Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit 5d301317 authored Jan 28, 2021 by Paul Crowley

Add MAX_BOOT_LEVEL tag, BOOT_LEVEL_EXCEEDED error

A key with the MAX_BOOT_LEVEL tag cannot be used past a particular
stage of device boot.

Test: Treehugger
Bug: 176450483
Change-Id: I113e3101734736a8621a01ed85969a4ecbe12a68

parent 8bfd260e

security/keymint/aidl/aidl_api/android.hardware.security.keymint/current/android/hardware/security/keymint/ErrorCode.aidl

+1 −0

Original line number	Original line	Diff line number	Diff line
	@@ -115,6 +115,7 @@ enum ErrorCode {
	MISSING_NOT_AFTER = -81,		MISSING_NOT_AFTER = -81,
	MISSING_ISSUER_SUBJECT = -82,		MISSING_ISSUER_SUBJECT = -82,
	INVALID_ISSUER_SUBJECT = -83,		INVALID_ISSUER_SUBJECT = -83,
			BOOT_LEVEL_EXCEEDED = -84,
	UNIMPLEMENTED = -100,		UNIMPLEMENTED = -100,
	VERSION_MISMATCH = -101,		VERSION_MISMATCH = -101,
	UNKNOWN_ERROR = -1000,		UNKNOWN_ERROR = -1000,

security/keymint/aidl/aidl_api/android.hardware.security.keymint/current/android/hardware/security/keymint/Tag.aidl

+1 −0

Original line number	Original line	Diff line number	Diff line
	@@ -98,4 +98,5 @@ enum Tag {
	CERTIFICATE_SUBJECT = -1879047185,		CERTIFICATE_SUBJECT = -1879047185,
	CERTIFICATE_NOT_BEFORE = 1610613744,		CERTIFICATE_NOT_BEFORE = 1610613744,
	CERTIFICATE_NOT_AFTER = 1610613745,		CERTIFICATE_NOT_AFTER = 1610613745,
			MAX_BOOT_LEVEL = 805307378,
	}		}

security/keymint/aidl/android/hardware/security/keymint/ErrorCode.aidl

+1 −0

Original line number	Original line	Diff line number	Diff line
	@@ -105,6 +105,7 @@ enum ErrorCode {
	MISSING_NOT_AFTER = -81,		MISSING_NOT_AFTER = -81,
	MISSING_ISSUER_SUBJECT = -82,		MISSING_ISSUER_SUBJECT = -82,
	INVALID_ISSUER_SUBJECT = -83,		INVALID_ISSUER_SUBJECT = -83,
			BOOT_LEVEL_EXCEEDED = -84,

	UNIMPLEMENTED = -100,		UNIMPLEMENTED = -100,
	VERSION_MISMATCH = -101,		VERSION_MISMATCH = -101,

security/keymint/aidl/android/hardware/security/keymint/Tag.aidl

+11 −0

Original line number	Original line	Diff line number	Diff line
	@@ -964,4 +964,15 @@ enum Tag {
	* or importKey.		* or importKey.
	*/		*/
	CERTIFICATE_NOT_AFTER = (6 << 28) /* TagType:DATE */ \| 1009,		CERTIFICATE_NOT_AFTER = (6 << 28) /* TagType:DATE */ \| 1009,

			/**
			* Tag::MAX_BOOT_LEVEL specifies a maximum boot level at which a key should function.
			*
			* Over the course of the init process, the boot level will be raised to
			* monotonically increasing integer values. Implementations MUST NOT allow the key
			* to be used once the boot level advances beyond the value of this tag.
			*
			* Cannot be hardware enforced in this version.
			*/
			MAX_BOOT_LEVEL = (3 << 28) /* TagType:UINT */ \| 1010,
	}		}

security/keymint/support/include/keymint_support/keymint_tags.h

+1 −0

Original line number	Original line	Diff line number	Diff line
	@@ -130,6 +130,7 @@ DECLARE_TYPED_TAG(CERTIFICATE_SERIAL);
	DECLARE_TYPED_TAG(CERTIFICATE_SUBJECT);		DECLARE_TYPED_TAG(CERTIFICATE_SUBJECT);
	DECLARE_TYPED_TAG(CERTIFICATE_NOT_BEFORE);		DECLARE_TYPED_TAG(CERTIFICATE_NOT_BEFORE);
	DECLARE_TYPED_TAG(CERTIFICATE_NOT_AFTER);		DECLARE_TYPED_TAG(CERTIFICATE_NOT_AFTER);
			DECLARE_TYPED_TAG(MAX_BOOT_LEVEL);

	#undef DECLARE_TYPED_TAG		#undef DECLARE_TYPED_TAG