diff --git a/core/java/android/security/IKeystoreService.aidl b/core/java/android/security/IKeystoreService.aidl
index 42282ac2858b1..57477f580a425 100644
--- a/core/java/android/security/IKeystoreService.aidl
+++ b/core/java/android/security/IKeystoreService.aidl
@@ -56,7 +56,7 @@ interface IKeystoreService {
     int clear_uid(long uid);
 
     // Keymaster 0.4 methods
-    int addRngEntropy(in byte[] data);
+    int addRngEntropy(in byte[] data, int flags);
     int generateKey(String alias, in KeymasterArguments arguments, in byte[] entropy, int uid,
         int flags, out KeyCharacteristics characteristics);
     int getKeyCharacteristics(String alias, in KeymasterBlob clientId, in KeymasterBlob appId,
@@ -78,4 +78,8 @@ interface IKeystoreService {
     int attestKey(String alias, in KeymasterArguments params, out KeymasterCertificateChain chain);
     int attestDeviceIds(in KeymasterArguments params, out KeymasterCertificateChain chain);
     int onDeviceOffBody();
+    int importWrappedKey(in String wrappedKeyAlias, in byte[] wrappedKey,
+        in String wrappingKeyAlias, in byte[] maskingKey, in KeymasterArguments arguments,
+        in long rootSid, in long fingerprintSid,
+        out KeyCharacteristics characteristics);
 }
diff --git a/keystore/java/android/security/KeyStore.java b/keystore/java/android/security/KeyStore.java
index 399dddd71a2ae..fabcdf008c470 100644
--- a/keystore/java/android/security/KeyStore.java
+++ b/keystore/java/android/security/KeyStore.java
@@ -94,6 +94,16 @@ public class KeyStore {
      */
     public static final int FLAG_ENCRYPTED = 1;
 
+    /**
+     * Select Software keymaster device, which as of this writing is the lowest security
+     * level available on an android device. If neither FLAG_STRONGBOX nor FLAG_SOFTWARE is provided
+     * A TEE based keymaster implementation is implied.
+     *
+     * Need to be in sync with KeyStoreFlag in system/security/keystore/include/keystore/keystore.h
+     * For historical reasons this corresponds to the KEYSTORE_FLAG_FALLBACK flag.
+     */
+    public static final int FLAG_SOFTWARE = 1 << 1;
+
     /**
      * A private flag that's only available to system server to indicate that this key is part of
      * device encryption flow so it receives special treatment from keystore. For example this key
@@ -104,6 +114,16 @@ public class KeyStore {
      */
     public static final int FLAG_CRITICAL_TO_DEVICE_ENCRYPTION = 1 << 3;
 
+    /**
+     * Select Strongbox keymaster device, which as of this writing the the highest security level
+     * available an android devices. If neither FLAG_STRONGBOX nor FLAG_SOFTWARE is provided
+     * A TEE based keymaster implementation is implied.
+     *
+     * Need to be in sync with KeyStoreFlag in system/security/keystore/include/keystore/keystore.h
+     */
+    public static final int FLAG_STRONGBOX = 1 << 4;
+
+
     // States
     public enum State { UNLOCKED, LOCKED, UNINITIALIZED };
 
@@ -440,9 +460,9 @@ public class KeyStore {
         return mError;
     }
 
-    public boolean addRngEntropy(byte[] data) {
+    public boolean addRngEntropy(byte[] data, int flags) {
         try {
-            return mBinder.addRngEntropy(data) == NO_ERROR;
+            return mBinder.addRngEntropy(data, flags) == NO_ERROR;
         } catch (RemoteException e) {
             Log.w(TAG, "Cannot connect to keystore", e);
             return false;