Clarify Secretkeeper comments

Various small wording changes to attempt to clarify some of the
details of the Secretkeeper API.

While I'm here: fix error code naming inconsistency.

Bug: 291224769
Test: N/A
Change-Id: I956b549bc5bf4d2b964dde9867430cb4778e445b
diff --git a/security/secretkeeper/aidl/android/hardware/security/secretkeeper/ISecretkeeper.aidl b/security/secretkeeper/aidl/android/hardware/security/secretkeeper/ISecretkeeper.aidl
index 49c3446..b07dba8 100644
--- a/security/secretkeeper/aidl/android/hardware/security/secretkeeper/ISecretkeeper.aidl
+++ b/security/secretkeeper/aidl/android/hardware/security/secretkeeper/ISecretkeeper.aidl
@@ -39,9 +39,14 @@
 
     /**
      * Retrieve the instance of the `IAuthGraphKeyExchange` HAL that should be used for shared
-     * session key establishment.  These keys are used to perform encryption of messages as
+     * session key establishment. These keys are used to perform encryption of messages as
      * described in SecretManagement.cddl, allowing the client and Secretkeeper to have a
-     * cryptographically secure channel.
+     * cryptographically secure channel. In the key exchange protocol the client acts as P1
+     * (source) and Secretkeeper as P2 (sink). The interface returned here can be used to invoke
+     * methods on the sink.
+     *
+     * The client's identity is its DICE chain; Secretkeeper's identity is a
+     * per-boot key pair.
      */
     IAuthGraphKeyExchange getAuthGraphKe();
 
@@ -56,8 +61,8 @@
      * ProtectedRequestPacket & ProtectedResponsePacket using symmetric keys agreed between
      * the client & service. This cryptographic protection is required because the messages are
      * ferried via Android, which is allowed to be outside the TCB of clients (for example protected
-     * Virtual Machines). For this, service (& client) must implement a key exchange protocol, which
-     * is critical for establishing the secure channel.
+     * Virtual Machines). For this, service (& client) must implement the AuthGraph key exchange
+     * protocol to establish a secure channel between them.
      *
      * If an encrypted response cannot be generated, then a service-specific Binder error using one
      * of the ERROR_ codes above will be returned.
diff --git a/security/secretkeeper/aidl/android/hardware/security/secretkeeper/SecretManagement.cddl b/security/secretkeeper/aidl/android/hardware/security/secretkeeper/SecretManagement.cddl
index 3d08078..a9e4351 100644
--- a/security/secretkeeper/aidl/android/hardware/security/secretkeeper/SecretManagement.cddl
+++ b/security/secretkeeper/aidl/android/hardware/security/secretkeeper/SecretManagement.cddl
@@ -82,7 +82,7 @@
     ; Requested Entry not found.
     ErrorCode_EntryNotFound: 3,
     ; Error happened while serialization or deserialization.
-    SerializationError: 4,
+    ErrorCode_SerializationError: 4,
     ; Indicates that Dice Policy matching did not succeed & hence access not granted.
     ErrorCode_DicePolicyError: 5,
 )
@@ -95,7 +95,7 @@
     GetSecretResult,
 )
 
-GetVersionResult = (version : uint)
+GetVersionResult = (1)
 
 StoreSecretResult = ()