ID attestation: Define tag for a second IMEI
Define a KeyMint tag for a second IMEI to be included in the attestation
record.
Also clarify that the IMEI tag is meant to include one, and only one,
IMEI.
Bug: 244732345
Test: android.keystore.cts.DeviceOwnerKeyManagementTest
Merged-In: I70ecbb0245ba2e517e5d0db0cfdce4525846f3e5
Change-Id: I70ecbb0245ba2e517e5d0db0cfdce4525846f3e5
diff --git a/security/keymint/aidl/aidl_api/android.hardware.security.keymint/current/android/hardware/security/keymint/Tag.aidl b/security/keymint/aidl/aidl_api/android.hardware.security.keymint/current/android/hardware/security/keymint/Tag.aidl
index e310b44..6ae2369 100644
--- a/security/keymint/aidl/aidl_api/android.hardware.security.keymint/current/android/hardware/security/keymint/Tag.aidl
+++ b/security/keymint/aidl/aidl_api/android.hardware.security.keymint/current/android/hardware/security/keymint/Tag.aidl
@@ -90,6 +90,7 @@
DEVICE_UNIQUE_ATTESTATION = 1879048912,
IDENTITY_CREDENTIAL_KEY = 1879048913,
STORAGE_KEY = 1879048914,
+ ATTESTATION_ID_SECOND_IMEI = -1879047469,
ASSOCIATED_DATA = -1879047192,
NONCE = -1879047191,
MAC_LENGTH = 805307371,
diff --git a/security/keymint/aidl/android/hardware/security/keymint/Tag.aidl b/security/keymint/aidl/android/hardware/security/keymint/Tag.aidl
index 47361d5..837fc81 100644
--- a/security/keymint/aidl/android/hardware/security/keymint/Tag.aidl
+++ b/security/keymint/aidl/android/hardware/security/keymint/Tag.aidl
@@ -726,9 +726,10 @@
ATTESTATION_ID_SERIAL = TagType.BYTES | 713,
/**
- * Tag::ATTESTATION_ID_IMEI provides the IMEIs for all radios on the device to attested key
+ * Tag::ATTESTATION_ID_IMEI provides the IMEI one of the radios on the device to attested key
* generation/import operations. This field must be set only when requesting attestation of the
- * device's identifiers.
+ * device's identifiers. If the device has more than one IMEI, a second IMEI may be included
+ * by using the Tag::ATTESTATION_ID_SECOND_IMEI tag.
*
* If the device does not support ID attestation (or destroyAttestationIds() was previously
* called and the device can no longer attest its IDs), any key attestation request that
@@ -883,6 +884,20 @@
STORAGE_KEY = TagType.BOOL | 722,
/**
+ * Tag::ATTESTATION_ID_SECOND_IMEI provides an additional IMEI of one of the radios on the
+ * device to attested key generation/import operations. This field MUST be accompanied by
+ * the Tag::ATTESTATION_ID_IMEI tag. It would only be used to convery a second IMEI the device
+ * has, after Tag::ATTESTATION_ID_SECOND_IMEI has been used to convery the first IMEI.
+ *
+ * If the device does not support ID attestation (or destroyAttestationIds() was previously
+ * called and the device can no longer attest its IDs), any key attestation request that
+ * includes this tag must fail with ErrorCode::CANNOT_ATTEST_IDS.
+ *
+ * Must never appear in KeyCharacteristics.
+ */
+ ATTESTATION_ID_SECOND_IMEI = TagType.BYTES | 723,
+
+ /**
* OBSOLETE: Do not use.
*
* This tag value is included for historical reasons -- in Keymaster it was used to hold