authorKenny Root <kroot@google.com>2013-10-25 10:55:04 -0700
committerNick Kralevich <nnk@google.com>2014-04-18 14:03:35 -0700
commitfea9aa6eb8d46768acafc3b905798a9d42e4caaf (patch)
tree71316eb619c1baf044ec61651762e07b852c5c48 /include
parent1fbd8eff42f413040b00e7a6b7cf3a5bb338d6f1 (diff)
keymaster: add flags indicating feature support
For wrapping the disk encryption secret, we add a flag that indicates it can be done without having to start some storage daemon which the trusted OS will query to get data needed to load up the keys. This usually means that the "key blob" we store is actually just the RSA key encrypted with the device's KEK and not a reference to an encrypted filesystem stored on /data. Also, to allow other providers to upgrade to V3 of the header, we add flags to show whether the keymaster supports different key types. This allows keymaster HALs to support the whole device encryption secret wrapping without needing to implement DSA and EC key handling. The V2 header made support implicit. (cherry picked from commit 8a3849e26f9c64314edb69586819250e8f95c1eb) Change-Id: I49be8403faf9f4c3888c84848b3009b44ab6d183
Diffstat (limited to 'include')
-rw-r--r--include/hardware/keymaster.h31
1 files changed, 29 insertions, 2 deletions
diff --git a/include/hardware/keymaster.h b/include/hardware/keymaster.h
index 6752146..12158bf 100644
--- a/include/hardware/keymaster.h
+++ b/include/hardware/keymaster.h
@@ -36,11 +36,14 @@ __BEGIN_DECLS
* Settings for "module_api_version" and "hal_api_version"
* fields in the keymaster_module initialization.
*/
-#define KEYMASTER_HEADER_VERSION 2
+#define KEYMASTER_HEADER_VERSION 3
#define KEYMASTER_MODULE_API_VERSION_0_2 HARDWARE_MODULE_API_VERSION(0, 2)
#define KEYMASTER_DEVICE_API_VERSION_0_2 HARDWARE_DEVICE_API_VERSION_2(0, 2, KEYMASTER_HEADER_VERSION)
+#define KEYMASTER_MODULE_API_VERSION_0_3 HARDWARE_MODULE_API_VERSION(0, 3)
+#define KEYMASTER_DEVICE_API_VERSION_0_3 HARDWARE_DEVICE_API_VERSION_2(0, 3, KEYMASTER_HEADER_VERSION)
+
/**
* Flags for keymaster_device::flags
*/
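Review bot: Bumping `KEYMASTER_HEADER_VERSION` to 3 also changes the value of `KEYMASTER_DEVICE_API_VERSION_0_2`, because that macro and the new `KEYMASTER_DEVICE_API_VERSION_0_3` both pass the header version as their third argument. Assuming `HARDWARE_DEVICE_API_VERSION_2` encodes that argument into the result, a HAL built against the old header reports 0.2 with header version 2, and an equality check against the recompiled 0_2 constant would no longer match it. If the 0_2 constant is meant to identify already-built modules, pin it, e.g. `#define KEYMASTER_DEVICE_API_VERSION_0_2 HARDWARE_DEVICE_API_VERSION_2(0, 2, 2)`. Otherwise add a comment here stating that callers must compare the major/minor part only.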
@@ -52,7 +55,31 @@ enum {
* This should not be implemented on anything other than the default
* implementation.
*/
- KEYMASTER_SOFTWARE_ONLY = 0x00000001,
+ KEYMASTER_SOFTWARE_ONLY = 1 << 0,
+
+ /*
+ * This indicates that the key blobs returned via all the primitives
+ * are sufficient to operate on their own without the trusted OS
+ * querying userspace to retrieve some other data. Key blobs of
+ * this type are normally returned encrypted with a
+ * Key Encryption Key (KEK).
+ *
+ * This is currently used by "vold" to know whether the whole disk
+ * encryption secret can be unwrapped without having some external
+ * service started up beforehand since the "/data" partition will
+ * be unavailable at that point.
+ */
+ KEYMASTER_BLOBS_ARE_STANDALONE = 1 << 1,
+
+ /*
+ * Indicates that the keymaster module supports DSA keys.
+ */
+ KEYMASTER_SUPPORTS_DSA = 1 << 2,
+
+ /*
+ * Indicates that the keymaster module supports EC keys.
+ */
+ KEYMASTER_SUPPORTS_EC = 1 << 3,
};
struct keystore_module {
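Review bot: The comments on `KEYMASTER_SUPPORTS_DSA` and `KEYMASTER_SUPPORTS_EC` do not say that these bits are meaningful only for modules reporting API 0.3 or later; the commit message says V2 made support implicit, so a caller that tests the flag without first checking the version would wrongly treat a 0.2 module as lacking DSA/EC. Suggest adding to each comment: `* Only valid when module_api_version >= KEYMASTER_MODULE_API_VERSION_0_3; 0.2 modules support this key type implicitly.` The same version caveat applies to `KEYMASTER_BLOBS_ARE_STANDALONE`, and since the flag is self-reported by the module and drives how vold unwraps the disk encryption secret, its comment should also state whether it may be set together with `KEYMASTER_SOFTWARE_ONLY` and what a caller should conclude in that case. The enum opens outside the hunk.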