
Commit ae25b737 authored by Max Bires, committed by Automerger Merge Worker

Merge "Update IRemotelyProvisionedComponent HAL to v3" am: 26a54850

parents d95892ca 26a54850
+21 −6
@@ -6,6 +6,7 @@ This document provides an exact description of which changes have occurred in th
## Releases
* **Android S (12):** IRemotelyProvisionedComponent v1
* **Android T (13):** IRemotelyProvisionedComponent v2
* **Android U (14):** IRemotelyProvisionedComponent v3

## IRemotelyProvisionedComponent 1 -> 2
* DeviceInfo
@@ -16,3 +17,17 @@ This document provides an exact description of which changes have occurred in th
  * `device` has been added.
* RpcHardwareInfo
  * `uniqueId` String added as a field in order to differentiate IRPC instances on device.

## IRemotelyProvisionedComponent 2 -> 3
* ProtectedData has been removed.
* DeviceInfo
  * `cert_type` has been added, with values corresponding to `widevine` or `keymint`
  * `version` has moved to a top-level field within the CSR generated by the HAL
* IRemotelyProvisionedComponent
  * The need for an EEK has been removed. There is no longer an encrypted portion of the CSR.
  * Test mode has been removed.
  * The schema for the CSR itself has been significantly simplified, please see
    IRemotelyProvisionedComponent.aidl for more details.
    * Notably, the chain of signing, MACing, and encryption operations has been replaced with a single
      COSE_Sign1 object.
+2 −0
@@ -38,9 +38,11 @@ interface IRemotelyProvisionedComponent {
  android.hardware.security.keymint.RpcHardwareInfo getHardwareInfo();
  byte[] generateEcdsaP256KeyPair(in boolean testMode, out android.hardware.security.keymint.MacedPublicKey macedPublicKey);
  byte[] generateCertificateRequest(in boolean testMode, in android.hardware.security.keymint.MacedPublicKey[] keysToSign, in byte[] endpointEncryptionCertChain, in byte[] challenge, out android.hardware.security.keymint.DeviceInfo deviceInfo, out android.hardware.security.keymint.ProtectedData protectedData);
  byte[] generateCertificateRequestV2(in android.hardware.security.keymint.MacedPublicKey[] keysToSign, in byte[] challenge);
  const int STATUS_FAILED = 1;
  const int STATUS_INVALID_MAC = 2;
  const int STATUS_PRODUCTION_KEY_IN_TEST_REQUEST = 3;
  const int STATUS_TEST_KEY_IN_PRODUCTION_REQUEST = 4;
  const int STATUS_INVALID_EEK = 5;
  const int STATUS_REMOVED = 6;
}
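Review bot: `generateEcdsaP256KeyPair` and the legacy `generateCertificateRequest` still take `in boolean testMode` in the v3 surface, although the changelog in this commit says test mode has been removed. Nothing in this section says what a v3 implementation must do when a caller passes `testMode = true`, or which calls return the new `STATUS_REMOVED`. This section looks like the comment-free API snapshot, so the wording belongs in the interface's source `.aidl`, which this page does not show. If it is not already there, I would add something like `@param testMode Ignored in v3 and later.` (exact behaviour to be confirmed) and `STATUS_REMOVED: returned by methods removed in this version, e.g. generateCertificateRequest`. Leaving it implicit risks vendor implementations that diverge on whether a test-mode key can still be produced.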
+12 −12
@@ -37,19 +37,19 @@ parcelable DeviceInfo {
     *         "product" : tstr,
     *         "model" : tstr,
     *         "device" : tstr,
     *         "vb_state" : "green" / "yellow" / "orange",    // Taken from the AVB values
     *         "bootloader_state" : "locked" / "unlocked",    // Taken from the AVB values
     *         "vbmeta_digest": bstr,                         // Taken from the AVB values
     *         ? "os_version" : tstr,                         // Same as
     *                                                        // android.os.Build.VERSION.release
     *                                                        // Not optional for TEE.
     *         "system_patch_level" : uint,                   // YYYYMMDD
     *         "boot_patch_level" : uint,                     // YYYYMMDD
     *         "vendor_patch_level" : uint,                   // YYYYMMDD
     *         "version" : 2,                                 // The CDDL schema version.
     *         "vb_state" : "green" / "yellow" / "orange",    ; Taken from the AVB values
     *         "bootloader_state" : "locked" / "unlocked",    ; Taken from the AVB values
     *         "vbmeta_digest": bstr,                         ; Taken from the AVB values
     *         ? "os_version" : tstr,                         ; Same as
     *                                                        ; android.os.Build.VERSION.release
     *                                                        ; Not optional for TEE.
     *         "system_patch_level" : uint,                   ; YYYYMMDD
     *         "boot_patch_level" : uint,                     ; YYYYMMDD
     *         "vendor_patch_level" : uint,                   ; YYYYMMDD
     *         "security_level" : "tee" / "strongbox",
     *         "fused": 1 / 0,  // 1 if secure boot is enforced for the processor that the IRPC
     *                          // implementation is contained in. 0 otherwise.
     *         "fused": 1 / 0,  ; 1 if secure boot is enforced for the processor that the IRPC
     *                          ; implementation is contained in. 0 otherwise.
     *         "cert_type": "widevine" / "keymint"
     *     }
     */
    byte[] deviceInfo;
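Review bot: The new `"cert_type": "widevine" / "keymint"` entry has no `;` comment, and `"version"` is dropped from the map with no pointer to where the schema version now lives. Both matter to whoever validates this map: a parser written against v2 will look for `version` here, and the hunk does not say who sets `cert_type` or whether other values must be rejected. I would add a trailing comment such as `; Type of certificate this request is for` on `cert_type` (wording to be confirmed against the implementation). I would also add a line to the doc comment saying the version is now a top-level field of the CSR, as the changelog in this commit states. The doc comment starts above the hunk, so this may already be covered there.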