Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit 9ce5fc87 authored by David Drysdale's avatar David Drysdale Committed by Automerger Merge Worker
Browse files

Merge "Clarify requirement for ECDH functionality" into main am: 81f075b2 

Original change: https://android-review.googlesource.com/c/platform/hardware/interfaces/+/3444768



Change-Id: I8a9fdaeaa3eee9320a6ebd26f9561715a6c2024b
Signed-off-by: default avatarAutomerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
parents 2c955711 81f075b2

security/keymint/aidl/android/hardware/security/keymint/IKeyMintDevice.aidl

+14 −12
Original line number Diff line number Diff line
@@ -87,12 +87,14 @@ import android.hardware.security.secureclock.TimeStampToken; 
 *        SHA-2 256.

 *      - Unpadded, RSAES-OAEP and RSAES-PKCS1-v1_5 padding modes for RSA encryption.

 *

 * o   ECDSA

 * o   ECDSA and ECDH

 *

 *      - IKeyMintDevices must support elliptic curve signing (Purpose::SIGN, Purpose::ATTEST_KEY)

 *        and key agreement operations (Purpose::AGREE_KEY).

 *      - TRUSTED_ENVIRONMENT IKeyMintDevices must support NIST curves P-224, P-256, P-384 and

 *        P-521.  STRONGBOX IKeyMintDevices must support NIST curve P-256.

 *      - TRUSTED_ENVIRONMENT IKeyMintDevices must support SHA1, SHA-2 224, SHA-2 256, SHA-2

 *        384 and SHA-2 512 digest modes.  STRONGBOX IKeyMintDevices must support SHA-2 256.

 *      - For signing, TRUSTED_ENVIRONMENT IKeyMintDevices must support SHA1, SHA-2 224, SHA-2 256,

 *        SHA-2 384 and SHA-2 512 digest modes.  STRONGBOX IKeyMintDevices must support SHA-2 256.

 *      - TRUSTED_ENVRIONMENT IKeyMintDevices must support curve 25519 for Purpose::SIGN (Ed25519,

 *        as specified in RFC 8032), Purpose::ATTEST_KEY (Ed25519) or for KeyPurpose::AGREE_KEY

 *        (X25519, as specified in RFC 7748).  However, a key must have exactly one of these
@@ -302,12 +304,12 @@ interface IKeyMintDevice { 
     *   PaddingMode::RSA_OAEP, PaddingMode::RSA_PSS, PaddingMode::RSA_PKCS1_1_5_ENCRYPT and

     *   PaddingMode::RSA_PKCS1_1_5_SIGN for RSA keys.

     *

     * == ECDSA Keys ==

     * == ECDSA/ECDH Keys ==

     *

     * Tag::EC_CURVE must be provided to generate an ECDSA key.  If it is not provided, generateKey

     * must return ErrorCode::UNSUPPORTED_KEY_SIZE or ErrorCode::UNSUPPORTED_EC_CURVE. TEE

     * IKeyMintDevice implementations must support all required curves.  StrongBox implementations

     * must support P_256 and no other curves.

     * Tag::EC_CURVE must be provided to generate an elliptic curve key.  If it is not provided,

     * generateKey must return ErrorCode::UNSUPPORTED_KEY_SIZE or ErrorCode::UNSUPPORTED_EC_CURVE.

     * TEE IKeyMintDevice implementations must support all required curves.  StrongBox

     * implementations must support P_256 and no other curves.

     *

     * Tag::CERTIFICATE_NOT_BEFORE and Tag::CERTIFICATE_NOT_AFTER must be provided to specify the

     * valid date range for the returned X.509 certificate holding the public key. If omitted,
@@ -318,10 +320,10 @@ interface IKeyMintDevice { 
     * than one purpose should be rejected with ErrorCode::INCOMPATIBLE_PURPOSE.

     * StrongBox implementation do not support CURVE_25519.

     *

     * Tag::DIGEST specifies digest algorithms that may be used with the new key.  TEE

     * IKeyMintDevice implementations must support all Digest values (see Digest.aidl) for ECDSA

     * keys; Ed25519 keys only support Digest::NONE. StrongBox IKeyMintDevice implementations must

     * support SHA_2_256.

     * Tag::DIGEST specifies digest algorithms that may be used with the new key when used for

     * signing.  TEE IKeyMintDevice implementations must support all Digest values (see Digest.aidl)

     * for ECDSA keys; Ed25519 keys only support Digest::NONE. StrongBox IKeyMintDevice

     * implementations must support SHA_2_256.

     *

     * == AES Keys ==

     *