Add STORAGE_KEY tag to keymaster 4.1
These are keymaster keys used specifically for storage
encryption. This provides the ability for keymaster implementations to
securely protect storage encryption keys.
Test: VtsHalKeymasterV4_1TargetTest
Bug: 147733587
Change-Id: I5f7f83755fcbed96d8f38fa51812aa6d2eb0927b
diff --git a/current.txt b/current.txt
index f6ec7fa..fd87484 100644
--- a/current.txt
+++ b/current.txt
@@ -647,7 +647,7 @@
6e1e28a96c90ba78d47257faea3f3bb4e6360affbbfa5822f0dc31211f9266ff android.hardware.identity@1.0::IWritableIdentityCredential
27ae3724053940462114228872b3ffaf0b8e6177d5ba97f5a76339d12b8a99dd android.hardware.keymaster@4.1::IKeymasterDevice
adb0efdf1462e9b2e742c0dcadd598666aac551f178be06e755bfcdf5797abd0 android.hardware.keymaster@4.1::IOperation
-ac429fca0da4ce91218768ec31b64ded88251f8a26d8c4f27c06abdc5b1926d9 android.hardware.keymaster@4.1::types
+ddcf89cd8ee2df0d32aee55050826446fb64f7aafde0a7cd946c64f61b1a364c android.hardware.keymaster@4.1::types
df9c79c4fdde2821550c6d5c3d07f5ec0adfb1b702561ce543c906ddef698703 android.hardware.media.c2@1.1::IComponent
a3eddd9bbdc87e8c22764070037dd1154f1cf006e6fba93364c4f85d4c134a19 android.hardware.media.c2@1.1::IComponentStore
65c16331e57f6dd68b3971f06f78fe9e3209afb60630c31705aa355f9a52bf0d android.hardware.neuralnetworks@1.3::IBuffer
diff --git a/keymaster/4.1/support/include/keymasterV4_1/keymaster_tags.h b/keymaster/4.1/support/include/keymasterV4_1/keymaster_tags.h
index c5ce950..6c186f6 100644
--- a/keymaster/4.1/support/include/keymasterV4_1/keymaster_tags.h
+++ b/keymaster/4.1/support/include/keymasterV4_1/keymaster_tags.h
@@ -100,6 +100,7 @@
DECLARE_KM_4_1_TYPED_TAG(EARLY_BOOT_ONLY);
DECLARE_KM_4_1_TYPED_TAG(DEVICE_UNIQUE_ATTESTATION);
+DECLARE_KM_4_1_TYPED_TAG(STORAGE_KEY);
} // namespace android::hardware::keymaster::V4_1
diff --git a/keymaster/4.1/types.hal b/keymaster/4.1/types.hal
index 9e8b30e..f3bdcc6 100644
--- a/keymaster/4.1/types.hal
+++ b/keymaster/4.1/types.hal
@@ -50,10 +50,29 @@
* HAL attests to Credential Keys. IIdentityCredential produces Keymaster-style attestations.
*/
IDENTITY_CREDENTIAL_KEY = TagType:BOOL | 721,
+
+ /**
+ * To prevent keys from being compromised if an attacker acquires read access to system / kernel
+ * memory, some inline encryption hardware supports protecting storage encryption keys in hardware
+ * without software having access to or the ability to set the plaintext keys. Instead, software
+ * only sees wrapped version of these keys.
+ *
+ * STORAGE_KEY is used to denote that a key generated or imported is a key used for storage
+ * encryption. Keys of this type can either be generated or imported or secure imported using
+ * keymaster. exportKey() can be used to re-wrap storage key with a per-boot ephemeral key wrapped
+ * key once the key characteristics are enforced.
+ *
+ * Keys with this tag cannot be used for any operation within keymaster.
+ * ErrorCode::INVALID_OPERATION is returned when a key with Tag::STORAGE_KEY is provided to
+ * begin().
+ */
+ STORAGE_KEY = TagType:BOOL | 722,
};
enum ErrorCode : @4.0::ErrorCode {
EARLY_BOOT_ENDED = -73,
ATTESTATION_KEYS_NOT_PROVISIONED = -74,
ATTESTATION_IDS_NOT_PROVISIONED = -75,
+ INVALID_OPERATION = -76,
+ STORAGE_KEY_UNSUPPORTED = -77,
};