From 287187f1d23aaa07543275049e745dd6fc16b78b Mon Sep 17 00:00:00 2001
From: Orlando Arbildo
Date: Wed, 3 Apr 2024 19:49:28 +0000
Subject: [PATCH] Add key parameter to deriveDicePolicyBoundKey

Adding a key parameter to deriveDicePolicyBoundKey to use it as the base of the derived key.

Bug: 284152719
Test: qemu android build
Change-Id: Iab3ee341825f01345996bde3b0b62037e4ec45da
---
 .../security/see/hwcrypto/IHwCryptoKey.aidl | 12 +++++--
 .../security/see/hwcrypto/IHwCryptoKey.aidl | 36 +++++++++++++++++--
 2 files changed, 44 insertions(+), 4 deletions(-)

diff --git a/staging/security/see/hwcrypto/aidl/aidl_api/android.hardware.security.see/current/android/hardware/security/see/hwcrypto/IHwCryptoKey.aidl b/staging/security/see/hwcrypto/aidl/aidl_api/android.hardware.security.see/current/android/hardware/security/see/hwcrypto/IHwCryptoKey.aidl
index 53d722c3ca..7efcdd65b0 100644
--- a/staging/security/see/hwcrypto/aidl/aidl_api/android.hardware.security.see/current/android/hardware/security/see/hwcrypto/IHwCryptoKey.aidl
+++ b/staging/security/see/hwcrypto/aidl/aidl_api/android.hardware.security.see/current/android/hardware/security/see/hwcrypto/IHwCryptoKey.aidl
@@ -33,9 +33,17 @@ package android.hardware.security.see.hwcrypto; interface IHwCryptoKey { - android.hardware.security.see.hwcrypto.IHwCryptoKey.DiceCurrentBoundKeyResult deriveCurrentDicePolicyBoundKey(); - android.hardware.security.see.hwcrypto.IHwCryptoKey.DiceBoundKeyResult deriveDicePolicyBoundKey(in byte[] dicePolicyForKeyVersion); + android.hardware.security.see.hwcrypto.IHwCryptoKey.DiceCurrentBoundKeyResult deriveCurrentDicePolicyBoundKey(in android.hardware.security.see.hwcrypto.IHwCryptoKey.DiceBoundDerivationKey derivationKey); + android.hardware.security.see.hwcrypto.IHwCryptoKey.DiceBoundKeyResult deriveDicePolicyBoundKey(in android.hardware.security.see.hwcrypto.IHwCryptoKey.DiceBoundDerivationKey derivationKey, in byte[] dicePolicyForKeyVersion); android.hardware.security.see.hwcrypto.IHwCryptoKey.DerivedKey deriveKey(in android.hardware.security.see.hwcrypto.IHwCryptoKey.DerivedKeyParameters parameters); + enum DeviceKeyId { + DEVICE_BOUND_KEY, + BATCH_KEY, + } + union DiceBoundDerivationKey { + android.hardware.security.see.hwcrypto.IOpaqueKey opaqueKey; + android.hardware.security.see.hwcrypto.IHwCryptoKey.DeviceKeyId keyId; + } parcelable DiceCurrentBoundKeyResult { android.hardware.security.see.hwcrypto.IOpaqueKey diceBoundKey; byte[] dicePolicyForKeyVersion; diff --git a/staging/security/see/hwcrypto/aidl/android/hardware/security/see/hwcrypto/IHwCryptoKey.aidl b/staging/security/see/hwcrypto/aidl/android/hardware/security/see/hwcrypto/IHwCryptoKey.aidl index 08c3173b17..939014a554 100644 --- a/staging/security/see/hwcrypto/aidl/android/hardware/security/see/hwcrypto/IHwCryptoKey.aidl +++ b/staging/security/see/hwcrypto/aidl/android/hardware/security/see/hwcrypto/IHwCryptoKey.aidl 
@@ -22,6 +22,30 @@ import android.hardware.security.see.hwcrypto.KeyPolicy;
 * Higher level interface to access and generate keys.
 */
 interface IHwCryptoKey {
+ /*
+ * Identifier for the requested device provided key. The currently supported identifiers are:
+ *
+ * DEVICE_BOUND_KEY:
+ * This is a key unique to the device.
+ * BATCH_KEY:
+ * This is a shared by a set of devices.
+ */
+ enum DeviceKeyId {
+ DEVICE_BOUND_KEY,
+ BATCH_KEY,
+ }
+ union DiceBoundDerivationKey {
+ /*
+ * Opaque to be used to derive the DICE bound key.
+ */
+ IOpaqueKey opaqueKey;
+
+ /*
+ * Device provided key to be used to derive the DICE bound key.
+ */
+ DeviceKeyId keyId;
+ }
+
 parcelable DiceCurrentBoundKeyResult {
 /*
 * Key cryptographically bound to a DICE policy.
@@ -112,17 +136,24 @@ interface IHwCryptoKey {
 * policy. It will return this current policy back to the caller
 * along with the generated key.
 *
+ * @derivationKey:
+ * Key to be used to derive the new key using HKDF.
+ *
 * Return:
 * Ok(DiceCurrentBoundKeyResult) on success, service specific error based on
 * HalErrorCode otherwise.
 */
- DiceCurrentBoundKeyResult deriveCurrentDicePolicyBoundKey();
+ DiceCurrentBoundKeyResult deriveCurrentDicePolicyBoundKey(
+ in DiceBoundDerivationKey derivationKey);

 /*
 * deriveDicePolicyBoundKey() - Derive a versioned key by checking the provided DICE policy
 * against the caller and then using it as a context for deriving
 * the returned key.
 *
+ * @derivationKey:
+ * Key to be used to derive the new key using HKDF.
+ *
 * @dicePolicyForKeyVersion:
 * Policy used to derive keys tied to specific versions. Using this parameter
 * the caller can tie a derived key to a minimum version of itself, so in the future only
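Review bot: The comment on `DeviceKeyId` does not say what choosing `BATCH_KEY` means for a DICE bound key derived from it: since that key is shared by a set of devices, the derived key is presumably not unique to one device, and callers protecting per-device secrets need to know that. I would state it next to the value, e.g. `* This is a key shared by a set of devices; keys derived from it are not device unique.`, which also fixes the missing word in `This is a shared by`. In the union, `Opaque to be used` should read `Opaque key to be used`, and the `opaqueKey` arm should say what the key's policy must permit for it to be accepted here; nothing in this hunk shows whether that is checked. The interface body continues outside the hunk.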
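Review bot: `Key to be used to derive the new key using HKDF.` in the two `@derivationKey` paragraphs leaves the derivation underspecified: it does not say which HKDF input the key supplies, or whether the output is separated from what `deriveKey()` would produce from the same `opaqueKey`. Without that, a caller cannot tell whether passing one opaque key to both entry points can yield related keys. I would extend the paragraph to something like `Base key for the HKDF derivation; the DICE policy is used as the derivation context.` and name the error returned when the key is not allowed to be used for derivation. The same wording applies to the `deriveDicePolicyBoundKey` signature in the following hunk; both comment blocks start or end outside the hunks shown.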
@@ -137,7 +168,8 @@ interface IHwCryptoKey {
 * Ok(DiceBoundKeyResult) on success, service specific error based on
 * HalErrorCode otherwise.
 */
- DiceBoundKeyResult deriveDicePolicyBoundKey(in byte[] dicePolicyForKeyVersion);
+ DiceBoundKeyResult deriveDicePolicyBoundKey(
+ in DiceBoundDerivationKey derivationKey, in byte[] dicePolicyForKeyVersion);

 /*
 * deriveKey() - Derive a new key based on the given key, policy and context.