Merge "KeyMint HAL: clarify ATTEST_KEY is like SIGN" am: afa73442b7
Original change: https://android-review.googlesource.com/c/platform/hardware/interfaces/+/2033928
Change-Id: I2519c3a8525d4196b8a3969d6bdb0a0d73df3f8d
diff --git a/security/keymint/aidl/android/hardware/security/keymint/KeyCreationResult.aidl b/security/keymint/aidl/android/hardware/security/keymint/KeyCreationResult.aidl
index 16bbc5c..a4cfb8b 100644
--- a/security/keymint/aidl/android/hardware/security/keymint/KeyCreationResult.aidl
+++ b/security/keymint/aidl/android/hardware/security/keymint/KeyCreationResult.aidl
@@ -78,15 +78,16 @@
* provided, otherwise ATTESTATION_APPLICATION_ID_MISSING will be returned.
*
* 3. Asymmetric key non-attestation with signing key. If Tag::ATTESTATION_CHALLENGE is not
- * provided and the generated/imported key has KeyPurpose::SIGN, then the returned
- * certificate chain must contain only a single self-signed certificate with no attestation
- * extension. Tag::ATTESTATION_APPLICATION_ID will be ignored if provided.
+ * provided and the generated/imported key has KeyPurpose::SIGN or KeyPurpose::ATTEST_KEY,
+ * then the returned certificate chain must contain only a single self-signed certificate
+ * with no attestation extension. Tag::ATTESTATION_APPLICATION_ID will be ignored if
+ * provided.
*
* 4. Asymmetric key non-attestation with non-signing key. If TAG::ATTESTATION_CHALLENGE is
- * not provided and the generated/imported key does not have KeyPurpose::SIGN, then the
- * returned certificate chain must contain only a single certificate with an empty signature
- * and no attestation extension. Tag::ATTESTATION_APPLICATION_ID will be ignored if
- * provided.
+ * not provided and the generated/imported key does not have KeyPurpose::SIGN nor
+ * KeyPurpose::ATTEST_KEY, then the returned certificate chain must contain only a single
+ * certificate with an empty signature and no attestation extension.
+ * Tag::ATTESTATION_APPLICATION_ID will be ignored if provided.
*
* 5. Symmetric key. If the generated/imported key is symmetric, the certificate chain must
* return empty, any Tag::ATTESTATION_CHALLENGE or Tag::ATTESTATION_APPLICATION_ID inputs,
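Review bot: the new wording in case 4, "does not have KeyPurpose::SIGN nor KeyPurpose::ATTEST_KEY", reads awkwardly; suggest "has neither KeyPurpose::SIGN nor KeyPurpose::ATTEST_KEY" so the condition is unambiguous. The item titles "with signing key" (case 3) and "with non-signing key" (case 4) were also left unchanged even though both cases now cover ATTEST_KEY as well; a title such as "with signing or attestation key" would keep the summary in step with the body. Minor: the adjacent context line in case 4 spells the tag as "TAG::ATTESTATION_CHALLENGE" while the rest of the block uses "Tag::"; since this hunk already rewrites that paragraph, it is a good moment to make the casing consistent.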