AndroidKeyStore: support platform use of rollback-resistant keys

The keystore2 binder API supports rollback resistance when KeyMint
supports it, but until now this wasn't exposed to Java code that uses
AndroidKeyStore. Add support for rollback-resistant keys to
KeyProtection and AndroidKeyStoreSpi.setSecretKeyEntry() so that
LockSettingsService can request it for SP protector keys.

This CL does *not* do any of the following:
- Add any non-hidden APIs. KeyMint implementations only support a
limited number of rollback-resistant keys; currently the available
space is reserved for platform use only. Note that other examples of
"hidden", platform-only key properties are
isCriticalToDeviceEncryption() and getBoundToSpecificSecureUserId().
- Support rollback resistance with keys directly generated by Keystore.
This isn't currently needed. Note that this would require changes to
KeyGenParameterSpec and AndroidKeyStoreKeyGeneratorSpi.
- Allow querying the rollback resistance property of keys. This isn't
currently needed. Note that this would require changes to KeyInfo and
AndroidKeyStoreSecretKeyFactorySpi.

Bug: 239632930
Test: see I05f3b7e5c139471febe5c266a39e3dc3bca4831f
Change-Id: Ifcfd0b8f1bf440ef1ac80a9ac2b0e9c7f62106dd
2 files changed