Loading keymaster/3.0/IKeymasterDevice.hal +15 −0 Original line number Diff line number Diff line Loading @@ -208,6 +208,21 @@ interface IKeymasterDevice { */ deleteAllKeys() generates(ErrorCode error); /** * Destroys knowledge of the device's ids. This prevents all device id attestation in the * future. The destruction must be permanent so that not even a factory reset will restore the * device ids. * * Device id attestation may be provided only if this method is fully implemented, allowing the * user to permanently disable device id attestation. If this cannot be guaranteed, the device * must never attest any device ids. * * This is a NOP if device id attestation is not supported. * * @return error See the ErrorCode enum. */ destroyAttestationIds() generates(ErrorCode error); /** * Begins a cryptographic operation using the specified key. If all is well, begin() will return * ErrorCode::OK and create an operation handle which must be passed to subsequent calls to Loading keymaster/3.0/default/KeymasterDevice.cpp +25 −0 Original line number Diff line number Diff line Loading @@ -516,6 +516,24 @@ Return<void> KeymasterDevice::attestKey(const hidl_vec<uint8_t>& keyToAttest, hidl_vec<hidl_vec<uint8_t>> resultCertChain; for (size_t i = 0; i < attestParams.size(); ++i) { switch (attestParams[i].tag) { case Tag::ATTESTATION_ID_BRAND: case Tag::ATTESTATION_ID_DEVICE: case Tag::ATTESTATION_ID_PRODUCT: case Tag::ATTESTATION_ID_SERIAL: case Tag::ATTESTATION_ID_IMEI: case Tag::ATTESTATION_ID_MEID: // Device id attestation may only be supported if the device is able to permanently // destroy its knowledge of the ids. This device is unable to do this, so it must // never perform any device id attestation. _hidl_cb(ErrorCode::CANNOT_ATTEST_IDS, resultCertChain); return Void(); default: break; } } keymaster_cert_chain_t cert_chain{nullptr, 0}; auto kmKeyToAttest = hidlVec2KmKeyBlob(keyToAttest); Loading Loading 
@@ -569,9 +587,16 @@ Return<ErrorCode> KeymasterDevice::deleteKey(const hidl_vec<uint8_t>& keyBlob) { } Return<ErrorCode> KeymasterDevice::deleteAllKeys() { if (keymaster_device_->delete_all_keys == nullptr) { return ErrorCode::UNIMPLEMENTED; } return legacy_enum_conversion(keymaster_device_->delete_all_keys(keymaster_device_)); } Return<ErrorCode> KeymasterDevice::destroyAttestationIds() { return ErrorCode::UNIMPLEMENTED; } Return<void> KeymasterDevice::begin(KeyPurpose purpose, const hidl_vec<uint8_t>& key, const hidl_vec<KeyParameter>& inParams, begin_cb _hidl_cb) { Loading keymaster/3.0/default/KeymasterDevice.h +1 −0 Original line number Diff line number Diff line Loading @@ -71,6 +71,7 @@ class KeymasterDevice : public IKeymasterDevice { upgradeKey_cb _hidl_cb) override; Return<ErrorCode> deleteKey(const hidl_vec<uint8_t>& keyBlob) override; Return<ErrorCode> deleteAllKeys() override; Return<ErrorCode> destroyAttestationIds() override; Return<void> begin(KeyPurpose purpose, const hidl_vec<uint8_t>& key, const hidl_vec<KeyParameter>& inParams, begin_cb _hidl_cb) override; Return<void> update(uint64_t operationHandle, const hidl_vec<KeyParameter>& inParams, Loading keymaster/3.0/types.hal +14 −0 Original line number Diff line number Diff line Loading 
@@ -123,6 +123,19 @@ enum Tag : uint32_t { ATTESTATION_APPLICATION_ID = TagType:BYTES | 709, /* Used to identify the set of possible * applications of which one has initiated a * key attestation */ ATTESTATION_ID_BRAND = TagType:BYTES | 710, /* Used to provide the device's brand name to be included in attestation */ ATTESTATION_ID_DEVICE = TagType:BYTES | 711, /* Used to provide the device's device name to be included in attestation */ ATTESTATION_ID_PRODUCT = TagType:BYTES | 712, /* Used to provide the device's product name to be included in attestation */ ATTESTATION_ID_SERIAL = TagType:BYTES | 713, /* Used to provide the device's serial number to be included in attestation */ ATTESTATION_ID_IMEI = TagType:BYTES | 714, /* Used to provide the device's IMEI to be included in attestation */ ATTESTATION_ID_MEID = TagType:BYTES | 715, /* Used to provide the device's MEID to be included in attestation */ /* Tags used only to provide data to or receive data from operations */ ASSOCIATED_DATA = TagType:BYTES | 1000, /* Used to provide associated data for AEAD modes. */ Loading Loading @@ -312,6 +325,7 @@ enum ErrorCode : uint32_t { ATTESTATION_CHALLENGE_MISSING = -63, KEYMASTER_NOT_CONFIGURED = -64, ATTESTATION_APPLICATION_ID_MISSING = -65, CANNOT_ATTEST_IDS = -66, UNIMPLEMENTED = -100, VERSION_MISMATCH = -101, Loading Loading
keymaster/3.0/IKeymasterDevice.hal +15 −0 Original line number Diff line number Diff line Loading @@ -208,6 +208,21 @@ interface IKeymasterDevice { */ deleteAllKeys() generates(ErrorCode error); /** * Destroys knowledge of the device's ids. This prevents all device id attestation in the * future. The destruction must be permanent so that not even a factory reset will restore the * device ids. * * Device id attestation may be provided only if this method is fully implemented, allowing the * user to permanently disable device id attestation. If this cannot be guaranteed, the device * must never attest any device ids. * * This is a NOP if device id attestation is not supported. * * @return error See the ErrorCode enum. */ destroyAttestationIds() generates(ErrorCode error); /** * Begins a cryptographic operation using the specified key. If all is well, begin() will return * ErrorCode::OK and create an operation handle which must be passed to subsequent calls to Loading
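Review bot: The new doc comment on `destroyAttestationIds()` says the call "is a NOP if device id attestation is not supported" but does not say which ErrorCode such an implementation returns. The default implementation in KeymasterDevice.cpp returns `ErrorCode::UNIMPLEMENTED`, so a caller that treats anything other than `OK` as a failed destruction cannot tell "nothing to destroy" from "destruction did not happen". I would pin this in the `@return` line, for example `@return error ErrorCode::OK if the ids were destroyed, ErrorCode::UNIMPLEMENTED if device id attestation is not supported.`, with the wording confirmed against the intended contract. If it is the intent, the comment should also state that after a successful call attestKey() with any ATTESTATION_ID_* tag fails with `CANNOT_ATTEST_IDS`.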
keymaster/3.0/default/KeymasterDevice.cpp +25 −0 Original line number Diff line number Diff line Loading @@ -516,6 +516,24 @@ Return<void> KeymasterDevice::attestKey(const hidl_vec<uint8_t>& keyToAttest, hidl_vec<hidl_vec<uint8_t>> resultCertChain; for (size_t i = 0; i < attestParams.size(); ++i) { switch (attestParams[i].tag) { case Tag::ATTESTATION_ID_BRAND: case Tag::ATTESTATION_ID_DEVICE: case Tag::ATTESTATION_ID_PRODUCT: case Tag::ATTESTATION_ID_SERIAL: case Tag::ATTESTATION_ID_IMEI: case Tag::ATTESTATION_ID_MEID: // Device id attestation may only be supported if the device is able to permanently // destroy its knowledge of the ids. This device is unable to do this, so it must // never perform any device id attestation. _hidl_cb(ErrorCode::CANNOT_ATTEST_IDS, resultCertChain); return Void(); default: break; } } keymaster_cert_chain_t cert_chain{nullptr, 0}; auto kmKeyToAttest = hidlVec2KmKeyBlob(keyToAttest); Loading Loading @@ -569,9 +587,16 @@ Return<ErrorCode> KeymasterDevice::deleteKey(const hidl_vec<uint8_t>& keyBlob) { } Return<ErrorCode> KeymasterDevice::deleteAllKeys() { if (keymaster_device_->delete_all_keys == nullptr) { return ErrorCode::UNIMPLEMENTED; } return legacy_enum_conversion(keymaster_device_->delete_all_keys(keymaster_device_)); } Return<ErrorCode> KeymasterDevice::destroyAttestationIds() { return ErrorCode::UNIMPLEMENTED; } Return<void> KeymasterDevice::begin(KeyPurpose purpose, const hidl_vec<uint8_t>& key, const hidl_vec<KeyParameter>& inParams, begin_cb _hidl_cb) { Loading
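Review bot: The tag check added to attestKey() is a deny-list of six case labels written inline, so any ATTESTATION_ID_* tag added to types.hal later falls into `default: break;` and is handed to the underlying device unnoticed. The comment in the hunk says this device must never perform device id attestation, so I would give the list one named home in a file-local helper and mark it as needing to track types.hal. The index loop can then become a range-for over attestParams. attestKey()'s body starts and ends outside the hunk, so this assumes nothing later in the function re-reads the parameters by index.

```cpp
// Returns true for every tag that asks for a device id to be attested.
// Keep in sync with the ATTESTATION_ID_* tags in types.hal.
static bool isDeviceIdAttestationTag(Tag tag) {
    switch (tag) {
        // … unchanged: the six ATTESTATION_ID_* case labels …
            return true;
        default:
            return false;
    }
}

// … unchanged: attestKey signature and resultCertChain declaration …
    for (const auto& param : attestParams) {
        if (isDeviceIdAttestationTag(param.tag)) {
            // … unchanged: comment explaining why this device refuses …
            _hidl_cb(ErrorCode::CANNOT_ATTEST_IDS, resultCertChain);
            return Void();
        }
    }
```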
keymaster/3.0/default/KeymasterDevice.h +1 −0 Original line number Diff line number Diff line Loading @@ -71,6 +71,7 @@ class KeymasterDevice : public IKeymasterDevice { upgradeKey_cb _hidl_cb) override; Return<ErrorCode> deleteKey(const hidl_vec<uint8_t>& keyBlob) override; Return<ErrorCode> deleteAllKeys() override; Return<ErrorCode> destroyAttestationIds() override; Return<void> begin(KeyPurpose purpose, const hidl_vec<uint8_t>& key, const hidl_vec<KeyParameter>& inParams, begin_cb _hidl_cb) override; Return<void> update(uint64_t operationHandle, const hidl_vec<KeyParameter>& inParams, Loading
keymaster/3.0/types.hal +14 −0 Original line number Diff line number Diff line Loading @@ -123,6 +123,19 @@ enum Tag : uint32_t { ATTESTATION_APPLICATION_ID = TagType:BYTES | 709, /* Used to identify the set of possible * applications of which one has initiated a * key attestation */ ATTESTATION_ID_BRAND = TagType:BYTES | 710, /* Used to provide the device's brand name to be included in attestation */ ATTESTATION_ID_DEVICE = TagType:BYTES | 711, /* Used to provide the device's device name to be included in attestation */ ATTESTATION_ID_PRODUCT = TagType:BYTES | 712, /* Used to provide the device's product name to be included in attestation */ ATTESTATION_ID_SERIAL = TagType:BYTES | 713, /* Used to provide the device's serial number to be included in attestation */ ATTESTATION_ID_IMEI = TagType:BYTES | 714, /* Used to provide the device's IMEI to be included in attestation */ ATTESTATION_ID_MEID = TagType:BYTES | 715, /* Used to provide the device's MEID to be included in attestation */ /* Tags used only to provide data to or receive data from operations */ ASSOCIATED_DATA = TagType:BYTES | 1000, /* Used to provide associated data for AEAD modes. */ Loading Loading @@ -312,6 +325,7 @@ enum ErrorCode : uint32_t { ATTESTATION_CHALLENGE_MISSING = -63, KEYMASTER_NOT_CONFIGURED = -64, ATTESTATION_APPLICATION_ID_MISSING = -65, CANNOT_ATTEST_IDS = -66, UNIMPLEMENTED = -100, VERSION_MISMATCH = -101, Loading
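Review bot: The comments on the six new ATTESTATION_ID_* tags say only that the value is provided "to be included in attestation", and do not say whether an implementation is expected to compare the caller-supplied bytes with the ids it holds itself before attesting them. The destroyAttestationIds() documentation speaks of the device's "knowledge" of its ids, which suggests a comparison is intended. If so it should be written down here, because an attestation that repeats unchecked caller input says nothing about the device. I would also add to each tag comment that a request carrying the tag fails with `CANNOT_ATTEST_IDS` when the ids cannot be attested, and give `CANNOT_ATTEST_IDS = -66` a one-line comment saying when it is returned.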