
Commit d1852a7e authored by Keith Mok's avatar Keith Mok Committed by Android (Google) Code Review

Merge "Define MACsec HAL and ref impl" into main

parents 75f96481 690919a5
+8 −0
@@ -84,6 +84,14 @@
            <regex-instance>[a-z]+/[0-9]+</regex-instance>
        </interface>
    </hal>
    <hal format="aidl" optional="true">
        <name>android.hardware.macsec</name>
        <version>1</version>
        <interface>
            <name>IMacsecPskPlugin</name>
            <instance>default</instance>
        </interface>
    </hal>
    <hal format="aidl" optional="true">
        <name>android.hardware.automotive.occupant_awareness</name>
        <version>1</version>

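--- a/macsec/OWNERS
+++ b/macsec/OWNERS
@@ -0,0 +1 @@
+keithmok@google.com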

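--- a/macsec/aidl/Android.bp
+++ b/macsec/aidl/Android.bp
@@ -0,0 +1,40 @@
+//
+// Copyright (C) 2023 The Android Open Source Project
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//      http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+//
+
+package {
+    // See: http://go/android-license-faq
+    // A large-scale-change added 'default_applicable_licenses' to import
+    // all of the 'license_kinds' from "hardware_interfaces_license"
+    // to get the below license kinds:
+    //   SPDX-license-identifier-Apache-2.0
+    default_applicable_licenses: ["hardware_interfaces_license"],
+}
+
+aidl_interface {
+    name: "android.hardware.macsec",
+    vendor_available: true,
+    srcs: ["android/hardware/macsec/*.aidl"],
+    stability: "vintf",
+    host_supported: true,
+    backend: {
+        java: {
+            enabled: false,
+        },
+        rust: {
+            enabled: false,
+        },
+    },
+}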
+80 −0
/*
 * Copyright (C) 2023 The Android Open Source Project
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 *      http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */
package android.hardware.macsec;

/**
 * MACSEC (IEEE 802.1AE) pre-shared key plugin for wpa_supplicant
 *
 * The goal of this service is to provide function for using the MACSEC CAK
 *
 */
@VintfStability
interface IMacsecPskPlugin {
    /**
     * For xTS test only inject a key to verify implementation correctness, not called in production
     *
     * @param keyId is key id to add
     * @param Connectivity Association Keys (CAK) to set
     * @param Connectivity Association Key Name (CKN) to set
     *
     */
    void addTestKey(in byte[] keyId, in byte[] CAK, in byte[] CKN);

    /**
     * Use ICV key do AES CMAC
     * same as ieee802_1x_icv_aes_cmac in wpa_supplicant
     *
     * @param keyId is key id to be used for AES CMAC
     * @param data, a data pointer to the buffer for calculate the ICV
     *
     * @return Integrity check value (ICV).
     */
    byte[] calcIcv(in byte[] keyId, in byte[] data);

    /**
     * KDF with CAK key to generate Secure Association Key (SAK)
     * same as ieee802_1x_sak_aes_cmac in wpa_supplicant
     *
     * @param keyId is key id to be used for KDF
     * @param data is key seed (random number)
     * @param sakLength generated SAK length (16 or 32)
     *
     * @return Secure Association Key (SAK).
     */
    byte[] generateSak(in byte[] keyId, in byte[] data, in int sakLength);

    /**
     * Encrypt using KEK key, this is same as aes_wrap with kek.key in wpa_supplicant
     * which used to wrap a SAK key
     *
     * @param keyId is key id to be used for encryption
     * @param sak is the SAK key (16 or 32 bytes) to be wrapped.
     *
     * @return wrapped data using Key Encrypting Key (KEK).
     */
    byte[] wrapSak(in byte[] keyId, in byte[] sak);

    /**
     * Decrypt using KEK key, this is same as aes_unwrap with kek.key in wpa_supplicant
     * which used to unwrap a SAK key
     *
     * @param keyId is key id to be used for decryption
     * @param sak is wrapped SAK key.
     *
     * @return unwrapped data using KEK key.
     */
    byte[] unwrapSak(in byte[] keyId, in byte[] sak);
}
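Review bot: `addTestKey` is documented as test-only, yet it sits on the `@VintfStability` interface beside the production methods, so nothing in the contract stops a client that can reach the service from installing a CAK/CKN of its own choosing on a production device. The doc comment should state what a production implementation must do with this call, for example `Implementations must reject this call unless the device is a debuggable/test build` (exact wording for the HAL owners to confirm), and access to the service should be limited by SELinux policy to the intended client. The second and third tags are also malformed: `@param Connectivity Association Keys (CAK) to set` names no parameter and should read `@param CAK Connectivity Association Key (CAK) to set`, with the matching `@param CKN Connectivity Association Key Name (CKN) to set`. The same points apply to the other copy of IMacsecPskPlugin shown in the next section.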
+91 −0
/*
 * Copyright (C) 2023 The Android Open Source Project
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 *      http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */
package android.hardware.macsec;

/**
 * MACSEC (IEEE 802.1AE) pre-shared key plugin for wpa_supplicant
 *
 * The goal of this service is to provide function for using the MACSEC CAK
 *
 */
@VintfStability
interface IMacsecPskPlugin {
    /**
     * For xTS test only inject a key to verify implementation correctness, not called in production
     *
     * @param keyId is key id to add
     * @param Connectivity Association Keys (CAK) to set
     * @param Connectivity Association Key Name (CKN) to set
     * @throws EX_ILLEGAL_ARGUMENT If CAK size is not 16 or 32 or keyID size not equals to CAK size
     */
    void addTestKey(in byte[] keyId, in byte[] CAK, in byte[] CKN);

    /**
     * Use ICV key do AES CMAC
     * same as ieee802_1x_icv_aes_cmac in wpa_supplicant
     *
     * @param keyId is key id to be used for AES CMAC
     * @param data, a data pointer to the buffer for calculate the ICV
     *
     * @return Integrity check value (ICV).
     * @throws EX_ILLEGAL_ARGUMENT If keyId does not exist
     */
    byte[] calcIcv(in byte[] keyId, in byte[] data);

    /**
     * KDF with CAK key to generate Secure Association Key (SAK)
     * same as ieee802_1x_sak_aes_cmac in wpa_supplicant
     *
     * @param keyId is key id to be used for KDF
     * @param data is key seed (random number)
     * @param sakLength generated SAK length (16 or 32)
     *
     * @return Secure Association Key (SAK).
     * @throws EX_ILLEGAL_ARGUMENT In the following cases:
     *                             - If keyId does not exist
     *                             - sakLength != 16 or 32
     *                             - data length < sakLength
     */
    byte[] generateSak(in byte[] keyId, in byte[] data, in int sakLength);

    /**
     * Encrypt using KEK key, this is same as aes_wrap with kek.key in wpa_supplicant
     * which used to wrap a SAK key
     *
     * @param keyId is key id to be used for encryption
     * @param sak is the SAK key (16 or 32 bytes) to be wrapped.
     *
     * @return wrapped data using Key Encrypting Key (KEK).
     * @throws EX_ILLEGAL_ARGUMENT In the following cases:
     *                             - If keyId does not exist
     *                             - sak size eqauls to 0 or not multiples of 8
     */
    byte[] wrapSak(in byte[] keyId, in byte[] sak);

    /**
     * Decrypt using KEK key, this is same as aes_unwrap with kek.key in wpa_supplicant
     * which used to unwrap a SAK key
     *
     * @param keyId is key id to be used for decryption
     * @param sak is wrapped SAK key.
     *
     * @return unwrapped data using KEK key.
     * @throws EX_ILLEGAL_ARGUMENT In the following cases:
     *                             - If keyId does not exist
     *                             - sak size <= 8 or not multiples of 8
     */
    byte[] unwrapSak(in byte[] keyId, in byte[] sak);
}
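Review bot: The documented rejection rules for `wrapSak` and `unwrapSak` are looser than both the parameter description and AES key wrap itself: `sak` is described as 16 or 32 bytes, but `sak size eqauls to 0 or not multiples of 8` lets 8, 24 or 40 bytes through, and `sak size <= 8` on the unwrap side lets a 16-byte input through, which leaves a single 64-bit block once the integrity value is removed. RFC 3394 requires at least two 64-bit blocks of key data, so the contract would be tighter as `sak size is not 16 or 32` for `wrapSak` and `sak size is not 24 or 40` for `unwrapSak`. Whether the reference implementation already enforces the stricter bound is not visible in this section. While editing, `eqauls` should be `equals`, and the `unwrapSak` comment should say which error is returned when the key-wrap integrity check fails, so callers never treat unverified output as a SAK.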