Gitiles
Code Review Sign In
gerrit.omnirom.org / android_hardware_interfaces / 6a1223f227220d954ec31e9243abcc9ad1d51d05^! / .
commit6a1223f227220d954ec31e9243abcc9ad1d51d05[log] [tgz]
authorSeth Moore <sethmo@google.com>Thu Jun 24 16:29:38 2021 -0700
committerSeth Moore <sethmo@google.com>Thu Jul 08 16:05:41 2021 -0700
treee6d1c8242c87ce78c21074f59451c5a173a296c2
parent9c3bd29cabe02772a460d8862946c4337f8c1a92 [diff]
Add Attestation IDs State to DeviceInfo

We will use the 'Attestation IDs State' field in DeviceInfo to
determine whether a device is still provisionable or not. Once a
production device has left the factory, certain attestated device ids
should be fixed, and 'Attestation IDs State' should reflect this
by reporting "locked".

Remove stale, duplicated DeviceInfo description from ProtectedData.aidl

Test: None, just a doc change
Bug: 192017485
Change-Id: I4e0a840a8f415b3b410801805a158c46be30ec6a
Merged-In: I4e0a840a8f415b3b410801805a158c46be30ec6a

diff --git a/security/keymint/aidl/android/hardware/security/keymint/DeviceInfo.aidl b/security/keymint/aidl/android/hardware/security/keymint/DeviceInfo.aidl
index 32d69cd..b0761bf 100644
--- a/security/keymint/aidl/android/hardware/security/keymint/DeviceInfo.aidl
+++ b/security/keymint/aidl/android/hardware/security/keymint/DeviceInfo.aidl

@@ -44,6 +44,12 @@
      *         ? "vendor_patch_level" : uint,                   // YYYYMMDD
      *         "version" : 1,                      // The CDDL schema version.
      *         "security_level" : "tee" / "strongbox"
+     *         "att_id_state": "locked" / "open",  // Attestation IDs State. If "locked", this
+     *                                             // indicates a device's attestable IDs are
+     *                                             // factory-locked and immutable. If "open",
+     *                                             // this indicates the device is still in a
+     *                                             // provisionable state and the attestable IDs
+     *                                             // are not yet frozen.
      *     }
      */
     byte[] deviceInfo;

diff --git a/security/keymint/aidl/android/hardware/security/keymint/ProtectedData.aidl b/security/keymint/aidl/android/hardware/security/keymint/ProtectedData.aidl
index 31dbb28..24cdbc1 100644
--- a/security/keymint/aidl/android/hardware/security/keymint/ProtectedData.aidl
+++ b/security/keymint/aidl/android/hardware/security/keymint/ProtectedData.aidl

@@ -158,20 +158,7 @@
      *         payload: bstr .cbor BccPayload
      *     ]
      *
-     *     VerifiedDeviceInfo = {
-     *         ? "brand" : tstr,
-     *         ? "manufacturer" : tstr,
-     *         ? "product" : tstr,
-     *         ? "model" : tstr,
-     *         ? "board" : tstr,
-     *         ? "device" : tstr,
-     *         ? "vb_state" : "green" / "yellow" / "orange",
-     *         ? "bootloader_state" : "locked" / "unlocked",
-     *         ? "os_version" : tstr,
-     *         ? "system_patch_level" : uint,        // YYYYMMDD
-     *         ? "boot_patch_level" : uint,          // YYYYMMDD
-     *         ? "vendor_patch_level" : uint,        // YYYYMMDD
-     *     }
+     *     VerifiedDeviceInfo = DeviceInfo  // See DeviceInfo.aidl
      *
      *     PubKeyX25519 = {                 // COSE_Key
      *          1 : 1,                      // Key type : Octet Key Pair