Merge "Diced: Add android.security.dice interface definition." am: 5b32aadaa0 am: 08da5bafad
Original change: https://android-review.googlesource.com/c/platform/system/security/+/1839093
Change-Id: If4e23174e1d4ece0755f5f2b52e33271c627ec8c
diff --git a/diced/aidl/Android.bp b/diced/aidl/Android.bp
new file mode 100644
index 0000000..2fedc3c
--- /dev/null
+++ b/diced/aidl/Android.bp
@@ -0,0 +1,42 @@
+// Copyright 2021, The Android Open Source Project
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package {
+ // See: http://go/android-license-faq
+ // A large-scale-change added 'default_applicable_licenses' to import
+ // all of the 'license_kinds' from "system_security_license"
+ // to get the below license kinds:
+ // SPDX-license-identifier-Apache-2.0
+ default_applicable_licenses: ["system_security_license"],
+}
+
+aidl_interface {
+ name: "android.security.dice",
+ srcs: [ "android/security/dice/*.aidl" ],
+ unstable: true,
+ imports: ["android.hardware.security.dice-V1"],
+ backend: {
+ java: {
+ enabled: false,
+ platform_apis: false,
+ },
+ rust: {
+ enabled: true,
+ },
+ ndk: {
+ enabled: true,
+ apps_enabled: false,
+ }
+ },
+}
diff --git a/diced/aidl/android/security/dice/IDiceNode.aidl b/diced/aidl/android/security/dice/IDiceNode.aidl
new file mode 100644
index 0000000..2b3ef76
--- /dev/null
+++ b/diced/aidl/android/security/dice/IDiceNode.aidl
@@ -0,0 +1,96 @@
+/*
+ * Copyright (C) 2021 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package android.security.dice;
+
+import android.hardware.security.dice.Bcc;
+import android.hardware.security.dice.BccHandover;
+import android.hardware.security.dice.InputValues;
+import android.hardware.security.dice.Signature;
+
+/**
+ * An implementation of IDiceNode provides access to DICE secrets to its clients. It
+ * uses binder's caller UID and security context to identify its callers and assures
+ * That clients can only access their specific DICE secrets.
+ * It may operate in two different modes, resident mode and proxy mode.
+ *
+ * ## Resident mode.
+ * In resident mode, the node is in possession of the secrets corresponding to its level in
+ * the dice tree. It can act as root of the sub tree that it serves. The secrets are memory
+ * resident in the node. It identifies its callers and prepends the caller's identity to the
+ * request's vector of input values. It then derives the required secrets by iterating through
+ * the request's vector of input values in ascending order.
+ *
+ * ## Proxy mode.
+ * In proxy mode, the node has a connection to a parent node. It serves its callers by verifying
+ * their identity, by prefixing the client's vector of input values with client's identity, and
+ * forwarding the request to the next level up.
+ *
+ * The modes are implementation details that are completely transparent to the clients.
+ *
+ * Privacy: Unprivileged apps may not use this service ever because it may provide access to a
+ * device specific id that is stable across reinstalls, reboots, and applications.
+ *
+ * @hide
+ */
+@SensitiveData
+interface IDiceNode {
+ /**
+ * Uses the a key derived from the caller's attestation secret to sign the payload using
+ * RFC 8032 PureEd25519 and returns the signature. The payload is limited to 1024 bytes.
+ *
+ * ## Error as service specific exception:
+ * ResponseCode::PERMISSION_DENIED if the caller does not have the use_sign permission.
+ */
+ Signature sign(in InputValues[] id, in byte[] payload);
+
+ /**
+ * Returns the attestation certificate chain of the caller if `inputValues` is empty or the
+ * chain to the given child of the caller identified by the `inputValues` vector.
+ *
+ * ## Error as service specific exception:
+ * ResponseCode::PERMISSION_DENIED if the caller does not have the get_attestation_chain
+ * permission.
+ */
+ Bcc getAttestationChain(in InputValues[] inputValues);
+
+ /**
+ * This function allows a client to become a resident node. Called with empty InputValues
+ * vectors, an implementation returns the client's DICE secrets. If inputValues is
+ * not empty, the appropriate derivations are performed starting from the client's level.
+ * The function must never return secrets pertaining to the implementation or a parent
+ * thereof in the DICE hierarchy.
+ *
+ * ## Error as service specific exception:
+ * ResponseCode::PERMISSION_DENIED if the implementation does not allow resident nodes
+ * at the client's level.
+ */
+ BccHandover derive(in InputValues[] inputValues);
+
+ /**
+ * The client demotes itself to the given identity. When serving the calling client,
+ * the implementation must append the given identities. Essentially, the client assumes
+ * the identity of one of its children. This operation is not reversible, i.e., there
+ * is no promotion. Further demotion is possible.
+ *
+ * If the operation fails for any reason. No further services must be provided. Ideally,
+ * a device shutdown/reboot is triggered.
+ *
+ * ## Error as service specific exception:
+ * ResponseCode::PERMISSION_DENIED if the caller does not have the demote permission.
+ */
+ void demote(in InputValues[] inputValues);
+}
diff --git a/diced/aidl/android/security/dice/ResponseCode.aidl b/diced/aidl/android/security/dice/ResponseCode.aidl
new file mode 100644
index 0000000..7c66058
--- /dev/null
+++ b/diced/aidl/android/security/dice/ResponseCode.aidl
@@ -0,0 +1,37 @@
+/*
+ * Copyright 2021, The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package android.security.dice;
+
+@Backing(type="int")
+/**
+ * Service specific error codes.
+ * @hide
+ */
+enum ResponseCode {
+ /**
+ * The caller has insufficient privilege to access the DICE API.
+ */
+ PERMISSION_DENIED = 1,
+ /**
+ * An unexpected error occurred, likely with IO or IPC.
+ */
+ SYSTEM_ERROR = 2,
+ /**
+ * Returned if the called function is not implemented.
+ */
+ NOT_IMPLEMENTED = 3,
+}