Merge "Keystore 2.0: Fix permission check for device attestation."
diff --git a/keystore2/aidl/Android.bp b/keystore2/aidl/Android.bp
index 183096c..0db2f9d 100644
--- a/keystore2/aidl/Android.bp
+++ b/keystore2/aidl/Android.bp
@@ -55,6 +55,7 @@
         },
         ndk: {
             enabled: true,
+            apps_enabled: false,
         }
     },
 }
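Review bot: `apps_enabled: false` is added to the `ndk` backend here and in the two later hunks of this file with no comment saying why, so a later cleanup could flip it back without realising it changes who can build against these Keystore interfaces. I would add one line above each occurrence, e.g. `// Platform-only interface: do not build the NDK backend for apps.` The module names these three blocks belong to are outside the hunks, so confirm the setting is intended on all three.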
@@ -93,6 +94,7 @@
         },
         ndk: {
             enabled: true,
+            apps_enabled: false,
         }
     },
 }
@@ -135,6 +137,7 @@
         },
         ndk: {
             enabled: true,
+            apps_enabled: false,
         }
     },
 }
diff --git a/keystore2/aidl/android/security/authorization/IKeystoreAuthorization.aidl b/keystore2/aidl/android/security/authorization/IKeystoreAuthorization.aidl
index 86472eb..01616b1 100644
--- a/keystore2/aidl/android/security/authorization/IKeystoreAuthorization.aidl
+++ b/keystore2/aidl/android/security/authorization/IKeystoreAuthorization.aidl
@@ -25,6 +25,7 @@
  * provide keystore with the information required to enforce authorizations on key usage.
  * @hide
  */
+ @SensitiveData
 interface IKeystoreAuthorization {
 
     /**
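Review bot: The added `@SensitiveData` line is indented by one space, which lines it up with the javadoc asterisks instead of with `interface IKeystoreAuthorization` at column 0; the IKeystoreMaintenance.aidl hunk does the same. Put the annotation at column 0 directly above the `interface` line in both files. It would also help to state in the javadoc why the interface is marked, e.g. ` * Marked @SensitiveData so that transaction buffers for this interface are cleared after use.`, since the only explanation so far was the TODO this change removes from IKeystoreMaintenance.aidl.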
diff --git a/keystore2/aidl/android/security/maintenance/IKeystoreMaintenance.aidl b/keystore2/aidl/android/security/maintenance/IKeystoreMaintenance.aidl
index 280500c..21ddd9b 100644
--- a/keystore2/aidl/android/security/maintenance/IKeystoreMaintenance.aidl
+++ b/keystore2/aidl/android/security/maintenance/IKeystoreMaintenance.aidl
@@ -17,13 +17,12 @@
 import android.system.keystore2.Domain;
 import android.security.maintenance.UserState;
 
-// TODO: mark the interface with @SensitiveData when the annotation is ready (b/176110256).
-
 /**
  * IKeystoreMaintenance interface exposes the methods for adding/removing users and changing the
  * user's password.
  * @hide
  */
+ @SensitiveData
 interface IKeystoreMaintenance {
 
     /**
diff --git a/keystore2/src/km_compat/km_compat_type_conversion.h b/keystore2/src/km_compat/km_compat_type_conversion.h
index c2b4669..e3240e9 100644
--- a/keystore2/src/km_compat/km_compat_type_conversion.h
+++ b/keystore2/src/km_compat/km_compat_type_conversion.h
@@ -665,13 +665,19 @@
         }
         break;
     case KMV1::Tag::ATTESTATION_ID_SERIAL:
-        // TODO This tag is missing from 4.0 keymaster_tags.h
+        if (auto v = KMV1::authorizationValue(KMV1::TAG_ATTESTATION_ID_SERIAL, kp)) {
+            return V4_0::makeKeyParameter(V4_0::TAG_ATTESTATION_ID_SERIAL, v->get());
+        }
         break;
     case KMV1::Tag::ATTESTATION_ID_IMEI:
-        // TODO This tag is missing from 4.0 keymaster_tags.h
+        if (auto v = KMV1::authorizationValue(KMV1::TAG_ATTESTATION_ID_IMEI, kp)) {
+            return V4_0::makeKeyParameter(V4_0::TAG_ATTESTATION_ID_IMEI, v->get());
+        }
         break;
     case KMV1::Tag::ATTESTATION_ID_MEID:
-        // TODO This tag is missing from 4.0 keymaster_tags.h
+        if (auto v = KMV1::authorizationValue(KMV1::TAG_ATTESTATION_ID_MEID, kp)) {
+            return V4_0::makeKeyParameter(V4_0::TAG_ATTESTATION_ID_MEID, v->get());
+        }
         break;
     case KMV1::Tag::ATTESTATION_ID_MANUFACTURER:
         if (auto v = KMV1::authorizationValue(KMV1::TAG_ATTESTATION_ID_MANUFACTURER, kp)) {
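Review bot: The three new cases forward device-unique identifiers (serial, IMEI, MEID) to the 4.0 HAL, where the old code reached `break` without converting them, and nothing in this hunk shows where the caller's right to attest those identifiers is enforced; the next hunk adds the reverse mapping for the same tags. Presumably the check happens before the parameters reach this conversion, so say so above the first case, e.g. `// Device-unique IDs: the caller's attestation permission is checked before conversion, not here.` When `authorizationValue` yields nothing, each case still falls through to `break`, so a requested ID is dropped without any signal. What the function returns after the switch is outside the hunk, so confirm that callers treat that result as an error rather than proceeding to attest without the ID.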
@@ -971,13 +977,19 @@
         }
         break;
     case V4_0::Tag::ATTESTATION_ID_SERIAL:
-        // TODO This tag is missing from 4.0 keymaster_tags.h
+        if (auto v = unwrapper(V4_0::authorizationValue(V4_0::TAG_ATTESTATION_ID_SERIAL, kp))) {
+            return KMV1::makeKeyParameter(KMV1::TAG_ATTESTATION_ID_SERIAL, v->get());
+        }
         break;
     case V4_0::Tag::ATTESTATION_ID_IMEI:
-        // TODO This tag is missing from 4.0 keymaster_tags.h
+        if (auto v = unwrapper(V4_0::authorizationValue(V4_0::TAG_ATTESTATION_ID_IMEI, kp))) {
+            return KMV1::makeKeyParameter(KMV1::TAG_ATTESTATION_ID_IMEI, v->get());
+        }
         break;
     case V4_0::Tag::ATTESTATION_ID_MEID:
-        // TODO This tag is missing from 4.0 keymaster_tags.h
+        if (auto v = unwrapper(V4_0::authorizationValue(V4_0::TAG_ATTESTATION_ID_MEID, kp))) {
+            return KMV1::makeKeyParameter(KMV1::TAG_ATTESTATION_ID_MEID, v->get());
+        }
         break;
     case V4_0::Tag::ATTESTATION_ID_MANUFACTURER:
         if (auto v =