Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit b5b69f0e authored by Seth Moore's avatar Seth Moore
Browse files

Add remote key provisioning to the IC HAL 

The IIdentityCredentialStore can now advertise the correct
IRemotelyProvisionedComponent that is used for getting remotely
provisioned attestation keys.

IWritableIdentityCredential has a new method so it can accept remotely
provisioned keys.

Update the VTS tests to check the new RKP functionality.

Support RKP in the default identity cred service

Test: VtsHalIdentityTargetTest
Bug: 194696876
Change-Id: I96dcf3027e0f21790c35900ddf8cc0953bd3b1ca
parent 3200496e

identity/aidl/Android.bp

+2 −0
Original line number Diff line number Diff line
@@ -15,6 +15,7 @@ aidl_interface { 
    ],

    imports: [

        "android.hardware.keymaster",

        "android.hardware.security.keymint",

    ],

    stability: "vintf",

    backend: {
@@ -25,6 +26,7 @@ aidl_interface { 
            vndk: {

                enabled: true,

            },

            apps_enabled: false,

        },

    },

    versions: [

identity/aidl/aidl_api/android.hardware.identity/current/android/hardware/identity/HardwareInformation.aidl

+1 −0
Original line number Diff line number Diff line
@@ -39,4 +39,5 @@ parcelable HardwareInformation { 
  int dataChunkSize;

  boolean isDirectAccess;

  @utf8InCpp String[] supportedDocTypes;

  boolean isRemoteKeyProvisioningSupported = false;

}

identity/aidl/aidl_api/android.hardware.identity/current/android/hardware/identity/IIdentityCredentialStore.aidl

+1 −0
Original line number Diff line number Diff line
@@ -38,6 +38,7 @@ interface IIdentityCredentialStore { 
  android.hardware.identity.IWritableIdentityCredential createCredential(in @utf8InCpp String docType, in boolean testCredential);

  android.hardware.identity.IIdentityCredential getCredential(in android.hardware.identity.CipherSuite cipherSuite, in byte[] credentialData);

  android.hardware.identity.IPresentationSession createPresentationSession(in android.hardware.identity.CipherSuite cipherSuite);

  android.hardware.security.keymint.IRemotelyProvisionedComponent getRemotelyProvisionedComponent();

  const int STATUS_OK = 0;

  const int STATUS_FAILED = 1;

  const int STATUS_CIPHER_SUITE_NOT_SUPPORTED = 2;

identity/aidl/aidl_api/android.hardware.identity/current/android/hardware/identity/IWritableIdentityCredential.aidl

+1 −0
Original line number Diff line number Diff line
@@ -41,4 +41,5 @@ interface IWritableIdentityCredential { 
  byte[] addEntryValue(in byte[] content);

  @SuppressWarnings(value={"out-array"}) void finishAddingEntries(out byte[] credentialData, out byte[] proofOfProvisioningSignature);

  void setExpectedProofOfProvisioningSize(in int expectedProofOfProvisioningSize);

  void setRemotelyProvisionedAttestationKey(in byte[] attestationKeyBlob, in byte[] attestationCertificate);

}

identity/aidl/android/hardware/identity/HardwareInformation.aidl

+15 −0
Original line number Diff line number Diff line
@@ -51,4 +51,19 @@ parcelable HardwareInformation { 
     *

     */

    @utf8InCpp String[] supportedDocTypes;



    /**

     * isRemoteKeyProvisioningSupported indicates whether or not the underlying implementation

     * supports a remotely provisioned key for attestation or not. If this field is false, then

     * the implementation only uses a factory-installed, fixed attestation key. If this field is

     * true, then an IRemotelyProvisionedComponent is associated with the IIdentityCredentialStore,

     * and a remotely provisioned key blob may be provided for credential key attestation.

     *

     * Note that remote provisioning is not required, even when it is supported. Implementations

     * MUST use a factory-installed attestation key as a fallback for when there are no

     * remotely provisioned keys available. This behavior mirrors keystore key attestation.

     *

     * This field was added in API version 4.

     */

    boolean isRemoteKeyProvisioningSupported = false;

}