Merge "Add new SecurityLevel::KEYSTORE"
diff --git a/security/keymint/aidl/aidl_api/android.hardware.security.keymint/current/android/hardware/security/keymint/SecurityLevel.aidl b/security/keymint/aidl/aidl_api/android.hardware.security.keymint/current/android/hardware/security/keymint/SecurityLevel.aidl
index 78da3e8..c720d6d 100644
--- a/security/keymint/aidl/aidl_api/android.hardware.security.keymint/current/android/hardware/security/keymint/SecurityLevel.aidl
+++ b/security/keymint/aidl/aidl_api/android.hardware.security.keymint/current/android/hardware/security/keymint/SecurityLevel.aidl
@@ -36,4 +36,5 @@
SOFTWARE = 0,
TRUSTED_ENVIRONMENT = 1,
STRONGBOX = 2,
+ KEYSTORE = 100,
}
diff --git a/security/keymint/aidl/android/hardware/security/keymint/KeyCreationResult.aidl b/security/keymint/aidl/android/hardware/security/keymint/KeyCreationResult.aidl
index b149ac9..69bec2d7 100644
--- a/security/keymint/aidl/android/hardware/security/keymint/KeyCreationResult.aidl
+++ b/security/keymint/aidl/android/hardware/security/keymint/KeyCreationResult.aidl
@@ -36,7 +36,6 @@
* deciding whether a given tag from `keyParams` argument to the generation/import method should
* be returned in `keyCharacteristics` are:
*
- * - If the IKeyMintDevice cannot fully enforce the semantics of the tag, it should be omitted.
* - If the semantics of the tag are fully enforced by the IKeyMintDevice, without any
* assistance from components running at other security levels, it should be included in an
* entry with the SecurityLevel of the IKeyMintDevice.
@@ -45,6 +44,9 @@
* SecurityLevel of the involved components. For example if a StrongBox IKeyMintDevice relies
* on a TEE to validate biometric authentication, biometric authentication tags go in an entry
* with SecurityLevel::TRUSTED_ENVIRONMENT.
+ * - If the semantics are not enforced by KeyMint at all, SecurityLevel::KEYSTORE is used to
+ * indicate that Keystore should enforce. Note that in Keymaster (predecessor to KeyMint),
+ * these tags would have been in SecurityLevel::SOFTWARE.
*/
KeyCharacteristics[] keyCharacteristics;
diff --git a/security/keymint/aidl/android/hardware/security/keymint/SecurityLevel.aidl b/security/keymint/aidl/android/hardware/security/keymint/SecurityLevel.aidl
index 10363e9..c63859c 100644
--- a/security/keymint/aidl/android/hardware/security/keymint/SecurityLevel.aidl
+++ b/security/keymint/aidl/android/hardware/security/keymint/SecurityLevel.aidl
@@ -17,16 +17,59 @@
package android.hardware.security.keymint;
/**
- * Device security levels.
+ * Device security levels. These enum values are used in two ways:
+ *
+ * 1. Returned from IKeyMintDevice::getHardwareInfo to identify the security level of the
+ * IKeyMintDevice. This characterizes the sort of environment in which the KeyMint
+ * implementation runs, and therefore the security of its operations.
+ *
+ * 2. Associated with individual KeyMint authorization Tags in KeyCharacteristics or in attestation
+ * certificates. This specifies the security level of the weakest environment involved in
+ * enforcing that particular tag, i.e. the sort of security environment an attacker would have
+ * to subvert in order to break the enforcement of that tag.
*/
@VintfStability
@Backing(type="int")
enum SecurityLevel {
+ /**
+ * The SOFTWARE security level represents a KeyMint implementation that runs in an Android
+ * process, or a tag enforced by such an implementation. An attacker who can compromise that
+ * process, or obtain root, or subvert the kernel on the device can defeat it.
+ *
+ * Note that the distinction between SOFTWARE and KEYSTORE is only relevant on-device. For
+ * attestation purposes, these categories are combined into the software-enforced authorization
+ * list.
+ */
SOFTWARE = 0,
+
+ /**
+ * The TRUSTED_ENVIRONMENT security level represents a KeyMint implementation that runs in an
+ * Android process, or a tag enforced by such an implementation. An attacker who completely
+ * compromises Android, including the Linux kernel, does not have the ability to subvert it. At
+ * attacker who can find an exploit that gains them control of the trusted environment, or who
+ * has access to the physical device and can mount a sophisticated hardware attack, may be able
+ * to defeat it.
+ */
TRUSTED_ENVIRONMENT = 1,
/**
- * STRONGBOX specifies that the secure hardware satisfies the requirements specified in CDD
- * 9.11.2.
+ * The STRONGBOX security level represents a KeyMint implementation that runs in security
+ * hardware that satisfies the requirements specified in CDD 9.11.2. Roughly speaking, these
+ * are discrete, security-focus computing environments that are hardened against physical and
+ * side channel attack, and have had their security formally validated by a competent
+ * penetration testing lab.
*/
STRONGBOX = 2,
+
+ /**
+ * KeyMint implementations must never return the KEYSTORE security level from getHardwareInfo.
+ * It is used to specify tags that are not enforced by the IKeyMintDevice, but are instead
+ * to be enforced by Keystore. An attacker who can subvert the keystore process or gain root or
+ * subvert the kernel can prevent proper enforcement of these tags.
+ *
+ *
+ * Note that the distinction between SOFTWARE and KEYSTORE is only relevant on-device. When
+ * KeyMint generates an attestation certificate, these categories are combined into the
+ * software-enforced authorization list.
+ */
+ KEYSTORE = 100
}