Add moduleHash to attestation cert documentation

Bug: 369375199
Test: n/a
Change-Id: I28457dbe661dacfe22dfc97d1c1c9c21068af656
Karuna Wadhera
2024-11-12 20:45:01 +00:00
parent 3ba252f1a2
commit eb69354d0e


@@ -125,9 +125,9 @@ parcelable KeyCreationResult {
* straightforward translation of the KeyMint tag/value parameter lists to ASN.1.
*
* KeyDescription ::= SEQUENCE {
* attestationVersion INTEGER, # Value 300
* attestationVersion INTEGER, # Value 400
* attestationSecurityLevel SecurityLevel, # See below
* keyMintVersion INTEGER, # Value 300
* keyMintVersion INTEGER, # Value 400
* keymintSecurityLevel SecurityLevel, # See below
* attestationChallenge OCTET_STRING, # Tag::ATTESTATION_CHALLENGE from attestParams
* uniqueId OCTET_STRING, # Empty unless key has Tag::INCLUDE_UNIQUE_ID
@@ -158,6 +158,17 @@ parcelable KeyCreationResult {
* Failed (3),
* }
*
* # Modules contains version info about APEX modules that have been updated after the last OTA.
* # Note that the Modules information is DER-encoded before being hashed, which requires a
* # specific ordering (lexicographic by encoded value) for the constituent Module entries. This
* # ensures that the ordering of Module entries is predictable and that the resulting SHA-256
* # hash value is identical for the same set of modules.
* Modules ::= SET OF Module
* Module ::= SEQUENCE {
* packageName OCTET_STRING,
* version INTEGER, # As determined at boot time
* }
*
* -- Note that the AuthorizationList SEQUENCE is also used in IKeyMintDevice::importWrappedKey
* -- as a way of describing the authorizations associated with a key that is being securely
* -- imported. As such, it includes the ability to describe tags that are only relevant for
@@ -210,6 +221,7 @@ parcelable KeyCreationResult {
* bootPatchLevel [719] EXPLICIT INTEGER OPTIONAL,
* deviceUniqueAttestation [720] EXPLICIT NULL OPTIONAL,
* attestationIdSecondImei [723] EXPLICIT OCTET_STRING OPTIONAL,
* moduleHash [724] EXPLICIT OCTET_STRING OPTIONAL, -- SHA-256 hash of DER-encoded `Modules`
* }
*/
Certificate[] certificateChain;
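Review bot: The `moduleHash [724]` line and the new `Modules` comment say how the hash is computed, but not what a verifier should conclude when the OPTIONAL field is absent, nor where a relying party gets the `Modules` preimage to compare against. Since the field appears alongside what looks like the bump of `attestationVersion` and `keyMintVersion` to 400, I would add a line to the `Modules` comment such as `# moduleHash may be absent; verifiers must not equate absence with the hash of an empty Modules set` (exact semantics to be confirmed against the implementation). The comment should also pin down the byte encoding of `packageName` (presumably UTF-8) and which version number `version` carries, because any ambiguity there changes the DER bytes and therefore the SHA-256 value. The enclosing doc comment begins outside the hunks shown, so some of this may already be covered earlier in the file.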