Gitiles
Code Review Sign In
gerrit.omnirom.org / android_hardware_interfaces / 7093431e82f0afe1ae7ce0f74802a107b962fd54^! / . / authsecret / 1.0 / IAuthSecret.hal
commit7093431e82f0afe1ae7ce0f74802a107b962fd54[log] [tgz]
authorAndrew Scull <ascull@google.com>Wed Jan 03 11:51:54 2018 +0000
committerAndrew Scull <ascull@google.com>Wed Jan 10 18:06:51 2018 +0000
tree54c3543bd2d6d2057dc460bdd966408a94c2fc87
parentb4216c54bea761c983d9815ad36d1e77b230d832 [diff] [blame]
AuthSecret HAL

A security HAL to allow vendor to cryptographically tie components to
the primary user's credential.

Test: AuthSecretHidlTest
Bug: 71527305
Change-Id: I67ebf423dfccb00415d1d79b54e3ded31256cfff

diff --git a/authsecret/1.0/IAuthSecret.hal b/authsecret/1.0/IAuthSecret.hal
new file mode 100644
index 0000000..d2cb5da
--- /dev/null
+++ b/authsecret/1.0/IAuthSecret.hal

@@ -0,0 +1,48 @@
+/*
+ * Copyright (C) 2018 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package android.hardware.authsecret@1.0;
+
+/**
+ * This security HAL allows vendor components to be cryptographically tied to
+ * the primary user's credential. For example, security hardware could require
+ * proof that the credential is known before applying updates.
+ *
+ * This HAL is optional so does not require an implementation on device.
+ */
+interface IAuthSecret {
+    /**
+     * When the primary user correctly enters their credential, this method is
+     * passed a secret derived from that credential to prove that their
+     * credential is known.
+     *
+     * The first time this is called, the secret must be used to provision state
+     * that depends on the primary user's credential. The same secret is passed
+     * on each call until a factory reset after which there must be a new
+     * secret.
+     *
+     * The secret must be at lesat 16 bytes.
+     *
+     * @param secret blob derived from the primary user's credential.
+     */
+    primaryUserCredential(vec<uint8_t> secret);
+
+    /**
+     * Called from recovery during factory reset. The secret is now lost and can
+     * no longer be derived. Any data linked to the secret must be destroyed and
+     * any dependence on the secret must be removed.
+     */
+    factoryReset();
+};