Merge "Add device id attestation"
diff --git a/keymaster/3.0/IKeymasterDevice.hal b/keymaster/3.0/IKeymasterDevice.hal
index 19669c8..50a41ec 100644
--- a/keymaster/3.0/IKeymasterDevice.hal
+++ b/keymaster/3.0/IKeymasterDevice.hal
@@ -209,6 +209,21 @@
deleteAllKeys() generates(ErrorCode error);
/**
+ * Destroys knowledge of the device's ids. This prevents all device id attestation in the
+ * future. The destruction must be permanent so that not even a factory reset will restore the
+ * device ids.
+ *
+ * Device id attestation may be provided only if this method is fully implemented, allowing the
+ * user to permanently disable device id attestation. If this cannot be guaranteed, the device
+ * must never attest any device ids.
+ *
+ * This is a NOP if device id attestation is not supported.
+ *
+ * @return error See the ErrorCode enum.
+ */
+ destroyAttestationIds() generates(ErrorCode error);
+
+ /**
* Begins a cryptographic operation using the specified key. If all is well, begin() will return
* ErrorCode::OK and create an operation handle which must be passed to subsequent calls to
* update(), finish() or abort().
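Review bot: The new documentation for destroyAttestationIds() says the call "is a NOP if device id attestation is not supported" but never states which ErrorCode such a device returns, and the default implementation added in keymaster/3.0/default/KeymasterDevice.cpp by this same change returns ErrorCode::UNIMPLEMENTED rather than OK. A caller running a privacy or reset flow cannot distinguish "unsupported, nothing to destroy" from "destruction failed" unless the contract pins this down. If OK is the intent, I would rewrite the return line as `* @return error ErrorCode::OK if the ids were destroyed or device id attestation is not supported; otherwise see the ErrorCode enum.` and align the default implementation; if UNIMPLEMENTED is the intent, the NOP sentence should say so explicitly.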
diff --git a/keymaster/3.0/default/KeymasterDevice.cpp b/keymaster/3.0/default/KeymasterDevice.cpp
index 1208b8d..563ff84 100644
--- a/keymaster/3.0/default/KeymasterDevice.cpp
+++ b/keymaster/3.0/default/KeymasterDevice.cpp
@@ -516,6 +516,24 @@
hidl_vec<hidl_vec<uint8_t>> resultCertChain;
+ for (size_t i = 0; i < attestParams.size(); ++i) {
+ switch (attestParams[i].tag) {
+ case Tag::ATTESTATION_ID_BRAND:
+ case Tag::ATTESTATION_ID_DEVICE:
+ case Tag::ATTESTATION_ID_PRODUCT:
+ case Tag::ATTESTATION_ID_SERIAL:
+ case Tag::ATTESTATION_ID_IMEI:
+ case Tag::ATTESTATION_ID_MEID:
+ // Device id attestation may only be supported if the device is able to permanently
+ // destroy its knowledge of the ids. This device is unable to do this, so it must
+ // never perform any device id attestation.
+ _hidl_cb(ErrorCode::CANNOT_ATTEST_IDS, resultCertChain);
+ return Void();
+ default:
+ break;
+ }
+ }
+
keymaster_cert_chain_t cert_chain{nullptr, 0};
auto kmKeyToAttest = hidlVec2KmKeyBlob(keyToAttest);
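Review bot: The index loop at the top of the hunk only reads each element's tag, so a range-for states that directly and drops the size_t counter: `for (const KeyParameter& param : attestParams) {` followed by `switch (param.tag) {`. The fail-closed behaviour itself looks right: any ATTESTATION_ID_* tag aborts with CANNOT_ATTEST_IDS before the key blob is converted on the last line of the hunk. attestKey()'s signature and the remainder of its body are outside the hunk.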
@@ -569,9 +587,16 @@
}
Return<ErrorCode> KeymasterDevice::deleteAllKeys() {
+ if (keymaster_device_->delete_all_keys == nullptr) {
+ return ErrorCode::UNIMPLEMENTED;
+ }
return legacy_enum_conversion(keymaster_device_->delete_all_keys(keymaster_device_));
}
+Return<ErrorCode> KeymasterDevice::destroyAttestationIds() {
+ return ErrorCode::UNIMPLEMENTED;
+}
+
Return<void> KeymasterDevice::begin(KeyPurpose purpose, const hidl_vec<uint8_t>& key,
const hidl_vec<KeyParameter>& inParams, begin_cb _hidl_cb) {
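Review bot: KeymasterDevice::destroyAttestationIds() returns ErrorCode::UNIMPLEMENTED with no comment, whereas the matching refusal in attestKey() explains that this legacy device cannot permanently destroy its ids; the reason belongs here too, so a later maintainer does not "implement" the method by returning OK, which would make attestKey()'s refusal look inconsistent and could be read as a green light to re-enable id attestation. I would add above the return: `// The legacy keymaster device has no way to permanently destroy the ids, so this is` / `// intentionally unimplemented; attestKey() refuses all ATTESTATION_ID_* tags accordingly.` The new null check on delete_all_keys is a sensible guard; it is worth confirming whether the other legacy function pointers used by this file get the same treatment, which lies outside this hunk.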
diff --git a/keymaster/3.0/default/KeymasterDevice.h b/keymaster/3.0/default/KeymasterDevice.h
index 23767ef..382f45f 100644
--- a/keymaster/3.0/default/KeymasterDevice.h
+++ b/keymaster/3.0/default/KeymasterDevice.h
@@ -71,6 +71,7 @@
upgradeKey_cb _hidl_cb) override;
Return<ErrorCode> deleteKey(const hidl_vec<uint8_t>& keyBlob) override;
Return<ErrorCode> deleteAllKeys() override;
+ Return<ErrorCode> destroyAttestationIds() override;
Return<void> begin(KeyPurpose purpose, const hidl_vec<uint8_t>& key,
const hidl_vec<KeyParameter>& inParams, begin_cb _hidl_cb) override;
Return<void> update(uint64_t operationHandle, const hidl_vec<KeyParameter>& inParams,
diff --git a/keymaster/3.0/types.hal b/keymaster/3.0/types.hal
index 7123e57..9f29b6a 100644
--- a/keymaster/3.0/types.hal
+++ b/keymaster/3.0/types.hal
@@ -123,6 +123,19 @@
ATTESTATION_APPLICATION_ID = TagType:BYTES | 709, /* Used to identify the set of possible
* applications of which one has initiated a
* key attestation */
+ ATTESTATION_ID_BRAND = TagType:BYTES | 710, /* Used to provide the device's brand name to be
+ included in attestation */
+ ATTESTATION_ID_DEVICE = TagType:BYTES | 711, /* Used to provide the device's device name to be
+ included in attestation */
+ ATTESTATION_ID_PRODUCT = TagType:BYTES | 712, /* Used to provide the device's product name to be
+ included in attestation */
+ ATTESTATION_ID_SERIAL = TagType:BYTES | 713, /* Used to provide the device's serial number to be
+ included in attestation */
+ ATTESTATION_ID_IMEI = TagType:BYTES | 714, /* Used to provide the device's IMEI to be included
+ in attestation */
+ ATTESTATION_ID_MEID = TagType:BYTES | 715, /* Used to provide the device's MEID to be included
+ in attestation */
+
/* Tags used only to provide data to or receive data from operations */
ASSOCIATED_DATA = TagType:BYTES | 1000, /* Used to provide associated data for AEAD modes. */
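Review bot: The comments on the six new ATTESTATION_ID_* tags describe what each value carries but not the constraint the rest of this change imposes: a device that cannot fully implement destroyAttestationIds() must refuse all of them with CANNOT_ATTEST_IDS. Because serial number, IMEI and MEID are persistent device identifiers, that rule should sit next to the tags rather than only in the IKeymasterDevice.hal method text. I would add, above ATTESTATION_ID_BRAND, a comment such as `/* The ATTESTATION_ID_* tags may only be honored by devices that fully implement` / `destroyAttestationIds(); all other devices must return CANNOT_ATTEST_IDS. */`.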
@@ -312,6 +325,7 @@
ATTESTATION_CHALLENGE_MISSING = -63,
KEYMASTER_NOT_CONFIGURED = -64,
ATTESTATION_APPLICATION_ID_MISSING = -65,
+ CANNOT_ATTEST_IDS = -66,
UNIMPLEMENTED = -100,
VERSION_MISMATCH = -101,