diff --git a/security/keymint/aidl/android/hardware/security/keymint/Tag.aidl b/security/keymint/aidl/android/hardware/security/keymint/Tag.aidl
index 58e02b35b2..861084eb23 100644
--- a/security/keymint/aidl/android/hardware/security/keymint/Tag.aidl
+++ b/security/keymint/aidl/android/hardware/security/keymint/Tag.aidl
@@ -18,10 +18,6 @@ package android.hardware.security.keymint;
 import android.hardware.security.keymint.TagType;
-// TODO(seleneh) : note aidl currently does not support double nested enum definitions such as
-// ROOT_OF_TRUST = TagType:BYTES | 704. So we are forced to write definitions as
-// ROOT_OF_TRUST = (9 << 28) for now. Will need to flip this back later when aidl support is added.
-
 /**
 * Tag specifies various kinds of tags that can be set in KeyParameter to identify what kind of
 * data are stored in KeyParameter.
@@ -33,7 +29,7 @@ enum Tag {
 /**
 * Tag::INVALID should never be set. It means you hit an error.
 */
- INVALID = (0 << 28) | 0,
+ INVALID = 0,
 /**
 * Tag::PURPOSE specifies the set of purposes for which the key may be used. Possible values
@@ -47,7 +43,7 @@ enum Tag {
 *
 * Must be hardware-enforced.
 */
- PURPOSE = (2 << 28) /* TagType:ENUM_REP */ | 1,
+ PURPOSE = TagType.ENUM_REP | 1,
 /**
 * Tag::ALGORITHM specifies the cryptographic algorithm with which the key is used. This tag
@@ -56,7 +52,7 @@ enum Tag {
 *
 * Must be hardware-enforced.
 */
- ALGORITHM = (1 << 28) /* TagType:ENUM */ | 2,
+ ALGORITHM = TagType.ENUM | 2,
 /**
 * Tag::KEY_SIZE specifies the size, in bits, of the key, measuring in the normal way for the
@@ -68,7 +64,7 @@ enum Tag {
 *
 * Must be hardware-enforced.
 */
- KEY_SIZE = (3 << 28) /* TagType:UINT */ | 3,
+ KEY_SIZE = TagType.UINT | 3,
 /**
 * Tag::BLOCK_MODE specifies the block cipher mode(s) with which the key may be used. This tag
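Review bot: With the `(N << 28)` literals and their `/* TagType:X */` comments gone, nothing in Tag.aidl says how a tag value is laid out, and every resolved number now depends on TagType.aidl, which this diff does not show. These numbers appear to be carried in key characteristics and attestation records (per the surrounding comments), so a later edit to TagType would silently renumber every entry in this and the following hunks. I would add a comment above `enum Tag {` such as `// Value = TagType (bits 28-31) | tag number (bits 0-27); resolved values are serialized and must never change.` and confirm the generated constants are identical before and after the change. Separately, `INVALID = 0` in the second hunk drops the type part that every other entry spells out; `INVALID = TagType.INVALID | 0` would keep the table uniform, assuming TagType defines INVALID. The enum body starts and ends outside these hunks.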
@@ -81,7 +77,7 @@ enum Tag {
 *
 * Must be hardware-enforced.
 */
- BLOCK_MODE = (2 << 28) /* TagType:ENUM_REP */ | 4,
+ BLOCK_MODE = TagType.ENUM_REP | 4,
 /**
 * Tag::DIGEST specifies the digest algorithms that may be used with the key to perform signing
@@ -95,7 +91,7 @@ enum Tag {
 *
 * Must be hardware-enforced.
 */
- DIGEST = (2 << 28) /* TagType:ENUM_REP */ | 5,
+ DIGEST = TagType.ENUM_REP | 5,
 /**
 * Tag::PADDING specifies the padding modes that may be used with the key. This tag is relevant
@@ -123,7 +119,7 @@ enum Tag {
 *
 * Must be hardware-enforced.
 */
- PADDING = (2 << 28) /* TagType:ENUM_REP */ | 6,
+ PADDING = TagType.ENUM_REP | 6,
 /**
 * Tag::CALLER_NONCE specifies that the caller can provide a nonce for nonce-requiring
@@ -136,7 +132,7 @@ enum Tag {
 *
 * Must be hardware-enforced.
 */
- CALLER_NONCE = (7 << 28) /* TagType:BOOL */ | 7,
+ CALLER_NONCE = TagType.BOOL | 7,
 /**
 * Tag::MIN_MAC_LENGTH specifies the minimum length of MAC that can be requested or verified
@@ -149,7 +145,7 @@ enum Tag {
 *
 * Must be hardware-enforced.
 */
- MIN_MAC_LENGTH = (3 << 28) /* TagType:UINT */ | 8,
+ MIN_MAC_LENGTH = TagType.UINT | 8,
 // Tag 9 reserved
@@ -159,7 +155,7 @@ enum Tag {
 *
 * Must be hardware-enforced.
 */
- EC_CURVE = (1 << 28) /* TagType:ENUM */ | 10,
+ EC_CURVE = TagType.ENUM | 10,
 /**
 * Tag::RSA_PUBLIC_EXPONENT specifies the value of the public exponent for an RSA key pair.
@@ -173,7 +169,7 @@ enum Tag {
 *
 * Must be hardware-enforced.
 */
- RSA_PUBLIC_EXPONENT = (5 << 28) /* TagType:ULONG */ | 200,
+ RSA_PUBLIC_EXPONENT = TagType.ULONG | 200,
 // Tag 201 reserved
@@ -184,7 +180,7 @@ enum Tag {
 *
 * Must be hardware-enforced.
 */
- INCLUDE_UNIQUE_ID = (7 << 28) /* TagType:BOOL */ | 202,
+ INCLUDE_UNIQUE_ID = TagType.BOOL | 202,
 /**
 * Tag::RSA_OAEP_MGF_DIGEST specifies the MGF1 digest algorithms that may be used with RSA
@@ -197,7 +193,7 @@ enum Tag {
 *
 * Must be hardware-enforced.
 */
- RSA_OAEP_MGF_DIGEST = (2 << 28) /* TagType:ENUM_REP */ | 203,
+ RSA_OAEP_MGF_DIGEST = TagType.ENUM_REP | 203,
 // Tag 301 reserved
@@ -209,7 +205,7 @@ enum Tag {
 *
 * Must be hardware-enforced.
 */
- BOOTLOADER_ONLY = (7 << 28) /* TagType:BOOL */ | 302,
+ BOOTLOADER_ONLY = TagType.BOOL | 302,
 /**
 * Tag::ROLLBACK_RESISTANCE specifies that the key has rollback resistance, meaning that when
@@ -224,10 +220,10 @@ enum Tag {
 *
 * Must be hardware-enforced.
 */
- ROLLBACK_RESISTANCE = (7 << 28) /* TagType:BOOL */ | 303,
+ ROLLBACK_RESISTANCE = TagType.BOOL | 303,
 // Reserved for future use.
- HARDWARE_TYPE = (1 << 28) /* TagType:ENUM */ | 304,
+ HARDWARE_TYPE = TagType.ENUM | 304,
 /**
 * Keys tagged with EARLY_BOOT_ONLY may only be used during early boot, until
@@ -236,7 +232,7 @@ enum Tag {
 * provided to IKeyMintDevice::importKey, the import must fail with
 * ErrorCode::EARLY_BOOT_ENDED.
 */
- EARLY_BOOT_ONLY = (7 << 28) /* TagType:BOOL */ | 305,
+ EARLY_BOOT_ONLY = TagType.BOOL | 305,
 /**
 * Tag::ACTIVE_DATETIME specifies the date and time at which the key becomes active, in
@@ -245,7 +241,7 @@ enum Tag {
 *
 * Need not be hardware-enforced.
 */
- ACTIVE_DATETIME = (6 << 28) /* TagType:DATE */ | 400,
+ ACTIVE_DATETIME = TagType.DATE | 400,
 /**
 * Tag::ORIGINATION_EXPIRE_DATETIME specifies the date and time at which the key expires for
@@ -257,7 +253,7 @@ enum Tag {
 *
 * Need not be hardware-enforced.
 */
- ORIGINATION_EXPIRE_DATETIME = (6 << 28) /* TagType:DATE */ | 401,
+ ORIGINATION_EXPIRE_DATETIME = TagType.DATE | 401,
 /**
 * Tag::USAGE_EXPIRE_DATETIME specifies the date and time at which the key expires for
@@ -269,7 +265,7 @@ enum Tag {
 *
 * Need not be hardware-enforced.
 */
- USAGE_EXPIRE_DATETIME = (6 << 28) /* TagType:DATE */ | 402,
+ USAGE_EXPIRE_DATETIME = TagType.DATE | 402,
 /**
 * TODO(seleneh) this tag need to be deleted.
@@ -294,7 +290,7 @@ enum Tag {
 *
 * Must be hardware-enforced.
 */
- MIN_SECONDS_BETWEEN_OPS = (3 << 28) /* TagType:UINT */ | 403,
+ MIN_SECONDS_BETWEEN_OPS = TagType.UINT | 403,
 /**
 * Tag::MAX_USES_PER_BOOT specifies the maximum number of times that a key may be used between
@@ -314,7 +310,7 @@ enum Tag {
 *
 * Must be hardware-enforced.
 */
- MAX_USES_PER_BOOT = (3 << 28) /* TagType:UINT */ | 404,
+ MAX_USES_PER_BOOT = TagType.UINT | 404,
 /**
 * Tag::USAGE_COUNT_LIMIT specifies the number of times that a key may be used. This can be
@@ -343,14 +339,14 @@ enum Tag {
 * record. This tag must have the same SecurityLevel as the tag that is added to the key
 * characteristics.
 */
- USAGE_COUNT_LIMIT = (3 << 28) | 405, /* TagType:UINT */
+ USAGE_COUNT_LIMIT = TagType.UINT | 405,
 /**
 * Tag::USER_ID specifies the ID of the Android user that is permitted to use the key.
 *
 * Must not be hardware-enforced.
 */
- USER_ID = (3 << 28) /* TagType:UINT */ | 501,
+ USER_ID = TagType.UINT | 501,
 /**
 * Tag::USER_SECURE_ID specifies that a key may only be used under a particular secure user
@@ -383,7 +379,7 @@ enum Tag {
 *
 * Must be hardware-enforced.
 */
- USER_SECURE_ID = (10 << 28) /* TagType:ULONG_REP */ | 502,
+ USER_SECURE_ID = TagType.ULONG_REP | 502,
 /**
 * Tag::NO_AUTH_REQUIRED specifies that no authentication is required to use this key. This tag
@@ -391,7 +387,7 @@ enum Tag {
 *
 * Must be hardware-enforced.
 */
- NO_AUTH_REQUIRED = (7 << 28) /* TagType:BOOL */ | 503,
+ NO_AUTH_REQUIRED = TagType.BOOL | 503,
 /**
 * Tag::USER_AUTH_TYPE specifies the types of user authenticators that may be used to authorize
@@ -410,7 +406,7 @@ enum Tag {
 *
 * Must be hardware-enforced.
 */
- USER_AUTH_TYPE = (1 << 28) /* TagType:ENUM */ | 504,
+ USER_AUTH_TYPE = TagType.ENUM | 504,
 /**
 * Tag::AUTH_TIMEOUT specifies the time in seconds for which the key is authorized for use,
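Review bot: `USER_SECURE_ID = TagType.ULONG_REP | 502` stands in for `(10 << 28)`, which sets bit 31, so if Tag has a signed 32-bit backing type (not visible in this diff) the resolved value is negative; the same applies to `CERTIFICATE_SERIAL = TagType.BIGNUM | 1006`, formerly `(8 << 28)`, in a later hunk. With the literal shift no longer on the line, that is easy to miss, and code that recovers the type with a sign-extending shift or orders tags numerically would misclassify these two entries. A one-line comment on both, for example `// Bit 31 is set: mask with 0xF0000000 before comparing against a TagType.`, would document this for implementers.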
@@ -424,7 +420,7 @@ enum Tag {
 *
 * Must be hardware-enforced.
 */
- AUTH_TIMEOUT = (3 << 28) /* TagType:UINT */ | 505,
+ AUTH_TIMEOUT = TagType.UINT | 505,
 /**
 * Tag::ALLOW_WHILE_ON_BODY specifies that the key may be used after authentication timeout if
@@ -432,7 +428,7 @@ enum Tag {
 *
 * Cannot be hardware-enforced.
 */
- ALLOW_WHILE_ON_BODY = (7 << 28) /* TagType:BOOL */ | 506,
+ ALLOW_WHILE_ON_BODY = TagType.BOOL | 506,
 /**
 * TRUSTED_USER_PRESENCE_REQUIRED is an optional feature that specifies that this key must be
@@ -479,7 +475,7 @@ enum Tag {
 *
 * Must be hardware-enforced.
 */
- TRUSTED_USER_PRESENCE_REQUIRED = (7 << 28) /* TagType:BOOL */ | 507,
+ TRUSTED_USER_PRESENCE_REQUIRED = TagType.BOOL | 507,
 /**
 * Tag::TRUSTED_CONFIRMATION_REQUIRED is only applicable to keys with KeyPurpose SIGN, and
@@ -493,7 +489,7 @@ enum Tag {
 *
 * Must be hardware-enforced.
 */
- TRUSTED_CONFIRMATION_REQUIRED = (7 << 28) /* TagType:BOOL */ | 508,
+ TRUSTED_CONFIRMATION_REQUIRED = TagType.BOOL | 508,
 /**
 * Tag::UNLOCKED_DEVICE_REQUIRED specifies that the key may only be used when the device is
@@ -501,7 +497,7 @@ enum Tag {
 *
 * Must be software-enforced.
 */
- UNLOCKED_DEVICE_REQUIRED = (7 << 28) /* TagType:BOOL */ | 509,
+ UNLOCKED_DEVICE_REQUIRED = TagType.BOOL | 509,
 /**
 * Tag::APPLICATION_ID. When provided to generateKey or importKey, this tag specifies data
@@ -517,7 +513,7 @@ enum Tag {
 *
 * Must never appear in KeyCharacteristics.
 */
- APPLICATION_ID = (9 << 28) /* TagType:BYTES */ | 601,
+ APPLICATION_ID = TagType.BYTES | 601,
 /*
 * Semantically unenforceable tags, either because they have no specific meaning or because
@@ -538,7 +534,7 @@ enum Tag {
 *
 * Must never appear in KeyCharacteristics.
 */
- APPLICATION_DATA = (9 << 28) /* TagType:BYTES */ | 700,
+ APPLICATION_DATA = TagType.BYTES | 700,
 /**
 * Tag::CREATION_DATETIME specifies the date and time the key was created, in milliseconds since
@@ -546,7 +542,7 @@ enum Tag {
 *
 * Must be in the software-enforced list, if provided.
 */
- CREATION_DATETIME = (6 << 28) /* TagType:DATE */ | 701,
+ CREATION_DATETIME = TagType.DATE | 701,
 /**
 * Tag::ORIGIN specifies where the key was created, if known. This tag must not be specified
@@ -555,7 +551,7 @@ enum Tag {
 *
 * Must be hardware-enforced.
 */
- ORIGIN = (1 << 28) /* TagType:ENUM */ | 702,
+ ORIGIN = TagType.ENUM | 702,
 // 703 is unused.
@@ -567,7 +563,7 @@ enum Tag {
 *
 * Must never appear in KeyCharacteristics.
 */
- ROOT_OF_TRUST = (9 << 28) /* TagType:BYTES */ | 704,
+ ROOT_OF_TRUST = TagType.BYTES | 704,
 /**
 * Tag::OS_VERSION specifies the system OS version with which the key may be used. This tag is
@@ -590,7 +586,7 @@ enum Tag {
 *
 * Must be hardware-enforced.
 */
- OS_VERSION = (3 << 28) /* TagType:UINT */ | 705,
+ OS_VERSION = TagType.UINT | 705,
 /**
 * Tag::OS_PATCHLEVEL specifies the system security patch level with which the key may be used.
@@ -611,7 +607,7 @@ enum Tag {
 *
 * Must be hardware-enforced.
 */
- OS_PATCHLEVEL = (3 << 28) /* TagType:UINT */ | 706,
+ OS_PATCHLEVEL = TagType.UINT | 706,
 /**
 * Tag::UNIQUE_ID specifies a unique, time-based identifier. This tag is never provided to or
@@ -646,7 +642,7 @@ enum Tag {
 *
 * Must be hardware-enforced.
 */
- UNIQUE_ID = (9 << 28) /* TagType:BYTES */ | 707,
+ UNIQUE_ID = TagType.BYTES | 707,
 /**
 * Tag::ATTESTATION_CHALLENGE is used to deliver a "challenge" value to the attested key
@@ -655,7 +651,7 @@ enum Tag {
 *
 * Must never appear in KeyCharacteristics.
 */
- ATTESTATION_CHALLENGE = (9 << 28) /* TagType:BYTES */ | 708,
+ ATTESTATION_CHALLENGE = TagType.BYTES | 708,
 /**
 * Tag::ATTESTATION_APPLICATION_ID identifies the set of applications which may use a key, used
@@ -681,7 +677,7 @@ enum Tag {
 *
 * Cannot be hardware-enforced.
 */
- ATTESTATION_APPLICATION_ID = (9 << 28) /* TagType:BYTES */ | 709,
+ ATTESTATION_APPLICATION_ID = TagType.BYTES | 709,
 /**
 * Tag::ATTESTATION_ID_BRAND provides the device's brand name, as returned by Build.BRAND in
@@ -694,7 +690,7 @@ enum Tag {
 *
 * Must never appear in KeyCharacteristics.
 */
- ATTESTATION_ID_BRAND = (9 << 28) /* TagType:BYTES */ | 710,
+ ATTESTATION_ID_BRAND = TagType.BYTES | 710,
 /**
 * Tag::ATTESTATION_ID_DEVICE provides the device's device name, as returned by Build.DEVICE in
@@ -707,7 +703,7 @@ enum Tag {
 *
 * Must never appear in KeyCharacteristics.
 */
- ATTESTATION_ID_DEVICE = (9 << 28) /* TagType:BYTES */ | 711,
+ ATTESTATION_ID_DEVICE = TagType.BYTES | 711,
 /**
 * Tag::ATTESTATION_ID_PRODUCT provides the device's product name, as returned by Build.PRODUCT
@@ -720,7 +716,7 @@ enum Tag {
 *
 * Must never appear in KeyCharacteristics.
 */
- ATTESTATION_ID_PRODUCT = (9 << 28) /* TagType:BYTES */ | 712,
+ ATTESTATION_ID_PRODUCT = TagType.BYTES | 712,
 /**
 * Tag::ATTESTATION_ID_SERIAL the device's serial number. This field must be set only when
@@ -732,7 +728,7 @@ enum Tag {
 *
 * Must never appear in KeyCharacteristics.
 */
- ATTESTATION_ID_SERIAL = (9 << 28) /* TagType:BYTES */ | 713,
+ ATTESTATION_ID_SERIAL = TagType.BYTES | 713,
 /**
 * Tag::ATTESTATION_ID_IMEI provides the IMEIs for all radios on the device to attested key
@@ -745,7 +741,7 @@ enum Tag {
 *
 * Must never appear in KeyCharacteristics.
 */
- ATTESTATION_ID_IMEI = (9 << 28) /* TagType:BYTES */ | 714,
+ ATTESTATION_ID_IMEI = TagType.BYTES | 714,
 /**
 * Tag::ATTESTATION_ID_MEID provides the MEIDs for all radios on the device to attested key
@@ -758,7 +754,7 @@ enum Tag {
 *
 * Must never appear in KeyCharacteristics.
 */
- ATTESTATION_ID_MEID = (9 << 28) /* TagType:BYTES */ | 715,
+ ATTESTATION_ID_MEID = TagType.BYTES | 715,
 /**
 * Tag::ATTESTATION_ID_MANUFACTURER provides the device's manufacturer name, as returned by
@@ -771,7 +767,7 @@ enum Tag {
 *
 * Must never appear in KeyCharacteristics.
 */
- ATTESTATION_ID_MANUFACTURER = (9 << 28) /* TagType:BYTES */ | 716,
+ ATTESTATION_ID_MANUFACTURER = TagType.BYTES | 716,
 /**
 * Tag::ATTESTATION_ID_MODEL provides the device's model name, as returned by Build.MODEL in
@@ -784,7 +780,7 @@ enum Tag {
 *
 * Must never appear in KeyCharacteristics.
 */
- ATTESTATION_ID_MODEL = (9 << 28) /* TagType:BYTES */ | 717,
+ ATTESTATION_ID_MODEL = TagType.BYTES | 717,
 /**
 * Tag::VENDOR_PATCHLEVEL specifies the vendor image security patch level with which the key may
@@ -806,7 +802,7 @@ enum Tag {
 *
 * Must be hardware-enforced.
 */
- VENDOR_PATCHLEVEL = (3 << 28) /* TagType:UINT */ | 718,
+ VENDOR_PATCHLEVEL = TagType.UINT | 718,
 /**
 * Tag::BOOT_PATCHLEVEL specifies the boot image (kernel) security patch level with which the
@@ -826,7 +822,7 @@ enum Tag {
 *
 * Must be hardware-enforced.
 */
- BOOT_PATCHLEVEL = (3 << 28) /* TagType:UINT */ | 719,
+ BOOT_PATCHLEVEL = TagType.UINT | 719,
 /**
 * DEVICE_UNIQUE_ATTESTATION is an argument to IKeyMintDevice::attested key generation/import
@@ -852,7 +848,7 @@ enum Tag {
 * IKeyMintDevice implementations that support device-unique attestation MUST add the
 * DEVICE_UNIQUE_ATTESTATION tag to device-unique attestations.
 */
- DEVICE_UNIQUE_ATTESTATION = (7 << 28) /* TagType:BOOL */ | 720,
+ DEVICE_UNIQUE_ATTESTATION = TagType.BOOL | 720,
 /**
 * IDENTITY_CREDENTIAL_KEY is never used by IKeyMintDevice, is not a valid argument to key
@@ -860,7 +856,7 @@ enum Tag {
 * attestation. It is used in attestations produced by the IIdentityCredential HAL when that
 * HAL attests to Credential Keys. IIdentityCredential produces KeyMint-style attestations.
 */
- IDENTITY_CREDENTIAL_KEY = (7 << 28) /* TagType:BOOL */ | 721,
+ IDENTITY_CREDENTIAL_KEY = TagType.BOOL | 721,
 /**
 * To prevent keys from being compromised if an attacker acquires read access to system / kernel
@@ -877,12 +873,12 @@ enum Tag {
 * ErrorCode::INVALID_OPERATION is returned when a key with Tag::STORAGE_KEY is provided to
 * begin().
 */
- STORAGE_KEY = (7 << 28) /* TagType:BOOL */ | 722,
+ STORAGE_KEY = TagType.BOOL | 722,
 /**
 * TODO: Delete when keystore1 is deleted.
 */
- ASSOCIATED_DATA = (9 << 28) /* TagType:BYTES */ | 1000,
+ ASSOCIATED_DATA = TagType.BYTES | 1000,
 /**
 * Tag::NONCE is used to provide or return a nonce or Initialization Vector (IV) for AES-GCM,
@@ -897,7 +893,7 @@ enum Tag {
 *
 * Must never appear in KeyCharacteristics.
 */
- NONCE = (9 << 28) /* TagType:BYTES */ | 1001,
+ NONCE = TagType.BYTES | 1001,
 /**
 * Tag::MAC_LENGTH provides the requested length of a MAC or GCM authentication tag, in bits.
@@ -908,7 +904,7 @@ enum Tag {
 *
 * Must never appear in KeyCharacteristics.
 */
- MAC_LENGTH = (3 << 28) /* TagType:UINT */ | 1003,
+ MAC_LENGTH = TagType.UINT | 1003,
 /**
 * Tag::RESET_SINCE_ID_ROTATION specifies whether the device has been factory reset since the
@@ -916,7 +912,7 @@ enum Tag {
 *
 * Must never appear in KeyCharacteristics.
 */
- RESET_SINCE_ID_ROTATION = (7 << 28) /* TagType:BOOL */ | 1004,
+ RESET_SINCE_ID_ROTATION = TagType.BOOL | 1004,
 /**
 * Tag::CONFIRMATION_TOKEN is used to deliver a cryptographic token proving that the user
@@ -925,7 +921,7 @@ enum Tag {
 *
 * Must never appear in KeyCharacteristics.
 */
- CONFIRMATION_TOKEN = (9 << 28) /* TagType:BYTES */ | 1005,
+ CONFIRMATION_TOKEN = TagType.BYTES | 1005,
 /**
 * Tag::CERTIFICATE_SERIAL specifies the serial number to be assigned to the attestation
@@ -933,7 +929,7 @@ enum Tag {
 * keyMint in the attestation parameters during generateKey() and importKey(). If not provided,
 * the serial shall default to 1.
 */
- CERTIFICATE_SERIAL = (8 << 28) /* TagType:BIGNUM */ | 1006,
+ CERTIFICATE_SERIAL = TagType.BIGNUM | 1006,
 /**
 * Tag::CERTIFICATE_SUBJECT the certificate subject. The value is a DER encoded X509 NAME.
@@ -941,7 +937,7 @@ enum Tag {
 * during generateKey and importKey. If not provided the subject name shall default to
 * CN="Android Keystore Key".
 */
- CERTIFICATE_SUBJECT = (9 << 28) /* TagType:BYTES */ | 1007,
+ CERTIFICATE_SUBJECT = TagType.BYTES | 1007,
 /**
 * Tag::CERTIFICATE_NOT_BEFORE the beginning of the validity of the certificate in UNIX epoch
@@ -949,7 +945,7 @@ enum Tag {
 * certificates. ErrorCode::MISSING_NOT_BEFORE must be returned if this tag is not provided if
 * this tag is not provided to generateKey or importKey.
 */
- CERTIFICATE_NOT_BEFORE = (6 << 28) /* TagType:DATE */ | 1008,
+ CERTIFICATE_NOT_BEFORE = TagType.DATE | 1008,
 /**
 * Tag::CERTIFICATE_NOT_AFTER the end of the validity of the certificate in UNIX epoch time in
@@ -957,7 +953,7 @@ enum Tag {
 * ErrorCode::MISSING_NOT_AFTER must be returned if this tag is not provided to generateKey or
 * importKey.
 */
- CERTIFICATE_NOT_AFTER = (6 << 28) /* TagType:DATE */ | 1009,
+ CERTIFICATE_NOT_AFTER = TagType.DATE | 1009,
 /**
 * Tag::MAX_BOOT_LEVEL specifies a maximum boot level at which a key should function.
@@ -968,5 +964,5 @@ enum Tag {
 *
 * Cannot be hardware enforced in this version.
 */
- MAX_BOOT_LEVEL = (3 << 28) /* TagType:UINT */ | 1010,
+ MAX_BOOT_LEVEL = TagType.UINT | 1010,
 }