Merge "Merge Android 12 QPR1"
diff --git a/authsecret/aidl/default/service.cpp b/authsecret/aidl/default/service.cpp
index efecf10..a7d8678 100644
--- a/authsecret/aidl/default/service.cpp
+++ b/authsecret/aidl/default/service.cpp
@@ -28,7 +28,7 @@
const std::string instance = std::string() + AuthSecret::descriptor + "/default";
binder_status_t status = AServiceManager_addService(authsecret->asBinder().get(), instance.c_str());
- CHECK(status == STATUS_OK);
+ CHECK_EQ(status, STATUS_OK);
ABinderProcess_joinThreadPool();
return -1; // Should never be reached
diff --git a/automotive/audiocontrol/aidl/default/main.cpp b/automotive/audiocontrol/aidl/default/main.cpp
index 9b259fc..cc15ccb 100644
--- a/automotive/audiocontrol/aidl/default/main.cpp
+++ b/automotive/audiocontrol/aidl/default/main.cpp
@@ -31,7 +31,7 @@
const std::string instance = std::string() + AudioControl::descriptor + "/default";
binder_status_t status =
AServiceManager_addService(audioControl->asBinder().get(), instance.c_str());
- CHECK(status == STATUS_OK);
+ CHECK_EQ(status, STATUS_OK);
std::shared_ptr<PowerPolicyClient> powerPolicyClient =
::ndk::SharedRefBase::make<PowerPolicyClient>(audioControl);
diff --git a/biometrics/face/aidl/default/main.cpp b/biometrics/face/aidl/default/main.cpp
index 80b153e..b7274e3 100644
--- a/biometrics/face/aidl/default/main.cpp
+++ b/biometrics/face/aidl/default/main.cpp
@@ -29,7 +29,7 @@
const std::string instance = std::string(Face::descriptor) + "/default";
binder_status_t status = AServiceManager_addService(hal->asBinder().get(), instance.c_str());
- CHECK(status == STATUS_OK);
+ CHECK_EQ(status, STATUS_OK);
ABinderProcess_joinThreadPool();
return EXIT_FAILURE; // should not reach
diff --git a/biometrics/fingerprint/aidl/default/main.cpp b/biometrics/fingerprint/aidl/default/main.cpp
index 4690d73..c985201 100644
--- a/biometrics/fingerprint/aidl/default/main.cpp
+++ b/biometrics/fingerprint/aidl/default/main.cpp
@@ -29,7 +29,7 @@
const std::string instance = std::string(Fingerprint::descriptor) + "/default";
binder_status_t status = AServiceManager_addService(hal->asBinder().get(), instance.c_str());
- CHECK(status == STATUS_OK);
+ CHECK_EQ(status, STATUS_OK);
ABinderProcess_joinThreadPool();
return EXIT_FAILURE; // should not reach
diff --git a/compatibility_matrices/compatibility_matrix.current.xml b/compatibility_matrices/compatibility_matrix.current.xml
index f0311c7..8db8f7e 100644
--- a/compatibility_matrices/compatibility_matrix.current.xml
+++ b/compatibility_matrices/compatibility_matrix.current.xml
@@ -334,7 +334,7 @@
</hal>
<hal format="aidl" optional="true">
<name>android.hardware.security.keymint</name>
- <version>1</version>
+ <version>1-2</version>
<interface>
<name>IKeyMintDevice</name>
<instance>default</instance>
@@ -343,6 +343,7 @@
</hal>
<hal format="aidl" optional="true">
<name>android.hardware.security.keymint</name>
+ <version>1-2</version>
<interface>
<name>IRemotelyProvisionedComponent</name>
<instance>default</instance>
diff --git a/dumpstate/aidl/default/main.cpp b/dumpstate/aidl/default/main.cpp
index 2451752..5bc85b4 100644
--- a/dumpstate/aidl/default/main.cpp
+++ b/dumpstate/aidl/default/main.cpp
@@ -29,7 +29,7 @@
const std::string instance = std::string() + Dumpstate::descriptor + "/default";
binder_status_t status =
AServiceManager_registerLazyService(dumpstate->asBinder().get(), instance.c_str());
- CHECK(status == STATUS_OK);
+ CHECK_EQ(status, STATUS_OK);
ABinderProcess_joinThreadPool();
return EXIT_FAILURE; // Unreachable
diff --git a/gnss/aidl/default/service.cpp b/gnss/aidl/default/service.cpp
index 09f1ad2..bbe34f1 100644
--- a/gnss/aidl/default/service.cpp
+++ b/gnss/aidl/default/service.cpp
@@ -42,7 +42,7 @@
const std::string instance = std::string() + Gnss::descriptor + "/default";
binder_status_t status =
AServiceManager_addService(gnssAidl->asBinder().get(), instance.c_str());
- CHECK(status == STATUS_OK);
+ CHECK_EQ(status, STATUS_OK);
sp<IGnss> gnss = new GnssHidlHal(gnssAidl);
configureRpcThreadpool(1, true /* will join */);
diff --git a/identity/aidl/default/service.cpp b/identity/aidl/default/service.cpp
index c290c08..78f4fbc 100644
--- a/identity/aidl/default/service.cpp
+++ b/identity/aidl/default/service.cpp
@@ -43,7 +43,7 @@
const std::string instance = std::string() + IdentityCredentialStore::descriptor + "/default";
binder_status_t status = AServiceManager_addService(store->asBinder().get(), instance.c_str());
- CHECK(status == STATUS_OK);
+ CHECK_EQ(status, STATUS_OK);
ABinderProcess_joinThreadPool();
return EXIT_FAILURE; // should not reach
diff --git a/light/aidl/default/main.cpp b/light/aidl/default/main.cpp
index a860bf4..54e1316 100644
--- a/light/aidl/default/main.cpp
+++ b/light/aidl/default/main.cpp
@@ -28,7 +28,7 @@
const std::string instance = std::string() + Lights::descriptor + "/default";
binder_status_t status = AServiceManager_addService(lights->asBinder().get(), instance.c_str());
- CHECK(status == STATUS_OK);
+ CHECK_EQ(status, STATUS_OK);
ABinderProcess_joinThreadPool();
return EXIT_FAILURE; // should not reached
diff --git a/memtrack/aidl/default/main.cpp b/memtrack/aidl/default/main.cpp
index d063d2a..5cf5f94 100644
--- a/memtrack/aidl/default/main.cpp
+++ b/memtrack/aidl/default/main.cpp
@@ -29,7 +29,7 @@
const std::string instance = std::string() + Memtrack::descriptor + "/default";
binder_status_t status =
AServiceManager_addService(memtrack->asBinder().get(), instance.c_str());
- CHECK(status == STATUS_OK);
+ CHECK_EQ(status, STATUS_OK);
ABinderProcess_joinThreadPool();
return EXIT_FAILURE; // Unreachable
diff --git a/oemlock/aidl/default/service.cpp b/oemlock/aidl/default/service.cpp
index af828a0..9fa7d63 100644
--- a/oemlock/aidl/default/service.cpp
+++ b/oemlock/aidl/default/service.cpp
@@ -28,7 +28,7 @@
const std::string instance = std::string() + OemLock::descriptor + "/default";
binder_status_t status = AServiceManager_addService(oemlock->asBinder().get(), instance.c_str());
- CHECK(status == STATUS_OK);
+ CHECK_EQ(status, STATUS_OK);
ABinderProcess_joinThreadPool();
return -1; // Should never be reached
diff --git a/power/aidl/default/main.cpp b/power/aidl/default/main.cpp
index 964bd96..306b91b 100644
--- a/power/aidl/default/main.cpp
+++ b/power/aidl/default/main.cpp
@@ -28,7 +28,7 @@
const std::string instance = std::string() + Power::descriptor + "/default";
binder_status_t status = AServiceManager_addService(vib->asBinder().get(), instance.c_str());
- CHECK(status == STATUS_OK);
+ CHECK_EQ(status, STATUS_OK);
ABinderProcess_joinThreadPool();
return EXIT_FAILURE; // should not reach
diff --git a/power/stats/aidl/default/main.cpp b/power/stats/aidl/default/main.cpp
index 2fe3d2e..9e78247 100644
--- a/power/stats/aidl/default/main.cpp
+++ b/power/stats/aidl/default/main.cpp
@@ -73,7 +73,7 @@
const std::string instance = std::string() + PowerStats::descriptor + "/default";
binder_status_t status = AServiceManager_addService(p->asBinder().get(), instance.c_str());
- CHECK(status == STATUS_OK);
+ CHECK_EQ(status, STATUS_OK);
ABinderProcess_joinThreadPool();
return EXIT_FAILURE; // should not reach
diff --git a/rebootescrow/aidl/default/service.cpp b/rebootescrow/aidl/default/service.cpp
index 8a8086b..dc06c71 100644
--- a/rebootescrow/aidl/default/service.cpp
+++ b/rebootescrow/aidl/default/service.cpp
@@ -34,7 +34,7 @@
auto re = ndk::SharedRefBase::make<RebootEscrow>(rebootEscrowDevicePath);
const std::string instance = std::string() + RebootEscrow::descriptor + "/default";
binder_status_t status = AServiceManager_addService(re->asBinder().get(), instance.c_str());
- CHECK(status == STATUS_OK);
+ CHECK_EQ(status, STATUS_OK);
ABinderProcess_joinThreadPool();
return EXIT_FAILURE;
diff --git a/security/keymint/aidl/Android.bp b/security/keymint/aidl/Android.bp
index 3cf6ff2..dcbe9c1 100644
--- a/security/keymint/aidl/Android.bp
+++ b/security/keymint/aidl/Android.bp
@@ -45,14 +45,14 @@
cc_defaults {
name: "keymint_use_latest_hal_aidl_ndk_static",
static_libs: [
- "android.hardware.security.keymint-V1-ndk",
+ "android.hardware.security.keymint-V2-ndk",
],
}
cc_defaults {
name: "keymint_use_latest_hal_aidl_ndk_shared",
shared_libs: [
- "android.hardware.security.keymint-V1-ndk",
+ "android.hardware.security.keymint-V2-ndk",
],
}
@@ -62,6 +62,6 @@
rust_defaults {
name: "keymint_use_latest_hal_aidl_rust",
rustlibs: [
- "android.hardware.security.keymint-V1-rust",
+ "android.hardware.security.keymint-V2-rust",
],
}
diff --git a/security/keymint/aidl/aidl_api/android.hardware.security.keymint/current/android/hardware/security/keymint/EcCurve.aidl b/security/keymint/aidl/aidl_api/android.hardware.security.keymint/current/android/hardware/security/keymint/EcCurve.aidl
index 6b4a9ae..ffc7efe 100644
--- a/security/keymint/aidl/aidl_api/android.hardware.security.keymint/current/android/hardware/security/keymint/EcCurve.aidl
+++ b/security/keymint/aidl/aidl_api/android.hardware.security.keymint/current/android/hardware/security/keymint/EcCurve.aidl
@@ -39,4 +39,5 @@
P_256 = 1,
P_384 = 2,
P_521 = 3,
+ CURVE_25519 = 4,
}
diff --git a/security/keymint/aidl/android/hardware/security/keymint/EcCurve.aidl b/security/keymint/aidl/android/hardware/security/keymint/EcCurve.aidl
index 5b1c10c..e9f81d8 100644
--- a/security/keymint/aidl/android/hardware/security/keymint/EcCurve.aidl
+++ b/security/keymint/aidl/android/hardware/security/keymint/EcCurve.aidl
@@ -27,4 +27,5 @@
P_256 = 1,
P_384 = 2,
P_521 = 3,
+ CURVE_25519 = 4,
}
diff --git a/security/keymint/aidl/android/hardware/security/keymint/IKeyMintDevice.aidl b/security/keymint/aidl/android/hardware/security/keymint/IKeyMintDevice.aidl
index cd8cfc5..9846ee9 100644
--- a/security/keymint/aidl/android/hardware/security/keymint/IKeyMintDevice.aidl
+++ b/security/keymint/aidl/android/hardware/security/keymint/IKeyMintDevice.aidl
@@ -93,6 +93,11 @@
* P-521. STRONGBOX IKeyMintDevices must support NIST curve P-256.
* - TRUSTED_ENVIRONMENT IKeyMintDevices must support SHA1, SHA-2 224, SHA-2 256, SHA-2
* 384 and SHA-2 512 digest modes. STRONGBOX IKeyMintDevices must support SHA-2 256.
+ * - TRUSTED_ENVRIONMENT IKeyMintDevices must support curve 25519 for Purpose::SIGN (Ed25519,
+ * as specified in RFC 8032), Purpose::ATTEST_KEY (Ed25519) or for KeyPurpose::AGREE_KEY
+ * (X25519, as specified in RFC 7748). However, a key must have exactly one of these
+ * purpose values; the same key cannot be used for multiple purposes.
+ * STRONGBOX IKeyMintDevices do not support curve 25519.
*
* o AES
*
@@ -287,7 +292,7 @@
* except AGREE_KEY must be supported for RSA keys.
*
* o Tag::DIGEST specifies digest algorithms that may be used with the new key. TEE
- * IKeyMintDevice implementations must support all Digest values (see digest.aidl) for RSA
+ * IKeyMintDevice implementations must support all Digest values (see Digest.aidl) for RSA
* keys. StrongBox IKeyMintDevice implementations must support SHA_2_256.
*
* o Tag::PADDING specifies the padding modes that may be used with the new
@@ -298,13 +303,24 @@
* == ECDSA Keys ==
*
* Tag::EC_CURVE must be provided to generate an ECDSA key. If it is not provided, generateKey
- * must return ErrorCode::UNSUPPORTED_KEY_SIZE. TEE IKeyMintDevice implementations must support
- * all curves. StrongBox implementations must support P_256.
-
+ * must return ErrorCode::UNSUPPORTED_KEY_SIZE or ErrorCode::UNSUPPORTED_EC_CURVE. TEE
+ * IKeyMintDevice implementations must support all required curves. StrongBox implementations
+ * must support P_256 and no other curves.
+ *
* Tag::CERTIFICATE_NOT_BEFORE and Tag::CERTIFICATE_NOT_AFTER must be provided to specify the
* valid date range for the returned X.509 certificate holding the public key. If omitted,
* generateKey must return ErrorCode::MISSING_NOT_BEFORE or ErrorCode::MISSING_NOT_AFTER.
*
+ * Keys with EC_CURVE of EcCurve::CURVE_25519 must have exactly one purpose in the set
+ * {KeyPurpose::SIGN, KeyPurpose::ATTEST_KEY, KeyPurpose::AGREE_KEY}. Key generation with more
+ * than one purpose should be rejected with ErrorCode::INCOMPATIBLE_PURPOSE.
+ * StrongBox implementation do not support CURVE_25519.
+ *
+ * Tag::DIGEST specifies digest algorithms that may be used with the new key. TEE
+ * IKeyMintDevice implementations must support all Digest values (see Digest.aidl) for ECDSA
+ * keys; Ed25519 keys only support Digest::NONE. StrongBox IKeyMintDevice implementations must
+ * support SHA_2_256.
+ *
* == AES Keys ==
*
* Only Tag::KEY_SIZE is required to generate an AES key. If omitted, generateKey must return
diff --git a/security/keymint/aidl/android/hardware/security/keymint/KeyFormat.aidl b/security/keymint/aidl/android/hardware/security/keymint/KeyFormat.aidl
index da3d521..3faef38 100644
--- a/security/keymint/aidl/android/hardware/security/keymint/KeyFormat.aidl
+++ b/security/keymint/aidl/android/hardware/security/keymint/KeyFormat.aidl
@@ -25,8 +25,10 @@
enum KeyFormat {
/** X.509 certificate format, for public key export. */
X509 = 0,
- /** PCKS#8 format, asymmetric key pair import. */
+ /** PKCS#8 format, asymmetric key pair import. */
PKCS8 = 1,
- /** Raw bytes, for symmetric key import. */
+ /**
+ * Raw bytes, for symmetric key import, and for import of raw asymmetric keys for curve 25519.
+ */
RAW = 3,
}
diff --git a/security/keymint/aidl/default/service.cpp b/security/keymint/aidl/default/service.cpp
index 8092e34..dc0c618 100644
--- a/security/keymint/aidl/default/service.cpp
+++ b/security/keymint/aidl/default/service.cpp
@@ -39,7 +39,7 @@
LOG(INFO) << "adding keymint service instance: " << instanceName;
binder_status_t status =
AServiceManager_addService(ser->asBinder().get(), instanceName.c_str());
- CHECK(status == STATUS_OK);
+ CHECK_EQ(status, STATUS_OK);
return ser;
}
diff --git a/security/keymint/aidl/vts/functional/KeyMintTest.cpp b/security/keymint/aidl/vts/functional/KeyMintTest.cpp
index dc14771..161531d 100644
--- a/security/keymint/aidl/vts/functional/KeyMintTest.cpp
+++ b/security/keymint/aidl/vts/functional/KeyMintTest.cpp
@@ -6618,7 +6618,7 @@
typedef KeyMintAidlTestBase KeyAgreementTest;
-int CurveToOpenSslCurveName(EcCurve curve) {
+static int EcdhCurveToOpenSslCurveName(EcCurve curve) {
switch (curve) {
case EcCurve::P_224:
return NID_secp224r1;
@@ -6628,6 +6628,8 @@
return NID_secp384r1;
case EcCurve::P_521:
return NID_secp521r1;
+ case EcCurve::CURVE_25519:
+ return NID_X25519;
}
}
@@ -6649,7 +6651,7 @@
for (auto localCurve : ValidCurves()) {
// Generate EC key locally (with access to private key material)
auto ecKey = EC_KEY_Ptr(EC_KEY_new());
- int curveName = CurveToOpenSslCurveName(localCurve);
+ int curveName = EcdhCurveToOpenSslCurveName(localCurve);
auto group = EC_GROUP_Ptr(EC_GROUP_new_by_curve_name(curveName));
ASSERT_NE(group, nullptr);
ASSERT_EQ(EC_KEY_set_group(ecKey.get(), group.get()), 1);
diff --git a/vibrator/aidl/default/main.cpp b/vibrator/aidl/default/main.cpp
index bd834d2..feba2c7 100644
--- a/vibrator/aidl/default/main.cpp
+++ b/vibrator/aidl/default/main.cpp
@@ -31,14 +31,14 @@
auto vib = ndk::SharedRefBase::make<Vibrator>();
const std::string vibName = std::string() + Vibrator::descriptor + "/default";
binder_status_t status = AServiceManager_addService(vib->asBinder().get(), vibName.c_str());
- CHECK(status == STATUS_OK);
+ CHECK_EQ(status, STATUS_OK);
// make the vibrator manager service with a different vibrator
auto managedVib = ndk::SharedRefBase::make<Vibrator>();
auto vibManager = ndk::SharedRefBase::make<VibratorManager>(std::move(managedVib));
const std::string vibManagerName = std::string() + VibratorManager::descriptor + "/default";
status = AServiceManager_addService(vibManager->asBinder().get(), vibManagerName.c_str());
- CHECK(status == STATUS_OK);
+ CHECK_EQ(status, STATUS_OK);
ABinderProcess_joinThreadPool();
return EXIT_FAILURE; // should not reach
diff --git a/weaver/aidl/default/service.cpp b/weaver/aidl/default/service.cpp
index 1495bc9..2099ffd 100644
--- a/weaver/aidl/default/service.cpp
+++ b/weaver/aidl/default/service.cpp
@@ -28,7 +28,7 @@
const std::string instance = std::string() + Weaver::descriptor + "/default";
binder_status_t status = AServiceManager_addService(weaver->asBinder().get(), instance.c_str());
- CHECK(status == STATUS_OK);
+ CHECK_EQ(status, STATUS_OK);
ABinderProcess_joinThreadPool();
return -1; // Should never be reached