Add key parameter to deriveDicePolicyBoundKey am: 287187f1d2 am: adafb4ab7d

Original change: https://android-review.googlesource.com/c/platform/hardware/interfaces/+/3026286

Change-Id: I968b034688d5c36180ec10fe9265cbea1dc3f383
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>

staging/security/see/hwcrypto/aidl/aidl_api/android.hardware.security.see/current/android/hardware/security/see/hwcrypto/IHwCryptoKey.aidl

@@ -33,9 +33,17 @@
 
 package android.hardware.security.see.hwcrypto;
 interface IHwCryptoKey {
-  android.hardware.security.see.hwcrypto.IHwCryptoKey.DiceCurrentBoundKeyResult deriveCurrentDicePolicyBoundKey();
-  android.hardware.security.see.hwcrypto.IHwCryptoKey.DiceBoundKeyResult deriveDicePolicyBoundKey(in byte[] dicePolicyForKeyVersion);
+  android.hardware.security.see.hwcrypto.IHwCryptoKey.DiceCurrentBoundKeyResult deriveCurrentDicePolicyBoundKey(in android.hardware.security.see.hwcrypto.IHwCryptoKey.DiceBoundDerivationKey derivationKey);
+  android.hardware.security.see.hwcrypto.IHwCryptoKey.DiceBoundKeyResult deriveDicePolicyBoundKey(in android.hardware.security.see.hwcrypto.IHwCryptoKey.DiceBoundDerivationKey derivationKey, in byte[] dicePolicyForKeyVersion);
   android.hardware.security.see.hwcrypto.IHwCryptoKey.DerivedKey deriveKey(in android.hardware.security.see.hwcrypto.IHwCryptoKey.DerivedKeyParameters parameters);
+  enum DeviceKeyId {
+    DEVICE_BOUND_KEY,
+    BATCH_KEY,
+  }
+  union DiceBoundDerivationKey {
+    android.hardware.security.see.hwcrypto.IOpaqueKey opaqueKey;
+    android.hardware.security.see.hwcrypto.IHwCryptoKey.DeviceKeyId keyId;
+  }
   parcelable DiceCurrentBoundKeyResult {
     android.hardware.security.see.hwcrypto.IOpaqueKey diceBoundKey;
     byte[] dicePolicyForKeyVersion;

staging/security/see/hwcrypto/aidl/android/hardware/security/see/hwcrypto/IHwCryptoKey.aidl

@@ -22,6 +22,30 @@ import android.hardware.security.see.hwcrypto.KeyPolicy;
  * Higher level interface to access and generate keys.
  */
 interface IHwCryptoKey {
+    /*
+     * Identifier for the requested device provided key. The currently supported identifiers are:
+     *
+     * DEVICE_BOUND_KEY:
+     *      This is a key unique to the device.
+     * BATCH_KEY:
+     *      This is a shared by a set of devices.
+     */
+    enum DeviceKeyId {
+        DEVICE_BOUND_KEY,
+        BATCH_KEY,
+    }
+    union DiceBoundDerivationKey {
+        /*
+         * Opaque to be used to derive the DICE bound key.
+         */
+        IOpaqueKey opaqueKey;
+
+        /*
+         * Device provided key to be used to derive the DICE bound key.
+         */
+        DeviceKeyId keyId;
+    }
+
     parcelable DiceCurrentBoundKeyResult {
         /*
          * Key cryptographically bound to a DICE policy.
@@ -112,17 +136,24 @@ interface IHwCryptoKey {
      *                              policy. It will return this current policy back to the caller
      *                              along with the generated key.
      *
+     * @derivationKey:
+     *     Key to be used to derive the new key using HKDF.
+     *
      * Return:
      *      Ok(DiceCurrentBoundKeyResult) on success, service specific error based on
      *      <code>HalErrorCode</code> otherwise.
      */
-    DiceCurrentBoundKeyResult deriveCurrentDicePolicyBoundKey();
+    DiceCurrentBoundKeyResult deriveCurrentDicePolicyBoundKey(
+            in DiceBoundDerivationKey derivationKey);
 
     /*
      * deriveDicePolicyBoundKey() - Derive a versioned key by checking the provided DICE policy
      *                              against the caller and then using it as a context for deriving
      *                              the returned key.
      *
+     * @derivationKey:
+     *     Key to be used to derive the new key using HKDF.
+     *
      * @dicePolicyForKeyVersion:
      *     Policy used to derive keys tied to specific versions. Using this parameter
      *     the caller can tie a derived key to a minimum version of itself, so in the future only
@@ -137,7 +168,8 @@ interface IHwCryptoKey {
      *      Ok(DiceBoundKeyResult) on success, service specific error based on
      *      <code>HalErrorCode</code> otherwise.
      */
-    DiceBoundKeyResult deriveDicePolicyBoundKey(in byte[] dicePolicyForKeyVersion);
+    DiceBoundKeyResult deriveDicePolicyBoundKey(
+            in DiceBoundDerivationKey derivationKey, in byte[] dicePolicyForKeyVersion);
 
     /*
      * deriveKey() - Derive a new key based on the given key, policy and context.