Loading security/keymint/aidl/aidl_api/android.hardware.security.keymint/current/android/hardware/security/keymint/SecurityLevel.aidl +1 −0 Original line number Diff line number Diff line Loading @@ -36,4 +36,5 @@ enum SecurityLevel { SOFTWARE = 0, TRUSTED_ENVIRONMENT = 1, STRONGBOX = 2, KEYSTORE = 100, } security/keymint/aidl/android/hardware/security/keymint/KeyCreationResult.aidl +3 −1 Original line number Diff line number Diff line Loading @@ -36,7 +36,6 @@ parcelable KeyCreationResult { * deciding whether a given tag from `keyParams` argument to the generation/import method should * be returned in `keyCharacteristics` are: * * - If the IKeyMintDevice cannot fully enforce the semantics of the tag, it should be omitted. * - If the semantics of the tag are fully enforced by the IKeyMintDevice, without any * assistance from components running at other security levels, it should be included in an * entry with the SecurityLevel of the IKeyMintDevice. Loading @@ -45,6 +44,9 @@ parcelable KeyCreationResult { * SecurityLevel of the involved components. For example if a StrongBox IKeyMintDevice relies * on a TEE to validate biometric authentication, biometric authentication tags go in an entry * with SecurityLevel::TRUSTED_ENVIRONMENT. * - If the semantics are not enforced by KeyMint at all, SecurityLevel::KEYSTORE is used to * indicate that Keystore should enforce. Note that in Keymaster (predecessor to KeyMint), * these tags would have been in SecurityLevel::SOFTWARE. */ KeyCharacteristics[] keyCharacteristics; Loading security/keymint/aidl/android/hardware/security/keymint/SecurityLevel.aidl +46 −3 Original line number Diff line number Diff line Loading 
@@ -17,16 +17,59 @@ package android.hardware.security.keymint; /** * Device security levels. * Device security levels. These enum values are used in two ways: * * 1. Returned from IKeyMintDevice::getHardwareInfo to identify the security level of the * IKeyMintDevice. This characterizes the sort of environment in which the KeyMint * implementation runs, and therefore the security of its operations. * * 2. Associated with individual KeyMint authorization Tags in KeyCharacteristics or in attestation * certificates. This specifies the security level of the weakest environment involved in * enforcing that particular tag, i.e. the sort of security environment an attacker would have * to subvert in order to break the enforcement of that tag. */ @VintfStability @Backing(type="int") enum SecurityLevel { /** * The SOFTWARE security level represents a KeyMint implementation that runs in an Android * process, or a tag enforced by such an implementation. An attacker who can compromise that * process, or obtain root, or subvert the kernel on the device can defeat it. * * Note that the distinction between SOFTWARE and KEYSTORE is only relevant on-device. For * attestation purposes, these categories are combined into the software-enforced authorization * list. */ SOFTWARE = 0, /** * The TRUSTED_ENVIRONMENT security level represents a KeyMint implementation that runs in an * Android process, or a tag enforced by such an implementation. An attacker who completely * compromises Android, including the Linux kernel, does not have the ability to subvert it. At * attacker who can find an exploit that gains them control of the trusted environment, or who * has access to the physical device and can mount a sophisticated hardware attack, may be able * to defeat it. */ TRUSTED_ENVIRONMENT = 1, /** * STRONGBOX specifies that the secure hardware satisfies the requirements specified in CDD * 9.11.2. 
* The STRONGBOX security level represents a KeyMint implementation that runs in security * hardware that satisfies the requirements specified in CDD 9.11.2. Roughly speaking, these * are discrete, security-focus computing environments that are hardened against physical and * side channel attack, and have had their security formally validated by a competent * penetration testing lab. */ STRONGBOX = 2, /** * KeyMint implementations must never return the KEYSTORE security level from getHardwareInfo. * It is used to specify tags that are not enforced by the IKeyMintDevice, but are instead * to be enforced by Keystore. An attacker who can subvert the keystore process or gain root or * subvert the kernel can prevent proper enforcement of these tags. * * * Note that the distinction between SOFTWARE and KEYSTORE is only relevant on-device. When * KeyMint generates an attestation certificate, these categories are combined into the * software-enforced authorization list. */ KEYSTORE = 100 } Loading
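Review bot: in the KeyCreationResult.aidl hunks, deleting the bullet "- If the IKeyMintDevice cannot fully enforce the semantics of the tag, it should be omitted." leaves no rule for tags that the IKeyMintDevice does not enforce and that Keystore cannot enforce either; the replacement bullet only says that SecurityLevel::KEYSTORE marks tags "Keystore should enforce". Either state that every tag the device does not enforce goes in the KEYSTORE entry, or keep an explicit omission rule, so implementers do not silently drop or mislabel such tags. The remark that Keymaster put these under SecurityLevel::SOFTWARE is helpful; it would also be worth saying whether a KeyMint device may still emit SOFTWARE entries itself, given that the SecurityLevel.aidl change says SOFTWARE and KEYSTORE are merged for attestation purposes.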
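Review bot: in the SecurityLevel.aidl hunk, the new TRUSTED_ENVIRONMENT comment says the implementation "runs in an Android process", which is the SOFTWARE wording carried over and contradicts the following sentence that an attacker who completely compromises Android including the kernel cannot subvert it; it should describe an isolated execution environment outside Android, in the style of the CDD reference used for STRONGBOX. Smaller fixes in the same hunk: "At attacker who can find an exploit" should read "An attacker", "security-focus computing environments" should be "security-focused", the KEYSTORE comment has a stray empty "*" line before "Note that the distinction", and that SOFTWARE/KEYSTORE note is repeated verbatim under both enumerators, so one copy with a cross-reference would do.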