Merge changes from topic "RKP_metrics"
* changes:
Add Security Level and the four key states to RkpPoolStats
Remove obsolete keystore2 atoms.
diff --git a/stats/atoms.proto b/stats/atoms.proto
index 4653f00..874b6f6 100644
--- a/stats/atoms.proto
+++ b/stats/atoms.proto
@@ -507,10 +507,7 @@
RebootEscrowRebootReported reboot_escrow_reboot_reported = 341 [(module) = "framework"];
MediametricsMediaParserReported mediametrics_mediaparser_reported = 316;
BinderLatencyReported binder_latency_reported = 342 [(module) = "framework"];
- Keystore2KeyCreationEventReported keystore2_key_creation_event_reported = 360;
- Keystore2KeyOperationEventReported keystore2_key_operation_event_reported = 361;
- Keystore2CrashEventReported keystore2_crash_event_reported = 362;
- RkpErrorReported rkp_error_reported = 363;
+ // 360-363 are reserved.
OdrefreshReported odrefresh_reported = 366 [(module) = "art"];
NetworkIpReachabilityMonitorReported network_ip_reachability_monitor_reported =
367 [(module) = "network_stack"];
@@ -12096,216 +12093,6 @@
}
/**
- * Logs: creation of different types of cryptographic keys in keystore2.
- * Logged from: system/security/keystore2/metrics.rs
- */
-message Keystore2KeyCreationEventReported {
-
- enum Algorithm {
- // ALGORITHM is prepended because UNSPECIFIED exists in other enums as well.
- ALGORITHM_UNSPECIFIED = 0;
- // Asymmetric algorithms.
- RSA = 1;
- // 2 removed, do not reuse.
- EC = 3;
- // Block cipher algorithms
- AES = 32;
- TRIPLE_DES = 33;
- // MAC algorithms
- HMAC = 128;
- };
- // Algorithm associated with the key
- optional Algorithm algorithm = 1;
-
- // Size of the key, based on the algorithm used.
- optional int32 key_size = 2;
-
- enum KeyOrigin {
- // Unspecified takes 0. Other values are incremented by 1 compared to keymint spec.
- ORIGIN_UNSPECIFIED = 0;
- // Generated in keymaster. Should not exist outside the TEE.
- GENERATED = 1;
- // Derived inside keymaster. Likely exists off-device.
- DERIVED = 2;
- // Imported into keymaster. Existed as cleartext in Android.
- IMPORTED = 3;
- // Previously used for another purpose that is now obsolete.
- RESERVED = 4;
- // Securely imported into Keymaster.
- SECURELY_IMPORTED = 5;
- };
- // Logs whether the key was generated, imported, securely imported, or derived.
- optional KeyOrigin key_origin = 3;
-
- enum HardwareAuthenticatorType {
- // Unspecified takes 0. Other values are incremented by 1 compared to keymint spec.
- AUTH_TYPE_UNSPECIFIED = 0;
- NONE = 1;
- PASSWORD = 2;
- FINGERPRINT = 3;
- ANY = 5;
- };
- /**
- * What auth types does this key require? If none,
- * then no auth required.
- */
- optional HardwareAuthenticatorType user_auth_type = 4;
-
- /**
- * If user authentication is required, is the requirement time based? If it
- * is time based then this field indicates the time out in seconds.
- */
- optional int32 user_auth_key_timeout_seconds = 5;
-
- /**
- * Padding mode, digest, block_mode and purpose should ideally be repeated
- * fields. However, since statsd does not support repeated fields in
- * pushed atoms, they are represented using bitmaps.
- */
-
- /**
- * Track which padding mode is being used.
- * Bitmap composition is given by PaddingModeBitPosition enum
- * defined in system/security/keystore2/metrics.rs.
- */
- optional int32 padding_mode_bitmap = 6;
-
- /**
- * Track which digest is being used.
- * Bitmap composition is given by DigestBitPosition enum
- * defined in system/security/keystore2/metrics.rs.
- */
- optional int32 digest_bitmap = 7;
-
- /**
- * Track which block mode is being used.
- * Bitmap composition is given by BlockModeBitPosition enum
- * defined in system/security/keystore2/metrics.rs.
- */
- optional int32 block_mode_bitmap = 8;
-
- /**
- * Track which purpose is being used.
- * Bitmap composition is given by KeyPurposeBitPosition enum
- * defined in system/security/keystore2/metrics.rs.
- */
- optional int32 purpose_bitmap = 9;
-
- enum EcCurve {
- // Unspecified takes 0. Other values are incremented by 1 compared to keymint spec.
- EC_CURVE_UNSPECIFIED = 0;
- P_224 = 1;
- P_256 = 2;
- P_384 = 3;
- P_521 = 4;
- };
- // Which ec curve was selected if elliptic curve cryptography is in use
- optional EcCurve ec_curve = 10;
-
- /**
- * Response code (system/hardware/interfaces/keystore2/aidl/../ResponseCode.aidl)
- * or
- * error code (hardware/interfaces/security/keymint/aidl/../ErrorCode.aidl)
- */
- optional int32 error_code = 11;
-
- // Indicates whether key attestation requested in creation
- optional bool attestation_requested = 12;
-
- // Security level of the Keymint instance which creates the key.
- optional android.system.security.keystore2.SecurityLevelEnum security_level = 13;
-}
-
-/**
- * Logs operations using cryptographic keys in keystore2.
- * Logged from: system/security/keystore2/metrics.rs
- */
-message Keystore2KeyOperationEventReported {
-
- enum KeyPurpose {
- // Unspecified takes 0. Other values are incremented by 1 compared to keymint spec.
- KEY_PURPOSE_UNSPECIFIED = 0;
-
- // Usable with RSA, EC and AES keys.
- ENCRYPT = 1;
-
- // Usable with RSA, EC and AES keys.
- DECRYPT = 2;
-
- // Usable with RSA, EC and HMAC keys.
- SIGN = 3;
-
- // Usable with RSA, EC and HMAC keys.
- VERIFY = 4;
-
- // 5 is reserved
- // Usable with wrapping keys.
- WRAP_KEY = 6;
-
- // Key Agreement, usable with EC keys.
- AGREE_KEY = 7;
-
- // Usable as an attestation signing key.
- ATTEST_KEY = 8;
- }
- // Purpose of the key operation
- optional KeyPurpose purpose = 1;
-
- /**
- * Padding mode, digest, block_mode and purpose should ideally be repeated
- * fields. However, since statsd does not support repeated fields in
- * pushed atoms, they are represented using bitmaps.
- */
-
- /**
- * Track which padding mode is being used.
- * Bitmap composition is given by PaddingModeBitPosition enum
- * defined in system/security/keystore2/metrics.rs.
- */
- optional int32 padding_mode_bitmap = 2;
-
- /**
- * Track which digest is being used.
- * Bitmap composition is given by DigestBitPosition enum
- * defined in system/security/keystore2/metrics.rs.
- */
- optional int32 digest_bitmap = 3;
-
- /**
- * Track which block mode is being used.
- * Bitmap composition is given by BlockModeBitPosition enum
- * defined in system/security/keystore2/metrics.rs.
- */
- optional int32 block_mode_bitmap = 4;
-
- enum Outcome {
- OUTCOME_UNSPECIFIED = 0;
- DROPPED = 1;
- SUCCESS = 2;
- ABORT = 3;
- PRUNED = 4;
- ERROR = 5;
- }
- // Outcome of the operation
- optional Outcome outcome = 5;
-
- // Response code or error code in case of error outcome
- optional int32 error_code = 6;
-
- // Indicates whether the key was upgraded during the operation
- optional bool key_upgraded = 7;
-
- // Security level of the Keymint instance which performs the operation.
- optional android.system.security.keystore2.SecurityLevelEnum security_level = 8;
-}
-
-/**
- * Logs: Keystore 2 crash events.
- * Logged from: system/security/keystore2
- */
-message Keystore2CrashEventReported {}
-
-/**
* Logs: key creation events with Algorithm, Origin, Error and Attestation info.
* Logged from: system/security/keystore2/metrics.rs
*/
@@ -12579,23 +12366,6 @@
* Logs Remote Key Provisioning (RKP) related error events.
* Logged from: system/security/keystore2
*/
-message RkpErrorReported {
-
- enum RkpErrorEvent {
- RKP_ERROR_UNSPECIFIED = 0;
- // The key pool is out of keys.
- OUT_OF_KEYS = 1;
- // Falling back to factory provisioned keys during hybrid mode.
- FALL_BACK_DURING_HYBRID = 2;
- }
- // Type of the error event
- optional RkpErrorEvent rkp_error_event = 1;
-}
-
-/**
- * Logs Remote Key Provisioning (RKP) related error events.
- * Logged from: system/security/keystore2
- */
message RkpErrorStats {
enum RkpError {
@@ -12613,22 +12383,39 @@
}
/**
- * Logs: Count of keys in the key pool related to
+ * Logs: Status of the attestation key pool related to
* Remote Key Provisioning (RKP).
* Logged from: system/security/keystore2
*/
message RkpPoolStats {
- enum PoolStatus {
- EXPIRING = 1;
- UNASSIGNED = 2;
- ATTESTED = 3;
- TOTAL = 4;
- }
- // State of the attestation key pool, for which the count of keys is reported.
- optional PoolStatus pool_status = 1;
+ /**
+ * Security level of the Keymint instance associated with the
+ * attestation pool status.
+ */
+ optional android.system.security.keystore2.SecurityLevelEnum security_level = 1;
- // Count of keys in the particular status
- optional int32 count_of_keys = 2;
+ /**
+ * The number of signed attestation certificate chains which are
+ * expired.
+ */
+ optional int32 expiring = 2;
+
+ /**
+ * The number of signed attestation certificate chains which have
+ * not yet been assigned to an app.
+ */
+ optional int32 unassigned = 3;
+
+ /**
+ * The number of signed attestation keys.
+ */
+ optional int32 attested = 4;
+
+ /**
+ * The total number of attestation keys.
+ */
+ optional int32 total = 5;
+
}
/**