Remove Secure Storage AIDL tamper and A/B update
Remove tamper acknowledgement and A/B update write settings. This
also removes the need for a lot of the operation options parcelables.
Test: mmm hardware/interfaces/staging/security/see/storage/aidl/
Bug: 278779487
Change-Id: I003f960bc14e19661c7aabb581846c52156fc8b3
diff --git a/staging/security/see/storage/aidl/android/hardware/security/see/storage/FileAvailability.aidl b/staging/security/see/storage/aidl/android/hardware/security/see/storage/Availability.aidl
similarity index 97%
rename from staging/security/see/storage/aidl/android/hardware/security/see/storage/FileAvailability.aidl
rename to staging/security/see/storage/aidl/android/hardware/security/see/storage/Availability.aidl
index d339170..21a275c 100644
--- a/staging/security/see/storage/aidl/android/hardware/security/see/storage/FileAvailability.aidl
+++ b/staging/security/see/storage/aidl/android/hardware/security/see/storage/Availability.aidl
@@ -16,7 +16,7 @@
package android.hardware.security.see.storage;
/** Determines how early during the boot process file is able to be accessed. */
-enum FileAvailability {
+enum Availability {
/** Available before userdata is mounted, but after android has booted. */
BEFORE_USERDATA,
diff --git a/staging/security/see/storage/aidl/android/hardware/security/see/storage/DeleteOptions.aidl b/staging/security/see/storage/aidl/android/hardware/security/see/storage/DeleteOptions.aidl
deleted file mode 100644
index 1a94eb2..0000000
--- a/staging/security/see/storage/aidl/android/hardware/security/see/storage/DeleteOptions.aidl
+++ /dev/null
@@ -1,37 +0,0 @@
-/*
- * Copyright 2024 The Android Open Source Project
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-package android.hardware.security.see.storage;
-
-import android.hardware.security.see.storage.ReadIntegrity;
-
-parcelable DeleteOptions {
- /**
- * Set to acknowledge possible files tampering.
- *
- * If unacknowledged tampering is detected, the operation will fail with an ERR_FS_*
- * service-specific code.
- */
- ReadIntegrity readIntegrity = ReadIntegrity.NO_TAMPER;
-
- /**
- * Allow writes to succeed while the filesystem is in the middle of an A/B update.
- *
- * If the A/B update fails, the operation will be rolled back. This rollback will not
- * cause subsequent operations fail with any ERR_FS_* code nor will need to be
- * acknowledged by setting the `readIntegrity`.
- */
- boolean allowWritesDuringAbUpdate = false;
-}
diff --git a/staging/security/see/storage/aidl/android/hardware/security/see/storage/FileProperties.aidl b/staging/security/see/storage/aidl/android/hardware/security/see/storage/FileProperties.aidl
deleted file mode 100644
index 733b5b0..0000000
--- a/staging/security/see/storage/aidl/android/hardware/security/see/storage/FileProperties.aidl
+++ /dev/null
@@ -1,27 +0,0 @@
-/*
- * Copyright 2024 The Android Open Source Project
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-package android.hardware.security.see.storage;
-
-import android.hardware.security.see.storage.FileAvailability;
-import android.hardware.security.see.storage.FileIntegrity;
-
-parcelable FileProperties {
- FileIntegrity integrity = FileIntegrity.TAMPER_PROOF_AT_REST;
- FileAvailability availability = FileAvailability.BEFORE_USERDATA;
-
- /** Whether the file is reset when user data is wiped. */
- boolean persistent;
-}
diff --git a/staging/security/see/storage/aidl/android/hardware/security/see/storage/Filesystem.aidl b/staging/security/see/storage/aidl/android/hardware/security/see/storage/Filesystem.aidl
new file mode 100644
index 0000000..ea8db53
--- /dev/null
+++ b/staging/security/see/storage/aidl/android/hardware/security/see/storage/Filesystem.aidl
@@ -0,0 +1,33 @@
+/*
+ * Copyright 2024 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package android.hardware.security.see.storage;
+
+import android.hardware.security.see.storage.Availability;
+import android.hardware.security.see.storage.Integrity;
+
+/**
+ * Specifies minimum security requirements for a Secure Storage filesystem.
+ */
+parcelable Filesystem {
+ Integrity integrity = Integrity.TAMPER_PROOF_AT_REST;
+ Availability availability = Availability.BEFORE_USERDATA;
+
+ /**
+ * Whether the file is reset on factory resets. Factory resets will not be reported as
+ * tampering.
+ */
+ boolean persistent;
+}
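Review bot: The comment on `persistent` reads as the inverse of its name: "Whether the file is reset on factory resets" describes a reset flag, while `persistent` suggests survival, and this parcelable describes a filesystem rather than a single file. If true means the contents survive, say so directly, e.g. `/** Whether the filesystem's contents survive a factory reset (true) or are wiped by one (false). A factory reset is never reported as tampering. */`. Since this commit also removes `TAMPER_DETECT_IGNORE_RESET` and `ReadIntegrity.IGNORE_RESET`, that second sentence is now the only place a client learns a reset will not surface as `ERR_FS_TAMPERED`; it is worth echoing in the `Integrity.TAMPER_DETECT` doc as well. `persistent` is also the only field without an explicit default while `integrity` and `availability` have one; if the implicit false is intended, state it.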
diff --git a/staging/security/see/storage/aidl/android/hardware/security/see/storage/IDir.aidl b/staging/security/see/storage/aidl/android/hardware/security/see/storage/IDir.aidl
index a0a9f3d..5d9a761 100644
--- a/staging/security/see/storage/aidl/android/hardware/security/see/storage/IDir.aidl
+++ b/staging/security/see/storage/aidl/android/hardware/security/see/storage/IDir.aidl
@@ -26,15 +26,15 @@
*
* @maxCount:
* the maximum number of filenames to return. A @maxCount of 0 signifies no limit on the
- * number of filenames returned.
+ * number of filenames returned.
*
* Returns:
* An ordered list of filenames. If @maxCount > 0, the length of the returned list will be
- * less than or equal to @maxCount.
+ * less than or equal to @maxCount.
*
* May return service-specific errors:
- * - ERR_FS_* if the filesystem has been tampered with in a way that the `readIntegrity` the
- * dir was opened with does not acknowledge
+ * - ERR_FS_* if the filesystem has been tampered with in a way that the session did not
+ * acknowledge
*/
@utf8InCpp String[] readNextFilenames(int maxCount);
}
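Review bot: The new wording "tampered with in a way that the session did not acknowledge" refers to an acknowledgement mechanism that this change removes everywhere (`ReadIntegrity` in `OpenOptions`, `DeleteOptions`, `RenameOptions` and the `openDir` parameter) without adding a session-level replacement visible in the diff; the same sentence is used in all five `IFile` hunks and in the `openFile`, `deleteFile`, `renameFile` and `openDir` hunks of `IStorageSession`. If the acknowledgement is now the `Integrity` level passed to `startSession`, name it once so a reader can find it, e.g. `* - ERR_FS_TAMPERED if tampering was detected that the Integrity level requested at startSession does not tolerate`. After the `ISecureStorage` change `ERR_FS_*` matches only `ERR_FS_TAMPERED` (`ERR_FS_RESET` and `ERR_FS_ROLLED_BACK` are deleted), so the glob can be replaced by the constant name. The `readNextFilenames` doc block starts outside this hunk.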
diff --git a/staging/security/see/storage/aidl/android/hardware/security/see/storage/IFile.aidl b/staging/security/see/storage/aidl/android/hardware/security/see/storage/IFile.aidl
index ff26aa4..fd2032e 100644
--- a/staging/security/see/storage/aidl/android/hardware/security/see/storage/IFile.aidl
+++ b/staging/security/see/storage/aidl/android/hardware/security/see/storage/IFile.aidl
@@ -32,8 +32,8 @@
* the sequence of bytes at [offset, offset + size) in the file
*
* May return service-specific errors:
- * - ERR_FS_* if the filesystem has been tampered with in a way that the `readIntegrity` the
- * file was opened with does not acknowledge
+ * - ERR_FS_* if the filesystem has been tampered with in a way that the session did not
+ * acknowledge
*/
byte[] read(long size, long offset);
@@ -47,8 +47,8 @@
* the number of bytes written successfully
*
* May return service-specific errors:
- * - ERR_FS_* if the filesystem has been tampered with in a way that the `readIntegrity` the
- * file was opened with does not acknowledge
+ * - ERR_FS_* if the filesystem has been tampered with in a way that the session did not
+ * acknowledge
*/
long write(long offset, in byte[] buffer);
@@ -56,8 +56,8 @@
* Reads this file's size.
*
* May return service-specific errors:
- * - ERR_FS_* if the filesystem has been tampered with in a way that the `readIntegrity` the
- * file was opened with does not acknowledge
+ * - ERR_FS_* if the filesystem has been tampered with in a way that the session did not
+ * acknowledge
*/
long getSize();
@@ -71,8 +71,8 @@
* the file's new size
*
* May return service-specific errors:
- * - ERR_FS_* if the filesystem has been tampered with in a way that the `readIntegrity` the
- * file was opened with does not acknowledge
+ * - ERR_FS_* if the filesystem has been tampered with in a way that the session did not
+ * acknowledge
*/
void setSize(long newSize);
@@ -88,8 +88,8 @@
* - ERR_NOT_FOUND if no file exists at @destPath and @destCreateMode is `NO_CREATE`
* - ERR_ALREADY_EXISTS if a file already exists at @destPath and @destCreateMode is
* `CREATE_EXCLUSIVE`
- * - ERR_FS_* if the filesystem has been tampered with in a way that the `readIntegrity` the
- * file was opened with does not acknowledge
+ * - ERR_FS_* if the filesystem has been tampered with in a way that the session did not
+ * acknowledge
*/
void rename(in @utf8InCpp String destPath, in CreationMode destCreateMode);
}
diff --git a/staging/security/see/storage/aidl/android/hardware/security/see/storage/ISecureStorage.aidl b/staging/security/see/storage/aidl/android/hardware/security/see/storage/ISecureStorage.aidl
index be3c045..022de9a 100644
--- a/staging/security/see/storage/aidl/android/hardware/security/see/storage/ISecureStorage.aidl
+++ b/staging/security/see/storage/aidl/android/hardware/security/see/storage/ISecureStorage.aidl
@@ -15,7 +15,7 @@
*/
package android.hardware.security.see.storage;
-import android.hardware.security.see.storage.FileProperties;
+import android.hardware.security.see.storage.Filesystem;
import android.hardware.security.see.storage.IStorageSession;
/**
@@ -28,20 +28,18 @@
const int ERR_NOT_FOUND = 2;
const int ERR_ALREADY_EXISTS = 3;
const int ERR_BAD_TRANSACTION = 4;
-
- const int ERR_FS_RESET = 5;
- const int ERR_FS_ROLLED_BACK = 6;
- const int ERR_FS_TAMPERED = 7;
+ const int ERR_AB_UPDATE_IN_PROGRESS = 5;
+ const int ERR_FS_TAMPERED = 6;
/**
* Starts a storage session for a filesystem.
*
- * @properties:
- * the minimum filesystem properties requested for the session.
+ * @filesystem:
+ * The minimum filesystem properties requested.
*
* May return service-specific errors:
* - ERR_UNSUPPORTED_PROPERTIES if no filesystems exist which meet the minimum requested
- * requirements
+ * requirements
*/
- IStorageSession startSession(in FileProperties properties);
+ IStorageSession startSession(in Filesystem filesystem);
}
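Review bot: `ERR_AB_UPDATE_IN_PROGRESS` is introduced here, but no method documentation in this change lists when it is returned, and the only text that described A/B-update behaviour (`allowWritesDuringAbUpdate` in `OpenOptions`, `DeleteOptions` and `RenameOptions`) is deleted in the same commit. Either add it to the "May return service-specific errors" list of the affected methods or document it next to the constant, e.g. `/** The filesystem is in the middle of an A/B update and the requested operation was not performed. */`, adjusted to the intended semantics. Separately, `ERR_FS_TAMPERED` changes value from 7 to 6; that is acceptable while the interface lives under `staging/`, but any implementation or test that already references the numeric value needs the same change. The `ISecureStorage` interface body begins outside this hunk.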
diff --git a/staging/security/see/storage/aidl/android/hardware/security/see/storage/IStorageSession.aidl b/staging/security/see/storage/aidl/android/hardware/security/see/storage/IStorageSession.aidl
index cd126b8..1b70a0e 100644
--- a/staging/security/see/storage/aidl/android/hardware/security/see/storage/IStorageSession.aidl
+++ b/staging/security/see/storage/aidl/android/hardware/security/see/storage/IStorageSession.aidl
@@ -15,12 +15,10 @@
*/
package android.hardware.security.see.storage;
-import android.hardware.security.see.storage.DeleteOptions;
+import android.hardware.security.see.storage.CreationMode;
import android.hardware.security.see.storage.IDir;
import android.hardware.security.see.storage.IFile;
import android.hardware.security.see.storage.OpenOptions;
-import android.hardware.security.see.storage.ReadIntegrity;
-import android.hardware.security.see.storage.RenameOptions;
/**
* Interface for a Secure Storage session
@@ -66,8 +64,8 @@
* May return service-specific errors:
* - ERR_NOT_FOUND
* - ERR_ALREADY_EXISTS
- * - ERR_FS_* if the filesystem has been tampered with in a way that @options.readIntegrity
- * does not acknowledge
+ * - ERR_FS_* if the filesystem has been tampered with in a way that the session did not
+ * acknowledge
*/
IFile openFile(in @utf8InCpp String filePath, in OpenOptions options);
@@ -81,10 +79,10 @@
*
* May return service-specific errors:
* - ERR_NOT_FOUND
- * - ERR_FS_* if the filesystem has been tampered with in a way that @options.readIntegrity
- * does not acknowledge
+ * - ERR_FS_* if the filesystem has been tampered with in a way that the session did not
+ * acknowledge
*/
- void deleteFile(in @utf8InCpp String filePath, in DeleteOptions options);
+ void deleteFile(in @utf8InCpp String filePath);
/**
* Renames an existing file.
@@ -95,19 +93,19 @@
* path to the file, relative to filesystem root
* @destPath:
* the file's new path, relative to filesystem root
- * @options:
- * options controlling rename behavior
+ * @destCreateMode:
+ * creation behavior for the dest file
*
* May return service-specific errors:
- * - ERR_NOT_FOUND if no file exists at @currentPath, or if @options.destCreateMode is
- * `NO_CREATE` and no file exists at @destPath
- * - ERR_ALREADY_EXISTS if @options.destCreateMode is `CREATE_EXCLUSIVE` and a file exists at
+ * - ERR_NOT_FOUND if no file exists at @currentPath, or if @destCreateMode is `NO_CREATE` and
+ * no file exists at @destPath
+ * - ERR_ALREADY_EXISTS if @destCreateMode is `CREATE_EXCLUSIVE` and a file exists at
* @destPath
- * - ERR_FS_* if the filesystem has been tampered with in a way that @options.readIntegrity
- * does not acknowledge
+ * - ERR_FS_* if the filesystem has been tampered with in a way that the session did not
+ * acknowledge
*/
void renameFile(in @utf8InCpp String currentPath, in @utf8InCpp String destPath,
- in RenameOptions options);
+ in CreationMode destCreateMode);
/**
* Opens a directory from a filesystem with the given properties.
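Review bot: The new `@destCreateMode` doc drops both things the deleted `RenameOptions` said about it: the pointer to the `CreationMode` docs and the former default of `CREATE_EXCLUSIVE`, which callers must now pass explicitly because a bare parameter carries no default. Suggest `* @destCreateMode:` / `* creation behavior for the dest file. See `CreationMode` docs for details. There is no default; pass CREATE_EXCLUSIVE for the previous behavior.`. The hunk's last context line, "Opens a directory from a filesystem with the given properties", is also stale now that `openDir` (changed in the following hunk) takes only a path. The `renameFile` doc block starts outside this hunk.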
@@ -116,14 +114,11 @@
*
* @path:
* path to the directory, relative to filesystem root
- * @readIntegrity:
- * allow opening (and subsequent read/write operations) despite possible tampering for the
- * directory
*
* May return service-specific errors:
* - ERR_NOT_FOUND
- * - ERR_FS_* if the filesystem has been tampered with in a way that @readIntegrity does not
+ * - ERR_FS_* if the filesystem has been tampered with in a way that the session did not
* acknowledge
*/
- IDir openDir(in @utf8InCpp String path, in ReadIntegrity readIntegrity);
+ IDir openDir(in @utf8InCpp String path);
}
diff --git a/staging/security/see/storage/aidl/android/hardware/security/see/storage/FileIntegrity.aidl b/staging/security/see/storage/aidl/android/hardware/security/see/storage/Integrity.aidl
similarity index 83%
rename from staging/security/see/storage/aidl/android/hardware/security/see/storage/FileIntegrity.aidl
rename to staging/security/see/storage/aidl/android/hardware/security/see/storage/Integrity.aidl
index 1879b16..2f7f7ab 100644
--- a/staging/security/see/storage/aidl/android/hardware/security/see/storage/FileIntegrity.aidl
+++ b/staging/security/see/storage/aidl/android/hardware/security/see/storage/Integrity.aidl
@@ -15,7 +15,7 @@
*/
package android.hardware.security.see.storage;
-enum FileIntegrity {
+enum Integrity {
/** REE may prevent operations, but cannot alter data once written. */
TAMPER_PROOF_AT_REST,
@@ -24,10 +24,4 @@
* an error on read.
*/
TAMPER_DETECT,
-
- /**
- * REE may alter written data. Changes other than full filesystem resets will be detected and
- * reported.
- */
- TAMPER_DETECT_IGNORE_RESET,
}
diff --git a/staging/security/see/storage/aidl/android/hardware/security/see/storage/OpenOptions.aidl b/staging/security/see/storage/aidl/android/hardware/security/see/storage/OpenOptions.aidl
index 997ca62..9fdf9e5 100644
--- a/staging/security/see/storage/aidl/android/hardware/security/see/storage/OpenOptions.aidl
+++ b/staging/security/see/storage/aidl/android/hardware/security/see/storage/OpenOptions.aidl
@@ -17,7 +17,6 @@
import android.hardware.security.see.storage.CreationMode;
import android.hardware.security.see.storage.FileMode;
-import android.hardware.security.see.storage.ReadIntegrity;
parcelable OpenOptions {
/** Controls creation behavior of the to-be-opened file. See `CreationMode` docs for details. */
@@ -27,25 +26,8 @@
FileMode accessMode = FileMode.READ_WRITE;
/**
- * Set to acknowledge possible files tampering.
- *
- * If unacknowledged tampering is detected, the operation will fail with an ERR_FS_*
- * service-specific code.
- */
- ReadIntegrity readIntegrity = ReadIntegrity.NO_TAMPER;
-
- /**
* If this file already exists, discard existing content and open
* it as a new file. No semantic change if the file does not exist.
*/
boolean truncateOnOpen;
-
- /**
- * Allow writes to succeed while the filesystem is in the middle of an A/B update.
- *
- * If the A/B update fails, the operation will be rolled back. This rollback will not
- * cause subsequent operations fail with any ERR_FS_* code nor will need to be
- * acknowledged by setting the `readIntegrity`.
- */
- boolean allowWritesDuringAbUpdate = false;
}
diff --git a/staging/security/see/storage/aidl/android/hardware/security/see/storage/ReadIntegrity.aidl b/staging/security/see/storage/aidl/android/hardware/security/see/storage/ReadIntegrity.aidl
deleted file mode 100644
index cc0e4f9..0000000
--- a/staging/security/see/storage/aidl/android/hardware/security/see/storage/ReadIntegrity.aidl
+++ /dev/null
@@ -1,41 +0,0 @@
-/*
- * Copyright 2024 The Android Open Source Project
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-package android.hardware.security.see.storage;
-
-enum ReadIntegrity {
- /**
- * Return an error on reads if any REE alteration of the written data
- * has been detected.
- */
- NO_TAMPER,
-
- /**
- * Return an error on reads if any REE alteration other than a reset
- * has been detected.
- */
- IGNORE_RESET,
-
- /**
- * Return an error if any REE alteration other than a rollback to a
- * valid checkpoint has been detected. (What makes a checkpoint valid is
- * implementation defined; an implementation might take a checkpoint on its
- * first post-factory boot. A reset is a rollback to the initial state.)
- */
- IGNORE_ROLLBACK,
-
- // There's no `IGNORE_ALL` because if REE has done any alteration other
- // than a rollback, the file contents will be known-bad data.
-}
diff --git a/staging/security/see/storage/aidl/android/hardware/security/see/storage/RenameOptions.aidl b/staging/security/see/storage/aidl/android/hardware/security/see/storage/RenameOptions.aidl
deleted file mode 100644
index f55ea7f..0000000
--- a/staging/security/see/storage/aidl/android/hardware/security/see/storage/RenameOptions.aidl
+++ /dev/null
@@ -1,41 +0,0 @@
-/*
- * Copyright 2024 The Android Open Source Project
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-package android.hardware.security.see.storage;
-
-import android.hardware.security.see.storage.CreationMode;
-import android.hardware.security.see.storage.ReadIntegrity;
-
-parcelable RenameOptions {
- /** Controls creation behavior of the dest file. See `CreationMode` docs for details. */
- CreationMode destCreateMode = CreationMode.CREATE_EXCLUSIVE;
-
- /**
- * Set to acknowledge possible files tampering.
- *
- * If unacknowledged tampering is detected, the operation will fail with an ERR_FS_*
- * service-specific code.
- */
- ReadIntegrity readIntegrity = ReadIntegrity.NO_TAMPER;
-
- /**
- * Allow writes to succeed while the filesystem is in the middle of an A/B update.
- *
- * If the A/B update fails, the operation will be rolled back. This rollback will not
- * cause subsequent operations fail with any ERR_FS_* code nor will need to be
- * acknowledged by setting the `readIntegrity`.
- */
- boolean allowWritesDuringAbUpdate = false;
-}
diff --git a/staging/security/see/storage/aidl/android/hardware/security/see/storage/Tamper.aidl b/staging/security/see/storage/aidl/android/hardware/security/see/storage/Tamper.aidl
deleted file mode 100644
index 0a39fdd..0000000
--- a/staging/security/see/storage/aidl/android/hardware/security/see/storage/Tamper.aidl
+++ /dev/null
@@ -1,28 +0,0 @@
-/*
- * Copyright 2024 The Android Open Source Project
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-package android.hardware.security.see.storage;
-
-/** Specifies types of REE tampering the filesystem may detect */
-enum Tamper {
- /** REE has reset this file or the containing file system. */
- RESET,
-
- /** REE has rolled back this file or the containing file system to a previous state. */
- ROLLBACK,
-
- /** REE has made some other modification to the file. */
- OTHER,
-}