Merge "rkp: pull out remaining CDDL and make compliant" into main am: 05f682fd3d (46b80f12) · Commits · e / os / android_hardware_interfaces

security/rkp/aidl/android/hardware/security/keymint/DeviceInfo.aidl

+2 −72

Original line number	Original line	Diff line number	Diff line
	@@ -32,79 +32,9 @@ parcelable DeviceInfo {
	* non-canonical to group similar entries semantically.		* non-canonical to group similar entries semantically.
	*		*
	* The DeviceInfo has changed across versions 1, 2, and 3 of the HAL. All versions of the		* The DeviceInfo has changed across versions 1, 2, and 3 of the HAL. All versions of the
	* DeviceInfo CDDL are described as follows. Please refer to the CDDL structure version		* DeviceInfo CDDL are described in the DeviceInfoV*.cddl files. Please refer to the CDDL
	* that corresponds to the HAL version you are working with:		* structure version that corresponds to the HAL version you are working with.
	*		*
	* Version 3, introduced in Android 14:
	* DeviceInfo = {
	* "brand" : tstr,
	* "manufacturer" : tstr,
	* "product" : tstr,
	* "model" : tstr,
	* "device" : tstr,
	* "vb_state" : "green" / "yellow" / "orange", ; Taken from the AVB values
	* "bootloader_state" : "locked" / "unlocked", ; Taken from the AVB values
	* "vbmeta_digest": bstr, ; Taken from the AVB values
	* ? "os_version" : tstr, ; Same as
	* ; android.os.Build.VERSION.release
	* ; Not optional for TEE.
	* "system_patch_level" : uint, ; YYYYMM, must match KeyMint OS_PATCHLEVEL
	* "boot_patch_level" : uint, ; YYYYMMDD, must match KeyMint BOOT_PATCHLEVEL
	* "vendor_patch_level" : uint, ; YYYYMMDD, must match KeyMint VENDOR_PATCHLEVEL
	* "security_level" : "tee" / "strongbox",
	* "fused": 1 / 0, ; 1 if secure boot is enforced for the processor that the IRPC
	* ; implementation is contained in. 0 otherwise.
	* }
	*
	* ---------------------------------------------------------------------------------------------
	*
	* Version 2, introduced in Android 13:
	* DeviceInfo = {
	* "brand" : tstr,
	* "manufacturer" : tstr,
	* "product" : tstr,
	* "model" : tstr,
	* "device" : tstr,
	* "vb_state" : "green" / "yellow" / "orange", ; Taken from the AVB values
	* "bootloader_state" : "locked" / "unlocked", ; Taken from the AVB values
	* "vbmeta_digest": bstr, ; Taken from the AVB values
	* ? "os_version" : tstr, ; Same as
	* ; android.os.Build.VERSION.release
	* ; Not optional for TEE.
	* "system_patch_level" : uint, ; YYYYMM, must match KeyMint OS_PATCHLEVEL
	* "boot_patch_level" : uint, ; YYYYMMDD, must match KeyMint BOOT_PATCHLEVEL
	* "vendor_patch_level" : uint, ; YYYYMMDD, must match KeyMint VENDOR_PATCHLEVEL
	* "version" : 2, ; The CDDL schema version.
	* "security_level" : "tee" / "strongbox",
	* "fused": 1 / 0, ; 1 if secure boot is enforced for the processor that the IRPC
	* ; implementation is contained in. 0 otherwise.
	*
	* ---------------------------------------------------------------------------------------------
	*
	* Version 1, introduced in Android 12:
	* DeviceInfo = {
	* ? "brand" : tstr,
	* ? "manufacturer" : tstr,
	* ? "product" : tstr,
	* ? "model" : tstr,
	* ? "board" : tstr,
	* ? "vb_state" : "green" / "yellow" / "orange", ; Taken from the AVB values
	* ? "bootloader_state" : "locked" / "unlocked", ; Taken from the AVB values
	* ? "vbmeta_digest": bstr, ; Taken from the AVB values
	* ? "os_version" : tstr, ; Same as
	* ; android.os.Build.VERSION.release
	* ? "system_patch_level" : uint, ; YYYYMM, must match KeyMint OS_PATCHLEVEL
	* ? "boot_patch_level" : uint, ; YYYYMMDD, must match KeyMint BOOT_PATCHLEVEL
	* ? "vendor_patch_level" : uint, ; YYYYMMDD, must match KeyMint VENDOR_PATCHLEVEL
	* "version" : 1, ; The CDDL schema version.
	* "security_level" : "tee" / "strongbox"
	* "att_id_state": "locked" / "open", ; Attestation IDs State. If "locked", this
	* ; indicates a device's attestable IDs are
	* ; factory-locked and immutable. If "open",
	* ; this indicates the device is still in a
	* ; provisionable state and the attestable IDs
	* ; are not yet frozen.
	* }
	*/		*/
	byte[] deviceInfo;		byte[] deviceInfo;
	}		}

security/rkp/aidl/android/hardware/security/keymint/DeviceInfoV1.cddl

0 → 100644

+24 −0

Original line number	Original line	Diff line number	Diff line
			; Version 1, introduced in Android 12:
			DeviceInfo = {
			? "brand" : tstr,
			? "manufacturer" : tstr,
			? "product" : tstr,
			? "model" : tstr,
			? "board" : tstr,
			? "vb_state" : "green" / "yellow" / "orange", ; Taken from the AVB values
			? "bootloader_state" : "locked" / "unlocked", ; Taken from the AVB values
			? "vbmeta_digest": bstr, ; Taken from the AVB values
			? "os_version" : tstr, ; Same as
			; android.os.Build.VERSION.release
			? "system_patch_level" : uint, ; YYYYMM, must match KeyMint OS_PATCHLEVEL
			? "boot_patch_level" : uint, ; YYYYMMDD, must match KeyMint BOOT_PATCHLEVEL
			? "vendor_patch_level" : uint, ; YYYYMMDD, must match KeyMint VENDOR_PATCHLEVEL
			"version" : 1, ; The CDDL schema version.
			"security_level" : "tee" / "strongbox"
			"att_id_state": "locked" / "open", ; Attestation IDs State. If "locked", this
			; indicates a device's attestable IDs are
			; factory-locked and immutable. If "open",
			; this indicates the device is still in a
			; provisionable state and the attestable IDs
			; are not yet frozen.
			}

security/rkp/aidl/android/hardware/security/keymint/DeviceInfoV2.cddl

0 → 100644

+21 −0

Original line number	Original line	Diff line number	Diff line
			; Version 2, introduced in Android 13:
			DeviceInfo = {
			"brand" : tstr,
			"manufacturer" : tstr,
			"product" : tstr,
			"model" : tstr,
			"device" : tstr,
			"vb_state" : "green" / "yellow" / "orange", ; Taken from the AVB values
			"bootloader_state" : "locked" / "unlocked", ; Taken from the AVB values
			"vbmeta_digest": bstr, ; Taken from the AVB values
			? "os_version" : tstr, ; Same as
			; android.os.Build.VERSION.release
			; Not optional for TEE.
			"system_patch_level" : uint, ; YYYYMM, must match KeyMint OS_PATCHLEVEL
			"boot_patch_level" : uint, ; YYYYMMDD, must match KeyMint BOOT_PATCHLEVEL
			"vendor_patch_level" : uint, ; YYYYMMDD, must match KeyMint VENDOR_PATCHLEVEL
			"version" : 2, ; The CDDL schema version.
			"security_level" : "tee" / "strongbox",
			"fused": 1 / 0, ; 1 if secure boot is enforced for the processor that the IRPC
			; implementation is contained in. 0 otherwise.
			}
			No newline at end of file

security/rkp/aidl/android/hardware/security/keymint/DeviceInfoV3.cddl

0 → 100644

+20 −0

Original line number	Original line	Diff line number	Diff line
			; Version 3, introduced in Android 14:
			DeviceInfo = {
			"brand" : tstr,
			"manufacturer" : tstr,
			"product" : tstr,
			"model" : tstr,
			"device" : tstr,
			"vb_state" : "green" / "yellow" / "orange", ; Taken from the AVB values
			"bootloader_state" : "locked" / "unlocked", ; Taken from the AVB values
			"vbmeta_digest": bstr, ; Taken from the AVB values
			? "os_version" : tstr, ; Same as
			; android.os.Build.VERSION.release
			; Not optional for TEE.
			"system_patch_level" : uint, ; YYYYMM, must match KeyMint OS_PATCHLEVEL
			"boot_patch_level" : uint, ; YYYYMMDD, must match KeyMint BOOT_PATCHLEVEL
			"vendor_patch_level" : uint, ; YYYYMMDD, must match KeyMint VENDOR_PATCHLEVEL
			"security_level" : "tee" / "strongbox",
			"fused": 1 / 0, ; 1 if secure boot is enforced for the processor that the IRPC
			; implementation is contained in. 0 otherwise.
			}

security/rkp/aidl/android/hardware/security/keymint/MacedPublicKey.aidl

+1 −26

Original line number	Original line	Diff line number	Diff line
	@@ -28,33 +28,8 @@ parcelable MacedPublicKey {
	* only to the secure environment, as proof that the public key was generated by that		* only to the secure environment, as proof that the public key was generated by that
	* environment. In CDDL, assuming the contained key is a P-256 public key:		* environment. In CDDL, assuming the contained key is a P-256 public key:
	*		*
	* MacedPublicKey = [ ; COSE_Mac0		* See MacedPublicKey.cddl for CDDL definition.
	* protected: bstr .cbor { 1 : 5}, ; Algorithm : HMAC-256
	* unprotected: { },
	* payload : bstr .cbor PublicKey,
	* tag : bstr HMAC-256(K_mac, MAC_structure)
	* ]
	*		*
	* ; NOTE: -70000 is deprecated for v3 HAL implementations.
	* ; NOTE: Integer encoding is different for Ed25519 and P256 keys:
	* ; - Ed25519 is LE: https://www.rfc-editor.org/rfc/rfc8032#section-3.1
	* ; - P256 is BE: https://www.secg.org/sec1-v2.pdf#page=19 (section 2.3.7)
	* PublicKey = { ; COSE_Key
	* 1 : 2, ; Key type : EC2
	* 3 : -7, ; Algorithm : ES256
	* -1 : 1, ; Curve : P256
	* -2 : bstr, ; X coordinate, big-endian
	* -3 : bstr, ; Y coordinate, big-endian
	* -70000 : nil ; Presence indicates this is a test key. If set, K_mac is
	* ; all zeros.
	* },
	*
	* MAC_structure = [
	* context : "MAC0",
	* protected : bstr .cbor { 1 : 5 },
	* external_aad : bstr .size 0,
	* payload : bstr .cbor PublicKey
	* ]
	*/		*/
	byte[] macedKey;		byte[] macedKey;
	}		}