commit dc9505de44c70e701cdf27c7f7d8d9de5217f4b6
author Brian C. Young <bcyoung@google.com> Thu Nov 16 15:45:19 2017 -0800
committer Brian C. Young <bcyoung@google.com> Thu Jan 25 08:43:13 2018 -0800
tree 248caf8badec9fcb1b59f71380283de32d2378fd
parent bc04a28238082241973fce57a7c3fe2cb2bccd9e

Add "Unlocked device required" parameter to keys

Add a keymaster parameter for keys that should be inaccessible when
the device screen is locked. "Locked" here is a state where the device
can be used or accessed without any further trust factor such as a
PIN, password, fingerprint, or trusted face or voice.

This parameter is added to the Java keystore interface for key
creation and import, as well as enums specified by and for the native
keystore process.

Test: go/asym-write-test-plan

Bug: 67752510

Change-Id: Ic1ec3bde05f8a28e20b9443b7f0078749921f297

include/hardware/keymaster_defs.h

diff --git a/include/hardware/keymaster_defs.h b/include/hardware/keymaster_defs.h
index 6e812f2..25a4faa 100644
--- a/include/hardware/keymaster_defs.h
+++ b/include/hardware/keymaster_defs.h
@@ -112,6 +112,8 @@
     KM_TAG_ALLOW_WHILE_ON_BODY = KM_BOOL | 506, /* Allow key to be used after authentication timeout
                                                  * if device is still on-body (requires secure
                                                  * on-body sensor. */
+    KM_TAG_UNLOCKED_DEVICE_REQUIRED = KM_BOOL | 508, /* Require the device screen to be unlocked if the
+                                                      * key is used. */
 
     /* Application access control */
     KM_TAG_ALL_APPLICATIONS = KM_BOOL | 600, /* Specified to indicate key is usable by all
@@ -452,6 +454,7 @@
     KM_ERROR_KEYMASTER_NOT_CONFIGURED = -64,
     KM_ERROR_ATTESTATION_APPLICATION_ID_MISSING = -65,
     KM_ERROR_CANNOT_ATTEST_IDS = -66,
+    KM_ERROR_DEVICE_LOCKED = -71,
 
     KM_ERROR_UNIMPLEMENTED = -100,
     KM_ERROR_VERSION_MISMATCH = -101,