tequilaOS/platform_hardware_interfaces
2
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity

Add key parameter to deriveDicePolicyBoundKey

Browse source 
Adding a key parameter to deriveDicePolicyBoundKey to use it
as the base of the derived key.

Bug: 284152719
Test: qemu android build
Change-Id: Iab3ee341825f01345996bde3b0b62037e4ec45da
This commit is contained in:
Orlando Arbildo 2024-04-03 19:49:28 +00:00
parent fae563acb0
commit 287187f1d2
2 changed files with 44 additions and 4 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

12
staging/security/see/hwcrypto/aidl/aidl_api/android.hardware.security.see/current/android/hardware/security/see/hwcrypto/IHwCryptoKey.aidl
View file

@ -33,9 +33,17 @@
package android.hardware.security.see.hwcrypto; package android.hardware.security.see.hwcrypto;
interface IHwCryptoKey { interface IHwCryptoKey {
android.hardware.security.see.hwcrypto.IHwCryptoKey.DiceCurrentBoundKeyResult deriveCurrentDicePolicyBoundKey(); android.hardware.security.see.hwcrypto.IHwCryptoKey.DiceCurrentBoundKeyResult deriveCurrentDicePolicyBoundKey(in android.hardware.security.see.hwcrypto.IHwCryptoKey.DiceBoundDerivationKey derivationKey);
android.hardware.security.see.hwcrypto.IHwCryptoKey.DiceBoundKeyResult deriveDicePolicyBoundKey(in byte[] dicePolicyForKeyVersion); android.hardware.security.see.hwcrypto.IHwCryptoKey.DiceBoundKeyResult deriveDicePolicyBoundKey(in android.hardware.security.see.hwcrypto.IHwCryptoKey.DiceBoundDerivationKey derivationKey, in byte[] dicePolicyForKeyVersion);
android.hardware.security.see.hwcrypto.IHwCryptoKey.DerivedKey deriveKey(in android.hardware.security.see.hwcrypto.IHwCryptoKey.DerivedKeyParameters parameters); android.hardware.security.see.hwcrypto.IHwCryptoKey.DerivedKey deriveKey(in android.hardware.security.see.hwcrypto.IHwCryptoKey.DerivedKeyParameters parameters);
enum DeviceKeyId {
DEVICE_BOUND_KEY,
BATCH_KEY,
}
union DiceBoundDerivationKey {
android.hardware.security.see.hwcrypto.IOpaqueKey opaqueKey;
android.hardware.security.see.hwcrypto.IHwCryptoKey.DeviceKeyId keyId;
}
parcelable DiceCurrentBoundKeyResult { parcelable DiceCurrentBoundKeyResult {
android.hardware.security.see.hwcrypto.IOpaqueKey diceBoundKey; android.hardware.security.see.hwcrypto.IOpaqueKey diceBoundKey;
byte[] dicePolicyForKeyVersion; byte[] dicePolicyForKeyVersion;

36
staging/security/see/hwcrypto/aidl/android/hardware/security/see/hwcrypto/IHwCryptoKey.aidl
View file

@ -22,6 +22,30 @@ import android.hardware.security.see.hwcrypto.KeyPolicy;
* Higher level interface to access and generate keys. * Higher level interface to access and generate keys.
*/ */
interface IHwCryptoKey { interface IHwCryptoKey {
/*
* Identifier for the requested device provided key. The currently supported identifiers are:
*
* DEVICE_BOUND_KEY:
* This is a key unique to the device.
* BATCH_KEY:
* This is a shared by a set of devices.
*/
enum DeviceKeyId {
DEVICE_BOUND_KEY,
BATCH_KEY,
}
union DiceBoundDerivationKey {
/*
* Opaque to be used to derive the DICE bound key.
*/
IOpaqueKey opaqueKey;
/*
* Device provided key to be used to derive the DICE bound key.
*/
DeviceKeyId keyId;
}
parcelable DiceCurrentBoundKeyResult { parcelable DiceCurrentBoundKeyResult {
/* /*
* Key cryptographically bound to a DICE policy. * Key cryptographically bound to a DICE policy.
@ -112,17 +136,24 @@ interface IHwCryptoKey {
* policy. It will return this current policy back to the caller * policy. It will return this current policy back to the caller
* along with the generated key. * along with the generated key.
* *
* @derivationKey:
* Key to be used to derive the new key using HKDF.
*
* Return: * Return:
* Ok(DiceCurrentBoundKeyResult) on success, service specific error based on * Ok(DiceCurrentBoundKeyResult) on success, service specific error based on
* <code>HalErrorCode</code> otherwise. * <code>HalErrorCode</code> otherwise.
*/ */
DiceCurrentBoundKeyResult deriveCurrentDicePolicyBoundKey(); DiceCurrentBoundKeyResult deriveCurrentDicePolicyBoundKey(
in DiceBoundDerivationKey derivationKey);
/* /*
* deriveDicePolicyBoundKey() - Derive a versioned key by checking the provided DICE policy * deriveDicePolicyBoundKey() - Derive a versioned key by checking the provided DICE policy
* against the caller and then using it as a context for deriving * against the caller and then using it as a context for deriving
* the returned key. * the returned key.
* *
* @derivationKey:
* Key to be used to derive the new key using HKDF.
*
* @dicePolicyForKeyVersion: * @dicePolicyForKeyVersion:
* Policy used to derive keys tied to specific versions. Using this parameter * Policy used to derive keys tied to specific versions. Using this parameter
* the caller can tie a derived key to a minimum version of itself, so in the future only * the caller can tie a derived key to a minimum version of itself, so in the future only
@ -137,7 +168,8 @@ interface IHwCryptoKey {
* Ok(DiceBoundKeyResult) on success, service specific error based on * Ok(DiceBoundKeyResult) on success, service specific error based on
* <code>HalErrorCode</code> otherwise. * <code>HalErrorCode</code> otherwise.
*/ */
DiceBoundKeyResult deriveDicePolicyBoundKey(in byte[] dicePolicyForKeyVersion); DiceBoundKeyResult deriveDicePolicyBoundKey(
in DiceBoundDerivationKey derivationKey, in byte[] dicePolicyForKeyVersion);
/* /*
* deriveKey() - Derive a new key based on the given key, policy and context. * deriveKey() - Derive a new key based on the given key, policy and context.