Add "Unlocked device required" parameter to keys

Add a keymaster parameter for keys that should be inaccessible when the device screen is locked. "Locked" here is a state where the device can be used or accessed without any further trust factor such as a PIN, password, fingerprint, or trusted face or voice. This parameter is added to the Java keystore interface for key creation and import, as well as enums specified by and for the native keystore process. Test: go/asym-write-test-plan Bug: 67752510 Change-Id: Ic1ec3bde05f8a28e20b9443b7f0078749921f297
2017-11-16 15:45:19 -08:00 · 2017-11-16 15:45:19 -08:00 · dc9505de44
commit dc9505de44
parent bc04a28238
1 changed files with 3 additions and 0 deletions
--- a/include/hardware/keymaster_defs.h
+++ b/include/hardware/keymaster_defs.h
@ -112,6 +112,8 @@ typedef enum {
    KM_TAG_ALLOW_WHILE_ON_BODY = KM_BOOL | 506, /* Allow key to be used after authentication timeout
                                                 * if device is still on-body (requires secure
                                                 * on-body sensor. */
+    KM_TAG_UNLOCKED_DEVICE_REQUIRED = KM_BOOL | 508, /* Require the device screen to be unlocked if the
+                                                      * key is used. */

    /* Application access control */
    KM_TAG_ALL_APPLICATIONS = KM_BOOL | 600, /* Specified to indicate key is usable by all
@ -452,6 +454,7 @@ typedef enum {
    KM_ERROR_KEYMASTER_NOT_CONFIGURED = -64,
    KM_ERROR_ATTESTATION_APPLICATION_ID_MISSING = -65,
    KM_ERROR_CANNOT_ATTEST_IDS = -66,
+    KM_ERROR_DEVICE_LOCKED = -71,

    KM_ERROR_UNIMPLEMENTED = -100,
    KM_ERROR_VERSION_MISMATCH = -101,