Updating CDDL schemas to match the finalized spec. (314b21f3) · Commits · e / os / android_hardware_interfaces

security/keymint/aidl/android/hardware/security/keymint/DeviceInfo.aidl

+3 −0

Original line number	Original line	Diff line number	Diff line
	@@ -37,10 +37,13 @@ parcelable DeviceInfo {
	* ? "board" : tstr,		* ? "board" : tstr,
	* ? "vb_state" : "green" / "yellow" / "orange", // Taken from the AVB values		* ? "vb_state" : "green" / "yellow" / "orange", // Taken from the AVB values
	* ? "bootloader_state" : "locked" / "unlocked", // Taken from the AVB values		* ? "bootloader_state" : "locked" / "unlocked", // Taken from the AVB values
			* ? "vbmeta_digest": bstr, // Taken from the AVB values
	* ? "os_version" : tstr, // Same as android.os.Build.VERSION.release		* ? "os_version" : tstr, // Same as android.os.Build.VERSION.release
	* ? "system_patch_level" : uint, // YYYYMMDD		* ? "system_patch_level" : uint, // YYYYMMDD
	* ? "boot_patch_level" : uint, // YYYYMMDD		* ? "boot_patch_level" : uint, // YYYYMMDD
	* ? "vendor_patch_level" : uint, // YYYYMMDD		* ? "vendor_patch_level" : uint, // YYYYMMDD
			* "version" : 1, // The CDDL schema version.
			* "security_level" : "tee" / "strongbox"
	* }		* }
	*/		*/
	byte[] deviceInfo;		byte[] deviceInfo;

security/keymint/aidl/android/hardware/security/keymint/IRemotelyProvisionedComponent.aidl

+63 −40

Original line number	Original line	Diff line number	Diff line
	@@ -33,8 +33,8 @@ import android.hardware.security.keymint.RpcHardwareInfo;
	*		*
	* The root of trust for secure provisioning is something called the "Boot Certificate Chain", or		* The root of trust for secure provisioning is something called the "Boot Certificate Chain", or
	* BCC. The BCC is a chain of public key certificates, represented as COSE_Sign1 objects containing		* BCC. The BCC is a chain of public key certificates, represented as COSE_Sign1 objects containing
	* COSE_Key representations of the public keys. The "root" of the BCC is a self-signed certificate		* COSE_Key representations of the public keys. The "root" of the BCC is
	* for a device-unique public key, denoted DK_pub. All public keys in the BCC are device-unique. The		* a device-unique public key, denoted DK_pub. All public keys in the BCC are device-unique. The
	* public key from each certificate in the chain is used to sign the next certificate in the		* public key from each certificate in the chain is used to sign the next certificate in the
	* chain. The final, "leaf" certificate contains a public key, denoted KM_pub, whose corresponding		* chain. The final, "leaf" certificate contains a public key, denoted KM_pub, whose corresponding
	* private key, denoted KM_priv, is available for use by the IRemotelyProvisionedComponent.		* private key, denoted KM_priv, is available for use by the IRemotelyProvisionedComponent.
	@@ -58,12 +58,8 @@ import android.hardware.security.keymint.RpcHardwareInfo;
	* (given the necessary input), but no stage can compute the secret of any preceding stage. Updating		* (given the necessary input), but no stage can compute the secret of any preceding stage. Updating
	* the firmware or configuration of any stage changes the key pair of that stage, and of all		* the firmware or configuration of any stage changes the key pair of that stage, and of all
	* subsequent stages, and no attacker who compromised the previous version of the updated firmware		* subsequent stages, and no attacker who compromised the previous version of the updated firmware
	* can know or predict the post-update key pairs.		* can know or predict the post-update key pairs. It is recommended and expected that the BCC is
	*		* constructed using the Open Profile for DICE.
	* The first BCC certificate is special because its contained public key, DK_pub, will never change,
	* making it a permanent, device-unique identifier. Although the remaining keys in the BCC are also
	* device-unique, they are not necessarily permanent, since they can change when the device software
	* is updated.
	*		*
	* When the provisioning server receives a message signed by KM_priv and containing a BCC that		* When the provisioning server receives a message signed by KM_priv and containing a BCC that
	* chains from DK_pub to KM_pub, it can be certain that (barring vulnerabilities in some boot		* chains from DK_pub to KM_pub, it can be certain that (barring vulnerabilities in some boot
	@@ -78,7 +74,7 @@ import android.hardware.security.keymint.RpcHardwareInfo;
	* While a proper BCC, as described above, reflects the complete boot sequence from boot ROM to the		* While a proper BCC, as described above, reflects the complete boot sequence from boot ROM to the
	* secure area image of the IRemotelyProvisionedComponent, it's also possible to use a "degenerate"		* secure area image of the IRemotelyProvisionedComponent, it's also possible to use a "degenerate"
	* BCC which consists only of a single, self-signed certificate containing the public key of a		* BCC which consists only of a single, self-signed certificate containing the public key of a
	* hardware-bound key pair. This is an appropriate solution for devices which haven't implemented		* hardware-bound key pair. This is an appopriate solution for devices which haven't implemented
	* everything necessary to produce a proper BCC, but can derive a unique key pair in the secure		* everything necessary to produce a proper BCC, but can derive a unique key pair in the secure
	* area. In this degenerate case, DK_pub is the same as KM_pub.		* area. In this degenerate case, DK_pub is the same as KM_pub.
	*		*
	@@ -141,7 +137,7 @@ interface IRemotelyProvisionedComponent {
	* privateKeyHandle, that the contained public key is for remote certification.		* privateKeyHandle, that the contained public key is for remote certification.
	*		*
	* @return data representing a handle to the private key. The format is implementation-defined,		* @return data representing a handle to the private key. The format is implementation-defined,
	* but note that specific services may define a required format.		* but note that specific services may define a required format. KeyMint does.
	*/		*/
	byte[] generateEcdsaP256KeyPair(in boolean testMode, out MacedPublicKey macedPublicKey);		byte[] generateEcdsaP256KeyPair(in boolean testMode, out MacedPublicKey macedPublicKey);

	@@ -162,65 +158,90 @@ interface IRemotelyProvisionedComponent {
	* If testMode is false, the keysToCertify array must not contain any keys flagged as		* If testMode is false, the keysToCertify array must not contain any keys flagged as
	* test keys. Otherwise, the method must return STATUS_TEST_KEY_IN_PRODUCTION_REQUEST.		* test keys. Otherwise, the method must return STATUS_TEST_KEY_IN_PRODUCTION_REQUEST.
	*		*
	* @param in endpointEncryptionKey contains an X25519 public key which will be used to encrypt		* @param in endpointEncryptionKey contains an X22519 public key which will be used to encrypt
	* the BCC. For flexibility, this is represented as a certificate chain, represented as a		* the BCC. For flexibility, this is represented as a certificate chain, represented as a
	* CBOR array of COSE_Sign1 objects, ordered from root to leaf. The leaf contains the		* CBOR array of COSE_Sign1 objects, ordered from root to leaf. The leaf contains the
	* X25519 encryption key, each other element is an Ed25519 key signing the next in the		* X25519 encryption key, each other element is an Ed25519 key signing the next in the
	* chain. The root is self-signed.		* chain. The root is self-signed. An implementor may also choose to use P256 as an
			* alternative curve for signing and encryption instead of Curve 25519.
	*		*
	* EekChain = [ + SignedSignatureKey, SignedEek ]		* EekChain = [ + SignedSignatureKey, SignedEek ]
	*		*
	* SignedSignatureKey = [ // COSE_Sign1		* SignedSignatureKey = [ // COSE_Sign1
	* protected: bstr .cbor {		* protected: bstr .cbor {
	* 1 : -8, // Algorithm : EdDSA		* 1 : AlgorithmEdDSA / AlgorithmES256, // Algorithm
	* },		* },
	* unprotected: {},		* unprotected: {},
	* payload: bstr .cbor SignatureKey,		* payload: bstr .cbor SignatureKeyEd25519 /
	* signature: bstr PureEd25519(.cbor SignatureKeySignatureInput)		* bstr .cbor SignatureKeyP256,
			* signature: bstr PureEd25519(.cbor SignatureKeySignatureInput) /
			* bstr ECDSA(.cbor SignatureKeySignatureInput)
	* ]		* ]
	*		*
	* SignatureKey = { // COSE_Key		* SignatureKeyEd25519 = { // COSE_Key
	* 1 : 1, // Key type : Octet Key Pair		* 1 : 1, // Key type : Octet Key Pair
	* 3 : -8, // Algorithm : EdDSA		* 3 : AlgorithmEdDSA, // Algorithm
	* -1 : 6, // Curve : Ed25519		* -1 : 6, // Curve : Ed25519
	* -2 : bstr // Ed25519 public key		* -2 : bstr // Ed25519 public key
	* }		* }
	*		*
			* SignatureKeyP256 = {
			* 1 : 2, // Key type : EC2
			* 3 : AlgorithmES256, // Algorithm
			* -1 : 1, // Curve: P256
			* -2 : bstr, // X coordinate
			* -3 : bstr // Y coordinate
			* }
			*
	* SignatureKeySignatureInput = [		* SignatureKeySignatureInput = [
	* context: "Signature1",		* context: "Signature1",
	* body_protected: bstr .cbor {		* body_protected: bstr .cbor {
	* 1 : -8, // Algorithm : EdDSA		* 1 : AlgorithmEdDSA / AlgorithmES256, // Algorithm
	* },		* },
	* external_aad: bstr .size 0,		* external_aad: bstr .size 0,
	* payload: bstr .cbor SignatureKey		* payload: bstr .cbor SignatureKeyEd25519 /
			* bstr .cbor SignatureKeyP256
	* ]		* ]
	*		*
	* SignedEek = [ // COSE_Sign1		* SignedEek = [ // COSE_Sign1
	* protected: bstr .cbor {		* protected: bstr .cbor {
	* 1 : -8, // Algorithm : EdDSA		* 1 : AlgorithmEdDSA / AlgorithmES256, // Algorithm
	* },		* },
	* unprotected: {},		* unprotected: {},
	* payload: bstr .cbor Eek,		* payload: bstr .cbor EekX25519 / .cbor EekP256,
	* signature: bstr PureEd25519(.cbor EekSignatureInput)		* signature: bstr PureEd25519(.cbor EekSignatureInput) /
			* bstr ECDSA(.cbor EekSignatureInput)
	* ]		* ]
	*		*
	* Eek = { // COSE_Key		* EekX25519 = { // COSE_Key
	* 1 : 1, // Key type : Octet Key Pair		* 1 : 1, // Key type : Octet Key Pair
	* 2 : bstr // KID : EEK ID		* 2 : bstr // KID : EEK ID
	* 3 : -25, // Algorithm : ECDH-ES + HKDF-256		* 3 : -25, // Algorithm : ECDH-ES + HKDF-256
	* -1 : 4, // Curve : X25519		* -1 : 4, // Curve : X25519
	* -2 : bstr // X25519 public key		* -2 : bstr // Ed25519 public key
			* }
			*
			* EekP256 = { // COSE_Key
			* 1 : 2, // Key type : EC2
			* 2 : bstr // KID : EEK ID
			* 3 : -25, // Algorithm : ECDH-ES + HKDF-256
			* -1 : 1, // Curve : P256
			* -2 : bstr // Sender X coordinate
			* -3 : bstr // Sender Y coordinate
	* }		* }
	*		*
	* EekSignatureInput = [		* EekSignatureInput = [
	* context: "Signature1",		* context: "Signature1",
	* body_protected: bstr .cbor {		* body_protected: bstr .cbor {
	* 1 : -8, // Algorithm : EdDSA		* 1 : AlgorithmEdDSA / AlgorithmES256, // Algorithm
	* },		* },
	* external_aad: bstr .size 0,		* external_aad: bstr .size 0,
	* payload: bstr .cbor Eek		* payload: bstr .cbor EekX25519 / .cbor EekP256
	* ]		* ]
	*		*
			* AlgorithmES256 = -7
			* AlgorithmEdDSA = -8
			*
	* If the contents of endpointEncryptionKey do not match the SignedEek structure above,		* If the contents of endpointEncryptionKey do not match the SignedEek structure above,
	* the method must return STATUS_INVALID_EEK.		* the method must return STATUS_INVALID_EEK.
	*		*
	@@ -228,7 +249,7 @@ interface IRemotelyProvisionedComponent {
	* in the chain, which implies that it must not attempt to validate the signature.		* in the chain, which implies that it must not attempt to validate the signature.
	*		*
	* If testMode is false, the method must validate the chain signatures, and must verify		* If testMode is false, the method must validate the chain signatures, and must verify
	* that the public key in the root certificate is in its pre-configured set of		* that the public key in the root certifictate is in its pre-configured set of
	* authorized EEK root keys. If the public key is not in the database, or if signature		* authorized EEK root keys. If the public key is not in the database, or if signature
	* verification fails, the method must return STATUS_INVALID_EEK.		* verification fails, the method must return STATUS_INVALID_EEK.
	*		*
	@@ -236,8 +257,13 @@ interface IRemotelyProvisionedComponent {
	* by the secure area. See the description of the 'signature' output parameter for		* by the secure area. See the description of the 'signature' output parameter for
	* details.		* details.
	*		*
	* @param out keysToSignMac contains the MAC of KeysToSign in the CertificateRequest		* @param out DeviceInfo contains the VerifiedDeviceInfo portion of the DeviceInfo array in
	* structure. Specifically, it contains:		* CertificateRequest. The structure is described within the DeviceInfo.aidl file.
			*
			* @param out ProtectedData contains the encrypted BCC and the ephemeral MAC key used to
			* authenticate the keysToSign (see keysToSignMac output argument).
			*
			* @return The of KeysToSign in the CertificateRequest structure. Specifically, it contains:
	*		*
	* HMAC-256(EK_mac, .cbor KeysToMacStructure)		* HMAC-256(EK_mac, .cbor KeysToMacStructure)
	*		*
	@@ -261,9 +287,6 @@ interface IRemotelyProvisionedComponent {
	* // Payload is PublicKeys from keysToSign argument, in provided order.		* // Payload is PublicKeys from keysToSign argument, in provided order.
	* payload : bstr .cbor [ * PublicKey ]		* payload : bstr .cbor [ * PublicKey ]
	* ]		* ]
	*
	* @param out ProtectedData contains the encrypted BCC and the ephemeral MAC key used to
	* authenticate the keysToSign (see keysToSignMac output argument).
	*/		*/
	byte[] generateCertificateRequest(in boolean testMode, in MacedPublicKey[] keysToSign,		byte[] generateCertificateRequest(in boolean testMode, in MacedPublicKey[] keysToSign,
	in byte[] endpointEncryptionCertChain, in byte[] challenge, out DeviceInfo deviceInfo,		in byte[] endpointEncryptionCertChain, in byte[] challenge, out DeviceInfo deviceInfo,

security/keymint/aidl/android/hardware/security/keymint/ProtectedData.aidl

+75 −35

Original line number	Original line	Diff line number	Diff line
	@@ -40,11 +40,7 @@ parcelable ProtectedData {
	* 1 : -25 // Algorithm : ECDH-ES + HKDF-256		* 1 : -25 // Algorithm : ECDH-ES + HKDF-256
	* },		* },
	* unprotected : {		* unprotected : {
	* -1 : { // COSE_Key		* -1 : PubKeyX25519 / PubKeyEcdhP256 // Of the sender
	* 1 : 1, // Key type : Octet Key Pair
	* -1 : 4, // Curve : X25519
	* -2 : bstr // Sender X25519 public key
	* }
	* 4 : bstr, // KID : EEK ID		* 4 : bstr, // KID : EEK ID
	* },		* },
	* ciphertext : nil		* ciphertext : nil
	@@ -67,7 +63,7 @@ parcelable ProtectedData {
	* other : bstr // EEK pubkey		* other : bstr // EEK pubkey
	* ],		* ],
	* SuppPubInfo : [		* SuppPubInfo : [
	* 128, // Output key length		* 256, // Output key length
	* protected : bstr .size 0		* protected : bstr .size 0
	* ]		* ]
	* ]		* ]
	@@ -75,21 +71,35 @@ parcelable ProtectedData {
	* ProtectedDataPayload [		* ProtectedDataPayload [
	* SignedMac,		* SignedMac,
	* Bcc,		* Bcc,
			* ? AdditionalDKSignatures,
			* ]
			* AdditionalDKSignatures = {
			* + SignerName => DKCertChain
			* }
			*
			* SignerName = tstr
			*
			* DKCertChain = [
			* 2* Certificate // Root -> Leaf. Root is the vendor
			* // self-signed cert, leaf contains DK_pub
	* ]		* ]
	*		*
			* Certificate = COSE_Sign1 of a public key
			*
	* SignedMac = [ // COSE_Sign1		* SignedMac = [ // COSE_Sign1
	* bstr .cbor { // Protected params		* bstr .cbor { // Protected params
	* 1 : -8, // Algorithm : EdDSA		* 1 : AlgorithmEdDSA / AlgorithmES256, // Algorithm
	* },		* },
	* {}, // Unprotected params		* {}, // Unprotected params
	* bstr .size 32, // MAC key		* bstr .size 32, // MAC key
	* bstr PureEd25519(DK_priv, .cbor SignedMac_structure)		* bstr PureEd25519(KM_priv, .cbor SignedMac_structure) /
			* ECDSA(KM_priv, bstr .cbor SignedMac_structure)
	* ]		* ]
	*		*
	* SignedMac_structure = [		* SignedMac_structure = [
	* "Signature1",		* "Signature1",
	* bstr .cbor { // Protected params		* bstr .cbor { // Protected params
	* 1 : -8, // Algorithm : EdDSA		* 1 : AlgorithmEdDSA / AlgorithmES256, // Algorithm
	* },		* },
	* bstr .cbor SignedMacAad		* bstr .cbor SignedMacAad
	* bstr .size 32 // MAC key		* bstr .size 32 // MAC key
	@@ -97,11 +107,14 @@ parcelable ProtectedData {
	*		*
	* SignedMacAad = [		* SignedMacAad = [
	* challenge : bstr,		* challenge : bstr,
	* DeviceInfo		* VerifiedDeviceInfo,
			* tag: bstr // This is the tag from COSE_Mac0 of
			* // KeysToCertify, to tie the key set to
			* // the signature.
	* ]		* ]
	*		*
	* Bcc = [		* Bcc = [
	* PubKey, // DK_pub		* PubKeyEd25519 / PubKeyECDSA256, // DK_pub
	* + BccEntry, // Root -> leaf (KM_pub)		* + BccEntry, // Root -> leaf (KM_pub)
	* ]		* ]
	*		*
	@@ -120,44 +133,38 @@ parcelable ProtectedData {
	* ? -4670549 : bstr, // Authority Hash		* ? -4670549 : bstr, // Authority Hash
	* ? -4670550 : bstr, // Authority Descriptor		* ? -4670550 : bstr, // Authority Descriptor
	* ? -4670551 : bstr, // Mode		* ? -4670551 : bstr, // Mode
	* -4670552 : bstr .cbor PubKey // Subject Public Key		* -4670552 : bstr .cbor PubKeyEd25519 /
			* bstr .cbor PubKeyECDSA256 // Subject Public Key
	* -4670553 : bstr // Key Usage		* -4670553 : bstr // Key Usage
	* }		* }
	*		*
	* BccEntry = [ // COSE_Sign1		* BccEntry = [ // COSE_Sign1 (untagged)
	* protected : bstr .cbor {		* protected : bstr .cbor {
	* 1 : -8, // Algorithm : EdDSA		* 1 : AlgorithmEdDSA / AlgorithmES256, // Algorithm
	* },		* },
	* unprotected: {},		* unprotected: {},
	* payload: bstr .cbor BccPayload,		* payload: bstr .cbor BccPayload,
	* // First entry in the chain is signed by DK_pub, the others are each signed by their		* signature: bstr .cbor PureEd25519(SigningKey, bstr .cbor BccEntryInput) /
	* // immediate predecessor. See RFC 8032 for signature representation.		* bstr .cbor ECDSA(SigningKey, bstr .cbor BccEntryInput)
	* signature: bstr .cbor PureEd25519(SigningKey, bstr .cbor BccEntryInput)		* // See RFC 8032 for details of how to encode the signature value for Ed25519.
	* ]		* ]
	*		*
	* PubKey = { // COSE_Key
	* 1 : 1, // Key type : octet key pair
	* 3 : -8, // Algorithm : EdDSA
	* 4 : 2, // Ops: Verify
	* -1 : 6, // Curve : Ed25519
	* -2 : bstr // X coordinate, little-endian
	* }
	*
	* BccEntryInput = [		* BccEntryInput = [
	* context: "Signature1",		* context: "Signature1",
	* protected: bstr .cbor {		* protected: bstr .cbor {
	* 1 : -8, // Algorithm : EdDSA		* 1 : AlgorithmEdDSA / AlgorithmES256, // Algorithm
	* },		* },
	* external_aad: bstr .size 0,		* external_aad: bstr .size 0,
	* payload: bstr .cbor BccPayload		* payload: bstr .cbor BccPayload
	* ]		* ]
	*		*
	* DeviceInfo = {		* VerifiedDeviceInfo = {
	* ? "brand" : tstr,		* ? "brand" : tstr,
	* ? "manufacturer" : tstr,		* ? "manufacturer" : tstr,
	* ? "product" : tstr,		* ? "product" : tstr,
	* ? "model" : tstr,		* ? "model" : tstr,
	* ? "board" : tstr,		* ? "board" : tstr,
			* ? "device" : tstr,
	* ? "vb_state" : "green" / "yellow" / "orange",		* ? "vb_state" : "green" / "yellow" / "orange",
	* ? "bootloader_state" : "locked" / "unlocked",		* ? "bootloader_state" : "locked" / "unlocked",
	* ? "os_version" : tstr,		* ? "os_version" : tstr,
	@@ -165,6 +172,39 @@ parcelable ProtectedData {
	* ? "boot_patch_level" : uint, // YYYYMMDD		* ? "boot_patch_level" : uint, // YYYYMMDD
	* ? "vendor_patch_level" : uint, // YYYYMMDD		* ? "vendor_patch_level" : uint, // YYYYMMDD
	* }		* }
			*
			* PubKeyX25519 = { // COSE_Key
			* 1 : 1, // Key type : Octet Key Pair
			* -1 : 4, // Curve : X25519
			* -2 : bstr // Sender X25519 public key
			* }
			*
			* PubKeyEd25519 = { // COSE_Key
			* 1 : 1, // Key type : octet key pair
			* 3 : AlgorithmEdDSA, // Algorithm : EdDSA
			* 4 : 2, // Ops: Verify
			* -1 : 6, // Curve : Ed25519
			* -2 : bstr // X coordinate, little-endian
			* }
			*
			* PubKeyEcdhP256 = { // COSE_Key
			* 1 : 2, // Key type : EC2
			* -1 : 1, // Curve : P256
			* -2 : bstr // Sender X coordinate
			* -3 : bstr // Sender Y coordinate
			* }
			*
			* PubKeyECDSA256 = { // COSE_Key
			* 1 : 2, // Key type : EC2
			* 3 : AlgorithmES256, // Algorithm : ECDSA w/ SHA-256
			* 4 : 2, // Ops: Verify
			* -1 : 1, // Curve: P256
			* -2 : bstr, // X coordinate
			* -3 : bstr // Y coordinate
			* }
			*
			* AlgorithmES256 = -7
			* AlgorithmEdDSA = -8
	*/		*/
	byte[] protectedData;		byte[] protectedData;
	}		}