Modifying HwKey::deriveKey parameter

Changing the provided opaque key policy type to a CBOR-formatted
byte array.

Bug: 284152719
Test: qemu android build
Change-Id: I0933c69bbfa3eeee956465b34fc163ed9b638eba
diff --git a/staging/security/see/hwcrypto/aidl/aidl_api/android.hardware.security.see/current/android/hardware/security/see/hwcrypto/IHwCryptoKey.aidl b/staging/security/see/hwcrypto/aidl/aidl_api/android.hardware.security.see/current/android/hardware/security/see/hwcrypto/IHwCryptoKey.aidl
index f0df507..3763f0a 100644
--- a/staging/security/see/hwcrypto/aidl/aidl_api/android.hardware.security.see/current/android/hardware/security/see/hwcrypto/IHwCryptoKey.aidl
+++ b/staging/security/see/hwcrypto/aidl/aidl_api/android.hardware.security.see/current/android/hardware/security/see/hwcrypto/IHwCryptoKey.aidl
@@ -58,8 +58,8 @@
     int keySizeBytes;
   }
   union DerivedKeyPolicy {
-    android.hardware.security.see.hwcrypto.KeyPolicy opaqueKey;
     android.hardware.security.see.hwcrypto.IHwCryptoKey.ClearKeyPolicy clearKey;
+    byte[] opaqueKey;
   }
   parcelable DerivedKeyParameters {
     android.hardware.security.see.hwcrypto.IOpaqueKey derivationKey;
diff --git a/staging/security/see/hwcrypto/aidl/android/hardware/security/see/hwcrypto/IHwCryptoKey.aidl b/staging/security/see/hwcrypto/aidl/android/hardware/security/see/hwcrypto/IHwCryptoKey.aidl
index d2b5604..b5e7e9d 100644
--- a/staging/security/see/hwcrypto/aidl/android/hardware/security/see/hwcrypto/IHwCryptoKey.aidl
+++ b/staging/security/see/hwcrypto/aidl/android/hardware/security/see/hwcrypto/IHwCryptoKey.aidl
@@ -90,15 +90,15 @@
 
     union DerivedKeyPolicy {
         /*
-         * Policy for the newly derived opaque key. Defines how the key can be used and its type.
-         */
-        KeyPolicy opaqueKey;
-
-        /*
          * If used we will derive a clear key and pass it back as an array of bytes on
          * <code>HwCryptoKeyMaterial::explicitKey</code>.
          */
         ClearKeyPolicy clearKey;
+
+        /*
+         * Policy for the newly derived opaque key. Defines how the key can be used and its type.
+         */
+        byte[] opaqueKey;
     }
 
     parcelable DerivedKeyParameters {
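Review bot: Moving `clearKey` ahead of `opaqueKey` in `DerivedKeyPolicy` changes which member a default-constructed union holds, because AIDL unions initialize to their first field. A caller that never sets the policy would now request a clear key (apparently with a default `ClearKeyPolicy`) instead of an opaque one. Unless that is intended, keep `opaqueKey` first or have the service reject a default clear-key policy; the aidl_api/current snapshot hunk carries the same reordering. The comment on `byte[] opaqueKey` should also state the encoding and the parsing contract, e.g. `* CBOR-encoded KeyPolicy (see KeyPolicy.cddl); implementations must reject malformed or unrecognized policies.` The enclosing interface starts outside this hunk.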
diff --git a/staging/security/see/hwcrypto/aidl/android/hardware/security/see/hwcrypto/KeyPolicy.cddl b/staging/security/see/hwcrypto/aidl/android/hardware/security/see/hwcrypto/KeyPolicy.cddl
new file mode 100644
index 0000000..77b632b
--- /dev/null
+++ b/staging/security/see/hwcrypto/aidl/android/hardware/security/see/hwcrypto/KeyPolicy.cddl
@@ -0,0 +1,66 @@
+;
+; Copyright (C) 2024 The Android Open Source Project
+;
+; Licensed under the Apache License, Version 2.0 (the "License");
+; you may not use this file except in compliance with the License.
+; You may obtain a copy of the License at
+;
+;      http://www.apache.org/licenses/LICENSE-2.0
+;
+; Unless required by applicable law or agreed to in writing, software
+; distributed under the License is distributed on an "AS IS" BASIS,
+; WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+; See the License for the specific language governing permissions and
+; limitations under the License.
+;
+
+KeyPolicy = [
+    -65701: KeyUse,           ;usage
+    -65702: KeyLifetime       ;keyLifetime
+    -65703: KeyPermissions    ;keyPermissions
+    -65704: KeyType           ;keyType
+    -65705: bool              ;keyManagementKey
+]
+
+KeyUse = &(
+    ENCRYPT: 1,
+    DECRYPT: 2,
+    ENCRYPT_DECRYPT: ENCRYPT | DECRYPT,
+    SIGN: 4,
+    DERIVE: 8,
+    WRAP: 16,
+)
+
+KeyLifetime = &(
+    EPHEMERAL: 0,
+    HARDWARE: 1,
+    PORTABLE: 2,
+)
+
+KeyPermissions = &(
+    ALLOW_EPHEMERAL_KEY_WRAPPING: 0,
+    ALLOW_HARDWARE_KEY_WRAPPING: 1,
+    ALLOW_PORTABLE_KEY_WRAPPING: 2,
+)
+
+enum KeyType = &(
+    AES_128_CBC_NO_PADDING: 0,
+    AES_128_CBC_PKCS7_PADDING: 1,
+    AES_128_CTR: 2,
+    AES_128_GCM: 3,
+    AES_128_CMAC: 4,
+    AES_256_CBC_NO_PADDING: 5,
+    AES_256_CBC_PKCS7_PADDING: 6,
+    AES_256_CTR: 7,
+    AES_256_GCM: 8,
+    AES_256_CMAC: 9,
+    HMAC_SHA256: 10,
+    HMAC_SHA512: 11,
+    RSA2048_PSS_SHA256: 12,
+    RSA2048_PKCS1_5_SHA256: 13,
+    ECC_NIST_P256_SIGN_NO_PADDING: 14,
+    ECC_NIST_P256_SIGN_SHA256: 15,
+    ECC_NIST_P521_SIGN_NO_PADDING: 16,
+    ECC_NIST_P521_SIGN_SHA512: 17,
+    ECC_ED25519_SIGN:18,
+)
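Review bot: The schema as written is unlikely to load in a CDDL tool, so it cannot be used to validate the policy bytes that `deriveKey` now accepts. `enum KeyType = &(` uses a keyword CDDL does not have, and `ENCRYPT_DECRYPT: ENCRYPT | DECRYPT` uses an operator it does not have; I would write `KeyType = &(` and `ENCRYPT_DECRYPT: 3,`. `KeyPolicy` is declared with `[` … `]`, but its entries carry integer labels (-65701 …), which in a CDDL array are documentation only. If a map keyed by those labels is intended it should be `KeyPolicy = {` … `}`, otherwise encoder and decoder can disagree on the wire shape. A short header comment saying that decoders must reject unknown keys, duplicate keys and out-of-range enum values would make the parsing contract explicit.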