Add moduleHash to attestation cert documentation

Bug: 369375199
Test: n/a
Change-Id: I28457dbe661dacfe22dfc97d1c1c9c21068af656
diff --git a/security/keymint/aidl/android/hardware/security/keymint/KeyCreationResult.aidl b/security/keymint/aidl/android/hardware/security/keymint/KeyCreationResult.aidl
index da8b513..6ff66e7 100644
--- a/security/keymint/aidl/android/hardware/security/keymint/KeyCreationResult.aidl
+++ b/security/keymint/aidl/android/hardware/security/keymint/KeyCreationResult.aidl
@@ -125,9 +125,9 @@
      * straightforward translation of the KeyMint tag/value parameter lists to ASN.1.
      *
      * KeyDescription ::= SEQUENCE {
-     *     attestationVersion         INTEGER, # Value 300
+     *     attestationVersion         INTEGER, # Value 400
      *     attestationSecurityLevel   SecurityLevel, # See below
-     *     keyMintVersion             INTEGER, # Value 300
+     *     keyMintVersion             INTEGER, # Value 400
      *     keymintSecurityLevel       SecurityLevel, # See below
      *     attestationChallenge       OCTET_STRING, # Tag::ATTESTATION_CHALLENGE from attestParams
      *     uniqueId                   OCTET_STRING, # Empty unless key has Tag::INCLUDE_UNIQUE_ID
@@ -158,6 +158,17 @@
      *     Failed                     (3),
      * }
      *
+     * # Modules contains version info about APEX modules that have been updated after the last OTA.
+     * # Note that the Modules information is DER-encoded before being hashed, which requires a
+     * # specific ordering (lexicographic by encoded value) for the constituent Module entries. This
+     * # ensures that the ordering of Module entries is predictable and that the resulting SHA-256
+     * # hash value is identical for the same set of modules.
+     * Modules ::= SET OF Module
+     * Module ::= SEQUENCE {
+     *     packageName                OCTET_STRING,
+     *     version                    INTEGER, # As determined at boot time
+     * }
+     *
      * -- Note that the AuthorizationList SEQUENCE is also used in IKeyMintDevice::importWrappedKey
      * -- as a way of describing the authorizations associated with a key that is being securely
      * -- imported.  As such, it includes the ability to describe tags that are only relevant for
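Review bot: The added `Module` definition does not say how `packageName` is turned into bytes, yet the text above it relies on the DER encoding being identical for the same set of modules; if a verifier recomputes the hash with a different character encoding of the name, the comparison would presumably fail. I would extend the trailing comment on that field, for example `packageName OCTET_STRING, # <byte encoding of the package name, to be stated>`. As a style point, the new explanatory lines start with `#`, while the full-line note directly below them uses the ASN.1 `--` marker, so `-- Modules contains version info about APEX modules ...` would keep the schema block consistent. The enclosing doc comment starts and ends outside this hunk.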
@@ -210,6 +221,7 @@
      *     bootPatchLevel             [719] EXPLICIT INTEGER OPTIONAL,
      *     deviceUniqueAttestation    [720] EXPLICIT NULL OPTIONAL,
      *     attestationIdSecondImei    [723] EXPLICIT OCTET_STRING OPTIONAL,
+     *     moduleHash                 [724] EXPLICIT OCTET_STRING OPTIONAL, -- SHA-256 hash of DER-encoded `Modules`
      * }
      */
     Certificate[] certificateChain;
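Review bot: The comment on `moduleHash` states how the value is computed but not how a relying party should treat it. The certificate carries only the digest, so a verifier needs the `Modules` contents from another source to compare against. The field is also `OPTIONAL`, with nothing said about when it may be absent from a version 400 attestation. A short `--` note above the field covering both points would let verifier authors decide whether a missing or unmatched hash should fail validation. The added line also appears to run well past 100 columns, so the explanation could move to its own line, e.g. `-- moduleHash: SHA-256 hash of the DER-encoded Modules (defined above).`; the AuthorizationList definition itself starts outside this hunk.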