Add new SecurityLevel::KEYSTORE

  SOFTWARE = 0,

  SOFTWARE = 0,

  TRUSTED_ENVIRONMENT = 1,

  TRUSTED_ENVIRONMENT = 1,

  STRONGBOX = 2,

  STRONGBOX = 2,

  KEYSTORE = 100,

}

}

     * deciding whether a given tag from `keyParams` argument to the generation/import method should

     * deciding whether a given tag from `keyParams` argument to the generation/import method should

     * be returned in `keyCharacteristics` are:

     * be returned in `keyCharacteristics` are:

     *

     *

     * - If the IKeyMintDevice cannot fully enforce the semantics of the tag, it should be omitted.

     * - If the semantics of the tag are fully enforced by the IKeyMintDevice, without any

     * - If the semantics of the tag are fully enforced by the IKeyMintDevice, without any

     *   assistance from components running at other security levels, it should be included in an

     *   assistance from components running at other security levels, it should be included in an

     *   entry with the SecurityLevel of the IKeyMintDevice.

     *   entry with the SecurityLevel of the IKeyMintDevice.

     *   SecurityLevel of the involved components.  For example if a StrongBox IKeyMintDevice relies

     *   SecurityLevel of the involved components.  For example if a StrongBox IKeyMintDevice relies

     *   on a TEE to validate biometric authentication, biometric authentication tags go in an entry

     *   on a TEE to validate biometric authentication, biometric authentication tags go in an entry

     *   with SecurityLevel::TRUSTED_ENVIRONMENT.

     *   with SecurityLevel::TRUSTED_ENVIRONMENT.

     * - If the semantics are not enforced by KeyMint at all, SecurityLevel::KEYSTORE is used to

     *   indicate that Keystore should enforce.  Note that in Keymaster (predecessor to KeyMint),

     *   these tags would have been in SecurityLevel::SOFTWARE.

     */

     */

    KeyCharacteristics[] keyCharacteristics;

    KeyCharacteristics[] keyCharacteristics;

package android.hardware.security.keymint;

package android.hardware.security.keymint;

/**

/**

 * Device security levels.

 * Device security levels.  These enum values are used in two ways:

 *

 * 1.  Returned from IKeyMintDevice::getHardwareInfo to identify the security level of the

 *     IKeyMintDevice.  This characterizes the sort of environment in which the KeyMint

 *     implementation runs, and therefore the security of its operations.

 *

 * 2.  Associated with individual KeyMint authorization Tags in KeyCharacteristics or in attestation

 *     certificates.  This specifies the security level of the weakest environment involved in

 *     enforcing that particular tag, i.e. the sort of security environment an attacker would have

 *     to subvert in order to break the enforcement of that tag.

 */

 */

@VintfStability

@VintfStability

@Backing(type="int")

@Backing(type="int")

enum SecurityLevel {

enum SecurityLevel {

    /**

     * The SOFTWARE security level represents a KeyMint implementation that runs in an Android

     * process, or a tag enforced by such an implementation.  An attacker who can compromise that

     * process, or obtain root, or subvert the kernel on the device can defeat it.

     *

     * Note that the distinction between SOFTWARE and KEYSTORE is only relevant on-device.  For

     * attestation purposes, these categories are combined into the software-enforced authorization

     * list.

     */

    SOFTWARE = 0,

    SOFTWARE = 0,

    /**

     * The TRUSTED_ENVIRONMENT security level represents a KeyMint implementation that runs in an

     * Android process, or a tag enforced by such an implementation.  An attacker who completely

     * compromises Android, including the Linux kernel, does not have the ability to subvert it.  At

     * attacker who can find an exploit that gains them control of the trusted environment, or who

     * has access to the physical device and can mount a sophisticated hardware attack, may be able

     * to defeat it.

     */

    TRUSTED_ENVIRONMENT = 1,

    TRUSTED_ENVIRONMENT = 1,

    /**

    /**

     * STRONGBOX specifies that the secure hardware satisfies the requirements specified in CDD

     * The STRONGBOX security level represents a KeyMint implementation that runs in security

     * 9.11.2.

     * hardware that satisfies the requirements specified in CDD 9.11.2.  Roughly speaking, these

     * are discrete, security-focus computing environments that are hardened against physical and

     * side channel attack, and have had their security formally validated by a competent

     * penetration testing lab.

     */

     */

    STRONGBOX = 2,

    STRONGBOX = 2,

    /**

     * KeyMint implementations must never return the KEYSTORE security level from getHardwareInfo.

     * It is used to specify tags that are not enforced by the IKeyMintDevice, but are instead

     * to be enforced by Keystore.  An attacker who can subvert the keystore process or gain root or

     * subvert the kernel can prevent proper enforcement of these tags.

     *

     *

     * Note that the distinction between SOFTWARE and KEYSTORE is only relevant on-device.  When

     * KeyMint generates an attestation certificate, these categories are combined into the

     * software-enforced authorization list.

     */

    KEYSTORE = 100

}

}