commit 9c43af16e41c9b3dcb2f95e37480785c25fd4174
author Orlando Arbildo <oarbildo@google.com> Mon Apr 08 23:19:02 2024 +0000
committer Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com> Mon Apr 08 23:19:02 2024 +0000
tree a5d1220471a2a12a3e3f8d90e3a9fce3ec7adc99
parent 298463c3f38ff4b983d00a3f64e7b867945f2d8d
parent d2fd1cb0257ed72adbd33fb0f48194796c2e0ebb

Merge "Add deriveKey function" into main am: 4761ae94fd am: d2fd1cb025

Original change: https://android-review.googlesource.com/c/platform/hardware/interfaces/+/2714707

Change-Id: I87f430a21bd4268bae5561eb12fd331035fedf41
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>

staging/security/see/hwcrypto/aidl/aidl_api/android.hardware.security.see/current/android/hardware/security/see/hwcrypto/IHwCryptoKey.aidl

diff --git a/staging/security/see/hwcrypto/aidl/aidl_api/android.hardware.security.see/current/android/hardware/security/see/hwcrypto/IHwCryptoKey.aidl b/staging/security/see/hwcrypto/aidl/aidl_api/android.hardware.security.see/current/android/hardware/security/see/hwcrypto/IHwCryptoKey.aidl
index 0951fb2..53d722c 100644
--- a/staging/security/see/hwcrypto/aidl/aidl_api/android.hardware.security.see/current/android/hardware/security/see/hwcrypto/IHwCryptoKey.aidl
+++ b/staging/security/see/hwcrypto/aidl/aidl_api/android.hardware.security.see/current/android/hardware/security/see/hwcrypto/IHwCryptoKey.aidl
@@ -35,6 +35,7 @@
 interface IHwCryptoKey {
   android.hardware.security.see.hwcrypto.IHwCryptoKey.DiceCurrentBoundKeyResult deriveCurrentDicePolicyBoundKey();
   android.hardware.security.see.hwcrypto.IHwCryptoKey.DiceBoundKeyResult deriveDicePolicyBoundKey(in byte[] dicePolicyForKeyVersion);
+  android.hardware.security.see.hwcrypto.IHwCryptoKey.DerivedKey deriveKey(in android.hardware.security.see.hwcrypto.IHwCryptoKey.DerivedKeyParameters parameters);
   parcelable DiceCurrentBoundKeyResult {
     android.hardware.security.see.hwcrypto.IOpaqueKey diceBoundKey;
     byte[] dicePolicyForKeyVersion;
@@ -43,4 +44,20 @@
     android.hardware.security.see.hwcrypto.IOpaqueKey diceBoundKey;
     boolean dicePolicyWasCurrent;
   }
+  parcelable ClearKeyPolicy {
+    int keySizeBytes;
+  }
+  union DerivedKeyPolicy {
+    android.hardware.security.see.hwcrypto.KeyPolicy opaqueKey;
+    android.hardware.security.see.hwcrypto.IHwCryptoKey.ClearKeyPolicy clearKey;
+  }
+  parcelable DerivedKeyParameters {
+    android.hardware.security.see.hwcrypto.IOpaqueKey derivationKey;
+    android.hardware.security.see.hwcrypto.IHwCryptoKey.DerivedKeyPolicy keyPolicy;
+    byte[] context;
+  }
+  union DerivedKey {
+    byte[] explicitKey = {};
+    android.hardware.security.see.hwcrypto.IOpaqueKey opaque;
+  }
 }

staging/security/see/hwcrypto/aidl/android/hardware/security/see/hwcrypto/IHwCryptoKey.aidl

diff --git a/staging/security/see/hwcrypto/aidl/android/hardware/security/see/hwcrypto/IHwCryptoKey.aidl b/staging/security/see/hwcrypto/aidl/android/hardware/security/see/hwcrypto/IHwCryptoKey.aidl
index 9cf1880..08c3173 100644
--- a/staging/security/see/hwcrypto/aidl/android/hardware/security/see/hwcrypto/IHwCryptoKey.aidl
+++ b/staging/security/see/hwcrypto/aidl/android/hardware/security/see/hwcrypto/IHwCryptoKey.aidl
@@ -54,6 +54,59 @@
         boolean dicePolicyWasCurrent;
     }
 
+    parcelable ClearKeyPolicy {
+        /*
+         * Indicates the desired key size. It will be used to calculate how many bytes of key
+         * material should be returned.
+         */
+        int keySizeBytes;
+    }
+
+    union DerivedKeyPolicy {
+        /*
+         * Policy for the newly derived opaque key. Defines how the key can be used and its type.
+         */
+        KeyPolicy opaqueKey;
+
+        /*
+         * If used we will derive a clear key and pass it back as an array of bytes on
+         * <code>HwCryptoKeyMaterial::explicitKey</code>.
+         */
+        ClearKeyPolicy clearKey;
+    }
+
+    parcelable DerivedKeyParameters {
+        /*
+         * Key to be used to derive the new key using HKDF.
+         */
+        IOpaqueKey derivationKey;
+
+        /*
+         * Policy for the newly derived key. Depending on its type, either a clear or opaque key
+         * will be derived.
+         */
+        DerivedKeyPolicy keyPolicy;
+
+        /*
+         * An arbitrary set of bytes incorporated into the key derivation. May have
+         * an implementation-specific maximum length, but it is guaranteed to accept
+         * at least 32 bytes.
+         */
+        byte[] context;
+    }
+
+    union DerivedKey {
+        /*
+         * Derived key in clear format.
+         */
+        byte[] explicitKey = {};
+
+        /*
+         * Derived key as a key token to be used only through the HWCrypto service.
+         */
+        IOpaqueKey opaque;
+    }
+
     /*
      * deriveCurrentDicePolicyBoundKey() - Derives a versioned key tied to the caller's current DICE
      *                              policy. It will return this current policy back to the caller
@@ -85,4 +138,17 @@
      *      <code>HalErrorCode</code> otherwise.
      */
     DiceBoundKeyResult deriveDicePolicyBoundKey(in byte[] dicePolicyForKeyVersion);
+
+    /*
+     * deriveKey() - Derive a new key based on the given key, policy and context.
+     *
+     * @parameters:
+     *      Parameters used for the key derivation. See <code>DerivedKeyParameters</code> on this
+     *      file for more information.
+     *
+     * Return:
+     *      Ok(HwCryptoKeyMaterial) on success, service specific error based on
+     *      <code>HalErrorCode</code> otherwise.
+     */
+    DerivedKey deriveKey(in DerivedKeyParameters parameters);
 }