Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit 71a28b72 authored by Treehugger Robot's avatar Treehugger Robot Committed by Automerger Merge Worker
Browse files

Merge "Add new SecurityLevel::KEYSTORE" am: 06e5b50f am: e8302feb am: d245a5b9 

Original change: https://android-review.googlesource.com/c/platform/hardware/interfaces/+/1551234

MUST ONLY BE SUBMITTED BY AUTOMERGER

Change-Id: I59e8f1e3690b1fe8c33889831400cb04776934f1
parents b0b0665f d245a5b9

security/keymint/aidl/aidl_api/android.hardware.security.keymint/current/android/hardware/security/keymint/SecurityLevel.aidl

+1 −0
Original line number Diff line number Diff line
@@ -36,4 +36,5 @@ enum SecurityLevel { 
  SOFTWARE = 0,

  TRUSTED_ENVIRONMENT = 1,

  STRONGBOX = 2,

  KEYSTORE = 100,

}

security/keymint/aidl/android/hardware/security/keymint/KeyCreationResult.aidl

+3 −1
Original line number Diff line number Diff line
@@ -36,7 +36,6 @@ parcelable KeyCreationResult { 
     * deciding whether a given tag from `keyParams` argument to the generation/import method should

     * be returned in `keyCharacteristics` are:

     *

     * - If the IKeyMintDevice cannot fully enforce the semantics of the tag, it should be omitted.

     * - If the semantics of the tag are fully enforced by the IKeyMintDevice, without any

     *   assistance from components running at other security levels, it should be included in an

     *   entry with the SecurityLevel of the IKeyMintDevice.
@@ -45,6 +44,9 @@ parcelable KeyCreationResult { 
     *   SecurityLevel of the involved components.  For example if a StrongBox IKeyMintDevice relies

     *   on a TEE to validate biometric authentication, biometric authentication tags go in an entry

     *   with SecurityLevel::TRUSTED_ENVIRONMENT.

     * - If the semantics are not enforced by KeyMint at all, SecurityLevel::KEYSTORE is used to

     *   indicate that Keystore should enforce.  Note that in Keymaster (predecessor to KeyMint),

     *   these tags would have been in SecurityLevel::SOFTWARE.

     */

    KeyCharacteristics[] keyCharacteristics;

security/keymint/aidl/android/hardware/security/keymint/SecurityLevel.aidl

+46 −3
Original line number Diff line number Diff line
@@ -17,16 +17,59 @@ 
package android.hardware.security.keymint;



/**

 * Device security levels.

 * Device security levels.  These enum values are used in two ways:

 *

 * 1.  Returned from IKeyMintDevice::getHardwareInfo to identify the security level of the

 *     IKeyMintDevice.  This characterizes the sort of environment in which the KeyMint

 *     implementation runs, and therefore the security of its operations.

 *

 * 2.  Associated with individual KeyMint authorization Tags in KeyCharacteristics or in attestation

 *     certificates.  This specifies the security level of the weakest environment involved in

 *     enforcing that particular tag, i.e. the sort of security environment an attacker would have

 *     to subvert in order to break the enforcement of that tag.

 */

@VintfStability

@Backing(type="int")

enum SecurityLevel {

    /**

     * The SOFTWARE security level represents a KeyMint implementation that runs in an Android

     * process, or a tag enforced by such an implementation.  An attacker who can compromise that

     * process, or obtain root, or subvert the kernel on the device can defeat it.

     *

     * Note that the distinction between SOFTWARE and KEYSTORE is only relevant on-device.  For

     * attestation purposes, these categories are combined into the software-enforced authorization

     * list.

     */

    SOFTWARE = 0,



    /**

     * The TRUSTED_ENVIRONMENT security level represents a KeyMint implementation that runs in an

     * Android process, or a tag enforced by such an implementation.  An attacker who completely

     * compromises Android, including the Linux kernel, does not have the ability to subvert it.  At

     * attacker who can find an exploit that gains them control of the trusted environment, or who

     * has access to the physical device and can mount a sophisticated hardware attack, may be able

     * to defeat it.

     */

    TRUSTED_ENVIRONMENT = 1,

    /**

     * STRONGBOX specifies that the secure hardware satisfies the requirements specified in CDD

     * 9.11.2.

     * The STRONGBOX security level represents a KeyMint implementation that runs in security

     * hardware that satisfies the requirements specified in CDD 9.11.2.  Roughly speaking, these

     * are discrete, security-focus computing environments that are hardened against physical and

     * side channel attack, and have had their security formally validated by a competent

     * penetration testing lab.

     */

    STRONGBOX = 2,



    /**

     * KeyMint implementations must never return the KEYSTORE security level from getHardwareInfo.

     * It is used to specify tags that are not enforced by the IKeyMintDevice, but are instead

     * to be enforced by Keystore.  An attacker who can subvert the keystore process or gain root or

     * subvert the kernel can prevent proper enforcement of these tags.

     *

     *

     * Note that the distinction between SOFTWARE and KEYSTORE is only relevant on-device.  When

     * KeyMint generates an attestation certificate, these categories are combined into the

     * software-enforced authorization list.

     */

    KEYSTORE = 100

}