Add device id attestation
This adds device id attestation to KeyStoreService. The service
validates that the user holds the required permissions before
allowing attestation to proceed.
Bug: 34597337
Test: CTS CtsKeystoreTestCases and GTS DeviceIdAttestationHostTest
Change-Id: I6ff6146fad4656b8e1367650de922124b3d7f7b2
diff --git a/keystore/legacy_keymaster_device_wrapper.cpp b/keystore/legacy_keymaster_device_wrapper.cpp
index 9e36ae6..440eb50 100644
--- a/keystore/legacy_keymaster_device_wrapper.cpp
+++ b/keystore/legacy_keymaster_device_wrapper.cpp
@@ -348,6 +348,24 @@
hidl_vec<hidl_vec<uint8_t>> resultCertChain;
+ for (size_t i = 0; i < attestParams.size(); ++i) {
+ switch (attestParams[i].tag) {
+ case Tag::ATTESTATION_ID_BRAND:
+ case Tag::ATTESTATION_ID_DEVICE:
+ case Tag::ATTESTATION_ID_PRODUCT:
+ case Tag::ATTESTATION_ID_SERIAL:
+ case Tag::ATTESTATION_ID_IMEI:
+ case Tag::ATTESTATION_ID_MEID:
+ // Device id attestation may only be supported if the device is able to permanently
+ // destroy its knowledge of the ids. This device is unable to do this, so it must
+ // never perform any device id attestation.
+ _hidl_cb(ErrorCode::CANNOT_ATTEST_IDS, resultCertChain);
+ return Void();
+ default:
+ break;
+ }
+ }
+
keymaster_cert_chain_t cert_chain = {};
auto kmKeyToAttest = hidlVec2KmKeyBlob(keyToAttest);
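Review bot: The switch in the added loop blocks device id attestation by enumerating six `ATTESTATION_ID_*` tags, so any id tag not listed falls through `default:` and is handed on to the legacy attest path. The keymaster 3.0 tag set also has `Tag::ATTESTATION_ID_MANUFACTURER` and `Tag::ATTESTATION_ID_MODEL`; if they are defined at this revision, add them as `case Tag::ATTESTATION_ID_MANUFACTURER:` and `case Tag::ATTESTATION_ID_MODEL:` above the comment so they get the same `CANNOT_ATTEST_IDS` reply. Either way, a comment such as `// Keep in sync with every ATTESTATION_ID_* tag defined by the HAL.` would help whoever adds the next id tag. The enclosing function starts and ends outside the hunk.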
@@ -404,6 +422,10 @@
return legacy_enum_conversion(keymaster_device_->delete_all_keys(keymaster_device_));
}
+Return<ErrorCode> LegacyKeymasterDeviceWrapper::destroyAttestationIds() {
+ return ErrorCode::UNIMPLEMENTED;
+}
+
Return<void> LegacyKeymasterDeviceWrapper::begin(KeyPurpose purpose, const hidl_vec<uint8_t>& key,
const hidl_vec<KeyParameter>& inParams,
begin_cb _hidl_cb) {
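Review bot: `destroyAttestationIds()` returns `ErrorCode::UNIMPLEMENTED` with no comment, so a reader cannot tell from the function alone that this is deliberate rather than a stub awaiting an implementation. A one-line comment would tie it to the refusal in the attestKey hunk of this file, e.g. `// This wrapper cannot destroy device ids, which is why attestKey rejects id attestation with CANNOT_ATTEST_IDS.` How keystore callers treat `UNIMPLEMENTED` from this method is not visible here and is worth confirming.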