/*
 * Copyright (C) 2019 The Android Open Source Project
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 *      http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */

package android.hardware.keymaster@4.1;

import @4.0::ErrorCode;
import @4.0::HardwareAuthToken;
import @4.0::IKeymasterDevice;
import @4.0::KeyParameter;
import @4.0::KeyPurpose;
import @4.0::OperationHandle;
import @4.0::VerificationToken;

/**
 * @4.1::IKeymasterDevice is a minor extension to @4.0::IKeymasterDevice. It adds support for
 *
 * - Partial hardware enforcement of UNLOCKED_DEVICE_REQUIRED keys;
 * - Device-unique attestation;
 * - Early boot only keys;
 * - Better cleanup of operations when clients die without completing or aborting them.
 *
 * @4.1::IKeymasterDevice::attestKey() must produce attestations with keymasterVersion 41. An
 * oversight in the original numbering left no room for minor versions, so starting with 4.1 the
 * versions will be numbered as major_version * 10 + minor_version. The addition of new attestable
 * tags changes the attestation format again, slightly, so the attestationVersion must be 4.
 */
@SensitiveData
interface IKeymasterDevice extends @4.0::IKeymasterDevice {
    /**
     * Called by client to notify the IKeymasterDevice that the device is now locked, and keys with
     * the UNLOCKED_DEVICE_REQUIRED tag should no longer be usable. When this function is called,
     * the IKeymasterDevice should note the current timestamp, and attempts to use
     * UNLOCKED_DEVICE_REQUIRED keys must be rejected with ErrorCode::DEVICE_LOCKED until an
     * authentication token with a later timestamp is presented. If the `passwordOnly` argument is
     * set to true, the sufficiently-recent authentication token must indicate that the user
     * authenticated with a password, not a biometric.
     *
     * Note that the IKeymasterDevice UNLOCKED_DEVICE_REQUIRED semantics are slightly different from
     * the UNLOCKED_DEVICE_REQUIRED semantics enforced by keystore. Keystore handles device locking
     * on a per-user basis. Because auth tokens do not contain an Android user ID, it is not
     * possible to replicate the keystore enforcement logic in IKeymasterDevice. So from the
     * IKeymasterDevice perspective, any user unlock unlocks all UNLOCKED_DEVICE_REQUIRED keys.
     * Keystore will continue enforcing the per-user device locking.
     *
     * @param passwordOnly specifies whether the device must be unlocked with a password, rather
     *        than a biometric, before UNLOCKED_DEVICE_REQUIRED keys can be used.
     *
     * @param verificationToken is used by StrongBox implementations of IKeymasterDevice. It
     *        provides the StrongBox IKeymasterDevice with a fresh, MACed timestamp which it can use
     *        as the device-lock time, for future comparison against auth tokens when operations
     *        using UNLOCKED_DEVICE_REQUIRED keys are attempted. Unless the auth token timestamp is
     *        newer than the timestamp in the verificationToken, the device is still considered to
     *        be locked. Crucially, if a StrongBox IKeymasterDevice receives a deviceLocked() call
     *        with a verification token timestamp that is less than the timestamp in the last
     *        deviceLocked() call, it must ignore the new timestamp. TEE IKeymasterDevice
     *        implementations will receive an empty verificationToken (zero values and empty
     *        vectors) and should use their own clock as the device-lock time.
     */
    deviceLocked(bool passwordOnly, VerificationToken verificationToken) generates (ErrorCode error);

    /**
     * Called by client to notify the IKeymasterDevice that the device has left the early boot
     * state, and that keys with the EARLY_BOOT_ONLY tag may no longer be used. All attempts to use
     * an EARLY_BOOT_ONLY key after this method is called must fail with ErrorCode::INVALID_KEY_BLOB.
     */
    earlyBootEnded() generates (ErrorCode error);
};