Merge changes from topics "wrapped_key_import", "keystore_seclevels"
* changes:
Add importWrappedKey to IKeystoreService.aidl
Keystore: Use security levels
diff --git a/core/java/android/security/IKeystoreService.aidl b/core/java/android/security/IKeystoreService.aidl
index 42282ac..57477f5 100644
--- a/core/java/android/security/IKeystoreService.aidl
+++ b/core/java/android/security/IKeystoreService.aidl
@@ -56,7 +56,7 @@
int clear_uid(long uid);
// Keymaster 0.4 methods
- int addRngEntropy(in byte[] data);
+ int addRngEntropy(in byte[] data, int flags);
int generateKey(String alias, in KeymasterArguments arguments, in byte[] entropy, int uid,
int flags, out KeyCharacteristics characteristics);
int getKeyCharacteristics(String alias, in KeymasterBlob clientId, in KeymasterBlob appId,
@@ -78,4 +78,8 @@
int attestKey(String alias, in KeymasterArguments params, out KeymasterCertificateChain chain);
int attestDeviceIds(in KeymasterArguments params, out KeymasterCertificateChain chain);
int onDeviceOffBody();
+ int importWrappedKey(in String wrappedKeyAlias, in byte[] wrappedKey,
+ in String wrappingKeyAlias, in byte[] maskingKey, in KeymasterArguments arguments,
+ in long rootSid, in long fingerprintSid,
+ out KeyCharacteristics characteristics);
}
diff --git a/keystore/java/android/security/KeyStore.java b/keystore/java/android/security/KeyStore.java
index 399dddd..fabcdf0 100644
--- a/keystore/java/android/security/KeyStore.java
+++ b/keystore/java/android/security/KeyStore.java
@@ -95,6 +95,16 @@
public static final int FLAG_ENCRYPTED = 1;
/**
+ * Select Software keymaster device, which as of this writing is the lowest security
+ * level available on an android device. If neither FLAG_STRONGBOX nor FLAG_SOFTWARE is provided
+ * A TEE based keymaster implementation is implied.
+ *
+ * Need to be in sync with KeyStoreFlag in system/security/keystore/include/keystore/keystore.h
+ * For historical reasons this corresponds to the KEYSTORE_FLAG_FALLBACK flag.
+ */
+ public static final int FLAG_SOFTWARE = 1 << 1;
+
+ /**
* A private flag that's only available to system server to indicate that this key is part of
* device encryption flow so it receives special treatment from keystore. For example this key
* will not be super encrypted, and it will be stored separately under an unique UID instead
@@ -104,6 +114,16 @@
*/
public static final int FLAG_CRITICAL_TO_DEVICE_ENCRYPTION = 1 << 3;
+ /**
+ * Select Strongbox keymaster device, which as of this writing the the highest security level
+ * available an android devices. If neither FLAG_STRONGBOX nor FLAG_SOFTWARE is provided
+ * A TEE based keymaster implementation is implied.
+ *
+ * Need to be in sync with KeyStoreFlag in system/security/keystore/include/keystore/keystore.h
+ */
+ public static final int FLAG_STRONGBOX = 1 << 4;
+
+
// States
public enum State { UNLOCKED, LOCKED, UNINITIALIZED };
@@ -440,9 +460,9 @@
return mError;
}
- public boolean addRngEntropy(byte[] data) {
+ public boolean addRngEntropy(byte[] data, int flags) {
try {
- return mBinder.addRngEntropy(data) == NO_ERROR;
+ return mBinder.addRngEntropy(data, flags) == NO_ERROR;
} catch (RemoteException e) {
Log.w(TAG, "Cannot connect to keystore", e);
return false;