system will +// prompt you to update this file with `m -update-api`. // -// You must not make a backward incompatible changes to the AIDL files built +// You must not make a backward incompatible change to any AIDL file built // with the aidl_interface module type with versions property set. The module // type is used to build AIDL files in a way that they can be used across // independently updatable components of the system. If a device is shipped diff --git a/security/keymint/aidl/aidl_api/android.hardware.security.keymint/current/android/hardware/security/keymint/HardwareAuthenticatorType.aidl b/security/keymint/aidl/aidl_api/android.hardware.security.keymint/current/android/hardware/security/keymint/HardwareAuthenticatorType.aidl index aef5ee049f..9ab00c100f 100644 --- a/security/keymint/aidl/aidl_api/android.hardware.security.keymint/current/android/hardware/security/keymint/HardwareAuthenticatorType.aidl +++ b/security/keymint/aidl/aidl_api/android.hardware.security.keymint/current/android/hardware/security/keymint/HardwareAuthenticatorType.aidl @@ -2,13 +2,14 @@ // THIS FILE IS IMMUTABLE. DO NOT EDIT IN ANY CASE. // /////////////////////////////////////////////////////////////////////////////// -// This file is a snapshot of an AIDL interface (or parcelable). Do not try to -// edit this file. It looks like you are doing that because you have modified -// an AIDL interface in a backward-incompatible way, e.g., deleting a function -// from an interface or a field from a parcelable and it broke the build. That -// breakage is intended. +// This file is a snapshot of an AIDL file. Do not edit it manually. There are +// two cases: +// 1). this is a frozen version file - do not edit this in any case. +// 2). this is a 'current' file. If you make a backwards compatible change to +// the interface (from the latest frozen version), the build system will +// prompt you to update this file with `m -update-api`. // -// You must not make a backward incompatible changes to the AIDL files built +// You must not make a backward incompatible change to any AIDL file built // with the aidl_interface module type with versions property set. The module // type is used to build AIDL files in a way that they can be used across // independently updatable components of the system. If a device is shipped diff --git a/security/keymint/aidl/aidl_api/android.hardware.security.keymint/current/android/hardware/security/keymint/IKeyMintDevice.aidl b/security/keymint/aidl/aidl_api/android.hardware.security.keymint/current/android/hardware/security/keymint/IKeyMintDevice.aidl index 3d08cfef08..07c28446b3 100644 --- a/security/keymint/aidl/aidl_api/android.hardware.security.keymint/current/android/hardware/security/keymint/IKeyMintDevice.aidl +++ b/security/keymint/aidl/aidl_api/android.hardware.security.keymint/current/android/hardware/security/keymint/IKeyMintDevice.aidl @@ -2,13 +2,14 @@ // THIS FILE IS IMMUTABLE. DO NOT EDIT IN ANY CASE. // /////////////////////////////////////////////////////////////////////////////// -// This file is a snapshot of an AIDL interface (or parcelable). Do not try to -// edit this file. It looks like you are doing that because you have modified -// an AIDL interface in a backward-incompatible way, e.g., deleting a function -// from an interface or a field from a parcelable and it broke the build. That -// breakage is intended. +// This file is a snapshot of an AIDL file. Do not edit it manually. There are +// two cases: +// 1). this is a frozen version file - do not edit this in any case. +// 2). this is a 'current' file. If you make a backwards compatible change to +// the interface (from the latest frozen version), the build system will +// prompt you to update this file with `m -update-api`. // -// You must not make a backward incompatible changes to the AIDL files built +// You must not make a backward incompatible change to any AIDL file built // with the aidl_interface module type with versions property set. The module // type is used to build AIDL files in a way that they can be used across // independently updatable components of the system. If a device is shipped @@ -21,9 +22,9 @@ interface IKeyMintDevice { android.hardware.security.keymint.KeyMintHardwareInfo getHardwareInfo(); android.hardware.security.keymint.VerificationToken verifyAuthorization(in long challenge, in android.hardware.security.keymint.HardwareAuthToken token); void addRngEntropy(in byte[] data); - void generateKey(in android.hardware.security.keymint.KeyParameter[] keyParams, out android.hardware.security.keymint.ByteArray generatedKeyBlob, out android.hardware.security.keymint.KeyCharacteristics generatedKeyCharacteristics, out android.hardware.security.keymint.Certificate[] outCertChain); - void importKey(in android.hardware.security.keymint.KeyParameter[] inKeyParams, in android.hardware.security.keymint.KeyFormat inKeyFormat, in byte[] inKeyData, out android.hardware.security.keymint.ByteArray outImportedKeyBlob, out android.hardware.security.keymint.KeyCharacteristics outImportedKeyCharacteristics, out android.hardware.security.keymint.Certificate[] outCertChain); - void importWrappedKey(in byte[] inWrappedKeyData, in byte[] inWrappingKeyBlob, in byte[] inMaskingKey, in android.hardware.security.keymint.KeyParameter[] inUnwrappingParams, in long inPasswordSid, in long inBiometricSid, out android.hardware.security.keymint.ByteArray outImportedKeyBlob, out android.hardware.security.keymint.KeyCharacteristics outImportedKeyCharacteristics); + android.hardware.security.keymint.KeyCreationResult generateKey(in android.hardware.security.keymint.KeyParameter[] keyParams); + android.hardware.security.keymint.KeyCreationResult importKey(in android.hardware.security.keymint.KeyParameter[] keyParams, in android.hardware.security.keymint.KeyFormat keyFormat, in byte[] keyData); + android.hardware.security.keymint.KeyCreationResult importWrappedKey(in byte[] wrappedKeyData, in byte[] wrappingKeyBlob, in byte[] maskingKey, in android.hardware.security.keymint.KeyParameter[] unwrappingParams, in long passwordSid, in long biometricSid); byte[] upgradeKey(in byte[] inKeyBlobToUpgrade, in android.hardware.security.keymint.KeyParameter[] inUpgradeParams); void deleteKey(in byte[] inKeyBlob); void deleteAllKeys(); diff --git a/security/keymint/aidl/aidl_api/android.hardware.security.keymint/current/android/hardware/security/keymint/IKeyMintOperation.aidl b/security/keymint/aidl/aidl_api/android.hardware.security.keymint/current/android/hardware/security/keymint/IKeyMintOperation.aidl index 8e3b0fcf9b..08aa00a494 100644 --- a/security/keymint/aidl/aidl_api/android.hardware.security.keymint/current/android/hardware/security/keymint/IKeyMintOperation.aidl +++ b/security/keymint/aidl/aidl_api/android.hardware.security.keymint/current/android/hardware/security/keymint/IKeyMintOperation.aidl @@ -2,13 +2,14 @@ // THIS FILE IS IMMUTABLE. DO NOT EDIT IN ANY CASE. // /////////////////////////////////////////////////////////////////////////////// -// This file is a snapshot of an AIDL interface (or parcelable). Do not try to -// edit this file. It looks like you are doing that because you have modified -// an AIDL interface in a backward-incompatible way, e.g., deleting a function -// from an interface or a field from a parcelable and it broke the build. That -// breakage is intended. +// This file is a snapshot of an AIDL file. Do not edit it manually. There are +// two cases: +// 1). this is a frozen version file - do not edit this in any case. +// 2). this is a 'current' file. If you make a backwards compatible change to +// the interface (from the latest frozen version), the build system will +// prompt you to update this file with `m -update-api`. // -// You must not make a backward incompatible changes to the AIDL files built +// You must not make a backward incompatible change to any AIDL file built // with the aidl_interface module type with versions property set. The module // type is used to build AIDL files in a way that they can be used across // independently updatable components of the system. If a device is shipped diff --git a/security/keymint/aidl/aidl_api/android.hardware.security.keymint/current/android/hardware/security/keymint/KeyCharacteristics.aidl b/security/keymint/aidl/aidl_api/android.hardware.security.keymint/current/android/hardware/security/keymint/KeyCharacteristics.aidl index fb4214cd43..49ea8af911 100644 --- a/security/keymint/aidl/aidl_api/android.hardware.security.keymint/current/android/hardware/security/keymint/KeyCharacteristics.aidl +++ b/security/keymint/aidl/aidl_api/android.hardware.security.keymint/current/android/hardware/security/keymint/KeyCharacteristics.aidl @@ -2,13 +2,14 @@ // THIS FILE IS IMMUTABLE. DO NOT EDIT IN ANY CASE. // /////////////////////////////////////////////////////////////////////////////// -// This file is a snapshot of an AIDL interface (or parcelable). Do not try to -// edit this file. It looks like you are doing that because you have modified -// an AIDL interface in a backward-incompatible way, e.g., deleting a function -// from an interface or a field from a parcelable and it broke the build. That -// breakage is intended. +// This file is a snapshot of an AIDL file. Do not edit it manually. There are +// two cases: +// 1). this is a frozen version file - do not edit this in any case. +// 2). this is a 'current' file. If you make a backwards compatible change to +// the interface (from the latest frozen version), the build system will +// prompt you to update this file with `m -update-api`. // -// You must not make a backward incompatible changes to the AIDL files built +// You must not make a backward incompatible change to any AIDL file built // with the aidl_interface module type with versions property set. The module // type is used to build AIDL files in a way that they can be used across // independently updatable components of the system. If a device is shipped @@ -18,6 +19,6 @@ package android.hardware.security.keymint; @VintfStability parcelable KeyCharacteristics { - android.hardware.security.keymint.KeyParameter[] softwareEnforced; - android.hardware.security.keymint.KeyParameter[] hardwareEnforced; + android.hardware.security.keymint.SecurityLevel securityLevel; + android.hardware.security.keymint.KeyParameter[] authorizations; } diff --git a/security/keymint/aidl/aidl_api/android.hardware.security.keymint/current/android/hardware/security/keymint/KeyCreationResult.aidl b/security/keymint/aidl/aidl_api/android.hardware.security.keymint/current/android/hardware/security/keymint/KeyCreationResult.aidl new file mode 100644 index 0000000000..4b9ac79711 --- /dev/null +++ b/security/keymint/aidl/aidl_api/android.hardware.security.keymint/current/android/hardware/security/keymint/KeyCreationResult.aidl @@ -0,0 +1,25 @@ +/////////////////////////////////////////////////////////////////////////////// +// THIS FILE IS IMMUTABLE. DO NOT EDIT IN ANY CASE. // +/////////////////////////////////////////////////////////////////////////////// + +// This file is a snapshot of an AIDL file. Do not edit it manually. There are +// two cases: +// 1). this is a frozen version file - do not edit this in any case. +// 2). this is a 'current' file. If you make a backwards compatible change to +// the interface (from the latest frozen version), the build system will +// prompt you to update this file with `m -update-api`. +// +// You must not make a backward incompatible change to any AIDL file built +// with the aidl_interface module type with versions property set. The module +// type is used to build AIDL files in a way that they can be used across +// independently updatable components of the system. If a device is shipped +// with such a backward incompatible change, it has a high risk of breaking +// later when a module using the interface is updated, e.g., Mainline modules. + +package android.hardware.security.keymint; +@VintfStability +parcelable KeyCreationResult { + byte[] keyBlob; + android.hardware.security.keymint.KeyCharacteristics[] keyCharacteristics; + android.hardware.security.keymint.Certificate[] certificateChain; +} diff --git a/security/keymint/aidl/aidl_api/android.hardware.security.keymint/current/android/hardware/security/keymint/KeyFormat.aidl b/security/keymint/aidl/aidl_api/android.hardware.security.keymint/current/android/hardware/security/keymint/KeyFormat.aidl index f701c808a2..4eb5a7829f 100644 --- a/security/keymint/aidl/aidl_api/android.hardware.security.keymint/current/android/hardware/security/keymint/KeyFormat.aidl +++ b/security/keymint/aidl/aidl_api/android.hardware.security.keymint/current/android/hardware/security/keymint/KeyFormat.aidl @@ -2,13 +2,14 @@ // THIS FILE IS IMMUTABLE. DO NOT EDIT IN ANY CASE. // /////////////////////////////////////////////////////////////////////////////// -// This file is a snapshot of an AIDL interface (or parcelable). Do not try to -// edit this file. It looks like you are doing that because you have modified -// an AIDL interface in a backward-incompatible way, e.g., deleting a function -// from an interface or a field from a parcelable and it broke the build. That -// breakage is intended. +// This file is a snapshot of an AIDL file. Do not edit it manually. There are +// two cases: +// 1). this is a frozen version file - do not edit this in any case. +// 2). this is a 'current' file. If you make a backwards compatible change to +// the interface (from the latest frozen version), the build system will +// prompt you to update this file with `m -update-api`. // -// You must not make a backward incompatible changes to the AIDL files built +// You must not make a backward incompatible change to any AIDL file built // with the aidl_interface module type with versions property set. The module // type is used to build AIDL files in a way that they can be used across // independently updatable components of the system. If a device is shipped diff --git a/security/keymint/aidl/aidl_api/android.hardware.security.keymint/current/android/hardware/security/keymint/KeyMintHardwareInfo.aidl b/security/keymint/aidl/aidl_api/android.hardware.security.keymint/current/android/hardware/security/keymint/KeyMintHardwareInfo.aidl index 5e9f7ae635..0390ec9fa4 100644 --- a/security/keymint/aidl/aidl_api/android.hardware.security.keymint/current/android/hardware/security/keymint/KeyMintHardwareInfo.aidl +++ b/security/keymint/aidl/aidl_api/android.hardware.security.keymint/current/android/hardware/security/keymint/KeyMintHardwareInfo.aidl @@ -2,13 +2,14 @@ // THIS FILE IS IMMUTABLE. DO NOT EDIT IN ANY CASE. // /////////////////////////////////////////////////////////////////////////////// -// This file is a snapshot of an AIDL interface (or parcelable). Do not try to -// edit this file. It looks like you are doing that because you have modified -// an AIDL interface in a backward-incompatible way, e.g., deleting a function -// from an interface or a field from a parcelable and it broke the build. That -// breakage is intended. +// This file is a snapshot of an AIDL file. Do not edit it manually. There are +// two cases: +// 1). this is a frozen version file - do not edit this in any case. +// 2). this is a 'current' file. If you make a backwards compatible change to +// the interface (from the latest frozen version), the build system will +// prompt you to update this file with `m -update-api`. // -// You must not make a backward incompatible changes to the AIDL files built +// You must not make a backward incompatible change to any AIDL file built // with the aidl_interface module type with versions property set. The module // type is used to build AIDL files in a way that they can be used across // independently updatable components of the system. If a device is shipped diff --git a/security/keymint/aidl/aidl_api/android.hardware.security.keymint/current/android/hardware/security/keymint/KeyOrigin.aidl b/security/keymint/aidl/aidl_api/android.hardware.security.keymint/current/android/hardware/security/keymint/KeyOrigin.aidl index 9728bf92b7..e84cf74b1a 100644 --- a/security/keymint/aidl/aidl_api/android.hardware.security.keymint/current/android/hardware/security/keymint/KeyOrigin.aidl +++ b/security/keymint/aidl/aidl_api/android.hardware.security.keymint/current/android/hardware/security/keymint/KeyOrigin.aidl @@ -2,13 +2,14 @@ // THIS FILE IS IMMUTABLE. DO NOT EDIT IN ANY CASE. // /////////////////////////////////////////////////////////////////////////////// -// This file is a snapshot of an AIDL interface (or parcelable). Do not try to -// edit this file. It looks like you are doing that because you have modified -// an AIDL interface in a backward-incompatible way, e.g., deleting a function -// from an interface or a field from a parcelable and it broke the build. That -// breakage is intended. +// This file is a snapshot of an AIDL file. Do not edit it manually. There are +// two cases: +// 1). this is a frozen version file - do not edit this in any case. +// 2). this is a 'current' file. If you make a backwards compatible change to +// the interface (from the latest frozen version), the build system will +// prompt you to update this file with `m -update-api`. // -// You must not make a backward incompatible changes to the AIDL files built +// You must not make a backward incompatible change to any AIDL file built // with the aidl_interface module type with versions property set. The module // type is used to build AIDL files in a way that they can be used across // independently updatable components of the system. If a device is shipped diff --git a/security/keymint/aidl/aidl_api/android.hardware.security.keymint/current/android/hardware/security/keymint/KeyParameter.aidl b/security/keymint/aidl/aidl_api/android.hardware.security.keymint/current/android/hardware/security/keymint/KeyParameter.aidl index 498576825c..6829a2b0f6 100644 --- a/security/keymint/aidl/aidl_api/android.hardware.security.keymint/current/android/hardware/security/keymint/KeyParameter.aidl +++ b/security/keymint/aidl/aidl_api/android.hardware.security.keymint/current/android/hardware/security/keymint/KeyParameter.aidl @@ -2,13 +2,14 @@ // THIS FILE IS IMMUTABLE. DO NOT EDIT IN ANY CASE. // /////////////////////////////////////////////////////////////////////////////// -// This file is a snapshot of an AIDL interface (or parcelable). Do not try to -// edit this file. It looks like you are doing that because you have modified -// an AIDL interface in a backward-incompatible way, e.g., deleting a function -// from an interface or a field from a parcelable and it broke the build. That -// breakage is intended. +// This file is a snapshot of an AIDL file. Do not edit it manually. There are +// two cases: +// 1). this is a frozen version file - do not edit this in any case. +// 2). this is a 'current' file. If you make a backwards compatible change to +// the interface (from the latest frozen version), the build system will +// prompt you to update this file with `m -update-api`. // -// You must not make a backward incompatible changes to the AIDL files built +// You must not make a backward incompatible change to any AIDL file built // with the aidl_interface module type with versions property set. The module // type is used to build AIDL files in a way that they can be used across // independently updatable components of the system. If a device is shipped diff --git a/security/keymint/aidl/aidl_api/android.hardware.security.keymint/current/android/hardware/security/keymint/KeyParameterArray.aidl b/security/keymint/aidl/aidl_api/android.hardware.security.keymint/current/android/hardware/security/keymint/KeyParameterArray.aidl index 2c3b768756..882ca89c2e 100644 --- a/security/keymint/aidl/aidl_api/android.hardware.security.keymint/current/android/hardware/security/keymint/KeyParameterArray.aidl +++ b/security/keymint/aidl/aidl_api/android.hardware.security.keymint/current/android/hardware/security/keymint/KeyParameterArray.aidl @@ -2,13 +2,14 @@ // THIS FILE IS IMMUTABLE. DO NOT EDIT IN ANY CASE. // /////////////////////////////////////////////////////////////////////////////// -// This file is a snapshot of an AIDL interface (or parcelable). Do not try to -// edit this file. It looks like you are doing that because you have modified -// an AIDL interface in a backward-incompatible way, e.g., deleting a function -// from an interface or a field from a parcelable and it broke the build. That -// breakage is intended. +// This file is a snapshot of an AIDL file. Do not edit it manually. There are +// two cases: +// 1). this is a frozen version file - do not edit this in any case. +// 2). this is a 'current' file. If you make a backwards compatible change to +// the interface (from the latest frozen version), the build system will +// prompt you to update this file with `m -update-api`. // -// You must not make a backward incompatible changes to the AIDL files built +// You must not make a backward incompatible change to any AIDL file built // with the aidl_interface module type with versions property set. The module // type is used to build AIDL files in a way that they can be used across // independently updatable components of the system. If a device is shipped diff --git a/security/keymint/aidl/aidl_api/android.hardware.security.keymint/current/android/hardware/security/keymint/KeyParameterValue.aidl b/security/keymint/aidl/aidl_api/android.hardware.security.keymint/current/android/hardware/security/keymint/KeyParameterValue.aidl index ecf20ad75b..6c11a924e7 100644 --- a/security/keymint/aidl/aidl_api/android.hardware.security.keymint/current/android/hardware/security/keymint/KeyParameterValue.aidl +++ b/security/keymint/aidl/aidl_api/android.hardware.security.keymint/current/android/hardware/security/keymint/KeyParameterValue.aidl @@ -2,13 +2,14 @@ // THIS FILE IS IMMUTABLE. DO NOT EDIT IN ANY CASE. // /////////////////////////////////////////////////////////////////////////////// -// This file is a snapshot of an AIDL interface (or parcelable). Do not try to -// edit this file. It looks like you are doing that because you have modified -// an AIDL interface in a backward-incompatible way, e.g., deleting a function -// from an interface or a field from a parcelable and it broke the build. That -// breakage is intended. +// This file is a snapshot of an AIDL file. Do not edit it manually. There are +// two cases: +// 1). this is a frozen version file - do not edit this in any case. +// 2). this is a 'current' file. If you make a backwards compatible change to +// the interface (from the latest frozen version), the build system will +// prompt you to update this file with `m -update-api`. // -// You must not make a backward incompatible changes to the AIDL files built +// You must not make a backward incompatible change to any AIDL file built // with the aidl_interface module type with versions property set. The module // type is used to build AIDL files in a way that they can be used across // independently updatable components of the system. If a device is shipped diff --git a/security/keymint/aidl/aidl_api/android.hardware.security.keymint/current/android/hardware/security/keymint/KeyPurpose.aidl b/security/keymint/aidl/aidl_api/android.hardware.security.keymint/current/android/hardware/security/keymint/KeyPurpose.aidl index a6fd8c3737..ff8d85a31a 100644 --- a/security/keymint/aidl/aidl_api/android.hardware.security.keymint/current/android/hardware/security/keymint/KeyPurpose.aidl +++ b/security/keymint/aidl/aidl_api/android.hardware.security.keymint/current/android/hardware/security/keymint/KeyPurpose.aidl @@ -2,13 +2,14 @@ // THIS FILE IS IMMUTABLE. DO NOT EDIT IN ANY CASE. // /////////////////////////////////////////////////////////////////////////////// -// This file is a snapshot of an AIDL interface (or parcelable). Do not try to -// edit this file. It looks like you are doing that because you have modified -// an AIDL interface in a backward-incompatible way, e.g., deleting a function -// from an interface or a field from a parcelable and it broke the build. That -// breakage is intended. +// This file is a snapshot of an AIDL file. Do not edit it manually. There are +// two cases: +// 1). this is a frozen version file - do not edit this in any case. +// 2). this is a 'current' file. If you make a backwards compatible change to +// the interface (from the latest frozen version), the build system will +// prompt you to update this file with `m -update-api`. // -// You must not make a backward incompatible changes to the AIDL files built +// You must not make a backward incompatible change to any AIDL file built // with the aidl_interface module type with versions property set. The module // type is used to build AIDL files in a way that they can be used across // independently updatable components of the system. If a device is shipped diff --git a/security/keymint/aidl/aidl_api/android.hardware.security.keymint/current/android/hardware/security/keymint/PaddingMode.aidl b/security/keymint/aidl/aidl_api/android.hardware.security.keymint/current/android/hardware/security/keymint/PaddingMode.aidl index 2ecfa1e8f6..6c61312314 100644 --- a/security/keymint/aidl/aidl_api/android.hardware.security.keymint/current/android/hardware/security/keymint/PaddingMode.aidl +++ b/security/keymint/aidl/aidl_api/android.hardware.security.keymint/current/android/hardware/security/keymint/PaddingMode.aidl @@ -2,13 +2,14 @@ // THIS FILE IS IMMUTABLE. DO NOT EDIT IN ANY CASE. // /////////////////////////////////////////////////////////////////////////////// -// This file is a snapshot of an AIDL interface (or parcelable). Do not try to -// edit this file. It looks like you are doing that because you have modified -// an AIDL interface in a backward-incompatible way, e.g., deleting a function -// from an interface or a field from a parcelable and it broke the build. That -// breakage is intended. +// This file is a snapshot of an AIDL file. Do not edit it manually. There are +// two cases: +// 1). this is a frozen version file - do not edit this in any case. +// 2). this is a 'current' file. If you make a backwards compatible change to +// the interface (from the latest frozen version), the build system will +// prompt you to update this file with `m -update-api`. // -// You must not make a backward incompatible changes to the AIDL files built +// You must not make a backward incompatible change to any AIDL file built // with the aidl_interface module type with versions property set. The module // type is used to build AIDL files in a way that they can be used across // independently updatable components of the system. If a device is shipped diff --git a/security/keymint/aidl/aidl_api/android.hardware.security.keymint/current/android/hardware/security/keymint/SecurityLevel.aidl b/security/keymint/aidl/aidl_api/android.hardware.security.keymint/current/android/hardware/security/keymint/SecurityLevel.aidl index 601693f127..c4812ed67a 100644 --- a/security/keymint/aidl/aidl_api/android.hardware.security.keymint/current/android/hardware/security/keymint/SecurityLevel.aidl +++ b/security/keymint/aidl/aidl_api/android.hardware.security.keymint/current/android/hardware/security/keymint/SecurityLevel.aidl @@ -2,13 +2,14 @@ // THIS FILE IS IMMUTABLE. DO NOT EDIT IN ANY CASE. // /////////////////////////////////////////////////////////////////////////////// -// This file is a snapshot of an AIDL interface (or parcelable). Do not try to -// edit this file. It looks like you are doing that because you have modified -// an AIDL interface in a backward-incompatible way, e.g., deleting a function -// from an interface or a field from a parcelable and it broke the build. That -// breakage is intended. +// This file is a snapshot of an AIDL file. Do not edit it manually. There are +// two cases: +// 1). this is a frozen version file - do not edit this in any case. +// 2). this is a 'current' file. If you make a backwards compatible change to +// the interface (from the latest frozen version), the build system will +// prompt you to update this file with `m -update-api`. // -// You must not make a backward incompatible changes to the AIDL files built +// You must not make a backward incompatible change to any AIDL file built // with the aidl_interface module type with versions property set. The module // type is used to build AIDL files in a way that they can be used across // independently updatable components of the system. If a device is shipped diff --git a/security/keymint/aidl/aidl_api/android.hardware.security.keymint/current/android/hardware/security/keymint/Tag.aidl b/security/keymint/aidl/aidl_api/android.hardware.security.keymint/current/android/hardware/security/keymint/Tag.aidl index 814405c8c4..ce12fed082 100644 --- a/security/keymint/aidl/aidl_api/android.hardware.security.keymint/current/android/hardware/security/keymint/Tag.aidl +++ b/security/keymint/aidl/aidl_api/android.hardware.security.keymint/current/android/hardware/security/keymint/Tag.aidl @@ -2,13 +2,14 @@ // THIS FILE IS IMMUTABLE. DO NOT EDIT IN ANY CASE. // /////////////////////////////////////////////////////////////////////////////// -// This file is a snapshot of an AIDL interface (or parcelable). Do not try to -// edit this file. It looks like you are doing that because you have modified -// an AIDL interface in a backward-incompatible way, e.g., deleting a function -// from an interface or a field from a parcelable and it broke the build. That -// breakage is intended. +// This file is a snapshot of an AIDL file. Do not edit it manually. There are +// two cases: +// 1). this is a frozen version file - do not edit this in any case. +// 2). this is a 'current' file. If you make a backwards compatible change to +// the interface (from the latest frozen version), the build system will +// prompt you to update this file with `m -update-api`. // -// You must not make a backward incompatible changes to the AIDL files built +// You must not make a backward incompatible change to any AIDL file built // with the aidl_interface module type with versions property set. The module // type is used to build AIDL files in a way that they can be used across // independently updatable components of the system. If a device is shipped diff --git a/security/keymint/aidl/aidl_api/android.hardware.security.keymint/current/android/hardware/security/keymint/TagType.aidl b/security/keymint/aidl/aidl_api/android.hardware.security.keymint/current/android/hardware/security/keymint/TagType.aidl index bb2766c6bf..41c8832a0b 100644 --- a/security/keymint/aidl/aidl_api/android.hardware.security.keymint/current/android/hardware/security/keymint/TagType.aidl +++ b/security/keymint/aidl/aidl_api/android.hardware.security.keymint/current/android/hardware/security/keymint/TagType.aidl @@ -2,13 +2,14 @@ // THIS FILE IS IMMUTABLE. DO NOT EDIT IN ANY CASE. // /////////////////////////////////////////////////////////////////////////////// -// This file is a snapshot of an AIDL interface (or parcelable). Do not try to -// edit this file. It looks like you are doing that because you have modified -// an AIDL interface in a backward-incompatible way, e.g., deleting a function -// from an interface or a field from a parcelable and it broke the build. That -// breakage is intended. +// This file is a snapshot of an AIDL file. Do not edit it manually. There are +// two cases: +// 1). this is a frozen version file - do not edit this in any case. +// 2). this is a 'current' file. If you make a backwards compatible change to +// the interface (from the latest frozen version), the build system will +// prompt you to update this file with `m -update-api`. // -// You must not make a backward incompatible changes to the AIDL files built +// You must not make a backward incompatible change to any AIDL file built // with the aidl_interface module type with versions property set. The module // type is used to build AIDL files in a way that they can be used across // independently updatable components of the system. If a device is shipped diff --git a/security/keymint/aidl/aidl_api/android.hardware.security.keymint/current/android/hardware/security/keymint/Timestamp.aidl b/security/keymint/aidl/aidl_api/android.hardware.security.keymint/current/android/hardware/security/keymint/Timestamp.aidl index 4d5b6598b5..963e66ef1d 100644 --- a/security/keymint/aidl/aidl_api/android.hardware.security.keymint/current/android/hardware/security/keymint/Timestamp.aidl +++ b/security/keymint/aidl/aidl_api/android.hardware.security.keymint/current/android/hardware/security/keymint/Timestamp.aidl @@ -2,13 +2,14 @@ // THIS FILE IS IMMUTABLE. DO NOT EDIT IN ANY CASE. // /////////////////////////////////////////////////////////////////////////////// -// This file is a snapshot of an AIDL interface (or parcelable). Do not try to -// edit this file. It looks like you are doing that because you have modified -// an AIDL interface in a backward-incompatible way, e.g., deleting a function -// from an interface or a field from a parcelable and it broke the build. That -// breakage is intended. +// This file is a snapshot of an AIDL file. Do not edit it manually. There are +// two cases: +// 1). this is a frozen version file - do not edit this in any case. +// 2). this is a 'current' file. If you make a backwards compatible change to +// the interface (from the latest frozen version), the build system will +// prompt you to update this file with `m -update-api`. // -// You must not make a backward incompatible changes to the AIDL files built +// You must not make a backward incompatible change to any AIDL file built // with the aidl_interface module type with versions property set. The module // type is used to build AIDL files in a way that they can be used across // independently updatable components of the system. If a device is shipped diff --git a/security/keymint/aidl/aidl_api/android.hardware.security.keymint/current/android/hardware/security/keymint/VerificationToken.aidl b/security/keymint/aidl/aidl_api/android.hardware.security.keymint/current/android/hardware/security/keymint/VerificationToken.aidl index 5c76816a52..7dc556c113 100644 --- a/security/keymint/aidl/aidl_api/android.hardware.security.keymint/current/android/hardware/security/keymint/VerificationToken.aidl +++ b/security/keymint/aidl/aidl_api/android.hardware.security.keymint/current/android/hardware/security/keymint/VerificationToken.aidl @@ -2,13 +2,14 @@ // THIS FILE IS IMMUTABLE. DO NOT EDIT IN ANY CASE. // /////////////////////////////////////////////////////////////////////////////// -// This file is a snapshot of an AIDL interface (or parcelable). Do not try to -// edit this file. It looks like you are doing that because you have modified -// an AIDL interface in a backward-incompatible way, e.g., deleting a function -// from an interface or a field from a parcelable and it broke the build. That -// breakage is intended. +// This file is a snapshot of an AIDL file. Do not edit it manually. There are +// two cases: +// 1). this is a frozen version file - do not edit this in any case. +// 2). this is a 'current' file. If you make a backwards compatible change to +// the interface (from the latest frozen version), the build system will +// prompt you to update this file with `m -update-api`. // -// You must not make a backward incompatible changes to the AIDL files built +// You must not make a backward incompatible change to any AIDL file built // with the aidl_interface module type with versions property set. The module // type is used to build AIDL files in a way that they can be used across // independently updatable components of the system. If a device is shipped diff --git a/security/keymint/aidl/android/hardware/security/keymint/Certificate.aidl b/security/keymint/aidl/android/hardware/security/keymint/Certificate.aidl index a9538590eb..0e5d898804 100644 --- a/security/keymint/aidl/android/hardware/security/keymint/Certificate.aidl +++ b/security/keymint/aidl/android/hardware/security/keymint/Certificate.aidl @@ -17,9 +17,8 @@ package android.hardware.security.keymint; /** - * This encodes the IKeyMintDevice attestation generated certificate. + * This encodes an IKeyMintDevice certificate, generated for a KeyMint asymmetric public key. */ - @VintfStability parcelable Certificate { /** diff --git a/security/keymint/aidl/android/hardware/security/keymint/IKeyMintDevice.aidl b/security/keymint/aidl/android/hardware/security/keymint/IKeyMintDevice.aidl index 4944acb1b1..820e135738 100644 --- a/security/keymint/aidl/android/hardware/security/keymint/IKeyMintDevice.aidl +++ b/security/keymint/aidl/android/hardware/security/keymint/IKeyMintDevice.aidl @@ -18,10 +18,9 @@ package android.hardware.security.keymint; import android.hardware.security.keymint.BeginResult; import android.hardware.security.keymint.ByteArray; -import android.hardware.security.keymint.Certificate; import android.hardware.security.keymint.HardwareAuthToken; import android.hardware.security.keymint.IKeyMintOperation; -import android.hardware.security.keymint.KeyCharacteristics; +import android.hardware.security.keymint.KeyCreationResult; import android.hardware.security.keymint.KeyFormat; import android.hardware.security.keymint.KeyParameter; import android.hardware.security.keymint.KeyMintHardwareInfo; @@ -126,16 +125,22 @@ import android.hardware.security.keymint.VerificationToken; * attacker can use them at will (though they're more secure than keys which can be * exfiltrated). Therefore, IKeyMintDevice must enforce access controls. * - * Access controls are defined as an "authorization list" of tag/value pairs. Authorization tags - * are 32-bit integers from the Tag enum, and the values are a variety of types, defined in the - * TagType enum. Some tags may be repeated to specify multiple values. Whether a tag may be - * repeated is specified in the documentation for the tag and in the TagType. When a key is - * created or imported, the caller specifies an authorization list. The IKeyMintDevice must divide - * the caller-provided authorizations into two lists, those it enforces in tee secure zone and - * those enforced in the strongBox hardware. These two lists are returned as the "teeEnforced" - * and "strongboxEnforced" elements of the KeyCharacteristics struct. Note that software enforced - * authorization list entries are not returned because they are not enforced by keymint. The - * IKeyMintDevice must also add the following authorizations to the appropriate list: + * Access controls are defined as "authorization lists" of tag/value pairs. Authorization tags are + * 32-bit integers from the Tag enum, and the values are a variety of types, defined in the TagType + * enum. Some tags may be repeated to specify multiple values. Whether a tag may be repeated is + * specified in the documentation for the tag and in the TagType. When a key is created or + * imported, the caller specifies a `key_description` authorization list. The IKeyMintDevice must + * determine which tags it can and cannot enforce, and at what SecurityLevel, and return an array of + * `KeyCharacteristics` structures that contains everything it will enforce, associated with the + * appropriate security level, which is one of SOFTWARE, TRUSTED_ENVIRONMENT and STRONGBOX. + * Typically, implementations will only return a single KeyCharacteristics structure, because + * everything they enforce is enforced at the same security level. There may be cases, however, for + * which multiple security levels are relevant. One example is that of a StrongBox IKeyMintDevice + * that relies on a TEE to enforce biometric user authentication. In that case, the generate/import + * methods must return two KeyCharacteristics structs, one with SecurityLevel::TRUSTED_ENVIRONMENT + * and the biometric authentication-related tags, and another with SecurityLevel::STRONGBOX and + * everything else. The IKeyMintDevice must also add the following authorizations to the + * appropriate list: * * o Tag::OS_VERSION * o Tag::OS_PATCHLEVEL @@ -148,26 +153,27 @@ import android.hardware.security.keymint.VerificationToken; * The caller must always provide the current date time in the keyParameter CREATION_DATETIME * tags. * - * All authorization tags and their values, both teeEnforced and strongboxEnforced, including - * unknown tags, must be cryptographically bound to the private/secret key material such that any - * modification of the portion of the key blob that contains the authorization list makes it - * impossible for the secure environment to obtain the private/secret key material. The - * recommended approach to meet this requirement is to use the full set of authorization tags - * associated with a key as input to a secure key derivation function used to derive a key that - * is used to encrypt the private/secret key material. + * All authorization tags and their values enforced by an IKeyMintDevice must be cryptographically + * bound to the private/secret key material such that any modification of the portion of the key + * blob that contains the authorization list makes it impossible for the secure environment to + * obtain the private/secret key material. The recommended approach to meet this requirement is to + * use the full set of authorization tags associated with a key as input to a secure key derivation + * function used to derive a key (the KEK) that is used to encrypt the private/secret key material. + * Note that it is NOT acceptable to use a static KEK to encrypt the private/secret key material + * with an AEAD cipher mode, using the enforced authorization tags as AAD. This is because + * Tag::APPLICATION_DATA must not be included in the authorization tags stored in the key blob, but + * must be provided by the caller for every use. Assuming the Tag::APPLICATION_DATA value has + * sufficient entropy, this provides a cryptographic guarantee that an attacker cannot use a key + * without knowing the Tag::APPLICATION_DATA value, even if they compromise the IKeyMintDevice. * - * IKeyMintDevice implementations ignore any tags they cannot enforce and do not return them - * in KeyCharacteristics. For example, Tag::ORIGINATION_EXPIRE_DATETIME provides the date and - * time after which a key may not be used to encrypt or sign new messages. Unless the - * IKeyMintDevice has access to a secure source of current date/time information, it is not - * possible for the IKeyMintDevice to enforce this tag. An IKeyMintDevice implementation will - * not rely on the non-secure world's notion of time, because it could be controlled by an - * attacker. Similarly, it cannot rely on GPSr time, even if it has exclusive control of the - * GPSr, because that might be spoofed by attacker RF signals. - * - * IKeyMintDevices do not use or enforce any tags they place in the softwareEnforced - * list. The IKeyMintDevice caller must enforce them, and it is unnecessary to enforce them - * twice. + * IKeyMintDevice implementations must ignore any tags they cannot enforce and must not return them + * in KeyCharacteristics. For example, Tag::ORIGINATION_EXPIRE_DATETIME provides the date and time + * after which a key may not be used to encrypt or sign new messages. Unless the IKeyMintDevice has + * access to a secure source of current date/time information, it is not possible for the + * IKeyMintDevice to enforce this tag. An IKeyMintDevice implementation will not rely on the + * non-secure world's notion of time, because it could be controlled by an attacker. Similarly, it + * cannot rely on GPSr time, even if it has exclusive control of the GPSr, because that might be + * spoofed by attacker RF signals. * * Some tags must be enforced by the IKeyMintDevice. See the detailed documentation on each Tag * in Tag.aidl. @@ -337,38 +343,9 @@ interface IKeyMintDevice { * provided in params. See above for detailed specifications of which tags are required * for which types of keys. * - * @return generatedKeyBlob Opaque descriptor of the generated key. The recommended - * implementation strategy is to include an encrypted copy of the key material, wrapped - * in a key unavailable outside secure hardware. - * - * @return generatedKeyCharacteristics Description of the generated key, divided into two sets: - * hardware-enforced and software-enforced. The description here applies equally - * to the key characteristics lists returned by generateKey, importKey and - * importWrappedKey. The characteristics returned by this parameter completely - * describe the type and usage of the specified key. - * - * The rule that IKeyMintDevice implementations must use for deciding whether a - * given tag belongs in the hardware-enforced or software-enforced list is that if - * the meaning of the tag is fully assured by secure hardware, it is hardware - * enforced. Otherwise, it's software enforced. - * - * @return outCertChain If the key is an asymmetric key, and proper keyparameters for - * attestation (such as challenge) is provided, then this parameter will return the - * attestation certificate. If the signing of the attestation certificate is from a - * factory key, additional certificates back to the root attestation certificate will - * also be provided. Clients will need to check root certificate against a known-good - * value. The certificates must be DER-encoded. Caller needs to provide - * CREATION_DATETIME as one of the attestation parameters, otherwise the attestation - * certificate will not contain the creation datetime. The first certificate in the - * vector is the attestation for the generated key itself, the next certificate is - * the key that signs the first certificate, and so forth. The last certificate in - * the chain is the root certificate. If the key is a symmetric key, then no - * certificate will be returned and this variable will return empty. TODO: change - * certificate return to a single certificate and make it nullable b/163604282. + * @return The result of key creation. See KeyCreationResult.aidl. */ - void generateKey(in KeyParameter[] keyParams, out ByteArray generatedKeyBlob, - out KeyCharacteristics generatedKeyCharacteristics, - out Certificate[] outCertChain); + KeyCreationResult generateKey(in KeyParameter[] keyParams); /** * Imports key material into an IKeyMintDevice. Key definition parameters and return values @@ -396,29 +373,10 @@ interface IKeyMintDevice { * * @param inKeyData The key material to import, in the format specified in keyFormat. * - * @return outImportedKeyBlob descriptor of the imported key. The format of the keyblob will - * be the google specified keyblob format. - * - * @return outImportedKeyCharacteristics Description of the generated key. See the - * keyCharacteristics description in generateKey. - * - * @return outCertChain If the key is an asymmetric key, and proper keyparameters for - * attestation (such as challenge) is provided, then this parameter will return the - * attestation certificate. If the signing of the attestation certificate is from a - * factory key, additional certificates back to the root attestation certificate will - * also be provided. Clients will need to check root certificate against a known-good - * value. The certificates must be DER-encoded. Caller needs to provide - * CREATION_DATETIME as one of the attestation parameters, otherwise the attestation - * certificate will not contain the creation datetime. The first certificate in the - * vector is the attestation for the generated key itself, the next certificate is - * the key that signs the first certificate, and so forth. The last certificate in - * the chain is the root certificate. If the key is a symmetric key, then no - * certificate will be returned and this variable will return empty. + * @return The result of key creation. See KeyCreationResult.aidl. */ - void importKey(in KeyParameter[] inKeyParams, in KeyFormat inKeyFormat, - in byte[] inKeyData, out ByteArray outImportedKeyBlob, - out KeyCharacteristics outImportedKeyCharacteristics, - out Certificate[] outCertChain); + KeyCreationResult importKey(in KeyParameter[] keyParams, in KeyFormat keyFormat, + in byte[] keyData); /** * Securely imports a key, or key pair, returning a key blob and a description of the imported @@ -474,45 +432,38 @@ interface IKeyMintDevice { * 5. Perform the equivalent of calling importKey(keyParams, keyFormat, keyData), except * that the origin tag should be set to SECURELY_IMPORTED. * - * @param inWrappingKeyBlob The opaque key descriptor returned by generateKey() or importKey(). + * @param wrappingKeyBlob The opaque key descriptor returned by generateKey() or importKey(). * This key must have been created with Purpose::WRAP_KEY. * - * @param inMaskingKey The 32-byte value XOR'd with the transport key in the SecureWrappedKey + * @param maskingKey The 32-byte value XOR'd with the transport key in the SecureWrappedKey * structure. * - * @param inUnwrappingParams must contain any parameters needed to perform the unwrapping - * operation. For example, if the wrapping key is an AES key the block and padding - * modes must be specified in this argument. + * @param unwrappingParams must contain any parameters needed to perform the unwrapping + * operation. For example, if the wrapping key is an AES key the block and padding modes + * must be specified in this argument. * - * @param inPasswordSid specifies the password secure ID (SID) of the user that owns the key - * being installed. If the authorization list in wrappedKeyData contains a - * Tag::USER_SECURE_IDwith a value that has the HardwareAuthenticatorType::PASSWORD - * bit set, the constructed key must be bound to the SID value provided by this - * argument. If the wrappedKeyData does not contain such a tag and value, this argument - * must be ignored. + * @param passwordSid specifies the password secure ID (SID) of the user that owns the key being + * installed. If the authorization list in wrappedKeyData contains a + * Tag::USER_SECURE_IDwith a value that has the HardwareAuthenticatorType::PASSWORD bit + * set, the constructed key must be bound to the SID value provided by this argument. If + * the wrappedKeyData does not contain such a tag and value, this argument must be + * ignored. * - * @param inBiometricSid specifies the biometric secure ID (SID) of the user that owns the key + * @param biometricSid specifies the biometric secure ID (SID) of the user that owns the key * being installed. If the authorization list in wrappedKeyData contains a * Tag::USER_SECURE_ID with a value that has the HardwareAuthenticatorType::FINGERPRINT * bit set, the constructed key must be bound to the SID value provided by this argument. * If the wrappedKeyData does not contain such a tag and value, this argument must be * ignored. * - * @return outImportedKeyBlob Opaque descriptor of the imported key. It is recommended that - * the keyBlob contain a copy of the key material, wrapped in a key unavailable outside - * secure hardware. - * - * @return outImportedKeyCharacteristics Description of the generated key. See the description - * of keyCharacteristics parameter in generateKey. + * @return The result of key creation. See KeyCreationResult.aidl. */ - void importWrappedKey(in byte[] inWrappedKeyData, - in byte[] inWrappingKeyBlob, - in byte[] inMaskingKey, - in KeyParameter[] inUnwrappingParams, - in long inPasswordSid, - in long inBiometricSid, - out ByteArray outImportedKeyBlob, - out KeyCharacteristics outImportedKeyCharacteristics); + KeyCreationResult importWrappedKey(in byte[] wrappedKeyData, + in byte[] wrappingKeyBlob, + in byte[] maskingKey, + in KeyParameter[] unwrappingParams, + in long passwordSid, + in long biometricSid); /** * Upgrades an old key blob. Keys can become "old" in two ways: IKeyMintDevice can be diff --git a/security/keymint/aidl/android/hardware/security/keymint/KeyCharacteristics.aidl b/security/keymint/aidl/android/hardware/security/keymint/KeyCharacteristics.aidl index 0801868825..edd4d8f841 100644 --- a/security/keymint/aidl/android/hardware/security/keymint/KeyCharacteristics.aidl +++ b/security/keymint/aidl/android/hardware/security/keymint/KeyCharacteristics.aidl @@ -17,25 +17,20 @@ package android.hardware.security.keymint; import android.hardware.security.keymint.KeyParameter; +import android.hardware.security.keymint.SecurityLevel; /** - * KeyCharacteristics defines the attributes of a key, including cryptographic parameters, and usage - * restrictions. It consits of two vectors of KeyParameters, one for "softwareEnforced" attributes - * and one for "hardwareEnforced" attributes. + * KeyCharacteristics defines the attributes of a key that are enforced by KeyMint, and the security + * level (see SecurityLevel.aidl) of that enforcement. * - * KeyCharacteristics objects are returned by generateKey, importKey, importWrappedKey and - * getKeyCharacteristics. The IKeyMintDevice secure environment is responsible for allocating the - * parameters, all of which are Tags with associated values, to the correct vector. The - * hardwareEnforced vector must contain only those attributes which are enforced by secure hardware. - * All others should be in the softwareEnforced vector. See the definitions of individual Tag enums - * for specification of which must be hardware-enforced, which may be software-enforced and which - * must never appear in KeyCharacteristics. + * The `generateKey` `importKey` and `importWrappedKey` methods each return an array of + * KeyCharacteristics, specifying the security levels of enforcement and the authorizations + * enforced. Note that enforcement at a given security level means that the semantics of the tag + * and value are fully enforced. See the definition of individual tags for specifications of what + * must be enforced. */ @VintfStability parcelable KeyCharacteristics { - /* TODO(seleneh) get rid of the software enforced in keymint. replace hardware enforced with - * tee enforced and strongbox enforced. - */ - KeyParameter[] softwareEnforced; - KeyParameter[] hardwareEnforced; + SecurityLevel securityLevel; + KeyParameter[] authorizations; } diff --git a/security/keymint/aidl/android/hardware/security/keymint/KeyCreationResult.aidl b/security/keymint/aidl/android/hardware/security/keymint/KeyCreationResult.aidl new file mode 100644 index 0000000000..b149ac9975 --- /dev/null +++ b/security/keymint/aidl/android/hardware/security/keymint/KeyCreationResult.aidl @@ -0,0 +1,62 @@ +/* + * Copyright (C) 2021 The Android Open Source Project + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package android.hardware.security.keymint; + +import android.hardware.security.keymint.Certificate; +import android.hardware.security.keymint.KeyCharacteristics; + +/** + * This structure is returned when a new key is created with generateKey(), importKey() or + * importWrappedKey(). + */ +@VintfStability +parcelable KeyCreationResult { + /** + * `keyBlob` is an descriptor of the generated/imported key key. + */ + byte[] keyBlob; + + /** + * `keyCharacteristics` is a description of the generated key in the form of authorization lists + * associated with security levels. The rules that IKeyMintDevice implementations must use for + * deciding whether a given tag from `keyParams` argument to the generation/import method should + * be returned in `keyCharacteristics` are: + * + * - If the IKeyMintDevice cannot fully enforce the semantics of the tag, it should be omitted. + * - If the semantics of the tag are fully enforced by the IKeyMintDevice, without any + * assistance from components running at other security levels, it should be included in an + * entry with the SecurityLevel of the IKeyMintDevice. + * - If the semantics of the tag are fully enforced, but with the assistance of components + * running at another SecurityLevel, it should be included in an entry with the minimum + * SecurityLevel of the involved components. For example if a StrongBox IKeyMintDevice relies + * on a TEE to validate biometric authentication, biometric authentication tags go in an entry + * with SecurityLevel::TRUSTED_ENVIRONMENT. + */ + KeyCharacteristics[] keyCharacteristics; + + /** + * If the generated/imported key is an asymmetric key, `certificateChain` will contain a chain + * of one or more certificates. If the key parameters provided to the generate/import method + * contains Tag::ATTESTATION_CHALLENGE the first certificate will contain an attestation + * extension, and will be signed by a factory-installed attestation key and followed by a chain + * of certificates leading to an authoritative root. If there is no attestation challenge, only + * one certificate will be returned, and it will be self-signed or contain a fake signature, + * depending on whether the key has KeyPurpose::SIGN. If the generated key is symmetric, + * certificateChain will be empty. + */ + Certificate[] certificateChain; +} diff --git a/security/keymint/aidl/android/hardware/security/keymint/Tag.aidl b/security/keymint/aidl/android/hardware/security/keymint/Tag.aidl index 9f41b4e957..f92bf008ed 100644 --- a/security/keymint/aidl/android/hardware/security/keymint/Tag.aidl +++ b/security/keymint/aidl/android/hardware/security/keymint/Tag.aidl @@ -512,10 +512,10 @@ enum Tag { /** * Tag::APPLICATION_DATA. When provided to generateKey or importKey, this tag specifies data - * that is necessary during all uses of the key. In particular, calls to exportKey() and - * getKeyCharacteristics() must provide the same value to the appData parameter, and calls to - * begin must provide this tag and the same associated data as part of the inParams set. If - * the correct data is not provided, the method must return ErrorCode::INVALID_KEY_BLOB. + * that is necessary during all uses of the key. In particular, calls to begin() and + * exportKey() must provide the same value to the appData parameter, and calls to begin must + * provide this tag and the same associated data as part of the inParams set. If the correct + * data is not provided, the method must return ErrorCode::INVALID_KEY_BLOB. * * The content of this tag msut be bound to the key cryptographically, meaning it must not be * possible for an adversary who has access to all of the secure world secrets but does not have diff --git a/security/keymint/aidl/vts/functional/KeyMintAidlTestBase.cpp b/security/keymint/aidl/vts/functional/KeyMintAidlTestBase.cpp index 94bc199ca7..93a216f27e 100644 --- a/security/keymint/aidl/vts/functional/KeyMintAidlTestBase.cpp +++ b/security/keymint/aidl/vts/functional/KeyMintAidlTestBase.cpp @@ -17,6 +17,7 @@ #include "KeyMintAidlTestBase.h" #include +#include #include #include @@ -43,6 +44,34 @@ using std::optional; namespace test { +namespace { + +// Predicate for testing basic characteristics validity in generation or import. +bool KeyCharacteristicsBasicallyValid(SecurityLevel secLevel, + const vector& key_characteristics) { + if (key_characteristics.empty()) return false; + + std::unordered_set levels_seen; + for (auto& entry : key_characteristics) { + if (entry.authorizations.empty()) return false; + + if (levels_seen.find(entry.securityLevel) != levels_seen.end()) return false; + levels_seen.insert(entry.securityLevel); + + // Generally, we should only have one entry, at the same security level as the KM + // instance. There is an exception: StrongBox KM can have some authorizations that are + // enforced by the TEE. + bool isExpectedSecurityLevel = secLevel == entry.securityLevel || + (secLevel == SecurityLevel::STRONGBOX && + entry.securityLevel == SecurityLevel::TRUSTED_ENVIRONMENT); + + if (!isExpectedSecurityLevel) return false; + } + return true; +} + +} // namespace + ErrorCode KeyMintAidlTestBase::GetReturnErrorCode(const Status& result) { if (result.isOk()) return ErrorCode::OK; @@ -78,35 +107,30 @@ void KeyMintAidlTestBase::SetUp() { } ErrorCode KeyMintAidlTestBase::GenerateKey(const AuthorizationSet& key_desc, - vector* keyBlob, KeyCharacteristics* keyChar) { - EXPECT_NE(keyBlob, nullptr) << "Key blob pointer must not be null. Test bug"; - EXPECT_NE(keyChar, nullptr) + vector* key_blob, + vector* key_characteristics) { + EXPECT_NE(key_blob, nullptr) << "Key blob pointer must not be null. Test bug"; + EXPECT_NE(key_characteristics, nullptr) << "Previous characteristics not deleted before generating key. Test bug."; // Aidl does not clear these output parameters if the function returns // error. This is different from hal where output parameter is always // cleared due to hal returning void. So now we need to do our own clearing // of the output variables prior to calling keyMint aidl libraries. - keyBlob->clear(); - keyChar->softwareEnforced.clear(); - keyChar->hardwareEnforced.clear(); - certChain_.clear(); + key_blob->clear(); + key_characteristics->clear(); + cert_chain_.clear(); - Status result; - ByteArray blob; + KeyCreationResult creationResult; + Status result = keymint_->generateKey(key_desc.vector_data(), &creationResult); - result = keymint_->generateKey(key_desc.vector_data(), &blob, keyChar, &certChain_); - - // On result, blob & characteristics should be empty. if (result.isOk()) { - if (SecLevel() != SecurityLevel::SOFTWARE) { - EXPECT_GT(keyChar->hardwareEnforced.size(), 0); - } - EXPECT_GT(keyChar->softwareEnforced.size(), 0); - // TODO(seleneh) in a later version where we return @nullable - // single Certificate, check non-null single certificate is always - // non-empty. - *keyBlob = blob.data; + EXPECT_PRED2(KeyCharacteristicsBasicallyValid, SecLevel(), + creationResult.keyCharacteristics); + EXPECT_GT(creationResult.keyBlob.size(), 0); + *key_blob = std::move(creationResult.keyBlob); + *key_characteristics = std::move(creationResult.keyCharacteristics); + cert_chain_ = std::move(creationResult.certificateChain); } return GetReturnErrorCode(result); @@ -118,25 +142,26 @@ ErrorCode KeyMintAidlTestBase::GenerateKey(const AuthorizationSet& key_desc) { ErrorCode KeyMintAidlTestBase::ImportKey(const AuthorizationSet& key_desc, KeyFormat format, const string& key_material, vector* key_blob, - KeyCharacteristics* key_characteristics) { + vector* key_characteristics) { Status result; - certChain_.clear(); - key_characteristics->softwareEnforced.clear(); - key_characteristics->hardwareEnforced.clear(); + cert_chain_.clear(); + key_characteristics->clear(); key_blob->clear(); - ByteArray blob; + KeyCreationResult creationResult; result = keymint_->importKey(key_desc.vector_data(), format, - vector(key_material.begin(), key_material.end()), &blob, - key_characteristics, &certChain_); + vector(key_material.begin(), key_material.end()), + &creationResult); if (result.isOk()) { - if (SecLevel() != SecurityLevel::SOFTWARE) { - EXPECT_GT(key_characteristics->hardwareEnforced.size(), 0); - } - EXPECT_GT(key_characteristics->softwareEnforced.size(), 0); - *key_blob = blob.data; + EXPECT_PRED2(KeyCharacteristicsBasicallyValid, SecLevel(), + creationResult.keyCharacteristics); + EXPECT_GT(creationResult.keyBlob.size(), 0); + + *key_blob = std::move(creationResult.keyBlob); + *key_characteristics = std::move(creationResult.keyCharacteristics); + cert_chain_ = std::move(creationResult.certificateChain); } return GetReturnErrorCode(result); @@ -151,25 +176,25 @@ ErrorCode KeyMintAidlTestBase::ImportWrappedKey(string wrapped_key, string wrapp const AuthorizationSet& wrapping_key_desc, string masking_key, const AuthorizationSet& unwrapping_params) { - Status result; EXPECT_EQ(ErrorCode::OK, ImportKey(wrapping_key_desc, KeyFormat::PKCS8, wrapping_key)); - ByteArray outBlob; - key_characteristics_.softwareEnforced.clear(); - key_characteristics_.hardwareEnforced.clear(); + key_characteristics_.clear(); - result = keymint_->importWrappedKey(vector(wrapped_key.begin(), wrapped_key.end()), - key_blob_, - vector(masking_key.begin(), masking_key.end()), - unwrapping_params.vector_data(), 0 /* passwordSid */, - 0 /* biometricSid */, &outBlob, &key_characteristics_); + KeyCreationResult creationResult; + Status result = keymint_->importWrappedKey( + vector(wrapped_key.begin(), wrapped_key.end()), key_blob_, + vector(masking_key.begin(), masking_key.end()), + unwrapping_params.vector_data(), 0 /* passwordSid */, 0 /* biometricSid */, + &creationResult); if (result.isOk()) { - key_blob_ = outBlob.data; - if (SecLevel() != SecurityLevel::SOFTWARE) { - EXPECT_GT(key_characteristics_.hardwareEnforced.size(), 0); - } - EXPECT_GT(key_characteristics_.softwareEnforced.size(), 0); + EXPECT_PRED2(KeyCharacteristicsBasicallyValid, SecLevel(), + creationResult.keyCharacteristics); + EXPECT_GT(creationResult.keyBlob.size(), 0); + + key_blob_ = std::move(creationResult.keyBlob); + key_characteristics_ = std::move(creationResult.keyCharacteristics); + cert_chain_ = std::move(creationResult.certificateChain); } return GetReturnErrorCode(result); @@ -754,6 +779,15 @@ vector KeyMintAidlTestBase::ValidDigests(bool withNone, bool withMD5) { return {}; } +static const vector kEmptyAuthList{}; + +const vector& KeyMintAidlTestBase::SecLevelAuthorizations( + const vector& key_characteristics) { + auto found = std::find_if(key_characteristics.begin(), key_characteristics.end(), + [this](auto& entry) { return entry.securityLevel == SecLevel(); }); + return (found == key_characteristics.end()) ? kEmptyAuthList : found->authorizations; +} + } // namespace test } // namespace aidl::android::hardware::security::keymint diff --git a/security/keymint/aidl/vts/functional/KeyMintAidlTestBase.h b/security/keymint/aidl/vts/functional/KeyMintAidlTestBase.h index f73c26d9e1..f36c3971f8 100644 --- a/security/keymint/aidl/vts/functional/KeyMintAidlTestBase.h +++ b/security/keymint/aidl/vts/functional/KeyMintAidlTestBase.h @@ -56,13 +56,13 @@ class KeyMintAidlTestBase : public ::testing::TestWithParam { ErrorCode GetReturnErrorCode(const Status& result); ErrorCode GenerateKey(const AuthorizationSet& key_desc, vector* key_blob, - KeyCharacteristics* key_characteristics); + vector* key_characteristics); ErrorCode GenerateKey(const AuthorizationSet& key_desc); ErrorCode ImportKey(const AuthorizationSet& key_desc, KeyFormat format, const string& key_material, vector* key_blob, - KeyCharacteristics* key_characteristics); + vector* key_characteristics); ErrorCode ImportKey(const AuthorizationSet& key_desc, KeyFormat format, const string& key_material); @@ -147,8 +147,8 @@ class KeyMintAidlTestBase : public ::testing::TestWithParam { std::pair> UpgradeKey(const vector& key_blob); - bool IsSecure() { return securityLevel_ != SecurityLevel::SOFTWARE; } - SecurityLevel SecLevel() { return securityLevel_; } + bool IsSecure() const { return securityLevel_ != SecurityLevel::SOFTWARE; } + SecurityLevel SecLevel() const { return securityLevel_; } vector ValidKeySizes(Algorithm algorithm); vector InvalidKeySizes(Algorithm algorithm); @@ -164,9 +164,15 @@ class KeyMintAidlTestBase : public ::testing::TestWithParam { } std::shared_ptr op_; - vector certChain_; + vector cert_chain_; vector key_blob_; - KeyCharacteristics key_characteristics_; + vector key_characteristics_; + + const vector& SecLevelAuthorizations( + const vector& key_characteristics); + inline const vector& SecLevelAuthorizations() { + return SecLevelAuthorizations(key_characteristics_); + } private: std::shared_ptr keymint_; diff --git a/security/keymint/aidl/vts/functional/KeyMintTest.cpp b/security/keymint/aidl/vts/functional/KeyMintTest.cpp index eeb74915dc..bd36b8ef25 100644 --- a/security/keymint/aidl/vts/functional/KeyMintTest.cpp +++ b/security/keymint/aidl/vts/functional/KeyMintTest.cpp @@ -56,18 +56,16 @@ using namespace aidl::android::hardware::security::keymint; template <> struct std::equal_to { bool operator()(const KeyCharacteristics& a, const KeyCharacteristics& b) const { - // This isn't very efficient. Oh, well. - AuthorizationSet a_sw(a.softwareEnforced); - AuthorizationSet b_sw(b.softwareEnforced); - AuthorizationSet a_tee(b.hardwareEnforced); - AuthorizationSet b_tee(b.hardwareEnforced); + if (a.securityLevel != b.securityLevel) return false; - a_sw.Sort(); - b_sw.Sort(); - a_tee.Sort(); - b_tee.Sort(); + // this isn't very efficient. Oh, well. + AuthorizationSet a_auths(a.authorizations); + AuthorizationSet b_auths(b.authorizations); - return ((a_sw == b_sw) && (a_tee == b_tee)); + a_auths.Sort(); + b_auths.Sort(); + + return a_auths == b_auths; } }; @@ -229,19 +227,20 @@ class AidlBuf : public vector { class NewKeyGenerationTest : public KeyMintAidlTestBase { protected: - void CheckBaseParams(const KeyCharacteristics& keyCharacteristics) { + void CheckBaseParams(const vector& keyCharacteristics) { // TODO(swillden): Distinguish which params should be in which auth list. - AuthorizationSet auths(keyCharacteristics.hardwareEnforced); - auths.push_back(AuthorizationSet(keyCharacteristics.softwareEnforced)); + AuthorizationSet auths; + for (auto& entry : keyCharacteristics) { + auths.push_back(AuthorizationSet(entry.authorizations)); + } EXPECT_TRUE(auths.Contains(TAG_ORIGIN, KeyOrigin::GENERATED)); EXPECT_TRUE(auths.Contains(TAG_PURPOSE, KeyPurpose::SIGN)); EXPECT_TRUE(auths.Contains(TAG_PURPOSE, KeyPurpose::VERIFY)); - // Verify that App ID, App data and ROT are NOT included. + // Verify that App data and ROT are NOT included. EXPECT_FALSE(auths.Contains(TAG_ROOT_OF_TRUST)); - EXPECT_FALSE(auths.Contains(TAG_APPLICATION_ID)); EXPECT_FALSE(auths.Contains(TAG_APPLICATION_DATA)); // Check that some unexpected tags/values are NOT present. @@ -249,15 +248,13 @@ class NewKeyGenerationTest : public KeyMintAidlTestBase { EXPECT_FALSE(auths.Contains(TAG_PURPOSE, KeyPurpose::DECRYPT)); EXPECT_FALSE(auths.Contains(TAG_AUTH_TIMEOUT, 301U)); - // Now check that unspecified, defaulted tags are correct. - EXPECT_TRUE(auths.Contains(TAG_CREATION_DATETIME)); + auto os_ver = auths.GetTagValue(TAG_OS_VERSION); + ASSERT_TRUE(os_ver); + EXPECT_EQ(*os_ver, os_version()); - EXPECT_TRUE(auths.Contains(TAG_OS_VERSION, os_version())) - << "OS version is " << os_version() << " key reported " - << auths.GetTagValue(TAG_OS_VERSION)->get(); - EXPECT_TRUE(auths.Contains(TAG_OS_PATCHLEVEL, os_patch_level())) - << "OS patch level is " << os_patch_level() << " key reported " - << auths.GetTagValue(TAG_OS_PATCHLEVEL)->get(); + auto os_pl = auths.GetTagValue(TAG_OS_PATCHLEVEL); + ASSERT_TRUE(os_pl); + EXPECT_EQ(*os_pl, os_patch_level()); } }; @@ -270,7 +267,7 @@ class NewKeyGenerationTest : public KeyMintAidlTestBase { TEST_P(NewKeyGenerationTest, Rsa) { for (auto key_size : ValidKeySizes(Algorithm::RSA)) { vector key_blob; - KeyCharacteristics key_characteristics; + vector key_characteristics; ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder() .RsaSigningKey(key_size, 65537) .Digest(Digest::NONE) @@ -280,12 +277,7 @@ TEST_P(NewKeyGenerationTest, Rsa) { ASSERT_GT(key_blob.size(), 0U); CheckBaseParams(key_characteristics); - AuthorizationSet crypto_params; - if (IsSecure()) { - crypto_params = key_characteristics.hardwareEnforced; - } else { - crypto_params = key_characteristics.softwareEnforced; - } + AuthorizationSet crypto_params = SecLevelAuthorizations(key_characteristics); EXPECT_TRUE(crypto_params.Contains(TAG_ALGORITHM, Algorithm::RSA)); EXPECT_TRUE(crypto_params.Contains(TAG_KEY_SIZE, key_size)) @@ -304,7 +296,7 @@ TEST_P(NewKeyGenerationTest, Rsa) { TEST_P(NewKeyGenerationTest, NoInvalidRsaSizes) { for (auto key_size : InvalidKeySizes(Algorithm::RSA)) { vector key_blob; - KeyCharacteristics key_characteristics; + vector key_characteristics; ASSERT_EQ(ErrorCode::UNSUPPORTED_KEY_SIZE, GenerateKey(AuthorizationSetBuilder() .RsaSigningKey(key_size, 65537) @@ -337,7 +329,7 @@ TEST_P(NewKeyGenerationTest, RsaNoDefaultSize) { TEST_P(NewKeyGenerationTest, Ecdsa) { for (auto key_size : ValidKeySizes(Algorithm::EC)) { vector key_blob; - KeyCharacteristics key_characteristics; + vector key_characteristics; ASSERT_EQ(ErrorCode::OK, GenerateKey( AuthorizationSetBuilder().EcdsaSigningKey(key_size).Digest(Digest::NONE), @@ -345,12 +337,7 @@ TEST_P(NewKeyGenerationTest, Ecdsa) { ASSERT_GT(key_blob.size(), 0U); CheckBaseParams(key_characteristics); - AuthorizationSet crypto_params; - if (IsSecure()) { - crypto_params = key_characteristics.hardwareEnforced; - } else { - crypto_params = key_characteristics.softwareEnforced; - } + AuthorizationSet crypto_params = SecLevelAuthorizations(key_characteristics); EXPECT_TRUE(crypto_params.Contains(TAG_ALGORITHM, Algorithm::EC)); EXPECT_TRUE(crypto_params.Contains(TAG_KEY_SIZE, key_size)) @@ -383,7 +370,7 @@ TEST_P(NewKeyGenerationTest, EcdsaDefaultSize) { TEST_P(NewKeyGenerationTest, EcdsaInvalidSize) { for (auto key_size : InvalidKeySizes(Algorithm::EC)) { vector key_blob; - KeyCharacteristics key_characteristics; + vector key_characteristics; ASSERT_EQ(ErrorCode::UNSUPPORTED_KEY_SIZE, GenerateKey( AuthorizationSetBuilder().EcdsaSigningKey(key_size).Digest(Digest::NONE), @@ -454,7 +441,7 @@ TEST_P(NewKeyGenerationTest, EcdsaAllValidCurves) { TEST_P(NewKeyGenerationTest, Hmac) { for (auto digest : ValidDigests(false /* withNone */, true /* withMD5 */)) { vector key_blob; - KeyCharacteristics key_characteristics; + vector key_characteristics; constexpr size_t key_size = 128; ASSERT_EQ(ErrorCode::OK, GenerateKey( @@ -465,17 +452,10 @@ TEST_P(NewKeyGenerationTest, Hmac) { ASSERT_GT(key_blob.size(), 0U); CheckBaseParams(key_characteristics); - AuthorizationSet hardwareEnforced = key_characteristics.hardwareEnforced; - AuthorizationSet softwareEnforced = key_characteristics.softwareEnforced; - if (IsSecure()) { - EXPECT_TRUE(hardwareEnforced.Contains(TAG_ALGORITHM, Algorithm::HMAC)); - EXPECT_TRUE(hardwareEnforced.Contains(TAG_KEY_SIZE, key_size)) - << "Key size " << key_size << "missing"; - } else { - EXPECT_TRUE(softwareEnforced.Contains(TAG_ALGORITHM, Algorithm::HMAC)); - EXPECT_TRUE(softwareEnforced.Contains(TAG_KEY_SIZE, key_size)) - << "Key size " << key_size << "missing"; - } + AuthorizationSet crypto_params = SecLevelAuthorizations(key_characteristics); + EXPECT_TRUE(crypto_params.Contains(TAG_ALGORITHM, Algorithm::HMAC)); + EXPECT_TRUE(crypto_params.Contains(TAG_KEY_SIZE, key_size)) + << "Key size " << key_size << "missing"; CheckedDeleteKey(&key_blob); } @@ -600,7 +580,7 @@ TEST_P(SigningOperationsTest, RsaSuccess) { /* * SigningOperationsTest.RsaUseRequiresCorrectAppIdAppData * - * Verifies that using an RSA key requires the correct app ID/data. + * Verifies that using an RSA key requires the correct app data. */ TEST_P(SigningOperationsTest, RsaUseRequiresCorrectAppIdAppData) { ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder() @@ -1412,7 +1392,7 @@ TEST_P(VerificationOperationsTest, HmacSigningKeyCannotVerify) { string key_material = "HelloThisIsAKey"; vector signing_key, verification_key; - KeyCharacteristics signing_key_chars, verification_key_chars; + vector signing_key_chars, verification_key_chars; EXPECT_EQ(ErrorCode::OK, ImportKey(AuthorizationSetBuilder() .Authorization(TAG_NO_AUTH_REQUIRED) @@ -1466,28 +1446,22 @@ class ImportKeyTest : public KeyMintAidlTestBase { template void CheckCryptoParam(TypedTag ttag, ValueT expected) { SCOPED_TRACE("CheckCryptoParam"); - if (IsSecure()) { - EXPECT_TRUE(contains(key_characteristics_.hardwareEnforced, ttag, expected)) - << "Tag " << tag << " with value " << expected << " not found"; - EXPECT_FALSE(contains(key_characteristics_.softwareEnforced, ttag)) - << "Tag " << tag << " found"; - } else { - EXPECT_TRUE(contains(key_characteristics_.softwareEnforced, ttag, expected)) - << "Tag " << tag << " with value " << expected << " not found"; - EXPECT_FALSE(contains(key_characteristics_.hardwareEnforced, ttag)) - << "Tag " << tag << " found"; + for (auto& entry : key_characteristics_) { + if (entry.securityLevel == SecLevel()) { + EXPECT_TRUE(contains(entry.authorizations, ttag, expected)) + << "Tag " << tag << " with value " << expected + << " not found at security level" << entry.securityLevel; + } else { + EXPECT_FALSE(contains(entry.authorizations, ttag, expected)) + << "Tag " << tag << " found at security level " << entry.securityLevel; + } } } void CheckOrigin() { SCOPED_TRACE("CheckOrigin"); - if (IsSecure()) { - EXPECT_TRUE(contains(key_characteristics_.hardwareEnforced, TAG_ORIGIN, - KeyOrigin::IMPORTED)); - } else { - EXPECT_TRUE(contains(key_characteristics_.softwareEnforced, TAG_ORIGIN, - KeyOrigin::IMPORTED)); - } + // Origin isn't a crypto param, but it always lives with them. + return CheckCryptoParam(TAG_ORIGIN, KeyOrigin::IMPORTED); } }; @@ -3950,7 +3924,7 @@ TEST_P(KeyDeletionTest, DeleteKey) { // Delete must work if rollback protection is implemented if (error == ErrorCode::OK) { - AuthorizationSet hardwareEnforced(key_characteristics_.hardwareEnforced); + AuthorizationSet hardwareEnforced(SecLevelAuthorizations()); ASSERT_TRUE(hardwareEnforced.Contains(TAG_ROLLBACK_RESISTANCE)); ASSERT_EQ(ErrorCode::OK, DeleteKey(true /* keep key blob */)); @@ -3983,8 +3957,8 @@ TEST_P(KeyDeletionTest, DeleteInvalidKey) { // Delete must work if rollback protection is implemented if (error == ErrorCode::OK) { - AuthorizationSet hardwareEnforced(key_characteristics_.hardwareEnforced); - ASSERT_TRUE(hardwareEnforced.Contains(TAG_ROLLBACK_RESISTANCE)); + AuthorizationSet enforced(SecLevelAuthorizations()); + ASSERT_TRUE(enforced.Contains(TAG_ROLLBACK_RESISTANCE)); // Delete the key we don't care about the result at this point. DeleteKey(); @@ -4019,7 +3993,7 @@ TEST_P(KeyDeletionTest, DeleteAllKeys) { // Delete must work if rollback protection is implemented if (error == ErrorCode::OK) { - AuthorizationSet hardwareEnforced(key_characteristics_.hardwareEnforced); + AuthorizationSet hardwareEnforced(SecLevelAuthorizations()); ASSERT_TRUE(hardwareEnforced.Contains(TAG_ROLLBACK_RESISTANCE)); ASSERT_EQ(ErrorCode::OK, DeleteAllKeys()); diff --git a/security/keymint/support/include/keymint_support/key_param_output.h b/security/keymint/support/include/keymint_support/key_param_output.h index 5f004fe529..c2b0029cae 100644 --- a/security/keymint/support/include/keymint_support/key_param_output.h +++ b/security/keymint/support/include/keymint_support/key_param_output.h @@ -84,8 +84,10 @@ template ::std::ostream& operator<<(::std::ostream& os, const KeyParameter& param); inline ::std::ostream& operator<<(::std::ostream& os, const KeyCharacteristics& value) { - return os << "SW: " << value.softwareEnforced << ::std::endl - << "HW: " << value.hardwareEnforced << ::std::endl; + for (auto& entry : value.authorizations) { + os << value.securityLevel << ": " << entry; + } + return os; } inline ::std::ostream& operator<<(::std::ostream& os, KeyPurpose value) {