author | Xin Li <delphij@google.com> | 2024-01-17 22:13:55 -0800 |
---|---|---|
committer | Xin Li <delphij@google.com> | 2024-01-17 22:13:55 -0800 |
commit | b10481fa1e700cf4715bf262d4bfb364bbff0ef3 (patch) | |
tree | 02c02738ec837576e81b8715ec8abb6552bba8f7 | |
parent | b7becf5397e41ea243f508a39b7152126fcdd47a (diff) | |
parent | 714c84a9225098abc2895d210bd4d56112802416 (diff) | |
download | generic-b10481fa1e700cf4715bf262d4bfb364bbff0ef3.tar.gz |
Merge Android 24Q1 Release (ab/11220357)temp_319669529
Bug: 319669529
Merged-In: I76db301a3b41e8735576fcfdbf2156b27c8349d1
Change-Id: Ia5632ff284dfd3993ba39d97a3b34a7d940898ea
-rw-r--r-- | OWNERS | 4 | ||||
-rw-r--r-- | nugget/include/app_nugget.h | 23 | ||||
-rw-r--r-- | nugget/include/feature_map.h | 8 | ||||
-rw-r--r-- | nugget/proto/nugget/app/keymaster/ctdl/Android.bp | 75 | ||||
-rw-r--r-- | nugget/proto/nugget/app/keymaster/ctdl/keymaster.options | 21 | ||||
-rw-r--r-- | nugget/proto/nugget/app/keymaster/ctdl/keymaster.proto | 658 | ||||
-rw-r--r-- | nugget/proto/nugget/app/keymaster/ctdl/keymaster_defs.proto | 340 | ||||
-rw-r--r-- | nugget/proto/nugget/app/keymaster/ctdl/keymaster_types.options | 12 | ||||
-rw-r--r-- | nugget/proto/nugget/app/keymaster/ctdl/keymaster_types.proto | 136 | ||||
-rw-r--r-- | nugget/proto/nugget/app/keymaster/keymaster_types.options | 2 |
10 files changed, 1273 insertions, 6 deletions
@@ -2,6 +2,6 @@
 # or people with more than 10 commits last year.
 # Please update this list if you find better owner candidates.
 wfrichar@google.com
+tommychiu@google.com
+zhakevin@google.com
 kroot@google.com
-dybertwang@google.com
-byi@google.com
diff --git a/nugget/include/app_nugget.h b/nugget/include/app_nugget.h
index 8852b18..49ca2de 100644
--- a/nugget/include/app_nugget.h
+++ b/nugget/include/app_nugget.h
@@ -462,10 +462,27 @@ struct gsa_gsc_psk_persist_storage {
 /*
 * GSA key provision command
 *
- * @param args gsa unique public key
+ * We use the same command id to support multiple GSA-GSC PSK
+ * provision handshaking. List possible args and reply usage by
+ * each case.
+ *
+ * Non-secure PSK provision case:
+ * @param args GSA-GSC PSK (plaintext)
 * @param arg_len 32
- * @param reply gsc public key + sha256(pre-shared key)
- * @param reply_len 64 + 32
+ * @param reply GSA-GSC PSK (plaintext)
+ * @param reply_len 32
+ *
+ * Ephemeral ec key handshaking case:
+ * @param args GSA public key
+ * @param arg_len 64
+ * @param reply GSC public key + signature
+ * @param reply_len 64 + 64
+ *
+ * Secure PSK provision case:
+ * @param args encrypted GSA-GSC PSK (nonce + PSK + tag)
+ * @param arg_len 12 + 32 + 16
+ * @param reply <none>
+ * @param reply_len 0
 */

 /**
diff --git a/nugget/include/feature_map.h b/nugget/include/feature_map.h
index 141b52d..7ff697b 100644
--- a/nugget/include/feature_map.h
+++ b/nugget/include/feature_map.h
@@ -50,6 +50,14 @@ enum km_feature_list {
 km_feature_max = FEATURE_MASK, // 24-bit FEATURE_FIELD
 };

+enum nugget_feature_list {
+ nugget_feature_test_image = 0,
+
+ /* Please do not change numbers after they've been released */
+
+ nugget_feature_max = FEATURE_MASK, // 24-bit FEATURE_FIELD
+};
+
 enum weaver_feature_list {
 weaver_feature_api_no_proto = 0,

diff --git a/nugget/proto/nugget/app/keymaster/ctdl/Android.bp b/nugget/proto/nugget/app/keymaster/ctdl/Android.bp
new file mode 100644
index 0000000..480cceb
--- /dev/null
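Review bot: The rewritten "GSA key provision command" comment lists three cases behind one command id but does not say how the handler tells them apart, nor when the non-secure case is accepted. From the lengths given (32, 64, and 12 + 32 + 16 = 60) arg_len looks like the only discriminator; if that matches the handler, say so in the comment, for example ` * The case is selected by arg_len; any other length is rejected.` Because the non-secure case carries the PSK in plaintext in both args and reply, the comment should also name the device state in which that case is permitted and state that it is refused otherwise. The command definition this comment documents lies outside the hunk, so the dispatch itself cannot be checked here.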
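Review bot: `nugget_feature_test_image` in the new `enum nugget_feature_list` has no comment saying what a set bit reports or which host component is expected to act on it. A flag that marks an image as a test build is something callers may gate trust decisions on, so a one-line comment above the enumerator describing its meaning and intended consumer would prevent it from being read as informational only. The existing "Please do not change numbers" remark covers numbering, not semantics.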
+++ b/nugget/proto/nugget/app/keymaster/ctdl/Android.bp 
@@ -0,0 +1,75 @@
+//
+// Copyright (C) 2017 The Android Open Source Project
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+//
+
+package {
+ // See: http://go/android-license-faq
+ // A large-scale-change added 'default_applicable_licenses' to import
+ // all of the 'license_kinds' from "external_nos_host_generic_license"
+ // to get the below license kinds:
+ // SPDX-license-identifier-Apache-2.0
+ default_applicable_licenses: ["external_nos_host_generic_license"],
+}
+
+// For keymaster 3/4/4.1 @ citadel
+genrule {
+ name: "nos_app_keymaster_service_ctdl_genc++",
+ out: ["Keymaster.client.cpp"],
+ srcs: [
+ "keymaster.proto",
+ "keymaster_defs.proto",
+ "keymaster_types.proto",
+ ":nugget_options_proto",
+ ":libprotobuf-internal-protos",
+ ],
+ tools: ["aprotoc", "protoc-gen-nos-client-cpp"],
+ cmd: GEN_SERVICE_SOURCE,
+}
+
+genrule {
+ name: "nos_app_keymaster_service_ctdl_genc++_headers",
+ out: ["Keymaster.client.h"],
+ srcs: [
+ "keymaster.proto",
+ "keymaster_defs.proto",
+ "keymaster_types.proto",
+ ":nugget_options_proto",
+ ":libprotobuf-internal-protos",
+ ],
+ tools: ["aprotoc", "protoc-gen-nos-client-cpp"],
+ cmd: GEN_SERVICE_HEADER,
+}
+
+genrule {
+ name: "nos_app_keymaster_service_ctdl_genc++_mock",
+ out: ["MockKeymaster.client.h"],
+ srcs: [
+ "keymaster.proto",
+ "keymaster_defs.proto",
+ "keymaster_types.proto",
+ ":nugget_options_proto",
+ ":libprotobuf-internal-protos",
+ ],
+ tools: ["aprotoc", "protoc-gen-nos-client-cpp"],
+ cmd: GEN_SERVICE_MOCK,
+}
+
+cc_library {
+ name: "nos_app_keymaster_ctdl",
+ generated_sources: ["nos_app_keymaster_service_ctdl_genc++"],
+ generated_headers: ["nos_app_keymaster_service_ctdl_genc++_headers"],
+ defaults: ["nos_app_service_defaults"],
+ export_generated_headers: ["nos_app_keymaster_service_ctdl_genc++_headers"],
+}
diff --git a/nugget/proto/nugget/app/keymaster/ctdl/keymaster.options b/nugget/proto/nugget/app/keymaster/ctdl/keymaster.options
new file mode 100644
index 0000000..daec677
--- /dev/null
+++ b/nugget/proto/nugget/app/keymaster/ctdl/keymaster.options
@@ -0,0 +1,21 @@
+nugget.app.keymaster.ctdl.ImportWrappedKeyRequest.initialization_vector max_size:12
+nugget.app.keymaster.ctdl.ImportWrappedKeyRequest.gcm_tag max_size:16
+nugget.app.keymaster.ctdl.ImportWrappedKeyRequest.masking_key max_size:32
+nugget.app.keymaster.ctdl.SetRootOfTrustRequest.digest max_size:32
+nugget.app.keymaster.ctdl.SetBootStateRequest.public_key max_size:32
+nugget.app.keymaster.ctdl.SetBootStateRequest.boot_hash max_size:32
+nugget.app.keymaster.ctdl.ComputeSharedHmacRequest.hmac_sharing_params max_count:10
+nugget.app.keymaster.ctdl.ComputeSharedHmacResponse.sharing_check max_size:32
+nugget.app.keymaster.ctdl.DTupHandshakeRequest.nonce_client max_size:32
+nugget.app.keymaster.ctdl.DTupHandshakeResponse.nonce_citadel max_size:32
+nugget.app.keymaster.ctdl.DTupHandshakeResponse.signature max_size:32
+nugget.app.keymaster.ctdl.DTupFetchInputEventResponse.signature max_size:32
+nugget.app.keymaster.ctdl.GetBootInfoResponse.boot_key max_size:32
+nugget.app.keymaster.ctdl.GetBootInfoResponse.boot_hash max_size:32
+nugget.app.keymaster.ctdl.ProvisionPresharedSecretRequest.preshared_secret max_size:32
+nugget.app.keymaster.ctdl.StartAttestKeyRequest.not_before max_size:15
+nugget.app.keymaster.ctdl.StartAttestKeyRequest.not_after max_size:15
+nugget.app.keymaster.ctdl.StartAttestKeyRequest.caller_issuer_subj_name max_size:100
+nugget.app.keymaster.ctdl.ProvisionPresharedSecretResponse.digest max_size:32
+nugget.app.keymaster.ctdl.ProvisionCertificatesRequest.cert_block max_size: 1024
+nugget.app.keymaster.ctdl.ProvisionCertificatesRequest.digest max_size: 32
diff --git a/nugget/proto/nugget/app/keymaster/ctdl/keymaster.proto b/nugget/proto/nugget/app/keymaster/ctdl/keymaster.proto
new file mode 100644
index 0000000..49f18b1
--- /dev/null
+++ b/nugget/proto/nugget/app/keymaster/ctdl/keymaster.proto
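Review bot: `IdentityStartAttestKeyRequest.not_before`, `.not_after` and `.caller_issuer_subj_name` get no size cap in this file, although the same three fields of `StartAttestKeyRequest` are capped at 15, 15 and 100 and keymaster.proto documents the Identity time fields as 15 octets too. If the omission is not deliberate, add `nugget.app.keymaster.ctdl.IdentityStartAttestKeyRequest.not_before max_size:15` and the two matching lines. Separately, `max_size` is an upper bound only, so the fields that keymaster.proto describes as SHA256 digests or fixed sized arrays (for example `SetRootOfTrustRequest.digest`, `ImportWrappedKeyRequest.gcm_tag`) still need an exact-length check in the receiving handler, which is not visible on this page. The last two entries also write `max_size: 1024` and `max_size: 32` with a space where every other line has none.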
@@ -0,0 +1,658 @@
+/*
+ * Copyright (C) 2017 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+syntax = "proto3";
+
+package nugget.app.keymaster.ctdl;
+
+import "nugget/app/keymaster/ctdl/keymaster_defs.proto";
+import "nugget/app/keymaster/ctdl/keymaster_types.proto";
+import "nugget/protobuf/options.proto";
+
+/*
+ * Keymaster service methods.
+ *
+ * TODO: some methods may be implemented in the host side HAL implementation.
+ */
+service Keymaster {
+ option (nugget.protobuf.app_id) = "KEYMASTER";
+ option (nugget.protobuf.app_name) = "Keymaster";
+ option (nugget.protobuf.app_version) = 1;
+ /*
+ * Both request and response buffers are sized such
+ * that a key-blob may be fully contained.
+ *
+ * TODO: revisit this choice in the event that memory
+ * is running out. Supporting smaller buffers will
+ * require that the keymaster app switch from the
+ * transport API to the datagram API.
+ */
+ option (nugget.protobuf.request_buffer_size) = 3072;
+ option (nugget.protobuf.response_buffer_size) = 2048;
+
+ /*
+ * KM3 methods, from:
+ * ::android::hardware::keymaster::V3_0::IKeymasterDevice
+ */
+ rpc AddRngEntropy (AddRngEntropyRequest) returns (AddRngEntropyResponse);
+ rpc GenerateKey (GenerateKeyRequest) returns (GenerateKeyResponse);
+ rpc GetKeyCharacteristics (GetKeyCharacteristicsRequest) returns (GetKeyCharacteristicsResponse);
+ rpc ImportKey (ImportKeyRequest) returns (ImportKeyResponse);
+ rpc ExportKey (ExportKeyRequest) returns (ExportKeyResponse);
+ rpc StartAttestKey (StartAttestKeyRequest) returns (StartAttestKeyResponse);
+ rpc UpgradeKey (UpgradeKeyRequest) returns (UpgradeKeyResponse);
+ rpc DeleteKey (DeleteKeyRequest) returns (DeleteKeyResponse);
+ rpc DeleteAllKeys (DeleteAllKeysRequest) returns (DeleteAllKeysResponse);
+ rpc DestroyAttestationIds (DestroyAttestationIdsRequest) returns (DestroyAttestationIdsResponse);
+ rpc BeginOperation (BeginOperationRequest) returns (BeginOperationResponse);
+ rpc UpdateOperation (UpdateOperationRequest) returns (UpdateOperationResponse);
+ rpc FinishOperation (FinishOperationRequest) returns (FinishOperationResponse);
+ rpc AbortOperation (AbortOperationRequest) returns (AbortOperationResponse);
+
+ /*
+ * KM4 methods.
+ */
+ rpc ImportWrappedKey (ImportWrappedKeyRequest) returns (ImportKeyResponse);
+
+ /*
+ * Vendor specific methods (bootloader, manufacturing, status,
+ * factory reset, upgrade).
+ */
+ // Only callable by the Bootloader.
+ rpc SetRootOfTrust (SetRootOfTrustRequest) returns (SetRootOfTrustResponse);
+ // Only callable by the Bootloader.
+ rpc SetBootState (SetBootStateRequest) returns (SetBootStateResponse);
+ // Only callable at the Device Factory.
+ rpc ProvisionDeviceIds (ProvisionDeviceIdsRequest) returns (ProvisionDeviceIdsResponse);
+ // Only callable at the Device Factory.
+ rpc ReadTeeBatchCertificate (ReadTeeBatchCertificateRequest) returns (ReadTeeBatchCertificateResponse);
+
+ /*
+ * More KM4 methods.
+ */
+ rpc GetHmacSharingParameters (GetHmacSharingParametersRequest) returns (GetHmacSharingParametersResponse);
+ rpc ComputeSharedHmac (ComputeSharedHmacRequest) returns (ComputeSharedHmacResponse);
+
+ /*
+ * DTup input session methods.
+ */
+ rpc HandshakeDTup (DTupHandshakeRequest) returns (DTupHandshakeResponse);
+ rpc FetchDTupInputEvent (DTupFetchInputEventRequest) returns (DTupFetchInputEventResponse);
+
+ /*
+ * More vendor specific methods.
+ */
+ // Only callable once per boot.
+ rpc SetSystemVersionInfo (SetSystemVersionInfoRequest) returns (SetSystemVersionInfoResponse);
+ rpc GetBootInfo (GetBootInfoRequest) returns (GetBootInfoResponse);
+
+ /*
+ * Called during provisioning by the CitadelProvision tool.
+ */
+ rpc ProvisionPresharedSecret (ProvisionPresharedSecretRequest) returns (ProvisionPresharedSecretResponse);
+
+ /*
+ * Additional attestation methods.
+ */
+ rpc ContinueAttestKey(ContinueAttestKeyRequest) returns (ContinueAttestKeyResponse);
+ rpc FinishAttestKey(FinishAttestKeyRequest) returns (FinishAttestKeyResponse);
+
+ /*
+ * More vendor specific methods.
+ */
+ rpc ProvisionCertificates(ProvisionCertificatesRequest) returns (ProvisionCertificatesResponse);
+
+ /*
+ * KM4.1 methods.
+ */
+ rpc DeviceLocked(DeviceLockedRequest) returns (DeviceLockedResponse);
+ rpc EarlyBootEnded(EarlyBootEndedRequest) returns (EarlyBootEndedResponse);
+
+ /*
+ * More vendor specific methods.
+ */
+ rpc ReadCertificate(ReadCertificateRequest) returns (ReadCertificateResponse);
+ rpc IdentityStartAttestKey (IdentityStartAttestKeyRequest) returns (IdentityStartAttestKeyResponse);
+ rpc IdentityFinishAttestKey (IdentityFinishAttestKeyRequest) returns (IdentityFinishAttestKeyResponse);
+
+ /*
+ * Resume-on-Reboot implementation.
+ */
+ rpc VigoReadVS(VigoReadVSRequest) returns (VigoReadVSResponse);
+ rpc VigoStartChannel(VigoStartChannelRequest)
+ returns (VigoStartChannelResponse);
+ rpc VigoStoreSecret(VigoStoreSecretRequest) returns (VigoStoreSecretResponse);
+ rpc VigoReleaseSecret(VigoReleaseSecretRequest)
+ returns (VigoReleaseSecretResponse);
+
+ /*
+ * pKVM implementation
+ */
+ rpc GetPerFactoryResetValue(GetPerFactoryResetValueRequest) returns (GetPerFactoryResetValueResponse);
+
+ /*
+ * RKP implementation
+ */
+ rpc GenerateRkpKey(GenerateRkpKeyRequest) returns (GenerateRkpKeyResponse);
+ rpc GenerateRkpCsr(GenerateRkpCsrRequest) returns (GenerateRkpCsrResponse);
+
+ /*
+ * Vendor specific method. To export IMEI/DSU to trusty only
+ */
+ rpc ExportDeviceIds(ExportDeviceIdsRequest) returns (ExportDeviceIdsResponse);
+
+ /*
+ * RKP v3 implementation
+ */
+ rpc GenerateRkpCsrV2(GenerateRkpCsrV2Request) returns (GenerateRkpCsrV2Response);
+ // These are implemented with a enum, so new RPCs must be appended, and
+ // deprecated RPCs need placeholders.
+}
+
+/*
+ * KM3 messages.
+ */
+
+// AddEntropy
+message AddRngEntropyRequest {
+ bytes data = 1;
+}
+message AddRngEntropyResponse {
+ ErrorCode error_code = 1;
+}
+
+// GenerateKey
+message GenerateKeyRequest {
+ KeyParameters params = 1;
+ uint64 creation_time_ms = 2; // Rough current time (ms since epoch).
+}
+message GenerateKeyResponse {
+ ErrorCode error_code = 1;
+ KeyBlob blob = 2;
+ KeyCharacteristics characteristics = 3;
+}
+
+// GetKeyCharacteristics
+message GetKeyCharacteristicsRequest {
+ KeyBlob blob = 1;
+ bytes client_id = 2;
+ bytes app_data = 3;
+}
+message GetKeyCharacteristicsResponse {
+ ErrorCode error_code = 1;
+ KeyCharacteristics characteristics = 2;
+}
+
+// ImportKey
+message ImportKeyRequest {
+ KeyParameters params = 1;
+ RSAKey rsa = 2;
+ ECKey ec = 3;
+ SymmetricKey symmetric_key = 4;
+ uint64 creation_time_ms = 5; // Rough current time (ms since epoch).
+};
+message ImportKeyResponse {
+ ErrorCode error_code = 1;
+ KeyBlob blob = 2;
+ KeyCharacteristics characteristics = 3;
+};
+
+// ExportKey
+message ExportKeyRequest {
+ KeyFormat format = 1;
+ KeyBlob blob = 2;
+ bytes client_id = 3;
+ bytes app_data = 4;
+};
+message ExportKeyResponse {
+ ErrorCode error_code = 1;
+ Algorithm algorithm = 2;
+ RSAKey rsa = 3;
+ ECKey ec = 4;
+};
+
+// StartAttestKey
+message StartAttestKeyRequest {
+ KeyBlob blob = 1;
+ KeyParameters params = 2;
+ uint32 attestation_app_id_len = 3;
+ AttestationSelector selector = 4;
+ bytes not_before = 5; // strftime('%Y%m%d%H%M%SZ') [15 octects]
+ bytes not_after = 6; // strftime('%Y%m%d%H%M%SZ') [15 octects]
+ bytes caller_issuer_subj_name = 7;
+ KeyParameters caller_key_params = 8;
+}
+message StartAttestKeyResponse {
+ ErrorCode error_code = 1;
+ OperationHandle handle = 2;
+ bytes certificate_prologue = 3;
+}
+
+// ContinueAttestKeyRequest
+message ContinueAttestKeyRequest {
+ OperationHandle handle = 1;
+ // bytes attestation_app_id = 2; // Unused, contained within params
+ KeyParameters params = 3;
+}
+message ContinueAttestKeyResponse {
+ ErrorCode error_code = 1;
+ bytes certificate_body = 2;
+}
+
+// FinishAttestKeyRequest
+message FinishAttestKeyRequest {
+ OperationHandle handle = 1;
+ KeyBlob caller_blob = 2;
+ KeyParameters caller_key_params = 3;
+}
+message FinishAttestKeyResponse {
+ ErrorCode error_code = 1;
+ bytes certificate_epilogue = 2;
+ ChipFusing chip_fusing = 3;
+ bool nodelocked_ro = 4;
+}
+
+// UpgradeKey
+message UpgradeKeyRequest {
+ KeyBlob blob = 1;
+ KeyParameters params = 2;
+}
+message UpgradeKeyResponse {
+ ErrorCode error_code = 1;
+ KeyBlob blob = 2;
+}
+
+// DeleteKey
+message DeleteKeyRequest {
+ KeyBlob blob = 1;
+}
+message DeleteKeyResponse {
+ ErrorCode error_code = 1;
+}
+
+// DeleteAllKeys
+message DeleteAllKeysRequest {}
+message DeleteAllKeysResponse {
+ ErrorCode error_code = 1;
+}
+
+// DestroyAttestationIds
+message DestroyAttestationIdsRequest {}
+message DestroyAttestationIdsResponse {
+ ErrorCode error_code = 1;
+}
+
+// BeginOperation
+message BeginOperationRequest {
+ KeyPurpose purpose = 1;
+ KeyBlob blob = 2;
+ KeyParameters params = 3;
+ HardwareAuthToken auth_token = 4;
+}
+message BeginOperationResponse {
+ ErrorCode error_code = 1;
+ KeyParameters params = 2;
+ OperationHandle handle = 3;
+ Algorithm algorithm = 4;
+ uint32 key_bits = 5;
+}
+
+// UpdateOperation
+message UpdateOperationRequest {
+ OperationHandle handle = 1;
+ KeyParameters params = 2;
+ bytes input = 3;
+ HardwareAuthToken auth_token = 4;
+ VerificationToken verification_token = 5;
+}
+message UpdateOperationResponse {
+ ErrorCode error_code = 1;
+ uint32 consumed = 2;
+ KeyParameters params = 3;
+ bytes output = 4;
+}
+
+// FinishOperation
+message FinishOperationRequest {
+ OperationHandle handle = 1;
+ KeyParameters params = 2;
+ bytes input = 3;
+ bytes signature = 4;
+ HardwareAuthToken auth_token = 5;
+ VerificationToken verification_token = 6;
+};
+message FinishOperationResponse {
+ ErrorCode error_code = 1;
+ KeyParameters params = 2;
+ bytes output = 3;
+};
+
+// AbortOperation
+message AbortOperationRequest {
+ OperationHandle handle = 1;
+};
+message AbortOperationResponse {
+ ErrorCode error_code = 1;
+};
+
+/*
+ * KM4 messages.
+ */
+
+// ImportWrappedKey
+message ImportWrappedKeyRequest {
+ uint32 key_format = 1;
+ KeyParameters params = 2;
+ bytes rsa_envelope = 3;
+ bytes initialization_vector = 4; // Fixed sized array.
+ bytes encrypted_import_key = 5;
+ bytes aad = 6;
+ bytes gcm_tag = 7; // Fixed sized array.
+ KeyBlob wrapping_key_blob = 8;
+ bytes masking_key = 9; // Fixed sized array.
+ uint64 creation_time_ms = 10; // Rough current time (ms since epoch).
+}
+// ImportWrappedKey returns a ImportKeyResponse.
+
+// GetHmacSharingParametersRequest
+message GetHmacSharingParametersRequest {
+}
+message GetHmacSharingParametersResponse {
+ ErrorCode error_code = 1;
+ HmacSharingParameters hmac_sharing_params = 2;
+}
+
+// ComputeSharedHmacRequest
+message ComputeSharedHmacRequest {
+ repeated HmacSharingParameters hmac_sharing_params = 1;
+}
+message ComputeSharedHmacResponse {
+ ErrorCode error_code = 1;
+ bytes sharing_check = 2;
+}
+
+// DeviceLockedRequest
+message DeviceLockedRequest {
+ bool password_only = 1;
+ VerificationToken verification_token = 2;
+}
+message DeviceLockedResponse {
+ ErrorCode error_code = 1;
+}
+
+// DeviceLockedRequest
+message EarlyBootEndedRequest {}
+message EarlyBootEndedResponse {
+ ErrorCode error_code = 1;
+}
+
+/*
+ * Vendor HAL.
+ */
+
+// SetRootOfTrustRequest
+// Only callable by the Bootloader.
+message SetRootOfTrustRequest {
+ bytes digest = 1; // This is a SHA256 digest.
+}
+message SetRootOfTrustResponse {
+ // Specified in keymaster_defs.proto:ErrorCode
+ ErrorCode error_code = 1;
+}
+
+// SetBootStateRequest
+// Only callable by the Bootloader.
+message SetBootStateRequest {
+ bool is_unlocked = 1;
+ bytes public_key = 2; // This is a SHA256 digest.
+ BootColor color = 3;
+ uint32 system_version = 4; // Deprecated.
+ uint32 system_security_level = 5; // Patch level of the boot partition.
+ bytes boot_hash = 6; // This is a SHA256 digest.
+ uint32 boot_security_level = 7;
+}
+message SetBootStateResponse {
+ // Specified in keymaster_defs.proto:ErrorCode
+ ErrorCode error_code = 1;
+}
+
+// ProvisionDeviceIds
+// Only callable at the Device Factory
+message ProvisionDeviceIdsRequest {
+ bytes product_brand = 1;
+ bytes product_device = 2;
+ bytes product_name = 3;
+ bytes serialno = 4;
+ bytes product_manufacturer = 5;
+ bytes product_model = 6;
+ bytes imei = 7;
+ bytes meid = 8;
+ bytes imei2 = 9;
+}
+message ProvisionDeviceIdsResponse {
+ // Specified in keymaster_defs.proto:ErrorCode
+ ErrorCode error_code = 1;
+ ChipFusing chip_fusing = 2;
+ bool nodelocked_ro = 3;
+}
+
+message ExportDeviceIdsRequest {
+ bytes challenge = 1;
+ bytes challenge_hmac = 2;
+}
+
+message ExportDeviceIdsResponse {
+ ErrorCode error_code = 1;
+ bytes product_brand = 2;
+ bytes product_device = 3;
+ bytes product_name = 4;
+ bytes serialno = 5;
+ bytes product_manufacturer = 6;
+ bytes product_model = 7;
+ bytes imei = 8;
+ bytes meid = 9;
+ bytes ids_hmac = 10;
+}
+
+// ReadTeeBatchCertificate
+// Only callable at the Device Factory
+message ReadTeeBatchCertificateRequest {
+ Algorithm algorithm = 1;
+}
+message ReadTeeBatchCertificateResponse {
+ ErrorCode error_code = 1;
+ RSAKey rsa = 2; // rsa or ec set based on request algorithm selector.
+ ECKey ec = 3;
+ bytes batch_cert = 4;
+}
+
+message DTupHandshakeRequest {
+ bytes nonce_client = 1;
+}
+
+message DTupHandshakeResponse {
+ DTupError error_code = 1;
+ bytes nonce_citadel = 2;
+ bytes signature = 3;
+}
+
+message DTupFetchInputEventRequest {}
+
+message DTupFetchInputEventResponse {
+ DTupError error_code = 1;
+ DTupKeyEvent event = 2;
+ bytes signature = 3;
+}
+
+message SetSystemVersionInfoRequest {
+ uint32 system_version = 1; // getprop "ro.build.version.release"
+ uint32 system_security_level = 2; // getprop "ro.build.version.security_patch"
+ uint32 vendor_security_level = 3; // getprop "ro.vendor.build.security_patch"
+ uint32 vendor_api_level = 4;
+}
+
+message SetSystemVersionInfoResponse {
+ // Specified in keymaster_defs.proto:ErrorCode
+ ErrorCode error_code = 1;
+}
+
+message GetBootInfoRequest {}
+
+message GetBootInfoResponse {
+ ErrorCode error_code = 1;
+ bool is_unlocked = 2;
+ BootColor boot_color = 3;
+ bytes boot_key = 4; // This is a SHA256 digest.
+ bytes boot_hash = 5; // This is a SHA256 digest.
+}
+
+message ProvisionPresharedSecretRequest {
+ bytes preshared_secret = 1;
+ bool get_status = 2;
+}
+message ProvisionPresharedSecretResponse {
+ ErrorCode error_code = 1;
+ PresharedSecretStatus status = 2;
+ BootColor color = 3;
+ bytes digest = 4;
+}
+
+message ProvisionCertificatesRequest {
+ uint32 block_number = 1;
+ bytes cert_block = 2;
+ bytes digest = 3;
+}
+message ProvisionCertificatesResponse {
+ ErrorCode error_code = 1;
+ CertificateStatus cert_status = 2;
+}
+
+message ReadCertificateRequest {
+ AttestationSelector selector = 1;
+ Algorithm algorithm = 2;
+}
+message ReadCertificateResponse {
+ ErrorCode error_code = 1;
+ Certificate cert = 2;
+}
+
+message VigoReadVSRequest {}
+message VigoReadVSResponse {
+ ErrorCode error_code = 1;
+ VigoKey vs_key = 2;
+}
+message VigoStartChannelRequest {
+ VigoKey client_key = 1;
+}
+message VigoStartChannelResponse {
+ ErrorCode error_code = 1;
+ VigoKey server_key = 2;
+ VigoSignature channel_signature = 3;
+}
+message VigoStoreSecretRequest {
+ VigoKey rs_key = 1;
+ VigoSecret secret_encrypted = 2;
+}
+message VigoStoreSecretResponse {
+ ErrorCode error_code = 1;
+}
+message VigoReleaseSecretRequest {
+ VigoSignature rs_signature = 1;
+}
+message VigoReleaseSecretResponse {
+ ErrorCode error_code = 1;
+ VigoSecret secret_encrypted = 2;
+}
+
+// IdentityStartAttestKey
+message IdentityStartAttestKeyRequest {
+ bytes pubkey = 1;
+ KeyParameters params = 2;
+ uint32 attestation_app_id_len = 3;
+ AttestationSelector selector = 4;
+ bytes not_before = 5; // strftime('%y%m%d%H%M%SZ') [15 octects]
+ bytes not_after = 6; // strftime('%y%m%d%H%M%SZ') [15 octects]
+ uint64 creation_time_ms = 7; // Rough current time (ms since epoch).
+ bool use_km_attest_key = 8;
+ bytes caller_issuer_subj_name = 9;
+}
+message IdentityStartAttestKeyResponse {
+ ErrorCode error_code = 1;
+ OperationHandle handle = 2;
+ bytes certificate_prologue = 3;
+}
+
+// IdentityFinishAttestKeyRequest
+message IdentityFinishAttestKeyRequest {
+ OperationHandle handle = 1;
+ bool use_km_attest_key = 2;
+ KeyBlob caller_blob = 3;
+}
+message IdentityFinishAttestKeyResponse {
+ ErrorCode error_code = 1;
+ bytes certificate_epilogue = 2;
+ ChipFusing chip_fusing = 3;
+ bool nodelocked_ro = 4;
+}
+
+// pKVM messages
+message GetPerFactoryResetValueRequest {
+ bool bootloader_only = 1;
+ bytes input = 2;
+}
+message GetPerFactoryResetValueResponse {
+ ErrorCode error_code = 1;
+ bytes output = 2;
+}
+
+// RKP messages
+message GenerateRkpKeyRequest{
+ bool test_mode = 1;
+ KeyParameters params = 2;
+ KeyBlob blob = 3;
+}
+message GenerateRkpKeyResponse{
+ ErrorCode error_code = 1;
+ bytes maced_public_key = 2;
+}
+
+message GenerateRkpCsrRequest{
+ bool test_mode = 1;
+ KeysToSign keys_to_sign = 2;
+ bytes endpoint_enc_cert_chain = 3;
+ bytes challenge = 4;
+}
+message GenerateRkpCsrResponse{
+ ErrorCode error_code = 1;
+ bytes keys_to_sign_mac = 2;
+ bytes device_info_blob = 3;
+ bytes protected_data_blob = 4;
+}
+
+message GenerateRkpCsrV2Request{
+ RkpCsrV2Operation step = 1;
+ bytes challenge = 2;
+ uint32 num_of_public_keys = 3;
+ MacedKey key_to_sign = 4;
+ OperationHandle handle = 5;
+}
+message GenerateRkpCsrV2Response{
+ ErrorCode error_code = 1;
+ OperationHandle handle = 2;
+ bytes device_info_blob = 3;
+ bytes dice_cert_chain = 4;
+ bytes signature = 5;
+}
diff --git a/nugget/proto/nugget/app/keymaster/ctdl/keymaster_defs.proto b/nugget/proto/nugget/app/keymaster/ctdl/keymaster_defs.proto
new file mode 100644
index 0000000..1927026
--- /dev/null
+++ b/nugget/proto/nugget/app/keymaster/ctdl/keymaster_defs.proto
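Review bot: The comments on `IdentityStartAttestKeyRequest.not_before` and `.not_after` contradict themselves: `strftime('%y%m%d%H%M%SZ')` produces 13 octets, not the 15 the comment states, while `StartAttestKeyRequest` documents the same fields with `%Y`, which does give 15. These bytes end up as certificate validity dates, so the comment should state the one format the firmware actually parses; if that is the four-digit-year form, change both lines to `// strftime('%Y%m%d%H%M%SZ') [15 octets]`, which also fixes the "octects" typo. The handler should reject any other length, and it is not visible here whether it does. In the same file the comment above `message EarlyBootEndedRequest {}` still reads `// DeviceLockedRequest` and should be `// EarlyBootEndedRequest`.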
@@ -0,0 +1,340 @@
+/*
+ * Copyright (C) 2017 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+syntax = "proto3";
+
+package nugget.app.keymaster.ctdl;
+
+/*
+ * Minimal type definitions required for building protos. Sourced from:
+ * ::android::hardware::keymaster::V3_0
+ */
+enum TagType {
+ TAG_TYPE_INVALID = 0x0; /* 0 << 16 */
+ ENUM = 0x10000; /* 1 << 16 */
+ ENUM_REP = 0x20000; /* 2 << 16 */
+ UINT = 0x30000; /* 3 << 16 */
+ UINT_REP = 0x40000; /* 4 << 16 */
+ ULONG = 0x50000; /* 5 << 16 */
+ DATE = 0x60000; /* 6 << 16 */
+ BOOL = 0x70000; /* 7 << 16 */
+ BIGNUM_ = 0x80000; /* 8 << 16 */
+ BYTES = 0x90000; /* 9 << 16 */
+ ULONG_REP = 0xA0000; /* 10 << 16 */
+};
+
+enum Tag {
+ TAG_INVALID = 0; // (TagType:INVALID | 0)
+ PURPOSE = 0x20001; // (TagType:ENUM_REP | 1)
+ ALGORITHM = 0x10002; // (TagType:ENUM | 2)
+ KEY_SIZE = 0x30003; // (TagType:UINT | 3)
+ BLOCK_MODE = 0x20004; // (TagType:ENUM_REP | 4)
+ DIGEST = 0x20005; // (TagType:ENUM_REP | 5)
+ PADDING = 0x20006; // (TagType:ENUM_REP | 6)
+ CALLER_NONCE = 0x70007; // (TagType:BOOL | 7)
+ MIN_MAC_LENGTH = 0x30008; // (TagType:UINT | 8)
+ /* RESERVED: KDF = 0x20009; // (TagType:ENUM_REP | 9) */
+ EC_CURVE = 0x1000a; // (TagType:ENUM | 10)
+ RSA_PUBLIC_EXPONENT = 0x500c8; // (TagType:ULONG | 200)
+ /* RESERVED: ECIES_SINGLE_HASH_MODE = 0x700c9; // (TagType:BOOL | 201) */
+ INCLUDE_UNIQUE_ID = 0x700ca; // (TagType:BOOL | 202)
+ RSA_OAEP_MGF_DIGEST = 0x200cb; // (TagType:ENUM_REP | 203)
+ BLOB_USAGE_REQUIREMENTS = 0x1012d; // (TagType:ENUM | 301)
+ BOOTLOADER_ONLY = 0x7012e; // (TagType:BOOL | 302)
+ ROLLBACK_RESISTANCE = 0x7012f; // (TagType:BOOL | 303)
+ HARDWARE_TYPE = 0x10130; // TagType:ENUM | 304,
+ EARLY_BOOT_ONLY = 0x70131; // TagType:BOOL | 305,
+ ACTIVE_DATETIME = 0x60190; // (TagType:DATE | 400)
+ ORIGINATION_EXPIRE_DATETIME = 0x60191; // (TagType:DATE | 401)
+ USAGE_EXPIRE_DATETIME = 0x60192; // (TagType:DATE | 402)
+ MIN_SECONDS_BETWEEN_OPS = 0x30193; // (TagType:UINT | 403)
+ MAX_USES_PER_BOOT = 0x30194; // (TagType:UINT | 404)
+ USAGE_COUNT_LIMIT = 0x30195; // (TagType:UINT | 405)
+ /* RESERVED: ALL_USERS = 0x701f4; // (TagType:BOOL | 500) */
+ USER_ID = 0x301f5; // (TagType:UINT | 501)
+ USER_SECURE_ID = 0xa01f6; // (TagType:ULONG_REP | 502)
+ NO_AUTH_REQUIRED = 0x701f7; // (TagType:BOOL | 503)
+ USER_AUTH_TYPE = 0x101f8; // (TagType:ENUM | 504)
+ AUTH_TIMEOUT = 0x301f9; // (TagType:UINT | 505)
+ ALLOW_WHILE_ON_BODY = 0x701fa; // (TagType:BOOL | 506)
+ TRUSTED_USER_PRESENCE_REQUIRED = 0x701fb; // (TagType:BOOL | 507)
+ TRUSTED_CONFIRMATION_REQUIRED = 0x701fc; // (TagType:BOOL | 508)
+ UNLOCKED_DEVICE_REQUIRED = 0x701fd; // (TagType:BOOL | 509)
+ /* RESERVED: ALL_APPLICATIONS = 0x70258; // (TagType:BOOL | 600) */
+ APPLICATION_ID = 0x90259; // (TagType:BYTES | 601)
+ /* RESERVED: EXPORTABLE = 0x7025a; // (TagType:BOOL | 602) */
+ APPLICATION_DATA = 0x902bc; // (TagType:BYTES | 700)
+ CREATION_DATETIME = 0x602bd; // (TagType:DATE | 701)
+ ORIGIN = 0x102be; // (TagType:ENUM | 702)
+ /* RESERVED: ROLLBACK_RESISTANT = 0x702bf; // (TagType:BOOL | 703) */
+ ROOT_OF_TRUST = 0x902c0; // (TagType:BYTES | 704)
+ OS_VERSION = 0x302c1; // (TagType:UINT | 705)
+ OS_PATCHLEVEL = 0x302c2; // (TagType:UINT | 706)
+ UNIQUE_ID = 0x902c3; // (TagType:BYTES | 707)
+ ATTESTATION_CHALLENGE = 0x902c4; // (TagType:BYTES | 708)
+ ATTESTATION_APPLICATION_ID = 0x902c5; // (TagType:BYTES | 709)
+ ATTESTATION_ID_BRAND = 0x902c6; // (TagType:BYTES | 710)
+ ATTESTATION_ID_DEVICE = 0x902c7; // (TagType:BYTES | 711)
+ ATTESTATION_ID_PRODUCT = 0x902c8; // (TagType:BYTES | 712)
+ ATTESTATION_ID_SERIAL = 0x902c9; // (TagType:BYTES | 713)
+ ATTESTATION_ID_IMEI = 0x902ca; // (TagType:BYTES | 714)
+ ATTESTATION_ID_MEID = 0x902cb; // (TagType:BYTES | 715)
+ ATTESTATION_ID_MANUFACTURER = 0x902cc; // (TagType:BYTES | 716)
+ ATTESTATION_ID_MODEL = 0x902cd; // (TagType:BYTES | 717)
+ VENDOR_PATCHLEVEL = 0x302ce; // (TagType:UINT | 718)
+ BOOT_PATCHLEVEL = 0x302cf; // (TagType:UINT | 719)
+ DEVICE_UNIQUE_ATTESTATION = 0x702d0; // (TagType:BOOL | 720)
+ IDENTITY_CREDENTIAL_KEY = 0x702d1; // (TagType:BOOL | 721)
+ STORAGE_KEY = 0x702d2; // (TagType:BOOL | 722)
+ ATTESTATION_ID_SECOND_IMEI = 0x902d3; // (TagType:BYTES | 723)
+ ASSOCIATED_DATA = 0x903e8; // (TagType:BYTES | 1000)
+ NONCE = 0x903e9; // (TagType:BYTES | 1001)
+ /* RESERVED: AUTH_TOKEN = 0x903ea; // (TagType:BYTES | 1002) */
+ MAC_LENGTH = 0x303eb; // (TagType:UINT | 1003)
+ RESET_SINCE_ID_ROTATION = 0x703ec; // (TagType:BOOL | 1004)
+ CONFIRMATION_TOKEN = 0x903ed; // (TagType:BYTES | 1005)
+ CERTIFICATE_SERIAL = 0x803ee; // (TagType:BIGNUM | 1006)
+ CERTIFICATE_SUBJECT = 0x903ef; // (TagType:BYTES | 1007)
+};
+
+enum Algorithm {
+ RSA = 0;
+ EC = 1;
+ AES = 2;
+ DES = 3;
+ HMAC = 4;
+ ALGORITHM_MAX = 5;
+};
+
+enum BlockMode {
+ ECB = 0;
+ CBC = 1;
+ CTR = 2;
+ GCM = 3;
+ BLOCK_MODE_MAX = 4;
+};
+
+enum PaddingMode {
+ PADDING_NONE = 0;
+ PADDING_RSA_OAEP = 1;
+ PADDING_RSA_PSS = 2;
+ PADDING_RSA_PKCS1_1_5_ENCRYPT = 3;
+ PADDING_RSA_PKCS1_1_5_SIGN = 4;
+ PADDING_PKCS7 = 5;
+ PADDING_MODE_MAX = 6;
+};
+
+enum Digest {
+ DIGEST_NONE = 0;
+ DIGEST_MD5 = 1;
+ DIGEST_SHA1 = 2;
+ DIGEST_SHA_2_224 = 3;
+ DIGEST_SHA_2_256 = 4;
+ DIGEST_SHA_2_384 = 5;
+ DIGEST_SHA_2_512 = 6;
+ DIGEST_MAX = 7;
+};
+
+enum EcCurve {
+ P_224 = 0;
+ P_256 = 1;
+ P_384 = 2;
+ P_521 = 3;
+ EC_CURVE_MAX = 4;
+};
+
+enum KeyOrigin {
+ GENERATED = 0;
+ DERIVED = 1;
+ IMPORTED = 2;
+ UNKNOWN = 3;
+ SECURELY_IMPORTED = 4;
+ KEY_ORIGIN_MAX = 5;
+};
+
+enum KeyBlobUsageRequirements {
+ STANDALONE = 0;
+ REQUIRES_FILE_SYSTEM = 1;
+ KEY_USAGE_MAX = 2;
+};
+
+enum KeyPurpose {
+ ENCRYPT = 0;
+ DECRYPT = 1;
+ SIGN = 2;
+ VERIFY = 3;
+ /* RESERVED: DERIVE_KEY = 4; */
+ WRAP_KEY = 5;
+ AGREE_KEY = 6;
+ ATTEST_KEY = 7;
+ PURPOSE_MAX = 8;
+};
+
+enum ErrorCode {
+ OK = 0;
+ ROOT_OF_TRUST_ALREADY_SET = 1;
+ UNSUPPORTED_PURPOSE = 2;
+ INCOMPATIBLE_PURPOSE = 3;
+ UNSUPPORTED_ALGORITHM = 4;
+ INCOMPATIBLE_ALGORITHM = 5;
+ UNSUPPORTED_KEY_SIZE = 6;
+ UNSUPPORTED_BLOCK_MODE = 7;
+ INCOMPATIBLE_BLOCK_MODE = 8;
+ UNSUPPORTED_MAC_LENGTH = 9;
+ UNSUPPORTED_PADDING_MODE = 10;
+ INCOMPATIBLE_PADDING_MODE = 11;
+ UNSUPPORTED_DIGEST = 12;
+ INCOMPATIBLE_DIGEST = 13;
+ INVALID_EXPIRATION_TIME = 14;
+ INVALID_USER_ID = 15;
+ INVALID_AUTHORIZATION_TIMEOUT = 16;
+ UNSUPPORTED_KEY_FORMAT = 17;
+ INCOMPATIBLE_KEY_FORMAT = 18;
+ UNSUPPORTED_KEY_ENCRYPTION_ALGORITHM = 19;
+ UNSUPPORTED_KEY_VERIFICATION_ALGORITHM = 20;
+ INVALID_INPUT_LENGTH = 21;
+ KEY_EXPORT_OPTIONS_INVALID = 22;
+ DELEGATION_NOT_ALLOWED = 23;
+ KEY_NOT_YET_VALID = 24;
+ KEY_EXPIRED = 25;
+ KEY_USER_NOT_AUTHENTICATED = 26;
+ OUTPUT_PARAMETER_NULL = 27;
+ INVALID_OPERATION_HANDLE = 28;
+ INSUFFICIENT_BUFFER_SPACE = 29;
+ VERIFICATION_FAILED = 30;
+ TOO_MANY_OPERATIONS = 31;
+ UNEXPECTED_NULL_POINTER = 32;
+ INVALID_KEY_BLOB = 33;
+ IMPORTED_KEY_NOT_ENCRYPTED = 34;
+ IMPORTED_KEY_DECRYPTION_FAILED = 35;
+ IMPORTED_KEY_NOT_SIGNED = 36;
+ IMPORTED_KEY_VERIFICATION_FAILED = 37;
+ INVALID_ARGUMENT = 38;
+ UNSUPPORTED_TAG = 39;
+ INVALID_TAG = 40;
+ MEMORY_ALLOCATION_FAILED = 41;
+ IMPORT_PARAMETER_MISMATCH = 42;
+ SECURE_HW_ACCESS_DENIED = 43;
+ OPERATION_CANCELLED = 44;
+ CONCURRENT_ACCESS_CONFLICT = 45;
+ SECURE_HW_BUSY = 46;
+ SECURE_HW_COMMUNICATION_FAILED = 47;
+ UNSUPPORTED_EC_FIELD = 48;
+ MISSING_NONCE = 49;
+ INVALID_NONCE = 50;
+ MISSING_MAC_LENGTH = 51;
+ KEY_RATE_LIMIT_EXCEEDED = 52;
+ CALLER_NONCE_PROHIBITED = 53;
+ KEY_MAX_OPS_EXCEEDED = 54;
+ INVALID_MAC_LENGTH = 55;
+ MISSING_MIN_MAC_LENGTH = 56;
+ UNSUPPORTED_MIN_MAC_LENGTH = 57;
+ UNSUPPORTED_KDF = 58;
+ UNSUPPORTED_EC_CURVE = 59;
+ KEY_REQUIRES_UPGRADE = 60;
+ ATTESTATION_CHALLENGE_MISSING = 61;
+ KEYMASTER_NOT_CONFIGURED = 62;
+ ATTESTATION_APPLICATION_ID_MISSING = 63;
+ CANNOT_ATTEST_IDS = 64;
+ UNIMPLEMENTED = 65;
+ VERSION_MISMATCH = 66;
+ ROLLBACK_RESISTANCE_UNAVAILABLE = 67;
+ HARDWARE_TYPE_UNAVAILABLE = 68;
+ PROOF_OF_PRESENCE_REQUIRED = 69;
+ CONCURRENT_PROOF_OF_PRESENCE_REQUESTED = 70;
+ UNKNOWN_ERROR = 71;
+ INVALID_DEVICE_IDS = 72; // Vendor specific.
+ PRODUCTION_MODE_PROVISIONING = 73; // Vendor specific.
+ NO_USER_CONFIRMATION = 74;
+ KEY_UPGRADE_NOT_REQUIRED = 75; // Vendor specific.
+ DEVICE_LOCKED = 76;
+ EARLY_BOOT_ENDED = 77;
+ ATTESTATION_KEYS_NOT_PROVISIONED = 78;
+ ATTESTATION_IDS_NOT_PROVISIONED = 79;
+ INVALID_OPERATION = 80;
+ STORAGE_KEY_UNSUPPORTED = 81;
+ INCOMPATIBLE_MGF_DIGEST = 82;
+ UNSUPPORTED_MGF_DIGEST = 83;
+ INVALID_MAC = 84; // RKP specific.
+ PRODUCTION_KEY_IN_TEST_REQUEST = 85; // RKP specific.
+ TEST_KEY_IN_PRODUCTION_REQUEST = 86; // RKP specific.
+ INVALID_EEK = 87; // RKP specific.
+};
+
+enum SecurityLevel {
+ SOFTWARE = 0;
+ TRUSTED_ENVIRONMENT = 1;
+ STRONGBOX = 2;
+};
+
+// NOTE: these enum values must be kept in sync with the HAL,
+// as they are used in an HMAC calculation.
+enum HardwareAuthenticatorType {
+ HW_AUTH_NONE = 0;
+ HW_AUTH_PASSWORD = 1;
+ HW_AUTH_FINGERPRINT = 2;
+ // Additional entries must be powers of 2.
+};
+
+enum KeyFormat {
+ X509 = 0; /* for public key export */
+ PKCS8 = 1; /* for asymmetric key pair import */
+ RAW = 3; /* for symmetric key import and export*/
+}
+
+enum DTupError {
+ DTUP_OK = 0;
+ DTUP_NO_EVENT = 1;
+}
+
+/* matches Linux event device codes */
+enum DTupKeyEvent {
+ DTUP_RESERVED = 0;
+ DTUP_VOL_DOWN = 114;
+ DTUP_VOL_UP = 115;
+ DTUP_PWR = 116;
+}
+
+enum BootColor {
+ BOOT_VERIFIED_GREEN = 0;
+ BOOT_SELFSIGNED_YELLOW = 1;
+ BOOT_UNVERIFIED_ORANGE = 2;
+ BOOT_VERIFY_FAILED_RED = 3;
+}
+
+enum ChipFusing {
+ FUSING_PROTO = 0;
+ FUSING_DVT = 1;
+ FUSING_PVT = 2; // Strongbox gen v0 certs.
+ FUSING_PVT_1 = 3; // Strongbox gen v1 certs.
+ FUSING_D_PVT = 4; // Dauntless gen v0 certs.
+ FUSING_D_PVT_1 = 5; // Dauntless gen v1 certs.
+ FUSING_D_PVT_2 = 6; // Dauntless gen v2 certs (D3M2).
+}
+
+enum CertificateStatus {
+ CERT_PREVIOUSLY_PROVISIONED = 0;
+ CERT_MISSING = 1;
+ CERT_CHECKSUM = 2;
+ CERT_UNKNOWN_ERROR = 3;
+ CERT_WRONG_PACKET = 4;
+}
+
+enum RkpCsrV2Operation {
+ RKP_CSR_V2_BEGIN = 0;
+ RKP_CSR_V2_UPDATE = 1;
+ RKP_CSR_V2_FINISH = 2;
+}
diff --git a/nugget/proto/nugget/app/keymaster/ctdl/keymaster_types.options b/nugget/proto/nugget/app/keymaster/ctdl/keymaster_types.options
new file mode 100644
index 0000000..b38e786
--- /dev/null
+++ b/nugget/proto/nugget/app/keymaster/ctdl/keymaster_types.options
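Review bot: `OK = 0;` in `ErrorCode` is also the proto3 default value, so a response in which `error_code` is absent (an empty, truncated or zero-initialised reply) decodes as success. The response messages visible in ctdl/keymaster.proto earlier in this commit all carry this enum as field 1, so a caller that looks only at `error_code` cannot tell "succeeded" from "nothing was decoded". The numbering presumably has to match the existing firmware protocol, so I would document the constraint rather than renumber, with a comment above `OK = 0;` such as `// OK is also the proto3 default, so an absent error_code reads as success; check the transport status first.`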
@@ -0,0 +1,12 @@
+nugget.app.keymaster.ctdl.KeyParameters.params max_count:20
+nugget.app.keymaster.ctdl.HmacSharingParameters.seed max_size:32
+nugget.app.keymaster.ctdl.HmacSharingParameters.nonce max_size:32
+nugget.app.keymaster.ctdl.HardwareAuthToken.mac max_size:32
+nugget.app.keymaster.ctdl.VerificationToken.mac max_size:32
+nugget.app.keymaster.ctdl.VigoKey.x max_size:64
+nugget.app.keymaster.ctdl.VigoSignature.r max_size:32
+nugget.app.keymaster.ctdl.VigoSignature.s max_size:32
+nugget.app.keymaster.ctdl.VigoSecret.material max_size:32
+nugget.app.keymaster.ctdl.VigoSecret.iv max_size:16
+nugget.app.keymaster.ctdl.VigoSecret.tag max_size:16
+nugget.app.keymaster.ctdl.KeysToSign.keys max_count:20
diff --git a/nugget/proto/nugget/app/keymaster/ctdl/keymaster_types.proto b/nugget/proto/nugget/app/keymaster/ctdl/keymaster_types.proto
new file mode 100644
index 0000000..6a8f5a8
--- /dev/null
+++ b/nugget/proto/nugget/app/keymaster/ctdl/keymaster_types.proto
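Review bot: The first entry caps `KeyParameters.params` at `max_count:20`, while the last hunk of this same commit raises the non-ctdl `nugget.app.keymaster.KeyParameters.params` from 20 to 25. If both packages are meant to accept the same parameter sets, a request carrying 21 to 25 parameters would fit one message and not the other; if so, use `nugget.app.keymaster.ctdl.KeyParameters.params max_count:25` here, and if the lower ctdl limit is intentional, record the reason next to the entry. Separately, several `bytes` fields declared in ctdl/keymaster_types.proto (`KeyParameter.blob`, `KeyBlob.blob`, `Certificate.data`, `MacedKey.blob`) have no `max_size` entry in this file; it is worth confirming that their length is bounded wherever they are decoded.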
@@ -0,0 +1,136 @@
+/*
+ * Copyright (C) 2017 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+syntax = "proto3";
+
+package nugget.app.keymaster.ctdl;
+
+import "nugget/app/keymaster/ctdl/keymaster_defs.proto";
+
+message KeyParameter {
+ Tag tag = 1; /* Possible values defined here
+ * ::android::hardware::keymaster::V3_0::Tag
+ */
+ uint32 integer = 2;
+ uint64 long_integer = 3;
+ bytes blob = 4;
+}
+
+message KeyParameters {
+ repeated KeyParameter params = 1;
+}
+
+message KeyBlob {
+ bytes blob = 1;
+}
+
+message OperationHandle {
+ uint64 handle = 1;
+}
+
+message Certificate {
+ bytes data = 1;
+}
+
+message CertificateChain {
+ repeated Certificate certificates = 1;
+}
+
+message KeyCharacteristics {
+ KeyParameters software_enforced = 1;
+ KeyParameters tee_enforced = 2;
+}
+
+message HmacSharingParameters {
+ bytes seed = 1;
+ bytes nonce = 2;
+}
+
+message HardwareAuthToken {
+ uint64 challenge = 1;
+ uint64 user_id = 2;
+ uint64 authenticator_id = 3;
+ // Deprecated in favor of tag 7.
+ // HardwareAuthenticatorType authenticator_type = 4;
+ uint64 timestamp = 5;
+ bytes mac = 6;
+ uint32 authenticator_type = 7;
+}
+
+message VerificationToken {
+ uint64 challenge = 1;
+ uint64 timestamp = 2;
+ KeyParameters params_verified = 3;
+ SecurityLevel security_level = 4;
+ bytes mac = 5;
+}
+
+/*
+ * Internal types.
+ */
+message RSAKey {
+ uint32 e = 1;
+ bytes d = 2;
+ bytes n = 3;
+}
+
+message ECKey {
+ /* TODO: should this be EcCurve. */
+ uint32 curve_id = 1;
+ bytes d = 2;
+ bytes x = 3;
+ bytes y = 4;
+}
+
+message SymmetricKey {
+ bytes material = 1;
+}
+
+enum PresharedSecretStatus {
+ NOT_SET = 0;
+ ALREADY_SET = 1;
+}
+
+enum AttestationSelector {
+ ATTEST_TEST = 0;
+ ATTEST_BATCH = 1;
+ ATTEST_INDIVIDUAL = 2;
+ ATTEST_SELF = 3;
+ ATTEST_CALLER = 4;
+}
+
+message VigoKey {
+ bytes x = 1;
+}
+
+message VigoSignature {
+ bytes r = 1;
+ bytes s = 2;
+}
+
+message VigoSecret {
+ bytes material = 1;
+ bytes iv = 2;
+ bytes tag = 3;
+}
+
+message MacedKey{
+ bytes blob = 1;
+}
+
+message KeysToSign {
+ repeated MacedKey keys = 1;
+}
diff --git a/nugget/proto/nugget/app/keymaster/keymaster_types.options b/nugget/proto/nugget/app/keymaster/keymaster_types.options
index 417e181..6ffce96 100644
--- a/nugget/proto/nugget/app/keymaster/keymaster_types.options
+++ b/nugget/proto/nugget/app/keymaster/keymaster_types.options
@@ -1,4 +1,4 @@
-nugget.app.keymaster.KeyParameters.params max_count:20
+nugget.app.keymaster.KeyParameters.params max_count:25
 nugget.app.keymaster.HmacSharingParameters.seed max_size:32
 nugget.app.keymaster.HmacSharingParameters.nonce max_size:32
 nugget.app.keymaster.HardwareAuthToken.mac max_size:32 |
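Review bot: Field number 4 of `HardwareAuthToken` in ctdl/keymaster_types.proto is retired only by a comment (`// HardwareAuthenticatorType authenticator_type = 4;`), so protoc will not stop a later edit from reusing tag 4 with a different type. A peer still built against the older layout would then presumably misinterpret that field in a token whose other contents are covered by `mac`. Add `reserved 4;` to the message next to the deprecation comment so the compiler enforces the retirement. The `TODO` on `ECKey.curve_id` could be settled in the same pass by either typing it as `EcCurve` or stating why it stays `uint32`.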