From 0aadf935cbaa0a0f3b1570e162790fd04cbef530 Mon Sep 17 00:00:00 2001 From: Janis Danisevskis Date: Mon, 18 Dec 2017 17:28:52 -0800 Subject: [PATCH 1/2] Keystore: Use security levels In anticipation of the availability of Keymaster implementations with multiple security levels this patch adds the additional keystore flags FLAG_SOFTWARE and FLAG_STROGBOX. Also, the IKeystore method addRngEntropy got a new flags parameter for the caller to express which implementation shall be awarded the precious entropy. Test: Keystore CTS tests Bug: 63931634 Change-Id: I4a4eafbdbe1290f0c7bd2bfa2ce3e5fbb06c2dd8
---
 .../android/security/IKeystoreService.aidl | 2 +- keystore/java/android/security/KeyStore.java | 24 +++++++++++++++++-- 2 files changed, 23 insertions(+), 3 deletions(-)
diff --git a/core/java/android/security/IKeystoreService.aidl b/core/java/android/security/IKeystoreService.aidl
index 42282ac2858b1..79e77b9b852bb 100644
--- a/core/java/android/security/IKeystoreService.aidl
+++ b/core/java/android/security/IKeystoreService.aidl
@@ -56,7 +56,7 @@ interface IKeystoreService {
 int clear_uid(long uid);
 // Keymaster 0.4 methods
- int addRngEntropy(in byte[] data);
+ int addRngEntropy(in byte[] data, int flags);
 int generateKey(String alias, in KeymasterArguments arguments, in byte[] entropy, int uid, int flags, out KeyCharacteristics characteristics);
 int getKeyCharacteristics(String alias, in KeymasterBlob clientId, in KeymasterBlob appId,
diff --git a/keystore/java/android/security/KeyStore.java b/keystore/java/android/security/KeyStore.java
index 399dddd71a2ae..fabcdf008c470 100644
--- a/keystore/java/android/security/KeyStore.java
+++ b/keystore/java/android/security/KeyStore.java
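Review bot: The new `flags` argument on `addRngEntropy` is neither documented nor constrained in this patch, either here in the AIDL or in the `KeyStore.addRngEntropy` wrapper (third KeyStore.java hunk), which forwards the value unchanged. Nothing on the page says which bits are meaningful for entropy routing, so a caller can pass `FLAG_ENCRYPTED`, `FLAG_CRITICAL_TO_DEVICE_ENCRYPTION`, or both level bits at once, and how the service treats those values is not visible here. I would add a comment on the AIDL method such as `// flags: 0 (TEE), KeyStore.FLAG_SOFTWARE or KeyStore.FLAG_STRONGBOX`, if that is the intended contract, and confirm that the service rejects anything else instead of silently picking a default. Because this changes the signature of an existing binder method, the service side of IKeystoreService has to change in the same step; that side is outside this patch.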
@@ -94,6 +94,16 @@ public class KeyStore {
 */
 public static final int FLAG_ENCRYPTED = 1;
+ /**
+ * Select Software keymaster device, which as of this writing is the lowest security
+ * level available on an android device. If neither FLAG_STRONGBOX nor FLAG_SOFTWARE is provided
+ * A TEE based keymaster implementation is implied.
+ *
+ * Need to be in sync with KeyStoreFlag in system/security/keystore/include/keystore/keystore.h
+ * For historical reasons this corresponds to the KEYSTORE_FLAG_FALLBACK flag.
+ */
+ public static final int FLAG_SOFTWARE = 1 << 1;
+
 /**
 * A private flag that's only available to system server to indicate that this key is part of
 * device encryption flow so it receives special treatment from keystore. For example this key
@@ -104,6 +114,16 @@ public class KeyStore {
 */
 public static final int FLAG_CRITICAL_TO_DEVICE_ENCRYPTION = 1 << 3;
+ /**
+ * Select Strongbox keymaster device, which as of this writing the the highest security level
+ * available an android devices. If neither FLAG_STRONGBOX nor FLAG_SOFTWARE is provided
+ * A TEE based keymaster implementation is implied.
+ *
+ * Need to be in sync with KeyStoreFlag in system/security/keystore/include/keystore/keystore.h
+ */
+ public static final int FLAG_STRONGBOX = 1 << 4;
+
+
 // States
 public enum State { UNLOCKED, LOCKED, UNINITIALIZED };
@@ -440,9 +460,9 @@ public class KeyStore {
 return mError;
 }
- public boolean addRngEntropy(byte[] data) {
+ public boolean addRngEntropy(byte[] data, int flags) {
 try {
- return mBinder.addRngEntropy(data) == NO_ERROR;
+ return mBinder.addRngEntropy(data, flags) == NO_ERROR;
 } catch (RemoteException e) {
 Log.w(TAG, "Cannot connect to keystore", e);
 return false;
From 03dd82792e41ed76602ca5f2ea32446da741c737 Mon Sep 17 00:00:00 2001
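Review bot: The Javadoc for `FLAG_SOFTWARE` (and for `FLAG_STRONGBOX` in the next hunk) defines the case where neither bit is set but not the case where both are, and since the two are independent bits, `FLAG_SOFTWARE | FLAG_STRONGBOX` is a representable value. If the service were to resolve that combination towards the software device, a caller that asked for StrongBox would end up at the lowest security level without an error; how the service actually resolves it is not shown in this patch, so please confirm. I would state the contract in both comments, for example `* Must not be combined with {@link #FLAG_STRONGBOX}; requests setting both are rejected.`, once the service behaviour matches. The comment also says this bit corresponds to KEYSTORE_FLAG_FALLBACK, so it is worth checking whether any existing caller already sets bit 1 with the fallback meaning, because it would now read as an explicit request for the software device.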
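Review bot: The `FLAG_STRONGBOX` Javadoc has wording slips in its first two lines ("the the highest", "available an android devices") that make the security-level statement hard to read. Suggested text: `* Select Strongbox keymaster device, which as of this writing is the highest security level` followed by `* available on an android device. If neither FLAG_STRONGBOX nor FLAG_SOFTWARE is provided`. The capitalised "A TEE based" after "is provided" appears in both new comments, this hunk adds two blank lines before `// States` where one would do, and the commit message spells the flag `FLAG_STROGBOX`.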
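Review bot: `addRngEntropy(byte[])` is replaced rather than overloaded, and the diffstat for this patch lists only IKeystoreService.aidl and KeyStore.java, so any existing caller of the one-argument form is left unconverted by this change. If such callers exist (not visible here), either convert them in the same change or keep a delegating overload such as `public boolean addRngEntropy(byte[] data) { return addRngEntropy(data, 0); }`, where 0 implies the TEE device per the flag Javadoc. Converting the callers explicitly is the better outcome, since each one then states which keymaster it intends to feed. The method body continues outside the hunk.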
From: Janis Danisevskis Date: Tue, 19 Dec 2017 16:29:45 -0800 Subject: [PATCH 2/2] Add importWrappedKey to IKeystoreService.aidl Test: pending Bug: 63931634 Change-Id: If7fde024f9388bd85045902761d8fa7bf1c42e7d
---
 core/java/android/security/IKeystoreService.aidl | 4 ++++ 1 file changed, 4 insertions(+)
diff --git a/core/java/android/security/IKeystoreService.aidl b/core/java/android/security/IKeystoreService.aidl
index 79e77b9b852bb..57477f580a425 100644
--- a/core/java/android/security/IKeystoreService.aidl
+++ b/core/java/android/security/IKeystoreService.aidl
@@ -78,4 +78,8 @@ interface IKeystoreService {
 int attestKey(String alias, in KeymasterArguments params, out KeymasterCertificateChain chain);
 int attestDeviceIds(in KeymasterArguments params, out KeymasterCertificateChain chain);
 int onDeviceOffBody();
+ int importWrappedKey(in String wrappedKeyAlias, in byte[] wrappedKey,
+ in String wrappingKeyAlias, in byte[] maskingKey, in KeymasterArguments arguments,
+ in long rootSid, in long fingerprintSid,
+ out KeyCharacteristics characteristics);
 }
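Review bot: `importWrappedKey` takes neither a `uid` nor a `flags` argument, unlike `generateKey` earlier in this interface (`int uid, int flags`), so the caller cannot state which security level the unwrapped key should land in or which uid it is stored under. Since patch 1/2 introduces `FLAG_SOFTWARE` and `FLAG_STRONGBOX` for exactly that selection, please confirm whether the level is meant to follow the wrapping key; if so, say it in a comment on the method, otherwise add the parameters before the signature is relied upon. `maskingKey`, `rootSid` and `fingerprintSid` are undocumented and the commit says `Test: pending`, so the authorization expectations for the wrapping key cannot be reviewed from this patch. Minor style: the rest of the file writes `String alias` and `long uid` without the redundant `in`.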