Merge changes from topic "aosp_trunk_stable_cp" into udc-dev-plus-aosp
* changes:
Remove compatibility_matrix.9.xml from 'next' builds
Mark some HALs as updatable-via-apex retroactively
diff --git a/automotive/evs/OWNERS b/automotive/evs/OWNERS
index 15de48f..4787f0b 100644
--- a/automotive/evs/OWNERS
+++ b/automotive/evs/OWNERS
@@ -1,2 +1,2 @@
ankitarora@google.com
-jwhpryor@google.com
+changyeon@google.com
diff --git a/bluetooth/aidl/vts/Android.bp b/bluetooth/aidl/vts/Android.bp
index 5fc0b2e..ade3bef 100644
--- a/bluetooth/aidl/vts/Android.bp
+++ b/bluetooth/aidl/vts/Android.bp
@@ -16,10 +16,6 @@
srcs: [
"VtsHalBluetoothTargetTest.cpp",
":BluetoothPacketSources",
- ":BluetoothHciPacketSources",
- ],
- generated_headers: [
- "BluetoothGeneratedPackets_h",
],
include_dirs: [
"packages/modules/Bluetooth/system/gd",
@@ -31,7 +27,7 @@
],
static_libs: [
"android.hardware.bluetooth-V1-ndk",
- "libbluetooth-types",
+ "libbluetooth_hci_pdl",
],
test_config: "VtsHalBluetoothTargetTest.xml",
test_suites: [
@@ -57,6 +53,5 @@
],
tidy_disabled_srcs: [
":BluetoothPacketSources",
- ":BluetoothHciPacketSources",
],
}
diff --git a/camera/provider/aidl/vts/camera_aidl_test.cpp b/camera/provider/aidl/vts/camera_aidl_test.cpp
index 08ad0bb..5f9d605 100644
--- a/camera/provider/aidl/vts/camera_aidl_test.cpp
+++ b/camera/provider/aidl/vts/camera_aidl_test.cpp
@@ -120,7 +120,7 @@
ABinderProcess_startThreadPool();
SpAIBinder cameraProviderBinder =
- SpAIBinder(AServiceManager_getService(serviceDescriptor.c_str()));
+ SpAIBinder(AServiceManager_waitForService(serviceDescriptor.c_str()));
ASSERT_NE(cameraProviderBinder.get(), nullptr);
std::shared_ptr<ICameraProvider> cameraProvider =
diff --git a/security/README.md b/security/README.md
new file mode 100644
index 0000000..c5b5ba8
--- /dev/null
+++ b/security/README.md
@@ -0,0 +1,109 @@
+# Security-Related HALs
+
+The `security/` subdirectory holds various security-related HALs. (The final two sections of this
+document also describe security-related HALs that are in other places under `hardware/interfaces/`.)
+
+The most significant HAL is KeyMint (**`IKeyMintDevice`** in the
+`hardware/interfaces/security/keymint/` directory), which allows access to cryptographic
+functionality where the key material is restricted to a secure environment. This functionality is
+used by Android system services, and is also made available to apps via Android Keystore.
+
+A KeyMint implementation (or an implementation of its predecessor, Keymaster) that runs in an
+isolated execution environment (e.g. ARM TrustZone) is required for most Android devices; see [CDD
+9.11](https://source.android.com/docs/compatibility/13/android-13-cdd#911_keys_and_credentials).
+
+A device may optionally also support a second KeyMint instance, running in a dedicated secure
+processor; this is known as StrongBox ([CDD
+9.11.2](https://source.android.com/docs/compatibility/13/android-13-cdd#9112_strongbox)).
+
+Two specific features of KeyMint are worth highlighting, as they have an impact on the other
+security-related HALs:
+
+- KeyMint supports keys that can only be used when the operation is authenticated by the user,
+ either by their lock screen knowledge factor (LSKF, e.g. PIN or pattern) or by a strong biometric
+ (e.g. fingerprint).
+- KeyMint supports *attestation* of public keys: when an asymmetric keypair is created, the secure
+ environment produces a chain of signed certificates:
+ - starting from a trusted root certificate
+ - terminating in a leaf certificate that holds the public key; this leaf certificate may also
+ describe the state of the device and the policies attached to the key.
+
+## Authentication Verification
+
+User authentication must also take place in a secure environment (see the final section below), but
+the results of that authentication are communicated to KeyMint via Android. As such, the
+authentication result (a *hardware auth token*) is signed with a per-boot shared HMAC key known only
+to the secure components, so that it's authenticity can be verified.
+
+If an authenticator, for example GateKeeper (described by the **`IGatekeeper`** HAL in
+`hardware/interfaces/gatekeeper/`), is co-located in the same secure environment as KeyMint, it can
+use a local, vendor-specific, method to communicate the shared HMAC key.
+
+However, if the authenticator is in a different environment than the KeyMint instance then a local
+communication mechanism may not be possible. For example, a StrongBox KeyMint instance running in a
+separate secure processor may not have a communication channel with a TEE on the main processor.
+
+To allow for this, the **`ISharedSecret`** HAL (in `hardware/interfaces/security/sharedsecret`)
+describes an N-party shared key agreement protocol for per-boot derivation of the shared HMAC key,
+based on a pre-provisioned shared secret. This HAL can be implemented by any security component
+– whether KeyMint instance or authenticator – that needs access to the shared HMAC key.
+
+User authentication operations are also timestamped, but a StrongBox KeyMint instance may not have
+access to a secure time source that is aligned with the authenticator's time source.
+
+To allow for this, the **`ISecureClock`** HAL (in `hardware/interfaces/secureclock`) describes a
+challenge-based timestamp authentication protocol. This HAL is optional; it need only be
+implemented if there is a KeyMint instance without a secure source of time.
+
+## Attestation Key Provisioning
+
+As noted above, key generation may also generate an attestation certificate chain, which requires
+that the secure environment have access to a signing key which in turn chains back to the Google
+root.
+
+Historically these signing keys were created by Google and provided to vendors for installation in
+batches of devices (to prevent their use as unique device identifiers). However, this mechanism had
+significant disadvantages, as it required secure handling of key material and only allowed for
+coarse-grained revocation.
+
+The remote key provisioning HAL (**`IRemotelyProvisionedComponent`** in
+`hardware/interfaces/security/rkp/`) provides a mechanism whereby signing certificates for
+attestation can be retrieved at runtime from Google servers based on pre-registered device identity
+information. This mechanism is used to provision certificates for KeyMint's signing keys, but is
+not restricted to that purpose; it can also be used in other scenarios where keys need to be
+provisioned (for example, for [Widevine](https://developers.google.com/widevine/drm/overview)).
+
+## Keymaster
+
+The Keymaster HAL (**`IKeymasterDevice`** in `hardware/interfaces/keymaster/`) is the historical
+ancestor of many of the HALs here (and may still be present on older devices). Its functionality is
+effectively the union of the following current HALs:
+
+- **`IKeyMintDevice`**
+- **`ISharedSecret`**
+- **`ISecureClock`**
+
+## Related Authentication HALs
+
+Authentication of users needs to happen in a secure environment, using vendor-specific
+functionality, and so involves the use of one of the following HALs (all of which are outside the
+`security/` subdirectory).
+
+- The **`IGatekeeper`** HAL (in `hardware/interfaces/gatekeeper/`) provides user authentication
+ functionality based on the user's lock-screen knowledge factor (LSKF), including throttling
+ behaviour to prevent attacks. Authentication tokens produced by this HAL are consumed by KeyMint,
+ validated using the shared HMAC key described above.
+ - The optional **`IWeaver`** HAL (in `hardware/interfaces/weaver`) improves the security of LSKF
+ authentication by converting the user's LSKF into a *synthetic password* via hashing and
+ stretching. This is required to be implemented on a separate secure element, which prevents
+ offline attacks on Gatekeeper storage. Note that Weaver does not directly interact with KeyMint;
+ the synthetic password is fed into Gatekeeper in place of the plain user password, and then
+ Gatekeeper interacts with KeyMint as normal.
+- The **`IFingerprint`** and **`IFace`** HAL definitions (under `hardware/interfaces/biometrics/`)
+ allow access to biometric authentication functionality that is implemented in a secure
+ environment. Authentication tokens produced by these HALs are consumed by KeyMint, validated
+ using the shared HMAC key described above.
+- The optional **`IConfirmationUI`** HAL (in `hardware/interfaces/confirmationui`) supports
+ functionality where the user confirms that they have seen a specific message in a secure manner.
+ Confirmation tokens produced by this HAL are consumed by KeyMint, validated using the shared HMAC
+ key described above.
diff --git a/security/keymint/aidl/default/service.cpp b/security/keymint/aidl/default/service.cpp
index dc0c618..10cbf07 100644
--- a/security/keymint/aidl/default/service.cpp
+++ b/security/keymint/aidl/default/service.cpp
@@ -44,6 +44,8 @@
}
int main() {
+ // The global logger object required by keymaster's logging macros in keymaster/logger.h.
+ keymaster::SoftKeymasterLogger km_logger;
// Zero threads seems like a useless pool, but below we'll join this thread to it, increasing
// the pool size to 1.
ABinderProcess_setThreadPoolMaxThreadCount(0);
diff --git a/security/keymint/support/remote_prov_utils.cpp b/security/keymint/support/remote_prov_utils.cpp
index c9c3e4d..780c3d2 100644
--- a/security/keymint/support/remote_prov_utils.cpp
+++ b/security/keymint/support/remote_prov_utils.cpp
@@ -14,6 +14,7 @@
* limitations under the License.
*/
+#include <iomanip>
#include <iterator>
#include <memory>
#include <set>
@@ -420,6 +421,36 @@
return entryName + " has an invalid value.\n";
}
+std::string checkMapPatchLevelEntry(bool isFactory, const cppbor::Map& devInfo,
+ const std::string& entryName) {
+ std::string error = checkMapEntry(isFactory, devInfo, cppbor::UINT, entryName);
+ if (!error.empty()) {
+ return error;
+ }
+
+ if (isFactory) {
+ return "";
+ }
+
+ const std::unique_ptr<cppbor::Item>& val = devInfo.get(entryName);
+ std::string dateString = std::to_string(val->asUint()->unsignedValue());
+ if (dateString.size() == 6) {
+ dateString += "01";
+ }
+ if (dateString.size() != 8) {
+ return entryName + " should in the format YYYYMMDD or YYYYMM\n";
+ }
+
+ std::tm t;
+ std::istringstream ss(dateString);
+ ss >> std::get_time(&t, "%Y%m%d");
+ if (!ss) {
+ return entryName + " should in the format YYYYMMDD or YYYYMM\n";
+ }
+
+ return "";
+}
+
bool isTeeDeviceInfo(const cppbor::Map& devInfo) {
return devInfo.get("security_level") && devInfo.get("security_level")->asTstr() &&
devInfo.get("security_level")->asTstr()->value() == "tee";
@@ -520,6 +551,10 @@
error += "Err: Unrecognized key entry: <" + key->asTstr()->value() + ">,\n";
}
}
+ // Checks that only apply to v3.
+ error += checkMapPatchLevelEntry(isFactory, *parsed, "system_patch_level");
+ error += checkMapPatchLevelEntry(isFactory, *parsed, "boot_patch_level");
+ error += checkMapPatchLevelEntry(isFactory, *parsed, "vendor_patch_level");
FALLTHROUGH_INTENDED;
case 2:
for (const auto& entry : kAttestationIdEntrySet) {
diff --git a/security/rkp/aidl/Android.bp b/security/rkp/aidl/Android.bp
index e2ce649..e9e2021 100644
--- a/security/rkp/aidl/Android.bp
+++ b/security/rkp/aidl/Android.bp
@@ -28,6 +28,10 @@
},
rust: {
enabled: true,
+ apex_available: [
+ "//apex_available:platform",
+ "com.android.virt",
+ ],
},
},
versions_with_info: [
diff --git a/security/rkp/aidl/android/hardware/security/keymint/IRemotelyProvisionedComponent.aidl b/security/rkp/aidl/android/hardware/security/keymint/IRemotelyProvisionedComponent.aidl
index f8a5540..21c5315 100644
--- a/security/rkp/aidl/android/hardware/security/keymint/IRemotelyProvisionedComponent.aidl
+++ b/security/rkp/aidl/android/hardware/security/keymint/IRemotelyProvisionedComponent.aidl
@@ -185,77 +185,7 @@
*
* In either case, the root is self-signed.
*
- * EekChain = [ + SignedSignatureKey, SignedEek ]
- *
- * SignedSignatureKey = [ ; COSE_Sign1
- * protected: bstr .cbor {
- * 1 : AlgorithmEdDSA / AlgorithmES256, ; Algorithm
- * },
- * unprotected: {},
- * payload: bstr .cbor SignatureKeyEd25519 /
- * bstr .cbor SignatureKeyP256,
- * signature: bstr PureEd25519(.cbor SignatureKeySignatureInput) /
- * bstr ECDSA(.cbor SignatureKeySignatureInput)
- * ]
- *
- * SignatureKeyEd25519 = { ; COSE_Key
- * 1 : 1, ; Key type : Octet Key Pair
- * 3 : AlgorithmEdDSA, ; Algorithm
- * -1 : 6, ; Curve : Ed25519
- * -2 : bstr ; Ed25519 public key
- * }
- *
- * SignatureKeyP256 = { ; COSE_Key
- * 1 : 2, ; Key type : EC2
- * 3 : AlgorithmES256, ; Algorithm
- * -1 : 1, ; Curve: P256
- * -2 : bstr, ; X coordinate
- * -3 : bstr ; Y coordinate
- * }
- *
- * SignatureKeySignatureInput = [
- * context: "Signature1",
- * body_protected: bstr .cbor { 1 : AlgorithmEdDSA / AlgorithmES256 },
- * external_aad: bstr .size 0,
- * payload: bstr .cbor SignatureKeyEd25519 /
- * bstr .cbor SignatureKeyP256
- * ]
- *
- * ; COSE_Sign1
- * SignedEek = [
- * protected: bstr .cbor { 1 : AlgorithmEdDSA / AlgorithmES256 },
- * unprotected: {},
- * payload: bstr .cbor EekX25519 / .cbor EekP256,
- * signature: bstr PureEd25519(.cbor EekSignatureInput) /
- * bstr ECDSA(.cbor EekSignatureInput)
- * ]
- *
- * EekX25519 = { ; COSE_Key
- * 1 : 1, ; Key type : Octet Key Pair
- * 2 : bstr ; KID : EEK ID
- * 3 : -25, ; Algorithm : ECDH-ES + HKDF-256
- * -1 : 4, ; Curve : X25519
- * -2 : bstr ; X25519 public key, little-endian
- * }
- *
- * EekP256 = { ; COSE_Key
- * 1 : 2, ; Key type : EC2
- * 2 : bstr ; KID : EEK ID
- * 3 : -25, ; Algorithm : ECDH-ES + HKDF-256
- * -1 : 1, ; Curve : P256
- * -2 : bstr ; Sender X coordinate
- * -3 : bstr ; Sender Y coordinate
- * }
- *
- * EekSignatureInput = [
- * context: "Signature1",
- * body_protected: bstr .cbor { 1 : AlgorithmEdDSA / AlgorithmES256 },
- * external_aad: bstr .size 0,
- * payload: bstr .cbor EekX25519 / .cbor EekP256
- * ]
- *
- * AlgorithmES256 = -7 ; RFC 8152 section 8.1
- * AlgorithmEdDSA = -8 ; RFC 8152 section 8.2
+ * See generateCertificateRequest.cddl for CDDL definitions.
*
* If the contents of endpointEncryptionKey do not match the SignedEek structure above,
* the method must return STATUS_INVALID_EEK.
@@ -283,25 +213,9 @@
* HMAC-256(EK_mac, .cbor KeysToMacStructure)
*
* Where EK_mac is an ephemeral MAC key, found in ProtectedData (see below). The MACed
- * data is the "tag" field of a COSE_Mac0 structure like:
+ * data is the "tag" field of a MacedKeys COSE_Mac0 structure.
*
- * MacedKeys = [ ; COSE_Mac0
- * protected : bstr .cbor {
- * 1 : 5, ; Algorithm : HMAC-256
- * },
- * unprotected : {},
- * ; Payload is PublicKeys from keysToSign argument, in provided order.
- * payload: bstr .cbor [ * PublicKey ],
- * tag: bstr
- * ]
- *
- * KeysToMacStructure = [
- * context : "MAC0",
- * protected : bstr .cbor { 1 : 5 }, ; Algorithm : HMAC-256
- * external_aad : bstr .size 0,
- * ; Payload is PublicKeys from keysToSign argument, in provided order.
- * payload : bstr .cbor [ * PublicKey ]
- * ]
+ * See generateCertificateRequest.cddl for CDDL definitions.
*/
byte[] generateCertificateRequest(in boolean testMode, in MacedPublicKey[] keysToSign,
in byte[] endpointEncryptionCertChain, in byte[] challenge, out DeviceInfo deviceInfo,
@@ -322,168 +236,9 @@
* use different semantic data for this field, but the supported sizes must be between 0
* and 64 bytes, inclusive.
*
- * @return the following CBOR Certificate Signing Request (Csr) serialized into a byte array:
+ * @return a CBOR Certificate Signing Request (Csr) serialized into a byte array.
*
- * Csr = AuthenticatedRequest<CsrPayload>
- *
- * CsrPayload = [ ; CBOR Array defining the payload for Csr
- * version: 3, ; The CsrPayload CDDL Schema version.
- * CertificateType, ; The type of certificate being requested.
- * DeviceInfo, ; Defined in DeviceInfo.aidl
- * KeysToSign, ; Provided by the method parameters
- * ]
- *
- * ; A tstr identifying the type of certificate. The set of supported certificate types may
- * ; be extended without requiring a version bump of the HAL. Custom certificate types may
- * ; be used, but the provisioning server may reject the request for an unknown certificate
- * ; type. The currently defined certificate types are:
- * ; - "widevine"
- * ; - "keymint"
- * CertificateType = tstr
- *
- * KeysToSign = [ * PublicKey ] ; Please see MacedPublicKey.aidl for the PublicKey definition.
- *
- * AuthenticatedRequest<T> = [
- * version: 1, ; The AuthenticatedRequest CDDL Schema version.
- * UdsCerts,
- * DiceCertChain,
- * SignedData<[
- * challenge: bstr .size (0..64), ; Provided by the method parameters
- * bstr .cbor T,
- * ]>,
- * ]
- *
- * ; COSE_Sign1 (untagged)
- * SignedData<Data> = [
- * protected: bstr .cbor { 1 : AlgorithmEdDSA / AlgorithmES256 / AlgorithmES384 },
- * unprotected: {},
- * payload: bstr .cbor Data / nil,
- * signature: bstr ; PureEd25519(CDI_Leaf_Priv, SignedDataSigStruct<Data>) /
- * ; ECDSA(CDI_Leaf_Priv, SignedDataSigStruct<Data>)
- * ]
- *
- * ; Sig_structure for SignedData
- * SignedDataSigStruct<Data> = [
- * context: "Signature1",
- * protected: bstr .cbor { 1 : AlgorithmEdDSA / AlgorithmES256 / AlgorithmES384 },
- * external_aad: bstr .size 0,
- * payload: bstr .cbor Data / nil,
- * ]
- *
- * ; UdsCerts allows the platform to provide additional certifications for the UDS_Pub. For
- * ; example, this could be provided by the hardware vendor, who certifies all of their chips.
- * ; The SignerName is a free-form string describing who generated the signature. The root
- * ; certificate will need to be communicated to the verifier out of band, along with the
- * ; SignerName that is expected for the given root certificate.
- * UdsCerts = {
- * * SignerName => UdsCertChain
- * }
- *
- * ; SignerName is a string identifier that indicates both the signing authority as
- * ; well as the format of the UdsCertChain
- * SignerName = tstr
- *
- * UdsCertChain = [
- * 2* X509Certificate ; Root -> ... -> Leaf. "Root" is the vendor self-signed
- * ; cert, "Leaf" contains UDS_Public. There may also be
- * ; intermediate certificates between Root and Leaf.
- * ]
- *
- * ; A bstr containing a DER-encoded X.509 certificate (RSA, NIST P-curve, or EdDSA)
- * X509Certificate = bstr
- *
- * ; The DICE Chain contains measurements about the device firmware.
- * ; The first entry in the DICE Chain is the UDS_Pub, encoded as a COSE_key. All entries
- * ; after the first describe a link in the boot chain (e.g. bootloaders: BL1, BL2, ... BLN)
- * ; Note that there is no DiceChainEntry for UDS_pub, only a "bare" COSE_key.
- * DiceCertChain = [
- * PubKeyEd25519 / PubKeyECDSA256 / PubKeyECDSA384, ; UDS_Pub
- * + DiceChainEntry, ; First CDI_Certificate -> Last CDI_Certificate
- * ; Last certificate corresponds to KeyMint's DICE key.
- * ]
- *
- * ; This is the signed payload for each entry in the DICE chain. Note that the "Configuration
- * ; Input Values" described by the Open Profile are not used here. Instead, the DICE chain
- * ; defines its own configuration values for the Configuration Descriptor field. See
- * ; the Open Profile for DICE for more details on the fields. SHA256, SHA384 and SHA512 are
- * ; acceptable hash algorithms. The digest bstr values in the payload are the digest values
- * ; without any padding. Note that this implies that the digest is a 32-byte bstr for SHA256
- * ; and a 48-byte bstr for SHA384. This is an intentional, minor deviation from Open Profile
- * ; for DICE, which specifies all digests are 64 bytes.
- * DiceChainEntryPayload = { ; CWT [RFC8392]
- * 1 : tstr, ; Issuer
- * 2 : tstr, ; Subject
- * -4670552 : bstr .cbor PubKeyEd25519 /
- * bstr .cbor PubKeyECDSA256 /
- * bstr .cbor PubKeyECDSA384, ; Subject Public Key
- * -4670553 : bstr ; Key Usage
- *
- * ; NOTE: All of the following fields may be omitted for a "Degenerate DICE Chain", as
- * ; described above.
- * -4670545 : bstr, ; Code Hash
- * ? -4670546 : bstr, ; Code Descriptor
- * -4670547 : bstr, ; Configuration Hash
- * -4670548 : bstr .cbor { ; Configuration Descriptor
- * ? -70002 : tstr, ; Component name
- * ? -70003 : int / tstr, ; Component version
- * ? -70004 : null, ; Resettable
- * ? -70005 : uint, ; Security version
- * },
- * -4670549 : bstr, ; Authority Hash
- * ? -4670550 : bstr, ; Authority Descriptor
- * -4670551 : bstr, ; Mode
- * }
- *
- * ; Each entry in the DICE chain is a DiceChainEntryPayload signed by the key from the previous
- * ; entry in the DICE chain array.
- * DiceChainEntry = [ ; COSE_Sign1 (untagged)
- * protected : bstr .cbor { 1 : AlgorithmEdDSA / AlgorithmES256 / AlgorithmES384 },
- * unprotected: {},
- * payload: bstr .cbor DiceChainEntryPayload,
- * signature: bstr ; PureEd25519(SigningKey, DiceChainEntryInput) /
- * ; ECDSA(SigningKey, DiceChainEntryInput)
- * ; See RFC 8032 for details of how to encode the signature value
- * ; for Ed25519.
- * ]
- *
- * DiceChainEntryInput = [
- * context: "Signature1",
- * protected: bstr .cbor { 1 : AlgorithmEdDSA / AlgorithmES256 / AlgorithmES384 },
- * external_aad: bstr .size 0,
- * payload: bstr .cbor DiceChainEntryPayload
- * ]
- *
- * ; The following section defines some types that are reused throughout the above
- * ; data structures.
- * ; NOTE: Integer encoding is different for Ed25519 and P256 keys:
- * ; - Ed25519 is LE: https://www.rfc-editor.org/rfc/rfc8032#section-3.1
- * ; - P256 is BE: https://www.secg.org/sec1-v2.pdf#page=19 (section 2.3.7)
- * PubKeyEd25519 = { ; COSE_Key
- * 1 : 1, ; Key type : octet key pair
- * 3 : AlgorithmEdDSA, ; Algorithm : EdDSA
- * -1 : 6, ; Curve : Ed25519
- * -2 : bstr ; X coordinate, little-endian
- * }
- *
- * PubKeyECDSA256 = { ; COSE_Key
- * 1 : 2, ; Key type : EC2
- * 3 : AlgorithmES256, ; Algorithm : ECDSA w/ SHA-256
- * -1 : 1, ; Curve: P256
- * -2 : bstr, ; X coordinate, big-endian
- * -3 : bstr ; Y coordinate, big-endian
- * }
- *
- * PubKeyECDSA384 = { ; COSE_Key
- * 1 : 2, ; Key type : EC2
- * 3 : AlgorithmES384, ; Algorithm : ECDSA w/ SHA-384
- * -1 : 2, ; Curve: P384
- * -2 : bstr, ; X coordinate
- * -3 : bstr ; Y coordinate
- * }
- *
- * AlgorithmES256 = -7
- * AlgorithmES384 = -35
- * AlgorithmEdDSA = -8
+ * See generateCertificateRequestV2.cddl for CDDL definitions.
*/
byte[] generateCertificateRequestV2(in MacedPublicKey[] keysToSign, in byte[] challenge);
}
diff --git a/security/rkp/aidl/android/hardware/security/keymint/generateCertificateRequest.cddl b/security/rkp/aidl/android/hardware/security/keymint/generateCertificateRequest.cddl
new file mode 100644
index 0000000..82930bc
--- /dev/null
+++ b/security/rkp/aidl/android/hardware/security/keymint/generateCertificateRequest.cddl
@@ -0,0 +1,92 @@
+; CDDL for the deprecated version 1 generateCertificateRequest method
+; in IRemotelyProvisionedComponent.aidl
+
+EekChain = [ + SignedSignatureKey, SignedEek ]
+
+SignedSignatureKey = [ ; COSE_Sign1
+ protected: bstr .cbor {
+ 1 : AlgorithmEdDSA / AlgorithmES256, ; Algorithm
+ },
+ unprotected: {},
+ payload: bstr .cbor SignatureKeyEd25519 /
+ bstr .cbor SignatureKeyP256,
+ signature: bstr PureEd25519(.cbor SignatureKeySignatureInput) /
+ bstr ECDSA(.cbor SignatureKeySignatureInput)
+]
+
+SignatureKeyEd25519 = { ; COSE_Key
+ 1 : 1, ; Key type : Octet Key Pair
+ 3 : AlgorithmEdDSA, ; Algorithm
+ -1 : 6, ; Curve : Ed25519
+ -2 : bstr ; Ed25519 public key
+}
+
+SignatureKeyP256 = { ; COSE_Key
+ 1 : 2, ; Key type : EC2
+ 3 : AlgorithmES256, ; Algorithm
+ -1 : 1, ; Curve: P256
+ -2 : bstr, ; X coordinate
+ -3 : bstr ; Y coordinate
+}
+
+SignatureKeySignatureInput = [
+ context: "Signature1",
+ body_protected: bstr .cbor { 1 : AlgorithmEdDSA / AlgorithmES256 },
+ external_aad: bstr .size 0,
+ payload: bstr .cbor SignatureKeyEd25519 /
+ bstr .cbor SignatureKeyP256
+]
+
+; COSE_Sign1
+SignedEek = [
+ protected: bstr .cbor { 1 : AlgorithmEdDSA / AlgorithmES256 },
+ unprotected: {},
+ payload: bstr .cbor EekX25519 / .cbor EekP256,
+ signature: bstr PureEd25519(.cbor EekSignatureInput) /
+ bstr ECDSA(.cbor EekSignatureInput)
+]
+
+EekX25519 = { ; COSE_Key
+ 1 : 1, ; Key type : Octet Key Pair
+ 2 : bstr ; KID : EEK ID
+ 3 : -25, ; Algorithm : ECDH-ES + HKDF-256
+ -1 : 4, ; Curve : X25519
+ -2 : bstr ; X25519 public key, little-endian
+}
+
+EekP256 = { ; COSE_Key
+ 1 : 2, ; Key type : EC2
+ 2 : bstr ; KID : EEK ID
+ 3 : -25, ; Algorithm : ECDH-ES + HKDF-256
+ -1 : 1, ; Curve : P256
+ -2 : bstr ; Sender X coordinate
+ -3 : bstr ; Sender Y coordinate
+}
+
+EekSignatureInput = [
+ context: "Signature1",
+ body_protected: bstr .cbor { 1 : AlgorithmEdDSA / AlgorithmES256 },
+ external_aad: bstr .size 0,
+ payload: bstr .cbor EekX25519 / .cbor EekP256
+]
+
+AlgorithmES256 = -7 ; RFC 8152 section 8.1
+AlgorithmEdDSA = -8 ; RFC 8152 section 8.2
+
+MacedKeys = [ ; COSE_Mac0
+ protected : bstr .cbor {
+ 1 : 5, ; Algorithm : HMAC-256
+ },
+ unprotected : {},
+ ; Payload is PublicKeys from keysToSign argument, in provided order.
+ payload: bstr .cbor [ * PublicKey ],
+ tag: bstr
+]
+
+KeysToMacStructure = [
+ context : "MAC0",
+ protected : bstr .cbor { 1 : 5 }, ; Algorithm : HMAC-256
+ external_aad : bstr .size 0,
+ ; Payload is PublicKeys from keysToSign argument, in provided order.
+ payload : bstr .cbor [ * PublicKey ]
+]
diff --git a/security/rkp/aidl/android/hardware/security/keymint/generateCertificateRequestV2.cddl b/security/rkp/aidl/android/hardware/security/keymint/generateCertificateRequestV2.cddl
new file mode 100644
index 0000000..ea71f98
--- /dev/null
+++ b/security/rkp/aidl/android/hardware/security/keymint/generateCertificateRequestV2.cddl
@@ -0,0 +1,163 @@
+; CDDL for the generateCertificateRequestV2 method in
+; IRemotelyProvisionedComponent.aidl
+
+Csr = AuthenticatedRequest<CsrPayload>
+
+CsrPayload = [ ; CBOR Array defining the payload for Csr
+ version: 3, ; The CsrPayload CDDL Schema version.
+ CertificateType, ; The type of certificate being requested.
+ DeviceInfo, ; Defined in DeviceInfo.aidl
+ KeysToSign, ; Provided by the method parameters
+]
+
+; A tstr identifying the type of certificate. The set of supported certificate types may
+; be extended without requiring a version bump of the HAL. Custom certificate types may
+; be used, but the provisioning server may reject the request for an unknown certificate
+; type. The currently defined certificate types are:
+; - "widevine"
+; - "keymint"
+CertificateType = tstr
+
+KeysToSign = [ * PublicKey ] ; Please see MacedPublicKey.aidl for the PublicKey definition.
+
+AuthenticatedRequest<T> = [
+ version: 1, ; The AuthenticatedRequest CDDL Schema version.
+ UdsCerts,
+ DiceCertChain,
+ SignedData<[
+ challenge: bstr .size (0..64), ; Provided by the method parameters
+ bstr .cbor T,
+ ]>,
+]
+
+; COSE_Sign1 (untagged)
+SignedData<Data> = [
+ protected: bstr .cbor { 1 : AlgorithmEdDSA / AlgorithmES256 / AlgorithmES384 },
+ unprotected: {},
+ payload: bstr .cbor Data / nil,
+ signature: bstr ; PureEd25519(CDI_Leaf_Priv, SignedDataSigStruct<Data>) /
+ ; ECDSA(CDI_Leaf_Priv, SignedDataSigStruct<Data>)
+]
+
+; Sig_structure for SignedData
+SignedDataSigStruct<Data> = [
+ context: "Signature1",
+ protected: bstr .cbor { 1 : AlgorithmEdDSA / AlgorithmES256 / AlgorithmES384 },
+ external_aad: bstr .size 0,
+ payload: bstr .cbor Data / nil,
+]
+
+; UdsCerts allows the platform to provide additional certifications for the UDS_Pub. For
+; example, this could be provided by the hardware vendor, who certifies all of their chips.
+; The SignerName is a free-form string describing who generated the signature. The root
+; certificate will need to be communicated to the verifier out of band, along with the
+; SignerName that is expected for the given root certificate.
+UdsCerts = {
+ * SignerName => UdsCertChain
+}
+
+; SignerName is a string identifier that indicates both the signing authority as
+; well as the format of the UdsCertChain
+SignerName = tstr
+
+UdsCertChain = [
+ 2* X509Certificate ; Root -> ... -> Leaf. "Root" is the vendor self-signed
+ ; cert, "Leaf" contains UDS_Public. There may also be
+ ; intermediate certificates between Root and Leaf.
+]
+
+; A bstr containing a DER-encoded X.509 certificate (RSA, NIST P-curve, or EdDSA)
+X509Certificate = bstr
+
+; The DICE Chain contains measurements about the device firmware.
+; The first entry in the DICE Chain is the UDS_Pub, encoded as a COSE_key. All entries
+; after the first describe a link in the boot chain (e.g. bootloaders: BL1, BL2, ... BLN)
+; Note that there is no DiceChainEntry for UDS_pub, only a "bare" COSE_key.
+DiceCertChain = [
+ PubKeyEd25519 / PubKeyECDSA256 / PubKeyECDSA384, ; UDS_Pub
+ + DiceChainEntry, ; First CDI_Certificate -> Last CDI_Certificate
+ ; Last certificate corresponds to KeyMint's DICE key.
+]
+
+; This is the signed payload for each entry in the DICE chain. Note that the "Configuration
+; Input Values" described by the Open Profile are not used here. Instead, the DICE chain
+; defines its own configuration values for the Configuration Descriptor field. See
+; the Open Profile for DICE for more details on the fields. SHA256, SHA384 and SHA512 are
+; acceptable hash algorithms. The digest bstr values in the payload are the digest values
+; without any padding. Note that this implies that the digest is a 32-byte bstr for SHA256
+; and a 48-byte bstr for SHA384. This is an intentional, minor deviation from Open Profile
+; for DICE, which specifies all digests are 64 bytes.
+DiceChainEntryPayload = { ; CWT [RFC8392]
+ 1 : tstr, ; Issuer
+ 2 : tstr, ; Subject
+ -4670552 : bstr .cbor PubKeyEd25519 /
+ bstr .cbor PubKeyECDSA256 /
+ bstr .cbor PubKeyECDSA384, ; Subject Public Key
+ -4670553 : bstr ; Key Usage
+
+ ; NOTE: All of the following fields may be omitted for a "Degenerate DICE Chain", as
+ ; described above.
+ -4670545 : bstr, ; Code Hash
+ ? -4670546 : bstr, ; Code Descriptor
+ -4670547 : bstr, ; Configuration Hash
+ -4670548 : bstr .cbor { ; Configuration Descriptor
+ ? -70002 : tstr, ; Component name
+ ? -70003 : int / tstr, ; Component version
+ ? -70004 : null, ; Resettable
+ ? -70005 : uint, ; Security version
+ },
+ -4670549 : bstr, ; Authority Hash
+ ? -4670550 : bstr, ; Authority Descriptor
+ -4670551 : bstr, ; Mode
+}
+
+; Each entry in the DICE chain is a DiceChainEntryPayload signed by the key from the previous
+; entry in the DICE chain array.
+DiceChainEntry = [ ; COSE_Sign1 (untagged)
+ protected : bstr .cbor { 1 : AlgorithmEdDSA / AlgorithmES256 / AlgorithmES384 },
+ unprotected: {},
+ payload: bstr .cbor DiceChainEntryPayload,
+ signature: bstr ; PureEd25519(SigningKey, DiceChainEntryInput) /
+ ; ECDSA(SigningKey, DiceChainEntryInput)
+ ; See RFC 8032 for details of how to encode the signature value
+ ; for Ed25519.
+]
+
+DiceChainEntryInput = [
+ context: "Signature1",
+ protected: bstr .cbor { 1 : AlgorithmEdDSA / AlgorithmES256 / AlgorithmES384 },
+ external_aad: bstr .size 0,
+ payload: bstr .cbor DiceChainEntryPayload
+]
+
+; The following section defines some types that are reused throughout the above
+; data structures.
+; NOTE: Integer encoding is different for Ed25519 and P256 keys:
+; - Ed25519 is LE: https://www.rfc-editor.org/rfc/rfc8032#section-3.1
+; - P256 is BE: https://www.secg.org/sec1-v2.pdf#page=19 (section 2.3.7)
+PubKeyEd25519 = { ; COSE_Key
+ 1 : 1, ; Key type : octet key pair
+ 3 : AlgorithmEdDSA, ; Algorithm : EdDSA
+ -1 : 6, ; Curve : Ed25519
+ -2 : bstr ; X coordinate, little-endian
+}
+
+PubKeyECDSA256 = { ; COSE_Key
+ 1 : 2, ; Key type : EC2
+ 3 : AlgorithmES256, ; Algorithm : ECDSA w/ SHA-256
+ -1 : 1, ; Curve: P256
+ -2 : bstr, ; X coordinate, big-endian
+ -3 : bstr ; Y coordinate, big-endian
+}
+
+PubKeyECDSA384 = { ; COSE_Key
+ 1 : 2, ; Key type : EC2
+ 3 : AlgorithmES384, ; Algorithm : ECDSA w/ SHA-384
+ -1 : 2, ; Curve: P384
+ -2 : bstr, ; X coordinate
+ -3 : bstr ; Y coordinate
+}
+
+AlgorithmES256 = -7
+AlgorithmES384 = -35
+AlgorithmEdDSA = -8