Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit e41208c9 authored by Seth Moore's avatar Seth Moore Committed by Automerger Merge Worker
Browse files

Merge "Revert^2 "KeyMint HAL: add curve 25519, bump version"" am: 0834ba69 am: 07069c9e 

Original change: https://android-review.googlesource.com/c/platform/hardware/interfaces/+/1920687

Change-Id: I339a10f59fda9025e2476cf5368025e420ce8e4a
parents f711c9d4 07069c9e

compatibility_matrices/compatibility_matrix.current.xml

+2 −1
Original line number Diff line number Diff line
@@ -334,7 +334,7 @@ 
    </hal>

    <hal format="aidl" optional="true">

        <name>android.hardware.security.keymint</name>

        <version>1</version>

        <version>1-2</version>

        <interface>

            <name>IKeyMintDevice</name>

            <instance>default</instance>
@@ -343,6 +343,7 @@ 
    </hal>

    <hal format="aidl" optional="true">

        <name>android.hardware.security.keymint</name>

        <version>1-2</version>

        <interface>

            <name>IRemotelyProvisionedComponent</name>

            <instance>default</instance>

security/keymint/aidl/Android.bp

+3 −3
Original line number Diff line number Diff line
@@ -45,14 +45,14 @@ aidl_interface { 
cc_defaults {

    name: "keymint_use_latest_hal_aidl_ndk_static",

    static_libs: [

        "android.hardware.security.keymint-V1-ndk",

        "android.hardware.security.keymint-V2-ndk",

    ],

}



cc_defaults {

    name: "keymint_use_latest_hal_aidl_ndk_shared",

    shared_libs: [

        "android.hardware.security.keymint-V1-ndk",

        "android.hardware.security.keymint-V2-ndk",

    ],

}
@@ -62,6 +62,6 @@ cc_defaults { 
rust_defaults {

    name: "keymint_use_latest_hal_aidl_rust",

    rustlibs: [

        "android.hardware.security.keymint-V1-rust",

        "android.hardware.security.keymint-V2-rust",

    ],

}

security/keymint/aidl/aidl_api/android.hardware.security.keymint/current/android/hardware/security/keymint/EcCurve.aidl

+1 −0
Original line number Diff line number Diff line
@@ -39,4 +39,5 @@ enum EcCurve { 
  P_256 = 1,

  P_384 = 2,

  P_521 = 3,

  CURVE_25519 = 4,

}

security/keymint/aidl/android/hardware/security/keymint/EcCurve.aidl

+1 −0
Original line number Diff line number Diff line
@@ -27,4 +27,5 @@ enum EcCurve { 
    P_256 = 1,

    P_384 = 2,

    P_521 = 3,

    CURVE_25519 = 4,

}

security/keymint/aidl/android/hardware/security/keymint/IKeyMintDevice.aidl

+20 −4
Original line number Diff line number Diff line
@@ -93,6 +93,11 @@ import android.hardware.security.secureclock.TimeStampToken; 
 *        P-521.  STRONGBOX IKeyMintDevices must support NIST curve P-256.

 *      - TRUSTED_ENVIRONMENT IKeyMintDevices must support SHA1, SHA-2 224, SHA-2 256, SHA-2

 *        384 and SHA-2 512 digest modes.  STRONGBOX IKeyMintDevices must support SHA-2 256.

 *      - TRUSTED_ENVRIONMENT IKeyMintDevices must support curve 25519 for Purpose::SIGN (Ed25519,

 *        as specified in RFC 8032), Purpose::ATTEST_KEY (Ed25519) or for KeyPurpose::AGREE_KEY

 *        (X25519, as specified in RFC 7748).  However, a key must have exactly one of these

 *        purpose values; the same key cannot be used for multiple purposes.

 *        STRONGBOX IKeyMintDevices do not support curve 25519.

 *

 * o   AES

 *
@@ -287,7 +292,7 @@ interface IKeyMintDevice { 
     *   except AGREE_KEY must be supported for RSA keys.

     *

     * o Tag::DIGEST specifies digest algorithms that may be used with the new key.  TEE

     *   IKeyMintDevice implementations must support all Digest values (see digest.aidl) for RSA

     *   IKeyMintDevice implementations must support all Digest values (see Digest.aidl) for RSA

     *   keys.  StrongBox IKeyMintDevice implementations must support SHA_2_256.

     *

     * o Tag::PADDING specifies the padding modes that may be used with the new
@@ -298,13 +303,24 @@ interface IKeyMintDevice { 
     * == ECDSA Keys ==

     *

     * Tag::EC_CURVE must be provided to generate an ECDSA key.  If it is not provided, generateKey

     * must return ErrorCode::UNSUPPORTED_KEY_SIZE. TEE IKeyMintDevice implementations must support

     * all curves.  StrongBox implementations must support P_256.



     * must return ErrorCode::UNSUPPORTED_KEY_SIZE or ErrorCode::UNSUPPORTED_EC_CURVE. TEE

     * IKeyMintDevice implementations must support all required curves.  StrongBox implementations

     * must support P_256 and no other curves.

     *

     * Tag::CERTIFICATE_NOT_BEFORE and Tag::CERTIFICATE_NOT_AFTER must be provided to specify the

     * valid date range for the returned X.509 certificate holding the public key. If omitted,

     * generateKey must return ErrorCode::MISSING_NOT_BEFORE or ErrorCode::MISSING_NOT_AFTER.

     *

     * Keys with EC_CURVE of EcCurve::CURVE_25519 must have exactly one purpose in the set

     * {KeyPurpose::SIGN, KeyPurpose::ATTEST_KEY, KeyPurpose::AGREE_KEY}.  Key generation with more

     * than one purpose should be rejected with ErrorCode::INCOMPATIBLE_PURPOSE.

     * StrongBox implementation do not support CURVE_25519.

     *

     * Tag::DIGEST specifies digest algorithms that may be used with the new key.  TEE

     * IKeyMintDevice implementations must support all Digest values (see Digest.aidl) for ECDSA

     * keys; Ed25519 keys only support Digest::NONE. StrongBox IKeyMintDevice implementations must

     * support SHA_2_256.

     *

     * == AES Keys ==

     *

     * Only Tag::KEY_SIZE is required to generate an AES key.  If omitted, generateKey must return