Merge changes from topics "wrapped_key_import", "keystore_seclevels"

* changes: Add importWrappedKey to IKeystoreService.aidl Keystore: Use security levels
2017-12-28 02:16:55 +00:00
parent 43fce46bcd 03dd82792e
commit 7b27036950
2 changed files with 27 additions and 3 deletions
--- a/core/java/android/security/IKeystoreService.aidl
+++ b/core/java/android/security/IKeystoreService.aidl
@@ -56,7 +56,7 @@ interface IKeystoreService {
    int clear_uid(long uid);

    // Keymaster 0.4 methods
-    int addRngEntropy(in byte[] data);
+    int addRngEntropy(in byte[] data, int flags);
    int generateKey(String alias, in KeymasterArguments arguments, in byte[] entropy, int uid,
        int flags, out KeyCharacteristics characteristics);
    int getKeyCharacteristics(String alias, in KeymasterBlob clientId, in KeymasterBlob appId,
@@ -78,4 +78,8 @@ interface IKeystoreService {
    int attestKey(String alias, in KeymasterArguments params, out KeymasterCertificateChain chain);
    int attestDeviceIds(in KeymasterArguments params, out KeymasterCertificateChain chain);
    int onDeviceOffBody();
+    int importWrappedKey(in String wrappedKeyAlias, in byte[] wrappedKey,
+        in String wrappingKeyAlias, in byte[] maskingKey, in KeymasterArguments arguments,
+        in long rootSid, in long fingerprintSid,
+        out KeyCharacteristics characteristics);
 }
--- a/keystore/java/android/security/KeyStore.java
+++ b/keystore/java/android/security/KeyStore.java
@@ -94,6 +94,16 @@ public class KeyStore {
     */
    public static final int FLAG_ENCRYPTED = 1;

+    /**
+     * Select Software keymaster device, which as of this writing is the lowest security
+     * level available on an android device. If neither FLAG_STRONGBOX nor FLAG_SOFTWARE is provided
+     * A TEE based keymaster implementation is implied.
+     *
+     * Need to be in sync with KeyStoreFlag in system/security/keystore/include/keystore/keystore.h
+     * For historical reasons this corresponds to the KEYSTORE_FLAG_FALLBACK flag.
+     */
+    public static final int FLAG_SOFTWARE = 1 << 1;
+
    /**
     * A private flag that's only available to system server to indicate that this key is part of
     * device encryption flow so it receives special treatment from keystore. For example this key
@@ -104,6 +114,16 @@ public class KeyStore {
     */
    public static final int FLAG_CRITICAL_TO_DEVICE_ENCRYPTION = 1 << 3;

+    /**
+     * Select Strongbox keymaster device, which as of this writing the the highest security level
+     * available an android devices. If neither FLAG_STRONGBOX nor FLAG_SOFTWARE is provided
+     * A TEE based keymaster implementation is implied.
+     *
+     * Need to be in sync with KeyStoreFlag in system/security/keystore/include/keystore/keystore.h
+     */
+    public static final int FLAG_STRONGBOX = 1 << 4;
+
+
    // States
    public enum State { UNLOCKED, LOCKED, UNINITIALIZED };

@@ -440,9 +460,9 @@ public class KeyStore {
        return mError;
    }

-    public boolean addRngEntropy(byte[] data) {
+    public boolean addRngEntropy(byte[] data, int flags) {
        try {
-            return mBinder.addRngEntropy(data) == NO_ERROR;
+            return mBinder.addRngEntropy(data, flags) == NO_ERROR;
        } catch (RemoteException e) {
            Log.w(TAG, "Cannot connect to keystore", e);
            return false;