hwcrypto: Add get_keyslot_data to HWCryptoKey AIDL definition
Adding getKeyslotData function to access device specific
keys.
Bug: 284152719
Test: qemu android build
Change-Id: I75d7a3694a5b0330e1721a671621763917295867
diff --git a/staging/security/see/hwcrypto/aidl/aidl_api/android.hardware.security.see/current/android/hardware/security/see/hwcrypto/IHwCryptoKey.aidl b/staging/security/see/hwcrypto/aidl/aidl_api/android.hardware.security.see/current/android/hardware/security/see/hwcrypto/IHwCryptoKey.aidl
index 6837a2f..5b34572 100644
--- a/staging/security/see/hwcrypto/aidl/aidl_api/android.hardware.security.see/current/android/hardware/security/see/hwcrypto/IHwCryptoKey.aidl
+++ b/staging/security/see/hwcrypto/aidl/aidl_api/android.hardware.security.see/current/android/hardware/security/see/hwcrypto/IHwCryptoKey.aidl
@@ -40,10 +40,14 @@
android.hardware.security.see.hwcrypto.IOpaqueKey importClearKey(in android.hardware.security.see.hwcrypto.types.ExplicitKeyMaterial keyMaterial, in android.hardware.security.see.hwcrypto.KeyPolicy newKeyPolicy);
byte[] getCurrentDicePolicy();
android.hardware.security.see.hwcrypto.IOpaqueKey keyTokenImport(in android.hardware.security.see.hwcrypto.types.OpaqueKeyToken requestedKey, in byte[] sealingDicePolicy);
+ android.hardware.security.see.hwcrypto.IOpaqueKey getKeyslotData(android.hardware.security.see.hwcrypto.IHwCryptoKey.KeySlot slotId);
enum DeviceKeyId {
DEVICE_BOUND_KEY,
BATCH_KEY,
}
+ enum KeySlot {
+ KEYMINT_SHARED_HMAC_KEY,
+ }
union DiceBoundDerivationKey {
android.hardware.security.see.hwcrypto.IOpaqueKey opaqueKey;
android.hardware.security.see.hwcrypto.IHwCryptoKey.DeviceKeyId keyId;
diff --git a/staging/security/see/hwcrypto/aidl/aidl_api/android.hardware.security.see/current/android/hardware/security/see/hwcrypto/types/HalErrorCode.aidl b/staging/security/see/hwcrypto/aidl/aidl_api/android.hardware.security.see/current/android/hardware/security/see/hwcrypto/types/HalErrorCode.aidl
index cd8b3c6..742314c 100644
--- a/staging/security/see/hwcrypto/aidl/aidl_api/android.hardware.security.see/current/android/hardware/security/see/hwcrypto/types/HalErrorCode.aidl
+++ b/staging/security/see/hwcrypto/aidl/aidl_api/android.hardware.security.see/current/android/hardware/security/see/hwcrypto/types/HalErrorCode.aidl
@@ -41,4 +41,5 @@
const int ALLOCATION_ERROR = (-5) /* -5 */;
const int INVALID_KEY = (-6) /* -6 */;
const int BAD_PARAMETER = (-7) /* -7 */;
+ const int UNAUTHORIZED = (-8) /* -8 */;
}
diff --git a/staging/security/see/hwcrypto/aidl/android/hardware/security/see/hwcrypto/IHwCryptoKey.aidl b/staging/security/see/hwcrypto/aidl/android/hardware/security/see/hwcrypto/IHwCryptoKey.aidl
index e472f4c..bb194a3 100644
--- a/staging/security/see/hwcrypto/aidl/android/hardware/security/see/hwcrypto/IHwCryptoKey.aidl
+++ b/staging/security/see/hwcrypto/aidl/android/hardware/security/see/hwcrypto/IHwCryptoKey.aidl
@@ -37,6 +37,19 @@
DEVICE_BOUND_KEY,
BATCH_KEY,
}
+
+ /*
+ * Identifier for the requested key slot. The currently supported identifiers are:
+ *
+ * KEYMINT_SHARED_HMAC_KEY:
+ * This is the shared HMAC key that will now be computed by HwCryptoKey after participating
+ * in the ISharedSecret protocol that can be shared with KeyMint and authenticators. See
+ * ISharedSecret.aidl for more information.
+ */
+ enum KeySlot {
+ KEYMINT_SHARED_HMAC_KEY,
+ }
+
union DiceBoundDerivationKey {
/*
* Opaque to be used to derive the DICE bound key.
@@ -256,4 +269,21 @@
* success, service specific error based on <code>HalErrorCode</code> otherwise.
*/
IOpaqueKey keyTokenImport(in OpaqueKeyToken requestedKey, in byte[] sealingDicePolicy);
+
+ /*
+ * getKeyslotData() - Gets the keyslot key material referenced by slotId.
+ *
+ * @slotId:
+ * Identifier for the requested keyslot
+ *
+ * This interface is used to access device specific keys with known types and uses. Because the
+ * returned key is opaque, it can only be used through the different HwCrypto interfaces.
+ * Because the keys live in a global namespace the identity of the caller needs to be
+ * checked to verify that it has permission to accesses the requested key.
+ *
+ * Return:
+ * Ok(IOpaqueKey) on success, UNAUTHORIZED if the caller cannot access the requested key,
+ * another specific error code otherwise.
+ */
+ IOpaqueKey getKeyslotData(KeySlot slotId);
}
diff --git a/staging/security/see/hwcrypto/aidl/android/hardware/security/see/hwcrypto/types/HalErrorCode.aidl b/staging/security/see/hwcrypto/aidl/android/hardware/security/see/hwcrypto/types/HalErrorCode.aidl
index e8e8539..f536c0e 100644
--- a/staging/security/see/hwcrypto/aidl/android/hardware/security/see/hwcrypto/types/HalErrorCode.aidl
+++ b/staging/security/see/hwcrypto/aidl/android/hardware/security/see/hwcrypto/types/HalErrorCode.aidl
@@ -42,4 +42,7 @@
/* Bad parameter supplied for the desired operation */
const int BAD_PARAMETER = -7;
+
+ /* Caller is not authorized to make this call */
+ const int UNAUTHORIZED = -8;
}