Merge "Docs: Fixing link for cryptsetup, minor formatting"
am: 99734e912a
* commit '99734e912a049ec4a6abc0c8b35523e2ab3ee741':
Docs: Fixing link for cryptsetup, minor formatting
diff --git a/src/accessories/accessories_toc.cs b/src/accessories/accessories_toc.cs
index 616cc5e..f4954a0 100644
--- a/src/accessories/accessories_toc.cs
+++ b/src/accessories/accessories_toc.cs
@@ -52,7 +52,7 @@
</div>
<ul>
<li class="nav-section">
- <div class="nav-section-header"><a href="<?cs var:toroot ?>accessories/protocol.html"><span class="en">Open Accessory Protocol</span>
+ <div class="nav-section-header"><a href="<?cs var:toroot ?>accessories/protocol.html"><span class="en">AOA</span>
</a>
</div>
<ul>
@@ -60,8 +60,11 @@
<li><a href="<?cs var:toroot ?>accessories/aoa.html">AOA 1.0</a></li>
</ul>
</li>
+ <div class="nav-section-header"><a href="<?cs var:toroot ?>accessories/stylus.html"><span class="en">Stylus</span>
+ </a>
+ </div>
</ul>
</li>
</li>
<!-- End Accessories -->
-</ul>
+</ul>
\ No newline at end of file
diff --git a/src/accessories/stylus.jd b/src/accessories/stylus.jd
new file mode 100644
index 0000000..03c2e14
--- /dev/null
+++ b/src/accessories/stylus.jd
@@ -0,0 +1,121 @@
+page.title=Stylus
+@jd:body
+
+<!--
+ Copyright 2015 The Android Open Source Project
+
+ Licensed under the Apache License, Version 2.0 (the "License");
+ you may not use this file except in compliance with the License.
+ You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+ Unless required by applicable law or agreed to in writing, software
+ distributed under the License is distributed on an "AS IS" BASIS,
+ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ See the License for the specific language governing permissions and
+ limitations under the License.
+-->
+
+<div id="qv-wrapper">
+ <div id="qv">
+ <h2>In this document</h2>
+ <ol id="auto-toc">
+ </ol>
+ </div>
+</div>
+
+<p>Android 6.0 and higher supports a standard data format for Bluetooth stylus
+connections over Bluetooth (BT), Bluetooth Low Energy (BTLE), or USB. The
+platform correlates timing between touch input and stylus data then provides
+stylus data to render MotionEvents to the active application. The following
+sections provide guidelines for OEM partners, stylus accessory creators, and
+stylus application developers.</p>
+
+<h2 id="guide-partners">Guidelines for OEM partners</h2>
+<p>To enable Bluetooth stylus support, OEM partners must support Bluetooth
+(and should support BTLE for wider compatibility). The platform handles data
+collection, timing correlation, and rendering to the application for supported
+stylus events.</p>
+
+<p>At this time, the Android CTS <strong>does not</strong> include tests to
+ensure existing APIs for touch events support default behavior. As a
+workaround, we recommend creating a stylus accessory or emulator that can
+simulate stylus events.</p>
+
+<h2 id="guide-creators">Guidelines for stylus accessory creators</h2>
+<p>To implement support on a stylus device, partners must use the Stylus
+Human Interface Device (HID) Descriptor shown below to describe how stylus data
+(pressure sensitivity, eraser, side buttons, device ID, etc.) is represented.
+The stylus device sends the HID information to the Android mobile device,
+enabling the platform to correlate HID data with touch data from the touchscreen
+to produce stylus events via MotionEvent. Data can be sent over Bluetooth (BT),
+Bluetooth Low Energy (BTLE), or USB.</p>
+
+<h3 id="hid-descriptor">HID descriptor</h3>
+
+<p><pre>
+UsagePage(Digitizer)
+Usage(Pen)
+Collection(Application)
+ Usage(Stylus)
+ Collection(Logical)
+ Usage(Tip Pressure)
+ Logical Minimum(0)
+ Logical Maximum(1023)
+ Report Count(1)
+ Report Size(10)
+ Input(Data, Variable, Absolute, No Null)
+
+ Usage(Barrel Switch)
+ Usage(Secondary Barrel Switch)
+ Usage(Tip Switch)
+ Usage(Invert)
+ Logical Maximum(1)
+ Report Count(4)
+ Report Size(1)
+ Input(Data, Variable, Absolute, No Null)
+
+ Usage(Transducer Serial Number)
+ Report Count(1)
+ Report Size(128)
+ Feature(Constant, Variable)
+ EndCollection
+EndCollection
+
+unsigned char HID_DESC[] = {
+ 0x05, 0x0D, // UsagePage(Digitizer)
+ 0x09, 0x02, // Usage(Pen)
+ 0xA1, 0x01, // Collection(Application)
+ 0x09, 0x20, // Usage(Stylus)
+ 0xA1, 0x02, // Collection(Logical)
+ 0x09, 0x30, // Usage(Tip Pressure)
+ 0x15, 0x00, // Logical Minimum(0)
+ 0x26, 0xFF, 0x03, // Logical Maximum(1023)
+ 0x95, 0x01, // Report Count(1)
+ 0x75, 0x0A, // Report Size(10)
+ 0x81, 0x02, // Input(Data, Variable, Absolute, No Null)
+
+ 0x09, 0x44, // Usage(Barrel Switch)
+ 0x09, 0x5A, // Usage(Secondary Barrel Switch)
+ 0x09, 0x42, // Usage(Tip Switch)
+ 0x09, 0x3C, // Usage(Invert)
+ 0x25, 0x01, // Logical Maximum(1)
+ 0x95, 0x04, // Report Count(4)
+ 0x75, 0x01, // Report Size(1)
+ 0x81, 0x02, // Input(Data, Variable, Absolute, No Null)
+
+ 0x09, 0x5B, // Usage(Transducer Serial Number)
+ 0x95, 0x01, // Report Count(1)
+ 0x75, 0x80, // Report Size(128)
+ 0xB1, 0x03, // Feature(Constant, Variable)
+ 0xC0, // End Collection
+ 0xC0, // End Collection
+}
+</pre></p>
+
+<h2 id="guidelines-devs">Guidelines for stylus application developers</h2>
+<p>The Android 6.0 platform automatically handles pairing and event correlation,
+so both existing and new applications running on Android 6.0 support Bluetooth
+stylus by default. For details on Bluetooth stylus APIs, refer to
+<a href="http://developer.android.com/about/versions/marshmallow/android-6.0.html#bluetooth-stylus">developer.android.com</a>.
\ No newline at end of file
diff --git a/src/compatibility/6.0/versions.jd b/src/compatibility/6.0/versions.jd
new file mode 100644
index 0000000..d0c9eca
--- /dev/null
+++ b/src/compatibility/6.0/versions.jd
@@ -0,0 +1,18 @@
+page.title=Permitted Version Strings for Android 6.0
+@jd:body
+
+<p>As described in Section 3.2.2 of the <a
+href="/compatibility/android-6.0-cdd.pdf">Android 6.0 Compatibility Definition</a>,
+only certain strings are allowable for the system property
+<code>android.os.Build.VERSION.RELEASE</code>. The reason for this is that
+applications and web sites may rely on predictable values for this string, and
+so that end users can easily and reliably identify the version of Android
+running on their devices.</p>
+<p>Because subsequent releases of the Android software may revise this string,
+but not change any API behavior, such releases may not be accompanied by a new
+Compatibility Definition Document. This page lists the versions that are
+allowable by an Android 6.0-based system. The only permitted values for
+<code>android.os.Build.VERSION.RELEASE</code> for Android 6.0 are:</p>
+<ul>
+<li>6.0</li>
+</ul>
diff --git a/src/compatibility/android-cdd.html b/src/compatibility/android-cdd.html
index ac1867b..fa14930 100644
--- a/src/compatibility/android-cdd.html
+++ b/src/compatibility/android-cdd.html
@@ -1,7 +1,7 @@
<!DOCTYPE html>
<head>
<title>Android ANDROID_VERSION Compatibility Definition</title>
-<link rel="stylesheet" type="text/css" href="source/android-cdd.css"/>
+<link rel="stylesheet" type="text/css" href="android-cdd.css"/>
</head>
<body>
@@ -80,28 +80,41 @@
<p class="toc_h3"><a href="#3_8_10_lock_screen_media_control">3.8.10. Lock Screen Media Control</a></p>
+</div>
+
+<div id="toc_right">
+
<p class="toc_h3"><a href="#3_8_11_dreams">3.8.11. Dreams</a></p>
<p class="toc_h3"><a href="#3_8_12_location">3.8.12. Location</a></p>
<p class="toc_h3"><a href="#3_8_13_unicode_and_font">3.8.13. Unicode and Font</a></p>
-
-
-</div>
-
-<div id="toc_right"><br>
-
-
-
<p class="toc_h2"><a href="#3_9_device_administration">3.9. Device Administration</a></p>
+<p class="toc_h3"><a href="#3_9_1_device_provisioning">3.9.1 Device Provisioning</a></p>
+
+<p class="toc_h4"><a href="#3_9_1_2_device_owner_provisioning">3.9.1.1 Device Owner provisioning</a></p>
+
+<p class="toc_h4"><a href="#3_9_1_2_managed_profile_provisioning">3.9.1.2 Managed profile provisioning</a></p>
+
+<p class="toc_h3"><a href="#3_9_2_managed_profile_support">3.9.2. Managed Profile Support</a></p>
+
+
<p class="toc_h2"><a href="#3_10_accessibility">3.10. Accessibility</a></p>
<p class="toc_h2"><a href="#3_11_text-to-speech">3.11. Text-to-Speech</a></p>
<p class="toc_h2"><a href="#3_12_tv_input_framework">3.12. TV Input Framework</a></p>
+<p class="toc_h3"><a href="#3_12_1_tv_app">3.12.1. TV App</a></p>
+
+<p class="toc_h4"><a href="#3_12_1_1_electronic_program_guide">3.12.1.1. Electronic Program Guide</a></p>
+
+<p class="toc_h4"><a href="#3_12_1_2_navigation">3.12.1.2. Navigation</a></p>
+
+<p class="toc_h4"><a href="#3_12_1_3_tv_input_app_linking">3.12.1.3. TV input app linking</a></p>
+
<p class="toc_h1"><a href="#4_application_packaging_compatibility">4. Application Packaging Compatibility</a></p>
<p class="toc_h1"><a href="#5_multimedia_compatibility">5. Multimedia Compatibility</a></p>
@@ -142,6 +155,14 @@
<p class="toc_h2"><a href="#5_9_midi">5.9. Musical Instrument Digital Interface (MIDI)</a></p>
+<p class="toc_h2"><a href="#5_10_pro_audio">5.10. Professional Audio</a></p>
+
+</div>
+
+<div style="clear: both; page-break-after:always; height:1px"></div>
+
+<div id="toc_left">
+
<p class="toc_h1"><a href="#6_developer_tools_and_options_compatibility">6. Developer Tools and Options Compatibility</a></p>
<p class="toc_h2"><a href="#6_1_developer_tools">6.1. Developer Tools</a></p>
@@ -160,14 +181,6 @@
<p class="toc_h4"><a href="#7_1_1_3_screen_density">7.1.1.3. Screen Density</a></p>
-
-</div>
-
-<div style="clear: both; page-break-after:always; height:1px"></div>
-
-
-<div id="toc_left_2">
-
<p class="toc_h3"><a href="#7_1_2_display_metrics">7.1.2. Display Metrics</a></p>
<p class="toc_h3"><a href="#7_1_3_screen_orientation">7.1.3. Screen Orientation</a></p>
@@ -206,6 +219,10 @@
<p class="toc_h3"><a href="#7_3_3_gps">7.3.3. GPS</a></p>
+</div>
+
+<div id="toc_right">
+
<p class="toc_h3"><a href="#7_3_4_gyroscope">7.3.4. Gyroscope</a></p>
<p class="toc_h3"><a href="#7_3_5_barometer">7.3.5. Barometer</a></p>
@@ -216,6 +233,10 @@
<p class="toc_h3"><a href="#7_3_8_proximity_sensor">7.3.8. Proximity Sensor</a></p>
+<p class="toc_h3"><a href="#7_3_9_hifi_sensors">7.3.9. High Fidelity Sensors</a></p>
+
+<p class="toc_h3"><a href="#7_3_10_fingerprint">7.3.10. Fingerprint Sensor</a></p>
+
<p class="toc_h2"><a href="#7_4_data_connectivity">7.4. Data Connectivity</a></p>
<p class="toc_h3"><a href="#7_4_1_telephony">7.4.1. Telephony</a></p>
@@ -244,14 +265,6 @@
<p class="toc_h3"><a href="#7_5_4_camera_api_behavior">7.5.4. Camera API Behavior</a></p>
-
-
-
-
-</div>
-
-<div id="toc_right_2">
-
<p class="toc_h3"><a href="#7_5_5_camera_orientation">7.5.5. Camera Orientation</a></p>
<p class="toc_h2"><a href="#7_6_memory_and_storage">7.6. Memory and Storage</a></p>
@@ -260,6 +273,8 @@
<p class="toc_h3"><a href="#7_6_2_application_shared_storage">7.6.2. Application Shared Storage</a></p>
+<p class="toc_h3"><a href="#7_6_3_adoptable_storage">7.6.3. Adoptable Storage</a></p>
+
<p class="toc_h2"><a href="#7_7_usb">7.7. USB</a></p>
<p class="toc_h2"><a href="#7_8_audio">7.8. Audio</a></p>
@@ -270,11 +285,19 @@
<p class="toc_h4"><a href="#7_8_2_1_analog_audio_ports">7.8.2.1. Analog Audio Ports</a></p>
+<p class="toc_h3"><a href="#7_8_3_near_ultrasound">7.8.3. Near-Ultrasound</a></p>
+
<p class="toc_h1"><a href="#8_performance_compatibility">8. Performance Compatibility</a></p>
<p class="toc_h2"><a href="#8_1_user_experience_consistency">8.1. User Experience Consistency</a></p>
-<p class="toc_h2"><a href="#8_2_memory_performance">8.2. Memory Performance</a></p>
+<p class="toc_h2"><a href="#8_2_file_i_o_access_performance">8.2. File I/O Access Performance</a></p>
+
+</div>
+
+<div style="clear: both; page-break-after:always; height:1px"></div>
+
+<div id="toc_left">
<p class="toc_h1"><a href="#9_security_model_compatibility">9. Security Model Compatibility</a></p>
@@ -298,6 +321,10 @@
<p class="toc_h2"><a href="#9_10_verified_boot">9.10. Verified Boot</a></p>
+<p class="toc_h2"><a href="#9_11_keys_and_credentials">9.11. Keys and Credentials</a></p>
+
+<p class="toc_h2"><a href="#9_12_data_deletion">9.12. Data Deletion</a></p>
+
<p class="toc_h1"><a href="#10_software_compatibility_testing">10. Software Compatibility Testing</a></p>
<p class="toc_h2"><a href="#10_1_compatibility_test_suite">10.1. Compatibility Test Suite</a></p>
@@ -326,7 +353,7 @@
<p>This document enumerates the requirements that must be met in order for devices
to be compatible with Android ANDROID_VERSION.</p>
-<p>The use of “MUST”, “MUST NOT”, “REQUIRED”, “SHALL”, “SHALL NOT”, “SHOULD”,“SHOULD NOT”, “RECOMMENDED”, “MAY”, and “OPTIONAL” is per the IETF standard
+<p>The use of “MUST”, “MUST NOT”, “REQUIRED”, “SHALL”, “SHALL NOT”, “SHOULD”, “SHOULD NOT”, “RECOMMENDED”, “MAY”, and “OPTIONAL” is per the IETF standard
defined in RFC2119 [<a href="http://www.ietf.org/rfc/rfc2119.txt">Resources, 1</a>].</p>
<p>As used in this document, a “device implementer” or “implementer” is a person
@@ -342,10 +369,10 @@
implementer to ensure compatibility with existing implementations.</p>
<p>For this reason, the Android Open Source Project [<a href="http://source.android.com/">Resources, 2</a>] is both the reference and preferred implementation of Android. Device
-implementers are strongly encouraged to base their implementations to the
+implementers are STRONGLY RECOMMENDED to base their implementations to the
greatest extent possible on the “upstream” source code available from the
Android Open Source Project. While some components can hypothetically be
-replaced with alternate implementations this practice is strongly discouraged,
+replaced with alternate implementations, it is STRONGLY RECOMMENDED to not follow this practice,
as passing the software tests will become substantially more difficult. It is
the implementer’s responsibility to ensure full behavioral compatibility with
the standard Android implementation, including and beyond the Compatibility
@@ -400,8 +427,15 @@
<p><strong>Android Automotive implementation</strong> refers to a vehicle head
unit running Android as an operating system for part or all of the system and/or
-infotainment functionality. Android Automotive implementations MUST support
-uiMode = UI_MODE_TYPE_CAR [<a href="http://developer.android.com/reference/android/content/res/Configuration.html#UI_MODE_TYPE_CAR">Resources, 111</a>].</p>
+infotainment functionality. Android Automotive implementations:</p>
+
+<ul>
+ <li>MUST declare the feature android.hardware.type.automotive.</li>
+ <li>MUST support
+uiMode = UI_MODE_TYPE_CAR [<a
+href="http://developer.android.com/reference/android/content/res/Configuration.html#UI_MODE_TYPE_CAR">Resources,
+ 111</a>].</li>
+<ul>
<p>All Android device implementations that do not fit into any of the above device
types still MUST meet all requirements in this document to be Android ANDROID_VERSION
@@ -587,13 +621,13 @@
<td>VERSION.SDK</td>
<td>The version of the currently-executing Android system, in a format accessible
to third-party application code. For Android ANDROID_VERSION, this field MUST have the
-integer value 22.</td>
+integer value ANDROID_VERSION_INT.</td>
</tr>
<tr>
<td>VERSION.SDK_INT</td>
<td>The version of the currently-executing Android system, in a format accessible
to third-party application code. For Android ANDROID_VERSION, this field MUST have the
-integer value 22.</td>
+integer value ANDROID_VERSION_INT.</td>
</tr>
<tr>
<td>VERSION.INCREMENTAL</td>
@@ -653,17 +687,17 @@
<tr>
<td>FINGERPRINT</td>
<td>A string that uniquely identifies this build. It SHOULD be reasonably
-human-readable. It MUST follow this template:</p>
-
-<p class="small">$(BRAND)/$(PRODUCT)/$(DEVICE):$(VERSION.RELEASE)/$(ID)/$(VERSION.INCREMENTAL):$(TYPE)/$(TAGS)</p>
-
-<p>For example: acme/myproduct/mydevice:ANDROID_VERSION/LMYXX/3359:userdebug/test-keys</p>
-
+human-readable. It MUST follow this template:
+<p class="small">$(BRAND)/$(PRODUCT)/<br>
+ $(DEVICE):$(VERSION.RELEASE)/$(ID)/$(VERSION.INCREMENTAL):$(TYPE)/$(TAGS)</p>
+<p>For example:</p>
+<p class="small">acme/myproduct/<br>
+ mydevice:ANDROID_VERSION/LMYXX/3359:userdebug/test-keys</p>
<p>The fingerprint MUST NOT include whitespace characters. If other fields
included in the template above have whitespace characters, they MUST be
replaced in the build fingerprint with another character, such as the
underscore ("_") character. The value of this field MUST be encodable as 7-bit
-ASCII.</td>
+ASCII.</p></td>
</tr>
<tr>
<td>HARDWARE</td>
@@ -708,7 +742,8 @@
</tr>
<tr>
<td>SERIAL</td>
- <td>A hardware serial number, which MUST be available. The value of this field MUST
+ <td>A hardware serial number, which MUST be available and unique across
+devices with the same MODEL and MANUFACTURER. The value of this field MUST
be encodable as 7-bit ASCII and match the regular expression “^([a-zA-Z0-9]{6,20})$”.</td>
</tr>
<tr>
@@ -734,6 +769,20 @@
There are no requirements on the specific format of this field, except that it
MUST NOT be null or the empty string ("").</td>
</tr>
+ <tr>
+ <td>SECURITY_PATCH</td>
+ <td>An value indicating the security patch level of a build. It MUST signify that the
+build includes all security patches issued up through the designated Android Public
+Security Bulletin. It MUST be in the format, [YYYY-MM-DD], matching the Public Security
+Bulletin's broadcast date, for example [2015-10-01].</td>
+ </tr>
+ <tr>
+ <td>BASE_OS</td>
+ <td>An value representing the FINGERPRINT parameter of the build that is otherwise
+ identical to this build except for the patches provided in the Android Public
+ Security Bulletin. It MUST report the correct value and if such a build does not
+ exist, report an emtpy string ("").</td>
+ </tr>
</table>
@@ -862,9 +911,13 @@
android.os.Build.SUPPORTED_32_BIT_ABIS, and
android.os.Build.SUPPORTED_64_BIT_ABIS parameters, each a comma separated list
of ABIs ordered from the most to the least preferred one</li>
- <li>MUST report, via the above parameters, only those ABIs documented in the latest
-version of the Android NDK, “NDK Programmer’s Guide | ABI Management” in docs/
-directory</li>
+ <li>MUST report, via the above parameters, only those ABIs documented and
+described in the latest version of the Android NDK ABI Management documentation
+[<a href="https://developer.android.com/ndk/guides/abis.html">Resources, XX</a>],
+and MUST include support for the Advanced SIMD (a.k.a. NEON)
+[<a href="http://infocenter.arm.com/help/index.jsp?topic=/com.arm.doc.ddi0388f/Beijfcja.html">Resources,XX</a>]
+extension
+ </li>
<li>SHOULD be built using the source code and header files available in the
upstream Android Open Source Project</li>
</ul>
@@ -903,8 +956,11 @@
versions and extensions actually supported by the device must be fully
implemented.</p>
+<p>Device implementations MUST NOT include a native library with the
+name libvulkan.so.</p>
+
<p>Native code compatibility is challenging. For this reason, device implementers
-are <strong>very strongly encouraged</strong> to use the implementations of the libraries listed above from the upstream
+are <strong>STRONGLY RECOMMENDED</strong> to use the implementations of the libraries listed above from the upstream
Android Open Source Project. </p>
<h3 id="3_3_2_32-bit_arm_native_code_compatibility">
@@ -962,14 +1018,12 @@
build from the upstream Android Open Source Project for Android ANDROID_VERSION. This build
includes a specific set of functionality and security fixes for the WebView [<a href="http://www.chromium.org/">Resources, 13</a>].</li>
<li>The user agent string reported by the WebView MUST be in this format:
-<p>Mozilla/5.0 (Linux; Android $(VERSION); $(MODEL) Build/$(BUILD)$(WEBVIEW))
+<p>Mozilla/5.0 (Linux; Android $(VERSION); $(MODEL) Build/$(BUILD); wv)
AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 $(CHROMIUM_VER) Mobile
Safari/537.36</p>
<ul>
<li>The value of the $(VERSION) string MUST be the same as the value for
android.os.Build.VERSION.RELEASE.</li>
- <li>The $(WEBVIEW) string MAY be omitted, but if included MUST be "; wv" to
- note that this is a webview</li>
<li>The value of the $(MODEL) string MUST be the same as the value for
android.os.Build.MODEL.</li>
<li>The value of the $(BUILD) string MUST be the same as the value for
@@ -1116,7 +1170,52 @@
<th>Minimum Application Memory</th>
</tr>
<tr>
- <td rowspan="10">small/normal</td>
+ <td rowspan="12">Android Watch</td>
+ <td>120 dpi (ldpi)</td>
+ <td rowspan="3">32MB</td>
+ </tr>
+ <tr>
+ <td>160 dpi (mdpi)</td>
+ </tr>
+ <tr>
+ <td>213 dpi (tvdpi)</td>
+ </tr>
+ <tr>
+ <td>240 dpi (hdpi)</td>
+ <td rowspan="2">36MB</td>
+ </tr>
+ <tr>
+ <td>280 dpi (280dpi)</td>
+ </tr>
+ <tr>
+ <td>320 dpi (xhdpi)</td>
+ <td rowspan="2">48MB</td>
+ </tr>
+ <tr>
+ <td>360 dpi (360dpi)</td>
+ </tr>
+ <tr>
+ <td>400 dpi (400dpi)</td>
+ <td>56MB</td>
+ </tr>
+ <tr>
+ <td>420 dpi (420dpi)</td>
+ <td>64MB</td>
+ </tr>
+ <tr>
+ <td>480 dpi (xxhdpi)</td>
+ <td>88MB</td>
+ </tr>
+ <tr>
+ <td>560 dpi (560dpi)</td>
+ <td>112MB</td>
+ </tr>
+ <tr>
+ <td>640 dpi (xxxhdpi)</td>
+ <td>154MB</td>
+ </tr>
+ <tr>
+ <td rowspan="12">small/normal</td>
<td>120 dpi (ldpi)</td>
<td rowspan="2">32MB</td>
</tr>
@@ -1135,13 +1234,20 @@
</tr>
<tr>
<td>320 dpi (xhdpi)</td>
- <td>80MB</td>
+ <td rowspan="2">80MB</td>
+ </tr>
+ <tr>
+ <td>360 dpi (360dpi)</td>
</tr>
<tr>
<td>400 dpi (400dpi)</td>
<td>96MB</td>
</tr>
<tr>
+ <td>420 dpi (420dpi)</td>
+ <td>112MB</td>
+ </tr>
+ <tr>
<td>480 dpi (xxhdpi)</td>
<td>128MB</td>
</tr>
@@ -1154,7 +1260,7 @@
<td>256MB</td>
</tr>
<tr>
- <td rowspan="10">large</td>
+ <td rowspan="12">large</td>
<td>120 dpi (ldpi)</td>
<td>32MB</td>
</tr>
@@ -1178,10 +1284,18 @@
<td>128MB</td>
</tr>
<tr>
+ <td>360 dpi (360dpi)</td>
+ <td>160MB</td>
+ </tr>
+ <tr>
<td>400 dpi (400dpi)</td>
<td>192MB</td>
</tr>
<tr>
+ <td>420 dpi (420dpi)</td>
+ <td>228MB</td>
+ </tr>
+ <tr>
<td>480 dpi (xxhdpi)</td>
<td>256MB</td>
</tr>
@@ -1194,7 +1308,7 @@
<td>512MB</td>
</tr>
<tr>
- <td rowspan="10">xlarge</td>
+ <td rowspan="12">xlarge</td>
<td>120 dpi (ldpi)</td>
<td>48MB</td>
</tr>
@@ -1218,10 +1332,18 @@
<td>192MB</td>
</tr>
<tr>
+ <td>360 dpi (360dpi)</td>
+ <td>240MB</td>
+ </tr>
+ <tr>
<td>400 dpi (400dpi)</td>
<td>288MB</td>
</tr>
<tr>
+ <td>420 dpi (420dpi)</td>
+ <td>336MB</td>
+ </tr>
+ <tr>
<td>480 dpi (xxhdpi)</td>
<td>384MB</td>
</tr>
@@ -1256,7 +1378,7 @@
<p>Android defines a component type and corresponding API and lifecycle that
-allows applications to expose an “AppWidget” to the end user [<a href="http://developer.android.com/guide/practices/ui_guidelines/widget_design.html">Resources, 21</a>] a feature that is strongly RECOMMENDED to be supported on Handheld Device
+allows applications to expose an “AppWidget” to the end user [<a href="http://developer.android.com/guide/practices/ui_guidelines/widget_design.html">Resources, 21</a>] a feature that is STRONGLY RECOMMENDED to be supported on Handheld Device
implementations. Device implementations that support embedding widgets on the
home screen MUST meet the following requirements and declare support for
platform feature android.software.app_widgets.</p>
@@ -1367,14 +1489,17 @@
implementations MAY modify the Device Default theme attributes exposed to
applications [<a href="http://developer.android.com/reference/android/R.style.html">Resources, 29</a>].</p>
-<p>Android supports a new variant theme with translucent system bars, which allows
+<p>Android supports a variant theme with translucent system bars, which allows
application developers to fill the area behind the status and navigation bar
with their app content. To enable a consistent developer experience in this
configuration, it is important the status bar icon style is maintained across
different device implementations. Therefore, Android device implementations
MUST use white for system status icons (such as signal strength and battery
level) and notifications issued by the system, unless the icon is indicating a
-problematic status [<a href="http://developer.android.com/reference/android/R.style.html">Resources, 29</a>].</p>
+problematic status or an app requests a light status bar using the
+SYSTEM_UI_FLAG_LIGHT_STATUS_BAR flag. When an app requests a light status bar,
+Android device implementations MUST change the color of the system status icons
+to black [<a href="http://developer.android.com/reference/android/R.style.html">Resources, 29</a>].</p>
<h3 id="3_8_7_live_wallpapers">3.8.7. Live Wallpapers</h3>
@@ -1422,7 +1547,7 @@
interacts with screens.</li>
</ul>
-<p>Device implementations are STRONGLY ENCOURAGED to use the upstream Android user
+<p>Device implementations are STRONGLY RECOMMENDED to use the upstream Android user
interface (or a similar thumbnail-based interface) for the overview screen.</p>
<h3 id="3_8_9_input_management">3.8.9. Input Management</h3>
@@ -1480,7 +1605,6 @@
<h2 id="3_9_device_administration">3.9. Device Administration</h2>
-
<p>Android includes features that allow security-aware applications to perform
device administration functions at the system level, such as enforcing password
policies or performing remote wipe, through the Android Device Administration
@@ -1493,9 +1617,86 @@
[<a href="http://developer.android.com/guide/topics/admin/device-admin.html">Resources, 39</a>]
and report the platform feature android.software.device_admin.</p>
-<p>Device implementations MAY have a preinstalled application performing device
-administration functions but this application MUST NOT be set out-of-the box as
-the default Device Owner app [<a href="http://developer.android.com/reference/android/app/admin/DevicePolicyManager.html#isDeviceOwnerApp(java.lang.String)">Resources, 41</a>].</p>
+<h3 id="3_9_1_device_provisioning">3.9.1 Device Provisioning</h3>
+<h4 id="3_9_1_1_device_owner_provisioning">3.9.1.1 Device owner provisioning</h4>
+<p>If a device implementation declares the android.software.device_admin feature,
+the out of box setup flow MUST make it possible to enroll a Device Policy
+Controller (DPC) application as the Device Owner app
+[<a href="http://developer.android.com/reference/android/app/admin/DevicePolicyManager.html#isDeviceOwnerApp(java.lang.String)">
+Resources, XX</a>]. Device implementations MAY have a preinstalled application
+performing device administration functions but this application MUST NOT be set
+as the Device Owner app without explicit consent or action from the user or the
+administrator of the device.</p>
+
+<p>The device owner provisioning process (the flow initiated by
+android.app.action.PROVISION_MANAGED_DEVICE
+[<a href="http://developer.android.com/reference/android/app/admin/DevicePolicyManager.html#ACTION_PROVISION_MANAGED_DEVICE">
+Resources, XX</a>]) user experience MUST align with the AOSP implementation</p>
+
+<p>If the device implementation reports android.hardware.nfc, it MUST have NFC
+enabled, even during the out-of-box setup flow, in order to allow for NFC
+provisioning of Device owners
+<a href="https://source.android.com/devices/tech/admin/provision.html#device_owner_provisioning_via_nfc">[Resources, XX]</a>.
+</p>
+
+<h4 id="3_9_1_2_managed_profile_provisioning">3.9.1.2 Managed profile provisioning</h4>
+<p>If a device implementation declares the android.software.managed_users,
+it MUST be possible to enroll a Device Policy Controller (DPC) application
+as the owner of a new Managed Profile
+[<a href="http://developer.android.com/reference/android/app/admin/DevicePolicyManager.html#isProfileOwnerApp(java.lang.String)">
+Resources, XX</a>]</p>
+
+<p>The managed profile provisioning process (the flow initiated by
+android.app.action.PROVISION_MANAGED_PROFILE
+[<a href="http://developer.android.com/reference/android/app/admin/DevicePolicyManager.html#ACTION_PROVISION_MANAGED_PROFILE">
+Resources, XX</a>]) user experience MUST align with the AOSP implementation
+</p>
+
+
+<h2 id="3_9_2_managed_profile_support">3.9.2 Managed Profile Support</h2>
+
+<p>Managed profile capable devices are those devices that:</p>
+<ul>
+ <li>Declare android.software.device_admin (see <a href="#3_9_device_administration">section 3.9 Device Administration)</a></li>
+ <li>Are not low RAM devices (see <a href="#7_6_1_minimum_memory_and_storage">section 7.6.1</a></li>
+ <li>Allocate internal (non-removable) storage as shared storage (see
+ <a href="#7_6_2_application_shared_storage">section 7.6.2</a>)</li>
+</ul>
+<p>Managed profile capable devices MUST:</p>
+<ul>
+ <li>Declare the platform feature flag android.software.managed_users.</li>
+ <li>Support managed profiles via the android.app.admin.DevicePolicyManager APIs</li>
+ <li>Allow a managed profile to be created [<a href="http://developer.android.com/reference/android/app/admin/DevicePolicyManager.html#ACTION_PROVISION_MANAGED_PROFILE"> Resources, XX</a>]</li>
+ <li>Use an icon badge (similar to the AOSP upstream work badge) to represent
+the managed applications and widgets and other badged UI elements like Recents
+& Notifications</li>
+ <li>Display a notification icon (similar to the AOSP upstream work badge) to
+indicate when user is within a managed profile application</li>
+ <li>Display a toast indicating that the user is in the managed profile if and when the
+device wakes up (ACTION_USER_PRESENT) and the foreground application is within
+the managed profile</li>
+ <li>Where a managed profile exists, show a visual affordance in the Intent
+'Chooser' to allow the user to forward the intent from the managed to the personal
+profiles or vice versa, if enabled by the Device Policy Controller</li>
+ <li>Expose the following user affordances for both primary and managed profiles
+(when they exist):
+ <ul>
+ <li>Separate accounting for battery, location, mobile data and storage usage
+ for the primary and managed profiles</li>
+ <li>Independent management of VPN Applications installed within the primary
+ or managed profiles</li>
+ <li>Independent management of applications installed within the primary or
+ managed profiles</li>
+ <li>Independent management of user accounts within the primary or managed
+ profiles</li>
+ </ul>
+ </li>
+ <li>Ensure the default dialer can look up caller information from the managed
+profile (if one exists) alongside those from the primary profile</li>
+ <li>Ensure that all the security requirements for multi user (see
+<a href="#9_5_multi-user_support">section 9.5</a>) apply to
+managed profiles.</li>
+</ul>
<h2 id="3_10_accessibility">3.10. Accessibility</h2>
@@ -1569,11 +1770,72 @@
<p>The Android Television Input Framework (TIF) simplifies the delivery of live
content to Android Television devices. TIF provides a standard API to create
input modules that control Android Television devices. Android Television
-device implementations MUST support Television Input Framework [<a href="http://source.android.com/devices/tv/index.html">Resources, 46</a>].</p>
+device implementations MUST support TV Input Framework
+[<a href="http://source.android.com/devices/tv/index.html">Resources, 46</a>].</p>
<p>Device implementations that support TIF MUST declare the platform feature
android.software.live_tv.</p>
+<h3 id="3_12_1_tv_app">3.12.1. TV App</h3>
+
+<p>Any device implementation that declares support for Live TV MUST have an
+installed TV application (TV App). The Android Open Source Project provides an implementation of the TV
+App.</p>
+
+<p>The TV App MUST provide facilities to install and use TV Channels
+[<a href="http://developer.android.com/reference/android/media/tv/TvContract.Channels.html">Resources, XX</a>]
+ and meet the following requirements:</p>
+
+<ul>
+ <li>Device implementations MUST allow third-party TIF-based inputs (third-party inputs)
+[<a href="https://source.android.com/devices/tv/index.html#third-party_input_example">Resources, XX</a>]
+ to be installed and managed.
+ <li>Device implementations MAY provide visual separation between pre-installed
+ TIF-based inputs (installed inputs)
+[<a href="https://source.android.com/devices/tv/index.html#tv_inputs">Resources, XX</a>]
+ and third-party inputs.
+ <li>The device implementations MUST NOT display the third-party inputs more than a
+single navigation action away from the TV App (i.e. expanding a list of
+third-party inputs from the TV App).
+</ul>
+
+<h4 id="3_12_1_1_electronic_program_guide">3.12.1.1. Electronic Program Guide</h4>
+
+<p>Android Television device implementations MUST show an informational and
+interactive overlay, which MUST include an electronic program guide (EPG)
+generated from the values in the TvContract.Programs fields
+[<a href="https://developer.android.com/reference/android/media/tv/TvContract.Programs.html">Resources, XX</a>].
+ The EPG MUST meet the following requirements:</p>
+
+<ul>
+ <li>The EPG MUST display information from all installed inputs and third-party
+inputs.
+ <li>The EPG MAY provide visual separation between the installed inputs and
+third-party inputs.
+ <li>The EPG is STRONGLY RECOMMENDED to display installed inputs and third-party
+inputs with equal prominence. The EPG MUST NOT display the third-party inputs
+more than a single navigation action away from the installed inputs on the EPG.
+ <li>On channel change, device implementations MUST display EPG data for the
+currently playing program.
+</ul>
+
+<h4 id="3_12_1_2_navigation">3.12.1.2. Navigation</h4>
+
+<p>Android Television device input devices (i.e. remote control, remote control
+application, or game controller) MUST allow navigation to all actionable
+sections of the screen via the D-pad. D-pad up and down MUST be used to change
+live TV channels when there is no actionable section on the screen.</p>
+
+<p>The TV App SHOULD pass key events to HDMI inputs through CEC.</p>
+
+<h4 id="3_12_1_3_tv_input_app_linking">3.12.1.3. TV input app linking</h4>
+
+<p>Android Television device implementations MUST support TV input app linking,
+which allows all inputs to provide activity links from the current activity to
+another activity (i.e. a link from live programming to related content)
+[<a href="http://developer.android.com/reference/android/media/tv/TvContract.Channels.html#COLUMN_APP_LINK_INTENT_URI">Resources, XX</a>].
+ The TV App MUST show TV input app linking when it is provided.</p>
+
<h1 id="4_application_packaging_compatibility">4. Application Packaging Compatibility</h1>
@@ -1590,13 +1852,14 @@
<p>Device implementations MUST support the core media formats specified in the
-Android SDK documentation [<a href="http://developer.android.com/guide/appendix/media-formats.html">Resources, 50</a>] except where explicitly permitted in this document. Specifically, device
+Android SDK documentation [<a href="http://developer.android.com/guide/appendix/media-formats.html">Resources, 50</a>]
+except where explicitly permitted in this document. Specifically, device
implementations MUST support the media formats, encoders, decoders, file types,
and container formats defined in the tables below and reported via MediaCodecList
[<a href="http://developer.android.com/reference/android/media/MediaCodecList.html">Resources,112</a>].
Device implementations MUST also be able to decode all profiles reported in its CamcorderProfile
[<a href="http://developer.android.com/reference/android/media/CamcorderProfile.html">Resources,
-113</a>].
+113</a>] and MUST be able to decode all formats it can encode.
All of these codecs are
provided as software implementations in the preferred Android implementation
@@ -1619,9 +1882,9 @@
<th>Supported File Types/Container Formats</th>
</tr>
<tr>
- <td>MPEG-4 AAC Profile</p>
+ <td>MPEG-4 AAC Profile<br />
-<p>(AAC LC)</td>
+(AAC LC)</td>
<td>REQUIRED<sup>1</sup></td>
<td>REQUIRED</td>
<td>Support for mono/stereo/5.0/5.1<sup>2</sup> content with standard sampling rates from 8 to
@@ -1643,9 +1906,9 @@
<td></td>
</tr>
<tr>
- <td>MPEG-4 HE AACv2</p>
+ <td>MPEG-4 HE AACv2<br />
-<p>Profile (enhanced AAC+)</td>
+Profile (enhanced AAC+)</td>
<td> </td>
<td>REQUIRED</td>
<td>Support for mono/stereo/5.0/5.1<sup>2</sup> content with standard sampling rates from 16
@@ -1654,12 +1917,12 @@
</tr>
<tr>
<td>AAC ELD (enhanced low delay AAC)</td>
- <td>REQUIRED<sup>1</sup> </p>
+ <td>REQUIRED<sup>1</sup> <br />
-<p>(Android 4.1+)</td>
- <td>REQUIRED</p>
+(Android 4.1+)</td>
+ <td>REQUIRED<br />
-<p>(Android 4.1+)</td>
+(Android 4.1+)</td>
<td>Support for mono/stereo content with standard sampling rates from 16 to 48 kHz.</td>
<td></td>
</tr>
@@ -1667,14 +1930,14 @@
<td>AMR-NB</td>
<td>REQUIRED<sup>3</sup></td>
<td>REQUIRED<sup>3</sup></td>
- <td>4.75 to 12.2 kbps sampled @ 8kHz</td>
+ <td>4.75 to 12.2 kbps sampled @ 8 kHz</td>
<td>3GPP (.3gp)</td>
</tr>
<tr>
<td>AMR-WB</td>
<td>REQUIRED<sup>3</sup></td>
<td>REQUIRED<sup>3</sup></td>
- <td>9 rates from 6.60 kbit/s to 23.85 kbit/s sampled @ 16kHz</td>
+ <td>9 rates from 6.60 kbit/s to 23.85 kbit/s sampled @ 16 kHz</td>
<td></td>
</tr>
<tr>
@@ -1682,8 +1945,8 @@
<td></td>
<td>REQUIRED <br>(Android 3.1+)</td>
<td>Mono/Stereo (no multichannel). Sample rates up to 48 kHz (but up to 44.1 kHz is
-recommended on devices with 44.1 kHz output, as the 48 to 44.1 kHz downsampler
-does not include a low-pass filter). 16-bit recommended; no dither applied for
+RECOMMENDED on devices with 44.1 kHz output, as the 48 to 44.1 kHz downsampler
+does not include a low-pass filter). 16-bit RECOMMENDED; no dither applied for
24-bit.</td>
<td>FLAC (.flac) only</td>
</tr>
@@ -1795,8 +2058,6 @@
<h3 id="5_1_3_video_codecs">5.1.3. Video Codecs</h3>
-<p>Video codecs are optional for Android Watch device implementations.</p>
-
<table>
<tr>
<th>Format/Codec</th>
@@ -1822,7 +2083,7 @@
<td><ul>
<li class="table_list">3GPP (.3gp)</li>
<li class="table_list">MPEG-4 (.mp4)</li>
- <li class="table_list">MPEG-TS (.ts, AAC audio only, not seekable, Android 3.0+)</li></ul></td>
+ <li class="table_list">MPEG-2 TS (.ts, AAC audio only, not seekable, Android 3.0+)</li></ul></td>
</tr>
<tr>
<td>H.265 HEVC</td>
@@ -1831,6 +2092,13 @@
<td>See <a href="#5_3_video_decoding">section 5.3</a> for details</td>
<td>MPEG-4 (.mp4)</td>
</tr>
+<tr>
+ <td>MPEG-2</td>
+ <td></td>
+ <td>STRONGLY RECOMMENDED<sup>6</sup></td>
+ <td>Main Profile</td>
+ <td>MPEG2-TS</td>
+</tr>
<tr>
<td>MPEG-4 SP</td>
<td></td>
@@ -1840,12 +2108,12 @@
</tr>
<tr>
<td>VP8<sup>3</sup></td>
- <td>REQUIRED<sup>2</sup></p>
+ <td>REQUIRED<sup>2</sup><br />
-<p>(Android 4.3+)</td>
- <td>REQUIRED<sup>2</sup></p>
+(Android 4.3+)</td>
+ <td>REQUIRED<sup>2</sup><br />
-<p>(Android 2.3.3+)</td>
+(Android 2.3.3+)</td>
<td>See <a href="#5_2_video_encoding">section 5.2</a> and <a href="#5_3_video_decoding">5.3</a> for details</td>
<td><ul>
<li class="table_list">WebM (.webm) [<a href="http://www.webmproject.org/">Resources, 110</a></li>
@@ -1874,7 +2142,9 @@
<p class="table_footnote">4 Device implementations SHOULD support writing Matroska WebM files.</p>
-<p class="table_footnote">5 Strongly recommended for Android Automotive, optional for Android Watch, and required for all other device types.</p>
+<p class="table_footnote">5 STRONGLY RECOMMENDED for Android Automotive, optional for Android Watch, and required for all other device types.</p>
+
+<p class="table_footnote">6 Applies only to Android Television device implementations.</p>
<h2 id="5_2_video_encoding">5.2. Video Encoding</h2>
@@ -1882,19 +2152,20 @@
<p>Video codecs are optional for Android Watch device implementations.</p>
</div>
+<p>Android device implementations with H.263 encoders, MUST support Baseline Profile Level 45.</p>
<p>Android device implementations with H.264 codec support, MUST support Baseline
Profile Level 3 and the following SD (Standard Definition) video encoding
profiles and SHOULD support Main Profile Level 4 and the following HD (High
-Definition) video encoding profiles. Android Television devices are STRONGLY
-RECOMMENDED to encode HD 1080p video at 30 fps.</p>
+Definition) video encoding profiles. Android Television devices are STRONGLY RECOMMENDED
+to encode HD 1080p video at 30 fps.</p>
<table>
<tr>
<th></th>
<th>SD (Low quality)</th>
<th>SD (High quality)</th>
- <th>HD 720p1</th>
- <th>HD 1080p1</th>
+ <th>HD 720p<sup>1</sup></th>
+ <th>HD 1080p<sup>1</sup></th>
</tr>
<tr>
<th>Video resolution</th>
@@ -1931,8 +2202,8 @@
<th></th>
<th>SD (Low quality)</th>
<th>SD (High quality)</th>
- <th>HD 720p1</th>
- <th>HD 1080p1</th>
+ <th>HD 720p<sup>1</sup></th>
+ <th>HD 1080p<sup>1</sup></th>
</tr>
<tr>
<th>Video resolution</th>
@@ -1965,22 +2236,27 @@
<p>Video codecs are optional for Android Watch device implementations.</p>
</div>
-
<p>Device implementations MUST support dynamic video resolution switching within
the same stream for all VP8, VP9, H.264, and H.265 codecs exposed through the
standard Android APIs.</p>
-<p>Android device implementations with H.264 decoders, MUST support Baseline
-Profile Level 3 and the following SD video decoding profiles and SHOULD support
-the HD decoding profiles. Android Television devices MUST support High Profile
+<p>Android device implementations with H.263 decoders, MUST support Baseline
+Profile Level 30.</p>
+
+<p>Android device implementations with MPEG-4 decoders, MUST support Simple
+Profile Level 3.</p>
+
+<p>Android device implementations with H.264 decoders, MUST support Main Profile
+Level 3 and the following SD video decoding profiles and SHOULD support the
+HD decoding profiles. Android Television devices MUST support High Profile
Level 4.2 and the HD 1080p decoding profile.</p>
<table>
<tr>
<th></th>
<th>SD (Low quality)</th>
<th>SD (High quality)</th>
- <th>HD 720p1</th>
- <th>HD 1080p1</th>
+ <th>HD 720p<sup>1</sup></th>
+ <th>HD 1080p<sup>1</sup></th>
</tr>
<tr>
<th>Video resolution</th>
@@ -1993,8 +2269,8 @@
<th>Video frame rate</th>
<td>30 fps</td>
<td>30 fps</td>
- <td>30 fps / 60 fps2</td>
- <td>30 fps / 60 fps2</td>
+ <td>60 fps</td>
+ <td>30 fps / 60 fps<sup>2</sup></td>
</tr>
<tr>
<th>Video bitrate</th>
@@ -2019,8 +2295,8 @@
<th></th>
<th>SD (Low quality)</th>
<th>SD (High quality)</th>
- <th>HD 720p1</th>
- <th>HD 1080p1</th>
+ <th>HD 720p<sup>1</sup></th>
+ <th>HD 1080p<sup>1</sup></th>
</tr>
<tr>
<th>Video resolution</th>
@@ -2033,8 +2309,8 @@
<th>Video frame rate</th>
<td>30 fps</td>
<td>30 fps</td>
- <td>30 fps / 60 fps2</td>
- <td>30 / 60 fps2</td>
+ <td>30 fps / 60 fps<sup>2</sup></td>
+ <td>30 / 60 fps<sup>2</sup></td>
</tr>
<tr>
<th>Video bitrate</th>
@@ -2054,16 +2330,16 @@
<p>Android device implementations, when supporting VP9 codec as described in <a href="#5_1_3_video_codecs">section 5.1.3</a>, MUST support the following SD video decoding profiles and SHOULD support the
HD decoding profiles. Android Television devices are STRONGLY RECOMMENDED to
support the HD 1080p decoding profile and SHOULD support the UHD decoding
-profile. When the UHD video decoding profile is supported, it MUST support 8
-bit color depth.</p>
+profile. When the UHD video decoding profile is supported, it MUST support 8-bit
+color depth and SHOULD support VP9 Profile 2 (10-bit).</p>
<table>
<tr>
<th></th>
<th>SD (Low quality)</th>
<th>SD (High quality)</th>
- <th>HD 720p 1</th>
- <th>HD 1080p 2</th>
- <th>UHD 2</th>
+ <th>HD 720p<sup>1</sup></th>
+ <th>HD 1080p<sup>2</sup></th>
+ <th>UHD<sup>2</sup></th>
</tr>
<tr>
<th>Video resolution</th>
@@ -2078,8 +2354,55 @@
<td>30 fps</td>
<td>30 fps</td>
<td>30 fps</td>
+ <td>60 fps</td>
+ <td>60 fps</td>
+ </tr>
+ <tr>
+ <th>Video bitrate</th>
+ <td>600 Kbps</td>
+ <td>1.6 Mbps</td>
+ <td>4 Mbps</td>
+ <td>10 Mbps</td>
+ <td>20 Mbps</td>
+ </tr>
+</table>
+
+
+<p class="table_footnote">1 Required for Android Television device implementations, but for other type of
+devices only when supported by hardware.</p>
+
+<p class="table_footnote">2 STRONGLY RECOMMENDED for existing Android Television device implementations when
+supported by hardware.</p>
+
+<p>Android device implementations, when supporting H.265 codec as described in <a href="#5_1_3_video_codecs">section 5.1.3</a>, MUST support the Main Profile Level 3 Main tier and the following SD video
+decoding profiles and SHOULD support the HD decoding profiles. Android
+Television devices MUST support the Main Profile Level 4.1 Main tier and the HD
+1080p decoding profile and SHOULD support Main10 Level 5 Main Tier profile and
+the UHD decoding profile.</p>
+<table>
+ <tr>
+ <th></th>
+ <th>SD (Low quality)</th>
+ <th>SD (High quality)</th>
+ <th>HD 720p<sup>1</sup></th>
+ <th>HD 1080p<sup>1</sup></th>
+ <th>UHD<sup>2</sup></th>
+ </tr>
+ <tr>
+ <th>Video resolution</th>
+ <td>352 x 288 px</td>
+ <td>640 x 360 px</td>
+ <td>1280 x 720 px</td>
+ <td>1920 x 1080 px</td>
+ <td>3840 x 2160 px</td>
+ </tr>
+ <tr>
+ <th>Video frame rate</th>
<td>30 fps</td>
<td>30 fps</td>
+ <td>30 fps</td>
+ <td>60 fps<sup>2</sup></td>
+ <td>60 fps</td>
</tr>
<tr>
<th>Video bitrate</th>
@@ -2095,63 +2418,17 @@
<p class="table_footnote">1 Required for Android Television device implementations, but for other type of
devices only when supported by hardware.</p>
-<p class="table_footnote">2 STRONGLY RECOMMENDED for Android Television device implementations when
-supported by hardware.</p>
-
-<p>Android device implementations, when supporting H.265 codec as described in <a href="#5_1_3_video_codecs">section 5.1.3</a>, MUST support the Main Profile Level 3 Main tier and the following SD video
-decoding profiles and SHOULD support the HD decoding profiles. Android
-Television devices MUST support the Main Profile Level 4.1 Main tier and the HD
-1080p decoding profile and SHOULD support Main10 Level 5 Main Tier profile and
-the UHD decoding profile.</p>
-<table>
- <tr>
- <th></th>
- <th>SD (Low quality)</th>
- <th>SD (High quality)</th>
- <th>HD 720p </strong>1 </td>
- <th>HD 1080p </strong>1 </td>
- <th>UHD </strong>2</td>
- </tr>
- <tr>
- <th>Video resolution</th>
- <td>352 x 288 px</td>
- <td>640 x 360 px</td>
- <td>1280 x 720 px</td>
- <td>1920 x 1080 px</td>
- <td>3840 x 2160 px</td>
- </tr>
- <tr>
- <th>Video frame rate</th>
- <td>30 fps</td>
- <td>30 fps</td>
- <td>30 fps</td>
- <td>30 fps</td>
- <td>30 fps</td>
- </tr>
- <tr>
- <th>Video bitrate</th>
- <td>600 Kbps </td>
- <td>1.6 Mbps</td>
- <td>4 Mbps</td>
- <td>10 Mbps</td>
- <td>20 Mbps</td>
- </tr>
-</table>
-
-
-<p class="table_footnote">1 Required for Android Television device implementation, but for other type of
-devices only when supported by hardware.</p>
-
-<p class="table_footnote">2 Required for Android Television device implementations when supported by
-hardware.</p>
+<p class="table_footnote">2 STRONGLY RECOMMENDED
+for existing Android Television device implementations when supported by hardware.</p>
<h2 id="5_4_audio_recording">5.4. Audio Recording</h2>
<p>While some of the requirements outlined in this section are stated as SHOULD
since Android 4.3, the Compatibility Definition for a future version is planned
-to change these to MUST. Existing and new Android devices are <strong>very strongly encouraged</strong> to meet these requirements, or they will not be able to attain Android
-compatibility when upgraded to the future version.</p>
+to change these to MUST. Existing and new Android devices are <strong>STRONGLY RECOMMENDED</strong>
+to meet these requirements, or they will not be able to attain Android compatibility when upgraded
+to the future version.</p>
<h3 id="5_4_1_raw_audio_capture">5.4.1. Raw Audio Capture</h3>
@@ -2165,6 +2442,9 @@
<li><strong>Channels</strong>: Mono
</ul>
+<p>The capture for the above sample rates MUST be done without up-sampling, and
+any down-sampling MUST include an appropriate anti-aliasing filter.</p>
+
<p>Device implementations that declare android.hardware.microphone SHOULD allow
capture of raw audio content with the following characteristics:</p>
@@ -2174,6 +2454,11 @@
<li><strong>Channels</strong>: Stereo
</ul>
+<p>If capture for the above sample rates is supported,
+then the capture MUST be done without up-sampling at any ratio higher than 16000:22050
+or 44100:48000.
+Any up-sampling or down-sampling MUST include an appropriate anti-aliasing filter.</p>
+
<h3 id="5_4_2_capture_for_voice_recognition">5.4.2. Capture for Voice Recognition</h3>
@@ -2188,7 +2473,7 @@
source at 1000 Hz yields RMS of 2500 for 16-bit samples.
<li>PCM amplitude levels SHOULD linearly track input SPL changes over at least a 30
dB range from -18 dB to +12 dB re 90 dB SPL at the microphone.
- <li>Total harmonic distortion SHOULD be less than 1% for 1Khz at 90 dB SPL input
+ <li>Total harmonic distortion SHOULD be less than 1% for 1 kHz at 90 dB SPL input
level at the microphone.
<li>Noise reduction processing, if present, MUST be disabled.
<li>Automatic gain control, if present, MUST be disabled
@@ -2289,13 +2574,16 @@
<li><strong>continuous input latency</strong>. The input latency for subsequent frames, while the device is capturing audio.</li>
<li><strong>cold output jitter</strong>. The variance among separate measurements of cold output latency values.</li>
<li><strong>cold input jitter</strong>. The variance among separate measurements of cold input latency values.</li>
- <li><strong>continuous round-trip latency</strong>. The sum of continuous input latency plus continuous output latency plus 5
-milliseconds.</li>
+ <li><strong>continuous round-trip latency</strong>. The sum of continuous input latency plus continuous output latency plus
+ one buffer period.
+ The buffer period term allows processing time for the app and for the app to
+ mitigate phase difference between input and output streams.
+ </li>
<li><strong>OpenSL ES PCM buffer queue API</strong>. The set of PCM-related OpenSL ES APIs within Android NDK; see
NDK_root/docs/opensles/index.html.</li>
</ul>
-<p>Device implementations that declare android.hardware.audio.output SHOULD meet
+<p>Device implementations that declare android.hardware.audio.output are STRONGLY RECOMMENDED to meet
or exceed these audio output requirements:</p>
<ul>
@@ -2307,12 +2595,12 @@
<p>If a device implementation meets the requirements of this section after any
initial calibration when using the OpenSL ES PCM buffer queue API, for
continuous output latency and cold output latency over at least one supported
-audio output device, it MAY report support for low-latency audio, by reporting
+audio output device, it is STRONGLY RECOMMENDED to report support for low-latency audio, by reporting
the feature android.hardware.audio.low_latency via the
android.content.pm.PackageManager class [<a href="http://developer.android.com/reference/android/content/pm/PackageManager.html">Resources, 53</a>]. Conversely, if the device implementation does not meet these requirements it
MUST NOT report support for low-latency audio.</p>
-<p>Device implementations that include android.hardware.microphone SHOULD meet
+<p>Device implementations that include android.hardware.microphone are STRONGLY RECOMMENDED to meet
these input audio requirements:</p>
<ul>
@@ -2355,7 +2643,7 @@
If a device implementation supports the inter-app MIDI software transport
(virtual MIDI devices), and it supports MIDI over
<em>all</em> of the following MIDI-capable hardware transports
-for which it provides generic non-MIDI connectivity, it MAY report
+for which it provides generic non-MIDI connectivity, it is STRONGLY RECOMMENDED to report
support for feature android.software.midi via the
android.content.pm.PackageManager class
[<a href="http://developer.android.com/reference/android/content/pm/PackageManager.html">Resources, 53</a>].
@@ -2380,6 +2668,61 @@
over Bluetooth LE, SHOULD support MIDI over Bluetooth LE.
</p>
+<h2 id="5_10_pro_audio">5.10. Professional Audio</h2>
+
+<p>
+If a device implementation meets <em>all</em> of the following requirements,
+it is STRONGLY RECOMMENDED to report support for feature android.hardware.audio.pro via the
+android.content.pm.PackageManager class
+[<a href="http://developer.android.com/reference/android/content/pm/PackageManager.html">Resources, 53</a>].
+</p>
+
+<ul>
+
+<li>
+The device implementation MUST report support for feature android.hardware.audio.low_latency.
+</li>
+
+<li> The continuous round-trip audio latency, as defined in section 5.6 Audio Latency,
+MUST be 20 milliseconds or less and SHOULD be 10 milliseconds or less over at least one
+supported path.
+</li>
+
+<li>
+If the device includes a 4 conductor 3.5mm audio jack,
+the continuous round-trip audio latency MUST be 20 milliseconds or less over the audio jack path,
+and SHOULD be 10 milliseconds or less over at the audio jack path.
+</li>
+
+<li>
+The device implementation MUST include a USB port(s) supporting USB host mode and
+USB peripheral mode.
+</li>
+
+<li>
+The USB host mode MUST implement the USB audio class.
+</li>
+
+<li>
+If the device includes an HDMI port, the device implementation
+MUST support output in stereo and eight channels
+at 20-bit or 24-bit depth and 192 kHz without bit-depth loss or resampling.
+</li>
+
+<li>
+The device implementation MUST report support for feature android.software.midi.
+</li>
+
+<li>
+If the device includes a 4 conductor 3.5mm audio jack,
+the device implementation is STRONGLY RECOMMENDED to comply with section
+<a href="https://source.android.com/accessories/headset/specification.html#mobile_device_jack_specifications">Mobile device (jack) specifications</a>
+of the
+<a href="https://source.android.com/accessories/headset/specification.html">Wired Audio Headset Specification (v1.1)</a>.
+</li>
+
+</ul>
+
<h1 id="6_developer_tools_and_options_compatibility">6. Developer Tools and Options Compatibility</h1>
<h2 id="6_1_developer_tools">6.1. Developer Tools</h2>
@@ -2432,7 +2775,8 @@
adb tool as provided in the standard Android SDK, device implementers MUST
provide Windows drivers allowing developers to connect to the device using the
adb protocol. These drivers MUST be provided for Windows XP, Windows Vista,
-Windows 7, Windows 8, and Windows 9 in both 32-bit and 64-bit versions.</p>
+Windows 7, Windows 8 and Windows 10 in both 32-bit and 64-bit versions.
+</p>
<h2 id="6_2_developer_options">6.2. Developer Options</h2>
@@ -2573,7 +2917,9 @@
<li>240 dpi (hdpi)</li>
<li>280 dpi (280dpi)</li>
<li>320 dpi (xhdpi)</li>
+ <li>360 dpi (360dpi)</li>
<li>400 dpi (400dpi)</li>
+ <li>420 dpi (420dpi)</li>
<li>480 dpi (xxhdpi)</li>
<li>560 dpi (560dpi)</li>
<li>640 dpi (xxxhdpi)</li>
@@ -2949,7 +3295,7 @@
<table>
<tr>
<th>Button</th>
- <th>HID Usage</strong><sup>2</sup></td>
+ <th>HID Usage<sup>2</sup></th>
<th>Android Button</th>
</tr>
<tr>
@@ -2973,16 +3319,16 @@
<td>KEYCODE_BUTTON_Y (100)</td>
</tr>
<tr>
- <td><a href="http://developer.android.com/reference/android/view/KeyEvent.html#KEYCODE_DPAD_UP">D-pad up</a><sup>1</sup></p>
+ <td><a href="http://developer.android.com/reference/android/view/KeyEvent.html#KEYCODE_DPAD_UP">D-pad up</a><sup>1</sup><br />
-<p><a href="http://developer.android.com/reference/android/view/KeyEvent.html#KEYCODE_DPAD_DOWN">D-pad down</a><sup>1</sup></td>
+<a href="http://developer.android.com/reference/android/view/KeyEvent.html#KEYCODE_DPAD_DOWN">D-pad down</a><sup>1</sup></td>
<td>0x01 0x0039<sup>3</sup></td>
<td><a href="http://developer.android.com/reference/android/view/MotionEvent.html#AXIS_HAT_Y">AXIS_HAT_Y</a><sup>4</sup></td>
</tr>
<tr>
- <td><a href="http://developer.android.com/reference/android/view/KeyEvent.html#KEYCODE_DPAD_LEFT">D-pad left</a>1</p>
+ <td><a href="http://developer.android.com/reference/android/view/KeyEvent.html#KEYCODE_DPAD_LEFT">D-pad left</a>1<br />
-<p><a href="http://developer.android.com/reference/android/view/KeyEvent.html#KEYCODE_DPAD_RIGHT">D-pad right</a><sup>1</sup></td>
+<a href="http://developer.android.com/reference/android/view/KeyEvent.html#KEYCODE_DPAD_RIGHT">D-pad right</a><sup>1</sup></td>
<td>0x01 0x0039<sup>3</sup></td>
<td><a href="http://developer.android.com/reference/android/view/MotionEvent.html#AXIS_HAT_X">AXIS_HAT_X</a><sup>4</sup></td>
</tr>
@@ -3034,7 +3380,7 @@
<table>
<tr>
- <th>Analog Controls</strong><sup>1</sup></td>
+ <th>Analog Controls<sup>1</sup></th>
<th>HID Usage</th>
<th>Android Button</th>
</tr>
@@ -3050,21 +3396,21 @@
</tr>
<tr>
<td><a href="http://developer.android.com/reference/android/view/MotionEvent.html#AXIS_Y">Left Joystick</a></td>
- <td>0x01 0x0030</p>
+ <td>0x01 0x0030<br />
-<p>0x01 0x0031</td>
- <td>AXIS_X</p>
+0x01 0x0031</td>
+ <td>AXIS_X<br />
-<p>AXIS_Y</td>
+AXIS_Y</td>
</tr>
<tr>
<td><a href="http://developer.android.com/reference/android/view/MotionEvent.html#AXIS_Z">Right Joystick</a></td>
- <td>0x01 0x0032</p>
+ <td>0x01 0x0032<br />
-<p>0x01 0x0035</td>
- <td>AXIS_Z</p>
+0x01 0x0035</td>
+ <td>AXIS_Z<br />
-<p>AXIS_RZ</td>
+AXIS_RZ</td>
</tr>
</table>
@@ -3110,9 +3456,12 @@
<li>SHOULD report the event time in nanoseconds as defined in the Android SDK
documentation, representing the time the event happened and synchronized with
the SystemClock.elapsedRealtimeNano() clock. Existing and new Android devices
-are <strong>very strongly encouraged</strong> to meet these requirement so they will be able to upgrade to the future
+are <strong>STRONGLY RECOMMENDED</strong> to meet these requirement so they will be able to upgrade to the future
platform releases where this might become a REQUIRED component. The
synchronization error SHOULD be below 100 milliseconds [<a href="http://developer.android.com/reference/android/hardware/SensorEvent.html#timestamp">Resources, 75</a>].</li>
+ <li>MUST report sensor data with a maximum latency of 100 milliseconds + 2 * sample_time for the case of a sensor streamed
+ with a minimum required latency of 5 ms + 2 * sample_time when the application processor is active. This delay does not include any filtering delays.</li>
+ <li>MUST report the first sensor sample within 400 milliseconds + 2 * sample_time of the sensor being activated. It is acceptable for this sample to have an accuracy of 0.</li>
</ul>
<p>The list above is not comprehensive; the documented behavior of the Android SDK
@@ -3145,7 +3494,7 @@
<p>Device implementations SHOULD include a 3-axis accelerometer. Android Handheld
-devices and Android Watch devices are strongly encouraged to include this
+devices and Android Watch devices are STRONGLY RECOMMENDED to include this
sensor. If a device implementation does include a 3-axis accelerometer, it:</p>
<ul>
@@ -3158,7 +3507,7 @@
Android APIs [<a href="http://developer.android.com/reference/android/hardware/SensorEvent.html">Resources, 74</a>].</li>
<li>MUST be capable of measuring from freefall up to four times the gravity (4g) or
more on any axis.</li>
- <li>MUST have a resolution of at least 8-bits and SHOULD have a resolution of at
+ <li>MUST have a resolution of at least 12-bits and SHOULD have a resolution of at
least 16-bits.</li>
<li>SHOULD be calibrated while in use if the characteristics changes over the life
cycle and compensated, and preserve the compensation parameters between device
@@ -3169,15 +3518,15 @@
period of at least 3 seconds at the fastest sampling rate.</li>
<li>SHOULD implement the TYPE_SIGNIFICANT_MOTION, TYPE_TILT_DETECTOR,
TYPE_STEP_DETECTOR, TYPE_STEP_COUNTER composite sensors as described in the
-Android SDK document. Existing and new Android devices are <strong>very strongly encouraged</strong> to implement the TYPE_SIGNIFICANT_MOTION composite sensor. If any of these
+Android SDK document. Existing and new Android devices are <strong>STRONGLY RECOMMENDED</strong> to implement the TYPE_SIGNIFICANT_MOTION composite sensor. If any of these
sensors are implemented, the sum of their power consumption MUST always be less
than 4 mW and SHOULD each be below 2 mW and 0.5 mW for when the device is in a
dynamic or static condition.</li>
<li>If a gyroscope sensor is included, MUST implement the TYPE_GRAVITY and
TYPE_LINEAR_ACCELERATION composite sensors and SHOULD implement the
TYPE_GAME_ROTATION_VECTOR composite sensor. Existing and new Android devices
-are strongly encouraged to implement the TYPE_GAME_ROTATION_VECTOR sensor.</li>
- <li>SHOULD implement a TYPE_ROTATION_VECTOR composite sensor, if a gyroscope sensor
+are STRONGLY RECOMMENDED to implement the TYPE_GAME_ROTATION_VECTOR sensor.</li>
+ <li>MUST implement a TYPE_ROTATION_VECTOR composite sensor, if a gyroscope sensor
and a magnetometer sensor is also included.</li>
</ul>
@@ -3190,7 +3539,7 @@
<ul>
<li>MUST implement the TYPE_MAGNETIC_FIELD sensor and SHOULD also implement
TYPE_MAGNETIC_FIELD_UNCALIBRATED sensor. Existing and new Android devices are
-strongly encouraged to implement the TYPE_MAGNETIC_FIELD_UNCALIBRATED sensor.</li>
+STRONGLY RECOMMENDED to implement the TYPE_MAGNETIC_FIELD_UNCALIBRATED sensor.</li>
<li>MUST be able to report events up to a frequency of at least 10 Hz and SHOULD
report events up to at least 50 Hz.</li>
<li>MUST comply with the Android sensor coordinate system as detailed in the
@@ -3210,7 +3559,7 @@
<li>SHOULD have a standard deviation, calculated on a per axis basis on samples
collected over a period of at least 3 seconds at the fastest sampling rate, no
greater than 0.5 µT.</li>
- <li>SHOULD implement a TYPE_ROTATION_VECTOR composite sensor, if an accelerometer
+ <li>MUST implement a TYPE_ROTATION_VECTOR composite sensor, if an accelerometer
sensor and a gyroscope sensor is also included.</li>
<li>MAY implement the TYPE_GEOMAGNETIC_ROTATION_VECTOR sensor if an accelerometer
sensor is also implemented. However if implemented, it MUST consume less than
@@ -3234,7 +3583,7 @@
<ul>
<li>MUST implement the TYPE_GYROSCOPE sensor and SHOULD also implement
TYPE_GYROSCOPE_UNCALIBRATED sensor. Existing and new Android devices are
-strongly encouraged to implement the SENSOR_TYPE_GYROSCOPE_UNCALIBRATED sensor.</li>
+STRONGLY RECOMMENDED to implement the SENSOR_TYPE_GYROSCOPE_UNCALIBRATED sensor.</li>
<li>MUST be capable of measuring orientation changes up to 1,000 degrees per second.</li>
<li>MUST be able to report events up to a frequency of at least 50 Hz for
Android Watch devices as such devices have a stricter power constraint and
@@ -3249,12 +3598,12 @@
or rad^2 / s). The variance is allowed to vary with the sampling rate, but must
be constrained by this value. In other words, if you measure the variance of
the gyro at 1 Hz sampling rate it should be no greater than 1e-7 rad^2/s^2.</li>
- <li>SHOULD implement a TYPE_ROTATION_VECTOR composite sensor, if an accelerometer
+ <li>MUST implement a TYPE_ROTATION_VECTOR composite sensor, if an accelerometer
sensor and a magnetometer sensor is also included.</li>
<li>If an accelerometer sensor is included, MUST implement the TYPE_GRAVITY and
TYPE_LINEAR_ACCELERATION composite sensors and SHOULD implement the
TYPE_GAME_ROTATION_VECTOR composite sensor. Existing and new Android devices
-are strongly encouraged to implement the TYPE_GAME_ROTATION_VECTOR sensor.</li>
+are STRONGLY RECOMMENDED to implement the TYPE_GAME_ROTATION_VECTOR sensor.</li>
</ul>
<h3 id="7_3_5_barometer">7.3.5. Barometer</h3>
@@ -3304,6 +3653,169 @@
<li>MUST have 1-bit of accuracy or more.</li>
</ul>
+
+<h3 id="7_3_9_hifi_sensors">7.3.9. High Fidelity Sensors</h3>
+
+<p>Device implementations supporting a set of higher quality sensors that can meet all
+the requirements listed in this section MUST identify the support through the
+<code>android.hardware.sensor.hifi_sensors</code> feature flag.</p>
+
+<p>A device declaring android.hardware.sensor.hifi_sensors MUST support all of the following
+sensor types meeting the quality requirements as below:</p>
+
+<ul>
+ <li>SENSOR_TYPE_ACCELEROMETER
+ <ul>
+ <li>MUST have a measurement range between at least -8g and +8g</li>
+ <li>MUST have a measurement resolution of at least 1024 LSB/G</li>
+ <li>MUST have a minimum measurement frequency of 12.5 Hz or lower</li>
+ <li>MUST have a maxmium measurement frequency of 200 Hz or higher</li>
+ <li>MUST have a measurement noise not above 400uG/√Hz</li>
+ <li>MUST implement a non-wake-up form of this sensor with a buffering capability of at least 3000 sensor events</li>
+ <li>MUST have a batching power consumption not worse than 3 mW</li>
+ </ul>
+ </li>
+ <li>SENSOR_TYPE_GYROSCOPE
+ <ul>
+ <li>MUST have a measurement range between at least -1000 and +1000 dps</li>
+ <li>MUST have a measurement resolution of at least 16 LSB/dps</li>
+ <li>MUST have a minimum measurement frequency of 12.5 Hz or lower</li>
+ <li>MUST have a maxmium measurement frequency of 200 Hz or higher</li>
+ <li>MUST have a measurement noise not above 0.014°/s/√Hz</li>
+ </ul>
+ </li>
+ <li>SENSOR_TYPE_GYROSCOPE_UNCALIBRATED with the same quality requirements as
+ SENSOR_TYPE_GYROSCOPE</li>
+ <li>SENSOR_TYPE_GEOMAGNETIC_FIELD
+ <ul>
+ <li>MUST have a measurement range between at least -900 and +900 uT</li>
+ <li>MUST have a measurement resolution of at least 5 LSB/uT</li>
+ <li>MUST have a minimum measurement frequency of 5 Hz or lower</li>
+ <li>MUST have a maxmium measurement frequency of 50 Hz or higher</li>
+ <li>MUST have a measurement noise not above 0.5 uT</li>
+ </ul>
+ </li>
+ <li>SENSOR_TYPE_MAGNETIC_FIELD_UNCALIBRATED with the same quality requirements as
+ SENSOR_TYPE_GEOMAGNETIC_FIELD and in addition:
+ <ul>
+ <li>MUST implement a non-wake-up form of this sensor with a buffering capability of at least 600 sensor events</li>
+ </ul>
+ </li>
+ <li>SENSOR_TYPE_PRESSURE
+ <ul>
+ <li>MUST have a measurement range between at least 300 and 1100 hPa</li>
+ <li>MUST have a measurement resolution of at least 80 LSB/hPa</li>
+ <li>MUST have a minimum measurement frequency of 1 Hz or lower</li>
+ <li>MUST have a maximum measurement frequency of 10 Hz or higher</li>
+ <li>MUST have a measurement noise not above 2 Pa/√Hz</li>
+ <li>MUST implement a non-wake-up form of this sensor with a buffering capability of at least 300 sensor events</li>
+ <li>MUST have a batching power consumption not worse than 2 mW</li>
+ </ul>
+ </li>
+ <li>SENSOR_TYPE_ROTATION_VECTOR
+ <ul>
+ <li>MUST have a batching power consumption not worse than 4 mW</li>
+ </ul>
+ </li>
+ <li>SENSOR_TYPE_GAME_ROTATION_VECTOR MUST implement a non-wake-up form of this sensor with a buffering capability of at least 300 sensor events</li>
+ <li>SENSOR_TYPE_SIGNIFICANT_MOTION
+ <ul>
+ <li>MUST have a power consumption not worse than 0.5 mW when device is static
+ and 1.5 mW when device is moving</li>
+ </ul>
+ </li>
+ <li>SENSOR_TYPE_STEP_DETECTOR
+ <ul>
+ <li>MUST implement a non-wake-up form of this sensor with a buffering capability of at least 100 sensor events</li>
+ <li>MUST have a power consumption not worse than 0.5 mW when device is static
+ and 1.5 mW when device is moving</li>
+ <li>MUST have a batching power consumption not worse than 4 mW</li>
+ </ul>
+ </li>
+ <li>SENSOR_TYPE_STEP_COUNTER
+ <ul>
+ <li>MUST have a power consumption not worse than 0.5 mW when device is static
+ and 1.5 mW when device is moving</li>
+ </ul>
+ </li>
+ <li>SENSOR_TILT_DETECTOR
+ <ul>
+ <li>MUST have a power consumption not worse than 0.5 mW when device is static
+ and 1.5 mW when device is moving</li>
+ </ul>
+ </li>
+</ul>
+
+<p>Also such a device MUST meet the following sensor subsystem requirements:</p>
+
+<ul>
+ <li>The event timestamp of the same physical event reported by the Accelerometer, Gyroscope
+ sensor and Magnetometer MUST be within 2.5 milliseconds of each other.</li>
+ <li>The Gyroscope sensor event timestamps MUST be on the same time base as the camera
+ subsystem and within 1 millisconds of error.</li>
+ <li>The latency of delivery of samples to the HAL SHOULD be below 5 milliseconds from
+ the instant the data is available on the physical sensor hardware.</li>
+ <li>The power consumption MUST not be higher than 0.5 mW when device is static and 2.0 mW
+ when device is moving when any combination of the following sensors are enabled:
+ <ul>
+ <li>SENSOR_TYPE_SIGNIFICANT_MOTION</li>
+ <li>SENSOR_TYPE_STEP_DETECTOR</li>
+ <li>SENSOR_TYPE_STEP_COUNTER</li>
+ <li>SENSOR_TILT_DETECTORS</li>
+ </ul>
+ </li>
+</ul>
+
+<p>Note that all power consumption requirements in this section do not include the power
+ consumption of the Application Processor. It is inclusive of the power drawn by the entire
+ sensor chain - the sensor, any supporting circuitry, any dedicated sensor processing system,
+ etc.</p>
+
+<p>The following sensor types MAY also be supported on a device implementation declaring
+ android.hardware.sensor.hifi_sensors, but if these sensor types are present they MUST meet the
+ following minimum buffering capability requirement:</p>
+
+<ul>
+ <li>SENSOR_TYPE_PROXIMITY: 100 sensor events</li>
+</ul>
+
+<h3 id="7_3_10_fingeprint">7.3.10. Fingerprint Sensor</h3>
+
+<p>Device implementations with a secure lock screen SHOULD include a fingerprint sensor.
+If a device implementation includes a fingerprint sensor and has a corresponding API for
+third-party developers, it:</p>
+
+<ul>
+ <li>MUST declare support for the android.hardware.fingerprint feature.</li>
+ <li>MUST fully implement the corresponding API as described in the Android SDK documentation
+[<a href="https://developer.android.com/reference/android/hardware/fingerprint/package-summary.html">Resources, XX</a>].
+ </li>
+ <li>MUST have a false acceptance rate not higher than 0.002%.</li>
+ <li>Is STRONGLY RECOMMENDED to have a false rejection rate not higher than 10%, and a
+ latency from when the fingerprint sensor is touched until the screen is unlocked below
+ 1 second, for 1 enrolled finger.</li>
+ <li>MUST rate limit attempts for at least 30 seconds after 5 false trials for fingerprint
+ verification.</li>
+ <li>MUST have a hardware-backed keystore implementation, and perform the fingerprint matching
+ in a Trusted Execution Environment (TEE) or on a chip with a secure channel to the TEE.
+ </li>
+ <li>MUST have all identifiable fingerprint data encrypted and cryptographically
+ authenticated such that they cannot be acquired, read or altered outside of the
+ Trusted Execution Environment (TEE) as documented in the implementation guidelines
+ on the Android Open Source Project site
+ [<a href="https://source.android.com/devices/tech/security/authentication/fingerprint-hal.html">Resources, XX</a>].
+ </li>
+ <li>MUST prevent adding a fingerprint without first establishing a chain of trust by
+ having the user confirm existing or add a new device credential (PIN/pattern/password)
+ using the TEE as implemented in the Android Open Source project.</li>
+ <li>MUST NOT enable 3rd-party applications to distinguish between individual fingerprints.
+ </li>
+ <li>MUST honor the DevicePolicyManager.KEYGUARD_DISABLE_FINGERPRINT flag.</li>
+ <li>MUST, when upgraded from a version earlier than Android 6.0, have the fingerprint
+ data securely migrated to meet the above requirements or removed.</li>
+ <li>SHOULD use the Android Fingerprint icon provided in the Android Open Source Project.</li>
+</ul>
+
<h2 id="7_4_data_connectivity">7.4. Data Connectivity</h2>
@@ -3404,6 +3916,8 @@
<li>MUST declare the hardware feature android.hardware.bluetooth_le.</li>
<li>MUST enable the GATT (generic attribute profile) based Bluetooth APIs as
described in the SDK documentation and [<a href="http://developer.android.com/reference/android/bluetooth/package-summary.html">Resources, 82</a>].</li>
+ <li>MUST implement a Resolvable Private Address (RPA) timeout no longer than
+15 minutes, and rotate the address at timeout to protect user privacy.</li>
<li>SHOULD support offloading of the filtering logic to the bluetooth chipset when
implementing the ScanFilter API [<a href="https://developer.android.com/reference/android/bluetooth/le/ScanFilter.html">Resources, 83</a>], and MUST report the correct value of where the filtering logic is implemented whenever queried via the
android.bluetooth.BluetoothAdapter.isOffloadedFilteringSupported() method.</li>
@@ -3434,23 +3948,24 @@
<ul>
<li>NfcA (ISO14443-3A)</li>
<li>NfcB (ISO14443-3B)</li>
- <li>NfcF (JIS 6319-4)</li>
+ <li>NfcF (JIS X 6319-4)</li>
<li>IsoDep (ISO 14443-4)</li>
<li>NFC Forum Tag Types 1, 2, 3, 4 (defined by the NFC Forum)</li>
</ul>
- <li>SHOULD be capable of reading and writing NDEF messages via the following NFC
-standards. Note that while the NFC standards below are stated as SHOULD, the
-Compatibility Definition for a future version is planned to change these to
-MUST. These standards are optional in this version but will be required in
-future versions. Existing and new devices that run this version of Android are <strong>very strongly encouraged</strong> to meet these requirements now so they will be able to upgrade to the future platform releases.</li>
+ <li>MUST be capable of reading and writing NDEF messages as well as raw
+ data via the following NFC standards:
<ul>
<li>NfcV (ISO 15693)</li>
</ul></li>
+ <li>SHOULD be capable of reading the barcode and URL (if encoded) of
+ Thinfilm NFC Barcode
+ [<a href="http://developer.android.com/reference/android/nfc/tech/NfcBarcode.html">Resources, XX</a>] products.
+ </li>
<li>MUST be capable of transmitting and receiving data via the following
peer-to-peer standards and protocols:
<ul>
<li>ISO 18092</li>
- <li>LLCP 1.0 (defined by the NFC Forum)</li>
+ <li>LLCP 1.2 (defined by the NFC Forum)</li>
<li>SDP 1.0 (defined by the NFC Forum)</li>
<li>NDEF Push Protocol [<a href="http://static.googleusercontent.com/media/source.android.com/en/us/compatibility/ndef-push-protocol.pdf">Resources, 84</a>]</li>
<li>SNEP 1.0 (defined by the NFC Forum)</li>
@@ -3521,8 +4036,8 @@
<ul>
<li>MUST implement the corresponding Android APIs as documented by the Android SDK.</li>
<li>MUST report the feature com.nxp.mifare from the
-android.content.pm.PackageManager.hasSystemFeature() meth<a href="http://developer.android.com/reference/android/content/pm/PackageManager.html">od [Resources, 53]</a>. Note that this is not a standard Android feature and as such does not appear
-as a constant on the PackageManager class.</li>
+android.content.pm.PackageManager.hasSystemFeature() method <a href="http://developer.android.com/reference/android/content/pm/PackageManager.html">[Resources, 53]</a>. Note that this is not a standard Android feature and as such does not appear
+as a constant in the android.content.pm.PackageManager class.</li>
<li>MUST NOT implement the corresponding Android APIs nor report the com.nxp.mifare
feature unless it also implements general NFC support as described in this
section.</li>
@@ -3807,7 +4322,7 @@
implementations MUST have at least 1.5GB of non-volatile storage available for
application private data. That is, the /data partition MUST be at least 5GB for
Android Television devices and at least 1.5GB for other device implementations.
-Device implementations that run Android are <strong>very strongly encouraged</strong> to have at least 3GB of non-volatile storage for application private data so
+Device implementations that run Android are <strong>STRONGLY RECOMMENDED</strong> to have at least 3GB of non-volatile storage for application private data so
they will be able to upgrade to the future platform releases.</p>
<p>The Android APIs include a Download Manager that applications MAY use to
@@ -3873,6 +4388,21 @@
<li>SHOULD report a USB interface name of 'MTP'.</li>
</ul>
+<h3 id="7_6_3_adoptable_storage">7.6.3. Adoptable Storage</h3>
+
+<p>Device implementations are STRONGLY RECOMMENDED to implement adoptable
+storage if the removable storage device port is in a long-term stable location,
+such as within the battery compartment or other protective cover
+[<a
+href="http://source.android.com/devices/storage/adoptable.html">Resources,
+XX</a>].</p>
+
+<p>Device implementations such as a television, MAY enable adoption through USB
+ports as the device is expected to be static and not mobile. But for other
+device implementations that are mobile in nature, it is STRONGLY RECOMMENDED to
+implement the adoptable storage in a long-term stable location, since accidentally
+disconnecting them can cause data loss/corruption.</p>
+
<h2 id="7_7_usb">7.7. USB</h2>
@@ -3885,12 +4415,12 @@
<li>The port MUST be connectable to a USB host that has a standard type-A or type
-C USB port.</li>
<li>The port SHOULD use micro-A, micro-AB or type-C USB form factor. Existing and
-new Android devices are <strong>very strongly encouraged to meet these requirements</strong> so they will be able to upgrade to the future platform releases.</li>
+new Android devices are <strong>STRONGLY RECOMMENDED to meet these requirements</strong> so they will be able to upgrade to the future platform releases.</li>
<li>The port SHOULD be centered in the middle of an edge. Device implementations
SHOULD either locate the port on the bottom of the device (according to natural
orientation) or enable software screen rotation for all apps (including home
screen), so that the display draws correctly when the device is oriented with
-the port at bottom. Existing and new Android devices are <strong>very strongly encouraged to meet these requirements</strong> so they will be able to upgrade to future platform releases.</li>
+the port at bottom. Existing and new Android devices are <strong>STRONGLY RECOMMENDED to meet these requirements</strong> so they will be able to upgrade to future platform releases.</li>
<li>It MUST allow a USB host connected with the Android device to access the
contents of the shared storage volume using either USB mass storage or Media
Transfer Protocol.</li>
@@ -3902,9 +4432,13 @@
<li>MUST declare support for the hardware feature android.hardware.usb.accessory [<a href="http://developer.android.com/guide/topics/connectivity/usb/accessory.html">Resources, 97</a>].</li>
<li>MUST implement the USB audio class as documented in the Android SDK
documentation [<a href="http://developer.android.com/reference/android/hardware/usb/UsbConstants.html#USB_CLASS_AUDIO">Resources, 98</a>].</li>
- </ul></li>
+ <li>And also the USB mass storage class, MUST include the string "android"
+at the end of the interface description <code>iInterface</code> string of the
+USB mass storage</li>
+ </ul>
+ </li>
<li>It SHOULD implement support to draw 1.5 A current during HS chirp and traffic
-as specified in the USB battery charging specification [<a href="http://www.usb.org/developers/docs/devclass_docs/USB_Battery_Charging_1.2.pdf">Resources, 99</a>]. Existing and new Android devices are <strong>very strongly encouraged to meet these requirements</strong> so they will be able to upgrade to the future platform releases.</li>
+as specified in the USB battery charging specification [<a href="http://www.usb.org/developers/docs/devclass_docs/USB_Battery_Charging_1.2.pdf">Resources, 99</a>]. Existing and new Android devices are <strong>STRONGLY RECOMMENDED to meet these requirements</strong> so they will be able to upgrade to the future platform releases.</li>
<li>The value of iSerialNumber in USB standard device descriptor MUST be equal to
the value of android.os.Build.SERIAL.</li>
</ul>
@@ -3917,7 +4451,7 @@
cables adapting the port to a standard type-A or type-C USB port.</li>
<li>MAY use a micro-AB USB port, but if so SHOULD ship with a cable or cables
adapting the port to a standard type-A or type-C USB port.</li>
- <li>is <strong>very strongly RECOMMENDED</strong> to implement the USB audio class as documented in the Android SDK
+ <li>is <strong>STRONGLY RECOMMENDED</strong> to implement the USB audio class as documented in the Android SDK
documentation [<a href="http://developer.android.com/reference/android/hardware/usb/UsbConstants.html#USB_CLASS_AUDIO">Resources, 98</a>].</li>
<li>MUST implement the Android USB host API as documented in the Android SDK, and
MUST declare support for the hardware feature android.hardware.usb.host [<a href="http://developer.android.com/guide/topics/connectivity/usb/host.html">Resources, 100</a>].</li>
@@ -3939,12 +4473,15 @@
<p>Device implementations MAY omit a microphone. However, if a device
implementation omits a microphone, it MUST NOT report the
android.hardware.microphone feature constant, and MUST implement the audio
-recording API at least as no-ops, per <a href="#7_hardware_compatibility">section 7</a>. Conversely, device implementations that do possess a microphone:</p>
+recording API at least as no-ops, per <a href="#7_hardware_compatibility">section 7</a>.
+Conversely, device implementations that do possess a microphone:</p>
<ul>
- <li>MUST report the android.hardware.microphone feature constant
- <li>MUST meet the audio recording requirements in <a href="#5_4_audio_recording">section 5.4</a>
- <li>MUST meet the audio latency requirements in <a href="#5_6_audio_latency">section 5.6</a>
+ <li>MUST report the android.hardware.microphone feature constant</li>
+ <li>MUST meet the audio recording requirements in <a href="#5_4_audio_recording">section 5.4</a></li>
+ <li>MUST meet the audio latency requirements in <a href="#5_6_audio_latency">section 5.6</a></li>
+ <li>STRONGLY RECOMMENDED to support near-ultrasound recording as described in
+ <a href="#7_8_3_near_ultrasound">section 7.8.3</a></li>
</ul>
<h3 id="7_8_2_audio_output">7.8.2. Audio Output</h3>
@@ -3960,6 +4497,8 @@
<li>MUST report the android.hardware.audio.output feature constant.</li>
<li>MUST meet the audio playback requirements in <a href="#5_5_audio_playback">section 5.5</a>.</li>
<li>MUST meet the audio latency requirements in <a href="#5_6_audio_latency">section 5.6</a>.</li>
+ <li>STRONGLY RECOMMENDED to support near-ultrasound playback as described in
+ <a href="#7_8_3_near_ultrasound">section 7.8.3</a></li>
</ul>
<p>Conversely, if a device implementation does not include a speaker or audio
@@ -3992,7 +4531,7 @@
the audio plug:
<ul>
<li><strong>70 ohm or less</strong>: KEYCODE_HEADSETHOOK</li>
- <li><strong>210-290 Ohm</strong>:<strong> </strong>KEYCODE_VOLUME_UP</li>
+ <li><strong>210-290 Ohm</strong>: KEYCODE_VOLUME_UP</li>
<li><strong>360-680 Ohm</strong>: KEYCODE_VOLUME_DOWN</li>
</ul></li>
<li>SHOULD support the detection and mapping to the keycode for the following range
@@ -4008,6 +4547,32 @@
<li>MUST have a microphone bias voltage between 1.8V ~ 2.9V.</li>
</ul>
+<h3 id="7_8_3_near_ultrasound">7.8.3. Near-Ultrasound </h3>
+
+<p>Near-Ultrasound audio is the 18.5 kHz to 20 kHz band.
+Device implementations MUST correctly report the support
+of near-ultrasound audio capability via the
+<a href="http://developer.android.com/reference/android/media/AudioManager.html#getProperty(java.lang.String)">AudioManager.getProperty</a>
+API as follows:
+</p>
+
+<ul>
+ <li>If
+ <a href="http://developer.android.com/reference/android/media/AudioManager.html#PROPERTY_SUPPORT_MIC_NEAR_ULTRASOUND">PROPERTY_SUPPORT_MIC_NEAR_ULTRASOUND</a>
+ is "true", then
+ <ul>
+ <li>The microphone's mean power response in the 18.5 kHz to 20 kHz band MUST be no more than
+ 15 dB below the response at 2 kHz.</li>
+ <li>The signal to noise ratio of the microphone MUST be no lower than 80 dB.</li>
+ </ul>
+ </li>
+ <li>If
+ <a href="http://developer.android.com/reference/android/media/AudioManager.html#PROPERTY_SUPPORT_SPEAKER_NEAR_ULTRASOUND">PROPERTY_SUPPORT_SPEAKER_NEAR_ULTRASOUND</a>
+ is "true", then the speaker's mean response in 18.5 kHz - 20 kHz MUST be no lower than 40 dB
+ below the response at 2 kHz.
+ </li>
+</ul>
+
<h1 id="8_performance_compatibility">8. Performance Compatibility</h1>
@@ -4070,6 +4635,23 @@
ignored. Implementations MAY add additional permissions, provided the new
permission ID strings are not in the android.* namespace.</p>
+<p>Permissions with a protection level of dangerous are runtime permissions. Applications
+with targetSdkVersion > 22 request them at runtime. Device implementations:</p>
+
+<ul>
+<li>MUST show a dedicated interface for the user to decide whether to grant the
+requested runtime permissions and also provide an interface for the user to manage
+runtime permissions.</li>
+<li>MUST have one and only one implementation of both user interfaces.</li>
+<li>MUST NOT grant any runtime permissions to preinstalled apps unless:
+ <ul>
+ <li>the user's consent can be obtained before the application uses it</li>
+ <li>the runtime permissions are associated with an intent pattern for which the preinstalled
+ application is set as the default handler</li>
+ </ul>
+</li>
+</ul>
+
<h2 id="9_2_uid_and_process_isolation">9.2. UID and Process Isolation</h2>
@@ -4159,13 +4741,6 @@
<li>Device implementations MUST, for each user, implement a security model
consistent with the Android platform security model as defined in Security and
Permissions reference document in the APIs [<a href="http://developer.android.com/guide/topics/security/permissions.html">Resources, 102</a>].</li>
- <li>Device implementations MAY support creating users and managed profiles via the
-android.app.admin.DevicePolicyManager APIs, and if supported, MUST declare the
-platform feature flag android.software.managed_users.
- <li>Device implementations that declare the feature flag
-android.software.managed_users MUST use the upstream AOSP icon badge to
-represent the managed applications and other badge UI elements like Recents &
-Notifications.</li>
<li>Each user instance on an Android device MUST have separate and isolated
external storage directories. Device implementations MAY store multiple users'
data on the same volume or filesystem. However, the device implementation MUST
@@ -4196,9 +4771,9 @@
<h2 id="9_7_kernel_security_features">9.7. Kernel Security Features</h2>
-<p>The Android Sandbox includes features that can use the Security-Enhanced Linux
+<p>The Android Sandbox includes features that use the Security-Enhanced Linux
(SELinux) mandatory access control (MAC) system and other security features in
-the Linux kernel. SELinux or any other security features, if implemented below
+the Linux kernel. SELinux or any other security features implemented below
the Android framework:</p>
<ul>
@@ -4213,31 +4788,28 @@
affect another application (such as a Device Administration API), the API MUST
NOT allow configurations that break compatibility.</p>
-<p>Devices MUST implement SELinux or an equivalent mandatory access control system
-if using a kernel other than Linux and meet the following requirements, which
-are satisfied by the reference implementation in the upstream Android Open
-Source Project.</p>
+<p>Devices MUST implement SELinux or, if using a kernel other than Linux, an
+equivalent mandatory access control system. Devices MUST also meet the
+following requirements, which are satisfied by the reference implementation
+in the upstream Android Open Source Project.</p>
<p>Device implementations:</p>
<ul>
- <li>MUST support a SELinux policy that allows the SELinux mode to be set on a
-per-domain basis, and MUST configure all domains in enforcing mode. No
-permissive mode domains are allowed, including domains specific to a
-device/vendor.</li>
- <li>SHOULD load policy from /sepolicy file on the device.</li>
+ <li>MUST set SELinux to global enforcing mode.</li>
+ <li>MUST configure all domains in enforcing mode. No permissive mode domains
+are allowed, including domains specific to a device/vendor.</li>
<li>MUST NOT modify, omit, or replace the neverallow rules present within the
-sepolicy file provided in the upstream Android Open Source Project (AOSP) and
-the policy MUST compile with all neverallow present, for both AOSP SELinux
+external/sepolicy folder provided in the upstream Android Open Source Project (AOSP) and
+the policy MUST compile with all neverallow rules present, for both AOSP SELinux
domains as well as device/vendor specific domains.</li>
- <li>MUST support dynamic updates of the SELinux policy file without requiring a
-system image update.</li>
</ul>
<p>Device implementations SHOULD retain the default SELinux policy provided in the
-upstream Android Open Source Project, until they have first audited their
-additions to the SELinux policy. Device implementations MUST be compatible with
-the upstream Android Open Source Project.</p>
+external/sepolicy folder of the upstream Android Open Source Project and only
+further add to this policy for their own device-specific configuration. Device
+implementations MUST be compatible with the upstream Android Open Source Project.
+</p>
<h2 id="9_8_privacy">9.8. Privacy</h2>
@@ -4251,22 +4823,34 @@
service with android.permission.CONTROL_VPN granted), the device implementation
MUST ask for the user's consent before enabling that mechanism.</p>
+<p>If a device implementation has a USB port with USB peripheral mode support,
+it MUST present a user interface asking for the user's consent before allowing
+access to the contents of the shared storage over the USB port.</p>
+
<h2 id="9_9_full-disk_encryption">9.9. Full-Disk Encryption</h2>
<div class="note">
<p>Optional for Android device implementations without a lock screen.</p>
</div>
+<p>If the device implementation supports a secure lock screen reporting "<code>true</code>"
+for KeyguardManager.isDeviceSecure()
+[<a href="http://developer.android.com/reference/android/app/KeyguardManager.html#isDeviceSecure()">Resources, XX</a>],
+and is not a device with restricted memory as reported through the
+ActivityManager.isLowRamDevice() method, then the device MUST support full-disk encryption
+[<a href="http://source.android.com/devices/tech/security/encryption/index.html">Resources, 107</a>]
+of the application private data (/data partition), as well as the application
+shared storage partition (/sdcard partition) if it is a permanent, non-removable
+part of the device.</p>
-<p>If the device implementation supports a lock screen with PIN (numeric) or
-PASSWORD (alphanumeric), the device MUST support full-disk encryption of the
-application private data (/data partition), as well
-as the SD card partition if it is a permanent, non-removable part of the device
-[<a href="http://source.android.com/devices/tech/security/encryption/index.html">Resources, 107</a>]. For devices supporting full-disk encryption, the full-disk encryption SHOULD
-be enabled all the time after the user has completed the out-of-box experience.
-While this requirement is stated as SHOULD for this version of the Android
-platform, it is <strong>very strongly RECOMMENDED</strong> as we expect this to change to MUST in the future versions of Android.
-Encryption MUST use AES with a key of 128-bits (or greater) and a mode designed
+<p>For device implementations supporting full-disk encryption and with Advanced
+Encryption Standard (AES) crypto performance above 50MiB/sec, the full-disk
+encryption MUST be enabled by default at the time the user has completed the out-of-box
+setup experience. If a device implementation is already launched on an earlier Android
+version with full-disk encryption disabled by default, such a device cannot
+meet the requirement through a system software update and thus MAY be exempted.</p>
+
+<p>Encryption MUST use AES with a key of 128-bits (or greater) and a mode designed
for storage (for example, AES-XTS, AES-CBC-ESSIV). The encryption key MUST NOT
be written to storage at any time without being encrypted. Other than when in
active use, the encryption key SHOULD be AES encrypted with the lockscreen
@@ -4277,7 +4861,7 @@
stretching algorithm MUST be cryptographically bound to that keystore. The
encryption key MUST NOT be sent off the device (even when wrapped with the user
passcode and/or hardware bound key). The upstream Android Open Source project
-provides a preferred implementation of this feature based on the linux kernel
+provides a preferred implementation of this feature based on the Linux kernel
feature dm-crypt.</p>
<h2 id="9_10_verified_boot">9.10. Verified Boot</h2>
@@ -4285,24 +4869,74 @@
<p>
Verified boot is a feature that guarantees the integrity of the device software.
If a device implementation supports the feature, it MUST:
+</p>
<ul>
<li>Declare the platform feature flag android.software.verified_boot</li>
<li>Perform verification on every boot sequence</li>
-<li>Start verification from a hardware key that is the root of trust, and go
-all the way up to the system partition</li>
+<li>Start verification from an immutable hardware key that is the root of trust,
+and go all the way up to the system partition</li>
<li>Implement each stage of verification to check the integrity and authenticity
of all the bytes in the next stage before executing the code in the next stage</li>
<li>Use verification algorithms as strong as current recommendations
from NIST for hashing algorithms (SHA-256) and public key sizes (RSA-2048)</li>
</ul>
+
+<p>The upstream Android Open Source Project provides a preferred implementation of this
+feature based on the Linux kernel feature dm-verity.</p>
+
+<p>Starting from Android 6.0, device implementations with Advanced Encryption Standard (AES)
+crypto perfomance above 50MiB/seconds MUST support verified boot for device integrity.
+If a device implementation is already launched without supporting verified boot on an earlier
+version of Android, such a device can not add support for this feature with a system software
+update and thus are exempted from the requirement.</p>
+
+<h2 id="9_11_keys_and_credentials">9.11. Keys and Credentials</h2>
+
+<p>The Android Keystore System
+[<a href="https://developer.android.com/training/articles/keystore.html">Resources, XX</a>]
+allows app developers to store cryptographic keys in a container and use them in cryptographic
+operations through the KeyChain API
+[<a href="https://developer.android.com/reference/android/security/KeyChain.html">Resources, XX</a>]
+or the Keystore API
+ [<a href="https://developer.android.com/reference/java/security/KeyStore.html">Resources, XX</a>].
</p>
-<p>Device implementations SHOULD support verified boot for device integrity.
-While this requirement is SHOULD for this version of the Android platform,
-it is <strong>strongly RECOMMENDED</strong> as we expect this to change to MUST
-in future versions of Android. The upstream Android Open Source Project provides
-a preferred implementation of this feature based on the linux kernel feature dm-verity.
-</p>
+<p>All Android device implementations MUST meet the following requirements:</p>
+
+<ul>
+<li>SHOULD not limit the number of keys that can be generated, and MUST at least allow more
+than 8,192 keys to be imported.</li>
+<li>The lock screen authentication MUST rate limit attempts and SHOULD have an exponential
+ backoff algorithm as implemented in the Android Open Source Project.</li>
+<li>When the device implementation supports a secure lock screen and has a secure hardware
+ such as a Secure Element (SE) where a Trusted Execution Environment (TEE) can be implemented,
+ then it:
+ <ul>
+ <li>MUST back up the keystore implementation with the secure hardware. The upstream Android
+ Open Source Project provides the Keymaster Hardware Abstraction Layer (HAL) implementation
+ that can be used to satisfy this requirement.</li>
+ <li>MUST perform the lock screen authentication in the secure hardware and only when successful
+ allow the authentication-bound keys to be used. The upstream Android Open Source Project
+ provides the Gatekeeper Hardware Abstraction Layer (HAL) that can be used to satisfy this
+ requirement
+ [<a href="http://source.android.com/devices/tech/security/authentication/gatekeeper.html">Resources, XX</a>].</li>
+ </ul>
+</li>
+</ul>
+
+<p>Note that if a device implementation is already launched on an earlier Android version and has
+ not implemented a trusted operating system on the secure hardware, such a device cannot meet
+ the above TEE-related requirements through a system software update and thus is exempted from these TEE-related requirements.</p>
+
+<h2 id="9_12_data_deletion">9.12. Data Deletion</h2>
+
+<p>Devices MUST provide users with a mechanism to perform a "Factory Data Reset"
+that allows logical and physical deletion of all data. This MUST satisfy relevant
+industry standards for data deletion such as NIST SP800-88. This MUST be used for
+the implementation of the wipeData() API (part of the Android Device Administration API)
+described in <a href="#3_9_device_administration">section 3.9 Device Administration.</p>
+
+<p>Devices MAY provide a fast data wipe that conducts a logical data erase.</p>
<h1 id="10_software_compatibility_testing">10. Software Compatibility Testing</h1>
@@ -4310,7 +4944,7 @@
<p>Device implementations MUST pass all tests described in this section.</p>
<p>However, note that no software test package is fully comprehensive. For this
-reason, device implementers are <strong>very strongly encouraged</strong> to make the minimum number of changes as possible to the reference and
+reason, device implementers are <strong>STRONGLY RECOMMENDED</strong> to make the minimum number of changes as possible to the reference and
preferred implementation of Android available from the Android Open Source
Project. This will minimize the risk of introducing bugs that create
incompatibilities requiring rework and potential device updates.</p>
@@ -4397,148 +5031,143 @@
applications, the device implementer MUST correct the error via a software
update available that can be applied per the mechanism just described.</p>
+<p>Android includes features that allow the Device Owner app (if present) to control the
+installation of system updates. To facilitate this, the system update subsystem
+for devices that report android.software.device_admin MUST implement the behavior
+described in the SystemUpdatePolicy class
+[<a href="http://developer.android.com/reference/android/app/admin/SystemUpdatePolicy.html">
+Resources, XX</a>].</p>
+
<h1 id="12_document_changelog">12. Document Changelog</h1>
-
<p>The following table contains a summary of the changes to the Compatibility
-Definition in this release. </p>
+Definition in this release.</p>
<table>
<tr>
<th>Section</th>
- <th>Summary of change</th>
+ <th>Summary of changes</th>
</tr>
<tr>
- <td>2. Device Types</td>
- <td>Added definition for Android automotive implementation.</td>
+ <td>Various</td>
+ <td>Replaced instances of the "encouraged" term with "RECOMMENDED"</td>
</tr>
<tr>
- <td>2.1 Device Configurations</td>
- <td>Added column for Android automotive implementation.</td>
+ <td>3.2.2. Build Parameters</td>
+ <td>Addition regarding hardware serial number</td>
</tr>
<tr>
- <td>3.3.2. 32-bit ARM Native Code Compatibility</td>
- <td>New section added.</td>
+ <td>3.3.1. Application Binary Interfaces</td>
+ <td>Additions for Android ABI support; change related to Vulkan library name</td>
</tr>
<tr>
<td>3.4.1. WebView Compatibility</td>
- <td>Updated webview user agent string requirement to accomodate upstream
- implementation change.</td>
- </tr>
- <tr>
- <td>3.4.2. Browser compatibility</td>
- <td>Added Android automotive implementations as another case that MAY omit a
- browser application.</td>
+ <td>Change for the user agent string reported by the WebView</td>
</tr>
<tr>
<td>3.7. Runtime Compatibility</td>
- <td>Updated required runtime heap size for smaller screens and added requirement
- for the new dpi bucket (280dpi).</td>
+ <td>Updates to memory allocation table</td>
</tr>
<tr>
- <td>3.8.3. Notifications</td>
- <td>Clarified notification requirement for Android Watch, Television and
- Automotive implementations.</td>
+ <td>3.8.6. Themes</td>
+ <td>Added requirement to support black system icons when requested by the SYSTEM_UI_FLAG_LIGHT_STATUS_BAR flag</td>
</tr>
<tr>
- <td>3.8.10. Lock Screen Media Control<</td>
- <td>Clarified requirement for Android Watch and Automotive implementations.</td>
+ <td>3.9.1. Device Provisioning</td>
+ <td>Contains new sections for device owner provisioning and managed profile provisioning</td>
</tr>
<tr>
- <td>3.8.13. Unicode and font</td>
- <td>Relaxed Emoji character input method requirement.</td>
+ <td>3.9.2. Managed Profile Support</td>
+ <td>New section with requirements for device support of managed profile functionality</td>
</tr>
<tr>
- <td>3.9. Device Administration</td>
- <td>Clarified condition when the full range of device administration policies
- has to be supported.</td>
+ <td>5.1.3. Video Codecs</td>
+ <td>Changes and additions related to Android Televisions</td>
</tr>
<tr>
- <td>3.10. Accessibility</td>
- <td>Added Android automotive requirements.</td>
+ <td>5.2. Video Encoding</td>
+ <td>Changes for encoders</td>
</tr>
<tr>
- <td>3.11. Text-To-Speech</td>
- <td>Added Android automotive requirements.</td>
+ <td>5.3. Video Decoding</td>
+ <td>Changes for decoders</td>
</tr>
<tr>
- <td>5.1. Media Codecs</td>
- <td>Mandated decoding support for codecs reported by CamcorderProfile.</td>
+ <td>5.4. Audio Recording</td>
+ <td>Additions related to audio capture</td>
</tr>
- <tr>
- <td>5.1.3 Video Codecs</td>
- <td>Added Android automotive requirements.</td>
+ <tr>
+ <td>5.10. Professional Audio</td>
+ <td>General updates for professional audio support; updates for mobile device (jack) specifications, USB audio host mode, and other updates</td>
+ </tr>
+ <tr>
+ <td>5.9. Musical Instrument Digital Interface (MIDI)</td>
+ <td>Added new section on optional Musical Instrument Digital Interface (MIDI) support</td>
+ </tr>
+<tr>
+ <td>6.1. Developer Tools</td>
+ <td>Update for drivers supporting Windows 10</td>
</tr>
<tr>
<td>7.1.1.3. Screen Density</td>
- <td>Added a new screen dpi (280dpi).</td>
+ <td>Updates for screen density, for example related to an Android watch</td>
</tr>
<tr>
- <td>7.1.5. Legacy Application Compatibility Mode</td>
- <td>Added Android automotive requirements.</td>
+ <td>7.3. Sensors (and subsections)</td>
+ <td>New requirements for some sensor types</td>
</tr>
<tr>
- <td>7.2 Input Devices</td>
- <td>Added general introduction statement.</td>
+ <td>7.3.9. High Fidelity Sensors</td>
+ <td>New section with requirements for devices supporting high fidelity sensors</td>
</tr>
<tr>
- <td>7.2.1. Keyboard</td>
- <td>Added Android Automotive requirements.</td>
+ <td>7.3.10. Fingerprint Sensor</td>
+ <td>New section on requirements related to fingerprint sensors</td>
</tr>
<tr>
- <td>7.2.3. Navigation Keys</td>
- <td>Added Android Automotive requirements.</td>
- </tr>
- <tr>
- <td>7.3.1. Accelerometer</td>
- <td>Relaxed requirement for reporting frequency on Android Watch.</td>
- </tr>
- <tr>
- <td>7.3.4. Gyroscope</td>
- <td>Relaxed requirement for reporting frequency on Android Watch.</td>
- </tr>
- <tr>
- <td>7.4.3 Bluetooth</td>
- <td>Added Android Automotive requirements.</td>
+ <td>7.4.3. Bluetooth</td>
+ <td>Addition related to Resolvable Private Address (RPA) for Bluetooth Low Energy (BLE)</td>
</tr>
<tr>
<td>7.4.4. Near-Field Communications</td>
- <td>Clarified condition for when Host Card Emulation is a requirement.</td>
+ <td>Additions to requirements for Near-Field Communications (NFC)</td>
</tr>
<tr>
- <td>7.6.1. Minimum Memory and Storage</td>
- <td>Updated minimum memory requirements for lower resulution screen devices
- and added hard-limit requirement isLowRamDevice().</td>
+ <td>7.7. USB</td>
+ <td>Requirement related to implementing the AOA specification</td>
</tr>
<tr>
- <td>7.6.2. Application Shared Storage</td>
- <td>Updated requirements when support for host machine access is mandatory.</td>
+ <td>7.8.3. Near-Ultrasound</td>
+ <td>Additions related to near-ultrasound recording, playback, and audio</td>
</tr>
<tr>
- <td>7.8.1. Microphone</td>
- <td>Added Android Automotive requirements.</td>
+ <td>9.1. Permissions</td>
+ <td>Addition to Permissions requirements</td>
</tr>
- <tr>
- <td>8.2. File I/O Access Performance</td>
- <td>Clarified requirements.</td>
+<tr>
+ <td>9.7. Kernel Security Features</td>
+ <td>SE Linux updates</td>
</tr>
- <tr>
+<tr>
<td>9.8. Privacy</td>
- <td>Added privacy requirement for preloaded VPNs.</td>
+ <td>Addition regarding user's consent for access to shared storage over a USB port</td>
</tr>
<tr>
<td>9.9. Full-Disk Encryption</td>
- <td>Clarified condition when Full-Disk encryption support is mandatory.</td>
+ <td>Requirements related to full disk encryption</td>
</tr>
<tr>
<td>9.10. Verified Boot</td>
- <td>Clarified definition of verified boot.</td>
+ <td>Additional requirement for verified boot</td>
+ </tr>
+ <tr>
+ <td>9.11. Keys and Credentials</td>
+ <td>New section of requirements related to keys and credentials</td>
</tr>
<tr>
<td>11. Updatable Software</td>
- <td>Clarified the OTA download requirement is allowed but not mandatory for
- Android Automotive implementations.</td>
+ <td>Requirement related to the system update policy set by the device owner</td>
</tr>
-</table>
+ </table>
<h1 id="13_contact_us">13. Contact Us</h1>
@@ -4636,6 +5265,23 @@
<p>41. Android Device Owner App:</p>
<p><a href="http://developer.android.com/reference/android/app/admin/DevicePolicyManager.html#isDeviceOwnerApp(java.lang.String)">http://developer.android.com/reference/android/app/admin/DevicePolicyManager.html#isDeviceOwnerApp(java.lang.String)</a></p>
+<p>XX. Android Device Owner Provisioning Flow:</p>
+
+<p><a href="http://developer.android.com/reference/android/app/admin/DevicePolicyManager.html#ACTION_PROVISION_MANAGED_DEVICE">http://developer.android.com/reference/android/app/admin/DevicePolicyManager.html#ACTION_PROVISION_MANAGED_DEVICE</a></p>
+<p>XX. Device Owner Provisioning via NFC:</p>
+
+<p><a href="https://source.android.com/devices/tech/admin/provision.html#device_owner_provisioning_via_nfc">https://source.android.com/devices/tech/admin/provision.html#device_owner_provisioning_via_nfc</a></p>
+<p>XX. Android Managed Profile Provisioning flow:</p>
+
+<p><a href="http://developer.android.com/reference/android/app/admin/DevicePolicyManager.html#ACTION_PROVISION_MANAGED_PROFILE">http://developer.android.com/reference/android/app/admin/DevicePolicyManager.html#ACTION_PROVISION_MANAGED_PROFILE</a></p>
+
+<p>XX. Android Profile Owner App:</p>
+
+<p><a href="http://developer.android.com/reference/android/app/admin/DevicePolicyManager.html#isProfileOwnerApp(java.lang.String)">http://developer.android.com/reference/android/app/admin/DevicePolicyManager.html#isProfileOwnerApp(java.lang.String)</a></p>
+
+<p>XX. Managed profile provisioning intent</p>
+
+<p><a href="http://developer.android.com/reference/android/app/admin/DevicePolicyManager.html#ACTION_PROVISION_MANAGED_PROFILE">http://developer.android.com/reference/android/app/admin/DevicePolicyManager.html#ACTION_PROVISION_MANAGED_PROFILE</a></p>
<p>42. Android Accessibility Service APIs: <a href="http://developer.android.com/reference/android/accessibilityservice/AccessibilityService.html">http://developer.android.com/reference/android/accessibilityservice/AccessibilityService.html</a></p>
diff --git a/src/compatibility/source/android-cdd-cover.html b/src/compatibility/source/android-cdd-cover.html
index eccca0c..ee76ef8 100644
--- a/src/compatibility/source/android-cdd-cover.html
+++ b/src/compatibility/source/android-cdd-cover.html
@@ -17,14 +17,14 @@
<tr>
<td>
-<img src="images/android-marshmallow.png" alt="Marshmallow logo" style="border-top: 5px solid orange; border-bottom: 5px solid orange"/>
+<img src="images/android-marshmallow-1.png" alt="Marshmallow logo" style="border-top: 5px solid orange; border-bottom: 5px solid orange"/>
</td>
</tr>
<tr>
<td>
<p class="subtitle">Android 6.0</p>
-<p class="cover-text">Last updated: August 20th, 2015</p>
+<p class="cover-text">Last updated: October 7th, 2015</p>
<p class="cover-text">Copyright © 2015, Google Inc. All rights reserved.</p>
<p class="cover-text"><a href="mailto:compatibility@android.com">compatibility@android.com</a></p>
</td>
diff --git a/src/compatibility/source/android-cdd-footer.html b/src/compatibility/source/android-cdd-footer.html
index dfb0f51..fce6481 100644
--- a/src/compatibility/source/android-cdd-footer.html
+++ b/src/compatibility/source/android-cdd-footer.html
@@ -24,7 +24,7 @@
<table class="noborder" style="border-top: 1px solid silver; width: 100%">
<tr>
- <td class="noborder"><img src="images/android-logo.png" alt="Android logo"/></td>
+ <td class="noborder"><img src="../images/android-logo.png" alt="Android logo"/></td>
<td class="noborder" style="text-align:right">
Page <span class="page"></span> of <span class="topage"></span>
</td>
@@ -34,4 +34,4 @@
</div>
</body>
-</html>
+</html>
\ No newline at end of file
diff --git a/src/compatibility/source/android-cdd.css b/src/compatibility/source/android-cdd.css
index 83c46bc..cef5969 100644
--- a/src/compatibility/source/android-cdd.css
+++ b/src/compatibility/source/android-cdd.css
@@ -284,16 +284,14 @@
width: 950px;
}
-#toc_left,
-#toc_left_2 {
+#toc_left {
float: left;
padding-top:15px;
padding-bottom:15px;
width: 470px;
}
-#toc_right,
-#toc_right_2 {
+#toc_right {
float: right;
padding-top:15px;
padding-bottom:15px;
diff --git a/src/compatibility/source/images/android-marshmallow-1.png b/src/compatibility/source/images/android-marshmallow-1.png
new file mode 100644
index 0000000..4d51b87
--- /dev/null
+++ b/src/compatibility/source/images/android-marshmallow-1.png
Binary files differ
diff --git a/src/devices/devices_toc.cs b/src/devices/devices_toc.cs
index 018930d..85c5f76 100644
--- a/src/devices/devices_toc.cs
+++ b/src/devices/devices_toc.cs
@@ -129,7 +129,17 @@
<li><a href="<?cs var:toroot ?>devices/input/validate-keymaps.html">Validate Keymaps</a></li>
</ul>
</li>
- <li><a href="<?cs var:toroot ?>devices/media.html">Media</a></li>
+ <li class="nav-section">
+ <div class="nav-section-header">
+ <a href="<?cs var:toroot ?>devices/media/index.html">
+ <span class="en">Media</span>
+ </a>
+ </div>
+ <ul>
+ <li><a href="<?cs var:toroot ?>devices/media/soc.html">SoC Dependencies</a></li>
+ <li><a href="<?cs var:toroot ?>devices/media/oem.html">OEM Dependencies</a></li>
+ </ul>
+ </li>
<li class="nav-section">
<div class="nav-section-header">
<a href="<?cs var:toroot ?>devices/sensors/index.html">
@@ -155,8 +165,10 @@
</a>
</div>
<ul>
- <li><a href="<?cs var:toroot ?>devices/storage/config.html">Device Specific Configuration</a></li>
- <li><a href="<?cs var:toroot ?>devices/storage/config-example.html">Typical Configuration Examples</a></li>
+ <li><a href="<?cs var:toroot ?>devices/storage/traditional.html">Traditional Storage</a></li>
+ <li><a href="<?cs var:toroot ?>devices/storage/adoptable.html">Adoptable Storage</a></li>
+ <li><a href="<?cs var:toroot ?>devices/storage/config.html">Device Configuration</a></li>
+ <li><a href="<?cs var:toroot ?>devices/storage/config-example.html">Configuration Examples</a></li>
</ul>
</li>
<li class="nav-section">
@@ -192,6 +204,7 @@
<li><a href="<?cs var:toroot ?>devices/tech/dalvik/instruction-formats.html">Instruction Formats</a></li>
<li><a href="<?cs var:toroot ?>devices/tech/dalvik/constraints.html">Constraints</a></li>
<li><a href="<?cs var:toroot ?>devices/tech/dalvik/configure.html">Configuration</a></li>
+ <li><a href="<?cs var:toroot ?>devices/tech/dalvik/gc-debug.html">Garbage Collection</a></li>
</ul>
</li>
@@ -202,11 +215,14 @@
</a>
</div>
<ul>
- <li><a href="<?cs var:toroot ?>devices/tech/filesystem-config.html">File System Configuration</a></li>
+ <li><a href="<?cs var:toroot ?>devices/tech/config/carrier.html">Carrier Customization</a></li>
+ <li><a href="<?cs var:toroot ?>devices/tech/config/filesystem.html">File System</a></li>
<li><a href="<?cs var:toroot ?>devices/tech/config/kernel.html">Kernel</a></li>
<li><a href="<?cs var:toroot ?>devices/tech/config/low-ram.html">Low RAM</a></li>
<li><a href="<?cs var:toroot ?>devices/tech/config/renderer.html">OpenGLRenderer</a></li>
+ <li><a href="<?cs var:toroot ?>devices/tech/config/runtime_perms.html">Runtime Permissions</a></li>
<li><a href="<?cs var:toroot ?>devices/tech/config/uicc.html">UICC</a></li>
+ <li><a href="<?cs var:toroot ?>devices/tech/config/voicemail.html">Visual Voicemail</a></li>
</ul>
</li>
@@ -285,6 +301,8 @@
<a href="<?cs var:toroot ?>devices/tech/power/index.html"><span class="en">Power</span></a>
</div>
<ul>
+ <li><a href="<?cs var:toroot ?>devices/tech/power/mgmt.html">Power Management</a>
+ </li>
<li><a href="<?cs var:toroot ?>devices/tech/power/component.html">Component Power</a></li>
<li><a href="<?cs var:toroot ?>devices/tech/power/device.html">Device Power</a>
</li>
@@ -336,7 +354,29 @@
</a>
</div>
<ul>
- <li><a href="<?cs var:toroot ?>devices/tech/security/encryption/index.html">Full Disk Encryption</a></li>
+ <li class="nav-section">
+ <div class="nav-section-header">
+ <a href="<?cs var:toroot ?>devices/tech/security/authentication/index.html">
+ <span class="en">Authentication</span>
+ </a>
+ </div>
+ <ul>
+ <li><a href="<?cs var:toroot ?>devices/tech/security/authentication/fingerprint-hal.html">Fingerprint HAL</a></li>
+ <li><a href="<?cs var:toroot ?>devices/tech/security/authentication/gatekeeper.html">Gatekeeper</a></li>
+ <li class="nav-section">
+ <div class="nav-section-header">
+ <a href="<?cs var:toroot ?>devices/tech/security/authentication/keymaster.html">
+ <span class="en">Keymaster</span>
+ </a>
+ </div>
+ <ul>
+ <li><a href="<?cs var:toroot ?>devices/tech/security/authentication/km-features.html">Features</a></li>
+ <li><a href="<?cs var:toroot ?>devices/tech/security/authentication/km-implementer-ref.html">Implementer's Reference</a></li>
+ </ul>
+ </li>
+ </ul>
+ </li>
+ <li><a href="<?cs var:toroot ?>devices/tech/security/encryption/index.html">Full Disk Encryption</a></li>
<li class="nav-section">
<div class="nav-section-header">
<a href="<?cs var:toroot ?>devices/tech/security/selinux/index.html">
@@ -368,7 +408,6 @@
<li class="nav-section">
<div class="nav-section-header">
-
<a href="<?cs var:toroot ?>devices/tech/test_infra/tradefed/index.html">
<span class="en">Testing Infrastructure</span>
</a>
diff --git a/src/devices/images/media.png b/src/devices/images/media.png
deleted file mode 100644
index 7aaee93..0000000
--- a/src/devices/images/media.png
+++ /dev/null
Binary files differ
diff --git a/src/devices/images/ape_fwk_hal_media.png b/src/devices/media/images/ape_fwk_hal_media.png
similarity index 100%
rename from src/devices/images/ape_fwk_hal_media.png
rename to src/devices/media/images/ape_fwk_hal_media.png
Binary files differ
diff --git a/src/devices/images/ape_fwk_media.png b/src/devices/media/images/ape_fwk_media.png
similarity index 100%
rename from src/devices/images/ape_fwk_media.png
rename to src/devices/media/images/ape_fwk_media.png
Binary files differ
diff --git a/src/devices/media.jd b/src/devices/media/index.jd
similarity index 100%
rename from src/devices/media.jd
rename to src/devices/media/index.jd
diff --git a/src/devices/media/oem.jd b/src/devices/media/oem.jd
new file mode 100644
index 0000000..a271ecd
--- /dev/null
+++ b/src/devices/media/oem.jd
@@ -0,0 +1,162 @@
+page.title=OEM Dependencies for Media Resource Manager
+@jd:body
+
+<!--
+ Copyright 2015 The Android Open Source Project
+
+ Licensed under the Apache License, Version 2.0 (the "License");
+ you may not use this file except in compliance with the License.
+ You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+ Unless required by applicable law or agreed to in writing, software
+ distributed under the License is distributed on an "AS IS" BASIS,
+ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ See the License for the specific language governing permissions and
+ limitations under the License.
+-->
+<div id="qv-wrapper">
+ <div id="qv">
+ <h2>In this document</h2>
+ <ol id="auto-toc">
+ </ol>
+ </div>
+</div>
+
+<p>This document is intended to help original equipment manufacturers (OEMs)
+properly implement support for Android media resource manager and related APIs.</p>
+
+<h2 id=1_max_concurrent_codec_instances>1. Max concurrent codec instances</h2>
+
+<p>The <code>CodecCapabilities.getMaxSupportedInstances</code> interface
+returns the maximum number of supported concurrent codec instances.</p>
+
+<p>The CTS test
+<code>testGetMaxSupportedInstances(android.media.cts.MediaCodecCapabilitiesTest)</code>
+is used to enforce the proper maximum is set in
+<code>/etc/media_codecs.xml</code>.</p>
+
+<p>Here is an example:</p>
+
+<pre>
+...
+<MediaCodecs>
+ ...
+ <Encoders>
+ <MediaCodec name="OMX.<em><vendor></em>.video.encoder.avc" type="video/avc" >
+ ...
+ <Limit name="concurrent-instances" max="13" />
+ </MediaCodec>
+ ...
+ </Encoders>
+ ...
+</MediaCodecs>
+</pre>
+
+<p>OEMs can use this test to generate the concurrent limits that pass the test.
+To do this:</p>
+
+ <ol>
+ <li>Run the test first using cts-tradefed.
+ <li>Evaluate the resulting failure message. Here is an example:
+
+<pre>
+There was 1 failure:
+1) testGetMaxSupportedInstances(android.media.cts.MediaCodecCapabilitiesTest)
+junit.framework.AssertionFailedError: In order to pass the test, please publish
+following codecs' concurrent instances limit in /etc/media_codecs.xml:
+<MediaCodec name="OMX.<em><vendor></em>.video.encoder.mpeg4" type="video/mp4v-es" >
+ <Limit name="concurrent-instances" max="13" />
+</MediaCodec>
+<MediaCodec name="OMX.<em><vendor></em>.video.encoder.h263" type="video/3gpp" >
+ <Limit name="concurrent-instances" max="13" />
+</MediaCodec>
+<MediaCodec name="OMX.<em><vendor></em>.video.encoder.avc" type="video/avc" >
+ <Limit name="concurrent-instances" max="13" />
+</MediaCodec>
+<MediaCodec name="OMX.<em><vendor></em>.video.encoder.vp8" type="video/x-vnd.on2.vp8" >
+ <Limit name="concurrent-instances" max="13" />
+</MediaCodec>
+<MediaCodec name="OMX.<em><vendor></em>.video.decoder.avc" type="video/avc" >
+ <Limit name="concurrent-instances" max="13" />
+</MediaCodec>
+<MediaCodec name="OMX.<em><vendor></em>.video.decoder.avc.secure" type="video/avc" >
+ <Limit name="concurrent-instances" max="4" />
+</MediaCodec>
+<MediaCodec name="OMX.<em><vendor></em>.video.decoder.mpeg4" type="video/mp4v-es" >
+ <Limit name="concurrent-instances" max="12" />
+</MediaCodec>
+<MediaCodec name="OMX.<em><vendor></em>.video.decoder.h263" type="video/3gpp" >
+ <Limit name="concurrent-instances" max="12" />
+</MediaCodec>
+<MediaCodec name="OMX.<em><vendor></em>.video.decoder.vp8" type="video/x-vnd.on2.vp8" >
+ <Limit name="concurrent-instances" max="12" />
+</MediaCodec>
+</pre>
+
+ <li>Add the <code>concurrent-instances</code> lines suggested in the test
+failure message to the <code>/etc/media_codecs.xml</code> file.
+
+ <li>Re-run the test to verify its success.
+ </ol>
+
+<h2 id=2_achievable_frame_rates_for_video_codecs>2. Achievable frame rates for video codecs</h2>
+<p>The <code>VideoCapabilities.getAchievableFrameRatesFor</code> interface
+returns the range of achievable video frame rates for a video size. This
+information must be provided by the OEM for each device via an XML file placed at
+<code>/etc/media_codecs_performance.xml</code>. These settings are tested by
+the <code>com.android.cts.videoperf.VideoEncoderDecoderTest</code> and
+<code>android.media.cts.VideoDecoderPerfTest</code> CTS tests.</p>
+
+<p>OEMs can use the CTS tests to generate the XML files that pass the tests. To do this:</p>
+ <ol>
+ <li>Run the tests first using cts-tradefed. Given the
+variability of Android performance, it is recommended the tests are run
+multiple times to get more accurate minimum and maximum values.
+ <li>Use the provided <code>get_achievable_rates.py</code> script to
+generate the XML file.
+ <li>Place the XML file at: <code>/etc/media_codecs_performance.xml</code><br>
+This is usually done by placing the XML file in the device project
+(device/<em><vendor></em>/<em><product></em>) and adding a
+<code>PRODUCT_COPY_FILES</code> line to <code>device.mk</code> like so:
+<pre>
+PRODUCT_COPY_FILES += \
+...
+ device/moto/shamu/media_codecs.xml:system/etc/media_codecs.xml \
++ device/moto/shamu/media_codecs_performance.xml:system/etc/media_codecs_performance.xml
+</pre>
+ <li>Re-run the performance tests to verify their success.
+ </ol>
+
+<h2 id=3_co-exist_of_secure_codec_and_non-secure_codec>3. Co-exist of secure codec and non-secure codec</h2>
+
+<ul>
+ <li>supports-secure-with-non-secure-codec —
+If the instance of secure codec and the instance of non-secure codec can’t
+co-exist at the same time, that should be indicated as global setting in the
+<code>media_codecs.xml</code> file.
+<pre>
+<MediaCodecs>
+ <Settings>
+ <Setting name="supports-secure-with-non-secure-codec" value="false" />
+ </Settings>
+ <Encoders>
+…
+</pre>
+ <li>supports-multiple-secure-codecs —
+If co-exist of multiple secure codec instances is not supported, that should be
+indicated as a global setting in the <code>media_codecs.xml</code> file.
+<pre>
+<MediaCodecs>
+ <Settings>
+ <Setting name="supports-multiple-secure-codecs" value="false" />
+ </Settings>
+ <Encoders>
+…
+</pre>
+ <li>Note that the both settings are true by default, meaning if they are supported,
+there’s no need to add the setting line to the <code>media_codecs.xml</code>.
+ <li>The <code>ResourceManagerTest</code> CTS tests may fail if these two settings were not set
+properly.
+</ul>
diff --git a/src/devices/media/soc.jd b/src/devices/media/soc.jd
new file mode 100644
index 0000000..e42a2af
--- /dev/null
+++ b/src/devices/media/soc.jd
@@ -0,0 +1,74 @@
+page.title=SoC Vendor Dependencies for Media Resource Manager
+@jd:body
+
+<!--
+ Copyright 2015 The Android Open Source Project
+
+ Licensed under the Apache License, Version 2.0 (the "License");
+ you may not use this file except in compliance with the License.
+ You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+ Unless required by applicable law or agreed to in writing, software
+ distributed under the License is distributed on an "AS IS" BASIS,
+ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ See the License for the specific language governing permissions and
+ limitations under the License.
+-->
+<div id="qv-wrapper">
+ <div id="qv">
+ <h2>In this document</h2>
+ <ol id="auto-toc">
+ </ol>
+ </div>
+</div>
+
+<p>This document is intended to help system on chip vendors (SoCs) properly
+implement support for priority, operating rate and the hooks needed for Android
+media resource manager.</p>
+
+<h2 id=1_omx_errorinsufficientresources>1. OMX_ErrorInsufficientResources</h2>
+
+<p>The codec component should return
+<code>OMX_ErrorInsufficientResources</code> on <code>GetHandle</code>,
+<code>Init</code>, <code>UseBuffer</code>, <code>AllocateBuffer</code> or a
+state transition if the failure is due to insufficient resource. The error code
+will be used by the media resource manager as the indicator to potentially
+preempt media resource from other lower priority process.</p>
+
+<p>An Android Compatibility Test Suite (CTS) test exists to allocate, configure
+and start each codec repeatedly until <code>catching
+OMX_ErrorInsufficientResources</code> (pass) or any other error (fail).</p>
+
+<h2 id=2_omx_indexconfigpriority>2. OMX_IndexConfigPriority</h2>
+
+<p>This configuration lets the application describe desired codec priority.</p>
+
+<p>The associated value is an integer. Higher value means lower priority.
+Currently, only two levels are supported:</p>
+
+<ul>
+ <li>0: realtime priority - meaning that the codec shall support the given
+performance configuration (e.g. framerate) at realtime. This will only be used
+by media playback, capture, and possibly by realtime communication scenarios if
+best effort performance is not suitable.</li>
+ <li>1: non-realtime priority (best effort). This is the default value.</li>
+</ul>
+
+<p>Vendor is suggested to use this as a hint used at codec configuration and
+resource planning - to understand the realtime requirements of the application.</p>
+
+<p>Don’t assume realtime priority unless it is configured to 0.</p>
+
+<h2 id=3_omx_indexconfigoperatingrate>3. OMX_IndexConfigOperatingRate</h2>
+
+<p>This configuration lets the application describe operating frame rate for
+video or sample rate for audio at which the codec will need to operate.</p>
+
+<p>This is used for cases like high-speed/slow-motion video capture, where the
+video encoder format contains the target playback rate (e.g. 30fps), but the
+component must be able to handle the high operating capture rate (e.g. 240fps).</p>
+
+<p>This rate should be used for resource planning and setting the operating
+points.</p>
diff --git a/src/devices/storage/adoptable.jd b/src/devices/storage/adoptable.jd
new file mode 100644
index 0000000..899db9b
--- /dev/null
+++ b/src/devices/storage/adoptable.jd
@@ -0,0 +1,98 @@
+page.title=Adoptable Storage
+@jd:body
+<!--
+ Copyright 2015 The Android Open Source Project
+ Licensed under the Apache License, Version 2.0 (the "License");
+ you may not use this file except in compliance with the License.
+ You may obtain a copy of the License at
+ http://www.apache.org/licenses/LICENSE-2.0
+ Unless required by applicable law or agreed to in writing, software
+ distributed under the License is distributed on an "AS IS" BASIS,
+ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ See the License for the specific language governing permissions and
+ limitations under the License.
+-->
+<div id="qv-wrapper">
+ <div id="qv">
+ <h2>In this document</h2>
+ <ol id="auto-toc">
+ </ol>
+ </div>
+</div>
+
+
+<p>Android has always supported external storage accessories (such as SD cards), but
+these accessories were historically limited to simple file storage, due to
+their expected impermanence and the minimal data protection offered to
+<a href="{@docRoot}devices/storage/traditional.html">traditional external storage</a>.
+Android 6.0 introduces the ability to
+<a href="https://developer.android.com/preview/behavior-changes.html#behavior-adoptable-storage">adopt</a>
+external storage media to act like internal storage.</p>
+
+<p>When external storage media is adopted, it’s formatted and encrypted to only
+work with a single Android device at a time. Because the media is strongly tied
+to the Android device that adopted it, it can safely store both apps and
+private data for all users.</p>
+
+<p>When users insert new storage media (such as an SD card) in an adoptable
+location, Android asks them how they want to use the media. They can choose to
+adopt the media, which formats and encrypts it, or they can continue using it
+as-is for simple file storage. If they choose to adopt, the platform offers to
+migrate the primary shared storage contents (typically mounted at <code>/sdcard</code>)
+to the newly adopted media, freeing up valuable space on internal storage.</p>
+
+<p>Apps can be placed on adopted storage media only when the developer has
+indicated support through the <code>android:installLocation</code> attribute.
+New installs of supported apps are automatically placed on the
+storage device with the most free space, and users can move supported apps
+between storage devices in the <em>Settings</em> app. Apps moved to adopted
+media are remembered while the media is ejected,
+and return when the media is reinserted.</p>
+
+<h2 id=security>Security</h2>
+
+
+<p>The platform randomly generates an encryption key for each adopted device,
+and that key is stored on the internal storage of the Android device. This
+effectively makes the adopted media as secure as internal storage. Keys are
+associated with adopted devices based on the adopted partition GUID. The
+adopted device is encrypted using <code>dm-crypt</code> configured with the
+<code>aes-cbc-essiv:sha256</code> algorithm and a 128-bit key size.</p>
+
+<p>The on-disk layout of the adopted device closely mirrors the internal data
+partition, including SELinux labels, etc. When multi-user is supported on the
+Android device, the adopted storage device also supports multi-user with the
+same level of isolation as internal storage.</p>
+
+<p>Because the contents of an adopted storage device are strongly tied to the
+Android device that adopted it, the encryption keys should not be extractable
+from the parent device, and therefore the storage device can't be mounted elsewhere.</p>
+
+<h2 id=performance_and_stability>Performance and stability</h2>
+
+
+<p>Only external storage media in stable locations, such as a slot inside a
+battery compartment or behind a protective cover, should be considered for
+adoption to help avoid accidental data loss or corruption. In particular, USB
+devices connected to a phone or tablet should never be considered for adoption.
+One common exception would be an external USB drive connected to a TV-style
+device, because the entire TV is typically installed in a stable location.</p>
+
+<p>When a user adopts a new storage device, the platform runs a benchmark and
+compares its performance against internal storage. If the adopted device is
+significantly slower than internal storage, the platform warns the user about a
+possibly degraded experience. This benchmark was derived from the actual I/O
+behavior of popular Android apps. Currently, the AOSP implementation will only
+warn users beyond a single threshold, but device manufacturers may adapt this
+further, such as rejecting adoption completely if the card is extremely slow.</p>
+
+<p>Adopted devices must be formatted with a filesystem that supports POSIX
+permissions and extended attributes, such as <code>ext4</code> or <code>f2fs</code>.
+For optimal performance, the <code>f2fs</code> filesystem is recommended for
+flash-based storage devices.</p>
+
+<p>When performing periodic idle maintenance, the platform issues <code>FI_TRIM</code>
+to adopted media just like it does for internal storage. The current SD card
+specification does not support the <code>DISCARD</code> command; but the kernel
+instead falls back to the <code>ERASE</code> command, which SD card firmware
+may choose to use for optimization purposes.</p>
diff --git a/src/devices/storage/config-example.jd b/src/devices/storage/config-example.jd
index fd55db8..91be81b 100644
--- a/src/devices/storage/config-example.jd
+++ b/src/devices/storage/config-example.jd
@@ -1,15 +1,11 @@
-page.title=Typical Configuration Examples
+page.title=Configuration Examples
@jd:body
-
<!--
Copyright 2015 The Android Open Source Project
-
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
-
http://www.apache.org/licenses/LICENSE-2.0
-
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
@@ -24,40 +20,34 @@
</div>
</div>
-<p>Below are examples of external storage configurations as of Android 4.4
-for various typical devices. Only the relevant portions of the configuration
+<p>Below are examples of external storage configurations
+for various device types. Only the relevant portions of the configuration
files are included.
+<p>Due to configuration changes in Android 6.0 (like the removal of the
+<code>storage_list.xml</code> resource overlay), the configuration examples are
+split into two categories.</p>
-<h2>Physical primary only (like Nexus One)</h2>
-
+<h2 id=android_5_x>Android 5.x and earlier</h2>
+<h3 id=android_5_x_physical>Physical primary only</h3>
<p>This is a typical configuration for a device with single external storage
-device which is a physical SD card.</p>
-
+device which is a physical SD card, like Nexus One.</p>
<p>The raw physical device must first be mounted under
<code>/mnt/media_rw</code> where only the system and FUSE daemon can access
it. <code>vold</code> will then manage the <code>fuse_sdcard0</code> service
when media is inserted/removed.
-
-<h3>fstab.hardware</h3>
-
+<h4>fstab.hardware</h4>
<pre><code>[physical device node] auto vfat defaults voldmanaged=sdcard0:auto,noemulatedsd
</code></pre>
-
-<h3>init.hardware.rc</h3>
-
+<h4>init.hardware.rc</h4>
<pre><code>on init
mkdir /mnt/media_rw/sdcard0 0700 media_rw media_rw
mkdir /storage/sdcard0 0700 root root
-
export EXTERNAL_STORAGE /storage/sdcard0
-
service fuse_sdcard0 /system/bin/sdcard -u 1023 -g 1023 -d /mnt/media_rw/sdcard0 /storage/sdcard0
class late_start
disabled
</code></pre>
-
-<h3>storage_list.xml</h3>
-
+<h4>storage_list.xml</h4>
<pre><code><storage
android:mountPoint="/storage/sdcard0"
android:storageDescription="@string/storage_sd_card"
@@ -65,82 +55,57 @@
android:primary="true"
android:maxFileSize="4096" />
</code></pre>
-
-
-<h2>Emulated primary only (like Nexus 4)</h2>
-
+<h3 id=android_5_x_emulated>Emulated primary only</h3>
<p>This is a typical configuration for a device with single external storage
-device which is backed by internal storage on the device.</p>
-
-<h3>init.hardware.rc</h3>
-
+device which is backed by internal storage on the device, like Nexus 4.</p>
+<h4>init.hardware.rc</h4>
<pre><code>on init
mkdir /mnt/shell/emulated 0700 shell shell
mkdir /storage/emulated 0555 root root
-
export EXTERNAL_STORAGE /storage/emulated/legacy
export EMULATED_STORAGE_SOURCE /mnt/shell/emulated
export EMULATED_STORAGE_TARGET /storage/emulated
-
on fs
setprop ro.crypto.fuse_sdcard true
-
service sdcard /system/bin/sdcard -u 1023 -g 1023 -l /data/media /mnt/shell/emulated
class late_start
</code></pre>
-
-<h3>storage_list.xml</h3>
-
+<h4>storage_list.xml</h4>
<pre><code><storage
android:storageDescription="@string/storage_internal"
android:emulated="true"
android:mtpReserve="100" />
</code></pre>
-
-
-<h2>Emulated primary, physical secondary (like Xoom)</h2>
-
+<h3 id=android_5_x_both>Emulated primary, physical secondary</h3>
<p>This is a typical configuration for a device with multiple external
storage devices, where the primary device is backed by internal storage
-on the device, and where the secondary device is a physical SD card.</p>
-
+on the device, and where the secondary device is a physical SD card, like Xoom.</p>
<p>The raw physical device must first be mounted under
<code>/mnt/media_rw</code> where only the system and FUSE daemon can
access it. <code>vold</code> will then manage the <code>fuse_sdcard1</code>
service when media is inserted/removed.</p>
-
-<h3>fstab.hardware</h3>
-
+<h4>fstab.hardware</h4>
<pre><code>[physical device node] auto vfat defaults voldmanaged=sdcard1:auto
</code></pre>
-
-<h3>init.hardware.rc</h3>
-
+<h4>init.hardware.rc</h4>
<pre><code>on init
mkdir /mnt/shell/emulated 0700 shell shell
mkdir /storage/emulated 0555 root root
-
mkdir /mnt/media_rw/sdcard1 0700 media_rw media_rw
mkdir /storage/sdcard1 0700 root root
-
export EXTERNAL_STORAGE /storage/emulated/legacy
export EMULATED_STORAGE_SOURCE /mnt/shell/emulated
export EMULATED_STORAGE_TARGET /storage/emulated
export SECONDARY_STORAGE /storage/sdcard1
-
on fs
setprop ro.crypto.fuse_sdcard true
-
service sdcard /system/bin/sdcard -u 1023 -g 1023 -l /data/media /mnt/shell/emulated
class late_start
-
service fuse_sdcard1 /system/bin/sdcard -u 1023 -g 1023 -w 1023 -d /mnt/media_rw/sdcard1 /storage/sdcard1
class late_start
disabled
</code></pre>
-
-<h3>storage_list.xml</h3>
-
+<h4>storage_list.xml</h4>
<pre><code><storage
android:storageDescription="@string/storage_internal"
android:emulated="true"
@@ -151,3 +116,43 @@
android:removable="true"
android:maxFileSize="4096" />
</code></pre>
+
+<h2 id=android_6>Android 6.0</h2>
+<h3 id=android_6_physical>Physical primary only</h3>
+<p>This is a typical configuration for a device with single external storage
+device which is a physical SD card, like the original Android One. There is no
+secondary shared storage and the device cannot support multi-user.</p>
+<h4>fstab.device</h4>
+<pre><code>/devices/platform/mtk-msdc.1/mmc_host* auto auto defaults
+voldmanaged=sdcard0:auto,encryptable=userdata,noemulatedsd
+</code></pre>
+<h4>init.device.rc</h4>
+<pre><code>on init
+ # By default, primary storage is physical
+ setprop ro.vold.primary_physical 1
+ </code></pre>
+<h3 id=android_6_emulated> Emulated primary only</h3>
+<p>This is a typical configuration for a device with single external storage
+device which is backed by internal storage on the device, like Nexus 6.</p>
+<ul>
+ <li>Primary shared storage (<code>/sdcard</code>) is emulated on top of internal storage.
+ <li>No secondary SD card storage.
+ <li>USB OTG storage devices supported.
+ <li>Supports multi-user.
+</ul>
+<h4>fstab.device</h4>
+<pre><code>/devices/*/xhci-hcd.0.auto/usb* auto auto defaults
+ voldmanaged=usb:auto</code></pre>
+<h3 id=android_6_both>Emulated primary, physical secondary</h3>
+<p>This is a typical configuration for a device with multiple external storage
+devices, where the primary device is backed by internal storage on the device,
+and where the secondary device is a physical SD card, like Xoom.</p>
+<ul>
+ <li>Primary shared storage (<code>/sdcard</code>) is emulated on top of internal storage.
+ <li>Secondary storage is a physical SD card slot that can be adopted.
+ <li>Supports multi-user.
+</ul>
+<h4>fstab.device</h4>
+<pre><code>/devices/platform/mtk-msdc.1/mmc_host* auto auto defaults
+voldmanaged=sdcard1:auto,encryptable=userdata
+</code></pre>
diff --git a/src/devices/storage/config.jd b/src/devices/storage/config.jd
index b8e4e4f..6db706c 100644
--- a/src/devices/storage/config.jd
+++ b/src/devices/storage/config.jd
@@ -1,34 +1,36 @@
-page.title=Device Specific Configuration
+page.title=Device Configuration
@jd:body
-
<!--
- Copyright 2013 The Android Open Source Project
-
+ Copyright 2015 The Android Open Source Project
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
-
http://www.apache.org/licenses/LICENSE-2.0
-
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
-->
+<div id="qv-wrapper">
+ <div id="qv">
+ <h2>In this document</h2>
+ <ol id="auto-toc">
+ </ol>
+ </div>
+</div>
<p>External storage is managed by a combination of the <code>vold</code> init
-service and <code>MountService</code> system servic. Mounting of physical
+service and <code>MountService</code> system service. Mounting of physical
external storage volumes is handled by <code>vold</code>, which performs
staging operations to prepare the media before exposing it to apps.</p>
+<h2 id=file_mappings>File mappings</h2>
<p>For Android 4.2.2 and earlier, the device-specific <code>vold.fstab</code>
configuration file defines mappings from sysfs devices to filesystem mount
points, and each line follows this format:</p>
-
<pre><code>dev_mount <label> <mount_point> <partition> <sysfs_path> [flags]
</code></pre>
-
<ul>
<li><code>label</code>: Label for the volume.</li>
<li><code>mount_point</code>: Filesystem path where the volume should be mounted.</li>
@@ -38,7 +40,6 @@
<li><code>flags</code>: Optional comma separated list of flags, must not contain <code>/</code>.
Possible values include <code>nonremovable</code> and <code>encryptable</code>.</li>
</ul>
-
<p>For Android releases 4.3 and later, the various fstab files used by init, vold and
recovery were unified in the <code>/fstab.<device></code> file. For external
storage volumes that are managed by <code>vold</code>, the entries should have the
@@ -58,10 +59,18 @@
be followed by a label describing the card, and a partition number or the word
<code>auto</code>. Here is an example: <code>voldmanaged=sdcard:auto</code>.
Other possible flags are <code>nonremovable</code>,
-<code>encryptable=sdcard</code>, and <code>noemulatedsd</code>.</li>
+<code>encryptable=sdcard</code>, <code>noemulatedsd</code>, and <code>encryptable=userdata</code>.</li>
</ul>
+
+<h2 id=configuration_details>Configuration details</h2>
<p>External storage interactions at and above the framework level are handled
-through <code>MountService</code>. The device-specific <code>storage_list.xml</code> configuration
+through <code>MountService</code>.
+Due to configuration changes in Android 6.0 (like the
+removal of the storage_list.xml resource overlay), the configuration details
+are split into two categories.
+
+<h3 id=android_5_x_and_earlier>Android 5.x and earlier</h3>
+The device-specific <code>storage_list.xml</code> configuration
file, typically provided through a <code>frameworks/base</code> overlay, defines the
attributes and constraints of storage devices. The <code><StorageList></code> element
contains one or more <code><storage></code> elements, exactly one of which should be marked
@@ -94,3 +103,46 @@
storage. The <code>/sdcard</code> path must also resolve to the same location, possibly
through a symlink. If a device adjusts the location of external storage between
platform updates, symlinks should be created so that old paths continue working.</p>
+
+<h3 id=android_6_0>Android 6.0</h3>
+<p>Configuration of the storage subsystem is now concentrated in the
+device-specific <code>fstab</code> file, and several historical static configuration files/variables have been
+removed to support more dynamic behavior:</p>
+<ul>
+ <li>The <code>storage_list.xml</code> resource overlay has been removed and is no longer used by the framework.
+Storage devices are now configured dynamically when detected by <code>vold</code>.
+ <li>The <code>EMULATED_STORAGE_SOURCE/TARGET</code> environment variables have been removed and are no longer used by Zygote to
+configure user-specific mount points. Instead, user separation is now enforced
+with user-specific GIDs, and primary shared storage is mounted into place by <code>vold</code> at runtime.
+ <ul>
+ <li>Developers may continue to build paths dynamically or statically depending on
+their use case. Including the UUID in the path identifies each card to make
+location clearer for developers. (For example, <code>/storage/ABCD-1234/report.txt</code> is clearly a different file than <code>/storage/DCBA-4321/report.txt</code>.)
+ </ul>
+ <li>The hard-coded FUSE services have been removed from device-specific <code>init.rc</code> files and are instead forked dynamically from <code>vold</code> when needed.
+</ul>
+<p>In addition to these configuration changes, Android 6.0 includes the notion of
+adoptable storage. For Android 6.0 devices, any physical media that is not
+adopted is viewed as portable. </p>
+
+<h4 id=adoptable_storage>Adoptable storage </h4>
+<p>To indicate an adoptable storage device in the <code>fstab</code>, use the <code>encryptable=userdata</code> attribute in the <code>fs_mgr_flags</code> field. Here’s a typical definition:</p>
+<pre><code>/devices/platform/mtk-msdc.1/mmc_host* auto auto defaults
+voldmanaged=sdcard1:auto,encryptable=userdata
+</code></pre>
+<p>When a storage device is adopted, the platform erases the contents and writes a
+GUID partition table that defines two partitions:</p>
+<ul>
+ <li>a small empty <code>android_meta</code> partition that is reserved for future use. The partition type GUID is
+19A710A2-B3CA-11E4-B026-10604B889DCF.
+ <li>a large <code>android_ext</code> partition that is encrypted using dm-crypt and formatted using either <code>ext4</code> or <code>f2fs</code> depending on the kernel capabilities. The partition type GUID is
+193D1EA4-B3CA-11E4-B075-10604B889DCF.
+</ul>
+<h4 id=portable_storage>Portable storage </h4>
+<p>In the <code>fstab</code>, storage devices with the <code>voldmanaged</code> attribute are considered to be portable by default unless another attribute
+like <code>encryptable=userdata</code> is defined. For example, here’s a typical definition for USB OTG devices:</p>
+<pre><code>/devices/*/xhci-hcd.0.auto/usb* auto auto defaults
+ voldmanaged=usb:auto
+</code></pre>
+<p>The platform uses <code>blkid</code> to detect filesystem types before mounting, and users can choose to format the
+media when the filesystem is unsupported.</p>
diff --git a/src/devices/storage/index.jd b/src/devices/storage/index.jd
index 43ee949..7e62fe6 100644
--- a/src/devices/storage/index.jd
+++ b/src/devices/storage/index.jd
@@ -1,15 +1,11 @@
page.title=Storage
@jd:body
-
<!--
Copyright 2015 The Android Open Source Project
-
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
-
http://www.apache.org/licenses/LICENSE-2.0
-
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
@@ -25,19 +21,25 @@
</div>
<img style="float: right; margin: 0px 15px 15px 15px;" src="images/ape_fwk_hal_extstor.png" alt="Android external storage HAL icon"/>
+<p>Android has evolved over time to support a wide variety of storage device types
+and features. All versions of Android support devices with <a href="{@docRoot}devices/storage/traditional.html">traditional storage</a>,
+which includes portable and emulated storage. <em>Portable</em> storage can be provided by physical media, like an SD card or USB, that is for
+temporary data transfer/ file storage. The physical media may remain with the
+device for an extended period of time, but is not tied to the device and may be
+removed. SD cards have been available as portable storage since Android 1.0;
+Android 6.0 added USB support. <em>Emulated</em> storage is provided by exposing a portion of internal storage through an
+emulation layer and has been available since Android 3.0.</p>
-<p>Android supports devices with external storage, which is defined to be a
-case-insensitive filesystem with immutable POSIX permission classes and
-modes. External storage can be provided by physical media (such as an SD
-card), or by exposing a portion of internal storage through an emulation
-layer. Devices may contain multiple instances of external storage.</p>
+<p>Starting in Android 6.0, Android supports <a href="{@docRoot}devices/storage/adoptable.html"><em>adoptable</em> storage</a>, which is provided by physical media, like an SD card or USB, that is
+encrypted and formatted to behave like internal storage. Adoptable storage can
+store all types of application data. </p>
+<h2 id=permissions>Permissions</h2>
<p>Access to external storage is protected by various Android
permissions. Starting in Android 1.0, write access is protected with the
<code>WRITE_EXTERNAL_STORAGE</code> permission. Starting in Android 4.1,
read access is protected with the <code>READ_EXTERNAL_STORAGE</code>
permission.</p>
-
<p>Starting in Android 4.4, the owner, group and modes of files on external
storage devices are now synthesized based on directory structure. This
enables apps to manage their package-specific directories on external
@@ -48,65 +50,29 @@
no permissions. These synthesized permissions are accomplished by wrapping
raw storage devices in a FUSE daemon.</p>
-<p>Since external storage offers minimal protection for stored data, system
-code should not store sensitive data on external storage. Specifically,
-configuration and log files should only be stored on internal storage where
-they can be effectively protected.</p>
+<h3 id=runtime_permissions>Runtime permissions</h3>
-<h2 id="multiple-external-storage-devices">Multiple external storage devices</h2>
-
-<p>Starting in Android 4.4, multiple external storage devices are surfaced
-to developers through <code>Context.getExternalFilesDirs()</code>,
-<code>Context.getExternalCacheDirs()</code>, and
-<code>Context.getObbDirs()</code>.</p>
-
-</p>External storage devices surfaced through these APIs must be a
-semi-permanent part of the device (such as an SD card slot in a battery
-compartment). Developers expect data stored in these locations to be
-available over long periods of time. For this reason, transient storage
-devices (such as USB mass storage drives) should not be surfaced through
-these APIs.</p>
-
-<p>The <code>WRITE_EXTERNAL_STORAGE</code> permission must only grant write
-access to the primary external storage on a device. Apps must not be
-allowed to write to secondary external storage devices, except in their
-package-specific directories as allowed by synthesized
-permissions. Restricting writes in this way ensures the system can clean
-up files when applications are uninstalled.</p>
-
-
-<h2 id="multi-user-external-storage">Multi-user external storage</h2>
-
-<p>Starting in Android 4.2, devices can support multiple users, and external
-storage must meet the following constraints:</p>
+<p>Android 6.0 introduces a new <a href="{@docRoot}devices/tech/config/runtime_perms.html">runtime permissions</a> model where apps request
+capabilities when needed at runtime. Because the new model includes the <code>READ/WRITE_EXTERNAL_STORAGE</code> permissions, the platform needs to dynamically grant storage access without
+killing or restarting already-running apps. It does this by maintaining three
+distinct views of all mounted storage devices:</p>
<ul>
-<li>Each user must have their own isolated primary external storage, and
-must not have access to the primary external storage of other users.</li>
-<li>The <code>/sdcard</code> path must resolve to the correct user-specific
-primary external storage based on the user a process is running as.</li>
-<li>Storage for large OBB files in the <code>Android/obb</code> directory
-may be shared between multiple users as an optimization.</li>
-<li>Secondary external storage must not be writable by apps, except in
-package-specific directories as allowed by synthesized permissions.</li>
+ <li><code>/mnt/runtime/default</code> is shown to apps with no special storage permissions, and to the root
+namespace where <code>adbd</code> and other system components live.
+ <li><code>/mnt/runtime/read</code> is shown to apps with <code>READ_EXTERNAL_STORAGE</code>
+ <li><code>/mnt/runtime/write</code> is shown to apps with <code>WRITE_EXTERNAL_STORAGE</code>
</ul>
-<p>The default platform implementation of this feature leverages Linux kernel
-namespaces to create isolated mount tables for each Zygote-forked process,
-and then uses bind mounts to offer the correct user-specific primary external
-storage into that private namespace.</p>
+<p>At Zygote fork time, we create a mount namespace for each running app and bind
+mount the appropriate initial view into place. Later, when runtime permissions
+are granted, <code>vold</code> jumps into the mount namespace of already-running apps and bind mounts the
+upgraded view into place. Note that permission downgrades always result in the
+app being killed.</p>
-<p>At boot, the system mounts a single emulated external storage FUSE daemon
-at <code>EMULATED_STORAGE_SOURCE</code>, which is hidden from apps. After
-the Zygote forks, it bind mounts the appropriate user-specific subdirectory
-from under the FUSE daemon to <code>EMULATED_STORAGE_TARGET</code> so that
-external storage paths resolve correctly for the app. Because an app lacks
-accessible mount points for other users' storage, they can only access
-storage for the user it was started as.</p>
+<p>The <code>setns()</code> functionality used to implement this feature requires at least Linux 3.8, but
+patches have been backported successfully to Linux 3.4. The <code>PermissionsHostTest</code> CTS test can be used to verify correct kernel behavior.</p>
-<p>This implementation also uses the shared subtree kernel feature to
-propagate mount events from the default root namespace into app namespaces,
-which ensures that features like ASEC containers and OBB mounting continue
-working correctly. It does this by mounting the rootfs as shared, and then
-remounting it as slave after each Zygote namespace is created.</p>
+<p>In Android 6.0, third-party apps don’t have access to the <code>sdcard_r</code> and <code>sdcard_rw</code> GIDs. Instead, access is controlled by mounting only the appropriate runtime
+view in place for that app. Cross-user interactions are blocked using the <code>everybody</code> GID.</p>
diff --git a/src/devices/storage/traditional.jd b/src/devices/storage/traditional.jd
new file mode 100644
index 0000000..c71c644
--- /dev/null
+++ b/src/devices/storage/traditional.jd
@@ -0,0 +1,94 @@
+page.title=Traditional Storage
+@jd:body
+<!--
+ Copyright 2015 The Android Open Source Project
+ Licensed under the Apache License, Version 2.0 (the "License");
+ you may not use this file except in compliance with the License.
+ You may obtain a copy of the License at
+ http://www.apache.org/licenses/LICENSE-2.0
+ Unless required by applicable law or agreed to in writing, software
+ distributed under the License is distributed on an "AS IS" BASIS,
+ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ See the License for the specific language governing permissions and
+ limitations under the License.
+-->
+<div id="qv-wrapper">
+ <div id="qv">
+ <h2>In this document</h2>
+ <ol id="auto-toc">
+ </ol>
+ </div>
+</div>
+
+<img style="float: right; margin: 0px 15px 15px 15px;" src="images/ape_fwk_hal_extstor.png" alt="Android external storage HAL icon"/>
+
+<p>Android supports devices with traditional storage, which is defined to be a
+case-insensitive filesystem with immutable POSIX permission classes and modes.
+The notion of traditional storage encompasses emulated and portable storage.
+Portable storage is defined as any external storage that is not <a href="{@docRoot}devices/storage/adoptable.html">
+adopted</a> by the
+system and therefore not formatted and encrypted or tied to a specific device.
+Because traditional external storage offers minimal protection for stored data,
+system code should not store sensitive data on external storage. Specifically,
+configuration and log files should only be stored on internal storage where
+they can be effectively protected.</p>
+
+<h2 id="multi-user-external-storage">Multi-user external storage</h2>
+<p>Starting in Android 4.2, devices can support multiple users, and external
+storage must meet the following constraints:</p>
+<ul>
+<li>Each user must have their own isolated primary external storage, and
+must not have access to the primary external storage of other users.</li>
+<li>The <code>/sdcard</code> path must resolve to the correct user-specific
+primary external storage based on the user a process is running as.</li>
+<li>Storage for large OBB files in the <code>Android/obb</code> directory
+may be shared between multiple users as an optimization.</li>
+<li>Secondary external storage must not be writable by apps, except in
+package-specific directories as allowed by synthesized permissions.</li>
+</ul>
+<p>The default platform implementation of this feature leverages Linux kernel
+namespaces to create isolated mount tables for each Zygote-forked process,
+and then uses bind mounts to offer the correct user-specific primary external
+storage into that private namespace.</p>
+<p>At boot, the system mounts a single emulated external storage FUSE daemon
+at <code>EMULATED_STORAGE_SOURCE</code>, which is hidden from apps. After
+the Zygote forks, it bind mounts the appropriate user-specific subdirectory
+from under the FUSE daemon to <code>EMULATED_STORAGE_TARGET</code> so that
+external storage paths resolve correctly for the app. Because an app lacks
+accessible mount points for other users' storage, they can only access
+storage for the user it was started as.</p>
+<p>This implementation also uses the shared subtree kernel feature to
+propagate mount events from the default root namespace into app namespaces,
+which ensures that features like ASEC containers and OBB mounting continue
+working correctly. It does this by mounting the rootfs as shared, and then
+remounting it as slave after each Zygote namespace is created.</p>
+
+<h2 id="multiple-external-storage-devices">Multiple external storage devices</h2>
+<p>Starting in Android 4.4, multiple external storage devices are surfaced
+to developers through <code>Context.getExternalFilesDirs()</code>,
+<code>Context.getExternalCacheDirs()</code>, and
+<code>Context.getObbDirs()</code>.</p>
+</p>External storage devices surfaced through these APIs must be a
+semi-permanent part of the device (such as an SD card slot in a battery
+compartment). Developers expect data stored in these locations to be
+available over long periods of time. For this reason, transient storage
+devices (such as USB mass storage drives) should not be surfaced through
+these APIs.</p>
+<p>The <code>WRITE_EXTERNAL_STORAGE</code> permission must only grant write
+access to the primary external storage on a device. Apps must not be
+allowed to write to secondary external storage devices, except in their
+package-specific directories as allowed by synthesized
+permissions. Restricting writes in this way ensures the system can clean
+up files when applications are uninstalled.</p>
+
+<h2 id=support_usb_media>USB media support</h2>
+
+<p>Android 6.0 supports portable storage devices which are only connected to the
+device for a short period of time, like USB flash drives. When a user inserts a
+new portable device, the platform shows a notification to let them copy or
+manage the contents of that device.</p>
+
+<p>In Android 6.0, any device that is not adopted is considered portable. Because
+portable storage is connected for only a short time, the platform avoids heavy
+operations such as media scanning. Third-party apps must go through the <a href="https://developer.android.com/guide/topics/providers/document-provider.html">Storage Access Framework</a> to interact with files on portable storage; direct access is explicitly
+blocked for privacy and security reasons.</p>
diff --git a/src/devices/tech/config/carrier.jd b/src/devices/tech/config/carrier.jd
new file mode 100644
index 0000000..51261ff
--- /dev/null
+++ b/src/devices/tech/config/carrier.jd
@@ -0,0 +1,236 @@
+page.title=Carrier Configuration
+@jd:body
+
+<!--
+ Copyright 2015 The Android Open Source Project
+
+ Licensed under the Apache License, Version 2.0 (the "License");
+ you may not use this file except in compliance with the License.
+ You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+ Unless required by applicable law or agreed to in writing, software
+ distributed under the License is distributed on an "AS IS" BASIS,
+ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ See the License for the specific language governing permissions and
+ limitations under the License.
+-->
+
+<div id="qv-wrapper">
+ <div id="qv">
+ <h2>In this document</h2>
+ <ol id="auto-toc">
+ </ol>
+ </div>
+</div>
+
+<p>The Android 6.0 Marshmallow release introduces a capability for privileged
+applications to provide carrier-specific configuration to the platform. This
+functionality, based on the <a href="uicc.html">UICC carrier privilege
+functionality</a> introduced in Android 5.1 (Lollipop MR1), will allow carrier
+configuration to be moved away from the static configuration overlays and give
+carriers and OEMs the ability to dynamically provide carrier configuration to
+the platform through a defined interface.</p>
+
+<p>A properly signed carrier app can either be preloaded in the system image,
+installed automatically, or manually installed through an app store. The app
+will be queried by the platform to provide configuration for settings
+including:</p>
+
+<ul>
+ <li>Roaming/Non-roaming networks
+ <li>Visual Voicemail
+ <li>SMS/MMS network settings
+ <li>VoLTE/IMS configurations
+</ul>
+
+<p class="note"><strong>Note</strong>: This app must be signed with the
+certificate that has a matching signature to one on the SIM. See the <a
+href="#how_privilege_is_granted_to_a_carrier_app">How is privilege granted to a
+Carrier App</a> section for details.</p>
+
+<p>The determination of what values to return is entirely up to the Carrier App
+and can be dynamic based on detailed information passed to the app via the
+platform. </p>
+
+<p>The key benefits of this approach are:</p>
+
+<ul>
+ <li><strong>Dynamic configuration</strong> - Support for concepts like
+non-MCCMNC derived configuration, for example
+mobile virtual network operators (MVNOs) or customer opt in to extra services
+ <li><strong>Support for devices sold through any channel</strong> - e.g. an
+open market phone can be automatically configured with the right
+settings by downloading an app from an app store.
+ <li><strong>Security</strong> - Privilege to provide this configuration is
+given only to applications signed by the carrier
+ <li><strong>Defined API</strong> - Previously this configuration was stored
+mostly in internal XML overlays within the framework and not through a public
+API. The carrier config API in Android 6.0 is public and well defined.
+</ul>
+
+<h2 id=how_it_works>How it works</h2>
+
+<h3 id=loading_the_config>Loading the config</h3>
+
+<p>The carrier configuration supplied by this feature is a set of key-value pairs
+that change various telephony-related behaviors in the platform.</p>
+
+<p>The set of values for a particular device is determined by querying the
+following components in order:</p>
+
+<ol>
+ <li>The Carrier App (although this is technically optional, it is the recommended
+location for additional configuration beyond what exists in the Android Open
+Source Project - AOSP)
+ <li>The Platform Config App bundled with the system image
+ <li>Default values, hardcoded into the framework (equivalent to the behavior prior
+to M)
+</ol>
+
+<p class="caution"><strong>Important</strong>: If a value for a particular key
+is returned at any stage, the first value found takes precedence over the
+further stages.</p>
+
+<h4 id=the_platform_config_app>The Platform Config App</h4>
+
+<p>A generic Platform Config App is bundled with the system image that can supply
+values for any variables the regular Carrier App does not. The platform config
+app can be found (in M) in: <code>packages/apps/CarrierConfig</code></p>
+
+<p>This app’s purpose is to provide some per-network configuration when a Carrier
+App is not installed, and carriers/OEMs should make only minimal changes to it
+in their own images. Instead carriers should provide the separate Carrier App
+for carrier customization, allowing updates to be distributed via avenues such
+as app stores.</p>
+
+<h4 id=how_privilege_is_granted_to_a_carrier_app>How privilege is granted to a Carrier App</h4>
+
+<p>The Carrier App in question must be signed with the same certificate found on
+the SIM card, as documented in <a href="uicc.html">UICC Carrier Privileges</a>.</p>
+
+<h4 id=what_information_is_passed_to_the_carrier_app>What information is passed to the Carrier App</h4>
+
+<p>The Carrier App is supplied with the following values, enabling it to make a
+dynamic decision as to what values to return:</p>
+
+<ul>
+ <li>MCC
+ <li>MNC
+ <li>SPN
+ <li>IMSI
+ <li>GID1
+ <li>GID2
+</ul>
+
+<h4 id=when_loading_the_carrier_config_occurs>When loading the carrier config occurs</h4>
+
+<p>The building of the list of key value pairs occurs:</p>
+
+<ul>
+ <li>When the SIM is loaded (boot, or SIM hot swap)
+ <li>When the Carrier app manually triggers a reload
+ <li>When the Carrier app gets updated
+</ul>
+
+<p>See the <a
+href="http://developer.android.com/reference/android/service/carrier/CarrierService.html#onLoadConfig(android.service.carrier.CarrierIdentifier)">android.service.carrier.CarrierService#onLoadConfig()</a>
+reference for more details.</p>
+
+<p class="note"><strong>Note</strong>: The platform caches carrier
+configuration bundles and loads from the cache for SIM state changes. This is
+to speed up boot and SIM hot swap. It is assumed that without a package update
+or an explicit <code>notifyConfigChangedForSubId</code>, the config bundle has
+not been modified.</p>
+
+<h3 id=using_the_config>Using the config</h3>
+
+<p>Once the configuration has been built, the values contained within it are used
+to set various values of system configuration, including:</p>
+
+<ul>
+ <li>Internal framework telephony settings
+ <li>SDK-returned configuration values, e.g. in SmsManager
+ <li>App settings like VVM connection values in the Dialer
+</ul>
+
+<h3 id=configuration_keys>Configuration keys</h3>
+
+<p>The list of keys is defined as part of the public SDK in <code><a
+href="http://developer.android.com/reference/android/telephony/CarrierConfigManager.html">android.telephony.CarrierConfigManager</a></code>
+and cannot change within the same API level. See the table below for a summary of keys.</p>
+
+<h2 id=how_to_build_your_application>How to build your application</h2>
+
+<h3 id=create_your_application>Create your application</h3>
+
+<p>Your application must target the Android 6.0 API level (23).</p>
+
+<h3 id=declare_a_class_that_overrides_android_service_carrier_carrierservice>Declare a class that overrides android.service.carrier.CarrierService</h3>
+
+<ol>
+ <li>Override <code>onLoadConfig</code> to return the values you wish to
+supply based on the <code>service.carrier.CarrierIdentifier</code> object
+passed.
+ <li>Add logic to call <code>notifyConfigChangedForSubId</code> in scenarios
+where carrier configuration may change over time (e.g. when the
+user adds extra services to their account)
+</ol>
+
+<p>An example is below:</p>
+
+<pre>
+public class SampleCarrierConfigService extends CarrierService {
+
+ private static final String TAG = "SampleCarrierConfigService";
+
+ public SampleCarrierConfigService() {
+ Log.d(TAG, "Service created");
+ }
+
+ @Override
+ public PersistableBundle onLoadConfig(CarrierIdentifier id) {
+ Log.d(TAG, "Config being fetched");
+ PersistableBundle config = new PersistableBundle();
+ config.putBoolean(
+ CarrierConfigManager.KEY_CARRIER_VOLTE_AVAILABLE_BOOL, true);
+ config.putBoolean(
+ CarrierConfigManager.KEY_CARRIER_VOLTE_TTY_SUPPORTED_BOOL, false);
+ config.putInt(CarrierConfigManager.KEY_VOLTE_REPLACEMENT_RAT_INT, 6);
+ // Check CarrierIdentifier and add more config if needed…
+ return config;
+ }
+}
+</pre>
+
+
+<p>Please see the <a
+href="https://developer.android.com/reference/android/service/carrier/CarrierService.html">android.service.carrier.CarrierService</a> reference on developer.android.com for more details.</p>
+
+<h3 id=name_the_class_in_your_manifest>Name the class in your manifest</h3>
+
+<p>An example is below:</p>
+
+<pre>
+<service android:name=".SampleCarrierConfigService"
+android:label="@string/service_name"
+android:permission="android.permission.BIND_CARRIER_SERVICES">
+ <intent-filter>
+ <action android:name="android.service.carrier.ConfigService"/></intent-filter>
+</service>
+</pre>
+
+<h3 id=sign_app_with_same_certificate_on_sim>Sign app with same certificate on SIM</h3>
+
+<p>See <a href="uicc.html">UICC Carrier Privileges</a> for the requirements.</p>
+
+<h2 id=testing_your_application>Testing your application</h2>
+
+<p>Once you have built your configuration application, you can test your code
+with:</p>
+
+<ul>
+ <li>A SIM containing a valid certificate signature
+ <li>A device running Android 6.0 and later, for example a Nexus device
+</ul>
diff --git a/src/devices/tech/filesystem-config.jd b/src/devices/tech/config/filesystem.jd
similarity index 100%
rename from src/devices/tech/filesystem-config.jd
rename to src/devices/tech/config/filesystem.jd
diff --git a/src/devices/tech/config/runtime_perms.jd b/src/devices/tech/config/runtime_perms.jd
new file mode 100644
index 0000000..ef54b78
--- /dev/null
+++ b/src/devices/tech/config/runtime_perms.jd
@@ -0,0 +1,107 @@
+page.title=Runtime Permissions
+@jd:body
+
+<!--
+ Copyright 2015 The Android Open Source Project
+
+ Licensed under the Apache License, Version 2.0 (the "License");
+ you may not use this file except in compliance with the License.
+ You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+ Unless required by applicable law or agreed to in writing, software
+ distributed under the License is distributed on an "AS IS" BASIS,
+ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ See the License for the specific language governing permissions and
+ limitations under the License.
+-->
+<div id="qv-wrapper">
+ <div id="qv">
+ <h2>In this document</h2>
+ <ol id="auto-toc">
+ </ol>
+ </div>
+</div>
+
+<p>The Android 6.0 release presents a new application permission model aimed at making permissions more understandable, useful, and secure for users. The model moves Android applications that require dangerous permissions (see <a href="#affected-permissions">Affected permissions</a>) from an <i>install</i> time permission model to <i>runtime</i> permission model:</p>
+
+<ul>
+<li><strong>Install Time Permissions</strong> (<i>Android 5.1 and earlier</i>). Users grant dangerous permissions to an app when installing or updating the app. OEMs/carriers can pre-install apps with pre-granted permissions without notifying the user. </li>
+<li><strong>Runtime Permissions</strong> (Android <i>6.0 and later</i>). Users grant dangerous permissions to an app when the app is running. Applications decide when to request permissions (such as when the app launches or the user accesses a specific feature), but must allow the user to grant/deny application access to specific permission groups. OEMs/carriers can pre-install apps but cannot pre-grant permissions (see <a href="#creating-exceptions">Creating exceptions</a>). </li>
+</ul>
+
+<p>The move to runtime permissions provides users additional context and visibility into the permissions that applications are seeking or have been granted. The new model also encourages developers to help users understand why applications require the requested permissions and to provide greater transparency about the benefits and hazards of granting or denying permissions. Users can revoke application permissions using the Apps menu in Settings.</p>
+
+<h2 id="affected-permissions">Affected permissions</h2>
+
+<p>The Android 6.0 release requires only dangerous permissions to use a runtime permissions model. Dangerous permissions are higher-risk permissions (such as <code>READ_CALENDAR</code>) that grant requesting applications access to private user data or control over the device that can negatively impact the user. To view a list of dangerous permissions, run the command: <code>adb shell pm list permissions -g -d</code> .</p>
+
+<p>This release does not change the behavior of normal permissions (all non-dangerous permissions including normal, system, and signature permissions). Normal permissions are lower-risk permissions (such as <code>SET_WALLPAPER</code>) that grant requesting applications access to isolated application-level features with minimal risk to other applications, the system, or the user. As in Android 5.1 and earlier releases, the system automatically grants normal permissions to a requesting application at installation and does not prompt the user for approval. For details on permissions, refer to <a href="http://developer.android.com/guide/topics/manifest/permission-element.html"><permission> element documentation</a>.</p>
+
+<h2 id="requirements">Requirements</h2>
+
+<p>The runtime permission model applies to all applications, including pre-installed apps and apps delivered to the device as part of the setup process. Application software requirements include: </p>
+<ul>
+<li>Runtime permission model must be consistent across all devices running Android 6.0. Enforced by Android Compatibility Test Suite (CTS) tests.</li>
+<li>Apps must prompt users to grant application permissions at runtime. For details, see Updating Applications.Limited exceptions may be granted to default applications and handlers that provide basic device functionality determined to be fundamental to the expected operation of the device (i.e. the device's default Dialer app for handling ACTION_CALL may have Phone permission access). For details, see <a href="#creating-exceptions">Creating exceptions</a>.</li>
+<li>Pre-loaded apps with "dangerous permission" MUST target API level 23 and the AOSP permission model of Android 6.0 should be maintained (i.e. the UI flow during an app installation should not deviate from the AOSP implementation of PackageInstaller, users can even revoke the dangerous permissions of pre-installed apps etc.).</li>
+<li>Headless applications must use an activity to request permissions or share a UID with another application that has the necessary permissions. For details, see <a href="#headless-apps">Headless applications</a>.</li>
+</ul>
+
+<h2 id="permissions-migration">Permissions migration</h2>
+
+<p>Permissions granted to applications on Android 5.x remain granted after updating to Android 6.0, but users can revoke those permissions at any time.</p>
+
+<h2 id="integration">Integration</h2>
+
+<p>When integrating the Android 6.0 application runtime permissions model, you must update pre-installed applications to work with the new model. You can also define exceptions for apps that are the default handlers/providers for core functionality, define custom permissions, and customize the theme used in the PackageInstaller.</p>
+
+<h3 id="updating-apps">Updating applications</h3>
+
+<p>Applications on the system image and pre-installed applications are not automatically pre-granted permissions. We encourage you to work with pre-installed app developers (OEM, Carrier, and third party) to make the required app modifications using the <a href="https://developer.android.com/preview/features/runtime-permissions.html">guidelines</a> posted on the developer portal. Specifically, you must ensure that pre-installed applications are modified to avoid crashes and other issues when users revoke permissions.</p>
+
+<h4 id="preloaded-apps">Pre-loaded applications</h4>
+<p>Pre-loaded apps that use dangerous permissions MUST target API level 23 and maintain the Android 6.0 AOSP permission model (i.e. the UI flow during an app installation should not deviate from the AOSP implementation of PackageInstaller, users can even revoke the dangerous permissions of pre-installed apps etc.).</p>
+
+<h4 id="headless-apps">Headless applications</h4>
+<p>Only activities can request permissions; services cannot directly request permissions. </p>
+<ul>
+<li>In Android 5.1 and earlier releases, headless applications can request permissions when installed or pre-installed without the use of an activity.</li>
+<li>In Android 6.0, headless applications must use one of the following methods to request permissions:<ul>
+<li>Add an activity to request permissions (preferred method).</li>
+<li>Share a UID with another application that has the necessary permissions. Use this method only when you need the platform to handle multiple APKs as a single application.</li>
+</ul></li>
+</ul>
+<p>The goal is to avoid confusing users with permission requests that appear out of context.</p>
+
+<h3 id="customizing-package-install">Customizing PackageInstaller</h3>
+<p>If desired, you can customize the Permissions UI <b>theme</b> by updating the default device themes (<code>Theme.DeviceDefault.Settings</code> and <code>Theme.DeviceDefault.Light.Dialog.NoActionBar</code>) used by PackageInstaller. However, because consistency is critical for app developers, you cannot customize the placement, position, and rules of when the Permissions UI appears.</p>
+<p>To include <b>strings</b> for additional languages, contribute the strings to AOSP.</p>
+
+<h3 id="creating-exceptions">Creating exceptions</h3>
+<p>You can pre-grant permissions to applications that are default handlers or providers for core OS functionality using the <code>DefaultPermissionGrantPolicy.java</code> in PackageManager. Examples:</p>
+
+<code>
+<p>ACTION_CALL (Dialer) Default</p>
+<ul>
+<li>Phone, Contacts, SMS, Microphone</li>
+</ul>
+<p>SMS_DELIVER_ACTION (SMS/MMS) Default</p>
+<ul>
+<li>Phone, Contacts, SMS</li>
+</ul>
+</code>
+
+<h3 id="defining-custom-perms">Defining custom permissions</h3>
+<p>You can define custom permissions and groups as <i>normal</i> or <i>dangerous</i> and add OEM/Carrier-specific permissions to existing permissions groups, just as you could in Android 5.x and earlier releases.</p>
+
+<p>In the Android 6.0 release, if you add a new dangerous permission, it must be handled in the same way as other dangerous permissions (requested during app runtime and revocable by users). Specifically: </p>
+
+<ul>
+<li>You can add new permissions to a current group, but you cannot modify the AOSP mapping of dangerous permissions and dangerous permissions group (e.g. you cannot remove a permission from a group and assign to other group).</li>
+<li>You can add new permission groups in applications installed on the device, but you cannot add new permissions groups in the platform manifest.</li>
+</ul>
+
+<h2 id="testing-perms">Testing permissions</h2>
+<p>The Android 6.0 release includes new Compatibility Test Suite (CTS) tests that verify individual permissions are mapped to the correct Groups. Passing these tests is a requirement for Android 6.0 CTS compatibility.</p>
\ No newline at end of file
diff --git a/src/devices/tech/config/voicemail.jd b/src/devices/tech/config/voicemail.jd
new file mode 100644
index 0000000..2d88828
--- /dev/null
+++ b/src/devices/tech/config/voicemail.jd
@@ -0,0 +1,185 @@
+page.title=Visual Voicemail
+@jd:body
+
+<!--
+ Copyright 2015 The Android Open Source Project
+
+ Licensed under the Apache License, Version 2.0 (the "License");
+ you may not use this file except in compliance with the License.
+ You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+ Unless required by applicable law or agreed to in writing, software
+ distributed under the License is distributed on an "AS IS" BASIS,
+ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ See the License for the specific language governing permissions and
+ limitations under the License.
+-->
+<div id="qv-wrapper">
+ <div id="qv">
+ <h2>In this document</h2>
+ <ol id="auto-toc">
+ </ol>
+ </div>
+</div>
+
+<p>Android 6.0 (Marshmallow) brings an implementation of Visual Voicemail (VVM)
+support integrated into the Dialer, allowing compatible Carrier VVM services to
+hook into the Dialer with minimal configuration. Visual voicemail lets users
+easily check voicemail without making any phone calls. Users can view a list of
+messages in an inbox-like interface, listen to them in any order, and can
+delete them as desired.</p>
+
+<p>This article gives an overview of what is provided, how carriers can integrate
+with it, and some details of the implementation.</p>
+
+<h2 id=visual_voicemail_vvm_client>Visual Voicemail (VVM) client</h2>
+
+<p>Android 6.0 includes a OMTP VVM client, which (when provided with the correct
+configuration) will connect to Carrier VVM servers and populate Visual
+Voicemail messages within the AOSP Dialer. The VVM client:</p>
+
+<ul>
+ <li>Handles the SMS messages used to activate/deactivate/query status of the
+service and the SMS messages used to notify the device of events in the
+subscriber’s mailbox
+ <li>Syncs the mailbox with the IMAP server
+ <li>Downloads the voicemails when the user chooses to listen to them
+ <li>Integrates into the Dialer for user functionality such as calling back, viewing
+unread messages, deleting messages, etc.
+</ul>
+
+<h2 id=integrate_with_the_vvm_client>Integrate with the VVM client</h2>
+
+<h3 id=implementation>Implementation</h3>
+
+<p>The Carrier must provide a Visual Voicemail server implementing the <a href="http://www.gsma.com/newsroom/wp-content/uploads/2012/07/OMTP_VVM_Specification_1_3.pdf">OMTP VVM specifications</a>. The current implementation of the Google VVM client supports the core
+features (read/delete voicemails, download/sync/listen) but the additional TUI
+features (password change, voicemail greeting, languages) are not implemented.
+At this time, we only support OMTP version 1.1 and do not use encryption for
+IMAP authentication. </p>
+
+<p><strong>Note</strong> that server-originated SMS messages to the device (e.g. STATUS or SYNC) must
+not be class 0 messages.</p>
+
+<h3 id=configuration>Configuration</h3>
+
+<p>In order for a carrier to integrate with the VVM service, the carrier must
+provide configuration details to the platform that the OMTP client can use.
+These parameters are:</p>
+
+<ul>
+ <li>Destination number and port number for SMS
+ <li>Authentication security type for IMAP (SSL, TLS, none, etc.)
+ <li>The package name of the carrier-provided Visual Voicemail app (if one is
+provided), so that the platform implementation can be disabled if that package
+is installed
+</ul>
+
+<p>These values are provided through the <a href="https://developer.android.com/reference/android/telephony/CarrierConfigManager.html">Carrier Config API</a>. This functionality, launched in Android 6.0, allows an application to
+dynamically provide telephony-related configuration to the various platform
+components that need it. In particular the following keys must have values
+defined:</p>
+
+<ul>
+ <li><code>KEY_VVM_DESTINATION_NUMBER_STRING</code>
+ <li><code>KEY_VVM_PORT_NUMBER_INT</code>
+ <li><code>KEY_VVM_TYPE_STRING</code>
+ <li><code>KEY_CARRIER_VVM_PACKAGE_NAME_STRING</code>
+</ul>
+
+<p>Please see the <a href="{@docRoot}devices/tech/config/carrier.html">Carrier Configuration</a> article for more detail.</p>
+
+<h2 id=implementation>Implementation</h2>
+
+<p>The OMTP VVM client is implemented within <code>packages/services/Telephony</code>, in particular within <code>src/com/android/phone/vvm/</code></p>
+
+<h3 id=setup>Setup</h3>
+
+<ol>
+ <li>The VVM client listens for <code>TelephonyIntents#ACTION_SIM_STATE_CHANGED</code> or <code>CarrierConfigManager#ACTION_CARRIER_CONFIG_CHANGED</code>.
+ <li>When a SIM is added that has the right Carrier Config values (<code>KEY_VVM_TYPE_STRING</code> set to <code>TelephonyManager.VVM_TYPE_OMTP</code> or <code>TelephonyManager.VVM_TYPE_CVVM</code>), the VVM client sends an ACTIVATE SMS to the value specified in <code>KEY_VVM_DESTINATION_NUMBER_STRING</code>.
+ <li>The server activates the visual voicemail service and sends the OMTP
+credentials via STATUS sms. When the VVM client receives the STATUS sms, it
+registers the voicemail source and displays the voicemail tab on the device.
+ <li>The OMTP credentials are saved locally and the device begins a full sync, as
+described below.
+</ol>
+
+<h3 id=syncing>Syncing</h3>
+
+<p>There are a variety of ways that the VVM client can sync with the carrier
+server and vice versa.</p>
+
+<ul>
+ <li><strong>Full syncs</strong> occur upon initial download. The VVM client only fetches voicemail metadata
+like date and time, origin number, duration, etc. Full syncs can be triggered
+by a:
+ <ul>
+ <li>new SIM
+ <li>device reboot
+ <li>device coming back in service
+ </ul>
+ <li><strong>Upload sync</strong> happens when a user interacts with a voicemail to read or delete it. Upload
+syncs result in the server changing its data to match the data on the device.
+For example, if the user reads a voicemail, it's marked as read on the server;
+if a user deletes a voicemail, it's deleted on the server.
+ <li><strong>Download sync</strong> occurs when the VVM client receives a "MBU" (mailbox update) SYNC sms from the
+carrier. A SYNC message contains the metadata for a new message so that it can
+be stored in the voicemail content provider.
+</ul>
+
+<h3 id=voicemail_download>Voicemail Download</h3>
+
+<p>When a user presses play to listen to a voicemail, the corresponding audio file
+is downloaded. If the user chooses to listen to the Voicemail, the Dialer can
+broadcast <code>VoicemailContract.ACTION_FETCH_VOICEMAIL</code>, which the voicemail client will receive, initiate the download of the
+content, and update the record in the platform Voicemail content provider.</p>
+
+<h3 id=disabling_vvm>Disabling VVM</h3>
+
+<p>The VVM service can be disabled or deactivated by user interaction, removal of
+a valid SIM, or replacement by a carrier VVM app. <em>Disabled</em> means that the local device no longer displays visual voicemail. <em>Deactivated</em> means that the service is turned off for the subscriber. User interaction can
+deactivate the service, SIM removal temporarily disables the service because
+it's no longer present, and carrier VVM replacement disables the Google
+component of visual voicemail.</p>
+
+<h4 id=user_interaction>User interaction</h4>
+
+<p>The user may manually enable or disable visual voicemail. If a user disables
+visual voicemail, they are also deactivating their service. When they disable
+visual voicemail, a DEACTIVATE sms is sent, the voicemail source is
+unregistered locally, and voicemail tab disappears. If they re-enable visual
+voicemail, their service is reactivated as well.</p>
+
+<h4 id=sim_removal>SIM removal</h4>
+
+<p>If there are changes to the device’s SIM state (<code>ACTION_SIM_STATE_CHANGED</code>) or Carrier Config values (<code>ACTION_CARRIER_CONFIG_CHANGED</code>), and a valid configuration for the given SIM no longer exists, then the
+voicemail source is unregistered locally and the voicemail tab disappears. If
+the SIM is replaced, VVM will be re-enabled.</p>
+
+<h4 id=replaced_by_carrier_vvm>Replaced by carrier VVM</h4>
+
+<p>If the device or the user installs a corresponding carrier visual voicemail app
+and the carrier has opted to disable Google visual voicemail if the carrier
+equivalent is installed, then the Google visual voicemail client will be
+automatically disabled. This is achieved by checking if a package with a name
+matching the <code>KEY_CARRIER_VVM_PACKAGE_NAME_STRING</code> parameter is installed.</p>
+
+<p>The VVM client can still be enabled through user interaction.</p>
+
+<h2 id=testing>Testing</h2>
+
+<p>There is an existing (since Android 4.0) set of CTS tests for the
+VoicemailProvider APIs that allow an app to insert/query/delete voicemails into
+the platform. These are the same APIs that VVM uses to add/delete voicemails so
+that any Dialer app can display them in the UI.</p>
+
+<p>To test your configuration application is passing the OMTP configuration
+correctly you can test your code with:</p>
+
+<ul>
+ <li>A SIM containing a valid certificate signature
+ <li>A device running Android 6.0 with an unmodified version of the AOSP phone framework
+</ul>
diff --git a/src/devices/tech/dalvik/gc-debug.jd b/src/devices/tech/dalvik/gc-debug.jd
new file mode 100644
index 0000000..676d38b
--- /dev/null
+++ b/src/devices/tech/dalvik/gc-debug.jd
@@ -0,0 +1,449 @@
+page.title=Debugging ART Garbage Collection
+@jd:body
+
+<!--
+ Copyright 2015 The Android Open Source Project
+
+ Licensed under the Apache License, Version 2.0 (the "License");
+ you may not use this file except in compliance with the License.
+ You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+ Unless required by applicable law or agreed to in writing, software
+ distributed under the License is distributed on an "AS IS" BASIS,
+ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ See the License for the specific language governing permissions and
+ limitations under the License.
+-->
+
+
+<div id="qv-wrapper">
+<div id="qv">
+ <h2 id="Contents">In this document</h2>
+ <ol id="auto-toc">
+ </ol>
+</div>
+</div>
+
+<p>This document describes how to debug Android Runtime (ART) Garbage Collection
+(GC) correctness and performance issues. It explains how to use GC verification
+options, identify solutions for GC verification failures, and measure and
+address GC performance problems.</p>
+
+<p>See <a href="index.html">ART and Dalvik</a>, the <a
+href="dex-format.html">Dalvik Executable format</a>, and the remaining pages
+within this <a href="index.html">ART and Dalvik</a> section to work with
+ART. See <a
+href="http://developer.android.com/guide/practices/verifying-apps-art.html">Verifying
+App Behavior on the Android Runtime (ART)</a> for additional help verifying app
+behavior.</p>
+
+<h2 id=art_gc_overview>ART GC overview</h2>
+
+<p>ART, introduced as a developer option in Android 4.4, is the default Android
+runtime for Android 5.0 and beyond. The Dalvik runtime is no longer maintained
+or available and its byte-code format is now used by ART. Please note this
+section merely summarizes ART’s GC. For additional information, see the <a
+href="https://www.google.com/events/io/io14videos/b750c8da-aebe-e311-b297-00155d5066d7">Android
+runtime</a> presentation conducted at Google I/O 2014. </p>
+
+<p>ART has a few different GC plans that consist of running different garbage
+collectors. The default plan is the CMS (concurrent mark sweep) plan, which
+uses mostly sticky CMS and partial CMS. Sticky CMS is ART’s non-moving
+generational garbage collector. It scans only the portion of the heap that was
+modified since the last GC and can reclaim only the objects allocated since the
+last GC. In addition to the CMS plan, ART performs heap compaction when an app
+changes process state to a jank-imperceptible process state (e.g. background or
+cached).</p>
+
+<p>Aside from the new garbage collectors, ART also introduces a new bitmap-based
+memory allocator called RosAlloc (runs of slots allocator). This new allocator
+has sharded locking and outperforms DlMalloc by adding thread local buffers for
+small allocation sizes.</p>
+
+<p>Compared to Dalvik, the ART CMS garbage collection plan has a number of
+improvements:</p>
+
+<ul>
+ <li>The number of pauses is reduced from two to one compared to Dalvik.
+Dalvik’s first pause, which did mostly root marking, is done concurrently in
+ART by getting the threads to mark their own roots, then resume running right away.
+ <li>Similarly to Dalvik, the ART GC also has a pause before the sweeping process.
+The key difference in this area is that some of the Dalvik phases during this
+pause are done concurrently in ART. These phases include
+<code>java.lang.ref.Reference</code> processing, system weak sweeping (e.g. jni
+weak globals, etc.), re-marking non-thread roots, and card pre-cleaning. The
+phases that are still done paused in ART are scanning the dirty cards and
+re-marking the thread roots, which helps reduce the pause time.
+ <li>The last area where the ART GC improves over Dalvik is with increased GC
+throughput enabled by the sticky CMS collector. Unlike normal generational GC,
+sticky CMS is non-moving. Instead of having a dedicated region for young
+objects, young objects are kept in an allocation stack, which is basically an
+array of <code>java.lang.Object</code>. This avoids moving objects required to
+maintain low pauses but has the disadvantage of having longer collections for
+heaps with complex object graphs.
+</ul>
+
+<p>The other main other area where the ART GC is different than Dalvik is the
+introduction of moving garbage collectors. The goal of moving GCs is to
+reduce memory usage of backgrounded apps through heap compaction. Currently,
+the event that triggers heap compaction is ActivityManager process-state
+changes. When an app goes to background, it notifies ART the process state is
+no longer jank “perceptible.” This enables ART do things that cause long
+application thread pauses, such as compaction and monitor deflation. The two
+current moving GCs that are in use are homogeneous space compaction and
+semi-space compaction.</p>
+
+<ul>
+ <li>Semi-space compaction moves objects between two tightly packed bump pointer
+spaces. This moving GC occurs on low-memory devices since it saves slightly
+more memory than homogeneous space compaction. The additional savings come
+mostly from having tightly packed objects, which avoid RosAlloc / DlMalloc
+allocator accounting overhead. Since CMS is still used in the foreground and it
+can’t collect from a bump pointer space, semi space requires another transition
+when the app is foregrounded. This is not ideal since it can cause a noticeable pause.
+ <li>Homogenous space compaction works by copying from one RosAlloc space to another
+RosAlloc space. This helps reduce memory usage by reducing heap fragmentation.
+This is currently the default compaction mode for non-low-memory devices. The
+main advantage that homogeneous space compaction has over semi-space compaction
+is not needing a heap transition when the app goes back to foreground.
+</ul>
+
+<h2 id=gc_verification_and_performance_options>GC verification and performance options</h2>
+
+<p>It is possible to change the GC type if you are an OEM. The process for doing
+this involves modifying system properties through adb. Keep in mind that these
+are only modifiable on non-user or rooted builds.</p>
+
+<h3 id=changing_the_gc_type>Changing the GC type</h3>
+
+<p>There are ways to change the GC plans that ART uses. The main way to change the
+foreground GC plan is by changing the <code>dalvik.vm.gctype</code> property or
+passing in an <code>-Xgc:</code> option. It is possible to pass in multiple GC
+options separated by commas.</p>
+
+<p>In order to derive the entire list of available <code>-Xgc</code> settings,
+it is possible to type <code>adb shell dalvikvm -help</code> to print the
+various runtime command-line options.</p>
+
+<p>Here is one example that changes the GC to semi space and turns on pre-GC heap
+verification:
+<code>adb shell setprop dalvik.vm.gctype SS,preverify</code></p>
+
+<ul>
+ <li><code>CMS</code>, which is also the default value, specifies the
+concurrent mark sweep GC plan. This plan consists of running sticky
+generational CMS, partial CMS, and full CMS. The allocator for this plan is
+RosAlloc for movable objects and DlMalloc for non-movable objects.
+ <li><code>SS</code> specifies the semi space GC plan. This plan has two semi
+spaces for movable objects and a DlMalloc space for non-movable objects. The
+movable object allocator defaults to a shared bump pointer allocator which uses
+atomic operations. However, if the <code>-XX:UseTLAB</code> flag is also passed
+in, the allocator uses thread local bump pointer allocation.
+ <li><code>GSS</code> specifies the generational semi space plan. This plan is
+very similar to the semi-space plan with the exception that older-lived objects
+are promoted into a large RosAlloc space. This has the advantage of needing to
+copy significantly fewer objects for typical use cases.
+</ul>
+
+<h3 id=verifying_the_heap>Verifying the heap</h3>
+
+<p>Heap verification is probably the most useful GC option for debugging
+GC-related errors or heap corruption. Enabling heap verification causes the GC
+to check the correctness of the heap at a few points during the garbage
+collection process. Heap verification shares the same options as the ones that
+change the GC type. If enabled, heap verification verifies the roots and
+ensures that reachable objects reference only other reachable objects. GC
+verification is enabled by passing in the following -<code>Xgc</code> values:</p>
+
+<ul>
+ <li>If enabled, <code>[no]preverify</code> performs heap verification before starting the GC.
+ <li>If enabled, <code>[no]presweepingverify</code> performs heap verification
+before starting the garbage collector sweeping
+process.
+ <li>If enabled, <code>[no]postverify</code> performs heap verification after
+the GC has finished sweeping.
+ <li><code>[no]preverify_rosalloc</code>,
+<code>[no]postsweepingverify_rosalloc</code>,
+<code>[no]postverify_rosalloc</code> are also additional GC options that verify
+only the state of RosAlloc’s internal accounting. The main things verified are
+that magic values match expected constants, and free blocks of memory are all
+registered in the <code>free_page_runs_</code> map.
+</ul>
+
+<h3 id=using_the_tlab_allocator_option>Using the TLAB allocator option</h3>
+
+<p>Currently, the only option that changes the allocator used without affecting
+the active GC type is the TLAB option. This option is not available through
+system properties but can be enabled by passing in -<code>XX:UseTLAB</code> to
+<code>dalvikvm</code>. This option enables faster allocation by having a
+shorter allocation code path. Since this option requires using either the SS or
+GSS GC types, which have rather long pauses, it is not enabled by default.</p>
+
+<h2 id=performance>Performance</h2>
+
+<p>There are two main tools that can be used to measure GC performance. GC timing
+dumps and systrace. The most visual way to measure GC performance problems
+would be to use systrace to determine which GCs are causing long pauses or
+preempting application threads. Although the ART GC is relatively efficient,
+there are still a few ways to get performance problems through excessive
+allocations or bad mutator behavior.</p>
+
+<h3 id=ergonomics>Ergonomics</h3>
+
+<p>Compared to Dalvik, ART has a few key differences regarding GC ergonomics. One
+of the major improvements compared to Dalvik is no longer having GC for alloc
+in cases where we start the concurrent GC later than needed. However, there is
+one downside to this, not blocking on the GC can cause the heap to grow more
+than Dalvik in some circumstances. Fortunately, ART has heap compaction, which
+mitigates this issue by defragmenting the heap when the process changes to a
+background process state.</p>
+
+<p>The CMS GC ergonomics have two types of GCs that are regularly run. Ideally,
+the GC ergonomics will run the generational sticky CMS more often than the
+partial CMS. The GC does sticky CMS until the throughput (calculated by bytes
+freed / second of GC duration) of the last GC is less than the mean throughput
+of partial CMS. When this occurs, the ergonomics plan the next concurrent GC to
+be a partial CMS instead of sticky CMS. After the partial CMS completes, the
+ergonomics changes the next GC back to sticky CMS. One key factor that makes
+the ergonomics work is that sticky CMS doesn’t adjust the heap footprint limit
+after it completes. This causes sticky CMS to happen more and more often until
+the throughput is lower than partial CMS, which ends up growing the heap.</p>
+
+<h3 id=using_sigquit_to_obtain_gc_performance_info>Using SIGQUIT to obtain GC performance info</h3>
+
+<p>It is possible to get GC performance timings for apps by sending SIGQUIT to
+already running apps or passing in -<code>XX:DumpGCPerformanceOnShutdown</code>
+to <code>dalvikvm</code> when starting a command line program. When an app gets
+the ANR request signal (SIGQUIT) it dumps information related to its locks,
+thread stacks, and GC performance.</p>
+
+<p>The way to get GC timing dumps is to use:<br>
+<code>$ adb shell kill -S QUIT <pid></code></p>
+
+<p>This creates a <code>traces.txt</code> file in <code>/data/anr/</code>. This
+file contains some ANR dumps as well as GC timings. You can locate the
+GC timings by searching for: “Dumping cumulative Gc timings” These timings will
+show a few things that may be of interest. It will show the histogram info for
+each GC type’s phases and pauses. The pauses are usually more important to look
+at. For example:</p>
+
+<pre>
+sticky concurrent mark sweep paused: Sum: 5.491ms 99% C.I. 1.464ms-2.133ms Avg: 1.830ms Max: 2.133ms
+</pre>
+
+<p><code>This</code> shows that the average pause was 1.83ms. This should be low enough to not
+cause missed frames in most applications and shouldn’t be a concern.</p>
+
+<p>Another area of interest is time to suspend. What time to suspend measures is
+how long it takes a thread to reach a suspend point after the GC requests that
+it suspends. This time is included in the GC pauses, so it is useful to
+determine if long pauses are caused by the GC being slow or the thread
+suspending slowly. Here is an example of what a normal time to suspend
+resembles on a Nexus 5:</p>
+
+<pre>
+suspend all histogram: Sum: 1.513ms 99% C.I. 3us-546.560us Avg: 47.281us Max: 601us
+</pre>
+
+<p>There are also a few other areas of interest, such as total time spent, GC
+throughput, etc. Examples:</p>
+
+<pre>
+Total time spent in GC: 502.251ms
+Mean GC size throughput: 92MB/s
+Mean GC object throughput: 1.54702e+06 objects/s
+</pre>
+
+<p>Here is an example of how to dump the GC timings of an already running app:
+
+<pre>
+$ adb shell kill -s QUIT <pid>
+$ adb pull /data/anr/traces.txt
+</pre>
+
+<p>At this point the GC timings are inside of traces.txt. Here is example output
+from Google maps:</p>
+
+<pre>
+Start Dumping histograms for 34 iterations for sticky concurrent mark sweep
+ScanGrayAllocSpaceObjects: Sum: 196.174ms 99% C.I. 0.011ms-11.615ms Avg: 1.442ms Max: 14.091ms
+FreeList: Sum: 140.457ms 99% C.I. 6us-1676.749us Avg: 128.505us Max: 9886us
+MarkRootsCheckpoint: Sum: 110.687ms 99% C.I. 0.056ms-9.515ms Avg: 1.627ms Max: 10.280ms
+SweepArray: Sum: 78.727ms 99% C.I. 0.121ms-11.780ms Avg: 2.315ms Max: 12.744ms
+ProcessMarkStack: Sum: 77.825ms 99% C.I. 1.323us-9120us Avg: 576.481us Max: 10185us
+(Paused)ScanGrayObjects: Sum: 32.538ms 99% C.I. 286us-3235.500us Avg: 986us Max: 3434us
+AllocSpaceClearCards: Sum: 30.592ms 99% C.I. 10us-2249.999us Avg: 224.941us Max: 4765us
+MarkConcurrentRoots: Sum: 30.245ms 99% C.I. 3us-3017.999us Avg: 444.779us Max: 3774us
+ReMarkRoots: Sum: 13.144ms 99% C.I. 66us-712us Avg: 386.588us Max: 712us
+ScanGrayImageSpaceObjects: Sum: 13.075ms 99% C.I. 29us-2538.999us Avg: 192.279us Max: 3080us
+MarkingPhase: Sum: 9.743ms 99% C.I. 170us-518us Avg: 286.558us Max: 518us
+SweepSystemWeaks: Sum: 8.046ms 99% C.I. 28us-479us Avg: 236.647us Max: 479us
+MarkNonThreadRoots: Sum: 5.215ms 99% C.I. 31us-698.999us Avg: 76.691us Max: 703us
+ImageModUnionClearCards: Sum: 2.708ms 99% C.I. 26us-92us Avg: 39.823us Max: 92us
+ScanGrayZygoteSpaceObjects: Sum: 2.488ms 99% C.I. 19us-250.499us Avg: 37.696us Max: 295us
+ResetStack: Sum: 2.226ms 99% C.I. 24us-449us Avg: 65.470us Max: 452us
+ZygoteModUnionClearCards: Sum: 2.124ms 99% C.I. 18us-233.999us Avg: 32.181us Max: 291us
+FinishPhase: Sum: 1.881ms 99% C.I. 31us-431.999us Avg: 55.323us Max: 466us
+RevokeAllThreadLocalAllocationStacks: Sum: 1.749ms 99% C.I. 8us-349us Avg: 51.441us Max: 377us
+EnqueueFinalizerReferences: Sum: 1.513ms 99% C.I. 3us-201us Avg: 44.500us Max: 201us
+ProcessReferences: Sum: 438us 99% C.I. 3us-212us Avg: 12.882us Max: 212us
+ProcessCards: Sum: 381us 99% C.I. 4us-17us Avg: 5.602us Max: 17us
+PreCleanCards: Sum: 363us 99% C.I. 8us-17us Avg: 10.676us Max: 17us
+ReclaimPhase: Sum: 357us 99% C.I. 7us-91.500us Avg: 10.500us Max: 93us
+(Paused)PausePhase: Sum: 312us 99% C.I. 7us-15us Avg: 9.176us Max: 15us
+SwapBitmaps: Sum: 166us 99% C.I. 4us-8us Avg: 4.882us Max: 8us
+(Paused)ScanGrayAllocSpaceObjects: Sum: 126us 99% C.I. 14us-112us Avg: 63us Max: 112us
+MarkRoots: Sum: 121us 99% C.I. 2us-7us Avg: 3.558us Max: 7us
+(Paused)ScanGrayImageSpaceObjects: Sum: 68us 99% C.I. 68us-68us Avg: 68us Max: 68us
+BindBitmaps: Sum: 50us 99% C.I. 1us-3us Avg: 1.470us Max: 3us
+UnBindBitmaps: Sum: 49us 99% C.I. 1us-3us Avg: 1.441us Max: 3us
+SwapStacks: Sum: 47us 99% C.I. 1us-3us Avg: 1.382us Max: 3us
+RecordFree: Sum: 42us 99% C.I. 1us-3us Avg: 1.235us Max: 3us
+ForwardSoftReferences: Sum: 37us 99% C.I. 1us-2us Avg: 1.121us Max: 2us
+InitializePhase: Sum: 36us 99% C.I. 1us-2us Avg: 1.058us Max: 2us
+FindDefaultSpaceBitmap: Sum: 32us 99% C.I. 250ns-1000ns Avg: 941ns Max: 1000ns
+(Paused)ProcessMarkStack: Sum: 5us 99% C.I. 250ns-3000ns Avg: 147ns Max: 3000ns
+PreSweepingGcVerification: Sum: 0 99% C.I. 0ns-0ns Avg: 0ns Max: 0ns
+Done Dumping histograms
+sticky concurrent mark sweep paused: Sum: 63.268ms 99% C.I. 0.308ms-8.405ms
+Avg: 1.860ms Max: 8.883ms
+sticky concurrent mark sweep total time: 763.787ms mean time: 22.464ms
+sticky concurrent mark sweep freed: 1072342 objects with total size 75MB
+sticky concurrent mark sweep throughput: 1.40543e+06/s / 98MB/s
+Total time spent in GC: 4.805s
+Mean GC size throughput: 18MB/s
+Mean GC object throughput: 330899 objects/s
+Total number of allocations 2015049
+Total bytes allocated 177MB
+Free memory 4MB
+Free memory until GC 4MB
+Free memory until OOME 425MB
+Total memory 90MB
+Max memory 512MB
+Zygote space size 4MB
+Total mutator paused time: 229.566ms
+Total time waiting for GC to complete: 187.655us
+</pre>
+
+<h2 id=tools_for_analyzing_gc_correctness_problems>Tools for analyzing GC correctness problems</h2>
+
+<p>There are various things that can cause crashes inside of ART. Crashes that
+occur reading or writing to object fields may indicate heap corruption. If the
+GC crashes when it is running, it could also point to heap corruption. There
+are various things that can cause heap corruption, the most common cause is
+probably incorrect app code. Fortunately, there are tools to debug GC and
+heap-related crashes. These include the heap verification options specified
+above, valgrind, and CheckJNI.</p>
+
+<h3 id=checkjni>CheckJNI</h3>
+
+<p>Another way to verify app behavior is to use CheckJNI. CheckJNI is a mode that
+adds additional JNI checks; these aren’t enabled by default due to performance
+reasons. The checks will catch a few errors that could cause heap corruption
+such as using invalid/stale local and global references. Here is how to enable
+CheckJNI:</p>
+
+<pre>
+$ adb shell setprop dalvik.vm.checkjni true
+</pre>
+
+<p>Forcecopy mode is another part of CheckJNI that is very useful for detecting
+writes past the end of array regions. When enabled, forcecopy causes the array
+access JNI functions to always return copies with red zones. A <em>red
+zone</em> is a region at the end/start of the returned pointer that has a
+special value, which is verified when the array is released. If the values in
+the red zone don’t match what is expected, this usually means a buffer overrun
+or underrun occurred. This would cause CheckJNI to abort. Here is how to enable
+forcecopy mode:</p>
+
+<pre>
+$ adb shell setprop dalvik.vm.jniopts forcecopy
+</pre>
+
+<p>One example of an error that CheckJNI should catch is writing past the end of
+an array obtained from <code>GetPrimitiveArrayCritical</code>. This operation
+would very likely corrupt the Java heap. If the write is
+within the CheckJNI red zone area, then CheckJNI would catch the issue when the
+corresponding <code>ReleasePrimitiveArrayCritical</code> is called. Otherwise,
+the write will end up corrupting some random object in
+the Java heap and possibly causing a future GC crash. If the corrupted memory
+is a reference field, then the GC may catch the error and print a “<em>Tried to
+mark <ptr> not contained by any spaces</em>” error.</p>
+
+<p>This error occurs when the GC attempts to mark an object for which it can’t
+find a space. After this check fails, the GC traverses the roots and tries to
+see if the invalid object is a root. From here, there are two options: The
+object is a root or a non-root object.</p>
+
+<h3 id=valgrind>Valgrind</h3>
+
+<p>The ART heap supports optional valgrind instrumentation, which provides a
+way to detect reads and writes to and from an invalid heap address. ART detects
+when the app is running under valgrind and inserts red zones before and after
+each object allocation. If there are any reads or writes to these red zones,
+valgrind prints an error. One example of when this could happen is if you read
+or write past the end of an array’s elements while using direct array access
+through JNI. Since the AOT compilers use implicit null checks, it is
+recommended to use eng builds for running valgrind. Another thing to note is
+that valgrind is orders of magnitude slower than normal execution.</p>
+
+<p>Here is an example use:</p>
+
+<pre>
+# build and install
+$ mmm external/valgrind
+$ adb remount && adb sync
+# disable selinux
+$ adb shell setenforce 0
+$ adb shell setprop wrap.com.android.calculator2
+"TMPDIR=/data/data/com.android.calculator2 logwrapper valgrind"
+# push symbols
+$ adb shell mkdir /data/local/symbols
+$ adb push $OUT/symbols /data/local/symbols
+$ adb logcat
+</pre>
+
+
+<h3 id=invalid_root_example>Invalid root example</h3>
+
+<p>In the case where the object is actually an invalid root, it will print some
+useful information:
+<code>art E 5955 5955 art/runtime/gc/collector/mark_sweep.cc:383] Tried to mark 0x2
+not contained by any spaces</code></p>
+
+<pre>
+art E 5955 5955 art/runtime/gc/collector/mark_sweep.cc:384] Attempting see if
+it's a bad root
+art E 5955 5955 art/runtime/gc/collector/mark_sweep.cc:485] Found invalid
+root: 0x2
+art E 5955 5955 art/runtime/gc/collector/mark_sweep.cc:486]
+Type=RootJavaFrame thread_id=1 location=Visiting method 'java.lang.Object
+com.google.gwt.corp.collections.JavaReadableJsArray.get(int)' at dex PC 0x0002
+(native PC 0xf19609d9) vreg=1
+</pre>
+
+<p>In this case, <code>vreg 1</code> inside of
+<code>com.google.gwt.corp.collections.JavaReadableJsArray.get</code> is
+supposed to contain a heap reference but actually contains an invalid pointer
+of address <code>0x2</code>. This is clearly an invalid root. The next step to
+debug this issue would be to use <code>oatdump</code> on the oat file and look
+at the method that has the invalid root. In this case, the error turned out to
+be a compiler bug in the x86 backend. Here is the changelist that fixed it: <a
+href="https://android-review.googlesource.com/#/c/133932/">https://android-review.googlesource.com/#/c/133932/</a></p>
+
+<h3 id=corrupted_object_example>Corrupted object example</h3>
+
+<p>In the case where the object isn’t a root, output similar to the following
+prints:</p>
+
+<pre>
+01-15 12:38:00.196 1217 1238 E art : Attempting see if it's a bad root
+01-15 12:38:00.196 1217 1238 F art :
+art/runtime/gc/collector/mark_sweep.cc:381] Can't mark invalid object
+</pre>
+
+<p>When heap corruption isn’t an invalid root, it is unfortunately hard to debug.
+This error message indicates that there was at least one object in the heap
+that was pointing to the invalid object.</p>
diff --git a/src/devices/tech/power/batterystats.jd b/src/devices/tech/power/batterystats.jd
index 11b0b48..d42bc33 100644
--- a/src/devices/tech/power/batterystats.jd
+++ b/src/devices/tech/power/batterystats.jd
@@ -42,41 +42,67 @@
<li>App UID aggregated statistics</li>
</ul>
- <p class="note">You can use the <a href=
- "https://github.com/google/battery-historian">Battery Historian</a> tool on
- the output of the dumpsys command to generate an HTML visualization of
- power-related events from the logs. This information makes it easier for
- you to understand and diagnose any battery-related issues.</p>
+ <p>Use the <a href="https://github.com/google/battery-historian">Battery
+ Historian</a> tool on the output of the dumpsys command to generate an HTML
+ visualization of power-related events from the logs. This information makes it
+ easier to understand and diagnose battery-related issues.</p>
- <h2 id="command-line_options">Command line options</h2>
-
- <p>Use the <code>--help</code> option to learn about the various options
- for tailoring the output.</p>
-
- <p>Use the <code>--checkin</code> option to get the results in
- machine-readable csv format.</p>
-
- <p>To print battery usage statistics for a given app package since the
- device was last charged, run this command:</p>
+ <h2 id="command-line_options">Command input</h2>
+ <p>The basic <code>batterystats</code> command is:</p>
<pre class="prettyprint">
-$ adb shell dumpsys batterystats --charged <package-name>
- </pre>
-
- <h2 id="sample_input">Input</h2>
-
- <p>To print battery usage statistics for all apps since the device was last
- charged, in machine-readable format, run this command:</p>
+$ adb shell dumpsys batterystats</pre>
+ <p>Supported options:</p>
+ <ul>
+ <li><code>--help</code> displays additional options for tailoring the output.
+ </li>
+ <li><code>--checkin</code> exports results in machine-readable csv format.
+ </li>
+ </ul>
+ <p>For example, to print battery usage statistics in csv format for all apps
+ since the device was last charged, run the command:</p>
<pre class="prettyprint">
-$ adb shell dumpsys batterystats --charged --checkin
- </pre>
+$ adb shell dumpsys batterystats --charged --checkin</pre>
+ <p>You can also specify a package name to get statistics for a single app. For
+ example, to print battery usage statistics for a given app package
+ since the device was last charged, run the command:</p>
+ <pre class="prettyprint">
+$ adb shell dumpsys batterystats --charged <package-name></pre>
- <h2 id="output">Output</h2>
+ <h2 id="output">Command output</h2>
- <p>The output looks like this:</p>
+ <p>The <code>batterystats</code> command generates aggregated observations
+ about battery use on the device since it was last charged. Observations may be
+ per-UID or system-level; data is selected for inclusion based on its
+ usefulness in analyzing battery performance. Output includes one (1) entry
+ per observation, and each entry consists of a comma-separated list of values
+ in the format:
+ <em>int</em>,<em>uid</em>,<em>mode</em>,<em>section</em>,<em>fields</em>
+ (one or more).</p>
- <p>$ adb shell dumpsys batterystats --charged --checkin</p>
+ <p>The first four values correspond to the following:</p>
- <pre class="no-pretty=print">
+ <ul>
+ <li>Dummy integer</li>
+
+ <li>UID</li>
+
+ <li>Aggregation mode
+
+ <ul>
+ <li>"i" for information not tied to charged/uncharged status.</li>
+ <li>"l" for --charged (usage since last charge).</li>
+ <li>"u" for --unplugged (usage since last unplugged). Deprecated in
+ Android 5.1.1.</li>
+ </ul>
+ </li>
+
+ <li><a href="#interpreting_the_output">Section identifier</a>, which
+ determines how to interpret subsequent values in the line.</li>
+ </ul>
+
+<p>Sample output:</p>
+
+ <pre class="no-pretty-print">
9,0,i,vers,11,116,K,L 9,0,i,uid,1000,android
9,0,i,uid,1000,com.android.providers.settings
9,0,i,uid,1000,com.android.inputdevices
@@ -177,6 +203,8 @@
9,0,l,pwi,idle,8.73 9,0,l,pwi,uid,5.46 9,1000,l,pwi,uid,5.11
9,0,l,pwi,wifi,3.28 9,10019,l,pwi,uid,0.847 9,10069,l,pwi,uid,0.408
9,0,l,pwi,scrn,0.385 9,10034,l,pwi,uid,0.322 9,10025,l,pwi,uid,0.185
+ 9,0,l,pwi,blue,0.0273
+ 9,0,l,pwi,cell,14.0
9,10002,l,pwi,uid,0.180 9,10023,l,pwi,uid,0.168 9,1001,l,pwi,uid,0.0297
9,10068,l,pwi,uid,0.0296 9,10057,l,pwi,uid,0.0234 9,1027,l,pwi,uid,0.0157
9,10079,l,pwi,uid,0.00905 9,10054,l,pwi,uid,0.00527
@@ -227,811 +255,320 @@
9,10068,l,nt,0,0,11929,8383,0,0,50,47,0,0
9,10069,l,nt,0,0,41553,22886,0,0,85,91,0,0</pre>
- <h2 id="interpreting_the_output">Interpreting the output</h2>
+ <h2 id="interpreting_the_output">Section identifiers</h2>
- <p>The sample output is in CSV format. Each line in the output contains
- statistics related to battery usage.</p>
+ <p>Command output for <code>batterystats</code> supports the following
+ sections:</p>
- <p>The first four values in each line correspond to the following:</p>
+ <table id="batterystats-section-ids">
- <ul>
- <li>Dummy integer</li>
-
- <li>UID</li>
-
- <li>Aggregation mode
-
- <ul>
- <li>"l" for --charged, means usage since last charge.</li>
- <li>"u" for --unplugged, which means usage since last unplugged.</li>
- <li>"i" for information that is not
- tied to charged/uncharged status.</li>
- </ul>
- </li>
-
- <li>Section identifier, which determines how to interpret the fifth
- value and the following ones in the line.</li>
- </ul>
-
- <p>Currently, there are 41 sections and the interpretation for each section
- is shown in the following table:</p>
-
- <table>
<tr>
- <td>
- <p><strong>Order</strong></p>
- </td>
-
- <td class="tab0">
- <p><strong>Section Identifier</strong></p>
- </td>
-
- <td class="tab0">
- <p><strong>Description</strong></p>
- </td>
-
- <td class="tab0">
- <p><strong>Remaining Fields</strong></p>
- </td>
+ <th width="10%">Section Identifier</th>
+ <th width="20%">Description</th>
+ <th width="70%">Remaining Fields</th>
</tr>
<tr>
- <td>
- <p>1</p>
- </td>
-
- <td class="tab0">
- <p>vers</p>
- </td>
-
- <td class="tab0">
- <p>Version</p>
- </td>
-
- <td class="tab0">
- <p>checkin version, parcel version, start platform version, end
- platform version</p>
- </td>
+ <td><p>vers</p></td>
+ <td><p>Version</p></td>
+ <td><p>checkin version, parcel version, start platform version, end
+ platform version</p></td>
</tr>
<tr>
- <td>
- <p>2</p>
- </td>
-
- <td class="tab0">
- <p>uid</p>
- </td>
-
- <td class="tab0">
- <p>UID</p>
- </td>
-
- <td class="tab0">
- <p>uid, package name</p>
- </td>
+ <td><p>uid</p></td>
+ <td><p>UID</p></td>
+ <td><p>uid, package name</p></td>
</tr>
<tr>
- <td>
- <p>3</p>
- </td>
-
- <td class="tab0">
- <p>apk</p>
- </td>
-
- <td class="tab0">
- <p>APK</p>
- </td>
-
- <td class="tab0">
- <p>wakeups, APK, service, start time, starts, launches</p>
- </td>
+ <td><p>apk</p></td>
+ <td><p>APK</p></td>
+ <td><p>wakeups, APK, service, start time, starts, launches</p></td>
</tr>
<tr>
- <td>
- <p>4</p>
- </td>
-
- <td class="tab0">
- <p>pr</p>
- </td>
-
- <td class="tab0">
- <p>Process</p>
- </td>
-
- <td class="tab0">
- <p>process, user, system, foreground, starts</p>
- </td>
+ <td><p>pr</p></td>
+ <td><p>Process</p></td>
+ <td><p>process, user, system, foreground, starts</p></td>
</tr>
<tr>
- <td>
- <p>5</p>
- </td>
-
- <td class="tab0">
- <p>sr</p>
- </td>
-
- <td class="tab0">
- <p>Sensor</p>
- </td>
-
- <td class="tab0">
- <p>sensor number, time, count</p>
- </td>
+ <td><p>sr</p></td>
+ <td><p>Sensor</p></td>
+ <td><p>sensor number, time, count</p></td>
</tr>
<tr>
- <td>
- <p>6</p>
- </td>
-
- <td class="tab0">
- <p>vib</p>
- </td>
-
- <td class="tab0">
- <p>Vibrator</p>
- </td>
-
- <td class="tab0">
- <p>time, count</p>
- </td>
+ <td><p>vib</p></td>
+ <td><p>Vibrator</p></td>
+ <td><p>time, count</p></td>
</tr>
<tr>
- <td>
- <p>7</p>
- </td>
-
- <td class="tab0">
- <p>fg</p>
- </td>
-
- <td class="tab0">
- <p>Foreground</p>
- </td>
-
- <td class="tab0">
- <p>time, count</p>
- </td>
+ <td><p>fg</p></td>
+ <td><p>Foreground</p></td>
+ <td><p>time, count</p></td>
</tr>
<tr>
- <td>
- <p>8</p>
- </td>
-
- <td class="tab0">
- <p>st</p>
- </td>
-
- <td class="tab0">
- <p>State Time</p>
- </td>
-
- <td class="tab0">
- <p>foreground, active, running</p>
- </td>
+ <td><p>st</p></td>
+ <td><p>State Time</p></td>
+ <td><p>foreground, active, running</p></td>
</tr>
<tr>
- <td>
- <p>9</p>
- </td>
-
- <td class="tab0">
- <p>wl</p>
- </td>
-
- <td class="tab0">
- <p>Wake lock</p>
- </td>
-
- <td class="tab0">
- <p>wake lock, full time, 'f', full count, partial time, 'p', partial
- count, window time, 'w', window count</p>
- </td>
+ <td><p>wl</p></td>
+ <td><p>Wake lock</p></td>
+ <td><p>wake lock, full time, 'f', full count, partial time, 'p', partial
+ count, window time, 'w', window count</p></td>
</tr>
<tr>
- <td>
- <p>10</p>
- </td>
-
- <td class="tab0">
- <p>sy</p>
- </td>
-
- <td class="tab0">
- <p>Sync</p>
- </td>
-
- <td class="tab0">
- <p>sync, time, count</p>
- </td>
+ <td><p>sy</p></td>
+ <td><p>Sync</p></td>
+ <td><p>sync, time, count</p></td>
</tr>
<tr>
- <td>
- <p>11</p>
- </td>
-
- <td class="tab0">
- <p>jb</p>
- </td>
-
- <td class="tab0">
- <p>Job</p>
- </td>
-
- <td class="tab0">
- <p>job, time, count</p>
- </td>
+ <td><p>jb</p></td>
+ <td><p>Job</p></td>
+ <td><p>job, time, count</p></td>
</tr>
<tr>
- <td>
- <p>12</p>
- </td>
-
- <td class="tab0">
- <p>kwl</p>
- </td>
-
- <td class="tab0">
- <p>Kernel Wake Lock</p>
- </td>
-
- <td class="tab0">
- <p>kernel wake lock, time, count</p>
- </td>
+ <td><p>kwl</p></td>
+ <td><p>Kernel Wake Lock</p></td>
+ <td><p>kernel wake lock, time, count</p></td>
</tr>
<tr>
- <td>
- <p>13</p>
- </td>
-
- <td class="tab0">
- <p>wr</p>
- </td>
-
- <td class="tab0">
- <p>Wakeup Reason</p>
- </td>
-
- <td class="tab0">
- <p>wakeup reason, time, count</p>
- </td>
+ <td><p>wr</p></td>
+ <td><p>Wakeup Reason</p></td>
+ <td><p>wakeup reason, time, count</p></td>
</tr>
<tr>
- <td>
- <p>14</p>
- </td>
-
- <td class="tab0">
- <p>nt</p>
- </td>
-
- <td class="tab0">
- <p>Network</p>
- </td>
-
- <td class="tab0">
- <p>mobile bytes RX, mobile bytes TX, Wi-Fi bytes RX, Wi-Fi bytes TX,
+ <td><p>nt</p></td>
+ <td><p>Network</p></td>
+ <td><p>mobile bytes RX, mobile bytes TX, Wi-Fi bytes RX, Wi-Fi bytes TX,
mobile packets RX, mobile packets TX, Wi-Fi packets RX, Wi-Fi packets
- TX, mobile active time, mobile active count</p>
- </td>
+ TX, mobile active time, mobile active count</p></td>
</tr>
<tr>
- <td>
- <p>15</p>
- </td>
-
- <td class="tab0">
- <p>ua</p>
- </td>
-
- <td class="tab0">
- <p>User Activity</p>
- </td>
-
- <td class="tab0">
- <p>other, button, touch</p>
- </td>
+ <td><p>ua</p></td>
+ <td><p>User Activity</p></td>
+ <td><p>other, button, touch</p></td>
</tr>
<tr>
- <td>
- <p>16</p>
- </td>
-
- <td class="tab0">
- <p>bt</p>
- </td>
-
- <td class="tab0">
- <p>Battery</p>
- </td>
-
- <td class="tab0">
- <p>start count, battery realtime, battery uptime, total realtime,
+ <td><p>bt</p></td>
+ <td><p>Battery</p></td>
+ <td><p>start count, battery realtime, battery uptime, total realtime,
total uptime, start clock time, battery screen off realtime, battery
- screen off uptime</p>
+ screen off uptime</p></td>
+ </tr>
+
+ <tr>
+ <td><p>dc</p></td>
+ <td><p>Battery Discharge</p></td>
+ <td><p>low, high, screen on, screen off</p></td>
+ </tr>
+
+ <tr>
+ <td><p>lv</p></td>
+ <td><p>Battery Level</p></td>
+ <td><p>start level, current level</p></td>
+ </tr>
+
+ <tr>
+ <td><p>wfl</p></td>
+ <td><p>Wi-Fi</p></td>
+ <td><p>full Wi-Fi lock on time, Wi-Fi scan time, Wi-Fi running time, Wi-Fi
+ scan count, Wi-Fi idle time, Wi-Fi receive time, Wi-Fi transmit time</p>
</td>
</tr>
<tr>
- <td>
- <p>17</p>
- </td>
+ <td><p>gwfl</p></td>
+ <td><p>Global Wi-Fi</p></td>
+ <td><p>Wi-Fi on time, Wi-Fi running time, Wi-Fi idle time, Wi-Fi receive
+ time, Wi-Fi transmit time, Wi-Fi power (mAh)</p></td>
+ </tr>
- <td class="tab0">
- <p>dc</p>
- </td>
-
- <td class="tab0">
- <p>Battery Discharge</p>
- </td>
-
- <td class="tab0">
- <p>low, high, screen on, screen off</p>
+ <tr>
+ <td><p>gble</p></td>
+ <td><p>Global Bluetooth</p></td>
+ <td><p>BT idle time, BT receive time, BT transmit time, BT power (mAh)</p>
</td>
</tr>
<tr>
- <td>
- <p>18</p>
- </td>
-
- <td class="tab0">
- <p>lv</p>
- </td>
-
- <td class="tab0">
- <p>Battery Level</p>
- </td>
-
- <td class="tab0">
- <p>start level, current level</p>
- </td>
+ <td><p>m</p></td>
+ <td><p>Misc</p></td>
+ <td><p>screen on time, phone on time, full wakelock time total, partial
+ wakelock time total, mobile radio active time, mobile radio active
+ adjusted time, interactive time, power save mode enabled time,
+ connectivity changes, device idle mode enabled time, device idle mode
+ enabled count, device idling time, device idling count, mobile radio
+ active count, mobile radio active unknown time</p></td>
</tr>
<tr>
- <td>
- <p>19</p>
- </td>
-
- <td class="tab0">
- <p>wfl</p>
- </td>
-
- <td class="tab0">
- <p>Wi-Fi</p>
- </td>
-
- <td class="tab0">
- <p>full Wi-Fi lock on time, Wi-Fi scan time, Wi-Fi running time</p>
- </td>
- </tr>
-
- <tr>
- <td>
- <p>20</p>
- </td>
-
- <td class="tab0">
- <p>m</p>
- </td>
-
- <td class="tab0">
- <p>Misc</p>
- </td>
-
- <td class="tab0">
- <p>screen on time, phone on time, Wi-Fi on time, Wi-Fi running time,
- Bluetooth on time, mobile RX total bytes, mobile TX total bytes,
- Wi-Fi RX total bytes, Wi-Fi TX total bytes, full wake lock time
- total, partial wake lock time total, legacy input event count, mobile
- radio active time, mobile radio active adjusted time, interactive
- time, low-power mode enabled time</p>
- </td>
- </tr>
-
- <tr>
- <td>
- <p>21</p>
- </td>
-
- <td class="tab0">
- <p>gn</p>
- </td>
-
- <td class="tab0">
- <p>Global Network</p>
- </td>
-
- <td class="tab0">
- <p>mobile RX total bytes, mobile TX total bytes, Wi-Fi RX total
+ <td><p>gn</p></td>
+ <td><p>Global Network</p></td>
+ <td><p>mobile RX total bytes, mobile TX total bytes, Wi-Fi RX total
bytes, Wi-Fi TX total bytes, mobile RX total packets, mobile TX total
- packets, Wi-Fi RX total packets, Wi-Fi TX total packets</p>
- </td>
+ packets, Wi-Fi RX total packets, Wi-Fi TX total packets</p></td>
</tr>
<tr>
- <td>
- <p>22</p>
- </td>
-
- <td class="tab0">
- <p>br</p>
- </td>
-
- <td class="tab0">
- <p>Screen Brightness</p>
- </td>
-
- <td class="tab0">
- <p>dark, dim, medium, light, bright</p>
- </td>
+ <td><p>br</p></td>
+ <td><p>Screen Brightness</p></td>
+ <td><p>dark, dim, medium, light, bright</p></td>
</tr>
<tr>
- <td>
- <p>23</p>
- </td>
-
- <td class="tab0">
- <p>sst</p>
- </td>
-
- <td class="tab0">
- <p>Signal Scanning Time</p>
- </td>
-
- <td class="tab0">
- <p>signal scanning time</p>
- </td>
+ <td><p>sst</p></td>
+ <td><p>Signal Scanning Time</p></td>
+ <td><p>signal scanning time</p></td>
</tr>
<tr>
- <td>
- <p>24</p>
- </td>
-
- <td class="tab0">
- <p>sgt</p>
- </td>
-
- <td class="tab0">
- <p>Signal Strength Time</p>
- </td>
-
- <td class="tab0">
- <p>none, poor, moderate, good, great</p>
- </td>
+ <td><p>sgt</p></td>
+ <td><p>Signal Strength Time</p></td>
+ <td><p>none, poor, moderate, good, great</p></td>
</tr>
<tr>
- <td>
- <p>25</p>
- </td>
-
- <td class="tab0">
- <p>sgc</p>
- </td>
-
- <td class="tab0">
- <p>Signal Strength Count</p>
- </td>
-
- <td class="tab0">
- <p>none, poor, moderate, good, great</p>
- </td>
+ <td><p>sgc</p></td>
+ <td><p>Signal Strength Count</p></td>
+ <td><p>none, poor, moderate, good, great</p></td>
</tr>
<tr>
- <td>
- <p>26</p>
- </td>
-
- <td class="tab0">
- <p>dct</p>
- </td>
-
- <td class="tab0">
- <p>Data Connection Time</p>
- </td>
-
- <td class="tab0">
- <p>none, GPRS, EDGE, UMTS, CDMA, EVDO_0, EVDO_A, 1xRTT, HSDPA, HSUPA,
- HSPA, IDEN, EVDO_B, LTE, EHRPD, HSPAP, other</p>
- </td>
+ <td><p>dct</p></td>
+ <td><p>Data Connection Time</p></td>
+ <td><p>none, GPRS, EDGE, UMTS, CDMA, EVDO_0, EVDO_A, 1xRTT, HSDPA, HSUPA,
+ HSPA, IDEN, EVDO_B, LTE, EHRPD, HSPAP, other</p></td>
</tr>
<tr>
- <td>
- <p>27</p>
- </td>
-
- <td class="tab0">
- <p>dcc</p>
- </td>
-
- <td class="tab0">
- <p>Data Connection Count</p>
- </td>
-
- <td class="tab0">
- <p>none, GPRS, EDGE, UMTS, CDMA, EVDO_0, EVDO_A, 1xRTT, HSDPA, HSUPA,
- HSPA, IDEN, EVDO_B, LTE, EHRPD, HSPAP, other</p>
- </td>
+ <td><p>dcc</p></td>
+ <td><p>Data Connection Count</p></td>
+ <td><p>none, GPRS, EDGE, UMTS, CDMA, EVDO_0, EVDO_A, 1xRTT, HSDPA, HSUPA,
+ HSPA, IDEN, EVDO_B, LTE, EHRPD, HSPAP, other</p></td>
</tr>
<tr>
- <td>
- <p>28</p>
- </td>
-
- <td class="tab0">
- <p>wst</p>
- </td>
-
- <td class="tab0">
- <p>Wi-Fi State Time</p>
- </td>
-
- <td class="tab0">
- <p>off, off scanning, on no networks, on disconnected, on connected
- STA, on connected P2P, on connected STA P2P, soft AP</p>
- </td>
+ <td><p>wst</p></td>
+ <td><p>Wi-Fi State Time</p></td>
+ <td><p>off, off scanning, on no networks, on disconnected, on connected
+ STA, on connected P2P, on connected STA P2P, soft AP</p></td>
</tr>
<tr>
- <td>
- <p>29</p>
- </td>
-
- <td class="tab0">
- <p>wsc</p>
- </td>
-
- <td class="tab0">
- <p>Wi-Fi State Count</p>
- </td>
-
- <td class="tab0">
- <p>off, off scanning, on no networks, on disconnected, on connected
- STA, on connected P2P, on connected STA P2P, soft AP</p>
- </td>
+ <td><p>wsc</p></td>
+ <td><p>Wi-Fi State Count</p></td>
+ <td><p>off, off scanning, on no networks, on disconnected, on connected
+ STA, on connected P2P, on connected STA P2P, soft AP</p></td>
</tr>
<tr>
- <td>
- <p>30</p>
- </td>
-
- <td class="tab0">
- <p>wsst</p>
- </td>
-
- <td class="tab0">
- <p>Wi-Fi Supplicant State Time</p>
- </td>
-
- <td class="tab0">
- <p>invalid, disconnected, interface disabled, inactive, scanning,
+ <td><p>wsst</p></td>
+ <td><p>Wi-Fi Supplicant State Time</p></td>
+ <td><p>invalid, disconnected, interface disabled, inactive, scanning,
authenticating, associating, associated, four-way handshake, group
- handshake, completed, dormant, uninitialized</p>
- </td>
+ handshake, completed, dormant, uninitialized</p></td>
</tr>
<tr>
- <td>
- <p>31</p>
- </td>
-
- <td class="tab0">
- <p>wssc</p>
- </td>
-
- <td class="tab0">
- <p>Wi-Fi Supplicant State Count</p>
- </td>
-
- <td class="tab0">
- <p>invalid, disconnected, interface disabled, inactive, scanning,
+ <td><p>wssc</p></td>
+ <td><p>Wi-Fi Supplicant State Count</p></td>
+ <td><p>invalid, disconnected, interface disabled, inactive, scanning,
authenticating, associating, associated, four-way handshake, group
- handshake, completed, dormant, uninitialized</p>
- </td>
+ handshake, completed, dormant, uninitialized</p></td>
</tr>
<tr>
- <td>
- <p>32</p>
- </td>
-
- <td class="tab0">
- <p>wsgt</p>
- </td>
-
- <td class="tab0">
- <p>Wi-Fi Signal Strength Time</p>
- </td>
-
- <td class="tab0">
- <p>none, poor, moderate, good, great</p>
- </td>
+ <td><p>wsgt</p></td>
+ <td><p>Wi-Fi Signal Strength Time</p></td>
+ <td><p>none, poor, moderate, good, great</p></td>
</tr>
<tr>
- <td>
- <p>33</p>
- </td>
-
- <td class="tab0">
- <p>wsgc</p>
- </td>
-
- <td class="tab0">
- <p>Wi-Fi Signal Strength Count</p>
- </td>
-
- <td class="tab0">
- <p>none, poor, moderate, good, great</p>
- </td>
+ <td><p>wsgc</p></td>
+ <td><p>Wi-Fi Signal Strength Count</p></td>
+ <td><p>none, poor, moderate, good, great</p></td>
</tr>
<tr>
- <td>
- <p>34</p>
- </td>
+ <td><p>bst</p></td>
+ <td><p>Bluetooth State Time</p></td>
+ <td><p>inactive, low, med, high</p></td>
+ </tr>
- <td class="tab0">
- <p>bst</p>
- </td>
-
- <td class="tab0">
- <p>Bluetooth State Time</p>
- </td>
-
- <td class="tab0">
- <p>inactive, low, med, high</p>
- </td>
+ <tr>
+ <td><p>bsc</p></td>
+ <td><p>Bluetooth State Count</p></td>
+ <td><p>inactive, low, med, high</p></td>
</tr>
<tr>
- <td>
- <p>35</p>
- </td>
-
- <td class="tab0">
- <p>bsc</p>
- </td>
-
- <td class="tab0">
- <p>Bluetooth State Count</p>
- </td>
-
- <td class="tab0">
- <p>inactive, low, med, high</p>
- </td>
+ <td><p>pws</p></td>
+ <td><p>Power Use Summary</p></td>
+ <td><p>battery capacity, computed power, minimum drained power, maximum
+ drained power</p></td>
</tr>
<tr>
- <td>
- <p>36</p>
- </td>
-
- <td class="tab0">
- <p>pws</p>
- </td>
-
- <td class="tab0">
- <p>Power Use Summary</p>
- </td>
-
- <td class="tab0">
- <p>battery capacity, computed power, minimum drained power, maximum
- drained power</p>
- </td>
+ <td><p>pwi</p></td>
+ <td><p>Power Use Item</p></td>
+ <td><p>label, mAh</p></td>
</tr>
<tr>
- <td>
- <p>37</p>
- </td>
-
- <td class="tab0">
- <p>pwi</p>
- </td>
-
- <td class="tab0">
- <p>Power Use Item</p>
- </td>
-
- <td class="tab0">
- <p>label, mAh</p>
- </td>
+ <td><p>dsd</p></td>
+ <td><p>Discharge Step</p></td>
+ <td><p>duration, level, screen, power-save</p></td>
</tr>
<tr>
- <td>
- <p>38</p>
- </td>
-
- <td class="tab0">
- <p>dsd</p>
- </td>
-
- <td class="tab0">
- <p>Discharge Step</p>
- </td>
-
- <td class="tab0">
- <p>duration, level, screen, power-save</p>
- </td>
+ <td><p>csd</p></td>
+ <td><p>Charge Step</p></td>
+ <td><p>duration, level, screen, power-save</p></td>
</tr>
<tr>
- <td>
- <p>39</p>
- </td>
-
- <td class="tab0">
- <p>csd</p>
- </td>
-
- <td class="tab0">
- <p>Charge Step</p>
- </td>
-
- <td class="tab0">
- <p>duration, level, screen, power-save</p>
- </td>
+ <td><p>dtr</p></td>
+ <td><p>Discharge Time Remaining</p></td>
+ <td><p>battery time remaining</p></td>
</tr>
<tr>
- <td>
- <p>40</p>
- </td>
-
- <td class="tab0">
- <p>dtr</p>
- </td>
-
- <td class="tab0">
- <p>Discharge Time Remaining</p>
- </td>
-
- <td class="tab0">
- <p>battery time remaining</p>
- </td>
+ <td><p>ctr</p></td>
+ <td><p>Charge Time Remaining</p></td>
+ <td><p>charge time remaining</p></td>
</tr>
- <tr>
- <td>
- <p>41</p>
- </td>
-
- <td class="tab0">
- <p>ctr</p>
- </td>
-
- <td class="tab0">
- <p>Charge Time Remaining</p>
- </td>
-
- <td class="tab0">
- <p>charge time remaining</p>
- </td>
- </tr>
</table>
+
+<h2 id="wifi-reqs">Wi-Fi, Bluetooth, and cellular usage</h2>
+
+<p>Support for battery usage data on Wi-Fi, Bluetooth, and cellular data
+requires that the device Wi-Fi, Bluetooth, and cellular chipsets implement radio
+support and the chipset firmware passes usage data to the framework. OEMs must
+work with their chipset providers to facilitate in-field firmware updates on
+existing chipsets and compatible firmware on new chipsets.</p>
+
+<p>Additionally, OEMs must continue to configure and submit the power profile
+for their devices. However, when the platform detects that Wi-Fi and Bluetooth
+radio power data is available from the chipset, it uses chipset data instead of
+power profile data (cell radio power data is not yet used).</p>
+
+<p class="note"><strong>Note</strong>: Prior to Android 6.0, power use for Wi-Fi
+radio, Bluetooth radio, and cellular radio was tracked in the <em>m</em> (Misc)
+section category. In Android 6.0 and higher, power use for these components is
+tracked in the <em>pwi</em> (Power Use Item) section with individual labels
+(<em>wifi</em>, <em>blue</em>, <em>cell</em>) for each component.</p>
\ No newline at end of file
diff --git a/src/devices/tech/power/index.jd b/src/devices/tech/power/index.jd
index 33e08a8..0876ae7 100644
--- a/src/devices/tech/power/index.jd
+++ b/src/devices/tech/power/index.jd
@@ -79,4 +79,4 @@
<p>The framework also multiplies the CPU time for each application by the mA required to run the
CPU at a specific speed. This calculation establishes a comparative ranking of how much battery an
application consumes by executing CPU code (time as the foreground app and total time including
-background activity are reported separately).</p>
\ No newline at end of file
+background activity are reported separately).</p>
diff --git a/src/devices/tech/power/mgmt.jd b/src/devices/tech/power/mgmt.jd
new file mode 100644
index 0000000..51c87e7
--- /dev/null
+++ b/src/devices/tech/power/mgmt.jd
@@ -0,0 +1,261 @@
+page.title=Power Management
+@jd:body
+
+<!--
+ Copyright 2015 The Android Open Source Project
+
+ Licensed under the Apache License, Version 2.0 (the "License");
+ you may not use this file except in compliance with the License.
+ You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+ Unless required by applicable law or agreed to in writing, software
+ distributed under the License is distributed on an "AS IS" BASIS,
+ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ See the License for the specific language governing permissions and
+ limitations under the License.
+-->
+<div id="qv-wrapper">
+ <div id="qv">
+ <h2>In this document</h2>
+ <ol id="auto-toc"></ol>
+ </div>
+</div>
+
+<p>Battery life is a perennial user concern. To extend battery life, Android
+continually adds new features and optimizations to help the platform optimize
+the off-charger behavior of applications and devices.</p>
+<p>The Android 6.0 release includes the following improvements to battery life:
+</p>
+
+<ul>
+<li><b><a href="#app-standby">App Standby</b></a>. The platform can now place
+unused applications in App Standby mode, temporarily restricting network access
+and deferring syncs and jobs for those applications.</li>
+<li><b><a href="#doze">Doze</b></a>. The platform now enters a state of deep
+sleep (periodically resuming normal operations) if users have not actively used
+their device (screen off and stationary) for extended periods of time. As this
+feature requires the platform to detect the stationary state, it is available
+only on devices that implement the significant motion detection APIs in the
+Sensor HAL. Doze dramatically improves battery life.</li>
+<li><b><a href="#exempt-apps">Exemptions</b></a>. System apps and cloud
+messaging services preloaded on a device are typically exempted by default. App
+developers can intent their applications into this setting. Users can also
+exempt applications from App Standby and Doze via Settings > Battery >
+Battery optimization > All apps and then selecting the app to turn off (or back
+on) optimization.</li>
+</ul>
+<p>The following sections describe these improvements.</p>
+
+<h2 id="app-standby">App Standby</h2>
+<p>App Standby extends battery life by deferring background network activity
+and jobs for applications the user is not actively using.</p>
+
+<h3 id="app-standby-life">App Standby lifecycle</h3>
+<p>The platform detects inactive applications and places them in App Standby
+until the user begins actively engaging with the application.</p>
+
+<table>
+<tbody>
+<tr>
+<th width=33%>Detection</th>
+<th width=33%>During App Standby</th>
+<th width=33%>Exit</th>
+</tr>
+
+<tr>
+<td><p>The platform detects an application is inactive when the device is not
+charging <strong>and</strong> the user has not launched the application directly
+or indirectly for a specific amount of clock time as well as a specific amount
+of screen-on time. (Indirect launches occur when a foreground app accesses a
+service in a second app.)</p></td>
+<td><p>The platform prevents applications from accessing the network more than
+once a day, deferring application syncs and other jobs.</p></td>
+<td><p>The platform exits the app from App Standby when:</p>
+<ul>
+<li>Application becomes active.</li>
+<li>Device is plugged in and charging.</li>
+</ul>
+</td>
+</tr>
+</tbody>
+</table>
+
+<p>Active applications are unaffected by App Standby. An application is active
+when it has:</p>
+<ul>
+<li>A process currently in the foreground (either as an activity or foreground
+service, or in use by another activity or foreground service), such as
+notification listener, accessibility services, live wallpaper, etc.</li>
+<li>A notification viewed by the user, such as in the lock screen or
+notification tray.</li>
+<li>Explicitly been launched by the user.</li>
+</ul>
+<p>An application is inactive if none of the above activities has occurred for
+a period of time.
+</p>
+
+<h3>Testing App Standby</h3>
+<p>You can manually test App Standby using the following ADB commands:</p>
+
+<pre>
+$ adb shell dumpsys battery unplug
+$ adb shell am set-idle packageName true
+$ adb shell am set-idle packageName false
+$ adb shell am get-idle packageName
+</pre>
+
+<h2 id="doze">Doze</h2>
+
+<p>Doze extends battery life by deferring application background CPU and
+network activity when a device is unused for long periods.</p>
+
+<p>Idle devices in Doze periodically enter a maintenance window, during which
+apps can complete pending activities (syncs, jobs, etc.). Doze then resumes sleep
+for a longer period of time, followed by another maintenance window. The
+platform continues the Doze sleep/maintenance sequence, increasing the length of
+idle each time, until a maximum of a few hours of sleep time is reached. At all
+times, a device in Doze remains aware of motion and immediately leaves Doze
+if motion is detected.</p>
+
+<p>System services (such as telephony) and other preloaded services/apps are
+exempted from Doze by default. Users can also exempt specific applications from
+Doze in the Settings menu. By default, Doze is <b>disabled</b> in the Android
+Open Source Project (AOSP). For details on enabling Doze, see
+<a href="#integrate-doze">Integrating Doze</a>.</p>
+
+<h3 id="doze-reqs">Doze requirements</h3>
+
+<p>Doze support requires the following:</p>
+<ul>
+<li>Device implements the
+<a href="http://source.android.com/devices/sensors/sensor-types.html#significant_motion">significant
+motion detector (SMD) APIs</a> in the Sensor HAL. Devices that do not implement
+these APIs cannot support Doze.</li>
+<li>Device has a cloud messaging service, such as
+<a href="https://developers.google.com/cloud-messaging/">Google Cloud Messaging
+(GCM).</a> This enables the device to know when to wake from Doze.</li>
+</ul>
+
+<h3 id="doze-life">Doze lifecycle</h3>
+
+<p>The Doze lifecycle begins when the platform detects the device is idle and
+ends when the device exits Doze mode.</p>
+
+<table>
+<tbody>
+<tr>
+<th width=33%>Detection</td>
+<th width=33%>During Doze</th>
+<th width=33%>Exit</th>
+</tr>
+<tr>
+<td><p>The platform detects a device is idle when:</p>
+<ul>
+<li>Device is stationary (using significant motion detector).</li>
+<li>Device screen is off for some amount of time.</li>
+</ul>
+<p>Doze mode does not engage when the device is plugged into a power charger.
+</p>
+</td>
+<td><p>The platform attempts to keep the system in a sleep state, periodically
+resuming normal operations during a maintenance window then returning the device
+to sleep for longer repeating periods. During the sleep state, the following
+restrictions are active:</p>
+<ul>
+<li>Apps not allowed network access.</li>
+<li>App wakelocks ignored.</li>
+<li>Alarms deferred. Excludes alarm clock alarms and alarms set using
+<code>setAndAllowWhileIdle()</code>. This exemption is intended for apps (such
+as Calendar) that must show event reminder notifications.</li>
+<li>Wi-Fi scans not performed.</li>
+<li>SyncAdapter syncs and JobScheduler jobs deferred until the next maintenance
+window.</li>
+<li>Apps receiving SMS and MMS messages are put on a temporary whitelist so
+they can complete their processing.</li>
+</ul>
+</td>
+<td><p>The platform exits the device from Doze when it detects:</p>
+<ul>
+<li>User interaction with device.</li>
+<li>Device movement.</li>
+<li>Device screen turns on.</li>
+<li>Imminent AlarmClock alarm.</li>
+</ul>
+<p>Notifications do not cause the device to exit from Doze.</p>
+</td>
+</tr>
+</tbody>
+</table>
+
+<h3 id="doze-interactions">Interaction with App Standby</h3>
+<ul>
+<li>Time spent in Doze does not count towards App Standby.</li>
+<li>While the device is in Doze, idle applications are allowed to perform normal
+operations at least once a day.</li>
+</ul>
+
+<h3 id="integrate-doze">Integrating Doze</h3>
+<p>To enable Doze for a device, perform the following tasks:</p>
+
+<ol>
+<li>Confirm the device supports
+<a href="http://source.android.com/devices/sensors/sensor-types.html#significant_motion">SENSOR_TYPE_SIGNIFICANT_MOTION
+</a>. If the device does not support this sensor, it cannot support Doze.</li>
+<li>Confirm the device has a cloud messaging service installed.</li>
+<li>In the device overlay config file
+<code>overlay/frameworks/base/core/res/res/values/config.xml</code>, set
+<code>config_enableAutoPowerModes</code> to <b>true</b>:
+<pre>
+bool name="config_enableAutoPowerModes">true</bool>
+</pre>
+<br>In AOSP, this parameter is set to false (Doze disabled) by default.<br>
+</li>
+<li>Confirm that preloaded apps and services:
+<ul>
+<li>Use the new
+<a href="https://developer.android.com/preview/behavior-changes.html#behavior-power">power-saving
+optimization guidelines</a>. For details, see <a href="#test-apps">Testing and
+optimizing applications</a>.
+<p><b>OR</b></p>
+<li>Are exempted from Doze and App Standby. For details, see
+<a href="#exempt-apps">Exempting applications</a>.</li>
+</ul>
+</li>
+<li>Confirm the necessary services are exempted from Doze.</a>
+</li>
+</ol>
+
+<h4 id="test-apps">Testing and optimizing applications</h4>
+<p>Test all applications (especially preloaded applications) in Doze mode. For
+details, refer to
+<a href="https://developer.android.com/preview/testing/guide.html#doze-standby">Testing
+Doze and App Standby</a>.</p>
+
+<p class="note"><b>Note</b>: MMS/SMS/Telephony services function independently
+of Doze and will always wake client apps even while the device remains in Doze
+mode.</p>
+
+<h2 id="exempt-apps">Exempting applications</h2>
+<p>You can exempt applications from being subject to Doze or App Standby.</p>
+
+<p class="warning"><b>Warning</b>: Do not exempt apps to avoid testing and
+optimizing. Unnecessary exemptions undermine the benefits of Doze and App
+Standby and can compromise the user experience, so we strongly suggest
+minimizing such exemptions as they allow applications to defeat beneficial
+controls the platform has over power use. If users become unhappy about the
+power consumption of these apps, it can lead to frustration, bad experiences
+(and negative user reviews for the app), and customer support questions. For
+these reasons, we strongly recommend that you do not exempt third-party
+applications and instead exempt only cloud messaging services or apps with
+similar functions.</p>
+
+<p>Apps exempted by default are listed in a single view within the Settings >
+Battery menu. This list is used for exempting the app from both Doze and App
+Standby modes. To provide transparency to the user, the Settings menu
+<b>MUST</b> show all exempted applications.</p>
+
+<p>Users can manually exempt apps using the Settings menu. However, users cannot
+unexempt any application or service that is exempted by default in the system
+image.</p>
\ No newline at end of file
diff --git a/src/devices/tech/power/values.jd b/src/devices/tech/power/values.jd
index e88900a..8c6d4ac 100644
--- a/src/devices/tech/power/values.jd
+++ b/src/devices/tech/power/values.jd
@@ -33,7 +33,46 @@
the values (deriving differences from other baseline power uses as appropriate).
</p>
+<h2 id="multiple-cpus">Devices with heterogeneous CPUs</h2>
+
+<p>The power profile for devices with CPU cores of heterogeneous architecture
+must include the following additional fields:
+<ul>
+<li>Number of total CPUs for each cluster.</li>
+<li>CPU speeds supported by each cluster.</li>
+</ul>
+
+<p>To differentiate between active CPUs and supported CPU speeds for each
+cluster, append the cluster number to the name of the array. Example:</p>
+
+<pre>
+<array name="cpu.active.cluster0">
+<value>200</value>
+<value>300</value>
+<value>400</value>
+</array>
+<array name="cpu.speeds.cluster0">
+<value>600000</value>
+<value>800000</value>
+<value>1200000</value>
+</array>
+
+<array name="cpu.active.cluster1">
+<value>400</value>
+<value>500</value>
+<value>600</value>
+</array>
+<array name="cpu.speeds.cluster1">
+<value>800000</value>
+<value>1200000</value>
+<value>1400000</value>
+</array>
+</pre>
+
<h2 id="values">Power values</h2>
+<p>The following table describes available power value settings. To view the
+sample file in AOSP, see
+<a href="https://android.googlesource.com/platform/frameworks/base/+/master/core/res/res/xml/power_profile.xml">power_profile.xml</a>.</p>
<table>
<tr>
@@ -205,60 +244,20 @@
</tr>
<tr>
+ <td>cpu.clusters.cores</td>
+ <td>Number of cores each CPU cluster contains.</td>
+ <td>4, 2</td>
+ <td>Required only for devices with <a href="#multiple-cpus">heterogeneous CPU
+ architectures</a>. Number of entries and order should match the number of
+ cluster entries for the cpu.active and cpu.speeds. The first entry represents
+ the number of CPU cores in cluster0, the second entry represents the number of
+ CPU cores in cluster1, and so on.</td>
+</tr>
+
+<tr>
<td>battery.capacity</td>
<td>Total battery capacity in mAh.</td>
<td>3000mAh</td>
<td></td>
</tr>
-</table>
-
-<h2 id="sample">Sample file</h2>
-
-<pre>
-<!-- Most values are the incremental current used by a feature, in mA (measured at
-nominal voltage). OEMs must measure and provide actual values before shipping a device.
-Example real-world values are given, but are dependent on the platform
-and can vary significantly, so should be measured on the shipping platform with a power meter.
--->
-0
-200
-160
-10
-<!-- Bluetooth stereo audio playback 10.0 mA -->
-1.3
-0.5
-30
-100
-12
-50
-50
-75
-1.1
-<!-- Strength 0 to BINS-1 (4) -->
-1.1
-
-<!-- Different CPU speeds as reported in
-/sys/devices/system/cpu/cpu0/cpufreq/stats/time_in_state -->
-
-250000 <!-- 250 MHz -->
-500000 <!-- 500 MHz -->
-750000 <!-- 750 MHz -->
-1000000 <!-- 1 GHz -->
-1200000 <!-- 1.2 GHz -->
-
-<!-- Power consumption when CPU is idle -->
-3.0
-50.1
-<!-- Power consumption at different speeds -->
-
-100 <!-- 250 MHz -->
-120 <!-- 500 MHz -->
-140 <!-- 750 MHz -->
-155 <!-- 1 GHz -->
-175 <!-- 1.2 GHz -->
-
-<!-- This is the battery capacity in mAh -->
-3000
-<!-- Battery capacity is 3000 mAH (at 3.6 Volts) -->
-
-</pre>
\ No newline at end of file
+</table>
\ No newline at end of file
diff --git a/src/devices/tech/security/authentication/fingerprint-hal.jd b/src/devices/tech/security/authentication/fingerprint-hal.jd
new file mode 100644
index 0000000..e5af5e4
--- /dev/null
+++ b/src/devices/tech/security/authentication/fingerprint-hal.jd
@@ -0,0 +1,174 @@
+page.title=Fingerprint HAL
+@jd:body
+
+<!--
+ Copyright 2015 The Android Open Source Project
+
+ Licensed under the Apache License, Version 2.0 (the "License");
+ you may not use this file except in compliance with the License.
+ You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+ Unless required by applicable law or agreed to in writing, software
+ distributed under the License is distributed on an "AS IS" BASIS,
+ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ See the License for the specific language governing permissions and
+ limitations under the License.
+-->
+
+<div id="qv-wrapper">
+ <div id="qv">
+ <h2>In this document</h2>
+ <ol id="auto-toc">
+ </ol>
+ </div>
+</div>
+
+<h2 id=overview>Overview</h2>
+
+<p>If a device has a fingerprint sensor, a user can enroll one or more
+fingerprints and then use their fingerprints to unlock the device and perform
+other tasks.</p>
+
+<p>Android uses the Fingerprint Hardware Abstraction Layer (HAL) to connect to a
+vendor-specific library and fingerprint hardware, e.g. a fingerprint sensor.</p>
+
+<p>To implement the Fingerprint HAL, you must implement
+<a href="#major_functions_in_the_fingerprint_hal">functions</a>
+in <code>fingerprint.h</code> (<code>/hardware/libhardware/include/hardware/fingerprint.h</code>)
+in a vendor-specific library; please see the comments in
+the <a href="https://android.googlesource.com/platform/hardware/libhardware/+/master/include/hardware/fingerprint.h"><code>fingerprint.h</code></a> file.</p>
+
+<h3 id=fingerprint_matching_flow>Fingerprint matching flow</h3>
+
+<p>The following is a high-level flow for fingerprint matching. This flow assumes
+that a fingerprint already has been enrolled on the device, i.e. the
+vendor-specific library already has enrolled a template for the fingerprint.
+Also see <a href="index.html">Authentication</a>.</p>
+
+<p>The fingerprint sensor of a device generally is idle. But in response to a call
+to the <code>authenticate</code> or <code>enroll</code> function, the fingerprint
+sensor listens for a touch (and perhaps the screen
+wakes up when a user touches the fingerprint sensor).</p>
+
+<ol>
+ <li>The user places a finger on the fingerprint sensor, and the vendor-specific
+library determines if there is a match based on the current set of enrolled
+templates.
+ <li>The result of step 1 is passed to the Fingerprint HAL, which notifies
+<code>fingerprintd</code> (the Fingerprint daemon) of a fingerprint authentication.
+</ol>
+
+<p>Note that as more templates are stored on a single device, the time needed for
+matching is increased.</p>
+
+<h2 id=architecture>Architecture</h2>
+
+<p>The <strong>Fingerprint HAL</strong> interacts with the following components:</p>
+
+<ul>
+ <li><strong>FingerprintManager API</strong>. Interacts directly with an app in an app process.
+ <ul>
+ <li>Each app has an instance of FingerprintManager.
+ <li>FingerprintManager is a wrapper that communicates with FingerprintService.
+ </ul>
+ <li><strong>FingerprintService</strong>. A singleton service that operates in the system
+ process, which handles
+communication with <code>fingerprintd</code>.
+ <li><strong>fingerprintd (Fingerprint daemon)</strong>. A C/C++ implementation of the
+ binder interface from FingerprintService. The
+<code>fingerprintd</code> daemon operates in its own process and wraps the Fingerprint HAL
+vendor-specific library.
+ <li><strong>Fingerprint HAL vendor-specific library</strong>. A hardware vendor's
+ implementation of the Fingerprint HAL. The
+vendor-specific library communicates with the device-specific hardware.
+ <li><strong>Keystore API and Keymaster</strong>. These components provide hardware-backed cryptography
+ for secure key storage
+ in a Trusted Execution Environment (TEE).
+</ul>
+
+<p>As shown in the following diagram, a vendor-specific HAL implementation needs
+to use the communication protocol required by a TEE.</p>
+
+<img src="../images/fingerprint-data-flow.png" alt="Data flow for fingerprint authentication" id="figure1" />
+
+<p class="img-caption"><strong>Figure 1.</strong> High-level data flow for fingerprint authentication</p>
+
+<p>Thus, raw images and processed fingerprint features must not be passed in
+untrusted memory. All such biometric data needs to be secured within sensor
+hardware or trusted memory. (Memory inside the TEE is considered as trusted
+memory; memory outside the TEE is considered untrusted.)</p>
+
+<p>Rooting must not compromise biometric data.</p>
+
+<p>As shown in the following diagram, <code>fingerprintd</code> makes calls through the
+Fingerprint HAL to the vendor-specific library to enroll fingerprints and
+perform other operations.</p>
+
+<img src="../images/fingerprint-daemon.png" alt="Interaction with fingerprintd" id="figure2" />
+<p class="img-caption"><strong>Figure 2.</strong> Interaction of the
+fingerprint daemon (<code>fingerprintd</code>) with the fingerprint vendor-specific library</p>
+
+<h2 id=fingerprint_implementation_guidelines>Fingerprint implementation guidelines</h2>
+
+<p>The guidelines in this section are intended to ensure the following:</p>
+
+<ul>
+ <li>Fingerprint data is not leaked
+ <li>Fingerprint data is removed when a user account is removed from a device
+</ul>
+
+<p>Here are the guidelines:</p>
+
+<ol>
+ <li>Raw fingerprint data or derivatives (e.g. templates) must never be accessible
+from outside the sensor driver or Trusted Execution Environment (TEE). Hardware
+access must be limited to the TEE, if the hardware supports it, and must be protected by
+an SELinux policy. That is, the Serial Peripheral Interface (SPI) channel must
+be accessible only to the TEE, and there must be an explicit SELinux policy on
+all device files.
+ <li>Fingerprint acquisition, enrollment and recognition must occur inside the TEE.
+ <li>Only the encrypted form of the fingerprint data can be stored on the file
+system, even if the file system itself is encrypted.
+ <li>Fingerprint templates must be signed with a private, device-specific key, for
+example with AES, with at least the absolute file-system path, group and finger
+ID such that template files are inoperable on another device or for anyone
+other than the user that enrolled them on the same device. For example, copying
+the fingerprint data from a different user on the same device, or from another
+device, must not work.
+ <li>Implementations must either use the file system path provided by the
+ <code>set_active_group()</code> function or provide a way to erase all user template data when the user
+account is removed. It is strongly recommended that fingerprint template files
+be stored as encrypted in the path provided. If this is infeasible due to TEE
+storage requirements, then the implementer must add hooks to ensure removal of
+the data when the user's account is removed.
+</ol>
+
+<h2 id=major_functions_in_the_fingerprint_hal>Major functions in the Fingerprint HAL</h2>
+
+<p>Below are the major functions in the <code>/hardware/libhardware/include/hardware/fingerprint.h</code> file; see the detailed descriptions in that
+file.</p>
+
+<ul>
+ <li><strong>enroll.</strong> Switches the HAL state machine to start the collection and storage of a
+fingerprint template. As soon as enrollment is complete, or after a timeout,
+the HAL state machine is returned to the idle state.
+ <li><strong>pre_enroll.</strong> Generates a unique token to indicate the start of a fingerprint enrollment.
+Provides a token to the <code>enroll</code> function to ensure there was prior authentication, e.g. using a password. The
+token is wrapped and, for example, HMAC'd, once the device credential is
+confirmed, to prevent tampering. The token must be checked during enrollment to
+verify that the token is still valid.
+ <li><strong>get_authenticator_id.</strong> Returns a token associated with the current fingerprint set.
+ <li><strong>cancel.</strong> Cancels any pending enroll or authenticate operations. The HAL state machine
+is returned to the idle state.
+ <li><strong>enumerate.</strong> Synchronous call for enumerating all known fingerprint templates.
+ <li><strong>remove.</strong> Deletes a fingerprint template.
+ <li><strong>set_active_group.</strong> Restricts a HAL operation to a set of fingerprints that belong to a specified
+group (identified by a group identifier, or GID).
+ <li><strong>authenticate.</strong> Authenticates a fingerprint-related operation (identified by an operation ID).
+ <li><strong>set_notify.</strong> Registers a user function that will get notifications from the HAL. If the HAL
+state machine is in a busy state, the function is blocked until the HAL leaves
+the busy state.
+</ul>
+
diff --git a/src/devices/tech/security/authentication/gatekeeper.jd b/src/devices/tech/security/authentication/gatekeeper.jd
new file mode 100644
index 0000000..9d760bc
--- /dev/null
+++ b/src/devices/tech/security/authentication/gatekeeper.jd
@@ -0,0 +1,192 @@
+page.title=Gatekeeper
+@jd:body
+
+<!--
+ Copyright 2015 The Android Open Source Project
+
+ Licensed under the Apache License, Version 2.0 (the "License");
+ you may not use this file except in compliance with the License.
+ You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+ Unless required by applicable law or agreed to in writing, software
+ distributed under the License is distributed on an "AS IS" BASIS,
+ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ See the License for the specific language governing permissions and
+ limitations under the License.
+-->
+<div id="qv-wrapper">
+ <div id="qv">
+ <h2>In this document</h2>
+ <ol id="auto-toc">
+ </ol>
+ </div>
+</div>
+
+<h2 id=overview>Overview</h2>
+
+<p>The Gatekeeper subsystem performs device pattern/password authentication in a
+Trusted Execution Environment (TEE). Gatekeeper enrolls and verifies passwords
+via an HMAC with a hardware-backed secret key. Additionally, Gatekeeper
+throttles consecutive failed verification attempts and must refuse to service
+requests based on a given timeout and a given number of consecutive failed
+attempts.</p>
+
+<p>When users verify their passwords, Gatekeeper uses the TEE-derived shared
+secret to sign an authentication attestation to
+send to <a href="keymaster.html">Keymaster</a>. That is, a
+Gatekeeper attestation notifies Keymaster that authentication-bound keys (for
+example, keys that apps have created) can be released for use by apps.</p>
+
+<h2 id=architecture>Architecture</h2>
+
+<p>Gatekeeper involves three main components:</p>
+
+<ul>
+ <li><strong>gatekeeperd (Gatekeeper daemon)</strong>.
+ A C++ binder service containing platform-independent logic and corresponding
+to the <code>GateKeeperService</code> Java interface.
+ <li><strong>Gatekeeper Hardware Abstraction Layer (HAL)</strong>.
+ The HAL interface in <code>hardware/libhardware/include/hardware/gatekeeper.h</code>,
+ and the implementing module.
+ <li><strong>Gatekeeper (TEE)</strong>.
+ The TEE counterpart of <code>gatekeeperd</code>. A TEE-based implementation of Gatekeeper.
+</ul>
+
+<p>To implement Gatekeeper:</p>
+
+<ul>
+ <li>Implement the Gatekeeper HAL, specifically the functions in <code>gatekeeper.h</code>
+ (<code>hardware/libhardware/include/hardware/gatekeeper.h</code>). See <a href="#hal_implementation">HAL Implementation</a>.
+ <li>Implement the TEE-specific Gatekeeper component, in part based on the following
+header file: <code>system/gatekeeper/include/gatekeeper/gatekeeper.h</code>. This
+header file includes pure virtual functions for creating and accessing
+keys, as well as for computing signatures.
+See <a href="#trusty_and_other_implementations">Trusty and other implementations</a>.
+</ul>
+
+<p>As shown in the following diagram, the <code>LockSettingsService</code> makes a request (via
+Binder) that reaches the <code>gatekeeperd</code> daemon in the Android OS. The <code>gatekeeperd</code>
+daemon makes a request that reaches its counterpart (Gatekeeper) in the TEE.</p>
+
+<img src="../images/gatekeeper-flow.png" alt="Gatekeeper flow" id="figure1" />
+<p class="img-caption"><strong>Figure 1.</strong> High-level data flow for authentication by GateKeeper</p>
+
+<p>The <code>gatekeeperd</code> daemon gives the Android framework APIs access to the HAL, and
+participates in reporting device <a href="index.html">authentications</a> to Keymaster.
+The <code>gatekeeperd</code> daemon runs in its own process, separate from the system
+server.</p>
+
+<h2 id=hal_implementation>HAL Implementation</h2>
+
+<p>The <code>gatekeeperd</code> daemon uses the HAL to interact
+with the <code>gatekeeperd</code> daemon's TEE
+counterpart for password authentication. The HAL implementation must be able to
+sign (enroll) and verify blobs. All implementations are expected to adhere to
+the standard format for the authentication token (AuthToken) generated on each
+successful password verification. The contents and semantics of the AuthToken
+are described in <a href="index.html">Authentication</a>.</p>
+
+<p>Specifically, an implementation of the <code>gatekeeper.h</code> header file (in the
+<code>hardware/libhardware/include/hardware</code> folder) needs to implement the
+<code>enroll</code> and <code>verify</code> functions.</p>
+
+<p>The <code>enroll</code> function takes a password blob, signs it, and returns the signature
+as a handle. The returned blob (from a call to <code>enroll</code>) must have the structure
+shown in <code>system/gatekeeper/include/gatekeeper/password_handle.h</code>.</p>
+
+<p>The <code>verify</code> function needs to compare the signature produced by the provided password and
+ensure that it matches the enrolled password handle.</p>
+
+<p>The key used to enroll and verify must never change, and should be re-derivable
+at every device boot.</p>
+
+<h2 id=trusty_and_other_implementations>Trusty and other implementations</h2>
+
+<p>The Trusty operating system is Google's open source trusted OS for TEE
+environments. It contains an approved implementation of GateKeeper. However,
+<strong>any TEE OS</strong> can be used for the implementation of Gatekeeper.
+The TEE <strong>must</strong> have access to a hardware-backed key as well as a secure,
+monotonic clock <strong>that ticks in suspend</strong>.</p>
+
+<p>Trusty uses an internal IPC system to communicate a shared secret directly
+between Keymaster and the Trusty implementation of Gatekeeper ("Trusty
+Gatekeeper"). This shared secret is used for signing AuthTokens that will be
+sent to Keymaster, providing attestations of password verification. Trusty
+Gatekeeper requests the key from Keymaster for each use and does not persist
+or cache the value. Implementations are free to share this secret in any way
+that does not compromise security.</p>
+
+<p>The HMAC key, used to enroll and verify passwords, is derived and kept solely
+in GateKeeper.</p>
+
+<p>The Android tree provides a generic C++ implementation of GateKeeper, requiring
+only the addition of device-specific routines to be complete. To implement a
+TEE Gatekeeper with device-specific code for your TEE, please refer to the
+functions and comments in the following file:</p>
+<pre>
+system/gatekeeper/include/gatekeeper/gatekeeper.h
+</pre>
+
+<p>For the TEE GateKeeper, the primary responsibilities of a compliant
+implementation are:</p>
+
+<ul>
+ <li>Adherence to the Gatekeeper HAL
+ <li>Returned AuthTokens must be formatted according to the AuthToken specification
+(described in <a href="index.html">Authentication</a>)
+ <li>The TEE Gatekeeper must be able to share an HMAC key with Keymaster, either by
+requesting the key through a TEE IPC on demand or maintaining a valid cache of
+the value at all times
+</ul>
+
+<h2 id=user_sids>User SIDs</h2>
+
+<p>A User Secure ID (User SID) is the TEE representation of a user.
+The User SID has no strong connection to an Android user ID.</p>
+
+<p>A User SID is generated with a cryptographic
+PRNG whenever a user enrolls a new password without providing a previous one.
+This is known as an "untrusted" re-enroll.
+A "trusted" re-enroll occurs when a user provides a valid, previous password.
+In this case, the User SID is migrated to the new password handle,
+conserving the keys that were bound to it.
+The Android framework does not allow for an "untrusted" re-enroll under regular circumstances.</p>
+
+<p>The User SID is HMAC'ed along with the password in the password handle when the
+password is enrolled.</p>
+
+<p>User SIDs are written into the AuthToken returned by the <code>verify</code>
+function and associated to all authentication-bound Keymaster keys. For
+information about the AuthToken format and Keymaster, see
+<a href="index.html">Authentication</a>.
+Since an untrusted call to the <code>enroll</code> function
+will change the User SID, the call will render the keys bound to that password useless.</p>
+
+<p>Attackers can change the password for the device if they control the Android
+OS, but they will destroy root-protected, sensitive keys in the process.</p>
+
+<h2 id=request_throttling>Request throttling</h2>
+
+<p>GateKeeper must be able to securely throttle brute-force attempts on a user
+credential. As shown in the <code>gatekeeper.h</code>
+file (in <code>hardware/libhardware/include/hardware</code>),
+the HAL provides for returning a timeout in milliseconds. The timeout
+informs the client not to call GateKeeper again until after the timeout has
+elapsed. GateKeeper should not service requests if there is a pending timeout.</p>
+
+<p>GateKeeper must write a failure counter before verifying a user password. If
+the password verification succeeds, the failure counter should be cleared. This
+prevents attacks that prevent throttling by disabling the embedded MMC (eMMC)
+after issuing a <code>verify</code> call. The <code>enroll</code> function also verifies
+the user password (if provided) and so must be throttled in the same way.</p>
+
+<p>If supported by the device, it is highly recommended that the failure counter
+be written to secure storage. If the device does not support
+file-based encryption, or if secure storage is too slow, implementations may
+use RPMB directly.</p>
+
+
+
+
diff --git a/src/devices/tech/security/authentication/index.jd b/src/devices/tech/security/authentication/index.jd
new file mode 100644
index 0000000..86564eb
--- /dev/null
+++ b/src/devices/tech/security/authentication/index.jd
@@ -0,0 +1,250 @@
+page.title=Authentication
+@jd:body
+
+<!--
+ Copyright 2015 The Android Open Source Project
+
+ Licensed under the Apache License, Version 2.0 (the "License");
+ you may not use this file except in compliance with the License.
+ You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+ Unless required by applicable law or agreed to in writing, software
+ distributed under the License is distributed on an "AS IS" BASIS,
+ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ See the License for the specific language governing permissions and
+ limitations under the License.
+-->
+<div id="qv-wrapper">
+ <div id="qv">
+ <h2>In this document</h2>
+ <ol id="auto-toc">
+ </ol>
+ </div>
+</div>
+
+<h2 id=overview>Overview</h2>
+
+<p>Android 6.0 introduces the concept of user-authentication-gated cryptographic
+keys. To achieve this, two key components need to work together.
+First is the cryptographic key storage and service provider, which stores
+cryptographic keys and provides standard crypto routines on top of them. Second
+is any number of user authenticators that may attest to the user's presence
+and/or successful authentication.</p>
+
+<p>The cryptographic key storage in Android is provided by the keystore service and Keymaster.
+(Also see information about
+the <a href="https://developer.android.com/training/articles/keystore.html">Android Keystore system</a>,
+at the framework level, which is backed by the keystore service.) For Android 6.0,
+the two supported authentication components are Gatekeeper (for
+PIN/pattern/password authentication) and Fingerprint (for fingerprint
+authentication). These components communicate their authentication
+state with the keystore service via an authenticated channel.</p>
+
+<ul>
+ <li><strong>The keystore service and <a href="keymaster.html">Keymaster</a>.</strong> Cryptographic services,
+ including hardware-backed cryptography for key storage,
+ which might include a Trusted Execution Environment (TEE).</li>
+ <li><strong><a href="gatekeeper.html">Gatekeeper</a>.</strong> Components for PIN, pattern, and password authentication.</li>
+ <li><strong><a href="fingerprint-hal.html">Fingerprint</a>.</strong> Components for fingerprint authentication.</li>
+</ul>
+
+<h2 id=architecture>Architecture</h2>
+
+<p>The Gatekeeper and Fingerprint components work with Keymaster and other
+components to support the use of hardware-backed <a href="#authentication_token_format">authentication tokens</a> (referred to below as "AuthTokens").</p>
+
+<h3 id=enrollment>Enrollment</h3>
+
+<p>Upon first boot of the device after a factory reset, all authenticators are prepared to receive
+credential enrollments from the user.</p>
+
+<p>The user must initially enroll a PIN/pattern/password with Gatekeeper. This
+initial enrollment creates a randomly generated, 64-bit User SID (user secure
+identifier, described further below) that serves as an identifier for the user
+and as a binding token for the user's cryptographic material.
+This User SID is cryptographically bound to the user's password.
+As detailed below, successful authentications to Gatekeeper result in AuthTokens that contain the User SID
+for that password.</p>
+
+<p>When a user wants to change their credential, they must present their existing
+credential. If the existing credential is verified successfully, the User SID
+associated with the existing credential is transferred to the new credential.
+This allows the user to keep accessing their keys after changing their
+credential. If a user does not present their existing credential, the new one
+is enrolled with a fully random User SID. The user can access the device but
+keys created under the old User SID are permanently lost. This is known as an
+"untrusted enroll."</p>
+
+<p>Note that an untrusted enroll will not be allowed under normal circumstances by
+the Android framework, so most users won't ever see this functionality.
+However, forcible password resets either by a device administrator or an
+attacker may cause this to occur.</p>
+
+<h3 id=authentication>Authentication</h3>
+
+<p>Now that the user has set up a credential and received a User SID, they may
+proceed to start authentication.</p>
+
+<p>In the diagram below, authentication starts when a user provides a PIN,
+pattern, password, or fingerprint. All TEE components share a secret key which
+they use to authenticate each other's messages.</p>
+
+<img src="../images/authentication-flow.png" alt="Authentication flow" id="figure1" />
+<p class="img-caption"><strong>Figure 1.</strong> Authentication flow</p>
+
+<p>The numbers in the following steps correspond to the numbers in the diagram
+above, and include reference to both the Android OS and the TEE OS: </p>
+
+<ol>
+ <li>A user provides a PIN, pattern, password, or fingerprint. The
+<code>LockSettingsService</code> or <code>FingerprintService</code> make a request via Binder to the
+Gatekeeperd or fingerprintd daemon in the Android OS. Note that fingerprint
+authentication occurs asynchronously after the fingerprint request is sent.
+ <li>This step involves <strong>either</strong> Gatekeeperd (option 1 below)
+ <strong>or</strong> fingerprintd (option 2 below),
+ depending on whether a pin/pattern/password, or fingerprint, is provided.
+ <ul>
+ <li>The Gatekeeperd daemon sends a pin, pattern, or password hash (received in step
+1) to its counterpart (Gatekeeper) in the TEE. If authentication in the TEE is
+successful, Gatekeeper in the TEE sends an AuthToken containing the
+corresponding User SID, signed with the AuthToken HMAC key, to its
+counterpart in the Android OS.
+ <li>Alternatively, the fingerprintd daemon, which listens for fingerprint events,
+sends the data (received in step 1) to its counterpart (Fingerprint) in the
+TEE. If authentication in the TEE is successful, Fingerprint in the TEE sends
+an AuthToken, signed with the AuthToken HMAC key, to its counterpart in the Android OS.
+ </ul>
+ <li>The Gatekeeperd or fingerprintd daemon receives a signed AuthToken and passes
+the AuthToken to the keystore service via an extension to
+the keystore service's Binder interface. Additionally, Gatekeeperd notifies the keystore service when
+the device is re-locked and when the device password changes.
+ <li>The keystore service passes to Keymaster the AuthTokens received from Gatekeeperd and
+fingerprintd, verifying the AuthTokens with the key shared with the Gatekeeper
+and Fingerprint trustlets. Keymaster trusts the timestamp in the token as the
+last authentication time and bases a key release decision (to allow an app to
+use the key) on the timestamp.
+</ol>
+
+<p class="note"><strong>Note:</strong> AuthTokens are invalidated whenever a device reboots.</p>
+
+<h2 id=authentication_token_format>Authentication token format</h2>
+
+<p>The AuthToken format described in the
+<a href="https://android.googlesource.com/platform/hardware/libhardware/+/master/include/hardware/hw_auth_token.h"><code>hw_auth_token.h</code></a> file is
+necessary for token sharing and compatibility across languages and
+components. See the following file:</p>
+<pre>
+hardware/libhardware/include/hardware/hw_auth_token.h
+</pre>
+
+<p>A simple serialization protocol with the required fields is defined in the
+table below. The fields are fixed size.</p>
+
+<p>Field descriptions are below the table.</p>
+<table>
+ <tr>
+ <th><strong>Field</strong></th>
+ <th><strong>Type</strong></th>
+ <th><strong>Required or Optional</strong></th>
+ </tr>
+ <tr>
+ <td>AuthToken Version</td>
+ <td>1 byte</td>
+ <td>Required</td>
+ </tr>
+ <tr>
+ <td>Challenge</td>
+ <td>64-bit unsigned integer</td>
+ <td>Optional</td>
+ </tr>
+ <tr>
+ <td>User SID</td>
+ <td>64-bit unsigned integer</td>
+ <td>Required</td>
+ </tr>
+ <tr>
+ <td>Authenticator ID</td>
+ <td>64-bit unsigned integer in network order</td>
+ <td>Optional</td>
+ </tr>
+ <tr>
+ <td>Authenticator type</td>
+ <td>32-bit unsigned integer in network order</td>
+ <td>Required</td>
+ </tr>
+ <tr>
+ <td>Timestamp</td>
+ <td>64-bit unsigned integer in network order</td>
+ <td>Required</td>
+ </tr>
+ <tr>
+ <td>AuthToken HMAC key (SHA-256)</td>
+ <td>256-bit blob</td>
+ <td>Required</td>
+ </tr>
+</table>
+
+<h3 id=field_descriptions>Field descriptions </h3>
+
+<p>This section describes the fields of the AuthToken table above.</p>
+
+<p><strong>AuthToken Version:</strong> Group tag for all fields below.</p>
+
+<p><strong>Challenge:</strong> A random integer to prevent replay attacks. Usually the ID of a requested
+crypto operation. Currently used by transactional fingerprint authorizations.
+If present, the AuthToken is valid only for crypto operations containing the
+same challenge.</p>
+
+<p><strong>User SID</strong>: Non-repeating user identifier tied cryptographically to all keys associated
+with device authentication. For more information, see the Gatekeeper page.</p>
+
+<p><strong>Authenticator ID (ASID)</strong>: Identifier used to bind to a specific authenticator policy. All
+authenticators have their own value of ASID that they can change according to
+their own requirements.</p>
+
+<p><strong>Authenticator Type</strong>: Either Gatekeeper or Fingerprint, as follows:</p>
+<table>
+ <tr>
+ <th><strong>Authenticator Type</strong></th>
+ <th><strong>Authenticator Name</strong></th>
+ </tr>
+ <tr>
+ <td>0x00</td>
+ <td>Gatekeeper</td>
+ </tr>
+ <tr>
+ <td>0x01</td>
+ <td>Fingerprint</td>
+ </tr>
+</table>
+
+<p><strong>Timestamp</strong>: Time (in milliseconds) since the most recent system boot.</p>
+
+<p><strong>AuthToken HMAC key</strong>: Keyed SHA-256 MAC of all fields except the HMAC field.</p>
+
+<h2 id=device_boot_flow>Device boot flow</h2>
+
+<p>On every boot of a device, the AuthToken HMAC key must be generated and shared
+with all TEE components (Gatekeeper, Fingerprint, and Keymaster). Thus, the HMAC key
+must be randomly generated every time the device reboots, for added protection against replay attacks.</p>
+
+<p>The protocol for sharing this HMAC key with all components is a
+platform-dependent implementation feature. The key must <strong>never</strong>
+be made available outside the TEE. Thus, if a TEE OS lacks an
+internal inter-process communication (IPC) mechanism,
+and the TEE needs to transfer the data through the untrusted OS, the transfer
+must be done via a secure key exchange protocol.</p>
+
+<p>The Trusty operating system, which runs next to Android, is an example of a
+TEE, but other TEEs can be used instead. Trusty uses an internal IPC system to
+communicate directly between Keymaster and Fingerprint or Gatekeeper. The HMAC
+key is kept solely in Keymaster. Fingerprint and Gatekeeper request the key
+from Keymaster for each use, and do not persist or cache the value.</p>
+
+<p>Note that no communication happens between applets in the TEE because some TEEs
+are lacking in IPC infrastructure. This also
+permits the keystore service to quickly deny requests that are bound to fail as it has
+knowledge of the authentication table in the system, saving a potentially
+costly IPC into the TEE.</p>
diff --git a/src/devices/tech/security/authentication/keymaster.jd b/src/devices/tech/security/authentication/keymaster.jd
new file mode 100644
index 0000000..8febf76
--- /dev/null
+++ b/src/devices/tech/security/authentication/keymaster.jd
@@ -0,0 +1,100 @@
+page.title=Keymaster
+@jd:body
+
+<!--
+ Copyright 2015 The Android Open Source Project
+
+ Licensed under the Apache License, Version 2.0 (the "License");
+ you may not use this file except in compliance with the License.
+ You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+ Unless required by applicable law or agreed to in writing, software
+ distributed under the License is distributed on an "AS IS" BASIS,
+ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ See the License for the specific language governing permissions and
+ limitations under the License.
+-->
+<div id="qv-wrapper">
+ <div id="qv">
+ <h2>In this document</h2>
+ <ol id="auto-toc">
+ </ol>
+ </div>
+</div>
+
+<p>The availability of a trusted execution environment in a system on a chip (SoC)
+offers an opportunity for Android devices to provide hardware-backed, strong
+security services to the Android OS, to platform services, and even to
+third-party apps.</p>
+
+<p>Keymaster has been <a href="km-features.html">significantly enhanced</a>
+in Android 6.0 with the addition of symmetric cryptographic primitives,
+AES and HMAC, and the addition of an access control
+system for hardware-backed keys. Access controls are specified during key
+generation and enforced for the lifetime of the key. Keys can be restricted to
+be usable only after the user has authenticated, only at a specific usage
+velocity, and only for specified purposes or with specified cryptographic
+parameters. For more information, please see
+the <a href="km-implementer-ref.html">Implementer's Reference</a>.</p>
+
+<p>Before Keymaster 1.0, Android already had a simple, hardware-backed crypto
+services API: Keymaster versions 0.2 and 0.3, which provided only digital
+signing and verification operations, plus generation of
+asymmetric signing key pairs. This is already
+implemented on many devices, but there are many security goals that cannot
+easily be achieved with only a signature API. The intent of Keymaster 1.0 is to
+extend the Keymaster API to provide a broader range of capabilities.</p>
+
+<h2 id=goals>Goals</h2>
+
+<p>The goal of the Keymaster API is to provide a basic but adequate set of
+cryptographic primitives to allow the implementation of protocols using
+access-controlled, hardware-backed keys.</p>
+
+<p>In addition to expanding the range of cryptographic primitives, Keymaster v1.0
+adds the following:</p>
+
+<ul>
+ <li>A usage control scheme to allow key usage to be limited, to mitigate the risk
+of security compromise due to misuse of keys
+ <li>An access control scheme to enable restriction of keys to specified users,
+clients, and a defined time range
+</ul>
+
+<h2 id=architecture>Architecture</h2>
+
+<p>The Keymaster API is a Hardware Abstraction Layer module, which is a
+dynamically-loaded library. Implementations must not
+perform any sensitive operations in user space, or even in kernel space.
+Sensitive operations are delegated to a secure processor reached through some
+kernel interface. The resulting architecture looks something like the
+following:</p>
+
+<img src="../images/access-to-keymaster.png" alt="Access to Keymaster" id="figure1" />
+<p class="img-caption"><strong>Figure 1.</strong> Access to Keymaster</p>
+
+<p>Within an Android device, the "client" actually consists of multiple layers
+(e.g. app, framework, keystore daemon), but that can be ignored for the
+purposes of this document. This means that the described API is low-level, used
+by platform-internal components, and not exposed to app developers. The
+higher-level API, for API level 23, is described on
+the <a href="http://developer.android.com/reference/java/security/KeyStore.html">Android Developer site</a>.</p>
+
+<p>The purpose of the <code>libkeymaster</code> library is not to implement the
+security-sensitive algorithms but only to
+marshal and unmarshal requests to the secure world. The wire format is
+implementation-defined.</p>
+
+<h2 id=compatibility_with_previous_versions>Compatibility with previous versions</h2>
+
+<p>The Keymaster v1.0 API is completely incompatible with the previously-released
+APIs, e.g. Keymaster v0.2 and v0.3.
+To facilitate interoperability on pre-Marshmallow devices that launched
+with the older Keymaster APIs, Keystore provides an adapter that provides
+the 1.0 API implemented with calls to the existing hardware library. The result
+cannot provide the full range of functionality in the
+1.0 API. In particular, it will only support RSA and ECDSA algorithms, and all
+of the key authorization enforcement will be performed by the adapter, in the
+non-secure world.</p>
diff --git a/src/devices/tech/security/authentication/km-features.jd b/src/devices/tech/security/authentication/km-features.jd
new file mode 100644
index 0000000..2b469c9
--- /dev/null
+++ b/src/devices/tech/security/authentication/km-features.jd
@@ -0,0 +1,412 @@
+page.title=Features
+@jd:body
+
+<!--
+ Copyright 2015 The Android Open Source Project
+
+ Licensed under the Apache License, Version 2.0 (the "License");
+ you may not use this file except in compliance with the License.
+ You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+ Unless required by applicable law or agreed to in writing, software
+ distributed under the License is distributed on an "AS IS" BASIS,
+ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ See the License for the specific language governing permissions and
+ limitations under the License.
+-->
+<div id="qv-wrapper">
+ <div id="qv">
+ <h2>In this document</h2>
+ <ol id="auto-toc">
+ </ol>
+ </div>
+</div>
+
+<p>This page contains information about the features of <a href="keymaster.html">Keymaster</a> 1.0.</p>
+
+<h2 id=cryptographic_primitives>Cryptographic primitives</h2>
+
+<p>The <code>libkeymaster</code> library and Keymaster provide the following categories of operations:</p>
+
+<ul>
+ <li>Key generation
+ <li>Import and export of asymmetric keys (no key wrapping)
+ <li>Import of raw symmetric keys (again, no wrapping)
+ <li>Asymmetric encryption and decryption with appropriate padding modes
+ <li>Asymmetric signing and verification with digesting and appropriate padding
+modes
+ <li>Symmetric encryption and decryption in appropriate modes, including an AEAD
+mode
+ <li>Generation and verification of symmetric message authentication codes
+</ul>
+
+<p>Within each category, <code>libkeymaster</code> provides a mechanism for
+discovering the available options (algorithms,
+modes, etc.). But we also specify at least one required option, to ensure that
+client software can depend on the presence of the required primitives.</p>
+
+<p>Protocol elements, such as purpose, mode and padding, as well
+as <a href="#key_access_control">access control constraints</a>,
+must be specified when keys are generated or imported and are permanently
+bound to the key, ensuring the key cannot be used in any other way.</p>
+
+<p>In addition to the list above, there is one more service that Keymaster
+implementations must provide but which is not exposed as an API: Random number
+generation. This is used internally for generation of keys, Initialization
+Vectors (IVs), random padding and other elements of secure protocols that
+require randomness.</p>
+
+<h2 id=required_primitives>Required primitives</h2>
+
+<p>All implementations must provide:</p>
+
+<ul>
+ <li><a href="http://en.wikipedia.org/wiki/RSA_(cryptosystem)">RSA</a>
+ <ul>
+ <li>2048, 3072 and 4096-bit key support are required
+ <li>Support for public exponent F4 (2^16+1)
+ <li>Required padding modes for RSA signing are:
+ <ul>
+ <li>No padding (deprecated, will be removed in the future)
+ <li>RSASSA-PSS (<code>KM_PAD_RSA_PSS</code>)
+ <li>RSASSA-PKCS1-v1_5 (<code>KM_PAD_RSA_PKCS1_1_5_SIGN</code>)
+ </ul>
+ <li>Required digest modes for RSA signing are:
+ <ul>
+ <li>No digest (deprecated, will be removed in the future)
+ <li>SHA-256
+ </ul>
+ <li>Required padding modes for RSA encryption/decryption are:
+ <ul>
+ <li>RSAES-OAEP (<code>KM_PAD_RSA_OAEP</code>)
+ <li>RSAES-PKCS1-v1_5 (<code>KM_PAD_RSA_PKCS1_1_5_ENCRYPT</code>)
+ </ul>
+ <li>Unpadded RSA encryption must not be supported
+ </ul>
+ <li><a href="http://en.wikipedia.org/wiki/Elliptic_Curve_DSA">ECDSA</a>
+ <ul>
+ <li>224, 256, 384 and 521-bit key support are required, using the NIST P-224,
+P-256, P-384 and P-521 curves, respectively
+ <li>Required digest modes for ECDSA are:
+ <ul>
+ <li>No digest (deprecated, will be removed in the future)
+ <li>SHA-256
+ </ul>
+ </ul>
+ <li><a href="http://en.wikipedia.org/wiki/Advanced_Encryption_Standard">AES</a>
+ <ul>
+ <li>128 and 256-bit keys are required
+ <li><a href="http://en.wikipedia.org/wiki/Block_cipher_mode_of_operation#Cipher-block_chaining_.28CBC.29">CBC</a>,
+ CTR, ECB and and GCM. The GCM implementation must not allow the use of tags
+smaller than 96 bits or nonce lengths other than 96 bits.
+ <li>Padding modes <code>KM_PAD_NONE</code> and <code>KM_PAD_PKCS7</code> must
+ be supported for CBC and ECB modes. With no padding, CBC or ECB mode
+encryption must fail if the input isn't a multiple of the block size.
+ </ul>
+ <li><a href="http://en.wikipedia.org/wiki/Hash-based_message_authentication_code">HMAC</a>
+ <a href="http://en.wikipedia.org/wiki/SHA-2">SHA-256</a>, with any key size up to at least 32 bytes.
+</ul>
+</ul>
+
+<p>SHA1 and the other members of the SHA2 family (SHA-224, SHA384 and SHA512) are
+strongly recommended, but not required. Keystore will provide them in software
+if the hardware Keymaster implementation doesn't provide them.</p>
+
+<p>Some primitives are also recommended for interoperability with other systems:</p>
+
+<ul>
+ <li>Smaller key sizes for RSA
+ <li>Arbitrary public exponents for RSA
+</ul>
+
+<h2 id=key_access_control>Key access control</h2>
+
+<p>Hardware-based keys that can never be extracted from the device don't provide
+much security if an attacker can use them at will (though they're more secure
+than keys which <em>can</em> be exfiltrated). Thus, it's crucial that Keymaster enforce access controls.</p>
+
+<p>Access controls are defined as an "authorization list" of tag/value pairs.
+Authorization tags are 32-bit integers and the values are a variety of types.
+Some tags may be repeated to specify multiple values. Whether a tag may be
+repeated is specified in the documentation for the tag. When a key is created,
+the caller specifies an authorization list. The Keymaster implementation will
+modify the list to specify some additional information, such as whether the key
+has rollback protection, and return a "final" authorization list, encoded into
+the returned key blob. Any attempt to use the key for any cryptographic
+operation must fail if the final authorization list is modified.</p>
+
+<p>The set of possible tags is defined in the enumeration <code>keymaster_authorization_tag_t</code> and
+the set must be permanently fixed (though it can be extended).
+Names are prefixed with <code>KM_TAG_</code>. The top
+four bits of tag IDs are used to indicate the type.</p>
+
+<p>Possible types include:</p>
+
+<p><strong><code>KM_ENUM</code>:</strong> Many tags' values are defined in enumerations. For example, the possible
+values of <code>KM_TAG_PURPOSE</code> are defined in enum <code>keymaster_purpose_t</code>.</p>
+
+<p><strong><code>KM_ENUM_REP</code></strong>: Same as <code>KM_ENUM</code>, except that the tag may
+be repeated in an authorization list. Repetition
+indicates multiple authorized values. For example, an encryption key will
+likely have <code>KM_PURPOSE_ENCRYPT</code> and <code>KM_PURPOSE_DECRYPT</code>.</p>
+
+<p><strong><code>KM_UINT</code>:</strong> 32-bit unsigned integers. Example: <code>KM_TAG_KEY_SIZE</code></p>
+
+<p><strong><code>KM_UINT_REP</code></strong>: Same as <code>KM_UINT</code>, except that the tag may be
+repeated in an authorization list. Repetition indicates multiple authorized values.</p>
+
+<p><strong><code>KM_ULONG</code></strong>: 64-bit unsigned integers. Example: <code>KM_TAG_RSA_PUBLIC_EXPONENT</code></p>
+
+<p><strong><code>KM_ULONG_REP</code></strong>: Same as <code>KM_ULONG</code>, except that the tag may be
+repeated in an authorization list. Repetition
+indicates multiple authorized values.</p>
+
+<p><strong><code>KM_DATE</code></strong>: Date/time values, expressed as milliseconds since January 1, 1970.
+Example: <code>KM_TAG_PRIVKEY_EXPIRE_DATETIME</code></p>
+
+<p><strong><code>KM_BOOL</code></strong>: True or false. A tag of type <code>KM_BOOL</code> is assumed
+to be "false" if the tag is not present and "true" if present. Example: <code>KM_TAG_ROLLBACK_RESISTANT</code></p>
+
+<p><strong><code>KM_BIGNUM</code></strong>: Arbitrary-length integers, expressed as a byte array
+in big-endian order. Example: <code>KM_TAG_RSA_PUBLIC_EXPONENT</code></p>
+
+<p><strong><code>KM_BYTES</code></strong>: A sequence of bytes. Example: <code>KM_TAG_ROOT_OF_TRUST</code></p>
+
+<h3 id=hardware_vs_software_enforcement>Hardware vs. software enforcement</h3>
+
+<p>Not all Keymaster implementations will implement the same features. To support
+a variety of approaches, Keymaster 1.0 distinguishes between secure and
+non-secure world access control enforcement, which we call hardware and
+software enforcement, respectively.</p>
+
+<p>Implementations are required to:</p>
+
+<ul>
+ <li>Enforce exact matching (not enforcement) of all authorizations. Authorization
+lists in key blobs must exactly match the authorizations returned during key
+generation, including ordering. Any mismatch must cause an error diagnostic.
+ <li>Declare the authorizations whose semantic values are enforced.
+</ul>
+
+<p>The API mechanism for declaring hardware-enforced authorizations is in
+the <code>keymaster_key_characteristics_t</code> structure. It divides the authorization
+list into two sub-lists, <code>hw_enforced</code> and <code>sw_enforced</code>. The
+Keymaster implementation is responsible for placing the appropriate
+values in each, based on what it can enforce.</p>
+
+<p>In addition, the keystore daemon will implement software-based enforcement of <em>all</em> authorizations,
+whether they're enforced in hardware or not.</p>
+
+<p>For example, consider a TrustZone-based implementation that does not support
+key expiration. A key with an expiration date may still be created. That key's
+authorization list will include the tag <code>KM_TAG_ORIGINATION_EXPIRE_DATETIME</code> with
+the expiration date. A request to Keymaster for the key characteristics
+will find this tag in the <code>sw_enforced</code> list and the Keymaster implementation will
+not enforce the expiration
+requirement. However, attempts to use the key after expiration will be rejected
+by the keystore daemon.</p>
+
+<p>If the device is then upgraded with a Keymaster implementation that does
+support expiration, then a request for key characteristics will
+find <code>KM_TAG_ORIGINATION_EXPIRE_DATETIME</code> in
+the <code>hw_enforced</code> list, and attempts to use the key after expiration will fail even if the
+keystore is somehow subverted or bypassed.</p>
+
+<h3 id=cryptographic_message_construction_authorizations>Cryptographic message construction authorizations</h3>
+
+<p>The following tags are used to define the cryptographic characteristics of
+operations using the associated key: <code>KM_TAG_ALGORITHM</code>, <code>KM_TAG_KEY_SIZE</code>,
+<code>KM_TAG_BLOCK_MODE</code>, <code>KM_TAG_PADDING</code>, <code>KM_TAG_CALLER_NONCE</code>, and <code>KM_TAG_DIGEST</code></p>
+
+<p><code>KM_TAG_PADDING</code>, <code>KM_TAG_DIGEST</code>, and <code>KM_PAD_BLOCK_MODE</code>
+are repeatable, meaning that multiple values may be associated with a single
+key, and the value to be used will be specified at operation time.</p>
+
+<h3 id=purpose>Purpose</h3>
+
+<p>Keys have an associated set of purposes, expressed as one or more authorization
+entries with tag <code>KM_TAG_PURPOSE</code>, which defines how they can be used. The purposes are:</p>
+
+<ul>
+ <li><code>KM_PURPOSE_ENCRYPT</code>
+ <li><code>KM_PURPOSE_DECRYPT</code>
+ <li><code>KM_PURPOSE_SIGN</code>
+ <li><code>KM_PURPOSE_VERIFY</code>
+</ul>
+
+<p>Any key can have any subset of these purposes. Note that some combinations
+create security problems. For example, an RSA key that can be used to both
+encrypt and to sign allows an attacker who can convince the system to decrypt
+arbitrary data to generate signatures.</p>
+
+<p>Other purposes for keys that may be added in the future include:</p>
+
+<ul>
+ <li>"Derive Key" purpose, for key derivation keys
+ <li>"Attest" purpose, for keys that can generate attestations of the Keymaster
+implementation and/or its environment
+ <li>"Wrap Key" purpose, for keys used to wrap keys for secure import or export
+</ul>
+
+<h3 id=import_and_export>Import and export</h3>
+
+<p>Keymaster supports export of public keys only, in X.509 format, and import of:</p>
+
+<ul>
+ <li>Public and private key pairs in DER-encoded PKCS#8 format, without
+password-based encryption, and
+ <li>Symmetric keys as raw bytes
+</ul>
+
+<p>Future versions will likely expand the import/export options.</p>
+
+<p>To ensure that imported keys can be distinguished from securely-generated
+keys, <code>KM_TAG_ORIGIN</code> is included in the appropriate key
+authorization list. For example, if a key
+was generated in secure hardware, <code>KM_TAG_ORIGIN</code> with
+value <code>KM_ORIGIN_GENERATED</code> will be found in
+the <code>hw_enforced</code> list of the key characteristics, while a key
+that was imported into secure
+hardware will have the value <code>KM_ORIGIN_IMPORTED</code>.</p>
+
+<h3 id=user_authentication>User authentication</h3>
+
+<p>Keymaster does not implement user authentication, but depends on other trusted
+apps which do. For the interface that must be implemented by these apps, see
+the Gatekeeper page.</p>
+
+<p>User authentication requirements are specified via two sets of tags. The first
+set indicate which user can use the key:</p>
+
+<ul>
+ <li><code>KM_TAG_ALL_USERS</code> indicates the key is usable by all users. If
+ present, <code>KM_TAG_USER_ID</code> and <code>KM_TAG_SECURE_USER_ID</code> must not be present.
+ <li><code>KM_TAG_USER_ID</code> has a numeric value specifying the ID of the authorized user.
+ Note that this
+is the Android user ID (for multi-user), not the application UID, and it is
+enforced by non-secure software only. If present, <code>KM_TAG_ALL_USERS</code> must not be present.
+ <li><code>KM_TAG_SECURE_USER_ID</code> has a 64-bit numeric value specifying the secure user ID
+ that must be provided
+in a secure authentication token to unlock use of the key. If repeated, the key
+may be used if any of the values is provided in a secure authentication token.
+</ul>
+
+<p>The second set indicate whether and when the user must be authenticated. If
+neither of these tags is present, but <code>KM_TAG_SECURE_USER_ID</code> is, authentication is
+required for every use of the key.</p>
+
+<ul>
+ <li><code>KM_NO_AUTHENTICATION_REQUIRED</code> indicates no user authentication is required, though
+ the key still may only be
+used by apps running as the user(s) specified by <code>KM_TAG_USER_ID</code>.
+ <li><code>KM_TAG_AUTH_TIMEOUT</code> is a numeric value specifying, in seconds, how fresh the user
+ authentication
+must be to authorize key usage. This applies only to private/secret key
+operations. Public key operations don't require authentication. Timeouts do not
+cross reboots; after a reboot, all keys are "never authenticated." The timeout
+may be set to a large value to indicate that authentication is required once
+per boot (2^32 seconds is ~136 years; presumably Android devices are rebooted
+more often than that).
+</ul>
+
+<h3 id=client_binding>Client binding</h3>
+
+<p>Client binding, the association of a key with a particular client application,
+is done via an optional client ID and some optional client data (<code>KM_TAG_APPLICATION_ID</code>
+and <code>KM_TAG_APPLICATION_DATA</code>, respectively). Keymaster treats these values as opaque blobs,
+only ensuring
+that the same blobs presented during key generation/import are presented for
+every use and are byte-for-byte identical. The client binding data is not
+returned by Keymaster. The caller must know it in order to use the key.</p>
+
+<h3 id=expiration>Expiration</h3>
+
+<p>Keymaster supports restricting key usage by date. Key start of validity and key
+expirations can be associated with a key and Keymaster will refuse to perform
+key operations if the current date/time is outside of the valid range. The key
+validity range is specified with the tags <code>KM_TAG_ACTIVE_DATETIME</code>,
+<code>KM_TAG_ORIGINATION_EXPIRE_DATETIME</code>, and <code>KM_TAG_USAGE_EXPIRE_DATETIME</code>.
+The distinction between "origination" and "usage" is based on whether the key
+is being used to "originate" a new ciphertext/signature/etc., or to "use" an
+existing ciphertext/signature/etc.</p>
+
+<p>The <code>KM_TAG_ACTIVE_DATETIME</code>, <code>KM_TAG_ORIGINATION_EXPIRE_DATETIME</code>,
+and <code>KM_TAG_USAGE_EXPIRE_DATETIME</code> tags are optional. If the tags are absent, it is
+assumed that the key in
+question can always be used to decrypt/verify messages.</p>
+
+<p>Because wall-clock time is provided by the non-secure world, it's unlikely that
+the expiration-related tags will be in the hardware-enforced list. Hardware
+enforcement of expiry would require that the secure world somehow obtain
+trusted time and data, for example via a challenge response protocol with a
+trusted remote timeserver.</p>
+
+<h3 id=root_of_trust_binding>Root of trust binding</h3>
+
+<p>Keymaster allows keys to be bound to a root of trust, which is a bitstring
+provided to Keymaster during startup, preferably by the bootloader. If
+provided, this bitstring must be cryptographically bound to every key managed
+by Keymaster.</p>
+
+<p>The intent is for the bootloader to pass in the public key, used to verify the
+signature on the boot image, along with the verified boot state (locked or
+unlocked). If the public key is changed to allow a different system image to be
+used or if the verified boot state is changed, then none of the
+Keymaster-protected keys created by the previous system will be usable, unless
+the previous root of trust is restored and a system that is signed by that key
+is booted. The goal is to increase the value of the software-enforced key
+access controls by making it imposSTEM</code>sible for an attacker-installed operating
+system to use Keymaster keys.</p>
+
+<h3 id=standalone_keys>Standalone keys</h3>
+
+<p>Some Keymaster implementations may choose to store key material internally and
+return handles rather than encrypted key material. Or there may be other cases
+in which keys cannot be used until some other non-secure or secure world system
+component is available. The Keymaster 1.0 API allows the caller to request that
+a key be "standalone," via the <code>KM_TAG_STANDALONE</code> tag,
+meaning that no resources other than the blob and the running Keymaster
+system are required. The tags associated with a key may be inspected to see
+whether a key is standalone. At present, only two values are defined:</p>
+
+<ul>
+ <li><code>KM_BLOB_STANDALONE</code>
+ <li><code>KM_BLOB_REQUIRES_FILE_SYSTEM</code>
+</ul>
+
+<h3 id=velocity>Velocity</h3>
+
+<p>When it's created, the maximum usage velocity can be specified
+with <code>KM_TAG_MIN_SECONDS_BETWEEN_OPS</code>.
+TrustZone implementations will refuse to perform cryptographic operations
+with that key if an operation was performed less
+than <code>KM_TAG_MIN_SECONDS_BETWEEN_OPS</code> seconds earlier.</p>
+
+<p>The simple approach to implementing velocity limits is a table of key IDs and
+last-use timestamps. This table will likely be of limited size, but must
+accommodate at least 16 entries. In the event that the table is full and no
+entries may be updated or discarded, Keymaster implementations must "fail
+safe," preferring to refuse all velocity-limited key operations until one of
+the entries expires. It is acceptable for all entries to expire upon reboot.</p>
+
+<p>Keys can also be limited to <em>n</em> uses per boot with <code>KM_TAG_USES_PER_BOOT</code>.
+This also requires a tracking table, which must accommodate at least four
+keys, and must also fail safe. Note that applications will be unable to create
+per-boot limited keys. This feature will not be exposed through keystore and
+will be reserved for system operations.</p>
+
+<h3 id=random_number_generator_re-seeding>Random number generator re-seeding</h3>
+
+<p>Because Keymaster must generate random numbers for key material and
+Initialization Vectors (IVs), and because hardware random number generators may
+not always be fully trustworthy, Keymaster provides an interface to allow the
+client to provide additional entropy which will be mixed into the random
+numbers generated.</p>
+
+<p>A hardware random-number generator should be used as the primary seed source,
+if available, and the seed data provided through the external API must not be
+the sole source of randomness used for number generation. Further, the mixing
+operation used must ensure that the random output is unpredictable if any one
+of the seed sources is unpredictable.</p>
diff --git a/src/devices/tech/security/authentication/km-implementer-ref.jd b/src/devices/tech/security/authentication/km-implementer-ref.jd
new file mode 100644
index 0000000..9c8c619
--- /dev/null
+++ b/src/devices/tech/security/authentication/km-implementer-ref.jd
@@ -0,0 +1,1229 @@
+page.title=Implementer's Reference
+@jd:body
+
+<!--
+ Copyright 2015 The Android Open Source Project
+
+ Licensed under the Apache License, Version 2.0 (the "License");
+ you may not use this file except in compliance with the License.
+ You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+ Unless required by applicable law or agreed to in writing, software
+ distributed under the License is distributed on an "AS IS" BASIS,
+ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ See the License for the specific language governing permissions and
+ limitations under the License.
+-->
+
+<p>This page provides details to assist implementers of <a href="keymaster.html">Keymaster</a> HALs. It
+covers each tag and each function in the API.</p>
+
+<h2 id=authorization_tags>Authorization tags</h2>
+
+<p>Except as noted in the tag descriptions, all of the tags below are used during
+key generation to specify key characteristics.</p>
+
+<h3 id=km_tag_purpose>KM_TAG_PURPOSE</h3>
+
+<p>Specifies the set of purposes for which the key may be used.</p>
+
+<p>Possible values are defined by the following enumeration:</p>
+
+<pre>
+typedef enum {
+ KM_PURPOSE_ENCRYPT = 0,
+ KM_PURPOSE_DECRYPT = 1,
+ KM_PURPOSE_SIGN = 2,
+ KM_PURPOSE_VERIFY = 3,
+} keymaster_purpose_t;
+</pre>
+
+<p>This tag is repeatable; keys may be generated with multiple values, although an
+operation has a single purpose. When the <a href="#begin">begin</a> function is called to
+start an operation, the purpose of the operation is
+specified. If the purpose specified to the operation is not authorized by the
+key, the operation must fail with <code>KM_ERROR_INCOMPATIBLE_PURPOSE</code>.</p>
+
+<h3 id=km_tag_algorithm>KM_TAG_ALGORITHM</h3>
+
+<p>Specifies the cryptographic algorithm with which the key is used.</p>
+
+<p>Possible values are defined by the following enumeration:</p>
+
+<pre>
+typedef enum {
+ KM_ALGORITHM_RSA = 1,
+ KM_ALGORITHM_EC = 3,
+ KM_ALGORITHM_AES = 32,
+ KM_ALGORITHM_HMAC = 128,
+} keymaster_algorithm_t;
+</pre>
+
+<p>This tag is not repeatable.</p>
+
+<h3 id=km_tag_key_size>KM_TAG_KEY_SIZE</h3>
+
+<p>Specifies the size, in bits, of the key, measuring in the normal way for the
+key's algorithm. For example, for RSA keys, <code>KM_TAG_KEY_SIZE</code> specifies
+the size of the public modulus. For AES keys it specifies the length
+of the secret key material.</p>
+
+<p>This tag is not repeatable.</p>
+
+<h3 id=km_tag_block_mode>KM_TAG_BLOCK_MODE</h3>
+
+<p>Specifies the block cipher mode(s) with which the key may be used. This tag is
+only relevant to AES keys.</p>
+
+<p>Possible values are defined by the following enumeration:</p>
+
+<pre>
+typedef enum {
+ KM_MODE_ECB = 1,
+ KM_MODE_CBC = 2,
+ KM_MODE_CTR = 3,
+ KM_MODE_GCM = 32,
+} keymaster_block_mode_t;
+</pre>
+
+<p>This tag is repeatable, and for AES key operations a mode must be specified in
+the <code>additional_params</code> argument of <a href="#begin">begin</a>. If the specified
+mode is not in the modes associated with the key, the
+operation must fail with <code>KM_ERROR_INCOMPATIBLE_BLOCK_MODE</code>.</p>
+
+<h3 id=km_tag_digest>KM_TAG_DIGEST</h3>
+
+<p>Specifies the digest algorithms which may be used with the key to perform
+signing and verification operations. This tag is relevant to RSA, ECDSA and
+HMAC keys.</p>
+
+<p>Possible values are defined by the following enumeration:</p>
+
+<pre>
+typedef enum {
+ KM_DIGEST_NONE = 0,
+ KM_DIGEST_MD5 = 1,
+ KM_DIGEST_SHA1 = 2,
+ KM_DIGEST_SHA_2_224 = 3,
+ KM_DIGEST_SHA_2_256 = 4,
+ KM_DIGEST_SHA_2_384 = 5,
+ KM_DIGEST_SHA_2_512 = 6,
+}
+keymaster_digest_t;
+</pre>
+
+<p>This tag is repeatable. For signing and verification operations a digest must
+be specified in the <code>additional_params</code> argument of <a href="#begin">begin</a>.
+If the specified digest is not in the digests associated with the key, the
+operation must fail with <code>KM_ERROR_INCOMPATIBLE_DIGEST</code>.</p>
+
+<h3 id=km_tag_padding>KM_TAG_PADDING</h3>
+
+<p>Specifies the padding modes which may be used with the key. This tag is
+relevant to RSA and AES keys.</p>
+
+<p>Possible values are defined by the following enumeration:</p>
+
+<pre>
+typedef enum {
+ KM_PAD_NONE = 1,
+ KM_PAD_RSA_OAEP = 2,
+ KM_PAD_RSA_PSS = 3,
+ KM_PAD_RSA_PKCS1_1_5_ENCRYPT = 4,
+ KM_PAD_RSA_PKCS1_1_5_SIGN = 5,
+ KM_PAD_PKCS7 = 64,
+} keymaster_padding_t;
+</pre>
+
+<p><code>KM_PAD_RSA_OAEP</code> and <code>KM_PAD_RSA_PKCS1_1_5_ENCRYPT</code> are used
+only for RSA encryption/decryption keys and specify RSA PKCS#1v2 OAEP
+padding and RSA PKCS#1 v1.5 randomized padding, respectively. <code>KM_PAD_RSA_PSS</code> and
+<code>KM_PAD_RSA_PKCS1_1_5_SIGN</code> are used only for RSA signing/verification keys and
+specify RSA PKCS#1v2 PSS
+padding and RSA PKCS#1 v1.5 deterministic padding, respectively. Note also that
+the RSA PSS padding mode is incompatible with <a href="#km_tag_digest">KM_DIGEST_NONE</a>.</p>
+
+<p><code>KM_PAD_NONE</code> may be used with either RSA or AES keys. For AES keys,
+if <code>KM_PAD_NONE</code> is used with block mode ECB or CBC and the data to be encrypted
+or decrypted
+is not a multiple of the AES block size in length, the call to finish must fail
+with <code>KM_ERROR_INVALID_INPUT_LENGTH</code>.</p>
+
+<p><code>KM_PAD_PKCS7</code> may only be used with AES keys, and only with ECB and CBC modes.</p>
+
+<p>This tag is repeatable. A padding mode must be specified in the call to
+<a href="#begin">begin</a>. If the specified mode is not authorized for the key,
+the operation must fail
+with <code>KM_ERROR_INCOMPATIBLE_BLOCK_MODE</code>.</p>
+
+<h3 id=km_tag_caller_nonce>KM_TAG_CALLER_NONCE</h3>
+
+<p>Specifies that the caller is allowed to provide a nonce for nonce-requiring
+operations.</p>
+
+<p>This tag is boolean, so the possible values are true (if the tag is present)
+and false (if the tag is not present).</p>
+
+<p>This tag is used only for AES keys, and is only relevant for CBC, CTR and GCM
+block modes. If the tag is not present, implementations should reject any
+operation which provides <a href="#km_tag_nonce">KM_TAG_NONCE</a> to <a href="#begin">begin</a>
+with <code>KM_ERROR_CALLER_NONCE_PROHIBITED</code>.</p>
+
+<p>This tag is not repeatable.</p>
+
+<h3 id=km_tag_min_mac_length>KM_TAG_MIN_MAC_LENGTH</h3>
+
+<p>Required for HMAC keys and AES keys that support GCM mode, this tag specifies
+the minimum length of MAC that can be requested or verified with this key.</p>
+
+<p>This value is the minimum MAC length, in bits. It must be a multiple of 8. For
+HMAC keys, the value must be at least 64. For GCM keys it must be at least 96
+and must not exceed 128.</p>
+
+<h3 id=km_tag_rsa_public_exponent>KM_TAG_RSA_PUBLIC_EXPONENT</h3>
+
+<p>Specifies the value of the public exponent for an RSA key pair. This tag is
+relevant only to RSA keys, and required for all RSA keys.</p>
+
+<p>The value is a 64-bit unsigned integer that must satisfy the requirements of an
+RSA public exponent. Because it is specified by the caller and therefore cannot
+be chosen by the implementation, it must be a prime number. Trustlets are
+required to support the value 2^16+1. It is recommended that other reasonable
+values be supported, in particular the value 3. If no exponent is specified or
+if the specified exponent is not supported, key generation must fail
+with <code>KM_ERROR_INVALID_ARGUMENT</code>.</p>
+
+<p>This tag is not repeatable.</p>
+
+<h3 id=km_tag_blob_usage_requirements>KM_TAG_BLOB_USAGE_REQUIREMENTS</h3>
+
+<p>Specifies the system environment conditions which must hold for the generated
+key to be used.</p>
+
+<p>Possible values are defined by the following enumeration:</p>
+
+<pre>
+typedef enum {
+ KM_BLOB_STANDALONE = 0,
+ KM_BLOB_REQUIRES_FILE_SYSTEM = 1,
+} keymaster_key_blob_usage_requirements_t;
+</pre>
+
+<p>This tag may be specified during key generation to require that the key be
+usable in the specified condition, and must be returned with the key
+characteristics (from <a href="#generate_key">generate_key</a> and
+<a href="#get_key_characteristics">get_key_characteristics</a>). If
+the caller specifies <code>KM_TAG_BLOB_USAGE_REQUIREMENTS</code> with
+value <code>KM_BLOB_STANDALONE</code> the trustlet must return a key blob
+which can be used without file system
+support. This is critical for devices with encrypted disks, where the file
+system may not be available until after a Keymaster key is used to decrypt the
+disk.</p>
+
+<p>This tag is not repeatable.</p>
+
+<h3 id=km_tag_bootloader_only>KM_TAG_BOOTLOADER_ONLY</h3>
+
+<p>Specifies that the key may only be used by the bootloader.</p>
+
+<p>This tag is boolean, so the possible values are true (if the tag is present)
+and false (if the tag is not present).</p>
+
+<p>Any attempt to use a key with <code>KM_TAG_BOOTLOADER_ONLY</code> from the
+Android system must fail with <code>KM_ERROR_INVALID_KEY_BLOB</code>.</p>
+
+<p>This tag is not repeatable.</p>
+
+<h3 id=km_tag_active_datetime>KM_TAG_ACTIVE_DATETIME</h3>
+
+<p>Specifies the date and time at which the key becomes active. Prior to this
+time, any attempt to use the key must fail with <code>KM_ERROR_KEY_NOT_YET_VALID</code>.</p>
+
+<p>The value is a 64-bit integer representing milliseconds since January 1, 1970.</p>
+
+<p>This tag is not repeatable.</p>
+
+<h3 id=km_tag_origination_expire_datetime>KM_TAG_ORIGINATION_EXPIRE_DATETIME</h3>
+
+<p>Specifies the date and time at which the key expires for signing and encryption
+purposes. After this time, any attempt to use a key
+with <a href="#km_tag_purpose">KM_PURPOSE_SIGN</a> or
+<a href="#km_tag_purpose">KM_PURPOSE_ENCRYPT</a> provided
+to <a href="#begin">begin</a> must fail with <code>KM_ERROR_KEY_EXPIRED</code>.</p>
+
+<p>The value is a 64-bit integer representing milliseconds since January 1, 1970.</p>
+
+<p>This tag is not repeatable.</p>
+
+<h3 id=km_tag_usage_expire_datetime>KM_TAG_USAGE_EXPIRE_DATETIME</h3>
+
+<p>Specifies the date and time at which the key expires for verification and
+decryption purposes. After this time, any attempt to use a key with
+<a href="#km_tag_purpose">KM_PURPOSE_VERIFY</a> or <a href="#km_tag_purpose">KM_PURPOSE DECRYPT</a>
+provided to <a href="#begin">begin</a> must fail with <code>KM_ERROR_KEY_EXPIRED</code>.</p>
+
+<p>The value is a 64-bit integer representing milliseconds since January 1, 1970.</p>
+
+<p>This tag is not repeatable.</p>
+
+<h3 id=km_tag_min_seconds_between_ops>KM_TAG_MIN_SECONDS_BETWEEN_OPS</h3>
+
+<p>Specifies the minimum amount of time that must elapse between allowed
+operations using a key. This can be used to rate-limit uses of keys in contexts
+where unlimited use may enable brute force attacks.</p>
+
+<p>The value is a 32-bit integer representing seconds between allowed operations.</p>
+
+<p>When a key with this tag is used in an operation, a timer should be started
+during the <a href="#finish">finish</a> or <a href="#abort">abort</a> call. Any
+call to <a href="#begin">begin</a> that is received before the timer indicates
+that the interval specified by <code>KM_TAG_MIN_SECONDS_BETWEEN_OPS</code> has
+elapsed must fail with <code>KM_ERROR_KEY_RATE_LIMIT_EXCEEDED</code>. This
+requirement implies that a trustlet must keep a table of timers for keys
+with this tag. Because Keymaster memory is often limited, it is acceptable for
+this table to have a fixed maximum size and for Keymaster to fail operations
+which attempt to use keys with this tag when the table is full. At least 32
+in-use keys must be accommodated, and table slots must be aggressively reused
+when key minimum-usage intervals expire. If an operation fails because the
+table is full, Keymaster should return <code>KM_ERROR_TOO_MANY_OPERATIONS</code>.</p>
+
+<p>This tag is not repeatable.</p>
+
+<h3 id=km_tag_max_uses_per_boot>KM_TAG_MAX_USES_PER_BOOT</h3>
+
+<p>Specifies the maximum number of times that a key may be used between system
+reboots. This is another mechanism to rate-limit key use.</p>
+
+<p>The value is a 32-bit integer representing uses per boot.</p>
+
+<p>When a key with this tag is used in an operation, a key-associated counter
+should be incremented during the <a href="#begin">begin</a> call. After the key counter
+has exceeded this value, all subsequent attempts
+to use the key must fail with <code>KM_ERROR_MAX_OPS_EXCEEDED</code>, until the device is
+restarted. This requirement implies that a trustlet must
+keep a table of use counters for keys with this tag. Because Keymaster memory
+is often limited, it is acceptable for this table to have a fixed maximum size
+and for Keymaster to fail operations that attempt to use keys with this tag
+when the table is full. At least 16 keys must be accommodated. If an operation
+fails because the table is full, Keymaster should return <code>KM_ERROR_TOO_MANY_OPERATIONS</code>.</p>
+
+<p>This tag is not repeatable.</p>
+
+<h3 id=km_tag_user_secure_id>KM_TAG_USER_SECURE_ID</h3>
+
+<p>Specifies that a key may only be used under a particular secure user
+authentication state. This tag is mutually exclusive
+with <a href="#km_tag_no_auth_required">KM_TAG_NO_AUTH_REQUIRED</a>.</p>
+
+<p>The value is a 64-bit integer specifying the authentication policy state value
+which must be present in an authentication token (provided to <a href="#begin">begin</a> with
+the <a href="#km_tag_auth_token">KM_TAG_AUTH_TOKEN</a>) to authorize use of the key. Any
+call to <a href="#begin">begin</a> with a key with this tag that does not provide an
+authentication token, or provides an
+authentication token without a matching policy state value, must fail.</p>
+
+<p>This tag is repeatable. If any of the provided values matches any policy state
+value in the authentication token, the key is authorized for use. Otherwise the operation
+must fail with <code>KM_ERROR_KEY_USER_NOT_AUTHENTICATED</code>.</p>
+
+<h3 id=km_tag_no_auth_required>KM_TAG_NO_AUTH_REQUIRED</h3>
+
+<p>Specifies that no authentication is required to use this key. This tag is
+mutually exclusive with <a href="#km_tag_user_secure_id">KM_TAG_USER_SECURE_ID</a>.</p>
+
+<p>This tag is boolean, so the possible values are true (if the tag is present)
+and false (if the tag is not present).</p>
+
+<p>This tag is not repeatable.</p>
+
+<h3 id=km_tag_user_auth_type>KM_TAG_USER_AUTH_TYPE</h3>
+
+<p>Specifies the types of user authenticators that may be used to authorize this
+key.</p>
+
+<p>The value is a 32-bit integer bitmask of values from the enumeration:</p>
+
+<pre>
+typedef enum {
+ HW_AUTH_NONE = 0,
+ HW_AUTH_PASSWORD = 1 << 0,
+ HW_AUTH_FINGERPRINT = 1 << 1,
+ // Additional entries should be powers of 2.
+ HW_AUTH_ANY = UINT32_MAX,
+} hw_authenticator_type_t;
+</pre>
+
+<p>This tag is not repeatable.</p>
+
+<h3 id=km_tag_auth_timeout>KM_TAG_AUTH_TIMEOUT</h3>
+
+<p>Specifies the time in seconds for which the key is authorized for use, after
+authentication. If <a href="#km_tag_user_secure_id">KM_TAG_USER_SECURE_ID</a> is present and this tag
+is not, then the key requires authentication for every
+usage (see <a href="#begin">begin</a> for the details of the authentication-per-operation flow).</p>
+
+<p>The value is a 32-bit integer specifying the time in seconds after a successful
+authentication of the user specified by <a href="#km_tag_user_secure_id">KM_TAG_USER_SECURE_ID</a> with
+the authentication method specified
+by <a href="#km_tag_mac_length">KM_TAG_USER_AUTH_TYPE</a> that the key can be used.</p>
+
+<p>This tag is not repeatable.</p>
+
+<h3 id=km_tag_all_applications>KM_TAG_ALL_APPLICATIONS</h3>
+
+<p>Reserved for future use.</p>
+
+<p>This tag is not repeatable.</p>
+
+<h3 id=km_tag_application_id>KM_TAG_APPLICATION_ID</h3>
+
+<p>When provided to <a href="#generate_key">generate_key</a> or <a href="#import_key">import_key</a>,
+this tag specifies data that must be provided during all uses of the key. In
+particular, calls to <a href="#export_key">export_key</a> and
+<a href="#get_key_characteristics">get_key_characteristics</a> must
+provide the same value in the <code>client_id</code> parameter, and
+calls to <a href="#begin">begin</a> must provide this tag and the
+same associated data as part of the <code>in_params</code> set. If the correct
+data is not provided the function must return <code>KM_ERROR_INVALID_KEY_BLOB</code>.</p>
+
+<p>The value is a blob, an arbitrary-length array of bytes.</p>
+
+<p>This tag is not repeatable.</p>
+
+<h3 id=km_tag_application_data>KM_TAG_APPLICATION_DATA</h3>
+
+<p>When provided to <a href="#generate_key">generate_key</a> or <a href="#import_key">import_key</a>,
+this tag specifies data that must be provided during all uses of the key. In
+particular, calls to <a href="#export_key">export_key</a> and
+<a href="#get_key_characteristics">get_key_characteristics</a> must
+provide the same value to the <code>client_id</code> parameter, and calls
+to <a href="#begin">begin</a> must provide this tag and the same associated
+data as part of the <code>in_params</code> set. If the correct data is not
+provided, the function must return <code>KM_ERROR_INVALID_KEY_BLOB</code>.</p>
+
+<p>This tag is not repeatable.</p>
+
+<h3 id=km_tag_creation_datetime>KM_TAG_CREATION_DATETIME</h3>
+
+<p>Specifies the date and time the key was created, in milliseconds since January
+1, 1970. This tag is optional and informational only.</p>
+
+<p>This tag is not repeatable.</p>
+
+<h3 id=km_tag_origin>KM_TAG_ORIGIN</h3>
+
+<p>Specifies where the key was created, if known. This tag may not be specified
+during key generation or import, and must be added to the key characteristics
+by the trustlet.</p>
+
+<p>The possible values are defined in <code>keymaster_origin_t</code>:</p>
+
+<pre>
+typedef enum {
+ KM_ORIGIN_GENERATED = 0,
+ KM_ORIGIN_IMPORTED = 2,
+ KM_ORIGIN_UNKNOWN = 3,
+} keymaster_key_origin_t
+</pre>
+
+<p>The full meaning of the value depends not only on the value but on whether it's
+found in the hardware-enforced or software-enforced characteristics list.</p>
+
+<p><code>KM_ORIGIN_GENERATED</code> indicates that Keymaster generated the key.
+If in the hardware-enforced list,
+the key was generated in secure hardware and is permanently hardware-bound. If
+in the software-enforced list, the key was generated in SoftKeymaster and is
+not hardware-bound.</p>
+
+<p><code>KM_ORIGIN_IMPORTED</code> indicates that the key was generated outside
+of Keymaster and imported into
+Keymaster. If in the hardware-enforced list, it is permanently hardware-bound,
+although copies outside of secure hardware may exist. If in the
+software-enforces list, the key was imported into SoftKeymaster and is not
+hardware-bound.</p>
+
+<p><code>KM_ORIGIN_UNKNOWN</code> should only appear in the hardware-enforced list.
+It indicates that the key is
+hardware-bound, but it is not known whether the key was originally generated in
+secure hardware or was imported. This only occurs when keymaster0 hardware is
+being used to emulate keymaster1 services.</p>
+
+<p>This tag is not repeatable.</p>
+
+<h3 id=km_tag_rollback_resistant>KM_TAG_ROLLBACK_RESISTANT</h3>
+
+<p>Indicates that the key is rollback-resistant, meaning that when deleted
+by <a href="#delete_key">delete_key</a> or <a href="#delete_all_keys">delete_all_keys</a>,
+the key is guaranteed to be permanently deleted and unusable. It's possible
+that keys without this tag could be deleted and then restored from backup.</p>
+
+<p>This tag is boolean, so the possible values are true (if the tag is present)
+and false (if the tag is not present).</p>
+
+<p>This tag is not repeatable.</p>
+
+<h3 id=km_tag_root_of_trust>KM_TAG_ROOT_OF_TRUST</h3>
+
+<p>Specifies the "root of trust," the key used by verified boot to validate the
+operating system booted (if any). This tag is never provided to or returned
+from Keymaster in the key characteristics.</p>
+
+<h3 id=km_tag_associated_data>KM_TAG_ASSOCIATED_DATA</h3>
+
+<p>Provides "associated data" for AES-GCM encryption or decryption. This tag is
+provided to <a href="#update">update</a> and specifies data that is not
+encrypted/decrypted but is used in computing
+the GCM tag.</p>
+
+<p>The value is a blob, an arbitrary-length array of bytes.</p>
+
+<p>This tag is not repeatable.</p>
+
+<h3 id=km_tag_nonce>KM_TAG_NONCE</h3>
+
+<p>Provides or returns a nonce or Initialization Vector (IV) for AES GCM, CBC or
+CTR encryption or decryption. This tag is provided to <a href="#begin">begin</a>
+during encryption and decryption operations. It may only be provided to <a href="#begin">begin</a>
+if the key has <a href="#km_tag_caller_nonce">KM_TAG_CALLER_NONCE</a>. If not provided,
+an appropriate nonce or IV will be randomly generated by
+Keymaster and returned from begin.</p>
+
+<p>The value is a blob, an arbitrary-length array of bytes. Allowed lengths depend
+on the mode: GCM nonces are 12 bytes in length; CBC and CTR IVs are 16 bytes in
+length.</p>
+
+<p>This tag is not repeatable.</p>
+
+<h3 id=km_tag_auth_token>KM_TAG_AUTH_TOKEN</h3>
+
+<p>Provides an authentication token (see the Authentication page) to
+<a href="#begin">begin</a>, <a href="#update">update</a> or <a href="#finish">finish</a>,
+to prove user authentication for a key operation that requires
+it (key has <a href="#km_tag_user_secure_id">KM_TAG_USER_SECURE_ID</a>).</p>
+
+<p>The value is a blob which contains a <code>hw_auth_token_t</code> structure.</p>
+
+<p>This tag is not repeatable.</p>
+
+<h3 id=km_tag_mac_length>KM_TAG_MAC_LENGTH</h3>
+
+<p>Provides the requested length of a MAC or GCM authentication tag, in bits.</p>
+
+<p>The value is the MAC length in bits. It must be a multiple of 8 and must be at
+least as large as the value of <a href="#km_tag_min_mac_length">KM_TAG_MIN_MAC_LENGTH</a>
+associated with the key.</p>
+
+<h2 id=functions>Functions</h2>
+
+<h3 id=deprecated_functions>Deprecated functions</h3>
+
+<p>The following functions are in the <code>keymaster1_device_t</code> definition but
+should not be implemented. The function pointers should be set
+to <code>NULL</code>:</p>
+
+<ul>
+ <li><code>generate_keypair</code>
+ <li><code>import_keypair</code>
+ <li><code>get_keypair_public</code>
+ <li><code>delete_keypair</code>
+ <li><code>delete_all</code>
+ <li><code>sign_data</code>
+ <li><code>verify_data</code>
+</ul>
+
+<h3 id=general_implementation_guidelines>General implementation guidelines</h3>
+
+<p>The following guidelines apply to all functions in the API.</p>
+
+<h4 id=input_pointer_parameters>Input pointer parameters</h4>
+
+<p>Input pointer parameters that are not used for a given call may be <code>NULL</code>.
+The caller is not required to provide placeholders. For example, some key
+types and modes may not use any values from the <code>in_params</code> argument
+to <a href="#begin">begin</a>, so the caller may set <code>in_params</code>
+to <code>NULL</code> or provide an empty parameter set. It is also acceptable for the caller to
+provide unused parameters, and Keymaster methods should not issue errors.</p>
+
+<p>If a required input parameter is NULL, Keymaster methods should return
+<code>KM_ERROR_UNEXPECTED_NULL_POINTER</code>.</p>
+
+<h4 id=output_pointer_parameters>Output pointer parameters</h4>
+
+<p>Similar to input pointer parameters, unused output pointer parameters
+may be <code>NULL</code>. If a method needs to return data in an output
+parameter found to be <code>NULL</code>, it should return <code>KM_ERROR_OUTPUT_PARAMETER_NULL</code>.</p>
+
+<h4 id=api_misuse>API misuse</h4>
+
+<p>There are many ways that callers can make requests that don't make sense or are
+foolish but not technically wrong. Keymaster1 implementations are not required
+to fail in such cases or issue a diagnostic. Use of too-small keys,
+specification of irrelevant input parameters, reuse of IVs or nonces,
+generation of keys with no purposes (hence useless) and the like should not be
+diagnosed by implementations. Omission of required parameters, specification of
+invalid required parameters, and similar errors must be diagnosed.</p>
+
+<p>It is the responsibility of apps, the framework, and Android keystore to ensure
+that the calls to Keymaster modules are sensible and useful.</p>
+
+<h3 id=get_supported_algorithms>get_supported_algorithms</h3>
+
+<p>Returns the list of algorithms supported by the Keymaster hardware
+implementation. A software implementation must return an empty list; a hybrid
+implementation must return a list containing only the algorithms that are
+supported by hardware.</p>
+
+<p>Keymaster1 implementations must support RSA, EC, AES and HMAC.</p>
+
+<h3 id=get_supported_block_modes>get_supported_block_modes</h3>
+
+<p>Returns the list of AES block modes supported by the Keymaster hardware
+implementation for a specified algorithm and purpose.</p>
+
+<p>For RSA, EC and HMAC, which are not block ciphers, the method must return an
+empty list for all valid purposes. Invalid purposes should cause the method to
+return <code>KM_ERROR_INVALID_PURPOSE</code>.</p>
+
+<p>Keymaster1 implementations must support ECB, CBC, CTR and GCM for AES
+encryption and decryption.</p>
+
+<h3 id=get_supported_padding_modes>get_supported_padding_modes</h3>
+
+<p>Returns the list of padding modes supported by the Keymaster hardware
+implementation for a specified algorithm and purpose.</p>
+
+<p>HMAC and EC have no notion of padding so the method must return an empty list
+for all valid purposes. Invalid purposes should cause the method to return <code>KM_ERROR_INVALID_PURPOSE</code>.</p>
+
+<p>For RSA, keymaster1 implementations must support:</p>
+
+<ul>
+ <li>Unpadded encryption, decryption, signing and verification. For unpadded
+encryption and signing, if the message is shorter than the public modulus,
+implementations must left-pad it with zeros. For unpadded decryption and
+verification, the input length must match the public modulus size.
+ <li>PKCS#1 v1.5 encryption and signing padding modes
+ <li>PSS with a minimum salt length of 20
+ <li>OAEP
+</ul>
+
+<p>For AES in ECB and CBC modes, keymaster1 implementations must support no
+padding and PKCS#7-padding. CTR and GCM modes must support only no padding.</p>
+
+<h3 id=get_supported_digests>get_supported_digests</h3>
+
+<p>Returns the list of digest modes supported by the Keymaster hardware
+implementation for a specified algorithm and purpose.</p>
+
+<p>No AES modes support or require digesting, so the method must return an empty
+list for valid purposes.</p>
+
+<p>Keymaster1 implementations are allowed to implement a subset of the defined
+digests, but must provide SHA-256. It is strongly recommended that keymaster1
+implementations provide MD5, SHA1, SHA-224, SHA-256, SHA384 and SHA512 (the
+full set of defined digests).</p>
+
+<h3 id=get_supported_import_formats>get_supported_import_formats</h3>
+
+<p>Returns the list of import formats supported by the Keymaster hardware
+implementation of a specified algorithm.</p>
+
+<p>Keymaster1 implementations must support the PKCS#8 format (without password
+protection) for importing RSA and EC key pairs, and must support RAW import of
+AES and HMAC key material.</p>
+
+<h3 id=get_supported_export_formats>get_supported_export_formats</h3>
+
+<p>Returns the list of export formats supported by the Keymaster hardware
+implementation of a specified algorithm.</p>
+
+<p>Keymaster1 implementations must support the X.509 format for exporting RSA and
+EC public keys. Export of private keys or asymmetric keys must not be
+supported.</p>
+
+<h3 id=add_rng_entropy>add_rng_entropy</h3>
+
+<p>Adds caller-provided entropy to the pool used by the Keymaster1 implementation
+for generating random numbers, for keys, IVs, etc.</p>
+
+<p>Keymaster1 implementations must <strong>securely</strong> mix the provided
+entropy into their pool, which must also contain
+internally-generated entropy from a hardware random number generator. Mixing
+must have the property that an attacker with complete control of either
+the <code>add_rng_entropy</code>-provided bits or the hardware-generated bits, but not both, cannot predict
+bits generated from the entropy pool with probability greater than ½.</p>
+
+<p>Keymaster1 implementations that attempt to estimate the entropy in their
+internal pool must assume that data provided by <code>add_rng_entropy</code> contains no entropy.</p>
+
+<h3 id=generate_key>generate_key</h3>
+
+<p>Generates a new cryptographic key, specifying associated authorizations, which
+will be permanently bound to the key. Keymaster1 implementations must make it
+impossible to use a key in any way inconsistent with the authorizations
+specified at generation time. With respect to authorizations that the secure
+hardware cannot enforce, the secure hardware's obligation is limited to
+ensuring that the unenforceable authorizations associated with the key cannot
+be modified, so that every call to <a href="#get_key_characteristics">get_key_characteristics</a>
+will return the original value. In addition, the characteristics returned by <code>generate_key</code>
+must allocate authorizations correctly between the hardware-enforced and
+software-enforced lists. See <a href="#get_key_characteristics">get_key_characteristics</a>
+for more details.</p>
+
+<p>The parameters that must be provided to <code>generate_key</code> depend on the type of key
+being generated. This section will summarize the
+required and allowed tags for each type of key. <a href="#km_tag_algorithm">KM_TAG_ALGORITHM</a>
+is always required, to specify the type.</p>
+
+<h4 id=rsa_keys>RSA keys</h4>
+
+<p>The following parameters are required when generating an RSA key.</p>
+
+<ul>
+ <li><a href="#km_tag_key_size">KM_TAG_KEY_SIZE</a> specifies the size of the public
+ modulus, in bits. If omitted, the method must
+return <code>KM_ERROR_UNSUPPORTED_KEY_SIZE</code>. Values that must be supported are
+1024, 2048, 3072 and 4096. It is
+recommended to support all key sizes that are a multiple of 8.
+ <li><a href="#km_tag_rsa_public_exponent">KM_TAG_RSA_PUBLIC_EXPONENT</a> specifies
+ the RSA public exponent value. If omitted, the method must
+ return <code>KM_ERROR_INVALID_ARGUMENT</code>.
+ Implementations must support the values 3 and 65537. It is recommended to
+support all prime values up to 2^64.
+</ul>
+
+<p>The following parameters are not required to generate an RSA key, but creating
+an RSA key without them will produce a key that is unusable.
+The <code>generate_key</code> function should not return an error if these parameters are omitted.</p>
+
+<ul>
+ <li><a href="#km_tag_purpose">KM_TAG_PURPOSE</a> specifies allowed purposes.
+ All purposes must be supported for RSA keys, in
+any combination.
+ <li><a href="#km_tag_digest">KM_TAG_DIGEST</a> specifies digest algorithms that
+ may be used with the new key. Implementations
+that do not support all digest algorithms must accept key generation requests
+that include unsupported digests. The unsupported digests should be placed in
+the "software-enforced" list in the returned key characteristics. This is
+because the key will be usable with those other digests, but digesting will be
+performed in software. Then hardware will be called to perform the operation
+with <code>KM_DIGEST_NONE</code>.
+ <li><a href="#km_tag_padding">KM_TAG_PADDING</a> specifies the padding modes
+ that may be used with the new key. Implementations
+that do not support all digest algorithms must place <code>KM_PAD_RSA_PSS</code>
+and <code>KM_PAD_RSA_OAEP</code> in the software-enforced list of the key
+characteristics if any unsupported
+digest algorithms are specified.
+</ul>
+
+<h4 id=ecdsa_keys>ECDSA keys</h4>
+
+<p>Only <a href="#km_tag_key_size">KM_TAG_KEY_SIZE</a> is required to generate an
+ECDSA key. It is used to select the EC group.
+Implementations must support values 224, 256, 384 and 521, which indicate the
+NIST p-224, p-256, p-384 and p521 curves, respectively.</p>
+
+<p><a href="#km_tag_digest">KM_TAG_DIGEST</a> is also needed for a useful ECDSA key,
+but is not required for generation.</p>
+
+<h4 id=aes_keys>AES keys</h4>
+
+<p>Only <a href="#km_tag_key_size">KM_TAG_KEY_SIZE</a> is required when
+generating an AES key. If omitted, the method must return <code>KM_ERROR_UNSUPPORTED_KEY_SIZE</code>.
+Values that must be supported are 128 and 256. It is recommended to support
+192-bit AES keys.</p>
+
+<p>The following parameters are particularly relevant for AES keys, but not
+required to generate one:</p>
+
+<ul>
+ <li><code>KM_TAG_BLOCK_MODE</code> specifies the block modes with which the new key may be used.
+ <li><code>KM_TAG_PADDING</code> specifies the padding modes that may be used. This is only relevant for ECB
+and CBC modes.
+</ul>
+
+<p>If the GCM block mode is specified, then <a href="#km_tag_min_mac_length">KM_TAG_MIN_MAC_LENGTH</a>
+must be provided. If omitted, the method must return
+<code>KM_ERROR_MISSING_MIN_MAC_LENGTH</code>. The value of the tag must be a multiple of 8 and must
+be at least 96 and no more than 128.</p>
+
+<h4 id=hmac_keys>HMAC keys</h4>
+
+<p>The following parameters are required for HMAC key generation:</p>
+
+<ul>
+ <li><a href="#km_tag_key_size">KM_TAG_KEY_SIZE</a> specifies the key size in bits. Values
+ smaller than 64 and values that are not
+multiples of 8 must not be supported. All multiples of 8, from 64 to 512, must
+be supported. Larger values may be supported.
+ <li><a href="#km_tag_min_mac_length">KM_TAG_MIN_MAC_LENGTH</a> specifies the minimum length of
+ MACs that can be generated or verified with
+this key. The value must be a multiple of 8 and must be at least 64.
+ <li><a href="#km_tag_digest">KM_TAG_DIGEST</a> specifies the digest algorithm for the key. Exactly
+ one digest must be
+specified, otherwise return <code>KM_ERROR_UNSUPPORTED_DIGEST</code>. If the digest is not supported
+by the trustlet, return <code>KM_ERROR_UNSUPPORTED_DIGEST</code>.
+</ul>
+
+<h4 id=key_characteristics>Key characteristics</h4>
+
+<p>If the characteristics argument is non-NULL, <code>generate_key</code> must return the newly-generated
+key's characteristics divided appropriately
+into hardware-enforced and software-enforced lists. See <a href="#get_key_characteristics">get_key_characteristics</a>
+for a description of which characteristics go in which list. The returned
+characteristics must include all of the parameters specified to key generation,
+except <a href="#km_tag_application_id">KM_TAG_APPLICATION_ID</a> and
+<a href="#km_tag_application_data">KM_TAG_APPLICATION_DATA</a>.
+If these tags were included in the key parameters, they must be removed from
+the returned characteristics; it must not be possible to find their values by
+examining the returned key blob. However, they must be cryptographically bound
+to the key blob, so that if the correct values are not provided when the key is
+used, usage will fail. Similarly, <a href="#km_tag_root_of_trust">KM_TAG_ROOT_OF_TRUST</a> must
+be cryptographically bound to the key, but it may not be specified during
+key creation or import and must never be returned.</p>
+
+<p>In addition to the provided tags, the trustlet must also
+add <a href="#km_tag_origin">KM_TAG_ORIGIN</a>, with the value <code>KM_ORIGIN_GENERATED</code>,
+and if the key is rollback resistant, <a href="#km_tag_rollback_resistant">KM_TAG_ROLLBACK_RESISTANT</a>.</p>
+
+<h4 id=rollback_resistance>Rollback resistance </h4>
+
+<p>Rollback resistance means that once a key is deleted with
+<a href="#delete_key">delete_key</a> or <a href="#delete_all_keys">delete_all_keys</a>,
+it is guaranteed by secure hardware never to be usable again. Implementations
+without rollback resistance will typically return generated or imported key
+material to the caller as a key blob, an encrypted and authenticated form. When
+keystore deletes the key blob, the key is gone, but an attacker who has
+previously managed to retrieve the key material can potentially restore it to
+the device.</p>
+
+<p>A key is rollback resistant if the secure hardware guarantees that deleted keys
+cannot be restored later. This is generally done by storing additional key
+metadata in a trusted location that cannot be manipulated by an attacker. On
+mobile devices, the mechanism used for this is usually Replay Protected Memory
+Blocks (RPMB). Because the number of keys that may be created is essentially
+unbounded and the trusted storage used for rollback resistance may be limited
+in size, it is required that this method succeed even if rollback resistance
+cannot be provided for the new key. In that case,
+<a href="#km_tag_rollback_resistant">KM_TAG_ROLLBACK_RESISTANT</a> should not be
+added to the key characteristics.</p>
+
+<h3 id=get_key_characteristics>get_key_characteristics</h3>
+
+<p>Returns parameters and authorizations associated with the provided key, divided
+into two sets: hardware-enforced and software-enforced. The description here
+applies equally to the key characteristics lists returned
+by <a href="#generate_key">generate_key</a> and <a href="#import_key">import_key</a>.</p>
+
+<p>If <code>KM_TAG_APPLICATION_ID</code> was provided during key generation
+or import, the same value must provided to
+this method in the <code>client_id</code> argument. Otherwise, the
+method must return <code>KM_ERROR_INVALID_KEY_BLOB</code>. Similarly,
+if <code>KM_TAG_APPLICATION_DATA </code>was provided during generation
+or import, the same value must be provided to
+this method in the <code>app_data</code> argument.</p>
+
+<p>The characteristics returned by this method completely describe the type and
+usage of the specified key.</p>
+
+<p>The general rule for deciding whether a given tag belongs in the
+hardware-enforced or software-enforced list is that if the meaning of the tag
+is fully assured by secure hardware, it is hardware-enforced. Otherwise, it's
+software enforced. Below is a list of specific tags whose correct allocation
+may be unclear:</p>
+
+<ul>
+ <li><a href="#km_tag_algorithm">KM_TAG_ALGORITHM</a>, <a href="#km_tag_key_size">KM_TAG_KEY_SIZE</a>,
+ and <a href="#km_tag_rsa_public_exponent">KM_TAG_RSA_PUBLIC_EXPONENT</a> are
+ intrinsic properties of the key. For any key that is secured by hardware,
+these will be in the hardware-enforced list, because the statement that, for
+example, "This RSA key material is only used as an RSA key" is enforced by
+hardware because the hardware will use it in no other way and software has no
+access to the key material and cannot use it at all.
+ <li><a href="#km_tag_digest">KM_TAG_DIGEST</a> values that are supported by the
+ secure hardware are to be placed in the
+hardware-supported list. Unsupported digests go in the software-supported list.
+ <li><a href="#km_tag_padding">KM_TAG_PADDING</a> values generally go in the
+ hardware-supported list, but if there is a
+possibility that a specific padding mode may have to be performed by software,
+they go in the software-enforced list. Such a possibility arises for RSA keys
+that permit PSS or OAEP padding with digest algorithms that are not supported
+by the secure hardware.
+ <li><a href="#km_tag_user_secure_id">KM_TAG_USER_SECURE_ID</a> and
+ <a href="#km_tag_mac_length">KM_TAG_USER_AUTH_TYPE</a> are hardware-enforced
+ only if user authentication is hardware enforced. For
+that to be true, the Keymaster trustlet and the relevant authentication
+trustlet must both be secure and must share a secret HMAC key used to sign and
+validate authentication tokens. See the Authentication page for details.
+ <li><a href="#km_tag_active_datetime">KM_TAG_ACTIVE_DATETIME</a>,
+ <a href="#km_tag_origination_expire_datetime">KM_TAG_ORIGINATION_EXPIRE_DATETIME</a>,
+ and <a href="#km_tag_usage_expire_datetime">KM_TAG_USAGE_EXPIRE_DATETIME</a> tags
+ require access to a verifiably correct wall clock. Most secure hardware
+will only have access to time information provided by the non-secure OS, which
+means the tags are software-enforced.
+ <li><a href="#km_tag_origin">KM_TAG_ORIGIN</a> is always in the hardware list for
+ hardware-bound keys. Its presence in that
+list is the way higher layers determine that a key is hardware-backed.
+</ul>
+
+<h3 id=import_key>import_key</h3>
+
+<p>Imports key material into Keymaster hardware. Key definition parameters and
+output characteristics are handled the same as for <code>generate_key</code>,
+with the following exceptions:</p>
+
+<ul>
+ <li><a href="#km_tag_key_size">KM_TAG_KEY_SIZE</a> and
+ <a href="#km_tag_rsa_public_exponent">KM_TAG_RSA_PUBLIC_EXPONENT</a> (for RSA keys only)
+ are not required in the input parameters. If not provided,
+the trustlet must deduce the values from the provided key material and add
+appropriate tags and values to the key characteristics. If the parameters are
+provided, the trustlet must validate them against the key material. In the
+event of a mismatch, the method must return <code>KM_ERROR_IMPORT_PARAMETER_MISMATCH</code>.
+ <li>The returned <a href="#km_tag_origin">KM_TAG_ORIGIN</a> must have the
+ value <code>KM_ORIGIN_IMPORTED</code>.
+</ul>
+
+<h3 id=export_key>export_key</h3>
+
+<p>Exports a public key from a Keymaster RSA or EC key pair.</p>
+
+<p>If <code>KM_TAG_APPLICATION_ID</code> was provided during key generation or import,
+the same value must provided to
+this method in the <code>client_id</code> argument. Otherwise, the method must return
+<code>KM_ERROR_INVALID_KEY_BLOB</code>. Similarly, if <code>KM_TAG_APPLICATION_DATA</code>
+was provided during generation or import, the same value must be provided to
+this method in the <code>app_data</code> argument.</p>
+
+<h3 id=delete_key>delete_key</h3>
+
+<p>Deletes the provided key. This method is optional, and will likely be
+implemented only by Keymaster modules that provide rollback resistance.</p>
+
+<h3 id=delete_all_keys>delete_all_keys</h3>
+
+<p>Deletes all keys. This method is optional, and will likely be implemented only
+by Keymaster modules that provide rollback resistance.</p>
+
+<h3 id=begin>begin</h3>
+
+<p>Begins a cryptographic operation, using the specified key, for the specified
+purpose, with the specified parameters (as appropriate), and returns an
+operation handle which is used with <a href="#update">update</a> and <a href="#finish">finish</a> to complete the operation.</p>
+
+<p>If <a href="#km_tag_application_id">KM_TAG_APPLICATION_ID</a> or <a href="#km_tag_application_data">KM_TAG_APPLICATION_DATA</a>
+were specified during key generation or import, calls to begin must include
+those tags with the originally-specified values in the <code>in_params</code> argument to this method.</p>
+
+<h4 id=authorization_enforcement>Authorization enforcement</h4>
+
+<p>During this method, the following key authorizations must be enforced by the
+trustlet if the implementation placed them in the "hardware-enforced"
+characteristics and if the operation is not a public key operation. Public key
+operations, meaning <code>KM_PURPOSE_ENCRYPT</code> and <code>KM_PURPOSE_VERIFY</code>,
+with RSA or EC keys, must be allowed to succeed even if authorization
+requirements are not met.</p>
+
+<ul>
+ <li><a href="#km_tag_purpose">KM_TAG_PURPOSE</a> requires that the purpose specified
+ for this method match one of the purposes
+in the key authorizations, unless the requested operation is a public key
+operation, meaning that the key is RSA or EC and the purpose is <code>KM_PURPOSE_ENCRYPT</code>
+or <code>KM_PURPOSE_VERIFY</code>. Note that <code>KM_PURPOSE_ENCRYPT</code> is not valid for EC keys.
+Begin should return <code>KM_ERROR_UNSUPPORTED_PURPOSE</code> in that case.
+ <li><a href="#km_tag_active_datetime">KM_TAG_ACTIVE_DATETIME</a> requires comparison with a trusted
+ UTC time source. If the current date and
+time is prior to the tag value, the method must return <code>KM_ERROR_KEY_NOT_YET_VALID</code>.
+ <li><a href="#km_tag_origination_expire_datetime">KM_TAG_ORIGINATION_EXPIRE_DATETIME</a> requires
+ comparison with a trusted UTC time source. If the current date and
+time is later than the tag value and the purpose is <code>KM_PURPOSE_ENCRYPT</code> or <code>KM_PURPOSE_SIGN</code>,
+the method must return <code>KM_ERROR_KEY_EXPIRED</code>.
+ <li><a href="#km_tag_usage_expire_datetime">KM_TAG_USAGE_EXPIRE_DATETIME</a> requires comparison with a
+ trusted UTC time source. If the current date and
+time is later than the tag value and the purpose is <code>KM_PURPOSE_DECRYPT</code> or <code>KM_PURPOSE_VERIFY</code>,
+the method must return <code>KM_ERROR_KEY_EXPIRED</code>.
+ <li><a href="#km_tag_min_seconds_between_ops">KM_TAG_MIN_SECONDS_BETWEEN_OPS</a> requires comparison with a
+ trusted relative timer indicating the last use of
+the key. If the last use time plus the tag value is less than the current time,
+the method must return <code>KM_ERROR_KEY_RATE_LIMIT_EXCEEDED</code>. See the tag description for
+important implementation requirements.
+ <li><a href="#km_tag_max_uses_per_boot">KM_TAG_MAX_USES_PER_BOOT</a> requires comparison against a
+ secure counter that tracks the uses of the key
+since boot time. If the count of previous uses exceeds the tag value, the
+method must return <code>KM_ERROR_KEY_MAX_OPS_EXCEEDED</code>.
+ <li><a href="#km_tag_user_secure_id">KM_TAG_USER_SECURE_ID</a> is enforced by this method only
+ if the key also has <a href="#km_tag_auth_timeout">KM_TAG_AUTH_TIMEOUT</a>. If the key has both,
+ then this method must have received a <a href="#km_tag_auth_token">KM_TAG_AUTH_TOKEN</a> in
+ <code>in_params</code> and that token must be valid, meaning that the HMAC field validates correctly.
+In addition, at least one of the <a href="#km_tag_user_secure_id">KM_TAG_USER_SECURE_ID</a>
+values from the key must match at least one of the secure ID values in the
+token. Finally, the key must also have a <a href="#km_tag_mac_length">KM_TAG_USER_AUTH_TYPE</a> and
+it must match the auth type in the token. If any of these requirements is
+not met, the method must return <code>KM_ERROR_KEY_USER_NOT_AUTHENTICATED</code>.
+ <li><a href="#km_tag_caller_nonce">KM_TAG_CALLER_NONCE</a> allows the caller to specify a nonce
+ or initialization vector (IV). If the key
+does not have this tag but the caller provided <a href="#km_tag_nonce">KM_TAG_NONCE</a> to this method,
+<code>KM_ERROR_CALLER_NONCE_PROHIBITED</code> must be returned.
+ <li><a href="#km_tag_bootloader_only">KM_TAG_BOOTLOADER_ONLY</a> specifies that the key may only be
+ used by the bootloader. If this method is
+called with a bootloader-only key after the bootloader has finished executing,
+it must return <code>KM_ERROR_INVALID_KEY_BLOB</code>.
+</ul>
+
+<h4 id=rsa_keys>RSA keys</h4>
+
+<p>All RSA key operations must specify exactly one padding mode in <code>in_params</code>. If
+unspecified or specified more than once, the method must return <code>KM_ERROR_UNSUPPORTED_PADDING_MODE</code>.</p>
+
+<p>RSA signing and verification operations require a digest, as do RSA encryption
+and decryption operations with OAEP padding mode. For those cases, the caller
+must specify exactly one digest in <code>in_params</code>. If unspecified or specified more than once,
+the method must return <code>KM_ERROR_UNSUPPORTED_DIGEST</code>.</p>
+
+<p>Private key operations (<code>KM_PURPOSE_DECYPT</code> and <code>KM_PURPOSE_SIGN</code>) require
+authorization of digest and padding, which means that the specified
+values must be in the key authorizations. If not, the method must return <code>KM_ERROR_INCOMPATIBLE_DIGEST</code>
+or <code>KM_ERROR_INCOMPATIBLE_PADDING</code>, as appropriate. Public key operations
+(<code>KM_PURPOSE_ENCRYPT</code> and <code>KM_PURPOSE_VERIFY</code>) are permitted with
+unauthorized digest or padding.</p>
+
+<p>With the exception of <code>KM_PAD_NONE</code>, all RSA padding modes are applicable only to
+certain purposes. Specifically, <code>KM_PAD_RSA_PKCS1_1_5_SIGN</code> and <code>KM_PAD_RSA_PSS</code>
+only support signing and verification, while <code>KM_PAD_RSA_PKCS1_1_1_5_ENCRYPT</code> and
+<code>KM_PAD_RSA_OAEP</code> only support encryption and decryption. The method must return
+<code>KM_ERROR_UNSUPPORTED_PADDING_MODE</code> if the specified mode does not support the specified purpose.</p>
+
+<p>There are some important interactions between padding modes and digests:</p>
+
+<ul>
+ <li><code>KM_PAD_NONE</code> indicates that a "raw" RSA operation will be performed. If signing or
+verifying, <code>KM_DIGEST_NONE </code>must be specified for the digest. No digest is required for unpadded encryption
+or decryption.
+ <li><code>KM_PAD_RSA_PKCS1_1_5_SIGN</code> padding requires a digest, which may be <code>KM_DIGEST_NONE.</code>
+ <li><code>KM_PAD_RSA_PKCS1_1_1_5_ENCRYPT</code> padding does not require a digest.
+ <li><code>KM_PAD_RSA_PSS</code> padding requires a digest, which may not be <code>KM_DIGEST_NONE</code>.
+ If <code>KM_DIGEST_NONE</code> is specified, the method must return
+ <code>KM_ERROR_INCOMPATIBLE_PADDING_MODE</code>. In addition, the
+ size of the RSA key must be at least 22 bytes larger than
+the output size of the digest. Otherwise, the method must return <code>KM_ERROR_INCOMPATIBLE_DIGEST</code>.
+ <li><code>KM_PAD_RSA_OAEP</code> padding requires a digest, which may not be <code>KM_DIGEST_NONE</code>.
+ If <code>KM_DIGEST_NONE</code> is specified, the method must return <code>KM_ERROR_INCOMPATIBLE_DIGEST</code>.
+</ul>
+
+<h4 id=ec_keys>EC keys</h4>
+
+<p>EC key operations must specify exactly one padding mode in <code>in_params</code>.
+If unspecified or specified more than once,
+return <code>KM_ERROR_UNSUPPORTED_PADDING_MODE</code>.</p>
+
+<p>Private key operations (<code>KM_PURPOSE_SIGN</code>) require authorization of the
+digest, which means that the specified value must be in the key authorizations.
+If not, return <code>KM_ERROR_INCOMPATIBLE_DIGEST</code>.
+Public key operations (<code>KM_PURPOSE_VERIFY</code>) are permitted with unauthorized digest or padding.</p>
+
+<h4 id=aes_keys>AES keys</h4>
+
+<p>AES key operations must specify exactly one block mode and one padding mode in <code>in_params</code>.
+If either value is unspecified or specified more than once, return <code>KM_ERROR_UNSUPPORTED_BLOCK_MODE</code> or
+<code>KM_ERROR_UNSUPPORTED_PADDING_MODE</code>. The specified modes must be authorized by the key.
+Otherwise, the method must
+return <code>KM_ERROR_INCOMPATIBLE_BLOCK_MODE</code> or <code>KM_ERROR_INCOMPATIBLE_PADDING_MODE</code>.</p>
+
+<p>If the block mode is <code>KM_MODE_GCM</code>, <code>in_params</code> must specify <code>KM_TAG_MAC_LENGTH</code>, and the
+specified value must be a multiple of 8 and must not be greater than
+128, or less than the value of <code>KM_TAG_MIN_MAC_LENGTH</code> in the key authorizations. For MAC lengths greater than 128 or non-multiples of
+8, return <code>KM_ERROR_UNSUPPORTED_MAC_LENGTH</code>. For values less than the key's minimum length, return <code>KM_ERROR_INVALID_MAC_LENGTH</code>.</p>
+
+<p>If the block mode is <code>KM_MODE_GCM</code> or <code>KM_MODE_CTR</code>, the specified padding mode must
+be <code>KM_PAD_NONE</code>. For <code>KM_MODE_ECB</code> or <code>KM_MODE_CBC</code>, the mode may
+be <code>KM_PAD_NONE</code> or <code>KM_PAD_PKCS7</code>. If the padding mode doesn't meet these
+requirements, return <code>KM_ERROR_INCOMPATIBLE_PADDING_MODE</code>.</p>
+
+<p>If the block mode is <code>KM_MODE_CBC</code>, <code>KM_MODE_CTR</code>, or <code>KM_MODE_GCM</code>, an initialization vector or nonce is needed.
+In most cases, callers should not
+provide an IV or nonce and the Keymaster implementation must generate a random
+IV or nonce and return it via <a href="#km_tag_nonce">KM_TAG_NONCE</a> in <code>out_params</code>. CBC
+and CTR IVs are 16 bytes. GCM nonces are 12 bytes. If the key
+authorizations contain <a href="#km_tag_caller_nonce">KM_TAG_CALLER_NONCE</a>, then the caller may
+provide an IV/nonce with <a href="#km_tag_nonce">KM_TAG_NONCE</a> in <code>in_params</code>. If a
+nonce is provided when <a href="#km_tag_caller_nonce">KM_TAG_CALLER_NONCE</a> is not authorized,
+return <code>KM_ERROR_CALLER_NONCE_PROHIBITED</code>. If a nonce is not provided when
+<a href="#km_tag_caller_nonce">KM_TAG_CALLER_NONCE</a> is authorized, generate a random IV/nonce.</p>
+
+<h4 id=hmac_keys>HMAC keys</h4>
+
+<p>HMAC key operations must specify <code>KM_TAG_MAC_LENGTH</code> in <code>in_params</code>.
+The specified value must be a multiple of 8 and must not be greater than the
+digest length, or less than the value of <code>KM_TAG_MIN_MAC_LENGTH</code> in the key authorizations.
+For MAC lengths greater than the digest length or
+non-multiples of 8, return <code>KM_ERROR_UNSUPPORTED_MAC_LENGTH</code>. For values less than
+the key's minimum length, return <code>KM_ERROR_INVALID_MAC_LENGTH</code>.</p>
+
+<h3 id=update>update</h3>
+
+<p>Provides data to process in an ongoing operation started with <a href="#begin">begin</a>.
+The operation is specified by the <code>operation_handle</code> parameter.</p>
+
+<p>To provide more flexibility for buffer handling, implementations of this method
+have the option of consuming less data than was provided. The caller is
+responsible for looping to feed the rest of the data in subsequent calls. The
+amount of input consumed must be returned in the <code>input_consumed</code> parameter.
+Implementations must always consume at least one byte, unless the
+operation cannot accept any more; if more than zero bytes are provided and zero
+bytes are consumed, callers will consider this an error and abort the
+operation.</p>
+
+<p>Implementations may also choose how much data to return, as a result of the
+update. This is only relevant for encryption and decryption operations, since
+signing and verification return no data until <a href="#finish">finish</a>. It is recommended
+to return data as early as possible, rather than buffer it.</p>
+
+<h4 id=error_handling>Error handling</h4>
+
+<p>If this method returns an error code other than <code>KM_ERROR_OK</code>, the operation is
+aborted and the operation handle must be invalidated. Any
+future use of the handle, with this method or <a href="#finish">finish</a> or <a href="#abort">abort</a>,
+must return <code>KM_ERROR_INVALID_OPERATION_HANDLE</code>.</p>
+
+<h4 id=authorization_enforcement>Authorization enforcement</h4>
+
+<p>Key authorization enforcement is performed primarily in <a href="#begin">begin</a>. The one exception
+is the case where the key has:</p>
+
+<ul>
+ <li>One or more <a href="#km_tag_user_secure_id">KM_TAG_USER_SECURE_IDs</a>, and
+ <li>Does not have a <a href="#km_tag_auth_timeout">KM_TAG_AUTH_TIMEOUT</a>
+</ul>
+
+<p>In this case, the key requires an authorization per operation, and the update
+method must receive a <a href="#km_tag_auth_token">KM_TAG_AUTH_TOKEN</a> in the <code>in_params</code> argument.
+The token must be valid (HMAC must verify) and it must contain a
+matching secure user ID, must match the key's <a href="#km_tag_mac_length">KM_TAG_USER_AUTH_TYPE</a>, and must
+contain the operation handle of the current operation in the
+challenge field. If these requirements aren't met, return <code>KM_ERROR_KEY_USER_NOT_AUTHENTICATED</code>.</p>
+
+<p>The caller must provide the authentication token to every call to <a href="#update">update</a> and
+<a href="#finish">finish</a>. The implementation need only validate the token once if it prefers.</p>
+
+<h4 id=rsa_keys>RSA keys</h4>
+
+<p>For signing and verification operations with <code>KM_DIGEST_NONE</code>, this method must accept
+the entire block to be signed or verified in a single
+update. It may not consume only a portion of the block. It still must accept
+the data in multiple updates if the caller chooses to provide it that way,
+however. If the caller provides more data to sign than can be used (length of
+data exceeds RSA key size), return <code>KM_ERROR_INVALID_INPUT_LENGTH</code>.</p>
+
+<h4 id=ecdsa_keys>ECDSA keys</h4>
+
+<p>For signing and verification operations with <code>KM_DIGEST_NONE</code>, this method must accept the
+entire block to be signed or verified in a single
+update. This method may not consume only a portion of the block.</p>
+
+<p>However, this method still must accept the data in multiple updates if the
+caller chooses to provide it that way. If the caller provides more data to sign
+than can be used, the data should be silently truncated. (This differs from the
+handling of excess data provided in similar RSA operations. The reason for this
+is compatibility with legacy clients.)</p>
+
+<h4 id=aes_keys>AES keys</h4>
+
+<p>AES GCM mode supports "associated authentication data," provided via the
+<a href="#km_tag_associated_data">KM_TAG_ASSOCIATED_DATA</a> tag in the <code>in_params</code> argument.
+The associated data may be provided in repeated calls (important if
+the data is too large to send in a single block) but must always precede data
+to be encrypted or decrypted. An update call may receive both associated data
+and data to encrypt/decrypt, but subsequent updates may not include associated
+data. If the caller provides associated data to an update call after a call
+that includes data to encrypt/decrypt, return <code>KM_ERROR_INVALID_TAG</code>.</p>
+
+<p>For GCM encryption, the tag is appended to the ciphertext by <a href="#finish">finish</a>.
+During decryption, the last <code>KM_TAG_MAC_LENGTH</code> bytes of the data provided to the last
+update call is the tag. Since a given
+invocation of <a href="#update">update</a> cannot know if it's the last invocation, it must process all but the tag
+length and buffer the possible tag data for processing during <a href="#finish">finish</a>.</p>
+
+<h3 id=finish>finish</h3>
+
+<p>Finished an ongoing operation started with <a href="#begin">begin</a>, processing all of the
+as-yet-unprocessed data provided by <a href="#update">update</a>(s).</p>
+
+<p>This method is the last one called in an operation, so all processed data must
+be returned.</p>
+
+<p>Whether it completes successfully or returns an error, this method finalizes
+the operation and therefore invalidates the provided operation handle. Any
+future use of the handle, with this method or <a href="#update">update</a> or
+<a href="#abort">abort</a>, must return <code>KM_ERROR_INVALID_OPERATION_HANDLE</code>.</p>
+
+<p>Signing operations return the signature as the output. Verification operations
+accept the signature in the <code>signature</code> parameter, and return no output.</p>
+
+<h4 id=authorization_enforcement>Authorization enforcement</h4>
+
+<p>Key authorization enforcement is performed primarily in <a href="#begin">begin</a>. The one exception is the case where the key has:</p>
+
+<ul>
+ <li>One or more <a href="#km_tag_user_secure_id">KM_TAG_USER_SECURE_IDs</a>, and
+ <li>Does not have a <a href="#km_tag_auth_timeout">KM_TAG_AUTH_TIMEOUT</a>
+</ul>
+
+<p>In this case, the key requires an authorization per operation, and the update
+method must receive a <a href="#km_tag_auth_token">KM_TAG_AUTH_TOKEN</a> in the <code>in_params</code> argument.
+The token must be valid (HMAC must verify) and it must contain a
+matching secure user ID, must match the key's <a href="#km_tag_mac_length">KM_TAG_USER_AUTH_TYPE</a>, and must
+contain the operation handle of the current operation in the
+challenge field. If these requirements aren't met, return <code>KM_ERROR_KEY_USER_NOT_AUTHENTICATED</code>.</p>
+
+<p>The caller must provide the authentication token to every call to <a href="#update">update</a> and <a href="#finish">finish</a>.
+The implementation need only validate the token once if it prefers.</p>
+
+<h4 id=rsa_keys>RSA keys</h4>
+
+<p>Some additional requirements, depending on the padding mode:</p>
+
+<ul>
+ <li><strong>KM_PAD_NONE</strong>. For unpadded signing and encryption operations, if the provided data is
+shorter than the key, the data must be zero-padded on the left before
+signing/encryption. If the data is the same length as the key but numerically
+larger, return <code>KM_ERROR_INVALID_ARGUMENT</code>. For verification and decryption operations, the data must be exactly as long
+as the key. Otherwise, return <code>KM_ERROR_INVALID_INPUT_LENGTH.</code>
+ <li><strong>KM_PAD_RSA_PSS</strong>. For PSS-padded signature operations, the PSS salt must be at least 20 bytes
+in length and randomly-generated. The salt may be longer; the reference
+implementation uses maximally-sized salt. The digest specified with <a href="#km_tag_digest">KM_TAG_DIGEST</a> in
+<code>input_params</code> on <a href="#begin">begin</a> is used as the PSS digest algorithm, and SHA1 is used as the MGF1 digest
+algorithm.
+ <li><strong>KM_PAD_RSA_OAEP</strong>. The digest specified with <a href="#km_tag_digest">KM_TAG_DIGEST</a> in
+ <code>input_params</code> on <a href="#begin">begin</a> is used as the OAEP digest algorithm, and SHA1 is used as the MGF1 digest
+algorithm.
+</ul>
+
+<h4 id=ecdsa_keys>ECDSA keys</h4>
+
+<p>If the data provided for unpadded signing or verification is too long, truncate
+it.</p>
+
+<h4 id=aes_keys>AES keys</h4>
+
+<p>Some additional requirements, depending on block mode:</p>
+
+<ul>
+ <li><strong>KM_MODE_ECB</strong> or <strong>KM_MODE_CBC</strong>. If padding is <code>KM_PAD_NONE</code> and the
+ data length is not a multiple of the AES block size, return <code>KM_ERROR_INVALID_INPUT_LENGTH</code>. If
+ padding is <code>KM_PAD_PKCS7</code>, pad the data per the PKCS#7 specification. Note that PKCS#7 requires that if
+the data is a multiple of the block length, an additional padding block must be
+added.
+ <li><strong>KM_MODE_GCM</strong>. During encryption, after processing all plaintext, compute the
+ tag (<a href="#km_tag_mac_length">KM_TAG_MAC_LENGTH</a> bytes) and append it to the returned ciphertext.
+ During decryption, process
+the last <a href="#km_tag_mac_length">KM_TAG_MAC_LENGTH</a> bytes as the tag. If tag verification fails,
+return <code>KM_ERROR_VERIFICATION_FAILED</code>.
+</ul>
+
+<h3 id=abort>abort</h3>
+
+<p>Aborts the in-progress operation. After the call to abort, return <code>KM_ERROR_INVALID_OPERATION_HANDLE</code> for
+any subsequent use of the provided operation handle with <a href="#update">update</a>,
+<a href="#finish">finish</a>, or <a href="#abort">abort</a>.</p>
diff --git a/src/devices/tech/security/images/access-to-keymaster.png b/src/devices/tech/security/images/access-to-keymaster.png
new file mode 100644
index 0000000..611f8e3
--- /dev/null
+++ b/src/devices/tech/security/images/access-to-keymaster.png
Binary files differ
diff --git a/src/devices/tech/security/images/authentication-flow.png b/src/devices/tech/security/images/authentication-flow.png
new file mode 100644
index 0000000..1c136e4
--- /dev/null
+++ b/src/devices/tech/security/images/authentication-flow.png
Binary files differ
diff --git a/src/devices/tech/security/images/fingerprint-daemon.png b/src/devices/tech/security/images/fingerprint-daemon.png
new file mode 100644
index 0000000..a57a7a4
--- /dev/null
+++ b/src/devices/tech/security/images/fingerprint-daemon.png
Binary files differ
diff --git a/src/devices/tech/security/images/fingerprint-data-flow.png b/src/devices/tech/security/images/fingerprint-data-flow.png
new file mode 100644
index 0000000..bc3ff36
--- /dev/null
+++ b/src/devices/tech/security/images/fingerprint-data-flow.png
Binary files differ
diff --git a/src/devices/tech/security/images/gatekeeper-flow.png b/src/devices/tech/security/images/gatekeeper-flow.png
new file mode 100644
index 0000000..693ebec
--- /dev/null
+++ b/src/devices/tech/security/images/gatekeeper-flow.png
Binary files differ
diff --git a/src/images/jack-library-file.png b/src/images/jack-library-file.png
new file mode 100644
index 0000000..b25dd85
--- /dev/null
+++ b/src/images/jack-library-file.png
Binary files differ
diff --git a/src/images/jack-overview.png b/src/images/jack-overview.png
new file mode 100644
index 0000000..74d396f
--- /dev/null
+++ b/src/images/jack-overview.png
Binary files differ
diff --git a/src/images/jill.png b/src/images/jill.png
new file mode 100644
index 0000000..0d9ba14
--- /dev/null
+++ b/src/images/jill.png
Binary files differ
diff --git a/src/images/pre-dex.png b/src/images/pre-dex.png
new file mode 100644
index 0000000..4d39700
--- /dev/null
+++ b/src/images/pre-dex.png
Binary files differ
diff --git a/src/index.jd b/src/index.jd
index b77ab6e..c903f3e 100644
--- a/src/index.jd
+++ b/src/index.jd
@@ -33,6 +33,7 @@
devices meet compatibility requirements.
</p>
+<h2 align="center">Android 6.0 Updates Available — see details below</h2>
</div>
</div>
diff --git a/src/source/jack.jd b/src/source/jack.jd
new file mode 100644
index 0000000..7abead7
--- /dev/null
+++ b/src/source/jack.jd
@@ -0,0 +1,357 @@
+page.title=Jack (Java Android Compiler Kit)
+@jd:body
+
+<!--
+ Copyright 2015 The Android Open Source Project
+
+ Licensed under the Apache License, Version 2.0 (the "License");
+ you may not use this file except in compliance with the License.
+ You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+ Unless required by applicable law or agreed to in writing, software
+ distributed under the License is distributed on an "AS IS" BASIS,
+ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ See the License for the specific language governing permissions and
+ limitations under the License.
+-->
+
+<div id="qv-wrapper">
+ <div id="qv">
+ <h2>In this document</h2>
+ <ol id="auto-toc">
+ </ol>
+ </div>
+</div>
+
+<h2 id=the_jack_toolchain>The Jack toolchain</h2>
+
+<p>Jack (Java Android Compiler Kit) is a new Android toolchain that compiles Java
+source into Android dex bytecode. It replaces the previous Android toolchain,
+which consists of multiple tools, such as javac, ProGuard, jarjar, and dx.</p>
+
+<p>The Jack toolchain provides the following advantages:</p>
+
+<ul>
+ <li> <strong>Completely open source</strong><br>
+Available in AOSP; partners are welcome to contribute.
+ <li> <strong>Speeds compilation time</strong><br>
+
+Jack has specific supports to reduce compilation time: pre-dexing, incremental
+compilation and a Jack compilation server.
+ <li> <strong>Handles shrinking, obfuscation, repackaging and multidex</strong><br>
+Using a separate package such as ProGuard is no longer necessary.
+</ul>
+
+<img src="{@docRoot}images/jack-overview.png" height="75%" width="75%" alt="Jack overview" />
+<p class="img-caption"><strong>Figure 1. </strong>Jack (Java Android Compiler Kit)</p>
+
+<h2 id=the_jack_library_format>The .jack library format</h2>
+
+<p>Jack has its own .jack file format, which contains the pre-compiled dex code
+for the library, allowing for faster compilation (pre-dex).</p>
+
+<img src="{@docRoot}images/jack-library-file.png" height="75%" width="75%" alt="Jack library file contents" />
+<p class="img-caption"><strong>Figure 2. </strong>Jack library file contents</p>
+
+<h2 id=jack_intermediate_library_linker_jill>Jack Intermediate Library Linker (Jill)</h2>
+
+<p>The Jill tool translates the existing .jar libraries into the new library
+format, as shown below.</p>
+
+<img src="{@docRoot}images/jill.png" alt="Importing existing .jar libraries using Jill" />
+<p class="img-caption"><strong>Figure 3. </strong>Workflow to import an existing .jar library</p>
+
+<h2 id=using_jack_in_your_android_build>Using Jack in your Android build</h2>
+
+<p>You don’t have to do anything differently to use Jack — just use your standard
+makefile commands to compile the tree or your project. Jack is the default
+Android build toolchain for M.</p>
+
+<p>The first time Jack is used, it launches a local Jack compilation server on
+your computer:</p>
+
+<ul>
+ <li> This server brings an intrinsic speedup, because it avoids launching a new host
+JRE JVM, loading Jack code, initializing Jack and warming up the JIT at each
+compilation. It also provides very good compilation times during small
+compilations (e.g. in incremental mode).
+ <li> The server is also a short-term solution to control the number of parallel Jack
+compilations, and so to avoid overloading your computer (memory or disk issue),
+because it limits the number of parallel compilations.
+</ul>
+
+<p>The Jack server shuts itself down after an idle time without any compilation.
+It uses two TCP ports on the localhost interface, and so is not available
+externally. All these parameters (number of parallel compilations, timeout,
+ports number, etc) can be modified by editing the<code> $HOME/.jack</code> file.</p>
+
+<h3 id=$home_jack_file>$HOME/.jack file</h3>
+
+<p>The <code>$HOME/.jack</code> file contains settings for Jack server variables, in a full bash syntax. </p>
+
+<p>Here are the available settings, with their definitions and default values:</p>
+
+<ul>
+ <li> <strong><code>SERVER=true</strong> </code>Enable the server feature of Jack.
+ <li> <strong><code>SERVER_PORT_SERVICE=8072</code>
+</strong>Set the TCP port number of the server for compilation purposes.
+ <li> <strong><code>SERVER_PORT_ADMIN=8073</code></strong>
+Set the TCP port number of the server for admin purposes.
+ <li> <strong><code>SERVER_COUNT=1</code></strong>
+Unused at present.
+ <li> <strong><code>SERVER_NB_COMPILE=4</code></strong>
+Maximum number of parallel compilations allowed.
+ <li> <strong><code>SERVER_TIMEOUT=60</code></strong>
+Number of idle seconds the server has to wait without any compilation before
+shutting itself down.
+ <li> <strong><code>SERVER_LOG=${SERVER_LOG:=$SERVER_DIR/jack-$SERVER_PORT_SERVICE.log}</code></strong>
+File where server logs are written. By default, this variable can be
+overloaded by an environment variable.
+ <li> <strong><code>JACK_VM_COMMAND=${JACK_VM_COMMAND:=java}</code></strong>
+The default command used to launch a JVM on the host. By default, this
+variable can be overloaded by environment variable.
+</ul>
+
+<h3 id=jack_troubleshooting>Jack troubleshooting</h3>
+
+<p><strong>If your computer becomes unresponsive during compilation or if you experience
+Jack compilations failing on “Out of memory error”</strong></p>
+
+<p>You can improve the situation by reducing the number of Jack simultaneous
+compilations by editing your<code> $HOME/.jack</code> and changing<code> SERVER_NB_COMPILE</code> to a lower value.</p>
+
+<p><strong>If your compilations are failing on “Cannot launch background server”</strong></p>
+
+<p>The most likely cause is TCP ports are already used on your computer. Try to
+change it by editing your <code>$HOME/.jack </code>(<code>SERVER_PORT_SERVICE</code> and <code>SERVER_PORT_ADMIN</code> variables).</p>
+
+<p>If it doesn’t solve the problem, please report and attach your compilation log
+and the Jack server log (see ‘Finding the Jack log’ below to know where to find
+the server log file). To unblock the situation, disable jack compilation server
+by editing your <code>$HOME/.jack</code> and changing <code>SERVER</code> to false. Unfortunately this will significantly slow down your compilation and
+may force you to launch <code>make -j</code> with load control (option "<code>-l</code>" of <code>make</code>). </p>
+
+<p><strong>If your compilation gets stuck without any progress</strong></p>
+
+<p>Please report this and give us the following additional information (where
+possible):</p>
+
+<ul>
+ <li> The command line at which you are stuck.
+ <li> The output of this command line.
+ <li> The result of executing <code>jack-admin server-stat</code>.
+ <li> The <code>$HOME/.jack</code> file.
+ <li> The content of the server log with the server state dumped. To get this —
+ <ul>
+ <li> Find the Jack background server process by running <code>jack-admin list-server</code>.
+ <li> Send a <code>kill -3</code> command to this server to dump its state into the log file.
+ <li> To locate the server log file, see ‘Finding the Jack log’ below.
+ </ul>
+ <li> The result of executing <code>ls -lR $TMPDIR/jack-$USER.</code>
+ <li> The result of running <code>ps j -U $USER.</code>
+</ul>
+
+<p>You should be able to unblock yourself by killing the Jack background server
+(use <code>jack-admin kill-server</code>), and then by removing its temporary directories contained in <code>jack-$USER</code> of your temporary directory (<code>/tmp</code> or <code>$TMPDIR</code>).</p>
+
+<p><strong>If you have any other issues </strong></p>
+
+<p>To report bugs or request features, please use our public issue tracker,
+available at <a href="http://b.android.com">http://b.android.com</a>, with the <a href="https://code.google.com/p/android/issues/entry?template=Jack%20bug%20report">Jack tool bug report</a> or <a href="https://code.google.com/p/android/issues/entry?template=Jack%20feature%20request">Jack tool feature request</a> templates. Please attach the Jack log to the bug report. </p>
+<table>
+ <tr>
+ <td><strong>Finding the Jack log</strong>
+<ul>
+ <li> If you ran a make command with a dist target, the Jack log is located at <code>$ANDROID_BUILD_TOP/out/dist/logs/jack-server.log</code>
+ <li> Otherwise you can find it in by running <code>jack-admin server-log</code>
+</ul>
+</td>
+ </tr>
+</table>
+
+<p>In case of reproducible Jack failures, you can get a more detailed log by
+setting one variable, as follows:</p>
+
+<pre class=prettyprint>
+$ export ANDROID_JACK_EXTRA_ARGS= "--verbose debug --sanity-checks on -D
+sched.runner=single-threaded"
+</pre>
+
+<p>Then use your standard makefile commands to compile the tree or your project
+and attach its standard output and error.</p>
+
+<p>To remove detailed build logs use:</p>
+
+<pre class=prettyprint>
+$ unset ANDROID_JACK_EXTRA_ARGS
+</pre>
+
+<h3 id=jack_limitations>Jack limitations</h3>
+
+<ul>
+ <li> The Jack server is mono-user by default, so can be only used by one user on a
+computer. If it is not the case, please, choose different port numbers for each
+user and adjust SERVER_NB_COMPILE accordingly. You can also disable the Jack
+server by setting SERVER=false in your $HOME/.jack.
+ <li> CTS compilation is slow due to current vm-tests-tf integration.
+ <li> Bytecode manipulation tools, like JaCoCo, are not supported.
+</ul>
+
+<h2 id=using_jack_features>Using Jack features</h2>
+
+<p>Jack supports Java programming language 1.7 and integrates additional features
+described below.</p>
+
+<h3 id=predexing>Predexing </h3>
+
+<p>When generating a JACK library file, the .dex of the library is generated and
+stored inside the .jack library file as a pre-dex. When compiling, JACK reuses
+the pre-dex from each library.</p>
+
+<p>All libraries are pre-dexed.</p>
+
+<img src="{@docRoot}images/pre-dex.png" height="75%" width="75%" alt="Jack libraries with pre-dex" />
+<p class="img-caption"><strong>Figure 4. </strong>Jack libraries with pre-dex</p>
+
+<h4 id=limitations>Limitations</h4>
+
+
+<p>Currently, JACK does not reuse the library pre-dex if
+shrinking/obfuscation/repackaging is used in the compilation.</p>
+
+<h3 id=incremental_compilation>Incremental compilation</h3>
+
+
+<p>Incremental compilation means that only components that were touched since the
+last compilation, and their dependencies, are recompiled. Incremental
+compilation can be significantly faster than a full compilation when changes
+are limited to only a limited set of components.</p>
+
+<h4 id=limitations>Limitations</h4>
+
+
+<p>Incremental compilation is deactivated when shrinking, obfuscation, repackaging
+or multi-dex legacy is enabled.</p>
+
+<h4 id=enabling_incremental_builds>Enabling incremental builds</h4>
+
+
+<p>Currently incremental compilation is not enabled by default. To enable
+incremental builds, add the following line to the Android.mk file of the
+project that you want to build incrementally:</p>
+
+<pre class=prettyprint>
+LOCAL_JACK_ENABLED := incremental
+</pre>
+
+<p class="note"><strong>Note:</strong> The first time that you build your project with Jack if some dependencies
+are not built, use <code>mma</code> to build them, and after that you can use the standard build command.</p>
+
+<h3 id=shrinking_and_obfuscation>Shrinking and Obfuscation</h3>
+
+<p>JACK has shrinking and obfuscation support and uses proguard configuration
+files to enable shrinking and obfuscation features. Here are the supported and
+ignored options:</p>
+
+<h4 id=supported_common_options>Supported common options</h4>
+
+
+<p>Common options include the following:</p>
+
+<ul>
+ <li> <code>@</code>
+ <li> <code>-include</code>
+ <li> <code>-basedirectory</code>
+ <li> <code>-injars</code>
+ <li> <code>-outjars // only 1 output jar supported</code>
+ <li> <code>-libraryjars</code>
+ <li> <code>-keep</code>
+ <li> <code>-keepclassmembers</code>
+ <li> <code>-keepclasseswithmembers</code>
+ <li> <code>-keepnames</code>
+ <li> <code>-keepclassmembernames</code>
+ <li> <code>-keepclasseswithmembernames</code>
+ <li> <code>-printseeds</code>
+</ul>
+
+<h4 id=supported_shrinking_options>Supported shrinking options</h4>
+
+
+<p>Shrinking options include the following:</p>
+
+<ul>
+ <li> <code>-dontshrink</code>
+</ul>
+
+<h4 id=supported_obfuscation_options>Supported obfuscation options</h4>
+
+
+<p>Obfuscation options include the following:</p>
+
+<ul>
+ <li> <code>-dontobfuscate</code>
+ <li> <code>-printmapping</code>
+ <li> <code>-applymapping</code>
+ <li> <code>-obfuscationdictionary</code>
+ <li> <code>-classobfuscationdictionary</code>
+ <li> <code>-packageobfuscationdictionary</code>
+ <li> <code>-useuniqueclassmembernames</code>
+ <li> <code>-dontusemixedcaseclassnames</code>
+ <li> <code>-keeppackagenames</code>
+ <li> <code>-flattenpackagehierarchy</code>
+ <li> <code>-repackageclasses</code>
+ <li> <code>-keepattributes</code>
+ <li> <code>-adaptclassstrings</code>
+</ul>
+
+<h4 id=ignored_options>Ignored options</h4>
+
+
+<p>Ignored options include the following:</p>
+
+<ul>
+ <li> <code>-dontoptimize // Jack does not optimize</code>
+ <li> <code>-dontpreverify // Jack does not preverify</code>
+ <li> <code>-skipnonpubliclibraryclasses</code>
+ <li> <code>-dontskipnonpubliclibraryclasses</code>
+ <li> <code>-dontskipnonpubliclibraryclassmembers</code>
+ <li> <code>-keepdirectories</code>
+ <li> <code>-target</code>
+ <li> <code>-forceprocessing</code>
+ <li> <code>-printusage</code>
+ <li> <code>-whyareyoukeeping</code>
+ <li> <code>-optimizations</code>
+ <li> <code>-optimizationpasses</code>
+ <li> <code>-assumenosideeffects</code>
+ <li> <code>-allowaccessmodification</code>
+ <li> <code>-mergeinterfacesaggressively</code>
+ <li> <code>-overloadaggressively</code>
+ <li> <code>-microedition</code>
+ <li> <code>-verbose</code>
+ <li> <code>-dontnote</code>
+ <li> <code>-dontwarn</code>
+ <li> <code>-ignorewarnings</code>
+ <li> <code>-printconfiguration</code>
+ <li> <code>-dump</code>
+</ul>
+
+<p class="note"><strong>Note:</strong> Other options will generate an error.</p>
+
+<h3 id=repackaging>Repackaging</h3>
+
+<p>JACK uses jarjar configuration files to do the repackaging.</p>
+
+<p class="note"><strong>Note:</strong> JACK is compatible with "rule" rule types, but is not compatible with "zap" or
+"keep" rule types. If you need "zap" or "keep" rule types please file a feature
+request with a description of how you use the feature in your app.</p>
+
+<h3 id=multidex_support>Multidex support</h3>
+
+
+<p>Since dex files are limited to 65K methods, apps with over 65K methods must be
+split into multiple dex files. (See <a href="http://developer.android.com/tools/building/multidex.html">‘Building Apps with Over 65K Methods’</a> for more information about multidex.)</p>
+
+<p>Jack offers native and legacy multidex support. </p>
+
