Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit d9cbeba0 authored by David Zeuthen's avatar David Zeuthen
Browse files

PackageManager: Add FEATURE_HARDWARE_KEYSTORE, modify FEATURE_STRONGBOX_KEYSTORE. 

These feature flags will hold the KeyMint version for the default and
StrongBox HALs. They can be used by apps to convey that they'll only
work on devices which have a recent enough version of KeyMint.

For example, if an application requires ECDH to be implemented in
Secure Hardware it can convey this requirement by indicated that it
needs FEATURE_HARDWARE_KEYSTORE >= 100. Or if it needs this in the
StrongBox it can use FEATURE_STRONGBOX_KEYSTORE >= 100. As with other
feature flags, this can be used to only show the app on devices which
satisfy such requirements.

Test: Compiles
Bug: 160616951
Change-Id: I582e50fba92de0d598d7e86fcc3b1b2b4a91b103
parent 4eca6d0c

core/api/current.txt

+1 −0
Original line number Diff line number Diff line
@@ -12139,6 +12139,7 @@ package android.content.pm { 
    field public static final String FEATURE_FINGERPRINT = "android.hardware.fingerprint";

    field public static final String FEATURE_FREEFORM_WINDOW_MANAGEMENT = "android.software.freeform_window_management";

    field public static final String FEATURE_GAMEPAD = "android.hardware.gamepad";

    field public static final String FEATURE_HARDWARE_KEYSTORE = "android.hardware.hardware_keystore";

    field public static final String FEATURE_HIFI_SENSORS = "android.hardware.sensor.hifi_sensors";

    field public static final String FEATURE_HOME_SCREEN = "android.software.home_screen";

    field public static final String FEATURE_IDENTITY_CREDENTIAL_HARDWARE = "android.hardware.identity_credential";

core/java/android/content/pm/PackageManager.java

+51 −2
Original line number Diff line number Diff line
@@ -3167,8 +3167,57 @@ public abstract class PackageManager { 
    public static final String FEATURE_VR_HEADTRACKING = "android.hardware.vr.headtracking";



    /**

     * Feature for {@link #getSystemAvailableFeatures} and {@link #hasSystemFeature}:

     * The device has a StrongBox hardware-backed Keystore.

     * Feature for {@link #getSystemAvailableFeatures} and

     * {@link #hasSystemFeature(String, int)}: If this feature is supported, the device implements

     * the Android Keystore backed by an isolated execution environment. The version indicates

     * which features are implemented in the isolated execution environment:

     * <ul>

     * <li>100: Hardware support for ECDH (see {@link javax.crypto.KeyAgreement}) and support

     * for app-generated attestation keys (see {@link

     * android.security.keystore.KeyGenParameterSpec.Builder#setAttestKeyAlias(String)}).

     * <li>41: Hardware enforcement of device-unlocked keys (see {@link

     * android.security.keystore.KeyGenParameterSpec.Builder#setUnlockedDeviceRequired(boolean)}).

     * <li>40: Support for wrapped key import (see {@link

     * android.security.keystore.WrappedKeyEntry}), optional support for ID attestation (see {@link

     * android.security.keystore.KeyGenParameterSpec.Builder#setDevicePropertiesAttestationIncluded(boolean)}),

     * attestation (see {@link

     * android.security.keystore.KeyGenParameterSpec.Builder#setAttestationChallenge(byte[])}),

     * AES, HMAC, ECDSA and RSA support where the secret or private key never leaves secure

     * hardware, and support for requiring user authentication before a key can be used.

     * </ul>

     * This feature version is guaranteed to be set for all devices launching with Android 12 and

     * may be set on devices launching with an earlier version. If the feature version is set, it

     * will at least have the value 40. If it's not set the device may have a version of

     * hardware-backed keystore but it may not support all features listed above.

     */

    @SdkConstant(SdkConstantType.FEATURE)

    public static final String FEATURE_HARDWARE_KEYSTORE = "android.hardware.hardware_keystore";



    /**

     * Feature for {@link #getSystemAvailableFeatures}, {@link #hasSystemFeature(String)}, and

     * {@link #hasSystemFeature(String, int)}: If this feature is supported, the device implements

     * the Android Keystore backed by a dedicated secure processor referred to as

     * <a href="https://source.android.com/security/best-practices/hardware#strongbox-keymaster">

     * StrongBox</a>. If this feature has a version, the version number indicates which features are

     * implemented in StrongBox:

     * <ul>

     * <li>100: Hardware support for ECDH (see {@link javax.crypto.KeyAgreement}) and support

     * for app-generated attestation keys (see {@link

     * android.security.keystore.KeyGenParameterSpec.Builder#setAttestKeyAlias(String)}).

     * <li>41: Hardware enforcement of device-unlocked keys (see {@link

     * android.security.keystore.KeyGenParameterSpec.Builder#setUnlockedDeviceRequired(boolean)}).

     * <li>40: Support for wrapped key import (see {@link

     * android.security.keystore.WrappedKeyEntry}), optional support for ID attestation (see {@link

     * android.security.keystore.KeyGenParameterSpec.Builder#setDevicePropertiesAttestationIncluded(boolean)}),

     * attestation (see {@link

     * android.security.keystore.KeyGenParameterSpec.Builder#setAttestationChallenge(byte[])}),

     * AES, HMAC, ECDSA and RSA support where the secret or private key never leaves secure

     * hardware, and support for requiring user authentication before a key can be used.

     * </ul>

     * If a device has StrongBox, this feature version number is guaranteed to be set for all

     * devices launching with Android 12 and may be set on devices launching with an earlier

     * version. If the feature version is set, it will at least have the value 40. If it's not

     * set the device may have StrongBox but it may not support all features listed above.

     */

    @SdkConstant(SdkConstantType.FEATURE)

    public static final String FEATURE_STRONGBOX_KEYSTORE =