Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit 7b270369 authored by TreeHugger Robot's avatar TreeHugger Robot Committed by Android (Google) Code Review
Browse files

Merge changes from topics "wrapped_key_import", "keystore_seclevels" 

* changes:
  Add importWrappedKey to IKeystoreService.aidl
  Keystore: Use security levels
parents 43fce46b 03dd8279

core/java/android/security/IKeystoreService.aidl

+5 −1
Original line number Diff line number Diff line
@@ -56,7 +56,7 @@ interface IKeystoreService { 
    int clear_uid(long uid);



    // Keymaster 0.4 methods

    int addRngEntropy(in byte[] data);

    int addRngEntropy(in byte[] data, int flags);

    int generateKey(String alias, in KeymasterArguments arguments, in byte[] entropy, int uid,

        int flags, out KeyCharacteristics characteristics);

    int getKeyCharacteristics(String alias, in KeymasterBlob clientId, in KeymasterBlob appId,
@@ -78,4 +78,8 @@ interface IKeystoreService { 
    int attestKey(String alias, in KeymasterArguments params, out KeymasterCertificateChain chain);

    int attestDeviceIds(in KeymasterArguments params, out KeymasterCertificateChain chain);

    int onDeviceOffBody();

    int importWrappedKey(in String wrappedKeyAlias, in byte[] wrappedKey,

        in String wrappingKeyAlias, in byte[] maskingKey, in KeymasterArguments arguments,

        in long rootSid, in long fingerprintSid,

        out KeyCharacteristics characteristics);

}

keystore/java/android/security/KeyStore.java

+22 −2
Original line number Diff line number Diff line
@@ -94,6 +94,16 @@ public class KeyStore { 
     */

    public static final int FLAG_ENCRYPTED = 1;



    /**

     * Select Software keymaster device, which as of this writing is the lowest security

     * level available on an android device. If neither FLAG_STRONGBOX nor FLAG_SOFTWARE is provided

     * A TEE based keymaster implementation is implied.

     *

     * Need to be in sync with KeyStoreFlag in system/security/keystore/include/keystore/keystore.h

     * For historical reasons this corresponds to the KEYSTORE_FLAG_FALLBACK flag.

     */

    public static final int FLAG_SOFTWARE = 1 << 1;



    /**

     * A private flag that's only available to system server to indicate that this key is part of

     * device encryption flow so it receives special treatment from keystore. For example this key
@@ -104,6 +114,16 @@ public class KeyStore { 
     */

    public static final int FLAG_CRITICAL_TO_DEVICE_ENCRYPTION = 1 << 3;



    /**

     * Select Strongbox keymaster device, which as of this writing the the highest security level

     * available an android devices. If neither FLAG_STRONGBOX nor FLAG_SOFTWARE is provided

     * A TEE based keymaster implementation is implied.

     *

     * Need to be in sync with KeyStoreFlag in system/security/keystore/include/keystore/keystore.h

     */

    public static final int FLAG_STRONGBOX = 1 << 4;





    // States

    public enum State { UNLOCKED, LOCKED, UNINITIALIZED };
@@ -440,9 +460,9 @@ public class KeyStore { 
        return mError;

    }



    public boolean addRngEntropy(byte[] data) {

    public boolean addRngEntropy(byte[] data, int flags) {

        try {

            return mBinder.addRngEntropy(data) == NO_ERROR;

            return mBinder.addRngEntropy(data, flags) == NO_ERROR;

        } catch (RemoteException e) {

            Log.w(TAG, "Cannot connect to keystore", e);

            return false;