Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit 690919a5 authored by Keith Mok's avatar Keith Mok
Browse files

Define MACsec HAL and ref impl 

Add MACsec HAL interface and reference implementation.
This allow OEM to store MACsec PSK key in secure storage and provide
functions to use that key,

Bug: 254108688
Test: atest VtsHalMacsecPSKPluginV1_0Test
Change-Id: Iecfe4828839a1dab81989bf9b178ae41c6f46b82
parent 59414af0

compatibility_matrices/compatibility_matrix.9.xml

+8 −0
Original line number Diff line number Diff line
@@ -84,6 +84,14 @@ 
            <regex-instance>[a-z]+/[0-9]+</regex-instance>

        </interface>

    </hal>

    <hal format="aidl" optional="true">

        <name>android.hardware.macsec</name>

        <version>1</version>

        <interface>

            <name>IMacsecPskPlugin</name>

            <instance>default</instance>

        </interface>

    </hal>

    <hal format="aidl" optional="true">

        <name>android.hardware.automotive.occupant_awareness</name>

        <version>1</version>

macsec/OWNERS

0 → 100644
+1 −0
Original line number Diff line number Diff line 
keithmok@google.com

macsec/aidl/Android.bp

0 → 100644
+40 −0
Original line number Diff line number Diff line 
//

// Copyright (C) 2023 The Android Open Source Project

//

// Licensed under the Apache License, Version 2.0 (the "License");

// you may not use this file except in compliance with the License.

// You may obtain a copy of the License at

//

//      http://www.apache.org/licenses/LICENSE-2.0

//

// Unless required by applicable law or agreed to in writing, software

// distributed under the License is distributed on an "AS IS" BASIS,

// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.

// See the License for the specific language governing permissions and

// limitations under the License.

//



package {

    // See: http://go/android-license-faq

    // A large-scale-change added 'default_applicable_licenses' to import

    // all of the 'license_kinds' from "hardware_interfaces_license"

    // to get the below license kinds:

    //   SPDX-license-identifier-Apache-2.0

    default_applicable_licenses: ["hardware_interfaces_license"],

}



aidl_interface {

    name: "android.hardware.macsec",

    vendor_available: true,

    srcs: ["android/hardware/macsec/*.aidl"],

    stability: "vintf",

    host_supported: true,

    backend: {

        java: {

            enabled: false,

        },

        rust: {

            enabled: false,

        },

    },

}

macsec/aidl/aidl_api/android.hardware.macsec/current/android/hardware/macsec/IMacsecPskPlugin.aidl

0 → 100644
+80 −0
Original line number Diff line number Diff line 
/*

 * Copyright (C) 2023 The Android Open Source Project

 *

 * Licensed under the Apache License, Version 2.0 (the "License");

 * you may not use this file except in compliance with the License.

 * You may obtain a copy of the License at

 *

 *      http://www.apache.org/licenses/LICENSE-2.0

 *

 * Unless required by applicable law or agreed to in writing, software

 * distributed under the License is distributed on an "AS IS" BASIS,

 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.

 * See the License for the specific language governing permissions and

 * limitations under the License.

 */

package android.hardware.macsec;



/**

 * MACSEC (IEEE 802.1AE) pre-shared key plugin for wpa_supplicant

 *

 * The goal of this service is to provide function for using the MACSEC CAK

 *

 */

@VintfStability

interface IMacsecPskPlugin {

    /**

     * For xTS test only inject a key to verify implementation correctness, not called in production

     *

     * @param keyId is key id to add

     * @param Connectivity Association Keys (CAK) to set

     * @param Connectivity Association Key Name (CKN) to set

     *

     */

    void addTestKey(in byte[] keyId, in byte[] CAK, in byte[] CKN);



    /**

     * Use ICV key do AES CMAC

     * same as ieee802_1x_icv_aes_cmac in wpa_supplicant

     *

     * @param keyId is key id to be used for AES CMAC

     * @param data, a data pointer to the buffer for calculate the ICV

     *

     * @return Integrity check value (ICV).

     */

    byte[] calcIcv(in byte[] keyId, in byte[] data);



    /**

     * KDF with CAK key to generate Secure Association Key (SAK)

     * same as ieee802_1x_sak_aes_cmac in wpa_supplicant

     *

     * @param keyId is key id to be used for KDF

     * @param data is key seed (random number)

     * @param sakLength generated SAK length (16 or 32)

     *

     * @return Secure Association Key (SAK).

     */

    byte[] generateSak(in byte[] keyId, in byte[] data, in int sakLength);



    /**

     * Encrypt using KEK key, this is same as aes_wrap with kek.key in wpa_supplicant

     * which used to wrap a SAK key

     *

     * @param keyId is key id to be used for encryption

     * @param sak is the SAK key (16 or 32 bytes) to be wrapped.

     *

     * @return wrapped data using Key Encrypting Key (KEK).

     */

    byte[] wrapSak(in byte[] keyId, in byte[] sak);



    /**

     * Decrypt using KEK key, this is same as aes_unwrap with kek.key in wpa_supplicant

     * which used to unwrap a SAK key

     *

     * @param keyId is key id to be used for decryption

     * @param sak is wrapped SAK key.

     *

     * @return unwrapped data using KEK key.

     */

    byte[] unwrapSak(in byte[] keyId, in byte[] sak);

}

macsec/aidl/android/hardware/macsec/IMacsecPskPlugin.aidl

0 → 100644
+91 −0
Original line number Diff line number Diff line 
/*

 * Copyright (C) 2023 The Android Open Source Project

 *

 * Licensed under the Apache License, Version 2.0 (the "License");

 * you may not use this file except in compliance with the License.

 * You may obtain a copy of the License at

 *

 *      http://www.apache.org/licenses/LICENSE-2.0

 *

 * Unless required by applicable law or agreed to in writing, software

 * distributed under the License is distributed on an "AS IS" BASIS,

 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.

 * See the License for the specific language governing permissions and

 * limitations under the License.

 */

package android.hardware.macsec;



/**

 * MACSEC (IEEE 802.1AE) pre-shared key plugin for wpa_supplicant

 *

 * The goal of this service is to provide function for using the MACSEC CAK

 *

 */

@VintfStability

interface IMacsecPskPlugin {

    /**

     * For xTS test only inject a key to verify implementation correctness, not called in production

     *

     * @param keyId is key id to add

     * @param Connectivity Association Keys (CAK) to set

     * @param Connectivity Association Key Name (CKN) to set

     * @throws EX_ILLEGAL_ARGUMENT If CAK size is not 16 or 32 or keyID size not equals to CAK size

     */

    void addTestKey(in byte[] keyId, in byte[] CAK, in byte[] CKN);



    /**

     * Use ICV key do AES CMAC

     * same as ieee802_1x_icv_aes_cmac in wpa_supplicant

     *

     * @param keyId is key id to be used for AES CMAC

     * @param data, a data pointer to the buffer for calculate the ICV

     *

     * @return Integrity check value (ICV).

     * @throws EX_ILLEGAL_ARGUMENT If keyId does not exist

     */

    byte[] calcIcv(in byte[] keyId, in byte[] data);



    /**

     * KDF with CAK key to generate Secure Association Key (SAK)

     * same as ieee802_1x_sak_aes_cmac in wpa_supplicant

     *

     * @param keyId is key id to be used for KDF

     * @param data is key seed (random number)

     * @param sakLength generated SAK length (16 or 32)

     *

     * @return Secure Association Key (SAK).

     * @throws EX_ILLEGAL_ARGUMENT In the following cases:

     *                             - If keyId does not exist

     *                             - sakLength != 16 or 32

     *                             - data length < sakLength

     */

    byte[] generateSak(in byte[] keyId, in byte[] data, in int sakLength);



    /**

     * Encrypt using KEK key, this is same as aes_wrap with kek.key in wpa_supplicant

     * which used to wrap a SAK key

     *

     * @param keyId is key id to be used for encryption

     * @param sak is the SAK key (16 or 32 bytes) to be wrapped.

     *

     * @return wrapped data using Key Encrypting Key (KEK).

     * @throws EX_ILLEGAL_ARGUMENT In the following cases:

     *                             - If keyId does not exist

     *                             - sak size eqauls to 0 or not multiples of 8

     */

    byte[] wrapSak(in byte[] keyId, in byte[] sak);



    /**

     * Decrypt using KEK key, this is same as aes_unwrap with kek.key in wpa_supplicant

     * which used to unwrap a SAK key

     *

     * @param keyId is key id to be used for decryption

     * @param sak is wrapped SAK key.

     *

     * @return unwrapped data using KEK key.

     * @throws EX_ILLEGAL_ARGUMENT In the following cases:

     *                             - If keyId does not exist

     *                             - sak size <= 8 or not multiples of 8

     */

    byte[] unwrapSak(in byte[] keyId, in byte[] sak);

}