/*
* Copyright (C) 2019 The Android Open Source Project
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package android.hardware.keymaster@4.1;
import @4.0::ErrorCode;
import @4.0::Tag;
import @4.0::TagType;
/**
* Keymaster 4.1 additions to the @4.0::Tag enumeration. Each enumerator below ORs a TagType (all
* four are TagType:BOOL) with the tag's numeric ID.
*/
enum Tag : @4.0::Tag {
/**
* Keys tagged with EARLY_BOOT_ONLY may only be used, or created, during early boot, until
* IKeymasterDevice::earlyBootEnded() is called.
*
* NOTE(review): ErrorCode::EARLY_BOOT_ENDED is declared in this file, but the error that must be
* returned when such a key is used after earlyBootEnded() is not stated here; confirm against
* the IKeymasterDevice documentation.
*/
EARLY_BOOT_ONLY = TagType:BOOL | 305,
/**
* DEVICE_UNIQUE_ATTESTATION is an argument to IKeymasterDevice::attestKey(). It indicates that
* attestation using a device-unique key is requested, rather than a batch key. When a
* device-unique key is used, only the attestation certificate is returned; no additional
* chained certificates are provided. It's up to the caller to recognize the device-unique
* signing key. Only SecurityLevel::STRONGBOX IKeymasterDevices may support device-unique
* attestations. SecurityLevel::TRUSTED_ENVIRONMENT IKeymasterDevices must return
* ErrorCode::INVALID_ARGUMENT if they receive DEVICE_UNIQUE_ATTESTATION.
* SecurityLevel::STRONGBOX IKeymasterDevices need not support DEVICE_UNIQUE_ATTESTATION, and
* return ErrorCode::CANNOT_ATTEST_IDS if they do not support it.
*
* IKeymasterDevice implementations that support device-unique attestation MUST add the
* DEVICE_UNIQUE_ATTESTATION tag to device-unique attestations.
*
* Callers therefore have to handle two distinct "unsupported" results: INVALID_ARGUMENT from a
* TRUSTED_ENVIRONMENT device and CANNOT_ATTEST_IDS from a STRONGBOX device without support.
*
* NOTE(review): because no chain is returned, a verifier cannot validate such an attestation by
* walking certificates up to a root; it must already know the device-unique signing key,
* presumably from a record established out of band. How that key is made known to verifiers is
* not described in this file; confirm before relying on these attestations.
*/
DEVICE_UNIQUE_ATTESTATION = TagType:BOOL | 720,
/**
* IDENTITY_CREDENTIAL_KEY is never used by IKeymasterDevice, is not a valid argument to key
* generation or any operation, is never returned by any method and is never used in a key
* attestation. It is used in attestations produced by the IIdentityCredential HAL when that
* HAL attests to Credential Keys. IIdentityCredential produces Keymaster-style attestations.
*
* NOTE(review): since IKeymasterDevice never emits this tag, its presence presumably lets a
* verifier tell an IIdentityCredential attestation apart from a Keymaster key attestation;
* confirm against the IIdentityCredential HAL documentation.
*/
IDENTITY_CREDENTIAL_KEY = TagType:BOOL | 721,
/**
* To prevent keys from being compromised if an attacker acquires read access to system / kernel
* memory, some inline encryption hardware supports protecting storage encryption keys in hardware
* without software having access to, or the ability to set, the plaintext keys. Instead, software
* only sees a wrapped version of these keys.
*
* STORAGE_KEY is used to denote that a key generated or imported is a key used for storage
* encryption. Keys of this type can be generated, imported, or secure-imported using keymaster.
* exportKey() can be used to re-wrap a storage key with a per-boot ephemeral key (producing an
* ephemerally wrapped key) once the key characteristics are enforced.
*
* Keys with this tag cannot be used for any operation within keymaster.
* ErrorCode::INVALID_OPERATION is returned when a key with Tag::STORAGE_KEY is provided to
* begin().
*
* NOTE(review): ErrorCode::STORAGE_KEY_UNSUPPORTED is declared in this file, presumably for
* implementations without storage-key support; the condition is not stated here, so confirm.
*/
STORAGE_KEY = TagType:BOOL | 722,
};
/**
* Keymaster 4.1 additions to the @4.0::ErrorCode enumeration.
*
* Only INVALID_OPERATION has its return condition stated in this file (in the Tag::STORAGE_KEY
* documentation). The notes on the other values are assumptions drawn from their names and must
* be confirmed against the IKeymasterDevice documentation.
*/
enum ErrorCode : @4.0::ErrorCode {
/**
* NOTE(review): presumably related to Tag::EARLY_BOOT_ONLY and
* IKeymasterDevice::earlyBootEnded(); exact condition not stated in this file. TODO confirm.
*/
EARLY_BOOT_ENDED = -73,
/**
* NOTE(review): presumably signals that attestation was requested but no attestation key has
* been provisioned. TODO confirm.
*/
ATTESTATION_KEYS_NOT_PROVISIONED = -74,
/**
* NOTE(review): presumably signals that ID attestation was requested but the attestation IDs
* have not been provisioned. TODO confirm.
*/
ATTESTATION_IDS_NOT_PROVISIONED = -75,
/**
* Returned when a key with Tag::STORAGE_KEY is provided to begin(); such keys cannot be used
* for any operation within keymaster.
*/
INVALID_OPERATION = -76,
/**
* NOTE(review): presumably returned when Tag::STORAGE_KEY is requested from an implementation
* that does not support storage keys. TODO confirm.
*/
STORAGE_KEY_UNSUPPORTED = -77,
};