On-device signing: Add boot level tag.
To make sure the key can only be used in boot level 30, and not beyond.
Bug: 165630556
Test: local
Change-Id: I1c716fdd40ca6071da97c991804fc732f87e81d4
diff --git a/ondevice-signing/KeystoreKey.cpp b/ondevice-signing/KeystoreKey.cpp
index ea84183..cd5c398 100644
--- a/ondevice-signing/KeystoreKey.cpp
+++ b/ondevice-signing/KeystoreKey.cpp
@@ -53,6 +53,9 @@
using android::base::unique_fd;
+// Keystore boot level that the odsign key uses
+static const int kOdsignBootLevel = 30;
+
static KeyDescriptor getKeyDescriptor() {
// AIDL parcelable objects don't have constructor
static KeyDescriptor descriptor;
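Review bot: The comment on `kOdsignBootLevel` names the constant but does not say what the value means for the key or why it is 30. Something like `// Highest Keystore boot level at which the odsign key may be used; once the boot level is raised past this value the key can no longer be used.` would state the contract. If the level is set or advanced somewhere outside this file, which the diff does not show, the comment should point there so the two values stay in sync. As a smaller style point, `static constexpr int kOdsignBootLevel = 30;` expresses the compile-time intent more directly than `static const int`.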
@@ -107,6 +110,11 @@
auth.value = KeyParameterValue::make<KeyParameterValue::boolValue>(true);
params.push_back(auth);
+ KeyParameter boot_level;
+ boot_level.tag = Tag::MAX_BOOT_LEVEL;
+ boot_level.value = KeyParameterValue::make<KeyParameterValue::integer>(kOdsignBootLevel);
+ params.push_back(boot_level);
+
KeyMetadata metadata;
auto status = mSecurityLevel->generateKey(descriptor, {}, params, 0, {}, &metadata);
if (!status.isOk()) {
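Review bot: `Tag::MAX_BOOT_LEVEL` is only added to the parameters passed to `generateKey`, so it binds keys created after this change and not a key that already exists on the device. If the surrounding code (the function starts and ends outside this hunk) reuses a previously generated key when one is found, that key stays usable at later boot levels until it is regenerated. Consider checking the loaded key's authorizations for `MAX_BOOT_LEVEL` equal to `kOdsignBootLevel`, and deleting and regenerating the key when the tag is missing or different. A short comment above the new parameter saying that the restriction only takes effect once the boot level is advanced past 30 would also help readers see what enforces it.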