Loading compatibility_matrices/compatibility_matrix.current.xml +2 −1 Original line number Diff line number Diff line Loading @@ -334,7 +334,7 @@ </hal> <hal format="aidl" optional="true"> <name>android.hardware.security.keymint</name> <version>1</version> <version>1-2</version> <interface> <name>IKeyMintDevice</name> <instance>default</instance> Loading @@ -343,6 +343,7 @@ </hal> <hal format="aidl" optional="true"> <name>android.hardware.security.keymint</name> <version>1-2</version> <interface> <name>IRemotelyProvisionedComponent</name> <instance>default</instance> Loading security/keymint/aidl/Android.bp +3 −3 Original line number Diff line number Diff line Loading @@ -45,14 +45,14 @@ aidl_interface { cc_defaults { name: "keymint_use_latest_hal_aidl_ndk_static", static_libs: [ "android.hardware.security.keymint-V1-ndk", "android.hardware.security.keymint-V2-ndk", ], } cc_defaults { name: "keymint_use_latest_hal_aidl_ndk_shared", shared_libs: [ "android.hardware.security.keymint-V1-ndk", "android.hardware.security.keymint-V2-ndk", ], } Loading @@ -62,6 +62,6 @@ cc_defaults { rust_defaults { name: "keymint_use_latest_hal_aidl_rust", rustlibs: [ "android.hardware.security.keymint-V1-rust", "android.hardware.security.keymint-V2-rust", ], } security/keymint/aidl/aidl_api/android.hardware.security.keymint/current/android/hardware/security/keymint/EcCurve.aidl +1 −0 Original line number Diff line number Diff line Loading @@ -39,4 +39,5 @@ enum EcCurve { P_256 = 1, P_384 = 2, P_521 = 3, CURVE_25519 = 4, } security/keymint/aidl/android/hardware/security/keymint/EcCurve.aidl +1 −0 Original line number Diff line number Diff line Loading @@ -27,4 +27,5 @@ enum EcCurve { P_256 = 1, P_384 = 2, P_521 = 3, CURVE_25519 = 4, } security/keymint/aidl/android/hardware/security/keymint/IKeyMintDevice.aidl +20 −4 Original line number Diff line number Diff line Loading 
@@ -93,6 +93,11 @@ import android.hardware.security.secureclock.TimeStampToken; * P-521. STRONGBOX IKeyMintDevices must support NIST curve P-256. * - TRUSTED_ENVIRONMENT IKeyMintDevices must support SHA1, SHA-2 224, SHA-2 256, SHA-2 * 384 and SHA-2 512 digest modes. STRONGBOX IKeyMintDevices must support SHA-2 256. * - TRUSTED_ENVRIONMENT IKeyMintDevices must support curve 25519 for Purpose::SIGN (Ed25519, * as specified in RFC 8032), Purpose::ATTEST_KEY (Ed25519) or for KeyPurpose::AGREE_KEY * (X25519, as specified in RFC 7748). However, a key must have exactly one of these * purpose values; the same key cannot be used for multiple purposes. * STRONGBOX IKeyMintDevices do not support curve 25519. * * o AES * Loading Loading @@ -287,7 +292,7 @@ interface IKeyMintDevice { * except AGREE_KEY must be supported for RSA keys. * * o Tag::DIGEST specifies digest algorithms that may be used with the new key. TEE * IKeyMintDevice implementations must support all Digest values (see digest.aidl) for RSA * IKeyMintDevice implementations must support all Digest values (see Digest.aidl) for RSA * keys. StrongBox IKeyMintDevice implementations must support SHA_2_256. * * o Tag::PADDING specifies the padding modes that may be used with the new Loading 
@@ -298,13 +303,24 @@ interface IKeyMintDevice { * == ECDSA Keys == * * Tag::EC_CURVE must be provided to generate an ECDSA key. If it is not provided, generateKey * must return ErrorCode::UNSUPPORTED_KEY_SIZE. TEE IKeyMintDevice implementations must support * all curves. StrongBox implementations must support P_256. * must return ErrorCode::UNSUPPORTED_KEY_SIZE or ErrorCode::UNSUPPORTED_EC_CURVE. TEE * IKeyMintDevice implementations must support all required curves. StrongBox implementations * must support P_256 and no other curves. * * Tag::CERTIFICATE_NOT_BEFORE and Tag::CERTIFICATE_NOT_AFTER must be provided to specify the * valid date range for the returned X.509 certificate holding the public key. If omitted, * generateKey must return ErrorCode::MISSING_NOT_BEFORE or ErrorCode::MISSING_NOT_AFTER. * * Keys with EC_CURVE of EcCurve::CURVE_25519 must have exactly one purpose in the set * {KeyPurpose::SIGN, KeyPurpose::ATTEST_KEY, KeyPurpose::AGREE_KEY}. Key generation with more * than one purpose should be rejected with ErrorCode::INCOMPATIBLE_PURPOSE. * StrongBox implementation do not support CURVE_25519. * * Tag::DIGEST specifies digest algorithms that may be used with the new key. TEE * IKeyMintDevice implementations must support all Digest values (see Digest.aidl) for ECDSA * keys; Ed25519 keys only support Digest::NONE. StrongBox IKeyMintDevice implementations must * support SHA_2_256. * * == AES Keys == * * Only Tag::KEY_SIZE is required to generate an AES key. If omitted, generateKey must return Loading Loading
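Review bot: In both EcCurve.aidl hunks, CURVE_25519 = 4 is added without a comment, although this single value stands for two different algorithms: per the IKeyMintDevice.aidl text in this same change it means Ed25519 for KeyPurpose::SIGN and KeyPurpose::ATTEST_KEY, and X25519 for KeyPurpose::AGREE_KEY. Suggest a short comment on the enumerator saying that the algorithm is selected by the key's single purpose and citing RFC 8032 and RFC 7748, so that someone reading the enum alone does not take it for another ECDSA curve.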
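Review bot: In the IKeyMintDevice.aidl hunk at @@ -93, the added bullet misspells TRUSTED_ENVIRONMENT as "TRUSTED_ENVRIONMENT" and mixes "Purpose::SIGN" and "Purpose::ATTEST_KEY" with "KeyPurpose::AGREE_KEY", while the hunk at @@ -298 uses KeyPurpose:: throughout. The wording "must support curve 25519 for ... SIGN ..., ... ATTEST_KEY ... or for ... AGREE_KEY" can also be read as requiring only one of the three uses; if all three are mandatory for TRUSTED_ENVIRONMENT implementations, "and" would say so, and the exactly-one-purpose-per-key rule is already carried by the sentence that follows.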
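Review bot: In the IKeyMintDevice.aidl hunk at @@ -298, the CURVE_25519 purpose rule says key generation "should be rejected with ErrorCode::INCOMPATIBLE_PURPOSE", where the surrounding requirements all use "must", and it names an error only for more than one purpose, not for a key whose purposes include none of the three, although the preceding sentence requires exactly one. Suggest "must be rejected" and stating the error for that second case. The same added text does not say which error a StrongBox implementation returns when asked for CURVE_25519 ("StrongBox implementation do not" also needs "implementations"), the missing-EC_CURVE case now permits either UNSUPPORTED_KEY_SIZE or UNSUPPORTED_EC_CURVE, which makes conformance harder to test, and the new Tag::DIGEST paragraph covers ECDSA and Ed25519 keys but says nothing about X25519 keys. The section is also still titled "== ECDSA Keys ==" while it now describes Ed25519 and X25519 keys.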