Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit 0aadf935 authored by Janis Danisevskis's avatar Janis Danisevskis
Browse files

Keystore: Use security levels 

In anticipation of the availability of Keymaster implementations with
multiple security levels this patch adds the additional
keystore flags FLAG_SOFTWARE and FLAG_STROGBOX.

Also, the IKeystore method addRngEntropy got a new flags parameter
for the caller to express which implementation shall be awarded the
precious entropy.

Test: Keystore CTS tests
Bug: 63931634
Change-Id: I4a4eafbdbe1290f0c7bd2bfa2ce3e5fbb06c2dd8
parent 39b4499d

core/java/android/security/IKeystoreService.aidl

+1 −1
Original line number Diff line number Diff line
@@ -56,7 +56,7 @@ interface IKeystoreService { 
    int clear_uid(long uid);



    // Keymaster 0.4 methods

    int addRngEntropy(in byte[] data);

    int addRngEntropy(in byte[] data, int flags);

    int generateKey(String alias, in KeymasterArguments arguments, in byte[] entropy, int uid,

        int flags, out KeyCharacteristics characteristics);

    int getKeyCharacteristics(String alias, in KeymasterBlob clientId, in KeymasterBlob appId,

keystore/java/android/security/KeyStore.java

+22 −2
Original line number Diff line number Diff line
@@ -94,6 +94,16 @@ public class KeyStore { 
     */

    public static final int FLAG_ENCRYPTED = 1;



    /**

     * Select Software keymaster device, which as of this writing is the lowest security

     * level available on an android device. If neither FLAG_STRONGBOX nor FLAG_SOFTWARE is provided

     * A TEE based keymaster implementation is implied.

     *

     * Need to be in sync with KeyStoreFlag in system/security/keystore/include/keystore/keystore.h

     * For historical reasons this corresponds to the KEYSTORE_FLAG_FALLBACK flag.

     */

    public static final int FLAG_SOFTWARE = 1 << 1;



    /**

     * A private flag that's only available to system server to indicate that this key is part of

     * device encryption flow so it receives special treatment from keystore. For example this key
@@ -104,6 +114,16 @@ public class KeyStore { 
     */

    public static final int FLAG_CRITICAL_TO_DEVICE_ENCRYPTION = 1 << 3;



    /**

     * Select Strongbox keymaster device, which as of this writing the the highest security level

     * available an android devices. If neither FLAG_STRONGBOX nor FLAG_SOFTWARE is provided

     * A TEE based keymaster implementation is implied.

     *

     * Need to be in sync with KeyStoreFlag in system/security/keystore/include/keystore/keystore.h

     */

    public static final int FLAG_STRONGBOX = 1 << 4;





    // States

    public enum State { UNLOCKED, LOCKED, UNINITIALIZED };
@@ -440,9 +460,9 @@ public class KeyStore { 
        return mError;

    }



    public boolean addRngEntropy(byte[] data) {

    public boolean addRngEntropy(byte[] data, int flags) {

        try {

            return mBinder.addRngEntropy(data) == NO_ERROR;

            return mBinder.addRngEntropy(data, flags) == NO_ERROR;

        } catch (RemoteException e) {

            Log.w(TAG, "Cannot connect to keystore", e);

            return false;