
Commit fa09d071 authored by Eran Messeri, committed by Seth Moore

ID attestation: Define tag for a second IMEI

Define a KeyMint tag for a second IMEI to be included in the attestation
record.

Also clarify that the IMEI tag is meant to include one, and only one,
IMEI.

Bug: 244732345
Test: android.keystore.cts.DeviceOwnerKeyManagementTest
Change-Id: I70ecbb0245ba2e517e5d0db0cfdce4525846f3e5
parent b3443dda
+1 −0
@@ -90,6 +90,7 @@ enum Tag {
  DEVICE_UNIQUE_ATTESTATION = 1879048912,
  IDENTITY_CREDENTIAL_KEY = 1879048913,
  STORAGE_KEY = 1879048914,
  ATTESTATION_ID_SECOND_IMEI = -1879047469,
  ASSOCIATED_DATA = -1879047192,
  NONCE = -1879047191,
  MAC_LENGTH = 805307371,
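Review bot: ATTESTATION_ID_SECOND_IMEI = -1879047469 is a bare numeric literal that has to equal the TagType.BYTES | 723 given in the tag definition elsewhere in this change, and nothing in this hunk lets a reader check that. Please confirm the value was derived from that definition rather than typed in by hand, since a mismatch between the two would not be caught by reading the diff.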
+17 −2
@@ -726,9 +726,10 @@ enum Tag {
    ATTESTATION_ID_SERIAL = TagType.BYTES | 713,

    /**
     * Tag::ATTESTATION_ID_IMEI provides the IMEIs for all radios on the device to attested key
     * Tag::ATTESTATION_ID_IMEI provides the IMEI one of the radios on the device to attested key
     * generation/import operations.  This field must be set only when requesting attestation of the
     * device's identifiers.
     * device's identifiers. If the device has more than one IMEI, a second IMEI may be included
     * by using the Tag::ATTESTATION_ID_SECOND_IMEI tag.
     *
     * If the device does not support ID attestation (or destroyAttestationIds() was previously
     * called and the device can no longer attest its IDs), any key attestation request that
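Review bot: In the rewritten Tag::ATTESTATION_ID_IMEI comment, "provides the IMEI one of the radios on the device" is missing a word and should read "provides the IMEI of one of the radios on the device". The comment also leaves open which IMEI goes in this tag on a device that has two; if the choice matters to whoever verifies the attestation record, state the rule here, and if it does not, say so explicitly.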
@@ -882,6 +883,20 @@ enum Tag {
     */
    STORAGE_KEY = TagType.BOOL | 722,

    /**
     * Tag::ATTESTATION_ID_SECOND_IMEI provides an additional IMEI of one of the radios on the
     * device to attested key generation/import operations. This field MUST be accompanied by
     * the Tag::ATTESTATION_ID_IMEI tag. It would only be used to convery a second IMEI the device
     * has, after Tag::ATTESTATION_ID_SECOND_IMEI has been used to convery the first IMEI.
     *
     * If the device does not support ID attestation (or destroyAttestationIds() was previously
     * called and the device can no longer attest its IDs), any key attestation request that
     * includes this tag must fail with ErrorCode::CANNOT_ATTEST_IDS.
     *
     * Must never appear in KeyCharacteristics.
     */
    ATTESTATION_ID_SECOND_IMEI = TagType.BYTES | 723,

    /**
     * OBSOLETE: Do not use.
     *
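Review bot: The last sentence of the new ATTESTATION_ID_SECOND_IMEI comment names the wrong tag: "after Tag::ATTESTATION_ID_SECOND_IMEI has been used to convery the first IMEI" should refer to Tag::ATTESTATION_ID_IMEI, and "convery" should be "convey" in both places. The comment also says the tag MUST be accompanied by Tag::ATTESTATION_ID_IMEI but gives no error code for a request that supplies the second IMEI alone; only the ErrorCode::CANNOT_ATTEST_IDS case is specified, so add the expected failure for the unaccompanied case.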