Merge "Changing libcppbor dependency"
diff --git a/keystore2/aidl/Android.bp b/keystore2/aidl/Android.bp
index 183096c..0db2f9d 100644
--- a/keystore2/aidl/Android.bp
+++ b/keystore2/aidl/Android.bp
@@ -55,6 +55,7 @@
},
ndk: {
enabled: true,
+ apps_enabled: false,
}
},
}
@@ -93,6 +94,7 @@
},
ndk: {
enabled: true,
+ apps_enabled: false,
}
},
}
@@ -135,6 +137,7 @@
},
ndk: {
enabled: true,
+ apps_enabled: false,
}
},
}
diff --git a/keystore2/aidl/android/security/authorization/IKeystoreAuthorization.aidl b/keystore2/aidl/android/security/authorization/IKeystoreAuthorization.aidl
index 86472eb..01616b1 100644
--- a/keystore2/aidl/android/security/authorization/IKeystoreAuthorization.aidl
+++ b/keystore2/aidl/android/security/authorization/IKeystoreAuthorization.aidl
@@ -25,6 +25,7 @@
* provide keystore with the information required to enforce authorizations on key usage.
* @hide
*/
+ @SensitiveData
interface IKeystoreAuthorization {
/**
diff --git a/keystore2/aidl/android/security/maintenance/IKeystoreMaintenance.aidl b/keystore2/aidl/android/security/maintenance/IKeystoreMaintenance.aidl
index 280500c..21ddd9b 100644
--- a/keystore2/aidl/android/security/maintenance/IKeystoreMaintenance.aidl
+++ b/keystore2/aidl/android/security/maintenance/IKeystoreMaintenance.aidl
@@ -17,13 +17,12 @@
import android.system.keystore2.Domain;
import android.security.maintenance.UserState;
-// TODO: mark the interface with @SensitiveData when the annotation is ready (b/176110256).
-
/**
* IKeystoreMaintenance interface exposes the methods for adding/removing users and changing the
* user's password.
* @hide
*/
+ @SensitiveData
interface IKeystoreMaintenance {
/**
diff --git a/keystore2/src/crypto/zvec.rs b/keystore2/src/crypto/zvec.rs
index 4af7b5a..78b474e 100644
--- a/keystore2/src/crypto/zvec.rs
+++ b/keystore2/src/crypto/zvec.rs
@@ -104,12 +104,16 @@
impl TryFrom<Vec<u8>> for ZVec {
type Error = Error;
- fn try_from(v: Vec<u8>) -> Result<Self, Self::Error> {
+ fn try_from(mut v: Vec<u8>) -> Result<Self, Self::Error> {
+ let len = v.len();
+ // into_boxed_slice calls shrink_to_fit, which may move the pointer.
+ // But sometimes the contents of the Vec are already sensitive and
+ // mustn't be copied. So ensure the shrink_to_fit call is a NOP.
+ v.resize(v.capacity(), 0);
let b = v.into_boxed_slice();
if !b.is_empty() {
unsafe { mlock(b.as_ptr() as *const std::ffi::c_void, b.len()) }?;
}
- let len = b.len();
Ok(Self { elems: b, len })
}
}
diff --git a/keystore2/src/database.rs b/keystore2/src/database.rs
index 174a928..6a07716 100644
--- a/keystore2/src/database.rs
+++ b/keystore2/src/database.rs
@@ -3025,7 +3025,7 @@
where
F: Fn(&Uuid, &[u8]) -> Result<()> + Send + 'static,
{
- let super_key = Arc::new(SuperKeyManager::new());
+ let super_key: Arc<SuperKeyManager> = Default::default();
let gc_db = KeystoreDB::new(path, None).expect("Failed to open test gc db_connection.");
let gc = Gc::new_init_with(Default::default(), move || (Box::new(cb), gc_db, super_key));
diff --git a/keystore2/src/globals.rs b/keystore2/src/globals.rs
index 54f7dc7..58142a4 100644
--- a/keystore2/src/globals.rs
+++ b/keystore2/src/globals.rs
@@ -278,8 +278,10 @@
let secure_clock_available =
secureclock_instances.as_vec()?.iter().any(|instance| *instance == "default");
+ let default_time_stamp_service_name = format!("{}/default", TIME_STAMP_SERVICE_NAME);
+
let secureclock = if secure_clock_available {
- map_binder_status_code(binder::get_interface(TIME_STAMP_SERVICE_NAME))
+ map_binder_status_code(binder::get_interface(&default_time_stamp_service_name))
.context("In connect_secureclock: Trying to connect to genuine secure clock service.")
} else {
// This is a no-op if it was called before.
diff --git a/keystore2/src/km_compat/km_compat_type_conversion.h b/keystore2/src/km_compat/km_compat_type_conversion.h
index c2b4669..e3240e9 100644
--- a/keystore2/src/km_compat/km_compat_type_conversion.h
+++ b/keystore2/src/km_compat/km_compat_type_conversion.h
@@ -665,13 +665,19 @@
}
break;
case KMV1::Tag::ATTESTATION_ID_SERIAL:
- // TODO This tag is missing from 4.0 keymaster_tags.h
+ if (auto v = KMV1::authorizationValue(KMV1::TAG_ATTESTATION_ID_SERIAL, kp)) {
+ return V4_0::makeKeyParameter(V4_0::TAG_ATTESTATION_ID_SERIAL, v->get());
+ }
break;
case KMV1::Tag::ATTESTATION_ID_IMEI:
- // TODO This tag is missing from 4.0 keymaster_tags.h
+ if (auto v = KMV1::authorizationValue(KMV1::TAG_ATTESTATION_ID_IMEI, kp)) {
+ return V4_0::makeKeyParameter(V4_0::TAG_ATTESTATION_ID_IMEI, v->get());
+ }
break;
case KMV1::Tag::ATTESTATION_ID_MEID:
- // TODO This tag is missing from 4.0 keymaster_tags.h
+ if (auto v = KMV1::authorizationValue(KMV1::TAG_ATTESTATION_ID_MEID, kp)) {
+ return V4_0::makeKeyParameter(V4_0::TAG_ATTESTATION_ID_MEID, v->get());
+ }
break;
case KMV1::Tag::ATTESTATION_ID_MANUFACTURER:
if (auto v = KMV1::authorizationValue(KMV1::TAG_ATTESTATION_ID_MANUFACTURER, kp)) {
@@ -971,13 +977,19 @@
}
break;
case V4_0::Tag::ATTESTATION_ID_SERIAL:
- // TODO This tag is missing from 4.0 keymaster_tags.h
+ if (auto v = unwrapper(V4_0::authorizationValue(V4_0::TAG_ATTESTATION_ID_SERIAL, kp))) {
+ return KMV1::makeKeyParameter(KMV1::TAG_ATTESTATION_ID_SERIAL, v->get());
+ }
break;
case V4_0::Tag::ATTESTATION_ID_IMEI:
- // TODO This tag is missing from 4.0 keymaster_tags.h
+ if (auto v = unwrapper(V4_0::authorizationValue(V4_0::TAG_ATTESTATION_ID_IMEI, kp))) {
+ return KMV1::makeKeyParameter(KMV1::TAG_ATTESTATION_ID_IMEI, v->get());
+ }
break;
case V4_0::Tag::ATTESTATION_ID_MEID:
- // TODO This tag is missing from 4.0 keymaster_tags.h
+ if (auto v = unwrapper(V4_0::authorizationValue(V4_0::TAG_ATTESTATION_ID_MEID, kp))) {
+ return KMV1::makeKeyParameter(KMV1::TAG_ATTESTATION_ID_MEID, v->get());
+ }
break;
case V4_0::Tag::ATTESTATION_ID_MANUFACTURER:
if (auto v =
diff --git a/keystore2/src/legacy_blob.rs b/keystore2/src/legacy_blob.rs
index 7c8a909..c108b32 100644
--- a/keystore2/src/legacy_blob.rs
+++ b/keystore2/src/legacy_blob.rs
@@ -1285,7 +1285,7 @@
CACERT_NON_AUTHBOUND,
)?;
- let key_manager = crate::super_key::SuperKeyManager::new();
+ let key_manager: SuperKeyManager = Default::default();
let mut db = crate::database::KeystoreDB::new(temp_dir.path(), None)?;
let legacy_blob_loader = LegacyBlobLoader::new(temp_dir.path());
diff --git a/keystore2/src/metrics.rs b/keystore2/src/metrics.rs
index 9524cb2..c5dd582 100644
--- a/keystore2/src/metrics.rs
+++ b/keystore2/src/metrics.rs
@@ -20,14 +20,16 @@
Algorithm::Algorithm, BlockMode::BlockMode, Digest::Digest, EcCurve::EcCurve,
HardwareAuthenticatorType::HardwareAuthenticatorType, KeyOrigin::KeyOrigin,
KeyParameter::KeyParameter, KeyPurpose::KeyPurpose, PaddingMode::PaddingMode,
+ SecurityLevel::SecurityLevel,
};
use statslog_rust::keystore2_key_creation_event_reported::{
Algorithm as StatsdAlgorithm, EcCurve as StatsdEcCurve, KeyOrigin as StatsdKeyOrigin,
- Keystore2KeyCreationEventReported, UserAuthType as StatsdUserAuthType,
+ Keystore2KeyCreationEventReported, SecurityLevel as StatsdKeyCreationSecurityLevel,
+ UserAuthType as StatsdUserAuthType,
};
-
use statslog_rust::keystore2_key_operation_event_reported::{
Keystore2KeyOperationEventReported, Outcome as StatsdOutcome, Purpose as StatsdKeyPurpose,
+ SecurityLevel as StatsdKeyOperationSecurityLevel,
};
fn create_default_key_creation_atom() -> Keystore2KeyCreationEventReported {
@@ -52,6 +54,7 @@
// as per keystore2/ResponseCode.aidl, 1 is reserved for NO_ERROR
error_code: 1,
attestation_requested: false,
+ security_level: StatsdKeyCreationSecurityLevel::SecurityLevelUnspecified,
}
}
@@ -64,12 +67,18 @@
outcome: StatsdOutcome::OutcomeUnspecified,
error_code: 1,
key_upgraded: false,
+ security_level: StatsdKeyOperationSecurityLevel::SecurityLevelUnspecified,
}
}
/// Log key creation events via statsd API.
-pub fn log_key_creation_event_stats<U>(key_params: &[KeyParameter], result: &anyhow::Result<U>) {
- let key_creation_event_stats = construct_key_creation_event_stats(key_params, result);
+pub fn log_key_creation_event_stats<U>(
+ sec_level: SecurityLevel,
+ key_params: &[KeyParameter],
+ result: &anyhow::Result<U>,
+) {
+ let key_creation_event_stats =
+ construct_key_creation_event_stats(sec_level, key_params, result);
let logging_result = key_creation_event_stats.stats_write();
@@ -83,13 +92,19 @@
/// Log key operation events via statsd API.
pub fn log_key_operation_event_stats(
+ sec_level: SecurityLevel,
key_purpose: KeyPurpose,
op_params: &[KeyParameter],
op_outcome: &Outcome,
key_upgraded: bool,
) {
- let key_operation_event_stats =
- construct_key_operation_event_stats(key_purpose, op_params, op_outcome, key_upgraded);
+ let key_operation_event_stats = construct_key_operation_event_stats(
+ sec_level,
+ key_purpose,
+ op_params,
+ op_outcome,
+ key_upgraded,
+ );
let logging_result = key_operation_event_stats.stats_write();
@@ -102,6 +117,7 @@
}
fn construct_key_creation_event_stats<U>(
+ sec_level: SecurityLevel,
key_params: &[KeyParameter],
result: &anyhow::Result<U>,
) -> Keystore2KeyCreationEventReported {
@@ -111,6 +127,16 @@
key_creation_event_atom.error_code = get_error_code(e);
}
+ key_creation_event_atom.security_level = match sec_level {
+ SecurityLevel::SOFTWARE => StatsdKeyCreationSecurityLevel::SecurityLevelSoftware,
+ SecurityLevel::TRUSTED_ENVIRONMENT => {
+ StatsdKeyCreationSecurityLevel::SecurityLevelTrustedEnvironment
+ }
+ SecurityLevel::STRONGBOX => StatsdKeyCreationSecurityLevel::SecurityLevelStrongbox,
+ //KEYSTORE is not a valid variant here
+ _ => StatsdKeyCreationSecurityLevel::SecurityLevelUnspecified,
+ };
+
for key_param in key_params.iter().map(KsKeyParamValue::from) {
match key_param {
KsKeyParamValue::Algorithm(a) => {
@@ -183,6 +209,7 @@
}
fn construct_key_operation_event_stats(
+ sec_level: SecurityLevel,
key_purpose: KeyPurpose,
op_params: &[KeyParameter],
op_outcome: &Outcome,
@@ -190,6 +217,16 @@
) -> Keystore2KeyOperationEventReported {
let mut key_operation_event_atom = create_default_key_operation_atom();
+ key_operation_event_atom.security_level = match sec_level {
+ SecurityLevel::SOFTWARE => StatsdKeyOperationSecurityLevel::SecurityLevelSoftware,
+ SecurityLevel::TRUSTED_ENVIRONMENT => {
+ StatsdKeyOperationSecurityLevel::SecurityLevelTrustedEnvironment
+ }
+ SecurityLevel::STRONGBOX => StatsdKeyOperationSecurityLevel::SecurityLevelStrongbox,
+ //KEYSTORE is not a valid variant here
+ _ => StatsdKeyOperationSecurityLevel::SecurityLevelUnspecified,
+ };
+
key_operation_event_atom.key_upgraded = key_upgraded;
key_operation_event_atom.purpose = match key_purpose {
diff --git a/keystore2/src/operation.rs b/keystore2/src/operation.rs
index f71577b..c2539a7 100644
--- a/keystore2/src/operation.rs
+++ b/keystore2/src/operation.rs
@@ -131,6 +131,7 @@
use crate::utils::Asp;
use android_hardware_security_keymint::aidl::android::hardware::security::keymint::{
IKeyMintOperation::IKeyMintOperation, KeyParameter::KeyParameter, KeyPurpose::KeyPurpose,
+ SecurityLevel::SecurityLevel,
};
use android_system_keystore2::aidl::android::system::keystore2::{
IKeystoreOperation::BnKeystoreOperation, IKeystoreOperation::IKeystoreOperation,
@@ -181,6 +182,7 @@
/// Keeps track of the information required for logging operations.
#[derive(Debug)]
pub struct LoggingInfo {
+ sec_level: SecurityLevel,
purpose: KeyPurpose,
op_params: Vec<KeyParameter>,
key_upgraded: bool,
@@ -189,11 +191,12 @@
impl LoggingInfo {
/// Constructor
pub fn new(
+ sec_level: SecurityLevel,
purpose: KeyPurpose,
op_params: Vec<KeyParameter>,
key_upgraded: bool,
) -> LoggingInfo {
- Self { purpose, op_params, key_upgraded }
+ Self { sec_level, purpose, op_params, key_upgraded }
}
}
@@ -468,6 +471,7 @@
fn drop(&mut self) {
let guard = self.outcome.lock().expect("In drop.");
log_key_operation_event_stats(
+ self.logging_info.sec_level,
self.logging_info.purpose,
&(self.logging_info.op_params),
&guard,
diff --git a/keystore2/src/security_level.rs b/keystore2/src/security_level.rs
index ec6c4d7..50d697e 100644
--- a/keystore2/src/security_level.rs
+++ b/keystore2/src/security_level.rs
@@ -326,7 +326,8 @@
let operation = match begin_result.operation {
Some(km_op) => {
self.operation_db.create_operation(km_op, caller_uid, auth_info, forced,
- LoggingInfo::new(purpose, op_params, upgraded_blob.is_some()))
+ LoggingInfo::new(self.security_level, purpose, op_params,
+ upgraded_blob.is_some()))
},
None => return Err(Error::sys()).context("In create_operation: Begin operation returned successfully, but did not return a valid operation."),
};
@@ -371,7 +372,7 @@
if params.iter().any(|kp| kp.tag == Tag::INCLUDE_UNIQUE_ID) {
check_key_permission(KeyPerm::gen_unique_id(), key, &None).context(concat!(
"In add_certificate_parameters: ",
- "Caller does not have the permission for device unique attestation."
+ "Caller does not have the permission to generate a unique ID"
))?;
}
@@ -832,7 +833,7 @@
entropy: &[u8],
) -> binder::public_api::Result<KeyMetadata> {
let result = self.generate_key(key, attestation_key, params, flags, entropy);
- log_key_creation_event_stats(params, &result);
+ log_key_creation_event_stats(self.security_level, params, &result);
map_or_log_err(result, Ok)
}
fn importKey(
@@ -844,7 +845,7 @@
key_data: &[u8],
) -> binder::public_api::Result<KeyMetadata> {
let result = self.import_key(key, attestation_key, params, flags, key_data);
- log_key_creation_event_stats(params, &result);
+ log_key_creation_event_stats(self.security_level, params, &result);
map_or_log_err(result, Ok)
}
fn importWrappedKey(
@@ -857,7 +858,7 @@
) -> binder::public_api::Result<KeyMetadata> {
let result =
self.import_wrapped_key(key, wrapping_key, masking_key, params, authenticators);
- log_key_creation_event_stats(params, &result);
+ log_key_creation_event_stats(self.security_level, params, &result);
map_or_log_err(result, Ok)
}
fn convertStorageKeyToEphemeral(
diff --git a/keystore2/src/super_key.rs b/keystore2/src/super_key.rs
index d490354..3fa4cf0 100644
--- a/keystore2/src/super_key.rs
+++ b/keystore2/src/super_key.rs
@@ -92,22 +92,6 @@
ScreenLockBound,
}
-#[derive(Default)]
-struct UserSuperKeys {
- /// The per boot key is used for LSKF binding of authentication bound keys. There is one
- /// key per android user. The key is stored on flash encrypted with a key derived from a
- /// secret, that is itself derived from the user's lock screen knowledge factor (LSKF).
- /// When the user unlocks the device for the first time, this key is unlocked, i.e., decrypted,
- /// and stays memory resident until the device reboots.
- per_boot: Option<Arc<SuperKey>>,
- /// The screen lock key works like the per boot key with the distinction that it is cleared
- /// from memory when the screen lock is engaged.
- screen_lock_bound: Option<Arc<SuperKey>>,
- /// When the device is locked, screen-lock-bound keys can still be encrypted, using
- /// ECDH public-key encryption. This field holds the decryption private key.
- screen_lock_bound_private: Option<Arc<SuperKey>>,
-}
-
pub struct SuperKey {
algorithm: SuperEncryptionAlgorithm,
key: ZVec,
@@ -130,10 +114,22 @@
Err(Error::sys()).context("In aes_gcm_decrypt: Key is not an AES key")
}
}
+}
- pub fn get_id(&self) -> i64 {
- self.id
- }
+#[derive(Default)]
+struct UserSuperKeys {
+ /// The per boot key is used for LSKF binding of authentication bound keys. There is one
+ /// key per android user. The key is stored on flash encrypted with a key derived from a
+ /// secret, that is itself derived from the user's lock screen knowledge factor (LSKF).
+ /// When the user unlocks the device for the first time, this key is unlocked, i.e., decrypted,
+ /// and stays memory resident until the device reboots.
+ per_boot: Option<Arc<SuperKey>>,
+ /// The screen lock key works like the per boot key with the distinction that it is cleared
+ /// from memory when the screen lock is engaged.
+ screen_lock_bound: Option<Arc<SuperKey>>,
+ /// When the device is locked, screen-lock-bound keys can still be encrypted, using
+ /// ECDH public-key encryption. This field holds the decryption private key.
+ screen_lock_bound_private: Option<Arc<SuperKey>>,
}
#[derive(Default)]
@@ -154,10 +150,6 @@
}
impl SuperKeyManager {
- pub fn new() -> Self {
- Default::default()
- }
-
pub fn forget_all_keys_for_user(&self, user: UserId) {
let mut data = self.data.lock().unwrap();
data.user_keys.remove(&user);
@@ -169,7 +161,7 @@
data.user_keys.entry(user).or_default().per_boot = Some(super_key);
}
- fn get_key(&self, key_id: &i64) -> Option<Arc<SuperKey>> {
+ fn lookup_key(&self, key_id: &i64) -> Option<Arc<SuperKey>> {
self.data.lock().unwrap().key_index.get(key_id).and_then(|k| k.upgrade())
}
@@ -225,23 +217,25 @@
/// Unwraps an encrypted key blob given metadata identifying the encryption key.
/// The function queries `metadata.encrypted_by()` to determine the encryption key.
- /// It then check if the required key is memory resident, and if so decrypts the
+ /// It then checks if the required key is memory resident, and if so decrypts the
/// blob.
pub fn unwrap_key<'a>(&self, blob: &'a [u8], metadata: &BlobMetaData) -> Result<KeyBlob<'a>> {
- match metadata.encrypted_by() {
- Some(EncryptedBy::KeyId(key_id)) => match self.get_key(key_id) {
- Some(super_key) => Ok(KeyBlob::Sensitive {
- key: Self::unwrap_key_with_key(blob, metadata, &super_key)
- .context("In unwrap_key: unwrap_key_with_key failed")?,
- reencrypt_with: super_key.reencrypt_with.as_ref().unwrap_or(&super_key).clone(),
- force_reencrypt: super_key.reencrypt_with.is_some(),
- }),
- None => Err(Error::Rc(ResponseCode::LOCKED))
- .context("In unwrap_key: Required super decryption key is not in memory."),
- },
- _ => Err(Error::Rc(ResponseCode::VALUE_CORRUPTED))
- .context("In unwrap_key: Cannot determined wrapping key."),
- }
+ let key_id = if let Some(EncryptedBy::KeyId(key_id)) = metadata.encrypted_by() {
+ key_id
+ } else {
+ return Err(Error::Rc(ResponseCode::VALUE_CORRUPTED))
+ .context("In unwrap_key: Cannot determine wrapping key.");
+ };
+ let super_key = self
+ .lookup_key(&key_id)
+ .ok_or(Error::Rc(ResponseCode::LOCKED))
+ .context("In unwrap_key: Required super decryption key is not in memory.")?;
+ Ok(KeyBlob::Sensitive {
+ key: Self::unwrap_key_with_key(blob, metadata, &super_key)
+ .context("In unwrap_key: unwrap_key_with_key failed")?,
+ reencrypt_with: super_key.reencrypt_with.as_ref().unwrap_or(&super_key).clone(),
+ force_reencrypt: super_key.reencrypt_with.is_some(),
+ })
}
/// Unwraps an encrypted key blob given an encryption key.
@@ -427,9 +421,9 @@
return Err(Error::Rc(ResponseCode::VALUE_CORRUPTED)).context(format!(
concat!(
"In extract_super_key_from_key_entry: Super key has incomplete metadata.",
- "Present: encrypted_by: {}, salt: {}, iv: {}, aead_tag: {}."
+ "encrypted_by: {:?}; Present: salt: {}, iv: {}, aead_tag: {}."
),
- enc_by.is_some(),
+ enc_by,
salt.is_some(),
iv.is_some(),
tag.is_some()
@@ -523,19 +517,19 @@
) -> Result<(Vec<u8>, BlobMetaData)> {
match Enforcements::super_encryption_required(domain, key_parameters, flags) {
SuperEncryptionType::None => Ok((key_blob.to_vec(), BlobMetaData::new())),
- SuperEncryptionType::LskfBound => {
- self.super_encrypt_on_key_init(db, legacy_migrator, user_id, &key_blob).context(
- "In handle_super_encryption_on_key_init.
- Failed to super encrypt the key.",
- )
- }
+ SuperEncryptionType::LskfBound => self
+ .super_encrypt_on_key_init(db, legacy_migrator, user_id, &key_blob)
+ .context(concat!(
+ "In handle_super_encryption_on_key_init. ",
+ "Failed to super encrypt with LskfBound key."
+ )),
SuperEncryptionType::ScreenLockBound => {
let mut data = self.data.lock().unwrap();
let entry = data.user_keys.entry(user_id).or_default();
if let Some(super_key) = entry.screen_lock_bound.as_ref() {
Self::encrypt_with_aes_super_key(key_blob, &super_key).context(concat!(
"In handle_super_encryption_on_key_init. ",
- "Failed to encrypt the key with screen_lock_bound key."
+ "Failed to encrypt with ScreenLockBound key."
))
} else {
// Symmetric key is not available, use public key encryption
diff --git a/keystore2/src/utils.rs b/keystore2/src/utils.rs
index 7b58205..48e9bfb 100644
--- a/keystore2/src/utils.rs
+++ b/keystore2/src/utils.rs
@@ -91,7 +91,13 @@
/// This function checks whether a given tag corresponds to the access of device identifiers.
pub fn is_device_id_attestation_tag(tag: Tag) -> bool {
- matches!(tag, Tag::ATTESTATION_ID_IMEI | Tag::ATTESTATION_ID_MEID | Tag::ATTESTATION_ID_SERIAL)
+ matches!(
+ tag,
+ Tag::ATTESTATION_ID_IMEI
+ | Tag::ATTESTATION_ID_MEID
+ | Tag::ATTESTATION_ID_SERIAL
+ | Tag::DEVICE_UNIQUE_ATTESTATION
+ )
}
/// This function checks whether the calling app has the Android permissions needed to attest device