1/*
2 * Copyright (C) 2019 The Android Open Source Project
3 *
4 * Licensed under the Apache License, Version 2.0 (the "License");
5 * you may not use this file except in compliance with the License.
6 * You may obtain a copy of the License at
7 *
8 *      http://www.apache.org/licenses/LICENSE-2.0
9 *
10 * Unless required by applicable law or agreed to in writing, software
11 * distributed under the License is distributed on an "AS IS" BASIS,
12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 * See the License for the specific language governing permissions and
14 * limitations under the License.
15 */
16
17package android.hardware.keymaster@4.1;
18
19import @4.0::ErrorCode;
20import @4.0::Tag;
21import @4.0::TagType;
22
/**
 * Tags introduced by Keymaster 4.1, extending @4.0::Tag.  Every value declared here is a tag
 * number OR'ed with TagType:BOOL.
 */
23enum Tag : @4.0::Tag {
24    /**
25     * Keys tagged with EARLY_BOOT_ONLY may only be used, or created, during early boot, until
26     * IKeymasterDevice::earlyBootEnded() is called.
27     */
28    EARLY_BOOT_ONLY = TagType:BOOL | 305,
29
30    /**
31     * DEVICE_UNIQUE_ATTESTATION is an argument to IKeymasterDevice::attestKey().  It indicates that
32     * attestation using a device-unique key is requested, rather than a batch key.  When a
33     * device-unique key is used, only the attestation certificate is returned; no additional
34     * chained certificates are provided.  It's up to the caller to recognize the device-unique
35     * signing key.  Only SecurityLevel::STRONGBOX IKeymasterDevices may support device-unique
36     * attestations.  SecurityLevel::TRUSTED_ENVIRONMENT IKeymasterDevices must return
37     * ErrorCode::INVALID_ARGUMENT if they receive DEVICE_UNIQUE_ATTESTATION.
38     * SecurityLevel::STRONGBOX IKeymasterDevices need not support DEVICE_UNIQUE_ATTESTATION, and
39     * return ErrorCode::CANNOT_ATTEST_IDS if they do not support it.
40     *
41     * IKeymasterDevice implementations that support device-unique attestation MUST add the
42     * DEVICE_UNIQUE_ATTESTATION tag to device-unique attestations.
     *
     * Verification consequence: because no certificate chain accompanies a device-unique
     * attestation, a relying party cannot validate it by chaining to a root.  It has to already
     * know and trust the device-unique signing key, and should treat an attestation carrying this
     * tag whose signing key it does not recognize as unverified.
43     */
44    DEVICE_UNIQUE_ATTESTATION = TagType:BOOL | 720,
45
46    /**
47     * IDENTITY_CREDENTIAL_KEY is never used by IKeymasterDevice, is not a valid argument to key
48     * generation or any operation, is never returned by any method and is never used in a key
49     * attestation.  It is used in attestations produced by the IIdentityCredential HAL when that
50     * HAL attests to Credential Keys.  IIdentityCredential produces Keymaster-style attestations.
51     */
52    IDENTITY_CREDENTIAL_KEY = TagType:BOOL | 721,
53
54    /**
55     * To prevent keys from being compromised if an attacker acquires read access to system / kernel
56     * memory, some inline encryption hardware supports protecting storage encryption keys in hardware
57     * without software having access to or the ability to set the plaintext keys. Instead, software
58     * only sees wrapped versions of these keys.
59     *
60     * STORAGE_KEY is used to denote that a key generated or imported is a key used for storage
61     * encryption. Keys of this type can either be generated or imported or securely imported using
62     * keymaster. exportKey() can be used to re-wrap a storage key under a per-boot ephemeral key,
63     * producing an ephemerally wrapped key, once the key characteristics are enforced.
64     *
65     * Keys with this tag cannot be used for any operation within keymaster.
66     * ErrorCode::INVALID_OPERATION is returned when a key with Tag::STORAGE_KEY is provided to
67     * begin().
68     */
69    STORAGE_KEY = TagType:BOOL | 722,
70};
71
/**
 * Error codes introduced by Keymaster 4.1, extending @4.0::ErrorCode.  The values continue the
 * negative numbering from -73 to -77.
 */
72enum ErrorCode : @4.0::ErrorCode {
    /**
     * NOTE(review): presumably returned when a key tagged Tag::EARLY_BOOT_ONLY is used or created
     * after IKeymasterDevice::earlyBootEnded() has been called; confirm against IKeymasterDevice.
     */
73    EARLY_BOOT_ENDED = -73,
    /**
     * NOTE(review): by its name, signals that attestation keys have not been provisioned on the
     * device; the methods that return it are not visible in this file and need confirming.
     */
74    ATTESTATION_KEYS_NOT_PROVISIONED = -74,
    /**
     * NOTE(review): by its name, signals that attestation IDs have not been provisioned on the
     * device; the methods that return it are not visible in this file and need confirming.
     */
75    ATTESTATION_IDS_NOT_PROVISIONED = -75,
    /**
     * Returned when a key carrying Tag::STORAGE_KEY is provided to begin(); such keys cannot be
     * used for any operation within keymaster (see the Tag::STORAGE_KEY documentation).
     */
76    INVALID_OPERATION = -76,
    /**
     * NOTE(review): presumably returned when Tag::STORAGE_KEY is requested from an implementation
     * that does not support hardware-wrapped storage keys; confirm against IKeymasterDevice.
     */
77    STORAGE_KEY_UNSUPPORTED = -77,
78};
79