
Commit 1c6aa922 authored by Shikha Panwar's avatar Shikha Panwar Committed by Gerrit Code Review

Merge "[Secretkeeper] Add maintenance methods" into main

parents 141967ee 1357b92d
+5 −0
@@ -36,4 +36,9 @@ package android.hardware.security.secretkeeper;
interface ISecretkeeper {
  android.hardware.security.authgraph.IAuthGraphKeyExchange getAuthGraphKe();
  byte[] processSecretManagementRequest(in byte[] request);
  void deleteIds(in android.hardware.security.secretkeeper.SecretId[] ids);
  void deleteAll();
  const int ERROR_UNKNOWN_KEY_ID = 1;
  const int ERROR_INTERNAL_ERROR = 2;
  const int ERROR_REQUEST_MALFORMED = 3;
}
+3 −6
@@ -33,10 +33,7 @@

package android.hardware.security.secretkeeper;
/* @hide */
@Backing(type="int") @VintfStability
enum ErrorCode {
  OK = 0,
  UNKNOWN_KEY_ID = 1,
  INTERNAL_ERROR = 2,
  REQUEST_MALFORMED = 3,
@VintfStability
parcelable SecretId {
  byte[] id;
}
+22 −8
@@ -17,6 +17,7 @@
package android.hardware.security.secretkeeper;

import android.hardware.security.authgraph.IAuthGraphKeyExchange;
import android.hardware.security.secretkeeper.SecretId;

@VintfStability
/**
@@ -30,14 +31,12 @@ import android.hardware.security.authgraph.IAuthGraphKeyExchange;
 * - A trusted execution environment such as ARM TrustZone.
 * - A completely separate, purpose-built and certified secure CPU.
 *
 * TODO(b/291224769): Extend the HAL interface to include:
 * 1. Dice policy operation - These allow sealing of the secrets with a class of Dice chains.
 * Typical operations are (securely) updating the dice policy sealing the Secrets above. These
 * operations are core to AntiRollback protected secrets - ie, ensuring secrets of a pVM are only
 * accessible to same or higher versions of the images.
 * 2. Maintenance API: This is required for removing the Secretkeeper entries for obsolete pVMs.
 */
interface ISecretkeeper {
    const int ERROR_UNKNOWN_KEY_ID = 1;
    const int ERROR_INTERNAL_ERROR = 2;
    const int ERROR_REQUEST_MALFORMED = 3;

    /**
     * Retrieve the instance of the `IAuthGraphKeyExchange` HAL that should be used for shared
     * session key establishment.  These keys are used to perform encryption of messages as
@@ -60,8 +59,8 @@ interface ISecretkeeper {
     * Virtual Machines). For this, service (& client) must implement a key exchange protocol, which
     * is critical for establishing the secure channel.
     *
     * If an encrypted response cannot be generated, then a service-specific Binder error using an
     * error code from ErrorCode.aidl will be returned.
     * If an encrypted response cannot be generated, then a service-specific Binder error using one
     * of the ERROR_ codes above will be returned.
     *
     * Secretkeeper database should guarantee the following properties:
     *
@@ -82,4 +81,19 @@ interface ISecretkeeper {
     * @return CBOR-encoded ProtectedResponsePacket. See SecretManagement.cddl for its definition
     */
    byte[] processSecretManagementRequest(in byte[] request);

    /**
     * Delete the data corresponding to a collection of IDs.
     *
     * Note that unlike `processSecretManagementRequest`, the contents of this method are in
     * plaintext, and no client authentication is required.
     *
     * @param Secret identifiers to delete.
     */
    void deleteIds(in SecretId[] ids);

    /**
     * Delete data of all clients.
     */
    void deleteAll();
}
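Review bot: The Javadoc on the new deleteIds method drops the parameter name — `@param Secret identifiers to delete.` does not bind to `ids` — and should read `@param ids Secret identifiers to delete.`. The same comment block leaves open what happens when one of the ids is not present: whether the call fails with ERROR_UNKNOWN_KEY_ID (defined earlier in this interface) or silently skips that entry, and whether the remaining ids are still deleted; the choice matters to callers and should be stated. Since deleteIds and deleteAll are documented as plaintext, unauthenticated and destructive, the doc should also say how callers are expected to be restricted — presumably by platform access control on the HAL endpoint, which this hunk alone does not show, so please confirm and document it. The `interface ISecretkeeper` header lies in an earlier hunk of this file section.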
+6 −10
@@ -17,17 +17,13 @@
package android.hardware.security.secretkeeper;

/**
 * Secretkeeper unencrypted error code, returned via AIDL as service specific errors in
 * EX_SERVICE_SPECIFIC.
 * SecretId contains an identifier for a secret held by Secretkeeper.
 * @hide
 */
@VintfStability
@Backing(type="int")
enum ErrorCode {
    OK = 0,
    UNKNOWN_KEY_ID = 1,
    INTERNAL_ERROR = 2,
    REQUEST_MALFORMED = 3,

    // TODO(b/291224769): Create a more exhaustive set of error code values.
parcelable SecretId {
    /**
     * 64-byte identifier for a secret.
     */
    byte[] id;
}
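Review bot: The field comment `64-byte identifier for a secret.` states a size that the `byte[] id` type cannot enforce, and nothing in this parcelable says what an implementation does when an id of another length is passed (for example to deleteIds). Suggest extending the comment along the lines of `64-byte identifier for a secret; ids of any other length should be rejected as malformed.` and naming the error code the implementation actually returns — this hunk shows only the type, so confirm that against the implementation before committing to ERROR_REQUEST_MALFORMED.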
+8 −3
@@ -9,8 +9,8 @@ ProtectedRequestPacket = CryptoPayload<RequestPacket, KeySourceToSink>
CryptoPayload<Payload, Key> = [ ; COSE_Encrypt0 (untagged), [RFC 9052 s5.2]
    protected: bstr .cbor {
        1 : 3,                  ; Algorithm: AES-GCM mode w/ 256-bit key, 128-bit tag
        4 : bstr                ; key identifier, uniquely identifies the session
                                ; TODO(b/291228560): Refer to the Key Exchange spec.
        4 : bstr                ; key identifier set to session ID produced
                                ; by AuthGraph key exchange.
    },
    unprotected: {
        5 : bstr .size 12       ; IV
@@ -32,8 +32,11 @@ GetVersionOpcode = 1 ; Get version of the SecretManagement API
StoreSecretOpcode = 2           ; Store a secret
GetSecretOpcode = 3             ; Get the secret

; Retrieve Secretkeeper version.
GetVersionParams = ()

; Store a secret identified by the given ID, with access to the secret policed
; by the associated sealing policy.
StoreSecretParams = (
    id : SecretId,
    secret : Secret,
@@ -42,6 +45,9 @@ StoreSecretParams = (

; INCLUDE DicePolicy.cddl for: DicePolicy

; Retrieve a secret identified by the given ID, policed according to the sealing
; policy that was associated with the secret.  If successful, optionally also
; update the sealing policy for the secret.
GetSecretParams = (
    id : SecretId,
    ; Retrieving the value of a secret may optionally also update the sealing
@@ -68,7 +74,6 @@ ResponsePacket =

; An error code in the inner response message indicates a failure in
; secret management processing.
; TODO(b/291224769): Create a more exhaustive set of ErrorCodes
ErrorCode = &(
    ; Use this as if no other error code can be used.
    ErrorCode_UnexpectedServerError: 1,