Add KeystoreKeyEventReported atom for keystore logging.
This is for migrating keystore logging to using statsd.
Test: Adding tests for logging is yet to be decided.
Change-Id: I858ff1fe46fcdd5acbca0c5b7972632f35377002
Merged-In: I66fbc2b8ed98a34f243387f8550b6523b13cb9a2
diff --git a/cmds/statsd/src/atoms.proto b/cmds/statsd/src/atoms.proto
index c8f2efa..a70db7c 100644
--- a/cmds/statsd/src/atoms.proto
+++ b/cmds/statsd/src/atoms.proto
@@ -365,6 +365,7 @@
NetworkDhcpRenewReported network_dhcp_renew_reported = 291 [(log_from_module) = "network_stack"];
NetworkValidationReported network_validation_reported = 292 [(log_from_module) = "network_stack"];
NetworkStackQuirkReported network_stack_quirk_reported = 293 [(log_from_module) = "network_stack"];
+ KeystoreKeyEventReported keystore_key_event_reported = 302;
NetworkTetheringReported network_tethering_reported = 303 [(log_from_module) = "network_tethering"];
}
@@ -7903,3 +7904,111 @@
// See android.telephony.TelephonyManager.NetworkTypeBitMask.
optional int64 network_type_bitmask = 1;
}
+
+/**
+ * Logs: i) creation of different types of cryptographic keys in the keystore,
+ * ii) operations performed using the keys,
+ * iii) attestation of the keys
+ * Logged from: system/security/keystore/key_event_log_handler.cpp
+ */
+message KeystoreKeyEventReported {
+
+ enum Algorithm {
+ /** Asymmetric algorithms. */
+ RSA = 1;
+ // 2 removed, do not reuse.
+ EC = 3;
+ /** Block cipher algorithms */
+ AES = 32;
+ TRIPLE_DES = 33;
+ /** MAC algorithms */
+ HMAC = 128;
+ };
+ /** Algorithm associated with the key */
+ optional Algorithm algorithm = 1;
+
+ /** Size of the key */
+ optional int32 key_size = 2;
+
+ enum KeyOrigin {
+ /** Generated in keymaster. Should not exist outside the TEE. */
+ GENERATED = 0;
+ /** Derived inside keymaster. Likely exists off-device. */
+ DERIVED = 1;
+ /** Imported into keymaster. Existed as cleartext in Android. */
+ IMPORTED = 2;
+ /** Keymaster did not record origin. */
+ UNKNOWN = 3;
+ /** Securely imported into Keymaster. */
+ SECURELY_IMPORTED = 4;
+ };
+ /* Logs whether the key was generated, imported, securely imported, or derived.*/
+ optional KeyOrigin key_origin = 3;
+
+ enum HardwareAuthenticatorType {
+ NONE = 0;
+ PASSWORD = 1;
+ FINGERPRINT = 2;
+ // Additional entries must be powers of 2.
+ };
+ /**
+ * What auth types does this key require? If none,
+ * then no auth required.
+ */
+ optional HardwareAuthenticatorType user_auth_type = 4;
+
+ /**
+ * If user authentication is required, is the requirement time based? If it
+ * is not time based then this field will not be used and the key is per
+ * operation. Per operation keys must be user authenticated on each usage.
+ */
+ optional int32 user_auth_key_timeout_secs = 5;
+
+ /**
+ * padding mode, digest, block_mode and purpose should ideally be repeated
+ * fields. However, since statsd does not support repeated fields in
+ * pushed atoms, they are represented using bitmaps.
+ */
+
+ /** Track which padding mode is being used.*/
+ optional int32 padding_mode_bitmap = 6;
+
+ /** Track which digest is being used. */
+ optional int32 digest_bitmap = 7;
+
+ /** Track what block mode is being used (for encryption). */
+ optional int32 block_mode_bitmap = 8;
+
+ /** Track what purpose is this key serving. */
+ optional int32 purpose_bitmap = 9;
+
+ enum EcCurve {
+ P_224 = 0;
+ P_256 = 1;
+ P_384 = 2;
+ P_521 = 3;
+ };
+ /** Which ec curve was selected if elliptic curve cryptography is in use **/
+ optional EcCurve ec_curve = 10;
+
+ enum KeyBlobUsageRequirements {
+ STANDALONE = 0;
+ REQUIRES_FILE_SYSTEM = 1;
+ };
+ /** Standalone or is a file system required */
+ optional KeyBlobUsageRequirements key_blob_usage_reqs = 11;
+
+ enum Type {
+ KEY_OPERATION = 0;
+ KEY_CREATION = 1;
+ KEY_ATTESTATION = 2;
+ }
+ /** Key creation event, operation event or attestation event? */
+ optional Type type = 12;
+
+ /** Was the key creation, operation, or attestation successful? */
+ optional bool was_successful = 13;
+
+ /** Response code or error code */
+ optional int32 error_code = 14;
+}