Add module info AIDL changes and bump the KeyMint version
Bug: 369375199
Test: Manually checked that module info is added to the attestation when
sent via IKeyMintDevice::setModuleInfo.
Ignore-AOSP-First: Lands with other HAL version bump changes to avoid
build failure. At least one of the changes is internal. Will
cherry-pick to AOSP ASAP.
Change-Id: Idb11823e6b65cf17d62ae8687febffee860565e3
diff --git a/compatibility_matrices/compatibility_matrix.202504.xml b/compatibility_matrices/compatibility_matrix.202504.xml
index 10f73f1..8d7703c 100644
--- a/compatibility_matrices/compatibility_matrix.202504.xml
+++ b/compatibility_matrices/compatibility_matrix.202504.xml
@@ -313,7 +313,7 @@
</hal>
<hal format="aidl" updatable-via-apex="true">
<name>android.hardware.security.keymint</name>
- <version>1-3</version>
+ <version>1-4</version>
<interface>
<name>IKeyMintDevice</name>
<instance>default</instance>
diff --git a/confirmationui/aidl/Android.bp b/confirmationui/aidl/Android.bp
index 51bde0a..1f17866 100644
--- a/confirmationui/aidl/Android.bp
+++ b/confirmationui/aidl/Android.bp
@@ -19,8 +19,8 @@
aidl_interface {
name: "android.hardware.confirmationui",
vendor_available: true,
- imports: [
- "android.hardware.security.keymint-V3",
+ defaults: [
+ "android.hardware.security.keymint-latest-defaults",
],
srcs: ["android/hardware/confirmationui/*.aidl"],
stability: "vintf",
@@ -38,7 +38,7 @@
versions_with_info: [
{
version: "1",
- imports: ["android.hardware.security.keymint-V3"],
+ imports: ["android.hardware.security.keymint-V4"],
},
],
frozen: true,
diff --git a/gatekeeper/aidl/Android.bp b/gatekeeper/aidl/Android.bp
index 169a7d5..88c10b7 100644
--- a/gatekeeper/aidl/Android.bp
+++ b/gatekeeper/aidl/Android.bp
@@ -10,8 +10,8 @@
aidl_interface {
name: "android.hardware.gatekeeper",
vendor_available: true,
- imports: [
- "android.hardware.security.keymint-V3",
+ defaults: [
+ "android.hardware.security.keymint-latest-defaults",
],
srcs: ["android/hardware/gatekeeper/*.aidl"],
stability: "vintf",
@@ -32,7 +32,7 @@
versions_with_info: [
{
version: "1",
- imports: ["android.hardware.security.keymint-V3"],
+ imports: ["android.hardware.security.keymint-V4"],
},
],
frozen: true,
diff --git a/security/keymint/aidl/Android.bp b/security/keymint/aidl/Android.bp
index e346610..a2e58ac 100644
--- a/security/keymint/aidl/Android.bp
+++ b/security/keymint/aidl/Android.bp
@@ -17,7 +17,7 @@
"android.hardware.security.secureclock-V1",
],
stability: "vintf",
- frozen: true,
+ frozen: false,
backend: {
java: {
platform_apis: true,
@@ -51,34 +51,42 @@
}
+// An aidl_interface_defaults that includes the latest KeyMint AIDL interface.
+// aidl_interface modules that depend on KeyMint directly can include this
+// aidl_interface_defaults to avoid managing dependency versions explicitly.
+aidl_interface_defaults {
+ name: "android.hardware.security.keymint-latest-defaults",
+ imports: ["android.hardware.security.keymint-V4"],
+}
+
// cc_defaults that includes the latest KeyMint AIDL library.
// Modules that depend on KeyMint directly can include this cc_defaults to avoid
// managing dependency versions explicitly.
cc_defaults {
name: "keymint_use_latest_hal_aidl_ndk_static",
static_libs: [
- "android.hardware.security.keymint-V3-ndk",
+ "android.hardware.security.keymint-V4-ndk",
],
}
cc_defaults {
name: "keymint_use_latest_hal_aidl_ndk_shared",
shared_libs: [
- "android.hardware.security.keymint-V3-ndk",
+ "android.hardware.security.keymint-V4-ndk",
],
}
cc_defaults {
name: "keymint_use_latest_hal_aidl_cpp_static",
static_libs: [
- "android.hardware.security.keymint-V3-cpp",
+ "android.hardware.security.keymint-V4-cpp",
],
}
cc_defaults {
name: "keymint_use_latest_hal_aidl_cpp_shared",
shared_libs: [
- "android.hardware.security.keymint-V3-cpp",
+ "android.hardware.security.keymint-V4-cpp",
],
}
@@ -88,6 +96,6 @@
rust_defaults {
name: "keymint_use_latest_hal_aidl_rust",
rustlibs: [
- "android.hardware.security.keymint-V3-rust",
+ "android.hardware.security.keymint-V4-rust",
],
}
diff --git a/security/keymint/aidl/aidl_api/android.hardware.security.keymint/current/android/hardware/security/keymint/ErrorCode.aidl b/security/keymint/aidl/aidl_api/android.hardware.security.keymint/current/android/hardware/security/keymint/ErrorCode.aidl
index b05a0f3..71d3651 100644
--- a/security/keymint/aidl/aidl_api/android.hardware.security.keymint/current/android/hardware/security/keymint/ErrorCode.aidl
+++ b/security/keymint/aidl/aidl_api/android.hardware.security.keymint/current/android/hardware/security/keymint/ErrorCode.aidl
@@ -36,90 +36,91 @@
@Backing(type="int") @VintfStability
enum ErrorCode {
OK = 0,
- ROOT_OF_TRUST_ALREADY_SET = -1,
- UNSUPPORTED_PURPOSE = -2,
- INCOMPATIBLE_PURPOSE = -3,
- UNSUPPORTED_ALGORITHM = -4,
- INCOMPATIBLE_ALGORITHM = -5,
- UNSUPPORTED_KEY_SIZE = -6,
- UNSUPPORTED_BLOCK_MODE = -7,
- INCOMPATIBLE_BLOCK_MODE = -8,
- UNSUPPORTED_MAC_LENGTH = -9,
- UNSUPPORTED_PADDING_MODE = -10,
- INCOMPATIBLE_PADDING_MODE = -11,
- UNSUPPORTED_DIGEST = -12,
- INCOMPATIBLE_DIGEST = -13,
- INVALID_EXPIRATION_TIME = -14,
- INVALID_USER_ID = -15,
- INVALID_AUTHORIZATION_TIMEOUT = -16,
- UNSUPPORTED_KEY_FORMAT = -17,
- INCOMPATIBLE_KEY_FORMAT = -18,
- UNSUPPORTED_KEY_ENCRYPTION_ALGORITHM = -19,
- UNSUPPORTED_KEY_VERIFICATION_ALGORITHM = -20,
- INVALID_INPUT_LENGTH = -21,
- KEY_EXPORT_OPTIONS_INVALID = -22,
- DELEGATION_NOT_ALLOWED = -23,
- KEY_NOT_YET_VALID = -24,
- KEY_EXPIRED = -25,
- KEY_USER_NOT_AUTHENTICATED = -26,
- OUTPUT_PARAMETER_NULL = -27,
- INVALID_OPERATION_HANDLE = -28,
- INSUFFICIENT_BUFFER_SPACE = -29,
- VERIFICATION_FAILED = -30,
- TOO_MANY_OPERATIONS = -31,
- UNEXPECTED_NULL_POINTER = -32,
- INVALID_KEY_BLOB = -33,
- IMPORTED_KEY_NOT_ENCRYPTED = -34,
- IMPORTED_KEY_DECRYPTION_FAILED = -35,
- IMPORTED_KEY_NOT_SIGNED = -36,
- IMPORTED_KEY_VERIFICATION_FAILED = -37,
- INVALID_ARGUMENT = -38,
- UNSUPPORTED_TAG = -39,
- INVALID_TAG = -40,
- MEMORY_ALLOCATION_FAILED = -41,
- IMPORT_PARAMETER_MISMATCH = -44,
- SECURE_HW_ACCESS_DENIED = -45,
- OPERATION_CANCELLED = -46,
- CONCURRENT_ACCESS_CONFLICT = -47,
- SECURE_HW_BUSY = -48,
- SECURE_HW_COMMUNICATION_FAILED = -49,
- UNSUPPORTED_EC_FIELD = -50,
- MISSING_NONCE = -51,
- INVALID_NONCE = -52,
- MISSING_MAC_LENGTH = -53,
- KEY_RATE_LIMIT_EXCEEDED = -54,
- CALLER_NONCE_PROHIBITED = -55,
- KEY_MAX_OPS_EXCEEDED = -56,
- INVALID_MAC_LENGTH = -57,
- MISSING_MIN_MAC_LENGTH = -58,
- UNSUPPORTED_MIN_MAC_LENGTH = -59,
- UNSUPPORTED_KDF = -60,
- UNSUPPORTED_EC_CURVE = -61,
- KEY_REQUIRES_UPGRADE = -62,
- ATTESTATION_CHALLENGE_MISSING = -63,
- KEYMINT_NOT_CONFIGURED = -64,
- ATTESTATION_APPLICATION_ID_MISSING = -65,
- CANNOT_ATTEST_IDS = -66,
- ROLLBACK_RESISTANCE_UNAVAILABLE = -67,
- HARDWARE_TYPE_UNAVAILABLE = -68,
- PROOF_OF_PRESENCE_REQUIRED = -69,
- CONCURRENT_PROOF_OF_PRESENCE_REQUESTED = -70,
- NO_USER_CONFIRMATION = -71,
- DEVICE_LOCKED = -72,
- EARLY_BOOT_ENDED = -73,
- ATTESTATION_KEYS_NOT_PROVISIONED = -74,
- ATTESTATION_IDS_NOT_PROVISIONED = -75,
- INVALID_OPERATION = -76,
- STORAGE_KEY_UNSUPPORTED = -77,
- INCOMPATIBLE_MGF_DIGEST = -78,
- UNSUPPORTED_MGF_DIGEST = -79,
- MISSING_NOT_BEFORE = -80,
- MISSING_NOT_AFTER = -81,
- MISSING_ISSUER_SUBJECT = -82,
- INVALID_ISSUER_SUBJECT = -83,
- BOOT_LEVEL_EXCEEDED = -84,
- HARDWARE_NOT_YET_AVAILABLE = -85,
- UNIMPLEMENTED = -100,
- VERSION_MISMATCH = -101,
- UNKNOWN_ERROR = -1000,
+ ROOT_OF_TRUST_ALREADY_SET = (-1) /* -1 */,
+ UNSUPPORTED_PURPOSE = (-2) /* -2 */,
+ INCOMPATIBLE_PURPOSE = (-3) /* -3 */,
+ UNSUPPORTED_ALGORITHM = (-4) /* -4 */,
+ INCOMPATIBLE_ALGORITHM = (-5) /* -5 */,
+ UNSUPPORTED_KEY_SIZE = (-6) /* -6 */,
+ UNSUPPORTED_BLOCK_MODE = (-7) /* -7 */,
+ INCOMPATIBLE_BLOCK_MODE = (-8) /* -8 */,
+ UNSUPPORTED_MAC_LENGTH = (-9) /* -9 */,
+ UNSUPPORTED_PADDING_MODE = (-10) /* -10 */,
+ INCOMPATIBLE_PADDING_MODE = (-11) /* -11 */,
+ UNSUPPORTED_DIGEST = (-12) /* -12 */,
+ INCOMPATIBLE_DIGEST = (-13) /* -13 */,
+ INVALID_EXPIRATION_TIME = (-14) /* -14 */,
+ INVALID_USER_ID = (-15) /* -15 */,
+ INVALID_AUTHORIZATION_TIMEOUT = (-16) /* -16 */,
+ UNSUPPORTED_KEY_FORMAT = (-17) /* -17 */,
+ INCOMPATIBLE_KEY_FORMAT = (-18) /* -18 */,
+ UNSUPPORTED_KEY_ENCRYPTION_ALGORITHM = (-19) /* -19 */,
+ UNSUPPORTED_KEY_VERIFICATION_ALGORITHM = (-20) /* -20 */,
+ INVALID_INPUT_LENGTH = (-21) /* -21 */,
+ KEY_EXPORT_OPTIONS_INVALID = (-22) /* -22 */,
+ DELEGATION_NOT_ALLOWED = (-23) /* -23 */,
+ KEY_NOT_YET_VALID = (-24) /* -24 */,
+ KEY_EXPIRED = (-25) /* -25 */,
+ KEY_USER_NOT_AUTHENTICATED = (-26) /* -26 */,
+ OUTPUT_PARAMETER_NULL = (-27) /* -27 */,
+ INVALID_OPERATION_HANDLE = (-28) /* -28 */,
+ INSUFFICIENT_BUFFER_SPACE = (-29) /* -29 */,
+ VERIFICATION_FAILED = (-30) /* -30 */,
+ TOO_MANY_OPERATIONS = (-31) /* -31 */,
+ UNEXPECTED_NULL_POINTER = (-32) /* -32 */,
+ INVALID_KEY_BLOB = (-33) /* -33 */,
+ IMPORTED_KEY_NOT_ENCRYPTED = (-34) /* -34 */,
+ IMPORTED_KEY_DECRYPTION_FAILED = (-35) /* -35 */,
+ IMPORTED_KEY_NOT_SIGNED = (-36) /* -36 */,
+ IMPORTED_KEY_VERIFICATION_FAILED = (-37) /* -37 */,
+ INVALID_ARGUMENT = (-38) /* -38 */,
+ UNSUPPORTED_TAG = (-39) /* -39 */,
+ INVALID_TAG = (-40) /* -40 */,
+ MEMORY_ALLOCATION_FAILED = (-41) /* -41 */,
+ IMPORT_PARAMETER_MISMATCH = (-44) /* -44 */,
+ SECURE_HW_ACCESS_DENIED = (-45) /* -45 */,
+ OPERATION_CANCELLED = (-46) /* -46 */,
+ CONCURRENT_ACCESS_CONFLICT = (-47) /* -47 */,
+ SECURE_HW_BUSY = (-48) /* -48 */,
+ SECURE_HW_COMMUNICATION_FAILED = (-49) /* -49 */,
+ UNSUPPORTED_EC_FIELD = (-50) /* -50 */,
+ MISSING_NONCE = (-51) /* -51 */,
+ INVALID_NONCE = (-52) /* -52 */,
+ MISSING_MAC_LENGTH = (-53) /* -53 */,
+ KEY_RATE_LIMIT_EXCEEDED = (-54) /* -54 */,
+ CALLER_NONCE_PROHIBITED = (-55) /* -55 */,
+ KEY_MAX_OPS_EXCEEDED = (-56) /* -56 */,
+ INVALID_MAC_LENGTH = (-57) /* -57 */,
+ MISSING_MIN_MAC_LENGTH = (-58) /* -58 */,
+ UNSUPPORTED_MIN_MAC_LENGTH = (-59) /* -59 */,
+ UNSUPPORTED_KDF = (-60) /* -60 */,
+ UNSUPPORTED_EC_CURVE = (-61) /* -61 */,
+ KEY_REQUIRES_UPGRADE = (-62) /* -62 */,
+ ATTESTATION_CHALLENGE_MISSING = (-63) /* -63 */,
+ KEYMINT_NOT_CONFIGURED = (-64) /* -64 */,
+ ATTESTATION_APPLICATION_ID_MISSING = (-65) /* -65 */,
+ CANNOT_ATTEST_IDS = (-66) /* -66 */,
+ ROLLBACK_RESISTANCE_UNAVAILABLE = (-67) /* -67 */,
+ HARDWARE_TYPE_UNAVAILABLE = (-68) /* -68 */,
+ PROOF_OF_PRESENCE_REQUIRED = (-69) /* -69 */,
+ CONCURRENT_PROOF_OF_PRESENCE_REQUESTED = (-70) /* -70 */,
+ NO_USER_CONFIRMATION = (-71) /* -71 */,
+ DEVICE_LOCKED = (-72) /* -72 */,
+ EARLY_BOOT_ENDED = (-73) /* -73 */,
+ ATTESTATION_KEYS_NOT_PROVISIONED = (-74) /* -74 */,
+ ATTESTATION_IDS_NOT_PROVISIONED = (-75) /* -75 */,
+ INVALID_OPERATION = (-76) /* -76 */,
+ STORAGE_KEY_UNSUPPORTED = (-77) /* -77 */,
+ INCOMPATIBLE_MGF_DIGEST = (-78) /* -78 */,
+ UNSUPPORTED_MGF_DIGEST = (-79) /* -79 */,
+ MISSING_NOT_BEFORE = (-80) /* -80 */,
+ MISSING_NOT_AFTER = (-81) /* -81 */,
+ MISSING_ISSUER_SUBJECT = (-82) /* -82 */,
+ INVALID_ISSUER_SUBJECT = (-83) /* -83 */,
+ BOOT_LEVEL_EXCEEDED = (-84) /* -84 */,
+ HARDWARE_NOT_YET_AVAILABLE = (-85) /* -85 */,
+ MODULE_HASH_ALREADY_SET = (-86) /* -86 */,
+ UNIMPLEMENTED = (-100) /* -100 */,
+ VERSION_MISMATCH = (-101) /* -101 */,
+ UNKNOWN_ERROR = (-1000) /* -1000 */,
}
diff --git a/security/keymint/aidl/aidl_api/android.hardware.security.keymint/current/android/hardware/security/keymint/HardwareAuthenticatorType.aidl b/security/keymint/aidl/aidl_api/android.hardware.security.keymint/current/android/hardware/security/keymint/HardwareAuthenticatorType.aidl
index dfc98f0..eb4f621 100644
--- a/security/keymint/aidl/aidl_api/android.hardware.security.keymint/current/android/hardware/security/keymint/HardwareAuthenticatorType.aidl
+++ b/security/keymint/aidl/aidl_api/android.hardware.security.keymint/current/android/hardware/security/keymint/HardwareAuthenticatorType.aidl
@@ -36,7 +36,7 @@
@Backing(type="int") @VintfStability
enum HardwareAuthenticatorType {
NONE = 0,
- PASSWORD = 1,
- FINGERPRINT = 2,
- ANY = -1,
+ PASSWORD = (1 << 0) /* 1 */,
+ FINGERPRINT = (1 << 1) /* 2 */,
+ ANY = 0xFFFFFFFF,
}
diff --git a/security/keymint/aidl/aidl_api/android.hardware.security.keymint/current/android/hardware/security/keymint/IKeyMintDevice.aidl b/security/keymint/aidl/aidl_api/android.hardware.security.keymint/current/android/hardware/security/keymint/IKeyMintDevice.aidl
index dcc22c4..2945dab 100644
--- a/security/keymint/aidl/aidl_api/android.hardware.security.keymint/current/android/hardware/security/keymint/IKeyMintDevice.aidl
+++ b/security/keymint/aidl/aidl_api/android.hardware.security.keymint/current/android/hardware/security/keymint/IKeyMintDevice.aidl
@@ -52,5 +52,6 @@
byte[16] getRootOfTrustChallenge();
byte[] getRootOfTrust(in byte[16] challenge);
void sendRootOfTrust(in byte[] rootOfTrust);
+ void setAdditionalAttestationInfo(in android.hardware.security.keymint.KeyParameter[] info);
const int AUTH_TOKEN_MAC_LENGTH = 32;
}
diff --git a/security/keymint/aidl/aidl_api/android.hardware.security.keymint/current/android/hardware/security/keymint/Tag.aidl b/security/keymint/aidl/aidl_api/android.hardware.security.keymint/current/android/hardware/security/keymint/Tag.aidl
index 6ae2369..79341ee 100644
--- a/security/keymint/aidl/aidl_api/android.hardware.security.keymint/current/android/hardware/security/keymint/Tag.aidl
+++ b/security/keymint/aidl/aidl_api/android.hardware.security.keymint/current/android/hardware/security/keymint/Tag.aidl
@@ -36,69 +36,70 @@
@Backing(type="int") @VintfStability
enum Tag {
INVALID = 0,
- PURPOSE = 536870913,
- ALGORITHM = 268435458,
- KEY_SIZE = 805306371,
- BLOCK_MODE = 536870916,
- DIGEST = 536870917,
- PADDING = 536870918,
- CALLER_NONCE = 1879048199,
- MIN_MAC_LENGTH = 805306376,
- EC_CURVE = 268435466,
- RSA_PUBLIC_EXPONENT = 1342177480,
- INCLUDE_UNIQUE_ID = 1879048394,
- RSA_OAEP_MGF_DIGEST = 536871115,
- BOOTLOADER_ONLY = 1879048494,
- ROLLBACK_RESISTANCE = 1879048495,
- HARDWARE_TYPE = 268435760,
- EARLY_BOOT_ONLY = 1879048497,
- ACTIVE_DATETIME = 1610613136,
- ORIGINATION_EXPIRE_DATETIME = 1610613137,
- USAGE_EXPIRE_DATETIME = 1610613138,
- MIN_SECONDS_BETWEEN_OPS = 805306771,
- MAX_USES_PER_BOOT = 805306772,
- USAGE_COUNT_LIMIT = 805306773,
- USER_ID = 805306869,
- USER_SECURE_ID = -1610612234,
- NO_AUTH_REQUIRED = 1879048695,
- USER_AUTH_TYPE = 268435960,
- AUTH_TIMEOUT = 805306873,
- ALLOW_WHILE_ON_BODY = 1879048698,
- TRUSTED_USER_PRESENCE_REQUIRED = 1879048699,
- TRUSTED_CONFIRMATION_REQUIRED = 1879048700,
- UNLOCKED_DEVICE_REQUIRED = 1879048701,
- APPLICATION_ID = -1879047591,
- APPLICATION_DATA = -1879047492,
- CREATION_DATETIME = 1610613437,
- ORIGIN = 268436158,
- ROOT_OF_TRUST = -1879047488,
- OS_VERSION = 805307073,
- OS_PATCHLEVEL = 805307074,
- UNIQUE_ID = -1879047485,
- ATTESTATION_CHALLENGE = -1879047484,
- ATTESTATION_APPLICATION_ID = -1879047483,
- ATTESTATION_ID_BRAND = -1879047482,
- ATTESTATION_ID_DEVICE = -1879047481,
- ATTESTATION_ID_PRODUCT = -1879047480,
- ATTESTATION_ID_SERIAL = -1879047479,
- ATTESTATION_ID_IMEI = -1879047478,
- ATTESTATION_ID_MEID = -1879047477,
- ATTESTATION_ID_MANUFACTURER = -1879047476,
- ATTESTATION_ID_MODEL = -1879047475,
- VENDOR_PATCHLEVEL = 805307086,
- BOOT_PATCHLEVEL = 805307087,
- DEVICE_UNIQUE_ATTESTATION = 1879048912,
- IDENTITY_CREDENTIAL_KEY = 1879048913,
- STORAGE_KEY = 1879048914,
- ATTESTATION_ID_SECOND_IMEI = -1879047469,
- ASSOCIATED_DATA = -1879047192,
- NONCE = -1879047191,
- MAC_LENGTH = 805307371,
- RESET_SINCE_ID_ROTATION = 1879049196,
- CONFIRMATION_TOKEN = -1879047187,
- CERTIFICATE_SERIAL = -2147482642,
- CERTIFICATE_SUBJECT = -1879047185,
- CERTIFICATE_NOT_BEFORE = 1610613744,
- CERTIFICATE_NOT_AFTER = 1610613745,
- MAX_BOOT_LEVEL = 805307378,
+ PURPOSE = (android.hardware.security.keymint.TagType.ENUM_REP | 1) /* 536870913 */,
+ ALGORITHM = (android.hardware.security.keymint.TagType.ENUM | 2) /* 268435458 */,
+ KEY_SIZE = (android.hardware.security.keymint.TagType.UINT | 3) /* 805306371 */,
+ BLOCK_MODE = (android.hardware.security.keymint.TagType.ENUM_REP | 4) /* 536870916 */,
+ DIGEST = (android.hardware.security.keymint.TagType.ENUM_REP | 5) /* 536870917 */,
+ PADDING = (android.hardware.security.keymint.TagType.ENUM_REP | 6) /* 536870918 */,
+ CALLER_NONCE = (android.hardware.security.keymint.TagType.BOOL | 7) /* 1879048199 */,
+ MIN_MAC_LENGTH = (android.hardware.security.keymint.TagType.UINT | 8) /* 805306376 */,
+ EC_CURVE = (android.hardware.security.keymint.TagType.ENUM | 10) /* 268435466 */,
+ RSA_PUBLIC_EXPONENT = (android.hardware.security.keymint.TagType.ULONG | 200) /* 1342177480 */,
+ INCLUDE_UNIQUE_ID = (android.hardware.security.keymint.TagType.BOOL | 202) /* 1879048394 */,
+ RSA_OAEP_MGF_DIGEST = (android.hardware.security.keymint.TagType.ENUM_REP | 203) /* 536871115 */,
+ BOOTLOADER_ONLY = (android.hardware.security.keymint.TagType.BOOL | 302) /* 1879048494 */,
+ ROLLBACK_RESISTANCE = (android.hardware.security.keymint.TagType.BOOL | 303) /* 1879048495 */,
+ HARDWARE_TYPE = (android.hardware.security.keymint.TagType.ENUM | 304) /* 268435760 */,
+ EARLY_BOOT_ONLY = (android.hardware.security.keymint.TagType.BOOL | 305) /* 1879048497 */,
+ ACTIVE_DATETIME = (android.hardware.security.keymint.TagType.DATE | 400) /* 1610613136 */,
+ ORIGINATION_EXPIRE_DATETIME = (android.hardware.security.keymint.TagType.DATE | 401) /* 1610613137 */,
+ USAGE_EXPIRE_DATETIME = (android.hardware.security.keymint.TagType.DATE | 402) /* 1610613138 */,
+ MIN_SECONDS_BETWEEN_OPS = (android.hardware.security.keymint.TagType.UINT | 403) /* 805306771 */,
+ MAX_USES_PER_BOOT = (android.hardware.security.keymint.TagType.UINT | 404) /* 805306772 */,
+ USAGE_COUNT_LIMIT = (android.hardware.security.keymint.TagType.UINT | 405) /* 805306773 */,
+ USER_ID = (android.hardware.security.keymint.TagType.UINT | 501) /* 805306869 */,
+ USER_SECURE_ID = (android.hardware.security.keymint.TagType.ULONG_REP | 502) /* -1610612234 */,
+ NO_AUTH_REQUIRED = (android.hardware.security.keymint.TagType.BOOL | 503) /* 1879048695 */,
+ USER_AUTH_TYPE = (android.hardware.security.keymint.TagType.ENUM | 504) /* 268435960 */,
+ AUTH_TIMEOUT = (android.hardware.security.keymint.TagType.UINT | 505) /* 805306873 */,
+ ALLOW_WHILE_ON_BODY = (android.hardware.security.keymint.TagType.BOOL | 506) /* 1879048698 */,
+ TRUSTED_USER_PRESENCE_REQUIRED = (android.hardware.security.keymint.TagType.BOOL | 507) /* 1879048699 */,
+ TRUSTED_CONFIRMATION_REQUIRED = (android.hardware.security.keymint.TagType.BOOL | 508) /* 1879048700 */,
+ UNLOCKED_DEVICE_REQUIRED = (android.hardware.security.keymint.TagType.BOOL | 509) /* 1879048701 */,
+ APPLICATION_ID = (android.hardware.security.keymint.TagType.BYTES | 601) /* -1879047591 */,
+ APPLICATION_DATA = (android.hardware.security.keymint.TagType.BYTES | 700) /* -1879047492 */,
+ CREATION_DATETIME = (android.hardware.security.keymint.TagType.DATE | 701) /* 1610613437 */,
+ ORIGIN = (android.hardware.security.keymint.TagType.ENUM | 702) /* 268436158 */,
+ ROOT_OF_TRUST = (android.hardware.security.keymint.TagType.BYTES | 704) /* -1879047488 */,
+ OS_VERSION = (android.hardware.security.keymint.TagType.UINT | 705) /* 805307073 */,
+ OS_PATCHLEVEL = (android.hardware.security.keymint.TagType.UINT | 706) /* 805307074 */,
+ UNIQUE_ID = (android.hardware.security.keymint.TagType.BYTES | 707) /* -1879047485 */,
+ ATTESTATION_CHALLENGE = (android.hardware.security.keymint.TagType.BYTES | 708) /* -1879047484 */,
+ ATTESTATION_APPLICATION_ID = (android.hardware.security.keymint.TagType.BYTES | 709) /* -1879047483 */,
+ ATTESTATION_ID_BRAND = (android.hardware.security.keymint.TagType.BYTES | 710) /* -1879047482 */,
+ ATTESTATION_ID_DEVICE = (android.hardware.security.keymint.TagType.BYTES | 711) /* -1879047481 */,
+ ATTESTATION_ID_PRODUCT = (android.hardware.security.keymint.TagType.BYTES | 712) /* -1879047480 */,
+ ATTESTATION_ID_SERIAL = (android.hardware.security.keymint.TagType.BYTES | 713) /* -1879047479 */,
+ ATTESTATION_ID_IMEI = (android.hardware.security.keymint.TagType.BYTES | 714) /* -1879047478 */,
+ ATTESTATION_ID_MEID = (android.hardware.security.keymint.TagType.BYTES | 715) /* -1879047477 */,
+ ATTESTATION_ID_MANUFACTURER = (android.hardware.security.keymint.TagType.BYTES | 716) /* -1879047476 */,
+ ATTESTATION_ID_MODEL = (android.hardware.security.keymint.TagType.BYTES | 717) /* -1879047475 */,
+ VENDOR_PATCHLEVEL = (android.hardware.security.keymint.TagType.UINT | 718) /* 805307086 */,
+ BOOT_PATCHLEVEL = (android.hardware.security.keymint.TagType.UINT | 719) /* 805307087 */,
+ DEVICE_UNIQUE_ATTESTATION = (android.hardware.security.keymint.TagType.BOOL | 720) /* 1879048912 */,
+ IDENTITY_CREDENTIAL_KEY = (android.hardware.security.keymint.TagType.BOOL | 721) /* 1879048913 */,
+ STORAGE_KEY = (android.hardware.security.keymint.TagType.BOOL | 722) /* 1879048914 */,
+ ATTESTATION_ID_SECOND_IMEI = (android.hardware.security.keymint.TagType.BYTES | 723) /* -1879047469 */,
+ MODULE_HASH = (android.hardware.security.keymint.TagType.BYTES | 724) /* -1879047468 */,
+ ASSOCIATED_DATA = (android.hardware.security.keymint.TagType.BYTES | 1000) /* -1879047192 */,
+ NONCE = (android.hardware.security.keymint.TagType.BYTES | 1001) /* -1879047191 */,
+ MAC_LENGTH = (android.hardware.security.keymint.TagType.UINT | 1003) /* 805307371 */,
+ RESET_SINCE_ID_ROTATION = (android.hardware.security.keymint.TagType.BOOL | 1004) /* 1879049196 */,
+ CONFIRMATION_TOKEN = (android.hardware.security.keymint.TagType.BYTES | 1005) /* -1879047187 */,
+ CERTIFICATE_SERIAL = (android.hardware.security.keymint.TagType.BIGNUM | 1006) /* -2147482642 */,
+ CERTIFICATE_SUBJECT = (android.hardware.security.keymint.TagType.BYTES | 1007) /* -1879047185 */,
+ CERTIFICATE_NOT_BEFORE = (android.hardware.security.keymint.TagType.DATE | 1008) /* 1610613744 */,
+ CERTIFICATE_NOT_AFTER = (android.hardware.security.keymint.TagType.DATE | 1009) /* 1610613745 */,
+ MAX_BOOT_LEVEL = (android.hardware.security.keymint.TagType.UINT | 1010) /* 805307378 */,
}
diff --git a/security/keymint/aidl/aidl_api/android.hardware.security.keymint/current/android/hardware/security/keymint/TagType.aidl b/security/keymint/aidl/aidl_api/android.hardware.security.keymint/current/android/hardware/security/keymint/TagType.aidl
index a7d1de5..ca19e7e 100644
--- a/security/keymint/aidl/aidl_api/android.hardware.security.keymint/current/android/hardware/security/keymint/TagType.aidl
+++ b/security/keymint/aidl/aidl_api/android.hardware.security.keymint/current/android/hardware/security/keymint/TagType.aidl
@@ -35,15 +35,15 @@
/* @hide */
@Backing(type="int") @VintfStability
enum TagType {
- INVALID = 0,
- ENUM = 268435456,
- ENUM_REP = 536870912,
- UINT = 805306368,
- UINT_REP = 1073741824,
- ULONG = 1342177280,
- DATE = 1610612736,
- BOOL = 1879048192,
- BIGNUM = -2147483648,
- BYTES = -1879048192,
- ULONG_REP = -1610612736,
+ INVALID = (0 << 28) /* 0 */,
+ ENUM = (1 << 28) /* 268435456 */,
+ ENUM_REP = (2 << 28) /* 536870912 */,
+ UINT = (3 << 28) /* 805306368 */,
+ UINT_REP = (4 << 28) /* 1073741824 */,
+ ULONG = (5 << 28) /* 1342177280 */,
+ DATE = (6 << 28) /* 1610612736 */,
+ BOOL = (7 << 28) /* 1879048192 */,
+ BIGNUM = (8 << 28) /* -2147483648 */,
+ BYTES = (9 << 28) /* -1879048192 */,
+ ULONG_REP = (10 << 28) /* -1610612736 */,
}
diff --git a/security/keymint/aidl/android/hardware/security/keymint/ErrorCode.aidl b/security/keymint/aidl/android/hardware/security/keymint/ErrorCode.aidl
index 137e6b6..72fa773 100644
--- a/security/keymint/aidl/android/hardware/security/keymint/ErrorCode.aidl
+++ b/security/keymint/aidl/android/hardware/security/keymint/ErrorCode.aidl
@@ -108,6 +108,7 @@
INVALID_ISSUER_SUBJECT = -83,
BOOT_LEVEL_EXCEEDED = -84,
HARDWARE_NOT_YET_AVAILABLE = -85,
+ MODULE_HASH_ALREADY_SET = -86,
UNIMPLEMENTED = -100,
VERSION_MISMATCH = -101,
diff --git a/security/keymint/aidl/android/hardware/security/keymint/IKeyMintDevice.aidl b/security/keymint/aidl/android/hardware/security/keymint/IKeyMintDevice.aidl
index 4ebafee..e8eed71 100644
--- a/security/keymint/aidl/android/hardware/security/keymint/IKeyMintDevice.aidl
+++ b/security/keymint/aidl/android/hardware/security/keymint/IKeyMintDevice.aidl
@@ -959,4 +959,17 @@
* not implemented. TEE KeyMint implementations must return ErrorCode::UNIMPLEMENTED.
*/
void sendRootOfTrust(in byte[] rootOfTrust);
+
+ /**
+ * Called by Android to deliver additional attestation information to the IKeyMintDevice.
+ *
+ * IKeyMintDevice must ignore KeyParameters with tags not included in the following list:
+ *
+ * o Tag::MODULE_HASH: holds a hash that must be included in attestations in the moduleHash
+ * field of the software enforced authorization list. If Tag::MODULE_HASH is included in more
+ * than one setAdditionalAttestationInfo call, the implementation should compare the initial
+ * KeyParamValue with the more recent one. If they differ, the implementation should fail with
+ * ErrorCode::MODULE_HASH_ALREADY_SET. If they are the same, no action needs to be taken.
+ */
+ void setAdditionalAttestationInfo(in KeyParameter[] info);
}
diff --git a/security/keymint/aidl/android/hardware/security/keymint/Tag.aidl b/security/keymint/aidl/android/hardware/security/keymint/Tag.aidl
index 996e4e3..e56c193 100644
--- a/security/keymint/aidl/android/hardware/security/keymint/Tag.aidl
+++ b/security/keymint/aidl/android/hardware/security/keymint/Tag.aidl
@@ -901,6 +901,17 @@
ATTESTATION_ID_SECOND_IMEI = TagType.BYTES | 723,
/**
+ * Tag::MODULE_HASH specifies the SHA-256 hash of the DER-encoded module information (see
+ * KeyCreationResult.aidl for the ASN.1 schema).
+ *
+ * This tag is never provided or returned from KeyMint in the key characteristics. It exists
+ * only to define the tag for use in the attestation record.
+ *
+ * Must never appear in KeyCharacteristics.
+ */
+ MODULE_HASH = TagType.BYTES | 724,
+
+ /**
* OBSOLETE: Do not use.
*
* This tag value is included for historical reasons -- in Keymaster it was used to hold
diff --git a/security/keymint/aidl/default/android.hardware.hardware_keystore.xml b/security/keymint/aidl/default/android.hardware.hardware_keystore.xml
index 4c75596..1ab2133 100644
--- a/security/keymint/aidl/default/android.hardware.hardware_keystore.xml
+++ b/security/keymint/aidl/default/android.hardware.hardware_keystore.xml
@@ -14,5 +14,5 @@
limitations under the License.
-->
<permissions>
- <feature name="android.hardware.hardware_keystore" version="300" />
+ <feature name="android.hardware.hardware_keystore" version="400" />
</permissions>
diff --git a/security/keymint/aidl/default/android.hardware.security.keymint-service.xml b/security/keymint/aidl/default/android.hardware.security.keymint-service.xml
index 0568ae6..6bdd33e 100644
--- a/security/keymint/aidl/default/android.hardware.security.keymint-service.xml
+++ b/security/keymint/aidl/default/android.hardware.security.keymint-service.xml
@@ -1,7 +1,7 @@
<manifest version="1.0" type="device">
<hal format="aidl">
<name>android.hardware.security.keymint</name>
- <version>3</version>
+ <version>4</version>
<fqname>IKeyMintDevice/default</fqname>
</hal>
<hal format="aidl">