Loading security/rkp/CHANGELOG.md +6 −1 Original line number Diff line number Diff line Loading @@ -27,7 +27,7 @@ This document provides an exact description of which changes have occurred in th `"android.hardward.security.keymint"`). * ProtectedData has been removed. * DeviceInfo * `version` has moved to a top-level field within the CSR generated by the HAL * `version` has moved to a top-level field within the CSR generated by the HAL. * IRemotelyProvisionedComponent * The need for an EEK has been removed. There is no longer an encrypted portion of the CSR. * Test mode has been removed. Loading @@ -36,5 +36,10 @@ This document provides an exact description of which changes have occurred in th * the chain of signing, MACing, and encryption operations has been replaced with a single COSE_Sign1 object. * CertificateType has been added to identify the type of certificate being requested. * The structure has been composed to enable a clear split between what is required to validate a payload and the implementation-defined payload itself. This is done by creating a typed `AuthenticatedRequest<T>` object representing the top level data required to authenticate the data provided in the payload, `T`. * RpcHardwareInfo * `supportedNumKeysInCsr` added to report the maximum number of keys supported in a CSR. * `supportedEekCurve` is no longer used, due to the removal of the EEK from the scheme. security/rkp/aidl/android/hardware/security/keymint/IRemotelyProvisionedComponent.aidl +6 −6 Original line number Diff line number Diff line Loading 
@@ -345,20 +345,20 @@ interface IRemotelyProvisionedComponent { * ] * * ; COSE_Sign1 (untagged) * SignedData<T> = [ * SignedData<Data> = [ * protected: bstr .cbor { 1 : AlgorithmEdDSA / AlgorithmES256 }, * unprotected: {}, * payload: bstr .cbor T / nil, * signature: bstr ; PureEd25519(CDI_Leaf_Priv, bstr .cbor SignedDataSigStruct<T>) / * ; ECDSA(CDI_Leaf_Priv, bstr .cbor SignedDataSigStruct<T>) * payload: bstr .cbor Data / nil, * signature: bstr ; PureEd25519(CDI_Leaf_Priv, bstr .cbor SignedDataSigStruct<Data>) / * ; ECDSA(CDI_Leaf_Priv, bstr .cbor SignedDataSigStruct<Data>) * ] * * ; Sig_structure for SignedData * SignedDataSigStruct<T> = [ * SignedDataSigStruct<Data> = [ * context: "Signature1", * protected: bstr .cbor { 1 : AlgorithmEdDSA / AlgorithmES256 }, * external_aad: bstr .size 0, * payload: bstr .cbor T * payload: bstr .cbor Data / nil, * ] * * ; UdsCerts allows the platform to provide additional certifications for the UDS_Pub. For Loading security/rkp/aidl/android/hardware/security/keymint/RpcHardwareInfo.aidl +6 −3 Original line number Diff line number Diff line Loading @@ -29,9 +29,9 @@ parcelable RpcHardwareInfo { const int CURVE_25519 = 2; /** * Implementation version of the remotely provisioned component hardware. The version number is * implementation defined, and not necessarily globally meaningful. The version is used to * distinguish between different versions of a given implementation. * Implementation version of the remotely provisioned component hardware. The version provided * here must match the version reported in the CsrPayload produced by the HAL interface. This * field primarily acts as a convenience for the system components interacting with the HALs. */ int versionNumber; Loading 
@@ -43,6 +43,9 @@ parcelable RpcHardwareInfo { @utf8InCpp String rpcAuthorName; /** * NOTE: This field is no longer used as of version 3 of the HAL interface. This is because the * Endpoint Encryption Key is no longer used in the provisioning scheme. * * supportedEekCurve returns an int representing which curve is supported for validating * signatures over the Endpoint Encryption Key certificate chain and for using the corresponding * signed encryption key in ECDH. Only one curve should be supported, with preference for 25519 Loading Loading
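Review bot: the `"android.hardward.security.keymint"` in the leading context line of the CHANGELOG @@ -27,7 hunk misspells the package (`hardward` for `hardware`); since this hunk already edits the same paragraph to add the trailing period on the `version` bullet, fix the package name in the same change so the changelog names the real interface package.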
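Review bot: in the CHANGELOG @@ -36,5 hunk the new `supportedNumKeysInCsr` bullet documents a field that none of the RpcHardwareInfo.aidl hunks in this change add or reference; either the field is introduced in a separate change and the bullet should say so, or the AIDL change is missing from this patch. The `supportedEekCurve` bullet should also state that clients must ignore the field for version 3 HALs, rather than only "is no longer used", because the field stays in the parcelable and keeps its description.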
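Review bot: in the IRemotelyProvisionedComponent.aidl @@ -345,20 hunk, changing the Sig_structure line to `payload: bstr .cbor Data / nil,` is a semantic change buried in what otherwise reads as a rename of `T` to `Data`, and it does not match the COSE definition of Sig_structure (RFC 9052, section 4.4), where the payload slot is always a bstr: when a COSE_Sign1 carries a nil (detached) payload, the application supplies the actual payload bytes to the signing input, it does not sign `nil`. As written, a signer could sign the CBOR simple value `nil` while a verifier rebuilds Sig_structure from the detached bytes, and the two would never agree. Either keep `payload: bstr .cbor Data` in `SignedDataSigStruct<Data>` and state that a nil `SignedData` payload is supplied out of band, or spell out exactly which bytes are signed when the payload is nil; in both cases add the change to the CHANGELOG entry for the CSR structure.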
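Review bot: the RpcHardwareInfo.aidl @@ -29,9 hunk makes `versionNumber` "must match the version reported in the CsrPayload" a hard requirement but says nothing about what a caller does on mismatch or who enforces it; add one sentence naming the consequence (for example, that the system treats a mismatch as an implementation error and that the VTS tests check the two values agree). Without it, the "convenience" wording invites system components to trust this unsigned field instead of the version carried inside the signed CsrPayload, which is the value that can actually be authenticated.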
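Review bot: the NOTE prepended to `supportedEekCurve` in the RpcHardwareInfo.aidl @@ -43,6 hunk says the field is unused as of version 3, but the original text below it ("Only one curve should be supported, with preference for 25519") still stands, so a version 3 implementer has no instruction on what to report; add a sentence specifying the required value for version 3 and later (the parcelable's existing no-curve constant, `CURVE_NONE`, is the natural choice) and that clients must ignore the field for those versions, so a stale `CURVE_25519` cannot be read as support for the removed EEK scheme.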