Support 2nd IMEI and bump KeyMint version to 3

Part of the changes to include the 2nd IMEI in the attestation record.

Bug: 244732345
Test: atest android.keystore.cts.DeviceOwnerKeyManagementTest
Change-Id: I2f455dd54e9aa017a741656482dd89059de15a91
diff --git a/android_keymaster/keymaster_enforcement.cpp b/android_keymaster/keymaster_enforcement.cpp
index de768cb..5c3bf01 100644
--- a/android_keymaster/keymaster_enforcement.cpp
+++ b/android_keymaster/keymaster_enforcement.cpp
@@ -313,6 +313,7 @@
         case KM_TAG_ATTESTATION_ID_PRODUCT:
         case KM_TAG_ATTESTATION_ID_SERIAL:
         case KM_TAG_ATTESTATION_ID_IMEI:
+        case KM_TAG_ATTESTATION_ID_SECOND_IMEI:
         case KM_TAG_ATTESTATION_ID_MEID:
         case KM_TAG_ATTESTATION_ID_MANUFACTURER:
         case KM_TAG_ATTESTATION_ID_MODEL:
diff --git a/android_keymaster/keymaster_tags.cpp b/android_keymaster/keymaster_tags.cpp
index dc42061..f1aafea 100644
--- a/android_keymaster/keymaster_tags.cpp
+++ b/android_keymaster/keymaster_tags.cpp
@@ -131,6 +131,8 @@
         return "KM_TAG_ATTESTATION_ID_SERIAL";
     case KM_TAG_ATTESTATION_ID_IMEI:
         return "KM_TAG_ATTESTATION_ID_IMEI";
+    case KM_TAG_ATTESTATION_ID_SECOND_IMEI:
+        return "KM_TAG_ATTESTATION_ID_SECOND_IMEI";
     case KM_TAG_ATTESTATION_ID_MEID:
         return "KM_TAG_ATTESTATION_ID_MEID";
     case KM_TAG_ATTESTATION_ID_MANUFACTURER:
@@ -214,6 +216,7 @@
 DEFINE_KEYMASTER_TAG(KM_BYTES, TAG_ATTESTATION_ID_PRODUCT);
 DEFINE_KEYMASTER_TAG(KM_BYTES, TAG_ATTESTATION_ID_SERIAL);
 DEFINE_KEYMASTER_TAG(KM_BYTES, TAG_ATTESTATION_ID_IMEI);
+DEFINE_KEYMASTER_TAG(KM_BYTES, TAG_ATTESTATION_ID_SECOND_IMEI);
 DEFINE_KEYMASTER_TAG(KM_BYTES, TAG_ATTESTATION_ID_MEID);
 DEFINE_KEYMASTER_TAG(KM_BYTES, TAG_ATTESTATION_ID_MANUFACTURER);
 DEFINE_KEYMASTER_TAG(KM_BYTES, TAG_ATTESTATION_ID_MODEL);
diff --git a/include/keymaster/android_keymaster_messages.h b/include/keymaster/android_keymaster_messages.h
index 0e594d0..a576af8 100644
--- a/include/keymaster/android_keymaster_messages.h
+++ b/include/keymaster/android_keymaster_messages.h
@@ -135,6 +135,7 @@
         return 3;
     case KmVersion::KEYMINT_1:
     case KmVersion::KEYMINT_2:
+    case KmVersion::KEYMINT_3:
         return 4;
     }
     return kInvalidMessageVersion;
diff --git a/include/keymaster/keymaster_tags.h b/include/keymaster/keymaster_tags.h
index f620dfb..e8188e8 100644
--- a/include/keymaster/keymaster_tags.h
+++ b/include/keymaster/keymaster_tags.h
@@ -180,6 +180,7 @@
 DECLARE_KEYMASTER_TAG(KM_BYTES, TAG_ATTESTATION_ID_PRODUCT);
 DECLARE_KEYMASTER_TAG(KM_BYTES, TAG_ATTESTATION_ID_SERIAL);
 DECLARE_KEYMASTER_TAG(KM_BYTES, TAG_ATTESTATION_ID_IMEI);
+DECLARE_KEYMASTER_TAG(KM_BYTES, TAG_ATTESTATION_ID_SECOND_IMEI);
 DECLARE_KEYMASTER_TAG(KM_BYTES, TAG_ATTESTATION_ID_MEID);
 DECLARE_KEYMASTER_TAG(KM_BYTES, TAG_ATTESTATION_ID_MANUFACTURER);
 DECLARE_KEYMASTER_TAG(KM_BYTES, TAG_ATTESTATION_ID_MODEL);
diff --git a/include/keymaster/km_openssl/attestation_record.h b/include/keymaster/km_openssl/attestation_record.h
index f9ab811..a224246 100644
--- a/include/keymaster/km_openssl/attestation_record.h
+++ b/include/keymaster/km_openssl/attestation_record.h
@@ -121,6 +121,7 @@
     ASN1_INTEGER* boot_patch_level;
     ASN1_NULL* device_unique_attestation;
     ASN1_NULL* identity_credential_key;
+    ASN1_OCTET_STRING* attestation_id_second_imei;
 } KM_AUTH_LIST;
 
 ASN1_SEQUENCE(KM_AUTH_LIST) = {
@@ -191,6 +192,8 @@
                  TAG_DEVICE_UNIQUE_ATTESTATION.masked_tag()),
     ASN1_EXP_OPT(KM_AUTH_LIST, identity_credential_key, ASN1_NULL,
                  TAG_IDENTITY_CREDENTIAL_KEY.masked_tag()),
+    ASN1_EXP_OPT(KM_AUTH_LIST, attestation_id_second_imei, ASN1_OCTET_STRING,
+                 TAG_ATTESTATION_ID_SECOND_IMEI.masked_tag()),
 } ASN1_SEQUENCE_END(KM_AUTH_LIST);
 DECLARE_ASN1_FUNCTIONS(KM_AUTH_LIST);
 
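Review bot: The new `attestation_id_second_imei` template entry is appended after `identity_credential_key` rather than next to the other attestation ID fields, and nothing in the hunk says why. The order of entries in `ASN1_SEQUENCE(KM_AUTH_LIST)` is the order in which fields are encoded and matched when a record is parsed. The placement is therefore correct only if `TAG_ATTESTATION_ID_SECOND_IMEI.masked_tag()` is larger than the tag of every earlier entry; the tag values are not visible here, so that is worth confirming. I would add a comment above the entry such as `// Entries must stay in ascending tag order; new tags are appended, not grouped by meaning.` The sequence definition starts outside the hunk.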
@@ -418,6 +421,8 @@
         return 100;
     case KmVersion::KEYMINT_2:
         return 200;
+    case KmVersion::KEYMINT_3:
+        return 300;
     }
 }
 
@@ -441,6 +446,8 @@
         return 100;
     case KmVersion::KEYMINT_2:
         return 200;
+    case KmVersion::KEYMINT_3:
+        return 300;
     }
 }
 
diff --git a/include/keymaster/km_version.h b/include/keymaster/km_version.h
index 122d045..6287aa3 100644
--- a/include/keymaster/km_version.h
+++ b/include/keymaster/km_version.h
@@ -32,6 +32,7 @@
     KEYMASTER_4_1 = 41,
     KEYMINT_1 = 100,
     KEYMINT_2 = 200,
+    KEYMINT_3 = 300,
 };
 
 };  // namespace keymaster
diff --git a/key_blob_utils/software_keyblobs.cpp b/key_blob_utils/software_keyblobs.cpp
index 8266326..056068c 100644
--- a/key_blob_utils/software_keyblobs.cpp
+++ b/key_blob_utils/software_keyblobs.cpp
@@ -318,6 +318,7 @@
         case KM_TAG_ATTESTATION_ID_BRAND:
         case KM_TAG_ATTESTATION_ID_DEVICE:
         case KM_TAG_ATTESTATION_ID_IMEI:
+        case KM_TAG_ATTESTATION_ID_SECOND_IMEI:
         case KM_TAG_ATTESTATION_ID_MANUFACTURER:
         case KM_TAG_ATTESTATION_ID_MEID:
         case KM_TAG_ATTESTATION_ID_MODEL:
diff --git a/km_openssl/attestation_record.cpp b/km_openssl/attestation_record.cpp
index f413064..33d74fa 100644
--- a/km_openssl/attestation_record.cpp
+++ b/km_openssl/attestation_record.cpp
@@ -47,10 +47,11 @@
 IMPLEMENT_ASN1_FUNCTIONS(KM_KEY_DESCRIPTION);
 
 static const keymaster_tag_t kDeviceAttestationTags[] = {
-    KM_TAG_ATTESTATION_ID_BRAND,        KM_TAG_ATTESTATION_ID_DEVICE, KM_TAG_ATTESTATION_ID_PRODUCT,
-    KM_TAG_ATTESTATION_ID_SERIAL,       KM_TAG_ATTESTATION_ID_IMEI,   KM_TAG_ATTESTATION_ID_MEID,
+    KM_TAG_ATTESTATION_ID_BRAND,        KM_TAG_ATTESTATION_ID_DEVICE,
+    KM_TAG_ATTESTATION_ID_PRODUCT,      KM_TAG_ATTESTATION_ID_SERIAL,
+    KM_TAG_ATTESTATION_ID_IMEI,         KM_TAG_ATTESTATION_ID_MEID,
     KM_TAG_ATTESTATION_ID_MANUFACTURER, KM_TAG_ATTESTATION_ID_MODEL,
-};
+    KM_TAG_ATTESTATION_ID_SECOND_IMEI};
 
 struct KM_AUTH_LIST_Delete {
     void operator()(KM_AUTH_LIST* p) { KM_AUTH_LIST_free(p); }
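Review bot: `kDeviceAttestationTags` carries no comment on what membership means, and this change adds a second hardware identifier to it. If, as the name suggests, the array lists the tags that must be checked against the device's provisioned IDs before they are copied into an attestation record, say so above the declaration, e.g. `// Device-ID tags: each must be verified against provisioned values before it is attested.` It is also worth confirming that the verification path compares the second IMEI as well as the first; that code is not in this diff. As a style point, closing the initializer as `KM_TAG_ATTESTATION_ID_SECOND_IMEI};` drops the trailing comma and the separate `};` line the old code had, so the next added tag will touch two lines instead of one.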
@@ -679,6 +680,9 @@
         case KM_TAG_ATTESTATION_ID_IMEI:
             string_ptr = &record->attestation_id_imei;
             break;
+        case KM_TAG_ATTESTATION_ID_SECOND_IMEI:
+            string_ptr = &record->attestation_id_second_imei;
+            break;
         case KM_TAG_ATTESTATION_ID_MEID:
             string_ptr = &record->attestation_id_meid;
             break;
@@ -1388,6 +1392,14 @@
         return KM_ERROR_MEMORY_ALLOCATION_FAILED;
     }
 
+    // Second IMEI
+    if (record->attestation_id_second_imei &&
+        !auth_list->push_back(TAG_ATTESTATION_ID_SECOND_IMEI,
+                              record->attestation_id_second_imei->data,
+                              record->attestation_id_second_imei->length)) {
+        return KM_ERROR_MEMORY_ALLOCATION_FAILED;
+    }
+
     return KM_ERROR_OK;
 }
 
diff --git a/ng/AndroidKeyMintDevice.cpp b/ng/AndroidKeyMintDevice.cpp
index 25ad463..fb7b632 100644
--- a/ng/AndroidKeyMintDevice.cpp
+++ b/ng/AndroidKeyMintDevice.cpp
@@ -108,6 +108,7 @@
         case KM_TAG_ATTESTATION_ID_BRAND:
         case KM_TAG_ATTESTATION_ID_DEVICE:
         case KM_TAG_ATTESTATION_ID_IMEI:
+        case KM_TAG_ATTESTATION_ID_SECOND_IMEI:
         case KM_TAG_ATTESTATION_ID_MANUFACTURER:
         case KM_TAG_ATTESTATION_ID_MEID:
         case KM_TAG_ATTESTATION_ID_MODEL:
@@ -213,10 +214,10 @@
 constexpr size_t kOperationTableSize = 16;
 
 AndroidKeyMintDevice::AndroidKeyMintDevice(SecurityLevel securityLevel)
-    : impl_(new (std::nothrow)::keymaster::AndroidKeymaster(
+    : impl_(new(std::nothrow)::keymaster::AndroidKeymaster(
           [&]() -> auto{
               auto context = new (std::nothrow) PureSoftKeymasterContext(
-                  KmVersion::KEYMINT_2, static_cast<keymaster_security_level_t>(securityLevel));
+                  KmVersion::KEYMINT_3, static_cast<keymaster_security_level_t>(securityLevel));
               context->SetSystemVersion(::keymaster::GetOsVersion(),
                                         ::keymaster::GetOsPatchlevel());
               context->SetVendorPatchlevel(::keymaster::GetVendorPatchlevel());
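Review bot: `context` comes from `new (std::nothrow)` and is dereferenced on the very next statement (`context->SetSystemVersion(...)`) without a null check, so an allocation failure becomes a null-pointer dereference rather than a reported failure. A guard such as `if (!context) return context;` before the first `context->` call would keep the nothrow contract, assuming the lambda's final return (outside the hunk) returns `context` and that `AndroidKeymaster` tolerates a null context. The whitespace change to `new(std::nothrow)::keymaster::AndroidKeymaster` is unrelated to the version bump and looks like a formatter artifact; it could be left out of this commit.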
@@ -241,7 +242,7 @@
 AndroidKeyMintDevice::~AndroidKeyMintDevice() {}
 
 ScopedAStatus AndroidKeyMintDevice::getHardwareInfo(KeyMintHardwareInfo* info) {
-    info->versionNumber = 2;
+    info->versionNumber = 3;
     info->securityLevel = securityLevel_;
     info->keyMintName = "FakeKeyMintDevice";
     info->keyMintAuthorName = "Google";
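Review bot: The literal `3` assigned to `info->versionNumber` duplicates the `KmVersion::KEYMINT_3` passed to the context in the constructor, so the HAL version reported here and the version that drives the attestation record can drift apart on the next bump. A shared constant would tie them together, for example `constexpr KmVersion kKmVersion = KmVersion::KEYMINT_3;` used in the constructor and `info->versionNumber = static_cast<int32_t>(kKmVersion) / 100;` here. Failing that, a comment such as `// Must match the KmVersion passed to PureSoftKeymasterContext.` would at least flag the coupling. getHardwareInfo's body continues outside the hunk.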