commit 287187f1d23aaa07543275049e745dd6fc16b78b
author Orlando Arbildo <oarbildo@google.com> Wed Apr 03 19:49:28 2024 +0000
committer Orlando Arbildo <oarbildo@google.com> Tue Apr 09 22:53:21 2024 +0000
tree 6e6c2e73566b494ad56cb1d1a2cf3ebab3ff4819
parent fae563acb079caf473f6cc719eec10f76c00ea8f

Add key parameter to deriveDicePolicyBoundKey

Adding a key parameter to deriveDicePolicyBoundKey to use it
as the base of the derived key.

Bug: 284152719
Test: qemu android build
Change-Id: Iab3ee341825f01345996bde3b0b62037e4ec45da

staging/security/see/hwcrypto/aidl/aidl_api/android.hardware.security.see/current/android/hardware/security/see/hwcrypto/IHwCryptoKey.aidl

diff --git a/staging/security/see/hwcrypto/aidl/aidl_api/android.hardware.security.see/current/android/hardware/security/see/hwcrypto/IHwCryptoKey.aidl b/staging/security/see/hwcrypto/aidl/aidl_api/android.hardware.security.see/current/android/hardware/security/see/hwcrypto/IHwCryptoKey.aidl
index 53d722c..7efcdd6 100644
--- a/staging/security/see/hwcrypto/aidl/aidl_api/android.hardware.security.see/current/android/hardware/security/see/hwcrypto/IHwCryptoKey.aidl
+++ b/staging/security/see/hwcrypto/aidl/aidl_api/android.hardware.security.see/current/android/hardware/security/see/hwcrypto/IHwCryptoKey.aidl
@@ -33,9 +33,17 @@
 
 package android.hardware.security.see.hwcrypto;
 interface IHwCryptoKey {
-  android.hardware.security.see.hwcrypto.IHwCryptoKey.DiceCurrentBoundKeyResult deriveCurrentDicePolicyBoundKey();
-  android.hardware.security.see.hwcrypto.IHwCryptoKey.DiceBoundKeyResult deriveDicePolicyBoundKey(in byte[] dicePolicyForKeyVersion);
+  android.hardware.security.see.hwcrypto.IHwCryptoKey.DiceCurrentBoundKeyResult deriveCurrentDicePolicyBoundKey(in android.hardware.security.see.hwcrypto.IHwCryptoKey.DiceBoundDerivationKey derivationKey);
+  android.hardware.security.see.hwcrypto.IHwCryptoKey.DiceBoundKeyResult deriveDicePolicyBoundKey(in android.hardware.security.see.hwcrypto.IHwCryptoKey.DiceBoundDerivationKey derivationKey, in byte[] dicePolicyForKeyVersion);
   android.hardware.security.see.hwcrypto.IHwCryptoKey.DerivedKey deriveKey(in android.hardware.security.see.hwcrypto.IHwCryptoKey.DerivedKeyParameters parameters);
+  enum DeviceKeyId {
+    DEVICE_BOUND_KEY,
+    BATCH_KEY,
+  }
+  union DiceBoundDerivationKey {
+    android.hardware.security.see.hwcrypto.IOpaqueKey opaqueKey;
+    android.hardware.security.see.hwcrypto.IHwCryptoKey.DeviceKeyId keyId;
+  }
   parcelable DiceCurrentBoundKeyResult {
     android.hardware.security.see.hwcrypto.IOpaqueKey diceBoundKey;
     byte[] dicePolicyForKeyVersion;

staging/security/see/hwcrypto/aidl/android/hardware/security/see/hwcrypto/IHwCryptoKey.aidl

diff --git a/staging/security/see/hwcrypto/aidl/android/hardware/security/see/hwcrypto/IHwCryptoKey.aidl b/staging/security/see/hwcrypto/aidl/android/hardware/security/see/hwcrypto/IHwCryptoKey.aidl
index 08c3173..939014a 100644
--- a/staging/security/see/hwcrypto/aidl/android/hardware/security/see/hwcrypto/IHwCryptoKey.aidl
+++ b/staging/security/see/hwcrypto/aidl/android/hardware/security/see/hwcrypto/IHwCryptoKey.aidl
@@ -22,6 +22,30 @@
  * Higher level interface to access and generate keys.
  */
 interface IHwCryptoKey {
+    /*
+     * Identifier for the requested device provided key. The currently supported identifiers are:
+     *
+     * DEVICE_BOUND_KEY:
+     *      This is a key unique to the device.
+     * BATCH_KEY:
+     *      This is a shared by a set of devices.
+     */
+    enum DeviceKeyId {
+        DEVICE_BOUND_KEY,
+        BATCH_KEY,
+    }
+    union DiceBoundDerivationKey {
+        /*
+         * Opaque to be used to derive the DICE bound key.
+         */
+        IOpaqueKey opaqueKey;
+
+        /*
+         * Device provided key to be used to derive the DICE bound key.
+         */
+        DeviceKeyId keyId;
+    }
+
     parcelable DiceCurrentBoundKeyResult {
         /*
          * Key cryptographically bound to a DICE policy.
@@ -112,17 +136,24 @@
      *                              policy. It will return this current policy back to the caller
      *                              along with the generated key.
      *
+     * @derivationKey:
+     *     Key to be used to derive the new key using HKDF.
+     *
      * Return:
      *      Ok(DiceCurrentBoundKeyResult) on success, service specific error based on
      *      <code>HalErrorCode</code> otherwise.
      */
-    DiceCurrentBoundKeyResult deriveCurrentDicePolicyBoundKey();
+    DiceCurrentBoundKeyResult deriveCurrentDicePolicyBoundKey(
+            in DiceBoundDerivationKey derivationKey);
 
     /*
      * deriveDicePolicyBoundKey() - Derive a versioned key by checking the provided DICE policy
      *                              against the caller and then using it as a context for deriving
      *                              the returned key.
      *
+     * @derivationKey:
+     *     Key to be used to derive the new key using HKDF.
+     *
      * @dicePolicyForKeyVersion:
      *     Policy used to derive keys tied to specific versions. Using this parameter
      *     the caller can tie a derived key to a minimum version of itself, so in the future only
@@ -137,7 +168,8 @@
      *      Ok(DiceBoundKeyResult) on success, service specific error based on
      *      <code>HalErrorCode</code> otherwise.
      */
-    DiceBoundKeyResult deriveDicePolicyBoundKey(in byte[] dicePolicyForKeyVersion);
+    DiceBoundKeyResult deriveDicePolicyBoundKey(
+            in DiceBoundDerivationKey derivationKey, in byte[] dicePolicyForKeyVersion);
 
     /*
      * deriveKey() - Derive a new key based on the given key, policy and context.