From eb69354d0e4aad52075aa55c7ef847adba416746 Mon Sep 17 00:00:00 2001
From: Karuna Wadhera
Date: Tue, 12 Nov 2024 20:45:01 +0000
Subject: [PATCH] Add moduleHash to attestation cert documentation

Bug: 369375199
Test: n/a
Change-Id: I28457dbe661dacfe22dfc97d1c1c9c21068af656
---
 .../security/keymint/KeyCreationResult.aidl | 16 ++++++++++++++--
 1 file changed, 14 insertions(+), 2 deletions(-)

diff --git a/security/keymint/aidl/android/hardware/security/keymint/KeyCreationResult.aidl b/security/keymint/aidl/android/hardware/security/keymint/KeyCreationResult.aidl
index da8b513667..6ff66e77d6 100644
--- a/security/keymint/aidl/android/hardware/security/keymint/KeyCreationResult.aidl
+++ b/security/keymint/aidl/android/hardware/security/keymint/KeyCreationResult.aidl
@@ -125,9 +125,9 @@ parcelable KeyCreationResult {
 * straightforward translation of the KeyMint tag/value parameter lists to ASN.1.
 *
 * KeyDescription ::= SEQUENCE {
- * attestationVersion INTEGER, # Value 300
+ * attestationVersion INTEGER, # Value 400
 * attestationSecurityLevel SecurityLevel, # See below
- * keyMintVersion INTEGER, # Value 300
+ * keyMintVersion INTEGER, # Value 400
 * keymintSecurityLevel SecurityLevel, # See below
 * attestationChallenge OCTET_STRING, # Tag::ATTESTATION_CHALLENGE from attestParams
 * uniqueId OCTET_STRING, # Empty unless key has Tag::INCLUDE_UNIQUE_ID
@@ -158,6 +158,17 @@ parcelable KeyCreationResult {
 * Failed (3),
 * }
 *
+ * # Modules contains version info about APEX modules that have been updated after the last OTA.
+ * # Note that the Modules information is DER-encoded before being hashed, which requires a
+ * # specific ordering (lexicographic by encoded value) for the constituent Module entries. This
+ * # ensures that the ordering of Module entries is predictable and that the resulting SHA-256
+ * # hash value is identical for the same set of modules.
+ * Modules ::= SET OF Module
+ * Module ::= SEQUENCE {
+ * packageName OCTET_STRING,
+ * version INTEGER, # As determined at boot time
+ * }
+ *
 * -- Note that the AuthorizationList SEQUENCE is also used in IKeyMintDevice::importWrappedKey
 * -- as a way of describing the authorizations associated with a key that is being securely
 * -- imported. As such, it includes the ability to describe tags that are only relevant for
@@ -210,6 +221,7 @@ parcelable KeyCreationResult {
 * bootPatchLevel [719] EXPLICIT INTEGER OPTIONAL,
 * deviceUniqueAttestation [720] EXPLICIT NULL OPTIONAL,
 * attestationIdSecondImei [723] EXPLICIT OCTET_STRING OPTIONAL,
+ * moduleHash [724] EXPLICIT OCTET_STRING OPTIONAL, -- SHA-256 hash of DER-encoded `Modules`
 * }
 */
 Certificate[] certificateChain;
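Review bot: The new `Module` definition declares `packageName OCTET_STRING` without stating the byte encoding of the name, yet a relying party that recomputes the SHA-256 over the DER-encoded `Modules` must produce exactly the same bytes. I would extend the field comment, for example `packageName OCTET_STRING, # <encoding of the name, to be confirmed by the author>`. The block also describes the list as modules "updated after the last OTA" while `version` is "as determined at boot time"; one sentence saying which component assembles the list and at what point it is fixed would make clear what the hash commits to. The enclosing doc comment starts and ends outside this hunk.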
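Review bot: The added `moduleHash [724]` line documents how the value is computed but not when the field is present or what a verifier should conclude when it is absent. The field is `OPTIONAL` and the same commit raises `attestationVersion` to 400, so a verifier parsing a version-400 certificate has no stated rule for the missing-field case. A follow-up comment line such as `-- Present when <condition>; if absent, <what a verifier should conclude>` would close this. The hash alone does not reveal the module list, so it would also help to say where a relying party obtains the `Modules` value to compare against. The AuthorizationList definition begins outside this hunk.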